sops: switch to id_ed25519 keys

This reverts commit 38dfa39c6d.

.sops.yaml

@@ -0,0 +1,28 @@
+keys:
+  - &lelgenio-gpg 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
+  - &lelgenio-ssh age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
+  - &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
+  - &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *lelgenio-gpg
+      age:
+      - *lelgenio-ssh
+      - *monolith-ssh
+  - path_regex: secrets/monolith/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *lelgenio-gpg
+      age:
+      - *lelgenio-ssh
+      - *monolith-ssh
+  - path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *lelgenio-gpg
+      age:
+      - *lelgenio-ssh
+      - *phantom-ssh

flake.nix

@@ -1,165 +1,180 @@
 {
   description = "My system config";
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11";
-    home-manager.url = "github:nix-community/home-manager/release-23.11";
+    nixpkgs.url = "nixpkgs/nixos-24.11";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+
+    home-manager.url = "github:nix-community/home-manager/release-24.11";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
+    vpsadminos.url = "github:vpsfreecz/vpsadminos";
+
     nix-index-database = {
       url = "github:Mic92/nix-index-database";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    hyprland = {
-      url = "github:hyprwm/Hyprland";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     ranger-icons.url = "github:alexanderjeurissen/ranger_devicons";
     ranger-icons.flake = false;
 
-    material-wifi-icons.url = "github:dcousens/material-wifi-icons";
-    material-wifi-icons.flake = false;
-
     plymouth-themes.url = "github:adi1090x/plymouth-themes";
     plymouth-themes.flake = false;
 
-    lipsum.url = "github:hannenz/lipsum";
-    lipsum.flake = false;
-
     agenix = {
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
 
     nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    dzgui-nix = {
-      url = "github:lelgenio/dzgui-nix";
-    };
+    dzgui-nix.url = "github:lelgenio/dzgui-nix";
 
     tlauncher = {
-      url = "github:lelgenio/tlauncher-nix";
+      url = "git+https://git.lelgenio.xyz/lelgenio/tlauncher-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    treefmt-nix.url = "github:numtide/treefmt-nix";
+
     # my stuff
-    dhist = {
-      url = "github:lelgenio/dhist";
-      inputs.nixpkgs.follows = "nixpkgs";
+    dhist.url = "github:lelgenio/dhist";
+    demoji.url = "github:lelgenio/demoji";
+    wl-crosshair.url = "github:lelgenio/wl-crosshair";
+    warthunder-leak-counter.url = "git+https://git.lelgenio.com/lelgenio/warthunder-leak-counter";
+    made-you-look.url = "git+https://git.lelgenio.com/lelgenio/made-you-look";
+    catboy-spinner = {
+      url = "git+https://git.lelgenio.com/lelgenio/catboy-spinner";
+      flake = false;
     };
-    demoji = {
-      url = "github:lelgenio/demoji";
-      inputs.nixpkgs.follows = "nixpkgs";
+    tomater = {
+      url = "git+https://git.lelgenio.com/lelgenio/tomater";
+      flake = false;
     };
-    maildir-notify-daemon = {
-      url = "github:lelgenio/maildir-notify-daemon";
-      inputs.nixpkgs.follows = "nixpkgs";
+    youre-wrong = {
+      url = "git+https://git.lelgenio.com/lelgenio/youre-wrong";
+      flake = false;
     };
-    wl-crosshair = {
-      url = "github:lelgenio/wl-crosshair";
-      inputs.nixpkgs.follows = "nixpkgs";
+    hello-fonts = {
+      url = "git+https://git.lelgenio.com/lelgenio/hello-fonts";
+      flake = false;
     };
-
-    # gnome stuff
-    nixos-conf-editor.url = "github:vlinkz/nixos-conf-editor";
-    nix-software-center.url = "github:vlinkz/nix-software-center";
   };
-  outputs = inputs:
+  outputs =
+    inputs:
     let
       nixpkgsConfig = {
         inherit system;
-        config = { allowUnfree = true; };
+        config = {
+          allowUnfree = true;
+        };
         overlays = old_overlays.all;
       };
 
-      bootstrapPkgs = import inputs.nixpkgs nixpkgsConfig;
-      nixpkgs = bootstrapPkgs.applyPatches {
-        name = "patched-nixpkgs";
-        src = inputs.nixpkgs;
-        patches = lib.mapAttrsToList (k: v: ./patches/nixpkgs/${k})
-          (builtins.readDir ./patches/nixpkgs);
-      };
-
       inherit (import ./user/variables.nix) desktop;
       system = "x86_64-linux";
-      pkgs = import nixpkgs nixpkgsConfig;
+      pkgs = import inputs.nixpkgs nixpkgsConfig;
       lib = inputs.nixpkgs.lib;
 
       packages = import ./pkgs { inherit pkgs inputs; };
 
       old_overlays = (import ./overlays { inherit packages inputs; });
 
-      specialArgs = { inherit inputs; };
-      common_modules = [
-        { nixpkgs.pkgs = pkgs; }
-        ./system/configuration.nix
-        ./system/secrets.nix
-        ./system/specialisation.nix
-        ./system/greetd.nix
-        { login-manager.greetd.enable = desktop == "sway" || desktop == "hyprland"; }
+      specialArgs = {
+        inherit inputs;
+      };
+      common_modules =
+        [
+          { nixpkgs.pkgs = pkgs; }
+          ./system/configuration.nix
+          ./system/secrets.nix
+          ./system/sops.nix
+          ./system/greetd.nix
+          { login-manager.greetd.enable = desktop == "sway"; }
 
-        inputs.agenix.nixosModules.default
-        inputs.hyprland.nixosModules.default
-        inputs.dzgui-nix.nixosModules.default
-        { programs.hyprland.enable = (desktop == "hyprland"); }
-        inputs.home-manager.nixosModules.home-manager
-        {
-          home-manager.useGlobalPkgs = true;
-          home-manager.useUserPackages = true;
-          home-manager.users.lelgenio = import ./user/home.nix;
-          home-manager.backupFileExtension = "bkp";
-          # Optionally, use home-manager.extraSpecialArgs to pass
-          # arguments to home.nix
-          home-manager.extraSpecialArgs = { inherit inputs; };
-        }
-      ]
-      ++ lib.optional (desktop == "gnome") ./system/gnome.nix
-      ++ lib.optional (desktop == "kde") ./system/kde.nix;
+          inputs.agenix.nixosModules.default
+          inputs.sops-nix.nixosModules.default
+          inputs.home-manager.nixosModules.home-manager
+          inputs.disko.nixosModules.disko
+          (
+            { config, ... }:
+            {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users.lelgenio = {
+                my = config.my;
+                imports = [
+                  ./user/home.nix
+                ];
+              };
+              home-manager.backupFileExtension = "bkp";
+              # Optionally, use home-manager.extraSpecialArgs to pass
+              # arguments to home.nix
+              home-manager.extraSpecialArgs = {
+                inherit inputs;
+              };
+            }
+          )
+        ]
+        ++ lib.optional (desktop == "gnome") ./system/gnome.nix
+        ++ lib.optional (desktop == "kde") ./system/kde.nix;
     in
     {
+      checks."${system}" = {
+        disko-format-i15 = pkgs.callPackage ./hosts/i15/partitions-test.nix { };
+      };
       nixosConfigurations = {
         i15 = lib.nixosSystem {
           inherit system specialArgs;
-          modules = [ ./hosts/i15.nix ] ++ common_modules;
+          modules = [ ./hosts/i15 ] ++ common_modules;
         };
         monolith = lib.nixosSystem {
           inherit system specialArgs;
           modules = [
-            ./hosts/monolith.nix
+            ./hosts/monolith
             ./system/monolith-gitlab-runner.nix
+            ./system/monolith-bitbucket-runner.nix
+            ./system/monolith-forgejo-runner.nix
             ./system/nix-serve.nix
-            ./system/steam.nix
-          ] ++ common_modules;
-        };
-        rainbow = lib.nixosSystem {
-          inherit system specialArgs;
-          modules = [
-            ./hosts/rainbow.nix
-            ./system/rainbow-gitlab-runner.nix
           ] ++ common_modules;
         };
         double-rainbow = lib.nixosSystem {
           inherit system specialArgs;
           modules = [
             ./hosts/double-rainbow.nix
-            ./system/rainbow-gitlab-runner.nix
           ] ++ common_modules;
         };
         pixie = lib.nixosSystem {
           inherit system specialArgs;
-          modules = [ ./hosts/pixie.nix ] ++ common_modules ++ [{
-            packages.media-packages.enable = lib.mkOverride 0 false;
-            programs.steam.enable = lib.mkOverride 0 false;
-            services.flatpak.enable = lib.mkOverride 0 false;
-          }];
+          modules =
+            [ ./hosts/pixie.nix ]
+            ++ common_modules
+            ++ [
+              {
+                packages.media-packages.enable = lib.mkOverride 0 false;
+                services.flatpak.enable = lib.mkOverride 0 false;
+              }
+            ];
         };
         phantom = lib.nixosSystem {
           inherit system specialArgs;
-          modules = [ ./hosts/phantom ];
+          modules = [
+            { nixpkgs.pkgs = pkgs; }
+            ./hosts/phantom
+          ];
         };
       };
 
@@ -176,6 +191,7 @@
 
       packages.${system} = pkgs // packages;
 
-      formatter.${system} = pkgs.nixpkgs-fmt;
+      # formatter.${system} = pkgs.nixfmt-rfc-style;
+      formatter.${system} = (inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix).config.build.wrapper;
     };
 }

hosts/double-rainbow.nix

@@ -1,13 +1,32 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 let
-  btrfs_options = [ "compress=zstd:3" "noatime" "x-systemd.device-timeout=0" ];
-  btrfs_ssd = [ "ssd" "discard=async" ];
+  btrfs_options = [
+    "compress=zstd:3"
+    "noatime"
+    "x-systemd.device-timeout=0"
+  ];
+  btrfs_ssd = [
+    "ssd"
+    "discard=async"
+  ];
 in
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules =
-    [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [ "i915" ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
@@ -26,7 +45,13 @@ in
     fsType = "vfat";
   };
 
-  swapDevices = [ ];
+  swapDevices = [ { device = "/swapfile"; } ];
+
+  services.udev.extraRules = ''
+    # Force all disks to use mq-deadline scheduler
+    # For some reason "noop" is used by default which is kinda bad when io is saturated
+    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/scheduler}="mq-deadline"
+  '';
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -37,8 +62,7 @@ in
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
-  hardware.cpu.intel.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 
   networking.hostName = "double-rainbow"; # Define your hostname.
 }

hosts/i15.nix

@@ -1,15 +1,30 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 let
-  btrfs_options = [ "compress=zstd:3" "noatime" "x-systemd.device-timeout=0" ];
+  btrfs_options = [
+    "compress=zstd:3"
+    "noatime"
+    "x-systemd.device-timeout=0"
+  ];
 in
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules =
-    [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_usb_sdmmc"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
@@ -45,10 +60,12 @@ in
     options = [ "subvol=@swap" ] ++ btrfs_options;
   };
 
-  swapDevices = [{
-    device = "/swap/swapfile";
-    size = (1024 * 8) + (1024 * 2); # RAM size + 2 GB
-  }];
+  swapDevices = [
+    {
+      device = "/swap/swapfile";
+      size = (1024 * 8) + (1024 * 2); # RAM size + 2 GB
+    }
+  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -59,7 +76,6 @@ in
   # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
 
   powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
-  hardware.cpu.intel.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   networking.hostName = "i15"; # Define your hostname.
 }

hosts/i15/default.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  networking.hostName = "i15"; # Define your hostname.
+
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_usb_sdmmc"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  disko.devices = (import ./partitions.nix { disks = [ "/dev/sda" ]; });
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+
+  swapDevices = [
+    {
+      device = "/swap/swapfile";
+      size = (1024 * 8) + (1024 * 2); # RAM size + 2 GB
+    }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/i15/partitions-test.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+pkgs.makeDiskoTest {
+  name = "test-disko-i15";
+  disko-config = ./partitions.nix;
+  enableOCR = true;
+  bootCommands = ''
+    machine.wait_for_text("[Pp]assphrase for")
+    machine.send_chars("secretsecret\n")
+  '';
+  extraTestScript = ''
+    machine.succeed("cryptsetup isLuks /dev/vda2");
+    machine.succeed("mountpoint /home");
+  '';
+}

hosts/i15/partitions.nix

@@ -0,0 +1,73 @@
+{
+  disks ? [ "/dev/sda" ],
+  ...
+}:
+let
+  btrfs_options = [
+    "compress=zstd:3"
+    "noatime"
+  ];
+in
+{
+  disk.sda = {
+    type = "disk";
+    device = builtins.elemAt disks 0;
+    content = {
+      type = "table";
+      format = "gpt";
+      partitions = [
+        {
+          type = "partition";
+          name = "NIX_BOOT";
+          start = "1MiB";
+          end = "300MiB";
+          bootable = true;
+          content = {
+            type = "filesystem";
+            extraArgs = [
+              "-n"
+              "BOOT_I15"
+            ];
+            format = "vfat";
+            mountpoint = "/boot";
+            # options = [ "defaults" ];
+          };
+        }
+        {
+          type = "partition";
+          name = "CRYPT_I15";
+          start = "300MiB";
+          end = "100%";
+          content = {
+            type = "luks";
+            name = "main";
+            keyFile = "/tmp/secret.key";
+            content = {
+              type = "btrfs";
+              extraArgs = [
+                "--label"
+                "ROOT_I15"
+              ];
+              subvolumes =
+                let
+                  mountOptions = btrfs_options;
+                in
+                {
+                  "/home" = {
+                    inherit mountOptions;
+                  };
+                  "/nixos" = {
+                    inherit mountOptions;
+                    mountpoint = "/";
+                  };
+                  "/swap" = {
+                    inherit mountOptions;
+                  };
+                };
+            };
+          };
+        }
+      ];
+    };
+  };
+}

hosts/monolith.nix

@@ -1,140 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-let
-  btrfs_options = [ "compress=zstd:3" "noatime" "x-systemd.device-timeout=0" ];
-  btrfs_ssd = [ "ssd" "discard=async" ];
-in
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-  boot.initrd.availableKernelModules =
-    [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-
-  hardware.opentabletdriver.enable = true;
-
-  boot.extraModulePackages = with config.boot.kernelPackages; [
-    zenpower
-  ];
-  boot.initrd.kernelModules = [ "amdgpu" ];
-  boot.kernelModules = [
-    "kvm-amd"
-    "amdgpu"
-    "zenpower"
-  ];
-  boot.kernelParams = [
-    "video=DP-1:1920x1080@144"
-    # hibernation
-    "resume=LABEL=BTRFS_ROOT" # findmnt -o LABEL --noheadings /swap/
-    "resume_offset=36709632" # btrfs inspect-internal map-swapfile -r /swap/swapfile
-  ];
-  systemd.sleep.extraConfig = ''
-    HibernateDelaySec=30s
-    SuspendState=mem
-  '';
-
-  hardware.opengl.driSupport = true;
-  # # For 32 bit applications
-  hardware.opengl.driSupport32Bit = true;
-
-  hardware.opengl.extraPackages = with pkgs; [
-    libva
-    libvdpau
-    vaapiVdpau
-    rocm-opencl-icd
-    rocm-opencl-runtime
-  ];
-
-  programs.corectrl.enable = true;
-  virtualisation.virtualbox.host.enable = true;
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-label/BTRFS_ROOT";
-    fsType = "btrfs";
-    options = [ "subvol=nixos" ] ++ btrfs_options ++ btrfs_ssd;
-  };
-  # boot.initrd.luks.reusePassphrases = true;
-  boot.initrd.luks.devices = {
-    "main" = {
-      bypassWorkqueues = true;
-      device = "/dev/disk/by-label/CRYPT_ROOT";
-    };
-    "data" = {
-      bypassWorkqueues = true;
-      device = "/dev/disk/by-label/CRYPT_DATA";
-    };
-    "bigboy" = {
-      bypassWorkqueues = true;
-      device = "/dev/disk/by-label/CRYPT_BIGBOY";
-    };
-  };
-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  fileSystems."/boot/efi" = {
-    device = "/dev/disk/by-label/NIXBOOT";
-    fsType = "vfat";
-  };
-  fileSystems."/home" = {
-    device = "/dev/disk/by-label/BTRFS_ROOT";
-    fsType = "btrfs";
-    options = [ "subvol=home" ] ++ btrfs_options ++ btrfs_ssd;
-  };
-  fileSystems."/home/lelgenio/Games" = {
-    device = "/dev/disk/by-label/BTRFS_DATA";
-    fsType = "btrfs";
-    options = [ "subvol=@games" "nofail" ] ++ btrfs_options;
-  };
-  fileSystems."/home/lelgenio/Downloads/Torrents" = {
-    device = "/dev/disk/by-label/BTRFS_DATA";
-    fsType = "btrfs";
-    options = [ "subvol=@torrents" "nofail" ] ++ btrfs_options;
-  };
-  fileSystems."/home/lelgenio/Música" = {
-    device = "/dev/disk/by-label/BTRFS_DATA";
-    fsType = "btrfs";
-    options = [ "subvol=@music" "nofail" ] ++ btrfs_options;
-  };
-  fileSystems."/home/lelgenio/.local/mount/data" = {
-    device = "/dev/disk/by-label/BTRFS_DATA";
-    fsType = "btrfs";
-    options = [ "subvol=@data" "nofail" ] ++ btrfs_options;
-  };
-  fileSystems."/home/lelgenio/.local/mount/bigboy" = {
-    device = "/dev/disk/by-label/BTRFS_BIGBOY";
-    fsType = "btrfs";
-    options = [ "nofail" ] ++ btrfs_options ++ btrfs_ssd;
-  };
-  fileSystems."/home/lelgenio/projects" = {
-    device = "/dev/disk/by-label/BTRFS_BIGBOY";
-    fsType = "btrfs";
-    options = [ "subvol=@projects" "nofail" ] ++ btrfs_options ++ btrfs_ssd;
-  };
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
-  powerManagement.cpuFreqGovernor = "ondemand";
-  hardware.cpu.amd.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
-  networking.hostName = "monolith"; # Define your hostname.
-
-  # Fix broken suspend with Logitech USB dongle
-  # `lsusb | grep Logitech` will return "vendor:product"
-  services.udev.extraRules = ''
-    ACTION=="add" SUBSYSTEM=="usb" ATTR{idVendor}=="046d" ATTR{idProduct}=="c547" ATTR{power/wakeup}="disabled"
-  '';
-
-  # swap
-  fileSystems."/swap" = {
-    device = "/dev/disk/by-label/BTRFS_ROOT";
-    fsType = "btrfs";
-    # Note these options effect the entire BTRFS filesystem and not just this volume,
-    # with the exception of `"subvol=swap"`, the other options are repeated in my other `fileSystem` mounts
-    options = [ "subvol=swap" ] ++ btrfs_options ++ btrfs_ssd;
-  };
-  swapDevices = [{
-    device = "/swap/swapfile";
-    size = (1024 * 16) + (1024 * 2); # RAM size + 2 GB
-  }];
-}

hosts/monolith/amdgpu.nix

@@ -0,0 +1,39 @@
+{ pkgs, lib, ... }:
+let
+  undervoltGpu = pkgs.writeShellScript "undervolt-gpu" ''
+    set -xe
+    cd $1
+    echo "manual" > power_dpm_force_performance_level
+    echo "1" > pp_power_profile_mode
+    test -e pp_od_clk_voltage
+    echo "vo -120" > pp_od_clk_voltage
+    echo "c" > pp_od_clk_voltage
+  '';
+in
+{
+  boot.initrd.kernelModules = [ "amdgpu" ];
+  boot.kernelParams = [
+    "video=DP-1:1920x1080@144"
+  ];
+
+  systemd.services.amd-fan-control = {
+    script = ''
+      ${lib.getExe pkgs.amd-fan-control} /sys/class/drm/card1/device 60 85
+    '';
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = 10;
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  hardware.graphics.enable32Bit = true;
+
+  hardware.graphics.extraPackages = with pkgs; [
+    libva
+  ];
+
+  services.udev.extraRules = ''
+    ACTION=="add", SUBSYSTEM=="hwmon", ATTR{name}=="amdgpu", ATTR{power1_cap}="186000000", RUN+="${undervoltGpu} %S%p/device"
+  '';
+}

hosts/monolith/default.nix

@@ -0,0 +1,168 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+let
+  btrfs_options = [
+    "compress=zstd:3"
+    "noatime"
+    "x-systemd.device-timeout=0"
+  ];
+  btrfs_ssd = [
+    "ssd"
+    "discard=async"
+  ];
+in
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    ./partition.nix
+    ./amdgpu.nix
+    ./factorio-server.nix
+  ];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
+
+  hardware.opentabletdriver = {
+    enable = true;
+    # TODO: remove this once otd gets updated
+    package = pkgs.unstable.opentabletdriver;
+  };
+
+  my.gaming.enable = true;
+
+  boot.extraModulePackages = with config.boot.kernelPackages; [ zenpower ];
+
+  boot.initrd.kernelModules = [ "amdgpu" ];
+  boot.kernelModules = [
+    "kvm-amd"
+    "amdgpu"
+    "zenpower"
+  ];
+
+  systemd.sleep.extraConfig = ''
+    HibernateDelaySec=30s
+    SuspendState=mem
+  '';
+
+  fileSystems."/mnt/old" = {
+    device = "/dev/disk/by-label/BTRFS_ROOT";
+    fsType = "btrfs";
+    options = [ "nofail" ] ++ btrfs_options ++ btrfs_ssd;
+  };
+  # boot.initrd.luks.reusePassphrases = true;
+  boot.initrd.luks.devices = {
+    "old" = {
+      bypassWorkqueues = true;
+      device = "/dev/disk/by-label/CRYPT_ROOT";
+    };
+    "data" = {
+      bypassWorkqueues = true;
+      device = "/dev/disk/by-label/CRYPT_DATA";
+    };
+    # "bigboy" = {
+    #   bypassWorkqueues = true;
+    #   device = "/dev/disk/by-label/CRYPT_BIGBOY";
+    # };
+  };
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # fileSystems."/boot/efi" = {
+  #   device = "/dev/disk/by-label/NIXBOOT";
+  #   fsType = "vfat";
+  # };
+  # fileSystems."/home" = {
+  #   device = "/dev/disk/by-label/BTRFS_ROOT";
+  #   fsType = "btrfs";
+  #   options = [ "subvol=home" ] ++ btrfs_options ++ btrfs_ssd;
+  # };
+  fileSystems."/home/lelgenio/Games" = {
+    device = "/dev/disk/by-label/BTRFS_DATA";
+    fsType = "btrfs";
+    options = [
+      "subvol=@games"
+      "nofail"
+    ] ++ btrfs_options;
+  };
+  fileSystems."/home/lelgenio/Downloads/Torrents" = {
+    device = "/dev/disk/by-label/BTRFS_DATA";
+    fsType = "btrfs";
+    options = [
+      "subvol=@torrents"
+      "nofail"
+    ] ++ btrfs_options;
+  };
+  fileSystems."/home/lelgenio/Música" = {
+    device = "/dev/disk/by-label/BTRFS_DATA";
+    fsType = "btrfs";
+    options = [
+      "subvol=@music"
+      "nofail"
+    ] ++ btrfs_options;
+  };
+  fileSystems."/home/lelgenio/.local/mount/data" = {
+    device = "/dev/disk/by-label/BTRFS_DATA";
+    fsType = "btrfs";
+    options = [
+      "subvol=@data"
+      "nofail"
+    ] ++ btrfs_options;
+  };
+  fileSystems."/home/lelgenio/.local/mount/old" = {
+    device = "/dev/disk/by-label/BTRFS_ROOT";
+    fsType = "btrfs";
+    options = [ "nofail" ] ++ btrfs_options ++ btrfs_ssd;
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+  powerManagement.cpuFreqGovernor = "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  networking.hostName = "monolith"; # Define your hostname.
+
+  virtualisation.virtualbox.host.enable = true;
+
+  services.udev.extraRules = ''
+    # Fix broken suspend with Logitech USB dongle
+    # `lsusb | grep Logitech` will return "vendor:product"
+    ACTION=="add" SUBSYSTEM=="usb" ATTR{idVendor}=="046d" ATTR{idProduct}=="c547" ATTR{power/wakeup}="disabled"
+    # Force all disks to use mq-deadline scheduler
+    # For some reason "noop" is used by default which is kinda bad when io is saturated
+    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/scheduler}="mq-deadline"
+  '';
+
+  boot.tmp = {
+    cleanOnBoot = true;
+    useTmpfs = true;
+  };
+
+  # swap
+  # fileSystems."/swap" = {
+  #   device = "/dev/disk/by-label/BTRFS_ROOT";
+  #   fsType = "btrfs";
+  #   # Note these options effect the entire BTRFS filesystem and not just this volume,
+  #   # with the exception of `"subvol=swap"`, the other options are repeated in my other `fileSystem` mounts
+  #   options = [ "subvol=swap" ] ++ btrfs_options ++ btrfs_ssd;
+  # };
+  # swapDevices = [
+  #   {
+  #     device = "/swap/swapfile";
+  #     size = (1024 * 16) + (1024 * 2); # RAM size + 2 GB
+  #   }
+  # ];
+}

hosts/monolith/factorio-server.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  services.factorio = {
+    enable = true;
+    package = pkgs.factorio-headless; # I override this in ./pkgs
+    public = true;
+    lan = true;
+    openFirewall = true;
+    admins = [ "lelgenio" ];
+    extraSettingsFile = config.age.secrets.factorio-settings.path;
+  };
+
+  systemd.services.factorio = {
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+  };
+
+  systemd.services.factorio-backup-save = {
+    description = "Backup factorio saves";
+    script = ''
+      ${lib.getExe pkgs.rsync} \
+        -av  \
+        --chown=lelgenio \
+        /var/lib/factorio/saves/default.zip \
+        ~lelgenio/Documentos/GameSaves/factorio_saves/space-age-$(date --iso=seconds).zip
+    '';
+    serviceConfig.Type = "oneshot";
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  systemd.timers.factorio-backup-save = {
+    timerConfig = {
+      OnCalendar = "*-*-* 18:00:00";
+      Persistent = true;
+      Unit = "factorio-backup-save.service";
+    };
+    wantedBy = [ "timers.target" ];
+  };
+
+  age.secrets.factorio-settings = {
+    file = ../../secrets/factorio-settings.age;
+    mode = "777";
+  };
+}

hosts/monolith/partition.nix

@@ -0,0 +1,68 @@
+let
+  btrfs_options = [
+    "compress=zstd:3"
+    "noatime"
+    "x-systemd.device-timeout=0"
+  ];
+  btrfs_ssd = btrfs_options ++ [
+    "ssd"
+    "discard=async"
+  ];
+in
+{
+  disko.devices = {
+    disk = {
+      bigboy_disk = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "2G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "defaults" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "bigboy";
+                # disable settings.keyFile if you want to use interactive password entry
+                passwordFile = "/tmp/secret.key"; # Interactive
+                # settings = {
+                #   allowDiscards = true;
+                #   keyFile = "/tmp/secret.key";
+                # };
+                # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  subvolumes = {
+                    "/@nixos" = {
+                      mountpoint = "/";
+                      mountOptions = btrfs_ssd;
+                    };
+                    "/@home" = {
+                      mountpoint = "/home";
+                      mountOptions = btrfs_ssd;
+                    };
+                    "/@swap" = {
+                      mountpoint = "/.swapvol";
+                      swap.swapfile.size = "32G";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/phantom/davi.nix

@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+  users.users.davikiwi = {
+    isNormalUser = true;
+    description = "Davi";
+    hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgZDBnj+gVMHqoNvjpx2T/HqnxUDbLPshu+t7301gXd Davi@DESKTOP-EVHFGJ9"
+    ];
+    extraGroups = [ "docker" ];
+    packages = with pkgs; [
+      (pkgs.python3.withPackages (python-pkgs: [
+        python-pkgs.pip
+        python-pkgs.wheel
+      ]))
+    ];
+  };
+
+  services.nginx.virtualHosts."davikiwi.lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:24618";
+    };
+  };
+}

hosts/phantom/default.nix

@@ -1,19 +1,53 @@
-{ config, pkgs, inputs, ... }: {
+{
+  config,
+  pkgs,
+  inputs,
+  lib,
+  ...
+}:
+{
   imports = [
-    ./vpsadminos.nix
+    inputs.vpsadminos.nixosConfigurations.container
     inputs.agenix.nixosModules.default
+    inputs.sops-nix.nixosModules.default
+
+    ../../system/sops.nix
     ../../system/nix.nix
     ./hardware-config.nix
     ./mastodon.nix
+    ./lemmy.nix
     ./nextcloud.nix
     ./nginx.nix
     ./syncthing.nix
     ./users.nix
     ./writefreely.nix
-    ./renawiki.nix
     ./email.nix
+    ./forgejo.nix
+    ./invidious.nix
+    ./davi.nix
+    ./goofs.nix
   ];
 
+  networking.hostName = "phantom";
+
+  services.nginx.virtualHosts."lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+    root = pkgs.runCommand "www-dir" { } ''
+      mkdir -p $out
+      cat > $out/index.html <<EOF
+        <!DOCTYPE html>
+        <html lang="en">
+        <body>
+          <h1>
+              Nothing to see here!
+          <h1>
+        </body>
+        </html>
+      EOF
+    '';
+  };
+
   # # Enable networking
   # networking.networkmanager.enable = true;
   # Set your time zone.
@@ -27,14 +61,46 @@
     identityPaths = [ "/root/.ssh/id_rsa" ];
   };
 
+  sops = {
+    secrets.hello = { };
+    defaultSopsFile = lib.mkForce ../../secrets/phantom/default.yaml;
+  };
+
+  environment.etc."teste-sops" = {
+    text = config.sops.secrets.hello.path;
+  };
+
+  virtualisation.docker = {
+    enable = true;
+    daemon.settings = {
+      # needed by bitbucket runner ???
+      log-driver = "json-file";
+      log-opts = {
+        max-size = "10m";
+        max-file = "3";
+      };
+    };
+  };
+
+  nix.settings = {
+    cores = 1;
+    max-jobs = 1;
+  };
+
   system.autoUpgrade = {
     enable = true;
     dates = "04:40";
     operation = "switch";
-    flags = [ "--update-input" "nixpkgs" "--no-write-lock-file" "-L" ];
-    flake = "github:lelgenio/nixos-config#phantom";
+    flags = [
+      "--update-input"
+      "nixpkgs"
+      "--no-write-lock-file"
+      "--print-build-logs"
+    ];
+    flake = "git+https://git.lelgenio.com/lelgenio/nixos-config#phantom";
   };
 
+  networking.firewall.allowedTCPPorts = [ 8745 ];
+
   system.stateVersion = "23.05"; # Never change this
 }
-

hosts/phantom/email.nix

@@ -1,35 +1,58 @@
-{ pkgs, inputs, ... }: {
-  # It's important to let Digital Ocean set the hostname so we get rDNS to work
-  networking.hostName = "";
-
-  imports = [
-    inputs.nixos-mailserver.nixosModules.mailserver
-  ];
+{
+  pkgs,
+  inputs,
+  config,
+  ...
+}:
+{
+  imports = [ inputs.nixos-mailserver.nixosModules.mailserver ];
 
   mailserver = {
     enable = true;
-    fqdn = "mail.lelgenio.xyz";
-    domains = [ "lelgenio.xyz" ];
+    fqdn = "lelgenio.com";
+    domains = [
+      "lelgenio.xyz"
+      "git.lelgenio.xyz"
+      "lelgenio.com"
+      "git.lelgenio.com"
+      "social.lelgenio.com"
+    ];
     certificateScheme = "acme-nginx";
+    # Create passwords with
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
     loginAccounts = {
-      "lelgenio@lelgenio.xyz" = {
+      "lelgenio@lelgenio.com" = {
         hashedPassword = "$2y$05$z5s7QCXcs5uTFsfyYpwNJeWzb3RmzgWxNgcPCr0zjSytkLFF/qZmS";
-        aliases = [ "postmaster@lelgenio.xyz" ];
+        aliases = [
+          "postmaster@lelgenio.com"
+          "lelgenio@lelgenio.xyz"
+          "lelgenio@lelgenio.xyz"
+        ];
+      };
+      "noreply@git.lelgenio.com" = {
+        hashedPassword = "$2b$05$TmR1R7ZwXfec7yrOfeBL7u3ZtyXf0up5dEO6uMWSvb/O7LPEm.j0.";
+      };
+      "noreply@social.lelgenio.com" = {
+        hashedPassword = "$2b$05$DcA9xMdvHqqQMZw2.zybI.vfKsQAJtaQ/JB.t9AHu6psstWq97m2C";
       };
     };
   };
 
+  # Prefer ipv4 and use main ipv6 to avoid reverse DNS issues
+  services.postfix.extraConfig = ''
+    smtp_address_preference = ipv4
+  '';
+
   # Webmail
-  services.roundcube = rec {
+  services.roundcube = {
     enable = true;
     package = pkgs.roundcube.withPlugins (p: [ p.carddav ]);
-    hostName = "mail.lelgenio.xyz";
+    hostName = "mail.lelgenio.com";
     extraConfig = ''
-      $config['smtp_host'] = "tls://${hostName}:587";
+      $config['smtp_host'] = "tls://${config.mailserver.fqdn}:587";
       $config['smtp_user'] = "%u";
       $config['smtp_pass'] = "%p";
-      $config['plugins'] = [ "carddav" ];
+      $config['plugins'] = [ "carddav", "archive" ];
     '';
   };
-
 }

hosts/phantom/forgejo.nix

@@ -0,0 +1,53 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in
+{
+  services.nginx = {
+    virtualHosts.${cfg.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+    };
+  };
+
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      service.DISABLE_REGISTRATION = true;
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+      repository = {
+        ENABLE_PUSH_CREATE_USER = true;
+      };
+      server = {
+        DOMAIN = "git.lelgenio.com";
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://${srv.DOMAIN}/";
+      };
+      mailer = {
+        ENABLED = true;
+        SMTP_ADDR = "lelgenio.com";
+        FROM = "noreply@git.lelgenio.com";
+        USER = "noreply@git.lelgenio.com";
+      };
+    };
+    mailerPasswordFile = config.age.secrets.phantom-forgejo-mailer-password.path;
+  };
+
+  age.secrets.phantom-forgejo-mailer-password = {
+    file = ../../secrets/phantom-forgejo-mailer-password.age;
+    mode = "400";
+    owner = "forgejo";
+  };
+}

hosts/phantom/goofs.nix

@@ -0,0 +1,46 @@
+{ inputs, config, ... }:
+{
+  imports = [
+    inputs.warthunder-leak-counter.nixosModules.default
+    inputs.made-you-look.nixosModules.default
+  ];
+
+  services.warthunder-leak-counter.enable = true;
+  services.nginx.virtualHosts."warthunder-leak-counter.lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.warthunder-leak-counter.port}";
+    };
+  };
+
+  services.made-you-look.enable = true;
+  services.nginx.virtualHosts."coolest-thing-ever.lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.made-you-look.port}";
+    };
+  };
+
+  services.nginx.virtualHosts."catboy-spinner.lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+    root = inputs.catboy-spinner;
+  };
+  services.nginx.virtualHosts."tomater.lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+    root = inputs.tomater;
+  };
+  services.nginx.virtualHosts."youre-wrong.lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+    root = inputs.youre-wrong;
+  };
+  services.nginx.virtualHosts."hello-fonts.lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+    root = inputs.hello-fonts;
+  };
+}

hosts/phantom/hardware-config.nix

@@ -1,7 +1,19 @@
-{ config, pkgs, inputs, ... }: {
-  swapDevices = [{
-    device = "/swap/swapfile";
-    size = (1024 * 2); # 2 GB
-  }];
-}
+{
+  fileSystems."/var/lib/syncthing-data" = {
+    device = "172.16.130.7:/nas/5749/syncthinng_data";
+    fsType = "nfs";
+    options = [ "nofail" ];
+  };
+  fileSystems."/var/lib/mastodon" = {
+    device = "172.16.130.7:/nas/5749/mastodon";
+    fsType = "nfs";
+    options = [ "nofail" ];
+  };
 
+  swapDevices = [
+    {
+      device = "/swap/swapfile";
+      size = (1024 * 2); # 2 GB
+    }
+  ];
+}

hosts/phantom/invidious.nix

@@ -0,0 +1,40 @@
+{
+  inputs,
+  pkgs,
+  config,
+  ...
+}:
+{
+  # Replace with unstable, since 24.05 does not have sig-helper
+  disabledModules = [ "services/web-apps/invidious.nix" ];
+  imports = [ (inputs.nixpkgs-unstable + "/nixos/modules/services/web-apps/invidious.nix") ];
+
+  services.invidious = {
+    enable = true;
+    domain = "invidious.lelgenio.com";
+    nginx.enable = true;
+    port = 10601;
+    http3-ytproxy.enable = true;
+    sig-helper = {
+      enable = true;
+      package = pkgs.unstable.inv-sig-helper;
+    };
+    # {
+    #     "visitor_data": "...",
+    #     "po_token": "..."
+    # }
+    extraSettingsFile = config.age.secrets.phantom-invidious-settings.path;
+    settings = {
+      force_resolve = "ipv6";
+      db = {
+        user = "invidious";
+        dbname = "invidious";
+      };
+    };
+  };
+
+  age.secrets.phantom-invidious-settings = {
+    file = ../../secrets/phantom-invidious-settings.age;
+    mode = "666";
+  };
+}

hosts/phantom/lemmy.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  services.lemmy = {
+    enable = true;
+    settings = {
+      hostname = "lemmy.lelgenio.com";
+    };
+    database.createLocally = true;
+    nginx.enable = true;
+  };
+
+  services.pict-rs.package = pkgs.pict-rs;
+
+  services.nginx.virtualHosts."lemmy.lelgenio.com" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+}

hosts/phantom/mastodon.nix

@@ -1,10 +1,29 @@
-{ config, pkgs, inputs, ... }: {
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+{
   services.mastodon = {
     enable = true;
     configureNginx = true;
-    localDomain = "social.lelgenio.xyz";
-    smtp.fromAddress = "lelgenio@disroot.org";
+    localDomain = "social.lelgenio.com";
+    smtp = {
+      authenticate = true;
+      host = "lelgenio.com";
+      fromAddress = "noreply@social.lelgenio.com";
+      user = "noreply@social.lelgenio.com";
+      passwordFile = config.age.secrets.phantom-mastodon-mailer-password.path;
+    };
     streamingProcesses = 2;
     extraConfig.SINGLE_USER_MODE = "true";
+    mediaAutoRemove.olderThanDays = 5;
+  };
+
+  age.secrets.phantom-mastodon-mailer-password = {
+    file = ../../secrets/phantom-mastodon-mailer-password.age;
+    mode = "400";
+    owner = "mastodon";
   };
 }

hosts/phantom/nextcloud.nix

@@ -1,14 +1,25 @@
-{ config, pkgs, inputs, ... }: {
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+{
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud27;
-    hostName = "cloud.lelgenio.xyz";
+    package = pkgs.nextcloud30;
+    hostName = "cloud.lelgenio.com";
     https = true;
     config = {
       adminpassFile = config.age.secrets.phantom-nextcloud.path;
     };
   };
 
+  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+    forceSSL = true;
+    enableACME = true;
+  };
+
   age = {
     secrets.phantom-nextcloud = {
       file = ../../secrets/phantom-nextcloud.age;
@@ -17,6 +28,4 @@
       group = "nextcloud";
     };
   };
-
 }
-

hosts/phantom/nginx.nix

@@ -1,15 +1,47 @@
-{ config, pkgs, inputs, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    clientMaxBodySize = "512M";
   };
 
+  # Redirect *lelgenio.xyz -> *lelgenio.com
+  services.nginx.virtualHosts =
+    lib.mapAttrs' (key: value: lib.nameValuePair "${key}lelgenio.xyz" value)
+      (
+        lib.genAttrs
+          [
+            ""
+            "social."
+            "blog."
+            "cloud."
+            "mail."
+            "git."
+            "syncthing."
+          ]
+          (name: {
+            enableACME = true;
+            forceSSL = true;
+            locations."/".return = "301 $scheme://${name}lelgenio.com$request_uri";
+          })
+      );
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "lelgenio@disroot.org";
   };
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
 }
-

hosts/phantom/renawiki.nix

@@ -1,23 +0,0 @@
-{ config, pkgs, inputs, ... }: {
-  services.mediawiki = {
-    enable = true;
-    name = "Rena Wiki";
-
-    webserver = "nginx";
-    nginx.hostName = "renawiki.lelgenio.xyz";
-    passwordFile = config.age.secrets.phantom-renawiki.path;
-
-    extensions.VisualEditor = null;
-  };
-  services.nginx.virtualHosts."renawiki.lelgenio.xyz" = {
-    enableACME = true;
-    forceSSL = true;
-  };
-
-  age.secrets.phantom-renawiki = {
-    file = ../../secrets/phantom-renawiki.age;
-    mode = "400";
-    owner = "mediawiki";
-  };
-}
-

hosts/phantom/syncthing.nix

@@ -1,4 +1,10 @@
-{ config, pkgs, inputs, ... }: {
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+{
 
   services.syncthing = {
     enable = true;
@@ -7,18 +13,17 @@
     openDefaultPorts = true;
   };
 
-  services.nginx.virtualHosts."syncthing.lelgenio.xyz" = {
+  services.nginx.virtualHosts."syncthing.lelgenio.com" = {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
       proxyPass = "http://127.0.0.1:8384";
       extraConfig =
         # required when the target is also TLS server with multiple hosts
-        "proxy_ssl_server_name on;" +
-        # required when the server wants to use HTTP Authentication
-        "proxy_pass_header Authorization;"
-      ;
+        "proxy_ssl_server_name on;"
+        +
+          # required when the server wants to use HTTP Authentication
+          "proxy_pass_header Authorization;";
     };
   };
 }
-

hosts/phantom/users.nix

@@ -1,8 +1,12 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
   security.rtkit.enable = true;
   services.openssh = {
     enable = true;
-    ports = [ 9022 ];
+    ports = [
+      9022
+      22
+    ];
     settings = {
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
@@ -15,7 +19,15 @@
     isNormalUser = true;
     description = "Leonardo Eugênio";
     hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
-    extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "bluetooth" "corectrl" "vboxusers" ];
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+      "docker"
+      "adbusers"
+      "bluetooth"
+      "corectrl"
+      "vboxusers"
+    ];
     shell = pkgs.fish;
     openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15"
@@ -28,11 +40,10 @@
     ];
     initialHashedPassword = "$y$j9T$E3aBBSSq0Gma8hZD9L7ov0$iCGDW4fqrXWfHO0qodBYYgMFA9CpIraoklHcPbJJrM3";
   };
+
   security.sudo.wheelNeedsPassword = false;
 
   programs.fish.enable = true;
 
-  environment.systemPackages = with pkgs; [
-    git
-  ];
+  environment.systemPackages = with pkgs; [ git ];
 }

hosts/phantom/vpsadminos.nix

@@ -1,67 +0,0 @@
-# This file provides compatibility for NixOS to run in a container on vpsAdminOS
-# hosts.
-#
-# If you're experiencing issues, try updating this file to the latest version
-# from vpsAdminOS repository:
-#
-#   https://github.com/vpsfreecz/vpsadminos/blob/staging/os/lib/nixos-container/vpsadminos.nix
-
-{ config, pkgs, lib, ... }:
-with lib;
-let
-  nameservers = [
-    "1.1.1.1"
-    "2606:4700:4700::1111"
-  ];
-in {
-  networking.nameservers = mkDefault nameservers;
-  services.resolved = mkDefault { fallbackDns = nameservers; };
-  networking.dhcpcd.extraConfig = "noipv4ll";
-
-  systemd.services.systemd-sysctl.enable = false;
-  systemd.services.systemd-oomd.enable = false;
-  systemd.sockets."systemd-journald-audit".enable = false;
-  systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ];
-  systemd.services.rpc-gssd.enable = false;
-
-  # Due to our restrictions in /sys, the default systemd-udev-trigger fails
-  # on accessing PCI devices, etc. Override it to match only network devices.
-  # In addition, boot.isContainer prevents systemd-udev-trigger.service from
-  # being enabled at all, so add it explicitly.
-  systemd.additionalUpstreamSystemUnits = [
-    "systemd-udev-trigger.service"
-  ];
-  systemd.services.systemd-udev-trigger.serviceConfig.ExecStart = [
-    ""
-    "-udevadm trigger --subsystem-match=net --action=add"
-  ];
-
-  boot.isContainer = true;
-  boot.enableContainers = mkDefault true;
-  boot.loader.initScript.enable = true;
-  boot.specialFileSystems."/run/keys".fsType = mkForce "tmpfs";
-  boot.systemdExecutable = mkDefault "/run/current-system/systemd/lib/systemd/systemd systemd.unified_cgroup_hierarchy=0";
-
-  # Overrides for <nixpkgs/nixos/modules/virtualisation/container-config.nix>
-  documentation.enable = mkOverride 500 true;
-  documentation.nixos.enable = mkOverride 500 true;
-  networking.useHostResolvConf = mkOverride 500 false;
-  services.openssh.startWhenNeeded = mkOverride 500 false;
-
-  # Bring up the network, /ifcfg.{add,del} are supplied by the vpsAdminOS host
-  systemd.services.networking-setup = {
-    description = "Load network configuration provided by the vpsAdminOS host";
-    before = [ "network.target" ];
-    wantedBy = [ "network.target" ];
-    after = [ "network-pre.target" ];
-    path = [ pkgs.iproute2 ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-      ExecStart = "${pkgs.bash}/bin/bash /ifcfg.add";
-      ExecStop = "${pkgs.bash}/bin/bash /ifcfg.del";
-    };
-    unitConfig.ConditionPathExists = "/ifcfg.add";
-    restartIfChanged = false;
-  };
-}

hosts/phantom/writefreely.nix

@@ -1,10 +1,16 @@
-{ config, pkgs, inputs, ... }: {
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+{
   services.writefreely = {
     enable = true;
     acme.enable = true;
     nginx.enable = true;
     nginx.forceSSL = true;
-    host = "blog.lelgenio.xyz";
+    host = "blog.lelgenio.com";
     admin.name = "lelgenio";
     admin.initialPasswordFile = config.age.secrets.phantom-writefreely.path;
     settings.app = {
@@ -22,4 +28,3 @@
     };
   };
 }
-

hosts/pixie/default.nix

@@ -1,13 +1,25 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules =
-    [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
@@ -18,8 +30,7 @@
     options = [ "subvol=nixos" ];
   };
 
-  boot.initrd.luks.devices."pixie".device =
-    "/dev/disk/by-uuid/f4ae5858-d2d6-4cd1-a054-bf5147a9a928";
+  boot.initrd.luks.devices."pixie".device = "/dev/disk/by-uuid/f4ae5858-d2d6-4cd1-a054-bf5147a9a928";
 
   fileSystems."/home" = {
     device = "/dev/mapper/pixie";
@@ -46,8 +57,7 @@
   # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.veth74f3ffc.useDHCP = lib.mkDefault true;
 
-  hardware.cpu.amd.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 
   networking.hostName = "pixie"; # Define your hostname.
 }

hosts/rainbow.nix

@@ -1,66 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-let
-  btrfs_options = [ "compress=zstd:3" "noatime" "x-systemd.device-timeout=0" ];
-  btrfs_ssd = [ "ssd" "discard=async" ];
-in
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  boot.initrd.availableKernelModules =
-    [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ "i915" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-label/BTRFS_ROOT";
-    fsType = "btrfs";
-    options = [ "subvol=@nixos" ] ++ btrfs_options ++ btrfs_ssd;
-  };
-
-  boot.initrd.luks.devices = {
-    "main" = {
-      bypassWorkqueues = true;
-      device = "/dev/disk/by-label/CRYPT_ROOT";
-    };
-  };
-
-  fileSystems."/home" = {
-    device = "/dev/disk/by-label/BTRFS_ROOT";
-    fsType = "btrfs";
-    options = [ "subvol=@home" ] ++ btrfs_options ++ btrfs_ssd;
-  };
-
-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  fileSystems."/boot/efi" = {
-    device = "/dev/disk/by-uuid/DC3B-5753";
-    fsType = "vfat";
-  };
-
-  fileSystems."/swap" = {
-    device = "/dev/disk/by-label/BTRFS_ROOT";
-    fsType = "btrfs";
-    options = [ "subvol=@swap" ] ++ btrfs_ssd;
-  };
-
-  swapDevices = [{
-    device = "/swap/swapfile";
-    size = (1024 * 8);
-  }];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
-  hardware.cpu.intel.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
-
-  networking.hostName = "rainbow"; # Define your hostname.
-}

install/i15.sh

@@ -1,63 +0,0 @@
-#!/bin/sh
-
-set -xe
-
-settle() {
-    udevadm trigger --subsystem-match=block
-    udevadm settle
-}
-
-lsblk
-echo 'Enter the name of the device to WIPE and install (something like "sda"):'
-read DRIVE_ID
-
-echo 'Enter a passphrase to encrypt the disk:'
-read -s DRIVE_PASSPHRASE
-
-echo "Creating partition table..."
-parted -s "/dev/${DRIVE_ID}" -- mklabel gpt
-
-echo "Creating EFI system partition..."
-parted -s "/dev/${DRIVE_ID}" -- mkpart ESP 1MiB 1GiB
-parted -s "/dev/${DRIVE_ID}" -- set 1 boot on
-mkfs.fat -F32 "/dev/${DRIVE_ID}1" -n NIX_BOOT
-
-echo "Creating encrypted root partition..."
-parted -s "/dev/${DRIVE_ID}" -- mkpart luks 1GiB 100%
-echo "$DRIVE_PASSPHRASE" | cryptsetup --batch-mode luksFormat --label CRYPT_ROOT "/dev/${DRIVE_ID}2"
-settle
-echo "$DRIVE_PASSPHRASE" | cryptsetup luksOpen /dev/disk/by-label/CRYPT_ROOT "crypt_root"
-
-echo "Creating btrfs partition..."
-mkfs.btrfs --quiet --label NIX_ROOT /dev/mapper/"crypt_root"
-MNTPOINT=$(mktemp -d)
-mount /dev/mapper/"crypt_root" "$MNTPOINT"
-
-echo "Creating subvolumes..."
-btrfs subvolume create "$MNTPOINT"/@nixos
-btrfs subvolume create "$MNTPOINT"/@home
-btrfs subvolume create "$MNTPOINT"/@swap
-
-echo "Closing btrfs partition..."
-umount -Rl "$MNTPOINT"
-rm -rf "$MNTPOINT"
-
-echo "Mounting root btrfs submodule to '$MNTPOINT' ..."
-MNTPOINT=$(mktemp -d)
-mount /dev/disk/by-label/NIX_ROOT "$MNTPOINT" -o subvol=@nixos,noatime,compress=zstd
-
-echo "Creating and mounting EFI system partition mountpoint..."
-mkdir -p "$MNTPOINT/boot"
-mount /dev/disk/by-label/NIX_BOOT "$MNTPOINT/boot"
-
-echo "Creating home partition mountpoint..."
-mkdir -p "$MNTPOINT/home"
-mount /dev/disk/by-label/NIX_ROOT "$MNTPOINT/home" -o subvol=@home,noatime,compress=zstd
-
-echo "Swapfile"
-mkdir -p "$MNTPOINT/swap"
-mount /dev/disk/by-label/NIX_ROOT "$MNTPOINT/swap" -o subvol=@swap,noatime
-
-# echo "Installing system..."
-nixos-generate-config --root "$MNTPOINT"
-# nixos-install --root "$MNTPOINT"

overlays/default.nix

@@ -1,74 +1,89 @@
-{ inputs, packages, ... }: rec {
+{ inputs, packages, ... }:
+rec {
   all = [
     scripts
-    sway
+    unstable
     themes
     new-packages
     patches
-    variables
     lib_extended
+    disko
   ];
 
   scripts = (import ../scripts);
 
-  sway = (import ./sway.nix);
+  unstable = final: prev: {
+    unstable = import inputs.nixpkgs-unstable { inherit (final) system config; };
+  };
 
-  themes = (final: prev: {
-    material-wifi-icons = final.stdenv.mkDerivation rec {
-      name = "material-wifi-icons";
-      src = inputs.material-wifi-icons;
-      installPhase = ''
-        install -D material-wifi.ttf $out/share/fonts/${name}
-      '';
-    };
-    papirus_red = (final.papirus-icon-theme.override { color = "red"; });
-    orchis_theme_compact = (final.orchis-theme.override {
-      border-radius = 0;
-      tweaks = [ "compact" "solid" ];
-    });
-    nerdfonts_fira_hack = (final.nerdfonts.override { fonts = [ "FiraCode" "Hack" ]; });
-  });
+  themes = (
+    final: prev: {
+      papirus_red = (final.papirus-icon-theme.override { color = "red"; });
+      orchis_theme_compact = (
+        final.orchis-theme.override {
+          border-radius = 0;
+          tweaks = [
+            "compact"
+            "solid"
+          ];
+        }
+      );
+      nerdfonts_fira_hack = (
+        final.nerdfonts.override {
+          fonts = [
+            "FiraCode"
+            "Hack"
+          ];
+        }
+      );
+    }
+  );
 
-  new-packages = (final: prev: packages // {
-    dhist = inputs.dhist.packages.${prev.system}.dhist;
-    demoji = inputs.demoji.packages.${prev.system}.default;
-    tlauncher = inputs.tlauncher.packages.${prev.system}.tlauncher;
-    maildir-notify-daemon = inputs.maildir-notify-daemon.packages.${prev.system}.default;
-    wl-crosshair = inputs.wl-crosshair.packages.${prev.system}.default;
+  new-packages = (
+    final: prev:
+    packages
+    // {
+      dhist = inputs.dhist.packages.${prev.system}.dhist;
+      demoji = inputs.demoji.packages.${prev.system}.default;
+      tlauncher = inputs.tlauncher.packages.${prev.system}.tlauncher;
+      wl-crosshair = inputs.wl-crosshair.packages.${prev.system}.default;
+    }
+  );
 
-    webcord = (prev.webcord.overrideAttrs (old: {
-      patches = (old.patches or [ ]) ++ [ ../patches/webcord/fix-reading-config.patch ];
-    }));
-  });
+  patches = (
+    final: prev: {
+      mySway = prev.sway.override {
+        withBaseWrapper = true;
+        withGtkWrapper = true;
+        sway-unwrapped = prev.sway-unwrapped.overrideAttrs (old: {
+          patches = old.patches ++ [ ../patches/sway/fix-hide_cursor-clearing-focus.patch ];
+        });
+      };
+    }
+  );
 
-  patches = (final: prev: {
-    bemenu = prev.bemenu.overrideAttrs (o: {
-      postPatch = ''
-        substituteInPlace lib/renderers/wayland/window.c \
-          --replace ZWLR_LAYER_SHELL_V1_LAYER_TOP ZWLR_LAYER_SHELL_V1_LAYER_OVERLAY
-      '';
-    });
-    sway-unwrapped = prev.sway-unwrapped.overrideAttrs (old: {
-      patches = old.patches
-        ++ [ ../patches/sway/fix-hide_cursor-clearing-focus.patch ];
-    });
-  });
+  lib_extended = (
+    final: prev: {
+      lib = prev.lib // rec {
+        # Utility function
+        # Input: [{v1=1;} {v2=2;}]
+        # Output: {v1=1;v2=2;}
+        mergeAttrsSet = prev.lib.foldAttrs (n: _: n) { };
 
-  variables = (final: prev: {
-    uservars = import ../user/variables.nix;
-  });
+        # Easily translate imperative templating code
+        # Input: [ 1 2 ] (num: { "v${num}" = num; })
+        # Output: {v1=1;v2=2;}
+        forEachMerge = list: func: mergeAttrsSet (prev.lib.forEach list func);
+      };
+    }
+  );
 
-  lib_extended = (final: prev: {
-    lib = prev.lib // rec {
-      # Utility function
-      # Input: [{v1=1;} {v2=2;}]
-      # Output: {v1=1;v2=2;}
-      mergeAttrsSet = prev.lib.foldAttrs (n: _: n) { };
-
-      # Easily translate imperative templating code
-      # Input: [ 1 2 ] (num: { "v${num}" = num; })
-      # Output: {v1=1;v2=2;}
-      forEachMerge = list: func: mergeAttrsSet (prev.lib.forEach list func);
-    };
-  });
+  disko = final: prev: {
+    makeDiskoTest =
+      let
+        makeTest = import (prev.path + "/nixos/tests/make-test-python.nix");
+        eval-config = import (prev.path + "/nixos/lib/eval-config.nix");
+      in
+      (prev.callPackage "${inputs.disko}/tests/lib.nix" { inherit makeTest eval-config; }).makeDiskoTest;
+  };
 }

overlays/sway.nix

@@ -1,19 +0,0 @@
-(pkgs: _: {
-  # bash script to let dbus know about important env variables and
-  # propogate them to relevent services run at the end of sway config
-  # see
-  # https://github.com/emersion/xdg-desktop-portal-wlr/wiki/"It-doesn't-work"-Troubleshooting-Checklist
-  # note: this is pretty much the same as  /etc/sway/config.d/nixos.conf but also restarts
-  # some user services to make sure they have the correct environment variables
-  dbus-sway-environment = pkgs.writeTextFile {
-    name = "dbus-sway-environment";
-    destination = "/bin/dbus-sway-environment";
-    executable = true;
-    text = ''
-      systemctl --user import-environment
-      dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway
-      # systemctl --user stop pipewire wireplumber xdg-desktop-portal xdg-desktop-portal-wlr
-      # systemctl --user start pipewire wireplumber xdg-desktop-portal xdg-desktop-portal-wlr
-    '';
-  };
-})

patches/nixpkgs/fix-steam-generation-after-generation-switch.patch

@@ -1,27 +0,0 @@
-From ac4d51306af54a088e29e2e5efcfac5dfe87d95c Mon Sep 17 00:00:00 2001
-From: lelgenio <lelgenio@disroot.org>
-Date: Fri, 4 Aug 2023 01:25:04 -0300
-Subject: [PATCH] HACK: fix steam after generation switch
-
----
- pkgs/build-support/build-fhsenv-bubblewrap/default.nix | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/pkgs/build-support/build-fhsenv-bubblewrap/default.nix b/pkgs/build-support/build-fhsenv-bubblewrap/default.nix
-index 3500e5e9216f..4d7ac0aa7618 100644
---- a/pkgs/build-support/build-fhsenv-bubblewrap/default.nix
-+++ b/pkgs/build-support/build-fhsenv-bubblewrap/default.nix
-@@ -152,6 +152,10 @@ let
-       fi
-       if [[ -L $i ]]; then
-         symlinks+=(--symlink "$(${coreutils}/bin/readlink "$i")" "$i")
-+      elif [[ -f $i && -r $i ]]; then
-+        SNAPSHOT=$(mktemp --dry-run)
-+        cp "$i" "$SNAPSHOT"
-+        ro_mounts+=(--ro-bind-try "$SNAPSHOT" "$i")
-       else
-         ro_mounts+=(--ro-bind-try "$i" "$i")
-       fi
--- 
-2.42.0
-

patches/webcord/fix-reading-config.patch

@@ -1,14 +0,0 @@
-diff --git a/sources/code/main/modules/config.ts b/sources/code/main/modules/config.ts
-index caf51df..41faabe 100644
---- a/sources/code/main/modules/config.ts
-+++ b/sources/code/main/modules/config.ts
-@@ -158,6 +158,9 @@ class Config<T> {
-   #read(): unknown {
-     const encodedData = readFileSync(this.#path+this.#pathExtension);
-     let decodedData = encodedData.toString();
-+    if (decodedData === "")
-+        return {};
-+
-     if(this.#pathExtension === FileExt.Encrypted)
-       decodedData = safeStorage.decryptString(encodedData);
-     return JSON.parse(decodedData);

pkgs/blade-formatter/default.nix

@@ -1,61 +0,0 @@
-{ lib
-, mkYarnPackage
-, fetchFromGitHub
-, fetchYarnDeps
-, testers
-, writeText
-, runCommand
-, blade-formatter
-}:
-
-mkYarnPackage rec {
-  pname = "blade-formatter";
-  version = "1.38.2";
-
-  src = fetchFromGitHub {
-    owner = "shufo";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-JvILLw7Yp4g/dSsYtZ2ylmlXfS9t+2KADlBrYOJWTpg=";
-  };
-
-  packageJSON = ./package.json;
-  offlineCache = fetchYarnDeps {
-    yarnLock = "${src}/yarn.lock";
-    hash = "sha256-UFDxw3fYMzSUhZw+TCEh/dN7OioKI75LzKSnEwGPKDA=";
-  };
-
-  postBuild = "yarn build";
-
-  passthru.tests = {
-    version = testers.testVersion {
-      package = blade-formatter;
-      command = "blade-formatter --version";
-    };
-
-    simple = testers.testEqualContents {
-      assertion = "blade-formatter formats a basic blade file";
-      expected = writeText "expected" ''
-        @if (true)
-            Hello world!
-        @endif
-      '';
-      actual = runCommand "actual"
-        {
-          nativeBuildInputs = [ blade-formatter ];
-          base = writeText "base" ''
-            @if(   true )  Hello world!   @endif
-          '';
-        } ''
-        blade-formatter $base > $out
-      '';
-    };
-  };
-
-  meta = with lib; {
-    description = "Laravel Blade template formatter";
-    homepage = "https://github.com/shufo/blade-formatter";
-    license = licenses.mit;
-    maintainers = with maintainers; [ lelgenio ];
-  };
-}

pkgs/blade-formatter/package.json

@@ -1,120 +0,0 @@
-{
-  "name": "blade-formatter",
-  "engines": {
-    "node": ">= 14.0.0"
-  },
-  "keywords": [
-    "php",
-    "formatter",
-    "laravel"
-  ],
-  "version": "1.38.2",
-  "description": "An opinionated blade template formatter for Laravel",
-  "main": "./dist/bundle.cjs",
-  "types": "./dist/types/main.d.ts",
-  "type": "module",
-  "exports": {
-    ".": {
-      "import": "./dist/bundle.js",
-      "require": "./dist/bundle.cjs",
-      "default": "./dist/bundle.js"
-    },
-    "./*": "./*"
-  },
-  "scripts": {
-    "build": "cross-env NODE_ENV=production node esbuild.js && cross-env NODE_ENV=production ESM_BUILD=true node esbuild.js",
-    "prepublish": "tsc src/main.ts --declaration --emitDeclarationOnly --outDir ./dist/types || true",
-    "watch": "node esbuild.js",
-    "test": "yarn run build && node --experimental-vm-modules node_modules/.bin/jest",
-    "lint": "eslint src -c .eslintrc.json --ext ts",
-    "fix": "prettier {src,__tests__}/**/*.ts --write",
-    "check_formatted": "prettier **/*.ts -c",
-    "changelog": "conventional-changelog -p angular -i CHANGELOG.md -s -r 0",
-    "prepare": "husky install",
-    "bin": "cross-env ./bin/blade-formatter.cjs"
-  },
-  "bin": {
-    "blade-formatter": "bin/blade-formatter.cjs"
-  },
-  "author": "Shuhei Hayashibara",
-  "license": "MIT",
-  "dependencies": {
-    "@prettier/plugin-php": "^0.19.7",
-    "@shufo/tailwindcss-class-sorter": "3.0.1",
-    "aigle": "^1.14.1",
-    "ajv": "^8.9.0",
-    "chalk": "^4.1.0",
-    "concat-stream": "^2.0.0",
-    "detect-indent": "^6.0.0",
-    "find-config": "^1.0.0",
-    "glob": "^8.0.1",
-    "html-attribute-sorter": "^0.4.3",
-    "ignore": "^5.1.8",
-    "js-beautify": "^1.14.8",
-    "lodash": "^4.17.19",
-    "php-parser": "3.1.5",
-    "prettier": "^2.2.0",
-    "tailwindcss": "^3.1.8",
-    "vscode-oniguruma": "1.7.0",
-    "vscode-textmate": "^7.0.1",
-    "xregexp": "^5.0.1",
-    "yargs": "^17.3.1"
-  },
-  "devDependencies": {
-    "@babel/core": "^7.6.4",
-    "@babel/plugin-transform-modules-commonjs": "^7.16.5",
-    "@babel/preset-env": "^7.13.12",
-    "@babel/preset-typescript": "^7.16.5",
-    "@types/concat-stream": "^2.0.0",
-    "@types/find-config": "^1.0.1",
-    "@types/fs-extra": "^11.0.0",
-    "@types/glob": "^8.0.0",
-    "@types/jest": "^29.0.0",
-    "@types/js-beautify": "^1.13.3",
-    "@types/lodash": "^4.14.178",
-    "@types/mocha": "^10.0.0",
-    "@types/node": "^18.0.0",
-    "@types/xregexp": "^4.4.0",
-    "@typescript-eslint/eslint-plugin": "^5.8.1",
-    "@typescript-eslint/parser": "^5.8.1",
-    "app-root-path": "^3.0.0",
-    "babel-jest": "^29.0.0",
-    "codecov": "^3.8.3",
-    "cross-env": "^7.0.3",
-    "esbuild": "^0.19.0",
-    "esbuild-node-externals": "^1.4.1",
-    "eslint": "^8.5.0",
-    "eslint-config-airbnb-base": "^15.0.0",
-    "eslint-config-airbnb-typescript": "^17.0.0",
-    "eslint-config-prettier": "^9.0.0",
-    "eslint-import-resolver-typescript": "^3.0.0",
-    "eslint-plugin-import": "^2.25.3",
-    "eslint-plugin-jest": "^26.0.0",
-    "eslint-plugin-prettier": "^5.0.0",
-    "fs-extra": "^11.0.0",
-    "husky": "^8.0.0",
-    "jest": "^29.0.0",
-    "lint-staged": ">=10",
-    "source-map-loader": "^4.0.0",
-    "ts-jest": "^29.0.0",
-    "ts-loader": "^9.2.6",
-    "ts-migrate": "^0.1.27",
-    "ts-node": "^10.4.0",
-    "typescript": "^5.0.0"
-  },
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/shufo/blade-formatter.git"
-  },
-  "files": [
-    "dist",
-    "src",
-    "bin",
-    "wasm",
-    "syntaxes",
-    "CHANGELOG.md"
-  ],
-  "lint-staged": {
-    "*.ts": "yarn run fix"
-  }
-}

pkgs/cargo-checkmate.nix

@@ -1,11 +1,12 @@
-{ lib
-, rustPlatform
-, fetchFromGitHub
-, pkg-config
-, openssl
-, zlib
-, stdenv
-, Security ? null
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
+  pkg-config,
+  openssl,
+  zlib,
+  stdenv,
+  Security ? null,
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -22,9 +23,7 @@ rustPlatform.buildRustPackage rec {
   cargoSha256 = "sha256-hOB84u55ishahIFSqBnqccqH3OlC9J8mCYzsd23jTyA=";
 
   nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ openssl ] ++ lib.optionals stdenv.isDarwin [
-    Security
-  ];
+  buildInputs = [ openssl ] ++ lib.optionals stdenv.isDarwin [ Security ];
 
   meta = with lib; {
     description = "Check all the things.";

pkgs/default.nix

@@ -1,9 +1,14 @@
 # Custom packages, that can be defined similarly to ones from nixpkgs
 # You can build them using 'nix build .#example' or (legacy) 'nix-build -A example'
 
-{ pkgs, inputs }: {
-  blade-formatter = pkgs.callPackage ./blade-formatter { };
+{ pkgs, inputs }:
+rec {
   cargo-checkmate = pkgs.callPackage ./cargo-checkmate.nix { };
-  lipsum = pkgs.callPackage ./lipsum.nix { inherit inputs; };
+  lipsum = pkgs.callPackage ./lipsum.nix { };
   emmet-cli = pkgs.callPackage ./emmet-cli.nix { };
+  material-wifi-icons = pkgs.callPackage ./material-wifi-icons.nix { };
+  gnome-pass-search-provider = pkgs.callPackage ./gnome-pass-search-provider.nix { };
+  factorio-headless = pkgs.callPackage ./factorio-headless {
+    inherit (pkgs.unstable) factorio-headless;
+  };
 }

pkgs/emmet-cli.nix

@@ -1,6 +1,7 @@
-{ lib
-, buildNpmPackage
-, fetchFromGitHub
+{
+  lib,
+  buildNpmPackage,
+  fetchFromGitHub,
 }:
 
 buildNpmPackage rec {

pkgs/factorio-headless/default.nix

@@ -0,0 +1,10 @@
+{ factorio-headless, pkgs }:
+
+factorio-headless.overrideAttrs (_: rec {
+  version = "2.0.32";
+  src = pkgs.fetchurl {
+    name = "factorio_headless_x64-${version}.tar.xz";
+    url = "https://www.factorio.com/get-download/${version}/headless/linux64";
+    hash = "sha256-KmECrkLcxej+kjvWi80yalaeNZEqzeEhMB5dTS2FZBc=";
+  };
+})

pkgs/factorio-headless/update.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -xe
+
+cd "$(dirname $0)"
+
+current_version="$(rg '^.*?version\s*=\s*"(.+)".*?$' --replace '$1' ./default.nix)"
+current_hash="$(rg '^.*?hash\s*=\s*"(.+)".*?$' --replace '$1' ./default.nix)"
+
+new_version="$(curl https://factorio.com/api/latest-releases | jq -r .stable.headless)"
+new_hash="$(nix-hash --to-sri --type sha256 $(nix-prefetch-url --type sha256 https://www.factorio.com/get-download/${new_version}/headless/linux64))"
+
+sd --fixed-strings "$current_version" "$new_version" ./default.nix
+sd --fixed-strings "$current_hash" "$new_hash" ./default.nix

pkgs/gnome-pass-search-provider.nix

@@ -0,0 +1,63 @@
+{
+  stdenv,
+  fetchFromGitHub,
+  python3Packages,
+  wrapGAppsHook,
+  gtk3,
+  gobject-introspection,
+}:
+
+let
+  inherit (python3Packages)
+    dbus-python
+    pygobject3
+    fuzzywuzzy
+    levenshtein
+    ;
+in
+
+stdenv.mkDerivation rec {
+  pname = "gnome-pass-search-provider";
+  version = "1.4.0";
+
+  src = fetchFromGitHub {
+    owner = "jle64";
+    repo = "gnome-pass-search-provider";
+    rev = version;
+    hash = "sha256-PDR8fbDoT8IkHiTopQp0zd4DQg7JlacA6NdKYKYmrWw=";
+  };
+
+  nativeBuildInputs = [
+    python3Packages.wrapPython
+    wrapGAppsHook
+  ];
+
+  propagatedBuildInputs = [
+    dbus-python
+    pygobject3
+    fuzzywuzzy
+    levenshtein
+
+    gtk3
+    gobject-introspection
+  ];
+
+  env = {
+    LIBDIR = builtins.placeholder "out" + "/lib";
+    DATADIR = builtins.placeholder "out" + "/share";
+  };
+
+  postPatch = ''
+    substituteInPlace  conf/org.gnome.Pass.SearchProvider.service.{dbus,systemd} \
+      --replace-fail "/usr/lib" "$LIBDIR"
+  '';
+
+  installPhase = ''
+    bash ./install.sh
+  '';
+
+  postFixup = ''
+    makeWrapperArgs=( "''${gappsWrapperArgs[@]}" )
+    wrapPythonProgramsIn "$out/lib" "$out $propagatedBuildInputs"
+  '';
+}

pkgs/lipsum.nix

@@ -1,19 +1,28 @@
-{ pkgs, inputs }:
-pkgs.stdenv.mkDerivation rec {
+{
+  stdenv,
+  fetchFromGitHub,
+  pkg-config,
+  vala,
+  wrapGAppsHook,
+}:
+stdenv.mkDerivation rec {
   pname = "lipsum";
   version = "0.0.1";
 
-  src = inputs.lipsum;
+  src = fetchFromGitHub {
+    owner = "hannenz";
+    repo = "lipsum";
+    rev = "0fb31e6ede10fbd78d7652f5fb21670cddd8e3ed";
+    hash = "sha256-a6uv0tJulN9cAGWxvQr8B0PUJEY8Rx4e759xzS66Xlo=";
+  };
 
-  nativeBuildInputs = with pkgs; [
+  nativeBuildInputs = [
     pkg-config
     vala
     wrapGAppsHook
   ];
 
-  makeFlags = [
-    "PRG=${pname}"
-  ];
+  makeFlags = [ "PRG=${pname}" ];
 
   installPhase = ''
     install -Dm 755 "$pname" "$out/bin/$pname"
@@ -21,4 +30,3 @@ pkgs.stdenv.mkDerivation rec {
     glib-compile-schemas "$out/share/glib-2.0/schemas/"
   '';
 }
-

pkgs/material-wifi-icons.nix

@@ -0,0 +1,16 @@
+{ stdenv, fetchFromGitHub }:
+stdenv.mkDerivation rec {
+  pname = "material-wifi-icons";
+  version = "0.0.1";
+
+  src = fetchFromGitHub {
+    owner = "dcousens";
+    repo = "material-wifi-icons";
+    rev = "2daf6b3d96d65beb2a3e37a9a53556aab3826d97";
+    hash = "sha256-KykU5J7SdpBDG+6rkD//XeHd+6pK3qabe+88RduhwKc=";
+  };
+
+  installPhase = ''
+    install -D material-wifi.ttf $out/share/fonts/${pname}
+  '';
+}

scripts/_docker-block-external-connections

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Create the DOCKER-USER chain if it doesn't exist
+iptables -N DOCKER-USER || true
+
+# Flush existing rules in the DOCKER-USER chain
+iptables -F DOCKER-USER
+
+# Get all external network interfaces
+interfaces=$(
+    ip -o -f inet addr show |
+    awk '{print $2}' |
+    grep -E '^(enp|eth|wlan|wlp)' |
+    sort -u
+)
+
+for iface in $interfaces; do
+    # Allow traffic from LAN
+    iptables -A DOCKER-USER -i "$iface" -s 127.0.0.1 -j ACCEPT
+    iptables -A DOCKER-USER -i "$iface" -s 10.0.0.0/8 -j ACCEPT
+    iptables -A DOCKER-USER -i "$iface" -s 192.168.0.0/16 -j ACCEPT
+
+    # Allow established and related connections
+    iptables -A DOCKER-USER -i "$iface" -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+    # Drop all other traffic
+    iptables -A DOCKER-USER -i "$iface" -j DROP
+
+    echo "iptables rules have been set up for interface: $iface"
+done
+
+# Return to the previous chain
+iptables -A DOCKER-USER -j RETURN

scripts/amd-fan-control

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+set -e
+
+DEVICE="$1" # eg: /sys/class/drm/card1/device
+HWMON=$(echo "$DEVICE"/hwmon/hwmon*)
+
+exit() {
+    echo "Setting controll to auto" >&2
+    echo 2 > "$HWMON/pwm1_enable"
+}
+
+trap exit EXIT INT
+
+bail() {
+    echo "Error: $@" >&2
+    echo "Exiting..." >&2
+    exit 1
+}
+
+if ! [ -d "$HWMON" ]; then
+    bail "Invalid HWMON"
+fi
+
+TEMP_INPUT="$HWMON/temp2_input"
+
+if ! [ -f $TEMP_INPUT ]; then
+    bail "Invalid TEMP_INPUT"
+fi
+
+TEMP_MIN="$2"
+TEMP_MAX="$3"
+
+if [ -z "$TEMP_MIN" ];then
+  bail "No minimum temperature provided"
+fi
+
+if [ -z "$TEMP_MAX" ];then
+  bail "No maximum temperature provided"
+fi
+
+PWM_MIN=0
+PWM_MAX=255
+
+echo "Running..." >&2
+while true; do
+    TEMPERATURE_RAW=$(cat "$TEMP_INPUT")
+    TEMPERATURE="$(( $TEMPERATURE_RAW / 1000 ))"
+    # Remap from a number between 60_000..90_000 to 0..255
+    PWM=$(( ($TEMPERATURE - $TEMP_MIN) * $PWM_MAX / ($TEMP_MAX - $TEMP_MIN) ))
+
+    if [ "$PWM" -gt $PWM_MAX ]; then
+        PWM=$PWM_MAX
+    elif [ "$PWM" -lt $PWM_MIN ]; then
+        PWM=$PWM_MIN
+    fi
+
+    echo 1 > "$HWMON/pwm1_enable"
+    echo "$PWM" > "$HWMON/pwm1"
+    sleep .1s
+done

scripts/controller-battery

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+
+CONTROLLER=$(find /sys/class/power_supply -maxdepth 1 -name '*controller*' || true)
+
+if test -z "$CONTROLLER"; then
+    echo
+    exit 0
+fi
+
+CAPACITY=$(cat "$CONTROLLER/capacity")
+
+echo -n '󰊴'
+
+if test "$CAPACITY" -ge 90; then
+    echo '󰁹'
+elif test "$CAPACITY" -ge 90; then
+    echo '󰂂'
+elif test "$CAPACITY" -ge 80; then
+    echo '󰂁'
+elif test "$CAPACITY" -ge 70; then
+    echo '󰂀'
+elif test "$CAPACITY" -ge 60; then
+    echo '󰁿'
+elif test "$CAPACITY" -ge 50; then
+    echo '󰁾'
+elif test "$CAPACITY" -ge 40; then
+    echo '󰁽'
+elif test "$CAPACITY" -ge 30; then
+    echo '󰁼'
+elif test "$CAPACITY" -ge 20; then
+    echo '󰁻'
+elif test "$CAPACITY" -ge 10; then
+    echo '󰁺'
+else
+    echo '󰂎'
+fi

scripts/default.nix

@@ -1,58 +1,153 @@
-(final: prev:
-with prev;
-let
-  import_script = (_: path: import (path) { inherit pkgs lib; });
-  create_script = (name: text: runtimeInputs:
-    let
-      script_body = pkgs.writeTextFile {
-        inherit name;
-        executable = true;
-        text = ''
-          ${builtins.readFile text}
-        '';
-      };
-    in
-    (pkgs.writeShellApplication {
-      inherit name runtimeInputs;
-      text = ''exec ${script_body} "$@"'';
-      checkPhase = "";
-    }));
-  create_scripts =
-    lib.mapAttrs (name: deps: create_script name ./${name} deps);
+(
+  final: prev:
+  let
+    lib = prev.lib;
 
-  pass = pkgs.pass.withExtensions (ex: with ex; [
-    pass-otp
-  ]);
-in
-create_scripts
-  {
+    importScript = (_: path: import (path) { inherit (final) pkgs lib; });
+    wrapScript =
+      name: text: runtimeInputs:
+      final.runCommand name
+        {
+          nativeBuildInputs = [ final.makeWrapper ];
+          meta.mainProgram = name;
+        }
+        ''
+          mkdir -p $out/bin
+          cp ${text} $out/bin/${name}
+          wrapProgram $out/bin/${name} \
+              --suffix PATH : ${lib.makeBinPath runtimeInputs}
+        '';
+    createScripts = lib.mapAttrs (name: deps: wrapScript name ./${name} deps);
+
+    myPass = final.pass.withExtensions (ex: with ex; [ pass-otp ]);
+  in
+  with final;
+  createScripts {
+    amd-fan-control = [ bash ];
     br = [ ];
-    bmenu = [ final.bemenu final.dhist fish j4-dmenu-desktop jq sway ];
-    down_meme = [ wl-clipboard yt-dlp libnotify ];
-    wl-copy-file = [ wl-clipboard fish ];
+    bmenu = [
+      bemenu
+      dhist
+      fish
+      j4-dmenu-desktop
+      jq
+      sway
+    ];
+    down_meme = [
+      wl-clipboard
+      yt-dlp
+      libnotify
+    ];
+    wl-copy-file = [
+      wl-clipboard
+      fish
+    ];
     _diffr = [ diffr ];
-    _thunar-terminal = [ final.terminal ];
-    _sway_idle_toggle = [ final.swayidle ];
-    kak-pager = [ fish final._diffr ];
-    kak-man-pager = [ final.kak-pager ];
-    helix-pager = [ fish final._diffr ];
-    helix-man-pager = [ final.helix-pager ];
-    musmenu = [ mpc-cli final.wdmenu trash-cli xdg-user-dirs libnotify sd wl-clipboard ];
-    showkeys =
-      [ ]; # This will not work unless programs.wshowkeys is enabled systemwide
+    _thunar-terminal = [ terminal ];
+    _sway_idle_toggle = [ swayidle ];
+    kak-pager = [
+      fish
+      _diffr
+    ];
+    kak-man-pager = [ kak-pager ];
+    helix-pager = [
+      fish
+      _diffr
+    ];
+    helix-man-pager = [ helix-pager ];
+    musmenu = [
+      mpc-cli
+      wdmenu
+      trash-cli
+      xdg-user-dirs
+      libnotify
+      sd
+      wl-clipboard
+    ];
+    showkeys = [ ]; # This will not work unless programs.wshowkeys is enabled systemwide
     terminal = [ alacritty ];
     playerctl-status = [ playerctl ];
-    wpass = [ final.wdmenu fd pass sd wl-clipboard wtype ];
-    screenshotsh =
-      [ capitaine-cursors grim slurp jq sway wl-clipboard xdg-user-dirs ];
-    volumesh = [ pulseaudio libnotify ];
-    pulse_sink = [ pulseaudio pamixer final.wdmenu ];
-    color_picker = [ grim slurp wl-clipboard libnotify imagemagick ];
-    dzadd = [ procps libnotify final.wdmenu jq mpv pqiv python3Packages.deemix mpc-cli final.mpdDup ];
-    mpdDup = [ mpc-cli perl ];
-    readQrCode = [ grim zbar wl-clipboard ];
-  } // lib.mapAttrs import_script {
-  wdmenu = ./wdmenu.nix;
-  wlauncher = ./wlauncher.nix;
-  _gpg-unlock = ./_gpg-unlock.nix;
-})
+    pass-export = [
+      pass2csv
+      gnupg
+      sd
+    ];
+    wpass = [
+      wdmenu
+      fd
+      myPass
+      sd
+      wl-clipboard
+      wtype
+    ];
+    screenshotsh = [
+      capitaine-cursors
+      grim
+      slurp
+      jq
+      sway
+      wl-clipboard
+      xdg-user-dirs
+    ];
+    volumesh = [
+      pulseaudio
+      libnotify
+    ];
+    pulse_sink = [
+      pulseaudio
+      pamixer
+      wdmenu
+    ];
+    color_picker = [
+      grim
+      slurp
+      wl-clipboard
+      libnotify
+      imagemagick
+    ];
+    dzadd = [
+      procps
+      libnotify
+      wdmenu
+      jq
+      mpv
+      pqiv
+      python3Packages.deemix
+      mpc-cli
+      mpdDup
+    ];
+    mpdDup = [
+      mpc-cli
+      perl
+    ];
+    readQrCode = [
+      grim
+      zbar
+      wl-clipboard
+    ];
+    git_clean_remote_deleted = [
+      git
+      gnugrep
+      gawk
+      findutils
+    ];
+    pint-fmt = [ ];
+    powerplay-led-idle = [
+      bash
+      libinput
+      libratbag
+    ];
+    controller-battery = [ ];
+    _docker-block-external-connections = [
+      iptables
+      gawk
+      gnugrep
+      iproute2
+    ];
+  }
+  // lib.mapAttrs importScript {
+    wdmenu = ./wdmenu.nix;
+    wlauncher = ./wlauncher.nix;
+    _gpg-unlock = ./_gpg-unlock.nix;
+  }
+)

scripts/git_clean_remote_deleted

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+git branch -vv \
+| grep ': gone]' \
+| awk '{print $1}' \
+| xargs git branch -D

scripts/pass-export

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if test -z "$PASSWORD_STORE_DIR"; then
+  PASSWORD_STORE_DIR="$HOME/.password-store"
+fi
+
+pass2csv "$PASSWORD_STORE_DIR" "$HOME/passwords.csv" \
+  -f User '(user|login)(:\s*)?' \
+  -f TOTP 'otpauth(:)?' \
+  -f URL 'url(:\s*)?'
+
+# Fix TOTP format for keepass
+sd '"//totp/.*?secret=(.*?)(&.*?)?"' '"$1"' "$HOME/passwords.csv"

scripts/pint-fmt

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+file="$(mktemp)"
+cat - >"$file"
+./vendor/bin/pint --quiet "$file"
+cat "$file"
+rm "$file"

scripts/powerplay-led-idle

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Constants
+SECONDS_UNTIL_FADE=$(( 1 * 60))
+SECONDS_UNTIL_OFF=$(( 6 * 60))
+
+COLOR_ON=ff0000
+COLOR_FADE=880000
+COLOR_OFF=000000
+
+# Logging
+
+if [[ "$1" = "debug" ]]; then
+    echo "Running with debugging" >&2
+    DEBUG="true"
+
+    SECONDS_UNTIL_FADE=$(( 3 ))
+    SECONDS_UNTIL_OFF=$(( 5 ))
+fi
+
+log() {
+    if [[ "$DEBUG" = "true" ]]; then
+        echo "$@" >&2
+    fi
+}
+
+# Implementation
+
+main() {
+    CURRENT_STATE="UNKNOWN"
+    LAST_POINTER_MOTION="$(date +%s)"
+
+    if [ "$(ratbagctl list | wc -l)" -ne 1 ]; then
+        echo "Not exactly one device found, exiting..."
+        exit 1
+    fi
+
+    DEVICE="$(ratbagctl list | cut -d: -f1)"
+
+    while true; do
+        while read line; do
+            LAST_POINTER_MOTION="$(date +%s)"
+            break
+        done < <(
+            timeout 5s \
+                libinput debug-events \
+                | grep POINTER_MOTION
+        )
+        TIME_SINCE_LAST=$(( "$(date +%s)" - "$LAST_POINTER_MOTION" ))
+        log "Last pointer motion was $TIME_SINCE_LAST seconds ago"
+        if [ "$TIME_SINCE_LAST" -gt "$SECONDS_UNTIL_OFF" ]; then
+            setState OFF "$COLOR_OFF"
+        elif [ "$TIME_SINCE_LAST" -gt "$SECONDS_UNTIL_FADE" ]; then
+            setState FADE "$COLOR_FADE"
+        else
+            setState ON "$COLOR_ON"
+        fi
+    done
+}
+
+setState() {
+    STATE="$1"
+    COLOR="$2"
+    MODE="$3"
+
+    if [[ "$STATE" = "$CURRENT_STATE" ]]; then
+        log "Already in $STATE state"
+        return
+    fi
+    log "Changing state to $STATE"
+    CURRENT_STATE="$STATE"
+
+    ratbagctl "$DEVICE" led 0 set mode on
+    ratbagctl "$DEVICE" led 0 set color "$COLOR"
+}
+
+main

scripts/wdmenu.nix

@@ -1,12 +1,4 @@
 { pkgs, ... }:
-let
-  inherit (pkgs.uservars) dmenu;
-  available_menus = {
-    bmenu = "bmenu";
-    rofi = "rofi -dmenu -sort";
-  };
-  menu_cmd = available_menus.${dmenu};
-in
 pkgs.writeShellScriptBin "wdmenu" ''
-  exec ${menu_cmd} "$@"
+  exec bmenu "$@"
 ''

scripts/wfile-picker.nix

@@ -1,6 +1,6 @@
 { pkgs, ... }:
 let
-  inherit (pkgs.uservars) dmenu;
+  inherit (config.my) dmenu;
   available_menus = {
     bmenu = "bmenu run";
     rofi = "rofi -show drun -sort";

scripts/wlauncher.nix

@@ -1,12 +1,4 @@
 { pkgs, ... }:
-let
-  inherit (pkgs.uservars) dmenu;
-  available_menus = {
-    bmenu = "bmenu run";
-    rofi = "rofi -show drun -sort";
-  };
-  menu_cmd = available_menus.${dmenu};
-in
 pkgs.writeShellScriptBin "wlauncher" ''
-  exec ${menu_cmd} "$@"
+  exec bmenu run "$@"
 ''

scripts/wpass

@@ -50,10 +50,6 @@ main() {
 }
 
 autotype(){
-    if pgrep qutebrowser >/dev/null; then
-        qutebrowser ":mode-enter insert"
-    fi
-
     env wtype -s 100 "$username"
     env wtype -s 100 -k tab
     env wtype -s 100 "$password"

secrets/monolith/default.yaml

@@ -0,0 +1,55 @@
+forgejo-runners:
+    git.lelgenio.com-default: ENC[AES256_GCM,data:sEfpBZvgQUkyXPWY4RI0RPJWUbsYK/RGqiYJ5wDSVY9a0EYenyt96QYq6815evq2iQ==,iv:rSWnCOdhfKH4TM9R0/IParYd9laYhWxR+iUhgkVvqfc=,tag:mBcSH/oGDMBgBScvCdn3Zg==,type:str]
+gitlab-runners:
+    thoreb-telemetria-nix: ENC[AES256_GCM,data:zrZvG4be08ulpo7itbrprKK5csCMLvzZjrszfMw1XiJP0FyRTUd9nHgHpbAzbjj2KyT7kKngoZAyengvaTEhkT9sUi1pdGnvajAH8BDDOD0g4LJIHFl4,iv:3bSsTzU7gHx+MchuPg9kmb5xEDugmGPje8Jw74NpRJI=,tag:zffRr77lWbyLt7o/mywb5A==,type:str]
+    thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str]
+    docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
+bitbucket-runners:
+    wopus-runner-1: ENC[AES256_GCM,data:gtH0T5n8qMYpvSv5ciN8+ScGlFDf9xE0FTxNP97vT/qsOCcaItTE+5P+DFcWw46onLED+1c+u0sArFbEsT3f8lyco9b+0l99uOQAxLZQzAXYH8zGye1UnwUtytkci2PHu5c8kTpIWHXyZ1IOYNGWkermeab57ANzOkM1LbkHyAjS6VTh0I60LfAOdHOw5FDFL8d1d9oWxLloOe9USLPqHjC023EpCUT2YuyHoPCTpBu8Kb/2HfV0wkAKaB3dvVrKwXCj+bfP6+bjQ3uMzVO/7jxPmnSGBfvyZ+Hlg5goJ6bSAqQWmnPPnQ96FgQfe8su5ML9qNIp9/7eNiL6Rv6Vhxe0hHbE5wsZ/58grcg/LrugeWJvUJ9THhwcTwO8Pkvwlq0XM9seUY2NV+LCK3bLQ4IWDjWkU1IHg6+nihTcvl1iD6UIGMgqGoB/v05WVzHb+GcE2fFuSuhVHfa5RMyboELOJoFrqZiXGhY=,iv:ZakLafxYQCDd1Zw8T83Xfj+YwAQKna9LC6ognJqtifA=,tag:bwBObfdMIvJfRrOG04NtxA==,type:str]
+    wopus-runner-2: ENC[AES256_GCM,data:gg8merZMFbf396hdJY7zmKQndT3GzB7NeGZAs3C0au8Zd7OFAg9vcQcFcxNA3kZGJZqmFTR/ycWJwhYr9fhlfFuPhDynVvgJAqoYtvC2MUDiOMD/d3DlfwFjQ6cOGTrvFuY1kkgSFb4OFdrVC1eiTDrGygFmYnYcqTKn/t5Ttqi+cHZNzFzVzdVLvaLCYxltM5g45zn+fXYxYwCfqyb32/M1XTnnwIGiataGxEX5oWhVV4zqeLO4ZIYPSby5AVvIMJ/zqvqaeVVY52GLDcTKrj3thbZxMQLWN3/lOA0uYhi3L/WM8Gx+JMEIbSICcuT7QXu4w4PA+opcx9GnsMCK2/egzS+cNPJ4vGZCdVD/jh6A9zVEJAgXdsHXNXFHmMPt7DcgrCQiub62og4kBY4G/Rcg4UN7sb3v3qyBpGbCGHGRjCFc+wdHpom0yDOG2cwcqfN49pC2R7Ag2BisFQ/5A+DPmKnvGG3kt9s=,iv:5g5XiDecYqi4JNRkZubgPJECBQdZ6rBeojgFe6Etebk=,tag:HRy5bFSbfxKTb5e13lGtgg==,type:str]
+    wopus-runner-3: ENC[AES256_GCM,data:f9pLYR8t51HtPpLyXysIVaDAhxDrmktJH93E7rb7imtKwK7hRhR8usnvHTcknLfD7BMvStAIYefdGt19u7PrQu6vqc19bEcNbnK5OH4KBP6+X47oMgBYtbIGXH+t3dSDt22fSIoppTwdX7/Kf4vqesfN8K7EunETvFR86oyyKdy15mvXr0XUO4us4HZjnIOBEnOm1P/V8hk5JcCpRuo+8ZYmBe5gzq5pTnqnYlPE1EovM7eDMg72J7ev07h50qvySrAqmNiqDcXfTPQ2TzuHx3XxAYqFybf1L6P9OnLB6RDAlpoFJ0h8dSg2tzC2+amYsBP0UIBK/ZhWvvAjpX+MZrTASjenh/tefDcNdbsXDOr7A4i/261z4rC0r+97INglCN1N/SZg51iBHiRAVV1zibDLfioR5+eBIykWAtjILMoYU+zOcr0E8K0I9jQGMtpnYmvHJqV0DVcdfZpJptrPUUy+lQ/iZVcPpLs=,iv:grzvVsfpUzywjNE4jvTxXKG3TYajrvSsQgfOgtafvIo=,tag:K1B6crN0ckLk0EYBtGHDkw==,type:str]
+    wopus-runner-4: ENC[AES256_GCM,data:D1Zq0BtPuACnutAbUcj3gYSMLuIZcMuqc/1mEFmitEG0tBFMWhkabS+8lXcp8sb1DM0LTDMEwgMB9FVyFb670MKQNEncqQtaNJtY1BxS3SolovDAM/I+i6YGvd4X8jX99d+7ZNR6xGBWJ/dW8rz4QnIM8Eh3FDOqaFa/ltfyPKP9IZ2uZi67C/n8Q/OSdgMQkt+QxhgJfSghE1iruPwxyGlqv+E4SZNI/fQQMjX0Lh7z02ms58yyMtjO71YbukV/JXFRsdJrqY2wfH/6NlZbsKideoSxluBRVqmbW6KQd7dUT819KbOSu9CFdgThtVCU8qiv3jbAbn8D5xRy4AAOEfSqRLXJoj7otCqr47R/8+0BdS3aztFBjL3lDmprMWZ4+LD55fvczfpxUF9ox1mhcjIvCvZJJL06XsST1XRXa7i2fr4/a/XhCmQgIzar5IYxSC9OjuHp6jLsTaY3ZUgid5W1L1n8uWSmA98=,iv:O9caRG//brERiIhuMrsFdTz6TnPY0rdQnvHEu0P42yM=,tag:hrmwLX/CRhZfammJ2nfTPw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaFFtOHRBNjZqOXJOV1Bk
+            SXRhZTdNWklKaTZST2JhU3VFLzBGSWY0QlMwCldwS1hhMDEyZDAxWUlRRXZtTWts
+            Ti9IOUR2OFdGYkJ4cFRsV0lkbWJvb1EKLS0tIEJUS1ZCZ1M4ZUs5cDhiam5JaEk1
+            U1VjNFprNHZWeDhwU3owRXh0MlBFYkUKHPgxz9/w3+JEtOljfyWBPSshfFlVWVys
+            f15yxlAeWIZVEGqoau7DegVdZiYYIJR2dFBXV1RkKbAwLrbUxAQidg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OWk0cTJ4d25Qd0hrdkFD
+            a2Fzd1lrMDREclkvRmxUSjFpYXZvRGs2Rm13Cm5aRVZDWE5ZUVR1K2hkZkdKWjYw
+            K3lKNndBNGFveGVGVWplaHA0MVlYUG8KLS0tIFlVeXhCTGJGUm1HK2RCSFg1RnI3
+            aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h
+            jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-07T21:28:04Z"
+    mac: ENC[AES256_GCM,data:4lOafZQ6PP38CByulzA/J86sw+TpQhj40s1lTRXqUtpt72yH8nQK8dXpw0dNYvDBtDpKRvNTHZubzalEua6n2lCQL7rsZ2+fo6FJ4ht2Kb70dddDcWEyrfyZQ2FaKC5L/QjqM0SbIfPszNvyQ8wIaOoMfNJBis5QOjRSGDAcJm8=,iv:LLT0oJW+3KNe1nKphCK0c5FPIuh8GfnDrvNDCFhP4NM=,tag:rPbVY7L1qxNc3aCfv77FAg==,type:str]
+    pgp:
+        - created_at: "2025-03-07T22:49:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAzy6JxafzLr5AQgAjwQqdeESOfrOuCjfjALdoy3AnNYC+slusdlra58CoRu6
+            YFDAivwPHJBRiuVy43Lo7SWnKXMKvLOry589GBY3JGjNV5U1cPWBhMlTubYZmZWl
+            iel8Bvw4IF5JksMIvLFdDgexLN7wETzzZP9S8750BCgpSrncrw1k/dUedhv5HUjo
+            N10x6BPjPSmgolA8uxsISHLAUrKcQoeaWvcZFU1ofKywq08HgIySphy6z3Gmv3Qs
+            86saZp1rFm5+qHkrDRgL6Oe3Xx30jVkzn9MHPWzZCDPCEvYGJgXX34NGzbX+/nd3
+            JB9XkT2YTFi4BLhdHY3EE7e9//PJc5G9RVDZyAF1e9JeAXH2yR5blXbogoy+VMnS
+            Yn74Uvs+fnYFTDOiuequro5i0uAyxtrCx8fdfwjuh+9SC5p3N2cBv2eT7zLQwQHi
+            czHlwxmpi/dMB/u83fR4FzuCUt98VXiezIC4yGn25g==
+            =Yqqx
+            -----END PGP MESSAGE-----
+          fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4-unstable

secrets/phantom-invidious-settings.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa BwwxHg
+iTcgtxF1IxopbtF+aw7V8IQfH7tWiMk9lE/eWlVHVjeaRvER5W6Y3xZNOFCjtbqY
+VwEyV6ibfZ4GJt1jRu2icEH/AnLUJFFGQnxu/K/rtoZ3tqSIk9WCBv3aPo4oZRiU
+uaaxi2gD8qo1RLyl/Ij7Djw4i/isUOO1EON5sgx1d39k6qUD4Mak0DSU4EtGdTsr
+OaxDAc0kAxhxZQOUH/QlKa0HLonaFcy1LHqvttOcw3UZuZnaYfZiPlcqe3USS9cm
+96aIC5cS9pHr4JFrqRYvfpla2TY5jlCB/xBGw3KjGEIQoBPXSsJZA6BCMZyp00++
+tdfS2aomt9HFmb1wZDS0jWAxkVF6nXXBbolFVih+58h0nYLljtHIQ3SizRoXY459
+x3JE9NReHp2OO3SlIeO03Kv8YMBvj7nSSd1C1PMpu+hJ/eCXi1WQxD6QY+40muk6
+KhqE3PZ8BCY2b+VpywUF5gVH28mo3jscqAzhf2dZ3SQlzldI+hFyKPxTdAqkfUOH
+
+--- cinb+wzjVfTkpfm1CtFIFaepwoQVCj1MquB5rAC45Ew
+¾
+6
+ZCþHS07ïºÖóýE¼X*Àqb=üOßíÛÉwu¥¤³­Pºþ¹Ùçǖѳ/£ómvòÞ×Ë2VœÄ«
+ÁŠxvç
[“£‚µ£±”Ì‚A~ evdÓåÙ0¢Œni³1Ò›¹Qý„"í@Ù¹§ÞÔ{KpÐ:åϵuµsÊÎBñò(X…r[ÂQVg¢Tš¤°ðœîËï@Ä*ÇõÿíB«<>.§¯žhE鲟èÐë’­÷½¥Žûzlz|kã`l8‘´8¼M›cch<63>îáZ`ƒ ?yeoƒ+ÈM-:/–À**ìè¦ÊcŸÎZD¡2Ñá¼é&·÷¾Ç¢¹£e¤ï*Hnç"Þ~+|ua(û6óËJ

secrets/phantom-mastodon-mailer-password.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-rsa BwwxHg
+Mnc+/tJ0QqxHkg2nl9gEkz5Oj1RgxtOZnD5gRv66ISUOqZhNm1+F+xVEdKn843/q
+/WzH0f1cTF9NXP8vIaEo//bMmp50obJAd+JNovJxV+0gb9L55Nu7ayvK+eyk6j5n
+eb8TxUnwh5BPkEyc6akDh/O49GXzLlVoFD6Ik/0f3YCqUDNAYOl2bsssXtevCeK/
+WEPoCFGhZfNUrOo/0eAhiujZZ5zVb0CWNqXi8VTe2eWOE20VJULcN13TEyO3ZePx
+bAPBmDfS5GgGlV4INWxVLaIMDrzlm0tYozbBNNUbdLFFOhIOrgvay9RWxdk0u2hJ
+MPKoKsJ96EFxrbZJdS0W7a+aZk/Q3A3Civ2rtPx+5UANhmlY8e1lUHa26e1vA4K7
+ApoMtDyCbuZ9FbLurwl9zO64wWP68aKzuyKOIw+wpy41NQ/PcViSY8KNG9Pt7A2N
+CcOkByx+rwz+JdNHbOF8O4FFG4fNSWn7SvVtu5ymGgVi1bOd8PdJpjDR+6Is0SX7
+
+--- DHNyITb7ZseEV58MOD/zHeH5vff0hhlbKg27rlYECGk
+ÆJ…¨Úãè·<hUs/¿ïš}ó´Zi`ˆ‘ 'ÂJŸ°z5ùÃgõãŸ%€ì‡`¤º%/˜‚±
<01>ˆ„á-Î<x—íõÉ’|

secrets/phantom/default.yaml

@@ -0,0 +1,54 @@
+hello: ENC[AES256_GCM,data:UJAAdOL7wzQ1LduTyW+XK2NtXyw/u/Yz28Bmd7OoBe41FVLKwVfvdI1nAwYuNQ==,iv:7kPT2HF5T498bUJ9hUlz5Ez/jn1g7YIUVbJOTW/CHhQ=,tag:KJhJPg8AStyW4roEbEUJ2g==,type:str]
+example_key: ENC[AES256_GCM,data:DcLN+C1BQ6WZg5fRiA==,iv:JC3GTWn4a4RekAHdOQB3YV5+eGa4cUK1JjyTPe8eNHY=,tag:W9CV4rsgHuXyqpWpUxlIQg==,type:str]
+#ENC[AES256_GCM,data:RjdYJNz6qGfbsU/AiBeLlQ==,iv:LjRzSjBXp44cGSqUUfRDNLC9cW4Vd7lfsqDWINt31VA=,tag:NzVm1h9CVKE2XXt300aR/g==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:K9j/t8MDibYO8Frhu1M=,iv:YnrxRnJJwTH6DJC6Bv/d1NUnX2ZPFwsjoji7L1Z+d7s=,tag:Dm7xCUlnjKdXHCuk8lwY8w==,type:str]
+    - ENC[AES256_GCM,data:0g6ACJzEHBtukwQYYTY=,iv:xLBJWfOYkX7Y28N01CX2+d5QOr9VGAhInH6pa1hNSGE=,tag:tCkCigo4yhi6YKVMe3Z3lQ==,type:str]
+example_number: ENC[AES256_GCM,data:R+/m/QVBH9/3DA==,iv:FumBUj97ICrRQmyh5fg8Gu9Lba9oITD1pdsr1I/PCf0=,tag:hguw1gpPI3w64fG1WLnJqA==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:VvI5ag==,iv:koMzyWcua75sK19vuk65oywCD61lMyH3xUwue8LTqy4=,tag:2ym1M0FTwevLm7wefTUWAw==,type:bool]
+    - ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXhsMHQvb0NyUXRkRDE3
+            TjVjb2orQktDMGs4U2JUS3hWdmtMdnhuYnhBCi9VU1RVblZPaW14VGxMcjM0N20z
+            R1pOdUJZc1ZGcjBsTnNaZGhleVR6L1kKLS0tIE5vQkFhVXd0R3ZQSzZkNmVqN1Vj
+            NERXdlJhVHF0NWpNT29CNlRid2NYMVUKxg7kbP6dOZDUz0uxdC45DZCAa6GQTQ1x
+            nIb7lvPW4xFIb0bOZuvc7cAbHjf4So+8zvA0MM4mkTmIDpnwGD5Clg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcTJGVmZUenNwYVNjRFlU
+            VXNBeDdpVFVtSTN5TG9VN0Q1WjRFbjlHd0Z3CjFsU1BsNkZ1a1ZkY2lva3lBUWZ3
+            YUpqeEo0Tys1bDk0TEpwQTJ2U29kbjgKLS0tIFJDYWpNemY4NXZ0MkM0YWNldDBE
+            RU1HSUhldHpzeURaUWQvcjBCQ3pMY2cKYL87Njs4e68zu5AXKNF/hxiB3HduS8wz
+            o0kmGI58DZx17+Cdipw0ab9a9wiu9C9Fn+LaiCcdM/ESXtS79RzdbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-05T22:27:18Z"
+    mac: ENC[AES256_GCM,data:WSopSnWZ+uOllywd7difaZtJcfxkL7eIf9Kr3GajZKO0+rP6pEHIS+5AbXZy6oKRlCLUPecY/WXFvk3//akpvvXHbf6Jp4fQ/YSuTcYKRQupbDBpOXSlc33QyRl6oEyiMOjxMxa2N2tmq8dmA0NbF9wSDMa5a4eNDoiL5T/sUZ8=,iv:QqbVRApzFF6q24rk8KfKuthj656nEczD9Si4INj+N9A=,tag:tMRNYo+u/jIQ6iX3KqKJdA==,type:str]
+    pgp:
+        - created_at: "2025-03-07T22:49:19Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAzy6JxafzLr5AQf/Zw+EB0lFpbul4KmHL3ndbhQCHzhkMgG6vEyj7EpjHQxE
+            nwf9kRrTcRh9YdrgR+5PFRnFJ8+L+gZhk+V/GaEPcEUyskOX/YGTSp1u6pXKGEem
+            TGojrIx0WwcmeCZUn+qCehbC7ZU64NDDmb7VeWnRkMbboU6UVooHUub88VsbnYw2
+            XXtXh4G8isrbyAKzUyypnJnEVbKlVqPOL67BYczjyBqMYc1JVLmBy6nP+sv6q/yo
+            QyDzlunmZtu52dwAL0L6wJF+novLr4W9cso4K5UVv2sp5M8gucuiY2obiB3vNfgO
+            q9GZTlMWnyDGflM1w+tzpZ/Ke+sM4dSy3cXpZd+MFNJeAaBJ1owjolb4tPUXlt+W
+            cJ+SFLWxzH8MsPb+Hfxrt8PPCcv67uch/k50PLYs/V/EM59+mgEJe5LY4rMbUSFw
+            REGL3LA6Cnkl2bUeHlfG7XlztHd/ehmZM2RPKof+Qw==
+            =htZl
+            -----END PGP MESSAGE-----
+          fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4-unstable

secrets/secrets.nix

@@ -2,12 +2,18 @@ let
   main_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15";
 in
 {
-  "rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
-  "monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
+  "monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [
+    main_ssh_public_key
+  ];
   "gitlab-runner-thoreb-telemetria-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
+  "monolith-forgejo-runner-token.age".publicKeys = [ main_ssh_public_key ];
   "lelgenio-cachix.age".publicKeys = [ main_ssh_public_key ];
   "monolith-nix-serve-privkey.age".publicKeys = [ main_ssh_public_key ];
+  "factorio-settings.age".publicKeys = [ main_ssh_public_key ];
   "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ];
   "phantom-writefreely.age".publicKeys = [ main_ssh_public_key ];
   "phantom-renawiki.age".publicKeys = [ main_ssh_public_key ];
+  "phantom-forgejo-mailer-password.age".publicKeys = [ main_ssh_public_key ];
+  "phantom-mastodon-mailer-password.age".publicKeys = [ main_ssh_public_key ];
+  "phantom-invidious-settings.age".publicKeys = [ main_ssh_public_key ];
 }

secrets/test.yaml

@@ -0,0 +1,55 @@
+hello: ENC[AES256_GCM,data:ADXdQUkrnh9lDrsHyInYsPBo21u/mIAH47KhGQsxuz5OshT6CoK+89CILEi9tQ==,iv:b/rnM77z69+pVO3kxQZxI2YzTCRiBwwO5fhcwCB2/CI=,tag:A0FOXIfgIkJawV3QhlJPWQ==,type:str]
+example_key: ENC[AES256_GCM,data:gXXl6hhdYNLC1Grmyw==,iv:miSL7Wdewd5zs4A86/r8OW6gK+PGZJ+gaqZRHHxvZos=,tag:Ty+IaoXdMSEThNPRjwhqTA==,type:str]
+#ENC[AES256_GCM,data:FLhydTaiOqLRFk+ZrgGx9Q==,iv:TqhX2ylJKFQjdOpmwCER1+gRe4iR+I0hkVkNnYH4ESo=,tag:1BSk9TKqTma4MVUMswwmog==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:1sIEL3xGDAygUKoodBA=,iv:1DumVv8vDvhT/K0jXM1vHdrFTE7dIxqqjS8CIpWdnc8=,tag:WSs+3a816zVOaGCTElxgFQ==,type:str]
+    - ENC[AES256_GCM,data:tFi1czQnVgX/nlWrJrs=,iv:isH65ldilVe3EjsKNP/dOKgtWZtHQPw364fPHBI+LEw=,tag:Ka5ywriFptKg3+lIHPEIyA==,type:str]
+example_number: ENC[AES256_GCM,data:sxSM8a9oAp+u6g==,iv:KRLfIxZuBsnK+QE4mqm3pyhJmE7Fsd4ykJA++KrOnEQ=,tag:F5EkVUzw06ulr5jZvlTJdg==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:PDts2Q==,iv:qtfKg5gmUw2aERJe3gfT15Pk7mWocXwKdJhAzSic1o0=,tag:gn1sWsgt9ihYF8bHAkAQwQ==,type:bool]
+    - ENC[AES256_GCM,data:o9as7T0=,iv:YXyTB2X9PmTsOd37+BAp2xnT/+Yzyajcn5y1GE1O5rE=,tag:hyXA43jpyAbgH2hg1ivloQ==,type:bool]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUURIQmZvSVp3aXlFT0RR
+            VHVBR0drN2JyV1hNUk5sakxGRXl6SEJuOUUwClQ1Q1lRZTR5R3Z4dlZyb29OaTNW
+            UVcwV3h6UlhtZkg2aFhrUUtIT0tQRmsKLS0tIDlnckhHWXRKcmRwTGUzdHZxWEVh
+            a3ZSWk0wNm1raXdMYXdKY1hDd2dZWUEK+IFU/9vsHu70XbSJ7sKqFncrZO3NAH8/
+            X/XF1VUmIuDfQZYJsDa4HaXe52xvDWTw3/4frG9HutEI2NcvvRpxlw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRGxFWXJVcDZOdzVxaFJG
+            LzdhN3JKaFhPOVBlblRPNWpDdERPaWhDNkM0CmcvUGxNQ09tNTJndWZTdjFia2pl
+            RnNWQ0ZKSFhEN0FNbVZlKzlFUlh5QTgKLS0tIFkwc1pJajlyOGNHSTdaM3FQZWFK
+            NUJpRDlLNXlGOTNBbVRTU0ZMVkhqdUUK1koXmGDGTKoNx1wp4c9EknY9LQ5a7dQP
+            Zx6OzvtpsxL6KGjH7BeNNcm2zOR4YqnklLq09UsPHElz2upJQzECAQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-07T22:49:01Z"
+    mac: ENC[AES256_GCM,data:yma+7wtzVjCzlLOVpqiicjQ9YN1ttzoh8CpcAtjdtVl6gu7/3FXUKYyAWJd+1NUUpK7vN435gOq9/nsig0FRrn0Hgq0+cjFUGS6+6+SPmL97eFvti89gCOeIFhPvBnJQYJLiyVkUcBek4xW+vnt6UgrTy+sD9AT3KHdBlfu3pzY=,iv:ioswFO5KDAL3Bv7MI8V0aWXXxZZIz1M1PyMUbIMnCRI=,tag:5fUBtqz9J2qvY4fUT2ueoQ==,type:str]
+    pgp:
+        - created_at: "2025-03-07T22:49:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAzy6JxafzLr5AQf/Xok7aBMNT6W3LV2Ekx/ccxEZaZ0aVNKHE9aFTz5kBSpu
+            cXVohu5mEgeXr++HbrsCI821/gfchQ1yzVSLJsSrmZdJ586c3a7pWx2Eo4pcngmy
+            vb5UWtTBNogABnLz4iTjVQYLjZeNcNhkzW6s3m9PiaX3AvJP9irPcmwIyYpzd9pt
+            hngnBsdTis52fmvZ6+wOuMyTZU0Iksknom1De8xqgR5ZuO0Vitt19RGbpVhx96AC
+            t1CUkb5WMFTdpbCFORa/ta9Z7UcKxXTAPsfPkPVG9DnHQ1jSmsJWPDQZxoIJLHuH
+            SVV+qfRGndOo9fjExCInX6I5wBlrHrdpGtL7VLczV9JeAXYlMJwH63eOyi8hxxtr
+            KfTJEIALC25uFhoK8bmr30yVZe7thUPMXfht+R5dlHne7+FcBb4k7YLpeN/M40me
+            CSKk+9YaG7gQIdrfvEXlHSPCPppcKev6ZUspHewhmQ==
+            =IMON
+            -----END PGP MESSAGE-----
+          fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

settings/default.nix

@@ -0,0 +1,18 @@
+{ lib, ... }:
+{
+  options = {
+    my = {
+      themes = lib.mkOption { };
+      key = lib.mkOption { };
+      theme = lib.mkOption { };
+      accent = lib.mkOption { };
+      font = lib.mkOption { };
+      username = lib.mkOption { type = lib.types.str; };
+      mail = lib.mkOption { };
+      dmenu = lib.mkOption { type = lib.types.str; };
+      desktop = lib.mkOption { type = lib.types.str; };
+      browser = lib.mkOption { type = lib.types.str; };
+      editor = lib.mkOption { type = lib.types.str; };
+    };
+  };
+}

switch

@@ -1,13 +1,25 @@
 #!/usr/bin/env bash
 
+set -euo pipefail
+
 nix fmt
 
-git diff
+git --no-pager diff
 
-sudo nice ionice \
+run() {
     nixos-rebuild \
-    switch \
-    --verbose \
-    --print-build-logs \
-    --flake .# \
-    $@
+        switch \
+        --use-remote-sudo \
+        --print-build-logs \
+        --flake .# \
+        "$@"
+}
+
+if which nom >/dev/null; then
+    run --verbose \
+        --log-format internal-json \
+        "$@" \
+    |& nom --json
+else
+    run "$@"
+fi

switch-phantom

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+nix fmt
+
+git --no-pager diff
+
+nixos-rebuild switch --flake .#phantom \
+  --update-input nixpkgs \
+  --no-write-lock-file \
+  --build-host phantom \
+  --target-host phantom \
+  "$@"

system/android.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  options.my.android.enable = lib.mkEnableOption { };
+
+  config = lib.mkIf config.my.android.enable {
+    # Open kde connect ports
+    programs.kdeconnect.enable = true;
+
+    programs.adb.enable = true;
+    services.udev.packages = [ pkgs.android-udev-rules ];
+  };
+}

system/bluetooth.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  services.blueman.enable = true;
+  hardware.bluetooth = {
+    enable = true;
+    settings = {
+      General = {
+        DiscoverableTimeout = 0;
+        Discoverable = true;
+        AlwaysPairable = true;
+      };
+      Policy = {
+        AutoEnable = true;
+      };
+    };
+  };
+}

system/boot.nix

@@ -1,4 +1,10 @@
-{ config, pkgs, lib, inputs, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
   console = {
     font = "${pkgs.terminus_font}/share/consolefonts/ter-120n.psf.gz";
     packages = [ pkgs.terminus_font ];
@@ -36,11 +42,9 @@
     };
     plymouth = {
       enable = true;
-      theme = lib.mkIf (pkgs.uservars.desktop == "sway") "red_loader";
+      theme = lib.mkIf (config.my.desktop == "sway") "red_loader";
       themePackages = with pkgs; [
-        (adi1090x-plymouth-themes.override {
-          selected_themes = [ "red_loader" ];
-        })
+        (adi1090x-plymouth-themes.override { selected_themes = [ "red_loader" ]; })
       ];
     };
   };

system/cachix.nix

@@ -1,12 +0,0 @@
-{ pkgs, lib, config, ... }: {
-  services.cachix-watch-store = {
-    enable = true;
-    cacheName = "lelgenio";
-    cachixTokenFile = config.age.secrets.lelgenio-cachix.path;
-  };
-  systemd.services.cachix-watch-store-agent = {
-    serviceConfig.TimeoutStopSec = 3;
-    # If we don't do this, cachix tends to timeout
-    serviceConfig.KillMode = lib.mkForce "control-group";
-  };
-}

system/configuration.nix

@@ -1,149 +1,46 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ config, pkgs, inputs, ... }: {
+{ pkgs, config, ... }:
+{
   imports = [
-    ./gamemode.nix
-    ./cachix.nix
+    ./android.nix
+    ./gaming.nix
     ./media-packages.nix
     ./boot.nix
     ./thunar.nix
     ./nix.nix
+    ./fonts.nix
+    ./sound.nix
+    ./bluetooth.nix
+    ./mouse.nix
+    ./locale.nix
+    ./users.nix
+    ./containers.nix
+    ./network.nix
+    ../settings
   ];
 
+  my = import ../user/variables.nix // {
+    android.enable = true;
+    media-packages.enable = true;
+    containers.enable = true;
+  };
+
   zramSwap.enable = true;
 
-  programs.adb.enable = true;
-  services.udev.packages = [ pkgs.android-udev-rules ];
-
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-  # Enable networking
-  networking.networkmanager.enable = true;
-  # Open kde connect ports
-  programs.kdeconnect.enable = true;
-  networking.firewall.allowedTCPPorts = [ 55201 ];
-
-  # Set your time zone.
-  time.timeZone = "America/Sao_Paulo";
-  environment.variables.TZ = config.time.timeZone;
-  # Select internationalisation properties.
-  i18n.defaultLocale = "pt_BR.utf8";
-
-  # Enable the GNOME Desktop Environment.
-  # services.xserver.displayManager.gdm.enable = true;
-  # services.xserver.desktopManager.gnome.enable = true;
-  # services.xserver.displayManager.autologin.user = "lelgenio";
-
-  # Configure keymap in X11
-  services.xserver = {
-    layout = "us";
-    xkbVariant = "colemak";
-  };
-  console.keyMap = "colemak";
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-  services.flatpak.enable = true;
-  virtualisation.docker.enable = true;
-  virtualisation.docker.autoPrune.enable = true;
-  virtualisation.docker.autoPrune.dates = "monthly";
-  virtualisation.docker.autoPrune.flags = [ "--all --volumes" ];
-
-  programs.extra-container.enable = true;
-
-  programs.firejail.enable = true;
-
-  security.rtkit.enable = true;
-  services.openssh = {
-    enable = true;
-    ports = [ 9022 ];
-    settings = {
-      PermitRootLogin = "no";
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-    };
-  };
-  # programs.ssh = {
-  #   startAgent = true;
-  #   extraConfig = ''
-  #     AddKeysToAgent yes
-  #   '';
-  # };
-
-  ## Enable sound with pipewire.
-  sound.enable = true;
-  hardware.pulseaudio.enable = false;
-  services.pipewire = {
-    enable = true;
-    wireplumber.enable = true;
-    pulse.enable = true;
-    alsa.enable = true;
-    jack.enable = true;
-  };
-
-  services.blueman.enable = true;
-  hardware.bluetooth = {
-    enable = true;
-    settings = {
-      General = {
-        DiscoverableTimeout = 0;
-        # Discoverable = true;
-        AlwaysPairable = true;
-      };
-      Policy = { AutoEnable = true; };
-    };
-  };
-
   # Enable touchpad support (enabled default in most desktopManager).
-  services.xserver.libinput.enable = true;
+  services.libinput.enable = true;
 
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.mutableUsers = false;
-  users.users.lelgenio = {
-    isNormalUser = true;
-    description = "Leonardo Eugênio";
-    hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
-    extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "bluetooth" "corectrl" "vboxusers" ];
-    shell = pkgs.fish;
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15"
-    ];
-  };
-  users.users.root.initialHashedPassword = "$y$j9T$E3aBBSSq0Gma8hZD9L7ov0$iCGDW4fqrXWfHO0qodBYYgMFA9CpIraoklHcPbJJrM3";
-
-  # services.getty.autologinUser = "lelgenio";
-  programs.fish.enable = true;
-
-  programs.dzgui.enable = true;
-  programs.dzgui.package = inputs.dzgui-nix.packages.${pkgs.system}.default;
-
-  packages.media-packages.enable = true;
   environment.systemPackages = with pkgs; [
     pavucontrol
 
     glib # gsettings
     usbutils
-    # dracula-theme # gtk theme
-    gnome3.adwaita-icon-theme # default gnome cursors
-  ];
-
-  fonts.enableDefaultPackages = true;
-  fonts.packages = with pkgs; [
-    noto-fonts
-    noto-fonts-cjk
-    noto-fonts-emoji
-    nerdfonts_fira_hack
+    adwaita-icon-theme # default gnome cursors
   ];
 
   services.geoclue2.enable = true;
-  # programs.qt5ct.enable = true;
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  services.pcscd.enable = true;
-  security.sudo.wheelNeedsPassword = false;
 
   systemd.extraConfig = ''
     DefaultTimeoutStopSec=10s

system/containers.nix

@@ -0,0 +1,39 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+{
+  options.my.containers.enable = lib.mkEnableOption { };
+
+  config = lib.mkIf config.my.containers.enable {
+    services.flatpak.enable = true;
+
+    virtualisation.docker = {
+      enable = true;
+      autoPrune = {
+        enable = true;
+        dates = "monthly";
+        flags = [
+          "--all"
+          "--volumes"
+        ];
+      };
+      daemon.settings = {
+        # needed by bitbucket runner ???
+        log-driver = "json-file";
+        log-opts = {
+          max-size = "10m";
+          max-file = "3";
+        };
+      };
+    };
+
+    networking.firewall.extraCommands = lib.getExe pkgs._docker-block-external-connections;
+
+    programs.extra-container.enable = true;
+
+    programs.firejail.enable = true;
+  };
+}

system/fonts.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  fonts.enableDefaultPackages = true;
+  fonts.packages = with pkgs; [
+    noto-fonts
+    noto-fonts-cjk-sans
+    noto-fonts-emoji
+    nerdfonts_fira_hack
+  ];
+}

system/gamemode.nix

@@ -1,19 +0,0 @@
-{ config, pkgs, inputs, ... }: {
-  programs.gamemode.enable = true;
-  programs.gamemode.enableRenice = true;
-  programs.gamemode.settings = {
-    general = { renice = 10; };
-
-    # Warning: GPU optimisations have the potential to damage hardware
-    gpu = {
-      apply_gpu_optimisations = "accept-responsibility";
-      gpu_device = 0;
-      amd_performance_level = "high";
-    };
-
-    custom = {
-      start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
-      end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
-    };
-  };
-}

system/gaming.nix

@@ -0,0 +1,71 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+{
+  options.my.gaming.enable = lib.mkEnableOption { };
+
+  config = lib.mkIf config.my.gaming.enable {
+    programs.steam.enable = true;
+    programs.steam.extraPackages =
+      config.fonts.packages
+      ++ (with pkgs; [
+        capitaine-cursors
+        bibata-cursors
+        mangohud
+        xdg-user-dirs
+        gamescope
+
+        # gamescope compatibility??
+        xorg.libXcursor
+        xorg.libXi
+        xorg.libXinerama
+        xorg.libXScrnSaver
+        libpng
+        libpulseaudio
+        libvorbis
+        stdenv.cc.cc.lib
+        libkrb5
+        keyutils
+      ]);
+
+    environment.systemPackages = with pkgs; [
+      protontricks
+      bottles
+      inputs.dzgui-nix.packages.${pkgs.system}.default
+    ];
+
+    programs.gamemode = {
+      enable = true;
+      enableRenice = true;
+      settings = {
+        general = {
+          renice = 10;
+        };
+
+        # Warning: GPU optimisations have the potential to damage hardware
+        gpu = {
+          apply_gpu_optimisations = "accept-responsibility";
+          gpu_device = 0;
+          amd_performance_level = "high";
+        };
+
+        custom = {
+          start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
+          end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
+        };
+      };
+    };
+
+    programs.corectrl = {
+      enable = true;
+      gpuOverclock = {
+        enable = true;
+        ppfeaturemask = "0xffffffff";
+      };
+    };
+  };
+}

system/gitlab-runner.nix

@@ -1,40 +1,51 @@
-{ pkgs, lib, ... }: {
-  mkNixRunner = registrationConfigFile: with lib; rec {
-    # File should contain at least these two variables:
-    # `CI_SERVER_URL`
-    # `REGISTRATION_TOKEN`
-    inherit registrationConfigFile; # 2
-    dockerImage = "alpine:3.18.2";
-    dockerAllowedImages = [ dockerImage ];
-    dockerVolumes = [
-      "/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
-      "/nix/store:/nix/store:ro"
-      "/nix/var/nix/db:/nix/var/nix/db:ro"
-      "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
-    ];
-    dockerDisableCache = true;
-    preBuildScript = pkgs.writeScript "setup-container" ''
-      mkdir -p -m 0755 /nix/var/log/nix/drvs
-      mkdir -p -m 0755 /nix/var/nix/gcroots
-      mkdir -p -m 0755 /nix/var/nix/profiles
-      mkdir -p -m 0755 /nix/var/nix/temproots
-      mkdir -p -m 0755 /nix/var/nix/userpool
-      mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
-      mkdir -p -m 1777 /nix/var/nix/profiles/per-user
-      mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
-      mkdir -p -m 0700 "$HOME/.nix-defexpr"
+{ pkgs, lib, ... }:
+{
+  mkNixRunner =
+    authenticationTokenConfigFile: with lib; rec {
+      # File should contain at least these two variables:
+      # `CI_SERVER_URL`
+      # `REGISTRATION_TOKEN`
+      inherit authenticationTokenConfigFile; # 2
+      dockerImage = "alpine:3.18.2";
+      dockerAllowedImages = [ dockerImage ];
+      dockerVolumes = [
+        "/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
+        "/nix/store:/nix/store:ro"
+        "/nix/var/nix/db:/nix/var/nix/db:ro"
+        "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+      ];
+      dockerDisableCache = true;
+      preBuildScript = pkgs.writeScript "setup-container" ''
+        mkdir -p -m 0755 /nix/var/log/nix/drvs
+        mkdir -p -m 0755 /nix/var/nix/gcroots
+        mkdir -p -m 0755 /nix/var/nix/profiles
+        mkdir -p -m 0755 /nix/var/nix/temproots
+        mkdir -p -m 0755 /nix/var/nix/userpool
+        mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+        mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+        mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+        mkdir -p -m 0700 "$HOME/.nix-defexpr"
 
-      . ${pkgs.nix}/etc/profile.d/nix.sh
+        . ${pkgs.nix}/etc/profile.d/nix.sh
 
-      ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
-    '';
-    environmentVariables = {
-      ENV = "/etc/profile";
-      USER = "root";
-      NIX_REMOTE = "daemon";
-      PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
-      NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+        ${pkgs.nix}/bin/nix-env -i ${
+          concatStringsSep " " (
+            with pkgs;
+            [
+              nix
+              cacert
+              git
+              openssh
+            ]
+          )
+        }
+      '';
+      environmentVariables = {
+        ENV = "/etc/profile";
+        USER = "root";
+        NIX_REMOTE = "daemon";
+        PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+        NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+      };
     };
-    tagList = [ "nix" ];
-  };
 }

system/gnome.nix

@@ -1,25 +1,47 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-{ config, pkgs, ... }: {
-  # Enable the X11 windowing system.
-  services.xserver.enable = true;
-  # Enable the GNOME Desktop Environment.
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
+{ pkgs, lib, ... }:
+{
+  services.xserver = {
+    enable = true;
+    desktopManager.gnome = {
+      enable = true;
+      # Enable VRR (Variable Refresh Rate)
+      extraGSettingsOverridePackages = with pkgs; [ gnome.mutter ];
+      extraGSettingsOverrides = ''
+        [org.gnome.mutter]
+        experimental-features=['variable-refresh-rate', 'scale-monitor-framebuffer']
+      '';
+    };
+    displayManager.gdm.enable = true;
+  };
 
-  services.xserver.displayManager.autoLogin = {
+  # Workaround for https://github.com/NixOS/nixpkgs/issues/103746
+  systemd.services."getty@tty1".enable = false;
+  systemd.services."autovt@tty1".enable = false;
+
+  services.displayManager.autoLogin = {
     enable = true;
     user = "lelgenio";
   };
 
-  # services.xserver.displayManager.autologin.user = "lelgenio";
-  environment.systemPackages = with pkgs; with gnome; [
-    gnome-tweaks
-    dconf-editor
+  programs.kdeconnect = {
+    enable = true;
+    package = pkgs.gnomeExtensions.gsconnect;
+  };
 
-    chrome-gnome-shell
-    gnomeExtensions.gsconnect
-    gnomeExtensions.quick-settings-audio-devices-hider
-  ];
+  hardware.opentabletdriver.enable = lib.mkForce false;
+
+  programs.gpaste.enable = true;
+
+  # services.xserver.displayManager.autologin.user = "lelgenio";
+  environment.systemPackages =
+    with pkgs;
+    with gnome;
+    [
+      gnome-tweaks
+      dconf-editor
+
+      chrome-gnome-shell
+      gnomeExtensions.quick-settings-audio-devices-hider
+      gnome-pass-search-provider
+    ];
 }

system/greetd.nix

@@ -1,6 +1,17 @@
-{ lib, pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 let
-  inherit (pkgs.uservars) key accent font theme desktop;
+  inherit (config.my)
+    key
+    accent
+    font
+    theme
+    desktop
+    ;
 
   cfg = config.login-manager.greetd;
 in
@@ -17,6 +28,7 @@ in
     # enable sway window manager
     programs.sway = {
       enable = true;
+      package = pkgs.mySway;
       wrapperFeatures.gtk = true;
     };
 
@@ -33,7 +45,6 @@ in
     services.greetd =
       let
         greetd_main_script = pkgs.writeShellScriptBin "main" ''
-          ${pkgs.dbus-sway-environment}/bin/dbus-sway-environment
           export XDG_CURRENT_DESKTOP=sway GTK_THEME="${theme.gtk_theme}" XCURSOR_THEME="${theme.cursor_theme}"
           ${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c ${desktop}
           swaymsg exit
@@ -59,7 +70,7 @@ in
         enable = true;
         settings = {
           initial_session = {
-            command = "${pkgs.sway}/bin/sway";
+            command = desktop;
             user = "lelgenio";
           };
           default_session = {

system/kde.nix

@@ -1,4 +1,5 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
+{
   # Enable the X11 windowing system.
   services.xserver.enable = true;
   # Enable the KDE Desktop Environment.

system/locale.nix

@@ -0,0 +1,13 @@
+{ pkgs, config, ... }:
+{
+  time.timeZone = "America/Sao_Paulo";
+  environment.variables.TZ = config.time.timeZone;
+  i18n.defaultLocale = "pt_BR.utf8";
+
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "colemak";
+  };
+  console.keyMap = "colemak";
+}

system/media-packages.nix

@@ -1,7 +1,14 @@
-{ config, pkgs, lib, ... }:
-let cfg = config.packages.media-packages;
-in {
-  options.packages.media-packages = {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.my.media-packages;
+in
+{
+  options.my.media-packages = {
     enable = lib.mkEnableOption "media packages";
   };
   config = lib.mkIf cfg.enable {
@@ -16,7 +23,8 @@ in {
       gimp
       inkscape
       krita
-      kdenlive
+      kdePackages.breeze
+      kdePackages.kdenlive
       pitivi
       blender-hip
       libreoffice