add influx listener to telegraf

add shimmie
add prowlarr
2025-05-29 12:55:45 +02:00 · 2025-04-20 18:57:58 +02:00 · 2025-04-19 19:17:46 +02:00 · 2025-04-05 18:50:31 +02:00 · 2025-04-04 10:58:51 +02:00 · 2025-04-04 10:37:40 +02:00
37 changed files with 1574 additions and 1658 deletions
--- a/.gitea/workflows/nix-flake-check.yaml
+++ b/.gitea/workflows/nix-flake-check.yaml
@ -0,0 +1,14 @@
+name: nix flake check
+on:
+  push:
+    branches:
+      - 'renovate/**'
+
+jobs:
+  nix-flake-update:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+      - run: /root/.nix-profile/bin/nix flake check --all-systems
--- a/.sops.yaml
+++ b/.sops.yaml
@ -2,7 +2,7 @@ keys:
  - &user_patrick 5FA64909521A5C85992F26E0F819AEFF941BB849
  - &host_celestia age1vadwmwh8ckfal7j83gwrwn9324gqufwgkxskznhp9v867amndcwqgp2w6t
  - &host_primordial age12u7ayy2q5dps2pcpc6z7962pz07jxv3tt03hna6jyumlu4fdjvtqdg2n3e
-  - &host_laptop age1fhnujflp29sekvwjgw0ue2hnmjum3fpcj80vly0rkt07u9xwlf7ql25mkk
+  - &host_framework age18kc63lpfutqlw505fkqagumqup6dtpudajeaheueuaf0frjpdc3suz49qk
 creation_rules:
  - path_regex: nixos/celestia/secrets\.yaml$
    key_groups:
@ -16,3 +16,9 @@ creation_rules:
      - *user_patrick
      age:
      - *host_primordial
+  - path_regex: nixos/framework/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *user_patrick
+      age:
+      - *host_framework
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -3,16 +3,23 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
-
    flake-utils.url = "github:numtide/flake-utils";
-    deploy = {
-      url = "github:serokell/deploy-rs";
+
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nurpkgs.url = "github:nix-community/NUR";
-    sops-nix.url = "github:Mic92/sops-nix";
-    lanzaboote.url = "github:nix-community/lanzaboote";
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nur = {
+      url = "github:nix-community/NUR";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
@ -23,21 +30,8 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    rycee-nurpkgs = {
-      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
-      inputs = {
-        nixpkgs.follows = "nixpkgs";
-        flake-utils.follows = "flake-utils";
-      };
-    };
-
-    nixpkgs-f2k = {
-      url = "github:fortuneteller2k/nixpkgs-f2k";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    devenv = {
-      url = "github:cachix/devenv/latest";
+    nixvim = {
+      url = "git+https://gitlab.fuckwit.dev/fuckwit/nixvim";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
--- a/home-modules/firefox-webapp.nix
+++ b/home-modules/firefox-webapp.nix
@ -14,31 +14,35 @@
      nameValuePair "home-manager-webapp-${name}" {
        id = cfg.id;

-        userChrome = ''
-          @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
+        userChrome =
+          /*
+          css
+          */
+          ''
+            @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");

-          browser {
-            margin-right: 0px; margin-bottom: 0px;
-          }
+            browser {
+              margin-right: 0px; margin-bottom: 0px;
+            }

-          #TabsToolbar {
-            visibility: collapse !important;
-          }
+            #TabsToolbar {
+              visibility: collapse !important;
+            }

-          #nav-bar {
-            margin-top: 0;
-            margin-bottom: -42px;
-            z-index: -100;
-          }
+            #nav-bar {
+              margin-top: 0;
+              margin-bottom: -42px;
+              z-index: -100;
+            }

-          #main-window[windowtype="navigator:browser"] {
-            background-color: transparent !important;
-          }
+            #main-window[windowtype="navigator:browser"] {
+              background-color: transparent !important;
+            }

-          .tab-background[selected="true"] {
-            background: ${cfg.backgroundColor} !important;
-          }
-        '';
+            .tab-background[selected="true"] {
+              background: ${cfg.backgroundColor} !important;
+            }
+          '';

        settings =
          cfg.extraSettings
--- a/home-modules/firefox/default.nix
+++ b/home-modules/firefox/default.nix
@ -0,0 +1,111 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkOption mkEnableOption mkPackageOption types;
+
+  defaultExtensions = with pkgs.nur.repos.rycee.firefox-addons; [
+    bitwarden
+    darkreader
+    i-dont-care-about-cookies
+    privacy-badger
+    ublock-origin
+  ];
+
+  defaultSettings = {
+    "app.normandy.first_run" = false;
+    "app.shield.optoutstudies.enabled" = false;
+
+    # disable updates (pretty pointless with nix)
+    "app.update.channel" = "default";
+
+    "browser.contentblocking.category" = "standard"; # "strict"
+    "browser.ctrlTab.recentlyUsedOrder" = false;
+
+    "browser.download.viewableInternally.typeWasRegistered.svg" = true;
+    "browser.download.viewableInternally.typeWasRegistered.webp" = true;
+    "browser.download.viewableInternally.typeWasRegistered.xml" = true;
+
+    "browser.search.region" = "DE";
+
+    "browser.shell.checkDefaultBrowser" = false;
+    "browser.tabs.loadInBackground" = true;
+    "browser.urlbar.placeholderName" = "EnteEnteLauf";
+    "browser.urlbar.showSearchSuggestionsFirst" = false;
+
+    # disable all the annoying quick actions
+    "browser.urlbar.quickactions.enabled" = false;
+    "browser.urlbar.quickactions.showPrefs" = false;
+    "browser.urlbar.shortcuts.quickactions" = false;
+    "browser.urlbar.suggest.quickactions" = false;
+
+    "distribution.searchplugins.defaultLocale" = "en-US";
+
+    "doh-rollout.balrog-migration-done" = true;
+    "doh-rollout.doneFirstRun" = true;
+
+    "general.useragent.locale" = "en-US";
+
+    "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
+
+    "extensions.extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
+    "extensions.update.enabled" = false;
+    "extensions.webcompat.enable_picture_in_picture_overrides" = true;
+    "extensions.webcompat.enable_shims" = true;
+    "extensions.webcompat.perform_injections" = true;
+    "extensions.webcompat.perform_ua_overrides" = true;
+
+    "privacy.donottrackheader.enabled" = true;
+    "browser.translations.enable" = false;
+
+    # Yubikey
+    "security.webauth.u2f" = true;
+    "security.webauth.webauthn" = true;
+    "security.webauth.webauthn_enable_softtoken" = false;
+    "security.webauth.webauthn_enable_usbtoken" = true;
+
+    "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+    "layout.word_select.stop_at_punctuation" = false;
+  };
+
+  cfg = config.personal.firefox;
+in {
+  options.personal.firefox = {
+    enable = mkEnableOption "Apply personal firefox defaults.";
+    package = mkPackageOption pkgs "firefox-bin" {};
+
+    extraExtensions = mkOption {
+      type = types.listOf types.package;
+      default = [];
+      description = "Extra Firefox extensions to install.";
+    };
+
+    settings = mkOption {
+      type = types.attrsOf ((pkgs.formats.json {}).type
+        // {
+          description = "Preferences (int, bool, string, and also attrs, list, float as a JSON string)";
+        });
+      default = defaultSettings;
+      description = "Attribute set of preferences.";
+    };
+  };
+
+  config = {
+    programs.firefox = lib.mkIf cfg.enable {
+      enable = true;
+      package = cfg.package;
+
+      profiles = {
+        default = {
+          isDefault = true;
+          id = 0;
+          userChrome = builtins.readFile ./userChrome.css;
+          extensions = defaultExtensions ++ cfg.extraExtensions;
+          inherit (cfg) settings;
+        };
+      };
+    };
+  };
+}
--- a/home-modules/firefox/userChrome.css
+++ b/home-modules/firefox/userChrome.css
@ -0,0 +1,76 @@
+/* Source file https://github.com/MrOtherGuy/firefox-csshacks/tree/master/chrome/toolbars_below_content_v2.css made available under Mozilla Public License v. 2.0
+See the above repository for updates as well as full license text. */
+
+/* This requires Firefox 133
+ * By default tabs will be the top-most toolbar, but you can set the following pref to move them to bottom:
+ * userchrome.toolbars-below-content.tabs-at-bottom.enabled
+ */
+
+#navigator-toolbox{
+  display: contents;
+  --uc-navbar-height: 40px;
+}
+:root[uidensity="compact"] #navigator-toolbox{
+  --uc-navbar-height: 34px;
+}
+#main-window > body > #browser,
+.global-notificationbox,
+ #tab-notification-deck,
+ #toolbar-menubar{
+  order: -1;
+}
+
+#TabsToolbar{
+  max-height: calc((var(--tab-min-height) + 2 * var(--tab-block-margin,0px)) * var(--multirow-n-rows,1));
+}
+#toolbar-menubar,
+#TabsToolbar{
+  background: inherit !important;
+}
+@media (-moz-platform: linux){
+  :root[sizemode="normal"][customtitlebar] #toolbar-menubar{
+    border-top-left-radius: inherit;
+    border-top-right-radius: inherit;
+  }
+  #toolbar-menubar,
+  #TabsToolbar{
+    opacity: 1 !important;
+    will-change: unset !important;
+  }
+  #notification-popup[side="top"]{
+    margin-top: calc(-2 * var(--panel-padding-block) - 40px - 32px - 8.5em) !important;
+  }
+  #permission-popup[side="top"]{
+    margin-top: calc(-2 * var(--panel-padding-block) - 2.5em);
+  }
+}
+
+#nav-bar,
+#PersonalToolbar{
+  background-image: linear-gradient(var(--toolbar-bgcolor),var(--toolbar-bgcolor)), var(--lwt-additional-images,var(--toolbar-bgimage)) !important;
+  background-position: top,var(--lwt-background-alignment);
+  background-position-y: calc(0px - var(--tab-min-height) - 2*var(--tab-block-margin,0px));
+  background-repeat: repeat,var(--lwt-background-tiling);
+}
+:root[lwtheme-image] #nav-bar,
+:root[lwtheme-image] #PersonalToolbar{
+  background-image: linear-gradient(var(--toolbar-bgcolor),var(--toolbar-bgcolor)),var(--lwt-header-image), var(--lwt-additional-images,var(--toolbar-bgimage)) !important;
+}
+#PersonalToolbar{
+  background-position-y: calc(0px - var(--tab-min-height) - 2*var(--tab-block-margin,0px) - var( --uc-navbar-height));
+}
+#urlbar[breakout][breakout-extend]{
+  display: flex !important;
+  flex-direction: column-reverse !important;
+  transform: translateY(calc(var(--urlbar-container-height) - 100%));
+}
+#urlbar[breakout-extend]:not([usertyping]) > .urlbar-input-container::after{
+  display: flex;
+  content: "";
+  height: calc(var(--urlbar-min-height) - 2px - 2 * var(--urlbar-container-padding));
+}
+.urlbarView-body-inner{ border-top-style: none !important; }
+
+#TabsToolbar{
+  order: 3
+}
--- a/home-modules/modules-list.nix
+++ b/home-modules/modules-list.nix
@ -1,5 +1,6 @@
 {...}: {
  imports = [
+    ./firefox
    ./firefox-webapp.nix
  ];
 }
--- a/home/configurations.nix
+++ b/home/configurations.nix
@ -1,27 +1,18 @@
 {
  nixpkgs,
-  nurpkgs,
+  nur,
  home-manager,
-  devenv,
+  nixvim,
  ...
 }: let
-  pkgs = import nixpkgs {
+  pkgs = import nixpkgs rec {
    system = "x86_64-linux";
-  };
-
-  nur = import nurpkgs {
-    inherit pkgs;
-    nurpkgs = pkgs;
+    overlays = [(final: prev: {nixvim = nixvim.packages.${system}.default;}) nur.overlays.default];
  };
 in {
  work = home-manager.lib.homeManagerConfiguration {
    inherit pkgs;

-    extraSpecialArgs = {
-      inherit devenv; # TODO: Remove dependency on devenv
-      ff-addons = nur.repos.rycee.firefox-addons;
-    };
-
    modules = [
      ../home-modules/modules-list.nix
      ./work
@ -31,12 +22,8 @@ in {
  framework = home-manager.lib.homeManagerConfiguration {
    inherit pkgs;

-    extraSpecialArgs = {
-      ff-addons = nur.repos.rycee.firefox-addons;
-    };
-
    modules = [
-      # ../home-modules/modules-list.nix
+      ../home-modules/modules-list.nix
      ./framework
    ];
  };
--- a/home/framework/default.nix
+++ b/home/framework/default.nix
@ -14,6 +14,7 @@
      moonlight-qt
      vesktop
      telegram-desktop
+      nixvim
    ];
    sessionPath = ["~/.local/bin"];
    sessionVariables = {
@ -27,6 +28,8 @@
    ./programs
  ];

+  services.udiskie.enable = true;
+
  accounts.email.accounts = {
    patrick = {
      primary = true;
--- a/home/framework/programs/alacritty/default.nix
+++ b/home/framework/programs/alacritty/default.nix
@ -0,0 +1,35 @@
+{...}: {
+  programs.alacritty = {
+    enable = true;
+
+    settings = {
+      general.live_config_reload = true;
+      env.TERM = "xterm-256color";
+      bell.duration = 0;
+      cursor.style = "Block";
+
+      scrolling = {
+        history = 10000;
+        multiplier = 3;
+      };
+
+      window = {
+        opacity = 0.9;
+      };
+
+      mouse.bindings = [
+        {
+          mouse = "Middle";
+          action = "PasteSelection";
+        }
+      ];
+
+      colors = {
+        primary = {
+          background = "0x000000";
+          foreground = "0xeaeaea";
+        };
+      };
+    };
+  };
+}
--- a/home/framework/programs/default.nix
+++ b/home/framework/programs/default.nix
@ -1,4 +1,5 @@
 [
+  ./alacritty
  ./firefox
  ./hyprland
  {
--- a/home/framework/programs/firefox/default.nix
+++ b/home/framework/programs/firefox/default.nix
@ -1,129 +1,5 @@
-{
-  pkgs,
-  lib,
-  stdenv,
-  specialArgs,
-  ...
-}: let
-  extensions = with specialArgs.ff-addons; [
-    bitwarden
-    darkreader
-    i-dont-care-about-cookies
-    privacy-badger
-    ublock-origin
-    tree-style-tab
-    tridactyl
-  ];
-
-  customChrome = ''
-    @-moz-document url(chrome://browser/content/browser.xhtml) {
-      /* tabs on bottom of window */
-      /* requires that you set
-       * toolkit.legacyUserProfileCustomizations.stylesheets = true
-       * in about:config
-       */
-      #main-window body { flex-direction: column-reverse !important; }
-      #navigator-toolbox { flex-direction: column-reverse !important; }
-      #urlbar {
-        top: unset !important;
-        bottom: calc((var(--urlbar-toolbar-height) - var(--urlbar-height)) / 2) !important;
-        box-shadow: none !important;
-        display: flex !important;
-        flex-direction: column !important;
-      }
-      #urlbar-input-container {
-        order: 2;
-      }
-      #urlbar > .urlbarView {
-        order: 1;
-        border-bottom: 1px solid #666;
-      }
-      #urlbar-results {
-        display: flex;
-        flex-direction: column-reverse;
-      }
-      .search-one-offs { display: none !important; }
-      .tab-background { border-top: none !important; }
-      #navigator-toolbox::after { border: none; }
-      #TabsToolbar .tabbrowser-arrowscrollbox,
-      #tabbrowser-tabs, .tab-stack { min-height: 28px !important; }
-      .tabbrowser-tab { font-size: 80%; }
-      .tab-content { padding: 0 5px; }
-      .tab-close-button .toolbarbutton-icon { width: 12px !important; height: 12px !important; }
-      toolbox[inFullscreen=true] { display: none; }
-    }
-  '';
-
-  userChrome = customChrome;
-
-  # ~/.mozilla/firefox/PROFILE_NAME/prefs.js | user.js
-  settings = {
-    "app.normandy.first_run" = false;
-    "app.shield.optoutstudies.enabled" = false;
-
-    # disable updates (pretty pointless with nix)
-    "app.update.channel" = "default";
-
-    "browser.contentblocking.category" = "standard"; # "strict"
-    "browser.ctrlTab.recentlyUsedOrder" = false;
-
-    "browser.download.viewableInternally.typeWasRegistered.svg" = true;
-    "browser.download.viewableInternally.typeWasRegistered.webp" = true;
-    "browser.download.viewableInternally.typeWasRegistered.xml" = true;
-
-    "browser.search.region" = "DE";
-
-    "browser.shell.checkDefaultBrowser" = false;
-    "browser.tabs.loadInBackground" = true;
-    "browser.urlbar.placeholderName" = "EnteEnteLauf";
-    "browser.urlbar.showSearchSuggestionsFirst" = false;
-
-    # disable all the annoying quick actions
-    "browser.urlbar.quickactions.enabled" = false;
-    "browser.urlbar.quickactions.showPrefs" = false;
-    "browser.urlbar.shortcuts.quickactions" = false;
-    "browser.urlbar.suggest.quickactions" = false;
-
-    "distribution.searchplugins.defaultLocale" = "en-US";
-
-    "doh-rollout.balrog-migration-done" = true;
-    "doh-rollout.doneFirstRun" = true;
-
-    "general.useragent.locale" = "en-US";
-
-    "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
-
-    "extensions.extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
-    "extensions.update.enabled" = false;
-    "extensions.webcompat.enable_picture_in_picture_overrides" = true;
-    "extensions.webcompat.enable_shims" = true;
-    "extensions.webcompat.perform_injections" = true;
-    "extensions.webcompat.perform_ua_overrides" = true;
-
-    "privacy.donottrackheader.enabled" = true;
-    "browser.translations.enable" = false;
-
-    # Yubikey
-    "security.webauth.u2f" = true;
-    "security.webauth.webauthn" = true;
-    "security.webauth.webauthn_enable_softtoken" = false;
-    "security.webauth.webauthn_enable_usbtoken" = true;
-
-    "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
-    "layout.word_select.stop_at_punctuation" = false;
-  };
-in {
-  programs.firefox = {
+{...}: {
+  personal.firefox = {
    enable = true;
-
-    package = pkgs.firefox-bin;
-
-    profiles = {
-      default = {
-        isDefault = true;
-        id = 0;
-        inherit extensions settings userChrome;
-      };
-    };
  };
 }
--- a/home/framework/programs/hyprland/default.nix
+++ b/home/framework/programs/hyprland/default.nix
@ -1,19 +1,84 @@
 {pkgs, ...}: {
-  wayland.windowManager.hyprland = let
-    locker = "${pkgs.swaylock}/bin/swaylock";
-    set-dpms = "${pkgs.hyprland}/bin/hyprctl dispatcher dpms";
-    locked-dpms = pkgs.writeShellScript "locked-dpms.sh" ''
-      ${pkgs.swayidle}/bin/swayidle -w \
-        timeout 10 'if pgrep -x swaylock; then ${set-dpms} off; fi' \
-        resume '${set-dpms} on'
-    '';
-    idle-script = pkgs.writeShellScript "idle-lock.sh" ''
-      ${pkgs.swayidle}/bin/swayidle -w \
-        timeout 300 '${locker} -f' \
-        timeout 330 '${set-dpms} off' \
-        resume '${set-dpms} on'
-    '';
-  in {
+  services.hypridle = {
+    enable = true;
+
+    settings = {
+      general = {
+        lock_cmd = "pidof hyprlock || hyprlock";
+      };
+
+      listener = [
+        {
+          timeout = 300;
+          on-timeout = "loginctl lock-session";
+        }
+        {
+          timeout = 330;
+          on-timeout = "hyprctl dispatch dpms off";
+          on-resume = "hyprctl dispatch dpms on";
+        }
+      ];
+    };
+  };
+
+  programs.hyprlock = {
+    enable = true;
+    settings = {
+      background = {
+        monitor = "";
+        path = "screenshot";
+
+        blur_passes = 2;
+        blur_size = 7;
+        noise = 1.17e-2;
+      };
+
+      auth.fingerprint.enabled = true;
+
+      label = [
+        {
+          monitor = "";
+          text = "$TIME";
+          color = "rgba(242, 243, 244, 0.75)";
+          font_size = 95;
+          position = "0, 300";
+          halign = "center";
+          valign = "center";
+        }
+        {
+          monitor = "";
+          text = ''cmd[update:1000] echo $(date +"%A, %B %d")'';
+          color = "rgba(242, 243, 244, 0.75)";
+          font_size = 22;
+          position = "0, 200";
+          halign = "center";
+          valign = "center";
+        }
+      ];
+
+      input-field = {
+        monitor = "";
+        size = "200,50";
+        outline_thickness = 2;
+        dots_size = 0.2;
+        dots_spacing = 0.35;
+        dots_center = true;
+        outer_color = "rgba(0, 0, 0, 0)";
+        inner_color = "rgba(0, 0, 0, 0.2)";
+        font_color = "rgb(111, 45, 104)";
+        fade_on_empty = false;
+        rounding = -1;
+        check_color = "rgb(30, 107, 204)";
+        placeholder_text = ''<i><span foreground="##cdd6f4">Input Password...</span></i>'';
+        hide_input = false;
+        position = "0, -100";
+        halign = "center";
+        valign = "center";
+      };
+    };
+  };
+
+  wayland.windowManager.hyprland = {
    enable = true;
    settings = {
      "$mod" = "SUPER";
@ -28,8 +93,6 @@
      exec-once = [
        "${pkgs.waybar}/bin/waybar"
        "${pkgs.mako}/bin/mako"
-        idle-script
-        locked-dpms
      ];

      input = {
@ -49,10 +112,12 @@

      decoration = {
        rounding = 5;
-        drop_shadow = true;
-        shadow_range = 4;
-        shadow_render_power = 3;
-        "col.shadow" = "rgba(1a1a1aee)";
+        shadow = {
+          enabled = true;
+          range = 4;
+          render_power = 3;
+          color = "rgba(1a1a1aee)";
+        };

        blur = {
          enabled = true;
@ -81,7 +146,7 @@
          "$mod, return, exec, ${pkgs.alacritty}/bin/alacritty"
          "$mod, D, exec, ${pkgs.rofi-wayland}/bin/rofi -show drun"
          "$mod SHIFT, Q, killactive, "
-          "$mod, L, exec, ${locker}"
+          "$mod, L, exec, loginctl lock-session"
          "$mod, V, togglefloating, "
          "$mod, F, fullscreen, 1"
          "$mod, P, pseudo, # dwindle"
--- a/home/work/default.nix
+++ b/home/work/default.nix
@ -1,14 +1,14 @@
 {
  config,
  pkgs,
-  devenv,
+  # devenv,
  ...
 }: {
  home = {
    stateVersion = "22.11";
    username = "patrick";
    homeDirectory = "/home/${config.home.username}";
-    packages = (pkgs.callPackage ./pkgs.nix {});
+    packages = pkgs.callPackage ./pkgs.nix {};
    # packages = (pkgs.callPackage ./pkgs.nix {}) ++ [devenv.packages.${pkgs.system}.devenv];
    sessionPath = ["~/.local/bin"];
    sessionVariables = {
--- a/home/work/pkgs.nix
+++ b/home/work/pkgs.nix
@ -1,15 +1,10 @@
 {pkgs, ...}:
 with pkgs; [
  age # Modern encryption tool with small explicit keys
-  arandr # simple GUI for xrandr
  atuin
  dig # dns command-line tool
  fd # "find" for files
-  # geckodriver # remote controll firefox
-  helix # modal editor
  htop # process monitor
-  hyperfine # command-line benchmarking tool
-  # i3lock # screen locker
  imagemagick # selection screenshot stuff
  just # just a command runner
  keepassxc # password manager
@ -22,22 +17,16 @@ with pkgs; [
  mtr # traceroute
  mumble # voice call client
  ncdu # disk space info (a better du)
-  neovim-unwrapped # best code editor on the planet
  networkmanagerapplet # systray applet for NetworkManager
-  # nitrogen # wallpapger manager
-  nushell # A modern shell written in Rust
  ouch # painless compression and decompression for your terminal
  pavucontrol # pulseaudio volume control
  playerctl # music player controller
  podman-compose # podman manager
-  restic # incremental backup tool
  ripgrep # fast grep
-  # rocketchat-desktop # company chat
  sops # Mozilla sops (Secrets OPerationS) is an editor of encrypted files
  thunderbird # email client
-  # xclip # clipboard support
-  # xsel # clipboard support (also for neovim)
  zeal # offline documentation browser
  zellij # A terminal workspace with batteries included
  wl-clipboard
+  nixvim
 ]
--- a/home/work/programs/alacritty/default.nix
+++ b/home/work/programs/alacritty/default.nix
@ -3,8 +3,7 @@
    enable = true;

    settings = {
-      live_config_reload = true;
-
+      general.live_config_reload = true;
      env.TERM = "xterm-256color";
      bell.duration = 0;
      cursor.style = "Block";
--- a/home/work/programs/bash/default.nix
+++ b/home/work/programs/bash/default.nix
@ -9,10 +9,14 @@
      rescue = "ssh-wrapper rescue";
    };

-    initExtra = ''
-      source ${pkgs.blesh}/share/blesh/ble.sh
-      export PATH=$PATH:~/.local/bin
-      export SSH_AUTH_SOCK=/run/user/1000/ssh-agent
-    '';
+    initExtra =
+      /*
+      bash
+      */
+      ''
+        source ${pkgs.blesh}/share/blesh/ble.sh
+        export PATH=$PATH:~/.local/bin
+        export SSH_AUTH_SOCK=/run/user/1000/ssh-agent
+      '';
  };
 }
--- a/home/work/programs/default.nix
+++ b/home/work/programs/default.nix
@ -3,6 +3,7 @@
  ./autorandr
  ./bash
  ./firefox
+  ./nvim
  ./rofi
  ./tmate
  ./xresources
@ -17,7 +18,7 @@

      eza = {
        enable = true;
-        icons = true;
+        icons = "auto";
        git = true;
      };

--- a/home/work/programs/firefox/default.nix
+++ b/home/work/programs/firefox/default.nix
@ -1,106 +1,6 @@
-{
-  pkgs,
-  lib,
-  stdenv,
-  specialArgs,
-  ...
-}: let
-  extensions = with specialArgs.ff-addons; [
-    bitwarden
-    darkreader
-    i-dont-care-about-cookies
-    privacy-badger
-    ublock-origin
-    # tree-style-tab
-    # tridactyl
-    keepassxc-browser
-  ];
-
-  userChrome = builtins.readFile ./userChrome.css;
-
-  # ~/.mozilla/firefox/PROFILE_NAME/prefs.js | user.js
-  settings = {
-    "app.normandy.first_run" = false;
-    "app.shield.optoutstudies.enabled" = false;
-
-    # disable updates (pretty pointless with nix)
-    "app.update.channel" = "default";
-
-    "browser.contentblocking.category" = "standard"; # "strict"
-    "browser.ctrlTab.recentlyUsedOrder" = false;
-
-    "browser.download.viewableInternally.typeWasRegistered.svg" = true;
-    "browser.download.viewableInternally.typeWasRegistered.webp" = true;
-    "browser.download.viewableInternally.typeWasRegistered.xml" = true;
-
-    "browser.search.region" = "DE";
-
-    "browser.shell.checkDefaultBrowser" = false;
-    "browser.tabs.loadInBackground" = true;
-    "browser.urlbar.placeholderName" = "EnteEnteLauf";
-    "browser.urlbar.showSearchSuggestionsFirst" = false;
-
-    # disable all the annoying quick actions
-    "browser.urlbar.quickactions.enabled" = false;
-    "browser.urlbar.quickactions.showPrefs" = false;
-    "browser.urlbar.shortcuts.quickactions" = false;
-    "browser.urlbar.suggest.quickactions" = false;
-
-    # disable tab preview on hover
-    "browser.tabs.hoverPreview.enabled" = false;
-    "browser.tabs.hoverPreview.showThumbnails" = false;
-
-    "distribution.searchplugins.defaultLocale" = "en-US";
-
-    "doh-rollout.balrog-migration-done" = true;
-    "doh-rollout.doneFirstRun" = true;
-
-    "general.useragent.locale" = "en-US";
-
-    "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
-
-    "extensions.extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
-    "extensions.update.enabled" = false;
-    "extensions.webcompat.enable_picture_in_picture_overrides" = true;
-    "extensions.webcompat.enable_shims" = true;
-    "extensions.webcompat.perform_injections" = true;
-    "extensions.webcompat.perform_ua_overrides" = true;
-
-    "privacy.donottrackheader.enabled" = true;
-
-    # Yubikey
-    "security.webauth.u2f" = true;
-    "security.webauth.webauthn" = true;
-    "security.webauth.webauthn_enable_softtoken" = false;
-    "security.webauth.webauthn_enable_usbtoken" = true;
-
-    "network.dns.ipv4OnlyDomains" = "google.com";
-
-    "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
-    "layout.word_select.stop_at_punctuation" = false;
-  };
-in {
-  programs.firefox = {
+{pkgs, ...}: {
+  personal.firefox = {
    enable = true;
-
-    package = pkgs.firefox-bin;
-
-    profiles = {
-      default = {
-        isDefault = true;
-        id = 0;
-        inherit extensions settings userChrome;
-      };
-    };
-
-    # webapps = {
-    #   rocket-chat = {
-    #     url = "https://chat.hetzner.company";
-    #     id = 1;
-
-    #     genericName = "Internet Messenger";
-    #     categories = ["Network" "InstantMessaging"];
-    #   };
-    # };
+    extraExtensions = with pkgs.nur.repos.rycee.firefox-addons; [keepassxc-browser];
  };
 }
--- a/home/work/programs/firefox/userChrome.css
+++ b/home/work/programs/firefox/userChrome.css
@ -1,88 +0,0 @@
-/* Source file https://github.com/MrOtherGuy/firefox-csshacks/tree/master/chrome/toolbars_below_content.css made available under Mozilla Public License v. 2.0
-See the above repository for updates as well as full license text. */
-
-/* Moves tabs toolbar, bookmarks toolbar and main toolbar to the bottom of the window, and makes tabs be the bottom-most toolbar */
-
-/* By default, menubar will stay on top with two options to select it's behavior - see below */
-
-@-moz-document url(chrome://browser/content/browser.xhtml){
-  
-  #titlebar{ -moz-appearance: none !important; }
-
-  #navigator-toolbox > div{ display: contents }
-  .global-notificationbox,
-  #mainPopupSet,
-  #browser,
-  #customization-container,
-  #tab-notification-deck{
-    order: -1;
-  }
-
-  /* Remove the next row if you want tabs to be the top-most row */
-  #titlebar{
-    order: 2;
-  } 
-
-  #toolbar-menubar{
-    position: fixed;
-    display: flex;
-    width: 100vw;
-    top: 0px;
-    -moz-window-dragging: drag;
-  }
-  /* Remove bottom border that won't do anything useful when at bottom of the window */
-  #navigator-toolbox{ border-bottom: none !important; }
-
-  #toolbar-menubar > spacer{ flex-grow: 1 }
-
-  #urlbar[breakout][breakout-extend]{
-    display: flex !important;
-    flex-direction: column-reverse;
-    bottom: 0px !important; /* Change to 3-5 px if using compact_urlbar_megabar.css depending on toolbar density */
-    top: auto !important;
-  }
-
-  .urlbarView-body-inner{ border-top-style: none !important; }
-
-  /* Yeah, removes window controls. Likely not wanted on bottom row  */
-  #TabsToolbar > .titlebar-buttonbox-container{ display: none }
-  #toolbar-menubar > .titlebar-buttonbox-container{ order: 1000 }
-
-  /* Fix panels sizing */
-  .panel-viewstack{ max-height: unset !important; }
-
-  /* Fullscreen mode support */
-  :root[sizemode="fullscreen"] #navigator-toolbox{ margin-top: 0 !important }
-  :root[sizemode="fullscreen"] #navigator-toolbox[style*="margin-top"]{ visibility: collapse }
-  #fullscr-toggler{ bottom: 0; top: unset !important; }
-  
-  /* These three rules exist for compatibility with autohide_toolbox.css */
-  #navigator-toolbox{ bottom: 0px; transform-origin: bottom }
-  #main-window > body > box{ margin-top: 0 !important; }
-  #toolbar-menubar{ z-index: 1; background-color: var(--lwt-accent-color,black); }
-  
-  :root[BookmarksToolbarOverlapsBrowser] #navigator-toolbox{
-    margin-block: calc(-1 * var(--bookmarks-toolbar-height)) 0 !important;
-  }
-  :root[BookmarksToolbarOverlapsBrowser] .newTabBrowserPanel{
-    padding-block: 0 var(--bookmarks-toolbar-height) !important;
-  }
-  
-  /**************
-  Menubar options - By default, menubar is overlayed on top of web-content
-  ***************/
-
- /* Uncomment the following if you want static menubar on top of the window (make menubar enabled)
-  * Use when menubar is enabled to always show it */
-  
-  /*
-  #browser,#customization-container{ padding-top: var(--uc-menubar-spacer,28px) }
-  */
-  
-  /* OR, uncomment the following if you want menubar to appear below content, above tabs toolbar */
-  
-  #toolbar-menubar{ position: static; display: flex; margin-top: 0px !important; background-color: transparent }
-
-  /* set to "column-reverse" (without quotes) if you want tabs above menubar with the above option */
-  #titlebar{ flex-direction: column }
-}
--- a/home/work/programs/hyprland/default.nix
+++ b/home/work/programs/hyprland/default.nix
@ -1,19 +1,82 @@
 {pkgs, ...}: {
-  wayland.windowManager.hyprland = let
-    locker = "${pkgs.swaylock}/bin/swaylock";
-    set-dpms = "${pkgs.hyprland}/bin/hyprctl dispatcher dpms";
-    locked-dpms = pkgs.writeShellScript "locked-dpms.sh" ''
-      ${pkgs.swayidle}/bin/swayidle -w \
-        timeout 10 'if pgrep -x swaylock; then ${set-dpms} off; fi' \
-        resume '${set-dpms} on'
-    '';
-    idle-script = pkgs.writeShellScript "idle-lock.sh" ''
-      ${pkgs.swayidle}/bin/swayidle -w \
-        timeout 300 '${locker} -f' \
-        timeout 330 '${set-dpms} off' \
-        resume '${set-dpms} on'
-    '';
-  in {
+  services.hypridle = {
+    enable = true;
+
+    settings = {
+      general = {
+        lock_cmd = "pidof hyprlock || hyprlock";
+      };
+
+      listener = [
+        {
+          timeout = 300;
+          on-timeout = "loginctl lock-session";
+        }
+        {
+          timeout = 330;
+          on-timeout = "hyprctl dispatch dpms off";
+          on-resume = "hyprctl dispatch dpms on";
+        }
+      ];
+    };
+  };
+
+  programs.hyprlock = {
+    enable = true;
+    settings = {
+      background = {
+        monitor = "";
+        path = "screenshot";
+
+        blur_passes = 2;
+        blur_size = 7;
+        noise = 1.17e-2;
+      };
+
+      label = [
+        {
+          monitor = "";
+          text = "$TIME";
+          color = "rgba(242, 243, 244, 0.75)";
+          font_size = 95;
+          position = "0, 300";
+          halign = "center";
+          valign = "center";
+        }
+        {
+          monitor = "";
+          text = ''cmd[update:1000] echo $(date +"%A, %B %d")'';
+          color = "rgba(242, 243, 244, 0.75)";
+          font_size = 22;
+          position = "0, 200";
+          halign = "center";
+          valign = "center";
+        }
+      ];
+
+      input-field = {
+        monitor = "";
+        size = "200,50";
+        outline_thickness = 2;
+        dots_size = 0.2;
+        dots_spacing = 0.35;
+        dots_center = true;
+        outer_color = "rgba(0, 0, 0, 0)";
+        inner_color = "rgba(0, 0, 0, 0.2)";
+        font_color = "rgb(111, 45, 104)";
+        fade_on_empty = false;
+        rounding = -1;
+        check_color = "rgb(30, 107, 204)";
+        placeholder_text = ''<i><span foreground="##cdd6f4">Input Password...</span></i>'';
+        hide_input = false;
+        position = "0, -100";
+        halign = "center";
+        valign = "center";
+      };
+    };
+  };
+
+  wayland.windowManager.hyprland = {
    enable = true;

    settings = {
@ -22,16 +85,12 @@
      exec-once = [
        "${pkgs.waybar}/bin/waybar"
        "${pkgs.mako}/bin/mako"
-        idle-script
-        locked-dpms
      ];

      monitor = [
        "eDP-1,1920x1080,0x0,1.333333" # Laptop screen
        "desc:Dell Inc. DELL P2723DE 79RFH14,2560x1440,1440x0,1"
        "desc:Dell Inc. DELL P2723DE 39RFH14,2560x1440,4000x0,1"
-        # "desc:LG Electronics LG ULTRAWIDE 0x000219F2,2560x1080,1440x0,1" # Primary @home
-        # "desc:Fujitsu Siemens Computers GmbH B22W-6 LED YV3U164923,1680x1050,4000x0,1" # Secondary @home
        ",preferred,auto,1" # Automatically configure everything else
      ];

@ -63,10 +122,12 @@

      decoration = {
        rounding = 5;
-        drop_shadow = true;
-        shadow_range = 4;
-        shadow_render_power = 3;
-        "col.shadow" = "rgba(1a1a1aee)";
+        shadow = {
+          enabled = true;
+          range = 4;
+          render_power = 3;
+          color = "rgba(1a1a1aee)";
+        };

        blur = {
          enabled = true;
@ -95,7 +156,7 @@
          "$mod, return, exec, ${pkgs.alacritty}/bin/alacritty"
          "$mod, D, exec, ${pkgs.rofi-wayland}/bin/rofi -show drun"
          "$mod SHIFT, Q, killactive, "
-          "$mod, L, exec, ${locker}"
+          "$mod, L, exec, loginctl lock-session"
          "$mod, V, togglefloating, "
          "$mod, F, fullscreen, 1"
          "$mod, P, pseudo, # dwindle"
@ -122,10 +183,6 @@
        "$mod, mouse:273, resizewindow"
      ];

-      bindl = [
-        "$mod SHIFT, L, exec, ${locker}"
-      ];
-
      windowrulev2 = [
        # KeePassXC
        "float,class:(org.keepassxc.KeePassXC)"
--- a/home/work/programs/nvim/default.nix
+++ b/home/work/programs/nvim/default.nix
@ -0,0 +1,357 @@
+{pkgs, ...}: {
+  programs.neovim = {
+    enable = false;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+    vimdiffAlias = true;
+    withRuby = false;
+    withPython3 = false;
+
+    plugins = with pkgs.vimPlugins; [
+      vim-commentary
+      plenary-nvim
+      cmp-nvim-lsp
+      cmp-buffer
+      cmp-path
+      nvim-web-devicons
+      lsp_extensions-nvim
+      lsp_signature-nvim
+      telescope-nvim
+      onedark-nvim
+      {
+        plugin = fidget-nvim;
+        type = "lua";
+        config =
+          /*
+          lua
+          */
+          ''
+            require('fidget').setup {}
+          '';
+      }
+      {
+        plugin = symbols-outline-nvim;
+        type = "lua";
+        config =
+          /*
+          lua
+          */
+          ''
+            require('symbols-outline').setup()
+          '';
+      }
+      {
+        plugin = nvim-treesitter.withAllGrammars;
+        type = "lua";
+        config =
+          /*
+          lua
+          */
+          ''
+            require('nvim-treesitter.configs').setup {
+              highlight = {
+                enable = true, -- false will disable the whole extension
+              },
+              incremental_selection = {
+                enable = false,
+                keymaps = {
+                  init_selection = 'gnn',
+                  node_incremental = 'grn',
+                  scope_incremental = 'grc',
+                  node_decremental = 'grm',
+                },
+              },
+              indent = {
+                enable = true,
+              }
+            }
+          '';
+      }
+      {
+        plugin = nvim-tree-lua;
+        type = "lua";
+        config =
+          /*
+          lua
+          */
+          ''
+            local function my_on_attach(bufnr)
+              local api = require "nvim-tree.api"
+
+              local function opts(desc)
+                return { desc = "nvim-tree: " .. desc, buffer = bufnr, noremap = true, silent = true, nowait = true }
+              end
+
+              -- default mappings
+              api.config.mappings.default_on_attach(bufnr)
+
+              -- custom mappings
+              vim.keymap.set('n', '?',  api.tree.toggle_help,     opts('Help'))
+              vim.keymap.set('n', 's',  api.node.open.horizontal, opts('Paste File'))
+              vim.keymap.set('n', 'ma', api.fs.create,            opts('New File'))
+              vim.keymap.set('n', 'md', api.fs.remove,            opts('Delete File'))
+              vim.keymap.set('n', 'me', api.fs.rename_node,       opts('Rename File'))
+              vim.keymap.set('n', 'yy', api.fs.copy.node,         opts('Copy File'))
+              vim.keymap.set('n', 'mp', api.fs.paste,             opts('Paste File'))
+            end
+
+            require("nvim-tree").setup {
+              on_attach = my_on_attach,
+            }
+          '';
+      }
+      {
+        plugin = nvim-cmp;
+        type = "lua";
+        config =
+          /*
+          lua
+          */
+          ''
+            -- local luasnip = require 'luasnip'
+            local cmp = require 'cmp'
+
+            cmp.setup {
+              -- snippet = {
+              --   expand = function(args)
+              --     require('luasnip').lsp_expand(args.body)
+              --   end,
+              -- },
+              window = {
+                -- documentation = true,
+              },
+              mapping = cmp.mapping.preset.insert({
+                ['<C-p>'] = cmp.mapping.select_prev_item(),
+                ['<C-n>'] = cmp.mapping.select_next_item(),
+                ['<C-d>'] = cmp.mapping.scroll_docs(-4),
+                ['<C-f>'] = cmp.mapping.scroll_docs(4),
+                ['<C-Space>'] = cmp.mapping.complete(),
+                ['<C-e>'] = cmp.mapping.close(),
+                ['<CR>'] = cmp.mapping.confirm {
+                  behavior = cmp.ConfirmBehavior.Replace,
+                  select = true,
+                },
+                ['<Tab>'] = function(fallback)
+                  if cmp.visible() then
+                    cmp.select_next_item()
+                  else
+                    fallback()
+                  end
+                end,
+                ['<S-Tab>'] = function(fallback)
+                  if cmp.visible() then
+                    cmp.select_prev_item()
+                  else
+                    fallback()
+                  end
+                end,
+              }),
+              sources = {
+                { name = 'nvim_lsp' },
+                -- { name = 'luasnip' },
+                { name = 'buffer' },
+                { name = 'path' },
+                -- { name = 'latex_symbols' },
+              },
+            }
+          '';
+      }
+      {
+        plugin = nvim-lspconfig;
+        type = "lua";
+        config =
+          /*
+          lua
+          */
+          ''
+            function hi(name, opts)
+              local options = ""
+              for k, v in pairs(opts) do
+                  options = options.." "..k.."="..v
+              end
+              vim.cmd("highlight "..name..options)
+            end
+
+            local u = require('utils')
+            local lspc = require('lspconfig')
+            local ih = require("inlay-hints")
+            ih.setup()
+
+
+            local on_attach = function(client, bufnr)
+              local function buf_set_keymap(...) vim.api.nvim_buf_set_keymap(bufnr, ...) end
+              local function buf_set_option(...) vim.api.nvim_buf_set_option(bufnr, ...) end
+
+              buf_set_option('omnifunc', 'v:lua.vim.lsp.omnifunc')
+
+              local opts = { noremap=true, silent=true }
+
+              buf_set_keymap('n', '<c-]>', ':lua vim.lsp.buf.definition()<CR>',           opts)
+              buf_set_keymap('n', 'K',     ':lua vim.lsp.buf.hover()<CR>',                opts)
+              buf_set_keymap('n', 'gD',    ':lua vim.lsp.buf.implementation()<CR>',       opts)
+              buf_set_keymap('n', '<c-k>', ':lua vim.lsp.buf.signature_help()<CR>',       opts)
+              buf_set_keymap('n', '1gD',   ':lua vim.lsp.buf.type_definition()<CR>',      opts)
+              buf_set_keymap('n', 'gr',    ':lua vim.lsp.buf.references()<CR>',           opts)
+              buf_set_keymap('n', 'g0',    ':lua vim.lsp.buf.document_symbol()<CR>',      opts)
+              buf_set_keymap('n', 'gW',    ':lua vim.lsp.buf.workspace_symbol()<CR>',     opts)
+              buf_set_keymap('n', 'gd',    ':lua vim.lsp.buf.definition()<CR>',           opts)
+              buf_set_keymap('n', 'ga',    ':lua vim.lsp.buf.code_action()<CR>',          opts)
+              buf_set_keymap('n', 'ff',    ':lua vim.lsp.buf.format({async = true})<CR>', opts)
+              buf_set_keymap('n', 'gn',    '<cmd>lua vim.lsp.buf.rename()<CR>',           opts)
+
+              --require'completion'.on_attach(client)
+
+              -- Set highlight colors
+              local highlights = {
+                Error = "Red",
+                Warning = "Yellow",
+                Information = "Blue",
+                Hint = "Green",
+              }
+
+              for typ, color in pairs(highlights) do
+                hi('LspDiagnosticsDefault'..typ, {ctermfg = color})
+                hi('LspDiagnosticsUnderline'..typ, {cterm = 'underline'})
+              end
+
+              vim.lsp.handlers['textDocument/publishDiagnostics'] = vim.lsp.with(
+                vim.lsp.diagnostic.on_publish_diagnostics,
+                {
+                  virtual_text = true,
+                  signs = true,
+                  update_in_insert = true,
+                  underline = true
+                }
+              )
+              require "lsp_signature".on_attach({doc_lines = 0})
+              ih.on_attach(client, bufnr)
+            end
+
+            -- nvim-cmp supports additional completion capabilities
+            local capabilities = vim.lsp.protocol.make_client_capabilities()
+            capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)
+
+
+            local config = {
+              on_attach = on_attach,
+              capabilities = capabilities,
+              flags = {debounce_text_changes = 150}
+            }
+
+            lspc.bashls.setup(config)
+            lspc.nixd.setup(config)
+            lspc.solargraph.setup(config)
+
+            lspc.rust_analyzer.setup{
+              on_attach = on_attach,
+              capabilities = capabilities,
+              flags = {debounce_text_changes = 150},
+              settings = {
+                ['rust-analyzer'] = {
+                   assist = {
+                     importGranularity = "module",
+                     importPrefix = "by_self",
+                   },
+                   cargo = {
+                     loadOutDirsFromCheck = true
+                   },
+                   procMacro = {
+                     enable = true
+                   },
+                   checkOnSave = {
+                     command = "clippy"
+                   },
+                }
+              }
+            }
+
+            -- Set completeopt to have a better completion experience
+            vim.o.completeopt = 'menuone,noselect'
+          '';
+      }
+    ];
+
+    extraLuaConfig =
+      /*
+      lua
+      */
+      ''
+        local onedark = require('onedark')
+        onedark.setup { style = 'warmer' }
+        onedark.load()
+        vim.cmd('set background=dark')
+
+        local llc = require('lualine').get_config()
+        llc.options.theme = 'onedark'
+        require('lualine').setup(llc)
+
+        local key = vim.api.nvim_set_keymap
+        local o = vim.o
+        local wo = vim.wo
+        local bo = vim.bo
+        local cmd = vim.cmd
+
+        vim.cmd([[autocmd CursorHold * lua vim.diagnostic.open_float({focusable = false})]])
+
+        key('n', ';', ':Telescope find_files<CR>', {})
+        key('n', '<C-n>', ':NvimTreeToggle<CR>', {})
+        key('n', 'gh', '/<c-r>=expand("<cword>")<CR><CR>N', {})
+
+        key('i', '<TAB>', 'pumvisible() ? "<C-n>" : "<Tab>"', { expr = true, silent = true })
+        key('i', '<S-TAB>', 'pumvisible() ? "<C-p>" : "<S-Tab>"', { expr = true, silent = true })
+        key('n', '<leader>g', ':lua require"telescope.builtin".live_grep{}<CR>', {})
+        key('v', '<leader>c', ':w !wl-copy<CR><CR>', { silent = true })
+
+        vim.api.nvim_exec(
+          [[
+          augroup YankHighlight
+            autocmd!
+            autocmd TextYankPost * silent! lua vim.highlight.on_yank()
+          augroup end
+        ]] ,
+          false
+        )
+
+        vim.api.nvim_create_autocmd("BufEnter", {
+          nested = true,
+          callback = function()
+            if #vim.api.nvim_list_wins() == 1 and vim.api.nvim_buf_get_name(0):match("NvimTree_") ~= nil then
+              vim.cmd 'quit'
+            end
+          end
+        })
+
+        cmd('syntax on')
+        cmd('set number')
+        cmd('set completeopt=menuone,noinsert,noselect')
+        cmd('set shortmess+=c')
+        cmd("autocmd CursorHold,CursorHoldI *.rs :lua require'lsp_extensions'.inlay_hints{ only_current_line = true }")
+
+        o.startofline = true
+        wo.cursorline = true
+
+        o.updatetime = 300
+        wo.signcolumn='yes'
+        o.showcmd = true
+
+        o.shell = 'bash'
+        o.mouse = 'a'
+
+        o.smarttab = true
+        bo.tabstop = 2
+        bo.shiftwidth = 2
+        bo.expandtab = true
+
+        wo.relativenumber = true
+        o.hidden = true
+
+      '';
+
+    extraPackages = with pkgs; [
+      shfmt
+      nixd
+      nodePackages.bash-language-server
+    ];
+  };
+}
--- a/home/work/programs/tmate/.tmate.conf
+++ b/home/work/programs/tmate/.tmate.conf
@ -1,8 +1,10 @@
 set -g history-limit 50000
-set -g default-terminal "screen-256color"
 set -g mouse on
 set -sg escape-time 50

+set -g default-terminal "xterm-256color"
+set -as terminal-overrides ",xterm-*:Tc"
+
 unbind C-b
 set-option -g prefix C-a
 bind-key C-a send-prefix
--- a/nixos/celestia/configuration.nix
+++ b/nixos/celestia/configuration.nix
@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  mypkgs,
  ...
 }: let
  makeVirtualHost = {
@ -35,6 +36,11 @@ in {
  sops.secrets."tailscale-auth-key" = {};
  sops.secrets."act-runner-token" = {};
  sops.secrets."photoprism-password-file" = {};
+  sops.secrets."restic_ssh_key" = {};
+  sops.secrets."restic_documents_repository_password" = {};
+  sops.secrets."restic_images_repository_password" = {};
+  sops.secrets."protonvpn_wg_private_key" = {};
+  sops.secrets."telegraf_api_token" = {};

  imports = [
    ./hardware-configuration.nix
@ -49,6 +55,14 @@ in {
  ];
  boot.kernelModules = ["amd-pstate"];

+  # *arr services are not yet all updated to .NET 8
+  nixpkgs.config.permittedInsecurePackages = [
+    "aspnetcore-runtime-6.0.36"
+    "aspnetcore-runtime-wrapped-6.0.36"
+    "dotnet-sdk-6.0.428"
+    "dotnet-sdk-wrapped-6.0.428"
+  ];
+
  system.stateVersion = "23.11"; # Did you read the comment?
  networking = {
    hostName = "celestia";
@ -65,7 +79,7 @@ in {

    firewall = {
      enable = true;
-      allowedTCPPorts = [22 111 443 2049 4000 4001 4002 20048];
+      allowedTCPPorts = [22 111 443 2049 4000 4001 4002 9999 20048];
      allowedUDPPorts = [53 111 2049 4000 4001 4002 20048];
    };
  };
@ -81,6 +95,10 @@ in {
    zfs
    lm_sensors
    ffmpeg
+    rtl_433
+    dump1090
+    rtl-sdr
+    mypkgs.nixvim
  ];

  users.users."root".openssh.authorizedKeys.keys = [
@ -161,8 +179,10 @@ in {
    samba = {
      enable = true;
      openFirewall = true;
-      extraConfig = "map to guest = bad user";
-      shares = {
+      settings = {
+        global = {
+          "map to guest" = "bad user";
+        };
        dump = {
          path = "/tank/dump";
          browsable = "yes";
@ -182,6 +202,15 @@ in {
          # "force create mode" = "0666";
          # "force directory mode" = "0777";
        };
+        all = {
+          path = "/tank";
+          browsable = "yes";
+          public = "yes";
+          "guest only" = "yes";
+          writable = "no";
+          # "force create mode" = "0666";
+          # "force directory mode" = "0777";
+        };
      };
    };

@ -189,63 +218,144 @@ in {
      autoScrub.enable = true;
    };

-    gitea-actions-runner.instances = {
-      runner1 = {
+    restic = let
+      mkBackup = repo: paths: exclude: pruneOpts: {
+        repository = "sftp:u169497-sub5@u169497.your-storagebox.de:${repo}";
+        passwordFile = config.sops.secrets."restic_${repo}_repository_password".path;
+        initialize = true;
+        extraOptions = [
+          "sftp.command='ssh -p23 u169497-sub5@u169497.your-storagebox.de -i ${config.sops.secrets."restic_ssh_key".path} -s sftp'"
+        ];
+        paths = paths;
+        exclude = exclude;
+        pruneOpts = pruneOpts;
+        timerConfig = {
+          OnCalendar = "00:05";
+          RandomizedDelaySec = "1h";
+        };
+      };
+    in {
+      backups = {
+        documents = mkBackup "documents" ["/tank/documents"] [] ["-d 7" "-w 5" "-m 12"];
+        images = mkBackup "images" ["/tank/images"] ["/tank/images/import"] ["-d 7" "-w 5" "-m 12"];
+      };
+    };
+
+    prometheus.exporters = {
+      zfs.enable = true;
+      smartctl = {
        enable = true;
-        name = "celestia";
-        url = "https://git.fuckwit.dev";
-        tokenFile = config.sops.secrets."act-runner-token".path;
-        labels = [
-          "native:host"
-        ];
-        hostPackages = with pkgs; [
-          bash
-          coreutils
-          curl
-          wget
-          gnused
-          gitMinimal
-        ];
+        devices =
+          [
+            "/dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S1ATNSAF213446M"
+          ]
+          ++ disks;
+      };
+      systemd.enable = true;
+      node.enable = true;
+    };
+
+    telegraf = {
+      enable = true;
+      environmentFiles = [config.sops.secrets."telegraf_api_token".path];
+      extraConfig = {
+        inputs = {
+          influxdb_v2_listener = {
+            service_address = "127.0.0.1:9998";
+          };
+
+          prometheus = {
+            urls = [
+              "http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.zfs.port}"
+              "http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.smartctl.port}"
+              "http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.systemd.port}"
+              "http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.node.port}"
+            ];
+          };
+        };
+        outputs = {
+          influxdb_v2 = {
+            urls = ["https://influx.fuckwit.dev"];
+            token = "\${TELEGRAF_API_TOKEN}";
+            organization = "fuckwit.dev";
+            bucket = "world";
+            timeout = "60s";
+          };
+        };
      };
    };

    nginx = {
      enable = true;
      clientMaxBodySize = "500m";
-      virtualHosts = makeVirtualHosts [
+      virtualHosts =
+        # Tasmota devices check /health of the influxdb2 server.
+        # Telegraf does not provide this endpoint so we fake it via nginx
+        # https://github.com/influxdata/telegraf/issues/16321
        {
-          subdomain = "jdownloader";
-          port = 8000;
+          "influxdb-proxy.fuckwit.dev" = {
+            listen = [
+              {
+                port = 9999;
+                addr = "0.0.0.0";
+              }
+            ];
+            locations = {
+              "/health".return = "200 ''";
+              "/".proxyPass = "http://127.0.0.1:9998";
+            };
+          };
        }
-        {
-          subdomain = "jellyfin";
-          port = 8096;
-        }
-        {
-          subdomain = "sonarr";
-          port = 8989;
-        }
-        {
-          subdomain = "radarr";
-          port = 7878;
-        }
-        {
-          subdomain = "lidarr";
-          port = 8686;
-        }
-        {
-          subdomain = "paperless";
-          port = 28981;
-        }
-        {
-          subdomain = "homepage";
-          port = 8082;
-        }
-        {
-          subdomain = "photoprism";
-          port = 2342;
-        }
-      ];
+        // makeVirtualHosts [
+          {
+            subdomain = "jdownloader";
+            port = 5800;
+          }
+          {
+            subdomain = "jellyfin";
+            port = 8096;
+          }
+          {
+            subdomain = "sonarr";
+            port = 8989;
+          }
+          {
+            subdomain = "radarr";
+            port = 7878;
+          }
+          {
+            subdomain = "lidarr";
+            port = 8686;
+          }
+          {
+            subdomain = "prowlarr";
+            port = 9696;
+          }
+          {
+            subdomain = "paperless";
+            port = 28981;
+          }
+          {
+            subdomain = "homepage";
+            port = 8082;
+          }
+          {
+            subdomain = "photoprism";
+            port = 2342;
+          }
+          {
+            subdomain = "immich";
+            port = 2283;
+          }
+          {
+            subdomain = "qbittorrent";
+            port = 8080;
+          }
+          {
+            subdomain = "shimmie";
+            port = 8000;
+          }
+        ];
    };

    paperless = {
@ -287,6 +397,8 @@ in {
      dataDir = "/var/lib/sonarr";
    };

+    prowlarr.enable = true;
+
    jellyfin.enable = true;

    photoprism = {
@ -297,9 +409,18 @@ in {
      settings = {
        PHOTOPRISM_ADMIN_USER = "root";
        PHOTOPRISM_DEFAULT_LOCALE = "de";
+        PHOTOPRISM_DETECT_NSFW = "true";
+        PHOTOPRISM_UPLOAD_NSFW = "true";
      };
    };

+    immich = {
+      enable = true;
+      host = "127.0.0.1";
+      mediaLocation = "/tank/images/immich";
+      settings.server.externalDomain = "https://immich.fuckwit.dev";
+    };
+
    homepage-dashboard = {
      enable = true;

@ -397,6 +518,8 @@ in {
  };

  hardware = {
+    rtl-sdr.enable = true;
+
    fancontrol = {
      enable = true;
      config = ''
@ -424,15 +547,75 @@ in {
      backend = "podman";

      containers = {
+        shimmie = {
+          image = "docker.io/shish2k/shimmie2:latest";
+          volumes = ["/tank/dump/shimmie:/app/data"];
+          ports = ["127.0.0.1:8000:8000"];
+        };
+
        jdownloader = {
          image = "docker.io/jlesage/jdownloader-2:latest";
          autoStart = true;
-          ports = ["0.0.0.0:8000:5800"];
+          networks = ["container:gluetun"];
+          dependsOn = ["gluetun"];
          volumes = [
            "jdownloader_config:/config"
            "/tank/dump:/output"
          ];
        };
+
+        gluetun = {
+          image = "docker.io/qmcgaw/gluetun";
+          autoStart = true;
+          environment = {
+            VPN_SERVICE_PROVIDER = "protonvpn";
+            VPN_TYPE = "wireguard";
+            VPN_PORT_FORWARDING = "on";
+            SERVER_COUNTRIES = "Switzerland";
+            PORT_FORWARD_ONLY = "on";
+            VPN_PORT_FORWARDING_UP_COMMAND = ''
+              /bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORTS}}}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
+            '';
+          };
+          environmentFiles = [
+            config.sops.secrets."protonvpn_wg_private_key".path
+          ];
+          capabilities = {
+            NET_ADMIN = true;
+          };
+          devices = ["/dev/net/tun"];
+          ports = [
+            "127.0.0.1:8080:8080"
+            "127.0.0.1:5800:5800"
+            "127.0.0.1:8123:8123"
+          ];
+        };
+
+        qbittorrent = {
+          image = "lscr.io/linuxserver/qbittorrent:latest";
+          autoStart = true;
+          networks = ["container:gluetun"];
+          environment = {
+            WEBUI_PORT = "8080";
+          };
+          dependsOn = ["gluetun"];
+          volumes = [
+            "/var/lib/qbittorrent:/config"
+            "/tank/dump/torrent:/downloads"
+          ];
+        };
+
+        # qbittorrent-exporter = {
+        #   image = "docker.io/esanchezm/prometheus-qbittorrent-exporter";
+        #   autoStart = true;
+        #   networks = ["container:gluetun"];
+        #   dependsOn = ["qbittorrent"];
+        #   environment = {
+        #     QBITTORRENT_PORT = "8080";
+        #     QBITTORRENT_HOST = "127.0.0.1";
+        #     EXPORTER_PORT = "8123";
+        #   };
+        # };
      };
    };
  };
@ -450,6 +633,7 @@ in {

      script = ''
        while read -r evt file; do
+          printf "handling $evt for $file"
          ${pkgs.coreutils}/bin/chown ${user}:${group} "$file"
          ${pkgs.coreutils}/bin/chmod 775 "$file"
        done < <(${pkgs.inotify-tools}/bin/inotifywait -e create,move -m -r --format '%e %w%f' ${path})
@ -460,6 +644,10 @@ in {
      StateDirectory = "dnscrypt-proxy";
    };

+    podman-qbittorrent.serviceConfig = {
+      StateDirectory = "qbittorrent";
+    };
+
    ensure-radarr-perms = ensure-perms "/tank/video/movie" "radarr" "nas";
    ensure-sonarr-perms = ensure-perms "/tank/video/series" "sonarr" "nas";
    ensure-lidarr-perms = ensure-perms "/tank/audio" "lidarr" "nas";
--- a/nixos/celestia/hardware-configuration.nix
+++ b/nixos/celestia/hardware-configuration.nix
@ -21,7 +21,6 @@
    forceImportRoot = false;
    extraPools = ["tank"];
  };
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/3652c231-d679-42dd-80f1-e9afccb4ca13";
@ -34,6 +33,7 @@
      allowDiscards = true;
      keyFileSize = 4096;
      keyFile = "/dev/disk/by-id/usb-Generic_Flash_Disk_D5A325A0-0:0";
+      tryEmptyPassphrase = true;
    };
  };

--- a/nixos/celestia/secrets.yaml
+++ b/nixos/celestia/secrets.yaml
@ -2,6 +2,11 @@ acme.env: ENC[AES256_GCM,data:VgSJO2Q32csfN0DEH6kTsaN0z/hRa0fRHLUleju+gqBPjoQmZG
 tailscale-auth-key: ENC[AES256_GCM,data:Rvq2wL9civCoH6acKk3lYIXbVAME+kUmeuQYOTl+rvdb5bFoI5i688qI58ceF47PGKi1jeXe46SkJGJe0iY=,iv:b0kavSFEG40Jxa3yAjttarN5N3nOLEbZYqP3LOXvBrU=,tag:cpgYzoX9L6+1IHnmjfZfQg==,type:str]
 act-runner-token: ENC[AES256_GCM,data:vNYCpt96yFeEUERCXYlk5p1NbVrQOBps7jEUI+4aXonxTDTDfyPZF8tjCjERfg==,iv:hMUz99UdHlXwhTGKr4QlrvkDTfy+jVCSOQlQEENTDI8=,tag:buvPFy10R0BKu4tQBMJhEg==,type:str]
 photoprism-password-file: ENC[AES256_GCM,data:a0fqrjRDc2M=,iv:H/kLPIJsti8QsOJjwPGFSELD4LHb8u8dIkq8pd7W61E=,tag:xp/vpqE/n+alm17d9eIRcA==,type:str]
+restic_ssh_key: ENC[AES256_GCM,data:NK7WXhnnueZ6kVZJnjShZ/QaNXINrJ6+youN3EPBmNjiLBTJHFg4LVR3MCU1GaK2HJpbz3qEJa/kto9LPONRR0F6LO6/7U17O0fdzF7Ca7u4xHI7uKBE6x9/dhd5MHJ2yQpEUwJnTB6i/++OcbSfTJmp062jTgWxdarngt6skx0m5JIlu6lhLKyFzGa+cBIesFItredQ2SJroUC4rK3CiQLutuaBlhw90wys3T2uTtRRgzQ08AF90+JY5jqflZposQPT0ox+xEegOyZ4UJxX2WToxD998N7/eETxo2E94zL/5f2mGoubDxwPTZp8cPX+1g85tFjhn361OSgHBwgRRT3rs/js1xZkQQO2McKPyGZVHOzQ0GSrpvxiSiUZk8/49eynEkWUsY2YXQxvl3/s6r/Toh9Wbr9mo3X67A2phTx1beEnU8XMwWS/5ZnqtFNHvxC6tfkAIwblNvCc9mTigSYhOji9TBpcZNOCumY/MYzGSCzxSFXcOnsKZKjxdE3ByHFKcMvJ+uiaav000MbdplOOsYLCSpdQAAZH,iv:JFcu2GO8k7awfB8RV17tcFj5KhXmUxnzjnoEdmMaqxc=,tag:awy4njmuS/l5CCFqWdsy3A==,type:str]
+restic_documents_repository_password: ENC[AES256_GCM,data:rcQ5PsvJW2i3e2v1FqbqCOoqiblqFDsqRifzY6YxIKZTNSNrRPgqUduqei/0aSGJTNG+zYS4YRCooCZ/E7mYFg==,iv:IO6OGY+Dfai0Hl/NWT7bqqhTkfhXlUqqnJyQjm87fSw=,tag:K3D112tm+kC5OpEF2t+oZQ==,type:str]
+restic_images_repository_password: ENC[AES256_GCM,data:yNWUqZ9ddkfD15mO7NocUYwqNWPaTHXfLkMNq7yy5xgSG4I3G01mFTt5qCPbZ0n+Y6DFlhDQBLAC5SwOvVNggA==,iv:LqA7TG9TS7eyHZ/xqF+L1w5imPdogQGH0DyokaQj4Bc=,tag:1OLRp7VO8Lfy1nQcUr3OWA==,type:str]
+protonvpn_wg_private_key: ENC[AES256_GCM,data:cm4ytBg2lMDDppx50JxmEX8lC+x5bessRmIk60iSuYYCtb7DTlkcwROivz7oG/x1DXjvxjLPW9Y5wEE3GxXD8xo1,iv:B6TeBVC0d6S3XNhv7nSiuVI7nr3M1LeqYMuv0AxvG2c=,tag:RvhSLKRv1FDNntHFvtrelw==,type:str]
+telegraf_api_token: ENC[AES256_GCM,data:pCNHkdKlBhYW+IJuvdLgAsk2oXVIowvCVwy2uvJIJQ8DdtRgYgR4JIMcz4l8u+yTPyRPGSqdXnkojNeB9O7T8FM25lklrcRfeKL3ofSY8RJ1FiovcEGYjESi/A7sgrETFMD2QIO0kmZ+3qM=,iv:PKm2hp6+aInR2+AglHImjxIPBFU0FRjpMklranVgjiM=,tag:T/88jJJjkgYxisKZtZAyQg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -17,8 +22,8 @@ sops:
            K0RaVVNSczZBcDNtaXhGem5iQnlVTDAK+XogkPQD2xYQ7sW8DwAXaaLA/ftw6vZM
            wsNs0uun9dgGjZIXcU6AIsrJeUiWBl5zgc6CCd/ad/3QxpmKj1p9Mg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-26T08:34:59Z"
-    mac: ENC[AES256_GCM,data:bqt8+j+t4p2T6+y3+GkeZB2DsHpf9ugBNBnnR1+m9nyKRsS1bR7divl0GZyndlmPMEzOxGJSeHjDhTwrQ/w6szmmHFuUEpogkiJUxzZM9UUa/k4zBQlgVliQM/uuAvYEQJgWVwBJgkIEHsn/F3QGFPCOY/9N9epkhqr1BgfkMQo=,iv:3DhlnJQ70blHqK+n1DrV8FdjUj6qDQ7L8t/r7tOkEQY=,tag:exY8TN8XIuLvoRDhEHDWTQ==,type:str]
+    lastmodified: "2025-03-29T14:12:23Z"
+    mac: ENC[AES256_GCM,data:5og1eH8IKVj0UHPgv1qVyC+VgjL1uf7uuJR3w0Y8qqAwNjhyifCTLVRxIg+3EPKQH+w5H0uIovmnlPdRCdwDbkysBkFL6xAlDszouEDX5F+S5ZOZkpONSieeCNG+obVO1PLstLffb+Rh2OR4hhi0xH6D8ryH0yqe7o0tZROBaqo=,iv:Tw6EC4pZcrF4k2H89ZVKlDPT40x02cOrNVH6e57bIGU=,tag:luYMemQCAjHu9D9JgfvpCw==,type:str]
    pgp:
        - created_at: "2024-01-25T08:00:56Z"
          enc: |-
@ -33,4 +38,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.4
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@ -1,11 +1,10 @@
 {
  self,
  nixpkgs,
-  nixpkgs-stable,
  sops-nix,
-  home-manager,
  lanzaboote,
  simple-nixos-mailserver,
+  nixvim,
  inputs,
  ...
 }: let
@ -52,7 +51,7 @@
  }:
    np.lib.nixosSystem {
      inherit system;
-      specialArgs = {mypkgs = customPkgs."${system}";};
+      specialArgs = {mypkgs = customPkgs."${system}" // { nixvim = nixvim.packages.${system}.default;};};
      modules =
        defaultModules
        ++ [
@ -92,7 +91,7 @@ in {
    np = nixpkgs;
    system = "x86_64-linux";
    ip = "192.168.1.11";
-    # remoteBuild = false;
+    remoteBuild = false;
    file = ./celestia/configuration.nix;
  };

--- a/nixos/framework/configuration.nix
+++ b/nixos/framework/configuration.nix
@ -6,6 +6,8 @@
  ...
 }: {
  imports = [./hardware-configuration.nix];
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets."tailscale-auth-key" = {};

  boot.bootspec.enable = true;
  boot.loader.systemd-boot.enable = lib.mkForce false;
@ -14,7 +16,6 @@
    pkiBundle = "/etc/secureboot";
  };
  boot.loader.efi.canTouchEfiVariables = true;
-  boot.kernelPackages = pkgs.linuxPackages_6_9;

  nixpkgs.config.allowUnfree = true;

@ -33,21 +34,26 @@
    extraPackages = [pkgs.vaapiVdpau];
  };

+  hardware.rtl-sdr.enable = true;
+
  hardware.bluetooth.enable = true;

  security.pam.services.swaylock = {};
+  security.pam.services.hyprlock = {};

  fonts.packages = with pkgs; [
    font-awesome
-    (nerdfonts.override {fonts = ["FiraMono"];})
+    nerd-fonts.fira-mono
    mypkgs.comic-mono
  ];

  services = {
    illum.enable = true;
    fwupd.enable = true;
-    fprintd.enable = false; # currently broken
+    fprintd.enable = true; # currently broken
    pcscd.enable = true;
+    udisks2.enable = true;
+
    tlp = {
      enable = true;
      settings = {
@ -97,6 +103,14 @@
      lidSwitchExternalPower = "ignore";
      extraConfig = "HoldoffTimeoutSec=300s";
    };
+
+    tailscale = {
+      enable = true;
+      extraUpFlags = [
+        "--accept-routes=true"
+      ];
+      authKeyFile = config.sops.secrets."tailscale-auth-key".path;
+    };
  };

  services.pipewire = {
@ -111,7 +125,7 @@

  users.users.patrick = {
    isNormalUser = true;
-    extraGroups = ["wheel"];
+    extraGroups = ["wheel" "plugdev"];
  };

  environment.systemPackages = with pkgs; [
--- a/nixos/framework/secrets.yaml
+++ b/nixos/framework/secrets.yaml
@ -0,0 +1,33 @@
+tailscale-auth-key: ENC[AES256_GCM,data:jReYmVBmruNXXOlB9ep1Vx84XSKA8JAPReuxXglPMNDCUOIaX2S7zPuxAJp4KYhE91CnCNzprW/rdGejMw==,iv:251dyqcTqRh6N/lM07spgcyBnsxvwTdhKXdM45hepTc=,tag:/JqRTN80TJmA3H06Efbx8A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18kc63lpfutqlw505fkqagumqup6dtpudajeaheueuaf0frjpdc3suz49qk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQ29IUmRFcjNXNFRVZDh5
+            ZGE0YUJxYmFITHJ1N1RtVkNHbnpBYS9IM0g0CmFWak94ZE9BR2x2cHhrTkxxVWVn
+            czlRNUJoSm5FUVVPQVdXMnp6V1dMRjAKLS0tIFNUWVNCMEhjbEpjUXhRS05QTFpL
+            bk1raG5pVE10ZEh1RXdYUXY0ZkVkUW8K5JWNqbd6k6slfOR9xfc6a58tdouElwlX
+            w4MzIE7dUlqYux4MxbTzXhnX/A3D2oXg60Ya5rKqakgnAYvWlNwwAw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-25T15:49:24Z"
+    mac: ENC[AES256_GCM,data:GQcgu7CWkUPrcsYlSK8rbnZIu3Ph/q5ohEt2F46Q5afEh2j0aQQfdlO7suFUmO93qoQ4Z4qo6HmSsqajR5QTMvWMjERSdAYh8WiX64zgnxzYD32GCLjvtp3NSraIHy5RsnX/+4vNDsGVq1pJIEr6McWuvxuuZ3cT2JbHiui8cGI=,iv:GkHo9aM6JXM1+kY42au7Rm3fJrqOnncKLxLC52JrVUw=,tag:7Ua+LTsfihrr+qcVhKvJPA==,type:str]
+    pgp:
+        - created_at: "2024-11-25T15:46:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DMGJRmcuHhnsSAQdAIUNST8klTbwju58Y6yBe8tZtn0yK4hCrocSfV5qAOz8w
+            eDZyWmShWVeAMIksZPJthyq2GmExd6S+BPjgn6sLmeaDBHzUsLV2lexpGSTif6MW
+            1GgBCQIQVijI8dBnboVzsQHN1Yaj9Ntfb++u29TBmYiXLm455jsr/Aqwp8I9ZM0P
+            tMPkxT6kHebICXpsbZvkSxv3kaPK1+TBGZkk8VEZxZZBl7NpvCAKufOiCHU/sH8I
+            UOJGtqbpiWwqJQ==
+            =qjQD
+            -----END PGP MESSAGE-----
+          fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/nixos/laptop/configuration.nix
+++ b/nixos/laptop/configuration.nix
@ -17,7 +17,7 @@
      preLVM = true;
    };
  };
-  boot.kernelPackages = pkgs.linuxPackages_6_10;
+  boot.kernelPackages = pkgs.linuxPackages_6_6;

  i18n.defaultLocale = "en_US.UTF-8";
  time.timeZone = "Europe/Berlin";
@ -135,7 +135,7 @@

  fonts.packages = with pkgs; [
    font-awesome
-    (nerdfonts.override {fonts = ["FiraMono"];})
+    nerd-fonts.fira-mono
    mypkgs.comic-mono
  ];

--- a/nixos/primordial/configuration.nix
+++ b/nixos/primordial/configuration.nix
@ -1,17 +1,45 @@
 {
  config,
  pkgs,
+  lib,
  ...
 }: let
+  makeVirtualHost = {
+    subdomain,
+    port,
+  }: {
+    name = "${subdomain}.fuckwit.dev";
+    value = {
+      forceSSL = true;
+      useACMEHost = "fuckwit.dev";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  makeVirtualHosts = sites: builtins.listToAttrs (builtins.map makeVirtualHost sites);
+
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
+  secretFile = name: config.sops.secrets.${name}.path;
 in {
  sops.defaultSopsFile = ./secrets.yaml;
-  sops.secrets."gitea.env" = {};
-  sops.secrets."keycloak_db_pw" = {};
+  sops.secrets."acme.env" = {};
+  sops.secrets."restic_mail_repository_password" = {};
+  sops.secrets."restic_ssh_key" = {};
+  sops.secrets."act-runner-token" = {};
+  sops.secrets."gitlab-db-password".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-initial-root-pw".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-db-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-secret-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-otp-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-jws-key-pem".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-runner-authentication-file" = {};

  imports = [
    ./mail.nix
@ -20,6 +48,7 @@ in {

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernel.sysctl."net.ipv4.ip_forward" = true;

  networking = {
    hostName = "primordial";
@ -48,8 +77,20 @@ in {

  i18n.defaultLocale = "en_US.UTF-8";

-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "huanzodev@gmail.com";
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "acme@fuckwit.dev";
+      dnsProvider = "cloudflare";
+      environmentFile = secretFile "acme.env";
+      dnsPropagationCheck = true;
+    };
+
+    certs."fuckwit.dev" = {
+      extraDomainNames = ["*.fuckwit.dev"];
+    };
+  };
+  users.users.nginx.extraGroups = ["acme"];

  services = {
    openssh = {
@ -78,6 +119,41 @@ in {
      '';
    };

+    gitlab = {
+      enable = true;
+      https = true;
+      host = "gitlab.fuckwit.dev";
+      port = 443;
+      databasePasswordFile = secretFile "gitlab-db-password";
+      initialRootPasswordFile = secretFile "gitlab-initial-root-pw";
+      secrets = {
+        secretFile = secretFile "gitlab-secret-key-base";
+        otpFile = secretFile "gitlab-otp-key-base";
+        dbFile = secretFile "gitlab-db-key-base";
+        jwsFile = secretFile "gitlab-jws-key-pem";
+      };
+      registry = {
+        enable = true;
+        package = pkgs.gitlab-container-registry;
+        defaultForProjects = true;
+        externalAddress = "https://registry-git.fuckwit.dev";
+        externalPort = 443;
+        keyFile = "/run/gitlab/registry.pem";
+        certFile = "/run/gitlab/registry.crt";
+      };
+    };
+
+    gitlab-runner = {
+      enable = true;
+
+      services = {
+        default = {
+          authenticationTokenConfigFile = secretFile "gitlab-runner-authentication-file";
+          dockerImage = "debian:stable";
+        };
+      };
+    };
+
    matrix-synapse = {
      enable = true;
      settings.server_name = "fuckwit.dev";
@ -111,97 +187,73 @@ in {
      recommendedGzipSettings = true;
      recommendedOptimisation = true;

-      virtualHosts."fuckwit.dev" = let
-        serverConfig."m.server" = "matrix.fuckwit.dev:443";
-        clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
-      in {
-        enableACME = true;
-        forceSSL = true;
-        # This section is not needed if the server_name of matrix-synapse is equal to
-        # the domain (i.e. example.org from @foo:example.org) and the federation port
-        # is 8448.
-        # Further reference can be found in the docs about delegation under
-        # https://element-hq.github.io/synapse/latest/delegate.html
-        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
-        # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
-        # Further reference can be found in the upstream docs at
-        # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
-        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
-      };
+      virtualHosts =
+        {
+          "fuckwit.dev" = let
+            serverConfig."m.server" = "matrix.fuckwit.dev:443";
+            clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
+          in {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;
+            # This section is not needed if the server_name of matrix-synapse is equal to
+            # the domain (i.e. example.org from @foo:example.org) and the federation port
+            # is 8448.
+            # Further reference can be found in the docs about delegation under
+            # https://element-hq.github.io/synapse/latest/delegate.html
+            locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+            # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+            # Further reference can be found in the upstream docs at
+            # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+            locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+          };

-      virtualHosts."matrix.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-        # It's also possible to do a redirect here or something else, this vhost is not
-        # needed for Matrix. It's recommended though to *not put* element
-        # here, see also the section about Element.
-        locations."/".extraConfig = ''
-          return 404;
-        '';
-        # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
-        # *must not* be used here.
-        locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
-        # Forward requests for e.g. SSO and password-resets.
-        locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
-      };
+          "matrix.fuckwit.dev" = {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;
+            # It's also possible to do a redirect here or something else, this vhost is not
+            # needed for Matrix. It's recommended though to *not put* element
+            # here, see also the section about Element.
+            locations."/".extraConfig = ''
+              return 404;
+            '';
+            # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+            # *must not* be used here.
+            locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
+            # Forward requests for e.g. SSO and password-resets.
+            locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
+          };

-      virtualHosts."vault.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
+          "gitlab.fuckwit.dev" = {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;

-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8000";
-        };
-      };
-
-      virtualHosts."git.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8001";
-        };
-      };
-
-      virtualHosts."grafana.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8002";
-          proxyWebsockets = true;
-        };
-      };
-
-      virtualHosts."influx.fuckwit.dev" = {
-        enableACME = true;
-        addSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8003";
-          proxyWebsockets = true;
-        };
-      };
-
-      virtualHosts."sso.fuckwit.dev" = {
-        enableACME = true;
-        addSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8004";
-          proxyWebsockets = true;
-        };
-      };
-
-      # virtualHosts."drone.fuckwit.dev" = {
-      #   enableACME = true;
-      #   addSSL = true;
-
-      #   locations."/" = {
-      #     proxyPass = "http://127.0.0.1:8004";
-      #     proxyWebsockets = true;
-      #   };
-      # };
+            locations."/" = {
+              proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+            };
+          };
+        }
+        // makeVirtualHosts [
+          {
+            subdomain = "vault";
+            port = 8000;
+          }
+          {
+            subdomain = "git";
+            port = 8001;
+          }
+          {
+            subdomain = "grafana";
+            port = 8002;
+          }
+          {
+            subdomain = "influx";
+            port = 8003;
+          }
+          {
+            subdomain = "registry-git";
+            port = 4567;
+          }
+        ];
    };

    vaultwarden = {
@ -229,6 +281,22 @@ in {
      lfs.enable = true;
    };

+    gitea-actions-runner.instances = {
+      docker-runner = {
+        enable = true;
+        name = "primordial-docker";
+        url = "https://git.fuckwit.dev";
+        tokenFile = config.sops.secrets."act-runner-token".path;
+        labels = [
+          "ubuntu-latest:docker://node:16-bullseye"
+        ];
+        settings = {
+          runner.capacity = 5;
+          cache.enabled = false;
+        };
+      };
+    };
+
    grafana = {
      enable = true;

@ -248,35 +316,31 @@ in {
      };
    };

-    keycloak = {
-      enable = true;
-
-      database = {
-        type = "postgresql";
-        createLocally = true;
-        passwordFile = config.sops.secrets."keycloak_db_pw".path;
-      };
-
-      settings = {
-        hostname = "sso.fuckwit.dev";
-        http-host = "127.0.0.1";
-        http-port = 8004;
-        proxy = "edge";
+    restic = {
+      backups = {
+        mail = {
+          repository = "sftp:u169497-sub5@u169497.your-storagebox.de:mail";
+          initialize = true;
+          extraOptions = [
+            "sftp.command='ssh -p23 u169497-sub5@u169497.your-storagebox.de -i ${config.sops.secrets."restic_ssh_key".path} -s sftp'"
+          ];
+          passwordFile = config.sops.secrets."restic_mail_repository_password".path;
+          paths = ["/var/vmail" "/var/dkim"];
+          timerConfig = {
+            OnCalendar = "00:05";
+            RandomizedDelaySec = "1h";
+          };
+        };
      };
    };
-
-    # drone-server = {
-    #   enable = true;
-    #   config = {
-    #     giteaServer = "https://git.fuckwit.dev";
-    #     serverHost = "drone.fuckwit.dev";
-    #     serverPort = ":8004";
-    #     serverProto = "https";
-    #   };
-    #   environmentFile = config.sops.secrets."gitea.env".path;
-    # };
  };

+  virtualisation.podman = {
+    enable = true;
+    dockerSocket.enable = true;
+  };
+  virtualisation.docker.enable = lib.mkForce false;
+
  users.users."root".openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
--- a/nixos/primordial/mail.nix
+++ b/nixos/primordial/mail.nix
@ -5,6 +5,7 @@
 }: {
  mailserver = {
    enable = true;
+    enableManageSieve = true;
    fqdn = "mail.fuckwit.dev";
    domains = ["fuckwit.dev"];

@ -15,6 +16,7 @@
      };
    };

-    certificateScheme = "acme-nginx";
+    certificateScheme = "acme";
+    acmeCertificateName = "fuckwit.dev";
  };
 }
--- a/nixos/primordial/secrets.yaml
+++ b/nixos/primordial/secrets.yaml
@ -1,10 +1,15 @@
-gitea.env: ENC[AES256_GCM,data:wkSPzLQtL3vGNIjG+jG6I3+R7wLBBdXeaCHbKxMbpVOldo8zrPLu8HdoryneRro58d7D9Cao9x+n5SvYNfGwHPgDJG8saXTeyEffIWIKNC+5+8fjiWwIkAvstckmZjSLitVxcwhifs49jmZgW/xQBPEPiAHzVkjeueV7p/Jm9WgyD2ycPrKUvNEYJ6DWZqQq9r10Y/KsRZsvRzF2cp6YeX7YGjW7E2wuQz9yy8gOFHxmoJxAc4zM7XaKZWKtow1UPCjTtxiY7qRkWK7KQt21Xf3FCsU=,iv:qQv7hbqh3Kl6sE/XW37D9AbYt4gLJw5BnfbbLIkzOd4=,tag:g6Cecvdb67W01HvIULNzsQ==,type:str]
-keycloak_db_pw: ENC[AES256_GCM,data:1oBqzpFokAmjkT770YKYwzCllaGTprtDR9W4B/+V6ZUXPhJ1R9DNWZHqpQ==,iv:dK36GBiDj12HVjUkZqTVk/rR6s1sf6dmQTk1ZJQwi+I=,tag:6Ix9QSf+A0U82sG0z8wSmw==,type:str]
+acme.env: ENC[AES256_GCM,data:+EwmrLsjjOvvXOBgbI5T2e98pJ+PImvbaCd5/9cvqmPWurzGe1H2fjBOguDf5Mb64eZXaL7jbZxeTqT1T/w32+Y=,iv:tBuFM3V6jW7M3eXb2cwK8ZoKqfEfMxHC31GvF0GTOJs=,tag:Z/vDDFAp2cY7UarPWT/ykg==,type:str]
+restic_mail_repository_password: ENC[AES256_GCM,data:B2XAP9tnztl/c7HB7bHywfJcwV9sLahfqCfI0TajWaWHPhRsZow4yxhn813FN4pINb5i1kYyiRG/sMXMKAFo9g==,iv:pQnVRVtuhcVtH/Kot9hcx8DSA4qlkksuUiY8HaOawfk=,tag:4lbmh8bQDSVNbI06/gNUlQ==,type:str]
+restic_ssh_key: ENC[AES256_GCM,data:HpS73OEFvqSLYg8Qh1syJEjCfv5og5VxxzK2VPmAFRk5BzM4xF3Dn0cmJtQpwMMwaRGRWFdCTMrQCBWRrLgDt7wUyMpBn1HivLr4nwEOU4oDStv+1zKmrNbWLSYw3TbHoNJ2K+C46lfpV9CBdb+8dmv2vto6HoKFrOYc5/ftYd7lD9zMhueAMCc3q7aPsIFGb2TRGNz1wrF6Cn9ew1Oqh/P7xlUuIgS0kAKRrybhiIO9IUgQsTV3qqZIXogP4Yy2OLSyhbtDuvtLAncL2pJ/ZsGme47G8HoFomyqEIf0eq7YKqlpTqKPbbnxfWSlWYGg+l9OtCJOeyp5oEZ6sjPNdTUYjpcVZpHNEEa2zkaZzRj5Jo/GIiJfCu4F0kk4opbqEUTeDQHgesylxwpd/v5zaplGEqpYZ7y/DAud+YUw7XWYWjy60kjlZdkbKwrL/Cg4dxWY8Cc7v42Ve7aADgSEpEhwo5rHxM3JSVHHHunfC6y+/Qin26wQZhF1w+d8/yqSaJidx6FsDSipGCJtXa9liIG7oG2vUlmYm4rE,iv:d/AFzPAJGSGv1WzQY4+p8mImFoWKkaoMRtIBNAYiU0E=,tag:mdE/e2VX5zdrFT43NZaYNQ==,type:str]
+act-runner-token: ENC[AES256_GCM,data:QEiYYYg8fZQIwVPT+vG2Eo8JO9y5PgVJBm5E1UlujANigQKvVkhPbVtulIB1Fg==,iv:V88x7xqYlbZuawPFU824bZtvM/b44BBVIjhnmtdYCwo=,tag:PgQcH1nkRpHCiBBMCSXfxg==,type:str]
+gitlab-db-password: ENC[AES256_GCM,data:2TEOCeTjbD+SddZej0Bt2nXiJO032IT4Z43I49ChW18=,iv:65G3bjLO+ebhJfG8DEWG7EImsLheR7YUxikU6x+xj0M=,tag:GoQBrYPAlzdz7oscL2ie6A==,type:str]
+gitlab-initial-root-pw: ENC[AES256_GCM,data:Q+0cg6lNctY=,iv:Z+9AlxlQ5YsEWg+ff1rPWfiBDJM/wAqvNKPHQ+s8CiA=,tag:1PVqV8qXLyiKDwr02sg9tA==,type:str]
+gitlab-db-key-base: ENC[AES256_GCM,data:zzuYk07Tk4ti4k0y/lSDqrhDxdr5YqqKP5DUl0nCO1s=,iv:nKC3OkOxo+CrGTBvDPQkjps5OYrO/QPtGTY6uQsAUi4=,tag:tgRK3oUD9ZJy/DtKVkawDg==,type:str]
+gitlab-secret-key-base: ENC[AES256_GCM,data:wXaad/yooHobhuKS+BFxiy29g0iUmFn5rLRmEMWchoQ=,iv:6JFjgkfgfTNr59v+PvIKItYJXtycGffmc7gJtyeHzMg=,tag:Nll20xSIXd2DoWcd1MJojw==,type:str]
+gitlab-otp-key-base: ENC[AES256_GCM,data:3LGpjpqaQdeO7v3waFCZDVVKtgXl3h0N/XiBcqlW2Kc=,iv:Kk1Af6FoTs+kejHmTL3FXoQJ9XAV+2J5+xC+heGbKu4=,tag:EI0agVoGUVEqphCCFfRwLA==,type:str]
+gitlab-jws-key-pem: ENC[AES256_GCM,data:LUyY4Ri2Ky7LRnx5azAM6xCMolZbBskHQIwBax3wwOy8QROP5tsK+ABZYVkPNjmooNrdSBECjBfy//TI4qauYJoresMK0rnQbwJQSAmmMmDHxBT7Qt0oY2sUZ2Ohf2mx2lsmzCCesJX2mXOKyOQR/P4xmrGcE64km5e9q6wU3wkKECg72BCpUAIOkpDHtq6f87rtGSKnXLjXItw7A6IuK75s0nGJUH6zomocuWPbNVE44QAfR1Ib2UZrl1Vk20hQWhAaAZajYrGIshaHKvm0K+DpgMu7qca0HNV1fKtcuMM5s2XXpUZS97pHBXjhdGigHQ+zPm4paajQqtffXUdiO7vui+kNW/p+gCON3dmYEMXv35Q/VpinVhahnNM7y3xKIHTl2O1jdUtwJLWeBTfiul2dt/143wIsasr0qW3lx4eSmg8oKK6CJsA6Ujbo5w5Oifso5MMxKJ7kQzcVNAHM2sWn9b2G8iVZ/o1158CMv1Sz5zhfintIwoTjbcOOrk3Njchcq8RVGRaE4A0hdPLFk+MNFw3CenZNe5aBY/1sOFoL4r6GGl5p+1Bvjm84OHDbXvSaA/tBVDvjw3LXLi5OTHlahcdMrxVhMxy4OY7A5EKfrN0KkoSYg3U8nw7fcgI9bUgp53H0mQafGHY+2I9b7k6o3v6kbYy8TyPrk06tBOISj3MwO9S4GT195i5sI9NMQwE2pOl1gzWXa4wBoLHu8zWWr1UHuQLbfH9ipbVehB2uwp7LU6xm5PIW43S9zcAOMM/p3cFLjSc/qBeSktvetzw9ucFeCOm9eTuq8fgImd+DzzwGkHy7mFJJQE/dvV4yAbNiGHDqlBMYuwxd3vdKCVcGCH3cBveusXILj53QL3FKAHFaoASKpgFCWD1BrBeLwhb3kdZqtTacS9EEqUxG1jzURcpA3vJVG62vKbcZ0GWuZvDlYh+EwEGcAEQWeP3impO1kn77TU3st+ZcUP7HINB+n4WRxCNvI67T6rfAtr/s7+8oGZLiD+1wtSip7to7rbHAj8ZiMDN1r5EGnelGfPpohRTrapIfwHu3mIHYceEdywqe2odY+MrUrMUuFgVaXgIN4xGMyiHhW3IKPVHT5ujJU/Qqark/9wiXAMBiDVHxHdJK/xeYq18hIYqXImdqMaK1nzZYa2rUnRWuFZnZELuiuvaYs6VumF8NJKhBamzjiQt4JdohQIzln8nqkA5Qf3pWGitmMDXp7FlbRQgPh84V/sBE+2aur1oLAPAa07oarOsjXity3eUhCjdwtgLIcCGph+8/srFy7BcYR6bu+qIEesaxBKw1HEGWkPctMk8bW8iYqgP3BmGru6SQqDPofISBxRJWhjrrrd3plmk9vBv8xcVehZ6nrCbvsgIku3kIqaBbbHTXCCoJeKm6aHkOkt+YCPEsroAONz3gYG4FwRKTeIh2ICqmqK0JjYj6jHVXUubOVwFTlEfrj4lr8hBNpIzAdIprzh5jCsSVjkBSrQqKcpNAB2oQReAZqxnnqCVfjc7LotagSvsPeuan5h3sx/RikqrK47EvpDk6QguoCOBO43yyBx9uGW8pmyvytR+6LzGQA2WS2o8mQyDxGsnfVO5iCY8e9XRWvoF4srjzFe1Zu/2ah7VaDpe8302PUV8oh6l1gFi9NAq7tkD3qAdvE8X7TEnN0bcXsDte80zjpY+pVdsvWpTU8ojl0YeHkuqeCijJ+iikJCbwwhYDE3DsiDvPH39O+twaTLjQ/9tAQiOOrVWrU3dXilqcBY41qsbCbtKquRv6wu6Wh4mSJnRDYqQUYDMLFMr5i0xqVK6nwx1sDecJ7iRCOI0gHsu2AquzK1KQ4dv3zkiXmRbeWgntKu8PnLhz4S4sj055DH/Lo5OxfKhkcZV2g3awThLzKGd8NTtR9oiqKuIOrLsqd0UzfWMIWP4BCeKcTi9FV359uhUO646/Fon65vbqu3Ej32ueA/4D10a2cFnk9aO3EFlihMS6XSENPbkXafrQsNleZJvd267RpprVDxQFGmASEU1sMcoPVY481OeDcQPb+xq4spUc0TpsU249yYXjrzclzx9pluwpQy6/pxH+eACybqHg3OixPxfKhoYwJ+nCdoQWRHA53thU4VcCnVbInESE9hs0OfxCuA4XkTFIxn93T8VrPiIAQZlTdd4mEW/8zlWPbwZMJAIuFgPpd3hRhch9mC19wpM/AxBoVKEy63kPRv7AHhBITXXLJJa6cLybxF/ioj3w81vFHzsMiBbSM/I9B2SINidvtI/NuWEx2/EdRL29ahKbmXkGLZ0eUUp0Vci1FFZkV+4gR6W5HQDHc34Upxgd0q8FEgmw3MT+QMaDSVZ4DNT207sHFQgcpfuXzjioA2DDG62qa7HXinm0brCIIq0qpmtavIMFS+ycqqUGO4fSA/LAQT6AvzV51gC84cU1pMgW5bjFq9MlNC+kGp4VGS34Dv1QxuUFepgQGMQgqpStNIB25QSVo8R59+8PmhZTT8jl0j5Vx7fhDJNnIsvN+0EcbITlB4CXjW5T5O+ju8uFELeavxm0imYYIdVnrT4MRZrIn8+yIxqZhLv5SF3ZtKZOb2Ij/R4CePWjrVoRU1Uzo04MZOYz3q9Fv+P2fnZVJB725tTehLUWy423ARQtFarB6REoaTY58z5ggoHrNW/Pb8JpS8kNsSS+PtSGP1NLcLtAlBXjt1TfyrLMBfatu13ww70yS/4CGok1GmLIhE5NVdM1xcUvhvNqnY6UpALcwrRr4jUTR9pH81Cb7i2YwduGbfvdn0I+BwauAhArlI3n8Z88lbqMJ3/OPHbDq9DvD9hGH1qZrj7WaX8Fd22u3F3cxAOusOv7to3pjhG4IZQYaV5WMc1WtOspowG7O5R2ZHxLJR2o05VJde9dGI79WJcLhIcm7rETGFm2iHc/X4PqsZKFHXqNWJDlYW+K2uwZXHO0m2XpF1pkHu8iCdEIofxfFT3LGPq6iUxCCXifj3pC+FPA/1F+fxAJp8TkE3ATrZu2hdAhZgmG1Q/2AQo4aZiaTc6oQhnXwheuIpF0XAzgtnMPRlHkEoxr+NdjSpPbSuEWDN3lAC4ZSa5hF03No+9nQmuPVl+k9hdch+rd+iIih/MB3MTqMm6E11wk/Nj09BJnhiudTo0htSo2rFOLhWz9GsHauxwONWTzpFsJzp3US8DtZXQQ+UDAASmAyJharVrfhY/vyD7JXeakAqWMcP5oFzAZwzmQS2lrg/DMT9fXvPNCUGPvwcGeYqm0403OItOQInysdh1pugwlERNBSbaP4EfA0KIH9SyjuOBz23rEKI1CZPrzRCUTRSDLJFvIuYzlsZ/+s0bhvvyuKonKU+28DQBUYdV1T9cTFRei0Y1LDPuicutzT4wCNKCg/8iqqH6jWHVHhy9U/So6AZBqvMZSvAwdn5vCUuc0KcB7VgA5OKE6Dmt5NF8daoRpzSNECWNEhiTHd6T+9Ktbriae66mfrO0QbFn92NJT4xunreRsmXnUQKb1Rsboswzy6bDHucgFHBY2GiP95ckw17MxTDLwi4nym/tR2XG7ml2iseTwByraFhX8DTPNMu5d8pgi0SfI4bwxwXdLW4kpFXaH3nbkgal5MkfkdWKH8ve+fXozQm9hkiFH3rYNYlXzgPm0pPZVZCh9+xIbnbKjVT9/22iNwu1XIzIDh2soo9/FX9yN+VwCZHwtOJ0qUSk6SP3ts1a6Q1v2K6etfDGzfbQXlT7TC2/imW+ifF60+k2KepaYeqRSG7tDtc+QATg7d7arNBYKB1pDaVId6jeO6oa72KZ1UH08ypGjH6lwFnqWRC2p+hXDTpq0yLg4c+0cHmIxtcSDDdlIFFkXkjp84OZ0ciZ4c8zFVMulFDzHndeOx72Dv+uf8MSq6w4Aqq9bO4v+7U62oI0sFo6IHzVUVVWVxo8KY44w60JP0iKDdy3LoKm2MA+bfIiaZYHEqkv3LDf17ng290aerGKemDPdO0fNTb8jHKklwbxs7q6YabZOuOwccB5losdXjhWzprCq2vYDSLiQHlPuCF5RNd86PvUhTbMhhDotU92TdwO5QxMqQjw3pdoEBTgq5gY7YMBpu/iMxMjmMaghI++R46CZ/a1od75kTtRF886Fl8IZHxOpVnTyJIfAM0cCQQaMiGG6SewMWpgJ7P8+0wsow9WIsfEZfzGST7AVA+Rqnsoz6i5XhUu0GtolftefpKwWoWzXGnClPx1B/jo7Ev6QpVw7a/5tMF8be5y7J2Yiz+Et49nAGrih9RCGIqgpofT2Ez6xm+XNBqB7ZKHTYorlHW1oHbBLn53+yv6TR7wf4kfMRGaRzzCigl2gyukaKVsHymkV2AwNHnraA6+AXIU=,iv:/+l13lQ/8tvLt+SHO03H8dBsUyoIDVhfas1v2n1RYPc=,tag:3Q91nWeZT8PQo/EWq8/6DQ==,type:str]
+gitlab-runner-authentication-file: ENC[AES256_GCM,data:M0dn62YNywEs08eHM0EcLJJfldsqlxrdeyJJSzp7yS3EO1umQPoPrlNnrZpwjLH2EDyMP81M/S5kPoR70ckB0LYt4w2d7Iao+6/WCvIGrhhN5WPejvg=,iv:qopX16X0dfrzjQ1vMuxWIouV96dig70iDU6dX4Y4Lc0=,tag:ZVac+M3OyMtLbJWM/1CPMA==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age12u7ayy2q5dps2pcpc6z7962pz07jxv3tt03hna6jyumlu4fdjvtqdg2n3e
          enc: |
@ -15,8 +20,8 @@ sops:
            V1h2NGxyNVc3WnF2ZFBpQm1oK1AzeGcK4GoD2E8nwOl/WKtgMgs0Y1Q8abRX4mpy
            GdHGDQUWvySCisJo4JXsooYkLjOyKvir+vcVbX4nDd4L1W2OMULkrg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-25T19:17:29Z"
-    mac: ENC[AES256_GCM,data:Qnou0/umwMX2XD7gDF6SceFI5tLjOO30OVhFSXhxc2yuFj/gB0R1bPplLm5j/wmxfRQDvvm2zLgGFMqt+8i4Z+6OYgbuwFcv4FR2E001aWVj1zh+F8pRZVTxqnsvegoKWQwoXkhZe5S/fjX9N09SMYhBkjLUh9fboGXajEpDws8=,iv:hTQgeyli/MPaUVxJSzhDK+ssxv78w7hRBtQ1pnZGASg=,tag:HDKQ2duHMYvGa74Vp0fIjw==,type:str]
+    lastmodified: "2025-04-05T16:20:30Z"
+    mac: ENC[AES256_GCM,data:eofNTFKPcT8oyhhjyEXtoLsNpaXZh+cinYARB6+cgNQiDSmrT4nO8V4VS6EWcL6RAqGLtd0UkEhHJN05JMrwyS3teCeC+/2opqJa0XN8OeYZSSUfDEW5ilN7Ms7UW1+2N/7FkJgvEkpAA08HCUoDdruRb0HPYG74RmTy2Q2Wz/Q=,iv:Nffwz6l1qBHvsMri3JhNY1xJqgcB/LGjZ6tDQeG8n50=,tag:/LDX2/MWvpaLwfJuqZ0zQQ==,type:str]
    pgp:
        - created_at: "2024-01-25T11:10:44Z"
          enc: |-
@ -31,4 +36,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.10.1
--- a/outputs.nix
+++ b/outputs.nix
@ -2,8 +2,6 @@
  self,
  flake-utils,
  nixpkgs,
-  nurpkgs,
-  deploy,
  home-manager,
  ...
 } @ inputs:
@ -13,7 +11,6 @@ in {
  packages = import ./pkgs {inherit pkgs;};

  devShell = pkgs.callPackage ./shell.nix {
-    # inherit (deploy.packages.${system}) deploy-rs;
    inherit (home-manager.packages.${system}) home-manager;
  };

@ -45,18 +42,4 @@ in {
      imports = value._module.args.modules;
    })
    self.nixosConfigurations;
-
-  # deploy.nodes =
-  #   builtins.mapAttrs (name: value: {
-  #     hostname = value.config.remote.ip;
-  #     profiles.system = {
-  #       sshUser = value.config.remote.sshUser;
-  #       sshOpts = ["-p" (builtins.toString value.config.remote.sshPort)];
-  #       remoteBuild = value.config.remote.remoteBuild;
-  #       path = deploy.lib.x86_64-linux.activate.nixos value;
-  #     };
-  #   })
-  #   self.nixosConfigurations;
-
-  # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy.lib;
 }
--- a/renovate.json
+++ b/renovate.json
@ -0,0 +1,12 @@
+{
+  "nix": {
+    "enabled": true
+  },
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": [
+      "0 10 * * 0"
+    ]
+  },
+  "automerge": true
+}
--- a/shell.nix
+++ b/shell.nix
@ -2,8 +2,6 @@
  mkShell,
  sops,
  colmena,
-  # deploy-rs,
-  nixpkgs-fmt,
  nil,
  alejandra,
  home-manager,
@ -12,8 +10,6 @@ mkShell {
  nativeBuildInputs = [
    sops
    colmena
-    # deploy-rs
-    nixpkgs-fmt
    nil
    alejandra
    home-manager
Author	SHA1	Message	Date
fuckwit	fa4fafa7a9	add influx listener to telegraf	2025-05-29 12:55:45 +02:00
fuckwit	72fffad326	add shimmie	2025-04-20 18:57:58 +02:00
fuckwit	13b08245de	add prowlarr	2025-04-19 19:17:46 +02:00
fuckwit	4032168d8d	cleanup and use wildcard certs	2025-04-05 18:50:31 +02:00
fuckwit	cacdcca2e6	use stable kernel on frameowkr	2025-04-04 10:58:51 +02:00
fuckwit	c422607636	update flakes	2025-04-04 10:37:40 +02:00
fuckwit	4db755eb43	add portforwarder	2025-03-31 19:41:52 +02:00
fuckwit	53ba3a4dc1	add gitlab	2025-03-28 19:08:55 +01:00
fuckwit	0217fd1ad0	add share and node exporter	2025-03-25 20:24:05 +01:00
fuckwit	4559269329	add monitoring for celestia	2025-03-10 09:55:15 +01:00
fuckwit	19112159cc	update lock	2025-02-28 00:19:54 +01:00
fuckwit	001b7edf56	try torrent setup	2025-02-28 00:10:06 +01:00
fuckwit	92fa07489a	remove gitea runner from NAS and bind immich to ipv4 localhost	2025-02-28 00:10:06 +01:00
fuckwit	c0915335ce	add immich to NAS	2025-02-28 00:10:06 +01:00
Renovate Bot	677ecfbb3c	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 2m26s Details	2025-01-19 18:01:46 +00:00
Renovate Bot	e738985f41	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 2m33s Details	2025-01-19 17:31:42 +00:00
fuckwit	42ec135959	enable fingerprint unlock in hyprlock	2025-01-19 18:25:00 +01:00
fuckwit	51b871ecda	add udisks2 and udiskie to framework	2025-01-19 18:11:42 +01:00
Renovate Bot	89a775c1e8	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 2m30s Details	2025-01-13 20:01:49 +00:00
Renovate Bot	4f2119b767	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 2m35s Details	2025-01-13 19:31:48 +00:00
Renovate Bot	197784db20	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 2m30s Details	2025-01-13 19:01:47 +00:00
fuckwit	6289bf15d9	disable actions caching for now and increase runner concurrency	2025-01-12 18:20:54 +01:00
Renovate Bot	4e47e87075	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 11m15s Details	2025-01-11 21:01:41 +00:00
Renovate Bot	48253567c2	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 11m13s Details	2025-01-11 20:01:39 +00:00
Renovate Bot	dd5c3c3a48	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 11m12s Details	2025-01-11 19:01:39 +00:00
fuckwit	5e50a8235d	unify config a bit	2025-01-11 19:52:15 +01:00
Renovate Bot	a57efbacda	Lock file maintenance Some checks failed nix flake check / nix-flake-update (push) Has been cancelled Details	2025-01-11 18:00:09 +00:00
Renovate Bot	db13ab54b6	Lock file maintenance All checks were successful nix flake check / nix-flake-update (push) Successful in 11m37s Details	2025-01-10 23:32:27 +00:00
fuckwit	b959147b69	install nix via detsys and check then All checks were successful nix flake check / nix-flake-update (push) Successful in 11m42s Details	2025-01-11 00:17:23 +01:00
fuckwit	3fc00f521c	add flake check action Some checks failed nix flake check / nix-flake-update (push) Failing after 0s Details	2025-01-11 00:14:34 +01:00
fuckwit	7df23c160a	enable automerge for lockfile maintenance	2025-01-10 23:55:50 +01:00
fuckwit	fb060c9068	use https for inputs	2025-01-10 23:47:53 +01:00
fuckwit	d30921202e	schedule is part of group	2025-01-10 23:12:23 +01:00
fuckwit	8a90f6a82c	does the renovate schedule work now?	2025-01-10 23:06:07 +01:00
fuckwit	412bf0a33b	fix renovate.json error	2025-01-10 23:04:25 +01:00
fuckwit	9df08b4882	tell renovate to always run this when bot runs	2025-01-10 23:03:25 +01:00
fuckwit	259c7b1fd9	.... this time for real enable nix in renovate	2025-01-10 22:53:47 +01:00
fuckwit	2bb38b1634	enable nix for renovate	2025-01-10 22:53:00 +01:00
fuckwit	b5e2ce9d1b	configure renovate	2025-01-10 22:48:03 +01:00
fuckwit	afa5e8aab7	update secrets	2025-01-10 22:25:41 +01:00
fuckwit	e7940f6177	switch docker image to ubuntu-latest and test actions flow Some checks failed update-flake-lock / lockfile (push) Failing after 11m56s Details	2025-01-09 20:36:18 +01:00
fuckwit	e3b38cc453	add runner on primordial	2025-01-09 20:23:38 +01:00
fuckwit	1ae33bf279	run action on push for now Some checks failed update-flake-lock / lockfile (push) Failing after 20s Details	2025-01-09 19:53:03 +01:00
fuckwit	60c364dd22	try actions	2025-01-09 19:50:56 +01:00
fuckwit	8a74d36bd7	let act_runner use docker/podman	2025-01-09 19:11:11 +01:00
fuckwit	9031dfb62d	pass nur as overlay and fix firefox module	2025-01-09 19:10:30 +01:00
fuckwit	7539947bb0	firefox module	2025-01-04 15:16:42 +01:00
fuckwit	acc9c123df	fix firefox tabs at bottom	2025-01-03 17:21:24 +01:00
fuckwit	15ea443308	cleanup framework homemanager config	2024-12-22 21:51:42 +01:00
fuckwit	e458325578	allow EOL .NET6 for arr services	2024-12-22 20:32:42 +01:00
fuckwit	00f39fbd66	swap to hyprlock and hypridle	2024-12-22 20:03:55 +01:00
fuckwit	07e17650a8	fix tailscale	2024-12-09 19:06:45 +01:00
fuckwit	7d82ca8f5d	add prune options for backups	2024-12-09 18:45:52 +01:00
fuckwit	482463c8d4	allow more uploads	2024-12-08 18:42:17 +01:00
fuckwit	a8df9404f0	add tailwind to framework	2024-11-26 00:24:10 +01:00
fuckwit	f9bb7a157a	fix deprecations and add sdr stuff	2024-11-25 10:32:26 +01:00
fuckwit	30d45c55f6	use lts kernel for work	2024-11-20 06:06:10 +01:00
fuckwit	55137bcd83	Merge pull request 'update nixvim and fix deprecations' (#2 ) from laptop into master Reviewed-on: #2	2024-11-19 16:48:01 +01:00
fuckwit	461d94f808	update nixvim and fix deprecations	2024-11-19 16:46:13 +01:00
fuckwit	1d2679af96	fix samba deprecations	2024-11-18 19:24:25 +01:00
fuckwit	ab27ee081a	add backups for NAS	2024-11-18 19:21:50 +01:00
fuckwit	13925c6490	fix programs.eza.icons deprecation	2024-11-18 18:51:05 +01:00
fuckwit	b90ac7e424	use newer kernel	2024-11-18 18:46:20 +01:00
fuckwit	382c1be9b6	update nixvim	2024-11-18 18:31:52 +01:00
fuckwit	cd7cc0cea1	update flake, add mail backup and fix formatting	2024-11-17 20:56:50 +01:00
fuckwit	391c15be69	stuff	2024-11-17 18:05:37 +01:00
fuckwit	5ebf139b8f	add nvim config	2024-11-04 18:05:01 +01:00
fuckwit	4eed14ce1f	update flake	2024-10-11 11:13:51 +02:00