flake.lock: Update

Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/f1a00e7f55dc266ef286cc6fc8458fa2b5ca2414' (2024-07-08) → 'github:nix-community/disko/786965e1b1ed3fd2018d78399984f461e2a44689' (2024-07-11) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/194846768975b7ad2c4988bdb82572c00222c0d7' (2024-07-07) → 'github:NixOS/nixpkgs/249fbde2a178a2ea2638b65b9ecebd531b338cf9' (2024-07-09) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/655a58a72a6601292512670343087c2d75d859c1' (2024-07-08) → 'github:NixOS/nixpkgs/feb2849fdeb70028c70d73b848214b00d324a497' (2024-07-09) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/995d818078778b366e6302ea32d83c2ba586e015' (2024-07-07) → 'github:nix-community/plasma-manager/f0691e1a9fff4684ce399c345c3a941d2ef0fe78' (2024-07-10)
flake.lock: Update
2024-07-11 11:06:21 +01:00 · 2024-07-09 21:51:42 +01:00 · 2024-07-09 09:05:14 +01:00 · 2024-07-09 09:03:37 +01:00 · 2024-07-09 00:17:11 +01:00 · 2024-07-08 23:27:50 +01:00
58 changed files with 2273 additions and 769 deletions
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -0,0 +1,15 @@
 name: Check flake
 on:
  push:
    branches: ['master']
 jobs:
  build-amd64-linux:
    runs-on: nix
    steps:
      - uses: actions/checkout@v4
        with:
          ref: master
      - name: Check flake
        run: |
          echo "Checking flake at ${{ gitea.ref }}"
          nix flake check
--- a/README.md
+++ b/README.md
@@ -9,16 +9,47 @@ System and user configuration for NixOS-based systems.
 | **Theme:** | adwaita |
 | **Terminal:** | Console |
-## Provisioning
+## Provisioning a new host
-> [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) is the module used for provisioning
+> [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) is the module used
 > for provisioning
 Generate a new SSH host key in "$temp/etc/ssh" as per [this guide](https://nix-community.github.io/nixos-anywhere/howtos/secrets.html#example-decrypting-an-openssh-host-key-with-pass).
 ```
 ssh-keygen -t ed25519 -f /tmp/ssh_host_ed25519_key
 ```
-Then run;
+Update [nix-secrets](/jordan/nix-secrets) with the new host key to enable the system to decrypt
 any relevant secrets.
 In order to use the borgmatic module for backups, go to [borgbase.com](https://borgbase.com).
 Add the generated SSH host key and create a new repository for the system.
 Create a new directory under `hosts/` with a system configuration and disk layout.
 Boot the NixOS installer (or any Linux distribution) on the target.
 Then run:
 ```
 nix run github:nix-community/nixos-anywhere -- \
  --disk-encryption-keys /tmp/secret.key /tmp/secret.key \
  --extra-files "$temp" \
  --flake .#<hostname> \
-  root@<ip>
+  root@<target-ip>
 ```
 ### Post install
 If backups are configured, you'll need to run:
 ```
 borgmatic init --encryption repokey-blake2
 ```
 then restart `borgmatic`.
 To join the Tailscale network, run:
 ```
 tailscale up --login-server https://headscale.vimium.net
 ```
 then visit the URL, SSH onto `vps1` and run `headscale --user mesh nodes register --key <key>`.
 The new node can optionally be given a friendly name with `headscale node rename -i <index> <hostname>`.
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1707830867,
+        "lastModified": 1720546205,
-        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
        "type": "github"
      },
      "original": {
@@ -21,6 +21,22 @@
        "type": "github"
      }
    },
    "blobs": {
      "flake": false,
      "locked": {
        "lastModified": 1604995301,
        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "type": "gitlab"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@@ -50,11 +66,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1708091384,
+        "lastModified": 1718194053,
-        "narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=",
+        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790",
+        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
        "type": "github"
      },
      "original": {
@@ -63,6 +79,28 @@
        "type": "github"
      }
    },
    "devshell": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1717408969,
        "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "1ebbe68d57457c8cae98145410b164b5477761f4",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -70,11 +108,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1709439398,
+        "lastModified": 1720661479,
-        "narHash": "sha256-MW0zp3ta7SvdpjvhVCbtP20ewRwQZX2vRFn14gTc4Kg=",
+        "narHash": "sha256-nsGgA14vVn0GGiqEfomtVgviRJCuSR3UEopfP8ixW1I=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "1f76b318aa11170c8ca8c225a9b4c458a5fcbb57",
+        "rev": "786965e1b1ed3fd2018d78399984f461e2a44689",
        "type": "github"
      },
      "original": {
@@ -86,11 +124,11 @@
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1708965002,
+        "lastModified": 1719758591,
-        "narHash": "sha256-gIBZCPB0sA8Gagrxd8w4+y9uUkWBnXJBmq9Ur5BYTQU=",
+        "narHash": "sha256-3DE/UnxJxRWjtWPZuuiT3TIG7HrHf+srpmiCTFkrAQs=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
-        "rev": "4e966509c180f93ba8665cd73cad8456bf44baab",
+        "rev": "8fb5267c5b3434f76983e29749aba7cd636e03ca",
        "type": "github"
      },
      "original": {
@@ -115,6 +153,157 @@
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_3": {
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "revCount": 57,
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
      }
    },
    "flake-compat_4": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1719994518,
        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1701680307,
        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": "flake-compat_4",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1720450253,
        "narHash": "sha256-1in42htN3g3MnE3/AO5Qgs6pMWUzmtPQ7s675brO8uw=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "2b6bd3c87d3a66fb0b8f2f06c985995e04b4fb96",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitea-github-theme": {
      "flake": false,
      "locked": {
        "lastModified": 1717248105,
        "narHash": "sha256-BwSsIkl7DpN/c8HNXOh2aKjOuPmFsGybv4RegOC7Xq0=",
        "ref": "main",
        "rev": "4f829f88e6f443ff048c4d337bd010315aa4b50a",
        "revCount": 101,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/gitea-github-theme.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/gitea-github-theme.git"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "nixvim",
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -143,27 +332,86 @@
        ]
      },
      "locked": {
-        "lastModified": 1706981411,
+        "lastModified": 1720042825,
-        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
+        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
+        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_3": {
      "inputs": {
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1720042825,
        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "kvlibadwaita": {
      "flake": false,
      "locked": {
        "lastModified": 1710621848,
        "narHash": "sha256-xBl6zmpqTAH5MIT5iNAdW6kdOcB5MY0Dtrb95hdYpwA=",
        "owner": "GabePoel",
        "repo": "KvLibadwaita",
        "rev": "87c1ef9f44ec48855fd09ddab041007277e30e37",
        "type": "github"
      },
      "original": {
        "owner": "GabePoel",
        "repo": "KvLibadwaita",
        "type": "github"
      }
    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1720337362,
        "narHash": "sha256-9TNQtlwu97NPaJYsKkdObOsy0MLN4NAOBz0pqwH3KnA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "0f89b73f41eaa1dde67b291452c181d9a75f10dd",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1709410583,
+        "lastModified": 1720515935,
-        "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
+        "narHash": "sha256-8b+fzR4W2hI5axwB+4nBwoA15awPKkck4ghhCt8v39M=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
+        "rev": "a111ce6b537df12a39874aa9672caa87f8677eda",
        "type": "github"
      },
      "original": {
@@ -172,6 +420,31 @@
        "type": "github"
      }
    },
    "nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat_2",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-24_05": "nixpkgs-24_05",
        "utils": "utils_2"
      },
      "locked": {
        "lastModified": 1718084203,
        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "ref": "nixos-24.05",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1703013332,
@@ -188,13 +461,28 @@
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-24_05": {
      "locked": {
-        "lastModified": 1709237383,
+        "lastModified": 1717144377,
-        "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-24.05",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1720542800,
        "narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "feb2849fdeb70028c70d73b848214b00d324a497",
        "type": "github"
      },
      "original": {
@@ -221,29 +509,85 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1709309926,
+        "lastModified": 1720553833,
-        "narHash": "sha256-VZFBtXGVD9LWTecGi6eXrE0hJ/mVB3zGUlHImUs2Qak=",
+        "narHash": "sha256-IXMiHQMtdShDXcBW95ctA+m5Oq2kLxnBt7WlMxvDQXA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "79baff8812a0d68e24a836df0a364c678089e2c7",
+        "rev": "249fbde2a178a2ea2638b65b9ecebd531b338cf9",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
        "type": "indirect"
      }
    },
    "nixvim": {
      "inputs": {
        "devshell": "devshell",
        "flake-compat": "flake-compat_3",
        "flake-parts": "flake-parts",
        "git-hooks": "git-hooks",
        "home-manager": "home-manager_3",
        "nix-darwin": "nix-darwin",
        "nixpkgs": [
          "nixpkgs"
        ],
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
        "lastModified": 1720472744,
        "narHash": "sha256-BJf06/uE8XgjSqXB6ftabinqK+qaAmWA0dLxAfLrAjw=",
        "owner": "nix-community",
        "repo": "nixvim",
        "rev": "2c52164a4f1b863f5eda842b4b9423b7f2677ddc",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "nixos-24.05",
        "repo": "nixvim",
        "type": "github"
      }
    },
    "plasma-manager": {
      "inputs": {
        "home-manager": [
          "home-manager"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1720603727,
        "narHash": "sha256-A5qYbCT3rHvVi95u8Zy12cRmW5OPT7yFl1LrTDSejyE=",
        "owner": "nix-community",
        "repo": "plasma-manager",
        "rev": "f0691e1a9fff4684ce399c345c3a941d2ef0fe78",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "plasma-manager",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "deploy-rs": "deploy-rs",
        "disko": "disko",
        "firefox-gnome-theme": "firefox-gnome-theme",
        "gitea-github-theme": "gitea-github-theme",
        "home-manager": "home-manager_2",
        "kvlibadwaita": "kvlibadwaita",
        "nixos-hardware": "nixos-hardware",
        "nixos-mailserver": "nixos-mailserver",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nixvim": "nixvim",
        "plasma-manager": "plasma-manager",
        "secrets": "secrets",
        "thunderbird-gnome-theme": "thunderbird-gnome-theme"
      }
@@ -251,11 +595,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1709495020,
+        "lastModified": 1720459643,
-        "narHash": "sha256-eiz0qUjUbdeb6m28XPY7OVnrGMZ45JiT2dZZ0Bmq2X0=",
+        "narHash": "sha256-X71/NplPXPe9pCvrd9ELpnYBEYtju4+x3LA7S5I1GXM=",
        "ref": "refs/heads/master",
-        "rev": "d135b4d6d5f0079999188895f8b5f35e821b0d4b",
+        "rev": "f8d68b934f4380ecbc6365b4ef7f7c632833d1aa",
-        "revCount": 14,
+        "revCount": 21,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
@@ -294,14 +638,44 @@
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "thunderbird-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1701889124,
+        "lastModified": 1710774977,
-        "narHash": "sha256-K+6oh7+J6RDBFkxphY/pzf0B+q5+IY54ZMKZrFSKXlc=",
+        "narHash": "sha256-nQBz2PW3YF3+RTflPzDoAcs6vH1PTozESIYUGAwvSdA=",
        "owner": "rafaelmardojai",
        "repo": "thunderbird-gnome-theme",
-        "rev": "966e9dd54bd2ce9d36d51cd6af8c3bac7a764a68",
+        "rev": "65d5c03fc9172d549a3ea72fd366d544981a002b",
        "type": "github"
      },
      "original": {
@@ -310,6 +684,27 @@
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1720436211,
        "narHash": "sha256-/cKXod0oGLl+vH4bKBZnTV3qxrw4jgOLnyQ8KXey5J8=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "6fc8bded78715cdd43a3278a14ded226eb3a239e",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "utils": {
      "inputs": {
        "systems": "systems_2"
@@ -327,6 +722,24 @@
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "utils_2": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1709126324,
        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
  description = "NixOS system configuration";
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11";
+    nixpkgs.url = "nixpkgs/nixos-24.05";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
    # nixpkgs-master.url = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
@@ -12,14 +12,35 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager = {
-      url = "github:nix-community/home-manager/release-23.11";
+      url = "github:nix-community/home-manager/release-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    firefox-gnome-theme = {
      url = "github:rafaelmardojai/firefox-gnome-theme";
      flake = false;
    };
    gitea-github-theme = {
      url = "git+ssh://git@git.vimium.com/jordan/gitea-github-theme.git?ref=main";
      flake = false;
    };
    kvlibadwaita = {
      url = "github:GabePoel/KvLibadwaita";
      flake = false;
    };
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixvim = {
      url = "github:nix-community/nixvim/nixos-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    plasma-manager = {
      url = "github:nix-community/plasma-manager";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
    secrets = {
      url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
      flake = false;
@@ -30,7 +51,7 @@
    };
  };
-  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, secrets, ... }:
+  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, nixos-mailserver, ... }:
    let
      mkPkgsForSystem = system: inputs.nixpkgs;
      overlays = [
@@ -46,6 +67,7 @@
      commonModules = [
        agenix.nixosModules.age
        disko.nixosModules.disko
        nixos-mailserver.nixosModule
        home-manager.nixosModule
        ./modules
      ];
@@ -64,6 +86,7 @@
                nixpkgs.pkgs = import nixpkgs {
                  inherit overlays system;
                  config.allowUnfree = true;
                  config.nvidia.acceptLicense = true;
                };
                networking.hostName = name;
              })
@@ -78,6 +101,7 @@
        helios = mkNixosSystem { system = "x86_64-linux"; name = "helios"; };
        hypnos = mkNixosSystem { system = "x86_64-linux"; name = "hypnos"; };
        library = mkNixosSystem { system = "x86_64-linux"; name = "library"; };
        mail = mkNixosSystem { system = "x86_64-linux"; name = "mail"; };
        odyssey = mkNixosSystem { system = "x86_64-linux"; name = "odyssey"; };
        pi = mkNixosSystem { system = "aarch64-linux"; name = "pi"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
        vps1 = mkNixosSystem { system = "x86_64-linux"; name = "vps1"; };
@@ -94,6 +118,14 @@
        autoRollback = true;
        sshUser = "root";
        nodes = {
          mail = {
            hostname = "mail.mesh.vimium.net";
            profiles.system = {
              user = "root";
              path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.mail;
            };
          };
          vps1 = {
            hostname = "vps1.mesh.vimium.net";
--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 {
  imports = [
@@ -16,6 +16,9 @@
    networkmanager.enable = true;
  };
  virtualisation.virtualbox.host.enable = true;
  users.extraGroups.vboxusers.members = [ "jordan" ];
  modules = {
    desktop = {
      apps = {
@@ -36,7 +39,6 @@
    };
    editors = {
      neovim.enable = true;
      vscode.enable = true;
    };
    security = {
      gpg.enable = true;
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -48,7 +48,7 @@
      min-free = 128000000;
      max-free = 1000000000;
      fallback = true;
-      allowed-users = [ "@wheel" ];
+      trusted-users = [ "@wheel" ];
      auto-optimise-store = true;
      substituters = [
        "http://odyssey.mesh.vimium.net"
--- a/hosts/desktop.nix
+++ b/hosts/desktop.nix
@@ -21,7 +21,18 @@
  fileSystems."/mnt/library" = {
    device = "library.mesh.vimium.net:/mnt/library";
    fsType = "nfs";
-    options = [ "nfsvers=4.2" "soft" "nocto" "ro" "x-systemd.automount" "noauto" ];
+    options = [
      "nfsvers=4.2"
      "bg"
      "soft"
      "timeo=20"
      "retry=5"
      "nocto"
      "ro"
      "x-systemd.automount"
      "x-systemd.requires=tailscaled.service"
      "noauto"
    ];
  };
  system.autoUpgrade = {
@@ -30,8 +41,35 @@
    randomizedDelaySec = "10min";
  };
  systemd.services.NetworkManager-wait-online.enable = false;
  fonts.packages = with pkgs; [
    noto-fonts
    (nerdfonts.override { fonts = [ "BigBlueTerminal" "ComicShannsMono" "Terminus" "UbuntuMono" ]; })
  ];
  modules = {
    desktop.gnome.enable = true;
    networking.tailscale.enable = true;
  };
  environment.systemPackages = with pkgs; [
    bind
    bmon
    fd
    ffmpeg
    iotop
    unstable.nix-du
    # unstable.nix-melt
    unstable.nix-tree
    unstable.nix-visualize
    ripgrep
    rsync
    tcpdump
    tokei
    tree
    wl-clipboard
  ];
  environment.sessionVariables.NIXOS_OZONE_WL = "1";
 }
--- a/hosts/hypnos/0001-Add-apple_set_os-EFI-boot-service.patch
+++ b/hosts/hypnos/0001-Add-apple_set_os-EFI-boot-service.patch
@@ -0,0 +1,102 @@
 From d310ddee0fb8e7a5a8b89668c6cb8f9dc863ce94 Mon Sep 17 00:00:00 2001
 From: Jordan Holt <jordan@vimium.com>
 Date: Sun, 28 Apr 2024 15:59:52 +0100
 Subject: [PATCH] Add apple_set_os EFI boot service
 ---
 drivers/firmware/efi/libstub/x86-stub.c | 59 +++++++++++++++++++++++++
 include/linux/efi.h                     |  1 +
 2 files changed, 60 insertions(+)
 diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
 index d5a8182cf..be722c43a 100644
 --- a/drivers/firmware/efi/libstub/x86-stub.c
 +++ b/drivers/firmware/efi/libstub/x86-stub.c
@@ -449,6 +449,63 @@ static void setup_graphics(struct boot_params *boot_params)
 	}
 }
 +typedef struct {
 +	u64 version;
 +	void (*set_os_version) (const char *os_version);
 +	void (*set_os_vendor) (const char *os_vendor);
 +} apple_set_os_interface_t;
 +
 +static efi_status_t apple_set_os()
 +{
 +	apple_set_os_interface_t *set_os;
 +	efi_guid_t set_os_guid = APPLE_SET_OS_PROTOCOL_GUID;
 +	efi_status_t status;
 +	void **handles;
 +	unsigned long i, nr_handles, size = 0;
 +
 +	status = efi_bs_call(locate_handle, EFI_LOCATE_BY_PROTOCOL,
 +			     &set_os_guid, NULL, &size, handles);
 +
 +	if (status == EFI_BUFFER_TOO_SMALL) {
 +		status = efi_bs_call(allocate_pool, EFI_LOADER_DATA,
 +				     size, &handles);
 +
 +		if (status != EFI_SUCCESS)
 +			return status;
 +
 +		status = efi_bs_call(locate_handle, EFI_LOCATE_BY_PROTOCOL,
 +				     &set_os_guid, NULL, &size, handles);
 +	}
 +
 +	if (status != EFI_SUCCESS)
 +		goto free_handle;
 +
 +	nr_handles = size / sizeof(void *);
 +	for (i = 0; i < nr_handles; i++) {
 +		void *h = handles[i];
 +
 +		status = efi_bs_call(handle_protocol, h,
 +				     &set_os_guid, &set_os);
 +
 +		if (status != EFI_SUCCESS || !set_os)
 +			continue;
 +
 +		if (set_os->version > 0) {
 +			efi_bs_call((unsigned long)set_os->set_os_version,
 +					"Mac OS X 10.9");
 +		}
 +
 +		if (set_os->version >= 2) {
 +			efi_bs_call((unsigned long)set_os->set_os_vendor,
 +					"Apple Inc.");
 +		}
 +	}
 +
 +free_handle:
 +	efi_bs_call(free_pool, uga_handle);
 +
 +	return status;
 +}
 static void __noreturn efi_exit(efi_handle_t handle, efi_status_t status)
 {
@@ -951,6 +1008,8 @@ void __noreturn efi_stub_entry(efi_handle_t handle,
 	setup_unaccepted_memory();
 +	apple_set_os();
 +
 	status = exit_boot(boot_params, handle);
 	if (status != EFI_SUCCESS) {
 		efi_err("exit_boot() failed!\n");
 diff --git a/include/linux/efi.h b/include/linux/efi.h
 index d59b0947f..81158014f 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
@@ -385,6 +385,7 @@ void efi_native_runtime_setup(void);
 #define EFI_MEMORY_ATTRIBUTES_TABLE_GUID	EFI_GUID(0xdcfa911d, 0x26eb, 0x469f,  0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
 #define EFI_CONSOLE_OUT_DEVICE_GUID		EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4,  0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
 #define APPLE_PROPERTIES_PROTOCOL_GUID		EFI_GUID(0x91bd12fe, 0xf6c3, 0x44fb,  0xa5, 0xb7, 0x51, 0x22, 0xab, 0x30, 0x3a, 0xe0)
 +#define APPLE_SET_OS_PROTOCOL_GUID		EFI_GUID(0xc5c5da95, 0x7d5c, 0x45e6,  0xb2, 0xf1, 0x3f, 0xd5, 0x2b, 0xb1, 0x00, 0x77)
 #define EFI_TCG2_PROTOCOL_GUID			EFI_GUID(0x607f766c, 0x7455, 0x42be,  0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
 #define EFI_TCG2_FINAL_EVENTS_TABLE_GUID	EFI_GUID(0x1e2ed096, 0x30e2, 0x4254,  0xbd, 0x89, 0x86, 0x3b, 0xbe, 0xf8, 0x23, 0x25)
 #define EFI_LOAD_FILE_PROTOCOL_GUID		EFI_GUID(0x56ec3091, 0x954c, 0x11d2,  0x8e, 0x3f, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
 -- 
 2.42.0
--- a/hosts/hypnos/default.nix
+++ b/hosts/hypnos/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 {
  imports = [
@@ -14,6 +14,21 @@
  networking.hostId = "cf791898";
  # nvidia 470 driver doesn't work with Wayland
  services = {
    xserver = {
      displayManager.gdm.wayland = lib.mkForce false;
      videoDrivers = [ "nvidia" ];
    };
    displayManager = {
      defaultSession = if config.modules.desktop.kde.enable then "plasmax11" else "gnome-xorg";
      sddm.wayland.enable = lib.mkForce false;
    };
  };
  # Workaround for label rendering bug in GTK4 with nvidia 470 driver
  environment.sessionVariables.GSK_RENDERER = "gl";
  modules = {
    desktop = {
      browsers = {
--- a/hosts/hypnos/hardware-configuration.nix
+++ b/hosts/hypnos/hardware-configuration.nix
@@ -7,9 +7,11 @@
  boot = {
    initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "applesmc" "kvm-intel" "wl" ];
-    extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
+    extraModulePackages = [
      config.boot.kernelPackages.broadcom_sta
      config.boot.kernelPackages.nvidiaPackages.legacy_470
    ];
  };
  networking.useDHCP = lib.mkDefault true;
@@ -19,9 +21,18 @@
  hardware = {
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    nvidia = {
      package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
      modesetting.enable = true;
      powerManagement.enable = true;
    };
    opengl = {
      enable = true;
      extraPackages = with pkgs; [
        libvdpau-va-gl
      ];
      driSupport = true;
      driSupport32Bit = true;
    };
  };
 }
--- a/hosts/library/default.nix
+++ b/hosts/library/default.nix
@@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 with lib.my;
 {
  imports = [
    ./hardware-configuration.nix
@@ -21,12 +20,7 @@ with lib.my;
      allowedTCPPorts = [
        22  # SSH
      ];
      interfaces."podman+" = {
        allowedUDPPorts = [ 53 ];
        allowedTCPPorts = [ 53 ];
      };
    };
    networkmanager.enable = true;
  };
  services.zfs = {
@@ -48,6 +42,17 @@ with lib.my;
    enable = true;
  };
  services.grafana = {
    enable = true;
    settings = {
      server = {
        domain = "library.mesh.vimium.net";
        http_addr = "0.0.0.0";
        http_port = 3000;
      };
    };
  };
  services.prometheus = {
    enable = true;
    port = 9001;
@@ -64,7 +69,7 @@ with lib.my;
    };
    scrapeConfigs = [
      {
-        job_name = "library";
+        job_name = "node";
        static_configs = [{
          targets = [
            "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
@@ -150,9 +155,22 @@ with lib.my;
    };
  };
-  services.jellyfin.enable = true;
+  hardware.opengl = {
    enable = true;
    extraPackages = with pkgs; [
      vaapiVdpau
    ];
    driSupport = true;
  };
  users.users.jellyfin.extraGroups = [ "video" "render" ];
  services.jellyfin = {
    enable = true;
    cacheDir = "/var/cache/jellyfin";
    dataDir = "/var/lib/jellyfin";
  };
  modules = {
    podman.enable = true;
    security = {
      gpg.enable = true;
    };
@@ -163,6 +181,7 @@ with lib.my;
      borgmatic = {
        enable = true;
        directories = [
          config.services.jellyfin.dataDir
          "/home/jordan"
        ];
        repoPath = "ssh://b61758r4@b61758r4.repo.borgbase.com/./repo";
--- a/hosts/mail/README.md
+++ b/hosts/mail/README.md
@@ -0,0 +1,18 @@
 # Mail server
 ## Overview
 Mail server hosted in OVH.
 ## Specs
 * CPU - ??
 * Memory - ??
 ### Disks
 Device | Partitions _(filesystem, usage)_
 --- | ---
 NVMe | `/dev/sda1` (ext4, NixOS Root)
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `mail.mesh.vimium.net`.
--- a/hosts/mail/default.nix
+++ b/hosts/mail/default.nix
@@ -0,0 +1,49 @@
 { config, lib, pkgs, inputs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disko-config.nix
    ../server.nix
  ];
  networking = {
    hostId = "08ac2f14";
    domain = "mesh.vimium.net";
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22    # SSH
      ];
    };
  };
  users = {
    users = {
      root = {
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
        ];
      };
    };
  };
  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
  modules = {
    services = {
      borgmatic = {
        enable = true;
        directories = [
          "/var/dkim"
          "/var/lib"
          "/var/vmail"
        ];
        repoPath = "ssh://kg2mpt28@kg2mpt28.repo.borgbase.com/./repo";
      };
      mail.enable = true;
    };
  };
  system.stateVersion = "22.11";
 }
--- a/hosts/mail/disko-config.nix
+++ b/hosts/mail/disko-config.nix
@@ -0,0 +1,55 @@
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "2M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "300M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "lvm_pv";
              vg = "pool";
            };
          };
        };
      };
    };
    lvm_vg = {
      pool = {
        type = "lvm_vg";
        lvs = {
          root = {
            size = "100%FREE";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
              mountOptions = [
                "defaults"
              ];
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/mail/hardware-configuration.nix
+++ b/hosts/mail/hardware-configuration.nix
@@ -0,0 +1,22 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot = {
    initrd = {
      availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
      kernelModules = [ "nvme" ];
    };
    loader.grub = {
      efiSupport = true;
      efiInstallAsRemovable = true;
    };
    tmp.cleanOnBoot = true;
  };
  zramSwap.enable = true;
 }
--- a/hosts/odyssey/default.nix
+++ b/hosts/odyssey/default.nix
@@ -47,13 +47,16 @@
      browsers = {
        firefox.enable = true;
      };
-      gaming.emulators = {
+      gaming = {
-        gamecube.enable = true;
+        emulators = {
-        ps2.enable = true;
+          gamecube.enable = true;
-        ps3.enable = true;
+          ps2.enable = true;
-        psp.enable = true;
+          ps3.enable = true;
-        wii.enable = true;
+          psp.enable = true;
-        xbox.enable = true;
+          wii.enable = true;
          xbox.enable = true;
        };
        lutris.enable = true;
      };
      media.graphics = {
        modeling.enable = true;
@@ -64,13 +67,13 @@
        audio.enable = true;
        video.enable = true;
      };
      office.libreoffice.enable = true;
    };
    dev = {
      node.enable = true;
    };
    editors = {
      neovim.enable = true;
      vscode.enable = true;
    };
    hardware.presonus-studio.enable = true;
    security = {
@@ -82,9 +85,16 @@
        enable = true;
        directories = [
          "/home/jordan/Documents"
          "/home/jordan/Downloads"
          "/home/jordan/Music"
          "/home/jordan/Pictures"
          "/home/jordan/projects"
          "/home/jordan/Videos"
          "/home/jordan/.mozilla"
        ];
        repoPath = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo";
      };
      gitea-runner.enable = true;
    };
    shell = {
      git.enable = true;
--- a/hosts/odyssey/hardware-configuration.nix
+++ b/hosts/odyssey/hardware-configuration.nix
@@ -19,6 +19,7 @@
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    nvidia = {
      modesetting.enable = true;
      package = config.boot.kernelPackages.nvidiaPackages.beta;
      powerManagement.enable = true;
    };
  };
--- a/hosts/server.nix
+++ b/hosts/server.nix
@@ -7,15 +7,51 @@
  documentation.enable = false;
  fonts.fontconfig.enable = false;
  security = {
-    acme.acceptTerms = true;
+    acme = {
-    auditd.enable = true;
+      acceptTerms = true;
-    audit = {
+      defaults = {
-      enable = true;
+        email = "hostmaster@vimium.com";
-      rules = [
+        group = "nginx";
-        "-a exit,always -F arch=b64 -S execve"
+        webroot = "/var/lib/acme/acme-challenge";
-      ];
+      };
    };
    # auditd.enable = true;
    # audit = {
    #   enable = true;
    #   rules = [
    #     "-a exit,always -F arch=b64 -S execve"
    #   ];
    # };
  };
  systemd = {
    enableEmergencyMode = false;
    sleep.extraConfig = ''
      AllowSuspend=no
      AllowHibernation=no
    '';
    watchdog = {
      runtimeTime = "20s";
      rebootTime = "30s";
    };
  };
  services.fail2ban = {
    enable = true;
    bantime = "1h";
    bantime-increment = {
      enable = true;
      maxtime = "24h";
      rndtime = "7m";
    };
    ignoreIP = [
      "100.64.0.0/10"
    ];
  };
  modules.networking.tailscale = {
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -1,4 +1,7 @@
-{ config, lib, pkgs, inputs, ... }:
+{
  lib,
  ...
 }:
 {
  imports = [
@@ -40,13 +43,8 @@
  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
-  security.acme.defaults = {
+  modules = rec {
-    email = "hostmaster@vimium.com";
+    databases.postgresql.enable = true;
    group = "nginx";
    webroot = "/var/lib/acme/acme-challenge";
  };
  modules = {
    services = {
      borgmatic = {
        enable = true;
@@ -57,11 +55,19 @@
        ];
        repoPath = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo";
      };
-      coturn.enable = true;
+      coturn = {
        enable = true;
        realm = "turn.vimium.com";
        matrixIntegration = true;
      };
      gitea.enable = true;
      headscale.enable = true;
-      matrix-synapse.enable = true;
+      matrix-synapse = {
        enable = true;
        usePostgresql = databases.postgresql.enable;
      };
      nginx.enable = true;
      photoprism.enable = true;
    };
  };
--- a/modules/databases/postgresql.nix
+++ b/modules/databases/postgresql.nix
@@ -0,0 +1,40 @@
 {
  config,
  lib,
  ...
 }:
 let
  cfg = config.modules.databases.postgresql;
 in {
  options.modules.databases.postgresql = {
    enable = lib.mkOption {
      default = false;
      example = true;
    };
  };
  config = lib.mkIf cfg.enable {
    services.postgresql = {
      enable = true;
      initdbArgs = [
        "--allow-group-access"
        "--encoding=UTF8"
        "--locale=C"
      ];
      settings = {
        log_connections = true;
        log_disconnections = true;
        log_destination = lib.mkForce "syslog";
      };
    };
    services.borgmatic.settings = {
      postgresql_databases = [
        {
          name = "all";
        }
      ];
    };
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,12 +1,18 @@
 {
  imports = [
    ./options.nix
    ./podman.nix
    ./databases/postgresql.nix
    ./desktop/gnome.nix
    ./desktop/forensics.nix
    ./desktop/hyprland.nix
    ./desktop/kde.nix
    ./desktop/mimeapps.nix
    ./desktop/apps/qbittorrent.nix
    ./desktop/apps/slack.nix
    ./desktop/apps/thunderbird.nix
    ./desktop/apps/zoom.nix
    ./desktop/browsers/brave.nix
    ./desktop/browsers/firefox.nix
    ./desktop/gaming/emulators.nix
    ./desktop/gaming/lutris.nix
@@ -31,11 +37,15 @@
    ./security/gpg.nix
    ./security/pass.nix
    ./services/borgmatic
    ./services/chrony
    ./services/coturn
    ./services/gitea
    ./services/gitea-runner
    ./services/headscale
    ./services/mail
    ./services/matrix-synapse
    ./services/nginx
    ./services/photoprism
    ./shell/git
    ./shell/zsh
  ];
--- a/modules/desktop/browsers/brave.nix
+++ b/modules/desktop/browsers/brave.nix
@@ -0,0 +1,17 @@
 { config, lib, pkgs, inputs, ... }:
 let cfg = config.modules.desktop.browsers.brave;
 in {
  options.modules.desktop.browsers.brave = {
    enable = lib.mkOption {
      default = false;
      example = true;
    };
  };
  config = lib.mkIf cfg.enable {
    user.packages = with pkgs; [
      brave
    ];
  };
 }
--- a/modules/desktop/browsers/firefox.nix
+++ b/modules/desktop/browsers/firefox.nix
@@ -35,23 +35,46 @@ in {
          ## Preferences
          "browser.ctrlTab.sortByRecentlyUsed" = true;
          "browser.discovery.enabled" = false;
          "browser.newtabpage.enabled" = false;
          "browser.newtabpage.activity-stream.showSponsored" = false;
          "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
          "browser.newtabpage.activity-stream.default.sites" = "";
          "browser.privatebrowsing.forceMediaMemoryCache" = true;
          "browser.search.widget.inNavBar" = true;
          "browser.startup.page" = 3;
          "browser.startup.homepage" = "https://www.vimium.com";
          "browser.toolbars.bookmarks.visibility" = "never";
          "browser.uitour.enabled" = false;
          "media.memory_cache_max_size" = 65536;
          ## Performance
          "gfx.webrender.all" = true;
          "gfx.webrender.compositor" = true;
          "gfx.webrender.enable" = true;
          "layers.acceleration.force-enabled" = true;
          "media.ffmpeg.vaapi.enabled" = true;
          ## Experiments
          "app.normandy.enabled" = false;
          "app.normandy.api_url" = "";
          "app.normandy.user_id" = "";
          "app.shield.optoutstudies.enabled" = false;
          "browser.shopping.experience2023.active" = false;
          "browser.shopping.experience2023.enabled" = false;
          "extensions.screenshots.disabled" = true;
          "extensions.screenshots.upload-disabled" = true;
          "experiments.supported" = false;
          "experiments.enabled" = false;
          "experiments.manifest.uri" = "";
          "network.allow-experiments" = false;
-          "privacy.trackingprotection.enabled" = false;
+
          ## Privacy
          # "privacy.resistFingerprinting" = true;
          "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts" = false;
          "privacy.trackingprotection.enabled" = true;
          "privacy.trackingprotection.pbmode.enabled" = true;
          "privacy.userContext.enabled" = true;
          ## Geo
          "geo.enabled" = false;
@@ -104,6 +127,28 @@ in {
          "privacy.firstparty.isolate" = true;
          "privacy.firstparty.isolate.restrict_opener_access" = true;
          ## Telemetry
          "beacon.enabled" = false;
          "browser.newtabpage.activity-stream.feeds.telemetry" = false;
          "browser.newtabpage.activity-stream.telemetry" = false;
          "browser.send_pings" = false;
          "datareporting.policy.dataSubmissionEnabled" = false;
          "datareporting.healthReport.uploadEnabled" = false;
          "toolkit.coverage.opt-out" = true;
          "toolkit.coverage.endpoint.base" = "";
          "toolkit.telemetry.archive.enabled" = false;
          "toolkit.telemetry.bhrPing.enabled" = false;
          "toolkit.telemetry.coverage.opt-out" = true;
          "toolkit.telemetry.enabled" = false;
          "toolkit.telemetry.firstShutdownPing.enabled" = false;
          "toolkit.telemetry.hybridContent.enabled" = false;
          "toolkit.telemetry.newProfilePing.enabled" = false;
          "toolkit.telemetry.reportingPolicy.firstRun" = false;
          "toolkit.telemetry.server" = "data:,";
          "toolkit.telemetry.shutdownPingSender.enabled" = false;
          "toolkit.telemetry.unified" = false;
          "toolkit.telemetry.updatePing.enabled" = false;
          ## Pocket/Hello
          "loop.enabled" = false;
          "loop.feedback.baseUrl" = "";
@@ -125,6 +170,10 @@ in {
          "browser.pocket.useLocaleList" = false;
          "brwoser.pocket.enabledLocales" = "";
          ## Plugins
          "plugin.state.flash" = 0;
          "plugin.state.java" = 0;
          ## Misc
          "browser.selfsupport.url" = "";
        };
--- a/modules/desktop/forensics.nix
+++ b/modules/desktop/forensics.nix
@@ -0,0 +1,26 @@
 { config, lib, pkgs, ... }:
 let cfg = config.modules.desktop.forensics;
 in {
  options.modules.desktop.forensics = {
    enable = lib.mkOption {
      default = false;
      example = true;
    };
  };
  config = lib.mkIf cfg.enable {
    user.packages = with pkgs; [
      acquire
      afflib
      autopsy
      fatcat
      foremost
      hstsparser
      networkminer
      sleuthkit
      testdisk-qt
      tracee
    ];
  };
 }
--- a/modules/desktop/gaming/emulators.nix
+++ b/modules/desktop/gaming/emulators.nix
@@ -54,11 +54,11 @@ in {
  };
  config = {
-    user.packages = with pkgs.unstable; [
+    user.packages = with pkgs; [
      (lib.mkIf cfg.ps1.enable duckstation)
-      (lib.mkIf cfg.ps2.enable pcsx2)
+      (lib.mkIf cfg.ps2.enable unstable.pcsx2)
      (lib.mkIf cfg.ps3.enable rpcs3)
-      (lib.mkIf cfg.psp.enable ppsspp)
+      (lib.mkIf cfg.psp.enable unstable.ppsspp)
      (lib.mkIf cfg.ds.enable desmume)
      (lib.mkIf (cfg.gba.enable ||
             cfg.gb.enable  ||
@@ -68,7 +68,7 @@ in {
      (lib.mkIf (cfg.wii.enable ||
             cfg.gamecube.enable)
        dolphin-emu)
-      (lib.mkIf cfg.xbox.enable xemu)
+      (lib.mkIf cfg.xbox.enable unstable.xemu)
    ];
  };
 }
--- a/modules/desktop/gaming/lutris.nix
+++ b/modules/desktop/gaming/lutris.nix
@@ -10,8 +10,13 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    user.packages = with pkgs; [
+    environment.systemPackages = with pkgs; [
-      lutris
+      (lutris.override {
        extraPkgs = pkgs: [
          winePackages.staging
          wine64Packages.staging
        ];
      })
      vulkan-loader
      vulkan-tools
    ];
--- a/modules/desktop/gnome.nix
+++ b/modules/desktop/gnome.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, lib, pkgs, ... }:
 let cfg = config.modules.desktop.gnome;
 in {
@@ -21,28 +21,89 @@ in {
    programs.dconf.enable = true;
    dconf.settings = {
      "io/github/celluloid-player/celluloid" = {
        draggable-video-area-enable = true;
      };
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
        cursor-theme = "Adwaita";
        enable-hot-corners = false;
        font-name = "Cantarell 11";
        gtk-theme = "adw-gtk3-dark";
        icon-theme = "MoreWaita";
        monospace-font-name = "UbuntuMono Nerd Font 11";
        toolbar-style = "both-horiz";
      };
      "org/gnome/desktop/peripherals/touchpad" = {
        tap-to-click = true;
      };
      "org/gnome/desktop/sound" = {
        theme-name = "freedesktop";
      };
      "org/gnome/desktop/search-providers" = {
        disabled = [ "org.gnome.Epiphany.desktop" ];
      };
      "org/gnome/desktop/wm/keybindings" = {
        switch-group = [ "<Super>grave" ];
        switch-group-backward = [ "<Shift><Super>grave" ];
      };
      "org/gnome/desktop/wm/preferences" = {
        button-layout = "appmenu:close";
      };
      "org/gnome/gnome-session" = {
        auto-save-session = true;
      };
      "org/gnome/gnome-system-monitor" = {
        show-dependencies = true;
      };
      "org/gnome/mutter" = {
        center-new-windows = true;
        edge-tiling = true;
        experimental-features = [ "scale-monitor-framebuffer" ];
      };
      "org/gnome/settings-daemon/plugins/media-keys" = {
        volume-up = [
          "<Shift>F12"
          "XF86AudioRaiseVolume"
        ];
        volume-down = [
          "<Shift>F11"
          "XF86AudioLowerVolume"
        ];
      };
      "org/gnome/shell" = {
        disable-user-extensions = false;
        enabled-extensions = [
-          # "another-window-session-manager@gmail.com"
+          "appindicatorsupport@rgcjonas.gmail.com"
          # "arcmenu@arcmenu.com"
          "blur-my-shell@aunetx"
          # "browser-tabs@com.github.harshadgavali"
          "burn-my-windows@schneegans.github.com"
          "clipboard-indicator@tudmotu.com"
          "CoverflowAltTab@palatis.blogspot.com"
          # "dash-to-panel@jderose9.github.com"
          # "desktop-cube@schneegans.github.com"
-          # "desktop-zoom@colin.kinlo.ch"
+          # "EasyScreenCast@iacopodeenosee.gmail.com"
          "espresso@coadmunkee.github.com"
-          # "flypie@schneegans.github.com"
+          "flypie@schneegans.github.com"
          # "forge@jmmaranan.com"
-          "hue-lights@chlumskyvaclav@gmail.com"
+          "gsconnect@andyholmes.github.io"
          # "gSnap@micahosborne"
          # "hidetopbar@mathieu.bidon.ca"
          "just-perfection-desktop@just-perfection"
          # "mediacontrols@cliffniff.github.com"
          # "mousefollowsfocus@matthes.biz"
          # "pano@elhan.io"
          # "paperwm@hedning:matrix.org"
          "pip-on-top@rafostar.github.com"
          # "rounded-window-corners@yilozt"
          # "search-light@icedman.github.com"
          "space-bar@luchrioh"
          # "smart-auto-move@khimaros.com"
-          # "systemd-manager@hardpixel.eu"
+          "space-bar@luchrioh"
          # "tailscale-status@maxgallup.github.com"
          # "tiling-assistant@leleat-on-github"
          "Vitals@CoreCoding.com"
          "windowIsReady_Remover@nunofarruca@gmail.com"
          # "worksets@blipk.xyz"
          # "wsmatrix@martin.zurowietz.de"
        ];
        favorite-apps = [
@@ -50,9 +111,6 @@ in {
          "org.gnome.Nautilus.desktop"
        ];
      };
      "org/gnome/shell/extensions/another-window-session-manager" = {
        enable-autorestore-sessions = true;
      };
      "org/gnome/shell/extensions/blur-my-shell/panel" = {
        static-blur = true;
      };
@@ -64,8 +122,14 @@ in {
        glide-open-effect = true;
        glide-close-effect = true;
      };
-      "org/gnome/shell/extensions/desktop-zoom" = {
+      "org/gnome/shell/extensions/dash-to-panel" = {
-        mag-factor-delta = 0.07;
+        intellihide = true;
        panel-positions = ''
          {"0":"TOP"}
        '';
        trans-panel-opacity = 0.3;
        trans-use-custom-opacity = true;
        trans-use-dynamic-opacity = true;
      };
      "org/gnome/shell/extensions/espresso" = {
        enable-fullscreen = true;
@@ -75,18 +139,32 @@ in {
          "com.obsproject.Studio.desktop"
        ];
      };
-      "org/gnome/shell/extensions/paperwm" = {
+      "org/gnome/shell/extensions/flypie" = {
-        use-default-background = true;
+        preview-on-right-side = true;
      };
      "org/gnome/shell/extensions/forge" = {
        window-gap-size = 8;
        window-gap-hidden-on-single = false;
      };
      "org/gnome/shell/extensions/hidetopbar" = {
        mouse-sensitive = true;
        mouse-sensitive-fullscreen-window = true;
        enable-active-window = false;
      };
      "org/gnome/shell/extensions/just-perfection" = {
        activities-button = false;
        window-demands-attention-focus = true;
        workspace-wrap-around = true;
      };
      "org/gnome/shell/extensions/paperwm" = {
        use-default-background = true;
      };
      "org/gnome/shell/extensions/pip-on-top" = {
        stick = true;
      };
      "org/gnome/shell/extensions/search-light" = {
        popup-at-cursor-monitor = true;
      };
      "org/gnome/shell/extensions/space-bar/behavior" = {
        enable-activate-workspace-shortcuts = true;
        show-empty-workspaces = true;
@@ -99,15 +177,10 @@ in {
        screen-left-gap = 8;
        window-gap = 8;
      };
-      "org/gnome/desktop/background" = {
+      "org/gnome/Console" = {
-        picture-uri = "file://${pkgs.gnome.gnome-backgrounds}/share/backgrounds/gnome/adwaita-l.jpg";
+        font-scale = 1.4;
-        picture-uri-dark = "file://${pkgs.gnome.gnome-backgrounds}/share/backgrounds/gnome/adwaita-d.jpg";
+        use-system-font = false;
-      };
+        custom-font = "ComicShannsMono Nerd Font 10";
      "org/gnome/desktop/peripherals/touchpad" = {
        tap-to-click = true;
      };
      "org/gnome/desktop/search-providers" = {
        disabled = [ "org.gnome.Epiphany.desktop" ];
      };
      "org/gtk/settings/file-chooser" = {
        show-hidden = true;
@@ -117,119 +190,92 @@ in {
        show-hidden = true;
        sort-directories-first = true;
      };
      "org/gnome/settings-daemon/plugins/media-keys" = {
        volume-up = [
          "<Shift>F12"
          "XF86AudioRaiseVolume"
        ];
        volume-down = [
          "<Shift>F11"
          "XF86AudioLowerVolume"
        ];
      };
      "org/gnome/gnome-session" = {
        auto-save-session = true;
      };
      "org/gnome/gnome-system-monitor" = {
        show-dependencies = true;
      };
      "org/gnome/Console" = {
        font-scale = 1.4;
      };
      "org/gnome/mutter" = {
        center-new-windows = true;
        edge-tiling = true;
        experimental-features = [ "scale-monitor-framebuffer" ];
      };
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
        enable-hot-corners = false;
        monospace-font-name = "Ubuntu Mono 11";
      };
      "org/gnome/desktop/wm/keybindings" = {
        switch-group = [ "<Super>grave" ];
        switch-group-backward = [ "<Shift><Super>grave" ];
      };
      "io/github/celluloid-player/celluloid" = {
        draggable-video-area-enable = true;
      };
    };
-    fonts.packages = with pkgs; [
+    environment.sessionVariables = {
-      noto-fonts
+      QT_STYLE_OVERRIDE = lib.mkForce "kvantum";
-      ubuntu_font_family
+      QT_WAYLAND_DECORATION = lib.mkForce "adwaita";
-    ];
+    };
    home.configFile = {
      "Kvantum/kvantum.kvconfig".text = lib.generators.toINI {} {
        General.theme = "KvLibadwaitaDark";
      };
      "Kvantum/KvLibadwaita".source = "${inputs.kvlibadwaita}/src/KvLibadwaita";
    };
    user.packages = with pkgs; [
      authenticator
-      bottles
+      # bottles
-      bustle
+      # bustle
      celluloid
-      d-spy
+      # d-spy
-      drawing
+      # drawing
-      fragments
+      # fragments
      gnome.dconf-editor
      gnome.ghex
      # gnome-builder
      gnome-decoder
      gnome-firmware
      gnome-frog
-      gnome-obfuscate
+      # gnome-obfuscate
      gnome-podcasts
      identity
      mission-center
      mousam
      newsflash
-      schemes
+      # schemes
      shortwave
-    ];
+      sysprof
    environment.systemPackages = with pkgs; [
      adw-gtk3
      bind
      bmon
      fd
      ffmpeg
      gnome.gnome-boxes
      gnomeExtensions.another-window-session-manager
      # gnomeExtensions.bifocals
      gnomeExtensions.blur-my-shell
      gnomeExtensions.browser-tabs
      gnomeExtensions.burn-my-windows
      gnomeExtensions.desktop-cube
      gnomeExtensions.desktop-zoom
      gnomeExtensions.espresso
      gnome44Extensions."flypie@schneegans.github.com"
      # gnomeExtensions.forge
      # gnomeExtensions.gsnap
      gnomeExtensions.hue-lights
      gnomeExtensions.just-perfection
      # gnomeExtensions.mutter-primary-gpu
      gnomeExtensions.pano
      gnomeExtensions.paperwm
      # gnomeExtensions.pip-on-top
      gnomeExtensions.rounded-window-corners
      gnomeExtensions.search-light
      gnomeExtensions.smart-auto-move
      gnomeExtensions.space-bar
      gnomeExtensions.systemd-manager
      gnomeExtensions.tailscale-status
      gnomeExtensions.tiling-assistant
      # gnomeExtensions.todotxt
      gnomeExtensions.vitals
      # gnomeExtensions.window-is-ready-remover
      # gnomeExtensions.worksets
      # gnomeExtensions.workspace-matrix
      iotop
      unstable.morewaita-icon-theme
      ripgrep
      rsync
      tcpdump
      tokei
      tree
      wl-clipboard
    ] ++ (if config.virtualisation.podman.enable then [
      pods
    ] else []);
-    home.services.gpg-agent.pinentryFlavor = "gnome3";
+    environment.systemPackages = with pkgs.unstable; [
      adw-gtk3
      kdePackages.qtstyleplugin-kvantum
      libsForQt5.qtstyleplugin-kvantum
      morewaita-icon-theme
      nautilus-python
      qadwaitadecorations
      qadwaitadecorations-qt6
      ## Shell extensions
      gnomeExtensions.appindicator
      gnomeExtensions.arcmenu
      gnomeExtensions.blur-my-shell
      gnomeExtensions.browser-tabs
      gnomeExtensions.burn-my-windows
      gnomeExtensions.clipboard-indicator
      gnomeExtensions.coverflow-alt-tab
      gnomeExtensions.dash-to-panel
      gnomeExtensions.desktop-cube
      gnomeExtensions.easyScreenCast
      gnomeExtensions.espresso
      gnomeExtensions.fly-pie
      gnomeExtensions.forge
      gnomeExtensions.gsconnect
      gnomeExtensions.gsnap
      gnomeExtensions.hide-top-bar
      gnomeExtensions.just-perfection
      gnomeExtensions.media-controls
      gnomeExtensions.mouse-follows-focus
      gnomeExtensions.pano
      gnomeExtensions.paperwm
      gnomeExtensions.pip-on-top
      gnomeExtensions.rounded-window-corners
      gnomeExtensions.search-light
      gnomeExtensions.smart-auto-move
      gnomeExtensions.space-bar
      gnomeExtensions.tiling-assistant
      # gnomeExtensions.tiling-shell
      gnomeExtensions.todotxt
      gnomeExtensions.vitals
      gnomeExtensions.window-is-ready-remover
      gnomeExtensions.worksets
      gnomeExtensions.workspace-matrix
    ];
    home.services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
  };
 }
--- a/modules/desktop/hyprland.nix
+++ b/modules/desktop/hyprland.nix
@@ -0,0 +1,27 @@
 { config, lib, pkgs, ... }:
 let cfg = config.modules.desktop.hyprland;
 in {
  options.modules.desktop.hyprland = {
    enable = lib.mkOption {
      default = false;
      example = true;
    };
  };
  config = lib.mkIf cfg.enable {
    programs.hyprland.enable = true;
    networking.networkmanager.enable = true;
    user.packages = with pkgs; [
      mpv
    ];
    environment.systemPackages = with pkgs; [
      adw-gtk3
    ];
    home.services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
  };
 }
--- a/modules/desktop/kde.nix
+++ b/modules/desktop/kde.nix
@@ -0,0 +1,37 @@
 { config, lib, pkgs, ... }:
 let cfg = config.modules.desktop.kde;
 in {
  options.modules.desktop.kde = {
    enable = lib.mkOption {
      default = false;
      example = true;
    };
  };
  config = lib.mkIf cfg.enable {
    services = {
      xserver = {
        enable = true;
      };
      desktopManager.plasma6.enable = true;
      displayManager.sddm = {
        enable = true;
        wayland.enable = true;
      };
    };
    networking.networkmanager.enable = true;
    user.packages = with pkgs; [
      kmail
      mpv
    ];
    environment.systemPackages = with pkgs; [
      adw-gtk3
    ];
    home.services.gpg-agent.pinentryPackage = pkgs.pinentry-qt;
  };
 }
--- a/modules/desktop/office/libreoffice.nix
+++ b/modules/desktop/office/libreoffice.nix
@@ -1,6 +1,24 @@
 { config, lib, pkgs, ... }:
-let cfg = config.modules.desktop.office.libreoffice;
+let
  cfg = config.modules.desktop.office.libreoffice;
  # libreoffice-gtk4 = pkgs.libreoffice.override {
  #   extraMakeWrapperArgs = [
  #     "--set SAL_USE_VCLPLUGIN gtk4"
  #   ];
  #   unwrapped = pkgs.libreoffice-unwrapped.overrideAttrs (oldAttrs: {
  #     buildInputs = oldAttrs.buildInputs ++ [
  #       pkgs.gtk4
  #     ];
  #     configureFlags = oldAttrs.configureFlags ++ [
  #       "--disable-werror"
  #       "--enable-gtk4"
  #     ];
  #     passthru = oldAttrs.passthru // {
  #       inherit (pkgs) gtk4;
  #     };
  #   });
  # };
 in {
  options.modules.desktop.office.libreoffice = {
    enable = lib.mkOption {
@@ -11,7 +29,10 @@ in {
  config = lib.mkIf cfg.enable {
    user.packages = with pkgs; [
-      libreoffice
+      (if config.modules.desktop.kde.enable == true then libreoffice-qt else libreoffice)
      hunspell
      hunspellDicts.en-gb-large
      hunspellDicts.en-us-large
    ];
  };
 }
--- a/modules/editors/neovim/default.nix
+++ b/modules/editors/neovim/default.nix
@@ -2,7 +2,6 @@
 let
  cfg = config.modules.editors.neovim;
  dev = config.modules.dev;
 in {
  options.modules.editors.neovim = {
    enable = lib.mkOption {
@@ -12,124 +11,129 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    user.packages = with pkgs; [
+    home.programs.nixvim = {
-      (neovim.override {
+      enable = true;
-        configure = {
+      defaultEditor = true;
-          customRC = ''
+
-            luafile ~/.config/nvim/init.lua
+      viAlias = true;
-          '';
+      vimAlias = true;
-          packages.myPlugins = with pkgs.vimPlugins; {
+
-            start = [
+      options = {
-              (nvim-treesitter.withPlugins (
+        number = true;
-                plugins: with plugins; [
+        tabstop = 2;
-                  bash
+        shiftwidth = 2;
-                  c
+        expandtab = true;
-                  cmake
+        foldlevel = 99;
-                  cpp
+        splitbelow = true;
-                  css
+        splitright = true;
-                  dockerfile
+        undofile = true;
-                  elm
+        updatetime = 100;
-                  glsl
+        list = true;
-                  graphql
+      };
-                  haskell
+
-                  http
+      globals = {
-                  html
+        mapleader = ",";
-                  java
+        maplocalleader = ",";
-                  javascript
+      };
-                  jsdoc
+
-                  json
+      clipboard = {
-                  json5
+        register = "unnamedplus";
-                  latex
+
-                  lua
+        providers.wl-copy.enable = true;
-                  markdown
+      };
-                  ninja
+
-                  nix
+      plugins.comment.enable = true;
-                  org
+
-                  perl
+      plugins.hmts.enable = true;
-                  php
+
-                  pug
+      plugins.lightline.enable = true;
-                  python
+
-                  regex
+      plugins.luasnip.enable = true;
-                  rst
+
-                  ruby
+      plugins.lsp = {
-                  rust
+        enable = true;
-                  scala
+        servers = {
-                  scss
+          bashls.enable = true;
-                  toml
+          ccls.enable = true;
-                  tsx
+          cssls.enable = true;
-                  typescript
+          eslint.enable = true;
-                  vim
+          gopls.enable = true;
-                  yaml
+          html.enable = true;
-                  zig
+          lua-ls.enable = true;
-                ]
+          pylsp.enable = true;
-              ))
+          nixd.enable = true;
-              nvim-treesitter-context
+          rust-analyzer = {
-              nvim-treesitter-textobjects
+            enable = true;
-              nvim-lspconfig
+            installCargo = true;
-            ];
+            installRustc = true;
          };
          tsserver.enable = true;
        };
      };
      plugins.nvim-autopairs.enable = true;
      plugins.cmp = {
        enable = true;
        autoEnableSources = true;
        settings = {
          sources = [
            { name = "nvim_lsp"; }
            { name = "path"; }
            { name = "buffer"; }
          ];
          mapping = {
            "<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
            "<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
            "<CR>" = "cmp.mapping.confirm({ select = true })";
          };
        };
-      })
+      };
    ] ++
-    # Install appropriate language servers
+      plugins.telescope = {
-    (if dev.cc.enable then [
+        enable = true;
-      ccls                                            # C/C++
+        keymaps = {
-    ] else []) ++
+          "<leader>ff" = "find_files";
-    (if dev.java.enable then [
+          "<leader>fg" = "live_grep";
-      java-language-server                            # Java
+          "<leader>b" = "buffers";
-      ltex-ls                                         # LaTeX
+          "<leader>fh" = "help_tags";
-    ] else []) ++
+          "<C-p>" = "git_files";
-    (if dev.lua.enable then [
+          "<C-f>" = "live_grep";
-      sumneko-lua-language-server                     # Lua
+        };
-    ] else []) ++
+      };
    (if dev.node.enable then [
      nodePackages.bash-language-server               # Bash
      nodePackages.dockerfile-language-server-nodejs  # Dockerfile
      nodePackages.graphql-language-service-cli       # GraphQL
      nodePackages.purescript-language-server         # PureScript
      nodePackages.svelte-language-server             # Svelte
      nodePackages.typescript-language-server         # JavaScript/TypeScript
      nodePackages.vim-language-server                # Vim
      nodePackages.vscode-langservers-extracted       # HTML, CSS, JSON, ESLint
      nodePackages.vue-language-server                # Vue.js
      nodePackages.yaml-language-server               # YAML
    ] else []) ++
    (if dev.python.enable then [
      cmake-language-server                           # CMake
      python310Packages.python-lsp-server             # Python
    ] else []) ++
    (if dev.rust.enable then [
      rust-analyzer                                   # Rust
    ] else []) ++
    (if dev.scala.enable then [
      metals                                          # Scala
    ] else []) ++
    (if dev.zig.enable then [
      zls                                             # Zig
    ] else []);
-    home.configFile = {
+      plugins.treesitter = {
-      "nvim/init.lua".source = ./init.lua;
+        enable = true;
-      "nvim/lua" = { source = ./lua; recursive = true; };
+
-      "nvim/lua/config/lsp.lua".text = ''
+        nixvimInjections = true;
-        -- This file is autogenerated, do not edit.
+
-        ${if dev.cc.enable then "require('config.lsp.cc')\n" else ""}
+        folding = true;
-        ${if dev.java.enable then "require('config.lsp.java')\n" else ""}
+        indent = true;
-        ${if dev.lua.enable then "require('config.lsp.lua')\n" else ""}
+      };
-        ${if dev.node.enable then "require('config.lsp.node')\n" else ""}
+
-        ${if dev.python.enable then "require('config.lsp.python')\n" else ""}
+      plugins.treesitter-refactor = {
-        ${if dev.rust.enable then "require('config.lsp.rust')\n" else ""}
+        enable = true;
-        ${if dev.scala.enable then "require('config.lsp.scala')\n" else ""}
+        highlightDefinitions = {
-        ${if dev.zig.enable then "require('config.lsp.zig')\n" else ""}
+          enable = true;
-      '';
+          clearOnCursorMove = false;
        };
      };
      plugins.undotree.enable = true;
      # plugins.gitsigns.enable = true;
      # plugins.gitgutter.enable = true;
      # plugins.goyo.enable = true;
      # plugins.fugitive.enable = true;
      # plugins.fzf-lua.enable = true;
      # plugins.neo-tree.enable = true;
      # plugins.none-ls.enable = true;
      # plugins.nvim-tree.enable = true;
      # plugins.oil.enable = true;
      # plugins.project-nvim.enable = true;
      # plugins.surround.enable = true;
    };
    env.EDITOR = "nvim";
    environment.shellAliases = {
      vim = "nvim";
      v   = "nvim";
    };
  };
 }
--- a/modules/editors/neovim/init.lua
+++ b/modules/editors/neovim/init.lua
@@ -1,6 +0,0 @@
 require("config.core")
 require("config.keymap")
 require("config.treesitter")
 require("config.plugins")
 require("config.lsp")
--- a/modules/editors/neovim/lua/config/core.lua
+++ b/modules/editors/neovim/lua/config/core.lua
@@ -1,36 +0,0 @@
 local o = vim.opt
 local wo = vim.wo
 local bo = vim.bo
 -- Global dirs
 local cachedir = os.getenv("XDG_CACHE_HOME")
 o.backupdir = cachedir .. "/nvim/backup/"
 o.directory = cachedir .. "/nvim/swap/"
 o.undodir   = cachedir .. "/nvim/undo/"
 -- Global
 o.breakindent = true
 o.clipboard = "unnamedplus"
 o.compatible = false
 o.encoding = "utf-8"
 o.expandtab = true
 o.foldlevel = 99
 o.hidden = true
 o.hlsearch = false
 o.ignorecase = true
 o.laststatus = 2
 o.listchars = { eol = '↲', tab = '▸ ', trail = '·' }
 o.relativenumber = true
 o.shiftwidth = 2
 o.showmode = false
 o.smartcase = true
 o.smarttab = true
 o.softtabstop = 2
 o.synmaxcol = 150
 o.tabstop = 4
 o.undofile = true
 o.wildmenu = true
 -- Window
 -- Buffer
--- a/modules/editors/neovim/lua/config/keymap.lua
+++ b/modules/editors/neovim/lua/config/keymap.lua
@@ -1,35 +0,0 @@
 local keymap = vim.keymap.set
 local opts = { noremap = true, silent = true }
 vim.g.mapleader = ","
 -- Modes
 --   Normal = "n",
 --   Insert = "i",
 --   Visual = "v",
 --   Visual Block = "x",
 --   Term = "t",
 --   Command = "c"
 keymap("n", "<Left>", "<Nop>", opts)
 keymap("n", "<Right>", "<Nop>", opts)
 keymap("n", "<Up>", "<Nop>", opts)
 keymap("n", "<Down>", "<Nop>", opts)
 keymap("n", "<C-h>", "<C-w>h", { noremap = true })
 keymap("n", "<C-j>", "<C-w>j", { noremap = true })
 keymap("n", "<C-k>", "<C-w>k", { noremap = true })
 keymap("n", "<C-l>", "<C-w>l", { noremap = true })
 keymap("n", "gV", "`[v`]", opts)
 keymap("n", ";", ":", { noremap = true })
 -- Bubble single lines with vim-unimpaired
 keymap("n", "<C-Up>", "[e", opts)
 keymap("n", "<C-Down>", "]e", opts)
 -- Bubble multiple lines with vim-unimpaired
 keymap("v", "<C-Up>", "[egv", opts)
 keymap("v", "<C-Down>", "]egv", opts)
--- a/modules/editors/neovim/lua/config/lsp/cc.lua
+++ b/modules/editors/neovim/lua/config/lsp/cc.lua
@@ -1,5 +0,0 @@
 lspconfig = require('lspconfig')
 -- Requires C/C++
 lspconfig.ccls.setup{}
--- a/modules/editors/neovim/lua/config/lsp/java.lua
+++ b/modules/editors/neovim/lua/config/lsp/java.lua
@@ -1,6 +0,0 @@
 lspconfig = require('lspconfig')
 -- Requires Java
 lspconfig.java_language_server.setup{}
 lspconfig.ltex.setup{}
--- a/modules/editors/neovim/lua/config/lsp/lua.lua
+++ b/modules/editors/neovim/lua/config/lsp/lua.lua
@@ -1,22 +0,0 @@
 lspconfig = require('lspconfig')
 -- Requires Lua
 lspconfig.sumneko_lua.setup {
  settings = {
    Lua = {
      runtime = {
        -- Tell the language server which version of Lua you're using (most likely LuaJIT in the case of Neovim)
        version = 'LuaJIT',
      },
      diagnostics = {
        -- Get the language server to recognize the `vim` global
        globals = {'vim'},
      },
      -- Do not send telemetry data containing a randomized but unique identifier
      telemetry = {
        enable = false,
      },
    },
  },
 }
--- a/modules/editors/neovim/lua/config/lsp/node.lua
+++ b/modules/editors/neovim/lua/config/lsp/node.lua
@@ -1,17 +0,0 @@
 lspconfig = require('lspconfig')
 -- Requires Node.js
 lspconfig.bashls.setup{}
 lspconfig.cssls.setup{}
 lspconfig.dockerls.setup{}
 lspconfig.eslint.setup{}
 lspconfig.graphql.setup{}
 lspconfig.html.setup{}
 lspconfig.jsonls.setup{}
 lspconfig.purescriptls.setup{}
 lspconfig.svelte.setup{}
 lspconfig.tsserver.setup{}
 lspconfig.vimls.setup{}
 lspconfig.vuels.setup{}
 lspconfig.yamlls.setup{}
--- a/modules/editors/neovim/lua/config/lsp/python.lua
+++ b/modules/editors/neovim/lua/config/lsp/python.lua
@@ -1,6 +0,0 @@
 lspconfig = require('lspconfig')
 -- Requires Python
 lspconfig.cmake.setup{}
 lspconfig.pylsp.setup{}
--- a/modules/editors/neovim/lua/config/lsp/rust.lua
+++ b/modules/editors/neovim/lua/config/lsp/rust.lua
@@ -1,5 +0,0 @@
 lspconfig = require('lspconfig')
 -- Requires Rust
 lspconfig.rls.setup{}
--- a/modules/editors/neovim/lua/config/lsp/scala.lua
+++ b/modules/editors/neovim/lua/config/lsp/scala.lua
@@ -1,5 +0,0 @@
 lspconfig = require('lspconfig')
 -- Requires Scala
 lspconfig.metals.setup{}
--- a/modules/editors/neovim/lua/config/lsp/zig.lua
+++ b/modules/editors/neovim/lua/config/lsp/zig.lua
@@ -1,5 +0,0 @@
 lspconfig = require('lspconfig')
 -- Requires Zig
 lspconfig.zls.setup{}
--- a/modules/editors/neovim/lua/config/plugins.lua
+++ b/modules/editors/neovim/lua/config/plugins.lua
@@ -1,77 +0,0 @@
 local fn = vim.fn
 local install_path = fn.stdpath "data" .. "/site/pack/packer/start/packer.nvim"
 if fn.empty(fn.glob(install_path)) > 0 then
  PACKER_BOOTSTRAP = fn.system {
    "git",
    "clone",
    "--depth",
    "1",
    "https://github.com/wbthomason/packer.nvim",
    install_path,
  }
  print "Installing packer close and reopen Neovim..."
  vim.cmd [[packadd packer.nvim]]
 end
 vim.cmd [[
  augroup packer_user_config
    autocmd!
    autocmd BufWritePost plugins.lua source <afile> | PackerSync
  augroup end
 ]]
 local status_ok, packer = pcall(require, "packer")
 if not status_ok then
  return
 end
 packer.init {
  display = {
    open_fn = function()
      return require("packer.util").float { border = "rounded" }
    end,
  },
 }
 return packer.startup(function(use)
  -- Utilities
  use { "wbthomason/packer.nvim", opt = true }
  use { "mbbill/undotree" }
  use { "nvim-lua/plenary.nvim" }
  use { "tpope/vim-fugitive", event = "User InGitRepo" }
  -- Editing
  use { "andymass/vim-matchup" }
  use { "godlygeek/tabular" }
  use { "JoosepAlviste/nvim-ts-context-commentstring" }
  use { "kana/vim-textobj-user" }
  use { "mg979/vim-visual-multi", branch = "master" }
  use { "p00f/nvim-ts-rainbow" }
  use { "terryma/vim-expand-region" }
  use { "tommcdo/vim-exchange", event = "VimEnter" }
  use { "tpope/vim-abolish" }
  use { "tpope/vim-commentary", event = "VimEnter" }
  use { "tpope/vim-repeat", event = "VimEnter" }
  use { "tpope/vim-surround", event = "VimEnter" }
  use { "windwp/nvim-autopairs" }
  use { "windwp/nvim-ts-autotag" }
  -- UI
  use { "junegunn/goyo.vim" }
  use { "junegunn/limelight.vim" }
  use { "markonm/traces.vim" }
  -- Searching
  use { "nvim-telescope/telescope.nvim", config = [[require('config.telescope')]] }
  use { "cljoly/telescope-repo.nvim", requires = "telescope.nvim" }
  use { "dyng/ctrlsf.vim" }
  -- LSP
  use { "jose-elias-alvarez/null-ls.nvim" }
  if PACKER_BOOTSTRAP then
    require("packer").sync()
  end
 end)
--- a/modules/editors/neovim/lua/config/telescope.lua
+++ b/modules/editors/neovim/lua/config/telescope.lua
@@ -1,46 +0,0 @@
 local status_ok, telescope = pcall(require, "telescope")
 if not status_ok then
  return
 end
 local actions = require("telescope.actions")
 telescope.setup({
  defaults = {
    file_ignore_patterns = { ".git/", "node_modules" },
  },
  mappings = {
    i = {
      ["<Down>"] = actions.cycle_history_next,
      ["<Up>"] = actions.cycle_history_prev,
      ["<C-j>"] = actions.move_selection_next,
      ["<C-k>"] = actions.move_selection_previous,
    },
  },
  extensions = {
    repo = {
      list = {
        fd_opts = {
          "--no-ignore-vcs",
        },
        search_dirs = {
          "~/projects",
          "~/repos",
          "~/workspace",
        },
      },
    },
  },
 })
 telescope.load_extension("repo")
 local keymap = vim.keymap.set
 local opts = { noremap = true, silent = true }
 keymap("n", "<Leader>ff", "<cmd>Telescope find_files<cr>", opts)
 keymap("n", "<Leader>fg", "<cmd>Telescope live_grep<cr>", opts)
 keymap("n", "<Leader>fb", "<cmd>Telescope buffers<cr>", opts)
 keymap("n", "<Leader>fh", "<cmd>Telescope help_tags<cr>", opts)
 keymap("n", "<Leader>fr", "<cmd>Telescope repo list<cr>", opts)
--- a/modules/editors/neovim/lua/config/treesitter.lua
+++ b/modules/editors/neovim/lua/config/treesitter.lua
@@ -1,35 +0,0 @@
 require("nvim-treesitter.configs").setup({
  ignore_install = {},
  highlight = {
    enable = true,
    disable = {},
  },
  indent = { enable = true },
  incremental_selection = {
    enable = true,
    keymaps = {
      init_selection = "gnn",
      node_incremental = "grn",
      scope_incremental = "grc",
      node_decremental = "grm",
    },
  },
  -- Extensions
  autotag = { enable = true },
  context_commentstring = { enable = true },
  matchup = { enable = true },
  rainbow = { enable = true },
  textobjects = {
    select = {
      enable = true,
      keymaps = {
        ["af"] = "@function.outer",
        ["if"] = "@function.inner",
      },
    },
  },
 })
 vim.opt.foldmethod = "expr"
 vim.opt.foldexpr = "nvim_treesitter#foldexpr()"
--- a/modules/hardware/presonus-studio.nix
+++ b/modules/hardware/presonus-studio.nix
@@ -7,12 +7,12 @@ let
  patched = snd-usb-audio-module.overrideAttrs (prev: {
    patches = [ ./0001-Update-device-ID-for-PreSonus-1824c.patch ];
  });
-  upmixConfig = ''
+  upmixConfig = {
-    stream.properties = {
+    "stream.properties" = {
-      channelmix.upmix = true
+      "channelmix.upmix" = true;
-      channelmix.upmix-method = psd
+      "channelmix.upmix-method" = "psd";
-    }
+    };
-  '';
+  };
 in {
  options.modules.hardware.presonus-studio = {
    enable = lib.mkOption {
@@ -27,43 +27,62 @@ in {
      (patched)
    ];
-    environment.etc = {
+    # Workaround for mainline module loading instead of patched module
-      "pipewire/pipewire.conf.d/10-network.conf".text = ''
+    systemd.services.reload-snd-usb-audio = {
-        context.modules = [
+      description = "Reload snd_usb_audio kernel module";
-          {
+      wantedBy = [ "sound.target" ];
-            name = libpipewire-module-rtp-session
+      serviceConfig.Type = "oneshot";
-            args = {
+      path = with pkgs; [
-              stream.props = {
+        kmod
-                node.name = "rtp-source"
+      ];
-              }
+      script = ''
-            }
+        # Only reload if device hasn't been initialised
-          }
+        if ! cat /proc/asound/card*/usbmixer | grep -q "Mute Main Out Switch"; then
-        ]
+          rmmod snd_usb_audio
          insmod /run/booted-system/kernel-modules/lib/modules/$(uname -r)/extra/snd-usb-audio.ko.xz
        fi
      '';
-      "pipewire/pipewire.conf.d/surround.conf".text = ''
+    };
-        context.modules = [
+
-          {
+    services.pipewire.extraConfig = {
-            name = libpipewire-module-loopback
+      pipewire = {
-            args = {
+        "10-network" = {
-              node.description = "Genelec 4.1 Surround"
+          "context.modules" = [
-              capture.props = {
+            {
-                node.name = "Genelec_Speakers"
+              "name" = "libpipewire-module-rtp-session";
-                media.class = "Audio/Sink"
+              "args" = {
-                audio.position = [ FL FR SL SR LFE ]
+                "stream.props" = {
-              }
+                  "node.name" = "rtp-source";
-              playback.props = {
+                };
-                node.name = "playback.Genelec_Speakers"
+              };
                audio.position = [ AUX0 AUX1 AUX3 AUX4 AUX5 ]
                target.object = "alsa_output.usb-PreSonus_Studio_1824c_SC4E21110775-00.multichannel-output"
                stream.dont-remix = true
                node.passive = true
              }
            }
-          }
+          ];
-        ]
+        };
-      '';
+        "surround" = {
-      "pipewire/pipewire-pulse.conf.d/40-upmix.conf".text = upmixConfig;
+          "context.modules" = [
-      "pipewire/client-rt.conf.d/40-upmix.conf".text = upmixConfig;
+            {
              "name" = "libpipewire-module-loopback";
              "args" = {
                "node.description" = "Genelec 4.1 Surround";
                "capture.props" = {
                  "node.name" = "Genelec_Speakers";
                  "media.class" = "Audio/Sink";
                  "audio.position" = [ "FL" "FR" "SL" "SR" "LFE" ];
                };
                "playback.props" = {
                  "node.name" = "playback.Genelec_Speakers";
                  "audio.position" = [ "AUX0" "AUX1" "AUX3" "AUX4" "AUX5" ];
                  "target.object" = "alsa_output.usb-PreSonus_Studio_1824c_SC4E21110775-00.multichannel-output";
                  "stream.dont-remix" = true;
                  "node.passive" = true;
                };
              };
            }
          ];
        };
      };
      pipewire-pulse."40-upmix" = upmixConfig;
      client-rt."40-upmix" = upmixConfig;
    };
  };
 } 
--- a/modules/networking/tailscale.nix
+++ b/modules/networking/tailscale.nix
@@ -1,6 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, lib, pkgs, ... }:
-let cfg = config.modules.networking.tailscale;
+let
  cfg = config.modules.networking.tailscale;
  headscale = "https://headscale.vimium.net";
  hostname = config.networking.hostName;
 in {
  options.modules.networking.tailscale = {
    enable = lib.mkOption {
@@ -14,8 +17,24 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    services.tailscale.enable = true;
+    age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
      file = "${inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
    };
    environment.systemPackages = [ pkgs.tailscale ];
    services.tailscale = {
      enable = true;
      authKeyFile = config.age.secrets."passwords/services/tailscale/${hostname}-authkey".path;
      extraUpFlags = [
        "--login-server"
        headscale
      ];
    };
    services.openssh.openFirewall = !cfg.restrictSSH;
    networking.firewall = {
      checkReversePath = "loose";
      trustedInterfaces = [ "tailscale0" ];
--- a/modules/options.nix
+++ b/modules/options.nix
@@ -66,6 +66,11 @@ with lib;
        };
        dconf.settings = mkAliasDefinitions options.dconf.settings;
      };
      sharedModules = [
        inputs.nixvim.homeManagerModules.nixvim
        inputs.plasma-manager.homeManagerModules.plasma-manager
      ];
    };
    users.users.${config.user.name} = mkAliasDefinitions options.user;
--- a/modules/podman.nix
+++ b/modules/podman.nix
@@ -0,0 +1,45 @@
 { pkgs, lib, config, ... }:
 with lib;
 let
  cfg = config.modules.podman;
 in {
  options.modules.podman = {
    enable = mkOption {
      default = false;
      example = true;
      description = mdDoc "Enable podman on this host";
    };
  };
  config = mkIf cfg.enable {
    virtualisation = {
      docker.enable = false;
      podman = {
        enable = true;
        defaultNetwork.settings.dns_enabled = true;
        autoPrune = {
          enable = true;
          dates = "weekly";
          flags = [ "--all" ];
        };
        extraPackages = [ pkgs.zfs ];
      };
      containers.storage.settings.storage = {
        driver = "zfs";
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
      };
      oci-containers.backend = "podman";
    };
    networking.firewall.interfaces."podman+" = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };
  };
 }
--- a/modules/services/chrony/default.nix
+++ b/modules/services/chrony/default.nix
@@ -0,0 +1,41 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.modules.services.chrony;
 in {
  options.modules.services.chrony = {
    enable = mkOption {
      default = false;
      example = true;
      description = "Enable chrony NTP deamon";
    };
    config = mkIf cfg.enable {
      services.chrony = {
        enable = true;
        servers = [
          "uk.pool.ntp.org"
          "time.cloudflare.com"
        ];
        extraConfig = ''
          makestep 1.0 3
          bindaddress 0.0.0.0
          port 123
          allow
        '';
      };
      services.timesyncd.enable = mkForce false;
      networking.firewall = {
        allowedUDPPorts = [ 123 ];
        allowedTCPPorts = [ 123 ];
      };
    };
  };
 }
--- a/modules/services/coturn/default.nix
+++ b/modules/services/coturn/default.nix
@@ -1,60 +1,123 @@
-{ config, lib, pkgs, inputs, ... }:
+{
-
+  config,
-with lib;
+  lib,
  inputs,
  ...
 }:
 let
  cfg = config.modules.services.coturn;
 in {
  options.modules.services.coturn = {
-    enable = mkOption {
+    enable = lib.mkOption {
      default = false;
      example = true;
    };
    realm = lib.mkOption {
      type = lib.types.str;
      description = "The realm to be used by the TURN server.";
      example = "turn.vimium.com";
    };
    matrixIntegration = lib.mkOption {
      default = false;
      description = "Configure the matrix-synapse module to use this TURN server.";
      example = true;
    };
  };
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
-    networking.firewall = {
+    networking.firewall = let
      range = with config.services.coturn; lib.singleton {
        from = min-port;
        to = max-port;
      };
    in {
      allowedTCPPorts = [
        3478  # TURN listener
        5349  # STUN TLS
        5350  # STUN TLS alt
      ];
-      allowedUDPPortRanges = [
+      allowedUDPPorts = [
-        { from = 49152; to = 49999; } # TURN relay
+        3478  # TURN listener
        5349  # TLS
        5350  # TLS alt
      ];
      allowedUDPPortRanges = range; # TURN peer relays
    };
    security.acme.certs = {
-      "turn.vimium.com" = {
+      "${config.services.coturn.realm}" = {
        group = "turnserver";
        reloadServices = [ "coturn" ];
      };
    };
-    age.secrets."passwords/services/coturn/shared-secret" = {
+    age.secrets = {
-      file = "${inputs.secrets}/passwords/services/coturn/shared-secret.age";
+      "passwords/services/coturn/static-auth-secret" = {
-      owner = "turnserver";
+        file = "${inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
-      group = "turnserver";
+        owner = "turnserver";
-    };
+        group = "turnserver";
      };
    } // (if cfg.matrixIntegration then {
      "passwords/services/coturn/matrix-turn-config.yml" = {
        file = "${inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
        owner = "matrix-synapse";
        group = "matrix-synapse";
      };
    } else {});
-    services.coturn = {
+    services.coturn = rec {
      enable = true;
-      lt-cred-mech = true;
+      realm = cfg.realm;
      use-auth-secret = true;
-      static-auth-secret-file = config.age.secrets."passwords/services/coturn/shared-secret".path;
+      static-auth-secret-file = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
-      realm = "turn.vimium.com";
+      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
-      relay-ips = [
+      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
-        "198.244.190.160"
+      min-port = 49000;
-      ];
+      max-port = 50000;
      no-cli = true;
      no-tcp-relay = true;
      extraConfig = ''
        cipher-list="HIGH"
        no-loopback-peers
        no-multicast-peers
        # Ban private CIDR blocks
        denied-peer-ip=0.0.0.0-0.255.255.255
        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=100.64.0.0-100.127.255.255
        denied-peer-ip=127.0.0.0-127.255.255.255
        denied-peer-ip=169.254.0.0-169.254.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
        denied-peer-ip=192.0.0.0-192.0.0.255
        denied-peer-ip=192.0.2.0-192.0.2.255
        denied-peer-ip=192.88.99.0-192.88.99.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=198.18.0.0-198.19.255.255
        denied-peer-ip=198.51.100.0-198.51.100.255
        denied-peer-ip=203.0.113.0-203.0.113.255
        denied-peer-ip=240.0.0.0-255.255.255.255
        denied-peer-ip=::1
        denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
        denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
        denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
        denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      '';
-      secure-stun = true;
+    };
-      cert = "/var/lib/acme/turn.vimium.com/fullchain.pem";
+
-      pkey = "/var/lib/acme/turn.vimium.com/key.pem";
+    services.matrix-synapse = lib.mkIf cfg.matrixIntegration {
-      min-port = 49152;
+      settings = with config.services.coturn; {
-      max-port = 49999;
+        turn_uris = [
          "turn:${realm}:3478?transport=udp"
          "turn:${realm}:3478?transport=tcp"
        ];
        turn_user_lifetime = "1h";
      };
      extraConfigFiles = [
        config.age.secrets."passwords/services/coturn/matrix-turn-config.yml".path
      ];
    };
  };
 }
--- a/modules/services/gitea-runner/default.nix
+++ b/modules/services/gitea-runner/default.nix
@@ -0,0 +1,226 @@
 { pkgs, config, lib, inputs, ... }:
 # Based on: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
 with lib;
 let
  cfg = config.modules.services.gitea-runner;
  hostname = config.networking.hostName;
  giteaUrl = "https://git.vimium.com";
  storeDepsBins = with pkgs; [
    coreutils
    findutils
    gnugrep
    gawk
    git
    nix
    nix-update
    bash
    jq
    nodejs
  ];
  storeDeps = pkgs.runCommand "store-deps" { } ''
    mkdir -p $out/bin
    for dir in ${toString storeDepsBins}; do
      for bin in "$dir"/bin/*; do
        ln -s "$bin" "$out/bin/$(basename "$bin")"
      done
    done
    # Add SSL CA certs
    mkdir -p $out/etc/ssl/certs
    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
  '';
 in
 {
  options.modules.services.gitea-runner = {
    enable = mkOption {
      default = false;
      example = true;
      description = mdDoc "Enable a runner for Gitea Actions on this host";
    };
  };
  config = mkIf cfg.enable {
    modules.podman.enable = true;
    systemd.services = {
      gitea-runner-nix-image = {
        wantedBy = [ "multi-user.target" ];
        after = [ "podman.service" ];
        requires = [ "podman.service" ];
        path = [ config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent ];
        script = ''
          set -eux -o pipefail
          mkdir -p etc/nix
          # Create an unpriveleged user that we can use also without the run-as-user.sh script
          touch etc/passwd etc/group
          groupid=$(cut -d: -f3 < <(getent group nix-ci-user))
          userid=$(cut -d: -f3 < <(getent passwd nix-ci-user))
          groupadd --prefix $(pwd) --gid "$groupid" nix-ci-user
          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nix-ci-user nix-ci-user
          cat <<NIX_CONFIG > etc/nix/nix.conf
          accept-flake-config = true
          experimental-features = nix-command flakes
          NIX_CONFIG
          cat <<NSSWITCH > etc/nsswitch.conf
          passwd:    files mymachines systemd
          group:     files mymachines systemd
          shadow:    files
          hosts:     files mymachines dns myhostname
          networks:  files
          ethers:    files
          services:  files
          protocols: files
          rpc:       files
          NSSWITCH
          # list the content as it will be imported into the container
          tar -cv . | tar -tvf -
          tar -cv . | podman import - gitea-runner-nix
        '';
        serviceConfig = {
          RuntimeDirectory = "gitea-runner-nix-image";
          WorkingDirectory = "/run/gitea-runner-nix-image";
          Type = "oneshot";
          RemainAfterExit = true;
        };
      };
      gitea-runner-nix = {
        after = [ "gitea-runner-nix-image.service" ];
        requires = [ "gitea-runner-nix-image.service" ];
        serviceConfig = {
          # Hardening (may overlap with DynamicUser=)
          # The following options are only for optimizing output of systemd-analyze
          AmbientCapabilities = "";
          CapabilityBoundingSet = "";
          # ProtectClock= adds DeviceAllow=char-rtc r
          DeviceAllow = "";
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateMounts = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          UMask = "0066";
          ProtectProc = "invisible";
          SystemCallFilter = [
            "~@clock"
            "~@cpu-emulation"
            "~@module"
            "~@mount"
            "~@obsolete"
            "~@raw-io"
            "~@reboot"
            "~@swap"
            # needed by go?
            #"~@resources"
            "~@privileged"
            "~capset"
            "~setdomainname"
            "~sethostname"
          ];
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
          # Needs network access
          PrivateNetwork = false;
          # Cannot be true due to Node
          MemoryDenyWriteExecute = false;
          # The more restrictive "pid" option makes `nix` commands in CI emit
          # "GC Warning: Couldn't read /proc/stat"
          # You may want to set this to "pid" if not using `nix` commands
          ProcSubset = "all";
          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
          # ASLR (address space layout randomization) which requires the
          # `personality` syscall
          # You may want to set this to `true` if not using coverage tooling on
          # compiled code
          LockPersonality = false;
          # Note that this has some interactions with the User setting; so you may
          # want to consult the systemd docs if using both.
          DynamicUser = true;
        };
      };
    };
    users.users.nix-ci-user = {
      group = "nix-ci-user";
      description = "Used for running nix-based CI jobs";
      home = "/var/empty";
      isSystemUser = true;
    };
    users.groups.nix-ci-user = { };
    age.secrets."files/services/gitea-runner/${hostname}-token" = {
      file = "${inputs.secrets}/files/services/gitea-runner/${hostname}-token.age";
      group = "podman";
    };
    services.gitea-actions-runner.instances = {
      act = {
        enable = true;
        url = giteaUrl;
        name = "act-runner-${hostname}";
        tokenFile = config.age.secrets."files/services/gitea-runner/${hostname}-token".path;
        settings = {
          cache.enabled = true;
          runner.capacity = 4;
        };
        labels = [
          "debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
          "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
        ];
      };
      nix = {
        enable = true;
        url = giteaUrl;
        name = "nix-runner-${hostname}";
        tokenFile = config.age.secrets."files/services/gitea-runner/${hostname}-token".path;
        settings = {
          cache.enabled = true;
          container = {
            options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nix-ci-user";
            network = "host";
            valid_volumes = [
              "/nix"
              "${storeDeps}/bin"
              "${storeDeps}/etc/ssl"
            ];
          };
          runner.capacity = 4;
        };
        labels = [
          "nix:docker://gitea-runner-nix"
        ];
      };
    };
  };
 }
--- a/modules/services/gitea/default.nix
+++ b/modules/services/gitea/default.nix
@@ -39,6 +39,13 @@ in {
      };
    };
    systemd.tmpfiles.rules = [
      "d '${config.services.gitea.customDir}/public/assets/css' 0750 ${config.services.gitea.user} ${config.services.gitea.group} - -"
      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github.css' - - - - ${inputs.gitea-github-theme}/theme-github.css"
      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-auto.css' - - - - ${inputs.gitea-github-theme}/theme-github-auto.css"
      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-dark.css' - - - - ${inputs.gitea-github-theme}/theme-github-dark.css"
    ];
    services.gitea = rec {
      package = pkgs.unstable.gitea;
      enable = true;
@@ -57,19 +64,23 @@ in {
      };
      settings = {
        server = {
          DOMAIN = config.networking.domain;
          LANDING_PAGE = "explore";
          OFFLINE_MODE = true;
          PROTOCOL = "http+unix";
          SSH_USER = "git";
          SSH_DOMAIN = "git.vimium.com";
          SSH_PORT = lib.head config.services.openssh.ports;
          OFFLINE_MODE = true;
          PROTOCOL = "http+unix";
          DOMAIN = config.networking.domain;
          ROOT_URL = "https://git.vimium.com/";
        };
        service.DISABLE_REGISTRATION = true;
        session.COOKIE_SECURE = true;
-        log.ROOT_PATH = "${stateDir}/log";
+        log = {
          ROOT_PATH = "${stateDir}/log";
          DISABLE_ROUTER_LOG = true;
        };
        ui = {
-          THEMES = "gitea,arc-green,github-dark,bthree-dark";
+          THEMES = "gitea,arc-green,github,github-auto,github-dark";
          DEFAULT_THEME = "github-dark";
        };
        actions.ENABLED = true;
--- a/modules/services/headscale/default.nix
+++ b/modules/services/headscale/default.nix
@@ -4,6 +4,7 @@ with lib;
 let
  cfg = config.modules.services.headscale;
  fqdn = "headscale.vimium.net";
 in {
  options.modules.services.headscale = {
    enable = mkOption {
@@ -13,8 +14,39 @@ in {
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.headscale ];
    services.headscale = {
      enable = true;
      port = 8080;
      settings = {
        ip_prefixes = [
          "100.64.0.0/10"
        ];
        server_url = "https://${fqdn}";
        dns_config = {
          base_domain = "vimium.net";
          extra_records = [
            {
              name = "grafana.mesh.vimium.net";
              type = "A";
              value = "100.64.0.6";
            }
            {
              name = "home.mesh.vimium.net";
              type = "A";
              value = "100.64.0.7";
            }
          ];
        };
        logtail.enabled = false;
      };
    };
    services.nginx.virtualHosts = {
-      "headscale.vimium.net" = {
+      "${fqdn}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
@@ -23,21 +55,5 @@ in {
        };
      };
    };
    services.headscale = {
      enable = true;
      port = 8080;
      settings = {
        server_url = "https://headscale.vimium.net";
        dns_config = {
          base_domain = "vimium.net";
        };
        logtail.enabled = false;
      };
    };
    environment.systemPackages = with pkgs; [
      config.services.headscale.package
    ];
  };
 }
--- a/modules/services/mail/default.nix
+++ b/modules/services/mail/default.nix
@@ -0,0 +1,70 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.modules.services.mail;
  domains = [
    "h0lt.com"
    "jdholt.com"
    "jordanholt.xyz"
    "vimium.co"
    "vimium.com"
    "vimium.co.uk"
    "vimium.info"
    "vimium.net"
    "vimium.org"
    "vimium.xyz"
  ];
 in {
  options.modules.services.mail = {
    enable = lib.mkOption {
      default = false;
      example = true;
    };
  };
  config = lib.mkIf cfg.enable {
    services.roundcube = {
      enable = true;
      hostName = config.mailserver.fqdn;
      extraConfig = ''
        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
      '';
      plugins = [ "contextmenu" ];
    };
    services.nginx.enable = true;
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    mailserver = {
      enable = true;
      fqdn = "mail.vimium.com";
      domains = domains;
      indexDir = "/var/lib/dovecot/indices";
      certificateDomains = [
        "imap.vimium.com"
        "smtp.vimium.com"
      ];
      certificateScheme = "acme-nginx";
      fullTextSearch.enable = true;
      loginAccounts = {
        "jordan@vimium.com" = {
          hashedPasswordFile = config.users.users.jordan.hashedPasswordFile;
          catchAll = domains;
        };
      };
      extraVirtualAliases = {
        "hostmaster@vimium.com" = "jordan@vimium.com";
        "postmaster@vimium.com" = "jordan@vimium.com";
        "webmaster@vimium.com" = "jordan@vimium.com";
        "abuse@vimium.com" = "jordan@vimium.com";
      };
    };
  };
 }
--- a/modules/services/matrix-synapse/default.nix
+++ b/modules/services/matrix-synapse/default.nix
@@ -1,58 +1,94 @@
-{ config, lib, pkgs, inputs, ... }:
+{
-
+  config,
-with lib;
+  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.modules.services.matrix-synapse;
-  matrixClientConfig = {
+  validBridges = [
-    "m.homeserver" = {
+    "signal"
-      base_url = "https://matrix.vimium.com";
+    "whatsapp"
-      server_name = "vimium.com";
+  ];
    };
    "m.identity_server" = {};
  };
  matrixServerConfig."m.server" = "matrix.vimium.com:443";
  mkWellKnown = data: ''
    more_set_headers 'Content-Type: application/json';
    return 200 '${builtins.toJSON data}';
  '';
 in {
  options.modules.services.matrix-synapse = {
-    enable = mkOption {
+    enable = lib.mkOption {
      default = false;
      example = true;
    };
    enableElementWeb = lib.mkOption {
      default = true;
      example = false;
    };
    bridges = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "A list of bridges to configure with Synapse.";
      example = [ "signal" "whatsapp" ];
      default = [];
      apply = bridges:
        if lib.all (bridge: lib.elem bridge validBridges) bridges
        then bridges
        else throw "Invalid bridge(s) specified. Valid bridges are: ${lib.concatStringsSep ", " validBridges}";
    };
    serverName = lib.mkOption {
      type = lib.types.str;
      default = "vimium.com";
      example = "vimium.com";
    };
    usePostgresql = lib.mkOption {
      default = false;
      example = true;
    };
  };
-  config = mkIf cfg.enable {
+  config = let
    commonBridgeSettings = bridge: {
      appservice = {
        database = lib.mkIf cfg.usePostgresql {
          type = "postgres";
          uri = "postgresql:///mautrix-${bridge}?host=/run/postgresql";
        };
      };
      bridge = {
        encryption = {
          allow = true;
          default = true;
          require = true;
        };
        permissions = {
          "${cfg.serverName}" = "user";
        };
        provisioning = {
          shared_secret = "disable";
        };
      };
    };
    matrixClientConfig = {
      "m.homeserver" = {
        base_url = "https://matrix.${cfg.serverName}";
        server_name = cfg.serverName;
      };
      "m.identity_server" = {};
    };
    matrixServerConfig."m.server" = "matrix.${cfg.serverName}:443";
    mkWellKnown = data: ''
      more_set_headers 'Content-Type: application/json';
      return 200 '${builtins.toJSON data}';
    '';
  in lib.mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [
      8448 # Matrix federation
    ];
    security.acme.certs = {
-      "matrix.vimium.com" = {
+      "matrix.${cfg.serverName}" = {
        reloadServices = [ "matrix-synapse" ];
      };
    };
    services.nginx.virtualHosts = {
-      "chat.vimium.com" = {
+      "matrix.${cfg.serverName}" = {
        forceSSL = true;
        enableACME = true;
        root = pkgs.unstable.element-web.override {
          conf = {
            default_server_config = matrixClientConfig;
            brand = "Vimium Chat";
            branding = {
              auth_header_logo_url = "https://vimium.com/images/logo.svg";
              auth_footer_links = [
                { "text" = "Vimium.com"; "url" = "https://vimium.com"; }
              ];
            };
          };
        };
      };
      "matrix.vimium.com" = {
        forceSSL = true;
        enableACME = true;
        listen = [
@@ -102,26 +138,71 @@ in {
          "/_synapse/client".proxyPass = "http://localhost:8008";
        };
      };
-      "vimium.com" = {
+      "${cfg.serverName}" = {
        locations."= /.well-known/matrix/server".extraConfig = (mkWellKnown matrixServerConfig);
        locations."= /.well-known/matrix/client".extraConfig = (mkWellKnown matrixClientConfig);
      };
-    };
+    } // (if cfg.enableElementWeb then {
      "chat.${cfg.serverName}" = {
        forceSSL = true;
        enableACME = true;
        root = pkgs.unstable.element-web.override {
          conf = {
            default_server_config = matrixClientConfig;
            brand = "Vimium Chat";
            branding = {
              auth_header_logo_url = "https://vimium.com/images/logo.svg";
              auth_footer_links = [
                { "text" = "Vimium.com"; "url" = "https://vimium.com"; }
              ];
            };
          };
        };
      };
    } else {});
    services.matrix-synapse = {
      enable = true;
      settings = {
-        database.name = "sqlite3";
+        database.name = (if cfg.usePostgresql then "psycopg2" else "sqlite3");
        enable_metrics = false;
        enable_registration = false;
-        server_name = "vimium.com";
+        max_upload_size = "100M";
-        # turn_shared_secret = "???";
+        report_stats = false;
-        # turn_uris = [
+        server_name = cfg.serverName;
        #   "turn:turn.vimium.com:5349?transport=udp"
        #   "turn:turn.vimium.com:5350?transport=udp"
        #   "turn:turn.vimium.com:5349?transport=tcp"
        #   "turn:turn.vimium.com:5350?transport=tcp"
        # ];
      };
    };
    services.postgresql = lib.mkIf cfg.usePostgresql {
      ensureUsers = [
        {
          name = "matrix-synapse";
          ensureDBOwnership = true;
        }
      ];
      ensureDatabases = [
        "matrix-synapse"
      ];
    };
    services.mautrix-signal = lib.mkIf (lib.elem "signal" cfg.bridges) {
      enable = true;
      settings = commonBridgeSettings "signal";
    };
    services.mautrix-whatsapp = lib.mkIf (lib.elem "whatsapp" cfg.bridges) {
      enable = true;
      settings = {
        bridge = {
          history_sync = {
            backfill = true;
            max_initial_conversations = -1;
            message_count = 50;
            request_full_sync = false;
          };
          mute_bridging = true;
        };
      } // commonBridgeSettings "whatsapp";
    };
  };
 }
--- a/modules/services/photoprism/default.nix
+++ b/modules/services/photoprism/default.nix
@@ -0,0 +1,57 @@
 { config, lib, pkgs, inputs, ... }:
 with lib;
 let cfg = config.modules.services.photoprism;
 in {
  options.modules.services.photoprism = {
    enable = mkOption {
      default = false;
      example = true;
    };
  };
  config = mkIf cfg.enable {
    services.nginx = {
      virtualHosts = {
        "gallery.vimium.com" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://localhost:${toString config.services.photoprism.port}";
            extraConfig = ''
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
            '';
          };
        };
      };
    };
    age.secrets."passwords/services/photoprism/admin" = {
      file = "${inputs.secrets}/passwords/services/photoprism/admin.age";
    };
    services.photoprism = {
      enable = true;
      address = "localhost";
      passwordFile = config.age.secrets."passwords/services/photoprism/admin".path;
      originalsPath = "${config.services.photoprism.storagePath}/originals";
      settings = {
        PHOTOPRISM_APP_NAME = "Vimium Gallery";
        PHOTOPRISM_SITE_AUTHOR = "Vimium";
        PHOTOPRISM_SITE_TITLE = "Vimium Gallery";
        PHOTOPRISM_SITE_CAPTION = "Vimium Gallery";
        PHOTOPRISM_DISABLE_TLS = "true";
        PHOTOPRISM_SPONSOR = "true";
      };
    };
  };
 }
--- a/overlays/gnome.nix
+++ b/overlays/gnome.nix
@@ -3,8 +3,8 @@ self: super:
  gnome = super.gnome.overrideScope' (gself: gsuper: {
    mutter = gsuper.mutter.overrideAttrs (oldAttrs: {
      src = super.fetchurl {
-        url = "https://gitlab.gnome.org/Community/Ubuntu/mutter/-/archive/triple-buffering-v4-45/mutter-triple-buffering-v4-45.tar.gz";
+        url = "https://gitlab.gnome.org/Community/Ubuntu/mutter/-/archive/triple-buffering-v4-46/mutter-triple-buffering-v4-46.tar.gz";
-        sha256 = "tN+zQ5brk+hc+louIipqPV/Bqft42ghKOzjZZMj5Q8A=";
+        sha256 = "mmFABDsRMzYnLO3+Cf3CJ60XyUBl3y9NAUj+vs7nLqE=";
      };
    });
  });