updates

the commit.

.editorconfig

@@ -0,0 +1,12 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.envrc

@@ -0,0 +1 @@
+use flake

.forgejo/workflows/lint.yml

@@ -0,0 +1,22 @@
+name: Lint
+
+on: [push]
+
+jobs:
+  lint:
+    runs-on: docker
+    env:
+    container:
+      image: ghcr.io/catthehacker/ubuntu:js-20.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: https://github.com/cachix/install-nix-action@v22
+        env:
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - run: |
+          sed -i '/^access-tokens/ d' /etc/nix/nix.conf
+          nix profile install 'nixpkgs#deadnix' 'nixpkgs#statix' 'nixpkgs#yamllint'
+          statix check .
+          deadnix -f
+          yamllint .

.forgejo/workflows/nix.yml

@@ -0,0 +1,22 @@
+name: Nix
+
+# on: [push]
+
+jobs:
+  lint:
+    runs-on: docker
+    env:
+    container:
+      image: ghcr.io/catthehacker/ubuntu:js-20.04
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check Nix flake inputs
+        uses: https://github.com/DeterminateSystems/flake-checker-action@v5
+      - uses: https://github.com/cachix/install-nix-action@v22
+        env:
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - name: Run `nix flake check`
+        run: |
+          sed -i '/^access-tokens/ d' /etc/nix/nix.conf
+          nix run '.#' -- -V

.forgejo/workflows/plex_update.yml

@@ -0,0 +1,37 @@
+name: Plex Update
+
+on:
+  push:
+    branches:
+      - main
+      - ci
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  update:
+    runs-on: docker
+    container:
+      image: ghcr.io/catthehacker/ubuntu:js-20.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: https://github.com/cachix/install-nix-action@v22
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - env:
+          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
+          VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
+        run: |
+          git config user.name "Forgejo Actions Bot"
+          git config user.email "<>"
+
+          # Run Update script
+          ./pkgs/plex-pass/update.sh
+
+          git add ./pkgs/plex-pass/
+
+          # Push if changed
+          if git status ./nixos/pkgs/plex-pass/ | grep -q "to be committed"; then
+            git commit -m "Update Plex"
+            git push origin main
+          fi

.gitignore

@@ -0,0 +1,3 @@
+result
+.direnv
+.gcroots

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "Lua.diagnostics.globals": [
+        "vim"
+    ]
+}

.vscode/snippets.code-snippets

@@ -0,0 +1,31 @@
+{
+	// Place your infrastructure workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and 
+	// description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope 
+	// is left empty or omitted, the snippet gets applied to all languages. The prefix is what is 
+	// used to trigger the snippet and the body will be expanded and inserted. Possible variables are: 
+	// $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders. 
+	// Placeholders with the same ids are connected.
+	// Example:
+	// "Print to console": {
+	// 	"scope": "javascript,typescript",
+	// 	"prefix": "log",
+	// 	"body": [
+	// 		"console.log('$1');",
+	// 		"$2"
+	// 	],
+	// 	"description": "Log output to console"
+	// }
+	"Create Host": {
+		"scope": "nix",
+		"prefix": "new_host",
+		"body": [
+			"{",
+			"  hostname = \"$1\";",
+			"  ip = \"$2\";",
+			"  mac = \"$3\";",
+			"  nix = ${4|false,true|};",
+			"}",
+			"$0"
+		]
+	}
+}

.yamllint.yaml

@@ -0,0 +1,27 @@
+ignore: |
+  charts/
+  docs/
+  .private/
+  .terraform/
+  .vscode/
+  gotk-components.yaml
+  gotk-sync.yaml
+extends: default
+rules:
+  document-start:
+    level: warning
+    present: false
+  empty-lines:
+    max-end: 1
+  truthy:
+    allowed-values: ["true", "false", "on"]
+  comments:
+    min-spaces-from-content: 1
+  line-length: disable
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  indentation: enable

README.md

@@ -0,0 +1,18 @@
+# 0x76's Infrastructure
+This repository contains my fleet of VMs, Containers and Bare Metal machines.
+
+## Directory Structure
+`flake.nix` is a NixOS flake which is the entrypoint for my NixOS config, it also contains a 'DevShell' containing all the tools needed
+to deploy the infrastructure, this can be accessed running `nix develop`.
+* **flux**: Kubernetes manifests as managed by [Flux]
+* **nixos**: Nix configurations for my NixOS LXCs and VMs, deployed using [colmena].
+
+
+[Flux]: https://github.com/fluxcd/flux2
+[colmena]: https://colmena.cli.rs/unstable/
+
+## Inspired by the following repos
+* <https://github.com/colemickens/nixcfg>
+* <https://github.com/serokell/pegasus-infra>
+* <https://git.asraphiel.dev/j00lz/strato-infra>
+* <https://github.com/tadfisher/flake>

cluster/flux-system/gotk-sync.yaml

@@ -1,26 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: flux-system
-  namespace: flux-system
-spec:
-  interval: 1m0s
-  ref:
-    branch: main
-  secretRef:
-    name: flux-system
-  url: ssh://git@git.xirion.net:2222/olympus/flux.git
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: flux-system
-  namespace: flux-system
-spec:
-  interval: 10m0s
-  path: ./cluster
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system

cluster/flux-system/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- gotk-components.yaml
-- gotk-sync.yaml

common/default.nix

@@ -0,0 +1,111 @@
+{
+  lib,
+  inputs,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./users
+    ./modules
+  ];
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {
+      inherit inputs;
+    };
+    sharedModules = [
+      ./hm-modules
+      inputs.nixvim.homeManagerModules.nixvim
+      inputs.autostart.homeManagerModules.xdg-autostart
+      inputs.catppuccin.homeModules.catppuccin
+      inputs.autostart.homeManagerModules.xdg-autostart
+    ];
+  };
+
+  virtualisation.oci-containers.backend = lib.mkDefault "podman";
+
+  # Set your time zone.
+  time.timeZone = lib.mkDefault "Europe/Amsterdam";
+
+  # Systemd OOMd
+  # Fedora enables these options by default. See the 10-oomd-* files here:
+  # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255
+  systemd.oomd = {
+    enableRootSlice = true;
+    enableUserSlices = true;
+  };
+
+  # security.polkit.enable = lib.mkDefault true;
+  boot.tmp.useTmpfs = lib.mkDefault true;
+
+  # Nix Settings
+  nix = {
+    # registry.nixpkgs.flake = inputs.nixpkgs;
+    # nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+    package = pkgs.lix;
+    settings = {
+      auto-optimise-store = true;
+      trusted-users = [
+        "root"
+        "vivian"
+      ];
+      substituters = [
+        "https://nix-community.cachix.org"
+        "https://nixpkgs-review-bot.cachix.org"
+        "https://cachix.cachix.org"
+        "https://hyprland.cachix.org"
+      ];
+      trusted-public-keys = [
+        "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      ];
+    };
+    optimise = {
+      automatic = true;
+      dates = [ "weekly" ];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      randomizedDelaySec = "3h";
+      options = "--delete-older-than 7d";
+    };
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+
+  services = {
+    # Limit the systemd journal to 100 MB of disk or the
+    # last 7 days of logs, whichever happens first.
+    journald.extraConfig = ''
+      SystemMaxUse=100M
+      MaxFileSec=7day
+    '';
+
+    dbus.implementation = "broker";
+
+    # Enable SSH
+    openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = lib.mkDefault false;
+        PermitRootLogin = lib.mkDefault "no";
+      };
+    };
+  };
+
+  # Debloat
+  documentation = {
+    enable = lib.mkForce false;
+    doc.enable = lib.mkForce false;
+    man.enable = lib.mkForce false;
+    info.enable = lib.mkForce false;
+    nixos.enable = lib.mkForce false;
+  };
+}

common/desktop/README.md

@@ -0,0 +1,9 @@
+# Common Desktop Config
+This is where I store the NixOS config that is common between
+my laptop and desktop
+
+## Files
+* `./default.nix`: Contains common systemwide configuration
+  * See also my NixOS [modules](../modules), specifically gnome
+* `./home.nix`: Contains common user-level configuration
+  * See also my Home-Manager [modules](../hm-modules)

common/desktop/default.nix

@@ -0,0 +1,131 @@
+{
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+{
+  # Bootloader.
+  boot = {
+    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+    loader = {
+      systemd-boot.enable = lib.mkDefault true;
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot/efi";
+    };
+    kernel.sysctl = lib.mkDefault { "fs.inotify.max_user_watches" = 524288; };
+    initrd = {
+      systemd.enable = true;
+      verbose = false;
+    };
+  };
+
+  # programs.nix-ld.enable = true;
+
+  hardware.keyboard.qmk.enable = true;
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    users.vivian = import ./home.nix;
+    extraSpecialArgs = {
+      inherit inputs;
+    };
+  };
+
+  services = {
+    pulseaudio.enable = false;
+
+    # Enable my config for the gnome desktop environment
+    v.gnome.enable = lib.mkDefault true;
+
+    flatpak.enable = true;
+
+    # Enable CUPS to print documents.
+    printing.enable = true;
+    pipewire = {
+      enable = true;
+      audio.enable = true;
+      # alsa.enable = true;
+      # alsa.support32Bit = true;
+      pulse.enable = true;
+      # If you want to use JACK applications, uncomment this
+      jack.enable = true;
+
+      # use the example session manager (no others are packaged yet so this is enabled by default,
+      # no need to redefine it in your config for now)
+      #media-session.enable = true;
+    };
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_GB.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "nl_NL.UTF-8";
+    LC_IDENTIFICATION = "nl_NL.UTF-8";
+    LC_MEASUREMENT = "nl_NL.UTF-8";
+    LC_MONETARY = "nl_NL.UTF-8";
+    LC_NAME = "nl_NL.UTF-8";
+    LC_NUMERIC = "nl_NL.UTF-8";
+    LC_PAPER = "nl_NL.UTF-8";
+    LC_TELEPHONE = "nl_NL.UTF-8";
+    LC_TIME = "nl_NL.UTF-8";
+  };
+
+  # Global Packages
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+    sbctl
+  ]; # ++ (if config.virtualisation.podman.enable then [ pkgs.podman-compose ] else []);
+
+  security.rtkit.enable = true;
+
+  virtualisation = {
+    podman.enable = lib.mkDefault true;
+    libvirtd = {
+      enable = true;
+      qemu.package = pkgs.qemu_kvm;
+    };
+  };
+
+  fonts.packages = with pkgs; [
+    material-design-icons
+
+    noto-fonts
+    noto-fonts-cjk-sans
+    noto-fonts-emoji
+
+    dejavu_fonts
+
+    nerd-fonts.dejavu-sans-mono
+    nerd-fonts.ubuntu
+    nerd-fonts.droid-sans-mono
+    nerd-fonts.symbols-only
+  ];
+
+  programs = {
+    steam = {
+      enable = true;
+      # Open ports in the firewall for Steam Remote Play
+      remotePlay.openFirewall = true;
+      package = pkgs.steam.override {
+        extraPkgs =
+          pkgs: with pkgs; [
+            gamescope
+            mangohud
+          ];
+      };
+    };
+
+    adb.enable = true;
+  };
+
+  networking = {
+    # Networking
+    networkmanager.enable = true;
+    firewall.checkReversePath = false;
+    firewall.enable = false;
+  };
+}

common/desktop/home.nix

@@ -0,0 +1,124 @@
+{
+  pkgs,
+  inputs,
+  config,
+  ...
+}:
+let
+  tex = pkgs.texlive.combine {
+    inherit (pkgs.texlive) scheme-full;
+  };
+  my-python-packages =
+    ps: with ps; [
+      cryptography
+      flask
+      ipwhois
+      numpy
+      pandas
+      pyasn
+      pyshark
+      requests
+      scapy
+      z3-solver
+    ];
+in
+{
+  home.packages = with pkgs; [
+    (python3.withPackages my-python-packages)
+    btop
+    calibre
+    celluloid # video player
+    comma
+    cinny-desktop
+    discord
+    element-desktop
+    foliate # epub reader
+    firefox
+    gcc
+    gimp
+    jellyfin-media-player
+    neofetch
+    nixpkgs-review
+    qmk
+    signal-desktop
+    solo2-cli
+    spotify
+    unzip
+    yt-dlp
+
+    obsidian
+    (lib.hiPrio (
+      pkgs.writeShellScriptBin "obsidian" ''
+        unset WAYLAND_DISPLAY
+        ${pkgs.obsidian}/bin/obsidian
+      ''
+    ))
+  ];
+  # Enable my own hm modules
+  themes.v.catppuccin.enable = true;
+  programs = {
+    v = {
+      vscode.enable = true;
+      nvim.enable = true;
+      rust.enable = true;
+    };
+
+    zed-editor = {
+      enable = true;
+    };
+
+    # firefox.enable = true;
+
+    chromium = {
+      enable = true;
+      extensions = [
+        { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # ublock origin
+        { id = "nngceckbapebfimnlniiiahkandclblb"; } # bitwarden
+      ];
+    };
+
+    direnv = {
+      enable = true;
+      nix-direnv.enable = true;
+    };
+
+    zsh = {
+      enable = true;
+      sessionVariables = {
+        DIRENV_LOG_FORMAT = "";
+      };
+    };
+
+    kitty = {
+      enable = true;
+      shellIntegration.enableZshIntegration = true;
+    };
+  };
+
+  xdg.autoStart = {
+    packages = with pkgs; [
+      element-desktop
+      firefox
+      discord
+    ];
+  };
+
+  # Syncthing
+  services.syncthing.enable = true;
+  xdg.userDirs =
+    let
+      home = config.home.homeDirectory;
+    in
+    {
+      enable = true;
+      createDirectories = true;
+      desktop = "${home}/.desktop";
+      documents = "${home}/cloud/Documents";
+      download = "${home}/dl";
+      music = "${home}/cloud/Music";
+      pictures = "${home}/cloud/Pictures";
+      publicShare = "${home}/.publicShare";
+      templates = "${home}/.templates";
+      videos = "${home}/cloud/Videos";
+    };
+}

common/generic-vm.nix

@@ -0,0 +1,6 @@
+{ lib, ... }: {
+  networking.useDHCP = lib.mkDefault true;
+
+  # Enable qemu guest agent
+  services.qemuGuest.enable = true;
+}

common/hm-modules/catppuccin/default.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.themes.v.catppuccin;
+in
+{
+  options.themes.v.catppuccin = {
+    enable = mkEnableOption "catppuccin";
+  };
+  config = mkIf cfg.enable {
+    catppuccin = {
+      enable = true;
+      flavor = "frappe";
+      accent = "pink";
+
+      waybar.enable = false;
+
+      mako.enable = false;
+      rofi.enable = true;
+
+      hyprland.enable = true;
+      kitty.enable = true;
+
+      kvantum.enable = true;
+    };
+
+    # home.pointerCursor = {
+      # name = "Bibata_Ghost";
+      # size = 24;
+      # package = pkgs.bibata-cursors-translucent;
+    # };
+
+    programs.kitty = {
+      # themeFile = "Catppuccin-Frappe";
+      font.name = "DejaVuSansMono Nerd Font";
+    };
+
+    gtk = {
+      enable = true;
+      iconTheme = {
+        name = "Papirus-Dark";
+        package = pkgs.papirus-icon-theme.override { color = "violet"; };
+      };
+      # cursorTheme = {
+        # inherit (config.home.pointerCursor) name package size;
+      # };
+    };
+
+    qt = {
+      enable = true;
+      # platformTheme = "qtct";
+      style.name = "kvantum";
+      platformTheme.name = "kvantum";
+    };
+
+  };
+}

common/hm-modules/default.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./catppuccin
+    ./nvim
+    ./vscode.nix
+    ./git.nix
+    ./rust.nix
+  ];
+}

common/hm-modules/git.nix

@@ -0,0 +1,31 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let cfg = config.programs.v.git;
+in {
+  options.programs.v.git = { enable = mkEnableOption "git"; };
+  config = mkIf cfg.enable {
+    programs.git = {
+      enable = true;
+      package = pkgs.gitAndTools.gitFull;
+      userName = "Vivian";
+      userEmail = "vivian@0x76.dev";
+      lfs.enable = true;
+      extraConfig = {
+        push.autoSetupRemote = true;
+        init.defaultBranch = "main";
+        # Git merge driver that always grabs upstream changes
+        # Useful for e.g. lock files
+        merge.ours = {
+          name = "Overwrite Upstream Changes";
+          driver = "cp -f '%A' '%B'";
+        };
+      };
+
+      difftastic.enable = true;
+    };
+
+    home.file.".config/git/attributes".text = ''
+      flake.lock merge=ours
+    '';
+  };
+}

common/hm-modules/nvim/default.nix

@@ -0,0 +1,220 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.programs.v.nvim;
+in
+with lib;
+{
+  options.programs.v.nvim = {
+    enable = mkEnableOption "nvim";
+  };
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [ fd ];
+    home.file.".config/nvim/lua".source = ./lua;
+    programs.nixvim =
+      { helpers, ... }:
+      {
+        enable = true;
+
+        imports = [
+          ./keybinds.nix
+          ./lsp.nix
+        ];
+
+        package = pkgs.neovim-unwrapped;
+        vimAlias = true;
+        luaLoader.enable = true;
+
+        performance = {
+          byteCompileLua.enable = true;
+          combinePlugins.enable = true;
+        };
+
+        globals.mapleader = " ";
+
+        opts = {
+          number = true;
+          conceallevel = 2;
+          expandtab = true;
+          tabstop = 2;
+
+          shiftwidth = 2;
+          smartindent = true;
+
+          title = true;
+
+          spell = true;
+          spelllang = "en_gb";
+        };
+
+        clipboard.providers.wl-copy.enable = true;
+
+        extraPlugins = with pkgs.vimPlugins; [
+          FixCursorHold-nvim
+        ];
+
+        extraConfigLua = "";
+
+        colorschemes.catppuccin = {
+          enable = true;
+          settings.flavour = "frappe";
+        };
+
+        plugins = {
+          nvim-surround.enable = true;
+
+          zen-mode = {
+            enable = true;
+            settings = {
+              window.options = {
+                number = false;
+              };
+            };
+          };
+
+          vimwiki = {
+            enable = true;
+            settings = {
+              list = [
+                {
+                  ext = ".md";
+                  path = "~/cloud/Notes/";
+                  syntax = "markdown";
+                }
+              ];
+            };
+          };
+
+          image = {
+            enable = false;
+            settings.backend = "kitty";
+          };
+          web-devicons.enable = true;
+          bufferline.enable = true;
+          nix.enable = true;
+          luasnip.enable = true;
+          startup = {
+            enable = true;
+            theme = "my_theme";
+          };
+          obsidian = {
+            enable = false;
+            settings = {
+              new_notes_location = "notes_subdir";
+              notes_subdir = "Unsorted";
+              daily_notes = {
+                folder = "Diary/Daily";
+              };
+              workspaces = [
+                {
+                  name = "notes";
+                  path = "~/cloud/Notes";
+                }
+              ];
+              completion = {
+                min_chars = 2;
+                nvim_cmp = true;
+              };
+              picker.name = "telescope.nvim";
+            };
+          };
+          fidget = {
+            enable = true;
+            settings = {
+              progress = {
+                ignore = [ "ltex" ];
+                display.done_ttl = 5;
+              };
+              notification = {
+                override_vim_notify = true;
+              };
+            };
+          };
+          neotest = {
+            enable = true;
+            adapters = {
+              plenary.enable = true;
+              python.enable = true;
+              rust = {
+                enable = true;
+                settings.args = [ "--no-capture" ];
+              };
+            };
+          };
+          treesitter = {
+            enable = true;
+            nixGrammars = true;
+            settings = {
+              highlight.enable = true;
+              incremental_selection.enable = true;
+              indent.enable = true;
+            };
+          };
+
+          # Git
+          committia.enable = true;
+          gitsigns.enable = true;
+
+          lualine = {
+            enable = true;
+            settings.options.theme = "catppuccin";
+          };
+
+          oil = {
+            enable = true;
+          };
+
+          telescope = {
+            enable = true;
+            settings.defaults.preview.ls_short = true;
+            extensions.file-browser = {
+              enable = true;
+              settings = {
+                hijack_netrw = true;
+                dir_icon = "";
+              };
+            };
+            extensions.fzf-native.enable = true;
+            extensions.fzf-native.settings.fuzzy = true;
+            extensions.frecency.enable = true;
+            extensions.ui-select.enable = true;
+          };
+          comment.enable = true;
+          vimtex.enable = false;
+          typst-preview.enable = true;
+          floaterm.enable = true;
+          cmp = {
+            enable = true;
+            autoEnableSources = true;
+            settings = {
+              cmdline.":".sources = [ { name = "path"; } ];
+              snippet.expand = "function(args) require('luasnip').lsp_expand(args.body) end";
+              mapping = {
+                "<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
+                "<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
+                "<CR>" = "cmp.mapping.confirm({ select = true })";
+                "<C-Space>" = "cmp.mapping.complete()";
+                "<C-e>" = "cmp.mapping.close()";
+              };
+              sources = [
+                { name = "nvim_lsp_signature_help"; }
+                { name = "path"; }
+                { name = "spell"; }
+                {
+                  name = "buffer";
+                  # Words from other open buffers can also be suggested.
+                  option.get_bufnrs.__raw = "vim.api.nvim_list_bufs";
+                }
+                { name = "nvim_lsp"; }
+                { name = "luasnip"; }
+              ];
+            };
+          };
+        };
+      };
+  };
+}

common/hm-modules/nvim/keybinds.nix

@@ -0,0 +1,185 @@
+{ helpers, ... }:
+{
+  keymaps = with helpers; [
+    # Disable arrow keys
+    {
+      mode = "n";
+      key = "<Up>";
+      action = "<Nop>";
+    }
+    {
+      mode = "n";
+      key = "<Down>";
+      action = "<Nop>";
+    }
+    {
+      mode = "n";
+      key = "<Left>";
+      action = "<Nop>";
+    }
+    {
+      mode = "n";
+      key = "<Right>";
+      action = "<Nop>";
+    }
+    # General
+    {
+      mode = "n";
+      key = "<leader>";
+      action = ":noh<CR>";
+    }
+    # Telescope
+    {
+      mode = "n";
+      key = "<leader>ff";
+      action = ":Telescope find_files<CR>";
+    }
+    {
+      mode = "n";
+      key = "<leader>fs";
+      action = ":Telescope lsp_dynamic_workspace_symbols<CR>";
+    }
+    {
+      mode = "n";
+      key = "<leader>fg";
+      action = mkRaw "require('telescope.builtin').live_grep";
+    }
+    {
+      mode = "n";
+      key = "<leader>fb";
+      action = ":Telescope buffers<CR>";
+    }
+    {
+      mode = "n";
+      key = "<leader>fo";
+      action = ":Telescope oldfiles<CR>";
+    }
+    {
+      mode = "n";
+      key = "<leader>fr";
+      action = ":Telescope frecency<CR>";
+    }
+    # Commenting
+    {
+      mode = "n";
+      key = "<C-/>";
+      action = mkRaw "require('Comment.api').toggle.linewise.current";
+    }
+    {
+      mode = "x";
+      key = "<C-/>";
+      action = mkRaw ''
+        function()
+          local esc = vim.api.nvim_replace_termcodes(
+            '<ESC>', true, false, true
+          )
+          vim.api.nvim_feedkeys(esc, 'nx', false)
+          require('Comment.api').toggle.linewise(vim.fn.visualmode())
+        end
+      '';
+    }
+    # Float Term
+    {
+      mode = "n";
+      key = "t";
+      action = ":FloatermToggle myfloat<CR>";
+    }
+    {
+      mode = "t";
+      key = "<ESC>";
+      action = mkRaw "function() vim.cmd(':FloatermToggle myfloat') end";
+    }
+    # Switch buffers
+    {
+      mode = "n";
+      key = "<leader>q";
+      action = ":bd<CR>"; # Delete buffer
+    }
+    {
+      mode = "n";
+      key = "<leader>s";
+      action = ":bn<CR>"; # Buffer next
+    }
+    {
+      mode = "n";
+      key = "<leader>a";
+      action = ":bp<CR>"; # Buffer previous
+    }
+    # Change Indenting
+    {
+      mode = "i";
+      key = "<S-Tab>";
+      action = "<C-o><<";
+    }
+    {
+      mode = "n";
+      key = "<S-Tab>";
+      action = "<<_";
+    }
+    {
+      mode = "n";
+      key = "<Tab>";
+      action = ">>_";
+    }
+    {
+      mode = "v";
+      key = "<Tab>";
+      action = ">gv";
+    }
+    {
+      mode = "v";
+      key = "<S-Tab>";
+      action = "<gv";
+    }
+    # Neotest
+    {
+      mode = "n";
+      key = "<leader>nr";
+      action = mkRaw "require('neotest').run.run";
+    }
+    {
+      mode = "n";
+      key = "<leader>no";
+      action = mkRaw "require('neotest').output.open";
+    }
+    {
+      mode = "n";
+      key = "<leader>ns";
+      action = mkRaw "require('neotest').run.stop";
+    }
+    {
+      mode = "n";
+      key = "<leader>nf";
+      action = mkRaw "function() require('neotest').run.run(vim.fn.expand('%')) end";
+    }
+    # LSP
+    {
+      mode = "n";
+      key = "<M-CR>";
+      action = mkRaw "vim.lsp.buf.code_action";
+    }
+    {
+      mode = "n";
+      key = "<leader>e";
+      action = mkRaw "vim.diagnostic.open_float";
+    }
+    # oil
+    {
+      mode = "n";
+      key = "_";
+      action = "<CMD>Oil<CR>";
+    }
+    # Tiny mist (Typst)
+    # {
+    #   mode = "n";
+    #   key = "<leader>tp";
+    #   action = mkRaw ''
+    #         client:exec_cmd({
+    #             title = "pin",
+    #             command = "tinymist.pinMain",
+    #             arguments = { vim.api.nvim_buf_get_name(0) },
+    #         }, { bufnr = bufnr })
+    #   '';
+    # }
+  ];
+}

common/hm-modules/nvim/lsp.nix

@@ -0,0 +1,127 @@
+{ pkgs, ... }:
+{
+  plugins = {
+    rustaceanvim = {
+      enable = true;
+
+      settings = {
+        auto_attach = true;
+        server = {
+          standalone = false;
+          default_settings = {
+            rust-analyzer = {
+              inlayHints = {
+                lifetimeElisionHints = {
+                  enable = "always";
+                };
+              };
+              cargo.features = "all";
+              check = {
+                command = "clippy";
+              };
+              cachePriming.enable = false;
+            };
+          };
+        };
+      };
+    };
+
+    lsp = {
+      enable = true;
+      inlayHints = true;
+      keymaps = {
+        lspBuf = {
+          K = "hover";
+          gD = "references";
+          gd = "definition";
+          gi = "implementation";
+          gt = "type_definition";
+          "<leader>rn" = "rename";
+          "g=" = "format";
+        };
+        diagnostic = {
+          "<leader>j" = "goto_next";
+          "<leader>k" = "goto_prev";
+        };
+      };
+      servers = {
+        cssls.enable = true;
+        nil_ls.enable = true; # NixOS
+        dockerls.enable = true;
+        rust_analyzer = {
+          enable = false;
+          installCargo = false;
+          installRustc = false;
+        };
+        pyright.enable = true;
+        pylsp = {
+          enable = true;
+          settings.plugins = {
+            black = {
+              enabled = true;
+              cache_config = true;
+            };
+            pycodestyle = {
+              maxLineLength = 100;
+            };
+          };
+        };
+        elixirls.enable = true;
+        clangd.enable = true;
+        yamlls.enable = true;
+        lua_ls.enable = true;
+        tinymist = {
+          enable = true;
+          rootMarkers = [ "main.typ" ];
+          onAttach.function = ''
+            vim.keymap.set("n", "<leader>tp", function()
+                client:exec_cmd({
+                    title = "pin",
+                    command = "tinymist.pinMain",
+                    arguments = { vim.api.nvim_buf_get_name(0) },
+                }, { bufnr = bufnr })
+            end, { desc = "[T]inymist [P]in", noremap = true })
+
+            vim.keymap.set("n", "<leader>tu", function()
+                client:exec_cmd({
+                    title = "unpin",
+                    command = "tinymist.pinMain",
+                    arguments = { vim.v.null },
+                }, { bufnr = bufnr })
+            end, { desc = "[T]inymist [U]npin", noremap = true })
+          '';
+          settings = {
+            formatterMode = "typstyle"; # or "typstfmt"
+
+          };
+        };
+      };
+    };
+
+    trouble.enable = true;
+    lspkind.enable = true;
+    lspsaga = {
+      enable = true;
+      lightbulb.enable = false;
+    };
+    nvim-lightbulb = {
+      enable = true;
+      settings = {
+        autocmd.enabled = true;
+        number.enabled = true;
+      };
+    };
+
+    none-ls = {
+      enable = true;
+      sources = {
+        formatting = {
+          nixfmt = {
+            enable = true;
+            package = pkgs.nixfmt-rfc-style;
+          };
+        };
+      };
+    };
+  };
+}

common/hm-modules/nvim/lua/obsidian_picker.lua

@@ -0,0 +1,48 @@
+local pickers = require "telescope.pickers"
+local finders = require "telescope.finders"
+local conf = require("telescope.config").values
+local actions = require("telescope.actions")
+local action_state = require("telescope.actions.state")
+
+local obsidian_commands = require("obsidian.commands").commands
+local results = {}
+for key, _ in pairs(obsidian_commands) do
+  table.insert(results, string.sub(key, 9))
+end
+
+Local = 100
+local Local = 3
+print(Local)
+
+local obsidian_picker = function(opts)
+  opts = opts or require("telescope.themes").get_dropdown{}
+  pickers.new(opts, {
+    prompt_title = "Obsidian",
+    finder = finders.new_table {
+      results = results,
+      -- entry_maker = function(entry)
+      --   return {
+      --     value = entry,
+      --     display = entry[1],
+      --     ordinal = entry[1],
+      --   }
+      -- end
+    },
+    sorter = conf.generic_sorter(opts),
+    attach_mappings = function(prompt_bufnr, map)
+      actions.select_default:replace(function()
+        actions.close(prompt_bufnr)
+        local selection = action_state.get_selected_entry()
+        vim.cmd(':Obsidian' .. selection[1])
+      end)
+      return true
+    end,
+  }):find()
+end
+
+-- obsidian_picker()
+
+return {
+  obsidian_picker = obsidian_picker
+}
+

common/hm-modules/nvim/lua/startup/themes/my_theme.lua

@@ -0,0 +1,75 @@
+local settings = {
+    -- every line should be same width without escaped \
+    header = {
+        type = "text",
+        oldfiles_directory = false,
+        align = "center",
+        fold_section = false,
+        title = "Header",
+        margin = 5,
+        content = {
+            " ███╗   ██╗ ███████╗ ██████╗  ██╗   ██╗ ██╗ ███╗   ███╗",
+            " ████╗  ██║ ██╔════╝██╔═══██╗ ██║   ██║ ██║ ████╗ ████║",
+            " ██╔██╗ ██║ █████╗  ██║   ██║ ██║   ██║ ██║ ██╔████╔██║",
+            " ██║╚██╗██║ ██╔══╝  ██║   ██║ ╚██╗ ██╔╝ ██║ ██║╚██╔╝██║",
+            " ██║ ╚████║ ███████╗╚██████╔╝  ╚████╔╝  ██║ ██║ ╚═╝ ██║",
+            " ╚═╝  ╚═══╝ ╚══════╝ ╚═════╝    ╚═══╝   ╚═╝ ╚═╝     ╚═╝",
+        },
+        highlight = "Statement",
+        default_color = "",
+        oldfiles_amount = 0,
+    },
+    -- name which will be displayed and command
+    body = {
+        type = "mapping",
+        oldfiles_directory = false,
+        align = "center",
+        fold_section = false,
+        title = "Basic Commands",
+        margin = 5,
+        content = {
+            { " Find File", "Telescope find_files", "<leader>ff"},
+            { "󰍉 Find Word ", "Telescope live_grep", "<leader>fg"},
+            { " Recent Files", "Telescope oldfiles", "<leader>fo"},
+            { " File Browser", "Telescope file_browser", "<leader>fs"},
+            { " New File", "lua require'startup'.new_file()", "<leader>nf"},
+        },
+        highlight = "String",
+        default_color = "",
+        oldfiles_amount = 0,
+    },
+    footer = {
+        type = "text",
+        oldfiles_directory = false,
+        align = "center",
+        fold_section = false,
+        title = "Footer",
+        margin = 5,
+        content = { "bottom text" },
+        highlight = "Number",
+        default_color = "",
+        oldfiles_amount = 0,
+    },
+
+    options = {
+        mapping_keys = true,
+        cursor_column = 0.5,
+        empty_lines_between_mappings = true,
+        disable_statuslines = true,
+        paddings = { 1, 3, 3, 0 },
+    },
+    mappings = {
+        execute_command = "<CR>",
+        open_file = "o",
+        open_file_split = "<c-o>",
+        open_section = "<TAB>",
+        open_help = "?",
+    },
+    colors = {
+        background = "#1f2227",
+        folded_section = "#56b6c2",
+    },
+    parts = { "header", "body", "footer" },
+}
+return settings
+

common/hm-modules/nvim/obsidian_picker.lua

@@ -0,0 +1,35 @@
+local pickers = require "telescope.pickers"
+local finders = require "telescope.finders"
+local conf = require("telescope.config").values
+local actions = require("telescope.actions")
+local action_state = require("telescope.actions.state")
+
+local obsidian_commands = require("obsidian.commands").commands
+local results = {}
+for key, _ in pairs(obsidian_commands) do
+  table.insert(results, string.sub(key, 9))
+end
+
+local obsidian_picker = function(opts)
+  opts = opts or require("telescope.themes").get_dropdown {}
+  pickers.new(opts, {
+    prompt_title = "Obsidian",
+    finder = finders.new_table {
+      results = results,
+    },
+    sorter = conf.generic_sorter(opts),
+    attach_mappings = function(prompt_bufnr, map)
+      actions.select_default:replace(function()
+        actions.close(prompt_bufnr)
+        local selection = action_state.get_selected_entry()
+        vim.cmd(':Obsidian' .. selection[1])
+      end)
+      return true
+    end,
+  }):find()
+end
+
+
+return {
+  obsidian_picker = obsidian_picker
+}

common/hm-modules/rust.nix

@@ -0,0 +1,41 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib;
+let
+  cfg = config.programs.v.rust;
+in
+{
+  options.programs.v.rust.enable = mkEnableOption "rust";
+
+  config = mkIf cfg.enable {
+    home = {
+      packages = with pkgs; [
+        bacon
+        rustup
+        cargo-binutils
+        cargo-nextest
+        cargo-msrv
+        cargo-dist
+        cargo-cross
+        cargo-generate
+      ];
+
+      file.".cargo/config.toml".text = ''
+        [registries.crates-io]
+        protocol = "sparse"
+
+        [build]
+        rustc-wrapper = "${pkgs.sccache}/bin/sccache"
+
+        [profile.rust-analyzer]
+        inherits = "dev"
+      '';
+
+      sessionPath = [ "$HOME/.cargo/bin" ];
+    };
+  };
+}

common/hm-modules/vscode.nix

@@ -0,0 +1,115 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.programs.v.vscode;
+in
+{
+  options.programs.v.vscode = {
+    enable = mkEnableOption "vscode";
+  };
+  config = mkIf cfg.enable {
+    programs.vscode = {
+      enable = true;
+      package = pkgs.vscode;
+      profiles.default = {
+        userSettings = {
+          "ltex.language" = "en-GB";
+          "latex-workshop.linting.chktex.enabled" = true;
+          "latex-workshop.latex.clean.subfolder.enabled" = true;
+          "latex-workshop.latex.outDir" = "%TMPDIR%/%RELATIVE_DOC%";
+          "editor.fontFamily" = "'DejaVuSansMono Nerd Font', 'monospace', monospace";
+          "keyboard.dispatch" = "keyCode";
+          "rust-analyzer.server.path" = "${pkgs.rust-analyzer}/bin/rust-analyzer";
+          "rust-analyzer.check.extraArgs" = [
+            "--profile"
+            "rust-analyzer"
+          ];
+          "rust-analyzer.check.command" = "clippy";
+          "terminal.integrated.defaultProfile.linux" = "zsh";
+          "nix.enableLanguageServer" = true; # Enable LSP.
+          "nix.serverPath" = "${pkgs.nil}/bin/nil";
+          "[nix]" = {
+            "editor.defaultFormatter" = "brettm12345.nixfmt-vscode";
+          };
+          "[python]" = {
+            "editor.formatOnType" = true;
+          };
+          "debug.allowBreakpointsEverywhere" = true;
+          "C_Cpp.clang_format_fallbackStyle" = "{ BasedOnStyle: Google, IndentWidth: 4, ColumnLimit: 0}";
+          # "crates.compatibleDecorator" = "✓";
+          # "crates.errorDecorator" = "✗";
+          # "crates.incompatibleDecorator" = "🛇";
+
+          # Verilog
+          "verilog.formatting.verilogHDL.formatter" = "verible-verilog-format";
+          "verilog.languageServer.svls.enabled" = true;
+          "verilog.languageServer.svls.path" = "${pkgs.svls}/bin/svls";
+          "verilog.languageServer.veribleVerilogLs.enabled" = true;
+          "verilog.languageServer.veribleVerilogLs.path" = "${pkgs.verible}/bin/verible-verilog-ls";
+          "verilog.formatting.veribleVerilogFormatter.path" = "${pkgs.verible}/bin/verible-verilog-format";
+          "verilog.linting.linter" = "verilator";
+          "verilog.linting.path" = "${pkgs.verilator}/bin/verilator";
+          "[verilog]" = {
+            "editor.defaultFormatter" = "mshr-h.veriloghdl";
+          };
+
+          # Don't index unecessary things
+          "files.exclude" = {
+            "**/.vscode" = true;
+            "**/.git" = true;
+            "**/.svn" = true;
+            "**/.hg" = true;
+            "**/.deps" = true;
+            "**/CVS" = true;
+            "**/.DS_Store" = true;
+            "/bin" = true;
+            "/boot" = true;
+            "/cdrom" = true;
+            "/dev" = true;
+            "/proc" = true;
+            "/etc" = true;
+            "/nix" = true;
+          };
+        };
+        extensions = with pkgs.vscode-extensions; [
+          brettm12345.nixfmt-vscode
+          # catppuccin.catppuccin-vsc
+          codezombiech.gitignore
+          codezombiech.gitignore
+          davidlday.languagetool-linter
+          editorconfig.editorconfig
+          foxundermoon.shell-format
+          github.copilot
+          github.copilot-chat
+          github.vscode-github-actions
+          james-yu.latex-workshop
+          jnoortheen.nix-ide
+          mkhl.direnv
+          ms-vscode-remote.remote-ssh
+          ms-vscode.cpptools
+          ms-vsliveshare.vsliveshare
+          mshr-h.veriloghdl
+          # platformio.platformio-ide
+          redhat.vscode-xml
+          redhat.vscode-yaml
+          rust-lang.rust-analyzer
+          skellock.just
+          sumneko.lua
+          tamasfe.even-better-toml
+          vadimcn.vscode-lldb
+          vadimcn.vscode-lldb
+          valentjn.vscode-ltex
+          vscodevim.vim
+          xaver.clang-format
+          continue.continue
+        ];
+      };
+    };
+
+  };
+}

common/modules/default.nix

@@ -0,0 +1,11 @@
+{ ... }: {
+  imports = [
+    ./meta.nix
+    ./nginx.nix
+    ./dns.nix
+    ./flood.nix
+    ./gnome
+    ./unpackerr.nix
+    ./vault.nix
+  ];
+}

common/modules/dns.nix

@@ -0,0 +1,114 @@
+{ config, pkgs, lib, self, ... }:
+# DNS Module to set up Unbound DNS with all my hosts in the config
+# Used for DNS Servers and my laptop
+with lib;
+let
+  inherit (builtins) filter attrValues;
+  domains = [ "hades" "olympus" "thalassa" ];
+  mapConfig = host: {
+    inherit (host.config.networking) hostName domain;
+    inherit (host.config.meta) ipv4 ipv6;
+  };
+  hosts = (map mapConfig (attrValues self.nixosConfigurations));
+  ipv4Hosts = filter (v: v.ipv4 != null) hosts;
+  ipv6Hosts = filter (v: v.ipv6 != null) hosts;
+
+  localData = { hostName, domain, ipv4, ... }: ''"${hostName}.${domain}. A ${ipv4}"'';
+  local6Data = { hostName, domain, ipv6, ... }: ''"${hostName}.${domain}. AAAA ${ipv6}"'';
+  ptrData = { hostName, domain, ipv4, ... }: ''"${ipv4} ${hostName}.${domain}"'';
+  ptr6Data = { hostName, domain, ipv6, ... }: ''"${ipv6} ${hostName}.${domain}"'';
+
+  cfg = config.services.v.dns;
+in {
+  options.services.v.dns = {
+    enable = mkEnableOption "v.dns";
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to open port 53 in the firwall for unbound dns
+        And `services.prometheus.exporters.unbound.port` for metrics (if enabled).
+      '';
+    };
+
+    enableMetrics = mkOption {
+      type = types.bool;
+      default = cfg.mode == "server";
+      description = ''
+        Enable prometheus metrics
+      '';
+    };
+
+    mode = mkOption {
+      type = types.enum [ "server" "laptop" ];
+      default = "laptop";
+      description = ''
+        Whether to configure the DNS in server mode (listen on all interfaces) or laptop mode (just on localhost)
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ 53 ];
+      allowedUDPPorts = [ 53 ];
+    };
+    services.prometheus.exporters.unbound = mkIf cfg.enableMetrics {
+      enable = true;
+      inherit (cfg) openFirewall;
+      inherit (config.services.unbound) group;
+      controlInterface = config.services.unbound.localControlSocketPath;
+    };
+    services.unbound = {
+      enable = true;
+      package = pkgs.v.unbound;
+      localControlSocketPath =
+        mkIf cfg.enableMetrics "/run/unbound/unbound.socket";
+      settings = {
+        server = mkMerge [
+          {
+            use-syslog = "yes";
+            module-config = ''"validator iterator"'';
+
+            local-zone =
+              map (localdomain: ''"${localdomain}}." transparent'') domains;
+            local-data = (map localData ipv4Hosts) ++ (map local6Data ipv6Hosts);
+            local-data-ptr = (map ptrData ipv4Hosts) ++ (map ptr6Data ipv6Hosts);
+
+            private-address = [
+              "127.0.0.0/8"
+              "10.0.0.0/8"
+              "::ffff:a00:0/104"
+              "172.16.0.0/12"
+              "::ffff:ac10:0/108"
+              "169.254.0.0/16"
+              "::ffff:a9fe:0/112"
+              "192.168.0.0/16"
+              "::ffff:c0a8:0/112"
+              "fd00::/8"
+              "fe80::/10"
+            ];
+          }
+          (mkIf (cfg.mode == "server") {
+            interface-automatic = "yes";
+            interface = [ "0.0.0.0" "::0" ];
+            access-control = [
+              "127.0.0.1/32 allow_snoop"
+              "::1 allow_snoop"
+              "10.42.0.0/16 allow"
+              "127.0.0.0/8 allow"
+              "192.168.0.0/23 allow"
+              "192.168.2.0/24 allow"
+              "::1/128 allow"
+            ];
+          })
+          (mkIf (cfg.mode == "laptop") {
+            interface = [ "127.0.0.1" "::1" ];
+            access-control = [ "127.0.0.1/32 allow_snoop" "::1 allow_snoop" ];
+          })
+        ];
+      };
+    };
+  };
+}

common/modules/flood.nix

@@ -0,0 +1,153 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let cfg = config.services.v.flood;
+in {
+  options.services.v.flood = {
+    enable = mkEnableOption "flood";
+
+    user = mkOption {
+      default = "flood";
+      type = types.str;
+      description = ''
+        User account under which flood runs.
+      '';
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "rtorrent";
+      description = ''
+        Group under which flood runs.
+        Flood needs to have the correct permissions if accessing rtorrent through the socket.
+      '';
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.flood;
+      defaultText = "pkgs.flood";
+      description = ''
+        The flood package to use.
+      '';
+    };
+
+    host = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = ''
+        Address flood binds to.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 3000;
+      description = ''
+        The flood web port.
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open the firewall for the port in <option>services.flood.port</option>.
+      '';
+    };
+
+    rpcSocket = mkOption {
+      type = types.str;
+      readOnly = true;
+      default = "/run/rtorrent/rpc.sock";
+      description = ''
+        RPC socket path.
+        (Only used when auth=none).
+      '';
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/flood";
+      description = ''
+        The directory where flood stores its data files.
+      '';
+    };
+
+    downloadDir = mkOption {
+      type = types.str;
+      default = "/var/lib/rtorrent/download";
+      description = ''
+        Root directory for downloaded files.
+      '';
+    };
+
+    authMode = mkOption {
+      type = types.str;
+      default = "none";
+      description = ''
+        Access control and user management method.
+        Either 'default' or 'none'.
+      '';
+    };
+
+    ssl = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable SSL.
+        key.pem and fullchain.pem needed in runtime directory.
+      '';
+    };
+
+    baseURI = mkOption {
+      type = types.str;
+      default = "/";
+      description = ''
+        This URI will prefix all of Flood's HTTP requests
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Create group if set to default
+    users.groups = mkIf (cfg.group == "rtorrent") { rtorrent = { }; };
+
+    # Create user if set to default
+    users.users = mkIf (cfg.user == "flood") {
+      flood = {
+        inherit (cfg) group;
+        shell = pkgs.bashInteractive;
+        home = cfg.dataDir;
+        description = "flood Daemon user";
+        isSystemUser = true;
+      };
+    };
+
+    # Open firewall if option is set to do so.
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+
+    # The actual service
+    systemd.services.flood = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "flood system service";
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Type = "simple";
+        Restart = "on-failure";
+        WorkingDirectory = cfg.dataDir;
+        ExecStart =
+          "${cfg.package}/bin/flood --baseuri ${cfg.baseURI} --rundir ${cfg.dataDir} --host ${cfg.host} --port ${
+            toString cfg.port
+          } ${
+            if cfg.ssl then "--ssl" else ""
+          } --auth ${cfg.authMode} --rtsocket ${cfg.rpcSocket} --allowedpath ${cfg.downloadDir}";
+      };
+    };
+
+    # This is needed to create the dataDir with the correct permissions.
+    systemd.tmpfiles.rules =
+      [ "d '${cfg.dataDir}' 0755 ${cfg.user} ${cfg.group} -" ];
+  };
+}

common/modules/gnome/default.nix

@@ -0,0 +1,103 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.services.v.gnome;
+in
+{
+  options.services.v.gnome = {
+    enable = mkEnableOption "v.gnome";
+    hm = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to enable home manager integration to set default dconf values
+      '';
+    };
+
+    auto-unlock-keyring = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to automatically unlock the keyring upon login.
+        This is mostly useful if you are logging in using a fingerprint
+        or FIDO device and the keyring does not automatically get unlocked.
+        Make sure you have enrolled you password into the keyring unlocker.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services = {
+      xserver = {
+        enable = true;
+        excludePackages = [ pkgs.xterm ];
+        # Configure keymap in X11
+        xkb = {
+          layout = "us";
+          variant = "altgr-intl";
+        };
+
+        # Enable the GNOME Desktop Environment.
+        displayManager.gdm.enable = lib.mkDefault true;
+        desktopManager.gnome.enable = true;
+      };
+      udev.packages = with pkgs; [ gnome-settings-daemon ];
+      dbus.enable = true;
+      udisks2.enable = true;
+    };
+
+    services.gnome-autounlock-keyring.enable = cfg.auto-unlock-keyring;
+
+    # Add Home-manager dconf stuff
+    home-manager.sharedModules = mkIf cfg.hm [ ./hm.nix ];
+
+    environment.gnome.excludePackages = (
+      with pkgs;
+      [
+        gnome-photos
+        gnome-tour
+        gnome-connections
+        gnome-calendar
+        epiphany # web browser
+        geary # email reader
+        simple-scan # document scanner
+        totem # video player
+        gnome-terminal
+        gnome-contacts
+        atomix # puzzle game
+        gnome-maps
+        gedit # text editor
+        gnome-music
+        gnome-clocks
+        iagno # go game
+        tali # poker game
+        hitori # sudoku game
+        gnome-notes
+        gnome-weather
+        gnome-software
+      ]
+    );
+
+    services.gnome.evolution-data-server.enable = lib.mkForce false;
+    services.gnome.gnome-online-accounts.enable = false;
+    services.gnome.gnome-remote-desktop.enable = false;
+    services.gnome.gnome-user-share.enable = false;
+    services.gnome.rygel.enable = false;
+    services.gnome.tinysparql.enable = false;
+    services.gnome.localsearch.enable = false;
+
+    # Services required for gnome
+    programs.dconf.enable = true;
+
+    # Extra gnome packages
+    environment.systemPackages = with pkgs; [
+      gnome-tweaks
+      gnome-boxes
+    ];
+  };
+}

common/modules/gnome/hm.nix

@@ -0,0 +1,166 @@
+{ lib, pkgs, ... }:
+
+with lib.hm.gvariant;
+let
+  inherit (builtins) attrNames map;
+  inherit (lib.attrsets) mapAttrs' nameValuePair;
+  generate_custom_keybindings =
+    binds:
+    {
+      "org/gnome/settings-daemon/plugins/media-keys" = {
+        custom-keybindings = map (
+          name: "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/${name}/"
+        ) (attrNames binds);
+      };
+    }
+    // mapAttrs' (
+      name: nameValuePair "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/${name}"
+    ) binds;
+in
+{
+  xdg.mimeApps.enable = true;
+  xdg.mimeApps.defaultApplications = {
+    "text/plain" = "org.gnome.TextEditor.desktop";
+    "application/pdf" = "org.gnome.Evince.desktop";
+
+    # Firefox
+    "text/html" = "firefox.desktop";
+    "x-scheme-handler/http" = "firefox.desktop";
+    "x-scheme-handler/https" = "firefox.desktop";
+    "x-scheme-handler/chrome" = "firefox.desktop";
+    "application/x-extension-htm" = "firefox.desktop";
+    "application/x-extension-shtml" = "firefox.desktop";
+    "application/xhtml+xml" = "firefox.desktop";
+    "application/x-extension-xhtml" = "firefox.desktop";
+    "application/x-extension-xht" = "firefox.desktop";
+    "application/x-extension-html" = "firefox.desktop";
+
+    # Images
+    "image/bmp" = "org.gnome.Loupe.desktop";
+    "image/gif" = "org.gnome.Loupe.desktop";
+    "image/jpg" = "org.gnome.Loupe.desktop";
+    "image/pjpeg" = "org.gnome.Loupe.desktop";
+    "image/png" = "org.gnome.Loupe.desktop";
+    "image/tiff" = "org.gnome.Loupe.desktop";
+    "image/webp" = "org.gnome.Loupe.desktop";
+    "image/x-bmp" = "org.gnome.Loupe.desktop";
+    "image/x-gray" = "org.gnome.Loupe.desktop";
+    "image/x-icb" = "org.gnome.Loupe.desktop";
+    "image/x-ico" = "org.gnome.Loupe.desktop";
+    "image/x-png" = "org.gnome.Loupe.desktop";
+    "image/x-portable-anymap" = "org.gnome.Loupe.desktop";
+    "image/x-portable-bitmap" = "org.gnome.Loupe.desktop";
+    "image/x-portable-graymap" = "org.gnome.Loupe.desktop";
+    "image/x-portable-pixmap" = "org.gnome.Loupe.desktop";
+    "image/x-xbitmap" = "org.gnome.Loupe.desktop";
+    "image/x-xpixmap" = "org.gnome.Loupe.desktop";
+    "image/x-pcx" = "org.gnome.Loupe.desktop";
+    "image/svg+xml" = "org.gnome.Loupe.desktop";
+    "image/svg+xml-compressed" = "org.gnome.Loupe.desktop";
+    "image/vnd.wap.wbmp" = "org.gnome.Loupe.desktop";
+    "image/x-icns" = "org.gnome.Loupe.desktop";
+  };
+
+  dconf.settings =
+    {
+
+      "org/gnome/shell" = {
+        disable-user-extensions = false;
+        enabled-extensions = with pkgs.gnomeExtensions; [
+          auto-move-windows.extensionUuid
+        ];
+      };
+
+      # "org/gnome/shell/extensions/auto-move-windows" = {
+      #   application-list = [
+      #     "element-desktop.desktop:1"
+      #     "discord.desktop:1"
+      #     "firefox.desktop:2"
+      #     "obsidian.desktop:3"
+      #   ];
+      # };
+
+      "org/gnome/desktop/input-sources" = {
+        sources = [
+          (mkTuple [
+            "xkb"
+            "us+altgr-intl"
+          ])
+        ];
+        xkb-options = [ "terminate:ctrl_alt_bksp" ];
+      };
+
+      "org/gnome/desktop/peripherals/touchpad" = {
+        tap-to-click = true;
+        two-finger-scrolling-enabled = true;
+      };
+
+      "org/gnome/mutter" = {
+        attach-modal-dialogs = true;
+        dynamic-workspaces = false;
+        edge-tiling = true;
+        focus-change-on-pointer-rest = true;
+        workspaces-only-on-primary = true;
+      };
+
+      "org/gnome/mutter/keybindings" = {
+        toggle-tiled-left = [ "<Super>bracketleft" ];
+        toggle-tiled-right = [ "<Super>bracketright" ];
+      };
+
+      "org/gnome/shell/keybindings" = {
+        toggle-overview = [ "<Super>d" ];
+      };
+
+      "org/gnome/desktop/interface" = {
+        color-scheme = "prefer-dark";
+      };
+
+      "org/gnome/desktop/wm/preferences" = {
+        auto-raise = false;
+        num-workspaces = 6;
+        focus-mode = "sloppy";
+      };
+
+      "org/gnome/desktop/wm/keybindings" = {
+        raise-or-lower = [ "<Super>s" ];
+        switch-applications = [ "<Super>Tab" ];
+        switch-applications-backward = [ "<Super>Tab" ];
+        move-to-workspace-1 = [ "<Shift><Super>1" ];
+        move-to-workspace-2 = [ "<Shift><Super>2" ];
+        move-to-workspace-3 = [ "<Shift><Super>3" ];
+        move-to-workspace-4 = [ "<Shift><Super>4" ];
+        move-to-workspace-5 = [ "<Shift><Super>5" ];
+        move-to-workspace-6 = [ "<Shift><Super>6" ];
+        switch-to-workspace-1 = [ "<Super>1" ];
+        switch-to-workspace-2 = [ "<Super>2" ];
+        switch-to-workspace-3 = [ "<Super>3" ];
+        switch-to-workspace-4 = [ "<Super>4" ];
+        switch-to-workspace-5 = [ "<Super>5" ];
+        switch-to-workspace-6 = [ "<Super>6" ];
+        toggle-fullscreen = [ "<Super><Shift>M" ];
+        toggle-maximized = [ "<Super>m" ];
+        close = [ "<Super>Q" ];
+      };
+
+      "org/gnome/tweaks" = {
+        show-extensions-notice = false;
+      };
+
+      "org/gnome/boxes" = {
+        first-run = false;
+      };
+    }
+    // generate_custom_keybindings {
+      "terminal" = {
+        binding = "<Super>Return";
+        command = "${pkgs.kitty}/bin/kitty";
+        name = "Open Terminal";
+      };
+      "firefox" = {
+        binding = "<Super>f";
+        command = "firefox";
+        name = "Open Firefox";
+      };
+    };
+}

common/modules/meta.nix

@@ -0,0 +1,89 @@
+{ lib, config, ... }:
+with lib;
+let
+  exposesOpts = {
+    options = {
+      domain = mkOption {
+        type = types.str;
+        example = "<name>.example.com";
+        description = lib.mdDoc ''
+          The domain under which this service should be available
+        '';
+      };
+      port = mkOption {
+        type = types.int;
+        default = 80;
+        example = 4242;
+        description = lib.mdDoc ''
+          The port under which the service runs on the host
+        '';
+      };
+    };
+  };
+in {
+  options.meta = {
+    exposes = mkOption {
+      type = with types; attrsOf (submodule exposesOpts);
+      default = { };
+      description = ''
+        Exposed services
+      '';
+    };
+
+    ipv4 = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = lib.mdDoc ''
+        Host's IPv4 Address
+      '';
+    };
+
+    ipv6 = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = lib.mdDoc ''
+        Host's IPv6 address
+      '';
+    };
+
+    mac = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = lib.mdDoc ''
+        Own MAC Address
+      '';
+    };
+
+    isLaptop = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Is this host a Laptop (i.e. no DNS entries should be made).
+      '';
+    };
+
+    realm = mkOption {
+      readOnly = true;
+      type = types.nullOr (types.enum [ "thalassa" "hades" "olympus" ]);
+      default = config.networking.domain;
+      defaultText = literalExpression "config.network.domain";
+    };
+  };
+
+  config = {
+    # TODO: Open Firewall
+
+    assertions = [
+      # {
+      #   assertion = config.meta.mac != null;
+      #   message =
+      #     "${config.networking.fqdnOrHostName} is missing a mac address";
+      # }
+      # {
+      #   assertion = !config.meta.isLaptop -> config.meta.ipv4 != null;
+      #   message =
+      #     "${config.networking.fqdnOrHostName} needs ipv4 address set as it is not a laptop";
+      # }
+    ];
+  };
+}

common/modules/nginx.nix

@@ -0,0 +1,32 @@
+{ lib, hosts, config, ... }:
+with lib;
+let cfg = config.services.v.nginx;
+in {
+  options.services.v.nginx.autoExpose =
+    mkEnableOption "generate vhosts";
+
+  config =
+    let
+
+      proxy = url: {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = url;
+          proxyWebsockets = true;
+        };
+      };
+
+      hosts' =
+        filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
+      exposes = { ip, exposes, ... }:
+        map ({ domain, port ? 80 }: { inherit ip domain port; }) (attrValues exposes);
+      mkVhost = { ip, domain, port }: {
+        "${domain}" = proxy "http://${ip}:${toString port}";
+      };
+      vhosts = foldr (el: acc: acc // mkVhost el) { } (concatMap exposes hosts');
+    in
+    mkIf cfg.autoExpose {
+      services.nginx.virtualHosts = vhosts;
+    };
+}

common/modules/unpackerr.nix

@@ -0,0 +1,328 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.services.unpackerr;
+  mkStarrOptions = { name, url }: {
+    url = mkOption {
+      type = types.str;
+      default = "";
+      example = "${url}";
+      description = ''
+        The URL to access ${name}
+      '';
+    };
+    apiKey = mkOption {
+      type = types.str;
+      default = "";
+      description = ''
+        The API key for accessing ${name}
+      '';
+    };
+    paths = mkOption {
+      type = types.str;
+      default = "";
+      example = "/downloads,/moreDownloads";
+      description = ''
+        List of paths where content is downloaded for ${name}
+      '';
+    };
+    protocols = mkOption {
+      type = types.str;
+      default = "torrent";
+      example = "torrent,usenet";
+      description = ''
+        Protocols to process
+      '';
+    };
+    timeout = mkOption {
+      type = types.str;
+      default = "10s";
+      description = ''
+        How long to wait for ${name} to respond
+      '';
+    };
+    deleteOrginal = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Delete archives after import?
+        Recommend not setting this to true
+      '';
+    };
+    deleteDelay = mkOption {
+      type = types.str;
+      default = "5m";
+      description = ''
+        Extracts are deleted this long after import. `-1` to disable.
+      '';
+    };
+  };
+in
+{
+  options.services.unpackerr = {
+    enable = mkEnableOption "unpackerr";
+
+    user = mkOption {
+      default = "unpackerr";
+      type = types.str;
+      description = ''
+        User account under which unpackerr runs.
+      '';
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "unpackerr";
+      description = ''
+        Group under which unpackerr runs.
+      '';
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.unpackerr;
+      defaultText = "pkgs.unpackerr";
+      description = ''
+        The unpackerr package to use.
+      '';
+    };
+
+    debug = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Turns on more logs.
+      '';
+    };
+
+    interval = mkOption {
+      type = types.str;
+      default = "2m";
+      description = ''
+        How often apps are polled, recommended 1m to 5m
+      '';
+    };
+
+    startDelay = mkOption {
+      type = types.str;
+      default = "1m";
+      description = ''
+        Files are queued at least this long before extraction
+      '';
+    };
+
+    retryDelay = mkOption {
+      type = types.str;
+      default = "5m";
+      description = ''
+        Failed extractions are retried after at least this long
+      '';
+    };
+
+    maxRetries = mkOption {
+      type = types.int;
+      default = 3;
+      description = ''
+        Times to retry failed extractions. `0` = unlimited.
+      '';
+    };
+
+    parallel = mkOption {
+      type = types.int;
+      default = 1;
+      description = ''
+        Concurrent extractions, 1 is recommended.
+      '';
+    };
+
+    fileMode = mkOption {
+      type = types.str;
+      default = "0644";
+      description = ''
+        Extracted files are written with this mode
+      '';
+    };
+
+    dirMode = mkOption {
+      type = types.str;
+      default = "0755";
+      description = ''
+        Extracted folders are written with this mode
+      '';
+    };
+
+    sonarr = mkStarrOptions {
+      name = "Sonarr";
+      url = "http://localhost:8989";
+    };
+
+    radarr = mkStarrOptions {
+      name = "Radarr";
+      url = "http://localhost:7878";
+    };
+
+    lidarr = mkStarrOptions {
+      name = "Lidarr";
+      url = "http://localhost:8686";
+    };
+
+    readarr = mkStarrOptions {
+      name = "Readarr";
+      url = "http://localhost:8787";
+    };
+
+    folder = {
+      path = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          folder path, not for Starr apps.
+        '';
+      };
+      extractPath = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          Where to extract to, Defaults to <option>services.unpackerr.folder.path</option>.
+        '';
+      };
+      deleteAfter = mkOption {
+        type = types.str;
+        default = "";
+        example = "10m";
+        description = ''
+          Delete extracted files and/or archives after this duration, `0` to disable.
+        '';
+      };
+      deleteOrginal = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Delete archives after extraction
+        '';
+      };
+      deleteFiles = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Delete extracted files after successful extraction
+        '';
+      };
+      moveBack = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Move extracted items back into original folder
+        '';
+      };
+    };
+
+    extraConfig = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        Extra environment variables
+      '';
+      example = { UN_WEBHOOK_0_URL = "http://example.com"; };
+    };
+
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = lib.mdDoc ''
+        Environment file (see `systemd.exec(5)`
+        "EnvironmentFile=" section for the syntax) to define variables for unpackerr.
+        This option can be used to safely include secret keys into the unpackerr configuration.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Create group if set to default
+    users.groups = mkIf (cfg.group == "unpackerr") { unpackerr = { }; };
+
+    # Create user if set to default
+    users.users = mkIf (cfg.user == "unpackerr") {
+      unpackerr = {
+        inherit (cfg) group;
+        shell = pkgs.bashInteractive;
+        createHome = false;
+        description = "unpackerr Daemon user";
+        isSystemUser = true;
+      };
+    };
+
+    # The actual service
+    systemd.services.unpackerr = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "unpackerr system service";
+      # Filter out all unset variables else unpackerr complains
+      environment = filterAttrs (_n: v: stringLength v > 0)
+        {
+          # General options
+          UN_DEBUG = "${toString cfg.debug}";
+          UN_INTERVAL = "${cfg.interval}";
+          UN_START_DELAY = "${cfg.startDelay}";
+          UN_RETRY_DELAY = "${cfg.retryDelay}";
+          UN_MAX_RETRIES = "${toString cfg.maxRetries}";
+          UN_PARALLEL = "${toString cfg.parallel}";
+          UN_FILE_MODE = "${cfg.fileMode}";
+          UN_DIR_MODE = "${cfg.dirMode}";
+
+          # Sonarr
+          UN_SONARR_0_URL = "${cfg.sonarr.url}";
+          UN_SONARR_0_API_KEY = "${cfg.sonarr.apiKey}";
+          UN_SONARR_0_PATHS_0 = "${cfg.sonarr.paths}";
+          UN_SONARR_0_PROTOCOLS = "${cfg.sonarr.protocols}";
+          UN_SONARR_0_TIMEOUT = "${cfg.sonarr.timeout}";
+          UN_SONARR_0_DELETE_ORIG = "${toString cfg.sonarr.deleteOrginal}";
+          UN_SONARR_0_DELETE_DELAY = "${cfg.sonarr.deleteDelay}";
+
+          # Radarr
+          UN_RADARR_0_URL = "${cfg.radarr.url}";
+          UN_RADARR_0_API_KEY = "${cfg.radarr.apiKey}";
+          UN_RADARR_0_PATHS_0 = "${cfg.radarr.paths}";
+          UN_RADARR_0_PROTOCOLS = "${cfg.radarr.protocols}";
+          UN_RADARR_0_TIMEOUT = "${cfg.radarr.timeout}";
+          UN_RADARR_0_DELETE_ORIG = "${toString cfg.radarr.deleteOrginal}";
+          UN_RADARR_0_DELETE_DELAY = "${cfg.radarr.deleteDelay}";
+
+          # Lidarr
+          UN_LIDARR_0_URL = "${cfg.lidarr.url}";
+          UN_LIDARR_0_API_KEY = "${cfg.lidarr.apiKey}";
+          UN_LIDARR_0_PATHS_0 = "${cfg.lidarr.paths}";
+          UN_LIDARR_0_PROTOCOLS = "${cfg.lidarr.protocols}";
+          UN_LIDARR_0_TIMEOUT = "${cfg.lidarr.timeout}";
+          UN_LIDARR_0_DELETE_ORIG = "${toString cfg.lidarr.deleteOrginal}";
+          UN_LIDARR_0_DELETE_DELAY = "${cfg.lidarr.deleteDelay}";
+
+          # Readarr
+          UN_READARR_0_URL = "${cfg.readarr.url}";
+          UN_READARR_0_API_KEY = "${cfg.readarr.apiKey}";
+          UN_READARR_0_PATHS_0 = "${cfg.readarr.paths}";
+          UN_READARR_0_PROTOCOLS = "${cfg.readarr.protocols}";
+          UN_READARR_0_TIMEOUT = "${cfg.readarr.timeout}";
+          UN_READARR_0_DELETE_ORIG = "${toString cfg.readarr.deleteOrginal}";
+          UN_READARR_0_DELETE_DELAY = "${cfg.readarr.deleteDelay}";
+
+          # Folder
+          UN_FOLDER_0_PATH = "${cfg.folder.path}";
+          UN_FOLDER_0_EXTRACT_PATH = "${cfg.folder.extractPath}";
+          UN_FOLDER_0_DELETE_AFTER = "${cfg.folder.deleteAfter}";
+          UN_FOLDER_0_DELETE_ORIGINAL = "${toString cfg.folder.deleteOrginal}";
+          UN_FOLDER_0_DELETE_FILES = "${toString cfg.folder.deleteFiles}";
+          UN_FOLDER_0_MOVE_BACK = "${toString cfg.folder.moveBack}";
+        } // cfg.extraConfig;
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Type = "simple";
+        Restart = "on-failure";
+        ExecStart = "${cfg.package}/bin/unpackerr";
+      } // optionalAttrs (cfg.environmentFile != null) {
+        EnvironmentFile = cfg.environmentFile;
+      };
+    };
+  };
+}

common/modules/vault.nix

@@ -0,0 +1,125 @@
+{ config, pkgs, lib, flat_hosts, inputs, ... }:
+with lib;
+let
+  cfg = config.services.v.vault;
+  hostIP = config.meta.ipv4;
+
+  # Find all vault hosts that do not have the same IP as the current host
+  vault_hosts =
+    filter ({ tags ? [ ], ip ? "", ... }: (elem "vault" tags) && (ip != hostIP))
+      flat_hosts;
+  cluster_config = concatStrings (map
+    ({ ip, ... }: ''
+      retry_join {
+        leader_api_addr = "http://${ip}:${toString cfg.port}"
+      }
+    '')
+    vault_hosts);
+in
+{
+  options.services.v.vault = {
+    enable = mkEnableOption "v's vault";
+
+    node_id = mkOption {
+      type = types.str;
+      description = lib.mdDoc ''
+        The cluster node id of this node
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to open port `port` and `clusterPort` in the firewall for vault
+      '';
+    };
+
+    port = mkOption {
+      type = types.int;
+      default = 8200;
+      description = lib.mdDoc ''
+        The port vault listens on
+        **note:** this has to be the same for all nodes in a cluster
+      '';
+    };
+
+    clusterPort = mkOption {
+      type = types.int;
+      default = 8201;
+      description = lib.mdDoc ''
+        The cluster port vault listens on
+        **note:** this has to be the same for all nodes in a cluster
+      '';
+    };
+
+    autoUnseal = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to auto-unseal this vault
+      '';
+    };
+
+    autoUnsealKeysFile = mkOption {
+      type = types.str;
+      default = null;
+      example = "/var/lib/vault-unseal/keys.json";
+      description = lib.mdDoc ''
+        auto unseal keys to use, has to be a json file with the following structure
+        ```json
+        {
+          keys = [ key_1, ..., key_n ]
+        }
+        ```
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [{
+      assertion = cfg.autoUnseal -> (cfg.autoUnsealKeysFile != null);
+      message = "If autoUnseal is enabled, a token path is required!";
+    }];
+
+    networking.firewall.allowedTCPPorts =
+      mkIf cfg.openFirewall [ cfg.port cfg.clusterPort ];
+
+    services.vault = {
+      enable = true;
+      # bin version includes the UI
+      package = pkgs.vault-bin;
+      address = "0.0.0.0:${toString cfg.port}";
+      storageBackend = "raft";
+      storagePath = "/var/lib/vault-raft";
+      storageConfig = ''
+        node_id = "${cfg.node_id}"
+      '' + cluster_config;
+      extraConfig = ''
+        ui = true
+        disable_mlock = true
+        api_addr = "http://${hostIP}:${toString cfg.port}"
+        cluster_addr = "http://${hostIP}:${toString cfg.clusterPort}"
+      '';
+    };
+
+    systemd.services.vault-unseal = mkIf cfg.autoUnseal {
+      description = "Vault unseal service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "vault.service" ];
+      environment = {
+        VAULT_ADDR = "http://localhost:${toString cfg.port}";
+        VAULT_KEY_FILE = cfg.autoUnsealKeysFile;
+      };
+      serviceConfig = {
+        User = "vault";
+        Group = "vault";
+        Type = "simple";
+        Restart = "on-failure";
+        ExecStart = "${
+            inputs.vault-unseal.packages.${pkgs.system}.default
+          }/bin/vault-unseal";
+      };
+    };
+  };
+}

common/users/default.nix

@@ -0,0 +1,85 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ./laura.nix
+    ./vivian.nix
+    ./jonathan.nix
+  ];
+  programs = {
+
+    # Setup ZSH to use grml config
+    zsh = {
+      enable = true;
+      enableCompletion = true;
+      syntaxHighlighting.enable = true;
+      autosuggestions.enable = true;
+      interactiveShellInit = ''
+        source "${pkgs.grml-zsh-config}/etc/zsh/zshrc"
+        export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow"
+        export FZF_CTRL_T_COMMAND="$FZF_DEFAULT_COMMAND"
+        export FZF_CTRL_R_COMMAND="$FZF_DEFAULT_COMMAND"
+        eval "$(${pkgs.zoxide}/bin/zoxide init zsh)"
+        eval "$(${pkgs.fzf}/bin/fzf --zsh)"
+
+        export TEMPDIRS="$HOME/tmp"
+      '';
+      # otherwise it'll override the grml prompt
+      promptInit = lib.mkDefault "";
+    };
+
+    # Install Neovim and set it as alias for vi(m)
+    neovim = {
+      enable = true;
+      viAlias = true;
+      vimAlias = true;
+      defaultEditor = true;
+    };
+  };
+
+  environment.pathsToLink = [ "/share/zsh" ];
+
+  # Disable sudo prompt for `wheel` users.
+  security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+  # Configure the root account
+  users.extraUsers.root = {
+    # Allow my SSH keys for logging in as root.
+    openssh.authorizedKeys.keys = config.users.extraUsers.vivian.openssh.authorizedKeys.keys;
+    # Also use zsh for root
+    shell = pkgs.zsh;
+  };
+
+  # Setup packages available everywhere
+  environment.systemPackages = with pkgs; [
+    file
+    fzf
+    git
+    htop
+    ncdu
+    psmisc
+    helix
+    ripgrep
+    rsync
+    zoxide
+
+    # Terminfo
+    kitty.terminfo
+  ];
+
+  programs.tmux = {
+    enable = true;
+    withUtempter = true;
+    terminal = "tmux-256color";
+    secureSocket = false;
+    extraConfig = ''
+      set -g mouse on
+      setw -g mouse on
+    '';
+  };
+}

common/users/jonathan.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+  users.extraUsers.jonathan = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jonathan@kili"
+    ];
+
+    extraGroups = [ ];
+  };
+}
+

common/users/laura.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+  users.extraUsers.laura = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBIlFUUXbwOkhNUjoA6zueTdRuaylgpgFqSe/xWGK9zb laura@zmeura"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBVkk9/80askWhInQk03JMntF6SThAYkFZNm+lIGt4E7 laura@mura"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxoq/J/0ad3AOK/CxPvsIGQjRUzURSuNAtmNOqUmKcr laura@cherry"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMKbP2/vNTybDoEwdFaQvAI1zCVpdTBN25avfeCV0jP laura@bosbes"
+    ];
+
+    extraGroups = [ ];
+  };
+}

common/users/vivian.nix

@@ -0,0 +1,45 @@
+{ pkgs, ... }: {
+  # The block that specifies my user account.
+  users.extraUsers.vivian = {
+    # This account is intended for a non-system user.
+    isNormalUser = true;
+
+    # My default shell
+    shell = pkgs.zsh;
+
+    # My SSH keys.
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBhJAp7NWlHgwDYd2z6VNROy5RkeZHRINFLsFvwT4b3 vivian@bastion"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMMbdjysLnmwJD5Fs/SjBPstdIQNUxy8zFHP0GlhHMJB vivian@bastion"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfooZjMWXvXZu1ReOEACDZ0TMb2WJRBSOLlWE8y6fUh vivian@aoife"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIM3TqXaApX2JZsgfZd7PKVFMecDgqTHKibpSzgdXNpYAAAAABHNzaDo= solov2-le"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+HbsgJTQS6pvnMEI5NPKjIf78z+9A7CTIt3abi+PS6 vivian@eevee"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMypFe7cSMgvEI1sdxRtdC+AalXa0ryB/zkO9KmQGOxK vivian@nothing2"
+    ];
+
+    # Make me admin
+    extraGroups =
+      [ "systemd-journal" "wheel" "networkmanager" "libvirtd" "dialout" ];
+  };
+
+  home-manager.users.vivian = {
+    programs = {
+      home-manager.enable = true;
+
+      v.git.enable = true;
+
+      tmux = {
+        enable = true;
+        shortcut = "b";
+        clock24 = true;
+      };
+
+      bat.enable = true;
+    };
+    home = {
+      username = "vivian";
+      homeDirectory = "/home/vivian";
+      stateVersion = "23.05";
+    };
+  };
+}

flake.nix

@@ -0,0 +1,198 @@
+{
+  description = "0x76's infrastructure";
+
+  # For minecraft use:
+  # * https://github.com/Infinidoge/nix-minecraft
+
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+    flake-utils-plus.url = "github:gytis-ivaskevicius/flake-utils-plus";
+    nur.url = "github:nix-community/NUR";
+    colmena.url = "github:zhaofengli/colmena";
+    deploy.url = "github:serokell/deploy-rs";
+    vault-secrets.url = "github:serokell/vault-secrets";
+
+    microvm.url = "github:astro/microvm.nix";
+
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    mailserver.url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git";
+    mailserver.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixvim.url = "github:pta2002/nixvim";
+
+    nixos-generators.url = "github:nix-community/nixos-generators";
+    nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixos-hardware.url = "github:nixos/nixos-hardware";
+
+    lanzaboote.url = "github:nix-community/lanzaboote";
+    lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
+
+    vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git";
+    vault-unseal.inputs.nixpkgs.follows = "nixpkgs";
+
+    gnome-autounlock-keyring.url = "git+https://git.0x76.dev/v/gnome-autounlock-keyring.git";
+
+    t.url = "github:jdonszelmann/t-rs";
+    t.inputs.nixpkgs.follows = "nixpkgs";
+
+    attic.url = "github:zhaofengli/attic";
+    attic.inputs.nixpkgs.follows = "nixpkgs";
+
+    catppuccin.url = "github:catppuccin/nix";
+
+    essentials.url = "github:jdonszelmann/essentials";
+    essentials.inputs.nixpkgs.follows = "nixpkgs";
+
+    autostart.url = "github:Zocker1999NET/home-manager-xdg-autostart";
+
+    hyprland-qtutils.url = "github:hyprwm/hyprland-qtutils";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      flake-utils-plus,
+      nur,
+      attic,
+      deploy,
+      home-manager,
+      gnome-autounlock-keyring,
+      lanzaboote,
+      t,
+      catppuccin,
+      ...
+    }@inputs:
+    let
+      pkgs = self.pkgs.x86_64-linux.nixpkgs;
+      apply-local = pkgs.writeShellScriptBin "apply-local" ''
+        nh os switch --ask
+      '';
+    in
+    flake-utils-plus.lib.mkFlake {
+      # `self` and `inputs` arguments are required
+      inherit self inputs;
+
+      # Supported systems, used for packages, apps, devShell and multiple other definitions. Defaults to `flake-utils.lib.defaultSystems`.
+      supportedSystems = [ "x86_64-linux" ];
+
+      # Channels config
+      channelsConfig = {
+        allowUnfree = true;
+        permittedInsecurePackages = [ "electron" ];
+      };
+      sharedOverlays = [
+        (import ./pkgs)
+        nur.overlays.default
+      ];
+
+      # host defaults
+      hostDefaults = {
+        system = "x86_64-linux";
+        modules = [
+          home-manager.nixosModules.home-manager
+          gnome-autounlock-keyring.nixosModules.default
+          catppuccin.nixosModules.catppuccin
+          ./common
+        ];
+
+        specialArgs = {
+          inherit self inputs home-manager;
+        };
+      };
+
+      # hosts
+      hosts = {
+        "olympus.bastion" = {
+          modules = [
+            ./common/generic-vm.nix
+            ./hosts/olympus/bastion
+          ];
+        };
+
+        aoife = {
+          modules = [
+            lanzaboote.nixosModules.lanzaboote
+            ./common/desktop
+            ./hosts/thalassa/aoife
+          ];
+        };
+
+        eevee = {
+          modules = [
+            ./common/desktop
+            ./hosts/olympus/eevee
+          ];
+        };
+      };
+
+      # deploy-rs
+      deploy = {
+        user = "root";
+        nodes = {
+          "bastion-olympus" = {
+            hostname = "bastion.olympus";
+            fastConnection = true;
+            remoteBuild = true;
+            profiles = {
+              system = {
+                path = deploy.lib.x86_64-linux.activate.nixos self.nixosConfigurations."olympus.bastion";
+              };
+            };
+          };
+
+          aoife = {
+            remoteBuild = true;
+            fastConnection = true;
+            hostname = "aoife";
+            profiles.system.path = deploy.lib.x86_64-linux.activate.nixos self.nixosConfigurations.aoife;
+          };
+
+          eevee = {
+            fastConnection = true;
+            hostname = "eevee.olympus";
+            profiles.system.path = deploy.lib.x86_64-linux.activate.nixos self.nixosConfigurations.eevee;
+          };
+        };
+      };
+
+      # Outputs
+      outputsBuilder = channels: {
+        devShells.default = channels.nixpkgs.mkShell {
+          name = "devShell";
+          VAULT_ADDR = "http://vault.olympus:8200/";
+          NH_FLAKE = "/home/vivian/src/infrastructure-new";
+          packages = with pkgs; [
+            # attic.packages.${system}.attic
+            apply-local
+            deploy.packages.${system}.deploy-rs
+            deadnix
+            statix
+            # vault
+            yamllint
+            jq
+            fup-repl
+            nh
+            nixfmt-rfc-style
+          ];
+        };
+      };
+
+      # Checks
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy.lib // {
+        x86_64-linux.mac = pkgs.stdenvNoCC.mkDerivation {
+          name = "mac check";
+          src = self;
+          dontBuild = true;
+          doCheck = true;
+          checkPhase = ''
+            echo "Hello World"
+          '';
+          installPhase = "mkdir $out";
+        };
+      };
+    };
+}

hosts/olympus/bastion/containers/common.nix

@@ -0,0 +1,12 @@
+# common container config
+{ lib, ... }: {
+  imports = [
+    ../../../../common
+  ];
+  # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+  networking.useHostResolvConf = lib.mkForce false;
+  services.resolved.enable = true;
+
+  system.stateVersion = lib.mkDefault "24.05";
+}
+

hosts/olympus/bastion/containers/default.nix

@@ -0,0 +1,82 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  hostAddress = "10.42.99.1";
+  hostAddress6 = "fc00::1";
+in
+{
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-+" ];
+    externalInterface = "ens18";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    8384
+    22000
+  ];
+  networking.firewall.allowedUDPPorts = [
+    22000
+    21027
+  ];
+
+  # Containers network is
+  # * 10.42.99.0/24
+  # * fc00:x
+
+  users.groups.backup = {
+    gid = 10000;
+    members = [ "vivian" ];
+  };
+
+  containers = {
+    syncthing = {
+      autoStart = true;
+      inherit hostAddress hostAddress6;
+      localAddress = "10.42.99.2";
+      localAddress6 = "fc00::2";
+
+      forwardPorts = [
+        {
+          containerPort = 8384;
+          hostPort = 8384;
+          protocol = "tcp";
+        }
+      ];
+
+      bindMounts = {
+        "/data" = {
+          hostPath = "/mnt/backup";
+          isReadOnly = false;
+        };
+      };
+
+      specialArgs = {
+        inherit inputs;
+      };
+
+      config =
+        { pkgs, ... }:
+        {
+          users.groups.backup = {
+            gid = 10000;
+            members = [ "syncthing" ];
+          };
+
+          imports = [
+            ./common.nix
+            ./syncthing.nix
+            inputs.home-manager.nixosModules.home-manager
+            inputs.gnome-autounlock-keyring.nixosModules.default
+            inputs.catppuccin.nixosModules.catppuccin
+          ];
+        };
+    };
+  };
+}

hosts/olympus/bastion/containers/dns.nix

@@ -0,0 +1,7 @@
+{ ... }: {
+   services.v.dns = {
+    enable = true;
+    openFirewall = true;
+    mode = "server";
+  };
+}

hosts/olympus/bastion/containers/syncthing.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    guiAddress = "0.0.0.0:8384";
+  };
+}

hosts/olympus/bastion/default.nix

@@ -0,0 +1,47 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, ... }: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./containers
+    ./immich.nix
+    # ./vms.nix
+  ];
+
+  programs.nix-ld.enable = true;
+
+  meta = {
+    ipv4 = "10.42.42.4";
+    ipv6 = "2001:41f0:9639:1:80f0:7cff:fecb:bd6d";
+    mac = "82:F0:7C:CB:BD:6D";
+  };
+
+  services.scrutiny = {
+    enable = true;
+    openFirewall = true;
+    influxdb.enable = true;
+    collector.enable = false;
+  };
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+
+  virtualisation.docker.enable = true;
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ vault ];
+
+  networking.useNetworkd = true;
+}

hosts/olympus/bastion/hardware-configuration.nix

@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot = {
+
+    initrd.availableKernelModules =
+      [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/e8427097-8545-4924-b033-2659fcf9adca";
+    fsType = "ext4";
+  };
+
+  fileSystems."/mnt/backup" = {
+    device = "/dev/disk/by-uuid/83b1e87f-975f-4150-b673-81087f84f0bb";
+    fsType = "ext4";
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/63d90b92-cdde-4795-a3ab-9566ae88f43d"; }];
+
+}

hosts/olympus/bastion/immich.nix

@@ -0,0 +1,78 @@
+{ config, pkgs, ... }:
+{
+  boot.kernel.sysctl = { "vm.overcommit_memory" = 1; };
+
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.docker.autoPrune.enable = true;
+
+
+  systemd.services.init-filerun-network-and-files = {
+    description = "Create the network bridge for Immich.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig.Type = "oneshot";
+    script =
+      let
+        dockercli = "${config.virtualisation.docker.package}/bin/docker";
+      in
+      ''
+        # immich-net network
+        check=$(${dockercli} network ls | grep "immich-net" || true)
+        if [ -z "$check" ]; then
+          ${dockercli} network create immich-net
+        else
+          echo "immich-net already exists in docker"
+        fi
+      '';
+  };
+
+  virtualisation.oci-containers.containers = {
+    immich = {
+      autoStart = true;
+      image = "ghcr.io/imagegenius/immich:latest";
+      volumes = [
+        "/mnt/backup/immich/config:/config"
+        "/mnt/backup/immich/photos:/photos"
+        "/mnt/backup/replicated/photos:/replicated"
+        "/mnt/backup/immich/config/machine-learning:/config/machine-learning"
+      ];
+      ports = [ "2283:8080" ];
+      environment = {
+        PUID = "1000";
+        PGID = "1000";
+        TZ = "Europe/Amsterdam"; # Change this to your timezone
+        DB_HOSTNAME = "postgres14";
+        DB_USERNAME = "postgres";
+        DB_PASSWORD = "postgres";
+        DB_DATABASE_NAME = "immich";
+        REDIS_HOSTNAME = "redis";
+      };
+      extraOptions = [
+        "--network=immich-net"
+        "--pull=always"
+        # "--gpus=all"
+      ];
+    };
+
+    redis = {
+      autoStart = true;
+      image = "redis";
+      ports = [ "6379:6379" ];
+      extraOptions = [ "--network=immich-net" ];
+    };
+
+    postgres14 = {
+      autoStart = true;
+      image = "tensorchord/pgvecto-rs:pg14-v0.2.0";
+      ports = [ "5432:5432" ];
+      volumes = [ "pgdata:/var/lib/postgresql/data" ];
+      environment = {
+        POSTGRES_USER = "postgres";
+        POSTGRES_PASSWORD = "postgres";
+        POSTGRES_DB = "immich";
+      };
+      extraOptions = [ "--network=immich-net" ];
+    };
+  };
+}

hosts/olympus/bastion/vms.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, inputs, ... }: {
+  imports = [
+    inputs.microvm.nixosModules.host
+  ];
+
+  microvm.vms = {
+    test-vm = {
+      inherit pkgs;
+
+      # (Optional) A set of special arguments to be passed to the MicroVM's NixOS modules.
+      #specialArgs = {};
+
+      # The configuration for the MicroVM.
+      # Multiple definitions will be merged as expected.
+      config = {
+        # It is highly recommended to share the host's nix-store
+        # with the VMs to prevent building huge images.
+        microvm.hypervisor = "crosvm";
+        microvm.shares = [{
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+          tag = "ro-store";
+          proto = "virtiofs";
+        }];
+
+        # Any other configuration for your MicroVM
+        # [...]
+      };
+
+    };
+  };
+}

hosts/olympus/eevee/default.nix

@@ -0,0 +1,53 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, ... }: {
+  imports = [ ./hardware-configuration.nix ./hardware.nix ];
+
+  # Bootloader.
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    initrd = {
+      kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm" ];
+    };
+    loader.systemd-boot.configurationLimit = 5;
+  };
+
+  fileSystems."/".options = [ "compress=zstd" ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_GB.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "nl_NL.UTF-8";
+    LC_IDENTIFICATION = "nl_NL.UTF-8";
+    LC_MEASUREMENT = "nl_NL.UTF-8";
+    LC_MONETARY = "nl_NL.UTF-8";
+    LC_NAME = "nl_NL.UTF-8";
+    LC_NUMERIC = "nl_NL.UTF-8";
+    LC_PAPER = "nl_NL.UTF-8";
+    LC_TELEPHONE = "nl_NL.UTF-8";
+    LC_TIME = "nl_NL.UTF-8";
+  };
+
+  # Enable CUPS to print documents.
+  services.printing.enable = true;
+
+  environment.systemPackages = with pkgs; [ wireguard-tools ];
+
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
+
+  home-manager = {
+    users.vivian = import ./home;
+  };
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

hosts/olympus/eevee/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  boot = {
+
+    initrd.availableKernelModules =
+      [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/947a98af-9a4e-4811-a2ca-9aa00b319e9c";
+    fsType = "btrfs";
+    options = [ "subvol=@" ];
+  };
+
+  fileSystems."/boot/efi" = {
+    device = "/dev/disk/by-uuid/D883-F146";
+    fsType = "vfat";
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/a99402e1-6f2a-4c4b-b69f-aae2fd13ffc0"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/olympus/eevee/hardware.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+{
+  hardware = {
+    enableAllFirmware = true;
+    nvidia = {
+      package = config.boot.kernelPackages.nvidiaPackages.beta;
+
+      # Open drivers cause gdm to crash
+      open = false;
+
+      # nvidia-drm.modeset=1
+      modesetting.enable = true;
+      powerManagement.enable = false;
+    };
+
+    # Hardware acceleration
+    graphics.enable = true;
+
+    logitech.wireless = {
+      enable = true;
+      enableGraphical = true;
+    };
+  };
+  services = {
+
+    hardware.bolt.enable = true;
+
+    xserver.videoDrivers = [ "nvidia" ];
+
+    # udev
+    udev.packages = with pkgs; [
+      android-udev-rules
+      logitech-udev-rules
+      wooting-udev-rules
+    ];
+
+    # SSD Trim
+    fstrim.enable = true;
+  };
+
+  # FS
+  fileSystems."/".options = [ "compress=zstd" ];
+}

hosts/olympus/eevee/home/.gitignore

@@ -0,0 +1 @@
+*dconf_dump*

hosts/olympus/eevee/home/default.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+  dconf.settings."org/gnome/desktop/peripherals/mouse" = {
+    accel-profile = "flat";
+  };
+
+  home.packages = with pkgs; [
+  ];
+}

hosts/thalassa/aoife/69-probe-rs.rules

@@ -0,0 +1,146 @@
+# Copy this file to /etc/udev/rules.d/
+# If rules fail to reload automatically, you can refresh udev rules
+# with the command "udevadm control --reload"
+
+# This rules are based on the udev rules from the OpenOCD project, with unsupported probes removed.
+# See http://openocd.org/ for more details.
+#
+# This file is available under the GNU General Public License v2.0
+
+ACTION!="add|change", GOTO="probe_rs_rules_end"
+
+SUBSYSTEM=="gpio", MODE="0660", GROUP="plugdev", TAG+="uaccess"
+
+SUBSYSTEM!="usb|tty|hidraw", GOTO="probe_rs_rules_end"
+
+# Please keep this list sorted by VID:PID
+
+# STMicroelectronics ST-LINK V1
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3744", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+# STMicroelectronics ST-LINK/V2
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+# STMicroelectronics ST-LINK/V2.1
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="374b", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3752", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+# STMicroelectronics STLINK-V3
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="374d", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="374e", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="374f", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3753", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3754", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+# SEGGER J-Link
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0101", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0102", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0103", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0104", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0105", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0107", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0108", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1001", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1002", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1003", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1004", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1005", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1006", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1007", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1008", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1009", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="100a", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="100b", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="100c", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="100d", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="100e", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="100f", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1010", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1011", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1012", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1013", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1014", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1015", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1016", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1017", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1018", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1019", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="101a", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="101b", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="101c", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="101d", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="101e", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="101f", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1020", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1021", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1022", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1023", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1024", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1025", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1026", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1027", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1028", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1029", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="102a", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="102b", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="102c", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="102d", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="102e", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="102f", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1050", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1051", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1052", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1053", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1054", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1055", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1056", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1057", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1058", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1059", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="105a", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="105b", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="105c", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="105d", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="105e", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="105f", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1060", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1061", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1062", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1063", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1064", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1065", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1066", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1067", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1068", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="1069", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="106a", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="106b", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="106c", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="106d", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="106e", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="1366", ATTRS{idProduct}=="106f", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+# FT232H
+ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6014", MODE="660", GROUP="plugdev", TAG+="uaccess"
+# FT2232x
+ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6010", MODE="660", GROUP="plugdev", TAG+="uaccess"
+# FT4232H
+ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6011", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+# FTDI-based Olimex devices
+ATTRS{idVendor}=="0x15ba", ATTRS{idProduct}=="0x0003", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="0x15ba", ATTRS{idProduct}=="0x0004", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="0x15ba", ATTRS{idProduct}=="0x002a", MODE="660", GROUP="plugdev", TAG+="uaccess"
+ATTRS{idVendor}=="0x15ba", ATTRS{idProduct}=="0x002b", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+# Espressif USB JTAG/serial debug unit
+ATTRS{idVendor}=="303a", ATTRS{idProduct}=="1001", MODE="660", GROUP="plugdev", TAG+="uaccess"
+# Espressif USB Bridge
+ATTRS{idVendor}=="303a", ATTRS{idProduct}=="1002", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+# CMSIS-DAP compatible adapters
+ATTRS{product}=="*CMSIS-DAP*", MODE="660", GROUP="plugdev", TAG+="uaccess"
+# WCH Link (CMSIS-DAP compatible adapter)
+ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="8011", MODE="660", GROUP="plugdev", TAG+="uaccess"
+
+LABEL="probe_rs_rules_end"

hosts/thalassa/aoife/README.md

@@ -0,0 +1,22 @@
+# Aoife
+This is the NixOS config for my laptop `aoife`.
+
+## Hardware
+This is a Thinkpad Z16 Gen 1.
+
+**CPU**: AMD Ryzen 9 PRO 6950H (16 cores) @ 4.935GHz
+
+**RAM**: 32GB LPDDR5 6400MHz
+
+**SCREEN**: 16" 3840 x 2400 OLED
+
+**GPU**: AMD Radeon™ RX 6500M, 4 GB, GDDR6
+
+
+## Software
+**OS**: NixOS
+
+**DE**: Gnome
+
+**Shell**: ZSH (grml)
+

hosts/thalassa/aoife/default.nix

@@ -0,0 +1,98 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    inputs.nixos-hardware.nixosModules.lenovo-thinkpad-z
+    ./hardware.nix
+    ./uni.nix
+  ];
+
+  meta = {
+    mac = "04:7b:cb:b6:2d:88";
+    isLaptop = true;
+  };
+
+  users.users.vivian.extraGroups = [ "adbusers" ];
+
+  # Bootloader.
+  boot = {
+
+    bootspec.enable = true;
+    initrd.kernelModules = [ "amdgpu" ];
+    resumeDevice = "/dev/nvme0n1p2";
+    loader.systemd-boot.enable = lib.mkForce false; # Using lanzaboote instead
+
+    kernel.sysctl = {
+      "perf_event_paranoid" = 1;
+      "kptr_restrict" = 0;
+    };
+    lanzaboote = {
+      enable = true;
+      configurationLimit = 5;
+      pkiBundle = "/etc/secureboot";
+    };
+  };
+
+  home-manager.users.vivian = import ./home;
+  programs = {
+    nix-ld.enable = true;
+    nix-ld.libraries = with pkgs; [
+      # Add any missing dynamic libraries for unpackaged programs
+
+      # here, NOT in environment.systemPackages
+    ];
+
+    hyprland = {
+      enable = true;
+      withUWSM = true;
+    };
+    hyprlock.enable = true;
+    evolution.enable = false;
+  };
+
+  services = {
+    hypridle.enable = true;
+    xserver.displayManager.gdm.enable = true;
+
+    flatpak.enable = true;
+
+    gnome.gnome-keyring.enable = true;
+
+    ollama = {
+      enable = false;
+      acceleration = "rocm";
+      rocmOverrideGfx = "10.3.4";
+    };
+
+    interception-tools = {
+      enable = true;
+      plugins = [ pkgs.interception-tools-plugins.caps2esc ];
+      udevmonConfig = ''
+        - JOB: "${pkgs.interception-tools}/bin/intercept -g $DEVNODE | ${pkgs.interception-tools-plugins.caps2esc}/bin/caps2esc | ${pkgs.interception-tools}/bin/uinput -d $DEVNODE"
+          DEVICE:
+            EVENTS:
+              EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
+      '';
+    };
+  };
+
+  # Enable Ozone rendering for Chromium and Electron apps.
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

hosts/thalassa/aoife/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  boot = {
+
+    initrd.availableKernelModules =
+      [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "sdhci_pci" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/c184866a-9a53-4a9f-9a1f-493792af7ea9";
+    fsType = "btrfs";
+    options = [ "subvol=@" ];
+  };
+
+  fileSystems."/boot/efi" = {
+    device = "/dev/disk/by-uuid/5BB8-7503";
+    fsType = "vfat";
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/bedb5b75-578e-441f-a9eb-2ecff1f4cfca"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # high-resolution display
+}

hosts/thalassa/aoife/hardware.nix

@@ -0,0 +1,83 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    pciutils
+    usbutils
+    lshw
+  ];
+
+  boot = {
+    kernelParams = [
+      "amdgpu.dcdebugmask=0x10" # Disables partial screen refresh, fixes flicker
+      "kvm.enable_virt_at_load=0"
+    ];
+  };
+
+  hardware = {
+    enableAllFirmware = true;
+    bluetooth.enable = true;
+
+    # OpenGL + Vulkan
+    graphics = {
+      enable = true;
+      extraPackages = with pkgs; [
+        mesa
+      ];
+    };
+
+    amdgpu = {
+      initrd.enable = true;
+      opencl.enable = true;
+      # Temp disabled as it breaks GTK
+      # amdvlk.enable = true;
+    };
+  };
+  services = {
+    fwupd.enable = true;
+
+    hardware.bolt.enable = true;
+
+    fprintd = {
+      enable = true;
+      # fprintd test suite fails
+      package = pkgs.fprintd.overrideAttrs {
+        mesonCheckFlags = [
+          "--no-suite"
+          "fprintd:TestPamFprintd"
+        ];
+      };
+    };
+
+    # Video Driver
+    xserver = {
+      # videoDrivers = [ "displaylink" ];
+      dpi = 280;
+    };
+
+    # SSD Trim
+    fstrim.enable = true;
+
+    # Power Management
+    upower.enable = true;
+    thermald.enable = true;
+  };
+
+  # hardware.trackpoint.enable = true;
+
+  # FS
+  fileSystems."/".options = [ "compress=zstd" ];
+
+  powerManagement = {
+    enable = true;
+    powertop.enable = true;
+  };
+
+  security = {
+    tpm2 = {
+      enable = true;
+      pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+      tctiEnvironment.enable = true;
+    };
+  }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  users.users.vivian.extraGroups = [ "tss" ]; # tss group has access to TPM devices
+}

hosts/thalassa/aoife/home/.gitignore

@@ -0,0 +1 @@
+*dconf_dump*

hosts/thalassa/aoife/home/default.nix

@@ -0,0 +1,46 @@
+{ pkgs, ... }: {
+  imports = [
+    ./starship.nix
+    ./hyprland.nix
+  ];
+
+
+  # Custom dconf settings
+  dconf.settings."org/gnome/desktop/input-sources" = {
+    # xkb-options = [ "caps:swapescape" ];
+  };
+
+  programs.zsh.envExtra = ''
+    source ~/.zshrc.secrets
+  '';
+
+  home.packages = with pkgs; [
+    eduvpn-client
+    localsend
+    typst
+  ];
+
+
+  programs.ssh.enable = true;
+  programs.ssh.matchBlocks = {
+    "student-linux.tudelft.nl" = {
+      user = "vroest";
+    };
+    "login.delftblue.tudelft.nl" = {
+      user = "vroest";
+    };
+    "cese01" = {
+      hostname = "cese01.ewi.tudelft.nl";
+      user = "vroest";
+      proxyJump = "student-linux.tudelft.nl";
+    };
+    "cese" = {
+      user = "root";
+      hostname = "10.0.3.121";
+      proxyJump = "cese01";
+    };
+    "bastion.olympus" = { };
+    "bastion.hades" = { };
+  };
+
+}

hosts/thalassa/aoife/home/eww/eww.scss

@@ -0,0 +1,138 @@
+$light-gray: #9699b7;
+
+* {
+    all: unset; //Unsets everything so you can style everything from scratch
+    font-family: "JetBrainsMono"
+}
+
+tooltip {
+    background-color: $base;
+    border-radius: 5px
+}
+
+button {
+    transition: background-color 200ms, color 200ms;
+}
+
+.active {
+    color: $pink;
+    font-size: 1.4rem;
+}
+
+.inactive {
+    color: $base;
+    font-size: 1.4rem;
+}
+
+.inactive:hover {
+    color: $light-gray;
+}
+
+.bar {
+    background-color: $mantle;
+}
+
+.clock {
+    font-weight: bold;
+    background-color: $base;
+    color: $text;
+    border-radius: 10px;
+    padding: 0.2rem;
+    margin: 0.5rem;
+}
+
+.date {
+    font-size: 1.5rem;
+    color: $text;
+}
+
+
+.battery {
+    font-family: monospace;
+    font-size: 1.5rem;
+    color: $teal;
+}
+
+.volume,
+.dnd,
+.wifi {
+    font-family: monospace;
+    font-size: 1.5rem;
+    color: $mauve;
+    padding: 0 5px;
+}
+
+
+// battery menu
+.batterywindow {
+    background-color: $mantle;
+    border-radius: 5px;
+    font-size: 18px;
+    font-weight: normal;
+    color: $text;
+
+    progressbar {
+        border-radius: 5px;
+    }
+
+    progressbar progress {
+        background-color: $green;
+    }
+
+    progressbar trough {
+        background-color: $base;
+    }
+
+    .batterymenu {
+        padding: 10px;
+    }
+
+}
+
+// Calendar
+.cal {
+    background-color: $mantle;
+    border-radius: 5px;
+    font-size: 18px;
+    font-weight: normal;
+
+    .cal-in {
+        padding: 0px 10px 0px 10px;
+        color: $text;
+
+        .cal {
+            &.highlight {
+                padding: 20px;
+            }
+
+            padding: 5px 5px 5px 5px;
+            margin-left: 10px;
+        }
+    }
+}
+
+calender {
+    color: $text;
+}
+
+calendar:selected {
+    color: $mauve;
+}
+
+calendar.header {
+    color: $overlay0;
+    font-weight: bold;
+}
+
+calendar.button {
+    color: $base;
+}
+
+calendar.highlight {
+    color: $overlay0;
+    font-weight: bold;
+}
+
+calendar:indeterminate {
+    color: $text;
+}

hosts/thalassa/aoife/home/eww/eww.yuck

@@ -0,0 +1,164 @@
+(defwidget bar []
+  (centerbox
+    :orientation "v"
+    (box
+      :valign "start"
+      :hexpand false
+      :vexpand false
+      :orientation "v"
+      :space-evenly false
+    )
+    
+    (workspaces
+      :halign "center"
+      :vexpand true
+      :hexpand false
+      :orientation "v"
+    )
+    
+    (box :valign "end" :hexpand false :vexpand true :orientation "v" :space-evenly false
+      (wifi)
+      (do-not-disturb)
+      (volume)
+      (battery)
+      (time)
+    )
+  )
+)
+
+;; ━━━ BATTERY ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+(defwidget battery []
+  (eventbox :onclick "eww open batterywindow --toggle"
+    (label
+      :text `${
+      EWW_BATTERY.BAT0.status == "Charging" ? "" :
+      EWW_BATTERY.BAT0.capacity < 10 ? "" :
+      EWW_BATTERY.BAT0.capacity < 20 ? "" :
+      EWW_BATTERY.BAT0.capacity < 30 ? "" :
+      EWW_BATTERY.BAT0.capacity < 40 ? "" :
+      EWW_BATTERY.BAT0.capacity < 50 ? "" :
+      EWW_BATTERY.BAT0.capacity < 60 ? "" :
+      EWW_BATTERY.BAT0.capacity < 70 ? "" :
+      EWW_BATTERY.BAT0.capacity < 80 ? "" :
+      EWW_BATTERY.BAT0.capacity < 90 ? "" : ""
+      }`
+      :class "battery"
+    ))
+)
+
+(defwidget batterymenu []
+  (box :orientation "v"
+    :class "batterymenu"
+    (label :text "${EWW_BATTERY.BAT0.status}: ${EWW_BATTERY.BAT0.capacity}%")
+    (progress :value "${EWW_BATTERY.BAT0.capacity}" :orientation "h") ; TODO: change class (and color) on low juice
+  )
+)
+
+(defwindow batterywindow
+  :monitor 0
+  :geometry (geometry
+    :x "53px"
+    :y "30px"
+    :anchor "bottom left"
+  )
+  (batterymenu)
+)
+
+; ━━━ do-not-disturb ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+(defvar dnd "")
+(defwidget do-not-disturb []
+  (eventbox
+    :orientation "h"
+    :halign "center"
+    :space-evenly false
+    :onclick "nohup ./scripts/do-not-disturb.sh &"
+    (label
+      :text {dnd}
+      :class "dnd"
+    )
+  )
+)
+
+;; ━━━ WIFI ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+(defpoll wifi :interval "30s" "./scripts/wifi.sh")
+
+(defwidget wifi []
+  (box
+    :orientation "h"
+    :halign "center"
+    :space-evenly false
+    (label
+      :text {wifi.icon}
+      :tooltip {wifi.status}
+      :class "wifi"
+    )
+  )
+)
+
+;; ━━━ VOLUME ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+(defpoll volume :interval "1s" "./scripts/volume.sh")
+(defwidget volume []
+  (eventbox
+    :orientation "h"
+    :halign "center"
+    :space-evenly false
+    :onclick "pamixer -t"
+    (label
+      :text {volume.icon}
+      :tooltip "${volume.percent}%"
+      :class "volume"
+    )
+  )
+)
+
+;; ━━━ TIME ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+(defpoll hour :interval "10s" "date +%H")
+(defpoll minute :interval "10s" "date +%M")
+(defpoll dateVar :interval "600s" "date '+%A %d.%m.%y'")
+
+(defwidget time []
+  (eventbox
+    :cursor "hand"
+    :hexpand false
+    :vexpand false
+    :tooltip "${dateVar}"
+    :onclick "eww open calendar --toggle &"
+    (box :orientation "v" :hexpand false :vexpand false :space-evenly false :class "clock"
+      (label :class "date" :text "${hour}")
+      
+      (label :class "date" :text "${minute}")
+    )
+  )
+)
+
+;; Calendar
+(defpoll calendar_day :interval "20h" "date '+%d'")
+(defpoll calendar_year :interval "20h" "date '+%Y'")
+(defwidget cal []
+  (box :class "cal" :orientation "v"
+    (box :class "cal-in"
+      (calendar :class "cal"
+        :day calendar_day
+      :year calendar_year))))
+
+(defwindow calendar
+  :monitor 0
+  :geometry (geometry :x "53px"
+    :y "5px"
+    :anchor "bottom left"
+    :width "270px"
+  :height "60px")
+  (cal))
+
+(deflisten workspaces_listen "./scripts/workspaces.sh")
+(defwidget workspaces []
+  (literal :content workspaces_listen))
+
+(defwindow bar
+  :monitor 0
+  :exclusive false
+  :geometry (geometry :height "1080px" :x "-4px" :y "0px"
+    :width "52px"
+  :anchor "top left")
+  :stacking "fg"
+  (bar))

hosts/thalassa/aoife/home/eww/scripts/do-not-disturb.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -p jq -i bash
+
+if makoctl mode | rg -q "do-not-disturb"; then
+    eww update dnd=""
+    makoctl mode -r do-not-disturb > /dev/null
+else
+    eww update dnd=""
+    makoctl mode -a do-not-disturb > /dev/null
+fi

hosts/thalassa/aoife/home/eww/scripts/getvol

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if command -v pamixer &>/dev/null; then
+    if [ true == $(pamixer --get-mute) ]; then
+        echo 0
+        exit
+    else
+        pamixer --get-volume
+    fi
+else
+    amixer -D pulse sget Master | awk -F '[^0-9]+' '/Left:/{print $3}'
+fi

hosts/thalassa/aoife/home/eww/scripts/volume.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+per="???"
+
+if pamixer --get-mute | rg -q true; then
+    icon="婢"
+elif [ "$per" -gt 66 ]; then
+    icon="墳" # high
+elif [ "$per" -gt 33 ]; then
+    icon="奔" # med
+else
+    icon="奄" #low
+fi
+
+printf "{\"icon\": \"${icon}\", \"percent\": \"${per}\"}"

hosts/thalassa/aoife/home/eww/scripts/wifi.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if wpa_cli status | rg -q "wpa_state=COMPLETED"; then
+    icon="直"
+    status="Connected"
+else
+    icon="睊"
+    status="offline"
+fi
+
+printf "{\"icon\": \"${icon}\", \"status\": \"${status}\"}" 

hosts/thalassa/aoife/home/eww/scripts/workspaces.lua

@@ -0,0 +1,21 @@
+#!/usr/bin/env lua
+
+aw = io.popen("hyprctl monitors | grep active | sed 's/()/(1)/g' | sort | awk 'NR>1{print $1}' RS='(' FS=')'")
+active_workspace = aw:read("*a")
+aw:close()
+
+box = "(box :orientation \"v\" :spacing 1 :space-evenly \"true\" "
+
+for i = 1,10 do
+    if i == tonumber(active_workspace) then
+        local btn = "(button :class \"active\" :onclick \"hyprctl dispatch workspace "..i.." \" \"\")"
+        box = box .. btn
+    else
+        local btn = "(button :class \"inactive\" :onclick \"hyprctl dispatch workspace "..i.."\" \"\")"
+        box = box .. btn
+    end
+end
+
+box = box .. ")"
+
+print(box)

hosts/thalassa/aoife/home/eww/scripts/workspaces.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+workspaces() {
+    ./scripts/workspaces.lua
+}
+
+workspaces
+
+tail -f /tmp/hypr/$HYPRLAND_INSTANCE_SIGNATURE/hyprland.log | grep --line-buffered "Changed to workspace" | while read -r; do 
+    workspaces
+done

hosts/thalassa/aoife/home/hyprland.nix

@@ -0,0 +1,333 @@
+{
+  pkgs,
+  config,
+  inputs,
+  lib,
+  ...
+}:
+let
+  terminal = "${config.programs.kitty.package}/bin/kitty -1";
+in
+{
+  imports = [
+    ./waybar.nix
+  ];
+
+  home.packages = with pkgs; [
+    hyprland-workspaces
+    inputs.gnome-autounlock-keyring.packages.${pkgs.system}.default
+    inputs.hyprland-qtutils.packages.${pkgs.system}.default
+  ];
+
+  programs = {
+    rofi = {
+      enable = true;
+      package = pkgs.rofi-wayland;
+      theme = {
+        listview.columns = 1;
+      };
+    };
+
+    hyprlock = {
+      enable = true;
+      settings =
+        let
+          color = "rgba(242, 243, 244, 0.75)";
+        in
+        {
+          auth.fingerprint.enabled = true;
+
+          background = {
+            path = "screenshot";
+            blur_passes = 3;
+          };
+        };
+    };
+
+    # eww = {
+    # enable = true;
+    # configDir = ./eww;
+    # };
+  };
+
+  services = {
+    gnome-keyring.enable = true;
+
+    mako = {
+      enable = true;
+      settings.defaultTimeout = 5000;
+    };
+
+    hypridle = {
+      enable = true;
+
+      settings = {
+        general = {
+          lock_cmd = "pidof hyprlock || hyprlock";
+          before_sleep_cmd = "loginctl lock-session";
+          after_sleep_cmd = "hyprctl dispatch dpms on";
+        };
+
+        listener = [
+          {
+            timeout = 300; # 5 mins
+            on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 10";
+            on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r";
+          }
+          {
+            timeout = 300; # 5 mins
+            on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd tpacpi:kbd_backlight set 0";
+            on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd tpacpi::kbd_backlight";
+          }
+          {
+            timeout = 600; # 10 mins
+            on-timeout = "loginctl lock-session";
+          }
+          {
+            timeout = 1200; # 20 mins, screen off
+            on-timeout = "hyprctl dispatch dpms off";
+            on-resume = "hyprctl dispatch dpms on";
+          }
+          {
+            timeout = 2400; # 40 mins
+            on-timeout = "systemctl suspend";
+          }
+        ];
+      };
+    };
+
+    hyprpaper =
+      let
+        wallpaper = ../../../../assets/wallpaper-nix-pink.png;
+      in
+      {
+        enable = true;
+        settings = {
+          preload = [ "${wallpaper}" ];
+          wallpaper = [ "eDP-1,${wallpaper}" ];
+
+          splash = false;
+          ipc = "off";
+        };
+      };
+
+  };
+
+  # Hack to ensure graphical dependent services start _after_ hyprland starts
+  # Needed as these services normally start after graphical-session-pre
+  systemd.user.services.hyprpaper.Unit.After = lib.mkForce "graphical-session.target";
+  systemd.user.services.waybar.Unit.After = lib.mkForce "graphical-session.target";
+  systemd.user.services.hypridle.Unit.After = lib.mkForce "graphical-session.target";
+
+  wayland.windowManager.hyprland =
+    let
+      toggle_mirror = pkgs.writeScriptBin "toggle_mirror.sh" ''
+        #!${pkgs.stdenv.shell}
+        if [ $(hyprctl monitors all -j | ${pkgs.jq}/bin/jq '.[1].activeWorkspace.id') = '-1' ]; then
+        	hyprctl keyword monitor ",preferred,auto,1"
+        else
+        	hyprctl keyword monitor ",preferred,auto,1,mirror,eDP-1"
+        fi
+      '';
+      # Autostart now handled by xdg.autoStart
+      startup = pkgs.writeScriptBin "startup.sh" ''
+        #!${pkgs.stdenv.shell}
+        # uwsm app -- ${pkgs.wl-clip-persist}/bin/wl-clip-persist -c both &
+      '';
+    in
+    {
+      enable = true;
+      systemd.enable = false; # using UWSM
+
+      plugins = with pkgs.hyprlandPlugins; [
+        hyprexpo
+      ];
+
+      settings =
+        let
+          inherit (builtins) genList concatLists toString;
+          wpctl = "${pkgs.wireplumber}/bin/wpctl";
+          brightnessctl = "${pkgs.brightnessctl}/bin/brightnessctl";
+          menu = "${config.programs.rofi.package}/bin/rofi -columns 1 -show combi -modes combi -combi-modes \"window,drun,run\"";
+          fileManager = "${pkgs.nautilus}/bin/nautilus";
+        in
+        {
+          "$mod" = "SUPER";
+          exec-once = [
+            "${startup}/bin/startup.sh"
+          ];
+          monitor = [
+            "eDP-1, 3840x2400@60,0x0,2"
+            ",highres,auto,1"
+          ];
+          input = {
+            touchpad.natural_scroll = true;
+          };
+          general = {
+            gaps_in = 5;
+            gaps_out = 10;
+            border_size = 2;
+            "col.active_border" = "rgba(babbf1ee) rgba(f4b8e4ee) 45deg";
+            "col.inactive_border" = "rgba(303446aa)";
+            layout = "dwindle";
+            # Please see https://wiki.hyprland.org/Configuring/Tearing/ before you turn this on
+            allow_tearing = true;
+          };
+          group = {
+            "col.border_active" = "rgba(babbf1ee) rgba(f4b8e4ee) 45deg";
+            "col.border_inactive" = "rgba(232634aa)";
+
+            groupbar = {
+              font_size = 10;
+              height = 18;
+              "col.active" = "rgba(babbf1aa)";
+              "col.inactive" = "rgba(414559aa)";
+              text_color = "rgba(ffffffee)";
+            };
+          };
+
+          plugin.hyprexpo = {
+            workspace_method = "first 1";
+            enable_gesture = true;
+            gesture_positive = false;
+            gesture_fingers = 3;
+          };
+
+          decoration = {
+            rounding = 10;
+
+            blur = {
+              enabled = true;
+              size = 3;
+              passes = 1;
+            };
+
+            shadow = {
+              enabled = true;
+              color = "rgba(1a1a1aee)";
+              range = 4;
+              render_power = 3;
+            };
+          };
+          animations = {
+            enabled = "yes";
+
+            bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
+
+            animation = [
+              "windows, 1, 7, myBezier"
+              "windowsOut, 1, 7, default, popin 80%"
+              "border, 1, 10, default"
+              "borderangle, 1, 8, default"
+              "fade, 1, 4, default"
+              "workspaces, 1, 4, default"
+            ];
+          };
+          dwindle = {
+            preserve_split = "yes";
+            pseudotile = "yes";
+          };
+
+          gestures.workspace_swipe = true;
+
+          misc = {
+            force_default_wallpaper = 2;
+            disable_splash_rendering = true;
+            disable_hyprland_logo = true;
+            disable_autoreload = true;
+          };
+
+          windowrulev2 = [
+            "suppressevent maximize, class:.*"
+
+            "workspace 1 silent, class:^(Element)$"
+            "workspace 1 silent, class:^(discord)$"
+            "group, class:^(Element|discord)$,workspace:1"
+
+            "workspace 2 silent, class:^(firefox)$"
+            "float,class:^(firefox)$,title:^(Picture-in-Picture)$"
+
+            "workspace special:obsidian silent, class:^(obsidian)$"
+          ];
+
+          # l -> works when screen is locked
+          # e -> repeats when held
+          bindel = [
+            ",XF86AudioRaiseVolume,exec,${wpctl} set-volume @DEFAULT_AUDIO_SINK@ 5%+"
+            ",XF86AudioLowerVolume,exec,${wpctl} set-volume @DEFAULT_AUDIO_SINK@ 5%-"
+            ",XF86MonBrightnessUp,exec,${brightnessctl} -q s +5%"
+            ",XF86MonBrightnessDown,exec,${brightnessctl} -q s 5%-"
+          ];
+
+          bindl = [ ",XF86AudioMute, exec,${wpctl} set-mute @DEFAULT_AUDIO_SINK@ toggle" ];
+
+          bind =
+            [
+              "$mod, RETURN, exec, uwsm app -- ${terminal}"
+              "$mod, Q, killactive,"
+              "$mod SHIFT, Q, exec, uwsm stop,"
+              "$mod, E, exec, uwsm app -- ${fileManager}"
+              "$mod, V, togglefloating,"
+              "$mod, D, exec, uwsm app -- ${menu}"
+              "$mod, P, pseudo, # dwindle"
+              "$mod, J, togglesplit, # dwindle"
+              "$mod,m,fullscreen"
+
+              "$mod, L, exec, loginctl lock-session"
+
+              "$mod, space, hyprexpo:expo, toggle"
+
+              # Move focus with arrow keys
+              "$mod, left, movefocus, l"
+              "$mod, right, movefocus, r"
+              "$mod, up, movefocus, u"
+              "$mod, down, movefocus, d"
+
+              # Scratch workspace
+              "$mod, S, togglespecialworkspace, scratch"
+              "$mod SHIFT, S, movetoworkspace, special:scratch"
+
+              # Obsidian Workspace
+              "$mod, O, togglespecialworkspace, obsidian"
+              "$mod SHIFT, O, movetoworkspace, special:obsidian"
+
+              # Groups aka Tabs
+              "$mod,g,togglegroup"
+              "$mod,tab,changegroupactive"
+
+              # PrintScreen
+              ",Print,exec,uwsm app -- ${pkgs.grimblast}/bin/grimblast copysave area /home/vivian/cloud/Pictures/Screenshots/$(date +%s).png"
+              # Toggle Mirror for external displays on/off
+              ",XF86Display,exec,${toggle_mirror}/bin/toggle_mirror.sh"
+            ]
+            ++ (
+              # workspaces
+              # binds $mod + [shift +] {1..10} to [move to] workspace {1..10}
+              concatLists (
+                genList (
+                  x:
+                  let
+                    ws =
+                      let
+                        c = (x + 1) / 10;
+                      in
+                      toString (x + 1 - (c * 10));
+                  in
+                  [
+                    "$mod, ${ws}, workspace, ${toString (x + 1)}"
+                    "$mod SHIFT, ${ws}, movetoworkspacesilent, ${toString (x + 1)}"
+                  ]
+                ) 10
+              )
+
+            );
+
+          # Bind mouse
+          bindm = [
+            # Move/resize windows with mod + LMB/RMB and dragging
+            "$mod, mouse:272, movewindow"
+            "$mod, mouse:273, resizewindow"
+          ];
+        };
+    };
+}

hosts/thalassa/aoife/home/starship.nix

@@ -0,0 +1,17 @@
+{ pkgs, config, ...}:
+let
+  starshipNerdFont = pkgs.runCommand "starship-nerd-font.toml" { STARSHIP_CACHE = "/tmp"; } ''
+    ${config.programs.starship.package}/bin/starship preset nerd-font-symbols > $out
+  '';
+in{
+  programs.starship = {
+    enable = false;
+    enableZshIntegration = true;
+    enableFishIntegration = true;
+    enableNushellIntegration = true;
+
+    settings = {
+      nix_shell.heuristic = true;
+    } // builtins.fromTOML (builtins.readFile starshipNerdFont);
+  };
+}

hosts/thalassa/aoife/home/waybar.css

@@ -0,0 +1,125 @@
+/* Catppucin Frappe */
+@define-color base   #303446;
+@define-color mantle #292c3c;
+@define-color crust  #232634;
+
+@define-color text     #c6d0f5;
+@define-color subtext0 #a5adce;
+@define-color subtext1 #b5bfe2;
+
+@define-color surface0 #414559;
+@define-color surface1 #51576d;
+@define-color surface2 #626880;
+
+@define-color overlay0 #737994;
+@define-color overlay1 #838ba7;
+@define-color overlay2 #949cbb;
+
+@define-color blue      #8caaee;
+@define-color lavender  #babbf1;
+@define-color sapphire  #85c1dc;
+@define-color sky       #99d1db;
+@define-color teal      #81c8be;
+@define-color green     #a6d189;
+@define-color yellow    #e5c890;
+@define-color peach     #ef9f76;
+@define-color maroon    #ea999c;
+@define-color red       #e78284;
+@define-color mauve     #ca9ee6;
+@define-color pink      #f4b8e4;
+@define-color flamingo  #eebebe;
+@define-color rosewater #f2d5cf;
+
+
+window {
+  border: none;
+  font-family: DejaVuSansM Nerd Font, sans-serif;
+  font-size: 13px;
+  color: @text;
+}
+
+window#waybar {
+  color: @text;
+  background-color: rgba(0, 0, 0, 0);
+  transition-property: background-color;
+  transition-duration: 0.5s;
+  transition-duration: .5s;
+}
+
+window#waybar.hidden {
+  opacity: 0.2;
+}
+
+#workspaces {
+  /* background: @overlay0; */
+}
+
+#workspaces button {
+  color: @text;
+  /* background: @background3; */
+  /* margin: 7px 5px 10px 5px; */
+}
+
+#workspaces button:hover {
+  background: @surface0;
+  color: @text;
+}
+
+#workspaces button.active {
+  color: @crust;
+  background: @overlay2;
+  border: none;
+}
+
+#clock,
+#battery,
+#network,
+#power-profiles-daemon,
+#wireplumber {
+  padding: 0px 20px;
+	border-radius: 8px;
+  margin-left: 5px;
+  color: @crust;
+}
+
+#wireplumber {
+  padding: 0px 20px 0px 17px;
+  background-color: @teal;
+}
+
+#network {
+  padding: 0px 15px 0px 20px;
+  background-color: @green;
+}
+
+#battery {
+  background-color: @lavender;
+}
+
+#clock {
+  background-color: @pink;
+}
+
+#power-profiles-daemon {
+  background-color: @mauve;
+}
+
+@keyframes blink {
+  to {
+    background-color: rgba(30, 34, 42, 0.5);
+    color: #abb2bf;
+  }
+}
+
+#battery.critical:not(.charging) {
+  color: #f53c3c;
+  animation-name: blink;
+  animation-duration: 0.5s;
+  animation-timing-function: linear;
+  animation-iteration-count: infinite;
+  animation-direction: alternate;
+}
+
+label:focus {
+  background-color: #000000;
+}

hosts/thalassa/aoife/home/waybar.nix

@@ -0,0 +1,82 @@
+{ pkgs, config, ... }:
+let
+  terminal = "${config.programs.kitty.package}/bin/kitty -1";
+in
+{
+  programs.waybar = {
+    enable = true;
+    systemd.enable = true;
+    style = ./waybar.css;
+
+    settings = {
+      mainBar = {
+        layer = "top";
+        position = "top";
+        height = 30;
+        modules-left = [ "hyprland/workspaces" ];
+        modules-center = [ "clock" ];
+        modules-right = [
+          "wireplumber"
+          "power-profiles-daemon"
+          "network"
+          "battery"
+        ];
+
+        wireplumber = {
+          format = "󰕾 {volume}%";
+          format-muted = "󰖁";
+          on-click = "${pkgs.wireplumber}/bin/wpctl set-mute @DEFAULT_SINK@ toggle";
+        };
+
+        network =
+          let
+            nmtui = pkgs.writeScriptBin "nmtui.sh" ''
+              #!${pkgs.stdenv.shell}
+              unset COLORTERM
+              TERM=xterm-old ${pkgs.networkmanager}/bin/nmtui
+            '';
+          in
+          {
+            format-wifi = "󰖩 {essid} ({signalStrength}%)";
+            format-ethernet = "󰈀 {ifname}: {ipaddr}/{cidr}";
+            format-disconnected = "󰌙 ";
+            tooltip-format = "{ifname}: {ipaddr}";
+            on-click = "${terminal} --execute ${nmtui}/bin/nmtui.sh";
+          };
+
+        power-profiles-daemon = {
+          format = "{icon}";
+          format-icons = {
+            performance = "󰓅";
+            balanced = "󰾅";
+            power-saver = "󰾆";
+          };
+        };
+
+        battery = {
+          states = {
+            warning = 30;
+            critical = 15;
+          };
+
+          format = "󱐋 {capacity}%";
+          format-discharging = "{icon}  {capacity}%";
+
+          format-icons = [
+            "󰂎"
+            "󰁺"
+            "󰁻"
+            "󰁼"
+            "󰁽"
+            "󰁾"
+            "󰁿"
+            "󰂀"
+            "󰂁"
+            "󰂂"
+            "󰁹"
+          ];
+        };
+      };
+    };
+  };
+}

hosts/thalassa/aoife/uni.nix

@@ -0,0 +1,33 @@
+# Config options needed for various university courses
+{ pkgs, lib, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    esp-generate
+    espflash
+  ];
+
+  users.extraGroups.plugdev = { };
+  users.extraUsers.vivian.extraGroups = [
+    "dialout"
+    "plugdev"
+  ];
+
+  hardware.saleae-logic.enable = true;
+
+  programs.nix-ld = {
+    enable = true;
+    package = pkgs.nix-ld-rs;
+    libraries = [
+
+    ];
+  };
+
+  services.udev.packages = [
+    pkgs.openocd # This should(?) be the same as the probe-rs rules below, but just to be sure
+    (pkgs.writeTextFile {
+      name = "probe-rs-udev";
+      destination = "/etc/udev/rules.d/69-probe-rs.rules";
+      text = builtins.readFile ./69-probe-rs.rules;
+    })
+  ];
+}

nixos/hosts/README.md

@@ -0,0 +1,2 @@
+# NixOS Hosts
+Each folder here is a separate geographical location, with `thalassa` being for roaming devices like laptops

nixos/hosts/default.nix

@@ -0,0 +1,5 @@
+{
+  hades = import ./hades;
+  olympus = import ./olympus;
+  thalassa = import ./thalassa;
+}

nixos/hosts/hades/_template/configuration.nix

@@ -0,0 +1,22 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, ... }:
+
+{
+  imports = [ ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ ];
+
+  networking.firewall.allowedTCPPorts = [ ];
+}

nixos/hosts/hades/attic/configuration.nix

@@ -0,0 +1,90 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, config, ... }:
+let vs = config.vault-secrets.secrets;
+in {
+  imports = [ ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ ];
+
+  vault-secrets.secrets.attic = { services = [ "atticd" ]; };
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_15;
+    ensureDatabases = [ "atticd" ];
+    ensureUsers = [{
+      name = "atticd";
+      ensureDBOwnership = true;
+    }];
+
+  };
+
+  services.atticd = {
+    enable = true;
+
+    credentialsFile = "${vs.attic}/environment";
+
+    settings = {
+      listen = "[::]:8080";
+      allowed-hosts = [ "attic.xirion.net" ];
+      api-endpoint = "https://attic.xirion.net/";
+      require-proof-of-possession = false;
+
+      garbage-collection = {
+        interval = "12 hours";
+        default-retention-period = "1 month";
+      };
+
+      compression = {
+        type = "zstd";
+        level = 8;
+      };
+
+      database.url = "postgresql://atticd?host=/run/postgresql";
+
+      storage = {
+        type = "s3";
+        region = "hades";
+        bucket = "attic";
+        endpoint = "http://garage.hades:3900";
+      };
+
+      # Data chunking
+      #
+      # Warning: If you change any of the values here, it will be
+      # difficult to reuse existing chunks for newly-uploaded NARs
+      # since the cutpoints will be different. As a result, the
+      # deduplication ratio will suffer for a while after the change.
+      chunking = {
+        # The minimum NAR size to trigger chunking
+        #
+        # If 0, chunking is disabled entirely for newly-uploaded NARs.
+        # If 1, all NARs are chunked.
+        nar-size-threshold = 64 * 1024; # 64 KiB
+
+        # The preferred minimum size of a chunk, in bytes
+        min-size = 16 * 1024; # 16 KiB
+
+        # The preferred average size of a chunk, in bytes
+        avg-size = 64 * 1024; # 64 KiB
+
+        # The preferred maximum size of a chunk, in bytes
+        max-size = 256 * 1024; # 256 KiB
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+}

nixos/hosts/hades/bastion/configuration.nix

@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }: {
+  networking.interfaces.eth0.useDHCP = true;
+
+  # mosh ssh
+  programs.mosh.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    rustup
+    vault
+  ];
+
+  environment.noXlibs = lib.mkForce false;
+
+  system.stateVersion = "22.11";
+
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryFlavor = "curses";
+  };
+}

nixos/hosts/hades/bazarr/configuration.nix

@@ -0,0 +1,14 @@
+_: {
+  system.stateVersion = "22.11";
+  networking.interfaces.eth0.useDHCP = true;
+
+  fileSystems."/mnt/storage" = {
+    device = "storage:/mnt/storage";
+    fsType = "nfs";
+  };
+
+  services.bazarr = {
+    enable = true;
+    openFirewall = true;
+  };
+}

nixos/hosts/hades/database/configuration.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+let vs = config.vault-secrets.secrets;
+in {
+
+  system.stateVersion = "21.05";
+  networking.interfaces.eth0.useDHCP = true;
+
+  networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
+
+  vault-secrets.secrets.database = {
+    user = "postgres";
+    group = "postgres";
+    services = [ "postgresql" ];
+  };
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+    enableTCPIP = true;
+    extraPlugins = [ ];
+    initdbArgs = [
+      "--encoding 'UTF-8'"
+      "--lc-collate='en_US.UTF-8'"
+      "--lc-ctype='en_US.UTF-8'"
+    ];
+    authentication = ''
+      host all all 192.168.0.1/23 md5
+      host all all  10.10.10.0/24 md5
+    '';
+    initialScript = "${vs.database}/initialScript";
+    settings = {
+      shared_preload_libraries = "pg_stat_statements";
+      "pg_stat_statements.track" = "all";
+      "pg_stat_statements.max" = 10000;
+      track_activity_query_size = 2048;
+    };
+  };
+}

nixos/hosts/hades/default.nix

@@ -0,0 +1,188 @@
+{
+  "opnsense" = {
+    ip = "192.168.0.1";
+    mac = "00:0d:b9:56:b1:d8";
+    nix = false;
+  };
+  "nyx-bmc" = {
+    ip = "192.168.0.99";
+    mac = "d0:50:99:f3:fa:42";
+    nix = false;
+  };
+  "nyx" = {
+    ip = "192.168.0.100";
+    mac = "d0:50:99:de:99:4c";
+    nix = false;
+  };
+  "unifi" = {
+    ip = "192.168.0.101";
+    mac = "5a:00:b7:6c:d1:e2";
+  };
+  "jellyfin" = {
+    ip = "192.168.0.102";
+    mac = "C6:7E:2B:DC:09:CC";
+    exposes.jellyfin = {
+      domain = "jf.0x76.dev";
+      port = 8096;
+    };
+  };
+  "vault-0" = {
+    ip = "192.168.0.103";
+    mac = "7A:14:15:ED:D1:E6";
+    tags = [ "vault" ];
+  };
+  "pmm" = {
+    ip = "192.168.0.104";
+    mac = "7A:A3:59:1D:69:07";
+  };
+  "overseerr" = {
+    ip = "192.168.0.105";
+    mac = "8E:21:7F:88:3A:83";
+    exposes.requests = {
+      domain = "requests.xirion.net";
+      port = 5055;
+    };
+  };
+  "tautulli" = {
+    ip = "192.168.0.106";
+    mac = "BE:30:DB:F8:C6:55";
+    exposes.tautulli = {
+      domain = "tautulli.xirion.net";
+      port = 8080;
+    };
+  };
+  "dns-1" = {
+    ip = "192.168.0.107";
+    mac = "12:84:3B:E0:8A:A0";
+    profile = "dns";
+    tags = [ "networking" ];
+  };
+  "dns-2" = {
+    ip = "192.168.0.108";
+    mac = "56:C3:9C:A5:41:81";
+    profile = "dns";
+    tags = [ "networking" ];
+  };
+  # ip = "192.168.0.109";
+  # ip = "192.168.0.110";
+  "rtorrent" = {
+    ip = "192.168.0.111";
+    mac = "7a:5f:9b:62:49:91";
+  };
+  "cshub2" = {
+    ip = "192.168.0.113";
+    mac = "26:8c:f6:f4:21:76";
+    nix = false;
+  };
+  "bastion" = {
+    ip = "192.168.0.114";
+    mac = "66:14:8e:b2:50:c4";
+  };
+  "storage" = {
+    ip = "192.168.0.115";
+    mac = "00:50:56:91:0d:69";
+    type = "vm";
+  };
+  "immich" = {
+    ip = "192.168.0.116";
+    mac = "06:8a:8e:3e:43:45";
+  };
+  "mail" = {
+    ip = "192.168.0.118";
+    mac = "00:50:56:91:3b:03";
+    nix = false;
+  };
+  "bazarr" = {
+    ip = "192.168.0.119";
+    mac = "DE:7C:32:7E:DD:A1";
+  };
+  "plex2" = {
+    ip = "192.168.0.120";
+    mac = "A2:2C:65:32:54:8A";
+    profile = "plex";
+  };
+  "garage" = {
+    ip = "192.168.0.121";
+    mac = "3A:19:32:A2:F8:96";
+    exposes = {
+      garage = {
+        domain = "g.xirion.net";
+        port = 3900;
+      };
+      fedi-media = {
+        domain = "fedi-media.xirion.net";
+        port = 3902;
+      };
+    };
+  };
+  "nginx" = {
+    ip = "192.168.0.122";
+    mac = "52:8E:72:31:AE:AC";
+  };
+  "reverseproxy" = {
+    ip = "192.168.0.123";
+    mac = "00:0c:29:9b:10:82";
+    nix = false;
+  };
+  "pve-storage" = {
+    ip = "192.168.0.124";
+    mac = "d4:3d:7e:35:0a:bf";
+    nix = false;
+  };
+  "lucy" = {
+    ip = "192.168.0.125";
+    mac = "5E:36:04:2D:38:DF";
+    type = "vm";
+  };
+  # ip = "192.168.0.126";
+  # ip = "192.168.0.127";
+  "attic" = {
+    ip = "192.168.0.128";
+    mac = "9E:AF:E9:FE:D4:D9";
+    exposes.attic = {
+      domain = "attic.xirion.net";
+      port = 8080;
+    };
+  };
+  "hassio" = {
+    ip = "192.168.0.129";
+    mac = "e6:80:32:fb:00:75";
+    exposes.ha = {
+      domain = "ha.xirion.net";
+      port = 8123;
+    };
+    nix = false;
+  };
+  # ip = "192.168.0.130";
+  # ip = "192.168.0.131";
+  "tudelft" = {
+    ip = "192.168.0.132";
+    mac = "AE:B3:93:4B:04:76";
+    exposes = {
+      grist = {
+        domain = "grist.tud.0x76.dev";
+        port = 8484;
+      };
+      dex = {
+        domain = "dex.tud.0x76.dev";
+        port = 8000;
+      };
+    };
+    nix = false;
+  };
+  "mastodon" = {
+    ip = "192.168.0.138";
+    mac = "52:60:8a:06:86:9c";
+  };
+  # ip = "192.168.0.140";
+  "archlinux" = {
+    ip = "192.168.0.200";
+    mac = "00:0c:29:e4:0d:17";
+    nix = false;
+  };
+  "HP781AFC" = {
+    ip = "192.168.0.201";
+    mac = "f4:ce:46:78:1a:fc";
+    nix = false;
+  };
+}

nixos/hosts/hades/dns/configuration.nix

@@ -0,0 +1,56 @@
+{ pkgs, ... }: {
+  imports = [ ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ dig dogdns ];
+
+  services.v.dns = {
+    enable = true;
+    openFirewall = true;
+    mode = "server";
+  };
+
+  services.unbound.settings.server = {
+    local-zone = [
+      "xirion.net typetransparent"
+      "attic.xirion.net typetransparent"
+      "o.xirion.net typetransparent"
+      "attic.xirion.net typetransparent"
+      "g.xirion.net typetransparent"
+      "fedi-media.xirion.net typetransparent"
+      "hades.xirion.net typetransparent"
+      "requests.xirion.net typetransparent"
+      "ha.xirion.net typetransparent"
+      "mail.xirion.net typetransparent"
+      "plex.xirion.net typetransparent"
+      "fedi.xirion.net typetransparent"
+      "grist.tud.0x76.dev typetransparent"
+      "dex.tud.0x76.dev typetransparent"
+    ];
+
+    local-data = [
+      ''"xirion.net A 192.168.0.122"''
+      ''"attic.xirion.net A 192.168.0.122"''
+      ''"hades.xirion.net A 192.168.0.122"''
+      ''"o.xirion.net A 192.168.0.122"''
+      ''"attic.xirion.net A 192.168.0.122"''
+      ''"g.xirion.net A 192.168.0.122"''
+      ''"fedi-media.xirion.net A 192.168.0.122"''
+      ''"requests.xirion.net A 192.168.0.122"''
+      ''"ha.xirion.net A 192.168.0.122"''
+      ''"mail.xirion.net A 192.168.0.122"''
+      ''"plex.xirion.net A 192.168.0.122"''
+      ''"fedi.xirion.net A 192.168.0.122"''
+      ''"grist.tud.0x76.dev A 192.168.0.122"''
+      ''"dex.tud.0x76.dev A 192.168.0.122"''
+    ];
+  };
+}

nixos/hosts/hades/garage/configuration.nix

@@ -0,0 +1,53 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, config, ... }:
+let vs = config.vault-secrets.secrets;
+in {
+  imports = [ ];
+
+  vault-secrets.secrets.garage = { };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ ];
+
+  networking.firewall.allowedTCPPorts = [ 3900 3901 3902 ];
+
+  # Defines rpc_secret
+  systemd.services.garage.serviceConfig.EnvironmentFile = [ "${vs.garage}/environment" ];
+
+  services.garage = {
+    enable = true;
+    package = pkgs.garage_0_9;
+    settings = {
+      db_engine = "lmdb"; # Recommended for mastodon
+      replication_mode = "1";
+      compression_level = 0;
+
+      # For inter-node comms
+      rpc_bind_addr = "[::]:3901";
+      rpc_public_addr = "${config.meta.ipv4}:3901";
+
+      # Standard S3 api endpoint
+      s3_api = {
+        s3_region = "hades";
+        api_bind_addr = "[::]:3900";
+      };
+
+      # Static file serve endpoint
+      s3_web = {
+        bind_addr = "[::]:3902";
+        root_domain = "g.xirion.net";
+      };
+    };
+  };
+}

nixos/hosts/hades/immich/configuration.nix

@@ -0,0 +1,73 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, config, ... }:
+let
+  # https://github.com/immich-app/immich/releases
+  # version = "1.55.1";
+  dataDir = "/var/lib/immich";
+in {
+  imports = [ ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ ];
+
+  # TODO: https://github.com/suderman/nixos/tree/main/modules/nixos/immich
+
+  fileSystems."/mnt/storage" = {
+    device = "storage:/mnt/storage";
+    fsType = "nfs";
+  };
+  ids = {
+    # Unused uid/gid snagged from this list:
+    # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
+    uids.immich = 911;
+    gids.immich = 911;
+  };
+  users = {
+    groups = {
+      photos = { };
+      immich = { gid = config.ids.gids.immich; };
+    };
+
+    users.immich = {
+      isSystemUser = true;
+      group = "photos";
+      description = "Immich daemon user";
+      home = dataDir;
+      uid = config.ids.uids.immich;
+    };
+  };
+
+  # Postgres database configuration
+  services.postgresql = {
+    enable = true;
+
+    package = pkgs.postgresql_15;
+
+    ensureUsers = [{
+      name = "immich";
+      ensureDBOwnership = true;
+    }];
+    ensureDatabases = [ "immich" ];
+
+    # Allow connections from any docker IP addresses
+    authentication = ''
+      host immich immich 172.16.0.0/12 md5
+      host all all 127.0.0.1/32 ident
+    '';
+
+  };
+
+  # Allow docker containers to connect
+  networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
+}

nixos/hosts/hades/jellyfin/configuration.nix

@@ -0,0 +1,59 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, ... }:
+
+{
+  imports = [ ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+  boot.tmp.useTmpfs = true;
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ ];
+
+  fileSystems."/mnt/storage" = {
+    device = "storage:/mnt/storage";
+    fsType = "nfs";
+  };
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  users.groups.watchstate = { };
+  users.users.watchstate = {
+    isSystemUser = true;
+    group = "watchstate";
+  };
+
+  systemd.tmpfiles.rules =
+    [ "d '/var/lib/watchstate' 0755 watchstate watchstate -" ];
+
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+
+  # Managed imperatively through its CLI
+  virtualisation.oci-containers.containers.watchstate = {
+    image = "ghcr.io/arabcoders/watchstate:latest";
+    extraOptions = [ "--pull=newer" ];
+    user = "0:0";
+    environment = {
+      WS_TZ = "Europe/Amsterdam";
+      WS_CRON_IMPORT = "1";
+      WS_CRON_EXPORT = "1";
+      WS_CRON_PROGRESS = "1";
+    };
+    ports = [ "8080:8080" ];
+    volumes = [ "/var/lib/watchstate:/config:rw" ];
+  };
+
+}

nixos/hosts/hades/lucy/configuration.nix

@@ -0,0 +1,76 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running `nixos-help`).
+
+{ pkgs, ... }:
+# let
+# Redefining the package instead of overriding as overriding GoModules seems broken
+# see: https://github.com/NixOS/nixpkgs/issues/86349
+# _nuclei-latest = pkgs.buildGoModule rec {
+#   pname = "nuclei";
+#   version = "2.9.2";
+#
+#   src = pkgs.fetchFromGitHub {
+#     owner = "projectdiscovery";
+#     repo = pname;
+#     rev = "1f9a065713924b28b203e2108fc76d7a1ec49068";
+#     hash = "sha256-QiegMoBy0gZMyQl2MRAwR14zXeh8wvVonyETdAzHbj0=";
+#   };
+#
+#   vendorHash = "sha256-0JNwoBqLKH1F/0Tr8o35gCSNT/2plIjIQvZRuzAZ5P8=";
+#
+#   modRoot = "./v2";
+#   subPackages = [ "cmd/nuclei/" ];
+#
+#   doCheck = false;
+# };
+# in {
+{
+  imports = [ ./hardware-configuration.nix ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ jq wget jre8 ];
+  boot.loader = {
+
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+    efi.efiSysMountPoint = "/boot";
+  };
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 25565 ];
+  };
+  users = {
+    extraUsers = {
+
+      laura.extraGroups = [ "wheel" ];
+      vivian.extraGroups = [ "wheel" ];
+
+      julia = {
+        isNormalUser = true;
+        shell = pkgs.zsh;
+
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch"
+          # Below is Evelyn's keys
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDnZSVdqSybDwVooSZ+SGFM0YNu15sO/jgVqCBGDm33wj0fML5T4oviUrY6yABh+eAgy/NAztgM7+6L8Hlze5DBeMwNAvj9gr9QSzUetW0iqCscZJ8dDbW30O9449gw2JY/XZzcFMZAP5QEQGEgG/6QQ3yRwA3DMCsGhQQ37l/aS+RsKYq3ZSN4f1nFJCrm397QB8r+bhaexufXqwumxe8rlefoUNNVnmu54FA8Pc3jSdsWT4s/3mqF6NiRa53w13SBWyS+zopCy1tTSnRszgAkldpE7Vft/QnmpFavAWHzpfArv/uFXQ3fx5Cj5t70zB6VJEtaBxhdKXeQUFBCn7fmwfjV0Un9b8jLW94uDhDD3059trhMvJvqKebuqyZe74MTZH0IC3IobpSb9fHHvxuRwUQOMkkJmjv1p2y2R6v7s2tA1sZlIEBmRDvZcKo4hPBe6q13OePV3O8KAFzCmPBIfE6kQ/nLc+3k9OjFWFTshdDXUYpSVGjNrv/IanCXbEs="
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0KA0uOoLXUN4LhU7LgtSk0atWyPlEz5LA8dIXs9xTl"
+
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfooZjMWXvXZu1ReOEACDZ0TMb2WJRBSOLlWE8y6fUh victor@aoife"
+        ];
+
+        extraGroups = [ "mc" "wheel" ];
+      };
+    };
+    groups.mc = { };
+  };
+}

nixos/hosts/hades/lucy/hardware-configuration.nix

@@ -0,0 +1,44 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ lib, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot = {
+
+    initrd.availableKernelModules = [
+      "uhci_hcd"
+      "ehci_pci"
+      "ahci"
+      "virtio_pci"
+      "virtio_scsi"
+      "sd_mod"
+      "sr_mod"
+    ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/749c02fd-209d-4974-917e-38b749d10ec2";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D021-72EB";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nixos/hosts/hades/mastodon/configuration.nix

@@ -0,0 +1,111 @@
+{ config, pkgs, lib, ... }:
+let
+  vs = config.vault-secrets.secrets;
+  cfg = config.services.mastodon;
+in {
+  system.stateVersion = "21.05";
+  # Use DHCP with static leases
+  networking.interfaces.eth0.useDHCP = true;
+
+  # Better cache hits
+  environment.noXlibs = lib.mkForce false;
+  services = {
+    elasticsearch = {
+      enable = true;
+      cluster_name = "mastodon-es";
+      package = pkgs.elasticsearch7;
+    };
+
+    postgresql = {
+      enable = true;
+      package = pkgs.postgresql_16;
+      settings = {
+        shared_preload_libraries = "pg_stat_statements";
+        "pg_stat_statements.track" = "all";
+        "pg_stat_statements.max" = 10000;
+        track_activity_query_size = 2048;
+      };
+      # The rest of the database setup is handled by mastodon
+    };
+
+    mastodon = {
+      enable = true;
+      package = pkgs.v.glitch-soc;
+      streamingProcesses = 3;
+      webPort = 55001;
+      enableUnixSocket = false;
+      localDomain = "xirion.net";
+      trustedProxy = "192.168.0.122";
+      mediaAutoRemove = {
+        enable = true;
+        olderThanDays = 30;
+        startAt = "daily";
+      };
+
+      configureNginx = false;
+
+      redis.createLocally = true;
+
+      elasticsearch = {
+        host = "127.0.0.1";
+        inherit (config.services.elasticsearch) port;
+      };
+
+      database.createLocally = true;
+
+      smtp = {
+        createLocally = false;
+        fromAddress = "mastodon@xirion.net";
+        host = "mail.0x76.dev";
+        user = "mastodon@xirion.net";
+        authenticate = true;
+        port = 587;
+        passwordFile = "${vs.mastodon}/smtp-password";
+      };
+
+      extraConfig = {
+        BIND = "0.0.0.0";
+        SINGLE_USER_MODE = "false";
+        EMAIL_DOMAIN_ALLOWLIST = "xirion.net";
+        DEFAULT_LOCALE = "en";
+
+        WEB_DOMAIN = "fedi.xirion.net";
+        ALTERNATE_DOMAINS = "meowy.tech";
+
+        SMTP_AUTH_METHOD = "plain";
+        SMTP_OPENSSL_VERIFY_MODE = "none";
+
+        RAILS_SERVE_STATIC_FILES = "false";
+
+        AUTHORIZED_FETCH = "true";
+
+        # https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md;
+        # https://shivering-isles.com/Mastodon-and-Amazon-S3
+        S3_ENABLED = "true";
+        S3_REGION = "hades";
+        S3_BUCKET = "mastodon";
+        S3_ENDPOINT = "http://garage.hades:3900";
+        S3_ALIAS_HOST = "fedi-media.xirion.net";
+
+        DEEPL_PLAN = "free";
+      };
+    };
+  };
+
+  vault-secrets.secrets.mastodon = {
+    services = [ "mastodon-init-dirs" "mastodon" "mastodon-media-autoremove" ];
+    inherit (cfg) user group;
+  };
+
+  # Append the init-dirs script to add AWS/Minio secrets
+  systemd.services.mastodon-init-dirs.script = ''
+    cat >> /var/lib/mastodon/.secrets_env <<EOF
+    AWS_ACCESS_KEY_ID="$(cat ${vs.mastodon}/garageKeyId)"
+    AWS_SECRET_ACCESS_KEY="$(cat ${vs.mastodon}/garageSecretKey)"
+    DEEPL_API_KEY="$(cat ${vs.mastodon}/deeplAPIKey)"
+    EOF
+  '';
+
+  networking.firewall = let cfg = config.services.mastodon;
+  in { allowedTCPPorts = [ cfg.webPort ]; };
+}

nixos/hosts/hades/minio/configuration.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+let vs = config.vault-secrets.secrets;
+in {
+  system.stateVersion = "22.11";
+
+  networking.firewall.allowedTCPPorts = [ 9000 9001 ];
+
+  networking.interfaces.eth0.useDHCP = true;
+
+  vault-secrets.secrets.minio = { };
+
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = "${vs.minio}/environment";
+    package = pkgs.minio_legacy_fs;
+  };
+}

nixos/hosts/hades/nginx/configuration.nix

@@ -0,0 +1,156 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, ... }:
+let
+  proxy = url: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = url;
+      proxyWebsockets = true;
+    };
+  };
+in {
+  imports = [ ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  security.acme = {
+
+    defaults.email = "vivian@0x76.dev";
+    acceptTerms = true;
+    preliminarySelfsigned = true;
+  };
+
+  services.v.nginx.autoExpose = true;
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedBrotliSettings = true;
+    clientMaxBodySize = "1024m";
+
+    package = pkgs.nginxMainline;
+    virtualHosts = {
+      "xirion.net" = {
+        enableACME = true;
+        forceSSL = true;
+        locations = {
+          "/".extraConfig = ''
+            add_header Content-Type 'text/html; charset=UTF-8';
+            return 200 'Hello, World!';
+          '';
+
+          # Mastodon federation
+          "= /.well-known/host-meta".extraConfig = ''
+            return 301 https://fedi.xirion.net$request_uri;
+          '';
+          "/.well-known/webfinger".extraConfig = ''
+            add_header Access-Control-Allow-Origin '*';
+            return 301 https://fedi.xirion.net$request_uri;
+          '';
+        };
+      };
+
+      "peepeepoopoo.xirion.net" = proxy
+        "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!
+
+      "plex.xirion.net" = {
+        # Since we want a secure connection, we force SSL
+        forceSSL = true;
+        enableACME = true;
+
+        extraConfig = ''
+          #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+          send_timeout 100m;
+
+          # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
+          ssl_stapling on;
+          ssl_stapling_verify on;
+
+          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+          ssl_prefer_server_ciphers on;
+          #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
+          ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+          # Forward real ip and host to Plex
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $server_addr;
+          proxy_set_header Referer $server_addr;
+          proxy_set_header Origin $server_addr;
+
+          # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
+          # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
+          client_max_body_size 100M;
+
+          # Plex headers
+          proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+          proxy_set_header X-Plex-Device $http_x_plex_device;
+          proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+          proxy_set_header X-Plex-Platform $http_x_plex_platform;
+          proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+          proxy_set_header X-Plex-Product $http_x_plex_product;
+          proxy_set_header X-Plex-Token $http_x_plex_token;
+          proxy_set_header X-Plex-Version $http_x_plex_version;
+          proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
+          proxy_set_header X-Plex-Provides $http_x_plex_provides;
+          proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
+          proxy_set_header X-Plex-Model $http_x_plex_model;
+
+          # Buffering off send to the client as soon as the data is received from Plex.
+          proxy_redirect off;
+          proxy_buffering off;
+        '';
+        locations."/" = {
+
+          proxyWebsockets = true;
+          proxyPass = "http://plex2.hades:32400/";
+        };
+      };
+
+      "fedi.xirion.net" = {
+        enableACME = true;
+        forceSSL = true;
+
+        root = "${pkgs.v.glitch-soc}/public/";
+        locations = {
+          "/".tryFiles = "$uri @proxy";
+
+          # 	location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+          #     	add_header Cache-Control "public, max-age=31536000, immutable";
+          #     	add_header Strict-Transport-Security "max-age=31536000";
+          #     	try_files $uri @proxy;
+          #   	}
+
+          # 	location /sw.js {
+          #     	add_header Cache-Control "public, max-age=0";
+          #     	add_header Strict-Transport-Security "max-age=31536000";
+          #    		try_files $uri @proxy;
+          #   	}
+
+          "@proxy" = {
+            proxyPass = "http://192.168.0.138:55001";
+            proxyWebsockets = true;
+          };
+
+          "/api/v1/streaming" = {
+            proxyPass = "http://192.168.0.138:55000";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+}

nixos/hosts/hades/overseerr/README.md

@@ -0,0 +1,2 @@
+# Overseerr & co.
+This LXC container hosts all my *arr services and overseerr

nixos/hosts/hades/overseerr/configuration.nix

@@ -0,0 +1,30 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ ... }: {
+  imports = [
+    ./radarr.nix
+    ./sonarr.nix
+    ./lidarr.nix
+    ./prowlarr.nix
+    ./unpackerr.nix
+    ./overseerr.nix
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+
+  fileSystems."/mnt/storage" = {
+    device = "storage:/mnt/storage";
+    fsType = "nfs";
+  };
+
+  virtualisation.podman.enable = true;
+  virtualisation.oci-containers.backend = "podman";
+}

nixos/hosts/hades/overseerr/lidarr.nix

@@ -0,0 +1,31 @@
+{ config, ... }:
+let vs = config.vault-secrets.secrets;
+in {
+  networking.firewall.allowedTCPPorts = [ 8686 ];
+
+  vault-secrets.secrets.lidarr = {
+    quoteEnvironmentValues = false; # Needed for docker
+    services = [ "podman-lidarr" ];
+  };
+
+  virtualisation.oci-containers.containers.lidarr = {
+    image = "randomninjaatk/lidarr-extended:latest";
+    extraOptions = [ "--pull=newer" ];
+    environment = {
+      TZ = "Europe/Amsterdam";
+      dlClientSource = "deezer";
+      enableVideoScript = "false";
+    };
+    environmentFiles = [
+      # This file defines arlToken
+      "${vs.lidarr}/environment"
+    ];
+    ports = [ "8686:8686" ];
+    volumes = [
+      "/var/lib/lidarr/config:/config"
+      "/var/lib/lidarr/downloads:/downloads-lidarr-extended"
+      "/mnt/storage/plex/Music:/music"
+      "/mnt/storage/plex/MusicVideos:/music-videos"
+    ];
+  };
+}

nixos/hosts/hades/overseerr/overseerr.nix

@@ -0,0 +1,10 @@
+_: {
+  networking.firewall.allowedTCPPorts = [ 5055 ];
+  # TODO: Write NixOS package https://github.com/NixOS/nixpkgs/issues/135885
+  virtualisation.oci-containers.containers.overseerr = {
+    image = "ghcr.io/sct/overseerr:1.33.2";
+    environment = { TZ = "Europe/Amsterdam"; };
+    ports = [ "5055:5055" ];
+    volumes = [ "/var/lib/overseerr/config:/app/config" ];
+  };
+}

nixos/hosts/hades/overseerr/prowlarr.nix

@@ -0,0 +1,11 @@
+_: {
+  services.prowlarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  virtualisation.oci-containers.containers.flaresolverr = {
+    image = "flaresolverr/flaresolverr:v3.3.10";
+    ports = [ "8191:8191" ];
+  };
+}