test

t14: use yubikey for git signing
waybar: add padding to battery icon
2025-09-24 21:27:41 -06:00 · 2025-09-24 21:25:08 -06:00 · 2025-09-24 18:24:10 -06:00 · 2025-09-23 07:36:36 -06:00 · 2025-09-23 01:44:09 -06:00 · 2025-09-23 01:42:59 -06:00
137 changed files with 5849 additions and 222 deletions
--- a/README.md
+++ b/README.md
@ -1,8 +1,41 @@
-### Push:
+# Nix configuration
+
+## Updating
+
+Update flake
+
+    nix flake update --commit-lock-file
+
+Switch current machine
+
+    sudo nixos-rebuild switch --flake . --show-trace
+
+Switch current home manager
+
+    home-manager switch --flake . --show-trace
+
+Switch server
+
+    nixos-rebuild switch --target-host root@posixlycorrect.com --use-substitutes --show-trace --flake .\#vps
+
+Update homepage
+
+    nix flake update --commit-lock-file homepage
+
+
+## Cleanup
+
+Collect garbage (run with sudo to collect root garbage)
+
+    nix-collect-garbage -d
+
+
+## Submodule management
+
+Trivionomicon

    git subtree push --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
-
-
-### Pull:
-
    git subtree pull --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+
+## About
+This is a unification of my old configs, which had a combined 506 commits.
--- a/flake.lock
+++ b/flake.lock
@ -1,8 +1,112 @@
 {
  "nodes": {
+    "authentik-nix": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pyproject-build-systems": "pyproject-build-systems",
+        "pyproject-nix": "pyproject-nix",
+        "systems": "systems",
+        "uv2nix": "uv2nix"
+      },
+      "locked": {
+        "lastModified": 1757676906,
+        "narHash": "sha256-2Zbde5orbGsYdzroe51P1AW8pFMCNyqHgLjmHYJvOmE=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "04db807ac00ba6d62808ffab18b3b6d500b6f7cb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1755873658,
+        "narHash": "sha256-5l1g55b0xozGg0NaZFimiO5JbHGcudaNSEn1/XsweaU=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "dd7c6b29d950664deadbcf5390272619a8bf9a5e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2025.8.1",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1754487366,
+        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": [
+          "authentik-nix",
+          "systems"
+        ]
      },
      "locked": {
        "lastModified": 1731533236,
@ -18,13 +122,249 @@
        "type": "github"
      }
    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "hm-isolation": {
+      "locked": {
+        "lastModified": 1675806557,
+        "narHash": "sha256-39NPKKwU7JflyDG9Cn36UPPelkcNATsrCaoazuIO5PA=",
+        "owner": "3442",
+        "repo": "hm-isolation",
+        "rev": "0b435299c3735231bf4faf1ea7de32d03f070056",
+        "type": "github"
+      },
+      "original": {
+        "owner": "3442",
+        "repo": "hm-isolation",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1757808926,
+        "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "f21d9167782c086a33ad53e2311854a8f13c281e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-25.05",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "homepage": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1758437709,
+        "narHash": "sha256-EyflOWOdq007z0P4JdzxAwPoZmuo33Rq/5opdcQ7miQ=",
+        "ref": "refs/heads/master",
+        "rev": "f0cecfa02d67e986cb3eaf537ec2f7007e1b9583",
+        "revCount": 68,
+        "type": "git",
+        "url": "https://git.posixlycorrect.com/fabian/homepage.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.posixlycorrect.com/fabian/homepage.git"
+      }
+    },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "mediawikiSkinCitizen": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724097552,
+        "narHash": "sha256-+o5FDWMrEqnva5qcdc45wAYyE2ZtUhEjygUGVt0HsaA=",
+        "owner": "StarCitizenTools",
+        "repo": "mediawiki-skins-Citizen",
+        "rev": "28cd4e18b52aed3270fe7b55bff4545c8314a687",
+        "type": "github"
+      },
+      "original": {
+        "owner": "StarCitizenTools",
+        "ref": "v2.27.0",
+        "repo": "mediawiki-skins-Citizen",
+        "type": "github"
+      }
+    },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725806412,
+        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
+        "owner": "willibutz",
+        "repo": "napalm",
+        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "willibutz",
+        "ref": "avoid-foldl-stack-overflow",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
+    "nixGL": {
+      "inputs": {
+        "flake-utils": "flake-utils_4",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1752054764,
+        "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=",
+        "owner": "guibou",
+        "repo": "nixGL",
+        "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "guibou",
+        "repo": "nixGL",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1754292888,
-        "narHash": "sha256-1ziydHSiDuSnaiPzCQh1mRFBsM2d2yRX9I+5OPGEmIE=",
+        "lastModified": 1746378225,
+        "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ce01daebf8489ba97bd1609d185ea276efdeb121",
+        "rev": "93e8cdce7afc64297cfec447c311470788131cd9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1753579242,
+        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1757810152,
+        "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "9a094440e02a699be5c57453a092a8baf569bdad",
        "type": "github"
      },
      "original": {
@ -34,13 +374,124 @@
        "type": "github"
      }
    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1757745802,
+        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nur": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1757879066,
+        "narHash": "sha256-EHZWQe3a04DvOlUR2j7LwGCaGqYTStYExpstYezfq3c=",
+        "owner": "nix-community",
+        "repo": "NUR",
+        "rev": "087c74cd9cc63e44dd20f1dcc5cdb4e5fddc9e14",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "NUR",
+        "type": "github"
+      }
+    },
+    "pyproject-build-systems": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "authentik-nix",
+          "uv2nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756087852,
+        "narHash": "sha256-4jc3JDQt75fYXFrglgqyzF6C6zLU0QGLymzian4aP+U=",
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "rev": "6edb3ae27395cd88be3d64b732d1539957dad59c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "type": "github"
+      }
+    },
+    "pyproject-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756395552,
+        "narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=",
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "rev": "030dffc235dcf240d918c651c78dc5f158067b51",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "authentik-nix": "authentik-nix",
+        "flake-utils": "flake-utils_2",
+        "hm-isolation": "hm-isolation",
+        "home-manager": "home-manager",
+        "homepage": "homepage",
+        "impermanence": "impermanence",
+        "mediawikiSkinCitizen": "mediawikiSkinCitizen",
+        "nixGL": "nixGL",
+        "nixpkgs": "nixpkgs_2",
+        "nur": "nur",
+        "trivionomicon": "trivionomicon",
+        "unstable": "unstable",
+        "vpsadminos": "vpsadminos"
      }
    },
    "systems": {
+      "locked": {
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "type": "github"
+      }
+    },
+    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -54,6 +505,124 @@
        "repo": "default",
        "type": "github"
      }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "trivionomicon": {
+      "inputs": {
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "path": "./trivionomicon",
+        "type": "path"
+      },
+      "original": {
+        "path": "./trivionomicon",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "unstable": {
+      "locked": {
+        "lastModified": 1757745802,
+        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "uv2nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756466761,
+        "narHash": "sha256-ALXRHIMXQ4qVNfCbcWykC23MjMwUoHn9BreoBfqmq0Y=",
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "rev": "0529e6d8227517205afcd1b37eee3088db745730",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "type": "github"
+      }
+    },
+    "vpsadminos": {
+      "locked": {
+        "lastModified": 1755964485,
+        "narHash": "sha256-+YzznL/mHiSjDFC8vJsSgQ+pvjhqWMsLRjegEKSNv/4=",
+        "owner": "vpsfreecz",
+        "repo": "vpsadminos",
+        "rev": "20f55b1d9bee4fdab62494d4471854d6586d3637",
+        "type": "github"
+      },
+      "original": {
+        "owner": "vpsfreecz",
+        "repo": "vpsadminos",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -1,218 +1,56 @@
 {
  inputs = {
-    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    home-manager = {
+      url = "github:nix-community/home-manager/release-25.05";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    trivionomicon = {
+      url = "./trivionomicon";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    homepage = {
+      url = "git+https://git.posixlycorrect.com/fabian/homepage.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    authentik-nix = {
+      url = "github:nix-community/authentik-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    mediawikiSkinCitizen = {
+      url = "github:StarCitizenTools/mediawiki-skins-Citizen/v2.27.0";
+      flake = false;
+    };
+
+    flake-utils.url = "github:numtide/flake-utils";
+    hm-isolation.url = "github:3442/hm-isolation";
+    impermanence.url = "github:nix-community/impermanence";
+    nixGL.url = "github:guibou/nixGL";
+    nur.url = "github:nix-community/NUR";
+    vpsadminos.url = "github:vpsfreecz/vpsadminos";
  };

-  outputs = {
-    self,
-    nixpkgs,
-    flake-utils,
-  }: let
-    mapOverlayOverride = namespace: overlay: final: prev: let
-      overlayPkgs = overlay final prev;
-    in
-      {
-        "${namespace}" = builtins.removeAttrs overlayPkgs ["override"];
-      }
-      // (overlayPkgs.override or {});
+  outputs = flakes:
+    flakes.trivionomicon.lib.mkSystemFlake {
+      inherit flakes;

-    doctrineNoPkgs = self.lib.mkDoctrine {
-      lib = nixpkgs.lib;
-      pkgs = null;
-    };
-  in
-    flake-utils.lib.eachDefaultSystem (system: let
-      pkgs = import nixpkgs {inherit system;};
-    in {
-      formatter = pkgs.alejandra;
+      system = "x86_64-linux";

-      packages =
-        (import nixpkgs {
-          inherit system;
-          overlays = [(mapOverlayOverride doctrineNoPkgs.prefix (import ./pkgs))];
-        }).${
-          doctrineNoPkgs.prefix
-        };
-    })
-    // {
-      templates = let
-        system-flake = {
-          path = ./templates/system-flake;
-          description = "Opinionated flake for a NixOS system with Home Manager";
-        };
-      in {
-        inherit system-flake;
+      paths = {
+        localOverlay = "pkgs";
+        nixpkgsConfig = "pkgs/config";

-        default = system-flake;
-      };
+        nixosSource = "sys";
+        nixosPlatforms = "sys/platforms";

-      overlays = let
-        overlay = mapOverlayOverride doctrineNoPkgs.prefix (import ./pkgs);
-      in {
-        default = overlay;
-        ${doctrineNoPkgs.prefix} = overlay;
-      };
-
-      homeManagerModules.default = ./modules;
-      nixosModules.default = ./modules;
-
-      lib = {
-        mkDoctrine = import ./doctrine;
-
-        mkSystemFlake = {
-          flakes,
-          system,
-          doctrinePrefix ? null,
-          formatter ? "alejandra",
-          paths ? {},
-        }: let
-          mkDoctrine = args:
-            self.lib.mkDoctrine
-            (args
-              // optionalAttrs (doctrinePrefix != null) {
-                prefix = doctrinePrefix;
-              });
-
-          doctrineNoPkgs = mkDoctrine {
-            lib = nixpkgs.lib;
-            pkgs = null;
-          };
-
-          optionalFlake = name:
-            if flakes ? "${name}"
-            then flakes.${name}
-            else null;
-
-          requireFlake = name:
-            if flakes ? "${name}"
-            then flakes.${name}
-            else throw "Required flake input '${name}' is missing";
-
-          nur = optionalFlake "nur";
-          nixpkgs = requireFlake "nixpkgs";
-          unstable = optionalFlake "unstable";
-
-          home-manager =
-            if hmSourcePath != null
-            then requireFlake "home-manager"
-            else null;
-
-          pathFromSelf = path: builtins.toPath "${flakes.self}" + "/${path}";
-
-          localOverlayPath = pathFromSelf paths.localOverlay;
-          nixpkgsConfigPath = pathFromSelf paths.nixpkgsConfig;
-          nixosSourcePath = pathFromSelf paths.nixosSource;
-          nixosPlatformsPath = pathFromSelf paths.nixosPlatforms;
-          hmSourcePath = pathFromSelf paths.hmSource;
-          hmPlatformsPath = pathFromSelf paths.hmPlatforms;
-
-          pkgs = importPkgs nixpkgs;
-
-          importPkgs = flake:
-            import flake ({
-                inherit system;
-
-                overlays = let
-                  conditions = [
-                    {
-                      overlay = nur.overlays.default;
-                      condition = nur != null;
-                    }
-                    # NB: Preserve the relative order
-                    {
-                      overlay = self.overlays.default;
-                      condition = true;
-                    }
-                    {
-                      overlay = flakes.self.overlays.default;
-                      condition = true;
-                    }
-                  ];
-                in
-                  builtins.map (cond: cond.overlay) (builtins.filter (cond: cond.condition) conditions);
-              }
-              // optionalAttrs (paths ? nixpkgsConfig) {
-                config = import nixpkgsConfigPath {inherit (nixpkgs) lib;};
-              });
-
-          inherit (pkgs) lib;
-          inherit (nixpkgs.lib) optionalAttrs; # Prevents infinite recursion
-          inherit (doctrineNoPkgs) prefix;
-          inherit (doctrineNoPkgs.lib) importAll;
-        in
-          {
-            formatter.${system} =
-              if formatter == "alejandra"
-              then pkgs.alejandra
-              else if formatter == "nixpkgs-fmt"
-              then pkgs.nixpkgs-fmt
-              else throw "Unknown formatter: '${formatter}'";
-
-            packages.${system} = pkgs.${prefix};
-
-            overlays.default = final: prev: let
-              overlay = final: prev:
-                if paths ? localOverlay
-                then import localOverlayPath {inherit final prev flakes;}
-                else {};
-            in
-              mapOverlayOverride prefix overlay final prev
-              // optionalAttrs (unstable != null) {
-                unstable = importPkgs unstable;
-              };
-          }
-          // optionalAttrs (paths ? nixosSource) {
-            nixosConfigurations = let
-              nixosSystem = {modules}:
-                lib.makeOverridable nixpkgs.lib.nixosSystem {
-                  inherit modules pkgs system;
-
-                  specialArgs = {
-                    inherit flakes;
-
-                    doctrine = mkDoctrine {
-                      inherit pkgs;
-                      namespace = "sys";
-                    };
-                  };
-                };
-
-              hostConfig = platform:
-                nixosSystem {
-                  modules = [
-                    self.nixosModules.default
-                    nixosSourcePath
-                    platform
-                  ];
-                };
-            in
-              lib.mapAttrs (_: hostConfig) (importAll {root = nixosPlatformsPath;});
-          }
-          // optionalAttrs (paths ? hmSource) {
-            homeConfigurations = let
-              home = name: platform:
-                home-manager.lib.homeManagerConfiguration {
-                  inherit pkgs;
-
-                  extraSpecialArgs = {
-                    inherit flakes;
-
-                    doctrine = mkDoctrine {
-                      inherit pkgs;
-                      namespace = "hm";
-                    };
-                  };
-
-                  modules = [
-                    self.homeManagerModules.default
-                    hmSourcePath
-                    platform
-                  ];
-                };
-            in
-              lib.mapAttrs home (importAll {root = hmPlatformsPath;});
-          };
+        hmSource = "home";
+        hmPlatforms = "home/platforms";
      };
    };
 }
--- a/home/default.nix
+++ b/home/default.nix
@ -0,0 +1,14 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [
+    ./modules
+    flakes.trivionomicon.homeManagerModules.default
+    flakes.hm-isolation.homeManagerModule
+  ];
+}
--- a/home/modules/accounts.nix
+++ b/home/modules/accounts.nix
@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.accounts;
+in {
+  options.local.services.accounts.enable = mkEnableOption "accounts settings";
+  config = mkIf cfg.enable {
+    accounts.email.accounts = {
+      "fabian@posixlycorrect.com" = {
+        address = "fabian@posixlycorrect.com";
+        userName = "fabianmontero@fastmail.com";
+        realName = "fabian";
+        primary = true;
+        flavor = "fastmail.com";
+      };
+    };
+  };
+}
--- a/home/modules/baseline.nix
+++ b/home/modules/baseline.nix
@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  ...
+}:
+with lib; let
+  cfg = config.local.baseline;
+in {
+  options.local.baseline = {
+    enable = mkEnableOption "Basic home settings";
+  };
+  config = mkIf cfg.enable {
+    programs.home-manager.enable = true;
+
+    nix.registry = {
+      "system".to = {
+        type = "path";
+        path = "/home/fabian/nix";
+      };
+
+      "nixpkgs".flake = flakes.nixpkgs;
+      "unstable".flake = flakes.unstable;
+    };
+
+    xdg = {
+      enable = true;
+    };
+
+    home = {
+      stateVersion = "24.05"; # DO NOT CHANGE
+
+      username = "fabian";
+      homeDirectory = "/home/fabian";
+
+      packages = with pkgs; [
+        calc
+        dysk
+        fd
+        file
+        fzf
+        gcc
+        htop
+        killall
+        man-pages
+        man-pages-posix
+        nmap
+        pv
+        ripgrep
+        tree
+        units
+        unzip
+        vim
+        wl-clipboard
+        zip
+        zoxide
+      ];
+      keyboard = {
+        layout = "us";
+        variant = "altgr-intl";
+      };
+      sessionVariables = {
+        "EDITOR" = mkDefault "vim";
+      };
+    };
+
+    programs.git = {
+      enable = true;
+      userEmail = "fabian@posixlycorrect.com";
+      userName = "Fabian Montero";
+    };
+
+    local = {
+      services = {
+        zsh.enable = true;
+      };
+      programs = {
+        neovim.enable = true;
+      };
+    };
+  };
+}
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./terminal.nix
+    ./neovim.nix
+    ./baseline.nix
+    ./gaming.nix
+    ./yubikey.nix
+    ./firefox.nix
+    ./gui
+    ./zsh
+    ./gpg.nix
+    ./defaultDesktopPack.nix
+    ./accounts.nix
+    ./syncthing.nix
+    ./mapping.nix
+    ./zed.nix
+    ./pass.nix
+    ./halloy.nix
+  ];
+}
--- a/home/modules/defaultDesktopPack.nix
+++ b/home/modules/defaultDesktopPack.nix
@ -0,0 +1,64 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.defaultDesktopPack;
+in {
+  options.local.defaultDesktopPack = {
+    enable = mkEnableOption "common desktop programs and services";
+    laptop = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      calibre
+      chromium
+      discord
+      (gajim.override {
+        enableSecrets = true;
+        enableUPnP = true;
+        enableAppIndicator = true;
+        enableE2E = true;
+        enableRST = true;
+      })
+      libreoffice-fresh
+      mpv
+      obs-studio
+      pavucontrol
+      pdfarranger
+      qimgv
+      qpdfview
+      qbittorrent
+      runelite
+      spotify
+      tdesktop
+      thunderbird
+      usbutils
+      vpsfree-client
+      vscodium-fhs
+      zola
+    ];
+
+    local = {
+      baseline.enable = true;
+
+      services = {
+        gpg.enable = true;
+        accounts.enable = true;
+        pass.enable = true;
+        syncthing.enable = true;
+      };
+      programs = {
+        firefox.enable = true;
+        zed.enable = true;
+        halloy.enable = true;
+        terminal.enable = true;
+      };
+    };
+  };
+}
--- a/home/modules/firefox.nix
+++ b/home/modules/firefox.nix
@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.firefox;
+in {
+  options.local.programs.firefox = {
+    enable = mkEnableOption "firefox";
+  };
+
+  config = mkIf cfg.enable {
+    programs.firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        nativeMessagingHosts = [pkgs.passff-host];
+      };
+    };
+
+    xdg = {
+      mimeApps = {
+        enable = true;
+        defaultApplications = {
+          "text/html" = ["firefox.desktop"];
+          "text/uri-list" = ["firefox.desktop"];
+          "x-scheme-handler/http" = ["firefox.desktop"];
+          "x-scheme-handler/https" = ["firefox.desktop"];
+          "x-scheme-handler/about" = ["firefox.desktop"];
+          "x-scheme-handler/unknown" = ["firefox.desktop"];
+        };
+      };
+    };
+    home.sessionVariables.DEFAULT_BROWSER = "${lib.getExe pkgs.firefox}";
+  };
+}
--- a/home/modules/gaming.nix
+++ b/home/modules/gaming.nix
@ -0,0 +1,20 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.gaming;
+in {
+  options.local.programs.gaming = {
+    enable = mkEnableOption "gaming apps";
+  };
+  config = mkIf cfg.enable {
+    home.packages = [
+      pkgs.lutris
+      pkgs.openrct2
+      pkgs.prismlauncher
+    ];
+  };
+}
--- a/home/modules/gpg.nix
+++ b/home/modules/gpg.nix
@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.gpg;
+in {
+  options.local.services.gpg = {
+    enable = mkEnableOption "gpg settings";
+    defaultKey = mkOption {
+      type = types.str;
+      description = "fingerprint of default public key to be used in gpg, git, email, etc.";
+      example = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+    };
+  };
+  config = mkIf cfg.enable {
+    programs.gpg = {
+      enable = true;
+      settings = {
+        default-key = config.local.services.gpg.defaultKey;
+      };
+    };
+
+    services.gpg-agent = {
+      enable = true;
+
+      enableZshIntegration = true;
+      enableBashIntegration = true;
+
+      enableExtraSocket = true;
+      enableSshSupport = true;
+
+      defaultCacheTtl = 3600 * 3;
+      defaultCacheTtlSsh = 3600 * 3;
+
+      maxCacheTtl = 3600 * 6;
+      maxCacheTtlSsh = 3600 * 6;
+
+      pinentry.package = pkgs.pinentry-emacs;
+    };
+
+    accounts.email.accounts = {
+      "fabian@posixlycorrect.com" = {
+        gpg = {
+          encryptByDefault = true;
+          signByDefault = true;
+          key = config.local.services.gpg.defaultKey;
+        };
+      };
+    };
+
+    programs.git = {
+      signing = {
+        key = config.local.services.gpg.defaultKey;
+        signByDefault = true;
+      };
+    };
+  };
+}
--- a/home/modules/gui/default.nix
+++ b/home/modules/gui/default.nix
@ -0,0 +1,70 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.local.gui;
+  monitorType = {setName}: (
+    types.submodule ({name ? null, ...}: {
+      options = {
+        width = mkOption {
+          type = types.str;
+          default = "1920";
+          example = "1920";
+        };
+        height = mkOption {
+          type = types.str;
+          default = "1080";
+          example = "1080";
+        };
+        rate = mkOption {
+          type = types.str;
+          description = "refresh rate";
+          example = "143.85";
+        };
+        posX = mkOption {
+          type = types.str;
+          description = "x axis position";
+          default = "0";
+          example = "0";
+        };
+        posY = mkOption {
+          type = types.str;
+          description = "y axis position";
+          default = "0";
+          example = "0";
+        };
+      };
+    })
+  );
+in {
+  options.local.gui = {
+    enable = mkEnableOption "GUI settings";
+    monitors = mkOption {
+      type = types.attrsOf (monitorType {setName = true;});
+    };
+  };
+
+  imports = [
+    ./fonts.nix
+    ./theme.nix
+    ./sway.nix
+    ./waybar.nix
+    ./mako.nix
+  ];
+
+  config = mkIf cfg.enable {
+    xdg = {
+      enable = true;
+      mimeApps = {
+        enable = true;
+        defaultApplications = {
+          "application/pdf" = with pkgs; ["qpdfview.desktop"];
+          "x-scheme-handler/file" = with pkgs; ["foot.desktop"];
+        };
+      };
+    };
+  };
+}
--- a/home/modules/gui/fonts.nix
+++ b/home/modules/gui/fonts.nix
@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  fonts.fontconfig = {
+    enable = true;
+    defaultFonts = {
+      monospace = [
+        "JetBrainsMono Nerd Font"
+        "Noto Sans Mono CJK SC"
+        "Noto Sans Mono"
+        "Noto Color Emoji"
+      ];
+      sansSerif = [
+        "Noto Sans"
+        "Noto Sans CJK SC"
+        "Noto Color Emoji"
+      ];
+      serif = [
+        "Noto Serif"
+        "Noto Serif CJK SC"
+        "Noto Color Emoji"
+      ];
+      emoji = ["Noto Color Emoji"];
+    };
+  };
+
+  # this is probably not necessary since they are already installed in sys
+  # with fonts.packages buy im too lazy to check
+  home.packages = with pkgs; [
+    jetbrains-mono
+    nerd-fonts.jetbrains-mono
+    noto-fonts
+    noto-fonts-cjk-sans
+    noto-fonts-emoji
+    noto-fonts-extra
+  ];
+}
--- a/home/modules/gui/mako.nix
+++ b/home/modules/gui/mako.nix
@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.gui;
+in {
+  config = mkIf cfg.enable {
+    services.mako = {
+      enable = true;
+      settings = {
+        actions = true;
+        anchor = "top-right";
+        background-color = "#000000";
+        border-color = "#000000";
+        progress-color = "over #FFFFFF";
+        border-radius = 0;
+        default-timeout = 7000;
+        font = "JetBrainsMono Nerd Font 10";
+        icons = true;
+        ignore-timeout = false;
+        layer = "top";
+      };
+    };
+  };
+}
--- a/home/modules/gui/sway.nix
+++ b/home/modules/gui/sway.nix
@ -0,0 +1,189 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.gui;
+in {
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      wlr-randr
+      bemenu
+    ];
+
+    home.sessionVariables = {
+      "BEMENU_BACKEND" = "wayland";
+    };
+
+    services = {
+      swayidle = {
+        enable = true;
+        timeouts = [
+          {
+            timeout = 600;
+            command = "${getExe pkgs.gtklock} -d";
+          }
+        ];
+      };
+    };
+
+    systemd.user.services.wl-gammarelay-rs = {
+      Unit.After = ["sway-session.target"];
+      Install.WantedBy = ["sway-session.target"];
+
+      Service.ExecStart = getExe pkgs.wl-gammarelay-rs;
+    };
+
+    wayland.windowManager.sway = {
+      enable = true;
+
+      config = {
+        output =
+          lib.mapAttrs (k: v: {
+            mode = "${toString v.width}x${toString v.height}@${v.rate}Hz";
+            pos = "${toString v.posX} ${toString v.posY}";
+          })
+          cfg.monitors;
+
+        modifier = "Mod4";
+
+        focus = {
+          followMouse = true;
+          wrapping = "workspace";
+        };
+
+        input = {
+          "*" = {
+            xkb_layout = "us";
+            xkb_variant = "altgr-intl";
+          };
+        };
+
+        fonts = {
+          names = ["JetBrainsMono Nerd Font"];
+          style = "Regular";
+          size = 8.0;
+        };
+
+        gaps = {
+          inner = 8;
+          outer = -10;
+          smartBorders = "on";
+          smartGaps = true;
+        };
+
+        bars = singleton {
+          command = "waybar";
+          position = "top";
+        };
+
+        window = {
+          hideEdgeBorders = "both";
+          titlebar = false;
+          border = 2;
+        };
+
+        floating = {
+          border = 0;
+          titlebar = false;
+        };
+
+        menu = "bemenu-run";
+
+        workspaceLayout = "tabbed";
+
+        colors = {
+          background = "#141414";
+          focused = {
+            border = "#444444";
+            background = "#000000";
+            text = "#eaeaea";
+            indicator = "#000000";
+            childBorder = "#000000";
+          };
+          focusedInactive = {
+            border = "#000000";
+            background = "#000000";
+            text = "#eaeaea";
+            indicator = "#000000";
+            childBorder = "#000000";
+          };
+          unfocused = {
+            border = "#000000";
+            background = "#000000";
+            text = "#eaeaea";
+            indicator = "#000000";
+            childBorder = "#000000";
+          };
+          urgent = {
+            border = "#ff6666";
+            background = "#ff6666";
+            text = "#eaeaea";
+            indicator = "#ff6666";
+            childBorder = "#ff6666";
+          };
+          placeholder = {
+            border = "#000000";
+            background = "#000000";
+            text = "#eaeaea";
+            indicator = "#000000";
+            childBorder = "#000000";
+          };
+        };
+
+        keybindings = let
+          mod = config.wayland.windowManager.sway.config.modifier;
+          grimshot = getExe pkgs.sway-contrib.grimshot;
+          bemenuCommand = ''bemenu-run --center --width-factor 0.2 --fixed-height --list 10 --scrollbar none --auto-select --accept-single --fn "JetBrainsMono Nerd Font 12" --prompt "" --tb "#000000" --tf "#EAEAEA" --fb "#000000" --ff "#EAEAEA" --cb "#EAEAEA" --cf "#000000" --nb "#000000" --nf "#EAEAEA" --sb "#000000" --sf "#EAEAEA" --hb "#000000" --hf "#EAEAEA" --fbb "#000000" --fbf "#000000" --ab "#000000" --af "#EAEAEA"'';
+        in
+          mkOptionDefault {
+            "${mod}+a" = "focus parent";
+            "${mod}+c" = "focus child";
+            "${mod}+d" = "exec ${bemenuCommand}";
+            "${mod}+l" = "exec ${getExe pkgs.gtklock} -d";
+            "${mod}+Return" = "exec ${lib.getExe pkgs.foot} ${lib.getExe pkgs.tmux}";
+            "${mod}+Shift+s" = "exec ${grimshot} copy area";
+            "${mod}+Shift+a" = "exec ${grimshot} copy output";
+            "${mod}+Tab" = "focus right";
+            "${mod}+Shift+Tab" = "focus left";
+            "${mod}+Shift+w" = "move workspace to output right";
+          };
+
+        startup = [
+          {
+            command = "${lib.getExe pkgs.sway} 'workspace 1; exec ${lib.getExe pkgs.firefox}'";
+          }
+          {
+            command = "${lib.getExe pkgs.sway} 'workspace 2; exec ${lib.getExe pkgs.tdesktop}'";
+          }
+          {
+            command = "${lib.getExe pkgs.sway} 'workspace 2; exec ${lib.getExe pkgs.gajim}'";
+          }
+          {
+            command = "${lib.getExe pkgs.swaybg} -m fill -i ${config.home.homeDirectory}/Pictures/wallpapers/jupiter.png";
+            always = true;
+          }
+          {
+            command = "${lib.getExe pkgs.networkmanagerapplet}";
+          }
+        ];
+      };
+
+      extraSessionCommands = ''
+        export SDL_VIDEODRIVER=wayland
+        # needs qt5.qtwayland in systemPackages
+        export QT_QPA_PLATFORM=wayland
+        export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+        # Fix for some Java AWT applications (e.g. Android Studio),
+        # use this if they aren't displayed properly:
+        export _JAVA_AWT_WM_NONREPARENTING=1
+      '';
+
+      swaynag.enable = true;
+      systemd.enable = true;
+      xwayland = true;
+    };
+  };
+}
--- a/home/modules/gui/theme.nix
+++ b/home/modules/gui/theme.nix
@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  gtk = {
+    enable = true;
+
+    iconTheme = {
+      name = "Papirus-Dark";
+      package = pkgs.papirus-icon-theme;
+    };
+    theme = {
+      package = pkgs.materia-theme;
+      name = "Materia-dark";
+    };
+
+    gtk2.extraConfig = ''
+      gtk-toolbar-style=GTK_TOOLBAR_BOTH_HORIZ
+      gtk-menu-images=1
+      gtk-button-images=1
+    '';
+
+    gtk3.extraConfig = {
+      gtk-application-prefer-dark-theme = 1;
+    };
+    gtk4.extraConfig = {
+      gtk-application-prefer-dark-theme = 1;
+    };
+  };
+
+  home.sessionVariables = {
+    # Use gtk in jvm apps
+    _JAVA_OPTIONS = concatStringsSep " " [
+      "-Dawt.useSystemAAFontSettings=on"
+      "-Dswing.aatext=true"
+      "-Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel"
+      "-Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel"
+    ];
+  };
+}
--- a/home/modules/gui/waybar.nix
+++ b/home/modules/gui/waybar.nix
@ -0,0 +1,199 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.gui;
+  laptop = config.local.defaultDesktopPack.laptop;
+in {
+  config = mkIf cfg.enable {
+    programs.waybar = {
+      enable = true;
+      settings = {
+        mainBar = {
+          layer = "top";
+          position = "top";
+          height = 20;
+          spacing = 0;
+
+          modules-left = [
+            "sway/workspaces"
+            "sway/mode"
+          ];
+          modules-center = [
+            "clock"
+          ];
+
+          modules-right = [
+            "keyboard-state"
+            "privacy"
+            "cpu"
+            "memory"
+            "disk"
+            "temperature"
+            "tray"
+          ]
+          ++ lists.optionals laptop [
+            "battery"
+          ];
+          battery = mkIf laptop {
+            format = "{capacity}% {icon}";
+            format-plugged = "{capacity}% 󱐥{icon}";
+            format-icons = [ "󰂃" "󰁺" "󰁻" "󰁼" "󰁽" "󰁾" "󰁿" "󰂀" "󰂁" "󰂂" "󰁹" ];
+            states = {
+              warning = 20;
+              critical = 10;
+            };
+          };
+          keyboard-state = {
+            capslock = true;
+            format.capslock = "{icon}";
+            format-icons = {
+              locked = "󰘲 ";
+              unlocked = "";
+            };
+          };
+          tray = {
+            icon-size = 13;
+            spacing = 8;
+          };
+          clock = {
+            interval = 60;
+            format = "{:%A %B %d %Y %H:%M}";
+            tooltip = false;
+          };
+          cpu = {
+            format = " {usage}%";
+            tooltip = false;
+          };
+          memory = {
+            format = " {percentage}% ";
+            tooltip = true;
+            tooltip-format = "{used}/{total}";
+          };
+          disk = {
+            format = " {specific_used:0.0f}/{specific_total:0.0f}";
+            unit = "GiB";
+            tooltip = false;
+          };
+          privacy = {
+            icon-size = 12;
+          };
+        };
+      };
+      style = ''
+        * {
+          font-family: "JetBrainsMono Nerd Font", monospace;
+          font-size: 12px;
+          font-weight: 500;
+          border: none;
+          box-shadow: none;
+        }
+
+        /* Entire bar: fully transparent, no border */
+        window#waybar {
+          background: transparent;
+          color: #eaeaea;
+          margin: 0;
+          padding: 0;
+        }
+
+        /* Optional: small edge breathing room (comment out if you want edge-to-edge) */
+        /* window#waybar { margin: 3px 6px 0 6px; } */
+
+        /* Module containers */
+        .modules-left, .modules-center, .modules-right {
+          padding: 0;
+          margin: 0 6px;
+        }
+
+        /* Subtle separators between modules (no boxes) */
+        .modules-left > widget:not(:first-child),
+        .modules-center > widget:not(:first-child),
+        .modules-right > widget:not(:first-child) {
+          margin-left: 12px;
+          padding-left: 12px;
+          border-left: 1px solid rgba(255, 255, 255, 0.08);
+        }
+
+        /* Tightest possible workspaces */
+        #workspaces { padding: 0; margin: 0; }
+        #workspaces button {
+          margin: 0;
+          padding: 0 3px;
+          min-width: 0;
+          border-radius: 0;
+          background: transparent;
+          color: #cfcfcf;
+        }
+        #workspaces button:hover {
+          background: rgba(255, 255, 255, 0.06);
+        }
+        #workspaces button.active,
+        #workspaces button.focused {
+          background: rgba(255, 255, 255, 0.10);
+          color: #ffffff;
+          box-shadow: inset 0 -2px #ffffff;
+        }
+        #workspaces button.urgent {
+          background: rgba(255, 80, 80, 0.25);
+          box-shadow: inset 0 -2px #ff5050;
+        }
+
+        /* Focused window title: single line, no glow */
+        #window {
+          padding: 0 6px;
+          margin: 0;
+          color: #dedede;
+        }
+
+        /* Sway mode indicator: visible only when active, no bloat */
+        #mode {
+          padding: 0 6px;
+          margin: 0;
+          background: rgba(255, 255, 255, 0.10);
+          color: #ffffff;
+          box-shadow: inset 0 -2px #ffffff;
+        }
+
+        /* Status modules — keep them flat and compact */
+        #clock, #battery, #network, #pulseaudio, #backlight, #cpu, #memory, #temperature, #tray {
+          padding: 0 6px;
+          margin: 0;
+          background: transparent;
+          color: #eaeaea;
+        }
+
+        /* States (battery, network, audio) */
+        #battery.charging { color: #27f902; }
+        #battery.warning:not(.charging) { color: #fc8b02; }
+        #battery.critical:not(.charging) { color: #fc0000; }
+
+        #network.disconnected { color: #ffb4b4; }
+        #pulseaudio.muted    { color: #9aa0a6; }
+
+        /* Tray: compress icons */
+        #tray > .passive { opacity: 0.6; }
+        #tray > .needs-attention { opacity: 1; }
+
+        /* Tooltips: clean and readable */
+        tooltip {
+          background: rgba(30, 30, 30, 0.95);
+          border: 1px solid rgba(255, 255, 255, 0.08);
+          color: #eaeaea;
+          padding: 6px 8px;
+        }
+
+        /* Remove any leftover borders around everything */
+        #custom-*, #idle_inhibitor, #privacy, #bluetooth {
+          border: none;
+          background: transparent;
+          margin: 0;
+          padding: 0 6px;
+        }
+      '';
+    };
+  };
+}
--- a/home/modules/halloy.nix
+++ b/home/modules/halloy.nix
@ -0,0 +1,114 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.halloy;
+in {
+  options.local.programs.halloy = {
+    enable = mkEnableOption "halloy irc client";
+  };
+  config = mkIf cfg.enable {
+    programs.halloy = {
+      enable = true;
+      settings = {
+        theme = "macawCustom";
+        font.size = 16;
+        preview.enabled = false;
+        sidebar = {
+          buffer_action = "replace-pane";
+          focused_buffer_action = "close-pane";
+        };
+        buffer = {
+          channel.topic = {
+            enabled = true;
+          };
+          chathistory.infinite_scroll = true;
+          server_messages = {
+            join.exclude = ["*"];
+            quit.exclude = ["*"];
+          };
+        };
+
+        servers.liberachat = {
+          nickname = "posixlycorrect";
+          nick_password_command = "pass show liberachat_irc";
+
+          username = "fabiansoju/irc.libera.chat";
+          password_command = "pass show soju";
+
+          server = "soju.posixlycorrect.com";
+          port = 6697;
+          chathistory = true;
+          channels = [
+            "##chat"
+            "##politics"
+            "##rust"
+            "#datahoarder"
+            "#git"
+            "#indieweb"
+            "#indieweb-dev"
+            "#linux"
+            "#lobsters"
+            "#nixos"
+            "#OSRS"
+            "#soju"
+          ];
+        };
+      };
+      themes = {
+        macawCustom = {
+          general = {
+            background = "#333333";
+            border = "#505050";
+            horizontal_rule = "#333333";
+            unread_indicator = "#2884FC";
+          };
+
+          text = {
+            primary = "#DFDFDF";
+            secondary = "#C2C2C2";
+            tertiary = "#8839EF";
+            success = "#959595";
+            error = "#959595";
+          };
+
+          buffer = {
+            action = "#959595";
+            background = "#1E1E1E";
+            background_text_input = "#2E2E2E";
+            background_title_bar = "#2E2E2E";
+            border = "#1A1A1A";
+            border_selected = "#1A1A1A";
+            code = "#7287FD";
+            highlight = "#454645";
+            nickname = "#00C8FF";
+            selection = "#777777";
+            timestamp = "#959595";
+            topic = "#DFDFDF";
+            url = "#2884FC";
+            buffer.server_messages = {
+              default = "#959595";
+            };
+          };
+
+          buttons.primary = {
+            background = "#00000000";
+            background_hover = "#484848";
+            background_selected = "#4A4A4A";
+            background_selected_hover = "#666666";
+          };
+
+          buttons.secondary = {
+            background = "#3B3B3B";
+            background_hover = "#484848";
+            background_selected = "#646464";
+            background_selected_hover = "#666666";
+          };
+        };
+      };
+    };
+  };
+}
--- a/home/modules/mapping.nix
+++ b/home/modules/mapping.nix
@ -0,0 +1,19 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.mapping;
+in {
+  options.local.programs.mapping = {
+    enable = mkEnableOption "mapping apps";
+  };
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      qgis
+      openorienteering-mapper
+    ];
+  };
+}
--- a/home/modules/neovim.nix
+++ b/home/modules/neovim.nix
@ -0,0 +1,109 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.neovim;
+in {
+  options.local.programs.neovim = {
+    enable = mkEnableOption "Neovim settings";
+  };
+  config = mkIf cfg.enable {
+    programs.neovim = {
+      enable = true;
+      viAlias = true;
+      vimAlias = true;
+      defaultEditor = true;
+
+      extraConfig = ''
+        set nobackup
+        set showmatch               " show matching
+        set hlsearch                " highlight search
+        set incsearch               " incremental search
+        set tabstop=4               " number of columns occupied by a tab
+        set softtabstop=4           " see multiple spaces as tabstops so <BS> does the right thing
+        set shiftwidth=4            " width for autoindents
+        set autoindent              " indent a new line the same amount as the line just typed
+        set number                  " add line numbers
+        set wildmode=longest,list   " get bash-like tab completions
+        set cc=80                   " set an 80 column border for good coding style
+        filetype plugin indent on   " allow auto-indenting depending on file type
+        syntax on                   " syntax highlighting
+        set mouse=a                 " enable mouse click
+        set clipboard=unnamedplus   " using system clipboard
+        filetype plugin on
+        set cursorline              " highlight current cursorline
+        set ttyfast                 " Speed up scrolling in Vim
+        set noswapfile              " disable creating swap file
+      '';
+
+      plugins = with pkgs.vimPlugins; [
+        barbar-nvim
+        nvim-web-devicons
+        vim-nix
+        vim-visual-multi
+        {
+          plugin = nvim-tree-lua;
+          type = "lua";
+          config = ''
+            require("nvim-tree").setup({
+              renderer = {
+                icons = {
+                  show = {
+                    file = true,
+                    folder = true,
+                    folder_arrow = true,
+                    git = true,
+                  },
+                  glyphs = {
+                    git = {
+                      unstaged = "",
+                      staged = "",
+                      unmerged = "",
+                      renamed = "",
+                      untracked = "",
+                      deleted = "",
+                      ignored = "",
+                    },
+                  },
+                },
+              },
+              view = {
+                width = 30,
+                side = 'left',
+              },
+              sync_root_with_cwd = true, --fix to open cwd with tree
+              respect_buf_cwd = true,
+              update_cwd = true,
+              update_focused_file = {
+                enable = true,
+                update_cwd = true,
+                update_root = true,
+              },
+            })
+
+            vim.g.nvim_tree_respect_buf_cwd = 1
+
+            -- use g? for bindings help while in tree
+          '';
+        }
+        {
+          plugin = gruvbox-nvim;
+          type = "lua";
+          config = ''
+            require("gruvbox").setup({
+              contrast = "high",
+            })
+            vim.o.background = "dark"
+            vim.cmd([[colorscheme gruvbox]])
+          '';
+        }
+      ];
+    };
+    home.sessionVariables = {
+      "EDITOR" = mkForce "neovim";
+    };
+  };
+}
--- a/home/modules/pass.nix
+++ b/home/modules/pass.nix
@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.pass;
+in {
+  options.local.services.pass = {
+    enable = mkEnableOption "pass settings";
+  };
+  config = mkIf cfg.enable {
+    programs.password-store = {
+      enable = true;
+      package = pkgs.pass.withExtensions (exts:
+        with exts; [
+          pass-audit
+          pass-genphrase
+          pass-otp
+          pass-tomb
+          pass-update
+        ]);
+
+      settings = {
+        PASSWORD_STORE_DIR = "${config.home.homeDirectory}/safe/trust";
+      };
+    };
+  };
+}
--- a/home/modules/syncthing.nix
+++ b/home/modules/syncthing.nix
@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.syncthing;
+in {
+  options.local.services.syncthing = {
+    enable = mkEnableOption "syncthing settings";
+  };
+
+  config = mkIf cfg.enable {
+    services.syncthing = {
+      enable = true;
+      tray.enable = true;
+    };
+  };
+}
--- a/home/modules/terminal.nix
+++ b/home/modules/terminal.nix
@ -0,0 +1,125 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.terminal;
+in {
+  options.local.programs.terminal = {
+    enable = mkEnableOption "terminal emulator settings";
+  };
+  config = mkIf cfg.enable {
+    programs = {
+      foot = {
+        enable = true;
+        settings = {
+          main = {
+            term = "xterm-256color";
+            font = "JetBrainsMono Nerd Font:style=Medium:size=15";
+            font-bold = "JetBrainsMono Nerd Font:style=Bold:size=15";
+            font-italic = "JetBrainsMono Nerd Font:style=Italic:size=15";
+            font-bold-italic = "JetBrainsMono Nerd Font:style=Bold Italic:size=15";
+            dpi-aware = "yes";
+            initial-window-size-pixels = "1200x600";
+          };
+
+          cursor = {
+            style = "block";
+            blink = "yes";
+          };
+
+          colors = {
+            background = "000000";
+            regular0 = "616161";
+            regular1 = "ff4d51";
+            regular2 = "35d450";
+            regular3 = "e9e836";
+            regular4 = "5dc5f8";
+            regular5 = "feabf2";
+            regular6 = "24dfc4";
+            regular7 = "ffffff";
+          };
+
+          bell = {
+            system = "no";
+            urgent = "no";
+            notify = "no";
+            visual = "no";
+            command-focused = "no";
+          };
+
+          mouse = {
+            hide-when-typing = "no";
+          };
+
+          key-bindings = {
+            clipboard-copy = "Control+Shift+c";
+            clipboard-paste = "Control+Shift+v";
+            font-increase = "Control+Shift+equal";
+            font-decrease = "Control+Shift+minus";
+            font-reset = "Control+Shift+BackSpace";
+          };
+
+          mouse-bindings = {
+            scrollback-up-mouse = "BTN_WHEEL_BACK";
+            scrollback-down-mouse = "BTN_WHEEL_FORWARD";
+            font-increase = "Control+BTN_WHEEL_BACK";
+            font-decrease = "Control+BTN_WHEEL_FORWARD";
+            select-begin = "BTN_LEFT";
+            select-begin-block = "Control+BTN_LEFT";
+            select-extend = "BTN_RIGHT";
+            select-extend-character-wise = "Control+BTN_RIGHT";
+            select-word = "BTN_LEFT-2";
+            select-word-whitespace = "Control+BTN_LEFT-2";
+            select-quote = " BTN_LEFT-3";
+            select-row = "BTN_LEFT-4";
+          };
+        };
+      };
+
+      tmux = {
+        enable = true;
+        aggressiveResize = true;
+        clock24 = true;
+        escapeTime = 10;
+        terminal = "xterm-256color";
+        keyMode = "emacs";
+        mouse = true;
+
+        extraConfig = ''
+          set -ga update-environment " LIFT_PID"
+          set -g set-titles on
+          set -g renumber-windows on
+          set -sa terminal-overrides ',xterm-termite:RGB'
+
+          set -g status-style bg=default,fg=colour250
+          set -g pane-border-style fg=colour236
+          set -g pane-active-border-style fg=colour240
+          set -g window-status-format " #I:#W "
+          set -g window-status-style bg=default,fg=colour244
+          set -g window-status-current-format " #I:#W "
+          set -g window-status-current-style bg=colour236,fg=white,bold
+          set -g status-position bottom
+          set -g status-left-length 20
+          set -g status-right-length 60
+          set -g status-left ""
+          set -g window-status-separator ""
+          set -g status-justify left
+        '';
+      };
+
+      fzf = {
+        enable = true;
+        enableZshIntegration = true;
+        tmux.enableShellIntegration = true;
+      };
+    };
+    home = {
+      sessionVariables = {
+        "TERMINAL" = "foot";
+      };
+    };
+  };
+}
--- a/home/modules/yubikey.nix
+++ b/home/modules/yubikey.nix
@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.yubikey;
+in {
+  options.local.services.yubikey = {
+    enable = mkEnableOption "Yubikey home settings";
+  };
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      yubikey-manager
+      yubico-pam
+      yubikey-personalization
+    ];
+  };
+}
--- a/home/modules/zed.nix
+++ b/home/modules/zed.nix
@ -0,0 +1,95 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.zed;
+in {
+  options.local.programs.zed = {
+    enable = mkEnableOption "zed editor settings";
+  };
+  config = mkIf cfg.enable {
+    programs.zed-editor = {
+      enable = true;
+      extensions = [
+        "nix"
+        "codebook"
+        "vscode-dark-high-contrast"
+        "catppuccin-icons"
+      ];
+      extraPackages = with pkgs; [
+        nixd
+      ];
+      userSettings = {
+        disable_ai = true;
+        theme = {
+          dark = "VSCode Dark High Contrast";
+          light = "VSCode Dark High Contrast";
+        };
+        icon_theme = {
+          dark = "Catppuccin Latte";
+          light = "Catppuccin Latte";
+        };
+        file_icons = true;
+        rulers = [80 120];
+        preferred_line_length = 120;
+        scroll_past_end = true;
+        cursor = {
+          blink_interval = 600;
+          smooth_scroll = true;
+        };
+        autosave = "on_focus_change";
+        auto_update = false;
+        buffer_font_family = "JetBrainsMono Nerd Font";
+        buffer_font_size = 22;
+        hide_mouse = "never";
+        minimap.show = "auto";
+        tabs = {
+          file_icons = true;
+          git_status = true;
+          activate_on_close = "neighbour";
+          show_close_button = "always";
+        };
+        toolbar = {
+          breadcrumbs = true;
+          quick_actions = true;
+          selections_menu = true;
+          agent_review = false;
+          code_actions = false;
+        };
+        format_on_save = "off";
+        use_autoclose = false;
+        git = {
+          git_gutter = "tracked_files";
+          inline_blame = {
+            enabled = true;
+            delay_ms = 5000;
+          };
+        };
+        indent_guides = {
+          enabled = true;
+          line_width = 1;
+          active_line_width = 1;
+          coloring = "fixed";
+          background_coloring = "disabled";
+        };
+        hour_format = "hour24";
+        remove_trailing_whitespace_on_save = false;
+        use_smartcase_search = true;
+        soft_wrap = "editor_width";
+        tab_size = 2;
+        telemetry = {
+          diagnostics = false;
+          metrics = false;
+        };
+        auto_fold_dirs = false;
+        scrollbar = {
+          show = "always";
+        };
+        unnecessary_code_fade = 0.0;
+      };
+    };
+  };
+}
--- a/home/modules/zsh/default.nix
+++ b/home/modules/zsh/default.nix
@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.zsh;
+in {
+  options.local.services.zsh = {
+    enable = mkEnableOption "zsh settings";
+    prompt = mkOption {
+      type = types.str;
+      description = "prompt for your terminal";
+      example = literalExpression "%B[%~] \${vcs_info_msg_0_}%b";
+      default = "%B[%~] \${vcs_info_msg_0_}%b";
+    };
+  };
+  config = mkIf cfg.enable {
+    programs.zsh = {
+      enable = true;
+      syntaxHighlighting.enable = true;
+      autosuggestion.enable = true;
+
+      history = {
+        append = true;
+        expireDuplicatesFirst = true;
+        ignoreAllDups = true;
+        ignoreSpace = true;
+      };
+
+      initContent = import ./zshrc.nix {inherit config lib pkgs;};
+    };
+  };
+}
--- a/home/modules/zsh/zshrc.nix
+++ b/home/modules/zsh/zshrc.nix
@ -0,0 +1,132 @@
+{
+  config,
+  lib,
+  pkgs,
+}: ''
+  # The following lines were added by compinstall
+
+  zstyle ':completion:*' auto-description 'specify: %d'
+  zstyle ':completion:*' completer _expand _complete _ignored _correct _approximate
+  zstyle ':completion:*' expand prefix suffix
+  zstyle ':completion:*' ignore-parents parent
+  zstyle ':completion:*' insert-unambiguous true
+  zstyle ':completion:*' list-colors ""
+  zstyle ':completion:*' list-prompt %SAt %p: Hit TAB for more, or the character to insert%s
+  zstyle ':completion:*' list-suffixes true
+  zstyle ':completion:*' matcher-list "" 'm:{[:lower:]}={[:upper:]} m:{[:lower:][:upper:]}={[:upper:][:lower:]}' 'r:|[._-]=** r:|=** l:|=*'
+  zstyle ':completion:*' menu select=1
+  zstyle ':completion:*' original true
+  zstyle ':completion:*' preserve-prefix '//[^/]##/'
+  zstyle ':completion:*' verbose true
+  zstyle :compinstall filename '/home/fabian/.zshrc'
+
+  autoload -Uz compinit
+  compinit
+  # End of lines added by compinstall
+  # Lines configured by zsh-newuser-install
+  HISTFILE=~/.histfile
+  HISTSIZE=1000
+  SAVEHIST=1000
+  setopt autocd extendedglob nomatch
+  unsetopt beep notify
+  bindkey -v
+  # End of lines configured by zsh-newuser-install
+
+  # Prompt
+  setopt prompt_subst
+  autoload -Uz vcs_info
+  precmd_vcs_info() { vcs_info }
+  precmd_functions+=( precmd_vcs_info )
+
+  zstyle ':vcs_info:*' disable bzr cdv darcs mtn svk tla cvs svn
+  zstyle ':vcs_info:*' enable git
+  zstyle ':vcs_info:git+set-message:*' hooks format_msg
+
+  function +vi-format_msg {
+  local branch=$(git branch --show-current)
+
+  if [[ -z "$branch" ]] ; then
+  	branch=$(git rev-parse --short HEAD)
+  fi
+
+  local color=""
+
+  if [[ -z $(git status --porcelain 2>/dev/null) ]];
+  then
+  	color="%F{blue}"
+  fi
+
+  if [[ $(git status --porcelain 2>/dev/null | grep "^A \|^M " | wc -l) > 0 ]];
+  	then
+  	color="%F{green}"
+  fi
+
+  if [[ $(git status --porcelain 2>/dev/null | grep "^??\|^AM\|^.D" | wc -l) > 0 ]]
+  then
+  	color="%F{red}"
+  fi
+
+  ret=1
+  hook_com[message]="$color($branch)%f "
+
+  return 0
+  }
+
+  PROMPT='${config.local.services.zsh.prompt}'
+
+  # Aliases and binds
+  alias ls='ls --color -F'
+  alias l='ls --color -FhAltr'
+  alias x='killall --ignore-case --user=$(whoami) --interactive'
+  alias tree='tree -CF'
+  alias nixoide="nix repl '<nixpkgs>'"
+  alias vps="ssh -A vps"
+  bindkey -e
+  bindkey "^[[1;5D" backward-word
+  bindkey "^[[1;5C" forward-word
+  bindkey "\e[3~" delete-char
+
+  function use() {
+    local pkg
+    pkg="$1"
+    shift
+    echo "nix shell nixpkgs#$pkg"
+    nix shell "nixpkgs#$pkg" "$@"
+  }
+
+  function unuse() {
+    local pkg
+    pkg="$1"
+    shift
+    echo "nix shell nixpkgs#$pkg --impure"
+    nix shell "nixpkgs#$pkg" "$@" --impure
+  }
+
+  function spawn () {
+    if [ ! -x "$(command -v $1)" ]
+      then
+         echo "spawn: no such program: $1" >&2
+         return 1
+     fi
+     $@ > /dev/null 0>&1 2>&1 &
+     disown
+  }
+
+  autoload -Uz up-line-or-beginning-search
+  zle -N up-line-or-beginning-search
+  autoload -Uz down-line-or-beginning-search
+  zle -N down-line-or-beginning-search
+  bindkey '\eOA' up-line-or-beginning-search
+  bindkey '\e[A' up-line-or-beginning-search
+  bindkey '\eOB' down-line-or-beginning-search
+  bindkey '\e[B' down-line-or-beginning-search
+
+  # Env
+  export TERM=xterm-256color
+  export EDITOR=nvim
+  export VISUAL=nvim
+  export PATH="$PATH:$HOME/.local/bin:$HOME/.cargo/bin"
+  export NIXPKGS_ALLOW_UNFREE=1
+
+  eval "$(fzf --zsh)"
+''
--- a/home/platforms/fabian@posixlycorrect/default.nix
+++ b/home/platforms/fabian@posixlycorrect/default.nix
@ -0,0 +1,52 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./systemd
+    ./isolation.nix
+  ];
+
+  local = {
+    defaultDesktopPack.enable = true;
+
+    services = {
+      gpg.defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+      yubikey.enable = true;
+    };
+
+    programs = {
+      gaming.enable = true;
+      mapping.enable = true;
+    };
+
+    gui = {
+      enable = true;
+      monitors = {
+        DP-1 = {
+          width = "1920";
+          height = "1080";
+          rate = "59.94";
+        };
+        DP-2 = {
+          width = "1920";
+          height = "1080";
+          rate = "143.855";
+          posX = "1920";
+        };
+      };
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+      darktable
+      gnucash
+      kdePackages.kdenlive
+      virt-manager
+    ];
+  };
+}
--- a/home/platforms/fabian@posixlycorrect/isolation.nix
+++ b/home/platforms/fabian@posixlycorrect/isolation.nix
@ -0,0 +1,22 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  home.isolation = {
+    enable = true;
+    btrfsSupport = true;
+    defaults = {
+      static = true;
+      bindHome = "home/";
+      persist = {
+        base = "shenvs";
+        btrfs = true;
+      };
+    };
+
+    modulesUnder = ./shenvs;
+  };
+}
--- a/home/platforms/fabian@posixlycorrect/shenvs/c.nix
+++ b/home/platforms/fabian@posixlycorrect/shenvs/c.nix
@ -0,0 +1,13 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    binutils
+    cmake
+    curl
+    gdb
+    gnumake
+    rustup
+    valgrind
+  ];
+}
--- a/home/platforms/fabian@posixlycorrect/shenvs/python.nix
+++ b/home/platforms/fabian@posixlycorrect/shenvs/python.nix
@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    pipenv
+    (python310.withPackages (packages:
+      with packages; [
+        setuptools
+      ]))
+  ];
+}
--- a/home/platforms/fabian@posixlycorrect/systemd/default.nix
+++ b/home/platforms/fabian@posixlycorrect/systemd/default.nix
@ -0,0 +1,10 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.user.tmpfiles.rules = [
+    "d %t/tmp 0700 fabian fabian 24h"
+  ];
+}
--- a/home/platforms/fabian@t14/default.nix
+++ b/home/platforms/fabian@t14/default.nix
@ -0,0 +1,45 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./systemd
+    ./isolation.nix
+  ];
+
+  local = {
+    defaultDesktopPack = {
+      enable = true;
+      laptop = true;
+    };
+
+    services = {
+      gpg.defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+      yubikey.enable = true;
+    };
+
+    programs = {
+      gaming.enable = true;
+      mapping.enable = true;
+    };
+
+    gui = {
+      enable = true;
+      monitors = {
+        eDP-1 = {
+          width = "1920";
+          height = "1080";
+          rate = "60.00";
+        };
+      };
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+    ];
+  };
+}
--- a/home/platforms/fabian@t14/isolation.nix
+++ b/home/platforms/fabian@t14/isolation.nix
@ -0,0 +1,22 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  home.isolation = {
+    enable = true;
+    btrfsSupport = true;
+    defaults = {
+      static = true;
+      bindHome = "home/";
+      persist = {
+        base = "shenvs";
+        btrfs = true;
+      };
+    };
+
+    modulesUnder = ./shenvs;
+  };
+}
--- a/home/platforms/fabian@t14/shenvs/c.nix
+++ b/home/platforms/fabian@t14/shenvs/c.nix
@ -0,0 +1,13 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    binutils
+    cmake
+    curl
+    gdb
+    gnumake
+    rustup
+    valgrind
+  ];
+}
--- a/home/platforms/fabian@t14/shenvs/python.nix
+++ b/home/platforms/fabian@t14/shenvs/python.nix
@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    pipenv
+    (python310.withPackages (packages:
+      with packages; [
+        setuptools
+      ]))
+  ];
+}
--- a/home/platforms/fabian@t14/systemd/default.nix
+++ b/home/platforms/fabian@t14/systemd/default.nix
@ -0,0 +1,10 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.user.tmpfiles.rules = [
+    "d %t/tmp 0700 fabian fabian 24h"
+  ];
+}
--- a/home/platforms/fabian@vps/default.nix
+++ b/home/platforms/fabian@vps/default.nix
@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+  ];
+
+  local = {
+    baseline.enable = true;
+
+    services = {
+      zsh.prompt = "%B<%~> \${vcs_info_msg_0_}%b";
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+    ];
+  };
+}
--- a/templates/system-flake/pkgs/config/default.nix
+++ b/templates/system-flake/pkgs/config/default.nix
--- a/pkgs/config/unfree.nix
+++ b/pkgs/config/unfree.nix
@ -0,0 +1,11 @@
+lib: name:
+with lib;
+  elem name [
+    "discord"
+    "spotify"
+    "spotify-unwrapped"
+    "steam"
+    "steam-original"
+    "steam-unwrapped"
+    "steam-run"
+  ]
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -1,9 +1,39 @@
-final: prev:
+{
+  final,
+  prev,
+  flakes,
+}:
 with prev.lib; let
-  inherit (final) callPackage;
+  inherit (final) callPackage fetchpatch;
 in {
-  override = {};
+  homepage = flakes.homepage.packages.${final.system}.default;

-  athena-bccr = callPackage ./athena-bccr {};
-  spliit = callPackage ./spliit {};
+  override =
+    {
+      # add python modules here to make them available in all versions
+    }
+    // (
+      let
+        makePyOverrides = version: let
+          name = "python3${toString version}";
+        in {
+          inherit name;
+
+          value = prev.${name}.override {
+            packageOverrides = nextPy: prevPy: {
+            };
+          };
+        };
+
+        pyVersionRange' = start: end: let
+          next = end + 1;
+        in
+          if prev ? "python3${toString next}"
+          then pyVersionRange' start next
+          else range start end;
+
+        pyVersionRange = start: pyVersionRange' start start;
+      in
+        listToAttrs (map makePyOverrides (pyVersionRange 9))
+    );
 }
--- a/sys/default.nix
+++ b/sys/default.nix
@ -0,0 +1,13 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [
+    flakes.trivionomicon.nixosModules.default
+    ./modules
+  ];
+}
--- a/sys/modules/android.nix
+++ b/sys/modules/android.nix
@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.androidSupport;
+in {
+  options.local.sys.androidSupport = {
+    enable = mkEnableOption "androidSupport settings";
+  };
+  config = mkIf cfg.enable {
+    services.udev.packages = with pkgs; [
+      android-udev-rules
+    ];
+  };
+}
--- a/sys/modules/audio.nix
+++ b/sys/modules/audio.nix
@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.audio;
+in {
+  options.local.sys.audio = {
+    enable = mkEnableOption "audio settings";
+  };
+  config = mkIf cfg.enable {
+    security.rtkit.enable = true;
+
+    services.pipewire = {
+      enable = true;
+
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+
+      jack.enable = true;
+      pulse.enable = true;
+      wireplumber.enable = true;
+    };
+  };
+}
--- a/sys/modules/baseline.nix
+++ b/sys/modules/baseline.nix
@ -0,0 +1,91 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.baseline;
+in {
+  options.local.sys.baseline = {
+    enable = mkEnableOption "Basic system settings";
+  };
+  config = mkIf cfg.enable {
+    system.stateVersion = "24.05"; # DO NOT CHANGE
+
+    nix = {
+      package = pkgs.nixVersions.stable;
+
+      extraOptions = ''
+        experimental-features = nix-command flakes
+      '';
+
+      # Not interested in the global flake registry
+      settings.flake-registry = "";
+    };
+
+    console = {
+      keyMap = "us";
+    };
+
+    programs = {
+      zsh.enable = true;
+      fuse.userAllowOther = true;
+    };
+
+    environment = {
+      pathsToLink = [
+        "/share/zsh"
+      ];
+
+      systemPackages = with pkgs;
+        [
+          git
+          vim
+        ]
+        ++ optionals (!config.boot.isContainer) [
+          lm_sensors
+          lshw
+          parted
+          pciutils
+          smartmontools
+          usbutils
+        ];
+    };
+
+    fonts.packages = with pkgs; [
+      jetbrains-mono
+      nerd-fonts.jetbrains-mono
+      noto-fonts
+      noto-fonts-cjk-sans
+      noto-fonts-emoji
+      noto-fonts-extra
+      nerd-fonts.fira-code
+      nerd-fonts.droid-sans-mono
+    ];
+
+    services = {
+      openssh.enable = mkDefault true;
+
+      earlyoom = {
+        enable = mkDefault true;
+        enableNotifications = true;
+      };
+    };
+
+    programs.dconf.enable = true;
+
+    # Coredumps are a security risk and may use up a lot of disk space
+    systemd.coredump.extraConfig = ''
+      Storage=none
+      ProcessSizeMax=0
+    '';
+
+    security.dhparams = {
+      enable = true;
+      defaultBitSize = 4096;
+    };
+
+    i18n.defaultLocale = "en_US.UTF-8";
+  };
+}
--- a/sys/modules/bluetooth.nix
+++ b/sys/modules/bluetooth.nix
@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.bluetooth;
+in {
+  options.local.sys.bluetooth = {
+    enable = mkEnableOption "bluetooth settings";
+  };
+  config = mkIf cfg.enable {
+    hardware = {
+      bluetooth = {
+        enable = true;
+        settings = {
+          General = {
+            Enable = "Source,Sink,Media,Socket";
+          };
+        };
+      };
+    };
+
+    services = {
+      blueman.enable = true;
+    };
+  };
+}
--- a/sys/modules/borgsync.nix
+++ b/sys/modules/borgsync.nix
@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.borgsync;
+in {
+  options.local.sys.borgsync = {
+    enable = mkEnableOption "borg backup to an rsync.net repo";
+    paths = mkOption {
+      type = with types; nullOr (coercedTo str singleton (listOf str));
+      default = null;
+      description = "Paths to back up.";
+    };
+    exclude = mkOption {
+      type = with types; listOf str;
+      description = "Exclude paths.";
+      default = [];
+    };
+    repoName = mkOption {
+      type = types.str;
+      description = "Remote rsync repository to back up to.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.borgbackup.jobs.rsync = {
+      paths = cfg.paths;
+      exclude = cfg.exclude;
+      user = "root";
+      group = "root";
+      doInit = true;
+      startAt = [
+        "hourly"
+      ];
+      inhibitsSleep = true;
+      persistentTimer = true;
+
+      repo = "zh5777@zh5777.rsync.net:${cfg.repoName}";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /var/trust/borg/${cfg.repoName}_passphrase";
+      };
+      compression = "auto,lz4";
+      prune = {
+        keep = {
+          hourly = 24;
+          daily = 7;
+          weekly = 4;
+          monthly = 12;
+          yearly = 99;
+        };
+      };
+      extraArgs = [
+        "--remote-path=borg14"
+      ];
+    };
+
+    environment.sessionVariables.BORG_REMOTE_PATH = "borg14";
+  };
+}
--- a/sys/modules/default.nix
+++ b/sys/modules/default.nix
@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./baseline.nix
+    ./yubikey.nix
+    ./audio.nix
+    ./graphics.nix
+    ./virtualisation.nix
+    ./android.nix
+    ./users.nix
+    ./bluetooth.nix
+    ./net.nix
+    ./steam.nix
+    ./gtklock.nix
+    ./borgsync.nix
+    ./dufs.nix
+    ./defaultDesktopPack.nix
+  ];
+}
--- a/sys/modules/defaultDesktopPack.nix
+++ b/sys/modules/defaultDesktopPack.nix
@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.defaultDesktopPack;
+in {
+  options.local.sys.defaultDesktopPack = {
+    enable = mkEnableOption "common desktop programs and services";
+  };
+  config = mkIf cfg.enable {
+    local.sys = {
+      baseline.enable = true;
+
+      audio.enable = true;
+      graphics.enable = true;
+      gtklock.enable = true;
+      steam.enable = true;
+
+      users = {
+        fabian = {
+          enable = true;
+          unixId = 1002; #TODO !!!!!!
+        };
+      };
+    };
+
+    trivium = {
+      sway.enable = true;
+      trivionomiconMotd.enable = true;
+    };
+
+    networking = {
+      networkmanager.enable = true;
+      useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+    };
+  };
+}
--- a/sys/modules/dufs.nix
+++ b/sys/modules/dufs.nix
@ -0,0 +1,233 @@
+# https://github.com/NixOS/nixpkgs/blob/c77cd68706b590b44334bb8c506239b3384c26a0/nixos/modules/services/misc/dufs.nix
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.dufs;
+  types = lib.types;
+in {
+  options.local.sys.dufs = {
+    enable = lib.mkEnableOption "the dufs server";
+    package = lib.mkPackageOption pkgs "dufs" {};
+    settings = lib.mkOption {
+      type = types.submodule {
+        options = {
+          serve-path = lib.mkOption {
+            type = types.path;
+            description = "Specific path to serve.";
+          };
+          bind = lib.mkOption {
+            type = types.nullOr types.str;
+            description = "Specify bind address or unix socket.";
+            default = null;
+          };
+          port = lib.mkOption {
+            type = types.port;
+            description = "Specify port to listen on.";
+            default = 5000;
+          };
+          path-prefix = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Specify a path prefix.";
+            default = null;
+          };
+          hidden = lib.mkOption {
+            type = types.listOf types.str;
+            description = "Hide paths from directory listings, e.g. tmp,*.log,*.lock.";
+            default = [];
+            example = lib.literalExpression ''
+              [
+                "tmp"
+                "*.log"
+                "*.lock."
+              ]
+            '';
+          };
+          allow-all = lib.mkOption {
+            type = types.bool;
+            description = "Allow all operations.";
+            default = true;
+          };
+          allow-upload = lib.mkOption {
+            type = types.bool;
+            description = "Allow upload files/folders.";
+            default = false;
+          };
+          allow-delete = lib.mkOption {
+            type = types.bool;
+            description = "Allow delete files/folders.";
+            default = false;
+          };
+          allow-search = lib.mkOption {
+            type = types.bool;
+            description = "Allow search files/folders.";
+            default = false;
+          };
+          allow-symlink = lib.mkOption {
+            type = types.bool;
+            description = "Allow symlink to files/folders outside root directory.";
+            default = false;
+          };
+          allow-archive = lib.mkOption {
+            type = types.bool;
+            description = "Allow zip archive generation.";
+            default = false;
+          };
+          enable-cors = lib.mkOption {
+            type = types.bool;
+            description = "Enable CORS, sets `Access-Control-Allow-Origin: *`.";
+            default = false;
+          };
+          render-index = lib.mkOption {
+            type = types.bool;
+            description = "Serve index.html when requesting a directory, returns 404 if not found index.html.";
+            default = false;
+          };
+          render-try-index = lib.mkOption {
+            type = types.bool;
+            description = "Serve index.html when requesting a directory, returns directory listing if not found index.html.";
+            default = false;
+          };
+          render-spa = lib.mkOption {
+            type = types.bool;
+            description = "Serve SPA(Single Page Application).";
+            default = false;
+          };
+          assets = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Set the path to the assets directory for overriding the built-in assets.";
+            default = null;
+          };
+          log-format = lib.mkOption {
+            type = types.nullOr types.str;
+            description = "Customize http log format.";
+            default = null;
+            example = lib.literalExpression ''
+              "$remote_addr \"$request\" $status"
+            '';
+          };
+          compress = lib.mkOption {
+            type = types.enum [
+              "none"
+              "low"
+              "medium"
+              "high"
+            ];
+            description = "Customize http log format.";
+            default = "none";
+          };
+          tls-cert = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Path to an SSL/TLS certificate to serve with HTTPS.";
+            default = null;
+          };
+          tls-key = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Path to the SSL/TLS certificate's private key.";
+            default = null;
+          };
+        };
+      };
+      description = "Settings for dufs.";
+    };
+    authFile = lib.mkOption {
+      type = types.nullOr types.path;
+      description = ''
+        Path to file containing auth roles (e.g. user:pass@/dir1:rw,/dir2), one per line.
+
+        Passwords may be hashed, see https://github.com/sigoden/dufs#hashed-password.
+      '';
+      default = null;
+    };
+    openFirewall = lib.mkOption {
+      type = types.bool;
+      description = "Open firewall on configured port.";
+      default = false;
+    };
+    user = lib.mkOption {
+      type = types.str;
+      description = "User to run dufs under.";
+      default = "dufs";
+    };
+    group = lib.mkOption {
+      type = types.str;
+      description = "Group to run dufs under.";
+      default = "dufs";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [cfg.settings.port];
+    systemd.services.dufs = let
+      settings = lib.filterAttrs (_: v: v != null) cfg.settings;
+      pathWritable = settings.allow-all || settings.allow-upload || settings.allow-delete;
+    in {
+      after = ["network.target"];
+      wantedBy = ["multi-user.target"];
+      environment.DUFS_CONFIG = (pkgs.formats.yaml {}).generate "dufs-config.yaml" settings;
+      script = ''
+        ${lib.optionalString (cfg.authFile != null) ''
+          export DUFS_AUTH=$(tr '\n' '|' < ${lib.escapeShellArg cfg.authFile} | sed 's/|$//')
+        ''}
+        exec ${lib.escapeShellArg (lib.getExe cfg.package)}
+      '';
+      serviceConfig = {
+        BindReadOnlyPaths =
+          [
+            builtins.storeDir
+          ]
+          ++ lib.optional (!pathWritable) settings.serve-path
+          ++ lib.optional (cfg.authFile != null) cfg.authFile;
+        BindPaths = lib.mkIf pathWritable settings.serve-path;
+        CapabilityBoundingSet = "";
+        DeviceAllow = "";
+        Group = cfg.group;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RootDirectory = "/run/dufs";
+        RuntimeDirectory = "dufs";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@resources"
+          "~@privileged"
+        ];
+        User = cfg.user;
+      };
+    };
+    users = {
+      users.dufs = lib.mkIf (cfg.user == "dufs") {
+        group = cfg.group;
+        home = cfg.settings.serve-path;
+        isSystemUser = true;
+      };
+      groups.dufs = lib.mkIf (cfg.group == "dufs") {};
+    };
+  };
+  meta.maintainers = with lib.maintainers; [jackwilsdon];
+}
--- a/sys/modules/graphics.nix
+++ b/sys/modules/graphics.nix
@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.graphics;
+in {
+  options.local.sys.graphics = {
+    enable = mkEnableOption "graphics settings";
+  };
+  config = mkIf cfg.enable {
+    services = {
+      libinput.enable = true;
+    };
+
+    hardware.graphics.enable = true;
+  };
+}
--- a/sys/modules/gtklock.nix
+++ b/sys/modules/gtklock.nix
@ -0,0 +1,84 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.gtklock;
+in {
+  options.local.sys.gtklock = {
+    enable = mkEnableOption "gtklock settings";
+  };
+  config = mkIf cfg.enable {
+    programs.gtklock = {
+      enable = true;
+      config = {
+        main = {
+          idle-hide = true;
+          idle-timeout = 1;
+          time-format = "%H:%M:%S";
+          start-hidden = true;
+        };
+      };
+      style = ''
+        /* Main lockscreen window */
+        window {
+          background-color: black;
+          color: #eaeaea;
+          font-family: "JetBrainsMono Nerd Font", monospace;
+          font-size: 14px;
+        }
+
+        /* Container for clock + prompt */
+        #main-box {
+          background: black;
+          border: none;
+          border-radius: 0;
+          padding: 0;
+          margin: 0;
+        }
+
+        /* Clock text */
+        #clock {
+          font-size: 32px;
+          font-weight: bold;
+          color: #ffffff;
+          margin-bottom: 12px;
+        }
+
+        /* Date text */
+        #date {
+          font-size: 14px;
+          color: #aaaaaa;
+          margin-bottom: 24px;
+        }
+
+        /* Password entry */
+        entry {
+          background-color: black;
+          color: #ffffff;
+          border: none;
+          border-radius: 0;
+          padding: 6px 8px;
+          font-family: "JetBrains Mono", monospace;
+          font-size: 12px;
+        }
+
+        /* Hide any extra icons in the entry */
+        entry image {
+          opacity: 0;
+          width: 0;
+          height: 0;
+        }
+
+        /* Wrong password feedback */
+        #auth-failure {
+          color: #ff6666;
+          font-size: 12px;
+          margin-top: 6px;
+        }
+      '';
+    };
+  };
+}
--- a/sys/modules/net.nix
+++ b/sys/modules/net.nix
@ -0,0 +1,186 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  options.local.sys.nets = with lib.types;
+    mkOption {
+      readOnly = true;
+
+      type = attrsOf (submodule ({config, ...}: {
+        options = let
+          v4config = config.v4;
+          v6config = config.v6;
+        in {
+          hosts = mkOption {
+            default = {};
+
+            type = attrsOf (submodule {
+              options = {
+                v4 = mkOption {
+                  default = null;
+
+                  type = nullOr (submodule ({config, ...}: {
+                    options = {
+                      suffix = mkOption {
+                        type = str;
+                      };
+
+                      address = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+
+                      cidr = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+
+                      single = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+                    };
+
+                    config = {
+                      address =
+                        if v4config.bits == 0
+                        then config.suffix
+                        else if v4config.bits == 32
+                        then v4config.subnet
+                        else "${v4config.prefix}.${config.suffix}";
+
+                      cidr = "${config.address}/${toString v4config.bits}";
+                      single = "${config.address}/32";
+                    };
+                  }));
+                };
+
+                v6 = mkOption {
+                  default = null;
+
+                  type = nullOr (submodule ({config, ...}: {
+                    options = {
+                      suffix = mkOption {
+                        type = str;
+                      };
+
+                      address = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+
+                      cidr = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+
+                      single = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+                    };
+
+                    config = {
+                      address = let
+                        hextets = fragment: length (splitString ":" fragment);
+                        separator =
+                          if doubleColon
+                          then "::"
+                          else ":";
+                        doubleColon = hextets v6config.prefix + hextets config.suffix < 8;
+
+                        joined =
+                          if v6config.bits == 128
+                          then v6config.prefix
+                          else if v6config.bits == 0
+                          then config.suffix
+                          else "${v6config.prefix}${separator}${config.suffix}";
+                      in
+                        joined;
+
+                      cidr = "${config.address}/${toString v6config.bits}";
+                      single = "${config.address}/128";
+                    };
+                  }));
+                };
+              };
+            });
+          };
+
+          v4 = mkOption {
+            default = null;
+
+            type = nullOr (submodule ({config, ...}: {
+              options = {
+                bits = mkOption {
+                  type = enum [0 8 16 24 32];
+                };
+
+                prefix = mkOption {
+                  type = str;
+                };
+
+                subnet = mkOption {
+                  type = str;
+                  readOnly = true;
+                };
+
+                cidr = mkOption {
+                  type = str;
+                  readOnly = true;
+                };
+              };
+
+              config = {
+                cidr = "${config.subnet}/${toString config.bits}";
+                subnet =
+                  if config.bits != 0
+                  then config.prefix + strings.replicate (4 - config.bits / 8) ".0"
+                  else "0.0.0.0";
+              };
+            }));
+          };
+
+          v6 = mkOption {
+            default = null;
+
+            type = nullOr (submodule ({config, ...}: {
+              options = {
+                bits = mkOption {
+                  type =
+                    addCheck (ints.between 0 128) (b: mod b 4 == 0)
+                    // {
+                      description = "IPv6 subnet bits at nibble boundary";
+                    };
+                };
+
+                prefix = mkOption {
+                  type = str;
+                };
+
+                subnet = mkOption {
+                  type = str;
+                  readOnly = true;
+                };
+
+                cidr = mkOption {
+                  type = str;
+                  readOnly = true;
+                };
+              };
+
+              config = {
+                cidr = "${config.subnet}/${toString config.bits}";
+                subnet =
+                  if config.bits == 128 || length (splitString "::" config.prefix) > 1
+                  then config.prefix
+                  else "${config.prefix}::";
+              };
+            }));
+          };
+        };
+      }));
+    };
+}
--- a/sys/modules/steam.nix
+++ b/sys/modules/steam.nix
@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.steam;
+in {
+  options.local.sys.steam = {
+    enable = mkEnableOption "steam settings";
+  };
+  config = mkIf cfg.enable {
+    programs.steam = {
+      enable = true;
+      remotePlay.openFirewall = true;
+      dedicatedServer.openFirewall = true;
+      localNetworkGameTransfers.openFirewall = true;
+    };
+
+    environment = {
+      systemPackages = with pkgs; [
+        protontricks
+        protonup
+        protonup-ng
+        winetricks
+      ];
+    };
+  };
+}
--- a/sys/modules/users.nix
+++ b/sys/modules/users.nix
@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.users;
+  userType = types.submodule {
+    options = {
+      enable = mkEnableOption "user settings";
+      unixId = mkOption {
+        # gid and uid are always the same
+        type = types.int;
+      };
+      admin = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      sshKeyPublicFile = mkOption {
+        type = types.listOf types.path;
+        default = [];
+      };
+    };
+  };
+in {
+  options.local.sys.users = mkOption {
+    type = types.attrsOf userType;
+    default = {};
+  };
+
+  config = {
+    local.sys.users = {
+      fabian = {
+        unixId = mkDefault 1000;
+        admin = true;
+      };
+    };
+
+    users = let
+      enabledUsers = filterAttrs (k: v: v.enable) cfg;
+    in {
+      groups =
+        mapAttrs (k: v: {
+          gid = v.unixId;
+        })
+        enabledUsers;
+
+      users =
+        mapAttrs (k: v: {
+          isNormalUser = true;
+          uid = v.unixId;
+          group = k;
+          shell = pkgs.zsh;
+          extraGroups =
+            ["users" "networkmanager"]
+            ++ optionals (v.admin) ["wheel" "libvirtd" "dialout" "adbusers" "video" "input"];
+          openssh.authorizedKeys.keyFiles = v.sshKeyPublicFile;
+        })
+        enabledUsers;
+    };
+  };
+}
--- a/sys/modules/virtualisation.nix
+++ b/sys/modules/virtualisation.nix
@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.virtualisation;
+in {
+  options.local.sys.virtualisation = {
+    enable = mkEnableOption "virtualisation settings";
+  };
+  config = mkIf cfg.enable {
+    virtualisation.libvirtd.qemu.package = pkgs.qemu_kvm;
+    virtualisation.libvirtd.qemu.ovmf.enable = true;
+    virtualisation.libvirtd.qemu.ovmf.packages = [pkgs.OVMFFull.fd];
+    virtualisation.libvirtd.enable = true;
+    # boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+    # boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "vfio-pci.ids=1002:699f,1002:aae0" "video=efifb:off" ];
+    virtualisation.libvirtd.onBoot = "start";
+  };
+}
--- a/sys/modules/yubikey.nix
+++ b/sys/modules/yubikey.nix
@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.yubikey;
+in {
+  options.local.sys.yubikey = {
+    enable = mkEnableOption "yubikey settings";
+  };
+  config = mkIf cfg.enable {
+    services = {
+      pcscd.enable = true;
+      udev.packages = [pkgs.yubikey-personalization];
+    };
+
+    environment.etc."pkcs11/modules/ykcs11".text = ''
+      module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+    '';
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+
+    security.pam = {
+      services = {
+        login.u2fAuth = true;
+        sudo.u2fAuth = true;
+      };
+
+      u2f = {
+        enable = true;
+        control = "sufficient";
+        settings = {
+          debug = false;
+          cue = true;
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/posixlycorrect/default.nix
+++ b/sys/platforms/posixlycorrect/default.nix
@ -0,0 +1,50 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}: {
+  imports = [
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+  ];
+
+  local.sys = {
+    defaultDesktopPack.enable = true;
+
+    yubikey.enable = true;
+    virtualisation.enable = true;
+    androidSupport.enable = true;
+    borgsync = {
+      enable = true;
+      paths = [
+        "/home/fabian/nix"
+        "/home/fabian/safe"
+        "/xtern/backup"
+      ];
+      repoName = "posixlycorrect";
+    };
+  };
+
+  networking = {
+    hostName = "posixlycorrect";
+    hostId = "0414a727";
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = true;
+    supportedFilesystems = ["zfs"];
+    zfs = {
+      forceImportRoot = false;
+      useKeyringForCredentials = true;
+    };
+  };
+
+  time.timeZone = "America/Costa_Rica";
+}
--- a/sys/platforms/posixlycorrect/hardware-configuration.nix
+++ b/sys/platforms/posixlycorrect/hardware-configuration.nix
@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: let
+  subvol = subvol: {
+    device = "/dev/disk/by-uuid/645fdba0-5c03-4285-926b-facded1ee259";
+    fsType = "btrfs";
+    options = ["subvol=${subvol}" "compress=zstd" "noatime" "ssd"];
+  };
+in {
+  imports = [
+    flakes.nixpkgs.nixosModules.notDetected
+  ];
+
+  boot.initrd = {
+    availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+    luks.devices."toplevel" = {
+      device = "/dev/disk/by-uuid/58277baa-90d4-4a5e-a658-1b918b89130a";
+      preLVM = false;
+    };
+  };
+
+  fileSystems = {
+    "/" = subvol "root";
+    "/toplevel" = subvol "/";
+    "/boot" = {
+      device = "/dev/disk/by-uuid/B007-B007";
+      fsType = "vfat";
+      options = ["umask=027"];
+    };
+
+    "/extern" = {
+      device = "/dev/disk/by-uuid/7d8d3ec9-b456-4e2a-9396-551dcaf7705b";
+      fsType = "btrfs";
+      options = ["noatime" "compress=zstd"];
+    };
+  };
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/sys/platforms/t14/default.nix
+++ b/sys/platforms/t14/default.nix
@ -0,0 +1,45 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}: {
+  imports = [
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+  ];
+
+  local.sys = {
+    defaultDesktopPack.enable = true;
+
+    yubikey.enable = true;
+    bluetooth.enable = true;
+  };
+
+  trivium = {
+    laptop.enable = true;
+    thinkpad.enable = true;
+  };
+
+  services = {
+    fwupd.enable = true; #TODO
+    pcscd.enable = true; #TODO
+  };
+
+  hardware.acpilight.enable = true;
+
+  networking.hostName = "t14";
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+  };
+
+  time.timeZone = "America/Costa_Rica";
+}
--- a/sys/platforms/t14/hardware-configuration.nix
+++ b/sys/platforms/t14/hardware-configuration.nix
@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  services.xserver.videoDrivers = ["i915" "modesetting" "fbdev"];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "sdhci_pci"];
+      kernelModules = ["dm-snapshot"];
+      luks.devices."tomb" = {
+        device = "/dev/disk/by-uuid/0b2b9aec-c239-4cce-948d-4411d9300c1d";
+        preLVM = true;
+      };
+    };
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=root"];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/A7E5-EEAB";
+      fsType = "vfat";
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=nix"];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=home"];
+    };
+
+    "/toplevel" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+    };
+  };
+
+  swapDevices = [];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/sys/platforms/vps/default.nix
+++ b/sys/platforms/vps/default.nix
@ -0,0 +1,140 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  doctrine,
+  ...
+}:
+with lib; {
+  imports = [
+    flakes.vpsadminos.nixosConfigurations.container
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+    ./srv
+    ./networkMap.nix
+  ];
+
+  local.sys = {
+    baseline.enable = true;
+
+    borgsync = {
+      enable = true;
+      paths = [
+        "/var/lib/forgejo"
+        "/var/lib/mealie"
+        "/var/lib/trilium"
+        "/var/lib/forgejo"
+      ];
+      repoName = "vps";
+    };
+
+    users.fabian = {
+      enable = true;
+      sshKeyPublicFile = [pki/id_ed25519.pub]; # move this out someday
+    };
+  };
+
+  trivium.soju = {
+    enable = true;
+    fullyQualifiedDomain = "soju.posixlycorrect.com";
+  };
+
+  services.openssh = {
+    settings.PasswordAuthentication = false;
+  };
+
+  programs.mosh.enable = true;
+
+  networking = {
+    hostName = "vps";
+    domain = "posixlycorrect.com";
+    firewall.allowedUDPPorts = [51820]; #TODO
+  };
+
+  time.timeZone = "Europe/Amsterdam";
+
+  systemd = {
+    extraConfig = ''
+      DefaultTimeoutStartSec=900s
+    '';
+
+    network = let
+      inherit (config.local.sys) nets;
+    in {
+      enable = true;
+
+      netdevs = {
+        wg-vpn = {
+          netdevConfig = {
+            Name = "wg-vpn";
+            Kind = "wireguard";
+          };
+
+          wireguardConfig = {
+            PrivateKeyFile = "/var/trust/wg/vpn/key.priv";
+            ListenPort = "51820";
+          };
+
+          wireguardPeers = [
+            {
+              PublicKey = "wwUp3Uu/rSxbp+6J745O+cpnZHGWOJYWfWEsTjRE3yU=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-posixlycorrect.psk";
+              AllowedIPs = ["${nets.vpn-posixlycorrect.v6.cidr}"];
+            }
+            {
+              PublicKey = "YFqg/ED26KygSRSmGzvUXpwnXPqMOI3R3caVfAtHVks=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-pixel8.psk";
+              AllowedIPs = ["${nets.vpn-pixel8.v6.cidr}"];
+            }
+          ];
+        };
+      };
+
+      networks = {
+        wg-vpn = {
+          name = "wg-vpn";
+
+          networkConfig = {
+            Address = [
+              nets.vpn-vps.hosts.vps.v6.cidr
+            ];
+          };
+
+          routes = [
+            {
+              Destination = nets.vpn.v6.cidr;
+            }
+            {
+              Source = nets.vpn.v6.cidr;
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+
+    extraSpecialArgs = {
+      inherit flakes;
+      doctrine = flakes.trivionomicon.lib.mkDoctrine {
+        inherit pkgs;
+        inherit (doctrine) prefix;
+        namespace = "home";
+      };
+    };
+
+    users.fabian = {
+      imports = [
+        flakes.impermanence.nixosModules.home-manager.impermanence
+        "${flakes.self}/home/platforms/fabian@vps"
+        "${flakes.self}/home"
+      ];
+    };
+  };
+}
--- a/sys/platforms/vps/hardware-configuration.nix
+++ b/sys/platforms/vps/hardware-configuration.nix
@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: let
+in {
+  fileSystems = {
+    "/mnt/export2008" = {
+      device = "172.16.129.19:/nas/5876";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2178" = {
+      device = "172.16.129.151:/nas/5876/immich";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2179" = {
+      device = "172.16.131.31:/nas/5876/syncthing";
+      fsType = "nfs";
+      options = ["nofail"];
+    };
+  };
+}
--- a/sys/platforms/vps/networkMap.nix
+++ b/sys/platforms/vps/networkMap.nix
@ -0,0 +1,78 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  local.sys.nets = {
+    default = {
+      v4 = {
+        bits = 32;
+        prefix = "37.205.12.34";
+      };
+
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:fe:102";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+        vps.v4.suffix = "";
+      };
+    };
+
+    vpn = {
+      v6 = {
+        bits = 48;
+        prefix = "2a03:3b40:2b";
+      };
+    };
+
+    vpn-vps = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1000";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+      };
+    };
+
+    vpn-posixlycorrect = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1001";
+      };
+
+      hosts = {
+        posixlycorrect.v6.suffix = "1";
+      };
+    };
+
+    vpn-pixel8 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1002";
+      };
+
+      hosts = {
+        pixel8.v6.suffix = "1";
+      };
+    };
+
+    vpn-t14 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1003";
+      };
+
+      hosts = {
+        t14.v6.suffix = "1";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/pki/id_ed25519.pub
+++ b/sys/platforms/vps/pki/id_ed25519.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICls/LbyzkIXj5HCp7Qc4eoGcUXzJdQFshNX2caPwgNh openpgp:0x1B7A8CB7
--- a/sys/platforms/vps/srv/calibre-web.nix
+++ b/sys/platforms/vps/srv/calibre-web.nix
@ -0,0 +1,30 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."calibre.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://[::1]:8083";
+        };
+      };
+    };
+
+    calibre-web = {
+      enable = true;
+      options = {
+        enableBookUploading = true;
+        calibreLibrary = "/var/lib/calibre-web/calibre_library";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/default.nix
+++ b/sys/platforms/vps/srv/default.nix
@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+    ./net.nix
+    ./mediawiki.nix
+    ./forgejo.nix
+    ./vaultwarden.nix
+    ./msmtp.nix
+    ./trilium.nix
+    ./syncthing.nix
+    ./calibre-web.nix
+    ./immich.nix
+    ./mealie.nix
+    ./dufs.nix
+    ./isso.nix
+    ./miniflux.nix
+    ./radicale.nix
+  ];
+}
--- a/sys/platforms/vps/srv/dufs.nix
+++ b/sys/platforms/vps/srv/dufs.nix
@ -0,0 +1,32 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."public.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5000";
+        };
+      };
+    };
+  };
+
+  local.sys.dufs = {
+    enable = true;
+    settings = {
+      serve-path = "/var/public";
+      allow-all = false;
+      allow-archive = true;
+    };
+  };
+}
--- a/sys/platforms/vps/srv/forgejo.nix
+++ b/sys/platforms/vps/srv/forgejo.nix
@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  config = {
+    environment.etc."fail2ban/filter.d/gitea.local".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+    '';
+
+    services = {
+      nginx = {
+        virtualHosts."git.posixlycorrect.com" = {
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 128;
+          '';
+          locations."/".proxyPass = "http://localhost:9170";
+        };
+      };
+
+      fail2ban.jails.gitea.settings = {
+        filter = "gitea";
+        logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+        maxretry = "10";
+        findtime = "3600";
+        bantime = "900";
+        action = "iptables-allports";
+      };
+
+      forgejo = {
+        enable = true;
+        lfs.enable = true;
+        useWizard = false;
+        settings = {
+          general.APP_NAME = "posixlycorrect";
+          ui.DEFAULT_THEME = "forgejo-dark";
+          server = {
+            DOMAIN = "git.posixlycorrect.com";
+            ROOT_URL = "https://git.posixlycorrect.com";
+            HTTP_PORT = 9170;
+            LANDING_PAGE = "explore";
+          };
+
+          service.DISABLE_REGISTRATION = true;
+
+          actions = {
+            ENABLED = true;
+          };
+          mailer = {
+            ENABLED = false;
+          };
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/immich.nix
+++ b/sys/platforms/vps/srv/immich.nix
@ -0,0 +1,72 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."photos.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://localhost:2283";
+        };
+      };
+    };
+
+    immich = {
+      enable = true;
+      secretsFile = "/var/trust/immich/secrets.txt";
+      mediaLocation = "/mnt/export2178/immich/media";
+      machine-learning.enable = false;
+      environment = {
+        IMMICH_TELEMETRY_EXCLUDE = "host,api,io,repo,job";
+      };
+      settings = {
+        machineLearning = {
+          enabled = false;
+        };
+        job = {
+          backgroundTask = {
+            concurrency = 1;
+          };
+          smartSearch = {
+            concurrency = 1;
+          };
+          metadataExtraction = {
+            concurrency = 1;
+          };
+          faceDetection = {
+            concurrency = 1;
+          };
+          search = {
+            concurrency = 1;
+          };
+          sidecar = {
+            concurrency = 1;
+          };
+          library = {
+            concurrency = 1;
+          };
+          migration = {
+            concurrency = 1;
+          };
+          thumbnailGeneration = {
+            concurrency = 1;
+          };
+          videoConversion = {
+            concurrency = 1;
+          };
+          notifications = {
+            concurrency = 1;
+          };
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/isso.nix
+++ b/sys/platforms/vps/srv/isso.nix
@ -0,0 +1,45 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."isso.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8888/";
+        };
+      };
+    };
+
+    isso = {
+      enable = true;
+      settings = {
+        general = {
+          host = "https://posixlycorrect.com/";
+          dbpath = "/var/lib/isso/comments.db";
+          notify = "stdout";
+        };
+        moderation = {
+          enabled = false;
+          approve-if-email-previously-approved = false;
+          purge-after = "365d";
+        };
+        server = {
+          listen = "http://127.0.0.1:8888/";
+        };
+        guard = {
+          require-author = true;
+          require-email = true;
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/mealie.nix
+++ b/sys/platforms/vps/srv/mealie.nix
@ -0,0 +1,37 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.services.wiki-js = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+
+  services = {
+    nginx = {
+      virtualHosts."food.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9000";
+        };
+      };
+    };
+
+    mealie = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      port = 9000;
+      credentialsFile = "/var/trust/mealie/credentials.env";
+      settings = {
+        ALLOW_SIGNUP = "false";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/mediawiki.nix
+++ b/sys/platforms/vps/srv/mediawiki.nix
@ -0,0 +1,71 @@
+{
+  lib,
+  pkgs,
+  flakes,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."wiki.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+    mediawiki = {
+      enable = true;
+      name = "posixlycorrect wiki";
+      webserver = "nginx";
+      nginx.hostName = "wiki.posixlycorrect.com";
+      database.type = "postgres";
+
+      passwordFile = "/run/keys/mediawiki-password";
+
+      skins = {
+        citizen = "${flakes.mediawikiSkinCitizen}";
+      };
+
+      extraConfig = ''
+        # Disable anonymous editing and account creation
+        $wgGroupPermissions['*']['edit'] = false;
+        $wgGroupPermissions['*']['createaccount'] = false;
+
+        $wgDefaultSkin = 'citizen';
+        $wgDefaultMobileSkin = 'citizen';
+        $wgCitizenThemeDefault = 'dark';
+        $wgCitizenShowPageTools = 'login';
+        $wgLogos = [
+          'icon' => "https://posixlycorrect.com/favicon.png",
+          '1x' => "https://posixlycorrect.com/favicon.png",
+          '2x' => "https://posixlycorrect.com/favicon.png",
+        ];
+
+        $wgEnableEmail = false; #TODO: arreglar esto
+        $wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
+        $wgEmergencyContact = 'mediawiki@posixlycorrect.com';
+        $wgPasswordSender = 'mediawiki@posixlycorrect.com';
+      '';
+
+      extensions = {
+        # some extensions are included and can enabled by passing null
+        VisualEditor = null;
+        CategoryTree = null;
+        CiteThisPage = null;
+        Scribunto = null;
+        Cite = null;
+        CodeEditor = null;
+        Math = null;
+        MultimediaViewer = null;
+        PdfHandler = null;
+        Poem = null;
+        SecureLinkFixer = null;
+        WikiEditor = null;
+        ParserFunctions = null;
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/miniflux.nix
+++ b/sys/platforms/vps/srv/miniflux.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."rss.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8087";
+        };
+      };
+    };
+
+    miniflux = {
+      enable = true;
+      adminCredentialsFile = "/var/trust/miniflux/adminCredentialsFile";
+      config = {
+        CLEANUP_FREQUENCY = 48;
+        LISTEN_ADDR = "127.0.0.1:8087";
+        BASE_URL = "https://rss.posixlycorrect.com";
+        CREATE_ADMIN = 1;
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/msmtp.nix
+++ b/sys/platforms/vps/srv/msmtp.nix
@ -0,0 +1,35 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  users.groups = {
+    mailsenders = {
+      members = ["fabian" "mediawiki"];
+    };
+  };
+
+  # esto sirve para que PHP pueda accesar la clave smtp de fastmail
+  #systemd.services.phpfpm-mediawiki = {
+  #  path = [ "/run/wrappers" ];
+  #  serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
+  #};
+
+  programs = {
+    msmtp = {
+      enable = true;
+      accounts = {
+        default = {
+          auth = true;
+          host = "smtp.fastmail.com";
+          port = 587;
+          passwordeval = "cat /var/trust/fastmail/smtp_key";
+          user = "fabianmontero@fastmail.com";
+          tls = true;
+          tls_starttls = true;
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/net.nix
+++ b/sys/platforms/vps/srv/net.nix
@ -0,0 +1,100 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  inherit (config.local.sys) nets;
+in {
+  # adds "/var/lib/acme/acme-challenge" as a webroot fallback
+  options = {
+    security.acme = {
+      certs = mkOption {
+        type = with types;
+          attrsOf (submodule ({config, ...}: {
+            config = {
+              webroot =
+                if config.dnsProvider == null
+                then "/var/lib/acme/acme-challenge"
+                else null;
+            };
+          }));
+      };
+    };
+  };
+
+  config = {
+    networking = {
+      nftables.enable = false; # learn how to use this later
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [80 443];
+      };
+      domain = "posixlycorrect.com";
+    };
+
+    # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "fabian@posixlycorrect.com";
+      };
+    };
+
+    services = {
+      nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        logError = "/var/log/nginx/error.log";
+        clientMaxBodySize = "99M";
+        virtualHosts = {
+          "posixlycorrect.com" = {
+            forceSSL = true;
+            enableACME = true;
+            locations = {
+              "/".root = "${pkgs.trivium.homepage}";
+              "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
+            };
+          };
+        };
+      };
+
+      fail2ban = {
+        enable = true;
+        bantime = "10m";
+        ignoreIP = [
+          nets.default.hosts.vps.v6.cidr
+          nets.default.hosts.vps.v4.address
+          nets.vpn.v6.cidr
+        ];
+        bantime-increment = {
+          enable = true;
+          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+          maxtime = "48h"; # Do not ban for more than 48h
+          rndtime = "10m";
+          overalljails = true; # Calculate the bantime based on all the violations
+        };
+        jails = {
+          # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+          nginx-botsearch.settings = {
+            # Usar log en vez de journalctl
+            # TODO: Pasar todo a systemd?
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+          };
+          nginx-bad-request.settings = {
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+            maxretry = 10;
+          };
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/radicale.nix
+++ b/sys/platforms/vps/srv/radicale.nix
@ -0,0 +1,41 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."dav.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5232";
+        };
+      };
+    };
+
+    radicale = {
+      enable = true;
+      settings = {
+        server = {
+          hosts = ["127.0.0.1:5232"];
+        };
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = "/var/trust/radicale/htpasswd";
+          htpasswd_encryption = "bcrypt";
+        };
+        storage = {
+          filesystem_folder = "/var/lib/radicale/collections";
+        };
+        web.type = "internal";
+        rights.type = "authenticated";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/syncthing.nix
+++ b/sys/platforms/vps/srv/syncthing.nix
@ -0,0 +1,42 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    syncthing = {
+      enable = true;
+      systemService = true;
+      overrideFolders = false;
+      overrideDevices = false;
+      openDefaultPorts = true;
+      guiAddress = "127.0.0.1:8384";
+      settings.options.urAccepted = -1;
+      dataDir = "/mnt/export2179/syncthing";
+      relay = {
+        enable = true;
+        pools = [];
+        providedBy = "vps.posixlycorrect.com";
+      };
+    };
+  };
+
+  # calibre web stuff. make this better someday, this is pure duct-tape
+  users.groups."calybresync".members = ["syncthing" "calibre-web"];
+  systemd = {
+    services."calybreown" = {
+      script = ''
+        chgrp -R calybresync /var/lib/calibre-web/calibre_library
+        chmod -R g+w /var/lib/calibre-web/calibre_library
+      '';
+      serviceConfig.Type = "oneshot";
+    };
+    timers."calybreown" = {
+      wantedBy = [
+        "timers.target"
+      ];
+      timerConfig.OnCalendar = "*-*-* *:00/30:00";
+    };
+  };
+}
--- a/sys/platforms/vps/srv/trilium.nix
+++ b/sys/platforms/vps/srv/trilium.nix
@ -0,0 +1,34 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."notes.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+
+    trilium-server = {
+      enable = true;
+      package = pkgs.trilium-next-server;
+      host = "127.0.0.1";
+      port = 8458;
+      noAuthentication = false;
+      noBackup = true; # I already backup the whole dataDir, so no need for this
+      instanceName = "posixlycorrect";
+      dataDir = "/var/lib/trilium";
+      nginx = {
+        enable = true;
+        hostName = "notes.posixlycorrect.com";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/vaultwarden.nix
+++ b/sys/platforms/vps/srv/vaultwarden.nix
@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."vault.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+      };
+    };
+
+    #fail2ban.jails.gitea.settings = { };
+
+    postgresql = {
+      ensureDatabases = ["vaultwarden"];
+      ensureUsers = [
+        {
+          name = "vaultwarden";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = "/var/trust/vaultwarden/smtp_key";
+      config = {
+        DOMAIN = "https://vault.posixlycorrect.com";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        ROCKET_LOG = "critical";
+
+        # Using FASTMAIL mail server
+        # If you use an external mail server, follow:
+        #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+        SMTP_HOST = "smtp.fastmail.com";
+        SMTP_PORT = 587;
+        SMTP_SECURITY = "starttls";
+
+        SMTP_FROM = "vault@posixlycorrect.com";
+        SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
+
+        SMTP_AUTH_MECHANISM = "PLAIN";
+
+        DATABASE_URL = "postgresql:///vaultwarden";
+      };
+    };
+
+    bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
+  };
+}
--- a/trivionomicon/.gitignore
+++ b/trivionomicon/.gitignore
@ -0,0 +1,2 @@
+!**/.keep
+result
--- a/trivionomicon/COPYING
+++ b/trivionomicon/COPYING
@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
--- a/trivionomicon/README.md
+++ b/trivionomicon/README.md
@ -0,0 +1,8 @@
+### Push:
+
+    git subtree push --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+
+
+### Pull:
+
+    git subtree pull --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
--- a/trivionomicon/doctrine/default.nix
+++ b/trivionomicon/doctrine/default.nix
--- a/trivionomicon/doctrine/lib/default.nix
+++ b/trivionomicon/doctrine/lib/default.nix
--- a/trivionomicon/doctrine/lib/import-all.nix
+++ b/trivionomicon/doctrine/lib/import-all.nix
--- a/trivionomicon/doctrine/lib/mk-module.nix
+++ b/trivionomicon/doctrine/lib/mk-module.nix
--- a/trivionomicon/flake.lock
+++ b/trivionomicon/flake.lock
@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1754292888,
+        "narHash": "sha256-1ziydHSiDuSnaiPzCQh1mRFBsM2d2yRX9I+5OPGEmIE=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "ce01daebf8489ba97bd1609d185ea276efdeb121",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/trivionomicon/flake.nix
+++ b/trivionomicon/flake.nix
@ -0,0 +1,229 @@
+{
+  inputs = {
+    flake-utils.url = "github:numtide/flake-utils";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+  }: let
+    mapOverlayOverride = prefix: overlay: final: prev: let
+      overlayPkgs = overlay final prev;
+    in
+      {
+        "${prefix}" = (prev.${prefix} or {}) // builtins.removeAttrs overlayPkgs ["override"];
+      }
+      // (overlayPkgs.override or {});
+
+    doctrineNoPkgs = self.lib.mkDoctrine {
+      lib = nixpkgs.lib;
+      pkgs = null;
+    };
+  in
+    flake-utils.lib.eachDefaultSystem (system: let
+      pkgs = import nixpkgs {inherit system;};
+    in {
+      formatter = pkgs.alejandra;
+
+      packages =
+        (import nixpkgs {
+          inherit system;
+          overlays = [self.overlays.default];
+        }).${
+          doctrineNoPkgs.prefix
+        };
+    })
+    // {
+      templates = let
+        system-flake = {
+          path = ./templates/system-flake;
+          description = "Opinionated flake for a NixOS system with Home Manager";
+        };
+      in {
+        inherit system-flake;
+
+        default = system-flake;
+      };
+
+      overlays = let
+        overlay = mapOverlayOverride doctrineNoPkgs.prefix (import ./pkgs);
+      in {
+        default = overlay;
+        ${doctrineNoPkgs.prefix} = overlay;
+      };
+
+      homeManagerModules.default = ./modules;
+      nixosModules.default = ./modules;
+
+      lib = {
+        mkDoctrine = import ./doctrine;
+
+        mkSystemFlake = {
+          flakes,
+          system,
+          doctrinePrefix ? null,
+          formatter ? "alejandra",
+          paths ? {},
+        }: let
+          mkDoctrine = args:
+            self.lib.mkDoctrine
+            (args
+              // optionalAttrs (doctrinePrefix != null) {
+                prefix = doctrinePrefix;
+              });
+
+          doctrineNoPkgs = mkDoctrine {
+            lib = nixpkgs.lib;
+            pkgs = null;
+          };
+
+          optionalFlake = name:
+            if flakes ? "${name}"
+            then flakes.${name}
+            else null;
+
+          requireFlake = name:
+            if flakes ? "${name}"
+            then flakes.${name}
+            else throw "Required flake input '${name}' is missing";
+
+          nur = optionalFlake "nur";
+          nixpkgs = requireFlake "nixpkgs";
+          unstable = optionalFlake "unstable";
+
+          home-manager =
+            if hmSourcePath != null
+            then requireFlake "home-manager"
+            else null;
+
+          pathFromSelf = path: builtins.toPath "${flakes.self}" + "/${path}";
+
+          localOverlayPath = pathFromSelf paths.localOverlay;
+          nixpkgsConfigPath = pathFromSelf paths.nixpkgsConfig;
+          nixosSourcePath = pathFromSelf paths.nixosSource;
+          nixosPlatformsPath = pathFromSelf paths.nixosPlatforms;
+          hmSourcePath = pathFromSelf paths.hmSource;
+          hmPlatformsPath = pathFromSelf paths.hmPlatforms;
+
+          pkgs = importPkgs nixpkgs;
+
+          importPkgs = flake:
+            import flake ({
+                inherit system;
+
+                overlays = let
+                  conditions = [
+                    {
+                      overlay = nur.overlays.default;
+                      condition = nur != null;
+                    }
+                    # NB: Preserve the relative order
+                    {
+                      overlay = mapOverlayOverride prefix (import ./pkgs);
+                      condition = true;
+                    }
+                    {
+                      overlay = flakes.self.overlays.default;
+                      condition = true;
+                    }
+                  ];
+                in
+                  builtins.map (cond: cond.overlay) (builtins.filter (cond: cond.condition) conditions);
+              }
+              // optionalAttrs (paths ? nixpkgsConfig) {
+                config = import nixpkgsConfigPath {inherit (nixpkgs) lib;};
+              });
+
+          inherit (pkgs) lib;
+          inherit (nixpkgs.lib) optionalAttrs; # Prevents infinite recursion
+          inherit (doctrineNoPkgs) prefix;
+          inherit (doctrineNoPkgs.lib) importAll;
+        in
+          {
+            formatter.${system} =
+              if formatter == "alejandra"
+              then pkgs.alejandra
+              else if formatter == "nixpkgs-fmt"
+              then pkgs.nixpkgs-fmt
+              else throw "Unknown formatter: '${formatter}'";
+
+            packages.${system} = pkgs.${prefix};
+
+            overlays.default = final: prev: let
+              overlay = final: prev:
+                if paths ? localOverlay
+                then import localOverlayPath {inherit final prev flakes;}
+                else {};
+            in
+              mapOverlayOverride prefix overlay final prev
+              // optionalAttrs (unstable != null) {
+                unstable = importPkgs unstable;
+              };
+          }
+          // optionalAttrs (paths ? nixosSource) {
+            nixosConfigurations = let
+              hostConfig = platform:
+                self.lib.mkSystem {
+                  inherit flakes pkgs;
+                  doctrine = doctrineNoPkgs;
+
+                  modules = [
+                    nixosSourcePath
+                    platform
+                  ];
+                };
+            in
+              lib.mapAttrs (_: hostConfig) (importAll {root = nixosPlatformsPath;});
+          }
+          // optionalAttrs (paths ? hmSource) {
+            homeConfigurations = let
+              home = name: platform:
+                home-manager.lib.homeManagerConfiguration {
+                  inherit pkgs;
+
+                  extraSpecialArgs = {
+                    inherit flakes;
+
+                    doctrine = mkDoctrine {
+                      inherit pkgs;
+                      namespace = "hm";
+                    };
+                  };
+
+                  modules = [
+                    self.homeManagerModules.default
+                    hmSourcePath
+                    platform
+                  ];
+                };
+            in
+              lib.mapAttrs home (importAll {root = hmPlatformsPath;});
+          };
+
+        mkSystem = {
+          pkgs,
+          flakes,
+          doctrine,
+          modules,
+        }:
+          flakes.nixpkgs.lib.makeOverridable flakes.nixpkgs.lib.nixosSystem {
+            inherit pkgs;
+            inherit (pkgs) system;
+
+            modules = [self.nixosModules.default] ++ modules;
+
+            specialArgs = {
+              inherit flakes;
+
+              doctrine = self.lib.mkDoctrine {
+                inherit pkgs;
+                inherit (doctrine) prefix;
+                namespace = "sys";
+              };
+            };
+          };
+      };
+    };
+}
--- a/trivionomicon/modules/athena-bccr/default.nix
+++ b/trivionomicon/modules/athena-bccr/default.nix
--- a/trivionomicon/modules/athena-bccr/hm.nix
+++ b/trivionomicon/modules/athena-bccr/hm.nix
--- a/trivionomicon/modules/athena-bccr/options.nix
+++ b/trivionomicon/modules/athena-bccr/options.nix
--- a/trivionomicon/modules/athena-bccr/sys.nix
+++ b/trivionomicon/modules/athena-bccr/sys.nix
--- a/trivionomicon/modules/default.nix
+++ b/trivionomicon/modules/default.nix
--- a/trivionomicon/modules/laptop/default.nix
+++ b/trivionomicon/modules/laptop/default.nix
--- a/trivionomicon/modules/laptop/sys.nix
+++ b/trivionomicon/modules/laptop/sys.nix
--- a/trivionomicon/modules/nix-registry/default.nix
+++ b/trivionomicon/modules/nix-registry/default.nix
--- a/trivionomicon/modules/nix-registry/hm.nix
+++ b/trivionomicon/modules/nix-registry/hm.nix
--- a/trivionomicon/modules/nix-registry/options.nix
+++ b/trivionomicon/modules/nix-registry/options.nix
--- a/trivionomicon/modules/soju/default.nix
+++ b/trivionomicon/modules/soju/default.nix
@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "soju";
+  sys = ./sys.nix;
+  options = ./options.nix;
+}
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICls/LbyzkIXj5HCp7Qc4eoGcUXzJdQFshNX2caPwgNh openpgp:0x1B7A8CB7`