Add changed vi keybindings

* move tunnel for nextcloud-web into separate file
* add script to check for running backups and shutdown server otherwise

.editorconfig

@@ -24,6 +24,14 @@ charset = unset
 indent_style = unset
 indent_size = unset
 
+[*.rom]
+end_of_line = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+charset = unset
+indent_style = unset
+indent_size = unset
+
 [*.py]
 indent_size = 4
 

.gitignore

@@ -7,7 +7,7 @@ vm
 iso
 doi
 
-pkgs/_sources/.shake*
-
+# PubSolarOS
 tags
 /owners
+pkgs/_sources/.shake*

flake.lock

@@ -235,6 +235,37 @@
         "type": "github"
       }
     },
+    "master": {
+      "locked": {
+        "lastModified": 1675254005,
+        "narHash": "sha256-n1qq2Qcz7DvPiB6emdRk/dx4uUgaFy0ojgKg3NBIwTU=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "1efc432d4f72c0e3146c1dd2e8a3ffa705be8a04",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixlib": {
+      "locked": {
+        "lastModified": 1636849918,
+        "narHash": "sha256-nzUK6dPcTmNVrgTAC1EOybSMsrcx+QrVPyqRdyKLkjA=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "28a5b0557f14124608db68d3ee1f77e9329e9dd5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "nixos": {
       "locked": {
         "lastModified": 1675154384,
@@ -251,6 +282,25 @@
         "type": "github"
       }
     },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1674666581,
+        "narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=",
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "type": "github"
+      }
+    },
     "nixos-hardware": {
       "locked": {
         "lastModified": 1674550793,
@@ -266,6 +316,22 @@
         "type": "github"
       }
     },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1637186689,
+        "narHash": "sha256-NU7BhgnwA/3ibmCeSzFK6xGi+Bari9mPfn+4cBmyEjw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7fad01d9d5a3f82081c00fb57918d64145dc904c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-unstable": {
       "locked": {
         "lastModified": 1672791794,
@@ -294,6 +360,22 @@
         "type": "indirect"
       }
     },
+    "pub-solar": {
+      "locked": {
+        "lastModified": 1654372286,
+        "narHash": "sha256-z1WrQkL67Sosz1VnuKQLpzEkEl4ianeLpWJX8Q6bVQY=",
+        "owner": "pub-solar",
+        "repo": "nixpkgs",
+        "rev": "4995a873a796c54cc49e5dca9e1d20350eceec7b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pub-solar",
+        "ref": "fix/use-latest-unstable-yubikey-agent",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -303,9 +385,12 @@
         "flake-compat": "flake-compat",
         "home": "home",
         "latest": "latest",
+        "master": "master",
         "nixos": "nixos",
+        "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
-        "nur": "nur"
+        "nur": "nur",
+        "pub-solar": "pub-solar"
       }
     },
     "utils": {

flake.nix

@@ -36,6 +36,11 @@
     agenix.inputs.darwin.follows = "darwin";
 
     nixos-hardware.url = "github:nixos/nixos-hardware";
+
+    nixos-generators.url = "github:nix-community/nixos-generators";
+
+    master.url = "github:nixos/nixpkgs/master";
+    pub-solar.url = "github:pub-solar/nixpkgs/fix/use-latest-unstable-yubikey-agent";
   };
 
   outputs = {
@@ -54,7 +59,7 @@
       inherit self inputs;
 
       channelsConfig = {
-        # allowUnfree = true;
+        allowUnfree = true;
       };
 
       supportedSystems = ["x86_64-linux" "aarch64-linux"];
@@ -124,11 +129,19 @@
             // {
               users = digga.lib.rakeLeaves ./users;
             };
+
           suites = with profiles; rec {
             base = [users.pub-solar users.root];
             iso = base ++ [base-user graphical pub-solar-iso];
             pubsolaros = [full-install base-user users.root];
             anonymous = [pubsolaros users.pub-solar];
+
+            b12f = pubsolaros ++ [users.ben social gaming mobile];
+            biolimo = b12f ++ [graphical];
+            chocolatebar = b12f ++ [graphical virtualisation];
+
+            yule = pubsolaros ++ [users.yule];
+            droppie = yule ++ [];
           };
         };
       };
@@ -142,19 +155,26 @@
             base = [direnv git];
           };
         };
-        users = {
-          pub-solar = {suites, ...}: {
+        users = let
+          default = {suites, ...}: {
             imports = suites.base;
-
             home.stateVersion = "21.03";
           };
-        }; # digga.lib.importers.rakeLeaves ./users/hm;
+        in {
+          pub-solar = default;
+          ben = default;
+          yule = default;
+        };
       };
 
       devshell = ./shell;
 
       homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
 
-      deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {};
+      deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
+        droppie = {
+          sshUser = "yule";
+        };
+      };
     };
 }

hosts/biolimo/.config/sway/config.d/autostart.conf

@@ -0,0 +1,6 @@
+# Autostart applications
+#
+# Example:
+# exec swayidle
+
+exec keepassxc

hosts/biolimo/.config/sway/config.d/custom-keybindings.conf

@@ -0,0 +1,19 @@
+# Touchpad controls
+#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
+
+# Screen brightness controls
+bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
+bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {    print $4}')"
+
+# Keyboard backlight brightness controls
+bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+
+# Pulse Audio controls
+bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
+bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
+bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
+# Media player controls
+bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
+bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
+bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

hosts/biolimo/.config/sway/config.d/input-defaults.conf

@@ -0,0 +1,9 @@
+input "1739:0:Synaptics_TM3288-011" {
+  dwt enabled
+  tap enabled
+  middle_emulation enabled
+}
+input * {
+  xkb_layout us(intl),de
+  xkb_options ctrl:nocaps
+}

hosts/biolimo/.config/sway/config.d/screens.conf

@@ -0,0 +1,20 @@
+set $internal eDP-1
+set $middle "Hewlett Packard HP E231 3CQ4290S5J"
+set $standup "Hewlett Packard HP E231 3CQ4251F33"
+
+output $internal {
+  scale 1
+  pos 1080 1080
+}
+
+output $middle {
+  scale 1
+
+  pos 1080 0
+}
+
+output $standup {
+  scale 1
+  transform 90
+  pos 0 0
+}

hosts/biolimo/biolimo.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    pub-solar.paranoia.enable = true;
+    pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
+    pub-solar.core.hibernation.resumeOffset = 15296512;
+
+    hardware.cpu.intel.updateMicrocode = true;
+
+    networking.firewall.allowedTCPPorts = [5000];
+
+    networking.networkmanager.wifi.backend = mkForce "wpa_supplicant";
+
+    home-manager = with pkgs;
+      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
+        xdg.configFile = mkIf psCfg.sway.enable {
+          "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+          "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
+          "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
+          "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
+        };
+
+        home.packages = [
+          inkscape
+        ];
+      };
+  };
+}

hosts/biolimo/configuration.nix

@@ -0,0 +1,25 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}

hosts/biolimo/default.nix

@@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./biolimo.nix
+    ]
+    ++ suites.biolimo;
+}

hosts/biolimo/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/abc3fe04-368e-46eb-8c7a-3a829bb2deab";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3B67-0CAB";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 18 * 1024; # 18 GB
+    }
+  ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
+}

hosts/chocolatebar/.config/sway/config.d/autostart.conf

@@ -0,0 +1,6 @@
+# Autostart applications
+#
+# Example:
+# exec swayidle
+
+exec keepassxc

hosts/chocolatebar/.config/sway/config.d/custom-keybindings.conf

@@ -0,0 +1,19 @@
+# Touchpad controls
+#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
+
+# Screen brightness controls
+bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
+bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {    print $4}')"
+
+# Keyboard backlight brightness controls
+bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+
+# Pulse Audio controls
+bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
+bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
+bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
+# Media player controls
+bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
+bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
+bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

hosts/chocolatebar/.config/sway/config.d/input-defaults.conf

@@ -0,0 +1,4 @@
+input * {
+  xkb_layout us(intl),de
+  xkb_options ctrl:nocaps
+}

hosts/chocolatebar/.config/sway/config.d/screens.conf

@@ -0,0 +1,18 @@
+set $left DP-3
+set $middle DP-1
+set $right HDMI-A-1
+
+output $left {
+  scale 1
+  pos 0 0
+}
+
+output $middle {
+  scale 1
+  pos 1920 0
+}
+
+output $right {
+  scale 1
+  pos 3840 0
+}

hosts/chocolatebar/chocolatebar.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  pkgs,
+  lib,
+  self,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  imports = [
+    ./configuration.nix
+    ./virtualisation
+    ./factorio
+  ];
+
+  config = {
+    hardware.cpu.amd.updateMicrocode = true;
+
+    hardware.opengl.extraPackages = with pkgs; [
+      rocm-opencl-icd
+      rocm-opencl-runtime
+    ];
+
+    pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
+    pub-solar.core.hibernation.resumeOffset = 115075072;
+
+    age.secrets."drone-runner-exec-config" = {
+      file = "${self}/secrets/drone-runner-exec-config";
+      mode = "400";
+      owner = psCfg.user.name;
+    };
+
+    pub-solar.docker-ci-runner = {
+      enable = true;
+      runnerVarsFile = config.age.secrets.drone-runner-exec-config.path;
+    };
+
+    services.openssh.openFirewall = true;
+    networking.firewall.allowedTCPPorts =
+      [443]
+      ++ (
+        if psCfg.sway.vnc.enable
+        then [5901]
+        else []
+      );
+    networking.firewall.allowedUDPPorts = [43050];
+
+    environment.systemPackages = with pkgs; [
+      wayvnc
+      drone-docker-runner
+      stdenv.cc.cc.lib
+      pkgs.hplip
+    ];
+
+    age.secrets."vnc-key.pem" = {
+      file = "${self}/secrets/vnc-key-chocolatebar.pem";
+      mode = "400";
+      owner = psCfg.user.name;
+    };
+    age.secrets."vnc-cert.pem" = {
+      file = "${self}/secrets/vnc-cert-chocolatebar.pem";
+      mode = "400";
+      owner = psCfg.user.name;
+    };
+    pub-solar.sway.vnc.enable = true;
+
+    home-manager.users."${psCfg.user.name}" = {
+      xdg.configFile = mkIf psCfg.sway.enable {
+        "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
+        "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
+        "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+      };
+
+      home.sessionVariables = {
+        NIX_CC = "${pkgs.stdenv.cc}";
+      };
+    };
+
+    # For OpenProject development with https
+    security.pki.certificates = [
+      (builtins.readFile ./step-roots.pem)
+    ];
+  };
+}

hosts/chocolatebar/configuration.nix

@@ -0,0 +1,25 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}

hosts/chocolatebar/default.nix

@@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./chocolatebar.nix
+    ]
+    ++ suites.chocolatebar;
+}

hosts/chocolatebar/factorio/default.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  lib,
+  self,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+
+  far-reach = pkgs.stdenv.mkDerivation rec {
+    pname = "factorio-far-reach";
+    version = "1.1.2";
+    src = ./far-reach_1.1.2.zip;
+    phases = ["installPhase"];
+    deps = [];
+    installPhase = ''
+      mkdir -p $out
+      cp $src far-reach_1.1.2.zip
+    '';
+  };
+in {
+  config = {
+    services.factorio = {
+      enable = true;
+      port = 34197; # The default, but make it explicit
+      lan = true;
+      game-password = "pls-dont-grief";
+      admins = [
+        "doubtwriter"
+        "kattykat"
+      ];
+      openFirewall = true;
+      autosave-interval = 3;
+      game-name = "Babes plays v2";
+      requireUserVerification = false;
+      bind = "::";
+      mods = [
+        far-reach
+      ];
+    };
+
+    networking.firewall.allowedUDPPorts = [34197];
+    networking.firewall.allowedTCPPorts = [34197];
+  };
+}

hosts/chocolatebar/hardware-configuration.nix

@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbcore" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a3a74208-b244-4268-b374-e58265810fce";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/12FD-62A8";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 68 * 1024; # 68 GB
+    }
+  ];
+}

hosts/chocolatebar/step-roots.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6DCCAY2gAwIBAgIQD4Q4blCl/ZrTIRU2QpqEOTAKBggqhkjOPQQDAjBSMSMw
+IQYDVQQKExpPcGVuUHJvamVjdCBEZXZlbG9wbWVudCBDQTErMCkGA1UEAxMiT3Bl
+blByb2plY3QgRGV2ZWxvcG1lbnQgQ0EgUm9vdCBDQTAeFw0yMjEwMTgxMTE1NDBa
+Fw0zMjEwMTUxMTE1NDBaMFIxIzAhBgNVBAoTGk9wZW5Qcm9qZWN0IERldmVsb3Bt
+ZW50IENBMSswKQYDVQQDEyJPcGVuUHJvamVjdCBEZXZlbG9wbWVudCBDQSBSb290
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu4rN0lOtgxoC83UKONMy2Ns7
+tI0/u6qPp/Cw92xhaTdh/X9ZWKqIhp2VGj2HUJOOfQXrFew7jbLGOvvoXib0Y6NF
+MEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
+FPjV1zK2GZu8x4uR0QDotk5kNinEMAoGCCqGSM49BAMCA0kAMEYCIQDS2OpCnHM7
+RV7fFHT3KsG3q4lA3dJUKGighQaQ2qOwNwIhAOMmWGWd3EaD87q4RROyVt3h7vIN
+nMJRu7L9il84hFF2
+-----END CERTIFICATE-----

hosts/chocolatebar/virtualisation/create-service.nix

@@ -0,0 +1,112 @@
+{
+  config,
+  pkgs,
+  lib,
+  vm,
+  ...
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  varsFile = "${xdg.dataHome}/libvirt/OVMF_VARS_${vm.name}.fd";
+  generateXML = import ./guest-xml.nix;
+in {
+  serviceConfig = {
+    Type = "oneshot";
+    RemainAfterExit = "yes";
+    Restart = "no";
+  };
+
+  script = let
+    networkXML = pkgs.writeText "network.xml" (import ./network-xml.nix {
+      inherit config;
+      inherit pkgs;
+      inherit lib;
+    });
+    machineXML = pkgs.writeText "${vm.name}.xml" (vm.generateXML {
+      inherit config;
+      inherit pkgs;
+      inherit lib;
+      inherit vm;
+      varsFile = varsFile;
+    });
+  in ''
+    echo "Checking if ${vm.name} is already running"
+    STATUS=$(${pkgs.libvirt}/bin/virsh list --all | grep "${vm.name}" | ${pkgs.gawk}/bin/awk '{ print $3 " " $4 }' )
+    if [[ $STATUS != "shut off" && $STATUS != "" ]]; then
+      echo "Domain ${vm.name} is already running or in an inconsistent state:"
+      ${pkgs.libvirt}/bin/virsh list --all
+      exit 0
+    fi
+
+    echo "Creating network XML"
+    NET_TMP_FILE="/tmp/network.xml"
+
+    NETUUID="$(${pkgs.libvirt}/bin/virsh net-uuid 'default' || true)"
+    (sed "s/UUID/$NETUUID/" '${networkXML}') > "$NET_TMP_FILE"
+
+    echo "Defining and starting network"
+    ${pkgs.libvirt}/bin/virsh net-define "$NET_TMP_FILE"
+    ${pkgs.libvirt}/bin/virsh net-start 'default' || true
+
+    VARS_FILE=${varsFile}
+    if [ ! -f "$VARS_FILE" ]; then
+      echo "Copying vars filej"
+      cp /run/libvirt/nix-ovmf/OVMF_VARS.fd "$VARS_FILE"
+    fi
+
+    echo "Replacing USB device IDs in the XML"
+    # Load the template contents into a tmp file
+    TMP_FILE="/tmp/${vm.name}.xml"
+    cat "${machineXML}" > "$TMP_FILE"
+
+    # Set VM UUID
+    UUID="$(${pkgs.libvirt}/bin/virsh domuuid '${vm.name}' || true)"
+    sed -i "s/UUID/''${UUID}/" "$TMP_FILE"
+
+    ${
+      if vm.handOverUSBDevices
+      then ''
+        # Hand over mouse
+        USB_BUS=3
+        USB_DEV=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c52b | grep "Bus 00''${USB_BUS}" | cut -b 18)
+        LINE_NUMBER=$(cat $TMP_FILE | grep -n -A 1 0xc52b | tail -n 1 | cut -b 1,2,3)
+        sed -i "''${LINE_NUMBER}s/.*/<address bus=\"''${USB_BUS}\" device=\"''${USB_DEV}\" \/>/" "$TMP_FILE"
+
+        # Hand over keyboard
+        USB_BUS=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c328 | cut -b 7)
+        USB_DEV=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c328 | cut -b 18)
+        LINE_NUMBER=$(cat $TMP_FILE | grep -n -A 1 0xc328 | tail -n 1 | cut -b 1,2,3)
+        sed -i "''${LINE_NUMBER}s/.*/<address bus=\"''${USB_BUS}\" device=\"''${USB_DEV}\" \/>/" "$TMP_FILE"
+      ''
+      else ""
+    }
+
+    # TODO: Set correct pci address for the GPU too
+
+    # Setup looking glass shm file
+    echo "Setting up looking glass shm file"
+    ${pkgs.coreutils-full}/bin/truncate -s 0 /dev/shm/looking-glass
+    ${pkgs.coreutils-full}/bin/dd if=/dev/zero of=/dev/shm/looking-glass bs=1M count=32
+
+    # Load and start the xml definition
+    echo "Loading and starting the VM XML definition"
+    ${pkgs.libvirt}/bin/virsh define "$TMP_FILE"
+    ${pkgs.libvirt}/bin/virsh start '${vm.name}'
+  '';
+
+  preStop = ''
+    ${pkgs.libvirt}/bin/virsh shutdown '${vm.name}'
+    let "timeout = $(date +%s) + 10"
+    while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${vm.name}$')" -gt 0 ]; do
+      if [ "$(date +%s)" -ge "$timeout" ]; then
+        # Meh, we warned it...
+        ${pkgs.libvirt}/bin/virsh destroy '${vm.name}'
+      else
+        # The machine is still running, let's give it some time to shut down
+        sleep 0.5
+      fi
+    done
+
+    ${pkgs.libvirt}/bin/virsh net-destroy 'default' || true
+  '';
+}

hosts/chocolatebar/virtualisation/default.nix

@@ -0,0 +1,82 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  createService = import ./create-service.nix;
+  generateXML = import ./guest-xml.nix;
+  generateTailsXML = import ./tails-xml.nix;
+
+  isolateGPU = "rx550x";
+  memory = 48; # in GB
+  handOverUSBDevices = false;
+
+  isolateAnyGPU = isolateGPU != null;
+in {
+  config = mkIf psCfg.virtualisation.enable {
+    boot.extraModprobeConfig = mkIf isolateAnyGPU (concatStringsSep "\n" [
+      "softdep amdgpu pre: vfio vfio_pci"
+      (
+        if isolateGPU == "rx5700xt"
+        then "options vfio-pci ids=1002:731f,1002:ab38"
+        else "options vfio-pci ids=1002:699f,1002:aae0"
+      )
+    ]);
+
+    systemd.user.services = {
+      vm-windows = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "windows";
+          disk = "/dev/disk/by-id/ata-SanDisk_SDSSDA240G_162402455603";
+          id = "http://microsoft.com/win/10";
+          gpu = true;
+          mountHome = false;
+          memory = memory;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = handOverUSBDevices;
+          generateXML = generateXML;
+        };
+      };
+      vm-manjaro = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "manjaro";
+          disk = "/dev/disk/by-id/ata-KINGSTON_SM2280S3G2240G_50026B726B0265CE";
+          id = "https://manjaro.org/download/#i3";
+          gpu = true;
+          mountHome = true;
+          memory = memory;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = handOverUSBDevices;
+          generateXML = generateXML;
+        };
+      };
+      vm-tails = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "tails";
+          disk = "/var/lib/vms/tails/tails-amd64-5.4.iso";
+          # disk = "/var/lib/vms/nixos/nixos-minimal.iso";
+          id = "https://tails.boum.org/install/index.en.html";
+          gpu = false;
+          mountHome = false;
+          memory = 16;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = false;
+          generateXML = generateTailsXML;
+        };
+      };
+    };
+  };
+}

hosts/chocolatebar/virtualisation/guest-xml.nix

@@ -0,0 +1,263 @@
+{
+  config,
+  pkgs,
+  lib,
+  vm,
+  varsFile,
+  ...
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  home = config.home-manager.users."${psCfg.user.name}".home;
+in ''
+  <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+    <name>${vm.name}</name>
+    <uuid>UUID</uuid>
+    <metadata>
+      <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+        <libosinfo:os id="${vm.id}"/>
+      </libosinfo:libosinfo>
+    </metadata>
+    <memory unit='GB'>${toString vm.memory}</memory>
+    <currentMemory unit='GB'>${toString vm.memory}</currentMemory>
+    <vcpu placement='static'>12</vcpu>
+    <cputune>
+      <vcpupin vcpu='0' cpuset='6'/>
+      <vcpupin vcpu='1' cpuset='7'/>
+      <vcpupin vcpu='2' cpuset='8'/>
+      <vcpupin vcpu='3' cpuset='9'/>
+      <vcpupin vcpu='4' cpuset='10'/>
+      <vcpupin vcpu='5' cpuset='11'/>
+      <vcpupin vcpu='6' cpuset='18'/>
+      <vcpupin vcpu='7' cpuset='19'/>
+      <vcpupin vcpu='8' cpuset='20'/>
+      <vcpupin vcpu='9' cpuset='21'/>
+      <vcpupin vcpu='10' cpuset='22'/>
+      <vcpupin vcpu='11' cpuset='23'/>
+    </cputune>
+    <resource>
+      <partition>/machine</partition>
+    </resource>
+    <os>
+      <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
+      <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
+      <nvram>${varsFile}</nvram>
+      <boot dev='hd'/>
+    </os>
+    <features>
+      <acpi/>
+      <apic/>
+      <hyperv>
+        <relaxed state='on'/>
+        <vapic state='on'/>
+        <spinlocks state='on' retries='8191'/>
+        <vendor_id state='on' value='wahtever'/>
+      </hyperv>
+      <kvm>
+        <hidden state='on'/>
+      </kvm>
+      <vmport state='off'/>
+    </features>
+    <cpu mode='custom' match='exact' check='full'>
+      <model fallback='forbid'>EPYC-IBPB</model>
+      <vendor>AMD</vendor>
+      <topology sockets='1' dies='1' cores='6' threads='2'/>
+      <feature policy='require' name='x2apic'/>
+      <feature policy='require' name='tsc-deadline'/>
+      <feature policy='require' name='hypervisor'/>
+      <feature policy='require' name='tsc_adjust'/>
+      <feature policy='require' name='clwb'/>
+      <feature policy='require' name='umip'/>
+      <feature policy='require' name='stibp'/>
+      <feature policy='require' name='arch-capabilities'/>
+      <feature policy='require' name='ssbd'/>
+      <feature policy='require' name='xsaves'/>
+      <feature policy='require' name='cmp_legacy'/>
+      <feature policy='require' name='perfctr_core'/>
+      <feature policy='require' name='clzero'/>
+      <feature policy='require' name='wbnoinvd'/>
+      <feature policy='require' name='amd-ssbd'/>
+      <feature policy='require' name='virt-ssbd'/>
+      <feature policy='require' name='rdctl-no'/>
+      <feature policy='require' name='skip-l1dfl-vmentry'/>
+      <feature policy='require' name='mds-no'/>
+      <feature policy='require' name='pschange-mc-no'/>
+      <feature policy='disable' name='monitor'/>
+      <feature policy='disable' name='svm'/>
+      <feature policy='require' name='topoext'/>
+    </cpu>
+    <clock offset='utc'>
+      <timer name='rtc' tickpolicy='catchup'/>
+      <timer name='pit' tickpolicy='delay'/>
+      <timer name='hpet' present='no'/>
+    </clock>
+    <on_poweroff>destroy</on_poweroff>
+    <on_reboot>restart</on_reboot>
+    <on_crash>destroy</on_crash>
+    <pm>
+      <suspend-to-mem enabled='no'/>
+      <suspend-to-disk enabled='no'/>
+    </pm>
+    <devices>
+      <emulator>${pkgs.qemu}/bin/qemu-system-x86_64</emulator>
+      <disk type='block' device='disk'>
+        <driver name='qemu' type='raw' cache='none' discard='unmap' />
+        <source dev='${vm.disk}'/>
+        <backingStore/>
+        <target dev='vdb' bus='virtio'/>
+        <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+      </disk>
+      <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+        <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+      </controller>
+      <controller type='sata' index='0'>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+      </controller>
+      <controller type='pci' index='0' model='pcie-root'/>
+      <controller type='pci' index='1' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='1' port='0x10'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+      </controller>
+      <controller type='pci' index='2' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='2' port='0x11'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+      </controller>
+      <controller type='pci' index='3' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='3' port='0x12'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+      </controller>
+      <controller type='pci' index='4' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='4' port='0x13'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+      </controller>
+      <controller type='pci' index='5' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='5' port='0x14'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+      </controller>
+      <controller type='pci' index='6' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='6' port='0x15'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+      </controller>
+      <controller type='pci' index='7' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='7' port='0x16'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
+      </controller>
+      <controller type='pci' index='8' model='pcie-to-pci-bridge'>
+        <model name='pcie-pci-bridge'/>
+        <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+      </controller>
+      <controller type='pci' index='9' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='9' port='0x17'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
+      </controller>
+      <controller type='virtio-serial' index='0'>
+        <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+      </controller>
+      ${
+    if vm.mountHome
+    then ''
+      <filesystem type='mount' accessmode='mapped'>
+        <source dir='/home/${psCfg.user.name}'/>
+        <target dir='/media/home'/>
+        <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
+      </filesystem>
+    ''
+    else ""
+  }
+      <interface type='network'>
+        <mac address='52:54:00:44:cd:ac'/>
+        <source network='default'/>
+        <model type='virtio'/>
+        <address type='pci' domain='0x0000' bus='0x08' slot='0x01' function='0x0'/>
+      </interface>
+      <console type='pty'>
+        <target type='serial' port='0'/>
+      </console>
+      <input type='tablet' bus='usb'>
+        <address type='usb' bus='0' port='1'/>
+      </input>
+      <input type='mouse' bus='virtio'/>
+      <input type='keyboard' bus='virtio'/>
+      <graphics type='spice' autoport='yes' listen='127.0.0.1'>
+        <listen type='address' address='127.0.0.1'/>
+        <image compression='off'/>
+      </graphics>
+      <video>
+        <model type='cirrus' vram='16384' heads='1' primary='yes'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+      </video>
+      ${
+    if vm.handOverUSBDevices
+    then ''
+      <hostdev mode='subsystem' type='usb' managed='yes'>
+        <source>
+          <vendor id='0x046d'/>
+          <product id='0xc328'/>
+          <address bus='1' device='1'/>
+        </source>
+        <address type='usb' bus='0' port='4'/>
+      </hostdev>
+      <hostdev mode='subsystem' type='usb' managed='yes'>
+        <source>
+          <vendor id='0x046d'/>
+          <product id='0xc52b'/>
+          <address bus='1' device='1'/>
+        </source>
+        <address type='usb' bus='0' port='5'/>
+      </hostdev>
+    ''
+    else ""
+  }
+      ${
+    if vm.gpu && vm.isolateGPU != null
+    then ''
+      <hostdev mode='subsystem' type='pci' managed='yes'>
+        <driver name='vfio'/>
+        <source>
+          <address domain='0x0000' bus='0x0b' slot='0x00' function='0x0'/>
+        </source>
+        <rom bar='on' file='/etc/nixos/hosts/chocolatebar/virtualisation/${vm.isolateGPU}.rom'/>
+        <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0' multifunction='on'/>
+      </hostdev>
+      <hostdev mode='subsystem' type='pci' managed='yes'>
+        <driver name='vfio'/>
+        <source>
+          <address domain='0x0000' bus='0x0b' slot='0x00' function='0x1'/>
+        </source>
+        <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x1'/>
+      </hostdev>
+    ''
+    else ""
+  }
+      <redirdev bus='usb' type='spicevmc'>
+        <address type='usb' bus='0' port='2'/>
+      </redirdev>
+      <redirdev bus='usb' type='spicevmc'>
+        <address type='usb' bus='0' port='3'/>
+      </redirdev>
+      <memballoon model='virtio'>
+        <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+      </memballoon>
+      <shmem name='looking-glass'>
+        <model type='ivshmem-plain'/>
+        <size unit='M'>32</size>
+      </shmem>
+    </devices>
+    <qemu:commandline>
+      <qemu:arg value='-device'/>
+      <qemu:arg value='ich9-intel-hda,bus=pcie.0,addr=0x1b'/>
+      <qemu:arg value='-device'/>
+      <qemu:arg value='hda-micro,audiodev=hda'/>
+      <qemu:arg value='-audiodev'/>
+      <qemu:arg value='pa,id=hda,server=unix:/run/user/1001/pulse/native'/>
+    </qemu:commandline>
+  </domain>
+''

hosts/chocolatebar/virtualisation/network-xml.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: ''
+  <network>
+    <name>default</name>
+    <uuid>UUID</uuid>
+    <forward mode='nat'>
+      <nat>
+        <port start='1024' end='65535'/>
+      </nat>
+    </forward>
+    <bridge name='virbr0' stp='on' delay='0'/>
+    <mac address='52:54:00:bd:a0:73'/>
+    <ip address='192.168.122.1' netmask='255.255.255.0'>
+      <dhcp>
+        <range start='192.168.122.2' end='192.168.122.254'/>
+      </dhcp>
+    </ip>
+  </network>
+''

hosts/chocolatebar/virtualisation/tails-xml.nix

@@ -0,0 +1,188 @@
+{
+  config,
+  pkgs,
+  lib,
+  vm,
+  varsFile,
+  ...
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  home = config.home-manager.users."${psCfg.user.name}".home;
+in ''
+    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+      <name>${vm.name}</name>
+      <uuid>UUID</uuid>
+      <metadata>
+        <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+          <libosinfo:os id="${vm.id}"/>
+        </libosinfo:libosinfo>
+      </metadata>
+      <memory unit='GB'>${toString vm.memory}</memory>
+      <currentMemory unit='GB'>${toString vm.memory}</currentMemory>
+    <vcpu placement="static">8</vcpu>
+    <os>
+      <type arch="x86_64" machine="pc-q35-7.0">hvm</type>
+      <boot dev="cdrom"/>
+    </os>
+    <features>
+      <acpi/>
+      <apic/>
+      <vmport state="off"/>
+    </features>
+    <cpu mode="host-passthrough" check="none" migratable="on"/>
+    <clock offset="utc">
+      <timer name="rtc" tickpolicy="catchup"/>
+      <timer name="pit" tickpolicy="delay"/>
+      <timer name="hpet" present="no"/>
+    </clock>
+    <on_poweroff>destroy</on_poweroff>
+    <on_reboot>restart</on_reboot>
+    <on_crash>destroy</on_crash>
+    <pm>
+      <suspend-to-mem enabled="no"/>
+      <suspend-to-disk enabled="no"/>
+    </pm>
+    <devices>
+      <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
+      <disk type="file" device="cdrom">
+        <driver name="qemu" type="raw"/>
+        <source file="${vm.disk}"/>
+        <target dev="sda" bus="sata"/>
+        <readonly/>
+        <address type="drive" controller="0" bus="0" target="0" unit="0"/>
+      </disk>
+      <controller type="usb" index="0" model="qemu-xhci" ports="15">
+        <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
+      </controller>
+      <controller type="pci" index="0" model="pcie-root"/>
+      <controller type="pci" index="1" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="1" port="0x10"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
+      </controller>
+      <controller type="pci" index="2" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="2" port="0x11"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
+      </controller>
+      <controller type="pci" index="3" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="3" port="0x12"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
+      </controller>
+      <controller type="pci" index="4" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="4" port="0x13"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/>
+      </controller>
+      <controller type="pci" index="5" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="5" port="0x14"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x4"/>
+      </controller>
+      <controller type="pci" index="6" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="6" port="0x15"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x5"/>
+      </controller>
+      <controller type="pci" index="7" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="7" port="0x16"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x6"/>
+      </controller>
+      <controller type="pci" index="8" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="8" port="0x17"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x7"/>
+      </controller>
+      <controller type="pci" index="9" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="9" port="0x18"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0" multifunction="on"/>
+      </controller>
+      <controller type="pci" index="10" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="10" port="0x19"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x1"/>
+      </controller>
+      <controller type="pci" index="11" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="11" port="0x1a"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x2"/>
+      </controller>
+      <controller type="pci" index="12" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="12" port="0x1b"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x3"/>
+      </controller>
+      <controller type="pci" index="13" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="13" port="0x1c"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x4"/>
+      </controller>
+      <controller type="pci" index="14" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="14" port="0x1d"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x5"/>
+      </controller>
+      <controller type="sata" index="0">
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/>
+      </controller>
+      <controller type="virtio-serial" index="0">
+        <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
+      </controller>
+      <interface type="network">
+        <mac address="52:54:00:58:5e:36"/>
+        <source network="default"/>
+        <model type="virtio"/>
+        <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
+      </interface>
+      <serial type="pty">
+        <target type="isa-serial" port="0">
+          <model name="isa-serial"/>
+        </target>
+      </serial>
+      <console type="pty">
+        <target type="serial" port="0"/>
+      </console>
+      <channel type="unix">
+        <target type="virtio" name="org.qemu.guest_agent.0"/>
+        <address type="virtio-serial" controller="0" bus="0" port="1"/>
+      </channel>
+      <channel type="spicevmc">
+        <target type="virtio" name="com.redhat.spice.0"/>
+        <address type="virtio-serial" controller="0" bus="0" port="2"/>
+      </channel>
+      <input type="tablet" bus="usb">
+        <address type="usb" bus="0" port="1"/>
+      </input>
+      <input type="mouse" bus="ps2"/>
+      <input type="keyboard" bus="ps2"/>
+      <graphics type="spice" autoport="yes">
+        <listen type="address"/>
+        <image compression="off"/>
+      </graphics>
+      <sound model="ich9">
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x1b" function="0x0"/>
+      </sound>
+      <audio id="1" type="spice"/>
+      <video>
+        <model type="qxl" ram="65536" vram="65536" vgamem="16384" heads="1" primary="yes"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/>
+      </video>
+      <redirdev bus="usb" type="spicevmc">
+        <address type="usb" bus="0" port="2"/>
+      </redirdev>
+      <redirdev bus="usb" type="spicevmc">
+        <address type="usb" bus="0" port="3"/>
+      </redirdev>
+      <memballoon model="virtio">
+        <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
+      </memballoon>
+      <rng model="virtio">
+        <backend model="random">/dev/urandom</backend>
+        <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
+      </rng>
+    </devices>
+  </domain>''

hosts/droppie/configuration.nix

@@ -0,0 +1,30 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    device = "nodev";
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+}

hosts/droppie/default.nix

@@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./droppie.nix
+    ]
+    ++ suites.droppie;
+}

hosts/droppie/droppie.nix

@@ -0,0 +1,52 @@
+{
+  config,
+  pkgs,
+  lib,
+  self,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  imports = [
+    ./configuration.nix
+    ./nextcloud-web-tunnel.nix
+    ./restic-backup.nix
+  ];
+
+  config = {
+    hardware.cpu.intel.updateMicrocode = true;
+
+    pub-solar.core.disk-encryption-active = false;
+    pub-solar.core.lite = true;
+
+    security.sudo.extraRules = [
+      {
+        users = ["${psCfg.user.name}"];
+        commands = [
+          {
+            command = "ALL";
+            options = ["NOPASSWD"];
+          }
+        ];
+      }
+    ];
+
+    services.ddclient = {
+      enable = true;
+      ipv6 = true;
+      domains = ["backup.b12f.io"];
+      server = "ddns.hosting.de";
+      username = "b12f";
+      use = "web, web=http://checkip6.spdyn.de/, web-skip=''";
+      passwordFile = "/run/agenix/dyndns-droppie.key";
+    };
+
+    age.secrets."dyndns-droppie.key" = {
+      file = "${self}/secrets/dyndns-droppie.key";
+      mode = "400";
+      owner = "root";
+    };
+  };
+}

hosts/droppie/hardware-configuration.nix

@@ -0,0 +1,52 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ahci" "usbhid" "uas"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/1dca9d02-555c-4b23-9450-8f3413fa7694";
+    fsType = "xfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/A24C-F252";
+    fsType = "vfat";
+  };
+
+  fileSystems."/media/internal" = {
+    device = "/dev/disk/by-uuid/5cf314a8-82f4-4037-a724-62d2ff226cff";
+    fsType = "ext4";
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/2ef980f1-1f27-4d2a-9789-00f45e791fcc";
+    fsType = "xfs";
+  };
+
+  swapDevices = [{device = "/dev/disk/by-uuid/0203b641-280f-4a3d-971d-fd32a666c852";}];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+  networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/droppie/nextcloud-web-tunnel.nix

@@ -0,0 +1,29 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  config = {
+    services.openssh.knownHosts = {
+      "cloud.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABPJSwr9DfnqV0KoL23BcxlWtRxuOqQpnFnCv4SG/LW";
+    };
+
+    systemd.services.ssh-tunnel-cloud-pub-solar = {
+      unitConfig = {
+        Description = "Reverse SSH connection to enable backups from IPv4-only to IPv6-only host";
+        After = ["network.target"];
+      };
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o 'ServerAliveInterval 10' -o 'ExitOnForwardFailure yes' -R 127.0.0.1:22022:localhost:22 root@cloud.pub.solar";
+        User = psCfg.user.name;
+        Group = "users";
+        Restart = "always";
+        RestartSec = "5s";
+      };
+      wantedBy = ["default.target"];
+    };
+  };
+}

hosts/droppie/restic-backup.nix

@@ -0,0 +1,50 @@
+{pkgs, ...}: let
+  shutdownWaitMinutes = 15;
+  shutdownScript = pkgs.writeShellScriptBin "shutdown-wait" ''
+    STATUS_FILES="/media/internal/backups-pub-solar/status"
+
+    running=""
+
+    for f in $STATUS_FILES; do
+      declare started
+      declare finished
+
+      started=$(source $f ; echo ''${BACKUP_STARTED})
+      finished=$(source $f ; echo ''${BACKUP_FINISHED})
+
+      if [ -z "''${finished}" ]; then
+        echo "backup $(dirname $f) still running"
+        running="yes"
+        break
+      fi
+    done
+
+    if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then
+      echo "backups are still running"
+      exit 1
+    fi
+
+    echo "WARNING: System will be shut down within the next 15 minutes" | wall
+
+    sleep 10
+
+    shutdown -P +${builtins.toString shutdownWaitMinutes}
+  '';
+in {
+  systemd.services."shutdown-after-backup" = {
+    enable = true;
+    serviceConfig = {
+      ExecStart = "${shutdownScript}/bin/shutdown-wait";
+      Type = "oneshot";
+    };
+  };
+
+  systemd.timers."shutdown-after-backup" = {
+    enable = true;
+    timerConfig = {
+      OnCalendar = "3..9:* Etc/UTC";
+    };
+    wantedBy = ["timers.target"];
+    partOf = ["shutdown-after-backup.service"];
+  };
+}

modules/audio/mopidy.nix

@@ -5,7 +5,7 @@ pkgs: {
     mopidy-soundcloud
     mopidy-youtube
     mopidy-local
-    mopidy-jellyfin
+    # mopidy-jellyfin
   ];
 
   configuration = ''

modules/core/networking.nix

@@ -46,12 +46,16 @@ in {
     nix.settings.trusted-public-keys = cfg.publicKeys;
 
     # These entries get added to /etc/hosts
-    networking.hosts = {
-      "127.0.0.1" =
+    networking.hosts = let
+      hostnames =
         []
         ++ lib.optionals cfg.enableCaddy ["caddy.local"]
         ++ lib.optionals config.pub-solar.printing.enable ["cups.local"]
+        ++ lib.optionals config.pub-solar.paperless.enable ["paperless.local"]
         ++ lib.optionals cfg.enableHelp ["help.local"];
+    in {
+      "127.0.0.1" = hostnames;
+      "::1" = hostnames;
     };
 
     # Caddy reverse proxy for local services like cups
@@ -71,6 +75,15 @@ in {
             }
           '')
 
+        (lib.optionalString
+          config.pub-solar.paperless.enable
+          ''
+            paperless.local:80 {
+              request_header Host localhost:28981
+              reverse_proxy localhost:28981
+            }
+          '')
+
         (lib.optionalString
           cfg.enableHelp
           ''

modules/devops/default.nix

@@ -16,6 +16,7 @@ in {
     home-manager = with pkgs;
       pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
         home.packages = [
+          croc
           drone-cli
           nmap
           pgcli
@@ -24,6 +25,7 @@ in {
           restic
           shellcheck
           terraform
+          tea
         ];
       };
   };

modules/gaming/default.nix

@@ -18,9 +18,8 @@ in {
       steam = pkgs.steam.override {};
     };
 
-    home-manager = with pkgs;
-      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
-        home.packages = [
+    home-manager.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
+      home.packages = with pkgs; [
         playonlinux
         godot
         obs-studio

modules/mobile/default.nix

@@ -0,0 +1,23 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.mobile;
+in {
+  options.pub-solar.mobile = {
+    enable = mkEnableOption "Add android adb and tooling";
+  };
+
+  config = mkIf cfg.enable {
+    programs.adb.enable = true;
+
+    users.users = with pkgs;
+      lib.setAttrByPath [psCfg.user.name] {
+        extraGroups = ["adbusers"];
+      };
+  };
+}

modules/paperless/default.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.paperless;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  options.pub-solar.paperless = {
+    enable = mkEnableOption "All you need to go paperless";
+    ocrLanguage = mkOption {
+      description = "OCR language";
+      type = types.str;
+      example = "eng+deu";
+      default = "eng";
+    };
+    consumptionDir = mkOption {
+      description = "Directory to be watched";
+      type = types.str;
+      example = "/var/lib/paperless/consume";
+      default = "/home/${psCfg.user.name}/Documents";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.paperless = {
+      enable = true;
+      user = psCfg.user.name;
+      consumptionDir = cfg.consumptionDir;
+      extraConfig = {
+        PAPERLESS_OCR_LANGUAGE = cfg.ocrLanguage;
+        PAPERLESS_ADMIN_USER = psCfg.user.name;
+        PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
+      };
+    };
+  };
+}

modules/paranoia/default.nix

@@ -23,6 +23,10 @@ in {
     pub-solar.core.hibernation.enable = true;
     services.logind.lidSwitch = "hibernate";
 
+    services.tor.settings = {
+      UseBridges = true;
+    };
+
     # The options below are directly taken from or inspired by
     # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
 

modules/printing/default.nix

@@ -28,6 +28,7 @@ in {
     hardware.sane = {
       enable = true;
       brscan4.enable = true;
+      extraBackends = [pkgs.hplipWithPlugin];
     };
   };
 }

modules/sway/config/config.d/custom-keybindings.conf

@@ -36,3 +36,11 @@ bindsym $mod+Ctrl+r exec record-screen
 # Launcher
 set $menu exec alacritty --class launcher -e env TERMINAL_COMMAND="alacritty -e" sway-launcher
 bindsym $mod+Space exec $menu
+
+set $mode_vncclient In VNCClient mode. Press $mod+Num_Lock or $mod+Shift+Escape to return.
+bindsym $mod+Num_Lock mode "$mode_vncclient"
+bindsym $mod+Shift+Escape mode "$mode_vncclient"
+mode "$mode_vncclient" {
+    bindsym $mod+Num_Lock mode "default"
+    bindsym $mod+Shift+Escape mode "default"
+}

modules/sway/config/wayvnc/config.nix

@@ -0,0 +1,11 @@
+{
+  psCfg,
+  pkgs,
+}: "
+address=0.0.0.0
+enable_auth=true
+username=${psCfg.user.name}
+password=testtest
+private_key_file=/run/agenix/vnc-key.pem
+certificate_file=/run/agenix/vnc-cert.pem
+"

modules/sway/default.nix

@@ -16,6 +16,8 @@ in {
       description = "Choose sway's default terminal";
     };
 
+    vnc.enable = mkEnableOption "Enable vnc service";
+
     v4l2loopback.enable = mkOption {
       type = types.bool;
       default = true;
@@ -96,6 +98,12 @@ in {
           systemd.user.services.waybar = import ./waybar.service.nix {inherit pkgs psCfg;};
           systemd.user.targets.sway-session = import ./sway-session.target.nix {inherit pkgs psCfg;};
 
+          systemd.user.services.wayvnc = mkIf psCfg.sway.vnc.enable (import ./wayvnc.service.nix pkgs);
+          xdg.configFile."wayvnc/config".text = import ./config/wayvnc/config.nix {
+            inherit psCfg;
+            inherit pkgs;
+          };
+
           xdg.configFile."sway/config".text = import ./config/config.nix {inherit config pkgs;};
           xdg.configFile."sway/config.d/colorscheme.conf".source = ./config/config.d/colorscheme.conf;
           xdg.configFile."sway/config.d/theme.conf".source = ./config/config.d/theme.conf;

modules/sway/wayvnc.service.nix

@@ -0,0 +1,18 @@
+pkgs: {
+  Unit = {
+    Description = "A VNC server for wlroots based Wayland compositors ";
+    Documentation = "https://github.com/any1/wayvnc";
+    BindsTo = ["sway-session.target"];
+    After = ["graphical-session-pre.target" "network-online.target"];
+    Wants = ["graphical-session-pre.target" "network-online.target"];
+  };
+
+  Service = {
+    Type = "simple";
+    ExecStart = "${pkgs.wayvnc}/bin/wayvnc -r -p 0.0.0.0 5901";
+  };
+
+  Install = {
+    WantedBy = ["sway-session.target"];
+  };
+}

modules/terminal-life/bash/default.nix

@@ -54,6 +54,23 @@ in {
     bleopt history_share=1
     bleopt filename_ls_colors="$LS_COLORS"
 
+    # Bash vim mode keybindings
+    if [[ $- == *i* ]]; then # in interactive session
+      set -o vi
+
+      ble-bind -m vi_imap -f 'ENTER' 'vi_imap/complete'
+      ble-bind -m vi_imap -f 'TAB' 'vi_imap/complete'
+
+      ble-bind -m vi_imap -f 'j j' 'vi_imap/normal-mode'
+      ble-bind -m vi_imap -f 'ESC' 'vi_imap/normal-mode'
+
+      ble-bind -m vi_nmap -f 'h' 'vi_nmap/insert-mode'
+      ble-bind -m vi_nmap -f 'i' 'vi-command/backward-line'
+      ble-bind -m vi_nmap -f 'j' 'vi-command/backward-char'
+      ble-bind -m vi_nmap -f 'k' 'vi-command/forward-line'
+      ble-bind -m vi_nmap -f 'l' 'vi-command/forward-char'
+    fi
+
     # end of .bashrc
     [[ ''${BLE_VERSION-} ]] && ble-attach
   '';

modules/terminal-life/nvim/default.nix

@@ -60,7 +60,6 @@ in {
     quick-scope
     suda-vim
     syntastic
-    vim-gutentags
     vim-vinegar
     vim-workspace-nvfetcher
 

modules/terminal-life/nvim/lsp.vim

@@ -74,6 +74,8 @@ lua <<EOF
 
   -- Add additional capabilities supported by nvim-cmp
   local capabilities = require('cmp_nvim_lsp').default_capabilities()
+  -- vscode HTML lsp needs this https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md#html
+  capabilities.textDocument.completion.completionItem.snippetSupport = true
 
   -- vscode HTML lsp needs this https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md#html
   capabilities.textDocument.completion.completionItem.snippetSupport = true
@@ -172,6 +174,13 @@ lua <<EOF
     end
   end -- ‡
 
+  -- configure floating diagnostics appearance, symbols
+  local signs = { Error = " ", Warn = " ", Hint = " ", Info = " " }
+  for type, icon in pairs(signs) do
+    local hl = "DiagnosticSign" .. type
+    vim.fn.sign_define(hl, { text = icon, texthl = hl, numhl = hl })
+  end
+
   -- Set completeopt to have a better completion experience
   vim.o.completeopt = 'menuone,noselect'
 

overlays/overrides.nix

@@ -4,6 +4,8 @@ channels: final: prev: {
   inherit
     (channels.latest)
     cachix
+    docker
+    docker-compose
     dhall
     discord
     element-desktop
@@ -17,6 +19,18 @@ channels: final: prev: {
     tdesktop
     arduino
     arduino-cli
+    steam
+    firefox
+    ;
+
+  inherit
+    (channels.pub-solar)
+    yubikey-agent
+    ;
+
+  inherit
+    (channels.master)
+    factorio-headless
     ;
 
   haskellPackages =

pkgs/default.nix

@@ -19,6 +19,5 @@ with final; {
   wcwd = writeShellScriptBin "wcwd" (import ./wcwd.nix final);
   drone-docker-runner = writeShellScriptBin "drone-docker-runner" (import ./drone-docker-runner.nix final);
   record-screen = writeShellScriptBin "record-screen" (import ./record-screen.nix final);
-
-  # ps-fixes
+  scan2paperless = writeShellScriptBin "scan2paperless" (import ./scan2paperless.nix final);
 }

pkgs/drone-docker-runner.nix

@@ -9,7 +9,7 @@ with self; ''
         --env=DRONE_RPC_SECRET=$(${self.libsecret}/bin/secret-tool lookup drone rpc-secret) \
         --env=DRONE_RUNNER_CAPACITY=8 \
         --env=DRONE_RUNNER_NAME=$(${self.inetutils}/bin/hostname) \
-        --publish=3000:3000 \
+        --publish=30010:30010 \
         --restart=always \
         --name=drone-runner \
         drone/drone-runner-docker:1

pkgs/lgcl.nix

@@ -1,4 +1,5 @@
-self: with self; let
+self:
+with self; let
   looking-glass-client = self.looking-glass-client.overrideAttrs (old: {
     meta.platforms = ["x86_64-linux" "aarch64-linux"];
   });

pkgs/mopidy-jellyfin.nix

@@ -1,4 +1,5 @@
-self: with self; let
+self:
+with self; let
   websocket-client = python39.pkgs.buildPythonPackage rec {
     pname = "websocket-client";
     version = "1.2.1";

pkgs/scan2paperless.nix

@@ -0,0 +1,4 @@
+self:
+with self; ''
+  export PATH=${lib.makeBinPath [pkgs.coreutils pkgs.sane-frontends pkgs.sane-backends pkgs.ghostscript pkgs.imagemagick]}
+''

pkgs/uhk-agent.nix

@@ -1,4 +1,5 @@
-self: with self; let
+self:
+with self; let
   uhk-agent-bin = stdenv.mkDerivation rec {
     pname = "uhk-agent-bin";
     version = "1.5.14";

profiles/base-user/default.nix

@@ -27,6 +27,7 @@ in {
           "lp"
           "scanner"
         ];
+        shell = pkgs.bash;
         initialHashedPassword =
           if psCfg.user.password != null
           then psCfg.user.password

profiles/base-user/home.nix

@@ -12,7 +12,7 @@ in {
     ./session-variables.nix
   ];
 
-  home-manager = pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
+  home-manager.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
     # Let Home Manager install and manage itself.
     programs.home-manager.enable = true;
 

profiles/core/default.nix

@@ -0,0 +1,135 @@
+{
+  self,
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: let
+  inherit (lib) fileContents;
+in {
+  # Sets nrdxp.cachix.org binary cache which just speeds up some builds
+  imports = [../cachix];
+
+  config = {
+    pub-solar.terminal-life.enable = true;
+    pub-solar.audio.enable = true;
+    pub-solar.crypto.enable = true;
+    pub-solar.devops.enable = true;
+
+    # This is just a representation of the nix default
+    nix.systemFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+
+    environment = {
+      systemPackages = with pkgs; [
+        # Core unix utility packages
+        coreutils-full
+        progress
+        dnsutils
+        inetutils
+        mtr
+        pciutils
+        usbutils
+        gitFull
+        git-lfs
+        git-bug
+        wget
+        openssl
+        openssh
+        curl
+        htop
+        lsof
+        psmisc
+        xdg-utils
+        sysfsutils
+        renameutils
+        nfs-utils
+        moreutils
+        mailutils
+        keyutils
+        input-utils
+        elfutils
+        binutils
+        dateutils
+        diffutils
+        findutils
+        exfat
+        file
+
+        # zippit
+        zip
+        unzip
+
+        # Modern modern utilities
+        p7zip
+        croc
+        jq
+
+        # Nix specific utilities
+        niv
+        manix
+        nix-index
+        nix-tree
+        nixpkgs-review
+        # Build broken, python2.7-PyJWT-2.0.1.drv' failed
+        #nixops
+        psos
+        nvd
+
+        # Fun
+        neofetch
+      ];
+    };
+
+    fonts = {
+      fonts = with pkgs; [powerline-fonts dejavu_fonts];
+
+      fontconfig.defaultFonts = {
+        monospace = ["DejaVu Sans Mono for Powerline"];
+
+        sansSerif = ["DejaVu Sans"];
+      };
+    };
+
+    nix = {
+      # use nix-dram, a patched nix command, see: https://github.com/dramforever/nix-dram
+      package = inputs.nix-dram.packages.${pkgs.system}.nix-dram;
+
+      # Improve nix store disk usage
+      autoOptimiseStore = true;
+      gc.automatic = true;
+      optimise.automatic = true;
+
+      # Prevents impurities in builds
+      useSandbox = true;
+
+      # give root and @wheel special privileges with nix
+      trustedUsers = ["root" "@wheel"];
+
+      # Generally useful nix option defaults
+      extraOptions = ''
+        min-free = 536870912
+        keep-outputs = true
+        keep-derivations = true
+        fallback = true
+        # used by nix-dram
+        default-flake = flake:nixpkgs
+      '';
+    };
+
+    # For rage encryption, all hosts need a ssh key pair
+    services.openssh = {
+      enable = true;
+      openFirewall = lib.mkDefault true;
+      passwordAuthentication = false;
+    };
+
+    # Service that makes Out of Memory Killer more effective
+    services.earlyoom.enable = true;
+
+    # Use latest LTS linux kernel by default
+    boot.kernelPackages = pkgs.linuxPackages_5_15;
+
+    boot.supportedFilesystems = ["ntfs"];
+  };
+}

profiles/gaming/default.nix

@@ -8,5 +8,4 @@
   inherit (lib) fileContents;
 in {
   pub-solar.gaming.enable = true;
-  pub-solar.docker.enable = true;
 }

profiles/iot/default.nix

@@ -0,0 +1,13 @@
+{
+  self,
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) fileContents;
+in {
+  pub-solar.graphical.enable = false;
+  pub-solar.x-os.localProxyService.enable = false;
+  pub-solar.sway.enable = false;
+}

profiles/mobile/default.nix

@@ -0,0 +1,11 @@
+{
+  self,
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) fileContents;
+in {
+  pub-solar.mobile.enable = true;
+}

profiles/virtualisation/default.nix

@@ -0,0 +1,11 @@
+{
+  self,
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) fileContents;
+in {
+  pub-solar.virtualisation.enable = true;
+}

secrets/b12f-env-secrets

@@ -0,0 +1,55 @@
+age-encryption.org/v1
+-> ssh-rsa kFDS0A
+A5s6AqsL5vXDpDDaSM8wylfV/ULMuLU0mTkOvSvaI/XtLp1DfH6+hjL1ca5ET+yh
+pgaCDlv/ITXOSGDawbK3PTLkVoTEVAIgbFTy2d3yP1o91n77d3dqdFMkflxar7wS
+AnbIYOE0hL9q3BBgO3n00AjojeF0hiV9kdyYMNF3je3zcQPML9poP+QWghX4rpH2
+W8dRb0LsowtUxREwEZ2i8UDIQ0nM/cwxyxHJ/jcT3VeasXDuXZEpFS/SwJHzFvJT
+5Ez/+ByOCaJ8E4ShHX8BOuZasikwI9EuiWHCj/eTJXytmFezCWY3ZI3MHjaUXHhL
+j3v3h1PQ2UxQApuhkG40zF6fhAGK7VFNEgAoF68V2eTB3ugm9qT4SiK392v5EnoU
+nOKY0PHCCnOgZGOM3Zx1mvZpDdWEpqI5in6bHMWpRjqzTeYwi6P5l/aItqGBm0D5
+erxwsLQMJLm9EbcSjFw9VYmwFky4jZOFSN9kSc/GiZM6ThZOVa7Dey4wicbU9YVf
+Ye6eiWjsFCPqXhylgRqFd/gf0MNyp7QNIOlbDmLenWVO/QLB9z0ANiQbz9PEMIng
+o74CsQeQcfO0hMcggHHMp2LILiNn9S1U429pCEtDGVpojnbtME1n2RMHbHfXpgVM
+qCf8bzcjgQrZBZrZ438qXiXObUV2R7yrG8AA4ilmKBw
+-> ssh-ed25519 TnSWKQ ZMWSfg5/Xhz58jMDmucQevWJMx9CR/pvGdcxY9nE9Es
+n1QCG5p74ScQyFQx6lX2gTU+GLoULlNjjAunp2e6Hjc
+-> ssh-rsa 8daibg
+aXyfsNZx2LEnm1ij2KJSyukYwxrPPYxc03xdoFMiPj2KMfdOdVcSRYQeyX3mym/Q
+mj7SCEZQPmAocvU8KOKphG7+MOvLhgyTdwkf+CBjCiU28pkuDrYjI1j5md9MK4ln
+auJ/XUJypBmpEp7eduRluk5Mxc82NjPXrGFARjatKj+d2/9PO+1FGawjj+er2FS9
+BpK9op0mLX0/BXl764Luqsh3pG+p5cSjTAqpfXuO1Dzp1Q3EcOCj2x3sT24elGAf
+8zOe6yBD+Uo027LAovqUf72Kzg/Fc+YfZbuLp65ybhIY0uF1arg4p+3grzWWBdI0
+3howkDSudgA9QBkyMsP0mQ6bwyfpYUKFFWpxwaGaVWY/WUXI5K1J2olSgZc60FvW
+BzQj0TTm8XeKo1i8PBV/er1mrJGwvwvb1VWFBYp/w3hDA/du0cFlfsPIX8WuhORX
+vRZJQZ5sVHU1qYHBTtwlan5D18AUpMUNZf1XVZb08NMOsez1YSlKHia26CTQurG1
+KxSxNIe76DEa3q5sLgRDEIvP4JtfKEdKuzPsUYR148ADZSPxVpWpUaYXedsO+JDt
+JYcsOEJxG1uEvEg2S1heTgpJVK0wK3tp5qODUil0ZyIPo7YXG9frMcOXIkEmxZSm
+/tzJ0voYzCeCNbrYuv7GsAcPUfXo2zIPJ3b7NkQ01uw
+-> ssh-rsa kFDS0A
+Au7S8JypcYKfb01y7hh85V84zhM5JMTF2KN2PGV2l+DsSuTqW5HzrzPOK7gXFfTU
+Um1tU2SeezORYpbtaCSpNbrkVdOdvcXG+ItJvLIwfAnlsRPNdWYtco18erEiQxkw
+DrlSqWb+UFHUhoUyaEj7ub2IzFkYxMIabX2PQL+bRY0b9+Bk5wV8LhWVr0OPl6zv
+TSoZUxMts9JsALAK7AIR7hfA9F9qSRgc5ivPnJddVhxb85bZsg2PPfmLbg2flOmY
+H8ZH/q7JvZ0D4RVxk3+V1jDDZCYv4eGsqCAqklDPRAnBq7KrDC04XExIXpy/OYhf
+GDmGrEFfT24ZOIMOJoRDsyECpTD3E81FuDJyn5+hHmTu0qmy6sWaJteOSqbJ46D8
+vPUhYeLB9b4sSvn0v1viUkRcfJZO6J5Ndh2TMg7SoJ3bOC2gK/sKbUi6w00gfjKg
+PqdBs+nNaTerKNuEVQnpEwk1jiEbqYAjlcSn40zjXQ84lLXvGVlmoKmV6tAhJsH/
+W2zfqSzqFRnYky3pCsFEogaUCeIendpb+oR1rVvbHntIPk2x/rEe1fb5NJ2ipPaI
+UE3R5bRdnZbqgVTXp8oQpHGIysDWMOp05hXlV1yi5L1cfa+av0kufWGh9SxzJ0Hb
+JHu4gJ3kEDrhSoHaG8+9s0Uhpr6fWNjcK+h3jQELJzI
+-> ssh-ed25519 2Ca8Kg 7zqdy50BjjvIGcvmaeM0bkSwivSmrkge7ppnHWPMcwg
+XEjHTeULveua7OsuKHnUSDwDaLBSpjfKzOH5MX6oBbA
+-> ssh-rsa 2ggJWw
+A2jGJC1GKUr5hHb4yeluJwYPuslSMBzmR6LehAyCJ17iTkIyO6Km5tfyq6ee0Q+H
+0wcxiXexzyn1QJhTovpbPSe+fBcBWCnhmyfFCxzPk3cq9ip64ngPmAbim0dLP7PC
+WUB1B8Ly2nhbT+j5UcZNQt2Q+83SFkqzNIjl+pJbq8Iau3iwWFntbhe0TDqcHsOf
+Uw+E8UUSsGinYPcXZXrW5ZWNovVgXgr5KCSdX4QfcH7r5qNQMSjNpeT6kOMPg5Qj
+ad3zTwMusbpDZxQdk6LcKZqlHSUBJxE4GKqtbHQ+JnF8DwolBWpjQUSS/Hz4c/de
+9YLYYxK0H1IgZpv49alRpexnRuHVUhl1HixJRIpFaNm9tj0ezkt0AK7Y+e5J+x2Y
+vyitzuuJezG75hBC3fFQLUosJm8kJ0YtqIfQsu/8OjDnZJhjCq0QijxHZexAF+9X
+HBsMvj+XjGwNj045dN0PQzRPeTT2JAZDNIE/piwUdy9HgAAWdZzFONG2lp3fCl8+
+
+-> d-grease "9JT y*PWo L yF
+7Ig0w+Lz7Z8us57rZ/h9hZLNL7KQjcfNQt4jPBG2Qg
+--- MLI+SiGgDJp5XLYzfpZpXdSgMc9y1+Ufs+NsiVYKp3o
+>Ïl¾Ÿ€á,ÞJŽ[Ê”lêàü}fT{Ñ¥Þµ<a's;$…°Å.À~k®œ
‰)˜¡L\Å6"‡…ß«‚	dó$ÿ.ƒ? Y)‰…“úJÅ›÷Â)‹¼þ;¥Q—6±„Ów&‡A…?SŸt°^©òzƒG*t‘Ó«OŠXlˆÁ<14>ˆÍ{ÞI£û¶Ç½­ž²ÓäO±»øûUŒýGuø

secrets/dyndns-droppie.key

@@ -0,0 +1,27 @@
+age-encryption.org/v1
+-> ssh-rsa kFDS0A
+lbrJzpCXpf3BJYL80d2vD/b4raoPnUKV0D9Ka9yKb72W3ATfA/Cqq7vpisHRnwyj
+3pt1TfrPzti/8ZKDqY/Zw171jQbOF6zW45z4m8yJu4J1LYXh8yYrTR3YPwhPoGYm
+eZJWWj2YghqCFC7vdL/wZFjkStxwBGgrJfNOxJBcXOpUX2TOzfdNAgJ/pEkvdd/L
+jktiU5ITt7KXruwSEXRzHVfmntl4SaqDqYfeb0Y0q2a1oMpxTnBKcYXj6dYcZIHv
+Lm8HX0JsIiThz/DXB4sP2O5GlGeYyibj2iMSCsCqadwDpUndVtJnzFgjSQD5A0gd
+enNTYly3GSmC9TWt/r2VHHyneAnJ3HQKB5hUEqxPz9peemnvfTA89SIGHddmkXfY
+XSeN5WJnSG0+WAOwrpJjzl9CgUg9xJS7dDqVob3CwL9oVEQP8FcuuyqCg72ppd4J
+fdseq5/R+HuVnh6sEUHoaHEDidHtTrpE2Rd49Tesj/BT+YrJyQ/kQqHmy9RiLU2f
+DSRwLO4/qHF6W8UfuF2N08aMxRpxqXPWTjI/vHxoSJRcSqaofF42x50OQU8lY96c
+8bPlDPB7HOBg+7bVvOQCaR3+KRuOx+HYpeMwEokQTwCke+frPfXorilNbAcaFUp4
+QiU1sUZia/FOZ+j47+6pkfC2DfLpiNL2TLWYcNtIzUc
+-> ssh-ed25519 7Wns0A aKiZ8iw+Ub5rByBef0apOn6lG5Bv6tzFCiBu3DN6sSg
+58+9kySg3ajO7E5V87b/qRu9axpu2hQUuY/cVTt2YdI
+-> ssh-rsa wVtlwQ
+RbrfuwS5zQzL9yMWFDSnWj9cQFLirTH37Xf79Dis2CJIDd83vmlmGNY5x1aPpZoZ
+J6XDhibGTJc02DYuNVIE1IXm0x9tc6Z9PTT+WiAFt1JuKHguXTWLRMM9HmyvWWDg
+bFsRDAcYup+SK5d+ME+XooDGueC822rAjkGIRHNSCimGwuLpDRKqyyVfYA+dcfiP
+EoYH7x4S09jYRr1C5EkbraLbm1vijc5ikJw3b42KKbyo3wDwKga+Vk2nl2AtgjZp
+KipZlyjs+IjMRXX5IBpgoRtXcvHuidsOSc+guRo0ihF9MbzRc/Tt2g0V7t3KjeT0
+SJDLmHOos2RKTmx06aidDg
+-> Dz(k-grease ~FF p m)E{J3E
+7Igp3pclCAzAmeky5cPqlIzcITT+0jvieQe7ruSxRYRYqpYU7tMQFmHuNUahp+BP
+MzOYiM+PIQmn
+--- IC9SI76EjaFZxQ5odEeIv49n/O8uOdpM6LE1Z7dtHg4
+l%Àu¯¯ÃE„\ÎüÔ?2\&ÚwG&@¡­W£~9"úŠ^ÊƆý¼Á<>oån^šë<C5A1>㻳xšèOI‡¢uOíò‡21c*ãm¸%ô)ý#”جeõIÙ6îA/i

secrets/mopidy.conf

@@ -0,0 +1,44 @@
+age-encryption.org/v1
+-> ssh-rsa kFDS0A
+pgJUXnYT0UgB7h8dWOBCIO6OuXwpjmBuQpJBXnI2Zh5X2fiGQVyrrcrm8VSWLHOd
+za9SME+PxcGXDGgwaGpCl8tOh93WRUC0RtNTBmoiyzrfkbQtm9gfnt51JpHscuTc
+wzZ9cxMvtKSNGsCuK5oeX9ZxVgXH5QFomwvADXoy14HacgEOzLTPU6vrPrOonGAG
+kDqYDzf87V2BfPttzONoScsVsFV26EQntxDx5/8Hja4ceOvgBwm2GczUzpgfIRCA
+To+az2B1Y0h/BWMqzRAhobuN/UIQcZAKro4uf8SbpKqPQrON+k1tAE+lrMUFLx1A
+2ZayulT/Partcm6L8Yb0JAn24eXFla52XQ6JyukSbtoqZxEQIcjbM34+KFKMftIA
+M8taZIG2JWyFdHBPO4RAMyGbNpQN5hsDvJWGIJePj4bAxW7GX9JJiT7gg1iCKce3
+SINdaBt4O3RJ49wTGqJtMSJSlfzLf7s4zHx5oaozAEt84h97A2Yt/8Lg1Wmc2Aji
+Q4XG6w8OQ/Fk8E/EeSZ27udMHF94TfQ9mzbKdMJRclLDlKKlxeYA6gea4QYb6GLi
+8tY6qnDpF9jwV7ehehM9KYhJcCLw7MYNwGI6oPmTagZCRhXDYULbmK5gfkspcrZ1
+zZn5yOCwt+MA3U2NfpxNOMs0LvaGU7HOruzyD9DLp+4
+-> ssh-ed25519 TnSWKQ SWZZJeUCYeSkYwIKmrsMa/MUkNK7xIn+213hy6X51Uk
+FDzM+HzDh+5+9RI+gjTPKNT74DPSvxA+CKJpHXSMX5c
+-> ssh-rsa 8daibg
+XthUstyN7tDd/vAw3y6knQWNI1M2GEKGDzvmOXFMgwxUcBUNPZmPnZvTfmUXY81Z
+iF13Lruwid0/4Pb9dcYyyifzoqnNb6SvnzczoUSpqQc6m+6BLX4kSTIN1Pulwt8A
+kWrOekvKy9J7Z2QsW6QKfxB4xaAc+BA9kHOgWWpLTyx2GOm0ksLjUnsd3Zo/xXsc
+JpjuSNcsUM9mCP00RjamX1SwrAc/tRnoOSOD6jmED5M0Xfb7bE2AORUQ3Em8B4iG
+CgaTEXFppZN96+BHOumOP1wAbH7uI0EdQP/SvR+qelCH35C0pSWZ4AuyvT5kvoYL
+CyK6GQ8rVnDrBaWQIj4TPhpB1xVxKd01AZX9ITdhPdTATJFwCcVxoWgCTtjNGaIc
+4GldFh0+nXUUV9spzxFbAhiJwy+PHfNfuJ1gyYMrgLY4mQPhA6ntPeWqZOb20cYZ
+ABl7eHN9AAQnibw6EufkgH/U9v81HlWjbLWedAHNPGAldDF5uNrY+FRiqXWT2Ivb
+9CkU/pUFAAcZs7GwEHTVz2dWsuxthS/P/DhN1YshDmY17gTBEf+40SUATsD1wBV0
+tdmbU3i79djbfXXvazR+hi7qDtKo+zJKCDORSq66J70njl0pwN/QIKGQnKt5sYCm
+3kPTZHrR6ys82MhTFk/C1G4aJjQScTz4buA5UH+0hsE
+-> ssh-ed25519 2Ca8Kg eqyr8Yr3rrWlhCd+TmKsnywFdp1mwt3jZwuJzO0TwzM
+mcfYZGTAebrZY9Ool8sPn25wPiwe6StBUzdVAyEErAE
+-> ssh-rsa 2ggJWw
+h00c7evck2bHux9EhMjLQa1f3O3tReLd65LDJB28jH7SbpT6t8Gxfk9tamGFHg4Z
+lGxkzZjK9xnroBpZv5ikuP+tD7A6A2saDXDnnAw+wHUGv0UO5yzr0HPIvwE1bVR5
+GOW1iqPMHKB2v6NeTaBG1g5TohSYEDDINkQv+Q4NyPhdpX9bGd3biWiBAa1gy3Xp
+XmDwtUfBg9IN+EeQTpC/tc4C1pLd3k7E+5pZDQebfTlvXZ83SH05BpBnpakPWNty
+Pf3s/iMwWBiJ+8GiwQ7c6FjTrr9ImJe8nD6mknWGpsMEQ9wB4Bd9l5RTjpTW9wCo
+DNtN8Mo0SGgFXjj/5XO0kMDhDike/GLr6wfD0HVgRP9MtcatvEaezp4RY6NIknjy
+F49KFsZWhzqwU2c4VX3ayFGJHcn/TT6o2QL3qZoI6x23ZFHQlXtQjXfhTkXk2qJt
+565cgrWzLYV7y+DB5fwaG/+Twlnr8rMQOPwyEnrWylh+AY3H/2/M1qQz2b2UQapl
+
+-> }L0d&,o-grease QVMP gPkF4&,`
+YaavYxfymQIl4xRnz1AZxLAY7+r2R9Mftt9AIk11bEymVtCWhsWtSbnhsq9q+fjm
+yYwVUyIh4eeH4oOdz3ssnmB3gg
+--- 5VOiRneXGtTtik3m0OJY8zV8Sboh18DIB4eM07M+1Lo
+ö™:üŠØþI{ˆzþ)ƒô½-tÈ«½©jT»0rE™ÚYæg4wFA³SÖ÷9RÐ
…çë
Q¡5<C2A1>c{ºÈz–j…lÁRAØãàÛH”
L	y£ø²W•6¢¢l>¸–ߪ}­m¤Ý¿óÆbѱ“ô6*ÎËg"ßãÈè}Xˆí>W¬œÛÇ<C39B>ÕTÉÞ­™é¼Ì#
mÍi@êiö:°zõ愲jbc(ƦŸýìùô{ô™¨ª¯©âwã(ÖθÈäyÔ§`iÌó_ïC-`ŽP‘ô³²e«¶ç<C2B6>CÈ»tSÆ5Ž·e÷Zp%þQ´B¿Êh4yžC°dY¿«<C2BF>—Lˆ<Nw½µýÆ<>„ÊVñ4ù/ð:•+Ÿãx5ÚÞÁ8_V F6ð½)a>….
}É‘^h¿óÖ®îÍ<C3AE>ø.Ÿ’<C5B8>»ËË¿GÑà”›ÿ~ÝŒd¢EoZ=|×C•O
ö”x7›,Nƒ•ïú¹PÖ䥈%*I%®kÎ[<5B>ØÐ|-<2D>ÈžT¦úe~3¥6ËÞ!C"Öai/kDmì]<5D>íJ÷Û>ü¬n^»OýÚ—MãÌíü‚SÁ°7„¼»<C2BC>1P\ý€ú?x\;B¸#u”BŽ$hѵ:¶Ë

secrets/secrets.nix

@@ -1,8 +1,61 @@
 let
   # set ssh public keys here for your system and user
-  system = "";
-  user = "";
-  allKeys = [system user];
+  bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw== hello@benjaminbaedorf.com";
+
+  biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo";
+  biolimo-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo";
+
+  chocolatebar-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZT3QrKugNTWNOwYziQnxrT5zFqWQDafWjScDuIpMhN root@chocolatebar";
+  chocolatebar-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= ben@chocolatebar";
+
+  droppie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDuXuPPDXTyJgy4JRwbKcPbawvVB1Il2neyRWb4O5sJ root@nixos";
+  droppie-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnYTlTmHCl6LOkexqRR9LqjOoFgt9TQ4VzHQGRHJMzF/AGcDRoqC+pBLFSTzRb5/ikAOsb32XHyKVg4nNdJeQshO11QtDmkCB02D/XcIXxnNQ5A8CztT2az5xJtbbWSdamMnHBLcqLiwoLmXbERpdlt8jNqMHrz+bjCUGYVAFSfc/WdIs6EATJ1eF0VFxv7nUh4qhgStABSwhNsnoYOC/DOBSA9aBP1f5Fz9QHUioPTGi2hRwbTbtFUvTrymPpWVFRApa1zvGXcr4YUCm7ia1ZlZKzRpsPkwLxb8Omm4bGmR0cAVwVhVRySnhpCTwbIBLyw+H8PvKWBBba1NAKyMij root@droppie";
+
+  allKeys = [
+    bbcom
+
+    biolimo-host
+    biolimo-user
+
+    chocolatebar-host
+    chocolatebar-user
+  ];
+
+  biolimoKeys = [
+    bbcom
+
+    biolimo-host
+    biolimo-user
+  ];
+
+  chocolatebarKeys = [
+    bbcom
+
+    chocolatebar-host
+    chocolatebar-user
+  ];
+
+  droppieKeys = [
+    bbcom
+
+    droppie-host
+    droppie-user
+  ];
 in {
-  "secret.age".publicKeys = allKeys;
+  "keyfile-biolimo.bin".publicKeys = biolimoKeys;
+
+  "keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+  "crypto_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+  "hdd_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+
+  "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys;
+  "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys;
+
+  "drone-runner-exec-config".publicKeys = allKeys;
+
+  "dyndns-droppie.key".publicKeys = droppieKeys;
+
+  "mopidy.conf".publicKeys = allKeys;
+
+  "b12f-env-secrets".publicKeys = biolimoKeys ++ chocolatebarKeys;
 }

users/ben/.config/msmtp/config

@@ -0,0 +1,72 @@
+account hello@benjaminbaedorf.eu
+  host mail.hosting.de
+  port 587
+  protocol smtp
+  auth on
+  from hello@benjaminbaedorf.eu
+  user hello@benjaminbaedorf.eu
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account benjamin.baedorf@rwth-aachen.de
+  host mail.rwth-aachen.de
+  port 587
+  protocol smtp
+  auth on
+  from benjamin.baedorf@rwth-aachen.de
+  user bb564306@rwth-aachen.de
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account b.baedorf@openproject.com
+  host smtp.mailbox.org
+  port 587
+  protocol smtp
+  auth on
+  from b.baedorf@openproject.com
+  user b.baedorf@openproject.com
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account byb@miom.space
+  host mail.hosting.de
+  port 587
+  protocol smtp
+  auth on
+  from byb@miom.space
+  user byb@miom.space
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account admins@pub.solar
+  host mail.greenbaum.cloud
+  port 587
+  protocol smtp
+  auth on
+  from admins@pub.solar
+  user admins@pub.solar
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account crew@pub.solar
+  host mail.greenbaum.cloud
+  port 587
+  protocol smtp
+  auth on
+  from crew@pub.solar
+  user crew@pub.solar
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account mail@b12f.io
+  host mail.b12f.io
+  port 587
+  protocol smtp
+  auth on
+  from mail@b12f.io
+  user mail@b12f.io
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+
+account default : hello@benjaminbaedorf.eu

users/ben/.config/mutt/admins@pub.solar.muttrc

@@ -0,0 +1,19 @@
+# vim: filetype=muttrc
+
+set from = "pub.solar Admins <admins@pub.solar>"
+set sendmail = "msmtp -a admins@pub.solar"
+set signature = "~/.config/mutt/admins@pub.solar.signature"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+admins\@pub.solar/INBOX"
+set postponed   = "+admins\@pub.solar/Drafts"
+set record      = "+admins\@pub.solar/Sent"
+set trash       = "+admins\@pub.solar/Trash"
+mbox-hook   = "+admins\@pub.solar/Archive"
+unmailboxes *
+mailboxes +admins\@pub.solar/INBOX \
+          +admins\@pub.solar/Drafts \
+          +admins\@pub.solar/Sent \
+          +admins\@pub.solar/Archive \
+          +admins\@pub.solar/Trash

users/ben/.config/mutt/admins@pub.solar.signature

@@ -0,0 +1,7 @@
+
+pub.solar Admins (they/them)
+
+MAIL: admins@pub.solar
+GIT: git.b12f.io/pub-solar
+MATRIX: #general:pub.solar
+WEB: pub.solar

users/ben/.config/mutt/b.baedorf@openproject.com.muttrc

@@ -0,0 +1,24 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <b.baedorf@openproject.com>"
+set sendmail = "msmtp -a b.baedorf@openproject.com"
+set signature = "~/.config/mutt/b.baedorf@openproject.com.signature"
+
+set pgp_default_key="DB94333951EC9A362B33FBA5069CA2D117AB5CCF"
+
+set imap_user = b.baedorf@openproject.com
+set imap_pass = `secret-tool lookup service smtp host smtp.mailbox.org user b.baedorf@openproject.com`
+
+set folder      = imaps://imap.mailbox.org:993
+
+set spoolfile   = "+INBOX"
+set postponed   = "+Drafts"
+set record      = "+Sent"
+set trash       = "+Trash"
+mbox-hook   = "+Archive"
+unmailboxes *
+mailboxes +INBOX \
+          +Drafts \
+          +Sent \
+          +Archive \
+          +Trash

users/ben/.config/mutt/b.baedorf@openproject.com.signature

@@ -0,0 +1,18 @@
+
+Benjamin Bädorf
+Senior Frontend Engineer
+
+OpenProject GmbH
+Krausenstraße 9
+10117 Berlin
+
+E: b.baedorf@openproject.com
+GPG: DB94 3339 51EC 9A36 2B33  FBA5 069C A2D1 17AB 5CC
+
+T: +49 9599 899 22
+M: +49 151 2266 2777
+I: www.openproject.org
+
+Amtsgericht Berlin-Charlottenburg HRB 117935
+Geschäftsführer Niels Lindenthal
+UStID DE211309779

users/ben/.config/mutt/benjamin.baedorf@rwth-aachen.de.muttrc

@@ -0,0 +1,21 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <benjamin.baedorf@rwth-aachen.de>"
+set sendmail = "msmtp -a benjamin.baedorf@rwth-aachen.de"
+set signature = "~/.config/mutt/hello@benjaminbaedorf.eu.signature"
+
+set pgp_default_key="4332E0D02B214D31376C366E4406E80E13CD656C"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+benjamin.baedorf\@rwth-aachen.de/INBOX"
+set postponed   = "+benjamin.baedorf\@rwth-aachen.de/Drafts"
+set record      = "+benjamin.baedorf\@rwth-aachen.de/Sent"
+set trash       = "+benjamin.baedorf\@rwth-aachen.de/Trash"
+mbox-hook   = "+benjamin.baedorf\@rwth-aachen.de/Journal"
+unmailboxes *
+mailboxes +benjamin.baedorf\@rwth-aachen.de/INBOX \
+          +benjamin.baedorf\@rwth-aachen.de/Drafts \
+          +benjamin.baedorf\@rwth-aachen.de/Sent \
+          +benjamin.baedorf\@rwth-aachen.de/Journal \
+          +benjamin.baedorf\@rwth-aachen.de/Trash

users/ben/.config/mutt/byb@miom.space.muttrc

@@ -0,0 +1,21 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <byb@miom.space>"
+set sendmail = "msmtp -a byb@miom.space"
+set signature = "~/.config/mutt/byb@miom.space.signature"
+
+set pgp_default_key="4332E0D02B214D31376C366E4406E80E13CD656C"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+byb\@miom.space/INBOX"
+set postponed   = "+byb\@miom.space/Drafts"
+set record      = "+byb\@miom.space/Sent"
+set trash       = "+byb\@miom.space/Trash"
+mbox-hook   = "+byb\@miom.space/Archive"
+unmailboxes *
+mailboxes +byb\@miom.space/INBOX \
+          +byb\@miom.space/Drafts \
+          +byb\@miom.space/Sent \
+          +byb\@miom.space/Archive \
+          +byb\@miom.space/Trash

users/ben/.config/mutt/byb@miom.space.signature

@@ -0,0 +1,9 @@
+
+Benjamin Yule Bädorf (they/them)
+Software Engineer at MiOM 202
+
+MAIL: byb@miom.space
+GPG: 4332 E0D0 2B21 4D31 376C  366E 4406 E80E 13CD 656C
+GIT: git.b12f.io/b12f
+MATRIX: @b12f:pub.solar
+WEB: benjaminbaedorf.eu

users/ben/.config/mutt/crew@pub.solar.muttrc

@@ -0,0 +1,19 @@
+# vim: filetype=muttrc
+
+set from = "pub.solar crew <crew@pub.solar>"
+set sendmail = "msmtp -a crew@pub.solar"
+set signature = "~/.config/mutt/crew@pub.solar.signature"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+crew\@pub.solar/INBOX"
+set postponed   = "+crew\@pub.solar/Drafts"
+set record      = "+crew\@pub.solar/Sent"
+set trash       = "+crew\@pub.solar/Trash"
+mbox-hook   = "+crew\@pub.solar/Archive"
+unmailboxes *
+mailboxes +crew\@pub.solar/INBOX \
+          +crew\@pub.solar/Drafts \
+          +crew\@pub.solar/Sent \
+          +crew\@pub.solar/Archive \
+          +crew\@pub.solar/Trash

users/ben/.config/mutt/crew@pub.solar.signature

@@ -0,0 +1,8 @@
+
+pub.solar crew (they/them)
+
+MAIL: crew@pub.solar
+MASTODON: @crew@pub.solar
+GIT: git.b12f.io/pub-solar
+MATRIX: #general:pub.solar
+WEB: pub.solar

users/ben/.config/mutt/hello@benjaminbaedorf.eu.muttrc

@@ -0,0 +1,21 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <hello@benjaminbaedorf.eu>"
+set sendmail = "msmtp -a hello@benjaminbaedorf.eu"
+set signature = "~/.config/mutt/hello@benjaminbaedorf.eu.signature"
+
+set pgp_default_key="4332E0D02B214D31376C366E4406E80E13CD656C"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+hello\@benjaminbaedorf.eu/INBOX"
+set postponed   = "+hello\@benjaminbaedorf.eu/Drafts"
+set record      = "+hello\@benjaminbaedorf.eu/Sent"
+set trash       = "+hello\@benjaminbaedorf.eu/Trash"
+mbox-hook   = "+hello\@benjaminbaedorf.eu/Archive"
+unmailboxes *
+mailboxes +hello\@benjaminbaedorf.eu/INBOX \
+          +hello\@benjaminbaedorf.eu/Drafts \
+          +hello\@benjaminbaedorf.eu/Sent \
+          +hello\@benjaminbaedorf.eu/Archive \
+          +hello\@benjaminbaedorf.eu/Trash

users/ben/.config/mutt/hello@benjaminbaedorf.eu.signature

@@ -0,0 +1,9 @@
+
+Benjamin Yule Bädorf (they/them)
+Software Engineer
+
+MAIL: hello@benjaminbaedorf.eu
+GPG: 4332 E0D0 2B21 4D31 376C  366E 4406 E80E 13CD 656C
+GIT: git.b12f.io/b12f
+MATRIX: @b12f:pub.solar
+WEB: benjaminbaedorf.eu

users/ben/.config/mutt/mail@b12f.io.muttrc

@@ -0,0 +1,21 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <mail@b12f.io>"
+set sendmail = "msmtp -a mail@b12f.io"
+set signature = "~/.config/mutt/mail@b12f.io.signature"
+
+set pgp_default_key="4332E0D02B214D31376C366E4406E80E13CD656C"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+mail\@b12f.io/INBOX"
+set postponed   = "+mail\@b12f.io/Drafts"
+set record      = "+mail\@b12f.io/Sent"
+set trash       = "+mail\@b12f.io/Trash"
+mbox-hook   = "+mail\@b12f.io/Archive"
+unmailboxes *
+mailboxes +mail\@b12f.io/INBOX \
+          +mail\@b12f.io/Drafts \
+          +mail\@b12f.io/Sent \
+          +mail\@b12f.io/Archive \
+          +mail\@b12f.io/Trash

users/ben/.config/mutt/mail@b12f.io.signature

@@ -0,0 +1,9 @@
+
+Benjamin Yule Bädorf (they/them)
+Software Engineer
+
+MAIL: mail@b12f.io
+GPG: 4332 E0D0 2B21 4D31 376C  366E 4406 E80E 13CD 656C
+GIT: git.b12f.io/b12f
+MATRIX: @b12f:pub.solar
+WEB: benjaminbaedorf.eu

users/ben/.config/offlineimap/config

@@ -0,0 +1,109 @@
+[general]
+pythonfile = $XDG_CONFIG_HOME/offlineimap/functions.py
+metadata = $XDG_DATA_HOME/offlineimap
+accounts = BBEU, MiOM, b12f, RWTH, AdminsPubSolar, CrewPubSolar
+
+[Account BBEU]
+localrepository = LocalBBEU
+remoterepository = RemoteBBEU
+
+[Repository LocalBBEU]
+type = Maildir
+localfolders = ~/Mail/hello@benjaminbaedorf.eu
+
+[Repository RemoteBBEU]
+type = IMAP
+remotehost = mail.hosting.de
+remoteuser = hello@benjaminbaedorf.eu
+remotepasseval = get_secret("service", "smtp", "host", "mail.hosting.de", "user", "hello@benjaminbaedorf.eu")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account OPGmail]
+localrepository = LocalOPGmail
+remoterepository = RemoteOPGmail
+
+[Repository LocalOPGmail]
+type = Maildir
+localfolders = ~/Mail/b.baedorf@openproject.com
+
+[Repository RemoteOPGmail]
+type = IMAP
+remotehost = imap.gmail.com
+remoteuser = b.baedorf@openproject.com
+remotepasseval = get_secret("service", "smtp", "host", "smtp.gmail.com", "user", "b.baedorf@openproject.com")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account MiOM]
+localrepository = LocalMiOM
+remoterepository = RemoteMiOM
+
+[Repository LocalMiOM]
+type = Maildir
+localfolders = ~/Mail/byb@miom.space
+
+[Repository RemoteMiOM]
+type = IMAP
+remotehost = mail.hosting.de
+remoteuser = byb@miom.space
+remotepasseval = get_secret("service", "smtp", "host", "mail.hosting.de", "user", "byb@miom.space")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account AdminsPubSolar]
+localrepository = LocalAdminsPubSolar
+remoterepository = RemoteAdminsPubSolar
+
+[Repository LocalAdminsPubSolar]
+type = Maildir
+localfolders = ~/Mail/admins@pub.solar
+
+[Repository RemoteAdminsPubSolar]
+type = IMAP
+remotehost = mail.greenbaum.cloud
+remoteuser = admins@pub.solar
+remotepasseval = get_secret("service", "smtp", "host", "mail.greenbaum.cloud", "user", "admins@pub.solar")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account CrewPubSolar]
+localrepository = LocalCrewPubSolar
+remoterepository = RemoteCrewPubSolar
+
+[Repository LocalCrewPubSolar]
+type = Maildir
+localfolders = ~/Mail/crew@pub.solar
+
+[Repository RemoteCrewPubSolar]
+type = IMAP
+remotehost = mail.greenbaum.cloud
+remoteuser = crew@pub.solar
+remotepasseval = get_secret("service", "smtp", "host", "mail.greenbaum.cloud", "user", "crew@pub.solar")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account b12f]
+localrepository = Localb12f
+remoterepository = Remoteb12f
+
+[Repository Localb12f]
+type = Maildir
+localfolders = ~/Mail/mail@b12f.io
+
+[Repository Remoteb12f]
+type = IMAP
+remotehost = mail.b12f.io
+remoteuser = mail@b12f.io
+remotepasseval = get_secret("service", "smtp", "host", "mail.b12f.io", "user", "mail@b12f.io")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account RWTH]
+localrepository = LocalRWTH
+remoterepository = RemoteRWTH
+
+[Repository LocalRWTH]
+type = Maildir
+localfolders = ~/Mail/benjamin.baedorf@rwth-aachen.de
+
+[Repository RemoteRWTH]
+type = IMAP
+remotehost = mail.rwth-aachen.de
+remoteuser = bb564306@rwth-aachen.de
+remotepasseval = get_secret("service", "smtp", "host", "mail.rwth-aachen.de", "user", "bb564306@rwth-aachen.de")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt

users/ben/default.nix

@@ -0,0 +1,71 @@
+{
+  self,
+  config,
+  hmUsers,
+  pkgs,
+  lib,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  imports = [
+    ./home.nix
+  ];
+
+  config = {
+    home-manager.users = {inherit (hmUsers) ben;};
+
+    services.yubikey-agent.enable = true;
+
+    age.secrets.b12f-env-secrets = {
+      file = "${self}/secrets/b12f-env-secrets";
+      mode = "400";
+      owner = psCfg.user.name;
+    };
+
+    pub-solar = {
+      # These are your personal settings
+      # The only required settings are `name` and `password`,
+      # The rest is used for programs like git
+      user = {
+        name = "ben";
+        description = "b12f";
+        password = "$6$LO2YoaHwuRQhUoSz$iHw9avM887eJg9cIty2nmG4Ibkol3YpviEhYpivVQP31VrnihFz/6LyugxD7X4VmXx9nxvcYIZnN90rlGxwjT.";
+        fullName = "Benjamin Bädorf";
+        email = "hello@benjaminbaedorf.eu";
+        gpgKeyId = "4406E80E13CD656C";
+        publicKeys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo"
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= ben@chocolatebar"
+        ];
+      };
+
+      paperless = {
+        enable = false;
+        ocrLanguage = "nld+deu";
+      };
+      arduino.enable = true;
+      email.enable = true;
+      uhk.enable = true;
+      audio.spotify.enable = true;
+      audio.spotify.username = "spotify@benjaminbaedorf.eu";
+    };
+
+    # Needed for the udev rules for solaar
+    hardware.logitech.wireless.enable = true;
+    networking.hosts = let
+      localDomains = [
+        "openproject.local"
+        "traefik.local"
+        "nextcloud.local"
+        "step.local"
+        "saas-1.openproject.local"
+        "transmission.local"
+      ];
+    in {
+      "127.0.0.1" = localDomains;
+      "::1" = localDomains;
+    };
+  };
+}

users/ben/home.nix

@@ -0,0 +1,126 @@
+{
+  config,
+  pkgs,
+  lib,
+  self,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  imports = [
+    ./session-variables.nix
+  ];
+
+  home-manager = pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
+    home.packages = with pkgs; [
+      inkscape
+      digikam
+      nix-output-monitor
+      tigervnc
+      dogecoin
+      nodejs
+      solaar
+    ];
+
+    programs.ssh = {
+      enable = true;
+      matchBlocks = {
+        "git.b12f.io" = {
+          hostname = "git.b12f.io";
+          user = "git";
+          port = 2222;
+        };
+
+        "aur.archlinux.org" = {
+          user = "aur";
+        };
+
+        "leavieler.art" = {
+          hostname = "web5svsvy.wh.hosting.zone";
+          user = "web5svsvy_cgzqa3";
+          port = 2244;
+        };
+
+        "benjaminbaedorf.eu" = {
+          hostname = "web5svsvy.wh.hosting.zone";
+          user = "web5svsvy_cgzqa3";
+          port = 2244;
+        };
+
+        "miom.space" = {
+          hostname = "web7dgkba.wh.hosting.zone";
+          user = "web7dgkba_c9em8f";
+          port = 2244;
+        };
+
+        "latenight.blue" = {
+          hostname = "latenight.blue";
+          user = "lnb";
+          extraOptions = {
+            MACs = "hmac-sha2-512-etm@openssh.com";
+          };
+        };
+
+        "blacktea.io" = {
+          hostname = "latenight.blue";
+          user = "lnb";
+          extraOptions = {
+            MACs = "hmac-sha2-512-etm@openssh.com";
+          };
+        };
+
+        "laurakirst.de" = {
+          hostname = "webj4bsux.wh.hosting.zone";
+          user = "webj4bsux_36qkrk";
+          port = 2244;
+        };
+      };
+    };
+
+    xdg.configFile."mutt/accounts.muttrc".text = ''
+      source ./hello@benjaminbaedorf.eu.muttrc
+
+      macro index <f1> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/hello@benjaminbaedorf.eu.muttrc<enter><change-folder>!<enter>'
+      macro index <f2> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/benjamin.baedorf@rwth-aachen.de.muttrc<enter><change-folder>!<enter>'
+      macro index <f3> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/b.baedorf@openproject.com.muttrc<enter><change-folder>!<enter>'
+      macro index <f4> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/byb@miom.space.muttrc<enter><change-folder>!<enter>'
+      macro index <f5> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/mail@b12f.io.muttrc<enter><change-folder>!<enter>'
+      macro index <f6> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/admins@pub.solar.muttrc<enter><change-folder>!<enter>'
+      macro index <f7> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/crew@pub.solar.muttrc<enter><change-folder>!<enter>'
+    '';
+    xdg.configFile."mutt/hello@benjaminbaedorf.eu.muttrc".source = ./.config/mutt + "/hello@benjaminbaedorf.eu.muttrc";
+    xdg.configFile."mutt/benjamin.baedorf@rwth-aachen.de.muttrc".source = ./.config/mutt + "/benjamin.baedorf@rwth-aachen.de.muttrc";
+    xdg.configFile."mutt/hello@benjaminbaedorf.eu.signature".source = ./.config/mutt + "/hello@benjaminbaedorf.eu.signature";
+    xdg.configFile."mutt/b.baedorf@openproject.com.muttrc".source = ./.config/mutt + "/b.baedorf@openproject.com.muttrc";
+    xdg.configFile."mutt/b.baedorf@openproject.com.signature".source = ./.config/mutt + "/b.baedorf@openproject.com.signature";
+    xdg.configFile."mutt/byb@miom.space.muttrc".source = ./.config/mutt + "/byb@miom.space.muttrc";
+    xdg.configFile."mutt/byb@miom.space.signature".source = ./.config/mutt + "/byb@miom.space.signature";
+    xdg.configFile."mutt/mail@b12f.io.muttrc".source = ./.config/mutt + "/mail@b12f.io.muttrc";
+    xdg.configFile."mutt/mail@b12f.io.signature".source = ./.config/mutt + "/mail@b12f.io.signature";
+    xdg.configFile."mutt/admins@pub.solar.muttrc".source = ./.config/mutt + "/admins@pub.solar.muttrc";
+    xdg.configFile."mutt/admins@pub.solar.signature".source = ./.config/mutt + "/admins@pub.solar.signature";
+    xdg.configFile."mutt/crew@pub.solar.muttrc".source = ./.config/mutt + "/crew@pub.solar.muttrc";
+    xdg.configFile."mutt/crew@pub.solar.signature".source = ./.config/mutt + "/crew@pub.solar.signature";
+    xdg.configFile."offlineimap/config".source = ./.config/offlineimap/config;
+    xdg.configFile."msmtp/config".source = ./.config/msmtp/config;
+    # xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
+
+    #
+    # programs.zsh = {
+    #   initExtra = import ./zshrc.nix {inherit config;};
+    # };
+  };
+
+  age.secrets."mopidy.conf" = {
+    file = "${self}/secrets/mopidy.conf";
+    mode = "700";
+    owner = "mopidy";
+  };
+  services.mopidy.extraConfigFiles = ["/run/agenix/mopidy.conf"];
+
+  programs.ssh.extraConfig = "
+    PubkeyAcceptedKeyTypes +ssh-rsa
+  ";
+}

users/ben/session-variables.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  DRONE_RPC_PROTO = "https";
+  DRONE_RPC_HOST = "ci.b12f.io";
+in {
+  home-manager = pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
+    home.sessionVariables = {
+      inherit DRONE_RPC_HOST;
+      inherit DRONE_RPC_PROTO;
+      DRONE_SERVER = DRONE_RPC_PROTO + "://" + DRONE_RPC_HOST;
+
+      RESTIC_REPOSITORY = "sftp:root@backup.b12f.io:/media/internal/backups";
+      RESTIC_PASSWORD_COMMAND = "secret-tool lookup restic repository-password";
+    };
+  };
+}

users/ben/zshrc.nix

@@ -0,0 +1,3 @@
+{config, ...}: ''
+  source ${config.age.secrets.b12f-env-secrets.path}
+''

users/yule/default.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  hmUsers,
+  pkgs,
+  lib,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  config = {
+    home-manager.users = {inherit (hmUsers) yule;};
+
+    pub-solar = {
+      # These are your personal settings
+      # The only required settings are `name` and `password`,
+      # The rest is used for programs like git
+      user = {
+        name = "yule";
+        description = "b12f";
+        password = "$6$pHMaL9DfxhvnLGy5$ka9bRU5p1lPTF0YHPZDM9Miq79iXuaXb6GLeALM1eX5djdsHYnpvVWjrmImWmcghGXsrDwpmXZPSJUU.gFpuA1";
+        fullName = "Benjamin Bädorf";
+        email = "hello@benjaminbaedorf.eu";
+        gpgKeyId = "4406E80E13CD656C";
+        publicKeys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
+
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
+
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135 @hensoko"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
+
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKa5elEXgBc2luVBOHVWZisJgt0epFQOercPi0tZzPU root@cloud.pub.solar"
+        ];
+      };
+    };
+  };
+}