Check flake instead of dry building

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/e1b3ae2b4ebc3c7b83154b9361e3d154e64e362d' (2024-05-06)
  → 'github:nix-community/disko/874c83c94830d45a64edb408de5a1dd1cae786a4' (2024-05-07)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/e148ccbecbd2fe4dc4768fba67f6db828466ad06' (2024-05-06)
  → 'github:NixOS/nixos-hardware/d1659c9eb8af718118fb4bbe2c86797c8b8623eb' (2024-05-06)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/651b4702e27a388f0f18e1b970534162dec09aff' (2024-05-04)
  → 'github:NixOS/nixpkgs/27c13997bf450a01219899f5a83bd6ffbfc70d3c' (2024-05-06)

.gitea/workflows/check.yml

@@ -0,0 +1,15 @@
+name: Check flake
+on:
+  push:
+    branches: ['master']
+jobs:
+  build-amd64-linux:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: master
+      - name: Check flake
+        run: |
+          echo "Checking flake at ${{ gitea.ref }}"
+          nix flake check

README.md

@@ -9,16 +9,47 @@ System and user configuration for NixOS-based systems.
 | **Theme:** | adwaita |
 | **Terminal:** | Console |
 
-## Provisioning
+## Provisioning a new host
-> [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) is the module used for provisioning
+> [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) is the module used
+> for provisioning
 
 Generate a new SSH host key in "$temp/etc/ssh" as per [this guide](https://nix-community.github.io/nixos-anywhere/howtos/secrets.html#example-decrypting-an-openssh-host-key-with-pass).
+```
+ssh-keygen -t ed25519 -f /tmp/ssh_host_ed25519_key
+```
 
-Then run;
+Update [nix-secrets](/jordan/nix-secrets) with the new host key to enable the system to decrypt
+any relevant secrets.
+
+In order to use the borgmatic module for backups, go to [borgbase.com](https://borgbase.com).
+Add the generated SSH host key and create a new repository for the system.
+
+Create a new directory under `hosts/` with a system configuration and disk layout.
+
+Boot the NixOS installer (or any Linux distribution) on the target.
+
+Then run:
 ```
 nix run github:nix-community/nixos-anywhere -- \
   --disk-encryption-keys /tmp/secret.key /tmp/secret.key \
   --extra-files "$temp" \
   --flake .#<hostname> \
-  root@<ip>
+  root@<target-ip>
 ```
+
+### Post install
+
+If backups are configured, you'll need to run:
+```
+borgmatic init --encryption repokey-blake2
+```
+then restart `borgmatic`.
+
+To join the Tailscale network, run:
+```
+tailscale up --login-server https://headscale.vimium.net
+```
+then visit the URL, SSH onto `vps1` and run `headscale --user mesh nodes register --key <key>`.
+
+The new node can optionally be given a friendly name with `headscale node rename -i <index> <hostname>`.
+

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1707830867,
+        "lastModified": 1714136352,
-        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "narHash": "sha256-BtWQ2Th/jamO1SlD+2ASSW5Jaf7JhA/JLpQHk0Goqpg=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "rev": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e",
         "type": "github"
       },
       "original": {
@@ -21,6 +21,45 @@
         "type": "github"
       }
     },
+    "beautysh": {
+      "inputs": {
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ],
+        "poetry2nix": "poetry2nix",
+        "utils": "utils_3"
+      },
+      "locked": {
+        "lastModified": 1680308980,
+        "narHash": "sha256-aUEHV0jk2qIFP3jlsWYWhBbm+w/N9gzH3e4I5DcdB5s=",
+        "owner": "lovesegfault",
+        "repo": "beautysh",
+        "rev": "9845efc3ea3e86cc0d41465d720a47f521b2799c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lovesegfault",
+        "repo": "beautysh",
+        "type": "github"
+      }
+    },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
@@ -50,11 +89,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1708091384,
+        "lastModified": 1711973905,
-        "narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=",
+        "narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790",
+        "rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b",
         "type": "github"
       },
       "original": {
@@ -70,11 +109,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709439398,
+        "lastModified": 1715067242,
-        "narHash": "sha256-MW0zp3ta7SvdpjvhVCbtP20ewRwQZX2vRFn14gTc4Kg=",
+        "narHash": "sha256-KCEzKd58z4X0ffHPp9hh2IE255lnprwIl19r1TDzB6o=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "1f76b318aa11170c8ca8c225a9b4c458a5fcbb57",
+        "rev": "874c83c94830d45a64edb408de5a1dd1cae786a4",
         "type": "github"
       },
       "original": {
@@ -86,11 +125,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1708965002,
+        "lastModified": 1714702515,
-        "narHash": "sha256-gIBZCPB0sA8Gagrxd8w4+y9uUkWBnXJBmq9Ur5BYTQU=",
+        "narHash": "sha256-EACja6V2lNh67Xvmhr0eEM/VeqM7OlTTm/81LhRbsBE=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "4e966509c180f93ba8665cd73cad8456bf44baab",
+        "rev": "c4eec329c464f3f89ab78a56a47eee6271ea9d19",
         "type": "github"
       },
       "original": {
@@ -115,6 +154,113 @@
         "type": "github"
       }
     },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1685518550,
+        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gitea-github-theme": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1714774531,
+        "narHash": "sha256-qbju0jKnOqsO77cMjVPZmJADU3mb/q3a5ULkM7RDCWk=",
+        "ref": "main",
+        "rev": "cb120eb24fa69f69984d175832acfc5a011384e5",
+        "revCount": 95,
+        "type": "git",
+        "url": "ssh://git@git.vimium.com/jordan/gitea-github-theme.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "ssh://git@git.vimium.com/jordan/gitea-github-theme.git"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "nixvim",
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1660459072,
+        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -143,11 +289,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706981411,
+        "lastModified": 1714043624,
-        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
+        "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
+        "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
         "type": "github"
       },
       "original": {
@@ -159,11 +305,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1709410583,
+        "lastModified": 1715010655,
-        "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
+        "narHash": "sha256-FmdhvR/hgBkPDvIv/HOEIQsSMaVXh8wvTrnep8dF3Jc=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
+        "rev": "d1659c9eb8af718118fb4bbe2c86797c8b8623eb",
         "type": "github"
       },
       "original": {
@@ -172,6 +318,32 @@
         "type": "github"
       }
     },
+    "nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-23_05": "nixpkgs-23_05",
+        "nixpkgs-23_11": "nixpkgs-23_11",
+        "utils": "utils_2"
+      },
+      "locked": {
+        "lastModified": 1706219574,
+        "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-23.11",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1703013332,
@@ -188,13 +360,59 @@
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs-23_05": {
       "locked": {
-        "lastModified": 1709237383,
+        "lastModified": 1704290814,
-        "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
+        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
+        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.05",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-23_11": {
+      "locked": {
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1685801374,
+        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1714906307,
+        "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
         "type": "github"
       },
       "original": {
@@ -221,11 +439,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1709309926,
+        "lastModified": 1714971268,
-        "narHash": "sha256-VZFBtXGVD9LWTecGi6eXrE0hJ/mVB3zGUlHImUs2Qak=",
+        "narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "79baff8812a0d68e24a836df0a364c678089e2c7",
+        "rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c",
         "type": "github"
       },
       "original": {
@@ -234,16 +452,95 @@
         "type": "indirect"
       }
     },
+    "nixvim": {
+      "inputs": {
+        "beautysh": "beautysh",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks": "pre-commit-hooks"
+      },
+      "locked": {
+        "lastModified": 1713951100,
+        "narHash": "sha256-ObeER1qB/i06lk7jQqVp9DdTKnykNaojOVoX9GcCoRc=",
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "rev": "7c59615585f691b560d9522c94d8f3195853ca8e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "nixos-23.11",
+        "repo": "nixvim",
+        "type": "github"
+      }
+    },
+    "poetry2nix": {
+      "inputs": {
+        "flake-utils": [
+          "nixvim",
+          "beautysh",
+          "utils"
+        ],
+        "nixpkgs": [
+          "nixvim",
+          "beautysh",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1658665240,
+        "narHash": "sha256-/wkx7D7enyBPRjIkK0w7QxLQhzEkb3UxNQnjyc3FTUI=",
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "rev": "8b8edc85d24661d5a6d0d71d6a7011f3e699780f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "flake-utils": "flake-utils_2",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1703939133,
+        "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
         "deploy-rs": "deploy-rs",
         "disko": "disko",
         "firefox-gnome-theme": "firefox-gnome-theme",
+        "gitea-github-theme": "gitea-github-theme",
         "home-manager": "home-manager_2",
         "nixos-hardware": "nixos-hardware",
+        "nixos-mailserver": "nixos-mailserver",
         "nixpkgs": "nixpkgs_3",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixvim": "nixvim",
         "secrets": "secrets",
         "thunderbird-gnome-theme": "thunderbird-gnome-theme"
       }
@@ -251,11 +548,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1709495020,
+        "lastModified": 1715007828,
-        "narHash": "sha256-eiz0qUjUbdeb6m28XPY7OVnrGMZ45JiT2dZZ0Bmq2X0=",
+        "narHash": "sha256-3791/+OWOMFAY3OFOsOwaFmpo2iIv9iHUhEb63oUL2M=",
         "ref": "refs/heads/master",
-        "rev": "d135b4d6d5f0079999188895f8b5f35e821b0d4b",
+        "rev": "b4a1c8968a1cb3688c12caddecd99432494df95b",
-        "revCount": 14,
+        "revCount": 18,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },
@@ -294,14 +591,44 @@
         "type": "github"
       }
     },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "thunderbird-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1701889124,
+        "lastModified": 1710774977,
-        "narHash": "sha256-K+6oh7+J6RDBFkxphY/pzf0B+q5+IY54ZMKZrFSKXlc=",
+        "narHash": "sha256-nQBz2PW3YF3+RTflPzDoAcs6vH1PTozESIYUGAwvSdA=",
         "owner": "rafaelmardojai",
         "repo": "thunderbird-gnome-theme",
-        "rev": "966e9dd54bd2ce9d36d51cd6af8c3bac7a764a68",
+        "rev": "65d5c03fc9172d549a3ea72fd366d544981a002b",
         "type": "github"
       },
       "original": {
@@ -327,6 +654,36 @@
         "repo": "flake-utils",
         "type": "github"
       }
+    },
+    "utils_2": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "utils_3": {
+      "locked": {
+        "lastModified": 1678901627,
+        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -19,7 +19,19 @@
       url = "github:rafaelmardojai/firefox-gnome-theme";
       flake = false;
     };
+    gitea-github-theme = {
+      url = "git+ssh://git@git.vimium.com/jordan/gitea-github-theme.git?ref=main";
+      flake = false;
+    };
     nixos-hardware.url = "github:NixOS/nixos-hardware";
+    nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixvim = {
+      url = "github:nix-community/nixvim/nixos-23.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     secrets = {
       url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
       flake = false;
@@ -30,7 +42,7 @@
     };
   };
 
-  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, secrets, ... }:
+  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, nixos-mailserver, secrets, ... }:
     let
       mkPkgsForSystem = system: inputs.nixpkgs;
       overlays = [
@@ -46,6 +58,7 @@
       commonModules = [
         agenix.nixosModules.age
         disko.nixosModules.disko
+        nixos-mailserver.nixosModule
         home-manager.nixosModule
         ./modules
       ];
@@ -78,6 +91,7 @@
         helios = mkNixosSystem { system = "x86_64-linux"; name = "helios"; };
         hypnos = mkNixosSystem { system = "x86_64-linux"; name = "hypnos"; };
         library = mkNixosSystem { system = "x86_64-linux"; name = "library"; };
+        mail = mkNixosSystem { system = "x86_64-linux"; name = "mail"; };
         odyssey = mkNixosSystem { system = "x86_64-linux"; name = "odyssey"; };
         pi = mkNixosSystem { system = "aarch64-linux"; name = "pi"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
         vps1 = mkNixosSystem { system = "x86_64-linux"; name = "vps1"; };
@@ -94,6 +108,14 @@
         autoRollback = true;
         sshUser = "root";
         nodes = {
+          mail = {
+            hostname = "mail.mesh.vimium.net";
+
+            profiles.system = {
+              user = "root";
+              path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.mail;
+            };
+          };
           vps1 = {
             hostname = "vps1.mesh.vimium.net";
 

hosts/atlas/default.nix

@@ -36,7 +36,6 @@
     };
     editors = {
       neovim.enable = true;
-      vscode.enable = true;
     };
     security = {
       gpg.enable = true;

hosts/common.nix

@@ -49,6 +49,7 @@
       max-free = 1000000000;
       fallback = true;
       allowed-users = [ "@wheel" ];
+      trusted-users = [ "@wheel" ];
       auto-optimise-store = true;
       substituters = [
         "http://odyssey.mesh.vimium.net"

hosts/desktop.nix

@@ -21,7 +21,20 @@
   fileSystems."/mnt/library" = {
     device = "library.mesh.vimium.net:/mnt/library";
     fsType = "nfs";
-    options = [ "nfsvers=4.2" "soft" "nocto" "ro" "x-systemd.automount" "noauto" ];
+    options = [
+      "nfsvers=4.2"
+      "bg"
+      "intr"
+      "soft"
+      "timeo=5"
+      "retrans=5"
+      "actimeo=5"
+      "retry=5"
+      "nocto"
+      "ro"
+      "x-systemd.automount"
+      "noauto"
+    ];
   };
 
   system.autoUpgrade = {
@@ -30,8 +43,35 @@
     randomizedDelaySec = "10min";
   };
 
+  systemd.services.NetworkManager-wait-online.enable = false;
+
+  fonts.packages = with pkgs; [
+    noto-fonts
+    (nerdfonts.override { fonts = [ "BigBlueTerminal" "ComicShannsMono" "Terminus" "UbuntuMono" ]; })
+  ];
+
   modules = {
     desktop.gnome.enable = true;
     networking.tailscale.enable = true;
   };
+
+  environment.systemPackages = with pkgs; [
+    bind
+    bmon
+    fd
+    ffmpeg
+    iotop
+    unstable.nix-du
+    # unstable.nix-melt
+    unstable.nix-tree
+    unstable.nix-visualize
+    ripgrep
+    rsync
+    tcpdump
+    tokei
+    tree
+    wl-clipboard
+  ];
+
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
 }

hosts/hypnos/0001-Add-apple_set_os-EFI-boot-service.patch

@@ -0,0 +1,102 @@
+From d310ddee0fb8e7a5a8b89668c6cb8f9dc863ce94 Mon Sep 17 00:00:00 2001
+From: Jordan Holt <jordan@vimium.com>
+Date: Sun, 28 Apr 2024 15:59:52 +0100
+Subject: [PATCH] Add apple_set_os EFI boot service
+
+---
+ drivers/firmware/efi/libstub/x86-stub.c | 59 +++++++++++++++++++++++++
+ include/linux/efi.h                     |  1 +
+ 2 files changed, 60 insertions(+)
+
+diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
+index d5a8182cf..be722c43a 100644
+--- a/drivers/firmware/efi/libstub/x86-stub.c
++++ b/drivers/firmware/efi/libstub/x86-stub.c
+@@ -449,6 +449,63 @@ static void setup_graphics(struct boot_params *boot_params)
+ 	}
+ }
+ 
++typedef struct {
++	u64 version;
++	void (*set_os_version) (const char *os_version);
++	void (*set_os_vendor) (const char *os_vendor);
++} apple_set_os_interface_t;
++
++static efi_status_t apple_set_os()
++{
++	apple_set_os_interface_t *set_os;
++	efi_guid_t set_os_guid = APPLE_SET_OS_PROTOCOL_GUID;
++	efi_status_t status;
++	void **handles;
++	unsigned long i, nr_handles, size = 0;
++
++	status = efi_bs_call(locate_handle, EFI_LOCATE_BY_PROTOCOL,
++			     &set_os_guid, NULL, &size, handles);
++
++	if (status == EFI_BUFFER_TOO_SMALL) {
++		status = efi_bs_call(allocate_pool, EFI_LOADER_DATA,
++				     size, &handles);
++
++		if (status != EFI_SUCCESS)
++			return status;
++
++		status = efi_bs_call(locate_handle, EFI_LOCATE_BY_PROTOCOL,
++				     &set_os_guid, NULL, &size, handles);
++	}
++
++	if (status != EFI_SUCCESS)
++		goto free_handle;
++
++	nr_handles = size / sizeof(void *);
++	for (i = 0; i < nr_handles; i++) {
++		void *h = handles[i];
++
++		status = efi_bs_call(handle_protocol, h,
++				     &set_os_guid, &set_os);
++
++		if (status != EFI_SUCCESS || !set_os)
++			continue;
++
++		if (set_os->version > 0) {
++			efi_bs_call((unsigned long)set_os->set_os_version,
++					"Mac OS X 10.9");
++		}
++
++		if (set_os->version >= 2) {
++			efi_bs_call((unsigned long)set_os->set_os_vendor,
++					"Apple Inc.");
++		}
++	}
++
++free_handle:
++	efi_bs_call(free_pool, uga_handle);
++
++	return status;
++}
+ 
+ static void __noreturn efi_exit(efi_handle_t handle, efi_status_t status)
+ {
+@@ -951,6 +1008,8 @@ void __noreturn efi_stub_entry(efi_handle_t handle,
+ 
+ 	setup_unaccepted_memory();
+ 
++	apple_set_os();
++
+ 	status = exit_boot(boot_params, handle);
+ 	if (status != EFI_SUCCESS) {
+ 		efi_err("exit_boot() failed!\n");
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index d59b0947f..81158014f 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -385,6 +385,7 @@ void efi_native_runtime_setup(void);
+ #define EFI_MEMORY_ATTRIBUTES_TABLE_GUID	EFI_GUID(0xdcfa911d, 0x26eb, 0x469f,  0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
+ #define EFI_CONSOLE_OUT_DEVICE_GUID		EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4,  0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
+ #define APPLE_PROPERTIES_PROTOCOL_GUID		EFI_GUID(0x91bd12fe, 0xf6c3, 0x44fb,  0xa5, 0xb7, 0x51, 0x22, 0xab, 0x30, 0x3a, 0xe0)
++#define APPLE_SET_OS_PROTOCOL_GUID		EFI_GUID(0xc5c5da95, 0x7d5c, 0x45e6,  0xb2, 0xf1, 0x3f, 0xd5, 0x2b, 0xb1, 0x00, 0x77)
+ #define EFI_TCG2_PROTOCOL_GUID			EFI_GUID(0x607f766c, 0x7455, 0x42be,  0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
+ #define EFI_TCG2_FINAL_EVENTS_TABLE_GUID	EFI_GUID(0x1e2ed096, 0x30e2, 0x4254,  0xbd, 0x89, 0x86, 0x3b, 0xbe, 0xf8, 0x23, 0x25)
+ #define EFI_LOAD_FILE_PROTOCOL_GUID		EFI_GUID(0x56ec3091, 0x954c, 0x11d2,  0x8e, 0x3f, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
+-- 
+2.42.0
+

hosts/hypnos/default.nix

@@ -19,6 +19,8 @@
       browsers = {
         firefox.enable = true;
       };
+      gnome.enable = lib.mkForce false;
+      kde.enable = true;
       media.recording = {
         audio.enable = true;
       };

hosts/hypnos/hardware-configuration.nix

@@ -7,8 +7,13 @@
 
   boot = {
     initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-    initrd.kernelModules = [ ];
     kernelModules = [ "applesmc" "kvm-intel" "wl" ];
+    kernelPatches = [
+      {
+        name = "spoof-mac-os-x";
+        patch = ./0001-Add-apple_set_os-EFI-boot-service.patch;
+      }
+    ];
     extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
   };
 
@@ -18,10 +23,19 @@
 
   hardware = {
     cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-    nvidia = {
+    opengl = {
-      modesetting.enable = true;
+      enable = true;
-      powerManagement.enable = true;
+      extraPackages = with pkgs; [
+        intel-vaapi-driver
+        intel-media-driver
+        libvdpau-va-gl
+      ];
+      driSupport = true;
     };
   };
+
+  environment.variables = {
+    VDPAU_DRIVER = "va_gl";
+  };
 }
 

hosts/library/default.nix

@@ -21,10 +21,6 @@ with lib.my;
       allowedTCPPorts = [
         22  # SSH
       ];
-      interfaces."podman+" = {
-        allowedUDPPorts = [ 53 ];
-        allowedTCPPorts = [ 53 ];
-      };
     };
     networkmanager.enable = true;
   };
@@ -153,6 +149,7 @@ with lib.my;
   services.jellyfin.enable = true;
 
   modules = {
+    podman.enable = true;
     security = {
       gpg.enable = true;
     };

hosts/mail/README.md

@@ -0,0 +1,18 @@
+# Mail server
+
+## Overview
+Mail server hosted in OVH.
+
+## Specs
+* CPU - ??
+* Memory - ??
+
+### Disks
+Device | Partitions _(filesystem, usage)_
+--- | ---
+NVMe | `/dev/sda1` (ext4, NixOS Root)
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `mail.mesh.vimium.net`.
+

hosts/mail/default.nix

@@ -0,0 +1,55 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disko-config.nix
+    ../server.nix
+  ];
+
+  networking = {
+    hostId = "08ac2f14";
+    domain = "mesh.vimium.net";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22    # SSH
+      ];
+    };
+  };
+
+  users = {
+    users = {
+      root = {
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
+        ];
+      };
+    };
+  };
+
+  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+
+  security.acme.defaults = {
+    email = "hostmaster@vimium.com";
+    group = "nginx";
+    webroot = "/var/lib/acme/acme-challenge";
+  };
+
+  modules = {
+    services = {
+      borgmatic = {
+        enable = true;
+        directories = [
+          "/var/dkim"
+          "/var/lib"
+          "/var/vmail"
+        ];
+        repoPath = "ssh://kg2mpt28@kg2mpt28.repo.borgbase.com/./repo";
+      };
+      mail.enable = true;
+    };
+  };
+
+  system.stateVersion = "22.11";
+}

hosts/mail/disko-config.nix

@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "2M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "300M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/mail/hardware-configuration.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+      kernelModules = [ "nvme" ];
+    };
+    loader.grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+    };
+    tmp.cleanOnBoot = true;
+  };
+
+  zramSwap.enable = true;
+}
+

hosts/odyssey/default.nix

@@ -47,13 +47,16 @@
       browsers = {
         firefox.enable = true;
       };
-      gaming.emulators = {
+      gaming = {
-        gamecube.enable = true;
+        emulators = {
-        ps2.enable = true;
+          gamecube.enable = true;
-        ps3.enable = true;
+          ps2.enable = true;
-        psp.enable = true;
+          ps3.enable = true;
-        wii.enable = true;
+          psp.enable = true;
-        xbox.enable = true;
+          wii.enable = true;
+          xbox.enable = true;
+        };
+        lutris.enable = true;
       };
       media.graphics = {
         modeling.enable = true;
@@ -70,7 +73,6 @@
     };
     editors = {
       neovim.enable = true;
-      vscode.enable = true;
     };
     hardware.presonus-studio.enable = true;
     security = {
@@ -82,9 +84,16 @@
         enable = true;
         directories = [
           "/home/jordan/Documents"
+          "/home/jordan/Downloads"
+          "/home/jordan/Music"
+          "/home/jordan/Pictures"
+          "/home/jordan/projects"
+          "/home/jordan/Videos"
+          "/home/jordan/.mozilla"
         ];
         repoPath = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo";
       };
+      gitea-runner.enable = true;
     };
     shell = {
       git.enable = true;

hosts/vps1/default.nix

@@ -62,6 +62,7 @@
       headscale.enable = true;
       matrix-synapse.enable = true;
       nginx.enable = true;
+      photoprism.enable = true;
     };
   };
 

modules/default.nix

@@ -1,7 +1,10 @@
 {
   imports = [
     ./options.nix
+    ./podman.nix
     ./desktop/gnome.nix
+    ./desktop/hyprland.nix
+    ./desktop/kde.nix
     ./desktop/mimeapps.nix
     ./desktop/apps/qbittorrent.nix
     ./desktop/apps/slack.nix
@@ -33,9 +36,12 @@
     ./services/borgmatic
     ./services/coturn
     ./services/gitea
+    ./services/gitea-runner
     ./services/headscale
+    ./services/mail
     ./services/matrix-synapse
     ./services/nginx
+    ./services/photoprism
     ./shell/git
     ./shell/zsh
   ];

modules/desktop/gaming/emulators.nix

@@ -54,11 +54,11 @@ in {
   };
 
   config = {
-    user.packages = with pkgs.unstable; [
+    user.packages = with pkgs; [
       (lib.mkIf cfg.ps1.enable duckstation)
-      (lib.mkIf cfg.ps2.enable pcsx2)
+      (lib.mkIf cfg.ps2.enable unstable.pcsx2)
       (lib.mkIf cfg.ps3.enable rpcs3)
-      (lib.mkIf cfg.psp.enable ppsspp)
+      (lib.mkIf cfg.psp.enable unstable.ppsspp)
       (lib.mkIf cfg.ds.enable desmume)
       (lib.mkIf (cfg.gba.enable ||
              cfg.gb.enable  ||
@@ -68,7 +68,7 @@ in {
       (lib.mkIf (cfg.wii.enable ||
              cfg.gamecube.enable)
         dolphin-emu)
-      (lib.mkIf cfg.xbox.enable xemu)
+      (lib.mkIf cfg.xbox.enable unstable.xemu)
     ];
   };
 }

modules/desktop/gaming/lutris.nix

@@ -10,8 +10,13 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    user.packages = with pkgs; [
+    environment.systemPackages = with pkgs; [
-      lutris
+      (lutris.override {
+        extraPkgs = pkgs: [
+          winePackages.staging
+          wine64Packages.staging
+        ];
+      })
       vulkan-loader
       vulkan-tools
     ];

modules/desktop/gnome.nix

@@ -135,6 +135,8 @@ in {
       };
       "org/gnome/Console" = {
         font-scale = 1.4;
+        use-system-font = false;
+        custom-font = "ComicShannsMono Nerd Font 10";
       };
       "org/gnome/mutter" = {
         center-new-windows = true;
@@ -142,8 +144,8 @@ in {
         experimental-features = [ "scale-monitor-framebuffer" ];
       };
       "org/gnome/desktop/interface" = {
-        color-scheme = "prefer-dark";
         enable-hot-corners = false;
+        icon-theme = "MoreWaita";
         monospace-font-name = "UbuntuMono Nerd Font 11";
       };
       "org/gnome/desktop/wm/keybindings" = {
@@ -155,39 +157,30 @@ in {
       };
     };
 
-    fonts.packages = with pkgs; [
-      noto-fonts
-      (nerdfonts.override { fonts = [ "BigBlueTerminal" "ComicShannsMono" "UbuntuMono" ]; })
-    ];
-
     user.packages = with pkgs; [
       authenticator
-      bottles
+      # bottles
-      bustle
+      # bustle
       celluloid
-      d-spy
+      # d-spy
-      drawing
+      # drawing
-      fragments
+      # fragments
       gnome.ghex
       # gnome-builder
       gnome-decoder
       gnome-firmware
       gnome-frog
-      gnome-obfuscate
+      # gnome-obfuscate
       gnome-podcasts
       identity
       mission-center
       newsflash
-      schemes
+      # schemes
       shortwave
     ];
 
     environment.systemPackages = with pkgs; [
       adw-gtk3
-      bind
-      bmon
-      fd
-      ffmpeg
       gnome.gnome-boxes
       gnomeExtensions.another-window-session-manager
       # gnomeExtensions.bifocals
@@ -218,14 +211,7 @@ in {
       # gnomeExtensions.window-is-ready-remover
       # gnomeExtensions.worksets
       # gnomeExtensions.workspace-matrix
-      iotop
       unstable.morewaita-icon-theme
-      ripgrep
-      rsync
-      tcpdump
-      tokei
-      tree
-      wl-clipboard
     ] ++ (if config.virtualisation.podman.enable then [
       pods
     ] else []);

modules/desktop/hyprland.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.modules.desktop.hyprland;
+in {
+  options.modules.desktop.hyprland = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.hyprland.enable = true;
+
+    networking.networkmanager.enable = true;
+
+    user.packages = with pkgs; [
+      mpv
+    ];
+
+    environment.systemPackages = with pkgs; [
+      adw-gtk3
+    ];
+
+    home.services.gpg-agent.pinentryFlavor = "gnome3";
+  };
+}

modules/desktop/kde.nix

@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.modules.desktop.kde;
+in {
+  options.modules.desktop.kde = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.xserver = {
+      enable = true;
+      displayManager.sddm = {
+        enable = true;
+        wayland.enable = true;
+      };
+      desktopManager.plasma5.enable = true;
+    };
+
+    networking.networkmanager.enable = true;
+
+    user.packages = with pkgs; [
+      kmail
+      mpv
+    ];
+
+    environment.systemPackages = with pkgs; [
+      adw-gtk3
+    ];
+
+    home.services.gpg-agent.pinentryFlavor = "qt";
+  };
+}

modules/desktop/office/libreoffice.nix

@@ -11,7 +11,10 @@ in {
 
   config = lib.mkIf cfg.enable {
     user.packages = with pkgs; [
-      libreoffice
+      (if config.modules.desktop.kde.enable == true then libreoffice-qt else libreoffice)
+      hunspell
+      hunspellDicts.en-gb-large
+      hunspellDicts.en-us-large
     ];
   };
 }

modules/editors/neovim/default.nix

@@ -11,15 +11,128 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    user.packages = with pkgs.unstable; [
+    home.programs.nixvim = {
-      lunarvim
+      enable = true;
-    ];
+      defaultEditor = true;
 
-    env.EDITOR = "lvim";
+      viAlias = true;
+      vimAlias = true;
 
-    environment.shellAliases = {
+      options = {
-      vim = "lvim";
+        number = true;
-      v   = "lvim";
+        tabstop = 2;
+        shiftwidth = 2;
+        expandtab = true;
+        foldlevel = 99;
+        splitbelow = true;
+        splitright = true;
+        undofile = true;
+        updatetime = 100;
+        list = true;
+      };
+
+      globals = {
+        mapleader = ",";
+        maplocalleader = ",";
+      };
+
+      clipboard = {
+        register = "unnamedplus";
+
+        providers.wl-copy.enable = true;
+      };
+
+      plugins.comment-nvim.enable = true;
+
+      plugins.hmts.enable = true;
+
+      plugins.lightline.enable = true;
+
+      plugins.luasnip.enable = true;
+
+      plugins.lsp = {
+        enable = true;
+        servers = {
+          bashls.enable = true;
+          ccls.enable = true;
+          cssls.enable = true;
+          eslint.enable = true;
+          gopls.enable = true;
+          html.enable = true;
+          lua-ls.enable = true;
+          pylsp.enable = true;
+          nixd.enable = true;
+          rust-analyzer = {
+            enable = true;
+            installCargo = true;
+            installRustc = true;
+          };
+          tsserver.enable = true;
+        };
+      };
+
+      plugins.nvim-autopairs.enable = true;
+
+      plugins.nvim-cmp = {
+        enable = true;
+        autoEnableSources = true;
+        sources = [
+          { name = "nvim_lsp"; }
+          { name = "path"; }
+          { name = "buffer"; }
+        ];
+        mapping = {
+          "<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
+          "<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
+          "<CR>" = "cmp.mapping.confirm({ select = true })";
+        };
+      };
+
+      plugins.telescope = {
+        enable = true;
+        keymaps = {
+          "<leader>ff" = "find_files";
+          "<leader>fg" = "live_grep";
+          "<leader>b" = "buffers";
+          "<leader>fh" = "help_tags";
+          "<C-p>" = "git_files";
+          "<C-f>" = "live_grep";
+        };
+        keymapsSilent = true;
+      };
+
+      plugins.treesitter = {
+        enable = true;
+
+        nixvimInjections = true;
+
+        folding = true;
+        indent = true;
+      };
+
+      plugins.treesitter-refactor = {
+        enable = true;
+        highlightDefinitions = {
+          enable = true;
+          clearOnCursorMove = false;
+        };
+      };
+
+      plugins.undotree.enable = true;
+
+      # plugins.gitsigns.enable = true;
+      # plugins.gitgutter.enable = true;
+      # plugins.goyo.enable = true;
+      # plugins.fugitive.enable = true;
+      # plugins.fzf-lua.enable = true;
+      # plugins.neo-tree.enable = true;
+      # plugins.none-ls.enable = true;
+      # plugins.nvim-tree.enable = true;
+      # plugins.oil.enable = true;
+      # plugins.project-nvim.enable = true;
+      # plugins.surround.enable = true;
     };
+
+    env.EDITOR = "nvim";
   };
 }

modules/hardware/presonus-studio.nix

@@ -27,6 +27,23 @@ in {
       (patched)
     ];
 
+    # Workaround for mainline module loading instead of patched module
+    systemd.services.reload-snd-usb-audio = {
+      description = "Reload snd_usb_audio kernel module";
+      wantedBy = [ "sound.target" ];
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [
+        kmod
+      ];
+      script = ''
+        # Only reload if device hasn't been initialised
+        if ! cat /proc/asound/card*/usbmixer | grep -q "Mute Main Out Switch"; then
+          rmmod snd_usb_audio
+          insmod /run/booted-system/kernel-modules/lib/modules/$(uname -r)/extra/snd-usb-audio.ko.xz
+        fi
+      '';
+    };
+
     environment.etc = {
       "pipewire/pipewire.conf.d/10-network.conf".text = ''
         context.modules = [

modules/options.nix

@@ -66,6 +66,10 @@ with lib;
         };
         dconf.settings = mkAliasDefinitions options.dconf.settings;
       };
+
+      sharedModules = [
+        inputs.nixvim.homeManagerModules.nixvim
+      ];
     };
 
     users.users.${config.user.name} = mkAliasDefinitions options.user;

modules/podman.nix

@@ -0,0 +1,45 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+  cfg = config.modules.podman;
+in {
+  options.modules.podman = {
+    enable = mkOption {
+      default = false;
+      example = true;
+      description = mdDoc "Enable podman on this host";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation = {
+      docker.enable = false;
+
+      podman = {
+        enable = true;
+        defaultNetwork.settings.dns_enabled = true;
+        autoPrune = {
+          enable = true;
+          dates = "weekly";
+          flags = [ "--all" ];
+        };
+        extraPackages = [ pkgs.zfs ];
+      };
+
+      containers.storage.settings.storage = {
+        driver = "zfs";
+        graphroot = "/var/lib/containers/storage";
+        runroot = "/run/containers/storage";
+      };
+
+      oci-containers.backend = "podman";
+    };
+
+    networking.firewall.interfaces."podman+" = {
+      allowedUDPPorts = [ 53 ];
+      allowedTCPPorts = [ 53 ];
+    };
+  };
+}

modules/services/gitea-runner/default.nix

@@ -0,0 +1,226 @@
+{ pkgs, config, lib, inputs, ... }:
+
+# Based on: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
+
+with lib;
+
+let
+  cfg = config.modules.services.gitea-runner;
+  hostname = config.networking.hostName;
+  giteaUrl = "https://git.vimium.com";
+
+  storeDepsBins = with pkgs; [
+    coreutils
+    findutils
+    gnugrep
+    gawk
+    git
+    nix
+    nix-update
+    bash
+    jq
+    nodejs
+  ];
+
+  storeDeps = pkgs.runCommand "store-deps" { } ''
+    mkdir -p $out/bin
+    for dir in ${toString storeDepsBins}; do
+      for bin in "$dir"/bin/*; do
+        ln -s "$bin" "$out/bin/$(basename "$bin")"
+      done
+    done
+
+    # Add SSL CA certs
+    mkdir -p $out/etc/ssl/certs
+    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+  '';
+in
+{
+  options.modules.services.gitea-runner = {
+    enable = mkOption {
+      default = false;
+      example = true;
+      description = mdDoc "Enable a runner for Gitea Actions on this host";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    modules.podman.enable = true;
+
+    systemd.services = {
+      gitea-runner-nix-image = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "podman.service" ];
+        requires = [ "podman.service" ];
+        path = [ config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent ];
+        script = ''
+          set -eux -o pipefail
+          mkdir -p etc/nix
+
+          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+          touch etc/passwd etc/group
+          groupid=$(cut -d: -f3 < <(getent group nix-ci-user))
+          userid=$(cut -d: -f3 < <(getent passwd nix-ci-user))
+          groupadd --prefix $(pwd) --gid "$groupid" nix-ci-user
+          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nix-ci-user nix-ci-user
+
+          cat <<NIX_CONFIG > etc/nix/nix.conf
+          accept-flake-config = true
+          experimental-features = nix-command flakes
+          NIX_CONFIG
+
+          cat <<NSSWITCH > etc/nsswitch.conf
+          passwd:    files mymachines systemd
+          group:     files mymachines systemd
+          shadow:    files
+
+          hosts:     files mymachines dns myhostname
+          networks:  files
+
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+          NSSWITCH
+
+          # list the content as it will be imported into the container
+          tar -cv . | tar -tvf -
+          tar -cv . | podman import - gitea-runner-nix
+        '';
+        serviceConfig = {
+          RuntimeDirectory = "gitea-runner-nix-image";
+          WorkingDirectory = "/run/gitea-runner-nix-image";
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+
+      gitea-runner-nix = {
+        after = [ "gitea-runner-nix-image.service" ];
+        requires = [ "gitea-runner-nix-image.service" ];
+
+        serviceConfig = {
+          # Hardening (may overlap with DynamicUser=)
+          # The following options are only for optimizing output of systemd-analyze
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "";
+          # ProtectClock= adds DeviceAllow=char-rtc r
+          DeviceAllow = "";
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          UMask = "0066";
+          ProtectProc = "invisible";
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+            # needed by go?
+            #"~@resources"
+            "~@privileged"
+            "~capset"
+            "~setdomainname"
+            "~sethostname"
+          ];
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+
+          # Needs network access
+          PrivateNetwork = false;
+          # Cannot be true due to Node
+          MemoryDenyWriteExecute = false;
+
+          # The more restrictive "pid" option makes `nix` commands in CI emit
+          # "GC Warning: Couldn't read /proc/stat"
+          # You may want to set this to "pid" if not using `nix` commands
+          ProcSubset = "all";
+          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+          # ASLR (address space layout randomization) which requires the
+          # `personality` syscall
+          # You may want to set this to `true` if not using coverage tooling on
+          # compiled code
+          LockPersonality = false;
+
+          # Note that this has some interactions with the User setting; so you may
+          # want to consult the systemd docs if using both.
+          DynamicUser = true;
+        };
+      };
+    };
+
+    users.users.nix-ci-user = {
+      group = "nix-ci-user";
+      description = "Used for running nix-based CI jobs";
+      home = "/var/empty";
+      isSystemUser = true;
+    };
+    users.groups.nix-ci-user = { };
+
+    age.secrets."files/services/gitea-runner/${hostname}-token" = {
+      file = "${inputs.secrets}/files/services/gitea-runner/${hostname}-token.age";
+      group = "podman";
+    };
+
+    services.gitea-actions-runner.instances = {
+      act = {
+        enable = true;
+        url = giteaUrl;
+        name = "act-runner-${hostname}";
+
+        tokenFile = config.age.secrets."files/services/gitea-runner/${hostname}-token".path;
+        settings = {
+          cache.enabled = true;
+          runner.capacity = 4;
+        };
+
+        labels = [
+          "debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
+          "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
+        ];
+      };
+      nix = {
+        enable = true;
+        url = giteaUrl;
+        name = "nix-runner-${hostname}";
+
+        tokenFile = config.age.secrets."files/services/gitea-runner/${hostname}-token".path;
+        settings = {
+          cache.enabled = true;
+          container = {
+            options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nix-ci-user";
+            network = "host";
+            valid_volumes = [
+              "/nix"
+              "${storeDeps}/bin"
+              "${storeDeps}/etc/ssl"
+            ];
+          };
+          runner.capacity = 4;
+        };
+
+        labels = [
+          "nix:docker://gitea-runner-nix"
+        ];
+      };
+    };
+  };
+}

modules/services/gitea/default.nix

@@ -39,6 +39,13 @@ in {
       };
     };
 
+    systemd.tmpfiles.rules = [
+      "d '${config.services.gitea.customDir}/public/assets/css' 0750 ${config.services.gitea.user} ${config.services.gitea.group} - -"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github.css' - - - - ${inputs.gitea-github-theme}/theme-github.css"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-auto.css' - - - - ${inputs.gitea-github-theme}/theme-github-auto.css"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-dark.css' - - - - ${inputs.gitea-github-theme}/theme-github-dark.css"
+    ];
+
     services.gitea = rec {
       package = pkgs.unstable.gitea;
       enable = true;
@@ -57,19 +64,21 @@ in {
       };
       settings = {
         server = {
+          DOMAIN = config.networking.domain;
+          DISABLE_ROUTER_LOG = true;
+          LANDING_PAGE = "explore";
+          OFFLINE_MODE = true;
+          PROTOCOL = "http+unix";
           SSH_USER = "git";
           SSH_DOMAIN = "git.vimium.com";
           SSH_PORT = lib.head config.services.openssh.ports;
-          OFFLINE_MODE = true;
-          PROTOCOL = "http+unix";
-          DOMAIN = config.networking.domain;
           ROOT_URL = "https://git.vimium.com/";
         };
         service.DISABLE_REGISTRATION = true;
         session.COOKIE_SECURE = true;
         log.ROOT_PATH = "${stateDir}/log";
         ui = {
-          THEMES = "gitea,arc-green,github-dark,bthree-dark";
+          THEMES = "gitea,arc-green,github,github-auto,github-dark";
           DEFAULT_THEME = "github-dark";
         };
         actions.ENABLED = true;

modules/services/mail/default.nix

@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.modules.services.mail;
+  domains = [
+    "h0lt.com"
+    "jdholt.com"
+    "jordanholt.xyz"
+    "vimium.co"
+    "vimium.com"
+    "vimium.co.uk"
+    "vimium.info"
+    "vimium.net"
+    "vimium.org"
+    "vimium.xyz"
+  ];
+in {
+  options.modules.services.mail = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.roundcube = {
+      enable = true;
+      hostName = config.mailserver.fqdn;
+      extraConfig = ''
+        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+        $config['smtp_user'] = "%u";
+        $config['smtp_pass'] = "%p";
+      '';
+    };
+
+    services.nginx.enable = true;
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    mailserver = {
+      enable = true;
+      fqdn = "mail.vimium.com";
+      domains = domains;
+      indexDir = "/var/lib/dovecot/indices";
+
+      certificateDomains = [
+        "imap.vimium.com"
+        "smtp.vimium.com"
+      ];
+      certificateScheme = "acme-nginx";
+
+      fullTextSearch.enable = true;
+
+      loginAccounts = {
+        "jordan@vimium.com" = {
+          hashedPasswordFile = config.users.users.jordan.hashedPasswordFile;
+          catchAll = domains;
+        };
+      };
+
+      extraVirtualAliases = {
+        "hostmaster@vimium.com" = "jordan@vimium.com";
+        "postmaster@vimium.com" = "jordan@vimium.com";
+        "webmaster@vimium.com" = "jordan@vimium.com";
+        "abuse@vimium.com" = "jordan@vimium.com";
+      };
+    };
+  };
+}

modules/services/photoprism/default.nix

@@ -0,0 +1,57 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+let cfg = config.modules.services.photoprism;
+in {
+  options.modules.services.photoprism = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx = {
+      virtualHosts = {
+        "gallery.vimium.com" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://localhost:${toString config.services.photoprism.port}";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header Host $host;
+
+              proxy_buffering off;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+            '';
+          };
+        };
+      };
+    };
+
+    age.secrets."passwords/services/photoprism/admin" = {
+      file = "${inputs.secrets}/passwords/services/photoprism/admin.age";
+    };
+
+    services.photoprism = {
+      enable = true;
+      address = "localhost";
+      passwordFile = config.age.secrets."passwords/services/photoprism/admin".path;
+      originalsPath = "${config.services.photoprism.storagePath}/originals";
+      settings = {
+        PHOTOPRISM_APP_NAME = "Vimium Gallery";
+        PHOTOPRISM_SITE_AUTHOR = "Vimium";
+        PHOTOPRISM_SITE_TITLE = "Vimium Gallery";
+        PHOTOPRISM_SITE_CAPTION = "Vimium Gallery";
+        PHOTOPRISM_DISABLE_TLS = "true";
+        PHOTOPRISM_SPONSOR = "true";
+      };
+    };
+  };
+}