Add immich module

Flake lock file updates:

• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/3867348fa92bc892eba5d9ddb2d7a97b9e127a8a' (2024-06-12)
  → 'github:serokell/deploy-rs/aa07eb05537d4cd025e2310397a6adcedfe72c76' (2024-09-27)
• Updated input 'disko':
    'github:nix-community/disko/c1c472f4cd91e4b0703e02810a8c7ed30186b6fa' (2024-09-25)
  → 'github:nix-community/disko/67dc29be3036cc888f0b9d4f0a788ee0f6768700' (2024-09-26)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/d0cb432a9d28218df11cbd77d984a2a46caeb5ac' (2024-09-22)
  → 'github:NixOS/nixos-hardware/d830ad47cc992b4a46b342bbc79694cbd0e980b2' (2024-09-27)

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1720546205,
+        "lastModified": 1723293904,
-        "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1718194053,
+        "lastModified": 1727447169,
-        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
         "type": "github"
       },
       "original": {
@@ -81,18 +81,17 @@
     },
     "devshell": {
       "inputs": {
-        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixvim",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1717408969,
+        "lastModified": 1722113426,
-        "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=",
+        "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
         "owner": "numtide",
         "repo": "devshell",
-        "rev": "1ebbe68d57457c8cae98145410b164b5477761f4",
+        "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
         "type": "github"
       },
       "original": {
@@ -108,11 +107,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1721417620,
+        "lastModified": 1727359191,
-        "narHash": "sha256-6q9b1h8fI3hXg2DG6/vrKWCeG8c5Wj2Kvv22RCgedzg=",
+        "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "bec6e3cde912b8acb915fecdc509eda7c973fb42",
+        "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700",
         "type": "github"
       },
       "original": {
@@ -124,11 +123,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1721276923,
+        "lastModified": 1723137499,
-        "narHash": "sha256-HJKuwVvi+yGv+8n9Ez4EwaJA0B79JRss9J30vpgy/GI=",
+        "narHash": "sha256-MOE9NeU2i6Ws1GhGmppMnjOHkNLl2MQMJmGhaMzdoJM=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "cc70ec20e2775df7cd2bccdd20dcdecc3e0a733b",
+        "rev": "fb5b578a4f49ae8705e5fea0419242ed1b8dba70",
         "type": "github"
       },
       "original": {
@@ -207,11 +206,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719994518,
+        "lastModified": 1725234343,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+        "narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+        "rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
         "type": "github"
       },
       "original": {
@@ -220,24 +219,6 @@
         "type": "github"
       }
     },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems_4"
-      },
-      "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "git-hooks": {
       "inputs": {
         "flake-compat": "flake-compat_4",
@@ -252,11 +233,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1721038330,
+        "lastModified": 1724857454,
-        "narHash": "sha256-DyIGJ+DEnKeGd346YJCwjmp9hXwiYq8wqGtikgbDqSc=",
+        "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "622291c026190caf13cb26f5136616b1ff0a07aa",
+        "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6",
         "type": "github"
       },
       "original": {
@@ -332,11 +313,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720042825,
+        "lastModified": 1726989464,
-        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
+        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
+        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
         "type": "github"
       },
       "original": {
@@ -392,11 +373,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720845312,
+        "lastModified": 1725189302,
-        "narHash": "sha256-yPhAsJTpyoIPQZJGC8Fw8W2lAXyhLoTn+HP20bmfkfk=",
+        "narHash": "sha256-IhXok/kwQqtusPsoguQLCHA+h6gKvgdCrkhIaN+kByA=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "5ce8503cf402cf76b203eba4b7e402bea8e44abc",
+        "rev": "7c4b53a7d9f3a3df902b3fddf2ae245ef20ebcda",
         "type": "github"
       },
       "original": {
@@ -407,11 +388,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1721413321,
+        "lastModified": 1727437159,
-        "narHash": "sha256-0GdiQScDceUrVGbxYpV819LHesK3szHOhJ09e6sgES4=",
+        "narHash": "sha256-v4qLwEw5OmprgQZTT7KZMNU7JjXJzRypw8+Cw6++fWk=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "ab165a8a6cd12781d76fe9cbccb9e975d0fb634f",
+        "rev": "d830ad47cc992b4a46b342bbc79694cbd0e980b2",
         "type": "github"
       },
       "original": {
@@ -478,11 +459,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1721379653,
+        "lastModified": 1727122398,
-        "narHash": "sha256-8MUgifkJ7lkZs3u99UDZMB4kbOxvMEXQZ31FO3SopZ0=",
+        "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1d9c2c9b3e71b9ee663d11c5d298727dace8d374",
+        "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093",
         "type": "github"
       },
       "original": {
@@ -509,11 +490,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1721409541,
+        "lastModified": 1727264057,
-        "narHash": "sha256-b6PLr0Ty7JPDBtJtjnYzlBf02bbH9alWMAgispMkTwk=",
+        "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0c53b6b8c2a3e46c68e04417e247bba660689c9d",
+        "rev": "759537f06e6999e141588ff1c9be7f3a5c060106",
         "type": "github"
       },
       "original": {
@@ -536,11 +517,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1721045803,
+        "lastModified": 1725350106,
-        "narHash": "sha256-dQGvOK+t45unF7DTp5bfO37hY0NkDUw6X3MH5CCTEAs=",
+        "narHash": "sha256-TaMMlI2KPJ3wCyxJk6AShOLhNuTeabHCnvYRkLBlEFs=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "eef2f4c6b190d92e296e47e5fe10e7ced65fd959",
+        "rev": "0f2c31e6a57a83ed4e6fa3adc76749620231055d",
         "type": "github"
       },
       "original": {
@@ -560,11 +541,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720992717,
+        "lastModified": 1727210241,
-        "narHash": "sha256-8j1bZVfKT1vJ0e+U7NYRNBG+DdBj5C/tpwe5krxT4/4=",
+        "narHash": "sha256-lufS6uzSbSrggNCSgubymMQWnQMh7PvQ+lRZ8qH9Uoc=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "460b48dc3dcd05df568e27cbb90581d23baec8dc",
+        "rev": "a02fef2ece8084aff0b41700bb57d24d73574cd1",
         "type": "github"
       },
       "original": {
@@ -595,11 +576,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1720459643,
+        "lastModified": 1724093899,
-        "narHash": "sha256-X71/NplPXPe9pCvrd9ELpnYBEYtju4+x3LA7S5I1GXM=",
+        "narHash": "sha256-VohYwTIBq7NEssFibuu+HMXXwuCoLmMOmEwQf7sESSI=",
         "ref": "refs/heads/master",
-        "rev": "f8d68b934f4380ecbc6365b4ef7f7c632833d1aa",
+        "rev": "7f5901bb5d6eeaa94d7e1f18f66093be9df014e4",
-        "revCount": 21,
+        "revCount": 27,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },
@@ -653,29 +634,14 @@
         "type": "github"
       }
     },
-    "systems_4": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "thunderbird-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1721309490,
+        "lastModified": 1721874544,
-        "narHash": "sha256-Xheela/OazoNH9YjP9IgC3hzxQdnPHRQMeH9yW7xl2c=",
+        "narHash": "sha256-BHW9jlx92CsHY84FT0ce5Vxl0KFheLhNn2vndcIf7no=",
         "owner": "rafaelmardojai",
         "repo": "thunderbird-gnome-theme",
-        "rev": "1c89a500dd35b7746ef1fde104a1baf809c2b59a",
+        "rev": "628fcccb7788e3e0ad34f67114f563c87ac8c1dc",
         "type": "github"
       },
       "original": {
@@ -692,11 +658,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720930114,
+        "lastModified": 1724833132,
-        "narHash": "sha256-VZK73b5hG5bSeAn97TTcnPjXUXtV7j/AtS4KN8ggCS0=",
+        "narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "b92afa1501ac73f1d745526adc4f89b527595f14",
+        "rev": "3ffd842a5f50f435d3e603312eefa4790db46af5",
         "type": "github"
       },
       "original": {

flake.nix

@@ -51,65 +51,60 @@
     };
   };
 
-  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, nixos-mailserver, ... }:
+  outputs = inputs @ { self, nixpkgs, ... }:
     let
-      mkPkgsForSystem = system: inputs.nixpkgs;
+      inherit (nixpkgs) lib;
-      overlays = [
+
-        agenix.overlays.default
+      domain = "mesh.vimium.net";
-        (import ./overlays/gnome.nix)
+      forEverySystem = lib.getAttrs lib.systems.flakeExposed;
-        (
+      forEachSystem = lib.genAttrs [
-          final: prev: {
+        "x86_64-linux"
-            unstable = import inputs.nixpkgs-unstable { system = final.system; };
+        "aarch64-linux"
-            custom = self.packages { system = final.system; };
-          }
-        )
       ];
-      commonModules = [
+      mkDeployNode = hostName: {
-        agenix.nixosModules.age
+        hostname = "${hostName}.${domain}";
-        disko.nixosModules.disko
+
-        nixos-mailserver.nixosModule
+        profiles.system = {
-        home-manager.nixosModule
+          user = "root";
-        ./modules
+          path = inputs.deploy-rs.lib.${self.nixosConfigurations.${hostName}.config.system.build.toplevel.system}.activate.nixos self.nixosConfigurations.${hostName};
-      ];
-      mkNixosSystem = { system, name, extraModules ? [] }:
-        let
-          nixpkgs = mkPkgsForSystem system;
-          lib = (import nixpkgs { inherit overlays system; }).lib;
-        in
-        inputs.nixpkgs.lib.nixosSystem {
-          inherit lib system;
-          specialArgs = { modulesPath = toString (nixpkgs + "/nixos/modules"); inherit inputs; };
-          baseModules = import (nixpkgs + "/nixos/modules/module-list.nix");
-          modules = commonModules ++ [
-            ({ config, ... }:
-              {
-                nixpkgs.pkgs = import nixpkgs {
-                  inherit overlays system;
-                  config.allowUnfree = true;
-                  config.nvidia.acceptLicense = true;
-                };
-                networking.hostName = name;
-              })
-            ./hosts/${name}
-          ] ++ extraModules;
         };
+      };
     in
     {
-      nixosConfigurations = {
+      overlays = lib.packagesFromDirectoryRecursive {
-        atlas = mkNixosSystem { system = "x86_64-linux"; name = "atlas"; };
+        callPackage = path: overrides: import path;
-        eos = mkNixosSystem { system = "x86_64-linux"; name = "eos"; };
+        directory = ./overlays;
-        helios = mkNixosSystem { system = "x86_64-linux"; name = "helios"; };
-        hypnos = mkNixosSystem { system = "x86_64-linux"; name = "hypnos"; };
-        library = mkNixosSystem { system = "x86_64-linux"; name = "library"; };
-        mail = mkNixosSystem { system = "x86_64-linux"; name = "mail"; };
-        odyssey = mkNixosSystem { system = "x86_64-linux"; name = "odyssey"; };
-        pi = mkNixosSystem { system = "aarch64-linux"; name = "pi"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
-        vps1 = mkNixosSystem { system = "x86_64-linux"; name = "vps1"; };
       };
 
+      legacyPackages = forEachSystem (system:
+        lib.packagesFromDirectoryRecursive {
+          callPackage = nixpkgs.legacyPackages.${system}.callPackage;
+          directory = ./pkgs;
+        });
+
+      nixosConfigurations = lib.pipe ./hosts [
+        builtins.readDir
+        (lib.filterAttrs (name: value: value == "directory"))
+        (lib.mapAttrs (name: value:
+          lib.nixosSystem {
+            specialArgs = { inherit self; };
+
+            modules = [
+              {
+                networking = {
+                  inherit domain;
+                  hostName = name;
+                };
+              }
+              ./hosts/${name}
+            ];
+          }))
+      ];
+
       devShells.x86_64-linux.default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
         buildInputs = [
-          deploy-rs.packages.x86_64-linux.deploy-rs
+          inputs.agenix.packages.x86_64-linux.agenix
+          inputs.deploy-rs.packages.x86_64-linux.deploy-rs
         ];
       };
 
@@ -117,35 +112,15 @@
         magicRollback = true;
         autoRollback = true;
         sshUser = "root";
-        nodes = {
+        nodes = lib.genAttrs [
-          mail = {
+          "mail"
-            hostname = "mail.mesh.vimium.net";
+          # "pi"
-
+          # "skycam"
-            profiles.system = {
+          "vps1"
-              user = "root";
+        ] mkDeployNode;
-              path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.mail;
-            };
-          };
-          vps1 = {
-            hostname = "vps1.mesh.vimium.net";
-
-            profiles.system = {
-              user = "root";
-              path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vps1;
-            };
-          };
-          # pi = {
-          #   hostname = "10.0.1.191";
-          #
-          #   profiles.system = {
-          #     user = "root";
-          #     path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi;
-          #   };
-          # };
-        };
       };
 
-      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
     };
 }
 

hosts/atlas/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -6,6 +6,8 @@
     ../desktop.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;

hosts/common.nix

@@ -1,6 +1,22 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, self, ... }:
 
 {
+  imports = [
+    self.inputs.agenix.nixosModules.age
+    self.inputs.home-manager.nixosModule
+    ../modules
+  ];
+
+  nixpkgs.overlays = [
+    self.inputs.agenix.overlays.default
+    (import ../overlays/default.nix)
+    (
+      final: prev: {
+        unstable = import self.inputs.nixpkgs-unstable { system = final.system; };
+      }
+    )
+  ];
+
   time.timeZone = "Europe/London";
 
   i18n.defaultLocale = "en_GB.UTF-8";
@@ -42,6 +58,17 @@
     extraOptions = ''
       experimental-features = nix-command flakes
     '';
+    buildMachines = [
+      {
+        hostName = "10.0.1.79";
+        sshUser = "root";
+        system = "aarch64-linux";
+        maxJobs = 6;
+        speedFactor = 1;
+        supportedFeatures = [ "big-parallel" "benchmark" ];
+      }
+    ];
+    distributedBuilds = true;
     settings = {
       connect-timeout = 5;
       log-lines = 25;

hosts/desktop.nix

@@ -1,10 +1,14 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [
     ./common.nix
   ];
 
+  nixpkgs.overlays = [
+    (import ../overlays/gnome.nix)
+  ];
+
   services.printing.enable = true;
   services.openssh.startWhenNeeded = true;
 
@@ -59,7 +63,7 @@
     fd
     ffmpeg
     iotop
-    unstable.nix-du
+    # unstable.nix-du
     # unstable.nix-melt
     unstable.nix-tree
     unstable.nix-visualize

hosts/eos/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -6,6 +6,8 @@
     ../desktop.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;

hosts/eos/hardware-configuration.nix

@@ -7,11 +7,12 @@
 
   boot = {
     initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
-    initrd.kernelModules = [ ];
     initrd.supportedFilesystems = [ "zfs" ];
-    kernelModules = [ ];
+    kernel.sysctl = {
+      "kernel.nmi_watchdog" = 0;
+      "vm.laptop_mode" = 5;
+    };
     kernelParams = [ "elevator=none" ];
-    extraModulePackages = [ ];
     supportedFilesystems = [ "zfs" ];
   };
 

hosts/helios/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -6,6 +6,8 @@
     ../desktop.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   boot = {
     loader.grub = {
       enable = true;

hosts/hypnos/default.nix

@@ -1,12 +1,21 @@
-{ config, lib, ... }:
+{ config, lib, self, ... }:
 
 {
   imports = [
+    self.inputs.disko.nixosModules.disko
     ./hardware-configuration.nix
     ./disko-config.nix
     ../desktop.nix
   ];
 
+  nixpkgs = {
+    hostPlatform = "x86_64-linux";
+    config = {
+      allowUnfree = true;
+      nvidia.acceptLicense = true;
+    };
+  };
+
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;

hosts/hypnos/hardware-configuration.nix

@@ -7,6 +7,10 @@
 
   boot = {
     initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+    kernel.sysctl = {
+      "kernel.nmi_watchdog" = 0;
+      "vm.laptop_mode" = 5;
+    };
     kernelModules = [ "applesmc" "kvm-intel" "wl" ];
     extraModulePackages = [
       config.boot.kernelPackages.broadcom_sta

hosts/library/default.nix

@@ -6,6 +6,8 @@
     ../server.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   boot = {
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
@@ -13,7 +15,6 @@
   };
 
   networking = {
-    domain = "mesh.vimium.net";
     hostId = "d24ae953";
     firewall = {
       enable = true;

hosts/mail/default.nix

@@ -1,15 +1,17 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, self, ... }:
 
 {
   imports = [
+    self.inputs.disko.nixosModules.disko
     ./hardware-configuration.nix
     ./disko-config.nix
     ../server.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   networking = {
     hostId = "08ac2f14";
-    domain = "mesh.vimium.net";
     firewall = {
       enable = true;
       allowedTCPPorts = [

hosts/odyssey/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -6,6 +6,14 @@
     ../desktop.nix
   ];
 
+  nixpkgs = {
+    hostPlatform = "x86_64-linux";
+    config = {
+      allowUnfree = true;
+      nvidia.acceptLicense = true;
+    };
+  };
+
   boot.loader = {
     systemd-boot = {
       enable = true;

hosts/pi/default.nix

@@ -1,12 +1,13 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 {
   imports = [
+    self.inputs.nixos-hardware.nixosModules.raspberry-pi-4
     ./hardware-configuration.nix
     ../server.nix
   ];
 
-  networking.hostId = "731d1660";
+  nixpkgs.hostPlatform = "aarch64-linux";
 
   hardware = {
     raspberry-pi."4" = {
@@ -97,6 +98,8 @@
     ];
   };
 
+  networking.hostId = "731d1660";
+
   sound.enable = true;
 
   security.rtkit.enable = true;
@@ -108,7 +111,7 @@
   };
 
   age.secrets."files/services/home-assistant/secrets.yaml" = {
-    file = "${inputs.secrets}/files/services/home-assistant/secrets.yaml.age";
+    file = "${self.inputs.secrets}/files/services/home-assistant/secrets.yaml.age";
     path = "${config.services.home-assistant.configDir}/secrets.yaml";
     owner = "hass";
     group = "hass";
@@ -173,7 +176,7 @@
   };
 
   age.secrets."files/services/zigbee2mqtt/secret.yaml" = {
-    file = "${inputs.secrets}/files/services/zigbee2mqtt/secret.yaml.age";
+    file = "${self.inputs.secrets}/files/services/zigbee2mqtt/secret.yaml.age";
     path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml";
     owner = "zigbee2mqtt";
     group = "zigbee2mqtt";

hosts/skycam/README.md

@@ -0,0 +1,29 @@
+# Skycam
+
+## Overview
+Raspberry Pi 4-based webcam
+
+## Specs
+* SoC - Broadcom BCM2711
+* CPU - ARM Cortex-A72 @ 1.8 GHz
+* Memory - 8 GB LPDDR4
+
+### Disks
+Device | Partitions _(filesystem, usage)_
+--- | ---
+SD card | `/dev/mmcblk0` (ext4, NixOS Root)
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `skycam.mesh.vimium.net`.
+
+## Devices and connections
+- Camera Module 3 with wide-angle lens
+
+## Building
+To generate a compressed SD card image for Skycam, run:
+`nix build '.#nixosConfigurations.skycam.config.system.build.sdImage'`
+
+Once a card is imaged, the existing SSH host keys should be copied to
+`/etc/ssh` manually to enable secret decryption.
+

hosts/skycam/default.nix

@@ -0,0 +1,111 @@
+{ config, lib, pkgs, self, ... }:
+
+{
+  imports = [
+    self.inputs.nixos-hardware.nixosModules.raspberry-pi-4
+    ./hardware-configuration.nix
+    ../server.nix
+  ];
+
+  nixpkgs.hostPlatform = "aarch64-linux";
+
+  hardware = {
+    raspberry-pi."4" = {
+      apply-overlays-dtmerge.enable = true;
+      audio.enable = false;
+      xhci.enable = false;
+    };
+    deviceTree = {
+      enable = true;
+      filter = "*rpi-4-*.dtb";
+      # From https://github.com/Electrostasy/dots/blob/3b81723feece67610a252ce754912f6769f0cd34/hosts/phobos/klipper.nix#L43-L65
+      overlays =
+        let
+          mkCompatibleDtsFile = dtbo:
+            let
+              drv = pkgs.runCommand "fix-dts" { nativeBuildInputs = with pkgs; [ dtc gnused ]; } ''
+                mkdir "$out"
+                dtc -I dtb -O dts ${dtbo} | sed -e 's/bcm2835/bcm2711/' > $out/overlay.dts
+              '';
+            in
+              "${drv}/overlay.dts";
+
+          inherit (config.boot.kernelPackages) kernel;
+        in
+          [
+            {
+              name = "imx708.dtbo";
+              dtsFile = mkCompatibleDtsFile "${kernel}/dtbs/overlays/imx708.dtbo";
+            }
+            {
+              name = "vc4-kms-v3d-pi4.dtbo";
+              dtsFile = mkCompatibleDtsFile "${kernel}/dtbs/overlays/vc4-kms-v3d-pi4.dtbo";
+            }
+          ];
+    };
+    firmware = with pkgs; [
+      firmwareLinuxNonfree
+    ];
+  };
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="rpivid-*", GROUP="video", MODE="0660"
+    KERNEL=="vcsm-cma", GROUP="video", MODE="0660"
+    SUBSYSTEM=="dma_heap", GROUP="video", MODE="0660"
+  '';
+
+  nixpkgs.overlays = [
+    (import ./../../overlays/libcamera.nix)
+  ];
+
+  networking = {
+    hostId = "731d1660";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 8080 ];
+      allowedUDPPorts = [ 8080 ];
+    };
+  };
+
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
+    ];
+  };
+
+  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+
+  systemd.services.ustreamer = {
+    enable = true;
+    description = "uStreamer service";
+    unitConfig = {
+      Type = "simple";
+      ConditionPathExists = "/sys/bus/i2c/drivers/imx708/10-001a/video4linux";
+    };
+    serviceConfig = {
+      ExecStart = ''${pkgs.libcamera}/bin/libcamerify ${pkgs.unstable.ustreamer}/bin/ustreamer \
+        --host=0.0.0.0 \
+        --resolution=4608x2592
+      '';
+      DynamicUser = "yes";
+      SupplementaryGroups = [ "video" ];
+      Restart = "always";
+      RestartSec = 10;
+    };
+    wantedBy = [ "network-online.target" ];
+    confinement.mode = "chroot-only";
+  };
+
+  environment.systemPackages = with pkgs; [
+    camera-streamer
+    git
+    neovim
+    libcamera
+    libraspberrypi
+    raspberrypi-eeprom
+    v4l-utils
+    unstable.ustreamer
+  ];
+
+  system.stateVersion = "24.05";
+}

hosts/skycam/hardware-configuration.nix

@@ -0,0 +1,33 @@
+{ config, lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+  ];
+
+  boot = {
+    kernelModules = [ "bcm2835-v4l2" ];
+    kernelParams = [
+      "cma=512M"
+      "panic=0"
+    ];
+    supportedFilesystems = lib.mkForce [ "f2fs" "vfat" "xfs" ];
+    tmp.cleanOnBoot = false;
+  };
+
+  nixpkgs.overlays = [
+    (final: super: {
+      makeModulesClosure = x:
+        super.makeModulesClosure (x // { allowMissing = true; });
+    })
+  ];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+  };
+}
+

hosts/vps1/default.nix

@@ -1,7 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
-  lib,
-  ...
-}:
 
 {
   imports = [
@@ -9,9 +6,10 @@
     ../server.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   networking = {
     hostId = "08bf6db3";
-    domain = "mesh.vimium.net";
     firewall = {
       enable = true;
       allowedTCPPorts = [
@@ -39,10 +37,47 @@
     groups = {
       jellyfin = { };
     };
+    extraGroups.acme.members = [ "kanidm" "nginx" ];
   };
 
   services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 
+  security.acme.certs."auth.vimium.com" = {
+    postRun = "systemctl restart kanidm.service";
+    group = "acme";
+  };
+
+  services.kanidm = let
+    baseDomain = "vimium.com";
+    domain = "auth.${baseDomain}";
+    uri = "https://${domain}";
+  in {
+    package = pkgs.unstable.kanidm;
+    enableClient = true;
+    enableServer = true;
+    clientSettings = {
+      inherit uri;
+    };
+    serverSettings = {
+      bindaddress = "[::1]:3013";
+      ldapbindaddress = "[::1]:636";
+      domain = baseDomain;
+      origin = uri;
+      tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
+      tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "auth.vimium.com" = {
+      useACMEHost = "auth.vimium.com";
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://[::1]:3013";
+      };
+    };
+  };
+
   modules = rec {
     databases.postgresql.enable = true;
     services = {
@@ -62,13 +97,13 @@
       };
       gitea.enable = true;
       headscale.enable = true;
-      matrix-synapse = {
+      matrix = {
         enable = true;
+        bridges = {
+          signal = true;
+          whatsapp = true;
+        };
         usePostgresql = databases.postgresql.enable;
-        bridges = [
-          "signal"
-          "whatsapp"
-        ];
       };
       nginx.enable = true;
       photoprism.enable = true;

modules/default.nix

@@ -32,6 +32,7 @@
     ./editors/neovim
     ./editors/vscode.nix
     ./hardware/presonus-studio.nix
+    ./networking/netbird.nix
     ./networking/tailscale.nix
     ./networking/wireless.nix
     ./security/gpg.nix
@@ -42,8 +43,9 @@
     ./services/gitea
     ./services/gitea-runner
     ./services/headscale
+    ./services/immich
     ./services/mail
-    ./services/matrix-synapse
+    ./services/matrix
     ./services/nginx
     ./services/photoprism
     ./shell/git

modules/desktop/apps/thunderbird.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, self, ... }:
 
 let cfg = config.modules.desktop.apps.thunderbird;
 in {
@@ -10,7 +10,7 @@ in {
   };
   
   config = lib.mkIf cfg.enable {
-    home.file.".thunderbird/Default/chrome/thunderbird-gnome-theme".source = inputs.thunderbird-gnome-theme;
+    home.file.".thunderbird/Default/chrome/thunderbird-gnome-theme".source = self.inputs.thunderbird-gnome-theme;
 
     home.programs.thunderbird = {
       enable = true;

modules/desktop/browsers/brave.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, ... }:
 
 let cfg = config.modules.desktop.browsers.brave;
 in {

modules/desktop/browsers/firefox.nix

@@ -1,4 +1,4 @@
-{ config, lib, inputs, ... }:
+{ config, lib, self, ... }:
 
 let cfg = config.modules.desktop.browsers.firefox;
 in {
@@ -10,7 +10,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    home.file.".mozilla/firefox/Default/chrome/firefox-gnome-theme".source = inputs.firefox-gnome-theme;
+    home.file.".mozilla/firefox/Default/chrome/firefox-gnome-theme".source = self.inputs.firefox-gnome-theme;
 
     home.programs.firefox = {
       enable = true;
@@ -154,7 +154,7 @@ in {
           "dom.battery.enabled" = false;
           "dom.vr.enabled" = false;
           "media.navigator.enabled" = false;
-          "dom.webaudio.enabled" = false;
+          # "dom.webaudio.enabled" = false;
 
           ## Isolation
           "privacy.firstparty.isolate" = true;

modules/desktop/gnome.nix

@@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 let cfg = config.modules.desktop.gnome;
 in {
@@ -101,6 +101,7 @@ in {
           # "smart-auto-move@khimaros.com"
           "space-bar@luchrioh"
           # "tiling-assistant@leleat-on-github"
+          "tilingshell@ferrarodomenico.com"
           "Vitals@CoreCoding.com"
           "windowIsReady_Remover@nunofarruca@gmail.com"
           # "worksets@blipk.xyz"
@@ -177,6 +178,11 @@ in {
         screen-left-gap = 8;
         window-gap = 8;
       };
+      "org/gnome/shell/extensions/tilingshell" = {
+        inner-gaps = 16;
+        outer-gaps = 8;
+        enable-blur-snap-assistant = true;
+      };
       "org/gnome/Console" = {
         font-scale = 1.4;
         use-system-font = false;
@@ -201,7 +207,7 @@ in {
       "Kvantum/kvantum.kvconfig".text = lib.generators.toINI {} {
         General.theme = "KvLibadwaitaDark";
       };
-      "Kvantum/KvLibadwaita".source = "${inputs.kvlibadwaita}/src/KvLibadwaita";
+      "Kvantum/KvLibadwaita".source = "${self.inputs.kvlibadwaita}/src/KvLibadwaita";
     };
 
     user.packages = with pkgs; [
@@ -268,7 +274,7 @@ in {
       gnomeExtensions.smart-auto-move
       gnomeExtensions.space-bar
       gnomeExtensions.tiling-assistant
-      # gnomeExtensions.tiling-shell
+      gnomeExtensions.tiling-shell
       gnomeExtensions.todotxt
       gnomeExtensions.vitals
       gnomeExtensions.window-is-ready-remover

modules/networking/netbird.nix

@@ -0,0 +1,70 @@
+{ config, lib, self, ... }:
+
+let
+  cfg = config.modules.networking.netbird;
+  hostname = config.networking.hostName;
+in {
+  options.modules.networking.netbird = {
+    enable = lib.mkEnableOption "netbird";
+    coordinatorDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "netbird.vimium.net";
+    };
+    meshDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "mesh.vimium.net";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets."passwords/services/netbird/data-store-encryption-key" = {
+      file = "${self.inputs.secrets}/passwords/services/netbird/data-store-encryption-key.age";
+    };
+
+    services.netbird = {
+      enable = true;
+    };
+
+    services.netbird.server = {
+      domain = cfg.coordinatorDomain;
+      enable = true;
+      enableNginx = true;
+      dashboard.settings = {
+        AUTH_AUTHORITY = "https://auth.vimium.com/oauth2/openid/netbird";
+      };
+      management = rec {
+        disableAnonymousMetrics = true;
+        dnsDomain = cfg.meshDomain;
+        oidcConfigEndpoint = "https://auth.vimium.com/oauth2/openid/netbird/.well-known/openid-configuration";
+        settings = {
+          DataStoreEncryptionKey = {
+            _secret = config.age.secrets."passwords/services/netbird/data-store-encryption-key".path;
+          };
+          HttpConfig = {
+            AuthAudience = "netbird";
+          };
+          StoreConfig = { Engine = "sqlite"; };
+          TURNConfig = {
+            Secret._secret = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
+            TimeBasedCredentials = true;
+          };
+          PKCEAuthorizationFlow.ProviderConfig = {
+            AuthorizationEndpoint = "https://auth.vimium.com/ui/oauth2";
+            TokenEndpoint = "https://auth.vimium.com/oauth2/token";
+          };
+        };
+        singleAccountModeDomain = dnsDomain;
+        turnDomain = config.services.coturn.realm;
+        turnPort = config.services.coturn.listening-port;
+      };
+    };
+
+    systemd.services.netbird-signal.serviceConfig.RestartSec = "60";
+    systemd.services.netbird-management.serviceConfig.RestartSec = "60";
+
+    services.nginx.virtualHosts."netbird.vimium.net" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}

modules/networking/tailscale.nix

@@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 let
   cfg = config.modules.networking.tailscale;
@@ -18,7 +18,7 @@ in {
 
   config = lib.mkIf cfg.enable {
     age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
-      file = "${inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
+      file = "${self.inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
     };
 
     environment.systemPackages = [ pkgs.tailscale ];

modules/networking/wireless.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 with lib;
 
@@ -19,7 +19,7 @@ in {
 
   config = mkIf cfg.enable {
     age.secrets."passwords/networks" = {
-      file = "${inputs.secrets}/passwords/networks.age";
+      file = "${self.inputs.secrets}/passwords/networks.age";
     };
 
     networking = {

modules/options.nix

@@ -1,4 +1,4 @@
-{ config, options, lib, home-manager, inputs, ... }:
+{ config, options, lib, self, ... }:
 
 with lib;
 {
@@ -29,7 +29,7 @@ with lib;
   };
 
   config = {
-    age.secrets."passwords/users/jordan".file = "${inputs.secrets}/passwords/users/jordan.age";
+    age.secrets."passwords/users/jordan".file = "${self.inputs.secrets}/passwords/users/jordan.age";
     user =
       let user = builtins.getEnv "USER";
           name = if elem user [ "" "root" ] then "jordan" else user;
@@ -68,8 +68,8 @@ with lib;
       };
 
       sharedModules = [
-        inputs.nixvim.homeManagerModules.nixvim
+        self.inputs.nixvim.homeManagerModules.nixvim
-        inputs.plasma-manager.homeManagerModules.plasma-manager
+        self.inputs.plasma-manager.homeManagerModules.plasma-manager
       ];
     };
 

modules/services/borgmatic/default.nix

@@ -1,35 +1,33 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, self, ... }:
-
-with lib;
 
 let
   cfg = config.modules.services.borgmatic;
   hostname = config.networking.hostName;
 in {
   options.modules.services.borgmatic = {
-    enable = mkOption {
+    enable = lib.mkOption {
       default = false;
       example = true;
-      description = mdDoc "Enable backups on this host with `borgmatic`";
+      description = lib.mdDoc "Enable backups on this host with `borgmatic`";
     };
-    directories = mkOption {
+    directories = lib.mkOption {
-      type = types.listOf types.str;
+      type = lib.types.listOf lib.types.str;
       default = [];
       example = [
         "/home/jordan/Documents"
       ];
-      description = mdDoc "List of directories to backup";
+      description = lib.mdDoc "List of directories to backup";
     };
-    repoPath = mkOption {
+    repoPath = lib.mkOption {
-      type = types.str;
+      type = lib.types.str;
       example = "ssh://example@example.repo.borgbase.com/./repo";
-      description = mdDoc "Destination borg repository for backup";
+      description = lib.mdDoc "Destination borg repository for backup";
     };
   };
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
     age.secrets."passwords/services/borg/${hostname}-passphrase" = {
-      file = "${inputs.secrets}/passwords/services/borg/${hostname}-passphrase.age";
+      file = "${self.inputs.secrets}/passwords/services/borg/${hostname}-passphrase.age";
     };
 
     services.borgmatic = {
@@ -47,6 +45,16 @@ in {
       };
     };
 
+    services.postgresql.ensureUsers = [
+      {
+        name = "root";
+        ensureClauses.superuser = true;
+      }
+    ];
+
+    # Add `pg_dumpall` to unit environment
+    systemd.services.borgmatic.path = [ config.services.postgresql.package ];
+
     # Without this override, `cat` is unavailable for `encryption_passcommand`
     systemd.services.borgmatic.confinement.fullUnit = true;
   };

modules/services/coturn/default.nix

@@ -1,9 +1,4 @@
-{
+{ config, lib, self, ... }:
-  config,
-  lib,
-  inputs,
-  ...
-}:
 
 let
   cfg = config.modules.services.coturn;
@@ -54,13 +49,13 @@ in {
 
     age.secrets = {
       "passwords/services/coturn/static-auth-secret" = {
-        file = "${inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
+        file = "${self.inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
         owner = "turnserver";
         group = "turnserver";
       };
     } // (if cfg.matrixIntegration then {
       "passwords/services/coturn/matrix-turn-config.yml" = {
-        file = "${inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
+        file = "${self.inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
         owner = "matrix-synapse";
         group = "matrix-synapse";
       };

modules/services/gitea-runner/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, lib, inputs, ... }:
+{ pkgs, config, lib, self, ... }:
 
 # Based on: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
 
@@ -176,7 +176,7 @@ in
     users.groups.nix-ci-user = { };
 
     age.secrets."files/services/gitea-runner/${hostname}-token" = {
-      file = "${inputs.secrets}/files/services/gitea-runner/${hostname}-token.age";
+      file = "${self.inputs.secrets}/files/services/gitea-runner/${hostname}-token.age";
       group = "podman";
     };
 

modules/services/gitea/default.nix

@@ -1,18 +1,17 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, self, ... }:
-
-with lib;
 
 let
   cfg = config.modules.services.gitea;
 in {
   options.modules.services.gitea = {
-    enable = mkOption {
+    enable = lib.mkEnableOption "gitea";
-      default = false;
+    domain = lib.mkOption {
-      example = true;
+      type = lib.types.string;
+      default = "git.vimium.com";
     };
   };
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
     users = {
       users.git = {
         isSystemUser = true;
@@ -31,7 +30,7 @@ in {
         };
       };
       virtualHosts = {
-        "git.vimium.com" = {
+        "${cfg.domain}" = {
           forceSSL = true;
           enableACME = true;
           locations."/".proxyPass = "http://gitea";
@@ -41,9 +40,9 @@ in {
 
     systemd.tmpfiles.rules = [
       "d '${config.services.gitea.customDir}/public/assets/css' 0750 ${config.services.gitea.user} ${config.services.gitea.group} - -"
-      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github.css' - - - - ${inputs.gitea-github-theme}/theme-github.css"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github.css' - - - - ${self.inputs.gitea-github-theme}/theme-github.css"
-      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-auto.css' - - - - ${inputs.gitea-github-theme}/theme-github-auto.css"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-auto.css' - - - - ${self.inputs.gitea-github-theme}/theme-github-auto.css"
-      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-dark.css' - - - - ${inputs.gitea-github-theme}/theme-github-dark.css"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-dark.css' - - - - ${self.inputs.gitea-github-theme}/theme-github-dark.css"
     ];
 
     services.gitea = rec {
@@ -69,15 +68,15 @@ in {
           OFFLINE_MODE = true;
           PROTOCOL = "http+unix";
           SSH_USER = "git";
-          SSH_DOMAIN = "git.vimium.com";
+          SSH_DOMAIN = "${cfg.domain}";
           SSH_PORT = lib.head config.services.openssh.ports;
-          ROOT_URL = "https://git.vimium.com/";
+          ROOT_URL = "https://${cfg.domain}/";
         };
         service.DISABLE_REGISTRATION = true;
         session.COOKIE_SECURE = true;
         log = {
           ROOT_PATH = "${stateDir}/log";
-          DISABLE_ROUTER_LOG = true;
+          "logger.router.MODE" = "";
         };
         ui = {
           THEMES = "gitea,arc-green,github,github-auto,github-dark";

modules/services/headscale/default.nix

@@ -1,19 +1,17 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, ... }:
-
-with lib;
 
 let
   cfg = config.modules.services.headscale;
   fqdn = "headscale.vimium.net";
 in {
   options.modules.services.headscale = {
-    enable = mkOption {
+    enable = lib.mkOption {
       default = false;
       example = true;
     };
   };
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
     environment.systemPackages = [ pkgs.headscale ];
 
     services.headscale = {
@@ -22,10 +20,16 @@ in {
       port = 8080;
 
       settings = {
+        acl_policy_path = null;
         ip_prefixes = [
           "100.64.0.0/10"
         ];
         server_url = "https://${fqdn}";
+        derp = {
+          auto_update_enable = false;
+          update_frequency = "24h";
+          urls = [];
+        };
         dns_config = {
           base_domain = "vimium.net";
           extra_records = [
@@ -40,6 +44,10 @@ in {
               value = "100.64.0.7";
             }
           ];
+          magic_dns = true;
+          nameservers = [
+            "9.9.9.9"
+          ];
         };
         logtail.enabled = false;
       };

modules/services/immich/default.nix

@@ -0,0 +1,54 @@
+{ config, lib, self, ... }:
+
+with lib;
+
+let cfg = config.modules.services.immich;
+in {
+  options.modules.services.immich = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx = {
+      virtualHosts = {
+        "gallery.vimium.com" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://localhost:${toString config.services.immich.port}";
+            extraConfig = ''
+              client_max_body_size 50000M;
+
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header Host $host;
+
+              proxy_buffering off;
+              proxy_redirect off;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+
+              proxy_read_timeout 600s;
+              proxy_send_timeout 600s;
+              send_timeout 600s;
+            '';
+          };
+        };
+      };
+    };
+
+    age.secrets."files/services/immich/envfile" = {
+      file = "${self.inputs.secrets}/files/services/immich/envfile.age";
+    };
+
+    services.immich = {
+      enable = true;
+      secretsFile = config.age.secrets."files/services/immich/envfile".path;
+    };
+  };
+}

modules/services/mail/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, self, ... }:
 
 let
   cfg = config.modules.services.mail;
@@ -22,6 +22,10 @@ in {
     };
   };
 
+  imports = [
+    self.inputs.nixos-mailserver.nixosModule
+  ];
+
   config = lib.mkIf cfg.enable {
     services.roundcube = {
       enable = true;

modules/services/matrix/default.nix

@@ -1,52 +1,53 @@
-{
+{ config, lib, pkgs, self, ... }:
-  config,
-  lib,
-  pkgs,
-  ...
-}:
 
 let
-  cfg = config.modules.services.matrix-synapse;
+  cfg = config.modules.services.matrix;
-  validBridges = [
-    "signal"
-    "whatsapp"
-  ];
 in {
-  options.modules.services.matrix-synapse = {
+  options.modules.services.matrix = {
-    enable = lib.mkOption {
+    enable = lib.mkEnableOption "matrix";
-      default = false;
+    element = {
-      example = true;
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+      };
     };
-    enableElementWeb = lib.mkOption {
+    bridges = {
-      default = true;
+      signal = lib.mkOption {
-      example = false;
+        type = lib.types.bool;
-    };
+        default = false;
-    bridges = lib.mkOption {
+        description = "Enable Signal bridge.";
-      type = lib.types.listOf lib.types.str;
+      };
-      description = "A list of bridges to configure with Synapse.";
+      whatsapp = lib.mkOption {
-      example = [ "signal" "whatsapp" ];
+        type = lib.types.bool;
-      default = [];
+        default = false;
-      apply = bridges:
+        description = "Enable WhatsApp bridge.";
-        if lib.all (bridge: lib.elem bridge validBridges) bridges
+      };
-        then lib.map (b: "mautrix-${b}") bridges
-        else throw "Invalid bridge(s) specified. Valid bridges are: ${lib.concatStringsSep ", " validBridges}";
     };
     serverName = lib.mkOption {
       type = lib.types.str;
       default = "vimium.com";
       example = "vimium.com";
     };
-    usePostgresql = lib.mkOption {
+    slidingSync = {
-      default = false;
+      enable = lib.mkEnableOption "sliding-sync";
-      example = true;
     };
+    usePostgresql = lib.mkEnableOption "postgresql";
   };
 
   config = let
-    mkBridgeDatabase = bridge: {
+    matrixSubdomain = "matrix.${cfg.serverName}";
-      name = bridge;
+    elementSubdomain = "chat.${cfg.serverName}";
-      ensureDBOwnership = true;
+    matrixClientConfig = {
+      "m.homeserver" = {
+        base_url = "https://${matrixSubdomain}";
+        server_name = cfg.serverName;
+      };
+      "m.identity_server" = {};
+      "org.matrix.msc3575.proxy" = if cfg.slidingSync.enable then {
+        "url" = "https://${matrixSubdomain}";
+      } else { };
     };
+    matrixServerConfig."m.server" = "${matrixSubdomain}:443";
     commonBridgeSettings = bridge: {
       appservice = {
         database = lib.mkIf cfg.usePostgresql {
@@ -62,42 +63,30 @@ in {
         };
         permissions = {
           "${cfg.serverName}" = "user";
-          "@jordan:vimium.com" = "admin";
+          "@jordan:${cfg.serverName}" = "admin";
         };
         provisioning = {
           shared_secret = "disable";
         };
       };
       homeserver = {
-        address = "https://matrix.${cfg.serverName}";
+        address = "https://${matrixSubdomain}";
         domain = cfg.serverName;
       };
     };
-    matrixClientConfig = {
-      "m.homeserver" = {
-        base_url = "https://matrix.${cfg.serverName}";
-        server_name = cfg.serverName;
-      };
-      "m.identity_server" = {};
-    };
-    matrixServerConfig."m.server" = "matrix.${cfg.serverName}:443";
-    mkWellKnown = data: ''
-      more_set_headers 'Content-Type: application/json';
-      return 200 '${builtins.toJSON data}';
-    '';
   in lib.mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = [
       8448 # Matrix federation
     ];
 
     security.acme.certs = {
-      "matrix.${cfg.serverName}" = {
+      "${matrixSubdomain}" = {
         reloadServices = [ "matrix-synapse" ];
       };
     };
 
     services.nginx.virtualHosts = {
-      "matrix.${cfg.serverName}" = {
+      "${matrixSubdomain}" = {
         forceSSL = true;
         enableACME = true;
         listen = [
@@ -145,14 +134,26 @@ in {
             '';
           };
           "/_synapse/client".proxyPass = "http://localhost:8008";
+          "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = lib.mkIf cfg.slidingSync.enable {
+            priority = 100;
+            proxyPass = "http://localhost:8009";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-For $remote_addr;
+            '';
+          };
         };
       };
-      "${cfg.serverName}" = {
+      "${cfg.serverName}" = let
+        mkWellKnown = data: ''
+          more_set_headers 'Content-Type: application/json';
+          return 200 '${builtins.toJSON data}';
+        '';
+      in {
         locations."= /.well-known/matrix/server".extraConfig = (mkWellKnown matrixServerConfig);
         locations."= /.well-known/matrix/client".extraConfig = (mkWellKnown matrixClientConfig);
       };
-    } // (if cfg.enableElementWeb then {
+    } // (if cfg.element.enable then {
-      "chat.${cfg.serverName}" = {
+      "${elementSubdomain}" = {
         forceSSL = true;
         enableACME = true;
         root = pkgs.unstable.element-web.override {
@@ -170,6 +171,11 @@ in {
       };
     } else {});
 
+    nixpkgs.config.permittedInsecurePackages = [
+      "jitsi-meet-1.0.8043"
+      "olm-3.2.16"
+    ];
+
     services.matrix-synapse = {
       enable = true;
       enableRegistrationScript = true;
@@ -180,32 +186,56 @@ in {
         max_upload_size = "100M";
         report_stats = false;
         server_name = cfg.serverName;
-        app_service_config_files = (lib.optional (lib.elem "mautrix-whatsapp" cfg.bridges)
+        app_service_config_files = (lib.optional cfg.bridges.whatsapp
           "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml");
       };
     };
     systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups =
-      (lib.optional (lib.elem "mautrix-whatsapp" cfg.bridges)
+      (lib.optional cfg.bridges.whatsapp
         config.systemd.services.mautrix-whatsapp.serviceConfig.Group);
 
+    age.secrets = if cfg.slidingSync.enable then {
+      "files/services/matrix/sliding-sync" = {
+        file = "${self.inputs.secrets}/files/services/matrix/sliding-sync.age";
+      };
+    } else {};
+
+    services.matrix-sliding-sync = lib.mkIf cfg.slidingSync.enable {
+      enable = true;
+      environmentFile = config.age.secrets."files/services/matrix/sliding-sync".path;
+      settings = { SYNCV3_SERVER = "https://${matrixSubdomain}"; };
+    };
+
     services.postgresql = lib.mkIf cfg.usePostgresql {
       ensureUsers = [
         {
           name = "matrix-synapse";
           ensureDBOwnership = true;
         }
-      ] ++ lib.map mkBridgeDatabase cfg.bridges;
+      ] ++ (lib.optional cfg.bridges.signal
+        {
+          name = "mautrix-signal";
+          ensureDBOwnership = true;
+        })
+        ++ (lib.optional cfg.bridges.whatsapp
+        {
+          name = "mautrix-whatsapp";
+          ensureDBOwnership = true;
+        });
       ensureDatabases = [
         "matrix-synapse"
-      ] ++ cfg.bridges;
+      ] ++ (lib.optional cfg.bridges.signal
+        "mautrix-signal")
+        ++ (lib.optional cfg.bridges.whatsapp
+        "mautrix-whatsapp");
     };
 
-    services.mautrix-signal = lib.mkIf (lib.elem "mautrix-signal" cfg.bridges) {
+    services.mautrix-signal = lib.mkIf cfg.bridges.signal {
       enable = true;
       settings = commonBridgeSettings "mautrix-signal";
     };
 
-    services.mautrix-whatsapp = lib.mkIf (lib.elem "mautrix-whatsapp" cfg.bridges) {
+    services.mautrix-whatsapp = lib.mkIf cfg.bridges.whatsapp {
       enable = true;
       settings = {
         bridge = {

modules/services/nginx/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -82,6 +82,13 @@ in {
         worker_connections 20000;
         multi_accept off;
       '';
+      proxyCachePath = {
+        "skycam" = {
+          enable = true;
+          keysZoneName = "skycam_cache";
+          maxSize = "100m";
+        };
+      };
       virtualHosts = {
         ## Static sites
         "jellyfin.vimium.com" = {
@@ -105,6 +112,25 @@ in {
             '';
           };
         };
+        "jdholt.com" = {
+          forceSSL = true;
+          enableACME = true;
+          serverAliases = [ "www.jdholt.com" ];
+          extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
+          locations."/skycam/snapshot.jpg" = {
+            extraConfig = ''
+              set $backend "skycam.mesh.vimium.net:8080";
+
+              resolver 100.100.100.100;
+
+              proxy_pass http://$backend/snapshot;
+              proxy_cache skycam_cache;
+              proxy_cache_valid any 10s;
+              proxy_ignore_headers Cache-Control Expires Set-Cookie;
+            '';
+          };
+          locations."/".return = "301 https://vimium.com$request_uri";
+        };
         "pki.vimium.com" = {
           addSSL = true;
           forceSSL = false;
@@ -142,7 +168,6 @@ in {
       ## Redirects
       // (mkRedirect "h0lt.com" "jdholt.com")
       // (mkRedirect "jordanholt.xyz" "jdholt.com")
-      // (mkRedirect "jdholt.com" "vimium.com")
       // (mkRedirect "omnimagic.com" "vimium.com")
       // (mkRedirect "omnimagic.net" "vimium.com")
       // (mkRedirect "thelostlegend.com" "suhailhussain.com")

modules/services/photoprism/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 with lib;
 
@@ -36,7 +36,7 @@ in {
     };
 
     age.secrets."passwords/services/photoprism/admin" = {
-      file = "${inputs.secrets}/passwords/services/photoprism/admin.age";
+      file = "${self.inputs.secrets}/passwords/services/photoprism/admin.age";
     };
 
     services.photoprism = {

modules/shell/zsh/default.nix

@@ -21,7 +21,7 @@ in {
 
     user.packages = with pkgs; [
       fd
-      fzf
+      unstable.fzf
       jq
       nix-zsh-completions
       nnn

overlays/0001-Ignore-IPA-signing.patch

@@ -0,0 +1,25 @@
+From 625939e594ce255afa3fab3a40c3e524460e1f8b Mon Sep 17 00:00:00 2001
+From: Jordan Holt <jordan@vimium.com>
+Date: Sat, 10 Aug 2024 18:28:08 +0100
+Subject: [PATCH] Ignore IPA signing
+
+---
+ src/libcamera/ipa_manager.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
+index 6d5bbd05..43004175 100644
+--- a/src/libcamera/ipa_manager.cpp
++++ b/src/libcamera/ipa_manager.cpp
+@@ -295,7 +295,7 @@ bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
+ 	if (data.empty())
+ 		return false;
+ 
+-	bool valid = pubKey_.verify(data, ipa->signature());
++	bool valid = true;
+ 
+ 	LOG(IPAManager, Debug)
+ 		<< "IPA module " << ipa->path() << " signature is "
+-- 
+2.44.1
+

overlays/0001-Remove-relative-config-lookups.patch

@@ -0,0 +1,142 @@
+From 57128bb78f56cadf9e2dcca5ba4d710c3bd478a7 Mon Sep 17 00:00:00 2001
+From: Jordan Holt <jordan@vimium.com>
+Date: Mon, 5 Aug 2024 21:53:09 +0100
+Subject: [PATCH] Remove relative config lookups
+
+---
+ src/libcamera/ipa_manager.cpp      | 16 ----------
+ src/libcamera/ipa_proxy.cpp        | 48 ++----------------------------
+ src/libcamera/pipeline_handler.cpp | 21 ++-----------
+ 3 files changed, 4 insertions(+), 81 deletions(-)
+
+diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
+index f4e0b633..6d5bbd05 100644
+--- a/src/libcamera/ipa_manager.cpp
++++ b/src/libcamera/ipa_manager.cpp
+@@ -131,22 +131,6 @@ IPAManager::IPAManager()
+ 				<< "No IPA found in '" << modulePaths << "'";
+ 	}
+ 
+-	/*
+-	 * When libcamera is used before it is installed, load IPAs from the
+-	 * same build directory as the libcamera library itself.
+-	 */
+-	std::string root = utils::libcameraBuildPath();
+-	if (!root.empty()) {
+-		std::string ipaBuildPath = root + "src/ipa";
+-		constexpr int maxDepth = 2;
+-
+-		LOG(IPAManager, Info)
+-			<< "libcamera is not installed. Adding '"
+-			<< ipaBuildPath << "' to the IPA search path";
+-
+-		ipaCount += addDir(ipaBuildPath.c_str(), maxDepth);
+-	}
+-
+ 	/* Finally try to load IPAs from the installed system path. */
+ 	ipaCount += addDir(IPA_MODULE_DIR);
+ 
+diff --git a/src/libcamera/ipa_proxy.cpp b/src/libcamera/ipa_proxy.cpp
+index 69975d8f..cd9284a3 100644
+--- a/src/libcamera/ipa_proxy.cpp
++++ b/src/libcamera/ipa_proxy.cpp
+@@ -122,33 +122,11 @@ std::string IPAProxy::configurationFile(const std::string &name,
+ 		}
+ 	}
+ 
+-	std::string root = utils::libcameraSourcePath();
+-	if (!root.empty()) {
+-		/*
+-		 * When libcamera is used before it is installed, load
+-		 * configuration files from the source directory. The
+-		 * configuration files are then located in the 'data'
+-		 * subdirectory of the corresponding IPA module.
+-		 */
+-		std::string ipaConfDir = root + "src/ipa/" + ipaName + "/data";
+-
+-		LOG(IPAProxy, Info)
+-			<< "libcamera is not installed. Loading IPA configuration from '"
+-			<< ipaConfDir << "'";
+-
+-		std::string confPath = ipaConfDir + "/" + name;
++	for (const auto &dir : utils::split(IPA_CONFIG_DIR, ":")) {
++		std::string confPath = dir + "/" + ipaName + "/" + name;
+ 		ret = stat(confPath.c_str(), &statbuf);
+ 		if (ret == 0 && (statbuf.st_mode & S_IFMT) == S_IFREG)
+ 			return confPath;
+-
+-	} else {
+-		/* Else look in the system locations. */
+-		for (const auto &dir : utils::split(IPA_CONFIG_DIR, ":")) {
+-			std::string confPath = dir + "/" + ipaName + "/" + name;
+-			ret = stat(confPath.c_str(), &statbuf);
+-			if (ret == 0 && (statbuf.st_mode & S_IFMT) == S_IFREG)
+-				return confPath;
+-		}
+ 	}
+ 
+ 	if (fallbackName.empty()) {
+@@ -197,28 +175,6 @@ std::string IPAProxy::resolvePath(const std::string &file) const
+ 		}
+ 	}
+ 
+-	/*
+-	 * When libcamera is used before it is installed, load proxy workers
+-	 * from the same build directory as the libcamera directory itself.
+-	 * This requires identifying the path of the libcamera.so, and
+-	 * referencing a relative path for the proxy workers from that point.
+-	 */
+-	std::string root = utils::libcameraBuildPath();
+-	if (!root.empty()) {
+-		std::string ipaProxyDir = root + "src/libcamera/proxy/worker";
+-
+-		LOG(IPAProxy, Info)
+-			<< "libcamera is not installed. Loading proxy workers from '"
+-			<< ipaProxyDir << "'";
+-
+-		std::string proxyPath = ipaProxyDir + proxyFile;
+-		if (!access(proxyPath.c_str(), X_OK))
+-			return proxyPath;
+-
+-		return std::string();
+-	}
+-
+-	/* Else try finding the exec target from the install directory. */
+ 	std::string proxyPath = std::string(IPA_PROXY_DIR) + proxyFile;
+ 	if (!access(proxyPath.c_str(), X_OK))
+ 		return proxyPath;
+diff --git a/src/libcamera/pipeline_handler.cpp b/src/libcamera/pipeline_handler.cpp
+index 5ea2ca78..fd8555ca 100644
+--- a/src/libcamera/pipeline_handler.cpp
++++ b/src/libcamera/pipeline_handler.cpp
+@@ -561,25 +561,8 @@ std::string PipelineHandler::configurationFile(const std::string &subdir,
+ 	struct stat statbuf;
+ 	int ret;
+ 
+-	std::string root = utils::libcameraSourcePath();
+-	if (!root.empty()) {
+-		/*
+-		 * When libcamera is used before it is installed, load
+-		 * configuration files from the source directory. The
+-		 * configuration files are then located in the 'data'
+-		 * subdirectory of the corresponding pipeline handler.
+-		 */
+-		std::string confDir = root + "src/libcamera/pipeline/";
+-		confPath = confDir + subdir + "/data/" + name;
+-
+-		LOG(Pipeline, Info)
+-			<< "libcamera is not installed. Loading platform configuration file from '"
+-			<< confPath << "'";
+-	} else {
+-		/* Else look in the system locations. */
+-		confPath = std::string(LIBCAMERA_DATA_DIR)
+-				+ "/pipeline/" + subdir + '/' + name;
+-	}
++	confPath = std::string(LIBCAMERA_DATA_DIR)
++			+ "/pipeline/" + subdir + '/' + name;
+ 
+ 	ret = stat(confPath.c_str(), &statbuf);
+ 	if (ret == 0 && (statbuf.st_mode & S_IFMT) == S_IFREG)
+-- 
+2.44.1
+

overlays/default.nix

@@ -0,0 +1,35 @@
+final: prev:
+
+/*
+  Generate an overlay from `pkgs` by handling the `callPackage` behaviour
+  ourselves, making exceptions for namespaced package sets. We cannot reuse
+  the definitions from `self.legacyPackages.${prev.system}`, as that would
+  evaluate nixpkgs twice here (prev.system does not exist then).
+*/
+
+let
+  lib = prev.lib;
+
+  pkgs = lib.packagesFromDirectoryRecursive {
+    callPackage = path: overrides: path;
+    directory = ../pkgs;
+  };
+in
+  lib.mapAttrs
+    (name: value:
+      if lib.isAttrs value then
+        if lib.hasAttrByPath [ name "overrideScope" ] prev then
+          # Namespaced package sets created with `lib.makeScope pkgs.newScope`.
+          prev.${name}.overrideScope (final': prev':
+            lib.mapAttrs (name': value': final'.callPackage value' { }) value)
+        else if lib.hasAttrByPath [ name "extend" ] prev then
+          # Namespaced package sets created with `lib.makeExtensible`.
+          prev.${name}.extend (final': prev':
+            lib.mapAttrs (name': value': final.callPackage value' { }) value)
+        else
+          # Namespaced package sets in regular attrsets.
+          prev.${name} // value
+      else
+        final.callPackage value { })
+    pkgs
+

overlays/gnome.nix

@@ -1,10 +1,10 @@
-self: super:
+final: prev:
 {
-  gnome = super.gnome.overrideScope' (gself: gsuper: {
+  gnome = prev.gnome.overrideScope' (gself: gsuper: {
     mutter = gsuper.mutter.overrideAttrs (oldAttrs: {
-      src = super.fetchurl {
+      src = prev.fetchurl {
         url = "https://gitlab.gnome.org/Community/Ubuntu/mutter/-/archive/triple-buffering-v4-46/mutter-triple-buffering-v4-46.tar.gz";
-        sha256 = "mmFABDsRMzYnLO3+Cf3CJ60XyUBl3y9NAUj+vs7nLqE=";
+        sha256 = "9MVb53tcOTkcXJ025bF2kX1+fGSfffliA43q00x2c/Y=";
       };
     });
   });

overlays/libcamera.nix

@@ -0,0 +1,64 @@
+final: prev:
+{
+  libpisp = final.stdenv.mkDerivation {
+    name = "libpisp";
+    version = "1.0.5";
+    src = final.fetchFromGitHub {
+      owner = "raspberrypi";
+      repo = "libpisp";
+      rev = "v1.0.5";
+      hash = "sha256-CHd44CH5dBcZuK+5fZtONZ8HE/lwGKwK5U0BYUK8gG4=";
+    };
+
+    nativeBuildInputs = with final; [
+      pkg-config
+      meson
+      ninja
+    ];
+
+    buildInputs = with final; [
+      nlohmann_json
+      boost
+    ];
+
+    BOOST_INCLUDEDIR = "${prev.lib.getDev final.boost}/include";
+    BOOST_LIBRARYDIR = "${prev.lib.getLib final.boost}/lib";
+  };
+
+  libcamera = prev.libcamera.overrideAttrs (old: {
+    src = final.fetchFromGitHub {
+      owner = "raspberrypi";
+      repo = "libcamera";
+      rev = "eb00c13d7c9f937732305d47af5b8ccf895e700f";
+      hash = "sha256-p0/inkHPRUkxSIsTmj7VI7sIaX7OXdqjMGZ31W7cnt4=";
+    };
+
+    postPatch = ''
+      patchShebangs utils/ src/py/
+    '';
+
+    patches = [
+      ./0001-Remove-relative-config-lookups.patch
+      ./0001-Ignore-IPA-signing.patch
+    ];
+
+    buildInputs = old.buildInputs ++ (with final; [
+      libpisp
+      libglibutil
+    ]);
+
+    mesonFlags = old.mesonFlags ++ [
+      "--buildtype=release"
+      "-Dpipelines=rpi/vc4,rpi/pisp"
+      "-Dipas=rpi/vc4,rpi/pisp"
+      "-Dgstreamer=enabled"
+      "-Dtest=false"
+      "-Dcam=enabled"
+      "-Dpycamera=disabled"
+    ];
+  });
+
+  camera-streamer = prev.callPackage ../pkgs/camera-streamer/package.nix {
+    libcamera = final.libcamera;
+  };
+}

pkgs/camera-streamer/0001-Disable-libdatachannel.patch

@@ -0,0 +1,25 @@
+From 0f17bb86772afe9495891e420a809a0b3c071caf Mon Sep 17 00:00:00 2001
+From: Jordan Holt <jordan@vimium.com>
+Date: Sat, 10 Aug 2024 15:37:15 +0100
+Subject: [PATCH] Disable libdatachannel
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index d5029bd..e50ba1a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -23,7 +23,7 @@ USE_HW_H264 ?= 1
+ USE_FFMPEG ?= $(shell pkg-config libavutil libavformat libavcodec && echo 1)
+ USE_LIBCAMERA ?= $(shell pkg-config libcamera && echo 1)
+ USE_RTSP ?= $(shell pkg-config live555 && echo 1)
+-USE_LIBDATACHANNEL ?= $(shell [ -e $(LIBDATACHANNEL_PATH)/CMakeLists.txt ] && echo 1)
++USE_LIBDATACHANNEL ?= 0
+ 
+ ifeq (1,$(DEBUG))
+ CFLAGS += -g
+-- 
+2.44.1
+

pkgs/camera-streamer/package.nix

@@ -0,0 +1,78 @@
+{ stdenv
+, fetchFromGitHub
+
+, cmake
+, gnumake
+, pkg-config
+, xxd
+
+, v4l-utils
+, nlohmann_json
+, ffmpegSupport ? true
+, ffmpeg
+, libcameraSupport ? true
+, libcamera
+, rtspSupport ? false
+, live555
+, webrtcSupport ? false
+, openssl
+
+, lib
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "camera-streamer";
+  version = "0.2.8";
+
+  src = fetchFromGitHub {
+    owner = "ayufan";
+    repo = "camera-streamer";
+    rev = "refs/tags/v${finalAttrs.version}";
+    hash = "sha256-8vV8BMFoDeh22I1/qxk6zttJROaD/lrThBxXHZSPpT4=";
+    fetchSubmodules = true;
+  };
+
+  patches = [
+    ./0001-Disable-libdatachannel.patch
+  ];
+
+  # Second replacement fixes literal newline in generated version.h.
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace '/usr/local/bin' '/bin' \
+      --replace 'echo "#define' 'echo -e "#define'
+  '';
+
+  env.NIX_CFLAGS_COMPILE = builtins.toString [
+    "-Wno-error=stringop-overflow"
+    "-Wno-error=format"
+    "-Wno-format"
+    "-Wno-format-security"
+    "-Wno-error=unused-result"
+  ];
+
+  nativeBuildInputs = [
+    cmake
+    gnumake
+    pkg-config
+    xxd
+  ];
+
+  dontUseCmakeConfigure = true;
+
+  buildInputs = [ nlohmann_json v4l-utils ]
+    ++ (lib.optional ffmpegSupport ffmpeg)
+    ++ (lib.optional libcameraSupport libcamera)
+    ++ (lib.optional rtspSupport live555)
+    ++ (lib.optional webrtcSupport openssl);
+
+  installFlags = [ "DESTDIR=${builtins.placeholder "out"}" ];
+  preInstall = "mkdir -p $out/bin";
+
+  meta = with lib; {
+    description = "High-performance low-latency camera streamer for Raspberry Pi's";
+    website = "https://github.com/ayufan/camera-streamer";
+    license = licenses.gpl3Only;
+  };
+})
+

pkgs/rpicam-apps/package.nix

@@ -0,0 +1,58 @@
+{ stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, pkg-config
+, boost
+, ffmpeg
+, libcamera
+, libdrm
+, libexif
+, libjpeg
+, libpng
+, libtiff
+, lib
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "rpicam-apps";
+  version = "1.4.1";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "rpicam-apps";
+    rev = "v" + finalAttrs.version;
+    hash = "sha256-3NG2ZE/Ub3lTbfne0LCXuDgLGTPaAAADRdElEbZwvls=";
+  };
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    pkg-config
+  ];
+
+  buildInputs = [
+    boost
+    ffmpeg
+    libcamera
+    libdrm
+    libexif
+    libjpeg
+    libpng
+    libtiff
+  ];
+
+  # Meson is no longer able to pick up Boost automatically:
+  # https://github.com/NixOS/nixpkgs/issues/86131
+  BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
+  BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
+
+  meta = with lib; {
+    description = ''
+      libcamera-based applications to drive the cameras on a Raspberry Pi platform
+    '';
+    homepage = "https://github.com/raspberrypi/rpicam-apps";
+    license = licenses.bsd2;
+  };
+})
+