chore(flake): bump inputs

These options print newlines as progress.

.gitignore

@@ -1 +1,3 @@
+result-*
 result
+repl-result-*

flake.lock

@@ -1,30 +1,33 @@
 {
   "nodes": {
+    "catppuccin": {
+      "locked": {
+        "lastModified": 1734057772,
+        "narHash": "sha256-waF/2Y39JXJ4kG3zawmw1J1GxPHopyoOkJKJhfJ7RBs=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "20b6328df20ae45752c81311d225fd47cba32483",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
     "crane": {
       "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
         "nixpkgs": [
           "lanzaboote",
           "nixpkgs"
-        ],
-        "rust-overlay": [
-          "lanzaboote",
-          "rust-overlay"
         ]
       },
       "locked": {
-        "lastModified": 1681177078,
-        "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
+        "lastModified": 1717535930,
+        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
+        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
         "type": "github"
       },
       "original": {
@@ -36,11 +39,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -56,11 +59,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706830856,
-        "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -77,11 +80,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1680392223,
-        "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+        "lastModified": 1717285511,
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
         "type": "github"
       },
       "original": {
@@ -95,11 +98,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -113,11 +116,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -135,11 +138,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
@@ -155,11 +158,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1707175763,
-        "narHash": "sha256-0MKHC6tQ4KEuM5rui6DjKZ/VNiSANB4E+DJ/+wPS1PU=",
+        "lastModified": 1734093295,
+        "narHash": "sha256-hSwgGpcZtdDsk1dnzA0xj5cNaHgN9A99hRF/mxMtwS4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "f99eace7c167b8a6a0871849493b1c613d0f1b80",
+        "rev": "66c5d8b62818ec4c1edb3e941f55ef78df8141a8",
         "type": "github"
       },
       "original": {
@@ -170,11 +173,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1706639736,
-        "narHash": "sha256-CaG4j9+UwBDfinxxvJMo6yOonSmSo0ZgnbD7aj2Put0=",
+        "lastModified": 1731242966,
+        "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "cd13c2917eaa68e4c49fea0ff9cada45440d7045",
+        "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
         "type": "github"
       },
       "original": {
@@ -184,6 +187,25 @@
         "type": "github"
       }
     },
+    "jovian": {
+      "inputs": {
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1734162608,
+        "narHash": "sha256-m2AX+3eiVqIK6uO7GbGY7SFnkkYOlR5fQiNI0eRvWOQ=",
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "rev": "31bdf4c7c91204d65afbde01146deee0259a8fb7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "type": "github"
+      }
+    },
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
@@ -197,27 +219,49 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1682802423,
-        "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
+        "lastModified": 1718178907,
+        "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
+        "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "v0.3.0",
+        "ref": "v0.4.1",
         "repo": "lanzaboote",
         "type": "github"
       }
     },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "jovian",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729697500,
+        "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
+        "owner": "zhaofengli",
+        "repo": "nix-github-actions",
+        "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "ref": "matrix-name",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1706913249,
-        "narHash": "sha256-x3M7iV++CsvRXI1fpyFPduGELUckZEhSv0XWnUopAG8=",
+        "lastModified": 1733392399,
+        "narHash": "sha256-kEsTJTUQfQFIJOcLYFt/RvNxIK653ZkTBIs4DG+cBns=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e92b6015881907e698782c77641aa49298330223",
+        "rev": "d0797a04b81caeae77bcff10a9dde78bc17f5661",
         "type": "github"
       },
       "original": {
@@ -229,30 +273,65 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1678872516,
-        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1733940404,
+        "narHash": "sha256-Pj39hSoUA86ZePPF/UXiYHHM7hMIkios8TYG29kQT4g=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5d67ea6b4b63378b9c13be21e2ec9d1afc921713",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "plasma-manager": {
+      "inputs": {
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733858086,
+        "narHash": "sha256-h2BDIDKiqgMpA6E+mu0RgMGy3FeM6k+EuJ9xgOQ1+zw=",
+        "owner": "pjones",
+        "repo": "plasma-manager",
+        "rev": "7e2010249529931a3848054d5ff0dbf24675ab68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pjones",
+        "repo": "plasma-manager",
+        "type": "github"
+      }
+    },
     "pre-commit-hooks-nix": {
       "inputs": {
         "flake-compat": [
           "lanzaboote",
           "flake-compat"
         ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
         "gitignore": "gitignore",
         "nixpkgs": [
           "lanzaboote",
@@ -261,11 +340,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1681413034,
-        "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
+        "lastModified": 1717664902,
+        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
+        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
         "type": "github"
       },
       "original": {
@@ -276,12 +355,15 @@
     },
     "root": {
       "inputs": {
+        "catppuccin": "catppuccin",
         "flake-parts": "flake-parts",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
+        "jovian": "jovian",
         "lanzaboote": "lanzaboote",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2",
+        "plasma-manager": "plasma-manager"
       }
     },
     "rust-overlay": {
@@ -296,11 +378,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682129965,
-        "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+        "lastModified": 1717813066,
+        "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "2c417c0460b788328220120c698630947547ee83",
+        "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,24 +3,21 @@
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-
     flake-utils.url = "github:numtide/flake-utils";
-    flake-parts = {
-      url = "github:hercules-ci/flake-parts";
-      inputs.nixpkgs-lib.follows = "nixpkgs";
-    };
-
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
     impermanence.url = "github:nix-community/impermanence/master";
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    plasma-manager.url = "github:pjones/plasma-manager";
+    plasma-manager.inputs.nixpkgs.follows = "nixpkgs";
+    plasma-manager.inputs.home-manager.follows = "home-manager";
+    catppuccin.url = "github:catppuccin/nix";
+    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
+    lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
 
-    home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.3.0";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
+    # steamdeck
+    jovian.url = "github:Jovian-Experiments/Jovian-NixOS";
   };
 
   outputs = inputs:

global/auth/default.nix

@@ -7,6 +7,8 @@
     builtins.readDir
     (lib.filterAttrs (n: ty: ty == "regular"))
     (lib.mapAttrsToList (n: _: builtins.readFile ./pub/${n}))
+    (foldr (payload: keys: (splitString "\n" payload) ++ keys) [ ])
+    (foldr (candidate: keys: keys ++ (if candidate == "" then [ ] else [ candidate ])) [ ])
   ];
 in {
   options.global.auth = {
@@ -15,7 +17,7 @@ in {
       enable = mkEnableOption "openssh server";
       password = mkEnableOption "password authentication";
       publicKeys = mkOption {
-        type = with types; listOf str;
+        type = with types; listOf singleLineStr;
         default = pub;
         description = "list of trusted openssh keys";
       };
@@ -40,7 +42,7 @@ in {
       settings.PasswordAuthentication = cfg.openssh.password;
     };
 
-    networking.firewall.allowedTCPPorts = [ ] ++
+    networking.firewall.allowedTCPPorts = [ 1300 ] ++ # utility port
     optional (cfg.openssh.enable && (cfg.openssh.port != null)) cfg.openssh.port;
 
     environment.persistence."/nix/persist/fhs".directories = [ ] ++

global/auth/pub/hakugyokurou.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKCA0/6dsdVyLEgzWt8+u5lWVc0o6A3MY4M2Hf2BT8h koishi@hakugyokurou

global/auth/pub/koumakyou.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJOoXrfB4D8Vi6HH4E7RqHHIWhPPqEiiOeLRfggW1XZ koishi@koumakyou

global/auth/pub/shinkirou.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwV7Z+PDC8ARRj1LxUJlv59gJ3A84LCMMyMSqLtRtuQ koishi@shinkirou

global/flatpak/default.nix

@@ -0,0 +1,17 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.flatpak;
+in {
+  options.global.flatpak = {
+    enable = mkEnableOption "flatpak sandbox";
+  };
+
+  config = mkIf cfg.enable {
+    services.flatpak.enable = true;
+    xdg.portal.enable = true;
+    users.home.persist.directories = [ ".local/share/flatpak" ".var" ];
+    environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/flatpak" ];
+  };
+}

global/fs/default.nix

@@ -8,8 +8,8 @@ in {
     ./ext4.nix
     ./f2fs.nix
     ./xfs.nix
-    ./zfs.nix
     ./bcachefs.nix
+    ./zfs
   ];
 
   options.global.fs = {
@@ -90,5 +90,10 @@ in {
       inherit (cfg.cryptsetup) allowDiscards bypassWorkqueues;
       device = "/dev/disk/by-uuid/${uuid}";
     }) cfg.cryptsetup.uuids);
+
+    environment.persistence."/nix/persist/fhs".files = [ {
+      file = "/var/lib/private/mode";
+      parentDirectory.mode = "0700";
+    } ];
   };
 }

global/fs/zfs.nix

@@ -1,47 +0,0 @@
-{ pkgs
-, lib
-, config
-, ... }: with lib; let
-  cfg = config.global.fs;
-in {
-  # -o ashift=12
-  # -O encryption=on -O keyformat=passphrase -O keylocation=prompt
-  # -O compression=on -O mountpoint=none -O xattr=sa -O acltype=posixacl
-  options.global.fs.zfs = {
-    persist = mkOption {
-      type = with types; str;
-      default = cfg.store;
-      description = ''
-        pool for persist dataset
-        defaults to nix store dataset
-      '';
-    };
-    mountpoints = mkOption {
-      type = with types; attrsOf str;
-      description = "zfs dataset mountpoints";
-    };
-    externalStore = mkEnableOption "external nix store filesystem";
-  };
-
-  config = mkIf (cfg.type == "zfs") {
-    fileSystems = (mapAttrs (path: dataset: {
-      device = "${cfg.zfs.persist}/${dataset}";
-      fsType = "zfs";
-      # required by impermanence
-      neededForBoot = true;
-    }) cfg.zfs.mountpoints) // {
-      "/nix" = (if !cfg.zfs.externalStore then
-        { device = "${cfg.store}/nix";
-          fsType = "zfs";
-        } else
-        { inherit (cfg.external) device fsType options; });
-    };
-    global.fs.zfs.mountpoints."/nix/persist" = "persist";
-
-    services.zfs.trim.enable = true;
-    services.zfs.autoSnapshot.enable = true;
-    services.zfs.autoScrub.enable = true;
-    boot.zfs.devNodes = mkDefault "/dev/disk/by-partuuid";
-    boot.kernelPackages = mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages;
-  };
-}

global/fs/zfs/alert.nix

@@ -0,0 +1,122 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs.zfs.alert;
+
+  backend = {
+    text = pkgs.writeShellScript "telegram-text" ''
+      set -e
+      source ${cfg.secret}
+
+      ${pkgs.curl}/bin/curl -sG \
+        --data-urlencode "chat_id=$CHATID" \
+        --data-urlencode "text=$ALERT" \
+        $CURL_EXTRA_ARGS \
+        "https://api.telegram.org/bot$APIKEY/sendMessage"
+    '';
+    image = pkgs.writeShellScript "telegram-image" ''
+      set -e
+      source ${cfg.secret}
+
+      ${pkgs.curl}/bin/curl -sG \
+        -F "chat_id=$CHATID" \
+        -F "caption=$ALERT" \
+        -F "photo=@-" \
+        $CURL_EXTRA_ARGS \
+        "https://api.telegram.org/bot$APIKEY/sendPhoto"
+    '';
+  };
+
+  zedAlert = pkgs.writeShellScript "zed-alert" ''
+    set -e
+    export BODY="$(cat)"
+
+    # add tag
+    ALERT="$1 #zfs"
+
+    export ALERT
+    echo -e "$BODY" | \
+    ${pkgs.imagemagick}/bin/convert \
+      -size 1500x2000 xc:black \
+      -font "${pkgs.freefont_ttf}/share/fonts/truetype/FreeMono.ttf" \
+      -pointsize 16 \
+      -fill white -annotate +15+80 "@-" \
+      -trim -bordercolor "#000" \
+      -border 32 +repage \
+      png:- | \
+    ${backend.image}
+  '';
+
+  mdadmAlert = pkgs.writeShellScript "mdadm-alert" ''
+    set -e
+
+    EVENT="$1"
+    ARRAY="$2"
+    DEVICE="$3"
+
+    # fallback alert
+    ALERT="$EVENT | $ARRAY | $DEVICE"
+
+    case $EVENT in
+      DegradedArray)
+        ALERT="Array $ARRAY is in a degraded state"
+        ;;
+      DeviceDisappeared)
+        ALERT="Array $ARRAY disappeared"
+        ;;
+      Fail)
+        ALERT="Array $ARRAY encountered failure of component $DEVICE"
+        ;;
+      FailSpare)
+        ALERT="Array $ARRAY encountered failure of spare component $DEVICE during rebuild"
+        ;;
+      MoveSpare)
+        ALERT="Spare $DEVICE moved to array $ARRAY"
+        ;;
+      NewArray)
+        ALERT="Array $ARRAY appeared"
+        ;;
+      Rebuild??)
+        ALERT="Array $ARRAY rebuild is now $(echo $EVENT | ${pkgs.sedutil}/bin/sed 's/Rebuild//')% complete"
+        ;;
+      RebuildFinished)
+        ALERT="Rebuild of array $ARRAY has concluded"
+        ;;
+      RebuildStarted)
+        ALERT="Rebuild of array $ARRAY has started"
+        ;;
+      SpareActive)
+        ALERT="Spare $DEVICE activated in array $ARRAY"
+        ;;
+      SparesMissing)
+        ALERT="Array $ARRAY missing one or more spares"
+        ;;
+      TestMessage)
+        ALERT="Test message generated for array $ARRAY"
+        ;;
+    esac
+
+    # add tag
+    ALERT="$ALERT #swraid"
+
+    export ALERT
+    exec ${backend.text}
+  '';
+in mkIf (cfg.secret != null) {
+  services.zfs.zed = mkIf cfg.zed {
+    settings = {
+      ZED_EMAIL_ADDR = [ "root" ];
+      ZED_EMAIL_PROG = toString zedAlert;
+      ZED_EMAIL_OPTS = "'@SUBJECT@'";
+
+      ZED_NOTIFY_INTERVAL_SECS = 3600;
+      ZED_NOTIFY_VERBOSE = false;
+
+      ZED_USE_ENCLOSURE_LEDS = true;
+      ZED_SCRUB_AFTER_RESILVER = false;
+    };
+  };
+
+  global.fs.zfs.split.mdProg = mkIf cfg.swraid (toString mdadmAlert);
+}

global/fs/zfs/default.nix

@@ -0,0 +1,105 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs;
+in {
+  imports = [
+    ./alert.nix
+    ./split.nix
+    ./replication.nix
+  ];
+
+  # -o ashift=12
+  # -O encryption=on -O keyformat=passphrase -O keylocation=prompt
+  # -O compression=on -O mountpoint=none -O xattr=sa -O acltype=posixacl
+  options.global.fs.zfs = {
+    alert = {
+      zed = mkEnableOption "zfs event alerts" // { default = true; };
+      swraid = mkEnableOption "software raid alerts" // { default = true; };
+      secret = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "path to alert secrets";
+      };
+    };
+
+    persist = mkOption {
+      type = with types; str;
+      default = cfg.store;
+      description = ''
+        pool for persist dataset
+        defaults to nix store dataset
+      '';
+    };
+    mountpoints = mkOption {
+      type = with types; attrsOf str;
+      description = "zfs dataset mountpoints";
+    };
+    externalStore = mkEnableOption "external nix store filesystem";
+
+    split = {
+      enable = mkEnableOption "zfs state with split nix store";
+      mdProg = mkOption {
+        type = with types; str;
+        default = "/usr/bin/true";
+        description = "mdadm PROGRAM config value";
+      };
+      secret = mkOption {
+        type = with types; str;
+        description = "UUID of secret filesystem";
+      };
+      store = mkOption {
+        type = with types; str;
+        description = "UUID of store filesystem";
+      };
+    };
+
+    replication = {
+      enable = mkEnableOption "zfs replication to remote";
+      remote = mkOption {
+        type = with types; str;
+        description = "remote host as replication destination";
+      };
+      port = mkOption {
+        type = with types; port;
+        description = "ssh port of replication target";
+        default = 22;
+      };
+      datasets = mkOption {
+        type = with types; listOf str;
+        default = [ "persist" "service" "storage" ];
+        description = "list of filesystems to perform replication for";
+      };
+      sendOptions = mkOption {
+        type = with types; str;
+        default = "w";
+        description = "send options for all datasets";
+      };
+    };
+  };
+
+  config = mkIf (cfg.type == "zfs") {
+    fileSystems = (mapAttrs (path: dataset: {
+      device = "${cfg.zfs.persist}/${dataset}";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+      # required by impermanence
+      neededForBoot = true;
+    }) cfg.zfs.mountpoints) // {
+      "/nix" = (if !cfg.zfs.externalStore then
+        { device = "${cfg.store}/nix";
+          fsType = "zfs";
+        } else
+        { inherit (cfg.external) device fsType options; });
+    };
+    global.fs.zfs.mountpoints."/nix/persist" = "persist";
+
+    services.zfs.trim.enable = true;
+    services.zfs.autoSnapshot.enable = true;
+    services.zfs.autoScrub.enable = true;
+    boot.zfs.devNodes = mkDefault "/dev/disk/by-partuuid";
+    #boot.kernelPackages = mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages;
+    global.kernel.lts = mkDefault true;
+  };
+}

global/fs/zfs/replication.nix

@@ -0,0 +1,30 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs.zfs.replication;
+in mkIf cfg.enable {
+  services.syncoid = {
+    enable = mkDefault true;
+    interval = mkDefault "daily";
+    sshKey = mkDefault "/var/lib/syncoid/.ssh/id_ed25519";
+    commonArgs = [
+      "--recursive"
+      "--mbuffer-size=128M"
+      "--delete-target-snapshots"
+      "--sshport=${toString cfg.port}"
+    ];
+    localSourceAllow = mkOptionDefault [ "mount" ];
+
+    commands = (lists.foldr (name: commands: commands // {
+      "${config.global.fs.store}/${name}" = {
+        inherit (cfg) sendOptions;
+        target = "${cfg.remote}/${name}";
+      };
+    }) { }) cfg.datasets;
+  };
+
+  users.users.syncoid.uid = 82;
+  users.groups.syncoid.gid = 82;
+  environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/syncoid" ];
+}

global/fs/zfs/split.nix

@@ -0,0 +1,35 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs.zfs.split;
+in mkIf cfg.enable {
+  # unconditionally enable fstrim for xfs and ext4
+  services.fstrim.enable = mkDefault true;
+
+  # enable swraid for split raid1 system array
+  boot.swraid.enable = mkDefault true;
+  boot.swraid.mdadmConf = mkDefault ''
+    PROGRAM ${cfg.mdProg}
+  '';
+
+  # secret filesystem backed by swraid
+  fileSystems."/nix/var/secret" =
+  { device = "/dev/disk/by-uuid/${cfg.secret}";
+    fsType = "ext4";
+    options = [ "noatime" ];
+    neededForBoot = true;
+    depends = [ "/nix/var" ];
+  };
+
+  # external store backed by swraid
+  global.fs = {
+    zfs.externalStore = mkDefault true;
+    external.device = "/dev/disk/by-uuid/${cfg.store}";
+    external.fsType = "xfs";
+    external.options = [ "noatime" ];
+  };
+
+  # import system state pool after encrypted filesystems become available for key loading
+  boot.initrd.systemd.services."zfs-import-${config.global.fs.store}".after = [ "sysroot-nix-var-secret.mount" "cryptsetup.target" ];
+}

global/gpu/default.nix

@@ -29,10 +29,9 @@ in {
   };
 
   config = mkIf cfg.enable {
-    hardware.opengl = {
+    hardware.graphics = {
       enable = true;
-      driSupport = true;
-      driSupport32Bit = true;
+      enable32Bit = true;
 
       # https://nixos.wiki/wiki/Accelerated_Video_Playback
       extraPackages = with pkgs; optionals intel [
@@ -46,11 +45,14 @@ in {
       optional (cfg.type == "nvidia") vulkan-validation-layers;
     };
 
-    services.xserver.videoDrivers =
+    services.xserver = mkIf cfg.session {
+      videoDrivers =
       optional nvidia "nvidia" ++
       optional (cfg.type == "amdgpu") "amdgpu";
       # inhibits default display manager
-    services.xserver.displayManager.startx.enable = mkDefault true;
+
+      displayManager.startx.enable = mkDefault true;
+    };
 
     hardware.nvidia = mkIf nvidia {
       modesetting.enable = true;
@@ -72,7 +74,7 @@ in {
       # work around broken nvidia hw cursor on wayland
       WLR_NO_HARDWARE_CURSORS = mkIf (cfg.type == "nvidia") "1";
       # work around wlroots flickering on pure nvidia
-      WLR_RENDERER = mkIf (cfg.type == "nvidia") "vulkan";
+      #WLR_RENDERER = mkIf (cfg.type == "nvidia") "vulkan";
     };
 
     specialisation.integratedGraphics = mkIf (cfg.type == "prime") {
@@ -91,7 +93,7 @@ in {
 
     boot.initrd.kernelModules =
     optional amdgpu "amdgpu" ++
-    optional intel "i915" ++
+    optional (intel && cfg.arc == null) "i915" ++
     optionals nvidia [ "nvidia" "nvidia_drm" "nvidia_modeset" "nvidia_uvm" ] ++
     optional (cfg.arc != null) "vfio-pci";
 
@@ -102,6 +104,8 @@ in {
       options vfio-pci ids=${cfg.arc}
     '';
 
-    boot.kernelParams = optional intel "i915.fastboot=1";
+    boot.kernelParams =
+    optional intel "i915.fastboot=1" ++
+    optionals nvidia [ "nvidia_drm.modeset=1" "nvidia_drm.fbdev=1" ];
   };
 }

global/gpu/greetd.nix

@@ -3,18 +3,19 @@
 , config
 , ... }: with lib; let
   cfg = config.global.gpu;
-in mkIf (cfg.enable && cfg.session) {
+  gui = with cfg; enable && session;
+in mkIf gui {
   programs.regreet = {
     enable = mkDefault true;
     cageArgs = [ "-s" "-d" "-m" "last" ];
     settings = {
-      background.path = ../../share/54345906_p0.jpg;
+      background.path = mkDefault ../../share/54345906_p0.jpg;
       background.fit = "Fill";
       GTK = {
-        application_prefer_dark_theme = true;
-        cursor_theme_name = "Bibata-Modern-Classic";
-        icon_theme_name = "Papirus-Dark";
-        theme_name = "WhiteSur-Dark";
+        application_prefer_dark_theme = mkDefault true;
+        cursor_theme_name = mkDefault "Bibata-Modern-Classic";
+        icon_theme_name = mkDefault "Papirus-Dark";
+        theme_name = mkDefault "WhiteSur-Dark";
       };
     };
   };

global/gpu/plymouth.nix

@@ -3,7 +3,8 @@
 , config
 , ... }: with lib; let
   cfg = config.global.gpu;
-in mkIf cfg.enable {
+  gui = with cfg; enable && session;
+in mkIf gui {
   boot = {
     loader.timeout = mkDefault 0;
     consoleLogLevel = 0;

global/io/default.nix

@@ -13,31 +13,50 @@ in {
   };
 
   config = {
-    services.udev.extraRules = "" + (if cfg.betaflight then ''
+    services.udev.extraRules = ''
+      # ignore zvols
+      KERNEL=="zd*", ENV{UDISKS_IGNORE}="1"
+    '' + (if cfg.betaflight then ''
       # DFU (Internal bootloader for STM32 and AT32 MCUs)
       SUBSYSTEM=="usb", ATTRS{idVendor}=="2e3c", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
       SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
     '' else "");
 
     networking.networkmanager.enable = mkDefault true;
+    networking.hosts = {
+      "10.5.14.0" = [ "codec" ];
+      "10.5.14.1" = [ "redir" ];
+      "10.5.14.2" = [ "compat" ];
+
+      "192.168.123.1" = [ "netvm" ];
+    };
+    networking.firewall.logRefusedConnections = true;
     hardware.bluetooth.enable = mkDefault cfg.bluetooth;
 
-    hardware.pulseaudio = mkIf cfg.audio {
+    # rtkit is optional but recommended
+    security.rtkit.enable = cfg.audio;
+    services.pipewire = mkIf cfg.audio {
       enable = true;
-      support32Bit = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
     };
-    #nixpkgs.config.pulseaudio = mkIf cfg.audio;
 
     security.pam.loginLimits = mkIf (!cfg.coredump) (singleton { domain = "*"; item = "core"; type = "hard"; value = "0"; });
     systemd.coredump.extraConfig = mkIf (!cfg.coredump) "Storage=none";
 
     environment.persistence."/nix/persist/fhs".directories = [
       "/var/log"
+      "/var/lib/nixos"
       "/var/lib/systemd/backlight"
     ] ++
     optional config.networking.networkmanager.enable "/etc/NetworkManager/system-connections" ++
     optional cfg.bluetooth "/var/lib/bluetooth" ++
     optional cfg.coredump "/var/lib/systemd/coredump";
     environment.persistence."/nix/persist/fhs".hideMounts = true;
+
+    users.home.persist.directories = [ ] ++
+    optional cfg.audio ".local/state/wireplumber";
   };
 }

global/libvirt/default.nix

@@ -20,6 +20,8 @@ in {
       parallelShutdown = 5;
     };
 
+    environment.systemPackages = with pkgs; [ virtiofsd ];
+
     # USB redirection requires a setuid wrapper
     virtualisation.spiceUSBRedirection.enable = true;
 

global/netdata/default.nix

@@ -0,0 +1,52 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.netdata;
+in {
+  options.global.netdata = {
+    enable = mkEnableOption "netdata";
+    host = mkOption {
+      type = with types; str;
+      default = "localhost";
+      description = "hostname of netdata web interface";
+    };
+    addSSL = mkEnableOption "add SSL to netdata proxy";
+    useACMEHost = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = "existing acme host";
+    };
+    basicAuthFile = mkOption {
+      type = with types; nullOr path;
+      default = "/nix/persist/secret/netdata";
+      description = "path to passwd file";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.netdata = {
+      enable = true;
+      config = {
+        global = {
+          "error log" = "syslog";
+          "access log" = "none";
+          "debug log" = "syslog";
+        };
+        web."bind to" = "unix:/var/run/netdata/netdata.sock";
+      };
+    };
+
+    users.users.netdata.uid = 287;
+    users.groups.netdata.gid = 287;
+
+    services.nginx.enable = mkDefault true;
+    services.nginx.virtualHosts.${cfg.host} = {
+      inherit (cfg) addSSL useACMEHost basicAuthFile;
+      locations."/".proxyPass = "http://unix:/var/run/netdata/netdata.sock";
+    };
+    users.users.nginx.extraGroups = [ "netdata" ];
+
+    environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/netdata" ];
+  };
+}

global/virtualbox/default.nix

@@ -0,0 +1,34 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.virtualbox;
+in {
+  options.global.virtualbox = {
+    enable = mkEnableOption "virtualbox host (kvm)";
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation.virtualbox.host = {
+      enable = true;
+      enableKvm = true;
+      enableExtensionPack = true;
+
+      enableHardening = false;
+      addNetworkInterface = false;
+    };
+
+    # allow virtualbox USB passthrough
+    users.adminGroups = [ "vboxusers" ];
+
+    users.home.persist.directories = [
+      ".config/VirtualBox"
+    ];
+
+    users.homeModules = [ {
+      wayland.windowManager.sway.config.window.commands = [
+        { criteria.class = "VirtualBox Manager"; command = "floating enable"; }
+      ];
+    } ];
+  };
+}

home/auth/home.nix

@@ -17,9 +17,21 @@
         # compiled from trusted keys in auth module
         ssh.allowedSignersFile = toString (pkgs.writeText
         "allowed_signers" (foldr (key: folded:
-        folded + "koishi@514fpv.one ${key}") ""
+        folded + "koishi@514fpv.one ${key}\n") ""
         config.passthrough.publicKeys));
       };
     };
   };
+
+  programs.ssh = {
+    enable = true;
+    matchBlocks = {
+      "edge.514fpv.io".port = 8086;
+      "sf.514fpv.io".port = 8087;
+    };
+  };
+
+  wayland.windowManager.sway.config.window.commands = mkIf config.passthrough.gui [
+    { criteria.title = "Bitwarden"; command = "floating enable"; }
+  ];
 }

home/btop/home.nix

@@ -0,0 +1,13 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.btop;
+in mkIf cfg.enable {
+  programs.btop = {
+    enable = true;
+    settings = {
+      theme_background = false;
+    };
+  };
+}

home/btop/nixos.nix

@@ -0,0 +1,17 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.btop;
+in {
+  options.home.btop = {
+    enable = mkEnableOption "btop" // { default = !config.home.util.minimal; };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes gyroflow configuration to home-manager
+      { passthrough.btop = cfg; }
+    ];
+  };
+}

home/catppuccin/gui.nix

@@ -0,0 +1,62 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.catppuccin;
+  palette = (lib.importJSON "${config.catppuccin.sources.palette}/palette.json").${config.catppuccin.flavor}.colors;
+in mkIf cfg.enable {
+  gtk.theme = { inherit (cfg.gtk) package name; };
+  qt.style.name = "kvantum";
+  qt.platformTheme.name = "kvantum";
+  home.pointerCursor = { inherit (cfg.cursor) package name; };
+
+  # sway colour palette override
+  wayland.windowManager.sway.config = {
+    colors = {
+      focused =         { border = "$lavender"; background = "$base"; text = "$text";  indicator = "$rosewater"; childBorder = "$lavender"; };
+      focusedInactive = { border = "$overlay0"; background = "$base"; text = "$text";  indicator = "$rosewater"; childBorder = "$overlay0"; };
+      unfocused =       { border = "$overlay0"; background = "$base"; text = "$text";  indicator = "$rosewater"; childBorder = "$overlay0"; };
+      urgent =          { border = "$peach";    background = "$base"; text = "$peach"; indicator = "$overlay0";  childBorder = "$peach"; };
+      placeholder =     { border = "$overlay0"; background = "$base"; text = "$text";  indicator = "$overlay0";  childBorder = "$overlay0"; };
+      background =                 "$base";
+    };
+
+    bars = mkForce [ {
+      colors = {
+        background =                   "$base";
+        statusline =                   "$text";
+        focusedStatusline =            "$text";
+        focusedSeparator =             "$base";
+        focusedWorkspace =  { border = "$base"; background = "$base"; text = "$green"; };
+        activeWorkspace =   { border = "$base"; background = "$base"; text = "$blue"; };
+        inactiveWorkspace = { border = "$base"; background = "$base"; text = "$surface1"; };
+        urgentWorkspace =   { border = "$base"; background = "$base"; text = "$surface1"; };
+        bindingMode =       { border = "$base"; background = "$base"; text = "$surface1"; };
+      };
+
+      mode = "dock";
+      position = "bottom";
+      workspaceButtons = true;
+      workspaceNumbers = true;
+      statusCommand = "${pkgs.i3status}/bin/i3status";
+      fonts = {
+        names = [ "monospace" ];
+        size = 8.0;
+      };
+      trayOutput = "primary";
+    } ];
+
+    output."*".bg = mkForce "${./flake.png} fill";
+    gaps.inner = 12;
+    gaps.outer = 5;
+    # dodge the status bar
+    gaps.bottom = 0;
+  };
+
+  # i3status colour palette override
+  programs.i3status.general = with palette; {
+    color_good = lavender.hex;
+    color_degraded = yellow.hex;
+    color_bad = red.hex;
+  };
+}

home/catppuccin/home.nix

@@ -0,0 +1,9 @@
+{
+  catppuccin = {
+    enable = true;
+    accent = "pink";
+    flavor = "mocha";
+  };
+
+  imports = [ ./gui.nix ];
+}

home/catppuccin/nixos.nix

@@ -0,0 +1,79 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  gui = with config.global.gpu; enable && session;
+  cfg = config.home.catppuccin;
+in {
+  options.home.catppuccin = {
+    enable = mkEnableOption "catppuccin colour scheme" // { default = gui; };
+
+    gtk = {
+      package = mkOption {
+        type = with types; package;
+        default = (pkgs.catppuccin-gtk.overrideAttrs {
+          src = pkgs.fetchFromGitHub {
+            owner = "catppuccin";
+            repo = "gtk";
+            rev = "v1.0.3";
+            fetchSubmodules = true;
+            hash = "sha256-q5/VcFsm3vNEw55zq/vcM11eo456SYE5TQA3g2VQjGc=";
+          };
+
+          postUnpack = "";
+        }).override {
+          accents = [ "pink" ];
+          size = "compact";
+          #tweaks = [ "rimless" "black" ];
+          variant = "mocha";
+        };
+        description = "catppuccin gtk theme package";
+      };
+      name = mkOption {
+        type = with types; str;
+        default = "catppuccin-mocha-pink-compact";
+        description = "name of catppuccin gtk theme";
+      };
+    };
+
+    cursor = {
+      package = mkOption {
+        type = with types; package;
+        default = pkgs.catppuccin-cursors.mochaDark;
+        description = "catppuccin cursor theme package";
+      };
+      name = mkOption {
+        type = with types; str;
+        default = "catppuccin-mocha-dark-cursors";
+        description = "name of catppuccin cursor theme";
+      };
+    };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes catppuccin configuration to home-manager
+      { passthrough.catppuccin = cfg; }
+    ];
+
+    catppuccin.enable = cfg.enable;
+
+    # gtk and cursor themes
+    environment.systemPackages = with cfg; mkIf enable [
+      gtk.package cursor.package
+    ];
+
+    # override greetd theme
+    programs.regreet = mkIf cfg.enable {
+      theme = {
+        inherit (cfg.gtk) name package;
+      };
+      cursorTheme = {
+        inherit (cfg.cursor) name package;
+      };
+      settings = {
+        background.path = ./solid.png;
+      };
+    };
+  };
+}

home/chrome/nixos.nix

@@ -6,4 +6,5 @@
 in {
   users.home.persist.directories = mkIf gui [ ".config/google-chrome" ];
   security.chromiumSuidSandbox.enable = mkIf gui true;
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
 }

home/foot/home.nix

@@ -6,5 +6,6 @@
     enable = true;
     settings.main.term = "xterm-256color";
     settings.main.font = "DejaVu Sans Mono:size=11";
+    #settings.colors.alpha = 0.8;
   };
 }

home/gnome/impl/dconf.nix

@@ -3,6 +3,7 @@
 , config
 , ... }: with lib; let
   cfg = config.passthrough.gnome;
+  bg = ../../../share/54345906_p0.jpg;
 in mkIf cfg.enable {
   dconf.settings = let
     p = "org/gnome";
@@ -26,18 +27,18 @@ in mkIf cfg.enable {
     "${pd}/background" = {
       color-shading-type = "solid";
       picture-options = "zoom";
-      picture-uri = "file://${./catppuccin-nix.png}";
-      picture-uri-dark = "file://${./catppuccin-nix.png}";
+      picture-uri = "file://${bg}";
+      picture-uri-dark = "file://${bg}";
       primary-color = "#000000000000";
       secondary-color = "#000000000000";
     };
 
     "${pd}/interface" = {
       color-scheme = "prefer-dark";
-      cursor-theme = "Catppuccin-Frappe-Dark-Cursors";
+      cursor-theme = "Bibata-Modern-Classic";
       font-antialiasing = "grayscale";
       font-hinting = "slight";
-      gtk-theme = "Catppuccin-Frappe-Compact-Pink-Dark";
+      gtk-theme = "adw-gtk3-dark";
       icon-theme = "Papirus-Dark";
     };
 
@@ -45,7 +46,7 @@ in mkIf cfg.enable {
       color-shading-type = "solid";
       lock-enabled = false;
       picture-options = "zoom";
-      picture-uri = "file://${./catppuccin-nix.png}";
+      picture-uri = "file://${bg}";
       primary-color = "#000000000000";
       secondary-color = "#000000000000";
     };
@@ -53,11 +54,64 @@ in mkIf cfg.enable {
     "${pd}/wm/preferences" = {
       action-double-click-titlebar = "toggle-maximize";
       action-middle-click-titlebar = "minimize";
-      button-layout = "close,minimize,maximize:appmenu";
+      button-layout = "close:appmenu";
+      resize-with-right-button = true;
+    };
+
+    "${pd}/wm/keybindings" = {
+      panel-run-dialog = [ ];
+      begin-resize = [ "<Super>r" ];
+      close = [ "<Shift><Super>q" ];
+      minimize = [ "<Super>BackSpace" ];
+      move-to-workspace-1 = [ "<Shift><Super>1" ];
+      move-to-workspace-2 = [ "<Shift><Super>2" ];
+      move-to-workspace-3 = [ "<Shift><Super>3" ];
+      move-to-workspace-4 = [ "<Shift><Super>4" ];
+      move-to-workspace-left = [ "<Shift><Super>h" ];
+      move-to-workspace-right = [ "<Shift><Super>l" ];
+      switch-to-workspace-1 = [ "<Super>1" ];
+      switch-to-workspace-2 = [ "<Super>2" ];
+      switch-to-workspace-3 = [ "<Super>3" ];
+      switch-to-workspace-4 = [ "<Super>4" ];
+      toggle-maximized = [ "<Super>f" ];
+    };
+
+    "${ps}/keybindings" = {
+      switch-to-application-1 = [ ];
+      switch-to-application-2 = [ ];
+      switch-to-application-3 = [ ];
+      switch-to-application-4 = [ ];
+      switch-to-application-5 = [ ];
+      switch-to-application-6 = [ ];
+      switch-to-application-7 = [ ];
+      switch-to-application-8 = [ ];
+      switch-to-application-9 = [ ];
+      toggle-application-view = [ "<Super>d" ];
+    };
+
+    "${p}/settings-daemon/plugins/media-keys" = {
+      custom-keybindings = [
+        "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/"
+        "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/"
+      ];
+      logout = [ ];
+      screensaver = [ "<Control><Alt>l" ];
+    };
+
+    "${p}/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
+      binding = "<Super>Return";
+      command = "kgx";
+      name = "Launch console";
+    };
+
+    "${p}/settings-daemon/plugins/media-keys/custom-keybindings/custom1" = {
+      binding = "<Super>q";
+      command = "google-chrome-stable";
+      name = "Launch Google Chrome";
     };
 
     "${ptlp}" = {
-      default = "71a9971e-e829-43a9-9b2f-4565c855d664";
+      #default = "95894cfd-82f7-430d-af6e-84d168bc34f5";
       list = [
         "de8a9081-8352-4ce4-9519-5de655ad9361"
         "71a9971e-e829-43a9-9b2f-4565c855d664"
@@ -151,41 +205,80 @@ in mkIf cfg.enable {
         "windowsNavigator@gnome-shell-extensions.gcampax.github.com"
         "window-list@gnome-shell-extensions.gcampax.github.com"
         "workspace-indicator@gnome-shell-extensions.gcampax.github.com"
-        "dash-to-panel@jderose9.github.com"
+        "dash-to-dock@micxgx.gmail.com"
       ];
       enabled-extensions = [
         "user-theme@gnome-shell-extensions.gcampax.github.com"
         "apps-menu@gnome-shell-extensions.gcampax.github.com"
         "drive-menu@gnome-shell-extensions.gcampax.github.com"
-        "dash-to-dock@micxgx.gmail.com"
+        "appindicatorsupport@rgcjonas.gmail.com"
+        "dash-to-panel@jderose9.github.com"
+        "caffeine@patapon.info"
+        "PrivacyMenu@stuarthayhurst"
       ];
+      last-selected-power-profile = "performance";
       welcome-dialog-last-shown-version = "45.3";
     };
 
-    "${pse}/user-theme".name = "Catppuccin-Frappe-Compact-Pink-Dark";
+    #"${pse}/user-theme".name = "catppuccin-mocha-pink-compact";
+
+    "${pse}/caffeine" = {
+      screen-blank = "never";
+    };
 
     "${pse}/dash-to-dock" = {
       background-opacity = 0.80000000000000004;
       dash-max-icon-size = 48;
       dock-position = "BOTTOM";
       height-fraction = 0.90000000000000002;
-      multi-monitor = true;
+      multi-monitor = false;
+      running-indicator-style = "DOTS";
+      custom-theme-shrink = true;
     };
 
     "${pse}/dash-to-panel" = {
-      animate-appicon-hover-animation-extent = ''{'RIPPLE': 4, 'PLANK': 4, 'SIMPLE': 1}'';
+      animate-appicon-hover = false;
+      animate-appicon-hover-animation-type = "SIMPLE";
       appicon-margin = 0;
       appicon-padding = 4;
+      appicon-style= "NORMAL";
       available-monitors = [ 0 ];
       dot-position = "BOTTOM";
+      dot-style-focused = "METRO";
+      dot-style-unfocused = "DOTS";
+      group-apps = true;
+      hide-overview-on-startup = true;
       hotkeys-overlay-combo = "TEMPORARILY";
+      intellihide = true;
+      intellihide-behaviour = "FOCUSED_WINDOWS";
+      intellihide-hide-from-windows = true;
+      isolate-workspaces = false;
       leftbox-padding = -1;
+      overview-click-to-exit = true;
       panel-anchors = ''{"0":"MIDDLE"}'';
-      panel-lengths=''{"0":100}'';
-      panel-sizes=''{"0":42}'';
+      panel-element-positions = ''{"0":[{"element":"showAppsButton","visible":true,"position":"stackedTL"},{"element":"activitiesButton","visible":true,"position":"stackedTL"},{"element":"leftBox","visible":false,"position":"stackedTL"},{"element":"taskbar","visible":true,"position":"centerMonitor"},{"element":"centerBox","visible":true,"position":"stackedBR"},{"element":"rightBox","visible":true,"position":"stackedBR"},{"element":"dateMenu","visible":true,"position":"stackedBR"},{"element":"systemMenu","visible":true,"position":"stackedBR"},{"element":"desktopButton","visible":false,"position":"stackedBR"}]}'';
+      panel-lengths = ''{"0":100}'';
+      panel-positions = ''{"0":"BOTTOM"}'';
+      panel-sizes = ''{"0":42}'';
       primary-monitor = 0;
+      secondarymenu-contains-showdetails = true;
+      show-showdesktop-hover = true;
       status-icon-padding = -1;
-      trans-use-custom-bg = false;
+      stockgs-force-hotcorner = false;
+      stockgs-keep-dash = false;
+      stockgs-keep-top-panel = false;
+      stockgs-panelbtn-click-only = false;
+      trans-bg-color = "#2a2a2a";
+      trans-dynamic-anim-target = 1.0;
+      trans-dynamic-behavior = "MAXIMIZED_WINDOWS";
+      trans-gradient-bottom-color = "#000000";
+      trans-gradient-bottom-opacity = 0.5;
+      trans-gradient-top-opacity = 0.0;
+      trans-panel-opacity = 0.0;
+      trans-use-custom-bg = true;
+      trans-use-custom-gradient = true;
+      trans-use-custom-opacity = true;
+      trans-use-dynamic-opacity = true;
       tray-padding = -1;
       window-preview-title-position = "TOP";
     };

home/gnome/impl/home.nix

@@ -4,33 +4,29 @@
 , ... }: with lib; let
   cfg = config.passthrough.gnome;
 in mkIf cfg.enable {
-  # cursor theme
-  home.pointerCursor = {
-    package = pkgs.catppuccin-cursors.frappeDark;
-    name = "Catppuccin-Frappe-Dark-Cursors";
-  };
-
-  # gtk theme
-  gtk.theme = {
-    package = pkgs.catppuccin-gtk.override {
-      accents = [ "pink" ];
-      size = "compact";
-      #tweaks = [ "rimless" "black" ];
-      variant = "frappe";
-    };
-    name = "Catppuccin-Frappe-Compact-Pink-Dark";
-  };
-
   home.packages =
   with pkgs;
   with gnome;
   with gnomeExtensions; [
-    # gnome
-    gnome-terminal
+    # gtk3 theme
+    adw-gtk3
 
     # gnomeExtensions
+    caffeine
     dash-to-panel
     dash-to-dock
     appindicator
+    privacy-settings-menu
   ];
+
+  catppuccin.enable = mkForce false;
+  home.pointerCursor = mkForce null;
+  gtk.enable = false;
+
+  home.persistence."/nix/persist/home/${config.home.username}" = {
+    removePrefixDirectory = true;
+    files = [
+      (if config.specialisation != {} then "gnome/.config/monitors.xml" else "extern/.config/monitors.xml")
+    ];
+  };
 }

home/gnome/impl/nixos.nix

@@ -4,13 +4,46 @@
 , ... }: with lib; let
   cfg = config.home.gnome;
 in mkIf cfg.enable {
+  global.flatpak.enable = mkDefault true;
+  home.catppuccin.enable = mkDefault false;
+  catppuccin.enable = false;
   programs.regreet.enable = false;
   services.xserver.enable = true;
   services.xserver.displayManager.startx.enable = false;
   services.xserver.displayManager.gdm.enable = true;
   services.xserver.desktopManager.gnome.enable = true;
-  services.udev.packages = with pkgs; [ gnome.gnome-settings-daemon ];
+  services.udev.packages = with pkgs; [ gnome-settings-daemon ];
+  services.hardware.bolt.enable = true;
+  xdg.portal.configPackages = with pkgs; [ gnome-session ];
+  hardware.pulseaudio.enable = false;
 
-  users.home.persist.directories = [ ];
-  environment.persistence."/nix/persist/fhs".directories = [ ];
+  environment.gnome.excludePackages = (with pkgs; [
+    snapshot
+    gnome-tour
+  ] ++ optionals config.global.flatpak.enable [
+    baobab
+    simple-scan
+    evince
+    file-roller
+    geary
+    loupe
+    seahorse
+    totem
+    epiphany
+    gnome-calculator
+    gnome-calendar
+    gnome-connections
+    gnome-font-viewer
+    gnome-text-editor
+    gnome-characters
+    gnome-clocks
+    gnome-contacts
+    gnome-logs
+    gnome-maps
+    gnome-music
+    gnome-weather
+  ]) ++ (with pkgs.gnome; [ ] ++ optionals config.global.flatpak.enable [
+  ]);
+
+  users.home.persist.directories = [ ".config/dconf" ];
 }

home/gnome/nixos.nix

@@ -13,7 +13,7 @@ in {
   config = {
     users.homeModules = [
       # this module passes gnome configuration to home-manager
-      { passthrough.gnome= cfg; }
+      { passthrough.gnome = cfg; }
     ];
 
     specialisation.nognome = with cfg; mkIf enable {

home/gui/home.nix

@@ -1,29 +1,35 @@
 { pkgs
 , lib
 , config
-, ... }: with lib; mkIf config.passthrough.gui {
+, ... }: with lib; let
+  catppuccin = config.passthrough.catppuccin.enable;
+in {
+  config = mkIf config.passthrough.gui {
     # cursor theme
     home.pointerCursor = {
       package = mkDefault pkgs.bibata-cursors;
       name = mkDefault "Bibata-Modern-Classic";
       size = 24;
+      x11.enable = true;
+      gtk.enable = true;
     };
 
     # gtk theme
-  gtk.theme = {
-    package = mkDefault pkgs.whitesur-gtk-theme;
-    name = mkDefault "WhiteSur-Dark";
+    gtk.theme = mkDefault {
+      package = pkgs.whitesur-gtk-theme;
+      name = "WhiteSur-Dark";
     };
 
     # gtk icons
-  gtk.iconTheme = {
-    package = mkDefault pkgs.papirus-icon-theme;
-    name = mkDefault "Papirus-Dark";
+    gtk.iconTheme = mkDefault {
+      package = pkgs.papirus-icon-theme;
+      name = "Papirus-Dark";
     };
 
     # unify qt theme
-  qt.platformTheme = mkDefault "gtk";
+    qt.platformTheme.name = mkDefault "gtk";
 
     gtk.enable = mkDefault true;
     qt.enable = mkDefault true;
+  };
 }

home/gui/nixos.nix

@@ -3,6 +3,7 @@
 , config
 , ... }: with lib; let
   gui = with config.global.gpu; enable && session;
+  catppuccin = config.home.catppuccin;
 in {
   config = {
     users.homeModules = [
@@ -12,10 +13,13 @@ in {
     users.adminGroups = mkIf gui [ "video" ];
 
     # themes and icons
-    environment.systemPackages = with pkgs; mkIf gui [
-      whitesur-gtk-theme whitesur-icon-theme
-      papirus-icon-theme bibata-cursors
-    ];
+    environment.systemPackages = with pkgs; mkIf gui ([
+      papirus-icon-theme
+    ] ++ optionals (!catppuccin.enable) [
+      whitesur-gtk-theme
+      whitesur-icon-theme
+      bibata-cursors
+    ]);
 
     fonts.enableDefaultPackages = mkIf gui true;
 
@@ -26,7 +30,7 @@ in {
       dconf.enable = true;
     };
     services = mkIf gui {
-      blueman.enable = true;
+      blueman.enable = !config.global.flatpak.enable;
     };
   };
 }

home/gyroflow/home.nix

@@ -4,5 +4,10 @@
 , ... }: with lib; let
   cfg = config.passthrough.gyroflow;
 in mkIf cfg.enable {
-  home.packages = with pkgs; [ gyroflow ];
+  # temporarily gone until regression is fixed
+  #home.packages = [ cfg.package ];
+
+  wayland.windowManager.sway.config.window.commands = [
+    { criteria.app_id = "xyz.gyroflow.gyroflow"; command = "floating enable"; }
+  ];
 }

home/gyroflow/nixos.nix

@@ -6,6 +6,13 @@
 in {
   options.home.gyroflow = {
     enable = mkEnableOption "gyroflow stabilisation software";
+    package = mkOption {
+      type = with types; package;
+      default = pkgs.gyroflow.overrideAttrs (finalAttrs: previousAttrs: {
+        buildInputs = previousAttrs.buildInputs ++ [ pkgs.qt6Packages.qtwayland ];
+      });
+      description = "gyroflow package";
+    };
   };
 
   config = {

home/headless/home.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.headless;
+in mkIf (cfg.enable != null) {
+  wayland.windowManager.sway.config = {
+    output = {
+      ${cfg.enable}.pos = "0 0";
+      HEADLESS-1 = cfg.output;
+    };
+
+    startup = [ { command = "swaymsg create_output && swaymsg output HEADLESS-1 disable"; } ];
+  };
+
+  home.packages = [ (pkgs.writeShellScriptBin "headless" ''
+    swaymsg output HEADLESS-1 enable
+    ${pkgs.wayvnc}/bin/wayvnc \
+      --output=HEADLESS-1 \
+      ${cfg.extraArgs} \
+      ${cfg.host} ${toString cfg.port}
+    swaymsg output HEADLESS-1 disable
+  '') ];
+}

home/headless/nixos.nix

@@ -0,0 +1,51 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.headless;
+in {
+  options.home.headless = {
+    enable = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = "a headless, remotely viewed sway display";
+    };
+
+    output = mkOption {
+      type = with types; attrsOf str;
+      default = {
+        # pixel tablet
+        mode = "2560x1600";
+        scale = "2";
+        pos = "1920 0";
+      };
+      description = "headless display configuration";
+    };
+
+    host = mkOption {
+      type = with types; str;
+      default = "0.0.0.0";
+      description = "wayvnc listen host";
+    };
+
+    port = mkOption {
+      type = with types; port;
+      # utility port
+      default = 1300;
+      description = "wayvnc listen port";
+    };
+
+    extraArgs = mkOption {
+      type = with types; str;
+      default = "--max-fps=60";
+      description = "extra wayvnc args";
+    };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes headless configuration to home-manager
+      { passthrough.headless = cfg; }
+    ];
+  };
+}

home/jetbrains/home.nix

@@ -0,0 +1,11 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.jetbrains;
+in mkIf cfg.enable {
+  home.packages = with pkgs.jetbrains; [ pkgs.go ] ++
+    optional cfg.idea idea-community ++
+    optional cfg.clion clion ++
+    optional cfg.goland goland;
+}

home/jetbrains/nixos.nix

@@ -0,0 +1,27 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.jetbrains;
+in {
+  options.home.jetbrains = {
+    enable = mkEnableOption "jetbrains text editor";
+    idea = mkEnableOption "intellij idea";
+    clion = mkEnableOption "clion ide";
+    goland = mkEnableOption "goland ide" // { default = true; };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes jetbrains configuration to home-manager
+      { passthrough.jetbrains = cfg; }
+    ];
+
+    users.home.persist.directories = mkIf cfg.enable [
+      "go"
+      ".java/.userPrefs"
+      ".config/JetBrains"
+      ".local/share/JetBrains"
+    ];
+  };
+}

home/minecraft/home.nix

@@ -2,15 +2,15 @@
 , lib
 , config
 , ... }: with lib; let
+  inherit (config.passthrough) gui;
   cfg = config.passthrough.minecraft;
-  enable = cfg.enable && (cfg.allUsers || (config.home.username == "app"));
+  enable = cfg.enable && config.home.username == cfg.user;
 in mkIf enable {
   home.packages = with pkgs; [
-    prismlauncher
     jdk8
-  ];
+  ] ++ optional gui prismlauncher;
 
-  wayland.windowManager.sway.config.window.commands = [
+  wayland.windowManager.sway.config.window.commands = mkIf gui [
     { criteria.app_id = "org.prismlauncher.PrismLauncher"; command = "floating enable"; }
   ];
 }

home/minecraft/nixos.nix

@@ -3,11 +3,15 @@
 , config
 , ... }: with lib; let
   cfg = config.home.minecraft;
-  persist = [ ".local/share/PrismLauncher" ];
+  gui = with config.global.gpu; enable && session;
 in {
   options.home.minecraft = {
     enable = mkEnableOption "minecraft game launcher and jvm";
-    allUsers = mkEnableOption "set up for all users";
+    user = mkOption {
+      type = with types; str;
+      default = "minecraft";
+      description = "username which minecraft game client runs under";
+    };
   };
 
   config = {
@@ -16,7 +20,14 @@ in {
       { passthrough.minecraft = cfg; }
     ];
 
-    users.home.persist.directories = with cfg; mkIf (enable && allUsers) persist;
-    users.home.persistApp.directories = with cfg; mkIf (enable && !allUsers) persist;
+    users.profiles.minecraft = mkIf (cfg.enable && cfg.user == "minecraft") {
+      uid = 5801;
+      description = "Minecraft";
+      picture = ../picture/aux.png;
+    };
+
+    environment.persistence."/nix/persist".users.${cfg.user} = mkIf (cfg.enable && gui) {
+      directories = [ ".local/share/PrismLauncher" ];
+    };
   };
 }

home/plasma/config.nix

@@ -0,0 +1,13 @@
+{
+  programs.plasma = {
+    workspace = {
+      lookAndFeel = "org.kde.breezedark.desktop";
+      #clickItemTo = "select";
+    };
+
+    configFile = {
+      baloofilerc."Basic Settings"."Indexing-Enabled" = false;
+      kcminputrc.Libinput."2362"."597"."UNIW0001:00 093A:0255 Touchpad".NaturalScroll = true;
+    };
+  };
+}

home/plasma/home.nix

@@ -0,0 +1,51 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.plasma;
+  image = ../../share/54345906_p0.jpg;
+in mkIf cfg.enable {
+  programs.plasma = {
+    # https://github.com/pjones/plasma-manager
+    enable = true;
+    #overrideConfig = true;
+
+    workspace = {
+      lookAndFeel = "org.kde.breezedark.desktop";
+      wallpaper = image;
+    };
+
+    hotkeys.commands = {
+      launch-konsole = {
+        name = "Launch Konsole";
+        key = "Meta+Enter";
+        command = "konsole";
+      };
+    };
+
+    configFile = {
+      baloofilerc."Basic Settings"."Indexing-Enabled" = false;
+      kscreenlockerrc.Greeter.Wallpaper."org.kde.image".General.Image = image;
+      kscreenlockerrc.Greeter.Wallpaper."org.kde.image".General.PreviewImage = image;
+    };
+  } // cfg.extraConfig;
+
+  home.activation.gtkCleanup = hm.dag.entryAfter [ "writeBoundary" ] ''
+    $DRY_RUN_CMD rm -f $HOME/.gtkrc-2.0.old
+  '';
+
+  qt.enable = false;
+  qt.platformTheme.name = null;
+
+  # gtk theme
+  gtk.theme = {
+    package = pkgs.kdePackages.breeze-gtk;
+    name = "Breeze-Dark";
+  };
+
+  # gtk icons
+  gtk.iconTheme = {
+    package = pkgs.kdePackages.breeze-icons;
+    name = "breeze-dark";
+  };
+}

home/plasma/nixos.nix

@@ -0,0 +1,52 @@
+{ pkgs
+, lib
+, config
+, plasma-manager
+, ... }: with lib; let
+  cfg = config.home.plasma;
+in {
+  options.home.plasma = {
+    enable = mkEnableOption "plasma desktop and configuration";
+    specialise = mkEnableOption "enable plasma in a specialisation";
+    extraConfig = mkOption {
+      type = with types; anything;
+      default = { };
+      description = "extra plasma-manager configuration";
+    };
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes plasma configuration to home-manager
+      { passthrough.plasma = cfg; }
+    ];
+
+    users.home.persist.files = mkIf cfg.enable [
+      ".config/kwinoutputconfig.json"
+    ];
+    users.home.persist.directories = mkIf cfg.enable [
+      ".local/share/kwalletd"
+    ];
+
+    services.desktopManager.plasma6 = mkIf cfg.enable {
+      enable = true;
+    };
+
+    home-manager.backupFileExtension = mkIf cfg.enable "old";
+    home-manager.sharedModules = [
+      plasma-manager.homeManagerModules.plasma-manager
+    ];
+
+    services.blueman = mkIf cfg.enable {
+      enable = mkForce false;
+    };
+
+    home = mkIf cfg.enable {
+      catppuccin.enable = mkForce false;
+    };
+
+    specialisation.plasma = mkIf cfg.specialise {
+      configuration.home.plasma.enable = true;
+    };
+  };
+}

home/profile.nix

@@ -1,6 +1,7 @@
 { pkgs
 , lib
 , config
+, inputs
 , ... }: with lib; let
   cfg = config.users;
 in {
@@ -86,6 +87,7 @@ in {
       adminGroups = [
         "wheel" "kvm"
         "systemd-journal"
+        "networkmanager"
       ];
 
       # base home modules in current directory
@@ -136,13 +138,36 @@ in {
     (filterAttrs (n: _: n != "root") config.users.profiles);
 
     home-manager.users = mapAttrs (name: opts: {
-      imports = cfg.homeModules;
+      imports = with inputs; cfg.homeModules ++ [
+        impermanence.homeManagerModules.impermanence
+        catppuccin.homeManagerModules.catppuccin
+      ];
       home.file.".face" = mkIf (opts.picture != null) {
         source = opts.picture;
       };
       home.stateVersion = "23.11";
     }) cfg.profiles;
 
+    system.activationScripts = mapAttrs'
+    (name: opts: nameValuePair
+    "${name}-profile-icon"
+    {
+      deps = [ "users" ];
+      text = let
+        iconDest = "/var/lib/AccountsService/icons/${name}";
+        userConf = pkgs.writeText "${name}-config" ''
+          [User]
+          Session=
+          Icon=${iconDest}
+          SystemAccount=false
+        '';
+      in ''
+        install -Dm 0444 ${opts.picture} ${iconDest}
+        install -Dm 0400 ${userConf} /var/lib/AccountsService/users/${name}
+      '';
+    })
+    (filterAttrs (n: _: n != "root") config.users.profiles);
+
     # set up standard persistence for users
     # this is registered internally for each software's configuration
     environment.persistence."/nix/persist" = {
@@ -158,6 +183,12 @@ in {
 
     # enable passwordless sudo
     security.sudo.wheelNeedsPassword = false;
+
+    # enable access in build-vm
+    virtualisation.vmVariant = {
+      users.users.koishi.password = "passwd";
+      users.users.koishi.hashedPasswordFile = mkForce null;
+    };
   };
 
   # this is for home components that need to extend nixos

home/sway/home.nix

@@ -10,6 +10,7 @@
 
     swaynag.enable = true;
     config = {
+      defaultWorkspace = "workspace number 1";
       modifier = "Mod4";
       keybindings = let
         modifier = config.wayland.windowManager.sway.config.modifier;
@@ -17,7 +18,7 @@
         XF86MonBrightnessUp = "light -A 5";
         XF86MonBrightnessDown = "light -U 5";
 
-        "Control+Alt+l" = "exec ${pkgs.swaylock}/bin/swaylock -c 000000";
+        "Control+Alt+l" = "exec swaylock -f --grace 0";
         "Print" = "exec ${pkgs.grim}/bin/grim - | ${pkgs.wl-clipboard}/bin/wl-copy";
         "${modifier}+Print" = "exec ${pkgs.grim}/bin/grim -g \"$(${pkgs.slurp}/bin/slurp)\" - | ${pkgs.wl-clipboard}/bin/wl-copy";
         "${modifier}+q" = "exec google-chrome-stable";

home/sway/nixos.nix

@@ -5,7 +5,7 @@
   gui = with config.global.gpu; enable && session;
   nvidia = with config.global.gpu; type == "nvidia" || type == "prime";
 in mkIf gui {
-  services.xserver.displayManager.sessionPackages = [
+  services.displayManager.sessionPackages = [
     (pkgs.writeTextFile {
       name = "sway-session";
       destination = "/share/wayland-sessions/sway.desktop";
@@ -22,7 +22,7 @@ in mkIf gui {
             for profile in ''${(z)NIX_PROFILES}; do
               fpath+=($profile/share/zsh/site-functions $profile/share/zsh/$ZSH_VERSION/functions $profile/share/zsh/vendor-completions)
             done
-            exec sway ${if nvidia then "--unsupported-gpu" else ""}
+            exec sway${if nvidia then " --unsupported-gpu" else ""} 2>&1 >> $XDG_CACHE_HOME/sway
           '';
           checkPhase = ''
             ${pkgs.stdenv.shellDryRun} "$target"
@@ -33,6 +33,5 @@ in mkIf gui {
     } // { providedSessions = [ pkgs.sway.meta.mainProgram ]; })
   ];
 
-  security.pam.services.swaylock = { };
   programs.light.enable = true;
 }

home/swayidle/home.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  services.swayidle = let
+    sway = config.wayland.windowManager.sway.package;
+    swaymsg = "${sway}/bin/swaymsg";
+    swaylock = "${config.programs.swaylock.package}/bin/swaylock";
+  in {
+    enable = true;
+    systemdTarget = "sway-session.target";
+    timeouts = [
+      { timeout = 600; command = "${swaymsg} 'output * dpms off'"; resumeCommand = "${swaymsg} 'output * dpms on'"; }
+    ];
+    events = [
+      { event = "before-sleep"; command = "${swaylock} -f --grace 0"; }
+    ];
+  };
+
+  # fullscreen as simple idle inhibitor shortcut
+  wayland.windowManager.sway.config.window.commands = [
+    { criteria.shell = ".*"; command = "inhibit_idle fullscreen"; }
+  ];
+}

home/swaylock/home.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; mkIf config.passthrough.gui {
+  programs.swaylock = {
+    enable = true;
+    package = pkgs.swaylock-effects;
+    settings = {
+      indicator-caps-lock = true;
+      font-size = 20;
+      ignore-empty-password = true;
+      show-failed-attempts = true;
+      color = mkDefault "#00000000";
+
+      # Ring
+      indicator-radius = 115;
+
+      # Swaylock-effects specific settings
+      clock = true;
+      timestr = "%r";
+      grace = 2;
+    };
+  };
+}

home/swaylock/nixos.nix

@@ -0,0 +1,8 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  gui = with config.global.gpu; enable && session;
+in mkIf gui {
+  security.pam.services.swaylock = { };
+}

home/util/home.nix

@@ -7,19 +7,22 @@ in {
   home.packages = with pkgs; [
     pv file wget e2fsprogs
   ] ++ optionals (!cfg.minimal) [
+    tio mbuffer sedutil
     lsscsi zip unzip
     nix-index dnsutils whois
     pciutils usbutils nvme-cli
   ] ++ optionals config.passthrough.gui [
     gtk-engine-murrine
     gnome-themes-extra
-    xfce.thunar gimp
 
     mission-planner
-    betaflight-configurator
     inav-configurator
     inav-blackbox-tools
     (blhelisuite32.override { workdir = "${config.home.homeDirectory}/.blhelisuite32"; })
+  ] ++ optionals (config.passthrough.gui && !config.passthrough.flatpak.enable) [
+    xfce.thunar gimp
+    jellyfin-media-player
+    betaflight-configurator
     expresslrs-configurator
   ];
 

home/util/nixos.nix

@@ -13,6 +13,8 @@ in {
     users.homeModules = [
       # this module passes util configuration to home-manager
       { passthrough.util = cfg; }
+      # this module passes flatpak configuration to home-manager
+      { passthrough.flatpak = config.global.flatpak; }
     ];
 
     programs.zsh.enable = true;
@@ -23,10 +25,20 @@ in {
       ".cache/nix-index"
     ] ++
     optionals gui [
+      # mission-planner
       ".local/share/Mission Planner"
-      ".config/ExpressLRS Configurator"
-      ".config/betaflight-configurator"
+      # inav-configurator
       ".config/inav-configurator"
+    ] ++
+    optionals (gui && !config.global.flatpak.enable) [
+      # jellyfin-media-player
+      ".config/jellyfin.org"
+      ".local/share/jellyfinmediaplayer"
+      ".local/share/Jellyfin Media Player"
+      # expresslrs-configurator
+      ".config/ExpressLRS Configurator"
+      # betaflight-configurator
+      ".config/betaflight-configurator"
     ];
   };
 }

home/vscode/home.nix

@@ -0,0 +1,24 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.passthrough.vscode;
+  theme = config.passthrough.catppuccin.enable;
+in mkIf cfg.enable {
+  programs.vscode = {
+    enable = true;
+    mutableExtensionsDir = false;
+    enableUpdateCheck = false;
+    enableExtensionUpdateCheck = false;
+    package = pkgs.vscodium;
+    extensions = with pkgs.vscode-extensions; [
+      catppuccin.catppuccin-vsc catppuccin.catppuccin-vsc-icons
+      bbenoist.nix golang.go rust-lang.rust-analyzer
+    ];
+    userSettings = {
+      "workbench.colorTheme" = mkIf theme "Catppuccin Mocha";
+      "workbench.iconTheme" = mkIf theme "catppuccin-mocha";
+      "[nix]"."editor.tabSize" = 2;
+    };
+  };
+}

home/vscode/nixos.nix

@@ -0,0 +1,19 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.home.vscode;
+in {
+  options.home.vscode = {
+    enable = mkEnableOption "vscode text editor";
+  };
+
+  config = {
+    users.homeModules = [
+      # this module passes vscode configuration to home-manager
+      { passthrough.vscode = cfg; }
+    ];
+
+    users.home.persist.directories = mkIf cfg.enable [ ".config/VSCodium" ];
+  };
+}

package/blhelisuite32/default.nix

@@ -65,7 +65,7 @@
     '';
   };
 in buildFHSUserEnv {
-  inherit pname;
+  inherit pname version;
   targetPkgs = pkgs: (with pkgs; [
     glib libGL curl
     libgcc gtk3

package/default.nix

@@ -10,4 +10,10 @@
     else { });
   }) (builtins.attrNames (builtins.readDir ./.)))
   ) ];
+
+  imports = lib.pipe ./. [
+    builtins.readDir
+    (lib.filterAttrs (n: ty: ty == "directory" && builtins.pathExists ./${n}/nixos.nix))
+    (lib.mapAttrsToList (n: _: ./${n}/nixos.nix))
+  ];
 }

package/expresslrs-configurator/default.nix

@@ -5,13 +5,13 @@
 , buildFHSUserEnv }: let
   name = "ExpressLRS-Configurator";
   pname = "expresslrs-configurator";
-  version = "1.6.1";
+  version = "1.7.2";
 
   dist = fetchzip {
     name = "${pname}-dist";
     url = "https://github.com/ExpressLRS/ExpressLRS-Configurator/releases/download/v${version}/${pname}-${version}.zip";
     stripRoot = false;
-    hash = "sha256-m/e8dsOadjk63cwfnnCBbjXzI/ooWZUGRM5n267JmhQ=";
+    hash = "sha256-pXmJ420HeJaMjAZCzlIriuFrTK5xabxTrSy3PDVisgU=";
   };
 
   desktopItem = makeDesktopItem {
@@ -23,7 +23,7 @@
     genericName = "radio link configuration & build tool";
   };
 in buildFHSUserEnv {
-  inherit pname;
+  inherit pname version;
   # copied from chromium deps
   targetPkgs = pkgs: (with pkgs; [
     glib fontconfig freetype pango cairo xorg.libX11 xorg.libXi atk nss nspr

package/photoview/default.nix

@@ -0,0 +1,74 @@
+{ lib
+, pkg-config
+, libjpeg_turbo
+, libheif
+, lapack
+, dlib
+, blas
+, ffmpeg
+, exiftool
+, darktable
+, fetchFromGitHub
+, buildGoModule
+, buildNpmPackage
+, runCommandLocal
+, makeWrapper }: buildGoModule rec {
+  pname = "photoview";
+  version = "2.4.0";
+
+  source = fetchFromGitHub {
+    name = "${pname}-src";
+    owner = pname;
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    hash = "sha256-ZfvBdQlyqONsrviZGL22Kt+AiPaVWwdoREDUrHDYyIs=";
+  };
+
+  src = source + "/api";
+  vendorHash = "sha256-Tn4OxSV41s/4n2Q3teJRJNc39s6eKW4xE9wW/CIR5Fg=";
+  nativeBuildInputs = [
+    pkg-config
+    makeWrapper
+  ];
+  buildInputs = [
+    libjpeg_turbo
+    libheif
+    lapack
+    dlib
+    blas
+  ];
+
+  ui = buildNpmPackage {
+    pname = "${pname}-ui";
+    inherit version;
+    src = source + "/ui";
+
+    #REACT_APP_API_ENDPOINT = "";
+    REACT_APP_BUILD_VERSION = version;
+    REACT_APP_BUILD_DATE = builtins.readFile (runCommandLocal "date" { } "date -uI > $out" );
+    REACT_APP_BUILD_COMMIT_SHA = "nix";
+
+    npmDepsHash = "sha256-wUbfq+7SuJUBxfy9TxHVda8A0g4mmYCbzJT64XBN2mI=";
+  };
+
+  postInstall = ''
+    mkdir -p "$out/lib/${pname}"
+
+    mv "$out/bin/api" "$out/bin/${pname}"
+    wrapProgram $out/bin/${pname} \
+      --prefix PATH ":" "${lib.makeBinPath [
+        ffmpeg
+        exiftool
+        darktable
+      ]}" \
+      --set PHOTOVIEW_SERVE_UI 1 \
+      --set PHOTOVIEW_UI_PATH "$out/lib/${pname}/ui"
+    cp -r \
+    "${src}/data/" \
+    "$out/lib/${pname}/data/"
+
+    cp -r \
+    "${ui}/lib/node_modules/photoview-ui/dist" \
+    "$out/lib/${pname}/ui"
+  '';
+}

package/photoview/nixos.nix

@@ -0,0 +1,148 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.services.photoview;
+in {
+  options.services.photoview = {
+    enable = mkEnableOption "photoview server";
+
+    package = mkOption {
+      type = with types; package;
+      default = pkgs.photoview;
+      description = "photoview package";
+    };
+
+    user = mkOption {
+      type = with types; str;
+      default = "photoview";
+      description = "user under which photoview runs";
+    };
+    group = mkOption {
+      type = with types; str;
+      default = "photoview";
+      description = "group under which photoview runs";
+    };
+
+    listen = {
+      host = mkOption {
+        type = with types; str;
+        default = "127.0.0.1";
+        description = "host to listen on";
+      };
+      port = mkOption {
+        type = with types; port;
+        default = 8000;
+        description = "port to listen on";
+      };
+    };
+
+    database = {
+      driver = mkOption {
+        type = with types; enum [ "sqlite" "mysql" "postgres" ];
+        default = "sqlite";
+        description = "database driver";
+      };
+      string = mkOption {
+        type = with types; str;
+        description = "database connection string";
+      };
+    };
+
+    stateDir = mkOption {
+      type = with types; str;
+      default = "/var/lib/photoview";
+      description = "path to photoview state directory";
+    };
+
+    cacheDir = mkOption {
+      type = with types; str;
+      default = "${cfg.stateDir}/media_cache";
+      description = "path to photoview media cache";
+    };
+
+    secrets = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = "path to secrets environment file";
+      example = ''
+        MAPBOX_TOKEN=
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.photoview = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "Photoview - Photo gallery for self-hosted personal servers";
+      environment = with cfg; {
+        PHOTOVIEW_LISTEN_IP = listen.host;
+        PHOTOVIEW_LISTEN_PORT = toString listen.port;
+        PHOTOVIEW_MEDIA_CACHE = cacheDir;
+        PHOTOVIEW_DATABASE_DRIVER = database.driver;
+        "PHOTOVIEW_${toUpper database.driver}_URL" = database.string;
+      };
+      serviceConfig = {
+        ExecStartPre = pkgs.writeShellScript "photoview-pre" ''
+          rm -f "${cfg.stateDir}/data"
+          ln -s "${cfg.package}/lib/photoview/data" "${cfg.stateDir}/data"
+        '';
+        ExecStart = "${cfg.package}/bin/photoview";
+        WorkingDirectory = cfg.stateDir;
+        User = cfg.user;
+        Group = cfg.group;
+        EnvironmentFile = mkIf (cfg.secrets != null) cfg.secrets;
+
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "all";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        ReadWritePaths = [ cfg.stateDir ];
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        UMask = "0077";
+      };
+    };
+
+    users.users = mkIf (cfg.user == "photoview") {
+      photoview = {
+        description = "photoview service account";
+        group = cfg.group;
+        uid = config.ids.uids.photoview;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "photoview") {
+      photoview.gid = config.ids.gids.photoview;
+    };
+
+    ids.uids.photoview = 287;
+    ids.gids.photoview = 287;
+  };
+}

package/tubesync/database-local-socket.patch

@@ -0,0 +1,27 @@
+diff --git a/tubesync/tubesync/local_settings.py.container b/tubesync/tubesync/local_settings.py.container
+index a7a07ab..7564138 100644
+--- a/tubesync/tubesync/local_settings.py.container
++++ b/tubesync/tubesync/local_settings.py.container
+@@ -34,14 +34,20 @@ if database_connection_env:
+     database_dict = parse_database_connection_string(database_connection_env)
+ 
+ 
++database_host = database_dict.get("HOST")
++if database_host == "localhost":
++    database_dict["HOST"] = None
++    database_dict["PASSWORD"] = None
++
++
+ if database_dict:
+     log.info(f'Using database connection: {database_dict["ENGINE"]}://'
+-             f'{database_dict["USER"]}:[hidden]@{database_dict["HOST"]}:'
++             f'{database_dict["USER"]}:[hidden]@{database_host}:'
+              f'{database_dict["PORT"]}/{database_dict["NAME"]}')
+     DATABASES = {
+         'default': database_dict,
+     }
+-    DATABASE_CONNECTION_STR = (f'{database_dict["DRIVER"]} at "{database_dict["HOST"]}:'
++    DATABASE_CONNECTION_STR = (f'{database_dict["DRIVER"]} at "{database_host}:'
+                                f'{database_dict["PORT"]}" database '
+                                f'"{database_dict["NAME"]}"')
+ else:

package/tubesync/default.nix

@@ -0,0 +1,139 @@
+{ lib
+, stdenvNoCC
+, ffmpeg
+, rtmpdump
+, atomicparsley
+, callPackage
+, fetchFromGitHub
+, fetchPypi
+, fetchpatch
+, makeWrapper
+, python3Packages }: with python3Packages; let
+  mkPypi = pname: version: src: format: buildPythonPackage {
+    inherit pname version src format;
+    doCheck = false;
+    nativeBuildInputs = [ setuptools ];
+  };
+
+  mkPypi' = pname: version: hash: format: mkPypi pname version
+  (fetchPypi {
+    inherit pname version hash;
+  }) format;
+
+  mkPypi'' = pname: version: hash: mkPypi' pname version hash
+  "setuptools";
+
+  django-compat = mkPypi'' "django-compat" "1.0.15" "sha256-OsmjvtxWuTZdnrJBvFFX0MGTdpv5lfmnjcG8JOfCMxs=";
+  django-appconf = mkPypi'' "django-appconf" "1.0.6" "sha256-z+h+qCfE7gS5pw+rkLhtcEywLymB+J2oQjyw+r+I778=";
+  django-basicauth = mkPypi'' "django-basicauth" "0.5.3" "sha256-FenjZvaY9TxxseeU2v6gYPmQoqxVa65rczDdJTJKCRw=";
+  django-sass-processor = mkPypi'' "django-sass-processor" "1.4" "sha256-sX850H06dRCuxCXBkZN+IwUC3ut8pr9pUKGt+LS3wcM=";
+  django-background-tasks = mkPypi'' "django-background-tasks" "1.2.5" "sha256-4bGejUlaJ2ydZMWh/4tBEy910vWORb5xt4ZQ2tWa+d4=";
+
+  django-compressor = let
+    pname = "django-compressor";
+    version = "4.4";
+  in mkPypi pname version (fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "refs/tags/${version}";
+    hash = "sha256-c9uS5Z077b23Aj8jV30XNsshbEfrLRX3ozXasitQ6UQ=";
+  }) "setuptools";
+
+  app = buildPythonApplication rec {
+    pname = "tubesync";
+    version = "0.13.6";
+    format = "other";
+
+    src = fetchFromGitHub {
+      name = "${pname}-src";
+      owner = "meeb";
+      repo = pname;
+      rev = "v${version}";
+      hash = "sha256-5l1HkMoTn99rNeeK5u+KoFejTFi2LfLyt8upq7xwrj0=";
+    };
+
+    patches = [
+      ./gunicorn-env.patch
+      ./state-dir-env.patch
+      ./database-local-socket.patch
+      ./ensure-fragments.patch
+    ];
+
+    propagatedBuildInputs = [
+      yt-dlp requests
+      httptools pillow
+      gunicorn whitenoise
+      psycopg2 mysqlclient
+      redis hiredis
+      libsass six
+    ] ++ [
+      django_3
+      django-compat
+      django-appconf
+      django-compressor
+      django-basicauth
+      django-sass-processor
+      django-background-tasks
+    ];
+
+    buildPhase = ''
+      mv "tubesync/tubesync/local_settings.py.container" "tubesync/tubesync/local_settings.py"
+      rm "tubesync/tubesync/local_settings.py.example"
+      rm "tubesync/tubesync/local_settings.py.container.orig"
+
+      python3 tubesync/manage.py compilescss
+      python3 tubesync/manage.py collectstatic --no-input
+    '';
+
+    installPhase = ''
+      mkdir -p "$out"
+      cp -r "tubesync" "$out/app"
+
+      FFMPEG_VERSION=$(${ffmpegFix}/bin/ffmpeg -version | head -n 1 | awk '{ print $3 }')
+      echo "ffmpeg_version = '$FFMPEG_VERSION'" >> "$out/app/common/third_party_versions.py"
+
+      mv "$out/app/static" "$out/static"
+      ln -s "/tmp/tubesync/static" "$out/app/static"
+    '';
+  };
+
+  ffmpegFix = ffmpeg.overrideAttrs (finalAttrs: previousAttrs: {
+    patches = previousAttrs.patches ++ [ (fetchpatch {
+      name = "avformat-webvttdec-skip-style-region.patch";
+      url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/51d303e20cbb0874172f50b5172c515a973587d4";
+      hash = "sha256-dxCjKZUz2H2QyktsprkzyfNp5aDG6X8deF4ZGdvhvfk=";
+    }) ];
+  });
+in stdenvNoCC.mkDerivation {
+  pname = "${app.pname}-wrapped";
+  inherit (app) version;
+
+  nativeBuildInputs = [ makeWrapper ];
+  unpackPhase = "true";
+  installPhase = let
+    prefix = ''--prefix PATH : "${lib.makeBinPath [
+      ffmpegFix rtmpdump atomicparsley
+    ]}"'';
+  in ''
+    mkdir -p "$out/bin"
+
+    makeWrapper "${python}/bin/python3" "$out/bin/tubesync-worker" \
+    --chdir ${app}/app --add-flags \
+    "${app}/app/manage.py process_tasks" \
+    ${prefix}
+
+    makeWrapper "${gunicorn}/bin/gunicorn" "$out/bin/tubesync-gunicorn" \
+    --chdir ${app}/app --add-flags \
+    "-c ${app}/app/tubesync/gunicorn.py --capture-output tubesync.wsgi:application" \
+    ${prefix}
+
+    makeWrapper "${python}/bin/python3" "$out/bin/tubesync-migrate" \
+    --chdir "${app}/app" --add-flags \
+    "${app}/app/manage.py migrate"
+  '';
+
+  passthru = {
+    inherit app;
+    pythonPath = makePythonPath app.propagatedBuildInputs;
+  };
+}

package/tubesync/ensure-fragments.patch

@@ -0,0 +1,15 @@
+diff --git a/tubesync/sync/youtube.py b/tubesync/sync/youtube.py
+index 4ac6e83..192b031 100644
+--- a/tubesync/sync/youtube.py
++++ b/tubesync/sync/youtube.py
+@@ -119,6 +119,10 @@ def download_media(url, media_format, extension, output_file, info_json,
+         'writesubtitles': write_subtitles,
+         'writeautomaticsub': auto_subtitles,
+         'subtitleslangs': sub_langs.split(','),
++        'progress_with_newline': True,
++        'fragment_retries': 65536,
++        'skip_unavailable_fragments': False,
++        'continue_dl': False,
+     }
+     
+     sbopt = {

package/tubesync/gunicorn-env.patch

@@ -0,0 +1,19 @@
+diff --git a/tubesync/tubesync/gunicorn.py b/tubesync/tubesync/gunicorn.py
+index d59c138..341af25 100644
+--- a/tubesync/tubesync/gunicorn.py
++++ b/tubesync/tubesync/gunicorn.py
+@@ -23,11 +23,10 @@ def get_bind():
+ 
+ workers = get_num_workers()
+ timeout = 30
+-chdir = '/app'
+ daemon = False
+-pidfile = '/run/app/gunicorn.pid'
+-user = 'app'
+-group = 'app'
++pidfile = os.getenv('GUNICORN_PID_FILE', '/var/run/tubesync/gunicorn.pid')
++user = os.getenv('GUNICORN_USER', 'tubesync')
++group = os.getenv('GUNICORN_GROUP', 'tubesync')
+ loglevel = 'info'
+ errorlog = '-'
+ accesslog = '/dev/null'  # Access logs are printed to stdout from nginx

package/tubesync/nixos.nix

@@ -0,0 +1,188 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.services.tubesync;
+in {
+  options.services.tubesync = {
+    enable = mkEnableOption "tubesync stack";
+    debug = mkEnableOption "debug logging";
+    package = mkOption {
+      type = with types; package;
+      default = pkgs.tubesync;
+      description = "tubesync launcher package";
+    };
+
+    workers = mkOption {
+      type = with types; int;
+      default = 1;
+      description = "maximum amount of concurrent workers";
+    };
+
+    user = mkOption {
+      type = with types; str;
+      default = "tubesync";
+      description = "user under which tubesync runs";
+    };
+    group = mkOption {
+      type = with types; str;
+      default = "tubesync";
+      description = "group under which tubesync runs";
+    };
+
+    listen = {
+      host = mkOption {
+        type = with types; str;
+        default = "127.0.0.1";
+        description = "host to listen on";
+      };
+      port = mkOption {
+        type = with types; port;
+        default = 8080;
+        description = "port to listen on";
+      };
+    };
+
+    stateDir = mkOption {
+      type = with types; str;
+      default = "/var/lib/tubesync";
+      description = "path to tubesync state storage directory";
+    };
+
+    dataDir = mkOption {
+      type = with types; str;
+      default = "${cfg.stateDir}/downloads";
+      description = "path to tubesync video downloads";
+    };
+
+    database = mkOption {
+      type = with types; str;
+      default = "postgresql://tubesync:@localhost:5432/tubesync";
+      description = "database connection string";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services = let
+      env = {
+        GUNICORN_PID_FILE = "${cfg.stateDir}/run/gunicorn.pid";
+        GUNICORN_USER = cfg.user;
+        GUNICORN_GROUP = cfg.group;
+        DATABASE_CONNECTION = cfg.database;
+        CONFIG_BASE_DIR = cfg.stateDir;
+        DOWNLOADS_BASE_DIR = cfg.dataDir;
+        TUBESYNC_DEBUG = mkIf cfg.debug "True";
+        TUBESYNC_WORKERS = toString cfg.workers;
+
+        PYTHONPATH = cfg.package.pythonPath;
+        REDIS_CONNECTION = "redis+socket://"
+        + "${cfg.stateDir}/run/redis.sock";
+      };
+
+      base = description: {
+        description = "tubesync: ${description}";
+        wantedBy = [ "multi-user.target" ];
+        environment = env;
+        path = [ cfg.package ];
+        serviceConfig = {
+          WorkingDirectory = cfg.stateDir;
+          User = cfg.user;
+          Group = cfg.group;
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          PrivateUsers = false;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProcSubset = "all";
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          ReadWritePaths = with cfg; [ stateDir dataDir ];
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_NETLINK"
+            "AF_UNIX"
+          ];
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged"
+            "@chown"
+          ];
+          #UMask = "0077";
+        };
+      };
+
+      base' = description: (base description) // {
+        after = [ "tubesync.service" ];
+        partOf = [ "tubesync.service" ];
+      };
+    in {
+      tubesync = recursiveUpdate (base "gunicorn") ({
+        after = [ "network.target" ];
+        serviceConfig = {
+          PIDFile = env.GUNICORN_PID_FILE;
+          ExecStartPre = pkgs.writeShellScript "tubesync-setup" ''
+            set -xe
+            tubesync-migrate
+            mkdir -p "${cfg.stateDir}/run"
+
+            mkdir -p "/tmp/tubesync"
+            cp -r "${cfg.package.app}/static/." "/tmp/tubesync/static"
+            chmod +w -R "/tmp/tubesync/static"
+          '';
+          ExecStart = "${cfg.package}/bin/tubesync-gunicorn";
+          ExecReload = "/usr/bin/env kill -s HUP $MAINPID";
+          ExecStop = "/usr/bin/env kill -s TERM $MAINPID";
+          ExecStopPost = pkgs.writeShellScript "tubesync-cleanup" ''
+            rm -f "$GUNICORN_PID_FILE"
+            rm -rf "/tmp/tubesync"
+          '';
+        };
+      });
+
+      tubesync-worker = recursiveUpdate (base' "worker") ({
+        serviceConfig.ExecStart = "${cfg.package}/bin/tubesync-worker";
+      });
+
+      # allow binding to unix socket
+      redis-tubesync-celery.serviceConfig.ReadWritePaths = [ "${cfg.stateDir}/run" ];
+    };
+
+    services.redis.servers.tubesync-celery = {
+      enable = true;
+      inherit (cfg) user;
+      unixSocket = "${cfg.stateDir}/run/redis.sock";
+      save = [ ];
+    };
+
+    users.users = mkIf (cfg.user == "tubesync") {
+      tubesync = {
+        description = "tubesync service account";
+        group = cfg.group;
+        uid = config.ids.uids.tubesync;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "tubesync") {
+      tubesync.gid = config.ids.gids.tubesync;
+    };
+
+    ids.uids.tubesync = 101;
+    ids.gids.tubesync = 101;
+
+    # package is local-only, will allow this for now
+    nixpkgs.config.permittedInsecurePackages = [
+      "python3.12-django-3.2.25"
+    ];
+  };
+}

package/tubesync/state-dir-env.patch

@@ -0,0 +1,16 @@
+diff --git a/tubesync/tubesync/local_settings.py.container b/tubesync/tubesync/local_settings.py.container
+index a7a07ab..9207c7f 100644
+--- a/tubesync/tubesync/local_settings.py.container
++++ b/tubesync/tubesync/local_settings.py.container
+@@ -6,9 +6,8 @@ from common.utils import parse_database_connection_string
+ 
+ 
+ BASE_DIR = Path(__file__).resolve().parent.parent
+-ROOT_DIR = Path('/')
+-CONFIG_BASE_DIR = ROOT_DIR / 'config'
+-DOWNLOADS_BASE_DIR = ROOT_DIR / 'downloads'
++CONFIG_BASE_DIR = Path(os.getenv('CONFIG_BASE_DIR', "/var/lib/tubesync"))
++DOWNLOADS_BASE_DIR = Path(os.getenv('DOWNLOADS_BASE_DIR', f"{CONFIG_BASE_DIR}/downloads"))
+ DJANGO_URL_PREFIX = os.getenv('DJANGO_URL_PREFIX', None)
+ STATIC_URL = str(os.getenv('DJANGO_STATIC_URL', '/static/'))
+ if DJANGO_URL_PREFIX and STATIC_URL:

spec/chireiden/default.nix

@@ -1,4 +1,4 @@
-{
+{ pkgs, ... }: {
   global = {
     id = "5d3c16fe58444e12ad621600039f10af";
     fs.esp.uuid = "32A5-6257";
@@ -18,18 +18,27 @@
   };
 
   home = {
+    gnome.enable = true;
+    vscode.enable = true;
+    libreoffice.enable = true;
     minecraft.enable = true;
     steam.enable = true;
   };
 
   powerManagement.enable = true;
   powerManagement.cpuFreqGovernor = "powersave";
+  powerManagement.resumeCommands = ''
+    # trackpad driver resume workaround
+    ${pkgs.kmod}/bin/modprobe -r psmouse
+    ${pkgs.kmod}/bin/modprobe psmouse
+  '';
 
   hardware.nvidia.prime = {
     intelBusId = "PCI:0:2:0";
     nvidiaBusId = "PCI:5:0:0";
   };
 
+  boot.plymouth.catppuccin.enable = false;
   hardware.enableRedistributableFirmware = true;
   boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];

spec/default.nix

@@ -12,6 +12,7 @@
         ./channel.nix
         impermanence.nixosModules.impermanence
         home-manager.nixosModules.home-manager
+        catppuccin.nixosModules.catppuccin
         {
           home-manager.useGlobalPkgs = true;
           home-manager.useUserPackages = true;

spec/eientei/default.nix

@@ -6,42 +6,29 @@
     auth.openssh.enable = true;
     fs.esp.uuid = "C368-7571";
     fs.type = "zfs";
-    fs.zfs.externalStore = true;
-    fs.external.device = "/dev/disk/by-uuid/d9202e56-a14f-4342-acdb-dbae33d680fc";
-    fs.external.fsType = "xfs";
-    fs.external.options = [ "noatime" ];
+    fs.zfs.alert.secret = "/nix/persist/secret/telegram";
+    fs.zfs.split.enable = true;
+    fs.zfs.split.store = "d9202e56-a14f-4342-acdb-dbae33d680fc";
+    fs.zfs.split.secret = "1404c4f1-b890-4cf0-ab8a-26bd81bd2254";
+    fs.zfs.replication.enable = true;
+    fs.zfs.replication.remote = "eientei@archive:archive/backup/koishi/eientei";
     fs.cryptsetup.enable = true;
     fs.cryptsetup.allowDiscards = false;
     fs.cryptsetup.uuids.secret = "c33c9b18-a280-42d7-8740-3f8d3f60dc43";
+    gpu.enable = true;
+    gpu.type = "intel";
+    gpu.session = false;
     boot.lanzaboote = true;
     boot.memtest = 4;
     acme.enable = true;
     oci.enable = true;
   };
 
-  services.fstrim.enable = true;
-  boot.swraid.enable = true;
-  boot.swraid.mdadmConf = ''
-    PROGRAM /usr/bin/true
-  '';
-  fileSystems."/nix/var/secret" =
-  { device = "/dev/disk/by-uuid/1404c4f1-b890-4cf0-ab8a-26bd81bd2254";
-    fsType = "ext4";
-    options = [ "noatime" ];
-    neededForBoot = true;
-    depends = [ "/nix/var" ];
-  };
-  boot.initrd.systemd.services.zfs-import-eientei.after = [ "cryptsetup.target" ];
-
   services.udev.extraRules = ''
     SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="80:61:5f:07:9e:2f", NAME="ix0"
     SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:e0:4c:68:bb:30", NAME="ss0"
   '';
-
-  networking.proxy = {
-    allProxy = "socks5://192.168.1.253:1080";
-    noProxy = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.1,localhost,.localdomain";
-  };
+  boot.kernelParams = [ "zfs.zfs_arc_max=17179869184" ];
 
   imports = lib.pipe ./. [
     builtins.readDir
@@ -55,6 +42,5 @@
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  networking.firewall.allowedTCPPorts = [ 25565 ];
   environment.systemPackages = with pkgs; [ python3 ];
 }

spec/eientei/frigate.nix

@@ -23,8 +23,8 @@
     ];
   };
 
-  networking.firewall.interfaces.enp0s20f0u1.allowedTCPPorts = [ 5000 8554 8555 ];
-  networking.firewall.interfaces.enp0s20f0u1.allowedUDPPorts = [ 8555 ];
+  networking.firewall.interfaces.ss0.allowedTCPPorts = [ 5000 8554 8555 ];
+  networking.firewall.interfaces.ss0.allowedUDPPorts = [ 8555 ];
 
   global.fs.zfs.mountpoints."/nix/persist/service/frigate" = "service/frigate";
 }

spec/eientei/hass.nix

@@ -13,9 +13,25 @@
       "mqtt"
       "synology_dsm"
     ];
+
+    extraPackages = python3Packages: with python3Packages; [
+      aiogithubapi gtts radios
+    ];
   };
 
-  nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
+  services.nginx.virtualHosts."home.514fpv.io" = {
+    useACMEHost = ".514fpv.io";
+    addSSL = true;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8123";
+      proxyWebsockets = true;
+    };
+  };
 
   global.fs.zfs.mountpoints."/nix/persist/service/hass" = "service/hass";
+
+  nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
 }

spec/eientei/jellyfin.nix

@@ -0,0 +1,35 @@
+{ pkgs
+, config
+, ...}: {
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+    dataDir = "/nix/persist/service/jellyfin";
+  };
+
+  environment.systemPackages = with pkgs; [ jellyfin jellyfin-web jellyfin-ffmpeg ];
+
+  users.users.jellyfin.uid = 282;
+  users.groups.jellyfin.gid = 282;
+
+  services.nginx.virtualHosts."jellyfin.514fpv.io" = {
+    useACMEHost = ".514fpv.io";
+    addSSL = true;
+    locations = {
+      "= /".return = "302 https://jellyfin.514fpv.io:2096/web/";
+      "/" = {
+        proxyPass = "http://127.0.0.1:8096";
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+      };
+      "= /web/".proxyPass = "http://127.0.0.1:8096/web/index.html";
+      "/socket" = {
+        proxyPass = "http://127.0.0.1:8096";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  global.fs.zfs.mountpoints."/nix/persist/service/jellyfin" = "service/jellyfin";
+}

spec/eientei/matrix.nix

@@ -40,6 +40,7 @@ in {
     locations."/".extraConfig = ''
       return 404;
     '';
+    locations."/health".proxyPass = "http://127.0.0.1:8008";
     locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
     locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
   };

spec/eientei/minecraft.nix

@@ -0,0 +1,106 @@
+{ pkgs, lib, config, ... }: let
+  inherit (lib) mapAttrs' nameValuePair;
+
+  servers = {
+    #bungeecord = {
+    #  cmdline = "${pkgs.graalvmCEPackages.graalvm-ce}/bin/java -Xms2G -Xmx4G -XX:+UseG1GC -XX:G1HeapRegionSize=4M -XX:+UnlockExperimentalVMOptions -XX:+ParallelRefProcEnabled -XX:+AlwaysPreTouch -jar waterfall-1.20-578.jar";
+    #  stop = "end";
+    #};
+
+    #limbo = {
+    #  cmdline = "${pkgs.graalvmCEPackages.graalvm-ce}/bin/java -Xms1G -Xmx1G -jar NanoLimbo-1.8-all.jar";
+    #  stop = "stop";
+    #};
+
+    greedycraft = {
+      cmdline = "${pkgs.jdk8}/bin/java -Xmx10G -Xms10G -Xss4M -Dfile.encoding=GBK -Dsun.rmi.dgc.server.gcInterval=1800000 -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:+AlwaysPreTouch -XX:+UseStringDeduplication -Dfml.ignorePatchDiscrepancies=true -Dfml.ignoreInvalidMinecraftCertificates=true -XX:-OmitStackTraceInFastThrow -XX:+OptimizeStringConcat -XX:+UseAdaptiveGCBoundary -XX:G1HeapRegionSize=32M -jar forge-1.12.2-14.23.5.2855.jar nogui";
+      stop = "stop";
+    };
+
+    nfwc = {
+      cmdline = "${pkgs.jdk}/bin/java @user_jvm_args.txt @libraries/net/minecraftforge/forge/1.19.2-43.3.8/unix_args.txt";
+      stop = "stop";
+    };
+  };
+
+  prefix = "minecraft-server-";
+  data = "/nix/persist/service/minecraft";
+in {
+  # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/games/minecraft-server.nix
+  users.users.minecraft = {
+    description     = "Minecraft server service user";
+    home            = data;
+    createHome      = true;
+    isSystemUser    = true;
+    uid             = 1021;
+    group           = "minecraft";
+  };
+  users.groups.minecraft.gid = 1021;
+
+  systemd.sockets = mapAttrs' (name: value: with value; (nameValuePair "${prefix}${name}" {
+    bindsTo = [ "${prefix}${name}.service" ];
+    socketConfig = {
+      ListenFIFO = "/run/minecraft-server/${name}.stdin";
+      SocketMode = "0660";
+      SocketUser = "minecraft";
+      SocketGroup = "minecraft";
+      RemoveOnStop = true;
+      FlushPending = true;
+    };
+  })) servers;
+
+  systemd.services = let
+    stopScript = { name, stop }: pkgs.writeShellScript "minecraft-server-stop" ''
+      echo ${stop} > ${config.systemd.sockets."${prefix}${name}".socketConfig.ListenFIFO}
+
+      # Wait for the PID of the minecraft server to disappear before
+      # returning, so systemd doesn't attempt to SIGKILL it.
+      while kill -0 "$1" 2> /dev/null; do
+        sleep 1s
+      done
+    '';
+  in mapAttrs' (name: value: with value; (nameValuePair "${prefix}${name}" {
+    description   = "Minecraft Server Service for ${name}";
+    wantedBy      = [ "multi-user.target" ];
+    requires      = [ "${prefix}${name}.socket" ];
+    after         = [ "network.target" "${prefix}${name}.socket" ];
+    path          = [ pkgs.bash ];
+
+    serviceConfig = {
+      ExecStart = cmdline;
+      ExecStop = "${stopScript { inherit name stop; }} $MAINPID";
+      Restart = "always";
+      User = "minecraft";
+      WorkingDirectory = "${data}/${name}";
+
+      StandardInput = "socket";
+      StandardOutput = "journal";
+      StandardError = "journal";
+
+      # Hardening
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+    };
+  })) servers;
+
+  global.fs.zfs.mountpoints.${data} = "service/minecraft";
+  networking.firewall.allowedTCPPorts = [ 25565 ];
+}

spec/eientei/nextcloud.nix

@@ -4,11 +4,12 @@
 in {
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud28;
+    package = pkgs.nextcloud30;
     extraApps = {
-      inherit (pkgs.nextcloud28Packages.apps)
+      inherit (pkgs.nextcloud30Packages.apps)
       notify_push impersonate spreed
-      contacts bookmarks deck polls notes forms;
+      contacts bookmarks deck polls notes forms
+      twofactor_webauthn;
     };
     home = "/nix/persist/service/nextcloud";
     configureRedis = true;
@@ -22,6 +23,7 @@ in {
     config.adminpassFile = builtins.toString (pkgs.writeText "password" "initial_password");
     settings.overwriteprotocol = "https";
     settings.default_phone_region = "US";
+    settings.maintenance_window_start = 17;
     caching.redis = true;
     phpOptions.upload_max_filesize = "128G";
     phpOptions.post_max_size = "128G";

spec/eientei/nginx.nix

@@ -17,18 +17,6 @@
         useACMEHost = ".514fpv.io";
         extraConfig = "return 444;";
       };
-
-      "home.514fpv.io" = {
-        useACMEHost = ".514fpv.io";
-        addSSL = true;
-        extraConfig = ''
-          proxy_buffering off;
-        '';
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8123";
-          proxyWebsockets = true;
-        };
-      };
     };
   };
 

spec/eientei/photoprism.nix

@@ -0,0 +1,36 @@
+{ lib
+, ... }: with lib; {
+  services.photoprism = {
+    enable = true;
+    originalsPath = "/run/storage/aerial/raw";
+    settings = {
+      PHOTOPRISM_ADMIN_USER = "koishi";
+      PHOTOPRISM_FFMPEG_ENCODER = "vaapi";
+      PHOTOPRISM_ORIGINALS_LIMIT = "-1";
+      PHOTOPRISM_RESOLUTION_LIMIT = "-1";
+    };
+    passwordFile = "/var/lib/photoprism/password";
+  };
+
+  services.nginx.virtualHosts."raw.514fpv.io" = {
+    useACMEHost = ".514fpv.io";
+    addSSL = true;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:2342";
+      proxyWebsockets = true;
+    };
+  };
+
+  systemd.services.photoprism.serviceConfig = {
+    PrivateDevices = mkForce false;
+    DevicePolicy = "closed";
+    DeviceAllow = [ "/dev/dri/renderD128 rw" ];
+  };
+
+  environment.persistence."/nix/persist/fhs".directories = [
+    "/var/lib/private/photoprism"
+  ];
+}

spec/eientei/photoview.nix

@@ -0,0 +1,20 @@
+{
+  services.photoview = {
+    enable = true;
+    database.driver = "postgres";
+    database.string = "postgresql:///photoview?host=/var/run/postgresql";
+    stateDir = "/nix/persist/service/photoview";
+    secrets = "/nix/persist/service/photoview/secrets.env" ;
+  };
+
+  services.nginx.virtualHosts."dvr.514fpv.io" = {
+    useACMEHost = ".514fpv.io";
+    addSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8000";
+      proxyWebsockets = true;
+    };
+  };
+
+  global.fs.zfs.mountpoints."/nix/persist/service/photoview" = "service/photoview";
+}

spec/eientei/tubesync.nix

@@ -0,0 +1,8 @@
+{
+  services.tubesync = {
+    enable = false;
+    stateDir = "/nix/persist/service/tubesync";
+  };
+
+  global.fs.zfs.mountpoints."/nix/persist/service/tubesync" = "service/tubesync";
+}

spec/eientei/vaultwarden.nix

@@ -0,0 +1,27 @@
+{
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = "/nix/persist/service/vaultwarden/secret.env";
+    config = {
+      domain = "https://vault.514fpv.io:2096";
+      signupsAllowed = false;
+      rocketAddress = "127.0.0.1";
+      rocketPort = 8222;
+      rocketLog = "critical";
+      databaseUrl = "postgresql:///vaultwarden";
+    };
+    dbBackend = "postgresql";
+  };
+
+  services.nginx.virtualHosts."vault.514fpv.io" = {
+    useACMEHost = ".514fpv.io";
+    addSSL = true;
+    locations."/".proxyPass = "http://127.0.0.1:8222";
+  };
+
+  environment.persistence."/nix/persist/fhs".directories = [
+    "/var/lib/bitwarden_rs"
+  ];
+
+  global.fs.zfs.mountpoints."/nix/persist/service/vaultwarden" = "service/vaultwarden";
+}

spec/focus/default.nix

@@ -5,38 +5,31 @@
     auth.openssh.enable = true;
     fs.esp.uuid = "8C36-CBE2";
     fs.type = "zfs";
-    fs.zfs.externalStore = true;
-    fs.external.device = "/dev/disk/by-uuid/59b73292-8098-4774-b8b6-59c23130d405";
-    fs.external.fsType = "xfs";
-    fs.external.options = [ "noatime" ];
+    fs.zfs.alert.secret = "/nix/persist/secret/telegram";
+    fs.zfs.split.enable = true;
+    fs.zfs.split.store = "59b73292-8098-4774-b8b6-59c23130d405";
+    fs.zfs.split.secret = "f8983719-f9e7-42b2-b8f3-0f32f6b328ae";
+    fs.zfs.replication.enable = true;
+    fs.zfs.replication.remote = "focus@edge.514fpv.io:archive/backup/koishi/focus";
+    fs.zfs.replication.port = 8087;
     fs.cryptsetup.enable = true;
     fs.cryptsetup.allowDiscards = false;
     fs.cryptsetup.uuids.secret = "c2bc361e-6f9a-48fa-b698-ed3603a9664a";
     boot.lanzaboote = true;
     boot.memtest = 4;
     acme.enable = true;
+    netdata.enable = true;
+    netdata.host = "sf.514fpv.io";
+    netdata.addSSL = true;
+    netdata.useACMEHost = "sf.514fpv.io";
   };
 
-  services.fstrim.enable = true;
-  boot.swraid.enable = true;
-  boot.swraid.mdadmConf = ''
-    PROGRAM /usr/bin/true
-  '';
-  fileSystems."/nix/var/secret" =
-  { device = "/dev/disk/by-uuid/f8983719-f9e7-42b2-b8f3-0f32f6b328ae";
-    fsType = "ext4";
-    options = [ "noatime" ];
-    neededForBoot = true;
-    depends = [ "/nix/var" ];
-  };
-  boot.initrd.systemd.services.zfs-import-focus.after = [ "cryptsetup.target" ];
-
   services.udev.extraRules = ''
     SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="6c:b3:11:3d:80:13", NAME="2g5"
   '';
 
   networking.proxy = {
-    allProxy = "socks5://192.168.1.1:1080";
+    allProxy = "http://compat:3128";
     noProxy = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.1,localhost,.localdomain";
   };
 

spec/focus/grafana.nix

@@ -1,36 +0,0 @@
-{ config
-, ... }: {
-  services.grafana = {
-    enable = true;
-    dataDir = "/nix/persist/service/grafana";
-    settings = {
-      server = {
-        http_addr = "127.0.0.1";
-        http_port = 3000;
-        domain = "sf.514fpv.io";
-        root_url = "https://sf.514fpv.io:8086/dash";
-        serve_from_sub_path = true;
-      };
-    };
-  };
-
-  services.prometheus = {
-    enable = true;
-    port = 9001;
-    exporters = {
-      node = {
-        enable = true;
-        enabledCollectors = [ "systemd" ];
-        port = 9002;
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."sf.514fpv.io".locations."/dash/" = {
-    proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
-    proxyWebsockets = true;
-    recommendedProxySettings = true;
-  };
-
-  global.fs.zfs.mountpoints."/nix/persist/service/grafana" = "service/grafana";
-}

spec/focus/nextcloud.nix

@@ -4,16 +4,18 @@
 in {
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud28;
+    package = pkgs.nextcloud30;
     extraApps = {
-      inherit (pkgs.nextcloud28Packages.apps)
+      inherit (pkgs.nextcloud30Packages.apps)
       notify_push impersonate spreed
-      contacts bookmarks deck polls notes forms;
+      contacts bookmarks deck polls notes forms
+      twofactor_webauthn;
     };
     home = "/nix/persist/service/nextcloud";
     configureRedis = true;
     webfinger = true;
     maxUploadSize = "128G";
+    fastcgiTimeout = 300;
     hostName = host;
     phpExtraExtensions = all: with all; [ bz2 ];
     database.createLocally = true;
@@ -21,6 +23,7 @@ in {
     config.adminuser = "koishi";
     config.adminpassFile = builtins.toString (pkgs.writeText "password" "initial_password");
     settings.overwriteprotocol = "https";
+    settings.maintenance_window_start = 17;
     settings.default_phone_region = "US";
     settings.default_language = "zh";
     settings.default_locale = "zh_Hans_CN";

spec/focus/nginx.nix

@@ -17,14 +17,6 @@
         useACMEHost = ".sf.514fpv.io";
         extraConfig = "return 444;";
       };
-
-      "sf.514fpv.io" = {
-        addSSL = true;
-        useACMEHost = "sf.514fpv.io";
-        locations."/" = {
-          return = "307 https://sf.514fpv.io:8086/dash/";
-        };
-      };
     };
   };
 

spec/hakugyokurou/default.nix

@@ -0,0 +1,61 @@
+{ pkgs, lib, config, ... }: {
+  global = {
+    id = "09a2900f15b74f36b023a9ebcd539f6a";
+    fs.esp.uuid = "AE73-B83E";
+    fs.type = "xfs";
+    fs.store = "e4c673cb-03c5-44ac-b2f1-1085a7f7a553";
+    fs.cryptsetup.enable = true;
+    fs.cryptsetup.uuids.persist = "122001b1-7a43-4bab-ae7c-ba8eeb1cc864";
+    boot.lanzaboote = true;
+    gpu.enable = true;
+    gpu.type = "amdgpu";
+    android.enable = true;
+  };
+
+  home = {
+    gnome.enable = true;
+    jetbrains.enable = true;
+    vscode.enable = true;
+    steam.enable = true;
+    minecraft.enable = true;
+    minecraft.user = "app";
+  };
+
+  users.homeModules = [ {
+    wayland.windowManager.sway.config = {
+      input = {
+        "9610:30:HID_258a:001e_Mouse".natural_scroll = "disabled";
+        "1539:61441:NVTK0603:00_0603:F001_UNKNOWN".map_to_output = "eDP-1";
+        "1539:61441:NVTK0603:00_0603:F001".map_to_output = "eDP-1";
+      };
+      output = {
+        eDP-1.scale = "2";
+        eDP-1.transform = "270";
+      };
+    };
+  } ];
+
+  powerManagement.enable = true;
+  powerManagement.cpuFreqGovernor = "performance";
+  boot.kernelParams = [
+    "video=eDP-1:panel_orientation=left_side_up"
+  ];
+  boot.plymouth.extraConfig = ''
+    DeviceScale=2
+  '';
+
+  services.greetd.settings.default_session.command = let
+    cfg = config.programs.regreet;
+  in lib.mkOverride 999 "${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${pkgs.writeShellScript "cageResolution" ''
+    ${lib.getExe pkgs.wlr-randr} --output eDP-1 --scale 2 --transform 90
+    ${lib.getExe cfg.package}
+  ''}";
+
+  hardware.sensor.iio.enable = true;
+  hardware.enableRedistributableFirmware = true;
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+  hardware.cpu.intel.updateMicrocode = true;
+}

spec/incinerator/default.nix

@@ -21,4 +21,5 @@
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
   boot.kernelParams = [ "console=ttyS0,115200n8" ];
+  boot.initrd.systemd.emergencyAccess = true;
 }

spec/koumakyou/default.nix

@@ -1,50 +1,71 @@
-{ pkgs
-, lib
-, ... }: {
+{ pkgs, lib, config, jovian, ... }: {
   global = {
-    id = "eeb44fb1150944aab7d146b7caad789f";
-    auth.openssh.enable = true;
-    fs.esp.uuid = "B20E-5994";
+    id = "0a920a834b5f480bab258040096d4c6e";
+    fs.esp.uuid = "ACB3-4AFF";
     fs.type = "xfs";
-    fs.store = "e8eea851-51b0-4c29-80c4-3d9358c4f3f8";
-    fs.external.enable = true;
-    fs.external.device = "/dev/disk/by-uuid/f0e13b58-1223-479c-b673-3a8e629c7f72";
-    fs.external.fsType = "ext4";
+    fs.store = "6b885fa6-5c13-4a46-94da-a287232606b9";
     fs.cryptsetup.enable = true;
-    fs.cryptsetup.uuids.nix = "84baa53a-c76d-4716-813a-196f5a53e44d";
-    fs.cryptsetup.uuids.persist = "e31f8b1c-6504-4b43-93dd-997ad17ebf5e";
+    fs.cryptsetup.uuids.persist = "b4a5a66d-b491-4ac7-bc71-1ea8b1a503be";
     boot.lanzaboote = true;
     gpu.enable = true;
-    gpu.type = "prime";
-    asusd.enable = true;
-    oci.enable = true;
+    gpu.type = "amdgpu";
   };
 
   home = {
-    gyroflow.enable = true;
+    jetbrains.enable = true;
+    vscode.enable = true;
     minecraft.enable = true;
-    minecraft.allUsers = true;
-    steam.enable = true;
-    steam.allUsers = true;
+    minecraft.user = "app";
   };
 
+  users.homeModules = [ {
+    wayland.windowManager.sway.config = {
+      input."1046:911:Goodix_Capacitive_TouchScreen".map_to_output = "eDP-1";
+      output = {
+        eDP-1.scale = "1.75";
+      };
+    };
+  } ];
+
   powerManagement.enable = true;
   powerManagement.cpuFreqGovernor = "performance";
+  powerManagement.resumeCommands = ''
+    # trackpad driver resume workaround
+    ${pkgs.kmod}/bin/modprobe -r bmi260_i2c
+    ${pkgs.kmod}/bin/modprobe -r bmi260_core
+    ${pkgs.kmod}/bin/modprobe bmi260_i2c
+    ${pkgs.kmod}/bin/modprobe bmi260_core
+  '';
+  console.packages = [ pkgs.terminus_font ];
+  console.font = "ter-v32n";
+  console.earlySetup = true;
 
-  hardware.nvidia.prime = {
-    amdgpuBusId = "PCI:6:0:0";
-    nvidiaBusId = "PCI:1:0:0";
+  specialisation.desktop.configuration = {
+    global.jovian = false;
+    jovian.steamos.useSteamOSConfig = false;
+    services.greetd.settings.default_session.command = let
+      cfg = config.programs.regreet;
+    in "${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${pkgs.writeShellScript "cageResolution" ''
+      ${lib.getExe pkgs.wlr-randr} --output eDP-1 --scale 2
+      ${lib.getExe cfg.package}
+    ''}";
+    environment.systemPackages = with pkgs; [
+      (writeShellScriptBin "sway-logout" ''
+        ${systemd}/bin/systemctl --user unset-environment WAYLAND_DISPLAY SWAYSOCK
+        ${sway}/bin/swaymsg exit
+      '')
+    ];
   };
 
-  imports = lib.pipe ./. [
-    builtins.readDir
-    (lib.filterAttrs (n: ty: ty == "regular" && n != "default.nix"))
-    (lib.mapAttrsToList (n: _: ./${n}))
-  ];
-
   hardware.enableRedistributableFirmware = true;
-  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
+  hardware.cpu.intel.updateMicrocode = true;
+
+  imports = [
+    jovian.nixosModules.jovian
+    ./jovian.nix
+  ];
 }

spec/koumakyou/jovian.nix

@@ -0,0 +1,80 @@
+{ pkgs, lib, config, ... }: with lib; {
+  options.global.jovian = mkEnableOption "set up Jovian NixOS" // { default = true; };
+
+  config = mkIf config.global.jovian {
+    jovian = {
+      hardware.has.amd.gpu = true;
+      steamos.useSteamOSConfig = true;
+      steamos.enableDefaultCmdlineConfig = false;
+
+      steam = {
+        enable = true;
+        autoStart = true;
+        desktopSession = "plasma";
+        user = "app";
+      };
+    };
+
+    users.home.persistApp.directories = [
+      ".steam" ".local/share/Steam"
+      ".config/gamescope" ".config/hhd"
+      ".kodi"
+    ];
+
+    users.users.app.extraGroups = [ "networkmanager" "gamemode" ];
+    programs.gamemode.enable = true;
+    programs.regreet.enable = false;
+    home.plasma.enable = true;
+    home.plasma.extraConfig = {
+      configFile = {
+        kwinrc.Xwayland.Scale = 1.75;
+        kscreenlockerrc.Daemon.Autolock = false;
+      };
+    };
+
+    home-manager.users.app = {
+      home.packages = with pkgs; [
+        (pkgs.kodi-wayland.passthru.withPackages (kodiPkgs: with kodiPkgs; [
+          joystick # keymap steam-controller
+          #controller-topology-project
+          libretro libretro-2048
+          libretro-fuse libretro-genplus libretro-mgba
+          libretro-nestopia libretro-snes9x
+          jellycon
+        ]))
+      ];
+
+      home.pointerCursor = {
+        package = pkgs.steamdeck-hw-theme;
+        name = "steam";
+      };
+    };
+
+    services.handheld-daemon = {
+      enable = true;
+      user = "app";
+    };
+
+    jovian.decky-loader = {
+      # ~/.steam/steam/.cef-enable-remote-debugging
+      enable = true;
+      user = "app";
+      extraPackages = with pkgs; [
+        curl unzip util-linux gnugrep procps pciutils kmod ryzenadj
+      ];
+      extraPythonPackages = pythonPackages: with pythonPackages; [
+        hid pyyaml
+      ];
+      stateDir = "/nix/persist/decky";
+    };
+
+    boot.kernelParams = [
+      "iomem=relaxed"
+      "amd_pstate=passive"
+    ];
+
+    services.udev.extraRules = ''
+      SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="${pkgs.ryzenadj}/bin/ryzenadj --max-performance"
+    '';
+  };
+}

spec/reimaden/ac71/Makefile

@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: GPL-2.0
+PWD := $(shell pwd)
+MODNAME = ac71
+MODVER = 0.0
+
+obj-m += $(MODNAME).o
+
+# alphabetically sorted
+$(MODNAME)-y += ec.o \
+		main.o \
+		misc.o \
+		pdev.o \
+		events.o \
+
+$(MODNAME)-$(CONFIG_ACPI_BATTERY) += battery.o
+$(MODNAME)-$(CONFIG_HWMON)        += hwmon.o hwmon_fan.o hwmon_pwm.o fan.o
+
+all:
+	$(MAKE) -C $(KERNEL_DIR) M=$(PWD) modules
+
+install:
+	$(MAKE) -C $(KERNEL_DIR) M=$(PWD) modules_install
+
+clean:
+	$(MAKE) -C $(KERNEL_DIR) M=$(PWD) clean

spec/reimaden/ac71/battery.c

@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: GPL-2.0
+#include "pr.h"
+
+#include <linux/device.h>
+#include <linux/kernel.h>
+#include <linux/moduleparam.h>
+#include <linux/power_supply.h>
+#include <acpi/battery.h>
+#include <linux/sysfs.h>
+#include <linux/types.h>
+#include <linux/version.h>
+
+#include "ec.h"
+
+/* ========================================================================== */
+
+#if IS_ENABLED(CONFIG_ACPI_BATTERY)
+
+static bool battery_hook_registered;
+
+static bool nobattery;
+module_param(nobattery, bool, 0444);
+MODULE_PARM_DESC(nobattery, "do not expose battery related controls (default=false)");
+
+/* ========================================================================== */
+
+static ssize_t charge_control_end_threshold_show(struct device *dev,
+						 struct device_attribute *attr, char *buf)
+{
+	int status = ec_read_byte(BATT_CHARGE_CTRL_ADDR);
+
+	if (status < 0)
+		return status;
+
+	status &= BATT_CHARGE_CTRL_VALUE_MASK;
+
+	if (status == 0)
+		status = 100;
+
+	return sprintf(buf, "%d\n", status);
+}
+
+static ssize_t charge_control_end_threshold_store(struct device *dev, struct device_attribute *attr,
+						  const char *buf, size_t count)
+{
+	int status, value;
+
+	if (kstrtoint(buf, 10, &value) || !(1 <= value && value <= 100))
+		return -EINVAL;
+
+	status = ec_read_byte(BATT_CHARGE_CTRL_ADDR);
+	if (status < 0)
+		return status;
+
+	if (value == 100)
+		value = 0;
+
+	status = (status & ~BATT_CHARGE_CTRL_VALUE_MASK) | value;
+
+	status = ec_write_byte(BATT_CHARGE_CTRL_ADDR, status);
+
+	if (status < 0)
+		return status;
+
+	return count;
+}
+
+static DEVICE_ATTR_RW(charge_control_end_threshold);
+static struct attribute *ac71_batt_attrs[] = {
+	&dev_attr_charge_control_end_threshold.attr,
+	NULL
+};
+ATTRIBUTE_GROUPS(ac71_batt);
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 2, 0)
+static int ac71_batt_add(struct power_supply *battery, struct acpi_battery_hook *hook)
+#else
+static int ac71_batt_add(struct power_supply *battery)
+#endif
+{
+	if (strcmp(battery->desc->name, "BAT0") != 0)
+		return 0;
+
+	return device_add_groups(&battery->dev, ac71_batt_groups);
+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 2, 0)
+static int ac71_batt_remove(struct power_supply *battery, struct acpi_battery_hook *hook)
+#else
+static int ac71_batt_remove(struct power_supply *battery)
+#endif
+{
+	if (strcmp(battery->desc->name, "BAT0") != 0)
+		return 0;
+
+	device_remove_groups(&battery->dev, ac71_batt_groups);
+	return 0;
+}
+
+static struct acpi_battery_hook ac71_batt_hook = {
+	.add_battery    = ac71_batt_add,
+	.remove_battery = ac71_batt_remove,
+	.name           = "AC71 laptop battery extension",
+};
+
+int __init ac71_battery_setup(void)
+{
+	if (nobattery)
+		return -ENODEV;
+
+	battery_hook_register(&ac71_batt_hook);
+	battery_hook_registered = true;
+
+	return 0;
+}
+
+void ac71_battery_cleanup(void)
+{
+	if (battery_hook_registered)
+		battery_hook_unregister(&ac71_batt_hook);
+}
+
+#endif

spec/reimaden/ac71/battery.h

@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: GPL-2.0
+#ifndef AC71_BATTERY_H
+#define AC71_BATTERY_H
+
+#if IS_ENABLED(CONFIG_ACPI_BATTERY)
+
+#include <linux/init.h>
+
+int  __init ac71_battery_setup(void);
+void        ac71_battery_cleanup(void);
+
+#else
+
+static inline int ac71_battery_setup(void)
+{
+	return 0;
+}
+
+static inline void ac71_battery_cleanup(void)
+{
+
+}
+
+#endif
+
+#endif /* AC71_BATTERY_H */