clean up i3 sxhkd

too bad it looks terrible, especially for nautilus

.github/workflows/check.yml

@@ -0,0 +1,20 @@
+name: Check Build
+
+on:
+  workflow_dispatch: # allows manual triggering
+
+jobs:
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
+      - name: Check Nixpkgs Inputs
+        uses: DeterminateSystems/flake-checker-action@v5
+      - name: Add Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+      - name: Check the Flake
+        run: nix flake check

.github/workflows/update.yml

@@ -0,0 +1,38 @@
+name: Update Flake
+
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '33 3 * * 0' # runs weekly on Sunday at 03:33
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  lockfile:
+    name: Lockfile
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
+      - name: Check Nixpkgs Inputs
+        uses: DeterminateSystems/flake-checker-action@v5
+      - name: Add Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@v19
+        id: update
+        with:
+          pr-title: "Update flake.lock" # Title of PR to be created
+          pr-labels: |                  # Labels to be set on the PR
+            dependencies
+            automated
+      - name: Check the Flake
+        run: nix flake check
+      - name: Enable Pull Request Automerge
+        run: gh pr merge --rebase --auto ${{ steps.update.outputs.pull-request-number }}
+        env:
+          GH_TOKEN: ${{ github.token }}

.gitignore

@@ -3,7 +3,6 @@
 *.db
 **/.direnv/**
 result
-.luarc.json
 private/**
+templates/**/flake.lock
 !private/**.age
-!private/**.sha512

apps/README.md

@@ -0,0 +1,9 @@
+# Apps
+
+These are all my miscellaneous utilies and scripts to accompany this project.
+
+They can be run with:
+
+```
+nix run github:nmasur/dotfiles#appname
+```

apps/encrypt-secret.nix

@@ -11,7 +11,7 @@
     tmpfile=$(mktemp)
     echo "''${secret}" > ''${tmpfile}
     ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-      builtins.toString ../public-keys
+      builtins.toString ../misc/public-keys
     } $tmpfile
     rm $tmpfile
   '');

apps/installer.nix

@@ -17,8 +17,8 @@
             --foreground "#fb4934" \
             "Missing required parameter." \
             "Usage: installer -- <disk> <host>" \
-            "Example: installer -- nvme0n1 desktop" \
+            "Example: installer -- nvme0n1 tempest" \
-            "Flake example: nix run github:nmasur/dotfiles#installer -- nvme0n1 desktop"
+            "Flake example: nix run github:nmasur/dotfiles#installer -- nvme0n1 tempest"
         echo "(exiting)"
         exit 1
     fi

apps/neovim.nix

@@ -5,7 +5,7 @@
   program = "${
       (import ../modules/common/neovim/package {
         inherit pkgs;
-        colors = (import ../colorscheme/gruvbox).dark;
+        colors = (import ../colorscheme/nord).dark;
       })
     }/bin/nvim";
 

apps/reencrypt-secrets.nix

@@ -17,7 +17,7 @@
         --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
       echo "Encrypting ''${encryptedfile}..."
       ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-        builtins.toString ../public-keys
+        builtins.toString ../misc/public-keys
       } $tmpfile > $encryptedfile
       rm $tmpfile
     done

colorscheme/README.md

@@ -0,0 +1,5 @@
+# Colorschemes
+
+Color information for different themes is found here. The colors are sourced
+and used with [base16](https://github.com/chriskempson/base16) format
+consistently across the system.

colorscheme/everforest/default.nix

@@ -1,6 +1,7 @@
 {
   name = "everforest"; # dark, hard
   author = "Sainnhe Park";
+  dark = {
     base00 = "#2b3339"; # Default Background
     base01 = "#323c41"; # Lighter Background
     base02 = "#503946"; # Selection Background
@@ -15,6 +16,9 @@
     base0B = "#dbbc7f"; # Strings, Inherited Class, Markup Code, Diff Inserted
     base0C = "#e69875"; # Support, Regular Expressions, Escape Characters, ...
     base0D = "#a7c080"; # Functions, Methods, Attribute IDs, Headings
-  base0E = "#e67e80"; # Keywords, Storage, Selector, Markup Italic, Diff Changed
+    base0E =
-  base0F = "#d699b6"; # Deprecated, Opening/Closing Embedded Language Tags, ...
+      "#e67e80"; # Keywords, Storage, Selector, Markup Italic, Diff Changed
+    base0F =
+      "#d699b6"; # Deprecated, Opening/Closing Embedded Language Tags, ...
+  };
 }

colorscheme/nord/default.nix

@@ -1,7 +1,7 @@
 {
-  dark = {
   name = "nord";
   author = "arcticicestudio";
+  dark = {
     base00 = "#2E3440";
     base01 = "#3B4252";
     base02 = "#434C5E";

colorscheme/nord/neovim.lua

@@ -1,13 +0,0 @@
-local M = {}
-
-M.packer = function(use)
-    use({
-        "shaunsingh/nord.nvim",
-        config = function()
-            vim.g.nord_italic = true
-            vim.cmd("colorscheme nord")
-        end,
-    })
-end
-
-return M

disks/README.md

@@ -0,0 +1,5 @@
+# Disks
+
+These are my [disko](https://github.com/nix-community/disko) configurations,
+which allow me to save desired disk formatting layouts as a declarative file so
+I don't have to remember how to format my disks later on.

docs/README.md

@@ -0,0 +1,4 @@
+# Documentation
+
+Reference documents for some of the more complicated services and maintenance
+tasks.

docs/repair-nextcloud.md

@@ -0,0 +1,65 @@
+# Repairing Nextcloud
+
+You can run the maintenance commands like this:
+
+```
+sudo -u nextcloud nextcloud-occ maintenance:mode --on
+sudo -u nextcloud nextcloud-occ maintenance:repair
+sudo -u nextcloud nextcloud-occ maintenance:mode --off
+```
+
+## Rescan Files
+
+```
+sudo -u nextcloud nextcloud-occ files:scan --all
+```
+
+## Converting from SQLite to MySQL (mariadb)
+
+First: keep Nextcloud set to SQLite as its dbtype, and separately launch MySQL
+as a service by copying the configuration found
+[here](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/web-apps/nextcloud.nix).
+
+No password is necessary, since the user-based auth works with UNIX sockets.
+
+You can connect to the MySQL instance like this:
+
+```
+sudo -u nextcloud mysql -S /run/mysqld/mysqld.sock
+```
+
+Create a blank database for Nextcloud:
+
+```sql
+create database nextcloud;
+```
+
+Now setup the [conversion](https://docs.nextcloud.com/server/17/admin_manual/configuration_database/db_conversion.html):
+
+```
+sudo -u nextcloud nextcloud-occ db:convert-type mysql nextcloud localhost nextcloud
+```
+
+Ignore the password prompt. Proceed with the conversion.
+
+Now `config.php` will be updated but the override config from NixOS will not
+be. Now update your NixOS configuration:
+
+- Remove the `mysql` service you created.
+- Set `dbtype` to `mysql`.
+- Set `database.createLocally` to `true`.
+
+Rebuild your configuration.
+
+Now, make sure to enable [4-byte
+support](https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/mysql_4byte_support.html)
+in the database.
+
+## Backing Up MySQL Database
+
+Use this mysqldump command:
+
+```
+sudo -u nextcloud mysqldump -S /run/mysqld/mysqld.sock --default-character-set=utf8mb4 nextcloud > backup.sql
+```
+

docs/restore-nextcloud.md

@@ -1,43 +0,0 @@
-# Restoring Nextcloud From Backup
-
-Install the `litestream` package.
-
-```
-nix-shell --run fish -p litestream
-```
-
-Set the S3 credentials:
-
-```
-set -x AWS_ACCESS_KEY_ID (read)
-set -x AWS_SECRET_ACCESS_KEY (read)
-```
-
-Restore from S3:
-
-```
-litestream restore -o nextcloud.db s3://noahmasur-backup.s3.us-west-002.backblazeb2.com/nextcloud
-```
-
-Install Nextcloud. Then copy DB:
-
-```
-sudo rm /data/nextcloud/data/nextcloud.db*
-sudo mv nextcloud.db /data/nextcloud/data/
-sudo chown nextcloud:nextcloud /data/nextcloud/data/nextcloud.db
-sudo chmod 770 /data/nextcloud/data/nextcloud.db
-```
-
-Restart Nextcloud:
-
-```
-sudo systemctl restart phpfpm-nextcloud.service
-```
-
-Adjust Permissions and Directories:
-
-```
-sudo mkdir /data/nextcloud/data/noah/files
-sudo chown nextcloud:nextcloud /data/nextcloud/data/noah/files
-```
-

docs/zfs.md

@@ -0,0 +1,45 @@
+# ZFS
+
+Swan runs its root on ext4. The ZFS drives are managed imperatively (this
+[disko configuration](../disks/zfs.nix) is an unused work-in-progress).
+
+The basic ZFS settings are managed [here](../modules/nixos/hardware/zfs.nix).
+
+## Creating a New Dataset
+
+```
+sudo zfs create tank/mydataset
+sudo zfs set compression=zstd tank/myzstddataset
+sudo zfs set mountpoint=/data/mydataset tank/mydataset
+```
+
+## Maintenance
+
+### Get Status
+
+```
+sudo zpool status
+```
+
+### Replace Disk
+
+```
+sudo zdb
+sudo zpool status -g # Show by GUID
+sudo zpool offline tank <GUID>
+sudo zpool status
+# Remove old disk, insert new disk
+sudo zdb
+sudo zpool replace tank <OLD GUID> /dev/disk/by-id/<NEW PATH>
+sudo zpool status
+```
+
+## Initial Setup
+
+```
+sudo zpool create tank raidz1 sda sdb sdc
+sudo zpool set ashift=12 tank
+sudo zpool set autoexpand=on tank
+sudo zpool set compression=on tank
+```
+

flake.lock

@@ -17,6 +17,22 @@
         "type": "github"
       }
     },
+    "baleia-nvim-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1681806450,
+        "narHash": "sha256-jxRlIzWbnSj89032msc5w+2TVt7zVyzlxdXxiH1dQqY=",
+        "owner": "m00qek",
+        "repo": "baleia.nvim",
+        "rev": "00bb4af31c8c3865b735d40ebefa6c3f07b2dd16",
+        "type": "github"
+      },
+      "original": {
+        "owner": "m00qek",
+        "repo": "baleia.nvim",
+        "type": "github"
+      }
+    },
     "bufferline-nvim-src": {
       "flake": false,
       "locked": {
@@ -57,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687517837,
+        "lastModified": 1691275315,
-        "narHash": "sha256-Ea+JTy6NSf+wWIFrgC8gnOnyt01xwmtDEn2KecvaBkg=",
+        "narHash": "sha256-9WN0IA0vNZSNxKHpy/bYvPnCw4VH/nr5iBv7c+7KUts=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "6460468e7a3e1290f132fee4170ebeaa127f6f32",
+        "rev": "829041cf10c4f6751a53c0a11ca2fd22ff0918d6",
         "type": "github"
       },
       "original": {
@@ -78,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687598357,
+        "lastModified": 1690739034,
-        "narHash": "sha256-70ciIe8415oQnQypawaqocEaLJcI1XtkqRNmle8vsrg=",
+        "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "1e7098ee0448dc5d33df394d040f454cd42a809c",
+        "rev": "4015740375676402a2ee6adebc3c30ea625b9a94",
         "type": "github"
       },
       "original": {
@@ -98,11 +114,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688605308,
+        "lastModified": 1691196340,
-        "narHash": "sha256-B9suu7dcdX4a18loO5ul237gqIJ5/+TRuheLj8fJjwM=",
+        "narHash": "sha256-b1haFWCbFJkiUkeTQCkNjr8hFq/8JlMPaQwNpGlcvxI=",
         "owner": "bandithedoge",
         "repo": "nixpkgs-firefox-darwin",
-        "rev": "78d28acf685e19d353b2ecb6c38eeb3fc624fc68",
+        "rev": "6081c33185dba05da784d9f2a392861af025bf1a",
         "type": "github"
       },
       "original": {
@@ -165,11 +181,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1685518550,
+        "lastModified": 1689068808,
-        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
         "type": "github"
       },
       "original": {
@@ -178,6 +194,22 @@
         "type": "github"
       }
     },
+    "hmts-nvim-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1691223193,
+        "narHash": "sha256-Zsl4s3e4upWiU2mXKqiQcUGxslPzzebKKXfzaHiNq48=",
+        "owner": "calops",
+        "repo": "hmts.nvim",
+        "rev": "1d40963804925754672940d07ddb250d19efec2e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "calops",
+        "repo": "hmts.nvim",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -185,11 +217,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687627695,
+        "lastModified": 1691225770,
-        "narHash": "sha256-6Pu7nWb52PRtUmihwuDNShDmsZiXgtXR0OARtH4DSik=",
+        "narHash": "sha256-O5slH8nW8msTAqVAS5rkvdHSkjmrO+JauuSDzZCmv2M=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "172d46d4b2677b32277d903bdf4cff77c2cc6477",
+        "rev": "0a014a729cdd54d9919ff36b714d047909d7a4c8",
         "type": "github"
       },
       "original": {
@@ -199,6 +231,42 @@
         "type": "github"
       }
     },
+    "nextcloud-cookbook": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-XgBwUr26qW6wvqhrnhhhhcN4wkI+eXDHnNSm1HDbP6M=",
+        "type": "tarball",
+        "url": "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz"
+      }
+    },
+    "nextcloud-external": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-gY1nxqK/pHfoxW/9mE7DFtNawgdEV7a4OXpscWY14yk=",
+        "type": "tarball",
+        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz"
+      }
+    },
+    "nextcloud-news": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-hhXPEITSbCiFs0o+TOsQnSasXBpjU9mA/OFsbzuaCPw=",
+        "type": "tarball",
+        "url": "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz"
+      }
+    },
     "nil": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -245,11 +313,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1687049841,
+        "lastModified": 1689469483,
-        "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=",
+        "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5",
+        "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
         "type": "github"
       },
       "original": {
@@ -266,11 +334,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687398392,
+        "lastModified": 1690133435,
-        "narHash": "sha256-T6kc3NMTpGJk1/dve8PGupeVcxboEb78xtTKhe3LL/A=",
+        "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "649171f56a45af13ba693c156207eafbbbf7edfe",
+        "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
         "type": "github"
       },
       "original": {
@@ -281,11 +349,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1687502512,
+        "lastModified": 1691186842,
-        "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
+        "narHash": "sha256-wxBVCvZUwq+XS4N4t9NqsHV4E64cPVqQ2fdDISpjcw0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
+        "rev": "18036c0be90f4e308ae3ebcab0e14aae0336fe42",
         "type": "github"
       },
       "original": {
@@ -297,16 +365,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1686929285,
+        "lastModified": 1690470004,
-        "narHash": "sha256-WGtVzn+vGMPTXDO0DMNKVFtf+zUSqeW+KKk4Y/Ae99I=",
+        "narHash": "sha256-l57RmPhPz9r1LGDg/0v8bYgJO8R+GGTQZtkIxE7negU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "93fddcf640ceca0be331210ba3101cee9d91c13d",
+        "rev": "9462344318b376e157c94fa60c20a25b913b2381",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -314,11 +382,11 @@
     "null-ls-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1686871437,
+        "lastModified": 1688652536,
-        "narHash": "sha256-MxIZqyRW8jStiDNXt7Bsw8peDLKpqxKEaUuIJsXkGMI=",
+        "narHash": "sha256-6KJtj9pbvBm6fOVpnyzO2fEVC+cVrw2XtZHOgq9ieIw=",
         "owner": "jose-elias-alvarez",
         "repo": "null-ls.nvim",
-        "rev": "bbaf5a96913aa92281f154b08732be2f57021c45",
+        "rev": "db09b6c691def0038c456551e4e2772186449f35",
         "type": "github"
       },
       "original": {
@@ -329,11 +397,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1687625402,
+        "lastModified": 1691289987,
-        "narHash": "sha256-V+vSWypmm/tGbwNXGhqzmiV7vTjV2gNCEh9N7OhNnyA=",
+        "narHash": "sha256-sbbDlVzxlP+bBTdhyyzJ6C0APUNU/sChuLmNU9ehkmg=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "aeaf37c7538965e45700d39e6b5dc9c9a0e0749c",
+        "rev": "cf2f5d8ad452795e5aca290c95eedc829d3da7ec",
         "type": "github"
       },
       "original": {
@@ -362,11 +430,11 @@
     "nvim-tree-lua-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1687132855,
+        "lastModified": 1691292370,
-        "narHash": "sha256-ZRUoCDBv8rO8ZUBUMLgo33EBbqD9+ZOSET9rkFsA++E=",
+        "narHash": "sha256-YQRirmp8QerxwF9qdrSrUKJZiVrBb6ZWpUTfM8H7fl4=",
         "owner": "kyazdani42",
         "repo": "nvim-tree.lua",
-        "rev": "c3c6544ee00333b0f1d6a13735d0dd302dba4f70",
+        "rev": "904f95cd9db31d1800998fa428e78e418a50181d",
         "type": "github"
       },
       "original": {
@@ -395,12 +463,17 @@
     "root": {
       "inputs": {
         "Comment-nvim-src": "Comment-nvim-src",
+        "baleia-nvim-src": "baleia-nvim-src",
         "bufferline-nvim-src": "bufferline-nvim-src",
         "cmp-nvim-lsp-src": "cmp-nvim-lsp-src",
         "darwin": "darwin",
         "disko": "disko",
         "firefox-darwin": "firefox-darwin",
+        "hmts-nvim-src": "hmts-nvim-src",
         "home-manager": "home-manager",
+        "nextcloud-cookbook": "nextcloud-cookbook",
+        "nextcloud-external": "nextcloud-external",
+        "nextcloud-news": "nextcloud-news",
         "nil": "nil",
         "nix2vim": "nix2vim",
         "nixos-generators": "nixos-generators",
@@ -413,9 +486,15 @@
         "telescope-nvim-src": "telescope-nvim-src",
         "telescope-project-nvim-src": "telescope-project-nvim-src",
         "toggleterm-nvim-src": "toggleterm-nvim-src",
+        "tree-sitter-bash": "tree-sitter-bash",
+        "tree-sitter-ini": "tree-sitter-ini",
+        "tree-sitter-puppet": "tree-sitter-puppet",
+        "tree-sitter-python": "tree-sitter-python",
+        "tree-sitter-rasi": "tree-sitter-rasi",
         "vscode-terraform-snippets": "vscode-terraform-snippets",
         "wallpapers": "wallpapers",
-        "wsl": "wsl"
+        "wsl": "wsl",
+        "zenyd-mpv-scripts": "zenyd-mpv-scripts"
       }
     },
     "rust-overlay": {
@@ -523,6 +602,88 @@
         "type": "github"
       }
     },
+    "tree-sitter-bash": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1688032601,
+        "narHash": "sha256-gl5F3IeZa2VqyH/qFj8ey2pRbGq4X8DL5wiyvRrH56U=",
+        "owner": "tree-sitter",
+        "repo": "tree-sitter-bash",
+        "rev": "493646764e7ad61ce63ce3b8c59ebeb37f71b841",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tree-sitter",
+        "repo": "tree-sitter-bash",
+        "rev": "493646764e7ad61ce63ce3b8c59ebeb37f71b841",
+        "type": "github"
+      }
+    },
+    "tree-sitter-ini": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1690815608,
+        "narHash": "sha256-IIpKzpA4q1jpYVZ75VZaxWHaqNt8TA427eMOui2s71M=",
+        "owner": "justinmk",
+        "repo": "tree-sitter-ini",
+        "rev": "7f11a02fb8891482068e0fe419965d7bade81a68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "justinmk",
+        "repo": "tree-sitter-ini",
+        "type": "github"
+      }
+    },
+    "tree-sitter-puppet": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1690231696,
+        "narHash": "sha256-YEjjy9WLwITERYqoeSVrRYnwVBIAwdc4o0lvAK9wizw=",
+        "owner": "amaanq",
+        "repo": "tree-sitter-puppet",
+        "rev": "9ce9a5f7d64528572aaa8d59459ba869e634086b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "amaanq",
+        "repo": "tree-sitter-puppet",
+        "type": "github"
+      }
+    },
+    "tree-sitter-python": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1690493803,
+        "narHash": "sha256-2btd/NRE6NuGNlx4cq535OrwtWXihiP3VMCJjPCiDOk=",
+        "owner": "tree-sitter",
+        "repo": "tree-sitter-python",
+        "rev": "5af00f64af6bbf822f208243cce5cf75396fb6f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tree-sitter",
+        "repo": "tree-sitter-python",
+        "rev": "5af00f64af6bbf822f208243cce5cf75396fb6f5",
+        "type": "github"
+      }
+    },
+    "tree-sitter-rasi": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1678701563,
+        "narHash": "sha256-2nYZoLcrxxxiOJEySwHUm93lzMg8mU+V7LIP63ntFdA=",
+        "owner": "Fymyte",
+        "repo": "tree-sitter-rasi",
+        "rev": "371dac6bcce0df5566c1cfebde69d90ecbeefd2d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Fymyte",
+        "repo": "tree-sitter-rasi",
+        "type": "github"
+      }
+    },
     "vscode-terraform-snippets": {
       "flake": false,
       "locked": {
@@ -562,11 +723,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1687279045,
+        "lastModified": 1690553050,
-        "narHash": "sha256-LR0dsXd/A07M61jclyBUW0wRojEQteWReKM35zoJXp0=",
+        "narHash": "sha256-pK3kF30OykL3v6P8UP6ipihlS34KoGq9SryCj3tHrFw=",
         "owner": "nix-community",
         "repo": "NixOS-WSL",
-        "rev": "a8486b5d191f11d571f15d80b6e265d1712d01cf",
+        "rev": "f7a95a37306c46b42e9ce751977c44c752fd5eca",
         "type": "github"
       },
       "original": {
@@ -574,6 +735,22 @@
         "repo": "NixOS-WSL",
         "type": "github"
       }
+    },
+    "zenyd-mpv-scripts": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650625438,
+        "narHash": "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=",
+        "owner": "zenyd",
+        "repo": "mpv-scripts",
+        "rev": "19ea069abcb794d1bf8fac2f59b50d71ab992130",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zenyd",
+        "repo": "mpv-scripts",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -75,6 +75,10 @@
       url = "github:jose-elias-alvarez/null-ls.nvim";
       flake = false;
     };
+    baleia-nvim-src = {
+      url = "github:m00qek/baleia.nvim";
+      flake = false;
+    };
     Comment-nvim-src = {
       url = "github:numToStr/Comment.nvim/v0.8.0";
       flake = false;
@@ -107,6 +111,61 @@
       url = "github:run-at-scale/vscode-terraform-doc-snippets";
       flake = false;
     };
+    hmts-nvim-src = {
+      url = "github:calops/hmts.nvim";
+      flake = false;
+    };
+
+    # Tree-Sitter Grammars
+    tree-sitter-bash = {
+      # Fix: bash highlighting doesn't work as of this commit:
+      # https://github.com/NixOS/nixpkgs/commit/49cce41b7c5f6b88570a482355d9655ca19c1029
+      url =
+        "github:tree-sitter/tree-sitter-bash/493646764e7ad61ce63ce3b8c59ebeb37f71b841";
+      flake = false;
+    };
+    tree-sitter-python = {
+      # Fix: invalid node in position. Broken as of this commit (replaced with newer):
+      # https://github.com/NixOS/nixpkgs/commit/8ec3627796ecc899e6f47f5bf3c3220856ead9c5
+      url =
+        "github:tree-sitter/tree-sitter-python/5af00f64af6bbf822f208243cce5cf75396fb6f5";
+      flake = false;
+    };
+    tree-sitter-ini = {
+      url = "github:justinmk/tree-sitter-ini";
+      flake = false;
+    };
+    tree-sitter-puppet = {
+      url = "github:amaanq/tree-sitter-puppet";
+      flake = false;
+    };
+    tree-sitter-rasi = {
+      url = "github:Fymyte/tree-sitter-rasi";
+      flake = false;
+    };
+
+    # MPV Scripts
+    zenyd-mpv-scripts = {
+      url = "github:zenyd/mpv-scripts";
+      flake = false;
+    };
+
+    # Nextcloud Apps
+    nextcloud-news = {
+      url =
+        "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz";
+      flake = false;
+    };
+    nextcloud-external = {
+      url =
+        "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz";
+      flake = false;
+    };
+    nextcloud-cookbook = {
+      url =
+        "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz";
+      flake = false;
+    };
 
   };
 
@@ -124,7 +183,7 @@
         mail.server = "noahmasur.com";
         mail.imapHost = "imap.purelymail.com";
         mail.smtpHost = "smtp.purelymail.com";
-        dotfilesRepo = "git@github.com:nmasur/dotfiles";
+        dotfilesRepo = "https://github.com/nmasur/dotfiles";
         hostnames = {
           git = "git.${baseName}";
           metrics = "metrics.${baseName}";
@@ -144,7 +203,11 @@
         (import ./overlays/neovim-plugins.nix inputs)
         (import ./overlays/calibre-web.nix)
         (import ./overlays/disko.nix inputs)
-        (import ./overlays/tree-sitter-bash.nix)
+        (import ./overlays/tree-sitter.nix inputs)
+        (import ./overlays/caddy.nix inputs)
+        (import ./overlays/mpv-scripts.nix inputs)
+        (import ./overlays/nextcloud-apps.nix inputs)
+        (import ./overlays/betterlockscreen.nix)
       ];
 
       # System types to support.
@@ -223,6 +286,24 @@
 
         });
 
+      checks = forAllSystems (system:
+        let pkgs = import nixpkgs { inherit system overlays; };
+        in {
+          neovim = pkgs.runCommand "neovim-check-health" {
+            buildInputs = [ inputs.self.packages.${system}.neovim ];
+          } ''
+            mkdir -p $out
+            export HOME=$TMPDIR
+            nvim -c "checkhealth" -c "write $out/health.log" -c "quitall"
+
+            # Check for errors inside the health log
+            if $(grep "ERROR" $out/health.log); then
+              cat $out/health.log
+              exit 1
+            fi
+          '';
+        });
+
       # Templates for starting other projects quickly
       templates = rec {
         default = basic;

hosts/README.md

@@ -1,5 +1,7 @@
 # Hosts
 
+These are the individual machines managed by this flake.
+
 | Host                                       | Purpose             |
 | ---                                        | ---                 |
 | [aws](./aws/default.nix)                   | AWS AMI             |

hosts/aws/default.nix

@@ -4,14 +4,10 @@ inputs.nixos-generators.nixosGenerate {
   inherit system;
   format = "amazon";
   modules = [
+    globals
     inputs.home-manager.nixosModules.home-manager
     {
       nixpkgs.overlays = overlays;
-      user = globals.user;
-      fullName = globals.fullName;
-      dotfilesRepo = globals.dotfilesRepo;
-      gitName = globals.gitName;
-      gitEmail = globals.gitEmail;
       networking.hostName = "sheep";
       gui.enable = false;
       theme.colors = (import ../../colorscheme/gruvbox).dark;

hosts/flame/default.nix

@@ -3,6 +3,7 @@
 
 # How to install:
 # https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
+# These days, probably use nixos-anywhere instead.
 
 { inputs, globals, overlays, ... }:
 
@@ -21,39 +22,47 @@ inputs.nixpkgs.lib.nixosSystem {
       server = true;
       networking.hostName = "flame";
 
+      # Not sure what's necessary but too afraid to remove anything
       imports = [ (inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
       boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" ];
 
+      # File systems must be declared in order to boot
+
+      # This is the root filesystem containing NixOS
+      # I forgot to set a clean label for it
       fileSystems."/" = {
         device = "/dev/disk/by-uuid/e1b6bd50-306d-429a-9f45-78f57bc597c3";
         fsType = "ext4";
       };
 
+      # This is the boot filesystem for systemd-boot
       fileSystems."/boot" = {
         device = "/dev/disk/by-uuid/D5CA-237A";
         fsType = "vfat";
       };
 
       # Theming
-      gui.enable = false;
-      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
-      # Disable passwords, only use SSH key
+      # Server doesn't require GUI
-      publicKey =
+      gui.enable = false;
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
+
+      # Still require colors for programs like Neovim, K9S
+      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
       # Programs and services
       cloudflare.enable = true; # Proxy traffic with Cloudflare
       dotfiles.enable = true; # Clone dotfiles
       neovim.enable = true;
-
+      giteaRunner.enable = true;
       services.caddy.enable = true;
       services.grafana.enable = true;
-      services.prometheus.enable = true;
+      services.openssh.enable = true;
+      services.victoriametrics.enable = true;
       services.gitea.enable = true;
       services.vaultwarden.enable = true;
       services.minecraft-server.enable = true; # Setup Minecraft server
 
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "bd250ee1-ed2e-42d2-b627-039f1eb5a4d2";
@@ -69,8 +78,9 @@ inputs.nixpkgs.lib.nixosSystem {
         accessKeyId = "0026b0e73b2e2c80000000005";
       };
 
-      # # Grant access to Jellyfin directories from Nextcloud
+      # Disable passwords, only use SSH key
-      # users.users.nextcloud.extraGroups = [ "jellyfin" ];
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
 
       # # Wireguard config for Transmission
       # wireguard.enable = true;
@@ -101,9 +111,6 @@ inputs.nixpkgs.lib.nixosSystem {
       # # VPN port forwarding
       # services.transmission.settings.peer-port = 57599;
 
-      # # Grant access to Transmission directories from Jellyfin
-      # users.users.jellyfin.extraGroups = [ "transmission" ];
-
     }
   ];
 }

hosts/hydra/default.nix

@@ -22,7 +22,7 @@ inputs.nixpkgs.lib.nixosSystem {
         colors = (import ../../colorscheme/gruvbox).dark;
         dark = true;
       };
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
       wsl = {
         enable = true;
         wslConf.automount.root = "/mnt";

hosts/lookingglass/default.nix

@@ -21,7 +21,7 @@ inputs.darwin.lib.darwinSystem {
       identityFile = "/Users/Noah.Masur/.ssh/id_ed25519";
       gui.enable = true;
       theme = {
-        colors = (import ../../colorscheme/gruvbox).dark;
+        colors = (import ../../colorscheme/gruvbox-dark).dark;
         dark = true;
       };
       mail.user = globals.user;

hosts/swan/default.nix

@@ -13,10 +13,14 @@ inputs.nixpkgs.lib.nixosSystem {
     ../../modules/common
     ../../modules/nixos
     {
+      nixpkgs.overlays = overlays;
+
       # Hardware
       server = true;
+      physical = true;
       networking.hostName = "swan";
 
+      # Not sure what's necessary but too afraid to remove anything
       boot.initrd.availableKernelModules =
         [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
 
@@ -29,36 +33,54 @@ inputs.nixpkgs.lib.nixosSystem {
         "amdgpu.cik_support=1"
         "amdgpu.dc=1"
       ];
+
+      # Required binary blobs to boot on this machine
       hardware.enableRedistributableFirmware = true;
 
+      # Prioritize efficiency over performance
       powerManagement.cpuFreqGovernor = "powersave";
+
+      # Allow firmware updates
       hardware.cpu.intel.updateMicrocode = true;
 
       # ZFS
       zfs.enable = true;
       # Generated with: head -c 8 /etc/machine-id
       networking.hostId = "600279f4"; # Random ID required for ZFS
+
+      # Sets root ext4 filesystem instead of declaring it manually
       disko = {
         enableConfig = true;
         devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });
       };
+
+      # Automatically load the ZFS pool on boot
       boot.zfs.extraPools = [ "tank" ];
 
+      # Theming
+
+      # Server doesn't require GUI
       gui.enable = false;
+
+      # Still require colors for programs like Neovim, K9S
       theme = { colors = (import ../../colorscheme/gruvbox).dark; };
-      nixpkgs.overlays = overlays;
+
+      # Programs and services
       neovim.enable = true;
       cloudflare.enable = true;
       dotfiles.enable = true;
       arrs.enable = true;
-
+      services.bind.enable = true;
       services.caddy.enable = true;
       services.jellyfin.enable = true;
       services.nextcloud.enable = true;
       services.calibre-web.enable = true;
-      services.prometheus.enable = true;
+      services.openssh.enable = true;
+      services.prometheus.enable = false;
+      services.vmagent.enable = true;
       services.samba.enable = true;
 
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
@@ -67,6 +89,7 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
       };
 
+      # Send regular backups and litestream for DBs to an S3-like bucket
       backup.s3 = {
         endpoint = "s3.us-west-002.backblazeb2.com";
         bucket = "noahmasur-backup";

hosts/tempest/default.nix

@@ -17,14 +17,25 @@ inputs.nixpkgs.lib.nixosSystem {
       physical = true;
       networking.hostName = "tempest";
 
+      # Not sure what's necessary but too afraid to remove anything
       boot.initrd.availableKernelModules =
         [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+
+      # Graphics and VMs
       boot.initrd.kernelModules = [ "amdgpu" ];
       boot.kernelModules = [ "kvm-amd" ];
       services.xserver.videoDrivers = [ "amdgpu" ];
+
+      # Required binary blobs to boot on this machine
       hardware.enableRedistributableFirmware = true;
+
+      # Prioritize performance over efficiency
       powerManagement.cpuFreqGovernor = "performance";
+
+      # Allow firmware updates
       hardware.cpu.amd.updateMicrocode = true;
+
+      # Helps reduce GPU fan noise under idle loads
       hardware.fancontrol.enable = true;
       hardware.fancontrol.config = ''
         # Configuration file generated by pwmconfig, changes will be lost
@@ -41,22 +52,29 @@ inputs.nixpkgs.lib.nixosSystem {
         MAXPWM=hwmon0/pwm1=240
       '';
 
+      # File systems must be declared in order to boot
+
+      # This is the root filesystem containing NixOS
       fileSystems."/" = {
         device = "/dev/disk/by-label/nixos";
         fsType = "ext4";
       };
 
+      # This is the boot filesystem for Grub
       fileSystems."/boot" = {
         device = "/dev/disk/by-label/boot";
         fsType = "vfat";
       };
 
-      # Must be prepared ahead
+      # Secrets must be prepared ahead before deploying
-      identityFile = "/home/${globals.user}/.ssh/id_ed25519";
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
 
       # Theming
+
+      # Turn on all features related to desktop and graphical applications
       gui.enable = true;
+
+      # Set the system-wide theme, also used for non-graphical programs
       theme = {
         colors = (import ../../colorscheme/gruvbox-dark).dark;
         dark = true;
@@ -91,7 +109,11 @@ inputs.nixpkgs.lib.nixosSystem {
         leagueoflegends.enable = true;
         ryujinx.enable = true;
       };
+      services.vmagent.enable = true; # Enables Prometheus metrics
+      services.openssh.enable =
+        true; # Required for Cloudflare tunnel and identity file
 
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
@@ -100,6 +122,11 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPY6C0HmdFCaxYtJxFr3qV4/1X4Q8KrYQ1hlme3u1hJXK+xW+lc9Y9glWHrhiTKilB7carYTB80US0O47gI5yU4= open-ssh-ca@cloudflareaccess.org";
       };
 
+      # Allows requests to force machine to wake up
+      # This network interface might change, needs to be set specifically for each machine.
+      # Or set usePredictableInterfaceNames = false
+      networking.interfaces.enp5s0.wakeOnLan.enable = true;
+
     }
   ];
 }

misc/README.md

@@ -0,0 +1,21 @@
+# Miscellaneous
+
+These files contain important data sourced by the configuration, or simply
+information to store for safekeeping later.
+
+---
+
+Creating hashed password for [password.sha512](./password.sha512):
+
+```
+mkpasswd -m sha-512
+```
+
+---
+
+Getting key for [public-keys](./public-keys):
+
+```
+ssh-keyscan -t ed25519 <hostname>
+```
+

misc/libratbag-profile

@@ -0,0 +1,23 @@
+Profile 1: (active)
+Name: n/a
+Report Rate: 1000Hz
+Resolutions:
+  0: 400dpi (active) (default)
+  1: 800dpi
+  2: 1600dpi
+  3: 2400dpi
+  4: 0dpi
+Button: 0 is mapped to 'button 1'
+Button: 1 is mapped to 'button 2'
+Button: 2 is mapped to 'button 3'
+Button: 3 is mapped to 'button 4'
+Button: 4 is mapped to 'button 5'
+Button: 5 is mapped to macro '↕F11'
+Button: 6 is mapped to macro '↕VOLUMEDOWN'
+Button: 7 is mapped to macro '↕VOLUMEUP'
+Button: 8 is mapped to 'unknown'
+Button: 9 is mapped to 'wheel-right'
+Button: 10 is mapped to 'wheel-left'
+LED: 0, depth: monochrome, mode: on, color: 000000
+LED: 1, depth: monochrome, mode: on, color: 000000
+LED: 2, depth: monochrome, mode: on, color: 000000

misc/public-keys

@@ -1,5 +1,6 @@
 # Scan hosts: ssh-keyscan -t ed25519 <hostnames>
 
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s tempest
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s personal
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVknmPi7sG6ES0G0jcsvebzKGWWaMfJTYgvOue6EULI flame
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9mwXlZnIALt9SnH3FOZvdgHLM5ZqwYUERXBbM7Rwh6 swan
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC3yHivgEXr2ecwe58h9bkhwTYivf3GwL8xenQKMeiUb tempest

modules/README.md

@@ -5,4 +5,5 @@
 | [common](./common/default.nix) | User programs and OS-agnostic configuration |
 | [darwin](./darwin/default.nix) | macOS-specific configuration                |
 | [nixos](./nixos/default.nix)   | NixOS-specific configuration                |
+| [wsl](./wsl/default.nix)       | WSL-specific configuration                  |
 

modules/common/applications/firefox.nix

@@ -73,6 +73,7 @@
             "media.ffmpeg.vaapi.enabled" =
               true; # Enable hardware video acceleration
             "cookiebanners.ui.desktop.enabled" = true; # Reject cookie popups
+            "svg.context-properties.content.enabled" = true; # Sidebery styling
           };
           userChrome = ''
             :root {

modules/common/applications/kitty.nix

@@ -11,22 +11,15 @@
 
   config = lib.mkIf (config.gui.enable && config.kitty.enable) {
 
-    # Set the Rofi-Systemd terminal for viewing logs
+    terminal = "${pkgs.kitty}/bin/kitty";
-    # Using optionalAttrs because only available in NixOS
-    environment = { } // lib.attrsets.optionalAttrs
-      (builtins.hasAttr "sessionVariables" config.environment) {
-        sessionVariables.ROFI_SYSTEMD_TERM = "${pkgs.kitty}/bin/kitty";
-      };
 
     home-manager.users.${config.user} = {
 
-      # Set the i3 terminal
+      # Display images in the terminal
-      xsession.windowManager.i3.config.terminal =
+      programs.fish.shellAliases = {
-        lib.mkIf pkgs.stdenv.isLinux "kitty";
+        icat = "kitty +kitten icat";
-
+        ssh = "kitty +kitten ssh";
-      # Set the Rofi terminal for running programs
+      };
-      programs.rofi.terminal =
-        lib.mkIf pkgs.stdenv.isLinux "${pkgs.kitty}/bin/kitty";
 
       programs.kitty = {
         enable = true;
@@ -34,7 +27,10 @@
         extraConfig = "";
         font.size = 14;
         keybindings = {
+          # Use shift+enter to complete text suggestions in fish
           "shift+enter" = "send_text all \\x1F";
+
+          # Easy fullscreen toggle (for macOS)
           "super+f" = "toggle_fullscreen";
         };
         settings = {
@@ -85,7 +81,6 @@
           # Scrollback
           scrolling_lines = 10000;
           scrollback_pager_history_size = 10; # MB
-          scrollback_pager = "${pkgs.neovim}/bin/nvim -c 'normal G'";
 
           # Window
           window_padding_width = 6;
@@ -93,7 +88,7 @@
           tab_bar_edge = "top";
           tab_bar_style = "slant";
 
-          # Audio
+          # Disable audio
           enable_audio_bell = false;
         };
       };

modules/common/applications/media.nix

@@ -22,8 +22,8 @@
         enable = true;
         bindings = { };
         config = {
-          image-display-duration = 2;
+          image-display-duration = 2; # For cycling through images
-          hwdec = "auto-safe";
+          hwdec = "auto-safe"; # Attempt to use GPU decoding for video
         };
         scripts = [
 
@@ -31,25 +31,11 @@
           pkgs.mpvScripts.autoload
 
           # Delete current file after quitting
-          (pkgs.stdenv.mkDerivation rec {
+          pkgs.mpvScripts.mpv-delete-file
-            pname = "mpv-delete-file";
-            version = "0.1"; # made-up
-            src = pkgs.fetchFromGitHub {
-              owner = "zenyd";
-              repo = "mpv-scripts";
-              rev = "19ea069abcb794d1bf8fac2f59b50d71ab992130";
-              sha256 = "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=";
-            } + "/delete_file.lua";
-            dontBuild = true;
-            dontUnpack = true;
-            installPhase =
-              "install -Dm644 ${src} $out/share/mpv/scripts/delete_file.lua";
-            passthru.scriptName = "delete_file.lua";
-          })
         ];
       };
 
-      # Set default for opening PDFs
+      # Set default programs for opening PDFs and other media
       xdg.mimeApps = {
         associations.added = {
           "application/pdf" = [ "pwmt.zathura-cb.desktop" ];

modules/common/default.nix

@@ -59,7 +59,7 @@
     };
     dotfilesRepo = lib.mkOption {
       type = lib.types.str;
-      description = "Link to dotfiles repository.";
+      description = "Link to dotfiles repository HTTPS URL.";
     };
     unfreePackages = lib.mkOption {
       type = lib.types.listOf lib.types.str;

modules/common/mail/default.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  imports = [ ./himalaya.nix ./aerc.nix ];
+  imports = [ ./himalaya.nix ./aerc.nix ./system.nix ];
 
   options = {
     mail.enable = lib.mkEnableOption "Mail service.";
@@ -27,15 +27,32 @@
 
     home-manager.users.${config.user} = {
       programs.mbsync = { enable = true; };
+
+      # Automatically check for mail and keep files synced locally
       services.mbsync = lib.mkIf pkgs.stdenv.isLinux {
         enable = true;
         frequency = "*:0/5";
         postExec = "${pkgs.notmuch}/bin/notmuch new";
       };
+
+      # Used to watch for new mail and trigger sync
       services.imapnotify.enable = pkgs.stdenv.isLinux;
-      programs.notmuch.enable = true;
+
+      # Allows sending email from CLI/sendmail
+      programs.msmtp.enable = true;
+
+      # Better local mail search
+      programs.notmuch = {
+        enable = true;
+        new.ignore =
+          [ ".mbsyncstate.lock" ".mbsyncstate.journal" ".mbsyncstate.new" ];
+      };
+
       accounts.email = {
+
+        # Where email files are stored
         maildirBasePath = "${config.homePath}/mail";
+
         accounts = {
           home = let address = "${config.mail.user}@${config.mail.server}";
           in {
@@ -48,13 +65,17 @@
               "hey"
               "admin"
             ];
+
+            # Options for contact completion
             alot = { };
-            flavor = "plain";
+
             imap = {
               host = config.mail.imapHost;
               port = 993;
               tls.enable = true;
             };
+
+            # Watch for mail and run notifications or sync
             imapnotify = {
               enable = true;
               boxes = [ "Inbox" ];
@@ -63,7 +84,11 @@
                 config.home-manager.users.${config.user}.services.dunst.enable
                 "${pkgs.libnotify}/bin/notify-send 'New mail arrived'";
             };
+
+            # Name of the directory in maildir for this account
             maildir = { path = "main"; };
+
+            # Bi-directional syncing options for local files
             mbsync = {
               enable = true;
               create = "both";
@@ -74,12 +99,17 @@
                 CopyArrivalDate = "yes"; # Sync time of original message
               };
             };
+
+            # Enable indexing
             notmuch.enable = true;
+
+            # Used to login and send and receive emails
             passwordCommand =
-              "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
+              "${pkgs.age}/bin/age --decrypt --identity ~/.ssh/id_ed25519 ${
                 pkgs.writeText "mailpass.age"
                 (builtins.readFile ../../../private/mailpass.age)
               }";
+
             smtp = {
               host = config.mail.smtpHost;
               port = 465;

modules/common/mail/system.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }: {
+
+  config = lib.mkIf (config.mail.enable || config.server) {
+
+    home-manager.users.${config.user} = {
+
+      programs.msmtp.enable = true;
+
+      # The system user for sending automatic notifications
+      accounts.email.accounts.system =
+        let address = "system@${config.mail.server}";
+        in {
+          userName = address;
+          realName = "NixOS System";
+          primary = !config.mail.enable; # Only primary if mail not enabled
+          inherit address;
+          passwordCommand =
+            "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
+              pkgs.writeText "mailpass-system.age"
+              (builtins.readFile ../../../private/mailpass-system.age)
+            }";
+          msmtp.enable = true;
+          smtp = {
+            host = config.mail.smtpHost;
+            port = 465;
+            tls.enable = true;
+          };
+        };
+
+    };
+
+  };
+
+}

modules/common/neovim/config/align.nix

@@ -1,4 +1,7 @@
 { pkgs, ... }: {
+
+  # Plugin for aligning text programmatically
+
   plugins = [ pkgs.vimPlugins.tabular ];
   lua = ''
     -- Align

modules/common/neovim/config/bufferline.nix

@@ -1,4 +1,7 @@
 { pkgs, ... }: {
+
+  # Shows buffers in a VSCode-style tab layout
+
   plugins = [
     pkgs.vimPlugins.bufferline-nvim
     pkgs.vimPlugins.vim-bbye # Better closing of buffers

modules/common/neovim/config/colors.nix

@@ -1,5 +1,7 @@
 { pkgs, lib, config, ... }: {
 
+  # Sets Neovim colors based on Nix colorscheme
+
   options.colors = lib.mkOption {
     type = lib.types.attrsOf lib.types.str;
     description = "Attrset of base16 colorscheme key value pairs.";

modules/common/neovim/config/completion.nix

@@ -24,12 +24,14 @@
       end
     '';
 
+    # Enable Luasnip snippet completion
     snippet.expand = dsl.rawLua ''
       function(args)
           require("luasnip").lsp_expand(args.body)
       end
     '';
 
+    # Basic completion keybinds
     mapping = {
       "['<C-n>']" = dsl.rawLua
         "require('cmp').mapping.select_next_item({ behavior = require('cmp').SelectBehavior.Insert })";
@@ -64,24 +66,26 @@
       '';
     };
 
+    # These are where the completion engine gets its suggestions
     sources = [
-      { name = "nvim_lua"; }
+      { name = "nvim_lua"; } # Fills in common Neovim lua functions
-      { name = "nvim_lsp"; }
+      { name = "nvim_lsp"; } # LSP results
-      { name = "luasnip"; }
+      { name = "luasnip"; } # Snippets
-      { name = "path"; }
+      { name = "path"; } # Shell completion from current PATH
       {
-        name = "buffer";
+        name = "buffer"; # Grep for text from the current text buffer
         keyword_length = 3;
         max_item_count = 10;
       }
       {
-        name = "rg";
+        name = "rg"; # Grep for text from the current directory
         keyword_length = 6;
         max_item_count = 10;
         option = { additional_arguments = "--ignore-case"; };
       }
     ];
 
+    # Styling of the completion menu
     formatting = {
       fields = [ "kind" "abbr" "menu" ];
       format = dsl.rawLua ''

modules/common/neovim/config/misc.nix

@@ -7,11 +7,14 @@
     pkgs.vimPlugins.comment-nvim # Smart comment commands
     pkgs.vimPlugins.glow-nvim # Markdown preview popup
     pkgs.vimPlugins.nvim-colorizer-lua # Hex color previews
+    pkgs.vimPlugins.which-key-nvim # Keybind helper
   ];
 
+  # Initialize some plugins
   setup.Comment = { };
   setup.colorizer = { };
   setup.glow = { };
+  setup.which-key = { };
 
   vim.o = {
     termguicolors = true; # Set to truecolor
@@ -41,11 +44,17 @@
     relativenumber = true; # Relative numbers instead of absolute
   };
 
+  # For which-key-nvim
+  vim.o.timeout = true;
+  vim.o.timeoutlen = 300;
+
   # Better backup, swap and undo storage
   vim.o.backup = true; # Easier to recover and more secure
   vim.bo.swapfile = false; # Instead of swaps, create backups
   vim.bo.undofile = true; # Keeps undos after quit
-  vim.o.backupdir = dsl.rawLua ''vim.fn.stdpath("cache") .. "/backup"'';
+  vim.o.backupdir =
+    dsl.rawLua ''vim.fn.expand("~/.local/state/nvim/backup//")'';
+  vim.o.undodir = dsl.rawLua ''vim.fn.expand("~/.local/state/nvim/undo//")'';
 
   # Required for nvim-cmp completion
   vim.opt.completeopt = [ "menu" "menuone" "noselect" ];

modules/common/neovim/config/statusline.nix

@@ -2,7 +2,7 @@
   plugins = [ pkgs.vimPlugins.lualine-nvim ];
   setup.lualine = {
     options = {
-      theme = "gruvbox";
+      theme = "base16";
       icons_enabled = true;
     };
   };

modules/common/neovim/config/syntax.nix

@@ -6,12 +6,15 @@
         tree-sitter-bash
         tree-sitter-fish
         tree-sitter-hcl
+        tree-sitter-ini
         tree-sitter-json
         tree-sitter-lua
         tree-sitter-markdown
         tree-sitter-markdown-inline
         tree-sitter-nix
+        tree-sitter-puppet
         tree-sitter-python
+        tree-sitter-rasi
         tree-sitter-toml
         tree-sitter-yaml
       ]))
@@ -19,7 +22,8 @@
     pkgs.vimPlugins.playground # Tree-sitter experimenting
     pkgs.vimPlugins.nginx-vim
     pkgs.vimPlugins.vim-helm
-    pkgs.vimPlugins.vim-puppet
+    pkgs.baleia-nvim # Clean ANSI from kitty scrollback
+    # pkgs.hmts-nvim # Tree-sitter injections for home-manager
     (pkgs.vimUtils.buildVimPluginFrom2Nix {
       pname = "nmasur";
       version = "0.1";
@@ -30,6 +34,7 @@
   setup."nvim-treesitter.configs" = {
     highlight = { enable = true; };
     indent = { enable = true; };
+    matchup = { enable = true; }; # Uses vim-matchup
 
     textobjects = {
       select = {

modules/common/neovim/config/telescope.nix

@@ -1,5 +1,7 @@
 { pkgs, dsl, ... }: {
 
+  # Telescope is a fuzzy finder that can work with different sub-plugins
+
   plugins = [
     pkgs.vimPlugins.telescope-nvim
     pkgs.vimPlugins.project-nvim

modules/common/neovim/config/toggleterm.lua

@@ -12,6 +12,8 @@ vim.api.nvim_create_autocmd("TermOpen", {
     end,
 })
 
+-- These are all the different types of terminals we can trigger
+
 local terminal = require("toggleterm.terminal").Terminal
 
 local basicterminal = terminal:new()

modules/common/neovim/config/toggleterm.nix

@@ -1,5 +1,7 @@
 { pkgs, dsl, ... }: {
 
+  # Toggleterm provides a floating terminal inside the editor for quick access
+
   plugins = [ pkgs.vimPlugins.toggleterm-nvim ];
 
   use.toggleterm.setup = dsl.callWith {

modules/common/neovim/config/tree.nix

@@ -1,5 +1,7 @@
 { pkgs, dsl, ... }: {
 
+  # This plugin creates a side drawer for navigating the current project
+
   plugins = [ pkgs.vimPlugins.nvim-tree-lua pkgs.vimPlugins.nvim-web-devicons ];
 
   # Disable netrw eagerly
@@ -10,16 +12,16 @@
   };
 
   setup.nvim-tree = {
-    disable_netrw = true;
+    disable_netrw = true; # Disable the built-in file manager
-    hijack_netrw = true;
+    hijack_netrw = true; # Works as the file manager
-    sync_root_with_cwd = true;
+    sync_root_with_cwd = true; # Change project whenever currend dir changes
-    respect_buf_cwd = true;
+    respect_buf_cwd = true; # Change to exact location of focused buffer
-    update_focused_file = {
+    update_focused_file = { # Change project based on the focused buffer
       enable = true;
       update_root = true;
       ignore_list = { };
     };
-    diagnostics = {
+    diagnostics = { # Enable LSP and linter integration
       enable = true;
       icons = {
         hint = "";
@@ -28,7 +30,7 @@
         error = "";
       };
     };
-    renderer = {
+    renderer = { # Show files with changes vs. current commit
       icons = {
         glyphs = {
           git = {
@@ -43,6 +45,7 @@
         };
       };
     };
+    # Set keybinds and initialize program
     on_attach = dsl.rawLua ''
       function (bufnr)
         local api = require('nvim-tree.api')
@@ -58,7 +61,7 @@
         vim.keymap.set('n', 'v', api.node.open.vertical, opts('Open: Vertical Split'))
       end
     '';
-    view = {
+    view = { # Set look and feel
       width = 30;
       hide_root_folder = false;
       side = "left";
@@ -67,6 +70,7 @@
     };
   };
 
+  # Toggle the sidebar
   lua = ''
     vim.keymap.set("n", "<Leader>e", ":NvimTreeFindFileToggle<CR>", { silent = true })
   '';

modules/common/neovim/default.nix

@@ -18,11 +18,17 @@ in {
 
         home.packages = [ neovim ];
 
+        # Use Neovim as the editor for git commit messages
         programs.git.extraConfig.core.editor = "nvim";
+        programs.jujutsu.settings.ui.editor = "nvim";
+
+        # Set Neovim as the default app for text editing and manual pages
         home.sessionVariables = {
           EDITOR = "nvim";
           MANPAGER = "nvim +Man!";
         };
+
+        # Create quick aliases for launching Neovim
         programs.fish = {
           shellAliases = { vim = "nvim"; };
           shellAbbrs = {
@@ -31,12 +37,20 @@ in {
             vll = "nvim -c 'Telescope oldfiles'";
           };
         };
-        programs.kitty.settings.scrollback_pager = lib.mkForce ''
-          ${neovim}/bin/nvim -c 'setlocal nonumber nolist showtabline=0 foldcolumn=0|Man!' -c "autocmd VimEnter * normal G" -'';
 
+        # Set Neovim as the kitty terminal "scrollback" (vi mode) option.
+        # Requires removing some of the ANSI escape codes that are sent to the
+        # scrollback using sed and baleia, as well as removing several
+        # unnecessary features.
+        programs.kitty.settings.scrollback_pager = ''
+          $SHELL -c 'sed -r "s/[[:cntrl:]]\]133;[AC]..//g" | ${neovim}/bin/nvim -c "setlocal nonumber norelativenumber nolist laststatus=0" -c "lua baleia = require(\"baleia\").setup({}); baleia.once(0)" -c "map <silent> q :qa!<CR>" -c "autocmd VimEnter * normal G"' '';
+
+        # Create a desktop option for launching Neovim from a file manager
+        # (Requires launching the terminal and then executing Neovim)
         xdg.desktopEntries.nvim = lib.mkIf pkgs.stdenv.isLinux {
           name = "Neovim wrapper";
           exec = "kitty nvim %F";
+          mimeType = [ "text/plain" "text/markdown" ];
         };
         xdg.mimeApps.defaultApplications = lib.mkIf pkgs.stdenv.isLinux {
           "text/plain" = [ "nvim.desktop" ];
@@ -45,9 +59,6 @@ in {
 
       };
 
-    # # Used for icons in Vim
-    # fonts.fonts = with pkgs; [ nerdfonts ];
-
   };
 
 }

modules/common/neovim/lua/keybinds.lua

@@ -39,7 +39,7 @@ key("n", "<Leader>fs", ":write<CR>")
 key("n", "<Leader>fd", ":lcd %:p:h<CR>", { silent = true })
 key("n", "<Leader>fu", ":lcd ..<CR>", { silent = true })
 key("n", "<Leader><Tab>", ":b#<CR>", { silent = true })
-key("n", "<Leader>gr", ":!gh repo view -w<CR><CR>", { silent = true })
+key("n", "<Leader>gr", ":!gh browse %<CR><CR>", { silent = true })
 key("n", "<Leader>tt", [[<Cmd>exe 'edit $NOTES_PATH/journal/'.strftime("%Y-%m-%d_%a").'.md'<CR>]])
 key("n", "<Leader>jj", ":!journal<CR>:e<CR>")
 

modules/common/neovim/lua/settings.lua

@@ -6,7 +6,7 @@ vim.filetype.add({
     pattern = {
         [".*%.tfvars"] = "terraform",
         [".*%.tf"] = "terraform",
-        [".*%.rasi"] = "css",
+        [".*%.rasi"] = "rasi",
     },
 })
 

modules/common/repositories/dotfiles.nix

@@ -1,5 +1,7 @@
 { config, pkgs, lib, ... }: {
 
+  # Allows me to make sure I can work on my dotfiles locally
+
   options.dotfiles.enable = lib.mkEnableOption "Clone dotfiles.";
 
   config = lib.mkIf config.dotfiles.enable {
@@ -14,13 +16,8 @@
           [ "writeBoundary" ] ''
             if [ ! -d "${config.dotfilesPath}" ]; then
                 $DRY_RUN_CMD mkdir --parents $VERBOSE_ARG $(dirname "${config.dotfilesPath}")
-
+                $DRY_RUN_CMD ${pkgs.git}/bin/git \
-                # Force HTTPS because anonymous SSH doesn't work
+                    clone ${config.dotfilesRepo} "${config.dotfilesPath}"
-                GIT_CONFIG_COUNT=1 \
-                    GIT_CONFIG_KEY_0="url.https://github.com/.insteadOf" \
-                    GIT_CONFIG_VALUE_0="git@github.com:" \
-                    $DRY_RUN_CMD \
-                    ${pkgs.git}/bin/git clone ${config.dotfilesRepo} "${config.dotfilesPath}"
             fi
           '';
 

modules/common/repositories/notes.nix

@@ -1,5 +1,8 @@
 { config, ... }: {
 
+  # This is just a placeholder as I expect to interact with my notes in a
+  # certain location
+
   home-manager.users.${config.user} = {
 
     home.sessionVariables = {

modules/common/shell/bash/scripts/docker-cleanup.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Stop all containers
+if [ "$(docker ps -a -q)" ]; then
+    echo "Stopping docker containers..."
+    docker stop "$(docker ps -a -q)"
+else
+    echo "No running docker containers."
+fi
+
+# Remove all stopped containers
+if [ "$(docker ps -a -q)" ]; then
+    echo "Removing docker containers..."
+    docker rm "$(docker ps -a -q)"
+else
+    echo "No stopped docker containers."
+fi
+
+# Remove all untagged images
+if docker images | grep -q "^<none>"; then
+    docker rmi "$(docker images | grep "^<none>" | awk '{print $3}')"
+else
+    echo "No untagged docker images."
+fi
+
+echo "Cleaned up docker."

modules/common/shell/charm.nix

@@ -1,5 +1,7 @@
 { config, pkgs, lib, ... }: {
 
+  # Convenience utilities from charm.sh
+
   options.charm.enable = lib.mkEnableOption "Charm utilities.";
 
   config.home-manager.users.${config.user} = lib.mkIf config.charm.enable {

modules/common/shell/default.nix

@@ -7,6 +7,7 @@
     ./fzf.nix
     ./git.nix
     ./github.nix
+    ./jujutsu.nix
     ./nixpkgs.nix
     ./starship.nix
     ./utilities.nix

modules/common/shell/direnv.nix

@@ -1,5 +1,6 @@
 { config, ... }: {
 
+  # Enables quickly entering Nix shells when changing directories
   home-manager.users.${config.user}.programs.direnv = {
     enable = true;
     nix-direnv.enable = true;

modules/common/shell/fish/default.nix

@@ -1,8 +1,7 @@
 { config, pkgs, lib, ... }: {
 
   users.users.${config.user}.shell = pkgs.fish;
-  programs.fish.enable =
+  programs.fish.enable = true; # Needed for LightDM to remember username
-    true; # Needed for LightDM to remember username (TODO: fix)
 
   home-manager.users.${config.user} = {
 
@@ -12,8 +11,14 @@
     programs.fish = {
       enable = true;
       shellAliases = {
+
+        # Version of bash which works much better on the terminal
         bash = "${pkgs.bashInteractive}/bin/bash";
-        ls = "exa";
+
+        # Use exa instead of ls for fancier output
+        ls = "exa --group";
+
+        # Move files to XDG trash on the commandline
         trash = lib.mkIf pkgs.stdenv.isLinux "${pkgs.trash-cli}/bin/trash-put";
       };
       functions = {

modules/common/shell/fish/functions/fish_user_key_bindings.fish

@@ -14,7 +14,7 @@ bind -M insert \cp projects
 bind -M default \cp projects
 bind -M insert \x1F accept-autosuggestion
 bind -M default \x1F accept-autosuggestion
-bind -M insert \cn 'commandline -r "nix run nixpkgs#"'
+bind -M insert \cn 'commandline -r "nix shell nixpkgs#"'
-bind -M default \cn 'commandline -r "nix run nixpkgs#"'
+bind -M default \cn 'commandline -r "nix shell nixpkgs#"'
 bind -M insert \x11F nix-fzf
 bind -M default \x11F nix-fzf

modules/common/shell/fzf.nix

@@ -1,5 +1,7 @@
 { config, ... }: {
 
+  # FZF is a fuzzy-finder for the terminal
+
   home-manager.users.${config.user} = {
 
     programs.fzf.enable = true;

modules/common/shell/github.nix

@@ -5,7 +5,7 @@
     programs.gh =
       lib.mkIf config.home-manager.users.${config.user}.programs.git.enable {
         enable = true;
-        enableGitCredentialHelper = true;
+        gitCredentialHelper.enable = true;
         settings.git_protocol = "https";
       };
 

modules/common/shell/jujutsu.nix

@@ -0,0 +1,21 @@
+{ config, ... }: {
+
+  config = {
+
+    home-manager.users.${config.user}.programs.jujutsu = {
+      enable = true;
+      enableFishIntegration = true;
+
+      # https://github.com/martinvonz/jj/blob/main/docs/config.md
+      settings = {
+        user = {
+          name = config.home-manager.users.${config.user}.programs.git.userName;
+          email =
+            config.home-manager.users.${config.user}.programs.git.userEmail;
+        };
+      };
+    };
+
+  };
+
+}

modules/common/shell/nixpkgs.nix

@@ -73,6 +73,9 @@
       path = builtins.toString pkgs.path;
     };
 
+    # For security, only allow specific users
+    settings.allowed-users = [ "@wheel" config.user ];
+
   };
 
 }

modules/common/shell/starship.nix

@@ -13,7 +13,7 @@
         "$cmd_duration"
         "$character"
       ];
-      right_format = "$nix_shell";
+      # right_format = "$nix_shell";
       character = {
         success_symbol = "[❯](bold green)";
         error_symbol = "[❯](bold red)";

modules/common/shell/utilities.nix

@@ -23,6 +23,7 @@ in {
         dig # DNS lookup
         fd # find
         htop # Show system processes
+        killall # Force quit
         inetutils # Includes telnet, whois
         jq # JSON manipulation
         lf # File viewer
@@ -34,6 +35,9 @@ in {
         tree # View directory hierarchy
         vimv-rs # Batch rename files
         unzip # Extract zips
+        dua # File sizes (du)
+        du-dust # Disk usage tree (ncdu)
+        duf # Basic disk information (df)
       ];
 
       programs.zoxide.enable = true; # Shortcut jump command
@@ -52,10 +56,6 @@ in {
         };
       };
 
-      programs.fish.shellAbbrs = {
-        cat = "bat"; # Swap cat with bat
-      };
-
       programs.fish.functions = {
         ping = {
           description = "Improved ping";

modules/darwin/hammerspoon.nix

@@ -20,12 +20,22 @@
         };
       xdg.configFile."hammerspoon/Spoons/MoveWindow.spoon".source =
         ./hammerspoon/Spoons/MoveWindow.spoon;
+
+      home.activation.reloadHammerspoon =
+        config.home-manager.users.${config.user}.lib.dag.entryAfter
+        [ "writeBoundary" ] ''
+          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.reload()"
+          $DRY_RUN_CMD sleep 1
+          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.console.clearConsole()"
+        '';
+
     };
 
     homebrew.casks = [ "hammerspoon" ];
 
     system.activationScripts.postUserActivation.text = ''
       defaults write org.hammerspoon.Hammerspoon MJConfigFile "~/.config/hammerspoon/init.lua"
+      sudo killall Dock
     '';
 
   };

modules/darwin/hammerspoon/init.lua

@@ -2,3 +2,4 @@ hs.loadSpoon("ControlEscape"):start() -- Load Hammerspoon bits from https://gith
 hs.loadSpoon("Launcher"):init()
 hs.loadSpoon("DismissAlerts"):init()
 hs.loadSpoon("MoveWindow"):init()
+hs.ipc.cliInstall() -- Install Hammerspoon CLI program

modules/nixos/applications/calibre.nix

@@ -14,6 +14,8 @@
       home.packages = with pkgs; [ calibre ];
       # home.sessionVariables = { CALIBRE_USE_DARK_PALETTE = 1; };
     };
+
+    # Forces Calibre to use dark mode
     environment.sessionVariables = { CALIBRE_USE_DARK_PALETTE = "1"; };
   };
 }

modules/nixos/applications/nautilus.nix

@@ -18,12 +18,14 @@
 
     home-manager.users.${config.user} = {
 
+      # Quick button for launching nautilus
       xsession.windowManager.i3.config.keybindings = {
         "${
           config.home-manager.users.${config.user}.xsession.windowManager.i3.config.modifier
         }+n" = "exec --no-startup-id ${pkgs.gnome.nautilus}/bin/nautilus";
       };
 
+      # Generates a QR code and previews it with sushi
       programs.fish.functions = {
         qr = {
           body =
@@ -31,7 +33,7 @@
         };
       };
 
-      # Set default for opening directories
+      # Set Nautilus as default for opening directories
       xdg.mimeApps = {
         associations.added."inode/directory" = [ "org.gnome.Nautilus.desktop" ];
         # associations.removed = {
@@ -40,6 +42,7 @@
         defaultApplications."inode/directory" =
           lib.mkBefore [ "org.gnome.Nautilus.desktop" ];
       };
+
     };
 
     # # Set default for opening directories
@@ -50,6 +53,13 @@
     #     lib.mkForce [ "org.gnome.Nautilus.desktop" ];
     # };
 
+    # Delete Trash files older than 1 week
+    systemd.user.services.empty-trash = {
+      description = "Empty Trash on a regular basis";
+      wantedBy = [ "default.target" ];
+      script = "${pkgs.trash-cli}/bin/trash-empty 7";
+    };
+
   };
 
 }

modules/nixos/gaming/steam.nix

@@ -22,6 +22,10 @@
 
     ];
 
+    # Seems like NetworkManager can help speed up Steam launch
+    # https://www.reddit.com/r/archlinux/comments/qguhco/steam_startup_time_arch_1451_seconds_fedora_34/hi8opet/
+    networking.networkmanager.enable = true;
+
   };
 
 }

modules/nixos/graphical/default.nix

@@ -3,7 +3,9 @@
   imports = [
     ./dunst.nix
     ./fonts.nix
+    ./gtk.nix
     ./i3.nix
+    ./keybinds.nix
     ./picom.nix
     ./polybar.nix
     ./rofi.nix
@@ -12,14 +14,6 @@
 
   options = {
 
-    launcherCommand = lib.mkOption {
-      type = lib.types.str;
-      description = "Command to use for launching";
-    };
-    systemdSearch = lib.mkOption {
-      type = lib.types.str;
-      description = "Command to use for interacting with systemd";
-    };
     altTabCommand = lib.mkOption {
       type = lib.types.str;
       description = "Command to use for choosing windows";
@@ -36,14 +30,30 @@
       type = lib.types.str;
       description = "Command to use for quick calculations";
     };
-    toggleBarCommand = lib.mkOption {
+    launcherCommand = lib.mkOption {
       type = lib.types.str;
-      description = "Command to hide and show the status bar.";
+      description = "Command to use for launching";
+    };
+    lockScreenCommand = lib.mkOption {
+      type = lib.types.str;
+      description = "Command to use to lock the screen";
     };
     powerCommand = lib.mkOption {
       type = lib.types.str;
       description = "Command to use for power options menu";
     };
+    systemdSearch = lib.mkOption {
+      type = lib.types.str;
+      description = "Command to use for interacting with systemd";
+    };
+    terminal = lib.mkOption {
+      type = lib.types.str;
+      description = "Package to use for graphical terminal";
+    };
+    toggleBarCommand = lib.mkOption {
+      type = lib.types.str;
+      description = "Command to hide and show the status bar.";
+    };
     wallpaper = lib.mkOption {
       type = lib.types.path;
       description = "Wallpaper background image file";

modules/nixos/graphical/fonts.nix

@@ -6,7 +6,7 @@ in {
 
   config = lib.mkIf (config.gui.enable && pkgs.stdenv.isLinux) {
 
-    fonts.fonts = with pkgs; [
+    fonts.packages = with pkgs; [
       victor-mono # Used for Vim and Terminal
       (nerdfonts.override { fonts = [ "Hack" ]; }) # For Polybar, Rofi
     ];

modules/nixos/graphical/gtk.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }: {
+
+  options = {
+    gtk.theme = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        description = "Theme name for GTK applications";
+      };
+      package = lib.mkOption {
+        type = lib.types.package;
+        description = "Theme package for GTK applications";
+        default = pkgs.gnome-themes-extra;
+      };
+    };
+  };
+
+  config = lib.mkIf config.gui.enable {
+
+    home-manager.users.${config.user} = {
+
+      gtk = let
+        gtkExtraConfig = {
+          gtk-application-prefer-dark-theme = config.theme.dark;
+        };
+      in {
+        enable = true;
+        theme = {
+          name = config.gtk.theme.name;
+          package = config.gtk.theme.package;
+        };
+        gtk3.extraConfig = gtkExtraConfig;
+        gtk4.extraConfig = gtkExtraConfig;
+      };
+
+    };
+
+    # Required for setting GTK theme (for preferred-color-scheme in browser)
+    services.dbus.packages = [ pkgs.dconf ];
+    programs.dconf.enable = true;
+
+    # Make the login screen dark
+    services.xserver.displayManager.lightdm.greeters.gtk.theme = {
+      name = config.gtk.theme.name;
+      package = config.gtk.theme.package;
+    };
+
+    environment.sessionVariables = { GTK_THEME = config.gtk.theme.name; };
+
+  };
+
+}

modules/nixos/graphical/i3.nix

@@ -2,11 +2,22 @@
 
 let
 
-  lockCmd =
-    "${pkgs.betterlockscreen}/bin/betterlockscreen --lock --display 1 --blur 0.5 --span";
   lockUpdate =
     "${pkgs.betterlockscreen}/bin/betterlockscreen --update ${config.wallpaper} --display 1 --span";
 
+  workspaces = {
+    "1" = "1:I";
+    "2" = "2:II";
+    "3" = "3:III";
+    "4" = "4:IV";
+    "5" = "5:V";
+    "6" = "6:VI";
+    "7" = "7:VII";
+    "8" = "8:VIII";
+    "9" = "9:IX";
+    "10" = "10:X";
+  };
+
 in {
 
   config = lib.mkIf pkgs.stdenv.isLinux {
@@ -23,29 +34,18 @@ in {
     home-manager.users.${config.user} = {
       xsession.windowManager.i3 = {
         enable = config.services.xserver.enable;
-        config = let
+        config = let modifier = "Mod4"; # Super key
-          modifier = "Mod4"; # Super key
-          ws1 = "1:I";
-          ws2 = "2:II";
-          ws3 = "3:III";
-          ws4 = "4:IV";
-          ws5 = "5:V";
-          ws6 = "6:VI";
-          ws7 = "7:VII";
-          ws8 = "8:VIII";
-          ws9 = "9:IX";
-          ws10 = "10:X";
         in {
           modifier = modifier;
           assigns = {
-            "${ws1}" = [{ class = "Firefox"; }];
+            "${workspaces."1"}" = [{ class = "Firefox"; }];
-            "${ws2}" = [
+            "${workspaces."2"}" = [
               { class = "kitty"; }
               { class = "aerc"; }
               { class = "obsidian"; }
             ];
-            "${ws3}" = [{ class = "discord"; }];
+            "${workspaces."3"}" = [{ class = "discord"; }];
-            "${ws4}" = [{ class = "Steam"; }];
+            "${workspaces."4"}" = [{ class = "Steam"; }];
           };
           bars = [{ command = "echo"; }]; # Disable i3bar
           colors = let
@@ -91,129 +91,7 @@ in {
             newWindow = "urgent";
             followMouse = false;
           };
-          keybindings = {
+          keybindings = { };
-
-            # Adjust screen brightness
-            "Shift+F12" =
-              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 + 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 + 30";
-            "Shift+F11" =
-              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 - 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 - 30";
-            "XF86MonBrightnessUp" =
-              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 + 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 + 30";
-            "XF86MonBrightnessDown" =
-              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 - 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 - 30";
-
-            # Media player controls
-            "XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
-            "XF86AudioStop" = "exec ${pkgs.playerctl}/bin/playerctl stop";
-            "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
-            "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
-
-            # Launchers
-            "${modifier}+Return" =
-              "exec --no-startup-id kitty; workspace ${ws2}; layout tabbed";
-            "${modifier}+space" =
-              "exec --no-startup-id ${config.launcherCommand}";
-            "${modifier}+Shift+s" =
-              "exec --no-startup-id ${config.systemdSearch}";
-            "${modifier}+Shift+a" =
-              "exec --no-startup-id ${config.audioSwitchCommand}";
-            "Mod1+Tab" = "exec --no-startup-id ${config.altTabCommand}";
-            "${modifier}+Shift+period" =
-              "exec --no-startup-id ${config.powerCommand}";
-            "${modifier}+Shift+m" =
-              "exec --no-startup-id ${config.brightnessCommand}";
-            "${modifier}+c" =
-              "exec --no-startup-id ${config.calculatorCommand}";
-            "${modifier}+Shift+c" = "reload";
-            "${modifier}+Shift+r" = "restart";
-            "${modifier}+Shift+q" = ''
-              exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -B 'Yes, exit i3' 'i3-msg exit'"'';
-            "${modifier}+Shift+x" = "exec ${lockCmd}";
-            "${modifier}+Mod1+h" =
-              "exec --no-startup-id kitty sh -c '${pkgs.home-manager}/bin/home-manager switch --flake ${config.dotfilesPath}#${config.networking.hostName} || read'";
-            "${modifier}+Mod1+r" =
-              "exec --no-startup-id kitty sh -c 'doas nixos-rebuild switch --flake ${config.dotfilesPath}#${config.networking.hostName} || read'";
-
-            # Window options
-            "${modifier}+q" = "kill";
-            "${modifier}+b" = "exec ${config.toggleBarCommand}";
-            "${modifier}+f" = "fullscreen toggle";
-            "${modifier}+h" = "focus left";
-            "${modifier}+j" = "focus down";
-            "${modifier}+k" = "focus up";
-            "${modifier}+l" = "focus right";
-            "${modifier}+Left" = "focus left";
-            "${modifier}+Down" = "focus down";
-            "${modifier}+Up" = "focus up";
-            "${modifier}+Right" = "focus right";
-            "${modifier}+Shift+h" = "move left";
-            "${modifier}+Shift+j" = "move down";
-            "${modifier}+Shift+k" = "move up";
-            "${modifier}+Shift+l" = "move right";
-            "${modifier}+Shift+Left" = "move left";
-            "${modifier}+Shift+Down" = "move down";
-            "${modifier}+Shift+Up" = "move up";
-            "${modifier}+Shift+Right" = "move right";
-
-            # Tiling
-            "${modifier}+i" = "split h";
-            "${modifier}+v" = "split v";
-            "${modifier}+s" = "layout stacking";
-            "${modifier}+t" = "layout tabbed";
-            "${modifier}+e" = "layout toggle split";
-            "${modifier}+Shift+space" = "floating toggle";
-            "${modifier}+Control+space" = "focus mode_toggle";
-            "${modifier}+a" = "focus parent";
-
-            # Workspaces
-            "${modifier}+1" = "workspace ${ws1}";
-            "${modifier}+2" = "workspace ${ws2}";
-            "${modifier}+3" = "workspace ${ws3}";
-            "${modifier}+4" = "workspace ${ws4}";
-            "${modifier}+5" = "workspace ${ws5}";
-            "${modifier}+6" = "workspace ${ws6}";
-            "${modifier}+7" = "workspace ${ws7}";
-            "${modifier}+8" = "workspace ${ws8}";
-            "${modifier}+9" = "workspace ${ws9}";
-            "${modifier}+0" = "workspace ${ws10}";
-
-            # Move windows
-            "${modifier}+Shift+1" =
-              "move container to workspace ${ws1}; workspace ${ws1}";
-            "${modifier}+Shift+2" =
-              "move container to workspace ${ws2}; workspace ${ws2}";
-            "${modifier}+Shift+3" =
-              "move container to workspace ${ws3}; workspace ${ws3}";
-            "${modifier}+Shift+4" =
-              "move container to workspace ${ws4}; workspace ${ws4}";
-            "${modifier}+Shift+5" =
-              "move container to workspace ${ws5}; workspace ${ws5}";
-            "${modifier}+Shift+6" =
-              "move container to workspace ${ws6}; workspace ${ws6}";
-            "${modifier}+Shift+7" =
-              "move container to workspace ${ws7}; workspace ${ws7}";
-            "${modifier}+Shift+8" =
-              "move container to workspace ${ws8}; workspace ${ws8}";
-            "${modifier}+Shift+9" =
-              "move container to workspace ${ws9}; workspace ${ws9}";
-            "${modifier}+Shift+0" =
-              "move container to workspace ${ws10}; workspace ${ws10}";
-
-            # Move screens
-            "${modifier}+Control+l" = "move workspace to output right";
-            "${modifier}+Control+h" = "move workspace to output left";
-
-            # Resizing
-            "${modifier}+r" = ''mode "resize"'';
-            "${modifier}+Control+Shift+h" =
-              "resize shrink width 10 px or 10 ppt";
-            "${modifier}+Control+Shift+j" =
-              "resize grow height 10 px or 10 ppt";
-            "${modifier}+Control+Shift+k" =
-              "resize shrink height 10 px or 10 ppt";
-            "${modifier}+Control+Shift+l" = "resize grow width 10 px or 10 ppt";
-          };
           modes = { };
           startup = [
             {
@@ -222,16 +100,15 @@ in {
               notification = false;
             }
             {
-              command =
+              command = "i3-msg focus right, workspace ${workspaces."2"}";
-                "i3-msg workspace ${ws2}, move workspace to output right";
               notification = false;
             }
             {
-              command =
+              command = "i3-msg focus left, workspace ${workspaces."1"}";
-                "i3-msg workspace ${ws1}, move workspace to output left";
               notification = false;
             }
           ];
+          terminal = config.terminal;
           window = {
             border = 0;
             hideEdgeBorders = "smart";
@@ -239,22 +116,74 @@ in {
           };
           workspaceAutoBackAndForth = false;
           workspaceOutputAssign = [ ];
-          # gaps = {
-          # bottom = 8;
-          # top = 8;
-          # left = 8;
-          # right = 8;
-          # horizontal = 15;
-          # vertical = 15;
-          # inner = 15;
-          # outer = 0;
-          # smartBorders = "off";
-          # smartGaps = false;
-          # };
         };
         extraConfig = "";
       };
 
+      services.sxhkd.keybindings = let
+
+        # Shortcuts
+        i3-msg = "${pkgs.i3}/bin/i3-msg";
+
+      in {
+
+        # Window navigation
+        "super + {_,shift +}{h,j,k,l}" =
+          ''${i3-msg} "{focus,move} {left,down,up,right}"'';
+        "super + {_,shift +}{Left,Down,Up,Right}" =
+          ''${i3-msg} "{focus,move} {left,down,up,right}"'';
+        "super + q" = ''${i3-msg} "kill"'';
+        "super + f" = ''${i3-msg} "fullscreen toggle"'';
+
+        # Screen management
+        "super + control + l" = ''${i3-msg} "move workspace to output right"'';
+        "super + control + h" = ''${i3-msg} "move workspace to output left"'';
+
+        # Window layouts and tiling
+        "super + {i,v}" = ''${i3-msg} "split {h,v}"'';
+        "super + {s,t,e}" =
+          ''${i3-msg} "layout {stacking,tabbed,toggle split}"'';
+        "super + shift + space" = ''${i3-msg} "floating toggle"'';
+        "super + control + space" = ''${i3-msg} "focus mode_toggle"'';
+        "super + a" = ''${i3-msg} "focus parent"'';
+
+        # Launch terminal
+        "super + Return" = ''
+          ${i3-msg} "exec --no-startup-id ${config.terminal}; workspace ${
+            workspaces."2"
+          }; layout tabbed"'';
+
+        # Restart and reload
+        "super + shift + {c,r}" = ''${i3-msg} "{reload,restart}"'';
+        "super + shift + q" = ''
+          ${pkgs.i3}/bin/i3-nagbar -t warning -m "Exit i3?" -B "Yes, exit i3" "${i3-msg} exit"'';
+
+        # Resize
+        "super + r : {h,j,k,l}" =
+          ''${i3-msg} "resize {shrink,grow} width 10px or 10 ppt"'';
+        "super + r : {j,k}" =
+          ''${i3-msg} "resize {shrink,grow} height 10px or 10 ppt"'';
+
+      } // (
+
+        # Bind navigation by number
+        let
+          bindWorkspace = num: workspace:
+            lib.attrsets.nameValuePair ("super + ${num}")
+            (''${i3-msg} "workspace ${workspace}"'');
+        in lib.mapAttrs' bindWorkspace workspaces
+
+      ) // (
+
+        # Bind move container to workspace by number
+        let
+          bindWorkspace = num: workspace:
+            lib.attrsets.nameValuePair ("super + shift +${num}") (''
+              ${i3-msg} "move container to workspace ${workspace}; workspace ${workspace}"'');
+        in lib.mapAttrs' bindWorkspace workspaces
+
+      );
+
       programs.fish.functions = {
         update-lock-screen = lib.mkIf config.services.xserver.enable {
           description = "Update lockscreen with wallpaper";
@@ -275,17 +204,20 @@ in {
 
     };
 
+    lockScreenCommand =
+      "${pkgs.betterlockscreen}/bin/betterlockscreen --lock --display 1 --blur 0.5 --span";
+
     # Ref: https://github.com/betterlockscreen/betterlockscreen/blob/next/system/betterlockscreen%40.service
     systemd.services.lock = {
       enable = config.services.xserver.enable;
-      description = "Lock the screen on resume from suspend";
+      description = "Lock the screen before suspend";
       before = [ "sleep.target" "suspend.target" ];
       serviceConfig = {
         User = config.user;
         Type = "simple";
         Environment = "DISPLAY=:0";
         TimeoutSec = "infinity";
-        ExecStart = lockCmd;
+        ExecStart = config.lockScreenCommand;
         ExecStartPost = "${pkgs.coreutils-full}/bin/sleep 1";
       };
       wantedBy = [ "sleep.target" "suspend.target" ];

modules/nixos/graphical/keybinds.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, ... }: {
+
+  home-manager.users.${config.user} = {
+    services.sxhkd = {
+      enable = true;
+      keybindings = {
+
+        # Adjust screen brightness (TODO: replace with pkgs.light?)
+        "shift + {F11,F12}" = ''
+          ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 {- 30,+ 30} && sleep 1; \\
+          ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 {- 30,+ 30}
+        '';
+        "XF86MonBrightness{Down,Up}" = ''
+          ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 {- 30,+ 30} && sleep 1; \\
+          ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 {- 30,+ 30}
+        '';
+
+        # Media controls
+        "XF86Audio{Play,Stop,Next,Prev}" =
+          "${pkgs.playerctl}/bin/playerctl {play-pause,stop,next,previous}";
+
+        # Toggle bar
+        "super + b" = config.toggleBarCommand;
+
+        # Launchers
+        "super + space" = config.launcherCommand;
+        "super + shift + s" = config.systemdSearch;
+        "super + shift + a" = config.audioSwitchCommand;
+        "alt + Tab" = config.altTabCommand;
+        "super + shift + period" = config.powerCommand;
+        "super + shift + m" = config.brightnessCommand;
+        "super + c" = config.calculatorCommand;
+        "super + shift + x" = config.lockScreenCommand;
+        "super + alt + h" =
+          "${config.terminal} sh -c '${pkgs.home-manager}/bin/home-manager switch --flake ${config.dotfilesPath}#${config.networking.hostName} || read'";
+        "super + alt + r" =
+          "${config.terminal} sh -c 'doas nixos-rebuild switch --flake ${config.dotfilesPath}#${config.networking.hostName} || read'";
+
+      };
+    };
+
+    xsession.windowManager.i3.config.startup = [{
+
+      command = "pkill sxhkd; sxhkd";
+      always = true;
+      notification = false;
+    }];
+
+  };
+
+}

modules/nixos/graphical/picom.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  config = lib.mkIf (pkgs.stdenv.isLinux && config.services.xserver.enable) {
+  config = lib.mkIf config.services.xserver.enable {
     home-manager.users.${config.user} = {
 
       services.picom = {

modules/nixos/graphical/polybar.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  config = lib.mkIf (pkgs.stdenv.isLinux && config.services.xserver.enable) {
+  config = lib.mkIf config.services.xserver.enable {
 
     toggleBarCommand = "polybar-msg cmd toggle";
 
@@ -36,7 +36,7 @@
             module-margin = 1;
             modules-left = "i3";
             modules-center = "xwindow";
-            modules-right = "mailcount pulseaudio date power";
+            modules-right = "mailcount network pulseaudio date power";
             cursor-click = "pointer";
             cursor-scroll = "ns-resize";
             enable-ipc = true;
@@ -106,8 +106,14 @@
             interval = 10;
             format = "<label>";
             exec = builtins.toString (pkgs.writeShellScript "mailcount.sh" ''
-              ${pkgs.notmuch}/bin/notmuch new > /dev/null
+              ${pkgs.notmuch}/bin/notmuch new --quiet 2>&1>/dev/null
-              UNREAD=$(${pkgs.notmuch}/bin/notmuch count is:inbox and is:unread and folder:main/Inbox)
+              UNREAD=$(
+                  ${pkgs.notmuch}/bin/notmuch count \
+                      is:inbox and \
+                      is:unread and \
+                      folder:main/Inbox \
+                      2>/dev/null
+              )
               if [ $UNREAD = "0" ]; then
                 echo ""
               else
@@ -118,6 +124,16 @@
               "i3-msg 'exec --no-startup-id kitty --class aerc aerc'; sleep 0.15; i3-msg '[class=aerc] focus'";
 
           };
+          "module/network" = {
+            type = "internal/network";
+            interface-type = "wired";
+            interval = 3;
+            accumulate-stats = true;
+            format-connected = "<label-connected>";
+            format-disconnected = "<label-disconnected>";
+            label-connected = "";
+            label-disconnected = "";
+          };
           "module/pulseaudio" = {
             type = "internal/pulseaudio";
             # format-volume-prefix = "VOL ";
@@ -127,10 +143,10 @@
             # label-volume-background = colors.background;
             format-volume-foreground = config.theme.colors.base0B;
             label-volume = "%percentage%%";
-            label-muted = "ﱝ ---";
+            label-muted = "󰝟 ---";
             label-muted-foreground = config.theme.colors.base03;
             ramp-volume-0 = "";
-            ramp-volume-1 = "墳";
+            ramp-volume-1 = "󰕾";
             ramp-volume-2 = "";
             click-right = config.audioSwitchCommand;
           };

modules/nixos/graphical/rofi.nix

@@ -8,11 +8,10 @@ in {
 
   imports = [ ./rofi/power.nix ./rofi/brightness.nix ];
 
-  config = lib.mkIf (pkgs.stdenv.isLinux && config.services.xserver.enable) {
+  config = lib.mkIf config.services.xserver.enable {
 
     # Set the Rofi-Systemd terminal for viewing logs
-    environment.sessionVariables.ROFI_SYSTEMD_TERM =
+    environment.sessionVariables.ROFI_SYSTEMD_TERM = config.terminal;
-      lib.mkIf config.kitty.enable "${pkgs.kitty}/bin/kitty";
 
     home-manager.users.${config.user} = {
 
@@ -24,6 +23,13 @@ in {
       programs.rofi = {
         enable = true;
         cycle = true;
+        extraConfig = {
+          show-icons = true;
+          kb-cancel = "Escape,Super+space";
+          modi = "window,run,ssh,emoji,calc,systemd";
+          sort = true;
+          # levenshtein-sort = true;
+        };
         location = "center";
         pass = { };
         plugins = [ pkgs.rofi-calc pkgs.rofi-emoji pkgs.rofi-systemd ];
@@ -143,15 +149,9 @@ in {
           };
 
         };
+        terminal = config.terminal;
         xoffset = 0;
         yoffset = -20;
-        extraConfig = {
-          show-icons = true;
-          kb-cancel = "Escape,Super+space";
-          modi = "window,run,ssh,emoji,calc,systemd";
-          sort = true;
-          # levenshtein-sort = true;
-        };
       };
 
       home.file.".local/share/rofi/themes" = {

modules/nixos/graphical/rofi/power.nix

@@ -25,7 +25,7 @@ in {
         | ${rofi}/bin/rofi \
             -theme-str '@import "power.rasi"' \
             -hover-select \
-            -me-select-entry ''' \
+            -me-select-entry "" \
             -me-accept-entry MousePrimary \
             -dmenu \
             -sep ';' \

modules/nixos/graphical/rofi/rofi-prompt.sh

@@ -32,7 +32,7 @@ done
 chosen=$(printf '%s;%s\n' "$yes" "$no" |
     rofi -theme-str '@import "prompt.rasi"' \
         -hover-select \
-        -me-select-entry '' \
+        -me-select-entry "" \
         -me-accept-entry MousePrimary \
         -p "$query" \
         -dmenu \

modules/nixos/graphical/rofi/themes/prompt.rasi

@@ -4,14 +4,13 @@
  */
 @import "common.rasi"
 * {
-  font: @text-font;
+  font: @prompt-text-font;
 }
 #window {
   height: @prompt-window-height;
   width: @prompt-window-width;
   children: [ inputbar, horibox ];
   border: @prompt-window-border;
-  border-color: @accent;
 }
 #inputbar {
   enabled: false;
@@ -19,8 +18,6 @@
 #prompt {
   padding: @prompt-prompt-padding;
   margin: @prompt-prompt-margin;
-  background-color: @accent;
-  text-color: @background-light;
 }
 #listview {
   padding: @prompt-listview-padding;
@@ -31,19 +28,3 @@
   font: @prompt-text-font;
   padding: @prompt-element-padding;
 }
-element.alternate.active,
-element.normal.active,
-element.alternate.urgent,
-element.normal.urgent {
-  background-color: @background-light;
-  text-color: @foreground;
-}
-element.selected.urgent {
-  background-color: @off;
-  text-color: @background;
-}
-element.selected.active {
-  background-color: @on;
-  text-color: @background;
-}
-

modules/nixos/graphical/sway.nix

@@ -0,0 +1,25 @@
+{ config, lib, ... }: {
+
+  config = lib.mkIf config.gui.enable {
+
+    programs.sway = {
+      enable = true;
+      package = null; # Use home-manager Sway instead
+    };
+
+  };
+
+  home-manager.users.${config.user} = {
+
+    wayland.windowManager.sway = {
+      enable = true;
+      config =
+        config.home-manager.users.${config.user}.xsession.windowManager.i3.config;
+    };
+
+  };
+
+  # TODO: swaybg
+  # TODO: swaylock
+
+}

modules/nixos/graphical/xorg.nix

@@ -1,27 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  options = {
+  config = lib.mkIf config.gui.enable {
-    gtk.theme = {
-      name = lib.mkOption {
-        type = lib.types.str;
-        description = "Theme name for GTK applications";
-      };
-      package = lib.mkOption {
-        type = lib.types.str;
-        description = "Theme package name for GTK applications";
-        default = "gnome-themes-extra";
-      };
-    };
-  };
-
-  config = let
-
-    gtkTheme = {
-      name = config.gtk.theme.name;
-      package = pkgs."${config.gtk.theme.package}";
-    };
-
-  in lib.mkIf config.gui.enable {
 
     # Enable the X11 windowing system.
     services.xserver = {
@@ -36,10 +15,8 @@
           enable = config.services.xserver.enable;
           background = config.wallpaper;
 
-          # Make the login screen dark
-          greeters.gtk.theme = gtkTheme;
-
           # Show default user
+          # Also make sure /var/lib/AccountsService/users/<user> has SystemAccount=false
           extraSeatDefaults = ''
             greeter-hide-users = false
           '';
@@ -54,12 +31,6 @@
         xclip # Clipboard
       ];
 
-    # Required for setting GTK theme (for preferred-color-scheme in browser)
-    services.dbus.packages = [ pkgs.dconf ];
-    programs.dconf.enable = true;
-
-    environment.sessionVariables = { GTK_THEME = config.gtk.theme.name; };
-
     home-manager.users.${config.user} = {
 
       programs.fish.shellAliases = {
@@ -67,17 +38,6 @@
         pbpaste = "xclip -selection clipboard -out";
       };
 
-      gtk = let
-        gtkExtraConfig = {
-          gtk-application-prefer-dark-theme = config.theme.dark;
-        };
-      in {
-        enable = true;
-        theme = gtkTheme;
-        gtk3.extraConfig = gtkExtraConfig;
-        gtk4.extraConfig = gtkExtraConfig;
-      };
-
     };
 
   };

modules/nixos/hardware/boot.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  boot.loader = lib.mkIf config.physical {
+  boot.loader = lib.mkIf (config.physical && !config.server) {
     grub = {
       enable = true;
 

modules/nixos/hardware/keyboard.nix

@@ -15,8 +15,13 @@
     # Use capslock as escape and/or control
     services.keyd = {
       enable = true;
+      keyboards = {
+        default = {
+          ids = [ "*" ];
           settings = { main = { capslock = "overload(control, esc)"; }; };
         };
+      };
+    };
 
     # Enable num lock on login
     home-manager.users.${config.user}.xsession.numlock.enable = true;

modules/nixos/hardware/networking.nix

@@ -1,13 +1,8 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }: {
 
   config = lib.mkIf config.physical {
 
-    # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+    networking.useDHCP = !config.networking.networkmanager.enable;
-    # Per-interface useDHCP will be mandatory in the future, so this generated config
-    # replicates the default behaviour.
-    networking.useDHCP = false;
-    networking.interfaces.enp5s0.useDHCP = true;
-    networking.interfaces.wlp4s0.useDHCP = true;
 
     networking.firewall.allowPing = lib.mkIf config.server true;
 
@@ -15,6 +10,9 @@
     services.avahi = {
       enable = true;
       domainName = "local";
+      ipv6 = false; # Should work either way
+      # Resolve local hostnames using Avahi DNS
+      nssmdns = true;
       publish = {
         enable = true;
         addresses = true;
@@ -23,8 +21,10 @@
       };
     };
 
-    # Resolve local hostnames using Avahi DNS
+    environment.systemPackages = [
-    services.avahi.nssmdns = true;
+      (pkgs.writeShellScriptBin "wake-tempest"
+        "${pkgs.wakeonlan}/bin/wakeonlan --ip=192.168.1.255 74:56:3C:40:37:5D")
+    ];
 
   };
 

modules/nixos/hardware/server.nix

@@ -1,6 +1,6 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
 
-  config = lib.mkIf (pkgs.stdenv.isLinux && config.server) {
+  config = lib.mkIf config.server {
 
     # Servers need a bootloader or they won't start
     boot.loader.systemd-boot.enable = true;

modules/nixos/hardware/sleep.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  config = lib.mkIf config.physical {
+  config = lib.mkIf (config.physical && !config.server) {
 
     # Prevent wake from keyboard
     powerManagement.powerDownCommands = ''

modules/nixos/hardware/wifi.nix

@@ -3,7 +3,7 @@
   config = lib.mkIf (config.physical && pkgs.stdenv.isLinux) {
 
     # Enables wireless support via wpa_supplicant.
-    networking.wireless.enable = true;
+    networking.wireless.enable = !config.networking.networkmanager.enable;
 
     # Allows the user to control the WiFi settings.
     networking.wireless.userControlled.enable = true;

modules/nixos/hardware/zfs.nix

@@ -1,15 +1,20 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
 
   options = { zfs.enable = lib.mkEnableOption "ZFS file system."; };
 
-  config =
+  config = lib.mkIf (config.server && config.zfs.enable) {
-    lib.mkIf (pkgs.stdenv.isLinux && config.server && config.zfs.enable) {
 
     # Only use compatible Linux kernel, since ZFS can be behind
-      boot.kernelPackages =
+    boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-        config.boot.zfs.package.latestCompatibleLinuxPackages;
     boot.kernelParams = [ "nohibernate" ];
     boot.supportedFilesystems = [ "zfs" ];
+    services.prometheus.exporters.zfs.enable =
+      config.prometheus.exporters.enable;
+    prometheus.scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.zfs.port
+      }"
+    ];
 
   };
 

modules/nixos/services/arr.nix

@@ -1,4 +1,31 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }:
+
+let
+
+  arrConfig = {
+    radarr = {
+      exportarrPort = "9707";
+      url = "localhost:7878";
+      apiKey = config.secrets.radarrApiKey.dest;
+    };
+    sonarr = {
+      exportarrPort = "9708";
+      url = "localhost:8989";
+      apiKey = config.secrets.sonarrApiKey.dest;
+    };
+    prowlarr = {
+      exportarrPort = "9709";
+      url = "localhost:9696";
+      apiKey = config.secrets.prowlarrApiKey.dest;
+    };
+    sabnzbd = {
+      exportarrPort = "9710";
+      url = "localhost:8085";
+      apiKey = config.secrets.sabnzbdApiKey.dest;
+    };
+  };
+
+in {
 
   options = { arrs.enable = lib.mkEnableOption "Arr services"; };
 
@@ -43,7 +70,7 @@
         }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:8989"; }];
+          upstreams = [{ dial = arrConfig.sonarr.url; }];
         }];
       }
       {
@@ -54,7 +81,7 @@
         }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:7878"; }];
+          upstreams = [{ dial = arrConfig.radarr.url; }];
         }];
       }
       {
@@ -76,7 +103,11 @@
         }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:6767"; }];
+          upstreams = [{
+            dial = "localhost:${
+                builtins.toString config.services.bazarr.listenPort
+              }";
+          }];
         }];
       }
       {
@@ -87,7 +118,7 @@
         }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:8085"; }];
+          upstreams = [{ dial = arrConfig.sabnzbd.url; }];
         }];
       }
       {
@@ -95,11 +126,83 @@
         match = [{ host = [ config.hostnames.download ]; }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:5055"; }];
+          upstreams = [{
+            dial =
+              "localhost:${builtins.toString config.services.jellyseerr.port}";
+          }];
         }];
       }
     ];
 
+    # Enable Prometheus exporters
+    systemd.services = lib.mapAttrs' (name: attrs: {
+      name = "prometheus-${name}-exporter";
+      value = {
+        description = "Export Prometheus metrics for ${name}";
+        after = [ "network.target" ];
+        wantedBy = [ "${name}.service" ];
+        serviceConfig = {
+          Type = "simple";
+          DynamicUser = true;
+          ExecStart = let
+            url = if name != "sabnzbd" then
+              "http://${attrs.url}/${name}"
+            else
+              "http://${attrs.url}";
+          in ''
+            ${pkgs.exportarr}/bin/exportarr ${name} \
+                        --url ${url} \
+                        --port ${attrs.exportarrPort}'';
+          EnvironmentFile =
+            lib.mkIf (builtins.hasAttr "apiKey" attrs) attrs.apiKey;
+          Restart = "on-failure";
+          ProtectHome = true;
+          ProtectSystem = "strict";
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectHostname = true;
+          ProtectClock = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectKernelLogs = true;
+          ProtectControlGroups = true;
+          NoNewPrivileges = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          RemoveIPC = true;
+          PrivateMounts = true;
+        };
+      };
+    }) arrConfig;
+
+    # Secrets for Prometheus exporters
+    secrets.radarrApiKey = {
+      source = ../../../private/radarr-api-key.age;
+      dest = "/var/private/radarr-api";
+      prefix = "API_KEY=";
+    };
+    secrets.sonarrApiKey = {
+      source = ../../../private/sonarr-api-key.age;
+      dest = "/var/private/sonarr-api";
+      prefix = "API_KEY=";
+    };
+    secrets.prowlarrApiKey = {
+      source = ../../../private/prowlarr-api-key.age;
+      dest = "/var/private/prowlarr-api";
+      prefix = "API_KEY=";
+    };
+    secrets.sabnzbdApiKey = {
+      source = ../../../private/sabnzbd-api-key.age;
+      dest = "/var/private/sabnzbd-api";
+      prefix = "API_KEY=";
+    };
+
+    # Prometheus scrape targets
+    prometheus.scrapeTargets = map (key:
+      "127.0.0.1:${
+        lib.attrsets.getAttrFromPath [ key "exportarrPort" ] arrConfig
+      }") (builtins.attrNames arrConfig);
+
   };
 
 }

modules/nixos/services/bind.nix

@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+
+let
+
+  localIp = "192.168.1.218";
+  localServices = [
+    config.hostnames.stream
+    config.hostnames.content
+    config.hostnames.books
+    config.hostnames.download
+  ];
+  mkRecord = service: "${service}       A       ${localIp}";
+  localRecords = lib.concatLines (map mkRecord localServices);
+
+in {
+
+  config = lib.mkIf config.services.bind.enable {
+
+    caddy.cidrAllowlist = [ "192.168.0.0/16" ];
+
+    services.bind = {
+      cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
+      forwarders = [ "1.1.1.1" "1.0.0.1" ];
+      ipv4Only = true;
+
+      # Use rpz zone as an override
+      extraOptions = ''response-policy { zone "rpz"; };'';
+
+      zones = {
+        rpz = {
+          master = true;
+          file = pkgs.writeText "db.rpz" ''
+            $TTL 60  ; 1 minute
+            @       IN      SOA     localhost. root.localhost. (
+                                    2023071800      ; serial
+                                    1h              ; refresh
+                                    30m             ; retry
+                                    1w              ; expire
+                                    30m             ; minimum ttl
+                                    )
+                    IN      NS      localhost.
+            localhost       A       127.0.0.1
+            ${localRecords}
+          '';
+        };
+      };
+
+    };
+
+    networking.firewall.allowedTCPPorts = [ 53 ];
+    networking.firewall.allowedUDPPorts = [ 53 ];
+
+  };
+
+}

modules/nixos/services/caddy.nix

@@ -1,25 +1,41 @@
 { config, pkgs, lib, ... }: {
 
   options = {
-    caddy.tlsPolicies = lib.mkOption {
+    caddy = {
+      tlsPolicies = lib.mkOption {
         type = lib.types.listOf lib.types.attrs;
         description = "Caddy JSON TLS policies";
         default = [ ];
       };
-    caddy.routes = lib.mkOption {
+      routes = lib.mkOption {
         type = lib.types.listOf lib.types.attrs;
         description = "Caddy JSON routes for http servers";
         default = [ ];
       };
-    caddy.blocks = lib.mkOption {
+      blocks = lib.mkOption {
         type = lib.types.listOf lib.types.attrs;
         description = "Caddy JSON error blocks for http servers";
         default = [ ];
       };
+      cidrAllowlist = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "CIDR blocks to allow for requests";
+        default = [ ];
+      };
+    };
   };
 
-  config =
+  config = lib.mkIf config.services.caddy.enable {
-    lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
+
+    # Force Caddy to 403 if not coming from allowlisted source
+    caddy.cidrAllowlist = [ "127.0.0.1/32" ];
+    caddy.routes = [{
+      match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
+      handle = [{
+        handler = "static_response";
+        status_code = "403";
+      }];
+    }];
 
     services.caddy = {
       adapter = "''"; # Required to enable JSON
@@ -28,8 +44,9 @@
           listen = [ ":443" ];
           routes = config.caddy.routes;
           errors.routes = config.caddy.blocks;
-            # logs = { }; # Uncomment to collect access logs
+          logs = { }; # Uncomment to collect access logs
         };
+        apps.http.servers.metrics = { }; # Enables Prometheus metrics
         apps.tls.automation.policies = config.caddy.tlsPolicies;
         logging.logs.main = {
           encoder = { format = "console"; };
@@ -37,6 +54,7 @@
             output = "file";
             filename = "${config.services.caddy.logDir}/caddy.log";
             roll = true;
+            roll_size_mb = 1;
           };
           level = "INFO";
         };
@@ -47,6 +65,8 @@
     networking.firewall.allowedTCPPorts = [ 80 443 ];
     networking.firewall.allowedUDPPorts = [ 443 ];
 
+    prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
+
   };
 
 }

modules/nixos/services/calibre.nix

@@ -30,7 +30,11 @@ in {
       match = [{ host = [ config.hostnames.books ]; }];
       handle = [{
         handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:8083"; }];
+        upstreams = [{
+          dial = "localhost:${
+              builtins.toString config.services.calibre-web.listen.port
+            }";
+        }];
         headers.request.add."X-Script-Name" = [ "/calibre-web" ];
       }];
     }];

modules/nixos/services/cloudflare.nix

@@ -41,19 +41,10 @@ in {
   config = lib.mkIf config.cloudflare.enable {
 
     # Forces Caddy to error if coming from a non-Cloudflare IP
-    caddy.blocks = [{
+    caddy.cidrAllowlist = cloudflareIpRanges;
-      match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
-      handle = [{
-        handler = "static_response";
-        abort = true;
-      }];
-    }];
 
     # Tell Caddy to use Cloudflare DNS for ACME challenge validation
-    services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
+    services.caddy.package = pkgs.caddy-cloudflare; # Patched overlay
-      plugins = [ "github.com/caddy-dns/cloudflare" ];
-      # vendorSha256 = "sha256-K9HPZnr+hMcK5aEd1H4gEg6PXAaNrNWFvaHYm5m62JY=";
-    });
     caddy.tlsPolicies = [{
       issuers = [{
         module = "acme";

modules/nixos/services/default.nix

@@ -3,10 +3,12 @@
   imports = [
     ./arr.nix
     ./backups.nix
+    ./bind.nix
     ./caddy.nix
     ./calibre.nix
     ./cloudflare-tunnel.nix
     ./cloudflare.nix
+    ./gitea-runner.nix
     ./gitea.nix
     ./gnupg.nix
     ./grafana.nix
@@ -23,6 +25,7 @@
     ./sshd.nix
     ./transmission.nix
     ./vaultwarden.nix
+    ./victoriametrics.nix
     ./wireguard.nix
   ];
 

modules/nixos/services/gitea-runner.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+{
+  options.giteaRunner.enable =
+    lib.mkEnableOption "Enable Gitea Actions runner.";
+
+  config = lib.mkIf config.giteaRunner.enable {
+
+    services.gitea-actions-runner.instances.${config.networking.hostName} = {
+      enable = true;
+      labels = [
+        # Provide a Debian base with NodeJS for actions
+        # "debian-latest:docker://node:18-bullseye"
+        # Fake the Ubuntu name, because Node provides no Ubuntu builds
+        # "ubuntu-latest:docker://node:18-bullseye"
+        # Provide native execution on the host using below packages
+        "native:host"
+      ];
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        wget
+      ];
+      name = config.networking.hostName;
+      url = "https://${config.hostnames.git}";
+      tokenFile = config.secrets.giteaRunnerToken.dest;
+    };
+
+    # Make sure the runner doesn't start until after Gitea
+    systemd.services."gitea-runner-${config.networking.hostName}".after =
+      [ "gitea.service" ];
+
+    # API key needed to connect to Gitea
+    secrets.giteaRunnerToken = {
+      source = ../../../private/gitea-runner-token.age; # TOKEN=xyz
+      dest = "${config.secretsDirectory}/gitea-runner-token";
+    };
+    systemd.services.giteaRunnerToken-secret = {
+      requiredBy = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+      before = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+    };
+
+  };
+
+}

modules/nixos/services/gitea.nix

@@ -8,6 +8,8 @@ in {
     services.gitea = {
       database.type = "sqlite3";
       settings = {
+        actions.ENABLED = true;
+        metrics.ENABLED = true;
         repository = {
           DEFAULT_PUSH_CREATE_PRIVATE = true;
           DISABLE_HTTP_GIT = false;
@@ -36,13 +38,36 @@ in {
     networking.firewall.allowedTCPPorts = [ 122 ];
     users.users.${config.user}.extraGroups = [ "gitea" ];
 
-    caddy.routes = [{
+    caddy.routes = [
+      {
+        match = [{
+          host = [ config.hostnames.git ];
+          path = [ "/metrics*" ];
+        }];
+        handle = [{
+          handler = "static_response";
+          status_code = "403";
+        }];
+      }
+      {
         match = [{ host = [ config.hostnames.git ]; }];
         handle = [{
           handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:3001"; }];
+          upstreams = [{
+            dial = "localhost:${
+                builtins.toString
+                config.services.gitea.settings.server.HTTP_PORT
+              }";
           }];
         }];
+      }
+    ];
+
+    prometheus.scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.gitea.settings.server.HTTP_PORT
+      }"
+    ];
 
     ## Backup config