Merge pull request 'Remove digga from b12f branch' (#257 ) from remove-digga/b12f into b12f

Reviewed-on: #257
fix: Fix nix flake check and devshell
2023-10-03 14:23:14 +02:00 · 2023-10-03 14:21:09 +02:00 · 2023-10-03 13:50:01 +02:00 · 2023-10-03 13:34:34 +02:00 · 2023-10-03 13:13:52 +02:00 · 2023-09-29 18:21:08 +02:00
171 changed files with 3770 additions and 1499 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -27,6 +27,14 @@ charset = unset
 indent_style = unset
 indent_size = unset

+[*.rom]
+end_of_line = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+charset = unset
+indent_style = unset
+indent_size = unset
+
 [*.py]
 indent_size = 4

--- a/.gitignore
+++ b/.gitignore
@ -7,7 +7,7 @@ vm
 iso
 doi

-pkgs/_sources/.shake*
-
+# PubSolarOS
 tags
 /owners
+pkgs/_sources/.shake*
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,112 +0,0 @@
-# Changelog
-
-## [v0.10.0](https://github.com/divnix/devos/tree/v0.10.0) (2021-05-24)
-
-**Implemented enhancements:**
-
- Providing an interface to nixpkgs.config [\#237](https://github.com/divnix/devos/issues/237)
- Making the user available in profiles [\#230](https://github.com/divnix/devos/issues/230)
- copy evaluation store paths to iso [\#195](https://github.com/divnix/devos/issues/195)
- Extract custom system builds from devosSystem out of lib [\#170](https://github.com/divnix/devos/issues/170)
- Allow setting of channel host-wide [\#117](https://github.com/divnix/devos/issues/117)
- alacritty: CSIu support [\#51](https://github.com/divnix/devos/issues/51)
-
-**Fixed bugs:**
-
- Cachix timeouts + how to disable nrdxp cachix \(if needed\) [\#294](https://github.com/divnix/devos/issues/294)
- default.nix flake-compat is broken [\#285](https://github.com/divnix/devos/issues/285)
- All suites return "attribute missing" [\#282](https://github.com/divnix/devos/issues/282)
- nix is built two times [\#203](https://github.com/divnix/devos/issues/203)
- fix lib docs [\#166](https://github.com/divnix/devos/issues/166)
-
-**Closed issues:**
-
- eliminate userFlakeNixOS [\#257](https://github.com/divnix/devos/issues/257)
- devos-as-library [\#214](https://github.com/divnix/devos/issues/214)
-
-**Merged pull requests:**
-
- Update evalArgs to match the new planned API [\#239](https://github.com/divnix/devos/pull/239)
-
-## [v0.9.0](https://github.com/divnix/devos/tree/v0.9.0) (2021-04-19)
-
-**Implemented enhancements:**
-
- pin inputs into iso live registry [\#190](https://github.com/divnix/devos/issues/190)
- Pass 'self' to lib [\#169](https://github.com/divnix/devos/issues/169)
- doc: quickstart "ISO. What next?" [\#167](https://github.com/divnix/devos/issues/167)
- Integrate Android AOSP putting mobile under control [\#149](https://github.com/divnix/devos/issues/149)
- Inoculate host identity on first use [\#132](https://github.com/divnix/devos/issues/132)
- kubenix support [\#130](https://github.com/divnix/devos/issues/130)
- Improve Home Manager support: profiles/suites, modules, extern, flake outputs [\#119](https://github.com/divnix/devos/issues/119)
- Local CA \(between hosts\) [\#104](https://github.com/divnix/devos/issues/104)
- Q5: git annex for machine state [\#68](https://github.com/divnix/devos/issues/68)
- name space ./pkgs overlays [\#60](https://github.com/divnix/devos/issues/60)
- remap global keys easily [\#57](https://github.com/divnix/devos/issues/57)
- make pass state part of this repo's structure [\#56](https://github.com/divnix/devos/issues/56)
- Incorporate ./shells [\#38](https://github.com/divnix/devos/issues/38)
- Encrypt with \(r\)age [\#37](https://github.com/divnix/devos/issues/37)
-
-**Fixed bugs:**
-
- `pathsToImportedAttrs` does not accept directories [\#221](https://github.com/divnix/devos/issues/221)
- Cachix caches aren't added to the configuration [\#208](https://github.com/divnix/devos/issues/208)
- Issues with current changelog workflow [\#205](https://github.com/divnix/devos/issues/205)
- iso: systemd service startup [\#194](https://github.com/divnix/devos/issues/194)
- Help adding easy-hls-nix to devos [\#174](https://github.com/divnix/devos/issues/174)
- `flk update` fails because of obsolete flag [\#159](https://github.com/divnix/devos/issues/159)
- Expected that not all packages are exported? [\#151](https://github.com/divnix/devos/issues/151)
- Segmentation fault when generating iso [\#150](https://github.com/divnix/devos/issues/150)
-
-**Documentation:**
-
- doc: split iso [\#193](https://github.com/divnix/devos/issues/193)
- lib: can depend on pkgs \(a la nixpkgs\#pkgs/pkgs-lib\) [\#147](https://github.com/divnix/devos/pull/147)
-
-**Closed issues:**
-
- FRRouting router implementation [\#154](https://github.com/divnix/devos/issues/154)
- ARM aarch64 Support [\#72](https://github.com/divnix/devos/issues/72)
-
-## [v0.8.0](https://github.com/divnix/devos/tree/v0.8.0) (2021-03-02)
-
-**Implemented enhancements:**
-
- semi automatic update for /pkgs [\#118](https://github.com/divnix/devos/issues/118)
- Home-manager external modules from flakes [\#106](https://github.com/divnix/devos/issues/106)
-
-**Fixed bugs:**
-
- My emacsGcc overlay is not working [\#146](https://github.com/divnix/devos/issues/146)
- local flake registry freezes branches [\#142](https://github.com/divnix/devos/issues/142)
- nixos-option no longer works after collect garbage [\#138](https://github.com/divnix/devos/issues/138)
- Profiles imports are brittle, causing failure if imported twice [\#136](https://github.com/divnix/devos/issues/136)
-
-## [0.7.0](https://github.com/divnix/devos/tree/0.7.0) (2021-02-20)
-
-**Implemented enhancements:**
-
- add zoxide [\#53](https://github.com/divnix/devos/issues/53)
- Multiarch support? [\#17](https://github.com/divnix/devos/issues/17)
- initial multiArch support [\#18](https://github.com/divnix/devos/pull/18)
-
-**Fixed bugs:**
-
- Missing shebang from flk.sh [\#131](https://github.com/divnix/devos/issues/131)
- Rename Meta Issue [\#128](https://github.com/divnix/devos/issues/128)
- specialisations break the `system` argument [\#46](https://github.com/divnix/devos/issues/46)
- Revert "Add extraArgs to lib.nixosSystem call to add system args." [\#47](https://github.com/divnix/devos/pull/47)
-
-**Documentation:**
-
- update home-manager urls [\#62](https://github.com/divnix/devos/pull/62)
-
-**Closed issues:**
-
- add github action for cachix build ci [\#59](https://github.com/divnix/devos/issues/59)
-
-## [12052020](https://github.com/divnix/devos/tree/12052020) (2020-12-06)
-
-## [07092020](https://github.com/divnix/devos/tree/07092020) (2020-07-09)
-
-\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,33 +0,0 @@
-# Quick branch overview
-
-We work with several branches in this repo. This document aims to explain how
-to contribute changes to the existing branches.
-
-### `main` branch
-
- Changes to `modules` and `profiles` should go [the main branch](https://git.pub.solar/pub-solar/os/src/branch/main)
- Changes can get accepted via: Pull Request
- Branch protected from direct `git push`
-
-### `infra` branch
-
- Changes to the [pub.solar](https://pub.solar) infrastructure should be merged [into this branch](https://git.pub.solar/pub-solar/os/src/branch/infra)
- Changes can get accepted via: Pull Request
- Branch protected from direct `git push`
-
-### `momo/main` branch
-
- Changes to the [Momo](https://momo.koeln) infrastructure should be merged [into this branch](https://git.pub.solar/pub-solar/os/src/branch/momo/main)
- Changes can get accepted via: Pull Request
- Deployment of changes is [automatic via CI pipeline](https://git.pub.solar/pub-solar/os/src/commit/43bd7421509f7cc9ba06d7c740f3f536a4a2af76/.drone.yml#L20-L38)
- Branch protected from direct `git push`
-
-### `$USER` branches
-
- User's custom hosts and changes can be worked on in these branches
- Direct `git push` possible
- Examples:
-  - [hensoko](https://git.pub.solar/pub-solar/os/src/branch/hensoko)
-  - [b12f](https://git.pub.solar/pub-solar/os/src/branch/b12f)
-  - [axeman](https://git.pub.solar/pub-solar/os/src/branch/axeman)
-  - [teutat3s](https://git.pub.solar/pub-solar/os/src/branch/teutat3s)
--- a/18
+++ b/18
@ -1,18 +0,0 @@
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/LICENSE.md
+++ b/LICENSE.md
@ -1,660 +0,0 @@
-### GNU AFFERO GENERAL PUBLIC LICENSE
-
-Version 3, 19 November 2007
-
-Copyright (C) 2007 Free Software Foundation, Inc.
-<https://fsf.org/>
-
-Everyone is permitted to copy and distribute verbatim copies of this
-license document, but changing it is not allowed.
-
-### Preamble
-
-The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
-
-The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works. By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains
-free software for all its users.
-
-When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
-
-A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate. Many developers of free software are heartened and
-encouraged by the resulting cooperation. However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
-The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community. It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server. Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
-An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals. This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing
-under this license.
-
-The precise terms and conditions for copying, distribution and
-modification follow.
-
-### TERMS AND CONDITIONS
-
-#### 0. Definitions.
-
-"This License" refers to version 3 of the GNU Affero General Public
-License.
-
-"Copyright" also means copyright-like laws that apply to other kinds
-of works, such as semiconductor masks.
-
-"The Program" refers to any copyrightable work licensed under this
-License. Each licensee is addressed as "you". "Licensees" and
-"recipients" may be individuals or organizations.
-
-To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of
-an exact copy. The resulting work is called a "modified version" of
-the earlier work or a work "based on" the earlier work.
-
-A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy. Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies. Mere interaction with a user
-through a computer network, with no transfer of a copy, is not
-conveying.
-
-An interactive user interface displays "Appropriate Legal Notices" to
-the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License. If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-#### 1. Source Code.
-
-The "source code" for a work means the preferred form of the work for
-making modifications to it. "Object code" means any non-source form of
-a work.
-
-A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form. A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities. However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work. For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-The Corresponding Source need not include anything that users can
-regenerate automatically from other parts of the Corresponding Source.
-
-The Corresponding Source for a work in source code form is that same
-work.
-
-#### 2. Basic Permissions.
-
-All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met. This License explicitly affirms your unlimited
-permission to run the unmodified Program. The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work. This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-You may make, run and propagate covered works that you do not convey,
-without conditions so long as your license otherwise remains in force.
-You may convey covered works to others for the sole purpose of having
-them make modifications exclusively for you, or provide you with
-facilities for running those works, provided that you comply with the
-terms of this License in conveying all material for which you do not
-control copyright. Those thus making or running the covered works for
-you must do so exclusively on your behalf, under your direction and
-control, on terms that prohibit them from making any copies of your
-copyrighted material outside their relationship with you.
-
-Conveying under any other circumstances is permitted solely under the
-conditions stated below. Sublicensing is not allowed; section 10 makes
-it unnecessary.
-
-#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such
-circumvention is effected by exercising rights under this License with
-respect to the covered work, and you disclaim any intention to limit
-operation or modification of the work as a means of enforcing, against
-the work's users, your or third parties' legal rights to forbid
-circumvention of technological measures.
-
-#### 4. Conveying Verbatim Copies.
-
-You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-#### 5. Conveying Modified Source Versions.
-
-You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these
-conditions:
-
- a) The work must carry prominent notices stating that you modified
-  it, and giving a relevant date.
- b) The work must carry prominent notices stating that it is
-  released under this License and any conditions added under
-  section 7. This requirement modifies the requirement in section 4
-  to "keep intact all notices".
- c) You must license the entire work, as a whole, under this
-  License to anyone who comes into possession of a copy. This
-  License will therefore apply, along with any applicable section 7
-  additional terms, to the whole of the work, and all its parts,
-  regardless of how they are packaged. This License gives no
-  permission to license the work in any other way, but it does not
-  invalidate such permission if you have separately received it.
- d) If the work has interactive user interfaces, each must display
-  Appropriate Legal Notices; however, if the Program has interactive
-  interfaces that do not display Appropriate Legal Notices, your
-  work need not make them do so.
-
-A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit. Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-#### 6. Conveying Non-Source Forms.
-
-You may convey a covered work in object code form under the terms of
-sections 4 and 5, provided that you also convey the machine-readable
-Corresponding Source under the terms of this License, in one of these
-ways:
-
- a) Convey the object code in, or embodied in, a physical product
-  (including a physical distribution medium), accompanied by the
-  Corresponding Source fixed on a durable physical medium
-  customarily used for software interchange.
- b) Convey the object code in, or embodied in, a physical product
-  (including a physical distribution medium), accompanied by a
-  written offer, valid for at least three years and valid for as
-  long as you offer spare parts or customer support for that product
-  model, to give anyone who possesses the object code either (1) a
-  copy of the Corresponding Source for all the software in the
-  product that is covered by this License, on a durable physical
-  medium customarily used for software interchange, for a price no
-  more than your reasonable cost of physically performing this
-  conveying of source, or (2) access to copy the Corresponding
-  Source from a network server at no charge.
- c) Convey individual copies of the object code with a copy of the
-  written offer to provide the Corresponding Source. This
-  alternative is allowed only occasionally and noncommercially, and
-  only if you received the object code with such an offer, in accord
-  with subsection 6b.
- d) Convey the object code by offering access from a designated
-  place (gratis or for a charge), and offer equivalent access to the
-  Corresponding Source in the same way through the same place at no
-  further charge. You need not require recipients to copy the
-  Corresponding Source along with the object code. If the place to
-  copy the object code is a network server, the Corresponding Source
-  may be on a different server (operated by you or a third party)
-  that supports equivalent copying facilities, provided you maintain
-  clear directions next to the object code saying where to find the
-  Corresponding Source. Regardless of what server hosts the
-  Corresponding Source, you remain obligated to ensure that it is
-  available for as long as needed to satisfy these requirements.
- e) Convey the object code using peer-to-peer transmission,
-  provided you inform other peers where the object code and
-  Corresponding Source of the work are being offered to the general
-  public at no charge under subsection 6d.
-
-A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal,
-family, or household purposes, or (2) anything designed or sold for
-incorporation into a dwelling. In determining whether a product is a
-consumer product, doubtful cases shall be resolved in favor of
-coverage. For a particular product received by a particular user,
-"normally used" refers to a typical or common use of that class of
-product, regardless of the status of the particular user or of the way
-in which the particular user actually uses, or expects or is expected
-to use, the product. A product is a consumer product regardless of
-whether the product has substantial commercial, industrial or
-non-consumer uses, unless such uses represent the only significant
-mode of use of the product.
-
-"Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to
-install and execute modified versions of a covered work in that User
-Product from a modified version of its Corresponding Source. The
-information must suffice to ensure that the continued functioning of
-the modified object code is in no case prevented or interfered with
-solely because modification has been made.
-
-If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information. But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or
-updates for a work that has been modified or installed by the
-recipient, or for the User Product in which it has been modified or
-installed. Access to a network may be denied when the modification
-itself materially and adversely affects the operation of the network
-or violates the rules and protocols for communication across the
-network.
-
-Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-#### 7. Additional Terms.
-
-"Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law. If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it. (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.) You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders
-of that material) supplement the terms of this License with terms:
-
- a) Disclaiming warranty or limiting liability differently from the
-  terms of sections 15 and 16 of this License; or
- b) Requiring preservation of specified reasonable legal notices or
-  author attributions in that material or in the Appropriate Legal
-  Notices displayed by works containing it; or
- c) Prohibiting misrepresentation of the origin of that material,
-  or requiring that modified versions of such material be marked in
-  reasonable ways as different from the original version; or
- d) Limiting the use for publicity purposes of names of licensors
-  or authors of the material; or
- e) Declining to grant rights under trademark law for use of some
-  trade names, trademarks, or service marks; or
- f) Requiring indemnification of licensors and authors of that
-  material by anyone who conveys the material (or modified versions
-  of it) with contractual assumptions of liability to the recipient,
-  for any liability that these contractual assumptions directly
-  impose on those licensors and authors.
-
-All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10. If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term. If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions; the
-above requirements apply either way.
-
-#### 8. Termination.
-
-You may not propagate or modify a covered work except as expressly
-provided under this License. Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-However, if you cease all violation of this License, then your license
-from a particular copyright holder is reinstated (a) provisionally,
-unless and until the copyright holder explicitly and finally
-terminates your license, and (b) permanently, if the copyright holder
-fails to notify you of the violation by some reasonable means prior to
-60 days after the cessation.
-
-Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License. If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-#### 9. Acceptance Not Required for Having Copies.
-
-You are not required to accept this License in order to receive or run
-a copy of the Program. Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance. However,
-nothing other than this License grants you permission to propagate or
-modify any covered work. These actions infringe copyright if you do
-not accept this License. Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-#### 10. Automatic Licensing of Downstream Recipients.
-
-Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License. You are not responsible
-for enforcing compliance by third parties with this License.
-
-An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations. If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License. For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-#### 11. Patents.
-
-A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based. The
-work thus licensed is called the contributor's "contributor version".
-
-A contributor's "essential patent claims" are all patent claims owned
-or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version. For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement). To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients. "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-A patent license is "discriminatory" if it does not include within the
-scope of its coverage, prohibits the exercise of, or is conditioned on
-the non-exercise of one or more of the rights that are specifically
-granted under this License. You may not convey a covered work if you
-are a party to an arrangement with a third party that is in the
-business of distributing software, under which you make payment to the
-third party based on the extent of your activity of conveying the
-work, and under which the third party grants, to any of the parties
-who would receive the covered work from you, a discriminatory patent
-license (a) in connection with copies of the covered work conveyed by
-you (or copies made from those copies), or (b) primarily for and in
-connection with specific products or compilations that contain the
-covered work, unless you entered into that arrangement, or that patent
-license was granted, prior to 28 March 2007.
-
-Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-#### 12. No Surrender of Others' Freedom.
-
-If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under
-this License and any other pertinent obligations, then as a
-consequence you may not convey it at all. For example, if you agree to
-terms that obligate you to collect a royalty for further conveying
-from those to whom you convey the Program, the only way you could
-satisfy both those terms and this License would be to refrain entirely
-from conveying the Program.
-
-#### 13. Remote Network Interaction; Use with the GNU General Public License.
-
-Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your
-version supports such interaction) an opportunity to receive the
-Corresponding Source of your version by providing access to the
-Corresponding Source from a network server at no charge, through some
-standard or customary means of facilitating copying of software. This
-Corresponding Source shall include the Corresponding Source for any
-work covered by version 3 of the GNU General Public License that is
-incorporated pursuant to the following paragraph.
-
-Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work. The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
-#### 14. Revised Versions of this License.
-
-The Free Software Foundation may publish revised and/or new versions
-of the GNU Affero General Public License from time to time. Such new
-versions will be similar in spirit to the present version, but may
-differ in detail to address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation. If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever
-published by the Free Software Foundation.
-
-If the Program specifies that a proxy can decide which future versions
-of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-Later license versions may give you additional or different
-permissions. However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-#### 15. Disclaimer of Warranty.
-
-THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
-WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
-PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
-DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
-CORRECTION.
-
-#### 16. Limitation of Liability.
-
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
-CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
-ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
-NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
-LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
-TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
-PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-#### 17. Interpretation of Sections 15 and 16.
-
-If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-END OF TERMS AND CONDITIONS
-
-### How to Apply These Terms to Your New Programs
-
-If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these
-terms.
-
-To do so, attach the following notices to the program. It is safest to
-attach them to the start of each source file to most effectively state
-the exclusion of warranty; and each file should have at least the
-"copyright" line and a pointer to where the full notice is found.
-
-        <one line to give the program's name and a brief idea of what it does.>
-        Copyright (C) <year>  <name of author>
-
-        This program is free software: you can redistribute it and/or modify
-        it under the terms of the GNU Affero General Public License as
-        published by the Free Software Foundation, either version 3 of the
-        License, or (at your option) any later version.
-
-        This program is distributed in the hope that it will be useful,
-        but WITHOUT ANY WARRANTY; without even the implied warranty of
-        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-        GNU Affero General Public License for more details.
-
-        You should have received a copy of the GNU Affero General Public License
-        along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper
-mail.
-
-If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source. For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code. There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for
-the specific requirements.
-
-You should also get your employer (if you work as a programmer) or
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. For more information on this, and how to apply and follow
-the GNU AGPL, see <https://www.gnu.org/licenses/>.
--- a/default.nix
+++ b/default.nix
@ -1,35 +0,0 @@
-let
-  inherit (default.inputs.nixos) lib;
-
-  default = (import ./lib/compat).defaultNix;
-
-  ciSystems = [
-    "aarch64-linux"
-    "x86_64-linux"
-  ];
-
-  filterSystems =
-    lib.filterAttrs
-    (system: _: lib.elem system ciSystems);
-
-  recurseIntoAttrsRecursive = lib.mapAttrs (
-    _: v:
-      if lib.isAttrs v
-      then recurseIntoAttrsRecursive (lib.recurseIntoAttrs v)
-      else v
-  );
-
-  systemOutputs =
-    lib.filterAttrs
-    (
-      name: set:
-        lib.isAttrs set
-        && lib.any
-        (system: set ? ${system} && name != "legacyPackages")
-        ciSystems
-    )
-    default.outputs;
-
-  ciDrvs = lib.mapAttrs (_: system: filterSystems system) systemOutputs;
-in
-  (recurseIntoAttrsRecursive ciDrvs) // {shell = import ./shell.nix;}
--- a/flake.lock
+++ b/flake.lock
@ -1,12 +1,50 @@
 {
  "nodes": {
+    "adblock-unbound": {
+      "inputs": {
+        "adblockStevenBlack": "adblockStevenBlack",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688055723,
+        "narHash": "sha256-8WtkSAr4qYA3o6kiOCESK3rHJmIsa6TMBrT3/Cbfvro=",
+        "owner": "MayNiklas",
+        "repo": "nixos-adblock-unbound",
+        "rev": "9356ccd526fdcf91bfee7f0ebebae831349d43cc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "MayNiklas",
+        "repo": "nixos-adblock-unbound",
+        "type": "github"
+      }
+    },
+    "adblockStevenBlack": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1665337238,
+        "narHash": "sha256-LYYjWMy4xXXqnM3ROKseS7y0faNLYyyDPqUe1+Uf+RE=",
+        "owner": "StevenBlack",
+        "repo": "hosts",
+        "rev": "ff7d9bed83732bd3980ae452927541c6c4b15382",
+        "type": "github"
+      },
+      "original": {
+        "owner": "StevenBlack",
+        "repo": "hosts",
+        "type": "github"
+      }
+    },
    "agenix": {
      "inputs": {
        "darwin": [
-          "darwin"
+          "nix-darwin"
        ],
        "nixpkgs": [
-          "nixos"
+          "nixpkgs"
        ]
      },
      "locked": {
@ -23,42 +61,43 @@
        "type": "github"
      }
    },
-    "darwin": {
+    "deno2nix": {
      "inputs": {
-        "nixpkgs": [
-          "nixos"
-        ]
+        "devshell": "devshell",
+        "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1688307440,
-        "narHash": "sha256-7PTjbN+/+b799YN7Tk2SS5Vh8A0L3gBo8hmB7Y0VXug=",
-        "owner": "LnL7",
-        "repo": "nix-darwin",
-        "rev": "b06bab83bdf285ea0ae3c8e145a081eb95959047",
-        "type": "github"
+        "lastModified": 1686513235,
+        "narHash": "sha256-gVYRft/579iBC1J3gukn1CMIWrKksHm/GRA47+nvXRc=",
+        "ref": "refs/heads/main",
+        "rev": "193e1c9447d56fe434e4ab0983b2bb92f1c22255",
+        "revCount": 36,
+        "type": "git",
+        "url": "https://git.pub.solar/b12f/deno2.nix.git"
      },
      "original": {
-        "owner": "LnL7",
-        "repo": "nix-darwin",
-        "type": "github"
+        "type": "git",
+        "url": "https://git.pub.solar/b12f/deno2.nix.git"
      }
    },
-    "deploy": {
+    "deploy-rs": {
      "inputs": {
        "flake-compat": [
          "flake-compat"
        ],
        "nixpkgs": [
-          "nixos"
+          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1686747123,
-        "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
+        "lastModified": 1695052866,
+        "narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
+        "rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
        "type": "github"
      },
      "original": {
@ -69,18 +108,19 @@
    },
    "devshell": {
      "inputs": {
-        "flake-utils": "flake-utils",
        "nixpkgs": [
-          "digga",
+          "scan2paperless",
+          "deno2nix",
          "nixpkgs"
-        ]
+        ],
+        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1671489820,
-        "narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=",
+        "lastModified": 1685972731,
+        "narHash": "sha256-VpwVUthxs3AFgvWxGTHu+KVDnS/zT3xkCtmjX2PjNQs=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634",
+        "rev": "6b2554d28d46bfa6e24b941e999a145760dad0e1",
        "type": "github"
      },
      "original": {
@ -89,43 +129,25 @@
        "type": "github"
      }
    },
-    "digga": {
+    "devshell_2": {
      "inputs": {
-        "darwin": [
-          "darwin"
-        ],
-        "deploy": [
-          "deploy"
-        ],
-        "devshell": "devshell",
-        "flake-compat": [
-          "flake-compat"
-        ],
-        "flake-utils": "flake-utils_2",
-        "flake-utils-plus": "flake-utils-plus",
-        "home-manager": [
-          "home"
-        ],
-        "nixlib": [
-          "nixos"
-        ],
        "nixpkgs": [
-          "nixos"
+          "scan2paperless",
+          "nixpkgs"
        ],
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1674947971,
-        "narHash": "sha256-6gKqegJHs72jnfFP9g2sihl4fIZgtKgKuqU2rCkIdGY=",
-        "owner": "pub-solar",
-        "repo": "digga",
-        "rev": "2da608bd8afb48afef82c6b1b6d852a36094a497",
+        "lastModified": 1685972731,
+        "narHash": "sha256-VpwVUthxs3AFgvWxGTHu+KVDnS/zT3xkCtmjX2PjNQs=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "6b2554d28d46bfa6e24b941e999a145760dad0e1",
        "type": "github"
      },
      "original": {
-        "owner": "pub-solar",
-        "ref": "fix/bootstrap-iso",
-        "repo": "digga",
+        "owner": "numtide",
+        "repo": "devshell",
        "type": "github"
      }
    },
@ -145,50 +167,65 @@
        "type": "github"
      }
    },
-    "flake-utils": {
+    "flake-compat_2": {
+      "flake": false,
      "locked": {
-        "lastModified": 1642700792,
-        "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba",
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "edolstra",
+        "repo": "flake-compat",
        "type": "github"
      }
    },
-    "flake-utils-plus": {
+    "flake-parts": {
      "inputs": {
-        "flake-utils": [
-          "digga",
-          "flake-utils"
-        ]
+        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1654029967,
-        "narHash": "sha256-my3GQ3mQIw/1f6GPV1IhUZrcYQSWh0YJAMPNBjhXJDw=",
-        "owner": "gytis-ivaskevicius",
-        "repo": "flake-utils-plus",
-        "rev": "6271cf3842ff9c8a9af9e3508c547f86bc77d199",
+        "lastModified": 1693611461,
+        "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
        "type": "github"
      },
      "original": {
-        "owner": "gytis-ivaskevicius",
-        "ref": "refs/pull/120/head",
-        "repo": "flake-utils-plus",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1685518550,
+        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
        "type": "github"
      },
      "original": {
@ -197,18 +234,36 @@
        "type": "github"
      }
    },
-    "home": {
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1685518550,
+        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "home-manager": {
      "inputs": {
        "nixpkgs": [
-          "nixos"
+          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1687871164,
-        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
+        "lastModified": 1695108154,
+        "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
+        "rev": "07682fff75d41f18327a871088d20af2710d4744",
        "type": "github"
      },
      "original": {
@ -218,35 +273,89 @@
        "type": "github"
      }
    },
-    "latest": {
+    "master": {
      "locked": {
-        "lastModified": 1689850295,
-        "narHash": "sha256-fUYf6WdQlhd2H+3aR8jST5dhFH1d0eE22aes8fNIfyk=",
+        "lastModified": 1693817516,
+        "narHash": "sha256-nhmWHJhGutkDr7NMDoqPifsrLTcKLtWpX2m3F0hkiR0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5df4d78d54f7a34e9ea1f84a22b4fd9baebc68d0",
+        "rev": "8c27922a0e2de18f1fadb4f2bd65d5cb9de16b64",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixos": {
+    "mobile-nixos": {
+      "flake": false,
      "locked": {
-        "lastModified": 1689680872,
-        "narHash": "sha256-brNix2+ihJSzCiKwLafbyejrHJZUP0Fy6z5+xMOC27M=",
+        "lastModified": 1696124168,
+        "narHash": "sha256-EzGHYAR7rozQQLZEHbKEcb5VpUFGoxwEsM0OWfW4wqU=",
        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "08700de174bc6235043cb4263b643b721d936bdb",
+        "repo": "mobile-nixos",
+        "rev": "7cee346c3f8e73b25b1cfbf7a086a7652c11e0f3",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-23.05",
-        "repo": "nixpkgs",
+        "repo": "mobile-nixos",
+        "type": "github"
+      }
+    },
+    "musnix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1690426816,
+        "narHash": "sha256-vvOrLE6LlBVYigA1gSrlkknFwfuq9qmLA4h6ubiJ22g=",
+        "owner": "musnix",
+        "repo": "musnix",
+        "rev": "e651b06f8a3ac7d71486984100e8a79334da8329",
+        "type": "github"
+      },
+      "original": {
+        "owner": "musnix",
+        "repo": "musnix",
+        "type": "github"
+      }
+    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1695686713,
+        "narHash": "sha256-rJATx5B/nwlBpt7CJUf85LV27qWPbul5UVV8fu6ABPg=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "e236a1e598a9a59265897948ac9874c364b9555f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "nixos-flake": {
+      "locked": {
+        "lastModified": 1692742948,
+        "narHash": "sha256-19LQQFGshuQNrrXZYVt+mWY0O3NbhEXeMy3MZwzYZGo=",
+        "owner": "srid",
+        "repo": "nixos-flake",
+        "rev": "2c25190ceacdaaae7e8afbecfa87096bb499a431",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "repo": "nixos-flake",
        "type": "github"
      }
    },
@ -265,13 +374,79 @@
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs": {
      "locked": {
-        "lastModified": 1672791794,
-        "narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=",
+        "lastModified": 1690272529,
+        "narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1693471703,
+        "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1696039360,
+        "narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d",
+        "rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1686412476,
+        "narHash": "sha256-inl9SVk6o5h75XKC79qrDCAobTD1Jxh6kVYTZKHzewA=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "21951114383770f96ae528d0ae68824557768e81",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1693158576,
+        "narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780",
        "type": "github"
      },
      "original": {
@ -283,15 +458,118 @@
    },
    "root": {
      "inputs": {
+        "adblock-unbound": "adblock-unbound",
        "agenix": "agenix",
-        "darwin": "darwin",
-        "deploy": "deploy",
-        "digga": "digga",
+        "deploy-rs": "deploy-rs",
        "flake-compat": "flake-compat",
-        "home": "home",
-        "latest": "latest",
-        "nixos": "nixos",
-        "nixos-hardware": "nixos-hardware"
+        "flake-parts": "flake-parts",
+        "home-manager": "home-manager",
+        "master": "master",
+        "mobile-nixos": "mobile-nixos",
+        "musnix": "musnix",
+        "nix-darwin": "nix-darwin",
+        "nixos-flake": "nixos-flake",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs_2",
+        "scan2paperless": "scan2paperless",
+        "unstable": "unstable"
+      }
+    },
+    "scan2paperless": {
+      "inputs": {
+        "deno2nix": "deno2nix",
+        "devshell": "devshell_2",
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": "nixpkgs_4"
+      },
+      "locked": {
+        "lastModified": 1693298356,
+        "narHash": "sha256-bOwygw67/iX2kAFCwsnmEjIXnE22S0tumoLc6j5OepE=",
+        "ref": "refs/heads/main",
+        "rev": "a66e3c9f80f7cc45beefd1408cec92553d3301e0",
+        "revCount": 11,
+        "type": "git",
+        "url": "https://git.pub.solar/b12f/scan2paperless.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pub.solar/b12f/scan2paperless.git"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "unstable": {
+      "locked": {
+        "lastModified": 1696019113,
+        "narHash": "sha256-X3+DKYWJm93DRSdC5M6K5hLqzSya9BjibtBsuARoPco=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "f5892ddac112a1e9b3612c39af1b72987ee5783a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
      }
    },
    "utils": {
--- a/flake.nix
+++ b/flake.nix
@ -1,172 +1,117 @@
 {
-  description = "A highly structured configuration database.";
+  description = "b12f hosts";

  nixConfig.extra-experimental-features = "nix-command flakes";

  inputs = {
    # Track channels with commits tested and built by hydra
-    nixos.url = "github:nixos/nixpkgs/nixos-23.05";
-    latest.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+    unstable.url = "github:nixos/nixpkgs/nixos-unstable";

    flake-compat.url = "github:edolstra/flake-compat";
    flake-compat.flake = false;

-    digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
-    digga.inputs.nixpkgs.follows = "nixos";
-    digga.inputs.nixlib.follows = "nixos";
-    digga.inputs.home-manager.follows = "home";
-    digga.inputs.deploy.follows = "deploy";
-    digga.inputs.darwin.follows = "darwin";
-    digga.inputs.flake-compat.follows = "flake-compat";
+    nix-darwin.url = "github:lnl7/nix-darwin/master";
+    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";

-    home.url = "github:nix-community/home-manager/release-23.05";
-    home.inputs.nixpkgs.follows = "nixos";
+    home-manager.url = "github:nix-community/home-manager/release-23.05";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";

-    darwin.url = "github:LnL7/nix-darwin";
-    darwin.inputs.nixpkgs.follows = "nixos";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    nixos-flake.url = "github:srid/nixos-flake";

-    deploy.url = "github:serokell/deploy-rs";
-    deploy.inputs.nixpkgs.follows = "nixos";
-    deploy.inputs.flake-compat.follows = "flake-compat";
+    deploy-rs.url = "github:serokell/deploy-rs";
+    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+    deploy-rs.inputs.flake-compat.follows = "flake-compat";

    agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixos";
-    agenix.inputs.darwin.follows = "darwin";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.darwin.follows = "nix-darwin";

    nixos-hardware.url = "github:nixos/nixos-hardware";
+
+    mobile-nixos.url = "github:nixos/mobile-nixos";
+    mobile-nixos.flake = false;
+
+    master.url = "github:nixos/nixpkgs/master";
+    scan2paperless.url = "git+https://git.pub.solar/b12f/scan2paperless.git";
+    musnix.url = "github:musnix/musnix";
+    adblock-unbound.url = "github:MayNiklas/nixos-adblock-unbound";
+    adblock-unbound.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = {
-    self,
-    digga,
-    nixos,
-    home,
-    nixos-hardware,
-    agenix,
-    deploy,
-    ...
-  } @ inputs:
-    digga.lib.mkFlake
-    {
-      inherit self inputs;
+  outputs = inputs@{ self, ... }:
+    inputs.flake-parts.lib.mkFlake { inherit inputs; } {
+      systems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];

-      channelsConfig = {
-        # allowUnfree = true;
-      };
+      imports = [
+        inputs.nixos-flake.flakeModule
+        ./lib
+        ./modules
+        ./hosts
+        ./users
+      ];

-      supportedSystems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin"];
-
-      channels = {
-        nixos = {
-          imports = [(digga.lib.importOverlays ./overlays)];
+      perSystem = args@{ system, pkgs, config, ... }: {
+        _module.args = {
+          inherit inputs;
+          pkgs = import inputs.nixpkgs {
+            inherit system;
            overlays = [
-            (self: super: {
-              deploy-rs = {
-                inherit (inputs.nixos.legacyPackages.x86_64-linux) deploy-rs;
-                lib = inputs.deploy.lib.x86_64-linux;
-              };
-            })
+              inputs.agenix.overlays.default
            ];
          };
-        latest = {};
+          unstable = import inputs.unstable { inherit system; };
+          master = import inputs.master { inherit system; };
        };

-      lib = import ./lib {lib = digga.lib // nixos.lib;};
-
-      sharedOverlays = [
-        (final: prev: {
-          __dontExport = true;
-          lib = prev.lib.extend (lfinal: lprev: {
-            our = self.lib;
-          });
-        })
-        agenix.overlays.default
-
-        (import ./pkgs)
-      ];
-
-      nixos = {
-        hostDefaults = {
-          system = "x86_64-linux";
-          channelName = "nixos";
-          imports = [(digga.lib.importExportableModules ./modules)];
-          modules = [
-            {lib.our = self.lib;}
-            # FIXME: upstream module causes a huge number of unnecessary
-            # dependencies to be pulled in for all systems -- many of them are
-            # graphical. should only be imported as needed.
-            # digga.nixosModules.bootstrapIso
-            digga.nixosModules.nixConfig
-            home.nixosModules.home-manager
-            agenix.nixosModules.age
-          ];
-        };
-
-        imports = [(digga.lib.importHosts ./hosts)];
-        hosts = {
-          # Set host-specific properties here
-          bootstrap = {
-            modules = [
-              digga.nixosModules.bootstrapIso
-            ];
-          };
-          PubSolarOS = {
-            tests = [
-              #(import ./tests/first-test.nix {
-              #  pkgs = nixos.legacyPackages.x86_64-linux;
-              #  lib = nixos.lib;
-              #})
+        devShells.default = pkgs.mkShell {
+          buildInputs = with pkgs; [
+            deploy-rs
+            nixpkgs-fmt
+            agenix
+            cachix
+            editorconfig-checker
+            nix
+            nodePackages.prettier
+            nvfetcher
+            shellcheck
+            shfmt
+            treefmt
+            nixos-generators
          ];
        };
      };
-        importables = rec {
-          profiles =
-            digga.lib.rakeLeaves ./profiles
-            // {
-              users = digga.lib.rakeLeaves ./users;
-            };
-          suites = with profiles; rec {
-            base = [users.pub-solar users.root];
-            iso = base ++ [base-user graphical pub-solar-iso];
-            pubsolaros = [full-install base-user users.root];
-            anonymous = [pubsolaros users.pub-solar];
-          };
-        };
+
+      flake = {
+        deploy.nodes = self.b12f-os.lib.deploy.mkDeployNodes self.nixosConfigurations {
+          chocolatebar = {
+            sshUser = "b12f";
          };

-      home = {
-        imports = [(digga.lib.importExportableModules ./users/modules)];
-        modules = [];
-        importables = rec {
-          profiles = digga.lib.rakeLeaves ./users/profiles;
-          suites = with profiles; rec {
-            base = [direnv git];
-          };
-        };
-        users = {
-          pub-solar = {suites, ...}: {
-            imports = suites.base;
-
-            home.stateVersion = "21.03";
-          };
-        }; # digga.lib.importers.rakeLeaves ./users/hm;
+          biolimo = {
+            sshUser = "b12f";
          };

-      devshell = ./shell;
+          droppie = {
+            hostname = "backup.b12f.io";
+            sshUser = "yule";
+          };

-      homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
+          pie = {
+            hostname = "pie.local";
+            sshUser = "yule";
+          };

-      deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
-        #example = {
-        #  hostname = "example.com:22";
-        #  sshUser = "bartender";
-        #  fastConnect = true;
-        #  profilesOrder = ["system" "direnv"];
-        #  profiles.direnv = {
-        #    user = "bartender";
-        #    path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
-        #  };
-        #};
+          maoam = {
+            sshUser = "b12f";
+          };
+        };
      };
    };
 }
--- a/hosts/PubSolarOS.nix
+++ b/hosts/PubSolarOS.nix
@ -1,21 +0,0 @@
-{suites, ...}: {
-  ### root password is empty by default ###
-  ### default password: pub-solar, optional: add your SSH keys
-  imports =
-    suites.iso;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.networkmanager.enable = true;
-
-  fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
-}
--- a/hosts/biolimo/.config/sway/config.d/autostart.conf
+++ b/hosts/biolimo/.config/sway/config.d/autostart.conf
@ -0,0 +1,6 @@
+# Autostart applications
+#
+# Example:
+# exec swayidle
+
+exec keepassxc
--- a/hosts/biolimo/.config/sway/config.d/custom-keybindings.conf
+++ b/hosts/biolimo/.config/sway/config.d/custom-keybindings.conf
@ -0,0 +1,19 @@
+# Touchpad controls
+#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
+
+# Screen brightness controls
+bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
+bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {    print $4}')"
+
+# Keyboard backlight brightness controls
+bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+
+# Pulse Audio controls
+bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
+bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
+bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
+# Media player controls
+bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
+bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
+bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
--- a/hosts/biolimo/.config/sway/config.d/input-defaults.conf
+++ b/hosts/biolimo/.config/sway/config.d/input-defaults.conf
@ -0,0 +1,9 @@
+input "1739:0:Synaptics_TM3288-011" {
+  dwt enabled
+  tap enabled
+  middle_emulation enabled
+}
+input * {
+  xkb_layout us(intl),de
+  xkb_options ctrl:nocaps
+}
--- a/hosts/biolimo/.config/sway/config.d/screens.conf
+++ b/hosts/biolimo/.config/sway/config.d/screens.conf
@ -0,0 +1,20 @@
+set $internal eDP-1
+set $middle "Hewlett Packard HP E231 3CQ4290S5J"
+set $standup "Hewlett Packard HP E231 3CQ4251F33"
+
+output $internal {
+  scale 1
+  pos 1080 1080
+}
+
+output $middle {
+  scale 1
+
+  pos 1080 0
+}
+
+output $standup {
+  scale 1
+  transform 90
+  pos 0 0
+}
--- a/hosts/biolimo/configuration.nix
+++ b/hosts/biolimo/configuration.nix
@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  pub-solar.graphical.enable = true;
+  pub-solar.sway.enable = true;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  pub-solar.paranoia.enable = true;
+  pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
+  pub-solar.core.hibernation.resumeOffset = 15296512;
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  networking.networkmanager.wifi.backend = mkForce "wpa_supplicant";
+
+  services.printing.drivers = [
+    pkgs.cups-brother-hl3140cw
+  ];
+
+  home-manager = with pkgs;
+    pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
+      xdg.configFile = mkIf psCfg.sway.enable {
+        "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+        "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
+        "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
+        "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
+      };
+
+      home.packages = [
+        inkscape
+      ];
+    };
+
+  # For OpenProject development with https
+  security.pki.certificates = [
+    (builtins.readFile ./step-roots.pem)
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}
--- a/hosts/biolimo/default.nix
+++ b/hosts/biolimo/default.nix
@ -0,0 +1,6 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+  ];
+}
--- a/hosts/biolimo/hardware-configuration.nix
+++ b/hosts/biolimo/hardware-configuration.nix
@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/abc3fe04-368e-46eb-8c7a-3a829bb2deab";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3B67-0CAB";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 18 * 1024; # 18 GB
+    }
+  ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
--- a/hosts/biolimo/step-roots.pem
+++ b/hosts/biolimo/step-roots.pem
@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB3DCCAYKgAwIBAgIRAKlV2S+BzAlsxoFGjtf8Bf8wCgYIKoZIzj0EAwIwTDEg
+MB4GA1UEChMXT3BlblByb2plY3QgRGV2ZWxvcG1lbnQxKDAmBgNVBAMTH09wZW5Q
+cm9qZWN0IERldmVsb3BtZW50IFJvb3QgQ0EwHhcNMjMwNzA1MTIwMjM1WhcNMzMw
+NzAyMTIwMjM1WjBMMSAwHgYDVQQKExdPcGVuUHJvamVjdCBEZXZlbG9wbWVudDEo
+MCYGA1UEAxMfT3BlblByb2plY3QgRGV2ZWxvcG1lbnQgUm9vdCBDQTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABICa0iNxImT7/HtI9Am8AowzFdPaLuDC1NJwKRnA
+tglghS2HmAXkzxoUW8UZ91TTNEmesNGW/nT/rpvSfZt9FtmjRTBDMA4GA1UdDwEB
+/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBTCCyuQg8z8pOxd
+UGcsZDT4KzFS3DAKBggqhkjOPQQDAgNIADBFAiEA3+ZUCj3SJ1estz4kyQyoIXVb
+gXk2rFHQQgIDSbRPoL0CIEu4u9YTxjRg7DdnARh4CPWi63VSZ5iwIbeuzEi4PO8q
+-----END CERTIFICATE-----
--- a/hosts/bootstrap.nix
+++ b/hosts/bootstrap.nix
@ -1,54 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  profiles,
-  ...
-}:
-with lib; let
-  # Gets hostname of host to be bundled inside iso
-  # Copied from https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L3-L11
-  getFqdn = config: let
-    net = config.networking;
-    fqdn =
-      if (net ? domain) && (net.domain != null)
-      then "${net.hostName}.${net.domain}"
-      else net.hostName;
-  in
-    fqdn;
-in {
-  # build with: `nix build ".#nixosConfigurations.bootstrap.config.system.build.isoImage"`
-  imports = [
-    # profiles.networking
-    profiles.users.root # make sure to configure ssh keys
-    profiles.users.pub-solar
-    profiles.base-user
-    profiles.graphical
-    profiles.pub-solar-iso
-  ];
-
-  config = {
-    boot.loader.systemd-boot.enable = true;
-
-    # will be overridden by the bootstrapIso instrumentation
-    fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
-
-    system.nixos.label = "PubSolarOS-" + config.system.nixos.version;
-
-    # mkForce because a similar transformation gets double applied otherwise
-    # https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L17
-    # https://github.com/NixOS/nixpkgs/blob/aecd4d8349b94f9bd5718c74a5b789f233f67326/nixos/modules/installer/cd-dvd/installation-cd-base.nix#L21-L22
-    isoImage = {
-      isoBaseName = mkForce (getFqdn config);
-      isoName = mkForce "${config.system.nixos.label}-${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso";
-    };
-
-    # This value determines the NixOS release from which the default
-    # settings for stateful data, like file locations and database versions
-    # on your system were taken. It‘s perfectly fine and recommended to leave
-    # this value at the release version of the first install of this system.
-    # Before changing this value read the documentation for this option
-    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-    system.stateVersion = "21.05"; # Did you read the comment?
-  };
-}
--- a/hosts/chocolatebar/.config/sway/config.d/autostart.conf
+++ b/hosts/chocolatebar/.config/sway/config.d/autostart.conf
@ -0,0 +1,6 @@
+# Autostart applications
+#
+# Example:
+# exec swayidle
+
+exec keepassxc
--- a/hosts/chocolatebar/.config/sway/config.d/custom-keybindings.conf
+++ b/hosts/chocolatebar/.config/sway/config.d/custom-keybindings.conf
@ -0,0 +1,19 @@
+# Touchpad controls
+#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
+
+# Screen brightness controls
+bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
+bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {    print $4}')"
+
+# Keyboard backlight brightness controls
+bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+
+# Pulse Audio controls
+bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
+bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
+bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
+# Media player controls
+bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
+bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
+bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
--- a/hosts/chocolatebar/.config/sway/config.d/input-defaults.conf
+++ b/hosts/chocolatebar/.config/sway/config.d/input-defaults.conf
@ -0,0 +1,4 @@
+input * {
+  xkb_layout us(intl),de
+  xkb_options ctrl:nocaps
+}
--- a/hosts/chocolatebar/.config/sway/config.d/screens.conf
+++ b/hosts/chocolatebar/.config/sway/config.d/screens.conf
@ -0,0 +1,18 @@
+set $left DP-3
+set $middle DP-2
+set $right DP-1
+
+output $left {
+  scale 1
+  pos 0 0
+}
+
+output $middle {
+  scale 1
+  pos 1920 0
+}
+
+output $right {
+  scale 1
+  pos 3840 0
+}
--- a/hosts/chocolatebar/configuration.nix
+++ b/hosts/chocolatebar/configuration.nix
@ -0,0 +1,117 @@
+{
+  config,
+  pkgs,
+  flake,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  pub-solar.graphical.enable = true;
+  pub-solar.sway.enable = true;
+  pub-solar.virtualisation.enable = true;
+
+  hardware.cpu.amd.updateMicrocode = true;
+
+  hardware.opengl.extraPackages = with pkgs; [
+    rocm-opencl-icd
+    rocm-opencl-runtime
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  pub-solar.paranoia.enable = true;
+  pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
+  pub-solar.core.hibernation.resumeOffset = 115075072;
+
+  pub-solar.paperless.sync.masterNode = true;
+
+  age.secrets."drone-runner-exec-config" = {
+    file = "${flake.self}/secrets/drone-runner-exec-config";
+    mode = "400";
+    owner = psCfg.user.name;
+  };
+
+  pub-solar.docker-ci-runner = {
+    enable = true;
+    runnerVarsFile = config.age.secrets.drone-runner-exec-config.path;
+  };
+
+  pub-solar.paperless.scannerDefaultDevice = "hp3900:libusb:005:004";
+
+  services.openssh.openFirewall = true;
+  networking.firewall.allowedTCPPorts =
+    [443]
+    ++ (
+      if psCfg.sway.vnc.enable
+      then [5901]
+      else []
+    );
+  networking.firewall.allowedUDPPorts = [43050];
+
+  environment.systemPackages = with pkgs; [
+    wayvnc
+    drone-docker-runner
+    stdenv.cc.cc.lib
+    pkgs.hplip
+  ];
+
+  age.secrets."vnc-key.pem" = {
+    file = "${flake.self}/secrets/vnc-key-chocolatebar.pem";
+    mode = "400";
+    owner = psCfg.user.name;
+  };
+  age.secrets."vnc-cert.pem" = {
+    file = "${flake.self}/secrets/vnc-cert-chocolatebar.pem";
+    mode = "400";
+    owner = psCfg.user.name;
+  };
+  pub-solar.sway.vnc.enable = true;
+
+  services.printing.drivers = [
+    pkgs.cups-brother-hl3140cw
+  ];
+
+  services.udev.extraRules = ''
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="04f9", ATTRS{idProduct}=="209e", ATTRS{serial}=="000W0H924252", MODE="0664", GROUP="lp", SYMLINK+="usb/lp0"
+  '';
+
+  home-manager.users."${psCfg.user.name}" = {
+    xdg.configFile = mkIf psCfg.sway.enable {
+      "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
+      "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
+      "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+    };
+
+    home.sessionVariables = {
+      NIX_CC = "${pkgs.stdenv.cc}";
+    };
+
+    home.packages = with pkgs; [
+      lmms
+      audacity
+    ];
+  };
+
+  musnix = {
+    enable = true;
+    kernel.realtime = true;
+  };
+
+  # For OpenProject development with https
+  security.pki.certificates = [
+    (builtins.readFile ./step-roots.pem)
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}
--- a/hosts/chocolatebar/default.nix
+++ b/hosts/chocolatebar/default.nix
@ -0,0 +1,9 @@
+{...}: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+
+    ./virtualisation
+    # ./factorio
+  ];
+}
--- a/hosts/chocolatebar/factorio/default.nix
+++ b/hosts/chocolatebar/factorio/default.nix
@ -0,0 +1,46 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+
+  far-reach = pkgs.stdenv.mkDerivation rec {
+    pname = "factorio-far-reach";
+    version = "1.1.2";
+    src = ./far-reach_1.1.2.zip;
+    phases = ["installPhase"];
+    deps = [];
+    installPhase = ''
+      mkdir -p $out
+      cp $src far-reach_1.1.2.zip
+    '';
+  };
+in {
+  config = {
+    services.factorio = {
+      enable = true;
+      port = 34197; # The default, but make it explicit
+      lan = true;
+      game-password = "pls-dont-grief";
+      admins = [
+        "doubtwriter"
+        "kattykat"
+      ];
+      openFirewall = true;
+      autosave-interval = 3;
+      game-name = "Babes plays v2";
+      requireUserVerification = false;
+      bind = "::";
+      mods = [
+        far-reach
+      ];
+    };
+
+    networking.firewall.allowedUDPPorts = [34197];
+    networking.firewall.allowedTCPPorts = [34197];
+  };
+}
--- a/hosts/chocolatebar/factorio/far-reach_1.1.2.zip
+++ b/hosts/chocolatebar/factorio/far-reach_1.1.2.zip
--- a/hosts/chocolatebar/hardware-configuration.nix
+++ b/hosts/chocolatebar/hardware-configuration.nix
@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbcore" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a3a74208-b244-4268-b374-e58265810fce";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/12FD-62A8";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 68 * 1024; # 68 GB
+    }
+  ];
+}
--- a/hosts/chocolatebar/step-roots.pem
+++ b/hosts/chocolatebar/step-roots.pem
@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6DCCAY2gAwIBAgIQD4Q4blCl/ZrTIRU2QpqEOTAKBggqhkjOPQQDAjBSMSMw
+IQYDVQQKExpPcGVuUHJvamVjdCBEZXZlbG9wbWVudCBDQTErMCkGA1UEAxMiT3Bl
+blByb2plY3QgRGV2ZWxvcG1lbnQgQ0EgUm9vdCBDQTAeFw0yMjEwMTgxMTE1NDBa
+Fw0zMjEwMTUxMTE1NDBaMFIxIzAhBgNVBAoTGk9wZW5Qcm9qZWN0IERldmVsb3Bt
+ZW50IENBMSswKQYDVQQDEyJPcGVuUHJvamVjdCBEZXZlbG9wbWVudCBDQSBSb290
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu4rN0lOtgxoC83UKONMy2Ns7
+tI0/u6qPp/Cw92xhaTdh/X9ZWKqIhp2VGj2HUJOOfQXrFew7jbLGOvvoXib0Y6NF
+MEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
+FPjV1zK2GZu8x4uR0QDotk5kNinEMAoGCCqGSM49BAMCA0kAMEYCIQDS2OpCnHM7
+RV7fFHT3KsG3q4lA3dJUKGighQaQ2qOwNwIhAOMmWGWd3EaD87q4RROyVt3h7vIN
+nMJRu7L9il84hFF2
+-----END CERTIFICATE-----
--- a/hosts/chocolatebar/virtualisation/create-service.nix
+++ b/hosts/chocolatebar/virtualisation/create-service.nix
@ -0,0 +1,112 @@
+{
+  config,
+  pkgs,
+  lib,
+  vm,
+  ...
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  varsFile = "${xdg.dataHome}/libvirt/OVMF_VARS_${vm.name}.fd";
+  generateXML = import ./guest-xml.nix;
+in {
+  serviceConfig = {
+    Type = "oneshot";
+    RemainAfterExit = "yes";
+    Restart = "no";
+  };
+
+  script = let
+    networkXML = pkgs.writeText "network.xml" (import ./network-xml.nix {
+      inherit config;
+      inherit pkgs;
+      inherit lib;
+    });
+    machineXML = pkgs.writeText "${vm.name}.xml" (vm.generateXML {
+      inherit config;
+      inherit pkgs;
+      inherit lib;
+      inherit vm;
+      varsFile = varsFile;
+    });
+  in ''
+    echo "Checking if ${vm.name} is already running"
+    STATUS=$(${pkgs.libvirt}/bin/virsh list --all | grep "${vm.name}" | ${pkgs.gawk}/bin/awk '{ print $3 " " $4 }' )
+    if [[ $STATUS != "shut off" && $STATUS != "" ]]; then
+      echo "Domain ${vm.name} is already running or in an inconsistent state:"
+      ${pkgs.libvirt}/bin/virsh list --all
+      exit 0
+    fi
+
+    echo "Creating network XML"
+    NET_TMP_FILE="/tmp/network.xml"
+
+    NETUUID="$(${pkgs.libvirt}/bin/virsh net-uuid 'default' || true)"
+    (sed "s/UUID/$NETUUID/" '${networkXML}') > "$NET_TMP_FILE"
+
+    echo "Defining and starting network"
+    ${pkgs.libvirt}/bin/virsh net-define "$NET_TMP_FILE"
+    ${pkgs.libvirt}/bin/virsh net-start 'default' || true
+
+    VARS_FILE=${varsFile}
+    if [ ! -f "$VARS_FILE" ]; then
+      echo "Copying vars filej"
+      cp /run/libvirt/nix-ovmf/OVMF_VARS.fd "$VARS_FILE"
+    fi
+
+    echo "Replacing USB device IDs in the XML"
+    # Load the template contents into a tmp file
+    TMP_FILE="/tmp/${vm.name}.xml"
+    cat "${machineXML}" > "$TMP_FILE"
+
+    # Set VM UUID
+    UUID="$(${pkgs.libvirt}/bin/virsh domuuid '${vm.name}' || true)"
+    sed -i "s/UUID/''${UUID}/" "$TMP_FILE"
+
+    ${
+      if vm.handOverUSBDevices
+      then ''
+        # Hand over mouse
+        USB_BUS=3
+        USB_DEV=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c52b | grep "Bus 00''${USB_BUS}" | cut -b 18)
+        LINE_NUMBER=$(cat $TMP_FILE | grep -n -A 1 0xc52b | tail -n 1 | cut -b 1,2,3)
+        sed -i "''${LINE_NUMBER}s/.*/<address bus=\"''${USB_BUS}\" device=\"''${USB_DEV}\" \/>/" "$TMP_FILE"
+
+        # Hand over keyboard
+        USB_BUS=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c328 | cut -b 7)
+        USB_DEV=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c328 | cut -b 18)
+        LINE_NUMBER=$(cat $TMP_FILE | grep -n -A 1 0xc328 | tail -n 1 | cut -b 1,2,3)
+        sed -i "''${LINE_NUMBER}s/.*/<address bus=\"''${USB_BUS}\" device=\"''${USB_DEV}\" \/>/" "$TMP_FILE"
+      ''
+      else ""
+    }
+
+    # TODO: Set correct pci address for the GPU too
+
+    # Setup looking glass shm file
+    echo "Setting up looking glass shm file"
+    ${pkgs.coreutils-full}/bin/truncate -s 0 /dev/shm/looking-glass
+    ${pkgs.coreutils-full}/bin/dd if=/dev/zero of=/dev/shm/looking-glass bs=1M count=32
+
+    # Load and start the xml definition
+    echo "Loading and starting the VM XML definition"
+    ${pkgs.libvirt}/bin/virsh define "$TMP_FILE"
+    ${pkgs.libvirt}/bin/virsh start '${vm.name}'
+  '';
+
+  preStop = ''
+    ${pkgs.libvirt}/bin/virsh shutdown '${vm.name}'
+    let "timeout = $(date +%s) + 10"
+    while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${vm.name}$')" -gt 0 ]; do
+      if [ "$(date +%s)" -ge "$timeout" ]; then
+        # Meh, we warned it...
+        ${pkgs.libvirt}/bin/virsh destroy '${vm.name}'
+      else
+        # The machine is still running, let's give it some time to shut down
+        sleep 0.5
+      fi
+    done
+
+    ${pkgs.libvirt}/bin/virsh net-destroy 'default' || true
+  '';
+}
--- a/hosts/chocolatebar/virtualisation/default.nix
+++ b/hosts/chocolatebar/virtualisation/default.nix
@ -0,0 +1,82 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  createService = import ./create-service.nix;
+  generateXML = import ./guest-xml.nix;
+  generateTailsXML = import ./tails-xml.nix;
+
+  isolateGPU = "rx550x";
+  memory = 32; # in GB
+  handOverUSBDevices = false;
+
+  isolateAnyGPU = isolateGPU != null;
+in {
+  config = mkIf psCfg.virtualisation.enable {
+    boot.extraModprobeConfig = mkIf isolateAnyGPU (concatStringsSep "\n" [
+      "softdep amdgpu pre: vfio vfio_pci"
+      (
+        if isolateGPU == "rx5700xt"
+        then "options vfio-pci ids=1002:731f,1002:ab38"
+        else "options vfio-pci ids=1002:699f,1002:aae0"
+      )
+    ]);
+
+    systemd.user.services = {
+      vm-windows = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "windows";
+          disk = "/dev/disk/by-id/ata-SanDisk_SDSSDA240G_162402455603";
+          id = "http://microsoft.com/win/10";
+          gpu = true;
+          mountHome = false;
+          memory = memory;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = handOverUSBDevices;
+          generateXML = generateXML;
+        };
+      };
+      vm-manjaro = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "manjaro";
+          disk = "/dev/disk/by-id/ata-KINGSTON_SM2280S3G2240G_50026B726B0265CE";
+          id = "https://manjaro.org/download/#i3";
+          gpu = true;
+          mountHome = true;
+          memory = memory;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = handOverUSBDevices;
+          generateXML = generateXML;
+        };
+      };
+      vm-tails = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "tails";
+          disk = "/var/lib/vms/tails/tails-amd64-5.4.iso";
+          # disk = "/var/lib/vms/nixos/nixos-minimal.iso";
+          id = "https://tails.boum.org/install/index.en.html";
+          gpu = false;
+          mountHome = false;
+          memory = 16;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = false;
+          generateXML = generateTailsXML;
+        };
+      };
+    };
+  };
+}
--- a/hosts/chocolatebar/virtualisation/guest-xml.nix
+++ b/hosts/chocolatebar/virtualisation/guest-xml.nix
@ -0,0 +1,263 @@
+{
+  config,
+  pkgs,
+  lib,
+  vm,
+  varsFile,
+  ...
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  home = config.home-manager.users."${psCfg.user.name}".home;
+in ''
+  <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+    <name>${vm.name}</name>
+    <uuid>UUID</uuid>
+    <metadata>
+      <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+        <libosinfo:os id="${vm.id}"/>
+      </libosinfo:libosinfo>
+    </metadata>
+    <memory unit='GB'>${toString vm.memory}</memory>
+    <currentMemory unit='GB'>${toString vm.memory}</currentMemory>
+    <vcpu placement='static'>12</vcpu>
+    <cputune>
+      <vcpupin vcpu='0' cpuset='6'/>
+      <vcpupin vcpu='1' cpuset='7'/>
+      <vcpupin vcpu='2' cpuset='8'/>
+      <vcpupin vcpu='3' cpuset='9'/>
+      <vcpupin vcpu='4' cpuset='10'/>
+      <vcpupin vcpu='5' cpuset='11'/>
+      <vcpupin vcpu='6' cpuset='18'/>
+      <vcpupin vcpu='7' cpuset='19'/>
+      <vcpupin vcpu='8' cpuset='20'/>
+      <vcpupin vcpu='9' cpuset='21'/>
+      <vcpupin vcpu='10' cpuset='22'/>
+      <vcpupin vcpu='11' cpuset='23'/>
+    </cputune>
+    <resource>
+      <partition>/machine</partition>
+    </resource>
+    <os>
+      <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
+      <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
+      <nvram>${varsFile}</nvram>
+      <boot dev='hd'/>
+    </os>
+    <features>
+      <acpi/>
+      <apic/>
+      <hyperv>
+        <relaxed state='on'/>
+        <vapic state='on'/>
+        <spinlocks state='on' retries='8191'/>
+        <vendor_id state='on' value='wahtever'/>
+      </hyperv>
+      <kvm>
+        <hidden state='on'/>
+      </kvm>
+      <vmport state='off'/>
+    </features>
+    <cpu mode='custom' match='exact' check='full'>
+      <model fallback='forbid'>EPYC-IBPB</model>
+      <vendor>AMD</vendor>
+      <topology sockets='1' dies='1' cores='6' threads='2'/>
+      <feature policy='require' name='x2apic'/>
+      <feature policy='require' name='tsc-deadline'/>
+      <feature policy='require' name='hypervisor'/>
+      <feature policy='require' name='tsc_adjust'/>
+      <feature policy='require' name='clwb'/>
+      <feature policy='require' name='umip'/>
+      <feature policy='require' name='stibp'/>
+      <feature policy='require' name='arch-capabilities'/>
+      <feature policy='require' name='ssbd'/>
+      <!--feature policy='require' name='xsaves'/-->
+      <feature policy='require' name='cmp_legacy'/>
+      <feature policy='require' name='perfctr_core'/>
+      <feature policy='require' name='clzero'/>
+      <feature policy='require' name='wbnoinvd'/>
+      <feature policy='require' name='amd-ssbd'/>
+      <feature policy='require' name='virt-ssbd'/>
+      <feature policy='require' name='rdctl-no'/>
+      <feature policy='require' name='skip-l1dfl-vmentry'/>
+      <feature policy='require' name='mds-no'/>
+      <feature policy='require' name='pschange-mc-no'/>
+      <feature policy='disable' name='monitor'/>
+      <feature policy='disable' name='svm'/>
+      <feature policy='require' name='topoext'/>
+    </cpu>
+    <clock offset='utc'>
+      <timer name='rtc' tickpolicy='catchup'/>
+      <timer name='pit' tickpolicy='delay'/>
+      <timer name='hpet' present='no'/>
+    </clock>
+    <on_poweroff>destroy</on_poweroff>
+    <on_reboot>restart</on_reboot>
+    <on_crash>destroy</on_crash>
+    <pm>
+      <suspend-to-mem enabled='no'/>
+      <suspend-to-disk enabled='no'/>
+    </pm>
+    <devices>
+      <emulator>${pkgs.qemu}/bin/qemu-system-x86_64</emulator>
+      <disk type='block' device='disk'>
+        <driver name='qemu' type='raw' cache='none' discard='unmap' />
+        <source dev='${vm.disk}'/>
+        <backingStore/>
+        <target dev='vdb' bus='virtio'/>
+        <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+      </disk>
+      <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+        <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+      </controller>
+      <controller type='sata' index='0'>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+      </controller>
+      <controller type='pci' index='0' model='pcie-root'/>
+      <controller type='pci' index='1' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='1' port='0x10'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+      </controller>
+      <controller type='pci' index='2' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='2' port='0x11'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+      </controller>
+      <controller type='pci' index='3' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='3' port='0x12'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+      </controller>
+      <controller type='pci' index='4' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='4' port='0x13'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+      </controller>
+      <controller type='pci' index='5' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='5' port='0x14'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+      </controller>
+      <controller type='pci' index='6' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='6' port='0x15'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+      </controller>
+      <controller type='pci' index='7' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='7' port='0x16'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
+      </controller>
+      <controller type='pci' index='8' model='pcie-to-pci-bridge'>
+        <model name='pcie-pci-bridge'/>
+        <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+      </controller>
+      <controller type='pci' index='9' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='9' port='0x17'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
+      </controller>
+      <controller type='virtio-serial' index='0'>
+        <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+      </controller>
+      ${
+    if vm.mountHome
+    then ''
+      <filesystem type='mount' accessmode='mapped'>
+        <source dir='/home/${psCfg.user.name}'/>
+        <target dir='/media/home'/>
+        <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
+      </filesystem>
+    ''
+    else ""
+  }
+      <interface type='network'>
+        <mac address='52:54:00:44:cd:ac'/>
+        <source network='default'/>
+        <model type='virtio'/>
+        <address type='pci' domain='0x0000' bus='0x08' slot='0x01' function='0x0'/>
+      </interface>
+      <console type='pty'>
+        <target type='serial' port='0'/>
+      </console>
+      <input type='tablet' bus='usb'>
+        <address type='usb' bus='0' port='1'/>
+      </input>
+      <input type='mouse' bus='virtio'/>
+      <input type='keyboard' bus='virtio'/>
+      <graphics type='spice' autoport='yes' listen='127.0.0.1'>
+        <listen type='address' address='127.0.0.1'/>
+        <image compression='off'/>
+      </graphics>
+      <video>
+        <model type='cirrus' vram='16384' heads='1' primary='yes'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+      </video>
+      ${
+    if vm.handOverUSBDevices
+    then ''
+      <hostdev mode='subsystem' type='usb' managed='yes'>
+        <source>
+          <vendor id='0x046d'/>
+          <product id='0xc328'/>
+          <address bus='1' device='1'/>
+        </source>
+        <address type='usb' bus='0' port='4'/>
+      </hostdev>
+      <hostdev mode='subsystem' type='usb' managed='yes'>
+        <source>
+          <vendor id='0x046d'/>
+          <product id='0xc52b'/>
+          <address bus='1' device='1'/>
+        </source>
+        <address type='usb' bus='0' port='5'/>
+      </hostdev>
+    ''
+    else ""
+  }
+      ${
+    if vm.gpu && vm.isolateGPU != null
+    then ''
+      <hostdev mode='subsystem' type='pci' managed='yes'>
+        <driver name='vfio'/>
+        <source>
+          <address domain='0x0000' bus='0x0b' slot='0x00' function='0x0'/>
+        </source>
+        <rom bar='on' file='/etc/nixos/hosts/chocolatebar/virtualisation/${vm.isolateGPU}.rom'/>
+        <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0' multifunction='on'/>
+      </hostdev>
+      <hostdev mode='subsystem' type='pci' managed='yes'>
+        <driver name='vfio'/>
+        <source>
+          <address domain='0x0000' bus='0x0b' slot='0x00' function='0x1'/>
+        </source>
+        <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x1'/>
+      </hostdev>
+    ''
+    else ""
+  }
+      <redirdev bus='usb' type='spicevmc'>
+        <address type='usb' bus='0' port='2'/>
+      </redirdev>
+      <redirdev bus='usb' type='spicevmc'>
+        <address type='usb' bus='0' port='3'/>
+      </redirdev>
+      <memballoon model='virtio'>
+        <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+      </memballoon>
+      <shmem name='looking-glass'>
+        <model type='ivshmem-plain'/>
+        <size unit='M'>32</size>
+      </shmem>
+    </devices>
+    <qemu:commandline>
+      <qemu:arg value='-device'/>
+      <qemu:arg value='ich9-intel-hda,bus=pcie.0,addr=0x1b'/>
+      <qemu:arg value='-device'/>
+      <qemu:arg value='hda-micro,audiodev=hda'/>
+      <qemu:arg value='-audiodev'/>
+      <qemu:arg value='pa,id=hda,server=unix:/run/user/1003/pulse/native'/>
+    </qemu:commandline>
+  </domain>
+''
--- a/hosts/chocolatebar/virtualisation/network-xml.nix
+++ b/hosts/chocolatebar/virtualisation/network-xml.nix
@ -0,0 +1,23 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: ''
+  <network>
+    <name>default</name>
+    <uuid>UUID</uuid>
+    <forward mode='nat'>
+      <nat>
+        <port start='1024' end='65535'/>
+      </nat>
+    </forward>
+    <bridge name='virbr0' stp='on' delay='0'/>
+    <mac address='52:54:00:bd:a0:73'/>
+    <ip address='192.168.122.1' netmask='255.255.255.0'>
+      <dhcp>
+        <range start='192.168.122.2' end='192.168.122.254'/>
+      </dhcp>
+    </ip>
+  </network>
+''
--- a/hosts/chocolatebar/virtualisation/rx550x.rom
+++ b/hosts/chocolatebar/virtualisation/rx550x.rom
--- a/hosts/chocolatebar/virtualisation/rx5700xt.rom
+++ b/hosts/chocolatebar/virtualisation/rx5700xt.rom
--- a/hosts/chocolatebar/virtualisation/tails-xml.nix
+++ b/hosts/chocolatebar/virtualisation/tails-xml.nix
@ -0,0 +1,188 @@
+{
+  config,
+  pkgs,
+  lib,
+  vm,
+  varsFile,
+  ...
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  home = config.home-manager.users."${psCfg.user.name}".home;
+in ''
+    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+      <name>${vm.name}</name>
+      <uuid>UUID</uuid>
+      <metadata>
+        <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+          <libosinfo:os id="${vm.id}"/>
+        </libosinfo:libosinfo>
+      </metadata>
+      <memory unit='GB'>${toString vm.memory}</memory>
+      <currentMemory unit='GB'>${toString vm.memory}</currentMemory>
+    <vcpu placement="static">8</vcpu>
+    <os>
+      <type arch="x86_64" machine="pc-q35-7.0">hvm</type>
+      <boot dev="cdrom"/>
+    </os>
+    <features>
+      <acpi/>
+      <apic/>
+      <vmport state="off"/>
+    </features>
+    <cpu mode="host-passthrough" check="none" migratable="on"/>
+    <clock offset="utc">
+      <timer name="rtc" tickpolicy="catchup"/>
+      <timer name="pit" tickpolicy="delay"/>
+      <timer name="hpet" present="no"/>
+    </clock>
+    <on_poweroff>destroy</on_poweroff>
+    <on_reboot>restart</on_reboot>
+    <on_crash>destroy</on_crash>
+    <pm>
+      <suspend-to-mem enabled="no"/>
+      <suspend-to-disk enabled="no"/>
+    </pm>
+    <devices>
+      <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
+      <disk type="file" device="cdrom">
+        <driver name="qemu" type="raw"/>
+        <source file="${vm.disk}"/>
+        <target dev="sda" bus="sata"/>
+        <readonly/>
+        <address type="drive" controller="0" bus="0" target="0" unit="0"/>
+      </disk>
+      <controller type="usb" index="0" model="qemu-xhci" ports="15">
+        <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
+      </controller>
+      <controller type="pci" index="0" model="pcie-root"/>
+      <controller type="pci" index="1" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="1" port="0x10"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
+      </controller>
+      <controller type="pci" index="2" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="2" port="0x11"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
+      </controller>
+      <controller type="pci" index="3" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="3" port="0x12"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
+      </controller>
+      <controller type="pci" index="4" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="4" port="0x13"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/>
+      </controller>
+      <controller type="pci" index="5" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="5" port="0x14"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x4"/>
+      </controller>
+      <controller type="pci" index="6" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="6" port="0x15"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x5"/>
+      </controller>
+      <controller type="pci" index="7" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="7" port="0x16"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x6"/>
+      </controller>
+      <controller type="pci" index="8" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="8" port="0x17"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x7"/>
+      </controller>
+      <controller type="pci" index="9" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="9" port="0x18"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0" multifunction="on"/>
+      </controller>
+      <controller type="pci" index="10" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="10" port="0x19"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x1"/>
+      </controller>
+      <controller type="pci" index="11" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="11" port="0x1a"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x2"/>
+      </controller>
+      <controller type="pci" index="12" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="12" port="0x1b"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x3"/>
+      </controller>
+      <controller type="pci" index="13" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="13" port="0x1c"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x4"/>
+      </controller>
+      <controller type="pci" index="14" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="14" port="0x1d"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x5"/>
+      </controller>
+      <controller type="sata" index="0">
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/>
+      </controller>
+      <controller type="virtio-serial" index="0">
+        <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
+      </controller>
+      <interface type="network">
+        <mac address="52:54:00:58:5e:36"/>
+        <source network="default"/>
+        <model type="virtio"/>
+        <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
+      </interface>
+      <serial type="pty">
+        <target type="isa-serial" port="0">
+          <model name="isa-serial"/>
+        </target>
+      </serial>
+      <console type="pty">
+        <target type="serial" port="0"/>
+      </console>
+      <channel type="unix">
+        <target type="virtio" name="org.qemu.guest_agent.0"/>
+        <address type="virtio-serial" controller="0" bus="0" port="1"/>
+      </channel>
+      <channel type="spicevmc">
+        <target type="virtio" name="com.redhat.spice.0"/>
+        <address type="virtio-serial" controller="0" bus="0" port="2"/>
+      </channel>
+      <input type="tablet" bus="usb">
+        <address type="usb" bus="0" port="1"/>
+      </input>
+      <input type="mouse" bus="ps2"/>
+      <input type="keyboard" bus="ps2"/>
+      <graphics type="spice" autoport="yes">
+        <listen type="address"/>
+        <image compression="off"/>
+      </graphics>
+      <sound model="ich9">
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x1b" function="0x0"/>
+      </sound>
+      <audio id="1" type="spice"/>
+      <video>
+        <model type="qxl" ram="65536" vram="65536" vgamem="16384" heads="1" primary="yes"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/>
+      </video>
+      <redirdev bus="usb" type="spicevmc">
+        <address type="usb" bus="0" port="2"/>
+      </redirdev>
+      <redirdev bus="usb" type="spicevmc">
+        <address type="usb" bus="0" port="3"/>
+      </redirdev>
+      <memballoon model="virtio">
+        <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
+      </memballoon>
+      <rng model="virtio">
+        <backend model="random">/dev/urandom</backend>
+        <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
+      </rng>
+    </devices>
+  </domain>''
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -0,0 +1,43 @@
+{ withSystem, self, inputs, ...}:
+{
+  flake = {
+    nixosConfigurations = {
+      biolimo = self.nixos-flake.lib.mkLinuxSystem {
+        nixpkgs.hostPlatform = "x86_64-linux";
+        imports = [
+          self.nixosModules.base
+          ./biolimo
+          self.nixosModules.b12f
+        ];
+      };
+
+      chocolatebar = self.nixos-flake.lib.mkLinuxSystem {
+        nixpkgs.hostPlatform = "x86_64-linux";
+        imports = [
+          self.nixosModules.base
+          ./chocolatebar
+          self.nixosModules.b12f
+        ];
+      };
+
+      pie = self.nixos-flake.lib.mkLinuxSystem {
+        nixpkgs.hostPlatform = "aarch64-linux";
+        imports = [
+          self.nixosModules.base
+          inputs.nixos-hardware.nixosModules.raspberry-pi-4
+          ./pie
+          self.nixosModules.yule
+        ];
+      };
+
+      # maoam = self.nixos-flake.lib.mkLinuxSystem {
+      #   nixpkgs.hostPlatform = "aarch64-linux";
+      #   imports = [
+      #     self.nixosModules.base
+      #     ./maoam
+      #     self.nixosModules.yule
+      #   ];
+      # };
+    };
+  };
+}
--- a/hosts/droppie/configuration.nix
+++ b/hosts/droppie/configuration.nix
@ -0,0 +1,68 @@
+{
+  config,
+  pkgs,
+  lib,
+  flake,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    device = "nodev";
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  pub-solar.core.disk-encryption-active = false;
+  pub-solar.core.lite = true;
+
+  security.sudo.extraRules = [
+    {
+      users = ["${psCfg.user.name}"];
+      commands = [
+        {
+          command = "ALL";
+          options = ["NOPASSWD"];
+        }
+      ];
+    }
+  ];
+
+  services.ddclient = {
+    enable = false;
+    ipv6 = true;
+    domains = ["backup.b12f.io"];
+    server = "ddns.hosting.de";
+    username = "b12f";
+    use = "web, web=https://ipcheck-ds.wieistmeineip.de/callback/, web-skip='ip\":\"'";
+    passwordFile = "/run/agenix/dyndns-droppie.key";
+  };
+
+  age.secrets."dyndns-droppie.key" = {
+    file = "${flake.self}/secrets/dyndns-droppie.key";
+    mode = "400";
+    owner = "root";
+  };
+
+  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
+  age.secrets."droppie-ssh-root.key" = {
+    file = "${flake.self}/secrets/droppie-ssh-root.key";
+    path = "/home/${psCfg.user.name}/.ssh/id_ed25519";
+    mode = "400";
+    owner = psCfg.user.name;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+}
--- a/hosts/droppie/default.nix
+++ b/hosts/droppie/default.nix
@ -0,0 +1,9 @@
+{...}: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+
+    ./nextcloud-web-tunnel.nix
+    ./restic-backup.nix
+  ];
+}
--- a/hosts/droppie/hardware-configuration.nix
+++ b/hosts/droppie/hardware-configuration.nix
@ -0,0 +1,47 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ahci" "usbhid" "uas"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/1dca9d02-555c-4b23-9450-8f3413fa7694";
+    fsType = "xfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/A24C-F252";
+    fsType = "vfat";
+  };
+
+  fileSystems."/media/internal" = {
+    device = "/dev/disk/by-uuid/5cf314a8-82f4-4037-a724-62d2ff226cff";
+    fsType = "ext4";
+  };
+
+  swapDevices = [{device = "/dev/disk/by-uuid/0203b641-280f-4a3d-971d-fd32a666c852";}];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+  networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/droppie/nextcloud-web-tunnel.nix
+++ b/hosts/droppie/nextcloud-web-tunnel.nix
@ -0,0 +1,29 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  config = {
+    services.openssh.knownHosts = {
+      "cloud.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABPJSwr9DfnqV0KoL23BcxlWtRxuOqQpnFnCv4SG/LW";
+    };
+
+    systemd.services.ssh-tunnel-cloud-pub-solar = {
+      unitConfig = {
+        Description = "Reverse SSH connection to enable backups from IPv4-only to IPv6-only host";
+        After = ["network.target"];
+      };
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 root@cloud.pub.solar";
+        User = psCfg.user.name;
+        Group = "users";
+        Restart = "always";
+        RestartSec = "5s";
+      };
+      wantedBy = ["default.target"];
+    };
+  };
+}
--- a/hosts/droppie/restic-backup.nix
+++ b/hosts/droppie/restic-backup.nix
@ -0,0 +1,50 @@
+{pkgs, ...}: let
+  shutdownWaitMinutes = 15;
+  shutdownScript = pkgs.writeShellScriptBin "shutdown-wait" ''
+    STATUS_FILES="/media/internal/backups-pub-solar/status"
+
+    running=""
+
+    for f in $STATUS_FILES; do
+      declare started
+      declare finished
+
+      started=$(source $f ; echo ''${BACKUP_STARTED})
+      finished=$(source $f ; echo ''${BACKUP_FINISHED})
+
+      if [ -z "''${finished}" ]; then
+        echo "backup $(dirname $f) still running"
+        running="yes"
+        break
+      fi
+    done
+
+    if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then
+      echo "backups are still running"
+      exit 1
+    fi
+
+    echo "WARNING: System will be shut down within the next 15 minutes" | wall
+
+    sleep 10
+
+    shutdown -P +${builtins.toString shutdownWaitMinutes}
+  '';
+in {
+  systemd.services."shutdown-after-backup" = {
+    enable = true;
+    serviceConfig = {
+      ExecStart = "${shutdownScript}/bin/shutdown-wait";
+      Type = "oneshot";
+    };
+  };
+
+  systemd.timers."shutdown-after-backup" = {
+    enable = true;
+    timerConfig = {
+      OnCalendar = "*-*-* 03..09:30:00 Etc/UTC";
+    };
+    wantedBy = ["timers.target"];
+    partOf = ["shutdown-after-backup.service"];
+  };
+}
--- a/hosts/maoam/configuration.nix
+++ b/hosts/maoam/configuration.nix
@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # Use Network Manager
+  networking.wireless.enable = false;
+  networking.networkmanager.enable = true;
+
+  # Use PulseAudio
+  hardware.pulseaudio.enable = true;
+
+  # Enable Bluetooth
+  hardware.bluetooth.enable = true;
+
+  # Bluetooth audio
+  hardware.pulseaudio.package = pkgs.pulseaudioFull;
+
+  # Enable power management options
+  powerManagement.enable = true;
+
+  # It's recommended to keep enabled on these constrained devices
+  zramSwap.enable = true;
+
+  # Auto-login for phosh
+  services.xserver.desktopManager.phosh = {
+    user = "b12f";
+  };
+
+  mobile.boot.stage-1.firmware = [
+    config.mobile.device.firmware
+  ];
+
+  services.openssh.enable = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
--- a/hosts/maoam/default.nix
+++ b/hosts/maoam/default.nix
@ -0,0 +1,8 @@
+{ flake, pkgs, ... }: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+    ((import "${flake.inputs.mobile-nixos}/lib/configuration.nix") { device = "pine64-pinephone"; })
+    "${flake.inputs.mobile-nixos}/examples/phosh/phosh.nix"
+  ];
+}
--- a/hosts/maoam/hardware-configuration.nix
+++ b/hosts/maoam/hardware-configuration.nix
@ -0,0 +1,18 @@
+# NOTE: this file was generated by the Mobile NixOS installer.
+{ config, lib, pkgs, ... }:
+{
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/51a668b8-fa2e-4d3e-ac3f-73ca002d0004";
+      fsType = "ext4";
+    };
+  };
+
+  boot.initrd.luks.devices = {
+    "LUKS-MAOAM-ROOTFS" = {
+      device = "/dev/disk/by-uuid/5dd0cc1e-abfa-4192-94da-ac43622116fb";
+    };
+  };
+
+  nix.settings.max-jobs = lib.mkDefault 2;
+}
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@ -0,0 +1,63 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.timeout = 5;
+
+  boot.loader.efi.canTouchEfiVariables = false;
+  boot.loader.systemd-boot.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = false;
+
+  boot.supportedFilesystems = [ "zfs" ];
+  networking.hostId = "34234773";
+
+  boot.kernelPackages = pkgs.linuxPackages_6_1;
+
+  pub-solar.core.disk-encryption-active = false;
+  pub-solar.core.lite = true;
+
+  networking.defaultGateway = {
+    address = "192.168.178.1";
+    interface = "enabcm6e4ei0";
+  };
+
+  networking.interfaces.enabcm6e4ei0.ipv4.addresses = [
+    {
+      address = "192.168.178.2";
+      prefixLength = 24;
+    }
+  ];
+
+  security.sudo.extraRules = [
+    {
+      users = ["${psCfg.user.name}"];
+      commands = [
+        {
+          command = "ALL";
+          options = ["NOPASSWD"];
+        }
+      ];
+    }
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@ -0,0 +1,10 @@
+{...}: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+
+    ./unbound.nix
+    ./dhcpd.nix
+    ./wake-droppie.nix
+  ];
+}
--- a/hosts/pie/dhcpd.nix
+++ b/hosts/pie/dhcpd.nix
@ -0,0 +1,84 @@
+{ pkgs, adblock-unbound, ... }:
+{
+  networking.firewall.allowedUDPPorts = [ 67 ];
+
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      interfaces-config = {
+        dhcp-socket-type = "raw";
+        interfaces = [
+          "enabcm6e4ei0"
+          "wlan0"
+        ];
+      };
+
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
+      };
+
+      rebind-timer = 2000;
+      renew-timer = 1000;
+      valid-lifetime = 4000;
+
+      subnet4 = [
+        {
+          subnet = "192.168.178.0/24";
+          pools = [
+            { pool = "192.168.178.2 - 192.168.178.255"; }
+          ];
+
+          option-data = [
+            {
+              name = "domain-name-servers";
+              space = "dhcp4";
+              csv-format = true;
+              data = "192.168.178.2";
+              always-send = true;
+            }
+            {
+              name = "routers";
+              data = "192.168.178.1";
+              always-send = true;
+            }
+          ];
+
+          reservations = [
+            {
+              hostname = "droppie.local";
+              hw-address = "08:f1:ea:97:0f:0c";
+              ip-address = "192.168.178.3";
+            }
+            {
+              hostname = "pie.local";
+              hw-address = "dc:a6:32:5c:31:64";
+              ip-address = "192.168.178.2";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  services.kea.dhcp6 = {
+    enable = true;
+    settings = {
+      interfaces-config = {
+        dhcp-socket-type = "raw";
+        interfaces = [
+          "enabcm6e4ei0"
+          "wlan0"
+        ];
+      };
+      lease-database = {
+        name = "/var/lib/kea/dhcp6.leases";
+        persist = true;
+        type = "memfile";
+      };
+      rebind-timer = 2000;
+      renew-timer = 1000;
+    };
+  };
+}
--- a/hosts/pie/hardware-configuration.nix
+++ b/hosts/pie/hardware-configuration.nix
@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "uas" "usb_storage" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "zroot/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/DA7C-BE8B";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/8ce4ae9c-2db0-41b0-8468-91bb184707d1"; }
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@ -0,0 +1,38 @@
+{ pkgs, lib, ... }: {
+  networking.firewall.allowedUDPPorts = [ 53 ];
+  networking.firewall.allowedTCPPorts = [ 53 ];
+
+  services.unbound = {
+    enable = true;
+    settings = {
+      server = {
+        include = [
+          "\"${pkgs.adlist.unbound-adblockStevenBlack}\""
+        ];
+        interface = [ "0.0.0.0" ];
+        access-control = [ "192.168.178.0/24 allow" ];
+        local-zone = [
+          "\"b12f.io\" static"
+          "\"local\" static"
+          "\"box\" static"
+        ];
+        local-data = [
+          "\"backup.b12f.io. 10800 IN A 192.168.178.3\""
+          "\"pie.local. 10800 IN A 192.168.178.2\""
+          "\"fritz.box. 10800 IN A 192.168.178.1\""
+        ];
+      };
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "9.9.9.9@53#quad9"
+            "2620:fe::fe@53#quad9"
+          ];
+          forward-tls-upstream = "no";
+        }
+      ];
+    };
+  };
+
+}
--- a/hosts/pie/wake-droppie.nix
+++ b/hosts/pie/wake-droppie.nix
@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  services.cron = {
+    enable = true;
+    systemCronJobs = [
+      "30 1 * * * root ${pkgs.wakeonlan}/bin/wakeonlan 08:f1:ea:97:0f:0c"
+    ];
+  };
+}
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,10 +1,16 @@
-{lib}:
-lib.makeExtensible (self: let
-  callLibs = file: import file {lib = self;};
-in rec {
+{ lib, inputs, ... }: {
+  # Configuration common to all Linux systems
+  flake = {
+    b12f-os.lib = let
+      callLibs = file: import file {inherit lib;};
+    in rec {
      ## Define your own library functions here!
      #id = x: x;
      ## Or in files, containing functions that take {lib}
      #foo = callLibs ./foo.nix;
      ## In configs, they can be used under "lib.our"
-})
+
+      deploy = import ./deploy.nix { inherit inputs lib; };
+    };
+  };
+}
--- a/lib/deploy.nix
+++ b/lib/deploy.nix
@ -0,0 +1,62 @@
+/*
+ * The contents of this file are adapted from digga
+ * https://github.com/divnix/digga
+ *
+ * Licensed under the MIT license
+ */
+
+{ lib, inputs }: let
+  getFqdn = c: let
+    net = c.config.networking;
+    fqdn =
+      if (net ? domain) && (net.domain != null)
+      then "${net.hostName}.${net.domain}"
+      else net.hostName;
+  in
+    fqdn;
+in {
+  mkDeployNodes = systemConfigurations: extraConfig:
+  /*
+   *
+   Synopsis: mkNodes _systemConfigurations_ _extraConfig_
+
+   Generate the `nodes` attribute expected by deploy-rs
+   where _systemConfigurations_ are `nodes`.
+
+   _systemConfigurations_ should take the form of a flake's
+   _nixosConfigurations_. Note that deploy-rs does not currently support
+   deploying to darwin hosts.
+
+   _extraConfig_, if specified, will be merged into each of the
+   nodes' configurations.
+
+   Example _systemConfigurations_ input:
+
+   ```
+   {
+   hostname-1 = {
+   fastConnection = true;
+   sshOpts = [ "-p" "25" ];
+   };
+   hostname-2 = {
+   sshOpts = [ "-p" "19999" ];
+   sshUser = "root";
+   };
+   }
+   ```
+   *
+   */
+    lib.recursiveUpdate
+    (lib.mapAttrs
+      (
+        _: c: {
+          hostname = getFqdn c;
+          profiles.system = {
+            user = "root";
+            path = inputs.deploy-rs.lib.${c.pkgs.stdenv.hostPlatform.system}.activate.nixos c;
+          };
+        }
+      )
+      systemConfigurations)
+    extraConfig;
+}
--- a/modules/arduino/default.nix
+++ b/modules/arduino/default.nix
@ -6,7 +6,7 @@
 }:
 with lib; let
  psCfg = config.pub-solar;
-  cfg = config.pub-solar.devops;
+  cfg = config.pub-solar.arduino;
 in {
  options.pub-solar.arduino = {
    enable = mkEnableOption "Life with home automation";
--- a/modules/audio/default.nix
+++ b/modules/audio/default.nix
@ -66,33 +66,14 @@ in {

    # rtkit is optional but recommended
    security.rtkit.enable = true;
-    # Enable sound using pipewire-pulse, default config:
-    # https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire.conf.in
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
-    };
-
-    # Make pulseaudio listen on port 4713 for mopidy, extending the default
-    # config: https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire-pulse.conf.in
-    environment.etc = mkIf cfg.mopidy.enable {
-      "pipewire/pipewire-pulse.conf.d/99-custom.conf".text = ''
-        {
-          "context.modules": [
-            {
-              "name": "libpipewire-module-protocol-pulse",
-              "args": {
-                "server.address": ["unix:native", "tcp:4713"],
-                "vm.overrides": {
-                  "pulse.min.quantum": "1024/48000"
-                }
-              }
-            }
-          ]
-        }
-      '';
+      wireplumber.enable = true;
+      # If you want to use JACK applications, uncomment this
+      jack.enable = true;
    };

    # Enable bluetooth
@ -113,8 +94,38 @@ in {
      };
    };
    services.blueman.enable = mkIf cfg.bluetooth.enable true;
+    environment.etc."wireplumber/bluetooth.lua.d/51-bluez-config.lua" = mkIf cfg.bluetooth.enable {
+      text = ''
+        bluez_monitor.properties = {
+          ["bluez5.enable-sbc-xq"] = true,
+          ["bluez5.enable-msbc"] = true,
+          ["bluez5.enable-hw-volume"] = true,
+          ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+        }
+      '';
+    };

    # Enable audio server & client
    services.mopidy = mkIf cfg.mopidy.enable ((import ./mopidy.nix) pkgs);
+
+    # Make pulseaudio listen on port 4713 for mopidy, extending the default
+    # config: https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire-pulse.conf.in
+    environment.etc."pipewire/pipewire-pulse.conf.d/99-custom.conf" = mkIf cfg.mopidy.enable {
+      text = ''
+        {
+          "context.modules": [
+            {
+              "name": "libpipewire-module-protocol-pulse",
+              "args": {
+                "server.address": ["unix:native", "tcp:4713"],
+                "vm.overrides": {
+                  "pulse.min.quantum": "1024/48000"
+                }
+              }
+            }
+          ]
+        }
+      '';
      };
-}
+    };
+  }
--- a/modules/audio/mopidy.nix
+++ b/modules/audio/mopidy.nix
@ -5,7 +5,7 @@ pkgs: {
    mopidy-soundcloud
    mopidy-youtube
    mopidy-local
-    mopidy-jellyfin
+    # mopidy-jellyfin
  ];

  configuration = ''
--- a/profiles/base-user/.config/mimeapps.list
+++ b/profiles/base-user/.config/mimeapps.list
--- a/modules/ci-runner/default.nix
+++ b/modules/ci-runner/default.nix
@ -2,7 +2,7 @@
  lib,
  config,
  pkgs,
-  self,
+  flake,
  ...
 }:
 with lib; let
@ -37,7 +37,7 @@ in {
    };

    age.secrets."drone-runner-exec-config" = {
-      file = "${self}/secrets/drone-runner-exec-config";
+      file = "${flake.self}/secrets/drone-runner-exec-config";
      mode = "700";
      owner = psCfg.user.name;
    };
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -12,7 +12,6 @@ in {
    ./fonts.nix
    ./i18n.nix
    ./networking.nix
-    ./nix.nix
    ./packages.nix
    ./services.nix
  ];
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -46,22 +46,26 @@ in {
    nix.settings.trusted-public-keys = cfg.publicKeys;

    # These entries get added to /etc/hosts
-    networking.hosts = {
-      "127.0.0.1" =
+    networking.hosts = let
+      hostnames =
        []
        ++ lib.optionals cfg.enableCaddy ["caddy.local"]
        ++ lib.optionals config.pub-solar.printing.enable ["cups.local"]
+        ++ lib.optionals config.pub-solar.paperless.enable ["paperless.local"]
        ++ lib.optionals cfg.enableHelp ["help.local"];
+    in {
+      "127.0.0.1" = hostnames;
+      "::1" = hostnames;
    };

    # Caddy reverse proxy for local services like cups
    services.caddy = {
-      enable = lib.mkDefault cfg.enableCaddy;
-      globalConfig = lib.mkDefault ''
+      enable = cfg.enableCaddy;
+      globalConfig = ''
        default_bind 127.0.0.1
        auto_https off
      '';
-      extraConfig = lib.mkDefault (concatStringsSep "\n" [
+      extraConfig = (concatStringsSep "\n" [
        (lib.optionalString
          config.pub-solar.printing.enable
          ''
@ -71,6 +75,15 @@ in {
            }
          '')

+        (lib.optionalString
+          config.pub-solar.paperless.enable
+          ''
+            paperless.local:80 {
+              request_header Host localhost:${builtins.toString config.services.paperless.port}
+              reverse_proxy localhost:${builtins.toString config.services.paperless.port}
+            }
+          '')
+
        (lib.optionalString
          cfg.enableHelp
          ''
--- a/modules/default.nix
+++ b/modules/default.nix
@ -0,0 +1,97 @@
+{
+  self,
+  inputs,
+  ...
+}: {
+  # Configuration common to all Linux systems
+  flake = {
+    nixosModules = rec {
+      arduino = import ./arduino;
+      audio = import ./audio;
+      ci-runner = import ./ci-runner;
+      core = import ./core;
+      crypto = import ./crypto;
+      devops = import ./devops;
+      docker = import ./docker;
+      docker-ci-runner = import ./docker-ci-runner;
+      email = import ./email;
+      gaming = import ./gaming;
+      graphical = import ./graphical;
+      mobile = import ./mobile;
+      nix = import ./nix;
+      nextcloud = import ./nextcloud;
+      office = import ./office;
+      paperless = import ./paperless;
+      paranoia = import ./paranoia;
+      printing = import ./printing;
+      social = import ./social;
+      sway = import ./sway;
+      terminal-life = import ./terminal-life;
+      uhk = import ./uhk;
+      user = import ./user;
+      virtualisation = import ./virtualisation;
+
+      base.imports = [
+        self.nixosModules.home-manager
+        inputs.agenix.nixosModules.default
+        inputs.musnix.nixosModules.musnix
+
+        ({
+          flake,
+          pkgs,
+          lib,
+          unstable,
+          master,
+          ...
+        }: {
+          nixpkgs.overlays = (import ../overlays) ++ [
+            (prev: next: {
+              scan2paperless = inputs.scan2paperless.legacyPackages.${prev.system}.scan2paperless;
+              nixd = inputs.unstable.legacyPackages.${prev.system}.nixd;
+
+              factorio-headless = inputs.master.legacyPackages.${prev.system}.factorio-headless;
+              paperless-ngx = inputs.master.legacyPackages.${prev.system}.paperless-ngx;
+              waybar = inputs.master.legacyPackages.${prev.system}.waybar;
+              element-desktop = inputs.master.legacyPackages.${prev.system}.element-desktop;
+
+              adlist = inputs.adblock-unbound.packages.${prev.system};
+            })
+          ];
+
+          nix.nixPath = [
+            "nixpkgs=${inputs.nixpkgs}"
+            "nixos-config=${./lib/compat/nixos}"
+            "home-manager=${inputs.home-manager}"
+          ];
+        })
+
+        self.nixosModules.arduino
+        self.nixosModules.audio
+        self.nixosModules.ci-runner
+        self.nixosModules.core
+        self.nixosModules.crypto
+        self.nixosModules.devops
+        self.nixosModules.docker
+        self.nixosModules.docker-ci-runner
+        self.nixosModules.email
+        self.nixosModules.gaming
+        self.nixosModules.graphical
+        self.nixosModules.mobile
+        self.nixosModules.nix
+        self.nixosModules.nextcloud
+        self.nixosModules.office
+        self.nixosModules.paperless
+        self.nixosModules.paranoia
+        self.nixosModules.printing
+        self.nixosModules.social
+        self.nixosModules.sway
+        self.nixosModules.terminal-life
+        self.nixosModules.uhk
+        self.nixosModules.user
+        self.nixosModules.virtualisation
+
+        self.nixosModules.root
+      ];
+    };
+  };
+}
--- a/modules/devops/default.nix
+++ b/modules/devops/default.nix
@ -16,6 +16,7 @@ in {
    home-manager = with pkgs;
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
        home.packages = [
+          croc
          drone-cli
          nmap
          pgcli
@ -24,6 +25,7 @@ in {
          restic
          shellcheck
          terraform
+          tea
        ];
      };
  };
--- a/modules/docker-ci-runner/default.nix
+++ b/modules/docker-ci-runner/default.nix
@ -2,7 +2,6 @@
  lib,
  config,
  pkgs,
-  self,
  ...
 }:
 with lib; let
--- a/modules/gaming/default.nix
+++ b/modules/gaming/default.nix
@ -18,9 +18,8 @@ in {
      steam = pkgs.steam.override {};
    };

-    home-manager = with pkgs;
-      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
-        home.packages = [
+    home-manager.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
+      home.packages = with pkgs; [
        playonlinux
        godot
        obs-studio
--- a/modules/mobile/default.nix
+++ b/modules/mobile/default.nix
@ -0,0 +1,23 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.mobile;
+in {
+  options.pub-solar.mobile = {
+    enable = mkEnableOption "Add android adb and tooling";
+  };
+
+  config = mkIf cfg.enable {
+    programs.adb.enable = true;
+
+    users.users = with pkgs;
+      lib.setAttrByPath [psCfg.user.name] {
+        extraGroups = ["adbusers"];
+      };
+  };
+}
--- a/modules/nix-path.nix
+++ b/modules/nix-path.nix
@ -1,11 +0,0 @@
-{
-  channel,
-  inputs,
-  ...
-}: {
-  nix.nixPath = [
-    "nixpkgs=${channel.input}"
-    "nixos-config=${../lib/compat/nixos}"
-    "home-manager=${inputs.home}"
-  ];
-}
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@ -2,7 +2,7 @@
  config,
  pkgs,
  lib,
-  inputs,
+  flake,
  ...
 }: {
  nix = {
@ -10,6 +10,7 @@
    package = pkgs.nix;
    gc.automatic = true;
    optimise.automatic = true;
+
    settings = {
      # Improve nix store disk usage
      auto-optimise-store = true;
@ -20,6 +21,7 @@
      # Allow only group wheel to connect to the nix daemon
      allowed-users = ["@wheel"];
    };
+
    # Generally useful nix option defaults
    extraOptions = lib.mkForce ''
      experimental-features = flakes nix-command
@ -28,5 +30,11 @@
      keep-derivations = true
      fallback = true
    '';
+
+    nixPath = [
+      "nixpkgs=${flake.inputs.nixpkgs}"
+      "nixos-config=${../../lib/compat/nixos}"
+      "home-manager=${flake.inputs.home-manager}"
+    ];
  };
 }
--- a/modules/paperless/default.nix
+++ b/modules/paperless/default.nix
@ -0,0 +1,146 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.paperless;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  options.pub-solar.paperless = {
+    enable = mkEnableOption "All you need to go paperless";
+    ocrLanguage = mkOption {
+      description = "OCR language";
+      type = types.str;
+      example = "eng+deu";
+      default = "eng";
+    };
+
+    dataDir = mkOption {
+      description = "Directory to save data in";
+      type = types.str;
+      example = "/home/pub_solar/Paperless";
+      default = "${xdg.dataHome}/Paperless";
+    };
+
+    consumptionDir = mkOption {
+      description = "Directory to be watched";
+      type = types.str;
+      example = "/var/lib/paperless/consume";
+      default = "/var/lib/paperless/consume";
+    };
+
+    sync = {
+      enable = mkEnableOption ''
+          You can use this option to sync several paperless instances, for example via nextcloud.
+          It will sync the media directory and database, automatically merging sqlite dbs via dump and import.
+          Logs, the classification model, and other files are left unsynced.
+        '';
+
+      masterNode = mkEnableOption "If this node is the master node, it will only export paperless data, otherwise it will only import";
+
+      directory = mkOption {
+        description = "Directory to sync with.";
+        type = types.str;
+        example = "/home/pub_solar/Nextcloud/Paperless";
+        default = "/home/${psCfg.user.name}/Nextcloud/Paperless";
+      };
+    };
+
+    scannerDefaultDevice = mkOption {
+      description = ''
+        The scanner device. To find this, use `scanimage -L`.
+
+        For example, your output might be the following:
+
+        ```
+        device `v4l:/dev/video3' is a Noname Logitech StreamCam virtual device
+        device `hp3900:libusb:005:002' is a Hewlett-Packard Scanjet G3010 flatbed scanner
+        ```
+
+        Here, the scannerDevice is `hp3900:libusb:005:002`.
+      '';
+      type = types.str;
+      example = "hp3900:libusb:005:002";
+      default = "";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.paperless = {
+      enable = true;
+      user = psCfg.user.name;
+      consumptionDir = cfg.consumptionDir;
+      dataDir = cfg.dataDir;
+      address = "paperless.local";
+      extraConfig = {
+        PAPERLESS_OCR_LANGUAGE = cfg.ocrLanguage;
+        PAPERLESS_ADMIN_USER = psCfg.user.name;
+        PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
+        PAPERLESS_URL = "http://paperless.local";
+      };
+    };
+
+    home-manager = pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
+      home.packages = with pkgs; [
+        scan2paperless
+        sane-backends
+        python310Packages.img2pdf
+      ];
+      home.sessionVariables = {
+        SCANNER_DEFAULT_DEVICE = cfg.scannerDefaultDevice;
+        SCANNER_OUTPUT_DIR = cfg.consumptionDir;
+      };
+      systemd.user.sessionVariables = {
+        SCANNER_DEFAULT_DEVICE = cfg.scannerDefaultDevice;
+        SCANNER_OUTPUT_DIR = cfg.consumptionDir;
+      };
+    };
+
+    systemd = let
+      copy-out = pkgs.writeShellScriptBin "copy-out" ''
+        ${pkgs.systemd}/bin/systemctl stop paperless-web.service paperless-task-queue.service paperless-scheduler.service paperless-consumer.service
+        cp -r ${cfg.dataDir}/media ${cfg.sync.directory}/
+        cp ${cfg.dataDir}/db.sqlite3 ${cfg.sync.directory}/db.sqlite3
+        cp ${cfg.dataDir}/celerybeat-schedule.db ${cfg.sync.directory}/celerybeat-schedule.db
+        cp ${cfg.dataDir}/classification_model.pickle ${cfg.sync.directory}/classification_model.pickle
+        cp ${cfg.dataDir}/src-version ${cfg.sync.directory}/src-version
+        chown -R ${psCfg.user.name}:users ${cfg.sync.directory}
+        ${pkgs.systemd}/bin/systemctl start paperless-web.service paperless-task-queue.service paperless-scheduler.service paperless-consumer.service
+      '';
+
+      copy-in = pkgs.writeShellScriptBin "copy-in" ''
+        ${pkgs.systemd}/bin/systemctl stop paperless-web.service paperless-task-queue.service paperless-scheduler.service paperless-consumer.service
+        cp -r ${cfg.sync.directory}/media ${cfg.dataDir}/
+        cp ${cfg.sync.directory}/db.sqlite3 ${cfg.dataDir}/db.sqlite3
+        cp ${cfg.sync.directory}/celerybeat-schedule.db ${cfg.dataDir}/celerybeat-schedule.db
+        cp ${cfg.sync.directory}/classification_model.pickle ${cfg.dataDir}/classification_model.pickle
+        cp ${cfg.sync.directory}/src-version ${cfg.dataDir}/src-version
+        ${pkgs.systemd}/bin/systemctl start paperless-web.service paperless-task-queue.service paperless-scheduler.service paperless-consumer.service
+      '';
+    in mkIf cfg.sync.enable {
+      services.nextcloud-paperless-autosync = {
+        unitConfig = {
+          Description = "Auto sync paperless to or from Nextcloud";
+          After = "network-online.target";
+        };
+        serviceConfig = {
+          Type = "simple";
+          ExecStart= if cfg.sync.masterNode then "${copy-out}/bin/copy-out" else "${copy-in}/bin/copy-in";
+          TimeoutStopSec = "180";
+          KillMode = "process";
+          KillSignal = "SIGINT";
+        };
+        wantedBy = ["multi-user.target"];
+      };
+
+      timers.nextcloud-paperless-autosync = {
+        unitConfig.Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 30 minutes";
+        timerConfig.OnUnitActiveSec = "30min";
+        wantedBy = ["multi-user.target" "timers.target"];
+      };
+    };
+  };
+}
--- a/modules/paranoia/default.nix
+++ b/modules/paranoia/default.nix
@ -23,12 +23,16 @@ in {
    pub-solar.core.hibernation.enable = true;
    services.logind.lidSwitch = "hibernate";

+    services.tor.settings = {
+      UseBridges = true;
+    };
+
    # The options below are directly taken from or inspired by
    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18

    # Don't set this if you need sftp
    services.openssh.allowSFTP = false;
-    services.openssh.openFirewall = false; # Lock yourself out
+    # services.openssh.openFirewall = false; # Lock yourself out

    # Limit the use of sudo to the group wheel
    security.sudo.execWheelOnly = true;
@ -40,7 +44,7 @@ in {
    # fileSystems."/".options = [ "noexec" ];

    services.openssh = {
-      kbdInteractiveAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
      extraConfig = ''
        AllowTcpForwarding yes
        X11Forwarding no
--- a/modules/printing/default.nix
+++ b/modules/printing/default.nix
@ -27,7 +27,7 @@ in {
    ];
    hardware.sane = {
      enable = true;
-      brscan4.enable = true;
+      extraBackends = [pkgs.hplipWithPlugin];
    };
  };
 }
--- a/modules/sway/config/config.d/custom-keybindings.conf
+++ b/modules/sway/config/config.d/custom-keybindings.conf
@ -33,3 +33,11 @@ bindsym $mod+Ctrl+r exec record-screen
 # Launcher
 set $menu exec alacritty --class launcher -e env TERMINAL_COMMAND="alacritty -e" sway-launcher
 bindsym $mod+Space exec $menu
+
+set $mode_vncclient In VNCClient mode. Press $mod+Num_Lock or $mod+Shift+Escape to return.
+bindsym $mod+Num_Lock mode "$mode_vncclient"
+bindsym $mod+Shift+Escape mode "$mode_vncclient"
+mode "$mode_vncclient" {
+    bindsym $mod+Num_Lock mode "default"
+    bindsym $mod+Shift+Escape mode "default"
+}
--- a/modules/sway/config/wayvnc/config.nix
+++ b/modules/sway/config/wayvnc/config.nix
@ -0,0 +1,11 @@
+{
+  psCfg,
+  pkgs,
+}: "
+address=0.0.0.0
+enable_auth=true
+username=${psCfg.user.name}
+password=testtest
+private_key_file=/run/agenix/vnc-key.pem
+certificate_file=/run/agenix/vnc-cert.pem
+"
--- a/modules/sway/default.nix
+++ b/modules/sway/default.nix
@ -16,6 +16,8 @@ in {
      description = "Choose sway's default terminal";
    };

+    vnc.enable = mkEnableOption "Enable vnc service";
+
    v4l2loopback.enable = mkOption {
      type = types.bool;
      default = true;
@ -96,6 +98,12 @@ in {
          systemd.user.services.waybar = import ./waybar.service.nix {inherit pkgs psCfg;};
          systemd.user.targets.sway-session = import ./sway-session.target.nix {inherit pkgs psCfg;};

+          systemd.user.services.wayvnc = mkIf psCfg.sway.vnc.enable (import ./wayvnc.service.nix pkgs);
+          xdg.configFile."wayvnc/config".text = import ./config/wayvnc/config.nix {
+            inherit psCfg;
+            inherit pkgs;
+          };
+
          xdg.configFile."sway/config".text = import ./config/config.nix {inherit config pkgs;};
          xdg.configFile."sway/config.d/colorscheme.conf".source = ./config/config.d/colorscheme.conf;
          xdg.configFile."sway/config.d/theme.conf".source = ./config/config.d/theme.conf;
--- a/modules/sway/wayvnc.service.nix
+++ b/modules/sway/wayvnc.service.nix
@ -0,0 +1,18 @@
+pkgs: {
+  Unit = {
+    Description = "A VNC server for wlroots based Wayland compositors ";
+    Documentation = "https://github.com/any1/wayvnc";
+    BindsTo = ["sway-session.target"];
+    After = ["graphical-session-pre.target" "network-online.target"];
+    Wants = ["graphical-session-pre.target" "network-online.target"];
+  };
+
+  Service = {
+    Type = "simple";
+    ExecStart = "${pkgs.wayvnc}/bin/wayvnc -r -p 0.0.0.0 5901";
+  };
+
+  Install = {
+    WantedBy = ["sway-session.target"];
+  };
+}
--- a/modules/terminal-life/bash/default.nix
+++ b/modules/terminal-life/bash/default.nix
@ -1,7 +1,6 @@
 {
  config,
  pkgs,
-  self,
  ...
 }: let
  psCfg = config.pub-solar;
@ -18,6 +17,8 @@ in {

  # Run when initializing an interactive shell
  initExtra = ''
+    # Use fzf's CTRL-R history widget
+    source ${pkgs.fzf}/share/fzf/key-bindings.bash
    # Show current directory at the top in Alacritty
    PROMPT_COMMAND='echo -e -n "\e]2;$(basename "$PWD" | sed "s/${psCfg.user.name}/~/")\e\\"'

@ -104,8 +105,6 @@ in {
    irssi = "irssi --config=$XDG_CONFIG_HOME/irssi/config --home=$XDG_DATA_HOME/irssi";
    drone = "DRONE_TOKEN=$(secret-tool lookup drone token) drone";
    no = "manix \"\" | grep '^# ' | sed 's/^# \(.*\) (.*/\1/;s/ (.*//;s/^# //' | fzf --preview=\"manix '{}'\" | xargs manix";
-    # fix nixos-option
-    nixos-option = "nixos-option -I nixpkgs=${self}/lib/compat";
    myip = "dig +short myip.opendns.com @208.67.222.222 2>&1";
    nnn = "nnn -d -e -H -r";
  };
--- a/modules/terminal-life/default.nix
+++ b/modules/terminal-life/default.nix
@ -2,7 +2,6 @@
  lib,
  config,
  pkgs,
-  self,
  ...
 }:
 with lib; let
@ -24,17 +23,6 @@ in {
  config = mkIf cfg.enable {
    programs.command-not-found.enable = false;

-    environment.systemPackages = with pkgs; [
-      screen
-    ];
-
-    # Starship is a fast and featureful shell prompt
-    # starship.toml has sane defaults that can be changed there
-    programs.starship = {
-      enable = true;
-      settings = import ./starship.toml.nix;
-    };
-
    home-manager = with pkgs;
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
        home.packages = [
@ -55,19 +43,29 @@ in {
              ];
          }))
          powerline
+          screen
          silver-searcher
          watson
        ];

+        # Starship is a fast and featureful shell prompt
+        # starship.toml has sane defaults that can be changed there
+        programs.starship = {
+          enable = true;
+          settings = import ./starship.toml.nix;
+        };
+
        programs.bash = import ./bash {
          inherit config;
          inherit pkgs;
-          inherit self;
+          inherit lib;
        };
+
        programs.fzf = import ./fzf {
          inherit config;
          inherit pkgs;
        };
+
        programs.neovim = import ./nvim {
          inherit config;
          inherit pkgs;
--- a/modules/terminal-life/fzf/default.nix
+++ b/modules/terminal-life/fzf/default.nix
@ -10,5 +10,8 @@
    "--color=fg:#d3d1d4,header:#7accd7,info:#e5c463,pointer:#ef9062"
    "--color=marker:#ef9062,fg+:#303030,prompt:#e5c463,hl+:#7accd7"
  ];
-  enableBashIntegration = true;
+  # Use ble.sh for completions, see
+  # modules/terminal-life/bash/default.nix -> bleopt complete_menu_style=desc
+  # and https://github.com/akinomyoga/ble.sh/wiki/Manual-%C2%A77-Completion
+  enableBashIntegration = false;
 }
--- a/modules/terminal-life/nvim/lsp.vim
+++ b/modules/terminal-life/nvim/lsp.vim
@ -74,6 +74,8 @@ lua <<EOF

  -- Add additional capabilities supported by nvim-cmp
  local capabilities = require('cmp_nvim_lsp').default_capabilities()
+  -- vscode HTML lsp needs this https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md#html
+  capabilities.textDocument.completion.completionItem.snippetSupport = true

  -- vscode HTML lsp needs this https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md#html
  capabilities.textDocument.completion.completionItem.snippetSupport = true
@ -172,6 +174,13 @@ lua <<EOF
    end
  end -- ‡

+  -- configure floating diagnostics appearance, symbols
+  local signs = { Error = " ", Warn = " ", Hint = " ", Info = " " }
+  for type, icon in pairs(signs) do
+    local hl = "DiagnosticSign" .. type
+    vim.fn.sign_define(hl, { text = icon, texthl = hl, numhl = hl })
+  end
+
  -- Set completeopt to have a better completion experience
  vim.o.completeopt = 'menuone,noselect'

--- a/profiles/base-user/.config/dircolors
+++ b/profiles/base-user/.config/dircolors
--- a/profiles/base-user/.config/git/config.nix
+++ b/profiles/base-user/.config/git/config.nix
--- a/profiles/base-user/.config/git/gitmessage.nix
+++ b/profiles/base-user/.config/git/gitmessage.nix
--- a/profiles/base-user/.config/git/global_gitignore.nix
+++ b/profiles/base-user/.config/git/global_gitignore.nix
--- a/profiles/base-user/.config/libinput-gestures.conf
+++ b/profiles/base-user/.config/libinput-gestures.conf
--- a/profiles/base-user/.config/mako/config
+++ b/profiles/base-user/.config/mako/config
--- a/modules/user/.config/mimeapps.list
+++ b/modules/user/.config/mimeapps.list
--- a/profiles/base-user/.config/mutt/base16.muttrc
+++ b/profiles/base-user/.config/mutt/base16.muttrc
--- a/profiles/base-user/.config/mutt/mailcap
+++ b/profiles/base-user/.config/mutt/mailcap
--- a/profiles/base-user/.config/mutt/muttrc
+++ b/profiles/base-user/.config/mutt/muttrc
--- a/profiles/base-user/.config/offlineimap/functions.py
+++ b/profiles/base-user/.config/offlineimap/functions.py
--- a/profiles/base-user/.config/user-dirs.dirs
+++ b/profiles/base-user/.config/user-dirs.dirs
--- a/profiles/base-user/.config/user-dirs.locale
+++ b/profiles/base-user/.config/user-dirs.locale
--- a/profiles/base-user/.config/waybar/colorscheme.css
+++ b/profiles/base-user/.config/waybar/colorscheme.css
--- a/profiles/base-user/.config/waybar/config
+++ b/profiles/base-user/.config/waybar/config
--- a/profiles/base-user/.config/waybar/style.css
+++ b/profiles/base-user/.config/waybar/style.css
--- a/profiles/base-user/.config/xmodmap
+++ b/profiles/base-user/.config/xmodmap
--- a/profiles/base-user/.config/xsettingsd/xsettingsd.conf
+++ b/profiles/base-user/.config/xsettingsd/xsettingsd.conf
--- a/profiles/base-user/.local/share/nvim/json-schemas/caddy_schema.json
+++ b/profiles/base-user/.local/share/nvim/json-schemas/caddy_schema.json
--- a/profiles/base-user/.local/share/scripts/base16.sh
+++ b/profiles/base-user/.local/share/scripts/base16.sh
--- a/profiles/base-user/.xinitrc
+++ b/profiles/base-user/.xinitrc
--- a/profiles/base-user/assets/wallpaper.jpg
+++ b/profiles/base-user/assets/wallpaper.jpg
--- a/Show more
+++ b/Show more