fix pr body template for flake updates

Flake lock file updates:

• Updated input 'bypass-paywalls-clean':
    'gitlab:magnolia1234/bpc-uploads/55af5ff1f6a7f8ea7fc57253029c07de8f481c62' (2024-01-18)
  → 'gitlab:magnolia1234/bpc-uploads/245899e6b06e30ce36f26b37b8045b6c5b0ac8de' (2024-01-23)
• Updated input 'darwin':
    'github:lnl7/nix-darwin/3ac7acd32db4f7111015e8d5349ff6067df01bf6' (2024-01-21)
  → 'github:lnl7/nix-darwin/0108864c15bb68ad57d17fb2e7d3a3e025751d79' (2024-01-28)
• Updated input 'disko':
    'github:nix-community/disko/0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733' (2024-01-18)
  → 'github:nix-community/disko/f7424625dc1f2e4eceac3009cbd1203d566feebc' (2024-01-26)
• Updated input 'firefox-darwin':
    'github:bandithedoge/nixpkgs-firefox-darwin/51cc53fd6e6a1625a00565f110edc09f9ea7cfd9' (2024-01-21)
  → 'github:bandithedoge/nixpkgs-firefox-darwin/912228b33c72703badb20a309518e1e09af302c3' (2024-01-28)
• Updated input 'home-manager':
    'github:nix-community/home-manager/9b378afae72cb07471e19aefc30e8e05ef2d7a61' (2024-01-20)
  → 'github:nix-community/home-manager/b2f56952074cb46e93902ecaabfb04dd93733434' (2024-01-26)
• Updated input 'nextcloud-snappymail':
    'https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz?narHash=sha256-UeZXoZFEPJj7zEVNTXJ3IYNt/wI7VFq3Pjh1ubMHCBo%3D' (2024-01-21)
  → 'https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz?narHash=sha256-UeZXoZFEPJj7zEVNTXJ3IYNt/wI7VFq3Pjh1ubMHCBo%3D' (2024-01-28)
• Updated input 'nix2vim':
    'github:gytis-ivaskevicius/nix2vim/3836a348503ae27340c7f83f0bc7bcb907f3781d' (2023-06-05)
  → 'github:gytis-ivaskevicius/nix2vim/84584da274869fb8177e8ef2d0b9d975bbb82489' (2024-01-28)
• Updated input 'nix2vim/flake-utils':
    'github:numtide/flake-utils/a1720a10a6cfe8234c0e93907ffe81be440f4cef' (2023-05-31)
  → 'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/521fb4cdd8a2e1a00d1adf0fea7135d1faf04234' (2024-01-16)
  → 'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/bbe7d8f876fbbe7c959c90ba2ae2852220573261' (2024-01-19)
  → 'github:nixos/nixpkgs/ae5c332cbb5827f6b1f02572496b141021de335f' (2024-01-25)
• Updated input 'nur':
    'github:nix-community/nur/ff6497ef576a1d88ef7ecb7e40e3a7cd9a410b2b' (2024-01-21)
  → 'github:nix-community/nur/ab8cf147ee2254ef91e87ff7272524975fcbba3f' (2024-01-28)
• Updated input 'nvim-tree-lua-src':
    'github:kyazdani42/nvim-tree.lua/74525ac04760bf0d9fec2bf51474d2b05f36048e' (2024-01-20)
  → 'github:kyazdani42/nvim-tree.lua/7bdb220d0fe604a77361e92cdbc7af1b8a412126' (2024-01-21)
• Updated input 'nvim-treesitter-src':
    'github:nvim-treesitter/nvim-treesitter/5cc562748729b6dc9563ea5a3d676ff102ab38b1' (2024-01-20)
  → 'github:nvim-treesitter/nvim-treesitter/458ce4d16c1771fc601ec10a87820acae9981f6d' (2024-01-27)
• Updated input 'wsl':
    'github:nix-community/NixOS-WSL/bb3eeeb96ce059ae29309138874ccf58e796f4b1' (2024-01-15)
  → 'github:nix-community/NixOS-WSL/31346e340e828f79be23d9c83ec1674b152f17bc' (2024-01-24)
• Updated input 'wsl/flake-utils':
    'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
  → 'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
• Updated input 'zenyd-mpv-scripts':
    'github:zenyd/mpv-scripts/3ad7502fe2d6575b395db5568afdf830872c85d0' (2024-01-19)
  → 'github:zenyd/mpv-scripts/7100d19d18d111ce77fc9e6e8947c0d542a86397' (2024-01-26)

.github/workflows/update.yml

@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  checks: write
 
 jobs:
   lockfile:
@@ -30,9 +31,39 @@ jobs:
           pr-labels: |                  # Labels to be set on the PR
             dependencies
             automated
+          pr-body: |
+            Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+
+            ```
+            {{ env.GIT_COMMIT_MESSAGE }}
+            ```
       - name: Check the Flake
+        id: check
         run: nix flake check
+      - name: Update Check Status
+        uses: LouisBrunner/checks-action@v1.6.1
+        if: always()
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          name: Update Flake
+          conclusion: ${{ job.status }}
+          output: |
+            {"summary":"${{ steps.check.outputs.stdout }}"}
       - name: Enable Pull Request Automerge
-        run: gh pr merge --rebase --auto ${{ steps.update.outputs.pull-request-number }}
+        if: success()
+        run: |
+          gh pr merge \
+            --rebase \
+            --auto \
+            ${{ steps.update.outputs.pull-request-number }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Close Pull Request If Failed
+        if: failure()
+        run: |
+          gh pr close \
+            --comment "Auto-closing pull request" \
+            --delete-branch \
+            ${{ steps.update.outputs.pull-request-number }}
         env:
           GH_TOKEN: ${{ github.token }}

README.md

@@ -41,6 +41,30 @@ configuration may be difficult to translate to a non-Nix system.
 | ---      | ---                                         | ---                                  |
 | Keybinds | [Hammerspoon](https://www.hammerspoon.org/) | [Link](./modules/darwin/hammerspoon) |
 
+# Diagram
+
+![Diagram](https://github.com/nmasur/dotfiles/assets/7386960/ed3e7202-09c4-4a9c-9b14-0272c01647f6)
+
+- [flake.nix](./flake.nix)
+- [hosts](./hosts/)
+- [modules](./modules/)
+
+---
+
+# Unique Configurations
+
+This repo contains a few more elaborate elements of configuration.
+
+- [Neovim config](./modules/common/neovim/default.nix) generated with Nix2Vim
+and source-controlled plugins, differing based on installed LSPs, for example.
+- [Caddy JSON](./modules/nixos/services/caddy.nix) file (routes, etc.) based
+dynamically on enabled services rendered with Nix.
+- [Grafana config](./modules/nixos/services/grafana.nix) rendered with Nix.
+- Custom [secrets deployment](./modules/nixos/services/secrets.nix) similar to
+agenix.
+- Base16 [colorschemes](./colorscheme/) applied to multiple applications,
+including Firefox userChrome.
+
 ---
 
 # Installation

apps/loadkey.nix

@@ -5,6 +5,7 @@
   program = builtins.toString (pkgs.writeShellScript "loadkey" ''
     printf "\nEnter the seed phrase for your SSH key...\n"
     printf "\nThen press ^D when complete.\n\n"
+    mkdir -p ~/.ssh/
     ${pkgs.melt}/bin/melt restore ~/.ssh/id_ed25519
     printf "\n\nContinuing activation.\n\n"
   '');

docs/installation.md

@@ -49,19 +49,24 @@ move the `windows/alacritty.yml` file to
 To get started on a bare macOS installation, first install Nix:
 
 ```bash
-sh -c "$(curl -L https://nixos.org/nix/install)"
+curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
 ```
 
-Then use Nix to build nix-darwin:
+Launch a new shell. Then use Nix to switch to the macOS configuration:
 
 ```bash
-nix-build https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A installer
-./result/bin/darwin-installer
+sudo rm /etc/bashrc
+sudo rm /etc/nix/nix.conf
+nix \
+    --extra-experimental-features flakes \
+    --extra-experimental-features nix-command \
+    run nix-darwin -- switch \
+    --flake github:nmasur/dotfiles#lookingglass
 ```
 
-Then switch to the macOS configuration:
+Once installed, you can continue to update the macOS configuration:
 
 ```bash
-darwin-rebuild switch --flake github:nmasur/dotfiles#lookingglass
+darwin-rebuild switch --flake ~/dev/personal/dotfiles
 ```
 

flake.lock

@@ -17,14 +17,31 @@
         "type": "github"
       }
     },
+    "age": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1672087018,
+        "narHash": "sha256-LRxxJQLQkzoCNYGS/XBixVmYXoZ1mPHKvFicPGXYLcw=",
+        "owner": "FiloSottile",
+        "repo": "age",
+        "rev": "c6dcfa1efcaa27879762a934d5bea0d1b83a894c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "FiloSottile",
+        "ref": "v1.1.1",
+        "repo": "age",
+        "type": "github"
+      }
+    },
     "baleia-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1681806450,
-        "narHash": "sha256-jxRlIzWbnSj89032msc5w+2TVt7zVyzlxdXxiH1dQqY=",
+        "lastModified": 1704551058,
+        "narHash": "sha256-0NmiGzMFvL1awYOVtiaSd+O4sAR524x68xwWLgArlqs=",
         "owner": "m00qek",
         "repo": "baleia.nvim",
-        "rev": "00bb4af31c8c3865b735d40ebefa6c3f07b2dd16",
+        "rev": "6d9cbdaca3a428bc7296f838fdfce3ad01ee7495",
         "type": "github"
       },
       "original": {
@@ -36,28 +53,44 @@
     "bufferline-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1687763763,
-        "narHash": "sha256-wbOeylzjjScQXkrDbBU2HtrOZrp2YUK+wQ2aOkgxmRQ=",
+        "lastModified": 1695205521,
+        "narHash": "sha256-MQMpXMgUpZA0E9TunzjXeOQxDWSCTogXbvi9VJnv4Kw=",
         "owner": "akinsho",
         "repo": "bufferline.nvim",
-        "rev": "bf2f6b7edd0abf6b0732f5e5c0a8f30e51611c75",
+        "rev": "6ecd37e0fa8b156099daedd2191130e083fb1490",
         "type": "github"
       },
       "original": {
         "owner": "akinsho",
-        "ref": "v4.2.0",
+        "ref": "v4.4.0",
         "repo": "bufferline.nvim",
         "type": "github"
       }
     },
+    "bypass-paywalls-clean": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1706005203,
+        "narHash": "sha256-9vku2FK5dXAnb2R/YHTKIHgc+Ckqza1qAH0kOw0Uryg=",
+        "owner": "magnolia1234",
+        "repo": "bpc-uploads",
+        "rev": "245899e6b06e30ce36f26b37b8045b6c5b0ac8de",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "magnolia1234",
+        "repo": "bpc-uploads",
+        "type": "gitlab"
+      }
+    },
     "cmp-nvim-lsp-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1687494203,
-        "narHash": "sha256-mU0soCz79erJXMMqD/FyrJZ0mu2n6fE0deymPzQlxts=",
+        "lastModified": 1702205473,
+        "narHash": "sha256-/0sh9vJBD9pUuD7q3tNSQ1YLvxFMNykdg5eG+LjZAA8=",
         "owner": "hrsh7th",
         "repo": "cmp-nvim-lsp",
-        "rev": "44b16d11215dce86f253ce0c30949813c0a90765",
+        "rev": "5af77f54de1b16c34b23cba810150689a3a90312",
         "type": "github"
       },
       "original": {
@@ -73,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1691275315,
-        "narHash": "sha256-9WN0IA0vNZSNxKHpy/bYvPnCw4VH/nr5iBv7c+7KUts=",
+        "lastModified": 1706405065,
+        "narHash": "sha256-femlVBNWgr9a6HfBUzhBF/9S8VBlaHDKcEm8B89O+zc=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "829041cf10c4f6751a53c0a11ca2fd22ff0918d6",
+        "rev": "0108864c15bb68ad57d17fb2e7d3a3e025751d79",
         "type": "github"
       },
       "original": {
@@ -94,11 +127,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690739034,
-        "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=",
+        "lastModified": 1706302763,
+        "narHash": "sha256-Le1wk75qlzOSfzDk8vqYxSdoEyr/ORIbMhziltVNGYw=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "4015740375676402a2ee6adebc3c30ea625b9a94",
+        "rev": "f7424625dc1f2e4eceac3009cbd1203d566feebc",
         "type": "github"
       },
       "original": {
@@ -107,6 +140,23 @@
         "type": "github"
       }
     },
+    "fidget-nvim-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1702031048,
+        "narHash": "sha256-wbjQuOFd/2339TIrUA97PYsV8N3PZsS+xbyMsyZmki8=",
+        "owner": "j-hui",
+        "repo": "fidget.nvim",
+        "rev": "300018af4abd00610a345e382ca1f4b7ba420f77",
+        "type": "github"
+      },
+      "original": {
+        "owner": "j-hui",
+        "ref": "v1.1.0",
+        "repo": "fidget.nvim",
+        "type": "github"
+      }
+    },
     "firefox-darwin": {
       "inputs": {
         "nixpkgs": [
@@ -114,11 +164,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1691196340,
-        "narHash": "sha256-b1haFWCbFJkiUkeTQCkNjr8hFq/8JlMPaQwNpGlcvxI=",
+        "lastModified": 1706402627,
+        "narHash": "sha256-lq2g41A527U2qJ1A9socjFPBOJ1/PM+Mftj3t7D/lhM=",
         "owner": "bandithedoge",
         "repo": "nixpkgs-firefox-darwin",
-        "rev": "6081c33185dba05da784d9f2a392861af025bf1a",
+        "rev": "912228b33c72703badb20a309518e1e09af302c3",
         "type": "github"
       },
       "original": {
@@ -130,11 +180,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -144,12 +194,15 @@
       }
     },
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1687709756,
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
         "type": "github"
       },
       "original": {
@@ -160,14 +213,14 @@
     },
     "flake-utils_2": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1685518550,
-        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
         "type": "github"
       },
       "original": {
@@ -178,14 +231,14 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1689068808,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
         "type": "github"
       },
       "original": {
@@ -197,11 +250,11 @@
     "hmts-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1691223193,
-        "narHash": "sha256-Zsl4s3e4upWiU2mXKqiQcUGxslPzzebKKXfzaHiNq48=",
+        "lastModified": 1693226725,
+        "narHash": "sha256-jUuztOqNBltC3axa7s3CPJz9Cmukfwkf846+Z/gAxCU=",
         "owner": "calops",
         "repo": "hmts.nvim",
-        "rev": "1d40963804925754672940d07ddb250d19efec2e",
+        "rev": "14fd941d7ec2bb98314a1aacaa2573d97f1629ab",
         "type": "github"
       },
       "original": {
@@ -217,11 +270,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1691225770,
-        "narHash": "sha256-O5slH8nW8msTAqVAS5rkvdHSkjmrO+JauuSDzZCmv2M=",
+        "lastModified": 1706306660,
+        "narHash": "sha256-lZvgkHtVeduGByPb0Tz9LpAi4olfkEm8XPgv0o7GRsk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0a014a729cdd54d9919ff36b714d047909d7a4c8",
+        "rev": "b2f56952074cb46e93902ecaabfb04dd93733434",
         "type": "github"
       },
       "original": {
@@ -234,37 +287,53 @@
     "nextcloud-cookbook": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-XgBwUr26qW6wvqhrnhhhhcN4wkI+eXDHnNSm1HDbP6M=",
+        "lastModified": 1702545935,
+        "narHash": "sha256-19LN1nYJJ0RMWj6DrYPvHzocTyhMfYdpdhBFch3fpHE=",
         "type": "tarball",
-        "url": "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz"
+        "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz"
+        "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz"
       }
     },
     "nextcloud-external": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-gY1nxqK/pHfoxW/9mE7DFtNawgdEV7a4OXpscWY14yk=",
+        "lastModified": 1699624334,
+        "narHash": "sha256-RCL2RP5twRDLxI/KfAX6QLYQOzqZmSWsfrC5ZQIwTD4=",
         "type": "tarball",
-        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz"
+        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz"
+        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz"
       }
     },
     "nextcloud-news": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-hhXPEITSbCiFs0o+TOsQnSasXBpjU9mA/OFsbzuaCPw=",
+        "lastModified": 1703426420,
+        "narHash": "sha256-AENBJH/bEob5JQvw4WEi864mdLYJ5Mqe78HJH6ceCpI=",
         "type": "tarball",
-        "url": "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz"
+        "url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz"
+        "url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz"
+      }
+    },
+    "nextcloud-snappymail": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1706414864,
+        "narHash": "sha256-UeZXoZFEPJj7zEVNTXJ3IYNt/wI7VFq3Pjh1ubMHCBo=",
+        "type": "tarball",
+        "url": "https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz"
       }
     },
     "nil": {
@@ -276,16 +345,16 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1680544266,
-        "narHash": "sha256-d/TusDXmIo8IT5DNRA21lN+nOVSER8atIx9TJteR6LQ=",
+        "lastModified": 1691372739,
+        "narHash": "sha256-fZ8KfBMcIFO/R7xaWtB85SFeuUjb9SCH8fxYBnY8068=",
         "owner": "oxalica",
         "repo": "nil",
-        "rev": "56a1fa87b98a9508920f4b0ab8fe36d5b54b2362",
+        "rev": "97abe7d3d48721d4e0fcc1876eea83bb4247825b",
         "type": "github"
       },
       "original": {
         "owner": "oxalica",
-        "ref": "2023-04-03",
+        "ref": "2023-08-09",
         "repo": "nil",
         "type": "github"
       }
@@ -298,11 +367,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1685980282,
-        "narHash": "sha256-uQyVaoqkiocA8bXKMfrgizuKmz0hUzHye5owFoUd2AQ=",
+        "lastModified": 1706407735,
+        "narHash": "sha256-Q5Lv4FlKVmMXd91ujh6FUxCsoAU2Q8KPU+ipTZPkTjE=",
         "owner": "gytis-ivaskevicius",
         "repo": "nix2vim",
-        "rev": "3836a348503ae27340c7f83f0bc7bcb907f3781d",
+        "rev": "84584da274869fb8177e8ef2d0b9d975bbb82489",
         "type": "github"
       },
       "original": {
@@ -313,11 +382,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1689469483,
-        "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
+        "lastModified": 1693701915,
+        "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
+        "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
         "type": "github"
       },
       "original": {
@@ -334,11 +403,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690133435,
-        "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
+        "lastModified": 1706085261,
+        "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
+        "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132",
         "type": "github"
       },
       "original": {
@@ -349,11 +418,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1691186842,
-        "narHash": "sha256-wxBVCvZUwq+XS4N4t9NqsHV4E64cPVqQ2fdDISpjcw0=",
+        "lastModified": 1706191920,
+        "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "18036c0be90f4e308ae3ebcab0e14aae0336fe42",
+        "rev": "ae5c332cbb5827f6b1f02572496b141021de335f",
         "type": "github"
       },
       "original": {
@@ -363,30 +432,14 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1690470004,
-        "narHash": "sha256-l57RmPhPz9r1LGDg/0v8bYgJO8R+GGTQZtkIxE7negU=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "9462344318b376e157c94fa60c20a25b913b2381",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "null-ls-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1688652536,
-        "narHash": "sha256-6KJtj9pbvBm6fOVpnyzO2fEVC+cVrw2XtZHOgq9ieIw=",
+        "lastModified": 1691810493,
+        "narHash": "sha256-cWA0rzkOp/ekVKaFee7iea1lhnqKtWUIU+fW5M950wI=",
         "owner": "jose-elias-alvarez",
         "repo": "null-ls.nvim",
-        "rev": "db09b6c691def0038c456551e4e2772186449f35",
+        "rev": "0010ea927ab7c09ef0ce9bf28c2b573fc302f5a7",
         "type": "github"
       },
       "original": {
@@ -397,11 +450,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1691289987,
-        "narHash": "sha256-sbbDlVzxlP+bBTdhyyzJ6C0APUNU/sChuLmNU9ehkmg=",
+        "lastModified": 1706405996,
+        "narHash": "sha256-hJbt3cTW0ma3k/kZ51F/T9MijyJxR1S3ZIeQHL2JPYw=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "cf2f5d8ad452795e5aca290c95eedc829d3da7ec",
+        "rev": "ab8cf147ee2254ef91e87ff7272524975fcbba3f",
         "type": "github"
       },
       "original": {
@@ -430,11 +483,11 @@
     "nvim-tree-lua-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1691292370,
-        "narHash": "sha256-YQRirmp8QerxwF9qdrSrUKJZiVrBb6ZWpUTfM8H7fl4=",
+        "lastModified": 1705818283,
+        "narHash": "sha256-EKAzWIT2Qs65Il1pwgpkFsCogFViapUiSHcZgVy+QsY=",
         "owner": "kyazdani42",
         "repo": "nvim-tree.lua",
-        "rev": "904f95cd9db31d1800998fa428e78e418a50181d",
+        "rev": "7bdb220d0fe604a77361e92cdbc7af1b8a412126",
         "type": "github"
       },
       "original": {
@@ -446,34 +499,51 @@
     "nvim-treesitter-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1681121236,
-        "narHash": "sha256-iPsPDLhVKJ14iP1/2cCgcY9SCKK/DQz9Y0mQB1DqNiM=",
+        "lastModified": 1706392286,
+        "narHash": "sha256-JWGTIuhyTUok4QsML63eUragDoqKkyk5tBuv25lmbg8=",
         "owner": "nvim-treesitter",
         "repo": "nvim-treesitter",
-        "rev": "cc360a9beb1b30d172438f640e2c3450358c4086",
+        "rev": "458ce4d16c1771fc601ec10a87820acae9981f6d",
         "type": "github"
       },
       "original": {
         "owner": "nvim-treesitter",
-        "ref": "v0.9.0",
+        "ref": "master",
         "repo": "nvim-treesitter",
         "type": "github"
       }
     },
+    "proton-ge": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1700610476,
+        "narHash": "sha256-IoClZ6hl2lsz9OGfFgnz7vEAGlSY2+1K2lDEEsJQOfU=",
+        "type": "tarball",
+        "url": "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-25/GE-Proton8-25.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-25/GE-Proton8-25.tar.gz"
+      }
+    },
     "root": {
       "inputs": {
         "Comment-nvim-src": "Comment-nvim-src",
+        "age": "age",
         "baleia-nvim-src": "baleia-nvim-src",
         "bufferline-nvim-src": "bufferline-nvim-src",
+        "bypass-paywalls-clean": "bypass-paywalls-clean",
         "cmp-nvim-lsp-src": "cmp-nvim-lsp-src",
         "darwin": "darwin",
         "disko": "disko",
+        "fidget-nvim-src": "fidget-nvim-src",
         "firefox-darwin": "firefox-darwin",
         "hmts-nvim-src": "hmts-nvim-src",
         "home-manager": "home-manager",
         "nextcloud-cookbook": "nextcloud-cookbook",
         "nextcloud-external": "nextcloud-external",
         "nextcloud-news": "nextcloud-news",
+        "nextcloud-snappymail": "nextcloud-snappymail",
         "nil": "nil",
         "nix2vim": "nix2vim",
         "nixos-generators": "nixos-generators",
@@ -483,15 +553,16 @@
         "nvim-lspconfig-src": "nvim-lspconfig-src",
         "nvim-tree-lua-src": "nvim-tree-lua-src",
         "nvim-treesitter-src": "nvim-treesitter-src",
+        "proton-ge": "proton-ge",
         "telescope-nvim-src": "telescope-nvim-src",
         "telescope-project-nvim-src": "telescope-project-nvim-src",
         "toggleterm-nvim-src": "toggleterm-nvim-src",
         "tree-sitter-bash": "tree-sitter-bash",
         "tree-sitter-ini": "tree-sitter-ini",
+        "tree-sitter-lua": "tree-sitter-lua",
         "tree-sitter-puppet": "tree-sitter-puppet",
         "tree-sitter-python": "tree-sitter-python",
         "tree-sitter-rasi": "tree-sitter-rasi",
-        "vscode-terraform-snippets": "vscode-terraform-snippets",
         "wallpapers": "wallpapers",
         "wsl": "wsl",
         "zenyd-mpv-scripts": "zenyd-mpv-scripts"
@@ -509,11 +580,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1680488274,
-        "narHash": "sha256-0vYMrZDdokVmPQQXtFpnqA2wEgCCUXf5a3dDuDVshn0=",
+        "lastModified": 1688783586,
+        "narHash": "sha256-HHaM2hk2azslv1kH8zmQxXo2e7i5cKgzNIuK4yftzB0=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "7ec2ff598a172c6e8584457167575b3a1a5d80d8",
+        "rev": "7a29283cc242c2486fc67f60b431ef708046d176",
         "type": "github"
       },
       "original": {
@@ -552,19 +623,34 @@
         "type": "github"
       }
     },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "telescope-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1686302912,
-        "narHash": "sha256-fV3LLRwAPykVGc4ImOnUSP+WTrPp9Ad9OTfBJ6wqTMk=",
+        "lastModified": 1697004956,
+        "narHash": "sha256-7SqYFnfCjotOBhuX6Wx1IOhgMKoxaoI1a4SKz1d5RVM=",
         "owner": "nvim-telescope",
         "repo": "telescope.nvim",
-        "rev": "776b509f80dd49d8205b9b0d94485568236d1192",
+        "rev": "7011eaae0ac1afe036e30c95cf80200b8dc3f21a",
         "type": "github"
       },
       "original": {
         "owner": "nvim-telescope",
-        "ref": "0.1.2",
+        "ref": "0.1.4",
         "repo": "telescope.nvim",
         "type": "github"
       }
@@ -572,11 +658,11 @@
     "telescope-project-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1682606566,
-        "narHash": "sha256-H6lrPjpOUVleKHB0ziI+6dthg9ymitHhEWtcgYJTrKo=",
+        "lastModified": 1701464478,
+        "narHash": "sha256-touMCltcnqkrQYV1NtNeWLQeFVGt+WM3aIWIdKilA7w=",
         "owner": "nvim-telescope",
         "repo": "telescope-project.nvim",
-        "rev": "7c64b181dd4e72deddcf6f319e3bf1e95b2a2f30",
+        "rev": "1aaf16580a614601a7f7077d9639aeb457dc5559",
         "type": "github"
       },
       "original": {
@@ -588,16 +674,16 @@
     "toggleterm-nvim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1685434104,
-        "narHash": "sha256-oiCnBrvft6XxiQtQH8E4F842xhh348SaTpHzaeb+iDY=",
+        "lastModified": 1695636777,
+        "narHash": "sha256-o8xzoo7OuYrPnKlfrupQ24Ja9hZy1qQVnvwO0FO+4zM=",
         "owner": "akinsho",
         "repo": "toggleterm.nvim",
-        "rev": "95204ece0f2a54c89c4395295432f9aeedca7b5f",
+        "rev": "faee9d60428afc7857e0927fdc18daa6c409fa64",
         "type": "github"
       },
       "original": {
         "owner": "akinsho",
-        "ref": "v2.7.0",
+        "ref": "v2.8.0",
         "repo": "toggleterm.nvim",
         "type": "github"
       }
@@ -605,28 +691,28 @@
     "tree-sitter-bash": {
       "flake": false,
       "locked": {
-        "lastModified": 1688032601,
-        "narHash": "sha256-gl5F3IeZa2VqyH/qFj8ey2pRbGq4X8DL5wiyvRrH56U=",
+        "lastModified": 1705686017,
+        "narHash": "sha256-+Mpks0FyQLl26TX63J6WhaAl/QDUR1k9wSUY5SFwL+w=",
         "owner": "tree-sitter",
         "repo": "tree-sitter-bash",
-        "rev": "493646764e7ad61ce63ce3b8c59ebeb37f71b841",
+        "rev": "f7239f638d3dc16762563a9027faeee518ce1bd9",
         "type": "github"
       },
       "original": {
         "owner": "tree-sitter",
+        "ref": "master",
         "repo": "tree-sitter-bash",
-        "rev": "493646764e7ad61ce63ce3b8c59ebeb37f71b841",
         "type": "github"
       }
     },
     "tree-sitter-ini": {
       "flake": false,
       "locked": {
-        "lastModified": 1690815608,
-        "narHash": "sha256-IIpKzpA4q1jpYVZ75VZaxWHaqNt8TA427eMOui2s71M=",
+        "lastModified": 1699877527,
+        "narHash": "sha256-dYPeVTNWO4apY5dsjsKViavU7YtLeGTp6BzEemXhsEU=",
         "owner": "justinmk",
         "repo": "tree-sitter-ini",
-        "rev": "7f11a02fb8891482068e0fe419965d7bade81a68",
+        "rev": "bcb84a2d4bcd6f55b911c42deade75c8f90cb0c5",
         "type": "github"
       },
       "original": {
@@ -635,6 +721,23 @@
         "type": "github"
       }
     },
+    "tree-sitter-lua": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1694072484,
+        "narHash": "sha256-5t5w8KqbefInNbA12/jpNzmky/uOUhsLjKdEqpl1GEc=",
+        "owner": "MunifTanjim",
+        "repo": "tree-sitter-lua",
+        "rev": "9668709211b2e683f27f414454a8b51bf0a6bda1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "MunifTanjim",
+        "ref": "main",
+        "repo": "tree-sitter-lua",
+        "type": "github"
+      }
+    },
     "tree-sitter-puppet": {
       "flake": false,
       "locked": {
@@ -654,17 +757,17 @@
     "tree-sitter-python": {
       "flake": false,
       "locked": {
-        "lastModified": 1690493803,
-        "narHash": "sha256-2btd/NRE6NuGNlx4cq535OrwtWXihiP3VMCJjPCiDOk=",
+        "lastModified": 1700218345,
+        "narHash": "sha256-hXNxa895SyNOG7PH2vAIkWbcMjZDjWYDsCafBZuvnT0=",
         "owner": "tree-sitter",
         "repo": "tree-sitter-python",
-        "rev": "5af00f64af6bbf822f208243cce5cf75396fb6f5",
+        "rev": "4bfdd9033a2225cc95032ce77066b7aeca9e2efc",
         "type": "github"
       },
       "original": {
         "owner": "tree-sitter",
+        "ref": "master",
         "repo": "tree-sitter-python",
-        "rev": "5af00f64af6bbf822f208243cce5cf75396fb6f5",
         "type": "github"
       }
     },
@@ -684,22 +787,6 @@
         "type": "github"
       }
     },
-    "vscode-terraform-snippets": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1614849738,
-        "narHash": "sha256-v392tyzXV+zyBNt5OCB2NBCK7JcByrTa5Ne/nFtSCJI=",
-        "owner": "run-at-scale",
-        "repo": "vscode-terraform-doc-snippets",
-        "rev": "6ab3e44b566e660f38922cf908e6e547eaa5d4b4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "run-at-scale",
-        "repo": "vscode-terraform-doc-snippets",
-        "type": "github"
-      }
-    },
     "wallpapers": {
       "flake": false,
       "locked": {
@@ -720,14 +807,16 @@
       "inputs": {
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1690553050,
-        "narHash": "sha256-pK3kF30OykL3v6P8UP6ipihlS34KoGq9SryCj3tHrFw=",
+        "lastModified": 1706071294,
+        "narHash": "sha256-mpt86O5GQxKQoIg4nzKz810PeXjGSEFb4rW+shXbRco=",
         "owner": "nix-community",
         "repo": "NixOS-WSL",
-        "rev": "f7a95a37306c46b42e9ce751977c44c752fd5eca",
+        "rev": "31346e340e828f79be23d9c83ec1674b152f17bc",
         "type": "github"
       },
       "original": {
@@ -739,11 +828,11 @@
     "zenyd-mpv-scripts": {
       "flake": false,
       "locked": {
-        "lastModified": 1650625438,
-        "narHash": "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=",
+        "lastModified": 1706283438,
+        "narHash": "sha256-hpLZDtt5q18aZ8d9LHfT852wtBosKUTJ7Bx+cbjBLcg=",
         "owner": "zenyd",
         "repo": "mpv-scripts",
-        "rev": "19ea069abcb794d1bf8fac2f59b50d71ab992130",
+        "rev": "7100d19d18d111ce77fc9e6e8947c0d542a86397",
         "type": "github"
       },
       "original": {

flake.nix

@@ -9,12 +9,15 @@
 
     # Used for MacOS system config
     darwin = {
-      url = "github:/lnl7/nix-darwin/master";
+      url = "github:lnl7/nix-darwin/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
     # Used for Windows Subsystem for Linux compatibility
-    wsl.url = "github:nix-community/NixOS-WSL";
+    wsl = {
+      url = "github:nix-community/NixOS-WSL";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     # Used for user packages and dotfiles
     home-manager = {
@@ -58,12 +61,13 @@
 
     # Nix language server
     nil = {
-      url = "github:oxalica/nil/2023-04-03";
+      url = "github:oxalica/nil/2023-08-09";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
     # Neovim plugins
     nvim-lspconfig-src = {
+      # https://github.com/neovim/nvim-lspconfig/tags
       url = "github:neovim/nvim-lspconfig/v0.1.6";
       flake = false;
     };
@@ -76,6 +80,7 @@
       flake = false;
     };
     baleia-nvim-src = {
+      # https://github.com/m00qek/baleia.nvim/tags
       url = "github:m00qek/baleia.nvim";
       flake = false;
     };
@@ -84,11 +89,12 @@
       flake = false;
     };
     nvim-treesitter-src = {
-      url = "github:nvim-treesitter/nvim-treesitter/v0.9.0";
+      # https://github.com/nvim-treesitter/nvim-treesitter/tags
+      url = "github:nvim-treesitter/nvim-treesitter/master";
       flake = false;
     };
     telescope-nvim-src = {
-      url = "github:nvim-telescope/telescope.nvim/0.1.2";
+      url = "github:nvim-telescope/telescope.nvim/0.1.4";
       flake = false;
     };
     telescope-project-nvim-src = {
@@ -96,39 +102,38 @@
       flake = false;
     };
     toggleterm-nvim-src = {
-      url = "github:akinsho/toggleterm.nvim/v2.7.0";
+      url = "github:akinsho/toggleterm.nvim/v2.8.0";
       flake = false;
     };
     bufferline-nvim-src = {
-      url = "github:akinsho/bufferline.nvim/v4.2.0";
+      url = "github:akinsho/bufferline.nvim/v4.4.0";
       flake = false;
     };
     nvim-tree-lua-src = {
       url = "github:kyazdani42/nvim-tree.lua";
       flake = false;
     };
-    vscode-terraform-snippets = {
-      url = "github:run-at-scale/vscode-terraform-doc-snippets";
-      flake = false;
-    };
     hmts-nvim-src = {
       url = "github:calops/hmts.nvim";
       flake = false;
     };
+    fidget-nvim-src = {
+      # https://github.com/j-hui/fidget.nvim/tags
+      url = "github:j-hui/fidget.nvim/v1.1.0";
+      flake = false;
+    };
 
     # Tree-Sitter Grammars
     tree-sitter-bash = {
-      # Fix: bash highlighting doesn't work as of this commit:
-      # https://github.com/NixOS/nixpkgs/commit/49cce41b7c5f6b88570a482355d9655ca19c1029
-      url =
-        "github:tree-sitter/tree-sitter-bash/493646764e7ad61ce63ce3b8c59ebeb37f71b841";
+      url = "github:tree-sitter/tree-sitter-bash/master";
       flake = false;
     };
     tree-sitter-python = {
-      # Fix: invalid node in position. Broken as of this commit (replaced with newer):
-      # https://github.com/NixOS/nixpkgs/commit/8ec3627796ecc899e6f47f5bf3c3220856ead9c5
-      url =
-        "github:tree-sitter/tree-sitter-python/5af00f64af6bbf822f208243cce5cf75396fb6f5";
+      url = "github:tree-sitter/tree-sitter-python/master";
+      flake = false;
+    };
+    tree-sitter-lua = {
+      url = "github:MunifTanjim/tree-sitter-lua/main";
       flake = false;
     };
     tree-sitter-ini = {
@@ -150,20 +155,51 @@
       flake = false;
     };
 
+    # Age encryption (pin because of failed builds)
+    age = {
+      url = "github:FiloSottile/age/v1.1.1";
+      flake = false;
+    };
+
+    # GE version of Proton for game compatibility
+    # Alternatively, could consider using https://github.com/fufexan/nix-gaming
+    proton-ge = {
+      # https://github.com/GloriousEggroll/proton-ge-custom/releases
+      url =
+        "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-25/GE-Proton8-25.tar.gz";
+      flake = false;
+    };
+
+    # Firefox addon from outside the extension store
+    bypass-paywalls-clean = {
+      # https://gitlab.com/magnolia1234/bpc-uploads/-/commits/master/?ref_type=HEADS
+      url = "gitlab:magnolia1234/bpc-uploads";
+      flake = false;
+    };
+
     # Nextcloud Apps
     nextcloud-news = {
+      # https://github.com/nextcloud/news/releases
       url =
-        "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz";
+        "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz";
       flake = false;
     };
     nextcloud-external = {
+      # https://github.com/nextcloud-releases/external/releases
       url =
-        "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz";
+        "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
       flake = false;
     };
     nextcloud-cookbook = {
+      # https://github.com/christianlupus-nextcloud/cookbook-releases/releases/
       url =
-        "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz";
+        "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz";
+      flake = false;
+    };
+    nextcloud-snappymail = {
+      # https://github.com/the-djmaze/snappymail/releases
+      url =
+        "https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz";
       flake = false;
     };
 
@@ -186,8 +222,10 @@
         dotfilesRepo = "https://github.com/nmasur/dotfiles";
         hostnames = {
           git = "git.${baseName}";
+          influxdb = "influxdb.${baseName}";
           metrics = "metrics.${baseName}";
           prometheus = "prom.${baseName}";
+          paperless = "paper.${baseName}";
           secrets = "vault.${baseName}";
           stream = "stream.${baseName}";
           content = "cloud.${baseName}";
@@ -208,6 +246,11 @@
         (import ./overlays/mpv-scripts.nix inputs)
         (import ./overlays/nextcloud-apps.nix inputs)
         (import ./overlays/betterlockscreen.nix)
+        (import ./overlays/age.nix inputs)
+        (import ./overlays/proton-ge.nix inputs)
+        (import ./overlays/gh-collaborators.nix)
+        (import ./overlays/bypass-paywalls-clean.nix inputs)
+        (import ./overlays/terraform.nix)
       ];
 
       # System types to support.

hosts/README.md

@@ -12,3 +12,15 @@ These are the individual machines managed by this flake.
 | [swan](./swan/default.nix)                 | Home server         |
 | [tempest](./tempest/default.nix)           | Linux desktop       |
 
+## NixOS Workflow
+
+Each hosts file is imported into [nixosConfigurations](../flake.nix) and passed
+the arguments from the flake (inputs, globals, overlays). The `nixosSystem`
+function in that hosts file will be called by the NixOS module system during a
+nixos-rebuild.
+
+Each module in the each host's `modules` list is either a function or an
+attrset. The attrsets will simply apply values to options that have been
+declared in the config by other modules. Meanwhile, the functions will be
+passed various arguments, several of which you will see listed at the top of
+each of their files.

hosts/flame/default.nix

@@ -1,6 +1,8 @@
 # The Flame
 # System configuration for an Oracle free server
 
+# See [readme](../README.md) to explain how this file works.
+
 # How to install:
 # https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
 # These days, probably use nixos-anywhere instead.
@@ -50,6 +52,7 @@ inputs.nixpkgs.lib.nixosSystem {
       theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
       # Programs and services
+      atuin.enable = true;
       cloudflare.enable = true; # Proxy traffic with Cloudflare
       dotfiles.enable = true; # Clone dotfiles
       neovim.enable = true;
@@ -58,6 +61,7 @@ inputs.nixpkgs.lib.nixosSystem {
       services.grafana.enable = true;
       services.openssh.enable = true;
       services.victoriametrics.enable = true;
+      services.influxdb2.enable = true;
       services.gitea.enable = true;
       services.vaultwarden.enable = true;
       services.minecraft-server.enable = true; # Setup Minecraft server

hosts/hydra/default.nix

@@ -1,6 +1,8 @@
 # The Hydra
 # System configuration for WSL
 
+# See [readme](../README.md) to explain how this file works.
+
 { inputs, globals, overlays, ... }:
 
 inputs.nixpkgs.lib.nixosSystem {

hosts/lookingglass/default.nix

@@ -4,7 +4,7 @@
 { inputs, globals, overlays, ... }:
 
 inputs.darwin.lib.darwinSystem {
-  system = "x86_64-darwin";
+  system = "aarch64-darwin";
   specialArgs = { };
   modules = [
     ../../modules/common
@@ -25,6 +25,7 @@ inputs.darwin.lib.darwinSystem {
         dark = true;
       };
       mail.user = globals.user;
+      atuin.enable = true;
       charm.enable = true;
       neovim.enable = true;
       mail.enable = true;
@@ -37,7 +38,9 @@ inputs.darwin.lib.darwinSystem {
       nixlang.enable = true;
       terraform.enable = true;
       python.enable = true;
+      rust.enable = true;
       lua.enable = true;
+      obsidian.enable = true;
       kubernetes.enable = true;
       _1password.enable = true;
       slack.enable = true;

hosts/swan/default.nix

@@ -1,6 +1,8 @@
 # The Swan
 # System configuration for my home NAS server
 
+# See [readme](../README.md) to explain how this file works.
+
 { inputs, globals, overlays, ... }:
 
 inputs.nixpkgs.lib.nixosSystem {
@@ -66,6 +68,7 @@ inputs.nixpkgs.lib.nixosSystem {
       theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
       # Programs and services
+      atuin.enable = true;
       neovim.enable = true;
       cloudflare.enable = true;
       dotfiles.enable = true;
@@ -79,6 +82,8 @@ inputs.nixpkgs.lib.nixosSystem {
       services.prometheus.enable = false;
       services.vmagent.enable = true;
       services.samba.enable = true;
+      services.paperless.enable = true;
+      services.postgresql.enable = true;
 
       # Allows private remote access over the internet
       cloudflareTunnel = {

hosts/tempest/default.nix

@@ -1,6 +1,8 @@
 # The Tempest
 # System configuration for my desktop
 
+# See [readme](../README.md) to explain how this file works.
+
 { inputs, globals, overlays, ... }:
 
 inputs.nixpkgs.lib.nixosSystem {
@@ -83,6 +85,7 @@ inputs.nixpkgs.lib.nixosSystem {
       gtk.theme.name = inputs.nixpkgs.lib.mkDefault "Adwaita-dark";
 
       # Programs and services
+      atuin.enable = true;
       charm.enable = true;
       neovim.enable = true;
       media.enable = true;
@@ -99,6 +102,7 @@ inputs.nixpkgs.lib.nixosSystem {
       keybase.enable = true;
       mullvad.enable = false;
       nixlang.enable = true;
+      rust.enable = true;
       yt-dlp.enable = true;
       gaming = {
         dwarf-fortress.enable = true;

modules/common/applications/1password.nix

@@ -9,12 +9,22 @@
     };
   };
 
-  config = lib.mkIf
-    (config.gui.enable && config._1password.enable && pkgs.stdenv.isLinux) {
-      unfreePackages = [ "1password" "_1password-gui" ];
+  config = lib.mkIf (config.gui.enable && config._1password.enable) {
+    unfreePackages = [ "1password" "_1password-gui" "1password-cli" ];
     home-manager.users.${config.user} = {
       home.packages = with pkgs; [ _1password-gui ];
     };
+
+    # https://1password.community/discussion/135462/firefox-extension-does-not-connect-to-linux-app
+    # On Mac, does not apply: https://1password.community/discussion/142794/app-and-browser-integration
+    # However, the button doesn't work either:
+    # https://1password.community/discussion/140735/extending-support-for-trusted-web-browsers
+    environment.etc."1password/custom_allowed_browsers".text = ''
+      ${
+        config.home-manager.users.${config.user}.programs.firefox.package
+      }/Applications/Firefox.app/Contents/MacOS/firefox
+      firefox
+    '';
   };
 
 }

modules/common/applications/firefox.nix

@@ -16,6 +16,7 @@
     unfreePackages = [
       (lib.mkIf config._1password.enable "onepassword-password-manager")
       "okta-browser-plugin"
+      "wappalyzer"
     ];
 
     home-manager.users.${config.user} = {
@@ -28,21 +29,23 @@
           id = 0;
           name = "default";
           isDefault = true;
+          # https://nur.nix-community.org/repos/rycee/
           extensions = with pkgs.nur.repos.rycee.firefox-addons; [
-            ublock-origin
-            vimium
-            multi-account-containers
-            facebook-container
             (lib.mkIf config._1password.enable onepassword-password-manager)
+            pkgs.bypass-paywalls-clean
+            darkreader
+            don-t-fuck-with-paste
+            facebook-container
+            markdownload
+            multi-account-containers
             okta-browser-plugin
-            sponsorblock
             reddit-enhancement-suite
             return-youtube-dislikes
-            markdownload
-            darkreader
             snowflake
-            don-t-fuck-with-paste
-            i-dont-care-about-cookies
+            sponsorblock
+            ublock-origin
+            ublacklist
+            vimium
             wappalyzer
           ];
           settings = {
@@ -73,6 +76,8 @@
             "media.ffmpeg.vaapi.enabled" =
               true; # Enable hardware video acceleration
             "cookiebanners.ui.desktop.enabled" = true; # Reject cookie popups
+            "devtools.command-button-screenshot.enabled" =
+              true; # Scrolling screenshot of entire page
             "svg.context-properties.content.enabled" = true; # Sidebery styling
           };
           userChrome = ''
@@ -114,7 +119,7 @@
               background-color: ${config.theme.colors.base00};
               color: ${config.theme.colors.base06} !important;
             }
-            .tab-content[selected=true] {
+            .tab-content[selected] {
               border-bottom: 2px solid color-mix(in srgb, var(--identity-tab-color) 25%, transparent);
               background-color: ${config.theme.colors.base01} !important;
               color: ${config.theme.colors.base07} !important;

modules/common/applications/obsidian.nix

@@ -15,8 +15,9 @@
       home.packages = with pkgs; [ obsidian ];
     };
 
-    # Broken on 2023-04-16
-    nixpkgs.config.permittedInsecurePackages = [ "electron-21.4.0" ];
+    # Broken on 2023-12-11
+    # https://forum.obsidian.md/t/electron-25-is-now-eol-please-upgrade-to-a-newer-version/72878/8
+    nixpkgs.config.permittedInsecurePackages = [ "electron-25.9.0" ];
 
   };
 

modules/common/default.nix

@@ -75,10 +75,18 @@
         type = lib.types.str;
         description = "Hostname for metrics server.";
       };
+      paperless = lib.mkOption {
+        type = lib.types.str;
+        description = "Hostname for document server (paperless-ngx).";
+      };
       prometheus = lib.mkOption {
         type = lib.types.str;
         description = "Hostname for Prometheus server.";
       };
+      influxdb = lib.mkOption {
+        type = lib.types.str;
+        description = "Hostname for InfluxDB2 server.";
+      };
       secrets = lib.mkOption {
         type = lib.types.str;
         description = "Hostname for passwords and secrets (Vaultwarden).";

modules/common/mail/aerc.nix

@@ -68,7 +68,7 @@
             "!" = ":term<space>";
             "|" = ":pipe<space>";
 
-            "/" = ":search<space>";
+            "/" = ":search<space>-a<space>";
             "\\" = ":filter <space>";
             n = ":next-result<Enter>";
             N = ":prev-result<Enter>";

modules/common/neovim/config/completion.nix

@@ -9,7 +9,6 @@
     pkgs.vimPlugins.luasnip
     pkgs.vimPlugins.cmp_luasnip
     pkgs.vimPlugins.cmp-rg
-    pkgs.vimPlugins.friendly-snippets
   ];
 
   use.cmp.setup = dsl.callWith {
@@ -24,13 +23,6 @@
       end
     '';
 
-    # Enable Luasnip snippet completion
-    snippet.expand = dsl.rawLua ''
-      function(args)
-          require("luasnip").lsp_expand(args.body)
-      end
-    '';
-
     # Basic completion keybinds
     mapping = {
       "['<C-n>']" = dsl.rawLua
@@ -70,7 +62,6 @@
     sources = [
       { name = "nvim_lua"; } # Fills in common Neovim lua functions
       { name = "nvim_lsp"; } # LSP results
-      { name = "luasnip"; } # Snippets
       { name = "path"; } # Shell completion from current PATH
       {
         name = "buffer"; # Grep for text from the current text buffer
@@ -119,7 +110,6 @@
             }
             vim_item.kind = string.format("%s", kind_icons[vim_item.kind])
             vim_item.menu = ({
-                luasnip = "[Snippet]",
                 buffer = "[Buffer]",
                 path = "[Path]",
                 rg = "[Grep]",
@@ -139,13 +129,6 @@
   };
 
   lua = ''
-    -- Load snippets
-    -- Check status: :lua require("luasnip").log.open()
-    require("luasnip.loaders.from_vscode").lazy_load()
-    require("luasnip.loaders.from_vscode").lazy_load({ paths = { "${
-      builtins.toString pkgs.vscode-terraform-snippets
-    }" } })
-
     -- Use buffer source for `/`
     require('cmp').setup.cmdline("/", {
         sources = {

modules/common/neovim/config/github.lua

@@ -0,0 +1,14 @@
+-- Keymap to open file in GitHub web
+vim.keymap.set("n", "<Leader>gr", ":!gh browse %<CR><CR>", { silent = true })
+
+-- Pop a terminal to watch the current run
+local gitwatch =
+    require("toggleterm.terminal").Terminal:new({ cmd = "fish --interactive --init-command 'gh run watch'" })
+
+-- Set a toggle for this terminal
+function GITWATCH_TOGGLE()
+    gitwatch:toggle()
+end
+
+-- Keymap to toggle the run
+vim.keymap.set("n", "<Leader>gw", GITWATCH_TOGGLE)

modules/common/neovim/config/kubernetes.lua

@@ -0,0 +1,6 @@
+local k9s = require("toggleterm.terminal").Terminal:new({ cmd = "k9s" })
+function K9S_TOGGLE()
+    k9s:toggle()
+end
+
+vim.keymap.set("n", "<Leader>9", K9S_TOGGLE)

modules/common/neovim/config/lsp.nix

@@ -1,28 +1,63 @@
-{ pkgs, dsl, ... }: {
+{ pkgs, lib, config, dsl, ... }: {
 
+  # Terraform optional because non-free
+  options.terraform = lib.mkEnableOption "Whether to enable Terraform LSP";
+  options.github = lib.mkEnableOption "Whether to enable GitHub features";
+  options.kubernetes =
+    lib.mkEnableOption "Whether to enable Kubernetes features";
+
+  config =
+
+    let
+
+      terraformFormat = if config.terraform then ''
+        require("null-ls").builtins.formatting.terraform_fmt.with({
+            command = "${pkgs.terraform}/bin/terraform",
+            extra_filetypes = { "hcl" },
+        }),
+      '' else
+        "";
+
+    in {
       plugins = [
         pkgs.vimPlugins.nvim-lspconfig
-    pkgs.vimPlugins.lsp-colors-nvim
         pkgs.vimPlugins.null-ls-nvim
+        pkgs.vimPlugins.fidget-nvim
       ];
 
+      setup.fidget = { };
+
       use.lspconfig.lua_ls.setup = dsl.callWith {
         settings = { Lua = { diagnostics = { globals = [ "vim" "hs" ]; }; }; };
-    capabilities = dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
+        capabilities =
+          dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
         cmd = [ "${pkgs.lua-language-server}/bin/lua-language-server" ];
       };
 
       use.lspconfig.nil_ls.setup = dsl.callWith {
         cmd = [ "${pkgs.nil}/bin/nil" ];
-    capabilities = dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
+        capabilities =
+          dsl.rawLua "require('cmp_nvim_lsp').default_capabilities()";
       };
 
       use.lspconfig.pyright.setup = dsl.callWith {
         cmd = [ "${pkgs.pyright}/bin/pyright-langserver" "--stdio" ];
       };
 
-  use.lspconfig.terraformls.setup =
-    dsl.callWith { cmd = [ "${pkgs.terraform-ls}/bin/terraform-ls" "serve" ]; };
+      use.lspconfig.terraformls.setup = dsl.callWith {
+        cmd = if config.terraform then [
+          "${pkgs.terraform-ls}/bin/terraform-ls"
+          "serve"
+        ] else
+          [ "echo" ];
+      };
+
+      use.lspconfig.rust_analyzer.setup = dsl.callWith {
+        cmd = [ "${pkgs.rust-analyzer}/bin/rust-analyzer" ];
+        settings = {
+          "['rust-analyzer']" = { check = { command = "clippy"; }; };
+        };
+      };
 
       vim.api.nvim_create_augroup = dsl.callWith [ "LspFormatting" { } ];
 
@@ -45,10 +80,7 @@
                     command = "${pkgs.shfmt}/bin/shfmt",
                     extra_args = { "-i", "4", "-ci" },
                 }),
-            require("null-ls").builtins.formatting.terraform_fmt.with({
-                command = "${pkgs.terraform}/bin/terraform",
-                extra_filetypes = { "hcl" },
-            }),
+                ${terraformFormat}
             },
 
             on_attach = function(client, bufnr)
@@ -73,4 +105,6 @@
         })
       '';
 
+    };
+
 }

modules/common/neovim/config/misc.nix

@@ -12,7 +12,7 @@
 
   # Initialize some plugins
   setup.Comment = { };
-  setup.colorizer = { };
+  setup.colorizer = { user_default_options = { names = false; }; };
   setup.glow = { };
   setup.which-key = { };
 
@@ -69,10 +69,6 @@
     " Remember last position when reopening file
     au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$") | exe "normal! g`\"" | endif
 
-    " LaTeX options
-    au FileType tex inoremap ;bf \textbf{}<Esc>i
-    au BufWritePost *.tex silent! execute "!pdflatex -output-directory=%:p:h % >/dev/null 2>&1" | redraw!
-
     " Flash highlight when yanking
     au TextYankPost * silent! lua vim.highlight.on_yank { timeout = 250 }
   '';

modules/common/neovim/config/syntax.nix

@@ -4,6 +4,7 @@
     (pkgs.vimPlugins.nvim-treesitter.withPlugins (_plugins:
       with pkgs.tree-sitter-grammars; [
         tree-sitter-bash
+        # tree-sitter-c
         tree-sitter-fish
         tree-sitter-hcl
         tree-sitter-ini
@@ -24,7 +25,7 @@
     pkgs.vimPlugins.vim-helm
     pkgs.baleia-nvim # Clean ANSI from kitty scrollback
     # pkgs.hmts-nvim # Tree-sitter injections for home-manager
-    (pkgs.vimUtils.buildVimPluginFrom2Nix {
+    (pkgs.vimUtils.buildVimPlugin {
       pname = "nmasur";
       version = "0.1";
       src = ../plugin;

modules/common/neovim/config/toggleterm.lua

@@ -26,17 +26,5 @@ function NIXPKGS_TOGGLE()
     nixpkgs:toggle()
 end
 
-local gitwatch = terminal:new({ cmd = "fish --interactive --init-command 'gh run watch'" })
-function GITWATCH_TOGGLE()
-    gitwatch:toggle()
-end
-
-local k9s = terminal:new({ cmd = "k9s" })
-function K9S_TOGGLE()
-    k9s:toggle()
-end
-
 vim.keymap.set("n", "<Leader>t", TERM_TOGGLE)
 vim.keymap.set("n", "<Leader>P", NIXPKGS_TOGGLE)
-vim.keymap.set("n", "<Leader>gw", GITWATCH_TOGGLE)
-vim.keymap.set("n", "<Leader>9", K9S_TOGGLE)

modules/common/neovim/config/toggleterm.nix

@@ -1,4 +1,4 @@
-{ pkgs, dsl, ... }: {
+{ pkgs, dsl, config, ... }: {
 
   # Toggleterm provides a floating terminal inside the editor for quick access
 
@@ -10,6 +10,10 @@
     direction = "float";
   };
 
-  lua = builtins.readFile ./toggleterm.lua;
+  lua = ''
+    ${builtins.readFile ./toggleterm.lua}
+    ${if config.github then (builtins.readFile ./github.lua) else ""}
+    ${if config.kubernetes then (builtins.readFile ./kubernetes.lua) else ""}
+  '';
 
 }

modules/common/neovim/config/tree.nix

@@ -63,7 +63,6 @@
     '';
     view = { # Set look and feel
       width = 30;
-      hide_root_folder = false;
       side = "left";
       number = false;
       relativenumber = false;

modules/common/neovim/default.nix

@@ -5,6 +5,9 @@ let
   neovim = import ./package {
     inherit pkgs;
     colors = config.theme.colors;
+    terraform = config.terraform.enable;
+    github = true;
+    kubernetes = config.kubernetes.enable;
   };
 
 in {

modules/common/neovim/lua/keybinds.lua

@@ -39,7 +39,6 @@ key("n", "<Leader>fs", ":write<CR>")
 key("n", "<Leader>fd", ":lcd %:p:h<CR>", { silent = true })
 key("n", "<Leader>fu", ":lcd ..<CR>", { silent = true })
 key("n", "<Leader><Tab>", ":b#<CR>", { silent = true })
-key("n", "<Leader>gr", ":!gh browse %<CR><CR>", { silent = true })
 key("n", "<Leader>tt", [[<Cmd>exe 'edit $NOTES_PATH/journal/'.strftime("%Y-%m-%d_%a").'.md'<CR>]])
 key("n", "<Leader>jj", ":!journal<CR>:e<CR>")
 
@@ -65,6 +64,12 @@ key("n", "<C-Down>", ":resize -2<CR>", { silent = true })
 key("n", "<C-Left>", ":vertical resize -2<CR>", { silent = true })
 key("n", "<C-Right>", ":vertical resize +2<CR>", { silent = true })
 
+-- Quickfix
+key("n", "]q", ":cnext<CR>")
+key("n", "[q", ":cprevious<CR>")
+key("n", "co", ":copen<CR>")
+key("n", "cq", ":cclose<CR>")
+
 -- Other
 key("n", "<A-CR>", ":noh<CR>", { silent = true })           --- Clear search in VimWiki
 key("n", "Y", "y$")                                         --- Copy to end of line

modules/common/neovim/package/default.nix

@@ -26,13 +26,13 @@
 #   ] ++ extraConfig;
 # }
 
-{ pkgs, colors, ... }:
+{ pkgs, colors, terraform ? false, github ? false, kubernetes ? false, ... }:
 
 # Comes from nix2vim overlay:
 # https://github.com/gytis-ivaskevicius/nix2vim/blob/master/lib/neovim-builder.nix
 pkgs.neovimBuilder {
   package = pkgs.neovim-unwrapped;
-  inherit colors;
+  inherit colors terraform github kubernetes;
   imports = [
     ../config/align.nix
     ../config/bufferline.nix

modules/common/programming/default.nix

@@ -6,6 +6,7 @@
     ./lua.nix
     ./nix.nix
     ./python.nix
+    ./rust.nix
     ./terraform.nix
   ];
 

modules/common/programming/rust.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }: {
+
+  options.rust.enable = lib.mkEnableOption "Rust programming language.";
+
+  config = lib.mkIf config.rust.enable {
+
+    home-manager.users.${config.user} = {
+
+      programs.fish.shellAbbrs = { ca = "cargo"; };
+
+      home.packages = with pkgs; [ cargo rustc clippy gcc ];
+
+    };
+
+  };
+
+}

modules/common/programming/terraform.nix

@@ -3,6 +3,7 @@
   options.terraform.enable = lib.mkEnableOption "Terraform tools.";
 
   config = lib.mkIf config.terraform.enable {
+    unfreePackages = [ "terraform" ];
 
     home-manager.users.${config.user} = {
       programs.fish.shellAbbrs = {

modules/common/shell/atuin.nix

@@ -0,0 +1,39 @@
+{ config, lib, ... }: {
+
+  # Shell history sync
+
+  options.atuin.enable = lib.mkEnableOption "Atuin";
+
+  config = {
+
+    home-manager.users.${config.user} = lib.mkIf config.atuin.enable {
+
+      programs.atuin = {
+        enable = true;
+        flags = [ "--disable-up-arrow" "--disable-ctrl-r" ];
+        settings = {
+          auto_sync = true;
+          update_check = false;
+          sync_address = "https://api.atuin.sh";
+          search_mode = "fuzzy";
+          filter_mode = "host"; # global, host, session, directory
+          search_mode_shell_up_key_binding = "fuzzy";
+          filter_mode_shell_up_key_binding = "session";
+          style = "compact"; # or auto,full
+          show_help = true;
+          history_filter = [ ];
+          secrets_filter = true;
+          enter_accept = false;
+          keymap_mode = "vim-normal";
+        };
+      };
+
+    };
+
+    # Give root user the same setup
+    home-manager.users.root.programs.atuin =
+      config.home-manager.users.${config.user}.programs.atuin;
+
+  };
+
+}

modules/common/shell/charm.nix

@@ -10,6 +10,7 @@
       glow # Markdown previews
       skate # Key-value store
       charm # Manage account and filesystem
+      pop # Send emails from a TUI
     ];
 
   };

modules/common/shell/default.nix

@@ -1,5 +1,6 @@
 { ... }: {
   imports = [
+    ./atuin.nix
     ./bash
     ./charm.nix
     ./direnv.nix

modules/common/shell/direnv.nix

@@ -7,6 +7,22 @@
     config = { whitelist = { prefix = [ config.dotfilesPath ]; }; };
   };
 
+  # programs.direnv.direnvrcExtra = ''
+  #   layout_postgres() {
+  #       export PGDATA="$(direnv_layout_dir)/postgres"
+  #       export PGHOST="$PGDATA"
+  #
+  #       if [[ ! -d "PGDATA" ]]; then
+  #           initdb
+  #           cat >> "$PGDATA/postgres.conf" <<- EOF
+  #                   listen_addresses = '''
+  #                   unix_socket_directories = '$PGHOST'
+  #           EOF
+  #           echo "CREATE DATABASE $USER;" | postgres --single -E postgres
+  #       fi
+  #   }
+  # '';
+
   # Prevent garbage collection
   nix.extraOptions = ''
     keep-outputs = true

modules/common/shell/fish/default.nix

@@ -6,7 +6,7 @@
   home-manager.users.${config.user} = {
 
     # Packages used in abbreviations and aliases
-    home.packages = with pkgs; [ curl exa ];
+    home.packages = with pkgs; [ curl ];
 
     programs.fish = {
       enable = true;
@@ -15,8 +15,8 @@
         # Version of bash which works much better on the terminal
         bash = "${pkgs.bashInteractive}/bin/bash";
 
-        # Use exa instead of ls for fancier output
-        ls = "exa --group";
+        # Use eza (exa) instead of ls for fancier output
+        ls = "${pkgs.eza}/bin/eza --group";
 
         # Move files to XDG trash on the commandline
         trash = lib.mkIf pkgs.stdenv.isLinux "${pkgs.trash-cli}/bin/trash-put";
@@ -123,9 +123,6 @@
         dr = "docker run --rm -it";
         db = "docker build . -t";
 
-        # Rust
-        ca = "cargo";
-
       };
       shellInit = "";
     };

modules/common/shell/fish/functions/fish_user_key_bindings.fish

@@ -18,3 +18,5 @@ bind -M insert \cn 'commandline -r "nix shell nixpkgs#"'
 bind -M default \cn 'commandline -r "nix shell nixpkgs#"'
 bind -M insert \x11F nix-fzf
 bind -M default \x11F nix-fzf
+bind -M insert \ch _atuin_search --filter-mode global
+bind -M default \ch _atuin_search --filter-mode global

modules/common/shell/fzf.nix

@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, pkgs, ... }: {
 
   # FZF is a fuzzy-finder for the terminal
 
@@ -16,10 +16,9 @@
                     --search-path $HOME/dev \
                     --type directory \
                     --exact-depth 2 \
+                | ${pkgs.proximity-sort}/bin/proximity-sort $PWD \
                 | sed 's/\\/$//' \
-                | fzf \
-                    --delimiter '/' \
-                    --with-nth 6.. \
+                | fzf --tiebreak=index \
             )
             and cd $projdir
             and commandline -f execute

modules/common/shell/git.nix

@@ -35,8 +35,20 @@ in {
           init = { defaultBranch = "master"; };
         };
         ignores = [ ".direnv/**" "result" ];
+        includes = [{
+          path = "~/.config/git/personal";
+          condition = "gitdir:~/dev/personal/";
+        }];
       };
 
+      # Personal git config
+      # TODO: fix with variables
+      xdg.configFile."git/personal".text = ''
+        [user]
+            name = "Noah Masur"
+            email = "7386960+nmasur@users.noreply.github.com"
+      '';
+
       programs.fish.shellAbbrs = {
         g = "git";
         gs = "git status";
@@ -58,6 +70,7 @@ in {
           git switch (git symbolic-ref refs/remotes/origin/HEAD | cut -d"/" -f4)'';
         gcob = "git switch -c";
         gb = "git branch";
+        gpd = "git push origin -d";
         gbd = "git branch -d";
         gbD = "git branch -D";
         gr = "git reset";

modules/common/shell/github.nix

@@ -7,6 +7,7 @@
         enable = true;
         gitCredentialHelper.enable = true;
         settings.git_protocol = "https";
+        extensions = [ pkgs.gh-collaborators ];
       };
 
     programs.fish =
@@ -14,7 +15,7 @@
         shellAbbrs = {
           ghr = "gh repo view -w";
           gha =
-            "gh run list | head -1 | awk '{ print $(NF-2) }' | xargs gh run view";
+            "gh run list | head -1 | awk '{ print \\$\\(NF-2\\) }' | xargs gh run view";
           grw = "gh run watch";
           grf = "gh run view --log-failed";
           grl = "gh run view --log";
@@ -56,6 +57,7 @@
             | fzf \
                 --header-lines=1 \
                 --layout=reverse \
+                --height=100% \
                 --bind "ctrl-o:execute:gh repo view -w ''${organization}/{1}" \
                 --bind "shift-up:preview-half-page-up" \
                 --bind "shift-down:preview-half-page-down" \

modules/common/shell/nixpkgs.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, lib, ... }: {
   home-manager.users.${config.user} = {
 
     programs.fish = {
@@ -60,6 +60,18 @@
       enableFishIntegration = true;
     };
 
+    # Create nix-index if doesn't exist
+    home.activation.createNixIndex =
+      let cacheDir = "${config.homePath}/.cache/nix-index";
+      in lib.mkIf
+      config.home-manager.users.${config.user}.programs.nix-index.enable
+      (config.home-manager.users.${config.user}.lib.dag.entryAfter
+        [ "writeBoundary" ] ''
+          if [ ! -d ${cacheDir} ]; then
+              $DRY_RUN_CMD ${pkgs.nix-index}/bin/nix-index -f ${pkgs.path}
+          fi
+        '');
+
   };
 
   nix = {

modules/common/shell/utilities.nix

@@ -25,6 +25,8 @@ in {
         htop # Show system processes
         killall # Force quit
         inetutils # Includes telnet, whois
+        jless # JSON viewer
+        jo # JSON output
         jq # JSON manipulation
         lf # File viewer
         qrencode # Generate qr codes
@@ -44,10 +46,11 @@ in {
 
       home.file = {
         ".rgignore".text = ignorePatterns;
-        ".fdignore".text = ignorePatterns;
         ".digrc".text = "+noall +answer"; # Cleaner dig commands
       };
 
+      xdg.configFile."fd/ignore".text = ignorePatterns;
+
       programs.bat = {
         enable = true; # cat replacement
         config = {

modules/darwin/hammerspoon.nix

@@ -24,9 +24,9 @@
       home.activation.reloadHammerspoon =
         config.home-manager.users.${config.user}.lib.dag.entryAfter
         [ "writeBoundary" ] ''
-          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.reload()"
+          $DRY_RUN_CMD /Applications/Hammerspoon.app/Contents/Frameworks/hs/hs -c "hs.reload()"
           $DRY_RUN_CMD sleep 1
-          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.console.clearConsole()"
+          $DRY_RUN_CMD /Applications/Hammerspoon.app/Contents/Frameworks/hs/hs -c "hs.console.clearConsole()"
         '';
 
     };

modules/darwin/hammerspoon/Spoons/Launcher.spoon/init.lua

@@ -54,14 +54,19 @@ function obj:init()
     end)
 
     -- Launcher shortcuts
-    self.launcher:bind("ctrl", "space", function()
-    end)
+    self.launcher:bind("ctrl", "space", function() end)
     self.launcher:bind("", "return", function()
         self:switch("@kitty@")
     end)
     self.launcher:bind("", "C", function()
         self:switch("Calendar.app")
     end)
+    self.launcher:bind("shift", "D", function()
+        hs.execute("launchctl remove com.paloaltonetworks.gp.pangps")
+        hs.execute("launchctl remove com.paloaltonetworks.gp.pangpa")
+        hs.alert.show("Disconnected from GlobalProtect", nil, nil, 4)
+        self.launcher:exit()
+    end)
     self.launcher:bind("", "E", function()
         self:switch("Mail.app")
     end)
@@ -80,6 +85,12 @@ function obj:init()
     self.launcher:bind("", "P", function()
         self:switch("System Preferences.app")
     end)
+    self.launcher:bind("shift", "P", function()
+        hs.execute("launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist")
+        hs.execute("launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist")
+        hs.alert.show("Reconnecting to GlobalProtect", nil, nil, 4)
+        self.launcher:exit()
+    end)
     self.launcher:bind("", "R", function()
         hs.console.clearConsole()
         hs.reload()

modules/darwin/hammerspoon/Spoons/MoveWindow.spoon/worklayout.lua

@@ -55,6 +55,15 @@ local function worklayout()
         local layout = concat(left, right, laptop)
         hs.layout.apply(layout)
     end)
+
+    -- Reload Hammerspoon whenever layout changes
+    hs.screen.watcher.new(function()
+        -- Pause for 5 seconds to give time for layout to change
+        hs.timer.doAfter(5, function()
+            -- Perform the actual reload
+            hs.reload()
+        end)
+    end)
 end
 
 return worklayout

modules/darwin/hammerspoon/init.lua

@@ -1,5 +1,5 @@
+hs.ipc.cliInstall()                   -- Install Hammerspoon CLI program
 hs.loadSpoon("ControlEscape"):start() -- Load Hammerspoon bits from https://github.com/jasonrudolph/ControlEscape.spoon
 hs.loadSpoon("Launcher"):init()
 hs.loadSpoon("DismissAlerts"):init()
 hs.loadSpoon("MoveWindow"):init()
-hs.ipc.cliInstall() -- Install Hammerspoon CLI program

modules/darwin/homebrew.nix

@@ -8,11 +8,15 @@
       if ! xcode-select --version 2>/dev/null; then
         $DRY_RUN_CMD xcode-select --install
       fi
-      if ! /usr/local/bin/brew --version 2>/dev/null; then
+      if ! /opt/homebrew/bin/brew --version 2>/dev/null; then
         $DRY_RUN_CMD /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
       fi
     '';
 
+    # Add homebrew paths to CLI path
+    home-manager.users.${config.user}.home.sessionPath =
+      [ "/opt/homebrew/bin/" ];
+
     homebrew = {
       enable = true;
       onActivation = {
@@ -24,24 +28,22 @@
         brewfile = true; # Run brew bundle from anywhere
         lockfiles = false; # Don't save lockfile (since running from anywhere)
       };
-      taps = [
-        "homebrew/cask" # Required for casks
-        "homebrew/cask-drivers" # Used for Logitech G-Hub
-      ];
       brews = [
         "trash" # Delete files and folders to trash instead of rm
         "openjdk" # Required by Apache Directory Studio
       ];
       casks = [
-        "1password" # 1Password packaging on Nix is broken for macOS
+        "1password" # 1Password will not launch from Nix on macOS
         "apache-directory-studio" # Packaging on Nix is not available for macOS
-        "gitify" # Git notifications in menu bar
+        # "gitify" # Git notifications in menu bar (downgrade manually from 4.6.1)
         "keybase" # GUI on Nix not available for macOS
-        "logitech-g-hub" # Mouse and keyboard management
+        # "logitech-g-hub" # Mouse and keyboard management
+        "logitune" # Logitech webcam firmware
         "meetingbar" # Show meetings in menu bar
-        "obsidian" # Obsidian packaging on Nix is not available for macOS
+        # "obsidian" # Obsidian packaging on Nix is not available for macOS
         "scroll-reverser" # Different scroll style for mouse vs. trackpad
-        "steam" # Not packaged for Nix
+        # "steam" # Not packaged for Nix
+        # "epic-games" # Not packaged for Nix
       ];
     };
 

modules/darwin/networking.nix

@@ -2,7 +2,7 @@
 
   config = lib.mkIf pkgs.stdenv.isDarwin {
     networking = {
-      computerName = "${config.fullName}'\\''s Mac";
+      computerName = config.networking.hostName;
       # Adjust if necessary
       # hostName = "";
     };

modules/darwin/system.nix

@@ -34,8 +34,8 @@
           # Enable full keyboard access for all controls (e.g. enable Tab in modal dialogs)
           AppleKeyboardUIMode = 3;
 
-          # Automatically show and hide the menu bar
-          _HIHideMenuBar = true;
+          # Only hide menu bar in fullscreen
+          _HIHideMenuBar = false;
 
           # Expand save panel by default
           NSNavPanelExpandedStateForSaveMode = true;
@@ -154,11 +154,15 @@
         echo "Show the ~/Library folder"
         chflags nohidden ~/Library
 
+        if [ ! $(defaults read com.apple.dock magnification) = "1" ]; then
             echo "Enable dock magnification"
             defaults write com.apple.dock magnification -bool true
+        fi
 
+        if [ ! $(defaults read com.apple.dock largesize) = "48" ]; then
             echo "Set dock magnification size"
             defaults write com.apple.dock largesize -int 48
+        fi
 
         echo "Define dock icon function"
         __dock_item() {
@@ -180,9 +184,16 @@
             "$(__dock_item /System/Applications/Mail.app)" \
             "$(__dock_item /Applications/zoom.us.app)" \
             "$(__dock_item ${pkgs.discord}/Applications/Discord.app)" \
-            "$(__dock_item /Applications/Obsidian.app)" \
+            "$(__dock_item ${pkgs.obsidian}/Applications/Obsidian.app)" \
             "$(__dock_item ${pkgs.kitty}/Applications/kitty.app)" \
             "$(__dock_item /System/Applications/System\ Settings.app)"
+
+        echo "MeetingBar settings"
+        defaults write leits.MeetingBar eventTimeFormat -string "\"show\""
+        defaults write leits.MeetingBar eventTitleFormat -string "\"none\""
+        defaults write leits.MeetingBar eventTitleIconFormat -string "\"iconCalendar\""
+        defaults write leits.MeetingBar slackBrowser -string "{\"deletable\":true,\"arguments\":\"\",\"name\":\"Slack\",\"path\":\"\"}"
+        defaults write leits.MeetingBar zoomBrowser -string "{\"deletable\":true,\"arguments\":\"\",\"name\":\"Zoom\",\"path\":\"\"}"
       '';
 
     };

modules/darwin/user.nix

@@ -9,13 +9,19 @@
 
     };
 
-    # Used for aerc
     home-manager.users.${config.user} = {
-      home.sessionVariables = {
-        XDG_CONFIG_HOME = "${config.homePath}/.config";
-      };
+
+      # Default shell setting doesn't work
+      home.sessionVariables = { SHELL = "${pkgs.fish}/bin/fish"; };
+
+      # Used for aerc
+      xdg.enable = true;
+
     };
 
+    # Fix for: 'Error: HOME is set to "/var/root" but we expect "/var/empty"'
+    home-manager.users.root.home.homeDirectory = lib.mkForce "/var/root";
+
   };
 
 }

modules/darwin/utilities.nix

@@ -2,6 +2,8 @@
 
 {
 
+  unfreePackages = [ "consul" "vault-bin" ];
+
   home-manager.users.${config.user} = lib.mkIf pkgs.stdenv.isDarwin {
 
     home.packages = with pkgs; [
@@ -11,11 +13,13 @@
       youtube-dl # Convert web videos
       pandoc # Convert text documents
       mpd # TUI slideshows
+      mpv # Video player
+      gnupg # Encryption
       awscli2
       awslogs
       google-cloud-sdk
       ansible
-      vault
+      vault-bin
       consul
       noti # Create notifications programmatically
       ipcalc # Make IP network calculations

modules/nixos/gaming/steam.nix

@@ -22,6 +22,11 @@
 
     ];
 
+    # Adapted in part from: https://github.com/Shawn8901/nix-configuration/blob/1c48be94238a9f463cf0bbd1e1842a4454286514/modules/nixos/steam-compat-tools/default.nix
+    # Based on: https://github.com/NixOS/nixpkgs/issues/73323
+    environment.sessionVariables.STEAM_EXTRA_COMPAT_TOOLS_PATHS =
+      lib.makeBinPath [ pkgs.proton-ge-custom ];
+
     # Seems like NetworkManager can help speed up Steam launch
     # https://www.reddit.com/r/archlinux/comments/qguhco/steam_startup_time_arch_1451_seconds_fedora_34/hi8opet/
     networking.networkmanager.enable = true;

modules/nixos/graphical/i3.nix

@@ -45,7 +45,7 @@ in {
               { class = "obsidian"; }
             ];
             "${ws3}" = [{ class = "discord"; }];
-            "${ws4}" = [{ class = "Steam"; }];
+            "${ws4}" = [ { class = "steam"; } { class = "Steam"; } ];
           };
           bars = [{ command = "echo"; }]; # Disable i3bar
           colors = let
@@ -95,13 +95,15 @@ in {
 
             # Adjust screen brightness
             "Shift+F12" =
-              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 + 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 + 30";
+              # Disable dynamic sleep
+              # https://github.com/rockowitz/ddcutil/issues/323
+              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 + 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 + 30";
             "Shift+F11" =
-              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 - 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 - 30";
+              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 - 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 - 30";
             "XF86MonBrightnessUp" =
-              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 + 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 + 30";
+              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 + 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 + 30";
             "XF86MonBrightnessDown" =
-              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 - 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 - 30";
+              "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 - 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 - 30";
 
             # Media player controls
             "XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";

modules/nixos/graphical/polybar.nix

@@ -36,7 +36,7 @@
             module-margin = 1;
             modules-left = "i3";
             modules-center = "xwindow";
-            modules-right = "mailcount network pulseaudio date power";
+            modules-right = "mailcount network pulseaudio date keyboard power";
             cursor-click = "pointer";
             cursor-scroll = "ns-resize";
             enable-ipc = true;
@@ -200,10 +200,17 @@
             label-foreground = config.theme.colors.base0A;
             # format-background = colors.background;
           };
+          "module/keyboard" = {
+            type = "custom/text";
+            content = "󰌌";
+            click-left = "doas systemctl restart keyd";
+            content-foreground = config.theme.colors.base04;
+          };
           "module/power" = {
             type = "custom/text";
             content = "  ";
             click-left = config.powerCommand;
+            click-right = "polybar-msg cmd restart";
             content-foreground = config.theme.colors.base04;
           };
           "settings" = {

modules/nixos/graphical/rofi.nix

@@ -59,7 +59,7 @@ in {
             border = mkLiteral "0px";
             border-radius = mkLiteral "0px";
             border-color = mkLiteral config.theme.colors.base04;
-            children = map mkLiteral [ "inputbar" "listview" ];
+            children = map mkLiteral [ "inputbar" "message" "listview" ];
             spacing = mkLiteral "10px";
             padding = mkLiteral "10px";
           };

modules/nixos/graphical/rofi/brightness.nix

@@ -28,17 +28,18 @@ in {
               -sep ';' \
               -selected-row 1)
 
+
       case "$chosen" in
           "$dimmer")
-              ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 25; ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 25
+              ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 25; ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 25
               ;;
 
           "$medium")
-              ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 75; ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 75
+              ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 75; ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 75
               ;;
 
           "$brighter")
-              ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 100; ${pkgs.ddcutil}/bin/ddcutil --display 2 setvcp 10 100
+              ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 100; ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 100
               ;;
 
           *) exit 1 ;;

modules/nixos/graphical/rofi/power.nix

@@ -31,15 +31,17 @@ in {
             -sep ';' \
             -selected-row 2)
 
+    confirm () {
+        ${builtins.readFile ./rofi-prompt.sh}
+    }
+
     case "$chosen" in
         "$power_off")
-            ${
-              builtins.toString ./rofi-prompt.sh
-            } 'Shutdown?' && doas shutdown now
+            confirm 'Shutdown?' && doas shutdown now
             ;;
 
         "$reboot")
-            ${builtins.toString ./rofi-prompt.sh} 'Reboot?' && doas reboot
+            confirm 'Reboot?' && doas reboot
             ;;
 
         "$lock")
@@ -51,7 +53,7 @@ in {
             ;;
 
         "$log_out")
-            ${builtins.toString ./rofi-prompt.sh} 'Logout?' && i3-msg exit
+            confirm 'Logout?' && i3-msg exit
             ;;
 
         *) exit 1 ;;

modules/nixos/graphical/rofi/rofi-prompt.sh

@@ -42,6 +42,6 @@ chosen=$(printf '%s;%s\n' "$yes" "$no" |
         -selected-row 1)
 
 case "$chosen" in
-    "$yes") exit 0 ;;
-    *) exit 1 ;;
+    "$yes") return 0 ;;
+    *) return 1 ;;
 esac

modules/nixos/hardware/keyboard.nix

@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, pkgs, ... }: {
 
   config = {
 
@@ -23,6 +23,10 @@
       };
     };
 
+    # For some reason, keyd doesn't restart properly when updating
+    system.activationScripts.keyd.text =
+      "${pkgs.systemd}/bin/systemctl restart keyd.service";
+
     # Enable num lock on login
     home-manager.users.${config.user}.xsession.numlock.enable = true;
 

modules/nixos/hardware/networking.nix

@@ -12,7 +12,7 @@
       domainName = "local";
       ipv6 = false; # Should work either way
       # Resolve local hostnames using Avahi DNS
-      nssmdns = true;
+      nssmdns4 = true;
       publish = {
         enable = true;
         addresses = true;

modules/nixos/services/arr.nix

@@ -2,6 +2,7 @@
 
 let
 
+  # This config specifies ports for Prometheus to scrape information
   arrConfig = {
     radarr = {
       exportarrPort = "9707";
@@ -41,6 +42,8 @@ in {
       sabnzbd = {
         enable = true;
         group = "media";
+        # The config file must be editable within the application
+        # It contains server configs and credentials
         configFile = "/data/downloads/sabnzbd/sabnzbd.ini";
       };
       sonarr = {
@@ -53,16 +56,23 @@ in {
       };
     };
 
+    # Create a media group to be shared between services
     users.groups.media = { };
+
+    # Give the human user access to the media group
     users.users.${config.user}.extraGroups = [ "media" ];
+
+    # Allows media group to read/write the sabnzbd directory
     users.users.sabnzbd.homeMode = "0770";
 
-    unfreePackages = [ "unrar" ]; # Required for sabnzbd
+    unfreePackages = [ "unrar" ]; # Required as a dependency for sabnzbd
 
     # Requires updating the base_url config value in each service
     # If you try to rewrite the URL, the service won't redirect properly
     caddy.routes = [
       {
+        # Group means that routes with the same name are mutually exclusive,
+        # so they are split between the appropriate services.
         group = "download";
         match = [{
           host = [ config.hostnames.download ];
@@ -70,6 +80,7 @@ in {
         }];
         handle = [{
           handler = "reverse_proxy";
+          # We're able to reference the url and port of the service dynamically 
           upstreams = [{ dial = arrConfig.sonarr.url; }];
         }];
       }
@@ -92,6 +103,7 @@ in {
         }];
         handle = [{
           handler = "reverse_proxy";
+          # Prowlarr doesn't offer a dynamic config, so we have to hardcode it
           upstreams = [{ dial = "localhost:9696"; }];
         }];
       }
@@ -104,6 +116,7 @@ in {
         handle = [{
           handler = "reverse_proxy";
           upstreams = [{
+            # Bazarr only dynamically sets the port, not the host
             dial = "localhost:${
                 builtins.toString config.services.bazarr.listenPort
               }";
@@ -145,10 +158,12 @@ in {
           Type = "simple";
           DynamicUser = true;
           ExecStart = let
+            # Sabnzbd doesn't accept the URI path, unlike the others
             url = if name != "sabnzbd" then
               "http://${attrs.url}/${name}"
             else
               "http://${attrs.url}";
+            # Exportarr is trained to pull from the arr services
           in ''
             ${pkgs.exportarr}/bin/exportarr ${name} \
                         --url ${url} \
@@ -197,7 +212,7 @@ in {
       prefix = "API_KEY=";
     };
 
-    # Prometheus scrape targets
+    # Prometheus scrape targets (expose Exportarr to Prometheus)
     prometheus.scrapeTargets = map (key:
       "127.0.0.1:${
         lib.attrsets.getAttrFromPath [ key "exportarrPort" ] arrConfig

modules/nixos/services/backups.nix

@@ -1,3 +1,6 @@
+# This is my setup for backing up SQlite databases and other systems to S3 or
+# S3-equivalent services (like Backblaze B2).
+
 { config, lib, ... }: {
 
   options = {

modules/nixos/services/bind.nix

@@ -1,3 +1,10 @@
+# Bind is a DNS service. This allows me to resolve public domains locally so
+# when I'm at home, I don't have to travel over the Internet to reach my
+# server.
+
+# To set this on all home machines, I point my router's DNS resolver to the
+# local IP address of the machine running this service (swan).
+
 { config, pkgs, lib, ... }:
 
 let
@@ -16,11 +23,19 @@ in {
 
   config = lib.mkIf config.services.bind.enable {
 
+    # Normally I block all requests not coming from Cloudflare, so I have to also
+    # allow my local network.
     caddy.cidrAllowlist = [ "192.168.0.0/16" ];
 
     services.bind = {
+
+      # Allow requests coming from these IPs. This way I don't somehow get
+      # spammed with DNS requests coming from the Internet.
       cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
+
+      # When making normal DNS requests, forward them to Cloudflare to resolve.
       forwarders = [ "1.1.1.1" "1.0.0.1" ];
+
       ipv4Only = true;
 
       # Use rpz zone as an override
@@ -47,6 +62,7 @@ in {
 
     };
 
+    # We must allow DNS traffic to hit our machine as well
     networking.firewall.allowedTCPPorts = [ 53 ];
     networking.firewall.allowedUDPPorts = [ 53 ];
 

modules/nixos/services/caddy.nix

@@ -1,3 +1,14 @@
+# Caddy is a reverse proxy, like Nginx or Traefik. This creates an ingress
+# point from my local network or the public (via Cloudflare). Instead of a
+# Caddyfile, I'm using the more expressive JSON config file format. This means
+# I can source routes from other areas in my config and build the JSON file
+# using the result of the expression.
+
+# Caddy helpfully provides automatic ACME cert generation and management, but
+# it requires a form of validation. We are using a custom build of Caddy
+# (compiled with an overlay) to insert a plugin for managing DNS validation
+# with Cloudflare's DNS API.
+
 { config, pkgs, lib, ... }: {
 
   options = {
@@ -42,12 +53,17 @@
       configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
         apps.http.servers.main = {
           listen = [ ":443" ];
+
+          # These routes are pulled from the rest of this repo
           routes = config.caddy.routes;
           errors.routes = config.caddy.blocks;
-          logs = { }; # Uncomment to collect access logs
+
+          logs = { }; # Uncommenting collects access logs
         };
         apps.http.servers.metrics = { }; # Enables Prometheus metrics
         apps.tls.automation.policies = config.caddy.tlsPolicies;
+
+        # Setup logging to file
         logging.logs.main = {
           encoder = { format = "console"; };
           writer = {
@@ -58,13 +74,23 @@
           };
           level = "INFO";
         };
+
       });
 
     };
 
+    # Allows Caddy to serve lower ports (443, 80)
+    systemd.services.caddy.serviceConfig.AmbientCapabilities =
+      "CAP_NET_BIND_SERVICE";
+
+    # Required for web traffic to reach this machine
     networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    # HTTP/3 QUIC uses UDP (not sure if being used)
     networking.firewall.allowedUDPPorts = [ 443 ];
 
+    # Caddy exposes Prometheus metrics with the admin API
+    # https://caddyserver.com/docs/api
     prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
 
   };

modules/nixos/services/calibre.nix

@@ -1,3 +1,9 @@
+# Calibre-web is an E-Book library and management tool.
+
+# - Exposed to the public via Caddy.
+# - Hostname defined with config.hostnames.books
+# - File directory backed up to S3 on a cron schedule.
+
 { config, pkgs, lib, ... }:
 
 let
@@ -26,6 +32,7 @@ in {
       };
     };
 
+    # Allow web traffic to Caddy
     caddy.routes = [{
       match = [{ host = [ config.hostnames.books ]; }];
       handle = [{
@@ -35,6 +42,8 @@ in {
               builtins.toString config.services.calibre-web.listen.port
             }";
         }];
+        # This is required when calibre-web is behind a reverse proxy
+        # https://github.com/janeczku/calibre-web/issues/19
         headers.request.add."X-Script-Name" = [ "/calibre-web" ];
       }];
     }];

modules/nixos/services/cloudflare-tunnel.nix

@@ -1,3 +1,12 @@
+# Cloudflare Tunnel is a service for accessing the network even behind a
+# firewall, through outbound-only requests. It works by installing an agent on
+# our machines that exposes services through Cloudflare Access (Zero Trust),
+# similar to something like Tailscale.
+
+# In this case, we're using Cloudflare Tunnel to enable SSH access over a web
+# browser even when outside of my network. This is probably not the safest
+# choice but I feel comfortable enough with it anyway.
+
 { config, lib, ... }:
 
 # First time setup:
@@ -40,23 +49,28 @@
       tunnels = {
         "${config.cloudflareTunnel.id}" = {
           credentialsFile = config.secrets.cloudflared.dest;
+          # Catch-all if no match (should never happen anyway)
           default = "http_status:404";
+          # Match from ingress of any valid server name to SSH access
           ingress = { "*.masu.rs" = "ssh://localhost:22"; };
         };
       };
     };
 
+    # Grant Cloudflare access to SSH into this server
     environment.etc = {
       "ssh/ca.pub".text = ''
         ${config.cloudflareTunnel.ca}
       '';
 
-      # Must match the username of the email address in Cloudflare Access
+      # Must match the username portion of the email address in Cloudflare
+      # Access
       "ssh/authorized_principals".text = ''
         ${config.user}
       '';
     };
 
+    # Adjust SSH config to allow access from Cloudflare's certificate
     services.openssh.extraConfig = ''
       PubkeyAuthentication yes
       TrustedUserCAKeys /etc/ssh/ca.pub

modules/nixos/services/cloudflare.nix

@@ -1,5 +1,13 @@
 # This module is necessary for hosts that are serving through Cloudflare.
 
+# Cloudflare is a CDN service that is used to serve the domain names and
+# caching for my websites and services. Since Cloudflare acts as our proxy, we
+# must allow access over the Internet from Cloudflare's IP ranges.
+
+# We also want to validate our HTTPS certificates from Caddy. We'll use Caddy's
+# DNS validation plugin to connect to Cloudflare and automatically create
+# validation DNS records for our generated certificates.
+
 { config, pkgs, lib, ... }:
 
 let
@@ -59,10 +67,9 @@ in {
         };
       }];
     }];
+    # Allow Caddy to read Cloudflare API key for DNS validation
     systemd.services.caddy.serviceConfig.EnvironmentFile =
       config.secrets.cloudflareApi.dest;
-    systemd.services.caddy.serviceConfig.AmbientCapabilities =
-      "CAP_NET_BIND_SERVICE";
 
     # API key must have access to modify Cloudflare DNS records
     secrets.cloudflareApi = {
@@ -73,7 +80,7 @@ in {
     };
 
     # Allows Nextcloud to trust Cloudflare IPs
-    services.nextcloud.config.trustedProxies = cloudflareIpRanges;
+    services.nextcloud.extraOptions.trusted_proxies = cloudflareIpRanges;
 
   };
 }

modules/nixos/services/default.nix

@@ -1,3 +1,6 @@
+# This file imports all the other files in this directory for use as modules in
+# my config.
+
 { ... }: {
 
   imports = [
@@ -13,12 +16,15 @@
     ./gnupg.nix
     ./grafana.nix
     ./honeypot.nix
+    ./influxdb2.nix
     ./jellyfin.nix
     ./keybase.nix
     ./mullvad.nix
     ./n8n.nix
     ./netdata.nix
     ./nextcloud.nix
+    ./paperless.nix
+    ./postgresql.nix
     ./prometheus.nix
     ./samba.nix
     ./secrets.nix

modules/nixos/services/gitea-runner.nix

@@ -1,3 +1,9 @@
+# Gitea Actions is a CI/CD service for the Gitea source code server, meaning it
+# allows us to run code operations (such as testing or deploys) when our git
+# repositories are updated. Any machine can act as a Gitea Action Runner, so
+# the Runners don't necessarily need to be running Gitea. All we need is an API
+# key for Gitea to connect to it and register ourselves as a Runner.
+
 { config, pkgs, lib, ... }:
 
 {

modules/nixos/services/gitea.nix

@@ -11,11 +11,21 @@ in {
         actions.ENABLED = true;
         metrics.ENABLED = true;
         repository = {
+          # Pushing to a repo that doesn't exist automatically creates one as
+          # private.
           DEFAULT_PUSH_CREATE_PRIVATE = true;
+
+          # Allow git over HTTP.
           DISABLE_HTTP_GIT = false;
+
+          # Allow requests hitting the specified hostname.
           ACCESS_CONTROL_ALLOW_ORIGIN = config.hostnames.git;
+
+          # Automatically create viable users/orgs on push.
           ENABLE_PUSH_CREATE_USER = true;
           ENABLE_PUSH_CREATE_ORG = true;
+
+          # Default when creating new repos.
           DEFAULT_BRANCH = "main";
         };
         server = {
@@ -25,11 +35,15 @@ in {
           SSH_PORT = 22;
           START_SSH_SERVER = false; # Use sshd instead
           DISABLE_SSH = false;
-          # SSH_LISTEN_HOST = "0.0.0.0";
-          # SSH_LISTEN_PORT = 122;
         };
+
+        # Don't allow public users to register accounts.
         service.DISABLE_REGISTRATION = true;
+
+        # Force using HTTPS for all session access.
         session.COOKIE_SECURE = true;
+
+        # Hide users' emails.
         ui.SHOW_USER_EMAIL = false;
       };
       extraConfig = null;
@@ -39,6 +53,7 @@ in {
     users.users.${config.user}.extraGroups = [ "gitea" ];
 
     caddy.routes = [
+      # Prevent public access to Prometheus metrics.
       {
         match = [{
           host = [ config.hostnames.git ];
@@ -49,6 +64,7 @@ in {
           status_code = "403";
         }];
       }
+      # Allow access to primary server.
       {
         match = [{ host = [ config.hostnames.git ]; }];
         handle = [{
@@ -63,6 +79,7 @@ in {
       }
     ];
 
+    # Scrape the metrics endpoint for Prometheus.
     prometheus.scrapeTargets = [
       "127.0.0.1:${
         builtins.toString config.services.gitea.settings.server.HTTP_PORT

modules/nixos/services/gnupg.nix

@@ -1,3 +1,5 @@
+# GPG is an encryption tool. This isn't really in use for me at the moment.
+
 { config, pkgs, lib, ... }: {
 
   options.gpg.enable = lib.mkEnableOption "GnuPG encryption.";

modules/nixos/services/grafana.nix

@@ -7,6 +7,7 @@ in {
 
   config = lib.mkIf config.services.grafana.enable {
 
+    # Allow Grafana to connect to email service
     secrets.mailpass-grafana = {
       source = ../../../private/mailpass-grafana.age;
       dest = "${config.secretsDirectory}/mailpass-grafana";

modules/nixos/services/honeypot.nix

@@ -1,7 +1,10 @@
-{ config, lib, pkgs, ... }:
+# This is a tool for blocking IPs of anyone who attempts to scan all of my
+# ports.
 
 # Currently has some issues that don't make this viable.
 
+{ config, lib, pkgs, ... }:
+
 # Taken from:
 # https://dataswamp.org/~solene/2022-09-29-iblock-implemented-in-nixos.html
 

modules/nixos/services/influxdb2.nix

@@ -0,0 +1,61 @@
+# InfluxDB is a timeseries database similar to Prometheus. While
+# VictoriaMetrics can also act as an InfluxDB, this version of it allows for
+# infinite retention separate from our other metrics, which can be nice for
+# recording health information, for example.
+
+{ config, lib, ... }: {
+
+  config = {
+
+    services.influxdb2 = {
+      provision = {
+        enable = true;
+        initialSetup = {
+          bucket = "default";
+          organization = "main";
+          passwordFile = config.secrets.influxdb2Password.dest;
+          retention = 0; # Keep data forever
+          tokenFile = config.secrets.influxdb2Token.dest;
+          username = "admin";
+        };
+      };
+      settings = { };
+    };
+
+    # Create credentials file for InfluxDB admin
+    secrets.influxdb2Password = lib.mkIf config.services.influxdb2.enable {
+      source = ../../../private/influxdb2-password.age;
+      dest = "${config.secretsDirectory}/influxdb2-password";
+      owner = "influxdb2";
+      group = "influxdb2";
+      permissions = "0440";
+    };
+    systemd.services.influxdb2Password-secret =
+      lib.mkIf config.services.influxdb2.enable {
+        requiredBy = [ "influxdb2.service" ];
+        before = [ "influxdb2.service" ];
+      };
+    secrets.influxdb2Token = lib.mkIf config.services.influxdb2.enable {
+      source = ../../../private/influxdb2-token.age;
+      dest = "${config.secretsDirectory}/influxdb2-token";
+      owner = "influxdb2";
+      group = "influxdb2";
+      permissions = "0440";
+    };
+    systemd.services.influxdb2Token-secret =
+      lib.mkIf config.services.influxdb2.enable {
+        requiredBy = [ "influxdb2.service" ];
+        before = [ "influxdb2.service" ];
+      };
+
+    caddy.routes = lib.mkIf config.services.influxdb2.enable [{
+      match = [{ host = [ config.hostnames.influxdb ]; }];
+      handle = [{
+        handler = "reverse_proxy";
+        upstreams = [{ dial = "localhost:8086"; }];
+      }];
+    }];
+
+  };
+
+}

modules/nixos/services/jellyfin.nix

@@ -1,3 +1,6 @@
+# Jellyfin is a self-hosted video streaming service. This means I can play my
+# server's videos from a webpage, mobile app, or TV client.
+
 { config, pkgs, lib, ... }: {
 
   config = lib.mkIf config.services.jellyfin.enable {
@@ -6,6 +9,7 @@
     users.users.jellyfin = { isSystemUser = true; };
 
     caddy.routes = [
+      # Prevent public access to Prometheus metrics.
       {
         match = [{
           host = [ config.hostnames.stream ];
@@ -16,6 +20,7 @@
           status_code = "403";
         }];
       }
+      # Allow access to normal route.
       {
         match = [{ host = [ config.hostnames.stream ]; }];
         handle = [{
@@ -47,6 +52,9 @@
     users.users.jellyfin.extraGroups =
       [ "render" "video" ]; # Access to /dev/dri
 
+    # Fix issue where Jellyfin-created directories don't allow access for media group
+    systemd.services.jellyfin.serviceConfig.UMask = lib.mkForce "0007";
+
     # Requires MetricsEnable is true in /var/lib/jellyfin/config/system.xml
     prometheus.scrapeTargets = [ "127.0.0.1:8096" ];
 

modules/nixos/services/keybase.nix

@@ -1,23 +1,23 @@
+# Keybase is an encrypted communications tool with a synchronized encrypted
+# filestore that can be mounted onto a machine's filesystem.
+
 { config, pkgs, lib, ... }: {
 
   options.keybase.enable = lib.mkEnableOption "Keybase.";
 
   config = lib.mkIf config.keybase.enable {
 
+    home-manager.users.${config.user} = lib.mkIf config.keybase.enable {
+
       services.keybase.enable = true;
       services.kbfs = {
         enable = true;
-      # enableRedirector = true;
-      mountPoint = "/run/user/1000/keybase/kbfs";
-    };
-    security.wrappers.keybase-redirector = {
-      setuid = true;
-      owner = "root";
-      group = "root";
-      source = "${pkgs.kbfs}/bin/redirector";
+        mountPoint = "keybase";
       };
 
-    home-manager.users.${config.user} = {
+      # https://github.com/nix-community/home-manager/issues/4722
+      systemd.user.services.kbfs.Service.PrivateTmp = lib.mkForce false;
+
       home.packages = [ (lib.mkIf config.gui.enable pkgs.keybase-gui) ];
       home.file = let
         ignorePatterns = ''

modules/nixos/services/mullvad.nix

@@ -1,3 +1,5 @@
+# Mullvad is a VPN service. This isn't currently in use for me at the moment.
+
 { config, pkgs, lib, ... }: {
 
   options.mullvad.enable = lib.mkEnableOption "Mullvad VPN.";

modules/nixos/services/n8n.nix

@@ -1,3 +1,6 @@
+# n8n is an automation integration tool for connecting data from services
+# together with triggers.
+
 { config, lib, ... }: {
 
   options = {

modules/nixos/services/netdata.nix

@@ -1,3 +1,6 @@
+# Netdata is an out-of-the-box monitoring tool that exposes many different
+# metrics. Not currently in use, in favor of VictoriaMetrics and Grafana.
+
 { config, lib, ... }: {
 
   options.netdata.enable = lib.mkEnableOption "Netdata metrics.";

modules/nixos/services/nextcloud.nix

@@ -3,7 +3,7 @@
   config = lib.mkIf config.services.nextcloud.enable {
 
     services.nextcloud = {
-      package = pkgs.nextcloud27; # Required to specify
+      package = pkgs.nextcloud28; # Required to specify
       configureRedis = true;
       datadir = "/data/nextcloud";
       database.createLocally = true;
@@ -13,18 +13,26 @@
       config = {
         adminpassFile = config.secrets.nextcloud.dest;
         dbtype = "mysql";
-        extraTrustedDomains = [ config.hostnames.content ];
-        trustedProxies = [ "127.0.0.1" ];
       };
-      extraOptions = { default_phone_region = "US"; };
+      extraOptions = {
+        default_phone_region = "US";
+        # Allow access when hitting either of these hosts or IPs
+        trusted_domains = [ config.hostnames.content ];
+        trusted_proxies = [ "127.0.0.1" ];
+      };
       extraAppsEnable = true;
       extraApps = with config.services.nextcloud.package.packages.apps; {
         inherit calendar contacts;
+        # These apps are defined and pinned by overlay in flake.
         news = pkgs.nextcloudApps.news;
         external = pkgs.nextcloudApps.external;
         cookbook = pkgs.nextcloudApps.cookbook;
+        snappymail = pkgs.nextcloudApps.snappymail;
+      };
+      phpOptions = {
+        "opcache.interned_strings_buffer" = "16";
+        "output_buffering" = "0";
       };
-      phpOptions = { "opcache.interned_strings_buffer" = "16"; };
     };
 
     # Don't let Nginx use main ports (using Caddy instead)
@@ -47,7 +55,10 @@
             handle = [
               {
                 handler = "vars";
-                root = config.services.nextcloud.package;
+                # Grab the webroot out of the written config
+                # The webroot is a symlinked combined Nextcloud directory
+                root =
+                  config.services.nginx.virtualHosts.${config.services.nextcloud.hostName}.root;
               }
               {
                 handler = "headers";
@@ -56,13 +67,6 @@
               }
             ];
           }
-          {
-            match = [{ path = [ "/nix-apps*" "/store-apps*" ]; }];
-            handle = [{
-              handler = "vars";
-              root = config.services.nextcloud.home;
-            }];
-          }
           # Reroute carddav and caldav traffic
           {
             match =

modules/nixos/services/paperless.nix

@@ -0,0 +1,71 @@
+# Paperless-ngx is a document scanning and management solution.
+
+{ config, lib, ... }: {
+
+  config = lib.mkIf config.services.paperless.enable {
+
+    services.paperless = {
+      mediaDir = "/data/generic/paperless";
+      passwordFile = config.secrets.paperless.dest;
+      settings = {
+        PAPERLESS_OCR_USER_ARGS =
+          builtins.toJSON { invalidate_digital_signatures = true; };
+
+        # Enable if changing the path name in Caddy
+        # PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
+        # PAPERLESS_STATIC_URL = "/paperless/static/";
+      };
+    };
+
+    # Allow Nextcloud and user to see files
+    users.users.nextcloud.extraGroups =
+      lib.mkIf config.services.nextcloud.enable [ "paperless" ];
+    users.users.${config.user}.extraGroups = [ "paperless" ];
+
+    caddy.routes = [{
+      match = [{
+        host = [ config.hostnames.paperless ];
+        # path = [ "/paperless*" ]; # Change path name in Caddy
+      }];
+      handle = [{
+        handler = "reverse_proxy";
+        upstreams = [{
+          dial =
+            "localhost:${builtins.toString config.services.paperless.port}";
+        }];
+      }];
+    }];
+
+    secrets.paperless = {
+      source = ../../../private/prometheus.age;
+      dest = "${config.secretsDirectory}/paperless";
+      owner = "paperless";
+      group = "paperless";
+      permissions = "0440";
+    };
+    systemd.services.paperless-secret = {
+      requiredBy = [ "paperless.service" ];
+      before = [ "paperless.service" ];
+    };
+
+    # Fix permissions on a regular schedule
+    systemd.timers.paperless-permissions = {
+      timerConfig = {
+        OnCalendar = "*-*-* *:0/5"; # Every 5 minutes
+        Unit = "paperless-permissions.service";
+      };
+      wantedBy = [ "timers.target" ];
+    };
+
+    # Fix paperless shared permissions
+    systemd.services.paperless-permissions = {
+      description = "Allow group access to paperless files";
+      serviceConfig = { Type = "oneshot"; };
+      script = ''
+        find ${config.services.paperless.mediaDir} -type f -exec chmod 640 -- {} +
+      '';
+    };
+
+  };
+
+}

modules/nixos/services/postgresql.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }: {
+
+  services.postgresql = {
+    package = pkgs.postgresql_15;
+    settings = { };
+    identMap = "";
+    ensureUsers = [{
+      name = config.user;
+      ensureClauses = {
+        createdb = true;
+        createrole = true;
+        login = true;
+      };
+    }];
+  };
+
+  home-manager.users.${config.user}.home.packages =
+    lib.mkIf config.services.postgresql.enable [
+      pkgs.pgcli # Postgres client with autocomplete
+    ];
+
+}

modules/nixos/services/prometheus.nix

@@ -1,3 +1,9 @@
+# Prometheus is a timeseries database that exposes system and service metrics
+# for use in visualizing, monitoring, and alerting (with Grafana).
+
+# Instead of running traditional Prometheus, I generally run VictoriaMetrics as
+# a more efficient drop-in replacement.
+
 { config, pkgs, lib, ... }: {
 
   options.prometheus = {

modules/nixos/services/samba.nix

@@ -1,3 +1,5 @@
+# Samba is a Windows-compatible file-sharing service.
+
 { config, lib, ... }: {
 
   config = {

modules/nixos/services/sshd.nix

@@ -1,4 +1,6 @@
-{ config, lib, ... }: {
+# SSHD service for allowing SSH access to my machines.
+
+{ config, pkgs, lib, ... }: {
 
   options = {
     publicKey = lib.mkOption {
@@ -32,7 +34,10 @@
     services.sshguard.enable = true;
 
     # Add terminfo for SSH from popular terminal emulators
-    environment.enableAllTerminfo = true;
+    # Fix: terminfo now installs contour, which is broken on ARM
+    # - https://github.com/NixOS/nixpkgs/pull/253334
+    # - Will disable until fixed
+    environment.enableAllTerminfo = pkgs.stdenv.isLinux && pkgs.stdenv.isx86_64;
   };
 
 }

modules/nixos/services/transmission.nix

@@ -1,3 +1,6 @@
+# Transmission is a bittorrent client, which can run in the background for
+# automated downloads with a web GUI.
+
 { config, pkgs, lib, ... }: {
 
   options = {

modules/nixos/services/vaultwarden.nix

@@ -1,3 +1,7 @@
+# Vaultwarden is an implementation of the Bitwarden password manager backend
+# service, which allows for self-hosting the synchronization of a Bitwarden
+# password manager client.
+
 { config, pkgs, lib, ... }:
 
 let vaultwardenPath = "/var/lib/bitwarden_rs"; # Default service directory

modules/nixos/services/victoriametrics.nix

@@ -1,3 +1,6 @@
+# VictoriaMetrics is a more efficient drop-in replacement for Prometheus and
+# InfluxDB (timeseries databases built for monitoring system metrics).
+
 { config, pkgs, lib, ... }:
 
 let

modules/nixos/services/wireguard.nix

@@ -1,3 +1,6 @@
+# Wireguard is a VPN protocol that can be setup to create a mesh network
+# between machines on different LANs. This is currently not in use in my setup.
+
 { config, pkgs, lib, ... }: {
 
   options.wireguard.enable = lib.mkEnableOption "Wireguard VPN setup.";

modules/nixos/system/doas.nix

@@ -26,9 +26,14 @@
       };
     };
 
+    home-manager.users.${config.user}.programs = {
+
       # Alias sudo to doas for convenience
-    home-manager.users.${config.user}.programs.fish.shellAliases = {
-      sudo = "doas";
+      fish.shellAliases = { sudo = "doas"; };
+
+      # Disable overriding our sudo alias with a TERMINFO alias
+      kitty.settings.shell_integration = "no-sudo";
+
     };
 
   };

overlays/age.nix

@@ -0,0 +1,9 @@
+# Pin age because it is failing to build
+# https://github.com/NixOS/nixpkgs/pull/265753
+
+inputs: _final: prev: {
+  age = prev.age.overrideAttrs (old: {
+    src = inputs.age;
+    doCheck = false; # https://github.com/FiloSottile/age/issues/517
+  });
+}

overlays/bypass-paywalls-clean.nix

@@ -0,0 +1,20 @@
+inputs: _final: prev: {
+
+  # Based on:
+  # https://git.sr.ht/~rycee/nur-expressions/tree/master/item/pkgs/firefox-addons/default.nix#L34
+
+  bypass-paywalls-clean = let addonId = "magnolia@12.34";
+  in prev.stdenv.mkDerivation rec {
+    pname = "bypass-paywalls-clean";
+    version = "3.4.9.0";
+    src = inputs.bypass-paywalls-clean + "/bypass_paywalls_clean-latest.xpi";
+    preferLocalBuild = true;
+    allowSubstitutes = true;
+    buildCommand = ''
+      dst="$out/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"
+      mkdir -p "$dst"
+      install -v -m644 "${src}" "$dst/${addonId}.xpi"
+    '';
+  };
+
+}

overlays/caddy.nix

@@ -22,7 +22,7 @@ let
   '';
 
 in {
-  caddy-cloudflare = prev.buildGo118Module {
+  caddy-cloudflare = prev.buildGo120Module {
     pname = "caddy-cloudflare";
     version = prev.caddy.version;
     runVend = true;
@@ -31,7 +31,7 @@ in {
 
     src = prev.caddy.src;
 
-    vendorSha256 = "sha256:CrHqJcJ0knX+txQ5qvzW4JrU8vfi3FO3M/xtislIC1M=";
+    vendorHash = "sha256:pr2MI2Nv9y357lCEEh6aNdmD9FiCaJIkRfHaoWgdQIE=";
 
     overrideModAttrs = (_: {
       preBuild = ''

overlays/calibre-web-cloudflare.patch

@@ -1,8 +1,8 @@
 diff --git a/cps/__init__.py b/cps/__init__.py
-index 269e4aca..e2b828a9 100644
+index f4f8dbf2..7377acdf 100644
 --- a/cps/__init__.py
 +++ b/cps/__init__.py
-@@ -150,7 +150,6 @@ def create_app():
+@@ -151,7 +151,6 @@ def create_app():
  
      lm.login_view = 'web.login'
      lm.anonymous_user = ub.Anonymous
@@ -11,15 +11,17 @@ index 269e4aca..e2b828a9 100644
      db.CalibreDB.update_config(config)
      db.CalibreDB.setup_db(config.config_calibre_dir, cli_param.settings_path)
 diff --git a/cps/admin.py b/cps/admin.py
-index 20c58aac..99d2ad19 100644
+index 045a9523..825a28af 100644
 --- a/cps/admin.py
 +++ b/cps/admin.py
-@@ -101,8 +101,6 @@ def admin_required(f):
+@@ -102,10 +102,6 @@ def admin_required(f):
  
  @admi.before_app_request
  def before_request():
--    if not ub.check_user_session(current_user.id, flask_session.get('_id')) and 'opds' not in request.path:
+-    if not ub.check_user_session(current_user.id,
+-                                 flask_session.get('_id')) and 'opds' not in request.path \
+-      and config.config_session == 1:
 -        logout_user()
      g.constants = constants
-     g.google_site_verification = os.getenv('GOOGLE_SITE_VERIFICATION','')
+     g.google_site_verification = os.getenv('GOOGLE_SITE_VERIFICATION', '')
      g.allow_registration = config.config_public_reg

overlays/gh-collaborators.nix

@@ -0,0 +1,25 @@
+_final: prev: {
+
+  gh-collaborators = prev.buildGo120Module rec {
+    pname = "gh-collaborators";
+    version = "2.0.2";
+
+    src = prev.fetchFromGitHub {
+      owner = "katiem0";
+      repo = "gh-collaborators";
+      rev = version;
+      sha256 = "sha256-sz5LHkwZ28aA2vbMnFMzAlyGiJBDZm7jwDQYxgKBPLU=";
+    };
+
+    vendorHash = "sha256-rsRDOgJBa8T6+bC/APcmuRmg6ykbIp9pwRnJ9rrfHEs=";
+
+    ldflags = [
+      "-s"
+      "-w"
+      "-X github.com/katiem0/gh-collaborators/cmd.Version=${version}"
+      # "-X main.Version=${version}"
+    ];
+
+  };
+
+}

overlays/neovim-plugins.nix

@@ -9,7 +9,7 @@ let
 
   # Package plugin - for plugins not found in nixpkgs at all
   plugin = pname: src:
-    prev.vimUtils.buildVimPluginFrom2Nix {
+    prev.vimUtils.buildVimPlugin {
       inherit pname src;
       version = "master";
     };
@@ -17,8 +17,6 @@ let
 in {
 
   nil = inputs.nil.packages.${prev.system}.nil;
-  vscode-terraform-snippets = inputs.vscode-terraform-snippets;
-
   nvim-lspconfig = withSrc prev.vimPlugins.nvim-lspconfig inputs.nvim-lspconfig;
   cmp-nvim-lsp = withSrc prev.vimPlugins.cmp-nvim-lsp inputs.cmp-nvim-lsp;
   null-ls-nvim = withSrc prev.vimPlugins.null-ls-nvim inputs.null-ls-nvim;
@@ -33,6 +31,7 @@ in {
   bufferline-nvim =
     withSrc prev.vimPlugins.bufferline-nvim inputs.bufferline-nvim;
   nvim-tree-lua = withSrc prev.vimPlugins.nvim-tree-lua inputs.nvim-tree-lua;
+  fidget-nvim = withSrc prev.vimPlugins.fidget-nvim inputs.fidget-nvim;
 
   # Packaging plugins entirely with Nix
   baleia-nvim = plugin "baleia-nvim" inputs.baleia-nvim-src;

overlays/nextcloud-apps.nix

@@ -4,14 +4,22 @@ inputs: _final: prev: {
     news = prev.fetchNextcloudApp {
       url = inputs.nextcloud-news.outPath;
       sha256 = inputs.nextcloud-news.narHash;
+      license = "agpl3Plus";
     };
     external = prev.fetchNextcloudApp {
       url = inputs.nextcloud-external.outPath;
       sha256 = inputs.nextcloud-external.narHash;
+      license = "agpl3Plus";
     };
     cookbook = prev.fetchNextcloudApp {
       url = inputs.nextcloud-cookbook.outPath;
       sha256 = inputs.nextcloud-cookbook.narHash;
+      license = "agpl3Plus";
+    };
+    snappymail = prev.fetchNextcloudApp {
+      url = inputs.nextcloud-snappymail.outPath;
+      sha256 = inputs.nextcloud-snappymail.narHash;
+      license = "agpl3Plus";
     };
   };
 

overlays/proton-ge.nix

@@ -0,0 +1,15 @@
+# Adapted from:
+# https://github.com/Shawn8901/nix-configuration/blob/182a45a6b193143ff7ff8e78bb66f7b869ea48d4/packages/proton-ge-custom/default.nix
+# Based on: https://github.com/NixOS/nixpkgs/issues/73323
+
+inputs: _final: prev: {
+  proton-ge-custom = prev.stdenv.mkDerivation (finalAttrs: rec {
+    name = "proton-ge-custom";
+    version = "0.1"; # Made up
+    src = inputs.proton-ge;
+    installPhase = ''
+      mkdir -p $out/bin
+      cp -r ${src}/* -t $out/bin/
+    '';
+  });
+}

overlays/terraform.nix

@@ -0,0 +1,12 @@
+# Fix for Terraform and Consul on Darwin:
+# https://github.com/NixOS/nixpkgs/pull/275534/files
+_final: prev: {
+  girara = prev.girara.overrideAttrs (old: {
+    mesonFlags = [
+      "-Ddocs=disabled"
+      (prev.lib.mesonEnable "tests"
+        ((prev.stdenv.buildPlatform.canExecute prev.stdenv.hostPlatform)
+          && (!prev.stdenv.isDarwin)))
+    ];
+  });
+}