attempt to use pkgs for unfree predicate

still not working

apps/default.nix

@@ -1,45 +1,19 @@
 { pkgs, ... }: rec {
 
-  default = {
-    type = "app";
-    program = builtins.toString (pkgs.writeShellScript "default" ''
-      ${pkgs.gum}/bin/gum style --margin "1 2" --padding "0 2" --foreground "15" --background "55" "Options"
-      ${pkgs.gum}/bin/gum format --type=template -- '  {{ Italic "Run with" }} {{ Color "15" "69" " nix run github:nmasur/dotfiles#" }}{{ Color "15" "62" "someoption" }}{{ Color "15" "69" " " }}.'
-      echo ""
-      echo ""
-      ${pkgs.gum}/bin/gum format --type=template -- \
-          '  • {{ Color "15" "57" " readme " }} {{ Italic "Documentation for this repository." }}' \
-          '  • {{ Color "15" "57" " rebuild " }} {{ Italic "Switch to this configuration." }}' \
-          '  • {{ Color "15" "57" " installer " }} {{ Italic "Format and install from nothing." }}' \
-          '  • {{ Color "15" "57" " neovim " }} {{ Italic "Test out the Neovim package." }}' \
-          '  • {{ Color "15" "57" " loadkey " }} {{ Italic "Load an ssh key for this machine using melt." }}' \
-          '  • {{ Color "15" "57" " encrypt-secret " }} {{ Italic "Encrypt a secret for all machines." }}' \
-          '  • {{ Color "15" "57" " reencrypt-secrets " }} {{ Italic "Reencrypt all secrets when new machine is added." }}' \
-          '  • {{ Color "15" "57" " netdata " }} {{ Italic "Connect a machine to Netdata cloud." }}'
-      echo ""
-      echo ""
-    '');
-  };
+  # Show quick helper
+  default = import ./help.nix { inherit pkgs; };
 
-  # Format and install from nothing
+  # Format primary disk
+  format-root = import ./format-root.nix { inherit pkgs; };
+
+  # Format and install from nothing (deprecated)
   installer = import ./installer.nix { inherit pkgs; };
 
   # Display the readme for this repository
   readme = import ./readme.nix { inherit pkgs; };
 
   # Rebuild
-  rebuild = {
-    type = "app";
-    program = builtins.toString (pkgs.writeShellScript "rebuild" ''
-      echo ${pkgs.system}
-      SYSTEM=${if pkgs.stdenv.isDarwin then "darwin" else "linux"}
-      if [ "$SYSTEM" == "darwin" ]; then
-          darwin-rebuild switch --flake github:nmasur/dotfiles#lookingglass
-      else
-          nixos-rebuild switch --flake github:nmasur/dotfiles
-      fi
-    '');
-  };
+  rebuild = import ./rebuild.nix { inherit pkgs; };
 
   # Load the SSH key for this machine
   loadkey = import ./loadkey.nix { inherit pkgs; };
@@ -54,17 +28,7 @@
   netdata = import ./netdata-cloud.nix { inherit pkgs; };
 
   # Run neovim as an app
-  neovim = {
-    type = "app";
-    program = "${
-        (import ../modules/common/neovim/package {
-          inherit pkgs;
-          colors =
-            import ../colorscheme/gruvbox/neovim-gruvbox.nix { inherit pkgs; };
-        })
-      }/bin/nvim";
-  };
-
+  neovim = import ./neovim.nix { inherit pkgs; };
   nvim = neovim;
 
 }

apps/format-root.nix

@@ -0,0 +1,39 @@
+{ pkgs, ... }: {
+
+  # This script will partition and format drives; use at your own risk!
+
+  type = "app";
+
+  program = builtins.toString (pkgs.writeShellScript "format-root" ''
+    set -e
+
+    DISK=$1
+
+    if [ -z "''${DISK}" ]; then
+        ${pkgs.gum}/bin/gum style --width 50 --margin "1 2" --padding "2 4" \
+            --foreground "#fb4934" \
+            "Missing required parameter." \
+            "Usage: format-root -- <disk>" \
+            "Flake example: nix run github:nmasur/dotfiles#format-root -- nvme0n1"
+        echo "(exiting)"
+        exit 1
+    fi
+
+    ${pkgs.disko-packaged}/bin/disko \
+        --mode create \
+        --dry-run \
+        --flake "path:$(pwd)#root" \
+        --arg disk \""/dev/''${DISK}"\"
+
+    ${pkgs.gum}/bin/gum confirm \
+        "This will ERASE ALL DATA on the disk /dev/''${DISK}. Are you sure you want to continue?" \
+        --default=false
+
+    ${pkgs.disko-packaged}/bin/disko \
+        --mode create \
+        --flake "path:$(pwd)#root" \
+        --arg disk "/dev/''${DISK}"
+
+  '');
+
+}

apps/help.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }: {
+
+  type = "app";
+
+  program = builtins.toString (pkgs.writeShellScript "default" ''
+    ${pkgs.gum}/bin/gum style --margin "1 2" --padding "0 2" --foreground "15" --background "55" "Options"
+    ${pkgs.gum}/bin/gum format --type=template -- '  {{ Italic "Run with" }} {{ Color "15" "69" " nix run github:nmasur/dotfiles#" }}{{ Color "15" "62" "someoption" }}{{ Color "15" "69" " " }}.'
+    echo ""
+    echo ""
+    ${pkgs.gum}/bin/gum format --type=template -- \
+        '  • {{ Color "15" "57" " readme " }} {{ Italic "Documentation for this repository." }}' \
+        '  • {{ Color "15" "57" " rebuild " }} {{ Italic "Switch to this configuration." }}' \
+        '  • {{ Color "15" "57" " installer " }} {{ Italic "Format and install from nothing." }}' \
+        '  • {{ Color "15" "57" " neovim " }} {{ Italic "Test out the Neovim package." }}' \
+        '  • {{ Color "15" "57" " loadkey " }} {{ Italic "Load an ssh key for this machine using melt." }}' \
+        '  • {{ Color "15" "57" " encrypt-secret " }} {{ Italic "Encrypt a secret for all machines." }}' \
+        '  • {{ Color "15" "57" " reencrypt-secrets " }} {{ Italic "Reencrypt all secrets when new machine is added." }}' \
+        '  • {{ Color "15" "57" " netdata " }} {{ Italic "Connect a machine to Netdata cloud." }}'
+    echo ""
+    echo ""
+  '');
+
+}

apps/neovim.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+
+  type = "app";
+
+  program = "${
+      (import ../modules/common/neovim/package {
+        inherit pkgs;
+        colors =
+          import ../colorscheme/gruvbox/neovim-gruvbox.nix { inherit pkgs; };
+      })
+    }/bin/nvim";
+
+}

apps/rebuild.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }: {
+
+  type = "app";
+
+  program = builtins.toString (pkgs.writeShellScript "rebuild" ''
+    echo ${pkgs.system}
+    SYSTEM=${if pkgs.stdenv.isDarwin then "darwin" else "linux"}
+    if [ "$SYSTEM" == "darwin" ]; then
+        darwin-rebuild switch --flake github:nmasur/dotfiles#lookingglass
+    else
+        nixos-rebuild switch --flake github:nmasur/dotfiles
+    fi
+  '');
+
+}

disks/root.nix

@@ -0,0 +1,44 @@
+{ disk, ... }: {
+  disk = {
+    boot = {
+      type = "disk";
+      device = disk;
+      content = {
+        type = "table";
+        format = "gpt";
+        partitions = [
+          # Boot partition
+          {
+            type = "partition";
+            name = "ESP";
+            start = "0";
+            end = "512MiB";
+            fs-type = "fat32";
+            bootable = true;
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              extraArgs = [ "-n boot" ];
+            };
+          }
+          # Root partition ext4
+          {
+            type = "partition";
+            name = "root";
+            start = "512MiB";
+            end = "100%";
+            part-type = "primary";
+            bootable = true;
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              extraArgs = [ "-L nixos" ];
+            };
+          }
+        ];
+      };
+    };
+  };
+}

disks/zfs.nix

@@ -0,0 +1,95 @@
+{ pool, disks, ... }: {
+  disk = lib.genAttrs disks (disk: {
+    "${disk}" = {
+      type = "disk";
+      device = "/dev/${disk}";
+      content = {
+        type = "table";
+        format = "gpt";
+        partitions = [{
+          type = "partition";
+          name = "zfs";
+          start = "128MiB";
+          end = "100%";
+          content = {
+            type = "zfs";
+            pool = pool;
+          };
+        }];
+      };
+    };
+  });
+  zpool = {
+    "${pool}" = {
+      type = "zpool";
+      mode = "raidz1";
+      rootFsOptions = {
+        compression = "on"; # lz4 by default
+        "com.sun:auto-snapshot" = "false";
+        ashift = "12";
+      };
+      # mountpoint = "/";
+
+      datasets = {
+        root = {
+          zfs_type = "filesystem";
+          mountpoint = null;
+          options."com.sun:auto-snapshot" = "false";
+        };
+        # "media/movies" = {
+        #   zfs_type = "filesystem";
+        #   mountpoint = "/media/movies";
+        #   options.recordsize = "1M";
+        # };
+        # "media/tv" = {
+        #   zfs_type = "filesystem";
+        #   mountpoint = "/media/tv";
+        #   options.recordsize = "1M";
+        # };
+        # "media/books" = {
+        #   zfs_type = "filesystem";
+        #   mountpoint = "/media/books";
+        # };
+        # archive = {
+        #   zfs_type = "filesystem";
+        #   mountpoint = "/archive";
+        #   options.compression = "zstd";
+        #   options."com.sun:auto-snapshot" = "true";
+        # };
+        # zfs_unmounted_fs = {
+        #   zfs_type = "filesystem";
+        #   options.mountpoint = "none";
+        # };
+        # zfs_legacy_fs = {
+        #   zfs_type = "filesystem";
+        #   options.mountpoint = "legacy";
+        #   mountpoint = "/zfs_legacy_fs";
+        # };
+        # zfs_testvolume = {
+        #   zfs_type = "volume";
+        #   size = "10M";
+        #   content = {
+        #     type = "filesystem";
+        #     format = "ext4";
+        #     mountpoint = "/ext4onzfs";
+        #   };
+        # };
+        # encrypted = {
+        #   zfs_type = "filesystem";
+        #   size = "20M";
+        #   options = {
+        #     mountpoint = "none";
+        #     encryption = "aes-256-gcm";
+        #     keyformat = "passphrase";
+        #     keylocation = "file:///tmp/secret.key";
+        #   };
+        # };
+        # "encrypted/test" = {
+        #   zfs_type = "filesystem";
+        #   size = "2M";
+        #   mountpoint = "/zfs_crypted";
+        # };
+      };
+    };
+  };
+}

docs/restore-calibre.md

@@ -0,0 +1,23 @@
+# Restoring Calibre From Backup
+
+The `metadata.db` holds the library and `app.db` and `gdrive.db` contain the
+web/account information.
+
+Place books directories in `/data/books/`.
+
+Place `metadata.db` in `/var/lib/calibre-web-db/`.
+
+Symlink `metadata.db` to the library:
+
+```
+sudo ln -s /var/lib/calibre-web-db/metadata.db /data/books/metadata.db
+```
+
+Place `app.db` and `gdrive.db` in `/var/lib/calibre-web/`.
+
+Restart Calibre:
+
+```
+sudo systemctl restart calibre-web.service
+```
+

docs/restore-nextcloud.md

@@ -0,0 +1,43 @@
+# Restoring Nextcloud From Backup
+
+Install the `litestream` package.
+
+```
+nix-shell --run fish -p litestream
+```
+
+Set the S3 credentials:
+
+```
+set -x AWS_ACCESS_KEY_ID (read)
+set -x AWS_SECRET_ACCESS_KEY (read)
+```
+
+Restore from S3:
+
+```
+litestream restore -o nextcloud.db s3://noahmasur-backup.s3.us-west-002.backblazeb2.com/nextcloud
+```
+
+Install Nextcloud. Then copy DB:
+
+```
+sudo rm /data/nextcloud/data/nextcloud.db*
+sudo mv nextcloud.db /data/nextcloud/data/
+sudo chown nextcloud:nextcloud /data/nextcloud/data/nextcloud.db
+sudo chmod 770 /data/nextcloud/data/nextcloud.db
+```
+
+Restart Nextcloud:
+
+```
+sudo systemctl restart phpfpm-nextcloud.service
+```
+
+Adjust Permissions and Directories:
+
+```
+sudo mkdir /data/nextcloud/data/noah/files
+sudo chown nextcloud:nextcloud /data/nextcloud/data/noah/files
+```
+

flake.lock

@@ -69,16 +69,36 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1677116397,
+        "narHash": "sha256-2OHwhv4k1SDEuNxhq+zluvrd5pbW8d4TP9NKW4B8iO8=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "8fddb2fd721365fa77ff68b709539639d4dc65d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "firefox-darwin": {
       "inputs": {
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1675471726,
-        "narHash": "sha256-526iHwidfdtZZ7aAU9od1/zbyfSFBEailBTet+Gvfqg=",
+        "lastModified": 1676854489,
+        "narHash": "sha256-hWmx3JFLNPGMtflyjgEn5GZydbLW3msjXvarS1NsBDM=",
         "owner": "bandithedoge",
         "repo": "nixpkgs-firefox-darwin",
-        "rev": "813d55a3e3b3c0423eb5d1fcb4bf82197c9f7796",
+        "rev": "6a5cca0ea8dfab4718e1e43e243c80ba110c2364",
         "type": "github"
       },
       "original": {
@@ -156,11 +176,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1675935446,
-        "narHash": "sha256-WajulTn7QdwC7QuXRBavrANuIXE5z+08EdxdRw1qsNs=",
+        "lastModified": 1678271387,
+        "narHash": "sha256-H2dv/i1LRlunRtrESirELzfPWdlG/6ElDB1ksO529H4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2dce7f1a55e785a22d61668516df62899278c9e4",
+        "rev": "36999b8d19eb6eebb41983ef017d7e0095316af2",
         "type": "github"
       },
       "original": {
@@ -281,11 +301,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1676973346,
-        "narHash": "sha256-rft8oGMocTAhUVqG3LW6I8K/Fo9ICGmNjRqaWTJwav0=",
+        "lastModified": 1676885936,
+        "narHash": "sha256-ZRKb6zBfTvdCOXI7nGC1L9UWSU5ay2ltxg+f5UIzBOU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d0d55259081f0b97c828f38559cad899d351cad1",
+        "rev": "b69883faca9542d135fa6bab7928ff1b233c167f",
         "type": "github"
       },
       "original": {
@@ -396,6 +416,7 @@
         "bufferline-nvim-src": "bufferline-nvim-src",
         "cmp-nvim-lsp-src": "cmp-nvim-lsp-src",
         "darwin": "darwin",
+        "disko": "disko",
         "firefox-darwin": "firefox-darwin",
         "home-manager": "home-manager",
         "nil": "nil",
@@ -489,11 +510,11 @@
     },
     "utils": {
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
         "type": "github"
       },
       "original": {

flake.nix

@@ -29,6 +29,12 @@
     # Use official Firefox binary for macOS
     firefox-darwin.url = "github:bandithedoge/nixpkgs-firefox-darwin";
 
+    # Manage disk format and partitioning
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     # Wallpapers
     wallpapers = {
       url = "gitlab:exorcist365/wallpapers";
@@ -146,6 +152,9 @@
           darwinConfigurations.lookingglass.config.home-manager.users."Noah.Masur".home;
       };
 
+      # Disk formatting
+      diskoConfigurations = { root = import ./disks/root.nix; };
+
       # Package servers into images with a generator
       packages = forAllSystems (system: {
 
@@ -170,7 +179,15 @@
       });
 
       apps = forAllSystems (system:
-        let pkgs = import nixpkgs { inherit system overlays; };
+        let
+          pkgs = import nixpkgs {
+            inherit system;
+            overlays = overlays ++ [
+              (final: prev: {
+                disko-packaged = inputs.disko.packages.${system}.disko;
+              })
+            ];
+          };
         in import ./apps { inherit pkgs; });
 
       devShells = forAllSystems (system:

generators/staff/default.nix

@@ -1,7 +1,7 @@
 # The Staff
 # ISO configuration for my USB drive
 
-{ inputs, system, ... }:
+{ inputs, system, overlays, ... }:
 
 with inputs;
 
@@ -9,9 +9,39 @@ nixos-generators.nixosGenerate {
   inherit system;
   format = "install-iso";
   modules = [{
+    nixpkgs.overlays = overlays;
     networking.hostName = "staff";
     users.extraUsers.root.openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s"
     ];
+    services.openssh = {
+      enable = true;
+      ports = [ 22 ];
+      allowSFTP = true;
+      settings = {
+        GatewayPorts = "no";
+        X11Forwarding = false;
+        PasswordAuthentication = false;
+        PermitRootLogin = "yes";
+      };
+    };
+    environment.systemPackages =
+      let pkgs = import inputs.nixpkgs { inherit system overlays; };
+      in with pkgs; [
+        git
+        vim
+        wget
+        curl
+        (import ../../modules/common/neovim/package {
+          inherit pkgs;
+          # colors = import ../../colorscheme/gruvbox.dark.neovimConfig {
+          #   inherit pkgs;
+          # };
+        })
+      ];
+    nix.extraOptions = ''
+      experimental-features = nix-command flakes
+      warn-dirty = false
+    '';
   }];
 }

hosts/flame/default.nix

@@ -29,7 +29,7 @@ nixpkgs.lib.nixosSystem {
       # FQDNs for various services
       networking.hostName = "flame";
       bookServer = "books.masu.rs";
-      streamServer = "stream.masu.rs";
+      # streamServer = "stream.masu.rs";
       nextcloudServer = "cloud.masu.rs";
       transmissionServer = "download.masu.rs";
       metricsServer = "metrics.masu.rs";

hosts/hydra/default.nix

@@ -25,7 +25,7 @@ nixpkgs.lib.nixosSystem {
         colors = (import ../../colorscheme/gruvbox).dark;
         dark = true;
       };
-      passwordHash = nixpkgs.lib.fileContents ../../private/password.sha512;
+      passwordHash = nixpkgs.lib.fileContents ../../password.sha512;
       wsl = {
         enable = true;
         wslConf.automount.root = "/mnt";

hosts/lookingglass/default.nix

@@ -44,6 +44,7 @@ darwin.lib.darwinSystem {
       lua.enable = true;
       kubernetes.enable = true;
       _1password.enable = true;
+      slack.enable = true;
     }
   ];
 }

hosts/swan/default.nix

@@ -15,15 +15,40 @@ nixpkgs.lib.nixosSystem {
     (removeAttrs globals [ "mail.server" ])
     wsl.nixosModules.wsl
     home-manager.nixosModules.home-manager
+    disko.nixosModules.disko
     {
       server = true;
+      networking.hostName = "swan";
+
+      # head -c 8 /etc/machine-id
+      networking.hostId = "600279f4"; # Random ID required for ZFS
+
+      zfs.enable = true;
+      disko = {
+        enableConfig = true;
+        devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });
+        # // (import ../../disks/zfs.nix {
+        #   pool = "tank";
+        #   disks = [ "/dev/sda" "/dev/sdb" "/dev/sdc" ];
+        # });
+      };
+      boot.zfs.extraPools = [ "tank" ];
+
       gui.enable = false;
       theme = { colors = (import ../../colorscheme/gruvbox).dark; };
       nixpkgs.overlays = overlays;
-      wsl.enable = false;
+      neovim.enable = true;
       caddy.enable = true;
+      streamServer = "stream.masu.rs";
+      nextcloudServer = "cloud.masu.rs";
+      bookServer = "books.masu.rs";
+      samba.enable = true;
 
-      networking.hostName = "swan";
+      backup.s3 = {
+        endpoint = "s3.us-west-002.backblazeb2.com";
+        bucket = "noahmasur-backup";
+        accessKeyId = "0026b0e73b2e2c80000000005";
+      };
 
       # Disable passwords, only use SSH key
       publicKey =
@@ -32,16 +57,7 @@ nixpkgs.lib.nixosSystem {
       # Clone dotfiles
       dotfiles.enable = true;
 
-      neovim.enable = true;
-
-      boot.zfs.enabled = true;
-      boot.kernelPackages =
-        config.boot.zfs.package.latestCompatibleLinuxPackages;
-      boot.zfs.extraPools = [ "mypool" ];
-      services.zfs.autoScrub.enable = true;
-      services.zfs.autoScrub.interval = "daily";
-
-      services.nfs.server.enable = true;
+      # services.nfs.server.enable = true;
 
     }
   ];

hosts/swan/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules =
+    [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # fileSystems."/" = {
+  #   device = "/dev/disk/by-label/nixos";
+  #   fsType = "ext4";
+  # };
+  #
+  # fileSystems."/boot" = {
+  #   device = "/dev/disk/by-label/boot";
+  #   fsType = "vfat";
+  # };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/tempest/default.nix

@@ -29,7 +29,7 @@ nixpkgs.lib.nixosSystem {
       };
       wallpaper = "${wallpapers}/gruvbox/road.jpg";
       gtk.theme.name = nixpkgs.lib.mkDefault "Adwaita-dark";
-      passwordHash = nixpkgs.lib.fileContents ../../private/password.sha512;
+      passwordHash = nixpkgs.lib.fileContents ../../password.sha512;
       wsl.enable = false;
       publicKey = null;
 
@@ -49,6 +49,7 @@ nixpkgs.lib.nixosSystem {
       # mullvad.enable = true;
       nixlang.enable = true;
       dotfiles.enable = true;
+      yt-dlp.enable = true;
 
       gaming = {
         enable = true;

modules/common/applications/1password.nix

@@ -11,7 +11,7 @@
 
   config = lib.mkIf
     (config.gui.enable && config._1password.enable && pkgs.stdenv.isLinux) {
-      unfreePackages = [ "1password" "_1password-gui" ];
+      unfreePackages = with pkgs; [ _1password _1password-gui ];
       home-manager.users.${config.user} = {
         home.packages = with pkgs; [ _1password-gui ];
       };

modules/common/applications/default.nix

@@ -7,9 +7,11 @@
     ./firefox.nix
     ./kitty.nix
     ./media.nix
+    ./nautilus.nix
     ./obsidian.nix
     ./qbittorrent.nix
-    ./nautilus.nix
+    ./slack.nix
+    ./yt-dlp.nix
   ];
 
 }

modules/common/applications/discord.nix

@@ -10,7 +10,7 @@
   };
 
   config = lib.mkIf (config.gui.enable && config.discord.enable) {
-    unfreePackages = [ "discord" ];
+    unfreePackages = [ pkgs.discord ];
     home-manager.users.${config.user} = {
       home.packages = with pkgs; [ discord ];
       xdg.configFile."discord/settings.json".text = ''

modules/common/applications/firefox.nix

@@ -13,9 +13,9 @@
 
   config = lib.mkIf (config.gui.enable && config.firefox.enable) {
 
-    unfreePackages = [
-      (lib.mkIf config._1password.enable "onepassword-password-manager")
-      "okta-browser-plugin"
+    unfreePackages = with pkgs.nur.repos.rycee.firefox-addons; [
+      (lib.mkIf config._1password.enable onepassword-password-manager)
+      okta-browser-plugin
     ];
 
     home-manager.users.${config.user} = {

modules/common/applications/media.nix

@@ -19,9 +19,17 @@
       ];
 
       # Set default for opening PDFs
-      xdg.mimeApps.defaultApplications."application/pdf" =
-        [ "zathura.desktop" ];
-      xdg.mimeApps.defaultApplications."image/*" = [ "sxiv.desktop" ];
+      xdg.mimeApps = {
+        associations.added = {
+          "application/pdf" = [ "pwmt.zathura-cb.desktop" ];
+          "image/*" = [ "sxiv.desktop" ];
+        };
+        associations.removed = { "application/pdf" = [ "mupdf.desktop" ]; };
+        defaultApplications = {
+          "application/pdf" = [ "pwmt.zathura-cb.desktop" ];
+          "image/*" = [ "sxiv.desktop" ];
+        };
+      };
 
     };
 

modules/common/applications/nautilus.nix

@@ -28,6 +28,7 @@
         };
       };
     };
+
   };
 
 }

modules/common/applications/obsidian.nix

@@ -10,7 +10,7 @@
   };
 
   config = lib.mkIf (config.gui.enable && config.obsidian.enable) {
-    unfreePackages = [ "obsidian" ];
+    unfreePackages = [ pkgs.obsidian ];
     home-manager.users.${config.user} = {
       home.packages = with pkgs; [ obsidian ];
     };

modules/common/applications/slack.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, lib, ... }: {
+
+  options = {
+    slack = {
+      enable = lib.mkEnableOption {
+        description = "Enable Slack.";
+        default = false;
+      };
+    };
+  };
+
+  config = lib.mkIf (config.gui.enable && config.slack.enable) {
+    unfreePackages = [ pkgs.slack ];
+    home-manager.users.${config.user} = {
+      home.packages = with pkgs; [ slack ];
+    };
+  };
+
+}

modules/common/applications/yt-dlp.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }: {
+
+  options = {
+    yt-dlp = {
+      enable = lib.mkEnableOption {
+        description = "Enable YouTube downloader.";
+        default = false;
+      };
+    };
+  };
+
+  config = lib.mkIf (config.yt-dlp.enable) {
+    home-manager.users.${config.user} = {
+      programs.yt-dlp = {
+        enable = true;
+        extraConfig = "";
+        settings = {
+          no-continue = true; # Always re-download each fragment
+          no-overwrites = true; # Don't overwrite existing files
+          download-archive = "archive.log"; # Log of archives
+          embed-metadata = true;
+          embed-thumbnail = true;
+          embed-subs = true;
+          sub-langs = "en.*";
+          concurrent-fragments = 4; # Parallel download chunks
+        };
+      };
+
+      programs.fish.shellAbbrs.yt = "yt-dlp";
+
+    };
+
+  };
+
+}

modules/common/default.nix

@@ -68,7 +68,7 @@
       description = "Link to dotfiles repository.";
     };
     unfreePackages = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
+      type = lib.types.listOf lib.types.package;
       description = "List of unfree packages to allow.";
       default = [ ];
     };
@@ -77,12 +77,30 @@
   config = let stateVersion = "23.05";
   in {
 
+    nix = {
+
       # Enable features in Nix commands
-    nix.extraOptions = ''
+      extraOptions = ''
         experimental-features = nix-command flakes
         warn-dirty = false
       '';
 
+      settings = {
+
+        # Add community Cachix to binary cache
+        substituters = lib.mkIf (!pkgs.stdenv.isDarwin)
+          [ "https://nix-community.cachix.org" ];
+        trusted-public-keys = lib.mkIf (!pkgs.stdenv.isDarwin) [
+          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        ];
+
+        # Scans and hard links identical files in the store
+        auto-optimise-store = true;
+
+      };
+
+    };
+
     # Basic common system packages for all devices
     environment.systemPackages = with pkgs; [ git vim wget curl ];
 
@@ -95,8 +113,10 @@
 
     # Allow specified unfree packages (identified elsewhere)
     # Retrieves package object based on string name
+    # Idea: https://discourse.nixos.org/t/how-to-use-packages-directly-in-allowunfreepredicate/22455/6
     nixpkgs.config.allowUnfreePredicate = pkg:
-      builtins.elem (lib.getName pkg) config.unfreePackages;
+      builtins.elem (pkg.name or (builtins.parseDrvName pkg.pname).name)
+      (map lib.getName config.unfreePackages);
 
     # Pin a state version to prevent warnings
     home-manager.users.${config.user}.home.stateVersion = stateVersion;

modules/common/mail/default.nix

@@ -67,7 +67,7 @@
             notmuch.enable = false;
             passwordCommand =
               "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
-                builtins.toString ../../private/mailpass.age
+                builtins.toString ../../../private/mailpass.age
               }";
             smtp = {
               host = "smtp.purelymail.com";

modules/common/neovim/config/align.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }: {
+  plugins = [ pkgs.vimPlugins.tabular ];
+  lua = ''
+    -- Align
+    vim.keymap.set("", "<Leader>ta", ":Tabularize /")
+    vim.keymap.set("", "<Leader>t#", ":Tabularize /#<CR>")
+    vim.keymap.set("", "<Leader>tl", ":Tabularize /---<CR>")
+  '';
+}

modules/common/neovim/config/lsp.nix

@@ -6,10 +6,10 @@
     pkgs.vimPlugins.null-ls-nvim
   ];
 
-  use.lspconfig.sumneko_lua.setup = dsl.callWith {
+  use.lspconfig.lua_ls.setup = dsl.callWith {
     settings = { Lua = { diagnostics = { globals = [ "vim" "hs" ]; }; }; };
     capabilities = dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
-    cmd = [ "${pkgs.sumneko-lua-language-server}/bin/lua-language-server" ];
+    cmd = [ "${pkgs.lua-language-server}/bin/lua-language-server" ];
   };
 
   use.lspconfig.nil_ls.setup = dsl.callWith {

modules/common/neovim/default.nix

@@ -34,6 +34,14 @@ in {
         programs.kitty.settings.scrollback_pager = lib.mkForce ''
           ${neovim}/bin/nvim -c 'setlocal nonumber nolist showtabline=0 foldcolumn=0|Man!' -c "autocmd VimEnter * normal G" -'';
 
+        xdg.desktopEntries.nvim = lib.mkIf pkgs.stdenv.isLinux {
+          name = "Neovim wrapper";
+          exec = "kitty nvim %F";
+        };
+        xdg.mimeApps = lib.mkIf pkgs.stdenv.isLinux {
+          defaultApplications."text/markdown" = [ "nvim.desktop" ];
+        };
+
       };
 
     # # Used for icons in Vim

modules/common/neovim/package/default.nix

@@ -31,6 +31,7 @@
 pkgs.neovimBuilder {
   package = pkgs.neovim-unwrapped;
   imports = [
+    ../config/align.nix
     ../config/bufferline.nix
     ../config/completion.nix
     ../config/gitsigns.nix

modules/common/repositories/dotfiles.nix

@@ -14,7 +14,13 @@
           [ "writeBoundary" ] ''
             if [ ! -d "${config.dotfilesPath}" ]; then
                 $DRY_RUN_CMD mkdir --parents $VERBOSE_ARG $(dirname "${config.dotfilesPath}")
-                $DRY_RUN_CMD ${pkgs.git}/bin/git clone ${config.dotfilesRepo} "${config.dotfilesPath}"
+
+                # Force HTTPS because anonymous SSH doesn't work
+                GIT_CONFIG_COUNT=1 \
+                    GIT_CONFIG_KEY_0="url.https://github.com/.insteadOf" \
+                    GIT_CONFIG_VALUE_0="git@github.com:" \
+                    $DRY_RUN_CMD \
+                    ${pkgs.git}/bin/git clone ${config.dotfilesRepo} "${config.dotfilesPath}"
             fi
           '';
 

modules/common/shell/direnv.nix

@@ -6,4 +6,10 @@
     config = { whitelist = { prefix = [ config.dotfilesPath ]; }; };
   };
 
+  # Prevent garbage collection
+  nix.extraOptions = ''
+    keep-outputs = true
+    keep-derivations = true
+  '';
+
 }

modules/common/shell/fish/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, lib, ... }: {
 
   users.users.${config.user}.shell = pkgs.fish;
   programs.fish.enable =
@@ -11,7 +11,10 @@
 
     programs.fish = {
       enable = true;
-      shellAliases = { ls = "exa"; };
+      shellAliases = {
+        ls = "exa";
+        trash = lib.mkIf pkgs.stdenv.isLinux "${pkgs.trash-cli}/bin/trash-put";
+      };
       functions = {
         commandline-git-commits = {
           description = "Insert commit into commandline";
@@ -90,6 +93,7 @@
         sc = "systemctl";
         scs = "systemctl status";
         m = "make";
+        t = "trash";
 
         # Vim (overwritten by Neovim)
         v = "vim";

modules/common/shell/utilities.nix

@@ -17,20 +17,6 @@ in {
 
     home-manager.users.${config.user} = {
 
-      # Fix: age won't build
-      nixpkgs.overlays = [
-        (_final: prev: {
-          age = prev.age.overrideAttrs (_old: {
-            src = prev.fetchFromGitHub {
-              owner = "FiloSottile";
-              repo = "age";
-              rev = "7354aa0d08a06eac42c635670a55f858bd23c943";
-              sha256 = "H80mNTgZmExDMgubONIXP7jmLBvNMVqXee6NiZJhPFY=";
-            };
-          });
-        })
-      ];
-
       home.packages = with pkgs; [
         unzip # Extract zips
         rsync # Copy folders

modules/darwin/hammerspoon.nix

@@ -16,6 +16,7 @@
           firefox = "${pkgs.firefox-bin}/Applications/Firefox.app";
           discord = "${pkgs.discord}/Applications/Discord.app";
           kitty = "${pkgs.kitty}/Applications/kitty.app";
+          slack = "${pkgs.slack}/Applications/Slack.app";
         };
       xdg.configFile."hammerspoon/Spoons/MoveWindow.spoon".source =
         ./hammerspoon/Spoons/MoveWindow.spoon;

modules/darwin/hammerspoon/Spoons/DismissAlerts.spoon/close_notifications.applescript

@@ -0,0 +1,21 @@
+# Credit: https://github.com/Ptujec/LaunchBar/blob/f7b5a0dba9919c2fec879513f68a044f78748539/Notifications/Dismiss%20all%20notifications.lbaction/Contents/Scripts/default.applescript
+
+tell application "System Events"
+	try
+		set _groups to groups of UI element 1 of scroll area 1 of group 1 of window "Notification Center" of application process "NotificationCenter"
+		
+		repeat with _group in _groups
+			
+			set _actions to actions of _group
+			
+			repeat with _action in _actions
+				if description of _action is in {"Schlie§en", "Alle entfernen", "Close", "Clear All"} then
+					perform _action
+					
+				end if
+			end repeat
+			
+		end repeat
+		
+	end try
+end tell

modules/darwin/hammerspoon/Spoons/DismissAlerts.spoon/init.lua

@@ -10,7 +10,7 @@ obj.license = "MIT - https://opensource.org/licenses/MIT"
 
 function obj:init()
     hs.hotkey.bind({ "cmd", "alt", "ctrl" }, "k", function()
-        hs.osascript.javascriptFromFile("Spoons/DismissAlerts.spoon/close_notifications_applescript.js")
+        hs.osascript.applescriptFromFile("Spoons/DismissAlerts.spoon/close_notifications.applescript")
     end)
 end
 

modules/darwin/hammerspoon/Spoons/Launcher.spoon/init.lua

@@ -8,44 +8,44 @@ obj.name = "Launcher"
 obj.version = "0.1"
 obj.license = "MIT - https://opensource.org/licenses/MIT"
 
-function DrawSwitcher()
-    -- Drawing
-    local width = hs.screen.mainScreen():fullFrame().w
-    local switcherWidth = 500
-    local canv = hs.canvas.new({
+local width = hs.screen.mainScreen():fullFrame().w
+local switcherWidth = 500
+obj.canvas = hs.canvas.new({
     x = width / 2 - switcherWidth / 2,
     y = 1,
     h = 3,
     w = switcherWidth,
-    })
-    canv[#canv + 1] = {
+})
+-- Draw switcher
+obj.canvas[#obj.canvas + 1] = {
     action = "build",
     type = "rectangle",
-    }
-    canv[#canv + 1] = {
+}
+obj.canvas[#obj.canvas + 1] = {
     type = "rectangle",
     fillColor = { alpha = 1, red = 0.8, green = 0.6, blue = 0.3 },
     action = "fill",
-    }
-    return canv:show()
-end
+}
 
 function obj:init()
     -- Begin launcher mode
     if self.launcher == nil then
         self.launcher = hs.hotkey.modal.new("ctrl", "space")
+
+        print(self.canvas)
+        print(obj.canvas)
     end
 
     -- Behaviors on enter
     function self.launcher:entered()
         -- hs.alert("Entered mode")
-        self.canv = DrawSwitcher()
+        obj.canvas:show()
     end
 
     -- Behaviors on exit
     function self.launcher:exited()
         -- hs.alert("Exited mode")
-        self.canv:hide()
+        obj.canvas:hide()
     end
 
     -- Use escape to exit launcher mode
@@ -54,7 +54,8 @@ function obj:init()
     end)
 
     -- Launcher shortcuts
-    self.launcher:bind("ctrl", "space", function() end)
+    self.launcher:bind("ctrl", "space", function()
+    end)
     self.launcher:bind("", "return", function()
         self:switch("@kitty@")
     end)
@@ -92,7 +93,7 @@ function obj:init()
         hs.reload()
     end)
     self.launcher:bind("", "S", function()
-        self:switch("Slack.app")
+        self:switch("@slack@")
     end)
     self.launcher:bind("", "Z", function()
         self:switch("zoom.us.app")

modules/darwin/homebrew.nix

@@ -45,12 +45,6 @@
       ];
     };
 
-    home-manager.users.${config.user} = {
-
-      programs.fish.shellAbbrs.t = "trash";
-
-    };
-
   };
 
 }

modules/darwin/system.nix

@@ -166,7 +166,7 @@
         echo "Choose and order dock icons"
         defaults write com.apple.dock persistent-apps -array \
             "$(__dock_item /Applications/1Password.app)" \
-            "$(__dock_item /Applications/Slack.app)" \
+            "$(__dock_item ${pkgs.slack}/Applications/Slack.app)" \
             "$(__dock_item /System/Applications/Calendar.app)" \
             "$(__dock_item ${pkgs.firefox-bin}/Applications/Firefox.app)" \
             "$(__dock_item /System/Applications/Messages.app)" \

modules/nixos/gaming/default.nix

@@ -16,5 +16,6 @@
       driSupport = true;
       driSupport32Bit = true;
     };
+    programs.gamemode.enable = true;
   };
 }

modules/nixos/gaming/minecraft-server.nix

@@ -14,7 +14,7 @@ in {
 
   config = lib.mkIf config.gaming.minecraft-server.enable {
 
-    unfreePackages = [ "minecraft-server" ];
+    unfreePackages = [ pkgs.minecraft-server ];
 
     services.minecraft-server = {
       enable = true;

modules/nixos/gaming/steam.nix

@@ -4,16 +4,21 @@
 
   config = lib.mkIf (config.gaming.steam.enable && pkgs.stdenv.isLinux) {
     hardware.steam-hardware.enable = true;
-    unfreePackages = [ "steam" "steam-original" "steamcmd" "steam-run" ];
-    environment.systemPackages = with pkgs; [
+    unfreePackages = with pkgs; [ steam steamcmd steam-run ];
 
-      steam
+    programs.steam = {
+      enable = true;
+      remotePlay.openFirewall = true;
+    };
+
+    environment.systemPackages = with pkgs; [
 
       # Enable terminal interaction
       steamPackages.steamcmd
       steam-tui
 
     ];
+
   };
 
 }

modules/nixos/hardware/boot.nix

@@ -13,6 +13,9 @@
       # Attempt to display GRUB on widescreen monitor
       gfxmodeEfi = "1920x1080";
 
+      # Limit the total number of configurations to rollback
+      configurationLimit = 25;
+
       # Install GRUB onto the boot disk
       # device = config.fileSystems."/boot".device;
 

modules/nixos/hardware/default.nix

@@ -3,6 +3,7 @@
   imports = [
     ./audio.nix
     ./boot.nix
+    ./disk.nix
     ./keyboard.nix
     ./monitors.nix
     ./mouse.nix
@@ -10,6 +11,7 @@
     ./server.nix
     ./sleep.nix
     ./wifi.nix
+    ./zfs.nix
   ];
 
   options = {

modules/nixos/hardware/disk.nix

@@ -0,0 +1,7 @@
+{ config, pkgs, lib, ... }: {
+
+  # Enable fstrim, which tracks free space on SSDs for garbage collection
+  # More info: https://www.reddit.com/r/NixOS/comments/rbzhb1/if_you_have_a_ssd_dont_forget_to_enable_fstrim/
+  services.fstrim.enable = true;
+
+}

modules/nixos/hardware/networking.nix

@@ -9,6 +9,12 @@
     networking.interfaces.enp5s0.useDHCP = true;
     networking.interfaces.wlp4s0.useDHCP = true;
 
+    networking.firewall.allowPing = lib.mkIf config.server true;
+    networking.hosts = {
+      "192.168.0.120" = [ "tempest" ];
+      "192.168.0.218" = [ "swan" ];
+    };
+
   };
 
 }

modules/nixos/hardware/sleep.nix

@@ -4,9 +4,17 @@
 
     # Prevent wake from keyboard
     powerManagement.powerDownCommands = ''
-      for wakeup in /sys/bus/usb/devices/1-*/power/wakeup; do echo disabled > $wakeup; done
+      # for power in /sys/bus/usb/devices/*/power; do echo disabled > ''${power}/wakeup; done
+
+      # AMD issue: https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Instantaneous_wakeups_from_suspend
+      for power in /sys/bus/i2c/devices/i2c-*/device/power; do echo disabled > ''${power}/wakeup; done
     '';
 
+    # From here: https://www.reddit.com/r/NixOS/comments/wcu34f/how_would_i_do_this_in_nix/
+    # services.udev.extraRules = ''
+    #   ACTION=="add", SUBSYSTEM=="i2c", ATTRS{idVendor}=="<vendor>", ATTRS{idProduct}=="<product>" RUN+="${pkgs.bash}/bin/bash -c 'echo disabled > /sys/bus/i2c/devices/i2c-*/power/wakeup'"
+    # '';
+
   };
 
 }

modules/nixos/hardware/zfs.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }: {
+
+  options = { zfs.enable = lib.mkEnableOption "ZFS file system."; };
+
+  config =
+    lib.mkIf (pkgs.stdenv.isLinux && config.server && config.zfs.enable) {
+
+      # Only use compatible Linux kernel, since ZFS can be behind
+      boot.kernelPackages =
+        config.boot.zfs.package.latestCompatibleLinuxPackages;
+      boot.kernelParams = [ "nohibernate" ];
+      boot.supportedFilesystems = [ "zfs" ];
+
+    };
+
+}

modules/nixos/services/backups.nix

@@ -27,7 +27,7 @@
     users.groups.backup = { };
 
     secrets.backup = {
-      source = ../../private/backup.age;
+      source = ../../../private/backup.age;
       dest = "${config.secretsDirectory}/backup";
       group = "backup";
       permissions = "0440";
@@ -38,6 +38,7 @@
     services.litestream = {
       enable = true;
       environmentFile = config.secrets.backup.dest;
+      settings = { };
     };
 
     # Wait for secret to exist

modules/nixos/services/calibre.nix

@@ -1,4 +1,10 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, lib, ... }:
+
+let
+
+  libraryPath = "/data/books";
+
+in {
 
   options = {
     bookServer = lib.mkOption {
@@ -6,6 +12,11 @@
       description = "Hostname for Calibre library";
       default = null;
     };
+    backups.calibre = lib.mkOption {
+      type = lib.types.bool;
+      description = "Whether to backup Calibre library";
+      default = true;
+    };
   };
 
   config = lib.mkIf (config.bookServer != null) {
@@ -17,6 +28,7 @@
         reverseProxyAuth.enable = false;
         enableBookConversion = true;
         enableBookUploading = true;
+        calibreLibrary = libraryPath;
       };
     };
 
@@ -30,7 +42,7 @@
     }];
 
     # Run a backup on a schedule
-    systemd.timers.calibre-backup = {
+    systemd.timers.calibre-backup = lib.mkIf config.backups.calibre {
       timerConfig = {
         OnCalendar = "*-*-* 00:00:00"; # Once per day
         Unit = "calibre-backup.service";
@@ -39,9 +51,7 @@
     };
 
     # Backup Calibre data to object storage
-    systemd.services.calibre-backup =
-      let libraryPath = "/var/lib/calibre-web"; # Default location
-      in {
+    systemd.services.calibre-backup = lib.mkIf config.backups.calibre {
       description = "Backup Calibre data";
       environment.AWS_ACCESS_KEY_ID = config.backup.s3.accessKeyId;
       serviceConfig = {

modules/nixos/services/default.nix

@@ -15,6 +15,7 @@
     ./netdata.nix
     ./nextcloud.nix
     ./prometheus.nix
+    ./samba.nix
     ./secrets.nix
     ./sshd.nix
     ./transmission.nix

modules/nixos/services/jellyfin.nix

@@ -20,6 +20,9 @@
       }];
     }];
 
+    # Grant user access to Jellyfin directories
+    users.users.${config.user}.extraGroups = [ "jellyfin" ];
+
     # Create videos directory, allow anyone in Jellyfin group to manage it
     systemd.tmpfiles.rules = [
       "d /var/lib/jellyfin 0775 jellyfin jellyfin"

modules/nixos/services/nextcloud.nix

@@ -15,6 +15,7 @@
     services.nextcloud = {
       enable = true;
       package = pkgs.nextcloud25; # Required to specify
+      datadir = "/data/nextcloud";
       https = true;
       hostName = "localhost";
       maxUploadSize = "50G";
@@ -41,7 +42,7 @@
 
     # Create credentials file for nextcloud
     secrets.nextcloud = {
-      source = ../../private/nextcloud.age;
+      source = ../../../private/nextcloud.age;
       dest = "${config.secretsDirectory}/nextcloud";
       owner = "nextcloud";
       group = "nextcloud";
@@ -52,6 +53,9 @@
       before = [ "nextcloud-setup.service" ];
     };
 
+    # Grant user access to Nextcloud directories
+    users.users.${config.user}.extraGroups = [ "nextcloud" ];
+
     ## Backup config
 
     # Open to groups, allowing for backups

modules/nixos/services/samba.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }: {
+
+  options = { samba.enable = lib.mkEnableOption "Enable Samba sharing."; };
+
+  config = {
+
+    services.samba = lib.mkIf (config.samba.enable) {
+      enable = true;
+      openFirewall = true;
+      shares.data = {
+        path = "/data";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "force user" = config.user;
+        "force group" = config.user;
+        comment = "NAS";
+      };
+    };
+
+    # Allows Windows clients to discover server
+    services.samba-wsdd.enable = true;
+    networking.firewall.allowedTCPPorts = [ 5357 ];
+    networking.firewall.allowedUDPPorts = [ 3702 ];
+
+    # Allow client browsing Samba and virtual filesystem shares
+    services.gvfs =
+      lib.mkIf (config.gui.enable && config.nautilus.enable) { enable = true; };
+
+    # # Permissions required to mount Samba with GVFS, if not using desktop environment
+    # environment.systemPackages = lib.mkIf (config.gui.enable
+    #   && config.nautilus.enable
+    #   && config.services.xserver.windowManager.i3.enable)
+    #   [ pkgs.lxqt.lxqt-policykit ];
+
+  };
+
+}

modules/nixos/services/sshd.nix

@@ -17,11 +17,13 @@
       services.openssh = {
         enable = true;
         ports = [ 22 ];
-        passwordAuthentication = false;
-        gatewayPorts = "no";
-        forwardX11 = false;
         allowSFTP = true;
-        permitRootLogin = config.permitRootLogin;
+        settings = {
+          GatewayPorts = "no";
+          X11Forwarding = false;
+          PasswordAuthentication = false;
+          PermitRootLogin = config.permitRootLogin;
+        };
       };
 
       users.users.${config.user}.openssh.authorizedKeys.keys =

modules/nixos/system/user.nix

@@ -32,6 +32,11 @@
     };
 
     home-manager.users.${config.user}.xdg = {
+
+      # Allow Nix to manage the default applications list
+      mimeApps.enable = true;
+
+      # Set directories for application defaults
       userDirs = {
         enable = true;
         createDirectories = true;

private/backup.age

@@ -1,10 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBmVEo2
-bExsZERhYi9vVXMxVThRK2w3dFR4UlZVcGlsWUFPM3pReTQwaW5ZCjQ5Z3g3amZC
-bWUwWkdKTStVbFpwMmdwK3pQQU5CeE5tMVNHbXI1UkdCTFUKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIE9sTG1lOHIyVGdLNWtJRTZtdGNWWEFsTTJ5bE1HS1V2MEdKeGNN
-WFMyV28KVlRHdDg5SGFadVlJempKWkp6eEp6TkhINnl0R0xDL0J0WXByclpFWE5I
-VQotLS0gVVhaUDZLTy8xS3hKOVliSlpuTEY2Q2xOQUEvblBtUG9Vb0I5ZE1oOUZ1
-VQr18Jwx6XDa7bwq0QWT6NdIFzqNUHWhDyUvS9twncFsr0yEAUDQd2XLtE+Vc8T9
-Z7y/C8Ct5+duqd6YaeqROJz5zVj0NnI0lshirBl89PQWF9ihp4V4Hw==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBkOVNs
+NklGeTFxTTQzQ2t5WVUvVzREVnk3WjB0ZnUwdGo5Wk5Zc2RVeVJJCnBFbHcvUzdi
+SG5xeTg2dU9oRUtiYXk3cERJOC9zbitrZ1hxZ0RJWDVYNmcKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIElNNkFMYkRoYXpPV1RtWEhrdUJCbXczd05tTG5QNi8wVktYQmZn
+eTlWbTgKUVVrb21mTTNzZ1d6cE0yU2l4SVhqbkNyUEpLSHJyUEMyS1pLNGloTlpK
+cwotPiBzc2gtZWQyNTUxOSBuanZYNUEgRU5LM2FKNEZ3Y1dDOW02VFU4bnNuZHpE
+QzBLMlBhVnY3aGIrZDNhOUNWcwpSMHNsYTRlNFc5V0NsQ1h2VGFqUHNBVkxTVXdz
+dGx6bWFwR1FFU2JNdmlBCi0tLSB6b3dpRmFURm0veFRFRitpbmZoOWJFcU8rbHJk
+OXVIbGpUSWNFdWZmczVNCrodWjz8yVOdHHcVH9s2gOJfDrZFCP7L14RdGs9UW/Iw
+JaJr5YblUiqTfKJiCN8dnCve3oCUlIY6K+yrBh5GaNbiwOgCzzZO5BGXEqoUSnux
+ltmV1UI4
 -----END AGE ENCRYPTED FILE-----

private/mailpass.age

@@ -1,10 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBIRnEy
-am1HTXptMmpSTjZQa2hQSUxNUU1rdXlod3U3bVZ0VGxQVlE2WldBClg0K3k5MDZH
-NFlPdHI0VnZSZE9DTTNMeDdldUpFQ3V0V0k0RnRIZHFhdzAKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIFlxZFpqNU5kNVY2VUk0Um0zZ1d1M2FlRkYvV1BoTEFSNjZ2Vk9I
-QTVHM0UKY2gvVU9wckVUNEFwdUwyVFJZUGwxOFFKYm12cUlFTEVrb3IvcXI3TnND
-UQotLS0gMHdaajFjV2ozd0g5dWN5YkhiU2NBVWZVSU00aVIzY0VKYjJleVlQTUdX
-QQo7rH6kOTRFP43U/qiBOCHx+hBGlaODFRS1CgzkuqfMOq8PM28RsIN+l3sbwjxE
-W8chE/A0EChjIDtfYTMgsN3cYg==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBsb0pX
+R2RJRlJkbWF2a3BJN25ZY3ZwWTNRNDFhbWFkRE5TdkxDNUMrUms4CjI4TVN4Rk5U
+a0xMRHVQSEJUcVJTQ2ZLd0c0c0MxM2thMFpyeXZ1NGM2NFEKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIFFnN1VkSzVXVzg4UGFWakxweWRmSldWbDBOMW9xYWJQek1Ielk0
+YXVrVFUKSzhUNVd3SGU4MkVZUXdLWXpFL3JCUWxOSitHOEJzQ0pXN0FKSXZ6RUFm
+NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgVG5jYmFCTkFmekJMdFBUVWJscmN5dUxp
+RngzZEFEZUJINDBwUFBIUitpWQo3aWlLRDdoUklhbDlNeFJjeXFkTnJFcDJiV1Vv
+ajBQQzFlaTFwWVFDSjljCi0tLSBWS3pzSWo4SXpIallxc0JQWk9LSWFDekxtOGRp
+eGhYSEdqL1RmRnhtemMwCmQ5wc817Rk+Rs8RHXMe2Gm1mKbFOFMVrWFW5gLm9UHE
+T05kZ7OBh34D9B7jmFokYM4uQBXBrydcb51TGVLXXgnN
 -----END AGE ENCRYPTED FILE-----

private/nextcloud.age

@@ -1,10 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBudkxn
-ZzU1YVViYUZBWVVTYm1SeHpvanQ5M0YwVGo2YldlN2RwY0tscWpBCjd0ZmtLZ2th
-dEMrQk5QV0EzT0RpVkg5bGo1cHdTNzVYVkZpVzE4aHR0azgKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIFlqaEI2QUNnMjR1T0FENXJIMEJWOUFJUXZ4SlJxbUFnQktWUW9w
-UFlmUUkKL1RwaWxoNFM4SkpadWtyN3JnWHdjVTYrQmo0dU9JUnp0MjN5enVsUm9o
-ZwotLS0gWUd2eTR2VGkyeTZ5cHNuanMrSlZKVmc4T1ZORExmUnhDSjN0NEJkNjkz
-cwriuyYCgvJe7TRi3n/JwxIRKMsoh7+xj4B5Fdxuj3BOtKVi1geSjlDHVklRwu9Y
-IMCTLqQtj08JnuLfDezRGHAYCM8=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBsWmI2
+UisyZ01rS3k4R0tJMThNdEZUOXZNVnV5RGNtVTR3V25wb2UwUDE0CnlGc0xySy8x
+L2k2b1VRc1M0R1p5MkVTUWxHWkU2ZEtTSDFXK211V0ZHQTQKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIExWdlE1M1ZldnpPYWVta3ovdmdEU3VtZU0xWWFldnp3L3hicnFY
+Y0dxQjQKdEFHa09Sd2IwUDRwM2dMK1paTFNESUJVRk1NNUFScXJGK1J5MkdtUGZv
+YwotPiBzc2gtZWQyNTUxOSBuanZYNUEgVnRhWmtLTnpDSGhRODcvcUY1K2VySlJK
+Rlk4WW1kQlVFd2Y4bWRLdGJWOAp1S1ZVclRrMUhicy9xQ1NTZ21tazEraDFaU2tD
+eldWVVR1S1BTRDJ4ZjVrCi0tLSAwdXF6Nmt4RHBFVnVzZ08yeFBLbWF3dUx1M1hq
+bVRzYmZiZk1Sb1ZOZUZRCpm4DLNa9DuoFQxQux3Q90PP6G30Z2b0j85cZqyr7anw
+fg3687eKqMNwl4qdGYeE63oeUHrxfYISKB41zRDHmc7H2w==
 -----END AGE ENCRYPTED FILE-----

private/transmission.json.age

@@ -1,10 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBSYUU2
-OWp1ZDRLVTJrR1k3SVdXZnRPN3RUNDY5RFM2WEZaTzRmdU1zSWdrCjV1VHpNMG81
-VHA4LzdsN3FpOUNoTGNlWmlHS3E4dTVvWTVoZHJMSlNYTHMKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIDVjM1JmclgxQThKcU1XQWptWmN0MjlKU1NvMEpwMnYyd3Y4czBT
-RTVkQ0UKc0pOYkRxZldsWnloQnBYMWk1eFU0M3R5SkZVTUYyaldIcENONE1PWVJv
-NAotLS0gclZDQndaREZpZ2Z0R0d0alBPeW1tZFVOVHhSaHNlQTRXdTRoZmFDUFFK
-SQqueOUzTFuhSryWW4Do+NAUcq2YdOtN8gmP5Zcp1oMe/9+JIs6Upjsc3eWn+dSA
-7QwbGlTyd6D0+PLJxHA18Xfgpj5owGeTDtwykFPgdO1BjE8C3KlgzUfN
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyB1TWhO
+N1k5bFFvODkwdzRGcGtFL2YzRkJDUjVSbUVFeXBOTExpK29uU2drCjN2cS9GZjJW
+RGxrMlQzK3ZGVWU4L2M0M1d4cXJrOTNrcDhsdWUyRGt5N1EKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RICtoM2V3UjZ1cnVFN09pZ1Y0azYraENoWlN2ajRUeHRLZVlVd0Yw
+T29BRW8Kb2ltQlpJZ1JUTkd6Wk14ZkFIdDliQ1JOMHMvVzhwaGkyMkl6ajFrYVNv
+MAotPiBzc2gtZWQyNTUxOSBuanZYNUEgNThPSW91di91SWxtbTRpQVJwek94VGJV
+UERvS2tITHF0SXVlVFEyLzJTMApuYjdsWndDd01mUk5LbXJWTkd6UEt3eFkvMk40
+VDBpZmk0bUkxNTBWMzlrCi0tLSBiVFpxcjd4ZkZ6YittMDBBT25rOFlrcEpTdXg1
+d2Y5TkdwZ25sRFN0ZjVzCj8h/4aeASCnUoK7Sc6LsY9ur3krKlF+3GMMvlLiRqsi
+COBx+YbkwR0EfrxhLZ6DLHhM/t2jnWAMMzDK2a4volvQkdORLiRo3sfjR5kSy5N5
+Ml3lFlXKxYQ=
 -----END AGE ENCRYPTED FILE-----

private/vaultwarden.age

@@ -1,11 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBqNm0x
-YVc0bXp6eldNdkp1QWk2cEI0WFBhVVd3cHhDODNwMS9UUTBPN25JCmxXZnRIcFZr
-SFJrQnI3R1BTUk1BcVl3RjlUaXMzSXpqaGdTMi9reno1eHcKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIFlKWCtsWGtWdTI4L0ZFTVRHNFN5by9vTE95MXFoMVZGYlYrM1I2
-alREaE0Kd251SGRDdE96VmZqblhEWXFkZDhvRUZsZ1pnZ3NqdEdJSlBvaXhoOHVB
-WQotLS0gaGJNRm14SkdXcTFmYlJUell1WUZUeEllT3ZwMkNaejF3eWJ5U1ZSdno1
-MAqQIT8vvUro+C+avm6lCPfrX9yigKzx/gtKfMB//1Ie7BUo1+o5iYoA+R0luMU8
-/zVX1yGAzDPqas/HfYclIPg3bdjm2dnpz0ltOrOvjA4x3nEzzrmS96zo3Fy1d8oX
-oAMw2l/p2QDHI60cyhvC
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBLemo1
+TXRJdkYxR1RBcFdrVEthRUI1UEtWbm5LUlRKYVpOTUIyZjY2YlhJCmkzbEdmZFFN
+MzBFQkN3ME9FcjdCOTN4T3ZlcWg1NEIydjZQQm93VURvcVEKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIDNjMXpObEhuTWg5bitFL2VjUGtTcjhIMDYzeVFpQ0tpUnRRV3pJ
+SGRwRzgKRkpzdzJsZ3N4dnhSaGplN0ZjQ1dpY0xOZHZyU0NON1NEbDc5MmtMKzhL
+ZwotPiBzc2gtZWQyNTUxOSBuanZYNUEgaEFrMTZYNndKVWg0OTFtOVJyVTFPbjJJ
+RHJwU0JsclUrSms5ckMyZTdoYwpmV3dlZFY4MEFYSEhoQnpic0NEd2xxOENIRTBt
+MWs4RVNFUnIyTnNWUDRNCi0tLSAvT2ZPektwL2djUlNQdy9tek9hL3JmekJOc28z
+NzU3cDR6TUxod0I5ODdZCnxOYrlDTdi8Y+m5PRxAYgS3u2cC1YlfXi5TZo1LIEjv
+UxWwPwn8JAF9CYB1o8e6p/w+yMcUfr+2UHWo0GqLqye8VCGy7Vzk2S3tOCZJv+k9
++kQtMva6CND8gBZIIJ3aXoYshT4sLWfx+BAkxPQ=
 -----END AGE ENCRYPTED FILE-----

private/wireguard.age

@@ -1,10 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBOOXNm
-VG5EMHhEU2JLbkYyY1VXdXZJd2VxSEVXUjZaaURnU254QUVzUENzCnhnV21oRFNY
-NGpMeXlqdDlYRmltN1cxTlJ3eWFTVElpK0ZBalA3QVFoL2MKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIDk3TVhDVVBjQU5XNjVTbkxKdUNEU25uZXREeEpHcTF4STg4VXR1
-V2xzRTQKZTBXZUQrbjIwTDEwOEc3MktpQzBjTzhjS3lTNTJ0TEMyMVBOODQ0N0lt
-OAotLS0gODA2L2FpSmxiWDAyM1IvM2Q4U2QrNmRkVjl1bFhURW5sNCtWZ2tiMnZU
-YwoC0chavNt+a/AImm/7bNheZIPghrobp9g+ga+UpRWBtM2snpkyFZrBR0qAkw/f
-3krp5Rrco7IOlEwWx96UzvAUpKlC7CdVI1MFa76ZUg==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBqamNI
+eGQ3Ty9td3owQWNyOXMrM1ZTQ1dSOVc0dEZ6UlplY0ZDQlV4MG1NCmQ1eUpTdURs
+YkhsNnF5djkwdWRlcms4SFEyaTdFUFZ2WFpTaVRPRy8zam8KLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIHBTWEkyekhRQ1RqWnVpM2FQVGVqQzZyVFpuL0liZU9UUHl4dVpr
+dno5UjgKbFZxL0xXTWZwYU0wWjNhYm9NZzVCRWhER2N6eWUySjV4N0c3Z3V4S2o2
+NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgeDNtdjZvQkVGZXZsUFhkd3ZnWkNYaTdr
+ZlFuR2RrNTVZNWh4WUY2cTh6OApEYTBwcGlvQ0xVazIzUjBBT2VuWGczRkRyM0d2
+YmdoMVRPMFh5NVBwb3RFCi0tLSBjaXVreU1LYjNvOVVZeTlTRldyWE02Rzc1V2xN
+N082QUtDNXM2bEpRMlpjCp6Qtp6EN1L1V/mLp48M6uymwPmGjR1pAloYXDhXSiab
+uz9LLBvB8qVp15/724DTLg6Mi72LVYiHZ+zQ3IB8kv7gjhMMryfFJSPErZfY
 -----END AGE ENCRYPTED FILE-----

public-keys

@@ -1,4 +1,5 @@
 # Scan hosts: ssh-keyscan -t ed25519 <hostnames>
 
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s noah
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVknmPi7sG6ES0G0jcsvebzKGWWaMfJTYgvOue6EULI oracle.masu.rs
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s tempest
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVknmPi7sG6ES0G0jcsvebzKGWWaMfJTYgvOue6EULI flame
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9mwXlZnIALt9SnH3FOZvdgHLM5ZqwYUERXBbM7Rwh6 swan