chore: allow lazygit to use some gpg features

flake.lock

@@ -52,11 +52,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740485968,
+        "lastModified": 1741786315,
-        "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
+        "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
+        "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
         "type": "github"
       },
       "original": {
@@ -88,11 +88,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740872218,
+        "lastModified": 1741352980,
-        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1736143030,
+        "lastModified": 1740872218,
-        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
+        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
+        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
         "type": "github"
       },
       "original": {
@@ -163,11 +163,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740199244,
+        "lastModified": 1742070442,
-        "narHash": "sha256-BiNUbNWLcG8AuKiAZmJ8tS+fr+JO8vGwB7QQ54cezKk=",
+        "narHash": "sha256-xPDSLswRazXLlceqc2+VdbKKG2m/OXCjTzU9O/Bs4ZQ=",
         "owner": "feel-co",
         "repo": "hjem",
-        "rev": "829109220c14352990bee4cf092f4918f45fb6a1",
+        "rev": "ae49a5a2e013c710d2b2cf046ae365d08eae75b3",
         "type": "github"
       },
       "original": {
@@ -206,11 +206,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740845322,
+        "lastModified": 1741955947,
-        "narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
+        "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
+        "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4",
         "type": "github"
       },
       "original": {
@@ -221,11 +221,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1740646007,
+        "lastModified": 1741792691,
-        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
+        "narHash": "sha256-f0BVt1/cvA0DQ/q3rB+HY4g4tKksd03ZkzI4xehC2Ew=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
+        "rev": "e1f12151258b12c567f456d8248e4694e9390613",
         "type": "github"
       },
       "original": {
@@ -253,23 +253,23 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1735774519,
+        "lastModified": 1740872140,
-        "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
+        "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1740828860,
+        "lastModified": 1742069588,
-        "narHash": "sha256-cjbHI+zUzK5CPsQZqMhE3npTyYFt9tJ3+ohcfaOF/WM=",
+        "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "303bd8071377433a2d8f76e684ec773d70c5b642",
+        "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
         "type": "github"
       },
       "original": {
@@ -281,11 +281,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1738297584,
+        "lastModified": 1741462378,
-        "narHash": "sha256-AYvaFBzt8dU0fcSK2jKD0Vg23K2eIRxfsVXIPCW9a0E=",
+        "narHash": "sha256-ZF3YOjq+vTcH51S+qWa1oGA9FgmdJ67nTNPG2OIlXDc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9189ac18287c599860e878e905da550aa6dec1cd",
+        "rev": "2d9e4457f8e83120c9fdf6f1707ed0bc603e5ac9",
         "type": "github"
       },
       "original": {
@@ -295,6 +295,21 @@
         "type": "github"
       }
     },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1741851582,
+        "narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "6607cf789e541e7873d40d3a8f7815ea92204f32",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
     "nur": {
       "inputs": {
         "flake-parts": "flake-parts_2",
@@ -304,11 +319,11 @@
         "quasigod": "quasigod"
       },
       "locked": {
-        "lastModified": 1738585852,
+        "lastModified": 1741801623,
-        "narHash": "sha256-Z+cDls2k+57lAFU+/EwRcjutgCI2iRMRpGlXHMkVcz8=",
+        "narHash": "sha256-U3pD4UFNMFwm1hDQeKa4H+lgVy+RoX/XbbphUROXHEo=",
         "ref": "refs/heads/master",
-        "rev": "60d71b8a446906db16b33bc3081507d077d39b6c",
+        "rev": "e25a92424c4b0d095d7cdf63eb9ae2b276c84a51",
-        "revCount": 5,
+        "revCount": 6,
         "type": "git",
         "url": "https://git.ccnlc.eu/nydragon/nur.git"
       },
@@ -325,11 +340,11 @@
         "quickshell": "quickshell"
       },
       "locked": {
-        "lastModified": 1739209080,
+        "lastModified": 1742061478,
-        "narHash": "sha256-s1SVaFQ7GSJalxIhVN7aDS7rMcMJ1AUQfjRMYho5yuM=",
+        "narHash": "sha256-zfqsTAU4l17jjtTFibe2MmLlqMcMuhk5iaHN55vb9RU=",
         "ref": "refs/heads/main",
-        "rev": "2ca83819872d82fa0ee8dbfccfbfcf3480c279f1",
+        "rev": "693a785140b5202d51cee0c883c73dba8b2561b3",
-        "revCount": 107,
+        "revCount": 108,
         "type": "git",
         "url": "https://git.ccnlc.eu/nydragon/nysh.git"
       },
@@ -344,11 +359,11 @@
         "snowfall-lib": "snowfall-lib"
       },
       "locked": {
-        "lastModified": 1738444760,
+        "lastModified": 1741620435,
-        "narHash": "sha256-MbAyUUHtiByivJLDKLO5fu3goxeHxQHQxqCzhAZ3F14=",
+        "narHash": "sha256-DUbAVfzso8WoqNQPkuIykv8be0z5d6OMY+kbtCn9A6Q=",
         "ref": "refs/heads/main",
-        "rev": "a1db39ff40250211485a98853c6d71ac42d79026",
+        "rev": "148b55beaeacb7ffef5ae6ccaf1543aed02cc843",
-        "revCount": 16,
+        "revCount": 20,
         "type": "git",
         "url": "https://codeberg.org/quasigod/nur.git"
       },
@@ -359,10 +374,7 @@
     },
     "quickshell": {
       "inputs": {
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs_4"
-          "nysh",
-          "nixpkgs"
-        ]
       },
       "locked": {
         "lastModified": 1738200090,

home/default.nix

@@ -1,6 +1,7 @@
 # This file contains default settings used across different systems
 {
   imports = [
+    ./themes/catppuccin.nix
     ./graphical
     ./terminal
     ./desktop

home/graphical/vscode/default.nix

@@ -12,23 +12,18 @@ in
   config = mkIf cfg.enable {
     programs.vscode = {
       package = pkgs.vscode;
-      enableUpdateCheck = false;
+      profiles.default = {
-      extensions = with pkgs.vscode-extensions; [
+        enableUpdateCheck = false;
-        rust-lang.rust-analyzer
+        extensions = with pkgs.vscode-extensions; [
-        ms-vscode-remote.remote-ssh
+          rust-lang.rust-analyzer
-        ms-vscode-remote.remote-ssh-edit
+          ms-vscode-remote.remote-ssh
-        tamasfe.even-better-toml
+          ms-vscode-remote.remote-ssh-edit
-      ];
+          tamasfe.even-better-toml
-      userSettings = {
+        ];
-        editor.formatOnSave = true;
+        userSettings = {
-        terminal.integrated.inheritEnv = false;
+          editor.formatOnSave = true;
-        git.autofetch = true;
+          terminal.integrated.inheritEnv = false;
-        remote.SSH = {
+          git.autofetch = true;
-          connectTimeout = 60;
-          useLocalServer = true;
-          remotePlatform = {
-            "192.168.122.152" = "linux";
-          };
         };
       };
     };

home/hyprland/default.nix

@@ -8,6 +8,9 @@
 let
   inherit (lib) mapAttrsToList mkIf hasAttr;
   inherit (lib.my) getExe getExe';
+
+  roles = osConfig.modules.system.roles;
+  desktop = osConfig.modules.system.roles.desktop;
 in
 mkIf osConfig.programs.hyprland.enable {
   home.sessionVariables.ELECTRON_OZONE_PLATFORM_HINT = "auto";
@@ -33,7 +36,7 @@ mkIf osConfig.programs.hyprland.enable {
 
       exec-once = [
         "${config.services.kdeconnect.package}/bin/kdeconnect-indicator"
-        "${pkgs.keepassxc}/bin/keepassxc"
+        "${getExe' pkgs.gnome-keyring "gnome-keyring-daemon"}"
       ];
 
       general = {
@@ -72,7 +75,7 @@ mkIf osConfig.programs.hyprland.enable {
         inactive_opacity = 1.0;
 
         shadow = {
-          enabled = true;
+          enabled = roles.portable.enable;
           range = 4;
           render_power = 3;
           color = "rgba(1a1a1aee)";
@@ -80,7 +83,7 @@ mkIf osConfig.programs.hyprland.enable {
 
         # https://wiki.hyprland.org/Configuring/Variables/#blur
         blur = {
-          enabled = true;
+          enabled = roles.portable.enable;
           size = 3;
           passes = 1;
 
@@ -149,6 +152,7 @@ mkIf osConfig.programs.hyprland.enable {
         key_press_enables_dpms = true;
         mouse_move_enables_dpms = true;
         disable_autoreload = true;
+        vfr = true;
       };
 
       bindm = [ "$mod,mouse:272,movewindow" ];
@@ -156,6 +160,7 @@ mkIf osConfig.programs.hyprland.enable {
       bind =
         let
           copy = getExe' pkgs.wl-clipboard "wl-copy";
+          cliphist = getExe pkgs.cliphist;
         in
         [
           "$mod, D, exec, ${getExe osConfig.modules.system.roles.desktop.runner.package}"
@@ -164,7 +169,7 @@ mkIf osConfig.programs.hyprland.enable {
           "$mod SHIFT, Q, killactive,"
           "$mod, V, togglefloating"
           "$mod SHIFT, P, exec, ${getExe pkgs.scripts.powerMenu}"
-          "$mod, P, exec, ${getExe pkgs.cliphist} wipe & ${getExe pkgs.hyprlock}"
+          "$mod, P, exec, ${cliphist} wipe & ${getExe pkgs.hyprlock}"
           "$mod SHIFT, C, exec, hyprctl reload"
           "$mod SHIFT, space, togglefloating"
           "$mod, left, movefocus, l"
@@ -173,13 +178,13 @@ mkIf osConfig.programs.hyprland.enable {
           "$mod, down, movefocus, d"
 
           # Example special workspace (scratchpad)
-          "$mod, S, togglespecialworkspace, magic"
+          "$mod, W, togglespecialworkspace, magic"
-          "$mod SHIFT, S, movetoworkspace, special:magic"
+          "$mod SHIFT, W, movetoworkspace, special:magic"
           "$mod, X, fullscreen, 1"
           "$mod, F, fullscreen, 0"
-          "$mod, N, exec, ${pkgs.swaynotificationcenter}/bin/swaync-client -t"
           "$mod, U, exec, ${pkgs.hyprshot}/bin/hyprshot -o ${config.xdg.userDirs.pictures}/screenshots -m region"
           "$mod SHIFT, U, exec, ${pkgs.hyprshot}/bin/hyprshot --raw -m region | ${getExe pkgs.satty} -f - --fullscreen  --copy-command ${copy}"
+          "$mod, S, exec, ${cliphist} list | ${desktop.runner.dmenu}  | ${cliphist} decode |  ${copy}"
 
           #: Brightness and Media {{{
           ",XF86MonBrightnessUp, exec, ${pkgs.brightnessctl}/bin/brightnessctl s +10%"

home/terminal/git/default.nix

@@ -16,7 +16,7 @@
         editor = "${pkgs.neovim}/bin/nvim";
       };
       init = {
-        defaultBranch = "master";
+        defaultBranch = "main";
       };
       merge = {
         conflictstyle = "diff3";

home/terminal/ssh/default.nix

@@ -10,7 +10,7 @@ let
 in
 mkIf config.programs.ssh.enable {
   programs.ssh = {
-    addKeysToAgent = "confirm";
+    addKeysToAgent = "yes";
     matchBlocks = {
       deck = {
         hostname = "steamdeck";

hosts/brontes/default.nix

@@ -43,6 +43,7 @@ in
   };
 
   modules = {
+    fs.nfsEnable = true;
     system = {
       roles = {
         desktop.enable = true;
@@ -106,7 +107,6 @@ in
     fish.enable = true;
     firefox.enable = true;
     thunderbird.enable = true;
-    sway.enable = true;
     hyprland.enable = true;
   };
 
@@ -118,7 +118,6 @@ in
       isNormalUser = true;
       createHome = true;
       packages = with pkgs; [
-        prismlauncher
         orca-slicer
       ];
       extraGroups = [
@@ -138,18 +137,6 @@ in
     enableSSHSupport = true;
   };
 
-  environment.systemPackages = with pkgs; [
-    fish
-    wireguard-tools
-    git
-    htop
-    eza
-    bat
-    nfs-utils
-  ];
-
-  services.rpcbind.enable = true; # necessary for nfs
-
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   nix.settings.extra-platforms = config.boot.binfmt.emulatedSystems;
 

hosts/brontes/home.nix

@@ -14,7 +14,6 @@ in
 
   home-manager.users.${username} = {
     imports = [
-      ../../home/themes/catppuccin.nix
       ../../home
     ];
 

hosts/marr/default.nix

@@ -2,13 +2,16 @@
 {
   pkgs,
   inputs,
+  config,
   ...
 }:
+let
+  inherit (config.modules.meta) username;
+in
 {
   imports = [
     ./hardware-configuration.nix
     ./home.nix
-    ./ny.nix
     ../../users/ny
   ];
 
@@ -21,6 +24,7 @@
     system = {
       roles = {
         desktop.enable = true;
+        portable.enable = true;
       };
 
       outputs = {
@@ -61,8 +65,6 @@
     };
   };
 
-  hardware.graphics.enable = true;
-
   xdg = {
     portal.enable = true;
     mime.enable = true;
@@ -89,11 +91,12 @@
     firefox.enable = true;
     thunderbird.enable = true;
     hyprland.enable = true;
-    pulseview.enable = true;
     gnupg.agent = {
       enable = true;
       enableSSHSupport = true;
+      enableExtraSocket = true;
     };
+    seahorse.enable = true;
   };
 
   hardware.sane = {
@@ -122,9 +125,9 @@
       powerKey = "hibernate";
     };
 
-    thermald.enable = true;
+    #thermald.enable = true;
 
-    auto-cpufreq.enable = true;
+    #auto-cpufreq.enable = true;
 
     upower = {
       enable = true;
@@ -137,6 +140,19 @@
 
   users = {
     defaultUserShell = pkgs.fish;
+    users.${username} = {
+      isNormalUser = true;
+      createHome = true;
+      packages = with pkgs; [
+        simple-scan
+        beekeeper-studio
+      ];
+      extraGroups = [
+        "networkmanager"
+        "audio"
+        "libvirtd" # VM OPs
+      ];
+    };
   };
 
   environment.variables = {
@@ -150,6 +166,7 @@
     libvirtd.enable = true;
     docker = {
       enable = true;
+      extraPackages = [ pkgs.docker-credential-helpers ];
       rootless = {
         enable = true;
         setSocketVariable = true;
@@ -159,13 +176,7 @@
 
   programs.virt-manager.enable = true;
 
-  programs.nix-ld.enable = true;
-
   environment.systemPackages = with pkgs; [
-    shared-mime-info
-    glib
-    dconf
-    xdg-utils
     brightnessctl
   ];
 

hosts/marr/home.nix

@@ -14,7 +14,6 @@ in
 
   home-manager.users.${username} = {
     imports = [
-      ../../home/themes/vanilla.nix
       ../../home
     ];
 

hosts/marr/ny.nix

@@ -1,71 +0,0 @@
-{
-  pkgs,
-  config,
-  inputs',
-  ...
-}:
-let
-  inherit (config.modules.meta) username;
-in
-{
-  config = {
-    users.users.${username} = {
-      packages =
-        [
-          inputs'.nur.packages.grayjay-desktop
-        ]
-        ++ (with pkgs; [
-          digikam
-          fragments
-          element-desktop
-          loupe
-          seahorse
-          gimp
-          thunderbird
-          keepassxc
-          protonmail-bridge-gui
-          varia
-          signal-desktop
-          onlyoffice-desktopeditors
-          picard
-          simple-scan
-          insomnia
-          beekeeper-studio
-
-          # Proprietary
-          postman
-          mongodb-compass
-          obsidian
-
-          # CLI tools
-          jhead
-          fdupes
-          exiftool
-          sshfs
-          lazygit
-          wl-clipboard
-
-          # custom
-          nysh
-          scripts.screenshot
-          scripts.nixedit
-          scripts.set-background
-          scripts.rpaste
-          scripts.nrun
-          scripts.nruni
-          scripts.genswitch
-          scripts.gentest
-          scripts.editsym
-          scripts.deployswitch
-          scripts.deploytest
-        ]);
-      isNormalUser = true;
-      createHome = true;
-      extraGroups = [
-        "networkmanager"
-        "audio"
-        "libvirtd"
-      ];
-    };
-  };
-}

hosts/nihilus/default.nix

@@ -4,6 +4,10 @@
   ];
 
   modules = {
+    meta = {
+      tailscale.ip = "100.64.0.6";
+    };
+
     services.tailscale = {
       enable = true;
       tags = [
@@ -15,7 +19,6 @@
     server = {
       rsync-daemon = {
         enable = true;
-        port = 9523;
         openFirewall = true;
         location = "/mnt/backups";
         address = "100.64.0.6";
@@ -31,8 +34,8 @@
             mode = "write";
           }
           {
-            name = "brontes-backup";
+            name = "shan";
-            comment = "brontes's backup space";
+            comment = "backups for shan";
             mode = "write";
           }
           {
@@ -65,6 +68,8 @@
     };
   };
 
+  security.polkit.enable = true;
+
   services.prometheus.exporters.node = {
     enable = true;
     port = 9000;

hosts/raptus/default.nix

@@ -26,6 +26,10 @@ in
       group = "rustypaste";
     };
     forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age;
+    acme = {
+      owner = if config.security.acme.useRoot then "root" else "acme";
+      file = ../../secrets/acme.age;
+    };
   };
 
   boot.loader.grub = {
@@ -33,6 +37,8 @@ in
     efiInstallAsRemovable = true;
   };
 
+  virtualisation.docker.enable = true;
+
   modules = {
     server.rustypaste = {
       enable = true;
@@ -93,8 +99,12 @@ in
     polkit.enable = true;
 
     acme = {
-      defaults.email = "admin@ccnlc.eu";
       acceptTerms = true;
+      defaults = {
+        email = "contact@ccnlc.eu";
+        dnsProvider = "ovh";
+        environmentFile = config.age.secrets.acme.path;
+      };
     };
   };
 

hosts/raptus/forgejo/default.nix

@@ -4,10 +4,6 @@ let
   sshPort = 2222;
 in
 {
-  imports = [
-    ./runner.nix
-  ];
-
   systemd.tmpfiles.rules =
     let
       # Disallow crawlers from indexing this site.
@@ -56,6 +52,8 @@ in
       migrations.ALLOWED_DOMAINS = "*";
       service = {
         DISABLE_REGISTRATION = true;
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+        #REQUIRE_SIGNIN_VIEW = true;
       };
       packages.ENABLED = false;
       log.LEVEL = "Info";

hosts/raptus/forgejo/runner.nix

@@ -12,6 +12,8 @@ let
 in
 {
   config = mkIf cfg.enable {
+    virtualisation.docker.autoPrune.enable = true;
+
     services.gitea-actions-runner = {
       package = pkgs.forgejo-runner;
 

hosts/raptus/headscale/acls.nix

@@ -16,6 +16,7 @@ let
   };
 
   shanMeta = self.nixosConfigurations.shan.config.modules.meta;
+  nihilusCfg = self.nixosConfigurations.nihilus.config;
   homeAIp = "100.64.0.9";
 in
 {
@@ -36,7 +37,9 @@ in
             "tag:client"
             "tag:server"
           ]
-          [ "tag:backup:${toString options.modules.server.rsync-daemon.port.default}" ]
+          [
+            "${nihilusCfg.modules.meta.tailscale.ip}:${toString nihilusCfg.modules.server.rsync-daemon.port}"
+          ]
         )
 
         (mkAcl
@@ -67,7 +70,6 @@ in
       tags = [
         "tag:client"
         "tag:server"
-        "tag:backup"
         "tag:guest"
       ];
 
@@ -77,7 +79,6 @@ in
           tags = map (name: "tag:${name}") [
             "server"
             "client"
-            "backup"
           ];
         in
         lib.genAttrs tags (_: users);

hosts/shan/calibre-web.nix

@@ -4,9 +4,15 @@
       enable = true;
       options = {
         enableBookUploading = true;
+        calibreLibrary = "/mnt/books";
       };
     };
 
+    systemd.services.calibre-web = {
+      after = [ "mnt-books.mount" ];
+      requires = [ "mnt-books.mount" ];
+    };
+
     fileSystems."/mnt/books" = {
       device = "192.168.178.21:/mnt/Fort/data/books";
       fsType = "nfs";

hosts/shan/default.nix

@@ -27,6 +27,10 @@
       file = ../../secrets/freshrss-default-password.age;
       owner = config.services.freshrss.user;
     };
+    acme = {
+      owner = if config.security.acme.useRoot then "root" else "acme";
+      file = ../../secrets/acme.age;
+    };
   };
 
   boot.loader.grub = {
@@ -85,6 +89,21 @@
       rsync-backup = {
         enable = true;
         modules = [
+          {
+            sources = [
+              "/var/lib/paperless"
+              "/var/lib/radicale"
+              "/var/lib/navidrome"
+              "/var/lib/immich"
+              "/var/lib/freshrss"
+            ];
+            target = {
+              location = "shan";
+              type = "rsyncd";
+              host = "nihilus";
+            };
+            incremental.enable = true;
+          }
           {
             sources = [ "/var/lib/paperless" ];
             target = {
@@ -139,34 +158,40 @@
             };
             incremental.enable = true;
           }
-
         ];
       };
     };
   };
-  security.acme = {
+  security = {
-    acceptTerms = true;
+    polkit.enable = true;
-    defaults = {
-      email = "contact@ccnlc.eu";
-      dnsProvider = "ovh";
-      environmentFile = "/run/secrets/ovh";
-    };
 
-    certs."ccnlc.eu" = {
+    acme = {
-      group = "nginx";
+      acceptTerms = true;
-      extraDomainNames = [ "*.ccnlc.eu" ];
+      defaults = {
+        email = "dns@ccnlc.eu";
+        dnsProvider = "ovh";
+        dnsResolver = "9.9.9.9"; # Necessary to avoid failing due to a local dns server
+        environmentFile = config.age.secrets.acme.path;
+      };
+
+      certs."ccnlc.eu" = {
+        group = "nginx";
+        extraDomainNames = [ "*.ccnlc.eu" ];
+      };
     };
   };
+
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-    clientMaxBodySize = "100M";
+    clientMaxBodySize = "0";
     virtualHosts =
       let
         mkVHLocal = mkVH "http://localhost";
         mkVH = domain: port: {
           forceSSL = true;
+          useACMEHost = "ccnlc.eu";
           locations."/" = {
             proxyPass = "${domain}:${toString port}";
             extraConfig = ''
@@ -177,7 +202,6 @@
               proxy_http_version 1.1;
             '';
           };
-          useACMEHost = "ccnlc.eu";
         };
       in
       {
@@ -194,6 +218,7 @@
         "truenas.ccnlc.eu" = mkVH "https://192.168.178.21" 443;
         "calibre.ccnlc.eu" = mkVHLocal config.services.calibre-web.listen.port;
         "prometheus.ccnlc.eu" = mkVHLocal config.services.prometheus.port;
+        "adguard.ccnlc.eu" = mkVHLocal config.services.adguardhome.port;
         "grafana.ccnlc.eu" = mkVHLocal config.services.grafana.settings.server.http_port;
         ${config.services.freshrss.virtualHost} = {
           forceSSL = true;

modules/env.nix

@@ -1,6 +1,7 @@
 { pkgs, inputs, ... }:
 {
   environment.sessionVariables = {
+    SSH_AUTH_SOCK = "/run/user/\${UID}/keyring/ssh";
     MANROFFOPT = "-c";
     MANPAGER = "sh -c 'col -bx | ${pkgs.bat}/bin/bat -l man -p'";
     WALLPAPERS = "${inputs.wallpapers}";

modules/portals.nix

@@ -7,10 +7,10 @@
 lib.mkIf config.xdg.portal.enable {
   xdg.portal = {
     config = {
-      sway = {
+      common = {
+        default = "*";
         "org.freedesktop.impl.portal.Screenshot.PickColor" = [ "${pkgs.hyprpicker}/bin/hyprpicker" ];
       };
-      common.default = "*";
     };
 
     # gtk portal needed to make gtk apps happy

modules/programs/firefox.nix

@@ -51,12 +51,6 @@ lib.mkIf config.programs.firefox.enable {
 
       "dom.security.https_only_mode" = true;
 
-      "cookiebanners.service.mode" = 1;
-      "cookiebanners.bannerClicking.enabled" = true;
-      "cookiebanners.cookieInjector.enabled" = true;
-      "cookiebanners.service.mode.privateBrowsing" = 2;
-      "cookiebanners.ui.desktop.enabled" = true;
-
       "browser.shell.checkDefaultBrowser" = false;
       #"privacy.clearOnShutdown.offlineApps" = true;
       "layout.spellcheckDefault" = 1;
@@ -99,9 +93,10 @@ lib.mkIf config.programs.firefox.enable {
         builtins.listToAttrs [
           (extension "ublock-origin" "uBlock0@raymondhill.net")
           (extension "firefox-translations" "firefox-translations-addon@mozilla.org")
-          (extension "private-relay" "private-relay@firefox.com")
           (extension "decentraleyes" "jid1-BoFifL9Vbdl2zQ@jetpack")
           (extension "keepassxc-browser" "keepassxc-browser@keepassxc.org")
+          (extension "simplelogin" "addon@simplelogin")
+
         ];
       FirefoxHome = {
         Search = true;

modules/programs/lazygit.nix

@@ -3,6 +3,9 @@
     enable = true;
     settings = {
       "notARepository" = "skip";
+      git = {
+        overrideGpg = true;
+      };
     };
   };
 }

modules/themes/default.nix

@@ -8,16 +8,14 @@
   config = lib.mkIf config.modules.system.roles.desktop.enable {
     qt = {
       enable = true;
-      platformTheme = "gtk2";
+      platformTheme = "gtk2"; # Follow gtk theme
-      #platformTheme = "qt5ct";
-      #style = "kvantum";
     };
 
     environment.systemPackages = with pkgs; [
-      #vimix-icon-theme
+      (catppuccin-papirus-folders.override {
-      #pop-icon-theme
+        accent = "lavender";
-      catppuccin-papirus-folders
+        flavor = "frappe";
-      #catppuccin-kvantum
+      })
     ];
   };
 }

options/server/navidrome.nix

@@ -76,6 +76,9 @@ in
     };
 
     systemd.services.navidrome = {
+      after = mkIf (cfg.library.type == "nfs") [ "mnt-music.mount" ];
+      requires = mkIf (cfg.library.type == "nfs") [ "mnt-music.mount" ];
+
       serviceConfig = {
         Restart = cfg.restartPolicy;
         EnvironmentFile = config.age.secrets.navidrome.path;

options/server/rsync-daemon/default.nix

@@ -26,7 +26,7 @@ in
       default = false;
       description = "Whether to open the firewall";
     };
-    port = mkPortOption 9523 "rsyncd";
+    port = mkPortOption 873 "rsyncd";
     address = mkOption {
       type = nonEmptyStr;
       default = "0.0.0.0";
@@ -80,6 +80,8 @@ in
 
     modules.fixes.services.rsyncd = {
       enable = true;
+      inherit (cfg) port;
+      socketActivated = true;
       settings = {
         globalSection = {
           inherit (cfg) port address;

options/services/cliphist.nix

@@ -40,5 +40,7 @@ in
 
       postStop = "${cfg.package}/bin/cliphist wipe";
     };
+
+    environment.systemPackages = [ cfg.package ];
   };
 }

options/services/nysh.nix

@@ -33,7 +33,6 @@ in
         Type = "simple";
         ExecStart = "/bin/sh -lc ${cfg.package}/bin/nysh";
         Restart = "on-failure";
-
         NoNewPrivileges = true;
       };
     };

options/services/rsync-backup/default.nix

@@ -135,6 +135,17 @@ in
           unitConfig = {
             Description = "Backs up files from a source location to a specified destination.";
           };
+
+          postStop = ''
+            if [ "$SERVICE_RESULT" != "success" ]; then
+                ${pkgs.curl}/bin/curl \
+                    -H "Priority: urgent" \
+                    -H "Title: Backup error" \
+                    -d "Backup '${cfg.unitName}-${slugify mod.target.location}' had unexpected behaviour: $SERVICE_RESULT" \
+                    https://ntfy.ccnlc.eu/rsync-backup
+            fi
+          '';
+
           serviceConfig = {
             Type = "simple";
             Restart = "on-failure";

options/services/tailscale.nix

@@ -18,6 +18,7 @@ let
     enum
     bool
     ;
+  inherit (lib.my) getExe;
   cfg = config.modules.services.tailscale;
 in
 {
@@ -86,14 +87,29 @@ in
       description = "tailscale system tray";
       wantedBy = [ "graphical-session.target" ];
       after = [ "graphical-session.target" ];
-      path = [ pkgs.polkit ];
+      path = with pkgs; [
+        polkit
+        tailscale
+      ];
       serviceConfig = {
         Type = "simple";
-        ExecStart = "/bin/sh -lc ${pkgs.tailscale-systray}/bin/tailscale-systray";
+        ExecStart = getExe pkgs.tail-tray;
         Restart = "on-failure";
         RestartSec = 1;
         TimeoutStopSec = 10;
         IPAddressDeny = "any";
+        NoNewPrivileges = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+        #  ProtectControlGroups = true;
+        #RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
       };
     };
   };

options/system/roles/default.nix

@@ -3,5 +3,6 @@
     ./terminal.nix
     ./desktop.nix
     ./gaming.nix
+    ./portable.nix
   ];
 }

options/system/roles/gaming.nix

@@ -12,6 +12,7 @@ in
 {
   options.modules.system.roles.gaming = {
     enable = mkEnableOption "gaming features";
+    minecraft.enable = mkEnableOption "minecraft";
   };
 
   config = mkIf cfg.enable {
@@ -32,6 +33,7 @@ in
     environment.systemPackages = with pkgs; [
       mangohud
       heroic
+      (mkIf cfg.minecraft.enable prismlauncher)
     ];
   };
 }

options/system/roles/portable.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+let
+  inherit (lib) mkEnableOption;
+in
+{
+  options.modules.system.roles.portable = {
+    enable = mkEnableOption "Laptop/Portable tweaks";
+  };
+}

options/system/roles/terminal.nix

@@ -38,6 +38,7 @@ in
         fd
         ripgrep
         jnv
+        jq
       ];
     };
   };

secrets/secrets.nix

@@ -24,4 +24,9 @@ in
     shan
     ny
   ];
+  "acme.age".publicKeys = [
+    shan
+    raptus
+    ny
+  ];
 }

users/ny/default.nix

@@ -22,16 +22,14 @@ in
 
   users.users.${username}.packages =
     [
-      inputs'.nur.packages.grayjay-desktop
+      inputs'.nur.packages.grayjay
     ]
     ++ (with pkgs; [
       keepassxc
-      digikam
       fragments
       element-desktop
       libreoffice
       loupe
-      seahorse
       pwvucontrol
       thunderbird
       keepassxc
@@ -39,6 +37,7 @@ in
       signal-desktop
       tagger
       kid3
+      hoppscotch
 
       # proprietary
       obsidian
@@ -56,6 +55,7 @@ in
       scripts.set-background
       scripts.fishl
       scripts.nrun
+      scripts.nruni
       scripts.rpaste
       scripts.genswitch
       scripts.gentest

users/ny/programs/keepassxc.nix

@@ -11,7 +11,7 @@
         Enabled = true;
       };
       GUI = {
-        ApplicationTheme = "auto";
+        ApplicationTheme = "dark";
         ColorPasswords = true;
         MinimizeOnClose = true;
         MinimizeOnStartup = true;