update to latest proton-ge

fixing issues with keybase running in the background and keybase gui

.github/workflows/check.yml

@@ -0,0 +1,20 @@
+name: Check Build
+
+on:
+  workflow_dispatch: # allows manual triggering
+
+jobs:
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
+      - name: Check Nixpkgs Inputs
+        uses: DeterminateSystems/flake-checker-action@v5
+      - name: Add Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+      - name: Check the Flake
+        run: nix flake check

.github/workflows/update.yml

@@ -0,0 +1,63 @@
+name: Update Flake
+
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '33 3 * * 0' # runs weekly on Sunday at 03:33
+
+permissions:
+  contents: write
+  pull-requests: write
+  checks: write
+
+jobs:
+  lockfile:
+    name: Lockfile
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
+      - name: Check Nixpkgs Inputs
+        uses: DeterminateSystems/flake-checker-action@v5
+      - name: Add Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@v19
+        id: update
+        with:
+          pr-title: "Update flake.lock" # Title of PR to be created
+          pr-labels: |                  # Labels to be set on the PR
+            dependencies
+            automated
+      - name: Check the Flake
+        id: check
+        run: nix flake check
+      - name: Update Check Status
+        uses: LouisBrunner/checks-action@v1.6.1
+        if: always()
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          name: Update Flake
+          conclusion: ${{ job.status }}
+          output: |
+            {"summary":"${{ steps.check.outputs.stdout }}"}
+      - name: Enable Pull Request Automerge
+        if: success()
+        run: |
+          gh pr merge \
+            --rebase \
+            --auto \
+            ${{ steps.update.outputs.pull-request-number }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Close Pull Request If Failed
+        if: failure()
+        run: |
+          gh pr close \
+            --comment "Auto-closing pull request" \
+            --delete-branch \
+            ${{ steps.update.outputs.pull-request-number }}
+        env:
+          GH_TOKEN: ${{ github.token }}

README.md

@@ -43,6 +43,22 @@ configuration may be difficult to translate to a non-Nix system.
 
 ---
 
+# Unique Configurations
+
+This repo contains a few atypical choices for configuration.
+
+- [Neovim config](./modules/common/neovim/default.nix) generated with Nix2Vim
+and source-controlled plugins, differing from host to host.
+- [Caddy JSON](./modules/nixos/services/caddy.nix) file (routes, etc.) based on
+dynamic service metadata.
+- [Grafana config](./modules/nixos/services/grafana.nix) based on dynamic
+service metadata.
+- Custom [secrets deployment](./modules/nixos/services/secrets.nix) similar to
+agenix.
+- Base16 [colorschemes](./colorscheme/) applied to multiple applications.
+
+---
+
 # Installation
 
 Click [here](./docs/installation.md) for detailed installation instructions.

apps/README.md

@@ -0,0 +1,9 @@
+# Apps
+
+These are all my miscellaneous utilies and scripts to accompany this project.
+
+They can be run with:
+
+```
+nix run github:nmasur/dotfiles#appname
+```

apps/encrypt-secret.nix

@@ -11,7 +11,7 @@
     tmpfile=$(mktemp)
     echo "''${secret}" > ''${tmpfile}
     ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-      builtins.toString ../public-keys
+      builtins.toString ../misc/public-keys
     } $tmpfile
     rm $tmpfile
   '');

apps/installer.nix

@@ -17,8 +17,8 @@
             --foreground "#fb4934" \
             "Missing required parameter." \
             "Usage: installer -- <disk> <host>" \
-            "Example: installer -- nvme0n1 desktop" \
-            "Flake example: nix run github:nmasur/dotfiles#installer -- nvme0n1 desktop"
+            "Example: installer -- nvme0n1 tempest" \
+            "Flake example: nix run github:nmasur/dotfiles#installer -- nvme0n1 tempest"
         echo "(exiting)"
         exit 1
     fi

apps/reencrypt-secrets.nix

@@ -17,7 +17,7 @@
         --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
       echo "Encrypting ''${encryptedfile}..."
       ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-        builtins.toString ../public-keys
+        builtins.toString ../misc/public-keys
       } $tmpfile > $encryptedfile
       rm $tmpfile
     done

colorscheme/README.md

@@ -0,0 +1,5 @@
+# Colorschemes
+
+Color information for different themes is found here. The colors are sourced
+and used with [base16](https://github.com/chriskempson/base16) format
+consistently across the system.

disks/README.md

@@ -0,0 +1,5 @@
+# Disks
+
+These are my [disko](https://github.com/nix-community/disko) configurations,
+which allow me to save desired disk formatting layouts as a declarative file so
+I don't have to remember how to format my disks later on.

docs/README.md

@@ -0,0 +1,4 @@
+# Documentation
+
+Reference documents for some of the more complicated services and maintenance
+tasks.

docs/repair-nextcloud.md

@@ -0,0 +1,65 @@
+# Repairing Nextcloud
+
+You can run the maintenance commands like this:
+
+```
+sudo -u nextcloud nextcloud-occ maintenance:mode --on
+sudo -u nextcloud nextcloud-occ maintenance:repair
+sudo -u nextcloud nextcloud-occ maintenance:mode --off
+```
+
+## Rescan Files
+
+```
+sudo -u nextcloud nextcloud-occ files:scan --all
+```
+
+## Converting from SQLite to MySQL (mariadb)
+
+First: keep Nextcloud set to SQLite as its dbtype, and separately launch MySQL
+as a service by copying the configuration found
+[here](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/web-apps/nextcloud.nix).
+
+No password is necessary, since the user-based auth works with UNIX sockets.
+
+You can connect to the MySQL instance like this:
+
+```
+sudo -u nextcloud mysql -S /run/mysqld/mysqld.sock
+```
+
+Create a blank database for Nextcloud:
+
+```sql
+create database nextcloud;
+```
+
+Now setup the [conversion](https://docs.nextcloud.com/server/17/admin_manual/configuration_database/db_conversion.html):
+
+```
+sudo -u nextcloud nextcloud-occ db:convert-type mysql nextcloud localhost nextcloud
+```
+
+Ignore the password prompt. Proceed with the conversion.
+
+Now `config.php` will be updated but the override config from NixOS will not
+be. Now update your NixOS configuration:
+
+- Remove the `mysql` service you created.
+- Set `dbtype` to `mysql`.
+- Set `database.createLocally` to `true`.
+
+Rebuild your configuration.
+
+Now, make sure to enable [4-byte
+support](https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/mysql_4byte_support.html)
+in the database.
+
+## Backing Up MySQL Database
+
+Use this mysqldump command:
+
+```
+sudo -u nextcloud mysqldump -S /run/mysqld/mysqld.sock --default-character-set=utf8mb4 nextcloud > backup.sql
+```
+

docs/restore-nextcloud.md

@@ -1,43 +0,0 @@
-# Restoring Nextcloud From Backup
-
-Install the `litestream` package.
-
-```
-nix-shell --run fish -p litestream
-```
-
-Set the S3 credentials:
-
-```
-set -x AWS_ACCESS_KEY_ID (read)
-set -x AWS_SECRET_ACCESS_KEY (read)
-```
-
-Restore from S3:
-
-```
-litestream restore -o nextcloud.db s3://noahmasur-backup.s3.us-west-002.backblazeb2.com/nextcloud
-```
-
-Install Nextcloud. Then copy DB:
-
-```
-sudo rm /data/nextcloud/data/nextcloud.db*
-sudo mv nextcloud.db /data/nextcloud/data/
-sudo chown nextcloud:nextcloud /data/nextcloud/data/nextcloud.db
-sudo chmod 770 /data/nextcloud/data/nextcloud.db
-```
-
-Restart Nextcloud:
-
-```
-sudo systemctl restart phpfpm-nextcloud.service
-```
-
-Adjust Permissions and Directories:
-
-```
-sudo mkdir /data/nextcloud/data/noah/files
-sudo chown nextcloud:nextcloud /data/nextcloud/data/noah/files
-```
-

docs/zfs.md

@@ -0,0 +1,45 @@
+# ZFS
+
+Swan runs its root on ext4. The ZFS drives are managed imperatively (this
+[disko configuration](../disks/zfs.nix) is an unused work-in-progress).
+
+The basic ZFS settings are managed [here](../modules/nixos/hardware/zfs.nix).
+
+## Creating a New Dataset
+
+```
+sudo zfs create tank/mydataset
+sudo zfs set compression=zstd tank/myzstddataset
+sudo zfs set mountpoint=/data/mydataset tank/mydataset
+```
+
+## Maintenance
+
+### Get Status
+
+```
+sudo zpool status
+```
+
+### Replace Disk
+
+```
+sudo zdb
+sudo zpool status -g # Show by GUID
+sudo zpool offline tank <GUID>
+sudo zpool status
+# Remove old disk, insert new disk
+sudo zdb
+sudo zpool replace tank <OLD GUID> /dev/disk/by-id/<NEW PATH>
+sudo zpool status
+```
+
+## Initial Setup
+
+```
+sudo zpool create tank raidz1 sda sdb sdc
+sudo zpool set ashift=12 tank
+sudo zpool set autoexpand=on tank
+sudo zpool set compression=on tank
+```
+

flake.lock

@@ -17,31 +17,80 @@
         "type": "github"
       }
     },
+    "age": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1672087018,
+        "narHash": "sha256-LRxxJQLQkzoCNYGS/XBixVmYXoZ1mPHKvFicPGXYLcw=",
+        "owner": "FiloSottile",
+        "repo": "age",
+        "rev": "c6dcfa1efcaa27879762a934d5bea0d1b83a894c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "FiloSottile",
+        "ref": "v1.1.1",
+        "repo": "age",
+        "type": "github"
+      }
+    },
+    "baleia-nvim-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1681806450,
+        "narHash": "sha256-jxRlIzWbnSj89032msc5w+2TVt7zVyzlxdXxiH1dQqY=",
+        "owner": "m00qek",
+        "repo": "baleia.nvim",
+        "rev": "00bb4af31c8c3865b735d40ebefa6c3f07b2dd16",
+        "type": "github"
+      },
+      "original": {
+        "owner": "m00qek",
+        "repo": "baleia.nvim",
+        "type": "github"
+      }
+    },
     "bufferline-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1687763763,
-        "narHash": "sha256-wbOeylzjjScQXkrDbBU2HtrOZrp2YUK+wQ2aOkgxmRQ=",
+        "lastModified": 1695205521,
+        "narHash": "sha256-MQMpXMgUpZA0E9TunzjXeOQxDWSCTogXbvi9VJnv4Kw=",
         "owner": "akinsho",
         "repo": "bufferline.nvim",
-        "rev": "bf2f6b7edd0abf6b0732f5e5c0a8f30e51611c75",
+        "rev": "6ecd37e0fa8b156099daedd2191130e083fb1490",
         "type": "github"
       },
       "original": {
         "owner": "akinsho",
-        "ref": "v4.2.0",
+        "ref": "v4.4.0",
         "repo": "bufferline.nvim",
         "type": "github"
       }
     },
+    "bypass-paywalls-clean": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1704296449,
+        "narHash": "sha256-UkEaTOBEfPTxcNo9Iv2xUEW6jYWMJeaGKA38KF6Yuf0=",
+        "owner": "magnolia1234",
+        "repo": "bpc-uploads",
+        "rev": "dcd11128c6b7c6246fc6d199ce10d5ec796d4716",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "magnolia1234",
+        "repo": "bpc-uploads",
+        "type": "gitlab"
+      }
+    },
     "cmp-nvim-lsp-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1687494203,
-        "narHash": "sha256-mU0soCz79erJXMMqD/FyrJZ0mu2n6fE0deymPzQlxts=",
+        "lastModified": 1702205473,
+        "narHash": "sha256-/0sh9vJBD9pUuD7q3tNSQ1YLvxFMNykdg5eG+LjZAA8=",
         "owner": "hrsh7th",
         "repo": "cmp-nvim-lsp",
-        "rev": "44b16d11215dce86f253ce0c30949813c0a90765",
+        "rev": "5af77f54de1b16c34b23cba810150689a3a90312",
         "type": "github"
       },
       "original": {
@@ -57,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687517837,
-        "narHash": "sha256-Ea+JTy6NSf+wWIFrgC8gnOnyt01xwmtDEn2KecvaBkg=",
+        "lastModified": 1704277720,
+        "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "6460468e7a3e1290f132fee4170ebeaa127f6f32",
+        "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4",
         "type": "github"
       },
       "original": {
@@ -78,11 +127,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687598357,
-        "narHash": "sha256-70ciIe8415oQnQypawaqocEaLJcI1XtkqRNmle8vsrg=",
+        "lastModified": 1704318910,
+        "narHash": "sha256-wOIJwAsnZhM0NlFRwYJRgO4Lldh8j9viyzwQXtrbNtM=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "1e7098ee0448dc5d33df394d040f454cd42a809c",
+        "rev": "aef9a509db64a081186af2dc185654d78dc8e344",
         "type": "github"
       },
       "original": {
@@ -91,6 +140,23 @@
         "type": "github"
       }
     },
+    "fidget-nvim-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1702031048,
+        "narHash": "sha256-wbjQuOFd/2339TIrUA97PYsV8N3PZsS+xbyMsyZmki8=",
+        "owner": "j-hui",
+        "repo": "fidget.nvim",
+        "rev": "300018af4abd00610a345e382ca1f4b7ba420f77",
+        "type": "github"
+      },
+      "original": {
+        "owner": "j-hui",
+        "ref": "v1.1.0",
+        "repo": "fidget.nvim",
+        "type": "github"
+      }
+    },
     "firefox-darwin": {
       "inputs": {
         "nixpkgs": [
@@ -98,11 +164,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688605308,
-        "narHash": "sha256-B9suu7dcdX4a18loO5ul237gqIJ5/+TRuheLj8fJjwM=",
+        "lastModified": 1704415391,
+        "narHash": "sha256-DOK05XW4cSdE+lw+OfrzYTywIHSVazm5TJsODSDrNKY=",
         "owner": "bandithedoge",
         "repo": "nixpkgs-firefox-darwin",
-        "rev": "78d28acf685e19d353b2ecb6c38eeb3fc624fc68",
+        "rev": "ca04361b1c2e6cbe5cbf7e118a28fe67ddf51f4c",
         "type": "github"
       },
       "original": {
@@ -114,11 +180,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -128,12 +194,15 @@
       }
     },
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1687709756,
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
         "type": "github"
       },
       "original": {
@@ -143,24 +212,6 @@
       }
     },
     "flake-utils_2": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1685518550,
-        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_3": {
       "inputs": {
         "systems": "systems_2"
       },
@@ -178,6 +229,40 @@
         "type": "github"
       }
     },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "hmts-nvim-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1693226725,
+        "narHash": "sha256-jUuztOqNBltC3axa7s3CPJz9Cmukfwkf846+Z/gAxCU=",
+        "owner": "calops",
+        "repo": "hmts.nvim",
+        "rev": "14fd941d7ec2bb98314a1aacaa2573d97f1629ab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "calops",
+        "repo": "hmts.nvim",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -185,11 +270,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687627695,
-        "narHash": "sha256-6Pu7nWb52PRtUmihwuDNShDmsZiXgtXR0OARtH4DSik=",
+        "lastModified": 1704383912,
+        "narHash": "sha256-Be7O73qoOj/z+4ZCgizdLlu+5BkVvO2KO299goZ9cW8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "172d46d4b2677b32277d903bdf4cff77c2cc6477",
+        "rev": "26b8adb300e50efceb51fff6859a1a6ba1ade4f7",
         "type": "github"
       },
       "original": {
@@ -199,6 +284,45 @@
         "type": "github"
       }
     },
+    "nextcloud-cookbook": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1702545935,
+        "narHash": "sha256-19LN1nYJJ0RMWj6DrYPvHzocTyhMfYdpdhBFch3fpHE=",
+        "type": "tarball",
+        "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz"
+      }
+    },
+    "nextcloud-external": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1699624334,
+        "narHash": "sha256-RCL2RP5twRDLxI/KfAX6QLYQOzqZmSWsfrC5ZQIwTD4=",
+        "type": "tarball",
+        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz"
+      }
+    },
+    "nextcloud-news": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1703426420,
+        "narHash": "sha256-AENBJH/bEob5JQvw4WEi864mdLYJ5Mqe78HJH6ceCpI=",
+        "type": "tarball",
+        "url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz"
+      }
+    },
     "nil": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -208,16 +332,16 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1680544266,
-        "narHash": "sha256-d/TusDXmIo8IT5DNRA21lN+nOVSER8atIx9TJteR6LQ=",
+        "lastModified": 1691372739,
+        "narHash": "sha256-fZ8KfBMcIFO/R7xaWtB85SFeuUjb9SCH8fxYBnY8068=",
         "owner": "oxalica",
         "repo": "nil",
-        "rev": "56a1fa87b98a9508920f4b0ab8fe36d5b54b2362",
+        "rev": "97abe7d3d48721d4e0fcc1876eea83bb4247825b",
         "type": "github"
       },
       "original": {
         "owner": "oxalica",
-        "ref": "2023-04-03",
+        "ref": "2023-08-09",
         "repo": "nil",
         "type": "github"
       }
@@ -245,11 +369,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1687049841,
-        "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=",
+        "lastModified": 1693701915,
+        "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5",
+        "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
         "type": "github"
       },
       "original": {
@@ -266,11 +390,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687398392,
-        "narHash": "sha256-T6kc3NMTpGJk1/dve8PGupeVcxboEb78xtTKhe3LL/A=",
+        "lastModified": 1701689616,
+        "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "649171f56a45af13ba693c156207eafbbbf7edfe",
+        "rev": "246219bc21b943c6f6812bb7744218ba0df08600",
         "type": "github"
       },
       "original": {
@@ -281,11 +405,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1687502512,
-        "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
+        "lastModified": 1704194953,
+        "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
+        "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
         "type": "github"
       },
       "original": {
@@ -297,16 +421,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1686929285,
-        "narHash": "sha256-WGtVzn+vGMPTXDO0DMNKVFtf+zUSqeW+KKk4Y/Ae99I=",
+        "lastModified": 1703900474,
+        "narHash": "sha256-Zu+chYVYG2cQ4FCbhyo6rc5Lu0ktZCjRbSPE0fDgukI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "93fddcf640ceca0be331210ba3101cee9d91c13d",
+        "rev": "9dd7699928e26c3c00d5d46811f1358524081062",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -314,11 +438,11 @@
     "null-ls-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1686871437,
-        "narHash": "sha256-MxIZqyRW8jStiDNXt7Bsw8peDLKpqxKEaUuIJsXkGMI=",
+        "lastModified": 1691810493,
+        "narHash": "sha256-cWA0rzkOp/ekVKaFee7iea1lhnqKtWUIU+fW5M950wI=",
         "owner": "jose-elias-alvarez",
         "repo": "null-ls.nvim",
-        "rev": "bbaf5a96913aa92281f154b08732be2f57021c45",
+        "rev": "0010ea927ab7c09ef0ce9bf28c2b573fc302f5a7",
         "type": "github"
       },
       "original": {
@@ -329,11 +453,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1687625402,
-        "narHash": "sha256-V+vSWypmm/tGbwNXGhqzmiV7vTjV2gNCEh9N7OhNnyA=",
+        "lastModified": 1704483764,
+        "narHash": "sha256-SuMEUsYHFbYYVZr3wWC64/tc1K/iI2/CJGdDixk6J5c=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "aeaf37c7538965e45700d39e6b5dc9c9a0e0749c",
+        "rev": "9c4f6b66f05fc6f6285df25e89f825b441ec9705",
         "type": "github"
       },
       "original": {
@@ -362,11 +486,11 @@
     "nvim-tree-lua-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1687132855,
-        "narHash": "sha256-ZRUoCDBv8rO8ZUBUMLgo33EBbqD9+ZOSET9rkFsA++E=",
+        "lastModified": 1704073600,
+        "narHash": "sha256-D+wCJQuRj9mvgLd0DaiYgqghDYDwfux9zlEb/vIvaqA=",
         "owner": "kyazdani42",
         "repo": "nvim-tree.lua",
-        "rev": "c3c6544ee00333b0f1d6a13735d0dd302dba4f70",
+        "rev": "f1b3e6a7eb92da492bd693257367d9256839ed3d",
         "type": "github"
       },
       "original": {
@@ -378,29 +502,50 @@
     "nvim-treesitter-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1681121236,
-        "narHash": "sha256-iPsPDLhVKJ14iP1/2cCgcY9SCKK/DQz9Y0mQB1DqNiM=",
+        "lastModified": 1704470326,
+        "narHash": "sha256-/kyRtwWuW68zTETOmVpJWzC1iqzl+U0q0gvRVvmnEfI=",
         "owner": "nvim-treesitter",
         "repo": "nvim-treesitter",
-        "rev": "cc360a9beb1b30d172438f640e2c3450358c4086",
+        "rev": "49f1b9a7efc794be143f7ddcd60ce18e8164a7f8",
         "type": "github"
       },
       "original": {
         "owner": "nvim-treesitter",
-        "ref": "v0.9.0",
+        "ref": "master",
         "repo": "nvim-treesitter",
         "type": "github"
       }
     },
+    "proton-ge": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1700610476,
+        "narHash": "sha256-IoClZ6hl2lsz9OGfFgnz7vEAGlSY2+1K2lDEEsJQOfU=",
+        "type": "tarball",
+        "url": "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-25/GE-Proton8-25.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-25/GE-Proton8-25.tar.gz"
+      }
+    },
     "root": {
       "inputs": {
         "Comment-nvim-src": "Comment-nvim-src",
+        "age": "age",
+        "baleia-nvim-src": "baleia-nvim-src",
         "bufferline-nvim-src": "bufferline-nvim-src",
+        "bypass-paywalls-clean": "bypass-paywalls-clean",
         "cmp-nvim-lsp-src": "cmp-nvim-lsp-src",
         "darwin": "darwin",
         "disko": "disko",
+        "fidget-nvim-src": "fidget-nvim-src",
         "firefox-darwin": "firefox-darwin",
+        "hmts-nvim-src": "hmts-nvim-src",
         "home-manager": "home-manager",
+        "nextcloud-cookbook": "nextcloud-cookbook",
+        "nextcloud-external": "nextcloud-external",
+        "nextcloud-news": "nextcloud-news",
         "nil": "nil",
         "nix2vim": "nix2vim",
         "nixos-generators": "nixos-generators",
@@ -410,12 +555,20 @@
         "nvim-lspconfig-src": "nvim-lspconfig-src",
         "nvim-tree-lua-src": "nvim-tree-lua-src",
         "nvim-treesitter-src": "nvim-treesitter-src",
+        "proton-ge": "proton-ge",
         "telescope-nvim-src": "telescope-nvim-src",
         "telescope-project-nvim-src": "telescope-project-nvim-src",
         "toggleterm-nvim-src": "toggleterm-nvim-src",
+        "tree-sitter-bash": "tree-sitter-bash",
+        "tree-sitter-ini": "tree-sitter-ini",
+        "tree-sitter-lua": "tree-sitter-lua",
+        "tree-sitter-puppet": "tree-sitter-puppet",
+        "tree-sitter-python": "tree-sitter-python",
+        "tree-sitter-rasi": "tree-sitter-rasi",
         "vscode-terraform-snippets": "vscode-terraform-snippets",
         "wallpapers": "wallpapers",
-        "wsl": "wsl"
+        "wsl": "wsl",
+        "zenyd-mpv-scripts": "zenyd-mpv-scripts"
       }
     },
     "rust-overlay": {
@@ -430,11 +583,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1680488274,
-        "narHash": "sha256-0vYMrZDdokVmPQQXtFpnqA2wEgCCUXf5a3dDuDVshn0=",
+        "lastModified": 1688783586,
+        "narHash": "sha256-HHaM2hk2azslv1kH8zmQxXo2e7i5cKgzNIuK4yftzB0=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "7ec2ff598a172c6e8584457167575b3a1a5d80d8",
+        "rev": "7a29283cc242c2486fc67f60b431ef708046d176",
         "type": "github"
       },
       "original": {
@@ -473,19 +626,34 @@
         "type": "github"
       }
     },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "telescope-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1686302912,
-        "narHash": "sha256-fV3LLRwAPykVGc4ImOnUSP+WTrPp9Ad9OTfBJ6wqTMk=",
+        "lastModified": 1697004956,
+        "narHash": "sha256-7SqYFnfCjotOBhuX6Wx1IOhgMKoxaoI1a4SKz1d5RVM=",
         "owner": "nvim-telescope",
         "repo": "telescope.nvim",
-        "rev": "776b509f80dd49d8205b9b0d94485568236d1192",
+        "rev": "7011eaae0ac1afe036e30c95cf80200b8dc3f21a",
         "type": "github"
       },
       "original": {
         "owner": "nvim-telescope",
-        "ref": "0.1.2",
+        "ref": "0.1.4",
         "repo": "telescope.nvim",
         "type": "github"
       }
@@ -493,11 +661,11 @@
     "telescope-project-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1682606566,
-        "narHash": "sha256-H6lrPjpOUVleKHB0ziI+6dthg9ymitHhEWtcgYJTrKo=",
+        "lastModified": 1701464478,
+        "narHash": "sha256-touMCltcnqkrQYV1NtNeWLQeFVGt+WM3aIWIdKilA7w=",
         "owner": "nvim-telescope",
         "repo": "telescope-project.nvim",
-        "rev": "7c64b181dd4e72deddcf6f319e3bf1e95b2a2f30",
+        "rev": "1aaf16580a614601a7f7077d9639aeb457dc5559",
         "type": "github"
       },
       "original": {
@@ -509,20 +677,119 @@
     "toggleterm-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1685434104,
-        "narHash": "sha256-oiCnBrvft6XxiQtQH8E4F842xhh348SaTpHzaeb+iDY=",
+        "lastModified": 1695636777,
+        "narHash": "sha256-o8xzoo7OuYrPnKlfrupQ24Ja9hZy1qQVnvwO0FO+4zM=",
         "owner": "akinsho",
         "repo": "toggleterm.nvim",
-        "rev": "95204ece0f2a54c89c4395295432f9aeedca7b5f",
+        "rev": "faee9d60428afc7857e0927fdc18daa6c409fa64",
         "type": "github"
       },
       "original": {
         "owner": "akinsho",
-        "ref": "v2.7.0",
+        "ref": "v2.8.0",
         "repo": "toggleterm.nvim",
         "type": "github"
       }
     },
+    "tree-sitter-bash": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696959291,
+        "narHash": "sha256-VP7rJfE/k8KV1XN1w5f0YKjCnDMYU1go/up0zj1mabM=",
+        "owner": "tree-sitter",
+        "repo": "tree-sitter-bash",
+        "rev": "7331995b19b8f8aba2d5e26deb51d2195c18bc94",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tree-sitter",
+        "ref": "master",
+        "repo": "tree-sitter-bash",
+        "type": "github"
+      }
+    },
+    "tree-sitter-ini": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1699877527,
+        "narHash": "sha256-dYPeVTNWO4apY5dsjsKViavU7YtLeGTp6BzEemXhsEU=",
+        "owner": "justinmk",
+        "repo": "tree-sitter-ini",
+        "rev": "bcb84a2d4bcd6f55b911c42deade75c8f90cb0c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "justinmk",
+        "repo": "tree-sitter-ini",
+        "type": "github"
+      }
+    },
+    "tree-sitter-lua": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1694072484,
+        "narHash": "sha256-5t5w8KqbefInNbA12/jpNzmky/uOUhsLjKdEqpl1GEc=",
+        "owner": "MunifTanjim",
+        "repo": "tree-sitter-lua",
+        "rev": "9668709211b2e683f27f414454a8b51bf0a6bda1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "MunifTanjim",
+        "ref": "main",
+        "repo": "tree-sitter-lua",
+        "type": "github"
+      }
+    },
+    "tree-sitter-puppet": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1690231696,
+        "narHash": "sha256-YEjjy9WLwITERYqoeSVrRYnwVBIAwdc4o0lvAK9wizw=",
+        "owner": "amaanq",
+        "repo": "tree-sitter-puppet",
+        "rev": "9ce9a5f7d64528572aaa8d59459ba869e634086b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "amaanq",
+        "repo": "tree-sitter-puppet",
+        "type": "github"
+      }
+    },
+    "tree-sitter-python": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1700218345,
+        "narHash": "sha256-hXNxa895SyNOG7PH2vAIkWbcMjZDjWYDsCafBZuvnT0=",
+        "owner": "tree-sitter",
+        "repo": "tree-sitter-python",
+        "rev": "4bfdd9033a2225cc95032ce77066b7aeca9e2efc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tree-sitter",
+        "ref": "master",
+        "repo": "tree-sitter-python",
+        "type": "github"
+      }
+    },
+    "tree-sitter-rasi": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1678701563,
+        "narHash": "sha256-2nYZoLcrxxxiOJEySwHUm93lzMg8mU+V7LIP63ntFdA=",
+        "owner": "Fymyte",
+        "repo": "tree-sitter-rasi",
+        "rev": "371dac6bcce0df5566c1cfebde69d90ecbeefd2d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Fymyte",
+        "repo": "tree-sitter-rasi",
+        "type": "github"
+      }
+    },
     "vscode-terraform-snippets": {
       "flake": false,
       "locked": {
@@ -562,11 +829,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1687279045,
-        "narHash": "sha256-LR0dsXd/A07M61jclyBUW0wRojEQteWReKM35zoJXp0=",
+        "lastModified": 1704321386,
+        "narHash": "sha256-d2ZIWHHsVviiqLDUuezuNO6w+V87EW6M+DwtNLN/Hmk=",
         "owner": "nix-community",
         "repo": "NixOS-WSL",
-        "rev": "a8486b5d191f11d571f15d80b6e265d1712d01cf",
+        "rev": "c81bc3f9baa0571d03d1297faddf3a08737fe49e",
         "type": "github"
       },
       "original": {
@@ -574,6 +841,22 @@
         "repo": "NixOS-WSL",
         "type": "github"
       }
+    },
+    "zenyd-mpv-scripts": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650625438,
+        "narHash": "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=",
+        "owner": "zenyd",
+        "repo": "mpv-scripts",
+        "rev": "19ea069abcb794d1bf8fac2f59b50d71ab992130",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zenyd",
+        "repo": "mpv-scripts",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -9,7 +9,7 @@
 
     # Used for MacOS system config
     darwin = {
-      url = "github:/lnl7/nix-darwin/master";
+      url = "github:lnl7/nix-darwin/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -58,12 +58,13 @@
 
     # Nix language server
     nil = {
-      url = "github:oxalica/nil/2023-04-03";
+      url = "github:oxalica/nil/2023-08-09";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
     # Neovim plugins
     nvim-lspconfig-src = {
+      # https://github.com/neovim/nvim-lspconfig/tags
       url = "github:neovim/nvim-lspconfig/v0.1.6";
       flake = false;
     };
@@ -75,16 +76,22 @@
       url = "github:jose-elias-alvarez/null-ls.nvim";
       flake = false;
     };
+    baleia-nvim-src = {
+      # https://github.com/m00qek/baleia.nvim/tags
+      url = "github:m00qek/baleia.nvim";
+      flake = false;
+    };
     Comment-nvim-src = {
       url = "github:numToStr/Comment.nvim/v0.8.0";
       flake = false;
     };
     nvim-treesitter-src = {
-      url = "github:nvim-treesitter/nvim-treesitter/v0.9.0";
+      # https://github.com/nvim-treesitter/nvim-treesitter/tags
+      url = "github:nvim-treesitter/nvim-treesitter/master";
       flake = false;
     };
     telescope-nvim-src = {
-      url = "github:nvim-telescope/telescope.nvim/0.1.2";
+      url = "github:nvim-telescope/telescope.nvim/0.1.4";
       flake = false;
     };
     telescope-project-nvim-src = {
@@ -92,11 +99,11 @@
       flake = false;
     };
     toggleterm-nvim-src = {
-      url = "github:akinsho/toggleterm.nvim/v2.7.0";
+      url = "github:akinsho/toggleterm.nvim/v2.8.0";
       flake = false;
     };
     bufferline-nvim-src = {
-      url = "github:akinsho/bufferline.nvim/v4.2.0";
+      url = "github:akinsho/bufferline.nvim/v4.4.0";
       flake = false;
     };
     nvim-tree-lua-src = {
@@ -107,6 +114,89 @@
       url = "github:run-at-scale/vscode-terraform-doc-snippets";
       flake = false;
     };
+    hmts-nvim-src = {
+      url = "github:calops/hmts.nvim";
+      flake = false;
+    };
+    fidget-nvim-src = {
+      # https://github.com/j-hui/fidget.nvim/tags
+      url = "github:j-hui/fidget.nvim/v1.1.0";
+      flake = false;
+    };
+
+    # Tree-Sitter Grammars
+    tree-sitter-bash = {
+      url = "github:tree-sitter/tree-sitter-bash/master";
+      flake = false;
+    };
+    tree-sitter-python = {
+      url = "github:tree-sitter/tree-sitter-python/master";
+      flake = false;
+    };
+    tree-sitter-lua = {
+      url = "github:MunifTanjim/tree-sitter-lua/main";
+      flake = false;
+    };
+    tree-sitter-ini = {
+      url = "github:justinmk/tree-sitter-ini";
+      flake = false;
+    };
+    tree-sitter-puppet = {
+      url = "github:amaanq/tree-sitter-puppet";
+      flake = false;
+    };
+    tree-sitter-rasi = {
+      url = "github:Fymyte/tree-sitter-rasi";
+      flake = false;
+    };
+
+    # MPV Scripts
+    zenyd-mpv-scripts = {
+      url = "github:zenyd/mpv-scripts";
+      flake = false;
+    };
+
+    # Age encryption (pin because of failed builds)
+    age = {
+      url = "github:FiloSottile/age/v1.1.1";
+      flake = false;
+    };
+
+    # GE version of Proton for game compatibility
+    # Alternatively, could consider using https://github.com/fufexan/nix-gaming
+    proton-ge = {
+      # https://github.com/GloriousEggroll/proton-ge-custom/releases
+      url =
+        "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-25/GE-Proton8-25.tar.gz";
+      flake = false;
+    };
+
+    # Firefox addon from outside the extension store
+    bypass-paywalls-clean = {
+      # https://gitlab.com/magnolia1234/bpc-uploads/-/commits/master/?ref_type=HEADS
+      url = "gitlab:magnolia1234/bpc-uploads";
+      flake = false;
+    };
+
+    # Nextcloud Apps
+    nextcloud-news = {
+      # https://github.com/nextcloud/news/releases
+      url =
+        "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz";
+      flake = false;
+    };
+    nextcloud-external = {
+      # https://github.com/nextcloud-releases/external/releases
+      url =
+        "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
+      flake = false;
+    };
+    nextcloud-cookbook = {
+      # https://github.com/christianlupus-nextcloud/cookbook-releases/releases/
+      url =
+        "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz";
+      flake = false;
+    };
 
   };
 
@@ -124,11 +214,13 @@
         mail.server = "noahmasur.com";
         mail.imapHost = "imap.purelymail.com";
         mail.smtpHost = "smtp.purelymail.com";
-        dotfilesRepo = "git@github.com:nmasur/dotfiles";
+        dotfilesRepo = "https://github.com/nmasur/dotfiles";
         hostnames = {
           git = "git.${baseName}";
+          influxdb = "influxdb.${baseName}";
           metrics = "metrics.${baseName}";
           prometheus = "prom.${baseName}";
+          paperless = "paper.${baseName}";
           secrets = "vault.${baseName}";
           stream = "stream.${baseName}";
           content = "cloud.${baseName}";
@@ -145,6 +237,15 @@
         (import ./overlays/calibre-web.nix)
         (import ./overlays/disko.nix inputs)
         (import ./overlays/tree-sitter.nix inputs)
+        (import ./overlays/caddy.nix inputs)
+        (import ./overlays/mpv-scripts.nix inputs)
+        (import ./overlays/nextcloud-apps.nix inputs)
+        (import ./overlays/betterlockscreen.nix)
+        (import ./overlays/age.nix inputs)
+        (import ./overlays/proton-ge.nix inputs)
+        (import ./overlays/gh-collaborators.nix)
+        (import ./overlays/bypass-paywalls-clean.nix inputs)
+        (import ./overlays/terraform.nix)
       ];
 
       # System types to support.
@@ -223,6 +324,24 @@
 
         });
 
+      checks = forAllSystems (system:
+        let pkgs = import nixpkgs { inherit system overlays; };
+        in {
+          neovim = pkgs.runCommand "neovim-check-health" {
+            buildInputs = [ inputs.self.packages.${system}.neovim ];
+          } ''
+            mkdir -p $out
+            export HOME=$TMPDIR
+            nvim -c "checkhealth" -c "write $out/health.log" -c "quitall"
+
+            # Check for errors inside the health log
+            if $(grep "ERROR" $out/health.log); then
+              cat $out/health.log
+              exit 1
+            fi
+          '';
+        });
+
       # Templates for starting other projects quickly
       templates = rec {
         default = basic;

hosts/README.md

@@ -1,5 +1,7 @@
 # Hosts
 
+These are the individual machines managed by this flake.
+
 | Host                                       | Purpose             |
 | ---                                        | ---                 |
 | [aws](./aws/default.nix)                   | AWS AMI             |

hosts/aws/default.nix

@@ -4,14 +4,10 @@ inputs.nixos-generators.nixosGenerate {
   inherit system;
   format = "amazon";
   modules = [
+    globals
     inputs.home-manager.nixosModules.home-manager
     {
       nixpkgs.overlays = overlays;
-      user = globals.user;
-      fullName = globals.fullName;
-      dotfilesRepo = globals.dotfilesRepo;
-      gitName = globals.gitName;
-      gitEmail = globals.gitEmail;
       networking.hostName = "sheep";
       gui.enable = false;
       theme.colors = (import ../../colorscheme/gruvbox).dark;

hosts/flame/default.nix

@@ -3,6 +3,7 @@
 
 # How to install:
 # https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
+# These days, probably use nixos-anywhere instead.
 
 { inputs, globals, overlays, ... }:
 
@@ -21,39 +22,48 @@ inputs.nixpkgs.lib.nixosSystem {
       server = true;
       networking.hostName = "flame";
 
+      # Not sure what's necessary but too afraid to remove anything
       imports = [ (inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
       boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" ];
 
+      # File systems must be declared in order to boot
+
+      # This is the root filesystem containing NixOS
+      # I forgot to set a clean label for it
       fileSystems."/" = {
         device = "/dev/disk/by-uuid/e1b6bd50-306d-429a-9f45-78f57bc597c3";
         fsType = "ext4";
       };
 
+      # This is the boot filesystem for systemd-boot
       fileSystems."/boot" = {
         device = "/dev/disk/by-uuid/D5CA-237A";
         fsType = "vfat";
       };
 
       # Theming
-      gui.enable = false;
-      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
-      # Disable passwords, only use SSH key
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
+      # Server doesn't require GUI
+      gui.enable = false;
+
+      # Still require colors for programs like Neovim, K9S
+      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
       # Programs and services
       cloudflare.enable = true; # Proxy traffic with Cloudflare
       dotfiles.enable = true; # Clone dotfiles
       neovim.enable = true;
-
+      giteaRunner.enable = true;
       services.caddy.enable = true;
       services.grafana.enable = true;
-      services.prometheus.enable = true;
+      services.openssh.enable = true;
+      services.victoriametrics.enable = true;
+      services.influxdb2.enable = true;
       services.gitea.enable = true;
       services.vaultwarden.enable = true;
       services.minecraft-server.enable = true; # Setup Minecraft server
 
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "bd250ee1-ed2e-42d2-b627-039f1eb5a4d2";
@@ -62,8 +72,6 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK/6oyVqjFGX3Uvrc3VS8J9sphxzAnRzKC85xgkHfYgR3TK6qBGXzHrknEj21xeZrr3G2y1UsGzphWJd9ZfIcdA= open-ssh-ca@cloudflareaccess.org";
       };
 
-      giteaRunner.enable = true;
-
       # Nextcloud backup config
       backup.s3 = {
         endpoint = "s3.us-west-002.backblazeb2.com";
@@ -71,8 +79,9 @@ inputs.nixpkgs.lib.nixosSystem {
         accessKeyId = "0026b0e73b2e2c80000000005";
       };
 
-      # # Grant access to Jellyfin directories from Nextcloud
-      # users.users.nextcloud.extraGroups = [ "jellyfin" ];
+      # Disable passwords, only use SSH key
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
 
       # # Wireguard config for Transmission
       # wireguard.enable = true;
@@ -103,9 +112,6 @@ inputs.nixpkgs.lib.nixosSystem {
       # # VPN port forwarding
       # services.transmission.settings.peer-port = 57599;
 
-      # # Grant access to Transmission directories from Jellyfin
-      # users.users.jellyfin.extraGroups = [ "transmission" ];
-
     }
   ];
 }

hosts/hydra/default.nix

@@ -22,7 +22,7 @@ inputs.nixpkgs.lib.nixosSystem {
         colors = (import ../../colorscheme/gruvbox).dark;
         dark = true;
       };
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
       wsl = {
         enable = true;
         wslConf.automount.root = "/mnt";

hosts/lookingglass/default.nix

@@ -37,6 +37,7 @@ inputs.darwin.lib.darwinSystem {
       nixlang.enable = true;
       terraform.enable = true;
       python.enable = true;
+      rust.enable = true;
       lua.enable = true;
       kubernetes.enable = true;
       _1password.enable = true;

hosts/swan/default.nix

@@ -13,10 +13,14 @@ inputs.nixpkgs.lib.nixosSystem {
     ../../modules/common
     ../../modules/nixos
     {
+      nixpkgs.overlays = overlays;
+
       # Hardware
       server = true;
+      physical = true;
       networking.hostName = "swan";
 
+      # Not sure what's necessary but too afraid to remove anything
       boot.initrd.availableKernelModules =
         [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
 
@@ -29,36 +33,55 @@ inputs.nixpkgs.lib.nixosSystem {
         "amdgpu.cik_support=1"
         "amdgpu.dc=1"
       ];
+
+      # Required binary blobs to boot on this machine
       hardware.enableRedistributableFirmware = true;
 
+      # Prioritize efficiency over performance
       powerManagement.cpuFreqGovernor = "powersave";
+
+      # Allow firmware updates
       hardware.cpu.intel.updateMicrocode = true;
 
       # ZFS
       zfs.enable = true;
       # Generated with: head -c 8 /etc/machine-id
       networking.hostId = "600279f4"; # Random ID required for ZFS
+
+      # Sets root ext4 filesystem instead of declaring it manually
       disko = {
         enableConfig = true;
         devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });
       };
+
+      # Automatically load the ZFS pool on boot
       boot.zfs.extraPools = [ "tank" ];
 
+      # Theming
+
+      # Server doesn't require GUI
       gui.enable = false;
+
+      # Still require colors for programs like Neovim, K9S
       theme = { colors = (import ../../colorscheme/gruvbox).dark; };
-      nixpkgs.overlays = overlays;
+
+      # Programs and services
       neovim.enable = true;
       cloudflare.enable = true;
       dotfiles.enable = true;
       arrs.enable = true;
-
+      services.bind.enable = true;
       services.caddy.enable = true;
       services.jellyfin.enable = true;
       services.nextcloud.enable = true;
       services.calibre-web.enable = true;
-      services.prometheus.enable = true;
+      services.openssh.enable = true;
+      services.prometheus.enable = false;
+      services.vmagent.enable = true;
       services.samba.enable = true;
+      services.paperless.enable = true;
 
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
@@ -67,6 +90,7 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
       };
 
+      # Send regular backups and litestream for DBs to an S3-like bucket
       backup.s3 = {
         endpoint = "s3.us-west-002.backblazeb2.com";
         bucket = "noahmasur-backup";

hosts/tempest/default.nix

@@ -17,14 +17,25 @@ inputs.nixpkgs.lib.nixosSystem {
       physical = true;
       networking.hostName = "tempest";
 
+      # Not sure what's necessary but too afraid to remove anything
       boot.initrd.availableKernelModules =
         [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+
+      # Graphics and VMs
       boot.initrd.kernelModules = [ "amdgpu" ];
       boot.kernelModules = [ "kvm-amd" ];
       services.xserver.videoDrivers = [ "amdgpu" ];
+
+      # Required binary blobs to boot on this machine
       hardware.enableRedistributableFirmware = true;
+
+      # Prioritize performance over efficiency
       powerManagement.cpuFreqGovernor = "performance";
+
+      # Allow firmware updates
       hardware.cpu.amd.updateMicrocode = true;
+
+      # Helps reduce GPU fan noise under idle loads
       hardware.fancontrol.enable = true;
       hardware.fancontrol.config = ''
         # Configuration file generated by pwmconfig, changes will be lost
@@ -41,22 +52,29 @@ inputs.nixpkgs.lib.nixosSystem {
         MAXPWM=hwmon0/pwm1=240
       '';
 
+      # File systems must be declared in order to boot
+
+      # This is the root filesystem containing NixOS
       fileSystems."/" = {
         device = "/dev/disk/by-label/nixos";
         fsType = "ext4";
       };
 
+      # This is the boot filesystem for Grub
       fileSystems."/boot" = {
         device = "/dev/disk/by-label/boot";
         fsType = "vfat";
       };
 
-      # Must be prepared ahead
-      identityFile = "/home/${globals.user}/.ssh/id_ed25519";
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
+      # Secrets must be prepared ahead before deploying
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
 
       # Theming
+
+      # Turn on all features related to desktop and graphical applications
       gui.enable = true;
+
+      # Set the system-wide theme, also used for non-graphical programs
       theme = {
         colors = (import ../../colorscheme/gruvbox-dark).dark;
         dark = true;
@@ -81,17 +99,22 @@ inputs.nixpkgs.lib.nixosSystem {
       keybase.enable = true;
       mullvad.enable = false;
       nixlang.enable = true;
+      rust.enable = true;
       yt-dlp.enable = true;
       gaming = {
         dwarf-fortress.enable = true;
         enable = true;
         steam.enable = true;
-        legendary.enable = true;
+        legendary.enable = false; # Electron marked as insecure
         lutris.enable = true;
         leagueoflegends.enable = true;
         ryujinx.enable = true;
       };
+      services.vmagent.enable = true; # Enables Prometheus metrics
+      services.openssh.enable =
+        true; # Required for Cloudflare tunnel and identity file
 
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
@@ -100,6 +123,11 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPY6C0HmdFCaxYtJxFr3qV4/1X4Q8KrYQ1hlme3u1hJXK+xW+lc9Y9glWHrhiTKilB7carYTB80US0O47gI5yU4= open-ssh-ca@cloudflareaccess.org";
       };
 
+      # Allows requests to force machine to wake up
+      # This network interface might change, needs to be set specifically for each machine.
+      # Or set usePredictableInterfaceNames = false
+      networking.interfaces.enp5s0.wakeOnLan.enable = true;
+
     }
   ];
 }

misc/README.md

@@ -0,0 +1,21 @@
+# Miscellaneous
+
+These files contain important data sourced by the configuration, or simply
+information to store for safekeeping later.
+
+---
+
+Creating hashed password for [password.sha512](./password.sha512):
+
+```
+mkpasswd -m sha-512
+```
+
+---
+
+Getting key for [public-keys](./public-keys):
+
+```
+ssh-keyscan -t ed25519 <hostname>
+```
+

misc/libratbag-profile

@@ -0,0 +1,23 @@
+Profile 1: (active)
+Name: n/a
+Report Rate: 1000Hz
+Resolutions:
+  0: 400dpi (active) (default)
+  1: 800dpi
+  2: 1600dpi
+  3: 2400dpi
+  4: 0dpi
+Button: 0 is mapped to 'button 1'
+Button: 1 is mapped to 'button 2'
+Button: 2 is mapped to 'button 3'
+Button: 3 is mapped to 'button 4'
+Button: 4 is mapped to 'button 5'
+Button: 5 is mapped to macro '↕F11'
+Button: 6 is mapped to macro '↕VOLUMEDOWN'
+Button: 7 is mapped to macro '↕VOLUMEUP'
+Button: 8 is mapped to 'unknown'
+Button: 9 is mapped to 'wheel-right'
+Button: 10 is mapped to 'wheel-left'
+LED: 0, depth: monochrome, mode: on, color: 000000
+LED: 1, depth: monochrome, mode: on, color: 000000
+LED: 2, depth: monochrome, mode: on, color: 000000

misc/public-keys

@@ -1,5 +1,6 @@
 # Scan hosts: ssh-keyscan -t ed25519 <hostnames>
 
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s tempest
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s personal
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVknmPi7sG6ES0G0jcsvebzKGWWaMfJTYgvOue6EULI flame
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9mwXlZnIALt9SnH3FOZvdgHLM5ZqwYUERXBbM7Rwh6 swan
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC3yHivgEXr2ecwe58h9bkhwTYivf3GwL8xenQKMeiUb tempest

modules/README.md

@@ -5,4 +5,5 @@
 | [common](./common/default.nix) | User programs and OS-agnostic configuration |
 | [darwin](./darwin/default.nix) | macOS-specific configuration                |
 | [nixos](./nixos/default.nix)   | NixOS-specific configuration                |
+| [wsl](./wsl/default.nix)       | WSL-specific configuration                  |
 

modules/common/applications/firefox.nix

@@ -16,6 +16,7 @@
     unfreePackages = [
       (lib.mkIf config._1password.enable "onepassword-password-manager")
       "okta-browser-plugin"
+      "wappalyzer"
     ];
 
     home-manager.users.${config.user} = {
@@ -29,20 +30,21 @@
           name = "default";
           isDefault = true;
           extensions = with pkgs.nur.repos.rycee.firefox-addons; [
-            ublock-origin
-            vimium
-            multi-account-containers
-            facebook-container
             (lib.mkIf config._1password.enable onepassword-password-manager)
+            pkgs.bypass-paywalls-clean
+            darkreader
+            don-t-fuck-with-paste
+            facebook-container
+            markdownload
+            multi-account-containers
             okta-browser-plugin
-            sponsorblock
             reddit-enhancement-suite
             return-youtube-dislikes
-            markdownload
-            darkreader
             snowflake
-            don-t-fuck-with-paste
-            i-dont-care-about-cookies
+            sponsorblock
+            ublock-origin
+            ublacklist
+            vimium
             wappalyzer
           ];
           settings = {
@@ -73,6 +75,9 @@
             "media.ffmpeg.vaapi.enabled" =
               true; # Enable hardware video acceleration
             "cookiebanners.ui.desktop.enabled" = true; # Reject cookie popups
+            "devtools.command-button-screenshot.enabled" =
+              true; # Scrolling screenshot of entire page
+            "svg.context-properties.content.enabled" = true; # Sidebery styling
           };
           userChrome = ''
             :root {
@@ -113,7 +118,7 @@
               background-color: ${config.theme.colors.base00};
               color: ${config.theme.colors.base06} !important;
             }
-            .tab-content[selected=true] {
+            .tab-content[selected] {
               border-bottom: 2px solid color-mix(in srgb, var(--identity-tab-color) 25%, transparent);
               background-color: ${config.theme.colors.base01} !important;
               color: ${config.theme.colors.base07} !important;

modules/common/applications/kitty.nix

@@ -28,13 +28,22 @@
       programs.rofi.terminal =
         lib.mkIf pkgs.stdenv.isLinux "${pkgs.kitty}/bin/kitty";
 
+      # Display images in the terminal
+      programs.fish.shellAliases = {
+        icat = "kitty +kitten icat";
+        ssh = "kitty +kitten ssh";
+      };
+
       programs.kitty = {
         enable = true;
         environment = { };
         extraConfig = "";
         font.size = 14;
         keybindings = {
+          # Use shift+enter to complete text suggestions in fish
           "shift+enter" = "send_text all \\x1F";
+
+          # Easy fullscreen toggle (for macOS)
           "super+f" = "toggle_fullscreen";
         };
         settings = {
@@ -85,7 +94,6 @@
           # Scrollback
           scrolling_lines = 10000;
           scrollback_pager_history_size = 10; # MB
-          scrollback_pager = "${pkgs.neovim}/bin/nvim -c 'normal G'";
 
           # Window
           window_padding_width = 6;
@@ -93,7 +101,7 @@
           tab_bar_edge = "top";
           tab_bar_style = "slant";
 
-          # Audio
+          # Disable audio
           enable_audio_bell = false;
         };
       };

modules/common/applications/media.nix

@@ -22,8 +22,8 @@
         enable = true;
         bindings = { };
         config = {
-          image-display-duration = 2;
-          hwdec = "auto-safe";
+          image-display-duration = 2; # For cycling through images
+          hwdec = "auto-safe"; # Attempt to use GPU decoding for video
         };
         scripts = [
 
@@ -31,25 +31,11 @@
           pkgs.mpvScripts.autoload
 
           # Delete current file after quitting
-          (pkgs.stdenv.mkDerivation rec {
-            pname = "mpv-delete-file";
-            version = "0.1"; # made-up
-            src = pkgs.fetchFromGitHub {
-              owner = "zenyd";
-              repo = "mpv-scripts";
-              rev = "19ea069abcb794d1bf8fac2f59b50d71ab992130";
-              sha256 = "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=";
-            } + "/delete_file.lua";
-            dontBuild = true;
-            dontUnpack = true;
-            installPhase =
-              "install -Dm644 ${src} $out/share/mpv/scripts/delete_file.lua";
-            passthru.scriptName = "delete_file.lua";
-          })
+          pkgs.mpvScripts.mpv-delete-file
         ];
       };
 
-      # Set default for opening PDFs
+      # Set default programs for opening PDFs and other media
       xdg.mimeApps = {
         associations.added = {
           "application/pdf" = [ "pwmt.zathura-cb.desktop" ];

modules/common/applications/obsidian.nix

@@ -15,8 +15,9 @@
       home.packages = with pkgs; [ obsidian ];
     };
 
-    # Broken on 2023-04-16
-    nixpkgs.config.permittedInsecurePackages = [ "electron-21.4.0" ];
+    # Broken on 2023-12-11
+    # https://forum.obsidian.md/t/electron-25-is-now-eol-please-upgrade-to-a-newer-version/72878/8
+    nixpkgs.config.permittedInsecurePackages = [ "electron-25.9.0" ];
 
   };
 

modules/common/default.nix

@@ -59,7 +59,7 @@
     };
     dotfilesRepo = lib.mkOption {
       type = lib.types.str;
-      description = "Link to dotfiles repository.";
+      description = "Link to dotfiles repository HTTPS URL.";
     };
     unfreePackages = lib.mkOption {
       type = lib.types.listOf lib.types.str;
@@ -75,10 +75,18 @@
         type = lib.types.str;
         description = "Hostname for metrics server.";
       };
+      paperless = lib.mkOption {
+        type = lib.types.str;
+        description = "Hostname for document server (paperless-ngx).";
+      };
       prometheus = lib.mkOption {
         type = lib.types.str;
         description = "Hostname for Prometheus server.";
       };
+      influxdb = lib.mkOption {
+        type = lib.types.str;
+        description = "Hostname for InfluxDB2 server.";
+      };
       secrets = lib.mkOption {
         type = lib.types.str;
         description = "Hostname for passwords and secrets (Vaultwarden).";

modules/common/mail/default.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  imports = [ ./himalaya.nix ./aerc.nix ];
+  imports = [ ./himalaya.nix ./aerc.nix ./system.nix ];
 
   options = {
     mail.enable = lib.mkEnableOption "Mail service.";
@@ -27,15 +27,32 @@
 
     home-manager.users.${config.user} = {
       programs.mbsync = { enable = true; };
+
+      # Automatically check for mail and keep files synced locally
       services.mbsync = lib.mkIf pkgs.stdenv.isLinux {
         enable = true;
         frequency = "*:0/5";
         postExec = "${pkgs.notmuch}/bin/notmuch new";
       };
+
+      # Used to watch for new mail and trigger sync
       services.imapnotify.enable = pkgs.stdenv.isLinux;
-      programs.notmuch.enable = true;
+
+      # Allows sending email from CLI/sendmail
+      programs.msmtp.enable = true;
+
+      # Better local mail search
+      programs.notmuch = {
+        enable = true;
+        new.ignore =
+          [ ".mbsyncstate.lock" ".mbsyncstate.journal" ".mbsyncstate.new" ];
+      };
+
       accounts.email = {
+
+        # Where email files are stored
         maildirBasePath = "${config.homePath}/mail";
+
         accounts = {
           home = let address = "${config.mail.user}@${config.mail.server}";
           in {
@@ -48,13 +65,17 @@
               "hey"
               "admin"
             ];
+
+            # Options for contact completion
             alot = { };
-            flavor = "plain";
+
             imap = {
               host = config.mail.imapHost;
               port = 993;
               tls.enable = true;
             };
+
+            # Watch for mail and run notifications or sync
             imapnotify = {
               enable = true;
               boxes = [ "Inbox" ];
@@ -63,7 +84,11 @@
                 config.home-manager.users.${config.user}.services.dunst.enable
                 "${pkgs.libnotify}/bin/notify-send 'New mail arrived'";
             };
+
+            # Name of the directory in maildir for this account
             maildir = { path = "main"; };
+
+            # Bi-directional syncing options for local files
             mbsync = {
               enable = true;
               create = "both";
@@ -74,12 +99,17 @@
                 CopyArrivalDate = "yes"; # Sync time of original message
               };
             };
+
+            # Enable indexing
             notmuch.enable = true;
+
+            # Used to login and send and receive emails
             passwordCommand =
-              "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
+              "${pkgs.age}/bin/age --decrypt --identity ~/.ssh/id_ed25519 ${
                 pkgs.writeText "mailpass.age"
                 (builtins.readFile ../../../private/mailpass.age)
               }";
+
             smtp = {
               host = config.mail.smtpHost;
               port = 465;

modules/common/mail/system.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }: {
+
+  config = lib.mkIf (config.mail.enable || config.server) {
+
+    home-manager.users.${config.user} = {
+
+      programs.msmtp.enable = true;
+
+      # The system user for sending automatic notifications
+      accounts.email.accounts.system =
+        let address = "system@${config.mail.server}";
+        in {
+          userName = address;
+          realName = "NixOS System";
+          primary = !config.mail.enable; # Only primary if mail not enabled
+          inherit address;
+          passwordCommand =
+            "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
+              pkgs.writeText "mailpass-system.age"
+              (builtins.readFile ../../../private/mailpass-system.age)
+            }";
+          msmtp.enable = true;
+          smtp = {
+            host = config.mail.smtpHost;
+            port = 465;
+            tls.enable = true;
+          };
+        };
+
+    };
+
+  };
+
+}

modules/common/neovim/config/align.nix

@@ -1,4 +1,7 @@
 { pkgs, ... }: {
+
+  # Plugin for aligning text programmatically
+
   plugins = [ pkgs.vimPlugins.tabular ];
   lua = ''
     -- Align

modules/common/neovim/config/bufferline.nix

@@ -1,4 +1,7 @@
 { pkgs, ... }: {
+
+  # Shows buffers in a VSCode-style tab layout
+
   plugins = [
     pkgs.vimPlugins.bufferline-nvim
     pkgs.vimPlugins.vim-bbye # Better closing of buffers

modules/common/neovim/config/colors.nix

@@ -1,5 +1,7 @@
 { pkgs, lib, config, ... }: {
 
+  # Sets Neovim colors based on Nix colorscheme
+
   options.colors = lib.mkOption {
     type = lib.types.attrsOf lib.types.str;
     description = "Attrset of base16 colorscheme key value pairs.";

modules/common/neovim/config/completion.nix

@@ -24,12 +24,14 @@
       end
     '';
 
+    # Enable Luasnip snippet completion
     snippet.expand = dsl.rawLua ''
       function(args)
           require("luasnip").lsp_expand(args.body)
       end
     '';
 
+    # Basic completion keybinds
     mapping = {
       "['<C-n>']" = dsl.rawLua
         "require('cmp').mapping.select_next_item({ behavior = require('cmp').SelectBehavior.Insert })";
@@ -64,24 +66,26 @@
       '';
     };
 
+    # These are where the completion engine gets its suggestions
     sources = [
-      { name = "nvim_lua"; }
-      { name = "nvim_lsp"; }
-      { name = "luasnip"; }
-      { name = "path"; }
+      { name = "nvim_lua"; } # Fills in common Neovim lua functions
+      { name = "nvim_lsp"; } # LSP results
+      { name = "luasnip"; } # Snippets
+      { name = "path"; } # Shell completion from current PATH
       {
-        name = "buffer";
+        name = "buffer"; # Grep for text from the current text buffer
         keyword_length = 3;
         max_item_count = 10;
       }
       {
-        name = "rg";
+        name = "rg"; # Grep for text from the current directory
         keyword_length = 6;
         max_item_count = 10;
         option = { additional_arguments = "--ignore-case"; };
       }
     ];
 
+    # Styling of the completion menu
     formatting = {
       fields = [ "kind" "abbr" "menu" ];
       format = dsl.rawLua ''

modules/common/neovim/config/github.lua

@@ -0,0 +1,14 @@
+-- Keymap to open file in GitHub web
+vim.keymap.set("n", "<Leader>gr", ":!gh browse %<CR><CR>", { silent = true })
+
+-- Pop a terminal to watch the current run
+local gitwatch =
+    require("toggleterm.terminal").Terminal:new({ cmd = "fish --interactive --init-command 'gh run watch'" })
+
+-- Set a toggle for this terminal
+function GITWATCH_TOGGLE()
+    gitwatch:toggle()
+end
+
+-- Keymap to toggle the run
+vim.keymap.set("n", "<Leader>gw", GITWATCH_TOGGLE)

modules/common/neovim/config/kubernetes.lua

@@ -0,0 +1,6 @@
+local k9s = require("toggleterm.terminal").Terminal:new({ cmd = "k9s" })
+function K9S_TOGGLE()
+    k9s:toggle()
+end
+
+vim.keymap.set("n", "<Leader>9", K9S_TOGGLE)

modules/common/neovim/config/lsp.nix

@@ -1,28 +1,63 @@
-{ pkgs, dsl, ... }: {
+{ pkgs, lib, config, dsl, ... }: {
 
+  # Terraform optional because non-free
+  options.terraform = lib.mkEnableOption "Whether to enable Terraform LSP";
+  options.github = lib.mkEnableOption "Whether to enable GitHub features";
+  options.kubernetes =
+    lib.mkEnableOption "Whether to enable Kubernetes features";
+
+  config =
+
+    let
+
+      terraformFormat = if config.terraform then ''
+        require("null-ls").builtins.formatting.terraform_fmt.with({
+            command = "${pkgs.terraform}/bin/terraform",
+            extra_filetypes = { "hcl" },
+        }),
+      '' else
+        "";
+
+    in {
       plugins = [
         pkgs.vimPlugins.nvim-lspconfig
-    pkgs.vimPlugins.lsp-colors-nvim
         pkgs.vimPlugins.null-ls-nvim
+        pkgs.vimPlugins.fidget-nvim
       ];
 
+      setup.fidget = { };
+
       use.lspconfig.lua_ls.setup = dsl.callWith {
         settings = { Lua = { diagnostics = { globals = [ "vim" "hs" ]; }; }; };
-    capabilities = dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
+        capabilities =
+          dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
         cmd = [ "${pkgs.lua-language-server}/bin/lua-language-server" ];
       };
 
       use.lspconfig.nil_ls.setup = dsl.callWith {
         cmd = [ "${pkgs.nil}/bin/nil" ];
-    capabilities = dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
+        capabilities =
+          dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
       };
 
       use.lspconfig.pyright.setup = dsl.callWith {
         cmd = [ "${pkgs.pyright}/bin/pyright-langserver" "--stdio" ];
       };
 
-  use.lspconfig.terraformls.setup =
-    dsl.callWith { cmd = [ "${pkgs.terraform-ls}/bin/terraform-ls" "serve" ]; };
+      use.lspconfig.terraformls.setup = dsl.callWith {
+        cmd = if config.terraform then [
+          "${pkgs.terraform-ls}/bin/terraform-ls"
+          "serve"
+        ] else
+          [ "echo" ];
+      };
+
+      use.lspconfig.rust_analyzer.setup = dsl.callWith {
+        cmd = [ "${pkgs.rust-analyzer}/bin/rust-analyzer" ];
+        settings = {
+          "['rust-analyzer']" = { check = { command = "clippy"; }; };
+        };
+      };
 
       vim.api.nvim_create_augroup = dsl.callWith [ "LspFormatting" { } ];
 
@@ -45,10 +80,7 @@
                     command = "${pkgs.shfmt}/bin/shfmt",
                     extra_args = { "-i", "4", "-ci" },
                 }),
-            require("null-ls").builtins.formatting.terraform_fmt.with({
-                command = "${pkgs.terraform}/bin/terraform",
-                extra_filetypes = { "hcl" },
-            }),
+                ${terraformFormat}
             },
 
             on_attach = function(client, bufnr)
@@ -73,4 +105,6 @@
         })
       '';
 
+    };
+
 }

modules/common/neovim/config/misc.nix

@@ -7,11 +7,14 @@
     pkgs.vimPlugins.comment-nvim # Smart comment commands
     pkgs.vimPlugins.glow-nvim # Markdown preview popup
     pkgs.vimPlugins.nvim-colorizer-lua # Hex color previews
+    pkgs.vimPlugins.which-key-nvim # Keybind helper
   ];
 
+  # Initialize some plugins
   setup.Comment = { };
-  setup.colorizer = { };
+  setup.colorizer = { user_default_options = { names = false; }; };
   setup.glow = { };
+  setup.which-key = { };
 
   vim.o = {
     termguicolors = true; # Set to truecolor
@@ -41,11 +44,17 @@
     relativenumber = true; # Relative numbers instead of absolute
   };
 
+  # For which-key-nvim
+  vim.o.timeout = true;
+  vim.o.timeoutlen = 300;
+
   # Better backup, swap and undo storage
   vim.o.backup = true; # Easier to recover and more secure
   vim.bo.swapfile = false; # Instead of swaps, create backups
   vim.bo.undofile = true; # Keeps undos after quit
-  vim.o.backupdir = dsl.rawLua ''vim.fn.stdpath("cache") .. "/backup"'';
+  vim.o.backupdir =
+    dsl.rawLua ''vim.fn.expand("~/.local/state/nvim/backup//")'';
+  vim.o.undodir = dsl.rawLua ''vim.fn.expand("~/.local/state/nvim/undo//")'';
 
   # Required for nvim-cmp completion
   vim.opt.completeopt = [ "menu" "menuone" "noselect" ];
@@ -60,10 +69,6 @@
     " Remember last position when reopening file
     au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$") | exe "normal! g`\"" | endif
 
-    " LaTeX options
-    au FileType tex inoremap ;bf \textbf{}<Esc>i
-    au BufWritePost *.tex silent! execute "!pdflatex -output-directory=%:p:h % >/dev/null 2>&1" | redraw!
-
     " Flash highlight when yanking
     au TextYankPost * silent! lua vim.highlight.on_yank { timeout = 250 }
   '';

modules/common/neovim/config/syntax.nix

@@ -4,6 +4,7 @@
     (pkgs.vimPlugins.nvim-treesitter.withPlugins (_plugins:
       with pkgs.tree-sitter-grammars; [
         tree-sitter-bash
+        # tree-sitter-c
         tree-sitter-fish
         tree-sitter-hcl
         tree-sitter-ini
@@ -22,7 +23,9 @@
     pkgs.vimPlugins.playground # Tree-sitter experimenting
     pkgs.vimPlugins.nginx-vim
     pkgs.vimPlugins.vim-helm
-    (pkgs.vimUtils.buildVimPluginFrom2Nix {
+    pkgs.baleia-nvim # Clean ANSI from kitty scrollback
+    # pkgs.hmts-nvim # Tree-sitter injections for home-manager
+    (pkgs.vimUtils.buildVimPlugin {
       pname = "nmasur";
       version = "0.1";
       src = ../plugin;

modules/common/neovim/config/telescope.nix

@@ -1,5 +1,7 @@
 { pkgs, dsl, ... }: {
 
+  # Telescope is a fuzzy finder that can work with different sub-plugins
+
   plugins = [
     pkgs.vimPlugins.telescope-nvim
     pkgs.vimPlugins.project-nvim

modules/common/neovim/config/toggleterm.lua

@@ -12,6 +12,8 @@ vim.api.nvim_create_autocmd("TermOpen", {
     end,
 })
 
+-- These are all the different types of terminals we can trigger
+
 local terminal = require("toggleterm.terminal").Terminal
 
 local basicterminal = terminal:new()
@@ -24,17 +26,5 @@ function NIXPKGS_TOGGLE()
     nixpkgs:toggle()
 end
 
-local gitwatch = terminal:new({ cmd = "fish --interactive --init-command 'gh run watch'" })
-function GITWATCH_TOGGLE()
-    gitwatch:toggle()
-end
-
-local k9s = terminal:new({ cmd = "k9s" })
-function K9S_TOGGLE()
-    k9s:toggle()
-end
-
 vim.keymap.set("n", "<Leader>t", TERM_TOGGLE)
 vim.keymap.set("n", "<Leader>P", NIXPKGS_TOGGLE)
-vim.keymap.set("n", "<Leader>gw", GITWATCH_TOGGLE)
-vim.keymap.set("n", "<Leader>9", K9S_TOGGLE)

modules/common/neovim/config/toggleterm.nix

@@ -1,4 +1,6 @@
-{ pkgs, dsl, ... }: {
+{ pkgs, dsl, config, ... }: {
+
+  # Toggleterm provides a floating terminal inside the editor for quick access
 
   plugins = [ pkgs.vimPlugins.toggleterm-nvim ];
 
@@ -8,6 +10,10 @@
     direction = "float";
   };
 
-  lua = builtins.readFile ./toggleterm.lua;
+  lua = ''
+    ${builtins.readFile ./toggleterm.lua}
+    ${if config.github then (builtins.readFile ./github.lua) else ""}
+    ${if config.kubernetes then (builtins.readFile ./kubernetes.lua) else ""}
+  '';
 
 }

modules/common/neovim/config/tree.nix

@@ -1,5 +1,7 @@
 { pkgs, dsl, ... }: {
 
+  # This plugin creates a side drawer for navigating the current project
+
   plugins = [ pkgs.vimPlugins.nvim-tree-lua pkgs.vimPlugins.nvim-web-devicons ];
 
   # Disable netrw eagerly
@@ -10,16 +12,16 @@
   };
 
   setup.nvim-tree = {
-    disable_netrw = true;
-    hijack_netrw = true;
-    sync_root_with_cwd = true;
-    respect_buf_cwd = true;
-    update_focused_file = {
+    disable_netrw = true; # Disable the built-in file manager
+    hijack_netrw = true; # Works as the file manager
+    sync_root_with_cwd = true; # Change project whenever currend dir changes
+    respect_buf_cwd = true; # Change to exact location of focused buffer
+    update_focused_file = { # Change project based on the focused buffer
       enable = true;
       update_root = true;
       ignore_list = { };
     };
-    diagnostics = {
+    diagnostics = { # Enable LSP and linter integration
       enable = true;
       icons = {
         hint = "";
@@ -28,7 +30,7 @@
         error = "";
       };
     };
-    renderer = {
+    renderer = { # Show files with changes vs. current commit
       icons = {
         glyphs = {
           git = {
@@ -43,6 +45,7 @@
         };
       };
     };
+    # Set keybinds and initialize program
     on_attach = dsl.rawLua ''
       function (bufnr)
         local api = require('nvim-tree.api')
@@ -58,15 +61,15 @@
         vim.keymap.set('n', 'v', api.node.open.vertical, opts('Open: Vertical Split'))
       end
     '';
-    view = {
+    view = { # Set look and feel
       width = 30;
-      hide_root_folder = false;
       side = "left";
       number = false;
       relativenumber = false;
     };
   };
 
+  # Toggle the sidebar
   lua = ''
     vim.keymap.set("n", "<Leader>e", ":NvimTreeFindFileToggle<CR>", { silent = true })
   '';

modules/common/neovim/default.nix

@@ -5,6 +5,9 @@ let
   neovim = import ./package {
     inherit pkgs;
     colors = config.theme.colors;
+    terraform = config.terraform.enable;
+    github = true;
+    kubernetes = config.kubernetes.enable;
   };
 
 in {
@@ -18,11 +21,17 @@ in {
 
         home.packages = [ neovim ];
 
+        # Use Neovim as the editor for git commit messages
         programs.git.extraConfig.core.editor = "nvim";
+        programs.jujutsu.settings.ui.editor = "nvim";
+
+        # Set Neovim as the default app for text editing and manual pages
         home.sessionVariables = {
           EDITOR = "nvim";
           MANPAGER = "nvim +Man!";
         };
+
+        # Create quick aliases for launching Neovim
         programs.fish = {
           shellAliases = { vim = "nvim"; };
           shellAbbrs = {
@@ -31,12 +40,20 @@ in {
             vll = "nvim -c 'Telescope oldfiles'";
           };
         };
-        programs.kitty.settings.scrollback_pager = lib.mkForce ''
-          ${neovim}/bin/nvim -c 'setlocal nonumber nolist showtabline=0 foldcolumn=0|Man!' -c "autocmd VimEnter * normal G" -'';
 
+        # Set Neovim as the kitty terminal "scrollback" (vi mode) option.
+        # Requires removing some of the ANSI escape codes that are sent to the
+        # scrollback using sed and baleia, as well as removing several
+        # unnecessary features.
+        programs.kitty.settings.scrollback_pager = ''
+          $SHELL -c 'sed -r "s/[[:cntrl:]]\]133;[AC]..//g" | ${neovim}/bin/nvim -c "setlocal nonumber norelativenumber nolist laststatus=0" -c "lua baleia = require(\"baleia\").setup({}); baleia.once(0)" -c "map <silent> q :qa!<CR>" -c "autocmd VimEnter * normal G"' '';
+
+        # Create a desktop option for launching Neovim from a file manager
+        # (Requires launching the terminal and then executing Neovim)
         xdg.desktopEntries.nvim = lib.mkIf pkgs.stdenv.isLinux {
           name = "Neovim wrapper";
           exec = "kitty nvim %F";
+          mimeType = [ "text/plain" "text/markdown" ];
         };
         xdg.mimeApps.defaultApplications = lib.mkIf pkgs.stdenv.isLinux {
           "text/plain" = [ "nvim.desktop" ];
@@ -45,9 +62,6 @@ in {
 
       };
 
-    # # Used for icons in Vim
-    # fonts.fonts = with pkgs; [ nerdfonts ];
-
   };
 
 }

modules/common/neovim/lua/keybinds.lua

@@ -39,7 +39,6 @@ key("n", "<Leader>fs", ":write<CR>")
 key("n", "<Leader>fd", ":lcd %:p:h<CR>", { silent = true })
 key("n", "<Leader>fu", ":lcd ..<CR>", { silent = true })
 key("n", "<Leader><Tab>", ":b#<CR>", { silent = true })
-key("n", "<Leader>gr", ":!gh repo view -w<CR><CR>", { silent = true })
 key("n", "<Leader>tt", [[<Cmd>exe 'edit $NOTES_PATH/journal/'.strftime("%Y-%m-%d_%a").'.md'<CR>]])
 key("n", "<Leader>jj", ":!journal<CR>:e<CR>")
 
@@ -65,6 +64,12 @@ key("n", "<C-Down>", ":resize -2<CR>", { silent = true })
 key("n", "<C-Left>", ":vertical resize -2<CR>", { silent = true })
 key("n", "<C-Right>", ":vertical resize +2<CR>", { silent = true })
 
+-- Quickfix
+key("n", "]q", ":cnext<CR>")
+key("n", "[q", ":cprevious<CR>")
+key("n", "co", ":copen<CR>")
+key("n", "cq", ":cclose<CR>")
+
 -- Other
 key("n", "<A-CR>", ":noh<CR>", { silent = true })           --- Clear search in VimWiki
 key("n", "Y", "y$")                                         --- Copy to end of line

modules/common/neovim/package/default.nix

@@ -26,13 +26,13 @@
 #   ] ++ extraConfig;
 # }
 
-{ pkgs, colors, ... }:
+{ pkgs, colors, terraform ? false, github ? false, kubernetes ? false, ... }:
 
 # Comes from nix2vim overlay:
 # https://github.com/gytis-ivaskevicius/nix2vim/blob/master/lib/neovim-builder.nix
 pkgs.neovimBuilder {
   package = pkgs.neovim-unwrapped;
-  inherit colors;
+  inherit colors terraform github kubernetes;
   imports = [
     ../config/align.nix
     ../config/bufferline.nix

modules/common/programming/default.nix

@@ -6,6 +6,7 @@
     ./lua.nix
     ./nix.nix
     ./python.nix
+    ./rust.nix
     ./terraform.nix
   ];
 

modules/common/programming/rust.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }: {
+
+  options.rust.enable = lib.mkEnableOption "Rust programming language.";
+
+  config = lib.mkIf config.rust.enable {
+
+    home-manager.users.${config.user} = {
+
+      programs.fish.shellAbbrs = { ca = "cargo"; };
+
+      home.packages = with pkgs; [ cargo rustc clippy gcc ];
+
+    };
+
+  };
+
+}

modules/common/programming/terraform.nix

@@ -3,6 +3,7 @@
   options.terraform.enable = lib.mkEnableOption "Terraform tools.";
 
   config = lib.mkIf config.terraform.enable {
+    unfreePackages = [ "terraform" ];
 
     home-manager.users.${config.user} = {
       programs.fish.shellAbbrs = {

modules/common/repositories/dotfiles.nix

@@ -1,5 +1,7 @@
 { config, pkgs, lib, ... }: {
 
+  # Allows me to make sure I can work on my dotfiles locally
+
   options.dotfiles.enable = lib.mkEnableOption "Clone dotfiles.";
 
   config = lib.mkIf config.dotfiles.enable {
@@ -14,13 +16,8 @@
           [ "writeBoundary" ] ''
             if [ ! -d "${config.dotfilesPath}" ]; then
                 $DRY_RUN_CMD mkdir --parents $VERBOSE_ARG $(dirname "${config.dotfilesPath}")
-
-                # Force HTTPS because anonymous SSH doesn't work
-                GIT_CONFIG_COUNT=1 \
-                    GIT_CONFIG_KEY_0="url.https://github.com/.insteadOf" \
-                    GIT_CONFIG_VALUE_0="git@github.com:" \
-                    $DRY_RUN_CMD \
-                    ${pkgs.git}/bin/git clone ${config.dotfilesRepo} "${config.dotfilesPath}"
+                $DRY_RUN_CMD ${pkgs.git}/bin/git \
+                    clone ${config.dotfilesRepo} "${config.dotfilesPath}"
             fi
           '';
 

modules/common/repositories/notes.nix

@@ -1,5 +1,8 @@
 { config, ... }: {
 
+  # This is just a placeholder as I expect to interact with my notes in a
+  # certain location
+
   home-manager.users.${config.user} = {
 
     home.sessionVariables = {

modules/common/shell/bash/scripts/docker-cleanup.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Stop all containers
+if [ "$(docker ps -a -q)" ]; then
+    echo "Stopping docker containers..."
+    docker stop "$(docker ps -a -q)"
+else
+    echo "No running docker containers."
+fi
+
+# Remove all stopped containers
+if [ "$(docker ps -a -q)" ]; then
+    echo "Removing docker containers..."
+    docker rm "$(docker ps -a -q)"
+else
+    echo "No stopped docker containers."
+fi
+
+# Remove all untagged images
+if docker images | grep -q "^<none>"; then
+    docker rmi "$(docker images | grep "^<none>" | awk '{print $3}')"
+else
+    echo "No untagged docker images."
+fi
+
+echo "Cleaned up docker."

modules/common/shell/charm.nix

@@ -1,5 +1,7 @@
 { config, pkgs, lib, ... }: {
 
+  # Convenience utilities from charm.sh
+
   options.charm.enable = lib.mkEnableOption "Charm utilities.";
 
   config.home-manager.users.${config.user} = lib.mkIf config.charm.enable {
@@ -8,6 +10,7 @@
       glow # Markdown previews
       skate # Key-value store
       charm # Manage account and filesystem
+      pop # Send emails from a TUI
     ];
 
   };

modules/common/shell/default.nix

@@ -7,6 +7,7 @@
     ./fzf.nix
     ./git.nix
     ./github.nix
+    ./jujutsu.nix
     ./nixpkgs.nix
     ./starship.nix
     ./utilities.nix

modules/common/shell/direnv.nix

@@ -1,11 +1,28 @@
 { config, ... }: {
 
+  # Enables quickly entering Nix shells when changing directories
   home-manager.users.${config.user}.programs.direnv = {
     enable = true;
     nix-direnv.enable = true;
     config = { whitelist = { prefix = [ config.dotfilesPath ]; }; };
   };
 
+  # programs.direnv.direnvrcExtra = ''
+  #   layout_postgres() {
+  #       export PGDATA="$(direnv_layout_dir)/postgres"
+  #       export PGHOST="$PGDATA"
+  #
+  #       if [[ ! -d "PGDATA" ]]; then
+  #           initdb
+  #           cat >> "$PGDATA/postgres.conf" <<- EOF
+  #                   listen_addresses = '''
+  #                   unix_socket_directories = '$PGHOST'
+  #           EOF
+  #           echo "CREATE DATABASE $USER;" | postgres --single -E postgres
+  #       fi
+  #   }
+  # '';
+
   # Prevent garbage collection
   nix.extraOptions = ''
     keep-outputs = true

modules/common/shell/fish/default.nix

@@ -1,19 +1,24 @@
 { config, pkgs, lib, ... }: {
 
   users.users.${config.user}.shell = pkgs.fish;
-  programs.fish.enable =
-    true; # Needed for LightDM to remember username (TODO: fix)
+  programs.fish.enable = true; # Needed for LightDM to remember username
 
   home-manager.users.${config.user} = {
 
     # Packages used in abbreviations and aliases
-    home.packages = with pkgs; [ curl exa ];
+    home.packages = with pkgs; [ curl ];
 
     programs.fish = {
       enable = true;
       shellAliases = {
+
+        # Version of bash which works much better on the terminal
         bash = "${pkgs.bashInteractive}/bin/bash";
-        ls = "exa";
+
+        # Use eza (exa) instead of ls for fancier output
+        ls = "${pkgs.eza}/bin/eza --group";
+
+        # Move files to XDG trash on the commandline
         trash = lib.mkIf pkgs.stdenv.isLinux "${pkgs.trash-cli}/bin/trash-put";
       };
       functions = {
@@ -118,9 +123,6 @@
         dr = "docker run --rm -it";
         db = "docker build . -t";
 
-        # Rust
-        ca = "cargo";
-
       };
       shellInit = "";
     };

modules/common/shell/fzf.nix

@@ -1,5 +1,7 @@
 { config, ... }: {
 
+  # FZF is a fuzzy-finder for the terminal
+
   home-manager.users.${config.user} = {
 
     programs.fzf.enable = true;

modules/common/shell/git.nix

@@ -58,6 +58,7 @@ in {
           git switch (git symbolic-ref refs/remotes/origin/HEAD | cut -d"/" -f4)'';
         gcob = "git switch -c";
         gb = "git branch";
+        gpd = "git push origin -d";
         gbd = "git branch -d";
         gbD = "git branch -D";
         gr = "git reset";

modules/common/shell/github.nix

@@ -5,8 +5,9 @@
     programs.gh =
       lib.mkIf config.home-manager.users.${config.user}.programs.git.enable {
         enable = true;
-        enableGitCredentialHelper = true;
+        gitCredentialHelper.enable = true;
         settings.git_protocol = "https";
+        extensions = [ pkgs.gh-collaborators ];
       };
 
     programs.fish =
@@ -14,7 +15,7 @@
         shellAbbrs = {
           ghr = "gh repo view -w";
           gha =
-            "gh run list | head -1 | awk '{ print $(NF-2) }' | xargs gh run view";
+            "gh run list | head -1 | awk '{ print \\$\\(NF-2\\) }' | xargs gh run view";
           grw = "gh run watch";
           grf = "gh run view --log-failed";
           grl = "gh run view --log";

modules/common/shell/jujutsu.nix

@@ -0,0 +1,21 @@
+{ config, ... }: {
+
+  config = {
+
+    home-manager.users.${config.user}.programs.jujutsu = {
+      enable = true;
+      enableFishIntegration = true;
+
+      # https://github.com/martinvonz/jj/blob/main/docs/config.md
+      settings = {
+        user = {
+          name = config.home-manager.users.${config.user}.programs.git.userName;
+          email =
+            config.home-manager.users.${config.user}.programs.git.userEmail;
+        };
+      };
+    };
+
+  };
+
+}

modules/common/shell/nixpkgs.nix

@@ -73,6 +73,9 @@
       path = builtins.toString pkgs.path;
     };
 
+    # For security, only allow specific users
+    settings.allowed-users = [ "@wheel" config.user ];
+
   };
 
 }

modules/common/shell/utilities.nix

@@ -23,7 +23,10 @@ in {
         dig # DNS lookup
         fd # find
         htop # Show system processes
+        killall # Force quit
         inetutils # Includes telnet, whois
+        jless # JSON viewer
+        jo # JSON output
         jq # JSON manipulation
         lf # File viewer
         qrencode # Generate qr codes
@@ -34,16 +37,20 @@ in {
         tree # View directory hierarchy
         vimv-rs # Batch rename files
         unzip # Extract zips
+        dua # File sizes (du)
+        du-dust # Disk usage tree (ncdu)
+        duf # Basic disk information (df)
       ];
 
       programs.zoxide.enable = true; # Shortcut jump command
 
       home.file = {
         ".rgignore".text = ignorePatterns;
-        ".fdignore".text = ignorePatterns;
         ".digrc".text = "+noall +answer"; # Cleaner dig commands
       };
 
+      xdg.configFile."fd/ignore".text = ignorePatterns;
+
       programs.bat = {
         enable = true; # cat replacement
         config = {
@@ -52,10 +59,6 @@ in {
         };
       };
 
-      programs.fish.shellAbbrs = {
-        cat = "bat"; # Swap cat with bat
-      };
-
       programs.fish.functions = {
         ping = {
           description = "Improved ping";

modules/darwin/hammerspoon.nix

@@ -20,12 +20,22 @@
         };
       xdg.configFile."hammerspoon/Spoons/MoveWindow.spoon".source =
         ./hammerspoon/Spoons/MoveWindow.spoon;
+
+      home.activation.reloadHammerspoon =
+        config.home-manager.users.${config.user}.lib.dag.entryAfter
+        [ "writeBoundary" ] ''
+          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.reload()"
+          $DRY_RUN_CMD sleep 1
+          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.console.clearConsole()"
+        '';
+
     };
 
     homebrew.casks = [ "hammerspoon" ];
 
     system.activationScripts.postUserActivation.text = ''
       defaults write org.hammerspoon.Hammerspoon MJConfigFile "~/.config/hammerspoon/init.lua"
+      sudo killall Dock
     '';
 
   };

modules/darwin/hammerspoon/Spoons/Launcher.spoon/init.lua

@@ -54,14 +54,19 @@ function obj:init()
     end)
 
     -- Launcher shortcuts
-    self.launcher:bind("ctrl", "space", function()
-    end)
+    self.launcher:bind("ctrl", "space", function() end)
     self.launcher:bind("", "return", function()
         self:switch("@kitty@")
     end)
     self.launcher:bind("", "C", function()
         self:switch("Calendar.app")
     end)
+    self.launcher:bind("shift", "D", function()
+        hs.execute("launchctl remove com.paloaltonetworks.gp.pangps")
+        hs.execute("launchctl remove com.paloaltonetworks.gp.pangpa")
+        hs.alert.show("Disconnected from GlobalProtect", nil, nil, 4)
+        self.launcher:exit()
+    end)
     self.launcher:bind("", "E", function()
         self:switch("Mail.app")
     end)
@@ -80,6 +85,12 @@ function obj:init()
     self.launcher:bind("", "P", function()
         self:switch("System Preferences.app")
     end)
+    self.launcher:bind("shift", "P", function()
+        hs.execute("launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist")
+        hs.execute("launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist")
+        hs.alert.show("Reconnecting to GlobalProtect", nil, nil, 4)
+        self.launcher:exit()
+    end)
     self.launcher:bind("", "R", function()
         hs.console.clearConsole()
         hs.reload()

modules/darwin/hammerspoon/Spoons/MoveWindow.spoon/worklayout.lua

@@ -55,6 +55,15 @@ local function worklayout()
         local layout = concat(left, right, laptop)
         hs.layout.apply(layout)
     end)
+
+    -- Reload Hammerspoon whenever layout changes
+    hs.screen.watcher.new(function()
+        -- Pause for 5 seconds to give time for layout to change
+        hs.timer.doAfter(5, function()
+            -- Perform the actual reload
+            hs.reload()
+        end)
+    end)
 end
 
 return worklayout

modules/darwin/hammerspoon/init.lua

@@ -2,3 +2,4 @@ hs.loadSpoon("ControlEscape"):start() -- Load Hammerspoon bits from https://gith
 hs.loadSpoon("Launcher"):init()
 hs.loadSpoon("DismissAlerts"):init()
 hs.loadSpoon("MoveWindow"):init()
+hs.ipc.cliInstall() -- Install Hammerspoon CLI program

modules/darwin/homebrew.nix

@@ -42,6 +42,7 @@
         "obsidian" # Obsidian packaging on Nix is not available for macOS
         "scroll-reverser" # Different scroll style for mouse vs. trackpad
         "steam" # Not packaged for Nix
+        "epic-games" # Not packaged for Nix
       ];
     };
 

modules/darwin/utilities.nix

@@ -2,6 +2,8 @@
 
 {
 
+  unfreePackages = [ "consul" "vault-bin" ];
+
   home-manager.users.${config.user} = lib.mkIf pkgs.stdenv.isDarwin {
 
     home.packages = with pkgs; [
@@ -11,11 +13,12 @@
       youtube-dl # Convert web videos
       pandoc # Convert text documents
       mpd # TUI slideshows
+      mpv # Video player
       awscli2
       awslogs
       google-cloud-sdk
       ansible
-      vault
+      vault-bin
       consul
       noti # Create notifications programmatically
       ipcalc # Make IP network calculations

modules/nixos/applications/calibre.nix

@@ -14,6 +14,8 @@
       home.packages = with pkgs; [ calibre ];
       # home.sessionVariables = { CALIBRE_USE_DARK_PALETTE = 1; };
     };
+
+    # Forces Calibre to use dark mode
     environment.sessionVariables = { CALIBRE_USE_DARK_PALETTE = "1"; };
   };
 }

modules/nixos/applications/nautilus.nix

@@ -18,12 +18,14 @@
 
     home-manager.users.${config.user} = {
 
+      # Quick button for launching nautilus
       xsession.windowManager.i3.config.keybindings = {
         "${
           config.home-manager.users.${config.user}.xsession.windowManager.i3.config.modifier
         }+n" = "exec --no-startup-id ${pkgs.gnome.nautilus}/bin/nautilus";
       };
 
+      # Generates a QR code and previews it with sushi
       programs.fish.functions = {
         qr = {
           body =
@@ -31,7 +33,7 @@
         };
       };
 
-      # Set default for opening directories
+      # Set Nautilus as default for opening directories
       xdg.mimeApps = {
         associations.added."inode/directory" = [ "org.gnome.Nautilus.desktop" ];
         # associations.removed = {
@@ -40,6 +42,7 @@
         defaultApplications."inode/directory" =
           lib.mkBefore [ "org.gnome.Nautilus.desktop" ];
       };
+
     };
 
     # # Set default for opening directories
@@ -50,6 +53,13 @@
     #     lib.mkForce [ "org.gnome.Nautilus.desktop" ];
     # };
 
+    # Delete Trash files older than 1 week
+    systemd.user.services.empty-trash = {
+      description = "Empty Trash on a regular basis";
+      wantedBy = [ "default.target" ];
+      script = "${pkgs.trash-cli}/bin/trash-empty 7";
+    };
+
   };
 
 }

modules/nixos/gaming/steam.nix

@@ -22,6 +22,15 @@
 
     ];
 
+    # Adapted in part from: https://github.com/Shawn8901/nix-configuration/blob/1c48be94238a9f463cf0bbd1e1842a4454286514/modules/nixos/steam-compat-tools/default.nix
+    # Based on: https://github.com/NixOS/nixpkgs/issues/73323
+    environment.sessionVariables.STEAM_EXTRA_COMPAT_TOOLS_PATHS =
+      lib.makeBinPath [ pkgs.proton-ge-custom ];
+
+    # Seems like NetworkManager can help speed up Steam launch
+    # https://www.reddit.com/r/archlinux/comments/qguhco/steam_startup_time_arch_1451_seconds_fedora_34/hi8opet/
+    networking.networkmanager.enable = true;
+
   };
 
 }

modules/nixos/graphical/default.nix

@@ -3,6 +3,7 @@
   imports = [
     ./dunst.nix
     ./fonts.nix
+    ./gtk.nix
     ./i3.nix
     ./picom.nix
     ./polybar.nix

modules/nixos/graphical/fonts.nix

@@ -6,7 +6,7 @@ in {
 
   config = lib.mkIf (config.gui.enable && pkgs.stdenv.isLinux) {
 
-    fonts.fonts = with pkgs; [
+    fonts.packages = with pkgs; [
       victor-mono # Used for Vim and Terminal
       (nerdfonts.override { fonts = [ "Hack" ]; }) # For Polybar, Rofi
     ];

modules/nixos/graphical/gtk.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }: {
+
+  options = {
+    gtk.theme = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        description = "Theme name for GTK applications";
+      };
+      package = lib.mkOption {
+        type = lib.types.package;
+        description = "Theme package for GTK applications";
+        default = pkgs.gnome-themes-extra;
+      };
+    };
+  };
+
+  config = lib.mkIf config.gui.enable {
+
+    home-manager.users.${config.user} = {
+
+      gtk = let
+        gtkExtraConfig = {
+          gtk-application-prefer-dark-theme = config.theme.dark;
+        };
+      in {
+        enable = true;
+        theme = {
+          name = config.gtk.theme.name;
+          package = config.gtk.theme.package;
+        };
+        gtk3.extraConfig = gtkExtraConfig;
+        gtk4.extraConfig = gtkExtraConfig;
+      };
+
+    };
+
+    # Required for setting GTK theme (for preferred-color-scheme in browser)
+    services.dbus.packages = [ pkgs.dconf ];
+    programs.dconf.enable = true;
+
+    # Make the login screen dark
+    services.xserver.displayManager.lightdm.greeters.gtk.theme = {
+      name = config.gtk.theme.name;
+      package = config.gtk.theme.package;
+    };
+
+    environment.sessionVariables = { GTK_THEME = config.gtk.theme.name; };
+
+  };
+
+}

modules/nixos/graphical/i3.nix

@@ -45,7 +45,7 @@ in {
               { class = "obsidian"; }
             ];
             "${ws3}" = [{ class = "discord"; }];
-            "${ws4}" = [{ class = "Steam"; }];
+            "${ws4}" = [ { class = "steam"; } { class = "Steam"; } ];
           };
           bars = [{ command = "echo"; }]; # Disable i3bar
           colors = let

modules/nixos/graphical/polybar.nix

@@ -36,7 +36,7 @@
             module-margin = 1;
             modules-left = "i3";
             modules-center = "xwindow";
-            modules-right = "mailcount pulseaudio date power";
+            modules-right = "mailcount network pulseaudio date keyboard power";
             cursor-click = "pointer";
             cursor-scroll = "ns-resize";
             enable-ipc = true;
@@ -106,8 +106,14 @@
             interval = 10;
             format = "<label>";
             exec = builtins.toString (pkgs.writeShellScript "mailcount.sh" ''
-              ${pkgs.notmuch}/bin/notmuch new > /dev/null
-              UNREAD=$(${pkgs.notmuch}/bin/notmuch count is:inbox and is:unread and folder:main/Inbox)
+              ${pkgs.notmuch}/bin/notmuch new --quiet 2>&1>/dev/null
+              UNREAD=$(
+                  ${pkgs.notmuch}/bin/notmuch count \
+                      is:inbox and \
+                      is:unread and \
+                      folder:main/Inbox \
+                      2>/dev/null
+              )
               if [ $UNREAD = "0" ]; then
                 echo ""
               else
@@ -118,6 +124,16 @@
               "i3-msg 'exec --no-startup-id kitty --class aerc aerc'; sleep 0.15; i3-msg '[class=aerc] focus'";
 
           };
+          "module/network" = {
+            type = "internal/network";
+            interface-type = "wired";
+            interval = 3;
+            accumulate-stats = true;
+            format-connected = "<label-connected>";
+            format-disconnected = "<label-disconnected>";
+            label-connected = "";
+            label-disconnected = "";
+          };
           "module/pulseaudio" = {
             type = "internal/pulseaudio";
             # format-volume-prefix = "VOL ";
@@ -127,10 +143,10 @@
             # label-volume-background = colors.background;
             format-volume-foreground = config.theme.colors.base0B;
             label-volume = "%percentage%%";
-            label-muted = "ﱝ ---";
+            label-muted = "󰝟 ---";
             label-muted-foreground = config.theme.colors.base03;
             ramp-volume-0 = "";
-            ramp-volume-1 = "墳";
+            ramp-volume-1 = "󰕾";
             ramp-volume-2 = "";
             click-right = config.audioSwitchCommand;
           };
@@ -184,10 +200,17 @@
             label-foreground = config.theme.colors.base0A;
             # format-background = colors.background;
           };
+          "module/keyboard" = {
+            type = "custom/text";
+            content = "󰌌";
+            click-left = "doas systemctl restart keyd";
+            content-foreground = config.theme.colors.base04;
+          };
           "module/power" = {
             type = "custom/text";
             content = "  ";
             click-left = config.powerCommand;
+            click-right = "polybar-msg cmd restart";
             content-foreground = config.theme.colors.base04;
           };
           "settings" = {

modules/nixos/graphical/rofi.nix

@@ -59,7 +59,7 @@ in {
             border = mkLiteral "0px";
             border-radius = mkLiteral "0px";
             border-color = mkLiteral config.theme.colors.base04;
-            children = map mkLiteral [ "inputbar" "listview" ];
+            children = map mkLiteral [ "inputbar" "message" "listview" ];
             spacing = mkLiteral "10px";
             padding = mkLiteral "10px";
           };

modules/nixos/graphical/rofi/power.nix

@@ -25,7 +25,7 @@ in {
         | ${rofi}/bin/rofi \
             -theme-str '@import "power.rasi"' \
             -hover-select \
-            -me-select-entry ''' \
+            -me-select-entry "" \
             -me-accept-entry MousePrimary \
             -dmenu \
             -sep ';' \

modules/nixos/graphical/rofi/rofi-prompt.sh

@@ -32,7 +32,7 @@ done
 chosen=$(printf '%s;%s\n' "$yes" "$no" |
     rofi -theme-str '@import "prompt.rasi"' \
         -hover-select \
-        -me-select-entry '' \
+        -me-select-entry "" \
         -me-accept-entry MousePrimary \
         -p "$query" \
         -dmenu \

modules/nixos/graphical/rofi/themes/prompt.rasi

@@ -4,14 +4,13 @@
  */
 @import "common.rasi"
 * {
-  font: @text-font;
+  font: @prompt-text-font;
 }
 #window {
   height: @prompt-window-height;
   width: @prompt-window-width;
   children: [ inputbar, horibox ];
   border: @prompt-window-border;
-  border-color: @accent;
 }
 #inputbar {
   enabled: false;
@@ -19,8 +18,6 @@
 #prompt {
   padding: @prompt-prompt-padding;
   margin: @prompt-prompt-margin;
-  background-color: @accent;
-  text-color: @background-light;
 }
 #listview {
   padding: @prompt-listview-padding;
@@ -31,19 +28,3 @@
   font: @prompt-text-font;
   padding: @prompt-element-padding;
 }
-element.alternate.active,
-element.normal.active,
-element.alternate.urgent,
-element.normal.urgent {
-  background-color: @background-light;
-  text-color: @foreground;
-}
-element.selected.urgent {
-  background-color: @off;
-  text-color: @background;
-}
-element.selected.active {
-  background-color: @on;
-  text-color: @background;
-}
-

modules/nixos/graphical/xorg.nix

@@ -1,27 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  options = {
-    gtk.theme = {
-      name = lib.mkOption {
-        type = lib.types.str;
-        description = "Theme name for GTK applications";
-      };
-      package = lib.mkOption {
-        type = lib.types.str;
-        description = "Theme package name for GTK applications";
-        default = "gnome-themes-extra";
-      };
-    };
-  };
-
-  config = let
-
-    gtkTheme = {
-      name = config.gtk.theme.name;
-      package = pkgs."${config.gtk.theme.package}";
-    };
-
-  in lib.mkIf config.gui.enable {
+  config = lib.mkIf config.gui.enable {
 
     # Enable the X11 windowing system.
     services.xserver = {
@@ -36,10 +15,8 @@
           enable = config.services.xserver.enable;
           background = config.wallpaper;
 
-          # Make the login screen dark
-          greeters.gtk.theme = gtkTheme;
-
           # Show default user
+          # Also make sure /var/lib/AccountsService/users/<user> has SystemAccount=false
           extraSeatDefaults = ''
             greeter-hide-users = false
           '';
@@ -54,12 +31,6 @@
         xclip # Clipboard
       ];
 
-    # Required for setting GTK theme (for preferred-color-scheme in browser)
-    services.dbus.packages = [ pkgs.dconf ];
-    programs.dconf.enable = true;
-
-    environment.sessionVariables = { GTK_THEME = config.gtk.theme.name; };
-
     home-manager.users.${config.user} = {
 
       programs.fish.shellAliases = {
@@ -67,17 +38,6 @@
         pbpaste = "xclip -selection clipboard -out";
       };
 
-      gtk = let
-        gtkExtraConfig = {
-          gtk-application-prefer-dark-theme = config.theme.dark;
-        };
-      in {
-        enable = true;
-        theme = gtkTheme;
-        gtk3.extraConfig = gtkExtraConfig;
-        gtk4.extraConfig = gtkExtraConfig;
-      };
-
     };
 
   };

modules/nixos/hardware/boot.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  boot.loader = lib.mkIf config.physical {
+  boot.loader = lib.mkIf (config.physical && !config.server) {
     grub = {
       enable = true;
 

modules/nixos/hardware/keyboard.nix

@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, pkgs, ... }: {
 
   config = {
 
@@ -15,8 +15,17 @@
     # Use capslock as escape and/or control
     services.keyd = {
       enable = true;
+      keyboards = {
+        default = {
+          ids = [ "*" ];
           settings = { main = { capslock = "overload(control, esc)"; }; };
         };
+      };
+    };
+
+    # For some reason, keyd doesn't restart properly when updating
+    system.activationScripts.keyd.text =
+      "${pkgs.systemd}/bin/systemctl restart keyd.service";
 
     # Enable num lock on login
     home-manager.users.${config.user}.xsession.numlock.enable = true;

modules/nixos/hardware/networking.nix

@@ -1,13 +1,8 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }: {
 
   config = lib.mkIf config.physical {
 
-    # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-    # Per-interface useDHCP will be mandatory in the future, so this generated config
-    # replicates the default behaviour.
-    networking.useDHCP = false;
-    networking.interfaces.enp5s0.useDHCP = true;
-    networking.interfaces.wlp4s0.useDHCP = true;
+    networking.useDHCP = !config.networking.networkmanager.enable;
 
     networking.firewall.allowPing = lib.mkIf config.server true;
 
@@ -15,6 +10,9 @@
     services.avahi = {
       enable = true;
       domainName = "local";
+      ipv6 = false; # Should work either way
+      # Resolve local hostnames using Avahi DNS
+      nssmdns4 = true;
       publish = {
         enable = true;
         addresses = true;
@@ -23,8 +21,10 @@
       };
     };
 
-    # Resolve local hostnames using Avahi DNS
-    services.avahi.nssmdns = true;
+    environment.systemPackages = [
+      (pkgs.writeShellScriptBin "wake-tempest"
+        "${pkgs.wakeonlan}/bin/wakeonlan --ip=192.168.1.255 74:56:3C:40:37:5D")
+    ];
 
   };
 

modules/nixos/hardware/server.nix

@@ -1,6 +1,6 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
 
-  config = lib.mkIf (pkgs.stdenv.isLinux && config.server) {
+  config = lib.mkIf config.server {
 
     # Servers need a bootloader or they won't start
     boot.loader.systemd-boot.enable = true;

modules/nixos/hardware/sleep.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  config = lib.mkIf config.physical {
+  config = lib.mkIf (config.physical && !config.server) {
 
     # Prevent wake from keyboard
     powerManagement.powerDownCommands = ''

modules/nixos/hardware/wifi.nix

@@ -3,7 +3,7 @@
   config = lib.mkIf (config.physical && pkgs.stdenv.isLinux) {
 
     # Enables wireless support via wpa_supplicant.
-    networking.wireless.enable = true;
+    networking.wireless.enable = !config.networking.networkmanager.enable;
 
     # Allows the user to control the WiFi settings.
     networking.wireless.userControlled.enable = true;

modules/nixos/hardware/zfs.nix

@@ -1,15 +1,20 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
 
   options = { zfs.enable = lib.mkEnableOption "ZFS file system."; };
 
-  config =
-    lib.mkIf (pkgs.stdenv.isLinux && config.server && config.zfs.enable) {
+  config = lib.mkIf (config.server && config.zfs.enable) {
 
     # Only use compatible Linux kernel, since ZFS can be behind
-      boot.kernelPackages =
-        config.boot.zfs.package.latestCompatibleLinuxPackages;
+    boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
     boot.kernelParams = [ "nohibernate" ];
     boot.supportedFilesystems = [ "zfs" ];
+    services.prometheus.exporters.zfs.enable =
+      config.prometheus.exporters.enable;
+    prometheus.scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.zfs.port
+      }"
+    ];
 
   };
 

modules/nixos/services/arr.nix

@@ -1,4 +1,31 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }:
+
+let
+
+  arrConfig = {
+    radarr = {
+      exportarrPort = "9707";
+      url = "localhost:7878";
+      apiKey = config.secrets.radarrApiKey.dest;
+    };
+    sonarr = {
+      exportarrPort = "9708";
+      url = "localhost:8989";
+      apiKey = config.secrets.sonarrApiKey.dest;
+    };
+    prowlarr = {
+      exportarrPort = "9709";
+      url = "localhost:9696";
+      apiKey = config.secrets.prowlarrApiKey.dest;
+    };
+    sabnzbd = {
+      exportarrPort = "9710";
+      url = "localhost:8085";
+      apiKey = config.secrets.sabnzbdApiKey.dest;
+    };
+  };
+
+in {
 
   options = { arrs.enable = lib.mkEnableOption "Arr services"; };
 
@@ -43,7 +70,7 @@
         }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:8989"; }];
+          upstreams = [{ dial = arrConfig.sonarr.url; }];
         }];
       }
       {
@@ -54,7 +81,7 @@
         }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:7878"; }];
+          upstreams = [{ dial = arrConfig.radarr.url; }];
         }];
       }
       {
@@ -76,7 +103,11 @@
         }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:6767"; }];
+          upstreams = [{
+            dial = "localhost:${
+                builtins.toString config.services.bazarr.listenPort
+              }";
+          }];
         }];
       }
       {
@@ -87,7 +118,7 @@
         }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:8085"; }];
+          upstreams = [{ dial = arrConfig.sabnzbd.url; }];
         }];
       }
       {
@@ -95,11 +126,83 @@
         match = [{ host = [ config.hostnames.download ]; }];
         handle = [{
           handler = "reverse_proxy";
-          upstreams = [{ dial = "localhost:5055"; }];
+          upstreams = [{
+            dial =
+              "localhost:${builtins.toString config.services.jellyseerr.port}";
+          }];
         }];
       }
     ];
 
+    # Enable Prometheus exporters
+    systemd.services = lib.mapAttrs' (name: attrs: {
+      name = "prometheus-${name}-exporter";
+      value = {
+        description = "Export Prometheus metrics for ${name}";
+        after = [ "network.target" ];
+        wantedBy = [ "${name}.service" ];
+        serviceConfig = {
+          Type = "simple";
+          DynamicUser = true;
+          ExecStart = let
+            url = if name != "sabnzbd" then
+              "http://${attrs.url}/${name}"
+            else
+              "http://${attrs.url}";
+          in ''
+            ${pkgs.exportarr}/bin/exportarr ${name} \
+                        --url ${url} \
+                        --port ${attrs.exportarrPort}'';
+          EnvironmentFile =
+            lib.mkIf (builtins.hasAttr "apiKey" attrs) attrs.apiKey;
+          Restart = "on-failure";
+          ProtectHome = true;
+          ProtectSystem = "strict";
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectHostname = true;
+          ProtectClock = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectKernelLogs = true;
+          ProtectControlGroups = true;
+          NoNewPrivileges = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          RemoveIPC = true;
+          PrivateMounts = true;
+        };
+      };
+    }) arrConfig;
+
+    # Secrets for Prometheus exporters
+    secrets.radarrApiKey = {
+      source = ../../../private/radarr-api-key.age;
+      dest = "/var/private/radarr-api";
+      prefix = "API_KEY=";
+    };
+    secrets.sonarrApiKey = {
+      source = ../../../private/sonarr-api-key.age;
+      dest = "/var/private/sonarr-api";
+      prefix = "API_KEY=";
+    };
+    secrets.prowlarrApiKey = {
+      source = ../../../private/prowlarr-api-key.age;
+      dest = "/var/private/prowlarr-api";
+      prefix = "API_KEY=";
+    };
+    secrets.sabnzbdApiKey = {
+      source = ../../../private/sabnzbd-api-key.age;
+      dest = "/var/private/sabnzbd-api";
+      prefix = "API_KEY=";
+    };
+
+    # Prometheus scrape targets
+    prometheus.scrapeTargets = map (key:
+      "127.0.0.1:${
+        lib.attrsets.getAttrFromPath [ key "exportarrPort" ] arrConfig
+      }") (builtins.attrNames arrConfig);
+
   };
 
 }

modules/nixos/services/bind.nix

@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+
+let
+
+  localIp = "192.168.1.218";
+  localServices = [
+    config.hostnames.stream
+    config.hostnames.content
+    config.hostnames.books
+    config.hostnames.download
+  ];
+  mkRecord = service: "${service}       A       ${localIp}";
+  localRecords = lib.concatLines (map mkRecord localServices);
+
+in {
+
+  config = lib.mkIf config.services.bind.enable {
+
+    caddy.cidrAllowlist = [ "192.168.0.0/16" ];
+
+    services.bind = {
+      cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
+      forwarders = [ "1.1.1.1" "1.0.0.1" ];
+      ipv4Only = true;
+
+      # Use rpz zone as an override
+      extraOptions = ''response-policy { zone "rpz"; };'';
+
+      zones = {
+        rpz = {
+          master = true;
+          file = pkgs.writeText "db.rpz" ''
+            $TTL 60  ; 1 minute
+            @       IN      SOA     localhost. root.localhost. (
+                                    2023071800      ; serial
+                                    1h              ; refresh
+                                    30m             ; retry
+                                    1w              ; expire
+                                    30m             ; minimum ttl
+                                    )
+                    IN      NS      localhost.
+            localhost       A       127.0.0.1
+            ${localRecords}
+          '';
+        };
+      };
+
+    };
+
+    networking.firewall.allowedTCPPorts = [ 53 ];
+    networking.firewall.allowedUDPPorts = [ 53 ];
+
+  };
+
+}

modules/nixos/services/caddy.nix

@@ -1,25 +1,41 @@
 { config, pkgs, lib, ... }: {
 
   options = {
-    caddy.tlsPolicies = lib.mkOption {
+    caddy = {
+      tlsPolicies = lib.mkOption {
         type = lib.types.listOf lib.types.attrs;
         description = "Caddy JSON TLS policies";
         default = [ ];
       };
-    caddy.routes = lib.mkOption {
+      routes = lib.mkOption {
         type = lib.types.listOf lib.types.attrs;
         description = "Caddy JSON routes for http servers";
         default = [ ];
       };
-    caddy.blocks = lib.mkOption {
+      blocks = lib.mkOption {
         type = lib.types.listOf lib.types.attrs;
         description = "Caddy JSON error blocks for http servers";
         default = [ ];
       };
+      cidrAllowlist = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "CIDR blocks to allow for requests";
+        default = [ ];
+      };
+    };
   };
 
-  config =
-    lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
+  config = lib.mkIf config.services.caddy.enable {
+
+    # Force Caddy to 403 if not coming from allowlisted source
+    caddy.cidrAllowlist = [ "127.0.0.1/32" ];
+    caddy.routes = [{
+      match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
+      handle = [{
+        handler = "static_response";
+        status_code = "403";
+      }];
+    }];
 
     services.caddy = {
       adapter = "''"; # Required to enable JSON
@@ -28,8 +44,9 @@
           listen = [ ":443" ];
           routes = config.caddy.routes;
           errors.routes = config.caddy.blocks;
-            # logs = { }; # Uncomment to collect access logs
+          logs = { }; # Uncomment to collect access logs
         };
+        apps.http.servers.metrics = { }; # Enables Prometheus metrics
         apps.tls.automation.policies = config.caddy.tlsPolicies;
         logging.logs.main = {
           encoder = { format = "console"; };
@@ -37,6 +54,7 @@
             output = "file";
             filename = "${config.services.caddy.logDir}/caddy.log";
             roll = true;
+            roll_size_mb = 1;
           };
           level = "INFO";
         };
@@ -47,6 +65,8 @@
     networking.firewall.allowedTCPPorts = [ 80 443 ];
     networking.firewall.allowedUDPPorts = [ 443 ];
 
+    prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
+
   };
 
 }

modules/nixos/services/calibre.nix

@@ -30,7 +30,11 @@ in {
       match = [{ host = [ config.hostnames.books ]; }];
       handle = [{
         handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:8083"; }];
+        upstreams = [{
+          dial = "localhost:${
+              builtins.toString config.services.calibre-web.listen.port
+            }";
+        }];
         headers.request.add."X-Script-Name" = [ "/calibre-web" ];
       }];
     }];

modules/nixos/services/cloudflare.nix

@@ -41,19 +41,10 @@ in {
   config = lib.mkIf config.cloudflare.enable {
 
     # Forces Caddy to error if coming from a non-Cloudflare IP
-    caddy.blocks = [{
-      match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
-      handle = [{
-        handler = "static_response";
-        abort = true;
-      }];
-    }];
+    caddy.cidrAllowlist = cloudflareIpRanges;
 
     # Tell Caddy to use Cloudflare DNS for ACME challenge validation
-    services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
-      plugins = [ "github.com/caddy-dns/cloudflare" ];
-      # vendorSha256 = "sha256-K9HPZnr+hMcK5aEd1H4gEg6PXAaNrNWFvaHYm5m62JY=";
-    });
+    services.caddy.package = pkgs.caddy-cloudflare; # Patched overlay
     caddy.tlsPolicies = [{
       issuers = [{
         module = "acme";
@@ -82,7 +73,7 @@ in {
     };
 
     # Allows Nextcloud to trust Cloudflare IPs
-    services.nextcloud.config.trustedProxies = cloudflareIpRanges;
+    services.nextcloud.extraOptions.trusted_proxies = cloudflareIpRanges;
 
   };
 }

modules/nixos/services/default.nix

@@ -3,6 +3,7 @@
   imports = [
     ./arr.nix
     ./backups.nix
+    ./bind.nix
     ./caddy.nix
     ./calibre.nix
     ./cloudflare-tunnel.nix
@@ -12,18 +13,21 @@
     ./gnupg.nix
     ./grafana.nix
     ./honeypot.nix
+    ./influxdb2.nix
     ./jellyfin.nix
     ./keybase.nix
     ./mullvad.nix
     ./n8n.nix
     ./netdata.nix
     ./nextcloud.nix
+    ./paperless.nix
     ./prometheus.nix
     ./samba.nix
     ./secrets.nix
     ./sshd.nix
     ./transmission.nix
     ./vaultwarden.nix
+    ./victoriametrics.nix
     ./wireguard.nix
   ];
 

modules/nixos/services/gitea-runner.nix

@@ -10,9 +10,9 @@
       enable = true;
       labels = [
         # Provide a Debian base with NodeJS for actions
-        "debian-latest:docker://node:18-bullseye"
+        # "debian-latest:docker://node:18-bullseye"
         # Fake the Ubuntu name, because Node provides no Ubuntu builds
-        "ubuntu-latest:docker://node:18-bullseye"
+        # "ubuntu-latest:docker://node:18-bullseye"
         # Provide native execution on the host using below packages
         "native:host"
       ];
@@ -31,6 +31,28 @@
       tokenFile = config.secrets.giteaRunnerToken.dest;
     };
 
+    # Make sure the runner doesn't start until after Gitea
+    systemd.services."gitea-runner-${config.networking.hostName}".after =
+      [ "gitea.service" ];
+
+    # API key needed to connect to Gitea
+    secrets.giteaRunnerToken = {
+      source = ../../../private/gitea-runner-token.age; # TOKEN=xyz
+      dest = "${config.secretsDirectory}/gitea-runner-token";
+    };
+    systemd.services.giteaRunnerToken-secret = {
+      requiredBy = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+      before = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+    };
+
   };
 
 }

modules/nixos/services/gitea.nix

@@ -9,6 +9,7 @@ in {
       database.type = "sqlite3";
       settings = {
         actions.ENABLED = true;
+        metrics.ENABLED = true;
         repository = {
           DEFAULT_PUSH_CREATE_PRIVATE = true;
           DISABLE_HTTP_GIT = false;
@@ -37,13 +38,36 @@ in {
     networking.firewall.allowedTCPPorts = [ 122 ];
     users.users.${config.user}.extraGroups = [ "gitea" ];
 
-    caddy.routes = [{
+    caddy.routes = [
+      {
+        match = [{
+          host = [ config.hostnames.git ];
+          path = [ "/metrics*" ];
+        }];
+        handle = [{
+          handler = "static_response";
+          status_code = "403";
+        }];
+      }
+      {
         match = [{ host = [ config.hostnames.git ]; }];
         handle = [{
           handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:3001"; }];
+          upstreams = [{
+            dial = "localhost:${
+                builtins.toString
+                config.services.gitea.settings.server.HTTP_PORT
+              }";
           }];
         }];
+      }
+    ];
+
+    prometheus.scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.gitea.settings.server.HTTP_PORT
+      }"
+    ];
 
     ## Backup config