WIP: init drone-exec-runner-in-docker on ryzensun

Merge branch 'feature/update-drone-config-for-kvm-tests' into teutat3s-drone-exec-runner
2022-10-24 18:35:55 +02:00 · 2022-10-24 18:23:00 +02:00 · 2022-10-24 18:12:29 +02:00 · 2022-10-24 17:49:18 +02:00 · 2022-10-24 17:33:45 +02:00 · 2022-10-24 17:23:45 +02:00
214 changed files with 9570 additions and 3913 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -11,12 +11,10 @@ steps:
      event:
        - pull_request
    environment:
-      NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
+      NIX_FLAGS: "--print-build-logs --verbose"
    commands:
      - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS'
      - nix $$NIX_FLAGS develop --command nix flake show
      - nix $$NIX_FLAGS develop --command treefmt --fail-on-change
      - nix $$NIX_FLAGS develop --command editorconfig-checker
      - nix $$NIX_FLAGS build ".#nixosConfigurations.PubSolarOS.config.system.build.toplevel"
 ---
@ -29,11 +27,12 @@ node:
 steps:
  - name: "Tests"
    environment:
-      NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
+      NIX_FLAGS: "--print-build-logs --verbose"
    commands:
      - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS'
      - nix $$NIX_FLAGS build ".#checks.x86_64-linux.customTestFor-PubSolarOS-firstTest"
      - nix-store --read-log result
      - if [ ! -e /dev/kvm ]; then exit 1; fi
      - nix $$NIX_FLAGS flake check
      - nix $$NIX_FLAGS develop --command echo OK
@ -55,7 +54,6 @@ steps:
      - cd tritonshell
      - nix develop --command mput -p -f ../result/foot_wayland_info.png ~~/public/$${TARGET_DIR}/foot_wayland_info.png
      - nix develop --command mput -p -f ../result/test-wayland.out ~~/public/$${TARGET_DIR}/test-wayland.out
 trigger:
  ref:
    - refs/tags/v*
@ -95,7 +93,7 @@ steps:
  - name: "Build ISO"
    image: docker.nix-community.org/nixpkgs/nix-flakes:latest
    environment:
-      NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
+      NIX_FLAGS: "--print-build-logs --verbose"
    volumes:
      - name: file-exchange
        path: /var/nix/iso-cache
@ -113,8 +111,9 @@ steps:
      - nix run nixpkgs#gnused -- --in-place "s/$ISO_NAME/PubSolarOS-latest.iso/" PubSolarOS-latest.iso.sha256
  - name: "Publish ISO"
-    # https://github.com/appleboy/drone-scp/pull/141 got merged, yay
+    # custom drone-scp image, source: https://git.b12f.io/pub-solar/drone-scp/
-    image: appleboy/drone-scp:1.6.5-linux-amd64
+    # docker build --tag registry.greenbaum.cloud/library/drone-scp:v1.6.5 --file ./docker/Dockerfile.linux.amd64 .
    image: registry.greenbaum.cloud/library/drone-scp:v1.6.5
    volumes:
      - name: file-exchange
        path: /var/nix/iso-cache
@ -127,7 +126,7 @@ steps:
        from_secret: iso_web_ssh_port
      key:
        from_secret: iso_web_ssh_key
-      target: /data/srv/www/os/download
+      target: /srv/os/download
      source:
        - /var/nix/iso-cache/*.iso
        - /var/nix/iso-cache/*.iso.sha256
@ -149,6 +148,6 @@ volumes:
 ---
 kind: signature
-hmac: a116f78a0b22188052893bdb46aa40f8de66438826c10ced362ea183d7644d67
+hmac: 3e6a89e903e214f21d488eba82863683b130ef6dbc2dc352377d4fd94ab3cd0c
 ...
--- a/.drone/setup_ssh.sh
+++ b/.drone/setup_ssh.sh
@ -0,0 +1,11 @@
 #!/usr/bin/env sh
 set -e
 # Setup ssh inside container
 mkdir -p ~/.ssh
 echo "$GITEA_SSH_KEY" > ~/.ssh/id_rsa
 echo "[git.b12f.io]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ4uaREL7acSSCNAX+voDYl1Kj7JipP62fR5x1UyGP9u" >> ~/.ssh/known_hosts
 echo "Host git.b12f.io" >> ~/.ssh/config
 echo "  Port 2222" >> ~/.ssh/config
 chmod -R 600 ~/.ssh
--- a/.drone/upstream-branch.sh
+++ b/.drone/upstream-branch.sh
@ -0,0 +1,12 @@
 #!/usr/bin/env sh
 set -e
 set -u
 LOCAL="$DRONE_BRANCH"
 [ "$LOCAL" = "main" ] && UPSTREAM=origin/devos || UPSTREAM=origin/main
 git fetch --all
 git checkout "$LOCAL"
 git merge "$UPSTREAM"
 git push origin "$LOCAL"
--- a/.editorconfig
+++ b/.editorconfig
@ -15,9 +15,6 @@ end_of_line = unset
 insert_final_newline = unset
 trim_trailing_whitespace = unset
 indent_size = unset
 charset = unset
 indent_style = unset
 indent_size = unset
 [{.*,secrets}/**]
 end_of_line = unset
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -1,2 +0,0 @@
 # Formatted code using treefmt and alejandra
 73bf158392a427d188b7aad36244b94506f57a15
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,38 @@
 ---
 name: Bug report
 about: Create a report to help improve
 title: ''
 labels: 'bug'
 assignees: ''
 ---
 Your issue may already be reported!
 Please search on the [issue tracker](../) before creating one.
 ## Expected Behavior
 <!--- What should happen? -->
 <!--- How it should work? -->
 ## Current Behavior
 <!--- What happens instead of the expected behavior? -->
 ## Possible Solution
 <!--- Not obligatory, but suggest a fix/reason for the bug, -->
 <!--- or ideas how to implement the addition or change -->
 ## Steps to Reproduce
 <!--- An unambiguous set of steps to reproduce this bug. -->
 <!--- Linked fork or gist if needed. -->
 1.
 2.
 3.
 4.
 ## Context
 <!--- How has this issue affected you? What are you trying to accomplish? -->
 <!--- Providing context helps us come up with a solution that is most useful in the real world. -->
 ## Your Environment
 <!--- Include relevant details about the environment you experienced the bug in. -->
 <!--- If you have run `bud update`, for example, post the flake.lock file. -->
--- a/.github/ISSUE_TEMPLATE/community_request.md
+++ b/.github/ISSUE_TEMPLATE/community_request.md
@ -0,0 +1,22 @@
 ---
 name: Commuity Request
 about: inspire contribution to the `community` branch
 title: ''
 labels: 'community'
 assignees: ''
 ---
 Your issue may already be reported!
 Please search on the [issue tracker](../) before creating one.
 ## Ideas
 <!--- The `community` branch is meant to provide various preconfigured system options, -->
 <!--- useful to all kinds of users. -->
 <!--- The point is to engage the community for what it thinks are -->
 <!--- sane defaults for various tools. -->
 ## Requests
 <!--- Have a tool that you'd like to see a system profile for? -->
 <!--- Feel free to request it here. -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,24 @@
 ---
 name: Feature request
 about: Suggest an idea
 title: ''
 labels: 'enhancement'
 assignees: ''
 ---
 Your issue may already be reported!
 Please search on the [issue tracker](../) before creating one.
 ## Would your feature fix an existing issue?
 <!--- If your idea is related to, or resolves other issues, please mention. -->
 ## Describe the solution you'd like
 <!--- What you want to happen. -->
 ## Describe alternatives you've considered
 <!--- Any alternative solutions or features you've considered? -->
 ## Additional context
 <!--- Is this feature only useful for a particular usecase? -->
 <!--- Please elaborate. -->
--- a/.github/ISSUE_TEMPLATE/upstream_notice.md
+++ b/.github/ISSUE_TEMPLATE/upstream_notice.md
@ -0,0 +1,16 @@
 ---
 name: Upstream notice (Issues or Changes)
 about: Create an upstream notice to help our research
 title: '[ <put the upstream project> ]: <topic>'
 labels: 'upstream'
 assignees: ''
 ---
 ## Link
 <!-- just place a link to the upstream issue, or PR -->
 ## Context
 <!-- We want to make this as cheap for you as possible.
 Context is not required but helpful -->
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -0,0 +1,29 @@
 name: "Check & Cachix"
 on:
  push:
    branches:
      - main
      - trying
      - staging
 jobs:
  check:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2.3.4
    - uses: cachix/install-nix-action@v13
      with:
        install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20210415_76980a1/install
        extra_nix_config: |
          experimental-features = nix-command flakes
          system-features = nixos-test benchmark big-parallel kvm recursive-nix
          substituters = https://nrdxp.cachix.org https://nix-community.cachix.org https://cache.nixos.org
          trusted-public-keys = nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
    - uses: cachix/cachix-action@v10
      with:
        name: nrdxp
        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - run: nix -Lv flake check
    - run: nix -Lv build ".#nixosConfigurations.NixOS.config.system.build.toplevel"
    - run: nix -Lv develop -c echo OK
    - run: nix -Lv develop --command bud --help
--- a/.github/workflows/mdbook_docs.yml
+++ b/.github/workflows/mdbook_docs.yml
@ -0,0 +1,27 @@
 name: Deploy Docs to GitHub Pages
 on:
  push:
    branches:
      - main
 jobs:
  deploy:
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v2
      - name: Setup mdBook
        uses: peaceiris/actions-mdbook@v1
        with:
          mdbook-version: 'latest'
      - run: mdbook build doc
      - name: Deploy
        uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_branch: gh-pages
          publish_dir: ./doc/book
          cname: devos.divnix.com
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,71 @@
 name: Release
 on:
  push:
    tags:
      - v*
 jobs:
  changelog:
    name: Update Changelog
    runs-on: ubuntu-latest
    steps:
      - name: Get version from tag
        env:
          GITHUB_REF: ${{ github.ref }}
        run: |
          export CURRENT_VERSION=${GITHUB_TAG/refs\/tags\/v/}
          echo "CURRENT_VERSION=$CURRENT_VERSION" >> $GITHUB_ENV
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          ref: main
      - name: Update Changelog
        uses: heinrichreimer/github-changelog-generator-action@v2.1.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          issues: false
          issuesWoLabels: false
          pullRequests: true
          prWoLabels: true
          addSections: '{"documentation":{"prefix":"**Documentation:**","labels":["documentation"]}}'
      - uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: Update Changelog for tag ${{ env.CURRENT_VERSION }}
          file_pattern: CHANGELOG.md
  release_notes:
    name: Create Release Notes
    runs-on: ubuntu-latest
    needs: changelog
    steps:
      - name: Get version from tag
        env:
          GITHUB_REF: ${{ github.ref }}
        run: |
          export CURRENT_VERSION=${GITHUB_TAG/refs\/tags\/v/}
          echo "CURRENT_VERSION=$CURRENT_VERSION" >> $GITHUB_ENV
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          ref: main
      - name: Get Changelog Entry
        id: changelog_reader
        uses: mindsers/changelog-reader-action@v1
        with:
          version: ${{ env.CURRENT_VERSION }}
          path: ./CHANGELOG.md
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: Release ${{ github.ref }}
          body: ${{ steps.changelog_reader.outputs.log_entry }}
          draft: false
          prerelease: false
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -109,4 +109,6 @@
 ## [07092020](https://github.com/divnix/devos/tree/07092020) (2020-07-09)
-\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_
+
 \* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,33 +0,0 @@
 # Quick branch overview
 We work with several branches in this repo. This document aims to explain how
 to contribute changes to the existing branches.
 ### `main` branch
 - Changes to `modules` and `profiles` should go [the main branch](https://git.pub.solar/pub-solar/os/src/branch/main)
 - Changes can get accepted via: Pull Request
 - Branch protected from direct `git push`
 ### `infra` branch
 - Changes to the [pub.solar](https://pub.solar) infrastructure should be merged [into this branch](https://git.pub.solar/pub-solar/os/src/branch/infra)
 - Changes can get accepted via: Pull Request
 - Branch protected from direct `git push`
 ### `momo/main` branch
 - Changes to the [Momo](https://momo.koeln) infrastructure should be merged [into this branch](https://git.pub.solar/pub-solar/os/src/branch/momo/main)
 - Changes can get accepted via: Pull Request
 - Deployment of changes is [automatic via CI pipeline](https://git.pub.solar/pub-solar/os/src/commit/43bd7421509f7cc9ba06d7c740f3f536a4a2af76/.drone.yml#L20-L38)
 - Branch protected from direct `git push`
 ### `$USER` branches
 - User's custom hosts and changes can be worked on in these branches
 - Direct `git push` possible
 - Examples:
  - [hensoko](https://git.pub.solar/pub-solar/os/src/branch/hensoko)
  - [b12f](https://git.pub.solar/pub-solar/os/src/branch/b12f)
  - [axeman](https://git.pub.solar/pub-solar/os/src/branch/axeman)
  - [teutat3s](https://git.pub.solar/pub-solar/os/src/branch/teutat3s)
--- a/README.md
+++ b/README.md
@ -10,36 +10,36 @@ At its core, it's a NixOS installation running our configuration. The UX
 decisions and the way the project is structured are what make it
 _PubSolarOS_:
- Reproducibility is king, and the future is with declarative and functional
+* Reproducibility is king, and the future is with declarative and functional
    programming. Even if Nix does not turn out to be the end-all-be-all of
    reproducible package management (Guix looks good), it has a plethora
    of packages, a very active and helpful community, and very solid
    software engineering practices.
- Because reproducibility is king, we're using nix flakes for locking flake
+* Because reproducibility is king, we're using nix flakes for locking flake
    dependencies. [Digga](https://github.com/divnix/digga) is our flake
    utility library, made by the wonderful people of the Divnix community.
- Physical devices are not shared anymore nowadays. Only seldomly will you
+* Physical devices are not shared anymore nowadays. Only seldomly will you
    find shared devices that need more than one user account. For this
    reason, only one user (excluding `root`) is assumed.
- Keyboard navigation wins where it matters; ergonomics, programmability,
+* Keyboard navigation wins where it matters; ergonomics, programmability,
    efficiency, and speed. We use a tiling window manager (`sway`) and
    prioritize cli-based solutions where sensible. The editor is `neovim`
    configured to be just as opiniated as the operating system it is a part
    of. For mailing, `neomutt` is the default, but we're more divided on
    that part.
- We like new and shiny things, so we've moved to Wayland and pipewire.
+* We like new and shiny things, so we've moved to Wayland and pipewire.
- SICHERHEIT is written in capital letters at pub.solar, so we have first-
+* SICHERHEIT is written in capital letters at pub.solar, so we have first-
    class disk-encryption support. Currently in the works is a paranoid
    mode where the device can only hibernate (no more sleep or lockscreen)
    so your data is locked any time you leave the device.
- Free software is better. If we can avoid it, nonfree software is avoided.
+* Free software is better. If we can avoid it, nonfree software is avoided.
    By default, `allowUnfree` is `false` so we don't ship non-free software
    in a basic PubSolarOS ISO. However, nothing prevents you from using
    as much non-free software as you like.
- Automation is better. The reproducibility of nix feels so much more
+* Automation is better. The reproducibility of nix feels so much more
    powerful once you're deploying your new configuration from your laptop
-  to all your other devices with one command. [We have an automated CI using drone](https://ci.pub.solar/pub-solar/os).
+    to all your other devices with one command. [We have an automated CI using drone](https://ci.b12f.io/pub-solar/os).
- Community is important. We just like working on this together, and it
+* Community is important. We just like working on this together, and it
    feels really good to see our progress at the end of a
    [hakken.irl](https://pub.solar/hakken) session.
--- a/default.nix
+++ b/default.nix
@ -5,25 +5,21 @@ let
  ciSystems = [
    "aarch64-linux"
    "i686-linux"
    "x86_64-linux"
  ];
-  filterSystems =
+  filterSystems = lib.filterAttrs
    lib.filterAttrs
    (system: _: lib.elem system ciSystems);
-  recurseIntoAttrsRecursive = lib.mapAttrs (
+  recurseIntoAttrsRecursive = lib.mapAttrs (_: v:
    _: v:
    if lib.isAttrs v
    then recurseIntoAttrsRecursive (lib.recurseIntoAttrs v)
    else v
  );
-  systemOutputs =
+  systemOutputs = lib.filterAttrs
-    lib.filterAttrs
+    (name: set: lib.isAttrs set
    (
      name: set:
        lib.isAttrs set
      && lib.any
      (system: set ? ${system} && name != "legacyPackages")
      ciSystems
@ -32,4 +28,4 @@ let
  ciDrvs = lib.mapAttrs (_: system: filterSystems system) systemOutputs;
 in
-  (recurseIntoAttrsRecursive ciDrvs) // {shell = import ./shell.nix;}
+(recurseIntoAttrsRecursive ciDrvs) // { shell = import ./shell.nix; }
--- a/doc/CONTRIBUTING.md
+++ b/doc/CONTRIBUTING.md
@ -1,5 +1,4 @@
 # TL;DR;
 - **Target Branch**: `main`
 - **Merge Policy**: green check: merge away. yellow circle: have patience. red x: try again.
 - **Docs**: every change set is expected to contain doc updates
@ -10,6 +9,5 @@
  make use of the `./examples` & `./e2e` and wire test up in the devshell. 
 ### Within the Devshell (`nix develop`)
 - **Hooks**: please `git commit` within the devshell
 - **Fail Early**: please run `check-all` from within the devshell on your local machine
--- a/doc/SUMMARY.md
+++ b/doc/SUMMARY.md
@ -28,3 +28,4 @@
  - [NixOS](./api-reference-nixos.md)
 - [Library Reference]()
 - [Contributing](./CONTRIBUTING.md)
--- a/doc/api-reference-channels.md
+++ b/doc/api-reference-channels.md
@ -1,76 +1,91 @@
 # Channels API Container
 Configure your channels that you can use throughout your configurations.
 > #### ⚠ Gotcha ⚠
 >
 > Devshell & (non-host-specific) Home-Manager `pkgs` instances are rendered off the
 > `nixos.hostDefaults.channelName` (default) channel.
 ## channels
 ## channels
 nixpkgs channels to create
-_*Type*_:
+
 *_Type_*:
 attribute set of submodules or path convertible to it
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## channels.\<name\>.config
 nixpkgs config for this channel
-_*Type*_:
+
 *_Type_*:
 attribute set or path convertible to it
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## channels.\<name\>.input
 ## channels.\<name\>.input
 nixpkgs flake input to use for this channel
-_*Type*_:
+
 *_Type_*:
 nix flake
 _*Default*_
 *_Default_*
 ```
 "self.inputs.<name>"
 ```
 ## channels.\<name\>.overlays
 ## channels.\<name\>.overlays
 overlays to apply to this channel
 these will get exported under the 'overlays' flake output
 as \<channel\>/\<name\> and any overlay pulled from \<inputs\>
 will be filtered out
-_*Type*_:
+
 *_Type_*:
 list of valid Nixpkgs overlay or path convertible to its or anything convertible to it or path convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## channels.\<name\>.patches
 patches to apply to this channel
-_*Type*_:
+
 *_Type_*:
 list of paths
 _*Default*_
 *_Default_*
 ```
 []
 ```
--- a/doc/api-reference-devshell.md
+++ b/doc/api-reference-devshell.md
@ -1,59 +1,72 @@
 # Devshell API Container
 Configure your devshell module collections of your environment.
 ## devshell
 ## devshell
 Modules to include in your DevOS shell. the `modules` argument
 will be exported under the `devshellModules` output
-_*Type*_:
+
 *_Type_*:
 submodule or path convertible to it
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## devshell.exportedModules
 ## devshell.exportedModules
 modules to include in all hosts and export to devshellModules output
-_*Type*_:
+
 *_Type_*:
 list of valid module or path convertible to its or anything convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## devshell.externalModules
 ## devshell.externalModules
 The `externalModules` option has been removed.
 Any modules that should be exported should be defined with the `exportedModules`
 option and all other modules should just go into the `modules` option.
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## devshell.modules
 ## devshell.modules
 modules to include that won't be exported
 meant importing modules from external flakes
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it or path convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
--- a/doc/api-reference-home.md
+++ b/doc/api-reference-home.md
@ -1,97 +1,119 @@
 # Home-Manager API Container
 Configure your home manager modules, profiles & suites.
 ## home
 ## home
 hosts, modules, suites, and profiles for home-manager
-_*Type*_:
+
 *_Type_*:
 submodule or path convertible to it
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## home.exportedModules
 ## home.exportedModules
 modules to include in all hosts and export to homeModules output
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it or path convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## home.externalModules
 ## home.externalModules
 The `externalModules` option has been removed.
 Any modules that should be exported should be defined with the `exportedModules`
 option and all other modules should just go into the `modules` option.
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## home.importables
 ## home.importables
 Packages of paths to be passed to modules as `specialArgs`.
-_*Type*_:
+
 *_Type_*:
 attribute set
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## home.importables.suites
 ## home.importables.suites
 collections of profiles
-_*Type*_:
+
 *_Type_*:
 null or attribute set of list of paths or anything convertible to its or path convertible to it
 _*Default*_
 *_Default_*
 ```
 null
 ```
 ## home.modules
 ## home.modules
 modules to include that won't be exported
 meant importing modules from external flakes
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it or path convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## home.users
 ## home.users
 HM users that can be deployed portably without a host.
-_*Type*_:
+
 *_Type_*:
 attribute set of HM user configs
 _*Default*_
 *_Default_*
 ```
 {}
 ```
--- a/doc/api-reference-nixos.md
+++ b/doc/api-reference-nixos.md
@ -1,191 +1,234 @@
 # NixOS API Container
 Configure your nixos modules, profiles & suites.
 ## nixos
 ## nixos
 hosts, modules, suites, and profiles for NixOS
-_*Type*_:
+
 *_Type_*:
 submodule or path convertible to it
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## nixos.hostDefaults
 ## nixos.hostDefaults
 Defaults for all hosts.
 the modules passed under hostDefaults will be exported
 to the 'nixosModules' flake output.
 They will also be added to all hosts.
-_*Type*_:
+
 *_Type_*:
 submodule
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## nixos.hostDefaults.channelName
 ## nixos.hostDefaults.channelName
 Channel this host should follow
-_*Type*_:
+
 *_Type_*:
 channel defined in `channels`
 ## nixos.hostDefaults.exportedModules
 ## nixos.hostDefaults.exportedModules
 modules to include in all hosts and export to nixosModules output
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it or path convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## nixos.hostDefaults.externalModules
 ## nixos.hostDefaults.externalModules
 The `externalModules` option has been removed.
 Any modules that should be exported should be defined with the `exportedModules`
 option and all other modules should just go into the `modules` option.
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## nixos.hostDefaults.modules
 ## nixos.hostDefaults.modules
 modules to include that won't be exported
 meant importing modules from external flakes
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it or path convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## nixos.hostDefaults.system
 ## nixos.hostDefaults.system
 system for this host
-_*Type*_:
+
 *_Type_*:
 null or system defined in `supportedSystems`
 _*Default*_
 *_Default_*
 ```
 null
 ```
 ## nixos.hosts
 ## nixos.hosts
 configurations to include in the nixosConfigurations output
-_*Type*_:
+
 *_Type_*:
 attribute set of submodules
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## nixos.hosts.\<name\>.channelName
 ## nixos.hosts.\<name\>.channelName
 Channel this host should follow
-_*Type*_:
+
 *_Type_*:
 null or channel defined in `channels`
 _*Default*_
 *_Default_*
 ```
 null
 ```
 ## nixos.hosts.\<name\>.modules
 modules to include
-_*Type*_:
+
 *_Type_*:
 list of valid modules or anything convertible to it or path convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 ## nixos.hosts.\<name\>.system
 ## nixos.hosts.\<name\>.system
 system for this host
-_*Type*_:
+
 *_Type_*:
 null or system defined in `supportedSystems`
 _*Default*_
 *_Default_*
 ```
 null
 ```
 ## nixos.hosts.\<name\>.tests
 ## nixos.hosts.\<name\>.tests
 tests to run
-_*Type*_:
+
 *_Type_*:
 list of valid NixOS test or path convertible to its or anything convertible to it
 _*Default*_
 *_Default_*
 ```
 []
 ```
 _*Example*_
 *_Example_*
 ```
 {"_type":"literalExpression","text":"[\n  {\n    name = \"testname1\";\n    machine = { ... };\n    testScript = ''\n      # ...\n    '';\n  }\n  ({ corutils, writers, ... }: {\n    name = \"testname2\";\n    machine = { ... };\n    testScript = ''\n      # ...\n    '';\n  })\n  ./path/to/test.nix\n];\n"}
 ```
 ## nixos.importables
 ## nixos.importables
 Packages of paths to be passed to modules as `specialArgs`.
-_*Type*_:
+
 *_Type_*:
 attribute set
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## nixos.importables.suites
 ## nixos.importables.suites
 collections of profiles
-_*Type*_:
+
 *_Type_*:
 null or attribute set of list of paths or anything convertible to its or path convertible to it
 _*Default*_
 *_Default_*
 ```
 null
 ```
--- a/doc/api-reference.md
+++ b/doc/api-reference.md
@ -1,5 +1,4 @@
 # Top Level API
 `digga`'s top level API. API Containers are documented in their respective sub-chapter:
 - [Channels](./api-reference-channels.md)
@ -9,55 +8,73 @@
 - [Darwin](./api-reference-darwin.md)
 ## channelsConfig
 nixpkgs config for all channels
-_*Type*_:
+
 *_Type_*:
 attribute set or path convertible to it
 _*Default*_
 *_Default_*
 ```
 {}
 ```
 ## inputs
 ## inputs
 The flake's inputs
-_*Type*_:
+*_Type_*:
 attribute set of nix flakes
 ## outputsBuilder
 ## outputsBuilder
 builder for flake system-spaced outputs
 The builder gets passed an attrset of all channels
-_*Type*_:
+
 *_Type_*:
 function that evaluates to a(n) attribute set or path convertible to it
 _*Default*_
 *_Default_*
 ```
 "channels: { }"
 ```
 ## self
 ## self
 The flake to create the DevOS outputs for
-_*Type*_:
+*_Type_*:
 nix flake
 ## supportedSystems
 ## supportedSystems
 The systems supported by this flake
-_*Type*_:
+
 *_Type_*:
 list of strings
 _*Default*_
 *_Default_*
 ```
-["aarch64-linux","aarch64-darwin","x86_64-darwin","x86_64-linux"]
+["aarch64-linux","aarch64-darwin","i686-linux","x86_64-darwin","x86_64-linux"]
 ```
--- a/doc/book.toml
+++ b/doc/book.toml
@ -1,9 +1,5 @@
 [book]
-authors = [
+authors = ["Timothy DeHerrera"]
  "Timothy DeHerrera",
  "Parthiv Seetharaman",
  "David Arnold",
 ]
 language = "en"
 multilingual = false
 src = "."
--- a/doc/concepts/hosts.md
+++ b/doc/concepts/hosts.md
@ -28,10 +28,10 @@ is best saved for [profile modules](./profiles.md).
 This is a good place to import sets of profiles, called [suites](./suites.md),
 that you intend to use on your machine.
 ## Example
 flake.nix:
 ```nix
 {
  nixos = {
@ -47,7 +47,6 @@ flake.nix:
 ```
 hosts/librem.nix:
 ```nix
 { suites, ... }:
 {
--- a/doc/concepts/overrides.md
+++ b/doc/concepts/overrides.md
@ -1,10 +1,8 @@
 # Overrides
 Each NixOS host follows one channel. But many times it is useful to get packages
 or modules from different channels.
 ## Packages
 You can make use of `overlays/overrides.nix` to override specific packages in the
 default channel to be pulled from other channels. That file is simply an example
 of how any overlay can get `channels` as their first argument.
@ -12,7 +10,6 @@ of how any overlay can get `channels` as their first argument.
 You can add overlays to any channel to override packages from other channels.
 Pulling the manix package from the `latest` channel:
 ```nix
 channels: final: prev: {
  __dontExport = true;
@ -31,7 +28,6 @@ You can also pull modules from other channels. All modules have access to the
 `disabledModules` to remove modules from the current channel.
 To pull zsh module from the `latest` channel this code can be placed in any module, whether its your host file, a profile, or a module in ./modules etc:
 ```nix
 { latestModulesPath }:
 {
@ -41,7 +37,6 @@ To pull zsh module from the `latest` channel this code can be placed in any modu
 ```
 > ##### _Note:_
 >
 > Sometimes a modules name will change from one branch to another.
 [nixpkgs-modules]: https://github.com/NixOS/nixpkgs/tree/master/nixos/modules
--- a/doc/concepts/profiles.md
+++ b/doc/concepts/profiles.md
@ -6,7 +6,6 @@ built into the NixOS module system for a reason: to elegantly provide a clear
 separation of concerns.
 ## Creation
 Profiles are created with the `rakeLeaves` function which recursively collects
 `.nix` files from within a folder. The recursion stops at folders with a `default.nix` 
 in them. You end up with an attribute set with leaves(paths to profiles) or
@ -15,14 +14,12 @@ nodes(attrsets leading to more nodes or leaves).
 A profile is used for quick modularization of [interelated bits](./profiles.md#subprofiles).
 > ##### _Notes:_
->
+> * For _declaring_ module options, there's the [modules](../outputs/modules.md) directory.
-> - For _declaring_ module options, there's the [modules](../outputs/modules.md) directory.
+> * This directory takes inspiration from
 > - This directory takes inspiration from
 >   [upstream](https://github.com/NixOS/nixpkgs/tree/master/nixos/modules/profiles)
 >   .
 ### Nested profiles
 Profiles can be nested in attribute sets due to the recursive nature of `rakeLeaves`.
 This can be useful to have a set of profiles created for a specific purpose. It is
 sometimes useful to have a `common` profile that has high level concerns related
@ -31,7 +28,6 @@ to all its sister profiles.
 ### Example
 profiles/develop/common.nix:
 ```nix
 {
  imports = [ ./zsh ];
@ -40,7 +36,6 @@ profiles/develop/common.nix:
 ```
 profiles/develop/zsh.nix:
 ```nix
 {  ... }:
 {
@ -50,7 +45,6 @@ profiles/develop/zsh.nix:
 ```
 The examples above will end up with a profiles set like this:
 ```nix
 {
  develop = {
@ -61,7 +55,6 @@ The examples above will end up with a profiles set like this:
 ```
 ## Conclusion
 Profiles are the most important concept in DevOS. They allow us to keep our
 Nix expressions self contained and modular. This way we can maximize reuse
 across hosts while minimizing boilerplate. Remember, anything machine
--- a/doc/concepts/suites.md
+++ b/doc/concepts/suites.md
@ -1,5 +1,4 @@
 # Suites
 Suites provide a mechanism for users to easily combine and name collections of
 profiles.
@ -9,7 +8,6 @@ argument (one that can be use in an `imports` line) to your hosts. All lists def
 in `suites` are flattened and type-checked as paths.
 ## Definition
 ```nix
 rec {
  workstation = [ profiles.develop profiles.graphical users.nixos ];
@ -18,9 +16,7 @@ rec {
 ```
 ## Usage
 `hosts/my-laptop.nix`:
 ```nix
 { suites, ... }:
 {
--- a/doc/concepts/users.md
+++ b/doc/concepts/users.md
@ -1,5 +1,4 @@
 > ##### _Note:_
 >
 > This  section and its semantics need a conceptiual rework.
 > Since recently [portable home configurations][portableuser]
 > that are not bound to any specific host are a thing.
@ -9,12 +8,11 @@
 Users are a special case of [profiles](profiles.md) that define system
 users and [home-manager][home-manager] configurations. For your convenience,
 home manager is wired in by default so all you have to worry about is declaring
-your users.
+your users. For a fully fleshed out example, check out the developers personal
 [branch](https://github.com/divnix/devos/tree/nrd/users/nrd/default.nix).
 ## Basic Usage
 `users/myuser/default.nix`:
 ```nix
 { ... }:
 {
@ -30,7 +28,6 @@ your users.
 ```
 ## Home Manager
 Home Manager support follows the same principles as regular nixos configurations,
 it even gets its own namespace in your `flake.nix` as `home`.
@ -40,9 +37,7 @@ User profiles can be collected in a similar fashion as system ones into a `suite
 argument that gets passed to your home-manager users.
 ### Example
 `flake.nix`
 ```nix
 {
  home.users.nixos = { suites, ... }: {
@ -51,14 +46,24 @@ argument that gets passed to your home-manager users.
 }
 ```
 ## External Usage
 ## External Usage
 You can easily use the defined home-manager configurations outside of NixOS
 using the `homeConfigurations` flake output.
 This is great for keeping your environment consistent across Unix-like systems,
 including macOS.
 ### From within the projects devshell:
 ```sh
 # builds the pub-solar user defined in the PubSolarOS host
 nix build '.#homeConfigurations."pub-solar@PubSolarOS".activationPackage'
 # build and activate
 nix build '.#homeConfigurations."pub-solar@PubSolarOS".activationPackage' && ./result/activate && unlink result
 ```
 ### Manually from outside the project:
 ```sh
 # build
 nix build "github:divnix/devos#homeConfigurations.nixos@NixOS.home.activationPackage"
@ -68,5 +73,5 @@ nix build "github:divnix/devos#homeConfigurations.nixos@NixOS.home.activationPac
 ```
 [home-manager]: https://nix-community.github.io/home-manager
-[modules-list]: https://github.com/divnix/digga/tree/main/users/modules/module-list.nix
+[modules-list]: https://github.com/divnix/devos/tree/main/users/modules/module-list.nix
 [portableuser]: https://digga.divnix.com/api-reference-home.html#homeusers
--- a/doc/integrations/cachix.md
+++ b/doc/integrations/cachix.md
@ -1,5 +1,4 @@
 # Cachix
 The system will automatically pull a cachix.nix at the root if one exists.
 This is usually created automatically by a `sudo cachix use`. If you're more
 inclined to keep the root clean, you can drop any generated files in the
--- a/doc/integrations/deploy.md
+++ b/doc/integrations/deploy.md
@ -1,5 +1,4 @@
 # deploy-rs
 [Deploy-rs][d-rs] is a tool for managing NixOS remote machines. It was
 chosen for devos after the author experienced some frustrations with the
 stateful nature of nixops' db. It was also designed from scratch to support
@ -12,7 +11,6 @@ the command line.
 ## Usage
 Just add your ssh key to the host:
 ```nix
 { ... }:
 {
@ -23,7 +21,6 @@ Just add your ssh key to the host:
 ```
 And the private key to your user:
 ```nix
 { ... }:
 {
@ -42,20 +39,16 @@ And the private key to your user:
 ```
 And run the deployment:
 ```sh
 deploy '.#hostName' --hostname host.example.com
 ```
 > ##### _Note:_
 >
 > Your user will need **passwordless** sudo access
 ### Home Manager
 Digga's `lib.mkDeployNodes` provides only `system` profile.
 In order to deploy your `home-manager` configuration you should provide additional profile(s) to deploy-rs config:
 ```nix
 # Initially, this line looks like this: deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { };
 deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations
@ -79,4 +72,5 @@ Substitute `<HOSTNAME>`, `<HM_PROFILE>` and `<YOUR_USERNAME>` placeholders (omit
 `<ANOTHER_HM_PROFILE>` is there to illustrate deploying multiple `home-manager` configurations. Either substitute those as well,
 or remove them altogether. Don't forget the `profileOrder` variable.
 [d-rs]: https://github.com/serokell/deploy-rs
--- a/doc/integrations/hercules.md
+++ b/doc/integrations/hercules.md
@ -1,5 +1,4 @@
 # Hercules CI
 If you start adding your own packages and configurations, you'll probably have
 at least a few binary artifacts. With hercules we can build every package in
 our configuration automatically, on every commit. Additionally, we can have it
@ -9,7 +8,6 @@ This will work whether your copy is a fork, or a bare template, as long as your
 repo is hosted on GitHub.
 ## Setup
 Just head over to [hercules-ci.com](https://hercules-ci.com) to make an account.
 Then follow the docs to set up an [agent][agent], if you want to deploy to a
@ -17,7 +15,6 @@ binary cache (and of course you do), be sure _not_ to skip the
 [binary-caches.json][cache].
 ## Ready to Use
 The repo is already set up with the proper _default.nix_ file, building all
 declared packages, checks, profiles and shells. So you can see if something
 breaks, and never build the same package twice!
@ -26,7 +23,6 @@ If you want to get fancy, you could even have hercules
 [deploy your configuration](https://docs.hercules-ci.com/hercules-ci-effects/guide/deploy-a-nixos-machine/)!
 > ##### _Note:_
 >
 > Hercules doesn't have access to anything encrypted in the
 > [secrets folder](../../secrets), so none of your secrets will accidentally get
 > pushed to a cache by mistake.
--- a/doc/integrations/index.md
+++ b/doc/integrations/index.md
@ -1,5 +1,4 @@
 # Integrations
 This section explores some of the optional tools included with devos to provide
 a solution to common concerns such as ci and remote deployment. An effort is
 made to choose tools that treat nix, and where possible flakes, as first class
--- a/doc/integrations/nvfetcher.md
+++ b/doc/integrations/nvfetcher.md
@ -1,5 +1,4 @@
 # nvfetcher
 [NvFetcher][nvf] is a workflow companion for updating nix sources.
 You can specify an origin source and an update configuration, and
@ -16,7 +15,6 @@ and commit the results.
 ## Usage
 Statically fetching (not tracking) a particular tag from a github repo:
 ```toml
 [manix]
 src.manual = "v0.6.3"
@ -24,7 +22,6 @@ fetch.github = "mlvzk/manix"
 ```
 Tracking the latest github _release_ from a github repo:
 ```toml
 [manix]
 src.github = "mlvzk/manix" # responsible for tracking
@ -32,7 +29,6 @@ fetch.github = "mlvzk/manix" # responsible for fetching
 ```
 Tracking the latest commit of a git repository and fetch from a git repo:
 ```toml
 [manix]
 src.git = "https://github.com/mlvzk/manix.git" # responsible for tracking
@ -40,7 +36,6 @@ fetch.git = "https://github.com/mlvzk/manix.git" # responsible for fetching
 ```
 > ##### _Note:_
 >
 > Please refer to the [NvFetcher Readme][nvf-readme] for more options.
 [nvf]: https://github.com/berberman/nvfetcher
--- a/doc/outputs/index.md
+++ b/doc/outputs/index.md
@ -1,4 +1,3 @@
 # Layout
 Each of the following sections is a directory whose contents are output to the
 outside world via the flake's outputs. Check each chapter for details.
--- a/doc/outputs/modules.md
+++ b/doc/outputs/modules.md
@ -1,5 +1,4 @@
 # Modules
 The modules directory is a replica of nixpkg's NixOS [modules][nixpkgs-modules]
 , and follows the same semantics. This allows for trivial upstreaming into
 nixpkgs proper once your module is sufficiently stable.
@ -7,21 +6,18 @@ nixpkgs proper once your module is sufficiently stable.
 All modules linked in _module-list.nix_ are automatically exported via
 `nixosModules.<file-basename>`, and imported into all [hosts](../concepts/hosts.md).
 > ##### _Note:_
 >
 > This is reserved for declaring brand new module options. If you just want to
 > declare a coherent configuration of already existing and related NixOS options
 > , use [profiles](../concepts/profiles.md) instead.
 ## Semantics
 In case you've never written a module for nixpkgs before, here is a brief
 outline of the process.
 ### Declaration
 modules/services/service-category/my-service.nix:
 ```nix
 { config, lib, ... }:
 let
@ -41,9 +37,7 @@ in
 ```
 ### Import
 modules/module-list.nix:
 ```nix
 [
  ./services/service-category/my-service.nix
@ -53,9 +47,7 @@ modules/module-list.nix:
 ## Usage
 ### Internal
 profiles/profile-category/my-profile.nix:
 ```nix
 { ... }:
 {
@ -64,9 +56,7 @@ profiles/profile-category/my-profile.nix:
 ```
 ### External
 flake.nix:
 ```nix
 {
  # inputs omitted
--- a/doc/outputs/overlays.md
+++ b/doc/outputs/overlays.md
@ -1,5 +1,4 @@
 # Overlays
 Writing overlays is a common occurence when using a NixOS system. Therefore,
 we want to keep the process as simple and straightforward as possible.
@ -10,9 +9,7 @@ exported via `overlays.<channel>/<pkgName>` _as well as_
 write it.
 ## Example
 overlays/kakoune.nix:
 ```nix
 final: prev: {
  kakoune = prev.kakoune.override {
--- a/doc/outputs/pkgs.md
+++ b/doc/outputs/pkgs.md
@ -1,5 +1,4 @@
 # Packages
 Similar to [modules](./modules.md), the pkgs directory mirrors the upstream
 [nixpkgs/pkgs][pkgs], and for the same reason; if you ever want to upstream
 your package, it's as simple as dropping it into the nixpkgs/pkgs directory.
@ -20,24 +19,20 @@ date.
 This is best understood by the simple example below.
 ## Example
 It is possible to specify sources separately to keep them up to date semi 
 automatically.
 The basic rules are specified in pkgs/sources.toml:
 ```toml
 # nvfetcher.toml
 [libinih]
 src.github = "benhoyt/inih"
 fetch.github = "benhoyt/inih"
 ```
 After changes to this file as well as to update the packages specified in there run 
 nvfetcher (for more details see [nvfetcher](https://github.com/berberman/nvfetcher)).
 The pkgs overlay is managed in
 pkgs/default.nix:
 ```nix
 final: prev: {
  # keep sources first, this makes sources available to the pkgs
@ -50,7 +45,6 @@ final: prev: {
 Lastly the example package is in
 pkgs/development/libraries/libinih/default.nix:
 ```nix
 { stdenv, meson, ninja, lib, sources, ... }:
 stdenv.mkDerivation {
@ -65,8 +59,8 @@ stdenv.mkDerivation {
 }
 ```
 ## Migration from flake based approach
 ## Migration from flake based approach
 Previous to nvfetcher it was possible to manage sources via a pkgs/flake.nix, the main changes from there are that sources where in the attribute "srcs" (now "sources") and the contents of the sources where slightly different.
 In order to switch to the new system, rewrite pkgs/flake.nix to a pkgs/sources.toml file using the documentation of nvfetcher,
 add the line that calls the sources at the beginning of pkgs/default.nix, and 
@ -75,7 +69,6 @@ accomodate the small changes in the packages as can be seen from the example.
 The example package looked like:
 pkgs/flake.nix:
 ```nix
 {
  description = "Package sources";
@ -88,7 +81,6 @@ pkgs/flake.nix:
 ```
 pkgs/default.nix:
 ```nix
 final: prev: {
  # then, call packages with `final.callPackage`
@ -97,7 +89,6 @@ final: prev: {
 ```
 pkgs/development/libraries/libinih/default.nix:
 ```nix
 { stdenv, meson, ninja, lib, srcs, ... }:
 let inherit (srcs) libinih; in
--- a/doc/secrets.md
+++ b/doc/secrets.md
@ -1,11 +1,9 @@
 # Secrets
 Secrets are managed using [agenix][agenix]
 so you can keep your flake in a public repository like GitHub without
 exposing your password or other sensitive data.
 ## Agenix
 Currently, there is [no mechanism][secrets-issue] in nix itself to deploy secrets
 within the nix store because it is world-readable.
@ -19,7 +17,6 @@ matching ssh private key can read the data. The [age module][age module] will ad
 encrypted files to the nix store and decrypt them on activation to `/run/agenix`.
 ### Setup
 All hosts must have openssh enabled, this is done by default in the core profile.
 You need to populate your `secrets/secrets.nix` with the proper ssh public keys.
@ -27,7 +24,6 @@ Be extra careful to make sure you only add public keys, you should never share a
 private key!!
 secrets/secrets.nix:
 ```nix
 let
  system = "<system ssh key>";
@ -41,25 +37,22 @@ this file doesn't exist you likely need to enable openssh and rebuild your syste
 Your users ssh public key is probably stored in `~/.ssh/id_ed25519.pub` or
 `~/.ssh/id_rsa.pub`. If you haven't generated a ssh key yet, be sure do so:
 ```sh
 ssh-keygen -t ed25519
 ```
 > ##### _Note:_
 >
 > The underlying tool used by agenix, rage, doesn't work well with password protected
 > ssh keys. So if you have lots of secrets you might have to type in your password many
 > times.
 ### Secrets
 ### Secrets
 You will need the `agenix` command to create secrets. DevOS conveniently provides that
 in the devShell, so just run `nix develop` whenever you want to edit secrets. Make sure
 to always run `agenix` while in the `secrets/` folder, so it can pick up your `secrets.nix`.
 To create secrets, simply add lines to your `secrets/secrets.nix`:
 ```
 let
  ...
@ -69,26 +62,21 @@ in
  "secret.age".publicKeys = allKeys;
 }
 ```
 That would tell agenix to create a `secret.age` file that is encrypted with the `system`
 and `user` ssh public key.
 Then go into the `secrets` folder and run:
 ```sh
 agenix -e secret.age
 ```
 This will create the `secret.age`, if it doesn't already exist, and allow you to edit it.
 If you ever change the `publicKeys` entry of any secret make sure to rekey the secrets:
 ```sh
 agenix --rekey
 ```
 ### Usage
 Once you have your secret file encrypted and ready to use, you can utilize the [age module][age module]
 to ensure that your secrets end up in `/run/secrets`.
@ -101,14 +89,15 @@ In any profile that uses a NixOS module that requires a secret you can enable a
 }
 ```
 Then you can just pass the path `/run/agenix/mysecret` to the module.
 You can make use of the many options provided by the age module to customize where and how
 secrets get decrypted. You can learn about them by looking at the
 [age module][age module].
 > ##### _Note:_
 >
 > You can take a look at the [agenix repository][agenix] for more information
 > about the tool.
--- a/doc/start/index.md
+++ b/doc/start/index.md
@ -1,49 +1,50 @@
 # Quick Start
 The only dependency is nix, so make sure you have it [installed][install-nix].
 ## Get the Template
-
+If you currently don't have flakes setup, you can utilize the digga shell to pull the template:
 If you currently don't have flakes setup, you can utilize the digga shell to
 pull the template:
 ```sh
 nix-shell "https://github.com/divnix/digga/archive/main.tar.gz" \
  --run "nix flake init -t github:divnix/digga"
 ```
 If you already have flakes support, you can directly pull the template:
 ```sh
 nix flake init -t github:divnix/digga
 ```
 Then make sure to create the git repository:
 ```sh
 git init
 git add .
-git commit
+git commit -m init
 ```
-Finally, run `nix-shell` to get to an interactive shell with all the
+To drop into a nix-shell, if you don't have flakes setup, use the digga shell to create a `flake.lock`:
-dependencies, including the unstable nix version required. You can run `menu` to
+```sh
-confirm that you are using digga (expected output includes [docs], [general
+nix-shell "https://github.com/divnix/digga/archive/main.tar.gz" \
-commands], [linter], etc.).
+  --run "nix flake lock"
 ```
 Or if you do have flakes support, just run:
 ```sh
 nix flake lock
 ```
 Finally, run `nix-shell` to get to an interactive shell with all the dependencies, including the unstable nix
 version required. You can run `menu` to confirm that you are using digga (expected output includes [docs], [general commands], [linter], etc.).
 In addition, the [binary cache](../integrations/cachix.md) is added for faster deployment.
-> # _Notes:_
+> ##### _Notes:_
 >
 > - Flakes ignore files that have not been added to git, so be sure to stage new
 >   files before building the system.
 > - You can choose to simply clone the repo with git if you want to follow
 >   upstream changes.
-> - If the `nix-shell -p cachix --run "cachix use nrdxp"` line doesn't work you
+> - If the `nix-shell -p cachix --run "cachix use nrdxp"` line doesn't work
->   can try with sudo: `sudo nix-shell -p cachix --run "cachix use nrdxp"`
+>   you can try with sudo: `sudo nix-shell -p cachix --run "cachix use nrdxp"`
-## Next Steps
+## Next Steps:
 - [Make installable ISO](./iso.md)
 [install-nix]: https://nixos.org/manual/nix/stable/#sect-multi-user-installation
--- a/doc/tests.md
+++ b/doc/tests.md
@ -6,29 +6,18 @@ configuration, and, optionally, run them in
 [CI](./integrations/hercules.md).
 ## Unit Tests
 Unit tests can be created from regular derivations, and they can do
 almost anything you can imagine. By convention, it is best to test your
 packages during their [check phase][check]. All packages and their tests will
 be built during CI.
 ## Integration Tests
-
+All your profiles defined in suites will be tested in a NixOS VM.
 All your profiles defined in suites can be tested against an individual host.
 Simply use digga's pre-baked `digga.lib.allProfilesTest` like so:
 ```nix
 {
  hosts = {
    Morty.tests = [ allProfilesTest ];
  };
 }
 ```
 You can write integration tests for one or more NixOS VMs that can,
 optionally, be networked together, and yes, it's as awesome as it sounds!
-Be sure to use the `mkTest` function from Digga, `digga.lib.mkTest`
+Be sure to use the `mkTest` function from digga, `digga.lib.pkgs-lib.mkTest`
 which wraps the official [testing-python][testing-python] function to ensure
 that the system is setup exactly as it is for a bare DevOS system. There are
 already great resources for learning how to use these tests effectively,
@ -37,7 +26,7 @@ and the examples in [nixpkgs][nixos-tests].
 [test-doc]: https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests
 [test-blog]: https://www.haskellforall.com/2020/11/how-to-use-nixos-for-lightweight.html
-[default]: https://github.com/divnix/devos/tree/core/tests/default.nix
+[default]: https://github.com/divnix/devos/tree/main/tests/default.nix
 [run-test]: https://github.com/NixOS/nixpkgs/blob/6571462647d7316aff8b8597ecdf5922547bf365/lib/debug.nix#L154-L166
 [nixos-tests]: https://github.com/NixOS/nixpkgs/tree/master/nixos/tests
 [testing-python]: https://github.com/NixOS/nixpkgs/tree/master/nixos/lib/testing-python.nix
--- a/flake.lock
+++ b/flake.lock
@ -2,19 +2,16 @@
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": [
          "darwin"
        ],
        "nixpkgs": [
          "nixos"
        ]
      },
      "locked": {
-        "lastModified": 1682101079,
+        "lastModified": 1665870395,
-        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
+        "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
+        "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
        "type": "github"
      },
      "original": {
@ -23,6 +20,21 @@
        "type": "github"
      }
    },
    "blank": {
      "locked": {
        "lastModified": 1625557891,
        "narHash": "sha256-O8/MWsPBGhhyPoPLHZAuoZiiHo9q6FLlEeIDEXuj6T4=",
        "owner": "divnix",
        "repo": "blank",
        "rev": "5a5d2684073d9f563072ed07c871d577a6c614a8",
        "type": "github"
      },
      "original": {
        "owner": "divnix",
        "repo": "blank",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@ -30,11 +42,32 @@
        ]
      },
      "locked": {
-        "lastModified": 1696360011,
+        "lastModified": 1666614183,
-        "narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
+        "narHash": "sha256-R5+bCtUquwSfQmRBbCYc6FT6xtCaAebh0KE187e8458=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
+        "rev": "0f90e1c34caedd0bf765ebe47b92dd1ceffafcc8",
        "type": "github"
      },
      "original": {
        "owner": "LnL7",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "darwin_2": {
      "inputs": {
        "nixpkgs": [
          "digga",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1651916036,
        "narHash": "sha256-UuD9keUGm4IuVEV6wdSYbuRm7CwfXE63hVkzKDjVsh4=",
        "owner": "LnL7",
        "repo": "nix-darwin",
        "rev": "2f2bdf658d2b79bada78dc914af99c53cad37cba",
        "type": "github"
      },
      "original": {
@ -45,20 +78,18 @@
    },
    "deploy": {
      "inputs": {
-        "flake-compat": [
+        "flake-compat": "flake-compat",
          "flake-compat"
        ],
        "nixpkgs": [
          "nixos"
        ],
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1695052866,
+        "lastModified": 1659725433,
-        "narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
+        "narHash": "sha256-1ZxuK67TL29YLw88vQ18Y2Y6iYg8Jb7I6/HVzmNB6nM=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
+        "rev": "41f15759dd8b638e7b4f299730d94d5aa46ab7eb",
        "type": "github"
      },
      "original": {
@ -76,11 +107,30 @@
        ]
      },
      "locked": {
-        "lastModified": 1671489820,
+        "lastModified": 1655976588,
-        "narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=",
+        "narHash": "sha256-VreHyH6ITkf/1EX/8h15UqhddJnUleb0HgbC3gMkAEQ=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634",
+        "rev": "899ca4629020592a13a46783587f6e674179d1db",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "devshell_2": {
      "inputs": {
        "flake-utils": "flake-utils_4",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1663445644,
        "narHash": "sha256-+xVlcK60x7VY1vRJbNUEAHi17ZuoQxAIH4S4iUFUGBA=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "e3dc3e21594fe07bdb24bdf1c8657acaa4cb8f66",
        "type": "github"
      },
      "original": {
@ -91,21 +141,18 @@
    },
    "digga": {
      "inputs": {
-        "darwin": [
+        "blank": "blank",
-          "darwin"
+        "darwin": "darwin_2",
        ],
        "deploy": [
          "deploy"
        ],
        "devshell": "devshell",
-        "flake-compat": [
+        "flake-compat": "flake-compat_2",
          "flake-compat"
        ],
        "flake-utils": "flake-utils_2",
        "flake-utils-plus": "flake-utils-plus",
        "home-manager": [
          "home"
        ],
        "latest": "latest",
        "nixlib": [
          "nixos"
        ],
@ -115,11 +162,11 @@
        "nixpkgs-unstable": "nixpkgs-unstable"
      },
      "locked": {
-        "lastModified": 1674947971,
+        "lastModified": 1661600857,
-        "narHash": "sha256-6gKqegJHs72jnfFP9g2sihl4fIZgtKgKuqU2rCkIdGY=",
+        "narHash": "sha256-KfQCcTtfvU0PXV4fD9XKIMcKx9lUUR0xWJoBgc12fKE=",
        "owner": "pub-solar",
        "repo": "digga",
-        "rev": "2da608bd8afb48afef82c6b1b6d852a36094a497",
+        "rev": "c902b3ef0aa45cb4f336c390f647bb182c38a221",
        "type": "github"
      },
      "original": {
@ -129,14 +176,53 @@
        "type": "github"
      }
    },
    "fenix": {
      "inputs": {
        "nixpkgs": [
          "nix-autobahn",
          "nixpkgs"
        ],
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
        "lastModified": 1655188051,
        "narHash": "sha256-Cf/qNGb7Xw84TPPep0iIZLLhSXiFq9h+tt6TnfaQMrE=",
        "ref": "main",
        "rev": "522a4e99be1f8fcc94b94666c3a44677d668f539",
        "revCount": 1067,
        "type": "git",
        "url": "https://github.com/nix-community/fenix"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://github.com/nix-community/fenix"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1673956053,
+        "lastModified": 1648199409,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "64a525ee38886ab9028e6f61790de0832aa3ef03",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1650374568,
        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
        "type": "github"
      },
      "original": {
@ -162,10 +248,7 @@
    },
    "flake-utils-plus": {
      "inputs": {
-        "flake-utils": [
+        "flake-utils": "flake-utils_2"
          "digga",
          "flake-utils"
        ]
      },
      "locked": {
        "lastModified": 1654029967,
@ -184,11 +267,11 @@
    },
    "flake-utils_2": {
      "locked": {
-        "lastModified": 1667395993,
+        "lastModified": 1644229661,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
        "type": "github"
      },
      "original": {
@ -197,19 +280,48 @@
        "type": "github"
      }
    },
-    "fork": {
+    "flake-utils_3": {
      "locked": {
-        "lastModified": 1692960587,
+        "lastModified": 1653893745,
-        "narHash": "sha256-39SKGdhn8jKKkdqhULbCvQOpdUPE9NNJpy5HTB++Jvg=",
+        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
-        "owner": "teutat3s",
+        "owner": "numtide",
-        "repo": "nixpkgs",
+        "repo": "flake-utils",
-        "rev": "312709dd70684f52496580e533d58645526b1c90",
+        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
        "type": "github"
      },
      "original": {
-        "owner": "teutat3s",
+        "owner": "numtide",
-        "ref": "nvfetcher-fix",
+        "repo": "flake-utils",
-        "repo": "nixpkgs",
+        "type": "github"
      }
    },
    "flake-utils_4": {
      "locked": {
        "lastModified": 1642700792,
        "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_5": {
      "locked": {
        "lastModified": 1659877975,
        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
@ -220,27 +332,27 @@
        ]
      },
      "locked": {
-        "lastModified": 1695108154,
+        "lastModified": 1665996265,
-        "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
+        "narHash": "sha256-/k9og6LDBQwT+f/tJ5ClcWiUl8kCX5m6ognhsAxOiCY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "07682fff75d41f18327a871088d20af2710d4744",
+        "rev": "b81e128fc053ab3159d7b464d9b7dedc9d6a6891",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-23.05",
+        "ref": "release-22.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "latest": {
      "locked": {
-        "lastModified": 1696604326,
+        "lastModified": 1657265485,
-        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
+        "narHash": "sha256-PUQ9C7mfi0/BnaAUX2R/PIkoNCb/Jtx9EpnhMBNrO/o=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
+        "rev": "b39924fc7764c08ae3b51beef9a3518c414cdb7d",
        "type": "github"
      },
      "original": {
@ -250,29 +362,140 @@
        "type": "github"
      }
    },
    "latest_2": {
      "locked": {
        "lastModified": 1666539104,
        "narHash": "sha256-jeuC+d375wHHxMOFLgu7etseCQVJuPNKoEc9X9CsErg=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "0e6df35f39651504249a05191f9a78d251707e22",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "master": {
      "locked": {
        "lastModified": 1666615827,
        "narHash": "sha256-oAf8l7eMEFjXMVsrQgHnRUeQbSrY/Amjm8xnUioNbJ8=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "f93f9f43c6b3347b2091a8a41421d31e84cb9275",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "naersk": {
      "inputs": {
        "nixpkgs": [
          "nixos"
        ]
      },
      "locked": {
        "lastModified": 1662220400,
        "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
        "owner": "nmattia",
        "repo": "naersk",
        "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
        "type": "github"
      },
      "original": {
        "owner": "nmattia",
        "repo": "naersk",
        "type": "github"
      }
    },
    "nix-autobahn": {
      "inputs": {
        "fenix": "fenix",
        "naersk": [
          "naersk"
        ],
        "nixpkgs": [
          "latest"
        ],
        "utils": "utils_2"
      },
      "locked": {
        "lastModified": 1655761558,
        "narHash": "sha256-BGKT0RQGJ1CtTssfPhI4PABV1Gh6Wyq/cf6GN30TUAY=",
        "owner": "wucke13",
        "repo": "nix-autobahn",
        "rev": "85861fdd5cc32b65e75db4e6be478fe2da455dba",
        "type": "github"
      },
      "original": {
        "owner": "wucke13",
        "repo": "nix-autobahn",
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
        "lastModified": 1636849918,
        "narHash": "sha256-nzUK6dPcTmNVrgTAC1EOybSMsrcx+QrVPyqRdyKLkjA=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "28a5b0557f14124608db68d3ee1f77e9329e9dd5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixos": {
      "locked": {
-        "lastModified": 1696697597,
+        "lastModified": 1666528161,
-        "narHash": "sha256-q26Qv4DQ+h6IeozF2o1secyQG0jt2VUT3V0K58jr3pg=",
+        "narHash": "sha256-PFOQSC0x4xPD1p/GZIbpKuoEBu6M8HnEOeNRiBUCELA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5a237aecb57296f67276ac9ab296a41c23981f56",
+        "rev": "471d92178b978fcbad8db27c2e8a4e737d4e0e27",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-23.05",
+        "ref": "nixos-22.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1666016402,
        "narHash": "sha256-Cm/nrdUMXwXiFQforG1Mv8OA4o8yhuVx6E1eDFH4rew=",
        "owner": "nix-community",
        "repo": "nixos-generators",
        "rev": "688db42a1eb34853f050267ff65c975f664312f0",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixos-generators",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1696614066,
+        "lastModified": 1665987993,
-        "narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=",
+        "narHash": "sha256-MvlaIYTRiqefG4dzI5p6vVCfl+9V8A1cPniUjcn6Ngc=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0",
+        "rev": "0e6593630071440eb89cd97a52921497482b22c6",
        "type": "github"
      },
      "original": {
@ -281,43 +504,156 @@
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1637186689,
        "narHash": "sha256-NU7BhgnwA/3ibmCeSzFK6xGi+Bari9mPfn+4cBmyEjw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "7fad01d9d5a3f82081c00fb57918d64145dc904c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1672791794,
+        "lastModified": 1657292830,
-        "narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=",
+        "narHash": "sha256-ldfVSTveWceDCmW6gf3B4kR6vwmz/XS80y5wsLLHFJU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d",
+        "rev": "334ec8b503c3981e37a04b817a70e8d026ea9e84",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1643381941,
        "narHash": "sha256-pHTwvnN4tTsEKkWlXQ8JMY423epos8wUOhthpwJjtpc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "5efc8ca954272c4376ac929f4c5ffefcc20551d5",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nur": {
      "locked": {
        "lastModified": 0,
        "narHash": "sha256-koC6DBYmLCrgXA+AMHVaODf1uHYPmvcFygHfy3eg6vI=",
        "path": "/nix/store/6mfkswqi67m35qwv0vh7kpk8rypbl2rq-source",
        "type": "path"
      },
      "original": {
        "id": "nur",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "darwin": "darwin",
        "deploy": "deploy",
        "digga": "digga",
        "flake-compat": "flake-compat",
        "fork": "fork",
        "home": "home",
-        "latest": "latest",
+        "latest": "latest_2",
        "master": "master",
        "naersk": "naersk",
        "nix-autobahn": "nix-autobahn",
        "nixos": "nixos",
-        "nixos-hardware": "nixos-hardware"
+        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nur": "nur",
        "triton-vmtools": "triton-vmtools",
        "tritonshell": "tritonshell"
      }
    },
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
        "lastModified": 1655114284,
        "narHash": "sha256-2yz3TexDtxXMMjYKn1SImavH3Zflkxte6/5ESncu5E4=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
        "rev": "7db73875ac0d9280ae93b14232249d9c1496583a",
        "type": "github"
      },
      "original": {
        "owner": "rust-lang",
        "ref": "nightly",
        "repo": "rust-analyzer",
        "type": "github"
      }
    },
    "triton-vmtools": {
      "inputs": {
        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "latest"
        ]
      },
      "locked": {
        "dir": "vmtools",
        "lastModified": 1665580523,
        "narHash": "sha256-cpe/wE10iXQ7Rnbmpu0i2oUqw306lLs+NKSJ+e+/4Sk=",
        "ref": "main",
        "rev": "b6bb5c4f37bf184f2072618b82c51a552eaf8168",
        "revCount": 26,
        "type": "git",
        "url": "https://git.b12f.io/pub-solar/infra?dir=vmtools"
      },
      "original": {
        "dir": "vmtools",
        "ref": "main",
        "type": "git",
        "url": "https://git.b12f.io/pub-solar/infra?dir=vmtools"
      }
    },
    "tritonshell": {
      "inputs": {
        "devshell": "devshell_2",
        "flake-utils": "flake-utils_5",
        "nixpkgs": [
          "latest"
        ]
      },
      "locked": {
        "lastModified": 1665580466,
        "narHash": "sha256-q8kVIE3XaOSCVl7oqkaKs2LDEbBcZRIzlnSG8PIKRQ0=",
        "ref": "main",
        "rev": "70d759b6d8b5e076bee6a28255614ab3d75f6763",
        "revCount": 49,
        "type": "git",
        "url": "https://git.greenbaum.cloud/dev/tritonshell"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.greenbaum.cloud/dev/tritonshell"
      }
    },
    "utils": {
      "locked": {
-        "lastModified": 1667395993,
+        "lastModified": 1648297722,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
        "type": "github"
      },
      "original": {
@ -325,6 +661,21 @@
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "utils_2": {
      "locked": {
        "lastModified": 1653893745,
        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
        "ref": "master",
        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
        "revCount": 58,
        "type": "git",
        "url": "https://github.com/numtide/flake-utils"
      },
      "original": {
        "type": "git",
        "url": "https://github.com/numtide/flake-utils"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -2,26 +2,23 @@
  description = "A highly structured configuration database.";
  nixConfig.extra-experimental-features = "nix-command flakes";
  nixConfig.extra-substituters = "https://nix-dram.cachix.org https://dram.cachix.org  https://nrdxp.cachix.org https://nix-community.cachix.org";
  nixConfig.extra-trusted-public-keys = "nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=";
-  inputs = {
+  inputs =
    {
      # Track channels with commits tested and built by hydra
-    nixos.url = "github:nixos/nixpkgs/nixos-23.05";
+      nixos.url = "github:nixos/nixpkgs/nixos-22.05";
      latest.url = "github:nixos/nixpkgs/nixos-unstable";
-
+      master.url = "github:nixos/nixpkgs/master";
    fork.url = "github:teutat3s/nixpkgs/nvfetcher-fix";
    flake-compat.url = "github:edolstra/flake-compat";
    flake-compat.flake = false;
      digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
      digga.inputs.nixpkgs.follows = "nixos";
      digga.inputs.nixlib.follows = "nixos";
      digga.inputs.home-manager.follows = "home";
      digga.inputs.deploy.follows = "deploy";
    digga.inputs.darwin.follows = "darwin";
    digga.inputs.flake-compat.follows = "flake-compat";
-    home.url = "github:nix-community/home-manager/release-23.05";
+      home.url = "github:nix-community/home-manager/release-22.05";
      home.inputs.nixpkgs.follows = "nixos";
      darwin.url = "github:LnL7/nix-darwin";
@ -29,52 +26,62 @@
      deploy.url = "github:serokell/deploy-rs";
      deploy.inputs.nixpkgs.follows = "nixos";
    deploy.inputs.flake-compat.follows = "flake-compat";
      agenix.url = "github:ryantm/agenix";
      agenix.inputs.nixpkgs.follows = "nixos";
-    agenix.inputs.darwin.follows = "darwin";
+
      naersk.url = "github:nmattia/naersk";
      naersk.inputs.nixpkgs.follows = "nixos";
      nixos-hardware.url = "github:nixos/nixos-hardware";
      nixos-generators.url = "github:nix-community/nixos-generators";
      # PubSolarOS additions
      triton-vmtools.url = "git+https://git.b12f.io/pub-solar/infra?ref=main&dir=vmtools";
      triton-vmtools.inputs.nixpkgs.follows = "latest";
      tritonshell.url = "git+https://git.greenbaum.cloud/dev/tritonshell?ref=main";
      tritonshell.inputs.nixpkgs.follows = "latest";
      nix-autobahn.url = "github:wucke13/nix-autobahn";
      nix-autobahn.inputs.nixpkgs.follows = "latest";
      nix-autobahn.inputs.naersk.follows = "naersk";
    };
-  outputs = {
+  outputs =
-    self,
+    { self
-    digga,
+    , digga
-    nixos,
+    , nixos
-    home,
+    , home
-    nixos-hardware,
+    , nixos-hardware
-    agenix,
+    , nur
-    deploy,
+    , agenix
-    ...
+    , deploy
    , tritonshell
    , nix-autobahn
    , ...
    } @ inputs:
    digga.lib.mkFlake
      {
        inherit self inputs;
        channelsConfig = {
-        # allowUnfree = true;
+          allowUnfree = true;
        };
-      supportedSystems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin"];
+        supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
        channels = {
          nixos = {
-          imports = [(digga.lib.importOverlays ./overlays)];
+            imports = [ (digga.lib.importOverlays ./overlays) ];
-          overlays = [
+            overlays = [ ];
            (self: super: {
              deploy-rs = {
                inherit (inputs.nixos.legacyPackages.x86_64-linux) deploy-rs;
                lib = inputs.deploy.lib.x86_64-linux;
          };
-            })
+          latest = { };
-          ];
+          master = { };
        };
        latest = {};
        fork = {};
        };
-      lib = import ./lib {lib = digga.lib // nixos.lib;};
+        lib = import ./lib { lib = digga.lib // nixos.lib; };
        sharedOverlays = [
          (final: prev: {
@ -83,7 +90,8 @@
              our = self.lib;
            });
          })
-        agenix.overlays.default
+          nur.overlay
          agenix.overlay
          (import ./pkgs)
        ];
@ -92,9 +100,9 @@
          hostDefaults = {
            system = "x86_64-linux";
            channelName = "nixos";
-          imports = [(digga.lib.importExportableModules ./modules)];
+            imports = [ (digga.lib.importExportableModules ./modules) ];
            modules = [
-            {lib.our = self.lib;}
+              { lib.our = self.lib; }
              # FIXME: upstream module causes a huge number of unnecessary
              # dependencies to be pulled in for all systems -- many of them are
              # graphical. should only be imported as needed.
@ -105,9 +113,9 @@
            ];
          };
-        imports = [(digga.lib.importHosts ./hosts)];
+          imports = [ (digga.lib.importHosts ./hosts) ];
          hosts = {
-          # Set host-specific properties here
+            /* set host specific properties here */
            bootstrap = {
              modules = [
                digga.nixosModules.bootstrapIso
@ -115,43 +123,44 @@
            };
            PubSolarOS = {
              tests = [
-              #(import ./tests/first-test.nix {
+                (import ./tests/first-test.nix { pkgs = nixos.legacyPackages.x86_64-linux; lib = nixos.lib; })
              #  pkgs = nixos.legacyPackages.x86_64-linux;
              #  lib = nixos.lib;
              #})
              ];
            };
            fae = {
              system = "aarch64-linux";
            };
            powder = {
              system = "x86_64-linux";
            };
          };
          importables = rec {
-          profiles =
+            profiles = digga.lib.rakeLeaves ./profiles // {
            digga.lib.rakeLeaves ./profiles
            // {
              users = digga.lib.rakeLeaves ./users;
            };
            suites = with profiles; rec {
-            base = [users.pub-solar users.root];
+              base = [ users.pub-solar users.root ];
-            iso = base ++ [base-user graphical pub-solar-iso];
+              iso = base ++ [ base-user graphical pub-solar-iso ];
-            pubsolaros = [full-install base-user users.root];
+              pubsolaros = [ full-install base-user users.root ];
-            anonymous = [pubsolaros users.pub-solar];
+              anonymous = [ pubsolaros users.pub-solar ];
              teutat3s = pubsolaros ++ [ users.teutat3s ];
              dumpyourvms = teutat3s ++ [ graphical ];
              ryzensun = teutat3s ++ [ graphical ];
            };
          };
        };
        home = {
-        imports = [(digga.lib.importExportableModules ./users/modules)];
+          imports = [ (digga.lib.importExportableModules ./users/modules) ];
-        modules = [];
+          modules = [ ];
          importables = rec {
            profiles = digga.lib.rakeLeaves ./users/profiles;
            suites = with profiles; rec {
-            base = [direnv git];
+              base = [ direnv ];
            };
          };
          users = {
-          pub-solar = {suites, ...}: {
+            pub-solar = { suites, ... }: { imports = suites.base; };
-            imports = suites.base;
+            teutat3s = { suites, ... }: { imports = suites.base; };
            home.stateVersion = "21.03";
          };
          }; # digga.lib.importers.rakeLeaves ./users/hm;
        };
@ -160,16 +169,26 @@
        homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
        deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
-        #example = {
+          fae = {
-        #  hostname = "example.com:22";
+            hostname = "fae.fritz.box:22";
-        #  sshUser = "bartender";
+            sshUser = "pub-solar";
-        #  fastConnect = true;
+            fastConnect = true;
-        #  profilesOrder = ["system" "direnv"];
+            profilesOrder = [ "system" "direnv" ];
-        #  profiles.direnv = {
+            profiles.direnv = {
-        #    user = "bartender";
+              user = "pub-solar";
-        #    path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
+              path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.pub-solar;
        #  };
        #};
            };
          };
          powder = {
            hostname = "80.71.153.194";
            sshUser = "root";
            profilesOrder = [ "system" "direnv" ];
            profiles.direnv = {
              user = "pub-solar";
              path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.pub-solar;
            };
          };
        };
      }
  ;
 }
--- a/hosts/PubSolarOS.nix
+++ b/hosts/PubSolarOS.nix
@ -1,15 +1,17 @@
-{suites, ...}: {
+{ suites, ... }:
 {
  ### root password is empty by default ###
  ### default password: pub-solar, optional: add your SSH keys
  imports =
-    suites.iso;
+    suites.iso
  ;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.networkmanager.enable = true;
-  fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
+  fileSystems."/" = { device = "/dev/disk/by-label/nixos"; };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
--- a/hosts/bootstrap.nix
+++ b/hosts/bootstrap.nix
@ -1,14 +1,10 @@
-{
+{ config, lib, pkgs, profiles, ... }:
-  config,
+with lib;
-  lib,
+let
  pkgs,
  profiles,
  ...
 }:
 with lib; let
  # Gets hostname of host to be bundled inside iso
  # Copied from https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L3-L11
-  getFqdn = config: let
+  getFqdn = config:
    let
      net = config.networking;
      fqdn =
        if (net ? domain) && (net.domain != null)
@ -16,7 +12,8 @@ with lib; let
        else net.hostName;
    in
      fqdn;
-in {
+in
 {
  # build with: `nix build ".#nixosConfigurations.bootstrap.config.system.build.isoImage"`
  imports = [
    # profiles.networking
@ -31,7 +28,7 @@ in {
    boot.loader.systemd-boot.enable = true;
    # will be overridden by the bootstrapIso instrumentation
-    fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
+    fileSystems."/" = { device = "/dev/disk/by-label/nixos"; };
    system.nixos.label = "PubSolarOS-" + config.system.nixos.version;
--- a/hosts/dumpyourvms/.config/sway/config.d/applications.conf
+++ b/hosts/dumpyourvms/.config/sway/config.d/applications.conf
@ -0,0 +1,14 @@
 assign [app_id="firefox"] $ws2
 # seahorse
 for_window [title="seahorse"] floating enabled
 # NetworkManager
 for_window [app_id="nm-connection-editor"] floating enabled
 # thunderbird
 for_window [title="New Task:*"] floating enabled
 for_window [title="Edit Task:*"] floating enabled
 for_window [title="New Event:*"] floating enabled
 for_window [title="Edit Event:*"] floating enabled
--- a/hosts/dumpyourvms/.config/sway/config.d/autostart.conf
+++ b/hosts/dumpyourvms/.config/sway/config.d/autostart.conf
@ -0,0 +1,6 @@
 # Autostart applications
 #
 # Example:
 # exec swayidle
 exec qMasterPassword
--- a/hosts/dumpyourvms/.config/sway/config.d/custom-keybindings.conf
+++ b/hosts/dumpyourvms/.config/sway/config.d/custom-keybindings.conf
@ -0,0 +1,3 @@
 # switch keyboard input language
 bindsym $mod+tab exec swaymsg input "1452:628:Apple_Inc._Apple_Internal_Keyboard_/_Trackpad" xkb_switch_layout next
--- a/hosts/dumpyourvms/.config/sway/config.d/input-defaults.conf
+++ b/hosts/dumpyourvms/.config/sway/config.d/input-defaults.conf
@ -0,0 +1,35 @@
 ### Input configuration
 #
 # You can get the names of your inputs by running: swaymsg -t get_inputs
 # Read `man 5 sway-input` for more information about this section.
 input "type:keyboard" {
  xkb_layout us(intl),de
  xkb_model pc105
  xkb_options ctrl:nocaps
 }
 input "type:touchpad" {
  tap enabled
  natural_scroll enabled
 }
 # Touchpad controls
 #bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
 # Screen brightness controls
 bindsym XF86MonBrightnessUp exec "brightnessctl -d gmux_backlight set +10%"
 bindsym XF86MonBrightnessDown exec "brightnessctl -d gmux_backlight set 10%-"
 # Keyboard backlight brightness controls
 bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-"
 bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%"
 # Pulse Audio controls
 bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #increase sound volume
 bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #decrease sound volume
 bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle # mute sound
 # Media player controls
 bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
 bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
 bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
--- a/hosts/dumpyourvms/.config/sway/config.d/screens.conf
+++ b/hosts/dumpyourvms/.config/sway/config.d/screens.conf
@ -0,0 +1,41 @@
 ### Output configuration
 #
 # Example configuration:
 #
 #   output HDMI-A-1 resolution 1920x1080 position 1920,0
 #
 # You can get the names of your outputs by running: swaymsg -t get_outputs
 set $main_screen eDP-1
 set $displayport DP-1
 set $hmdi HDMI-A-1
 output $main_screen scale 2
 output $displayport scale 2
 output $hdmi scale 1
 output $main_screen pos 0 0
 output $displayport pos 0 -1080
 output $hdmi pos 1440 0
 #bindswitch lid:on output $main_screen disable
 #bindswitch lid:off output $main_screen enable
 bindsym $mod+Shift+x output $main_screen toggle
 # TODO when using more monitors
 ## Manual management of external displays
 # Set the shortcuts and what they do
 #set $mode_display HDMI (i) top, (j) left, (k) bottom, (l) right, (o) off
 #mode "$mode_display" {
 #    bindsym i output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 1080, mode "default"
 #    bindsym j output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 1920 0, mode "default"
 #    bindsym k output HDMI-A-1 enable; output HDMI-A-1 pos 0 900 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
 #    bindsym l output HDMI-A-1 enable; output HDMI-A-1 pos 1440 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
 #    bindsym o output HDMI-A-1 disable, mode "default"
 #
 #    # back to normal: Enter or Escape
 #    bindsym Return mode "default"
 #    bindsym Escape mode "default"
 #}
 ## Declare here the shortcut to bring the display selection menu
 #bindsym $mod+x mode "$mode_display"
--- a/hosts/dumpyourvms/consul-agent-ca.pem
+++ b/hosts/dumpyourvms/consul-agent-ca.pem
@ -0,0 +1,21 @@
 -----BEGIN CERTIFICATE-----
 MIIDbzCCAxSgAwIBAgIRAMK20/fFF0YVThq8xm/YvBswCgYIKoZIzj0EAwIwgbkx
 CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
 bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
 FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
 IDI1ODgxOTUyODQyOTMwNjIxMjY4NDgwMTUxODE3OTM2NjUxNzc4NzAeFw0xOTEx
 MDYwMDI3MzVaFw0yNDExMDQwMDI3MzVaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
 CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
 bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
 Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAyNTg4MTk1Mjg0MjkzMDYyMTI2
 ODQ4MDE1MTgxNzkzNjY1MTc3ODcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQE
 SZ2kc9rKUNX3czze+rFR/bZdLx3JEYrpcSXKkpv1wr68E1Jqhi/8Dm8b62Ei/Bc6
 ZhoJvtB2Shtl+6LbjccUo4H6MIH3MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8E
 BTADAQH/MGgGA1UdDgRhBF9hZjo4MzoyZTpiOToyZTozMzo5MDplOTpkMjpiNzpj
 NjpjYzpkYToxODoyYTphNzpjMzo5ZTozMTpmNTpkZTo4Mzo4YzozMDo0Mjo3OTo4
 ZDo0ZDpmZDozMjo2NzpiYjBqBgNVHSMEYzBhgF9hZjo4MzoyZTpiOToyZTozMzo5
 MDplOTpkMjpiNzpjNjpjYzpkYToxODoyYTphNzpjMzo5ZTozMTpmNTpkZTo4Mzo4
 YzozMDo0Mjo3OTo4ZDo0ZDpmZDozMjo2NzpiYjAKBggqhkjOPQQDAgNJADBGAiEA
 zKCV25P6HqFEa1iUVQnsNAp/WHUwxNlR0OctZSdiuIkCIQDiRK03ZYSK/hmY9kXV
 42nj6kO8MexfiYN4IE4URmzYnA==
 -----END CERTIFICATE-----
--- a/hosts/dumpyourvms/default.nix
+++ b/hosts/dumpyourvms/default.nix
@ -0,0 +1,6 @@
 { suites, ... }:
 {
  imports = [
    ./dumpyourvms.nix
  ] ++ suites.dumpyourvms;
 }
--- a/hosts/dumpyourvms/dumpyourvms.nix
+++ b/hosts/dumpyourvms/dumpyourvms.nix
@ -0,0 +1,153 @@
 { config, pkgs, lib, self, ... }:
 with lib;
 let
  psCfg = config.pub-solar;
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in
 {
  imports = [
    ./hardware-configuration.nix
  ];
  config = {
    age.secrets.environment-secrets = {
      file = "${self}/secrets/environment-secrets.age";
      mode = "700";
      owner = "teutat3s";
    };
    pub-solar = {
      audio.mopidy.enable = lib.mkForce false;
      core.hibernation = {
        enable = true;
        resumeDevice = "/dev/mapper/cryptroot";
        resumeOffset = 47366144;
      };
      virtualisation.enable = true;
    };
    # fix backlight for keyboard and brightness, adjust function key binding,
    # intel_pstate for cpu schedutil, resume offset for swapfile, disable amdgpu driver
    boot.kernelParams = [ "acpi_backlight=video" "hid_apple.fnmode=2" "intel_pstate=passive" ];
    boot.loader.efi.canTouchEfiVariables = true;
    #boot.resumeDevice = "/dev/mapper/cryptroot";
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    systemd.sleep.extraConfig = ''
      HibernateMode=shutdown
    '';
    hardware = {
      cpu.intel.updateMicrocode = true;
      facetimehd.enable = true;
    };
    services.resolved = {
      enable = true;
      # DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS
      # when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579
      extraConfig = ''
        DNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 5.9.164.112#dns3.digitalcourage.de 89.233.43.71#unicast.censurfridns.dk 94.130.110.185#ns1.dnsprivacy.at 145.100.185.15#dnsovertls.sinodun.com 145.100.185.16#dnsovertls1.sinodun.com 185.49.141.37#getdnsapi.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net 2a01:4f8:251:554::2#dns3.digitalcourage.de 2a01:3a0:53:53::0#unicast.censurfridns.dk 2a01:4f8:c0c:3c03::2#ns1.dnsprivacy.at 2a01:4f8:c0c:3bfc::2#ns2.dnsprivacy.at 2001:610:1:40ba:145:100:185:15#dnsovertls.sinodun.com 2001:610:1:40ba:145:100:185:16#dnsovertls1.sinodun.com 2a04:b900:0:100::38#getdnsapi.net
        FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
        Domains=~.
        DNSOverTLS=yes
        DNSSEC=false
      '';
    };
    services.mozillavpn.enable = true;
    networking = import ./networking.nix;
    security.pki.certificateFiles = [ ./consul-agent-ca.pem ];
    services.unbound = import ./unbound.nix;
    # Disable dedicated GPU, use integrated Intel GPU to save battery
    # Set default brightness to 50%
    # https://ubuntuforums.org/showthread.php?t=2409856
    services.cron.systemCronJobs = [
      "@reboot root ${pkgs.util-linux}/bin/rfkill block bluetooth"
      "@reboot root ${pkgs.coreutils}/bin/sleep 10; ${pkgs.coreutils}/bin/echo OFF > /sys/kernel/debug/vgaswitcheroo/switch"
      "@reboot root ${pkgs.coreutils}/bin/sleep 11; ${pkgs.coreutils}/bin/echo 510 > /sys/class/backlight/gmux_backlight/brightness"
    ];
    # Increase console font size for HiDPI display
    console = {
      earlySetup = true;
      font = lib.mkForce "ter-i32b";
      packages = [ pkgs.terminus_font ];
    };
    # Thunderbolt tools
    services.hardware.bolt.enable = true;
    powerManagement = {
      # Use new schedutil govenor
      # https://github.com/NixOS/nixpkgs/pull/42330
      # https://www.kernel.org/doc/html/v5.10/admin-guide/pm/cpufreq.html#schedutil
      cpuFreqGovernor = lib.mkDefault "schedutil";
      # brcmfmac being loaded during hibernation would inhibit a successful resume
      # https://bugzilla.kernel.org/show_bug.cgi?id=101681#c116.
      # Also brcmfmac could randomly crash on resume from sleep.
      powerUpCommands = lib.mkBefore "${pkgs.kmod}/bin/modprobe brcmfmac";
      powerDownCommands = lib.mkBefore "${pkgs.kmod}/bin/rmmod brcmfmac";
    };
    # change lid switch behaviour
    #services.logind.lidSwitch = "hibernate";
    # TLP for power management
    services.tlp = {
      enable = true;
      settings = {
        CPU_SCALING_GOVERNOR_ON_AC = "performance";
        CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
        CPU_BOOST_ON_AC = 1;
        CPU_BOOST_ON_BAT = 0;
      };
    };
    services.udev.extraRules =
      # Disable XHC1 wakeup signal to avoid resume getting triggered some time
      # after suspend. Reboot required for this to take effect.
      lib.optionalString
        (lib.versionAtLeast config.boot.kernelPackages.kernel.version "3.13")
        ''SUBSYSTEM=="pci", KERNEL=="0000:00:14.0", ATTR{power/wakeup}="disabled"'';
    services.printing.enable = true;
    services.printing.drivers = [ pkgs.brlaser ];
    home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
      # Custom device sway configs
      xdg.configFile = mkIf psCfg.sway.enable {
        "sway/config.d/10-applications.conf".source = ./.config/sway/config.d/applications.conf;
        "sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
        "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
        "sway/config.d/input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
        "sway/config.d/screens.conf".source = ./.config/sway/config.d/screens.conf;
      };
    };
    users.users.teutat3s = {
      extraGroups = [ "unbound" ];
    };
    # WLAN frequency compliance (e.g. check for radar with DFS)
    #
    # Radeon driver seems to work better than amdgpu with Radeon R9 M370X
    hardware.firmware = with pkgs; [ wireless-regdb ];
    boot.extraModprobeConfig = ''
      options cfg80211 ieee80211_regdom="DE"
    '';
    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "21.05"; # Did you read the comment?
  };
 }
--- a/hosts/dumpyourvms/hardware-configuration.nix
+++ b/hosts/dumpyourvms/hardware-configuration.nix
@ -0,0 +1,41 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      #(modulesPath + "/hardware/network/broadcom-43xx.nix")
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/17bbb016-d27c-47da-8805-58c6395891e8";
      fsType = "ext4";
    };
  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c100b9a7-99d7-44d9-b7c2-3892a5f233c4";
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/06B8-5414";
      fsType = "vfat";
    };
  swapDevices = [
    {
      device = "/swapfile";
      size = 18432;
    }
  ];
  # high-resolution display
  hardware.video.hidpi.enable = lib.mkDefault true;
 }
--- a/hosts/dumpyourvms/networking.nix
+++ b/hosts/dumpyourvms/networking.nix
@ -0,0 +1,88 @@
 {
  networkmanager.dns = "systemd-resolved";
  #resolvconf.enable = true;
  hosts = {
    "10.0.0.42" = [ "nomad.service.consul" "nomad.service.cgn-1.consul" ];
    "10.0.0.66" = [ "consul.service.cgn-1.consul" ];
    "10.0.1.9" = [ "consul.service.lev-1.consul" ];
    "10.0.0.70" = [ "vault.service.consul" "vault.service.cgn-1.consul" ];
    "10.0.0.200" = [ "headnode.cgn-1" ];
    "10.0.0.201" = [ "cn01.cgn-1" ];
    "10.0.0.202" = [ "cn02.cgn-1" ];
    "10.0.0.205" = [ "cn05.cgn-1" ];
    "10.0.0.206" = [ "cn06.cgn-1" ];
    "10.0.0.207" = [ "cn07.cgn-1" ];
    "10.0.0.208" = [ "cn08.cgn-1" ];
    "10.0.1.200" = [ "headnode.lev-1" ];
    "10.0.1.201" = [ "cn01.lev-1" ];
    "10.0.1.202" = [ "cn02.lev-1" ];
    "10.0.1.203" = [ "cn03.lev-1" ];
    "10.0.1.204" = [ "cn04.lev-1" ];
    "10.0.1.205" = [ "cn05.lev-1" ];
    "10.0.1.206" = [ "cn00.lev-1" ];
    "10.0.1.207" = [ "cn06.lev-1" ];
    "10.0.1.208" = [ "cn07.lev-1" ];
    "10.101.64.10" = [ "wifi.bahn.de" ];
  };
  wireguard.enable = true;
  wg-quick.interfaces = {
    wg0 = {
      address = [ "10.8.8.6/32" ];
      privateKeyFile = "/etc/wireguard/wg0.privatekey";
      peers = [
        {
          publicKey = "l0DJLicCrcrixNP6zAWTXNSEaNM2jML253BXEZ1KpiU=";
          allowedIPs = [ "10.8.8.16/32" "10.0.0.0/24" "10.88.88.0/24" ];
          endpoint = "85.88.23.16:51820";
          persistentKeepalive = 25;
        }
      ];
    };
    wg1 = {
      address = [ "10.13.0.1/32" ];
      privateKeyFile = "/etc/wireguard/wg1.privatekey";
      mtu = 1412;
      peers = [
        {
          publicKey = "XS3TTIMU7Jp3JJANBpE14RsVDJk6/VUvZgjQgQP8kAs=";
          allowedIPs = [ "10.13.0.100/32" "192.168.188.0/24" ];
          endpoint = "[2a00:6020:48ad:dd00:dea6:32ff:fe85:3306]:51820";
          persistentKeepalive = 25;
        }
      ];
    };
    wg2 = {
      address = [ "10.6.6.4/32" ];
      privateKeyFile = "/etc/wireguard/wg2.privatekey";
      peers = [
        {
          publicKey = "nYMmaCIW8lZ7SokivN8HXxYDch+SS1G7ab1SC9meDAw=";
          presharedKeyFile = "/etc/wireguard/wg2.presharedkey";
          allowedIPs = [ "10.6.6.1/32" "10.1.1.0/24" ];
          endpoint = "85.88.23.127:51820";
          persistentKeepalive = 16;
        }
      ];
    };
    wg3 = {
      address = [ "10.11.11.2/32" ];
      privateKeyFile = "/etc/wireguard/wg3.privatekey";
      mtu = 1300;
      peers = [
        {
          publicKey = "7RRgfZSneqAtAHBeI6+aaYLqz9e1jikg/lIK8mhW928=";
          presharedKeyFile = "/etc/wireguard/wg3.presharedkey";
          allowedIPs = [ "10.11.11.1/32" "192.168.1.0/24" "10.0.1.0/24" ];
          endpoint = "80.71.153.1:51820";
          persistentKeepalive = 16;
        }
      ];
    };
  };
 }
--- a/hosts/dumpyourvms/unbound.nix
+++ b/hosts/dumpyourvms/unbound.nix
@ -0,0 +1,52 @@
 {
  enable = false;
  localControlSocketPath = "/run/unbound/unbound.ctl";
  settings = {
    server = {
      cache-max-ttl = 14400;
      cache-min-ttl = 1200;
      aggressive-nsec = true;
      prefetch = false;
      rrset-roundrobin = true;
      use-caps-for-id = true;
      do-ip6 = false;
      hide-identity = true;
      hide-version = true;
      do-not-query-localhost = false;
      tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
    };
    # fritz.box stub zone
    stub-zone = {
      name = "fritz.box";
      stub-addr = "192.168.13.1";
    };
    # DNS over DLS forwarding
    forward-zone = {
      name = ".";
      forward-tls-upstream = true;
      forward-addr = [
        "5.1.66.255@853#dot.ffmuc.net"
        "185.150.99.255@853#dot.ffmuc.net"
        "89.233.43.71@853#unicast.censurfridns.dk"
        "94.130.110.185@853#ns1.dnsprivacy.at"
        "2001:678:e68:f000::@853#dot.ffmuc.net"
        "2001:678:ed0:f000::@853#dot.ffmuc.net"
        "2a01:3a0:53:53::0@853#unicast.censurfridns.dk"
        "2a01:4f8:c0c:3c03::2@853#ns1.dnsprivacy.at"
        "2a01:4f8:c0c:3bfc::2@853#ns2.dnsprivacy.at"
        "2001:610:1:40ba:145:100:185:15@853#dnsovertls.sinodun.com"
        "2001:610:1:40ba:145:100:185:16@853#dnsovertls1.sinodun.com"
        "2a04:b900:0:100::38@853#getdnsapi.net"
        "145.100.185.15@853#dnsovertls.sinodun.com"
        "145.100.185.16@853#dnsovertls1.sinodun.com"
        "185.49.141.37@853#getdnsapi.net"
      ];
    };
  };
 }
--- a/hosts/fae.nix
+++ b/hosts/fae.nix
@ -0,0 +1,93 @@
 { config, lib, pkgs, profiles, ... }:
 {
  imports = [
    # profiles.networking
    #profiles.core
    "${fetchTarball {
      url = "https://github.com/NixOS/nixos-hardware/archive/8f1bf828d8606fe38a02df312cf14546ae200a72.tar.gz";
      sha256 = "11milap153g3f63fcrcv4777vd64f7wlfkk9p3kpxi6dqd2sxvh4";
      }
    }/raspberry-pi/4"
    profiles.users.root # make sure to configure ssh keys
    profiles.users.pub-solar
    profiles.base-user
    profiles.pub-solar-iso
  ];
  config = {
    pub-solar.core.iso-options.enable = true;
    fileSystems = {
      "/" = {
        device = "/dev/disk/by-label/NIXOS_SD";
        fsType = "ext4";
        options = [ "noatime" ];
      };
    };
    environment.systemPackages = with pkgs; [
      (kodi-gbm.withPackages (p: with p; [ jellyfin netflix youtube ]))
    ];
    services.openssh.enable = true;
    networking.firewall = {
      allowedTCPPorts = [ 8080 ];
      allowedUDPPorts = [ 8080 ];
    };
    security.sudo.extraConfig = lib.mkAfter ''
      %wheel    ALL=(ALL) NOPASSWD:ALL
    '';
    nix = {
      autoOptimiseStore = true;
      gc.automatic = true;
      optimise.automatic = true;
      useSandbox = true;
      allowedUsers = [ "@wheel" ];
      trustedUsers = [ "root" "@wheel" ];
      extraOptions = ''
        min-free = 536870912
        keep-outputs = true
        keep-derivations = true
        fallback = true
      '';
    };
    # Enable GPU acceleration
    hardware.raspberry-pi."4".fkms-3d.enable = true;
    # Define a user account for kodi
    users.extraUsers.kodi.isNormalUser = true;
    services.xserver = {
      enable = true;
      desktopManager.kodi.enable = true;
      desktopManager.kodi.package = pkgs.kodi-gbm;
      displayManager = {
        autoLogin.enable = true;
        autoLogin.user = "kodi";
      };
    };
    hardware.pulseaudio.enable = true;
    # custom raspi boot loader is already present
    boot.loader.systemd-boot.enable = lib.mkForce false;
    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "21.05"; # Did you read the comment?
  };
 }
--- a/hosts/powder/default.nix
+++ b/hosts/powder/default.nix
@ -0,0 +1,6 @@
 { ... }:
 {
  imports = [
    ./powder.nix
  ];
 }
--- a/hosts/powder/hardware-configuration.nix
+++ b/hosts/powder/hardware-configuration.nix
@ -0,0 +1,39 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [ ];
  boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-label/nixos";
      autoResize = true;
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-label/boot";
      fsType = "vfat";
    };
  fileSystems."/data" =
    { device = "/dev/disk/by-label/ephemeral0";
      fsType = "ext4";
      options = [
        "defaults"
        "nofail"
      ];
    };
  swapDevices = [ ];
  networking.useDHCP = lib.mkDefault false;
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/powder/powder.nix
+++ b/hosts/powder/powder.nix
@ -0,0 +1,83 @@
 { config, inputs, lib, pkgs, profiles, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    profiles.users.root # make sure to configure ssh keys
    profiles.users.pub-solar
    profiles.base-user
  ];
  config = {
    pub-solar.core.iso-options.enable = true;
    # Use the systemd-boot EFI boot loader.
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
    # Force getting the hostname from cloud-init
    networking.hostName = lib.mkDefault "";
    # Set your time zone.
    # time.timeZone = "Europe/Amsterdam";
    # Select internationalisation properties.
    console = {
      font = "Lat2-Terminus16";
      keyMap = "us";
    };
    # List packages installed in system profile. To search, run:
    # $ nix search wget
    environment.systemPackages = with pkgs; [
      git
      vim
      wget
      caddy
      # triton tools for retrieving metadata inside zones, e.g. mdata-get
      inputs.triton-vmtools
    ];
    # Some programs need SUID wrappers, can be configured further or are
    # started in user sessions.
    # programs.mtr.enable = true;
    # programs.gnupg.agent = {
    #   enable = true;
    #   enableSSHSupport = true;
    # };
    # List services that you want to enable:
    services.cloud-init.enable = true;
    services.cloud-init.ext4.enable = true;
    services.cloud-init.network.enable = true;
    # use the default NixOS cloud-init config, but add some SmartOS customization to it
    environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
      datasource_list: [ SmartOS ]
      # Do not create the centos/ubuntu/debian user
      users: [ ]
      # mount second disk with label ephemeral0, gets formated by cloud-init
      # this will fail to get added to /etc/fstab as it's read-only, but should
      # mount at boot anyway
      mounts:
      - [ vdb, /data, auto, "defaults,nofail" ]
    '';
    # Enable the OpenSSH daemon.
    services.openssh.enable = true;
    # Triton manages firewall rules via the triton fwrule subcommand
    networking.firewall.enable = false;
    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "22.05"; # Did you read the comment?
  };
 }
--- a/hosts/ryzensun/.config/sway/config.d/autostart.conf
+++ b/hosts/ryzensun/.config/sway/config.d/autostart.conf
@ -0,0 +1,6 @@
 # Autostart applications
 #
 # Example:
 # exec swayidle
 exec qMasterPassword
--- a/hosts/ryzensun/.config/sway/config.d/custom-keybindings.conf
+++ b/hosts/ryzensun/.config/sway/config.d/custom-keybindings.conf
@ -0,0 +1,2 @@
 # switch keyboard input language
 bindsym $mod+tab exec swaymsg input "1118:1896:Microsoft_Microsoft___SiderWinderTM_X4_Keyboard_Consumer_Control" xkb_switch_layout next
--- a/hosts/ryzensun/.config/sway/config.d/input-defaults.conf
+++ b/hosts/ryzensun/.config/sway/config.d/input-defaults.conf
@ -0,0 +1,33 @@
 ### Input configuration
 #
 # You can get the names of your inputs by running: swaymsg -t get_inputs
 # Read `man 5 sway-input` for more information about this section.
 input "type:keyboard" {
  xkb_layout us(intl),de
  xkb_options ctrl:nocaps
 }
 input "type:touchpad" {
  natural_scroll enabled
 }
 # Touchpad controls
 #bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
 # Screen brightness controls
 bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%"
 bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-"
 # Keyboard backlight brightness controls
 bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-"
 bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%"
 # Pulse Audio controls
 bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #increase sound volume
 bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #decrease sound volume
 bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle # mute sound
 # Media player controls
 bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
 bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
 bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
--- a/hosts/ryzensun/.config/sway/config.d/screens.conf
+++ b/hosts/ryzensun/.config/sway/config.d/screens.conf
@ -0,0 +1,33 @@
 ### Output configuration
 #
 # Example configuration:
 #
 #   output HDMI-A-1 resolution 1920x1080 position 1920,0
 #
 # You can get the names of your outputs by running: swaymsg -t get_outputs
 set $main_screen HDMI-A-1
 output $main_screen scale 2
 #bindswitch lid:on output $main_screen disable
 #bindswitch lid:off output $main_screen enable
 bindsym $mod+Shift+x output $main_screen toggle
 # TODO when using more monitors
 ## Manual management of external displays
 # Set the shortcuts and what they do
 #set $mode_display HDMI (i) top, (j) left, (k) bottom, (l) right, (o) off
 #mode "$mode_display" {
 #    bindsym i output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 1080, mode "default"
 #    bindsym j output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 1920 0, mode "default"
 #    bindsym k output HDMI-A-1 enable; output HDMI-A-1 pos 0 900 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
 #    bindsym l output HDMI-A-1 enable; output HDMI-A-1 pos 1440 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
 #    bindsym o output HDMI-A-1 disable, mode "default"
 #
 #    # back to normal: Enter or Escape
 #    bindsym Return mode "default"
 #    bindsym Escape mode "default"
 #}
 ## Declare here the shortcut to bring the display selection menu
 #bindsym $mod+x mode "$mode_display"
--- a/hosts/ryzensun/default.nix
+++ b/hosts/ryzensun/default.nix
@ -0,0 +1,6 @@
 { suites, ... }:
 {
  imports = [
    ./ryzensun.nix
  ] ++ suites.ryzensun;
 }
--- a/hosts/ryzensun/hardware-configuration.nix
+++ b/hosts/ryzensun/hardware-configuration.nix
@ -0,0 +1,35 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/bad2e49e-c8e7-4516-a6f8-77db999d12b0";
      fsType = "ext4";
    };
  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/ef6c5bb0-0bcf-4af4-bbc9-02c849999e54";
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/2C62-C8B5";
      fsType = "vfat";
    };
  swapDevices = [ ];
  # high-resolution display
  hardware.video.hidpi.enable = lib.mkDefault true;
 }
--- a/hosts/ryzensun/ryzensun.nix
+++ b/hosts/ryzensun/ryzensun.nix
@ -0,0 +1,57 @@
 { config, pkgs, lib, self, ... }:
 with lib;
 let
  psCfg = config.pub-solar;
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in
 {
  imports = [
    ./hardware-configuration.nix
  ];
  config = {
    age.secrets = {
      environment-secrets = {
        file = "${self}/secrets/environment-secrets.age";
        mode = "700";
        owner = "teutat3s";
      };
      drone_exec_runner_config = {
        file = "${self}/secrets/drone_exec_runner_config";
        mode = "700";
        owner = "999";
      };
    };
    pub-solar.nextcloud.enable = mkForce false;
    pub-solar.docker.enable = true;
    pub-solar.virtualisation.enable = true;
    pub-solar.docker-ci-runner = {
      enable = true;
      enableKvm = true;
      nixCacheLocation = "/mnt/internal/ci-cache-nix-store/nix";
      runnerEnvironment = {
        DRONE_RUNNER_CAPACITY = "1";
        DRONE_RUNNER_LABELS = "hosttype:baremetal";
      };
      runnerVarsFile = "/run/agenix/drone_exec_runner_config";
    };
    home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
      "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
      "sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
      "sway/config.d/input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
      "sway/config.d/screens.conf".source = ./.config/sway/config.d/screens.conf;
    };
    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "21.05"; # Did you read the comment?
  };
 }
--- a/lib/compat/default.nix
+++ b/lib/compat/default.nix
@ -1,21 +1,14 @@
 let
-  lock = builtins.fromJSON (builtins.readFile builtins.path {
+  rev = "e7e5d481a0e15dcd459396e55327749989e04ce0";
-    path = ../../flake.lock;
+  flake = (import
    name = "lockPath";
  });
  flake =
    import
    (
      fetchTarball {
-        url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+        url = "https://github.com/edolstra/flake-compat/archive/${rev}.tar.gz";
-        sha256 = lock.nodes.flake-compat.locked.narHash;
+        sha256 = "0zd3x46fswh5n6faq4x2kkpy6p3c6j593xbdlbsl40ppkclwc80x";
      }
    )
    {
-      src = builtins.path {
+      src = ../../.;
-        path = ../../.;
+    });
        name = "projectRoot";
      };
    };
 in
-  flake
+flake
--- a/lib/compat/nixos/default.nix
+++ b/lib/compat/nixos/default.nix
@ -1,4 +1,5 @@
-{...}: let
+{ ... }:
 let
  inherit (default.inputs.nixos) lib;
  host = configs.${hostname} or configs.PubSolarOS;
@ -6,4 +7,4 @@
  default = (import ../.).defaultNix;
  hostname = lib.fileContents /etc/hostname;
 in
-  host
+host
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,10 +1,2 @@
-{lib}:
+{ lib }:
-lib.makeExtensible (self: let
+lib.makeExtensible (self: { })
  callLibs = file: import file {lib = self;};
 in rec {
  ## Define your own library functions here!
  #id = x: x;
  ## Or in files, containing functions that take {lib}
  #foo = callLibs ./foo.nix;
  ## In configs, they can be used under "lib.our"
 })
--- a/modules/arduino/default.nix
+++ b/modules/arduino/default.nix
@ -1,23 +1,19 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.devops;
-in {
+in
 {
  options.pub-solar.arduino = {
    enable = mkEnableOption "Life with home automation";
  };
  config = mkIf cfg.enable {
-    users.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
+    users.users = pkgs.lib.setAttrByPath [ psCfg.user.name ] {
-      extraGroups = ["dialout"];
+      extraGroups = [ "dialout" ];
    };
-    home-manager = with pkgs;
+    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
      home.packages = [
        arduino
        arduino-cli
--- a/modules/audio/default.nix
+++ b/modules/audio/default.nix
@ -1,14 +1,11 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.audio;
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
-in {
+in
 {
  options.pub-solar.audio = {
    enable = mkEnableOption "Life in highs and lows";
    mopidy.enable = mkEnableOption "Life with mopidy";
@ -23,14 +20,12 @@ in {
  };
  config = mkIf cfg.enable {
-    users.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
+    users.users = pkgs.lib.setAttrByPath [ psCfg.user.name ] {
-      extraGroups = ["audio"];
+      extraGroups = [ "audio" ];
    };
-    home-manager = with pkgs;
+    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
-      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
+      home.packages = [
        home.packages =
          [
        # easyeffects, e.g. for microphone noise filtering
        easyeffects
        mu
@ -40,12 +35,7 @@ in {
        # Needed for pactl cmd, until pw-cli is more mature (vol up/down hotkeys?)
        pulseaudio
        vimpc
-          ]
+      ] ++ (if cfg.spotify.enable then [ pkgs.spotify-tui ] else [ ]);
          ++ (
            if cfg.spotify.enable
            then [pkgs.spotify-tui]
            else []
          );
      xdg.configFile."vimpc/vimpcrc".source = ./.config/vimpc/vimpcrc;
      systemd.user.services.easyeffects = import ./easyeffects.service.nix pkgs;
@ -64,54 +54,37 @@ in {
      };
    };
-    # rtkit is optional but recommended
+    # Enable sound using pipewire-pulse
    security.rtkit.enable = true;
    # Enable sound using pipewire-pulse, default config:
    # https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire.conf.in
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      config.pipewire = {
        context.default.clock = {
          allowed-rates = [ 44100 48000 88200 96000 ];
          rate = 44100;
        };
      };
      config.pipewire-pulse = builtins.fromJSON (builtins.readFile ./pipewire-pulse.conf.json);
    };
-    # Make pulseaudio listen on port 4713 for mopidy, extending the default
+    # Bluetooth configuration using wireplumber
-    # config: https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire-pulse.conf.in
+    # https://nixos.wiki/wiki/PipeWire#Bluetooth_Configuration
-    environment.etc = mkIf cfg.mopidy.enable {
+    environment.etc = mkIf cfg.bluetooth.enable {
-      "pipewire/pipewire-pulse.conf.d/99-custom.conf".text = ''
+      "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
-        {
+        bluez_monitor.properties = {
-          "context.modules": [
+          ["bluez5.enable-sbc-xq"] = true,
-            {
+          ["bluez5.enable-msbc"] = true,
-              "name": "libpipewire-module-protocol-pulse",
+          ["bluez5.enable-hw-volume"] = true,
-              "args": {
+          ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
                "server.address": ["unix:native", "tcp:4713"],
                "vm.overrides": {
                  "pulse.min.quantum": "1024/48000"
                }
              }
            }
          ]
        }
      '';
    };
    # Enable bluetooth
-    hardware.bluetooth = mkIf cfg.bluetooth.enable {
+    hardware.bluetooth.enable = mkIf cfg.bluetooth.enable true;
      enable = true;
      # Disable bluetooth on startup to save battery
      powerOnBoot = false;
      # Disable useless SIM Access Profile plugin
      disabledPlugins = [
        "sap"
      ];
      settings = {
        General = {
          # Enables experimental features and interfaces.
          # Makes BlueZ Battery Provider available
          Experimental = true;
        };
      };
    };
    services.blueman.enable = mkIf cfg.bluetooth.enable true;
    # Enable audio server & client
--- a/modules/audio/easyeffects.service.nix
+++ b/modules/audio/easyeffects.service.nix
@ -1,4 +1,5 @@
-pkgs: {
+pkgs:
 {
  Service = {
    Type = "dbus";
    BusName = "com.github.wwmm.easyeffects";
--- a/modules/audio/pipewire-pulse.conf.json
+++ b/modules/audio/pipewire-pulse.conf.json
@ -0,0 +1,42 @@
 {
  "context.properties": {},
  "context.spa-libs": {
    "audio.convert.*": "audioconvert/libspa-audioconvert",
    "support.*": "support/libspa-support"
  },
  "context.modules": [
    {
      "name": "libpipewire-module-rtkit",
      "args": {},
      "flags": [
        "ifexists",
        "nofail"
      ]
    },
    {
      "name": "libpipewire-module-protocol-native"
    },
    {
      "name": "libpipewire-module-client-node"
    },
    {
      "name": "libpipewire-module-adapter"
    },
    {
      "name": "libpipewire-module-metadata"
    },
    {
      "name": "libpipewire-module-protocol-pulse",
      "args": {
        "server.address": [
          "unix:native",
          "tcp:4713"
        ],
        "vm.overrides": {
          "pulse.min.quantum": "1024/48000"
        }
      }
    }
  ],
  "stream.properties": {}
 }
--- a/modules/ci-runner/default.nix
+++ b/modules/ci-runner/default.nix
@ -1,14 +1,10 @@
-{
+{ lib, config, pkgs, self, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  self,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.ci-runner;
-in {
+in
 {
  options.pub-solar.ci-runner = {
    enable = mkEnableOption "Enables a systemd service that runs drone-ci-runner";
  };
@ -30,8 +26,8 @@ in {
        pkgs.libvirt
      ];
-      wantedBy = ["multi-user.target"];
+      wantedBy = [ "multi-user.target" ];
-      after = ["network.target" "libvirtd.service"];
+      after = [ "network.target" "libvirtd.service" ];
      script = ''${pkgs.drone-runner-exec}/bin/drone-runner-exec daemon /run/agenix/drone-runner-exec-config'';
    };
--- a/modules/core/boot.nix
+++ b/modules/core/boot.nix
@ -1,12 +1,9 @@
-{
+{ config, pkgs, lib, ... }:
-  config,
+with lib;
-  pkgs,
+let
  lib,
  ...
 }:
 with lib; let
  cfg = config.pub-solar.core;
-in {
+in
 {
  options.pub-solar.core.iso-options.enable = mkOption {
    type = types.bool;
    default = false;
@ -33,13 +30,13 @@ in {
        };
      };
-      loader.systemd-boot.enable = lib.mkDefault true;
+      loader.systemd-boot.enable = true;
      # Use latest LTS linux kernel by default
-      kernelPackages = lib.mkDefault pkgs.linuxPackages_6_1;
+      kernelPackages = pkgs.linuxPackages_5_15;
      # Support ntfs drives
-      supportedFilesystems = ["ntfs"];
+      supportedFilesystems = [ "ntfs" ];
    };
  };
 }
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -1,11 +1,10 @@
-{
+{ config, lib, ... }:
-  config,
+
-  lib,
+with lib;
-  ...
+let
 }:
 with lib; let
  cfg = config.pub-solar.core;
-in {
+in
 {
  imports = [
    ./boot.nix
    ./hibernation.nix
--- a/modules/core/fonts.nix
+++ b/modules/core/fonts.nix
@ -1,14 +1,12 @@
 { config, pkgs, lib, ... }:
 {
  config,
  pkgs,
  lib,
  ...
 }: {
  fonts = {
-    fonts = with pkgs; [powerline-fonts dejavu_fonts];
+    fonts = with pkgs; [ powerline-fonts dejavu_fonts ];
    fontconfig.defaultFonts = {
-      monospace = ["DejaVu Sans Mono for Powerline"];
+      monospace = [ "DejaVu Sans Mono for Powerline" ];
-      sansSerif = ["DejaVu Sans"];
+      sansSerif = [ "DejaVu Sans" ];
    };
  };
 }
--- a/modules/core/hibernation.nix
+++ b/modules/core/hibernation.nix
@ -1,12 +1,9 @@
-{
+{ config, pkgs, lib, ... }:
-  config,
+with lib;
-  pkgs,
+let
  lib,
  ...
 }:
 with lib; let
  cfg = config.pub-solar.core.hibernation;
-in {
+in
 {
  options.pub-solar.core.hibernation = {
    enable = mkOption {
      type = types.bool;
@ -15,8 +12,8 @@ in {
    };
    resumeDevice = mkOption {
-      type = types.nullOr types.str;
+      type = types.str;
-      default = null;
+      default = "/dev/sda1";
      description = "The location of the hibernation resume swap file.";
    };
@ -29,8 +26,10 @@ in {
  config = {
    boot = mkIf cfg.enable {
-      resumeDevice = mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
+      resumeDevice = cfg.resumeDevice;
-      kernelParams = mkIf (cfg.resumeOffset != null) ["resume_offset=${builtins.toString cfg.resumeOffset}"];
+      kernelParams =
        if (cfg.resumeOffset == null && cfg.enable) then builtins.abort "config.pub-solar.resumeOffset has to be set if config.pub-solar.enable is true."
        else [ "resume_offset=${builtins.toString cfg.resumeOffset}" ];
    };
  };
 }
--- a/modules/core/i18n.nix
+++ b/modules/core/i18n.nix
@ -1,10 +1,6 @@
 { config, pkgs, lib, ... }:
 with lib;
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; {
  config = {
    # Set your time zone.
    time.timeZone = "Europe/Berlin";
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -1,12 +1,10 @@
 { config, pkgs, lib, ... }:
 with lib;
 let cfg = config.pub-solar.core;
 in
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  cfg = config.pub-solar.core;
 in {
  options.pub-solar.core = {
    enableCaddy = mkOption {
      type = types.bool;
@ -19,49 +17,48 @@ in {
    binaryCaches = mkOption {
      type = types.listOf types.str;
-      default = [];
+      default = [ ];
      description = "Binary caches to use.";
    };
    publicKeys = mkOption {
      type = types.listOf types.str;
-      default = [];
+      default = [ ];
      description = "Public keys of binary caches.";
    };
  };
  config = {
-    # disable NetworkManager and systemd-networkd -wait-online by default
+    # disable NetworkManager-wait-online by default
    systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
    systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
    networking.networkmanager = {
      # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
      enable = true;
-      wifi.backend = "iwd";
+      # not as stable as wpa_supplicant yet, also more trouble with 5 GHz networks
      #wifi.backend = "iwd";
    };
    networking.firewall.enable = true;
    # Customized binary caches list (with fallback to official binary cache)
-    nix.settings.substituters = cfg.binaryCaches;
+    nix.binaryCaches = cfg.binaryCaches;
-    nix.settings.trusted-public-keys = cfg.publicKeys;
+    nix.binaryCachePublicKeys = cfg.publicKeys;
    # These entries get added to /etc/hosts
    networking.hosts = {
-      "127.0.0.1" =
+      "127.0.0.1" = [ ]
-        []
+        ++ lib.optionals cfg.enableCaddy [ "caddy.local" ]
-        ++ lib.optionals cfg.enableCaddy ["caddy.local"]
+        ++ lib.optionals config.pub-solar.printing.enable [ "cups.local" ]
-        ++ lib.optionals config.pub-solar.printing.enable ["cups.local"]
+        ++ lib.optionals cfg.enableHelp [ "help.local" ];
        ++ lib.optionals cfg.enableHelp ["help.local"];
    };
    # Caddy reverse proxy for local services like cups
    services.caddy = {
-      enable = lib.mkDefault cfg.enableCaddy;
+      enable = cfg.enableCaddy;
-      globalConfig = lib.mkDefault ''
+      globalConfig = ''
        default_bind 127.0.0.1
        auto_https off
      '';
-      extraConfig = lib.mkDefault (concatStringsSep "\n" [
+      extraConfig = concatStringsSep "\n" [
        (lib.optionalString
          config.pub-solar.printing.enable
          ''
@ -79,7 +76,7 @@ in {
              file_server
            }
          '')
-      ]);
+      ];
    };
  };
 }
--- a/modules/core/nix.nix
+++ b/modules/core/nix.nix
@ -1,28 +1,21 @@
 { config, pkgs, lib, inputs, ... }:
 {
  config,
  pkgs,
  lib,
  inputs,
  ...
 }: {
  nix = {
    # Use default version alias for nix package
    package = pkgs.nix;
    # Improve nix store disk usage
    autoOptimiseStore = true;
    gc.automatic = true;
    optimise.automatic = true;
    settings = {
      # Improve nix store disk usage
      auto-optimise-store = true;
    # Prevents impurities in builds
-      sandbox = true;
+    useSandbox = true;
-      # Give root and @wheel special privileges with nix
+    # give root and @wheel special privileges with nix
-      trusted-users = ["root" "@wheel"];
+    trustedUsers = [ "root" "@wheel" ];
-      # Allow only group wheel to connect to the nix daemon
+    # This is just a representation of the nix default
-      allowed-users = ["@wheel"];
+    systemFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
    };
    # Generally useful nix option defaults
-    extraOptions = lib.mkForce ''
+    extraOptions = ''
      experimental-features = flakes nix-command
      min-free = 536870912
      keep-outputs = true
      keep-derivations = true
--- a/modules/core/packages.nix
+++ b/modules/core/packages.nix
@ -1,16 +1,13 @@
-{
+{ config, pkgs, lib, ... }:
-  config,
+
-  pkgs,
+with lib;
-  lib,
+let
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.core;
-in {
+in
 {
  environment = {
-    systemPackages = with pkgs;
+    systemPackages = with pkgs; [
      [
      # Core unix utility packages
      coreutils-full
      dnsutils
@ -24,7 +21,6 @@ in {
      openssh
      curl
      htop
        btop
      lsof
      psmisc
      file
@ -38,6 +34,7 @@ in {
      croc
      jq
    ]
    ++ lib.optionals (!cfg.lite) [
      mtr
@ -61,7 +58,6 @@ in {
      exfat
      # Nix specific utilities
        alejandra
      niv
      manix
      nix-index
--- a/modules/core/services.nix
+++ b/modules/core/services.nix
@ -1,16 +1,13 @@
 { config, pkgs, lib, ... }:
 {
  config,
  pkgs,
  lib,
  ...
 }: {
  # For rage encryption, all hosts need a ssh key pair
  services.openssh = {
    enable = true;
    # If you don't want the host to have SSH actually opened up to the net,
    # set `services.openssh.openFirewall` to false in your config.
    openFirewall = lib.mkDefault true;
-    settings.PasswordAuthentication = lib.mkDefault false;
+    passwordAuthentication = false;
  };
  # Service that makes Out of Memory Killer more effective
--- a/modules/crypto/default.nix
+++ b/modules/crypto/default.nix
@ -1,26 +1,22 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.crypto;
-in {
+in
 {
  options.pub-solar.crypto = {
    enable = mkEnableOption "Life in private";
  };
  config = mkIf cfg.enable {
-    services.udev.packages = [pkgs.yubikey-personalization];
+    services.udev.packages = [ pkgs.yubikey-personalization ];
-    services.dbus.packages = [pkgs.gcr];
+    services.dbus.packages = [ pkgs.gcr ];
    services.pcscd.enable = true;
    services.gnome.gnome-keyring.enable = true;
-    home-manager = with pkgs;
+    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
      systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
      services.gpg-agent = {
--- a/modules/crypto/polkit-gnome-authentication-agent.service.nix
+++ b/modules/crypto/polkit-gnome-authentication-agent.service.nix
@ -1,15 +1,16 @@
-pkgs: {
+pkgs:
 {
  Unit = {
    Description = "Legacy polkit authentication agent for GNOME";
-    Documentation = ["https://gitlab.freedesktop.org/polkit/polkit/"];
+    Documentation = [ "https://gitlab.freedesktop.org/polkit/polkit/" ];
-    BindsTo = ["sway-session.target"];
+    BindsTo = [ "sway-session.target" ];
-    After = ["sway-session.target"];
+    After = [ "sway-session.target" ];
  };
  Service = {
    Type = "simple";
    ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
  };
  Install = {
-    WantedBy = ["sway-session.target"];
+    WantedBy = [ "sway-session.target" ];
  };
 }
--- a/modules/devops/default.nix
+++ b/modules/devops/default.nix
@ -1,20 +1,16 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.devops;
-in {
+in
 {
  options.pub-solar.devops = {
    enable = mkEnableOption "Life automated";
  };
  config = mkIf cfg.enable {
-    home-manager = with pkgs;
+    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
      home.packages = [
        drone-cli
        nmap
--- a/modules/docker-ci-runner/default.nix
+++ b/modules/docker-ci-runner/default.nix
@ -1,11 +1,7 @@
-{
+{ lib, config, pkgs, self, ... }:
-  lib,
+
-  config,
+with lib;
-  pkgs,
+let
  self,
  ...
 }:
 with lib; let
  bootstrap = pkgs.writeScript "bootstrap.sh" ''
    #!/usr/bin/env bash
@ -27,7 +23,7 @@ with lib; let
    export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
    mkdir -p $(dirname \\$nix_user_config_file)
-    echo '{"extra-experimental-features":{"nix-command flakes":true}}' > \\$nix_user_config_file
+    echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org  https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file
    chown -R build /home/build/
    curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
@ -44,9 +40,10 @@ with lib; let
  '';
  psCfg = config.pub-solar;
  cfg = config.pub-solar.docker-ci-runner;
-in {
+in
 {
  options.pub-solar.docker-ci-runner = {
-    enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";
+    enable = lib.mkEnableOption "Enables a systemd service that runs drone-ci-runner";
    enableKvm = lib.mkOption {
      description = ''
@ -60,7 +57,6 @@ in {
      description = ''
        Location of nix cache that is shared between builds
      '';
      default = "/var/lib/docker-ci-runner";
      type = types.path;
    };
@ -91,7 +87,7 @@ in {
          image = "debian";
          autoStart = true;
          entrypoint = "bash";
-          cmd = ["/bootstrap.sh"];
+          cmd = [ "/bootstrap.sh" ];
          volumes = [
            "${cfg.runnerVarsFile}:/run/vars"
@ -101,14 +97,9 @@ in {
          environment = cfg.runnerEnvironment;
-          extraOptions = lib.mkIf cfg.enableKvm ["--device=/dev/kvm"];
+          extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ];
        };
      };
    };
    # Fix container not stopping correctly and holding the system 120s upon
    # shutdown / reboot
    systemd.services.docker-drone-exec-runner.preStop = ''
      docker stop drone-exec-runner
    '';
  };
 }
--- a/modules/docker/default.nix
+++ b/modules/docker/default.nix
@ -1,27 +1,23 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.docker;
-in {
+in
 {
  options.pub-solar.docker = {
    enable = mkEnableOption "Life in metal boxes";
  };
  config = mkIf cfg.enable {
    virtualisation.docker.enable = true;
-    virtualisation.docker.package = pkgs.docker_24;
+    users.users = with pkgs; pkgs.lib.setAttrByPath [ psCfg.user.name ] {
-    users.users = with pkgs;
+      extraGroups = [ "docker" ];
      pkgs.lib.setAttrByPath [psCfg.user.name] {
        extraGroups = ["docker"];
    };
    environment.systemPackages = with pkgs; [
      docker-compose
      docker-compose_2
    ];
  };
 }
--- a/modules/email/default.nix
+++ b/modules/email/default.nix
@ -1,20 +1,16 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.email;
-in {
+in
 {
  options.pub-solar.email = {
    enable = mkEnableOption "Life in headers";
  };
  config = mkIf cfg.enable {
-    home-manager = with pkgs;
+    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
      home.packages = [
        w3m
        urlscan
--- a/modules/email/offlineimap.nix
+++ b/modules/email/offlineimap.nix
@ -0,0 +1 @@
--- a/modules/gaming/default.nix
+++ b/modules/gaming/default.nix
@ -1,13 +1,10 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.gaming;
-in {
+in
 {
  options.pub-solar.gaming = {
    enable = mkEnableOption "Life in shooters";
  };
@ -15,11 +12,10 @@ in {
  config = mkIf cfg.enable {
    programs.steam.enable = true;
    nixpkgs.config.packageOverrides = pkgs: {
-      steam = pkgs.steam.override {};
+      steam = pkgs.steam.override { };
    };
-    home-manager = with pkgs;
+    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
      home.packages = [
        playonlinux
        godot
--- a/modules/gaming/steam.nix
+++ b/modules/gaming/steam.nix
@ -0,0 +1 @@
--- a/modules/graphical/alacritty.nix
+++ b/modules/graphical/alacritty.nix
@ -66,97 +66,29 @@
      x = 0;
      y = 0;
    };
    use_thin_strokes = true;
  };
  key_bindings = [
-    {
+    { key = "V"; mods = "Control|Alt"; action = "Paste"; }
-      key = "V";
+    { key = "C"; mods = "Control|Alt"; action = "Copy"; }
-      mods = "Control|Alt";
+    { key = "Paste"; action = "Paste"; }
-      action = "Paste";
+    { key = "Copy"; action = "Copy"; }
-    }
+    { key = "Q"; mods = "Command"; action = "Quit"; }
-    {
+    { key = "W"; mods = "Command"; action = "Quit"; }
-      key = "C";
+    { key = "Insert"; mods = "Shift"; action = "PasteSelection"; }
-      mods = "Control|Alt";
+    { key = "Key0"; mods = "Control"; action = "ResetFontSize"; }
-      action = "Copy";
+    { key = "Equals"; mods = "Control"; action = "IncreaseFontSize"; }
-    }
+    { key = "PageUp"; mods = "Shift"; action = "ScrollPageUp"; }
-    {
+    { key = "PageDown"; mods = "Shift"; action = "ScrollPageDown"; }
-      key = "Paste";
+    { key = "Minus"; mods = "Control"; action = "DecreaseFontSize"; }
-      action = "Paste";
+    { key = "H"; mode = "Vi|~Search"; action = "ScrollToBottom"; }
-    }
+    { key = "H"; mode = "Vi|~Search"; action = "ToggleViMode"; }
-    {
+    { key = "I"; mode = "Vi|~Search"; action = "Up"; }
-      key = "Copy";
+    { key = "K"; mode = "Vi|~Search"; action = "Down"; }
-      action = "Copy";
+    { key = "J"; mode = "Vi|~Search"; action = "Left"; }
-    }
+    { key = "L"; mode = "Vi|~Search"; action = "Right"; }
    {
      key = "Q";
      mods = "Command";
      action = "Quit";
    }
    {
      key = "W";
      mods = "Command";
      action = "Quit";
    }
    {
      key = "Insert";
      mods = "Shift";
      action = "PasteSelection";
    }
    {
      key = "Key0";
      mods = "Control";
      action = "ResetFontSize";
    }
    {
      key = "Equals";
      mods = "Control";
      action = "IncreaseFontSize";
    }
    {
      key = "PageUp";
      mods = "Shift";
      action = "ScrollPageUp";
    }
    {
      key = "PageDown";
      mods = "Shift";
      action = "ScrollPageDown";
    }
    {
      key = "Minus";
      mods = "Control";
      action = "DecreaseFontSize";
    }
    {
      key = "H";
      mode = "Vi|~Search";
      action = "ScrollToBottom";
    }
    {
      key = "H";
      mode = "Vi|~Search";
      action = "ToggleViMode";
    }
    {
      key = "I";
      mode = "Vi|~Search";
      action = "Up";
    }
    {
      key = "K";
      mode = "Vi|~Search";
      action = "Down";
    }
    {
      key = "J";
      mode = "Vi|~Search";
      action = "Left";
    }
    {
      key = "L";
      mode = "Vi|~Search";
      action = "Right";
    }
  ];
  # Base16 Burn 256 - alacritty color config
@ -232,30 +164,12 @@
    };
    indexed_colors = [
-      {
+      { index = 16; color = "0xdf5923"; }
-        index = 16;
+      { index = 17; color = "0xd70000"; }
-        color = "0xdf5923";
+      { index = 18; color = "0x2d2a2e"; }
-      }
+      { index = 19; color = "0x303030"; }
-      {
+      { index = 20; color = "0xd3d1d4"; }
-        index = 17;
+      { index = 21; color = "0x303030"; }
        color = "0xd70000";
      }
      {
        index = 18;
        color = "0x2d2a2e";
      }
      {
        index = 19;
        color = "0x303030";
      }
      {
        index = 20;
        color = "0xd3d1d4";
      }
      {
        index = 21;
        color = "0x303030";
      }
    ];
  };
 }
--- a/modules/graphical/default.nix
+++ b/modules/graphical/default.nix
@ -1,34 +1,31 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.graphical;
-  yamlFormat = pkgs.formats.yaml {};
+  yamlFormat = pkgs.formats.yaml { };
-  recursiveMerge = attrList: let
+  recursiveMerge = attrList:
    let
      f = attrPath:
-      zipAttrsWith (
+        zipAttrsWith (n: values:
-        n: values:
+          if tail values == [ ]
          if tail values == []
          then head values
          else if all isList values
          then unique (concatLists values)
          else if all isAttrs values
-          then f (attrPath ++ [n]) values
+          then f (attrPath ++ [ n ]) values
          else last values
        );
    in
-    f [] attrList;
+    f [ ] attrList;
-in {
+in
 {
  options.pub-solar.graphical = {
    enable = mkEnableOption "Life in color";
    alacritty = {
      settings = mkOption {
        type = yamlFormat.type;
-        default = {};
+        default = { };
      };
    };
    autologin.enable = mkOption {
@ -66,7 +63,7 @@ in {
    services.getty.autologinUser = mkIf cfg.autologin.enable (mkForce "${psCfg.user.name}");
-    qt = {
+    qt5 = {
      enable = true;
      platformTheme = "gtk2";
      style = "gtk2";
@ -74,7 +71,7 @@ in {
    # Required for running Gnome apps outside the Gnome DE, see https://nixos.wiki/wiki/GNOME#Running_GNOME_programs_outside_of_GNOME
    programs.dconf.enable = true;
-    services.udev.packages = with pkgs; [gnome3.gnome-settings-daemon];
+    services.udev.packages = with pkgs; [ gnome3.gnome-settings-daemon ];
    # Enable Sushi, a quick previewer for nautilus
    services.gnome.sushi.enable = true;
    # Enable GVfs, a userspace virtual filesystem
@ -95,8 +92,7 @@ in {
      source-sans-pro
    ];
-    home-manager = with pkgs;
+    home-manager = with pkgs; setAttrByPath [ "users" psCfg.user.name ] {
      setAttrByPath ["users" psCfg.user.name] {
      home.packages = [
        alacritty
        foot
@ -123,7 +119,7 @@ in {
      ];
      xdg.configFile."alacritty/alacritty.yml" = {
-          source = yamlFormat.generate "alacritty.yml" (recursiveMerge [(import ./alacritty.nix) cfg.alacritty.settings]);
+        source = yamlFormat.generate "alacritty.yml" (recursiveMerge [ (import ./alacritty.nix) cfg.alacritty.settings ]);
      };
      gtk = {
@ -145,6 +141,7 @@ in {
          gtk-xft-rgba = "rgb";
          gtk-application-prefer-dark-theme = "true";
        };
      };
      # Fix KeepassXC rendering issue
--- a/modules/graphical/network-manager-applet.service.nix
+++ b/modules/graphical/network-manager-applet.service.nix
@ -1,15 +1,16 @@
-pkgs: {
+pkgs:
 {
  Unit = {
-    Description = "Network Manager applet";
+    Description = "Lightweight Wayland notification daemon";
-    BindsTo = ["sway-session.target"];
+    BindsTo = [ "sway-session.target" ];
-    After = ["sway-session.target"];
+    After = [ "sway-session.target" ];
    # ConditionEnvironment requires systemd v247 to work correctly
-    ConditionEnvironment = ["WAYLAND_DISPLAY"];
+    ConditionEnvironment = [ "WAYLAND_DISPLAY" ];
  };
  Service = {
    ExecStart = "${pkgs.networkmanagerapplet}/bin/nm-applet --sm-disable --indicator";
  };
  Install = {
-    WantedBy = ["sway-session.target"];
+    WantedBy = [ "sway-session.target" ];
  };
 }
--- a/modules/hm-system-defaults.nix
+++ b/modules/hm-system-defaults.nix
@ -1,4 +1,4 @@
-{config, ...}: {
+{ config, ... }: {
  home-manager.sharedModules = [
    {
      home.sessionVariables = {
--- a/modules/nextcloud/default.nix
+++ b/modules/nextcloud/default.nix
@ -1,20 +1,16 @@
-{
+{ lib, config, pkgs, ... }:
-  lib,
+with lib;
-  config,
+let
  pkgs,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.nextcloud;
-in {
+in
 {
  options.pub-solar.nextcloud = {
    enable = mkEnableOption "Life in sync";
  };
  config = mkIf cfg.enable {
-    home-manager = with pkgs;
+    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
      systemd.user.services.nextcloud-client = import ./nextcloud.service.nix pkgs;
    };
  };
--- a/modules/nextcloud/nextcloud.service.nix
+++ b/modules/nextcloud/nextcloud.service.nix
@ -1,11 +1,12 @@
-pkgs: {
+pkgs:
 {
  Unit = {
    Description = "Nextcloud Client";
-    BindsTo = ["sway-session.target"];
+    BindsTo = [ "sway-session.target" ];
-    Wants = ["graphical-session-pre.target"];
+    Wants = [ "graphical-session-pre.target" ];
-    After = ["graphical-session-pre.target"];
+    After = [ "graphical-session-pre.target" ];
    # ConditionEnvironment requires systemd v247 to work correctly
-    ConditionEnvironment = ["WAYLAND_DISPLAY"];
+    ConditionEnvironment = [ "WAYLAND_DISPLAY" ];
  };
  Service = {
    Type = "simple";
@ -15,6 +16,6 @@ pkgs: {
    Restart = "on-failure";
  };
  Install = {
-    WantedBy = ["sway-session.target"];
+    WantedBy = [ "sway-session.target" ];
  };
 }
--- a/modules/nix-path.nix
+++ b/modules/nix-path.nix
@ -1,8 +1,4 @@
-{
+{ channel, inputs, ... }: {
  channel,
  inputs,
  ...
 }: {
  nix.nixPath = [
    "nixpkgs=${channel.input}"
    "nixos-config=${../lib/compat/nixos}"
--- a/Show more
+++ b/Show more
		`@ -1,2 +0,0 @@`
			`# Formatted code using treefmt and alejandra`
			`73bf158392a427d188b7aad36244b94506f57a15`
		`@ -0,0 +1,3 @@`
							`# switch keyboard input language`
							`bindsym $mod+tab exec swaymsg input "1452:628:Apple_Inc._Apple_Internal_Keyboard_/_Trackpad" xkb_switch_layout next`
		`@ -0,0 +1,2 @@`
							`# switch keyboard input language`
							`bindsym $mod+tab exec swaymsg input "1118:1896:Microsoft_Microsoft___SiderWinderTM_X4_Keyboard_Consumer_Control" xkb_switch_layout next`