Attempt to remove sensitive stuff from notifications

Add unavail voicemail message
Add git lfs
2023-11-09 00:48:36 +00:00 · 2023-11-09 00:10:43 +00:00 · 2023-11-09 00:02:33 +00:00 · 2023-11-09 00:01:57 +00:00 · 2023-11-08 23:54:36 +00:00 · 2023-11-08 23:50:21 +00:00
360 changed files with 7843 additions and 15679 deletions
--- a/.git-crypt/keys/default/0/3044E71E3DEFF49B586CF5809BF4FCCB90854DA9.gpg
+++ b/.git-crypt/keys/default/0/3044E71E3DEFF49B586CF5809BF4FCCB90854DA9.gpg
--- a/.git-crypt/keys/default/0/66FB54F6081375106EEBF651A222365EB448F934.gpg
+++ b/.git-crypt/keys/default/0/66FB54F6081375106EEBF651A222365EB448F934.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -1,5 +1,3 @@
 **/secrets/** filter=git-crypt diff=git-crypt
 **/secrets.yaml diff=sops
 *.wav filter=lfs diff=lfs merge=lfs -text
 hosts/iron/services/tvproxy.nix filter=git-crypt diff=git-crypt
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,12 +1,11 @@
 keys:
-  - &admin_jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+  - &admin_jalr 66FB54F6081375106EEBF651A222365EB448F934
  - &admin_jalr_tb FE170812543DF81393EA56BA5042B8317A10617E
  - &host_aluminium age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44
  - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
  - &host_iron age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je
-  - &host_magnesium age19qkgfaq08kmyxghet48dq4gxwjuy9zpvuyxys9jkmcqa5634537qlxjcd8
+  - &host_magnesium age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0
  - &host_weinturm_pretix_prod age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
  - &host_copper age1rrut5ntrkqmvttvmpa5jcmjhr2pfpyaqgu9dmtx6v07lgjxx5ppsl7e5v3
 creation_rules:
  - path_regex: hosts/aluminium/secrets\.yaml$
    key_groups:
@ -38,12 +37,6 @@ creation_rules:
      - *admin_jalr
      age:
      - *host_weinturm_pretix_prod
  - path_regex: hosts/copper/secrets\.yaml$
    key_groups:
    - pgp:
      - *admin_jalr
      age:
      - *host_copper
  - path_regex: secrets\.yaml$
    key_groups:
    - pgp:
--- a/README.md
+++ b/README.md
@ -1,27 +1,18 @@
-# jalr's NixOS Configuration
+## home-manager
 https://github.com/nix-community/home-manager
 For a systematic overview of Home Manager and its available options, please see
 - the [Home Manager manual](https://nix-community.github.io/home-manager/index.html) and
 - the [Home Manager configuration options](https://nix-community.github.io/home-manager/options.html).
 ## Install a new host
 This installs nixos on host `somehost`:
 ### NixOS Anywhere
 ```bash
 nix run github:nix-community/nixos-anywhere -- --flake .#<somehost> root@<somehost>
 ```
 ### The traditional way
 ```bash
 nix-shell -p nixUnstable --run 'nixos-install --flake https://gitlab.jalr.de/jalr/nixos-configuration#somehost --no-channel-copy'
 ```
 ### Build a configuration
 ```
 nix build .#nixosConfigurations.iron.config.system.build.toplevel
 ```
 ### setting up sops
 Get the host key and convert it.
 ```bash
@ -55,12 +46,4 @@ nix-repl> :lf .#
 ```
 gpg --card-edit
 gpg/card> fetch
 gpg --edit-key $key
 gpg> trust
 Your decision? 5
 ```
 ## Debugging boot issues
 1. Add `rd.systemd.debug_shell` kernel parameter
 2. Press CTRL+ALT+F9 to switch to root shell
--- a/custom-utils/default.nix
+++ b/custom-utils/default.nix
@ -1,5 +1,33 @@
 { lib, ... }:
 let
  filterPort = pm: port: (
    lib.attrsets.catAttrs port (
      lib.attrsets.attrValues (
        lib.attrsets.filterAttrs (n: v: v ? "${port}") pm
      )
    )
  );
  onlyUniqueItemsInList = (x: lib.lists.length x == lib.lists.length (lib.lists.unique x));
  protocols = (x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x))));
  mkRange = (x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1));
  validateList = allowed: builtins.all (x: builtins.elem x allowed);
 in
 {
-  validatePortAttrset = import ./ports.nix { inherit lib; };
+  validatePortAttrset = portmap:
    if ! onlyUniqueItemsInList (lib.flatten (map
      (x:
        if lib.isInt x then x
        else if lib.isList x then x
        else if lib.isAttrs x then
          (
            if ! validateList [ "range" ] (builtins.attrNames x) then builtins.abort "found invalid attribute name"
            else if x ? "range" then if lib.lists.length x.range == 2 then mkRange x.range else builtins.abort "range needs a list with exactly two items"
            else builtins.abort "found invalid attrset"
          )
        else builtins.abort "found invalid entry in portmap"
      )
      (filterPort portmap "udp"))) then builtins.abort "Found duplicate ports."
    else if ! validateList [ "tcp" "udp" ] (protocols portmap) then builtins.abort "Found invalid protocol."
    else portmap;
 }
--- a/custom-utils/ports.nix
+++ b/custom-utils/ports.nix
@ -4,30 +4,30 @@ let
  filterPort = pm: port: (
    lib.attrsets.catAttrs port (
      lib.attrsets.attrValues (
-        lib.attrsets.filterAttrs (_: v: v ? "${port}") pm
+        lib.attrsets.filterAttrs (n: v: v ? "${port}") pm
      )
    )
  );
-  onlyUniqueItemsInList = x: lib.lists.length x == lib.lists.length (lib.lists.unique x);
+  onlyUniqueItemsInList = (x: lib.lists.length x == lib.lists.length (lib.lists.unique x));
-  mkRange = { from, to }: (lib.lists.range from to);
+  protocols = (x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x))));
  mkRange = (x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1));
  validateList = allowed: builtins.all (x: builtins.elem x allowed);
 in
-portmap:
+{
-if builtins.all
+  validatePortAttrset = portmap:
-  (
+    if ! onlyUniqueItemsInList (lib.flatten (map
-    proto:
+      (x:
-    if onlyUniqueItemsInList
+        if lib.isInt x then x
-      (
+        else if lib.isList x then x
-        lib.flatten (
+        else if lib.isAttrs x then
-          map
+          (
-            (x:
+            if ! validateList [ "range" ] (builtins.attrNames x) then builtins.abort "found invalid attribute name"
-            if lib.isInt x then x
+            else if x ? "range" then if lib.lists.length x.range == 2 then mkRange x.range else builtins.abort "range needs a list with exactly two items"
-            else if lib.isList x then x
+            else builtins.abort "found invalid attrset"
-            else if lib.isAttrs x then mkRange x
+          )
-            else builtins.abort "found invalid entry in portmap"
+        else builtins.abort "found invalid entry in portmap"
-            )
+      )
-            (filterPort portmap proto)
+      (filterPort portmap "udp"))) then builtins.abort "Found duplicate ports."
-        )
+    else if ! validateList [ "tcp" "udp" ] (protocols portmap) then builtins.abort "Found invalid protocol."
-      ) then true else builtins.abort "Found duplicate ${proto} ports."
+    else portmap;
-  ) [ "tcp" "udp" ]
+}
 then portmap
 else builtins.abort "Found duplicate ports."
--- a/flake.lock
+++ b/flake.lock
@ -1,91 +1,13 @@
 {
  "nodes": {
    "asterisk-sounds-de": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nix-filter": [
          "nix-filter"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1748284610,
        "narHash": "sha256-B3/OOZC0puXbODupPEbdMA6sJP39MzbMCl4j1HvgNfU=",
        "ref": "refs/heads/main",
        "rev": "6b1c484318727af78a64aee3f46903493dae8259",
        "revCount": 1,
        "type": "git",
        "url": "https://git.jalr.de/jalr/asterisk-sounds-de"
      },
      "original": {
        "type": "git",
        "url": "https://git.jalr.de/jalr/asterisk-sounds-de"
      }
    },
    "bldcSrc": {
      "flake": false,
      "locked": {
        "lastModified": 1733324381,
        "narHash": "sha256-ui9N8QSog1G5zyK7yRrD0Xl+Y2CZhvvhBkaJuQZ2qZw=",
        "owner": "vedderb",
        "repo": "bldc",
        "rev": "a0d40e2c5a42c810888d8c379307e6b0a118a125",
        "type": "github"
      },
      "original": {
        "owner": "vedderb",
        "ref": "release_6_05",
        "repo": "bldc",
        "type": "github"
      }
    },
    "crane": {
      "locked": {
        "lastModified": 1731098351,
        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1762276996,
        "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "disko",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1673956053,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
@ -94,74 +16,16 @@
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730504689,
        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "nur",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1733312601,
        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1731533236,
+        "lastModified": 1694529238,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
@ -170,49 +34,7 @@
        "type": "github"
      }
    },
    "gg-chatmix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1748177977,
        "narHash": "sha256-xC/dOrDrZoQhUfVotj/z14iTwGlE80OqSl9S5zkevdA=",
        "owner": "nilathedragon",
        "repo": "gg-chatmix",
        "rev": "1dadaa51794042c20ddc52d52479e8a156bd235b",
        "type": "github"
      },
      "original": {
        "owner": "nilathedragon",
        "repo": "gg-chatmix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "lanzaboote",
          "pre-commit-hooks-nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "nix-pre-commit-hooks",
@ -220,11 +42,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1709087332,
+        "lastModified": 1660459072,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
        "type": "github"
      },
      "original": {
@ -243,11 +65,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759991118,
+        "lastModified": 1694616124,
-        "narHash": "sha256-pDyrtUQyeP1lVTMIYqJtftzDtsXEZaJjYy9ZQ/SGhL8=",
+        "narHash": "sha256-c49BVhQKw3XDRgt+y+uPAbArtgUlMXCET6VxEBmzHXE=",
        "owner": "nix-community",
        "repo": "gomod2nix",
-        "rev": "7f8d7438f5870eb167abaf2c39eea3d2302019d1",
+        "rev": "f95720e89af6165c8c0aa77f180461fe786f3c21",
        "type": "github"
      },
      "original": {
@ -263,35 +85,20 @@
        ]
      },
      "locked": {
-        "lastModified": 1758463745,
+        "lastModified": 1695108154,
-        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+        "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+        "rev": "07682fff75d41f18327a871088d20af2710d4744",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "impermanence": {
      "locked": {
        "lastModified": 1737831083,
        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
        "owner": "nix-community",
        "repo": "impermanence",
        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "impermanence",
        "type": "github"
      }
    },
    "krops": {
      "inputs": {
        "flake-utils": [
@ -315,146 +122,86 @@
        "type": "github"
      }
    },
    "lanzaboote": {
      "inputs": {
        "crane": "crane",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "nixpkgs": [
          "nixpkgs"
        ],
        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
        "rust-overlay": "rust-overlay"
      },
      "locked": {
        "lastModified": 1737639419,
        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
        "owner": "nix-community",
        "repo": "lanzaboote",
        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "v0.4.2",
        "repo": "lanzaboote",
        "type": "github"
      }
    },
    "nix-filter": {
      "locked": {
        "lastModified": 1757882181,
        "narHash": "sha256-+cCxYIh2UNalTz364p+QYmWHs0P+6wDhiWR4jDIKQIU=",
        "owner": "numtide",
        "repo": "nix-filter",
        "rev": "59c44d1909c72441144b93cf0f054be7fe764de5",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "nix-filter",
        "type": "github"
      }
    },
    "nix-github-actions": {
      "inputs": {
        "nixpkgs": [
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1729742964,
        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "type": "github"
      }
    },
    "nix-pre-commit-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
-        "gitignore": "gitignore_2",
+        "flake-utils": [
-        "nixpkgs": [
+          "flake-utils"
-          "nixpkgs"
+        ],
-        ]
+        "gitignore": "gitignore",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1763319842,
+        "lastModified": 1699271226,
-        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
+        "narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=",
        "owner": "cachix",
-        "repo": "git-hooks.nix",
+        "repo": "pre-commit-hooks.nix",
-        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
+        "rev": "ea758da1a6dcde6dc36db348ed690d09b9864128",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "ref": "master",
-        "repo": "git-hooks.nix",
+        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1762847253,
        "narHash": "sha256-BWWnUUT01lPwCWUvS0p6Px5UOBFeXJ8jR+ZdLX8IbrU=",
        "owner": "nixos",
        "repo": "nixos-hardware",
        "rev": "899dc449bc6428b9ee6b3b8f771ca2b0ef945ab9",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1763334038,
+        "lastModified": 1689261696,
-        "narHash": "sha256-LBVOyaH6NFzQ3X/c6vfMZ9k4SV2ofhpxeL9YnhHNJQQ=",
+        "narHash": "sha256-LzfUtFs9MQRvIoQ3MfgSuipBVMXslMPH/vZ+nM40LkA=",
-        "owner": "nixos",
+        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4c8cdd5b1a630e8f72c9dd9bf582b1afb3127d2c",
+        "rev": "df1eee2aa65052a18121ed4971081576b25d6b5c",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1730741070,
+        "lastModified": 1685801374,
-        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
        "lastModified": 1699110214,
        "narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgsMaster": {
      "locked": {
-        "lastModified": 1763473525,
+        "lastModified": 1699437456,
-        "narHash": "sha256-NzmsN8hRIn/9rJvZH3vPirBrOJJfeSfvPr4+feeK7LY=",
+        "narHash": "sha256-nYPKALWauhG5WvGhx7whUCNFTeLZEtchEre+3Mze4eI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "15901670689a6f338ebd2a9436b947ec189463a3",
+        "rev": "e556bb0b675a849371645b6b79eccd4130744967",
        "type": "github"
      },
      "original": {
@ -464,65 +211,29 @@
        "type": "github"
      }
    },
    "nixpkgsOld": {
      "locked": {
        "lastModified": 1748037224,
        "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "f09dede81861f3a83f7f06641ead34f02f37597f",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1763283776,
+        "lastModified": 1699291058,
-        "narHash": "sha256-Y7TDFPK4GlqrKrivOcsHG8xSGqQx3A6c+i7novT85Uk=",
+        "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "50a96edd8d0db6cc8db57dab6bb6d6ee1f3dc49a",
+        "rev": "41de143fda10e33be0f47eab2bfe08a50f234267",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1735554305,
        "narHash": "sha256-zExSA1i/b+1NMRhGGLtNfFGXgLtgo+dcuzHzaWA6w3Q=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "0e82ab234249d8eee3e8c91437802b32c74bb3fd",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nur": {
      "inputs": {
        "flake-parts": "flake-parts_2",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1763471545,
+        "lastModified": 1699435759,
-        "narHash": "sha256-B1ua1UtkPuMwT8o4nOR7yNP5yz10usMcNnxwHpGtLck=",
+        "narHash": "sha256-K1G+UfpvvWFSbHdWtCOTI1MCK4ivQpu/bz9DWB66SJc=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "4c584dcedf9aa3394e9730e62693515a0e47674b",
+        "rev": "9249f2baa49a8ba139eb084128e092073ed88c4e",
        "type": "github"
      },
      "original": {
@ -531,114 +242,32 @@
        "type": "github"
      }
    },
    "poetry2nix": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nix-github-actions": "nix-github-actions",
        "nixpkgs": [
          "nixpkgs"
        ],
        "systems": "systems_2",
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
        "lastModified": 1743690424,
        "narHash": "sha256-cX98bUuKuihOaRp8dNV1Mq7u6/CQZWTPth2IJPATBXc=",
        "owner": "nix-community",
        "repo": "poetry2nix",
        "rev": "ce2369db77f45688172384bbeb962bc6c2ea6f94",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "poetry2nix",
        "type": "github"
      }
    },
    "pre-commit-hooks-nix": {
      "inputs": {
        "flake-compat": [
          "lanzaboote",
          "flake-compat"
        ],
        "gitignore": "gitignore",
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1731363552,
        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "asterisk-sounds-de": "asterisk-sounds-de",
        "disko": "disko",
        "flake-utils": "flake-utils",
        "gg-chatmix": "gg-chatmix",
        "gomod2nix": "gomod2nix",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
        "krops": "krops",
        "lanzaboote": "lanzaboote",
        "nix-filter": "nix-filter",
        "nix-pre-commit-hooks": "nix-pre-commit-hooks",
-        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs": "nixpkgs",
        "nixpkgsMaster": "nixpkgsMaster",
        "nur": "nur",
-        "poetry2nix": "poetry2nix",
+        "sops-nix": "sops-nix"
        "sops-nix": "sops-nix",
        "vesc-tool": "vesc-tool"
      }
    },
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731897198,
        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ]
+        ],
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1763417348,
+        "lastModified": 1699311858,
-        "narHash": "sha256-n5xDOeNN+smocQp3EMIc11IzBlR9wvvTIJZeL0g33Fs=",
+        "narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "3f66a7fb9626a9a9c077612ef10a0ce396286c7d",
+        "rev": "664187539871f63857bda2d498f452792457b998",
        "type": "github"
      },
      "original": {
@ -661,87 +290,6 @@
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730120726,
        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
        "lastModified": 1744961264,
        "narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "8d404a69efe76146368885110f29a2ca3700bee6",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "vesc-tool": {
      "inputs": {
        "bldcSrc": "bldcSrc",
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgsOld": "nixpkgsOld",
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
        "lastModified": 1762968599,
        "narHash": "sha256-j+AZQYOuZ0X33p76LsZu4/NZl1Ccu6kkwPKC5HpIn1Y=",
        "owner": "vedderb",
        "repo": "vesc_tool",
        "rev": "6a75051ce9742d97f14addd5d175ac516effb3c6",
        "type": "github"
      },
      "original": {
        "owner": "vedderb",
        "ref": "master",
        "repo": "vesc_tool",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -1,88 +1,52 @@
 {
  inputs = {
    disko.inputs.nixpkgs.follows = "nixpkgs";
    disko.url = "github:nix-community/disko";
    flake-utils.url = "github:numtide/flake-utils";
-
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
    nix-filter.url = "github:numtide/nix-filter";
    gg-chatmix = {
      url = "github:nilathedragon/gg-chatmix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    gomod2nix = {
      url = "github:nix-community/gomod2nix";
      inputs.flake-utils.follows = "flake-utils";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager = {
      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence.url = "github:nix-community/impermanence";
    krops = {
      url = "github:Mic92/krops";
      inputs.flake-utils.follows = "flake-utils";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lanzaboote = {
      url = "github:nix-community/lanzaboote/v0.4.2";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-pre-commit-hooks = {
      url = "github:cachix/git-hooks.nix/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-hardware.url = "github:nixos/nixos-hardware/master";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
    nixpkgsMaster.url = "github:NixOS/nixpkgs/master";
    nur.url = "github:nix-community/NUR";
-    poetry2nix = {
+    home-manager = {
-      url = "github:nix-community/poetry2nix";
+      url = "github:nix-community/home-manager/release-23.05";
      inputs.flake-utils.follows = "flake-utils";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-pre-commit-hooks = {
      url = "github:cachix/pre-commit-hooks.nix/master";
      inputs.flake-utils.follows = "flake-utils";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    asterisk-sounds-de = {
+    krops = {
-      url = "git+https://git.jalr.de/jalr/asterisk-sounds-de";
+      url = "github:Mic92/krops";
      inputs = {
        flake-utils.follows = "flake-utils";
        nix-filter.follows = "nix-filter";
        nixpkgs.follows = "nixpkgs";
      };
    };
-    vesc-tool = {
+    gomod2nix = {
-      url = "github:vedderb/vesc_tool/master";
+      url = "github:nix-community/gomod2nix";
-      inputs.flake-utils.follows = "flake-utils";
+      inputs = {
-      inputs.nixpkgs.follows = "nixpkgs";
+        flake-utils.follows = "flake-utils";
        nixpkgs.follows = "nixpkgs";
      };
    };
  };
  outputs =
    { self
    , flake-utils
    , home-manager
    , krops
    , nix-pre-commit-hooks
    , nixpkgs
    , flake-utils
    , krops
    , gomod2nix
    , home-manager
    , nur
    , nix-pre-commit-hooks
    , ...
    }@inputs: flake-utils.lib.eachSystem [
      "x86_64-linux"
@ -98,26 +62,20 @@
            src = self;
            hooks = {
              black.enable = true;
              deadnix.enable = true;
              nixpkgs-fmt.enable = true;
              shellcheck.enable = true;
              statix = {
                enable = true;
                settings.ignore = [ ".direnv" ];
              };
            };
            excludes = [ ".envrc" ];
          };
        };
        devShells.default = pkgs.mkShell {
-          buildInputs = with pkgs; [
+          buildInputs = (with pkgs; [
            black
            just
            nixpkgs-fmt
            shellcheck
            sops
            ssh-to-age
-          ];
+          ]);
          shellHook = ''
            ${self.checks.${system}.pre-commit-check.shellHook}
@ -125,7 +83,7 @@
        };
        apps = lib.mapAttrs
-          (_: program: { type = "app"; program = toString program; })
+          (name: program: { type = "app"; program = toString program; })
          (flake-utils.lib.flattenTree {
            deploy = lib.recurseIntoAttrs (lib.mapAttrs
              (hostname: machine:
@ -149,7 +107,6 @@
                  command = targetPath: ''
                    nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
                  '';
                  force = true;
                }
              )
              self.nixosConfigurations);
@ -184,67 +141,42 @@
                   , extraModules ? [ ]
                   , targetHost ? hostname
                   , nixpkgs ? inputs.nixpkgs
-                   }: nixpkgs.lib.nixosSystem {
+                   }: nixpkgs.lib.nixosSystem rec {
          inherit system;
          specialArgs = { inherit self system; };
-          modules =
+          modules = [
-            let
+            (./hosts + "/${hostname}/configuration.nix")
              hostDir = ./hosts + "/${hostname}";
            in
            [
              (hostDir + "/configuration.nix")
-              ./modules
+            ./modules
-              {
+            {
-                _module.args = {
+              _module.args = {
-                  inherit inputs;
+                inputs = inputs;
-                  custom-utils = import ./custom-utils { inherit (nixpkgs) lib; };
+                custom-utils = import ./custom-utils { lib = nixpkgs.lib; };
              };
            }
            # deployment settings
            ({ lib, ... }: {
              options.deployment = {
                targetHost = lib.mkOption {
                  type = lib.types.str;
                  readOnly = true;
                  internal = true;
                };
-              }
+              };
-
+              config.deployment = {
-              # deployment settings
+                inherit targetHost;
-              ({ lib, ... }: {
+              };
-                options.deployment = {
+            })
-                  targetHost = lib.mkOption {
+          ] ++ [{
-                    type = lib.types.str;
+            nixpkgs.overlays = [ nur.overlay ];
-                    readOnly = true;
+          }] ++ [
-                    internal = true;
+            home-manager.nixosModules.home-manager
-                  };
+          ] ++ (with inputs; [
-                };
+            sops-nix.nixosModules.sops
-                config.deployment = {
+          ]) ++ extraModules;
                  inherit targetHost;
                };
              })
              # sops settings
              ({ lib, config, pkgs, ... }:
                {
                  sops.defaultSopsFile = hostDir + "/secrets.yaml";
                  sops.secrets =
                    let
                      secretFile = config.sops.defaultSopsFile;
                      getSecrets = file: builtins.fromJSON (builtins.readFile (pkgs.runCommandNoCC "secretKeys" { } ''${pkgs.yq-go}/bin/yq -o json '[del .sops | .. | select(tag != "!!seq" and tag != "!!map") | path | join("/")]' ${file} > $out''));
                      secretNames = getSecrets secretFile;
                      secrets =
                        if builtins.pathExists secretFile then
                          lib.listToAttrs (builtins.map (name: lib.nameValuePair name { }) secretNames)
                        else
                          { };
                    in
                    secrets;
                })
            ] ++ [
              { nixpkgs.overlays = [ nur.overlays.default inputs.vesc-tool.overlays.default ]; }
              home-manager.nixosModules.home-manager
              inputs.asterisk-sounds-de.nixosModules.default
              inputs.disko.nixosModules.disko
              inputs.impermanence.nixosModules.impermanence
              inputs.lanzaboote.nixosModules.lanzaboote
              inputs.sops-nix.nixosModules.sops
              inputs.gg-chatmix.nixosModule
            ] ++ extraModules;
        })
        (import ./hosts inputs);
    };
--- a/home-manager/README.md
+++ b/home-manager/README.md
@ -0,0 +1,2 @@
 # Documentation
 [Home Manager Manual](https://rycee.gitlab.io/home-manager/)
--- a/home-manager/modules/alacritty.nix
+++ b/home-manager/modules/alacritty.nix
@ -0,0 +1,174 @@
 { lib, pkgs, nixosConfig, ... }:
 let
  solarized = import ./solarized.nix;
  #nixosConfig.jalr.terminalEmulator.command = pkgs.writeShellScriptBin "alacritty-sway-cwd" ''
  #  this_alacritty_pid="$(swaymsg -t get_tree | ${pkgs.jq} -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
  #  if [ "$this_alacritty_pid" ]; then
  #      child_pid="$(pgrep -P "$this_alacritty_pid")"
  #      cwd="$(readlink /proc/$child_pid/cwd)"
  #  fi
  #  if [ -e "$cwd" ]; then
  #      exec ${pkgs.alacritty} --working-directory "$cwd"
  #  fi
  #  exec alacritty
  #'';
  colorschemes = {
    # https://github.com/alacritty/alacritty/wiki/Color-schemes#solarized
    solarized-dark = {
      # Default colors
      primary = {
        background = solarized.base03.hex;
        foreground = solarized.base0.hex;
      };
      # Cursor colors
      cursor = {
        text = solarized.base03.hex;
        cursor = solarized.base0.hex;
      };
      # Normal colors
      normal = {
        black = solarized.base02.hex;
        red = solarized.red.hex;
        green = solarized.green.hex;
        yellow = solarized.yellow.hex;
        blue = solarized.blue.hex;
        magenta = solarized.magenta.hex;
        cyan = solarized.cyan.hex;
        white = solarized.base2.hex;
      };
      # Bright colors
      bright = {
        black = solarized.base03.hex;
        red = solarized.orange.hex;
        green = solarized.base01.hex;
        yellow = solarized.base00.hex;
        blue = solarized.base0.hex;
        magenta = solarized.violet.hex;
        cyan = solarized.base1.hex;
        white = solarized.base3.hex;
      };
    };
    solarized-light = {
      # Default colors
      primary = {
        background = solarized.base3.hex;
        foreground = solarized.base00.hex;
      };
      # Cursor colors
      cursor = {
        text = solarized.base3.hex;
        cursor = solarized.base00.hex;
      };
      # Normal colors
      normal = {
        black = solarized.base02.hex;
        red = solarized.red.hex;
        green = solarized.green.hex;
        yellow = solarized.yellow.hex;
        blue = solarized.blue.hex;
        magenta = solarized.magenta.hex;
        cyan = solarized.cyan.hex;
        white = solarized.base2.hex;
      };
      # Bright colors
      bright = {
        black = solarized.base03.hex;
        red = solarized.orange.hex;
        green = solarized.base01.hex;
        yellow = solarized.base00.hex;
        blue = solarized.base0.hex;
        magenta = solarized.violet.hex;
        cyan = solarized.base1.hex;
        white = solarized.base3.hex;
      };
    };
  };
  commonSettings = {
    font = {
      normal = {
        family = "Inconsolata for Powerline";
        style = "Regular";
      };
      size = 12;
    };
    mouse.hide_when_typing = true;
    key_bindings = [
      {
        key = "F1";
        mods = "Control";
        action = "DecreaseFontSize";
      }
      {
        key = "F2";
        mods = "Control";
        action = "IncreaseFontSize";
      }
    ];
    bell = {
      duration = 100;
      color = "#000000";
    };
    window.dynamic_title = true;
    scrolling.history = 100000;
    window.opacity = 0.95;
  };
  settings = {
    dark = commonSettings // {
      colors = colorschemes.solarized-dark;
    };
    light = commonSettings // {
      colors = colorschemes.solarized-light;
    };
  };
 in
 {
  programs.alacritty = {
    enable = nixosConfig.jalr.gui.enable;
  };
  # The option `home-manager.users.jalr.xdg.configFile.dark.alacritty/alacritty-dark.yml' does not exist
  /*
    xdg.configFile = builtins.mapAttrs (colorScheme: cfg: {
    "alacritty/alacritty-${colorScheme}.yml" = lib.replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg);
    }) settings;
  */
  xdg.configFile = lib.attrsets.mapAttrs'
    (colorScheme: cfg: lib.attrsets.nameValuePair "alacritty/alacritty-${colorScheme}.yml" {
      text = lib.replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg);
    })
    settings;
  programs.fish.functions = {
    ssh = {
      description = "ssh wrapper function";
      wraps = "ssh";
      body = ''
        if [ "$TERM" = alacritty ]
            TERM=xterm-256color command ssh $argv
        else
            command ssh $argv
        end
      '';
    };
  };
 }
--- a/home-manager/modules/aws.nix
+++ b/home-manager/modules/aws.nix
@ -1,7 +1,7 @@
-{ nixosConfig, lib, config, ... }:
+{ nixosConfig, lib, pkgs, config, ... }:
 let
-  inherit (config) xdg;
+  xdg = config.xdg;
 in
 {
  config = lib.mkIf nixosConfig.jalr.aws.enable {
@ -17,7 +17,7 @@ in
    xdg.configFile."aws/config".text = lib.generators.toINI { } (
      lib.mapAttrs'
        (name: value:
-          lib.attrsets.nameValuePair "profile ${name}" value
+          lib.attrsets.nameValuePair ("profile ${name}") (value)
        )
        nixosConfig.jalr.aws.accounts
      //
--- a/home-manager/modules/claws-mail.nix
+++ b/home-manager/modules/claws-mail.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
-    roomeqwizard
+    claws-mail
  ];
 }
--- a/home-manager/modules/cli.nix
+++ b/home-manager/modules/cli.nix
@ -0,0 +1,21 @@
 { nixosConfig, lib, pkgs, ... }:
 {
  home.packages = with pkgs; [
    cached-nix-shell
    file
    htop
    inetutils
    jq
    lsof
    ncdu
    ripgrep
  ] ++ (if ! nixosConfig.jalr.workstation.enable then [ ] else [
    direnv
    dnsutils
    screen
    speedtest-cli
    usbutils
    wget
    yt-dlp
  ]);
 }
--- a/home-manager/modules/communication/default.nix
+++ b/home-manager/modules/communication/default.nix
@ -0,0 +1,10 @@
 { nixosConfig, ... }:
 {
  imports = [
    ./ferdium.nix
    ./mumble.nix
    ./qtox.nix
    ./telegram-desktop.nix
  ];
 }
--- a/home-manager/modules/communication/ferdium.nix
+++ b/home-manager/modules/communication/ferdium.nix
@ -0,0 +1,7 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.tradebyte.enable {
  home.packages = with pkgs; [
    master.ferdium
  ];
 }
--- a/home-manager/modules/communication/mumble.nix
+++ b/home-manager/modules/communication/mumble.nix
--- a/home-manager/modules/communication/qtox.nix
+++ b/home-manager/modules/communication/qtox.nix
@ -2,6 +2,6 @@
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
-    ksoloti
+    qtox
  ];
 }
--- a/home-manager/modules/communication/telegram-desktop.nix
+++ b/home-manager/modules/communication/telegram-desktop.nix
@ -2,6 +2,6 @@
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
-    prusa-slicer
+    tdesktop
  ];
 }
--- a/home-manager/modules/default.nix
+++ b/home-manager/modules/default.nix
@ -0,0 +1,39 @@
 { nixosConfig, ... }:
 {
  imports = [
    ./${nixosConfig.jalr.terminalEmulator}.nix
    ./aws.nix
    ./claws-mail.nix
    ./cli.nix
    ./communication
    ./direnv.nix
    ./dynamic-colors.nix
    ./firefox
    ./fish.nix
    ./fpv.nix
    ./git.nix
    ./gnuradio.nix
    ./graphics
    ./gui.nix
    ./jameica.nix
    ./kicad.nix
    ./mpv.nix
    ./mute-indicator.nix
    ./neo.nix
    ./neovim.nix
    ./obs-studio
    ./openscad.nix
    ./pass.nix
    ./pcmanfm.nix
    ./python.nix
    ./sound
    ./sway
    ./terraform.nix
    ./tmux.nix
    ./tor-browser.nix
    ./vdirsyncer.nix
  ];
  programs.nix-index.enable = true;
 }
--- a/home-manager/modules/direnv.nix
+++ b/home-manager/modules/direnv.nix
--- a/home-manager/modules/dynamic-colors.nix
+++ b/home-manager/modules/dynamic-colors.nix
@ -0,0 +1,21 @@
 { nixosConfig, lib, pkgs, ... }:
 let
  dynamic-colors = pkgs.writeShellScriptBin "dynamic-colors" /* bash */ ''
    case "''$1" in
      light|dark)
        if [ -e "''$HOME/.config/alacritty/alacritty-''$1.yml" ]; then
          ln -sf "''$HOME/.config/alacritty/alacritty-''$1.yml" "$HOME/.config/alacritty/alacritty.yml"
        fi
      ;;
      *)
        echo "unknown command ''$1" >&2
        exit 1
    esac
  '';
 in
 {
  home.packages = [
    dynamic-colors
  ];
 }
--- a/home-manager/modules/firefox/default.nix
+++ b/home-manager/modules/firefox/default.nix
@ -0,0 +1,102 @@
 { nixosConfig, pkgs, ... }:
 {
  programs.firefox = {
    enable = nixosConfig.jalr.gui.enable;
    package = pkgs.firefox-esr;
    profiles = {
      default = {
        extensions = with pkgs.nur.repos.rycee.firefox-addons; [
          tree-style-tab
          ublock-origin
          umatrix
          violentmonkey
        ];
        settings = {
          #"browser.startup.homepage" = "https://nixos.org";
          #"browser.search.region" = "GB";
          #"browser.search.isUS" = false;
          #"distribution.searchplugins.defaultLocale" = "en-GB";
          #"general.useragent.locale" = "en-GB";
          #"browser.bookmarks.showMobileBookmarks" = true;
          "app.normandy.enabled" = false;
          "app.shield.optoutstudies.enabled" = false;
          "app.update.auto" = false;
          "browser.ctrlTab.sortByRecentlyUsed" = true;
          "browser.fixup.alternate.enabled" = false;
          "browser.formfill.enable" = false;
          "browser.link.open_newwindow.restriction" = 0;
          "browser.newtabpage.enabled" = false;
          "browser.ping-centre.telemetry" = false;
          "browser.safebrowsing.downloads.enabled" = false;
          "browser.safebrowsing.downloads.remote.block_dangerous" = false;
          "browser.safebrowsing.downloads.remote.block_dangerous_host" = false;
          "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = false;
          "browser.safebrowsing.downloads.remote.block_uncommon" = false;
          "browser.safebrowsing.downloads.remote.enabled" = false;
          "browser.safebrowsing.downloads.remote.url" = "";
          "browser.safebrowsing.malware.enabled" = false;
          "browser.safebrowsing.phishing.enabled" = false;
          "browser.safebrowsing.provider.google.advisoryURL" = "";
          "browser.safebrowsing.provider.google.gethashURL" = "";
          "browser.safebrowsing.provider.google.lists" = "";
          "browser.safebrowsing.provider.google.reportMalwareMistakeURL" = "";
          "browser.safebrowsing.provider.google.reportPhishMistakeURL" = "";
          "browser.safebrowsing.provider.google.reportURL" = "";
          "browser.safebrowsing.provider.google.updateURL" = "";
          "browser.safebrowsing.provider.google4.advisoryURL" = "";
          "browser.safebrowsing.provider.google4.dataSharingURL" = "";
          "browser.safebrowsing.provider.google4.gethashURL" = "";
          "browser.safebrowsing.provider.google4.lists" = "";
          "browser.safebrowsing.provider.google4.reportMalwareMistakeURL" = "";
          "browser.safebrowsing.provider.google4.reportPhishMistakeURL" = "";
          "browser.safebrowsing.provider.google4.reportURL" = "";
          "browser.safebrowsing.provider.google4.updateURL" = "";
          "browser.safebrowsing.provider.mozilla.gethashURL" = "";
          "browser.safebrowsing.provider.mozilla.lists" = "";
          "browser.safebrowsing.provider.mozilla.updateURL" = "";
          "browser.search.suggest.enabled" = false;
          "browser.search.widget.inNavBar" = true;
          "browser.startup.page" = 0;
          "extensions.pocket.enabled" = false;
          "extensions.update.enabled" = false;
          "identity.fxaccounts.enabled" = false;
          "keyword.enabled" = false;
          "network.captive-portal-service.enabled" = false;
          "network.predictor.enabled" = false;
          "privacy.donottrackheader.enabled" = true;
          "startup.homepage_welcome_url" = about:blank;
          "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
          "toolkit.telemetry.archive.enabled" = false;
          "toolkit.telemetry.bhrPing.enabled" = false;
          "toolkit.telemetry.firstShutdownPing.enabled" = false;
          "toolkit.telemetry.newProfilePing.enabled" = false;
          "toolkit.telemetry.server" = http://127.0.0.1:4711;
          "toolkit.telemetry.server_owner" = "";
          "toolkit.telemetry.shutdownPingSender.enabled" = false;
          "toolkit.telemetry.updatePing.enabled" = false;
          "urlclassifier.downloadAllowTable" = "";
          "urlclassifier.downloadBlockTable" = "";
          "urlclassifier.malwareTable" = "";
          "urlclassifier.phishTable" = "";
          "datareporting.healthreport.uploadEnabled" = "";
          "app.normandy.api_url" = "";
          "breakpad.reportURL" = "";
          "browser.region.network.url" = "";
          "browser.search.geoSpecificDefaults.url" = "";
          "browser.shell.checkDefaultBrowser" = false;
          "privacy.userContext.enabled" = true;
          "privacy.userContext.ui.enabled" = true;
          "network.dnsCacheExpiration" = 0;
          # disable disk cache to reduce ssd writes
          "browser.cache.disk.enable" = false;
          "browser.cache.memory.enable" = true;
          "browser.cache.memory.capacity" = -1;
        };
        userChrome = builtins.readFile ./userChrome.css;
      };
    };
  };
 }
--- a/home-manager/modules/firefox/userChrome.css
+++ b/home-manager/modules/firefox/userChrome.css
@ -218,28 +218,4 @@ url(chrome://browser/content/browser.xhtml) {
    }
    /*** End of: Megabar Styler One-Offs ***/
    /* Hide "Firefox Suggest" in location bar search results */
    .urlbarView-row[label="Firefox Suggest"]::before {
        display: none !important
    }
    .urlbarView-row[label] {
        margin-block-start: 4px !important;
    }
    /* Hide search button in location bar */
    #identity-box[pageproxystate=invalid] > .identity-box-button,
    .searchbar-search-button {
        display: none
    }
    /* Hide search placeholder in location bar */
    #urlbar-input::placeholder {
        color: transparent;
    }
    /* Hide back & forward buttons */
    toolbarbutton#back-button, toolbarbutton#forward-button {
        display: none;
    }
 }
--- a/home-manager/modules/fish.nix
+++ b/home-manager/modules/fish.nix
@ -0,0 +1,201 @@
 { config, pkgs, ... }:
 {
  home.packages = with pkgs; [
    fzf
  ];
  programs.fish = {
    enable = true;
    plugins = [
      {
        name = "theme-agnoster";
        src = pkgs.fetchFromGitHub {
          owner = "oh-my-fish";
          repo = "theme-agnoster";
          rev = "c142e802983bd1b34b4d91efac2126fc5913126d";
          sha256 = "0PLx626BWoBp/L6wgkB4o+53q8PymiEE/rTu2mfzHhg=";
          fetchSubmodules = true;
        };
      }
      {
        name = "fzf";
        src = pkgs.fetchFromGitHub {
          owner = "jethrokuan";
          repo = "fzf";
          rev = "479fa67d7439b23095e01b64987ae79a91a4e283";
          sha256 = "0k6l21j192hrhy95092dm8029p52aakvzis7jiw48wnbckyidi6v";
          fetchSubmodules = true;
        };
      }
    ];
    shellAliases = {
      ls = "ls --color=auto";
      crontab = "crontab -i";
    };
    shellAbbrs = {
      lessr = "less -R";
      jqc = "jq -C";
    };
    #interactiveShellInit = ''
    #  echo "programs.fish.interactiveShellInit"
    #'';
    shellInit = ''
      # key bindings
      bind \cr '__fzf_reverse_isearch'
      # PATH
      set -U fish_user_paths $HOME/.local/bin $HOME/.local/bin/pio
      # pass
      #set -x PASSWORD_STORE_ENABLE_EXTENSIONS true
      set -x AWS_VAULT_BACKEND pass
      set -x AWS_VAULT_PASS_PREFIX aws
      complete -c pw --no-files -a '(__fish_pass_print_entries)'
      # colors
      set -x GCC_COLORS 'error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
      abbr --add v vim
      #alias cal='ncal -b -M'
      alias myip='dig +short myip.opendns.com @resolver1.opendns.com'
      function hm -d 'merge history and delete failed commands'
          history --merge
          if test -z "$fish_private_mode" && test -e "$__fish_user_data_dir/successful_commands" && test -e "$__fish_user_data_dir/failed_commands"
              while read line;
                  if ! grep -qFx $line "$__fish_user_data_dir/successful_commands"
                      set hist_command (echo $line | base64 -d)
                      echo "deleting command: $hist_command"
                      echo "."
                      history delete --exact --case-sensitive $hist_command
                  end
              end < "$__fish_user_data_dir/failed_commands"
              echo -n > "$__fish_user_data_dir/successful_commands"
              echo -n > "$__fish_user_data_dir/failed_commands"
          end
      end
      hm
      # fancy tools
      if which exa > /dev/null 2>&1
          alias l=exa
          alias ll='exa -l --time-style=long-iso --git'
          alias la='exa -la --time-style=long-iso --git'
          alias tree='exa --tree'
          alias llt='exa -s modified -l'
      else
          alias l=ls
          alias ll='ls -l'
          alias la='ls -la'
          alias llt='ls -trl'
      end
      if which rg > /dev/null 2>&1
          alias g=rg
          complete -c g -w rg
      else if which ag > /dev/null 2>&1
          alias g=ag
          complete -c g -w ag
      else
          alias g='grep --color=auto'
          complete -c g -w grep
      end
      function jqless -d 'jq -C [args] | less -R'
          jq -C $argv | less -R
      end
      # NixOS direnv
      if which direnv > /dev/null
          eval (direnv hook fish)
      end
      function __cut_commandline -d 'cut commandline and paste it later'
          set -g commandline_buffer (commandline)
          commandline ""
      end
      function __postexec --on-event fish_postexec
          if test $status -ne 0
              if test -z "$hist_cmd"
                  if test -z "$fish_private_mode"
                      echo $argv[1] | base64 >> "$__fish_user_data_dir/failed_commands"
                  end
              end
          else
              if test -z "$fish_private_mode"
                  echo $argv[1] | base64 >> "$__fish_user_data_dir/successful_commands"
              end
              commandline $commandline_buffer
              set -e commandline_buffer
          end
      end
      function dirh-nocolor --description "Print the current directory history (the prev and next lists)"
          set -l options h/help
          argparse -n dirh --max-args=0 $options -- $argv
          or return
          if set -q _flag_help
              __fish_print_help dirh
              return 0
          end
          set -l dirc (count $dirprev)
          if test $dirc -gt 0
              set -l dirprev_rev $dirprev[-1..1]
              # This can't be (seq $dirc -1 1) because of BSD.
              set -l dirnum (seq 1 $dirc)
              for i in $dirnum[-1..1]
                  printf '%s\n' $dirprev_rev[$i]
              end
          end
          echo $PWD
          set -l dirc (count $dirnext)
          if test $dirc -gt 0
              set -l dirnext_rev $dirnext[-1..1]
              for i in (seq $dirc)
                  printf '%s\n' $dirnext_rev[$i]
              end
          end
      end
      function dirh-fzf -d 'directory history fuzzy finder'
          builtin cd (dirh-nocolor | uniq | fzf)
      end
      bind \ed 'dirh-fzf'
    '';
  };
  xdg.configFile."fish/completions/mycli.fish".text = ''
    complete -e -c mycli
    complete -c mycli -f -s h -l host     -d "Host address of the database."
    complete -c mycli -f -s P -l port     -d "Port number to use for connection."
    complete -c mycli -f -s u -l user     -d "User name to connect to the database."
    complete -c mycli -f -s S -l socket   -d "The socket file to use for connection."
    complete -c mycli -f -s p -l pass \
                              -l password -d "Password to connect to the database."
    complete -c mycli -f -s V -l version  -d "Output mycli's version."
    complete -c mycli -f -s v -l verbose  -d "Verbose output."
    complete -c mycli -f -s d -l dsn      -d "Use DSN configured into the [alias_dsn] section of myclirc file."
    complete -c mycli -f      -l list-dsn -d "list of DSN configured into the [alias_dsn] section of myclirc file."
    complete -c mycli -f -s t -l table    -d "Display batch output in table format."
    complete -c mycli -f      -l csv      -d "Display batch output in CSV format."
    complete -c mycli -f      -l warn \
                              -l no-warn  -d "Warn before running a destructive query."
    complete -c mycli -f -s e -l execute  -d "Execute command and quit."
    complete -c mycli -f -s h -l host -r -a '(__fish_print_hostnames)'
    complete -c mycli -f -s d -l dsn -r -a '(mycli --list-dsn)'
  '';
 }
--- a/home-manager/modules/fpv.nix
+++ b/home-manager/modules/fpv.nix
@ -2,7 +2,7 @@
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
-    betaflight-configurator
+    master.betaflight-configurator
    fpvout
  ];
 }
--- a/home-manager/modules/git.nix
+++ b/home-manager/modules/git.nix
@ -1,59 +1,29 @@
-{ pkgs, ... }:
+{ nixosConfig, pkgs, ... }:
-let
+
  identity.DigitalerDienst = {
    name = "Jakob Lechner";
    email = "j.lechner@digitaler-dienst.gmbh";
  };
 in
 {
  programs = {
    git = {
      enable = true;
-      userName = "Jakob Lechner";
+      userName = nixosConfig.jalr.git.user.name;
-      userEmail = "mail@jalr.de";
+      userEmail = nixosConfig.jalr.git.user.email;
      signing = {
-        key = "3044E71E3DEFF49B586CF5809BF4FCCB90854DA9";
+        key = nixosConfig.jalr.gpg.defaultKey;
-        signByDefault = false;
+        signByDefault = nixosConfig.jalr.git.signByDefault;
      };
      diff-so-fancy = {
        enable = true;
        markEmptyLines = false;
      };
      extraConfig = {
        init.defaultBranch = "main";
        core.pager = "${pkgs.diff-so-fancy}/bin/diff-so-fancy | less --tabs=4 -RFX";
        diff.sops.textconv = "${pkgs.sops}/bin/sops -d";
        pull.ff = "only";
        alias.find-merge = "!sh -c 'commit=$0 && branch=\${1:-HEAD} && (git rev-list $commit..$branch --ancestry-path | cat -n; git rev-list $commit..$branch --first-parent | cat -n) | sort -k2 -s | uniq -f1 -d | sort -n | tail -1 | cut -f2'";
        alias.show-merge = "!sh -c 'merge=$(git find-merge $0 $1) && [ -n \"$merge\" ] && git show $merge'";
        color = {
          ui = true;
          meta = "11";
          frag = "magenta bold";
          func = "146 bold";
          commit = "yellow bold";
          old = "red bold";
          new = "green bold";
          whitespace = "red reverse";
          diff-highlight = {
            oldNormal = "red bold";
            oldHighlight = "red bold 52";
            newNormal = "green bold";
            newHighlight = "green bold 22";
          };
        };
      };
      lfs.enable = true;
    };
    lazygit = {
      enable = true;
      settings = {
        gui.scrollHeight = 8;
      };
    };
    fish = {
      shellAbbrs = {
        ga = "git add";
-        gam = "git commit --amend --no-edit";
+        gam = "git commit --amend";
        gap = "git add --patch";
        gb = "git branch";
        gbd = "git branch --delete";
@ -66,10 +36,12 @@ in
        gd = "git diff";
        gdc = "git diff --cached";
        gf = "git fetch";
        ginit = "git init";
        gl = "git log";
-        gpll = "git pull --rebase";
+        gpll = "git pull";
        gpsh = "git push";
        grb = "git rebase --autostash";
        grbi = "git rebase --autostash --interactive --autosquash refs/remotes/origin/HEAD";
        gr = "git restore";
        grs = "git restore --staged";
        grst = "git reset";
@ -84,7 +56,6 @@ in
        gswc = "git switch -c";
        gwl = "git worktree list";
        gwr = "git worktree remove";
        lg = "lazygit";
      };
      functions = {
        #function gwa -d 'git worktree add'
@ -125,28 +96,19 @@ in
            end
          '';
        };
-        git_pick-commit = {
+        git_pick-commit_merge-base_origin = {
          description = "fuzzy find a commit hash";
          body = ''
-            git log --decorate --oneline --color=always \
+            git log --oneline refs/remotes/origin/HEAD..HEAD | ${pkgs.fzf}/bin/fzf --preview='git show (echo {} | cut -d" " -f 1)' --preview-window=top:75% | cut -d" " -f 1
              | ${pkgs.fzf}/bin/fzf --ansi --preview='git show --color=always (echo {} | cut -d" " -f 1)' --preview-window=top:75% \
              | cut -d" " -f 1
          '';
        };
        gfix = {
          description = "git commit --fixup with fuzzy find commmit picker";
          body = ''
-            set commit (git_pick-commit)
+            set commit (git_pick-commit_merge-base_origin)
            commandline "git commit --fixup=$commit"
          '';
        };
        gi = {
          description = "git interactive rebase with fuzzy find commmit picker";
          body = ''
            set commit (git_pick-commit)
            commandline "git rebase --autostash --interactive --autosquash $commit"
          '';
        };
        ".g" = {
          description = "change directory to repository root";
          body = ''
@ -189,23 +151,10 @@ in
            end
          '';
        };
        "fish_set_git_author_by_pwd" = {
          description = "Set Git identity by PWD";
          body = ''
            if string match -n $HOME'/digitaler-dienst/*' $PWD/ > /dev/null
              if git rev-parse --git-dir >/dev/null 2>&1
                git config --local user.name >/dev/null || git config --local user.name "${identity.DigitalerDienst.name}"
                git config --local user.email >/dev/null || git config --local user.email "${identity.DigitalerDienst.email}"
              end
            end
          '';
          onVariable = "PWD";
        };
      };
    };
  };
  home.packages = with pkgs; [
    git-crypt
    tig
  ];
 }
--- a/home-manager/modules/gnuradio.nix
+++ b/home-manager/modules/gnuradio.nix
@ -1,13 +1,13 @@
 { nixosConfig, lib, pkgs, ... }:
 let
-  gnuradioEnv = pkgs.gnuradio.override {
+  gnuradioEnv = pkgs.gnuradio3_8.override {
    extraPackages = pkgs.lib.attrVals [
      "osmosdr"
    ]
-      pkgs.gnuradioPackages;
+      pkgs.gnuradio3_8Packages;
  };
 in
-lib.mkIf nixosConfig.jalr.gui.enable {
+(lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = [ gnuradioEnv ];
-}
+})
--- a/home-manager/modules/graphics/default.nix
+++ b/home-manager/modules/graphics/default.nix
@ -1,3 +1,5 @@
 { nixosConfig, ... }:
 {
  imports = [
    ./gimp.nix
--- a/home-manager/modules/graphics/gimp.nix
+++ b/home-manager/modules/graphics/gimp.nix
--- a/home-manager/modules/graphics/inkscape.nix
+++ b/home-manager/modules/graphics/inkscape.nix
--- a/home-manager/modules/graphics/krita.nix
+++ b/home-manager/modules/graphics/krita.nix
--- a/home-manager/modules/gui.nix
+++ b/home-manager/modules/gui.nix
@ -0,0 +1,15 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    evince
    gcr # required for pinentry-gnome
    geeqie
    mpv
    networkmanagerapplet
    networkmanagerapplet
    pinentry-gnome
    streamlink
    vlc
    xdg_utils
  ];
 }
--- a/home-manager/modules/jameica.nix
+++ b/home-manager/modules/jameica.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
-    trilium-next-desktop
+    jameica
  ];
 }
--- a/home-manager/modules/kicad.nix
+++ b/home-manager/modules/kicad.nix
--- a/home-manager/modules/mpv.nix
+++ b/home-manager/modules/mpv.nix
--- a/home-manager/modules/mute-indicator.nix
+++ b/home-manager/modules/mute-indicator.nix
--- a/home-manager/modules/neo.nix
+++ b/home-manager/modules/neo.nix
@ -1,5 +1,6 @@
 { config, pkgs, ... }:
 {
-  environment.variables = {
+  home.sessionVariables = {
    XKB_DEFAULT_LAYOUT = "de,de";
    XKB_DEFAULT_VARIANT = "neo,";
    XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
--- a/home-manager/modules/neovim.nix
+++ b/home-manager/modules/neovim.nix
@ -0,0 +1,174 @@
 { lib, nixosConfig, config, pkgs, ... }:
 {
  home.sessionVariables = {
    EDITOR = "nvim";
  };
  programs.neovim = {
    enable = true;
    vimAlias = true;
    extraConfig = ''
      " use space as leader
      let mapleader = " "
      colorscheme NeoSolarized
      """""""""""""""""
      " Swap and undo "
      set noswapfile
      set nobackup
      if has('persistent_undo')
          " yay persistent undo
          :silent !mkdir -p ~/.local/vim-undo
          set undofile
          set undodir=~/.local/vim-undo
      endif
      cabbr <expr> %% expand('%:p:h')
      set listchars=trail:·,precedes:«,extends:»,eol:↲,tab:▸\
      nmap <silent> <leader>c :set list!<CR>
      set smartcase
      set hlsearch
      nnoremap <silent> <CR> :nohlsearch<CR>:set nolist<CR><CR>
      " highlight whitespace
      highlight ExtraWhitespace ctermbg=red guibg=red
      highlight WrongIndent ctermbg=2 guibg=blue
      match ExtraWhitespace /\s\+$/
      augroup highlight_extra_whitespace
          autocmd BufWinEnter * match ExtraWhitespace /\s\+$/
          autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@<!$/
          autocmd InsertLeave * match ExtraWhitespace /\s\+$/
          autocmd BufWinLeave * call clearmatches()
      augroup END
      let g:deoplete#enable_at_startup = 1
      sign define LspDiagnosticsSignError text=🟥
      sign define LspDiagnosticsSignWarning text=🟠
      sign define LspDiagnosticsSignInformation text=🟣
      sign define LspDiagnosticsSignHint text=🟢
      nnoremap <silent> gd    <cmd>lua vim.lsp.buf.definition()<CR>
      nnoremap <silent> gi    <cmd>lua vim.lsp.buf.implementation()<CR>
      nnoremap <silent> gr    <cmd>lua vim.lsp.buf.references()<CR>
      nnoremap <silent> gD    <cmd>lua vim.lsp.buf.declaration()<CR>
      nnoremap <silent> ge    <cmd>lua vim.lsp.diagnostic.set_loclist()<CR>
      nnoremap <silent> K     <cmd>lua vim.lsp.buf.hover()<CR>
      nnoremap <silent> <leader>f    <cmd>lua vim.lsp.buf.formatting()<CR>
      nnoremap <silent> <leader>rn    <cmd>lua vim.lsp.buf.rename()<CR>
      nnoremap <silent> <leader>a <cmd>lua vim.lsp.buf.code_action()<CR>
      xmap <silent> <leader>a <cmd>lua vim.lsp.buf.range_code_action()<CR>
      lua require('init')
    '';
    # nix-env -f '<nixpkgs>' -qaP -A vimPlugins
    plugins = with pkgs.vimPlugins; [
      #Valloric/MatchTagAlways
      #frankier/neovim-colors-solarized-truecolor-only
      #nvie/vim-rst-tables
      NeoSolarized
      deoplete-nvim
      editorconfig-vim
      nvim-lspconfig
      vim-gitgutter
      vim-indent-guides
      vim-nix
      vim-puppet
      vim-terraform
    ];
  };
  xdg.configFile."nvim/lua/init.lua".text = builtins.concatStringsSep "\n" (
    [
      ''
        -- init.lua
        -- this configuration applies to servers and workstations
      ''
    ] ++ lib.optional nixosConfig.jalr.workstation.enable (
      ''
        -- this configuration applies to workstations only
        -- https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md
        local lsp = require('lspconfig')
      '' +
      builtins.concatStringsSep "\n" (
        lib.mapAttrsToList
          (
            lang: cfg: "lsp.${lang}.setup\n" + lib.generators.toLua { } cfg
          )
          {
            # C and C++
            ccls = {
              cmd = [ "${pkgs.ccls}/bin/ccls" ];
            };
            # Nix
            rnix = {
              cmd = [ "${pkgs.rnix-lsp}/bin/rnix-lsp" ];
            };
            # Python
            pylsp = {
              cmd = [ "${pkgs.python310Packages.python-lsp-server}/bin/pylsp" ];
              settings = {
                # https://github.com/python-lsp/python-lsp-server/blob/develop/CONFIGURATION.md
                pylsp = {
                  plugins = {
                    flake8 = {
                      enabled = true;
                      executable = "${pkgs.python310Packages.flake8}/bin/flake8";
                    };
                    jedi_completion = { enabled = true; };
                    jedi_definition = { enabled = true; };
                    jedi_hover = { enabled = true; };
                    jedi_references = { enabled = true; };
                    jedi_signature_help = { enabled = true; };
                    jedi_symbols = { enabled = true; };
                    mccabe = { enabled = true; };
                    preload = { enabled = true; };
                    pycodestyle = { enabled = true; };
                    pyflakes = { enabled = true; };
                    rope_completion = { enabled = true; };
                    yapf = { enabled = true; };
                  };
                };
              };
            };
            # Ruby
            solargraph = {
              cmd = [ "${pkgs.solargraph}/bin/solargraph" "stdio" ];
            };
            # Rust
            rust_analyzer = {
              cmd = [ "${pkgs.rust-analyzer}/bin/rust-analyzer" ];
            };
            # Bash
            bashls = {
              cmd = [ "${pkgs.nodePackages.bash-language-server}/bin/bash-language-server" "start" ];
            };
            # Terraform
            terraform_lsp = {
              cmd = [ "${pkgs.terraform-lsp}/bin/terraform-lsp" "serve" ];
            };
            # YAML
            yamlls = {
              cmd = [ "${pkgs.nodePackages.yaml-language-server}/bin/yaml-language-server" "--stdio" ];
              settings = {
                yaml = {
                  keyOrdering = false;
                };
              };
            };
          }
      )
    )
  );
 }
--- a/home-manager/modules/obs-studio/default.nix
+++ b/home-manager/modules/obs-studio/default.nix
@ -2,7 +2,7 @@
 {
  programs.obs-studio = {
-    inherit (nixosConfig.jalr.gui) enable;
+    enable = nixosConfig.jalr.gui.enable;
    plugins = with pkgs; [
      obs-studio-plugins.wlrobs
    ];
--- a/users/jalr/modules/3d-modeling.nix
+++ b/users/jalr/modules/3d-modeling.nix
--- a/home-manager/modules/pass.nix
+++ b/home-manager/modules/pass.nix
@ -0,0 +1,29 @@
 { nixosConfig, config, pkgs, ... }:
 let
  pw = pkgs.writeScriptBin "pw" ''
    p="$(${pkgs.pass}/bin/pass show "$1")"
    copy_line() {
      echo -n "$p" | ${pkgs.gnused}/bin/sed -n "$1"p | ${pkgs.wl-clipboard}/bin/wl-copy -o -f
    }
    echo "username"
    copy_line 2
    echo "password"
    copy_line 1
  '';
 in
 {
  home.packages = [
    pw
  ] ++
  (
    if nixosConfig.jalr.gui.enable
    then with pkgs; [
      qtpass
      pass-wayland
    ]
    else [ ]
  );
 }
--- a/home-manager/modules/pcmanfm.nix
+++ b/home-manager/modules/pcmanfm.nix
@ -0,0 +1,7 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    pcmanfm
  ];
 }
--- a/home-manager/modules/python.nix
+++ b/home-manager/modules/python.nix
@ -1,10 +1,8 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.workstation.enable {
  home.packages = with pkgs; [
-    (python3.withPackages (pp: with pp; [
+    python310
-      ipython
+    python310Packages.virtualenv
-      pyyaml
+    python310Packages.ipython
      virtualenv
    ]))
  ];
 }
--- a/home-manager/modules/solarized.nix
+++ b/home-manager/modules/solarized.nix
@ -0,0 +1,23 @@
 builtins.mapAttrs
  (name: hex: {
    inherit hex;
    rgb = builtins.concatStringsSep "," (map (f: toString (builtins.fromTOML "i = 0x${f hex}").i) (map (pos: builtins.substring pos 2) [ 1 3 5 ]));
  })
 {
  base00 = "#657b83";
  base01 = "#586e75";
  base02 = "#073642";
  base03 = "#002b36";
  base0 = "#839496";
  base1 = "#93a1a1";
  base2 = "#eee8d5";
  base3 = "#fdf6e3";
  blue = "#268bd2";
  cyan = "#2aa198";
  green = "#859900";
  magenta = "#d33682";
  orange = "#cb4b16";
  red = "#dc322f";
  violet = "#6c71c4";
  yellow = "#b58900";
 }
--- a/home-manager/modules/sound/audacity.nix
+++ b/home-manager/modules/sound/audacity.nix
--- a/home-manager/modules/sound/default.nix
+++ b/home-manager/modules/sound/default.nix
@ -1,8 +1,8 @@
 { nixosConfig, ... }:
 {
  imports = [
    ./audacity.nix
    ./easyeffects.nix
    ./pipewire.nix
    #./ksoloti.nix
  ];
 }
--- a/home-manager/modules/sound/easyeffects.nix
+++ b/home-manager/modules/sound/easyeffects.nix
@ -0,0 +1,7 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    easyeffects
  ];
 }
--- a/home-manager/modules/sound/pipewire.nix
+++ b/home-manager/modules/sound/pipewire.nix
@ -2,6 +2,7 @@
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    easyeffects
    pavucontrol
    qpwgraph
  ];
--- a/home-manager/modules/sway/default.nix
+++ b/home-manager/modules/sway/default.nix
@ -1,21 +1,24 @@
-{ nixosConfig, config, lib, pkgs, ... }:
+{ nixosConfig, config, lib, pkgs, stdenv, ... }:
 let
  solarized = import ../solarized.nix;
  terminalEmulator =
-    pkgs.writeShellScript "wezterm-sway-cwd" ''
+    if nixosConfig.jalr.terminalEmulator == "alacritty"
-      this_wezterm_pid="$(${pkgs.sway}/bin/swaymsg -t get_tree --raw | ${pkgs.jq}/bin/jq -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="org.wezfurlong.wezterm")).pid')"
+    then
      pkgs.writeShellScript "alacritty-sway-cwd" ''
        this_alacritty_pid="$(${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
-      if [ "$this_wezterm_pid" ]; then
+        if [ "$this_alacritty_pid" ]; then
-          child_pid="$(pgrep -P "$this_wezterm_pid")"
+            child_pid="$(pgrep -P "$this_alacritty_pid")"
-          cwd="$(readlink /proc/$child_pid/cwd)"
+            cwd="$(readlink /proc/$child_pid/cwd)"
-      fi
+        fi
-      if [ -e "$cwd" ]; then
+        if [ -e "$cwd" ]; then
-          exec ${pkgs.wezterm}/bin/wezterm start --cwd "$cwd"
+            exec ${pkgs.alacritty}/bin/alacritty --working-directory "$cwd"
-      fi
+        fi
-      exec ${pkgs.wezterm}/bin/wezterm
+        exec ${pkgs.alacritty}/bin/alacritty
-    '';
+      ''
    else nixosConfig.jalr.terminalEmulator;
  cfg = config.wayland.windowManager.sway.config;
  wallpaper = pkgs.fetchurl {
    url = "https://raw.githubusercontent.com/swaywm/sway/3b2bc894a5ebbcbbd6707d45a25d171779c2e874/assets/Sway_Wallpaper_Blue_1920x1080.png";
@ -24,59 +27,19 @@ let
    meta.license = lib.licenses.cc0;
  };
  move-to-output = pkgs.callPackage ./move-to-output { };
  gsettings =
    let
      schema = pkgs.gsettings-desktop-schemas;
      datadir = "${schema}/share/gsettings-schemas/${schema.name}";
    in
    pkgs.writeShellScriptBin "gsettings" ''
      export XDG_DATA_DIRS=${datadir}:$XDG_DATA_DIRS
      gnome_schema=org.gnome.desktop.interface
      #gsettings set $gnome_schema gtk-theme 'Dracula'
      ${pkgs.glib}/bin/gsettings "$@"
    '';
  matchHostname = hostname: lib.optionalAttrs (nixosConfig.networking.hostName == hostname);
  resumeTimeTrackingNotification = pkgs.writeShellScript "resume-time-tracking-notification" ''
    export PATH=${pkgs.lib.makeBinPath [pkgs.timewarrior pkgs.libnotify]}
    task="$1"
    date="$2"
    if [ $(notify-send --action 'default=Resume time tracking' "Tracking '$task' stopped at $date, resume?") = "default" ]; then
      timew continue
    fi
  '';
  lockScreen = pkgs.writeShellScript "lock-screen" ''
    export PATH="${pkgs.lib.makeBinPath [pkgs.gnused pkgs.timewarrior pkgs.coreutils pkgs.swaylock]}"
    task="$(timew | sed -n -r 's/^Tracking (.*)$/\1/p')"
    date="$(date --rfc-3339=seconds)"
    if [ "$task" != "" ]; then
      timew stop
      nohup ${resumeTimeTrackingNotification} "$task" "$date" >/dev/null 2>&1 &
    fi
    swaylock -f -i ${wallpaper}
  '';
 in
 {
  imports = lib.optionals nixosConfig.jalr.gui.enable [
    ./gammastep.nix
    ./mako.nix
    ./screenshare.nix
    ./waybar.nix
    ./wofi-bluetooth.nix
    ./wofi.nix
    ./wofi-bluetooth.nix
    ./yubikey-touch-detector.nix
  ];
 } // (lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    gsettings
    libnotify # notify-send
    mako
    slurp
    swappy # screenshot editing
    sway-contrib.grimshot # screenshots
    timewarrior
    wdisplays # graphical output manager
    wl-clipboard
    wl-mirror
  ];
  home.sessionVariables = {
@ -88,6 +51,28 @@ in
    _JAVA_AWT_WM_NONREPARENTING = "1";
  };
  #home.sessionVariables = {
  #  CLUTTER_BACKEND = "wayland";
  #  GDK_BACKEND = "wayland";
  #  GDK_DPI_SCALE = 1;
  #  MOZ_ENABLE_WAYLAND = 1;
  #  QT_QPA_PLATFORM = "wayland-egl";
  #  QT_WAYLAND_DISABLE_WINDOWDECORATION = 1;
  #  SDL_VIDEODRIVER = "wayland";
  #  WLR_NO_HARDWARE_CURSORS = 1;
  #  _JAVA_AWT_WM_NONREPARENTING = 1;
  #  _JAVA_OPTIONS = "-Dawt.useSystemAAFontSettings=on";
  #};
  programs.fish.loginShellInit = ''
    if [ -z $WAYLAND_DISPLAY ] && [ (tty) = /dev/tty1 ]
        export XDG_SESSION_TYPE="wayland" # otherwise set to tty
        set -e __HM_SESS_VARS_SOURCED
        set -e __NIXOS_SET_ENVIRONMENT_DONE
        exec systemd-cat -t sway sway
    end
  '';
  wayland.windowManager.sway = {
    enable = true;
@ -99,19 +84,19 @@ in
      down = "r";
      terminal = "${terminalEmulator}";
-      menu = "${pkgs.wofi}/bin/wofi --allow-images --show drun --color=$HOME/.config/wofi/color";
+      menu = "${pkgs.wofi}/bin/wofi --allow-images --show drun";
-      input."type:keyboard" = {
+      output."*".bg = "${wallpaper} fill";
        xkb_layout = "de,de,us";
        xkb_variant = "neo,,";
        xkb_options = "grp:win_space_toggle";
      };
-      output = {
+      # FIXME
-        "*".bg = "${wallpaper} fill";
+      #input = {
-      } // matchHostname "copper" {
+      #  #"type:keyboard" = {
-        eDP-1.scale = toString 1.5;
+      #  #  xkb_layout = "neo";
-      };
+      #  #};
      #} // (lib.optionalAttrs (nixosConfig.networking.hostName == "mayushii") {
      #  "type:touchpad".events = "disabled";
      #  "2:10:TPPS/2_Elan_TrackPoint".pointer_accel = "-0.15";
      #});
      keybindings = {
        "${cfg.modifier}+Return" = "exec ${cfg.terminal}";
@ -233,8 +218,7 @@ in
        "XF86AudioMute" = "exec pactl set-source-mute alsa_input.usb-BEHRINGER_UMC202HD_192k-00.HiFi__umc202hd_mono_in_U192k_0_1__source toggle";
-        "${cfg.modifier}+l" = "exec ${lockScreen}";
+        "${cfg.modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock -f -i ${wallpaper}";
        "${cfg.modifier}+v" = "exec GSK_RENDERER=cairo GTK_USE_PORTAL=0 ${pkgs.mixxc}/bin/mixxc -A";
      };
      bars = [ ]; # managed as systemd user unit
@ -272,20 +256,6 @@ in
          criteria = { app_id = "firefox"; title = "Firefox — Sharing Indicator"; };
          command = "kill";
        }
        {
          criteria = {
            app_id = "firefox-esr";
            title = "Extension: \\\\(Tree Style Tab\\\\) - Close tabs\\\\? — Mozilla Firefox";
          };
          command = "floating enable";
        }
        {
          criteria = {
            app_id = "yad";
            title = "Pomodoro";
          };
          command = "floating enable";
        }
      ];
      window.border = 2;
@ -299,22 +269,45 @@ in
        border = 1;
      };
      colors = {
        focused = rec {
          border = solarized.base1.hex;
          background = solarized.base2.hex;
          text = solarized.base1.hex;
          indicator = solarized.cyan.hex;
          childBorder = background;
        };
        focusedInactive = rec {
          border = solarized.base0.hex;
          background = solarized.base03.hex;
          text = solarized.base0.hex;
          indicator = solarized.cyan.hex;
          childBorder = background;
        };
        unfocused = rec {
          border = solarized.base0.hex;
          background = solarized.base03.hex;
          text = solarized.base0.hex;
          indicator = solarized.cyan.hex;
          childBorder = background;
        };
        urgent = rec {
          border = solarized.base02.hex;
          background = solarized.red.hex;
          text = solarized.base02.hex;
          indicator = solarized.cyan.hex;
          childBorder = background;
        };
      };
      fonts = {
        names = [ "monospace" ];
        style = "Regular";
-
+        size = 10.0;
        # FIXME: this is an ugly workaround until https://github.com/swaywm/sway/issues/7409 is fixed
        size = 0.001;
      };
    };
    extraConfig = ''
      include ~/.config/sway/theme
      # Hide title bar, see https://github.com/swaywm/sway/issues/6946
      titlebar_border_thickness 0
      titlebar_padding 1
      # Cursor
      seat seat0 xcursor_theme Adwaita
    '' + (
@ -355,48 +348,35 @@ in
      Environment = "PATH=${pkgs.bash}/bin:${config.wayland.windowManager.sway.package}/bin";
      ExecStart = ''
        ${pkgs.swayidle}/bin/swayidle -w \
-            timeout 300 "${lockScreen}" \
+            timeout 300 "${pkgs.swaylock}/bin/swaylock -f -i ${wallpaper}" \
-            timeout 270 '${pkgs.sway}/bin/swaymsg "output * dpms off"' \
+            timeout 300 '${pkgs.sway}/bin/swaymsg "output * dpms off"' \
                resume '${pkgs.sway}/bin/swaymsg "output * dpms on"' \
-            before-sleep "${lockScreen}"
+            before-sleep "${pkgs.swaylock}/bin/swaylock -f -i ${wallpaper}"
      '';
      Restart = "on-failure";
    };
  };
-  xdg.configFile =
+  xdg.configFile."swaynag/config".text =
    let
-      makeTheme = scheme: ''
+      # adding it to the header doesn’t work since the defaults overwrite it
-        client.focused ${scheme.base05} ${scheme.base0D} ${scheme.base00} ${scheme.base0D} ${scheme.base0D}
+      commonConfig = /* ini */ ''
-        client.focused_inactive ${scheme.base01} ${scheme.base01} ${scheme.base05} ${scheme.base03} ${scheme.base01}
+        background=${lib.substring 1 6 solarized.base3.hex}
-        client.unfocused ${scheme.base01} ${scheme.base00} ${scheme.base05} ${scheme.base01} ${scheme.base01}
+        border-bottom=${lib.substring 1 6 solarized.base2.hex}
-        client.urgent ${scheme.base08} ${scheme.base08} ${scheme.base00} ${scheme.base08} ${scheme.base08}
+        border=${lib.substring 1 6 solarized.base2.hex}
        button-background=${lib.substring 1 6 solarized.base3.hex}
        button-text=${lib.substring 1 6 solarized.base00.hex}
      '';
    in
-    {
+      /* ini */ ''
-      "sway/light-theme".text = makeTheme solarized.light.hex;
+      font=Monospace 12
      "sway/dark-theme".text = makeTheme solarized.dark.hex;
      "swaynag/config".text =
        let
          # adding it to the header doesn’t work since the defaults overwrite it
          commonConfig = /* ini */ ''
            background=${lib.substring 1 6 solarized.colors.base3}
            border-bottom=${lib.substring 1 6 solarized.colors.base2}
            border=${lib.substring 1 6 solarized.colors.base2}
            button-background=${lib.substring 1 6 solarized.colors.base3}
            button-text=${lib.substring 1 6 solarized.colors.base00}
          '';
        in
          /* ini */ ''
          font=Monospace 12
-          [warning]
+      [warning]
-          text=${lib.substring 1 6 solarized.colors.yellow}
+      text=${lib.substring 1 6 solarized.yellow.hex}
-          ${commonConfig}
+      ${commonConfig}
-          [error]
+      [error]
-          text=${lib.substring 1 6 solarized.colors.red}
+      text=${lib.substring 1 6 solarized.red.hex}
-          ${commonConfig}
+      ${commonConfig}
-        '';
+    '';
    };
 })
--- a/home-manager/modules/sway/gammastep.nix
+++ b/home-manager/modules/sway/gammastep.nix
--- a/home-manager/modules/sway/move-to-output/default.nix
+++ b/home-manager/modules/sway/move-to-output/default.nix
@ -1,5 +1,5 @@
-{ stdenv, pkgs, ... }:
+{ lib, stdenv, pkgs, writeShellScript, ... }:
-stdenv.mkDerivation {
+stdenv.mkDerivation rec {
  name = "sway-move-to-output";
  phases = "installPhase";
  installPhase = ''
@ -8,7 +8,7 @@ stdenv.mkDerivation {
    chmod +x $out/bin/move-to-output
  '';
  script = ''
-    #!${pkgs.python3}/bin/python
+    #!${pkgs.python310}/bin/python
    import sys
    import json
    import subprocess
--- a/home-manager/modules/sway/waybar.nix
+++ b/home-manager/modules/sway/waybar.nix
@ -0,0 +1,491 @@
 { config, lib, nixosConfig, pkgs, ... }:
 let
  watchUserUnitState = unit: started: stopped: pkgs.writeShellScript "watch-user-unit-${unit}-state" ''
    ${pkgs.systemd}/bin/journalctl --user -u ${unit} -t systemd -o cat -f \
        | ${pkgs.gnugrep}/bin/grep --line-buffered -Eo '^(Started|Stopped)' \
        | ${pkgs.jq}/bin/jq --unbuffered -Rc 'if . == "Started" then ${builtins.toJSON started} else ${builtins.toJSON stopped} end'
  '';
  toggleUserUnitState = unit: pkgs.writeShellScript "toggle-user-unit-${unit}-state" ''
    if ${pkgs.systemd}/bin/systemctl --user show ${unit} | ${pkgs.gnugrep}/bin/grep -q ActiveState=active; then
        ${pkgs.systemd}/bin/systemctl --user stop ${unit}
    else
        ${pkgs.systemd}/bin/systemctl --user start ${unit}
    fi
  '';
  makoInhibitorTest = pkgs.writeShellScript "mako-inhibitor-test" ''
    export PATH=${pkgs.lib.makeBinPath (with pkgs; [pkgs.libnotify])}
    notify-send "test"
    notify-send "bla $1"
  '';
  setMakoMode = pkgs.writeShellScript "set-mako-mode" ''
    export PATH=${pkgs.lib.makeBinPath (with pkgs; [pkgs.mako])}
    if [[ "$2" = "toggle" ]]; then
        if makoctl mode | grep -Fxq "$1"; then
            action = "add"
        else
            action = "remove"
        fi
    else
        action = "$2"
    fi
    case "$action" in
        add)
            makoctl mode -a "$1"
        ;;
        remove)
            makoctl mode -d "$1"
        ;;
        *)
            exit 1
        ;;
    esac
  '';
  # for fine-grained control over spacing
  thinsp = "&#8201;";
  solarized = import ../solarized.nix;
 in
 {
  # home-manager’s waybar module performs additional checks that are overly strict
  xdg.configFile."waybar/config".text = lib.generators.toJSON { } {
    layer = "top";
    position = "top";
    height = 24;
    modules-center = [ ];
    modules-left = [
      "sway/workspaces"
      "sway/mode"
    ];
    modules-right = [
      "tray"
      "custom/screencast"
      "custom/redshift"
      "idle_inhibitor"
      "backlight"
      "mpd"
      "pulseaudio"
      "network"
      "custom/vpn"
      "memory"
      "cpu"
      "temperature"
      "battery"
      "clock"
      "custom/calendar"
    ];
    "sway/workspaces" = {
      disable-scroll = true;
    };
    "sway/mode" = {
      format = "{}";
    };
    tray = {
      spacing = 5;
    };
    "custom/redshift" = {
      exec = watchUserUnitState
        "gammastep"
        { class = "active"; }
        { class = "inactive"; };
      on-click = toggleUserUnitState "gammastep";
      return-type = "json";
      format = "󰌵";
      tooltip = false;
    };
    idle_inhibitor = {
      format = "{icon}";
      format-icons = {
        activated = "󰈈 ";
        deactivated = "󰈉 ";
      };
      on-click = "${makoInhibitorTest} {}";
    };
    "custom/screencast" = {
      exec = pkgs.writeScript "screencast-monitor" /* python */ ''
        #!${pkgs.python3}/bin/python3
        import subprocess
        import sys
        active_outputs = 0
        with subprocess.Popen(
            ["${pkgs.coreutils}/bin/stdbuf", "-o0", "${nixosConfig.services.pipewire.package}/bin/pw-link", "-m", "-o", "xdg-desktop-portal-wlr"],
            stdout=subprocess.PIPE,
            text=True,
        ) as proc:
            for line in proc.stdout:
                action = line.split(" ")[0]
                if action == "=" or action == "+":
                    active_outputs += 1
                elif action == "-":
                    active_outputs -= 1
                else:
                    print(f"Invalid action {action} (in line {line})", file=sys.stderr)
                if active_outputs > 0:
                    print("󱒃")
                else:
                    print()
                sys.stdout.flush()
      '';
      format = "{}";
      tooltip = false;
    };
    backlight = {
      format = "{percent}% {icon}";
      format-icons = [ "󰛩" "󱩎" "󱩏" "󱩐" "󱩑" "󱩒" "󱩓" "󱩔" "󱩕" "󱩖" "󰛨" ];
      on-scroll-up = "${pkgs.brightnessctl}/bin/brightnessctl -q set +5%";
      on-scroll-down = "${pkgs.brightnessctl}/bin/brightnessctl -q set 5%-";
    };
    mpd = {
      server = config.services.mpd.network.listenAddress;
      format = "{stateIcon} {consumeIcon}{randomIcon}{repeatIcon}{singleIcon}{artist} – {title} ({elapsedTime:%M:%S}/{totalTime:%M:%S}) 󰎈";
      format-disconnected = "Disconnected 󰎈";
      format-stopped = "{consumeIcon}{randomIcon}{repeatIcon}{singleIcon}Stopped 󰎈";
      unknown-tag = "N/A";
      interval = 2;
      tooltip-format = "MPD (connected)";
      tooltip-format-disconnected = "MPD (disconnected)";
      on-scroll-up = "${pkgs.mpc_cli}/bin/mpc -q -h ${config.services.mpd.network.listenAddress} volume +2";
      on-scroll-down = "${pkgs.mpc_cli}/bin/mpc -q -h ${config.services.mpd.network.listenAddress} volume -2";
      title-len = 48;
      artist-len = 24;
      consume-icons = {
        on = "󰩫  ";
      };
      random-icons = {
        off = "󰒞 ";
        on = "󰒝 ";
      };
      repeat-icons = {
        on = "󰑖 ";
      };
      single-icons = {
        on = "󰑘 ";
      };
      state-icons = {
        paused = "󰏤 ";
        playing = "󰐊 ";
      };
    };
    pulseaudio = {
      format = "{volume}% {icon} {format_source}";
      format-bluetooth = "{volume}% {icon}󰗾{format_source}";
      format-bluetooth-muted = "{icon}󰗿{format_source}";
      format-muted = "󰝟 {format_source}";
      format-source = "{volume}% ${thinsp}";
      format-source-muted = "${thinsp}";
      format-icons = {
        car = "󰄋 ";
        default = [ "󰕿" "󰖀" "󰕾" ];
        hands-free = "󰋎";
        headphone = "󰋋";
        headset = "󰋎";
        phone = "󰏲";
        portable = "󰏲";
      };
      on-click-right = "${pkgs.pavucontrol}/bin/pavucontrol";
    };
    network = {
      format-wifi = "{essid} ({signalStrength}%) 󰖩 ";
      format-ethernet = "{ipaddr}/{cidr} 󰈀 ";
      format-linked = "{ifname} (No IP) 󰈀 ";
      format-disconnected = "Disconnected ⚠ ";
      format-alt = "{ifname}: {ipaddr}/{cidr}";
      tooltip = false;
      on-click-right = "${config.programs.alacritty.package}/bin/alacritty -e ${pkgs.networkmanager}/bin/nmtui";
    };
    "custom/vpn" = {
      interval = 10;
      exec = pkgs.writeShellScript "vpn-state" ''
        ${pkgs.iproute}/bin/ip -j link \
          | ${pkgs.jq}/bin/jq --unbuffered --compact-output '
            [[.[].ifname | select(. | startswith("mullvad"))][] | split("-")[1] + " 󰌾${thinsp}"] as $conns
            | { text: ($conns[0] // ""), class: (if $conns | length > 0 then "connected" else "disconnected" end) }'
      '';
      return-type = "json";
      format = "{}";
      tooltip = false;
    };
    memory = {
      interval = 2;
      format = "{:2}% 󰍛 ";
    };
    cpu = {
      interval = 2;
      format = "{usage:2}%  ";
      tooltip = false;
    };
    temperature = {
      critical-threshold = 80;
      format = "{temperatureC}°C {icon}";
      format-icons = [ "" "" "" "" "" ];
    } // (lib.optionalAttrs (nixosConfig.networking.hostName == "mayushii") {
      hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input";
    });
    battery = {
      interval = 5;
      format = "{capacity}% {icon}";
      format-charging = "{capacity}% ";
      format-plugged = "{capacity}% x";
      format-alt = "{time} {icon}";
      format-icons = [ "󰂎" "󰁺" "󰁻" "󰁼" "󰁽" "󰁾" "󰁿" "󰂀" "󰂁" "󰂂" "󰁹" ];
      states = {
        critical = 15;
        good = 95;
        warning = 30;
      };
    };
    clock = {
      format = "{:%H:%M %Z}";
      format-alt = "{:%Y-%m-%d (%a)}";
      tooltip-format = "<big>{:%Y %B}</big>\n<tt><small>{calendar}</small></tt>";
    };
    "custom/calendar" = {
      interval = 300;
      exec = pkgs.writeScript "calendar" /* python */ ''
        #!${pkgs.python3}/bin/python3
        import json
        import subprocess
        def khal(args):
            completed = subprocess.run(["${pkgs.khal}/bin/khal"] + args, capture_output=True)
            assert completed.returncode == 0
            return completed.stdout.decode("utf-8")
        events_today = khal(["list", "today", "today", "-df", "", "-f", "{title}"]).rstrip().split("\n")
        events_2d = khal(["list", "today", "tomorrow", "-df", "<b>{name}, {date}</b>"]).rstrip()
        if len(events_today) == 1 and events_today[0] == "No events":
            events_today = []
        if len(events_today) == 0:
            text = "󰃮 "
        else:
            text = f"{len(events_today)} 󰃶 "
        print(
            json.dumps(
                {
                    "class": "active" if len(events_today) > 0 else "",
                    "text": text,
                    "tooltip": events_2d,
                }
            )
        )
      '';
      return-type = "json";
      format = "{}";
    };
  };
  xdg.configFile."waybar/style.css".text = ''
    * {
      border-radius: 0;
      border: none;
      font-family: "Iosevka Nerd Font";
      font-size: 14px;
      min-height: 0;
      transition-property: none;
    }
    window#waybar {
      background-color: ${solarized.base03.hex};
      color: ${solarized.base0.hex};
    }
    #workspaces button {
      padding: 0 5px;
      background-color: ${solarized.base03.hex};
      color: inherit;
      border-bottom: 2px solid transparent;
    }
    #workspaces button:hover {
      background: ${solarized.base02.hex};
      box-shadow: inherit;
      text-shadow: inherit;
    }
    #workspaces button.focused {
      border-bottom: 2px solid ${solarized.green.hex};
    }
    #workspaces button.urgent {
      background-color: ${solarized.red.hex};
    }
    #mode {
      background-color: ${solarized.base02.hex};
      font-style: italic;
    }
    /* all modules on the right */
    #waybar > box > box:nth-child(3) > widget > label {
      padding: 0 10px;
    }
    #battery.charging {
      color: ${solarized.base02.hex};
      background-color: ${solarized.green.hex};
    }
    @keyframes blink {
      to {
        background-color: ${solarized.base3.hex};
        color: ${solarized.base00.hex};
      }
    }
    #battery.critical:not(.charging),
    #temperature.critical {
      background-color: ${solarized.red.hex};
      animation-name: blink;
      animation-duration: 0.5s;
      /* FIXME use nearest neighbor interpolation if possible */
      animation-timing-function: cubic-bezier(1, 0, 0, 1);
      animation-iteration-count: infinite;
      animation-direction: alternate;
    }
    #cpu {
      background-color: ${solarized.cyan.hex};
      color: ${solarized.base02.hex}
    }
    #memory {
      background-color: ${solarized.yellow.hex};
      color: ${solarized.base02.hex}
    }
    #backlight {
      background-color: ${solarized.base3.hex};
      color: ${solarized.base00.hex};
    }
    #network {
      background-color: ${solarized.violet.hex};
      color: ${solarized.base02.hex}
    }
    #custom-vpn {
      background-color: ${solarized.blue.hex};
      color: ${solarized.base02.hex}
    }
    #network.disconnected {
      background-color: ${solarized.red.hex};
    }
    #pulseaudio {
      background-color: ${solarized.base3.hex};
      color: ${solarized.base00.hex};
    }
    #pulseaudio.muted {
      background-color: ${solarized.base03.hex};
      color: ${solarized.base0.hex};
    }
    #temperature {
      background-color: ${solarized.magenta.hex};
      color: ${solarized.base02.hex};
    }
    #idle_inhibitor.activated {
      background-color: ${solarized.base3.hex};
      color: ${solarized.base03.hex};
    }
    #mpd {
      background-color: ${solarized.green.hex};
      color: ${solarized.base02.hex};
    }
    #mpd.disconnected {
      background-color: ${solarized.red.hex};
    }
    #mpd.stopped {
      background-color: ${solarized.orange.hex};
    }
    #mpd.paused {
      background-color: ${solarized.yellow.hex};
    }
    #custom-redshift {
      color: ${solarized.base02.hex};
    }
    #custom-redshift.active {
      background-color: ${solarized.red.hex};
    }
    #custom-redshift.inactive {
      background-color: ${solarized.blue.hex};
    }
    #tray {
      padding: 0 5px;
    }
    #custom-notification_inhibitor.active {
      background-color: ${solarized.base3.hex};
      color: ${solarized.base03.hex};
    }
    #custom-screencast {
      background-color: ${solarized.red.hex};
      color: ${solarized.base03.hex};
      animation-name: blink;
      animation-duration: 0.5s;
      animation-timing-function: cubic-bezier(1, 0, 0, 1);
      animation-iteration-count: infinite;
      animation-direction: alternate;
    }
    #custom-calendar.active {
      background-color: ${solarized.base3.hex};
      color: ${solarized.base00.hex};
    }
  '';
  systemd.user.services.waybar = {
    Unit = {
      Description = "Highly customizable Wayland bar for Sway and Wlroots based compositors.";
      Documentation = "https://github.com/Alexays/Waybar/wiki/";
      PartOf = [ "sway-session.target" ];
    };
    Install.WantedBy = [ "sway-session.target" ];
    Service = {
      # ensure sway is already started, otherwise workspaces will not work
      ExecStartPre = "${config.wayland.windowManager.sway.package}/bin/swaymsg";
      ExecStart = "${pkgs.waybar}/bin/waybar";
      ExecReload = "${pkgs.utillinux}/bin/kill -SIGUSR2 $MAINPID";
      Restart = "on-failure";
      RestartSec = "1s";
    };
  };
  # TODO: remove when https://github.com/nix-community/home-manager/issues/2064
  # is resolved
  systemd.user.targets.tray = {
    Unit = {
      Description = "Home Manager System Tray";
      Requires = [ "graphical-session-pre.target" ];
    };
  };
 }
--- a/home-manager/modules/sway/wofi-bluetooth.nix
+++ b/home-manager/modules/sway/wofi-bluetooth.nix
--- a/home-manager/modules/sway/wofi.nix
+++ b/home-manager/modules/sway/wofi.nix
@ -0,0 +1,64 @@
 { nixosConfig, config, lib, pkgs, ... }:
 let
  solarized = import ../solarized.nix;
 in
 {
  xdg.configFile."wofi/style.css".text =
    let
      # adding it to the header doesn’t work since the defaults overwrite it
      commonConfig = /* ini */ ''
        background=${lib.substring 1 6 solarized.base3}
        border-bottom=${lib.substring 1 6 solarized.base2}
        border=${lib.substring 1 6 solarized.base2}
        button-background=${lib.substring 1 6 solarized.base3}
        button-text=${lib.substring 1 6 solarized.base00}
      '';
    in
      /* css */ ''
      window {
        margin: 0px;
        border: 3px solid ${solarized.base02.hex};
        border-radius: 8px;
        background-color: rgba(${solarized.base03.rgb},0.8);
      }
      #input {
        margin: 5px;
        border: none;
        color: ${solarized.base0.hex};
        background-color: rgba(${solarized.base02.rgb},0.8);
      }
      #inner-box {
        margin: 5px;
        border: none;
        background: none;
      }
      #outer-box {
        margin: 5px;
        border: none;
        background: none;
      }
      #scroll {
        margin: 0px;
        border: none;
      }
      #text {
        margin: 5px;
        border: none;
        color: ${solarized.base0.hex};
      }
      #entry:selected {
        background-color: rgba(${solarized.base02.rgb},0.8);
      }
      #entry:selected #text{
        color: ${solarized.green.hex};
      }
    '';
 }
--- a/home-manager/modules/sway/yubikey-touch-detector.nix
+++ b/home-manager/modules/sway/yubikey-touch-detector.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ nixosConfig, config, lib, pkgs, ... }:
 {
  systemd.user.services.yubikey-touch-detector = {
--- a/home-manager/modules/terraform.nix
+++ b/home-manager/modules/terraform.nix
@ -0,0 +1,11 @@
 { config, pkgs, ... }:
 {
  home.packages = with pkgs; [
    terraform
  ];
  home.sessionVariables = {
    TF_PLUGIN_CACHE_DIR = "$HOME/.local/share/terraform/plugins";
  };
 }
--- a/home-manager/modules/tmux.nix
+++ b/home-manager/modules/tmux.nix
@ -1,3 +1,4 @@
 { config, pkgs, ... }:
 {
  programs.tmux = {
    enable = true;
--- a/home-manager/modules/tor-browser.nix
+++ b/home-manager/modules/tor-browser.nix
--- a/home-manager/modules/vdirsyncer.nix
+++ b/home-manager/modules/vdirsyncer.nix
@ -45,6 +45,27 @@ let
    };
  };
  mkWebcalSection = { name, url ? null, urlCommand ? null }: assert url == null -> urlCommand != null; {
    "pair calendar_${name}" = {
      a = "calendar_${name}_local";
      b = "calendar_${name}_remote";
      collections = null;
    };
    "storage calendar_${name}_local" = {
      type = "filesystem";
      path = "${calendarBasePath}/${name}/";
      fileext = ".ics";
    };
    "storage calendar_${name}_remote" = {
      type = "http";
    } // (if urlCommand != null then {
      "url.fetch" = fetchCommand urlCommand;
    } else {
      inherit url;
    });
  };
 in
 {
  home.packages = with pkgs; [
--- a/home-manager/users/default.nix
+++ b/home-manager/users/default.nix
@ -0,0 +1,28 @@
 { lib, ... }:
 {
  options.jalr = {
    git = {
      user = {
        name = lib.mkOption {
          type = lib.types.str;
          description = "name to use for git commits";
        };
        email = lib.mkOption {
          type = lib.types.str;
          description = "email to use for git commits";
        };
      };
      signByDefault = lib.mkEnableOption "GPG sign commits per default";
    };
    gpg.defaultKey = lib.mkOption {
      type = lib.types.str;
      description = "default gpg key id";
    };
    terminalEmulator = lib.mkOption {
      type = lib.types.str;
      description = "default Terminal emulator name";
      default = "alacritty";
    };
  };
 }
--- a/home-manager/users/jal.nix
+++ b/home-manager/users/jal.nix
@ -0,0 +1,224 @@
 { config, lib, pkgs, ... }:
 let
  userName = "jal";
  vpn_routes = [
    "10.18.0.0/16" # OEE VPC
    "10.64.0.0/16" # CPS
    "10.158.128.0/23" # approval
    "10.158.224.0/20" # core production
    "10.158.240.0/20" # core development
    #"10.96.0.0/24" # CCS infrastructure
    #"10.96.8.0/24" # Boomi
    #"10.96.10.0/24" # Boomi (new)
    "10.96.0.0/16"
    "10.170.254.30/32" "10.170.254.40/32" # core DNS resolver
  ];
  vpnc-script = pkgs.writeShellScript "vpnc-script-tb" ''
    cisco_split_inc="$CISCO_SPLIT_INC"
    export CISCO_SPLIT_INC=0
    echo "DNS server sent by vpn: $INTERNAL_IP4_DNS"
    unset INTERNAL_IP4_DNS
    route_in_whitelist() {
        for route in ${builtins.toString vpn_routes}; do
            [ "$1" = "$route" ] && return 0
        done
        return 1
    }
    routes() {
      for i in $(seq 0 $((cisco_split_inc-1))); do
          addr_var="CISCO_SPLIT_INC_''${i}_ADDR"
          mask_var="CISCO_SPLIT_INC_''${i}_MASK"
          masklen_var="CISCO_SPLIT_INC_''${i}_MASKLEN"
          addr="''${!addr_var}"
          mask="''${!mask_var}"
          masklen="''${!masklen_var}"
          if route_in_whitelist "$addr/$masklen"; then
              case "$1" in
                  add)
                      if [ -n "$NETGW" ]; then
                          ip route add "$addr/$masklen" metric 100 dev "$TUNDEV" via "$NETGW"
                      else
                          ip route add "$addr/$masklen" metric 100 dev "$TUNDEV"
                      fi
                  ;;
                  remove)
                      ip route del "$addr/$masklen" dev "$TUNDEV"
                  ;;
              esac
              echo "allowing route '$addr/$masklen'"
          else
              echo "ignoring route '$addr/$masklen'"
          fi
      done
    }
    case "$reason" in
        pre-init|reconnect|attempt-reconnect)
            "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
        ;;
        connect)
            "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
            routes add
        ;;
        disconnect)
            routes remove
            "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
        ;;
        *)
            echo "reason '$reason' is not implemented" >&2
            exit 1
        ;;
    esac
  '';
  tradebyte-vpn = pkgs.writeShellScriptBin "tradebyte-vpn" ''
    [ $UID -ne 0 ] && exec sudo -- "$0" "$@"
    /run/wrappers/bin/sudo -u "$SUDO_USER" ${pkgs.pass}/bin/pass show zalando | openconnect \
      --protocol=pulse \
      -u jlechner \
      --passwd-on-stdin \
      -i pulse \
      --pfs \
      --disable-ipv6 \
      --script=${vpnc-script} \
      https://remote.tradebyte.org | grep -v '^> '
  '';
  aws_defaults = {
    sso = {
      start_url = "https://d-9967250383.awsapps.com/start";
      region = "eu-central-1";
      role_name = "AdministratorAccess";
    };
    region = "eu-central-1";
  };
 in
 {
  imports = [
    ./default.nix
  ];
  jalr = {
    git = {
      user = {
        name = "Jakob Lechner";
        email = "jal@tradebyte.biz";
      };
      signByDefault = false;
    };
    gpg.defaultKey = "FE170812543DF81393EA56BA5042B8317A10617E";
    aws = {
      enable = true;
      accounts = {
        ops_testing = {
          sso_account_id = 134848648016;
          sso_start_url = aws_defaults.sso.start_url;
          sso_region = aws_defaults.sso.region;
          sso_role_name = aws_defaults.sso.role_name;
          region = aws_defaults.region;
        };
        core-production = {
          sso_account_id = 455520445575;
          sso_start_url = aws_defaults.sso.start_url;
          sso_region = aws_defaults.sso.region;
          sso_role_name = aws_defaults.sso.role_name;
          region = aws_defaults.region;
        };
        tbmeta-production = {
          sso_account_id = 696695470425;
          sso_start_url = aws_defaults.sso.start_url;
          sso_region = aws_defaults.sso.region;
          sso_role_name = aws_defaults.sso.role_name;
          region = aws_defaults.region;
        };
        abnahme = {
          sso_account_id = 837645089494;
          sso_start_url = aws_defaults.sso.start_url;
          sso_region = aws_defaults.sso.region;
          sso_role_name = aws_defaults.sso.role_name;
          region = aws_defaults.region;
        };
        core-develop = {
          sso_account_id = 934000686307;
          sso_start_url = aws_defaults.sso.start_url;
          sso_region = aws_defaults.sso.region;
          sso_role_name = aws_defaults.sso.role_name;
          region = aws_defaults.region;
        };
        infrastructure = {
          sso_account_id = 994756397773;
          sso_start_url = aws_defaults.sso.start_url;
          sso_region = aws_defaults.sso.region;
          sso_role_name = aws_defaults.sso.role_name;
          region = aws_defaults.region;
        };
        tbmeta-development = {
          sso_account_id = 730951147261;
          sso_start_url = aws_defaults.sso.start_url;
          sso_region = aws_defaults.sso.region;
          sso_role_name = aws_defaults.sso.role_name;
          region = aws_defaults.region;
        };
      };
    };
  };
  users.users.${userName} = {
    isNormalUser = true;
    extraGroups = [
      "dialout"
      "podman"
      "libvirtd"
      "lp"
      "networkmanager"
      "scanner"
      "video"
      "wheel"
      "wireshark"
    ]; # Enable ‘sudo’ for the user.
    shell = pkgs.fish;
  };
  home-manager = {
    useUserPackages = true;
    useGlobalPkgs = true;
    users.${userName} = { lib, pkgs, ... }: {
      imports = [ ../modules ];
      config = {
        home.stateVersion = config.system.stateVersion;
        home.packages = with pkgs; [
          mycli
          timetrap
          tradebyte-vpn
          # common
          asciinema
          bat
          docker-compose
          envsubst
          exa
          gnupg
          nmap
          psutils
          pwgen
          tig
          vlc
          xdg_utils
        ];
      };
    };
  };
  security.sudo.extraRules = [{
    users = [ userName ];
    commands = [
      {
        command = "${tradebyte-vpn}/bin/tradebyte-vpn";
        options = [ "NOPASSWD" ];
      }
    ];
  }];
 }
--- a/home-manager/users/jalr.nix
+++ b/home-manager/users/jalr.nix
@ -0,0 +1,70 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./default.nix
  ];
  jalr = {
    git = {
      user = {
        name = "Jakob Lechner";
        email = "mail@jalr.de";
      };
      signByDefault = true;
    };
    gpg.defaultKey = "66FB54F6081375106EEBF651A222365EB448F934";
  };
  users.users.jalr = {
    isNormalUser = true;
    extraGroups = [
      "audio"
      "dialout"
      "docker"
      "libvirtd"
      "lp"
      "networkmanager"
      "scanner"
      "video"
      "wheel"
      "wireshark"
    ]; # Enable ‘sudo’ for the user.
    shell = pkgs.fish;
  };
  home-manager = {
    useUserPackages = true;
    useGlobalPkgs = true;
    users.jalr = { lib, pkgs, ... }: {
      imports = [ ../modules ];
      config = {
        home.stateVersion = if config.system.stateVersion == "22.11" then "22.05" else config.system.stateVersion;
        home.packages = with pkgs; [
          cutecom
          ghostscript
          newsboat
          pdftk
          platformio
          ptouch-print
          qrencode
          sshfs
          tmate
          # common
          asciinema
          bat
          docker-compose
          envsubst
          exa
          gnupg
          nmap
          psutils
          pwgen
          tig
        ];
      };
    };
  };
 }
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@ -1,18 +1,21 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:
 let
  iptablesAppendIfMissing = rule: "iptables -C " + rule + " || iptables -A " + rule;
  iptablesInsertIfMissing = rule: "iptables -C " + rule + " || iptables -I " + rule;
 in
 {
  imports = [
    ./hardware-configuration.nix
-    ../../users/jalr
+    ../../home-manager/users/jalr.nix
    ./services
    ./ports.nix
  ];
  networking.hostName = "aluminium";
  services.openssh.enable = true;
  security.sudo.wheelNeedsPassword = false;
  networking = {
    hostName = "aluminium";
    useDHCP = false;
    vlans = {
      lechner = {
@ -23,10 +26,6 @@
        id = 2;
        interface = "enp1s0";
      };
      iot = {
        id = 3;
        interface = "enp1s0";
      };
      pv = {
        id = 10;
        interface = "enp1s0";
@ -35,10 +34,6 @@
        id = 11;
        interface = "enp1s0";
      };
      sprechanlage = {
        id = 12;
        interface = "enp1s0";
      };
    };
    interfaces = {
      lechner.ipv4.addresses = [{
@ -49,21 +44,13 @@
        address = "192.168.1.1";
        prefixLength = 24;
      }];
      iot.ipv4.addresses = [{
        address = "192.168.2.1";
        prefixLength = 24;
      }];
      pv.ipv4.addresses = [{
        address = "192.168.10.1";
        prefixLength = 30;
      }];
      heizung.ipv4.addresses = [{
        address = "192.168.10.5";
-        prefixLength = 30;
+        prefixLength = 24;
      }];
      sprechanlage.ipv4.addresses = [{
        address = "192.168.10.9";
        prefixLength = 30;
      }];
      enp2s0.useDHCP = false;
    };
@ -75,22 +62,19 @@
        "voice"
      ];
    };
-    firewall.extraInputRules = ''
+    firewall = {
-      iifname "voice" udp dport 5059 accept
+      extraCommands = lib.concatStringsSep "\n" [
-      ip saddr 217.10.68.150 udp dport 5060 accept
+        (iptablesAppendIfMissing "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
-    '';
+        (iptablesInsertIfMissing "INPUT -i voice -p udp -m udp --dport 5060 -j ACCEPT")
-    nftables.tables.pppoe = {
+        (iptablesInsertIfMissing "INPUT -s 217.10.68.150 -p udp --dport 5060 -j ACCEPT")
-      family = "ip";
+      ];
      content = ''
        chain clamp {
          type filter hook forward priority mangle;
          oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu comment "clamp MSS to Path MTU"
        }
      '';
    };
  };
  sops.secrets.pap-secrets = {
    sopsFile = ./secrets.yaml;
  };
  environment.etc."ppp/pap-secrets".source = config.sops.secrets.pap-secrets.path;
  services.pppd = {
    enable = true;
@ -136,7 +120,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "22.05"; # Did you read the comment?
 }
--- a/hosts/aluminium/hardware-configuration.nix
+++ b/hosts/aluminium/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 {
  imports =
--- a/hosts/aluminium/ports.nix
+++ b/hosts/aluminium/ports.nix
@ -1,16 +1,7 @@
-{ custom-utils, ... }:
+{ lib, custom-utils, ... }:
-{
+custom-utils.validatePortAttrset {
-  config.networking.ports = custom-utils.validatePortAttrset {
+  asterisk-rtp = { udp.range = [ 10000 10200 ]; };
-    asterisk-rtp.udp = { from = 10000; to = 10200; };
+  unifi.tcp = 8443;
-    doorbell-audiosocket.tcp = 9092;
+  doorbell-audiosocket.tcp = 9092;
    doorbell-webrtc-ice.tcp = 8189;
    doorbell-webrtc.tcp = 8889;
    esphome.tcp = 6052;
    home-assistant.tcp = 8123;
    nginx-http.tcp = 80;
    nginx-https.tcp = 443;
    unifi-inform.tcp = 8080;
    unifi-ui.tcp = 8443;
  };
 }
--- a/hosts/aluminium/secrets.yaml
+++ b/hosts/aluminium/secrets.yaml
@ -4,7 +4,6 @@ myintercom-doorbell-password: ENC[AES256_GCM,data:waUUvHQ9BZFePQ==,iv:ev21SNOwzd
 asterisk-pjsip: ENC[AES256_GCM,data:PMgHCdo7K1a9/OitWdUonJ66gr70uwYgylCCWAO9cYOeXdPTIFuFLHlgBIUUxfln3UqhquTzoTluZJW9vaSuzZGe1kLIYrb1hRyrM0HLCCQc8m46jN898le/9ZrEivxonWkxf4FTfpENIf7iEr5KHh4vfd4tr4IbORTFdpcbsy8pd5eyvS8G2z9dynIWS19zqrzfGrW6yZICzAJz28IQCiiHgpN16bqSwlcPm1UdX+qi0+ZJ3TAr16Px1F9VFOXtEsu4EZvJSomecJDuhjo3QzBFffXDL971of8KX05BJgtpP6SzIZXKfSWaOxaguctdFr2tScvze0o3FXpDoOn0cvinOdYQt1P2TzjFnBZ4I3N1turpD4be9xJ92coV/j1hBsZHj2mWE/iCdsrzj2uP/74b4Mo1BJZ6l1gXFg3OgyDXaVoMxAOnutelCEG0lf78hsJXF56aQ1LVSUly6ugZP4rMiPFg5oa7WfrIsVVURUt7WRFrDLCYIQVynpfeUxHshPSB+/jVvYLqie5XeNt8B8mgTJYFo5hFB28sa1beqYEA27QMT3gRvWivqDnuf8soVi/r3WREfnSCBujhzXQF/uJZEwqVEn0OQo9ICfJ8hqtvDiAw6Hb4Wn+0maoYQeKjbPHeL3kr1SUE/kU913FNig4Yn66QKYevLLIkd3uQ0GqTLcgn4Ttwu3qArlXXxrI4US8yA7XGQUutVadN7ayyZBbYnw+vUTlPfhSO+ridK3huGKnQfcPAbD31L11EeQBe2820Nba9Bb4d5QAkiGsNj5y9tZ4Vl6l2JErO63fVPKQ9fPxD3yYyZpP8Hm1e7Wl1eRsNtoWqkTRtno7hIpAYFoMYTUk2x5U/qZOgtRX0JHufi6+GXvPPlBaQNfiGzNlJjdmtTT6MGLPRQjsASGi00pSjKd4psAj9Uf8rttsHhJHvIRDRsiNSjae+JGbVlyyauU1JL44Qf+U+MaJDjkLagNqUZ9xgNFmXzr7st6bRFYCJHkmQC8bgJsdpwRMz3HjNzrKZRvRhHIiwT3d+oyrd9hoSQl3JkxcrD7AfEThrBQL9BpGCDcfr5RzfNv8Fb08tR7rlIzyb6Rw3eKlY1obfZRRNTF+iYlBDz8LLI+BwWqJiefbHB2F9nOC0of5Eqm5gjn+MXSKuSIP5ltDsjfO+m6q7c+t7udKwnJVnePtOnuf4uQpKfxjpld4e8Y1N9hyuKSjqEy83UB4yXJb1OoUAOXENvdPhGFDghmSC+ZVcCZRBG2k6d6MdXY6AkdjUAteDQLsDNMwpW8a8RwOXlDoAtxu7yEYP51BrHu2spagNfXMWHThnkcuR/TvqAPmcPlzVjcX+tnuU0k+JK5e4eWc+diTcvo8fpeaKi7A4uyGWRaZsoaauxsK1dEwIgmAAYyWc0Hl+Z49/dLW8kgr/Qh9N5SRRk/SLk4GvS0uyYYClN7G/7LdMDUwWifr32oqXEINDh0NEyehEJ9dEQsIIH5gR3OdlEAuL1C7/Js3/ZCdBREXRYt4y5y4TAO/kMmGgv7Y/Z2XVD0klXVBMvVnil4LJ0H5KF+RZC4j/C6acRBdrPaI0nlE3bfAbmizQN9D7jOj5BkkRzBaYlMaBuFKRKUA6CUanhUWhIn3ZlF3Z+o4PGB2c7EFXZN+PzOSgkQYUD7KtVW/QV94mxkcqN9mKe6mAbj87neN1IHhEkNOj7KJQP60pqDjx6N+WYFpD3sYvDcJDg2WFumR8F2v+jHx09v5AB1r6AzhPJ3TCwnHN4e1+Nexxlb91iPcoSmLRF3Fimn7307260CtaA70hngWHSRaBcKTXi3WL1v9kKOou2kKs1GMy5bjREtqheBxZ1i4x56VtANF9lo9UT+97qxuAqk08Rc4z9j5M8cJK/d1syRT0z/uAuTWlRgxdE/Fj/OlDNr/SnZw9CLkQ0SVJAuJFFg9EY0ru3PC9PDNt9CJiVy0GoeK0mv7ZkTv2o456kdzMpJPBwpKLIO9tpZBbNZrMn1HpLJrfXIvmuVDFmm3EH6FVhGoI+4yB11Eo/2aEMzUOEtn55KNeESkoVel6GgYiwrg1ZlQS7XhdCTGyCOMbFTOLHgUe4vaUfPBNOyLaLWE3ZiyGCxVb+nBltcPSDHrNtbc2fuPqVom3Z1wfmako1BGcwRzbLdaUPwuu6eRa/KxppPh/PoYTttPxOArql25BWAVTI6BIhlvGgZgqDRwihHBGt1uyXjwv4ufES5zgxhMB8mNqVnCSkcLXXyvpmCiB5kEv5+V4nCJIXSNbmym+V9tEzGh+cx8up24IHrg6gG28fHfMcV7Z+JzN86jogr+sgH9wigrcYcDqTE9lHJhaZlmNraTl8viAwEXkPC/dnQuPSTX5V1qeRtKo1oFkf9xnPhdVLq51GoVU+MhQqZsbnqymgKnPWTQq3Kyiux5go/Li0BqfiV+Wwpn+f3WXJ21aMpU2FfIR26z2DULlJUYDKoewmklq8vzk5iZ/tywPFGR1G0z8IM5jwr+qz0uEccAtulCWsQjtvw0kGLnTsoB2WNL4x0Kti/cE14purKaE65wMrBoG/mxd6R7ZHE7u/Uo1MDAsgqsS8MomCqyxC/1yH9BdhpXc6VZJpborqWQjW/kK8/OBxWFjfQgwvDGeQkgv2ShV0c8U6DgnS545Im9aAxQGvu1sXMhnVNQZdZ2Ta3Gz7bTHqkxB4/X7KGHdGSmw5s/RQfo0BkBBBLLTc49pcmJTxG5LPkRebCM8ANX57qj3u/D9wYumFKclTglNdrjaxSdh3zTb1kEQ0rn/D4z7lVNUsw7srUUZeEadg3xTZSmSustbziXvp51juiJeyPjVY2AlmbVVxU0O245kbyWA8lHcEluo+dfk0Rr9hDNHz35NxQRCslPHiSKswxfuPcqyzlSiBMLsMWrJ5/RyQJgaO/XJ/x3R2o4h+MiHtUKj91epxAIpYD8JqQ4eaUkP6GJRNDSNLK3VNP69Qecc7b6AvV5udzt2up0lp7OuzEZeT88Vg8YcZvOv1UTxmkI6dem1xi4imJs+V4OZrcSt9ZTlc34rc6/lvVxVQZs/1vADB0ZVk3jp24KWuRWFGacJqUIxW8TbI8N1DtmZcf7sqoQU1QPRzkOa/UYmzWablAP4B5M5WOjyr3YSJGOzHxN+GSSs4K4jHUon+LbpKxHL5KJUSsD+kZFTfsDauFhAzpFDhR2wW/XYLr0iTvKQ6+26dIpW65P8Egv+n/CXQE0wuJ1R5z0M4FucpUo+FTUIcww8cfqfHqMlMeKEFeu8/QNdZ0uj06Q8/j6E/OUjpxTIVRQBs4qaLWxMZv3zulCUe9Czr6c28NhewIJlLUxOnCVDo5pT1OmzZPghurNyhTBFP8PfJrRXN1h2uvXfGP46dgt9jgeqqQqP9xlq+fzo9cyEZ/n4nQvY+CBuOW9Cqo41zNB0PQ3tC9SU477gQkDrg0M6/bAk+xsqVg1DpZOSuRUQnOfbTdZ1CXhESy+dcri9BeKKcTCZ6aenvW4W4J6OV8en3L4jPFsgqEWJUk1qr9ggM5NXc7RIrR0eCsiR9V1gi4HWMF1roTZ3wK9NvdATj3HWTGssfdpXht/vjedIp+InNWBWjnBfIf7XWuPgiB/ZW9uew8g8vDLULGVtww==,iv:bFKc8e+3rLAHje8UWwY2elof5xqceTTWX1f7nkE91nM=,tag:NWMiljj8urTDoka5bkF0jg==,type:str]
 asterisk-ari: ENC[AES256_GCM,data:HnY7d3BdScb0bmsBVlsTHAMv2k8tyyA/,iv:q+NsCHcGGOCe6gdAHbFfjKvO4dyWoW/xI5jtngJmdds=,tag:e8kuEsEokf5lAAgO/coxTQ==,type:str]
 asterisk-voicemail: ENC[AES256_GCM,data:uyXeBP+9WkfVot4Ot3vwv3OEZfoVDK2I+lvaPpGJTZp16YNtP+uxNiW2ynewQlORCTY59bP1jW3bQdT/ASGsErOrhInYSytTyfdZ51BF9+jz0TH6oWxsSuuawTrkC8jvJOpejt6XuGoYbbqlM/VL1xzgDkq3ztTxaHTfdTonQij2Q4cYddMRHWIEuBCK7FU2TlHAJeIFZvtE0MiyNNT3rEWSs1xcljTGfMjkoMd+FI1uZSQT4r0kAaPPkvCWcAGH6R+F0Ue++i9TuLhu+sDV+X6u3N/garDW74H0bOcLJysImtuPXh1aXuBkHQuC1Liss/IF4NDjtDDhpfc0eePR5MWv/Kj0q+VFJiUPY6XnWh6fG9I2yY22+I7eAAg/xWVZBXPWbFHRz8jm1owp4ln6/hcrJOw6Fzw8tZ6Jd9nciOeOmR1KtjEzklPP5kP1YQPtGio/LnOaAAhTHy16MbWf/Ey4S30+eHB+joD8OM93+YxxrdKNE6XXEcAhkdpHYecrvz4Co1fhY7ZoOnNvA8Juup/7PMyNEU/Fy4Pta34aT/j1s7de2vTpRNBeecWvgFA9Qd7Re/2XPqOAkpduxDniwsUdb52oL39MBoOCY8brmXn2J/mMDeOmoqvjRHsPZsajPTAqF/nqRB8VpwoZAKAx59DYBGgmHz7/7JRX9NXOAus1yLbMfVqDftk6+KTFQ9wCqei3jaI/K5AJrSEwlZG0BLoDefIGXT5f8bNNgSn865j2RP+FLa6W3/u5t+k=,iv:/phktIxMdDO5Nrum7hf3oLDmQO04lrkvFuHNw77aRks=,tag:7OUg0BG9X7nBHWiQNaSOEQ==,type:str]
 esphome: ENC[AES256_GCM,data:2pFVokO8YTyKa1F7EePo6wIS3y6prL8SSkxypWZkHl3Ye6Qg0eqZ4du/iwLIXQpJoc6R3uU7D6eIQEVOGbwqYp6+F0CW17F89k9c/VLHQHRpWbA20GgLr7X4fZ8xdbp7HCLpVxRsdzDz8aoARfV8Cn6T7Uo80ah1rMDnTj10WI+Yu6xVqVwPNWrSk9NUGKMK32M2slk=,iv:Xla0c4d9rxn06upy7GTbWBQ8pzl+gLnIw+Rf6hqQlhk=,tag:S+clc2ctuOA6lsInSFm93Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,25 +13,25 @@ sops:
        - recipient: age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZmNOcVlKNmZCdWN5NVBy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodUx5V25ETmJLTi9EZlRU
-            U3VRbXl3OUljWCtITXZCQTdrVkIxOEtDZHg4CktBNjVKRmVucjRpYXo3WXFWd1VV
+            ZnYweXliTDl4ZUlvcmliTjhQRkpzU0pkNXlZCjFtYU5ySWFxOGlNL29SR2RJZHNu
-            MFpGdWIvTmNHRlJ4akxUQkZzWUtXVUkKLS0tIGs3NlNXREVkT1Nta2prSXk4QkV0
+            UHJ4YWE4UWJVeEJBUXJwaHJBd292REkKLS0tIDV2WlppeUxIOWFPTHlRYTBaMzA0
-            NEtzRXY1Q1Njelc1YXNWVE9Jd2NnOFEKjOWHaxO5fF5l+c1Hv6QLBQajrvu1VimZ
+            MU41eU8zeTRRUlZyUXV0U1N6U0NRNnMKZK3vfyRRr7Iu6HfpdpmDTKzUbEnCnW9l
-            Hqk0GYrFpfpFtbhBRyrYgmNuX/qIRMHemdXcNKDYcj0WXgsdVqH7Qw==
+            rGjFmY9VX2q9w3j/4E5uUToQfeGMqqBTOFUB3hNgU8K5ZT7wMbOXAg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-17T20:41:27Z"
+    lastmodified: "2023-11-06T23:32:51Z"
-    mac: ENC[AES256_GCM,data:f7RdcXpu9CGSZpIF8rwuIkn97EWRxJXxoC7KKbkZg4yxSxZJR/S5UXzEC56eY73IdBHap4op3l+cO7pT7p1rkspHQPH/5D225ihVQ8PQ29u2nlyyrrebB5tM1Mt+rJRlizBPxDDKySJYgdqZCWUwB8f5hQudpb0CGra7NfQreRg=,iv:vwpVqib7fyuV83FiyMT4BOeuqyrcspFyieQGWyZZzcU=,tag:zuJVSA2WqzSvM4MBWrdRlQ==,type:str]
+    mac: ENC[AES256_GCM,data:7lW6i4ULus4348NwnV/ovcWebspBcEBzYqLtl+8xFOfe3erIFnC3iRo0ibZJ8yishZpIUxoVu08yxQoa1qEriC57WETMaR+iGUPaY75tHraBJGY26Etk7Hy2QhQ7D+srBY+CogHhHAD8HUwT4/ZiPqKe1eQAvNg/6HWnjbQkG/Q=,iv:r43odkYgQsyK5uJJ5V98kTx7enP7TRuFoTnYfHmD/8o=,tag:hR+1zCniHs1l3qSkhQhtFw==,type:str]
    pgp:
-        - created_at: "2024-01-31T01:19:14Z"
+        - created_at: "2022-11-02T22:14:19Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DY/xpNY5WhB0SAQdAkeQx8NatnRtZUJa/G0zaw+NL5twonTayNH8mmNBXOWgw
+            wV4D3ylLYNOsO+0SAQdASri/Ozm8ibaE1PN8ItRanuAGU4jRQL1g4U8GbsiXWzcw
-            EWaC9Yq6yWntxxfkVaJHN5BEzxVVumrKmpKSIkvCkJqFZ5SuYH/DyE9oZZSr7iC/
+            u7trrk6foY98pfVAP4Z78X4Dp79UagorlDCT6F6yWtfFODFdTVJdbzJsD5QtZ1vK
-            0l4BTKZ8SdxQL8usQPSQVbs9skr7KsYfhtjTeTi823RwZLD1+wZKwqe43AJTE0Hl
+            0lEBMmTyLDw4lzTpedDhvgkWpNd33TC3WgAfRb/2LCSPmoVp83O7ja6BfuBQDkWY
-            b2jIihfXa7wKTfi9jXI/mpxLRpGH8kZnPoQuldkz1zWIU14YKoTKq55My8qwR4uW
+            gP7g815fKYigaihDH8HlNzvRoOOcGC9+6lyQkHTJyRjKsrg=
-            =RazZ
+            =WfhH
            -----END PGP MESSAGE-----
-          fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+          fp: 66FB54F6081375106EEBF651A222365EB448F934
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3
--- a/hosts/aluminium/services/asterisk/default.nix
+++ b/hosts/aluminium/services/asterisk/default.nix
@ -1,15 +1,33 @@
-{ config, lib, pkgs, ... }:
+args@{ config, lib, pkgs, custom-utils, ... }:
 let
-  inherit (config.networking) ports;
+  ports = import ../../ports.nix args;
  secretConfigFiles = [
    "ari"
    "pjsip"
    "voicemail"
  ];
  rtp = {
    start = builtins.elemAt ports.asterisk-rtp.udp.range 0;
    end = builtins.elemAt ports.asterisk-rtp.udp.range 1;
  };
  voicemail-sounds = pkgs.callPackage ./voicemail-sounds { };
-in
+in {
-{
+  systemd.services.asterisk-voicemail-sounds = {
    wantedBy = ["asterisk.service"];
    after = ["asterisk.service"];
    script = ''
      ln -sfn \
        ${voicemail-sounds}/unavail.wav \
        /var/spool/asterisk/voicemail/lechner/876/unavail.wav
    '';
    restartTriggers = [voicemail-sounds];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
  };
  services.asterisk = {
    enable = true;
    confFiles = {
@ -120,7 +138,7 @@ in
      '';
      "features.conf" = ''
        [applicationmap]
-        doorOpen => 1,peer,Gosub,"door-open,s,1"
+        doorOpen => #9,peer,Gosub,"door-open,s,1"
      '';
      "http.conf" = ''
        [general]
@ -138,8 +156,8 @@ in
      '';
      "rtp.conf" = ''
        [general]
-        rtpstart=${toString ports.asterisk-rtp.udp.from}
+        rtpstart=${toString rtp.start}
-        rtpend=${toString ports.asterisk-rtp.udp.to}
+        rtpend=${toString rtp.end}
      '';
      "dnsmgr.conf" = ''
        [general]
@ -150,11 +168,12 @@ in
    useTheseDefaultConfFiles = [ ];
  };
-  sops.secrets = lib.listToAttrs (map
+  sops.secrets = (lib.listToAttrs (map
    (name: lib.nameValuePair "asterisk-${name}" {
      sopsFile = ../../secrets.yaml;
      owner = config.users.users.asterisk.name;
    })
-    secretConfigFiles);
+    secretConfigFiles));
  environment.etc = lib.mapAttrs'
    (name: _: lib.nameValuePair
      "asterisk/${name}.conf"
@ -162,106 +181,92 @@ in
    (lib.listToAttrs (map (name: lib.nameValuePair name { }) secretConfigFiles));
  networking.firewall = {
-    allowedUDPPortRanges = lib.singleton ports.asterisk-rtp.udp;
+    allowedUDPPortRanges = [
-    interfaces.voice = {
+      {
-      allowedTCPPorts = [ 5060 ];
+        from = rtp.start;
-      allowedUDPPorts = [ 5060 ];
+        to = rtp.end;
      }
    ];
  };
  systemd.services."asterisk-reload-endpoint@" = {
    description = "Check if asterisk endpoint is identified and reload it when it is not.";
    serviceConfig = {
      Type = "oneshot";
    };
    environment = {
      ENDPOINT = "%I";
    };
    script = ''
      export PATH=${pkgs.lib.makeBinPath [pkgs.asterisk pkgs.gnused pkgs.gnugrep]}
      if ! asterisk -r -x "pjsip show endpoint $ENDPOINT" | sed -n '/^===/,/^\s*ParameterName/{//!p}' | grep -q 'Identify:'; then
          asterisk -r -x "module reload res_pjsip_endpoint_identifier_ip.so"
      fi
    '';
  };
  systemd.timers.asterisk-reload-endpoint = {
    description = "Check if asterisk endpoint is identified and reload it when it is not.";
    after = [ "asterisk.service" ];
    wantedBy = [ "timers.target" ];
    timerConfig = {
      Persistent = true;
      OnCalendar = "*-*-* *:*:00";
      Unit = "asterisk-reload-endpoint@sipgate.service";
    };
  };
-  systemd.services = {
+  systemd.services."asterisk-voicemail-call@" = {
-    "asterisk-reload-endpoint@" = {
+    description = "Check if voicemail exists and place a call to the voicemail application.";
-      description = "Check if asterisk endpoint is identified and reload it when it is not.";
+    serviceConfig = {
-      serviceConfig = {
+      Type = "oneshot";
        Type = "oneshot";
      };
      environment = {
        ENDPOINT = "%I";
      };
      script = ''
        export PATH=${pkgs.lib.makeBinPath [pkgs.asterisk pkgs.gnused pkgs.gnugrep]}
        if ! asterisk -r -x "pjsip show endpoint $ENDPOINT" | sed -n '/^===/,/^\s*ParameterName/{//!p}' | grep -q 'Identify:'; then
            asterisk -r -x "module reload res_pjsip_endpoint_identifier_ip.so"
        fi
      '';
    };
-    asterisk-voicemail-sounds = {
+    scriptArgs = "%I";
-      wantedBy = [ "asterisk.service" ];
+    script = ''
-      after = [ "asterisk.service" ];
+      export PATH=${pkgs.lib.makeBinPath [pkgs.asterisk pkgs.coreutils pkgs.findutils]}
-      script = ''
+      number="$(echo "$1" | cut -d ':' -f 1)"
-        ln -sfn \
+      user="$(echo "$1" | cut -d ':' -f 2)"
-          ${voicemail-sounds}/unavail.wav \
+      channel="PJSIP/$(echo "$1" | cut -d ':' -f 3)"
-          /var/spool/asterisk/voicemail/lechner/876/unavail.wav
+
-      '';
+      if ! find "/var/spool/asterisk/voicemail/$user/$number/INBOX/" -mindepth 1 -maxdepth 1 | read; then
-      restartTriggers = [ voicemail-sounds ];
+          exit
-      serviceConfig = {
+      fi
-        Type = "oneshot";
+
-        RemainAfterExit = true;
+      callfile="$(mktemp -p /tmp XXXXXXXXXX.call)"
-      };
+      chmod 644 "$callfile"
      cat > "$callfile" << EOF
      Channel: $channel
      WaitTime: 15
      Application: VoiceMailMain
      Data: $number@$user
      CallerID: Voicemail
      EOF
      mv "$callfile" /var/spool/asterisk/outgoing/
    '';
  };
  systemd.timers.asterisk-voicemail-call-10 = {
    description = "Check if voicemail exists and place a call to the voicemail application.";
    after = [ "asterisk.service" ];
    wantedBy = [ "timers.target" ];
    timerConfig = {
      Persistent = true;
      OnCalendar = "*-*-* 07..22:00,20,40:00";
      Unit = "asterisk-voicemail-call@876:lechner:10.service";
    };
-    "asterisk-voicemail-call@" = {
+  };
-      description = "Check if voicemail exists and place a call to the voicemail application.";
+  systemd.timers.asterisk-voicemail-call-11 = {
-      serviceConfig = {
+    description = "Check if voicemail exists and place a call to the voicemail application.";
-        Type = "oneshot";
+    after = [ "asterisk.service" ];
-      };
+    wantedBy = [ "timers.target" ];
-      scriptArgs = "%I";
+    timerConfig = {
-      script = ''
+      Persistent = true;
-        export PATH=${pkgs.lib.makeBinPath [pkgs.asterisk pkgs.coreutils pkgs.findutils]}
+      OnCalendar = "*-*-* 07..22:00,10,30:50";
-        number="$(echo "$1" | cut -d ':' -f 1)"
+      Unit = "asterisk-voicemail-call@876:lechner:11.service";
        user="$(echo "$1" | cut -d ':' -f 2)"
        channel="PJSIP/$(echo "$1" | cut -d ':' -f 3)"
        if ! find "/var/spool/asterisk/voicemail/$user/$number/INBOX/" -mindepth 1 -maxdepth 1 | read; then
            exit
        fi
        callfile="$(mktemp -p /tmp XXXXXXXXXX.call)"
        chmod 644 "$callfile"
        cat > "$callfile" << EOF
        Channel: $channel
        WaitTime: 15
        Application: VoiceMailMain
        Data: $number@$user
        CallerID: Voicemail
        EOF
        mv "$callfile" /var/spool/asterisk/outgoing/
      '';
    };
  };
-  systemd.timers = {
+  #voicemailCallScript
    asterisk-reload-endpoint = {
      description = "Check if asterisk endpoint is identified and reload it when it is not.";
      after = [ "asterisk.service" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        Persistent = true;
        OnCalendar = "*-*-* *:*:00";
        Unit = "asterisk-reload-endpoint@sipgate.service";
      };
    };
    asterisk-voicemail-call-10 = {
      description = "Check if voicemail exists and place a call to the voicemail application.";
      after = [ "asterisk.service" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        Persistent = true;
        OnCalendar = "*-*-* 07..22:00,20,40:00";
        Unit = "asterisk-voicemail-call@876:lechner:10.service";
      };
    };
    asterisk-voicemail-call-11 = {
      description = "Check if voicemail exists and place a call to the voicemail application.";
      after = [ "asterisk.service" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        Persistent = true;
        OnCalendar = "*-*-* 07..22:00,10,30:50";
        Unit = "asterisk-voicemail-call@876:lechner:11.service";
      };
    };
  };
 }
--- a/hosts/aluminium/services/asterisk/voicemail-sounds/default.nix
+++ b/hosts/aluminium/services/asterisk/voicemail-sounds/default.nix
@ -1,4 +1,4 @@
-{ stdenvNoCC }:
+{ lib, stdenvNoCC }:
 stdenvNoCC.mkDerivation {
  name = "voicemail-sounds";
--- a/hosts/aluminium/services/default.nix
+++ b/hosts/aluminium/services/default.nix
@ -4,10 +4,6 @@
    ./dnsmasq.nix
    ./doorbell.nix
    ./dyndns.nix
    ./esphome
    ./home-assistant.nix
    ./nginx.nix
    ./ntp.nix
    ./unifi-controller.nix
  ];
 }
--- a/hosts/aluminium/services/dnsmasq.nix
+++ b/hosts/aluminium/services/dnsmasq.nix
@ -1,5 +1,8 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 let
  stateDir = "/var/lib/dnsmasq";
 in
 {
  services.dnsmasq = {
    enable = true;
@ -7,23 +10,13 @@
      listen-address = [
        "192.168.0.1"
        "192.168.1.1"
        "192.168.2.1"
        "192.168.10.9"
      ];
      interface = "lo";
      expand-hosts = true;
-      domain = [
+      domain = "lan.kbh.jalr.de";
        "lan.kbh.jalr.de"
        "iot.kbh.jalr.de,192.168.2.0/24"
      ];
      dhcp-range = [
        "192.168.0.20,192.168.0.254,4h"
        "192.168.1.20,192.168.1.254,4h"
        "192.168.2.20,192.168.2.254,4h"
        "192.168.10.8,static,24h"
      ];
      dhcp-host = [
        "AC:CC:8E:40:1C:B9,192.168.10.10,sprechanlage,infinite"
      ];
      cache-size = 10000;
      dns-forward-max = 1000;
@ -36,24 +29,11 @@
        "2001:470:20::2" # ordns.he.net
        "74.82.42.42" # ordns.he.net
      ];
      dhcp-option = [
        "option:ntp-server,192.168.0.1"
      ];
    };
  };
-  networking.firewall.interfaces = lib.attrsets.genAttrs [
+  networking.firewall = {
-    "heizung"
+    allowedUDPPorts = [ 53 67 ];
-    "iot"
+    allowedTCPPorts = [ 53 ];
-    "lechner"
+  };
    "pv"
    "sprechanlage"
    "voice"
  ]
    (
      _: {
        allowedUDPPorts = [ 53 67 ];
        allowedTCPPorts = [ 53 ];
      }
    );
 }
--- a/hosts/aluminium/services/doorbell.nix
+++ b/hosts/aluminium/services/doorbell.nix
@ -1,13 +1,16 @@
-{ config, ... }:
+args@{ config, lib, pkgs, custom-utils, ... }:
 let
-  inherit (config.networking) ports;
+  ports = import ../ports.nix args;
 in
 {
-  sops.secrets.myintercom-doorbell-password.owner = "asterisk";
+  sops.secrets.myintercom-doorbell-password = {
    sopsFile = ../secrets.yaml;
    owner = "asterisk";
  };
  services.myintercom-doorbell = {
    enable = true;
-    host = "sprechanlage.lan.kbh.jalr.de";
+    host = "192.168.0.74";
    username = "btxpvt0002";
    passwordFile = config.sops.secrets.myintercom-doorbell-password.path;
    audiosocket = {
@ -16,15 +19,5 @@ in
      uuid = "4960ab41-dbef-4773-a25e-90536d97345e";
    };
    callerId = "Sprechanlage";
    cam = {
      enable = true;
      bindAddress = "192.168.0.1";
      webrtcPort = ports.doorbell-webrtc.tcp;
      webrtcIceTcpPort = ports.doorbell-webrtc-ice.tcp;
    };
  };
  networking.firewall.interfaces.lechner.allowedTCPPorts = [
    ports.doorbell-webrtc.tcp
    ports.doorbell-webrtc-ice.tcp
  ];
 }
--- a/hosts/aluminium/services/dyndns.nix
+++ b/hosts/aluminium/services/dyndns.nix
@ -1,42 +1,16 @@
-{ config, lib, pkgs, ... }:
+{ config, ... }:
 let
  mkService = config:
    lib.mapAttrs'
      (name: cfg: lib.nameValuePair "godns-${name}" (
        let
          config = cfg.settings // {
            login_token_file = "$CREDENTIALS_DIRECTORY/login_token";
          };
          configFile = (pkgs.formats.yaml { }).generate "config.yaml" config;
        in
        {
          description = "GoDNS service";
          wantedBy = [ "multi-user.target" ];
          after = [ "network.target" ];
          serviceConfig = {
            DynamicUser = true;
            ExecStart = "${lib.getExe pkgs.godns} -c ${configFile}";
            LoadCredential = "login_token:${cfg.tokenPath}";
            Restart = "always";
            RestartSec = "2s";
          };
        }
      ))
      config;
 in
 {
-  systemd.services = mkService {
+  sops.secrets.duckdns-secret = {
-    ip4 = {
+    sopsFile = ../secrets.yaml;
-      tokenPath = config.sops.secrets.duckdns-secret.path;
+  };
-      settings = {
+  services.ddclient = {
-        provider = "DuckDNS";
+    enable = true;
-        domains = [{ domain_name = "www.duckdns.org"; sub_domains = [ "jalr-k" ]; }];
+    interval = "1min";
-        resolver = "8.8.8.8";
+    protocol = "duckdns";
-        ip_interface = "ppp0";
+    server = "www.duckdns.org";
-        ip_urls = [ "" ];
+    username = "nouser";
-        ip_type = "IPv4";
+    passwordFile = config.sops.secrets.duckdns-secret.path;
-        interval = 60;
+    domains = [ "jalr-k" ];
-      };
+    ipv6 = false;
    };
  };
 }
--- a/hosts/aluminium/services/esphome/default.nix
+++ b/hosts/aluminium/services/esphome/default.nix
@ -1,25 +0,0 @@
 { pkgs
 , config
 , ...
 }:
 let
  inherit (config.networking) ports;
 in
 {
  sops.secrets.esphome.restartUnits = [ config.systemd.services.esphome.name ];
  jalr.esphome = {
    enable = true;
    port = ports.esphome.tcp;
    secretsFile = config.sops.secrets.esphome.path;
    configDir = pkgs.stdenvNoCC.mkDerivation {
      name = "esphome-config";
      src = ./devices;
      dontBuild = true;
      installPhase = ''
        mkdir $out
        cp -r * $out
      '';
    };
  };
 }
--- a/hosts/aluminium/services/esphome/devices/.env
+++ b/hosts/aluminium/services/esphome/devices/.env
@ -1,2 +0,0 @@
 ESPHOME_HOST="jalr-k.duckdns.org"
 ESPHOME_SECRETS_FILE="esphome_${ESPHOME_HOST}_secrets.yaml"
--- a/hosts/aluminium/services/esphome/devices/.gitignore
+++ b/hosts/aluminium/services/esphome/devices/.gitignore
@ -1,5 +0,0 @@
 # Gitignore settings for ESPHome
 # This is an example and may include too much for your use-case.
 # You can modify this file to suit your needs.
 /.esphome/
 /secrets.yaml
--- a/hosts/aluminium/services/esphome/devices/justfile
+++ b/hosts/aluminium/services/esphome/devices/justfile
@ -1 +0,0 @@
 ../../../../../modules/esphome/devices/justfile
--- a/hosts/aluminium/services/esphome/devices/wasserbett.yaml
+++ b/hosts/aluminium/services/esphome/devices/wasserbett.yaml
@ -1,64 +0,0 @@
 esphome:
  name: "waterbed"
  friendly_name: "Wasserbett"
 esp8266:
  board: d1_mini
  framework:
    version: recommended
 logger:
 api:
  encryption:
    key: !secret apikey_waterbed
 ota:
  - platform: esphome
    password: !secret otapass_waterbed
 wifi:
  ssid: !secret wifi_ssid_kbh
  password: !secret wifi_password_kbh
  domain: .iot.kbh.jalr.de
  enable_on_boot: true
  fast_connect: true
 switch:
  - platform: gpio
    pin:
      number: 13
    id: pump
    icon: "mdi:electric-switch"
 dallas:
  - pin: 12
 sensor:
  - platform: dallas
    #address: 0xb7000802397ccc10
    index: 0
    name: "Temperatur"
    id: temperature_waterbed
 climate:
 - platform: thermostat
   name: "Temperatur"
   id: temperature
   sensor: temperature_waterbed
   heat_deadband: 0.2
   heat_overrun: 0.2
   min_heating_off_time: 300s
   min_heating_run_time: 300s
   min_idle_time: 30s
   heat_action:
     - switch.turn_on: pump
   idle_action:
     - switch.turn_off: pump
   default_preset: heizen
   on_boot_restore_from: memory
   preset:
     - name: heizen
       default_target_temperature_low: 28.5 °C
     - name: abwesend
       default_target_temperature_low: 24 °C
--- a/hosts/aluminium/services/home-assistant.nix
+++ b/hosts/aluminium/services/home-assistant.nix
@ -1,141 +0,0 @@
 { pkgs, config, ... }:
 let
  inherit (config.networking) ports;
 in
 {
  services.home-assistant = {
    enable = true;
    lovelaceConfig = {
      title = "Home";
      views = [
        {
          path = "default_view";
          title = "Home";
          cards = [
            {
              title = "Heizung";
              type = "entities";
              entities = [
                { entity = "sensor.guntamaticbiostar_betrieb"; }
                { entity = "sensor.guntamaticbiostar_pufferladung"; }
                { entity = "sensor.guntamaticbiostar_puffer_oben"; }
                { entity = "sensor.guntamaticbiostar_puffer_unten"; }
                { entity = "sensor.guntamaticbiostar_kesseltemperatur"; }
                { entity = "sensor.guntamaticbiostar_vorlauf_ist_1"; }
                { entity = "sensor.guntamaticbiostar_aussentemperatur"; }
                { entity = "sensor.guntamaticbiostar_co2_gehalt"; }
                { entity = "select.guntamaticbiostar_program"; }
                { entity = "sensor.guntamaticbiostar_programm"; }
                { entity = "sensor.guntamaticbiostar_programm_hk1"; }
                { entity = "sensor.guntamaticbiostar_rucklauftemperatur"; }
                { entity = "sensor.guntamaticbiostar_servicezeit"; }
              ];
            }
            {
              type = "grid";
              square = false;
              columns = 1;
              cards = [
                {
                  title = "Wasserbett";
                  type = "entities";
                  entities = [
                    {
                      entity = "sensor.waterbed_temperatur";
                      name = "Temperatur";
                    }
                  ];
                }
                {
                  type = "thermostat";
                  entity = "climate.waterbed_temperatur";
                }
              ];
            }
          ];
        }
      ];
    };
    extraComponents = [
      # See https://www.home-assistant.io/integrations
      "esphome"
      "openweathermap"
    ];
    customComponents = [
      # https://github.com/a529987659852/GuntamaticBiostar
      pkgs.home-assistant-custom-components.guntamatic
    ];
    lovelaceConfigWritable = false;
    configWritable = false;
    config = {
      http = {
        server_host = [ "127.0.0.1" ];
        server_port = ports.home-assistant.tcp;
        use_x_forwarded_for = true;
        trusted_proxies = [ "127.0.0.1" ];
      };
      homeassistant = {
        unit_system = "metric";
        time_zone = "Europe/Berlin";
        temperature_unit = "C";
        inherit (config.location) longitude;
        inherit (config.location) latitude;
      };
      default_config = { };
      "automation nix" = [
        {
          alias = "Nachschüren";
          description = "Benachrichtigung auf iPad bei Wechsel auf Teillast";
          mode = "single";
          trigger = [
            {
              platform = "state";
              entity_id = [ "sensor.guntamaticbiostar_betrieb" ];
              from = "VOLLLAST";
              to = "TEILLAST";
            }
          ];
          condition = [
            {
              condition = "numeric_state";
              entity_id = "sensor.guntamaticbiostar_pufferladung";
              below = "80";
            }
          ];
          action = [
            {
              device_id = "5612874405fa2ee539ad4518a1bb8e34";
              domain = "mobile_app";
              type = "notify";
              message = ''
                Kessel läuft auf Teillast und Puffer ist unter 80%. Vielleicht willst du
                nachschüren.
              '';
              title = "Nachschüren?";
            }
          ];
        }
      ];
      "automation ui" = "!include automations.yaml";
      "scene nix" = [
      ];
      "scene ui" = "!include scenes.yaml";
    };
  };
  systemd.tmpfiles.rules = [
    "f ${config.services.home-assistant.configDir}/automations.yaml 0755 hass hass"
    "f ${config.services.home-assistant.configDir}/scenes.yaml 0755 hass hass"
  ];
  services.nginx.virtualHosts."hass.kbh.jalr.de" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString ports.home-assistant.tcp}/";
      recommendedProxySettings = true;
      proxyWebsockets = true;
    };
  };
 }
--- a/hosts/aluminium/services/nginx.nix
+++ b/hosts/aluminium/services/nginx.nix
@ -1,20 +0,0 @@
 { config, ... }:
 let
  inherit (config.networking) ports;
 in
 {
  services.nginx = {
    enable = true;
    defaultHTTPListenPort = ports.nginx-http.tcp;
    defaultSSLListenPort = ports.nginx-https.tcp;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
 }
--- a/hosts/aluminium/services/ntp.nix
+++ b/hosts/aluminium/services/ntp.nix
@ -1,12 +0,0 @@
 {
  services.chrony = {
    enable = true;
    extraConfig = ''
      allow 192.168.0.0/24
      allow 192.168.10.0/24
      leapsectz right/UTC
    '';
  };
  networking.firewall.interfaces.lechner.allowedUDPPorts = [ 123 ];
  networking.firewall.interfaces.heizung.allowedUDPPorts = [ 123 ];
 }
--- a/hosts/aluminium/services/unifi-controller.nix
+++ b/hosts/aluminium/services/unifi-controller.nix
@ -1,16 +1,13 @@
-{ config, pkgs, ... }:
+args@{ pkgs, custom-utils, ... }:
 let
-  inherit (config.networking) ports;
+  ports = import ../ports.nix args;
 in
 {
  services.unifi = {
    enable = true;
    openFirewall = true;
    unifiPackage = pkgs.unifi;
    mongodbPackage = pkgs.mongodb-7_0;
  };
-  networking.firewall.interfaces.lechner.allowedTCPPorts = [
+  networking.firewall.allowedTCPPorts = [ ports.unifi.tcp ];
    ports.unifi-inform.tcp
    ports.unifi-ui.tcp
  ];
 }
--- a/hosts/cadmium/configuration.nix
+++ b/hosts/cadmium/configuration.nix
@ -1,13 +1,16 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
-    ../../users/jalr
+    ../../home-manager/users/jalr.nix
  ];
  networking = {
    hostName = "cadmium";
    networkmanager = {
      enable = true;
    };
    useDHCP = false;
    firewall = {
@ -47,11 +50,9 @@
    bootloader = "systemd-boot";
    bluetooth.enable = true;
    uefi.enable = true;
-    gui = {
+    gui.enable = true;
      enable = true;
      sway.enable = true;
    };
    workstation.enable = true;
    sdr.enable = true;
    libvirt.enable = true;
    autologin.enable = true;
    autologin.username = "jalr";
@ -63,6 +64,6 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "22.05"; # Did you read the comment?
 }
--- a/hosts/copper/configuration.nix
+++ b/hosts/copper/configuration.nix
@ -1,77 +0,0 @@
 { lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disko.nix
    ../../users/jalr
    ./services
    ./framework-fixes.nix
  ];
  networking = {
    hostName = "copper";
    extraHosts = lib.concatStringsSep "\n" (
      lib.attrsets.mapAttrsToList
        (addr: hosts:
          lib.concatStringsSep " " ([ addr ] ++ hosts)
        )
        {
          #"192.0.2.1" = ["example.com"];
        }
    );
    firewall.interfaces.virbr0.allowedTCPPorts = [ 53 64172 ];
    firewall.interfaces.virbr0.allowedUDPPorts = [ 53 67 69 4011 ];
  };
  zramSwap = {
    enable = true;
    algorithm = "zstd";
    memoryPercent = 60;
    priority = 1;
  };
  services = {
    fstrim.enable = true;
    flatpak.enable = true;
    snapper.configs = {
      home = {
        SUBVOLUME = "/home";
        ALLOW_USERS = [ "jalr" ];
        TIMELINE_CREATE = true;
        TIMELINE_CLEANUP = true;
        TIMELINE_LIMIT_HOURLY = 12;
        TIMELINE_LIMIT_DAILY = 7;
        TIMELINE_LIMIT_WEEKLY = 4;
        TIMELINE_LIMIT_MONTHLY = 3;
        TIMELINE_LIMIT_YEARLY = 0;
        BACKGROUND_COMPARISON = "yes";
        NUMBER_CLEANUP = "no";
        NUMBER_MIN_AGE = "1800";
        NUMBER_LIMIT = "100";
        NUMBER_LIMIT_IMPORTANT = "10";
        EMPTY_PRE_POST_CLEANUP = "yes";
        EMPTY_PRE_POST_MIN_AGE = "1800";
      };
    };
  };
  jalr = {
    bootloader = "lanzaboote";
    bluetooth.enable = true;
    uefi.enable = true;
    gui = {
      enable = true;
      sway.enable = true;
    };
    workstation.enable = true;
    libvirt.enable = true;
    autologin = {
      enable = true;
      username = "jalr";
    };
  };
  system.stateVersion = "24.05";
 }
--- a/hosts/copper/disko.nix
+++ b/hosts/copper/disko.nix
@ -1,59 +0,0 @@
 {
  disko.devices = {
    disk = {
      nvme = {
        type = "disk";
        device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_2TB_S7DNNJ0X235226N";
        content = {
          type = "gpt";
          partitions = {
            esp = {
              type = "EF00";
              size = "1024M";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
              };
            };
            luks = {
              size = "100%";
              content = {
                type = "luks";
                name = "copper-crypt";
                settings = {
                  allowDiscards = true;
                };
                extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ];
                content = {
                  type = "btrfs";
                  extraArgs = [ "-f" ];
                  subvolumes = {
                    "/root" = {
                      mountpoint = "/";
                      mountOptions = [ "compress-force=zstd:1" "noatime" ];
                    };
                    "/home" = {
                      mountpoint = "/home";
                      mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
                    };
                    "/home/.snapshots" = {
                      mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
                    };
                    "/nix" = {
                      mountpoint = "/nix";
                      mountOptions = [ "compress-force=zstd:1" "noatime" "noatime" "nodev" ];
                    };
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/copper/framework-fixes.nix
+++ b/hosts/copper/framework-fixes.nix
@ -1,14 +0,0 @@
 { pkgs, ... }:
 {
  boot.extraModprobeConfig = ''
    options cfg80211 ieee80211_regdom="DE"
    options mt7921_common disable_clc=1
    options mt7921e disable_aspm=Y
  '';
  hardware.firmware = [ pkgs.wireless-regdb ];
  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="pci", ATTR{power/wakeup}="disabled"
  '';
 }
--- a/hosts/copper/hardware-configuration.nix
+++ b/hosts/copper/hardware-configuration.nix
@ -1,18 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd = {
    availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  environment.systemPackages = with pkgs; [
    fw-ectool
  ];
 }
--- a/hosts/copper/secrets.yaml
+++ b/hosts/copper/secrets.yaml
@ -1,32 +0,0 @@
 ntfy_shiftphone: ENC[AES256_GCM,data:WG/LlELNgEh2BiyrOYLDvYk3AlObSvUYUH8v3Cq9oHOhN1+Iwg==,iv:MVwLBIQjY8Z31V9mXf7Ge/jGb9S7ceLFx2TffcsO+o4=,tag:skeQbBPLYH8D4CPDorJ0fQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1rrut5ntrkqmvttvmpa5jcmjhr2pfpyaqgu9dmtx6v07lgjxx5ppsl7e5v3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbXFqbHJFM0xxL284dWZD
            TDkzcGVSRGorRWQvV3h3dkJ6UjNOeUxVcGdRCk5jTkZDeVFORVVWdm1vZm5XUHdk
            S0ZBTEdEeDgramZNZm5xK3RkVkkxSDgKLS0tIFZ6dysvVm1YNlJzOVFXZXhrdXBE
            dU0reGFSUmRxb0ZlUHgyYlpjU0FOQUEKuOMKvkZcynBGyMHmAYmz13Jy32YKyVK0
            ztCWcXbl9qCe6KtI0yW+t8DLk/PaRrmSrB+2ICTMFqPh7HiBoX+KgQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-12T20:36:21Z"
    mac: ENC[AES256_GCM,data:BpwQmtqj8NkTNO7cJHMoOeILY4HRcb7OasiCcnXsBwIFvbeDgwj+DMZOeKbitLXwzS5frWhZWg0eBHQ4BZQFjX1K0KReVacH9CblHnSZLxjMg3x6o3upB70YjdmD3KKBisOwfMCjklwk0rKwx0w5vzac3r1nJU+PGtFw1luIiBs=,iv:bYIRVFWVGjwgmaGu6JqvpCa0TIp8idP5Bc5cYV7Bri8=,tag:D2xS1PK9a9Dd1mm8+R9RRA==,type:str]
    pgp:
        - created_at: "2025-03-12T20:51:07Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DY/xpNY5WhB0SAQdAhB2C4sQhoL04j1RiWoeNCNSbGxDkrqXP+IffdoY8DWgw
            x8aogh0b7CpTplBG/4g/WMVB4N/86uvI+mLYxJMyRb9b0f0bDr5dPpnhk//r/MDg
            0l4B9+hcSzmkwXlKh7L8Ds4cZr/z3RlqnR424KSfKbiaaigYttui5l4xgEEPZE1H
            1yfIJ5lBMgG1HTj3HX5mqM9ocA4HVzIkfPPqrFRAgjZdqeDEbLBT3lItMlvsOwy4
            =kS0b
            -----END PGP MESSAGE-----
          fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/hosts/copper/services/default.nix
+++ b/hosts/copper/services/default.nix
@ -1,8 +0,0 @@
 {
  imports = [
    ./illuminanced.nix
    ./ntfy.nix
    ./timelog.nix
    ./webdev.nix
  ];
 }
--- a/hosts/copper/services/illuminanced.nix
+++ b/hosts/copper/services/illuminanced.nix
@ -1,94 +0,0 @@
 { lib, pkgs, ... }:
 let
  tomlFormat = pkgs.formats.toml { };
  cfg = {
    daemonize = {
      log_to = "syslog";
      pid_file = "/run/illuminanced/illuminanced.pid";
      #log_level = "OFF", "ERROR", "WARN", "INFO", "DEBUG", "TRACE"
      log_level = "ERROR";
    };
    general = {
      check_period_in_seconds = 1;
      light_steps = 100;
      min_backlight = 20;
      step_barrier = 0.1;
      max_backlight_file = "/sys/class/backlight/amdgpu_bl1/max_brightness";
      backlight_file = "/sys/class/backlight/amdgpu_bl1/brightness";
      illuminance_file = "/sys/bus/iio/devices/iio:device0/in_illuminance_raw";
      #event_device_mask = "/dev/input/event*";
      #event_device_name = "Asus WMI hotkeys";
      enable_max_brightness_mode = true;
      filename_for_sensor_activation = "";
    };
    kalman = {
      q = 1;
      r = 20;
      covariance = 10;
    };
    light = {
      points_count = 6;
      illuminance_0 = 0;
      light_0 = 0;
      illuminance_1 = 20;
      light_1 = 35;
      illuminance_2 = 70;
      light_2 = 50;
      illuminance_3 = 120;
      light_3 = 65;
      illuminance_4 = 200;
      light_4 = 75;
      illuminance_5 = 255;
      light_5 = 99;
    };
  };
  configFile = tomlFormat.generate "illuminanced.toml" cfg;
 in
 {
  systemd.services.illuminanced = {
    description = "Ambient Light Sensor Daemon";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "exec";
      Restart = "always";
      ExecStart = "${pkgs.illuminanced}/bin/illuminanced -c ${configFile}";
      PIDFile = cfg.daemonize.pid_file;
      StandardOutput = "journal";
      BindReadOnlyPaths = [
        "/nix/store"
        "/dev/log"
        "/run/systemd/journal/socket"
        "/run/systemd/journal/stdout"
        cfg.general.max_backlight_file
        (lib.strings.escape [ ":" ] cfg.general.illuminance_file)
      ];
      BindPaths = [
        cfg.general.backlight_file
      ];
      CapabilityBoundingSet = null;
      IPAddressDeny = "any";
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "noaccess";
      ProtectSystem = "strict";
      RestrictAddressFamilies = [ ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RootDirectory = "/run/illuminanced";
      RuntimeDirectory = "illuminanced";
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
    };
  };
 }
--- a/hosts/copper/services/ntfy.nix
+++ b/hosts/copper/services/ntfy.nix
@ -1,3 +0,0 @@
 {
  sops.secrets.ntfy_shiftphone.owner = "jalr";
 }
--- a/hosts/copper/services/timelog.nix
+++ b/hosts/copper/services/timelog.nix
@ -1,10 +0,0 @@
 {
  powerManagement = {
    powerUpCommands = ''
      echo "timelog: powerUp"
    '';
    powerDownCommands = ''
      echo "timelog: powerDown"
    '';
  };
 }
--- a/hosts/copper/services/webdev.nix
+++ b/hosts/copper/services/webdev.nix
@ -1,50 +0,0 @@
 { pkgs, lib, ... }:
 {
  systemd.services = lib.attrsets.mapAttrs'
    (
      name: mapping: lib.attrsets.nameValuePair "redir-${name}" {
        description = "Port redirection for local development web server (${name})";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
          BindReadOnlyPaths = [ "/nix/store" ];
          CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
          DynamicUser = true;
          ExecStart = "${pkgs.redir}/bin/redir -n 127.0.0.1:${toString mapping.to} 127.0.0.1:${toString mapping.from}";
          IPAddressAllow = "localhost";
          IPAddressDeny = "any";
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateDevices = lib.mkForce true;
          PrivateTmp = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "noaccess";
          ProtectSystem = "strict";
          ReadWritePaths = "";
          RemoveIPC = true;
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          RootDirectory = "/run/redir-https";
          RuntimeDirectory = "redir-https";
          SystemCallArchitectures = "native";
          SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
          Type = "exec";
        };
      }
    )
    {
      http = { from = 8080; to = 80; };
      https = { from = 8443; to = 443; };
    };
 }
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -1,10 +1,7 @@
-inputs:
+{ ... }@inputs:
 let
  hardware = inputs.nixos-hardware.nixosModules;
 in
 {
  aluminium = {
-    targetHost = "jalr-k.duckdns.org";
+    targetHost = "192.168.0.1";
    system = "x86_64-linux";
  };
  jalr-t520 = {
@ -13,20 +10,20 @@ in
  cadmium = {
    system = "x86_64-linux";
  };
  hafnium = {
    system = "x86_64-linux";
  };
  weinturm-pretix-prod = {
    system = "aarch64";
    targetHost = "142.132.185.70";
  };
  iron = {
    system = "x86_64-linux";
    #targetHost = "192.168.42.1";
    targetHost = "jalr-bw.duckdns.org";
  };
  magnesium = {
-    system = "x86_64-linux";
+    system = "aarch64";
-    targetHost = "magnesium.jalr.de";
+    targetHost = "162.55.35.199";
  };
  copper = {
    system = "x86_64-linux";
    targetHost = "copper.lan.bw.jalr.de";
    extraModules = [
      hardware.framework-16-7040-amd
    ];
  };
 }
--- a/hosts/hafnium/configuration.nix
+++ b/hosts/hafnium/configuration.nix
@ -0,0 +1,146 @@
 { lib, config, pkgs, self, system, ... }:
 let
  tradebyteDnsServers = [
    "10.170.254.30"
    "10.170.254.40"
  ];
 in
 {
  imports = [
    ./hardware-configuration.nix
    ../../home-manager/users/jal.nix
  ];
  networking = {
    hostName = "hafnium";
    networkmanager = {
      enable = true;
    };
    useDHCP = false;
    interfaces = {
      enp2s0f0.useDHCP = false;
      enp5s0.useDHCP = false;
      wlp3s0.useDHCP = false;
    };
    firewall = {
      allowedUDPPorts = [
        53
      ];
      allowedTCPPorts = [
        53
      ];
    };
    extraHosts = ''
      #10.10.10.10 example.com
    '';
  };
  environment.systemPackages = with pkgs; [
    brightnessctl
    gnome3.adwaita-icon-theme
    openconnect
    redir
    tcpdump
  ];
  environment.variables.EDITOR = "nvim";
  programs.mtr.enable = true;
  services.udisks2.enable = true;
  jalr = {
    bootloader = "systemd-boot";
    bluetooth.enable = true;
    uefi.enable = true;
    gui.enable = true;
    workstation.enable = true;
    sdr.enable = false;
    libvirt.enable = true;
    autologin.enable = true;
    autologin.username = "jal";
    tradebyte.enable = true;
  };
  sops.secrets = (
    lib.listToAttrs (map
      (name: lib.nameValuePair "wireguard_key_${name}" {
        sopsFile = ./secrets.yaml;
      })
      [
        "tbcore"
        "ops-testing"
      ]
    )
  );
  networking.wireguard.interfaces = {
    tbcore = {
      ips = [ "172.27.27.16/32" ];
      privateKeyFile = config.sops.secrets.wireguard_key_tbcore.path;
      listenPort = 51930;
      peers = [{
        publicKey = "K5vF/yTag6NnWjZsMug63DERdCFRfHoqxVkgKH55oFE=";
        endpoint = "194.33.184.175:51930";
        #endpoint = "ccs-emergency-vpn.core.tradebyte.com:51930";
        persistentKeepalive = 25;
        allowedIPs = [
          "10.158.128.0/23"
          "10.158.224.0/20"
          "10.18.0.0/16"
          "10.64.64.0/20" # CPS
          "172.31.1.0/24"
        ];
      }];
    };
    ops-testing = {
      ips = [ "10.254.254.2/30" ];
      privateKeyFile = config.sops.secrets.wireguard_key_ops-testing.path;
      peers = [{
        publicKey = "+jZETJfwaRiM+7ys5eYjgiWEAtxP47RzZSCx0w4l2nI=";
        endpoint = "3.68.138.217:2048";
        persistentKeepalive = 25;
        allowedIPs = [
          "10.254.254.0/30"
          "10.250.0.0/16"
        ];
      }];
    };
  };
  services.dnsmasq.settings.server = lib.lists.flatten (
    map (domain: (map (srv: "/${domain}/${srv}") tradebyteDnsServers)) [
    "vpce-0c1c169d1e33a1c2f-yugtdam1.s3.eu-central-1.vpce.amazonaws.com"
    "ccs.tradebyte.com"
    "instance.tradebyte.com"
  ]) ++ [
    "/internal.production.core.tradebyte.com/10.158.224.2"
    "/internal.development.core.tradebyte.com/10.170.254.30"
    "/rds.amazonaws.com/9.9.9.9"
    "/tradebyte.com/9.9.9.9"
    "/tradebyte.org/9.9.9.9"
    "/develop.sys.tradebyte.com/10.0.3.1"
    "/corp.ad.zalando.net/10.160.19.100"
  ];
  services.actkbd = {
    enable = true;
    bindings = [
      { keys = [ 232 ]; events = [ "key" ]; command = "/run/current-system/sw/bin/brightnessctl s -5%"; }
      { keys = [ 233 ]; events = [ "key" ]; command = "/run/current-system/sw/bin/brightnessctl s +5%"; }
    ];
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?
 }
--- a/hosts/hafnium/hardware-configuration.nix
+++ b/hosts/hafnium/hardware-configuration.nix
@ -0,0 +1,44 @@
 { modulesPath, ... }:
 {
  imports = [
    "${modulesPath}/installer/scan/not-detected.nix"
  ];
  hardware.cpu.amd.updateMicrocode = true;
  boot = {
    initrd.availableKernelModules = [
      "nvme"
      "ehci_pci"
      "xhci_pci"
      "usb_storage"
      "sd_mod"
      "rtsx_pci_sdmmc"
    ];
    kernelModules = [ "kvm-amd" ];
  };
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/b86310f5-fe3d-4b4d-bc02-ab0d7e9297cf";
      fsType = "btrfs";
      options = [
        "discard=async"
        "noatime"
        "subvol=/nixos"
        "compress=zstd:6"
      ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/564E-26B4";
      fsType = "vfat";
      options = [ "nodev" "nosuid" "noexec" ];
    };
  };
  boot.initrd.luks.devices.cryptroot = {
    device = "/dev/disk/by-uuid/d9b120c1-5e80-4893-92fe-497e5b44c25b";
    allowDiscards = true;
  };
 }
--- a/hosts/hafnium/secrets.yaml
+++ b/hosts/hafnium/secrets.yaml
@ -0,0 +1,42 @@
 wireguard_key_tbcore: ENC[AES256_GCM,data:/VdCVC6xciihm2suOiuNabAWPhWPGSyWSKbLKRpy8EK7aXpyxZPybnANc1E=,iv:/LxrjPLzUkHdyT45RIfbfc4Xa3vsnQNiamnbiMdubpg=,tag:N5nFx1QsH9FGiK9DrMg2hQ==,type:str]
 wireguard_key_ops-testing: ENC[AES256_GCM,data:FiADGmh3GAK6LI9Y5EEErmoVCfx4So6mN3glnzUWk8zDXJbRYP1Uj1kJiss=,iv:7tEWVT6eeHpekgkO17DXtrO7meFvYo6xV4ZLpGG20PQ=,tag:Mtr2gMnCqfJP5ADyordddw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWlZBSFBKNXJ4QmpDZUpT
            NE91ek10QkwxSU1XTE81cGxHZXZmL1JncEY0ClZFbVd5dG14L1hqQlRWTDVkZmpx
            V1EzSG9rMC80WTNIZExXOXU1VjcrMk0KLS0tIElWdkh4MzNyeTNteDJTY3RvanQx
            ai9YdFdleXNNY2pXQzZMem0vdDdSMjgKvngMU5Y1/Pp+G/a9SyewkN9wr22ZcGP6
            XHHadzk6NE7BJWqquY+2B0Rh3B1Ow+rC8yJd7FhJlHw+i0Bp/d/ESw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-04-21T08:09:31Z"
    mac: ENC[AES256_GCM,data:+TB7XQPMQCFAR/0jrUKTgjm2yJ7qJ6Jak3DMbFof7mnGE9LKT+xPKYzPwAM+4aDzngHv1fumD6JCXDoJ4DS95frAVfNVNM1bfB0iVmrtf0PX1y+Em189/hs3bt2YBkvvW9kYJMq0g9VBngX6gwGuaBAFHly1gi6SPMZN4vNRF6g=,iv:DK5OYG+BohxllorP0j9mvQ7MtqVNnBjJ3Nf378scJOA=,tag:lBwsHbY9PlJ2/eMtKcxZxA==,type:str]
    pgp:
        - created_at: "2022-04-20T21:27:25Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            hQIMA6jlFWJ+id7kARAArP1hdPwQk2XyKsXYnSj6vxK81GhfZp3tkYEqsU3Jdpwn
            OR+0SnuoNWk4dN4JE4ooS5DOhS0ZaVsglLPtiLLohGWYY4OrX33JHZN4oEa5GMBK
            t9b0YNb9owow0MSFN679tmiCMvzXGprT0mdWO3/X/HlKvCcTYPRqul4BVeVR/LyG
            V94MSaF3BUwFb4p/Q8jcWfsfH5gmMpiFHQsmtci4LjDHvAVCFzI3AjcbRRJUfO5v
            ampZ+9yUNo8Y6btrQQWvMoGpOp6U7cj6rTk+eZuW16/7WbHMz6WSpolDyy01QjzQ
            szS5RuACnUTMqG4YWQk90H3Srgq/6CFBVLSTm2h8zdO9UZcgkJRYLTFczbYbyqgN
            2Vpjf0UwIv5MHvdo1QZJeBEl8TxjI5UZY2/UDOb9OZXktcAxW5U0Wy6pZIfUsJpk
            GJeAb+P3pLvs62hkNSS+rGoGvLX2u0R/Xvw1btTdLLOeIOPNGF8lau32mBuErIZ9
            2E44N1qV8uQDkDdvaKpj4ikf/0MURPW4GWXST3K/BwD1Gos2SzVD17kXGGOVdeOP
            Q19LSo06h2Cq+zNcyKU4C0IdRPvFLKJbyEN3vDYXGnJK7lqGr/UDDcPgYPHVPn1Q
            gTdmAk2e8lZY6O0OP5tth5cMjJZj5msvjbww9J1PA3VnBuo8+17zCJ/IYwCUlEbS
            XgEWH0LKnwjG7Ufr8eT0DzeCJoD2U/2h+8/+Q2dc4YqokIPW7VuZhR+HZygVAX65
            1yT/1z+1Hr6kLr9cDLzjyPRu5rNgZJHc8pxkbrQsT764oclvfbgIcmvko9Fsg4o=
            =S5XT
            -----END PGP MESSAGE-----
          fp: FE170812543DF81393EA56BA5042B8317A10617E
    unencrypted_suffix: _unencrypted
    version: 3.7.2
--- a/hosts/iron/configuration.nix
+++ b/hosts/iron/configuration.nix
@ -1,25 +1,24 @@
-{ config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 let
-  interfaces = import ./interfaces.nix;
+  zfsKernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-  disks = {
+  disks = [
-    slot1 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K";
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K"
-    slot2 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A";
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A"
-    slot3 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104926N";
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104926N"
-    slot4 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104934H";
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104934H"
-    slot5 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0W206517Y";
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0W206517Y"
-  };
+  ];
  removableEfi = true;
  devNodes = "/dev/disk/by-id/";
  datasets = {
    "bpool/nixos/root" = "/boot";
    "rpool/filebitch" = "/filebitch";
    "rpool/navidrome" = "/var/lib/private/navidrome";
-    "rpool/navidrome/music" = "/var/lib/navidrome/music";
+    "rpool/navidrome/music" = "/var/lib/private/navidrome/music";
    "rpool/nixos/home" = "/home";
    "rpool/nixos/root" = "/";
    "rpool/nixos/var/lib" = "/var/lib";
-    "rpool/nixos/var/lib/qBittorrent" = "/var/lib/qBittorrent";
+    "rpool/nixos/var/lib/qbittorrent" = "/var/lib/qbittorrent";
-    "rpool/nixos/var/lib/qBittorrent/downloads" = "/var/lib/qBittorrent/downloads";
+    "rpool/nixos/var/lib/qbittorrent/downloads" = "/var/lib/qbittorrent/downloads";
    "rpool/nixos/var/log" = "/var/log";
  };
  partitionScheme = {
@ -28,16 +27,16 @@ let
    luksDev = "-part3";
    biosBoot = "-part4";
  };
-  efiSystemPartitions = map (diskName: diskName + partitionScheme.efiBoot) (lib.attrValues disks);
+  efiSystemPartitions = (map (diskName: diskName + partitionScheme.efiBoot) disks);
  iptablesAppendIfMissing = rule: "iptables -C " + rule + " || iptables -A " + rule;
 in
 with lib; {
  imports = [
-    ../../users/jalr
+    ../../home-manager/users/jalr.nix
    ./services
    ./ports.nix
  ];
  config = {
-    system.stateVersion = "25.05";
+    system.stateVersion = "22.11";
    security.sudo.wheelNeedsPassword = false;
@ -47,56 +46,35 @@ with lib; {
      useDHCP = false;
      networkmanager.enable = false;
      bridges = {
        "${interfaces.lan}" = {
          interfaces = [ "enp2s4" "enp3s5" ];
        };
      };
      vlans = {
        iot = {
          id = 20;
          interface = interfaces.lan;
        };
      };
      interfaces = {
-        "${interfaces.lan}".ipv4.addresses = [{
+        enp2s4.ipv4.addresses = [{
          address = "192.168.42.1";
          prefixLength = 24;
        }];
-        iot.ipv4.addresses = [{
+        enp3s5 = {
          address = "10.20.0.1";
          prefixLength = 20;
        }];
        "${interfaces.wan}" = {
          useDHCP = true;
        };
      };
      nat = {
        enable = true;
-        externalInterface = interfaces.wan;
+        externalInterface = "enp3s5";
        internalInterfaces = [
-          interfaces.lan
+          "enp2s4"
          "virbr0"
        ];
      };
      firewall = {
-        allowedTCPPorts = [ 5201 ];
+        extraCommands = lib.concatStringsSep "\n" [
-        extraForwardRules = ''
+          (iptablesAppendIfMissing "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
-          tcp flags syn tcp option maxseg size set rt mtu
+        ];
        '';
        interfaces.virbr0 = {
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [ 53 67 ];
        };
      };
    };
    services.radvd = {
      enable = true;
      config = ''
-        interface ${interfaces.lan} {
+        interface enp2s4 {
          AdvSendAdvert on;
          prefix ::/64 {
            AdvOnLink on;
@ -111,59 +89,47 @@ with lib; {
      noipv6rs
      waitip 6
-      interface ${interfaces.wan}
+      interface enp3s5
        ipv6rs
        ia_na 1
-        ia_pd 1/::/64 ${interfaces.lan}/0/64
+        ia_pd 1/::/64 enp2s4/0/64
    '';
    jalr.luksUsbUnlock = {
      enable = true;
      devices = builtins.mapAttrs
        (_: _: {
          keyPath = "iron.key";
          usbDevice = "by-label/RAM_USB";
          waitForDevice = 10;
        })
        disks;
    };
    boot = {
      kernelPackages = zfsKernelPackages;
      kernel.sysctl = {
        "net.ipv6.conf.all.forwarding" = 1;
      };
      initrd = {
-        availableKernelModules = [
+        availableKernelModules = [ "ahci" ];
          "ahci"
          "ehci_pci"
          "sd_mod"
          "sdhci_pci"
          "usb_storage"
          "xhci_pci"
        ];
        systemd.enable = true;
-        luks.devices = builtins.mapAttrs
+        luks.devices = lib.listToAttrs (
-          (_: dev: {
+          map
-            device = "${devNodes}${dev}${partitionScheme.luksDev}";
+            (dev: {
-            allowDiscards = true;
+              name = "LUKS-${dev}${partitionScheme.luksDev}";
-          })
+              value = {
-          disks;
+                device = "${devNodes}${dev}${partitionScheme.luksDev}";
                allowDiscards = true;
              };
            })
            disks
        );
      };
      supportedFilesystems = [ "zfs" ];
      zfs = {
-        inherit devNodes;
+        devNodes = devNodes;
        forceImportRoot = false;
      };
      loader = {
        efi = {
-          canTouchEfiVariables = if removableEfi then false else true;
+          canTouchEfiVariables = (if removableEfi then false else true);
-          efiSysMountPoint = "/boot/efis/" + (head (lib.attrValues disks))
+          efiSysMountPoint = ("/boot/efis/" + (head disks)
-            + partitionScheme.efiBoot;
+            + partitionScheme.efiBoot);
        };
        generationsDir.copyKernels = true;
        grub = {
          enable = true;
-          devices = map (diskName: devNodes + diskName) (attrValues disks);
+          devices = (map (diskName: devNodes + diskName) disks);
          efiInstallAsRemovable = removableEfi;
          copyKernels = true;
          efiSupport = true;
@ -173,11 +139,11 @@ with lib; {
            terminal_input --append serial
            terminal_output --append serial
          '';
-          extraInstallCommands = toString (map
+          extraInstallCommands = (toString (map
            (diskName: ''
              ${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${partitionScheme.efiBoot}
            '')
-            (tail (attrValues disks)));
+            (tail disks)));
        };
      };
      kernelParams = [
@ -218,15 +184,7 @@ with lib; {
      };
    };
-    hardware = {
+    hardware.enableRedistributableFirmware = true;
      enableRedistributableFirmware = true;
      graphics = {
        enable = true;
        extraPackages = [
          pkgs.intel-vaapi-driver
        ];
      };
    };
    virtualisation.containers.storage.settings = {
      storage = {
@ -236,16 +194,5 @@ with lib; {
        options.zfs.fsname = "rpool/nixos/podman";
      };
    };
    zramSwap = {
      enable = true;
      algorithm = "zstd";
      memoryPercent = 60;
      priority = 1;
    };
    services.zfs = {
      trim.enable = false;
    };
  };
 }
--- a/hosts/iron/interfaces.nix
+++ b/hosts/iron/interfaces.nix
@ -1,4 +0,0 @@
 {
  lan = "br0";
  wan = "enp0s25";
 }
--- a/hosts/iron/luks-passfile.gpg
+++ b/hosts/iron/luks-passfile.gpg
--- a/Show more
+++ b/Show more
		`@ -0,0 +1,2 @@`
							`# Documentation`
							`[Home Manager Manual](https://rycee.gitlab.io/home-manager/)`
		`@ -1,2 +0,0 @@`
			`ESPHOME_HOST="jalr-k.duckdns.org"`
			`ESPHOME_SECRETS_FILE="esphome_${ESPHOME_HOST}_secrets.yaml"`
		`@ -1 +0,0 @@`
			`../../../../../modules/esphome/devices/justfile`