try to configure using nixosModules

doesn't seem like there's that much benefit?
2025-07-07 20:40:14 +00:00 · 2023-07-10 17:56:15 -06:00
154 changed files with 908 additions and 5189 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -1,20 +0,0 @@
 name: Check Build
 on:
  workflow_dispatch: # allows manual triggering
 jobs:
  check:
    name: Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v4
      - name: Check Nixpkgs Inputs
        uses: DeterminateSystems/flake-checker-action@v5
      - name: Add Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@v2
      - name: Check the Flake
        run: nix flake check
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@ -1,63 +0,0 @@
 name: Update Flake
 on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '33 3 * * 0' # runs weekly on Sunday at 03:33
 permissions:
  contents: write
  pull-requests: write
  checks: write
 jobs:
  lockfile:
    name: Lockfile
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v4
      - name: Check Nixpkgs Inputs
        uses: DeterminateSystems/flake-checker-action@v5
      - name: Add Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@v2
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@v19
        id: update
        with:
          pr-title: "Update flake.lock" # Title of PR to be created
          pr-labels: |                  # Labels to be set on the PR
            dependencies
            automated
      - name: Check the Flake
        id: check
        run: nix flake check
      - name: Update Check Status
        uses: LouisBrunner/checks-action@v1.6.1
        if: always()
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          name: Update Flake
          conclusion: ${{ job.status }}
          output: |
            {"summary":"${{ steps.check.outputs.stdout }}"}
      - name: Enable Pull Request Automerge
        if: success()
        run: |
          gh pr merge \
            --rebase \
            --auto \
            ${{ steps.update.outputs.pull-request-number }}
        env:
          GH_TOKEN: ${{ github.token }}
      - name: Close Pull Request If Failed
        if: failure()
        run: |
          gh pr close \
            --comment "Auto-closing pull request" \
            --delete-branch \
            ${{ steps.update.outputs.pull-request-number }}
        env:
          GH_TOKEN: ${{ github.token }}
--- a/README.md
+++ b/README.md
@ -43,22 +43,6 @@ configuration may be difficult to translate to a non-Nix system.
 ---
 # Unique Configurations
 This repo contains a few atypical choices for configuration.
 - [Neovim config](./modules/common/neovim/default.nix) generated with Nix2Vim
 and source-controlled plugins, differing from host to host.
 - [Caddy JSON](./modules/nixos/services/caddy.nix) file (routes, etc.) based on
 dynamic service metadata.
 - [Grafana config](./modules/nixos/services/grafana.nix) based on dynamic
 service metadata.
 - Custom [secrets deployment](./modules/nixos/services/secrets.nix) similar to
 agenix.
 - Base16 [colorschemes](./colorscheme/) applied to multiple applications.
 ---
 # Installation
 Click [here](./docs/installation.md) for detailed installation instructions.
--- a/apps/README.md
+++ b/apps/README.md
@ -1,9 +0,0 @@
 # Apps
 These are all my miscellaneous utilies and scripts to accompany this project.
 They can be run with:
 ```
 nix run github:nmasur/dotfiles#appname
 ```
--- a/apps/encrypt-secret.nix
+++ b/apps/encrypt-secret.nix
@ -11,7 +11,7 @@
    tmpfile=$(mktemp)
    echo "''${secret}" > ''${tmpfile}
    ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-      builtins.toString ../misc/public-keys
+      builtins.toString ../public-keys
    } $tmpfile
    rm $tmpfile
  '');
--- a/apps/installer.nix
+++ b/apps/installer.nix
@ -17,8 +17,8 @@
            --foreground "#fb4934" \
            "Missing required parameter." \
            "Usage: installer -- <disk> <host>" \
-            "Example: installer -- nvme0n1 tempest" \
+            "Example: installer -- nvme0n1 desktop" \
-            "Flake example: nix run github:nmasur/dotfiles#installer -- nvme0n1 tempest"
+            "Flake example: nix run github:nmasur/dotfiles#installer -- nvme0n1 desktop"
        echo "(exiting)"
        exit 1
    fi
--- a/apps/reencrypt-secrets.nix
+++ b/apps/reencrypt-secrets.nix
@ -17,7 +17,7 @@
        --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
      echo "Encrypting ''${encryptedfile}..."
      ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-        builtins.toString ../misc/public-keys
+        builtins.toString ../public-keys
      } $tmpfile > $encryptedfile
      rm $tmpfile
    done
--- a/colorscheme/README.md
+++ b/colorscheme/README.md
@ -1,5 +0,0 @@
 # Colorschemes
 Color information for different themes is found here. The colors are sourced
 and used with [base16](https://github.com/chriskempson/base16) format
 consistently across the system.
--- a/disks/README.md
+++ b/disks/README.md
@ -1,5 +0,0 @@
 # Disks
 These are my [disko](https://github.com/nix-community/disko) configurations,
 which allow me to save desired disk formatting layouts as a declarative file so
 I don't have to remember how to format my disks later on.
--- a/docs/README.md
+++ b/docs/README.md
@ -1,4 +0,0 @@
 # Documentation
 Reference documents for some of the more complicated services and maintenance
 tasks.
--- a/docs/repair-nextcloud.md
+++ b/docs/repair-nextcloud.md
@ -1,65 +0,0 @@
 # Repairing Nextcloud
 You can run the maintenance commands like this:
 ```
 sudo -u nextcloud nextcloud-occ maintenance:mode --on
 sudo -u nextcloud nextcloud-occ maintenance:repair
 sudo -u nextcloud nextcloud-occ maintenance:mode --off
 ```
 ## Rescan Files
 ```
 sudo -u nextcloud nextcloud-occ files:scan --all
 ```
 ## Converting from SQLite to MySQL (mariadb)
 First: keep Nextcloud set to SQLite as its dbtype, and separately launch MySQL
 as a service by copying the configuration found
 [here](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/web-apps/nextcloud.nix).
 No password is necessary, since the user-based auth works with UNIX sockets.
 You can connect to the MySQL instance like this:
 ```
 sudo -u nextcloud mysql -S /run/mysqld/mysqld.sock
 ```
 Create a blank database for Nextcloud:
 ```sql
 create database nextcloud;
 ```
 Now setup the [conversion](https://docs.nextcloud.com/server/17/admin_manual/configuration_database/db_conversion.html):
 ```
 sudo -u nextcloud nextcloud-occ db:convert-type mysql nextcloud localhost nextcloud
 ```
 Ignore the password prompt. Proceed with the conversion.
 Now `config.php` will be updated but the override config from NixOS will not
 be. Now update your NixOS configuration:
 - Remove the `mysql` service you created.
 - Set `dbtype` to `mysql`.
 - Set `database.createLocally` to `true`.
 Rebuild your configuration.
 Now, make sure to enable [4-byte
 support](https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/mysql_4byte_support.html)
 in the database.
 ## Backing Up MySQL Database
 Use this mysqldump command:
 ```
 sudo -u nextcloud mysqldump -S /run/mysqld/mysqld.sock --default-character-set=utf8mb4 nextcloud > backup.sql
 ```
--- a/docs/restore-nextcloud.md
+++ b/docs/restore-nextcloud.md
@ -0,0 +1,43 @@
 # Restoring Nextcloud From Backup
 Install the `litestream` package.
 ```
 nix-shell --run fish -p litestream
 ```
 Set the S3 credentials:
 ```
 set -x AWS_ACCESS_KEY_ID (read)
 set -x AWS_SECRET_ACCESS_KEY (read)
 ```
 Restore from S3:
 ```
 litestream restore -o nextcloud.db s3://noahmasur-backup.s3.us-west-002.backblazeb2.com/nextcloud
 ```
 Install Nextcloud. Then copy DB:
 ```
 sudo rm /data/nextcloud/data/nextcloud.db*
 sudo mv nextcloud.db /data/nextcloud/data/
 sudo chown nextcloud:nextcloud /data/nextcloud/data/nextcloud.db
 sudo chmod 770 /data/nextcloud/data/nextcloud.db
 ```
 Restart Nextcloud:
 ```
 sudo systemctl restart phpfpm-nextcloud.service
 ```
 Adjust Permissions and Directories:
 ```
 sudo mkdir /data/nextcloud/data/noah/files
 sudo chown nextcloud:nextcloud /data/nextcloud/data/noah/files
 ```
--- a/docs/zfs.md
+++ b/docs/zfs.md
@ -1,45 +0,0 @@
 # ZFS
 Swan runs its root on ext4. The ZFS drives are managed imperatively (this
 [disko configuration](../disks/zfs.nix) is an unused work-in-progress).
 The basic ZFS settings are managed [here](../modules/nixos/hardware/zfs.nix).
 ## Creating a New Dataset
 ```
 sudo zfs create tank/mydataset
 sudo zfs set compression=zstd tank/myzstddataset
 sudo zfs set mountpoint=/data/mydataset tank/mydataset
 ```
 ## Maintenance
 ### Get Status
 ```
 sudo zpool status
 ```
 ### Replace Disk
 ```
 sudo zdb
 sudo zpool status -g # Show by GUID
 sudo zpool offline tank <GUID>
 sudo zpool status
 # Remove old disk, insert new disk
 sudo zdb
 sudo zpool replace tank <OLD GUID> /dev/disk/by-id/<NEW PATH>
 sudo zpool status
 ```
 ## Initial Setup
 ```
 sudo zpool create tank raidz1 sda sdb sdc
 sudo zpool set ashift=12 tank
 sudo zpool set autoexpand=on tank
 sudo zpool set compression=on tank
 ```
--- a/flake.lock
+++ b/flake.lock
@ -17,52 +17,19 @@
        "type": "github"
      }
    },
    "age": {
      "flake": false,
      "locked": {
        "lastModified": 1672087018,
        "narHash": "sha256-LRxxJQLQkzoCNYGS/XBixVmYXoZ1mPHKvFicPGXYLcw=",
        "owner": "FiloSottile",
        "repo": "age",
        "rev": "c6dcfa1efcaa27879762a934d5bea0d1b83a894c",
        "type": "github"
      },
      "original": {
        "owner": "FiloSottile",
        "ref": "v1.1.1",
        "repo": "age",
        "type": "github"
      }
    },
    "baleia-nvim-src": {
      "flake": false,
      "locked": {
        "lastModified": 1681806450,
        "narHash": "sha256-jxRlIzWbnSj89032msc5w+2TVt7zVyzlxdXxiH1dQqY=",
        "owner": "m00qek",
        "repo": "baleia.nvim",
        "rev": "00bb4af31c8c3865b735d40ebefa6c3f07b2dd16",
        "type": "github"
      },
      "original": {
        "owner": "m00qek",
        "repo": "baleia.nvim",
        "type": "github"
      }
    },
    "bufferline-nvim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1695205521,
+        "lastModified": 1687763763,
-        "narHash": "sha256-MQMpXMgUpZA0E9TunzjXeOQxDWSCTogXbvi9VJnv4Kw=",
+        "narHash": "sha256-wbOeylzjjScQXkrDbBU2HtrOZrp2YUK+wQ2aOkgxmRQ=",
        "owner": "akinsho",
        "repo": "bufferline.nvim",
-        "rev": "6ecd37e0fa8b156099daedd2191130e083fb1490",
+        "rev": "bf2f6b7edd0abf6b0732f5e5c0a8f30e51611c75",
        "type": "github"
      },
      "original": {
        "owner": "akinsho",
-        "ref": "v4.4.0",
+        "ref": "v4.2.0",
        "repo": "bufferline.nvim",
        "type": "github"
      }
@ -70,11 +37,11 @@
    "cmp-nvim-lsp-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1702205473,
+        "lastModified": 1687494203,
-        "narHash": "sha256-/0sh9vJBD9pUuD7q3tNSQ1YLvxFMNykdg5eG+LjZAA8=",
+        "narHash": "sha256-mU0soCz79erJXMMqD/FyrJZ0mu2n6fE0deymPzQlxts=",
        "owner": "hrsh7th",
        "repo": "cmp-nvim-lsp",
-        "rev": "5af77f54de1b16c34b23cba810150689a3a90312",
+        "rev": "44b16d11215dce86f253ce0c30949813c0a90765",
        "type": "github"
      },
      "original": {
@ -90,11 +57,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1703990467,
+        "lastModified": 1687517837,
-        "narHash": "sha256-LItEeQVwDfLnavNskwdfRnonbEdq8DYiJlWRtF+bwng=",
+        "narHash": "sha256-Ea+JTy6NSf+wWIFrgC8gnOnyt01xwmtDEn2KecvaBkg=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "1a41453cba42a3a1af2fff003be455ddbd75386c",
+        "rev": "6460468e7a3e1290f132fee4170ebeaa127f6f32",
        "type": "github"
      },
      "original": {
@ -111,11 +78,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704072400,
+        "lastModified": 1687598357,
-        "narHash": "sha256-Es4zcFoCJ+Pa9TN46VoqgNlYznuhc6s50LRcDqQEATs=",
+        "narHash": "sha256-70ciIe8415oQnQypawaqocEaLJcI1XtkqRNmle8vsrg=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "59f915b45a38cb0ec0e97a713237877a06b43386",
+        "rev": "1e7098ee0448dc5d33df394d040f454cd42a809c",
        "type": "github"
      },
      "original": {
@ -124,23 +91,6 @@
        "type": "github"
      }
    },
    "fidget-nvim-src": {
      "flake": false,
      "locked": {
        "lastModified": 1702031048,
        "narHash": "sha256-wbjQuOFd/2339TIrUA97PYsV8N3PZsS+xbyMsyZmki8=",
        "owner": "j-hui",
        "repo": "fidget.nvim",
        "rev": "300018af4abd00610a345e382ca1f4b7ba420f77",
        "type": "github"
      },
      "original": {
        "owner": "j-hui",
        "ref": "v1.1.0",
        "repo": "fidget.nvim",
        "type": "github"
      }
    },
    "firefox-darwin": {
      "inputs": {
        "nixpkgs": [
@ -148,11 +98,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704070085,
+        "lastModified": 1688605308,
-        "narHash": "sha256-bTwLbeao1cHkQpD1q/4fGbyImCFJ83b4CpBK/qgT17Y=",
+        "narHash": "sha256-B9suu7dcdX4a18loO5ul237gqIJ5/+TRuheLj8fJjwM=",
        "owner": "bandithedoge",
        "repo": "nixpkgs-firefox-darwin",
-        "rev": "122138e9e07595a6712e65e47a4a9c80a19764cc",
+        "rev": "78d28acf685e19d353b2ecb6c38eeb3fc624fc68",
        "type": "github"
      },
      "original": {
@ -164,11 +114,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1673956053,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
@ -178,15 +128,12 @@
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1687709756,
+        "lastModified": 1678901627,
-        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
        "type": "github"
      },
      "original": {
@ -197,7 +144,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems"
      },
      "locked": {
        "lastModified": 1685518550,
@ -215,14 +162,14 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1701680307,
+        "lastModified": 1685518550,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
        "type": "github"
      },
      "original": {
@ -231,22 +178,6 @@
        "type": "github"
      }
    },
    "hmts-nvim-src": {
      "flake": false,
      "locked": {
        "lastModified": 1693226725,
        "narHash": "sha256-jUuztOqNBltC3axa7s3CPJz9Cmukfwkf846+Z/gAxCU=",
        "owner": "calops",
        "repo": "hmts.nvim",
        "rev": "14fd941d7ec2bb98314a1aacaa2573d97f1629ab",
        "type": "github"
      },
      "original": {
        "owner": "calops",
        "repo": "hmts.nvim",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -254,11 +185,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704100519,
+        "lastModified": 1687627695,
-        "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
+        "narHash": "sha256-6Pu7nWb52PRtUmihwuDNShDmsZiXgtXR0OARtH4DSik=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
+        "rev": "172d46d4b2677b32277d903bdf4cff77c2cc6477",
        "type": "github"
      },
      "original": {
@ -268,45 +199,6 @@
        "type": "github"
      }
    },
    "nextcloud-cookbook": {
      "flake": false,
      "locked": {
        "lastModified": 1679666795,
        "narHash": "sha256-XgBwUr26qW6wvqhrnhhhhcN4wkI+eXDHnNSm1HDbP6M=",
        "type": "tarball",
        "url": "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz"
      }
    },
    "nextcloud-external": {
      "flake": false,
      "locked": {
        "lastModified": 1699624334,
        "narHash": "sha256-RCL2RP5twRDLxI/KfAX6QLYQOzqZmSWsfrC5ZQIwTD4=",
        "type": "tarball",
        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz"
      }
    },
    "nextcloud-news": {
      "flake": false,
      "locked": {
        "lastModified": 1695883388,
        "narHash": "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4=",
        "type": "tarball",
        "url": "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz"
      }
    },
    "nil": {
      "inputs": {
        "flake-utils": "flake-utils",
@ -316,16 +208,16 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1691372739,
+        "lastModified": 1680544266,
-        "narHash": "sha256-fZ8KfBMcIFO/R7xaWtB85SFeuUjb9SCH8fxYBnY8068=",
+        "narHash": "sha256-d/TusDXmIo8IT5DNRA21lN+nOVSER8atIx9TJteR6LQ=",
        "owner": "oxalica",
        "repo": "nil",
-        "rev": "97abe7d3d48721d4e0fcc1876eea83bb4247825b",
+        "rev": "56a1fa87b98a9508920f4b0ab8fe36d5b54b2362",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
-        "ref": "2023-08-09",
+        "ref": "2023-04-03",
        "repo": "nil",
        "type": "github"
      }
@ -353,11 +245,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1693701915,
+        "lastModified": 1687049841,
-        "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
+        "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
+        "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5",
        "type": "github"
      },
      "original": {
@ -374,11 +266,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1701689616,
+        "lastModified": 1687398392,
-        "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=",
+        "narHash": "sha256-T6kc3NMTpGJk1/dve8PGupeVcxboEb78xtTKhe3LL/A=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "246219bc21b943c6f6812bb7744218ba0df08600",
+        "rev": "649171f56a45af13ba693c156207eafbbbf7edfe",
        "type": "github"
      },
      "original": {
@ -389,11 +281,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1703961334,
+        "lastModified": 1687502512,
-        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
+        "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
+        "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
        "type": "github"
      },
      "original": {
@ -405,16 +297,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1703900474,
+        "lastModified": 1686929285,
-        "narHash": "sha256-Zu+chYVYG2cQ4FCbhyo6rc5Lu0ktZCjRbSPE0fDgukI=",
+        "narHash": "sha256-WGtVzn+vGMPTXDO0DMNKVFtf+zUSqeW+KKk4Y/Ae99I=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9dd7699928e26c3c00d5d46811f1358524081062",
+        "rev": "93fddcf640ceca0be331210ba3101cee9d91c13d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -422,11 +314,11 @@
    "null-ls-nvim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1691810493,
+        "lastModified": 1686871437,
-        "narHash": "sha256-cWA0rzkOp/ekVKaFee7iea1lhnqKtWUIU+fW5M950wI=",
+        "narHash": "sha256-MxIZqyRW8jStiDNXt7Bsw8peDLKpqxKEaUuIJsXkGMI=",
        "owner": "jose-elias-alvarez",
        "repo": "null-ls.nvim",
-        "rev": "0010ea927ab7c09ef0ce9bf28c2b573fc302f5a7",
+        "rev": "bbaf5a96913aa92281f154b08732be2f57021c45",
        "type": "github"
      },
      "original": {
@ -437,11 +329,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1704142590,
+        "lastModified": 1687625402,
-        "narHash": "sha256-4cFVrYDodnB1vJQ79htwm4rAYl1HwHcemiZ68izluLI=",
+        "narHash": "sha256-V+vSWypmm/tGbwNXGhqzmiV7vTjV2gNCEh9N7OhNnyA=",
        "owner": "nix-community",
        "repo": "nur",
-        "rev": "0529839a62a15cda326e38353f9c10a4efa01d60",
+        "rev": "aeaf37c7538965e45700d39e6b5dc9c9a0e0749c",
        "type": "github"
      },
      "original": {
@ -470,11 +362,11 @@
    "nvim-tree-lua-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1704073600,
+        "lastModified": 1687132855,
-        "narHash": "sha256-D+wCJQuRj9mvgLd0DaiYgqghDYDwfux9zlEb/vIvaqA=",
+        "narHash": "sha256-ZRUoCDBv8rO8ZUBUMLgo33EBbqD9+ZOSET9rkFsA++E=",
        "owner": "kyazdani42",
        "repo": "nvim-tree.lua",
-        "rev": "f1b3e6a7eb92da492bd693257367d9256839ed3d",
+        "rev": "c3c6544ee00333b0f1d6a13735d0dd302dba4f70",
        "type": "github"
      },
      "original": {
@ -486,49 +378,29 @@
    "nvim-treesitter-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1703930904,
+        "lastModified": 1681121236,
-        "narHash": "sha256-3G5qOgqjZMrUkM7LaI02GTpwra6w+l97cIpFh4DHbgY=",
+        "narHash": "sha256-iPsPDLhVKJ14iP1/2cCgcY9SCKK/DQz9Y0mQB1DqNiM=",
        "owner": "nvim-treesitter",
        "repo": "nvim-treesitter",
-        "rev": "e49f1e8ef3e8450a8446cb1f2bbb53c919f60b6d",
+        "rev": "cc360a9beb1b30d172438f640e2c3450358c4086",
        "type": "github"
      },
      "original": {
        "owner": "nvim-treesitter",
-        "ref": "master",
+        "ref": "v0.9.0",
        "repo": "nvim-treesitter",
        "type": "github"
      }
    },
    "proton-ge": {
      "flake": false,
      "locked": {
        "lastModified": 1699415676,
        "narHash": "sha256-3XniKYf/KDRDYhTwffkktbmoISwOtGIABF28bsp8QHA=",
        "type": "tarball",
        "url": "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-23/GE-Proton8-23.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-23/GE-Proton8-23.tar.gz"
      }
    },
    "root": {
      "inputs": {
        "Comment-nvim-src": "Comment-nvim-src",
        "age": "age",
        "baleia-nvim-src": "baleia-nvim-src",
        "bufferline-nvim-src": "bufferline-nvim-src",
        "cmp-nvim-lsp-src": "cmp-nvim-lsp-src",
        "darwin": "darwin",
        "disko": "disko",
        "fidget-nvim-src": "fidget-nvim-src",
        "firefox-darwin": "firefox-darwin",
        "hmts-nvim-src": "hmts-nvim-src",
        "home-manager": "home-manager",
        "nextcloud-cookbook": "nextcloud-cookbook",
        "nextcloud-external": "nextcloud-external",
        "nextcloud-news": "nextcloud-news",
        "nil": "nil",
        "nix2vim": "nix2vim",
        "nixos-generators": "nixos-generators",
@ -538,20 +410,12 @@
        "nvim-lspconfig-src": "nvim-lspconfig-src",
        "nvim-tree-lua-src": "nvim-tree-lua-src",
        "nvim-treesitter-src": "nvim-treesitter-src",
        "proton-ge": "proton-ge",
        "telescope-nvim-src": "telescope-nvim-src",
        "telescope-project-nvim-src": "telescope-project-nvim-src",
        "toggleterm-nvim-src": "toggleterm-nvim-src",
        "tree-sitter-bash": "tree-sitter-bash",
        "tree-sitter-ini": "tree-sitter-ini",
        "tree-sitter-lua": "tree-sitter-lua",
        "tree-sitter-puppet": "tree-sitter-puppet",
        "tree-sitter-python": "tree-sitter-python",
        "tree-sitter-rasi": "tree-sitter-rasi",
        "vscode-terraform-snippets": "vscode-terraform-snippets",
        "wallpapers": "wallpapers",
-        "wsl": "wsl",
+        "wsl": "wsl"
        "zenyd-mpv-scripts": "zenyd-mpv-scripts"
      }
    },
    "rust-overlay": {
@ -566,11 +430,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1688783586,
+        "lastModified": 1680488274,
-        "narHash": "sha256-HHaM2hk2azslv1kH8zmQxXo2e7i5cKgzNIuK4yftzB0=",
+        "narHash": "sha256-0vYMrZDdokVmPQQXtFpnqA2wEgCCUXf5a3dDuDVshn0=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "7a29283cc242c2486fc67f60b431ef708046d176",
+        "rev": "7ec2ff598a172c6e8584457167575b3a1a5d80d8",
        "type": "github"
      },
      "original": {
@ -609,34 +473,19 @@
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "telescope-nvim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1697004956,
+        "lastModified": 1686302912,
-        "narHash": "sha256-7SqYFnfCjotOBhuX6Wx1IOhgMKoxaoI1a4SKz1d5RVM=",
+        "narHash": "sha256-fV3LLRwAPykVGc4ImOnUSP+WTrPp9Ad9OTfBJ6wqTMk=",
        "owner": "nvim-telescope",
        "repo": "telescope.nvim",
-        "rev": "7011eaae0ac1afe036e30c95cf80200b8dc3f21a",
+        "rev": "776b509f80dd49d8205b9b0d94485568236d1192",
        "type": "github"
      },
      "original": {
        "owner": "nvim-telescope",
-        "ref": "0.1.4",
+        "ref": "0.1.2",
        "repo": "telescope.nvim",
        "type": "github"
      }
@ -644,11 +493,11 @@
    "telescope-project-nvim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1701464478,
+        "lastModified": 1682606566,
-        "narHash": "sha256-touMCltcnqkrQYV1NtNeWLQeFVGt+WM3aIWIdKilA7w=",
+        "narHash": "sha256-H6lrPjpOUVleKHB0ziI+6dthg9ymitHhEWtcgYJTrKo=",
        "owner": "nvim-telescope",
        "repo": "telescope-project.nvim",
-        "rev": "1aaf16580a614601a7f7077d9639aeb457dc5559",
+        "rev": "7c64b181dd4e72deddcf6f319e3bf1e95b2a2f30",
        "type": "github"
      },
      "original": {
@ -660,119 +509,20 @@
    "toggleterm-nvim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1695636777,
+        "lastModified": 1685434104,
-        "narHash": "sha256-o8xzoo7OuYrPnKlfrupQ24Ja9hZy1qQVnvwO0FO+4zM=",
+        "narHash": "sha256-oiCnBrvft6XxiQtQH8E4F842xhh348SaTpHzaeb+iDY=",
        "owner": "akinsho",
        "repo": "toggleterm.nvim",
-        "rev": "faee9d60428afc7857e0927fdc18daa6c409fa64",
+        "rev": "95204ece0f2a54c89c4395295432f9aeedca7b5f",
        "type": "github"
      },
      "original": {
        "owner": "akinsho",
-        "ref": "v2.8.0",
+        "ref": "v2.7.0",
        "repo": "toggleterm.nvim",
        "type": "github"
      }
    },
    "tree-sitter-bash": {
      "flake": false,
      "locked": {
        "lastModified": 1696959291,
        "narHash": "sha256-VP7rJfE/k8KV1XN1w5f0YKjCnDMYU1go/up0zj1mabM=",
        "owner": "tree-sitter",
        "repo": "tree-sitter-bash",
        "rev": "7331995b19b8f8aba2d5e26deb51d2195c18bc94",
        "type": "github"
      },
      "original": {
        "owner": "tree-sitter",
        "ref": "master",
        "repo": "tree-sitter-bash",
        "type": "github"
      }
    },
    "tree-sitter-ini": {
      "flake": false,
      "locked": {
        "lastModified": 1699877527,
        "narHash": "sha256-dYPeVTNWO4apY5dsjsKViavU7YtLeGTp6BzEemXhsEU=",
        "owner": "justinmk",
        "repo": "tree-sitter-ini",
        "rev": "bcb84a2d4bcd6f55b911c42deade75c8f90cb0c5",
        "type": "github"
      },
      "original": {
        "owner": "justinmk",
        "repo": "tree-sitter-ini",
        "type": "github"
      }
    },
    "tree-sitter-lua": {
      "flake": false,
      "locked": {
        "lastModified": 1694072484,
        "narHash": "sha256-5t5w8KqbefInNbA12/jpNzmky/uOUhsLjKdEqpl1GEc=",
        "owner": "MunifTanjim",
        "repo": "tree-sitter-lua",
        "rev": "9668709211b2e683f27f414454a8b51bf0a6bda1",
        "type": "github"
      },
      "original": {
        "owner": "MunifTanjim",
        "ref": "main",
        "repo": "tree-sitter-lua",
        "type": "github"
      }
    },
    "tree-sitter-puppet": {
      "flake": false,
      "locked": {
        "lastModified": 1690231696,
        "narHash": "sha256-YEjjy9WLwITERYqoeSVrRYnwVBIAwdc4o0lvAK9wizw=",
        "owner": "amaanq",
        "repo": "tree-sitter-puppet",
        "rev": "9ce9a5f7d64528572aaa8d59459ba869e634086b",
        "type": "github"
      },
      "original": {
        "owner": "amaanq",
        "repo": "tree-sitter-puppet",
        "type": "github"
      }
    },
    "tree-sitter-python": {
      "flake": false,
      "locked": {
        "lastModified": 1700218345,
        "narHash": "sha256-hXNxa895SyNOG7PH2vAIkWbcMjZDjWYDsCafBZuvnT0=",
        "owner": "tree-sitter",
        "repo": "tree-sitter-python",
        "rev": "4bfdd9033a2225cc95032ce77066b7aeca9e2efc",
        "type": "github"
      },
      "original": {
        "owner": "tree-sitter",
        "ref": "master",
        "repo": "tree-sitter-python",
        "type": "github"
      }
    },
    "tree-sitter-rasi": {
      "flake": false,
      "locked": {
        "lastModified": 1678701563,
        "narHash": "sha256-2nYZoLcrxxxiOJEySwHUm93lzMg8mU+V7LIP63ntFdA=",
        "owner": "Fymyte",
        "repo": "tree-sitter-rasi",
        "rev": "371dac6bcce0df5566c1cfebde69d90ecbeefd2d",
        "type": "github"
      },
      "original": {
        "owner": "Fymyte",
        "repo": "tree-sitter-rasi",
        "type": "github"
      }
    },
    "vscode-terraform-snippets": {
      "flake": false,
      "locked": {
@ -812,11 +562,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1704091507,
+        "lastModified": 1687279045,
-        "narHash": "sha256-SMtf/mgpYro3H2kGxck3W3jc3LYKnyAgNegjsEUuKfs=",
+        "narHash": "sha256-LR0dsXd/A07M61jclyBUW0wRojEQteWReKM35zoJXp0=",
        "owner": "nix-community",
        "repo": "NixOS-WSL",
-        "rev": "b8d2747e2f7474e6c1ba5a63f265424c8d000257",
+        "rev": "a8486b5d191f11d571f15d80b6e265d1712d01cf",
        "type": "github"
      },
      "original": {
@ -824,22 +574,6 @@
        "repo": "NixOS-WSL",
        "type": "github"
      }
    },
    "zenyd-mpv-scripts": {
      "flake": false,
      "locked": {
        "lastModified": 1650625438,
        "narHash": "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=",
        "owner": "zenyd",
        "repo": "mpv-scripts",
        "rev": "19ea069abcb794d1bf8fac2f59b50d71ab992130",
        "type": "github"
      },
      "original": {
        "owner": "zenyd",
        "repo": "mpv-scripts",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -9,7 +9,7 @@
    # Used for MacOS system config
    darwin = {
-      url = "github:lnl7/nix-darwin/master";
+      url = "github:/lnl7/nix-darwin/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
@ -58,13 +58,12 @@
    # Nix language server
    nil = {
-      url = "github:oxalica/nil/2023-08-09";
+      url = "github:oxalica/nil/2023-04-03";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Neovim plugins
    nvim-lspconfig-src = {
      # https://github.com/neovim/nvim-lspconfig/tags
      url = "github:neovim/nvim-lspconfig/v0.1.6";
      flake = false;
    };
@ -76,22 +75,16 @@
      url = "github:jose-elias-alvarez/null-ls.nvim";
      flake = false;
    };
    baleia-nvim-src = {
      # https://github.com/m00qek/baleia.nvim/tags
      url = "github:m00qek/baleia.nvim";
      flake = false;
    };
    Comment-nvim-src = {
      url = "github:numToStr/Comment.nvim/v0.8.0";
      flake = false;
    };
    nvim-treesitter-src = {
-      # https://github.com/nvim-treesitter/nvim-treesitter/tags
+      url = "github:nvim-treesitter/nvim-treesitter/v0.9.0";
      url = "github:nvim-treesitter/nvim-treesitter/master";
      flake = false;
    };
    telescope-nvim-src = {
-      url = "github:nvim-telescope/telescope.nvim/0.1.4";
+      url = "github:nvim-telescope/telescope.nvim/0.1.2";
      flake = false;
    };
    telescope-project-nvim-src = {
@ -99,11 +92,11 @@
      flake = false;
    };
    toggleterm-nvim-src = {
-      url = "github:akinsho/toggleterm.nvim/v2.8.0";
+      url = "github:akinsho/toggleterm.nvim/v2.7.0";
      flake = false;
    };
    bufferline-nvim-src = {
-      url = "github:akinsho/bufferline.nvim/v4.4.0";
+      url = "github:akinsho/bufferline.nvim/v4.2.0";
      flake = false;
    };
    nvim-tree-lua-src = {
@ -114,89 +107,23 @@
      url = "github:run-at-scale/vscode-terraform-doc-snippets";
      flake = false;
    };
    hmts-nvim-src = {
      url = "github:calops/hmts.nvim";
      flake = false;
    };
    fidget-nvim-src = {
      # https://github.com/j-hui/fidget.nvim/tags
      url = "github:j-hui/fidget.nvim/v1.1.0";
      flake = false;
    };
    # Tree-Sitter Grammars
    tree-sitter-bash = {
      url = "github:tree-sitter/tree-sitter-bash/master";
      flake = false;
    };
    tree-sitter-python = {
      url = "github:tree-sitter/tree-sitter-python/master";
      flake = false;
    };
    tree-sitter-lua = {
      url = "github:MunifTanjim/tree-sitter-lua/main";
      flake = false;
    };
    tree-sitter-ini = {
      url = "github:justinmk/tree-sitter-ini";
      flake = false;
    };
    tree-sitter-puppet = {
      url = "github:amaanq/tree-sitter-puppet";
      flake = false;
    };
    tree-sitter-rasi = {
      url = "github:Fymyte/tree-sitter-rasi";
      flake = false;
    };
    # MPV Scripts
    zenyd-mpv-scripts = {
      url = "github:zenyd/mpv-scripts";
      flake = false;
    };
    # Age encryption (pin because of failed builds)
    age = {
      url = "github:FiloSottile/age/v1.1.1";
      flake = false;
    };
    # GE version of Proton for game compatibility
    # Alternatively, could consider using https://github.com/fufexan/nix-gaming
    proton-ge = {
      # https://github.com/GloriousEggroll/proton-ge-custom/releases
      url =
        "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-23/GE-Proton8-23.tar.gz";
      flake = false;
    };
    # Nextcloud Apps
    nextcloud-news = {
      # https://github.com/nextcloud/news/releases
      url =
        "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz";
      flake = false;
    };
    nextcloud-external = {
      # https://github.com/nextcloud-releases/external/releases
      url =
        "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
      flake = false;
    };
    nextcloud-cookbook = {
      # https://github.com/nextcloud/cookbook/releases
      url =
        "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz";
      flake = false;
    };
  };
-  outputs = { nixpkgs, ... }@inputs:
+  outputs = { self, nixpkgs, ... }@inputs:
    let
      # Common overlays to always use
      overlays = [
        inputs.nur.overlay
        inputs.nix2vim.overlay
        (import ./overlays/neovim-plugins.nix inputs)
        (import ./overlays/calibre-web.nix)
        (import ./overlays/disko.nix inputs)
        (import ./overlays/tree-sitter.nix inputs)
      ];
      # Global configuration for my systems
      globals = let baseName = "masu.rs";
      in rec {
@ -207,13 +134,12 @@
        mail.server = "noahmasur.com";
        mail.imapHost = "imap.purelymail.com";
        mail.smtpHost = "smtp.purelymail.com";
-        dotfilesRepo = "https://github.com/nmasur/dotfiles";
+        dotfilesRepo = "git@github.com:nmasur/dotfiles";
        nixpkgs.overlays = overlays;
        hostnames = {
          git = "git.${baseName}";
          influxdb = "influxdb.${baseName}";
          metrics = "metrics.${baseName}";
          prometheus = "prom.${baseName}";
          paperless = "paper.${baseName}";
          secrets = "vault.${baseName}";
          stream = "stream.${baseName}";
          content = "cloud.${baseName}";
@ -222,23 +148,6 @@
        };
      };
      # Common overlays to always use
      overlays = [
        inputs.nur.overlay
        inputs.nix2vim.overlay
        (import ./overlays/neovim-plugins.nix inputs)
        (import ./overlays/calibre-web.nix)
        (import ./overlays/disko.nix inputs)
        (import ./overlays/tree-sitter.nix inputs)
        (import ./overlays/caddy.nix inputs)
        (import ./overlays/mpv-scripts.nix inputs)
        (import ./overlays/nextcloud-apps.nix inputs)
        (import ./overlays/betterlockscreen.nix)
        (import ./overlays/age.nix inputs)
        (import ./overlays/proton-ge.nix inputs)
        (import ./overlays/gh-collaborators.nix)
      ];
      # System types to support.
      supportedSystems =
        [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
@ -248,20 +157,26 @@
    in rec {
      nixosModules = {
        globals = { config }: { config = globals; };
        common = import ./modules/common;
        nixos = import ./modules/nixos;
        darwin = import ./modules/darwin;
      };
      # Contains my full system builds, including home-manager
      # nixos-rebuild switch --flake .#tempest
      nixosConfigurations = {
-        tempest = import ./hosts/tempest { inherit inputs globals overlays; };
+        tempest = import ./hosts/tempest { inherit self; };
-        hydra = import ./hosts/hydra { inherit inputs globals overlays; };
+        hydra = import ./hosts/hydra { inherit self; };
-        flame = import ./hosts/flame { inherit inputs globals overlays; };
+        flame = import ./hosts/flame { inherit self; };
-        swan = import ./hosts/swan { inherit inputs globals overlays; };
+        swan = import ./hosts/swan { inherit self; };
      };
      # Contains my full Mac system builds, including home-manager
      # darwin-rebuild switch --flake .#lookingglass
      darwinConfigurations = {
-        lookingglass =
+        lookingglass = import ./hosts/lookingglass { inherit self; };
          import ./hosts/lookingglass { inherit inputs globals overlays; };
      };
      # For quickly applying home-manager settings with:
@ -277,10 +192,8 @@
      diskoConfigurations = { root = import ./disks/root.nix; };
      packages = let
-        aws = system:
+        aws = system: import ./hosts/aws { inherit self system; };
-          import ./hosts/aws { inherit inputs globals overlays system; };
+        staff = system: import ./hosts/staff { inherit self system; };
        staff = system:
          import ./hosts/staff { inherit inputs globals overlays system; };
        neovim = system:
          let pkgs = import nixpkgs { inherit system overlays; };
          in import ./modules/common/neovim/package {
@ -315,24 +228,6 @@
        });
      checks = forAllSystems (system:
        let pkgs = import nixpkgs { inherit system overlays; };
        in {
          neovim = pkgs.runCommand "neovim-check-health" {
            buildInputs = [ inputs.self.packages.${system}.neovim ];
          } ''
            mkdir -p $out
            export HOME=$TMPDIR
            nvim -c "checkhealth" -c "write $out/health.log" -c "quitall"
            # Check for errors inside the health log
            if $(grep "ERROR" $out/health.log); then
              cat $out/health.log
              exit 1
            fi
          '';
        });
      # Templates for starting other projects quickly
      templates = rec {
        default = basic;
--- a/hosts/README.md
+++ b/hosts/README.md
@ -1,7 +1,5 @@
 # Hosts
 These are the individual machines managed by this flake.
 | Host                                       | Purpose             |
 | ---                                        | ---                 |
 | [aws](./aws/default.nix)                   | AWS AMI             |
--- a/hosts/aws/default.nix
+++ b/hosts/aws/default.nix
@ -1,13 +1,14 @@
-{ inputs, system, globals, overlays, ... }:
+{ self, system, ... }:
-inputs.nixos-generators.nixosGenerate {
+self.inputs.nixos-generators.nixosGenerate {
  inherit system;
  format = "amazon";
  modules = [
-    globals
+    self.inputs.home-manager.nixosModules.home-manager
-    inputs.home-manager.nixosModules.home-manager
+    self.nixosModules.globals
    self.nixosModules.common
    self.nixosModules.nixos
    {
      nixpkgs.overlays = overlays;
      networking.hostName = "sheep";
      gui.enable = false;
      theme.colors = (import ../../colorscheme/gruvbox).dark;
@ -17,9 +18,6 @@ inputs.nixos-generators.nixosGenerate {
      # AWS settings require this
      permitRootLogin = "prohibit-password";
    }
    ../../modules/common
    ../../modules/nixos
    ../../modules/nixos/services/sshd.nix
  ] ++ [
    # Required to fix diskSize errors during build
    ({ ... }: { amazonImage.sizeMB = 16 * 1024; })
--- a/hosts/flame/default.nix
+++ b/hosts/flame/default.nix
@ -3,67 +3,56 @@
 # How to install:
 # https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
 # These days, probably use nixos-anywhere instead.
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.nixpkgs.lib.nixosSystem {
+self.inputs.nixpkgs.lib.nixosSystem {
  system = "aarch64-linux";
  specialArgs = { };
  modules = [
-    globals
+    self.inputs.home-manager.nixosModules.home-manager
-    inputs.home-manager.nixosModules.home-manager
+    self.nixosModules.globals
-    ../../modules/common
+    self.nixosModules.common
-    ../../modules/nixos
+    self.nixosModules.nixos
    {
      nixpkgs.overlays = overlays;
      # Hardware
      server = true;
      networking.hostName = "flame";
-      # Not sure what's necessary but too afraid to remove anything
+      imports =
-      imports = [ (inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
+        [ (self.inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
      boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" ];
      # File systems must be declared in order to boot
      # This is the root filesystem containing NixOS
      # I forgot to set a clean label for it
      fileSystems."/" = {
        device = "/dev/disk/by-uuid/e1b6bd50-306d-429a-9f45-78f57bc597c3";
        fsType = "ext4";
      };
      # This is the boot filesystem for systemd-boot
      fileSystems."/boot" = {
        device = "/dev/disk/by-uuid/D5CA-237A";
        fsType = "vfat";
      };
      # Theming
      # Server doesn't require GUI
      gui.enable = false;
      # Still require colors for programs like Neovim, K9S
      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
      # Disable passwords, only use SSH key
      publicKey =
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
      # Programs and services
      cloudflare.enable = true; # Proxy traffic with Cloudflare
      dotfiles.enable = true; # Clone dotfiles
      neovim.enable = true;
-      giteaRunner.enable = true;
+
      services.caddy.enable = true;
      services.grafana.enable = true;
-      services.openssh.enable = true;
+      services.prometheus.enable = true;
      services.victoriametrics.enable = true;
      services.influxdb2.enable = true;
      services.gitea.enable = true;
      services.vaultwarden.enable = true;
      services.minecraft-server.enable = true; # Setup Minecraft server
      # Allows private remote access over the internet
      cloudflareTunnel = {
        enable = true;
        id = "bd250ee1-ed2e-42d2-b627-039f1eb5a4d2";
@ -72,6 +61,8 @@ inputs.nixpkgs.lib.nixosSystem {
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK/6oyVqjFGX3Uvrc3VS8J9sphxzAnRzKC85xgkHfYgR3TK6qBGXzHrknEj21xeZrr3G2y1UsGzphWJd9ZfIcdA= open-ssh-ca@cloudflareaccess.org";
      };
      giteaRunner.enable = true;
      # Nextcloud backup config
      backup.s3 = {
        endpoint = "s3.us-west-002.backblazeb2.com";
@ -79,10 +70,6 @@ inputs.nixpkgs.lib.nixosSystem {
        accessKeyId = "0026b0e73b2e2c80000000005";
      };
      # Disable passwords, only use SSH key
      publicKey =
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
      # # Wireguard config for Transmission
      # wireguard.enable = true;
      # networking.wireguard.interfaces.wg0 = {
@ -112,6 +99,9 @@ inputs.nixpkgs.lib.nixosSystem {
      # # VPN port forwarding
      # services.transmission.settings.peer-port = 57599;
      # # Grant access to Transmission directories from Jellyfin
      # users.users.jellyfin.extraGroups = [ "transmission" ];
    }
  ];
 }
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@ -1,28 +1,27 @@
 # The Hydra
 # System configuration for WSL
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.nixpkgs.lib.nixosSystem {
+self.inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  specialArgs = { };
  modules = [
-    ../../modules/common
+    self.inputs.wsl.nixosModules.wsl
-    ../../modules/nixos
+    self.inputs.home-manager.nixosModules.home-manager
-    ../../modules/wsl
+    self.nixosModules.globals
-    globals
+    self.nixosModules.common
-    inputs.wsl.nixosModules.wsl
+    self.nixosModules.nixos
-    inputs.home-manager.nixosModules.home-manager
+    self.nixosModules.wsl
    {
      networking.hostName = "hydra";
      nixpkgs.overlays = overlays;
      identityFile = "/home/${globals.user}/.ssh/id_ed25519";
      gui.enable = false;
      theme = {
        colors = (import ../../colorscheme/gruvbox).dark;
        dark = true;
      };
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
      wsl = {
        enable = true;
        wslConf.automount.root = "/mnt";
--- a/hosts/lookingglass/default.nix
+++ b/hosts/lookingglass/default.nix
@ -1,24 +1,23 @@
 # The Looking Glass
 # System configuration for my work Macbook
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.darwin.lib.darwinSystem {
+self.inputs.darwin.lib.darwinSystem {
  system = "x86_64-darwin";
  specialArgs = { };
  modules = [
-    ../../modules/common
+    self.inputs.home-manager.darwinModules.home-manager
-    ../../modules/darwin
+    self.nixosModules.common
-    (globals // rec {
+    self.nixosModules.darwin
-      user = "Noah.Masur";
+    ({ config, lib, ... }: {
-      gitName = "Noah-Masur_1701";
+      config = rec {
-      gitEmail = "${user}@take2games.com";
+        user = lib.mkForce "Noah.Masur";
-    })
+        gitName = lib.mkForce "Noah-Masur_1701";
-    inputs.home-manager.darwinModules.home-manager
+        gitEmail = lib.mkForce "${user}@take2games.com";
-    {
+        nixpkgs.overlays = [ self.inputs.firefox-darwin.overlay ];
      nixpkgs.overlays = [ inputs.firefox-darwin.overlay ] ++ overlays;
        networking.hostName = "lookingglass";
-      identityFile = "/Users/Noah.Masur/.ssh/id_ed25519";
+        identityFile = "/Users/${user}/.ssh/id_ed25519";
        gui.enable = true;
        theme = {
          colors = (import ../../colorscheme/gruvbox-dark).dark;
@ -37,11 +36,11 @@ inputs.darwin.lib.darwinSystem {
        nixlang.enable = true;
        terraform.enable = true;
        python.enable = true;
      rust.enable = true;
        lua.enable = true;
        kubernetes.enable = true;
        _1password.enable = true;
        slack.enable = true;
-    }
+      };
    })
  ];
 }
--- a/hosts/staff/default.nix
+++ b/hosts/staff/default.nix
@ -1,13 +1,16 @@
 # The Staff
 # ISO configuration for my USB drive
-{ inputs, system, overlays, ... }:
+{ self, system, ... }:
-inputs.nixos-generators.nixosGenerate {
+self.inputs.nixos-generators.nixosGenerate {
  inherit system;
  format = "install-iso";
-  modules = [{
+  modules = [
-    nixpkgs.overlays = overlays;
+    self.nixosModules.global
    self.nixosModules.common
    self.nixosModules.nixos
    ({ config, pkgs, ... }: {
      networking.hostName = "staff";
      users.extraUsers.root.openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s"
@ -23,9 +26,7 @@ inputs.nixos-generators.nixosGenerate {
          PermitRootLogin = "yes";
        };
      };
-    environment.systemPackages =
+      environment.systemPackages = with pkgs; [
      let pkgs = import inputs.nixpkgs { inherit system overlays; };
      in with pkgs; [
        git
        vim
        wget
@ -39,5 +40,6 @@ inputs.nixos-generators.nixosGenerate {
        experimental-features = nix-command flakes
        warn-dirty = false
      '';
-  }];
+    })
  ];
 }
--- a/hosts/swan/default.nix
+++ b/hosts/swan/default.nix
@ -1,26 +1,22 @@
 # The Swan
 # System configuration for my home NAS server
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.nixpkgs.lib.nixosSystem {
+self.inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  specialArgs = { };
  modules = [
-    globals
+    self.inputs.home-manager.nixosModules.home-manager
-    inputs.home-manager.nixosModules.home-manager
+    self.inputs.disko.nixosModules.disko
-    inputs.disko.nixosModules.disko
+    self.nixosModules.globals
-    ../../modules/common
+    self.nixosModules.common
-    ../../modules/nixos
+    self.nixosModules.nixos
    {
      nixpkgs.overlays = overlays;
      # Hardware
      server = true;
      physical = true;
      networking.hostName = "swan";
      # Not sure what's necessary but too afraid to remove anything
      boot.initrd.availableKernelModules =
        [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
@ -33,55 +29,35 @@ inputs.nixpkgs.lib.nixosSystem {
        "amdgpu.cik_support=1"
        "amdgpu.dc=1"
      ];
      # Required binary blobs to boot on this machine
      hardware.enableRedistributableFirmware = true;
      # Prioritize efficiency over performance
      powerManagement.cpuFreqGovernor = "powersave";
      # Allow firmware updates
      hardware.cpu.intel.updateMicrocode = true;
      # ZFS
      zfs.enable = true;
      # Generated with: head -c 8 /etc/machine-id
      networking.hostId = "600279f4"; # Random ID required for ZFS
      # Sets root ext4 filesystem instead of declaring it manually
      disko = {
        enableConfig = true;
        devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });
      };
      # Automatically load the ZFS pool on boot
      boot.zfs.extraPools = [ "tank" ];
      # Theming
      # Server doesn't require GUI
      gui.enable = false;
      # Still require colors for programs like Neovim, K9S
      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
      # Programs and services
      neovim.enable = true;
      cloudflare.enable = true;
      dotfiles.enable = true;
      arrs.enable = true;
-      services.bind.enable = true;
+
      services.caddy.enable = true;
      services.jellyfin.enable = true;
      services.nextcloud.enable = true;
      services.calibre-web.enable = true;
-      services.openssh.enable = true;
+      services.prometheus.enable = true;
      services.prometheus.enable = false;
      services.vmagent.enable = true;
      services.samba.enable = true;
      services.paperless.enable = true;
      # Allows private remote access over the internet
      cloudflareTunnel = {
        enable = true;
        id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
@ -90,7 +66,6 @@ inputs.nixpkgs.lib.nixosSystem {
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
      };
      # Send regular backups and litestream for DBs to an S3-like bucket
      backup.s3 = {
        endpoint = "s3.us-west-002.backblazeb2.com";
        bucket = "noahmasur-backup";
--- a/hosts/tempest/default.nix
+++ b/hosts/tempest/default.nix
@ -1,41 +1,28 @@
 # The Tempest
 # System configuration for my desktop
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.nixpkgs.lib.nixosSystem {
+self.inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  modules = [
-    globals
+    self.inputs.home-manager.nixosModules.home-manager
-    inputs.home-manager.nixosModules.home-manager
+    self.nixosModules.globals
-    ../../modules/common
+    self.nixosModules.common
-    ../../modules/nixos
+    self.nixosModules.nixos
    {
      nixpkgs.overlays = overlays;
      # Hardware
      physical = true;
      networking.hostName = "tempest";
      # Not sure what's necessary but too afraid to remove anything
      boot.initrd.availableKernelModules =
        [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
      # Graphics and VMs
      boot.initrd.kernelModules = [ "amdgpu" ];
      boot.kernelModules = [ "kvm-amd" ];
      services.xserver.videoDrivers = [ "amdgpu" ];
      # Required binary blobs to boot on this machine
      hardware.enableRedistributableFirmware = true;
      # Prioritize performance over efficiency
      powerManagement.cpuFreqGovernor = "performance";
      # Allow firmware updates
      hardware.cpu.amd.updateMicrocode = true;
      # Helps reduce GPU fan noise under idle loads
      hardware.fancontrol.enable = true;
      hardware.fancontrol.config = ''
        # Configuration file generated by pwmconfig, changes will be lost
@ -52,35 +39,28 @@ inputs.nixpkgs.lib.nixosSystem {
        MAXPWM=hwmon0/pwm1=240
      '';
      # File systems must be declared in order to boot
      # This is the root filesystem containing NixOS
      fileSystems."/" = {
        device = "/dev/disk/by-label/nixos";
        fsType = "ext4";
      };
      # This is the boot filesystem for Grub
      fileSystems."/boot" = {
        device = "/dev/disk/by-label/boot";
        fsType = "vfat";
      };
-      # Secrets must be prepared ahead before deploying
+      # Must be prepared ahead
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
+      identityFile = "/home/${globals.user}/.ssh/id_ed25519";
      passwordHash = self.inputs.nixpkgs.lib.fileContents ../../password.sha512;
      # Theming
      # Turn on all features related to desktop and graphical applications
      gui.enable = true;
      # Set the system-wide theme, also used for non-graphical programs
      theme = {
        colors = (import ../../colorscheme/gruvbox-dark).dark;
        dark = true;
      };
-      wallpaper = "${inputs.wallpapers}/gruvbox/road.jpg";
+      wallpaper = "${self.inputs.wallpapers}/gruvbox/road.jpg";
-      gtk.theme.name = inputs.nixpkgs.lib.mkDefault "Adwaita-dark";
+      gtk.theme.name = self.inputs.nixpkgs.lib.mkDefault "Adwaita-dark";
      # Programs and services
      charm.enable = true;
@ -99,22 +79,17 @@ inputs.nixpkgs.lib.nixosSystem {
      keybase.enable = true;
      mullvad.enable = false;
      nixlang.enable = true;
      rust.enable = true;
      yt-dlp.enable = true;
      gaming = {
        dwarf-fortress.enable = true;
        enable = true;
        steam.enable = true;
-        legendary.enable = false; # Electron marked as insecure
+        legendary.enable = true;
        lutris.enable = true;
        leagueoflegends.enable = true;
        ryujinx.enable = true;
      };
      services.vmagent.enable = true; # Enables Prometheus metrics
      services.openssh.enable =
        true; # Required for Cloudflare tunnel and identity file
      # Allows private remote access over the internet
      cloudflareTunnel = {
        enable = true;
        id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
@ -123,11 +98,6 @@ inputs.nixpkgs.lib.nixosSystem {
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPY6C0HmdFCaxYtJxFr3qV4/1X4Q8KrYQ1hlme3u1hJXK+xW+lc9Y9glWHrhiTKilB7carYTB80US0O47gI5yU4= open-ssh-ca@cloudflareaccess.org";
      };
      # Allows requests to force machine to wake up
      # This network interface might change, needs to be set specifically for each machine.
      # Or set usePredictableInterfaceNames = false
      networking.interfaces.enp5s0.wakeOnLan.enable = true;
    }
  ];
 }
--- a/misc/README.md
+++ b/misc/README.md
@ -1,21 +0,0 @@
 # Miscellaneous
 These files contain important data sourced by the configuration, or simply
 information to store for safekeeping later.
 ---
 Creating hashed password for [password.sha512](./password.sha512):
 ```
 mkpasswd -m sha-512
 ```
 ---
 Getting key for [public-keys](./public-keys):
 ```
 ssh-keyscan -t ed25519 <hostname>
 ```
--- a/misc/libratbag-profile
+++ b/misc/libratbag-profile
@ -1,23 +0,0 @@
 Profile 1: (active)
 Name: n/a
 Report Rate: 1000Hz
 Resolutions:
  0: 400dpi (active) (default)
  1: 800dpi
  2: 1600dpi
  3: 2400dpi
  4: 0dpi
 Button: 0 is mapped to 'button 1'
 Button: 1 is mapped to 'button 2'
 Button: 2 is mapped to 'button 3'
 Button: 3 is mapped to 'button 4'
 Button: 4 is mapped to 'button 5'
 Button: 5 is mapped to macro '↕F11'
 Button: 6 is mapped to macro '↕VOLUMEDOWN'
 Button: 7 is mapped to macro '↕VOLUMEUP'
 Button: 8 is mapped to 'unknown'
 Button: 9 is mapped to 'wheel-right'
 Button: 10 is mapped to 'wheel-left'
 LED: 0, depth: monochrome, mode: on, color: 000000
 LED: 1, depth: monochrome, mode: on, color: 000000
 LED: 2, depth: monochrome, mode: on, color: 000000
--- a/modules/README.md
+++ b/modules/README.md
@ -5,5 +5,4 @@
 | [common](./common/default.nix) | User programs and OS-agnostic configuration |
 | [darwin](./darwin/default.nix) | macOS-specific configuration                |
 | [nixos](./nixos/default.nix)   | NixOS-specific configuration                |
 | [wsl](./wsl/default.nix)       | WSL-specific configuration                  |
--- a/modules/common/applications/firefox.nix
+++ b/modules/common/applications/firefox.nix
@ -16,7 +16,6 @@
    unfreePackages = [
      (lib.mkIf config._1password.enable "onepassword-password-manager")
      "okta-browser-plugin"
      "wappalyzer"
    ];
    home-manager.users.${config.user} = {
@ -43,6 +42,7 @@
            darkreader
            snowflake
            don-t-fuck-with-paste
            i-dont-care-about-cookies
            wappalyzer
          ];
          settings = {
@ -73,9 +73,6 @@
            "media.ffmpeg.vaapi.enabled" =
              true; # Enable hardware video acceleration
            "cookiebanners.ui.desktop.enabled" = true; # Reject cookie popups
            "devtools.command-button-screenshot.enabled" =
              true; # Scrolling screenshot of entire page
            "svg.context-properties.content.enabled" = true; # Sidebery styling
          };
          userChrome = ''
            :root {
@ -116,7 +113,7 @@
              background-color: ${config.theme.colors.base00};
              color: ${config.theme.colors.base06} !important;
            }
-            .tab-content[selected] {
+            .tab-content[selected=true] {
              border-bottom: 2px solid color-mix(in srgb, var(--identity-tab-color) 25%, transparent);
              background-color: ${config.theme.colors.base01} !important;
              color: ${config.theme.colors.base07} !important;
--- a/modules/common/applications/kitty.nix
+++ b/modules/common/applications/kitty.nix
@ -28,22 +28,13 @@
      programs.rofi.terminal =
        lib.mkIf pkgs.stdenv.isLinux "${pkgs.kitty}/bin/kitty";
      # Display images in the terminal
      programs.fish.shellAliases = {
        icat = "kitty +kitten icat";
        ssh = "kitty +kitten ssh";
      };
      programs.kitty = {
        enable = true;
        environment = { };
        extraConfig = "";
        font.size = 14;
        keybindings = {
          # Use shift+enter to complete text suggestions in fish
          "shift+enter" = "send_text all \\x1F";
          # Easy fullscreen toggle (for macOS)
          "super+f" = "toggle_fullscreen";
        };
        settings = {
@ -94,6 +85,7 @@
          # Scrollback
          scrolling_lines = 10000;
          scrollback_pager_history_size = 10; # MB
          scrollback_pager = "${pkgs.neovim}/bin/nvim -c 'normal G'";
          # Window
          window_padding_width = 6;
@ -101,7 +93,7 @@
          tab_bar_edge = "top";
          tab_bar_style = "slant";
-          # Disable audio
+          # Audio
          enable_audio_bell = false;
        };
      };
--- a/modules/common/applications/media.nix
+++ b/modules/common/applications/media.nix
@ -22,8 +22,8 @@
        enable = true;
        bindings = { };
        config = {
-          image-display-duration = 2; # For cycling through images
+          image-display-duration = 2;
-          hwdec = "auto-safe"; # Attempt to use GPU decoding for video
+          hwdec = "auto-safe";
        };
        scripts = [
@ -31,11 +31,25 @@
          pkgs.mpvScripts.autoload
          # Delete current file after quitting
-          pkgs.mpvScripts.mpv-delete-file
+          (pkgs.stdenv.mkDerivation rec {
            pname = "mpv-delete-file";
            version = "0.1"; # made-up
            src = pkgs.fetchFromGitHub {
              owner = "zenyd";
              repo = "mpv-scripts";
              rev = "19ea069abcb794d1bf8fac2f59b50d71ab992130";
              sha256 = "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=";
            } + "/delete_file.lua";
            dontBuild = true;
            dontUnpack = true;
            installPhase =
              "install -Dm644 ${src} $out/share/mpv/scripts/delete_file.lua";
            passthru.scriptName = "delete_file.lua";
          })
        ];
      };
-      # Set default programs for opening PDFs and other media
+      # Set default for opening PDFs
      xdg.mimeApps = {
        associations.added = {
          "application/pdf" = [ "pwmt.zathura-cb.desktop" ];
--- a/modules/common/applications/obsidian.nix
+++ b/modules/common/applications/obsidian.nix
@ -15,9 +15,8 @@
      home.packages = with pkgs; [ obsidian ];
    };
-    # Broken on 2023-12-11
+    # Broken on 2023-04-16
-    # https://forum.obsidian.md/t/electron-25-is-now-eol-please-upgrade-to-a-newer-version/72878/8
+    nixpkgs.config.permittedInsecurePackages = [ "electron-21.4.0" ];
    nixpkgs.config.permittedInsecurePackages = [ "electron-25.9.0" ];
  };
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@ -59,7 +59,7 @@
    };
    dotfilesRepo = lib.mkOption {
      type = lib.types.str;
-      description = "Link to dotfiles repository HTTPS URL.";
+      description = "Link to dotfiles repository.";
    };
    unfreePackages = lib.mkOption {
      type = lib.types.listOf lib.types.str;
@ -75,18 +75,10 @@
        type = lib.types.str;
        description = "Hostname for metrics server.";
      };
      paperless = lib.mkOption {
        type = lib.types.str;
        description = "Hostname for document server (paperless-ngx).";
      };
      prometheus = lib.mkOption {
        type = lib.types.str;
        description = "Hostname for Prometheus server.";
      };
      influxdb = lib.mkOption {
        type = lib.types.str;
        description = "Hostname for InfluxDB2 server.";
      };
      secrets = lib.mkOption {
        type = lib.types.str;
        description = "Hostname for passwords and secrets (Vaultwarden).";
--- a/modules/common/mail/default.nix
+++ b/modules/common/mail/default.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
-  imports = [ ./himalaya.nix ./aerc.nix ./system.nix ];
+  imports = [ ./himalaya.nix ./aerc.nix ];
  options = {
    mail.enable = lib.mkEnableOption "Mail service.";
@ -27,32 +27,15 @@
    home-manager.users.${config.user} = {
      programs.mbsync = { enable = true; };
      # Automatically check for mail and keep files synced locally
      services.mbsync = lib.mkIf pkgs.stdenv.isLinux {
        enable = true;
        frequency = "*:0/5";
        postExec = "${pkgs.notmuch}/bin/notmuch new";
      };
      # Used to watch for new mail and trigger sync
      services.imapnotify.enable = pkgs.stdenv.isLinux;
-
+      programs.notmuch.enable = true;
      # Allows sending email from CLI/sendmail
      programs.msmtp.enable = true;
      # Better local mail search
      programs.notmuch = {
        enable = true;
        new.ignore =
          [ ".mbsyncstate.lock" ".mbsyncstate.journal" ".mbsyncstate.new" ];
      };
      accounts.email = {
        # Where email files are stored
        maildirBasePath = "${config.homePath}/mail";
        accounts = {
          home = let address = "${config.mail.user}@${config.mail.server}";
          in {
@ -65,17 +48,13 @@
              "hey"
              "admin"
            ];
            # Options for contact completion
            alot = { };
-
+            flavor = "plain";
            imap = {
              host = config.mail.imapHost;
              port = 993;
              tls.enable = true;
            };
            # Watch for mail and run notifications or sync
            imapnotify = {
              enable = true;
              boxes = [ "Inbox" ];
@ -84,11 +63,7 @@
                config.home-manager.users.${config.user}.services.dunst.enable
                "${pkgs.libnotify}/bin/notify-send 'New mail arrived'";
            };
            # Name of the directory in maildir for this account
            maildir = { path = "main"; };
            # Bi-directional syncing options for local files
            mbsync = {
              enable = true;
              create = "both";
@ -99,17 +74,12 @@
                CopyArrivalDate = "yes"; # Sync time of original message
              };
            };
            # Enable indexing
            notmuch.enable = true;
            # Used to login and send and receive emails
            passwordCommand =
-              "${pkgs.age}/bin/age --decrypt --identity ~/.ssh/id_ed25519 ${
+              "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
                pkgs.writeText "mailpass.age"
                (builtins.readFile ../../../private/mailpass.age)
              }";
            smtp = {
              host = config.mail.smtpHost;
              port = 465;
--- a/modules/common/mail/system.nix
+++ b/modules/common/mail/system.nix
@ -1,34 +0,0 @@
 { config, pkgs, lib, ... }: {
  config = lib.mkIf (config.mail.enable || config.server) {
    home-manager.users.${config.user} = {
      programs.msmtp.enable = true;
      # The system user for sending automatic notifications
      accounts.email.accounts.system =
        let address = "system@${config.mail.server}";
        in {
          userName = address;
          realName = "NixOS System";
          primary = !config.mail.enable; # Only primary if mail not enabled
          inherit address;
          passwordCommand =
            "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
              pkgs.writeText "mailpass-system.age"
              (builtins.readFile ../../../private/mailpass-system.age)
            }";
          msmtp.enable = true;
          smtp = {
            host = config.mail.smtpHost;
            port = 465;
            tls.enable = true;
          };
        };
    };
  };
 }
--- a/modules/common/neovim/config/align.nix
+++ b/modules/common/neovim/config/align.nix
@ -1,7 +1,4 @@
 { pkgs, ... }: {
  # Plugin for aligning text programmatically
  plugins = [ pkgs.vimPlugins.tabular ];
  lua = ''
    -- Align
--- a/modules/common/neovim/config/bufferline.nix
+++ b/modules/common/neovim/config/bufferline.nix
@ -1,7 +1,4 @@
 { pkgs, ... }: {
  # Shows buffers in a VSCode-style tab layout
  plugins = [
    pkgs.vimPlugins.bufferline-nvim
    pkgs.vimPlugins.vim-bbye # Better closing of buffers
--- a/modules/common/neovim/config/colors.nix
+++ b/modules/common/neovim/config/colors.nix
@ -1,7 +1,5 @@
 { pkgs, lib, config, ... }: {
  # Sets Neovim colors based on Nix colorscheme
  options.colors = lib.mkOption {
    type = lib.types.attrsOf lib.types.str;
    description = "Attrset of base16 colorscheme key value pairs.";
--- a/modules/common/neovim/config/completion.nix
+++ b/modules/common/neovim/config/completion.nix
@ -24,14 +24,12 @@
      end
    '';
    # Enable Luasnip snippet completion
    snippet.expand = dsl.rawLua ''
      function(args)
          require("luasnip").lsp_expand(args.body)
      end
    '';
    # Basic completion keybinds
    mapping = {
      "['<C-n>']" = dsl.rawLua
        "require('cmp').mapping.select_next_item({ behavior = require('cmp').SelectBehavior.Insert })";
@ -66,26 +64,24 @@
      '';
    };
    # These are where the completion engine gets its suggestions
    sources = [
-      { name = "nvim_lua"; } # Fills in common Neovim lua functions
+      { name = "nvim_lua"; }
-      { name = "nvim_lsp"; } # LSP results
+      { name = "nvim_lsp"; }
-      { name = "luasnip"; } # Snippets
+      { name = "luasnip"; }
-      { name = "path"; } # Shell completion from current PATH
+      { name = "path"; }
      {
-        name = "buffer"; # Grep for text from the current text buffer
+        name = "buffer";
        keyword_length = 3;
        max_item_count = 10;
      }
      {
-        name = "rg"; # Grep for text from the current directory
+        name = "rg";
        keyword_length = 6;
        max_item_count = 10;
        option = { additional_arguments = "--ignore-case"; };
      }
    ];
    # Styling of the completion menu
    formatting = {
      fields = [ "kind" "abbr" "menu" ];
      format = dsl.rawLua ''
--- a/modules/common/neovim/config/github.lua
+++ b/modules/common/neovim/config/github.lua
@ -1,14 +0,0 @@
 -- Keymap to open file in GitHub web
 vim.keymap.set("n", "<Leader>gr", ":!gh browse %<CR><CR>", { silent = true })
 -- Pop a terminal to watch the current run
 local gitwatch =
    require("toggleterm.terminal").Terminal:new({ cmd = "fish --interactive --init-command 'gh run watch'" })
 -- Set a toggle for this terminal
 function GITWATCH_TOGGLE()
    gitwatch:toggle()
 end
 -- Keymap to toggle the run
 vim.keymap.set("n", "<Leader>gw", GITWATCH_TOGGLE)
--- a/modules/common/neovim/config/kubernetes.lua
+++ b/modules/common/neovim/config/kubernetes.lua
@ -1,6 +0,0 @@
 local k9s = require("toggleterm.terminal").Terminal:new({ cmd = "k9s" })
 function K9S_TOGGLE()
    k9s:toggle()
 end
 vim.keymap.set("n", "<Leader>9", K9S_TOGGLE)
--- a/modules/common/neovim/config/lsp.nix
+++ b/modules/common/neovim/config/lsp.nix
@ -1,63 +1,28 @@
-{ pkgs, lib, config, dsl, ... }: {
+{ pkgs, dsl, ... }: {
  # Terraform optional because non-free
  options.terraform = lib.mkEnableOption "Whether to enable Terraform LSP";
  options.github = lib.mkEnableOption "Whether to enable GitHub features";
  options.kubernetes =
    lib.mkEnableOption "Whether to enable Kubernetes features";
  config =
    let
      terraformFormat = if config.terraform then ''
        require("null-ls").builtins.formatting.terraform_fmt.with({
            command = "${pkgs.terraform}/bin/terraform",
            extra_filetypes = { "hcl" },
        }),
      '' else
        "";
    in {
  plugins = [
    pkgs.vimPlugins.nvim-lspconfig
    pkgs.vimPlugins.lsp-colors-nvim
    pkgs.vimPlugins.null-ls-nvim
        pkgs.vimPlugins.fidget-nvim
  ];
      setup.fidget = { };
  use.lspconfig.lua_ls.setup = dsl.callWith {
    settings = { Lua = { diagnostics = { globals = [ "vim" "hs" ]; }; }; };
-        capabilities =
+    capabilities = dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
          dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
    cmd = [ "${pkgs.lua-language-server}/bin/lua-language-server" ];
  };
  use.lspconfig.nil_ls.setup = dsl.callWith {
    cmd = [ "${pkgs.nil}/bin/nil" ];
-        capabilities =
+    capabilities = dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
          dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
  };
  use.lspconfig.pyright.setup = dsl.callWith {
    cmd = [ "${pkgs.pyright}/bin/pyright-langserver" "--stdio" ];
  };
-      use.lspconfig.terraformls.setup = dsl.callWith {
+  use.lspconfig.terraformls.setup =
-        cmd = if config.terraform then [
+    dsl.callWith { cmd = [ "${pkgs.terraform-ls}/bin/terraform-ls" "serve" ]; };
          "${pkgs.terraform-ls}/bin/terraform-ls"
          "serve"
        ] else
          [ "echo" ];
      };
      use.lspconfig.rust_analyzer.setup = dsl.callWith {
        cmd = [ "${pkgs.rust-analyzer}/bin/rust-analyzer" ];
        settings = {
          "['rust-analyzer']" = { check = { command = "clippy"; }; };
        };
      };
  vim.api.nvim_create_augroup = dsl.callWith [ "LspFormatting" { } ];
@ -80,7 +45,10 @@
                command = "${pkgs.shfmt}/bin/shfmt",
                extra_args = { "-i", "4", "-ci" },
            }),
-                ${terraformFormat}
+            require("null-ls").builtins.formatting.terraform_fmt.with({
                command = "${pkgs.terraform}/bin/terraform",
                extra_filetypes = { "hcl" },
            }),
        },
        on_attach = function(client, bufnr)
@ -105,6 +73,4 @@
    })
  '';
    };
 }
--- a/modules/common/neovim/config/misc.nix
+++ b/modules/common/neovim/config/misc.nix
@ -7,14 +7,11 @@
    pkgs.vimPlugins.comment-nvim # Smart comment commands
    pkgs.vimPlugins.glow-nvim # Markdown preview popup
    pkgs.vimPlugins.nvim-colorizer-lua # Hex color previews
    pkgs.vimPlugins.which-key-nvim # Keybind helper
  ];
  # Initialize some plugins
  setup.Comment = { };
-  setup.colorizer = { user_default_options = { names = false; }; };
+  setup.colorizer = { };
  setup.glow = { };
  setup.which-key = { };
  vim.o = {
    termguicolors = true; # Set to truecolor
@ -44,17 +41,11 @@
    relativenumber = true; # Relative numbers instead of absolute
  };
  # For which-key-nvim
  vim.o.timeout = true;
  vim.o.timeoutlen = 300;
  # Better backup, swap and undo storage
  vim.o.backup = true; # Easier to recover and more secure
  vim.bo.swapfile = false; # Instead of swaps, create backups
  vim.bo.undofile = true; # Keeps undos after quit
-  vim.o.backupdir =
+  vim.o.backupdir = dsl.rawLua ''vim.fn.stdpath("cache") .. "/backup"'';
    dsl.rawLua ''vim.fn.expand("~/.local/state/nvim/backup//")'';
  vim.o.undodir = dsl.rawLua ''vim.fn.expand("~/.local/state/nvim/undo//")'';
  # Required for nvim-cmp completion
  vim.opt.completeopt = [ "menu" "menuone" "noselect" ];
@ -69,6 +60,10 @@
    " Remember last position when reopening file
    au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$") | exe "normal! g`\"" | endif
    " LaTeX options
    au FileType tex inoremap ;bf \textbf{}<Esc>i
    au BufWritePost *.tex silent! execute "!pdflatex -output-directory=%:p:h % >/dev/null 2>&1" | redraw!
    " Flash highlight when yanking
    au TextYankPost * silent! lua vim.highlight.on_yank { timeout = 250 }
  '';
--- a/modules/common/neovim/config/syntax.nix
+++ b/modules/common/neovim/config/syntax.nix
@ -4,7 +4,6 @@
    (pkgs.vimPlugins.nvim-treesitter.withPlugins (_plugins:
      with pkgs.tree-sitter-grammars; [
        tree-sitter-bash
        # tree-sitter-c
        tree-sitter-fish
        tree-sitter-hcl
        tree-sitter-ini
@ -23,9 +22,7 @@
    pkgs.vimPlugins.playground # Tree-sitter experimenting
    pkgs.vimPlugins.nginx-vim
    pkgs.vimPlugins.vim-helm
-    pkgs.baleia-nvim # Clean ANSI from kitty scrollback
+    (pkgs.vimUtils.buildVimPluginFrom2Nix {
    # pkgs.hmts-nvim # Tree-sitter injections for home-manager
    (pkgs.vimUtils.buildVimPlugin {
      pname = "nmasur";
      version = "0.1";
      src = ../plugin;
--- a/modules/common/neovim/config/telescope.nix
+++ b/modules/common/neovim/config/telescope.nix
@ -1,7 +1,5 @@
 { pkgs, dsl, ... }: {
  # Telescope is a fuzzy finder that can work with different sub-plugins
  plugins = [
    pkgs.vimPlugins.telescope-nvim
    pkgs.vimPlugins.project-nvim
--- a/modules/common/neovim/config/toggleterm.lua
+++ b/modules/common/neovim/config/toggleterm.lua
@ -12,8 +12,6 @@ vim.api.nvim_create_autocmd("TermOpen", {
    end,
 })
 -- These are all the different types of terminals we can trigger
 local terminal = require("toggleterm.terminal").Terminal
 local basicterminal = terminal:new()
@ -26,5 +24,17 @@ function NIXPKGS_TOGGLE()
    nixpkgs:toggle()
 end
 local gitwatch = terminal:new({ cmd = "fish --interactive --init-command 'gh run watch'" })
 function GITWATCH_TOGGLE()
    gitwatch:toggle()
 end
 local k9s = terminal:new({ cmd = "k9s" })
 function K9S_TOGGLE()
    k9s:toggle()
 end
 vim.keymap.set("n", "<Leader>t", TERM_TOGGLE)
 vim.keymap.set("n", "<Leader>P", NIXPKGS_TOGGLE)
 vim.keymap.set("n", "<Leader>gw", GITWATCH_TOGGLE)
 vim.keymap.set("n", "<Leader>9", K9S_TOGGLE)
--- a/modules/common/neovim/config/toggleterm.nix
+++ b/modules/common/neovim/config/toggleterm.nix
@ -1,6 +1,4 @@
-{ pkgs, dsl, config, ... }: {
+{ pkgs, dsl, ... }: {
  # Toggleterm provides a floating terminal inside the editor for quick access
  plugins = [ pkgs.vimPlugins.toggleterm-nvim ];
@ -10,10 +8,6 @@
    direction = "float";
  };
-  lua = ''
+  lua = builtins.readFile ./toggleterm.lua;
    ${builtins.readFile ./toggleterm.lua}
    ${if config.github then (builtins.readFile ./github.lua) else ""}
    ${if config.kubernetes then (builtins.readFile ./kubernetes.lua) else ""}
  '';
 }
--- a/modules/common/neovim/config/tree.nix
+++ b/modules/common/neovim/config/tree.nix
@ -1,7 +1,5 @@
 { pkgs, dsl, ... }: {
  # This plugin creates a side drawer for navigating the current project
  plugins = [ pkgs.vimPlugins.nvim-tree-lua pkgs.vimPlugins.nvim-web-devicons ];
  # Disable netrw eagerly
@ -12,16 +10,16 @@
  };
  setup.nvim-tree = {
-    disable_netrw = true; # Disable the built-in file manager
+    disable_netrw = true;
-    hijack_netrw = true; # Works as the file manager
+    hijack_netrw = true;
-    sync_root_with_cwd = true; # Change project whenever currend dir changes
+    sync_root_with_cwd = true;
-    respect_buf_cwd = true; # Change to exact location of focused buffer
+    respect_buf_cwd = true;
-    update_focused_file = { # Change project based on the focused buffer
+    update_focused_file = {
      enable = true;
      update_root = true;
      ignore_list = { };
    };
-    diagnostics = { # Enable LSP and linter integration
+    diagnostics = {
      enable = true;
      icons = {
        hint = "";
@ -30,7 +28,7 @@
        error = "";
      };
    };
-    renderer = { # Show files with changes vs. current commit
+    renderer = {
      icons = {
        glyphs = {
          git = {
@ -45,7 +43,6 @@
        };
      };
    };
    # Set keybinds and initialize program
    on_attach = dsl.rawLua ''
      function (bufnr)
        local api = require('nvim-tree.api')
@ -61,15 +58,15 @@
        vim.keymap.set('n', 'v', api.node.open.vertical, opts('Open: Vertical Split'))
      end
    '';
-    view = { # Set look and feel
+    view = {
      width = 30;
      hide_root_folder = false;
      side = "left";
      number = false;
      relativenumber = false;
    };
  };
  # Toggle the sidebar
  lua = ''
    vim.keymap.set("n", "<Leader>e", ":NvimTreeFindFileToggle<CR>", { silent = true })
  '';
--- a/modules/common/neovim/default.nix
+++ b/modules/common/neovim/default.nix
@ -5,9 +5,6 @@ let
  neovim = import ./package {
    inherit pkgs;
    colors = config.theme.colors;
    terraform = config.terraform.enable;
    github = true;
    kubernetes = config.kubernetes.enable;
  };
 in {
@ -21,17 +18,11 @@ in {
        home.packages = [ neovim ];
        # Use Neovim as the editor for git commit messages
        programs.git.extraConfig.core.editor = "nvim";
        programs.jujutsu.settings.ui.editor = "nvim";
        # Set Neovim as the default app for text editing and manual pages
        home.sessionVariables = {
          EDITOR = "nvim";
          MANPAGER = "nvim +Man!";
        };
        # Create quick aliases for launching Neovim
        programs.fish = {
          shellAliases = { vim = "nvim"; };
          shellAbbrs = {
@ -40,20 +31,12 @@ in {
            vll = "nvim -c 'Telescope oldfiles'";
          };
        };
        programs.kitty.settings.scrollback_pager = lib.mkForce ''
          ${neovim}/bin/nvim -c 'setlocal nonumber nolist showtabline=0 foldcolumn=0|Man!' -c "autocmd VimEnter * normal G" -'';
        # Set Neovim as the kitty terminal "scrollback" (vi mode) option.
        # Requires removing some of the ANSI escape codes that are sent to the
        # scrollback using sed and baleia, as well as removing several
        # unnecessary features.
        programs.kitty.settings.scrollback_pager = ''
          $SHELL -c 'sed -r "s/[[:cntrl:]]\]133;[AC]..//g" | ${neovim}/bin/nvim -c "setlocal nonumber norelativenumber nolist laststatus=0" -c "lua baleia = require(\"baleia\").setup({}); baleia.once(0)" -c "map <silent> q :qa!<CR>" -c "autocmd VimEnter * normal G"' '';
        # Create a desktop option for launching Neovim from a file manager
        # (Requires launching the terminal and then executing Neovim)
        xdg.desktopEntries.nvim = lib.mkIf pkgs.stdenv.isLinux {
          name = "Neovim wrapper";
          exec = "kitty nvim %F";
          mimeType = [ "text/plain" "text/markdown" ];
        };
        xdg.mimeApps.defaultApplications = lib.mkIf pkgs.stdenv.isLinux {
          "text/plain" = [ "nvim.desktop" ];
@ -62,6 +45,9 @@ in {
      };
    # # Used for icons in Vim
    # fonts.fonts = with pkgs; [ nerdfonts ];
  };
 }
--- a/modules/common/neovim/lua/keybinds.lua
+++ b/modules/common/neovim/lua/keybinds.lua
@ -39,6 +39,7 @@ key("n", "<Leader>fs", ":write<CR>")
 key("n", "<Leader>fd", ":lcd %:p:h<CR>", { silent = true })
 key("n", "<Leader>fu", ":lcd ..<CR>", { silent = true })
 key("n", "<Leader><Tab>", ":b#<CR>", { silent = true })
 key("n", "<Leader>gr", ":!gh repo view -w<CR><CR>", { silent = true })
 key("n", "<Leader>tt", [[<Cmd>exe 'edit $NOTES_PATH/journal/'.strftime("%Y-%m-%d_%a").'.md'<CR>]])
 key("n", "<Leader>jj", ":!journal<CR>:e<CR>")
@ -64,12 +65,6 @@ key("n", "<C-Down>", ":resize -2<CR>", { silent = true })
 key("n", "<C-Left>", ":vertical resize -2<CR>", { silent = true })
 key("n", "<C-Right>", ":vertical resize +2<CR>", { silent = true })
 -- Quickfix
 key("n", "]q", ":cnext<CR>")
 key("n", "[q", ":cprevious<CR>")
 key("n", "co", ":copen<CR>")
 key("n", "cq", ":cclose<CR>")
 -- Other
 key("n", "<A-CR>", ":noh<CR>", { silent = true })           --- Clear search in VimWiki
 key("n", "Y", "y$")                                         --- Copy to end of line
--- a/modules/common/neovim/package/default.nix
+++ b/modules/common/neovim/package/default.nix
@ -26,13 +26,13 @@
 #   ] ++ extraConfig;
 # }
-{ pkgs, colors, terraform ? false, github ? false, kubernetes ? false, ... }:
+{ pkgs, colors, ... }:
 # Comes from nix2vim overlay:
 # https://github.com/gytis-ivaskevicius/nix2vim/blob/master/lib/neovim-builder.nix
 pkgs.neovimBuilder {
  package = pkgs.neovim-unwrapped;
-  inherit colors terraform github kubernetes;
+  inherit colors;
  imports = [
    ../config/align.nix
    ../config/bufferline.nix
--- a/modules/common/programming/default.nix
+++ b/modules/common/programming/default.nix
@ -6,7 +6,6 @@
    ./lua.nix
    ./nix.nix
    ./python.nix
    ./rust.nix
    ./terraform.nix
  ];
--- a/modules/common/programming/rust.nix
+++ b/modules/common/programming/rust.nix
@ -1,17 +0,0 @@
 { config, pkgs, lib, ... }: {
  options.rust.enable = lib.mkEnableOption "Rust programming language.";
  config = lib.mkIf config.rust.enable {
    home-manager.users.${config.user} = {
      programs.fish.shellAbbrs = { ca = "cargo"; };
      home.packages = with pkgs; [ cargo rustc clippy gcc ];
    };
  };
 }
--- a/modules/common/programming/terraform.nix
+++ b/modules/common/programming/terraform.nix
@ -3,7 +3,6 @@
  options.terraform.enable = lib.mkEnableOption "Terraform tools.";
  config = lib.mkIf config.terraform.enable {
    unfreePackages = [ "terraform" ];
    home-manager.users.${config.user} = {
      programs.fish.shellAbbrs = {
--- a/modules/common/repositories/dotfiles.nix
+++ b/modules/common/repositories/dotfiles.nix
@ -1,7 +1,5 @@
 { config, pkgs, lib, ... }: {
  # Allows me to make sure I can work on my dotfiles locally
  options.dotfiles.enable = lib.mkEnableOption "Clone dotfiles.";
  config = lib.mkIf config.dotfiles.enable {
@ -16,8 +14,13 @@
          [ "writeBoundary" ] ''
            if [ ! -d "${config.dotfilesPath}" ]; then
                $DRY_RUN_CMD mkdir --parents $VERBOSE_ARG $(dirname "${config.dotfilesPath}")
-                $DRY_RUN_CMD ${pkgs.git}/bin/git \
+
-                    clone ${config.dotfilesRepo} "${config.dotfilesPath}"
+                # Force HTTPS because anonymous SSH doesn't work
                GIT_CONFIG_COUNT=1 \
                    GIT_CONFIG_KEY_0="url.https://github.com/.insteadOf" \
                    GIT_CONFIG_VALUE_0="git@github.com:" \
                    $DRY_RUN_CMD \
                    ${pkgs.git}/bin/git clone ${config.dotfilesRepo} "${config.dotfilesPath}"
            fi
          '';
--- a/modules/common/repositories/notes.nix
+++ b/modules/common/repositories/notes.nix
@ -1,8 +1,5 @@
 { config, ... }: {
  # This is just a placeholder as I expect to interact with my notes in a
  # certain location
  home-manager.users.${config.user} = {
    home.sessionVariables = {
--- a/modules/common/shell/bash/scripts/docker-cleanup.sh
+++ b/modules/common/shell/bash/scripts/docker-cleanup.sh
@ -1,26 +0,0 @@
 #!/bin/sh
 # Stop all containers
 if [ "$(docker ps -a -q)" ]; then
    echo "Stopping docker containers..."
    docker stop "$(docker ps -a -q)"
 else
    echo "No running docker containers."
 fi
 # Remove all stopped containers
 if [ "$(docker ps -a -q)" ]; then
    echo "Removing docker containers..."
    docker rm "$(docker ps -a -q)"
 else
    echo "No stopped docker containers."
 fi
 # Remove all untagged images
 if docker images | grep -q "^<none>"; then
    docker rmi "$(docker images | grep "^<none>" | awk '{print $3}')"
 else
    echo "No untagged docker images."
 fi
 echo "Cleaned up docker."
--- a/modules/common/shell/charm.nix
+++ b/modules/common/shell/charm.nix
@ -1,7 +1,5 @@
 { config, pkgs, lib, ... }: {
  # Convenience utilities from charm.sh
  options.charm.enable = lib.mkEnableOption "Charm utilities.";
  config.home-manager.users.${config.user} = lib.mkIf config.charm.enable {
@ -10,7 +8,6 @@
      glow # Markdown previews
      skate # Key-value store
      charm # Manage account and filesystem
      pop # Send emails from a TUI
    ];
  };
--- a/modules/common/shell/default.nix
+++ b/modules/common/shell/default.nix
@ -7,7 +7,6 @@
    ./fzf.nix
    ./git.nix
    ./github.nix
    ./jujutsu.nix
    ./nixpkgs.nix
    ./starship.nix
    ./utilities.nix
--- a/modules/common/shell/direnv.nix
+++ b/modules/common/shell/direnv.nix
@ -1,28 +1,11 @@
 { config, ... }: {
  # Enables quickly entering Nix shells when changing directories
  home-manager.users.${config.user}.programs.direnv = {
    enable = true;
    nix-direnv.enable = true;
    config = { whitelist = { prefix = [ config.dotfilesPath ]; }; };
  };
  # programs.direnv.direnvrcExtra = ''
  #   layout_postgres() {
  #       export PGDATA="$(direnv_layout_dir)/postgres"
  #       export PGHOST="$PGDATA"
  #
  #       if [[ ! -d "PGDATA" ]]; then
  #           initdb
  #           cat >> "$PGDATA/postgres.conf" <<- EOF
  #                   listen_addresses = '''
  #                   unix_socket_directories = '$PGHOST'
  #           EOF
  #           echo "CREATE DATABASE $USER;" | postgres --single -E postgres
  #       fi
  #   }
  # '';
  # Prevent garbage collection
  nix.extraOptions = ''
    keep-outputs = true
--- a/modules/common/shell/fish/default.nix
+++ b/modules/common/shell/fish/default.nix
@ -1,24 +1,19 @@
 { config, pkgs, lib, ... }: {
  users.users.${config.user}.shell = pkgs.fish;
-  programs.fish.enable = true; # Needed for LightDM to remember username
+  programs.fish.enable =
    true; # Needed for LightDM to remember username (TODO: fix)
  home-manager.users.${config.user} = {
    # Packages used in abbreviations and aliases
-    home.packages = with pkgs; [ curl ];
+    home.packages = with pkgs; [ curl exa ];
    programs.fish = {
      enable = true;
      shellAliases = {
        # Version of bash which works much better on the terminal
        bash = "${pkgs.bashInteractive}/bin/bash";
-
+        ls = "exa";
        # Use eza (exa) instead of ls for fancier output
        ls = "${pkgs.eza}/bin/eza --group";
        # Move files to XDG trash on the commandline
        trash = lib.mkIf pkgs.stdenv.isLinux "${pkgs.trash-cli}/bin/trash-put";
      };
      functions = {
@ -123,6 +118,9 @@
        dr = "docker run --rm -it";
        db = "docker build . -t";
        # Rust
        ca = "cargo";
      };
      shellInit = "";
    };
--- a/modules/common/shell/fzf.nix
+++ b/modules/common/shell/fzf.nix
@ -1,7 +1,5 @@
 { config, ... }: {
  # FZF is a fuzzy-finder for the terminal
  home-manager.users.${config.user} = {
    programs.fzf.enable = true;
--- a/modules/common/shell/git.nix
+++ b/modules/common/shell/git.nix
@ -58,7 +58,6 @@ in {
          git switch (git symbolic-ref refs/remotes/origin/HEAD | cut -d"/" -f4)'';
        gcob = "git switch -c";
        gb = "git branch";
        gpd = "git push origin -d";
        gbd = "git branch -d";
        gbD = "git branch -D";
        gr = "git reset";
--- a/modules/common/shell/github.nix
+++ b/modules/common/shell/github.nix
@ -5,9 +5,8 @@
    programs.gh =
      lib.mkIf config.home-manager.users.${config.user}.programs.git.enable {
        enable = true;
-        gitCredentialHelper.enable = true;
+        enableGitCredentialHelper = true;
        settings.git_protocol = "https";
        extensions = [ pkgs.gh-collaborators ];
      };
    programs.fish =
@ -15,7 +14,7 @@
        shellAbbrs = {
          ghr = "gh repo view -w";
          gha =
-            "gh run list | head -1 | awk '{ print \\$\\(NF-2\\) }' | xargs gh run view";
+            "gh run list | head -1 | awk '{ print $(NF-2) }' | xargs gh run view";
          grw = "gh run watch";
          grf = "gh run view --log-failed";
          grl = "gh run view --log";
--- a/modules/common/shell/jujutsu.nix
+++ b/modules/common/shell/jujutsu.nix
@ -1,21 +0,0 @@
 { config, ... }: {
  config = {
    home-manager.users.${config.user}.programs.jujutsu = {
      enable = true;
      enableFishIntegration = true;
      # https://github.com/martinvonz/jj/blob/main/docs/config.md
      settings = {
        user = {
          name = config.home-manager.users.${config.user}.programs.git.userName;
          email =
            config.home-manager.users.${config.user}.programs.git.userEmail;
        };
      };
    };
  };
 }
--- a/modules/common/shell/nixpkgs.nix
+++ b/modules/common/shell/nixpkgs.nix
@ -73,9 +73,6 @@
      path = builtins.toString pkgs.path;
    };
    # For security, only allow specific users
    settings.allowed-users = [ "@wheel" config.user ];
  };
 }
--- a/modules/common/shell/utilities.nix
+++ b/modules/common/shell/utilities.nix
@ -23,7 +23,6 @@ in {
        dig # DNS lookup
        fd # find
        htop # Show system processes
        killall # Force quit
        inetutils # Includes telnet, whois
        jq # JSON manipulation
        lf # File viewer
@ -35,9 +34,6 @@ in {
        tree # View directory hierarchy
        vimv-rs # Batch rename files
        unzip # Extract zips
        dua # File sizes (du)
        du-dust # Disk usage tree (ncdu)
        duf # Basic disk information (df)
      ];
      programs.zoxide.enable = true; # Shortcut jump command
@ -56,6 +52,10 @@ in {
        };
      };
      programs.fish.shellAbbrs = {
        cat = "bat"; # Swap cat with bat
      };
      programs.fish.functions = {
        ping = {
          description = "Improved ping";
--- a/modules/darwin/hammerspoon.nix
+++ b/modules/darwin/hammerspoon.nix
@ -20,22 +20,12 @@
        };
      xdg.configFile."hammerspoon/Spoons/MoveWindow.spoon".source =
        ./hammerspoon/Spoons/MoveWindow.spoon;
      home.activation.reloadHammerspoon =
        config.home-manager.users.${config.user}.lib.dag.entryAfter
        [ "writeBoundary" ] ''
          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.reload()"
          $DRY_RUN_CMD sleep 1
          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.console.clearConsole()"
        '';
    };
    homebrew.casks = [ "hammerspoon" ];
    system.activationScripts.postUserActivation.text = ''
      defaults write org.hammerspoon.Hammerspoon MJConfigFile "~/.config/hammerspoon/init.lua"
      sudo killall Dock
    '';
  };
--- a/modules/darwin/hammerspoon/Spoons/Launcher.spoon/init.lua
+++ b/modules/darwin/hammerspoon/Spoons/Launcher.spoon/init.lua
@ -54,19 +54,14 @@ function obj:init()
    end)
    -- Launcher shortcuts
-    self.launcher:bind("ctrl", "space", function() end)
+    self.launcher:bind("ctrl", "space", function()
    end)
    self.launcher:bind("", "return", function()
        self:switch("@kitty@")
    end)
    self.launcher:bind("", "C", function()
        self:switch("Calendar.app")
    end)
    self.launcher:bind("shift", "D", function()
        hs.execute("launchctl remove com.paloaltonetworks.gp.pangps")
        hs.execute("launchctl remove com.paloaltonetworks.gp.pangpa")
        hs.alert.show("Disconnected from GlobalProtect", nil, nil, 4)
        self.launcher:exit()
    end)
    self.launcher:bind("", "E", function()
        self:switch("Mail.app")
    end)
@ -85,12 +80,6 @@ function obj:init()
    self.launcher:bind("", "P", function()
        self:switch("System Preferences.app")
    end)
    self.launcher:bind("shift", "P", function()
        hs.execute("launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist")
        hs.execute("launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist")
        hs.alert.show("Reconnecting to GlobalProtect", nil, nil, 4)
        self.launcher:exit()
    end)
    self.launcher:bind("", "R", function()
        hs.console.clearConsole()
        hs.reload()
--- a/modules/darwin/hammerspoon/Spoons/MoveWindow.spoon/worklayout.lua
+++ b/modules/darwin/hammerspoon/Spoons/MoveWindow.spoon/worklayout.lua
@ -55,15 +55,6 @@ local function worklayout()
        local layout = concat(left, right, laptop)
        hs.layout.apply(layout)
    end)
    -- Reload Hammerspoon whenever layout changes
    hs.screen.watcher.new(function()
        -- Pause for 5 seconds to give time for layout to change
        hs.timer.doAfter(5, function()
            -- Perform the actual reload
            hs.reload()
        end)
    end)
 end
 return worklayout
--- a/modules/darwin/hammerspoon/init.lua
+++ b/modules/darwin/hammerspoon/init.lua
@ -2,4 +2,3 @@ hs.loadSpoon("ControlEscape"):start() -- Load Hammerspoon bits from https://gith
 hs.loadSpoon("Launcher"):init()
 hs.loadSpoon("DismissAlerts"):init()
 hs.loadSpoon("MoveWindow"):init()
 hs.ipc.cliInstall() -- Install Hammerspoon CLI program
--- a/modules/darwin/homebrew.nix
+++ b/modules/darwin/homebrew.nix
@ -42,7 +42,6 @@
        "obsidian" # Obsidian packaging on Nix is not available for macOS
        "scroll-reverser" # Different scroll style for mouse vs. trackpad
        "steam" # Not packaged for Nix
        "epic-games" # Not packaged for Nix
      ];
    };
--- a/modules/darwin/utilities.nix
+++ b/modules/darwin/utilities.nix
@ -11,12 +11,11 @@
      youtube-dl # Convert web videos
      pandoc # Convert text documents
      mpd # TUI slideshows
      mpv # Video player
      awscli2
      awslogs
      google-cloud-sdk
      ansible
-      vault-bin
+      vault
      consul
      noti # Create notifications programmatically
      ipcalc # Make IP network calculations
--- a/modules/nixos/applications/calibre.nix
+++ b/modules/nixos/applications/calibre.nix
@ -14,8 +14,6 @@
      home.packages = with pkgs; [ calibre ];
      # home.sessionVariables = { CALIBRE_USE_DARK_PALETTE = 1; };
    };
    # Forces Calibre to use dark mode
    environment.sessionVariables = { CALIBRE_USE_DARK_PALETTE = "1"; };
  };
 }
--- a/modules/nixos/applications/nautilus.nix
+++ b/modules/nixos/applications/nautilus.nix
@ -18,14 +18,12 @@
    home-manager.users.${config.user} = {
      # Quick button for launching nautilus
      xsession.windowManager.i3.config.keybindings = {
        "${
          config.home-manager.users.${config.user}.xsession.windowManager.i3.config.modifier
        }+n" = "exec --no-startup-id ${pkgs.gnome.nautilus}/bin/nautilus";
      };
      # Generates a QR code and previews it with sushi
      programs.fish.functions = {
        qr = {
          body =
@ -33,7 +31,7 @@
        };
      };
-      # Set Nautilus as default for opening directories
+      # Set default for opening directories
      xdg.mimeApps = {
        associations.added."inode/directory" = [ "org.gnome.Nautilus.desktop" ];
        # associations.removed = {
@ -42,7 +40,6 @@
        defaultApplications."inode/directory" =
          lib.mkBefore [ "org.gnome.Nautilus.desktop" ];
      };
    };
    # # Set default for opening directories
@ -53,13 +50,6 @@
    #     lib.mkForce [ "org.gnome.Nautilus.desktop" ];
    # };
    # Delete Trash files older than 1 week
    systemd.user.services.empty-trash = {
      description = "Empty Trash on a regular basis";
      wantedBy = [ "default.target" ];
      script = "${pkgs.trash-cli}/bin/trash-empty 7";
    };
  };
 }
--- a/modules/nixos/gaming/steam.nix
+++ b/modules/nixos/gaming/steam.nix
@ -22,15 +22,6 @@
    ];
    # Adapted in part from: https://github.com/Shawn8901/nix-configuration/blob/1c48be94238a9f463cf0bbd1e1842a4454286514/modules/nixos/steam-compat-tools/default.nix
    # Based on: https://github.com/NixOS/nixpkgs/issues/73323
    environment.sessionVariables.STEAM_EXTRA_COMPAT_TOOLS_PATHS =
      lib.makeBinPath [ pkgs.proton-ge-custom ];
    # Seems like NetworkManager can help speed up Steam launch
    # https://www.reddit.com/r/archlinux/comments/qguhco/steam_startup_time_arch_1451_seconds_fedora_34/hi8opet/
    networking.networkmanager.enable = true;
  };
 }
--- a/modules/nixos/graphical/default.nix
+++ b/modules/nixos/graphical/default.nix
@ -3,7 +3,6 @@
  imports = [
    ./dunst.nix
    ./fonts.nix
    ./gtk.nix
    ./i3.nix
    ./picom.nix
    ./polybar.nix
--- a/modules/nixos/graphical/fonts.nix
+++ b/modules/nixos/graphical/fonts.nix
@ -6,7 +6,7 @@ in {
  config = lib.mkIf (config.gui.enable && pkgs.stdenv.isLinux) {
-    fonts.packages = with pkgs; [
+    fonts.fonts = with pkgs; [
      victor-mono # Used for Vim and Terminal
      (nerdfonts.override { fonts = [ "Hack" ]; }) # For Polybar, Rofi
    ];
--- a/modules/nixos/graphical/gtk.nix
+++ b/modules/nixos/graphical/gtk.nix
@ -1,51 +0,0 @@
 { config, pkgs, lib, ... }: {
  options = {
    gtk.theme = {
      name = lib.mkOption {
        type = lib.types.str;
        description = "Theme name for GTK applications";
      };
      package = lib.mkOption {
        type = lib.types.package;
        description = "Theme package for GTK applications";
        default = pkgs.gnome-themes-extra;
      };
    };
  };
  config = lib.mkIf config.gui.enable {
    home-manager.users.${config.user} = {
      gtk = let
        gtkExtraConfig = {
          gtk-application-prefer-dark-theme = config.theme.dark;
        };
      in {
        enable = true;
        theme = {
          name = config.gtk.theme.name;
          package = config.gtk.theme.package;
        };
        gtk3.extraConfig = gtkExtraConfig;
        gtk4.extraConfig = gtkExtraConfig;
      };
    };
    # Required for setting GTK theme (for preferred-color-scheme in browser)
    services.dbus.packages = [ pkgs.dconf ];
    programs.dconf.enable = true;
    # Make the login screen dark
    services.xserver.displayManager.lightdm.greeters.gtk.theme = {
      name = config.gtk.theme.name;
      package = config.gtk.theme.package;
    };
    environment.sessionVariables = { GTK_THEME = config.gtk.theme.name; };
  };
 }
--- a/modules/nixos/graphical/i3.nix
+++ b/modules/nixos/graphical/i3.nix
@ -45,7 +45,7 @@ in {
              { class = "obsidian"; }
            ];
            "${ws3}" = [{ class = "discord"; }];
-            "${ws4}" = [ { class = "steam"; } { class = "Steam"; } ];
+            "${ws4}" = [{ class = "Steam"; }];
          };
          bars = [{ command = "echo"; }]; # Disable i3bar
          colors = let
--- a/modules/nixos/graphical/polybar.nix
+++ b/modules/nixos/graphical/polybar.nix
@ -36,7 +36,7 @@
            module-margin = 1;
            modules-left = "i3";
            modules-center = "xwindow";
-            modules-right = "mailcount network pulseaudio date keyboard power";
+            modules-right = "mailcount pulseaudio date power";
            cursor-click = "pointer";
            cursor-scroll = "ns-resize";
            enable-ipc = true;
@ -106,14 +106,8 @@
            interval = 10;
            format = "<label>";
            exec = builtins.toString (pkgs.writeShellScript "mailcount.sh" ''
-              ${pkgs.notmuch}/bin/notmuch new --quiet 2>&1>/dev/null
+              ${pkgs.notmuch}/bin/notmuch new > /dev/null
-              UNREAD=$(
+              UNREAD=$(${pkgs.notmuch}/bin/notmuch count is:inbox and is:unread and folder:main/Inbox)
                  ${pkgs.notmuch}/bin/notmuch count \
                      is:inbox and \
                      is:unread and \
                      folder:main/Inbox \
                      2>/dev/null
              )
              if [ $UNREAD = "0" ]; then
                echo ""
              else
@ -124,16 +118,6 @@
              "i3-msg 'exec --no-startup-id kitty --class aerc aerc'; sleep 0.15; i3-msg '[class=aerc] focus'";
          };
          "module/network" = {
            type = "internal/network";
            interface-type = "wired";
            interval = 3;
            accumulate-stats = true;
            format-connected = "<label-connected>";
            format-disconnected = "<label-disconnected>";
            label-connected = "";
            label-disconnected = "";
          };
          "module/pulseaudio" = {
            type = "internal/pulseaudio";
            # format-volume-prefix = "VOL ";
@ -143,10 +127,10 @@
            # label-volume-background = colors.background;
            format-volume-foreground = config.theme.colors.base0B;
            label-volume = "%percentage%%";
-            label-muted = "󰝟 ---";
+            label-muted = "ﱝ ---";
            label-muted-foreground = config.theme.colors.base03;
            ramp-volume-0 = "";
-            ramp-volume-1 = "󰕾";
+            ramp-volume-1 = "墳";
            ramp-volume-2 = "";
            click-right = config.audioSwitchCommand;
          };
@ -200,17 +184,10 @@
            label-foreground = config.theme.colors.base0A;
            # format-background = colors.background;
          };
          "module/keyboard" = {
            type = "custom/text";
            content = "󰌌";
            click-left = "doas systemctl restart keyd";
            content-foreground = config.theme.colors.base04;
          };
          "module/power" = {
            type = "custom/text";
            content = "  ";
            click-left = config.powerCommand;
            click-right = "polybar-msg cmd restart";
            content-foreground = config.theme.colors.base04;
          };
          "settings" = {
--- a/modules/nixos/graphical/rofi.nix
+++ b/modules/nixos/graphical/rofi.nix
@ -59,7 +59,7 @@ in {
            border = mkLiteral "0px";
            border-radius = mkLiteral "0px";
            border-color = mkLiteral config.theme.colors.base04;
-            children = map mkLiteral [ "inputbar" "message" "listview" ];
+            children = map mkLiteral [ "inputbar" "listview" ];
            spacing = mkLiteral "10px";
            padding = mkLiteral "10px";
          };
--- a/modules/nixos/graphical/rofi/power.nix
+++ b/modules/nixos/graphical/rofi/power.nix
@ -25,7 +25,7 @@ in {
        | ${rofi}/bin/rofi \
            -theme-str '@import "power.rasi"' \
            -hover-select \
-            -me-select-entry "" \
+            -me-select-entry ''' \
            -me-accept-entry MousePrimary \
            -dmenu \
            -sep ';' \
--- a/modules/nixos/graphical/rofi/rofi-prompt.sh
+++ b/modules/nixos/graphical/rofi/rofi-prompt.sh
@ -32,7 +32,7 @@ done
 chosen=$(printf '%s;%s\n' "$yes" "$no" |
    rofi -theme-str '@import "prompt.rasi"' \
        -hover-select \
-        -me-select-entry "" \
+        -me-select-entry '' \
        -me-accept-entry MousePrimary \
        -p "$query" \
        -dmenu \
--- a/modules/nixos/graphical/rofi/themes/prompt.rasi
+++ b/modules/nixos/graphical/rofi/themes/prompt.rasi
@ -4,13 +4,14 @@
 */
@import "common.rasi"
 * {
-  font: @prompt-text-font;
+  font: @text-font;
 }
 #window {
  height: @prompt-window-height;
  width: @prompt-window-width;
  children: [ inputbar, horibox ];
  border: @prompt-window-border;
  border-color: @accent;
 }
 #inputbar {
  enabled: false;
@ -18,6 +19,8 @@
 #prompt {
  padding: @prompt-prompt-padding;
  margin: @prompt-prompt-margin;
  background-color: @accent;
  text-color: @background-light;
 }
 #listview {
  padding: @prompt-listview-padding;
@ -28,3 +31,19 @@
  font: @prompt-text-font;
  padding: @prompt-element-padding;
 }
 element.alternate.active,
 element.normal.active,
 element.alternate.urgent,
 element.normal.urgent {
  background-color: @background-light;
  text-color: @foreground;
 }
 element.selected.urgent {
  background-color: @off;
  text-color: @background;
 }
 element.selected.active {
  background-color: @on;
  text-color: @background;
 }
--- a/modules/nixos/graphical/xorg.nix
+++ b/modules/nixos/graphical/xorg.nix
@ -1,6 +1,27 @@
 { config, pkgs, lib, ... }: {
-  config = lib.mkIf config.gui.enable {
+  options = {
    gtk.theme = {
      name = lib.mkOption {
        type = lib.types.str;
        description = "Theme name for GTK applications";
      };
      package = lib.mkOption {
        type = lib.types.str;
        description = "Theme package name for GTK applications";
        default = "gnome-themes-extra";
      };
    };
  };
  config = let
    gtkTheme = {
      name = config.gtk.theme.name;
      package = pkgs."${config.gtk.theme.package}";
    };
  in lib.mkIf config.gui.enable {
    # Enable the X11 windowing system.
    services.xserver = {
@ -15,8 +36,10 @@
          enable = config.services.xserver.enable;
          background = config.wallpaper;
          # Make the login screen dark
          greeters.gtk.theme = gtkTheme;
          # Show default user
          # Also make sure /var/lib/AccountsService/users/<user> has SystemAccount=false
          extraSeatDefaults = ''
            greeter-hide-users = false
          '';
@ -31,6 +54,12 @@
        xclip # Clipboard
      ];
    # Required for setting GTK theme (for preferred-color-scheme in browser)
    services.dbus.packages = [ pkgs.dconf ];
    programs.dconf.enable = true;
    environment.sessionVariables = { GTK_THEME = config.gtk.theme.name; };
    home-manager.users.${config.user} = {
      programs.fish.shellAliases = {
@ -38,6 +67,17 @@
        pbpaste = "xclip -selection clipboard -out";
      };
      gtk = let
        gtkExtraConfig = {
          gtk-application-prefer-dark-theme = config.theme.dark;
        };
      in {
        enable = true;
        theme = gtkTheme;
        gtk3.extraConfig = gtkExtraConfig;
        gtk4.extraConfig = gtkExtraConfig;
      };
    };
  };
--- a/modules/nixos/hardware/boot.nix
+++ b/modules/nixos/hardware/boot.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
-  boot.loader = lib.mkIf (config.physical && !config.server) {
+  boot.loader = lib.mkIf config.physical {
    grub = {
      enable = true;
--- a/modules/nixos/hardware/keyboard.nix
+++ b/modules/nixos/hardware/keyboard.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, ... }: {
  config = {
@ -15,17 +15,8 @@
    # Use capslock as escape and/or control
    services.keyd = {
      enable = true;
      keyboards = {
        default = {
          ids = [ "*" ];
      settings = { main = { capslock = "overload(control, esc)"; }; };
    };
      };
    };
    # For some reason, keyd doesn't restart properly when updating
    system.activationScripts.keyd.text =
      "${pkgs.systemd}/bin/systemctl restart keyd.service";
    # Enable num lock on login
    home-manager.users.${config.user}.xsession.numlock.enable = true;
--- a/modules/nixos/hardware/networking.nix
+++ b/modules/nixos/hardware/networking.nix
@ -1,8 +1,13 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
  config = lib.mkIf config.physical {
-    networking.useDHCP = !config.networking.networkmanager.enable;
+    # The global useDHCP flag is deprecated, therefore explicitly set to false here.
    # Per-interface useDHCP will be mandatory in the future, so this generated config
    # replicates the default behaviour.
    networking.useDHCP = false;
    networking.interfaces.enp5s0.useDHCP = true;
    networking.interfaces.wlp4s0.useDHCP = true;
    networking.firewall.allowPing = lib.mkIf config.server true;
@ -10,9 +15,6 @@
    services.avahi = {
      enable = true;
      domainName = "local";
      ipv6 = false; # Should work either way
      # Resolve local hostnames using Avahi DNS
      nssmdns4 = true;
      publish = {
        enable = true;
        addresses = true;
@ -21,10 +23,8 @@
      };
    };
-    environment.systemPackages = [
+    # Resolve local hostnames using Avahi DNS
-      (pkgs.writeShellScriptBin "wake-tempest"
+    services.avahi.nssmdns = true;
        "${pkgs.wakeonlan}/bin/wakeonlan --ip=192.168.1.255 74:56:3C:40:37:5D")
    ];
  };
--- a/modules/nixos/hardware/server.nix
+++ b/modules/nixos/hardware/server.nix
@ -1,6 +1,6 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }: {
-  config = lib.mkIf config.server {
+  config = lib.mkIf (pkgs.stdenv.isLinux && config.server) {
    # Servers need a bootloader or they won't start
    boot.loader.systemd-boot.enable = true;
--- a/modules/nixos/hardware/sleep.nix
+++ b/modules/nixos/hardware/sleep.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
-  config = lib.mkIf (config.physical && !config.server) {
+  config = lib.mkIf config.physical {
    # Prevent wake from keyboard
    powerManagement.powerDownCommands = ''
--- a/modules/nixos/hardware/wifi.nix
+++ b/modules/nixos/hardware/wifi.nix
@ -3,7 +3,7 @@
  config = lib.mkIf (config.physical && pkgs.stdenv.isLinux) {
    # Enables wireless support via wpa_supplicant.
-    networking.wireless.enable = !config.networking.networkmanager.enable;
+    networking.wireless.enable = true;
    # Allows the user to control the WiFi settings.
    networking.wireless.userControlled.enable = true;
--- a/modules/nixos/hardware/zfs.nix
+++ b/modules/nixos/hardware/zfs.nix
@ -1,20 +1,15 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }: {
  options = { zfs.enable = lib.mkEnableOption "ZFS file system."; };
-  config = lib.mkIf (config.server && config.zfs.enable) {
+  config =
    lib.mkIf (pkgs.stdenv.isLinux && config.server && config.zfs.enable) {
      # Only use compatible Linux kernel, since ZFS can be behind
-    boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+      boot.kernelPackages =
        config.boot.zfs.package.latestCompatibleLinuxPackages;
      boot.kernelParams = [ "nohibernate" ];
      boot.supportedFilesystems = [ "zfs" ];
    services.prometheus.exporters.zfs.enable =
      config.prometheus.exporters.enable;
    prometheus.scrapeTargets = [
      "127.0.0.1:${
        builtins.toString config.services.prometheus.exporters.zfs.port
      }"
    ];
    };
--- a/modules/nixos/services/arr.nix
+++ b/modules/nixos/services/arr.nix
@ -1,31 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }: {
 let
  arrConfig = {
    radarr = {
      exportarrPort = "9707";
      url = "localhost:7878";
      apiKey = config.secrets.radarrApiKey.dest;
    };
    sonarr = {
      exportarrPort = "9708";
      url = "localhost:8989";
      apiKey = config.secrets.sonarrApiKey.dest;
    };
    prowlarr = {
      exportarrPort = "9709";
      url = "localhost:9696";
      apiKey = config.secrets.prowlarrApiKey.dest;
    };
    sabnzbd = {
      exportarrPort = "9710";
      url = "localhost:8085";
      apiKey = config.secrets.sabnzbdApiKey.dest;
    };
  };
 in {
  options = { arrs.enable = lib.mkEnableOption "Arr services"; };
@ -70,7 +43,7 @@ in {
        }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{ dial = arrConfig.sonarr.url; }];
+          upstreams = [{ dial = "localhost:8989"; }];
        }];
      }
      {
@ -81,7 +54,7 @@ in {
        }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{ dial = arrConfig.radarr.url; }];
+          upstreams = [{ dial = "localhost:7878"; }];
        }];
      }
      {
@ -103,11 +76,7 @@ in {
        }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{
+          upstreams = [{ dial = "localhost:6767"; }];
            dial = "localhost:${
                builtins.toString config.services.bazarr.listenPort
              }";
          }];
        }];
      }
      {
@ -118,7 +87,7 @@ in {
        }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{ dial = arrConfig.sabnzbd.url; }];
+          upstreams = [{ dial = "localhost:8085"; }];
        }];
      }
      {
@ -126,83 +95,11 @@ in {
        match = [{ host = [ config.hostnames.download ]; }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{
+          upstreams = [{ dial = "localhost:5055"; }];
            dial =
              "localhost:${builtins.toString config.services.jellyseerr.port}";
          }];
        }];
      }
    ];
    # Enable Prometheus exporters
    systemd.services = lib.mapAttrs' (name: attrs: {
      name = "prometheus-${name}-exporter";
      value = {
        description = "Export Prometheus metrics for ${name}";
        after = [ "network.target" ];
        wantedBy = [ "${name}.service" ];
        serviceConfig = {
          Type = "simple";
          DynamicUser = true;
          ExecStart = let
            url = if name != "sabnzbd" then
              "http://${attrs.url}/${name}"
            else
              "http://${attrs.url}";
          in ''
            ${pkgs.exportarr}/bin/exportarr ${name} \
                        --url ${url} \
                        --port ${attrs.exportarrPort}'';
          EnvironmentFile =
            lib.mkIf (builtins.hasAttr "apiKey" attrs) attrs.apiKey;
          Restart = "on-failure";
          ProtectHome = true;
          ProtectSystem = "strict";
          PrivateTmp = true;
          PrivateDevices = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          NoNewPrivileges = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          RemoveIPC = true;
          PrivateMounts = true;
        };
      };
    }) arrConfig;
    # Secrets for Prometheus exporters
    secrets.radarrApiKey = {
      source = ../../../private/radarr-api-key.age;
      dest = "/var/private/radarr-api";
      prefix = "API_KEY=";
    };
    secrets.sonarrApiKey = {
      source = ../../../private/sonarr-api-key.age;
      dest = "/var/private/sonarr-api";
      prefix = "API_KEY=";
    };
    secrets.prowlarrApiKey = {
      source = ../../../private/prowlarr-api-key.age;
      dest = "/var/private/prowlarr-api";
      prefix = "API_KEY=";
    };
    secrets.sabnzbdApiKey = {
      source = ../../../private/sabnzbd-api-key.age;
      dest = "/var/private/sabnzbd-api";
      prefix = "API_KEY=";
    };
    # Prometheus scrape targets
    prometheus.scrapeTargets = map (key:
      "127.0.0.1:${
        lib.attrsets.getAttrFromPath [ key "exportarrPort" ] arrConfig
      }") (builtins.attrNames arrConfig);
  };
 }
--- a/modules/nixos/services/bind.nix
+++ b/modules/nixos/services/bind.nix
@ -1,55 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  localIp = "192.168.1.218";
  localServices = [
    config.hostnames.stream
    config.hostnames.content
    config.hostnames.books
    config.hostnames.download
  ];
  mkRecord = service: "${service}       A       ${localIp}";
  localRecords = lib.concatLines (map mkRecord localServices);
 in {
  config = lib.mkIf config.services.bind.enable {
    caddy.cidrAllowlist = [ "192.168.0.0/16" ];
    services.bind = {
      cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
      forwarders = [ "1.1.1.1" "1.0.0.1" ];
      ipv4Only = true;
      # Use rpz zone as an override
      extraOptions = ''response-policy { zone "rpz"; };'';
      zones = {
        rpz = {
          master = true;
          file = pkgs.writeText "db.rpz" ''
            $TTL 60  ; 1 minute
            @       IN      SOA     localhost. root.localhost. (
                                    2023071800      ; serial
                                    1h              ; refresh
                                    30m             ; retry
                                    1w              ; expire
                                    30m             ; minimum ttl
                                    )
                    IN      NS      localhost.
            localhost       A       127.0.0.1
            ${localRecords}
          '';
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 53 ];
    networking.firewall.allowedUDPPorts = [ 53 ];
  };
 }
--- a/modules/nixos/services/caddy.nix
+++ b/modules/nixos/services/caddy.nix
@ -1,41 +1,25 @@
 { config, pkgs, lib, ... }: {
  options = {
-    caddy = {
+    caddy.tlsPolicies = lib.mkOption {
      tlsPolicies = lib.mkOption {
      type = lib.types.listOf lib.types.attrs;
      description = "Caddy JSON TLS policies";
      default = [ ];
    };
-      routes = lib.mkOption {
+    caddy.routes = lib.mkOption {
      type = lib.types.listOf lib.types.attrs;
      description = "Caddy JSON routes for http servers";
      default = [ ];
    };
-      blocks = lib.mkOption {
+    caddy.blocks = lib.mkOption {
      type = lib.types.listOf lib.types.attrs;
      description = "Caddy JSON error blocks for http servers";
      default = [ ];
    };
      cidrAllowlist = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        description = "CIDR blocks to allow for requests";
        default = [ ];
      };
    };
  };
-  config = lib.mkIf config.services.caddy.enable {
+  config =
-
+    lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
    # Force Caddy to 403 if not coming from allowlisted source
    caddy.cidrAllowlist = [ "127.0.0.1/32" ];
    caddy.routes = [{
      match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
      handle = [{
        handler = "static_response";
        status_code = "403";
      }];
    }];
      services.caddy = {
        adapter = "''"; # Required to enable JSON
@ -44,9 +28,8 @@
            listen = [ ":443" ];
            routes = config.caddy.routes;
            errors.routes = config.caddy.blocks;
-          logs = { }; # Uncomment to collect access logs
+            # logs = { }; # Uncomment to collect access logs
          };
        apps.http.servers.metrics = { }; # Enables Prometheus metrics
          apps.tls.automation.policies = config.caddy.tlsPolicies;
          logging.logs.main = {
            encoder = { format = "console"; };
@ -54,7 +37,6 @@
              output = "file";
              filename = "${config.services.caddy.logDir}/caddy.log";
              roll = true;
            roll_size_mb = 1;
            };
            level = "INFO";
          };
@ -65,8 +47,6 @@
      networking.firewall.allowedTCPPorts = [ 80 443 ];
      networking.firewall.allowedUDPPorts = [ 443 ];
    prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
    };
 }
--- a/modules/nixos/services/calibre.nix
+++ b/modules/nixos/services/calibre.nix
@ -30,11 +30,7 @@ in {
      match = [{ host = [ config.hostnames.books ]; }];
      handle = [{
        handler = "reverse_proxy";
-        upstreams = [{
+        upstreams = [{ dial = "localhost:8083"; }];
          dial = "localhost:${
              builtins.toString config.services.calibre-web.listen.port
            }";
        }];
        headers.request.add."X-Script-Name" = [ "/calibre-web" ];
      }];
    }];
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@ -41,10 +41,19 @@ in {
  config = lib.mkIf config.cloudflare.enable {
    # Forces Caddy to error if coming from a non-Cloudflare IP
-    caddy.cidrAllowlist = cloudflareIpRanges;
+    caddy.blocks = [{
      match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
      handle = [{
        handler = "static_response";
        abort = true;
      }];
    }];
    # Tell Caddy to use Cloudflare DNS for ACME challenge validation
-    services.caddy.package = pkgs.caddy-cloudflare; # Patched overlay
+    services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
      plugins = [ "github.com/caddy-dns/cloudflare" ];
      # vendorSha256 = "sha256-K9HPZnr+hMcK5aEd1H4gEg6PXAaNrNWFvaHYm5m62JY=";
    });
    caddy.tlsPolicies = [{
      issuers = [{
        module = "acme";
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@ -3,7 +3,6 @@
  imports = [
    ./arr.nix
    ./backups.nix
    ./bind.nix
    ./caddy.nix
    ./calibre.nix
    ./cloudflare-tunnel.nix
@ -13,21 +12,18 @@
    ./gnupg.nix
    ./grafana.nix
    ./honeypot.nix
    ./influxdb2.nix
    ./jellyfin.nix
    ./keybase.nix
    ./mullvad.nix
    ./n8n.nix
    ./netdata.nix
    ./nextcloud.nix
    ./paperless.nix
    ./prometheus.nix
    ./samba.nix
    ./secrets.nix
    ./sshd.nix
    ./transmission.nix
    ./vaultwarden.nix
    ./victoriametrics.nix
    ./wireguard.nix
  ];
--- a/modules/nixos/services/gitea-runner.nix
+++ b/modules/nixos/services/gitea-runner.nix
@ -10,9 +10,9 @@
      enable = true;
      labels = [
        # Provide a Debian base with NodeJS for actions
-        # "debian-latest:docker://node:18-bullseye"
+        "debian-latest:docker://node:18-bullseye"
        # Fake the Ubuntu name, because Node provides no Ubuntu builds
-        # "ubuntu-latest:docker://node:18-bullseye"
+        "ubuntu-latest:docker://node:18-bullseye"
        # Provide native execution on the host using below packages
        "native:host"
      ];
@ -31,28 +31,6 @@
      tokenFile = config.secrets.giteaRunnerToken.dest;
    };
    # Make sure the runner doesn't start until after Gitea
    systemd.services."gitea-runner-${config.networking.hostName}".after =
      [ "gitea.service" ];
    # API key needed to connect to Gitea
    secrets.giteaRunnerToken = {
      source = ../../../private/gitea-runner-token.age; # TOKEN=xyz
      dest = "${config.secretsDirectory}/gitea-runner-token";
    };
    systemd.services.giteaRunnerToken-secret = {
      requiredBy = [
        "gitea-runner-${
          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
        }.service"
      ];
      before = [
        "gitea-runner-${
          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
        }.service"
      ];
    };
  };
 }
--- a/modules/nixos/services/gitea.nix
+++ b/modules/nixos/services/gitea.nix
@ -9,7 +9,6 @@ in {
      database.type = "sqlite3";
      settings = {
        actions.ENABLED = true;
        metrics.ENABLED = true;
        repository = {
          DEFAULT_PUSH_CREATE_PRIVATE = true;
          DISABLE_HTTP_GIT = false;
@ -38,36 +37,13 @@ in {
    networking.firewall.allowedTCPPorts = [ 122 ];
    users.users.${config.user}.extraGroups = [ "gitea" ];
-    caddy.routes = [
+    caddy.routes = [{
      {
        match = [{
          host = [ config.hostnames.git ];
          path = [ "/metrics*" ];
        }];
        handle = [{
          handler = "static_response";
          status_code = "403";
        }];
      }
      {
      match = [{ host = [ config.hostnames.git ]; }];
      handle = [{
        handler = "reverse_proxy";
-          upstreams = [{
+        upstreams = [{ dial = "localhost:3001"; }];
            dial = "localhost:${
                builtins.toString
                config.services.gitea.settings.server.HTTP_PORT
              }";
      }];
    }];
      }
    ];
    prometheus.scrapeTargets = [
      "127.0.0.1:${
        builtins.toString config.services.gitea.settings.server.HTTP_PORT
      }"
    ];
    ## Backup config
--- a/modules/nixos/services/grafana.nix
+++ b/modules/nixos/services/grafana.nix
--- a/Show More
+++ b/Show More