gpg: add encrypt-to option to always encrypt to yourself

waybar: add waybar module
waybar: move waybar to trivionomicon
2025-10-08 22:40:36 -06:00 · 2025-10-07 15:13:17 -06:00 · 2025-10-07 15:12:57 -06:00 · 2025-10-07 13:45:47 -06:00 · 2025-10-05 15:33:12 -06:00 · 2025-10-05 10:53:55 -06:00
88 changed files with 3094 additions and 527 deletions
--- a/README.md
+++ b/README.md
@ -1,12 +1,41 @@
-## Unified nix configuration
+# Nix configuration

-Update whole flake (clean working directory 1st): `nix flake update --commit-lock-file`
+## Updating

-Switch current machine: `sudo nixos-rebuild switch --flake . --show-trace`
+Update flake

-Switch current home manager: `home-manager switch --flake . --show-trace`
+    nix flake update --commit-lock-file

-## Maintenance shit ()
-Clean shit de Home: `nix store gc`
+Switch current machine

-Clean shit de sys: `sudo nix store gc`
+    sudo nixos-rebuild switch --flake . --show-trace
+
+Switch current home manager
+
+    home-manager switch --flake . --show-trace
+
+Switch server
+
+    nixos-rebuild switch --target-host root@posixlycorrect.com --use-substitutes --show-trace --flake .\#vps
+
+Update homepage
+
+    nix flake update --commit-lock-file homepage
+
+
+## Cleanup
+
+Collect garbage (run with sudo to collect root garbage)
+
+    nix-collect-garbage -d
+
+
+## Submodule management
+
+Trivionomicon
+
+    git subtree push --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+    git subtree pull --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+
+## About
+This is a unification of my old configs, which had a combined 506 commits.
--- a/flake.lock
+++ b/flake.lock
@ -1,6 +1,86 @@
 {
  "nodes": {
+    "authentik-nix": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pyproject-build-systems": "pyproject-build-systems",
+        "pyproject-nix": "pyproject-nix",
+        "systems": "systems",
+        "uv2nix": "uv2nix"
+      },
+      "locked": {
+        "lastModified": 1759322529,
+        "narHash": "sha256-yiv/g/tiJI3PI95F7vhTnaf1TDsIkFLrmmFTjWfb6pQ=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "69fac057b2e553ee17c9a09b822d735823d65a6c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1759190535,
+        "narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "8d3a289d12c7de2f244c76493af7880f70d08af2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2025.8.4",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "nur",
@ -23,7 +103,10 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": [
+          "authentik-nix",
+          "systems"
+        ]
      },
      "locked": {
        "lastModified": 1731533236,
@ -61,6 +144,42 @@
      "inputs": {
        "systems": "systems_3"
      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_5"
+      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@ -97,11 +216,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756679287,
-        "narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=",
+        "lastModified": 1758463745,
+        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8",
+        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
        "type": "github"
      },
      "original": {
@ -111,6 +230,27 @@
        "type": "github"
      }
    },
+    "homepage": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759284596,
+        "narHash": "sha256-N/poXYxAbHyWf2EBC6CSc6vKq0txtHMqTUMdPNOUB0g=",
+        "ref": "refs/heads/master",
+        "rev": "51c57acdbff6f3f0c490bc67e791f5376a3f2be9",
+        "revCount": 72,
+        "type": "git",
+        "url": "https://git.posixlycorrect.com/fabian/homepage.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.posixlycorrect.com/fabian/homepage.git"
+      }
+    },
    "impermanence": {
      "locked": {
        "lastModified": 1737831083,
@ -126,9 +266,52 @@
        "type": "github"
      }
    },
+    "mediawikiSkinCitizen": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724097552,
+        "narHash": "sha256-+o5FDWMrEqnva5qcdc45wAYyE2ZtUhEjygUGVt0HsaA=",
+        "owner": "StarCitizenTools",
+        "repo": "mediawiki-skins-Citizen",
+        "rev": "28cd4e18b52aed3270fe7b55bff4545c8314a687",
+        "type": "github"
+      },
+      "original": {
+        "owner": "StarCitizenTools",
+        "ref": "v2.27.0",
+        "repo": "mediawiki-skins-Citizen",
+        "type": "github"
+      }
+    },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725806412,
+        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
+        "owner": "willibutz",
+        "repo": "napalm",
+        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "willibutz",
+        "ref": "avoid-foldl-stack-overflow",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
    "nixGL": {
      "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_4",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
@ -160,13 +343,28 @@
        "type": "github"
      }
    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1754788789,
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1757244434,
-        "narHash": "sha256-AeqTqY0Y95K1Fgs6wuT1LafBNcmKxcOkWnm4alD9pqM=",
+        "lastModified": 1759580034,
+        "narHash": "sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "092c565d333be1e17b4779ac22104338941d913f",
+        "rev": "3bcc93c5f7a4b30335d31f21e2f1281cba68c318",
        "type": "github"
      },
      "original": {
@ -178,11 +376,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1757068644,
-        "narHash": "sha256-NOrUtIhTkIIumj1E/Rsv1J37Yi3xGStISEo8tZm3KW4=",
+        "lastModified": 1759381078,
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8eb28adfa3dc4de28e792e3bf49fcf9007ca8ac9",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
@ -194,15 +392,15 @@
    },
    "nur": {
      "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1757345656,
-        "narHash": "sha256-ZvNfl8pu1iwJW0uUZKV8XHIM7JqJxoZX+EqzjayMDqU=",
+        "lastModified": 1759682435,
+        "narHash": "sha256-bPh7JZnT7WydN4E1kVLq1l87NlzuD2pz1GYwvYSWo1U=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "9009f3b97f820b7b5c2732d423a08bb8d82d179a",
+        "rev": "ba4952df76bc6179d0bb3b9e7b4ff8517cfec870",
        "type": "github"
      },
      "original": {
@ -211,31 +409,85 @@
        "type": "github"
      }
    },
+    "pyproject-build-systems": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "authentik-nix",
+          "uv2nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1757296493,
+        "narHash": "sha256-6nzSZl28IwH2Vx8YSmd3t6TREHpDbKlDPK+dq1LKIZQ=",
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "rev": "5b8e37fe0077db5c1df3a5ee90a651345f085d38",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "type": "github"
+      }
+    },
+    "pyproject-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1757246327,
+        "narHash": "sha256-6pNlGhwOIMfhe/RLjHdpXveKS4FyLHvlGe+KtjDild4=",
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "rev": "8d77f342d66ad1601cdb9d97e9388b69f64d4c8e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "authentik-nix": "authentik-nix",
+        "flake-utils": "flake-utils_2",
        "hm-isolation": "hm-isolation",
        "home-manager": "home-manager",
+        "homepage": "homepage",
        "impermanence": "impermanence",
+        "mediawikiSkinCitizen": "mediawikiSkinCitizen",
        "nixGL": "nixGL",
        "nixpkgs": "nixpkgs_2",
        "nur": "nur",
        "trivionomicon": "trivionomicon",
-        "unstable": "unstable"
+        "unstable": "unstable",
+        "vpsadminos": "vpsadminos"
      }
    },
    "systems": {
      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
        "type": "github"
      }
    },
@ -269,9 +521,39 @@
        "type": "github"
      }
    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "trivionomicon": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_5",
        "nixpkgs": [
          "nixpkgs"
        ]
@ -288,11 +570,11 @@
    },
    "unstable": {
      "locked": {
-        "lastModified": 1757068644,
-        "narHash": "sha256-NOrUtIhTkIIumj1E/Rsv1J37Yi3xGStISEo8tZm3KW4=",
+        "lastModified": 1759381078,
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8eb28adfa3dc4de28e792e3bf49fcf9007ca8ac9",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
@ -301,6 +583,46 @@
        "repo": "nixpkgs",
        "type": "github"
      }
+    },
+    "uv2nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1757925761,
+        "narHash": "sha256-7Hwz0vfHuFqCo5v7Q07GQgLBWuPvZCuf/5/pk4NoADg=",
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "rev": "780494c40895bb7419a73d942bee326291e80b3b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "type": "github"
+      }
+    },
+    "vpsadminos": {
+      "locked": {
+        "lastModified": 1759490618,
+        "narHash": "sha256-H0FC6QbxgEE79pXwlPVvWUNenQOTMldzlWSij5pPyMk=",
+        "owner": "vpsfreecz",
+        "repo": "vpsadminos",
+        "rev": "087b340cc897083a31defafd6a6f1c66e5bf48eb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "vpsfreecz",
+        "repo": "vpsadminos",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -8,16 +8,32 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nur.url = "github:nix-community/NUR";
-    impermanence.url = "github:nix-community/impermanence";
-    hm-isolation.url = "github:3442/hm-isolation";
-    nixGL.url = "github:guibou/nixGL";
-    flake-utils.url = "github:numtide/flake-utils";
-
    trivionomicon = {
      url = "./trivionomicon";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    homepage = {
+      url = "git+https://git.posixlycorrect.com/fabian/homepage.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    authentik-nix = {
+      url = "github:nix-community/authentik-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    mediawikiSkinCitizen = {
+      url = "github:StarCitizenTools/mediawiki-skins-Citizen/v2.27.0";
+      flake = false;
+    };
+
+    flake-utils.url = "github:numtide/flake-utils";
+    hm-isolation.url = "github:3442/hm-isolation";
+    impermanence.url = "github:nix-community/impermanence";
+    nixGL.url = "github:guibou/nixGL";
+    nur.url = "github:nix-community/NUR";
+    vpsadminos.url = "github:vpsfreecz/vpsadminos";
  };

  outputs = flakes:
@ -25,7 +41,6 @@
      inherit flakes;

      system = "x86_64-linux";
-      doctrinePrefix = "local";

      paths = {
        localOverlay = "pkgs";
--- a/home/modules/accounts.nix
+++ b/home/modules/accounts.nix
@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.accounts;
+in {
+  options.local.services.accounts.enable = mkEnableOption "accounts settings";
+  config = mkIf cfg.enable {
+    accounts.email.accounts = {
+      "fabian@posixlycorrect.com" = {
+        address = "fabian@posixlycorrect.com";
+        userName = "fabianmontero@fastmail.com";
+        realName = "fabian";
+        primary = true;
+        flavor = "fastmail.com";
+      };
+    };
+  };
+}
--- a/home/modules/baseline.nix
+++ b/home/modules/baseline.nix
@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  flakes,
  ...
 }:
 with lib; let
@ -11,6 +12,18 @@ in {
    enable = mkEnableOption "Basic home settings";
  };
  config = mkIf cfg.enable {
+    programs.home-manager.enable = true;
+
+    nix.registry = {
+      "system".to = {
+        type = "path";
+        path = "/home/fabian/nix";
+      };
+
+      "nixpkgs".flake = flakes.nixpkgs;
+      "unstable".flake = flakes.unstable;
+    };
+
    xdg = {
      enable = true;
    };
@ -18,20 +31,31 @@ in {
    home = {
      stateVersion = "24.05"; # DO NOT CHANGE

+      username = "fabian";
+      homeDirectory = "/home/fabian";
+
      packages = with pkgs; [
        calc
+        dysk
+        fd
        file
+        fzf
        gcc
        htop
        killall
        man-pages
        man-pages-posix
+        nmap
+        p7zip
        pv
+        ripgrep
        tree
        units
        unzip
        vim
+        wl-clipboard
        zip
+        zoxide
      ];
      keyboard = {
        layout = "us";
@ -44,8 +68,17 @@ in {

    programs.git = {
      enable = true;
-      userEmail = "josescalante9808@gmail.com";
-      userName = "josEscalante";
+      userEmail = "fabian@posixlycorrect.com";
+      userName = "Fabian Montero";
+    };
+
+    local = {
+      services = {
+        zsh.enable = true;
+      };
+      programs = {
+        neovim.enable = true;
+      };
    };
  };
 }
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@ -9,11 +9,17 @@
    ./neovim.nix
    ./baseline.nix
    ./gaming.nix
+    ./yubikey.nix
    ./firefox.nix
    ./gui
    ./zsh
+    ./gpg.nix
    ./defaultDesktopPack.nix
+    ./accounts.nix
+    ./syncthing.nix
    ./mapping.nix
    ./zed.nix
+    ./pass.nix
+    ./halloy.nix
  ];
 }
--- a/home/modules/defaultDesktopPack.nix
+++ b/home/modules/defaultDesktopPack.nix
@ -5,28 +5,67 @@
  ...
 }:
 with lib; let
-  cfg = config.local.apps.defaultDesktopPack;
+  cfg = config.local.defaultDesktopPack;
 in {
-  options.local.apps.defaultDesktopPack = {
-    enable = mkEnableOption "common desktop apps";
+  options.local.defaultDesktopPack = {
+    enable = mkEnableOption "common desktop programs and services";
+    laptop = mkOption {
+      type = types.bool;
+      default = false;
+    };
  };
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      calibre
      chromium
      discord
-      kdePackages.gwenview
+      (gajim.override {
+        enableSecrets = true;
+        enableUPnP = true;
+        enableAppIndicator = true;
+        enableE2E = true;
+        enableRST = true;
+      })
      libreoffice-fresh
      mpv
      obs-studio
      pavucontrol
      pdfarranger
+      qimgv
      qpdfview
+      qbittorrent
+      runelite
      spotify
      tdesktop
+      thunderbird
      usbutils
+      vpsfree-client
      vscodium-fhs
-      trilium-next-desktop
+      zola
    ];
+
+    trivium = {
+      waybar = {
+        enable = true;
+        fontFamily = "JetBrainsMono Nerd Font";
+      };
+    };
+
+    local = {
+      baseline.enable = true;
+
+      services = {
+        gpg.enable = true;
+        accounts.enable = true;
+        pass.enable = true;
+        syncthing.enable = true;
+      };
+      programs = {
+        firefox.enable = true;
+        zed.enable = true;
+        halloy.enable = true;
+        terminal.enable = true;
+      };
+    };
  };
 }
--- a/home/modules/firefox.nix
+++ b/home/modules/firefox.nix
@ -5,41 +5,33 @@
  ...
 }:
 with lib; let
-  cfg = config.local.apps.firefox;
+  cfg = config.local.programs.firefox;
 in {
-  options.local.apps.firefox = {
-    enable = mkEnableOption "firefox settings";
-
-    makeDefaultBrowser = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        Take a guess
-      '';
-    };
+  options.local.programs.firefox = {
+    enable = mkEnableOption "firefox";
  };

-  config = mkIf cfg.enable (mkMerge [
-    {
-      programs.firefox.enable = true;
-    }
+  config = mkIf cfg.enable {
+    programs.firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        nativeMessagingHosts = [pkgs.passff-host];
+      };
+    };

-    (mkIf cfg.makeDefaultBrowser {
-      xdg = {
-        mimeApps = {
-          enable = true;
-          defaultApplications = {
-            "text/html" = ["firefox"];
-            "text/uri-list" = ["firefox"];
-            "x-scheme-handler/http" = ["firefox"];
-            "x-scheme-handler/https" = ["firefox"];
-            "x-scheme-handler/about" = ["firefox"];
-            "x-scheme-handler/unknown" = ["firefox"];
-          };
+    xdg = {
+      mimeApps = {
+        enable = true;
+        defaultApplications = {
+          "text/html" = ["firefox.desktop"];
+          "text/uri-list" = ["firefox.desktop"];
+          "x-scheme-handler/http" = ["firefox.desktop"];
+          "x-scheme-handler/https" = ["firefox.desktop"];
+          "x-scheme-handler/about" = ["firefox.desktop"];
+          "x-scheme-handler/unknown" = ["firefox.desktop"];
        };
      };
-
-      home.sessionVariables.DEFAULT_BROWSER = "${lib.getExe pkgs.firefox}";
-    })
-  ]);
+    };
+    home.sessionVariables.DEFAULT_BROWSER = "${lib.getExe pkgs.firefox}";
+  };
 }
--- a/home/modules/gaming.nix
+++ b/home/modules/gaming.nix
@ -5,16 +5,16 @@
  ...
 }:
 with lib; let
-  cfg = config.local.apps.gaming;
+  cfg = config.local.programs.gaming;
 in {
-  options.local.apps.gaming = {
+  options.local.programs.gaming = {
    enable = mkEnableOption "gaming apps";
  };
  config = mkIf cfg.enable {
-    home.packages = with pkgs; [
-      lutris
-      openrct2
-      prismlauncher
+    home.packages = [
+      pkgs.lutris
+      pkgs.openrct2
+      pkgs.prismlauncher
    ];
  };
 }
--- a/home/modules/gpg.nix
+++ b/home/modules/gpg.nix
@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.gpg;
+in {
+  options.local.services.gpg = {
+    enable = mkEnableOption "gpg settings";
+    defaultKey = mkOption {
+      type = types.str;
+      description = "fingerprint of default public key to be used in gpg, git, email, etc.";
+      example = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+    };
+  };
+  config = mkIf cfg.enable {
+    programs.gpg = {
+      enable = true;
+      settings = {
+        default-key = cfg.defaultKey;
+        encrypt-to = cfg.defaultKey;
+      };
+    };
+
+    services.gpg-agent = {
+      enable = true;
+
+      enableZshIntegration = true;
+      enableBashIntegration = true;
+
+      enableExtraSocket = true;
+      enableSshSupport = true;
+
+      defaultCacheTtl = 3600 * 3;
+      defaultCacheTtlSsh = 3600 * 3;
+
+      maxCacheTtl = 3600 * 6;
+      maxCacheTtlSsh = 3600 * 6;
+
+      pinentry.package = pkgs.pinentry-emacs;
+    };
+
+    accounts.email.accounts = {
+      "fabian@posixlycorrect.com" = {
+        gpg = {
+          encryptByDefault = true;
+          signByDefault = true;
+          key = cfg.defaultKey;
+        };
+      };
+    };
+
+    programs.git = {
+      signing = {
+        key = cfg.defaultKey;
+        signByDefault = true;
+      };
+    };
+  };
+}
--- a/home/modules/gui/default.nix
+++ b/home/modules/gui/default.nix
@ -51,7 +51,6 @@ in {
    ./fonts.nix
    ./theme.nix
    ./sway.nix
-    ./waybar.nix
    ./mako.nix
  ];

@ -61,8 +60,8 @@ in {
      mimeApps = {
        enable = true;
        defaultApplications = {
-          "application/pdf" = with pkgs; ["qpdfview"];
-          "x-scheme-handler/file" = with pkgs; ["foot"];
+          "application/pdf" = with pkgs; ["qpdfview.desktop"];
+          "x-scheme-handler/file" = with pkgs; ["foot.desktop"];
        };
      };
    };
--- a/home/modules/gui/fonts.nix
+++ b/home/modules/gui/fonts.nix
@ -8,7 +8,7 @@
    enable = true;
    defaultFonts = {
      monospace = [
-        "JetBrains Mono"
+        "JetBrainsMono Nerd Font"
        "Noto Sans Mono CJK SC"
        "Noto Sans Mono"
        "Noto Color Emoji"
@ -31,11 +31,10 @@
  # with fonts.packages buy im too lazy to check
  home.packages = with pkgs; [
    jetbrains-mono
+    nerd-fonts.jetbrains-mono
    noto-fonts
    noto-fonts-cjk-sans
    noto-fonts-emoji
    noto-fonts-extra
-    nerd-fonts.fira-code
-    nerd-fonts.droid-sans-mono
  ];
 }
--- a/home/modules/gui/mako.nix
+++ b/home/modules/gui/mako.nix
@ -18,7 +18,7 @@ in {
        progress-color = "over #FFFFFF";
        border-radius = 0;
        default-timeout = 7000;
-        font = "JetBrains Mono 10";
+        font = "JetBrainsMono Nerd Font 10";
        icons = true;
        ignore-timeout = false;
        layer = "top";
--- a/home/modules/gui/sway.nix
+++ b/home/modules/gui/sway.nix
@ -62,7 +62,7 @@ in {
        };

        fonts = {
-          names = ["JetBrains Mono"];
+          names = ["JetBrainsMono Nerd Font"];
          style = "Regular";
          size = 8.0;
        };
@ -136,7 +136,7 @@ in {
        keybindings = let
          mod = config.wayland.windowManager.sway.config.modifier;
          grimshot = getExe pkgs.sway-contrib.grimshot;
-          bemenuCommand = ''bemenu-run --center --width-factor 0.2 --fixed-height --list 10 --scrollbar none --auto-select --accept-single --fn "JetBrains Mono 12" --prompt "" --tb "#000000" --tf "#EAEAEA" --fb "#000000" --ff "#EAEAEA" --cb "#EAEAEA" --cf "#000000" --nb "#000000" --nf "#EAEAEA" --sb "#000000" --sf "#EAEAEA" --hb "#000000" --hf "#EAEAEA" --fbb "#000000" --fbf "#000000" --ab "#000000" --af "#EAEAEA"'';
+          bemenuCommand = ''bemenu-run --center --width-factor 0.2 --fixed-height --list 10 --scrollbar none --auto-select --accept-single --fn "JetBrainsMono Nerd Font 12" --prompt "" --tb "#000000" --tf "#EAEAEA" --fb "#000000" --ff "#EAEAEA" --cb "#EAEAEA" --cf "#000000" --nb "#000000" --nf "#EAEAEA" --sb "#000000" --sf "#EAEAEA" --hb "#000000" --hf "#EAEAEA" --fbb "#000000" --fbf "#000000" --ab "#000000" --af "#EAEAEA"'';
        in
          mkOptionDefault {
            "${mod}+a" = "focus parent";
@ -156,10 +156,13 @@ in {
            command = "${lib.getExe pkgs.sway} 'workspace 1; exec ${lib.getExe pkgs.firefox}'";
          }
          {
-            command = "${lib.getExe pkgs.sway} 'workspace 10; exec ${lib.getExe pkgs.tdesktop}'";
+            command = "${lib.getExe pkgs.sway} 'workspace 2; exec ${lib.getExe pkgs.tdesktop}'";
          }
          {
-            command = "${lib.getExe pkgs.swaybg} -m fill -i ${config.home.homeDirectory}/Pictures/wallpapers/wallpaper.jpg";
+            command = "${lib.getExe pkgs.sway} 'workspace 2; exec ${lib.getExe pkgs.gajim}'";
+          }
+          {
+            command = "${lib.getExe pkgs.swaybg} -m fill -i ${config.home.homeDirectory}/Pictures/wallpapers/jupiter.png";
            always = true;
          }
          {
--- a/home/modules/gui/waybar.nix
+++ b/home/modules/gui/waybar.nix
@ -1,182 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib; let
-  cfg = config.local.gui;
-in {
-  config = mkIf cfg.enable {
-    programs.waybar = {
-      enable = true;
-      settings = {
-        mainBar = {
-          layer = "top";
-          position = "top";
-          height = 20;
-          spacing = 0;
-
-          modules-left = [
-            "sway/workspaces"
-            "sway/mode"
-          ];
-          modules-center = [
-            "clock"
-          ];
-
-          modules-right = [
-            "privacy"
-            "cpu"
-            "memory"
-            "disk"
-            "temperature"
-            "keyboard-state"
-            "tray"
-          ];
-          "keyboard-state" = {
-            numlock = true;
-            capslock = true;
-          };
-          "tray" = {
-            icon-size = 13;
-            spacing = 8;
-          };
-          "clock" = {
-            interval = 60;
-            format = "{:%A %B %d %Y %H:%M}";
-            tooltip = false;
-          };
-          "cpu" = {
-            format = "cpu {usage}%";
-            tooltip = false;
-          };
-          "memory" = {
-            format = "mem {percentage}%";
-            tooltip = true;
-            tooltip-format = "{used}/{total}";
-          };
-          "disk" = {
-            format = "disk {specific_used:0.0f}/{specific_total:0.0f}";
-            unit = "GiB";
-            tooltip = false;
-          };
-          "privacy" = {
-            icon-size = 12;
-          };
-        };
-      };
-      style = ''
-        * {
-          font-family: "JetBrains Mono", monospace;
-          font-size: 12px;
-          font-weight: 500;
-          border: none;
-          box-shadow: none;
-        }
-
-        /* Entire bar: blacc, no border */
-        window#waybar {
-          background: #000000;
-          color: #eaeaea;
-          margin: 0;
-          padding: 0;
-        }
-
-        /* Optional: small edge breathing room (comment out if you want edge-to-edge) */
-        /* window#waybar { margin: 3px 6px 0 6px; } */
-
-        /* Module containers */
-        .modules-left, .modules-center, .modules-right {
-          padding: 0;
-          margin: 0 6px;
-        }
-
-        /* Subtle separators between modules (no boxes) */
-        .modules-left > widget:not(:first-child),
-        .modules-center > widget:not(:first-child),
-        .modules-right > widget:not(:first-child) {
-          margin-left: 12px;
-          padding-left: 12px;
-          border-left: 1px solid rgba(255, 255, 255, 0.08);
-        }
-
-        /* Tightest possible workspaces */
-        #workspaces { padding: 0; margin: 0; }
-        #workspaces button {
-          margin: 0;
-          padding: 0 3px;
-          min-width: 0;
-          border-radius: 0;
-          background: transparent;
-          color: #cfcfcf;
-        }
-        #workspaces button:hover {
-          background: rgba(255, 255, 255, 0.06);
-        }
-        #workspaces button.active,
-        #workspaces button.focused {
-          background: rgba(255, 255, 255, 0.10);
-          color: #ffffff;
-          box-shadow: inset 0 -2px #ffffff;
-        }
-        #workspaces button.urgent {
-          background: rgba(255, 80, 80, 0.25);
-          box-shadow: inset 0 -2px #ff5050;
-        }
-
-        /* Focused window title: single line, no glow */
-        #window {
-          padding: 0 6px;
-          margin: 0;
-          color: #dedede;
-        }
-
-        /* Sway mode indicator: visible only when active, no bloat */
-        #mode {
-          padding: 0 6px;
-          margin: 0;
-          background: rgba(255, 255, 255, 0.10);
-          color: #ffffff;
-          border-bottom: 2px solid #ffffff;
-        }
-
-        /* Status modules — keep them flat and compact */
-        #clock, #battery, #network, #pulseaudio, #backlight, #cpu, #memory, #temperature, #tray {
-          padding: 0 6px;
-          margin: 0;
-          background: #000000;
-          color: #eaeaea;
-        }
-
-        /* States (battery, network, audio) */
-        #battery.charging { color: #c9ffbf; }
-        #battery.warning:not(.charging) { color: #ffd29a; }
-        #battery.critical:not(.charging) { color: #ff9a9a; }
-
-        #network.disconnected { color: #ffb4b4; }
-        #pulseaudio.muted    { color: #9aa0a6; }
-
-        /* Tray: compress icons */
-        #tray > .passive { opacity: 0.6; }
-        #tray > .needs-attention { opacity: 1; }
-
-        /* Tooltips: clean and readable */
-        tooltip {
-          background: rgba(30, 30, 30, 0.95);
-          border: 1px solid rgba(255, 255, 255, 0.08);
-          color: #eaeaea;
-          padding: 6px 8px;
-        }
-
-        /* Remove any leftover borders around everything */
-        #custom-*, #idle_inhibitor, #privacy, #bluetooth {
-          border: none;
-          background: transparent;
-          margin: 0;
-          padding: 0 6px;
-        }
-      '';
-    };
-  };
-}
--- a/home/modules/halloy.nix
+++ b/home/modules/halloy.nix
@ -0,0 +1,114 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.halloy;
+in {
+  options.local.programs.halloy = {
+    enable = mkEnableOption "halloy irc client";
+  };
+  config = mkIf cfg.enable {
+    programs.halloy = {
+      enable = true;
+      settings = {
+        theme = "macawCustom";
+        font.size = 16;
+        preview.enabled = false;
+        sidebar = {
+          buffer_action = "replace-pane";
+          focused_buffer_action = "close-pane";
+        };
+        buffer = {
+          channel.topic = {
+            enabled = true;
+          };
+          chathistory.infinite_scroll = true;
+          server_messages = {
+            join.exclude = ["*"];
+            quit.exclude = ["*"];
+          };
+        };
+
+        servers.liberachat = {
+          nickname = "posixlycorrect";
+          nick_password_command = "pass show liberachat_irc";
+
+          username = "fabiansoju/irc.libera.chat";
+          password_command = "pass show soju";
+
+          server = "soju.posixlycorrect.com";
+          port = 6697;
+          chathistory = true;
+          channels = [
+            "##chat"
+            "##politics"
+            "##rust"
+            "#datahoarder"
+            "#git"
+            "#indieweb"
+            "#indieweb-dev"
+            "#linux"
+            "#lobsters"
+            "#nixos"
+            "#OSRS"
+            "#soju"
+          ];
+        };
+      };
+      themes = {
+        macawCustom = {
+          general = {
+            background = "#333333";
+            border = "#505050";
+            horizontal_rule = "#333333";
+            unread_indicator = "#2884FC";
+          };
+
+          text = {
+            primary = "#DFDFDF";
+            secondary = "#C2C2C2";
+            tertiary = "#8839EF";
+            success = "#959595";
+            error = "#959595";
+          };
+
+          buffer = {
+            action = "#959595";
+            background = "#1E1E1E";
+            background_text_input = "#2E2E2E";
+            background_title_bar = "#2E2E2E";
+            border = "#1A1A1A";
+            border_selected = "#1A1A1A";
+            code = "#7287FD";
+            highlight = "#454645";
+            nickname = "#00C8FF";
+            selection = "#777777";
+            timestamp = "#959595";
+            topic = "#DFDFDF";
+            url = "#2884FC";
+            buffer.server_messages = {
+              default = "#959595";
+            };
+          };
+
+          buttons.primary = {
+            background = "#00000000";
+            background_hover = "#484848";
+            background_selected = "#4A4A4A";
+            background_selected_hover = "#666666";
+          };
+
+          buttons.secondary = {
+            background = "#3B3B3B";
+            background_hover = "#484848";
+            background_selected = "#646464";
+            background_selected_hover = "#666666";
+          };
+        };
+      };
+    };
+  };
+}
--- a/home/modules/mapping.nix
+++ b/home/modules/mapping.nix
@ -5,9 +5,9 @@
  ...
 }:
 with lib; let
-  cfg = config.local.apps.mapping;
+  cfg = config.local.programs.mapping;
 in {
-  options.local.apps.mapping = {
+  options.local.programs.mapping = {
    enable = mkEnableOption "mapping apps";
  };
  config = mkIf cfg.enable {
--- a/home/modules/neovim.nix
+++ b/home/modules/neovim.nix
@ -5,9 +5,9 @@
  ...
 }:
 with lib; let
-  cfg = config.local.apps.neovim;
+  cfg = config.local.programs.neovim;
 in {
-  options.local.apps.neovim = {
+  options.local.programs.neovim = {
    enable = mkEnableOption "Neovim settings";
  };
  config = mkIf cfg.enable {
@ -40,8 +40,66 @@ in {
      '';

      plugins = with pkgs.vimPlugins; [
+        barbar-nvim
+        nvim-web-devicons
        vim-nix
        vim-visual-multi
+        {
+          plugin = nvim-tree-lua;
+          type = "lua";
+          config = ''
+            require("nvim-tree").setup({
+              renderer = {
+                icons = {
+                  show = {
+                    file = true,
+                    folder = true,
+                    folder_arrow = true,
+                    git = true,
+                  },
+                  glyphs = {
+                    git = {
+                      unstaged = "",
+                      staged = "",
+                      unmerged = "",
+                      renamed = "",
+                      untracked = "",
+                      deleted = "",
+                      ignored = "",
+                    },
+                  },
+                },
+              },
+              view = {
+                width = 30,
+                side = 'left',
+              },
+              sync_root_with_cwd = true, --fix to open cwd with tree
+              respect_buf_cwd = true,
+              update_cwd = true,
+              update_focused_file = {
+                enable = true,
+                update_cwd = true,
+                update_root = true,
+              },
+            })
+
+            vim.g.nvim_tree_respect_buf_cwd = 1
+
+            -- use g? for bindings help while in tree
+          '';
+        }
+        {
+          plugin = gruvbox-nvim;
+          type = "lua";
+          config = ''
+            require("gruvbox").setup({
+              contrast = "high",
+            })
+            vim.o.background = "dark"
+            vim.cmd([[colorscheme gruvbox]])
+          '';
+        }
      ];
    };
    home.sessionVariables = {
--- a/home/modules/pass.nix
+++ b/home/modules/pass.nix
@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.pass;
+in {
+  options.local.services.pass = {
+    enable = mkEnableOption "pass settings";
+  };
+  config = mkIf cfg.enable {
+    programs.password-store = {
+      enable = true;
+      package = pkgs.pass.withExtensions (exts:
+        with exts; [
+          pass-audit
+          pass-genphrase
+          pass-otp
+          pass-tomb
+          pass-update
+          pass-import
+        ]);
+
+      settings = {
+        PASSWORD_STORE_DIR = "${config.home.homeDirectory}/safe/trust";
+      };
+    };
+  };
+}
--- a/home/modules/syncthing.nix
+++ b/home/modules/syncthing.nix
@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.syncthing;
+in {
+  options.local.services.syncthing = {
+    enable = mkEnableOption "syncthing settings";
+  };
+
+  config = mkIf cfg.enable {
+    services.syncthing = {
+      enable = true;
+      tray.enable = true;
+    };
+  };
+}
--- a/home/modules/terminal.nix
+++ b/home/modules/terminal.nix
@ -5,9 +5,11 @@
  ...
 }:
 with lib; let
-  cfg = config.local.apps.terminal;
+  cfg = config.local.programs.terminal;
 in {
-  options.local.apps.terminal.enable = mkEnableOption "terminal emulator settings";
+  options.local.programs.terminal = {
+    enable = mkEnableOption "terminal emulator settings";
+  };
  config = mkIf cfg.enable {
    programs = {
      foot = {
@ -15,10 +17,10 @@ in {
        settings = {
          main = {
            term = "xterm-256color";
-            font = "JetBrains Mono:style=Medium:size=12";
-            font-bold = "JetBrains Mono:style=Bold:size=12";
-            font-italic = "JetBrains Mono:style=Italic:size=12";
-            font-bold-italic = "JetBrains Mono:style=Bold Italic:size=12";
+            font = "JetBrainsMono Nerd Font:style=Medium:size=15";
+            font-bold = "JetBrainsMono Nerd Font:style=Bold:size=15";
+            font-italic = "JetBrainsMono Nerd Font:style=Italic:size=15";
+            font-bold-italic = "JetBrainsMono Nerd Font:style=Bold Italic:size=15";
            dpi-aware = "yes";
            initial-window-size-pixels = "1200x600";
          };
@ -29,15 +31,15 @@ in {
          };

          colors = {
-            background = "111111";
-            regular0 = "1E201E"; #black
-            regular1 = "BE3144"; #red
-            regular2 = "1F7D53"; #green
-            regular3 = "FEC260"; #yellow
-            regular4 = "065084"; #blue
-            regular5 = "940B92"; #magenta
-            regular6 = "008B8B"; #cyan
-            regular7 = "D3DAD9"; #white
+            background = "000000";
+            regular0 = "616161";
+            regular1 = "ff4d51";
+            regular2 = "35d450";
+            regular3 = "e9e836";
+            regular4 = "5dc5f8";
+            regular5 = "feabf2";
+            regular6 = "24dfc4";
+            regular7 = "ffffff";
          };

          bell = {
@ -107,6 +109,12 @@ in {
          set -g status-justify left
        '';
      };
+
+      fzf = {
+        enable = true;
+        enableZshIntegration = true;
+        tmux.enableShellIntegration = true;
+      };
    };
    home = {
      sessionVariables = {
--- a/home/modules/yubikey.nix
+++ b/home/modules/yubikey.nix
@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.yubikey;
+in {
+  options.local.services.yubikey = {
+    enable = mkEnableOption "Yubikey home settings";
+  };
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      yubikey-manager
+      yubico-pam
+      yubikey-personalization
+    ];
+  };
+}
--- a/home/modules/zed.nix
+++ b/home/modules/zed.nix
@ -5,16 +5,18 @@
  ...
 }:
 with lib; let
-  cfg = config.local.apps.zed;
+  cfg = config.local.programs.zed;
 in {
-  options.local.apps.zed.enable = mkEnableOption "zed editor settings";
+  options.local.programs.zed = {
+    enable = mkEnableOption "zed editor settings";
+  };
  config = mkIf cfg.enable {
    programs.zed-editor = {
      enable = true;
      extensions = [
        "nix"
        "codebook"
-        "one-dark"
+        "vscode-dark-high-contrast"
        "catppuccin-icons"
      ];
      extraPackages = with pkgs; [
@ -23,8 +25,8 @@ in {
      userSettings = {
        disable_ai = true;
        theme = {
-          dark = "One Dark";
-          light = "One Dark";
+          dark = "VSCode Dark High Contrast";
+          light = "VSCode Dark High Contrast";
        };
        icon_theme = {
          dark = "Catppuccin Latte";
@ -40,8 +42,8 @@ in {
        };
        autosave = "on_focus_change";
        auto_update = false;
-        buffer_font_family = "JetBrains Mono";
-        buffer_font_size = 16;
+        buffer_font_family = "JetBrainsMono Nerd Font";
+        buffer_font_size = 22;
        hide_mouse = "never";
        minimap.show = "auto";
        tabs = {
--- a/home/modules/zsh/default.nix
+++ b/home/modules/zsh/default.nix
@ -13,6 +13,7 @@ in {
      type = types.str;
      description = "prompt for your terminal";
      example = literalExpression "%B[%~] \${vcs_info_msg_0_}%b";
+      default = "%B[%~] \${vcs_info_msg_0_}%b";
    };
  };
  config = mkIf cfg.enable {
--- a/home/modules/zsh/zshrc.nix
+++ b/home/modules/zsh/zshrc.nix
@ -18,7 +18,7 @@
  zstyle ':completion:*' original true
  zstyle ':completion:*' preserve-prefix '//[^/]##/'
  zstyle ':completion:*' verbose true
-  zstyle :compinstall filename '/home/chem/.zshrc'
+  zstyle :compinstall filename '/home/fabian/.zshrc'

  autoload -Uz compinit
  compinit
@ -79,11 +79,8 @@
  alias l='ls --color -FhAltr'
  alias x='killall --ignore-case --user=$(whoami) --interactive'
  alias tree='tree -CF'
-  alias lock="betterlockscreen -l"
-  alias nightmode="${lib.getExe pkgs.redshift} -P -O 1000"
-  alias lightmode="${lib.getExe pkgs.redshift} -x="
  alias nixoide="nix repl '<nixpkgs>'"
-  alias vim=nvim
+  alias vps="ssh -A vps"
  bindkey -e
  bindkey "^[[1;5D" backward-word
  bindkey "^[[1;5C" forward-word
@ -101,8 +98,8 @@
    local pkg
    pkg="$1"
    shift
-    echo "nix shell unstable#$pkg --impure"
-    nix shell "unstable#$pkg" "$@"  --impure
+    echo "nix shell nixpkgs#$pkg --impure"
+    nix shell "nixpkgs#$pkg" "$@" --impure
  }

  function spawn () {
@ -130,4 +127,6 @@
  export VISUAL=nvim
  export PATH="$PATH:$HOME/.local/bin:$HOME/.cargo/bin"
  export NIXPKGS_ALLOW_UNFREE=1
+
+  eval "$(fzf --zsh)"
 ''
--- a/home/platforms/chem@yuki/default.nix
+++ b/home/platforms/chem@yuki/default.nix
@ -1,77 +0,0 @@
-{
-  flakes,
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports = [
-    ./systemd
-    ./isolation.nix
-  ];
-
-  nix.registry = {
-    "system".to = {
-      type = "path";
-      path = "/home/chem/nix";
-    };
-
-    "nixpkgs".flake = flakes.nixpkgs;
-    "unstable".flake = flakes.unstable;
-  };
-
-  local = {
-    baseline.enable = true;
-
-    services = {
-      zsh = {
-        enable = true;
-        prompt = "%B[%~] \${vcs_info_msg_0_}%b";
-      };
-    };
-
-    apps = {
-      #todo move some of this to defaultDesktop pack?
-      terminal.enable = true;
-      neovim.enable = true;
-      gaming.enable = true;
-      defaultDesktopPack.enable = true;
-      firefox.enable = true;
-      mapping.enable = true;
-      zed.enable = true;
-    };
-
-    gui = {
-      enable = true;
-      monitors = {
-        HDMI-A-4 = {
-          width = "1920";
-          height = "1080";
-          rate = "59.94";
-        };
-        DP-1 = {
-          width = "1600";
-          height = "900";
-          rate = "59.94";
-          posX = "1920";
-        };
-      };
-    };
-  };
-
-  home = {
-    packages = with pkgs; [
-      gnucash
-      kdePackages.kdenlive
-      nmap
-      qbittorrent
-      virt-manager
-      vintagestory
-    ];
-
-    username = "chem";
-    homeDirectory = "/home/chem";
-  };
-
-  programs.home-manager.enable = true;
-}
--- a/home/platforms/fabian@posixlycorrect/default.nix
+++ b/home/platforms/fabian@posixlycorrect/default.nix
@ -0,0 +1,46 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./systemd
+    ./isolation.nix
+  ];
+
+  local = {
+    defaultDesktopPack.enable = true;
+
+    services = {
+      gpg.defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+      yubikey.enable = true;
+    };
+
+    programs = {
+      gaming.enable = true;
+      mapping.enable = true;
+    };
+
+    gui = {
+      enable = true;
+      monitors = {
+        DP-1 = {
+          width = "1920";
+          height = "1080";
+          rate = "59.94";
+        };
+      };
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+      darktable
+      gnucash
+      kdePackages.kdenlive
+      virt-manager
+    ];
+  };
+}
--- a/home/platforms/fabian@posixlycorrect/isolation.nix
+++ b/home/platforms/fabian@posixlycorrect/isolation.nix
--- a/home/platforms/fabian@posixlycorrect/shenvs/c.nix
+++ b/home/platforms/fabian@posixlycorrect/shenvs/c.nix
--- a/home/platforms/fabian@posixlycorrect/shenvs/python.nix
+++ b/home/platforms/fabian@posixlycorrect/shenvs/python.nix
--- a/home/platforms/fabian@posixlycorrect/systemd/default.nix
+++ b/home/platforms/fabian@posixlycorrect/systemd/default.nix
@ -5,6 +5,6 @@
 }:
 with lib; {
  systemd.user.tmpfiles.rules = [
-    "d %t/tmp 0700 chem chem 24h"
+    "d %t/tmp 0700 fabian fabian 24h"
  ];
 }
--- a/home/platforms/fabian@t14/default.nix
+++ b/home/platforms/fabian@t14/default.nix
@ -0,0 +1,45 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./systemd
+    ./isolation.nix
+  ];
+
+  local = {
+    defaultDesktopPack = {
+      enable = true;
+      laptop = true;
+    };
+
+    services = {
+      gpg.defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+      yubikey.enable = true;
+    };
+
+    programs = {
+      gaming.enable = true;
+      mapping.enable = true;
+    };
+
+    gui = {
+      enable = true;
+      monitors = {
+        eDP-1 = {
+          width = "1920";
+          height = "1080";
+          rate = "60.00";
+        };
+      };
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+    ];
+  };
+}
--- a/home/platforms/fabian@t14/isolation.nix
+++ b/home/platforms/fabian@t14/isolation.nix
@ -0,0 +1,22 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  home.isolation = {
+    enable = true;
+    btrfsSupport = true;
+    defaults = {
+      static = true;
+      bindHome = "home/";
+      persist = {
+        base = "shenvs";
+        btrfs = true;
+      };
+    };
+
+    modulesUnder = ./shenvs;
+  };
+}
--- a/home/platforms/fabian@t14/shenvs/c.nix
+++ b/home/platforms/fabian@t14/shenvs/c.nix
@ -0,0 +1,13 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    binutils
+    cmake
+    curl
+    gdb
+    gnumake
+    rustup
+    valgrind
+  ];
+}
--- a/home/platforms/fabian@t14/shenvs/python.nix
+++ b/home/platforms/fabian@t14/shenvs/python.nix
@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    pipenv
+    (python310.withPackages (packages:
+      with packages; [
+        setuptools
+      ]))
+  ];
+}
--- a/home/platforms/fabian@t14/systemd/default.nix
+++ b/home/platforms/fabian@t14/systemd/default.nix
@ -0,0 +1,10 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.user.tmpfiles.rules = [
+    "d %t/tmp 0700 fabian fabian 24h"
+  ];
+}
--- a/home/platforms/fabian@vps/default.nix
+++ b/home/platforms/fabian@vps/default.nix
@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+  ];
+
+  local = {
+    baseline.enable = true;
+
+    services = {
+      zsh.prompt = "%B<%~> \${vcs_info_msg_0_}%b";
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+    ];
+  };
+}
--- a/pkgs/config/default.nix
+++ b/pkgs/config/default.nix
@ -1,6 +1,5 @@
 {lib}:
 with lib; {
-  android_sdk.accept_license = true; #TODO: what the fuck is this
+  android_sdk.accept_license = true;
  allowUnfreePredicate = pkg: import ./unfree.nix lib (getName pkg);
-  allowInsecurePredicate = pkg: import ./insecure.nix lib (getName pkg);
 }
--- a/pkgs/config/insecure.nix
+++ b/pkgs/config/insecure.nix
@ -1,4 +0,0 @@
-lib: name:
-with lib;
-  elem name [
-  ]
--- a/pkgs/config/unfree.nix
+++ b/pkgs/config/unfree.nix
@ -8,5 +8,4 @@ with lib;
    "steam-original"
    "steam-unwrapped"
    "steam-run"
-    "vintagestory"
  ]
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -6,6 +6,8 @@
 with prev.lib; let
  inherit (final) callPackage fetchpatch;
 in {
+  homepage = flakes.homepage.packages.${final.system}.default;
+
  override =
    {
      # add python modules here to make them available in all versions
--- a/sys/modules/android.nix
+++ b/sys/modules/android.nix
@ -14,5 +14,9 @@ in {
    services.udev.packages = with pkgs; [
      android-udev-rules
    ];
+
+    environment.systemPackages = with pkgs; [
+      android-tools
+    ];
  };
 }
--- a/sys/modules/baseline.nix
+++ b/sys/modules/baseline.nix
@ -53,6 +53,17 @@ in {
        ];
    };

+    fonts.packages = with pkgs; [
+      jetbrains-mono
+      nerd-fonts.jetbrains-mono
+      noto-fonts
+      noto-fonts-cjk-sans
+      noto-fonts-emoji
+      noto-fonts-extra
+      nerd-fonts.fira-code
+      nerd-fonts.droid-sans-mono
+    ];
+
    services = {
      openssh.enable = mkDefault true;

@ -62,6 +73,8 @@ in {
      };
    };

+    programs.dconf.enable = true;
+
    # Coredumps are a security risk and may use up a lot of disk space
    systemd.coredump.extraConfig = ''
      Storage=none
@ -72,5 +85,7 @@ in {
      enable = true;
      defaultBitSize = 4096;
    };
+
+    i18n.defaultLocale = "en_US.UTF-8";
  };
 }
--- a/sys/modules/borgsync.nix
+++ b/sys/modules/borgsync.nix
@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.borgsync;
+in {
+  options.local.sys.borgsync = {
+    enable = mkEnableOption "borg backup to an rsync.net repo";
+    paths = mkOption {
+      type = with types; nullOr (coercedTo str singleton (listOf str));
+      default = null;
+      description = "Paths to back up.";
+    };
+    exclude = mkOption {
+      type = with types; listOf str;
+      description = "Exclude paths.";
+      default = [];
+    };
+    repoName = mkOption {
+      type = types.str;
+      description = "Remote rsync repository to back up to.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.borgbackup.jobs.rsync = {
+      paths = cfg.paths;
+      exclude = cfg.exclude;
+      user = "root";
+      group = "root";
+      doInit = true;
+      startAt = [
+        "hourly"
+      ];
+      inhibitsSleep = true;
+      persistentTimer = true;
+
+      repo = "zh5777@zh5777.rsync.net:${cfg.repoName}";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /var/trust/borg/${cfg.repoName}_passphrase";
+      };
+      compression = "auto,lz4";
+      prune = {
+        keep = {
+          hourly = 24;
+          daily = 7;
+          weekly = 4;
+          monthly = 12;
+          yearly = 99;
+        };
+      };
+      extraArgs = [
+        "--remote-path=borg14"
+      ];
+    };
+
+    environment.sessionVariables.BORG_REMOTE_PATH = "borg14";
+  };
+}
--- a/sys/modules/default.nix
+++ b/sys/modules/default.nix
@ -6,6 +6,7 @@
 }: {
  imports = [
    ./baseline.nix
+    ./yubikey.nix
    ./audio.nix
    ./graphics.nix
    ./virtualisation.nix
@ -15,15 +16,8 @@
    ./net.nix
    ./steam.nix
    ./gtklock.nix
-  ];
-
-  fonts.packages = with pkgs; [
-    jetbrains-mono
-    noto-fonts
-    noto-fonts-cjk-sans
-    noto-fonts-emoji
-    noto-fonts-extra
-    nerd-fonts.fira-code
-    nerd-fonts.droid-sans-mono
+    ./borgsync.nix
+    ./dufs.nix
+    ./defaultDesktopPack.nix
  ];
 }
--- a/sys/modules/defaultDesktopPack.nix
+++ b/sys/modules/defaultDesktopPack.nix
@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.defaultDesktopPack;
+in {
+  options.local.sys.defaultDesktopPack = {
+    enable = mkEnableOption "common desktop programs and services";
+  };
+  config = mkIf cfg.enable {
+    local.sys = {
+      baseline.enable = true;
+
+      audio.enable = true;
+      graphics.enable = true;
+      gtklock.enable = true;
+      steam.enable = true;
+
+      users = {
+        fabian = {
+          enable = true;
+          unixId = 1002; #TODO !!!!!!
+        };
+      };
+    };
+
+    trivium = {
+      sway.enable = true;
+      trivionomiconMotd.enable = true;
+    };
+
+    networking = {
+      networkmanager.enable = true;
+      useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+    };
+
+    services = {
+      fwupd.enable = true;
+    };
+  };
+}
--- a/sys/modules/dufs.nix
+++ b/sys/modules/dufs.nix
@ -0,0 +1,233 @@
+# https://github.com/NixOS/nixpkgs/blob/c77cd68706b590b44334bb8c506239b3384c26a0/nixos/modules/services/misc/dufs.nix
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.dufs;
+  types = lib.types;
+in {
+  options.local.sys.dufs = {
+    enable = lib.mkEnableOption "the dufs server";
+    package = lib.mkPackageOption pkgs "dufs" {};
+    settings = lib.mkOption {
+      type = types.submodule {
+        options = {
+          serve-path = lib.mkOption {
+            type = types.path;
+            description = "Specific path to serve.";
+          };
+          bind = lib.mkOption {
+            type = types.nullOr types.str;
+            description = "Specify bind address or unix socket.";
+            default = null;
+          };
+          port = lib.mkOption {
+            type = types.port;
+            description = "Specify port to listen on.";
+            default = 5000;
+          };
+          path-prefix = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Specify a path prefix.";
+            default = null;
+          };
+          hidden = lib.mkOption {
+            type = types.listOf types.str;
+            description = "Hide paths from directory listings, e.g. tmp,*.log,*.lock.";
+            default = [];
+            example = lib.literalExpression ''
+              [
+                "tmp"
+                "*.log"
+                "*.lock."
+              ]
+            '';
+          };
+          allow-all = lib.mkOption {
+            type = types.bool;
+            description = "Allow all operations.";
+            default = true;
+          };
+          allow-upload = lib.mkOption {
+            type = types.bool;
+            description = "Allow upload files/folders.";
+            default = false;
+          };
+          allow-delete = lib.mkOption {
+            type = types.bool;
+            description = "Allow delete files/folders.";
+            default = false;
+          };
+          allow-search = lib.mkOption {
+            type = types.bool;
+            description = "Allow search files/folders.";
+            default = false;
+          };
+          allow-symlink = lib.mkOption {
+            type = types.bool;
+            description = "Allow symlink to files/folders outside root directory.";
+            default = false;
+          };
+          allow-archive = lib.mkOption {
+            type = types.bool;
+            description = "Allow zip archive generation.";
+            default = false;
+          };
+          enable-cors = lib.mkOption {
+            type = types.bool;
+            description = "Enable CORS, sets `Access-Control-Allow-Origin: *`.";
+            default = false;
+          };
+          render-index = lib.mkOption {
+            type = types.bool;
+            description = "Serve index.html when requesting a directory, returns 404 if not found index.html.";
+            default = false;
+          };
+          render-try-index = lib.mkOption {
+            type = types.bool;
+            description = "Serve index.html when requesting a directory, returns directory listing if not found index.html.";
+            default = false;
+          };
+          render-spa = lib.mkOption {
+            type = types.bool;
+            description = "Serve SPA(Single Page Application).";
+            default = false;
+          };
+          assets = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Set the path to the assets directory for overriding the built-in assets.";
+            default = null;
+          };
+          log-format = lib.mkOption {
+            type = types.nullOr types.str;
+            description = "Customize http log format.";
+            default = null;
+            example = lib.literalExpression ''
+              "$remote_addr \"$request\" $status"
+            '';
+          };
+          compress = lib.mkOption {
+            type = types.enum [
+              "none"
+              "low"
+              "medium"
+              "high"
+            ];
+            description = "Customize http log format.";
+            default = "none";
+          };
+          tls-cert = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Path to an SSL/TLS certificate to serve with HTTPS.";
+            default = null;
+          };
+          tls-key = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Path to the SSL/TLS certificate's private key.";
+            default = null;
+          };
+        };
+      };
+      description = "Settings for dufs.";
+    };
+    authFile = lib.mkOption {
+      type = types.nullOr types.path;
+      description = ''
+        Path to file containing auth roles (e.g. user:pass@/dir1:rw,/dir2), one per line.
+
+        Passwords may be hashed, see https://github.com/sigoden/dufs#hashed-password.
+      '';
+      default = null;
+    };
+    openFirewall = lib.mkOption {
+      type = types.bool;
+      description = "Open firewall on configured port.";
+      default = false;
+    };
+    user = lib.mkOption {
+      type = types.str;
+      description = "User to run dufs under.";
+      default = "dufs";
+    };
+    group = lib.mkOption {
+      type = types.str;
+      description = "Group to run dufs under.";
+      default = "dufs";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [cfg.settings.port];
+    systemd.services.dufs = let
+      settings = lib.filterAttrs (_: v: v != null) cfg.settings;
+      pathWritable = settings.allow-all || settings.allow-upload || settings.allow-delete;
+    in {
+      after = ["network.target"];
+      wantedBy = ["multi-user.target"];
+      environment.DUFS_CONFIG = (pkgs.formats.yaml {}).generate "dufs-config.yaml" settings;
+      script = ''
+        ${lib.optionalString (cfg.authFile != null) ''
+          export DUFS_AUTH=$(tr '\n' '|' < ${lib.escapeShellArg cfg.authFile} | sed 's/|$//')
+        ''}
+        exec ${lib.escapeShellArg (lib.getExe cfg.package)}
+      '';
+      serviceConfig = {
+        BindReadOnlyPaths =
+          [
+            builtins.storeDir
+          ]
+          ++ lib.optional (!pathWritable) settings.serve-path
+          ++ lib.optional (cfg.authFile != null) cfg.authFile;
+        BindPaths = lib.mkIf pathWritable settings.serve-path;
+        CapabilityBoundingSet = "";
+        DeviceAllow = "";
+        Group = cfg.group;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RootDirectory = "/run/dufs";
+        RuntimeDirectory = "dufs";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@resources"
+          "~@privileged"
+        ];
+        User = cfg.user;
+      };
+    };
+    users = {
+      users.dufs = lib.mkIf (cfg.user == "dufs") {
+        group = cfg.group;
+        home = cfg.settings.serve-path;
+        isSystemUser = true;
+      };
+      groups.dufs = lib.mkIf (cfg.group == "dufs") {};
+    };
+  };
+  meta.maintainers = with lib.maintainers; [jackwilsdon];
+}
--- a/sys/modules/graphics.nix
+++ b/sys/modules/graphics.nix
@ -16,7 +16,5 @@ in {
    };

    hardware.graphics.enable = true;
-
-    programs.dconf.enable = true;
  };
 }
--- a/sys/modules/gtklock.nix
+++ b/sys/modules/gtklock.nix
@ -26,7 +26,7 @@ in {
        window {
          background-color: black;
          color: #eaeaea;
-          font-family: "JetBrains Mono", monospace;
+          font-family: "JetBrainsMono Nerd Font", monospace;
          font-size: 14px;
        }

--- a/sys/modules/users.nix
+++ b/sys/modules/users.nix
@ -31,7 +31,7 @@ in {

  config = {
    local.sys.users = {
-      chem = {
+      fabian = {
        unixId = mkDefault 1000;
        admin = true;
      };
@ -54,7 +54,7 @@ in {
          shell = pkgs.zsh;
          extraGroups =
            ["users" "networkmanager"]
-            ++ optionals (v.admin) ["wheel" "libvirtd" "dialout" "adbusers"];
+            ++ optionals (v.admin) ["wheel" "libvirtd" "dialout" "adbusers" "video" "input"];
          openssh.authorizedKeys.keyFiles = v.sshKeyPublicFile;
        })
        enabledUsers;
--- a/sys/modules/yubikey.nix
+++ b/sys/modules/yubikey.nix
@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.yubikey;
+in {
+  options.local.sys.yubikey = {
+    enable = mkEnableOption "yubikey settings";
+  };
+  config = mkIf cfg.enable {
+    services = {
+      pcscd.enable = true;
+      udev.packages = [pkgs.yubikey-personalization];
+    };
+
+    environment.etc."pkcs11/modules/ykcs11".text = ''
+      module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+    '';
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+
+    security.pam = {
+      services = {
+        login.u2fAuth = true;
+        sudo.u2fAuth = true;
+      };
+
+      u2f = {
+        enable = true;
+        control = "sufficient";
+        settings = {
+          debug = false;
+          cue = true;
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/posixlycorrect/default.nix
+++ b/sys/platforms/posixlycorrect/default.nix
@ -0,0 +1,50 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}: {
+  imports = [
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+  ];
+
+  local.sys = {
+    defaultDesktopPack.enable = true;
+
+    yubikey.enable = true;
+    virtualisation.enable = true;
+    androidSupport.enable = true;
+    borgsync = {
+      enable = true;
+      paths = [
+        "/home/fabian/nix"
+        "/home/fabian/safe"
+        "/xtern/backup"
+      ];
+      repoName = "posixlycorrect";
+    };
+  };
+
+  networking = {
+    hostName = "posixlycorrect";
+    hostId = "0414a727";
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = true;
+    supportedFilesystems = ["zfs"];
+    zfs = {
+      forceImportRoot = false;
+      useKeyringForCredentials = true;
+    };
+  };
+
+  time.timeZone = "America/Costa_Rica";
+}
--- a/sys/platforms/posixlycorrect/hardware-configuration.nix
+++ b/sys/platforms/posixlycorrect/hardware-configuration.nix
@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: let
+  subvol = subvol: {
+    device = "/dev/disk/by-uuid/645fdba0-5c03-4285-926b-facded1ee259";
+    fsType = "btrfs";
+    options = ["subvol=${subvol}" "compress=zstd" "noatime" "ssd"];
+  };
+in {
+  imports = [
+    flakes.nixpkgs.nixosModules.notDetected
+  ];
+
+  boot.initrd = {
+    availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+    luks.devices."toplevel" = {
+      device = "/dev/disk/by-uuid/58277baa-90d4-4a5e-a658-1b918b89130a";
+      preLVM = false;
+    };
+  };
+
+  fileSystems = {
+    "/" = subvol "root";
+    "/toplevel" = subvol "/";
+    "/boot" = {
+      device = "/dev/disk/by-uuid/B007-B007";
+      fsType = "vfat";
+      options = ["umask=027"];
+    };
+  };
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/sys/platforms/t14/default.nix
+++ b/sys/platforms/t14/default.nix
@ -0,0 +1,41 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}: {
+  imports = [
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+  ];
+
+  local.sys = {
+    defaultDesktopPack.enable = true;
+
+    yubikey.enable = true;
+    bluetooth.enable = true;
+    androidSupport.enable = true;
+  };
+
+  trivium = {
+    laptop.enable = true;
+    thinkpad.enable = true;
+  };
+
+  hardware.acpilight.enable = true;
+
+  networking.hostName = "t14";
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+  };
+
+  time.timeZone = "America/Costa_Rica";
+}
--- a/sys/platforms/t14/hardware-configuration.nix
+++ b/sys/platforms/t14/hardware-configuration.nix
@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  services.xserver.videoDrivers = ["i915" "modesetting" "fbdev"];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "sdhci_pci"];
+      kernelModules = ["dm-snapshot"];
+      luks.devices."tomb" = {
+        device = "/dev/disk/by-uuid/0b2b9aec-c239-4cce-948d-4411d9300c1d";
+        preLVM = true;
+      };
+    };
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=root"];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/A7E5-EEAB";
+      fsType = "vfat";
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=nix"];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=home"];
+    };
+
+    "/toplevel" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+    };
+  };
+
+  swapDevices = [];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/sys/platforms/vps/default.nix
+++ b/sys/platforms/vps/default.nix
@ -0,0 +1,140 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  doctrine,
+  ...
+}:
+with lib; {
+  imports = [
+    flakes.vpsadminos.nixosConfigurations.container
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+    ./srv
+    ./networkMap.nix
+  ];
+
+  local.sys = {
+    baseline.enable = true;
+
+    borgsync = {
+      enable = true;
+      paths = [
+        "/var/lib/forgejo"
+        "/var/lib/mealie"
+        "/var/lib/trilium"
+        "/var/lib/forgejo"
+      ];
+      repoName = "vps";
+    };
+
+    users.fabian = {
+      enable = true;
+      sshKeyPublicFile = [pki/id_ed25519.pub]; # move this out someday
+    };
+  };
+
+  trivium.soju = {
+    enable = true;
+    fullyQualifiedDomain = "soju.posixlycorrect.com";
+  };
+
+  services.openssh = {
+    settings.PasswordAuthentication = false;
+  };
+
+  programs.mosh.enable = true;
+
+  networking = {
+    hostName = "vps";
+    domain = "posixlycorrect.com";
+    firewall.allowedUDPPorts = [51820]; #TODO
+  };
+
+  time.timeZone = "Europe/Amsterdam";
+
+  systemd = {
+    extraConfig = ''
+      DefaultTimeoutStartSec=900s
+    '';
+
+    network = let
+      inherit (config.local.sys) nets;
+    in {
+      enable = true;
+
+      netdevs = {
+        wg-vpn = {
+          netdevConfig = {
+            Name = "wg-vpn";
+            Kind = "wireguard";
+          };
+
+          wireguardConfig = {
+            PrivateKeyFile = "/var/trust/wg/vpn/key.priv";
+            ListenPort = "51820";
+          };
+
+          wireguardPeers = [
+            {
+              PublicKey = "wwUp3Uu/rSxbp+6J745O+cpnZHGWOJYWfWEsTjRE3yU=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-posixlycorrect.psk";
+              AllowedIPs = ["${nets.vpn-posixlycorrect.v6.cidr}"];
+            }
+            {
+              PublicKey = "YFqg/ED26KygSRSmGzvUXpwnXPqMOI3R3caVfAtHVks=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-pixel8.psk";
+              AllowedIPs = ["${nets.vpn-pixel8.v6.cidr}"];
+            }
+          ];
+        };
+      };
+
+      networks = {
+        wg-vpn = {
+          name = "wg-vpn";
+
+          networkConfig = {
+            Address = [
+              nets.vpn-vps.hosts.vps.v6.cidr
+            ];
+          };
+
+          routes = [
+            {
+              Destination = nets.vpn.v6.cidr;
+            }
+            {
+              Source = nets.vpn.v6.cidr;
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+
+    extraSpecialArgs = {
+      inherit flakes;
+      doctrine = flakes.trivionomicon.lib.mkDoctrine {
+        inherit pkgs;
+        inherit (doctrine) prefix;
+        namespace = "home";
+      };
+    };
+
+    users.fabian = {
+      imports = [
+        flakes.impermanence.nixosModules.home-manager.impermanence
+        "${flakes.self}/home/platforms/fabian@vps"
+        "${flakes.self}/home"
+      ];
+    };
+  };
+}
--- a/sys/platforms/vps/hardware-configuration.nix
+++ b/sys/platforms/vps/hardware-configuration.nix
@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: let
+in {
+  fileSystems = {
+    "/mnt/export2008" = {
+      device = "172.16.129.19:/nas/5876";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2178" = {
+      device = "172.16.129.151:/nas/5876/immich";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2179" = {
+      device = "172.16.131.31:/nas/5876/syncthing";
+      fsType = "nfs";
+      options = ["nofail"];
+    };
+  };
+}
--- a/sys/platforms/vps/networkMap.nix
+++ b/sys/platforms/vps/networkMap.nix
@ -0,0 +1,78 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  local.sys.nets = {
+    default = {
+      v4 = {
+        bits = 32;
+        prefix = "37.205.12.34";
+      };
+
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:fe:102";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+        vps.v4.suffix = "";
+      };
+    };
+
+    vpn = {
+      v6 = {
+        bits = 48;
+        prefix = "2a03:3b40:2b";
+      };
+    };
+
+    vpn-vps = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1000";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+      };
+    };
+
+    vpn-posixlycorrect = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1001";
+      };
+
+      hosts = {
+        posixlycorrect.v6.suffix = "1";
+      };
+    };
+
+    vpn-pixel8 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1002";
+      };
+
+      hosts = {
+        pixel8.v6.suffix = "1";
+      };
+    };
+
+    vpn-t14 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1003";
+      };
+
+      hosts = {
+        t14.v6.suffix = "1";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/pki/id_ed25519.pub
+++ b/sys/platforms/vps/pki/id_ed25519.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICls/LbyzkIXj5HCp7Qc4eoGcUXzJdQFshNX2caPwgNh openpgp:0x1B7A8CB7
--- a/sys/platforms/vps/srv/calibre-web.nix
+++ b/sys/platforms/vps/srv/calibre-web.nix
@ -0,0 +1,30 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."calibre.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://[::1]:8083";
+        };
+      };
+    };
+
+    calibre-web = {
+      enable = true;
+      options = {
+        enableBookUploading = true;
+        calibreLibrary = "/var/lib/calibre-web/calibre_library";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/default.nix
+++ b/sys/platforms/vps/srv/default.nix
@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+    ./net.nix
+    ./mediawiki.nix
+    ./forgejo.nix
+    ./vaultwarden.nix
+    ./msmtp.nix
+    ./trilium.nix
+    ./syncthing.nix
+    ./calibre-web.nix
+    ./immich.nix
+    ./mealie.nix
+    ./dufs.nix
+    ./isso.nix
+    ./miniflux.nix
+    ./radicale.nix
+  ];
+}
--- a/sys/platforms/vps/srv/dufs.nix
+++ b/sys/platforms/vps/srv/dufs.nix
@ -0,0 +1,32 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."public.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5000";
+        };
+      };
+    };
+  };
+
+  local.sys.dufs = {
+    enable = true;
+    settings = {
+      serve-path = "/var/public";
+      allow-all = false;
+      allow-archive = true;
+    };
+  };
+}
--- a/sys/platforms/vps/srv/forgejo.nix
+++ b/sys/platforms/vps/srv/forgejo.nix
@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  config = {
+    environment.etc."fail2ban/filter.d/gitea.local".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+    '';
+
+    services = {
+      nginx = {
+        virtualHosts."git.posixlycorrect.com" = {
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 128;
+          '';
+          locations."/".proxyPass = "http://localhost:9170";
+        };
+      };
+
+      fail2ban.jails.gitea.settings = {
+        filter = "gitea";
+        logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+        maxretry = "10";
+        findtime = "3600";
+        bantime = "900";
+        action = "iptables-allports";
+      };
+
+      forgejo = {
+        enable = true;
+        lfs.enable = true;
+        useWizard = false;
+        settings = {
+          general.APP_NAME = "posixlycorrect";
+          ui.DEFAULT_THEME = "forgejo-dark";
+          server = {
+            DOMAIN = "git.posixlycorrect.com";
+            ROOT_URL = "https://git.posixlycorrect.com";
+            HTTP_PORT = 9170;
+            LANDING_PAGE = "explore";
+          };
+
+          service.DISABLE_REGISTRATION = true;
+
+          actions = {
+            ENABLED = true;
+          };
+          mailer = {
+            ENABLED = false;
+          };
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/immich.nix
+++ b/sys/platforms/vps/srv/immich.nix
@ -0,0 +1,72 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."photos.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://localhost:2283";
+        };
+      };
+    };
+
+    immich = {
+      enable = true;
+      secretsFile = "/var/trust/immich/secrets.txt";
+      mediaLocation = "/mnt/export2178/immich/media";
+      machine-learning.enable = false;
+      environment = {
+        IMMICH_TELEMETRY_EXCLUDE = "host,api,io,repo,job";
+      };
+      settings = {
+        machineLearning = {
+          enabled = false;
+        };
+        job = {
+          backgroundTask = {
+            concurrency = 1;
+          };
+          smartSearch = {
+            concurrency = 1;
+          };
+          metadataExtraction = {
+            concurrency = 1;
+          };
+          faceDetection = {
+            concurrency = 1;
+          };
+          search = {
+            concurrency = 1;
+          };
+          sidecar = {
+            concurrency = 1;
+          };
+          library = {
+            concurrency = 1;
+          };
+          migration = {
+            concurrency = 1;
+          };
+          thumbnailGeneration = {
+            concurrency = 1;
+          };
+          videoConversion = {
+            concurrency = 1;
+          };
+          notifications = {
+            concurrency = 1;
+          };
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/isso.nix
+++ b/sys/platforms/vps/srv/isso.nix
@ -0,0 +1,45 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."isso.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8888/";
+        };
+      };
+    };
+
+    isso = {
+      enable = true;
+      settings = {
+        general = {
+          host = "https://posixlycorrect.com/";
+          dbpath = "/var/lib/isso/comments.db";
+          notify = "stdout";
+        };
+        moderation = {
+          enabled = false;
+          approve-if-email-previously-approved = false;
+          purge-after = "365d";
+        };
+        server = {
+          listen = "http://127.0.0.1:8888/";
+        };
+        guard = {
+          require-author = true;
+          require-email = true;
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/mealie.nix
+++ b/sys/platforms/vps/srv/mealie.nix
@ -0,0 +1,37 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.services.wiki-js = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+
+  services = {
+    nginx = {
+      virtualHosts."food.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9000";
+        };
+      };
+    };
+
+    mealie = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      port = 9000;
+      credentialsFile = "/var/trust/mealie/credentials.env";
+      settings = {
+        ALLOW_SIGNUP = "false";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/mediawiki.nix
+++ b/sys/platforms/vps/srv/mediawiki.nix
@ -0,0 +1,71 @@
+{
+  lib,
+  pkgs,
+  flakes,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."wiki.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+    mediawiki = {
+      enable = true;
+      name = "posixlycorrect wiki";
+      webserver = "nginx";
+      nginx.hostName = "wiki.posixlycorrect.com";
+      database.type = "postgres";
+
+      passwordFile = "/run/keys/mediawiki-password";
+
+      skins = {
+        citizen = "${flakes.mediawikiSkinCitizen}";
+      };
+
+      extraConfig = ''
+        # Disable anonymous editing and account creation
+        $wgGroupPermissions['*']['edit'] = false;
+        $wgGroupPermissions['*']['createaccount'] = false;
+
+        $wgDefaultSkin = 'citizen';
+        $wgDefaultMobileSkin = 'citizen';
+        $wgCitizenThemeDefault = 'dark';
+        $wgCitizenShowPageTools = 'login';
+        $wgLogos = [
+          'icon' => "https://posixlycorrect.com/favicon.png",
+          '1x' => "https://posixlycorrect.com/favicon.png",
+          '2x' => "https://posixlycorrect.com/favicon.png",
+        ];
+
+        $wgEnableEmail = false; #TODO: arreglar esto
+        $wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
+        $wgEmergencyContact = 'mediawiki@posixlycorrect.com';
+        $wgPasswordSender = 'mediawiki@posixlycorrect.com';
+      '';
+
+      extensions = {
+        # some extensions are included and can enabled by passing null
+        VisualEditor = null;
+        CategoryTree = null;
+        CiteThisPage = null;
+        Scribunto = null;
+        Cite = null;
+        CodeEditor = null;
+        Math = null;
+        MultimediaViewer = null;
+        PdfHandler = null;
+        Poem = null;
+        SecureLinkFixer = null;
+        WikiEditor = null;
+        ParserFunctions = null;
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/miniflux.nix
+++ b/sys/platforms/vps/srv/miniflux.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."rss.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8087";
+        };
+      };
+    };
+
+    miniflux = {
+      enable = true;
+      adminCredentialsFile = "/var/trust/miniflux/adminCredentialsFile";
+      config = {
+        CLEANUP_FREQUENCY = 48;
+        LISTEN_ADDR = "127.0.0.1:8087";
+        BASE_URL = "https://rss.posixlycorrect.com";
+        CREATE_ADMIN = 1;
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/msmtp.nix
+++ b/sys/platforms/vps/srv/msmtp.nix
@ -0,0 +1,35 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  users.groups = {
+    mailsenders = {
+      members = ["fabian" "mediawiki"];
+    };
+  };
+
+  # esto sirve para que PHP pueda accesar la clave smtp de fastmail
+  #systemd.services.phpfpm-mediawiki = {
+  #  path = [ "/run/wrappers" ];
+  #  serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
+  #};
+
+  programs = {
+    msmtp = {
+      enable = true;
+      accounts = {
+        default = {
+          auth = true;
+          host = "smtp.fastmail.com";
+          port = 587;
+          passwordeval = "cat /var/trust/fastmail/smtp_key";
+          user = "fabianmontero@fastmail.com";
+          tls = true;
+          tls_starttls = true;
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/net.nix
+++ b/sys/platforms/vps/srv/net.nix
@ -0,0 +1,100 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  inherit (config.local.sys) nets;
+in {
+  # adds "/var/lib/acme/acme-challenge" as a webroot fallback
+  options = {
+    security.acme = {
+      certs = mkOption {
+        type = with types;
+          attrsOf (submodule ({config, ...}: {
+            config = {
+              webroot =
+                if config.dnsProvider == null
+                then "/var/lib/acme/acme-challenge"
+                else null;
+            };
+          }));
+      };
+    };
+  };
+
+  config = {
+    networking = {
+      nftables.enable = false; # learn how to use this later
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [80 443];
+      };
+      domain = "posixlycorrect.com";
+    };
+
+    # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "fabian@posixlycorrect.com";
+      };
+    };
+
+    services = {
+      nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        logError = "/var/log/nginx/error.log";
+        clientMaxBodySize = "99M";
+        virtualHosts = {
+          "posixlycorrect.com" = {
+            forceSSL = true;
+            enableACME = true;
+            locations = {
+              "/".root = "${pkgs.trivium.homepage}";
+              "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
+            };
+          };
+        };
+      };
+
+      fail2ban = {
+        enable = true;
+        bantime = "10m";
+        ignoreIP = [
+          nets.default.hosts.vps.v6.cidr
+          nets.default.hosts.vps.v4.address
+          nets.vpn.v6.cidr
+        ];
+        bantime-increment = {
+          enable = true;
+          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+          maxtime = "48h"; # Do not ban for more than 48h
+          rndtime = "10m";
+          overalljails = true; # Calculate the bantime based on all the violations
+        };
+        jails = {
+          # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+          nginx-botsearch.settings = {
+            # Usar log en vez de journalctl
+            # TODO: Pasar todo a systemd?
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+          };
+          nginx-bad-request.settings = {
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+            maxretry = 10;
+          };
+        };
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/radicale.nix
+++ b/sys/platforms/vps/srv/radicale.nix
@ -0,0 +1,41 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."dav.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5232";
+        };
+      };
+    };
+
+    radicale = {
+      enable = true;
+      settings = {
+        server = {
+          hosts = ["127.0.0.1:5232"];
+        };
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = "/var/trust/radicale/htpasswd";
+          htpasswd_encryption = "bcrypt";
+        };
+        storage = {
+          filesystem_folder = "/var/lib/radicale/collections";
+        };
+        web.type = "internal";
+        rights.type = "authenticated";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/syncthing.nix
+++ b/sys/platforms/vps/srv/syncthing.nix
@ -0,0 +1,42 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    syncthing = {
+      enable = true;
+      systemService = true;
+      overrideFolders = false;
+      overrideDevices = false;
+      openDefaultPorts = true;
+      guiAddress = "127.0.0.1:8384";
+      settings.options.urAccepted = -1;
+      dataDir = "/mnt/export2179/syncthing";
+      relay = {
+        enable = true;
+        pools = [];
+        providedBy = "vps.posixlycorrect.com";
+      };
+    };
+  };
+
+  # calibre web stuff. make this better someday, this is pure duct-tape
+  users.groups."calybresync".members = ["syncthing" "calibre-web"];
+  systemd = {
+    services."calybreown" = {
+      script = ''
+        chgrp -R calybresync /var/lib/calibre-web/calibre_library
+        chmod -R g+w /var/lib/calibre-web/calibre_library
+      '';
+      serviceConfig.Type = "oneshot";
+    };
+    timers."calybreown" = {
+      wantedBy = [
+        "timers.target"
+      ];
+      timerConfig.OnCalendar = "*-*-* *:00/30:00";
+    };
+  };
+}
--- a/sys/platforms/vps/srv/trilium.nix
+++ b/sys/platforms/vps/srv/trilium.nix
@ -0,0 +1,34 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."notes.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+
+    trilium-server = {
+      enable = true;
+      package = pkgs.trilium-next-server;
+      host = "127.0.0.1";
+      port = 8458;
+      noAuthentication = false;
+      noBackup = true; # I already backup the whole dataDir, so no need for this
+      instanceName = "posixlycorrect";
+      dataDir = "/var/lib/trilium";
+      nginx = {
+        enable = true;
+        hostName = "notes.posixlycorrect.com";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/vaultwarden.nix
+++ b/sys/platforms/vps/srv/vaultwarden.nix
@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."vault.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+      };
+    };
+
+    #fail2ban.jails.gitea.settings = { };
+
+    postgresql = {
+      ensureDatabases = ["vaultwarden"];
+      ensureUsers = [
+        {
+          name = "vaultwarden";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = "/var/trust/vaultwarden/smtp_key";
+      config = {
+        DOMAIN = "https://vault.posixlycorrect.com";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        ROCKET_LOG = "critical";
+
+        # Using FASTMAIL mail server
+        # If you use an external mail server, follow:
+        #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+        SMTP_HOST = "smtp.fastmail.com";
+        SMTP_PORT = 587;
+        SMTP_SECURITY = "starttls";
+
+        SMTP_FROM = "vault@posixlycorrect.com";
+        SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
+
+        SMTP_AUTH_MECHANISM = "PLAIN";
+
+        DATABASE_URL = "postgresql:///vaultwarden";
+      };
+    };
+
+    bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
+  };
+}
--- a/sys/platforms/yuki/default.nix
+++ b/sys/platforms/yuki/default.nix
@ -1,55 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  flakes,
-  ...
-}: {
-  imports = [
-    flakes.home-manager.nixosModules.home-manager
-    flakes.impermanence.nixosModule
-    ./hardware-configuration.nix
-  ];
-
-  local.sys = {
-    baseline.enable = true;
-
-    audio.enable = true;
-    graphics.enable = true;
-    virtualisation.enable = true;
-    androidSupport.enable = true;
-    steam.enable = true;
-    gtklock.enable = true;
-
-    users = {
-      chem = {
-        enable = true;
-      };
-    };
-  };
-
-  local.sway.enable = true;
-
-  networking = {
-    hostName = "yuki";
-    networkmanager.enable = true;
-
-    useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-    #interfaces.enp7s0.useDHCP = true; # Per-interface useDHCP will be mandatory in the future, so this generated config
-    #interfaces.wlp6s0.useDHCP = true; # replicates the default behaviour.
-  };
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    tmp.useTmpfs = true;
-    kernelPackages = pkgs.linuxPackages_zen;
-  };
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8"; #todo: move to baseline?
-
-  time.timeZone = "America/Costa_Rica"; #todo: move to baseline?
-}
--- a/sys/platforms/yuki/hardware-configuration.nix
+++ b/sys/platforms/yuki/hardware-configuration.nix
@ -1,42 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
-  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = ["kvm-intel"];
-  boot.extraModulePackages = [];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/b925ebc0-f717-4f0d-83ca-a9a29990b8e2";
-    fsType = "btrfs";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/EC62-0FDF";
-    fsType = "vfat";
-    options = ["fmask=0022" "dmask=0022"];
-  };
-
-  swapDevices = [];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
--- a/trivionomicon/flake.nix
+++ b/trivionomicon/flake.nix
@ -9,11 +9,11 @@
    nixpkgs,
    flake-utils,
  }: let
-    mapOverlayOverride = namespace: overlay: final: prev: let
+    mapOverlayOverride = prefix: overlay: final: prev: let
      overlayPkgs = overlay final prev;
    in
      {
-        "${namespace}" = builtins.removeAttrs overlayPkgs ["override"];
+        "${prefix}" = (prev.${prefix} or {}) // builtins.removeAttrs overlayPkgs ["override"];
      }
      // (overlayPkgs.override or {});

@ -30,7 +30,7 @@
      packages =
        (import nixpkgs {
          inherit system;
-          overlays = [(mapOverlayOverride doctrineNoPkgs.prefix (import ./pkgs))];
+          overlays = [self.overlays.default];
        }).${
          doctrineNoPkgs.prefix
        };
@ -121,7 +121,7 @@
                    }
                    # NB: Preserve the relative order
                    {
-                      overlay = self.overlays.default;
+                      overlay = mapOverlayOverride prefix (import ./pkgs);
                      condition = true;
                    }
                    {
@ -164,24 +164,12 @@
          }
          // optionalAttrs (paths ? nixosSource) {
            nixosConfigurations = let
-              nixosSystem = {modules}:
-                lib.makeOverridable nixpkgs.lib.nixosSystem {
-                  inherit modules pkgs system;
-
-                  specialArgs = {
-                    inherit flakes;
-
-                    doctrine = mkDoctrine {
-                      inherit pkgs;
-                      namespace = "sys";
-                    };
-                  };
-                };
-
              hostConfig = platform:
-                nixosSystem {
+                self.lib.mkSystem {
+                  inherit flakes pkgs;
+                  doctrine = doctrineNoPkgs;
+
                  modules = [
-                    self.nixosModules.default
                    nixosSourcePath
                    platform
                  ];
@ -213,6 +201,29 @@
            in
              lib.mapAttrs home (importAll {root = hmPlatformsPath;});
          };
+
+        mkSystem = {
+          pkgs,
+          flakes,
+          doctrine,
+          modules,
+        }:
+          flakes.nixpkgs.lib.makeOverridable flakes.nixpkgs.lib.nixosSystem {
+            inherit pkgs;
+            inherit (pkgs) system;
+
+            modules = [self.nixosModules.default] ++ modules;
+
+            specialArgs = {
+              inherit flakes;
+
+              doctrine = self.lib.mkDoctrine {
+                inherit pkgs;
+                inherit (doctrine) prefix;
+                namespace = "sys";
+              };
+            };
+          };
      };
    };
 }
--- a/trivionomicon/modules/soju/default.nix
+++ b/trivionomicon/modules/soju/default.nix
@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "soju";
+  sys = ./sys.nix;
+  options = ./options.nix;
+}
--- a/trivionomicon/modules/soju/options.nix
+++ b/trivionomicon/modules/soju/options.nix
@ -0,0 +1,16 @@
+{lib, ...}:
+with lib.types; {
+  sys = {
+    fullyQualifiedDomain = lib.mkOption {
+      type = str;
+      example = "soju.trivionomicon.com";
+      description = "fully qualified domain name to be used by soju";
+    };
+
+    port = lib.mkOption {
+      type = port;
+      default = 6697;
+      description = "port to be used by soju";
+    };
+  };
+}
--- a/trivionomicon/modules/soju/sys.nix
+++ b/trivionomicon/modules/soju/sys.nix
@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  lib,
+  cfg,
+  doctrine,
+  ...
+}:
+with lib; {
+  security.acme.certs."${cfg.fullyQualifiedDomain}" = {
+    reloadServices = ["soju.service"];
+    group = "soju";
+  };
+
+  networking.firewall.allowedTCPPorts = [cfg.port];
+
+  services.soju = let
+    sojuCertDir = config.security.acme.certs."${cfg.fullyQualifiedDomain}".directory;
+  in {
+    enable = true;
+    hostName = "${cfg.fullyQualifiedDomain}";
+    listen = ["ircs://[::]:${toString cfg.port}"];
+    tlsCertificate = "${sojuCertDir}/fullchain.pem";
+    tlsCertificateKey = "${sojuCertDir}/key.pem";
+  };
+
+  systemd.services.soju = {
+    after = ["acme-${cfg.fullyQualifiedDomain}.service"];
+    serviceConfig = {
+      DynamicUser = mkForce false; # fuck dynamic users
+      User = "soju";
+      Group = "soju";
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      RemoveIPC = true;
+    };
+  };
+
+  users = {
+    users.soju = {
+      isSystemUser = true;
+      group = "soju";
+    };
+    groups.soju = {};
+  };
+}
--- a/trivionomicon/modules/trivionomiconMotd/default.nix
+++ b/trivionomicon/modules/trivionomiconMotd/default.nix
@ -0,0 +1,10 @@
+{
+  config,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "trivionomiconMotd";
+  sys = ./sys.nix;
+}
--- a/trivionomicon/modules/trivionomiconMotd/sys.nix
+++ b/trivionomicon/modules/trivionomiconMotd/sys.nix
@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  users.motd = ''
+                                          _   _             _   _
+                                         | | | |           | | | |
+     _ __   _____      _____ _ __ ___  __| | | |__  _   _  | |_| |__   ___
+    | '_ \ / _ \ \ /\ / / _ \ '__/ _ \/ _` | | '_ \| | | | | __| '_ \ / _ \
+    | |_) | (_) \ V  V /  __/ | |  __/ (_| | | |_) | |_| | | |_| | | |  __/
+    | .__/ \___/ \_/\_/ \___|_|  \___|\__,_| |_.__/ \__, |  \__|_| |_|\___|
+    | |                                              __/ |
+    |_|_____ _____  _______      _______ ____  _   _|___/_  __  __ _____ _____ ____  _   _
+    |__   __|  __ \|_   _\ \    / /_   _/ __ \| \ | |/ __ \|  \/  |_   _/ ____/ __ \| \ | |
+       | |  | |__) | | |  \ \  / /  | || |  | |  \| | |  | | \  / | | || |   | |  | |  \| |
+       | |  |  _  /  | |   \ \/ /   | || |  | | . ` | |  | | |\/| | | || |   | |  | | . ` |
+       | |  | | \ \ _| |_   \  /   _| || |__| | |\  | |__| | |  | |_| || |___| |__| | |\  |
+       |_|  |_|  \_\_____|   \/   |_____\____/|_| \_|\____/|_|  |_|_____\_____\____/|_| \_|
+  '';
+}
--- a/trivionomicon/modules/waybar/default.nix
+++ b/trivionomicon/modules/waybar/default.nix
@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "waybar";
+  hm = ./hm.nix;
+  options = ./options.nix;
+}
--- a/trivionomicon/modules/waybar/hm.nix
+++ b/trivionomicon/modules/waybar/hm.nix
@ -0,0 +1,207 @@
+{
+  lib,
+  pkgs,
+  cfg,
+  doctrine,
+  ...
+}:
+with lib; {
+  programs.waybar = {
+    enable = true;
+    settings = {
+      mainBar = {
+        layer = "top";
+        position = "top";
+        height = 20;
+        spacing = 0;
+
+        modules-left = [
+          "sway/workspaces"
+          "sway/mode"
+        ];
+        modules-center = [
+          "clock"
+        ];
+
+        modules-right =
+          [
+            "keyboard-state"
+            "privacy"
+            "idle_inhibitor"
+            "cpu"
+            "memory"
+            "disk"
+            "temperature"
+            "tray"
+          ]
+          ++ lists.optionals cfg.battery [
+            "battery"
+          ];
+        battery = mkIf cfg.battery {
+          format = "{capacity}% {icon}";
+          format-plugged = "{capacity}% 󱐥{icon}";
+          format-icons = ["󰂃" "󰁺" "󰁻" "󰁼" "󰁽" "󰁾" "󰁿" "󰂀" "󰂁" "󰂂" "󰁹"];
+          states = {
+            warning = 20;
+            critical = 10;
+          };
+        };
+        keyboard-state = {
+          capslock = true;
+          format.capslock = "{icon}";
+          format-icons = {
+            locked = "󰘲 ";
+            unlocked = "";
+          };
+        };
+        idle_inhibitor = {
+          format = "{icon}";
+          format-icons = {
+            activated = " ";
+            deactivated = " ";
+          };
+        };
+        tray = {
+          icon-size = 13;
+          spacing = 8;
+        };
+        clock = {
+          interval = 60;
+          format = "{:%A %B %d %Y %H:%M}";
+          tooltip = false;
+        };
+        cpu = {
+          format = " {usage}%";
+          tooltip = false;
+        };
+        memory = {
+          format = " {percentage}% ";
+          tooltip = true;
+          tooltip-format = "{used}/{total}";
+        };
+        disk = {
+          format = " {specific_used:0.0f}/{specific_total:0.0f}";
+          unit = "GiB";
+          tooltip = false;
+        };
+        temperature = {
+          format = " {temperatureC}°C";
+        };
+        privacy = {
+          icon-size = 12;
+        };
+      };
+    };
+    style = ''
+      * {
+        font-family: "${cfg.fontFamily}", monospace;
+        font-size: ${cfg.fontSize};
+        font-weight: 500;
+        border: none;
+        box-shadow: none;
+      }
+
+      /* Entire bar: fully transparent, no border */
+      window#waybar {
+        background: transparent;
+        color: #eaeaea;
+        margin: 0;
+        padding: 0;
+      }
+
+      /* Optional: small edge breathing room (comment out if you want edge-to-edge) */
+      /* window#waybar { margin: 3px 6px 0 6px; } */
+
+      /* Module containers */
+      .modules-left, .modules-center, .modules-right {
+        padding: 0;
+        margin: 0 6px;
+      }
+
+      /* Subtle separators between modules (no boxes) */
+      .modules-left > widget:not(:first-child),
+      .modules-center > widget:not(:first-child),
+      .modules-right > widget:not(:first-child) {
+        margin-left: 12px;
+        padding-left: 12px;
+        border-left: 1px solid rgba(255, 255, 255, 0.08);
+      }
+
+      /* Tightest possible workspaces */
+      #workspaces { padding: 0; margin: 0; }
+      #workspaces button {
+        margin: 0;
+        padding: 0 3px;
+        min-width: 0;
+        border-radius: 0;
+        background: transparent;
+        color: #cfcfcf;
+      }
+      #workspaces button:hover {
+        background: rgba(255, 255, 255, 0.06);
+      }
+      #workspaces button.active,
+      #workspaces button.focused {
+        background: rgba(255, 255, 255, 0.10);
+        color: #ffffff;
+        box-shadow: inset 0 -2px #ffffff;
+      }
+      #workspaces button.urgent {
+        background: rgba(255, 80, 80, 0.25);
+        box-shadow: inset 0 -2px #ff5050;
+      }
+
+      /* Focused window title: single line, no glow */
+      #window {
+        padding: 0 6px;
+        margin: 0;
+        color: #dedede;
+      }
+
+      /* Sway mode indicator: visible only when active, no bloat */
+      #mode {
+        padding: 0 6px;
+        margin: 0;
+        background: rgba(255, 255, 255, 0.10);
+        color: #ffffff;
+        box-shadow: inset 0 -2px #ffffff;
+      }
+
+      /* Status modules — keep them flat and compact */
+      #clock, #battery, #network, #pulseaudio, #backlight, #cpu, #memory, #temperature, #tray {
+        padding: 0 6px;
+        margin: 0;
+        background: transparent;
+        color: #eaeaea;
+      }
+
+      /* States (battery, network, audio) */
+      #battery.charging { color: #27f902; }
+      #battery.warning:not(.charging) { color: #fc8b02; }
+      #battery.critical:not(.charging) { color: #fc0000; }
+
+      #network.disconnected { color: #ffb4b4; }
+      #pulseaudio.muted    { color: #9aa0a6; }
+
+      /* Tray: compress icons */
+      #tray > .passive { opacity: 0.6; }
+      #tray > .needs-attention { opacity: 1; }
+
+      /* Tooltips: clean and readable */
+      tooltip {
+        background: rgba(30, 30, 30, 0.95);
+        border: 1px solid rgba(255, 255, 255, 0.08);
+        color: #eaeaea;
+        padding: 6px 8px;
+      }
+
+      /* Remove any leftover borders around everything */
+      #custom-*, #idle_inhibitor, #privacy, #bluetooth {
+        border: none;
+        background: transparent;
+        margin: 0;
+        padding: 0 6px;
+      }
+    '';
+  };
+}
--- a/trivionomicon/modules/waybar/options.nix
+++ b/trivionomicon/modules/waybar/options.nix
@ -0,0 +1,23 @@
+{lib, ...}:
+with lib.types; {
+  hm = {
+    battery = lib.mkOption {
+      type = bool;
+      default = false;
+      description = ''
+        `true` to display battery info
+      '';
+    };
+    fontFamily = lib.mkOption {
+      type = str;
+      example = "JetBrainsMono Nerd Font";
+      description = ''
+        needs to be a nerdfont
+      '';
+    };
+    fontSize = lib.mkOption {
+      type = str;
+      default = "12px";
+    };
+  };
+}
--- a/trivionomicon/pkgs/default.nix
+++ b/trivionomicon/pkgs/default.nix
@ -5,5 +5,6 @@ in {
  override = {};

  athena-bccr = callPackage ./athena-bccr {};
+  snapborg = final.python3Packages.callPackage ./snapborg {};
  spliit = callPackage ./spliit {};
 }
--- a/trivionomicon/pkgs/snapborg/0001-Remove-env-arg-from-subprocess-calls.patch
+++ b/trivionomicon/pkgs/snapborg/0001-Remove-env-arg-from-subprocess-calls.patch
@ -0,0 +1,29 @@
+From c363931656938f9cc3354b8e2797fe9abac1b0e3 Mon Sep 17 00:00:00 2001
+From: Alejandro Soto <alejandro@34project.org>
+Date: Sun, 31 Aug 2025 13:30:45 -0600
+Subject: [PATCH] Remove "env" arg from subprocess calls
+
+---
+ snapborg/borg.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/snapborg/borg.py b/snapborg/borg.py
+index 89a3d84..b74ddf7 100644
+--- a/snapborg/borg.py
+++ b/snapborg/borg.py
+@@ -173,11 +173,10 @@ def launch_borg(args, password=None, print_output=False, dryrun=False, cwd=None)
+         # TODO: parse output from JSON log lines
+         try:
+             if print_output:
+-                subprocess.run(cmd, env=env, check=True, cwd=cwd)
+                subprocess.run(cmd, check=True, cwd=cwd)
+             else:
+                 subprocess.check_output(cmd,
+                                         stderr=subprocess.STDOUT,
+-                                        env=env,
+                                         cwd=cwd)
+         except CalledProcessError as e:
+             if e.returncode == 1:
+-- 
+2.49.0
+
--- a/trivionomicon/pkgs/snapborg/default.nix
+++ b/trivionomicon/pkgs/snapborg/default.nix
@ -0,0 +1,34 @@
+{
+  borgbackup,
+  buildPythonApplication,
+  fetchFromGitHub,
+  lib,
+  packaging,
+  pyyaml,
+}:
+buildPythonApplication {
+  pname = "snapborg";
+  version = "0.1.0-unstable-20250331";
+
+  src = fetchFromGitHub {
+    repo = "snapborg";
+    owner = "enzingerm";
+
+    rev = "7e860395319f995161a6e0c7954ce47635e3cd59";
+    hash = "sha256-RzYL4IHulk1Q/ALWFs6YCTeCO8ohwqXH2NMHRctRVSA=";
+  };
+
+  patches = [
+    ./0001-Remove-env-arg-from-subprocess-calls.patch # Fixes broken $PATH when calling borg
+  ];
+
+  propagatedBuildInputs = [
+    borgbackup
+    packaging
+    pyyaml
+  ];
+
+  preFixup = ''
+    makeWrapperArgs+=(--prefix PATH : ${lib.makeBinPath [borgbackup]})
+  '';
+}
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICls/LbyzkIXj5HCp7Qc4eoGcUXzJdQFshNX2caPwgNh openpgp:0x1B7A8CB7`