nijika: update boot partition id

This reverts commit 4c6086487dfefb83bb7f7947a390c3c56923daa6.

.gitignore

@@ -1 +1,2 @@
 .DS_Store
+result

README.md

@@ -1,46 +1,54 @@
-# my little nix system
+# dots
+## overview
+<img width="60%" align="right" src="assets/linux-oneshot-launcher.webp">
 
-## installation
-### linux - desktop
-1. Boot up NixOS live iso on a system.
-2. Clone flake
-3. Make a folder for the system under hosts/
-4. Run `nixos-generate-config --dir hosts/HOSTNAME`
-6. Set LUKS encryption passphrase via `sudo nano /tmp/secret.key`
-7. Run disko `sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount /path/to/disko-config.nix`
-8. Copy over flake directory to new system
-9. Install system with `sudo nixos-install --flake .#HOSTNAME` - set a password for root
-10. Reboot into new system.
-11. Open a terminal and run `passwd`
-12. Log into normal user and configure networking via `nmtui`
-13. Apply dotfiles via `stow stow` in the base of the dotfiles directory.
-14. Download a wallpaper and apply it via `matugen image`
+my dotfiles for NixOS, macOS or POSIX systems. primarily for systems that support [Nix](https://nixos.org) since they have declarative configuration. although dotfiles (in the stow directory) are made to keep them portable without the need for nix necessarily.
+- OS: [NixOS](https://nixos.org) and macOS
+- Shell: [fish](https://fishshell.com/)
+- Terminal: [Ghostty](https://ghostty.org/)
+- Browser: Firefox
 
-#### Secure boot
-If a system has a secure boot, install the system WITHOUT the secureboot module. Once the steps above have been completed return here.
+linux specific:
+- Desktop: [Hyprland](https://hyprland.org/) and [Niri](https://github.com/YaLTeR/niri)
+- Status Bar: [Waybar](https://github.com/Alexays/Waybar)
+- Launcher: [Vicinae](https://github.com/vicinaehq/vicinae)
 
-1.  Generate secureboot signing keys with `sudo nix run nixpkgs#sbctl create-keys`
-2.  Rebuild the system WITH the secureboot module.
-3.  Run `sudo sbctl verify` to check if SOME of the files are signed.
-4.  Reboot your system, in the UEFI enable onboarding secureboot keys, usually a setting called 'Reset to setup mode'.
-5.  Boot into your NixOS system and run `sudo sbctl enroll-keys --microsoft` to enroll your keys.
-6.  Reboot into your UEFI again and enable secure boot.
+macOS specific:
+- Launcher: [Raycast](https://www.raycast.com/)
+- Application Firewall: [Lulu](https://objective-see.org/products/lulu.html)
 
-### macOS
-1.  Install xcode developer tools, determinate nix and brew.
-```sh
-xcode-select --install
-curl -fsSL https://install.determinate.systems/nix | sh -s -- install --determinate
-/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+# showcase
+
+<table>
+    <tr>
+        <td>NixOS</td>
+        <td>macOS</td>
+    </tr>
+    <tr>
+        <td><img src="assets/linux-bocchi-fastfetch.webp"></td>
+        <td><img src="assets/macos-bocchi-fastfetch.webp"></td>
+    </tr>
+    <tr>
+        <td><img src="assets/linux-oneshot-launcher.webp"></td>
+        <td><img src="assets/macos-oneshot-light.webp"></td>
+    </tr>
+    <tr>
+        <td><img src="assets/linux-mafuyu.webp"></td>
+        <td><img src="assets/macos-nene.webp"></td>
+    </tr>
+</table>
+
+# license
+all content in this repository is licensed under the BSD0 license aka 0-Clause BSD license.
+```
+Permission to use, copy, modify, and/or distribute this software for
+any purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
+WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
+FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 ```
-2.  Install Nix flake to system. `nix run nix-darwin/master#darwin-rebuild -- switch`
-3.  Reboot
-4.  Install OpenUTAU `https://github.com/stakira/OpenUtau/releases/latest/download/OpenUtau-osx-x64.dmg`
-5.  Configure non-automated settings
-- set accent colour
-- set display to be spacious
-- customise spotlight settings
-- disable bluetooth
-- enable firewall
-- set wallpaper
-- enable switching workspace keybinds

backup.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+# stops the script immediately if any error is encountered
+set -e
+
+PINK="\033[35m"
+RESET="\033[0m"
+
+kanidm_backup() {
+  # $1 = out path
+  echo -e "$PINK  kanidm: backing up database$RESET"
+
+  DATABASE_DUMP_PATH="$(mktemp)"
+  chown kanidm:kanidm "$DATABASE_DUMP_PATH"
+  run0 -u kanidm --unit=kanidmd sh -c "kanidmd database backup \"$DATABASE_DUMP_PATH\""
+
+  rsync "$DATABASE_DUMP_PATH" "$1"
+  rm "$DATABASE_DUMP_PATH"
+
+  echo -e "$PINK  kanidm: DONE$RESET"
+}
+
+postgres_backup() {
+  # $1 = database to backup
+  # $2 = location to put backup
+  echo -e "$PINK  postgres($1): backing up database $1 to stdout$RESET"
+  run0 -u postgres pg_dump --dbname="$1" > "$2"
+
+  echo -e "$PINK  postgres($1): DONE$RESET"
+}
+
+if [ "$1" = "" ]; then
+  echo "$0: [BACKUP_DIR]"
+  exit 1
+elif [ "$USER" != "root" ]; then
+  echo "$0: rerun the script as root"
+  exit 1
+fi
+
+case "$1" in
+  /*) echo " ";;
+  *) echo "$0: use absolute path for backup dir"; exit 1;;
+esac
+
+BACKUP_DIR="$1"
+echo -e "$PINK  using folder $BACKUP_DIR$RESET"
+mkdir --parents "$BACKUP_DIR"
+
+SERVICES="jellyfin radarr sonarr prowlarr uptime-kuma deluged forgejo karakeep-web karakeep-workers karakeep-browser"
+
+systemctl stop $SERVICES
+
+rsync -avP /media/ --exclude "media" --exclude "secrets" --exclude "torrents" --include "torrents/files/*" "$BACKUP_DIR"
+
+kanidm_backup "$BACKUP_DIR"/apps/kanidm.bak
+postgres_backup miniflux "$BACKUP_DIR"/apps/miniflux.sql
+
+systemctl start $SERVICES
+
+echo -e "\n\nBACKUP COMPLETED!"

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "crane": {
       "locked": {
-        "lastModified": 1731098351,
-        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "lastModified": 1754269165,
+        "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "rev": "444e81206df3f7d92780680e45858e31d2f07a08",
         "type": "github"
       },
       "original": {
@@ -15,35 +15,14 @@
         "type": "github"
       }
     },
-    "disko": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1746728054,
-        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "ff442f5d1425feb86344c028298548024f21256d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "latest",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -55,11 +34,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -76,11 +55,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1730504689,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "lastModified": 1754091436,
+        "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
         "type": "github"
       },
       "original": {
@@ -89,24 +68,6 @@
         "type": "github"
       }
     },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
@@ -137,11 +98,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747990026,
-        "narHash": "sha256-sG5VbID+x5+xUC+jjgHibnzg8IllVcH+K2TLmYHLPME=",
+        "lastModified": 1771587792,
+        "narHash": "sha256-XGFLdlLOez7f0rmjlF+1TLXyBguy8gx2aBHx/Q5JXxs=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "e2f4ced874406541a7957f7e2b8f05a0d59a0f00",
+        "rev": "b49fc54950e251f166a2240799315033ab7a8916",
         "type": "github"
       },
       "original": {
@@ -162,16 +123,16 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1737639419,
-        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "lastModified": 1762205063,
+        "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "v0.4.2",
+        "ref": "v0.4.3",
         "repo": "lanzaboote",
         "type": "github"
       }
@@ -183,11 +144,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748004251,
-        "narHash": "sha256-XodjkVWTth3A2JpBqGBkdLD9kkWn94rnv98l3xwKukg=",
+        "lastModified": 1771520882,
+        "narHash": "sha256-9SeTZ4Pwr730YfT7V8Azb8GFbwk1ZwiQDAwft3qAD+o=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "33220d4791784e4dd4739edd3f6c028020082f91",
+        "rev": "6a7fdcd5839ec8b135821179eea3b58092171bcf",
         "type": "github"
       },
       "original": {
@@ -221,15 +182,15 @@
     "nix-minecraft": {
       "inputs": {
         "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1748051893,
-        "narHash": "sha256-KV6bgVHPzb9ymVk9WDRX1lkkeoZETMbS/MyPpIOUWVo=",
+        "lastModified": 1771641457,
+        "narHash": "sha256-TIekRGfeCwuEmYcWex40RTx0Gd46pqmyUtxdFKb5juI=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "a600d058c19e1668db6ba759ecc4cfd154079ab5",
+        "rev": "c4e2b8969e09067da9d44b6b5762e1e896418f40",
         "type": "github"
       },
       "original": {
@@ -240,11 +201,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1742889210,
-        "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=",
+        "lastModified": 1769461804,
+        "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "698214a32beb4f4c8e3942372c694f40848b360d",
+        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
         "type": "github"
       },
       "original": {
@@ -254,29 +215,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1730741070,
-        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1747744144,
-        "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
+        "lastModified": 1771369470,
+        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
+        "rev": "0182a361324364ae3f436a63005877674cf45efb",
         "type": "github"
       },
       "original": {
@@ -296,15 +241,14 @@
         "nixpkgs": [
           "lanzaboote",
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
       },
       "locked": {
-        "lastModified": 1731363552,
-        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "lastModified": 1750779888,
+        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
         "type": "github"
       },
       "original": {
@@ -315,7 +259,6 @@
     },
     "root": {
       "inputs": {
-        "disko": "disko",
         "jovian": "jovian",
         "lanzaboote": "lanzaboote",
         "nix-darwin": "nix-darwin",
@@ -331,11 +274,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731897198,
-        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "lastModified": 1761791894,
+        "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "rev": "59c45eb69d9222a4362673141e00ff77842cd219",
         "type": "github"
       },
       "original": {

flake.nix

@@ -4,54 +4,79 @@
   inputs = {
     # NixOS official package source, using the unstable branch here
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.2";
+    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.3";
     lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
     nix-darwin.url = "github:LnL7/nix-darwin";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
-    disko.url = "github:nix-community/disko/latest";
-    disko.inputs.nixpkgs.follows = "nixpkgs";
     jovian.url = "github:Jovian-Experiments/Jovian-NixOS";
     jovian.inputs.nixpkgs.follows = "nixpkgs";
     nix-minecraft.url = "github:Infinidoge/nix-minecraft";
   };
 
-  outputs = { self, nixpkgs, lanzaboote, nix-darwin, disko, jovian, nix-minecraft, ... }@inputs: {
+  outputs = { self, nixpkgs, lanzaboote, nix-darwin, jovian, nix-minecraft, ... }@inputs: {
     nixosConfigurations.nijika = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [
         ./hosts/nixos-common.nix
 
+        ./modules/desktop/default.nix
+        ./modules/desktop/de/hyprland.nix
+        ./modules/desktop/japanese-input.nix
+        ./modules/desktop/login/autologin.nix
+        ./modules/applications/default.nix
+        ./modules/applications/keepassxc.nix
+        ./modules/games/linux.nix
+        ./modules/browser/firefox.nix
+
         ./modules/nix/linux.nix
         ./modules/shell.nix
 
-        nix-minecraft.nixosModules.minecraft-servers
-        { nixpkgs.overlays = [ inputs.nix-minecraft.overlay ]; }
-        ./modules/games/server/minecraft/default.nix
-        ./modules/services/uptime-kuma.nix
-        ./modules/services/pocketid.nix
-        ./modules/services/auth/kanidm.nix
-        ./modules/services/caddy.nix
-        ./modules/services/forgejo.nix
-        ./modules/services/miniflux.nix
-        ./modules/services/media/arr.nix
-        ./modules/services/media/jellyfin.nix
-        ./modules/services/ssh.nix
-        ./modules/services/glance.nix
-
         ./modules/network/avahi.nix
-        ./modules/network/firewall/opensnitch.nix
+        ./modules/services/ssh.nix
         ./modules/network/vpn/tailscale.nix
 
         ./modules/users/nico.nix
         ./modules/hardware/secureboot.nix
+        ./modules/hardware/bootloader/systemd-boot.nix
         lanzaboote.nixosModules.lanzaboote
 
         ./hosts/nijika/configuration.nix
-        disko.nixosModules.disko
       ];
     };
 
-    nixosConfigurations.bocchi = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.seika = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ./hosts/nixos-common.nix
+
+        ./modules/services/uptime-kuma.nix
+        ./modules/services/auth/kanidm.nix
+        ./modules/services/auth/tinyauth.nix
+        ./modules/services/caddy.nix
+        ./modules/services/forgejo.nix
+        ./modules/services/miniflux.nix
+        ./modules/services/karakeep.nix
+        ./modules/services/media/arr.nix
+        ./modules/services/media/jellyfin.nix
+        ./modules/services/archiveteam-warrior.nix
+        ./modules/services/samba.nix
+        ./modules/hardware/restic.nix
+
+        ./modules/network/avahi.nix
+        ./modules/services/ssh.nix
+        ./modules/services/dns/coredns.nix
+        ./modules/services/dns/ddns-updater.nix
+        ./modules/network/vpn/tailscale.nix
+
+        ./modules/nix/linux.nix
+        ./modules/shell.nix
+        ./modules/users/nico.nix
+        ./modules/hardware/bootloader/systemd-boot.nix
+        ./hosts/seika/configuration.nix
+      ];
+    };
+
+    nixosConfigurations.miki = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [
         ./hosts/nixos-common.nix
@@ -59,20 +84,20 @@
         ./modules/nix/linux.nix
         ./modules/shell.nix
 
+        ./modules/services/caddy.nix
+        ./modules/services/media/jellyfin.nix
+        ./modules/services/media/arr.nix
+        ./modules/services/auth/tinyauth.nix
+
         ./modules/services/ssh.nix
         ./modules/network/vpn/tailscale.nix
 
-        nix-minecraft.nixosModules.minecraft-servers
-        { nixpkgs.overlays = [ inputs.nix-minecraft.overlay ]; }
-        ./modules/games/server/minecraft/default.nix
-        ./modules/games/server/minecraft/neoforge-1.21.1.nix
-
         ./modules/users/nico.nix
         ./modules/users/rhys.nix
 
-        ./hosts/bocchi/configuration.nix
+        ./hosts/miki/configuration.nix
+        ./modules/hardware/bootloader/systemd-boot.nix
         ./hosts/nixos-common.nix
-        disko.nixosModules.disko
       ];
     };
 
@@ -86,6 +111,8 @@
         ./modules/games/darwin.nix
         ./modules/applications/darwin.nix
         ./modules/desktop/de/darwin.nix
+        ./modules/desktop/de/yabai.nix
+        ./modules/desktop/programs/sketchybar.nix
         ./modules/hardware/darwin.nix
         ./modules/nix/darwin.nix
         ./modules/network/vpn/tailscale-darwin.nix

hosts/bocchi/configuration.nix

@@ -1,16 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  networking.hostName = "bocchi";
-  hardware.graphics.enable = true;
-
-  # game servers
-  services.minecraft-servers.servers.velocity.enable = lib.mkForce false;
-  virtualisation.oci-containers.containers.neoforge-1-21-1.ports = [ "25565:25565" ];
-  virtualisation.oci-containers.containers.neoforge-1-21-1.environment.SERVER_PORT = lib.mkForce "25565";
-
-}

hosts/miki/configuration.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  networking.hostName = "miki";
+
+  # gpu drivers
+  hardware.graphics.enable = true;
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+  hardware.nvidia.open = false;
+
+  nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.nvidia.acceptLicense = true;
+
+  swapDevices = [{
+    device = "/swapfile";
+    size = 8*1024; # 8 GB
+  }];
+
+  # so safe!!!!
+  nixpkgs.config.permittedInsecurePackages = [
+    "broadcom-sta-6.30.223.271-59-6.12.65"
+  ];
+}

hosts/nijika/configuration.nix

@@ -2,7 +2,6 @@
 
 {
   imports = [
-    ./disko.nix
     ./hardware-configuration.nix
   ];
 
@@ -18,9 +17,6 @@
     # see: https://github.com/NixOS/nixpkgs/issues/356535
 #    intel-compute-runtime-legacy1 
     vpl-gpu-rt # QSV on 11th gen or newer
-    intel-media-sdk # QSV up to 11th gen
     intel-ocl # OpenCL support
   ];
-
-  services.logind.lidSwitchExternalPower = "ignore";
 }

hosts/nijika/disko.nix

@@ -1,61 +0,0 @@
-{ ... }:
-
-{
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        device = "/dev/nvme0n1";
-        content = {
-          type = "gpt";
-          partitions = {
-            ESP = {
-              size = "512M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-                mountOptions = [ "umask=0077" ];
-              };
-            };
-            luks = {
-              size = "100%";
-              content = {
-                type = "luks";
-                name = "root";
-                passwordFile = "/tmp/secret.key";
-                settings = {
-                  allowDiscards = true;
-                };
-#                additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
-                content = {
-                  type = "btrfs";
-                  extraArgs = [ "-f" ];
-                  subvolumes = {
-                    "/root" = {
-                      mountpoint = "/";
-                      mountOptions = [ "compress=zstd" "noatime" ];
-                    };
-                    "/home" = {
-                      mountpoint = "/home";
-                      mountOptions = [ "compress=zstd" "noatime" ];
-                    };
-                    "/nix" = {
-                      mountpoint = "/nix";
-                      mountOptions = [ "compress=zstd" "noatime" ];
-                    };
-                    "/swap" = {
-                      mountpoint = "/.swapvol";
-                      swap.swapfile.size = "1G";
-                    };
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/nijika/hardware-configuration.nix

@@ -8,17 +8,44 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
+  fileSystems."/" =
+    { device = "/dev/mapper/root";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/4a0361b6-b3b4-48dd-a089-babdfa072fc2";
+
+  fileSystems."/nix" =
+    { device = "/dev/mapper/root";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  fileSystems."/.swapvol" =
+    { device = "/dev/mapper/root";
+      fsType = "btrfs";
+      options = [ "subvol=swap" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/mapper/root";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/CF57-9CF0";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

hosts/nixos-common.nix

@@ -6,7 +6,6 @@
 
 {
   # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
   # Networking

hosts/seika/configuration.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  networking.hostName = "seika";
+
+  hardware.graphics.enable = true;
+  environment.sessionVariables.LIBVA_DRIVER_NAME = "iHD";
+  hardware.graphics.extraPackages = with pkgs; [
+    intel-media-driver # For Broadwell (2014) or newer processors. LIBVA_DRIVER_NAME=iHD
+    libva-vdpau-driver # Previously vaapiVdpau
+    intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+  ];
+
+  services.logind.settings.Login.HandleLidSwitchExternalPower = "ignore";
+}

hosts/seika/hardware-configuration.nix

@@ -0,0 +1,56 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
+      fsType = "btrfs";
+      options = [ "subvol=@root" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
+      fsType = "btrfs";
+      options = [ "subvol=@home" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" ];
+    };
+
+  fileSystems."/media" =
+    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
+      fsType = "btrfs";
+      options = [ "subvol=@media" ];
+    };
+
+  fileSystems."/swap" =
+    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
+      fsType = "btrfs";
+      options = [ "subvol=@swap" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/E89A-EECA";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

modules/applications/1password.nix

@@ -0,0 +1,19 @@
+{ config, ...}:
+
+{
+  programs._1password.enable = true;
+  programs._1password-gui = {
+    enable = true;
+    polkitPolicyOwners = [ "nico" ];
+  };
+
+  # browser extensions
+  programs.firefox.policies.ExtensionSettings."{d634138d-c276-4fc8-924b-40a0ea21d284}" = {
+    installation_mode = "force_installed";
+    install_url = "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi";
+  };
+
+  programs.chromium.extensions = [
+    "aeblfdkhhhdcdjpifhhbdiojplfjncoa" # 1Password
+  ];
+}

modules/applications/darwin.nix

@@ -5,27 +5,30 @@
 
   # dock
   system.defaults.dock.persistent-apps = [
-    "/Applications/Firefox.app"
+    "/Applications/Zen.app"
     "/Applications/Ghostty.app"
-    "/Applications/Nix Apps/Spotify.app"
-    "/Applications/Grayjay.app"
-    "/Applications/Infuse.app"
+    "/System/Applications/Music.app"
+    "/Applications/Nix Apps/KeePassXC.app"
+    { spacer.small = true; }
 
     "/System/Applications/Messages.app"
-    "/Applications/Nix Apps/Vesktop.app"
-
-    "/Applications/Nix Apps/UTM.app"
-
+    "/Applications/Signal.app"
+    "/Applications/Nix Apps/Discord.app"
     "/System/Applications/Mail.app"
-    "/Applications/Nix Apps/Obsidian.app"
-    "/Applications/1Password.app"
+    { spacer.small = true; }
+
+    "/Applications/Nix Apps/Obsidian.app"
+    "/Applications/Nix Apps/Anki.app"
+    "/Applications/Reeder.app"
+    { spacer.small = true; }
 
-    "/Applications/OBS.app"
     "/Applications/Nix Apps/Audacity.app"
+    "/Applications/Affinity.app"
     "/Applications/GIMP.app"
     "/Applications/Krita.app"
-    "/Applications/Blender.app"
-    "/Applications/OpenUTAU.app"
+#    "/Applications/Blender.app"
+#    "/Applications/OpenUTAU.app"
+    { spacer.small = true; }
   ];
   
   # homebrew pkgs
@@ -33,28 +36,27 @@
     enable = true;
     onActivation.cleanup = "zap";
     casks = [
-      "firefox"
+      "zen"
       "ghostty"
       "krita"
       "blender"
       "obs"
-      "grayjay"
       "gimp"
-      "1password"
+      "signal"
+      "soulseek"
+      "musicbrainz-picard"
+      "affinity"
 
       "the-unarchiver"
-      "battery"
       "linearmouse"
-      "alt-tab"
-      "easy-move+resize"
       "lulu"
-      "rectangle"
+    ];
+    brews = [
+      "mas"
     ];
     masApps = {
       "Infuse" = 1136220934;
+      "Reeder Classic" = 1529448980;
     };
   };
-
-  # hotkey daemon
-  services.skhd.enable = true;
 }

modules/applications/default.nix

@@ -2,25 +2,31 @@
 
 {
   environment.systemPackages = with pkgs; [
-    spotify
     audacity
     obsidian
     ani-cli
-    vesktop
-    _1password-cli
+    (discord.override {
+      withVencord = true;
+    })
+    yt-dlp
   ] ++ lib.optionals pkgs.stdenv.isLinux (with pkgs; [  
     mpv
     ghostty
     thunderbird
     krita
-    openutau
     obs-studio
     blender
-    gimp
-    _1password-gui
+    gimp3
+    signal-desktop-bin
+    anki
+    newsflash
+    nicotine-plus
+    picard
+    whipper
   ]) ++ lib.optionals pkgs.stdenv.isDarwin (with pkgs; [
     iina
-    utm
     raycast
+    anki-bin
+    keepassxc
   ]);
 }

modules/applications/keepassxc.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    keepassxc
+  ];
+  # browser extensions
+  programs.firefox.policies.ExtensionSettings."keepassxc-browser@keepassxc.org" = {
+    installation_mode = "force_installed";
+    install_url = "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi";
+  };
+
+  programs.chromium.extensions = [
+    "oboonakemofpalcgghocfoadofidjkkk" # KeePassXC
+  ];
+}

modules/browser/chromium.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = [
+    pkgs.chromium # not enabled through programs.chromium.enable
+  ];
+  
+  programs.chromium = {
+    enable = true;
+    enablePlasmaBrowserIntegration = if (config.services.desktopManager.plasma6.enable == true) then true else false;
+
+    extensions = [
+      "ddkjiahejlhfcafbddmgiahcphecmpfh" # ublock origin lite
+      "eimadpbcbfnmbkopoojfekhnkhdbieeh" # dark reader
+      "mnjggcdmjocbbbhaepdhchncahnbgone" # sponsorblock
+      "fnaicdffflnofjppbagibeoednhnbjhg" # floccus bookmark sync
+    ];
+  };
+}

modules/browser/firefox.nix

@@ -8,6 +8,18 @@
         installation_mode = "force_installed";
         install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
       };
+      "gdpr@cavi.au.dk" = {
+        installation_mode = "force_installed";
+        install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
+      };
+      "{cb31ec5d-c49a-4e5a-b240-16c767444f62}" = {
+        installation_mode = "force_installed";
+        install_url = "https://addons.mozilla.org/firefox/downloads/latest/indie-wiki-buddy/latest.xpi";
+      };
+      "myallychou@gmail.com" = {
+        installation_mode = "force_installed";
+        install_url = "https://addons.mozilla.org/firefox/downloads/latest/youtube-recommended-videos/latest.xpi";
+      };
       "@testpilot-containers" = {
         installation_mode = "force_installed";
         install_url = "https://addons.mozilla.org/firefox/downloads/latest/multi-account-containers/latest.xpi";
@@ -20,13 +32,9 @@
         installation_mode = "force_installed";
         install_url = "https://addons.mozilla.org/firefox/downloads/latest/temporarytabcontainer/latest.xpi";
       };
-      "keepassxc-browser@keepassxc.org" = {
+      "sponsorBlocker@ajay.app" = {
         installation_mode = "force_installed";
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi";
-      };
-      "pywalfox@frewacom.org" = {
-        installation_mode = "force_installed";
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/pywalfox/latest.xpi";
+        install_url = "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi";
       };
     };
 
@@ -124,15 +132,5 @@
 
     // use same search engine (duckduckgo) for private browsing
     lockPref("browser.search.separatePrivateDefault", false);
-
-    // stop extensions connecting to the internet
-    lockPref(
-      "extensions.webextensions.base-content-security-policy",
-      "default-src 'none'; script-src 'none'; object-src 'none';"
-    );
-    lockPref(
-      "extensions.webextensions.base-content-security-policy.v3",
-      "default-src 'none'; script-src 'none'; object-src 'none';"
-    );
   '';
 }

modules/desktop/de/aerospace.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  services.aerospace.enable = true;
+  services.aerospace.settings = ( builtins.fromTOML ( builtins.readFile ../../../stow/.config/aerospace/aerospace.toml ));
+  homebrew.brews = [
+    "FelixKratz/formulae/borders"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    matugen
+  ];
+}

modules/desktop/de/darwin.nix

@@ -11,6 +11,9 @@
   system.defaults.NSGlobalDomain.NSDisableAutomaticTermination = true;
   system.defaults.NSGlobalDomain.NSDocumentSaveNewDocumentsToCloud = false;
 
+  # enable ctrl+cmd to drag windows anywhere
+  system.defaults.NSGlobalDomain.NSWindowShouldDragOnGesture = true;
+
   # hot corners
   system.defaults.dock = {
     wvous-bl-corner = 1;
@@ -22,7 +25,6 @@
   # login
   system.defaults.loginwindow.GuestEnabled = false;
   system.defaults.screensaver.askForPassword = true;
-  system.defaults.loginwindow.SHOWFULLNAME = true; # user needs to enter username and password to login
 
   # control center
   system.defaults.controlcenter = {

modules/desktop/de/hyprland.nix

@@ -5,11 +5,8 @@
   # Optional, hint electron apps to use wayland:
   environment.sessionVariables.NIXOS_OZONE_WL = "1";
 
-  # have portals
-  xdg.portal.enable = true;
-  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
-
   programs.hyprlock.enable = true;
+  services.hypridle.enable = true;
 
   environment.systemPackages = with pkgs; [
     ghostty
@@ -21,32 +18,15 @@
     wl-clipboard
     brightnessctl
     helvum
-    walker
+    vicinae
     playerctl
     swaynotificationcenter
     hyprshot
     matugen
-    pywalfox-native
+    glib
     hyprshade
+    hyprpolkitagent
   ];
 
   programs.ssh.startAgent = true;
-
-  # enable polkit
-  security.polkit.enable = true;
-  systemd = {
-    user.services.polkit-gnome-authentication-agent-1 = {
-      description = "polkit-gnome-authentication-agent-1";
-      wantedBy = [ "graphical-session.target" ];
-      wants = [ "graphical-session.target" ];
-      after = [ "graphical-session.target" ];
-      serviceConfig = {
-          Type = "simple";
-          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
-          Restart = "on-failure";
-          RestartSec = 1;
-          TimeoutStopSec = 10;
-        };
-    };
-  };
 }

modules/desktop/de/kde.nix

@@ -4,26 +4,23 @@
   services.desktopManager.plasma6.enable = true;
 
   environment.plasma6.excludePackages = with pkgs.kdePackages; [
-    plasma-browser-integration
     konsole
     (lib.getBin qttools) # Expose qdbus in PATH
-    ark
     elisa
-    gwenview
     okular
-    kate
     khelpcenter
-    #dolphin
     baloo-widgets  # baloo information in Dolphin
     dolphin-plugins
-    spectacle
     ffmpegthumbs
     krdp
-    gwenview
+
+    # gwenview
+    # dolphin
+    # spectacle
     # xwaylandvideobridge
+    # kate
+    # gwenview
+    # ark
+    # plasma-browser-integration
   ];
-
-
-
-
 }

modules/desktop/de/yabai.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.yabai = {
+    enable = true;
+    enableScriptingAddition = true;
+    extraConfig = builtins.readFile ../../../stow/.config/yabai/yabairc;
+  };
+
+  system.defaults.spaces.spans-displays = lib.mkForce false;
+
+  environment.systemPackages = with pkgs; [
+    skhd
+    matugen
+  ];
+
+  homebrew.brews = [
+    "FelixKratz/formulae/borders"
+  ];
+}

modules/desktop/default.nix

@@ -5,8 +5,14 @@
     ./pipewire.nix
     ./flatpak.nix
     ./fonts.nix
+    ./printing.nix
   ];
 
   # Enable font dir for compatability
   fonts.fontDir.enable = true;
+
+  # enable desktop portals
+  xdg.portal.enable = true;
+  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+
 }

modules/desktop/fonts.nix

@@ -8,6 +8,8 @@
       noto-fonts-cjk-sans       # gets japanese and chinese langs
       nerd-fonts.comic-shanns-mono # programming fonts
       corefonts                 # basic web fonts
+
+      comic-neue
     ];
   };
 }

modules/desktop/japanese-input.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+  i18n.inputMethod = {
+    enable = true;
+    type = "fcitx5";
+    fcitx5.waylandFrontend = true;
+    fcitx5.addons = with pkgs; [
+      fcitx5-mozc
+      fcitx5-gtk
+    ];
+  };
+
+  i18n.inputMethod.fcitx5.settings.inputMethod = {
+    GroupOrder."0" = "Default";
+    "Groups/0" = {
+      Name = "Default";
+      "Default Layout" = "au";
+      DefaultIM = "mozc";
+    };
+    "Groups/0/Items/0".Name = "keyboard-au";
+    "Groups/0/Items/1".Name = "mozc";
+  };
+}

modules/desktop/login/autologin.nix

@@ -6,11 +6,11 @@
     enable = true;
     settings = {
       initial_session = {
-        command = if (config.programs.niri.enable == true) then "${pkgs.niri}/bin/niri-session" else if (config.programs.hyprland.enable == true) then "${pkgs.hyprland}/bin/Hyprland" else "${pkgs.zsh}/bin/zsh";
+        command = if (config.programs.niri.enable == true) then "${pkgs.niri}/bin/niri-session" else if (config.programs.hyprland.enable == true) then "${pkgs.hyprland}/bin/start-hyprland" else "${pkgs.zsh}/bin/zsh";
         user = "nico";
       };
       default_session = {
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --asterisks --time --greeting 'nyaaa~~'";
+        command = "${lib.getExe pkgs.tuigreet} --asterisks --time --greeting 'nyaaa~~'";
       };
     };
   };

modules/desktop/login/plymouth.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }: {
+  boot = {
+    plymouth = {
+      enable = true;
+      theme = "bgrt";
+    };
+
+    # Enable "Silent boot"
+    consoleLogLevel = 3;
+    initrd.verbose = false;
+    kernelParams = [
+      "quiet"
+      "splash"
+      "boot.shell_on_fail"
+      "udev.log_priority=3"
+      "rd.systemd.show_status=auto"
+    ];
+  };
+}
+

modules/desktop/login/sddm.nix

@@ -0,0 +1,6 @@
+{ config, ... }:
+
+{
+  services.displayManager.sddm.enable = true;
+  services.displayManager.sddm.wayland.enable = true;
+}

modules/desktop/polkit-gtk.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  # enable polkit
+  security.polkit.enable = true;
+  systemd = {
+    user.services.polkit-gnome-authentication-agent-1 = {
+      description = "polkit-gnome-authentication-agent-1";
+      wantedBy = [ "graphical-session.target" ];
+      wants = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      serviceConfig = {
+          Type = "simple";
+          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+          Restart = "on-failure";
+          RestartSec = 1;
+          TimeoutStopSec = 10;
+        };
+    };
+  };
+}

modules/desktop/printing.nix

@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+  imports = [
+    ../network/avahi.nix
+  ];
+
+  services.printing.enable = true;
+  services.avahi.openFirewall = true;
+}

modules/desktop/programs/sketchybar.nix

@@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:
 
 {
-  services.skhd.enable = true;
-  services.sketchybar.enable = true;
   system.defaults.NSGlobalDomain._HIHideMenuBar = true;
+
+  homebrew.brews = [
+    "FelixKratz/formulae/sketchybar"
+  ];
 }

modules/games/darwin.nix

@@ -4,16 +4,14 @@
   imports = [ ./default.nix ];
 
   homebrew.casks = [
-    "whisky"
     "steam"
-    "heroic"
+    "roblox"
   ];
 
   system.defaults.dock.persistent-apps = [
     "/Applications/Steam.app"
-    "/Applications/Heroic.app"
-    "/Applications/Whisky.app"
     "${pkgs.prismlauncher}/Applications/PrismLauncher.app"
     "${pkgs.osu-lazer-bin}/Applications/osu!.app"
+    { spacer.small = true; }
   ];
 }

modules/games/server/minecraft/building.nix

@@ -3,9 +3,9 @@
 {
   services.minecraft-servers.servers.building = {
     enable = true;
-    package = pkgs.paperServers.paper-1_21_5;
+    package = pkgs.paperServers.paper-1_21_11;
     autoStart = true;
-    jvmOpts = "-Xms4096M -Xmx4096M";
+    jvmOpts = "-Xms1024M -Xmx4096M";
 
     serverProperties = {
       server-port = 30002;
@@ -16,8 +16,8 @@
     };
 
     symlinks = {
-      "plugins/Worldedit.jar" = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/1u6JkXh5/versions/NhJaettg/worldedit-bukkit-7.3.12-beta-01.jar"; sha256 = "sha256-NP5ALYQe6DVVAeTeDGxySKZ8sjQnLjQc8PTbDS+Lbd4="; };
-      "plugins/EssentialsX.jar" = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/hXiIvTyT/versions/SKQwLLoQ/EssentialsX-2.21.0.jar"; sha256 = "sha256-VwQyKlSDa5hLEQ9+Igi67RiGwu/tREa0l+Z+US/skMU="; };
+      "plugins/Worldedit.jar" = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/1u6JkXh5/versions/qYMNQYjH/worldedit-bukkit-7.3.18-beta-01.jar"; sha256 = "sha256-/TRUrwHhjnyBuCVyS34IWzvILz79RhZjS6k2DLwkUk0="; };
+      "plugins/EssentialsX.jar" = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/hXiIvTyT/versions/Oa9ZDzZq/EssentialsX-2.21.2.jar"; sha256 = "sha256-C3WQJvAvPFR8MohvNmbbPB+Uz/c+FBrlZIMT/Q0L38Y="; };
     };
   };
 

modules/games/server/minecraft/fabric-modless.nix

@@ -3,9 +3,9 @@
 {
   services.minecraft-servers.servers.fabric-modless = {
     enable = true;
-    package = pkgs.fabricServers.fabric-1_21_5;
+    package = pkgs.fabricServers.fabric-1_21_11;
     autoStart = true;
-    jvmOpts = "-Xms4096M -Xmx4096M";
+    jvmOpts = "-Xms1024M -Xmx4096M";
 
     serverProperties = {
       server-port = 30001;
@@ -15,11 +15,11 @@
 
     symlinks = {
       mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
-        FabricAPI = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/FZ4q3wQK/fabric-api-0.119.9%2B1.21.5.jar"; sha512 = "4eec629514cba71e4792c1ebf357e574713e5fdb3c01c6e7d132ed631bdeaab0b38bcab84d4ade14c6966c24f9938026da2e65c25b58cde4ce9710c49d147e87"; };
-        Chunky = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/fALzjamp/versions/mhLtMoLk/Chunky-Fabric-1.4.36.jar"; sha512 = "65a201c246c95f6189a16e715d944e4a7ca7f44a8c4a39c8e6523d8c58e331d6611c78deff050cb4a2a2d80c5b8d84e3593a9b8ff961f7aee3d171a4ef7af2c7"; };
-        Ferritecore = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/uXXizFIs/versions/CtMpt7Jr/ferritecore-8.0.0-fabric.jar"; sha512 = "131b82d1d366f0966435bfcb38c362d604d68ecf30c106d31a6261bfc868ca3a82425bb3faebaa2e5ea17d8eed5c92843810eb2df4790f2f8b1e6c1bdc9b7745"; };
-        NoChatReports = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/qQyHxfxd/versions/CHlHxkvf/NoChatReports-FABRIC-1.21.5-v2.12.0.jar"; sha512 = "c0825db25672cf8b50face51ec8a6bedb4be50b374a2537640a433c98817bc07c177485e93ab8cee9e3f7bfb1d2eb1460309e818b411764c92426b552487a9f7"; };
-        FabricProxyLite = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/8dI2tmqs/versions/AQhF7kvw/FabricProxy-Lite-2.9.0.jar"; sha512 = "3044f36df7e83021210a7c318def18a95b5dbf5e3230bb72a3ddb42ebdda33f248c6d12efcee1240ff0c54600d68d147afa105d04ee37a90acb9409619c89848"; };
+        FabricAPI = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/KhCFoeip/fabric-api-0.139.5%2B1.21.11.jar"; sha512 = "hSyedhdbLVHOoZG/zAAFuCTeQz8abeAdZyuegsocq4R4sYBnC8bEgRdE70q+yL0v86sPnBqlZEcT0G8/vMJ48A=="; };
+        Chunky = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/fALzjamp/versions/bk9YUabA/Chunky-Fabric-1.4.54.jar"; sha512 = "vxX9sMDiBMKUdmxrkvDcidlulM5PcLmKxC6qRrh4Aq9Wz+tlSHePSUWx/cL+VholR39xGTfb85DiC5TBvQBsrg=="; };
+        Ferritecore = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/uXXizFIs/versions/eRLwt73x/ferritecore-8.0.3-fabric.jar"; sha512 = "vmAFQ+SZtZKG+UCfRkl1cK3FGTmuY+qhKsKeZ3jaJ9jHxs0LM0DYvMocyZzmF3mxqPUrmQ+eTpqTqpxkgpBSMQ=="; };
+        NoChatReports = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/qQyHxfxd/versions/78RjC1gi/NoChatReports-FABRIC-1.21.10-v2.16.0.jar"; sha512 = "ObLyhPc/gpABK4ucxwCF1ZZoVH/HtOxDqzTkvKazmmaR++MrwzJuQDU7qcFqBjIOUoGDFb53eZparVJjcMvHcw=="; };
+        FabricProxyLite = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/8dI2tmqs/versions/nR8AIdvx/FabricProxy-Lite-2.11.0.jar"; sha512 = "wuHZJ59vGaVh+TS4RlQLKKAzWGtLQZucGqJ6xD/8j60s5g4hKhVAbl+jkH/17L5a96XtsYOp7mc3pB5GSuwTdQ=="; };
       });
     };
   };
@@ -27,11 +27,6 @@
   services.minecraft-servers.servers.velocity.symlinks."velocity.toml".value = {
     servers = {
       fabric-modless = "127.0.0.1:30001";
-
-      # In what order we should try servers when a player logs in or is kicked from a server.
-      try = [
-          "fabric-modless"
-      ];
     };
   };
 }

modules/games/server/minecraft/forge-1.19.2.nix

@@ -22,11 +22,6 @@
   services.minecraft-servers.servers.velocity.symlinks."velocity.toml".value = {
     servers = {
       forge-1-19-2 = "127.0.0.1:30004";
-
-      # In what order we should try servers when a player logs in or is kicked from a server.
-      try = [
-          "forge-1-19-2"
-      ];
     };
   };
 }

modules/games/server/minecraft/neoforge-1.21.1.nix

@@ -10,7 +10,8 @@
       TYPE = "NEOFORGE";
       VERSION = "1.21.1";
       EULA = "TRUE";
-      MEMORY = "4G";
+      INIT_MEMORY = "1G";
+      MAX_MEMORY = "6G";
       SERVER_PORT = "30005";
 
       UID = "992";
@@ -21,11 +22,6 @@
   services.minecraft-servers.servers.velocity.symlinks."velocity.toml".value = {
     servers = {
       neoforge-1-21-1 = "127.0.0.1:30005";
-
-      # In what order we should try servers when a player logs in or is kicked from a server.
-      try = [
-          "neoforge-1-21-1"
-      ];
     };
   };
 }

modules/games/server/minecraft/velocity.nix

@@ -6,10 +6,10 @@
     package = pkgs.velocityServers.velocity;
     autoStart = true;
     openFirewall = true;
-    jvmOpts = "-Xms256M -Xmx1024M";
+    jvmOpts = "-Xms128M -Xmx1024M";
     symlinks = {
-      "plugins/Luckperms.jar" = pkgs.fetchurl { url = "https://download.luckperms.net/1575/velocity/LuckPerms-Velocity-5.4.158.jar"; sha512 = "07b649db2d2c9f16791d706621dcb606d05bbc1125fa65765e7d4cf4b45778a84f65ca4ad8e461ff146646805072852322cfbd91d66699af5e895d00b233648f"; };
-      "plugins/Velocitab.jar" = pkgs.fetchurl { url = "https://hangarcdn.papermc.io/plugins/William278/Velocitab/versions/1.7.5/VELOCITY/Velocitab-1.7.5.jar"; sha512 = "ExyxRVbkzgVRTOZC9yRrwJbNpRnD1aFZa/QlMmBHAjLMXYmM/Q7lRMGtQs3dyrjBI06Z9e01ZaOmTTa2RbtNew=="; };
+      "plugins/Luckperms.jar" = pkgs.fetchurl { url = "https://download.luckperms.net/1610/velocity/LuckPerms-Velocity-5.5.21.jar"; sha512 = "xAUogBzYUF71CuutcUPM1QJLVel/6Ihzui1Ksbdrd5qeGDqecULdHJtMNsLCM6XQJndGgBTrGv4xljLzVQsx7A=="; };
+      "plugins/Velocitab.jar" = pkgs.fetchurl { url = "https://hangarcdn.papermc.io/plugins/William278/Velocitab/versions/1.7.9/VELOCITY/Velocitab-1.7.9.jar"; sha512 = "2okGzE0QJz8RTOmVCZHBizokEuTwVvKRPwr6JhJUg5kpsWWhkF+k+XCMzI5aMwSbDy7+2W3NE1qvbfFZHAKdsw=="; };
 
       "plugins/Message.jar" = pkgs.fetchurl { url = "https://hangarcdn.papermc.io/plugins/OskarsMC-Plugins/message/versions/1.4.0/VELOCITY/message-1.4.0-all.jar"; sha512 = "62503339714d7d26d71a98b2036cd04e91c9049567a033441d904a5f3190177bdc41dcd5183e6c51eb083a143edbfaf50642d44c99c1b83e7a3546a3654305c8"; };
       "plugins/Send.jar" = pkgs.fetchurl { url = "https://github.com/OskarsMC-Plugins/send/releases/download/3.0.0/send-3.0.0.jar"; sha512 = "aff03bb13804cd01ecd649d283bfdb0b3411cb4df045670328a43f53a05f7386a76a536c4fcbbd3cdc718aa300f2ab2940c7437a181e31fa9f1c9c0e591896ab"; };
@@ -21,7 +21,7 @@
       config-version = "2.7";
 
       bind = "0.0.0.0:25565";
-      motd = "<#09add3>A Velocity Server";
+      motd = "<gray>A velocity server.\n<gray>hosted on <light_purple>${config.networking.hostName}<gray>.";
       show-max-players = 500; # displayed maximum players, not an actual cap
       online-mode = true;
       force-key-authentication = true;
@@ -42,6 +42,7 @@
           headers = [ "<gray>" ];
           footers = [ "<gray>connected to <light_purple>%server%<gray>" ];
           format = "<white>%prefix%%username% <gray>%server%";
+          send_scoreboard_packets = true;
           nametag.prefix = "%prefix%";
           nametag.suffix = "";
           sorting_placeholders = [
@@ -63,7 +64,7 @@
 
       messages = {
         message-sent = "<light_purple>✉</light_purple> <gray><sender></gray> <dark_gray>→</dark_gray> <gray><receiver></gray> <white><message></white>";
-        message-received = "<light_purple>✉</light_purple> <gray><receiver></gray> <dark_gray>→</dark_gray> <gray><sender></gray> <white><message></white>";
+        message-received = "<light_purple>✉</light_purple> <gray><sender></gray> <dark_gray>→</dark_gray> <gray><receiver></gray> <white><message></white>";
         message-socialspy = "<light_purple>✉ spy</light_purple>  <gray><sender></gray> <dark_gray>→</dark_gray> <gray><receiver></gray> <white><message></white>";
       };
 

modules/hardware/bootloader/limine.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+{
+  boot.loader.limine = {
+    enable = true;
+    validateChecksums = true;
+    panicOnChecksumMismatch = true;
+    enableEditor = false;
+
+
+    extraEntries =
+''
+/memtest86
+  protocol: chainload
+  path: boot():///efi/memtest86/memtest86.efi
+'';
+    additionalFiles = { 
+      "efi/memtest86/memtest86.efi" = "${pkgs.memtest86-efi}/BOOTX64.efi";
+    };
+
+    secureBoot.enable = true;
+  };
+}

modules/hardware/bootloader/systemd-boot.nix

@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+  };
+
+  boot.loader.timeout = 0;
+}

modules/hardware/darwin.nix

@@ -14,10 +14,6 @@
       "Ethernet Adaptor"
       "Thunderbolt Ethernet"
     ];
-
-    dns = [
-      "1.1.1.1"
-    ];
   };
 
   # keyboard

modules/hardware/restic.nix

@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.restic.backups."${config.networking.hostName}-server" = {
+    initialize = false;
+
+    paths = [
+      "/media"
+    ];
+
+    exclude = [
+      "/media/secrets"
+      "/media/torrents"
+      "/media/media"
+
+      ".cache*"
+      ".DS_Store"
+      "logs"
+    ];
+
+    checkOpts = [
+      "--with-cache" # just to make checks faster
+    ];
+
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 12"
+      "--keep-yearly 10"
+    ];
+
+    timerConfig = {
+      OnBootSec = "5m"; # lets wifi connect before starting backups
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+
+    # backup postgres databases, kind of hacky but
+    # i think its the only way to do it without needing
+    # another backup repo
+    backupPrepareCommand = ''
+      rm -f /media/apps/postgres # -f doesn't error if doesn't exist
+      touch /media/apps/postgres
+      chmod 600 /media/apps/postgres
+      ${lib.getExe pkgs.sudo} -u postgres ${config.services.postgresql.package}/bin/pg_dumpall > /media/apps/postgres
+    '';
+
+    backupCleanupCommand = ''
+      rm /media/apps/postgres
+    '';
+
+    # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#other-services-via-rclone
+    # put something like : "rclone:onedrive:restic" to use as the remote
+    #
+    # sudo nix run nixpkgs#rclone -- config
+    repositoryFile = "/media/secrets/restic-repo";
+
+    # the passphrase used 
+    passwordFile = "/media/secrets/restic-password";
+  };
+
+  systemd.tmpfiles.rules = [
+    "f /media/secrets/restic-repo 0400 root root"
+    "f /media/secrets/restic-password 0400 root root"
+  ];
+}

modules/network/avahi.nix

@@ -3,6 +3,7 @@
 {
   services.avahi = {
     enable = true;
-    nssmdns = true;
+    nssmdns4 = true;
+    nssmdns6 = true;
   };
 }

modules/network/ddclient.nix

@@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+  services.ddclient = {
+    enable = true;
+    configFile = "/root/nixos/secrets/ddclient.conf";
+  };
+}

modules/network/firewall/opensnitch.nix

@@ -10,6 +10,8 @@
     };
 
     rules = {
+      #
+      # system services
       "systemd-timesyncd" = {
         "name" = "systemd-timesyncd";
         "enabled" = true;
@@ -18,8 +20,8 @@
         "operator" = {
           "type" = "simple";
           "sensitive" = false;
-          "operand" = "process.path";
-          "data" = "${pkgs.systemd}/lib/systemd/systemd-timesyncd";
+          "operand" = "lists.domains";
+          "data" = builtins.toFile "systemd-timesyncd-opensnitch-rules" (lib.strings.concatStringsSep "\n" config.networking.timeServers);
         };
       };
       "nsncd" = {
@@ -34,6 +36,157 @@
           "data" = "${pkgs.nsncd}/bin/nsncd";
         };
       };
+      "tailscale" =  {
+        "name" = "tailscale";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "operand" = "process.path";
+          "type" = "simple";
+          "sensitive" = false;
+          "data" = "${pkgs.tailscale}/bin/.tailscaled-wrapped";
+        };
+      };
+      "avahi-daemon" =  {
+        "name" = "avahi-daemon";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "operand" = "process.path";
+          "type" = "simple";
+          "sensitive" = false;
+          "data" = "${pkgs.avahi}/bin/avahi-daemon";
+        };
+      };
+
+      #
+      # services
+      "prowlarr" =  {
+        "name" = "prowlarr";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.prowlarr}/lib/prowlarr/Prowlarr";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "prowlarr";
+            }
+          ];
+        };
+      };
+      "sonarr" =  {
+        "name" = "sonarr";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.sonarr}/lib/sonarr/Sonarr";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${config.services.sonarr.user}";
+            }
+          ];
+        };
+      };
+      "radarr" =  {
+        "name" = "radarr";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.radarr}/lib/radarr/Radarr";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${config.services.radarr.user}";
+            }
+          ];
+        };
+      };
+      "forgejo" =  {
+        "name" = "forgejo";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.forgejo-lts}/bin/.forgejo-wrapped";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${config.services.forgejo.user}";
+            }
+          ];
+        };
+      };
+      "caddy" =  {
+        "name" = "caddy";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.caddy}/bin/caddy";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${config.services.caddy.user}";
+            }
+          ];
+        };
+      };
+
+
+      #
+      # desktop applications
       "firefox" = {
         "name" = "firefox";
         "enabled" = true;

modules/network/vpn/tailscale-darwin.nix

@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 
 {
-  homebrew.casks = [
-    "tailscale"
-  ];
+  homebrew.masApps = {
+    "Tailscale" = 1475387142;
+  };
 }

modules/network/vpn/tailscale.nix

@@ -2,4 +2,8 @@
 
 {
   services.tailscale.enable = true;
+  services.tailscale.extraSetFlags = [
+    "--advertise-exit-node"
+  ];
+  services.tailscale.useRoutingFeatures = "server";
 }

modules/services/archiveteam-warrior.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+{
+  virtualisation.oci-containers.backend = "podman";
+  virtualisation.oci-containers.containers.archiveteam-warrior = {
+    image = "atdr.meo.ws/archiveteam/warrior-dockerfile";
+    ports = [ "8001:8001" ];
+    environment = {
+      "CONCURRENT_ITEMS" = "5";
+      "DOWNLOADER" = "astolfo";
+      "SELECTED_PROJECT" = "auto";
+    };
+  };
+}

modules/services/auth/kanidm.nix

@@ -2,11 +2,11 @@
 
 {
   services.kanidm = {
-    enableServer = true;
-    enablePam = false;
-    package = pkgs.kanidm_1_5;
+    server.enable = true;
+    unix.enable = false;
+    package = pkgs.kanidm_1_9;
 
-    serverSettings = {
+    server.settings = {
       bindaddress = "127.0.0.1:8443";
       ldapbindaddress = "0.0.0.0:636";
       domain = "${config.homelab.authDomain}";
@@ -14,6 +14,12 @@
 
       tls_chain = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/cert.pem";
       tls_key = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/key.pem";
+
+      online_backup = {
+        schedule =  "00 22 * * *";
+        path = "/media/apps/kanidm";
+        versions = 14;
+      };
     };
   };
 
@@ -24,11 +30,10 @@
     dnsProvider = "cloudflare";
     dnsResolver = "1.1.1.1:53";
     dnsPropagationCheck = true;
-    environmentFile = /var/lib/caddy/secret;
   };
 
   services.caddy.virtualHosts."${config.homelab.authDomain}" = {
-    useACMEHost = config.services.kanidm.serverSettings.domain;
+    useACMEHost = config.services.kanidm.server.settings.domain;
     extraConfig = ''
       reverse_proxy https://localhost:8443 {
         header_up Host "${config.homelab.authDomain}:8443"

modules/services/auth/tinyauth.nix

@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+{
+  virtualisation.oci-containers.backend = "podman";
+  virtualisation.oci-containers.containers.tinyauth = {
+    image = "ghcr.io/steveiliop56/tinyauth:v4";
+    ports = [
+      "3009:3000"
+    ];
+    environment = {
+      "APP_URL" = "https://tinyauth.${config.homelab.domain}";
+
+      "PROVIDERS_KANIDM_CLIENT_ID" = "tinyauth";
+      "PROVIDERS_KANIDM_AUTH_URL" = "https://${config.homelab.authDomain}/ui/oauth2";
+      "PROVIDERS_KANIDM_TOKEN_URL" = "https://${config.homelab.authDomain}/oauth2/token";
+      "PROVIDERS_KANIDM_USER_INFO_URL" = "https://${config.homelab.authDomain}/oauth2/openid/tinyauth/userinfo";
+      "PROVIDERS_KANIDM_REDIRECT_URL" = "https://tinyauth.${config.homelab.domain}/api/oauth/callback/kanidm";
+      "PROVIDERS_KANIDM_SCOPES" = "openid email profile groups";
+      "PROVIDERS_KANIDM_NAME" = "${config.homelab.authDomain}";
+    };
+
+  environmentFiles = [
+      # set variable PROVIDERS_KANIDM_CLIENT_SECRET here
+      /media/secrets/tinyauth
+    ];
+  };
+
+  systemd.tmpfiles.rules = [
+    "f /media/secrets/tinyauth 0400 root root"
+  ];
+
+  services.caddy.extraConfig = ''
+    (tinyauth_forwarder) {
+      forward_auth 127.0.0.1:3009 {
+        uri /api/auth/caddy
+      }
+    }
+  '';
+
+
+  services.caddy.virtualHosts."tinyauth.${config.homelab.domain}" = {
+    useACMEHost = config.homelab.domain;
+    extraConfig = ''
+      reverse_proxy http://localhost:3009
+    '';
+  };
+}

modules/services/caddy.nix

@@ -22,11 +22,19 @@
     
     services.caddy = {
       enable = true;
+      extraConfig = ''
+      (block_non_private_ips) {
+        @non_private_ips not remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48 private_ranges
+        abort @non_private_ips
+      }
+      '';
     };
 
     security.acme = {
       acceptTerms = true;
       defaults.email = "hello@astolfo.org";
+      defaults.environmentFile = /media/secrets/acme;
+      defaults.profile = "shortlived";
 
       certs."${config.homelab.domain}" = {
         group = config.services.caddy.group;
@@ -36,8 +44,11 @@
         dnsProvider = "cloudflare";
         dnsResolver = "1.1.1.1:53";
         dnsPropagationCheck = true;
-        environmentFile = /var/lib/caddy/secret;
       };
     };
+
+    systemd.tmpfiles.rules = [
+      "f /media/secrets/acme 0400 acme acme"
+    ];
   };
 }

modules/services/dns/adguardhome.nix

@@ -3,7 +3,7 @@
 {
   services.adguardhome = {
     enable = true;
-    mutableSettings = true;
+    mutableSettings = false;
     extraArgs = [ "--web-addr" "0.0.0.0:3003" ];
 
     settings = {
@@ -27,6 +27,17 @@
       filtering = {
         protection_enabled = true;
         filtering_enabled = true;
+
+        rewrites = [
+          {
+            domain = "nijika.astolfo.org";
+            answer = "100.105.94.30";
+          }
+          {
+            domain = "*.nijika.astolfo.org";
+            answer = "100.105.94.30";
+          }
+        ];
       };
 
       # The following notation uses map

modules/services/dns/coredns.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+
+{
+  services.coredns = {
+    enable = true;
+    config = ''
+      .:53 {
+        hosts {
+          100.100.144.4 seika.astolfo.org
+          fallthrough
+        }
+
+        # rewrite the CNAME to itself so hosts rule apply
+        rewrite cname exact seika.astolfo.org. seika.astolfo.org.
+
+        forward . 1.1.1.1
+        log
+        errors
+      }
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
+}

modules/services/dns/ddns-updater.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+
+{
+  services.ddns-updater = {
+    enable = true;
+    environment = {
+      SERVER_ENABLED="no";
+
+      # setup dynamic dns provider here
+      # https://wiki.nixos.org/wiki/Dynamic_DNS
+      # https://github.com/qdm12/ddns-updater/blob/master/docs/cloudflare.md
+      CONFIG_FILEPATH = "/media/secrets/ddns-updater.json";
+      PERIOD = "5m";
+    };
+  };
+}

modules/services/forgejo.nix

@@ -3,22 +3,20 @@
 {
   services.forgejo = {
     enable = true;
-    stateDir = "/var/lib/forgejo";
-    repositoryRoot = "${config.services.forgejo.stateDir}/repositories";
+    stateDir = "/media/apps/git";
+    repositoryRoot = "${config.services.forgejo.stateDir}/repos";
     database.createDatabase = true;
     
     settings = {
       session.COOKIE_SECURE = true;
       server = {
-        DOMAIN = "git.${config.homelab.domain}";
+        DOMAIN = "git.${config.homelab.publicDomain}";
         ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
         SSH_PORT = 22;
 #        PROTOCOL = "https";
         HTTP_PORT = 3000;
       };
 
-      security.REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
-
       service = {
         ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
         SHOW_REGISTRATION_BUTTON = false;
@@ -27,15 +25,11 @@
     };
   };
 
-  # configure anubis to prevent AI scrapers from overloading the git server.
-  services.anubis.instances.forgejo = {
-    enable = true;
-    settings = {
-      TARGET = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}";
-      SERVE_ROBOTS_TXT = true;
-      BIND_NETWORK = "tcp";
-      BIND = ":3333";
-    };
+  security.acme.certs."${config.services.forgejo.settings.server.DOMAIN}" = {
+    domain = "${config.services.forgejo.settings.server.DOMAIN}";
+    dnsProvider = "cloudflare";
+    dnsResolver = "1.1.1.1:53";
+    dnsPropagationCheck = true;
   };
 
   # forgejo has user keys under its own .ssh/authorizedKeys file.
@@ -43,13 +37,10 @@
   # in order to only allow that to the forgejo user as it has "/var"
   services.openssh.authorizedKeysInHomedir = lib.mkForce true;
 
-  services.caddy.virtualHosts."git.${config.homelab.domain}" = {
-    useACMEHost = config.homelab.domain;
+  services.caddy.virtualHosts."${config.services.forgejo.settings.server.DOMAIN}" = {
+    useACMEHost = config.services.forgejo.settings.server.DOMAIN;
     extraConfig = ''
-      reverse_proxy http://127.0.0.1${toString config.services.anubis.instances.forgejo.settings.BIND} {
-        header_up X-Real-Ip {remote_host}
-        header_up X-Http-Version {http.request.proto}
-      }
+      reverse_proxy http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
     '';
   };
 }

modules/services/glance.nix

@@ -107,6 +107,7 @@
     useACMEHost = config.homelab.domain;
     extraConfig = ''
       reverse_proxy http://localhost:8888
+      import block_non_private_ips
     '';
   };
 }

modules/services/karakeep.nix

@@ -1,35 +1,38 @@
 { config, ... }:
 
 {
-  virtualisation.oci-containers.containers.karakeep = {
-    image = "ghcr.io/karakeep-app/karakeep:release";
-    volumes = [ "/var/lib/karakeep/data:/data" ];
-    ports = [ "8023:3000" ];
-    environment = {
-      DATA_DIR = "/data"; # dont change
+  services.karakeep = {
+    enable = true;
+    extraEnvironment = {
+      PORT = "8023";
 
-      OAUTH_WELLKNOWN_URL = "https://auth.${config.homelab.domain}/.well-known/openid-configuration";
-      OAUTH_PROVIDER_NAME = "PocketID";
+      OAUTH_WELLKNOWN_URL = "https://${config.homelab.authDomain}/oauth2/openid/karakeep/.well-known/openid-configuration";
+      OAUTH_PROVIDER_NAME = "${config.homelab.domain}";
       NEXTAUTH_URL = "https://karakeep.${config.homelab.domain}";
 
       DISABLE_PASSWORD_AUTH	= "true";
       OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
     };
 
-    environmentFiles = [
-      # put the environment variable NEXTAUTH_SECRET in here
-      # with a randomly generated string. gen with `openssl rand -base64 36`
-      /var/lib/karakeep/nextauth-secret
+    # put OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID in file
+    # https://docs.karakeep.app/configuration/environment-variables#authentication--signup
+    environmentFile = "/media/secrets/karakeep";
+  };
 
-      # https://pocket-id.org/docs/client-examples/hoarder
-      /var/lib/karakeep/oidc
+  systemd.tmpfiles.rules = [
+    "f /media/secrets/karakeep 0400 karakeep karakeep"
   ];
+  
+  fileSystems."/var/lib/karakeep" = {
+    device = "/media/apps/karakeep";
+    options = [ "bind" ];
   };
 
   services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
       reverse_proxy http://localhost:8023
+      import block_non_private_ips
     '';
   };
 }

modules/services/linkding.nix

@@ -0,0 +1,61 @@
+{ config, ... }:
+
+{
+  virtualisation.oci-containers.containers.linkding = {
+    image = "sissbruecker/linkding:latest";
+    ports = [ "9090:9090" ];
+    volumes = [ "/var/lib/linkding/data:/data" ];
+    environmentFiles = [
+      # create superuser account before initially signing in
+      # https://linkding.link/options/#oidc-and-ld_superuser_name
+      # include following environment variables:
+      #   OIDC_RP_CLIENT_SECRET - set to oidc client secret
+      /var/lib/linkding/oidc
+
+    ];
+    environment = {
+      # Can be used to run linkding under a context path, for example: linkding/
+      # Must end with a slash `/`
+      "LD_CONTEXT_PATH"="";
+      # Username of the initial superuser to create, leave empty to not create one
+      "LD_SUPERUSER_NAME"="";
+      # Option to disable background tasks
+      "LD_DISABLE_BACKGROUND_TASKS"="False";
+      # Option to disable URL validation for bookmarks completely
+      "LD_DISABLE_URL_VALIDATION"="False";
+      # List of trusted origins from which to accept POST requests
+      # See docs/Options.md for more details
+      "LD_CSRF_TRUSTED_ORIGINS"="";
+
+      # OIDC
+      "LD_ENABLE_OIDC" = "True";
+      "OIDC_OP_AUTHORIZATION_ENDPOINT"="https://${config.homelab.authDomain}/ui/oauth2";
+      "OIDC_OP_TOKEN_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/token";
+      "OIDC_OP_USER_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/openid/linkding/userinfo";
+      "OIDC_OP_JWKS_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/openid/linkding/public_key.jwk";
+      "OIDC_RP_SIGN_ALGO"="ES256";
+      "OIDC_RP_CLIENT_ID"="linkding";
+
+      # Database settings
+      # These are currently only required for configuring PostreSQL.
+      # By default, linkding uses SQLite for which you don't need to configure anything.
+
+      # Database engine, can be sqlite (default) or postgres
+      "LD_DB_ENGINE"="sqlite";
+      # Database name (default: linkding)
+      "LD_DB_DATABASE"="";
+      # Username to connect to the database server  (default: linkding)
+      "LD_DB_USER"="";
+      # Password to connect to the database server
+      "LD_DB_PASSWORD"="";
+    };
+  };
+
+  services.caddy.virtualHosts."bookmark.${config.homelab.domain}" = {
+    useACMEHost = config.homelab.domain;
+    extraConfig = ''
+      reverse_proxy http://localhost:9090
+      import block_non_private_ips
+    '';
+  };
+}

modules/services/media/arr.nix

@@ -3,83 +3,95 @@
 {
   users.groups.media = {};
 
-  # Finding/Requesting downloading
+  #
+  # Downloading movies
   services.radarr = {
     enable = true;
     openFirewall = false;
-    dataDir = "/var/lib/radarr";
+    dataDir = "/media/apps/radarr";
     group = "media";
   };
 
-  services.sonarr = {
-    enable = true;
-    openFirewall = false;
-    dataDir = "/var/lib/sonarr";
-    group = "media";
-  };
-
-  services.prowlarr = {
-    enable = true;
-    openFirewall = false;
-  };
-
-  services.bazarr = {
-    enable = true;
-    openFirewall = false;
-    group = "media";
-  };
-
-  # Downloading files
-  services.deluge = {
-    enable = true;
-    web.enable = true;
-    web.openFirewall = false;
-    group = "media";
-  };
-
-
-  # Requesting Frontend
-  services.jellyseerr = {
-    enable = true;
-    port = 5055;
-    openFirewall = false;
-    package = pkgs.jellyseerr;
-  };
-
   services.caddy.virtualHosts."radarr.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:7878
+      # For tinyauth
+      reverse_proxy http://localhost:7878 {
+        header_up -X-Forwarded-For
+      }
+      import block_non_private_ips
+      import tinyauth_forwarder *
     '';
   };
+
+  #
+  # Downloading shows
+  services.sonarr = {
+    enable = true;
+    openFirewall = false;
+    dataDir = "/media/apps/sonarr";
+    group = "media";
+  };
+
   services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:8989
+      reverse_proxy http://localhost:8989 {
+        header_up -X-Forwarded-For
+      }
+      import block_non_private_ips
+      import tinyauth_forwarder *
     '';
   };
+
+  #
+  # Managing Torrent sources
+  services.prowlarr = {
+    enable = true;
+    openFirewall = false;
+    dataDir = "/media/apps/prowlarr";
+  };
+
   services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:9696
+      reverse_proxy http://localhost:9696 {
+        header_up -X-Forwarded-For
+      }
+      import tinyauth_forwarder *
+      import block_non_private_ips
     '';
   };
-  services.caddy.virtualHosts."bazarr.${config.homelab.domain}" = {
-    useACMEHost = config.homelab.domain;
-    extraConfig = ''
-      reverse_proxy http://localhost:6767
-    '';
+
+  #
+  # Downloading torrents
+  services.deluge = {
+    enable = true;
+    dataDir = "/media/apps/deluge";
+    web.enable = true;
+    web.openFirewall = false;
+    group = "media";
   };
+
   services.caddy.virtualHosts."deluge.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
-      reverse_proxy http://localhost:8112
+      reverse_proxy http://localhost:8112 {
+        header_up -X-Forwarded-For
+      }
+      import tinyauth_forwarder *
+      import block_non_private_ips
     '';
   };
-  services.caddy.virtualHosts."jellyseer.${config.homelab.domain}" = {
-    useACMEHost = config.homelab.domain;
-    extraConfig = ''
-      reverse_proxy http://localhost:5055
-    '';
+
+  # setup network samba share
+  services.samba.settings = {
+    "media" = {
+      "path" = "/media/media";
+      "valid users" = "@users";
+      "force user" = "nobody";
+      "public" = "no";
+      "read only" = "yes";
+    };
   };
 }

modules/services/media/jellyfin.nix

@@ -6,6 +6,7 @@
     enable = true;
     openFirewall = false;
     group = "media";
+    dataDir = "/media/apps/jellyfin";
   };
 
   users.users.jellyfin.extraGroups = [ "render" "video" ];
@@ -14,6 +15,7 @@
 #    useACMEHost = config.homelab.domain;
     extraConfig = ''
       reverse_proxy http://localhost:8096
+      import block_non_private_ips
     '';
   };
 }

modules/services/miniflux.nix

@@ -10,7 +10,7 @@
     # OAUTH2_CLIENT_ID = "<client ID>";
     # OAUTH2_CLIENT_SECRET = "<client secret>";
     # https://pocket-id.org/docs/client-examples/miniflux/
-    adminCredentialsFile = /var/lib/miniflux/oidc;
+    adminCredentialsFile = /media/secrets/miniflux;
 
     config = {
       LISTEN_ADDR = "0.0.0.0:8021";
@@ -33,7 +33,7 @@
       FILTER_ENTRY_MAX_AGE_DAYS = 1825; # 5 years
 
       FORCE_REFRESH_INTERVAL = 30;
-      POLLING_FREQUENCY = 60;
+      POLLING_FREQUENCY = 180;
 
       OAUTH2_PROVIDER = "oidc";
       OAUTH2_REDIRECT_URL = "https://rss.${config.homelab.domain}/oauth2/oidc/callback";
@@ -44,10 +44,15 @@
     };
   };
 
+  systemd.tmpfiles.rules = [
+    "f /media/secrets/miniflux 0400 root root"
+  ];
+
   services.caddy.virtualHosts."rss.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''
       reverse_proxy http://localhost:8021
+      import block_non_private_ips
     '';
   };
 }

modules/services/pocketid.nix

@@ -19,6 +19,7 @@
     useACMEHost = config.homelab.domain;
     extraConfig = ''
       reverse_proxy http://localhost:8025
+      import block_non_private_ips
     '';
   };
 }

modules/services/samba.nix

@@ -0,0 +1,17 @@
+{ config, ... }:
+
+{
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "${config.networking.hostName}";
+        "netbios name" = "${config.networking.hostName}";
+        "security" = "user";
+      };
+    };
+  };
+}
+

modules/services/ssh.nix

@@ -6,7 +6,6 @@
     enable = true;
     allowSFTP = true;
     openFirewall = true;
-    authorizedKeysInHomedir = false;
     settings = {
       PermitRootLogin = "no";
       PasswordAuthentication = false;

modules/services/uptime-kuma.nix

@@ -9,6 +9,15 @@
     };
   };
 
+  systemd.tmpfiles.rules = [
+    "d /media/apps/uptime-kuma 0700 root root"
+  ];
+  
+  fileSystems."/var/lib/private/uptime-kuma" = {
+    device = "/media/apps/uptime-kuma";
+    options = [ "bind" ];
+  };
+
   services.caddy.virtualHosts."status.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''

modules/shell.nix

@@ -4,8 +4,11 @@
   programs.zsh.enable = true;
   programs.zsh.promptInit = ( builtins.readFile ../stow/.zshrc );
 
+  programs.fish.enable = true;
+
   environment.systemPackages = with pkgs; [
     neovim
+    yazi
     git
     zoxide
     tlrc

modules/users/alex.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ...}:
+
+{
+  users.users.alex = {
+    description = "Alexander";
+    isNormalUser = true;
+    extraGroups = [ ];
+  };
+}

modules/users/nico.nix

@@ -4,10 +4,10 @@
   users.users.nico = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
-    shell = pkgs.zsh;
+    shell = pkgs.fish;
   };
 
   users.users.nico.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzUJnqCpbRxggjyIZo4KWnTyHobPdi/xXkN1/n/yIMD"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFs7CxmkYo58hRm9bGdg7J3500tChjMz/KaDBs0fw975"
   ];
 }

modules/users/rhys.nix

@@ -9,6 +9,6 @@
 
   users.users.rhys.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0Pce0wQKV+wI7rCIiUZgqqkiodTXZ6fMiZezLy9uZk" # laptop
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+HNs1/r4LMQsfpqXhU7396q5zL9hvfcNdiQSUTIl4R" # phone
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmLm9HwZXDbySVupNHPlGMtm6Vwx4nxVp2tsGvuSLUr" # phone
   ];
 }

modules/virtualisation/virt-manager.nix

@@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+  virtualisation.libvirtd.enable = true;
+  programs.virt-manager.enable = true;
+  services.qemuGuest.enable = true;
+  services.spice-vdagentd.enable = true;  # enable copy and paste between host and guest
+}

stow/.config/aerospace/aerospace.toml

@@ -0,0 +1,172 @@
+# You can use it to add commands that run after AeroSpace startup.
+# Available commands : https://nikitabobko.github.io/AeroSpace/commands
+after-startup-command = [
+  'exec-and-forget borders active_color=0xfff74f9e inactive_color=0xffffa8f1 width=6.0',
+  'exec-and-forget sh ~/.cache/matugen-jankyborders.sh',
+  'exec-and-forget sketchybar'
+]
+
+
+# Notify Sketchybar about workspace change
+exec-on-workspace-change = ['/bin/bash', '-c',
+    'sketchybar --trigger aerospace_workspace_change FOCUSED_WORKSPACE=$AEROSPACE_FOCUSED_WORKSPACE'
+]
+
+# Start AeroSpace at login - breaks nix darwin
+start-at-login = false
+
+# Normalizations. See: https://nikitabobko.github.io/AeroSpace/guide#normalization
+enable-normalization-flatten-containers = true
+enable-normalization-opposite-orientation-for-nested-containers = true
+
+# See: https://nikitabobko.github.io/AeroSpace/guide#layouts
+# The 'accordion-padding' specifies the size of accordion padding
+# You can set 0 to disable the padding feature
+accordion-padding = 30
+
+# Possible values: tiles|accordion
+default-root-container-layout = 'tiles'
+
+# Possible values: horizontal|vertical|auto
+# 'auto' means: wide monitor (anything wider than high) gets horizontal orientation,
+#               tall monitor (anything higher than wide) gets vertical orientation
+default-root-container-orientation = 'auto'
+
+# Mouse follows focus when focused monitor changes
+# Drop it from your config, if you don't like this behavior
+# See https://nikitabobko.github.io/AeroSpace/guide#on-focus-changed-callbacks
+# See https://nikitabobko.github.io/AeroSpace/commands#move-mouse
+# Fallback value (if you omit the key): on-focused-monitor-changed = []
+on-focused-monitor-changed = ['move-mouse monitor-lazy-center']
+
+# You can effectively turn off macOS "Hide application" (cmd-h) feature by toggling this flag
+# Useful if you don't use this macOS feature, but accidentally hit cmd-h or cmd-alt-h key
+# Also see: https://nikitabobko.github.io/AeroSpace/goodies#disable-hide-app
+automatically-unhide-macos-hidden-apps = true
+
+# Possible values: (qwerty|dvorak|colemak)
+# See https://nikitabobko.github.io/AeroSpace/guide#key-mapping
+[key-mapping]
+preset = 'qwerty'
+
+# Gaps between windows (inner-*) and between monitor edges (outer-*).
+# Possible values:
+# - Constant:     gaps.outer.top = 8
+# - Per monitor:  gaps.outer.top = [{ monitor.main = 16 }, { monitor."some-pattern" = 32 }, 24]
+#                 In this example, 24 is a default value when there is no match.
+#                 Monitor pattern is the same as for 'workspace-to-monitor-force-assignment'.
+#                 See:
+#                 https://nikitabobko.github.io/AeroSpace/guide#assign-workspaces-to-monitors
+[gaps]
+    inner.horizontal = 12
+    inner.vertical =   12
+    outer.left =       12
+    outer.bottom =     12
+    outer.top =        6
+    outer.right =      12
+
+
+[[on-window-detected]]
+    if.app-id = 'com.objective-see.lulu.app'
+    check-further-callbacks = true
+    run = 'layout floating'
+
+[mode.main.binding]
+# All possible keys:
+# - Letters.        a, b, c, ..., z
+# - Numbers.        0, 1, 2, ..., 9
+# - Keypad numbers. keypad0, keypad1, keypad2, ..., keypad9
+# - F-keys.         f1, f2, ..., f20
+# - Special keys.   minus, equal, period, comma, slash, backslash, quote, semicolon,
+#                   backtick, leftSquareBracket, rightSquareBracket, space, enter, esc,
+#                   backspace, tab, pageUp, pageDown, home, end, forwardDelete,
+#                   sectionSign (ISO keyboards only, european keyboards only)
+# - Keypad special. keypadClear, keypadDecimalMark, keypadDivide, keypadEnter, keypadEqual,
+#                   keypadMinus, keypadMultiply, keypadPlus
+# - Arrows.         left, down, up, right
+
+# All possible modifiers: cmd, alt, ctrl, shift
+# All possible commands: https://nikitabobko.github.io/AeroSpace/commands
+
+# App keybinds
+alt-shift-f = 'exec-and-forget open ~'
+alt-shift-b = 'exec-and-forget /Applications/Zen.app/Contents/MacOS/zen --new-window'
+alt-s       = 'exec-and-forget screencapture -i -c'
+
+alt-shift-w       = 'exec-and-forget $HOME/.config/aerospace/toggle-tiling.sh off'
+
+# Layout
+# See: https://nikitabobko.github.io/AeroSpace/commands#layout
+alt-c = 'layout tiles horizontal vertical'
+alt-comma = 'layout accordion horizontal vertical'
+alt-space = 'layout floating tiling'
+alt-f = 'fullscreen'
+
+# Moving Focus
+# See: https://nikitabobko.github.io/AeroSpace/commands#focus
+alt-h = 'focus left'
+alt-j = 'focus down'
+alt-k = 'focus up'
+alt-l = 'focus right'
+
+# Moving windows
+# See: https://nikitabobko.github.io/AeroSpace/commands#move
+alt-shift-h = 'move left'
+alt-shift-j = 'move down'
+alt-shift-k = 'move up'
+alt-shift-l = 'move right'
+
+alt-ctrl-h = 'join-with left'
+alt-ctrl-j = 'join-with down'
+alt-ctrl-k = 'join-with up'
+alt-ctrl-l = 'join-with right'
+
+
+# Resizing Windows
+# See: https://nikitabobko.github.io/AeroSpace/commands#resize
+alt-minus = 'resize smart -50'
+alt-equal = 'resize smart +50'
+
+# See: https://nikitabobko.github.io/AeroSpace/commands#workspace
+alt-1 = 'workspace 1'
+alt-2 = 'workspace 2'
+alt-3 = 'workspace 3'
+alt-4 = 'workspace 4'
+alt-5 = 'workspace 5'
+alt-6 = 'workspace 6'
+alt-7 = 'workspace 7'
+alt-8 = 'workspace 8'
+alt-9 = 'workspace 9'
+
+# See: https://nikitabobko.github.io/AeroSpace/commands#move-node-to-workspace
+alt-shift-1 = 'move-node-to-workspace --focus-follows-window 1'
+alt-shift-2 = 'move-node-to-workspace --focus-follows-window 2'
+alt-shift-3 = 'move-node-to-workspace --focus-follows-window 3'
+alt-shift-4 = 'move-node-to-workspace --focus-follows-window 4'
+alt-shift-5 = 'move-node-to-workspace --focus-follows-window 5'
+alt-shift-6 = 'move-node-to-workspace --focus-follows-window 6'
+alt-shift-7 = 'move-node-to-workspace --focus-follows-window 7'
+alt-shift-8 = 'move-node-to-workspace --focus-follows-window 8'
+alt-shift-9 = 'move-node-to-workspace --focus-follows-window 9'
+
+# See: https://nikitabobko.github.io/AeroSpace/commands#workspace-back-and-forth
+alt-tab = 'workspace-back-and-forth'
+
+
+# See: https://nikitabobko.github.io/AeroSpace/commands#mode
+# See: https://nikitabobko.github.io/AeroSpace/guide#binding-modes
+alt-shift-semicolon = 'mode service'
+[mode.service.binding]
+esc = ['reload-config', 'mode main']
+r = ['flatten-workspace-tree', 'mode main'] # reset layout
+f = ['layout floating tiling', 'mode main'] # Toggle between floating and tiling layout
+backspace = ['close-all-windows-but-current', 'mode main']
+
+alt-shift-h = ['join-with left', 'mode main']
+alt-shift-j = ['join-with down', 'mode main']
+alt-shift-k = ['join-with up', 'mode main']
+alt-shift-l = ['join-with right', 'mode main']
+
+down = 'volume down'
+up = 'volume up'
+shift-down = ['volume set 0', 'mode main']

stow/.config/aerospace/toggle-tiling.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+disableTiling () { 
+  defaults write com.apple.dock orientation bottom
+  defaults write com.apple.dock autohide -bool FALSE
+  defaults write com.apple.finder CreateDesktop true
+
+  killall Finder Dock sketchybar borders
+
+  aerospace enable off # fails when script called from aerospace directly, bin not in path
+  /run/current-system/sw/bin/aerospace enable off
+
+  osascript -e 'tell application "System Events"
+    tell dock preferences
+        set properties to {autohide menu bar:false, autohide:false}
+    end tell
+  end tell' -e 'tell application "System Events" to set visible of (every application process whose visible is true and name is not "Finder") to false'
+}
+
+enableTiling () { 
+  aerospace enable on
+  sketchybar & disown
+  sh ~/.cache/matugen-jankyborders.sh & disown
+
+  defaults write com.apple.dock orientation right
+  defaults write com.apple.dock autohide -bool FALSE
+  defaults write com.apple.finder CreateDesktop false
+  killall Dock Finder
+
+  osascript -e '
+  tell application "System Events"
+      tell dock preferences
+          set properties to {autohide menu bar:true, autohide:true}
+      end tell
+  end tell
+'
+}
+
+if [ "$1" = "on" ]; then
+  enableTiling
+elif [ "$1" = "off" ]; then
+  disableTiling
+else
+  echo "$0: [on|off]"
+fi

stow/.config/fastfetch/ascii.txt

@@ -1,19 +0,0 @@
-$4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀$3⡀$4  ⡣⠨⡂⠄⠠⠠⠠⡀⡂⠄⠄⠄⢄⢀⢀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠀⠀⠀⠀⠀⢀⠠⠨ $3⡡$4⢪⠂⡃⠔⡨⠨⡨⠨⡐⠌⠌⢌⠊⠔⡐⡐⡡⢂⢑⢐⠄⠠⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠀⠄⠄⢆⠁⡀⠨⠨⡐⡐$3⢅$4⠊⠄⠕⡐⠡⡂⡑⠄⢅⠅⠕⡨⢈⢂⢂⠢⢂⠅⡂⡪⠨$3⡀$4⠂⠠⠀⢠⠠⢒⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠀⠀⠀⡠⠊⢄⠅⢅⢂⠎⡐$3⡡$4⢑⠡⠊⢔⠐⡌⢌⢂⠪⢐⠌⠔⡐⡡⠨⠂⠌⡂⡂$3⠅$4⢌⠢⠐⠐⠣⡘⣸⢈⠢⠐⠀⠀⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠀⠠⢁⠢⡡⠡⢊⢐⠔⡡⢂$3⠊$4⠔⡨⢌⢂⠕⡨⠐⠄⢕⢐⠜⠌⠔⡐⡡⠕⠡⠠$3⠠$4⡈⢀⠈⢀⠐⠈⠄⡇⠢⡡⢑⠒⠐⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠠⡁⡪⢐⠌⢌⢂⢆⡇⡢⢂⠕⡁⡪⢂⢢⢑⢐⠅⡕⠕⠁⢕⠡⢑⢐⠒⢱⠡⢑$3⠡$4⠨⢂⠌⠢⢐⠄⠘⡌⢌⢂⠅⢪⢀⠀⠀⠀⠀⠀⠀
-$4⠀⠀⡢⢊⠔⢡⠪⡐⠔⡮⣺⢐⢐⠌⠔⠅⠕⢕⢐⢅$1⠘⠁⡀⠂$4⡇⠌⡂⠎$1⡀$4⡌⢌⢂⠅$3⠕$4⠡⠨⢊⠔⡈⡂⡰⢐⢐⠅⠅⡀⠁⠄⠀⠀⠀⠀
-$4⠀⢐⠌⡂⢮⡫⢂⠪⡰⣝⢮⡣⢂⠅⢍⠈⡰$2⣖⣵⡗⠣$1⠁$4⢀⠀⠇⠅⡊$1⢀⠁⠀$4⠒⡰⡈⣎⢌⢊⠔⢔⠨⡐⢵⡐⡡⠨⡊⡀⠀⠀⠀⠀⠀⠀
-$4⠀⠕⠌⠂⢸⠐⢅⢊⠎⠊⡗⣱⢐⠡⡂⣜⠁$2⣜⢷⣳⢂$1⠐$4⠀⠠⠨$1⠈⡀⢀$2⠨⣫⣖⢦$4⢊⢨⢂⢂⠇⢅⠊⢜⡮⡺⡌⢌⡖⡐⠀⠀⠀⠀⠀⠀
-$4⠈⠈⠀⠀⠆⢕⠡⢢⠀⠸⢨⢚⢄⢑$1⠠⠐⠀$2⠣⣱⠑⠀$1⠄⠈⠀⠄⠂⠀⡀$2⢰⣗⣧⡉⢧$4⢐⠢⢭⠃⢅⢊⢇⠫⡫$5⡎⡢⢏⢆⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠀⠀⢕⠡⢊⢮⡂⠀⢊⠪⡢⢢$1⠀⠄⠂⢀⠀⠄⠁⡀⢈⠀⠄⠐⠀⡀$2⢇⠗⡵⠁⢵⠀$4⡽⣱⠡⡑⡌⠆⡆$5⠫⡎⡄⢸⡐⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠀⠀⡃⡊⡢⡗⠀⠀⠀⠀⢂⢕$1⠀⠄⠂⠀⠄⠐⠀⡀⠠⠀⠆⢀⠁⢀⠀⠡⠀⠄⠂$4⡸⡝⡮$5⡂⡲⠘⠈⠁⠘⠑⢀⢠⠇⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠀⠀⢐⢑⠜⠀⠀⠀⠀⠀⠀⠂$1⠈⠠⢀⢁⠀⠂⠁⢀⠠⠐⡀⠄⠐⠀⡀⢁⠐⠀⢢$4⡫⡳$5⡱⡈$3⢀⢄⠅$5⠀⠠⠀⠀⠈⠠⠀⠀⠀⠀⠀⠀
-$4⠀⠀⠀⠀⠀⢅⠅⠀⠀⠀⠀⠀⠀⠀$1⠀⠀⠀⠀⠂⣄⡁⡀⠄⠂⢀⠠⠐⠀⢄⢠⡰⡸$4⣜⠮$5⡃⡆⠀⠀$3⠁⠁$5⠀⢀⠀⠈⢀⠀⠁⠀⠄⠠⠀⡀
-$5⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⡖⡌⢣⡒⡖⡆⡎⡏⡍⠔      $5⣅⠀⠈⠀⠐⡈⠀⠀$3⠸⣪$5⠀⢠⠉⢪⠪⡱⠐
-$6⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⠀⠄⠀$6⡀⣄⣼⣿⣿⡌⡆⡣⢣⡱⡣⢣⠩⡊⢆⢑⠌⢀⠝⡌$5⠌⢇⢧⢓⢄⠁⠀⠀⡀⠠⠀⠀⡀⢨⢊⠈⠀⠀⠀
-$6⠀⠀⠀⠀⠀⠀⠀⠀⠠⠁⠀⠠⠀$6⢮⣟⣔⢮⣖⢽$7⣝⢮⡢⡓⢜⣜⢮$6⢬⣀⢶⠀⠈⠑⡀⠂⢱⠁$5⡔⢔⢑⢄⢅⢀⡀⠠⡠⠐⠁⠁⠁⠀⠀⠀
-$6⠀⠀⠀⠀⠀⠀⠀⠠⠁⡀⠈⡀⠀$6⣟⣞⣞⢞⡮$7⡷⡽$8⣿⣿⣿⣿⣿$7⡽⣕$6⢷⢝⣖⡌⠀⠀⠠⠁⠠$5⠨⠢⠃⠑⠨⠢⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-$6⠀⠀⠀⠀⠀⠀⣠⣡⣾⡀⠄⠐⠀$6⢗⡷⣝⣗$7⡯⡯$8⣿⣿⣿⣿⣿⣿⣿$7⢽⢽$6⣕⣗⠀⠄⠈⢀⠀⠡⠀⠅⠀⡢⠀⢨⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

stow/.config/fastfetch/config.jsonc

@@ -1,32 +1,8 @@
 {
-    "logo": {
-        "source": "$HOME/.config/fastfetch/ascii.txt",
-        "padding": {
-            "top": 2,
-            "right": 6
-        },
-        "color": {
-          "1": "38;5;231", // skin
-          "4": "38;5;217", // hair
-          "2": "38;5;206", // eyes
-          "3": "38;5;196", // hair tie
-          "5": "38;5;15", // kyubey
-          "6": "38;5;212", // clothes
-          "7": "38;5;241", // gem border
-          "8": "38;5;219", // gem inside
-          "9": "white",
-        },
-    },
     "display": {
         "separator": " ",
-        "color": {
-          "title": "38;5;206",
-          "keys":  "38;5;219",
-        },
     },
     "modules": [
-        "break",
-        "break",
         {
             "type": "title",
             "keyWidth": 10,
@@ -41,8 +17,12 @@
             "key": " ",
         },
         {
-            "type": "packages",
-            "key": " ",
+            "type": "wm",
+            "key": " ",
+        },
+        {
+            "type": "shell",
+            "key": " ",
         },
         "break",
         {
@@ -59,27 +39,18 @@
         },
         "break",
         {
-            "type": "shell",
-            "key": " ",
-        },
-        {
-            "type": "terminal",
-            "key": " ",
-        },
-        {
-            "type": "wm",
-            "key": " ",
-        },
-        {
-            "type": "uptime",
-            "key": " ",
+            "type": "packages",
+            "key": " ",
         },
         {
             "type": "media",
             "key": "󰝚 ",
         },
+        {
+            "type": "uptime",
+            "key": " ",
+        },
         "break",
-        "colors",
-        "break",
+        "colors"
     ]
 }

stow/.config/fish/.gitignore

@@ -0,0 +1 @@
+fish_variables

stow/.config/fish/config.fish

@@ -0,0 +1,92 @@
+if status is-interactive
+  # Commands to run in interactive sessions can go here
+
+
+  #
+  # shell prompt 
+  #
+
+  # match prompt symbol to OS logo
+  if test -e /etc/os-release
+    posix-source /etc/os-release
+  end
+
+  if test -e /System
+    set os_icon ""
+    eval "$(/opt/homebrew/bin/brew shellenv)"
+  else if [ "$ID" = "nixos" ]
+    set os_icon ""
+  else if [ "$ID" = "debian" ]
+    set os_icon ""
+  else if [ "$ID" = "fedora" ]
+    set os_icon ""
+  else if [ "$ID" = "arch" ]
+    set os_icon "󰣇"
+  else
+    set os_icon "\$"
+  end
+
+  # set prompt colours
+  if test -e ~/.cache/zsh_colours.sh
+    posix-source-universal (string replace -fra "{|}|#|\"" "" (cat ~/.cache/zsh_colours.sh) | psub)
+  else
+    set -Ux PRIMARY_COLOUR blue
+    set -Ux SECONDARY_COLOUR purple
+  end
+
+
+  # construct final prompt
+  function fish_prompt
+    # turn os_icon red if an error occurs
+    set -l prompt_icon
+    if test $status -ne 0
+      set prompt_icon (set_color red)"$os_icon"(set_color normal)
+    else
+      set prompt_icon "$os_icon"
+    end
+
+    # set ssh status
+    set -l ssh_status
+    if set -q SSH_CONNECTION
+      set ssh_status (prompt_login)
+    end
+
+    # concatenate $HOME to a ~ eg. /home/user to ~
+    set shorten_path (string replace -r "^$HOME" "~" "$PWD")
+
+    echo (set_color $PRIMARY_COLOUR)$shorten_path $ssh_status (set_color $SECONDARY_COLOUR)$prompt_icon (set_color normal) 
+  end
+
+  #
+  # shell intergration
+  #
+
+  zoxide init fish | source
+
+  #
+  # environment variables
+  #
+
+  set -gx EDITOR nvim
+  set fish_greeting ""
+  set HOMEBREW_AUTO_UPDATE_SECS 86400
+
+  # xdg variables
+  set -gx XDG_CONFIG_HOME "$HOME/.config"      # config
+  set -gx XDG_CACHE_HOME "$HOME/.cache"        # cache
+  set -gx XDG_DATA_HOME "$HOME/.local/share"  # data files eg. /usr/share
+  set -gx XDG_STATE_HOME "$HOME/.local/state"  # state files eg. /var/lib
+
+  # make apps use XDG folders
+  set -gx PYTHON_HISTORY "$XDG_STATE_HOME"/python_history
+  set -gx PYTHONPYCACHEPREFIX "$XDG_CACHE_HOME"/python
+  set -gx PYTHONUSERBASE "$XDG_DATA_HOME"/python
+  set -gx GOPATH "$XDG_STATE_HOME"/go
+  set -gx GOMODCACHE "$XDG_CACHE_HOME"/go/mod
+  set -gx NPM_CONFIG_USERCONFIG "$XDG_CONFIG_HOME"/npm/npmrc
+
+  function wget --wraps=wget
+    wget --hsts-file="$XDG_STATE_HOME/wget-hsts" $argv
+  end
+
+end

stow/.config/fish/functions/cat.fish

@@ -0,0 +1,4 @@
+function cat --wraps=bat --description 'alias cat bat'
+  bat $argv
+        
+end

stow/.config/fish/functions/ff.fish

@@ -0,0 +1,4 @@
+function ff --wraps=fastfetch --description 'alias ff=fastfetch'
+  fastfetch $argv
+        
+end

stow/.config/fish/functions/ga.fish

@@ -0,0 +1,4 @@
+function ga --wraps='git add' --description 'alias ga=git add'
+  git add $argv
+        
+end

stow/.config/fish/functions/gc.fish

@@ -0,0 +1,4 @@
+function gc --wraps='git commit' --description 'alias gc=git commit'
+  git commit $argv
+        
+end

stow/.config/fish/functions/glo.fish

@@ -0,0 +1,4 @@
+function glo --wraps='git log' --description 'alias glo=git log'
+  git log $argv
+        
+end

stow/.config/fish/functions/gph.fish

@@ -0,0 +1,4 @@
+function gph --wraps='git push' --description 'alias gph=git push'
+  git push $argv
+        
+end

stow/.config/fish/functions/gpl.fish

@@ -0,0 +1,4 @@
+function gpl --wraps='git pull' --description 'alias gpl=git pull'
+  git pull $argv
+        
+end

stow/.config/fish/functions/gs.fish

@@ -0,0 +1,4 @@
+function gs --wraps='git status' --description 'alias gs=git status'
+  git status $argv
+        
+end

stow/.config/fish/functions/la.fish

@@ -0,0 +1,4 @@
+function la --wraps='ls -ah --color=auto' --description 'alias la=ls -ah --color=auto'
+  ls -ah --color=auto $argv
+        
+end

stow/.config/fish/functions/ll.fish

@@ -0,0 +1,4 @@
+function ll --wraps='ls -l' --wraps='ls -ahl --color=auto' --description 'alias ll=ls -ahl --color=auto'
+  ls -ahl --color=auto $argv
+        
+end

stow/.config/fish/functions/ls.fish

@@ -0,0 +1,4 @@
+function ls --description 'alias ls=ls -h --color=auto'
+ command ls -h --color=auto $argv
+        
+end

stow/.config/fish/functions/posix-source-universal.fish

@@ -0,0 +1,6 @@
+function posix-source-universal
+	for i in (cat $argv)
+		set arr (echo $i |tr = \n)
+  		set -Ux $arr[1] $arr[2]
+	end
+end

stow/.config/fish/functions/posix-source.fish

@@ -0,0 +1,6 @@
+function posix-source
+	for i in (cat $argv)
+		set arr (echo $i |tr = \n)
+  		set -gx $arr[1] $arr[2]
+	end
+end

stow/.config/fish/functions/rm.fish

@@ -0,0 +1,4 @@
+function rm --wraps=trash --description 'alias rm trash'
+  trash $argv
+
+end

stow/.config/fish/functions/v.fish

@@ -0,0 +1,4 @@
+function v --wraps=nvim --description 'alias v nvim'
+  nvim $argv
+        
+end

stow/.config/fish/functions/vi.fish

@@ -0,0 +1,4 @@
+function vi --wraps=nvim --description 'alias vi nvim'
+  nvim $argv
+        
+end