update niri config

niri: wip add niri
wpass: allow copying arbitrary keys
2026-03-04 00:39:51 -03:00 · 2026-03-03 23:40:33 -03:00 · 2026-03-03 23:26:25 -03:00 · 2026-03-03 23:19:35 -03:00 · 2026-03-03 23:19:13 -03:00 · 2026-03-03 23:17:23 -03:00
155 changed files with 3641 additions and 1836 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,2 @@
 flake.lock binary
 *.gpg binary
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,37 @@
 keys:
  - &lelgenio-gpg 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
  - &lelgenio-ssh age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
  - &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
  - &double-rainbow-ssh age1026d4c8nqyapcsy4jz57szt6zw3ejcgv3ecyvz0s89t7w7z964fqdqv52h
  - &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini|gpg)$
    key_groups:
    - pgp:
      - *lelgenio-gpg
      age:
      - *lelgenio-ssh
      - *monolith-ssh
  - path_regex: secrets/monolith/[^/]+\.(yaml|json|env|ini|gpg)$
    key_groups:
    - pgp:
      - *lelgenio-gpg
      age:
      - *lelgenio-ssh
      - *monolith-ssh
  - path_regex: secrets/double-rainbow/[^/]+\.(yaml|json|env|ini|gpg)$
    key_groups:
    - pgp:
      - *lelgenio-gpg
      age:
      - *lelgenio-ssh
      - *monolith-ssh
      - *double-rainbow-ssh
  - path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini|gpg)$
    key_groups:
    - pgp:
      - *lelgenio-gpg
      age:
      - *lelgenio-ssh
      - *phantom-ssh
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -1,10 +1,14 @@
 {
  description = "My system config";
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05";
+    nixpkgs.url = "nixpkgs/nixos-25.11";
-    home-manager.url = "github:nix-community/home-manager/release-24.05";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager/release-25.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    vpsadminos.url = "github:vpsfreecz/vpsadminos";
    nix-index-database = {
      url = "github:Mic92/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
@ -16,47 +20,60 @@
    plymouth-themes.url = "github:adi1090x/plymouth-themes";
    plymouth-themes.flake = false;
-    agenix = {
+    sops-nix = {
-      url = "github:ryantm/agenix";
+      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
    nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.11";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs-24_05.follows = "nixpkgs";
    };
-    dzgui-nix = {
+    dzgui-nix.url = "github:lelgenio/dzgui-nix";
      url = "github:lelgenio/dzgui-nix/dzgui-4.1.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    tlauncher = {
-      url = "git+https://git.lelgenio.xyz/lelgenio/tlauncher-nix";
+      url = "git+https://git.lelgenio.com/lelgenio/tlauncher-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    disko.url = "github:nix-community/disko";
+    lsfg-vk-flake = {
-    disko.inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:pabloaul/lsfg-vk-flake";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    treefmt-nix.url = "github:numtide/treefmt-nix";
    # my stuff
-    dhist = {
+    dhist.url = "github:lelgenio/dhist";
-      url = "github:lelgenio/dhist";
+    demoji.url = "github:lelgenio/demoji";
-      inputs.nixpkgs.follows = "nixpkgs";
+    wl-crosshair.url = "github:lelgenio/wl-crosshair";
    warthunder-leak-counter.url = "git+https://git.lelgenio.com/lelgenio/warthunder-leak-counter";
    made-you-look.url = "git+https://git.lelgenio.com/lelgenio/made-you-look";
    contador-da-viagem = {
      url = "git+https://git.lelgenio.com/lelgenio/contador-da-viagem";
      flake = false;
    };
-    demoji = {
+    catboy-spinner = {
-      url = "github:lelgenio/demoji";
+      url = "git+https://git.lelgenio.com/lelgenio/catboy-spinner";
-      inputs.nixpkgs.follows = "nixpkgs";
+      flake = false;
    };
-    wl-crosshair = {
+    tomater = {
-      url = "github:lelgenio/wl-crosshair";
+      url = "git+https://git.lelgenio.com/lelgenio/tomater";
-      inputs.nixpkgs.follows = "nixpkgs";
+      flake = false;
    };
-    warthunder-leak-counter = {
+    youre-wrong = {
-      url = "git+https://git.lelgenio.com/lelgenio/warthunder-leak-counter";
+      url = "git+https://git.lelgenio.com/lelgenio/youre-wrong";
-      inputs.nixpkgs.follows = "nixpkgs";
+      flake = false;
    };
    hello-fonts = {
      url = "git+https://git.lelgenio.com/lelgenio/hello-fonts";
      flake = false;
    };
    niri-flake = {
@ -86,40 +103,19 @@
      specialArgs = {
        inherit inputs;
        self = inputs.self;
      };
-      common_modules =
+      common_modules = [
        [
        { nixpkgs.pkgs = pkgs; }
          inputs.niri-flake.nixosModules.niri
          {
            programs.niri.enable = true;
            niri-flake.cache.enable = true;
            environment.systemPackages = with pkgs; [ fuzzel ];
          }
        ./system/configuration.nix
          ./system/secrets.nix
          ./system/greetd.nix
          { login-manager.greetd.enable = desktop == "sway"; }
          inputs.agenix.nixosModules.default
          inputs.dzgui-nix.nixosModules.default
          inputs.home-manager.nixosModules.home-manager
          inputs.disko.nixosModules.disko
        {
-            home-manager.useGlobalPkgs = true;
+          login-manager.greetd.enable = desktop == "sway" || desktop == "niri";
-            home-manager.useUserPackages = true;
+          my.gnome.enable = desktop == "gnome";
-            home-manager.users.lelgenio = import ./user/home.nix;
+          my.kde.enable = desktop == "kde";
            home-manager.backupFileExtension = "bkp";
            # Optionally, use home-manager.extraSpecialArgs to pass
            # arguments to home.nix
            home-manager.extraSpecialArgs = {
              inherit inputs;
            };
        }
-        ]
+
-        ++ lib.optional (desktop == "gnome") ./system/gnome.nix
+        { home-manager.extraSpecialArgs = specialArgs; }
-        ++ lib.optional (desktop == "kde") ./system/kde.nix;
+      ];
    in
    {
      checks."${system}" = {
@ -127,49 +123,33 @@
      };
      nixosConfigurations = {
        i15 = lib.nixosSystem {
-          inherit system specialArgs;
+          inherit specialArgs;
-          modules = [ ./hosts/i15 ] ++ common_modules;
+          modules = common_modules ++ [ ./hosts/i15 ];
        };
        monolith = lib.nixosSystem {
-          inherit system specialArgs;
+          inherit specialArgs;
-          modules = [
+          modules = common_modules ++ [
            ./hosts/monolith
-            ./system/monolith-gitlab-runner.nix
+          ];
            ./system/monolith-forgejo-runner.nix
            ./system/nix-serve.nix
            ./system/steam.nix
          ] ++ common_modules;
        };
        rainbow = lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            ./hosts/rainbow
            ./system/rainbow-gitlab-runner.nix
          ] ++ common_modules;
        };
        double-rainbow = lib.nixosSystem {
-          inherit system specialArgs;
+          inherit specialArgs;
-          modules = [
+          modules = common_modules ++ [
-            ./hosts/double-rainbow.nix
+            ./hosts/double-rainbow
-            ./system/rainbow-gitlab-runner.nix
+          ];
          ] ++ common_modules;
        };
        pixie = lib.nixosSystem {
-          inherit system specialArgs;
+          inherit specialArgs;
-          modules =
+          modules = common_modules ++ [
-            [ ./hosts/pixie.nix ]
+            ./hosts/pixie.nix
            ++ common_modules
            ++ [
              {
                packages.media-packages.enable = lib.mkOverride 0 false;
                programs.steam.enable = lib.mkOverride 0 false;
                services.flatpak.enable = lib.mkOverride 0 false;
              }
          ];
        };
        phantom = lib.nixosSystem {
-          inherit system specialArgs;
+          inherit specialArgs;
-          modules = [ ./hosts/phantom ];
+          modules = [
            { nixpkgs.pkgs = pkgs; }
            ./hosts/phantom
          ];
        };
      };
@ -186,6 +166,7 @@
      packages.${system} = pkgs // packages;
-      formatter.${system} = pkgs.nixfmt-rfc-style;
+      # formatter.${system} = pkgs.nixfmt-rfc-style;
      formatter.${system} = (inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix).config.build.wrapper;
    };
 }
--- a/hosts/double-rainbow/default.nix
+++ b/hosts/double-rainbow/default.nix
@ -17,7 +17,13 @@ let
  ];
 in
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    ./gitlab-runner.nix
    ./nebula-vpn.nix
  ];
  my.nix-ld.enable = true;
  boot.initrd.availableKernelModules = [
    "xhci_pci"
@ -37,14 +43,15 @@ in
    options = [ "subvol=@" ] ++ btrfs_options ++ btrfs_ssd;
  };
-  boot.initrd.luks.devices."luks-d6573cf8-25f0-4ffc-8046-ac3a4db1e964".device = "/dev/disk/by-uuid/d6573cf8-25f0-4ffc-8046-ac3a4db1e964";
+  boot.initrd.luks.devices."luks-d6573cf8-25f0-4ffc-8046-ac3a4db1e964".device =
    "/dev/disk/by-uuid/d6573cf8-25f0-4ffc-8046-ac3a4db1e964";
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/97EB-7DB5";
    fsType = "vfat";
  };
-  swapDevices = [ ];
+  swapDevices = [ { device = "/swapfile"; } ];
  services.udev.extraRules = ''
    # Force all disks to use mq-deadline scheduler
--- a/hosts/double-rainbow/gitlab-runner.nix
+++ b/hosts/double-rainbow/gitlab-runner.nix
@ -0,0 +1,36 @@
 {
  config,
  pkgs,
  ...
 }:
 let
  inherit (pkgs.callPackage ../../system/gitlab-runner.nix { }) mkNixRunnerFull;
 in
 {
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  virtualisation.docker.enable = true;
  services.gitlab-runner = {
    enable = true;
    settings.concurrent = 4;
    services = {
      wopus-gitlab-nix = mkNixRunnerFull {
        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
        # nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
        # nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
      };
    };
  };
  systemd.services.gitlab-runner.serviceConfig.Nice = 10;
  sops.secrets = {
    "gitlab-runners/wopus-gitlab-nix" = {
      sopsFile = ../../secrets/double-rainbow/default.yaml;
    };
    "gitlab-runners/wopus-ssh-nix-cache-pk" = {
      sopsFile = ../../secrets/double-rainbow/default.yaml;
    };
    "gitlab-runners/wopus-ssh-nix-cache-pub" = {
      sopsFile = ../../secrets/double-rainbow/default.yaml;
    };
  };
 }
--- a/hosts/double-rainbow/nebula-vpn.nix
+++ b/hosts/double-rainbow/nebula-vpn.nix
@ -0,0 +1,51 @@
 { pkgs, config, ... }:
 let
  s = config.sops.secrets;
  secretConfig = {
    owner = "nebula-wopus";
    group = "nebula-wopus";
    restartUnits = [ "nebula@wopus.service" ];
    sopsFile = ../../secrets/double-rainbow/default.yaml;
  };
 in
 {
  environment.systemPackages = with pkgs; [ nebula ];
  services.nebula.networks.wopus = {
    enable = true;
    isLighthouse = false;
    lighthouses = [ "192.168.88.1" ];
    settings = {
      cipher = "aes";
    };
    cert = s."nebula-wopus-vpn/double-rainbow-crt".path;
    key = s."nebula-wopus-vpn/double-rainbow-key".path;
    ca = s."nebula-wopus-vpn/ca-crt".path;
    staticHostMap = {
      "192.168.88.1" = [
        "neubla-vpn.wopus.dev:4242"
      ];
    };
    firewall.outbound = [
      {
        host = "any";
        port = "any";
        proto = "any";
      }
    ];
    firewall.inbound = [
      {
        host = "any";
        port = "any";
        proto = "any";
      }
    ];
  };
  sops.secrets = {
    "nebula-wopus-vpn/ca-crt" = secretConfig;
    "nebula-wopus-vpn/double-rainbow-crt" = secretConfig;
    "nebula-wopus-vpn/double-rainbow-key" = secretConfig;
  };
 }
--- a/hosts/monolith/amdgpu.nix
+++ b/hosts/monolith/amdgpu.nix
@ -0,0 +1,23 @@
 { pkgs, ... }:
 {
  boot.initrd.kernelModules = [ "amdgpu" ];
  boot.kernelParams = [
    "video=DP-1:1920x1080@144"
  ];
  # hardware.amdgpu = {
  #   overdrive = {
  #     enable = true;
  #     ppfeaturemask = "0xffffffff";
  #   };
  # };
  hardware.graphics.package = pkgs.unstable.mesa; # Mesa 26 at the time
  hardware.graphics.enable32Bit = true;
  hardware.graphics.extraPackages = with pkgs; [
    # libva needs to match `hardware.graphics.package`
    unstable.libva
  ];
 }
--- a/hosts/monolith/default.nix
+++ b/hosts/monolith/default.nix
@ -23,7 +23,12 @@ in
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    ./partition.nix
-    ./undervolt.nix
+    ./amdgpu.nix
    ./factorio-server.nix
    ./nebula-vpn.nix
    ./minio.nix
    ./monolith-forgejo-runner.nix
    ./monolith-gitlab-runner.nix
  ];
  boot.initrd.availableKernelModules = [
    "nvme"
@ -34,37 +39,39 @@ in
    "sd_mod"
  ];
-  hardware.opentabletdriver.enable = true;
+  hardware.opentabletdriver = {
    enable = true;
    # TODO: remove this once otd gets updated
    package = pkgs.unstable.opentabletdriver;
  };
  sops.defaultSopsFile = lib.mkForce ../../secrets/monolith/default.yaml;
  my.gaming.enable = true;
  my.nix-ld.enable = true;
  systemd.slices."system" = {
    enable = true;
    sliceConfig = {
      # 50% maximum usage accross 8 cores
      CPUQuota = "${toString (8 * 50)}%";
    };
  };
  boot.extraModulePackages = with config.boot.kernelPackages; [ zenpower ];
  boot.initrd.kernelModules = [ "amdgpu" ];
  boot.kernelModules = [
    "kvm-amd"
    "amdgpu"
    "zenpower"
  ];
-  boot.kernelParams = [
+
    "amdgpu.dcdebugmask=0x10" # amdgpu undervolting bug
    "video=DP-1:1920x1080@144"
  ];
  systemd.sleep.extraConfig = ''
    HibernateDelaySec=30s
    SuspendState=mem
  '';
  hardware.opengl.driSupport = true;
  # # For 32 bit applications
  hardware.opengl.driSupport32Bit = true;
  hardware.opengl.extraPackages = with pkgs; [
    libva
    libvdpau
    vaapiVdpau
    rocm-opencl-icd
    rocm-opencl-runtime
    rocmPackages.rocm-smi
  ];
  fileSystems."/mnt/old" = {
    device = "/dev/disk/by-label/BTRFS_ROOT";
    fsType = "btrfs";
@ -101,7 +108,8 @@ in
    options = [
      "subvol=@games"
      "nofail"
-    ] ++ btrfs_options;
+    ]
    ++ btrfs_options;
  };
  fileSystems."/home/lelgenio/Downloads/Torrents" = {
    device = "/dev/disk/by-label/BTRFS_DATA";
@ -109,7 +117,8 @@ in
    options = [
      "subvol=@torrents"
      "nofail"
-    ] ++ btrfs_options;
+    ]
    ++ btrfs_options;
  };
  fileSystems."/home/lelgenio/Música" = {
    device = "/dev/disk/by-label/BTRFS_DATA";
@ -117,7 +126,8 @@ in
    options = [
      "subvol=@music"
      "nofail"
-    ] ++ btrfs_options;
+    ]
    ++ btrfs_options;
  };
  fileSystems."/home/lelgenio/.local/mount/data" = {
    device = "/dev/disk/by-label/BTRFS_DATA";
@ -125,7 +135,8 @@ in
    options = [
      "subvol=@data"
      "nofail"
-    ] ++ btrfs_options;
+    ]
    ++ btrfs_options;
  };
  fileSystems."/home/lelgenio/.local/mount/old" = {
    device = "/dev/disk/by-label/BTRFS_ROOT";
@ -149,9 +160,9 @@ in
    # Fix broken suspend with Logitech USB dongle
    # `lsusb | grep Logitech` will return "vendor:product"
    ACTION=="add" SUBSYSTEM=="usb" ATTR{idVendor}=="046d" ATTR{idProduct}=="c547" ATTR{power/wakeup}="disabled"
-    # Force all disks to use mq-deadline scheduler
+    # Force all disks to use kyber scheduler
    # For some reason "noop" is used by default which is kinda bad when io is saturated
-    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/scheduler}="mq-deadline"
+    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/scheduler}="kyber"
  '';
  boot.tmp = {
--- a/hosts/monolith/factorio-server.nix
+++ b/hosts/monolith/factorio-server.nix
@ -0,0 +1,65 @@
 {
  config,
  pkgs,
  ...
 }:
 let
  mkBackup = time: {
    systemd.services."factorio-backup-save-${time}" = {
      description = "Backup factorio saves";
      script = ''
        set -exuo pipefail
        FILENAME="space-age-$(date --iso=seconds | tr ':' '_').zip"
        DEST_DIR=~lelgenio/Documentos/GameSaves/factorio_saves/space-age-1/${time}
        mkdir -p "$DEST_DIR"
        cp /var/lib/factorio/saves/default.zip "$DEST_DIR"/$FILENAME
        chown lelgenio "$DEST_DIR" "$DEST_DIR"/$FILENAME
        # list all files, from oldest to newest
        # remove the last 10 from the list
        # delete the rest
        cd "$DEST_DIR"
        ls | head -n-10 | xargs -r rm -v
      '';
      serviceConfig.Type = "oneshot";
    };
    systemd.timers."factorio-backup-save-${time}" = {
      timerConfig = {
        # Systemd accepts descriptive names such as "daily"
        # The times are at midnight, Persistent makes sure that the backups get executed
        OnCalendar = time;
        Persistent = true;
        Unit = "factorio-backup-save-${time}.service";
      };
      wantedBy = [ "timers.target" ];
    };
  };
 in
 {
  imports = [
    (mkBackup "daily")
    (mkBackup "monthly")
  ];
  services.factorio = {
    enable = true;
    package = pkgs.my-factorio-headless;
    public = true;
    lan = true;
    openFirewall = true;
    admins = [ "lelgenio" ];
    extraSettingsFile = config.sops.secrets."factorio/server-config.json".path;
  };
  systemd.services.factorio = {
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
  };
  sops.secrets."factorio/server-config.json" = {
    mode = "777";
  };
 }
--- a/hosts/monolith/minio.nix
+++ b/hosts/monolith/minio.nix
@ -0,0 +1,43 @@
 {
  pkgs,
  config,
  lib,
  ...
 }:
 let
  s = config.sops.secrets;
  dataDir = "/var/lib/minio";
  s3Port = 14749;
  consolePort = 10601;
  secretConfig = {
    owner = "minio";
    group = "minio";
    restartUnits = [ "minio.service" ];
    sopsFile = ../../secrets/monolith/default.yaml;
  };
 in
 {
  services.minio = {
    enable = true;
    dataDir = [ dataDir ];
    listenAddress = "0.0.0.0:${toString s3Port}";
    consoleAddress = "127.0.0.1:${toString consolePort}";
    rootCredentialsFile = config.sops.secrets."minio/root-credentials".path;
  };
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 minio minio -"
  ];
  networking.firewall.allowedTCPPorts = [ s3Port ];
  sops.secrets = {
    "minio/root-credentials" = secretConfig;
  };
 }
--- a/hosts/monolith/monolith-forgejo-runner.nix
+++ b/hosts/monolith/monolith-forgejo-runner.nix
@ -1,12 +1,12 @@
 { pkgs, config, ... }:
 {
  services.gitea-actions-runner = {
-    package = pkgs.forgejo-actions-runner;
+    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = "monolith";
      url = "https://git.lelgenio.com";
-      tokenFile = config.age.secrets.monolith-forgejo-runner-token.path;
+      tokenFile = config.sops.secrets."forgejo-runners/git.lelgenio.com-default".path;
      labels = [
        # provide a debian base with nodejs for actions
        "debian-latest:docker://node:18-bullseye"
@ -17,4 +17,6 @@
      ];
    };
  };
  sops.secrets."forgejo-runners/git.lelgenio.com-default" = { };
 }
--- a/hosts/monolith/monolith-gitlab-runner.nix
+++ b/hosts/monolith/monolith-gitlab-runner.nix
@ -0,0 +1,51 @@
 {
  config,
  pkgs,
  inputs,
  ...
 }:
 let
  inherit (pkgs.callPackage ../../system/gitlab-runner.nix { inherit inputs; })
    mkNixRunner
    mkNixRunnerFull
    ;
 in
 {
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  virtualisation.docker.enable = true;
  services.gitlab-runner = {
    enable = true;
    settings.concurrent = 8;
    services = {
      # runner for building in docker via host's nix-daemon
      # nix store will be readable in runner, might be insecure
      thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path;
      thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path;
      wopus-gitlab-nix = mkNixRunnerFull {
        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
        # nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
        # nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
      };
      default = {
        # File should contain at least these two variables:
        # `CI_SERVER_URL`
        # `CI_SERVER_TOKEN`
        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/docker-images-token".path;
        dockerImage = "debian:stable";
        dockerPullPolicy = "if-not-present";
      };
    };
  };
  systemd.services.gitlab-runner.serviceConfig.Nice = 10;
  sops.secrets = {
    "gitlab-runners/thoreb-telemetria-nix" = { };
    "gitlab-runners/thoreb-itinerario-nix" = { };
    "gitlab-runners/docker-images-token" = { };
    "gitlab-runners/wopus-gitlab-nix" = { };
    "gitlab-runners/wopus-ssh-nix-cache-pk" = { };
    "gitlab-runners/wopus-ssh-nix-cache-pub" = { };
  };
 }
--- a/hosts/monolith/nebula-vpn.nix
+++ b/hosts/monolith/nebula-vpn.nix
@ -0,0 +1,53 @@
 { pkgs, config, ... }:
 let
  s = config.sops.secrets;
  secretConfig = {
    owner = "nebula-wopus";
    group = "nebula-wopus";
    restartUnits = [ "nebula@wopus.service" ];
    sopsFile = ../../secrets/monolith/default.yaml;
  };
 in
 {
  environment.systemPackages = with pkgs; [ nebula ];
  services.nebula.networks.wopus = {
    enable = true;
    isLighthouse = false;
    lighthouses = [
      "192.168.88.3"
    ];
    settings = {
      cipher = "aes";
    };
    cert = s."nebula-wopus-vpn/monolith-crt".path;
    key = s."nebula-wopus-vpn/monolith-key".path;
    ca = s."nebula-wopus-vpn/ca-crt".path;
    staticHostMap = {
      "192.168.88.3" = [
        "72.60.60.221:4242"
      ];
    };
    firewall.outbound = [
      {
        host = "any";
        port = "any";
        proto = "any";
      }
    ];
    firewall.inbound = [
      {
        host = "any";
        port = "any";
        proto = "any";
      }
    ];
  };
  sops.secrets = {
    "nebula-wopus-vpn/ca-crt" = secretConfig;
    "nebula-wopus-vpn/monolith-crt" = secretConfig;
    "nebula-wopus-vpn/monolith-key" = secretConfig;
  };
 }
--- a/hosts/monolith/undervolt.nix
+++ b/hosts/monolith/undervolt.nix
@ -1,18 +0,0 @@
 { pkgs, ... }:
 let
  undervoltGpu = pkgs.writeShellScript "undervolt-gpu" ''
    set -xe
    cd $1
    echo "manual" > power_dpm_force_performance_level
    echo "1" > pp_power_profile_mode
    test -e pp_od_clk_voltage
    echo "vo -100" > pp_od_clk_voltage
    echo "c" > pp_od_clk_voltage
  '';
 in
 {
  boot.kernelParams = [ "amdgpu.ppfeaturemask=0xfffd7fff" ];
  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="hwmon", ATTR{name}=="amdgpu", ATTR{power1_cap}="186000000", RUN+="${undervoltGpu} %S%p/device"
  '';
 }
--- a/hosts/phantom/default.nix
+++ b/hosts/phantom/default.nix
@ -2,15 +2,19 @@
  config,
  pkgs,
  inputs,
  lib,
  ...
 }:
 {
  imports = [
-    ./vpsadminos.nix
+    inputs.vpsadminos.nixosConfigurations.container
-    inputs.agenix.nixosModules.default
+    inputs.sops-nix.nixosModules.default
    ../../system/sops.nix
    ../../system/nix.nix
    ./hardware-config.nix
    ./mastodon.nix
    ./lemmy.nix
    ./nextcloud.nix
    ./nginx.nix
    ./syncthing.nix
@ -18,9 +22,9 @@
    ./writefreely.nix
    ./email.nix
    ./forgejo.nix
    ./warthunder-leak-counter.nix
    ./invidious.nix
    ./davi.nix
    ./goofs.nix
  ];
  networking.hostName = "phantom";
@ -48,12 +52,29 @@
  # Set your time zone.
  time.timeZone = "America/Sao_Paulo";
  # Select internationalisation properties.
-  i18n.defaultLocale = "pt_BR.utf8";
+  i18n.defaultLocale = "pt_BR.UTF-8";
  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
-  age = {
+  sops = {
-    identityPaths = [ "/root/.ssh/id_rsa" ];
+    secrets.hello = { };
    defaultSopsFile = lib.mkForce ../../secrets/phantom/default.yaml;
  };
  environment.etc."teste-sops" = {
    text = config.sops.secrets.hello.path;
  };
  virtualisation.docker = {
    enable = true;
    daemon.settings = {
      # needed by bitbucket runner ???
      log-driver = "json-file";
      log-opts = {
        max-size = "10m";
        max-file = "3";
      };
    };
  };
  nix.settings = {
@ -61,19 +82,6 @@
    max-jobs = 1;
  };
  system.autoUpgrade = {
    enable = true;
    dates = "04:40";
    operation = "switch";
    flags = [
      "--update-input"
      "nixpkgs"
      "--no-write-lock-file"
      "--print-build-logs"
    ];
    flake = "git+https://git.lelgenio.com/lelgenio/nixos-config#phantom";
  };
  networking.firewall.allowedTCPPorts = [ 8745 ];
  system.stateVersion = "23.05"; # Never change this
--- a/hosts/phantom/email.nix
+++ b/hosts/phantom/email.nix
@ -36,12 +36,16 @@
        hashedPassword = "$2b$05$DcA9xMdvHqqQMZw2.zybI.vfKsQAJtaQ/JB.t9AHu6psstWq97m2C";
      };
    };
    enableManageSieve = true;
    stateVersion = 3;
  };
  # Prefer ipv4 and use main ipv6 to avoid reverse DNS issues
-  services.postfix.extraConfig = ''
+  services.postfix.settings.main = {
-    smtp_address_preference = ipv4
+    smtp_address_preference = "ipv4";
-  '';
+  };
  # Webmail
  services.roundcube = {
@ -52,7 +56,7 @@
      $config['smtp_host'] = "tls://${config.mailserver.fqdn}:587";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
-      $config['plugins'] = [ "carddav", "archive" ];
+      $config['plugins'] = [ "carddav", "archive", "managesieve" ];
    '';
  };
 }
--- a/hosts/phantom/forgejo.nix
+++ b/hosts/phantom/forgejo.nix
@ -27,6 +27,9 @@ in
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };
      repository = {
        ENABLE_PUSH_CREATE_USER = true;
      };
      server = {
        DOMAIN = "git.lelgenio.com";
        HTTP_PORT = 3000;
@ -39,11 +42,10 @@ in
        USER = "noreply@git.lelgenio.com";
      };
    };
-    mailerPasswordFile = config.age.secrets.phantom-forgejo-mailer-password.path;
+    secrets.mailer.PASSWD = config.sops.secrets."forgejo/smtp_password".path;
  };
-  age.secrets.phantom-forgejo-mailer-password = {
+  sops.secrets."forgejo/smtp_password" = {
    file = ../../secrets/phantom-forgejo-mailer-password.age;
    mode = "400";
    owner = "forgejo";
  };
--- a/hosts/phantom/goofs.nix
+++ b/hosts/phantom/goofs.nix
@ -0,0 +1,51 @@
 { inputs, config, ... }:
 {
  imports = [
    inputs.warthunder-leak-counter.nixosModules.default
    inputs.made-you-look.nixosModules.default
  ];
  services.warthunder-leak-counter.enable = true;
  services.nginx.virtualHosts."warthunder-leak-counter.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.warthunder-leak-counter.port}";
    };
  };
  services.made-you-look.enable = true;
  services.nginx.virtualHosts."coolest-thing-ever.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.made-you-look.port}";
    };
  };
  services.nginx.virtualHosts."catboy-spinner.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
    root = inputs.catboy-spinner;
  };
  services.nginx.virtualHosts."tomater.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
    root = inputs.tomater;
  };
  services.nginx.virtualHosts."youre-wrong.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
    root = inputs.youre-wrong;
  };
  services.nginx.virtualHosts."hello-fonts.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
    root = inputs.hello-fonts;
  };
  services.nginx.virtualHosts."contador-da-viagem.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
    root = inputs.contador-da-viagem;
  };
 }
--- a/hosts/phantom/hardware-config.nix
+++ b/hosts/phantom/hardware-config.nix
@ -1,10 +1,15 @@
 {
-  config,
+  fileSystems."/var/lib/syncthing-data" = {
-  pkgs,
+    device = "172.16.130.7:/nas/5749/syncthinng_data";
-  inputs,
+    fsType = "nfs";
-  ...
+    options = [ "nofail" ];
-}:
+  };
-{
+  fileSystems."/var/lib/mastodon" = {
    device = "172.16.131.19:/nas/5749/mastodon";
    fsType = "nfs";
    options = [ "nofail" ];
  };
  swapDevices = [
    {
      device = "/swap/swapfile";
--- a/hosts/phantom/invidious.nix
+++ b/hosts/phantom/invidious.nix
@ -1,12 +1,39 @@
 {
  inputs,
  pkgs,
  config,
  ...
 }:
 {
  # Replace with unstable, since 24.05 does not have sig-helper
  disabledModules = [ "services/web-apps/invidious.nix" ];
  imports = [ (inputs.nixpkgs-unstable + "/nixos/modules/services/web-apps/invidious.nix") ];
  services.invidious = {
    enable = true;
    domain = "invidious.lelgenio.com";
    nginx.enable = true;
    port = 10601;
-    settings.db = {
+    http3-ytproxy.enable = true;
    sig-helper = {
      enable = true;
      package = pkgs.unstable.inv-sig-helper;
    };
    # {
    #     "visitor_data": "...",
    #     "po_token": "..."
    # }
    extraSettingsFile = config.sops.secrets."invidious/settings.json".path;
    settings = {
      force_resolve = "ipv6";
      db = {
        user = "invidious";
        dbname = "invidious";
      };
    };
  };
  sops.secrets."invidious/settings.json" = {
    mode = "666";
  };
 }
--- a/hosts/phantom/lemmy.nix
+++ b/hosts/phantom/lemmy.nix
@ -0,0 +1,18 @@
 { pkgs, ... }:
 {
  services.lemmy = {
    enable = true;
    settings = {
      hostname = "lemmy.lelgenio.com";
    };
    database.createLocally = true;
    nginx.enable = true;
  };
  services.pict-rs.package = pkgs.pict-rs;
  services.nginx.virtualHosts."lemmy.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
  };
 }
--- a/hosts/phantom/mastodon.nix
+++ b/hosts/phantom/mastodon.nix
@ -14,15 +14,14 @@
      host = "lelgenio.com";
      fromAddress = "noreply@social.lelgenio.com";
      user = "noreply@social.lelgenio.com";
-      passwordFile = config.age.secrets.phantom-mastodon-mailer-password.path;
+      passwordFile = config.sops.secrets."mastodon/smtp-password".path;
    };
    streamingProcesses = 2;
    extraConfig.SINGLE_USER_MODE = "true";
    mediaAutoRemove.olderThanDays = 5;
  };
-  age.secrets.phantom-mastodon-mailer-password = {
+  sops.secrets."mastodon/smtp-password" = {
    file = ../../secrets/phantom-mastodon-mailer-password.age;
    mode = "400";
    owner = "mastodon";
  };
--- a/hosts/phantom/nextcloud.nix
+++ b/hosts/phantom/nextcloud.nix
@ -1,17 +1,17 @@
 {
  config,
  pkgs,
  inputs,
  ...
 }:
 {
  services.nextcloud = {
    enable = true;
-    package = pkgs.nextcloud29;
+    package = pkgs.nextcloud32;
    hostName = "cloud.lelgenio.com";
    https = true;
    config = {
-      adminpassFile = config.age.secrets.phantom-nextcloud.path;
+      dbtype = "sqlite"; # TODO: move to single postgres db
      adminpassFile = config.sops.secrets."nextcloud/default-password".path;
    };
  };
@ -20,12 +20,9 @@
    enableACME = true;
  };
-  age = {
+  sops.secrets."nextcloud/default-password" = {
    secrets.phantom-nextcloud = {
      file = ../../secrets/phantom-nextcloud.age;
    mode = "400";
    owner = "nextcloud";
    group = "nextcloud";
  };
  };
 }
--- a/hosts/phantom/syncthing.nix
+++ b/hosts/phantom/syncthing.nix
@ -11,6 +11,10 @@
    dataDir = "/var/lib/syncthing-data";
    guiAddress = "0.0.0.0:8384";
    openDefaultPorts = true;
    guiPasswordFile = config.sops.secrets."syncthing/password".path;
    settings.gui = {
      user = "lelgenio";
    };
  };
  services.nginx.virtualHosts."syncthing.lelgenio.com" = {
@ -26,4 +30,10 @@
          "proxy_pass_header Authorization;";
    };
  };
  sops.secrets."syncthing/password" = {
    mode = "400";
    owner = "syncthing";
    group = "syncthing";
  };
 }
--- a/hosts/phantom/vpsadminos.nix
+++ b/hosts/phantom/vpsadminos.nix
@ -1,76 +0,0 @@
 # This file provides compatibility for NixOS to run in a container on vpsAdminOS
 # hosts.
 #
 # If you're experiencing issues, try updating this file to the latest version
 # from vpsAdminOS repository:
 #
 #   https://github.com/vpsfreecz/vpsadminos/blob/staging/os/lib/nixos-container/vpsadminos.nix
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib;
 let
  nameservers = [
    "1.1.1.1"
    "2606:4700:4700::1111"
  ];
 in
 {
  networking.nameservers = mkDefault nameservers;
  services.resolved = mkDefault { fallbackDns = nameservers; };
  networking.dhcpcd.extraConfig = "noipv4ll";
  systemd.services.systemd-sysctl.enable = false;
  systemd.services.systemd-oomd.enable = false;
  systemd.sockets."systemd-journald-audit".enable = false;
  systemd.mounts = [
    {
      where = "/sys/kernel/debug";
      enable = false;
    }
  ];
  systemd.services.rpc-gssd.enable = false;
  # Due to our restrictions in /sys, the default systemd-udev-trigger fails
  # on accessing PCI devices, etc. Override it to match only network devices.
  # In addition, boot.isContainer prevents systemd-udev-trigger.service from
  # being enabled at all, so add it explicitly.
  systemd.additionalUpstreamSystemUnits = [ "systemd-udev-trigger.service" ];
  systemd.services.systemd-udev-trigger.serviceConfig.ExecStart = [
    ""
    "-udevadm trigger --subsystem-match=net --action=add"
  ];
  boot.isContainer = true;
  boot.enableContainers = mkDefault true;
  boot.loader.initScript.enable = true;
  boot.specialFileSystems."/run/keys".fsType = mkForce "tmpfs";
  boot.systemdExecutable = mkDefault "/run/current-system/systemd/lib/systemd/systemd systemd.unified_cgroup_hierarchy=0";
  # Overrides for <nixpkgs/nixos/modules/virtualisation/container-config.nix>
  documentation.enable = mkOverride 500 true;
  documentation.nixos.enable = mkOverride 500 true;
  networking.useHostResolvConf = mkOverride 500 false;
  services.openssh.startWhenNeeded = mkOverride 500 false;
  # Bring up the network, /ifcfg.{add,del} are supplied by the vpsAdminOS host
  systemd.services.networking-setup = {
    description = "Load network configuration provided by the vpsAdminOS host";
    before = [ "network.target" ];
    wantedBy = [ "network.target" ];
    after = [ "network-pre.target" ];
    path = [ pkgs.iproute2 ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.bash}/bin/bash /ifcfg.add";
      ExecStop = "${pkgs.bash}/bin/bash /ifcfg.del";
    };
    unitConfig.ConditionPathExists = "/ifcfg.add";
    restartIfChanged = false;
  };
 }
--- a/hosts/phantom/warthunder-leak-counter.nix
+++ b/hosts/phantom/warthunder-leak-counter.nix
@ -1,19 +0,0 @@
 {
  inputs,
  pkgs,
  config,
  ...
 }:
 {
  imports = [ inputs.warthunder-leak-counter.nixosModules.default ];
  services.warthunder-leak-counter.enable = true;
  services.nginx.virtualHosts."warthunder-leak-counter.lelgenio.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.warthunder-leak-counter.port}";
    };
  };
 }
--- a/hosts/phantom/writefreely.nix
+++ b/hosts/phantom/writefreely.nix
@ -12,19 +12,16 @@
    nginx.forceSSL = true;
    host = "blog.lelgenio.com";
    admin.name = "lelgenio";
-    admin.initialPasswordFile = config.age.secrets.phantom-writefreely.path;
+    admin.initialPasswordFile = config.sops.secrets."writefreely/password".path;
    settings.app = {
      site_name = "Leo's blog";
      single_user = true;
    };
  };
-  age = {
+  sops.secrets."writefreely/password" = {
    secrets.phantom-writefreely = {
      file = ../../secrets/phantom-writefreely.age;
    mode = "400";
    owner = "writefreely";
    group = "writefreely";
  };
  };
 }
--- a/hosts/pixie/default.nix
+++ b/hosts/pixie/default.nix
@ -12,6 +12,9 @@
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  packages.media-packages.enable = lib.mkOverride 0 false;
  services.flatpak.enable = lib.mkOverride 0 false;
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
--- a/hosts/rainbow/default.nix
+++ b/hosts/rainbow/default.nix
@ -1,85 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 let
  btrfs_options = [
    "compress=zstd:3"
    "noatime"
    "x-systemd.device-timeout=0"
  ];
  btrfs_ssd = [
    "ssd"
    "discard=async"
  ];
 in
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "i915" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/BTRFS_ROOT";
    fsType = "btrfs";
    options = [ "subvol=@nixos" ] ++ btrfs_options ++ btrfs_ssd;
  };
  boot.initrd.luks.devices = {
    "main" = {
      bypassWorkqueues = true;
      device = "/dev/disk/by-label/CRYPT_ROOT";
    };
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-label/BTRFS_ROOT";
    fsType = "btrfs";
    options = [ "subvol=@home" ] ++ btrfs_options ++ btrfs_ssd;
  };
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
  fileSystems."/boot/efi" = {
    device = "/dev/disk/by-uuid/DC3B-5753";
    fsType = "vfat";
  };
  fileSystems."/swap" = {
    device = "/dev/disk/by-label/BTRFS_ROOT";
    fsType = "btrfs";
    options = [ "subvol=@swap" ] ++ btrfs_ssd;
  };
  swapDevices = [
    {
      device = "/swap/swapfile";
      size = (1024 * 8);
    }
  ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  networking.hostName = "rainbow"; # Define your hostname.
 }
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -2,6 +2,7 @@
 rec {
  all = [
    scripts
    unstable
    themes
    new-packages
    patches
@ -11,6 +12,18 @@ rec {
  scripts = (import ../scripts);
  unstable =
    final: prev:
    let
      args = {
        inherit (final) config;
        system = prev.stdenv.hostPlatform.system;
      };
    in
    {
      unstable = import inputs.nixpkgs-unstable args;
    };
  themes = (
    final: prev: {
      papirus_red = (final.papirus-icon-theme.override { color = "red"; });
@ -23,25 +36,23 @@ rec {
          ];
        }
      );
      nerdfonts_fira_hack = (
        final.nerdfonts.override {
          fonts = [
            "FiraCode"
            "Hack"
          ];
        }
      );
    }
  );
  new-packages = (
    final: prev:
    let
      system = prev.stdenv.hostPlatform.system;
    in
    packages
    // {
-      dhist = inputs.dhist.packages.${prev.system}.dhist;
+      lsfg-vk = inputs.lsfg-vk-flake.packages.${system}.lsfg-vk;
-      demoji = inputs.demoji.packages.${prev.system}.default;
+      lsfg-vk-ui = inputs.lsfg-vk-flake.packages.${system}.lsfg-vk-ui;
-      tlauncher = inputs.tlauncher.packages.${prev.system}.tlauncher;
+      dhist = inputs.dhist.packages.${system}.dhist;
-      wl-crosshair = inputs.wl-crosshair.packages.${prev.system}.default;
+      demoji = inputs.demoji.packages.${system}.default;
      tlauncher = inputs.tlauncher.packages.${system}.tlauncher;
      wl-crosshair = inputs.wl-crosshair.packages.${system}.default;
      dzgui = inputs.dzgui-nix.packages.${system}.default;
    }
  );
--- a/pkgs/blade-formatter/default.nix
+++ b/pkgs/blade-formatter/default.nix
@ -1,64 +0,0 @@
 {
  lib,
  mkYarnPackage,
  fetchFromGitHub,
  fetchYarnDeps,
  testers,
  writeText,
  runCommand,
  blade-formatter,
 }:
 mkYarnPackage rec {
  pname = "blade-formatter";
  version = "1.38.2";
  src = fetchFromGitHub {
    owner = "shufo";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-JvILLw7Yp4g/dSsYtZ2ylmlXfS9t+2KADlBrYOJWTpg=";
  };
  packageJSON = ./package.json;
  offlineCache = fetchYarnDeps {
    yarnLock = "${src}/yarn.lock";
    hash = "sha256-UFDxw3fYMzSUhZw+TCEh/dN7OioKI75LzKSnEwGPKDA=";
  };
  postBuild = "yarn build";
  passthru.tests = {
    version = testers.testVersion {
      package = blade-formatter;
      command = "blade-formatter --version";
    };
    simple = testers.testEqualContents {
      assertion = "blade-formatter formats a basic blade file";
      expected = writeText "expected" ''
        @if (true)
            Hello world!
        @endif
      '';
      actual =
        runCommand "actual"
          {
            nativeBuildInputs = [ blade-formatter ];
            base = writeText "base" ''
              @if(   true )  Hello world!   @endif
            '';
          }
          ''
            blade-formatter $base > $out
          '';
    };
  };
  meta = with lib; {
    description = "Laravel Blade template formatter";
    homepage = "https://github.com/shufo/blade-formatter";
    license = licenses.mit;
    maintainers = with maintainers; [ lelgenio ];
  };
 }
--- a/pkgs/blade-formatter/package.json
+++ b/pkgs/blade-formatter/package.json
@ -1,120 +0,0 @@
 {
  "name": "blade-formatter",
  "engines": {
    "node": ">= 14.0.0"
  },
  "keywords": [
    "php",
    "formatter",
    "laravel"
  ],
  "version": "1.38.2",
  "description": "An opinionated blade template formatter for Laravel",
  "main": "./dist/bundle.cjs",
  "types": "./dist/types/main.d.ts",
  "type": "module",
  "exports": {
    ".": {
      "import": "./dist/bundle.js",
      "require": "./dist/bundle.cjs",
      "default": "./dist/bundle.js"
    },
    "./*": "./*"
  },
  "scripts": {
    "build": "cross-env NODE_ENV=production node esbuild.js && cross-env NODE_ENV=production ESM_BUILD=true node esbuild.js",
    "prepublish": "tsc src/main.ts --declaration --emitDeclarationOnly --outDir ./dist/types || true",
    "watch": "node esbuild.js",
    "test": "yarn run build && node --experimental-vm-modules node_modules/.bin/jest",
    "lint": "eslint src -c .eslintrc.json --ext ts",
    "fix": "prettier {src,__tests__}/**/*.ts --write",
    "check_formatted": "prettier **/*.ts -c",
    "changelog": "conventional-changelog -p angular -i CHANGELOG.md -s -r 0",
    "prepare": "husky install",
    "bin": "cross-env ./bin/blade-formatter.cjs"
  },
  "bin": {
    "blade-formatter": "bin/blade-formatter.cjs"
  },
  "author": "Shuhei Hayashibara",
  "license": "MIT",
  "dependencies": {
    "@prettier/plugin-php": "^0.19.7",
    "@shufo/tailwindcss-class-sorter": "3.0.1",
    "aigle": "^1.14.1",
    "ajv": "^8.9.0",
    "chalk": "^4.1.0",
    "concat-stream": "^2.0.0",
    "detect-indent": "^6.0.0",
    "find-config": "^1.0.0",
    "glob": "^8.0.1",
    "html-attribute-sorter": "^0.4.3",
    "ignore": "^5.1.8",
    "js-beautify": "^1.14.8",
    "lodash": "^4.17.19",
    "php-parser": "3.1.5",
    "prettier": "^2.2.0",
    "tailwindcss": "^3.1.8",
    "vscode-oniguruma": "1.7.0",
    "vscode-textmate": "^7.0.1",
    "xregexp": "^5.0.1",
    "yargs": "^17.3.1"
  },
  "devDependencies": {
    "@babel/core": "^7.6.4",
    "@babel/plugin-transform-modules-commonjs": "^7.16.5",
    "@babel/preset-env": "^7.13.12",
    "@babel/preset-typescript": "^7.16.5",
    "@types/concat-stream": "^2.0.0",
    "@types/find-config": "^1.0.1",
    "@types/fs-extra": "^11.0.0",
    "@types/glob": "^8.0.0",
    "@types/jest": "^29.0.0",
    "@types/js-beautify": "^1.13.3",
    "@types/lodash": "^4.14.178",
    "@types/mocha": "^10.0.0",
    "@types/node": "^18.0.0",
    "@types/xregexp": "^4.4.0",
    "@typescript-eslint/eslint-plugin": "^5.8.1",
    "@typescript-eslint/parser": "^5.8.1",
    "app-root-path": "^3.0.0",
    "babel-jest": "^29.0.0",
    "codecov": "^3.8.3",
    "cross-env": "^7.0.3",
    "esbuild": "^0.19.0",
    "esbuild-node-externals": "^1.4.1",
    "eslint": "^8.5.0",
    "eslint-config-airbnb-base": "^15.0.0",
    "eslint-config-airbnb-typescript": "^17.0.0",
    "eslint-config-prettier": "^9.0.0",
    "eslint-import-resolver-typescript": "^3.0.0",
    "eslint-plugin-import": "^2.25.3",
    "eslint-plugin-jest": "^26.0.0",
    "eslint-plugin-prettier": "^5.0.0",
    "fs-extra": "^11.0.0",
    "husky": "^8.0.0",
    "jest": "^29.0.0",
    "lint-staged": ">=10",
    "source-map-loader": "^4.0.0",
    "ts-jest": "^29.0.0",
    "ts-loader": "^9.2.6",
    "ts-migrate": "^0.1.27",
    "ts-node": "^10.4.0",
    "typescript": "^5.0.0"
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/shufo/blade-formatter.git"
  },
  "files": [
    "dist",
    "src",
    "bin",
    "wasm",
    "syntaxes",
    "CHANGELOG.md"
  ],
  "lint-staged": {
    "*.ts": "yarn run fix"
  }
 }
--- a/pkgs/caffeinated/default.nix
+++ b/pkgs/caffeinated/default.nix
@ -0,0 +1,53 @@
 {
  stdenv,
  lib,
  fetchFromGitHub,
  pkgconf,
  pkg-config,
  wayland-scanner,
  systemd,
  libbsd,
  wayland,
  wayland-protocols,
  libcap,
 }:
 stdenv.mkDerivation {
  pname = "caffeinated";
  version = "2022-12-08";
  src = fetchFromGitHub {
    owner = "electrickite";
    repo = "caffeinated";
    rev = "5a8eff054bdce225a19cf3ab785dc1bbc9bd3265";
    hash = "sha256-X1w/YWljcwb5ZH8Nt92CDhPU/yqBLH3lBS7yVJUeyzY=";
  };
  nativeBuildInputs = [
    pkgconf
    pkg-config
    wayland-scanner
  ];
  buildInputs = [
    systemd
    libbsd
    wayland
    wayland-protocols
    libcap
  ];
  makeFlags = [ "WAYLAND=1" ];
  installFlags = [ "PREFIX=$(out)" ];
  meta = {
    description = "Utility to prevent the system from entering an idle state";
    homepage = "https://github.com/electrickite/caffeinated";
    license = lib.licenses.mit;
    platforms = lib.platforms.linux;
    maintainers = with lib.maintainers; [ lelgenio ];
  };
 }
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -3,11 +3,13 @@
 { pkgs, inputs }:
 rec {
-  blade-formatter = pkgs.callPackage ./blade-formatter { };
+  caffeinated = pkgs.callPackage ./caffeinated { };
  cargo-checkmate = pkgs.callPackage ./cargo-checkmate.nix { };
  lipsum = pkgs.callPackage ./lipsum.nix { };
  emmet-cli = pkgs.callPackage ./emmet-cli.nix { };
  material-wifi-icons = pkgs.callPackage ./material-wifi-icons.nix { };
  gnome-pass-search-provider = pkgs.callPackage ./gnome-pass-search-provider.nix { };
-  kak-tree-sitter = pkgs.callPackage ./kak-tree-sitter.nix { };
+  my-factorio-headless = pkgs.callPackage ./factorio-headless {
    inherit (pkgs.unstable) factorio-headless;
  };
 }
--- a/pkgs/factorio-headless/default.nix
+++ b/pkgs/factorio-headless/default.nix
@ -0,0 +1,10 @@
 { factorio-headless, pkgs }:
 factorio-headless.overrideAttrs (_: rec {
  version = "2.0.73";
  src = pkgs.fetchurl {
    name = "factorio_headless_x64-${version}.tar.xz";
    url = "https://www.factorio.com/get-download/${version}/headless/linux64";
    hash = "sha256-dSAl+BtewSKZGe3IafnIdz20u1SKkNNw+Fk4I2yFfZo=";
  };
 })
--- a/pkgs/factorio-headless/update.sh
+++ b/pkgs/factorio-headless/update.sh
@ -0,0 +1,14 @@
 #!/bin/sh
 set -xe
 cd "$(dirname $0)"
 current_version="$(rg '^.*?version\s*=\s*"(.+)".*?$' --replace '$1' ./default.nix)"
 current_hash="$(rg '^.*?hash\s*=\s*"(.+)".*?$' --replace '$1' ./default.nix)"
 new_version="$(curl https://factorio.com/api/latest-releases | jq -r .stable.headless)"
 new_hash="$(nix-hash --to-sri --type sha256 $(nix-prefetch-url --type sha256 https://www.factorio.com/get-download/${new_version}/headless/linux64))"
 sd --fixed-strings "$current_version" "$new_version" ./default.nix
 sd --fixed-strings "$current_hash" "$new_hash" ./default.nix
--- a/pkgs/gnome-pass-search-provider.nix
+++ b/pkgs/gnome-pass-search-provider.nix
@ -2,10 +2,9 @@
  stdenv,
  fetchFromGitHub,
  python3Packages,
-  wrapGAppsHook,
+  wrapGAppsHook3,
  gtk3,
  gobject-introspection,
  gnome,
 }:
 let
@ -30,7 +29,7 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [
    python3Packages.wrapPython
-    wrapGAppsHook
+    wrapGAppsHook3
  ];
  propagatedBuildInputs = [
--- a/pkgs/kak-tree-sitter.nix
+++ b/pkgs/kak-tree-sitter.nix
@ -1,34 +0,0 @@
 {
  lib,
  stdenv,
  rustPlatform,
  fetchFromSourcehut,
  makeWrapper,
 }:
 rustPlatform.buildRustPackage rec {
  pname = "kak-tree-sitter";
  version = "1.1.2";
  src = fetchFromSourcehut {
    owner = "~hadronized";
    repo = "kak-tree-sitter";
    rev = "kak-tree-sitter-v${version}";
    hash = "sha256-wBWfSyR8LGtug/mCD0bJ4lbdN3trIA/03AnCxZoEOSA=";
  };
  cargoSha256 = "sha256-OQPUWqJAts8DbFNSsC/CmMCbuZ9TVxRTR05O7oiodKI=";
  nativeBuildInputs = [ makeWrapper ];
  postFixup = ''
    wrapProgram "$out/bin/ktsctl" \
      --suffix PATH : ${stdenv.cc}
  '';
  meta = with lib; {
    description = "Server that interfaces tree-sitter with kakoune";
    homepage = "https://git.sr.ht/~hadronized/kak-tree-sitter";
    license = with licenses; [ mit ];
  };
 }
--- a/pkgs/lipsum.nix
+++ b/pkgs/lipsum.nix
@ -3,7 +3,7 @@
  fetchFromGitHub,
  pkg-config,
  vala,
-  wrapGAppsHook,
+  wrapGAppsHook3,
 }:
 stdenv.mkDerivation rec {
  pname = "lipsum";
@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [
    pkg-config
    vala
-    wrapGAppsHook
+    wrapGAppsHook3
  ];
  makeFlags = [ "PRG=${pname}" ];
--- a/scripts/_docker-block-external-connections
+++ b/scripts/_docker-block-external-connections
@ -0,0 +1,33 @@
 #!/bin/sh
 # Create the DOCKER-USER chain if it doesn't exist
 iptables -N DOCKER-USER || true
 # Flush existing rules in the DOCKER-USER chain
 iptables -F DOCKER-USER
 # Get all external network interfaces
 interfaces=$(
    ip -o -f inet addr show |
    awk '{print $2}' |
    grep -E '^(enp|eth|wlan|wlp)' |
    sort -u
 )
 for iface in $interfaces; do
    # Allow traffic from LAN
    iptables -A DOCKER-USER -i "$iface" -s 127.0.0.1 -j ACCEPT
    iptables -A DOCKER-USER -i "$iface" -s 10.0.0.0/8 -j ACCEPT
    iptables -A DOCKER-USER -i "$iface" -s 192.168.0.0/16 -j ACCEPT
    # Allow established and related connections
    iptables -A DOCKER-USER -i "$iface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Drop all other traffic
    iptables -A DOCKER-USER -i "$iface" -j DROP
    echo "iptables rules have been set up for interface: $iface"
 done
 # Return to the previous chain
 iptables -A DOCKER-USER -j RETURN
--- a/scripts/_sway_idle_toggle
+++ b/scripts/_sway_idle_toggle
@ -1,11 +0,0 @@
 #!/bin/sh
 swayidlectl() {
  systemctl --user $1 swayidle.service
 }
 if swayidlectl status > /dev/null; then
    swayidlectl stop
 else
    swayidlectl start
 fi
--- a/scripts/bcrypt
+++ b/scripts/bcrypt
@ -0,0 +1,17 @@
 #!/bin/sh
 set -euo pipefail
 if [ "$#" = 0 ]; then
    echo "Usage: $0 [passwords...] | $0 - < passwords.txt" >&2
    exit 1
 fi
 if [ "$1" = '-' ]; then
    xargs -x -n1 -d'\n' htpasswd -bnBC 10 "" | tr -d ':' | sed '/^$/d'
 else
    for pass in "$@"; do
        htpasswd -bnBC 10 "" "$pass" | tr -d ':' | sed '/^$/d'
    done
 fi
--- a/scripts/bmenu
+++ b/scripts/bmenu
@ -8,14 +8,16 @@
 if test "$argv[1]" = "run"
    test -n "$argv[2]" && set t "$argv[2]" || set t "terminal"
-    test -n "$i3SOCK" && set wrapper 'i3-msg exec --'
+    set -l launcher_args \
    test -n "$SWAYSOCK" && set wrapper 'swaymsg exec --'
    exec j4-dmenu-desktop \
        --dmenu="bmenu start -p Iniciar:" \
        --term "$t" \
        --wrapper="$wrapper" \
        --no-generic
    if test -n "$SWAYSOCK"
        set launcher_args $launcher_args --i3-ipc
    end
    exec j4-dmenu-desktop $launcher_args
 end
 if test -n "$SWAYSOCK"
@ -25,6 +27,13 @@ if test -n "$SWAYSOCK"
    test -n "$focused_output"
    and set focused_output "-m $focused_output"
 else if test -n "$NIRI_SOCKET"
    set -l focused_name (niri msg -j focused-output | jq -r '.name')
    set -l focused_index (niri msg -j outputs | jq -r --arg focused "$focused_name" 'keys | index($focused)')
    if test -n "$focused_index"; and test "$focused_index" != "null"
        set focused_output "-m $focused_index"
    end
 end
 set -l config "$HOME/.config/bmenu.conf"
--- a/scripts/controller-battery
+++ b/scripts/controller-battery
@ -0,0 +1,29 @@
 #!/bin/sh
 set -e
 CONTROLLER=$(find /sys/class/power_supply -maxdepth 1 -name '*controller*' || true)
 if test -z "$CONTROLLER"; then
    echo
    exit 0
 fi
 CAPACITY=$(cat "$CONTROLLER/capacity")
 STATUS=$(cat "$CONTROLLER/status")
 echo -n '󰊴 '
 if test "$STATUS" = "Charging"; then
    echo -n "󰂄"
 else
    print-battery-icon "$CAPACITY"
 fi
 # Add terminating newline
 echo
 # Tooltip
 echo -n '󰊴'
 print-battery-icon "$CAPACITY"
 echo " $CAPACITY%"
--- a/scripts/default.nix
+++ b/scripts/default.nix
@ -34,7 +34,7 @@
    ];
    down_meme = [
      wl-clipboard
-      yt-dlp
+      unstable.yt-dlp
      libnotify
    ];
    wl-copy-file = [
@ -43,19 +43,24 @@
    ];
    _diffr = [ diffr ];
    _thunar-terminal = [ terminal ];
    _sway_idle_toggle = [ swayidle ];
    kak-pager = [
      fish
      _diffr
    ];
    kak-man-pager = [ kak-pager ];
    kubectl-rsh = [
      bash
      kubectl
      rsync
    ];
    helix-pager = [
      fish
      _diffr
    ];
    helix-man-pager = [ helix-pager ];
    bcrypt = [ apacheHttpd ];
    musmenu = [
-      mpc-cli
+      mpc
      wdmenu
      trash-cli
      xdg-user-dirs
@ -73,6 +78,7 @@
    ];
    wpass = [
      wdmenu
      ripgrep
      fd
      myPass
      sd
@ -112,11 +118,11 @@
      mpv
      pqiv
      python3Packages.deemix
-      mpc-cli
+      mpc
      mpdDup
    ];
    mpdDup = [
-      mpc-cli
+      mpc
      perl
    ];
    readQrCode = [
@ -124,11 +130,35 @@
      zbar
      wl-clipboard
    ];
    git_clean_remote_deleted = [
      git
      gnugrep
      gawk
      findutils
    ];
    pint-fmt = [ ];
    powerplay-led-idle = [
      bash
      libinput
      libratbag
    ];
    sway-sync-xkbmap = [
      xorg.setxkbmap
      jq
    ];
    print-battery-icon = [ ];
    controller-battery = [ print-battery-icon ];
    mouse-battery = [ print-battery-icon ];
    nix-prefetch-firefox-extension = [
      nix
    ];
    _docker-block-external-connections = [
      iptables
      gawk
      gnugrep
      iproute2
    ];
  }
  // lib.mapAttrs importScript {
    wdmenu = ./wdmenu.nix;
--- a/scripts/down_meme
+++ b/scripts/down_meme
@ -1,10 +1,19 @@
 #!/bin/sh
 set -euo pipefail
 cleanup() {
    if test "$?" != 0; then
        notify-send "Failed to download"
    fi
 }
 trap cleanup EXIT INT
 DIR=$(mktemp -d)
 cd "$DIR"
-yt-dlp --merge-output-format mp4 "$(wl-paste)"
+yt-dlp --cookies-from-browser firefox --merge-output-format mp4 "$(wl-paste)"
 FILENAME="$(ls | head -n1)"
--- a/scripts/git_clean_remote_deleted
+++ b/scripts/git_clean_remote_deleted
@ -0,0 +1,6 @@
 #!/bin/sh
 git branch -vv \
 | grep ': gone]' \
 | awk '{print $1}' \
 | xargs git branch -D
--- a/scripts/kubectl-rsh
+++ b/scripts/kubectl-rsh
@ -0,0 +1,30 @@
 #!/usr/bin/env bash
 set -exu
 set -o pipefail
 namespace=''
 container=''
 pod=$1
 shift
 # rsync calls us with "-l pod namespace" if we use pod@namespace
 if [ "X$pod" = "X-l" ]; then
 	pod=$1
 	shift
 	namespace="-n $1"
 	shift
 fi
 # pod is "pod.container"
 if [[ "$pod" == *"."* ]]; then
 	container="-c ${pod#*.}"
 	pod="${pod%.*}"
 fi
 # pod is "type#name"
 if [[ "$pod" == *"#"* ]]; then
 	pod="${pod//#/\/}"
 fi
 exec kubectl $namespace exec -i $container $pod -- "$@"
--- a/scripts/mouse-battery
+++ b/scripts/mouse-battery
@ -0,0 +1,39 @@
 #!/bin/sh
 set -e
 MODEL_NAME_FILE=$(rg --files-with-matches G502 /sys/class/power_supply/*/model_name | head -n1)
 if test -z "$MODEL_NAME_FILE"; then
    echo
    exit 0
 fi
 MOUSE=$(dirname "$MODEL_NAME_FILE")
 if test -z "$MOUSE"; then
    echo
    exit 0
 fi
 CAPACITY=$(cat "$MOUSE/capacity")
 STATUS=$(cat "$MOUSE/status")
 echo -n '🖱️'
 if test "$STATUS" = "Charging"; then
    echo -n "󰂄"
 else
    print-battery-icon "$CAPACITY"
 fi
 if test "$CAPACITY" -lt 50; then
    echo -n "$CAPACITY%"
 fi
 echo
 # Tooltip
 echo -n '🖱️'
 print-battery-icon "$CAPACITY"
 echo " $CAPACITY%"
--- a/scripts/nix-prefetch-firefox-extension
+++ b/scripts/nix-prefetch-firefox-extension
@ -0,0 +1,7 @@
 #!/bin/sh
 set -euo pipefail
 hash="$(nix-prefetch-url --type sha256 "$@")"
 nix-hash --to-sri --type sha256 "$hash" 2>/dev/null
--- a/scripts/pint-fmt
+++ b/scripts/pint-fmt
@ -0,0 +1,7 @@
 #!/bin/sh
 file="$(mktemp)"
 cat - >"$file"
 ./vendor/bin/pint --quiet "$file"
 cat "$file"
 rm "$file"
--- a/scripts/print-battery-icon
+++ b/scripts/print-battery-icon
@ -0,0 +1,33 @@
 #!/bin/sh
 set -e
 if test $# -ne 1; then
    echo "Usage $0" >&2
    exit 1
 fi
 CAPACITY="$1"
 if test "$CAPACITY" -ge 90; then
    echo -n '󰁹'
 elif test "$CAPACITY" -ge 90; then
    echo -n '󰂂'
 elif test "$CAPACITY" -ge 80; then
    echo -n '󰂁'
 elif test "$CAPACITY" -ge 70; then
    echo -n '󰂀'
 elif test "$CAPACITY" -ge 60; then
    echo -n '󰁿'
 elif test "$CAPACITY" -ge 50; then
    echo -n '󰁾'
 elif test "$CAPACITY" -ge 40; then
    echo -n '󰁽'
 elif test "$CAPACITY" -ge 30; then
    echo -n '󰁼'
 elif test "$CAPACITY" -ge 20; then
    echo -n '󰁻'
 elif test "$CAPACITY" -ge 10; then
    echo -n '󰁺'
 else
    echo -n '󰂎'
 fi
--- a/scripts/screenshotsh
+++ b/scripts/screenshotsh
@ -46,4 +46,13 @@ case $1 in
            $screenshot -o "$cur_output" - | $copy ||
            $screenshot - | $copy
        ;;
    edit)
        # Focused monitor to clipboard
        cur_output=$(swaymsg -t get_outputs |
            jq -r '.[] | select(.focused) | .name')
        test -n "$cur_output" &&
            $screenshot -o "$cur_output" - | satty --filename - --output-filename "$DESTFILE" ||
            $screenshot - | satty --filename - --output-filename "$DESTFILE"
        ;;
 esac
--- a/scripts/sway-sync-xkbmap
+++ b/scripts/sway-sync-xkbmap
@ -0,0 +1,22 @@
 #!/bin/sh
 set -euo pipefail
 LAST_LAYOUT=""
 while sleep 1s; do
    CURRENT_LAYOUT=$(swaymsg -t get_inputs | jq -r '.[]|.xkb_active_layout_name|select(.)' | head -n1)
    if test "$LAST_LAYOUT" = "$CURRENT_LAYOUT"; then
        true
    elif test "$CURRENT_LAYOUT" = "English (Colemak)"; then
        echo "Setting layout to colemak"
        setxkbmap us colemak
    elif test "$CURRENT_LAYOUT" = "Portuguese (Brazil)"; then
        echo "Setting layout to br"
        setxkbmap br
    fi
    LAST_LAYOUT="$CURRENT_LAYOUT"
 done
--- a/scripts/wpass
+++ b/scripts/wpass
@ -18,6 +18,13 @@ print_actions_for_entry() {
  if test -n "$otp"; then
    echo "OTP"
  fi
  echo "$entry_content" | \
    rg '^(\w+): .*$' --replace '$1' | \
    sed \
      -e '/login/d' \
      -e '/user/d' \
      -e '/email/d'
 }
 main() {
@ -29,8 +36,9 @@ main() {
    test -n "$entry" || exit 0
-    username=`pass show "$entry" 2>/dev/null | perl -ne 'print $2 if /^(login|user|email): (.*)/'`
+    entry_content="$(pass show "$entry" 2>/dev/null)" || true
-    password=`pass show "$entry" 2>/dev/null | head -n 1`
+    username=`echo "$entry_content" | rg -m1 '(login|user|email): (.*)' -r '$2'` || true
    password=`echo "$entry_content" | head -n 1` || true
    otp=`pass otp "$entry" 2>/dev/null` || true
    action="$(print_actions_for_entry | wdmenu -p Action)"
@ -45,13 +53,19 @@ main() {
            printf '%s' "$password" | wl-copy;;
        OTP)
            pass otp "$entry" | wl-copy;;
        *)
            key="$action"
            printf '%s\n' "$entry_content"  | rg -m1 "^$key: (.*)" -r '$1' | wl-copy -n
            ;;
    esac
 }
 autotype(){
    if test -n "$username"; then
        env wtype -s 100 "$username"
        env wtype -s 100 -k tab
    fi
    env wtype -s 100 "$password"
 }
--- a/secrets/double-rainbow/default.yaml
+++ b/secrets/double-rainbow/default.yaml
@ -0,0 +1,57 @@
 gitlab-runners:
    wopus-gitlab-nix: ENC[AES256_GCM,data:n/bm5W5Q/h7MxMZX7yz4qeUBpfZDrI7A7/PlnLncMto5V5itVTXRvfd3+D/d2r9PVuJSogfMgMAh0cwuvPspjlm9ToPxrmgGdYbnAkhnFeTHdCfcF1x2DG2JkHe54wUhcQa9QEJkWZ5jJM//2jU=,iv:63lrYCCBMSr5toulba7Rni+iun0Bl2vMFbIsTVvOWQs=,tag:Z1GHj91q09sOWCaLPIKJ4Q==,type:str]
    wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:+5I7INvMNfegjjC0xPNOSj+vFakXe6V4N/S5wvL64DOxfPXhSQAjVtdMslp/LlJXH4XWbkQ8ErLbySB3WMDMRDnDRY+6+UKXsP6MFpvEtho0lN+8ZeAGC25ehadYDSFTX43wz6cLRuoAqRQdhPKM96wcYif7nF40cStgaAQhkNemK7AenSA9LQ4J72dWovFuwfTZml8qH6W/O+YEqfOgZsyJ/LobcM1fiuN1S4NnCOJSWB2Ahsu0tiMOSRxKWeUS9+ewh+x1xnZL3y4vax5GgtS2KojtXq0U4qgNi4Gwnmef7HmH1tVgeMO2ykCsuCCZ9iJR0IOqTHU2l+U6hTzf5vehpgK5/tsthkXRsLUmVRnjUaQwaEq9JYltGpEdk6U0UnD+Mf0f5BsDw23lHgannLeduhrSFrPFj+BVodnPxjyYJTPXwXfbWrKIQ8s5kWfIq9x0VePsteIgEH4xLL0yFtyZzrYeCq9WF3j5xTvJsOlG0ehQzX22orrM4RzrFVmeLYOIc/V4bQeyIf1lWemr,iv:UNaUnlVayrzF7qpgIVi9gxPFGCzIP24jNUpO295JPog=,tag:a5OlD+AJH3u6y+Lo3lOQWw==,type:str]
    wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:aknblYwAAGaso/Vhr9f1RX64tA3uOh3qxc1dBI7DQmk4TUlQn/AYrKF7wanIhhydrasRulDEam3CBiiyeW/ejcXG07wKIUyZ94TOYfcyRd1yo+PGkmb1yycU6PdjaP5/zwUPAnjMhR2quW+8iwADaUMYKXIJkdQaqUW9a845vBKIxgNgBskWMGMzldb+aUnr2eCb,iv:MQdEUrNugzv+QL6f/MNUqh9M+nFVsWI4VHlMrgQOTEg=,tag:olNTQyCSOhv3sgSjuIXKBA==,type:str]
 nebula-wopus-vpn:
    ca-crt: ENC[AES256_GCM,data:zNESDEqeRPBsaY53cDKx6DMYdHIdEjxAsX7rLMrGkd0+aw2zOEJDJ5jb/zIeatf7xBj5DkJa+CDWmWsu5v9p0QUu0LEEvdin3utuGa5GQEYR+1LCCrlB52klTvKEK6ck5cYewVR5bmq0NTvw4aVxZJoMKMXICYhNEs20ZMCIrbX8UOddXKt6OxeOzVZ/9uFg1gY9qkHe3Wn5mmNLwvXoHvzwtr+Oc9xT+SRMPYkGUkbyxQ5zRjJUKS79aPQ8R6ZgZVJqUmr9wS58D2To1Sfk4Ykrd4Q2lIlbTXdswp1im3LSTy0YosHu5P6mmBq9u3M=,iv:hnCrHDkQiUsoaFTImtWlvM+tuSplU5p4s6kkm/ysLZ0=,tag:5vH6oEWwUOA/QsiW0XvBag==,type:str]
    double-rainbow-crt: ENC[AES256_GCM,data:gdR79bE2RdE8cc9HdIxoiTCbyzsaTrSRg8uouVLmq6IRnb8B7tltIitli0SRXzMWqfg1IUIQbXHbIvPgeQ+puCHqr1ghYK1GzrDLz6GIGTn8g+9MnDbRTghdlWKKrKVxJnrSecJvV0qEkDr2/WEAsXalstxcDEPNq2Rb+c7bv/P2oFNjKN1eeWsE5TgpFj61RLEWx/wPzQKyNx2ZFu1l4r63II6npvlZ8rwdrJAeZIT8oaU53zQzMMs0tHGYTJeaZcPgdBKfVSCmzGxrE2kuwR0bxSSB2knqdBmtl1aVxs3bF2Fkm1+wovCadCze+Ta6Vgtk4v8d3Ta+wE5qzek8shb2m7lXTixki356wOG0r3B+180Kzk5B7q4tIycrk9ggKPKAA+2XNHVFM9L8PojflK3BY+U=,iv:wNoELN2y8QrFGPJYQdrAVsaLrhMzD8ep313o/jpT9fM=,tag:8sRBtkfd1TVMK7R64sMXqw==,type:str]
    double-rainbow-key: ENC[AES256_GCM,data:I0LGhV9biErwZw4PzOX6mbqyh+8n2XbpikwOqLe70g9+pfO72e8qdXvzYko8zLGIL0x8ZUYn6XCP63ZYzP866cLHCgglZ0+PQeBbqzp3lgfYDd7zBHDJE0NQobPtV6n1enbpzRtBe+ROeYQxCV5sZmEoxbzUyR0aSJ3JaGgZNw==,iv:Y5Iy32zHnQgqIH3d9U81FlsW+Mg8u06fk+AMnTcGejk=,tag:1ojEKwVALA9grJRzyNc+9g==,type:str]
 sops:
    age:
        - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eTBFdVM5OFlQTi9JMmFw
            QWpIU2dSdDMzQTVJOWJCUU03QXR1QVZoeXc4CkljdHNKQ0tUczMrNys5eXNGMnVa
            K003QjdRaWY4RmNtaEw4cEsxSEJwZlEKLS0tIFZpbGUyaHh0RndkVlpQVlVucHJa
            TndIUUhsY2xSR3E1WlJXV3ZFN0lIMncKjjf1yt4XhfguzYoCNmHYSmetMDnoz4cr
            frbZdy4hl9w9EZO5JUeC/n7QMYTZLC2/Zk2PXRUvwyQglrGoUVK2Bg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbHd4L0NEZW55OWd3SWlv
            U3dEcDNKZUJid2VsZ1lQdy9NRnIyVDRPRm1VCnZDcCs0S1BLNjJLZTFpSHVpNVRj
            OFpMK0ZjWTJkcWJoUFk2YnBCK3JKcFUKLS0tIEtqRkF4Q0FobXhPVTF6eWN2d0Nx
            eVAwSi9LaVNEcHIvQnhhZmZLbHRPOUUK6A91L8YCpi/sM9FiXcJ1sLmW3U4KadYL
            uw07mobP1Rf0RUdAuSK+42ErFgmS+OTDze/mT/PXg6Dfk+vhTjbfGA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1026d4c8nqyapcsy4jz57szt6zw3ejcgv3ecyvz0s89t7w7z964fqdqv52h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaUpLU1ZxQWNCNFNGeEpl
            dEpVbzBFbk1XaVoxMXIzMWFmTkZWS05GOFFvCmJGamVGK2pCeTJROVloMGdYK3Mx
            cGF1elFSbjJ3UmUyc1FsUkh6b2JNWTgKLS0tIFRzbHZIL25tK1dnWm90QVFueWZM
            WUZrTkg0cklJSUg5MndsN0ZPcVk4U0kKPsj787kDFDMxsBt5qk4Bp121AMTE++99
            m2X4lL6ona9fUe8e8wGhdgxZmqvJL2RCaVWJJy5SAbJ/skP3y7i2mw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-11-12T16:38:27Z"
    mac: ENC[AES256_GCM,data:XMsrBwV2G1jRA2c/T3y4015p6bJdggfrbI62bHZ1PQtbOImQUpxChVI9JhZqOIzWpyYB32HavRHwCe5nfam+L2tWNlVMRSogKBpDuanxyf3o2EHHStQqZYUuJrYtOL5cdeYMIXKRWS6LmHdHkcI2ixHsL+NXIG5o3XIYMaEBufo=,iv:G20hevYygnonf5l4qGZqs+b9f1FC+cfnYIKZcs+mUP4=,tag:p5rITlVoOwqdrG8Kcmjieg==,type:str]
    pgp:
        - created_at: "2025-09-09T20:27:32Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQEMAzy6JxafzLr5AQf/a5v/AIIsdE9WawM710HCLQwEJXskDXfN7UP055gDBJer
            96qny8cKC833OhTPLqWCUpAVgJ1JQ8EDLvj2YvXLiq/NmMFs+mBwjPdzNIUKzK6E
            QgtjRJuQfOGSW0i44b+nkmWLSi1PhxVbIFt27Nl4I+mrvkhztIZcTwht+be3mMrp
            z1hEn/BbXsin6JOB6EuyFbsRZ3wYFUlr23NiKVI/JSo39ifbtGqgWn68GN+tYYYs
            mZ5tJykyRZxTU6qEKBaW9veClxs0FW2shQpp6Go/u6u/ghhHeB99trauPFL2rypT
            IaLGWruFwHMsd+rSTcw+YrTbL7bfkqx/4xj5dxJaFNJeAfo5F5ddr1odeAHeSQmh
            pfStJmy83SHhyDw8wLKMeF9d7dPKIyU4cXbLjSv1w86bDpDw8LBJSYEjJPVjLONV
            F6AXCJxNckDXmshGUejC09abAcMzzTsEJK7ocqEoMg==
            =XAWM
            -----END PGP MESSAGE-----
          fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age
+++ b/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age
@ -1,16 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa BwwxHg
 KuJIQzvERsM1zAF4iikbaIMsi4e/vnyx1yq6h9Mzxf6FnXyFRcUgLPVe05krQhJX
 0wjv18bI0jxRb8742Ww9i2nU5Tlrok9ol458iye5CPl63fAlVih4/Rkl3IkUIiIz
 q/VayGVaIHmpRD2xiEa4L+NXS9N69vVXoubX0oZrB0nPdYJ83gFU9u+CBqqG2EWr
 PBjyIvT5i5MDBnPZGOudadIoyeWGfjXEPsQWhQhL9ssi5QOzLXBnTDlxT53bNvHX
 2yOFprLDZ+ZONedkxy8OXZpPDYNcgPAIHiqx1E87ftqPIucdeU49AqlPh46wrPC3
 79E2hgSoPvn4poTlJtAD0tIADRGkcEV6wLCylN2lTOUJenUfhLNQ7ok4ITx8MOv3
 IkbWiD9yTMExVBlhc+us+XfBHM8mlWs/zu+18YTy21RM03gzY6lHVZCQPxay2Rof
 A505SeZ4Tyhoy0+oLaYv9b+7DJdlhUo/XMaKSibtgJ/2MCtRqmV5ZsnuUIWn1Qsc
 -> Vg-grease `tLg-(2z
 4EPuRnZmXpoB32r/0GCtskU3HU3h5ic
 --- QmKr+zAXnMpWBBBqNm2u954fOu2Zt8Y/kPPdq4UHgZc
 ¤ì{çu|õæu´Ó€]OmXÝP3µÆ²•4_±½Â_
 q4›<EFBFBD>Ð6mþm©<‚pLH+d.hî‹’C<RDµ‘q<1F>Oø}öô3ÁZ¤KJ¤DÉàj]ÈýÒ¯Ù
ìá‚ØûCROË¥F;>‡
--- a/secrets/lelgenio-cachix.age
+++ b/secrets/lelgenio-cachix.age
--- a/secrets/lsfg.dll.gpg
+++ b/secrets/lsfg.dll.gpg
--- a/secrets/monolith-forgejo-runner-token.age
+++ b/secrets/monolith-forgejo-runner-token.age
--- a/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age
+++ b/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age
@ -1,13 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa BwwxHg
 YvABDqm9pSLhyLaKLDStuDisPJnaDpHnpTdTU4/xWgD3F4g2WkMymilhabqM+R5S
 hqcSVDxYE2mpPDPIDIMPRlZyw5EBKS6zQYFr7u3fdSMzzhL6pBLUvFtfq40Y3o6C
 LkkkYyWnJisWuTYeBY95H+fbDhqOylbjHP1fhRVwXO85pa4CcRMAWU2pKOIZRb3T
 IuQyE3LOT/vts56q0mgdItJK0gX0NJzXxi+8YdXb2VU5ny6IOBzDL4jUHhi4nfpS
 AmzEZE3ezq4Nxg+txMDQ6ZO+JUhqjCS4XDf5b2Lq6fDenVhFaNYf4HK/fMZHKhKE
 Ac+K5U3CKB7B2Ur+sEdB7AYWOc346bvxZhP16nwCI0ocaquo6WzEa6XA7zfRVC86
 wlTIUVdYKW3e/4AIHFnSXhFNss52kkhOjxcdQpdBb5RgSc/gWel7XFJ3bV17bCmV
 ccCYejBvW+Arpgr9Tl3UfyEbRbGTe7Jbxydsrx5h7gcXOuBYE3x8RGhegiL28wVl
 --- E11l59lvUhPNzXAYTgVUIIUCgJsEsSDMdnLV6r+qSiA
 ¥Ë‹-&I:Ú¹Sa°_àÝzt•ø¨J!H¤¹'ëC`'uÜ@sØÙ'”:†èì÷ãÎ¶~Ò[0š×ïnÝY-uôF¦eÜ‹ê‹Çü`xÓ7‚öªíßDÆãÉþ0<C3BE>/Ã—%V½«Þ‘îUˆ
--- a/secrets/monolith-nix-serve-privkey.age
+++ b/secrets/monolith-nix-serve-privkey.age
--- a/secrets/monolith/default.yaml
+++ b/secrets/monolith/default.yaml
@ -0,0 +1,59 @@
 forgejo-runners:
    git.lelgenio.com-default: ENC[AES256_GCM,data:sEfpBZvgQUkyXPWY4RI0RPJWUbsYK/RGqiYJ5wDSVY9a0EYenyt96QYq6815evq2iQ==,iv:rSWnCOdhfKH4TM9R0/IParYd9laYhWxR+iUhgkVvqfc=,tag:mBcSH/oGDMBgBScvCdn3Zg==,type:str]
 gitlab-runners:
    thoreb-telemetria-nix: ENC[AES256_GCM,data:zrZvG4be08ulpo7itbrprKK5csCMLvzZjrszfMw1XiJP0FyRTUd9nHgHpbAzbjj2KyT7kKngoZAyengvaTEhkT9sUi1pdGnvajAH8BDDOD0g4LJIHFl4,iv:3bSsTzU7gHx+MchuPg9kmb5xEDugmGPje8Jw74NpRJI=,tag:zffRr77lWbyLt7o/mywb5A==,type:str]
    thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str]
    docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
    wopus-gitlab-nix: ENC[AES256_GCM,data:asE7J0d58x9VfQFWc07f5T4s5NZ+/VqMQo66EX93J0LbJ4iI5YjvrrIE4pSI1e4Nz/SRQhltaJ0DfSH0+qgjD4wnAONPRi3UlFbSdGWS2bwwRtWe+Nci2krrUFxV2i/ZVE3CwCkNe4mqtII=,iv:gKrD/LhzI+jnDnX6CdxoHfjpiRdrsuRYJF9rTc8SffM=,tag:TczDGSU3gdKmERjBJ7tP/A==,type:str]
    wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:MtYDK6P7nwBzr6p+lRX/dkosBfeDUAj/slf/a5SgVXNIbQlkEk7gvfW5iL+C2HgMwowqWx4F+3q2W+kGweqEYzEYAoZ9pR08a7Jci3Szyy49hkamxJXF+Qwhb5VQKxDppESne7DARCF0iYeUjgeXxCYyuWlGpisnkN3HCWrIYCqbk0LS+yqgkNhDxtxMaThGYztfPnLMEV/P5vuge9sRKu3Xi3iX2uDKtx4FTBsX30Lmd8kngOVnP/GaEHDa5ECO+/yW6ZRg3fIaqJ4RV+Vz79ovFUuZV/VE8eY3JOdK5tKIBWb31YUOjP7ccBes7mMhFLO3ceNeh+a6KAJbQ4pCojJwf/cLz663FKr5f/uWDicOBbL64l3+zV5zvSDzFls0ImXMNL6Fe3SaKP7ZcC5rVrRD8P+UN/OSFmbN5LM7uYY8nNsLxTH7MYsRHgTBUmTsFEhLGJIUjtf6J3/NWIlxjBq1MmpgxN0bD6gwVAxDPP489v918tsZtKdG8SJhLUPE4LWKsU7LHpgUBroKlbGE,iv:1jnF2TTlyTR59xM8Bgaz6bubDOwFexHBJipNVa0VPXY=,tag:VsDb6C6wYa9p4Yey3iG4eA==,type:str]
    wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:F+QHv9wwgyQYobKwyG13tS2OKCZuBPKLe7RLkhxsqYmVEtkCnli9jG+unMp7MC5L0i3puNqfoXP2IC6g4ESHq1yE0ksUpUCHzps4oMZBQK9b5JcqXQs+c//hskTQ/sFmTfGPpdnQ7wAifnQf5Mx2E4RwiRznMgJGQ3RDDjg9xfWUyvw6PlslZH65aGrq3P/iURvj,iv:u34+rXKLcZjBlVJmdbf60I82Fb621lUjOBmR4CTJWGk=,tag:ToPtBIz3bgzAUKc6hh4Oxg==,type:str]
 nebula-wopus-vpn:
    ca-crt: ENC[AES256_GCM,data:sFc9SxfCVaDYxbJqzEK6pRsVoJSFbD1qs/oVKLXXJPrR2y5jVM/ESk/xwaemwEBDPn2VOxLqD62lPF8jP665w/rutskKJ4pMji+Ev2zeryaxDmEwSOL8EbEQtlNxkZZEX3dwVNxykbK5A3bIrcI6vHaOTFeMht6IanO6CdeQOS0KoyYW0fHbW0Dc/YytBMjVWCPQk2VeWCl7X4JBsjj8aVQ8qgupsI16tJmETetO3lHAaYt6dk0Fp51XVaKSuaYGBhnoADXEKA3cIQoPUOaJ1Q0CmdfYk5XWEr0q0OcqjeAn8OERGufHr227tJgYx8A=,iv:G5iq5qeX9NlkOdmj9K0GRQ/6lAU0cBNEO2hQe9kyirY=,tag:b3sW5hs0pkIqqm2j81BIIA==,type:str]
    monolith-crt: ENC[AES256_GCM,data:+0YbGYreXYR2+cu0NwXUuAnfIEUBGXm5J6nUTx2/z25gDTOVx9eI7USX6cQT/3NOt9S8odHcHeWQXChgWU9Xf+avdXmNO9vQGf8bZCybDQltPF+Gb2zRiFWiAy7raQaZc74SMbGCzABdfQBnEnqs+s/y0+ovilzOmcopnu551QEyjojuMLVcpUsvrEoQBx+dLYBjx22xob0wNUmXgBFxLRuDvYHGdehZ4jg8Ihf9kpDyjtjpfa8mF1kmdKZvPI5Y9z4ZOvA8266H+jFSqfx41nIuYcIwi8naKkoRue4kRCv71IXyK5DJNEweZPXD5sCdd005sxGgBnpSJCpSfr7TsCy5FxDcf9ISi3yrXLttcnOt2u1b3FFKNQiwlo5s2PQB2AB2Zf3nvKPqICmcXtGN3w==,iv:Q6izpQw3SymKNjnjO4x3pzqGJo5SxYZkVYdXcHQBi0A=,tag:9tlMYrN+/mMNYifw1F3yZQ==,type:str]
    monolith-key: ENC[AES256_GCM,data:Y8KVQk66dewyeRIF+6HJeufD9EYO55m73LxrtZi4KQU0RbUpsV0eiRMX62rYtw6+uP87f5Tx6kC3fX4+mqNb2ZgDtVvm3/Qnz5Ly112c/h33krNqRpv6pEHRkrS9j01tLkJnxwiyIvq3b03GTAIoCKWgqaaagCXYHArgzRrDIw==,iv:lp3zuD8XWaiJvyxzXHrgpF4qbrCv/uf9l9qyWXVrkkM=,tag:eSlTCa2TrIuga7UUxoloBQ==,type:str]
 minio:
    root-credentials: ENC[AES256_GCM,data:izDiis6BgAubbe91EUcuwMKrSrYEDQFQbaEGzpdjj3Wlt8Z8gzgvGmYCryAK8GBUMbzQvy0do26xMGMl3LxLWz9bgixixPVFTTg5GhfUJw==,iv:hkrkGz+EpVwkWEMQWBrm2u4Jti7azsDtsTmyouDREug=,tag:mDnOKKBwgKOmsxegKcRhpQ==,type:str]
 nix-serve:
    private-key: ENC[AES256_GCM,data:xSHNHiLKs5QG92cSR0gNlusRhGjRUcelSvBt/f3+LdLjTtPaYMmiEiUsl43FyaigGkGq4nGDWAgPVJ+bFNpman0F4KwYqoSp5zH07IC9KaXouvudRLMZc8MkpwKKptKebKDlxKfsLt44n3qnV7OPYzSgzA==,iv:yUM/4yCIJqTt04HyXBVe+EMN4NnFkVnVhsUvUlKv2QM=,tag:qAr0UIjWzXH1eEzGCrK5Vg==,type:str]
 factorio:
    server-config.json: ENC[AES256_GCM,data:qpLNcNjKrlH5IjGsq7ukCPR7G5dfOfN9joM2KZUdKZetZ/mA8ikBSbuBtRxwBQUSB6PcFxDftus704vlOkLcDcc4PT9rnpEiedLng9NkJPZZo2exfozut3N7dhij28c6Jy2uvad1pzAfW78iHI0kJNkDQDD2oW9xoFAZrPDRh5oNLpNn1/iIFoIflyYFctUbcpsDvs+8xHGGM5PQQo0QnZcxfSPY2iT4At1i5WP/Uedonvlw9fNcoOtzP7BhOECuMWUC5W2v2hP2/vcp7M8=,iv:Ln+/4AudJfdJYdkq0xLVF8dyrObzLwhANpTo3WgjUF4=,tag:Rgw4/J016Geiv6FwF5ZaMQ==,type:str]
 sops:
    age:
        - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaFFtOHRBNjZqOXJOV1Bk
            SXRhZTdNWklKaTZST2JhU3VFLzBGSWY0QlMwCldwS1hhMDEyZDAxWUlRRXZtTWts
            Ti9IOUR2OFdGYkJ4cFRsV0lkbWJvb1EKLS0tIEJUS1ZCZ1M4ZUs5cDhiam5JaEk1
            U1VjNFprNHZWeDhwU3owRXh0MlBFYkUKHPgxz9/w3+JEtOljfyWBPSshfFlVWVys
            f15yxlAeWIZVEGqoau7DegVdZiYYIJR2dFBXV1RkKbAwLrbUxAQidg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OWk0cTJ4d25Qd0hrdkFD
            a2Fzd1lrMDREclkvRmxUSjFpYXZvRGs2Rm13Cm5aRVZDWE5ZUVR1K2hkZkdKWjYw
            K3lKNndBNGFveGVGVWplaHA0MVlYUG8KLS0tIFlVeXhCTGJGUm1HK2RCSFg1RnI3
            aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h
            jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-02-15T06:33:37Z"
    mac: ENC[AES256_GCM,data:lYnwpoQuDSRpcPdIoSX3aGssc34UPqj6aZaliXl9XKMu1FMEgKwYXvNGOgs4tV2hBUQvTB4ZhiPT62awEHxzO1CmVdi6eiR9LTP2KetVubvKp8Ps/xoWKl51pG9ubJj+H3rfwAhfbGVZmAb6PKQgY6mnpyutlt/ojCMoKJ4BVwM=,iv:O0MoP+Nb1+nrowX3yfhIY/pjtSbLPV6qHOhDiEfdpzw=,tag:qSA02qKepxJ8p1qpZYN+UQ==,type:str]
    pgp:
        - created_at: "2025-03-07T22:49:16Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQEMAzy6JxafzLr5AQgAjwQqdeESOfrOuCjfjALdoy3AnNYC+slusdlra58CoRu6
            YFDAivwPHJBRiuVy43Lo7SWnKXMKvLOry589GBY3JGjNV5U1cPWBhMlTubYZmZWl
            iel8Bvw4IF5JksMIvLFdDgexLN7wETzzZP9S8750BCgpSrncrw1k/dUedhv5HUjo
            N10x6BPjPSmgolA8uxsISHLAUrKcQoeaWvcZFU1ofKywq08HgIySphy6z3Gmv3Qs
            86saZp1rFm5+qHkrDRgL6Oe3Xx30jVkzn9MHPWzZCDPCEvYGJgXX34NGzbX+/nd3
            JB9XkT2YTFi4BLhdHY3EE7e9//PJc5G9RVDZyAF1e9JeAXH2yR5blXbogoy+VMnS
            Yn74Uvs+fnYFTDOiuequro5i0uAyxtrCx8fdfwjuh+9SC5p3N2cBv2eT7zLQwQHi
            czHlwxmpi/dMB/u83fR4FzuCUt98VXiezIC4yGn25g==
            =Yqqx
            -----END PGP MESSAGE-----
          fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/phantom-forgejo-mailer-password.age
+++ b/secrets/phantom-forgejo-mailer-password.age
--- a/secrets/phantom-mastodon-mailer-password.age
+++ b/secrets/phantom-mastodon-mailer-password.age
@ -1,13 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa BwwxHg
 Mnc+/tJ0QqxHkg2nl9gEkz5Oj1RgxtOZnD5gRv66ISUOqZhNm1+F+xVEdKn843/q
 /WzH0f1cTF9NXP8vIaEo//bMmp50obJAd+JNovJxV+0gb9L55Nu7ayvK+eyk6j5n
 eb8TxUnwh5BPkEyc6akDh/O49GXzLlVoFD6Ik/0f3YCqUDNAYOl2bsssXtevCeK/
 WEPoCFGhZfNUrOo/0eAhiujZZ5zVb0CWNqXi8VTe2eWOE20VJULcN13TEyO3ZePx
 bAPBmDfS5GgGlV4INWxVLaIMDrzlm0tYozbBNNUbdLFFOhIOrgvay9RWxdk0u2hJ
 MPKoKsJ96EFxrbZJdS0W7a+aZk/Q3A3Civ2rtPx+5UANhmlY8e1lUHa26e1vA4K7
 ApoMtDyCbuZ9FbLurwl9zO64wWP68aKzuyKOIw+wpy41NQ/PcViSY8KNG9Pt7A2N
 CcOkByx+rwz+JdNHbOF8O4FFG4fNSWn7SvVtu5ymGgVi1bOd8PdJpjDR+6Is0SX7
 --- DHNyITb7ZseEV58MOD/zHeH5vff0hhlbKg27rlYECGk
 ÆJ…¨Úãè·<hUs/¿ïš}ó´Zi`ˆ‘ 'ÂJŸ°z5ùÃgõãŸ%€ì‡`¤º%/˜‚±<01>ˆ„á-Î<x—íõÉ’|
--- a/secrets/phantom-nextcloud.age
+++ b/secrets/phantom-nextcloud.age
@ -1,15 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa BwwxHg
 bpGCgyaAPDutva1Gp/YPuek6IZTXJHKb7+oIAV/x+7Ry4Oci9zM2VWvPVE/rPE/d
 0AzBX1NvsWBB005w42RfiErk4FQYRCouwNR1FNjUWNdQOmku++RPfxBXspAFIDkQ
 yM7mqbhwf5by5rZY+2kl20QxkErkVtZolus1am9RV4uyXfdPaRcKjWOuPiEim42d
 YdeCXq4nJGxlL3tRunIqLIZGhV08wHBl7Dubhn9hdD6/ekDk0RloVTBDZUY5tUPL
 dJk+bfFPI0DimytzCwyQbWEHOkdiWYSNzbx2JhTSvuqefHP1UzB2LukaQc2gOJFV
 mVKvQuGpOWknytMUhM6zCTvRw4OQutAZd96OniQYTas/vnmfT2l2n9aMEzQK157A
 U9DmsvhBypILiQSPpA7QrGB1QVuRjAFJA86ASY1FAT6MdBBK4vZ8fK7mpT06JO/n
 gwv+UlvFBziWHzA/1GOLrfD+ExjmbeucRZr5XGszrAaK/7GPZt4LF69hRmKegL94
 -> 9I3~SC,<-grease M$2 RibFL]C
 uR6MirHtTc4Tyrcw3T2my+BN2Q
 --- 56zk9BqgwQqNymga1mUDgpvtfIpMy5i/JnaSXbjx6jk
 ÞQÚÞ—Ž)NâÿÚ¦¨Žß‘-†ŸÀ ÷ÑDz-ÖIÅß-°]p$ÉX5æT·PU=u;kæ8}wÁV¦mšç=
--- a/secrets/phantom-renawiki.age
+++ b/secrets/phantom-renawiki.age
@ -1,16 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa BwwxHg
 BUJ9L1bwZ0RWj3FmMghmZDkY4iuc0gujS3Rfat+hj/pg+MALZ69Tovc5RnqmOZT/
 pTGPTzWj3WO70YU+wCUHKZ74JcKdL3wSD1FWOWYRvyDV3gxZjDTjw4Grs+sH9M4Z
 MrhdoyY95fhmGZHJ7Qkx/aKCAK/OaFSu5Vhh37ykmLd1gQ9NJYQ+G3lLr1Mrqjd/
 1QaBqJtJpAFTA0eCd3+oBtQ/qgHD2ZBJcOmkS9sRC6S4YKNoyoDifTbL29aJC4f/
 08myI0WH/ApbtN1hWuiVWibmy/9/76IAvgUqi8fULNY5w7Otz3nKGV+mDA5+oD11
 jCHZJdcec9JFyZ/V2mh/PoHpNawksNPy85eJ0MpM1avM25Qib8kWJM6fnZb7uJzt
 DsYCl2q4ILnTaieuTSJUfgacKbrwSv7MQfgdh1SkXAShyZ7aSCoDhsgSdOVwYoAX
 Mspm0NtodeV7493qZwYspO6H0xbfh20vXa1DOeMt98T1iP0aYYhfRXkb0wACx1QF
 -> \z/RLj3S-grease cmv( uCkG*= .cX3S 9r^&
 OVTVTnB3PjD4COiRCtQ
 --- EhfDqxfjLIHF9Sa7V4ytO1xsRK8p23WDsWcB9/B9fRw
 .ß=–£))/’ö‰Í¹êÒ‹#´ýLÁƒŒÓ‰Ž—|p
 7	ÍñÄKä®7ò²Š@üCJfš:w6Pè•@@/N<>7¿
--- a/secrets/phantom/default.yaml
+++ b/secrets/phantom/default.yaml
@ -0,0 +1,62 @@
 hello: ENC[AES256_GCM,data:UJAAdOL7wzQ1LduTyW+XK2NtXyw/u/Yz28Bmd7OoBe41FVLKwVfvdI1nAwYuNQ==,iv:7kPT2HF5T498bUJ9hUlz5Ez/jn1g7YIUVbJOTW/CHhQ=,tag:KJhJPg8AStyW4roEbEUJ2g==,type:str]
 example_key: ENC[AES256_GCM,data:DcLN+C1BQ6WZg5fRiA==,iv:JC3GTWn4a4RekAHdOQB3YV5+eGa4cUK1JjyTPe8eNHY=,tag:W9CV4rsgHuXyqpWpUxlIQg==,type:str]
 #ENC[AES256_GCM,data:RjdYJNz6qGfbsU/AiBeLlQ==,iv:LjRzSjBXp44cGSqUUfRDNLC9cW4Vd7lfsqDWINt31VA=,tag:NzVm1h9CVKE2XXt300aR/g==,type:comment]
 example_array:
    - ENC[AES256_GCM,data:K9j/t8MDibYO8Frhu1M=,iv:YnrxRnJJwTH6DJC6Bv/d1NUnX2ZPFwsjoji7L1Z+d7s=,tag:Dm7xCUlnjKdXHCuk8lwY8w==,type:str]
    - ENC[AES256_GCM,data:0g6ACJzEHBtukwQYYTY=,iv:xLBJWfOYkX7Y28N01CX2+d5QOr9VGAhInH6pa1hNSGE=,tag:tCkCigo4yhi6YKVMe3Z3lQ==,type:str]
 example_number: ENC[AES256_GCM,data:R+/m/QVBH9/3DA==,iv:FumBUj97ICrRQmyh5fg8Gu9Lba9oITD1pdsr1I/PCf0=,tag:hguw1gpPI3w64fG1WLnJqA==,type:float]
 example_booleans:
    - ENC[AES256_GCM,data:VvI5ag==,iv:koMzyWcua75sK19vuk65oywCD61lMyH3xUwue8LTqy4=,tag:2ym1M0FTwevLm7wefTUWAw==,type:bool]
    - ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool]
 forgejo:
    smtp_password: ENC[AES256_GCM,data:g/Uqmtp8A9pas5WcslwnGCKSXv7dYSRMA8wKm7DWpvssVRZJ,iv:vNBqdTlZ5mg0AhjMNr8rUts1rDBYmq03tdiceVN3xjs=,tag:M3qfiZEWvJN/XUjjmnAXqA==,type:str]
 invidious:
    settings.json: ENC[AES256_GCM,data:wzbBnj3qrhw+clHpetEm/FYs+zkMM0kG0JO97E2wPEPaoBZDuOy3BRAbzmwkn4RUEt2hWVN89/A1qweXuuScXt5LSgaQXFXmGQQ2RzXY7K7Pr3uBNol53pnNQI5M6Mi1bif26rdiwznE0QgZCuptadhPcHbCaWB2QrXyYDdTdvQ6Wd+ZueSXPXCjpRnXaqZzTFc5VJf09wqTFahUvVkgjkhgiLVUu218b8xghekJLwJ3bKwmXuXsnmGSQjFry6ttbFPQJawVXWqsiNY7iaE0k1K3NKcTu5Fm2XiriPTKuGM51EXrqaw97ywWN8JEBGxZTk7kcWg2tAf9ddOewYMG,iv:2oDgPdFihZ9O8IkAydL2DtlUtCBUw70u2F2Rn+eW9rs=,tag:zvdZbEdQzbtWgft+i00ufQ==,type:str]
 mastodon:
    smtp-password: ENC[AES256_GCM,data:ciRTgcCKueSiYerBjWHOD4c9wlpMlcV9jiFaEWFh92vgA6J9,iv:TAaPiMIL8Yfd9k4j9dN40dWqQWAPb+24ngvPC7GTrlE=,tag:+7fGAN7FKiPIWvdsQXGqxg==,type:str]
 nextcloud:
    default-password: ENC[AES256_GCM,data:mR0KRCheXh6NBVn+odK9Kx0e4njJDuZ6OS37Iw==,iv:PAb/sCt7hq5WKZwr4FMfiMqf7mGvpXQEnZcbzmDz9oI=,tag:ukBDHbFKrStXckzuE1TwJA==,type:str]
 writefreely:
    password: ENC[AES256_GCM,data:5hzvM8Aitvj4Hb/RgViV1QjsnpQqln0k1nZvEz8Y7vdZvcHo,iv:Wi+pKcGqi09050sitgxt/+hYGF2mlmYC0SDjmqSWPr4=,tag:V0KSBgIV4fgMbxuADVTxrA==,type:str]
 syncthing:
    password: ENC[AES256_GCM,data:s3EMaGJGSwGxgajdHfWpblAU1Ows/h5JzS6PB9jU/BfmSMvG,iv:E2Exhs2f2v16iovexQGm9HUMxpLrY2uQ8OS/rOawj08=,tag:QXesaGB9v+yPnokZh6DMWA==,type:str]
 sops:
    age:
        - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXhsMHQvb0NyUXRkRDE3
            TjVjb2orQktDMGs4U2JUS3hWdmtMdnhuYnhBCi9VU1RVblZPaW14VGxMcjM0N20z
            R1pOdUJZc1ZGcjBsTnNaZGhleVR6L1kKLS0tIE5vQkFhVXd0R3ZQSzZkNmVqN1Vj
            NERXdlJhVHF0NWpNT29CNlRid2NYMVUKxg7kbP6dOZDUz0uxdC45DZCAa6GQTQ1x
            nIb7lvPW4xFIb0bOZuvc7cAbHjf4So+8zvA0MM4mkTmIDpnwGD5Clg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcTJGVmZUenNwYVNjRFlU
            VXNBeDdpVFVtSTN5TG9VN0Q1WjRFbjlHd0Z3CjFsU1BsNkZ1a1ZkY2lva3lBUWZ3
            YUpqeEo0Tys1bDk0TEpwQTJ2U29kbjgKLS0tIFJDYWpNemY4NXZ0MkM0YWNldDBE
            RU1HSUhldHpzeURaUWQvcjBCQ3pMY2cKYL87Njs4e68zu5AXKNF/hxiB3HduS8wz
            o0kmGI58DZx17+Cdipw0ab9a9wiu9C9Fn+LaiCcdM/ESXtS79RzdbQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-02-22T12:00:25Z"
    mac: ENC[AES256_GCM,data:AZm1yDw8whCTufBYbiug3i1e1YQRVprOMFTSR6GvvPDXD8ouvwSqoqYbmL7Cm1GxEG5WME1Z/tRzBzN2rU0gleGpXAXb/C+nF3R4PEHdPg25b0vfWAShZHb1YZGpMwkAd3H69y7yJclXeE2sFKx85DUGieYELelrzF9hT8jceHE=,iv:74M+68IAx0Kv7MCAe4Hsj/oTRJP6XOZNc2bxc1Ot5kI=,tag:XfocOwXlpM9WYHVHGs0MWg==,type:str]
    pgp:
        - created_at: "2025-03-07T22:49:19Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQEMAzy6JxafzLr5AQf/Zw+EB0lFpbul4KmHL3ndbhQCHzhkMgG6vEyj7EpjHQxE
            nwf9kRrTcRh9YdrgR+5PFRnFJ8+L+gZhk+V/GaEPcEUyskOX/YGTSp1u6pXKGEem
            TGojrIx0WwcmeCZUn+qCehbC7ZU64NDDmb7VeWnRkMbboU6UVooHUub88VsbnYw2
            XXtXh4G8isrbyAKzUyypnJnEVbKlVqPOL67BYczjyBqMYc1JVLmBy6nP+sv6q/yo
            QyDzlunmZtu52dwAL0L6wJF+novLr4W9cso4K5UVv2sp5M8gucuiY2obiB3vNfgO
            q9GZTlMWnyDGflM1w+tzpZ/Ke+sM4dSy3cXpZd+MFNJeAaBJ1owjolb4tPUXlt+W
            cJ+SFLWxzH8MsPb+Hfxrt8PPCcv67uch/k50PLYs/V/EM59+mgEJe5LY4rMbUSFw
            REGL3LA6Cnkl2bUeHlfG7XlztHd/ehmZM2RPKof+Qw==
            =htZl
            -----END PGP MESSAGE-----
          fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age
+++ b/secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age
@ -1,13 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa BwwxHg
 KCVF4Sy49stOeQs2uunYKkvadqeimmWlJ4ucEJxfXy2z+OkkZpixUnWgJEH2nCa4
 NL/F0Wezbqvh+Texl4FlHN8PT2w/d5gdg/L+fI4jBYCvbbiHA4sdUgmXWigY8zrU
 5H7Y9mgb1Y174fA6zfTCk2fHmk+KARoV27YrS2fzGoVQiPhnvv8ZT51eF1E+Zs4I
 +YtXehxEOqYljJKYJJnF9ElzfNa8nypACGtcjTE8eEq0DlZu2U7qV+QWwQudHbcs
 MbFR2VtkHWQaNdK1vVBGND1CMlfshSCqbUzGcexownMiCVSal1RKA2uAWnYdOEc/
 QSR8cKn8QQ5dyPFCqZ8RnlCMUegCVLg5cC0/rlTUD0C/Ti2SRBYTH3HvJjmSNk8k
 3LdcNwK4YtG4d1gkqLVjwCM1Yg8I/UICb5nQYclvBz5VQ2drvL/gU/+Vc7Z5KUFI
 0G/7uNmeJ16Eky+X9c73ZZxVqm0TzDENE2GzkPhBHEfXBR+4j6m8KKEWxQmA2ZSg
 --- Oq9wU0h90iU/8g1XTNI+LuAg7t09hngj9DCK91V1+pg
 Ï‡võ’P·Êì}ÓN,×ÿWl?y0)‘eVw‰©Aði±ýê•Å<E280A2>Sm¥œ¼¸à‡ì>‰ð°ÑD“ÂQž¦C-ùëB†Ôáôôø0ŽúVµ|÷=ŽXÊ6©ë ¢œ‹W<E280B9>>ãÒì~·-qIÞ%
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,20 +0,0 @@
 let
  main_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15";
 in
 {
  "rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [
    main_ssh_public_key
  ];
  "monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [
    main_ssh_public_key
  ];
  "gitlab-runner-thoreb-telemetria-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
  "monolith-forgejo-runner-token.age".publicKeys = [ main_ssh_public_key ];
  "lelgenio-cachix.age".publicKeys = [ main_ssh_public_key ];
  "monolith-nix-serve-privkey.age".publicKeys = [ main_ssh_public_key ];
  "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ];
  "phantom-writefreely.age".publicKeys = [ main_ssh_public_key ];
  "phantom-renawiki.age".publicKeys = [ main_ssh_public_key ];
  "phantom-forgejo-mailer-password.age".publicKeys = [ main_ssh_public_key ];
  "phantom-mastodon-mailer-password.age".publicKeys = [ main_ssh_public_key ];
 }
--- a/secrets/test.yaml
+++ b/secrets/test.yaml
@ -0,0 +1,55 @@
 hello: ENC[AES256_GCM,data:ADXdQUkrnh9lDrsHyInYsPBo21u/mIAH47KhGQsxuz5OshT6CoK+89CILEi9tQ==,iv:b/rnM77z69+pVO3kxQZxI2YzTCRiBwwO5fhcwCB2/CI=,tag:A0FOXIfgIkJawV3QhlJPWQ==,type:str]
 example_key: ENC[AES256_GCM,data:gXXl6hhdYNLC1Grmyw==,iv:miSL7Wdewd5zs4A86/r8OW6gK+PGZJ+gaqZRHHxvZos=,tag:Ty+IaoXdMSEThNPRjwhqTA==,type:str]
 #ENC[AES256_GCM,data:FLhydTaiOqLRFk+ZrgGx9Q==,iv:TqhX2ylJKFQjdOpmwCER1+gRe4iR+I0hkVkNnYH4ESo=,tag:1BSk9TKqTma4MVUMswwmog==,type:comment]
 example_array:
    - ENC[AES256_GCM,data:1sIEL3xGDAygUKoodBA=,iv:1DumVv8vDvhT/K0jXM1vHdrFTE7dIxqqjS8CIpWdnc8=,tag:WSs+3a816zVOaGCTElxgFQ==,type:str]
    - ENC[AES256_GCM,data:tFi1czQnVgX/nlWrJrs=,iv:isH65ldilVe3EjsKNP/dOKgtWZtHQPw364fPHBI+LEw=,tag:Ka5ywriFptKg3+lIHPEIyA==,type:str]
 example_number: ENC[AES256_GCM,data:sxSM8a9oAp+u6g==,iv:KRLfIxZuBsnK+QE4mqm3pyhJmE7Fsd4ykJA++KrOnEQ=,tag:F5EkVUzw06ulr5jZvlTJdg==,type:float]
 example_booleans:
    - ENC[AES256_GCM,data:PDts2Q==,iv:qtfKg5gmUw2aERJe3gfT15Pk7mWocXwKdJhAzSic1o0=,tag:gn1sWsgt9ihYF8bHAkAQwQ==,type:bool]
    - ENC[AES256_GCM,data:o9as7T0=,iv:YXyTB2X9PmTsOd37+BAp2xnT/+Yzyajcn5y1GE1O5rE=,tag:hyXA43jpyAbgH2hg1ivloQ==,type:bool]
 sops:
    shamir_threshold: 1
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUURIQmZvSVp3aXlFT0RR
            VHVBR0drN2JyV1hNUk5sakxGRXl6SEJuOUUwClQ1Q1lRZTR5R3Z4dlZyb29OaTNW
            UVcwV3h6UlhtZkg2aFhrUUtIT0tQRmsKLS0tIDlnckhHWXRKcmRwTGUzdHZxWEVh
            a3ZSWk0wNm1raXdMYXdKY1hDd2dZWUEK+IFU/9vsHu70XbSJ7sKqFncrZO3NAH8/
            X/XF1VUmIuDfQZYJsDa4HaXe52xvDWTw3/4frG9HutEI2NcvvRpxlw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRGxFWXJVcDZOdzVxaFJG
            LzdhN3JKaFhPOVBlblRPNWpDdERPaWhDNkM0CmcvUGxNQ09tNTJndWZTdjFia2pl
            RnNWQ0ZKSFhEN0FNbVZlKzlFUlh5QTgKLS0tIFkwc1pJajlyOGNHSTdaM3FQZWFK
            NUJpRDlLNXlGOTNBbVRTU0ZMVkhqdUUK1koXmGDGTKoNx1wp4c9EknY9LQ5a7dQP
            Zx6OzvtpsxL6KGjH7BeNNcm2zOR4YqnklLq09UsPHElz2upJQzECAQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-07T22:49:01Z"
    mac: ENC[AES256_GCM,data:yma+7wtzVjCzlLOVpqiicjQ9YN1ttzoh8CpcAtjdtVl6gu7/3FXUKYyAWJd+1NUUpK7vN435gOq9/nsig0FRrn0Hgq0+cjFUGS6+6+SPmL97eFvti89gCOeIFhPvBnJQYJLiyVkUcBek4xW+vnt6UgrTy+sD9AT3KHdBlfu3pzY=,iv:ioswFO5KDAL3Bv7MI8V0aWXXxZZIz1M1PyMUbIMnCRI=,tag:5fUBtqz9J2qvY4fUT2ueoQ==,type:str]
    pgp:
        - created_at: "2025-03-07T22:49:20Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQEMAzy6JxafzLr5AQf/Xok7aBMNT6W3LV2Ekx/ccxEZaZ0aVNKHE9aFTz5kBSpu
            cXVohu5mEgeXr++HbrsCI821/gfchQ1yzVSLJsSrmZdJ586c3a7pWx2Eo4pcngmy
            vb5UWtTBNogABnLz4iTjVQYLjZeNcNhkzW6s3m9PiaX3AvJP9irPcmwIyYpzd9pt
            hngnBsdTis52fmvZ6+wOuMyTZU0Iksknom1De8xqgR5ZuO0Vitt19RGbpVhx96AC
            t1CUkb5WMFTdpbCFORa/ta9Z7UcKxXTAPsfPkPVG9DnHQ1jSmsJWPDQZxoIJLHuH
            SVV+qfRGndOo9fjExCInX6I5wBlrHrdpGtL7VLczV9JeAXYlMJwH63eOyi8hxxtr
            KfTJEIALC25uFhoK8bmr30yVZe7thUPMXfht+R5dlHne7+FcBb4k7YLpeN/M40me
            CSKk+9YaG7gQIdrfvEXlHSPCPppcKev6ZUspHewhmQ==
            =IMON
            -----END PGP MESSAGE-----
          fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/settings/default.nix
+++ b/settings/default.nix
@ -1,6 +1,18 @@
 { lib, ... }:
 {
  options = {
-    my = lib.mkOption { };
+    my = {
      themes = lib.mkOption { };
      key = lib.mkOption { };
      theme = lib.mkOption { };
      accent = lib.mkOption { };
      font = lib.mkOption { };
      username = lib.mkOption { type = lib.types.str; };
      mail = lib.mkOption { };
      dmenu = lib.mkOption { type = lib.types.str; };
      desktop = lib.mkOption { type = lib.types.str; };
      browser = lib.mkOption { type = lib.types.str; };
      editor = lib.mkOption { type = lib.types.str; };
    };
  };
 }
--- a/24
+++ b/24
@ -1,13 +1,29 @@
 #!/usr/bin/env bash
-nix fmt
+set -euo pipefail
 nix fmt --option warn-dirty false
 # Allow usage of untracked files in nix code
 git add --intent-to-add .
 # I only use warn-dirty=false because of this
 git --no-pager diff
-sudo nice ionice \
+run() {
    nixos-rebuild \
        switch \
-    --verbose \
+        --sudo \
        --option warn-dirty false \
        --print-build-logs \
        --flake .# \
-    $@
+        "$@"
 }
 if which nom >/dev/null; then
    run --log-format internal-json \
        "$@" \
    |& nom --json
 else
    run "$@"
 fi
--- a/6
+++ b/6
@ -1,6 +0,0 @@
 #!/bin/sh
 ./switch \
    --option extra-substituters "http://nixcache.lelgenio.1337.cx:5000" \
    --option extra-trusted-public-keys "nixcache.lelgenio.1337.cx:HZCwDaM39BOF+MLuviMQTUrz3rBWLTLV9H+GV4zcxVI=" \
    "$@"
--- a/system/android.nix
+++ b/system/android.nix
@ -0,0 +1,16 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  options.my.android.enable = lib.mkEnableOption { };
  config = lib.mkIf config.my.android.enable {
    # Open kde connect ports
    programs.kdeconnect.enable = true;
    programs.adb.enable = true;
  };
 }
--- a/system/boot.nix
+++ b/system/boot.nix
@ -2,7 +2,6 @@
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 {
@ -43,7 +42,7 @@
    };
    plymouth = {
      enable = true;
-      theme = lib.mkIf (config.my.desktop == "sway") "red_loader";
+      theme = lib.mkIf (config.my.desktop == "sway" || config.my.desktop == "niri") "red_loader";
      themePackages = with pkgs; [
        (adi1090x-plymouth-themes.override { selected_themes = [ "red_loader" ]; })
      ];
--- a/system/cachix.nix
+++ b/system/cachix.nix
@ -1,18 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 {
  services.cachix-watch-store = {
    enable = true;
    cacheName = "lelgenio";
    cachixTokenFile = config.age.secrets.lelgenio-cachix.path;
  };
  systemd.services.cachix-watch-store-agent = {
    serviceConfig.TimeoutStopSec = 3;
    # If we don't do this, cachix tends to timeout
    serviceConfig.KillMode = lib.mkForce "control-group";
  };
 }
--- a/system/configuration.nix
+++ b/system/configuration.nix
@ -2,15 +2,21 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 {
  config,
  pkgs,
  config,
  inputs,
  ...
 }:
 {
  imports = [
-    ./gamemode.nix
+    inputs.sops-nix.nixosModules.default
-    ./cachix.nix
+    inputs.home-manager.nixosModules.home-manager
    inputs.disko.nixosModules.disko
    inputs.niri-flake.nixosModules.niri
    ./niri.nix
    ./android.nix
    ./gaming.nix
    ./media-packages.nix
    ./boot.nix
    ./thunar.nix
@ -22,38 +28,45 @@
    ./locale.nix
    ./users.nix
    ./containers.nix
    ./nix-ld.nix
    ./network.nix
    ./sops.nix
    ./greetd.nix
    ./gnome.nix
    ./kde.nix
    ./home-manager.nix
    ../settings
  ];
-  my = import ../user/variables.nix;
+  my = import ../user/variables.nix // {
    android.enable = true;
    media-packages.enable = true;
    containers.enable = true;
    niri.enable = true;
  };
  zramSwap.enable = true;
  programs.adb.enable = true;
  services.udev.packages = [ pkgs.android-udev-rules ];
  # Enable touchpad support (enabled default in most desktopManager).
  services.libinput.enable = true;
  packages.media-packages.enable = true;
  environment.systemPackages = with pkgs; [
    pavucontrol
    glib # gsettings
    usbutils
-    # dracula-theme # gtk theme
+    adwaita-icon-theme # default gnome cursors
    gnome3.adwaita-icon-theme # default gnome cursors
  ];
  services.geoclue2.enable = true;
-  systemd.extraConfig = ''
+  systemd.settings.Manager = {
-    DefaultTimeoutStopSec=10s
+    DefaultTimeoutStopSec = "10s";
-  '';
+  };
-  services.logind.extraConfig = ''
+  services.logind.settings.Login = {
-    HandlePowerKey=suspend
+    HandlePowerKey = "suspend";
-  '';
+  };
  services.upower.enable = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
--- a/system/containers.nix
+++ b/system/containers.nix
@ -1,6 +1,15 @@
 { pkgs, ... }:
 {
  pkgs,
  lib,
  config,
  ...
 }:
 {
  options.my.containers.enable = lib.mkEnableOption { };
  config = lib.mkIf config.my.containers.enable {
    services.flatpak.enable = true;
    programs.appimage.enable = true;
    virtualisation.docker = {
      enable = true;
@ -12,9 +21,36 @@
          "--volumes"
        ];
      };
      daemon.settings = {
        # needed by bitbucket runner ???
        log-driver = "json-file";
        log-opts = {
          max-size = "10m";
          max-file = "3";
        };
      };
    };
    networking.firewall.extraCommands = lib.getExe pkgs._docker-block-external-connections;
    # Docker punches holes in your firewall
    systemd.services.docker-update-firewall = {
      script = lib.getExe pkgs._docker-block-external-connections;
    };
    systemd.timers.docker-update-firewall = {
      timerConfig = {
        OnCalendar = "minutely";
        Unit = "docker-update-firewall.service";
      };
      wantedBy = [ "multi-user.target" ];
    };
    programs.extra-container.enable = true;
    programs.firejail.enable = true;
    virtualisation.libvirtd.enable = true;
    environment.systemPackages = with pkgs; [ dnsmasq ];
    networking.firewall.trustedInterfaces = [ "virbr0" ];
  };
 }
--- a/system/fonts.nix
+++ b/system/fonts.nix
@ -3,8 +3,9 @@
  fonts.enableDefaultPackages = true;
  fonts.packages = with pkgs; [
    noto-fonts
-    noto-fonts-cjk
+    noto-fonts-cjk-sans
-    noto-fonts-emoji
+    noto-fonts-color-emoji
-    nerdfonts_fira_hack
+    nerd-fonts.fira-code
    nerd-fonts.hack
  ];
 }
--- a/system/gamemode.nix
+++ b/system/gamemode.nix
@ -1,27 +0,0 @@
 {
  config,
  pkgs,
  inputs,
  ...
 }:
 {
  programs.gamemode.enable = true;
  programs.gamemode.enableRenice = true;
  programs.gamemode.settings = {
    general = {
      renice = 10;
    };
    # Warning: GPU optimisations have the potential to damage hardware
    gpu = {
      apply_gpu_optimisations = "accept-responsibility";
      gpu_device = 0;
      amd_performance_level = "high";
    };
    custom = {
      start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
      end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
    };
  };
 }
--- a/system/gaming.nix
+++ b/system/gaming.nix
@ -0,0 +1,65 @@
 {
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 {
  options.my.gaming.enable = lib.mkEnableOption { };
  config = lib.mkIf config.my.gaming.enable {
    programs.steam.enable = true;
    programs.steam.extraPackages =
      config.fonts.packages
      ++ (with pkgs; [
        capitaine-cursors
        bibata-cursors
        mangohud
        xdg-user-dirs
        gamescope
        # gamescope compatibility??
        xorg.libXcursor
        xorg.libXi
        xorg.libXinerama
        xorg.libXScrnSaver
        libpng
        libpulseaudio
        libvorbis
        stdenv.cc.cc.lib
        libkrb5
        keyutils
      ]);
    environment.systemPackages = with pkgs; [
      protontricks
      bottles
      dzgui
    ];
    programs.gamemode = {
      enable = true;
      enableRenice = true;
      settings = {
        general = {
          renice = 10;
        };
        # Warning: GPU optimisations have the potential to damage hardware
        gpu = {
          apply_gpu_optimisations = "accept-responsibility";
          gpu_device = 0;
          amd_performance_level = "high";
        };
        custom = {
          start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
          end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
        };
      };
    };
    programs.corectrl.enable = true;
  };
 }
--- a/system/gitlab-runner.nix
+++ b/system/gitlab-runner.nix
@ -1,21 +1,18 @@
 { pkgs, lib, ... }:
 {
-  mkNixRunner =
+  pkgs,
-    authenticationTokenConfigFile: with lib; rec {
+  lib,
-      # File should contain at least these two variables:
+  inputs ? null,
-      # `CI_SERVER_URL`
+  ...
-      # `REGISTRATION_TOKEN`
+}:
-      inherit authenticationTokenConfigFile; # 2
+let
-      dockerImage = "alpine:3.18.2";
+  installNixScript =
-      dockerAllowedImages = [ dockerImage ];
+    {
-      dockerVolumes = [
+      authenticationTokenConfigFile,
-        "/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
+      nixCacheSshPrivateKeyPath ? null,
-        "/nix/store:/nix/store:ro"
+      nixCacheSshPublicKeyPath ? null,
-        "/nix/var/nix/db:/nix/var/nix/db:ro"
+      ...
-        "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+    }:
-      ];
+    pkgs.writeScriptBin "install-nix" ''
      dockerDisableCache = true;
      preBuildScript = pkgs.writeScript "setup-container" ''
      mkdir -p -m 0755 /nix/var/log/nix/drvs
      mkdir -p -m 0755 /nix/var/nix/gcroots
      mkdir -p -m 0755 /nix/var/nix/profiles
@ -29,23 +26,70 @@
      . ${pkgs.nix}/etc/profile.d/nix.sh
      ${pkgs.nix}/bin/nix-env -i ${
-          concatStringsSep " " (
+        lib.concatStringsSep " " (
          with pkgs;
          [
            nix
            cacert
            git
            openssh
            docker
          ]
        )
      }
      ${lib.optionalString (nixCacheSshPrivateKeyPath != null && nixCacheSshPublicKeyPath != null) ''
        NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
        NIX_CACHE_SSH_PUBLIC_KEY_PATH="${nixCacheSshPublicKeyPath}"
        . ${./gitlab-runner/nix-cache-start}
      ''}
    '';
 in
 rec {
  mkNixRunnerFull =
    {
      authenticationTokenConfigFile,
      nixCacheSshPrivateKeyPath ? null,
      nixCacheSshPublicKeyPath ? null,
      ...
    }@args:
    {
      # File should contain at least these two variables:
      # `CI_SERVER_URL`
      # `REGISTRATION_TOKEN`
      inherit authenticationTokenConfigFile; # 2
      dockerImage = "alpine:3.18.2";
      dockerPullPolicy = "if-not-present";
      dockerVolumes = [
        "/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
        "/nix/store:/nix/store:ro"
        "/nix/var/nix/db:/nix/var/nix/db:ro"
        "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
        "/tmp:/tmp"
        "/var/run/docker.sock:/var/run/docker.sock"
        "/var/lib/docker/containers:/var/lib/docker/containers"
        "/cache"
      ]
      ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
        "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
      ]
      ++ lib.optionals (nixCacheSshPublicKeyPath != null) [
        "${nixCacheSshPublicKeyPath}:${nixCacheSshPublicKeyPath}"
      ];
      # dockerDisableCache = true;
      preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";
      environmentVariables = {
        ENV = "/etc/profile";
        USER = "root";
        NIX_REMOTE = "daemon";
        PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
        NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
        NIX_PATH = if inputs != null then "nixpkgs=${inputs.nixpkgs}" else "";
      };
    };
  mkNixRunner =
    authenticationTokenConfigFile:
    mkNixRunnerFull {
      inherit authenticationTokenConfigFile;
    };
 }
--- a/system/gitlab-runner/nix-cache-start
+++ b/system/gitlab-runner/nix-cache-start
@ -0,0 +1,49 @@
 #!/bin/sh
 echo "nix-cache: Setting up ssh key and host" >&2
 STORE_HOST_PUB_KEY="$(cat "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" | base64 | tr -d '\n')"
 STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY"
 echo STORE_URL="$STORE_URL" >&2
 NIX_EXTRA_CONFIG_FILE=$(mktemp)
 cat > "$NIX_EXTRA_CONFIG_FILE" <<EOF
  extra-substituters = $STORE_URL
 EOF
 echo "nix-cache: Adding remote cache as substituter" >&2
 export NIX_USER_CONF_FILES="$NIX_EXTRA_CONFIG_FILE:$NIX_USER_CONF_FILES"
 echo "nix-cache: Setting up nix hook" >&2
 nix() {
    echo "nix-cache: executing nix hook" >&2
    command nix "$@"
    local STATUS="$?"
    local BUILD=no
    if test "$STATUS" = "0"; then
        for arg in "$@"; do
            echo "nix-cache: evaluating arg '$arg'" >&2
            case "$arg" in
                build)
                    echo "nix-cache: enablig upload" >&2
                    BUILD=yes
                ;;
                -*)
                    echo "nix-cache: ignoring argument '$arg'" >&2
                ;;
                *)
                    if test "$BUILD" = yes; then
                        echo "nix-cache: Sending path $arg" >&2
                        command nix copy --to "$STORE_URL" "$arg" || true
                    else
                        echo "nix-cache: not building, ignoring argument '$arg'" >&2
                    fi
                ;;
            esac
        done
    else
        echo "nix-cache: nix exited with code '$STATUS', ignoring" >&2
    fi
    return "$STATUS"
 }
--- a/system/gnome.nix
+++ b/system/gnome.nix
@ -1,18 +1,24 @@
 { pkgs, lib, ... }:
 {
-  services.xserver = {
+  config,
-    enable = true;
+  pkgs,
-    desktopManager.gnome = {
+  lib,
  ...
 }:
 {
  options.my.gnome.enable = lib.mkEnableOption { };
  config = lib.mkIf config.my.gnome.enable {
    services.xserver.enable = true;
    services.displayManager.gdm.enable = true;
    services.desktopManager.gnome = {
      enable = true;
      # Enable VRR (Variable Refresh Rate)
-      extraGSettingsOverridePackages = with pkgs; [ gnome.mutter ];
+      extraGSettingsOverridePackages = with pkgs; [ mutter ];
      extraGSettingsOverrides = ''
        [org.gnome.mutter]
        experimental-features=['variable-refresh-rate', 'scale-monitor-framebuffer']
      '';
    };
    displayManager.gdm.enable = true;
  };
    # Workaround for https://github.com/NixOS/nixpkgs/issues/103746
    systemd.services."getty@tty1".enable = false;
@ -32,16 +38,14 @@
    programs.gpaste.enable = true;
-  # services.xserver.displayManager.autologin.user = "lelgenio";
+    environment.systemPackages = with pkgs; [
  environment.systemPackages =
    with pkgs;
    with gnome;
    [
      gnome-tweaks
      dconf-editor
-      chrome-gnome-shell
+      gnome-browser-connector
      gnomeExtensions.quick-settings-audio-devices-hider
      gnomeExtensions.user-themes
      gnome-pass-search-provider
    ];
  };
 }
--- a/system/greetd.nix
+++ b/system/greetd.nix
@ -14,6 +14,8 @@ let
    ;
  cfg = config.login-manager.greetd;
  isSway = desktop == "sway";
  isNiri = desktop == "niri";
 in
 {
  options.login-manager.greetd = {
@ -25,8 +27,7 @@ in
    # Enable the X11 windowing system.
    services.xserver.enable = false;
-    # enable sway window manager
+    programs.sway = lib.mkIf isSway {
    programs.sway = {
      enable = true;
      package = pkgs.mySway;
      wrapperFeatures.gtk = true;
@ -37,17 +38,27 @@ in
    xdg.portal = {
      enable = true;
      wlr.enable = true;
      # Always pick the first monitor, this is fine since I only ever use a single monitor
      wlr.settings.screencast.chooser_type = "none";
      # gtk portal needed to make gtk apps happy
      extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
    };
    services.greetd =
      let
        start-session = pkgs.writeShellScriptBin "start-session" (
          if isNiri then
            ''
              mkdir -p ~/.local/share/niri
              exec niri-session 2>&1 | tee -a ~/.local/share/niri/niri.log
            ''
          else
            ''
              mkdir -p ~/.local/share/sway
              exec sway 2>&1 | tee -a ~/.local/share/sway/sway.log
            ''
        );
        greetd_main_script = pkgs.writeShellScriptBin "main" ''
-          export XDG_CURRENT_DESKTOP=sway GTK_THEME="${theme.gtk_theme}" XCURSOR_THEME="${theme.cursor_theme}"
+          export XDG_CURRENT_DESKTOP=${desktop} GTK_THEME="${theme.gtk_theme}" XCURSOR_THEME="${theme.cursor_theme}"
-          ${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c ${desktop}
+          ${pkgs.gtkgreet}/bin/gtkgreet -l -c ${lib.getExe start-session}
-          swaymsg exit
+          ${lib.optionalString isSway "swaymsg exit"}
        '';
        swayConfig = pkgs.writeText "greetd-sway-config" ''
          # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet.
@ -70,15 +81,16 @@ in
        enable = true;
        settings = {
          initial_session = {
-            command = desktop;
+            command = lib.getExe start-session;
            user = "lelgenio";
          };
          default_session = {
-            command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
+            command = "dbus-run-session -- ${pkgs.sway}/bin/sway --config ${swayConfig}";
          };
        };
      };
    environment.systemPackages = with pkgs; [
      niri
      sway
      swaylock
      swayidle
--- a/system/home-manager.nix
+++ b/system/home-manager.nix
@ -0,0 +1,13 @@
 { config, inputs, ... }:
 {
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
    users.lelgenio = {
      my = config.my;
      # Don't add other modules here, add them in home.nix
      imports = [ ../user/home.nix ];
    };
    backupFileExtension = "bkp";
  };
 }
--- a/system/kde.nix
+++ b/system/kde.nix
@ -1,15 +1,19 @@
 { config, pkgs, ... }:
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  options.my.kde.enable = lib.mkEnableOption { };
  config = lib.mkIf config.my.kde.enable {
    # Enable the X11 windowing system.
    services.xserver.enable = true;
    # Enable the KDE Desktop Environment.
-  services.xserver.displayManager.sddm.enable = true;
+    services.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
+    services.desktopManager.plasma6.enable = true;
    # services.xserver.displayManager.autologin.user = "lelgenio";
    programs.dconf.enable = true;
-  # environment.systemPackages = with pkgs;
+  };
  #   with gnome; [
  #     gnome-tweaks
  #     dconf-editor
  #   ];
 }
--- a/system/locale.nix
+++ b/system/locale.nix
@ -2,7 +2,7 @@
 {
  time.timeZone = "America/Sao_Paulo";
  environment.variables.TZ = config.time.timeZone;
-  i18n.defaultLocale = "pt_BR.utf8";
+  i18n.defaultLocale = "pt_BR.UTF-8";
  # Configure keymap in X11
  services.xserver.xkb = {
--- a/system/media-packages.nix
+++ b/system/media-packages.nix
@ -5,20 +5,20 @@
  ...
 }:
 let
-  cfg = config.packages.media-packages;
+  cfg = config.my.media-packages;
 in
 {
-  options.packages.media-packages = {
+  options.my.media-packages = {
    enable = lib.mkEnableOption "media packages";
  };
  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      down_meme
-      yt-dlp
+      unstable.yt-dlp
      ffmpeg
      obs-studio
      imagemagick
-      mpc-cli
+      mpc
      helvum
      gimp
      inkscape
--- a/system/monolith-gitlab-runner.nix
+++ b/system/monolith-gitlab-runner.nix
@ -1,24 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (pkgs.callPackage ./gitlab-runner.nix { }) mkNixRunner;
 in
 {
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  virtualisation.docker.enable = true;
  services.gitlab-runner = {
    enable = true;
    settings.concurrent = 4;
    services = {
      # runner for building in docker via host's nix-daemon
      # nix store will be readable in runner, might be insecure
      thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path;
      thoreb-itinerario-nix = mkNixRunner config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path;
    };
  };
  systemd.services.gitlab-runner.serviceConfig.Nice = 10;
 }
--- a/system/mouse.nix
+++ b/system/mouse.nix
@ -10,6 +10,6 @@
    MatchBus=usb
    MatchVendor=0x046D
    MatchProduct=0x4099
-    AttrEventCode=-REL_WHEEL_HI_RES
+    AttrEventCode=-REL_WHEEL_HI_RES;-REL_HWHEEL_HI_RES;
  '';
 }
--- a/system/network.nix
+++ b/system/network.nix
@ -6,8 +6,6 @@
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Enable networking
  networking.networkmanager.enable = true;
  # Open kde connect ports
  programs.kdeconnect.enable = true;
  networking.firewall = {
    enable = true;
@ -15,7 +13,7 @@
  };
  # Enable CUPS to print documents.
-  # services.printing.enable = true;
+  services.printing.enable = true;
  security.rtkit.enable = true;
  services.openssh = {
@ -27,4 +25,15 @@
      KbdInteractiveAuthentication = false;
    };
  };
  services.fail2ban.enable = true;
  # Workaround for nm-wait-online hanging??
  # Ref: https://github.com/NixOS/nixpkgs/issues/180175
  systemd.services.NetworkManager-wait-online = {
    serviceConfig.ExecStart = [
      ""
      "${pkgs.networkmanager}/bin/nm-online -q"
    ];
  };
 }
--- a/system/niri.nix
+++ b/system/niri.nix
@ -0,0 +1,18 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  options.my.niri.enable = lib.mkEnableOption { };
  config = lib.mkIf config.my.niri.enable {
    programs.niri.enable = true;
    niri-flake.cache.enable = true;
    environment.systemPackages = with pkgs; [
      fuzzel
      xwayland-satellite
    ];
  };
 }
--- a/system/nix-ld.nix
+++ b/system/nix-ld.nix
@ -0,0 +1,21 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 {
  options.my.nix-ld.enable = lib.mkEnableOption { };
  config = lib.mkIf (config.my.nix-ld.enable) {
    programs.nix-ld = {
      enable = true;
      libraries =
        with pkgs;
        # run appimages + linux games natively
        [ fuse ]
        ++ (appimageTools.defaultFhsEnvArgs.multiPkgs pkgs)
        ++ (appimageTools.defaultFhsEnvArgs.targetPkgs pkgs);
    };
  };
 }
--- a/system/nix-serve.nix
+++ b/system/nix-serve.nix
@ -1,12 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  services.nix-serve = {
    enable = true;
    secretKeyFile = config.age.secrets.monolith-nix-serve-privkey.path;
  };
 }
--- a/system/nix.nix
+++ b/system/nix.nix
@ -29,22 +29,18 @@ in
      substituters = [
        "https://cache.nixos.org"
        "https://nix-community.cachix.org"
        # "http://nixcache.lelgenio.1337.cx:5000"
        "https://lelgenio.cachix.org"
        "https://wegank.cachix.org"
        "https://snowflakeos.cachix.org/"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        # "nixcache.lelgenio.1337.cx:zxCfx7S658llDgAUG0JVyNrlAdFVvPniSdDOkvfTPS8="
        "lelgenio.cachix.org-1:W8tMlmDFLU/V+6DlChXjekxoHZpjgVHZpmusC4cueBc="
        "wegank.cachix.org-1:xHignps7GtkPP/gYK5LvA/6UFyz98+sgaxBSy7qK0Vs="
        "snowflakeos.cachix.org-1:gXb32BL86r9bw1kBiw9AJuIkqN49xBvPd1ZW8YlqO70="
      ];
    };
    extraOptions = ''
-      experimental-features = nix-command flakes repl-flake
+      experimental-features = nix-command flakes
    '';
  };
 }
--- a/system/rainbow-gitlab-runner.nix
+++ b/system/rainbow-gitlab-runner.nix
@ -1,34 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (pkgs.callPackage ./gitlab-runner.nix { }) mkNixRunner;
 in
 {
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  virtualisation.docker.enable = true;
  services.gitlab-runner = {
    enable = true;
    settings.concurrent = 1;
    services = {
      # ci_test = {
      #   registrationConfigFile = "/srv/gitlab-runner/env/ci_test";
      #   dockerImage = "debian";
      #   dockerPrivileged = true;
      # };
      thoreb_builder = {
        registrationConfigFile =
          config.age.secrets.rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.path;
        dockerImage = "debian";
        dockerPrivileged = true;
      };
      thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path;
      thoreb-itinerario-nix = mkNixRunner config.age.secrets.rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.path;
    };
  };
  systemd.services.gitlab-runner.serviceConfig.Nice = 10;
 }
--- a/system/secrets.nix
+++ b/system/secrets.nix
@ -1,13 +0,0 @@
 { pkgs, ... }:
 {
  age = {
    identityPaths = [ "/root/.ssh/id_rsa" ];
    secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age;
    secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.file = ../secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
    secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.file = ../secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age;
    secrets.monolith-forgejo-runner-token.file = ../secrets/monolith-forgejo-runner-token.age;
    secrets.rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.file = ../secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
    secrets.monolith-nix-serve-privkey.file = ../secrets/monolith-nix-serve-privkey.age;
    secrets.phantom-forgejo-mailer-password.file = ../secrets/phantom-forgejo-mailer-password.age;
  };
 }
--- a/Show more
+++ b/Show more