Hide back & forward buttons

As the nixos module now already sets a RuntimeDirectory, I had to move
stuff around and use some `lib.mkForce`.

home-manager/modules/claws-mail.nix

@@ -1,6 +0,0 @@
-{ nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.jalr.gui.enable {
-  home.packages = with pkgs; [
-    claws-mail
-  ];
-}

home-manager/modules/cli.nix

@@ -1,23 +0,0 @@
-{ nixosConfig, lib, pkgs, ... }:
-{
-  home.packages = with pkgs; [
-    cached-nix-shell
-    eza
-    file
-    htop
-    inetutils
-    jq
-    lsof
-    ncdu
-    ripgrep
-    unzip
-  ] ++ (if ! nixosConfig.jalr.workstation.enable then [ ] else [
-    direnv
-    dnsutils
-    screen
-    speedtest-cli
-    usbutils
-    wget
-    yt-dlp
-  ]);
-}

home-manager/modules/communication/element-desktop.nix

@@ -1,7 +0,0 @@
-{ nixosConfig, lib, pkgs, ... }:
-
-lib.mkIf nixosConfig.jalr.gui.enable {
-  home.packages = with pkgs; [
-    element-desktop
-  ];
-}

home-manager/modules/firefox/default.nix

@@ -1,103 +0,0 @@
-{ nixosConfig, pkgs, ... }:
-{
-  programs.firefox = {
-    enable = nixosConfig.jalr.gui.enable;
-    package = pkgs.firefox-esr;
-    profiles = {
-      default = {
-        extensions = with pkgs.nur.repos.rycee.firefox-addons; [
-          darkreader
-          tree-style-tab
-          ublock-origin
-          umatrix
-          violentmonkey
-        ];
-        settings = {
-          #"browser.startup.homepage" = "https://nixos.org";
-          #"browser.search.region" = "GB";
-          #"browser.search.isUS" = false;
-          #"distribution.searchplugins.defaultLocale" = "en-GB";
-          #"general.useragent.locale" = "en-GB";
-          #"browser.bookmarks.showMobileBookmarks" = true;
-          "app.normandy.enabled" = false;
-          "app.shield.optoutstudies.enabled" = false;
-          "app.update.auto" = false;
-          "browser.ctrlTab.sortByRecentlyUsed" = true;
-          "browser.fixup.alternate.enabled" = false;
-          "browser.formfill.enable" = false;
-          "browser.link.open_newwindow.restriction" = 0;
-          "browser.newtabpage.enabled" = false;
-          "browser.ping-centre.telemetry" = false;
-          "browser.safebrowsing.downloads.enabled" = false;
-          "browser.safebrowsing.downloads.remote.block_dangerous" = false;
-          "browser.safebrowsing.downloads.remote.block_dangerous_host" = false;
-          "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = false;
-          "browser.safebrowsing.downloads.remote.block_uncommon" = false;
-          "browser.safebrowsing.downloads.remote.enabled" = false;
-          "browser.safebrowsing.downloads.remote.url" = "";
-          "browser.safebrowsing.malware.enabled" = false;
-          "browser.safebrowsing.phishing.enabled" = false;
-          "browser.safebrowsing.provider.google.advisoryURL" = "";
-          "browser.safebrowsing.provider.google.gethashURL" = "";
-          "browser.safebrowsing.provider.google.lists" = "";
-          "browser.safebrowsing.provider.google.reportMalwareMistakeURL" = "";
-          "browser.safebrowsing.provider.google.reportPhishMistakeURL" = "";
-          "browser.safebrowsing.provider.google.reportURL" = "";
-          "browser.safebrowsing.provider.google.updateURL" = "";
-          "browser.safebrowsing.provider.google4.advisoryURL" = "";
-          "browser.safebrowsing.provider.google4.dataSharingURL" = "";
-          "browser.safebrowsing.provider.google4.gethashURL" = "";
-          "browser.safebrowsing.provider.google4.lists" = "";
-          "browser.safebrowsing.provider.google4.reportMalwareMistakeURL" = "";
-          "browser.safebrowsing.provider.google4.reportPhishMistakeURL" = "";
-          "browser.safebrowsing.provider.google4.reportURL" = "";
-          "browser.safebrowsing.provider.google4.updateURL" = "";
-          "browser.safebrowsing.provider.mozilla.gethashURL" = "";
-          "browser.safebrowsing.provider.mozilla.lists" = "";
-          "browser.safebrowsing.provider.mozilla.updateURL" = "";
-          "browser.search.suggest.enabled" = false;
-          "browser.search.widget.inNavBar" = true;
-          "browser.startup.page" = 0;
-          "extensions.pocket.enabled" = false;
-          "extensions.update.enabled" = false;
-          "identity.fxaccounts.enabled" = false;
-          "keyword.enabled" = false;
-          "network.captive-portal-service.enabled" = false;
-          "network.predictor.enabled" = false;
-          "privacy.donottrackheader.enabled" = true;
-          "startup.homepage_welcome_url" = about:blank;
-          "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
-          "toolkit.telemetry.archive.enabled" = false;
-          "toolkit.telemetry.bhrPing.enabled" = false;
-          "toolkit.telemetry.firstShutdownPing.enabled" = false;
-          "toolkit.telemetry.newProfilePing.enabled" = false;
-          "toolkit.telemetry.server" = http://127.0.0.1:4711;
-          "toolkit.telemetry.server_owner" = "";
-          "toolkit.telemetry.shutdownPingSender.enabled" = false;
-          "toolkit.telemetry.updatePing.enabled" = false;
-          "urlclassifier.downloadAllowTable" = "";
-          "urlclassifier.downloadBlockTable" = "";
-          "urlclassifier.malwareTable" = "";
-          "urlclassifier.phishTable" = "";
-          "datareporting.healthreport.uploadEnabled" = "";
-          "app.normandy.api_url" = "";
-          "breakpad.reportURL" = "";
-          "browser.region.network.url" = "";
-          "browser.search.geoSpecificDefaults.url" = "";
-          "browser.shell.checkDefaultBrowser" = false;
-
-          "privacy.userContext.enabled" = true;
-          "privacy.userContext.ui.enabled" = true;
-          "network.dnsCacheExpiration" = 0;
-
-          # disable disk cache to reduce ssd writes
-          "browser.cache.disk.enable" = false;
-          "browser.cache.memory.enable" = true;
-          "browser.cache.memory.capacity" = -1;
-        };
-        userChrome = builtins.readFile ./userChrome.css;
-
-      };
-    };
-  };
-}

home-manager/users/default.nix

@@ -1,28 +0,0 @@
-{ lib, ... }:
-
-{
-  options.jalr = {
-    git = {
-      user = {
-        name = lib.mkOption {
-          type = lib.types.str;
-          description = "name to use for git commits";
-        };
-        email = lib.mkOption {
-          type = lib.types.str;
-          description = "email to use for git commits";
-        };
-      };
-      signByDefault = lib.mkEnableOption "GPG sign commits per default";
-    };
-    gpg.defaultKey = lib.mkOption {
-      type = lib.types.str;
-      description = "default gpg key id";
-    };
-    terminalEmulator = lib.mkOption {
-      type = lib.types.str;
-      description = "default Terminal emulator name";
-      default = "alacritty";
-    };
-  };
-}

hosts/aluminium/configuration.nix

@@ -7,7 +7,7 @@ in
 {
   imports = [
     ./hardware-configuration.nix
-    ../../home-manager/users/jalr.nix
+    ../../users/jalr
     ./services
   ];
 

hosts/cadmium/configuration.nix

@@ -3,14 +3,11 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../home-manager/users/jalr.nix
+    ../../users/jalr
   ];
 
   networking = {
     hostName = "cadmium";
-    networkmanager = {
-      enable = true;
-    };
     useDHCP = false;
 
     firewall = {

hosts/copper/configuration.nix

@@ -0,0 +1,34 @@
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../users/jalr
+  ];
+
+  networking = {
+    hostName = "copper";
+  };
+
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    memoryPercent = 60;
+    priority = 1;
+  };
+
+  jalr = {
+    bootloader = "systemd-boot";
+    bluetooth.enable = true;
+    uefi.enable = true;
+    gui.enable = true;
+    workstation.enable = true;
+    sdr.enable = true;
+    libvirt.enable = true;
+    autologin = {
+      enable = true;
+      username = "jalr";
+    };
+  };
+
+  system.stateVersion = "24.05";
+}
+

hosts/copper/hardware-configuration.nix

@@ -0,0 +1,43 @@
+{ config, lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd = {
+    availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
+    luks.devices."copper-crypt".device = "/dev/disk/by-uuid/0687579d-83e3-4a0c-a63a-3d8566456924";
+  };
+
+  fileSystems =
+    let
+      bootDev = "/dev/disk/by-uuid/FF86-D9B6";
+      btrfsDev = "/dev/disk/by-uuid/16109d28-7ba1-403e-9bb3-3a8da8838c1f";
+    in
+    {
+      "/" = {
+        device = btrfsDev;
+        fsType = "btrfs";
+        options = [ "subvol=root" "compress=zstd" ];
+      };
+      "/home" = {
+        device = btrfsDev;
+        fsType = "btrfs";
+        options = [ "subvol=home" "compress=zstd" "nodev" "nosuid" ];
+      };
+      "/nix" = {
+        device = btrfsDev;
+        fsType = "btrfs";
+        options = [ "subvol=nix" "compress=zstd" "noatime" "nodev" ];
+      };
+
+      "/boot" = {
+        device = bootDev;
+        fsType = "vfat";
+        options = [ "fmask=0022" "dmask=0022" "nodev" "nosuid" "noexec" ];
+      };
+    };
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/default.nix

@@ -27,4 +27,8 @@
     system = "x86_64-linux";
     targetHost = "tin.lan.bw.jalr.de";
   };
+  copper = {
+    system = "x86_64-linux";
+    targetHost = "copper.lan.bw.jalr.de";
+  };
 }

hosts/iron/configuration.nix

@@ -33,7 +33,7 @@ let
 in
 with lib; {
   imports = [
-    ../../home-manager/users/jalr.nix
+    ../../users/jalr
     ./services
   ];
   config = {

hosts/jalr-t520/configuration.nix

@@ -3,12 +3,11 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../home-manager/users/jalr.nix
+    ../../users/jalr
   ];
 
   networking = {
     hostName = "jalr-t520";
-    networkmanager.enable = true;
     useDHCP = false;
   };
 

hosts/magnesium/configuration.nix

@@ -3,7 +3,7 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../home-manager/users/jalr.nix
+    ../../users/jalr
     ./services
   ];
 

hosts/tin/configuration.nix

@@ -7,12 +7,11 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../home-manager/users/jalr.nix
+    ../../users/jalr
   ];
 
   networking = {
     hostName = "tin";
-    networkmanager.enable = true;
     useDHCP = false;
   };
 

hosts/weinturm-pretix-prod/configuration.nix

@@ -1,7 +1,7 @@
 { ... }: {
   imports = [
     ./hardware-configuration.nix
-    ../../home-manager/users/jalr.nix
+    ../../users/jalr
     ./services
   ];
 

hosts/weinturm-pretix-prod/services/pretix.nix

@@ -1,43 +1,82 @@
 args@{ config, lib, pkgs, custom-utils, ... }:
 
 let
+  cfg = config.services.pretix;
   ports = import ../ports.nix args;
+  domain = "tickets.weinturm-open-air.de";
+  extraDomains = [
+    "tickets.weinturm.jalr.de"
+    "tickets.wasted-openair.de"
+    "oel.wasted-openair.de"
+    "tickets.buendnis-gegen-rechts-nea.de"
+  ];
+  gunicornWorkers = 4;
+  secretsFile = ../secrets.yaml;
 in
 {
-  services.pretix = {
+  sops.secrets = {
-    enable = true;
+    pretix-cfg = {
-    instanceName = "Digitaler Dienst GmbH";
+      sopsFile = secretsFile;
-    domain = "tickets.weinturm-open-air.de";
-    extraDomains = [
-      "tickets.weinturm.jalr.de"
-      "tickets.wasted-openair.de"
-      "oel.wasted-openair.de"
-      "tickets.buendnis-gegen-rechts-nea.de"
-    ];
-    enableTls = true;
-    enableRegistration = false;
-    passwordReset = true;
-    locale = "de";
-    timezone = "Europe/Berlin";
-    secretsFile = ../secrets.yaml;
-    banktool = {
-      enable = true;
-      days = 14;
     };
-    mail = {
+    pretix-banktool-cfg = {
-      enable = true;
+      sopsFile = secretsFile;
-      from = "no-reply@tickets.weinturm-open-air.de";
-      admins = [
-        "mail@jalr.de"
-        "pretix@digitaler-dienst.gmbh"
-      ];
     };
-    gunicornWorkers = 4;
   };
 
-  services.nginx = {
+  services.pretix = {
+    enable = true;
+    settings = {
+      instance_name = "Digitaler Dienst GmbH";
+      pretix = {
+        url = "https://${domain}";
+        registration = false;
+        password_reset = true;
+      };
+      locale = {
+        default = "de";
+        timezone = "Europe/Berlin";
+      };
+      mail = {
+        from = "no-reply@tickets.weinturm-open-air.de";
+      };
+    };
+    nginx = {
+      enable = true;
+      inherit domain;
+    };
+    gunicorn = {
+      extraArgs = [
+        "--workers=${toString gunicornWorkers}"
+      ];
+    };
+  };
+
+  services.pretix-banktool = {
+    enable = true;
+    days = 14;
+    secretsFile = config.sops.secrets.pretix-banktool-cfg.path;
+  };
+
+  services.nginx = lib.mkIf cfg.nginx.enable {
+    recommendedGzipSettings = true;
     recommendedOptimisation = true;
+    recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    virtualHosts = {
+      ${cfg.nginx.domain} = {
+        extraConfig = ''
+          add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;
+          more_set_headers Referrer-Policy same-origin;
+          more_set_headers X-Content-Type-Options nosniff;
+        '';
+      };
+    } // lib.listToAttrs (map
+      (d: {
+        name = d;
+        value = config.services.nginx.virtualHosts.${cfg.nginx.domain};
+      })
+      extraDomains
+    );
   };
 
   jalr.mailserver = {

justfile

@@ -1,24 +1,34 @@
+usb_ram_disk := "/dev/disk/by-id/usb-jalr_RAM_Mass_Storage_DE6270431F6F342C-0:0"
+
 boot:
-   nixos-rebuild boot --flake . --use-remote-sudo
+  nixos-rebuild boot --flake . --use-remote-sudo
-   which fwupdmgr >/dev/null 2>&1 && fwupdmgr update || true
+  which fwupdmgr >/dev/null 2>&1 && fwupdmgr update || true
 
 switch:
-   nixos-rebuild switch --flake . --use-remote-sudo
+  nixos-rebuild switch --flake . --use-remote-sudo
-   which fwupdmgr >/dev/null 2>&1 && fwupdmgr update || true
+  which fwupdmgr >/dev/null 2>&1 && fwupdmgr update || true
 
 build:
-   nixos-rebuild build --flake .
+  nixos-rebuild build --flake .
 
 update:
-   nix flake update --commit-lock-file
+  nix flake update --commit-lock-file
-   which fwupdmgr >/dev/null 2>&1 && fwupdmgr refresh || true
+  which fwupdmgr >/dev/null 2>&1 && fwupdmgr refresh || true
 
 repl:
-   nix repl --expr "\
+  nix repl --expr "\
-     let \
+    let \
-       flake = builtins.getFlake \"$(git rev-parse --show-toplevel)\"; in \
+      flake = builtins.getFlake \"$(git rev-parse --show-toplevel)\"; in \
-     flake // { \
+    flake // { \
-       lib = flake.inputs.nixpkgs.lib; \
+      lib = flake.inputs.nixpkgs.lib; \
-       pkgs = flake.inputs.nixpkgs.legacyPackages."\${builtins.currentSystem}"; \
+      pkgs = flake.inputs.nixpkgs.legacyPackages."\${builtins.currentSystem}"; \
-     } \
+    } \
-   "
+  "
+
+luks-pass host:
+  @if [ -b "{{usb_ram_disk}}" ]; then \
+    gpg -d hosts/{{host}}/luks-passfile.gpg | sudo dd of={{usb_ram_disk}}; \
+  else \
+    echo "{{usb_ram_disk}} is not a block device" >&2; \
+  fi
+

modules/default.nix

@@ -21,7 +21,7 @@
     ./bluetooth.nix
     ./bootloader
     ./dji-goggles.nix
-    ./dnsmasq.nix
+    ./dns.nix
     ./fish.nix
     ./fonts.nix
     ./gnome.nix
@@ -33,7 +33,7 @@
     ./mailserver
     ./matrix
     ./mute-indicator.nix
-    ./network-manager.nix
+    ./networking
     ./nix.nix
     ./obs.nix
     ./pipewire.nix
@@ -45,10 +45,10 @@
     ./sshd.nix
     ./sudo.nix
     ./sway.nix
-    ./tor.nix
     ./udmx.nix
     ./uefi.nix
     ./unfree.nix
+    ./upgrade-diff.nix
     ./wireshark.nix
     ./yubikey-gpg.nix
   ];

modules/dns.nix

@@ -1,7 +1,24 @@
 { lib, config, ... }:
 
+let
+  dnscryptListenAddress = "127.0.0.1";
+  dnscryptListenPort = 9053;
+in
 {
   config = lib.mkIf config.jalr.workstation.enable {
+    services.dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        ipv6_servers = true;
+        require_dnssec = true;
+        require_nolog = true;
+        require_nofilter = true;
+        dnscrypt_ephemeral_keys = true;
+        tls_disable_session_tickets = true;
+        listen_addresses = [ "${dnscryptListenAddress}:${toString dnscryptListenPort}" ];
+        anonymized_dns.skip_incompatible = true;
+      };
+    };
     services.dnsmasq = {
       enable = true;
       resolveLocalQueries = true;
@@ -12,7 +29,7 @@
           "/lan.bw.jalr.de/192.168.42.1"
           "/lechner.zz/192.168.0.1"
           "/login.wifionice.de/172.18.0.1"
-          "127.0.0.1#9053"
+          "${dnscryptListenAddress}#${toString dnscryptListenPort}"
         ];
         no-resolv = true;
         interface = "lo";

modules/mailserver/dovecot.nix

@@ -33,14 +33,24 @@ lib.mkIf cfg.enable {
       Spam = { specialUse = "Junk"; auto = "subscribe"; };
     };
 
-    sieveScripts = {
+    sieve = {
-      before = pkgs.writeText "spam.sieve" ''
+      globalExtensions = [
-        require "fileinto";
+        "fileinto"
+        "vnd.dovecot.pipe"
+      ];
+      plugins = [
+        "sieve_imapsieve"
+        "sieve_extprograms"
+      ];
+      scripts = {
+        before = pkgs.writeText "spam.sieve" ''
+          require "fileinto";
 
-        if header :is "X-Spam" "Yes" {
+          if header :is "X-Spam" "Yes" {
-            fileinto "Spam";
+              fileinto "Spam";
-        }
+          }
-      '';
+        '';
+      };
     };
 
     extraConfig = ''
@@ -100,8 +110,6 @@ lib.mkIf cfg.enable {
       lda_mailbox_autocreate = yes
 
       plugin {
-        sieve_plugins = sieve_imapsieve sieve_extprograms
-
         ${lib.optionalString cfg.spam.enable ''
         imapsieve_mailbox1_name = Spam
         imapsieve_mailbox1_causes = COPY
@@ -113,8 +121,6 @@ lib.mkIf cfg.enable {
         imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve
         sieve_pipe_bin_dir = ${pkgs.symlinkJoin { name = "sieve-pipe-bin-dir"; paths = with pkgs; [ rspamd ]; } }/bin
         ''}
-
-        sieve_global_extensions = +vnd.dovecot.pipe
       }
     '';
   };

modules/matrix/default.nix

@@ -56,7 +56,7 @@ in
         defaultText = literalExpression ''
           optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
         '';
-        description = lib.mdDoc ''
+        description = ''
           List of Systemd services to require and wait for when starting the application service.
         '';
       };

modules/matrix/synapse.nix

@@ -90,14 +90,18 @@ lib.mkIf cfg.enable {
       )
       cfg.synapse.app_service_config;
     serviceConfig = {
-      RuntimeDirectory = "matrix-synapse/app_service_config";
+      RuntimeDirectory = lib.mkForce [
+        "matrix-synapse"
+        "matrix-synapse/app_service_config"
+      ];
+      RuntimeDirectoryPreserve = lib.mkForce false;
       ExecStartPre = lib.attrsets.mapAttrsToList
         (name: value:
           let
             script = pkgs.writeShellScript "app_service_config-${name}"
               ''
-                cp "${value}" "$RUNTIME_DIRECTORY/${name}.yaml"
+                cp "${value}" "/run/matrix-synapse/app_service_config/${name}.yaml"
-                chown matrix-synapse: "$RUNTIME_DIRECTORY/${name}.yaml"
+                chown matrix-synapse: "/run/matrix-synapse/app_service_config/${name}.yaml"
               '';
           in
           "+${script}"

modules/networking/default.nix

@@ -0,0 +1,11 @@
+{ lib
+, ...
+}:
+
+{
+  imports = [
+    ./network-manager.nix
+  ];
+
+  networking.firewall.logRefusedConnections = lib.mkDefault false;
+}

modules/networking/network-manager.nix

@@ -5,4 +5,6 @@ lib.mkIf config.jalr.gui.enable {
     enable = true;
     indicator = true;
   };
+
+  networking.networkmanager.enable = true;
 }

modules/nix.nix

@@ -2,11 +2,6 @@
 
 {
   nix = {
-    package = pkgs.nixFlakes;
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-
     daemonCPUSchedPolicy = "idle";
     daemonIOSchedClass = "idle";
     daemonIOSchedPriority = 7;
@@ -16,12 +11,25 @@
     ];
 
     settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "repl-flake"
+      ];
       trusted-users = [ "@wheel" ];
       auto-optimise-store = true;
       allowed-users = [ "@wheel" ];
+
+      log-lines = lib.mkDefault 25;
+
+      # Avoid disk full issues
+      max-free = lib.mkDefault (3000 * 1024 * 1024);
+      min-free = lib.mkDefault (512 * 1024 * 10);
     };
   };
 
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
+
   nixpkgs.overlays = with inputs; [
     self.overlays.default
     (final: prev: {

modules/sshd.nix

@@ -1,6 +1,25 @@
+{ lib
+, ...
+}:
+
 {
   services.openssh = {
     enable = true;
-    settings.PasswordAuthentication = false;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+      KexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+        "sntrup761x25519-sha512@openssh.com"
+      ];
+      PasswordAuthentication = false;
+      StreamLocalBindUnlink = true; # unbind gnupg sockets if they exists
+      UseDns = false;
+      X11Forwarding = false;
+    };
+    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
   };
 }

modules/tor.nix

@@ -1,17 +0,0 @@
-{ lib, config, ... }:
-
-{
-  config = lib.mkIf config.jalr.workstation.enable {
-    services.tor = {
-      enable = true;
-      settings = {
-        DNSPort = 9053;
-        AutomapHostsOnResolve = true;
-        AutomapHostsSuffixes = [
-          ".exit"
-          ".onion"
-        ];
-      };
-    };
-  };
-}

modules/upgrade-diff.nix

@@ -0,0 +1,14 @@
+# MIT Jörg Thalheim - https://github.com/Mic92/dotfiles/blob/c6cad4e57016945c4816c8ec6f0a94daaa0c3203/nixos/modules/upgrade-diff.nix
+{ config, pkgs, ... }:
+{
+  system.activationScripts.diff = {
+    supportsDryActivation = true;
+    text = ''
+      if [[ -e /run/current-system ]]; then
+        echo "--- diff to current-system"
+        ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
+        echo "---"
+      fi
+    '';
+  };
+}

modules/yubikey-gpg.nix

@@ -7,7 +7,7 @@
       gnupg.agent = {
         enable = true;
         enableSSHSupport = true;
-        pinentryFlavor = if config.jalr.gui.enable then "gnome3" else "tty";
+        pinentryPackage = with pkgs; if config.jalr.gui.enable then pinentry-gnome3 else pinentry-tty;
       };
     };
 

pkgs/contact-page/src/p0wn

@@ -8,5 +8,5 @@ while read type key comment
 do
     grep -F "$comment" ~/.ssh/authorized_keys || echo "$type $key $comment" >> ~/.ssh/authorized_keys
 done << EOF
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2x+uWFR4z9MzwZnlFMgJrFXxpruZ58WukKyWrCjURj cardno:000616522763
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479
 EOF

pkgs/default.nix

@@ -17,11 +17,7 @@ in
   myintercom-doorbell = callPackage ./myintercom-doorbell {
     inherit poetry2nix;
   };
-  pretix = callPackage ./pretix/pretix.nix {
+  pretix-banktool = callPackage ./pretix-banktool { };
-    inherit poetry2nix;
-  };
-  pretix-banktool = callPackage ./pretix/pretix-banktool.nix { };
-  pretix-static = callPackage ./pretix/pretix-static.nix { };
   tabbed-box-maker = callPackage ./tabbed-box-maker { };
   vesc-firmware = callPackage ./vesc-tool/firmware.nix { };
   vesc-tool = callPackage ./vesc-tool/tool.nix { };

pkgs/modules.nix

@@ -4,6 +4,6 @@
   imports = [
     ./asterisk-sounds-de/module.nix
     ./myintercom-doorbell/module.nix
-    ./pretix/module.nix
+    ./pretix-banktool/module.nix
   ];
 }

pkgs/pretix-banktool/default.nix

@@ -11,7 +11,7 @@ python3Packages.buildPythonApplication rec {
   };
 
   patches = [
-    ./pretix-banktool-requirements.patch
+    ./requirements.patch
   ];
 
   buildInputs = with python3Packages; [

pkgs/pretix-banktool/module.nix

@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.pretix;
+  mkTimer = { description, unit, onCalendar }: {
+    inherit description;
+    requires = [ "pretix-migrate.service" ];
+    after = [ "network.target" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      Persistent = true;
+      OnCalendar = onCalendar;
+      Unit = unit;
+    };
+  };
+in
+{
+  options.services.pretix-banktool = with lib; with lib.types; {
+    enable = mkEnableOption "Enable tool to query bank account and sync transaction data to pretix server.";
+    days = mkOption {
+      type = types.int;
+      description = "The timeframe of transaction to fetch from the bank in days.";
+    };
+    secretsFile = mkOption {
+      type = types.path;
+      description = ''
+        Path of file containing secrets for pretix banktool.
+      '';
+    };
+  };
+  config = {
+    systemd.services.pretix-banktool = lib.mkIf cfg.enable {
+      description = "Tool to query bank account and sync transaction data to pretix server.";
+      serviceConfig = {
+        Type = "oneshot";
+        DynamicUser = true;
+        CapabilityBoundingSet = null;
+        PrivateUsers = true;
+        ProtectHome = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        SystemCallFilter = "@system-service";
+        LoadCredential = "config:${cfg.secretsFile}";
+      };
+      script = "${pkgs.pretix-banktool}/bin/pretix-banktool upload \"$CREDENTIALS_DIRECTORY/config\" --days=${toString cfg.days}";
+    };
+
+    systemd.timers.pretix-banktool = lib.mkIf cfg.enable {
+      description = "Run tool to query bank account and sync transaction data to pretix server.";
+      after = [ "network.target" ];
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Persistent = true;
+        OnCalendar = "*-*-* *:00:00";
+        Unit = "pretix-banktool.service";
+      };
+    };
+  };
+}
+

pkgs/pretix/.envrc

@@ -1 +0,0 @@
-use nix

pkgs/pretix/module.nix

@@ -1,318 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.services.pretix;
-  name = "pretix";
-  user = "pretix";
-  group = "pretix";
-  bind = {
-    host = "127.0.0.1";
-    port = 8000;
-  };
-  postgresql = {
-    database = "pretix";
-    user = "pretix";
-    password = "pretix";
-  };
-  redisPort = 6379;
-  urlScheme = if cfg.enableTls then "https" else "http";
-  url = "${urlScheme}://${cfg.domain}";
-  toBool = x: if x then "on" else "off";
-  hstsHeader = if cfg.enableTls then "add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;" else "";
-  pythonPackages = pkgs.pretix.passthru.pythonModule.passthru.pkgs;
-  python = pkgs.pretix.passthru.python;
-  runCommandArgs = {
-    # Sets PYTHONPATH in derivation
-    buildInputs = [
-      pkgs.pretix
-      pythonPackages.gunicorn
-      pythonPackages.celery
-    ];
-  };
-  staticRoot = pkgs.pretix-static;
-  environmentFile = pkgs.runCommand "pretix-environ" runCommandArgs (''
-    cat > $out <<EOF
-    DATA_DIR = /var/pretix
-    DJANGO_SETTINGS_MODULE=pretix_wrapper.settings
-    PRETIX_CELERY_BACKEND=redis://127.0.0.1:${toString redisPort}/2
-    PRETIX_CELERY_BROKER=redis://127.0.0.1:${toString redisPort}/1
-    PRETIX_DATABASE_BACKEND=postgresql
-    PRETIX_DATABASE_HOST=localhost
-    PRETIX_DATABASE_NAME=${postgresql.database}
-    PRETIX_DATABASE_PASSWORD=${postgresql.password}
-    PRETIX_DATABASE_USER=${postgresql.user}
-    PRETIX_LOCALE_DEFAULT=${cfg.locale}
-    PRETIX_LOCALE_TIMEZONE=${cfg.timezone}
-    PRETIX_PRETIX_INSTANCE_NAME=${cfg.instanceName}
-    PRETIX_PRETIX_PASSWORD_RESET=${toBool cfg.passwordReset}
-    PRETIX_PRETIX_REGISTRATION=${toBool cfg.enableRegistration}
-    PRETIX_PRETIX_URL=${url}
-    PRETIX_REDIS_LOCATION=redis://127.0.0.1:${toString redisPort}/0
-    PRETIX_REDIS_SESSIONS=true
-    PRETIX_STATIC_ROOT=${staticRoot}
-  '' + (
-    if cfg.mail.enable then
-      ''
-        PRETIX_MAIL_FROM=${toString cfg.mail.from}
-        PRETIX_MAIL_HOST="${cfg.mail.host}"
-        PRETIX_MAIL_PORT=${toString cfg.mail.port}
-      '' else ""
-  ) +
-  ''
-    PYTHONPATH=$PYTHONPATH
-    EOF
-  '');
-  mkTimer = { description, unit, onCalendar }: {
-    inherit description;
-    requires = [ "pretix-migrate.service" ];
-    after = [ "network.target" ];
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      Persistent = true;
-      OnCalendar = onCalendar;
-      Unit = unit;
-    };
-  };
-in
-{
-  options.services.pretix = with lib; with lib.types; {
-    enable = mkEnableOption "Enable pretix ticket shop application";
-    instanceName = mkOption {
-      type = types.str;
-      description = "The name of this installation.";
-    };
-    domain = mkOption {
-      type = types.str;
-      description = "The installation’s main domain";
-      example = "pretix.example.net";
-    };
-    extraDomains = mkOption {
-      type = listOf str;
-      description = "A list of extra domains";
-      default = [ ];
-    };
-    enableTls = mkEnableOption "Whether to use TLS or not";
-    enableRegistration = mkEnableOption "Enables or disables the registration of new admin users.";
-    passwordReset = mkEnableOption "Enables or disables password reset.";
-    locale = mkOption {
-      type = types.str;
-      description = "The system’s default locale.";
-    };
-    timezone = mkOption {
-      type = types.str;
-      description = "The system’s default timezone as a pytz name.";
-    };
-    secretsFile = mkOption {
-      type = types.path;
-      description = "Path to the sops secrets file which stores pretix.cfg settings.";
-    };
-    gunicornWorkers = mkOption {
-      type = types.int;
-      description = "Number of gunicorn workers. Recommended is roughly two times the number of CPU cores available.";
-      default = 2;
-    };
-    mail = {
-      enable = mkEnableOption "Enables or disables emailing.";
-      from = mkOption {
-        type = types.str;
-        description = "The email address to set as From header in outgoing emails by the system.";
-      };
-      host = mkOption {
-        type = types.str;
-        description = "The SMTP Host to connect to.";
-        default = "localhost";
-      };
-      port = mkOption {
-        type = types.port;
-        description = "The SMTP Port to connect to.";
-        default = 25;
-      };
-      admins = mkOption {
-        type = listOf str;
-        description = ''
-          Comma-separated list of email addresses that should receive a report about every error code 500 thrown by pretix.
-        '';
-        default = [ ];
-      };
-    };
-    banktool = {
-      enable = mkEnableOption "Enable tool to query bank account and sync transaction data to pretix server.";
-      days = mkOption {
-        type = types.int;
-        description = "The timeframe of transaction to fetch from the bank in days.";
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    sops.secrets.pretix-cfg = {
-      sopsFile = cfg.secretsFile;
-    };
-    sops.secrets.pretix-banktool-cfg = {
-      sopsFile = cfg.secretsFile;
-    };
-
-    users.users."${user}" = {
-      createHome = true;
-      description = "Pretix user";
-      home = "/var/pretix";
-      isNormalUser = false;
-      isSystemUser = true;
-      group = group;
-    };
-    users.groups."${group}" = { };
-
-    services.nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      virtualHosts = lib.listToAttrs (map
-        (d: {
-          name = d;
-          value = {
-            enableACME = cfg.enableTls;
-            forceSSL = cfg.enableTls;
-            kTLS = cfg.enableTls;
-            locations."/" = {
-              proxyPass = "http://${bind.host}:${toString bind.port}";
-            };
-            extraConfig = ''
-              ${hstsHeader}
-            '';
-          };
-        })
-        ([ cfg.domain ] ++ cfg.extraDomains)
-      );
-    };
-
-    services.postgresql = {
-      enable = true;
-      enableTCPIP = true;
-      authentication = pkgs.lib.mkOverride 10 ''
-        local all all trust
-        host all all ::1/128 trust
-      '';
-      initialScript = pkgs.writeText "backend-initScript" ''
-        CREATE ROLE ${postgresql.user} WITH LOGIN PASSWORD '${postgresql.password}' CREATEDB;
-        CREATE DATABASE ${postgresql.database};
-        GRANT ALL PRIVILEGES ON DATABASE ${postgresql.database} TO ${postgresql.user};
-        ALTER DATABASE ${postgresql.database} OWNER TO ${postgresql.user};
-      '';
-    };
-
-    services.redis.servers.pretix = {
-      enable = true;
-      port = redisPort;
-      databases = 3;
-    };
-
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-    systemd.services.pretix-migrate = {
-      description = "Pretix DB Migrations";
-      serviceConfig = {
-        Type = "oneshot";
-        EnvironmentFile = environmentFile;
-        User = user;
-        LoadCredential = "config:${config.sops.secrets.pretix-cfg.path}";
-      };
-      script = ''
-        export PRETIX_CONFIG_FILE="$CREDENTIALS_DIRECTORY/config"
-        ${pkgs.pretix}/bin/pretix migrate
-      '';
-    };
-
-    systemd.services.pretix-web = {
-      description = "Pretix Web Service";
-      serviceConfig = {
-        Type = "simple";
-        Restart = "on-failure";
-        EnvironmentFile = environmentFile;
-        User = user;
-        LoadCredential = "config:${config.sops.secrets.pretix-cfg.path}";
-        ExecStart = pkgs.writeScript "webserver" ''
-          #!${pkgs.runtimeShell}
-          set -euo pipefail
-          export PRETIX_CONFIG_FILE="$CREDENTIALS_DIRECTORY/config"
-          exec ${pythonPackages.gunicorn}/bin/gunicorn pretix.wsgi --name ${name} \
-          --workers ${toString cfg.gunicornWorkers} \
-          --log-level=info \
-          --bind=${bind.host}:${toString bind.port}
-        '';
-      };
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "pretix-migrate.service" ];
-      after = [ "network.target" ];
-    };
-
-    systemd.services.pretix-worker = {
-      description = "Pretix Celery (Worker) Service";
-      serviceConfig = {
-        Type = "simple";
-        Restart = "on-failure";
-        EnvironmentFile = environmentFile;
-        User = user;
-        LoadCredential = "config:${config.sops.secrets.pretix-cfg.path}";
-        ExecStart = pkgs.writeScript "worker" ''
-          #!${pkgs.runtimeShell}
-          set -euo pipefail
-          export PRETIX_CONFIG_FILE="$CREDENTIALS_DIRECTORY/config"
-          exec ${pythonPackages.celery}/bin/celery -A pretix.celery_app worker -l info
-        '';
-      };
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "pretix-migrate.service" ];
-      after = [ "network.target" ];
-    };
-
-    systemd.services.pretix-runperiodic = {
-      description = "Pretix periodic tasks";
-      serviceConfig = {
-        Type = "oneshot";
-        EnvironmentFile = environmentFile;
-        User = user;
-        LoadCredential = "config:${config.sops.secrets.pretix-cfg.path}";
-      };
-      script = ''
-        export PRETIX_CONFIG_FILE="$CREDENTIALS_DIRECTORY/config"
-        ${pkgs.pretix}/bin/pretix runperiodic
-      '';
-    };
-
-    # Once every 5 minutes
-    systemd.timers.pretix-runperiodic = mkTimer {
-      description = "Run pretix tasks";
-      unit = "pretix-runperiodic.service";
-      onCalendar = "*:0/5";
-    };
-
-    systemd.services.pretix-banktool = lib.mkIf cfg.banktool.enable {
-      description = "Tool to query bank account and sync transaction data to pretix server.";
-      serviceConfig = {
-        Type = "oneshot";
-        DynamicUser = true;
-        CapabilityBoundingSet = null;
-        PrivateUsers = true;
-        ProtectHome = true;
-        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-        RestrictNamespaces = true;
-        SystemCallFilter = "@system-service";
-        LoadCredential = "config:${config.sops.secrets.pretix-banktool-cfg.path}";
-      };
-      script = "${pkgs.pretix-banktool}/bin/pretix-banktool upload \"$CREDENTIALS_DIRECTORY/config\" --days=${toString cfg.banktool.days}";
-    };
-
-    systemd.timers.pretix-banktool = lib.mkIf cfg.banktool.enable {
-      description = "Run tool to query bank account and sync transaction data to pretix server.";
-      after = [ "network.target" ];
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        Persistent = true;
-        OnCalendar = "*-*-* *:00:00";
-        Unit = "pretix-banktool.service";
-      };
-    };
-  };
-}

pkgs/pretix/pretix-static.nix

@@ -1,48 +0,0 @@
-{ stdenvNoCC
-, pretix
-, buildNpmPackage
-, makeWrapper
-}:
-
-let
-  nodeEnv = buildNpmPackage rec {
-    name = "pretix-nodejs";
-    src = "${pretix.passthru.pythonModule.pkgs.pretix}/lib/${pretix.python.libPrefix}/site-packages/pretix/static/npm_dir";
-    npmDepsHash = "sha256-2fHlEEmYzpF3SyvF7+FbwCt+zQVGF0/kslDFnJ+DQGE=";
-    dontNpmBuild = true;
-    installPhase = ''
-      mkdir -p $out
-      cp -r node_modules $out/
-      mkdir -p $out/bin
-      ln -s $out/node_modules/rollup/dist/bin/rollup $out/bin/rollup
-    '';
-    postFixup = ''
-      wrapProgram $out/bin/rollup --prefix NODE_PATH : $out
-    '';
-    nativeBuildInputs = [
-      makeWrapper
-    ];
-  };
-in
-stdenvNoCC.mkDerivation {
-  name = "pretix-static";
-  src = ./.;
-  buildPhase = ''
-    mkdir $out
-    export PRETIX_STATIC_ROOT=$out
-    export DJANGO_SETTINGS_MODULE=pretix_wrapper.settings
-    ${pretix}/bin/pretix collectstatic --noinput
-    mkdir -p $PRETIX_STATIC_ROOT/node_prefix
-    ln -s ${nodeEnv}/node_modules $PRETIX_STATIC_ROOT/node_prefix/node_modules
-    echo ${nodeEnv}/bin/rollup
-    ${pretix}/bin/pretix compress
-  '';
-  installPhase = ''
-    runHook preInstall
-    runHook postInstall
-  '';
-  nativeBuildInputs = [
-    nodeEnv
-  ];
-}
-

pkgs/pretix/pretix.nix

@@ -1,60 +0,0 @@
-{ lib
-, poetry2nix
-, pkgs
-, gettext
-, tlds-alpha-by-domain ? ./tlds-alpha-by-domain.txt
-}:
-
-let
-  tlds = pkgs.fetchurl {
-    url = "https://data.iana.org/TLD/tlds-alpha-by-domain.txt";
-    sha256 = "0153py77ll759jacq41dp2z2ksr08pdcfic0rwjd6pr84dk89y9v";
-  };
-  pkgsRequiringSetuptools = [
-    "dj-static"
-    "django-jquery-js"
-    "paypal-checkout-serversdk"
-    "python-u2flib-server"
-    "slimit"
-    "static3"
-  ];
-in
-poetry2nix.mkPoetryApplication rec {
-  projectDir = ./.;
-  #python = pkgs.python310;
-  preferWheels = true;
-  overrides = poetry2nix.defaultPoetryOverrides.extend
-    (
-      self: super: lib.attrsets.genAttrs pkgsRequiringSetuptools
-        (
-          pythonPackage:
-          super."${pythonPackage}".overridePythonAttrs (
-            old: {
-              buildInputs = (old.buildInputs or [ ]) ++ [ super.setuptools ];
-            }
-          )
-        ) // {
-        tlds = super.tlds.overridePythonAttrs (
-          old: {
-            buildInputs = (old.buildInputs or [ ]) ++ [ super.setuptools ];
-          }
-        );
-        pretix = super.pretix.overridePythonAttrs (
-          old: {
-            buildInputs = (old.buildInputs or [ ]) ++ [
-              gettext
-            ];
-            preFixup = ''
-              python -m pretix compilemessages
-              python -m pretix compilejsi18n
-            '';
-          }
-        );
-        reportlab = super.reportlab.overridePythonAttrs (
-          old: {
-            postPatch = "";
-          }
-        );
-      }
-    );
-}

pkgs/pretix/pretix_wrapper/__main__.py

@@ -1,9 +0,0 @@
-import sys
-import os
-
-module_name = "pretix"
-
-
-def main():
-    os.environ["PYTHONPATH"] = ":".join(sys.path)
-    os.execv(sys.executable, [sys.executable, "-m", module_name, *sys.argv[1:]])

pkgs/pretix/pretix_wrapper/settings.py

@@ -1,4 +0,0 @@
-import os
-from pretix.settings import *
-
-STATIC_ROOT = os.getenv("PRETIX_STATIC_ROOT")

pkgs/pretix/pyproject.toml

@@ -1,19 +0,0 @@
-[tool.poetry]
-name = "pretix_wrapper"
-version = "1.0.0"
-description = ""
-authors = ["Jakob Lechner <mail@jalr.de>"]
-license = "MIT"
-
-[tool.poetry.dependencies]
-python = "^3.10"
-pretix = "^2024.3.0"
-
-[tool.poetry.dev-dependencies]
-
-[tool.poetry.scripts]
-pretix = "pretix_wrapper.__main__:main"
-
-[build-system]
-requires = ["poetry-core>=1.0.0"]
-build-backend = "poetry.core.masonry.api"

pkgs/pretix/shell.nix

@@ -1,8 +0,0 @@
-with import <nixpkgs> { };
-
-mkShell {
-  buildInputs = [
-    poetry
-  ];
-
-}

pkgs/tabbed-box-maker/default.nix

@@ -14,7 +14,7 @@ stdenvNoCC.mkDerivation {
     sha256 = "8TNNVMSwbvcEwkvMHecHtGLEpiX3F0g0EGsgO1YKBGQ=";
   };
 
-  dontBild = true;
+  dontBuild = true;
   installPhase = ''
     mkdir $out
     cp * $out

users/jalr/default.nix

@@ -1,21 +1,11 @@
 { config, pkgs, ... }:
 
-{
+let
-  imports = [
+  sshKeys = [
-    ./default.nix
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479"
   ];
-
+in
-  jalr = {
+{
-    git = {
-      user = {
-        name = "Jakob Lechner";
-        email = "mail@jalr.de";
-      };
-      signByDefault = true;
-    };
-    gpg.defaultKey = "3044E71E3DEFF49B586CF5809BF4FCCB90854DA9";
-  };
-
   users.users.jalr = {
     isNormalUser = true;
     extraGroups = [
@@ -32,16 +22,16 @@
       "wireshark"
     ]; # Enable ‘sudo’ for the user.
     shell = pkgs.fish;
-    openssh.authorizedKeys.keys = [
+    openssh.authorizedKeys.keys = sshKeys;
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479"
-    ];
   };
 
+  users.users.root.openssh.authorizedKeys.keys = sshKeys;
+
   home-manager = {
     useUserPackages = true;
     useGlobalPkgs = true;
     users.jalr = { lib, pkgs, ... }: {
-      imports = [ ../modules ];
+      imports = [ ./modules ];
       config = {
         home.stateVersion = config.system.stateVersion;
 
@@ -120,6 +110,56 @@
               profiles = [ "default" ];
             };
           };
+          "Digitaler Dienst info" = {
+            userName = "info@digitaler-dienst.gmbh";
+            address = "info@digitaler-dienst.gmbh";
+            realName = "Digitaler Dienst";
+            imap = {
+              host = "mail.agenturserver.de";
+              port = 143;
+              tls = {
+                enable = true;
+                useStartTls = true;
+              };
+            };
+            smtp = {
+              host = "mail.agenturserver.de";
+              port = 587;
+              tls = {
+                enable = true;
+                useStartTls = true;
+              };
+            };
+            thunderbird = {
+              enable = true;
+              profiles = [ "default" ];
+            };
+          };
+          "FabLab NEA" = {
+            userName = "kontakt@fablab-nea.de";
+            address = "kontakt@fablab-nea.de";
+            realName = "FabLab NEA";
+            imap = {
+              host = "hha.jalr.de";
+              port = 143;
+              tls = {
+                enable = true;
+                useStartTls = true;
+              };
+            };
+            smtp = {
+              host = "hha.jalr.de";
+              port = 587;
+              tls = {
+                enable = true;
+                useStartTls = true;
+              };
+            };
+            thunderbird = {
+              enable = true;
+              profiles = [ "default" ];
+            };
+          };
         };
       };
     };

users/jalr/modules/alacritty.nix

@@ -1,20 +1,7 @@
 { lib, pkgs, nixosConfig, ... }:
 let
   solarized = import ./solarized.nix;
-
+  tomlFormat = pkgs.formats.toml { };
-  #nixosConfig.jalr.terminalEmulator.command = pkgs.writeShellScriptBin "alacritty-sway-cwd" ''
-  #  this_alacritty_pid="$(swaymsg -t get_tree | ${pkgs.jq} -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
-
-  #  if [ "$this_alacritty_pid" ]; then
-  #      child_pid="$(pgrep -P "$this_alacritty_pid")"
-  #      cwd="$(readlink /proc/$child_pid/cwd)"
-  #  fi
-  #  if [ -e "$cwd" ]; then
-  #      exec ${pkgs.alacritty} --working-directory "$cwd"
-  #  fi
-
-  #  exec alacritty
-  #'';
 
   colorschemes = {
     # https://github.com/alacritty/alacritty/wiki/Color-schemes#solarized
@@ -105,7 +92,7 @@ let
 
     mouse.hide_when_typing = true;
 
-    key_bindings = [
+    keyboard.bindings = [
       {
         key = "F1";
         mods = "Control";
@@ -144,18 +131,15 @@ in
     enable = nixosConfig.jalr.gui.enable;
   };
 
-  # The option `home-manager.users.jalr.xdg.configFile.dark.alacritty/alacritty-dark.yml' does not exist
-
-  /*
-    xdg.configFile = builtins.mapAttrs (colorScheme: cfg: {
-    "alacritty/alacritty-${colorScheme}.yml" = lib.replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg);
-    }) settings;
-  */
-
   xdg.configFile = lib.attrsets.mapAttrs'
-    (colorScheme: cfg: lib.attrsets.nameValuePair "alacritty/alacritty-${colorScheme}.yml" {
+    (colorScheme: cfg:
-      text = lib.replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg);
+      let name = "alacritty-${colorScheme}.toml";
-    })
+      in
+      lib.attrsets.nameValuePair "alacritty/${name}" {
+        source = tomlFormat.generate name cfg;
+        target = "alacritty/${name}";
+      }
+    )
     settings;
 
   programs.fish.functions = {

users/jalr/modules/cli/default.nix

@@ -0,0 +1,28 @@
+{ nixosConfig, lib, pkgs, ... }:
+{
+  imports = [
+    ./htop.nix
+  ];
+
+  config = {
+    home.packages = with pkgs; [
+      cached-nix-shell
+      eza
+      file
+      inetutils
+      jq
+      lsof
+      ncdu
+      ripgrep
+      unzip
+    ] ++ (if ! nixosConfig.jalr.workstation.enable then [ ] else [
+      direnv
+      dnsutils
+      screen
+      speedtest-cli
+      usbutils
+      wget
+      yt-dlp
+    ]);
+  };
+}

users/jalr/modules/cli/htop.nix

@@ -0,0 +1,25 @@
+{ nixosConfig
+, config
+, lib
+, ...
+}:
+
+{
+  programs.htop = {
+    enable = true;
+    settings = {
+      color_scheme = 6;
+    } // (with config.lib.htop; leftMeters ([
+      (bar "LeftCPUs")
+      (bar "Memory")
+    ] ++ lib.lists.optional nixosConfig.zramSwap.enable (bar "Zram") ++ [
+    ] ++ lib.lists.optional (!(nixosConfig.swapDevices == [ ])) (bar "Swap") ++ [
+      (bar "DiskIO")
+    ])) // (with config.lib.htop; rightMeters [
+      (bar "RightCPUs")
+      (text "Tasks")
+      (text "LoadAverage")
+      (text "NetworkIO")
+    ]);
+  };
+}

users/jalr/modules/communication/element-desktop.nix

@@ -0,0 +1,42 @@
+{ nixosConfig, lib, pkgs, ... }:
+
+let
+  profiles = {
+    "digitaler-dienst" = {
+      description = "Digitaler Dienst";
+    };
+    "private" = {
+      description = "private";
+    };
+  };
+in
+lib.mkIf nixosConfig.jalr.gui.enable {
+  home.packages = with pkgs; [
+    element-desktop
+  ];
+
+  # Create an empty directory in nix store
+  # as we want to use Element only with `--profile-dir`
+  xdg.configFile.Element = {
+    source = pkgs.runCommand "empty-Element-directory" { } "mkdir $out";
+    target = "Element";
+  };
+
+
+  xdg.desktopEntries = lib.attrsets.mapAttrs'
+    (name: value: lib.attrsets.nameValuePair "element-desktop-${name}"
+      {
+        categories = [ "Network" "InstantMessaging" "Chat" ];
+        exec = toString (pkgs.writeShellScript "element-desktop-${name}" ''
+          exec element-desktop --profile-dir "$HOME/.config/element-profiles/${name}"
+        '');
+        genericName = "Matrix Client";
+        icon = "element";
+        mimeType = [ "x-scheme-handler/element" ];
+        name = "Element ${value.description}";
+        terminal = false;
+        type = "Application";
+      }
+    )
+    profiles;
+}

users/jalr/modules/default.nix

@@ -2,11 +2,10 @@
 
 {
   imports = [
-    ./${nixosConfig.jalr.terminalEmulator}.nix
     ./3d-printing.nix
+    ./alacritty.nix
     ./aws.nix
-    ./claws-mail.nix
+    ./cli
-    ./cli.nix
     ./communication
     ./direnv.nix
     ./dynamic-colors.nix
@@ -23,6 +22,7 @@
     ./mute-indicator.nix
     ./neo.nix
     ./neovim.nix
+    ./nix-index.nix
     ./obs-studio
     ./openscad.nix
     ./pass.nix
@@ -36,6 +36,4 @@
     ./tor-browser.nix
     ./vdirsyncer.nix
   ];
-
-  programs.nix-index.enable = true;
 }

users/jalr/modules/dynamic-colors.nix

@@ -9,9 +9,9 @@ let
   applicationConfig = [
     {
       dir = "~/.config/alacritty";
-      light = "alacritty-light.yml";
+      light = "alacritty-light.toml";
-      dark = "alacritty-dark.yml";
+      dark = "alacritty-dark.toml";
-      target = "alacritty.yml";
+      target = "alacritty.toml";
     }
     {
       dir = "~/.config/wofi";

users/jalr/modules/firefox/default.nix

@@ -0,0 +1,364 @@
+{ nixosConfig, pkgs, ... }:
+{
+  programs.firefox = {
+    enable = nixosConfig.jalr.gui.enable;
+    package = pkgs.firefox-esr;
+    policies = {
+      AllowedDomainsForApps = "";
+      CaptivePortal = false;
+      DNSOverHTTPS.Enabled = false;
+      DisableAppUpdate = true;
+      DisableFeedbackCommands = true;
+      DisableFirefoxAccounts = true;
+      DisableFirefoxScreenshots = true;
+      DisableFirefoxStudies = true;
+      DisablePocket = true;
+      DisableTelemetry = true;
+      DisplayBookmarksToolbar = "newtab";
+      DisplayMenuBar = "never";
+      EncryptedMediaExtensions = { Enabled = false; Locked = true; };
+      NoDefaultBookmarks = true;
+      OfferToSaveLogins = false;
+      StartDownloadsInTempDirectory = true;
+      UserMessaging = {
+        WhatsNew = false;
+        ExtensionRecommendations = false;
+        FeatureRecommendations = false;
+        UrlbarInterventions = false;
+        SkipOnboarding = true;
+        MoreFromMozilla = false;
+        Locked = false;
+      };
+      Permissions = {
+        Camera = {
+          /*
+          Allow = ["https://example.org" "https://example.org:1234"];
+          Block =  ["https://example.edu"];
+          BlockNewRequests = true | false;
+          Locked = true | false;
+          */
+        };
+        Microphone = { };
+        Location = { };
+        Notifications = { };
+        Autoplay = { };
+      };
+      PopupBlocking = {
+        /* Allow = ["http://example.org/" "http://example.edu/"]; */
+        Default = false;
+        Locked = false;
+      };
+      Bookmarks = (
+        builtins.map
+          (b: b // {
+            Folder = "Nix";
+            Placement = "toolbar";
+          }) [
+          {
+            Title = "NixOS Manual";
+            URL = "https://nixos.org/manual/nixos/stable/";
+          }
+          {
+            Title = "Nix manual";
+            URL = "https://nix.dev/manual/nix/2.18/stable";
+          }
+          {
+            Title = "Nixpkgs manual";
+            URL = "https://nixos.org/manual/nixpkgs/stable/";
+          }
+          {
+            Title = "Noogle";
+            URL = "https://noogle.dev/";
+          }
+          {
+            Title = "Home Manager Configuration Options";
+            URL = "https://nix-community.github.io/home-manager/options.xhtml";
+          }
+          {
+            Title = "Home Manager Option Search";
+            URL = "https://mipmip.github.io/home-manager-option-search/";
+          }
+          {
+            Title = "NixOS Status";
+            URL = "https://status.nixos.org/";
+          }
+          {
+            Title = "krops";
+            URL = "https://cgit.krebsco.de/krops/about/";
+          }
+          {
+            Title = "Awesome Nix";
+            URL = "https://github.com/nix-community/awesome-nix";
+          }
+        ]
+      ) ++ (
+        builtins.map
+          (b: b // {
+            Folder = "Digitaler Dienst";
+            Placement = "toolbar";
+          }) [
+          {
+            Title = "GitLab";
+            URL = "https://gitlab.digitaler-dienst.net/";
+          }
+          {
+            Title = "Moco";
+            URL = "https://digitaler-dienst.mocoapp.com/activities";
+          }
+          {
+            Title = "Leantime";
+            URL = "https://todo.digitaler-dienst.gmbh/";
+          }
+          {
+            Title = "Nextcloud";
+            URL = "https://nx52865.your-storageshare.de/";
+          }
+          {
+            Title = "FreeScout";
+            URL = "https://tickets.digitaler-dienst.gmbh/";
+          }
+          {
+            Title = "Personio";
+            URL = "https://laemmermann.personio.de/";
+          }
+        ]
+      ) ++ [
+        {
+          Title = "Fefes Blog";
+          URL = "https://blog.fefe.de";
+          Placement = "toolbar";
+          #Placement = "menu";
+          #Favicon = "https://example.com/favicon.ico";
+        }
+      ];
+      /*
+      ManagedBookmarks = [
+        {
+          toplevel_name = "My managed bookmarks folder";
+        }
+        {
+          url =  "example.com";
+          name = "Example";
+        }
+        {
+          name = "Mozilla links";
+          children = [
+            {
+              url = "https://mozilla.org";
+              name = "Mozilla.org";
+            }
+            {
+              url = "https://support.mozilla.org/";
+              name = "SUMO";
+            }
+          ];
+        }
+      ];
+      */
+      SearchEngines.Default = "DuckDuckGo";
+      SearchEngines.Remove = [
+        "Google"
+        "Wikipedia (en)"
+      ];
+      SearchEngines.Add = [
+        {
+          Name = "Startpage";
+          URLTemplate = "https://www.startpage.com/sp/search";
+          Method = "POST";
+          PostData = "qadf=none&query={searchTerms}";
+          IconURL = "https://www.startpage.com/sp/cdn/favicons/mobile/android-icon-192x192.png";
+          Alias = "sp";
+        }
+        {
+          Name = "DuckDuckGo";
+          URLTemplate = "https://duckduckgo.com/?q={searchTerms}";
+          Method = "GET";
+          IconURL = "https://duckduckgo.com/favicon.ico";
+          Alias = "ddg";
+        }
+
+        # Wikipedia
+        {
+          Name = "Wikipedia en";
+          URLTemplate = "https://en.wikipedia.org/wiki/Special:Search?search={searchTerms}";
+          Method = "GET";
+          IconURL = "https://en.wikipedia.org/static/images/icons/wikipedia.png";
+          Alias = "wen";
+        }
+        {
+          Name = "Wikipedia de";
+          URLTemplate = "https://de.wikipedia.org/w/index.php?search={searchTerms}";
+          Method = "GET";
+          IconURL = "https://www.wikipedia.de/img/wikipedia.png";
+          Alias = "wde";
+        }
+        {
+          Name = "Nix Packages";
+          URLTemplate = "https://search.nixos.org/packages?query={searchTerms}";
+          Method = "GET";
+          IconURL = "https://nixos.org/favicon.png";
+          Alias = "pkg";
+        }
+        {
+          Name = "NixOS Options";
+          URLTemplate = "https://search.nixos.org/options?query={searchTerms}";
+          Method = "GET";
+          IconURL = "https://nixos.org/favicon.png";
+          Alias = "opt";
+        }
+        {
+          Name = "Docker images";
+          URLTemplate = "https://hub.docker.com/search/?q={searchTerms}";
+          Method = "GET";
+          IconURL = "https://hub.docker.com/favicon.ico";
+          Alias = "docker";
+        }
+        {
+          Name = "GitHub";
+          URLTemplate = "https://github.com/search?q={searchTerms}";
+          Method = "GET";
+          IconURL = "https://github.githubassets.com/favicons/favicon.svg";
+          Alias = "gh";
+        }
+
+        # Shopping
+        {
+          Name = "Amazon de";
+          URLTemplate = "https://www.amazon.de/s?k={searchTerms}";
+          Method = "GET";
+          IconURL = "https://www.amazon.de/favicon.ico";
+          Alias = "amde";
+        }
+        {
+          Name = "Ebay de";
+          URLTemplate = "https://www.ebay.de/sch/i.html?_nkw={searchTerms}";
+          Method = "GET";
+          IconURL = "https://pages.ebay.com/favicon.ico";
+          Alias = "ebde";
+        }
+
+        # Dictionary
+        {
+          Name = "dict.cc";
+          URLTemplate = "https://www.dict.cc/?s={searchTerms}";
+          Method = "GET";
+          IconURL = "https://www4.dict.cc/img/favicons/favicon4.png";
+          Alias = "dcc";
+        }
+        {
+          Name = "Duden";
+          URLTemplate = "https://www.duden.de/suchen/dudenonline/{searchTerms}";
+          Method = "GET";
+          IconURL = "https://www.duden.de/sites/default/res/apple-touch-icon/180x180.png";
+          Alias = "duden";
+        }
+
+        # Map
+        {
+          Name = "OpenStreetMap";
+          URLTemplate = "https://www.openstreetmap.org/search?query={searchTerms}";
+          Method = "GET";
+          IconURL = "https://www.openstreetmap.org/assets/favicon-194x194-79d3fb0152c735866e64b1d7535d504483cd13c2fad0131a6142bd9629d30de2.png";
+          Alias = "osm";
+        }
+      ];
+    };
+    profiles.default = {
+      id = 0;
+      isDefault = true;
+      extensions = with pkgs.nur.repos.rycee.firefox-addons; [
+        darkreader
+        tree-style-tab
+        ublock-origin
+        umatrix
+        violentmonkey
+      ];
+      settings = {
+        #"browser.startup.homepage" = "https://nixos.org";
+        #"browser.search.region" = "GB";
+        #"browser.search.isUS" = false;
+        #"distribution.searchplugins.defaultLocale" = "en-GB";
+        #"general.useragent.locale" = "en-GB";
+        #"browser.bookmarks.showMobileBookmarks" = true;
+        "app.normandy.enabled" = false;
+        "app.shield.optoutstudies.enabled" = false;
+        "app.update.auto" = false;
+        "browser.bookmarks.addedImportButton" = false;
+        "browser.ctrlTab.sortByRecentlyUsed" = true;
+        "browser.fixup.alternate.enabled" = false;
+        "browser.formfill.enable" = false;
+        "browser.link.open_newwindow.restriction" = 0;
+        "browser.newtabpage.enabled" = false;
+        "browser.ping-centre.telemetry" = false;
+        "browser.safebrowsing.downloads.enabled" = false;
+        "browser.safebrowsing.downloads.remote.block_dangerous" = false;
+        "browser.safebrowsing.downloads.remote.block_dangerous_host" = false;
+        "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = false;
+        "browser.safebrowsing.downloads.remote.block_uncommon" = false;
+        "browser.safebrowsing.downloads.remote.enabled" = false;
+        "browser.safebrowsing.downloads.remote.url" = "";
+        "browser.safebrowsing.malware.enabled" = false;
+        "browser.safebrowsing.phishing.enabled" = false;
+        "browser.safebrowsing.provider.google.advisoryURL" = "";
+        "browser.safebrowsing.provider.google.gethashURL" = "";
+        "browser.safebrowsing.provider.google.lists" = "";
+        "browser.safebrowsing.provider.google.reportMalwareMistakeURL" = "";
+        "browser.safebrowsing.provider.google.reportPhishMistakeURL" = "";
+        "browser.safebrowsing.provider.google.reportURL" = "";
+        "browser.safebrowsing.provider.google.updateURL" = "";
+        "browser.safebrowsing.provider.google4.advisoryURL" = "";
+        "browser.safebrowsing.provider.google4.dataSharingURL" = "";
+        "browser.safebrowsing.provider.google4.gethashURL" = "";
+        "browser.safebrowsing.provider.google4.lists" = "";
+        "browser.safebrowsing.provider.google4.reportMalwareMistakeURL" = "";
+        "browser.safebrowsing.provider.google4.reportPhishMistakeURL" = "";
+        "browser.safebrowsing.provider.google4.reportURL" = "";
+        "browser.safebrowsing.provider.google4.updateURL" = "";
+        "browser.safebrowsing.provider.mozilla.gethashURL" = "";
+        "browser.safebrowsing.provider.mozilla.lists" = "";
+        "browser.safebrowsing.provider.mozilla.updateURL" = "";
+        "browser.search.suggest.enabled" = false;
+        "browser.search.widget.inNavBar" = true;
+        "browser.startup.page" = 0;
+        "extensions.pocket.enabled" = false;
+        "extensions.update.enabled" = false;
+        "identity.fxaccounts.enabled" = false;
+        "keyword.enabled" = false;
+        "network.captive-portal-service.enabled" = false;
+        "network.predictor.enabled" = false;
+        "privacy.donottrackheader.enabled" = true;
+        "startup.homepage_welcome_url" = "about:blank";
+        "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+        "toolkit.telemetry.archive.enabled" = false;
+        "toolkit.telemetry.bhrPing.enabled" = false;
+        "toolkit.telemetry.firstShutdownPing.enabled" = false;
+        "toolkit.telemetry.newProfilePing.enabled" = false;
+        "toolkit.telemetry.server" = "http://127.0.0.1:4711";
+        "toolkit.telemetry.server_owner" = "";
+        "toolkit.telemetry.shutdownPingSender.enabled" = false;
+        "toolkit.telemetry.updatePing.enabled" = false;
+        "urlclassifier.downloadAllowTable" = "";
+        "urlclassifier.downloadBlockTable" = "";
+        "urlclassifier.malwareTable" = "";
+        "urlclassifier.phishTable" = "";
+        "datareporting.healthreport.uploadEnabled" = "";
+        "app.normandy.api_url" = "";
+        "breakpad.reportURL" = "";
+        "browser.region.network.url" = "";
+        "browser.search.geoSpecificDefaults.url" = "";
+        "browser.shell.checkDefaultBrowser" = false;
+
+        "privacy.userContext.enabled" = true;
+        "privacy.userContext.ui.enabled" = true;
+        "network.dnsCacheExpiration" = 0;
+
+        # disable disk cache to reduce ssd writes
+        "browser.cache.disk.enable" = false;
+        "browser.cache.memory.enable" = true;
+        "browser.cache.memory.capacity" = -1;
+      };
+
+      userChrome = builtins.readFile ./userChrome.css;
+    };
+  };
+}

users/jalr/modules/firefox/userChrome.css

@@ -218,4 +218,28 @@ url(chrome://browser/content/browser.xhtml) {
     }
 
     /*** End of: Megabar Styler One-Offs ***/
+
+    /* Hide "Firefox Suggest" in location bar search results */
+    .urlbarView-row[label="Firefox Suggest"]::before {
+        display: none !important
+    }
+    .urlbarView-row[label] {
+        margin-block-start: 4px !important;
+    }
+
+    /* Hide search button in location bar */
+    #identity-box[pageproxystate=invalid] > .identity-box-button,
+    .searchbar-search-button {
+        display: none
+    }
+
+    /* Hide search placeholder in location bar */
+    #urlbar-input::placeholder {
+        color: transparent;
+    }
+
+    /* Hide back & forward buttons */
+    toolbarbutton#back-button {
+        display: none;
+    }
 }

users/jalr/modules/fish.nix

@@ -11,8 +11,8 @@
         src = pkgs.fetchFromGitHub {
           owner = "oh-my-fish";
           repo = "theme-agnoster";
-          rev = "c142e802983bd1b34b4d91efac2126fc5913126d";
+          rev = "4c5518c89ebcef393ef154c9f576a52651400d27";
-          sha256 = "0PLx626BWoBp/L6wgkB4o+53q8PymiEE/rTu2mfzHhg=";
+          sha256 = "OFESuesnfqhXM0aij+79kdxjp4xgCt28YwTrcwQhFMU=";
           fetchSubmodules = true;
         };
       }
@@ -61,82 +61,71 @@
       #alias cal='ncal -b -M'
       alias myip='dig +short myip.opendns.com @resolver1.opendns.com'
 
-      function hm -d 'merge history and delete failed commands'
+      history --merge >/dev/null 2>&1
-          history --merge
-
-          if test -z "$fish_private_mode" && test -e "$__fish_user_data_dir/successful_commands" && test -e "$__fish_user_data_dir/failed_commands"
-              while read line;
-                  if ! grep -qFx $line "$__fish_user_data_dir/successful_commands"
-                      set hist_command (echo $line | base64 -d)
-                      echo "deleting command: $hist_command"
-                      echo "."
-                      history delete --exact --case-sensitive $hist_command
-                  end
-              end < "$__fish_user_data_dir/failed_commands"
-              echo -n > "$__fish_user_data_dir/successful_commands"
-              echo -n > "$__fish_user_data_dir/failed_commands"
-          end
-      end
-      hm
 
       # fancy tools
       if which eza > /dev/null 2>&1
-          alias l=eza
+          abbr --add l eza
-          alias ll='eza -l --time-style=long-iso --git'
+          abbr --add ll 'eza -l --time-style=long-iso --git'
-          alias la='eza -la --time-style=long-iso --git'
+          abbr --add la 'eza -la --time-style=long-iso --git'
-          alias tree='eza --tree'
+          abbr --add tree 'eza --tree'
-          alias llt='eza -s modified -l'
+          abbr --add llt 'eza -s modified -l'
       else
-          alias l=ls
+          abbr --add l ls
-          alias ll='ls -l'
+          abbr --add ll 'ls -l'
-          alias la='ls -la'
+          abbr --add la 'ls -la'
-          alias llt='ls -trl'
+          abbr --add llt 'ls -trl'
       end
 
       if which rg > /dev/null 2>&1
-          alias g=rg
+          abbr --add g rg
           complete -c g -w rg
       else if which ag > /dev/null 2>&1
-          alias g=ag
+          abbr --add g ag
           complete -c g -w ag
       else
-          alias g='grep --color=auto'
+          abbr --add g 'grep --color=auto'
           complete -c g -w grep
       end
 
-      function jqless -d 'jq -C [args] | less -R'
-          jq -C $argv | less -R
-      end
 
       # NixOS direnv
       if which direnv > /dev/null
           eval (direnv hook fish)
       end
 
-      function __cut_commandline -d 'cut commandline and paste it later'
+      bind \ed 'dirh-fzf'
+
+      # fix too dark color on solarized theme
+      set -g fish_color_autosuggestion brgreen
+    '';
+
+    functions = {
+      jqless = {
+        body = ''
+          jq -C $argv | less -R
+        '';
+      };
+      __cut_commandline = {
+        description = "cut commandline and paste it later";
+        body = ''
           set -g commandline_buffer (commandline)
           commandline ""
-      end
+        '';
-
+      };
-
+      __postexec = {
-
+        onEvent = "fish_postexec";
-      function __postexec --on-event fish_postexec
+        body = ''
-          if test $status -ne 0
+          if test $status -ne 0; and test -z "$hist_cmd"; and test -z "$fish_private_mode"
-              if test -z "$hist_cmd"
+              #$SHELL -c "
-                  if test -z "$fish_private_mode"
+              history delete --exact --case-sensitive -- $argv[1]
-                      echo $argv[1] | base64 >> "$__fish_user_data_dir/failed_commands"
+              #" &
-                  end
-              end
-          else
-              if test -z "$fish_private_mode"
-                  echo $argv[1] | base64 >> "$__fish_user_data_dir/successful_commands"
-              end
-              commandline $commandline_buffer
-              set -e commandline_buffer
           end
-      end
+        '';
-
+      };
-      function dirh-nocolor --description "Print the current directory history (the prev and next lists)"
+      dirh-nocolor = {
+        description = "Print the current directory history (the prev and next lists)";
+        body = ''
           set -l options h/help
           argparse -n dirh --max-args=0 $options -- $argv
           or return
@@ -165,14 +154,15 @@
                   printf '%s\n' $dirnext_rev[$i]
               end
           end
-      end
+        '';
-
+      };
-      function dirh-fzf -d 'directory history fuzzy finder'
+      dirh-fzf = {
+        description = "directory history fuzzy finder";
+        body = ''
           builtin cd (dirh-nocolor | uniq | fzf)
-      end
+        '';
-
+      };
-      bind \ed 'dirh-fzf'
+    };
-    '';
   };
 
   xdg.configFile."fish/completions/mycli.fish".text = ''

users/jalr/modules/git.nix

@@ -4,15 +4,17 @@
   programs = {
     git = {
       enable = true;
-      userName = nixosConfig.jalr.git.user.name;
+      userName = "Jakob Lechner";
-      userEmail = nixosConfig.jalr.git.user.email;
+      userEmail = "mail@jalr.de";
       signing = {
-        key = nixosConfig.jalr.gpg.defaultKey;
+        key = "3044E71E3DEFF49B586CF5809BF4FCCB90854DA9";
-        signByDefault = nixosConfig.jalr.git.signByDefault;
+        signByDefault = false;
+      };
+      diff-so-fancy = {
+        enable = true;
       };
       extraConfig = {
         init.defaultBranch = "main";
-        core.pager = "${pkgs.diff-so-fancy}/bin/diff-so-fancy | less --tabs=4 -RFX";
         diff.sops.textconv = "${pkgs.sops}/bin/sops -d";
         pull.ff = "only";
         alias.find-merge = "!sh -c 'commit=$0 && branch=\${1:-HEAD} && (git rev-list $commit..$branch --ancestry-path | cat -n; git rev-list $commit..$branch --first-parent | cat -n) | sort -k2 -s | uniq -f1 -d | sort -n | tail -1 | cut -f2'";
@@ -23,7 +25,7 @@
     fish = {
       shellAbbrs = {
         ga = "git add";
-        gam = "git commit --amend";
+        gam = "git commit --amend --no-edit";
         gap = "git add --patch";
         gb = "git branch";
         gbd = "git branch --delete";
@@ -38,7 +40,7 @@
         gf = "git fetch";
         ginit = "git init";
         gl = "git log";
-        gpll = "git pull";
+        gpll = "git pull --rebase";
         gpsh = "git push";
         grb = "git rebase --autostash";
         grbi = "git rebase --autostash --interactive --autosquash refs/remotes/origin/HEAD";

users/jalr/modules/gui.nix

@@ -3,11 +3,9 @@ lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = with pkgs; [
     evince
     exiftool
-    gcr # required for pinentry-gnome
     geeqie
     mpv
     networkmanagerapplet
-    pinentry-gnome
     streamlink
     supersonic-wayland
     vlc

users/jalr/modules/neovim.nix

@@ -44,6 +44,7 @@
       augroup END
 
       autocmd BufRead COMMIT_EDITMSG startinsert
+      autocmd BufRead /tmp/tmp.*.fish startinsert
 
       let g:deoplete#enable_at_startup = 1
 

users/jalr/modules/nix-index.nix

@@ -0,0 +1,5 @@
+{
+  programs.nix-index = {
+    enable = true;
+  };
+}

users/jalr/modules/pass.nix

@@ -1,11 +1,17 @@
-{ nixosConfig, config, pkgs, ... }:
+{ nixosConfig, pkgs, ... }:
 
 let
   pw = pkgs.writeScriptBin "pw" ''
     p="$(${pkgs.pass}/bin/pass show "$1")"
 
     copy_line() {
-      echo -n "$p" | ${pkgs.gnused}/bin/sed -n "$1"p | ${pkgs.wl-clipboard}/bin/wl-copy -o -f
+      echo -n "$p" \
+        | ${pkgs.gnused}/bin/sed -n "$1"p \
+        | ${pkgs.wl-clipboard}/bin/wl-copy \
+          --paste-once \
+          --foreground \
+          --trim-newline \
+          --type text/plain
     }
 
     echo "username"

users/jalr/modules/sway/default.nix

@@ -3,22 +3,19 @@
 let
   solarized = import ../solarized.nix;
   terminalEmulator =
-    if nixosConfig.jalr.terminalEmulator == "alacritty"
+    pkgs.writeShellScript "alacritty-sway-cwd" ''
-    then
+      this_alacritty_pid="$(${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
-      pkgs.writeShellScript "alacritty-sway-cwd" ''
-        this_alacritty_pid="$(${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
 
-        if [ "$this_alacritty_pid" ]; then
+      if [ "$this_alacritty_pid" ]; then
-            child_pid="$(pgrep -P "$this_alacritty_pid")"
+          child_pid="$(pgrep -P "$this_alacritty_pid")"
-            cwd="$(readlink /proc/$child_pid/cwd)"
+          cwd="$(readlink /proc/$child_pid/cwd)"
-        fi
+      fi
-        if [ -e "$cwd" ]; then
+      if [ -e "$cwd" ]; then
-            exec ${pkgs.alacritty}/bin/alacritty --working-directory "$cwd"
+          exec ${pkgs.alacritty}/bin/alacritty --working-directory "$cwd"
-        fi
+      fi
 
-        exec ${pkgs.alacritty}/bin/alacritty
+      exec ${pkgs.alacritty}/bin/alacritty
-      ''
+    '';
-    else nixosConfig.jalr.terminalEmulator;
   cfg = config.wayland.windowManager.sway.config;
   wallpaper = pkgs.fetchurl {
     url = "https://raw.githubusercontent.com/swaywm/sway/3b2bc894a5ebbcbbd6707d45a25d171779c2e874/assets/Sway_Wallpaper_Blue_1920x1080.png";
@@ -113,16 +110,6 @@ in
 
       output."*".bg = "${wallpaper} fill";
 
-      # FIXME
-      #input = {
-      #  #"type:keyboard" = {
-      #  #  xkb_layout = "neo";
-      #  #};
-      #} // (lib.optionalAttrs (nixosConfig.networking.hostName == "mayushii") {
-      #  "type:touchpad".events = "disabled";
-      #  "2:10:TPPS/2_Elan_TrackPoint".pointer_accel = "-0.15";
-      #});
-
       keybindings = {
         "${cfg.modifier}+Return" = "exec ${cfg.terminal}";
         "${cfg.modifier}+Backspace" = "exec ${cfg.terminal}";
@@ -297,7 +284,9 @@ in
       fonts = {
         names = [ "monospace" ];
         style = "Regular";
-        size = 0.0;
+
+        # FIXME: this is an ugly workaround until https://github.com/swaywm/sway/issues/7409 is fixed
+        size = 0.001;
       };
     };
 

users/jalr/modules/thunderbird.nix

@@ -3,5 +3,8 @@
   programs.thunderbird = {
     enable = nixosConfig.jalr.gui.enable;
     profiles."default".isDefault = true;
+    settings = {
+      "mail.chat.enabled" = false;
+    };
   };
 }