chore(flake): bump inputs

Chrome defaults to connecting to X11.

.gitignore

@@ -1 +1,3 @@
+result-*
 result
+repl-result-*

faucet/fs/btrfs.nix

@@ -1,22 +0,0 @@
-{ pkgs
-, lib
-, config
-, ... }: with lib; let
-  cfg = config.faucet.fs;
-in {
-  options.faucet.fs.btrfs = {
-    options = mkOption {
-      type = with types; listOf str;
-      default = [ "noatime" "compress=zstd" ];
-      description = "btrfs mount options";
-    };
-  };
-
-  config = mkIf (cfg.type == "btrfs") {
-    fileSystems."/nix" =
-    { inherit (cfg.btrfs) options;
-      device = "/dev/disk/by-uuid/${cfg.store}";
-      fsType = "btrfs";
-    };
-  };
-}

faucet/gui/default.nix

@@ -1,61 +0,0 @@
-{ pkgs
-, lib
-, config
-, ... }: with lib; let
-  cfg = config.faucet.gui;
-in {
-  imports = [
-    ./plymouth.nix
-    ./greetd.nix
-  ];
-
-  options.faucet.gui = {
-    enable = mkEnableOption "various setup required for GUI and support software";
-    session = mkEnableOption "software required for a graphical session" // { default = true; };
-    type = mkOption {
-      type = with types; enum [ "intel" "amdgpu" "nvidia" "prime" ];
-      description = "type of graphics acceleration used";
-    };
-    prime = {
-      integrated = mkOption {
-        type = with types; str;
-        default = "i915";
-        description = "integrated gpu driver";
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    hardware.opengl = {
-      enable = true;
-      driSupport = true;
-      driSupport32Bit = true;
-    };
-
-    services.xserver.videoDrivers =
-    optional ((cfg.type == "nvidia") || (cfg.type == "prime")) "nvidia" ++
-    optional (cfg.type == "amdgpu") "amdgpu";
-    # inhibits default display manager
-    services.xserver.displayManager.startx.enable = mkDefault true;
-
-    hardware.nvidia = mkIf ((cfg.type == "nvidia") || (cfg.type == "prime")) {
-      modesetting.enable = true;
-      nvidiaSettings = true;
-
-      prime = mkIf (cfg.type == "prime") {
-        offload = {
-          enable = true;
-          enableOffloadCmd = true;
-        };
-      };
-
-      powerManagement.enable = false;
-      powerManagement.finegrained = false;
-      open = true;
-    };
-
-    boot.initrd.kernelModules =
-    optional (cfg.type == "amdgpu") "amdgpu" ++
-    optional (cfg.type == "prime") cfg.prime.integrated;
-  };
-}

faucet/gui/greetd.nix

@@ -1,17 +0,0 @@
-{ pkgs
-, lib
-, config
-, ... }: with lib; let
-  cfg = config.faucet.gui;
-in mkIf (cfg.enable && cfg.session) {
-  programs.regreet = {
-    enable = true;
-    cageArgs = [ "-s" "-d" "-m" "last" ];
-    settings = {
-      background.path = ../../share/54345906_p0.jpg;
-      gtk.application_prefer_dark_theme = true;
-    };
-  };
-
-  environment.persistence."/nix/persist/fhs".directories = [ "/var/cache/regreet" ];
-}

faucet/util/default.nix

@@ -1,17 +0,0 @@
-{ pkgs
-, lib
-, config
-, ... }: with lib; let
-  cfg = config.faucet.util;
-in {
-  options.faucet.util = { };
-
-  config = {
-    programs.zsh.enable = true;
-    environment.shells = singleton pkgs.zsh;
-
-    environment.systemPackages = with pkgs; [
-      pciutils
-    ];
-  };
-}

flake.lock

@@ -1,30 +1,33 @@
 {
   "nodes": {
+    "catppuccin": {
+      "locked": {
+        "lastModified": 1734057772,
+        "narHash": "sha256-waF/2Y39JXJ4kG3zawmw1J1GxPHopyoOkJKJhfJ7RBs=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "20b6328df20ae45752c81311d225fd47cba32483",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
     "crane": {
       "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
         "nixpkgs": [
           "lanzaboote",
           "nixpkgs"
-        ],
-        "rust-overlay": [
-          "lanzaboote",
-          "rust-overlay"
         ]
       },
       "locked": {
-        "lastModified": 1681177078,
-        "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
+        "lastModified": 1717535930,
+        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
+        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
         "type": "github"
       },
       "original": {
@@ -36,11 +39,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -56,11 +59,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704152458,
-        "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -77,11 +80,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1680392223,
-        "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+        "lastModified": 1717285511,
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
         "type": "github"
       },
       "original": {
@@ -95,11 +98,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -113,11 +116,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -135,11 +138,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
@@ -155,11 +158,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704100519,
-        "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
+        "lastModified": 1734093295,
+        "narHash": "sha256-hSwgGpcZtdDsk1dnzA0xj5cNaHgN9A99hRF/mxMtwS4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
+        "rev": "66c5d8b62818ec4c1edb3e941f55ef78df8141a8",
         "type": "github"
       },
       "original": {
@@ -170,11 +173,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1703656108,
-        "narHash": "sha256-hCSUqdFJKHHbER8Cenf5JRzjMlBjIdwdftGQsO0xoJs=",
+        "lastModified": 1731242966,
+        "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "033643a45a4a920660ef91caa391fbffb14da466",
+        "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
         "type": "github"
       },
       "original": {
@@ -184,6 +187,25 @@
         "type": "github"
       }
     },
+    "jovian": {
+      "inputs": {
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1734162608,
+        "narHash": "sha256-m2AX+3eiVqIK6uO7GbGY7SFnkkYOlR5fQiNI0eRvWOQ=",
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "rev": "31bdf4c7c91204d65afbde01146deee0259a8fb7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "type": "github"
+      }
+    },
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
@@ -197,27 +219,49 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1682802423,
-        "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
+        "lastModified": 1718178907,
+        "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
+        "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "v0.3.0",
+        "ref": "v0.4.1",
         "repo": "lanzaboote",
         "type": "github"
       }
     },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "jovian",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729697500,
+        "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
+        "owner": "zhaofengli",
+        "repo": "nix-github-actions",
+        "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "ref": "matrix-name",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1703961334,
-        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
+        "lastModified": 1733392399,
+        "narHash": "sha256-kEsTJTUQfQFIJOcLYFt/RvNxIK653ZkTBIs4DG+cBns=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
+        "rev": "d0797a04b81caeae77bcff10a9dde78bc17f5661",
         "type": "github"
       },
       "original": {
@@ -229,30 +273,65 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1678872516,
-        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1733940404,
+        "narHash": "sha256-Pj39hSoUA86ZePPF/UXiYHHM7hMIkios8TYG29kQT4g=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5d67ea6b4b63378b9c13be21e2ec9d1afc921713",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "plasma-manager": {
+      "inputs": {
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733858086,
+        "narHash": "sha256-h2BDIDKiqgMpA6E+mu0RgMGy3FeM6k+EuJ9xgOQ1+zw=",
+        "owner": "pjones",
+        "repo": "plasma-manager",
+        "rev": "7e2010249529931a3848054d5ff0dbf24675ab68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pjones",
+        "repo": "plasma-manager",
+        "type": "github"
+      }
+    },
     "pre-commit-hooks-nix": {
       "inputs": {
         "flake-compat": [
           "lanzaboote",
           "flake-compat"
         ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
         "gitignore": "gitignore",
         "nixpkgs": [
           "lanzaboote",
@@ -261,11 +340,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1681413034,
-        "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
+        "lastModified": 1717664902,
+        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
+        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
         "type": "github"
       },
       "original": {
@@ -276,12 +355,15 @@
     },
     "root": {
       "inputs": {
+        "catppuccin": "catppuccin",
         "flake-parts": "flake-parts",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
+        "jovian": "jovian",
         "lanzaboote": "lanzaboote",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2",
+        "plasma-manager": "plasma-manager"
       }
     },
     "rust-overlay": {
@@ -296,11 +378,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682129965,
-        "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+        "lastModified": 1717813066,
+        "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "2c417c0460b788328220120c698630947547ee83",
+        "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,24 +3,21 @@
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-
     flake-utils.url = "github:numtide/flake-utils";
-    flake-parts = {
-      url = "github:hercules-ci/flake-parts";
-      inputs.nixpkgs-lib.follows = "nixpkgs";
-    };
-
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
     impermanence.url = "github:nix-community/impermanence/master";
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    plasma-manager.url = "github:pjones/plasma-manager";
+    plasma-manager.inputs.nixpkgs.follows = "nixpkgs";
+    plasma-manager.inputs.home-manager.follows = "home-manager";
+    catppuccin.url = "github:catppuccin/nix";
+    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
+    lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
 
-    home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.3.0";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
+    # steamdeck
+    jovian.url = "github:Jovian-Experiments/Jovian-NixOS";
   };
 
   outputs = inputs:

global/acme/default.nix

@@ -0,0 +1,20 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.acme;
+in {
+  options.global.acme = {
+    enable = mkEnableOption "ACME SSL certificates";
+  };
+
+  config = mkIf cfg.enable {
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = mkDefault "koishi@514fpv.one";
+      defaults.group = config.services.nginx.group;
+    };
+
+    environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/acme" ];
+  };
+}

global/android/default.nix

@@ -0,0 +1,17 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.android;
+in {
+  options.global.android = {
+    enable = mkEnableOption "android tools";
+  };
+
+  config = mkIf cfg.enable {
+    programs.adb.enable = true;
+
+    # allow device access by admin users
+    users.adminGroups = [ "adbusers" ];
+  };
+}

global/asusd/default.nix

@@ -0,0 +1,18 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.asusd;
+in {
+  options.global.asusd = {
+    enable = mkEnableOption "ASUS laptop userland support daemon";
+  };
+
+  config = mkIf cfg.enable {
+    services.asusd.enable = true;
+
+    environment.persistence."/nix/persist/fhs".directories = [
+      "/etc/asusd"
+    ];
+  };
+}

global/auth/default.nix

@@ -2,20 +2,22 @@
 , lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.auth;
+  cfg = config.global.auth;
   pub = lib.pipe ./pub [
     builtins.readDir
     (lib.filterAttrs (n: ty: ty == "regular"))
     (lib.mapAttrsToList (n: _: builtins.readFile ./pub/${n}))
+    (foldr (payload: keys: (splitString "\n" payload) ++ keys) [ ])
+    (foldr (candidate: keys: keys ++ (if candidate == "" then [ ] else [ candidate ])) [ ])
   ];
 in {
-  options.faucet.auth = {
+  options.global.auth = {
     enable = mkEnableOption "identity authentication in various software" // { default = true; };
     openssh = {
       enable = mkEnableOption "openssh server";
       password = mkEnableOption "password authentication";
       publicKeys = mkOption {
-        type = with types; listOf str;
+        type = with types; listOf singleLineStr;
         default = pub;
         description = "list of trusted openssh keys";
       };
@@ -40,7 +42,7 @@ in {
       settings.PasswordAuthentication = cfg.openssh.password;
     };
 
-    networking.firewall.allowedTCPPorts = [ ] ++
+    networking.firewall.allowedTCPPorts = [ 1300 ] ++ # utility port
     optional (cfg.openssh.enable && (cfg.openssh.port != null)) cfg.openssh.port;
 
     environment.persistence."/nix/persist/fhs".directories = [ ] ++

global/auth/pub/eientei.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnhMCGSLMY+QldeCTaRovmfuzKdJsllQy9XinN2JU2z koishi@eientei

global/auth/pub/hakugyokurou.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKCA0/6dsdVyLEgzWt8+u5lWVc0o6A3MY4M2Hf2BT8h koishi@hakugyokurou

global/auth/pub/koumakyou.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJOoXrfB4D8Vi6HH4E7RqHHIWhPPqEiiOeLRfggW1XZ koishi@koumakyou

global/auth/pub/reimaden.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIZq1mD3J1cgWK61okXx3hQSe+5g3UTBfAf4RHkkFVd koishi@reimaden

global/auth/pub/shinkirou.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwV7Z+PDC8ARRj1LxUJlv59gJ3A84LCMMyMSqLtRtuQ koishi@shinkirou

global/auth/pub/yume.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdzq2g13LEyxTZnA0HQ5hMEp4XNh0TOB/KY1bRwjsaq koishi@yume

global/boot/default.nix

@@ -2,12 +2,17 @@
 , lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.boot;
+  cfg = config.global.boot;
 in {
-  options.faucet.boot = {
+  options.global.boot = {
     enable = mkEnableOption "bootloader installation and maintenance" // { default = true; };
     systemd-boot = mkEnableOption "generation selection via systemd-boot" // { default = !cfg.lanzaboote; };
     lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";
+    memtest = mkOption {
+      type = with types; nullOr int;
+      default = null;
+      description = "memtest passes to perform on boot";
+    };
   };
 
   config = let
@@ -20,10 +25,11 @@ in {
       loader.systemd-boot.enable = cfg.systemd-boot;
       loader.efi.canTouchEfiVariables = true;
       tmp.cleanOnBoot = true;
+      kernelParams = optional (cfg.memtest != null) "memtest=${toString cfg.memtest}";
     };
 
     # symlink for sbctl
-    environment.etc.secureboot = mkIf cfg.lanzaboote { source = sbPath; };
-    #environment.systemPackages = optional cfg.lanzaboote pkgs.sbctl;
+    environment.etc.secureboot.source = sbPath;
+    environment.systemPackages = [ pkgs.sbctl ];
   };
 }

global/flatpak/default.nix

@@ -0,0 +1,17 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.flatpak;
+in {
+  options.global.flatpak = {
+    enable = mkEnableOption "flatpak sandbox";
+  };
+
+  config = mkIf cfg.enable {
+    services.flatpak.enable = true;
+    xdg.portal.enable = true;
+    users.home.persist.directories = [ ".local/share/flatpak" ".var" ];
+    environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/flatpak" ];
+  };
+}

global/fs/bcachefs.nix

@@ -0,0 +1,22 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs;
+in {
+  options.global.fs.bcachefs = {
+    options = mkOption {
+      type = with types; listOf str;
+      default = [ "noatime" "compression=zstd" ];
+      description = "bcachefs mount options";
+    };
+  };
+
+  config = mkIf (cfg.type == "bcachefs") {
+    fileSystems."/nix" =
+    { inherit (cfg.bcachefs) options;
+      device = "/dev/disk/by-uuid/${cfg.store}";
+      fsType = "bcachefs";
+    };
+  };
+}

global/fs/default.nix

@@ -2,34 +2,36 @@
 , lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.fs;
+  cfg = config.global.fs;
 in {
   imports = [
     ./ext4.nix
+    ./f2fs.nix
     ./xfs.nix
-    #./bcachefs.nix
-    ./btrfs.nix
+    ./bcachefs.nix
+    ./zfs
   ];
 
-  options.faucet.fs = {
+  options.global.fs = {
     type = mkOption {
-      type = with types; enum [ "ext4" "xfs" "bcachefs" "btrfs" ];
+      type = with types; enum [ "ext4" "f2fs" "xfs" "zfs" "bcachefs" ];
       default = "bcachefs";
       description = "filesystem type to use for persistent state storage";
     };
     store = mkOption {
       type = with types; str;
+      default = config.networking.hostName;
       description = "UUID/dataset of nix store backing device";
     };
     esp = {
       enable = mkEnableOption "EFI system partition" // { default = true; };
       uuid = mkOption {
         type = with types; str;
-        default = "cafebabe";
+        default = "CAFE-BABE";
         description = "vfat serial number of EFI system partition";
       };
     };
-    extPersist = {
+    external = {
       enable = mkEnableOption "external persist filesystem";
       # this wraps the standard fileSystems module
       # since some attrs have to be unconditionally set
@@ -70,10 +72,15 @@ in {
     { device = "/dev/disk/by-uuid/${cfg.esp.uuid}";
       fsType = "vfat";
     };
-    fileSystems."/nix/persist" = mkIf cfg.extPersist.enable
-    { inherit (cfg.extPersist) device fsType options;
+    fileSystems."/nix/persist" = mkIf cfg.external.enable
+    { inherit (cfg.external) device fsType options;
       neededForBoot = true;
-      depends = "/nix";
+      depends = [ "/nix" ];
+    };
+    fileSystems."/tmp" =
+    { device = "/nix/tmp";
+      options = [ "bind" ];
+      depends = [ "/nix/tmp" ];
     };
 
     services.fstrim.enable = mkIf ((cfg.type == "ext4") || (cfg.type == "xfs")) true;
@@ -83,5 +90,10 @@ in {
       inherit (cfg.cryptsetup) allowDiscards bypassWorkqueues;
       device = "/dev/disk/by-uuid/${uuid}";
     }) cfg.cryptsetup.uuids);
+
+    environment.persistence."/nix/persist/fhs".files = [ {
+      file = "/var/lib/private/mode";
+      parentDirectory.mode = "0700";
+    } ];
   };
 }

global/fs/ext4.nix

@@ -1,10 +1,11 @@
 { lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.fs;
+  cfg = config.global.fs;
 in mkIf (cfg.type == "ext4") {
   fileSystems."/nix" =
   { device = "/dev/disk/by-uuid/${cfg.store}";
     fsType = "ext4";
+    options = [ "noatime" ];
   };
 }

global/fs/f2fs.nix

@@ -0,0 +1,10 @@
+{ lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs;
+in mkIf (cfg.type == "f2fs") {
+  fileSystems."/nix" =
+  { device = "/dev/disk/by-uuid/${cfg.store}";
+    fsType = "f2fs";
+  };
+}

global/fs/xfs.nix

@@ -1,11 +1,12 @@
 { lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.fs;
+  cfg = config.global.fs;
 in mkIf (cfg.type == "xfs") {
   # NOTE: -m reflink=1
   fileSystems."/nix" =
   { device = "/dev/disk/by-uuid/${cfg.store}";
     fsType = "xfs";
+    options = [ "noatime" ];
   };
 }

global/fs/zfs/alert.nix

@@ -0,0 +1,122 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs.zfs.alert;
+
+  backend = {
+    text = pkgs.writeShellScript "telegram-text" ''
+      set -e
+      source ${cfg.secret}
+
+      ${pkgs.curl}/bin/curl -sG \
+        --data-urlencode "chat_id=$CHATID" \
+        --data-urlencode "text=$ALERT" \
+        $CURL_EXTRA_ARGS \
+        "https://api.telegram.org/bot$APIKEY/sendMessage"
+    '';
+    image = pkgs.writeShellScript "telegram-image" ''
+      set -e
+      source ${cfg.secret}
+
+      ${pkgs.curl}/bin/curl -sG \
+        -F "chat_id=$CHATID" \
+        -F "caption=$ALERT" \
+        -F "photo=@-" \
+        $CURL_EXTRA_ARGS \
+        "https://api.telegram.org/bot$APIKEY/sendPhoto"
+    '';
+  };
+
+  zedAlert = pkgs.writeShellScript "zed-alert" ''
+    set -e
+    export BODY="$(cat)"
+
+    # add tag
+    ALERT="$1 #zfs"
+
+    export ALERT
+    echo -e "$BODY" | \
+    ${pkgs.imagemagick}/bin/convert \
+      -size 1500x2000 xc:black \
+      -font "${pkgs.freefont_ttf}/share/fonts/truetype/FreeMono.ttf" \
+      -pointsize 16 \
+      -fill white -annotate +15+80 "@-" \
+      -trim -bordercolor "#000" \
+      -border 32 +repage \
+      png:- | \
+    ${backend.image}
+  '';
+
+  mdadmAlert = pkgs.writeShellScript "mdadm-alert" ''
+    set -e
+
+    EVENT="$1"
+    ARRAY="$2"
+    DEVICE="$3"
+
+    # fallback alert
+    ALERT="$EVENT | $ARRAY | $DEVICE"
+
+    case $EVENT in
+      DegradedArray)
+        ALERT="Array $ARRAY is in a degraded state"
+        ;;
+      DeviceDisappeared)
+        ALERT="Array $ARRAY disappeared"
+        ;;
+      Fail)
+        ALERT="Array $ARRAY encountered failure of component $DEVICE"
+        ;;
+      FailSpare)
+        ALERT="Array $ARRAY encountered failure of spare component $DEVICE during rebuild"
+        ;;
+      MoveSpare)
+        ALERT="Spare $DEVICE moved to array $ARRAY"
+        ;;
+      NewArray)
+        ALERT="Array $ARRAY appeared"
+        ;;
+      Rebuild??)
+        ALERT="Array $ARRAY rebuild is now $(echo $EVENT | ${pkgs.sedutil}/bin/sed 's/Rebuild//')% complete"
+        ;;
+      RebuildFinished)
+        ALERT="Rebuild of array $ARRAY has concluded"
+        ;;
+      RebuildStarted)
+        ALERT="Rebuild of array $ARRAY has started"
+        ;;
+      SpareActive)
+        ALERT="Spare $DEVICE activated in array $ARRAY"
+        ;;
+      SparesMissing)
+        ALERT="Array $ARRAY missing one or more spares"
+        ;;
+      TestMessage)
+        ALERT="Test message generated for array $ARRAY"
+        ;;
+    esac
+
+    # add tag
+    ALERT="$ALERT #swraid"
+
+    export ALERT
+    exec ${backend.text}
+  '';
+in mkIf (cfg.secret != null) {
+  services.zfs.zed = mkIf cfg.zed {
+    settings = {
+      ZED_EMAIL_ADDR = [ "root" ];
+      ZED_EMAIL_PROG = toString zedAlert;
+      ZED_EMAIL_OPTS = "'@SUBJECT@'";
+
+      ZED_NOTIFY_INTERVAL_SECS = 3600;
+      ZED_NOTIFY_VERBOSE = false;
+
+      ZED_USE_ENCLOSURE_LEDS = true;
+      ZED_SCRUB_AFTER_RESILVER = false;
+    };
+  };
+
+  global.fs.zfs.split.mdProg = mkIf cfg.swraid (toString mdadmAlert);
+}

global/fs/zfs/default.nix

@@ -0,0 +1,105 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs;
+in {
+  imports = [
+    ./alert.nix
+    ./split.nix
+    ./replication.nix
+  ];
+
+  # -o ashift=12
+  # -O encryption=on -O keyformat=passphrase -O keylocation=prompt
+  # -O compression=on -O mountpoint=none -O xattr=sa -O acltype=posixacl
+  options.global.fs.zfs = {
+    alert = {
+      zed = mkEnableOption "zfs event alerts" // { default = true; };
+      swraid = mkEnableOption "software raid alerts" // { default = true; };
+      secret = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "path to alert secrets";
+      };
+    };
+
+    persist = mkOption {
+      type = with types; str;
+      default = cfg.store;
+      description = ''
+        pool for persist dataset
+        defaults to nix store dataset
+      '';
+    };
+    mountpoints = mkOption {
+      type = with types; attrsOf str;
+      description = "zfs dataset mountpoints";
+    };
+    externalStore = mkEnableOption "external nix store filesystem";
+
+    split = {
+      enable = mkEnableOption "zfs state with split nix store";
+      mdProg = mkOption {
+        type = with types; str;
+        default = "/usr/bin/true";
+        description = "mdadm PROGRAM config value";
+      };
+      secret = mkOption {
+        type = with types; str;
+        description = "UUID of secret filesystem";
+      };
+      store = mkOption {
+        type = with types; str;
+        description = "UUID of store filesystem";
+      };
+    };
+
+    replication = {
+      enable = mkEnableOption "zfs replication to remote";
+      remote = mkOption {
+        type = with types; str;
+        description = "remote host as replication destination";
+      };
+      port = mkOption {
+        type = with types; port;
+        description = "ssh port of replication target";
+        default = 22;
+      };
+      datasets = mkOption {
+        type = with types; listOf str;
+        default = [ "persist" "service" "storage" ];
+        description = "list of filesystems to perform replication for";
+      };
+      sendOptions = mkOption {
+        type = with types; str;
+        default = "w";
+        description = "send options for all datasets";
+      };
+    };
+  };
+
+  config = mkIf (cfg.type == "zfs") {
+    fileSystems = (mapAttrs (path: dataset: {
+      device = "${cfg.zfs.persist}/${dataset}";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+      # required by impermanence
+      neededForBoot = true;
+    }) cfg.zfs.mountpoints) // {
+      "/nix" = (if !cfg.zfs.externalStore then
+        { device = "${cfg.store}/nix";
+          fsType = "zfs";
+        } else
+        { inherit (cfg.external) device fsType options; });
+    };
+    global.fs.zfs.mountpoints."/nix/persist" = "persist";
+
+    services.zfs.trim.enable = true;
+    services.zfs.autoSnapshot.enable = true;
+    services.zfs.autoScrub.enable = true;
+    boot.zfs.devNodes = mkDefault "/dev/disk/by-partuuid";
+    #boot.kernelPackages = mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages;
+    global.kernel.lts = mkDefault true;
+  };
+}

global/fs/zfs/replication.nix

@@ -0,0 +1,30 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs.zfs.replication;
+in mkIf cfg.enable {
+  services.syncoid = {
+    enable = mkDefault true;
+    interval = mkDefault "daily";
+    sshKey = mkDefault "/var/lib/syncoid/.ssh/id_ed25519";
+    commonArgs = [
+      "--recursive"
+      "--mbuffer-size=128M"
+      "--delete-target-snapshots"
+      "--sshport=${toString cfg.port}"
+    ];
+    localSourceAllow = mkOptionDefault [ "mount" ];
+
+    commands = (lists.foldr (name: commands: commands // {
+      "${config.global.fs.store}/${name}" = {
+        inherit (cfg) sendOptions;
+        target = "${cfg.remote}/${name}";
+      };
+    }) { }) cfg.datasets;
+  };
+
+  users.users.syncoid.uid = 82;
+  users.groups.syncoid.gid = 82;
+  environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/syncoid" ];
+}

global/fs/zfs/split.nix

@@ -0,0 +1,35 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs.zfs.split;
+in mkIf cfg.enable {
+  # unconditionally enable fstrim for xfs and ext4
+  services.fstrim.enable = mkDefault true;
+
+  # enable swraid for split raid1 system array
+  boot.swraid.enable = mkDefault true;
+  boot.swraid.mdadmConf = mkDefault ''
+    PROGRAM ${cfg.mdProg}
+  '';
+
+  # secret filesystem backed by swraid
+  fileSystems."/nix/var/secret" =
+  { device = "/dev/disk/by-uuid/${cfg.secret}";
+    fsType = "ext4";
+    options = [ "noatime" ];
+    neededForBoot = true;
+    depends = [ "/nix/var" ];
+  };
+
+  # external store backed by swraid
+  global.fs = {
+    zfs.externalStore = mkDefault true;
+    external.device = "/dev/disk/by-uuid/${cfg.store}";
+    external.fsType = "xfs";
+    external.options = [ "noatime" ];
+  };
+
+  # import system state pool after encrypted filesystems become available for key loading
+  boot.initrd.systemd.services."zfs-import-${config.global.fs.store}".after = [ "sysroot-nix-var-secret.mount" "cryptsetup.target" ];
+}

global/gpu/default.nix

@@ -0,0 +1,111 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.gpu;
+
+  intel = cfg.type == "intel" || (cfg.type == "prime" && config.hardware.nvidia.prime.intelBusId != "");
+  amdgpu = cfg.type == "amdgpu" || (cfg.type == "prime" && config.hardware.nvidia.prime.amdgpuBusId != "");
+  nvidia = cfg.type == "nvidia" || cfg.type == "prime";
+in {
+  imports = [
+    ./plymouth.nix
+    ./greetd.nix
+  ];
+
+  options.global.gpu = {
+    enable = mkEnableOption "various setup required for GUI and support software";
+    session = mkEnableOption "software required for a graphical session" // { default = true; };
+    type = mkOption {
+      type = with types; nullOr (enum [ "intel" "amdgpu" "nvidia" "prime" ]);
+      default = null;
+      description = "type of graphics acceleration used";
+    };
+    arc = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = "intel arc PCI ID if installed, enables toggling the arc before boot";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    hardware.graphics = {
+      enable = true;
+      enable32Bit = true;
+
+      # https://nixos.wiki/wiki/Accelerated_Video_Playback
+      extraPackages = with pkgs; optionals intel [
+        intel-media-driver # LIBVA_DRIVER_NAME=iHD
+        vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        vaapiVdpau
+        libvdpau-va-gl
+        intel-compute-runtime
+      ] ++
+      optional nvidia nvidia-vaapi-driver ++
+      optional (cfg.type == "nvidia") vulkan-validation-layers;
+    };
+
+    services.xserver = mkIf cfg.session {
+      videoDrivers =
+      optional nvidia "nvidia" ++
+      optional (cfg.type == "amdgpu") "amdgpu";
+      # inhibits default display manager
+
+      displayManager.startx.enable = mkDefault true;
+    };
+
+    hardware.nvidia = mkIf nvidia {
+      modesetting.enable = true;
+      nvidiaSettings = true;
+
+      prime = mkIf (cfg.type == "prime") {
+        offload = {
+          enable = true;
+          enableOffloadCmd = true;
+        };
+      };
+
+      powerManagement.enable = false;
+      powerManagement.finegrained = false;
+      open = false;
+    };
+
+    environment.variables = {
+      # work around broken nvidia hw cursor on wayland
+      WLR_NO_HARDWARE_CURSORS = mkIf (cfg.type == "nvidia") "1";
+      # work around wlroots flickering on pure nvidia
+      #WLR_RENDERER = mkIf (cfg.type == "nvidia") "vulkan";
+    };
+
+    specialisation.integratedGraphics = mkIf (cfg.type == "prime") {
+      configuration = {
+        global.gpu.type = mkForce (if intel then "intel" else if amdgpu then "amdgpu" else "prime");
+        boot.blacklistedKernelModules = [ "nouveau" ];
+      };
+    };
+
+    specialisation.withArc = mkIf (cfg.arc != null) {
+      configuration = {
+        global.gpu.arc = mkForce null;
+        powerManagement.cpuFreqGovernor = mkForce "performance";
+      };
+    };
+
+    boot.initrd.kernelModules =
+    optional amdgpu "amdgpu" ++
+    optional (intel && cfg.arc == null) "i915" ++
+    optionals nvidia [ "nvidia" "nvidia_drm" "nvidia_modeset" "nvidia_uvm" ] ++
+    optional (cfg.arc != null) "vfio-pci";
+
+    boot.extraModulePackages = optional nvidia config.boot.kernelPackages.nvidia_x11;
+
+    boot.extraModprobeConfig = mkIf (cfg.arc != null) ''
+      softdep drm pre: vfio-pci
+      options vfio-pci ids=${cfg.arc}
+    '';
+
+    boot.kernelParams =
+    optional intel "i915.fastboot=1" ++
+    optionals nvidia [ "nvidia_drm.modeset=1" "nvidia_drm.fbdev=1" ];
+  };
+}

global/gpu/greetd.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.gpu;
+  gui = with cfg; enable && session;
+in mkIf gui {
+  programs.regreet = {
+    enable = mkDefault true;
+    cageArgs = [ "-s" "-d" "-m" "last" ];
+    settings = {
+      background.path = mkDefault ../../share/54345906_p0.jpg;
+      background.fit = "Fill";
+      GTK = {
+        application_prefer_dark_theme = mkDefault true;
+        cursor_theme_name = mkDefault "Bibata-Modern-Classic";
+        icon_theme_name = mkDefault "Papirus-Dark";
+        theme_name = mkDefault "WhiteSur-Dark";
+      };
+    };
+  };
+
+  environment.persistence."/nix/persist/fhs".directories = [ "/var/cache/regreet" ];
+}

global/gpu/plymouth.nix

@@ -2,10 +2,11 @@
 , lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.gui;
-in mkIf cfg.enable {
+  cfg = config.global.gpu;
+  gui = with cfg; enable && session;
+in mkIf gui {
   boot = {
-    loader.timeout = lib.mkDefault 0;
+    loader.timeout = mkDefault 0;
     consoleLogLevel = 0;
     initrd.verbose = false;
     initrd.systemd.enable = true;
@@ -13,7 +14,6 @@ in mkIf cfg.enable {
     kernelParams = [
       "quiet"
       "splash"
-      "i915.fastboot=1"
       "loglevel=3"
       "rd.systemd.show_status=false"
       "rd.udev.log_level=3"

global/id/default.nix

@@ -2,9 +2,9 @@
 , lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.id;
+  cfg = config.global.id;
 in {
-  options.faucet.id = mkOption {
+  options.global.id = mkOption {
     type = with types; str;
     description = "systemd machine id";
   };

global/io/default.nix

@@ -2,41 +2,61 @@
 , lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.io;
+  cfg = config.global.io;
+  gui = with config.global.gpu; enable && session;
 in {
-  options.faucet.io = {
-    betaflight = mkEnableOption "betaflight udev rules" // { default = true; };
-    bluetooth = mkEnableOption "bluetooth daemons and state persistence" // { default = true; };
-    audio = mkEnableOption "pulseaudio server configuration" // { default = true; };
+  options.global.io = {
+    betaflight = mkEnableOption "betaflight udev rules" // { default = gui; };
+    bluetooth = mkEnableOption "bluetooth daemons and state persistence" // { default = gui; };
+    audio = mkEnableOption "pulseaudio server configuration" // { default = gui; };
     coredump = mkEnableOption "save coredumps handled by systemd";
   };
 
   config = {
-    services.udev.extraRules = "" + (if cfg.betaflight then ''
+    services.udev.extraRules = ''
+      # ignore zvols
+      KERNEL=="zd*", ENV{UDISKS_IGNORE}="1"
+    '' + (if cfg.betaflight then ''
       # DFU (Internal bootloader for STM32 and AT32 MCUs)
       SUBSYSTEM=="usb", ATTRS{idVendor}=="2e3c", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
       SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
     '' else "");
 
     networking.networkmanager.enable = mkDefault true;
+    networking.hosts = {
+      "10.5.14.0" = [ "codec" ];
+      "10.5.14.1" = [ "redir" ];
+      "10.5.14.2" = [ "compat" ];
+
+      "192.168.123.1" = [ "netvm" ];
+    };
+    networking.firewall.logRefusedConnections = true;
     hardware.bluetooth.enable = mkDefault cfg.bluetooth;
 
-    hardware.pulseaudio = mkIf cfg.audio {
+    # rtkit is optional but recommended
+    security.rtkit.enable = cfg.audio;
+    services.pipewire = mkIf cfg.audio {
       enable = true;
-      support32Bit = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
     };
-    #nixpkgs.config.pulseaudio = mkIf cfg.audio;
 
     security.pam.loginLimits = mkIf (!cfg.coredump) (singleton { domain = "*"; item = "core"; type = "hard"; value = "0"; });
     systemd.coredump.extraConfig = mkIf (!cfg.coredump) "Storage=none";
 
     environment.persistence."/nix/persist/fhs".directories = [
       "/var/log"
+      "/var/lib/nixos"
       "/var/lib/systemd/backlight"
     ] ++
     optional config.networking.networkmanager.enable "/etc/NetworkManager/system-connections" ++
     optional cfg.bluetooth "/var/lib/bluetooth" ++
     optional cfg.coredump "/var/lib/systemd/coredump";
     environment.persistence."/nix/persist/fhs".hideMounts = true;
+
+    users.home.persist.directories = [ ] ++
+    optional cfg.audio ".local/state/wireplumber";
   };
 }

global/kernel/default.nix

@@ -2,9 +2,9 @@
 , lib
 , config
 , ... }: with lib; let
-  cfg = config.faucet.kernel;
+  cfg = config.global.kernel;
 in {
-  options.faucet.kernel = {
+  options.global.kernel = {
     enable = mkEnableOption "kernel version and configuration" // { default = true; };
     lts = mkEnableOption "longterm kernel releases";
     sysctl = {
@@ -23,6 +23,6 @@ in {
       "kernel.dmesg_restrict" = mkIf cfg.sysctl.harden 1;
       "vm.swappiness" = cfg.sysctl.swappiness;
     };
-    boot.kernelPackages = with pkgs; mkDefault (if cfg.lts then linuxPackages else linuxPackages_latest);
+    boot.kernelPackages = with pkgs; mkOverride 1001 (if cfg.lts then linuxPackages else linuxPackages_latest);
   };
 }

global/libvirt/default.nix

@@ -0,0 +1,36 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.libvirt;
+in {
+  options.global.libvirt = {
+    enable = mkEnableOption "libvirt virtualisation daemon" // { default = true; };
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation.libvirtd = {
+      enable = true;
+      qemu.runAsRoot = false;
+      qemu.swtpm.enable = true;
+
+      # disable as much implicit state as possible
+      onBoot = "ignore";
+      onShutdown = "shutdown";
+      parallelShutdown = 5;
+    };
+
+    environment.systemPackages = with pkgs; [ virtiofsd ];
+
+    # USB redirection requires a setuid wrapper
+    virtualisation.spiceUSBRedirection.enable = true;
+
+    environment.persistence."/nix/persist/fhs".directories = [
+      "/var/lib/libvirt"
+    ];
+    global.fs.zfs.mountpoints."/nix/persist/service/libvirt" = "service/libvirt";
+
+    # allow management by admin users
+    users.adminGroups = [ "libvirtd" ];
+  };
+}

global/lowmem/default.nix

@@ -0,0 +1,25 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.lowmem;
+in {
+  options.global.lowmem = {
+    enable = mkEnableOption "low memory optimisations";
+    swapsize = mkOption {
+      type = with types; int;
+      default = 8 * 1024;
+      description = "automatic swap file size";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # enables remote nixos-rebuild
+    nix.settings.trusted-users = [ "koishi" ];
+
+    swapDevices = [ {
+      device = "/nix/persist/secret/swap";
+      size = cfg.swapsize;
+    } ];
+  };
+}

global/netdata/default.nix

@@ -0,0 +1,52 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.netdata;
+in {
+  options.global.netdata = {
+    enable = mkEnableOption "netdata";
+    host = mkOption {
+      type = with types; str;
+      default = "localhost";
+      description = "hostname of netdata web interface";
+    };
+    addSSL = mkEnableOption "add SSL to netdata proxy";
+    useACMEHost = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = "existing acme host";
+    };
+    basicAuthFile = mkOption {
+      type = with types; nullOr path;
+      default = "/nix/persist/secret/netdata";
+      description = "path to passwd file";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.netdata = {
+      enable = true;
+      config = {
+        global = {
+          "error log" = "syslog";
+          "access log" = "none";
+          "debug log" = "syslog";
+        };
+        web."bind to" = "unix:/var/run/netdata/netdata.sock";
+      };
+    };
+
+    users.users.netdata.uid = 287;
+    users.groups.netdata.gid = 287;
+
+    services.nginx.enable = mkDefault true;
+    services.nginx.virtualHosts.${cfg.host} = {
+      inherit (cfg) addSSL useACMEHost basicAuthFile;
+      locations."/".proxyPass = "http://unix:/var/run/netdata/netdata.sock";
+    };
+    users.users.nginx.extraGroups = [ "netdata" ];
+
+    environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/netdata" ];
+  };
+}

global/oci/default.nix

@@ -0,0 +1,21 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.oci;
+in {
+  options.global.oci = {
+    enable = mkEnableOption "oci container runtime";
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation.podman = {
+      enable = true;
+      enableNvidia = with config.global.gpu; mkDefault type == "prime" || type == "nvidia";
+      dockerCompat = true;
+    };
+
+    users.home.persist.directories = [ ".local/share/containers" ];
+    environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/containers" ];
+  };
+}

global/virtualbox/default.nix

@@ -0,0 +1,34 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.virtualbox;
+in {
+  options.global.virtualbox = {
+    enable = mkEnableOption "virtualbox host (kvm)";
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation.virtualbox.host = {
+      enable = true;
+      enableKvm = true;
+      enableExtensionPack = true;
+
+      enableHardening = false;
+      addNetworkInterface = false;
+    };
+
+    # allow virtualbox USB passthrough
+    users.adminGroups = [ "vboxusers" ];
+
+    users.home.persist.directories = [
+      ".config/VirtualBox"
+    ];
+
+    users.homeModules = [ {
+      wayland.windowManager.sway.config.window.commands = [
+        { criteria.class = "VirtualBox Manager"; command = "floating enable"; }
+      ];
+    } ];
+  };
+}

home/app/nixos.nix

@@ -0,0 +1,28 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.users;
+in {
+  options.users.home.persistApp = {
+    files = mkOption {
+      type = with types; listOf (oneOf [ str (attrsOf str) ]);
+      default = [ ];
+    };
+    directories = mkOption {
+      type = with types; listOf (oneOf [ str (attrsOf str) ]);
+      default = [ ];
+    };
+  };
+
+  config = {
+    users.profiles.app = {
+      uid = 5800;
+      description = "Insecure Applications";
+      picture = ../picture/app.png;
+    };
+
+    # extra persistence specific to the app user
+    environment.persistence."/nix/persist".users.app = cfg.home.persistApp;
+  };
+}

home/auth/home.nix

@@ -17,9 +17,21 @@
         # compiled from trusted keys in auth module
         ssh.allowedSignersFile = toString (pkgs.writeText
         "allowed_signers" (foldr (key: folded:
-        folded + "koishi@514fpv.one ${key}") ""
+        folded + "koishi@514fpv.one ${key}\n") ""
         config.passthrough.publicKeys));
       };
     };
   };
+
+  programs.ssh = {
+    enable = true;
+    matchBlocks = {
+      "edge.514fpv.io".port = 8086;
+      "sf.514fpv.io".port = 8087;
+    };
+  };
+
+  wayland.windowManager.sway.config.window.commands = mkIf config.passthrough.gui [
+    { criteria.title = "Bitwarden"; command = "floating enable"; }
+  ];
 }

home/auth/nixos.nix

@@ -2,6 +2,6 @@
 , ... }: {
   # this module passes openssh public keys to home-manager
   users.homeModules = [ {
-    passthrough.publicKeys = config.faucet.auth.openssh.publicKeys;
+    passthrough.publicKeys = config.global.auth.openssh.publicKeys;
   } ];
 }

home/btop/home.nix

@@ -0,0 +1,13 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.btop;
+in mkIf cfg.enable {
+  programs.btop = {
+    enable = true;
+    settings = {
+      theme_background = false;
+    };
+  };
+}

home/btop/nixos.nix

@@ -0,0 +1,17 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.btop;
+in {
+  options.home.btop = {
+    enable = mkEnableOption "btop" // { default = !config.home.util.minimal; };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes gyroflow configuration to home-manager
+      { passthrough.btop = cfg; }
+    ];
+  };
+}

home/catppuccin/gui.nix

@@ -0,0 +1,62 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.catppuccin;
+  palette = (lib.importJSON "${config.catppuccin.sources.palette}/palette.json").${config.catppuccin.flavor}.colors;
+in mkIf cfg.enable {
+  gtk.theme = { inherit (cfg.gtk) package name; };
+  qt.style.name = "kvantum";
+  qt.platformTheme.name = "kvantum";
+  home.pointerCursor = { inherit (cfg.cursor) package name; };
+
+  # sway colour palette override
+  wayland.windowManager.sway.config = {
+    colors = {
+      focused =         { border = "$lavender"; background = "$base"; text = "$text";  indicator = "$rosewater"; childBorder = "$lavender"; };
+      focusedInactive = { border = "$overlay0"; background = "$base"; text = "$text";  indicator = "$rosewater"; childBorder = "$overlay0"; };
+      unfocused =       { border = "$overlay0"; background = "$base"; text = "$text";  indicator = "$rosewater"; childBorder = "$overlay0"; };
+      urgent =          { border = "$peach";    background = "$base"; text = "$peach"; indicator = "$overlay0";  childBorder = "$peach"; };
+      placeholder =     { border = "$overlay0"; background = "$base"; text = "$text";  indicator = "$overlay0";  childBorder = "$overlay0"; };
+      background =                 "$base";
+    };
+
+    bars = mkForce [ {
+      colors = {
+        background =                   "$base";
+        statusline =                   "$text";
+        focusedStatusline =            "$text";
+        focusedSeparator =             "$base";
+        focusedWorkspace =  { border = "$base"; background = "$base"; text = "$green"; };
+        activeWorkspace =   { border = "$base"; background = "$base"; text = "$blue"; };
+        inactiveWorkspace = { border = "$base"; background = "$base"; text = "$surface1"; };
+        urgentWorkspace =   { border = "$base"; background = "$base"; text = "$surface1"; };
+        bindingMode =       { border = "$base"; background = "$base"; text = "$surface1"; };
+      };
+
+      mode = "dock";
+      position = "bottom";
+      workspaceButtons = true;
+      workspaceNumbers = true;
+      statusCommand = "${pkgs.i3status}/bin/i3status";
+      fonts = {
+        names = [ "monospace" ];
+        size = 8.0;
+      };
+      trayOutput = "primary";
+    } ];
+
+    output."*".bg = mkForce "${./flake.png} fill";
+    gaps.inner = 12;
+    gaps.outer = 5;
+    # dodge the status bar
+    gaps.bottom = 0;
+  };
+
+  # i3status colour palette override
+  programs.i3status.general = with palette; {
+    color_good = lavender.hex;
+    color_degraded = yellow.hex;
+    color_bad = red.hex;
+  };
+}

home/catppuccin/home.nix

@@ -0,0 +1,9 @@
+{
+  catppuccin = {
+    enable = true;
+    accent = "pink";
+    flavor = "mocha";
+  };
+
+  imports = [ ./gui.nix ];
+}

home/catppuccin/nixos.nix

@@ -0,0 +1,79 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  gui = with config.global.gpu; enable && session;
+  cfg = config.home.catppuccin;
+in {
+  options.home.catppuccin = {
+    enable = mkEnableOption "catppuccin colour scheme" // { default = gui; };
+
+    gtk = {
+      package = mkOption {
+        type = with types; package;
+        default = (pkgs.catppuccin-gtk.overrideAttrs {
+          src = pkgs.fetchFromGitHub {
+            owner = "catppuccin";
+            repo = "gtk";
+            rev = "v1.0.3";
+            fetchSubmodules = true;
+            hash = "sha256-q5/VcFsm3vNEw55zq/vcM11eo456SYE5TQA3g2VQjGc=";
+          };
+
+          postUnpack = "";
+        }).override {
+          accents = [ "pink" ];
+          size = "compact";
+          #tweaks = [ "rimless" "black" ];
+          variant = "mocha";
+        };
+        description = "catppuccin gtk theme package";
+      };
+      name = mkOption {
+        type = with types; str;
+        default = "catppuccin-mocha-pink-compact";
+        description = "name of catppuccin gtk theme";
+      };
+    };
+
+    cursor = {
+      package = mkOption {
+        type = with types; package;
+        default = pkgs.catppuccin-cursors.mochaDark;
+        description = "catppuccin cursor theme package";
+      };
+      name = mkOption {
+        type = with types; str;
+        default = "catppuccin-mocha-dark-cursors";
+        description = "name of catppuccin cursor theme";
+      };
+    };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes catppuccin configuration to home-manager
+      { passthrough.catppuccin = cfg; }
+    ];
+
+    catppuccin.enable = cfg.enable;
+
+    # gtk and cursor themes
+    environment.systemPackages = with cfg; mkIf enable [
+      gtk.package cursor.package
+    ];
+
+    # override greetd theme
+    programs.regreet = mkIf cfg.enable {
+      theme = {
+        inherit (cfg.gtk) name package;
+      };
+      cursorTheme = {
+        inherit (cfg.cursor) name package;
+      };
+      settings = {
+        background.path = ./solid.png;
+      };
+    };
+  };
+}

home/chrome/home.nix

@@ -0,0 +1,13 @@
+{ pkgs
+, lib
+, config
+, ...}: lib.mkIf config.passthrough.gui {
+  programs.chromium = {
+    enable = true;
+    package = pkgs.google-chrome;
+    commandLineArgs = [
+      "--enable-features=UseOzonePlatform"
+      "--ozone-platform=wayland"
+    ];
+  };
+}

home/chrome/nixos.nix

@@ -0,0 +1,10 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  gui = with config.global.gpu; enable && session;
+in {
+  users.home.persist.directories = mkIf gui [ ".config/google-chrome" ];
+  security.chromiumSuidSandbox.enable = mkIf gui true;
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
+}

home/foot/home.nix

@@ -0,0 +1,11 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  programs.foot = {
+    enable = true;
+    settings.main.term = "xterm-256color";
+    settings.main.font = "DejaVu Sans Mono:size=11";
+    #settings.colors.alpha = 0.8;
+  };
+}

home/gnome/home.nix

@@ -0,0 +1,11 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.gnome;
+in {
+  imports = [
+    ./impl/home.nix
+    ./impl/dconf.nix
+  ];
+}

home/gnome/impl/dconf.nix

@@ -0,0 +1,286 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.gnome;
+  bg = ../../../share/54345906_p0.jpg;
+in mkIf cfg.enable {
+  dconf.settings = let
+    p = "org/gnome";
+    pd = "${p}/desktop";
+    ps = "${p}/shell";
+    pse = "${ps}/extensions";
+    ptl = "${p}/terminal/legacy";
+    ptlp = "${ptl}/profiles:";
+  in {
+    "${pd}/peripherals/mouse".natural-scroll = true;
+    "${pd}/peripherals/touchpad".tap-to-click = true;
+    "${p}/epiphany".ask-for-default = false;
+    "${p}/evolution-data-server".migrated = true;
+
+    "${p}/nautilus/preferences" = {
+      default-folder-viewer = "icon-view";
+      migrated-gtk-settings = true;
+      search-filter-time-type = "last_modified";
+    };
+
+    "${pd}/background" = {
+      color-shading-type = "solid";
+      picture-options = "zoom";
+      picture-uri = "file://${bg}";
+      picture-uri-dark = "file://${bg}";
+      primary-color = "#000000000000";
+      secondary-color = "#000000000000";
+    };
+
+    "${pd}/interface" = {
+      color-scheme = "prefer-dark";
+      cursor-theme = "Bibata-Modern-Classic";
+      font-antialiasing = "grayscale";
+      font-hinting = "slight";
+      gtk-theme = "adw-gtk3-dark";
+      icon-theme = "Papirus-Dark";
+    };
+
+    "${pd}/screensaver" = {
+      color-shading-type = "solid";
+      lock-enabled = false;
+      picture-options = "zoom";
+      picture-uri = "file://${bg}";
+      primary-color = "#000000000000";
+      secondary-color = "#000000000000";
+    };
+
+    "${pd}/wm/preferences" = {
+      action-double-click-titlebar = "toggle-maximize";
+      action-middle-click-titlebar = "minimize";
+      button-layout = "close:appmenu";
+      resize-with-right-button = true;
+    };
+
+    "${pd}/wm/keybindings" = {
+      panel-run-dialog = [ ];
+      begin-resize = [ "<Super>r" ];
+      close = [ "<Shift><Super>q" ];
+      minimize = [ "<Super>BackSpace" ];
+      move-to-workspace-1 = [ "<Shift><Super>1" ];
+      move-to-workspace-2 = [ "<Shift><Super>2" ];
+      move-to-workspace-3 = [ "<Shift><Super>3" ];
+      move-to-workspace-4 = [ "<Shift><Super>4" ];
+      move-to-workspace-left = [ "<Shift><Super>h" ];
+      move-to-workspace-right = [ "<Shift><Super>l" ];
+      switch-to-workspace-1 = [ "<Super>1" ];
+      switch-to-workspace-2 = [ "<Super>2" ];
+      switch-to-workspace-3 = [ "<Super>3" ];
+      switch-to-workspace-4 = [ "<Super>4" ];
+      toggle-maximized = [ "<Super>f" ];
+    };
+
+    "${ps}/keybindings" = {
+      switch-to-application-1 = [ ];
+      switch-to-application-2 = [ ];
+      switch-to-application-3 = [ ];
+      switch-to-application-4 = [ ];
+      switch-to-application-5 = [ ];
+      switch-to-application-6 = [ ];
+      switch-to-application-7 = [ ];
+      switch-to-application-8 = [ ];
+      switch-to-application-9 = [ ];
+      toggle-application-view = [ "<Super>d" ];
+    };
+
+    "${p}/settings-daemon/plugins/media-keys" = {
+      custom-keybindings = [
+        "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/"
+        "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/"
+      ];
+      logout = [ ];
+      screensaver = [ "<Control><Alt>l" ];
+    };
+
+    "${p}/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
+      binding = "<Super>Return";
+      command = "kgx";
+      name = "Launch console";
+    };
+
+    "${p}/settings-daemon/plugins/media-keys/custom-keybindings/custom1" = {
+      binding = "<Super>q";
+      command = "google-chrome-stable";
+      name = "Launch Google Chrome";
+    };
+
+    "${ptlp}" = {
+      #default = "95894cfd-82f7-430d-af6e-84d168bc34f5";
+      list = [
+        "de8a9081-8352-4ce4-9519-5de655ad9361"
+        "71a9971e-e829-43a9-9b2f-4565c855d664"
+        "5083e06b-024e-46be-9cd2-892b814f1fc8"
+        "95894cfd-82f7-430d-af6e-84d168bc34f5"
+      ];
+    };
+
+    "${ptlp}/:5083e06b-024e-46be-9cd2-892b814f1fc8" = {
+      background-color = "#24273a";
+      cursor-background-color = "#f4dbd6";
+      cursor-colors-set = true;
+      cursor-foreground-color = "#24273a";
+      foreground-color = "#cad3f5";
+      highlight-background-color = "#24273a";
+      highlight-colors-set = true;
+      highlight-foreground-color = "#5b6078";
+      palette = [
+        "#494d64" "#ed8796" "#a6da95" "#eed49f"
+        "#8aadf4" "#f5bde6" "#8bd5ca" "#b8c0e0"
+        "#5b6078" "#ed8796" "#a6da95" "#eed49f"
+        "#8aadf4" "#f5bde6" "#8bd5ca" "#a5adcb"
+      ];
+      use-theme-colors = false;
+      visible-name = "Catppuccin Macchiato";
+    };
+
+    "${ptlp}/:71a9971e-e829-43a9-9b2f-4565c855d664" = {
+      background-color = "#303446";
+      cursor-background-color = "#f2d5cf";
+      cursor-colors-set = true;
+      cursor-foreground-color = "#303446";
+      default-size-columns = 150;
+      default-size-rows = 35;
+      foreground-color = "#c6d0f5";
+      highlight-background-color = "#303446";
+      highlight-colors-set = true;
+      highlight-foreground-color = "#626880";
+      palette = [
+        "#51576d" "#e78284" "#a6d189" "#e5c890"
+        "#8caaee" "#f4b8e4" "#81c8be" "#b5bfe2"
+        "#626880" "#e78284" "#a6d189" "#e5c890"
+        "#8caaee" "#f4b8e4" "#81c8be" "#a5adce"
+      ];
+      use-theme-colors = false;
+      visible-name = "Catppuccin Frappe";
+    };
+
+    "${ptlp}/:95894cfd-82f7-430d-af6e-84d168bc34f5" = {
+      background-color = "#1e1e2e";
+      cursor-background-color = "#f5e0dc";
+      cursor-colors-set = true;
+      cursor-foreground-color = "#1e1e2e";
+      foreground-color = "#cdd6f4";
+      highlight-background-color = "#1e1e2e";
+      highlight-colors-set = true;
+      highlight-foreground-color = "#585b70";
+      palette = [
+        "#45475a" "#f38ba8" "#a6e3a1" "#f9e2af"
+        "#89b4fa" "#f5c2e7" "#94e2d5" "#bac2de"
+        "#585b70" "#f38ba8" "#a6e3a1" "#f9e2af"
+        "#89b4fa" "#f5c2e7" "#94e2d5" "#a6adc8"
+      ];
+      use-theme-colors = false;
+      visible-name = "Catppuccin Mocha";
+    };
+
+    "${ptlp}/:de8a9081-8352-4ce4-9519-5de655ad9361" = {
+      background-color = "#eff1f5";
+      cursor-background-color = "#dc8a78";
+      cursor-colors-set = true;
+      cursor-foreground-color = "#eff1f5";
+      foreground-color = "#4c4f69";
+      highlight-background-color = "#eff1f5";
+      highlight-colors-set = true;
+      highlight-foreground-color = "#acb0be";
+      palette = [
+        "#5c5f77" "#d20f39" "#40a02b" "#df8e1d"
+        "#1e66f5" "#ea76cb" "#179299" "#acb0be"
+        "#6c6f85" "#d20f39" "#40a02b" "#df8e1d"
+        "#1e66f5" "#ea76cb" "#179299" "#bcc0cc"
+      ];
+      use-theme-colors = false;
+      visible-name = "Catppuccin Latte";
+    };
+
+    "${ps}" = {
+      disabled-extensions = [
+        "light-style@gnome-shell-extensions.gcampax.github.com"
+        "places-menu@gnome-shell-extensions.gcampax.github.com"
+        "windowsNavigator@gnome-shell-extensions.gcampax.github.com"
+        "window-list@gnome-shell-extensions.gcampax.github.com"
+        "workspace-indicator@gnome-shell-extensions.gcampax.github.com"
+        "dash-to-dock@micxgx.gmail.com"
+      ];
+      enabled-extensions = [
+        "user-theme@gnome-shell-extensions.gcampax.github.com"
+        "apps-menu@gnome-shell-extensions.gcampax.github.com"
+        "drive-menu@gnome-shell-extensions.gcampax.github.com"
+        "appindicatorsupport@rgcjonas.gmail.com"
+        "dash-to-panel@jderose9.github.com"
+        "caffeine@patapon.info"
+        "PrivacyMenu@stuarthayhurst"
+      ];
+      last-selected-power-profile = "performance";
+      welcome-dialog-last-shown-version = "45.3";
+    };
+
+    #"${pse}/user-theme".name = "catppuccin-mocha-pink-compact";
+
+    "${pse}/caffeine" = {
+      screen-blank = "never";
+    };
+
+    "${pse}/dash-to-dock" = {
+      background-opacity = 0.80000000000000004;
+      dash-max-icon-size = 48;
+      dock-position = "BOTTOM";
+      height-fraction = 0.90000000000000002;
+      multi-monitor = false;
+      running-indicator-style = "DOTS";
+      custom-theme-shrink = true;
+    };
+
+    "${pse}/dash-to-panel" = {
+      animate-appicon-hover = false;
+      animate-appicon-hover-animation-type = "SIMPLE";
+      appicon-margin = 0;
+      appicon-padding = 4;
+      appicon-style= "NORMAL";
+      available-monitors = [ 0 ];
+      dot-position = "BOTTOM";
+      dot-style-focused = "METRO";
+      dot-style-unfocused = "DOTS";
+      group-apps = true;
+      hide-overview-on-startup = true;
+      hotkeys-overlay-combo = "TEMPORARILY";
+      intellihide = true;
+      intellihide-behaviour = "FOCUSED_WINDOWS";
+      intellihide-hide-from-windows = true;
+      isolate-workspaces = false;
+      leftbox-padding = -1;
+      overview-click-to-exit = true;
+      panel-anchors = ''{"0":"MIDDLE"}'';
+      panel-element-positions = ''{"0":[{"element":"showAppsButton","visible":true,"position":"stackedTL"},{"element":"activitiesButton","visible":true,"position":"stackedTL"},{"element":"leftBox","visible":false,"position":"stackedTL"},{"element":"taskbar","visible":true,"position":"centerMonitor"},{"element":"centerBox","visible":true,"position":"stackedBR"},{"element":"rightBox","visible":true,"position":"stackedBR"},{"element":"dateMenu","visible":true,"position":"stackedBR"},{"element":"systemMenu","visible":true,"position":"stackedBR"},{"element":"desktopButton","visible":false,"position":"stackedBR"}]}'';
+      panel-lengths = ''{"0":100}'';
+      panel-positions = ''{"0":"BOTTOM"}'';
+      panel-sizes = ''{"0":42}'';
+      primary-monitor = 0;
+      secondarymenu-contains-showdetails = true;
+      show-showdesktop-hover = true;
+      status-icon-padding = -1;
+      stockgs-force-hotcorner = false;
+      stockgs-keep-dash = false;
+      stockgs-keep-top-panel = false;
+      stockgs-panelbtn-click-only = false;
+      trans-bg-color = "#2a2a2a";
+      trans-dynamic-anim-target = 1.0;
+      trans-dynamic-behavior = "MAXIMIZED_WINDOWS";
+      trans-gradient-bottom-color = "#000000";
+      trans-gradient-bottom-opacity = 0.5;
+      trans-gradient-top-opacity = 0.0;
+      trans-panel-opacity = 0.0;
+      trans-use-custom-bg = true;
+      trans-use-custom-gradient = true;
+      trans-use-custom-opacity = true;
+      trans-use-dynamic-opacity = true;
+      tray-padding = -1;
+      window-preview-title-position = "TOP";
+    };
+  };
+}

home/gnome/impl/home.nix

@@ -0,0 +1,32 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.gnome;
+in mkIf cfg.enable {
+  home.packages =
+  with pkgs;
+  with gnome;
+  with gnomeExtensions; [
+    # gtk3 theme
+    adw-gtk3
+
+    # gnomeExtensions
+    caffeine
+    dash-to-panel
+    dash-to-dock
+    appindicator
+    privacy-settings-menu
+  ];
+
+  catppuccin.enable = mkForce false;
+  home.pointerCursor = mkForce null;
+  gtk.enable = false;
+
+  home.persistence."/nix/persist/home/${config.home.username}" = {
+    removePrefixDirectory = true;
+    files = [
+      (if config.specialisation != {} then "gnome/.config/monitors.xml" else "extern/.config/monitors.xml")
+    ];
+  };
+}

home/gnome/impl/nixos.nix

@@ -0,0 +1,49 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.gnome;
+in mkIf cfg.enable {
+  global.flatpak.enable = mkDefault true;
+  home.catppuccin.enable = mkDefault false;
+  catppuccin.enable = false;
+  programs.regreet.enable = false;
+  services.xserver.enable = true;
+  services.xserver.displayManager.startx.enable = false;
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+  services.udev.packages = with pkgs; [ gnome-settings-daemon ];
+  services.hardware.bolt.enable = true;
+  xdg.portal.configPackages = with pkgs; [ gnome-session ];
+  hardware.pulseaudio.enable = false;
+
+  environment.gnome.excludePackages = (with pkgs; [
+    snapshot
+    gnome-tour
+  ] ++ optionals config.global.flatpak.enable [
+    baobab
+    simple-scan
+    evince
+    file-roller
+    geary
+    loupe
+    seahorse
+    totem
+    epiphany
+    gnome-calculator
+    gnome-calendar
+    gnome-connections
+    gnome-font-viewer
+    gnome-text-editor
+    gnome-characters
+    gnome-clocks
+    gnome-contacts
+    gnome-logs
+    gnome-maps
+    gnome-music
+    gnome-weather
+  ]) ++ (with pkgs.gnome; [ ] ++ optionals config.global.flatpak.enable [
+  ]);
+
+  users.home.persist.directories = [ ".config/dconf" ];
+}

home/gnome/nixos.nix

@@ -0,0 +1,25 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.gnome;
+in {
+  imports = [ ./impl/nixos.nix ];
+
+  options.home.gnome = {
+    enable = mkEnableOption "GNOME desktop environment";
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes gnome configuration to home-manager
+      { passthrough.gnome = cfg; }
+    ];
+
+    specialisation.nognome = with cfg; mkIf enable {
+      configuration = {
+        home.gnome.enable = mkForce false;
+      };
+    };
+  };
+}

home/gui/home.nix

@@ -0,0 +1,35 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  catppuccin = config.passthrough.catppuccin.enable;
+in {
+  config = mkIf config.passthrough.gui {
+    # cursor theme
+    home.pointerCursor = {
+      package = mkDefault pkgs.bibata-cursors;
+      name = mkDefault "Bibata-Modern-Classic";
+      size = 24;
+      x11.enable = true;
+      gtk.enable = true;
+    };
+
+    # gtk theme
+    gtk.theme = mkDefault {
+      package = pkgs.whitesur-gtk-theme;
+      name = "WhiteSur-Dark";
+    };
+
+    # gtk icons
+    gtk.iconTheme = mkDefault {
+      package = pkgs.papirus-icon-theme;
+      name = "Papirus-Dark";
+    };
+
+    # unify qt theme
+    qt.platformTheme.name = mkDefault "gtk";
+
+    gtk.enable = mkDefault true;
+    qt.enable = mkDefault true;
+  };
+}

home/gui/nixos.nix

@@ -0,0 +1,36 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  gui = with config.global.gpu; enable && session;
+  catppuccin = config.home.catppuccin;
+in {
+  config = {
+    users.homeModules = [
+      # this module passes gui configuration to home-manager
+      { passthrough.gui = gui; }
+    ];
+    users.adminGroups = mkIf gui [ "video" ];
+
+    # themes and icons
+    environment.systemPackages = with pkgs; mkIf gui ([
+      papirus-icon-theme
+    ] ++ optionals (!catppuccin.enable) [
+      whitesur-gtk-theme
+      whitesur-icon-theme
+      bibata-cursors
+    ]);
+
+    fonts.enableDefaultPackages = mkIf gui true;
+
+    security = mkIf gui {
+      polkit.enable = true;
+    };
+    programs = mkIf gui {
+      dconf.enable = true;
+    };
+    services = mkIf gui {
+      blueman.enable = !config.global.flatpak.enable;
+    };
+  };
+}

home/gyroflow/home.nix

@@ -0,0 +1,13 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.gyroflow;
+in mkIf cfg.enable {
+  # temporarily gone until regression is fixed
+  #home.packages = [ cfg.package ];
+
+  wayland.windowManager.sway.config.window.commands = [
+    { criteria.app_id = "xyz.gyroflow.gyroflow"; command = "floating enable"; }
+  ];
+}

home/gyroflow/nixos.nix

@@ -0,0 +1,26 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.gyroflow;
+in {
+  options.home.gyroflow = {
+    enable = mkEnableOption "gyroflow stabilisation software";
+    package = mkOption {
+      type = with types; package;
+      default = pkgs.gyroflow.overrideAttrs (finalAttrs: previousAttrs: {
+        buildInputs = previousAttrs.buildInputs ++ [ pkgs.qt6Packages.qtwayland ];
+      });
+      description = "gyroflow package";
+    };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes gyroflow configuration to home-manager
+      { passthrough.gyroflow = cfg; }
+    ];
+
+    users.home.persist.directories = mkIf cfg.enable [ ".config/Gyroflow" ];
+  };
+}

home/headless/home.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.headless;
+in mkIf (cfg.enable != null) {
+  wayland.windowManager.sway.config = {
+    output = {
+      ${cfg.enable}.pos = "0 0";
+      HEADLESS-1 = cfg.output;
+    };
+
+    startup = [ { command = "swaymsg create_output && swaymsg output HEADLESS-1 disable"; } ];
+  };
+
+  home.packages = [ (pkgs.writeShellScriptBin "headless" ''
+    swaymsg output HEADLESS-1 enable
+    ${pkgs.wayvnc}/bin/wayvnc \
+      --output=HEADLESS-1 \
+      ${cfg.extraArgs} \
+      ${cfg.host} ${toString cfg.port}
+    swaymsg output HEADLESS-1 disable
+  '') ];
+}

home/headless/nixos.nix

@@ -0,0 +1,51 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.headless;
+in {
+  options.home.headless = {
+    enable = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = "a headless, remotely viewed sway display";
+    };
+
+    output = mkOption {
+      type = with types; attrsOf str;
+      default = {
+        # pixel tablet
+        mode = "2560x1600";
+        scale = "2";
+        pos = "1920 0";
+      };
+      description = "headless display configuration";
+    };
+
+    host = mkOption {
+      type = with types; str;
+      default = "0.0.0.0";
+      description = "wayvnc listen host";
+    };
+
+    port = mkOption {
+      type = with types; port;
+      # utility port
+      default = 1300;
+      description = "wayvnc listen port";
+    };
+
+    extraArgs = mkOption {
+      type = with types; str;
+      default = "--max-fps=60";
+      description = "extra wayvnc args";
+    };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes headless configuration to home-manager
+      { passthrough.headless = cfg; }
+    ];
+  };
+}

home/i3status/home.nix

@@ -0,0 +1,77 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  programs.i3status = {
+    enable = true;
+    enableDefault = false;
+    general.colors = true;
+    general.interval = 1;
+
+    modules = {
+      "ethernet _first_" = {
+        position = 1;
+        settings = {
+          format_up = "%ip at %speed";
+          format_down = "";
+        };
+      };
+
+      "wireless _first_" = {
+        position = 2;
+        settings = {
+          format_up = ''%ip at %bitrate (\"%essid\"%quality @ %frequency)'';
+          format_down = "";
+        };
+      };
+
+      "disk /nix/persist" = {
+        position = 3;
+        settings = {
+          format = "%avail (%percentage_avail)";
+          threshold_type = "percentage_free";
+          low_threshold = 25;
+        };
+      };
+
+      memory = {
+        position = 4;
+        settings = {
+          format = "%used / %total";
+          threshold_degraded = "10%";
+          threshold_critical = "5%";
+          format_degraded = ">>> %used / %total <<<";
+        };
+      };
+
+      load = {
+        position = 5;
+        settings = {
+          format = "%1min %5min %15min";
+          max_threshold =
+            removeSuffix "\n" (builtins.readFile (pkgs.runCommandLocal "nproc" { } "nproc > $out"));
+        };
+      };
+
+      "battery all" = {
+        position = 6;
+        settings = {
+          format = "%status%percentage @ %consumption ~ %remaining";
+          format_down = "";
+          status_chr = "^";
+          status_full = "";
+          status_unk = "?";
+          status_bat = "";
+          last_full_capacity = true;
+          threshold_type = "percentage";
+          low_threshold = "15";
+        };
+      };
+
+      "tztime local" = {
+        position = 127;
+        settings = { format = "%Y-%m-%d %H:%M:%S"; };
+      };
+    };
+  };
+}

home/imv/home.nix

@@ -0,0 +1,6 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  programs.imv.enable = true;
+}

home/jetbrains/home.nix

@@ -0,0 +1,11 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.jetbrains;
+in mkIf cfg.enable {
+  home.packages = with pkgs.jetbrains; [ pkgs.go ] ++
+    optional cfg.idea idea-community ++
+    optional cfg.clion clion ++
+    optional cfg.goland goland;
+}

home/jetbrains/nixos.nix

@@ -0,0 +1,27 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.jetbrains;
+in {
+  options.home.jetbrains = {
+    enable = mkEnableOption "jetbrains text editor";
+    idea = mkEnableOption "intellij idea";
+    clion = mkEnableOption "clion ide";
+    goland = mkEnableOption "goland ide" // { default = true; };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes jetbrains configuration to home-manager
+      { passthrough.jetbrains = cfg; }
+    ];
+
+    users.home.persist.directories = mkIf cfg.enable [
+      "go"
+      ".java/.userPrefs"
+      ".config/JetBrains"
+      ".local/share/JetBrains"
+    ];
+  };
+}

home/libreoffice/home.nix

@@ -0,0 +1,9 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.libreoffice;
+  enable = cfg.enable && (cfg.allUsers || (config.home.username == "app"));
+in mkIf enable {
+  home.packages = with pkgs; [ libreoffice ];
+}

home/libreoffice/nixos.nix

@@ -0,0 +1,22 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.libreoffice;
+  persist = [ ".config/libreoffice" ];
+in {
+  options.home.libreoffice = {
+    enable = mkEnableOption "open source office suite";
+    allUsers = mkEnableOption "set up for all users";
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes minecraft configuration to home-manager
+      { passthrough.libreoffice = cfg; }
+    ];
+
+    users.home.persist.directories = with cfg; mkIf (enable && allUsers) persist;
+    users.home.persistApp.directories = with cfg; mkIf (enable && !allUsers) persist;
+  };
+}

home/mako/home.nix

@@ -0,0 +1,10 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  services.mako = {
+    enable = true;
+    defaultTimeout = 5000;
+    anchor = "bottom-center";
+  };
+}

home/minecraft/home.nix

@@ -0,0 +1,16 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  inherit (config.passthrough) gui;
+  cfg = config.passthrough.minecraft;
+  enable = cfg.enable && config.home.username == cfg.user;
+in mkIf enable {
+  home.packages = with pkgs; [
+    jdk8
+  ] ++ optional gui prismlauncher;
+
+  wayland.windowManager.sway.config.window.commands = mkIf gui [
+    { criteria.app_id = "org.prismlauncher.PrismLauncher"; command = "floating enable"; }
+  ];
+}

home/minecraft/nixos.nix

@@ -0,0 +1,33 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.minecraft;
+  gui = with config.global.gpu; enable && session;
+in {
+  options.home.minecraft = {
+    enable = mkEnableOption "minecraft game launcher and jvm";
+    user = mkOption {
+      type = with types; str;
+      default = "minecraft";
+      description = "username which minecraft game client runs under";
+    };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes minecraft configuration to home-manager
+      { passthrough.minecraft = cfg; }
+    ];
+
+    users.profiles.minecraft = mkIf (cfg.enable && cfg.user == "minecraft") {
+      uid = 5801;
+      description = "Minecraft";
+      picture = ../picture/aux.png;
+    };
+
+    environment.persistence."/nix/persist".users.${cfg.user} = mkIf (cfg.enable && gui) {
+      directories = [ ".local/share/PrismLauncher" ];
+    };
+  };
+}

home/mpv/home.nix

@@ -0,0 +1,14 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  programs.mpv = {
+    enable = true;
+    config = {
+      hwdec = "auto-safe";
+      vo = "gpu";
+      profile = "gpu-hq";
+      gpu-context = "wayland";
+    };
+  };
+}

home/plasma/config.nix

@@ -0,0 +1,13 @@
+{
+  programs.plasma = {
+    workspace = {
+      lookAndFeel = "org.kde.breezedark.desktop";
+      #clickItemTo = "select";
+    };
+
+    configFile = {
+      baloofilerc."Basic Settings"."Indexing-Enabled" = false;
+      kcminputrc.Libinput."2362"."597"."UNIW0001:00 093A:0255 Touchpad".NaturalScroll = true;
+    };
+  };
+}

home/plasma/home.nix

@@ -0,0 +1,51 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.plasma;
+  image = ../../share/54345906_p0.jpg;
+in mkIf cfg.enable {
+  programs.plasma = {
+    # https://github.com/pjones/plasma-manager
+    enable = true;
+    #overrideConfig = true;
+
+    workspace = {
+      lookAndFeel = "org.kde.breezedark.desktop";
+      wallpaper = image;
+    };
+
+    hotkeys.commands = {
+      launch-konsole = {
+        name = "Launch Konsole";
+        key = "Meta+Enter";
+        command = "konsole";
+      };
+    };
+
+    configFile = {
+      baloofilerc."Basic Settings"."Indexing-Enabled" = false;
+      kscreenlockerrc.Greeter.Wallpaper."org.kde.image".General.Image = image;
+      kscreenlockerrc.Greeter.Wallpaper."org.kde.image".General.PreviewImage = image;
+    };
+  } // cfg.extraConfig;
+
+  home.activation.gtkCleanup = hm.dag.entryAfter [ "writeBoundary" ] ''
+    $DRY_RUN_CMD rm -f $HOME/.gtkrc-2.0.old
+  '';
+
+  qt.enable = false;
+  qt.platformTheme.name = null;
+
+  # gtk theme
+  gtk.theme = {
+    package = pkgs.kdePackages.breeze-gtk;
+    name = "Breeze-Dark";
+  };
+
+  # gtk icons
+  gtk.iconTheme = {
+    package = pkgs.kdePackages.breeze-icons;
+    name = "breeze-dark";
+  };
+}

home/plasma/nixos.nix

@@ -0,0 +1,52 @@
+{ pkgs
+, lib
+, config
+, plasma-manager
+, ... }: with lib; let
+  cfg = config.home.plasma;
+in {
+  options.home.plasma = {
+    enable = mkEnableOption "plasma desktop and configuration";
+    specialise = mkEnableOption "enable plasma in a specialisation";
+    extraConfig = mkOption {
+      type = with types; anything;
+      default = { };
+      description = "extra plasma-manager configuration";
+    };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes plasma configuration to home-manager
+      { passthrough.plasma = cfg; }
+    ];
+
+    users.home.persist.files = mkIf cfg.enable [
+      ".config/kwinoutputconfig.json"
+    ];
+    users.home.persist.directories = mkIf cfg.enable [
+      ".local/share/kwalletd"
+    ];
+
+    services.desktopManager.plasma6 = mkIf cfg.enable {
+      enable = true;
+    };
+
+    home-manager.backupFileExtension = mkIf cfg.enable "old";
+    home-manager.sharedModules = [
+      plasma-manager.homeManagerModules.plasma-manager
+    ];
+
+    services.blueman = mkIf cfg.enable {
+      enable = mkForce false;
+    };
+
+    home = mkIf cfg.enable {
+      catppuccin.enable = mkForce false;
+    };
+
+    specialisation.plasma = mkIf cfg.specialise {
+      configuration.home.plasma.enable = true;
+    };
+  };
+}

home/profile.nix

@@ -1,6 +1,7 @@
 { pkgs
 , lib
 , config
+, inputs
 , ... }: with lib; let
   cfg = config.users;
 in {
@@ -28,6 +29,11 @@ in {
             default = false;
             description = "enable ssh authorized keys for user";
           };
+          picture = mkOption {
+            type = with types; nullOr path;
+            default = null;
+            description = "path to user profile picture";
+          };
         };
       });
       description = "preconfigured users with profile options";
@@ -67,9 +73,9 @@ in {
       users = mapAttrs (name: opts: {
         inherit (opts) uid;
         description = with opts; mkIf (description != null) description;
-        extraGroups = mkIf opts.admin cfg.adminGroups;
+        extraGroups = [ "dialout" ] ++ optionals opts.admin cfg.adminGroups;
         openssh.authorizedKeys.keys = mkIf (opts.sshLogin && config.services.openssh.enable)
-        config.faucet.auth.openssh.publicKeys;
+        config.global.auth.openssh.publicKeys;
         hashedPasswordFile = "/nix/persist/shadow/${name}";
         shell = pkgs.zsh;
         isNormalUser = mkIf (name != "root") true;
@@ -79,8 +85,9 @@ in {
 
       # base groups
       adminGroups = [
-        "wheel" "dialout" "kvm"
+        "wheel" "kvm"
         "systemd-journal"
+        "networkmanager"
       ];
 
       # base home modules in current directory
@@ -124,25 +131,64 @@ in {
       neededForBoot = true;
     }) cfg.profiles;
 
+    global.fs.zfs.mountpoints = mapAttrs'
+    (name: opts: nameValuePair
+    "/nix/persist/home/${name}"
+    "home/${name}")
+    (filterAttrs (n: _: n != "root") config.users.profiles);
+
     home-manager.users = mapAttrs (name: opts: {
-      imports = cfg.homeModules;
+      imports = with inputs; cfg.homeModules ++ [
+        impermanence.homeManagerModules.impermanence
+        catppuccin.homeManagerModules.catppuccin
+      ];
+      home.file.".face" = mkIf (opts.picture != null) {
+        source = opts.picture;
+      };
       home.stateVersion = "23.11";
     }) cfg.profiles;
 
+    system.activationScripts = mapAttrs'
+    (name: opts: nameValuePair
+    "${name}-profile-icon"
+    {
+      deps = [ "users" ];
+      text = let
+        iconDest = "/var/lib/AccountsService/icons/${name}";
+        userConf = pkgs.writeText "${name}-config" ''
+          [User]
+          Session=
+          Icon=${iconDest}
+          SystemAccount=false
+        '';
+      in ''
+        install -Dm 0444 ${opts.picture} ${iconDest}
+        install -Dm 0400 ${userConf} /var/lib/AccountsService/users/${name}
+      '';
+    })
+    (filterAttrs (n: _: n != "root") config.users.profiles);
+
     # set up standard persistence for users
     # this is registered internally for each software's configuration
     environment.persistence."/nix/persist" = {
-      users = mapAttrs (name: _: cfg.home.persist // {
+      users = (mapAttrs (name: _: cfg.home.persist // {
         # root workaround, ugly but necessary
         # cannot get it properly for the same reason
         # mentioned above in fileSystems
         home = mkIf (name == "root") "/root";
-      }) cfg.profiles;
+      }) cfg.profiles);
+
       hideMounts = true;
     };
 
     # enable passwordless sudo
     security.sudo.wheelNeedsPassword = false;
+
+    # enable access in build-vm
+    virtualisation.vmVariant = {
+      users.users.koishi.password = "passwd";
+      users.users.koishi.hashedPasswordFile = mkForce null;
+    };
   };
 
   # this is for home components that need to extend nixos

home/steam/config.nix

@@ -0,0 +1,14 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.steam;
+in mkIf cfg.enable {
+  hardware.steam-hardware.enable = true;
+
+  networking.firewall = {
+    allowedTCPPorts = [ 27015 27036 ];
+    allowedUDPPorts = [ 27015 ];
+    allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
+  };
+}

home/steam/home.nix

@@ -0,0 +1,17 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.steam;
+  enable = cfg.enable && (cfg.allUsers || (config.home.username == "app"));
+  package = config.programs.steam.package;
+in mkIf enable {
+  home.packages = with pkgs; [
+    cfg.package
+    cfg.package.run
+  ];
+
+  wayland.windowManager.sway.config.window.commands = [
+    { criteria.class = "steam"; command = "floating enable"; }
+  ];
+}

home/steam/nixos.nix

@@ -0,0 +1,29 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.steam;
+  persist = [ ".steam" ".local/share/Steam" ];
+in {
+  imports = [ ./config.nix ];
+
+  options.home.steam = {
+    enable = mkEnableOption "steam software and environment";
+    package = mkOption {
+      type = with types; package;
+      default = config.programs.steam.package;
+      description = "steam package";
+    };
+    allUsers = mkEnableOption "set up for all users";
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes steam configuration to home-manager
+      { passthrough.steam = cfg; }
+    ];
+
+    users.home.persist.directories = with cfg; mkIf (enable && allUsers) persist;
+    users.home.persistApp.directories = with cfg; mkIf (enable && !allUsers) persist;
+  };
+}

home/sway/home.nix

@@ -0,0 +1,48 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  wayland.windowManager.sway = {
+    enable = true;
+
+    wrapperFeatures.base = true;
+    wrapperFeatures.gtk = true;
+
+    swaynag.enable = true;
+    config = {
+      defaultWorkspace = "workspace number 1";
+      modifier = "Mod4";
+      keybindings = let
+        modifier = config.wayland.windowManager.sway.config.modifier;
+      in mkOptionDefault {
+        XF86MonBrightnessUp = "light -A 5";
+        XF86MonBrightnessDown = "light -U 5";
+
+        "Control+Alt+l" = "exec swaylock -f --grace 0";
+        "Print" = "exec ${pkgs.grim}/bin/grim - | ${pkgs.wl-clipboard}/bin/wl-copy";
+        "${modifier}+Print" = "exec ${pkgs.grim}/bin/grim -g \"$(${pkgs.slurp}/bin/slurp)\" - | ${pkgs.wl-clipboard}/bin/wl-copy";
+        "${modifier}+q" = "exec google-chrome-stable";
+        "${modifier}+Home" = "exec ${pkgs.pavucontrol}/bin/pavucontrol";
+      };
+
+      bars = [ {
+        mode = "dock";
+        position = "bottom";
+        workspaceButtons = true;
+        workspaceNumbers = true;
+        statusCommand = "${pkgs.i3status}/bin/i3status";
+        fonts = {
+          names = [ "monospace" ];
+          size = 8.0;
+        };
+        trayOutput = "primary";
+        # sets transparency
+        colors.background = "00000000";
+      } ];
+
+      input."*".natural_scroll = "enabled";
+      input."type:touchpad".tap = "enabled";
+      output."*".bg = "#000000 solid_color";
+    };
+  };
+}

home/sway/nixos.nix

@@ -0,0 +1,37 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  gui = with config.global.gpu; enable && session;
+  nvidia = with config.global.gpu; type == "nvidia" || type == "prime";
+in mkIf gui {
+  services.displayManager.sessionPackages = [
+    (pkgs.writeTextFile {
+      name = "sway-session";
+      destination = "/share/wayland-sessions/sway.desktop";
+      text = ''
+        [Desktop Entry]
+        Name=Sway
+        Comment=An i3-compatible Wayland compositor
+        Exec=${pkgs.writeTextFile {
+          name = "sway-wrapper";
+          executable = true;
+          text = ''
+            #!${pkgs.zsh}/bin/zsh
+            SHLVL=0
+            for profile in ''${(z)NIX_PROFILES}; do
+              fpath+=($profile/share/zsh/site-functions $profile/share/zsh/$ZSH_VERSION/functions $profile/share/zsh/vendor-completions)
+            done
+            exec sway${if nvidia then " --unsupported-gpu" else ""} 2>&1 >> $XDG_CACHE_HOME/sway
+          '';
+          checkPhase = ''
+            ${pkgs.stdenv.shellDryRun} "$target"
+          '';
+        }}
+        Type=Application
+      '';
+    } // { providedSessions = [ pkgs.sway.meta.mainProgram ]; })
+  ];
+
+  programs.light.enable = true;
+}

home/swayidle/home.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  services.swayidle = let
+    sway = config.wayland.windowManager.sway.package;
+    swaymsg = "${sway}/bin/swaymsg";
+    swaylock = "${config.programs.swaylock.package}/bin/swaylock";
+  in {
+    enable = true;
+    systemdTarget = "sway-session.target";
+    timeouts = [
+      { timeout = 600; command = "${swaymsg} 'output * dpms off'"; resumeCommand = "${swaymsg} 'output * dpms on'"; }
+    ];
+    events = [
+      { event = "before-sleep"; command = "${swaylock} -f --grace 0"; }
+    ];
+  };
+
+  # fullscreen as simple idle inhibitor shortcut
+  wayland.windowManager.sway.config.window.commands = [
+    { criteria.shell = ".*"; command = "inhibit_idle fullscreen"; }
+  ];
+}

home/swaylock/home.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  programs.swaylock = {
+    enable = true;
+    package = pkgs.swaylock-effects;
+    settings = {
+      indicator-caps-lock = true;
+      font-size = 20;
+      ignore-empty-password = true;
+      show-failed-attempts = true;
+      color = mkDefault "#00000000";
+
+      # Ring
+      indicator-radius = 115;
+
+      # Swaylock-effects specific settings
+      clock = true;
+      timestr = "%r";
+      grace = 2;
+    };
+  };
+}

home/swaylock/nixos.nix

@@ -0,0 +1,8 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  gui = with config.global.gpu; enable && session;
+in mkIf gui {
+  security.pam.services.swaylock = { };
+}

home/user.nix

@@ -5,11 +5,13 @@
       description = "Koishi";
       admin = true;
       sshLogin = true;
+      picture = ./picture/koishi.png;
     };
 
     staging = {
       uid = 1000;
       description = "Staging Environment";
+      picture = ./picture/staging.png;
     };
 
     root.uid = 0;

home/util/home.nix

@@ -0,0 +1,33 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.util;
+in {
+  home.packages = with pkgs; [
+    pv file wget e2fsprogs
+  ] ++ optionals (!cfg.minimal) [
+    tio mbuffer sedutil
+    lsscsi zip unzip
+    nix-index dnsutils whois
+    pciutils usbutils nvme-cli
+  ] ++ optionals config.passthrough.gui [
+    gtk-engine-murrine
+    gnome-themes-extra
+
+    mission-planner
+    inav-configurator
+    inav-blackbox-tools
+    (blhelisuite32.override { workdir = "${config.home.homeDirectory}/.blhelisuite32"; })
+  ] ++ optionals (config.passthrough.gui && !config.passthrough.flatpak.enable) [
+    xfce.thunar gimp
+    jellyfin-media-player
+    betaflight-configurator
+    expresslrs-configurator
+  ];
+
+  wayland.windowManager.sway.config.window.commands = mkIf config.passthrough.gui [
+    { criteria.class = "BLHeliSuite32xl"; command = "floating enable"; }
+    { criteria.app_id = "thunar"; command = "floating enable"; }
+  ];
+}

home/util/nixos.nix

@@ -0,0 +1,44 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.util;
+  gui = with config.global.gpu; enable && session;
+in {
+  options.home.util = {
+    minimal = mkEnableOption "minimal system environment with less packages";
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes util configuration to home-manager
+      { passthrough.util = cfg; }
+      # this module passes flatpak configuration to home-manager
+      { passthrough.flatpak = config.global.flatpak; }
+    ];
+
+    programs.zsh.enable = true;
+    environment.shells = singleton pkgs.zsh;
+
+    users.home.persist.directories = [ ] ++
+    optionals (!cfg.minimal) [
+      ".cache/nix-index"
+    ] ++
+    optionals gui [
+      # mission-planner
+      ".local/share/Mission Planner"
+      # inav-configurator
+      ".config/inav-configurator"
+    ] ++
+    optionals (gui && !config.global.flatpak.enable) [
+      # jellyfin-media-player
+      ".config/jellyfin.org"
+      ".local/share/jellyfinmediaplayer"
+      ".local/share/Jellyfin Media Player"
+      # expresslrs-configurator
+      ".config/ExpressLRS Configurator"
+      # betaflight-configurator
+      ".config/betaflight-configurator"
+    ];
+  };
+}

home/virt-manager/home.nix

@@ -0,0 +1,58 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  dconf.settings = let
+    p = "org/virt-manager/virt-manager";
+  in {
+    ${p} = {
+      xmleditor-enabled = true;
+      # swaybar tray doesn't really work
+      system-tray = false;
+    };
+
+    "${p}/details".show-toolbar = true;
+    "${p}/console" = {
+      scaling = 0;
+      auto-redirect = false;
+      resize-guest = 1;
+    };
+    "${p}/stats" = {
+      enable-memory-poll = true;
+      enable-disk-poll = true;
+      enable-net-poll = true;
+    };
+    "${p}/vmlist-fields" = {
+      host-cpu-usage = true;
+      memory-usage = true;
+      disk-usage = true;
+      network-traffic = true;
+    };
+
+    "${p}/new-vm" = {
+      firmware = "uefi";
+      graphics-type = "system";
+    };
+
+    "${p}/confirm" = {
+      unapplied-dev = true;
+      removedev = true;
+      delete-storage = true;
+      forcepoweroff = false;
+    };
+
+    "${p}/connections" = let
+      uri = "qemu:///system";
+    in {
+      uris = [ uri ];
+      autoconnect = [ uri ];
+    };
+    "${p}/conns/qemu:system".pretty-name = "KVM";
+  };
+
+  # floating other than main window
+  wayland.windowManager.sway.config.window.commands = [
+    { criteria.app_id = "virt-manager"; command = "floating enable"; }
+    { criteria.app_id = "virt-manager"; criteria.title = "Virtual Machine Manager"; command = "floating disable"; }
+  ];
+}

home/virt-manager/nixos.nix

@@ -0,0 +1,8 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  gui = with config.global.gpu; enable && session;
+in mkIf gui {
+  programs.virt-manager.enable = true;
+}

home/vscode/home.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.vscode;
+  theme = config.passthrough.catppuccin.enable;
+in mkIf cfg.enable {
+  programs.vscode = {
+    enable = true;
+    mutableExtensionsDir = false;
+    enableUpdateCheck = false;
+    enableExtensionUpdateCheck = false;
+    package = pkgs.vscodium;
+    extensions = with pkgs.vscode-extensions; [
+      catppuccin.catppuccin-vsc catppuccin.catppuccin-vsc-icons
+      bbenoist.nix golang.go rust-lang.rust-analyzer
+    ];
+    userSettings = {
+      "workbench.colorTheme" = mkIf theme "Catppuccin Mocha";
+      "workbench.iconTheme" = mkIf theme "catppuccin-mocha";
+      "[nix]"."editor.tabSize" = 2;
+    };
+  };
+}

home/vscode/nixos.nix

@@ -0,0 +1,19 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.vscode;
+in {
+  options.home.vscode = {
+    enable = mkEnableOption "vscode text editor";
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes vscode configuration to home-manager
+      { passthrough.vscode = cfg; }
+    ];
+
+    users.home.persist.directories = mkIf cfg.enable [ ".config/VSCodium" ];
+  };
+}

home/wofi/home.nix

@@ -0,0 +1,12 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  programs.wofi = {
+    enable = true;
+    settings.mode = "drun";
+    settings.allow_images = true;
+  };
+
+  wayland.windowManager.sway.config.menu = "wofi -show drun -modi drun";
+}

package/blhelisuite32/default.nix

@@ -0,0 +1,92 @@
+{ lib
+, libicns
+, p7zip
+, fetchzip
+, stdenvNoCC
+, makeDesktopItem
+, buildFHSUserEnv
+, workdir ? "/tmp/blhelisuite32" }: let
+  name = "BLHeliSuite32";
+  pname = "blhelisuite32";
+  version = "32.10";
+  suffix = "1044";
+
+  dist = fetchzip {
+    name = "${pname}-dist";
+    url = "https://github.com/bitdump/BLHeli/releases/download/Rev${version}/${name}xLinux64_${suffix}.zip";
+    hash = "sha256-y4S824s9Ipxb1M1IeD6Lo6k7hmm8CEmPflvhaqZz+84=";
+  };
+
+  desktopItem = makeDesktopItem {
+    name = pname;
+    exec = pname;
+    icon = pname;
+    comment = "This Application may flash and configure BLHeli_32 based ESCs";
+    desktopName = name;
+    genericName = "BLHeli for brushless ESC firmware";
+  };
+
+  icons = stdenvNoCC.mkDerivation {
+    pname = "${pname}-icons";
+    inherit version;
+    src = fetchzip {
+      name = "${pname}-macos";
+      url = "https://github.com/bitdump/BLHeli/releases/download/Rev${version}/${name}xm_MacOS64_${suffix}.zip";
+      hash = "sha256-StRnrVI8p51vNsTMO1LtaZvENbG7XZ1V/mKHe4pO7kU=";
+    };
+
+    nativeBuildInputs = [ libicns p7zip ];
+
+    configurePhase = ''
+      7z x *.dmg
+    '';
+
+    buildPhase = ''
+      icns2png -x ${name}xm_MacOS64_${suffix}/${name}xm.app/Contents/Resources/${name}xm.icns
+    '';
+
+    installPhase = ''
+      mkdir -p "$out"
+      cp -r ${name}*.png "$out"
+    '';
+  };
+
+  linked = stdenvNoCC.mkDerivation {
+    inherit pname version;
+    phases = [ "unpackPhase" "patchPhase" "installPhase" ];
+    src = dist;
+
+    installPhase = ''
+      cp -r . "$out"
+
+      # BLHeliSuite32 tries to write next to its binary
+      ln -s ${workdir}/settings $out/Settings
+      ln -s ${workdir}/music $out/Music
+    '';
+  };
+in buildFHSUserEnv {
+  inherit pname version;
+  targetPkgs = pkgs: (with pkgs; [
+    glib libGL curl
+    libgcc gtk3
+    zlib systemdLibs
+  ]);
+  extraInstallCommands = let
+    mkIconScale = scale:
+    "install -m 444 -D ${icons}/${name}xm_${scale}x${scale}x32.png $out/share/icons/hicolor/${scale}x${scale}/apps/${pname}.png";
+  in ''
+    ${mkIconScale "16"}
+    ${mkIconScale "32"}
+    ${mkIconScale "64"}
+    ${mkIconScale "128"}
+    ${mkIconScale "256"}
+    ${mkIconScale "512"}
+    ${mkIconScale "1024"}
+    cp -r ${desktopItem}/share/applications $out/share/
+  '';
+
+  runScript = "sh -c '" +
+  "mkdir -p ${workdir}/settings && " +
+  "mkdir -p ${workdir}/music && " +
+  "exec ${linked}/${name}xl'";
+}