fix vps home bug

Flake lock file updates:

• Updated input 'authentik-nix':
    'github:nix-community/authentik-nix/69fac057b2e553ee17c9a09b822d735823d65a6c?narHash=sha256-yiv/g/tiJI3PI95F7vhTnaf1TDsIkFLrmmFTjWfb6pQ%3D' (2025-10-01)
  → 'github:nix-community/authentik-nix/c14192ad67d071f88eb5cd7492a9f03b62865642?narHash=sha256-fWNdWw/iky//zyGpSygNZ%2BXpa1ywwrgwniUTEBQCTvI%3D' (2025-11-09)
• Updated input 'authentik-nix/authentik-src':
    'github:goauthentik/authentik/8d3a289d12c7de2f244c76493af7880f70d08af2?narHash=sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI%3D' (2025-09-30)
  → 'github:goauthentik/authentik/70406664dca2a13aabb695094f85471585668cb1?narHash=sha256-HowB6DTGCqz770fKYbnE%2BrQ11XRV0WSNkLD%2BHSWZwz8%3D' (2025-11-03)
• Updated input 'authentik-nix/flake-parts':
    'github:hercules-ci/flake-parts/4524271976b625a4a605beefd893f270620fd751?narHash=sha256-%2BuWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw%3D' (2025-09-01)
  → 'github:hercules-ci/flake-parts/864599284fc7c0ba6357ed89ed5e2cd5040f0c04?narHash=sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4%3D' (2025-10-20)
• Updated input 'authentik-nix/pyproject-build-systems':
    'github:pyproject-nix/build-system-pkgs/5b8e37fe0077db5c1df3a5ee90a651345f085d38?narHash=sha256-6nzSZl28IwH2Vx8YSmd3t6TREHpDbKlDPK%2Bdq1LKIZQ%3D' (2025-09-08)
  → 'github:pyproject-nix/build-system-pkgs/dbfc0483b5952c6b86e36f8b3afeb9dde30ea4b5?narHash=sha256-fgxP2RCN4cg0jYiMYoETYc7TZ2JjgyvJa2y9l8oSUFE%3D' (2025-09-29)
• Updated input 'authentik-nix/pyproject-nix':
    'github:pyproject-nix/pyproject.nix/8d77f342d66ad1601cdb9d97e9388b69f64d4c8e?narHash=sha256-6pNlGhwOIMfhe/RLjHdpXveKS4FyLHvlGe%2BKtjDild4%3D' (2025-09-07)
  → 'github:pyproject-nix/pyproject.nix/84c4ea102127c77058ea1ed7be7300261fafc7d2?narHash=sha256-jF6UKLs2uGc2rtved8Vrt58oTWjTQoAssuYs/0578Z4%3D' (2025-10-14)
• Updated input 'authentik-nix/uv2nix':
    'github:pyproject-nix/uv2nix/780494c40895bb7419a73d942bee326291e80b3b?narHash=sha256-7Hwz0vfHuFqCo5v7Q07GQgLBWuPvZCuf/5/pk4NoADg%3D' (2025-09-15)
  → 'github:pyproject-nix/uv2nix/e6e728d9719e989c93e65145fe3f9e0c65a021a2?narHash=sha256-4Kt3RsfJgg6HzmDCc44ZN//xB8n7KGEGxxt9dNjqPQc%3D' (2025-10-22)
• Updated input 'nixGL':
    'github:guibou/nixGL/a8e1ce7d49a149ed70df676785b07f63288f53c5?narHash=sha256-Ob/HuUhANoDs%2BnvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ%3D' (2025-07-09)
  → 'github:guibou/nixGL/b6105297e6f0cd041670c3e8628394d4ee247ed5?narHash=sha256-fbRQzIGPkjZa83MowjbD2ALaJf9y6KMDdJBQMKFeY/8%3D' (2025-11-02)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3bcc93c5f7a4b30335d31f21e2f1281cba68c318?narHash=sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI%3D' (2025-10-04)
  → 'github:nixos/nixpkgs/4c8cdd5b1a630e8f72c9dd9bf582b1afb3127d2c?narHash=sha256-LBVOyaH6NFzQ3X/c6vfMZ9k4SV2ofhpxeL9YnhHNJQQ%3D' (2025-11-16)
• Updated input 'nur':
    'github:nix-community/NUR/ba4952df76bc6179d0bb3b9e7b4ff8517cfec870?narHash=sha256-bPh7JZnT7WydN4E1kVLq1l87NlzuD2pz1GYwvYSWo1U%3D' (2025-10-05)
  → 'github:nix-community/NUR/a6894a64a56a2b3d40b08e34342d8c172510b490?narHash=sha256-EwM6RvgVrrcFmvIGwwm7hALIz2QL4SnzNk82Fpg5UV0%3D' (2025-11-19)
• Updated input 'nur/nixpkgs':
    'github:nixos/nixpkgs/7df7ff7d8e00218376575f0acdcc5d66741351ee?narHash=sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs%3D' (2025-10-02)
  → 'github:nixos/nixpkgs/89c2b2330e733d6cdb5eae7b899326930c2c0648?narHash=sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw%3D' (2025-11-17)
• Updated input 'trivionomicon':
    'path:./trivionomicon'
  → 'path:./trivionomicon'
• Updated input 'unstable':
    'github:nixos/nixpkgs/7df7ff7d8e00218376575f0acdcc5d66741351ee?narHash=sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs%3D' (2025-10-02)
  → 'github:nixos/nixpkgs/89c2b2330e733d6cdb5eae7b899326930c2c0648?narHash=sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw%3D' (2025-11-17)
• Updated input 'vpsadminos':
    'github:vpsfreecz/vpsadminos/087b340cc897083a31defafd6a6f1c66e5bf48eb?narHash=sha256-H0FC6QbxgEE79pXwlPVvWUNenQOTMldzlWSij5pPyMk%3D' (2025-10-03)
  → 'github:vpsfreecz/vpsadminos/63538f06d436775273084157117ada72ca40f4d5?narHash=sha256-nP3Egwd5i40bcNRfklH0WYPOFv9BUDAU5usozigDtSE%3D' (2025-11-03)

README.md

@@ -1,12 +1,41 @@
-## Unified nix configuration
+# Nix configuration
 
-Update whole flake (clean working directory 1st): `nix flake update --commit-lock-file`
+## Updating
 
-Switch current machine: `sudo nixos-rebuild switch --flake . --show-trace`
+Update flake
 
-Switch current home manager: `home-manager switch --flake . --show-trace`
+    nix flake update --commit-lock-file
 
-## Maintenance shit ()
+Switch current machine
-Clean shit de Home: `nix store gc`
 
-Clean shit de sys: `sudo nix store gc`
+    sudo nixos-rebuild switch --flake . --show-trace
+
+Switch current home manager
+
+    home-manager switch --flake . --show-trace
+
+Switch server
+
+    nixos-rebuild switch --target-host root@posixlycorrect.com --use-substitutes --show-trace --flake .\#vps
+
+Update homepage
+
+    nix flake update --commit-lock-file homepage
+
+
+## Cleanup
+
+Collect garbage (run with sudo to collect root garbage)
+
+    nix-collect-garbage -d
+
+
+## Submodule management
+
+Trivionomicon
+
+    git subtree push --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+    git subtree pull --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+
+## About
+This is a unification of my old configs, which had a combined 506 commits.

flake.lock

@@ -1,6 +1,86 @@
 {
   "nodes": {
+    "authentik-nix": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pyproject-build-systems": "pyproject-build-systems",
+        "pyproject-nix": "pyproject-nix",
+        "systems": "systems",
+        "uv2nix": "uv2nix"
+      },
+      "locked": {
+        "lastModified": 1762701457,
+        "narHash": "sha256-fWNdWw/iky//zyGpSygNZ+Xpa1ywwrgwniUTEBQCTvI=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "c14192ad67d071f88eb5cd7492a9f03b62865642",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1762188128,
+        "narHash": "sha256-HowB6DTGCqz770fKYbnE+rQ11XRV0WSNkLD+HSWZwz8=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "70406664dca2a13aabb695094f85471585668cb1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2025.10.1",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1760948891,
+        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
           "nur",
@@ -23,7 +103,10 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": [
+          "authentik-nix",
+          "systems"
+        ]
       },
       "locked": {
         "lastModified": 1731533236,
@@ -61,6 +144,42 @@
       "inputs": {
         "systems": "systems_3"
       },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_5"
+      },
       "locked": {
         "lastModified": 1731533236,
         "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@@ -111,6 +230,27 @@
         "type": "github"
       }
     },
+    "homepage": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759284596,
+        "narHash": "sha256-N/poXYxAbHyWf2EBC6CSc6vKq0txtHMqTUMdPNOUB0g=",
+        "ref": "refs/heads/master",
+        "rev": "51c57acdbff6f3f0c490bc67e791f5376a3f2be9",
+        "revCount": 72,
+        "type": "git",
+        "url": "https://git.posixlycorrect.com/fabian/homepage.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.posixlycorrect.com/fabian/homepage.git"
+      }
+    },
     "impermanence": {
       "locked": {
         "lastModified": 1737831083,
@@ -126,17 +266,60 @@
         "type": "github"
       }
     },
+    "mediawikiSkinCitizen": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724097552,
+        "narHash": "sha256-+o5FDWMrEqnva5qcdc45wAYyE2ZtUhEjygUGVt0HsaA=",
+        "owner": "StarCitizenTools",
+        "repo": "mediawiki-skins-Citizen",
+        "rev": "28cd4e18b52aed3270fe7b55bff4545c8314a687",
+        "type": "github"
+      },
+      "original": {
+        "owner": "StarCitizenTools",
+        "ref": "v2.27.0",
+        "repo": "mediawiki-skins-Citizen",
+        "type": "github"
+      }
+    },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725806412,
+        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
+        "owner": "willibutz",
+        "repo": "napalm",
+        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "willibutz",
+        "ref": "avoid-foldl-stack-overflow",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
     "nixGL": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_4",
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1752054764,
+        "lastModified": 1762090880,
-        "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=",
+        "narHash": "sha256-fbRQzIGPkjZa83MowjbD2ALaJf9y6KMDdJBQMKFeY/8=",
         "owner": "guibou",
         "repo": "nixGL",
-        "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5",
+        "rev": "b6105297e6f0cd041670c3e8628394d4ee247ed5",
         "type": "github"
       },
       "original": {
@@ -160,13 +343,28 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1754788789,
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1758589230,
+        "lastModified": 1763334038,
-        "narHash": "sha256-zMTCFGe8aVGTEr2RqUi/QzC1nOIQ0N1HRsbqB4f646k=",
+        "narHash": "sha256-LBVOyaH6NFzQ3X/c6vfMZ9k4SV2ofhpxeL9YnhHNJQQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d1d883129b193f0b495d75c148c2c3a7d95789a0",
+        "rev": "4c8cdd5b1a630e8f72c9dd9bf582b1afb3127d2c",
         "type": "github"
       },
       "original": {
@@ -178,11 +376,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1758427187,
+        "lastModified": 1763421233,
-        "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=",
+        "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46",
+        "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648",
         "type": "github"
       },
       "original": {
@@ -194,15 +392,15 @@
     },
     "nur": {
       "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1758770724,
+        "lastModified": 1763589398,
-        "narHash": "sha256-ayj0RkDQ57roFRtqOuDaUk6493Yd2x2xJrfOz44s4jk=",
+        "narHash": "sha256-EwM6RvgVrrcFmvIGwwm7hALIz2QL4SnzNk82Fpg5UV0=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "2147792a5e7b210162abdc6b318441737cd73da5",
+        "rev": "a6894a64a56a2b3d40b08e34342d8c172510b490",
         "type": "github"
       },
       "original": {
@@ -211,31 +409,85 @@
         "type": "github"
       }
     },
+    "pyproject-build-systems": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "authentik-nix",
+          "uv2nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759113590,
+        "narHash": "sha256-fgxP2RCN4cg0jYiMYoETYc7TZ2JjgyvJa2y9l8oSUFE=",
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "rev": "dbfc0483b5952c6b86e36f8b3afeb9dde30ea4b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "type": "github"
+      }
+    },
+    "pyproject-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760402624,
+        "narHash": "sha256-jF6UKLs2uGc2rtved8Vrt58oTWjTQoAssuYs/0578Z4=",
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "rev": "84c4ea102127c77058ea1ed7be7300261fafc7d2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "flake-utils": "flake-utils",
+        "authentik-nix": "authentik-nix",
+        "flake-utils": "flake-utils_2",
         "hm-isolation": "hm-isolation",
         "home-manager": "home-manager",
+        "homepage": "homepage",
         "impermanence": "impermanence",
+        "mediawikiSkinCitizen": "mediawikiSkinCitizen",
         "nixGL": "nixGL",
         "nixpkgs": "nixpkgs_2",
         "nur": "nur",
         "trivionomicon": "trivionomicon",
-        "unstable": "unstable"
+        "unstable": "unstable",
+        "vpsadminos": "vpsadminos"
       }
     },
     "systems": {
       "locked": {
-        "lastModified": 1681028828,
+        "lastModified": 1689347949,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
         "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
         "type": "github"
       }
     },
@@ -269,9 +521,39 @@
         "type": "github"
       }
     },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "trivionomicon": {
       "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_5",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -288,11 +570,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1758427187,
+        "lastModified": 1763421233,
-        "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=",
+        "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46",
+        "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648",
         "type": "github"
       },
       "original": {
@@ -301,6 +583,46 @@
         "repo": "nixpkgs",
         "type": "github"
       }
+    },
+    "uv2nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1761101082,
+        "narHash": "sha256-4Kt3RsfJgg6HzmDCc44ZN//xB8n7KGEGxxt9dNjqPQc=",
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "rev": "e6e728d9719e989c93e65145fe3f9e0c65a021a2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "type": "github"
+      }
+    },
+    "vpsadminos": {
+      "locked": {
+        "lastModified": 1762202056,
+        "narHash": "sha256-nP3Egwd5i40bcNRfklH0WYPOFv9BUDAU5usozigDtSE=",
+        "owner": "vpsfreecz",
+        "repo": "vpsadminos",
+        "rev": "63538f06d436775273084157117ada72ca40f4d5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "vpsfreecz",
+        "repo": "vpsadminos",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -8,16 +8,32 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    nur.url = "github:nix-community/NUR";
-    impermanence.url = "github:nix-community/impermanence";
-    hm-isolation.url = "github:3442/hm-isolation";
-    nixGL.url = "github:guibou/nixGL";
-    flake-utils.url = "github:numtide/flake-utils";
-
     trivionomicon = {
       url = "./trivionomicon";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    homepage = {
+      url = "git+https://git.posixlycorrect.com/fabian/homepage.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    authentik-nix = {
+      url = "github:nix-community/authentik-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    mediawikiSkinCitizen = {
+      url = "github:StarCitizenTools/mediawiki-skins-Citizen/v2.27.0";
+      flake = false;
+    };
+
+    flake-utils.url = "github:numtide/flake-utils";
+    hm-isolation.url = "github:3442/hm-isolation";
+    impermanence.url = "github:nix-community/impermanence";
+    nixGL.url = "github:guibou/nixGL";
+    nur.url = "github:nix-community/NUR";
+    vpsadminos.url = "github:vpsfreecz/vpsadminos";
   };
 
   outputs = flakes:
@@ -25,7 +41,6 @@
       inherit flakes;
 
       system = "x86_64-linux";
-      doctrinePrefix = "local";
 
       paths = {
         localOverlay = "pkgs";

home/modules/accounts.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.accounts;
+in {
+  options.local.services.accounts.enable = mkEnableOption "accounts settings";
+  config = mkIf cfg.enable {
+    accounts.email.accounts = {
+      "fabian@posixlycorrect.com" = {
+        address = "fabian@posixlycorrect.com";
+        userName = "fabianmontero@fastmail.com";
+        realName = "fabian";
+        primary = true;
+        flavor = "fastmail.com";
+      };
+    };
+  };
+}

home/modules/baseline.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  flakes,
   ...
 }:
 with lib; let
@@ -11,6 +12,18 @@ in {
     enable = mkEnableOption "Basic home settings";
   };
   config = mkIf cfg.enable {
+    programs.home-manager.enable = true;
+
+    nix.registry = {
+      "system".to = {
+        type = "path";
+        path = "/home/fabian/nix";
+      };
+
+      "nixpkgs".flake = flakes.nixpkgs;
+      "unstable".flake = flakes.unstable;
+    };
+
     xdg = {
       enable = true;
     };
@@ -18,20 +31,31 @@ in {
     home = {
       stateVersion = "24.05"; # DO NOT CHANGE
 
+      username = "fabian";
+      homeDirectory = "/home/fabian";
+
       packages = with pkgs; [
         calc
+        dysk
+        fd
         file
+        fzf
         gcc
         htop
         killall
         man-pages
         man-pages-posix
+        nmap
+        p7zip
         pv
+        ripgrep
         tree
         units
         unzip
         vim
+        wl-clipboard
         zip
+        zoxide
       ];
       keyboard = {
         layout = "us";
@@ -44,8 +68,17 @@ in {
 
     programs.git = {
       enable = true;
-      userEmail = "josescalante9808@gmail.com";
+      userEmail = "fabian@posixlycorrect.com";
-      userName = "josEscalante";
+      userName = "Fabian Montero";
+    };
+
+    local = {
+      services = {
+        zsh.enable = true;
+      };
+      programs = {
+        neovim.enable = true;
+      };
     };
   };
 }

home/modules/default.nix

@@ -9,11 +9,17 @@
     ./neovim.nix
     ./baseline.nix
     ./gaming.nix
+    ./yubikey.nix
     ./firefox.nix
     ./gui
     ./zsh
+    ./gpg.nix
     ./defaultDesktopPack.nix
+    ./accounts.nix
+    ./syncthing.nix
     ./mapping.nix
     ./zed.nix
+    ./pass.nix
+    ./halloy.nix
   ];
 }

home/modules/defaultDesktopPack.nix

@@ -5,28 +5,67 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.defaultDesktopPack;
+  cfg = config.local.defaultDesktopPack;
 in {
-  options.local.apps.defaultDesktopPack = {
+  options.local.defaultDesktopPack = {
-    enable = mkEnableOption "common desktop apps";
+    enable = mkEnableOption "common desktop programs and services";
+    laptop = mkOption {
+      type = types.bool;
+      default = false;
+    };
   };
   config = mkIf cfg.enable {
     home.packages = with pkgs; [
       calibre
       chromium
       discord
-      kdePackages.gwenview
+      (gajim.override {
+        enableSecrets = true;
+        enableUPnP = true;
+        enableAppIndicator = true;
+        enableE2E = true;
+        enableRST = true;
+      })
       libreoffice-fresh
       mpv
       obs-studio
       pavucontrol
       pdfarranger
+      qimgv
       qpdfview
+      qbittorrent
+      runelite
       spotify
       tdesktop
+      thunderbird
       usbutils
+      vpsfree-client
       vscodium-fhs
-      trilium-next-desktop
+      zola
     ];
+
+    trivium = {
+      waybar = {
+        enable = true;
+        fontFamily = "JetBrainsMono Nerd Font";
+      };
+    };
+
+    local = {
+      baseline.enable = true;
+
+      services = {
+        gpg.enable = true;
+        accounts.enable = true;
+        pass.enable = true;
+        syncthing.enable = true;
+      };
+      programs = {
+        firefox.enable = true;
+        zed.enable = true;
+        halloy.enable = true;
+        terminal.enable = true;
+      };
+    };
   };
 }

home/modules/firefox.nix

@@ -5,41 +5,33 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.firefox;
+  cfg = config.local.programs.firefox;
 in {
-  options.local.apps.firefox = {
+  options.local.programs.firefox = {
-    enable = mkEnableOption "firefox settings";
+    enable = mkEnableOption "firefox";
+  };
 
-    makeDefaultBrowser = mkOption {
+  config = mkIf cfg.enable {
-      type = types.bool;
+    programs.firefox = {
-      default = true;
+      enable = true;
-      description = ''
+      package = pkgs.firefox.override {
-        Take a guess
+        nativeMessagingHosts = [pkgs.passff-host];
-      '';
       };
     };
 
-  config = mkIf cfg.enable (mkMerge [
-    {
-      programs.firefox.enable = true;
-    }
-
-    (mkIf cfg.makeDefaultBrowser {
     xdg = {
       mimeApps = {
         enable = true;
         defaultApplications = {
-            "text/html" = ["firefox"];
+          "text/html" = ["firefox.desktop"];
-            "text/uri-list" = ["firefox"];
+          "text/uri-list" = ["firefox.desktop"];
-            "x-scheme-handler/http" = ["firefox"];
+          "x-scheme-handler/http" = ["firefox.desktop"];
-            "x-scheme-handler/https" = ["firefox"];
+          "x-scheme-handler/https" = ["firefox.desktop"];
-            "x-scheme-handler/about" = ["firefox"];
+          "x-scheme-handler/about" = ["firefox.desktop"];
-            "x-scheme-handler/unknown" = ["firefox"];
+          "x-scheme-handler/unknown" = ["firefox.desktop"];
         };
       };
     };
-
     home.sessionVariables.DEFAULT_BROWSER = "${lib.getExe pkgs.firefox}";
-    })
+  };
-  ]);
 }

home/modules/gaming.nix

@@ -5,16 +5,16 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.gaming;
+  cfg = config.local.programs.gaming;
 in {
-  options.local.apps.gaming = {
+  options.local.programs.gaming = {
     enable = mkEnableOption "gaming apps";
   };
   config = mkIf cfg.enable {
-    home.packages = with pkgs; [
+    home.packages = [
-      lutris
+      pkgs.lutris
-      openrct2
+      pkgs.openrct2
-      prismlauncher
+      pkgs.prismlauncher
     ];
   };
 }

home/modules/gpg.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.gpg;
+in {
+  options.local.services.gpg = {
+    enable = mkEnableOption "gpg settings";
+    defaultKey = mkOption {
+      type = types.str;
+      description = "fingerprint of default public key to be used in gpg, git, email, etc.";
+      example = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+    };
+  };
+  config = mkIf cfg.enable {
+    programs.gpg = {
+      enable = true;
+      settings = {
+        default-key = cfg.defaultKey;
+        encrypt-to = cfg.defaultKey;
+      };
+    };
+
+    services.gpg-agent = {
+      enable = true;
+
+      enableZshIntegration = true;
+      enableBashIntegration = true;
+
+      enableExtraSocket = true;
+      enableSshSupport = true;
+
+      defaultCacheTtl = 3600 * 3;
+      defaultCacheTtlSsh = 3600 * 3;
+
+      maxCacheTtl = 3600 * 6;
+      maxCacheTtlSsh = 3600 * 6;
+
+      pinentry.package = pkgs.pinentry-emacs;
+    };
+
+    accounts.email.accounts = {
+      "fabian@posixlycorrect.com" = {
+        gpg = {
+          encryptByDefault = true;
+          signByDefault = true;
+          key = cfg.defaultKey;
+        };
+      };
+    };
+
+    programs.git = {
+      signing = {
+        key = cfg.defaultKey;
+        signByDefault = true;
+      };
+    };
+  };
+}

home/modules/gui/default.nix

@@ -51,7 +51,6 @@ in {
     ./fonts.nix
     ./theme.nix
     ./sway.nix
-    ./waybar.nix
     ./mako.nix
   ];
 
@@ -61,8 +60,8 @@ in {
       mimeApps = {
         enable = true;
         defaultApplications = {
-          "application/pdf" = with pkgs; ["qpdfview"];
+          "application/pdf" = with pkgs; ["qpdfview.desktop"];
-          "x-scheme-handler/file" = with pkgs; ["foot"];
+          "x-scheme-handler/file" = with pkgs; ["foot.desktop"];
         };
       };
     };

home/modules/gui/sway.nix

@@ -142,7 +142,7 @@ in {
             "${mod}+a" = "focus parent";
             "${mod}+c" = "focus child";
             "${mod}+d" = "exec ${bemenuCommand}";
-            "${mod}+l" = "exec ${getExe pkgs.gtklock} -d && systemctl suspend";
+            "${mod}+l" = "exec ${getExe pkgs.gtklock} -d";
             "${mod}+Return" = "exec ${lib.getExe pkgs.foot} ${lib.getExe pkgs.tmux}";
             "${mod}+Shift+s" = "exec ${grimshot} copy area";
             "${mod}+Shift+a" = "exec ${grimshot} copy output";
@@ -156,10 +156,13 @@ in {
             command = "${lib.getExe pkgs.sway} 'workspace 1; exec ${lib.getExe pkgs.firefox}'";
           }
           {
-            command = "${lib.getExe pkgs.sway} 'workspace 10; exec ${lib.getExe pkgs.tdesktop}'";
+            command = "${lib.getExe pkgs.sway} 'workspace 2; exec ${lib.getExe pkgs.tdesktop}'";
           }
           {
-            command = "${lib.getExe pkgs.swaybg} -m fill -i ${config.home.homeDirectory}/Pictures/wallpapers/wallpaper.jpg";
+            command = "${lib.getExe pkgs.sway} 'workspace 2; exec ${lib.getExe pkgs.gajim}'";
+          }
+          {
+            command = "${lib.getExe pkgs.swaybg} -m fill -i ${config.home.homeDirectory}/Pictures/wallpapers/jupiter.png";
             always = true;
           }
           {

home/modules/gui/waybar.nix

@@ -1,182 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib; let
-  cfg = config.local.gui;
-in {
-  config = mkIf cfg.enable {
-    programs.waybar = {
-      enable = true;
-      settings = {
-        mainBar = {
-          layer = "top";
-          position = "top";
-          height = 20;
-          spacing = 0;
-
-          modules-left = [
-            "sway/workspaces"
-            "sway/mode"
-          ];
-          modules-center = [
-            "clock"
-          ];
-
-          modules-right = [
-            "privacy"
-            "cpu"
-            "memory"
-            "disk"
-            "temperature"
-            "keyboard-state"
-            "tray"
-          ];
-          "keyboard-state" = {
-            numlock = true;
-            capslock = true;
-          };
-          "tray" = {
-            icon-size = 13;
-            spacing = 8;
-          };
-          "clock" = {
-            interval = 60;
-            format = "{:%A %B %d %Y %H:%M}";
-            tooltip = false;
-          };
-          "cpu" = {
-            format = " {usage}%";
-            tooltip = false;
-          };
-          "memory" = {
-            format = " {percentage}%";
-            tooltip = true;
-            tooltip-format = "{used}/{total}";
-          };
-          "disk" = {
-            format = " {specific_used:0.0f}/{specific_total:0.0f}";
-            unit = "GiB";
-            tooltip = false;
-          };
-          "privacy" = {
-            icon-size = 12;
-          };
-        };
-      };
-      style = ''
-        * {
-          font-family: "JetBrainsMono Nerd Font", monospace;
-          font-size: 12px;
-          font-weight: 500;
-          border: none;
-          box-shadow: none;
-        }
-
-        /* Entire bar: blacc, no border */
-        window#waybar {
-          background: #000000;
-          color: #eaeaea;
-          margin: 0;
-          padding: 0;
-        }
-
-        /* Optional: small edge breathing room (comment out if you want edge-to-edge) */
-        /* window#waybar { margin: 3px 6px 0 6px; } */
-
-        /* Module containers */
-        .modules-left, .modules-center, .modules-right {
-          padding: 0;
-          margin: 0 6px;
-        }
-
-        /* Subtle separators between modules (no boxes) */
-        .modules-left > widget:not(:first-child),
-        .modules-center > widget:not(:first-child),
-        .modules-right > widget:not(:first-child) {
-          margin-left: 12px;
-          padding-left: 12px;
-          border-left: 1px solid rgba(255, 255, 255, 0.08);
-        }
-
-        /* Tightest possible workspaces */
-        #workspaces { padding: 0; margin: 0; }
-        #workspaces button {
-          margin: 0;
-          padding: 0 3px;
-          min-width: 0;
-          border-radius: 0;
-          background: transparent;
-          color: #cfcfcf;
-        }
-        #workspaces button:hover {
-          background: rgba(255, 255, 255, 0.06);
-        }
-        #workspaces button.active,
-        #workspaces button.focused {
-          background: rgba(255, 255, 255, 0.10);
-          color: #ffffff;
-          box-shadow: inset 0 -2px #ffffff;
-        }
-        #workspaces button.urgent {
-          background: rgba(255, 80, 80, 0.25);
-          box-shadow: inset 0 -2px #ff5050;
-        }
-
-        /* Focused window title: single line, no glow */
-        #window {
-          padding: 0 6px;
-          margin: 0;
-          color: #dedede;
-        }
-
-        /* Sway mode indicator: visible only when active, no bloat */
-        #mode {
-          padding: 0 6px;
-          margin: 0;
-          background: rgba(255, 255, 255, 0.10);
-          color: #ffffff;
-          border-bottom: 2px solid #ffffff;
-        }
-
-        /* Status modules — keep them flat and compact */
-        #clock, #battery, #network, #pulseaudio, #backlight, #cpu, #memory, #temperature, #tray {
-          padding: 0 6px;
-          margin: 0;
-          background: #000000;
-          color: #eaeaea;
-        }
-
-        /* States (battery, network, audio) */
-        #battery.charging { color: #c9ffbf; }
-        #battery.warning:not(.charging) { color: #ffd29a; }
-        #battery.critical:not(.charging) { color: #ff9a9a; }
-
-        #network.disconnected { color: #ffb4b4; }
-        #pulseaudio.muted    { color: #9aa0a6; }
-
-        /* Tray: compress icons */
-        #tray > .passive { opacity: 0.6; }
-        #tray > .needs-attention { opacity: 1; }
-
-        /* Tooltips: clean and readable */
-        tooltip {
-          background: rgba(30, 30, 30, 0.95);
-          border: 1px solid rgba(255, 255, 255, 0.08);
-          color: #eaeaea;
-          padding: 6px 8px;
-        }
-
-        /* Remove any leftover borders around everything */
-        #custom-*, #idle_inhibitor, #privacy, #bluetooth {
-          border: none;
-          background: transparent;
-          margin: 0;
-          padding: 0 6px;
-        }
-      '';
-    };
-  };
-}

home/modules/halloy.nix

@@ -0,0 +1,114 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.local.programs.halloy;
+in {
+  options.local.programs.halloy = {
+    enable = mkEnableOption "halloy irc client";
+  };
+  config = mkIf cfg.enable {
+    programs.halloy = {
+      enable = true;
+      settings = {
+        theme = "macawCustom";
+        font.size = 16;
+        preview.enabled = false;
+        sidebar = {
+          buffer_action = "replace-pane";
+          focused_buffer_action = "close-pane";
+        };
+        buffer = {
+          channel.topic = {
+            enabled = true;
+          };
+          chathistory.infinite_scroll = true;
+          server_messages = {
+            join.exclude = ["*"];
+            quit.exclude = ["*"];
+          };
+        };
+
+        servers.liberachat = {
+          nickname = "posixlycorrect";
+          nick_password_command = "pass show liberachat_irc";
+
+          username = "fabiansoju/irc.libera.chat";
+          password_command = "pass show soju";
+
+          server = "soju.posixlycorrect.com";
+          port = 6697;
+          chathistory = true;
+          channels = [
+            "##chat"
+            "##politics"
+            "##rust"
+            "#datahoarder"
+            "#git"
+            "#indieweb"
+            "#indieweb-dev"
+            "#linux"
+            "#lobsters"
+            "#nixos"
+            "#OSRS"
+            "#soju"
+          ];
+        };
+      };
+      themes = {
+        macawCustom = {
+          general = {
+            background = "#333333";
+            border = "#505050";
+            horizontal_rule = "#333333";
+            unread_indicator = "#2884FC";
+          };
+
+          text = {
+            primary = "#DFDFDF";
+            secondary = "#C2C2C2";
+            tertiary = "#8839EF";
+            success = "#959595";
+            error = "#959595";
+          };
+
+          buffer = {
+            action = "#959595";
+            background = "#1E1E1E";
+            background_text_input = "#2E2E2E";
+            background_title_bar = "#2E2E2E";
+            border = "#1A1A1A";
+            border_selected = "#1A1A1A";
+            code = "#7287FD";
+            highlight = "#454645";
+            nickname = "#00C8FF";
+            selection = "#777777";
+            timestamp = "#959595";
+            topic = "#DFDFDF";
+            url = "#2884FC";
+            buffer.server_messages = {
+              default = "#959595";
+            };
+          };
+
+          buttons.primary = {
+            background = "#00000000";
+            background_hover = "#484848";
+            background_selected = "#4A4A4A";
+            background_selected_hover = "#666666";
+          };
+
+          buttons.secondary = {
+            background = "#3B3B3B";
+            background_hover = "#484848";
+            background_selected = "#646464";
+            background_selected_hover = "#666666";
+          };
+        };
+      };
+    };
+  };
+}

home/modules/mapping.nix

@@ -5,9 +5,9 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.mapping;
+  cfg = config.local.programs.mapping;
 in {
-  options.local.apps.mapping = {
+  options.local.programs.mapping = {
     enable = mkEnableOption "mapping apps";
   };
   config = mkIf cfg.enable {

home/modules/neovim.nix

@@ -5,9 +5,9 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.neovim;
+  cfg = config.local.programs.neovim;
 in {
-  options.local.apps.neovim = {
+  options.local.programs.neovim = {
     enable = mkEnableOption "Neovim settings";
   };
   config = mkIf cfg.enable {

home/modules/pass.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.pass;
+in {
+  options.local.services.pass = {
+    enable = mkEnableOption "pass settings";
+  };
+  config = mkIf cfg.enable {
+    programs.password-store = {
+      enable = true;
+      package = pkgs.pass.withExtensions (exts:
+        with exts; [
+          pass-audit
+          pass-genphrase
+          pass-otp
+          pass-tomb
+          pass-update
+          pass-import
+        ]);
+
+      settings = {
+        PASSWORD_STORE_DIR = "${config.home.homeDirectory}/safe/trust";
+      };
+    };
+  };
+}

home/modules/syncthing.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.syncthing;
+in {
+  options.local.services.syncthing = {
+    enable = mkEnableOption "syncthing settings";
+  };
+
+  config = mkIf cfg.enable {
+    services.syncthing = {
+      enable = true;
+      tray.enable = true;
+    };
+  };
+}

home/modules/terminal.nix

@@ -5,9 +5,11 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.terminal;
+  cfg = config.local.programs.terminal;
 in {
-  options.local.apps.terminal.enable = mkEnableOption "terminal emulator settings";
+  options.local.programs.terminal = {
+    enable = mkEnableOption "terminal emulator settings";
+  };
   config = mkIf cfg.enable {
     programs = {
       foot = {
@@ -15,10 +17,10 @@ in {
         settings = {
           main = {
             term = "xterm-256color";
-            font = "JetBrains Mono:style=Medium:size=12";
+            font = "JetBrainsMono Nerd Font:style=Medium:size=15";
-            font-bold = "JetBrains Mono:style=Bold:size=12";
+            font-bold = "JetBrainsMono Nerd Font:style=Bold:size=15";
-            font-italic = "JetBrains Mono:style=Italic:size=12";
+            font-italic = "JetBrainsMono Nerd Font:style=Italic:size=15";
-            font-bold-italic = "JetBrains Mono:style=Bold Italic:size=12";
+            font-bold-italic = "JetBrainsMono Nerd Font:style=Bold Italic:size=15";
             dpi-aware = "yes";
             initial-window-size-pixels = "1200x600";
           };
@@ -29,15 +31,15 @@ in {
           };
 
           colors = {
-            background = "111111";
+            background = "000000";
-            regular0 = "1E201E"; #black
+            regular0 = "616161";
-            regular1 = "BE3144"; #red
+            regular1 = "ff4d51";
-            regular2 = "1F7D53"; #green
+            regular2 = "35d450";
-            regular3 = "FEC260"; #yellow
+            regular3 = "e9e836";
-            regular4 = "065084"; #blue
+            regular4 = "5dc5f8";
-            regular5 = "940B92"; #magenta
+            regular5 = "feabf2";
-            regular6 = "008B8B"; #cyan
+            regular6 = "24dfc4";
-            regular7 = "D3DAD9"; #white
+            regular7 = "ffffff";
           };
 
           bell = {
@@ -107,6 +109,12 @@ in {
           set -g status-justify left
         '';
       };
+
+      fzf = {
+        enable = true;
+        enableZshIntegration = true;
+        tmux.enableShellIntegration = true;
+      };
     };
     home = {
       sessionVariables = {

home/modules/yubikey.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.services.yubikey;
+in {
+  options.local.services.yubikey = {
+    enable = mkEnableOption "Yubikey home settings";
+  };
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      yubikey-manager
+      yubico-pam
+      yubikey-personalization
+    ];
+  };
+}

home/modules/zed.nix

@@ -5,16 +5,18 @@
   ...
 }:
 with lib; let
-  cfg = config.local.apps.zed;
+  cfg = config.local.programs.zed;
 in {
-  options.local.apps.zed.enable = mkEnableOption "zed editor settings";
+  options.local.programs.zed = {
+    enable = mkEnableOption "zed editor settings";
+  };
   config = mkIf cfg.enable {
     programs.zed-editor = {
       enable = true;
       extensions = [
         "nix"
         "codebook"
-        "one-dark"
+        "vscode-dark-high-contrast"
         "catppuccin-icons"
       ];
       extraPackages = with pkgs; [
@@ -23,8 +25,8 @@ in {
       userSettings = {
         disable_ai = true;
         theme = {
-          dark = "One Dark";
+          dark = "VSCode Dark High Contrast";
-          light = "One Dark";
+          light = "VSCode Dark High Contrast";
         };
         icon_theme = {
           dark = "Catppuccin Latte";

home/modules/zsh/default.nix

@@ -13,6 +13,7 @@ in {
       type = types.str;
       description = "prompt for your terminal";
       example = literalExpression "%B[%~] \${vcs_info_msg_0_}%b";
+      default = "%B[%~] \${vcs_info_msg_0_}%b";
     };
   };
   config = mkIf cfg.enable {

home/modules/zsh/zshrc.nix

@@ -18,7 +18,7 @@
   zstyle ':completion:*' original true
   zstyle ':completion:*' preserve-prefix '//[^/]##/'
   zstyle ':completion:*' verbose true
-  zstyle :compinstall filename '/home/chem/.zshrc'
+  zstyle :compinstall filename '/home/fabian/.zshrc'
 
   autoload -Uz compinit
   compinit
@@ -79,11 +79,8 @@
   alias l='ls --color -FhAltr'
   alias x='killall --ignore-case --user=$(whoami) --interactive'
   alias tree='tree -CF'
-  alias lock="betterlockscreen -l"
-  alias nightmode="${lib.getExe pkgs.redshift} -P -O 1000"
-  alias lightmode="${lib.getExe pkgs.redshift} -x="
   alias nixoide="nix repl '<nixpkgs>'"
-  alias vim=nvim
+  alias vps="ssh -A vps"
   bindkey -e
   bindkey "^[[1;5D" backward-word
   bindkey "^[[1;5C" forward-word
@@ -101,8 +98,8 @@
     local pkg
     pkg="$1"
     shift
-    echo "nix shell unstable#$pkg --impure"
+    echo "nix shell nixpkgs#$pkg --impure"
-    nix shell "unstable#$pkg" "$@"  --impure
+    nix shell "nixpkgs#$pkg" "$@" --impure
   }
 
   function spawn () {
@@ -130,4 +127,6 @@
   export VISUAL=nvim
   export PATH="$PATH:$HOME/.local/bin:$HOME/.cargo/bin"
   export NIXPKGS_ALLOW_UNFREE=1
+
+  eval "$(fzf --zsh)"
 ''

home/platforms/chem@yuki/default.nix

@@ -1,78 +0,0 @@
-{
-  flakes,
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports = [
-    ./systemd
-    ./isolation.nix
-  ];
-
-  nix.registry = {
-    "system".to = {
-      type = "path";
-      path = "/home/chem/nix";
-    };
-
-    "nixpkgs".flake = flakes.nixpkgs;
-    "unstable".flake = flakes.unstable;
-  };
-
-  local = {
-    baseline.enable = true;
-
-    services = {
-      zsh = {
-        enable = true;
-        prompt = "%B[%~] \${vcs_info_msg_0_}%b";
-      };
-    };
-
-    apps = {
-      #todo move some of this to defaultDesktop pack?
-      terminal.enable = true;
-      neovim.enable = true;
-      gaming.enable = true;
-      defaultDesktopPack.enable = true;
-      firefox.enable = true;
-      mapping.enable = true;
-      zed.enable = true;
-    };
-
-    gui = {
-      enable = true;
-      monitors = {
-        HDMI-A-1 = {
-          width = "1920";
-          height = "1080";
-          rate = "59.94";
-        };
-        DP-1 = {
-          width = "1600";
-          height = "900";
-          rate = "59.94";
-          posX = "1920";
-        };
-      };
-    };
-  };
-
-  home = {
-    packages = with pkgs; [
-      gnucash
-      kdePackages.kdenlive
-      nmap
-      qbittorrent
-      virt-manager
-      vintagestory
-      easyeffects
-    ];
-
-    username = "chem";
-    homeDirectory = "/home/chem";
-  };
-
-  programs.home-manager.enable = true;
-}

home/platforms/fabian@posixlycorrect/default.nix

@@ -0,0 +1,46 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./systemd
+    ./isolation.nix
+  ];
+
+  local = {
+    defaultDesktopPack.enable = true;
+
+    services = {
+      gpg.defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+      yubikey.enable = true;
+    };
+
+    programs = {
+      gaming.enable = true;
+      mapping.enable = true;
+    };
+
+    gui = {
+      enable = true;
+      monitors = {
+        DP-1 = {
+          width = "1920";
+          height = "1080";
+          rate = "59.94";
+        };
+      };
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+      darktable
+      gnucash
+      kdePackages.kdenlive
+      virt-manager
+    ];
+  };
+}

home/platforms/fabian@posixlycorrect/systemd/default.nix

@@ -5,6 +5,6 @@
 }:
 with lib; {
   systemd.user.tmpfiles.rules = [
-    "d %t/tmp 0700 chem chem 24h"
+    "d %t/tmp 0700 fabian fabian 24h"
   ];
 }

home/platforms/fabian@t14/default.nix

@@ -0,0 +1,45 @@
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./systemd
+    ./isolation.nix
+  ];
+
+  local = {
+    defaultDesktopPack = {
+      enable = true;
+      laptop = true;
+    };
+
+    services = {
+      gpg.defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
+      yubikey.enable = true;
+    };
+
+    programs = {
+      gaming.enable = true;
+      mapping.enable = true;
+    };
+
+    gui = {
+      enable = true;
+      monitors = {
+        eDP-1 = {
+          width = "1920";
+          height = "1080";
+          rate = "60.00";
+        };
+      };
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+    ];
+  };
+}

home/platforms/fabian@t14/isolation.nix

@@ -0,0 +1,22 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  home.isolation = {
+    enable = true;
+    btrfsSupport = true;
+    defaults = {
+      static = true;
+      bindHome = "home/";
+      persist = {
+        base = "shenvs";
+        btrfs = true;
+      };
+    };
+
+    modulesUnder = ./shenvs;
+  };
+}

home/platforms/fabian@t14/shenvs/c.nix

@@ -0,0 +1,13 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    binutils
+    cmake
+    curl
+    gdb
+    gnumake
+    rustup
+    valgrind
+  ];
+}

home/platforms/fabian@t14/shenvs/python.nix

@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  static = true;
+
+  packages = with pkgs; [
+    pipenv
+    (python310.withPackages (packages:
+      with packages; [
+        setuptools
+      ]))
+  ];
+}

home/platforms/fabian@t14/systemd/default.nix

@@ -0,0 +1,10 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.user.tmpfiles.rules = [
+    "d %t/tmp 0700 fabian fabian 24h"
+  ];
+}

home/platforms/fabian@vps/default.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+  ];
+
+  local = {
+    baseline.enable = true;
+
+    services = {
+      zsh.prompt = "%B<%~> \${vcs_info_msg_0_}%b";
+    };
+  };
+
+  home = {
+    packages = with pkgs; [
+    ];
+  };
+}

pkgs/config/default.nix

@@ -1,6 +1,5 @@
 {lib}:
 with lib; {
-  android_sdk.accept_license = true; #TODO: what the fuck is this
+  android_sdk.accept_license = true;
   allowUnfreePredicate = pkg: import ./unfree.nix lib (getName pkg);
-  allowInsecurePredicate = pkg: import ./insecure.nix lib (getName pkg);
 }

pkgs/config/insecure.nix

@@ -1,4 +0,0 @@
-lib: name:
-with lib;
-  elem name [
-  ]

pkgs/config/unfree.nix

@@ -8,5 +8,4 @@ with lib;
     "steam-original"
     "steam-unwrapped"
     "steam-run"
-    "vintagestory"
   ]

pkgs/default.nix

@@ -6,6 +6,8 @@
 with prev.lib; let
   inherit (final) callPackage fetchpatch;
 in {
+  homepage = flakes.homepage.packages.${final.system}.default;
+
   override =
     {
       # add python modules here to make them available in all versions

sys/modules/android.nix

@@ -14,5 +14,9 @@ in {
     services.udev.packages = with pkgs; [
       android-udev-rules
     ];
+
+    environment.systemPackages = with pkgs; [
+      android-tools
+    ];
   };
 }

sys/modules/baseline.nix

@@ -73,6 +73,8 @@ in {
       };
     };
 
+    programs.dconf.enable = true;
+
     # Coredumps are a security risk and may use up a lot of disk space
     systemd.coredump.extraConfig = ''
       Storage=none
@@ -83,5 +85,7 @@ in {
       enable = true;
       defaultBitSize = 4096;
     };
+
+    i18n.defaultLocale = "en_US.UTF-8";
   };
 }

sys/modules/borgsync.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.borgsync;
+in {
+  options.local.sys.borgsync = {
+    enable = mkEnableOption "borg backup to an rsync.net repo";
+    paths = mkOption {
+      type = with types; nullOr (coercedTo str singleton (listOf str));
+      default = null;
+      description = "Paths to back up.";
+    };
+    exclude = mkOption {
+      type = with types; listOf str;
+      description = "Exclude paths.";
+      default = [];
+    };
+    repoName = mkOption {
+      type = types.str;
+      description = "Remote rsync repository to back up to.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.borgbackup.jobs.rsync = {
+      paths = cfg.paths;
+      exclude = cfg.exclude;
+      user = "root";
+      group = "root";
+      doInit = true;
+      startAt = [
+        "hourly"
+      ];
+      inhibitsSleep = true;
+      persistentTimer = true;
+
+      repo = "zh5777@zh5777.rsync.net:${cfg.repoName}";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /var/trust/borg/${cfg.repoName}_passphrase";
+      };
+      compression = "auto,lz4";
+      prune = {
+        keep = {
+          hourly = 24;
+          daily = 7;
+          weekly = 4;
+          monthly = 12;
+          yearly = 99;
+        };
+      };
+      extraArgs = [
+        "--remote-path=borg14"
+      ];
+    };
+
+    environment.sessionVariables.BORG_REMOTE_PATH = "borg14";
+  };
+}

sys/modules/default.nix

@@ -6,6 +6,7 @@
 }: {
   imports = [
     ./baseline.nix
+    ./yubikey.nix
     ./audio.nix
     ./graphics.nix
     ./virtualisation.nix
@@ -15,15 +16,8 @@
     ./net.nix
     ./steam.nix
     ./gtklock.nix
-  ];
+    ./borgsync.nix
-
+    ./dufs.nix
-  fonts.packages = with pkgs; [
+    ./defaultDesktopPack.nix
-    jetbrains-mono
-    noto-fonts
-    noto-fonts-cjk-sans
-    noto-fonts-emoji
-    noto-fonts-extra
-    nerd-fonts.fira-code
-    nerd-fonts.droid-sans-mono
   ];
 }

sys/modules/defaultDesktopPack.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.defaultDesktopPack;
+in {
+  options.local.sys.defaultDesktopPack = {
+    enable = mkEnableOption "common desktop programs and services";
+  };
+  config = mkIf cfg.enable {
+    local.sys = {
+      baseline.enable = true;
+
+      audio.enable = true;
+      graphics.enable = true;
+      gtklock.enable = true;
+      steam.enable = true;
+
+      users = {
+        fabian = {
+          enable = true;
+          unixId = 1002; #TODO !!!!!!
+        };
+      };
+    };
+
+    trivium = {
+      sway.enable = true;
+      trivionomiconMotd.enable = true;
+    };
+
+    networking = {
+      networkmanager.enable = true;
+      useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+    };
+
+    services = {
+      fwupd.enable = true;
+    };
+  };
+}

sys/modules/dufs.nix

@@ -0,0 +1,233 @@
+# https://github.com/NixOS/nixpkgs/blob/c77cd68706b590b44334bb8c506239b3384c26a0/nixos/modules/services/misc/dufs.nix
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.dufs;
+  types = lib.types;
+in {
+  options.local.sys.dufs = {
+    enable = lib.mkEnableOption "the dufs server";
+    package = lib.mkPackageOption pkgs "dufs" {};
+    settings = lib.mkOption {
+      type = types.submodule {
+        options = {
+          serve-path = lib.mkOption {
+            type = types.path;
+            description = "Specific path to serve.";
+          };
+          bind = lib.mkOption {
+            type = types.nullOr types.str;
+            description = "Specify bind address or unix socket.";
+            default = null;
+          };
+          port = lib.mkOption {
+            type = types.port;
+            description = "Specify port to listen on.";
+            default = 5000;
+          };
+          path-prefix = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Specify a path prefix.";
+            default = null;
+          };
+          hidden = lib.mkOption {
+            type = types.listOf types.str;
+            description = "Hide paths from directory listings, e.g. tmp,*.log,*.lock.";
+            default = [];
+            example = lib.literalExpression ''
+              [
+                "tmp"
+                "*.log"
+                "*.lock."
+              ]
+            '';
+          };
+          allow-all = lib.mkOption {
+            type = types.bool;
+            description = "Allow all operations.";
+            default = true;
+          };
+          allow-upload = lib.mkOption {
+            type = types.bool;
+            description = "Allow upload files/folders.";
+            default = false;
+          };
+          allow-delete = lib.mkOption {
+            type = types.bool;
+            description = "Allow delete files/folders.";
+            default = false;
+          };
+          allow-search = lib.mkOption {
+            type = types.bool;
+            description = "Allow search files/folders.";
+            default = false;
+          };
+          allow-symlink = lib.mkOption {
+            type = types.bool;
+            description = "Allow symlink to files/folders outside root directory.";
+            default = false;
+          };
+          allow-archive = lib.mkOption {
+            type = types.bool;
+            description = "Allow zip archive generation.";
+            default = false;
+          };
+          enable-cors = lib.mkOption {
+            type = types.bool;
+            description = "Enable CORS, sets `Access-Control-Allow-Origin: *`.";
+            default = false;
+          };
+          render-index = lib.mkOption {
+            type = types.bool;
+            description = "Serve index.html when requesting a directory, returns 404 if not found index.html.";
+            default = false;
+          };
+          render-try-index = lib.mkOption {
+            type = types.bool;
+            description = "Serve index.html when requesting a directory, returns directory listing if not found index.html.";
+            default = false;
+          };
+          render-spa = lib.mkOption {
+            type = types.bool;
+            description = "Serve SPA(Single Page Application).";
+            default = false;
+          };
+          assets = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Set the path to the assets directory for overriding the built-in assets.";
+            default = null;
+          };
+          log-format = lib.mkOption {
+            type = types.nullOr types.str;
+            description = "Customize http log format.";
+            default = null;
+            example = lib.literalExpression ''
+              "$remote_addr \"$request\" $status"
+            '';
+          };
+          compress = lib.mkOption {
+            type = types.enum [
+              "none"
+              "low"
+              "medium"
+              "high"
+            ];
+            description = "Customize http log format.";
+            default = "none";
+          };
+          tls-cert = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Path to an SSL/TLS certificate to serve with HTTPS.";
+            default = null;
+          };
+          tls-key = lib.mkOption {
+            type = types.nullOr types.path;
+            description = "Path to the SSL/TLS certificate's private key.";
+            default = null;
+          };
+        };
+      };
+      description = "Settings for dufs.";
+    };
+    authFile = lib.mkOption {
+      type = types.nullOr types.path;
+      description = ''
+        Path to file containing auth roles (e.g. user:pass@/dir1:rw,/dir2), one per line.
+
+        Passwords may be hashed, see https://github.com/sigoden/dufs#hashed-password.
+      '';
+      default = null;
+    };
+    openFirewall = lib.mkOption {
+      type = types.bool;
+      description = "Open firewall on configured port.";
+      default = false;
+    };
+    user = lib.mkOption {
+      type = types.str;
+      description = "User to run dufs under.";
+      default = "dufs";
+    };
+    group = lib.mkOption {
+      type = types.str;
+      description = "Group to run dufs under.";
+      default = "dufs";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [cfg.settings.port];
+    systemd.services.dufs = let
+      settings = lib.filterAttrs (_: v: v != null) cfg.settings;
+      pathWritable = settings.allow-all || settings.allow-upload || settings.allow-delete;
+    in {
+      after = ["network.target"];
+      wantedBy = ["multi-user.target"];
+      environment.DUFS_CONFIG = (pkgs.formats.yaml {}).generate "dufs-config.yaml" settings;
+      script = ''
+        ${lib.optionalString (cfg.authFile != null) ''
+          export DUFS_AUTH=$(tr '\n' '|' < ${lib.escapeShellArg cfg.authFile} | sed 's/|$//')
+        ''}
+        exec ${lib.escapeShellArg (lib.getExe cfg.package)}
+      '';
+      serviceConfig = {
+        BindReadOnlyPaths =
+          [
+            builtins.storeDir
+          ]
+          ++ lib.optional (!pathWritable) settings.serve-path
+          ++ lib.optional (cfg.authFile != null) cfg.authFile;
+        BindPaths = lib.mkIf pathWritable settings.serve-path;
+        CapabilityBoundingSet = "";
+        DeviceAllow = "";
+        Group = cfg.group;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RootDirectory = "/run/dufs";
+        RuntimeDirectory = "dufs";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@resources"
+          "~@privileged"
+        ];
+        User = cfg.user;
+      };
+    };
+    users = {
+      users.dufs = lib.mkIf (cfg.user == "dufs") {
+        group = cfg.group;
+        home = cfg.settings.serve-path;
+        isSystemUser = true;
+      };
+      groups.dufs = lib.mkIf (cfg.group == "dufs") {};
+    };
+  };
+  meta.maintainers = with lib.maintainers; [jackwilsdon];
+}

sys/modules/graphics.nix

@@ -16,7 +16,5 @@ in {
     };
 
     hardware.graphics.enable = true;
-
-    programs.dconf.enable = true;
   };
 }

sys/modules/users.nix

@@ -31,7 +31,7 @@ in {
 
   config = {
     local.sys.users = {
-      chem = {
+      fabian = {
         unixId = mkDefault 1000;
         admin = true;
       };
@@ -54,7 +54,7 @@ in {
           shell = pkgs.zsh;
           extraGroups =
             ["users" "networkmanager"]
-            ++ optionals (v.admin) ["wheel" "libvirtd" "dialout" "adbusers"];
+            ++ optionals (v.admin) ["wheel" "libvirtd" "dialout" "adbusers" "video" "input"];
           openssh.authorizedKeys.keyFiles = v.sshKeyPublicFile;
         })
         enabledUsers;

sys/modules/yubikey.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.yubikey;
+in {
+  options.local.sys.yubikey = {
+    enable = mkEnableOption "yubikey settings";
+  };
+  config = mkIf cfg.enable {
+    services = {
+      pcscd.enable = true;
+      udev.packages = [pkgs.yubikey-personalization];
+    };
+
+    environment.etc."pkcs11/modules/ykcs11".text = ''
+      module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+    '';
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+
+    security.pam = {
+      services = {
+        login.u2fAuth = true;
+        sudo.u2fAuth = true;
+      };
+
+      u2f = {
+        enable = true;
+        control = "sufficient";
+        settings = {
+          debug = false;
+          cue = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/posixlycorrect/default.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}: {
+  imports = [
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+  ];
+
+  local.sys = {
+    defaultDesktopPack.enable = true;
+
+    yubikey.enable = true;
+    virtualisation.enable = true;
+    androidSupport.enable = true;
+    borgsync = {
+      enable = true;
+      paths = [
+        "/home/fabian/nix"
+        "/home/fabian/safe"
+        "/xtern/backup"
+      ];
+      repoName = "posixlycorrect";
+    };
+  };
+
+  networking = {
+    hostName = "posixlycorrect";
+    hostId = "0414a727";
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = true;
+    supportedFilesystems = ["zfs"];
+    zfs = {
+      forceImportRoot = false;
+      useKeyringForCredentials = true;
+    };
+  };
+
+  time.timeZone = "America/Costa_Rica";
+}

sys/platforms/posixlycorrect/hardware-configuration.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: let
+  subvol = subvol: {
+    device = "/dev/disk/by-uuid/645fdba0-5c03-4285-926b-facded1ee259";
+    fsType = "btrfs";
+    options = ["subvol=${subvol}" "compress=zstd" "noatime" "ssd"];
+  };
+in {
+  imports = [
+    flakes.nixpkgs.nixosModules.notDetected
+  ];
+
+  boot.initrd = {
+    availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+    luks.devices."toplevel" = {
+      device = "/dev/disk/by-uuid/58277baa-90d4-4a5e-a658-1b918b89130a";
+      preLVM = false;
+    };
+  };
+
+  fileSystems = {
+    "/" = subvol "root";
+    "/toplevel" = subvol "/";
+    "/boot" = {
+      device = "/dev/disk/by-uuid/B007-B007";
+      fsType = "vfat";
+      options = ["umask=027"];
+    };
+  };
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

sys/platforms/t14/default.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}: {
+  imports = [
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+  ];
+
+  local.sys = {
+    defaultDesktopPack.enable = true;
+
+    yubikey.enable = true;
+    bluetooth.enable = true;
+    androidSupport.enable = true;
+  };
+
+  trivium = {
+    laptop.enable = true;
+    thinkpad.enable = true;
+  };
+
+  hardware.acpilight.enable = true;
+
+  networking.hostName = "t14";
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+  };
+
+  time.timeZone = "America/Costa_Rica";
+}

sys/platforms/t14/hardware-configuration.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  services.xserver.videoDrivers = ["i915" "modesetting" "fbdev"];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "sdhci_pci"];
+      kernelModules = ["dm-snapshot"];
+      luks.devices."tomb" = {
+        device = "/dev/disk/by-uuid/0b2b9aec-c239-4cce-948d-4411d9300c1d";
+        preLVM = true;
+      };
+    };
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=root"];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/A7E5-EEAB";
+      fsType = "vfat";
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=nix"];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+      options = ["subvol=home"];
+    };
+
+    "/toplevel" = {
+      device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
+      fsType = "btrfs";
+    };
+  };
+
+  swapDevices = [];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

sys/platforms/vps/default.nix

@@ -0,0 +1,140 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  doctrine,
+  ...
+}:
+with lib; {
+  imports = [
+    flakes.vpsadminos.nixosConfigurations.container
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./hardware-configuration.nix
+    ./srv
+    ./networkMap.nix
+  ];
+
+  local.sys = {
+    baseline.enable = true;
+
+    borgsync = {
+      enable = true;
+      paths = [
+        "/var/lib/forgejo"
+        "/var/lib/mealie"
+        "/var/lib/trilium"
+        "/var/lib/forgejo"
+      ];
+      repoName = "vps";
+    };
+
+    users.fabian = {
+      enable = true;
+      sshKeyPublicFile = [pki/id_ed25519.pub]; # move this out someday
+    };
+  };
+
+  trivium.soju = {
+    enable = true;
+    fullyQualifiedDomain = "soju.posixlycorrect.com";
+  };
+
+  services.openssh = {
+    settings.PasswordAuthentication = false;
+  };
+
+  programs.mosh.enable = true;
+
+  networking = {
+    hostName = "vps";
+    domain = "posixlycorrect.com";
+    firewall.allowedUDPPorts = [51820]; #TODO
+  };
+
+  time.timeZone = "Europe/Amsterdam";
+
+  systemd = {
+    extraConfig = ''
+      DefaultTimeoutStartSec=900s
+    '';
+
+    network = let
+      inherit (config.local.sys) nets;
+    in {
+      enable = true;
+
+      netdevs = {
+        wg-vpn = {
+          netdevConfig = {
+            Name = "wg-vpn";
+            Kind = "wireguard";
+          };
+
+          wireguardConfig = {
+            PrivateKeyFile = "/var/trust/wg/vpn/key.priv";
+            ListenPort = "51820";
+          };
+
+          wireguardPeers = [
+            {
+              PublicKey = "wwUp3Uu/rSxbp+6J745O+cpnZHGWOJYWfWEsTjRE3yU=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-posixlycorrect.psk";
+              AllowedIPs = ["${nets.vpn-posixlycorrect.v6.cidr}"];
+            }
+            {
+              PublicKey = "YFqg/ED26KygSRSmGzvUXpwnXPqMOI3R3caVfAtHVks=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-pixel8.psk";
+              AllowedIPs = ["${nets.vpn-pixel8.v6.cidr}"];
+            }
+          ];
+        };
+      };
+
+      networks = {
+        wg-vpn = {
+          name = "wg-vpn";
+
+          networkConfig = {
+            Address = [
+              nets.vpn-vps.hosts.vps.v6.cidr
+            ];
+          };
+
+          routes = [
+            {
+              Destination = nets.vpn.v6.cidr;
+            }
+            {
+              Source = nets.vpn.v6.cidr;
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+
+    extraSpecialArgs = {
+      inherit flakes;
+      doctrine = flakes.trivionomicon.lib.mkDoctrine {
+        inherit pkgs;
+        inherit (doctrine) prefix;
+        namespace = "hm";
+      };
+    };
+
+    users.fabian = {
+      imports = [
+        flakes.impermanence.nixosModules.home-manager.impermanence
+        "${flakes.self}/home/platforms/fabian@vps"
+        "${flakes.self}/home"
+      ];
+    };
+  };
+}

sys/platforms/vps/hardware-configuration.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  flakes,
+  modulesPath,
+  ...
+}: let
+in {
+  fileSystems = {
+    "/mnt/export2008" = {
+      device = "172.16.129.19:/nas/5876";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2178" = {
+      device = "172.16.129.151:/nas/5876/immich";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2179" = {
+      device = "172.16.131.31:/nas/5876/syncthing";
+      fsType = "nfs";
+      options = ["nofail"];
+    };
+  };
+}

sys/platforms/vps/networkMap.nix

@@ -0,0 +1,78 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  local.sys.nets = {
+    default = {
+      v4 = {
+        bits = 32;
+        prefix = "37.205.12.34";
+      };
+
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:fe:102";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+        vps.v4.suffix = "";
+      };
+    };
+
+    vpn = {
+      v6 = {
+        bits = 48;
+        prefix = "2a03:3b40:2b";
+      };
+    };
+
+    vpn-vps = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1000";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+      };
+    };
+
+    vpn-posixlycorrect = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1001";
+      };
+
+      hosts = {
+        posixlycorrect.v6.suffix = "1";
+      };
+    };
+
+    vpn-pixel8 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1002";
+      };
+
+      hosts = {
+        pixel8.v6.suffix = "1";
+      };
+    };
+
+    vpn-t14 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1003";
+      };
+
+      hosts = {
+        t14.v6.suffix = "1";
+      };
+    };
+  };
+}

sys/platforms/vps/pki/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICls/LbyzkIXj5HCp7Qc4eoGcUXzJdQFshNX2caPwgNh openpgp:0x1B7A8CB7

sys/platforms/vps/srv/calibre-web.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."calibre.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://[::1]:8083";
+        };
+      };
+    };
+
+    calibre-web = {
+      enable = true;
+      options = {
+        enableBookUploading = true;
+        calibreLibrary = "/var/lib/calibre-web/calibre_library";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/default.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+    ./net.nix
+    ./mediawiki.nix
+    ./forgejo.nix
+    ./vaultwarden.nix
+    ./msmtp.nix
+    ./trilium.nix
+    ./syncthing.nix
+    ./calibre-web.nix
+    ./immich.nix
+    ./mealie.nix
+    ./dufs.nix
+    ./isso.nix
+    ./miniflux.nix
+    ./radicale.nix
+  ];
+}

sys/platforms/vps/srv/dufs.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."public.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5000";
+        };
+      };
+    };
+  };
+
+  local.sys.dufs = {
+    enable = true;
+    settings = {
+      serve-path = "/var/public";
+      allow-all = false;
+      allow-archive = true;
+    };
+  };
+}

sys/platforms/vps/srv/forgejo.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  config = {
+    environment.etc."fail2ban/filter.d/gitea.local".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+    '';
+
+    services = {
+      nginx = {
+        virtualHosts."git.posixlycorrect.com" = {
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 128;
+          '';
+          locations."/".proxyPass = "http://localhost:9170";
+        };
+      };
+
+      fail2ban.jails.gitea.settings = {
+        filter = "gitea";
+        logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+        maxretry = "10";
+        findtime = "3600";
+        bantime = "900";
+        action = "iptables-allports";
+      };
+
+      forgejo = {
+        enable = true;
+        lfs.enable = true;
+        useWizard = false;
+        settings = {
+          general.APP_NAME = "posixlycorrect";
+          ui.DEFAULT_THEME = "forgejo-dark";
+          server = {
+            DOMAIN = "git.posixlycorrect.com";
+            ROOT_URL = "https://git.posixlycorrect.com";
+            HTTP_PORT = 9170;
+            LANDING_PAGE = "explore";
+          };
+
+          service.DISABLE_REGISTRATION = true;
+
+          actions = {
+            ENABLED = true;
+          };
+          mailer = {
+            ENABLED = false;
+          };
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/immich.nix

@@ -0,0 +1,72 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."photos.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://localhost:2283";
+        };
+      };
+    };
+
+    immich = {
+      enable = true;
+      secretsFile = "/var/trust/immich/secrets.txt";
+      mediaLocation = "/mnt/export2178/immich/media";
+      machine-learning.enable = false;
+      environment = {
+        IMMICH_TELEMETRY_EXCLUDE = "host,api,io,repo,job";
+      };
+      settings = {
+        machineLearning = {
+          enabled = false;
+        };
+        job = {
+          backgroundTask = {
+            concurrency = 1;
+          };
+          smartSearch = {
+            concurrency = 1;
+          };
+          metadataExtraction = {
+            concurrency = 1;
+          };
+          faceDetection = {
+            concurrency = 1;
+          };
+          search = {
+            concurrency = 1;
+          };
+          sidecar = {
+            concurrency = 1;
+          };
+          library = {
+            concurrency = 1;
+          };
+          migration = {
+            concurrency = 1;
+          };
+          thumbnailGeneration = {
+            concurrency = 1;
+          };
+          videoConversion = {
+            concurrency = 1;
+          };
+          notifications = {
+            concurrency = 1;
+          };
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/isso.nix

@@ -0,0 +1,45 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."isso.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8888/";
+        };
+      };
+    };
+
+    isso = {
+      enable = true;
+      settings = {
+        general = {
+          host = "https://posixlycorrect.com/";
+          dbpath = "/var/lib/isso/comments.db";
+          notify = "stdout";
+        };
+        moderation = {
+          enabled = false;
+          approve-if-email-previously-approved = false;
+          purge-after = "365d";
+        };
+        server = {
+          listen = "http://127.0.0.1:8888/";
+        };
+        guard = {
+          require-author = true;
+          require-email = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/mealie.nix

@@ -0,0 +1,37 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  systemd.services.wiki-js = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+
+  services = {
+    nginx = {
+      virtualHosts."food.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9000";
+        };
+      };
+    };
+
+    mealie = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      port = 9000;
+      credentialsFile = "/var/trust/mealie/credentials.env";
+      settings = {
+        ALLOW_SIGNUP = "false";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/mediawiki.nix

@@ -0,0 +1,71 @@
+{
+  lib,
+  pkgs,
+  flakes,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."wiki.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+    mediawiki = {
+      enable = true;
+      name = "posixlycorrect wiki";
+      webserver = "nginx";
+      nginx.hostName = "wiki.posixlycorrect.com";
+      database.type = "postgres";
+
+      passwordFile = "/run/keys/mediawiki-password";
+
+      skins = {
+        citizen = "${flakes.mediawikiSkinCitizen}";
+      };
+
+      extraConfig = ''
+        # Disable anonymous editing and account creation
+        $wgGroupPermissions['*']['edit'] = false;
+        $wgGroupPermissions['*']['createaccount'] = false;
+
+        $wgDefaultSkin = 'citizen';
+        $wgDefaultMobileSkin = 'citizen';
+        $wgCitizenThemeDefault = 'dark';
+        $wgCitizenShowPageTools = 'login';
+        $wgLogos = [
+          'icon' => "https://posixlycorrect.com/favicon.png",
+          '1x' => "https://posixlycorrect.com/favicon.png",
+          '2x' => "https://posixlycorrect.com/favicon.png",
+        ];
+
+        $wgEnableEmail = false; #TODO: arreglar esto
+        $wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
+        $wgEmergencyContact = 'mediawiki@posixlycorrect.com';
+        $wgPasswordSender = 'mediawiki@posixlycorrect.com';
+      '';
+
+      extensions = {
+        # some extensions are included and can enabled by passing null
+        VisualEditor = null;
+        CategoryTree = null;
+        CiteThisPage = null;
+        Scribunto = null;
+        Cite = null;
+        CodeEditor = null;
+        Math = null;
+        MultimediaViewer = null;
+        PdfHandler = null;
+        Poem = null;
+        SecureLinkFixer = null;
+        WikiEditor = null;
+        ParserFunctions = null;
+      };
+    };
+  };
+}

sys/platforms/vps/srv/miniflux.nix

@@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."rss.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8087";
+        };
+      };
+    };
+
+    miniflux = {
+      enable = true;
+      adminCredentialsFile = "/var/trust/miniflux/adminCredentialsFile";
+      config = {
+        CLEANUP_FREQUENCY = 48;
+        LISTEN_ADDR = "127.0.0.1:8087";
+        BASE_URL = "https://rss.posixlycorrect.com";
+        CREATE_ADMIN = 1;
+      };
+    };
+  };
+}

sys/platforms/vps/srv/msmtp.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  users.groups = {
+    mailsenders = {
+      members = ["fabian" "mediawiki"];
+    };
+  };
+
+  # esto sirve para que PHP pueda accesar la clave smtp de fastmail
+  #systemd.services.phpfpm-mediawiki = {
+  #  path = [ "/run/wrappers" ];
+  #  serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
+  #};
+
+  programs = {
+    msmtp = {
+      enable = true;
+      accounts = {
+        default = {
+          auth = true;
+          host = "smtp.fastmail.com";
+          port = 587;
+          passwordeval = "cat /var/trust/fastmail/smtp_key";
+          user = "fabianmontero@fastmail.com";
+          tls = true;
+          tls_starttls = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/net.nix

@@ -0,0 +1,100 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  inherit (config.local.sys) nets;
+in {
+  # adds "/var/lib/acme/acme-challenge" as a webroot fallback
+  options = {
+    security.acme = {
+      certs = mkOption {
+        type = with types;
+          attrsOf (submodule ({config, ...}: {
+            config = {
+              webroot =
+                if config.dnsProvider == null
+                then "/var/lib/acme/acme-challenge"
+                else null;
+            };
+          }));
+      };
+    };
+  };
+
+  config = {
+    networking = {
+      nftables.enable = false; # learn how to use this later
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [80 443];
+      };
+      domain = "posixlycorrect.com";
+    };
+
+    # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "fabian@posixlycorrect.com";
+      };
+    };
+
+    services = {
+      nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        logError = "/var/log/nginx/error.log";
+        clientMaxBodySize = "99M";
+        virtualHosts = {
+          "posixlycorrect.com" = {
+            forceSSL = true;
+            enableACME = true;
+            locations = {
+              "/".root = "${pkgs.trivium.homepage}";
+              "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
+            };
+          };
+        };
+      };
+
+      fail2ban = {
+        enable = true;
+        bantime = "10m";
+        ignoreIP = [
+          nets.default.hosts.vps.v6.cidr
+          nets.default.hosts.vps.v4.address
+          nets.vpn.v6.cidr
+        ];
+        bantime-increment = {
+          enable = true;
+          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+          maxtime = "48h"; # Do not ban for more than 48h
+          rndtime = "10m";
+          overalljails = true; # Calculate the bantime based on all the violations
+        };
+        jails = {
+          # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+          nginx-botsearch.settings = {
+            # Usar log en vez de journalctl
+            # TODO: Pasar todo a systemd?
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+          };
+          nginx-bad-request.settings = {
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+            maxretry = 10;
+          };
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/radicale.nix

@@ -0,0 +1,41 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."dav.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5232";
+        };
+      };
+    };
+
+    radicale = {
+      enable = true;
+      settings = {
+        server = {
+          hosts = ["127.0.0.1:5232"];
+        };
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = "/var/trust/radicale/htpasswd";
+          htpasswd_encryption = "bcrypt";
+        };
+        storage = {
+          filesystem_folder = "/var/lib/radicale/collections";
+        };
+        web.type = "internal";
+        rights.type = "authenticated";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/syncthing.nix

@@ -0,0 +1,42 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    syncthing = {
+      enable = true;
+      systemService = true;
+      overrideFolders = false;
+      overrideDevices = false;
+      openDefaultPorts = true;
+      guiAddress = "127.0.0.1:8384";
+      settings.options.urAccepted = -1;
+      dataDir = "/mnt/export2179/syncthing";
+      relay = {
+        enable = true;
+        pools = [];
+        providedBy = "vps.posixlycorrect.com";
+      };
+    };
+  };
+
+  # calibre web stuff. make this better someday, this is pure duct-tape
+  users.groups."calybresync".members = ["syncthing" "calibre-web"];
+  systemd = {
+    services."calybreown" = {
+      script = ''
+        chgrp -R calybresync /var/lib/calibre-web/calibre_library
+        chmod -R g+w /var/lib/calibre-web/calibre_library
+      '';
+      serviceConfig.Type = "oneshot";
+    };
+    timers."calybreown" = {
+      wantedBy = [
+        "timers.target"
+      ];
+      timerConfig.OnCalendar = "*-*-* *:00/30:00";
+    };
+  };
+}

sys/platforms/vps/srv/trilium.nix

@@ -0,0 +1,34 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."notes.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+
+    trilium-server = {
+      enable = true;
+      package = pkgs.trilium-next-server;
+      host = "127.0.0.1";
+      port = 8458;
+      noAuthentication = false;
+      noBackup = true; # I already backup the whole dataDir, so no need for this
+      instanceName = "posixlycorrect";
+      dataDir = "/var/lib/trilium";
+      nginx = {
+        enable = true;
+        hostName = "notes.posixlycorrect.com";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/vaultwarden.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."vault.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+      };
+    };
+
+    #fail2ban.jails.gitea.settings = { };
+
+    postgresql = {
+      ensureDatabases = ["vaultwarden"];
+      ensureUsers = [
+        {
+          name = "vaultwarden";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = "/var/trust/vaultwarden/smtp_key";
+      config = {
+        DOMAIN = "https://vault.posixlycorrect.com";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        ROCKET_LOG = "critical";
+
+        # Using FASTMAIL mail server
+        # If you use an external mail server, follow:
+        #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+        SMTP_HOST = "smtp.fastmail.com";
+        SMTP_PORT = 587;
+        SMTP_SECURITY = "starttls";
+
+        SMTP_FROM = "vault@posixlycorrect.com";
+        SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
+
+        SMTP_AUTH_MECHANISM = "PLAIN";
+
+        DATABASE_URL = "postgresql:///vaultwarden";
+      };
+    };
+
+    bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
+  };
+}

sys/platforms/yuki/default.nix

@@ -1,55 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  flakes,
-  ...
-}: {
-  imports = [
-    flakes.home-manager.nixosModules.home-manager
-    flakes.impermanence.nixosModule
-    ./hardware-configuration.nix
-  ];
-
-  local.sys = {
-    baseline.enable = true;
-
-    audio.enable = true;
-    graphics.enable = true;
-    virtualisation.enable = true;
-    androidSupport.enable = true;
-    steam.enable = true;
-    gtklock.enable = true;
-
-    users = {
-      chem = {
-        enable = true;
-      };
-    };
-  };
-
-  local.sway.enable = true;
-
-  networking = {
-    hostName = "yuki";
-    networkmanager.enable = true;
-
-    useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-    #interfaces.enp7s0.useDHCP = true; # Per-interface useDHCP will be mandatory in the future, so this generated config
-    #interfaces.wlp6s0.useDHCP = true; # replicates the default behaviour.
-  };
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    tmp.useTmpfs = true;
-    kernelPackages = pkgs.linuxPackages_zen;
-  };
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8"; #todo: move to baseline?
-
-  time.timeZone = "America/Costa_Rica"; #todo: move to baseline?
-}

sys/platforms/yuki/hardware-configuration.nix

@@ -1,42 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
-  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = ["kvm-intel"];
-  boot.extraModulePackages = [];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/b925ebc0-f717-4f0d-83ca-a9a29990b8e2";
-    fsType = "btrfs";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/EC62-0FDF";
-    fsType = "vfat";
-    options = ["fmask=0022" "dmask=0022"];
-  };
-
-  swapDevices = [];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

trivionomicon/flake.nix

@@ -9,11 +9,11 @@
     nixpkgs,
     flake-utils,
   }: let
-    mapOverlayOverride = namespace: overlay: final: prev: let
+    mapOverlayOverride = prefix: overlay: final: prev: let
       overlayPkgs = overlay final prev;
     in
       {
-        "${namespace}" = builtins.removeAttrs overlayPkgs ["override"];
+        "${prefix}" = (prev.${prefix} or {}) // builtins.removeAttrs overlayPkgs ["override"];
       }
       // (overlayPkgs.override or {});
 
@@ -30,7 +30,7 @@
       packages =
         (import nixpkgs {
           inherit system;
-          overlays = [(mapOverlayOverride doctrineNoPkgs.prefix (import ./pkgs))];
+          overlays = [self.overlays.default];
         }).${
           doctrineNoPkgs.prefix
         };
@@ -121,7 +121,7 @@
                     }
                     # NB: Preserve the relative order
                     {
-                      overlay = self.overlays.default;
+                      overlay = mapOverlayOverride prefix (import ./pkgs);
                       condition = true;
                     }
                     {
@@ -164,24 +164,12 @@
           }
           // optionalAttrs (paths ? nixosSource) {
             nixosConfigurations = let
-              nixosSystem = {modules}:
-                lib.makeOverridable nixpkgs.lib.nixosSystem {
-                  inherit modules pkgs system;
-
-                  specialArgs = {
-                    inherit flakes;
-
-                    doctrine = mkDoctrine {
-                      inherit pkgs;
-                      namespace = "sys";
-                    };
-                  };
-                };
-
               hostConfig = platform:
-                nixosSystem {
+                self.lib.mkSystem {
+                  inherit flakes pkgs;
+                  doctrine = doctrineNoPkgs;
+
                   modules = [
-                    self.nixosModules.default
                     nixosSourcePath
                     platform
                   ];
@@ -213,6 +201,29 @@
             in
               lib.mapAttrs home (importAll {root = hmPlatformsPath;});
           };
+
+        mkSystem = {
+          pkgs,
+          flakes,
+          doctrine,
+          modules,
+        }:
+          flakes.nixpkgs.lib.makeOverridable flakes.nixpkgs.lib.nixosSystem {
+            inherit pkgs;
+            inherit (pkgs) system;
+
+            modules = [self.nixosModules.default] ++ modules;
+
+            specialArgs = {
+              inherit flakes;
+
+              doctrine = self.lib.mkDoctrine {
+                inherit pkgs;
+                inherit (doctrine) prefix;
+                namespace = "sys";
+              };
+            };
+          };
       };
     };
 }

trivionomicon/modules/soju/default.nix

@@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "soju";
+  sys = ./sys.nix;
+  options = ./options.nix;
+}

trivionomicon/modules/soju/options.nix

@@ -0,0 +1,16 @@
+{lib, ...}:
+with lib.types; {
+  sys = {
+    fullyQualifiedDomain = lib.mkOption {
+      type = str;
+      example = "soju.trivionomicon.com";
+      description = "fully qualified domain name to be used by soju";
+    };
+
+    port = lib.mkOption {
+      type = port;
+      default = 6697;
+      description = "port to be used by soju";
+    };
+  };
+}

trivionomicon/modules/soju/sys.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  lib,
+  cfg,
+  doctrine,
+  ...
+}:
+with lib; {
+  security.acme.certs."${cfg.fullyQualifiedDomain}" = {
+    reloadServices = ["soju.service"];
+    group = "soju";
+  };
+
+  networking.firewall.allowedTCPPorts = [cfg.port];
+
+  services.soju = let
+    sojuCertDir = config.security.acme.certs."${cfg.fullyQualifiedDomain}".directory;
+  in {
+    enable = true;
+    hostName = "${cfg.fullyQualifiedDomain}";
+    listen = ["ircs://[::]:${toString cfg.port}"];
+    tlsCertificate = "${sojuCertDir}/fullchain.pem";
+    tlsCertificateKey = "${sojuCertDir}/key.pem";
+  };
+
+  systemd.services.soju = {
+    after = ["acme-${cfg.fullyQualifiedDomain}.service"];
+    serviceConfig = {
+      DynamicUser = mkForce false; # fuck dynamic users
+      User = "soju";
+      Group = "soju";
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      RemoveIPC = true;
+    };
+  };
+
+  users = {
+    users.soju = {
+      isSystemUser = true;
+      group = "soju";
+    };
+    groups.soju = {};
+  };
+}

trivionomicon/modules/trivionomiconMotd/default.nix

@@ -0,0 +1,10 @@
+{
+  config,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "trivionomiconMotd";
+  sys = ./sys.nix;
+}

trivionomicon/modules/trivionomiconMotd/sys.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  users.motd = ''
+                                          _   _             _   _
+                                         | | | |           | | | |
+     _ __   _____      _____ _ __ ___  __| | | |__  _   _  | |_| |__   ___
+    | '_ \ / _ \ \ /\ / / _ \ '__/ _ \/ _` | | '_ \| | | | | __| '_ \ / _ \
+    | |_) | (_) \ V  V /  __/ | |  __/ (_| | | |_) | |_| | | |_| | | |  __/
+    | .__/ \___/ \_/\_/ \___|_|  \___|\__,_| |_.__/ \__, |  \__|_| |_|\___|
+    | |                                              __/ |
+    |_|_____ _____  _______      _______ ____  _   _|___/_  __  __ _____ _____ ____  _   _
+    |__   __|  __ \|_   _\ \    / /_   _/ __ \| \ | |/ __ \|  \/  |_   _/ ____/ __ \| \ | |
+       | |  | |__) | | |  \ \  / /  | || |  | |  \| | |  | | \  / | | || |   | |  | |  \| |
+       | |  |  _  /  | |   \ \/ /   | || |  | | . ` | |  | | |\/| | | || |   | |  | | . ` |
+       | |  | | \ \ _| |_   \  /   _| || |__| | |\  | |__| | |  | |_| || |___| |__| | |\  |
+       |_|  |_|  \_\_____|   \/   |_____\____/|_| \_|\____/|_|  |_|_____\_____\____/|_| \_|
+  '';
+}

trivionomicon/modules/waybar/default.nix

@@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "waybar";
+  hm = ./hm.nix;
+  options = ./options.nix;
+}

trivionomicon/modules/waybar/hm.nix

@@ -0,0 +1,207 @@
+{
+  lib,
+  pkgs,
+  cfg,
+  doctrine,
+  ...
+}:
+with lib; {
+  programs.waybar = {
+    enable = true;
+    settings = {
+      mainBar = {
+        layer = "top";
+        position = "top";
+        height = 20;
+        spacing = 0;
+
+        modules-left = [
+          "sway/workspaces"
+          "sway/mode"
+        ];
+        modules-center = [
+          "clock"
+        ];
+
+        modules-right =
+          [
+            "keyboard-state"
+            "privacy"
+            "idle_inhibitor"
+            "cpu"
+            "memory"
+            "disk"
+            "temperature"
+            "tray"
+          ]
+          ++ lists.optionals cfg.battery [
+            "battery"
+          ];
+        battery = mkIf cfg.battery {
+          format = "{capacity}% {icon}";
+          format-plugged = "{capacity}% 󱐥{icon}";
+          format-icons = ["󰂃" "󰁺" "󰁻" "󰁼" "󰁽" "󰁾" "󰁿" "󰂀" "󰂁" "󰂂" "󰁹"];
+          states = {
+            warning = 20;
+            critical = 10;
+          };
+        };
+        keyboard-state = {
+          capslock = true;
+          format.capslock = "{icon}";
+          format-icons = {
+            locked = "󰘲 ";
+            unlocked = "";
+          };
+        };
+        idle_inhibitor = {
+          format = "{icon}";
+          format-icons = {
+            activated = " ";
+            deactivated = " ";
+          };
+        };
+        tray = {
+          icon-size = 13;
+          spacing = 8;
+        };
+        clock = {
+          interval = 60;
+          format = "{:%A %B %d %Y %H:%M}";
+          tooltip = false;
+        };
+        cpu = {
+          format = " {usage}%";
+          tooltip = false;
+        };
+        memory = {
+          format = " {percentage}% ";
+          tooltip = true;
+          tooltip-format = "{used}/{total}";
+        };
+        disk = {
+          format = " {specific_used:0.0f}/{specific_total:0.0f}";
+          unit = "GiB";
+          tooltip = false;
+        };
+        temperature = {
+          format = " {temperatureC}°C";
+        };
+        privacy = {
+          icon-size = 12;
+        };
+      };
+    };
+    style = ''
+      * {
+        font-family: "${cfg.fontFamily}", monospace;
+        font-size: ${cfg.fontSize};
+        font-weight: 500;
+        border: none;
+        box-shadow: none;
+      }
+
+      /* Entire bar: fully transparent, no border */
+      window#waybar {
+        background: transparent;
+        color: #eaeaea;
+        margin: 0;
+        padding: 0;
+      }
+
+      /* Optional: small edge breathing room (comment out if you want edge-to-edge) */
+      /* window#waybar { margin: 3px 6px 0 6px; } */
+
+      /* Module containers */
+      .modules-left, .modules-center, .modules-right {
+        padding: 0;
+        margin: 0 6px;
+      }
+
+      /* Subtle separators between modules (no boxes) */
+      .modules-left > widget:not(:first-child),
+      .modules-center > widget:not(:first-child),
+      .modules-right > widget:not(:first-child) {
+        margin-left: 12px;
+        padding-left: 12px;
+        border-left: 1px solid rgba(255, 255, 255, 0.08);
+      }
+
+      /* Tightest possible workspaces */
+      #workspaces { padding: 0; margin: 0; }
+      #workspaces button {
+        margin: 0;
+        padding: 0 3px;
+        min-width: 0;
+        border-radius: 0;
+        background: transparent;
+        color: #cfcfcf;
+      }
+      #workspaces button:hover {
+        background: rgba(255, 255, 255, 0.06);
+      }
+      #workspaces button.active,
+      #workspaces button.focused {
+        background: rgba(255, 255, 255, 0.10);
+        color: #ffffff;
+        box-shadow: inset 0 -2px #ffffff;
+      }
+      #workspaces button.urgent {
+        background: rgba(255, 80, 80, 0.25);
+        box-shadow: inset 0 -2px #ff5050;
+      }
+
+      /* Focused window title: single line, no glow */
+      #window {
+        padding: 0 6px;
+        margin: 0;
+        color: #dedede;
+      }
+
+      /* Sway mode indicator: visible only when active, no bloat */
+      #mode {
+        padding: 0 6px;
+        margin: 0;
+        background: rgba(255, 255, 255, 0.10);
+        color: #ffffff;
+        box-shadow: inset 0 -2px #ffffff;
+      }
+
+      /* Status modules — keep them flat and compact */
+      #clock, #battery, #network, #pulseaudio, #backlight, #cpu, #memory, #temperature, #tray {
+        padding: 0 6px;
+        margin: 0;
+        background: transparent;
+        color: #eaeaea;
+      }
+
+      /* States (battery, network, audio) */
+      #battery.charging { color: #27f902; }
+      #battery.warning:not(.charging) { color: #fc8b02; }
+      #battery.critical:not(.charging) { color: #fc0000; }
+
+      #network.disconnected { color: #ffb4b4; }
+      #pulseaudio.muted    { color: #9aa0a6; }
+
+      /* Tray: compress icons */
+      #tray > .passive { opacity: 0.6; }
+      #tray > .needs-attention { opacity: 1; }
+
+      /* Tooltips: clean and readable */
+      tooltip {
+        background: rgba(30, 30, 30, 0.95);
+        border: 1px solid rgba(255, 255, 255, 0.08);
+        color: #eaeaea;
+        padding: 6px 8px;
+      }
+
+      /* Remove any leftover borders around everything */
+      #custom-*, #idle_inhibitor, #privacy, #bluetooth {
+        border: none;
+        background: transparent;
+        margin: 0;
+        padding: 0 6px;
+      }
+    '';
+  };
+}

trivionomicon/modules/waybar/options.nix

@@ -0,0 +1,23 @@
+{lib, ...}:
+with lib.types; {
+  hm = {
+    battery = lib.mkOption {
+      type = bool;
+      default = false;
+      description = ''
+        `true` to display battery info
+      '';
+    };
+    fontFamily = lib.mkOption {
+      type = str;
+      example = "JetBrainsMono Nerd Font";
+      description = ''
+        needs to be a nerdfont
+      '';
+    };
+    fontSize = lib.mkOption {
+      type = str;
+      default = "12px";
+    };
+  };
+}

trivionomicon/pkgs/default.nix

@@ -5,5 +5,6 @@ in {
   override = {};
 
   athena-bccr = callPackage ./athena-bccr {};
+  snapborg = final.python3Packages.callPackage ./snapborg {};
   spliit = callPackage ./spliit {};
 }

trivionomicon/pkgs/snapborg/0001-Remove-env-arg-from-subprocess-calls.patch

@@ -0,0 +1,29 @@
+From c363931656938f9cc3354b8e2797fe9abac1b0e3 Mon Sep 17 00:00:00 2001
+From: Alejandro Soto <alejandro@34project.org>
+Date: Sun, 31 Aug 2025 13:30:45 -0600
+Subject: [PATCH] Remove "env" arg from subprocess calls
+
+---
+ snapborg/borg.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/snapborg/borg.py b/snapborg/borg.py
+index 89a3d84..b74ddf7 100644
+--- a/snapborg/borg.py
++++ b/snapborg/borg.py
+@@ -173,11 +173,10 @@ def launch_borg(args, password=None, print_output=False, dryrun=False, cwd=None)
+         # TODO: parse output from JSON log lines
+         try:
+             if print_output:
+-                subprocess.run(cmd, env=env, check=True, cwd=cwd)
++                subprocess.run(cmd, check=True, cwd=cwd)
+             else:
+                 subprocess.check_output(cmd,
+                                         stderr=subprocess.STDOUT,
+-                                        env=env,
+                                         cwd=cwd)
+         except CalledProcessError as e:
+             if e.returncode == 1:
+-- 
+2.49.0
+

trivionomicon/pkgs/snapborg/default.nix

@@ -0,0 +1,34 @@
+{
+  borgbackup,
+  buildPythonApplication,
+  fetchFromGitHub,
+  lib,
+  packaging,
+  pyyaml,
+}:
+buildPythonApplication {
+  pname = "snapborg";
+  version = "0.1.0-unstable-20250331";
+
+  src = fetchFromGitHub {
+    repo = "snapborg";
+    owner = "enzingerm";
+
+    rev = "7e860395319f995161a6e0c7954ce47635e3cd59";
+    hash = "sha256-RzYL4IHulk1Q/ALWFs6YCTeCO8ohwqXH2NMHRctRVSA=";
+  };
+
+  patches = [
+    ./0001-Remove-env-arg-from-subprocess-calls.patch # Fixes broken $PATH when calling borg
+  ];
+
+  propagatedBuildInputs = [
+    borgbackup
+    packaging
+    pyyaml
+  ];
+
+  preFixup = ''
+    makeWrapperArgs+=(--prefix PATH : ${lib.makeBinPath [borgbackup]})
+  '';
+}