test

Flake lock file updates:

• Updated input 'homepage':
    'git+https://git.posixlycorrect.com/fabian/homepage.git?ref=refs/heads/master&rev=7e9c71caeb2edb1c8d66fe80f3822cc1b60f1ef8' (2025-09-21)
  → 'git+https://git.posixlycorrect.com/fabian/homepage.git?ref=refs/heads/master&rev=f0cecfa02d67e986cb3eaf537ec2f7007e1b9583' (2025-09-21)

README.md

@@ -1,12 +1,41 @@
-## Unified nix configuration
+# Nix configuration
 
-Update whole flake (clean working directory 1st): `nix flake update --commit-lock-file`
+## Updating
 
-Switch current machine: `sudo nixos-rebuild switch --flake . --show-trace`
+Update flake
 
-Switch current home manager: `home-manager switch --flake . --show-trace`
+    nix flake update --commit-lock-file
 
-## Maintenance shit ()
-Clean shit de Home: `nix store gc`
+Switch current machine
 
-Clean shit de sys: `sudo nix store gc`
+    sudo nixos-rebuild switch --flake . --show-trace
+
+Switch current home manager
+
+    home-manager switch --flake . --show-trace
+
+Switch server
+
+    nixos-rebuild switch --target-host root@posixlycorrect.com --use-substitutes --show-trace --flake .\#vps
+
+Update homepage
+
+    nix flake update --commit-lock-file homepage
+
+
+## Cleanup
+
+Collect garbage (run with sudo to collect root garbage)
+
+    nix-collect-garbage -d
+
+
+## Submodule management
+
+Trivionomicon
+
+    git subtree push --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+    git subtree pull --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+
+## About
+This is a unification of my old configs, which had a combined 506 commits.

flake.lock

@@ -1,6 +1,86 @@
 {
   "nodes": {
+    "authentik-nix": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pyproject-build-systems": "pyproject-build-systems",
+        "pyproject-nix": "pyproject-nix",
+        "systems": "systems",
+        "uv2nix": "uv2nix"
+      },
+      "locked": {
+        "lastModified": 1757676906,
+        "narHash": "sha256-2Zbde5orbGsYdzroe51P1AW8pFMCNyqHgLjmHYJvOmE=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "04db807ac00ba6d62808ffab18b3b6d500b6f7cb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1755873658,
+        "narHash": "sha256-5l1g55b0xozGg0NaZFimiO5JbHGcudaNSEn1/XsweaU=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "dd7c6b29d950664deadbcf5390272619a8bf9a5e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2025.8.1",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1754487366,
+        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
           "nur",
@@ -23,7 +103,10 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": [
+          "authentik-nix",
+          "systems"
+        ]
       },
       "locked": {
         "lastModified": 1731533236,
@@ -61,6 +144,42 @@
       "inputs": {
         "systems": "systems_3"
       },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_5"
+      },
       "locked": {
         "lastModified": 1731533236,
         "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@@ -97,11 +216,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756679287,
-        "narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=",
+        "lastModified": 1757808926,
+        "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8",
+        "rev": "f21d9167782c086a33ad53e2311854a8f13c281e",
         "type": "github"
       },
       "original": {
@@ -111,6 +230,27 @@
         "type": "github"
       }
     },
+    "homepage": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1758437709,
+        "narHash": "sha256-EyflOWOdq007z0P4JdzxAwPoZmuo33Rq/5opdcQ7miQ=",
+        "ref": "refs/heads/master",
+        "rev": "f0cecfa02d67e986cb3eaf537ec2f7007e1b9583",
+        "revCount": 68,
+        "type": "git",
+        "url": "https://git.posixlycorrect.com/fabian/homepage.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.posixlycorrect.com/fabian/homepage.git"
+      }
+    },
     "impermanence": {
       "locked": {
         "lastModified": 1737831083,
@@ -126,9 +266,52 @@
         "type": "github"
       }
     },
+    "mediawikiSkinCitizen": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724097552,
+        "narHash": "sha256-+o5FDWMrEqnva5qcdc45wAYyE2ZtUhEjygUGVt0HsaA=",
+        "owner": "StarCitizenTools",
+        "repo": "mediawiki-skins-Citizen",
+        "rev": "28cd4e18b52aed3270fe7b55bff4545c8314a687",
+        "type": "github"
+      },
+      "original": {
+        "owner": "StarCitizenTools",
+        "ref": "v2.27.0",
+        "repo": "mediawiki-skins-Citizen",
+        "type": "github"
+      }
+    },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725806412,
+        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
+        "owner": "willibutz",
+        "repo": "napalm",
+        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "willibutz",
+        "ref": "avoid-foldl-stack-overflow",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
     "nixGL": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_4",
         "nixpkgs": "nixpkgs"
       },
       "locked": {
@@ -160,13 +343,28 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1753579242,
+        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1757244434,
-        "narHash": "sha256-AeqTqY0Y95K1Fgs6wuT1LafBNcmKxcOkWnm4alD9pqM=",
+        "lastModified": 1757810152,
+        "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "092c565d333be1e17b4779ac22104338941d913f",
+        "rev": "9a094440e02a699be5c57453a092a8baf569bdad",
         "type": "github"
       },
       "original": {
@@ -178,11 +376,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1757068644,
-        "narHash": "sha256-NOrUtIhTkIIumj1E/Rsv1J37Yi3xGStISEo8tZm3KW4=",
+        "lastModified": 1757745802,
+        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8eb28adfa3dc4de28e792e3bf49fcf9007ca8ac9",
+        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
         "type": "github"
       },
       "original": {
@@ -194,15 +392,15 @@
     },
     "nur": {
       "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1757345656,
-        "narHash": "sha256-ZvNfl8pu1iwJW0uUZKV8XHIM7JqJxoZX+EqzjayMDqU=",
+        "lastModified": 1757879066,
+        "narHash": "sha256-EHZWQe3a04DvOlUR2j7LwGCaGqYTStYExpstYezfq3c=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "9009f3b97f820b7b5c2732d423a08bb8d82d179a",
+        "rev": "087c74cd9cc63e44dd20f1dcc5cdb4e5fddc9e14",
         "type": "github"
       },
       "original": {
@@ -211,31 +409,85 @@
         "type": "github"
       }
     },
+    "pyproject-build-systems": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "authentik-nix",
+          "uv2nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756087852,
+        "narHash": "sha256-4jc3JDQt75fYXFrglgqyzF6C6zLU0QGLymzian4aP+U=",
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "rev": "6edb3ae27395cd88be3d64b732d1539957dad59c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "type": "github"
+      }
+    },
+    "pyproject-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756395552,
+        "narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=",
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "rev": "030dffc235dcf240d918c651c78dc5f158067b51",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "flake-utils": "flake-utils",
+        "authentik-nix": "authentik-nix",
+        "flake-utils": "flake-utils_2",
         "hm-isolation": "hm-isolation",
         "home-manager": "home-manager",
+        "homepage": "homepage",
         "impermanence": "impermanence",
+        "mediawikiSkinCitizen": "mediawikiSkinCitizen",
         "nixGL": "nixGL",
         "nixpkgs": "nixpkgs_2",
         "nur": "nur",
         "trivionomicon": "trivionomicon",
-        "unstable": "unstable"
+        "unstable": "unstable",
+        "vpsadminos": "vpsadminos"
       }
     },
     "systems": {
       "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
         "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
         "type": "github"
       }
     },
@@ -269,9 +521,39 @@
         "type": "github"
       }
     },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "trivionomicon": {
       "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_5",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -288,11 +570,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1757068644,
-        "narHash": "sha256-NOrUtIhTkIIumj1E/Rsv1J37Yi3xGStISEo8tZm3KW4=",
+        "lastModified": 1757745802,
+        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8eb28adfa3dc4de28e792e3bf49fcf9007ca8ac9",
+        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
         "type": "github"
       },
       "original": {
@@ -301,6 +583,46 @@
         "repo": "nixpkgs",
         "type": "github"
       }
+    },
+    "uv2nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756466761,
+        "narHash": "sha256-ALXRHIMXQ4qVNfCbcWykC23MjMwUoHn9BreoBfqmq0Y=",
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "rev": "0529e6d8227517205afcd1b37eee3088db745730",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "type": "github"
+      }
+    },
+    "vpsadminos": {
+      "locked": {
+        "lastModified": 1755964485,
+        "narHash": "sha256-+YzznL/mHiSjDFC8vJsSgQ+pvjhqWMsLRjegEKSNv/4=",
+        "owner": "vpsfreecz",
+        "repo": "vpsadminos",
+        "rev": "20f55b1d9bee4fdab62494d4471854d6586d3637",
+        "type": "github"
+      },
+      "original": {
+        "owner": "vpsfreecz",
+        "repo": "vpsadminos",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -8,16 +8,32 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    nur.url = "github:nix-community/NUR";
-    impermanence.url = "github:nix-community/impermanence";
-    hm-isolation.url = "github:3442/hm-isolation";
-    nixGL.url = "github:guibou/nixGL";
-    flake-utils.url = "github:numtide/flake-utils";
-
     trivionomicon = {
       url = "./trivionomicon";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    homepage = {
+      url = "git+https://git.posixlycorrect.com/fabian/homepage.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    authentik-nix = {
+      url = "github:nix-community/authentik-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    mediawikiSkinCitizen = {
+      url = "github:StarCitizenTools/mediawiki-skins-Citizen/v2.27.0";
+      flake = false;
+    };
+
+    flake-utils.url = "github:numtide/flake-utils";
+    hm-isolation.url = "github:3442/hm-isolation";
+    impermanence.url = "github:nix-community/impermanence";
+    nixGL.url = "github:guibou/nixGL";
+    nur.url = "github:nix-community/NUR";
+    vpsadminos.url = "github:vpsfreecz/vpsadminos";
   };
 
   outputs = flakes:
@@ -25,7 +41,6 @@
       inherit flakes;
 
       system = "x86_64-linux";
-      doctrinePrefix = "local";
 
       paths = {
         localOverlay = "pkgs";

home/modules/accounts.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.accounts;
+in {
+  options.local.services.accounts.enable = mkEnableOption "accounts settings";
+  config = mkIf cfg.enable {
+    accounts.email.accounts = {
+      "fabian@posixlycorrect.com" = {
+        address = "fabian@posixlycorrect.com";
+        userName = "fabianmontero@fastmail.com";
+        realName = "fabian";
+        primary = true;
+        flavor = "fastmail.com";
+      };
+    };
+  };
+}

home/modules/baseline.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  flakes,
   ...
 }:
 with lib; let
@@ -11,6 +12,18 @@ in {
     enable = mkEnableOption "Basic home settings";
   };
   config = mkIf cfg.enable {
+    programs.home-manager.enable = true;
+
+    nix.registry = {
+      "system".to = {
+        type = "path";
+        path = "/home/fabian/nix";
+      };
+
+      "nixpkgs".flake = flakes.nixpkgs;
+      "unstable".flake = flakes.unstable;
+    };
+
     xdg = {
       enable = true;
     };
@@ -18,20 +31,30 @@ in {
     home = {
       stateVersion = "24.05"; # DO NOT CHANGE
 
+      username = "fabian";
+      homeDirectory = "/home/fabian";
+
       packages = with pkgs; [
         calc
+        dysk
+        fd
         file
+        fzf
         gcc
         htop
         killall
         man-pages
         man-pages-posix
+        nmap
         pv
+        ripgrep
         tree
         units
         unzip
         vim
+        wl-clipboard
         zip
+        zoxide
       ];
       keyboard = {
         layout = "us";
@@ -44,8 +67,17 @@ in {
 
     programs.git = {
       enable = true;
-      userEmail = "josescalante9808@gmail.com";
-      userName = "josEscalante";
+      userEmail = "fabian@posixlycorrect.com";
+      userName = "Fabian Montero";
+    };
+
+    local = {
+      services = {
+        zsh.enable = true;
+      };
+      programs = {
+        neovim.enable = true;
+      };
     };
   };
 }

home/modules/default.nix

@@ -9,11 +9,17 @@
     ./neovim.nix
     ./baseline.nix
     ./gaming.nix
+    ./yubikey.nix
     ./firefox.nix
     ./gui
     ./zsh
+    ./gpg.nix
     ./defaultDesktopPack.nix
+    ./accounts.nix
+    ./syncthing.nix
     ./mapping.nix
     ./zed.nix
+    ./pass.nix
+    ./halloy.nix
   ];
 }

home/modules/defaultDesktopPack.nix

@@ -5,28 +5,60 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.defaultDesktopPack;
+  cfg = config.local.defaultDesktopPack;
 in {
-  options.local.apps.defaultDesktopPack = {
-    enable = mkEnableOption "common desktop apps";
+  options.local.defaultDesktopPack = {
+    enable = mkEnableOption "common desktop programs and services";
+    laptop = mkOption {
+      type = types.bool;
+      default = false;
+    };
   };
   config = mkIf cfg.enable {
     home.packages = with pkgs; [
       calibre
       chromium
       discord
-      kdePackages.gwenview
+      (gajim.override {
+        enableSecrets = true;
+        enableUPnP = true;
+        enableAppIndicator = true;
+        enableE2E = true;
+        enableRST = true;
+      })
       libreoffice-fresh
       mpv
       obs-studio
       pavucontrol
       pdfarranger
+      qimgv
       qpdfview
+      qbittorrent
+      runelite
       spotify
       tdesktop
+      thunderbird
       usbutils
+      vpsfree-client
       vscodium-fhs
-      trilium-next-desktop
+      zola
     ];
+
+    local = {
+      baseline.enable = true;
+
+      services = {
+        gpg.enable = true;
+        accounts.enable = true;
+        pass.enable = true;
+        syncthing.enable = true;
+      };
+      programs = {
+        firefox.enable = true;
+        zed.enable = true;
+        halloy.enable = true;
+        terminal.enable = true;
+      };
+    };
   };
 }

home/modules/firefox.nix

@@ -5,41 +5,33 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.firefox;
+  cfg = config.local.programs.firefox;
 in {
-  options.local.apps.firefox = {
-    enable = mkEnableOption "firefox settings";
-
-    makeDefaultBrowser = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        Take a guess
-      '';
-    };
+  options.local.programs.firefox = {
+    enable = mkEnableOption "firefox";
   };
 
-  config = mkIf cfg.enable (mkMerge [
-    {
-      programs.firefox.enable = true;
-    }
+  config = mkIf cfg.enable {
+    programs.firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        nativeMessagingHosts = [pkgs.passff-host];
+      };
+    };
 
-    (mkIf cfg.makeDefaultBrowser {
-      xdg = {
-        mimeApps = {
-          enable = true;
-          defaultApplications = {
-            "text/html" = ["firefox"];
-            "text/uri-list" = ["firefox"];
-            "x-scheme-handler/http" = ["firefox"];
-            "x-scheme-handler/https" = ["firefox"];
-            "x-scheme-handler/about" = ["firefox"];
-            "x-scheme-handler/unknown" = ["firefox"];
-          };
+    xdg = {
+      mimeApps = {
+        enable = true;
+        defaultApplications = {
+          "text/html" = ["firefox.desktop"];
+          "text/uri-list" = ["firefox.desktop"];
+          "x-scheme-handler/http" = ["firefox.desktop"];
+          "x-scheme-handler/https" = ["firefox.desktop"];
+          "x-scheme-handler/about" = ["firefox.desktop"];
+          "x-scheme-handler/unknown" = ["firefox.desktop"];
         };
       };
-
-      home.sessionVariables.DEFAULT_BROWSER = "${lib.getExe pkgs.firefox}";
-    })
-  ]);
+    };
+    home.sessionVariables.DEFAULT_BROWSER = "${lib.getExe pkgs.firefox}";
+  };
 }

home/modules/gaming.nix

@@ -5,16 +5,16 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.gaming;
+  cfg = config.local.programs.gaming;
 in {
-  options.local.apps.gaming = {
+  options.local.programs.gaming = {
     enable = mkEnableOption "gaming apps";
   };
   config = mkIf cfg.enable {
-    home.packages = with pkgs; [
-      lutris
-      openrct2
-      prismlauncher
+    home.packages = [
+      pkgs.lutris
+      pkgs.openrct2
+      pkgs.prismlauncher
     ];
   };
 }

home/modules/gpg.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.gpg;
+in {
+  options.local.services.gpg = {
+    enable = mkEnableOption "gpg settings";
+    defaultKey = mkOption {
+      type = types.str;
+      description = "fingerprint of default public key to be used in gpg, git, email, etc.";
+      example = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+    };
+  };
+  config = mkIf cfg.enable {
+    programs.gpg = {
+      enable = true;
+      settings = {
+        default-key = config.local.services.gpg.defaultKey;
+      };
+    };
+
+    services.gpg-agent = {
+      enable = true;
+
+      enableZshIntegration = true;
+      enableBashIntegration = true;
+
+      enableExtraSocket = true;
+      enableSshSupport = true;
+
+      defaultCacheTtl = 3600 * 3;
+      defaultCacheTtlSsh = 3600 * 3;
+
+      maxCacheTtl = 3600 * 6;
+      maxCacheTtlSsh = 3600 * 6;
+
+      pinentry.package = pkgs.pinentry-emacs;
+    };
+
+    accounts.email.accounts = {
+      "fabian@posixlycorrect.com" = {
+        gpg = {
+          encryptByDefault = true;
+          signByDefault = true;
+          key = config.local.services.gpg.defaultKey;
+        };
+      };
+    };
+
+    programs.git = {
+      signing = {
+        key = config.local.services.gpg.defaultKey;
+        signByDefault = true;
+      };
+    };
+  };
+}

home/modules/gui/default.nix

@@ -61,8 +61,8 @@ in {
       mimeApps = {
         enable = true;
         defaultApplications = {
-          "application/pdf" = with pkgs; ["qpdfview"];
-          "x-scheme-handler/file" = with pkgs; ["foot"];
+          "application/pdf" = with pkgs; ["qpdfview.desktop"];
+          "x-scheme-handler/file" = with pkgs; ["foot.desktop"];
         };
       };
     };

home/modules/gui/fonts.nix

@@ -8,7 +8,7 @@
     enable = true;
     defaultFonts = {
       monospace = [
-        "JetBrains Mono"
+        "JetBrainsMono Nerd Font"
         "Noto Sans Mono CJK SC"
         "Noto Sans Mono"
         "Noto Color Emoji"
@@ -31,11 +31,10 @@
   # with fonts.packages buy im too lazy to check
   home.packages = with pkgs; [
     jetbrains-mono
+    nerd-fonts.jetbrains-mono
     noto-fonts
     noto-fonts-cjk-sans
     noto-fonts-emoji
     noto-fonts-extra
-    nerd-fonts.fira-code
-    nerd-fonts.droid-sans-mono
   ];
 }

home/modules/gui/mako.nix

@@ -18,7 +18,7 @@ in {
         progress-color = "over #FFFFFF";
         border-radius = 0;
         default-timeout = 7000;
-        font = "JetBrains Mono 10";
+        font = "JetBrainsMono Nerd Font 10";
         icons = true;
         ignore-timeout = false;
         layer = "top";

home/modules/gui/sway.nix

@@ -62,7 +62,7 @@ in {
         };
 
         fonts = {
-          names = ["JetBrains Mono"];
+          names = ["JetBrainsMono Nerd Font"];
           style = "Regular";
           size = 8.0;
         };
@@ -136,7 +136,7 @@ in {
         keybindings = let
           mod = config.wayland.windowManager.sway.config.modifier;
           grimshot = getExe pkgs.sway-contrib.grimshot;
-          bemenuCommand = ''bemenu-run --center --width-factor 0.2 --fixed-height --list 10 --scrollbar none --auto-select --accept-single --fn "JetBrains Mono 12" --prompt "" --tb "#000000" --tf "#EAEAEA" --fb "#000000" --ff "#EAEAEA" --cb "#EAEAEA" --cf "#000000" --nb "#000000" --nf "#EAEAEA" --sb "#000000" --sf "#EAEAEA" --hb "#000000" --hf "#EAEAEA" --fbb "#000000" --fbf "#000000" --ab "#000000" --af "#EAEAEA"'';
+          bemenuCommand = ''bemenu-run --center --width-factor 0.2 --fixed-height --list 10 --scrollbar none --auto-select --accept-single --fn "JetBrainsMono Nerd Font 12" --prompt "" --tb "#000000" --tf "#EAEAEA" --fb "#000000" --ff "#EAEAEA" --cb "#EAEAEA" --cf "#000000" --nb "#000000" --nf "#EAEAEA" --sb "#000000" --sf "#EAEAEA" --hb "#000000" --hf "#EAEAEA" --fbb "#000000" --fbf "#000000" --ab "#000000" --af "#EAEAEA"'';
         in
           mkOptionDefault {
             "${mod}+a" = "focus parent";
@@ -156,10 +156,13 @@ in {
             command = "${lib.getExe pkgs.sway} 'workspace 1; exec ${lib.getExe pkgs.firefox}'";
           }
           {
-            command = "${lib.getExe pkgs.sway} 'workspace 10; exec ${lib.getExe pkgs.tdesktop}'";
+            command = "${lib.getExe pkgs.sway} 'workspace 2; exec ${lib.getExe pkgs.tdesktop}'";
           }
           {
-            command = "${lib.getExe pkgs.swaybg} -m fill -i ${config.home.homeDirectory}/Pictures/wallpapers/wallpaper.jpg";
+            command = "${lib.getExe pkgs.sway} 'workspace 2; exec ${lib.getExe pkgs.gajim}'";
+          }
+          {
+            command = "${lib.getExe pkgs.swaybg} -m fill -i ${config.home.homeDirectory}/Pictures/wallpapers/jupiter.png";
             always = true;
           }
           {

home/modules/gui/waybar.nix

@@ -6,6 +6,7 @@
 }:
 with lib; let
   cfg = config.local.gui;
+  laptop = config.local.defaultDesktopPack.laptop;
 in {
   config = mkIf cfg.enable {
     programs.waybar = {
@@ -26,58 +27,74 @@ in {
           ];
 
           modules-right = [
+            "keyboard-state"
             "privacy"
             "cpu"
             "memory"
             "disk"
             "temperature"
-            "keyboard-state"
             "tray"
+          ]
+          ++ lists.optionals laptop [
+            "battery"
           ];
-          "keyboard-state" = {
-            numlock = true;
-            capslock = true;
+          battery = mkIf laptop {
+            format = "{capacity}% {icon}";
+            format-plugged = "{capacity}% 󱐥{icon}";
+            format-icons = [ "󰂃" "󰁺" "󰁻" "󰁼" "󰁽" "󰁾" "󰁿" "󰂀" "󰂁" "󰂂" "󰁹" ];
+            states = {
+              warning = 20;
+              critical = 10;
+            };
           };
-          "tray" = {
+          keyboard-state = {
+            capslock = true;
+            format.capslock = "{icon}";
+            format-icons = {
+              locked = "󰘲 ";
+              unlocked = "";
+            };
+          };
+          tray = {
             icon-size = 13;
             spacing = 8;
           };
-          "clock" = {
+          clock = {
             interval = 60;
             format = "{:%A %B %d %Y %H:%M}";
             tooltip = false;
           };
-          "cpu" = {
-            format = "cpu {usage}%";
+          cpu = {
+            format = " {usage}%";
             tooltip = false;
           };
-          "memory" = {
-            format = "mem {percentage}%";
+          memory = {
+            format = " {percentage}% ";
             tooltip = true;
             tooltip-format = "{used}/{total}";
           };
-          "disk" = {
-            format = "disk {specific_used:0.0f}/{specific_total:0.0f}";
+          disk = {
+            format = " {specific_used:0.0f}/{specific_total:0.0f}";
             unit = "GiB";
             tooltip = false;
           };
-          "privacy" = {
+          privacy = {
             icon-size = 12;
           };
         };
       };
       style = ''
         * {
-          font-family: "JetBrains Mono", monospace;
+          font-family: "JetBrainsMono Nerd Font", monospace;
           font-size: 12px;
           font-weight: 500;
           border: none;
           box-shadow: none;
         }
 
-        /* Entire bar: blacc, no border */
+        /* Entire bar: fully transparent, no border */
         window#waybar {
-          background: #000000;
+          background: transparent;
           color: #eaeaea;
           margin: 0;
           padding: 0;
@@ -138,21 +155,21 @@ in {
           margin: 0;
           background: rgba(255, 255, 255, 0.10);
           color: #ffffff;
-          border-bottom: 2px solid #ffffff;
+          box-shadow: inset 0 -2px #ffffff;
         }
 
         /* Status modules — keep them flat and compact */
         #clock, #battery, #network, #pulseaudio, #backlight, #cpu, #memory, #temperature, #tray {
           padding: 0 6px;
           margin: 0;
-          background: #000000;
+          background: transparent;
           color: #eaeaea;
         }
 
         /* States (battery, network, audio) */
-        #battery.charging { color: #c9ffbf; }
-        #battery.warning:not(.charging) { color: #ffd29a; }
-        #battery.critical:not(.charging) { color: #ff9a9a; }
+        #battery.charging { color: #27f902; }
+        #battery.warning:not(.charging) { color: #fc8b02; }
+        #battery.critical:not(.charging) { color: #fc0000; }
 
         #network.disconnected { color: #ffb4b4; }
         #pulseaudio.muted    { color: #9aa0a6; }

home/modules/halloy.nix

@@ -0,0 +1,114 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.halloy;
+in {
+  options.local.programs.halloy = {
+    enable = mkEnableOption "halloy irc client";
+  };
+  config = mkIf cfg.enable {
+    programs.halloy = {
+      enable = true;
+      settings = {
+        theme = "macawCustom";
+        font.size = 16;
+        preview.enabled = false;
+        sidebar = {
+          buffer_action = "replace-pane";
+          focused_buffer_action = "close-pane";
+        };
+        buffer = {
+          channel.topic = {
+            enabled = true;
+          };
+          chathistory.infinite_scroll = true;
+          server_messages = {
+            join.exclude = ["*"];
+            quit.exclude = ["*"];
+          };
+        };
+
+        servers.liberachat = {
+          nickname = "posixlycorrect";
+          nick_password_command = "pass show liberachat_irc";
+
+          username = "fabiansoju/irc.libera.chat";
+          password_command = "pass show soju";
+
+          server = "soju.posixlycorrect.com";
+          port = 6697;
+          chathistory = true;
+          channels = [
+            "##chat"
+            "##politics"
+            "##rust"
+            "#datahoarder"
+            "#git"
+            "#indieweb"
+            "#indieweb-dev"
+            "#linux"
+            "#lobsters"
+            "#nixos"
+            "#OSRS"
+            "#soju"
+          ];
+        };
+      };
+      themes = {
+        macawCustom = {
+          general = {
+            background = "#333333";
+            border = "#505050";
+            horizontal_rule = "#333333";
+            unread_indicator = "#2884FC";
+          };
+
+          text = {
+            primary = "#DFDFDF";
+            secondary = "#C2C2C2";
+            tertiary = "#8839EF";
+            success = "#959595";
+            error = "#959595";
+          };
+
+          buffer = {
+            action = "#959595";
+            background = "#1E1E1E";
+            background_text_input = "#2E2E2E";
+            background_title_bar = "#2E2E2E";
+            border = "#1A1A1A";
+            border_selected = "#1A1A1A";
+            code = "#7287FD";
+            highlight = "#454645";
+            nickname = "#00C8FF";
+            selection = "#777777";
+            timestamp = "#959595";
+            topic = "#DFDFDF";
+            url = "#2884FC";
+            buffer.server_messages = {
+              default = "#959595";
+            };
+          };
+
+          buttons.primary = {
+            background = "#00000000";
+            background_hover = "#484848";
+            background_selected = "#4A4A4A";
+            background_selected_hover = "#666666";
+          };
+
+          buttons.secondary = {
+            background = "#3B3B3B";
+            background_hover = "#484848";
+            background_selected = "#646464";
+            background_selected_hover = "#666666";
+          };
+        };
+      };
+    };
+  };
+}

home/modules/mapping.nix

@@ -5,9 +5,9 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.mapping;
+  cfg = config.local.programs.mapping;
 in {
-  options.local.apps.mapping = {
+  options.local.programs.mapping = {
     enable = mkEnableOption "mapping apps";
   };
   config = mkIf cfg.enable {

home/modules/neovim.nix

@@ -5,9 +5,9 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.neovim;
+  cfg = config.local.programs.neovim;
 in {
-  options.local.apps.neovim = {
+  options.local.programs.neovim = {
     enable = mkEnableOption "Neovim settings";
   };
   config = mkIf cfg.enable {
@@ -40,8 +40,66 @@ in {
       '';
 
       plugins = with pkgs.vimPlugins; [
+        barbar-nvim
+        nvim-web-devicons
         vim-nix
         vim-visual-multi
+        {
+          plugin = nvim-tree-lua;
+          type = "lua";
+          config = ''
+            require("nvim-tree").setup({
+              renderer = {
+                icons = {
+                  show = {
+                    file = true,
+                    folder = true,
+                    folder_arrow = true,
+                    git = true,
+                  },
+                  glyphs = {
+                    git = {
+                      unstaged = "",
+                      staged = "",
+                      unmerged = "",
+                      renamed = "",
+                      untracked = "",
+                      deleted = "",
+                      ignored = "",
+                    },
+                  },
+                },
+              },
+              view = {
+                width = 30,
+                side = 'left',
+              },
+              sync_root_with_cwd = true, --fix to open cwd with tree
+              respect_buf_cwd = true,
+              update_cwd = true,
+              update_focused_file = {
+                enable = true,
+                update_cwd = true,
+                update_root = true,
+              },
+            })
+
+            vim.g.nvim_tree_respect_buf_cwd = 1
+
+            -- use g? for bindings help while in tree
+          '';
+        }
+        {
+          plugin = gruvbox-nvim;
+          type = "lua";
+          config = ''
+            require("gruvbox").setup({
+              contrast = "high",
+            })
+            vim.o.background = "dark"
+            vim.cmd([[colorscheme gruvbox]])
+          '';
+        }
       ];
     };
     home.sessionVariables = {

home/modules/pass.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.pass;
+in {
+  options.local.services.pass = {
+    enable = mkEnableOption "pass settings";
+  };
+  config = mkIf cfg.enable {
+    programs.password-store = {
+      enable = true;
+      package = pkgs.pass.withExtensions (exts:
+        with exts; [
+          pass-audit
+          pass-genphrase
+          pass-otp
+          pass-tomb
+          pass-update
+        ]);
+
+      settings = {
+        PASSWORD_STORE_DIR = "${config.home.homeDirectory}/safe/trust";
+      };
+    };
+  };
+}

home/modules/syncthing.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.syncthing;
+in {
+  options.local.services.syncthing = {
+    enable = mkEnableOption "syncthing settings";
+  };
+
+  config = mkIf cfg.enable {
+    services.syncthing = {
+      enable = true;
+      tray.enable = true;
+    };
+  };
+}

home/modules/terminal.nix

@@ -5,9 +5,11 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.terminal;
+  cfg = config.local.programs.terminal;
 in {
-  options.local.apps.terminal.enable = mkEnableOption "terminal emulator settings";
+  options.local.programs.terminal = {
+    enable = mkEnableOption "terminal emulator settings";
+  };
   config = mkIf cfg.enable {
     programs = {
       foot = {
@@ -15,10 +17,10 @@ in {
         settings = {
           main = {
             term = "xterm-256color";
-            font = "JetBrains Mono:style=Medium:size=12";
-            font-bold = "JetBrains Mono:style=Bold:size=12";
-            font-italic = "JetBrains Mono:style=Italic:size=12";
-            font-bold-italic = "JetBrains Mono:style=Bold Italic:size=12";
+            font = "JetBrainsMono Nerd Font:style=Medium:size=15";
+            font-bold = "JetBrainsMono Nerd Font:style=Bold:size=15";
+            font-italic = "JetBrainsMono Nerd Font:style=Italic:size=15";
+            font-bold-italic = "JetBrainsMono Nerd Font:style=Bold Italic:size=15";
             dpi-aware = "yes";
             initial-window-size-pixels = "1200x600";
           };
@@ -29,15 +31,15 @@ in {
           };
 
           colors = {
-            background = "111111";
-            regular0 = "1E201E"; #black
-            regular1 = "BE3144"; #red
-            regular2 = "1F7D53"; #green
-            regular3 = "FEC260"; #yellow
-            regular4 = "065084"; #blue
-            regular5 = "940B92"; #magenta
-            regular6 = "008B8B"; #cyan
-            regular7 = "D3DAD9"; #white
+            background = "000000";
+            regular0 = "616161";
+            regular1 = "ff4d51";
+            regular2 = "35d450";
+            regular3 = "e9e836";
+            regular4 = "5dc5f8";
+            regular5 = "feabf2";
+            regular6 = "24dfc4";
+            regular7 = "ffffff";
           };
 
           bell = {
@@ -107,6 +109,12 @@ in {
           set -g status-justify left
         '';
       };
+
+      fzf = {
+        enable = true;
+        enableZshIntegration = true;
+        tmux.enableShellIntegration = true;
+      };
     };
     home = {
       sessionVariables = {

home/modules/yubikey.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.yubikey;
+in {
+  options.local.services.yubikey = {
+    enable = mkEnableOption "Yubikey home settings";
+  };
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      yubikey-manager
+      yubico-pam
+      yubikey-personalization
+    ];
+  };
+}

home/modules/zed.nix

@@ -5,16 +5,18 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.zed;
+  cfg = config.local.programs.zed;
 in {
-  options.local.apps.zed.enable = mkEnableOption "zed editor settings";
+  options.local.programs.zed = {
+    enable = mkEnableOption "zed editor settings";
+  };
   config = mkIf cfg.enable {
     programs.zed-editor = {
       enable = true;
       extensions = [
         "nix"
         "codebook"
-        "one-dark"
+        "vscode-dark-high-contrast"
         "catppuccin-icons"
       ];
       extraPackages = with pkgs; [
@@ -23,8 +25,8 @@ in {
       userSettings = {
         disable_ai = true;
         theme = {
-          dark = "One Dark";
-          light = "One Dark";
+          dark = "VSCode Dark High Contrast";
+          light = "VSCode Dark High Contrast";
         };
         icon_theme = {
           dark = "Catppuccin Latte";
@@ -40,8 +42,8 @@ in {
         };
         autosave = "on_focus_change";
         auto_update = false;
-        buffer_font_family = "JetBrains Mono";
-        buffer_font_size = 16;
+        buffer_font_family = "JetBrainsMono Nerd Font";
+        buffer_font_size = 22;
         hide_mouse = "never";
         minimap.show = "auto";
         tabs = {

home/modules/zsh/default.nix

@@ -13,6 +13,7 @@ in {
       type = types.str;
       description = "prompt for your terminal";
       example = literalExpression "%B[%~] \${vcs_info_msg_0_}%b";
+      default = "%B[%~] \${vcs_info_msg_0_}%b";
     };
   };
   config = mkIf cfg.enable {

home/modules/zsh/zshrc.nix

@@ -18,7 +18,7 @@
   zstyle ':completion:*' original true
   zstyle ':completion:*' preserve-prefix '//[^/]##/'
   zstyle ':completion:*' verbose true
-  zstyle :compinstall filename '/home/chem/.zshrc'
+  zstyle :compinstall filename '/home/fabian/.zshrc'
 
   autoload -Uz compinit
   compinit
@@ -79,11 +79,8 @@
   alias l='ls --color -FhAltr'
   alias x='killall --ignore-case --user=$(whoami) --interactive'
   alias tree='tree -CF'
-  alias lock="betterlockscreen -l"
-  alias nightmode="${lib.getExe pkgs.redshift} -P -O 1000"
-  alias lightmode="${lib.getExe pkgs.redshift} -x="
   alias nixoide="nix repl '<nixpkgs>'"
-  alias vim=nvim
+  alias vps="ssh -A vps"
   bindkey -e
   bindkey "^[[1;5D" backward-word
   bindkey "^[[1;5C" forward-word
@@ -101,8 +98,8 @@
     local pkg
     pkg="$1"
     shift
-    echo "nix shell unstable#$pkg --impure"
-    nix shell "unstable#$pkg" "$@"  --impure
+    echo "nix shell nixpkgs#$pkg --impure"
+    nix shell "nixpkgs#$pkg" "$@" --impure
   }
 
   function spawn () {
@@ -130,4 +127,6 @@
   export VISUAL=nvim
   export PATH="$PATH:$HOME/.local/bin:$HOME/.cargo/bin"
   export NIXPKGS_ALLOW_UNFREE=1
+
+  eval "$(fzf --zsh)"
 ''

home/platforms/chem@yuki/default.nix

@@ -1,77 +0,0 @@
-{
-  flakes,
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports = [
-    ./systemd
-    ./isolation.nix
-  ];
-
-  nix.registry = {
-    "system".to = {
-      type = "path";
-      path = "/home/chem/nix";
-    };
-
-    "nixpkgs".flake = flakes.nixpkgs;
-    "unstable".flake = flakes.unstable;
-  };
-
-  local = {
-    baseline.enable = true;
-
-    services = {
-      zsh = {
-        enable = true;
-        prompt = "%B[%~] \${vcs_info_msg_0_}%b";
-      };
-    };
-
-    apps = {
-      #todo move some of this to defaultDesktop pack?
-      terminal.enable = true;
-      neovim.enable = true;
-      gaming.enable = true;
-      defaultDesktopPack.enable = true;
-      firefox.enable = true;
-      mapping.enable = true;
-      zed.enable = true;
-    };
-
-    gui = {
-      enable = true;
-      monitors = {
-        HDMI-A-4 = {
-          width = "1920";
-          height = "1080";
-          rate = "59.94";
-        };
-        DP-1 = {
-          width = "1600";
-          height = "900";
-          rate = "59.94";
-          posX = "1920";
-        };
-      };
-    };
-  };
-
-  home = {
-    packages = with pkgs; [
-      gnucash
-      kdePackages.kdenlive
-      nmap
-      qbittorrent
-      virt-manager
-      vintagestory
-    ];
-
-    username = "chem";
-    homeDirectory = "/home/chem";
-  };
-
-  programs.home-manager.enable = true;
-}

home/platforms/fabian@posixlycorrect/default.nix

@@ -0,0 +1,52 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./systemd
+    ./isolation.nix
+  ];
+
+  local = {
+    defaultDesktopPack.enable = true;
+
+    services = {
+      gpg.defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+      yubikey.enable = true;
+    };
+
+    programs = {
+      gaming.enable = true;
+      mapping.enable = true;
+    };
+
+    gui = {
+      enable = true;
+      monitors = {
+        DP-1 = {
+          width = "1920";
+          height = "1080";
+          rate = "59.94";
+        };
+        DP-2 = {
+          width = "1920";
+          height = "1080";
+          rate = "143.855";
+          posX = "1920";
+        };
+      };
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+      darktable
+      gnucash
+      kdePackages.kdenlive
+      virt-manager
+    ];
+  };
+}

home/platforms/fabian@posixlycorrect/systemd/default.nix

@@ -5,6 +5,6 @@
 }:
 with lib; {
   systemd.user.tmpfiles.rules = [
-    "d %t/tmp 0700 chem chem 24h"
+    "d %t/tmp 0700 fabian fabian 24h"
   ];
 }

home/platforms/fabian@t14/default.nix

@@ -0,0 +1,45 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./systemd
+    ./isolation.nix
+  ];
+
+  local = {
+    defaultDesktopPack = {
+      enable = true;
+      laptop = true;
+    };
+
+    services = {
+      gpg.defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+      yubikey.enable = true;
+    };
+
+    programs = {
+      gaming.enable = true;
+      mapping.enable = true;
+    };
+
+    gui = {
+      enable = true;
+      monitors = {
+        eDP-1 = {
+          width = "1920";
+          height = "1080";
+          rate = "60.00";
+        };
+      };
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+    ];
+  };
+}

home/platforms/fabian@t14/isolation.nix

@@ -0,0 +1,22 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  home.isolation = {
+    enable = true;
+    btrfsSupport = true;
+    defaults = {
+      static = true;
+      bindHome = "home/";
+      persist = {
+        base = "shenvs";
+        btrfs = true;
+      };
+    };
+
+    modulesUnder = ./shenvs;
+  };
+}

home/platforms/fabian@t14/shenvs/c.nix

@@ -0,0 +1,13 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    binutils
+    cmake
+    curl
+    gdb
+    gnumake
+    rustup
+    valgrind
+  ];
+}

home/platforms/fabian@t14/shenvs/python.nix

@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    pipenv
+    (python310.withPackages (packages:
+      with packages; [
+        setuptools
+      ]))
+  ];
+}

home/platforms/fabian@t14/systemd/default.nix

@@ -0,0 +1,10 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.user.tmpfiles.rules = [
+    "d %t/tmp 0700 fabian fabian 24h"
+  ];
+}

home/platforms/fabian@vps/default.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+  ];
+
+  local = {
+    baseline.enable = true;
+
+    services = {
+      zsh.prompt = "%B<%~> \${vcs_info_msg_0_}%b";
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+    ];
+  };
+}

pkgs/config/default.nix

@@ -1,6 +1,5 @@
 {lib}:
 with lib; {
-  android_sdk.accept_license = true; #TODO: what the fuck is this
+  android_sdk.accept_license = true;
   allowUnfreePredicate = pkg: import ./unfree.nix lib (getName pkg);
-  allowInsecurePredicate = pkg: import ./insecure.nix lib (getName pkg);
 }

pkgs/config/insecure.nix

@@ -1,4 +0,0 @@
-lib: name:
-with lib;
-  elem name [
-  ]

pkgs/config/unfree.nix

@@ -8,5 +8,4 @@ with lib;
     "steam-original"
     "steam-unwrapped"
     "steam-run"
-    "vintagestory"
   ]

pkgs/default.nix

@@ -6,6 +6,8 @@
 with prev.lib; let
   inherit (final) callPackage fetchpatch;
 in {
+  homepage = flakes.homepage.packages.${final.system}.default;
+
   override =
     {
       # add python modules here to make them available in all versions

sys/modules/baseline.nix

@@ -53,6 +53,17 @@ in {
         ];
     };
 
+    fonts.packages = with pkgs; [
+      jetbrains-mono
+      nerd-fonts.jetbrains-mono
+      noto-fonts
+      noto-fonts-cjk-sans
+      noto-fonts-emoji
+      noto-fonts-extra
+      nerd-fonts.fira-code
+      nerd-fonts.droid-sans-mono
+    ];
+
     services = {
       openssh.enable = mkDefault true;
 
@@ -62,6 +73,8 @@ in {
       };
     };
 
+    programs.dconf.enable = true;
+
     # Coredumps are a security risk and may use up a lot of disk space
     systemd.coredump.extraConfig = ''
       Storage=none
@@ -72,5 +85,7 @@ in {
       enable = true;
       defaultBitSize = 4096;
     };
+
+    i18n.defaultLocale = "en_US.UTF-8";
   };
 }

sys/modules/borgsync.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.borgsync;
+in {
+  options.local.sys.borgsync = {
+    enable = mkEnableOption "borg backup to an rsync.net repo";
+    paths = mkOption {
+      type = with types; nullOr (coercedTo str singleton (listOf str));
+      default = null;
+      description = "Paths to back up.";
+    };
+    exclude = mkOption {
+      type = with types; listOf str;
+      description = "Exclude paths.";
+      default = [];
+    };
+    repoName = mkOption {
+      type = types.str;
+      description = "Remote rsync repository to back up to.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.borgbackup.jobs.rsync = {
+      paths = cfg.paths;
+      exclude = cfg.exclude;
+      user = "root";
+      group = "root";
+      doInit = true;
+      startAt = [
+        "hourly"
+      ];
+      inhibitsSleep = true;
+      persistentTimer = true;
+
+      repo = "zh5777@zh5777.rsync.net:${cfg.repoName}";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /var/trust/borg/${cfg.repoName}_passphrase";
+      };
+      compression = "auto,lz4";
+      prune = {
+        keep = {
+          hourly = 24;
+          daily = 7;
+          weekly = 4;
+          monthly = 12;
+          yearly = 99;
+        };
+      };
+      extraArgs = [
+        "--remote-path=borg14"
+      ];
+    };
+
+    environment.sessionVariables.BORG_REMOTE_PATH = "borg14";
+  };
+}

sys/modules/default.nix

@@ -6,6 +6,7 @@
 }: {
   imports = [
     ./baseline.nix
+    ./yubikey.nix
     ./audio.nix
     ./graphics.nix
     ./virtualisation.nix
@@ -15,15 +16,8 @@
     ./net.nix
     ./steam.nix
     ./gtklock.nix
-  ];
-
-  fonts.packages = with pkgs; [
-    jetbrains-mono
-    noto-fonts
-    noto-fonts-cjk-sans
-    noto-fonts-emoji
-    noto-fonts-extra
-    nerd-fonts.fira-code
-    nerd-fonts.droid-sans-mono
+    ./borgsync.nix
+    ./dufs.nix
+    ./defaultDesktopPack.nix
   ];
 }

sys/modules/defaultDesktopPack.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.defaultDesktopPack;
+in {
+  options.local.sys.defaultDesktopPack = {
+    enable = mkEnableOption "common desktop programs and services";
+  };
+  config = mkIf cfg.enable {
+    local.sys = {
+      baseline.enable = true;
+
+      audio.enable = true;
+      graphics.enable = true;
+      gtklock.enable = true;
+      steam.enable = true;
+
+      users = {
+        fabian = {
+          enable = true;
+          unixId = 1002; #TODO !!!!!!
+        };
+      };
+    };
+
+    trivium = {
+      sway.enable = true;
+      trivionomiconMotd.enable = true;
+    };
+
+    networking = {
+      networkmanager.enable = true;
+      useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+    };
+  };
+}

sys/modules/dufs.nix

@@ -0,0 +1,233 @@
+# https://github.com/NixOS/nixpkgs/blob/c77cd68706b590b44334bb8c506239b3384c26a0/nixos/modules/services/misc/dufs.nix
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.dufs;
+  types = lib.types;
+in {
+  options.local.sys.dufs = {
+    enable = lib.mkEnableOption "the dufs server";
+    package = lib.mkPackageOption pkgs "dufs" {};
+    settings = lib.mkOption {
+      type = types.submodule {
+        options = {
+          serve-path = lib.mkOption {
+            type = types.path;
+            description = "Specific path to serve.";
+          };
+          bind = lib.mkOption {
+            type = types.nullOr types.str;
+            description = "Specify bind address or unix socket.";
+            default = null;
+          };
+          port = lib.mkOption {
+            type = types.port;
+            description = "Specify port to listen on.";
+            default = 5000;
+          };
+          path-prefix = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Specify a path prefix.";
+            default = null;
+          };
+          hidden = lib.mkOption {
+            type = types.listOf types.str;
+            description = "Hide paths from directory listings, e.g. tmp,*.log,*.lock.";
+            default = [];
+            example = lib.literalExpression ''
+              [
+                "tmp"
+                "*.log"
+                "*.lock."
+              ]
+            '';
+          };
+          allow-all = lib.mkOption {
+            type = types.bool;
+            description = "Allow all operations.";
+            default = true;
+          };
+          allow-upload = lib.mkOption {
+            type = types.bool;
+            description = "Allow upload files/folders.";
+            default = false;
+          };
+          allow-delete = lib.mkOption {
+            type = types.bool;
+            description = "Allow delete files/folders.";
+            default = false;
+          };
+          allow-search = lib.mkOption {
+            type = types.bool;
+            description = "Allow search files/folders.";
+            default = false;
+          };
+          allow-symlink = lib.mkOption {
+            type = types.bool;
+            description = "Allow symlink to files/folders outside root directory.";
+            default = false;
+          };
+          allow-archive = lib.mkOption {
+            type = types.bool;
+            description = "Allow zip archive generation.";
+            default = false;
+          };
+          enable-cors = lib.mkOption {
+            type = types.bool;
+            description = "Enable CORS, sets `Access-Control-Allow-Origin: *`.";
+            default = false;
+          };
+          render-index = lib.mkOption {
+            type = types.bool;
+            description = "Serve index.html when requesting a directory, returns 404 if not found index.html.";
+            default = false;
+          };
+          render-try-index = lib.mkOption {
+            type = types.bool;
+            description = "Serve index.html when requesting a directory, returns directory listing if not found index.html.";
+            default = false;
+          };
+          render-spa = lib.mkOption {
+            type = types.bool;
+            description = "Serve SPA(Single Page Application).";
+            default = false;
+          };
+          assets = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Set the path to the assets directory for overriding the built-in assets.";
+            default = null;
+          };
+          log-format = lib.mkOption {
+            type = types.nullOr types.str;
+            description = "Customize http log format.";
+            default = null;
+            example = lib.literalExpression ''
+              "$remote_addr \"$request\" $status"
+            '';
+          };
+          compress = lib.mkOption {
+            type = types.enum [
+              "none"
+              "low"
+              "medium"
+              "high"
+            ];
+            description = "Customize http log format.";
+            default = "none";
+          };
+          tls-cert = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Path to an SSL/TLS certificate to serve with HTTPS.";
+            default = null;
+          };
+          tls-key = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Path to the SSL/TLS certificate's private key.";
+            default = null;
+          };
+        };
+      };
+      description = "Settings for dufs.";
+    };
+    authFile = lib.mkOption {
+      type = types.nullOr types.path;
+      description = ''
+        Path to file containing auth roles (e.g. user:pass@/dir1:rw,/dir2), one per line.
+
+        Passwords may be hashed, see https://github.com/sigoden/dufs#hashed-password.
+      '';
+      default = null;
+    };
+    openFirewall = lib.mkOption {
+      type = types.bool;
+      description = "Open firewall on configured port.";
+      default = false;
+    };
+    user = lib.mkOption {
+      type = types.str;
+      description = "User to run dufs under.";
+      default = "dufs";
+    };
+    group = lib.mkOption {
+      type = types.str;
+      description = "Group to run dufs under.";
+      default = "dufs";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [cfg.settings.port];
+    systemd.services.dufs = let
+      settings = lib.filterAttrs (_: v: v != null) cfg.settings;
+      pathWritable = settings.allow-all || settings.allow-upload || settings.allow-delete;
+    in {
+      after = ["network.target"];
+      wantedBy = ["multi-user.target"];
+      environment.DUFS_CONFIG = (pkgs.formats.yaml {}).generate "dufs-config.yaml" settings;
+      script = ''
+        ${lib.optionalString (cfg.authFile != null) ''
+          export DUFS_AUTH=$(tr '\n' '|' < ${lib.escapeShellArg cfg.authFile} | sed 's/|$//')
+        ''}
+        exec ${lib.escapeShellArg (lib.getExe cfg.package)}
+      '';
+      serviceConfig = {
+        BindReadOnlyPaths =
+          [
+            builtins.storeDir
+          ]
+          ++ lib.optional (!pathWritable) settings.serve-path
+          ++ lib.optional (cfg.authFile != null) cfg.authFile;
+        BindPaths = lib.mkIf pathWritable settings.serve-path;
+        CapabilityBoundingSet = "";
+        DeviceAllow = "";
+        Group = cfg.group;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RootDirectory = "/run/dufs";
+        RuntimeDirectory = "dufs";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@resources"
+          "~@privileged"
+        ];
+        User = cfg.user;
+      };
+    };
+    users = {
+      users.dufs = lib.mkIf (cfg.user == "dufs") {
+        group = cfg.group;
+        home = cfg.settings.serve-path;
+        isSystemUser = true;
+      };
+      groups.dufs = lib.mkIf (cfg.group == "dufs") {};
+    };
+  };
+  meta.maintainers = with lib.maintainers; [jackwilsdon];
+}

sys/modules/graphics.nix

@@ -16,7 +16,5 @@ in {
     };
 
     hardware.graphics.enable = true;
-
-    programs.dconf.enable = true;
   };
 }

sys/modules/gtklock.nix

@@ -26,7 +26,7 @@ in {
         window {
           background-color: black;
           color: #eaeaea;
-          font-family: "JetBrains Mono", monospace;
+          font-family: "JetBrainsMono Nerd Font", monospace;
           font-size: 14px;
         }
 

sys/modules/users.nix

@@ -31,7 +31,7 @@ in {
 
   config = {
     local.sys.users = {
-      chem = {
+      fabian = {
         unixId = mkDefault 1000;
         admin = true;
       };
@@ -54,7 +54,7 @@ in {
           shell = pkgs.zsh;
           extraGroups =
             ["users" "networkmanager"]
-            ++ optionals (v.admin) ["wheel" "libvirtd" "dialout" "adbusers"];
+            ++ optionals (v.admin) ["wheel" "libvirtd" "dialout" "adbusers" "video" "input"];
           openssh.authorizedKeys.keyFiles = v.sshKeyPublicFile;
         })
         enabledUsers;

sys/modules/yubikey.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.yubikey;
+in {
+  options.local.sys.yubikey = {
+    enable = mkEnableOption "yubikey settings";
+  };
+  config = mkIf cfg.enable {
+    services = {
+      pcscd.enable = true;
+      udev.packages = [pkgs.yubikey-personalization];
+    };
+
+    environment.etc."pkcs11/modules/ykcs11".text = ''
+      module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+    '';
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+
+    security.pam = {
+      services = {
+        login.u2fAuth = true;
+        sudo.u2fAuth = true;
+      };
+
+      u2f = {
+        enable = true;
+        control = "sufficient";
+        settings = {
+          debug = false;
+          cue = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/posixlycorrect/default.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}: {
+  imports = [
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+  ];
+
+  local.sys = {
+    defaultDesktopPack.enable = true;
+
+    yubikey.enable = true;
+    virtualisation.enable = true;
+    androidSupport.enable = true;
+    borgsync = {
+      enable = true;
+      paths = [
+        "/home/fabian/nix"
+        "/home/fabian/safe"
+        "/xtern/backup"
+      ];
+      repoName = "posixlycorrect";
+    };
+  };
+
+  networking = {
+    hostName = "posixlycorrect";
+    hostId = "0414a727";
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = true;
+    supportedFilesystems = ["zfs"];
+    zfs = {
+      forceImportRoot = false;
+      useKeyringForCredentials = true;
+    };
+  };
+
+  time.timeZone = "America/Costa_Rica";
+}

sys/platforms/posixlycorrect/hardware-configuration.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: let
+  subvol = subvol: {
+    device = "/dev/disk/by-uuid/645fdba0-5c03-4285-926b-facded1ee259";
+    fsType = "btrfs";
+    options = ["subvol=${subvol}" "compress=zstd" "noatime" "ssd"];
+  };
+in {
+  imports = [
+    flakes.nixpkgs.nixosModules.notDetected
+  ];
+
+  boot.initrd = {
+    availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+    luks.devices."toplevel" = {
+      device = "/dev/disk/by-uuid/58277baa-90d4-4a5e-a658-1b918b89130a";
+      preLVM = false;
+    };
+  };
+
+  fileSystems = {
+    "/" = subvol "root";
+    "/toplevel" = subvol "/";
+    "/boot" = {
+      device = "/dev/disk/by-uuid/B007-B007";
+      fsType = "vfat";
+      options = ["umask=027"];
+    };
+
+    "/extern" = {
+      device = "/dev/disk/by-uuid/7d8d3ec9-b456-4e2a-9396-551dcaf7705b";
+      fsType = "btrfs";
+      options = ["noatime" "compress=zstd"];
+    };
+  };
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

sys/platforms/t14/default.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}: {
+  imports = [
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+  ];
+
+  local.sys = {
+    defaultDesktopPack.enable = true;
+
+    yubikey.enable = true;
+    bluetooth.enable = true;
+  };
+
+  trivium = {
+    laptop.enable = true;
+    thinkpad.enable = true;
+  };
+
+  services = {
+    fwupd.enable = true; #TODO
+    pcscd.enable = true; #TODO
+  };
+
+  hardware.acpilight.enable = true;
+
+  networking.hostName = "t14";
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+  };
+
+  time.timeZone = "America/Costa_Rica";
+}

sys/platforms/t14/hardware-configuration.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  services.xserver.videoDrivers = ["i915" "modesetting" "fbdev"];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "sdhci_pci"];
+      kernelModules = ["dm-snapshot"];
+      luks.devices."tomb" = {
+        device = "/dev/disk/by-uuid/0b2b9aec-c239-4cce-948d-4411d9300c1d";
+        preLVM = true;
+      };
+    };
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=root"];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/A7E5-EEAB";
+      fsType = "vfat";
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=nix"];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=home"];
+    };
+
+    "/toplevel" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+    };
+  };
+
+  swapDevices = [];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

sys/platforms/vps/default.nix

@@ -0,0 +1,140 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  doctrine,
+  ...
+}:
+with lib; {
+  imports = [
+    flakes.vpsadminos.nixosConfigurations.container
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+    ./srv
+    ./networkMap.nix
+  ];
+
+  local.sys = {
+    baseline.enable = true;
+
+    borgsync = {
+      enable = true;
+      paths = [
+        "/var/lib/forgejo"
+        "/var/lib/mealie"
+        "/var/lib/trilium"
+        "/var/lib/forgejo"
+      ];
+      repoName = "vps";
+    };
+
+    users.fabian = {
+      enable = true;
+      sshKeyPublicFile = [pki/id_ed25519.pub]; # move this out someday
+    };
+  };
+
+  trivium.soju = {
+    enable = true;
+    fullyQualifiedDomain = "soju.posixlycorrect.com";
+  };
+
+  services.openssh = {
+    settings.PasswordAuthentication = false;
+  };
+
+  programs.mosh.enable = true;
+
+  networking = {
+    hostName = "vps";
+    domain = "posixlycorrect.com";
+    firewall.allowedUDPPorts = [51820]; #TODO
+  };
+
+  time.timeZone = "Europe/Amsterdam";
+
+  systemd = {
+    extraConfig = ''
+      DefaultTimeoutStartSec=900s
+    '';
+
+    network = let
+      inherit (config.local.sys) nets;
+    in {
+      enable = true;
+
+      netdevs = {
+        wg-vpn = {
+          netdevConfig = {
+            Name = "wg-vpn";
+            Kind = "wireguard";
+          };
+
+          wireguardConfig = {
+            PrivateKeyFile = "/var/trust/wg/vpn/key.priv";
+            ListenPort = "51820";
+          };
+
+          wireguardPeers = [
+            {
+              PublicKey = "wwUp3Uu/rSxbp+6J745O+cpnZHGWOJYWfWEsTjRE3yU=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-posixlycorrect.psk";
+              AllowedIPs = ["${nets.vpn-posixlycorrect.v6.cidr}"];
+            }
+            {
+              PublicKey = "YFqg/ED26KygSRSmGzvUXpwnXPqMOI3R3caVfAtHVks=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-pixel8.psk";
+              AllowedIPs = ["${nets.vpn-pixel8.v6.cidr}"];
+            }
+          ];
+        };
+      };
+
+      networks = {
+        wg-vpn = {
+          name = "wg-vpn";
+
+          networkConfig = {
+            Address = [
+              nets.vpn-vps.hosts.vps.v6.cidr
+            ];
+          };
+
+          routes = [
+            {
+              Destination = nets.vpn.v6.cidr;
+            }
+            {
+              Source = nets.vpn.v6.cidr;
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+
+    extraSpecialArgs = {
+      inherit flakes;
+      doctrine = flakes.trivionomicon.lib.mkDoctrine {
+        inherit pkgs;
+        inherit (doctrine) prefix;
+        namespace = "home";
+      };
+    };
+
+    users.fabian = {
+      imports = [
+        flakes.impermanence.nixosModules.home-manager.impermanence
+        "${flakes.self}/home/platforms/fabian@vps"
+        "${flakes.self}/home"
+      ];
+    };
+  };
+}

sys/platforms/vps/hardware-configuration.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: let
+in {
+  fileSystems = {
+    "/mnt/export2008" = {
+      device = "172.16.129.19:/nas/5876";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2178" = {
+      device = "172.16.129.151:/nas/5876/immich";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2179" = {
+      device = "172.16.131.31:/nas/5876/syncthing";
+      fsType = "nfs";
+      options = ["nofail"];
+    };
+  };
+}

sys/platforms/vps/networkMap.nix

@@ -0,0 +1,78 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  local.sys.nets = {
+    default = {
+      v4 = {
+        bits = 32;
+        prefix = "37.205.12.34";
+      };
+
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:fe:102";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+        vps.v4.suffix = "";
+      };
+    };
+
+    vpn = {
+      v6 = {
+        bits = 48;
+        prefix = "2a03:3b40:2b";
+      };
+    };
+
+    vpn-vps = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1000";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+      };
+    };
+
+    vpn-posixlycorrect = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1001";
+      };
+
+      hosts = {
+        posixlycorrect.v6.suffix = "1";
+      };
+    };
+
+    vpn-pixel8 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1002";
+      };
+
+      hosts = {
+        pixel8.v6.suffix = "1";
+      };
+    };
+
+    vpn-t14 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1003";
+      };
+
+      hosts = {
+        t14.v6.suffix = "1";
+      };
+    };
+  };
+}

sys/platforms/vps/pki/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICls/LbyzkIXj5HCp7Qc4eoGcUXzJdQFshNX2caPwgNh openpgp:0x1B7A8CB7

sys/platforms/vps/srv/calibre-web.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."calibre.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://[::1]:8083";
+        };
+      };
+    };
+
+    calibre-web = {
+      enable = true;
+      options = {
+        enableBookUploading = true;
+        calibreLibrary = "/var/lib/calibre-web/calibre_library";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/default.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+    ./net.nix
+    ./mediawiki.nix
+    ./forgejo.nix
+    ./vaultwarden.nix
+    ./msmtp.nix
+    ./trilium.nix
+    ./syncthing.nix
+    ./calibre-web.nix
+    ./immich.nix
+    ./mealie.nix
+    ./dufs.nix
+    ./isso.nix
+    ./miniflux.nix
+    ./radicale.nix
+  ];
+}

sys/platforms/vps/srv/dufs.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."public.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5000";
+        };
+      };
+    };
+  };
+
+  local.sys.dufs = {
+    enable = true;
+    settings = {
+      serve-path = "/var/public";
+      allow-all = false;
+      allow-archive = true;
+    };
+  };
+}

sys/platforms/vps/srv/forgejo.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  config = {
+    environment.etc."fail2ban/filter.d/gitea.local".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+    '';
+
+    services = {
+      nginx = {
+        virtualHosts."git.posixlycorrect.com" = {
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 128;
+          '';
+          locations."/".proxyPass = "http://localhost:9170";
+        };
+      };
+
+      fail2ban.jails.gitea.settings = {
+        filter = "gitea";
+        logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+        maxretry = "10";
+        findtime = "3600";
+        bantime = "900";
+        action = "iptables-allports";
+      };
+
+      forgejo = {
+        enable = true;
+        lfs.enable = true;
+        useWizard = false;
+        settings = {
+          general.APP_NAME = "posixlycorrect";
+          ui.DEFAULT_THEME = "forgejo-dark";
+          server = {
+            DOMAIN = "git.posixlycorrect.com";
+            ROOT_URL = "https://git.posixlycorrect.com";
+            HTTP_PORT = 9170;
+            LANDING_PAGE = "explore";
+          };
+
+          service.DISABLE_REGISTRATION = true;
+
+          actions = {
+            ENABLED = true;
+          };
+          mailer = {
+            ENABLED = false;
+          };
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/immich.nix

@@ -0,0 +1,72 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."photos.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://localhost:2283";
+        };
+      };
+    };
+
+    immich = {
+      enable = true;
+      secretsFile = "/var/trust/immich/secrets.txt";
+      mediaLocation = "/mnt/export2178/immich/media";
+      machine-learning.enable = false;
+      environment = {
+        IMMICH_TELEMETRY_EXCLUDE = "host,api,io,repo,job";
+      };
+      settings = {
+        machineLearning = {
+          enabled = false;
+        };
+        job = {
+          backgroundTask = {
+            concurrency = 1;
+          };
+          smartSearch = {
+            concurrency = 1;
+          };
+          metadataExtraction = {
+            concurrency = 1;
+          };
+          faceDetection = {
+            concurrency = 1;
+          };
+          search = {
+            concurrency = 1;
+          };
+          sidecar = {
+            concurrency = 1;
+          };
+          library = {
+            concurrency = 1;
+          };
+          migration = {
+            concurrency = 1;
+          };
+          thumbnailGeneration = {
+            concurrency = 1;
+          };
+          videoConversion = {
+            concurrency = 1;
+          };
+          notifications = {
+            concurrency = 1;
+          };
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/isso.nix

@@ -0,0 +1,45 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."isso.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8888/";
+        };
+      };
+    };
+
+    isso = {
+      enable = true;
+      settings = {
+        general = {
+          host = "https://posixlycorrect.com/";
+          dbpath = "/var/lib/isso/comments.db";
+          notify = "stdout";
+        };
+        moderation = {
+          enabled = false;
+          approve-if-email-previously-approved = false;
+          purge-after = "365d";
+        };
+        server = {
+          listen = "http://127.0.0.1:8888/";
+        };
+        guard = {
+          require-author = true;
+          require-email = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/mealie.nix

@@ -0,0 +1,37 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.services.wiki-js = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+
+  services = {
+    nginx = {
+      virtualHosts."food.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9000";
+        };
+      };
+    };
+
+    mealie = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      port = 9000;
+      credentialsFile = "/var/trust/mealie/credentials.env";
+      settings = {
+        ALLOW_SIGNUP = "false";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/mediawiki.nix

@@ -0,0 +1,71 @@
+{
+  lib,
+  pkgs,
+  flakes,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."wiki.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+    mediawiki = {
+      enable = true;
+      name = "posixlycorrect wiki";
+      webserver = "nginx";
+      nginx.hostName = "wiki.posixlycorrect.com";
+      database.type = "postgres";
+
+      passwordFile = "/run/keys/mediawiki-password";
+
+      skins = {
+        citizen = "${flakes.mediawikiSkinCitizen}";
+      };
+
+      extraConfig = ''
+        # Disable anonymous editing and account creation
+        $wgGroupPermissions['*']['edit'] = false;
+        $wgGroupPermissions['*']['createaccount'] = false;
+
+        $wgDefaultSkin = 'citizen';
+        $wgDefaultMobileSkin = 'citizen';
+        $wgCitizenThemeDefault = 'dark';
+        $wgCitizenShowPageTools = 'login';
+        $wgLogos = [
+          'icon' => "https://posixlycorrect.com/favicon.png",
+          '1x' => "https://posixlycorrect.com/favicon.png",
+          '2x' => "https://posixlycorrect.com/favicon.png",
+        ];
+
+        $wgEnableEmail = false; #TODO: arreglar esto
+        $wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
+        $wgEmergencyContact = 'mediawiki@posixlycorrect.com';
+        $wgPasswordSender = 'mediawiki@posixlycorrect.com';
+      '';
+
+      extensions = {
+        # some extensions are included and can enabled by passing null
+        VisualEditor = null;
+        CategoryTree = null;
+        CiteThisPage = null;
+        Scribunto = null;
+        Cite = null;
+        CodeEditor = null;
+        Math = null;
+        MultimediaViewer = null;
+        PdfHandler = null;
+        Poem = null;
+        SecureLinkFixer = null;
+        WikiEditor = null;
+        ParserFunctions = null;
+      };
+    };
+  };
+}

sys/platforms/vps/srv/miniflux.nix

@@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."rss.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8087";
+        };
+      };
+    };
+
+    miniflux = {
+      enable = true;
+      adminCredentialsFile = "/var/trust/miniflux/adminCredentialsFile";
+      config = {
+        CLEANUP_FREQUENCY = 48;
+        LISTEN_ADDR = "127.0.0.1:8087";
+        BASE_URL = "https://rss.posixlycorrect.com";
+        CREATE_ADMIN = 1;
+      };
+    };
+  };
+}

sys/platforms/vps/srv/msmtp.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  users.groups = {
+    mailsenders = {
+      members = ["fabian" "mediawiki"];
+    };
+  };
+
+  # esto sirve para que PHP pueda accesar la clave smtp de fastmail
+  #systemd.services.phpfpm-mediawiki = {
+  #  path = [ "/run/wrappers" ];
+  #  serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
+  #};
+
+  programs = {
+    msmtp = {
+      enable = true;
+      accounts = {
+        default = {
+          auth = true;
+          host = "smtp.fastmail.com";
+          port = 587;
+          passwordeval = "cat /var/trust/fastmail/smtp_key";
+          user = "fabianmontero@fastmail.com";
+          tls = true;
+          tls_starttls = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/net.nix

@@ -0,0 +1,100 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  inherit (config.local.sys) nets;
+in {
+  # adds "/var/lib/acme/acme-challenge" as a webroot fallback
+  options = {
+    security.acme = {
+      certs = mkOption {
+        type = with types;
+          attrsOf (submodule ({config, ...}: {
+            config = {
+              webroot =
+                if config.dnsProvider == null
+                then "/var/lib/acme/acme-challenge"
+                else null;
+            };
+          }));
+      };
+    };
+  };
+
+  config = {
+    networking = {
+      nftables.enable = false; # learn how to use this later
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [80 443];
+      };
+      domain = "posixlycorrect.com";
+    };
+
+    # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "fabian@posixlycorrect.com";
+      };
+    };
+
+    services = {
+      nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        logError = "/var/log/nginx/error.log";
+        clientMaxBodySize = "99M";
+        virtualHosts = {
+          "posixlycorrect.com" = {
+            forceSSL = true;
+            enableACME = true;
+            locations = {
+              "/".root = "${pkgs.trivium.homepage}";
+              "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
+            };
+          };
+        };
+      };
+
+      fail2ban = {
+        enable = true;
+        bantime = "10m";
+        ignoreIP = [
+          nets.default.hosts.vps.v6.cidr
+          nets.default.hosts.vps.v4.address
+          nets.vpn.v6.cidr
+        ];
+        bantime-increment = {
+          enable = true;
+          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+          maxtime = "48h"; # Do not ban for more than 48h
+          rndtime = "10m";
+          overalljails = true; # Calculate the bantime based on all the violations
+        };
+        jails = {
+          # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+          nginx-botsearch.settings = {
+            # Usar log en vez de journalctl
+            # TODO: Pasar todo a systemd?
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+          };
+          nginx-bad-request.settings = {
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+            maxretry = 10;
+          };
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/radicale.nix

@@ -0,0 +1,41 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."dav.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5232";
+        };
+      };
+    };
+
+    radicale = {
+      enable = true;
+      settings = {
+        server = {
+          hosts = ["127.0.0.1:5232"];
+        };
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = "/var/trust/radicale/htpasswd";
+          htpasswd_encryption = "bcrypt";
+        };
+        storage = {
+          filesystem_folder = "/var/lib/radicale/collections";
+        };
+        web.type = "internal";
+        rights.type = "authenticated";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/syncthing.nix

@@ -0,0 +1,42 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    syncthing = {
+      enable = true;
+      systemService = true;
+      overrideFolders = false;
+      overrideDevices = false;
+      openDefaultPorts = true;
+      guiAddress = "127.0.0.1:8384";
+      settings.options.urAccepted = -1;
+      dataDir = "/mnt/export2179/syncthing";
+      relay = {
+        enable = true;
+        pools = [];
+        providedBy = "vps.posixlycorrect.com";
+      };
+    };
+  };
+
+  # calibre web stuff. make this better someday, this is pure duct-tape
+  users.groups."calybresync".members = ["syncthing" "calibre-web"];
+  systemd = {
+    services."calybreown" = {
+      script = ''
+        chgrp -R calybresync /var/lib/calibre-web/calibre_library
+        chmod -R g+w /var/lib/calibre-web/calibre_library
+      '';
+      serviceConfig.Type = "oneshot";
+    };
+    timers."calybreown" = {
+      wantedBy = [
+        "timers.target"
+      ];
+      timerConfig.OnCalendar = "*-*-* *:00/30:00";
+    };
+  };
+}

sys/platforms/vps/srv/trilium.nix

@@ -0,0 +1,34 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."notes.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+
+    trilium-server = {
+      enable = true;
+      package = pkgs.trilium-next-server;
+      host = "127.0.0.1";
+      port = 8458;
+      noAuthentication = false;
+      noBackup = true; # I already backup the whole dataDir, so no need for this
+      instanceName = "posixlycorrect";
+      dataDir = "/var/lib/trilium";
+      nginx = {
+        enable = true;
+        hostName = "notes.posixlycorrect.com";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/vaultwarden.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."vault.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+      };
+    };
+
+    #fail2ban.jails.gitea.settings = { };
+
+    postgresql = {
+      ensureDatabases = ["vaultwarden"];
+      ensureUsers = [
+        {
+          name = "vaultwarden";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = "/var/trust/vaultwarden/smtp_key";
+      config = {
+        DOMAIN = "https://vault.posixlycorrect.com";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        ROCKET_LOG = "critical";
+
+        # Using FASTMAIL mail server
+        # If you use an external mail server, follow:
+        #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+        SMTP_HOST = "smtp.fastmail.com";
+        SMTP_PORT = 587;
+        SMTP_SECURITY = "starttls";
+
+        SMTP_FROM = "vault@posixlycorrect.com";
+        SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
+
+        SMTP_AUTH_MECHANISM = "PLAIN";
+
+        DATABASE_URL = "postgresql:///vaultwarden";
+      };
+    };
+
+    bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
+  };
+}

sys/platforms/yuki/default.nix

@@ -1,55 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  flakes,
-  ...
-}: {
-  imports = [
-    flakes.home-manager.nixosModules.home-manager
-    flakes.impermanence.nixosModule
-    ./hardware-configuration.nix
-  ];
-
-  local.sys = {
-    baseline.enable = true;
-
-    audio.enable = true;
-    graphics.enable = true;
-    virtualisation.enable = true;
-    androidSupport.enable = true;
-    steam.enable = true;
-    gtklock.enable = true;
-
-    users = {
-      chem = {
-        enable = true;
-      };
-    };
-  };
-
-  local.sway.enable = true;
-
-  networking = {
-    hostName = "yuki";
-    networkmanager.enable = true;
-
-    useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-    #interfaces.enp7s0.useDHCP = true; # Per-interface useDHCP will be mandatory in the future, so this generated config
-    #interfaces.wlp6s0.useDHCP = true; # replicates the default behaviour.
-  };
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    tmp.useTmpfs = true;
-    kernelPackages = pkgs.linuxPackages_zen;
-  };
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8"; #todo: move to baseline?
-
-  time.timeZone = "America/Costa_Rica"; #todo: move to baseline?
-}

sys/platforms/yuki/hardware-configuration.nix

@@ -1,42 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
-  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = ["kvm-intel"];
-  boot.extraModulePackages = [];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/b925ebc0-f717-4f0d-83ca-a9a29990b8e2";
-    fsType = "btrfs";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/EC62-0FDF";
-    fsType = "vfat";
-    options = ["fmask=0022" "dmask=0022"];
-  };
-
-  swapDevices = [];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

trivionomicon/flake.nix

@@ -9,11 +9,11 @@
     nixpkgs,
     flake-utils,
   }: let
-    mapOverlayOverride = namespace: overlay: final: prev: let
+    mapOverlayOverride = prefix: overlay: final: prev: let
       overlayPkgs = overlay final prev;
     in
       {
-        "${namespace}" = builtins.removeAttrs overlayPkgs ["override"];
+        "${prefix}" = (prev.${prefix} or {}) // builtins.removeAttrs overlayPkgs ["override"];
       }
       // (overlayPkgs.override or {});
 
@@ -30,7 +30,7 @@
       packages =
         (import nixpkgs {
           inherit system;
-          overlays = [(mapOverlayOverride doctrineNoPkgs.prefix (import ./pkgs))];
+          overlays = [self.overlays.default];
         }).${
           doctrineNoPkgs.prefix
         };
@@ -121,7 +121,7 @@
                     }
                     # NB: Preserve the relative order
                     {
-                      overlay = self.overlays.default;
+                      overlay = mapOverlayOverride prefix (import ./pkgs);
                       condition = true;
                     }
                     {
@@ -164,24 +164,12 @@
           }
           // optionalAttrs (paths ? nixosSource) {
             nixosConfigurations = let
-              nixosSystem = {modules}:
-                lib.makeOverridable nixpkgs.lib.nixosSystem {
-                  inherit modules pkgs system;
-
-                  specialArgs = {
-                    inherit flakes;
-
-                    doctrine = mkDoctrine {
-                      inherit pkgs;
-                      namespace = "sys";
-                    };
-                  };
-                };
-
               hostConfig = platform:
-                nixosSystem {
+                self.lib.mkSystem {
+                  inherit flakes pkgs;
+                  doctrine = doctrineNoPkgs;
+
                   modules = [
-                    self.nixosModules.default
                     nixosSourcePath
                     platform
                   ];
@@ -213,6 +201,29 @@
             in
               lib.mapAttrs home (importAll {root = hmPlatformsPath;});
           };
+
+        mkSystem = {
+          pkgs,
+          flakes,
+          doctrine,
+          modules,
+        }:
+          flakes.nixpkgs.lib.makeOverridable flakes.nixpkgs.lib.nixosSystem {
+            inherit pkgs;
+            inherit (pkgs) system;
+
+            modules = [self.nixosModules.default] ++ modules;
+
+            specialArgs = {
+              inherit flakes;
+
+              doctrine = self.lib.mkDoctrine {
+                inherit pkgs;
+                inherit (doctrine) prefix;
+                namespace = "sys";
+              };
+            };
+          };
       };
     };
 }

trivionomicon/modules/soju/default.nix

@@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "soju";
+  sys = ./sys.nix;
+  options = ./options.nix;
+}

trivionomicon/modules/soju/options.nix

@@ -0,0 +1,16 @@
+{lib, ...}:
+with lib.types; {
+  sys = {
+    fullyQualifiedDomain = lib.mkOption {
+      type = str;
+      example = "soju.trivionomicon.com";
+      description = "fully qualified domain name to be used by soju";
+    };
+
+    port = lib.mkOption {
+      type = port;
+      default = 6697;
+      description = "port to be used by soju";
+    };
+  };
+}

trivionomicon/modules/soju/sys.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  lib,
+  cfg,
+  doctrine,
+  ...
+}:
+with lib; {
+  security.acme.certs."${cfg.fullyQualifiedDomain}" = {
+    reloadServices = ["soju.service"];
+    group = "soju";
+  };
+
+  networking.firewall.allowedTCPPorts = [cfg.port];
+
+  services.soju = let
+    sojuCertDir = config.security.acme.certs."${cfg.fullyQualifiedDomain}".directory;
+  in {
+    enable = true;
+    hostName = "${cfg.fullyQualifiedDomain}";
+    listen = ["ircs://[::]:${toString cfg.port}"];
+    tlsCertificate = "${sojuCertDir}/fullchain.pem";
+    tlsCertificateKey = "${sojuCertDir}/key.pem";
+  };
+
+  systemd.services.soju = {
+    after = ["acme-${cfg.fullyQualifiedDomain}.service"];
+    serviceConfig = {
+      DynamicUser = mkForce false; # fuck dynamic users
+      User = "soju";
+      Group = "soju";
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      RemoveIPC = true;
+    };
+  };
+
+  users = {
+    users.soju = {
+      isSystemUser = true;
+      group = "soju";
+    };
+    groups.soju = {};
+  };
+}

trivionomicon/modules/trivionomiconMotd/default.nix

@@ -0,0 +1,10 @@
+{
+  config,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "trivionomiconMotd";
+  sys = ./sys.nix;
+}

trivionomicon/modules/trivionomiconMotd/sys.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  users.motd = ''
+                                          _   _             _   _
+                                         | | | |           | | | |
+     _ __   _____      _____ _ __ ___  __| | | |__  _   _  | |_| |__   ___
+    | '_ \ / _ \ \ /\ / / _ \ '__/ _ \/ _` | | '_ \| | | | | __| '_ \ / _ \
+    | |_) | (_) \ V  V /  __/ | |  __/ (_| | | |_) | |_| | | |_| | | |  __/
+    | .__/ \___/ \_/\_/ \___|_|  \___|\__,_| |_.__/ \__, |  \__|_| |_|\___|
+    | |                                              __/ |
+    |_|_____ _____  _______      _______ ____  _   _|___/_  __  __ _____ _____ ____  _   _
+    |__   __|  __ \|_   _\ \    / /_   _/ __ \| \ | |/ __ \|  \/  |_   _/ ____/ __ \| \ | |
+       | |  | |__) | | |  \ \  / /  | || |  | |  \| | |  | | \  / | | || |   | |  | |  \| |
+       | |  |  _  /  | |   \ \/ /   | || |  | | . ` | |  | | |\/| | | || |   | |  | | . ` |
+       | |  | | \ \ _| |_   \  /   _| || |__| | |\  | |__| | |  | |_| || |___| |__| | |\  |
+       |_|  |_|  \_\_____|   \/   |_____\____/|_| \_|\____/|_|  |_|_____\_____\____/|_| \_|
+  '';
+}

trivionomicon/pkgs/default.nix

@@ -5,5 +5,6 @@ in {
   override = {};
 
   athena-bccr = callPackage ./athena-bccr {};
+  snapborg = final.python3Packages.callPackage ./snapborg {};
   spliit = callPackage ./spliit {};
 }

trivionomicon/pkgs/snapborg/0001-Remove-env-arg-from-subprocess-calls.patch

@@ -0,0 +1,29 @@
+From c363931656938f9cc3354b8e2797fe9abac1b0e3 Mon Sep 17 00:00:00 2001
+From: Alejandro Soto <alejandro@34project.org>
+Date: Sun, 31 Aug 2025 13:30:45 -0600
+Subject: [PATCH] Remove "env" arg from subprocess calls
+
+---
+ snapborg/borg.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/snapborg/borg.py b/snapborg/borg.py
+index 89a3d84..b74ddf7 100644
+--- a/snapborg/borg.py
++++ b/snapborg/borg.py
+@@ -173,11 +173,10 @@ def launch_borg(args, password=None, print_output=False, dryrun=False, cwd=None)
+         # TODO: parse output from JSON log lines
+         try:
+             if print_output:
+-                subprocess.run(cmd, env=env, check=True, cwd=cwd)
++                subprocess.run(cmd, check=True, cwd=cwd)
+             else:
+                 subprocess.check_output(cmd,
+                                         stderr=subprocess.STDOUT,
+-                                        env=env,
+                                         cwd=cwd)
+         except CalledProcessError as e:
+             if e.returncode == 1:
+-- 
+2.49.0
+

trivionomicon/pkgs/snapborg/default.nix

@@ -0,0 +1,34 @@
+{
+  borgbackup,
+  buildPythonApplication,
+  fetchFromGitHub,
+  lib,
+  packaging,
+  pyyaml,
+}:
+buildPythonApplication {
+  pname = "snapborg";
+  version = "0.1.0-unstable-20250331";
+
+  src = fetchFromGitHub {
+    repo = "snapborg";
+    owner = "enzingerm";
+
+    rev = "7e860395319f995161a6e0c7954ce47635e3cd59";
+    hash = "sha256-RzYL4IHulk1Q/ALWFs6YCTeCO8ohwqXH2NMHRctRVSA=";
+  };
+
+  patches = [
+    ./0001-Remove-env-arg-from-subprocess-calls.patch # Fixes broken $PATH when calling borg
+  ];
+
+  propagatedBuildInputs = [
+    borgbackup
+    packaging
+    pyyaml
+  ];
+
+  preFixup = ''
+    makeWrapperArgs+=(--prefix PATH : ${lib.makeBinPath [borgbackup]})
+  '';
+}