Attempt to remove sensitive stuff from notifications

Flake lock file updates:

• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/bd38df3d508dfcdff52cd243d297f218ed2257bf' (2023-10-25)
  → 'github:cachix/pre-commit-hooks.nix/ea758da1a6dcde6dc36db348ed690d09b9864128' (2023-11-06)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/60b9db998f71ea49e1a9c41824d09aa274be1344' (2023-10-26)
  → 'github:nixos/nixpkgs/41de143fda10e33be0f47eab2bfe08a50f234267' (2023-11-06)
• Updated input 'nixpkgsMaster':
    'github:NixOS/nixpkgs/71ef7ea8fe2aff7c21cf2e7ec7283a4276a2f366' (2023-10-29)
  → 'github:NixOS/nixpkgs/e556bb0b675a849371645b6b79eccd4130744967' (2023-11-08)
• Updated input 'nur':
    'github:nix-community/NUR/4364937d33ca6b79cd8b66fdf4ee1758ff279e62' (2023-10-29)
  → 'github:nix-community/NUR/9249f2baa49a8ba139eb084128e092073ed88c4e' (2023-11-08)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/632c3161a6cc24142c8e3f5529f5d81042571165' (2023-10-29)
  → 'github:Mic92/sops-nix/664187539871f63857bda2d498f452792457b998' (2023-11-06)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/d87c5d8c41c9b3b39592563242f3a448b5cc4bc9' (2023-10-29)
  → 'github:NixOS/nixpkgs/78f3a4ae19f0e99d5323dd2e3853916b8ee4afee' (2023-11-04)

.gitattributes

@@ -1,5 +1,3 @@
 **/secrets/** filter=git-crypt diff=git-crypt
 **/secrets.yaml diff=sops
 *.wav filter=lfs diff=lfs merge=lfs -text
-
-hosts/iron/services/tvproxy.nix filter=git-crypt diff=git-crypt

.sops.yaml

@@ -1,12 +1,11 @@
 keys:
-  - &admin_jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+  - &admin_jalr 66FB54F6081375106EEBF651A222365EB448F934
   - &admin_jalr_tb FE170812543DF81393EA56BA5042B8317A10617E
   - &host_aluminium age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44
   - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
   - &host_iron age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je
-  - &host_magnesium age19qkgfaq08kmyxghet48dq4gxwjuy9zpvuyxys9jkmcqa5634537qlxjcd8
+  - &host_magnesium age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0
   - &host_weinturm_pretix_prod age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
-  - &host_copper age1rrut5ntrkqmvttvmpa5jcmjhr2pfpyaqgu9dmtx6v07lgjxx5ppsl7e5v3
 creation_rules:
   - path_regex: hosts/aluminium/secrets\.yaml$
     key_groups:
@@ -38,12 +37,6 @@ creation_rules:
       - *admin_jalr
       age:
       - *host_weinturm_pretix_prod
-  - path_regex: hosts/copper/secrets\.yaml$
-    key_groups:
-    - pgp:
-      - *admin_jalr
-      age:
-      - *host_copper
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:

README.md

@@ -1,27 +1,18 @@
-# jalr's NixOS Configuration
+## home-manager
+https://github.com/nix-community/home-manager
+
+For a systematic overview of Home Manager and its available options, please see
+- the [Home Manager manual](https://nix-community.github.io/home-manager/index.html) and
+- the [Home Manager configuration options](https://nix-community.github.io/home-manager/options.html).
+
 
 ## Install a new host
 
 This installs nixos on host `somehost`:
-
-### NixOS Anywhere
-
-```bash
-nix run github:nix-community/nixos-anywhere -- --flake .#<somehost> root@<somehost>
-```
-
-### The traditional way
-
 ```bash
 nix-shell -p nixUnstable --run 'nixos-install --flake https://gitlab.jalr.de/jalr/nixos-configuration#somehost --no-channel-copy'
 ```
 
-### Build a configuration
-
-```
-nix build .#nixosConfigurations.iron.config.system.build.toplevel
-```
-
 ### setting up sops
 Get the host key and convert it.
 ```bash
@@ -55,12 +46,4 @@ nix-repl> :lf .#
 ```
 gpg --card-edit
 gpg/card> fetch
-gpg --edit-key $key
-gpg> trust
-Your decision? 5
 ```
-
-## Debugging boot issues
-
-1. Add `rd.systemd.debug_shell` kernel parameter
-2. Press CTRL+ALT+F9 to switch to root shell

custom-utils/default.nix

@@ -1,5 +1,33 @@
 { lib, ... }:
 
+let
+  filterPort = pm: port: (
+    lib.attrsets.catAttrs port (
+      lib.attrsets.attrValues (
+        lib.attrsets.filterAttrs (n: v: v ? "${port}") pm
+      )
+    )
+  );
+  onlyUniqueItemsInList = (x: lib.lists.length x == lib.lists.length (lib.lists.unique x));
+  protocols = (x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x))));
+  mkRange = (x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1));
+  validateList = allowed: builtins.all (x: builtins.elem x allowed);
+in
 {
-  validatePortAttrset = import ./ports.nix { inherit lib; };
+  validatePortAttrset = portmap:
+    if ! onlyUniqueItemsInList (lib.flatten (map
+      (x:
+        if lib.isInt x then x
+        else if lib.isList x then x
+        else if lib.isAttrs x then
+          (
+            if ! validateList [ "range" ] (builtins.attrNames x) then builtins.abort "found invalid attribute name"
+            else if x ? "range" then if lib.lists.length x.range == 2 then mkRange x.range else builtins.abort "range needs a list with exactly two items"
+            else builtins.abort "found invalid attrset"
+          )
+        else builtins.abort "found invalid entry in portmap"
+      )
+      (filterPort portmap "udp"))) then builtins.abort "Found duplicate ports."
+    else if ! validateList [ "tcp" "udp" ] (protocols portmap) then builtins.abort "Found invalid protocol."
+    else portmap;
 }

custom-utils/ports.nix

@@ -4,30 +4,30 @@ let
   filterPort = pm: port: (
     lib.attrsets.catAttrs port (
       lib.attrsets.attrValues (
-        lib.attrsets.filterAttrs (_: v: v ? "${port}") pm
+        lib.attrsets.filterAttrs (n: v: v ? "${port}") pm
       )
     )
   );
-  onlyUniqueItemsInList = x: lib.lists.length x == lib.lists.length (lib.lists.unique x);
-  mkRange = { from, to }: (lib.lists.range from to);
+  onlyUniqueItemsInList = (x: lib.lists.length x == lib.lists.length (lib.lists.unique x));
+  protocols = (x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x))));
+  mkRange = (x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1));
+  validateList = allowed: builtins.all (x: builtins.elem x allowed);
 in
-portmap:
-if builtins.all
-  (
-    proto:
-    if onlyUniqueItemsInList
-      (
-        lib.flatten (
-          map
+{
+  validatePortAttrset = portmap:
+    if ! onlyUniqueItemsInList (lib.flatten (map
       (x:
         if lib.isInt x then x
         else if lib.isList x then x
-            else if lib.isAttrs x then mkRange x
+        else if lib.isAttrs x then
+          (
+            if ! validateList [ "range" ] (builtins.attrNames x) then builtins.abort "found invalid attribute name"
+            else if x ? "range" then if lib.lists.length x.range == 2 then mkRange x.range else builtins.abort "range needs a list with exactly two items"
+            else builtins.abort "found invalid attrset"
+          )
         else builtins.abort "found invalid entry in portmap"
       )
-            (filterPort portmap proto)
-        )
-      ) then true else builtins.abort "Found duplicate ${proto} ports."
-  ) [ "tcp" "udp" ]
-then portmap
-else builtins.abort "Found duplicate ports."
+      (filterPort portmap "udp"))) then builtins.abort "Found duplicate ports."
+    else if ! validateList [ "tcp" "udp" ] (protocols portmap) then builtins.abort "Found invalid protocol."
+    else portmap;
+}

flake.lock

@@ -1,91 +1,13 @@
 {
   "nodes": {
-    "asterisk-sounds-de": {
-      "inputs": {
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nix-filter": [
-          "nix-filter"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1748284610,
-        "narHash": "sha256-B3/OOZC0puXbODupPEbdMA6sJP39MzbMCl4j1HvgNfU=",
-        "ref": "refs/heads/main",
-        "rev": "6b1c484318727af78a64aee3f46903493dae8259",
-        "revCount": 1,
-        "type": "git",
-        "url": "https://git.jalr.de/jalr/asterisk-sounds-de"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.jalr.de/jalr/asterisk-sounds-de"
-      }
-    },
-    "bldcSrc": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1733324381,
-        "narHash": "sha256-ui9N8QSog1G5zyK7yRrD0Xl+Y2CZhvvhBkaJuQZ2qZw=",
-        "owner": "vedderb",
-        "repo": "bldc",
-        "rev": "a0d40e2c5a42c810888d8c379307e6b0a118a125",
-        "type": "github"
-      },
-      "original": {
-        "owner": "vedderb",
-        "ref": "release_6_05",
-        "repo": "bldc",
-        "type": "github"
-      }
-    },
-    "crane": {
-      "locked": {
-        "lastModified": 1731098351,
-        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
-        "owner": "ipetkov",
-        "repo": "crane",
-        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ipetkov",
-        "repo": "crane",
-        "type": "github"
-      }
-    },
-    "disko": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1762276996,
-        "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
         "type": "github"
       },
       "original": {
@@ -94,74 +16,16 @@
         "type": "github"
       }
     },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1730504689,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nur",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1733312601,
-        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
         "type": "github"
       },
       "original": {
@@ -170,49 +34,7 @@
         "type": "github"
       }
     },
-    "gg-chatmix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1748177977,
-        "narHash": "sha256-xC/dOrDrZoQhUfVotj/z14iTwGlE80OqSl9S5zkevdA=",
-        "owner": "nilathedragon",
-        "repo": "gg-chatmix",
-        "rev": "1dadaa51794042c20ddc52d52479e8a156bd235b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nilathedragon",
-        "repo": "gg-chatmix",
-        "type": "github"
-      }
-    },
     "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "lanzaboote",
-          "pre-commit-hooks-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
-    "gitignore_2": {
       "inputs": {
         "nixpkgs": [
           "nix-pre-commit-hooks",
@@ -220,11 +42,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "lastModified": 1660459072,
+        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
         "type": "github"
       },
       "original": {
@@ -243,11 +65,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759991118,
-        "narHash": "sha256-pDyrtUQyeP1lVTMIYqJtftzDtsXEZaJjYy9ZQ/SGhL8=",
+        "lastModified": 1694616124,
+        "narHash": "sha256-c49BVhQKw3XDRgt+y+uPAbArtgUlMXCET6VxEBmzHXE=",
         "owner": "nix-community",
         "repo": "gomod2nix",
-        "rev": "7f8d7438f5870eb167abaf2c39eea3d2302019d1",
+        "rev": "f95720e89af6165c8c0aa77f180461fe786f3c21",
         "type": "github"
       },
       "original": {
@@ -263,35 +85,20 @@
         ]
       },
       "locked": {
-        "lastModified": 1758463745,
-        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+        "lastModified": 1695108154,
+        "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+        "rev": "07682fff75d41f18327a871088d20af2710d4744",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-23.05",
         "repo": "home-manager",
         "type": "github"
       }
     },
-    "impermanence": {
-      "locked": {
-        "lastModified": 1737831083,
-        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
-        "owner": "nix-community",
-        "repo": "impermanence",
-        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "impermanence",
-        "type": "github"
-      }
-    },
     "krops": {
       "inputs": {
         "flake-utils": [
@@ -315,146 +122,86 @@
         "type": "github"
       }
     },
-    "lanzaboote": {
-      "inputs": {
-        "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1737639419,
-        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
-        "owner": "nix-community",
-        "repo": "lanzaboote",
-        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "v0.4.2",
-        "repo": "lanzaboote",
-        "type": "github"
-      }
-    },
-    "nix-filter": {
-      "locked": {
-        "lastModified": 1757882181,
-        "narHash": "sha256-+cCxYIh2UNalTz364p+QYmWHs0P+6wDhiWR4jDIKQIU=",
-        "owner": "numtide",
-        "repo": "nix-filter",
-        "rev": "59c44d1909c72441144b93cf0f054be7fe764de5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "nix-filter",
-        "type": "github"
-      }
-    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "poetry2nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1729742964,
-        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
     "nix-pre-commit-hooks": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
-        "gitignore": "gitignore_2",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
+        "flake-compat": "flake-compat",
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1763319842,
-        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
+        "lastModified": 1699271226,
+        "narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=",
         "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "ea758da1a6dcde6dc36db348ed690d09b9864128",
         "type": "github"
       },
       "original": {
         "owner": "cachix",
         "ref": "master",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "nixos-hardware": {
-      "locked": {
-        "lastModified": 1762847253,
-        "narHash": "sha256-BWWnUUT01lPwCWUvS0p6Px5UOBFeXJ8jR+ZdLX8IbrU=",
-        "owner": "nixos",
-        "repo": "nixos-hardware",
-        "rev": "899dc449bc6428b9ee6b3b8f771ca2b0ef945ab9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "master",
-        "repo": "nixos-hardware",
+        "repo": "pre-commit-hooks.nix",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763334038,
-        "narHash": "sha256-LBVOyaH6NFzQ3X/c6vfMZ9k4SV2ofhpxeL9YnhHNJQQ=",
-        "owner": "nixos",
+        "lastModified": 1689261696,
+        "narHash": "sha256-LzfUtFs9MQRvIoQ3MfgSuipBVMXslMPH/vZ+nM40LkA=",
+        "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4c8cdd5b1a630e8f72c9dd9bf582b1afb3127d2c",
+        "rev": "df1eee2aa65052a18121ed4971081576b25d6b5c",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-25.05",
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1730741070,
-        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "lastModified": 1685801374,
+        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1699110214,
+        "narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgsMaster": {
       "locked": {
-        "lastModified": 1763473525,
-        "narHash": "sha256-NzmsN8hRIn/9rJvZH3vPirBrOJJfeSfvPr4+feeK7LY=",
+        "lastModified": 1699437456,
+        "narHash": "sha256-nYPKALWauhG5WvGhx7whUCNFTeLZEtchEre+3Mze4eI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "15901670689a6f338ebd2a9436b947ec189463a3",
+        "rev": "e556bb0b675a849371645b6b79eccd4130744967",
         "type": "github"
       },
       "original": {
@@ -464,65 +211,29 @@
         "type": "github"
       }
     },
-    "nixpkgsOld": {
-      "locked": {
-        "lastModified": 1748037224,
-        "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "f09dede81861f3a83f7f06641ead34f02f37597f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1763283776,
-        "narHash": "sha256-Y7TDFPK4GlqrKrivOcsHG8xSGqQx3A6c+i7novT85Uk=",
+        "lastModified": 1699291058,
+        "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "50a96edd8d0db6cc8db57dab6bb6d6ee1f3dc49a",
+        "rev": "41de143fda10e33be0f47eab2bfe08a50f234267",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1735554305,
-        "narHash": "sha256-zExSA1i/b+1NMRhGGLtNfFGXgLtgo+dcuzHzaWA6w3Q=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "0e82ab234249d8eee3e8c91437802b32c74bb3fd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nur": {
-      "inputs": {
-        "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_2"
-      },
       "locked": {
-        "lastModified": 1763471545,
-        "narHash": "sha256-B1ua1UtkPuMwT8o4nOR7yNP5yz10usMcNnxwHpGtLck=",
+        "lastModified": 1699435759,
+        "narHash": "sha256-K1G+UfpvvWFSbHdWtCOTI1MCK4ivQpu/bz9DWB66SJc=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "4c584dcedf9aa3394e9730e62693515a0e47674b",
+        "rev": "9249f2baa49a8ba139eb084128e092073ed88c4e",
         "type": "github"
       },
       "original": {
@@ -531,114 +242,32 @@
         "type": "github"
       }
     },
-    "poetry2nix": {
-      "inputs": {
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems_2",
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1743690424,
-        "narHash": "sha256-cX98bUuKuihOaRp8dNV1Mq7u6/CQZWTPth2IJPATBXc=",
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "rev": "ce2369db77f45688172384bbeb962bc6c2ea6f94",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "type": "github"
-      }
-    },
-    "pre-commit-hooks-nix": {
-      "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1731363552,
-        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
-        "asterisk-sounds-de": "asterisk-sounds-de",
-        "disko": "disko",
         "flake-utils": "flake-utils",
-        "gg-chatmix": "gg-chatmix",
         "gomod2nix": "gomod2nix",
         "home-manager": "home-manager",
-        "impermanence": "impermanence",
         "krops": "krops",
-        "lanzaboote": "lanzaboote",
-        "nix-filter": "nix-filter",
         "nix-pre-commit-hooks": "nix-pre-commit-hooks",
-        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgsMaster": "nixpkgsMaster",
         "nur": "nur",
-        "poetry2nix": "poetry2nix",
-        "sops-nix": "sops-nix",
-        "vesc-tool": "vesc-tool"
-      }
-    },
-    "rust-overlay": {
-      "inputs": {
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1731897198,
-        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
+        "sops-nix": "sops-nix"
       }
     },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1763417348,
-        "narHash": "sha256-n5xDOeNN+smocQp3EMIc11IzBlR9wvvTIJZeL0g33Fs=",
+        "lastModified": 1699311858,
+        "narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "3f66a7fb9626a9a9c077612ef10a0ce396286c7d",
+        "rev": "664187539871f63857bda2d498f452792457b998",
         "type": "github"
       },
       "original": {
@@ -661,87 +290,6 @@
         "repo": "default",
         "type": "github"
       }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "poetry2nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1730120726,
-        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "treefmt-nix_2": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_3"
-      },
-      "locked": {
-        "lastModified": 1744961264,
-        "narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "8d404a69efe76146368885110f29a2ca3700bee6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "vesc-tool": {
-      "inputs": {
-        "bldcSrc": "bldcSrc",
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgsOld": "nixpkgsOld",
-        "treefmt-nix": "treefmt-nix_2"
-      },
-      "locked": {
-        "lastModified": 1762968599,
-        "narHash": "sha256-j+AZQYOuZ0X33p76LsZu4/NZl1Ccu6kkwPKC5HpIn1Y=",
-        "owner": "vedderb",
-        "repo": "vesc_tool",
-        "rev": "6a75051ce9742d97f14addd5d175ac516effb3c6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "vedderb",
-        "ref": "master",
-        "repo": "vesc_tool",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -1,88 +1,52 @@
 {
   inputs = {
-    disko.inputs.nixpkgs.follows = "nixpkgs";
-    disko.url = "github:nix-community/disko";
-
     flake-utils.url = "github:numtide/flake-utils";
-
-    nix-filter.url = "github:numtide/nix-filter";
-
-    gg-chatmix = {
-      url = "github:nilathedragon/gg-chatmix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    gomod2nix = {
-      url = "github:nix-community/gomod2nix";
-      inputs.flake-utils.follows = "flake-utils";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    home-manager = {
-      url = "github:nix-community/home-manager/release-25.05";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    impermanence.url = "github:nix-community/impermanence";
-
-    krops = {
-      url = "github:Mic92/krops";
-      inputs.flake-utils.follows = "flake-utils";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    nix-pre-commit-hooks = {
-      url = "github:cachix/git-hooks.nix/master";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    nixos-hardware.url = "github:nixos/nixos-hardware/master";
-
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
-
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
     nixpkgsMaster.url = "github:NixOS/nixpkgs/master";
 
     nur.url = "github:nix-community/NUR";
 
-    poetry2nix = {
-      url = "github:nix-community/poetry2nix";
-      inputs.flake-utils.follows = "flake-utils";
+    home-manager = {
+      url = "github:nix-community/home-manager/release-23.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    nix-pre-commit-hooks = {
+      url = "github:cachix/pre-commit-hooks.nix/master";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    asterisk-sounds-de = {
-      url = "git+https://git.jalr.de/jalr/asterisk-sounds-de";
+    krops = {
+      url = "github:Mic92/krops";
       inputs = {
         flake-utils.follows = "flake-utils";
-        nix-filter.follows = "nix-filter";
         nixpkgs.follows = "nixpkgs";
       };
     };
 
-    vesc-tool = {
-      url = "github:vedderb/vesc_tool/master";
-      inputs.flake-utils.follows = "flake-utils";
-      inputs.nixpkgs.follows = "nixpkgs";
+    gomod2nix = {
+      url = "github:nix-community/gomod2nix";
+      inputs = {
+        flake-utils.follows = "flake-utils";
+        nixpkgs.follows = "nixpkgs";
       };
     };
+
+  };
   outputs =
     { self
-    , flake-utils
-    , home-manager
-    , krops
-    , nix-pre-commit-hooks
     , nixpkgs
+    , flake-utils
+    , krops
+    , gomod2nix
+    , home-manager
     , nur
+    , nix-pre-commit-hooks
     , ...
     }@inputs: flake-utils.lib.eachSystem [
       "x86_64-linux"
@@ -98,26 +62,20 @@
             src = self;
             hooks = {
               black.enable = true;
-              deadnix.enable = true;
               nixpkgs-fmt.enable = true;
               shellcheck.enable = true;
-              statix = {
-                enable = true;
-                settings.ignore = [ ".direnv" ];
             };
           };
-            excludes = [ ".envrc" ];
-          };
         };
         devShells.default = pkgs.mkShell {
-          buildInputs = with pkgs; [
+          buildInputs = (with pkgs; [
             black
             just
             nixpkgs-fmt
             shellcheck
             sops
             ssh-to-age
-          ];
+          ]);
 
           shellHook = ''
             ${self.checks.${system}.pre-commit-check.shellHook}
@@ -125,7 +83,7 @@
         };
 
         apps = lib.mapAttrs
-          (_: program: { type = "app"; program = toString program; })
+          (name: program: { type = "app"; program = toString program; })
           (flake-utils.lib.flattenTree {
             deploy = lib.recurseIntoAttrs (lib.mapAttrs
               (hostname: machine:
@@ -149,7 +107,6 @@
                   command = targetPath: ''
                     nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
                   '';
-                  force = true;
                 }
               )
               self.nixosConfigurations);
@@ -184,23 +141,19 @@
                    , extraModules ? [ ]
                    , targetHost ? hostname
                    , nixpkgs ? inputs.nixpkgs
-                   }: nixpkgs.lib.nixosSystem {
+                   }: nixpkgs.lib.nixosSystem rec {
           inherit system;
           specialArgs = { inherit self system; };
 
-          modules =
-            let
-              hostDir = ./hosts + "/${hostname}";
-            in
-            [
-              (hostDir + "/configuration.nix")
+          modules = [
+            (./hosts + "/${hostname}/configuration.nix")
 
             ./modules
 
             {
               _module.args = {
-                  inherit inputs;
-                  custom-utils = import ./custom-utils { inherit (nixpkgs) lib; };
+                inputs = inputs;
+                custom-utils = import ./custom-utils { lib = nixpkgs.lib; };
               };
             }
 
@@ -217,34 +170,13 @@
                 inherit targetHost;
               };
             })
-
-              # sops settings
-              ({ lib, config, pkgs, ... }:
-                {
-                  sops.defaultSopsFile = hostDir + "/secrets.yaml";
-                  sops.secrets =
-                    let
-                      secretFile = config.sops.defaultSopsFile;
-                      getSecrets = file: builtins.fromJSON (builtins.readFile (pkgs.runCommandNoCC "secretKeys" { } ''${pkgs.yq-go}/bin/yq -o json '[del .sops | .. | select(tag != "!!seq" and tag != "!!map") | path | join("/")]' ${file} > $out''));
-                      secretNames = getSecrets secretFile;
-                      secrets =
-                        if builtins.pathExists secretFile then
-                          lib.listToAttrs (builtins.map (name: lib.nameValuePair name { }) secretNames)
-                        else
-                          { };
-                    in
-                    secrets;
-                })
-            ] ++ [
-              { nixpkgs.overlays = [ nur.overlays.default inputs.vesc-tool.overlays.default ]; }
+          ] ++ [{
+            nixpkgs.overlays = [ nur.overlay ];
+          }] ++ [
             home-manager.nixosModules.home-manager
-              inputs.asterisk-sounds-de.nixosModules.default
-              inputs.disko.nixosModules.disko
-              inputs.impermanence.nixosModules.impermanence
-              inputs.lanzaboote.nixosModules.lanzaboote
-              inputs.sops-nix.nixosModules.sops
-              inputs.gg-chatmix.nixosModule
-            ] ++ extraModules;
+          ] ++ (with inputs; [
+            sops-nix.nixosModules.sops
+          ]) ++ extraModules;
         })
         (import ./hosts inputs);
     };

home-manager/README.md

@@ -0,0 +1,2 @@
+# Documentation
+[Home Manager Manual](https://rycee.gitlab.io/home-manager/)

home-manager/modules/alacritty.nix

@@ -0,0 +1,174 @@
+{ lib, pkgs, nixosConfig, ... }:
+let
+  solarized = import ./solarized.nix;
+
+  #nixosConfig.jalr.terminalEmulator.command = pkgs.writeShellScriptBin "alacritty-sway-cwd" ''
+  #  this_alacritty_pid="$(swaymsg -t get_tree | ${pkgs.jq} -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
+
+  #  if [ "$this_alacritty_pid" ]; then
+  #      child_pid="$(pgrep -P "$this_alacritty_pid")"
+  #      cwd="$(readlink /proc/$child_pid/cwd)"
+  #  fi
+  #  if [ -e "$cwd" ]; then
+  #      exec ${pkgs.alacritty} --working-directory "$cwd"
+  #  fi
+
+  #  exec alacritty
+  #'';
+
+  colorschemes = {
+    # https://github.com/alacritty/alacritty/wiki/Color-schemes#solarized
+    solarized-dark = {
+      # Default colors
+      primary = {
+        background = solarized.base03.hex;
+        foreground = solarized.base0.hex;
+      };
+
+      # Cursor colors
+      cursor = {
+        text = solarized.base03.hex;
+        cursor = solarized.base0.hex;
+      };
+
+      # Normal colors
+      normal = {
+        black = solarized.base02.hex;
+        red = solarized.red.hex;
+        green = solarized.green.hex;
+        yellow = solarized.yellow.hex;
+        blue = solarized.blue.hex;
+        magenta = solarized.magenta.hex;
+        cyan = solarized.cyan.hex;
+        white = solarized.base2.hex;
+      };
+
+      # Bright colors
+      bright = {
+        black = solarized.base03.hex;
+        red = solarized.orange.hex;
+        green = solarized.base01.hex;
+        yellow = solarized.base00.hex;
+        blue = solarized.base0.hex;
+        magenta = solarized.violet.hex;
+        cyan = solarized.base1.hex;
+        white = solarized.base3.hex;
+      };
+    };
+
+    solarized-light = {
+      # Default colors
+      primary = {
+        background = solarized.base3.hex;
+        foreground = solarized.base00.hex;
+      };
+
+      # Cursor colors
+      cursor = {
+        text = solarized.base3.hex;
+        cursor = solarized.base00.hex;
+      };
+
+      # Normal colors
+      normal = {
+        black = solarized.base02.hex;
+        red = solarized.red.hex;
+        green = solarized.green.hex;
+        yellow = solarized.yellow.hex;
+        blue = solarized.blue.hex;
+        magenta = solarized.magenta.hex;
+        cyan = solarized.cyan.hex;
+        white = solarized.base2.hex;
+      };
+
+      # Bright colors
+      bright = {
+        black = solarized.base03.hex;
+        red = solarized.orange.hex;
+        green = solarized.base01.hex;
+        yellow = solarized.base00.hex;
+        blue = solarized.base0.hex;
+        magenta = solarized.violet.hex;
+        cyan = solarized.base1.hex;
+        white = solarized.base3.hex;
+      };
+    };
+  };
+  commonSettings = {
+    font = {
+      normal = {
+        family = "Inconsolata for Powerline";
+        style = "Regular";
+      };
+      size = 12;
+    };
+
+    mouse.hide_when_typing = true;
+
+    key_bindings = [
+      {
+        key = "F1";
+        mods = "Control";
+        action = "DecreaseFontSize";
+      }
+      {
+        key = "F2";
+        mods = "Control";
+        action = "IncreaseFontSize";
+      }
+    ];
+
+    bell = {
+      duration = 100;
+      color = "#000000";
+    };
+
+    window.dynamic_title = true;
+
+    scrolling.history = 100000;
+
+    window.opacity = 0.95;
+  };
+  settings = {
+    dark = commonSettings // {
+      colors = colorschemes.solarized-dark;
+    };
+    light = commonSettings // {
+      colors = colorschemes.solarized-light;
+    };
+  };
+in
+{
+
+  programs.alacritty = {
+    enable = nixosConfig.jalr.gui.enable;
+  };
+
+  # The option `home-manager.users.jalr.xdg.configFile.dark.alacritty/alacritty-dark.yml' does not exist
+
+  /*
+    xdg.configFile = builtins.mapAttrs (colorScheme: cfg: {
+    "alacritty/alacritty-${colorScheme}.yml" = lib.replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg);
+    }) settings;
+  */
+
+  xdg.configFile = lib.attrsets.mapAttrs'
+    (colorScheme: cfg: lib.attrsets.nameValuePair "alacritty/alacritty-${colorScheme}.yml" {
+      text = lib.replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg);
+    })
+    settings;
+
+  programs.fish.functions = {
+    ssh = {
+      description = "ssh wrapper function";
+      wraps = "ssh";
+      body = ''
+        if [ "$TERM" = alacritty ]
+            TERM=xterm-256color command ssh $argv
+        else
+            command ssh $argv
+        end
+      '';
+    };
+  };
+}

home-manager/modules/aws.nix

@@ -1,7 +1,7 @@
-{ nixosConfig, lib, config, ... }:
+{ nixosConfig, lib, pkgs, config, ... }:
 
 let
-  inherit (config) xdg;
+  xdg = config.xdg;
 in
 {
   config = lib.mkIf nixosConfig.jalr.aws.enable {
@@ -17,7 +17,7 @@ in
     xdg.configFile."aws/config".text = lib.generators.toINI { } (
       lib.mapAttrs'
         (name: value:
-          lib.attrsets.nameValuePair "profile ${name}" value
+          lib.attrsets.nameValuePair ("profile ${name}") (value)
         )
         nixosConfig.jalr.aws.accounts
       //

home-manager/modules/claws-mail.nix

@@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = with pkgs; [
-    roomeqwizard
+    claws-mail
   ];
 }

home-manager/modules/cli.nix

@@ -0,0 +1,21 @@
+{ nixosConfig, lib, pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    cached-nix-shell
+    file
+    htop
+    inetutils
+    jq
+    lsof
+    ncdu
+    ripgrep
+  ] ++ (if ! nixosConfig.jalr.workstation.enable then [ ] else [
+    direnv
+    dnsutils
+    screen
+    speedtest-cli
+    usbutils
+    wget
+    yt-dlp
+  ]);
+}

home-manager/modules/communication/default.nix

@@ -0,0 +1,10 @@
+{ nixosConfig, ... }:
+
+{
+  imports = [
+    ./ferdium.nix
+    ./mumble.nix
+    ./qtox.nix
+    ./telegram-desktop.nix
+  ];
+}

home-manager/modules/communication/ferdium.nix

@@ -0,0 +1,7 @@
+{ nixosConfig, lib, pkgs, ... }:
+
+lib.mkIf nixosConfig.jalr.tradebyte.enable {
+  home.packages = with pkgs; [
+    master.ferdium
+  ];
+}

home-manager/modules/communication/qtox.nix

@@ -2,6 +2,6 @@
 
 lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = with pkgs; [
-    ksoloti
+    qtox
   ];
 }

home-manager/modules/communication/telegram-desktop.nix

@@ -2,6 +2,6 @@
 
 lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = with pkgs; [
-    prusa-slicer
+    tdesktop
   ];
 }

home-manager/modules/default.nix

@@ -0,0 +1,39 @@
+{ nixosConfig, ... }:
+
+{
+  imports = [
+    ./${nixosConfig.jalr.terminalEmulator}.nix
+    ./aws.nix
+    ./claws-mail.nix
+    ./cli.nix
+    ./communication
+    ./direnv.nix
+    ./dynamic-colors.nix
+    ./firefox
+    ./fish.nix
+    ./fpv.nix
+    ./git.nix
+    ./gnuradio.nix
+    ./graphics
+    ./gui.nix
+    ./jameica.nix
+    ./kicad.nix
+    ./mpv.nix
+    ./mute-indicator.nix
+    ./neo.nix
+    ./neovim.nix
+    ./obs-studio
+    ./openscad.nix
+    ./pass.nix
+    ./pcmanfm.nix
+    ./python.nix
+    ./sound
+    ./sway
+    ./terraform.nix
+    ./tmux.nix
+    ./tor-browser.nix
+    ./vdirsyncer.nix
+  ];
+
+  programs.nix-index.enable = true;
+}

home-manager/modules/dynamic-colors.nix

@@ -0,0 +1,21 @@
+{ nixosConfig, lib, pkgs, ... }:
+
+let
+  dynamic-colors = pkgs.writeShellScriptBin "dynamic-colors" /* bash */ ''
+    case "''$1" in
+      light|dark)
+        if [ -e "''$HOME/.config/alacritty/alacritty-''$1.yml" ]; then
+          ln -sf "''$HOME/.config/alacritty/alacritty-''$1.yml" "$HOME/.config/alacritty/alacritty.yml"
+        fi
+      ;;
+      *)
+        echo "unknown command ''$1" >&2
+        exit 1
+    esac
+  '';
+in
+{
+  home.packages = [
+    dynamic-colors
+  ];
+}

home-manager/modules/firefox/default.nix

@@ -0,0 +1,102 @@
+{ nixosConfig, pkgs, ... }:
+{
+  programs.firefox = {
+    enable = nixosConfig.jalr.gui.enable;
+    package = pkgs.firefox-esr;
+    profiles = {
+      default = {
+        extensions = with pkgs.nur.repos.rycee.firefox-addons; [
+          tree-style-tab
+          ublock-origin
+          umatrix
+          violentmonkey
+        ];
+        settings = {
+          #"browser.startup.homepage" = "https://nixos.org";
+          #"browser.search.region" = "GB";
+          #"browser.search.isUS" = false;
+          #"distribution.searchplugins.defaultLocale" = "en-GB";
+          #"general.useragent.locale" = "en-GB";
+          #"browser.bookmarks.showMobileBookmarks" = true;
+          "app.normandy.enabled" = false;
+          "app.shield.optoutstudies.enabled" = false;
+          "app.update.auto" = false;
+          "browser.ctrlTab.sortByRecentlyUsed" = true;
+          "browser.fixup.alternate.enabled" = false;
+          "browser.formfill.enable" = false;
+          "browser.link.open_newwindow.restriction" = 0;
+          "browser.newtabpage.enabled" = false;
+          "browser.ping-centre.telemetry" = false;
+          "browser.safebrowsing.downloads.enabled" = false;
+          "browser.safebrowsing.downloads.remote.block_dangerous" = false;
+          "browser.safebrowsing.downloads.remote.block_dangerous_host" = false;
+          "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = false;
+          "browser.safebrowsing.downloads.remote.block_uncommon" = false;
+          "browser.safebrowsing.downloads.remote.enabled" = false;
+          "browser.safebrowsing.downloads.remote.url" = "";
+          "browser.safebrowsing.malware.enabled" = false;
+          "browser.safebrowsing.phishing.enabled" = false;
+          "browser.safebrowsing.provider.google.advisoryURL" = "";
+          "browser.safebrowsing.provider.google.gethashURL" = "";
+          "browser.safebrowsing.provider.google.lists" = "";
+          "browser.safebrowsing.provider.google.reportMalwareMistakeURL" = "";
+          "browser.safebrowsing.provider.google.reportPhishMistakeURL" = "";
+          "browser.safebrowsing.provider.google.reportURL" = "";
+          "browser.safebrowsing.provider.google.updateURL" = "";
+          "browser.safebrowsing.provider.google4.advisoryURL" = "";
+          "browser.safebrowsing.provider.google4.dataSharingURL" = "";
+          "browser.safebrowsing.provider.google4.gethashURL" = "";
+          "browser.safebrowsing.provider.google4.lists" = "";
+          "browser.safebrowsing.provider.google4.reportMalwareMistakeURL" = "";
+          "browser.safebrowsing.provider.google4.reportPhishMistakeURL" = "";
+          "browser.safebrowsing.provider.google4.reportURL" = "";
+          "browser.safebrowsing.provider.google4.updateURL" = "";
+          "browser.safebrowsing.provider.mozilla.gethashURL" = "";
+          "browser.safebrowsing.provider.mozilla.lists" = "";
+          "browser.safebrowsing.provider.mozilla.updateURL" = "";
+          "browser.search.suggest.enabled" = false;
+          "browser.search.widget.inNavBar" = true;
+          "browser.startup.page" = 0;
+          "extensions.pocket.enabled" = false;
+          "extensions.update.enabled" = false;
+          "identity.fxaccounts.enabled" = false;
+          "keyword.enabled" = false;
+          "network.captive-portal-service.enabled" = false;
+          "network.predictor.enabled" = false;
+          "privacy.donottrackheader.enabled" = true;
+          "startup.homepage_welcome_url" = about:blank;
+          "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+          "toolkit.telemetry.archive.enabled" = false;
+          "toolkit.telemetry.bhrPing.enabled" = false;
+          "toolkit.telemetry.firstShutdownPing.enabled" = false;
+          "toolkit.telemetry.newProfilePing.enabled" = false;
+          "toolkit.telemetry.server" = http://127.0.0.1:4711;
+          "toolkit.telemetry.server_owner" = "";
+          "toolkit.telemetry.shutdownPingSender.enabled" = false;
+          "toolkit.telemetry.updatePing.enabled" = false;
+          "urlclassifier.downloadAllowTable" = "";
+          "urlclassifier.downloadBlockTable" = "";
+          "urlclassifier.malwareTable" = "";
+          "urlclassifier.phishTable" = "";
+          "datareporting.healthreport.uploadEnabled" = "";
+          "app.normandy.api_url" = "";
+          "breakpad.reportURL" = "";
+          "browser.region.network.url" = "";
+          "browser.search.geoSpecificDefaults.url" = "";
+          "browser.shell.checkDefaultBrowser" = false;
+
+          "privacy.userContext.enabled" = true;
+          "privacy.userContext.ui.enabled" = true;
+          "network.dnsCacheExpiration" = 0;
+
+          # disable disk cache to reduce ssd writes
+          "browser.cache.disk.enable" = false;
+          "browser.cache.memory.enable" = true;
+          "browser.cache.memory.capacity" = -1;
+        };
+        userChrome = builtins.readFile ./userChrome.css;
+
+      };
+    };
+  };
+}

home-manager/modules/firefox/userChrome.css

@@ -218,28 +218,4 @@ url(chrome://browser/content/browser.xhtml) {
     }
 
     /*** End of: Megabar Styler One-Offs ***/
-
-    /* Hide "Firefox Suggest" in location bar search results */
-    .urlbarView-row[label="Firefox Suggest"]::before {
-        display: none !important
-    }
-    .urlbarView-row[label] {
-        margin-block-start: 4px !important;
-    }
-
-    /* Hide search button in location bar */
-    #identity-box[pageproxystate=invalid] > .identity-box-button,
-    .searchbar-search-button {
-        display: none
-    }
-
-    /* Hide search placeholder in location bar */
-    #urlbar-input::placeholder {
-        color: transparent;
-    }
-
-    /* Hide back & forward buttons */
-    toolbarbutton#back-button, toolbarbutton#forward-button {
-        display: none;
-    }
 }

home-manager/modules/fish.nix

@@ -0,0 +1,201 @@
+{ config, pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    fzf
+  ];
+  programs.fish = {
+    enable = true;
+    plugins = [
+      {
+        name = "theme-agnoster";
+        src = pkgs.fetchFromGitHub {
+          owner = "oh-my-fish";
+          repo = "theme-agnoster";
+          rev = "c142e802983bd1b34b4d91efac2126fc5913126d";
+          sha256 = "0PLx626BWoBp/L6wgkB4o+53q8PymiEE/rTu2mfzHhg=";
+          fetchSubmodules = true;
+        };
+      }
+      {
+        name = "fzf";
+        src = pkgs.fetchFromGitHub {
+          owner = "jethrokuan";
+          repo = "fzf";
+          rev = "479fa67d7439b23095e01b64987ae79a91a4e283";
+          sha256 = "0k6l21j192hrhy95092dm8029p52aakvzis7jiw48wnbckyidi6v";
+          fetchSubmodules = true;
+        };
+      }
+    ];
+    shellAliases = {
+      ls = "ls --color=auto";
+      crontab = "crontab -i";
+    };
+
+    shellAbbrs = {
+      lessr = "less -R";
+      jqc = "jq -C";
+    };
+
+    #interactiveShellInit = ''
+    #  echo "programs.fish.interactiveShellInit"
+    #'';
+    shellInit = ''
+      # key bindings
+      bind \cr '__fzf_reverse_isearch'
+
+      # PATH
+      set -U fish_user_paths $HOME/.local/bin $HOME/.local/bin/pio
+
+      # pass
+      #set -x PASSWORD_STORE_ENABLE_EXTENSIONS true
+      set -x AWS_VAULT_BACKEND pass
+      set -x AWS_VAULT_PASS_PREFIX aws
+      complete -c pw --no-files -a '(__fish_pass_print_entries)'
+
+      # colors
+      set -x GCC_COLORS 'error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
+
+      abbr --add v vim
+
+      #alias cal='ncal -b -M'
+      alias myip='dig +short myip.opendns.com @resolver1.opendns.com'
+
+      function hm -d 'merge history and delete failed commands'
+          history --merge
+
+          if test -z "$fish_private_mode" && test -e "$__fish_user_data_dir/successful_commands" && test -e "$__fish_user_data_dir/failed_commands"
+              while read line;
+                  if ! grep -qFx $line "$__fish_user_data_dir/successful_commands"
+                      set hist_command (echo $line | base64 -d)
+                      echo "deleting command: $hist_command"
+                      echo "."
+                      history delete --exact --case-sensitive $hist_command
+                  end
+              end < "$__fish_user_data_dir/failed_commands"
+              echo -n > "$__fish_user_data_dir/successful_commands"
+              echo -n > "$__fish_user_data_dir/failed_commands"
+          end
+      end
+      hm
+
+      # fancy tools
+      if which exa > /dev/null 2>&1
+          alias l=exa
+          alias ll='exa -l --time-style=long-iso --git'
+          alias la='exa -la --time-style=long-iso --git'
+          alias tree='exa --tree'
+          alias llt='exa -s modified -l'
+      else
+          alias l=ls
+          alias ll='ls -l'
+          alias la='ls -la'
+          alias llt='ls -trl'
+      end
+
+      if which rg > /dev/null 2>&1
+          alias g=rg
+          complete -c g -w rg
+      else if which ag > /dev/null 2>&1
+          alias g=ag
+          complete -c g -w ag
+      else
+          alias g='grep --color=auto'
+          complete -c g -w grep
+      end
+
+      function jqless -d 'jq -C [args] | less -R'
+          jq -C $argv | less -R
+      end
+
+      # NixOS direnv
+      if which direnv > /dev/null
+          eval (direnv hook fish)
+      end
+
+      function __cut_commandline -d 'cut commandline and paste it later'
+          set -g commandline_buffer (commandline)
+          commandline ""
+      end
+
+
+
+      function __postexec --on-event fish_postexec
+          if test $status -ne 0
+              if test -z "$hist_cmd"
+                  if test -z "$fish_private_mode"
+                      echo $argv[1] | base64 >> "$__fish_user_data_dir/failed_commands"
+                  end
+              end
+          else
+              if test -z "$fish_private_mode"
+                  echo $argv[1] | base64 >> "$__fish_user_data_dir/successful_commands"
+              end
+              commandline $commandline_buffer
+              set -e commandline_buffer
+          end
+      end
+
+      function dirh-nocolor --description "Print the current directory history (the prev and next lists)"
+          set -l options h/help
+          argparse -n dirh --max-args=0 $options -- $argv
+          or return
+
+          if set -q _flag_help
+              __fish_print_help dirh
+              return 0
+          end
+
+          set -l dirc (count $dirprev)
+          if test $dirc -gt 0
+              set -l dirprev_rev $dirprev[-1..1]
+              # This can't be (seq $dirc -1 1) because of BSD.
+              set -l dirnum (seq 1 $dirc)
+              for i in $dirnum[-1..1]
+                  printf '%s\n' $dirprev_rev[$i]
+              end
+          end
+
+          echo $PWD
+
+          set -l dirc (count $dirnext)
+          if test $dirc -gt 0
+              set -l dirnext_rev $dirnext[-1..1]
+              for i in (seq $dirc)
+                  printf '%s\n' $dirnext_rev[$i]
+              end
+          end
+      end
+
+      function dirh-fzf -d 'directory history fuzzy finder'
+          builtin cd (dirh-nocolor | uniq | fzf)
+      end
+
+      bind \ed 'dirh-fzf'
+    '';
+  };
+
+  xdg.configFile."fish/completions/mycli.fish".text = ''
+    complete -e -c mycli
+    complete -c mycli -f -s h -l host     -d "Host address of the database."
+    complete -c mycli -f -s P -l port     -d "Port number to use for connection."
+    complete -c mycli -f -s u -l user     -d "User name to connect to the database."
+    complete -c mycli -f -s S -l socket   -d "The socket file to use for connection."
+    complete -c mycli -f -s p -l pass \
+                              -l password -d "Password to connect to the database."
+    complete -c mycli -f -s V -l version  -d "Output mycli's version."
+    complete -c mycli -f -s v -l verbose  -d "Verbose output."
+    complete -c mycli -f -s d -l dsn      -d "Use DSN configured into the [alias_dsn] section of myclirc file."
+    complete -c mycli -f      -l list-dsn -d "list of DSN configured into the [alias_dsn] section of myclirc file."
+
+    complete -c mycli -f -s t -l table    -d "Display batch output in table format."
+    complete -c mycli -f      -l csv      -d "Display batch output in CSV format."
+    complete -c mycli -f      -l warn \
+                              -l no-warn  -d "Warn before running a destructive query."
+    complete -c mycli -f -s e -l execute  -d "Execute command and quit."
+
+
+    complete -c mycli -f -s h -l host -r -a '(__fish_print_hostnames)'
+    complete -c mycli -f -s d -l dsn -r -a '(mycli --list-dsn)'
+  '';
+}

home-manager/modules/fpv.nix

@@ -2,7 +2,7 @@
 
 lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = with pkgs; [
-    betaflight-configurator
+    master.betaflight-configurator
     fpvout
   ];
 }

home-manager/modules/git.nix

@@ -1,59 +1,29 @@
-{ pkgs, ... }:
-let
-  identity.DigitalerDienst = {
-    name = "Jakob Lechner";
-    email = "j.lechner@digitaler-dienst.gmbh";
-  };
-in
+{ nixosConfig, pkgs, ... }:
+
 {
   programs = {
     git = {
       enable = true;
-      userName = "Jakob Lechner";
-      userEmail = "mail@jalr.de";
+      userName = nixosConfig.jalr.git.user.name;
+      userEmail = nixosConfig.jalr.git.user.email;
       signing = {
-        key = "3044E71E3DEFF49B586CF5809BF4FCCB90854DA9";
-        signByDefault = false;
-      };
-      diff-so-fancy = {
-        enable = true;
-        markEmptyLines = false;
+        key = nixosConfig.jalr.gpg.defaultKey;
+        signByDefault = nixosConfig.jalr.git.signByDefault;
       };
       extraConfig = {
         init.defaultBranch = "main";
+        core.pager = "${pkgs.diff-so-fancy}/bin/diff-so-fancy | less --tabs=4 -RFX";
         diff.sops.textconv = "${pkgs.sops}/bin/sops -d";
         pull.ff = "only";
         alias.find-merge = "!sh -c 'commit=$0 && branch=\${1:-HEAD} && (git rev-list $commit..$branch --ancestry-path | cat -n; git rev-list $commit..$branch --first-parent | cat -n) | sort -k2 -s | uniq -f1 -d | sort -n | tail -1 | cut -f2'";
         alias.show-merge = "!sh -c 'merge=$(git find-merge $0 $1) && [ -n \"$merge\" ] && git show $merge'";
-        color = {
-          ui = true;
-          meta = "11";
-          frag = "magenta bold";
-          func = "146 bold";
-          commit = "yellow bold";
-          old = "red bold";
-          new = "green bold";
-          whitespace = "red reverse";
-          diff-highlight = {
-            oldNormal = "red bold";
-            oldHighlight = "red bold 52";
-            newNormal = "green bold";
-            newHighlight = "green bold 22";
-          };
-        };
       };
       lfs.enable = true;
     };
-    lazygit = {
-      enable = true;
-      settings = {
-        gui.scrollHeight = 8;
-      };
-    };
     fish = {
       shellAbbrs = {
         ga = "git add";
-        gam = "git commit --amend --no-edit";
+        gam = "git commit --amend";
         gap = "git add --patch";
         gb = "git branch";
         gbd = "git branch --delete";
@@ -66,10 +36,12 @@ in
         gd = "git diff";
         gdc = "git diff --cached";
         gf = "git fetch";
+        ginit = "git init";
         gl = "git log";
-        gpll = "git pull --rebase";
+        gpll = "git pull";
         gpsh = "git push";
         grb = "git rebase --autostash";
+        grbi = "git rebase --autostash --interactive --autosquash refs/remotes/origin/HEAD";
         gr = "git restore";
         grs = "git restore --staged";
         grst = "git reset";
@@ -84,7 +56,6 @@ in
         gswc = "git switch -c";
         gwl = "git worktree list";
         gwr = "git worktree remove";
-        lg = "lazygit";
       };
       functions = {
         #function gwa -d 'git worktree add'
@@ -125,28 +96,19 @@ in
             end
           '';
         };
-        git_pick-commit = {
+        git_pick-commit_merge-base_origin = {
           description = "fuzzy find a commit hash";
           body = ''
-            git log --decorate --oneline --color=always \
-              | ${pkgs.fzf}/bin/fzf --ansi --preview='git show --color=always (echo {} | cut -d" " -f 1)' --preview-window=top:75% \
-              | cut -d" " -f 1
+            git log --oneline refs/remotes/origin/HEAD..HEAD | ${pkgs.fzf}/bin/fzf --preview='git show (echo {} | cut -d" " -f 1)' --preview-window=top:75% | cut -d" " -f 1
           '';
         };
         gfix = {
           description = "git commit --fixup with fuzzy find commmit picker";
           body = ''
-            set commit (git_pick-commit)
+            set commit (git_pick-commit_merge-base_origin)
             commandline "git commit --fixup=$commit"
           '';
         };
-        gi = {
-          description = "git interactive rebase with fuzzy find commmit picker";
-          body = ''
-            set commit (git_pick-commit)
-            commandline "git rebase --autostash --interactive --autosquash $commit"
-          '';
-        };
         ".g" = {
           description = "change directory to repository root";
           body = ''
@@ -189,23 +151,10 @@ in
             end
           '';
         };
-        "fish_set_git_author_by_pwd" = {
-          description = "Set Git identity by PWD";
-          body = ''
-            if string match -n $HOME'/digitaler-dienst/*' $PWD/ > /dev/null
-              if git rev-parse --git-dir >/dev/null 2>&1
-                git config --local user.name >/dev/null || git config --local user.name "${identity.DigitalerDienst.name}"
-                git config --local user.email >/dev/null || git config --local user.email "${identity.DigitalerDienst.email}"
-              end
-            end
-          '';
-          onVariable = "PWD";
-        };
       };
     };
   };
   home.packages = with pkgs; [
     git-crypt
-    tig
   ];
 }

home-manager/modules/gnuradio.nix

@@ -1,13 +1,13 @@
 { nixosConfig, lib, pkgs, ... }:
 
 let
-  gnuradioEnv = pkgs.gnuradio.override {
+  gnuradioEnv = pkgs.gnuradio3_8.override {
     extraPackages = pkgs.lib.attrVals [
       "osmosdr"
     ]
-      pkgs.gnuradioPackages;
+      pkgs.gnuradio3_8Packages;
   };
 in
-lib.mkIf nixosConfig.jalr.gui.enable {
+(lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = [ gnuradioEnv ];
-}
+})

home-manager/modules/graphics/default.nix

@@ -1,3 +1,5 @@
+{ nixosConfig, ... }:
+
 {
   imports = [
     ./gimp.nix

home-manager/modules/gui.nix

@@ -0,0 +1,15 @@
+{ nixosConfig, lib, pkgs, ... }:
+lib.mkIf nixosConfig.jalr.gui.enable {
+  home.packages = with pkgs; [
+    evince
+    gcr # required for pinentry-gnome
+    geeqie
+    mpv
+    networkmanagerapplet
+    networkmanagerapplet
+    pinentry-gnome
+    streamlink
+    vlc
+    xdg_utils
+  ];
+}

home-manager/modules/jameica.nix

@@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = with pkgs; [
-    trilium-next-desktop
+    jameica
   ];
 }

home-manager/modules/neo.nix

@@ -1,5 +1,6 @@
+{ config, pkgs, ... }:
 {
-  environment.variables = {
+  home.sessionVariables = {
     XKB_DEFAULT_LAYOUT = "de,de";
     XKB_DEFAULT_VARIANT = "neo,";
     XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";

home-manager/modules/neovim.nix

@@ -0,0 +1,174 @@
+{ lib, nixosConfig, config, pkgs, ... }:
+{
+  home.sessionVariables = {
+    EDITOR = "nvim";
+  };
+  programs.neovim = {
+    enable = true;
+    vimAlias = true;
+    extraConfig = ''
+      " use space as leader
+      let mapleader = " "
+
+      colorscheme NeoSolarized
+
+      """""""""""""""""
+      " Swap and undo "
+      set noswapfile
+      set nobackup
+      if has('persistent_undo')
+          " yay persistent undo
+          :silent !mkdir -p ~/.local/vim-undo
+          set undofile
+          set undodir=~/.local/vim-undo
+      endif
+
+      cabbr <expr> %% expand('%:p:h')
+
+      set listchars=trail:·,precedes:«,extends:»,eol:↲,tab:▸\
+      nmap <silent> <leader>c :set list!<CR>
+
+      set smartcase
+      set hlsearch
+      nnoremap <silent> <CR> :nohlsearch<CR>:set nolist<CR><CR>
+
+      " highlight whitespace
+      highlight ExtraWhitespace ctermbg=red guibg=red
+      highlight WrongIndent ctermbg=2 guibg=blue
+      match ExtraWhitespace /\s\+$/
+      augroup highlight_extra_whitespace
+          autocmd BufWinEnter * match ExtraWhitespace /\s\+$/
+          autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@<!$/
+          autocmd InsertLeave * match ExtraWhitespace /\s\+$/
+          autocmd BufWinLeave * call clearmatches()
+      augroup END
+
+      let g:deoplete#enable_at_startup = 1
+
+      sign define LspDiagnosticsSignError text=🟥
+      sign define LspDiagnosticsSignWarning text=🟠
+      sign define LspDiagnosticsSignInformation text=🟣
+      sign define LspDiagnosticsSignHint text=🟢
+
+      nnoremap <silent> gd    <cmd>lua vim.lsp.buf.definition()<CR>
+      nnoremap <silent> gi    <cmd>lua vim.lsp.buf.implementation()<CR>
+      nnoremap <silent> gr    <cmd>lua vim.lsp.buf.references()<CR>
+      nnoremap <silent> gD    <cmd>lua vim.lsp.buf.declaration()<CR>
+      nnoremap <silent> ge    <cmd>lua vim.lsp.diagnostic.set_loclist()<CR>
+      nnoremap <silent> K     <cmd>lua vim.lsp.buf.hover()<CR>
+      nnoremap <silent> <leader>f    <cmd>lua vim.lsp.buf.formatting()<CR>
+      nnoremap <silent> <leader>rn    <cmd>lua vim.lsp.buf.rename()<CR>
+
+      nnoremap <silent> <leader>a <cmd>lua vim.lsp.buf.code_action()<CR>
+      xmap <silent> <leader>a <cmd>lua vim.lsp.buf.range_code_action()<CR>
+
+      lua require('init')
+    '';
+
+    # nix-env -f '<nixpkgs>' -qaP -A vimPlugins
+    plugins = with pkgs.vimPlugins; [
+      #Valloric/MatchTagAlways
+      #frankier/neovim-colors-solarized-truecolor-only
+      #nvie/vim-rst-tables
+      NeoSolarized
+      deoplete-nvim
+      editorconfig-vim
+      nvim-lspconfig
+      vim-gitgutter
+      vim-indent-guides
+      vim-nix
+      vim-puppet
+      vim-terraform
+    ];
+  };
+
+  xdg.configFile."nvim/lua/init.lua".text = builtins.concatStringsSep "\n" (
+    [
+      ''
+        -- init.lua
+        -- this configuration applies to servers and workstations
+      ''
+    ] ++ lib.optional nixosConfig.jalr.workstation.enable (
+      ''
+        -- this configuration applies to workstations only
+        -- https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md
+        local lsp = require('lspconfig')
+      '' +
+      builtins.concatStringsSep "\n" (
+        lib.mapAttrsToList
+          (
+            lang: cfg: "lsp.${lang}.setup\n" + lib.generators.toLua { } cfg
+          )
+          {
+            # C and C++
+            ccls = {
+              cmd = [ "${pkgs.ccls}/bin/ccls" ];
+            };
+
+            # Nix
+            rnix = {
+              cmd = [ "${pkgs.rnix-lsp}/bin/rnix-lsp" ];
+            };
+
+            # Python
+            pylsp = {
+              cmd = [ "${pkgs.python310Packages.python-lsp-server}/bin/pylsp" ];
+              settings = {
+                # https://github.com/python-lsp/python-lsp-server/blob/develop/CONFIGURATION.md
+                pylsp = {
+                  plugins = {
+                    flake8 = {
+                      enabled = true;
+                      executable = "${pkgs.python310Packages.flake8}/bin/flake8";
+                    };
+                    jedi_completion = { enabled = true; };
+                    jedi_definition = { enabled = true; };
+                    jedi_hover = { enabled = true; };
+                    jedi_references = { enabled = true; };
+                    jedi_signature_help = { enabled = true; };
+                    jedi_symbols = { enabled = true; };
+                    mccabe = { enabled = true; };
+                    preload = { enabled = true; };
+                    pycodestyle = { enabled = true; };
+                    pyflakes = { enabled = true; };
+                    rope_completion = { enabled = true; };
+                    yapf = { enabled = true; };
+                  };
+                };
+              };
+            };
+
+            # Ruby
+            solargraph = {
+              cmd = [ "${pkgs.solargraph}/bin/solargraph" "stdio" ];
+            };
+
+            # Rust
+            rust_analyzer = {
+              cmd = [ "${pkgs.rust-analyzer}/bin/rust-analyzer" ];
+            };
+
+            # Bash
+            bashls = {
+              cmd = [ "${pkgs.nodePackages.bash-language-server}/bin/bash-language-server" "start" ];
+            };
+
+            # Terraform
+            terraform_lsp = {
+              cmd = [ "${pkgs.terraform-lsp}/bin/terraform-lsp" "serve" ];
+            };
+
+            # YAML
+            yamlls = {
+              cmd = [ "${pkgs.nodePackages.yaml-language-server}/bin/yaml-language-server" "--stdio" ];
+              settings = {
+                yaml = {
+                  keyOrdering = false;
+                };
+              };
+            };
+          }
+      )
+    )
+  );
+}

home-manager/modules/obs-studio/default.nix

@@ -2,7 +2,7 @@
 
 {
   programs.obs-studio = {
-    inherit (nixosConfig.jalr.gui) enable;
+    enable = nixosConfig.jalr.gui.enable;
     plugins = with pkgs; [
       obs-studio-plugins.wlrobs
     ];

home-manager/modules/pass.nix

@@ -0,0 +1,29 @@
+{ nixosConfig, config, pkgs, ... }:
+
+let
+  pw = pkgs.writeScriptBin "pw" ''
+    p="$(${pkgs.pass}/bin/pass show "$1")"
+
+    copy_line() {
+      echo -n "$p" | ${pkgs.gnused}/bin/sed -n "$1"p | ${pkgs.wl-clipboard}/bin/wl-copy -o -f
+    }
+
+    echo "username"
+    copy_line 2
+    echo "password"
+    copy_line 1
+  '';
+in
+{
+  home.packages = [
+    pw
+  ] ++
+  (
+    if nixosConfig.jalr.gui.enable
+    then with pkgs; [
+      qtpass
+      pass-wayland
+    ]
+    else [ ]
+  );
+}

home-manager/modules/pcmanfm.nix

@@ -0,0 +1,7 @@
+{ nixosConfig, lib, pkgs, ... }:
+lib.mkIf nixosConfig.jalr.gui.enable {
+  home.packages = with pkgs; [
+    pcmanfm
+  ];
+}
+

home-manager/modules/python.nix

@@ -1,10 +1,8 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.workstation.enable {
   home.packages = with pkgs; [
-    (python3.withPackages (pp: with pp; [
-      ipython
-      pyyaml
-      virtualenv
-    ]))
+    python310
+    python310Packages.virtualenv
+    python310Packages.ipython
   ];
 }

home-manager/modules/solarized.nix

@@ -0,0 +1,23 @@
+builtins.mapAttrs
+  (name: hex: {
+    inherit hex;
+    rgb = builtins.concatStringsSep "," (map (f: toString (builtins.fromTOML "i = 0x${f hex}").i) (map (pos: builtins.substring pos 2) [ 1 3 5 ]));
+  })
+{
+  base00 = "#657b83";
+  base01 = "#586e75";
+  base02 = "#073642";
+  base03 = "#002b36";
+  base0 = "#839496";
+  base1 = "#93a1a1";
+  base2 = "#eee8d5";
+  base3 = "#fdf6e3";
+  blue = "#268bd2";
+  cyan = "#2aa198";
+  green = "#859900";
+  magenta = "#d33682";
+  orange = "#cb4b16";
+  red = "#dc322f";
+  violet = "#6c71c4";
+  yellow = "#b58900";
+}

home-manager/modules/sound/default.nix

@@ -1,8 +1,8 @@
+{ nixosConfig, ... }:
+
 {
   imports = [
     ./audacity.nix
-    ./easyeffects.nix
     ./pipewire.nix
-    #./ksoloti.nix
   ];
 }

home-manager/modules/sound/easyeffects.nix

@@ -0,0 +1,7 @@
+{ nixosConfig, lib, pkgs, ... }:
+
+lib.mkIf nixosConfig.jalr.gui.enable {
+  home.packages = with pkgs; [
+    easyeffects
+  ];
+}

home-manager/modules/sound/pipewire.nix

@@ -2,6 +2,7 @@
 
 lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = with pkgs; [
+    easyeffects
     pavucontrol
     qpwgraph
   ];

home-manager/modules/sway/default.nix

@@ -1,21 +1,24 @@
-{ nixosConfig, config, lib, pkgs, ... }:
+{ nixosConfig, config, lib, pkgs, stdenv, ... }:
 
 let
   solarized = import ../solarized.nix;
   terminalEmulator =
-    pkgs.writeShellScript "wezterm-sway-cwd" ''
-      this_wezterm_pid="$(${pkgs.sway}/bin/swaymsg -t get_tree --raw | ${pkgs.jq}/bin/jq -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="org.wezfurlong.wezterm")).pid')"
+    if nixosConfig.jalr.terminalEmulator == "alacritty"
+    then
+      pkgs.writeShellScript "alacritty-sway-cwd" ''
+        this_alacritty_pid="$(${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
 
-      if [ "$this_wezterm_pid" ]; then
-          child_pid="$(pgrep -P "$this_wezterm_pid")"
+        if [ "$this_alacritty_pid" ]; then
+            child_pid="$(pgrep -P "$this_alacritty_pid")"
             cwd="$(readlink /proc/$child_pid/cwd)"
         fi
         if [ -e "$cwd" ]; then
-          exec ${pkgs.wezterm}/bin/wezterm start --cwd "$cwd"
+            exec ${pkgs.alacritty}/bin/alacritty --working-directory "$cwd"
         fi
 
-      exec ${pkgs.wezterm}/bin/wezterm
-    '';
+        exec ${pkgs.alacritty}/bin/alacritty
+      ''
+    else nixosConfig.jalr.terminalEmulator;
   cfg = config.wayland.windowManager.sway.config;
   wallpaper = pkgs.fetchurl {
     url = "https://raw.githubusercontent.com/swaywm/sway/3b2bc894a5ebbcbbd6707d45a25d171779c2e874/assets/Sway_Wallpaper_Blue_1920x1080.png";
@@ -24,59 +27,19 @@ let
     meta.license = lib.licenses.cc0;
   };
   move-to-output = pkgs.callPackage ./move-to-output { };
-  gsettings =
-    let
-      schema = pkgs.gsettings-desktop-schemas;
-      datadir = "${schema}/share/gsettings-schemas/${schema.name}";
-    in
-    pkgs.writeShellScriptBin "gsettings" ''
-      export XDG_DATA_DIRS=${datadir}:$XDG_DATA_DIRS
-      gnome_schema=org.gnome.desktop.interface
-      #gsettings set $gnome_schema gtk-theme 'Dracula'
-      ${pkgs.glib}/bin/gsettings "$@"
-    '';
-  matchHostname = hostname: lib.optionalAttrs (nixosConfig.networking.hostName == hostname);
-  resumeTimeTrackingNotification = pkgs.writeShellScript "resume-time-tracking-notification" ''
-    export PATH=${pkgs.lib.makeBinPath [pkgs.timewarrior pkgs.libnotify]}
-    task="$1"
-    date="$2"
-    if [ $(notify-send --action 'default=Resume time tracking' "Tracking '$task' stopped at $date, resume?") = "default" ]; then
-      timew continue
-    fi
-  '';
-  lockScreen = pkgs.writeShellScript "lock-screen" ''
-    export PATH="${pkgs.lib.makeBinPath [pkgs.gnused pkgs.timewarrior pkgs.coreutils pkgs.swaylock]}"
-    task="$(timew | sed -n -r 's/^Tracking (.*)$/\1/p')"
-    date="$(date --rfc-3339=seconds)"
-    if [ "$task" != "" ]; then
-      timew stop
-      nohup ${resumeTimeTrackingNotification} "$task" "$date" >/dev/null 2>&1 &
-    fi
-    swaylock -f -i ${wallpaper}
-  '';
 in
 {
   imports = lib.optionals nixosConfig.jalr.gui.enable [
     ./gammastep.nix
-    ./mako.nix
-    ./screenshare.nix
     ./waybar.nix
-    ./wofi-bluetooth.nix
     ./wofi.nix
+    ./wofi-bluetooth.nix
     ./yubikey-touch-detector.nix
   ];
 } // (lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = with pkgs; [
-    gsettings
-    libnotify # notify-send
-    mako
-    slurp
-    swappy # screenshot editing
     sway-contrib.grimshot # screenshots
-    timewarrior
     wdisplays # graphical output manager
-    wl-clipboard
-    wl-mirror
   ];
 
   home.sessionVariables = {
@@ -88,6 +51,28 @@ in
     _JAVA_AWT_WM_NONREPARENTING = "1";
   };
 
+  #home.sessionVariables = {
+  #  CLUTTER_BACKEND = "wayland";
+  #  GDK_BACKEND = "wayland";
+  #  GDK_DPI_SCALE = 1;
+  #  MOZ_ENABLE_WAYLAND = 1;
+  #  QT_QPA_PLATFORM = "wayland-egl";
+  #  QT_WAYLAND_DISABLE_WINDOWDECORATION = 1;
+  #  SDL_VIDEODRIVER = "wayland";
+  #  WLR_NO_HARDWARE_CURSORS = 1;
+  #  _JAVA_AWT_WM_NONREPARENTING = 1;
+  #  _JAVA_OPTIONS = "-Dawt.useSystemAAFontSettings=on";
+  #};
+
+  programs.fish.loginShellInit = ''
+    if [ -z $WAYLAND_DISPLAY ] && [ (tty) = /dev/tty1 ]
+        export XDG_SESSION_TYPE="wayland" # otherwise set to tty
+        set -e __HM_SESS_VARS_SOURCED
+        set -e __NIXOS_SET_ENVIRONMENT_DONE
+        exec systemd-cat -t sway sway
+    end
+  '';
+
   wayland.windowManager.sway = {
     enable = true;
 
@@ -99,19 +84,19 @@ in
       down = "r";
 
       terminal = "${terminalEmulator}";
-      menu = "${pkgs.wofi}/bin/wofi --allow-images --show drun --color=$HOME/.config/wofi/color";
+      menu = "${pkgs.wofi}/bin/wofi --allow-images --show drun";
 
-      input."type:keyboard" = {
-        xkb_layout = "de,de,us";
-        xkb_variant = "neo,,";
-        xkb_options = "grp:win_space_toggle";
-      };
+      output."*".bg = "${wallpaper} fill";
 
-      output = {
-        "*".bg = "${wallpaper} fill";
-      } // matchHostname "copper" {
-        eDP-1.scale = toString 1.5;
-      };
+      # FIXME
+      #input = {
+      #  #"type:keyboard" = {
+      #  #  xkb_layout = "neo";
+      #  #};
+      #} // (lib.optionalAttrs (nixosConfig.networking.hostName == "mayushii") {
+      #  "type:touchpad".events = "disabled";
+      #  "2:10:TPPS/2_Elan_TrackPoint".pointer_accel = "-0.15";
+      #});
 
       keybindings = {
         "${cfg.modifier}+Return" = "exec ${cfg.terminal}";
@@ -233,8 +218,7 @@ in
 
         "XF86AudioMute" = "exec pactl set-source-mute alsa_input.usb-BEHRINGER_UMC202HD_192k-00.HiFi__umc202hd_mono_in_U192k_0_1__source toggle";
 
-        "${cfg.modifier}+l" = "exec ${lockScreen}";
-        "${cfg.modifier}+v" = "exec GSK_RENDERER=cairo GTK_USE_PORTAL=0 ${pkgs.mixxc}/bin/mixxc -A";
+        "${cfg.modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock -f -i ${wallpaper}";
       };
 
       bars = [ ]; # managed as systemd user unit
@@ -272,20 +256,6 @@ in
           criteria = { app_id = "firefox"; title = "Firefox — Sharing Indicator"; };
           command = "kill";
         }
-        {
-          criteria = {
-            app_id = "firefox-esr";
-            title = "Extension: \\\\(Tree Style Tab\\\\) - Close tabs\\\\? — Mozilla Firefox";
-          };
-          command = "floating enable";
-        }
-        {
-          criteria = {
-            app_id = "yad";
-            title = "Pomodoro";
-          };
-          command = "floating enable";
-        }
       ];
 
       window.border = 2;
@@ -299,22 +269,45 @@ in
         border = 1;
       };
 
+      colors = {
+        focused = rec {
+          border = solarized.base1.hex;
+          background = solarized.base2.hex;
+          text = solarized.base1.hex;
+          indicator = solarized.cyan.hex;
+          childBorder = background;
+        };
+        focusedInactive = rec {
+          border = solarized.base0.hex;
+          background = solarized.base03.hex;
+          text = solarized.base0.hex;
+          indicator = solarized.cyan.hex;
+          childBorder = background;
+        };
+        unfocused = rec {
+          border = solarized.base0.hex;
+          background = solarized.base03.hex;
+          text = solarized.base0.hex;
+          indicator = solarized.cyan.hex;
+          childBorder = background;
+        };
+        urgent = rec {
+          border = solarized.base02.hex;
+          background = solarized.red.hex;
+          text = solarized.base02.hex;
+          indicator = solarized.cyan.hex;
+          childBorder = background;
+        };
+      };
+
       fonts = {
         names = [ "monospace" ];
         style = "Regular";
-
-        # FIXME: this is an ugly workaround until https://github.com/swaywm/sway/issues/7409 is fixed
-        size = 0.001;
+        size = 10.0;
       };
     };
 
     extraConfig = ''
-      include ~/.config/sway/theme
-
-      # Hide title bar, see https://github.com/swaywm/sway/issues/6946
-      titlebar_border_thickness 0
-      titlebar_padding 1
-
       # Cursor
       seat seat0 xcursor_theme Adwaita
     '' + (
@@ -355,48 +348,35 @@ in
       Environment = "PATH=${pkgs.bash}/bin:${config.wayland.windowManager.sway.package}/bin";
       ExecStart = ''
         ${pkgs.swayidle}/bin/swayidle -w \
-            timeout 300 "${lockScreen}" \
-            timeout 270 '${pkgs.sway}/bin/swaymsg "output * dpms off"' \
+            timeout 300 "${pkgs.swaylock}/bin/swaylock -f -i ${wallpaper}" \
+            timeout 300 '${pkgs.sway}/bin/swaymsg "output * dpms off"' \
                 resume '${pkgs.sway}/bin/swaymsg "output * dpms on"' \
-            before-sleep "${lockScreen}"
+            before-sleep "${pkgs.swaylock}/bin/swaylock -f -i ${wallpaper}"
       '';
       Restart = "on-failure";
     };
   };
 
-  xdg.configFile =
-    let
-      makeTheme = scheme: ''
-        client.focused ${scheme.base05} ${scheme.base0D} ${scheme.base00} ${scheme.base0D} ${scheme.base0D}
-        client.focused_inactive ${scheme.base01} ${scheme.base01} ${scheme.base05} ${scheme.base03} ${scheme.base01}
-        client.unfocused ${scheme.base01} ${scheme.base00} ${scheme.base05} ${scheme.base01} ${scheme.base01}
-        client.urgent ${scheme.base08} ${scheme.base08} ${scheme.base00} ${scheme.base08} ${scheme.base08}
-      '';
-    in
-    {
-      "sway/light-theme".text = makeTheme solarized.light.hex;
-      "sway/dark-theme".text = makeTheme solarized.dark.hex;
-      "swaynag/config".text =
+  xdg.configFile."swaynag/config".text =
     let
       # adding it to the header doesn’t work since the defaults overwrite it
       commonConfig = /* ini */ ''
-            background=${lib.substring 1 6 solarized.colors.base3}
-            border-bottom=${lib.substring 1 6 solarized.colors.base2}
-            border=${lib.substring 1 6 solarized.colors.base2}
-            button-background=${lib.substring 1 6 solarized.colors.base3}
-            button-text=${lib.substring 1 6 solarized.colors.base00}
+        background=${lib.substring 1 6 solarized.base3.hex}
+        border-bottom=${lib.substring 1 6 solarized.base2.hex}
+        border=${lib.substring 1 6 solarized.base2.hex}
+        button-background=${lib.substring 1 6 solarized.base3.hex}
+        button-text=${lib.substring 1 6 solarized.base00.hex}
       '';
     in
       /* ini */ ''
       font=Monospace 12
 
       [warning]
-          text=${lib.substring 1 6 solarized.colors.yellow}
+      text=${lib.substring 1 6 solarized.yellow.hex}
       ${commonConfig}
 
       [error]
-          text=${lib.substring 1 6 solarized.colors.red}
+      text=${lib.substring 1 6 solarized.red.hex}
       ${commonConfig}
     '';
-    };
 })

home-manager/modules/sway/move-to-output/default.nix

@@ -1,5 +1,5 @@
-{ stdenv, pkgs, ... }:
-stdenv.mkDerivation {
+{ lib, stdenv, pkgs, writeShellScript, ... }:
+stdenv.mkDerivation rec {
   name = "sway-move-to-output";
   phases = "installPhase";
   installPhase = ''
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     chmod +x $out/bin/move-to-output
   '';
   script = ''
-    #!${pkgs.python3}/bin/python
+    #!${pkgs.python310}/bin/python
     import sys
     import json
     import subprocess

home-manager/modules/sway/waybar.nix

@@ -0,0 +1,491 @@
+{ config, lib, nixosConfig, pkgs, ... }:
+let
+  watchUserUnitState = unit: started: stopped: pkgs.writeShellScript "watch-user-unit-${unit}-state" ''
+    ${pkgs.systemd}/bin/journalctl --user -u ${unit} -t systemd -o cat -f \
+        | ${pkgs.gnugrep}/bin/grep --line-buffered -Eo '^(Started|Stopped)' \
+        | ${pkgs.jq}/bin/jq --unbuffered -Rc 'if . == "Started" then ${builtins.toJSON started} else ${builtins.toJSON stopped} end'
+  '';
+
+  toggleUserUnitState = unit: pkgs.writeShellScript "toggle-user-unit-${unit}-state" ''
+    if ${pkgs.systemd}/bin/systemctl --user show ${unit} | ${pkgs.gnugrep}/bin/grep -q ActiveState=active; then
+        ${pkgs.systemd}/bin/systemctl --user stop ${unit}
+    else
+        ${pkgs.systemd}/bin/systemctl --user start ${unit}
+    fi
+  '';
+
+  makoInhibitorTest = pkgs.writeShellScript "mako-inhibitor-test" ''
+    export PATH=${pkgs.lib.makeBinPath (with pkgs; [pkgs.libnotify])}
+    notify-send "test"
+    notify-send "bla $1"
+  '';
+  setMakoMode = pkgs.writeShellScript "set-mako-mode" ''
+    export PATH=${pkgs.lib.makeBinPath (with pkgs; [pkgs.mako])}
+
+    if [[ "$2" = "toggle" ]]; then
+        if makoctl mode | grep -Fxq "$1"; then
+            action = "add"
+        else
+            action = "remove"
+        fi
+    else
+        action = "$2"
+    fi
+
+    case "$action" in
+        add)
+            makoctl mode -a "$1"
+        ;;
+        remove)
+            makoctl mode -d "$1"
+        ;;
+        *)
+            exit 1
+        ;;
+    esac
+  '';
+
+  # for fine-grained control over spacing
+  thinsp = " ";
+
+  solarized = import ../solarized.nix;
+in
+{
+  # home-manager’s waybar module performs additional checks that are overly strict
+  xdg.configFile."waybar/config".text = lib.generators.toJSON { } {
+    layer = "top";
+    position = "top";
+    height = 24;
+
+    modules-center = [ ];
+    modules-left = [
+      "sway/workspaces"
+      "sway/mode"
+    ];
+    modules-right = [
+      "tray"
+      "custom/screencast"
+      "custom/redshift"
+      "idle_inhibitor"
+      "backlight"
+      "mpd"
+      "pulseaudio"
+      "network"
+      "custom/vpn"
+      "memory"
+      "cpu"
+      "temperature"
+      "battery"
+      "clock"
+      "custom/calendar"
+    ];
+
+    "sway/workspaces" = {
+      disable-scroll = true;
+    };
+    "sway/mode" = {
+      format = "{}";
+    };
+
+    tray = {
+      spacing = 5;
+    };
+    "custom/redshift" = {
+      exec = watchUserUnitState
+        "gammastep"
+        { class = "active"; }
+        { class = "inactive"; };
+      on-click = toggleUserUnitState "gammastep";
+      return-type = "json";
+      format = "󰌵";
+      tooltip = false;
+    };
+    idle_inhibitor = {
+      format = "{icon}";
+      format-icons = {
+        activated = "󰈈 ";
+        deactivated = "󰈉 ";
+      };
+      on-click = "${makoInhibitorTest} {}";
+    };
+    "custom/screencast" = {
+      exec = pkgs.writeScript "screencast-monitor" /* python */ ''
+        #!${pkgs.python3}/bin/python3
+        import subprocess
+        import sys
+
+        active_outputs = 0
+
+        with subprocess.Popen(
+            ["${pkgs.coreutils}/bin/stdbuf", "-o0", "${nixosConfig.services.pipewire.package}/bin/pw-link", "-m", "-o", "xdg-desktop-portal-wlr"],
+            stdout=subprocess.PIPE,
+            text=True,
+        ) as proc:
+            for line in proc.stdout:
+                action = line.split(" ")[0]
+                if action == "=" or action == "+":
+                    active_outputs += 1
+                elif action == "-":
+                    active_outputs -= 1
+                else:
+                    print(f"Invalid action {action} (in line {line})", file=sys.stderr)
+
+                if active_outputs > 0:
+                    print("󱒃")
+                else:
+                    print()
+
+                sys.stdout.flush()
+      '';
+      format = "{}";
+      tooltip = false;
+    };
+    backlight = {
+      format = "{percent}% {icon}";
+      format-icons = [ "󰛩" "󱩎" "󱩏" "󱩐" "󱩑" "󱩒" "󱩓" "󱩔" "󱩕" "󱩖" "󰛨" ];
+      on-scroll-up = "${pkgs.brightnessctl}/bin/brightnessctl -q set +5%";
+      on-scroll-down = "${pkgs.brightnessctl}/bin/brightnessctl -q set 5%-";
+    };
+    mpd = {
+      server = config.services.mpd.network.listenAddress;
+      format = "{stateIcon} {consumeIcon}{randomIcon}{repeatIcon}{singleIcon}{artist} – {title} ({elapsedTime:%M:%S}/{totalTime:%M:%S}) 󰎈";
+      format-disconnected = "Disconnected 󰎈";
+      format-stopped = "{consumeIcon}{randomIcon}{repeatIcon}{singleIcon}Stopped 󰎈";
+      unknown-tag = "N/A";
+      interval = 2;
+      tooltip-format = "MPD (connected)";
+      tooltip-format-disconnected = "MPD (disconnected)";
+      on-scroll-up = "${pkgs.mpc_cli}/bin/mpc -q -h ${config.services.mpd.network.listenAddress} volume +2";
+      on-scroll-down = "${pkgs.mpc_cli}/bin/mpc -q -h ${config.services.mpd.network.listenAddress} volume -2";
+      title-len = 48;
+      artist-len = 24;
+      consume-icons = {
+        on = "󰩫  ";
+      };
+      random-icons = {
+        off = "󰒞 ";
+        on = "󰒝 ";
+      };
+      repeat-icons = {
+        on = "󰑖 ";
+      };
+      single-icons = {
+        on = "󰑘 ";
+      };
+      state-icons = {
+        paused = "󰏤 ";
+        playing = "󰐊 ";
+      };
+    };
+    pulseaudio = {
+      format = "{volume}% {icon} {format_source}";
+      format-bluetooth = "{volume}% {icon}󰗾{format_source}";
+      format-bluetooth-muted = "{icon}󰗿{format_source}";
+      format-muted = "󰝟 {format_source}";
+      format-source = "{volume}% ${thinsp}";
+      format-source-muted = "${thinsp}";
+      format-icons = {
+        car = "󰄋 ";
+        default = [ "󰕿" "󰖀" "󰕾" ];
+        hands-free = "󰋎";
+        headphone = "󰋋";
+        headset = "󰋎";
+        phone = "󰏲";
+        portable = "󰏲";
+      };
+      on-click-right = "${pkgs.pavucontrol}/bin/pavucontrol";
+    };
+    network = {
+      format-wifi = "{essid} ({signalStrength}%) 󰖩 ";
+      format-ethernet = "{ipaddr}/{cidr} 󰈀 ";
+      format-linked = "{ifname} (No IP) 󰈀 ";
+      format-disconnected = "Disconnected ⚠ ";
+      format-alt = "{ifname}: {ipaddr}/{cidr}";
+      tooltip = false;
+      on-click-right = "${config.programs.alacritty.package}/bin/alacritty -e ${pkgs.networkmanager}/bin/nmtui";
+    };
+    "custom/vpn" = {
+      interval = 10;
+      exec = pkgs.writeShellScript "vpn-state" ''
+        ${pkgs.iproute}/bin/ip -j link \
+          | ${pkgs.jq}/bin/jq --unbuffered --compact-output '
+            [[.[].ifname | select(. | startswith("mullvad"))][] | split("-")[1] + " 󰌾${thinsp}"] as $conns
+            | { text: ($conns[0] // ""), class: (if $conns | length > 0 then "connected" else "disconnected" end) }'
+      '';
+      return-type = "json";
+      format = "{}";
+      tooltip = false;
+    };
+    memory = {
+      interval = 2;
+      format = "{:2}% 󰍛 ";
+    };
+    cpu = {
+      interval = 2;
+      format = "{usage:2}%  ";
+      tooltip = false;
+    };
+    temperature = {
+      critical-threshold = 80;
+      format = "{temperatureC}°C {icon}";
+      format-icons = [ "" "" "" "" "" ];
+    } // (lib.optionalAttrs (nixosConfig.networking.hostName == "mayushii") {
+      hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input";
+    });
+    battery = {
+      interval = 5;
+      format = "{capacity}% {icon}";
+      format-charging = "{capacity}% ";
+      format-plugged = "{capacity}% x";
+      format-alt = "{time} {icon}";
+      format-icons = [ "󰂎" "󰁺" "󰁻" "󰁼" "󰁽" "󰁾" "󰁿" "󰂀" "󰂁" "󰂂" "󰁹" ];
+      states = {
+        critical = 15;
+        good = 95;
+        warning = 30;
+      };
+    };
+    clock = {
+      format = "{:%H:%M %Z}";
+      format-alt = "{:%Y-%m-%d (%a)}";
+      tooltip-format = "<big>{:%Y %B}</big>\n<tt><small>{calendar}</small></tt>";
+    };
+    "custom/calendar" = {
+      interval = 300;
+      exec = pkgs.writeScript "calendar" /* python */ ''
+        #!${pkgs.python3}/bin/python3
+        import json
+        import subprocess
+
+
+        def khal(args):
+            completed = subprocess.run(["${pkgs.khal}/bin/khal"] + args, capture_output=True)
+            assert completed.returncode == 0
+            return completed.stdout.decode("utf-8")
+
+
+        events_today = khal(["list", "today", "today", "-df", "", "-f", "{title}"]).rstrip().split("\n")
+        events_2d = khal(["list", "today", "tomorrow", "-df", "<b>{name}, {date}</b>"]).rstrip()
+
+        if len(events_today) == 1 and events_today[0] == "No events":
+            events_today = []
+
+        if len(events_today) == 0:
+            text = "󰃮 "
+        else:
+            text = f"{len(events_today)} 󰃶 "
+
+        print(
+            json.dumps(
+                {
+                    "class": "active" if len(events_today) > 0 else "",
+                    "text": text,
+                    "tooltip": events_2d,
+                }
+            )
+        )
+      '';
+      return-type = "json";
+      format = "{}";
+    };
+  };
+  xdg.configFile."waybar/style.css".text = ''
+    * {
+      border-radius: 0;
+      border: none;
+      font-family: "Iosevka Nerd Font";
+      font-size: 14px;
+      min-height: 0;
+      transition-property: none;
+    }
+
+    window#waybar {
+      background-color: ${solarized.base03.hex};
+      color: ${solarized.base0.hex};
+    }
+
+    #workspaces button {
+      padding: 0 5px;
+      background-color: ${solarized.base03.hex};
+      color: inherit;
+      border-bottom: 2px solid transparent;
+    }
+
+    #workspaces button:hover {
+      background: ${solarized.base02.hex};
+      box-shadow: inherit;
+      text-shadow: inherit;
+    }
+
+    #workspaces button.focused {
+      border-bottom: 2px solid ${solarized.green.hex};
+    }
+
+    #workspaces button.urgent {
+      background-color: ${solarized.red.hex};
+    }
+
+    #mode {
+      background-color: ${solarized.base02.hex};
+      font-style: italic;
+    }
+
+    /* all modules on the right */
+    #waybar > box > box:nth-child(3) > widget > label {
+      padding: 0 10px;
+    }
+
+    #battery.charging {
+      color: ${solarized.base02.hex};
+      background-color: ${solarized.green.hex};
+    }
+
+    @keyframes blink {
+      to {
+        background-color: ${solarized.base3.hex};
+        color: ${solarized.base00.hex};
+      }
+    }
+
+    #battery.critical:not(.charging),
+    #temperature.critical {
+      background-color: ${solarized.red.hex};
+      animation-name: blink;
+      animation-duration: 0.5s;
+      /* FIXME use nearest neighbor interpolation if possible */
+      animation-timing-function: cubic-bezier(1, 0, 0, 1);
+      animation-iteration-count: infinite;
+      animation-direction: alternate;
+    }
+
+    #cpu {
+      background-color: ${solarized.cyan.hex};
+      color: ${solarized.base02.hex}
+    }
+
+    #memory {
+      background-color: ${solarized.yellow.hex};
+      color: ${solarized.base02.hex}
+    }
+
+    #backlight {
+      background-color: ${solarized.base3.hex};
+      color: ${solarized.base00.hex};
+    }
+
+    #network {
+      background-color: ${solarized.violet.hex};
+      color: ${solarized.base02.hex}
+    }
+
+    #custom-vpn {
+      background-color: ${solarized.blue.hex};
+      color: ${solarized.base02.hex}
+    }
+
+    #network.disconnected {
+      background-color: ${solarized.red.hex};
+    }
+
+    #pulseaudio {
+      background-color: ${solarized.base3.hex};
+      color: ${solarized.base00.hex};
+    }
+
+    #pulseaudio.muted {
+      background-color: ${solarized.base03.hex};
+      color: ${solarized.base0.hex};
+    }
+
+    #temperature {
+      background-color: ${solarized.magenta.hex};
+      color: ${solarized.base02.hex};
+    }
+
+    #idle_inhibitor.activated {
+      background-color: ${solarized.base3.hex};
+      color: ${solarized.base03.hex};
+    }
+
+    #mpd {
+      background-color: ${solarized.green.hex};
+      color: ${solarized.base02.hex};
+    }
+
+    #mpd.disconnected {
+      background-color: ${solarized.red.hex};
+    }
+
+    #mpd.stopped {
+      background-color: ${solarized.orange.hex};
+    }
+
+    #mpd.paused {
+      background-color: ${solarized.yellow.hex};
+    }
+
+    #custom-redshift {
+      color: ${solarized.base02.hex};
+    }
+
+    #custom-redshift.active {
+      background-color: ${solarized.red.hex};
+    }
+
+    #custom-redshift.inactive {
+      background-color: ${solarized.blue.hex};
+    }
+
+    #tray {
+      padding: 0 5px;
+    }
+
+    #custom-notification_inhibitor.active {
+      background-color: ${solarized.base3.hex};
+      color: ${solarized.base03.hex};
+    }
+
+    #custom-screencast {
+      background-color: ${solarized.red.hex};
+      color: ${solarized.base03.hex};
+      animation-name: blink;
+      animation-duration: 0.5s;
+      animation-timing-function: cubic-bezier(1, 0, 0, 1);
+      animation-iteration-count: infinite;
+      animation-direction: alternate;
+    }
+
+    #custom-calendar.active {
+      background-color: ${solarized.base3.hex};
+      color: ${solarized.base00.hex};
+    }
+  '';
+
+  systemd.user.services.waybar = {
+    Unit = {
+      Description = "Highly customizable Wayland bar for Sway and Wlroots based compositors.";
+      Documentation = "https://github.com/Alexays/Waybar/wiki/";
+      PartOf = [ "sway-session.target" ];
+    };
+
+    Install.WantedBy = [ "sway-session.target" ];
+
+    Service = {
+      # ensure sway is already started, otherwise workspaces will not work
+      ExecStartPre = "${config.wayland.windowManager.sway.package}/bin/swaymsg";
+      ExecStart = "${pkgs.waybar}/bin/waybar";
+      ExecReload = "${pkgs.utillinux}/bin/kill -SIGUSR2 $MAINPID";
+      Restart = "on-failure";
+      RestartSec = "1s";
+    };
+  };
+
+  # TODO: remove when https://github.com/nix-community/home-manager/issues/2064
+  # is resolved
+  systemd.user.targets.tray = {
+    Unit = {
+      Description = "Home Manager System Tray";
+      Requires = [ "graphical-session-pre.target" ];
+    };
+  };
+}

home-manager/modules/sway/wofi.nix

@@ -0,0 +1,64 @@
+{ nixosConfig, config, lib, pkgs, ... }:
+
+let
+  solarized = import ../solarized.nix;
+in
+{
+  xdg.configFile."wofi/style.css".text =
+    let
+      # adding it to the header doesn’t work since the defaults overwrite it
+      commonConfig = /* ini */ ''
+        background=${lib.substring 1 6 solarized.base3}
+        border-bottom=${lib.substring 1 6 solarized.base2}
+        border=${lib.substring 1 6 solarized.base2}
+        button-background=${lib.substring 1 6 solarized.base3}
+        button-text=${lib.substring 1 6 solarized.base00}
+      '';
+    in
+      /* css */ ''
+      window {
+        margin: 0px;
+        border: 3px solid ${solarized.base02.hex};
+        border-radius: 8px;
+        background-color: rgba(${solarized.base03.rgb},0.8);
+      }
+
+      #input {
+        margin: 5px;
+        border: none;
+        color: ${solarized.base0.hex};
+        background-color: rgba(${solarized.base02.rgb},0.8);
+      }
+
+      #inner-box {
+        margin: 5px;
+        border: none;
+        background: none;
+      }
+
+      #outer-box {
+        margin: 5px;
+        border: none;
+        background: none;
+      }
+
+      #scroll {
+        margin: 0px;
+        border: none;
+      }
+
+      #text {
+        margin: 5px;
+        border: none;
+        color: ${solarized.base0.hex};
+      }
+
+      #entry:selected {
+        background-color: rgba(${solarized.base02.rgb},0.8);
+      }
+
+      #entry:selected #text{
+        color: ${solarized.green.hex};
+      }
+    '';
+}

home-manager/modules/sway/yubikey-touch-detector.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ nixosConfig, config, lib, pkgs, ... }:
 
 {
   systemd.user.services.yubikey-touch-detector = {

home-manager/modules/terraform.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  home.packages = with pkgs; [
+    terraform
+  ];
+
+  home.sessionVariables = {
+    TF_PLUGIN_CACHE_DIR = "$HOME/.local/share/terraform/plugins";
+  };
+}

home-manager/modules/tmux.nix

@@ -1,3 +1,4 @@
+{ config, pkgs, ... }:
 {
   programs.tmux = {
     enable = true;

home-manager/modules/vdirsyncer.nix

@@ -45,6 +45,27 @@ let
     };
   };
 
+  mkWebcalSection = { name, url ? null, urlCommand ? null }: assert url == null -> urlCommand != null; {
+    "pair calendar_${name}" = {
+      a = "calendar_${name}_local";
+      b = "calendar_${name}_remote";
+      collections = null;
+    };
+
+    "storage calendar_${name}_local" = {
+      type = "filesystem";
+      path = "${calendarBasePath}/${name}/";
+      fileext = ".ics";
+    };
+
+    "storage calendar_${name}_remote" = {
+      type = "http";
+    } // (if urlCommand != null then {
+      "url.fetch" = fetchCommand urlCommand;
+    } else {
+      inherit url;
+    });
+  };
 in
 {
   home.packages = with pkgs; [

home-manager/users/default.nix

@@ -0,0 +1,28 @@
+{ lib, ... }:
+
+{
+  options.jalr = {
+    git = {
+      user = {
+        name = lib.mkOption {
+          type = lib.types.str;
+          description = "name to use for git commits";
+        };
+        email = lib.mkOption {
+          type = lib.types.str;
+          description = "email to use for git commits";
+        };
+      };
+      signByDefault = lib.mkEnableOption "GPG sign commits per default";
+    };
+    gpg.defaultKey = lib.mkOption {
+      type = lib.types.str;
+      description = "default gpg key id";
+    };
+    terminalEmulator = lib.mkOption {
+      type = lib.types.str;
+      description = "default Terminal emulator name";
+      default = "alacritty";
+    };
+  };
+}

home-manager/users/jal.nix

@@ -0,0 +1,224 @@
+{ config, lib, pkgs, ... }:
+
+let
+  userName = "jal";
+  vpn_routes = [
+    "10.18.0.0/16" # OEE VPC
+    "10.64.0.0/16" # CPS
+    "10.158.128.0/23" # approval
+    "10.158.224.0/20" # core production
+    "10.158.240.0/20" # core development
+    #"10.96.0.0/24" # CCS infrastructure
+    #"10.96.8.0/24" # Boomi
+    #"10.96.10.0/24" # Boomi (new)
+    "10.96.0.0/16"
+    "10.170.254.30/32" "10.170.254.40/32" # core DNS resolver
+  ];
+  vpnc-script = pkgs.writeShellScript "vpnc-script-tb" ''
+    cisco_split_inc="$CISCO_SPLIT_INC"
+    export CISCO_SPLIT_INC=0
+
+    echo "DNS server sent by vpn: $INTERNAL_IP4_DNS"
+    unset INTERNAL_IP4_DNS
+
+    route_in_whitelist() {
+        for route in ${builtins.toString vpn_routes}; do
+            [ "$1" = "$route" ] && return 0
+        done
+        return 1
+    }
+
+    routes() {
+      for i in $(seq 0 $((cisco_split_inc-1))); do
+          addr_var="CISCO_SPLIT_INC_''${i}_ADDR"
+          mask_var="CISCO_SPLIT_INC_''${i}_MASK"
+          masklen_var="CISCO_SPLIT_INC_''${i}_MASKLEN"
+          addr="''${!addr_var}"
+          mask="''${!mask_var}"
+          masklen="''${!masklen_var}"
+          if route_in_whitelist "$addr/$masklen"; then
+              case "$1" in
+                  add)
+                      if [ -n "$NETGW" ]; then
+                          ip route add "$addr/$masklen" metric 100 dev "$TUNDEV" via "$NETGW"
+                      else
+                          ip route add "$addr/$masklen" metric 100 dev "$TUNDEV"
+                      fi
+                  ;;
+                  remove)
+                      ip route del "$addr/$masklen" dev "$TUNDEV"
+                  ;;
+              esac
+              echo "allowing route '$addr/$masklen'"
+          else
+              echo "ignoring route '$addr/$masklen'"
+          fi
+      done
+    }
+
+    case "$reason" in
+        pre-init|reconnect|attempt-reconnect)
+            "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
+        ;;
+        connect)
+            "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
+            routes add
+        ;;
+        disconnect)
+            routes remove
+            "${pkgs.vpnc-scripts}/bin/vpnc-script" "$@"
+        ;;
+        *)
+            echo "reason '$reason' is not implemented" >&2
+            exit 1
+        ;;
+    esac
+  '';
+  tradebyte-vpn = pkgs.writeShellScriptBin "tradebyte-vpn" ''
+    [ $UID -ne 0 ] && exec sudo -- "$0" "$@"
+    /run/wrappers/bin/sudo -u "$SUDO_USER" ${pkgs.pass}/bin/pass show zalando | openconnect \
+      --protocol=pulse \
+      -u jlechner \
+      --passwd-on-stdin \
+      -i pulse \
+      --pfs \
+      --disable-ipv6 \
+      --script=${vpnc-script} \
+      https://remote.tradebyte.org | grep -v '^> '
+  '';
+  aws_defaults = {
+    sso = {
+      start_url = "https://d-9967250383.awsapps.com/start";
+      region = "eu-central-1";
+      role_name = "AdministratorAccess";
+    };
+    region = "eu-central-1";
+  };
+in
+{
+  imports = [
+    ./default.nix
+  ];
+
+  jalr = {
+    git = {
+      user = {
+        name = "Jakob Lechner";
+        email = "jal@tradebyte.biz";
+      };
+      signByDefault = false;
+    };
+    gpg.defaultKey = "FE170812543DF81393EA56BA5042B8317A10617E";
+    aws = {
+      enable = true;
+      accounts = {
+        ops_testing = {
+          sso_account_id = 134848648016;
+          sso_start_url = aws_defaults.sso.start_url;
+          sso_region = aws_defaults.sso.region;
+          sso_role_name = aws_defaults.sso.role_name;
+          region = aws_defaults.region;
+        };
+        core-production = {
+          sso_account_id = 455520445575;
+          sso_start_url = aws_defaults.sso.start_url;
+          sso_region = aws_defaults.sso.region;
+          sso_role_name = aws_defaults.sso.role_name;
+          region = aws_defaults.region;
+        };
+        tbmeta-production = {
+          sso_account_id = 696695470425;
+          sso_start_url = aws_defaults.sso.start_url;
+          sso_region = aws_defaults.sso.region;
+          sso_role_name = aws_defaults.sso.role_name;
+          region = aws_defaults.region;
+        };
+        abnahme = {
+          sso_account_id = 837645089494;
+          sso_start_url = aws_defaults.sso.start_url;
+          sso_region = aws_defaults.sso.region;
+          sso_role_name = aws_defaults.sso.role_name;
+          region = aws_defaults.region;
+        };
+        core-develop = {
+          sso_account_id = 934000686307;
+          sso_start_url = aws_defaults.sso.start_url;
+          sso_region = aws_defaults.sso.region;
+          sso_role_name = aws_defaults.sso.role_name;
+          region = aws_defaults.region;
+        };
+        infrastructure = {
+          sso_account_id = 994756397773;
+          sso_start_url = aws_defaults.sso.start_url;
+          sso_region = aws_defaults.sso.region;
+          sso_role_name = aws_defaults.sso.role_name;
+          region = aws_defaults.region;
+        };
+        tbmeta-development = {
+          sso_account_id = 730951147261;
+          sso_start_url = aws_defaults.sso.start_url;
+          sso_region = aws_defaults.sso.region;
+          sso_role_name = aws_defaults.sso.role_name;
+          region = aws_defaults.region;
+        };
+      };
+    };
+  };
+
+  users.users.${userName} = {
+    isNormalUser = true;
+    extraGroups = [
+      "dialout"
+      "podman"
+      "libvirtd"
+      "lp"
+      "networkmanager"
+      "scanner"
+      "video"
+      "wheel"
+      "wireshark"
+    ]; # Enable ‘sudo’ for the user.
+    shell = pkgs.fish;
+  };
+
+  home-manager = {
+    useUserPackages = true;
+    useGlobalPkgs = true;
+    users.${userName} = { lib, pkgs, ... }: {
+      imports = [ ../modules ];
+      config = {
+        home.stateVersion = config.system.stateVersion;
+
+        home.packages = with pkgs; [
+          mycli
+          timetrap
+          tradebyte-vpn
+
+          # common
+          asciinema
+          bat
+          docker-compose
+          envsubst
+          exa
+          gnupg
+          nmap
+          psutils
+          pwgen
+          tig
+          vlc
+          xdg_utils
+        ];
+      };
+    };
+  };
+
+  security.sudo.extraRules = [{
+    users = [ userName ];
+    commands = [
+      {
+        command = "${tradebyte-vpn}/bin/tradebyte-vpn";
+        options = [ "NOPASSWD" ];
+      }
+    ];
+  }];
+}

home-manager/users/jalr.nix

@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./default.nix
+  ];
+
+  jalr = {
+    git = {
+      user = {
+        name = "Jakob Lechner";
+        email = "mail@jalr.de";
+      };
+      signByDefault = true;
+    };
+    gpg.defaultKey = "66FB54F6081375106EEBF651A222365EB448F934";
+  };
+
+  users.users.jalr = {
+    isNormalUser = true;
+    extraGroups = [
+      "audio"
+      "dialout"
+      "docker"
+      "libvirtd"
+      "lp"
+      "networkmanager"
+      "scanner"
+      "video"
+      "wheel"
+      "wireshark"
+    ]; # Enable ‘sudo’ for the user.
+    shell = pkgs.fish;
+  };
+
+  home-manager = {
+    useUserPackages = true;
+    useGlobalPkgs = true;
+    users.jalr = { lib, pkgs, ... }: {
+      imports = [ ../modules ];
+      config = {
+        home.stateVersion = if config.system.stateVersion == "22.11" then "22.05" else config.system.stateVersion;
+
+        home.packages = with pkgs; [
+          cutecom
+          ghostscript
+          newsboat
+          pdftk
+          platformio
+          ptouch-print
+          qrencode
+          sshfs
+          tmate
+
+          # common
+          asciinema
+          bat
+          docker-compose
+          envsubst
+          exa
+          gnupg
+          nmap
+          psutils
+          pwgen
+          tig
+        ];
+      };
+    };
+  };
+}

hosts/aluminium/configuration.nix

@@ -1,18 +1,21 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:
 
+let
+  iptablesAppendIfMissing = rule: "iptables -C " + rule + " || iptables -A " + rule;
+  iptablesInsertIfMissing = rule: "iptables -C " + rule + " || iptables -I " + rule;
+in
 {
   imports = [
     ./hardware-configuration.nix
-    ../../users/jalr
+    ../../home-manager/users/jalr.nix
     ./services
-    ./ports.nix
   ];
 
+  networking.hostName = "aluminium";
   services.openssh.enable = true;
   security.sudo.wheelNeedsPassword = false;
 
   networking = {
-    hostName = "aluminium";
     useDHCP = false;
     vlans = {
       lechner = {
@@ -23,10 +26,6 @@
         id = 2;
         interface = "enp1s0";
       };
-      iot = {
-        id = 3;
-        interface = "enp1s0";
-      };
       pv = {
         id = 10;
         interface = "enp1s0";
@@ -35,10 +34,6 @@
         id = 11;
         interface = "enp1s0";
       };
-      sprechanlage = {
-        id = 12;
-        interface = "enp1s0";
-      };
     };
     interfaces = {
       lechner.ipv4.addresses = [{
@@ -49,21 +44,13 @@
         address = "192.168.1.1";
         prefixLength = 24;
       }];
-      iot.ipv4.addresses = [{
-        address = "192.168.2.1";
-        prefixLength = 24;
-      }];
       pv.ipv4.addresses = [{
         address = "192.168.10.1";
         prefixLength = 30;
       }];
       heizung.ipv4.addresses = [{
         address = "192.168.10.5";
-        prefixLength = 30;
-      }];
-      sprechanlage.ipv4.addresses = [{
-        address = "192.168.10.9";
-        prefixLength = 30;
+        prefixLength = 24;
       }];
       enp2s0.useDHCP = false;
     };
@@ -75,22 +62,19 @@
         "voice"
       ];
     };
-    firewall.extraInputRules = ''
-      iifname "voice" udp dport 5059 accept
-      ip saddr 217.10.68.150 udp dport 5060 accept
-    '';
-    nftables.tables.pppoe = {
-      family = "ip";
-      content = ''
-        chain clamp {
-          type filter hook forward priority mangle;
-          oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu comment "clamp MSS to Path MTU"
-        }
-      '';
+    firewall = {
+      extraCommands = lib.concatStringsSep "\n" [
+        (iptablesAppendIfMissing "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
+        (iptablesInsertIfMissing "INPUT -i voice -p udp -m udp --dport 5060 -j ACCEPT")
+        (iptablesInsertIfMissing "INPUT -s 217.10.68.150 -p udp --dport 5060 -j ACCEPT")
+      ];
     };
   };
 
 
+  sops.secrets.pap-secrets = {
+    sopsFile = ./secrets.yaml;
+  };
   environment.etc."ppp/pap-secrets".source = config.sops.secrets.pap-secrets.path;
   services.pppd = {
     enable = true;
@@ -136,7 +120,7 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "22.05"; # Did you read the comment?
 
 }
 

hosts/aluminium/hardware-configuration.nix

@@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
   imports =

hosts/aluminium/ports.nix

@@ -1,16 +1,7 @@
-{ custom-utils, ... }:
+{ lib, custom-utils, ... }:
 
-{
-  config.networking.ports = custom-utils.validatePortAttrset {
-    asterisk-rtp.udp = { from = 10000; to = 10200; };
+custom-utils.validatePortAttrset {
+  asterisk-rtp = { udp.range = [ 10000 10200 ]; };
+  unifi.tcp = 8443;
   doorbell-audiosocket.tcp = 9092;
-    doorbell-webrtc-ice.tcp = 8189;
-    doorbell-webrtc.tcp = 8889;
-    esphome.tcp = 6052;
-    home-assistant.tcp = 8123;
-    nginx-http.tcp = 80;
-    nginx-https.tcp = 443;
-    unifi-inform.tcp = 8080;
-    unifi-ui.tcp = 8443;
-  };
 }

hosts/aluminium/secrets.yaml

@@ -4,7 +4,6 @@ myintercom-doorbell-password: ENC[AES256_GCM,data:waUUvHQ9BZFePQ==,iv:ev21SNOwzd
 asterisk-pjsip: ENC[AES256_GCM,data:PMgHCdo7K1a9/OitWdUonJ66gr70uwYgylCCWAO9cYOeXdPTIFuFLHlgBIUUxfln3UqhquTzoTluZJW9vaSuzZGe1kLIYrb1hRyrM0HLCCQc8m46jN898le/9ZrEivxonWkxf4FTfpENIf7iEr5KHh4vfd4tr4IbORTFdpcbsy8pd5eyvS8G2z9dynIWS19zqrzfGrW6yZICzAJz28IQCiiHgpN16bqSwlcPm1UdX+qi0+ZJ3TAr16Px1F9VFOXtEsu4EZvJSomecJDuhjo3QzBFffXDL971of8KX05BJgtpP6SzIZXKfSWaOxaguctdFr2tScvze0o3FXpDoOn0cvinOdYQt1P2TzjFnBZ4I3N1turpD4be9xJ92coV/j1hBsZHj2mWE/iCdsrzj2uP/74b4Mo1BJZ6l1gXFg3OgyDXaVoMxAOnutelCEG0lf78hsJXF56aQ1LVSUly6ugZP4rMiPFg5oa7WfrIsVVURUt7WRFrDLCYIQVynpfeUxHshPSB+/jVvYLqie5XeNt8B8mgTJYFo5hFB28sa1beqYEA27QMT3gRvWivqDnuf8soVi/r3WREfnSCBujhzXQF/uJZEwqVEn0OQo9ICfJ8hqtvDiAw6Hb4Wn+0maoYQeKjbPHeL3kr1SUE/kU913FNig4Yn66QKYevLLIkd3uQ0GqTLcgn4Ttwu3qArlXXxrI4US8yA7XGQUutVadN7ayyZBbYnw+vUTlPfhSO+ridK3huGKnQfcPAbD31L11EeQBe2820Nba9Bb4d5QAkiGsNj5y9tZ4Vl6l2JErO63fVPKQ9fPxD3yYyZpP8Hm1e7Wl1eRsNtoWqkTRtno7hIpAYFoMYTUk2x5U/qZOgtRX0JHufi6+GXvPPlBaQNfiGzNlJjdmtTT6MGLPRQjsASGi00pSjKd4psAj9Uf8rttsHhJHvIRDRsiNSjae+JGbVlyyauU1JL44Qf+U+MaJDjkLagNqUZ9xgNFmXzr7st6bRFYCJHkmQC8bgJsdpwRMz3HjNzrKZRvRhHIiwT3d+oyrd9hoSQl3JkxcrD7AfEThrBQL9BpGCDcfr5RzfNv8Fb08tR7rlIzyb6Rw3eKlY1obfZRRNTF+iYlBDz8LLI+BwWqJiefbHB2F9nOC0of5Eqm5gjn+MXSKuSIP5ltDsjfO+m6q7c+t7udKwnJVnePtOnuf4uQpKfxjpld4e8Y1N9hyuKSjqEy83UB4yXJb1OoUAOXENvdPhGFDghmSC+ZVcCZRBG2k6d6MdXY6AkdjUAteDQLsDNMwpW8a8RwOXlDoAtxu7yEYP51BrHu2spagNfXMWHThnkcuR/TvqAPmcPlzVjcX+tnuU0k+JK5e4eWc+diTcvo8fpeaKi7A4uyGWRaZsoaauxsK1dEwIgmAAYyWc0Hl+Z49/dLW8kgr/Qh9N5SRRk/SLk4GvS0uyYYClN7G/7LdMDUwWifr32oqXEINDh0NEyehEJ9dEQsIIH5gR3OdlEAuL1C7/Js3/ZCdBREXRYt4y5y4TAO/kMmGgv7Y/Z2XVD0klXVBMvVnil4LJ0H5KF+RZC4j/C6acRBdrPaI0nlE3bfAbmizQN9D7jOj5BkkRzBaYlMaBuFKRKUA6CUanhUWhIn3ZlF3Z+o4PGB2c7EFXZN+PzOSgkQYUD7KtVW/QV94mxkcqN9mKe6mAbj87neN1IHhEkNOj7KJQP60pqDjx6N+WYFpD3sYvDcJDg2WFumR8F2v+jHx09v5AB1r6AzhPJ3TCwnHN4e1+Nexxlb91iPcoSmLRF3Fimn7307260CtaA70hngWHSRaBcKTXi3WL1v9kKOou2kKs1GMy5bjREtqheBxZ1i4x56VtANF9lo9UT+97qxuAqk08Rc4z9j5M8cJK/d1syRT0z/uAuTWlRgxdE/Fj/OlDNr/SnZw9CLkQ0SVJAuJFFg9EY0ru3PC9PDNt9CJiVy0GoeK0mv7ZkTv2o456kdzMpJPBwpKLIO9tpZBbNZrMn1HpLJrfXIvmuVDFmm3EH6FVhGoI+4yB11Eo/2aEMzUOEtn55KNeESkoVel6GgYiwrg1ZlQS7XhdCTGyCOMbFTOLHgUe4vaUfPBNOyLaLWE3ZiyGCxVb+nBltcPSDHrNtbc2fuPqVom3Z1wfmako1BGcwRzbLdaUPwuu6eRa/KxppPh/PoYTttPxOArql25BWAVTI6BIhlvGgZgqDRwihHBGt1uyXjwv4ufES5zgxhMB8mNqVnCSkcLXXyvpmCiB5kEv5+V4nCJIXSNbmym+V9tEzGh+cx8up24IHrg6gG28fHfMcV7Z+JzN86jogr+sgH9wigrcYcDqTE9lHJhaZlmNraTl8viAwEXkPC/dnQuPSTX5V1qeRtKo1oFkf9xnPhdVLq51GoVU+MhQqZsbnqymgKnPWTQq3Kyiux5go/Li0BqfiV+Wwpn+f3WXJ21aMpU2FfIR26z2DULlJUYDKoewmklq8vzk5iZ/tywPFGR1G0z8IM5jwr+qz0uEccAtulCWsQjtvw0kGLnTsoB2WNL4x0Kti/cE14purKaE65wMrBoG/mxd6R7ZHE7u/Uo1MDAsgqsS8MomCqyxC/1yH9BdhpXc6VZJpborqWQjW/kK8/OBxWFjfQgwvDGeQkgv2ShV0c8U6DgnS545Im9aAxQGvu1sXMhnVNQZdZ2Ta3Gz7bTHqkxB4/X7KGHdGSmw5s/RQfo0BkBBBLLTc49pcmJTxG5LPkRebCM8ANX57qj3u/D9wYumFKclTglNdrjaxSdh3zTb1kEQ0rn/D4z7lVNUsw7srUUZeEadg3xTZSmSustbziXvp51juiJeyPjVY2AlmbVVxU0O245kbyWA8lHcEluo+dfk0Rr9hDNHz35NxQRCslPHiSKswxfuPcqyzlSiBMLsMWrJ5/RyQJgaO/XJ/x3R2o4h+MiHtUKj91epxAIpYD8JqQ4eaUkP6GJRNDSNLK3VNP69Qecc7b6AvV5udzt2up0lp7OuzEZeT88Vg8YcZvOv1UTxmkI6dem1xi4imJs+V4OZrcSt9ZTlc34rc6/lvVxVQZs/1vADB0ZVk3jp24KWuRWFGacJqUIxW8TbI8N1DtmZcf7sqoQU1QPRzkOa/UYmzWablAP4B5M5WOjyr3YSJGOzHxN+GSSs4K4jHUon+LbpKxHL5KJUSsD+kZFTfsDauFhAzpFDhR2wW/XYLr0iTvKQ6+26dIpW65P8Egv+n/CXQE0wuJ1R5z0M4FucpUo+FTUIcww8cfqfHqMlMeKEFeu8/QNdZ0uj06Q8/j6E/OUjpxTIVRQBs4qaLWxMZv3zulCUe9Czr6c28NhewIJlLUxOnCVDo5pT1OmzZPghurNyhTBFP8PfJrRXN1h2uvXfGP46dgt9jgeqqQqP9xlq+fzo9cyEZ/n4nQvY+CBuOW9Cqo41zNB0PQ3tC9SU477gQkDrg0M6/bAk+xsqVg1DpZOSuRUQnOfbTdZ1CXhESy+dcri9BeKKcTCZ6aenvW4W4J6OV8en3L4jPFsgqEWJUk1qr9ggM5NXc7RIrR0eCsiR9V1gi4HWMF1roTZ3wK9NvdATj3HWTGssfdpXht/vjedIp+InNWBWjnBfIf7XWuPgiB/ZW9uew8g8vDLULGVtww==,iv:bFKc8e+3rLAHje8UWwY2elof5xqceTTWX1f7nkE91nM=,tag:NWMiljj8urTDoka5bkF0jg==,type:str]
 asterisk-ari: ENC[AES256_GCM,data:HnY7d3BdScb0bmsBVlsTHAMv2k8tyyA/,iv:q+NsCHcGGOCe6gdAHbFfjKvO4dyWoW/xI5jtngJmdds=,tag:e8kuEsEokf5lAAgO/coxTQ==,type:str]
 asterisk-voicemail: ENC[AES256_GCM,data:uyXeBP+9WkfVot4Ot3vwv3OEZfoVDK2I+lvaPpGJTZp16YNtP+uxNiW2ynewQlORCTY59bP1jW3bQdT/ASGsErOrhInYSytTyfdZ51BF9+jz0TH6oWxsSuuawTrkC8jvJOpejt6XuGoYbbqlM/VL1xzgDkq3ztTxaHTfdTonQij2Q4cYddMRHWIEuBCK7FU2TlHAJeIFZvtE0MiyNNT3rEWSs1xcljTGfMjkoMd+FI1uZSQT4r0kAaPPkvCWcAGH6R+F0Ue++i9TuLhu+sDV+X6u3N/garDW74H0bOcLJysImtuPXh1aXuBkHQuC1Liss/IF4NDjtDDhpfc0eePR5MWv/Kj0q+VFJiUPY6XnWh6fG9I2yY22+I7eAAg/xWVZBXPWbFHRz8jm1owp4ln6/hcrJOw6Fzw8tZ6Jd9nciOeOmR1KtjEzklPP5kP1YQPtGio/LnOaAAhTHy16MbWf/Ey4S30+eHB+joD8OM93+YxxrdKNE6XXEcAhkdpHYecrvz4Co1fhY7ZoOnNvA8Juup/7PMyNEU/Fy4Pta34aT/j1s7de2vTpRNBeecWvgFA9Qd7Re/2XPqOAkpduxDniwsUdb52oL39MBoOCY8brmXn2J/mMDeOmoqvjRHsPZsajPTAqF/nqRB8VpwoZAKAx59DYBGgmHz7/7JRX9NXOAus1yLbMfVqDftk6+KTFQ9wCqei3jaI/K5AJrSEwlZG0BLoDefIGXT5f8bNNgSn865j2RP+FLa6W3/u5t+k=,iv:/phktIxMdDO5Nrum7hf3oLDmQO04lrkvFuHNw77aRks=,tag:7OUg0BG9X7nBHWiQNaSOEQ==,type:str]
-esphome: ENC[AES256_GCM,data:2pFVokO8YTyKa1F7EePo6wIS3y6prL8SSkxypWZkHl3Ye6Qg0eqZ4du/iwLIXQpJoc6R3uU7D6eIQEVOGbwqYp6+F0CW17F89k9c/VLHQHRpWbA20GgLr7X4fZ8xdbp7HCLpVxRsdzDz8aoARfV8Cn6T7Uo80ah1rMDnTj10WI+Yu6xVqVwPNWrSk9NUGKMK32M2slk=,iv:Xla0c4d9rxn06upy7GTbWBQ8pzl+gLnIw+Rf6hqQlhk=,tag:S+clc2ctuOA6lsInSFm93Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,25 +13,25 @@ sops:
         - recipient: age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZmNOcVlKNmZCdWN5NVBy
-            U3VRbXl3OUljWCtITXZCQTdrVkIxOEtDZHg4CktBNjVKRmVucjRpYXo3WXFWd1VV
-            MFpGdWIvTmNHRlJ4akxUQkZzWUtXVUkKLS0tIGs3NlNXREVkT1Nta2prSXk4QkV0
-            NEtzRXY1Q1Njelc1YXNWVE9Jd2NnOFEKjOWHaxO5fF5l+c1Hv6QLBQajrvu1VimZ
-            Hqk0GYrFpfpFtbhBRyrYgmNuX/qIRMHemdXcNKDYcj0WXgsdVqH7Qw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodUx5V25ETmJLTi9EZlRU
+            ZnYweXliTDl4ZUlvcmliTjhQRkpzU0pkNXlZCjFtYU5ySWFxOGlNL29SR2RJZHNu
+            UHJ4YWE4UWJVeEJBUXJwaHJBd292REkKLS0tIDV2WlppeUxIOWFPTHlRYTBaMzA0
+            MU41eU8zeTRRUlZyUXV0U1N6U0NRNnMKZK3vfyRRr7Iu6HfpdpmDTKzUbEnCnW9l
+            rGjFmY9VX2q9w3j/4E5uUToQfeGMqqBTOFUB3hNgU8K5ZT7wMbOXAg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-17T20:41:27Z"
-    mac: ENC[AES256_GCM,data:f7RdcXpu9CGSZpIF8rwuIkn97EWRxJXxoC7KKbkZg4yxSxZJR/S5UXzEC56eY73IdBHap4op3l+cO7pT7p1rkspHQPH/5D225ihVQ8PQ29u2nlyyrrebB5tM1Mt+rJRlizBPxDDKySJYgdqZCWUwB8f5hQudpb0CGra7NfQreRg=,iv:vwpVqib7fyuV83FiyMT4BOeuqyrcspFyieQGWyZZzcU=,tag:zuJVSA2WqzSvM4MBWrdRlQ==,type:str]
+    lastmodified: "2023-11-06T23:32:51Z"
+    mac: ENC[AES256_GCM,data:7lW6i4ULus4348NwnV/ovcWebspBcEBzYqLtl+8xFOfe3erIFnC3iRo0ibZJ8yishZpIUxoVu08yxQoa1qEriC57WETMaR+iGUPaY75tHraBJGY26Etk7Hy2QhQ7D+srBY+CogHhHAD8HUwT4/ZiPqKe1eQAvNg/6HWnjbQkG/Q=,iv:r43odkYgQsyK5uJJ5V98kTx7enP7TRuFoTnYfHmD/8o=,tag:hR+1zCniHs1l3qSkhQhtFw==,type:str]
     pgp:
-        - created_at: "2024-01-31T01:19:14Z"
+        - created_at: "2022-11-02T22:14:19Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DY/xpNY5WhB0SAQdAkeQx8NatnRtZUJa/G0zaw+NL5twonTayNH8mmNBXOWgw
-            EWaC9Yq6yWntxxfkVaJHN5BEzxVVumrKmpKSIkvCkJqFZ5SuYH/DyE9oZZSr7iC/
-            0l4BTKZ8SdxQL8usQPSQVbs9skr7KsYfhtjTeTi823RwZLD1+wZKwqe43AJTE0Hl
-            b2jIihfXa7wKTfi9jXI/mpxLRpGH8kZnPoQuldkz1zWIU14YKoTKq55My8qwR4uW
-            =RazZ
+            wV4D3ylLYNOsO+0SAQdASri/Ozm8ibaE1PN8ItRanuAGU4jRQL1g4U8GbsiXWzcw
+            u7trrk6foY98pfVAP4Z78X4Dp79UagorlDCT6F6yWtfFODFdTVJdbzJsD5QtZ1vK
+            0lEBMmTyLDw4lzTpedDhvgkWpNd33TC3WgAfRb/2LCSPmoVp83O7ja6BfuBQDkWY
+            gP7g815fKYigaihDH8HlNzvRoOOcGC9+6lyQkHTJyRjKsrg=
+            =WfhH
             -----END PGP MESSAGE-----
-          fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+          fp: 66FB54F6081375106EEBF651A222365EB448F934
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

hosts/aluminium/services/asterisk/default.nix

@@ -1,15 +1,33 @@
-{ config, lib, pkgs, ... }:
+args@{ config, lib, pkgs, custom-utils, ... }:
 
 let
-  inherit (config.networking) ports;
+  ports = import ../../ports.nix args;
   secretConfigFiles = [
     "ari"
     "pjsip"
     "voicemail"
   ];
+  rtp = {
+    start = builtins.elemAt ports.asterisk-rtp.udp.range 0;
+    end = builtins.elemAt ports.asterisk-rtp.udp.range 1;
+  };
   voicemail-sounds = pkgs.callPackage ./voicemail-sounds { };
-in
-{
+in {
+  systemd.services.asterisk-voicemail-sounds = {
+    wantedBy = ["asterisk.service"];
+    after = ["asterisk.service"];
+    script = ''
+      ln -sfn \
+        ${voicemail-sounds}/unavail.wav \
+        /var/spool/asterisk/voicemail/lechner/876/unavail.wav
+    '';
+    restartTriggers = [voicemail-sounds];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+
   services.asterisk = {
     enable = true;
     confFiles = {
@@ -120,7 +138,7 @@ in
       '';
       "features.conf" = ''
         [applicationmap]
-        doorOpen => 1,peer,Gosub,"door-open,s,1"
+        doorOpen => #9,peer,Gosub,"door-open,s,1"
       '';
       "http.conf" = ''
         [general]
@@ -138,8 +156,8 @@ in
       '';
       "rtp.conf" = ''
         [general]
-        rtpstart=${toString ports.asterisk-rtp.udp.from}
-        rtpend=${toString ports.asterisk-rtp.udp.to}
+        rtpstart=${toString rtp.start}
+        rtpend=${toString rtp.end}
       '';
       "dnsmgr.conf" = ''
         [general]
@@ -150,11 +168,12 @@ in
     useTheseDefaultConfFiles = [ ];
   };
 
-  sops.secrets = lib.listToAttrs (map
+  sops.secrets = (lib.listToAttrs (map
     (name: lib.nameValuePair "asterisk-${name}" {
+      sopsFile = ../../secrets.yaml;
       owner = config.users.users.asterisk.name;
     })
-    secretConfigFiles);
+    secretConfigFiles));
   environment.etc = lib.mapAttrs'
     (name: _: lib.nameValuePair
       "asterisk/${name}.conf"
@@ -162,15 +181,15 @@ in
     (lib.listToAttrs (map (name: lib.nameValuePair name { }) secretConfigFiles));
 
   networking.firewall = {
-    allowedUDPPortRanges = lib.singleton ports.asterisk-rtp.udp;
-    interfaces.voice = {
-      allowedTCPPorts = [ 5060 ];
-      allowedUDPPorts = [ 5060 ];
-    };
+    allowedUDPPortRanges = [
+      {
+        from = rtp.start;
+        to = rtp.end;
+      }
+    ];
   };
 
-  systemd.services = {
-    "asterisk-reload-endpoint@" = {
+  systemd.services."asterisk-reload-endpoint@" = {
     description = "Check if asterisk endpoint is identified and reload it when it is not.";
     serviceConfig = {
       Type = "oneshot";
@@ -185,21 +204,19 @@ in
       fi
     '';
   };
-    asterisk-voicemail-sounds = {
-      wantedBy = [ "asterisk.service" ];
+
+  systemd.timers.asterisk-reload-endpoint = {
+    description = "Check if asterisk endpoint is identified and reload it when it is not.";
     after = [ "asterisk.service" ];
-      script = ''
-        ln -sfn \
-          ${voicemail-sounds}/unavail.wav \
-          /var/spool/asterisk/voicemail/lechner/876/unavail.wav
-      '';
-      restartTriggers = [ voicemail-sounds ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      Persistent = true;
+      OnCalendar = "*-*-* *:*:00";
+      Unit = "asterisk-reload-endpoint@sipgate.service";
     };
   };
-    "asterisk-voicemail-call@" = {
+
+  systemd.services."asterisk-voicemail-call@" = {
     description = "Check if voicemail exists and place a call to the voicemail application.";
     serviceConfig = {
       Type = "oneshot";
@@ -229,21 +246,8 @@ in
       mv "$callfile" /var/spool/asterisk/outgoing/
     '';
   };
-  };
 
-  systemd.timers = {
-    asterisk-reload-endpoint = {
-      description = "Check if asterisk endpoint is identified and reload it when it is not.";
-      after = [ "asterisk.service" ];
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        Persistent = true;
-        OnCalendar = "*-*-* *:*:00";
-        Unit = "asterisk-reload-endpoint@sipgate.service";
-      };
-    };
-
-    asterisk-voicemail-call-10 = {
+  systemd.timers.asterisk-voicemail-call-10 = {
     description = "Check if voicemail exists and place a call to the voicemail application.";
     after = [ "asterisk.service" ];
     wantedBy = [ "timers.target" ];
@@ -253,7 +257,7 @@ in
       Unit = "asterisk-voicemail-call@876:lechner:10.service";
     };
   };
-    asterisk-voicemail-call-11 = {
+  systemd.timers.asterisk-voicemail-call-11 = {
     description = "Check if voicemail exists and place a call to the voicemail application.";
     after = [ "asterisk.service" ];
     wantedBy = [ "timers.target" ];
@@ -263,5 +267,6 @@ in
       Unit = "asterisk-voicemail-call@876:lechner:11.service";
     };
   };
-  };
+
+  #voicemailCallScript
 }

hosts/aluminium/services/asterisk/voicemail-sounds/default.nix

@@ -1,4 +1,4 @@
-{ stdenvNoCC }:
+{ lib, stdenvNoCC }:
 
 stdenvNoCC.mkDerivation {
   name = "voicemail-sounds";

hosts/aluminium/services/default.nix

@@ -4,10 +4,6 @@
     ./dnsmasq.nix
     ./doorbell.nix
     ./dyndns.nix
-    ./esphome
-    ./home-assistant.nix
-    ./nginx.nix
-    ./ntp.nix
     ./unifi-controller.nix
   ];
 }

hosts/aluminium/services/dnsmasq.nix

@@ -1,5 +1,8 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 
+let
+  stateDir = "/var/lib/dnsmasq";
+in
 {
   services.dnsmasq = {
     enable = true;
@@ -7,23 +10,13 @@
       listen-address = [
         "192.168.0.1"
         "192.168.1.1"
-        "192.168.2.1"
-        "192.168.10.9"
       ];
       interface = "lo";
       expand-hosts = true;
-      domain = [
-        "lan.kbh.jalr.de"
-        "iot.kbh.jalr.de,192.168.2.0/24"
-      ];
+      domain = "lan.kbh.jalr.de";
       dhcp-range = [
         "192.168.0.20,192.168.0.254,4h"
         "192.168.1.20,192.168.1.254,4h"
-        "192.168.2.20,192.168.2.254,4h"
-        "192.168.10.8,static,24h"
-      ];
-      dhcp-host = [
-        "AC:CC:8E:40:1C:B9,192.168.10.10,sprechanlage,infinite"
       ];
       cache-size = 10000;
       dns-forward-max = 1000;
@@ -36,24 +29,11 @@
         "2001:470:20::2" # ordns.he.net
         "74.82.42.42" # ordns.he.net
       ];
-      dhcp-option = [
-        "option:ntp-server,192.168.0.1"
-      ];
     };
   };
 
-  networking.firewall.interfaces = lib.attrsets.genAttrs [
-    "heizung"
-    "iot"
-    "lechner"
-    "pv"
-    "sprechanlage"
-    "voice"
-  ]
-    (
-      _: {
+  networking.firewall = {
     allowedUDPPorts = [ 53 67 ];
     allowedTCPPorts = [ 53 ];
-      }
-    );
+  };
 }

hosts/aluminium/services/doorbell.nix

@@ -1,13 +1,16 @@
-{ config, ... }:
+args@{ config, lib, pkgs, custom-utils, ... }:
 
 let
-  inherit (config.networking) ports;
+  ports = import ../ports.nix args;
 in
 {
-  sops.secrets.myintercom-doorbell-password.owner = "asterisk";
+  sops.secrets.myintercom-doorbell-password = {
+    sopsFile = ../secrets.yaml;
+    owner = "asterisk";
+  };
   services.myintercom-doorbell = {
     enable = true;
-    host = "sprechanlage.lan.kbh.jalr.de";
+    host = "192.168.0.74";
     username = "btxpvt0002";
     passwordFile = config.sops.secrets.myintercom-doorbell-password.path;
     audiosocket = {
@@ -16,15 +19,5 @@ in
       uuid = "4960ab41-dbef-4773-a25e-90536d97345e";
     };
     callerId = "Sprechanlage";
-    cam = {
-      enable = true;
-      bindAddress = "192.168.0.1";
-      webrtcPort = ports.doorbell-webrtc.tcp;
-      webrtcIceTcpPort = ports.doorbell-webrtc-ice.tcp;
   };
-  };
-  networking.firewall.interfaces.lechner.allowedTCPPorts = [
-    ports.doorbell-webrtc.tcp
-    ports.doorbell-webrtc-ice.tcp
-  ];
 }

hosts/aluminium/services/dyndns.nix

@@ -1,42 +1,16 @@
-{ config, lib, pkgs, ... }:
-let
-  mkService = config:
-    lib.mapAttrs'
-      (name: cfg: lib.nameValuePair "godns-${name}" (
-        let
-          config = cfg.settings // {
-            login_token_file = "$CREDENTIALS_DIRECTORY/login_token";
-          };
-          configFile = (pkgs.formats.yaml { }).generate "config.yaml" config;
-        in
+{ config, ... }:
 {
-          description = "GoDNS service";
-          wantedBy = [ "multi-user.target" ];
-          after = [ "network.target" ];
-          serviceConfig = {
-            DynamicUser = true;
-            ExecStart = "${lib.getExe pkgs.godns} -c ${configFile}";
-            LoadCredential = "login_token:${cfg.tokenPath}";
-            Restart = "always";
-            RestartSec = "2s";
-          };
-        }
-      ))
-      config;
-in
-{
-  systemd.services = mkService {
-    ip4 = {
-      tokenPath = config.sops.secrets.duckdns-secret.path;
-      settings = {
-        provider = "DuckDNS";
-        domains = [{ domain_name = "www.duckdns.org"; sub_domains = [ "jalr-k" ]; }];
-        resolver = "8.8.8.8";
-        ip_interface = "ppp0";
-        ip_urls = [ "" ];
-        ip_type = "IPv4";
-        interval = 60;
-      };
-    };
+  sops.secrets.duckdns-secret = {
+    sopsFile = ../secrets.yaml;
+  };
+  services.ddclient = {
+    enable = true;
+    interval = "1min";
+    protocol = "duckdns";
+    server = "www.duckdns.org";
+    username = "nouser";
+    passwordFile = config.sops.secrets.duckdns-secret.path;
+    domains = [ "jalr-k" ];
+    ipv6 = false;
   };
 }

hosts/aluminium/services/esphome/default.nix

@@ -1,25 +0,0 @@
-{ pkgs
-, config
-, ...
-}:
-let
-  inherit (config.networking) ports;
-in
-{
-  sops.secrets.esphome.restartUnits = [ config.systemd.services.esphome.name ];
-
-  jalr.esphome = {
-    enable = true;
-    port = ports.esphome.tcp;
-    secretsFile = config.sops.secrets.esphome.path;
-    configDir = pkgs.stdenvNoCC.mkDerivation {
-      name = "esphome-config";
-      src = ./devices;
-      dontBuild = true;
-      installPhase = ''
-        mkdir $out
-        cp -r * $out
-      '';
-    };
-  };
-}

hosts/aluminium/services/esphome/devices/.env

@@ -1,2 +0,0 @@
-ESPHOME_HOST="jalr-k.duckdns.org"
-ESPHOME_SECRETS_FILE="esphome_${ESPHOME_HOST}_secrets.yaml"

hosts/aluminium/services/esphome/devices/.gitignore

@@ -1,5 +0,0 @@
-# Gitignore settings for ESPHome
-# This is an example and may include too much for your use-case.
-# You can modify this file to suit your needs.
-/.esphome/
-/secrets.yaml

hosts/aluminium/services/esphome/devices/justfile

@@ -1 +0,0 @@
-../../../../../modules/esphome/devices/justfile

hosts/aluminium/services/esphome/devices/wasserbett.yaml

@@ -1,64 +0,0 @@
-esphome:
-  name: "waterbed"
-  friendly_name: "Wasserbett"
-
-esp8266:
-  board: d1_mini
-  framework:
-    version: recommended
-
-logger:
-
-api:
-  encryption:
-    key: !secret apikey_waterbed
-
-ota:
-  - platform: esphome
-    password: !secret otapass_waterbed
-
-wifi:
-  ssid: !secret wifi_ssid_kbh
-  password: !secret wifi_password_kbh
-  domain: .iot.kbh.jalr.de
-  enable_on_boot: true
-  fast_connect: true
-
-switch:
-  - platform: gpio
-    pin:
-      number: 13
-    id: pump
-    icon: "mdi:electric-switch"
-
-dallas:
-  - pin: 12
-
-sensor:
-  - platform: dallas
-    #address: 0xb7000802397ccc10
-    index: 0
-    name: "Temperatur"
-    id: temperature_waterbed
-
-climate:
- - platform: thermostat
-   name: "Temperatur"
-   id: temperature
-   sensor: temperature_waterbed
-   heat_deadband: 0.2
-   heat_overrun: 0.2
-   min_heating_off_time: 300s
-   min_heating_run_time: 300s
-   min_idle_time: 30s
-   heat_action:
-     - switch.turn_on: pump
-   idle_action:
-     - switch.turn_off: pump
-   default_preset: heizen
-   on_boot_restore_from: memory
-   preset:
-     - name: heizen
-       default_target_temperature_low: 28.5 °C
-     - name: abwesend
-       default_target_temperature_low: 24 °C

hosts/aluminium/services/home-assistant.nix

@@ -1,141 +0,0 @@
-{ pkgs, config, ... }:
-let
-  inherit (config.networking) ports;
-in
-{
-  services.home-assistant = {
-    enable = true;
-    lovelaceConfig = {
-      title = "Home";
-      views = [
-        {
-          path = "default_view";
-          title = "Home";
-          cards = [
-            {
-              title = "Heizung";
-              type = "entities";
-              entities = [
-                { entity = "sensor.guntamaticbiostar_betrieb"; }
-                { entity = "sensor.guntamaticbiostar_pufferladung"; }
-                { entity = "sensor.guntamaticbiostar_puffer_oben"; }
-                { entity = "sensor.guntamaticbiostar_puffer_unten"; }
-                { entity = "sensor.guntamaticbiostar_kesseltemperatur"; }
-                { entity = "sensor.guntamaticbiostar_vorlauf_ist_1"; }
-                { entity = "sensor.guntamaticbiostar_aussentemperatur"; }
-                { entity = "sensor.guntamaticbiostar_co2_gehalt"; }
-                { entity = "select.guntamaticbiostar_program"; }
-                { entity = "sensor.guntamaticbiostar_programm"; }
-                { entity = "sensor.guntamaticbiostar_programm_hk1"; }
-                { entity = "sensor.guntamaticbiostar_rucklauftemperatur"; }
-                { entity = "sensor.guntamaticbiostar_servicezeit"; }
-              ];
-            }
-            {
-              type = "grid";
-              square = false;
-              columns = 1;
-              cards = [
-                {
-                  title = "Wasserbett";
-                  type = "entities";
-                  entities = [
-                    {
-                      entity = "sensor.waterbed_temperatur";
-                      name = "Temperatur";
-                    }
-                  ];
-                }
-                {
-                  type = "thermostat";
-                  entity = "climate.waterbed_temperatur";
-                }
-              ];
-            }
-          ];
-        }
-      ];
-    };
-    extraComponents = [
-      # See https://www.home-assistant.io/integrations
-      "esphome"
-      "openweathermap"
-    ];
-    customComponents = [
-      # https://github.com/a529987659852/GuntamaticBiostar
-      pkgs.home-assistant-custom-components.guntamatic
-    ];
-    lovelaceConfigWritable = false;
-    configWritable = false;
-    config = {
-      http = {
-        server_host = [ "127.0.0.1" ];
-        server_port = ports.home-assistant.tcp;
-        use_x_forwarded_for = true;
-        trusted_proxies = [ "127.0.0.1" ];
-      };
-      homeassistant = {
-        unit_system = "metric";
-        time_zone = "Europe/Berlin";
-        temperature_unit = "C";
-        inherit (config.location) longitude;
-        inherit (config.location) latitude;
-      };
-      default_config = { };
-      "automation nix" = [
-        {
-          alias = "Nachschüren";
-          description = "Benachrichtigung auf iPad bei Wechsel auf Teillast";
-          mode = "single";
-          trigger = [
-            {
-              platform = "state";
-              entity_id = [ "sensor.guntamaticbiostar_betrieb" ];
-              from = "VOLLLAST";
-              to = "TEILLAST";
-            }
-          ];
-          condition = [
-            {
-              condition = "numeric_state";
-              entity_id = "sensor.guntamaticbiostar_pufferladung";
-              below = "80";
-            }
-          ];
-          action = [
-            {
-              device_id = "5612874405fa2ee539ad4518a1bb8e34";
-              domain = "mobile_app";
-              type = "notify";
-              message = ''
-                Kessel läuft auf Teillast und Puffer ist unter 80%. Vielleicht willst du
-                nachschüren.
-              '';
-              title = "Nachschüren?";
-            }
-          ];
-        }
-      ];
-      "automation ui" = "!include automations.yaml";
-      "scene nix" = [
-      ];
-      "scene ui" = "!include scenes.yaml";
-    };
-  };
-
-  systemd.tmpfiles.rules = [
-    "f ${config.services.home-assistant.configDir}/automations.yaml 0755 hass hass"
-    "f ${config.services.home-assistant.configDir}/scenes.yaml 0755 hass hass"
-  ];
-
-  services.nginx.virtualHosts."hass.kbh.jalr.de" = {
-    enableACME = true;
-    forceSSL = true;
-    kTLS = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${toString ports.home-assistant.tcp}/";
-      recommendedProxySettings = true;
-      proxyWebsockets = true;
-    };
-  };
-}

hosts/aluminium/services/nginx.nix

@@ -1,20 +0,0 @@
-{ config, ... }:
-
-let
-  inherit (config.networking) ports;
-in
-{
-  services.nginx = {
-    enable = true;
-    defaultHTTPListenPort = ports.nginx-http.tcp;
-    defaultSSLListenPort = ports.nginx-https.tcp;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-}

hosts/aluminium/services/ntp.nix

@@ -1,12 +0,0 @@
-{
-  services.chrony = {
-    enable = true;
-    extraConfig = ''
-      allow 192.168.0.0/24
-      allow 192.168.10.0/24
-      leapsectz right/UTC
-    '';
-  };
-  networking.firewall.interfaces.lechner.allowedUDPPorts = [ 123 ];
-  networking.firewall.interfaces.heizung.allowedUDPPorts = [ 123 ];
-}

hosts/aluminium/services/unifi-controller.nix

@@ -1,16 +1,13 @@
-{ config, pkgs, ... }:
+args@{ pkgs, custom-utils, ... }:
 
 let
-  inherit (config.networking) ports;
+  ports = import ../ports.nix args;
 in
 {
   services.unifi = {
     enable = true;
+    openFirewall = true;
     unifiPackage = pkgs.unifi;
-    mongodbPackage = pkgs.mongodb-7_0;
   };
-  networking.firewall.interfaces.lechner.allowedTCPPorts = [
-    ports.unifi-inform.tcp
-    ports.unifi-ui.tcp
-  ];
+  networking.firewall.allowedTCPPorts = [ ports.unifi.tcp ];
 }

hosts/cadmium/configuration.nix

@@ -1,13 +1,16 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [
     ./hardware-configuration.nix
-    ../../users/jalr
+    ../../home-manager/users/jalr.nix
   ];
 
   networking = {
     hostName = "cadmium";
+    networkmanager = {
+      enable = true;
+    };
     useDHCP = false;
 
     firewall = {
@@ -47,11 +50,9 @@
     bootloader = "systemd-boot";
     bluetooth.enable = true;
     uefi.enable = true;
-    gui = {
-      enable = true;
-      sway.enable = true;
-    };
+    gui.enable = true;
     workstation.enable = true;
+    sdr.enable = true;
     libvirt.enable = true;
     autologin.enable = true;
     autologin.username = "jalr";
@@ -63,6 +64,6 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "22.05"; # Did you read the comment?
 
 }

hosts/copper/configuration.nix

@@ -1,77 +0,0 @@
-{ lib, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-    ./disko.nix
-    ../../users/jalr
-    ./services
-    ./framework-fixes.nix
-  ];
-
-  networking = {
-    hostName = "copper";
-    extraHosts = lib.concatStringsSep "\n" (
-      lib.attrsets.mapAttrsToList
-        (addr: hosts:
-          lib.concatStringsSep " " ([ addr ] ++ hosts)
-        )
-        {
-          #"192.0.2.1" = ["example.com"];
-        }
-    );
-    firewall.interfaces.virbr0.allowedTCPPorts = [ 53 64172 ];
-    firewall.interfaces.virbr0.allowedUDPPorts = [ 53 67 69 4011 ];
-  };
-
-  zramSwap = {
-    enable = true;
-    algorithm = "zstd";
-    memoryPercent = 60;
-    priority = 1;
-  };
-
-  services = {
-    fstrim.enable = true;
-    flatpak.enable = true;
-    snapper.configs = {
-      home = {
-        SUBVOLUME = "/home";
-        ALLOW_USERS = [ "jalr" ];
-        TIMELINE_CREATE = true;
-        TIMELINE_CLEANUP = true;
-        TIMELINE_LIMIT_HOURLY = 12;
-        TIMELINE_LIMIT_DAILY = 7;
-        TIMELINE_LIMIT_WEEKLY = 4;
-        TIMELINE_LIMIT_MONTHLY = 3;
-        TIMELINE_LIMIT_YEARLY = 0;
-        BACKGROUND_COMPARISON = "yes";
-        NUMBER_CLEANUP = "no";
-        NUMBER_MIN_AGE = "1800";
-        NUMBER_LIMIT = "100";
-        NUMBER_LIMIT_IMPORTANT = "10";
-        EMPTY_PRE_POST_CLEANUP = "yes";
-        EMPTY_PRE_POST_MIN_AGE = "1800";
-      };
-    };
-  };
-
-  jalr = {
-    bootloader = "lanzaboote";
-    bluetooth.enable = true;
-    uefi.enable = true;
-    gui = {
-      enable = true;
-      sway.enable = true;
-    };
-    workstation.enable = true;
-    libvirt.enable = true;
-    autologin = {
-      enable = true;
-      username = "jalr";
-    };
-  };
-
-  system.stateVersion = "24.05";
-}
-

hosts/copper/disko.nix

@@ -1,59 +0,0 @@
-{
-  disko.devices = {
-    disk = {
-      nvme = {
-        type = "disk";
-        device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_2TB_S7DNNJ0X235226N";
-        content = {
-          type = "gpt";
-          partitions = {
-            esp = {
-              type = "EF00";
-              size = "1024M";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-                mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
-              };
-            };
-            luks = {
-              size = "100%";
-              content = {
-                type = "luks";
-                name = "copper-crypt";
-                settings = {
-                  allowDiscards = true;
-                };
-                extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ];
-                content = {
-                  type = "btrfs";
-                  extraArgs = [ "-f" ];
-                  subvolumes = {
-                    "/root" = {
-                      mountpoint = "/";
-                      mountOptions = [ "compress-force=zstd:1" "noatime" ];
-                    };
-                    "/home" = {
-                      mountpoint = "/home";
-                      mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
-                    };
-                    "/home/.snapshots" = {
-                      mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
-                    };
-                    "/nix" = {
-                      mountpoint = "/nix";
-                      mountOptions = [ "compress-force=zstd:1" "noatime" "noatime" "nodev" ];
-                    };
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}
-
-

hosts/copper/framework-fixes.nix

@@ -1,14 +0,0 @@
-{ pkgs, ... }:
-
-{
-  boot.extraModprobeConfig = ''
-    options cfg80211 ieee80211_regdom="DE"
-    options mt7921_common disable_clc=1
-    options mt7921e disable_aspm=Y
-  '';
-  hardware.firmware = [ pkgs.wireless-regdb ];
-
-  services.udev.extraRules = ''
-    ACTION=="add", SUBSYSTEM=="pci", ATTR{power/wakeup}="disabled"
-  '';
-}

hosts/copper/hardware-configuration.nix

@@ -1,18 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
-  boot.initrd = {
-    availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
-  };
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-
-  environment.systemPackages = with pkgs; [
-    fw-ectool
-  ];
-}

hosts/copper/secrets.yaml

@@ -1,32 +0,0 @@
-ntfy_shiftphone: ENC[AES256_GCM,data:WG/LlELNgEh2BiyrOYLDvYk3AlObSvUYUH8v3Cq9oHOhN1+Iwg==,iv:MVwLBIQjY8Z31V9mXf7Ge/jGb9S7ceLFx2TffcsO+o4=,tag:skeQbBPLYH8D4CPDorJ0fQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1rrut5ntrkqmvttvmpa5jcmjhr2pfpyaqgu9dmtx6v07lgjxx5ppsl7e5v3
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbXFqbHJFM0xxL284dWZD
-            TDkzcGVSRGorRWQvV3h3dkJ6UjNOeUxVcGdRCk5jTkZDeVFORVVWdm1vZm5XUHdk
-            S0ZBTEdEeDgramZNZm5xK3RkVkkxSDgKLS0tIFZ6dysvVm1YNlJzOVFXZXhrdXBE
-            dU0reGFSUmRxb0ZlUHgyYlpjU0FOQUEKuOMKvkZcynBGyMHmAYmz13Jy32YKyVK0
-            ztCWcXbl9qCe6KtI0yW+t8DLk/PaRrmSrB+2ICTMFqPh7HiBoX+KgQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-12T20:36:21Z"
-    mac: ENC[AES256_GCM,data:BpwQmtqj8NkTNO7cJHMoOeILY4HRcb7OasiCcnXsBwIFvbeDgwj+DMZOeKbitLXwzS5frWhZWg0eBHQ4BZQFjX1K0KReVacH9CblHnSZLxjMg3x6o3upB70YjdmD3KKBisOwfMCjklwk0rKwx0w5vzac3r1nJU+PGtFw1luIiBs=,iv:bYIRVFWVGjwgmaGu6JqvpCa0TIp8idP5Bc5cYV7Bri8=,tag:D2xS1PK9a9Dd1mm8+R9RRA==,type:str]
-    pgp:
-        - created_at: "2025-03-12T20:51:07Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DY/xpNY5WhB0SAQdAhB2C4sQhoL04j1RiWoeNCNSbGxDkrqXP+IffdoY8DWgw
-            x8aogh0b7CpTplBG/4g/WMVB4N/86uvI+mLYxJMyRb9b0f0bDr5dPpnhk//r/MDg
-            0l4B9+hcSzmkwXlKh7L8Ds4cZr/z3RlqnR424KSfKbiaaigYttui5l4xgEEPZE1H
-            1yfIJ5lBMgG1HTj3HX5mqM9ocA4HVzIkfPPqrFRAgjZdqeDEbLBT3lItMlvsOwy4
-            =kS0b
-            -----END PGP MESSAGE-----
-          fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
-    unencrypted_suffix: _unencrypted
-    version: 3.9.4

hosts/copper/services/default.nix

@@ -1,8 +0,0 @@
-{
-  imports = [
-    ./illuminanced.nix
-    ./ntfy.nix
-    ./timelog.nix
-    ./webdev.nix
-  ];
-}

hosts/copper/services/illuminanced.nix

@@ -1,94 +0,0 @@
-{ lib, pkgs, ... }:
-
-let
-  tomlFormat = pkgs.formats.toml { };
-  cfg = {
-    daemonize = {
-      log_to = "syslog";
-      pid_file = "/run/illuminanced/illuminanced.pid";
-      #log_level = "OFF", "ERROR", "WARN", "INFO", "DEBUG", "TRACE"
-      log_level = "ERROR";
-    };
-    general = {
-      check_period_in_seconds = 1;
-      light_steps = 100;
-      min_backlight = 20;
-      step_barrier = 0.1;
-      max_backlight_file = "/sys/class/backlight/amdgpu_bl1/max_brightness";
-      backlight_file = "/sys/class/backlight/amdgpu_bl1/brightness";
-      illuminance_file = "/sys/bus/iio/devices/iio:device0/in_illuminance_raw";
-      #event_device_mask = "/dev/input/event*";
-      #event_device_name = "Asus WMI hotkeys";
-      enable_max_brightness_mode = true;
-      filename_for_sensor_activation = "";
-    };
-    kalman = {
-      q = 1;
-      r = 20;
-      covariance = 10;
-    };
-    light = {
-      points_count = 6;
-
-      illuminance_0 = 0;
-      light_0 = 0;
-      illuminance_1 = 20;
-      light_1 = 35;
-      illuminance_2 = 70;
-      light_2 = 50;
-      illuminance_3 = 120;
-      light_3 = 65;
-      illuminance_4 = 200;
-      light_4 = 75;
-      illuminance_5 = 255;
-      light_5 = 99;
-    };
-  };
-  configFile = tomlFormat.generate "illuminanced.toml" cfg;
-in
-{
-  systemd.services.illuminanced = {
-    description = "Ambient Light Sensor Daemon";
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "exec";
-      Restart = "always";
-      ExecStart = "${pkgs.illuminanced}/bin/illuminanced -c ${configFile}";
-      PIDFile = cfg.daemonize.pid_file;
-      StandardOutput = "journal";
-      BindReadOnlyPaths = [
-        "/nix/store"
-        "/dev/log"
-        "/run/systemd/journal/socket"
-        "/run/systemd/journal/stdout"
-        cfg.general.max_backlight_file
-        (lib.strings.escape [ ":" ] cfg.general.illuminance_file)
-      ];
-      BindPaths = [
-        cfg.general.backlight_file
-      ];
-      CapabilityBoundingSet = null;
-      IPAddressDeny = "any";
-      LockPersonality = true;
-      PrivateDevices = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "noaccess";
-      ProtectSystem = "strict";
-      RestrictAddressFamilies = [ ];
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RootDirectory = "/run/illuminanced";
-      RuntimeDirectory = "illuminanced";
-      SystemCallArchitectures = "native";
-      SystemCallFilter = "@system-service";
-    };
-  };
-}

hosts/copper/services/ntfy.nix

@@ -1,3 +0,0 @@
-{
-  sops.secrets.ntfy_shiftphone.owner = "jalr";
-}

hosts/copper/services/timelog.nix

@@ -1,10 +0,0 @@
-{
-  powerManagement = {
-    powerUpCommands = ''
-      echo "timelog: powerUp"
-    '';
-    powerDownCommands = ''
-      echo "timelog: powerDown"
-    '';
-  };
-}

hosts/copper/services/webdev.nix

@@ -1,50 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  systemd.services = lib.attrsets.mapAttrs'
-    (
-      name: mapping: lib.attrsets.nameValuePair "redir-${name}" {
-        description = "Port redirection for local development web server (${name})";
-        after = [ "network.target" ];
-        wantedBy = [ "multi-user.target" ];
-        serviceConfig = {
-          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-          BindReadOnlyPaths = [ "/nix/store" ];
-          CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
-          DynamicUser = true;
-          ExecStart = "${pkgs.redir}/bin/redir -n 127.0.0.1:${toString mapping.to} 127.0.0.1:${toString mapping.from}";
-          IPAddressAllow = "localhost";
-          IPAddressDeny = "any";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          NoNewPrivileges = true;
-          PrivateDevices = lib.mkForce true;
-          PrivateTmp = true;
-          ProcSubset = "pid";
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "noaccess";
-          ProtectSystem = "strict";
-          ReadWritePaths = "";
-          RemoveIPC = true;
-          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          RootDirectory = "/run/redir-https";
-          RuntimeDirectory = "redir-https";
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
-          Type = "exec";
-        };
-      }
-    )
-    {
-      http = { from = 8080; to = 80; };
-      https = { from = 8443; to = 443; };
-    };
-}

hosts/default.nix

@@ -1,10 +1,7 @@
-inputs:
-let
-  hardware = inputs.nixos-hardware.nixosModules;
-in
+{ ... }@inputs:
 {
   aluminium = {
-    targetHost = "jalr-k.duckdns.org";
+    targetHost = "192.168.0.1";
     system = "x86_64-linux";
   };
   jalr-t520 = {
@@ -13,20 +10,20 @@ in
   cadmium = {
     system = "x86_64-linux";
   };
+  hafnium = {
+    system = "x86_64-linux";
+  };
+  weinturm-pretix-prod = {
+    system = "aarch64";
+    targetHost = "142.132.185.70";
+  };
   iron = {
     system = "x86_64-linux";
     #targetHost = "192.168.42.1";
     targetHost = "jalr-bw.duckdns.org";
   };
   magnesium = {
-    system = "x86_64-linux";
-    targetHost = "magnesium.jalr.de";
-  };
-  copper = {
-    system = "x86_64-linux";
-    targetHost = "copper.lan.bw.jalr.de";
-    extraModules = [
-      hardware.framework-16-7040-amd
-    ];
+    system = "aarch64";
+    targetHost = "162.55.35.199";
   };
 }

hosts/hafnium/configuration.nix

@@ -0,0 +1,146 @@
+{ lib, config, pkgs, self, system, ... }:
+
+let
+  tradebyteDnsServers = [
+    "10.170.254.30"
+    "10.170.254.40"
+  ];
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../home-manager/users/jal.nix
+  ];
+
+  networking = {
+    hostName = "hafnium";
+    networkmanager = {
+      enable = true;
+    };
+    useDHCP = false;
+    interfaces = {
+      enp2s0f0.useDHCP = false;
+      enp5s0.useDHCP = false;
+      wlp3s0.useDHCP = false;
+    };
+    firewall = {
+      allowedUDPPorts = [
+        53
+      ];
+      allowedTCPPorts = [
+        53
+      ];
+    };
+    extraHosts = ''
+      #10.10.10.10 example.com
+    '';
+  };
+
+  environment.systemPackages = with pkgs; [
+    brightnessctl
+    gnome3.adwaita-icon-theme
+    openconnect
+    redir
+    tcpdump
+  ];
+
+  environment.variables.EDITOR = "nvim";
+
+  programs.mtr.enable = true;
+
+
+  services.udisks2.enable = true;
+
+  jalr = {
+    bootloader = "systemd-boot";
+    bluetooth.enable = true;
+    uefi.enable = true;
+    gui.enable = true;
+    workstation.enable = true;
+    sdr.enable = false;
+    libvirt.enable = true;
+    autologin.enable = true;
+    autologin.username = "jal";
+    tradebyte.enable = true;
+  };
+
+
+  sops.secrets = (
+    lib.listToAttrs (map
+      (name: lib.nameValuePair "wireguard_key_${name}" {
+        sopsFile = ./secrets.yaml;
+      })
+      [
+        "tbcore"
+        "ops-testing"
+      ]
+    )
+  );
+
+  networking.wireguard.interfaces = {
+    tbcore = {
+      ips = [ "172.27.27.16/32" ];
+      privateKeyFile = config.sops.secrets.wireguard_key_tbcore.path;
+      listenPort = 51930;
+
+      peers = [{
+        publicKey = "K5vF/yTag6NnWjZsMug63DERdCFRfHoqxVkgKH55oFE=";
+        endpoint = "194.33.184.175:51930";
+        #endpoint = "ccs-emergency-vpn.core.tradebyte.com:51930";
+        persistentKeepalive = 25;
+        allowedIPs = [
+          "10.158.128.0/23"
+          "10.158.224.0/20"
+          "10.18.0.0/16"
+          "10.64.64.0/20" # CPS
+          "172.31.1.0/24"
+        ];
+      }];
+    };
+    ops-testing = {
+      ips = [ "10.254.254.2/30" ];
+      privateKeyFile = config.sops.secrets.wireguard_key_ops-testing.path;
+      peers = [{
+        publicKey = "+jZETJfwaRiM+7ys5eYjgiWEAtxP47RzZSCx0w4l2nI=";
+        endpoint = "3.68.138.217:2048";
+        persistentKeepalive = 25;
+        allowedIPs = [
+          "10.254.254.0/30"
+          "10.250.0.0/16"
+        ];
+      }];
+    };
+  };
+
+  services.dnsmasq.settings.server = lib.lists.flatten (
+    map (domain: (map (srv: "/${domain}/${srv}") tradebyteDnsServers)) [
+    "vpce-0c1c169d1e33a1c2f-yugtdam1.s3.eu-central-1.vpce.amazonaws.com"
+    "ccs.tradebyte.com"
+    "instance.tradebyte.com"
+  ]) ++ [
+    "/internal.production.core.tradebyte.com/10.158.224.2"
+    "/internal.development.core.tradebyte.com/10.170.254.30"
+    "/rds.amazonaws.com/9.9.9.9"
+    "/tradebyte.com/9.9.9.9"
+    "/tradebyte.org/9.9.9.9"
+    "/develop.sys.tradebyte.com/10.0.3.1"
+    "/corp.ad.zalando.net/10.160.19.100"
+  ];
+  services.actkbd = {
+    enable = true;
+    bindings = [
+      { keys = [ 232 ]; events = [ "key" ]; command = "/run/current-system/sw/bin/brightnessctl s -5%"; }
+      { keys = [ 233 ]; events = [ "key" ]; command = "/run/current-system/sw/bin/brightnessctl s +5%"; }
+    ];
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.05"; # Did you read the comment?
+
+}
+

hosts/hafnium/hardware-configuration.nix

@@ -0,0 +1,44 @@
+{ modulesPath, ... }:
+
+{
+  imports = [
+    "${modulesPath}/installer/scan/not-detected.nix"
+  ];
+
+  hardware.cpu.amd.updateMicrocode = true;
+
+  boot = {
+    initrd.availableKernelModules = [
+      "nvme"
+      "ehci_pci"
+      "xhci_pci"
+      "usb_storage"
+      "sd_mod"
+      "rtsx_pci_sdmmc"
+    ];
+    kernelModules = [ "kvm-amd" ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/b86310f5-fe3d-4b4d-bc02-ab0d7e9297cf";
+      fsType = "btrfs";
+      options = [
+        "discard=async"
+        "noatime"
+        "subvol=/nixos"
+        "compress=zstd:6"
+      ];
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/564E-26B4";
+      fsType = "vfat";
+      options = [ "nodev" "nosuid" "noexec" ];
+    };
+  };
+
+  boot.initrd.luks.devices.cryptroot = {
+    device = "/dev/disk/by-uuid/d9b120c1-5e80-4893-92fe-497e5b44c25b";
+    allowDiscards = true;
+  };
+}

hosts/hafnium/secrets.yaml

@@ -0,0 +1,42 @@
+wireguard_key_tbcore: ENC[AES256_GCM,data:/VdCVC6xciihm2suOiuNabAWPhWPGSyWSKbLKRpy8EK7aXpyxZPybnANc1E=,iv:/LxrjPLzUkHdyT45RIfbfc4Xa3vsnQNiamnbiMdubpg=,tag:N5nFx1QsH9FGiK9DrMg2hQ==,type:str]
+wireguard_key_ops-testing: ENC[AES256_GCM,data:FiADGmh3GAK6LI9Y5EEErmoVCfx4So6mN3glnzUWk8zDXJbRYP1Uj1kJiss=,iv:7tEWVT6eeHpekgkO17DXtrO7meFvYo6xV4ZLpGG20PQ=,tag:Mtr2gMnCqfJP5ADyordddw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWlZBSFBKNXJ4QmpDZUpT
+            NE91ek10QkwxSU1XTE81cGxHZXZmL1JncEY0ClZFbVd5dG14L1hqQlRWTDVkZmpx
+            V1EzSG9rMC80WTNIZExXOXU1VjcrMk0KLS0tIElWdkh4MzNyeTNteDJTY3RvanQx
+            ai9YdFdleXNNY2pXQzZMem0vdDdSMjgKvngMU5Y1/Pp+G/a9SyewkN9wr22ZcGP6
+            XHHadzk6NE7BJWqquY+2B0Rh3B1Ow+rC8yJd7FhJlHw+i0Bp/d/ESw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-04-21T08:09:31Z"
+    mac: ENC[AES256_GCM,data:+TB7XQPMQCFAR/0jrUKTgjm2yJ7qJ6Jak3DMbFof7mnGE9LKT+xPKYzPwAM+4aDzngHv1fumD6JCXDoJ4DS95frAVfNVNM1bfB0iVmrtf0PX1y+Em189/hs3bt2YBkvvW9kYJMq0g9VBngX6gwGuaBAFHly1gi6SPMZN4vNRF6g=,iv:DK5OYG+BohxllorP0j9mvQ7MtqVNnBjJ3Nf378scJOA=,tag:lBwsHbY9PlJ2/eMtKcxZxA==,type:str]
+    pgp:
+        - created_at: "2022-04-20T21:27:25Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6jlFWJ+id7kARAArP1hdPwQk2XyKsXYnSj6vxK81GhfZp3tkYEqsU3Jdpwn
+            OR+0SnuoNWk4dN4JE4ooS5DOhS0ZaVsglLPtiLLohGWYY4OrX33JHZN4oEa5GMBK
+            t9b0YNb9owow0MSFN679tmiCMvzXGprT0mdWO3/X/HlKvCcTYPRqul4BVeVR/LyG
+            V94MSaF3BUwFb4p/Q8jcWfsfH5gmMpiFHQsmtci4LjDHvAVCFzI3AjcbRRJUfO5v
+            ampZ+9yUNo8Y6btrQQWvMoGpOp6U7cj6rTk+eZuW16/7WbHMz6WSpolDyy01QjzQ
+            szS5RuACnUTMqG4YWQk90H3Srgq/6CFBVLSTm2h8zdO9UZcgkJRYLTFczbYbyqgN
+            2Vpjf0UwIv5MHvdo1QZJeBEl8TxjI5UZY2/UDOb9OZXktcAxW5U0Wy6pZIfUsJpk
+            GJeAb+P3pLvs62hkNSS+rGoGvLX2u0R/Xvw1btTdLLOeIOPNGF8lau32mBuErIZ9
+            2E44N1qV8uQDkDdvaKpj4ikf/0MURPW4GWXST3K/BwD1Gos2SzVD17kXGGOVdeOP
+            Q19LSo06h2Cq+zNcyKU4C0IdRPvFLKJbyEN3vDYXGnJK7lqGr/UDDcPgYPHVPn1Q
+            gTdmAk2e8lZY6O0OP5tth5cMjJZj5msvjbww9J1PA3VnBuo8+17zCJ/IYwCUlEbS
+            XgEWH0LKnwjG7Ufr8eT0DzeCJoD2U/2h+8/+Q2dc4YqokIPW7VuZhR+HZygVAX65
+            1yT/1z+1Hr6kLr9cDLzjyPRu5rNgZJHc8pxkbrQsT764oclvfbgIcmvko9Fsg4o=
+            =S5XT
+            -----END PGP MESSAGE-----
+          fp: FE170812543DF81393EA56BA5042B8317A10617E
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2

hosts/iron/configuration.nix

@@ -1,25 +1,24 @@
-{ config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 let
-  interfaces = import ./interfaces.nix;
-  disks = {
-    slot1 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K";
-    slot2 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A";
-    slot3 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104926N";
-    slot4 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104934H";
-    slot5 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0W206517Y";
-  };
+  zfsKernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  disks = [
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K"
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A"
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104926N"
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104934H"
+    "ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0W206517Y"
+  ];
   removableEfi = true;
   devNodes = "/dev/disk/by-id/";
   datasets = {
     "bpool/nixos/root" = "/boot";
-    "rpool/filebitch" = "/filebitch";
     "rpool/navidrome" = "/var/lib/private/navidrome";
-    "rpool/navidrome/music" = "/var/lib/navidrome/music";
+    "rpool/navidrome/music" = "/var/lib/private/navidrome/music";
     "rpool/nixos/home" = "/home";
     "rpool/nixos/root" = "/";
     "rpool/nixos/var/lib" = "/var/lib";
-    "rpool/nixos/var/lib/qBittorrent" = "/var/lib/qBittorrent";
-    "rpool/nixos/var/lib/qBittorrent/downloads" = "/var/lib/qBittorrent/downloads";
+    "rpool/nixos/var/lib/qbittorrent" = "/var/lib/qbittorrent";
+    "rpool/nixos/var/lib/qbittorrent/downloads" = "/var/lib/qbittorrent/downloads";
     "rpool/nixos/var/log" = "/var/log";
   };
   partitionScheme = {
@@ -28,16 +27,16 @@ let
     luksDev = "-part3";
     biosBoot = "-part4";
   };
-  efiSystemPartitions = map (diskName: diskName + partitionScheme.efiBoot) (lib.attrValues disks);
+  efiSystemPartitions = (map (diskName: diskName + partitionScheme.efiBoot) disks);
+  iptablesAppendIfMissing = rule: "iptables -C " + rule + " || iptables -A " + rule;
 in
 with lib; {
   imports = [
-    ../../users/jalr
+    ../../home-manager/users/jalr.nix
     ./services
-    ./ports.nix
   ];
   config = {
-    system.stateVersion = "25.05";
+    system.stateVersion = "22.11";
 
     security.sudo.wheelNeedsPassword = false;
 
@@ -47,56 +46,35 @@ with lib; {
       useDHCP = false;
       networkmanager.enable = false;
 
-      bridges = {
-        "${interfaces.lan}" = {
-          interfaces = [ "enp2s4" "enp3s5" ];
-        };
-      };
-      vlans = {
-        iot = {
-          id = 20;
-          interface = interfaces.lan;
-        };
-      };
       interfaces = {
-        "${interfaces.lan}".ipv4.addresses = [{
+        enp2s4.ipv4.addresses = [{
           address = "192.168.42.1";
           prefixLength = 24;
         }];
-        iot.ipv4.addresses = [{
-          address = "10.20.0.1";
-          prefixLength = 20;
-        }];
-        "${interfaces.wan}" = {
+        enp3s5 = {
           useDHCP = true;
         };
       };
 
       nat = {
         enable = true;
-        externalInterface = interfaces.wan;
+        externalInterface = "enp3s5";
         internalInterfaces = [
-          interfaces.lan
-          "virbr0"
+          "enp2s4"
         ];
       };
 
       firewall = {
-        allowedTCPPorts = [ 5201 ];
-        extraForwardRules = ''
-          tcp flags syn tcp option maxseg size set rt mtu
-        '';
-        interfaces.virbr0 = {
-          allowedTCPPorts = [ 53 ];
-          allowedUDPPorts = [ 53 67 ];
-        };
+        extraCommands = lib.concatStringsSep "\n" [
+          (iptablesAppendIfMissing "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
+        ];
       };
     };
 
     services.radvd = {
       enable = true;
       config = ''
-        interface ${interfaces.lan} {
+        interface enp2s4 {
           AdvSendAdvert on;
           prefix ::/64 {
             AdvOnLink on;
@@ -111,59 +89,47 @@ with lib; {
       noipv6rs
       waitip 6
 
-      interface ${interfaces.wan}
+      interface enp3s5
         ipv6rs
         ia_na 1
-        ia_pd 1/::/64 ${interfaces.lan}/0/64
+        ia_pd 1/::/64 enp2s4/0/64
     '';
 
-    jalr.luksUsbUnlock = {
-      enable = true;
-      devices = builtins.mapAttrs
-        (_: _: {
-          keyPath = "iron.key";
-          usbDevice = "by-label/RAM_USB";
-          waitForDevice = 10;
-        })
-        disks;
-    };
-
     boot = {
+      kernelPackages = zfsKernelPackages;
       kernel.sysctl = {
         "net.ipv6.conf.all.forwarding" = 1;
       };
       initrd = {
-        availableKernelModules = [
-          "ahci"
-          "ehci_pci"
-          "sd_mod"
-          "sdhci_pci"
-          "usb_storage"
-          "xhci_pci"
-        ];
+        availableKernelModules = [ "ahci" ];
         systemd.enable = true;
-        luks.devices = builtins.mapAttrs
-          (_: dev: {
+        luks.devices = lib.listToAttrs (
+          map
+            (dev: {
+              name = "LUKS-${dev}${partitionScheme.luksDev}";
+              value = {
                 device = "${devNodes}${dev}${partitionScheme.luksDev}";
                 allowDiscards = true;
+              };
             })
-          disks;
+            disks
+        );
       };
       supportedFilesystems = [ "zfs" ];
       zfs = {
-        inherit devNodes;
+        devNodes = devNodes;
         forceImportRoot = false;
       };
       loader = {
         efi = {
-          canTouchEfiVariables = if removableEfi then false else true;
-          efiSysMountPoint = "/boot/efis/" + (head (lib.attrValues disks))
-            + partitionScheme.efiBoot;
+          canTouchEfiVariables = (if removableEfi then false else true);
+          efiSysMountPoint = ("/boot/efis/" + (head disks)
+            + partitionScheme.efiBoot);
         };
         generationsDir.copyKernels = true;
         grub = {
           enable = true;
-          devices = map (diskName: devNodes + diskName) (attrValues disks);
+          devices = (map (diskName: devNodes + diskName) disks);
           efiInstallAsRemovable = removableEfi;
           copyKernels = true;
           efiSupport = true;
@@ -173,11 +139,11 @@ with lib; {
             terminal_input --append serial
             terminal_output --append serial
           '';
-          extraInstallCommands = toString (map
+          extraInstallCommands = (toString (map
             (diskName: ''
               ${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${partitionScheme.efiBoot}
             '')
-            (tail (attrValues disks)));
+            (tail disks)));
         };
       };
       kernelParams = [
@@ -218,15 +184,7 @@ with lib; {
       };
     };
 
-    hardware = {
-      enableRedistributableFirmware = true;
-      graphics = {
-        enable = true;
-        extraPackages = [
-          pkgs.intel-vaapi-driver
-        ];
-      };
-    };
+    hardware.enableRedistributableFirmware = true;
 
     virtualisation.containers.storage.settings = {
       storage = {
@@ -236,16 +194,5 @@ with lib; {
         options.zfs.fsname = "rpool/nixos/podman";
       };
     };
-
-    zramSwap = {
-      enable = true;
-      algorithm = "zstd";
-      memoryPercent = 60;
-      priority = 1;
-    };
-
-    services.zfs = {
-      trim.enable = false;
-    };
   };
 }

hosts/iron/interfaces.nix

@@ -1,4 +0,0 @@
-{
-  lan = "br0";
-  wan = "enp0s25";
-}