.editorconfig

@@ -24,6 +24,14 @@ charset = unset
 indent_style = unset
 indent_size = unset
 
+[*.rom]
+end_of_line = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+charset = unset
+indent_style = unset
+indent_size = unset
+
 [*.py]
 indent_size = 4
 

.gitignore

@@ -7,7 +7,7 @@ vm
 iso
 doi
 
-pkgs/_sources/.shake*
-
+# PubSolarOS
 tags
 /owners
+pkgs/_sources/.shake*

flake.lock

@@ -42,11 +42,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1665392861,
-        "narHash": "sha256-bCd8fYJMAb0LzabsiXl4nxECDoz483bJOCa2hjox7N0=",
+        "lastModified": 1667294277,
+        "narHash": "sha256-YhVGYUpPZNpJZ8z3Sq9aT6n1/B8vKtfRfwaCtbsosxk=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "ef56fd8979b5f4e800c4716f62076e00600b1172",
+        "rev": "b7177030643374e698c29e993c2808efa7b85aaf",
         "type": "github"
       },
       "original": {
@@ -276,11 +276,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1665996265,
-        "narHash": "sha256-/k9og6LDBQwT+f/tJ5ClcWiUl8kCX5m6ognhsAxOiCY=",
+        "lastModified": 1667299227,
+        "narHash": "sha256-vAJPFSDYUq3DdCL8OzTg4xObRNW+yA1Pt+NzbhGu1f8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b81e128fc053ab3159d7b464d9b7dedc9d6a6891",
+        "rev": "f0ecd4b1db5e15103e955b18cb94bea4296e5c45",
         "type": "github"
       },
       "original": {
@@ -308,11 +308,11 @@
     },
     "latest_2": {
       "locked": {
-        "lastModified": 1665940183,
-        "narHash": "sha256-cPe3F7CtnxU9YbJpc3Adl4d9kX+turqTv5FxM98i8vg=",
+        "lastModified": 1667231093,
+        "narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "104e8082de1b20f9d0e1f05b1028795ed0e0e4bc",
+        "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
         "type": "github"
       },
       "original": {
@@ -322,6 +322,22 @@
         "type": "github"
       }
     },
+    "master": {
+      "locked": {
+        "lastModified": 1667394072,
+        "narHash": "sha256-RFTHGjI46hg3ggVwSdssAsni5q5YRsQl2SENv5PPAnQ=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "07c0c2707bfc78e2b615eb69977ffc6e366c5ec6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "naersk": {
       "inputs": {
         "nixpkgs": [
@@ -359,11 +375,11 @@
     },
     "nixos": {
       "locked": {
-        "lastModified": 1666014999,
-        "narHash": "sha256-gvKl8xlPJreezNG1NVTJv/HdGC69MSrM+IpCxS+eFvw=",
+        "lastModified": 1667318659,
+        "narHash": "sha256-mRXqCdlnxPgm3Wk7mNAOanl7B3Q3U5scYTEiyYmNEOE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1935dd8fdab8e022a9d958419663162fd840014c",
+        "rev": "b3a8f7ed267e0a7ed100eb7d716c9137ff120fe3",
         "type": "github"
       },
       "original": {
@@ -379,11 +395,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1666016402,
-        "narHash": "sha256-Cm/nrdUMXwXiFQforG1Mv8OA4o8yhuVx6E1eDFH4rew=",
+        "lastModified": 1666812839,
+        "narHash": "sha256-0nBDgjPU+iDsvz89W+cDEyhnFGSwCJmwDl/gMGqYiU0=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "688db42a1eb34853f050267ff65c975f664312f0",
+        "rev": "41f3518bc194389df22a3d198215eae75e6b5ab9",
         "type": "github"
       },
       "original": {
@@ -394,11 +410,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1665987993,
-        "narHash": "sha256-MvlaIYTRiqefG4dzI5p6vVCfl+9V8A1cPniUjcn6Ngc=",
+        "lastModified": 1667283320,
+        "narHash": "sha256-qHvB/6XBKVjjJJCUM+z6/t9HzUC7J55wdY3KJ/ZWSHo=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "0e6593630071440eb89cd97a52921497482b22c6",
+        "rev": "18934557eeba8fa2e575b0fd4ab95186e2e3bde3",
         "type": "github"
       },
       "original": {
@@ -460,11 +476,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1664550666,
-        "narHash": "sha256-eXfMRd9uItEp3PsYI31FSVGPG9dVC6yF++65ZrGwW8A=",
+        "lastModified": 1667246446,
+        "narHash": "sha256-LTnDoH6B8cez7RAc7K/DJqFrnZr75OMtVsNqtIHIPBU=",
         "owner": "berberman",
         "repo": "nvfetcher",
-        "rev": "9763ad40d59a044e90726653d9253efaeeb053b2",
+        "rev": "d5d1289327f26e870991656b2c5598ce62693311",
         "type": "github"
       },
       "original": {
@@ -473,6 +489,22 @@
         "type": "github"
       }
     },
+    "pub-solar": {
+      "locked": {
+        "lastModified": 1654372286,
+        "narHash": "sha256-z1WrQkL67Sosz1VnuKQLpzEkEl4ianeLpWJX8Q6bVQY=",
+        "owner": "pub-solar",
+        "repo": "nixpkgs",
+        "rev": "4995a873a796c54cc49e5dca9e1d20350eceec7b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pub-solar",
+        "ref": "fix/use-latest-unstable-yubikey-agent",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -481,12 +513,14 @@
         "digga": "digga",
         "home": "home",
         "latest": "latest_2",
+        "master": "master",
         "naersk": "naersk",
         "nixos": "nixos",
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nur": "nur",
-        "nvfetcher": "nvfetcher"
+        "nvfetcher": "nvfetcher",
+        "pub-solar": "pub-solar"
       }
     },
     "utils": {

flake.nix

@@ -10,6 +10,8 @@
       # Track channels with commits tested and built by hydra
       nixos.url = "github:nixos/nixpkgs/nixos-22.05";
       latest.url = "github:nixos/nixpkgs/nixos-unstable";
+      master.url = "github:nixos/nixpkgs/master";
+      pub-solar.url = "github:pub-solar/nixpkgs/fix/use-latest-unstable-yubikey-agent";
 
       digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
       digga.inputs.nixpkgs.follows = "nixos";
@@ -57,7 +59,7 @@
         inherit self inputs;
 
         channelsConfig = {
-          # allowUnfree = true;
+          allowUnfree = true;
         };
 
         supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
@@ -68,6 +70,7 @@
             overlays = [ ];
           };
           latest = { };
+          master = { };
         };
 
         lib = import ./lib { lib = digga.lib // nixos.lib; };
@@ -125,6 +128,13 @@
               iso = base ++ [ base-user graphical pub-solar-iso ];
               pubsolaros = [ full-install base-user users.root ];
               anonymous = [ pubsolaros users.pub-solar ];
+
+              b12f = pubsolaros ++ [ users.ben social gaming mobile ];
+              biolimo = b12f ++ [ graphical ];
+              chocolatebar = b12f ++ [ graphical virtualisation ];
+
+              yule = pubsolaros ++ [ users.yule ];
+              droppie = yule ++ [ ];
             };
           };
         };
@@ -135,11 +145,13 @@
           importables = rec {
             profiles = digga.lib.rakeLeaves ./users/profiles;
             suites = with profiles; rec {
-              base = [ direnv git ];
+              base = [ direnv ];
             };
           };
           users = {
             pub-solar = { suites, ... }: { imports = suites.base; };
+            ben = { suites, ... }: { imports = suites.base; };
+            yule = { suites, ... }: { imports = suites.base; };
           }; # digga.lib.importers.rakeLeaves ./users/hm;
         };
 
@@ -147,6 +159,10 @@
 
         homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
 
-        deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { };
+        deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
+          droppie = {
+            sshUser = "yule";
+          };
+        };
       };
 }

hosts/biolimo/.config/sway/config.d/autostart.conf

@@ -0,0 +1,6 @@
+# Autostart applications
+#
+# Example:
+# exec swayidle
+
+exec keepassxc

hosts/biolimo/.config/sway/config.d/custom-keybindings.conf

@@ -0,0 +1,19 @@
+# Touchpad controls
+#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
+
+# Screen brightness controls
+bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
+bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {    print $4}')"
+
+# Keyboard backlight brightness controls
+bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+
+# Pulse Audio controls
+bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
+bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
+bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
+# Media player controls
+bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
+bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
+bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

hosts/biolimo/.config/sway/config.d/input-defaults.conf

@@ -0,0 +1,9 @@
+input "1739:0:Synaptics_TM3288-011" {
+  dwt enabled
+  tap enabled
+  middle_emulation enabled
+}
+input * {
+  xkb_layout us(intl),de
+  xkb_options ctrl:nocaps
+}

hosts/biolimo/.config/sway/config.d/screens.conf

@@ -0,0 +1,20 @@
+set $internal eDP-1
+set $middle "Hewlett Packard HP E231 3CQ4290S5J"
+set $standup "Hewlett Packard HP E231 3CQ4251F33"
+
+output $internal {
+  scale 1
+  pos 1080 1080
+}
+
+output $middle {
+  scale 1
+
+  pos 1080 0
+}
+
+output $standup {
+  scale 1
+  transform 90
+  pos 0 0
+}

hosts/biolimo/biolimo.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    pub-solar.paranoia.enable = true;
+    pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
+    pub-solar.core.hibernation.resumeOffset = 15296512;
+
+    hardware.cpu.intel.updateMicrocode = true;
+
+    networking.firewall.allowedTCPPorts = [ 5000 ];
+
+    networking.networkmanager.wifi.backend = mkForce "wpa_supplicant";
+
+    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
+      xdg.configFile = mkIf psCfg.sway.enable {
+        "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+        "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
+        "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
+        "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
+      };
+
+      home.packages = [
+        inkscape
+      ];
+    };
+  };
+}

hosts/biolimo/configuration.nix

@@ -0,0 +1,26 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}
+

hosts/biolimo/default.nix

@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./biolimo.nix
+  ] ++ suites.biolimo;
+}

hosts/biolimo/hardware-configuration.nix

@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/abc3fe04-368e-46eb-8c7a-3a829bb2deab";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3B67-0CAB";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 18 * 1024;  # 18 GB
+    }
+  ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
+}

hosts/chocolatebar/.config/sway/config.d/autostart.conf

@@ -0,0 +1,6 @@
+# Autostart applications
+#
+# Example:
+# exec swayidle
+
+exec keepassxc

hosts/chocolatebar/.config/sway/config.d/custom-keybindings.conf

@@ -0,0 +1,19 @@
+# Touchpad controls
+#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
+
+# Screen brightness controls
+bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
+bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {    print $4}')"
+
+# Keyboard backlight brightness controls
+bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+
+# Pulse Audio controls
+bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
+bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
+bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
+# Media player controls
+bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
+bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
+bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

hosts/chocolatebar/.config/sway/config.d/input-defaults.conf

@@ -0,0 +1,4 @@
+input * {
+  xkb_layout us(intl),de
+  xkb_options ctrl:nocaps
+}

hosts/chocolatebar/.config/sway/config.d/screens.conf

@@ -0,0 +1,18 @@
+set $left DP-3
+set $middle DP-1
+set $right HDMI-A-1
+
+output $left {
+  scale 1
+  pos 0 0
+}
+
+output $middle {
+  scale 1
+  pos 1920 0
+}
+
+output $right {
+  scale 1
+  pos 3840 0
+}

hosts/chocolatebar/chocolatebar.nix

@@ -0,0 +1,64 @@
+{ config, pkgs, lib, self, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+    ./virtualisation
+    ./factorio
+  ];
+
+  config = {
+    hardware.cpu.amd.updateMicrocode = true;
+
+    hardware.opengl.extraPackages = with pkgs; [
+      rocm-opencl-icd
+      rocm-opencl-runtime
+    ];
+
+    pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
+    pub-solar.core.hibernation.resumeOffset = 115075072;
+
+    services.openssh.openFirewall = true;
+    networking.firewall.allowedTCPPorts = [ 443 ] ++ (if psCfg.sway.vnc.enable then [ 5901 ] else [ ]);
+
+    environment.systemPackages = with pkgs; [
+      wayvnc
+      drone-docker-runner
+      stdenv.cc.cc.lib
+    ];
+
+    age.secrets."vnc-key.pem" = {
+      file = "${self}/secrets/vnc-key-chocolatebar.pem";
+      mode = "400";
+      owner = psCfg.user.name;
+    };
+    age.secrets."vnc-cert.pem" = {
+      file = "${self}/secrets/vnc-cert-chocolatebar.pem";
+      mode = "400";
+      owner = psCfg.user.name;
+    };
+    pub-solar.sway.vnc.enable = true;
+    pub-solar.ci-runner.enable = true;
+
+    home-manager.users."${psCfg.user.name}" = {
+      xdg.configFile = mkIf psCfg.sway.enable {
+        "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
+        "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
+        "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+      };
+
+      home.sessionVariables = {
+        NIX_CC = "${pkgs.stdenv.cc}";
+      };
+    };
+
+    # For OpenProject development with https
+    security.pki.certificates = [
+      (builtins.readFile ./step-roots.pem)
+    ];
+  };
+}

hosts/chocolatebar/configuration.nix

@@ -0,0 +1,25 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}

hosts/chocolatebar/default.nix

@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./chocolatebar.nix
+  ] ++ suites.chocolatebar;
+}

hosts/chocolatebar/factorio/default.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, self, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+
+  far-reach = pkgs.stdenv.mkDerivation rec {
+    pname = "factorio-far-reach";
+    version = "1.1.2";
+    src = ./far-reach_1.1.2.zip;
+    phases = [ "installPhase" ];
+    deps = [ ];
+    installPhase = ''
+      mkdir -p $out
+      cp $src far-reach_1.1.2.zip
+    '';
+  };
+in
+{
+  config = {
+    services.factorio = {
+      enable = true;
+      port = 34197; # The default, but make it explicit
+      lan = true;
+      admins = [
+        "doubtwriter"
+        "kattykat"
+      ];
+      openFirewall = true;
+      autosave-interval = 3;
+      game-name = "Babes plays v2";
+      requireUserVerification = false;
+      mods = [
+        far-reach
+      ];
+    };
+  };
+}

hosts/chocolatebar/hardware-configuration.nix

@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbcore" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/a3a74208-b244-4268-b374-e58265810fce";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c";
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/12FD-62A8";
+      fsType = "vfat";
+    };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 68 * 1024; # 68 GB
+    }
+  ];
+
+}

hosts/chocolatebar/step-roots.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6DCCAY2gAwIBAgIQD4Q4blCl/ZrTIRU2QpqEOTAKBggqhkjOPQQDAjBSMSMw
+IQYDVQQKExpPcGVuUHJvamVjdCBEZXZlbG9wbWVudCBDQTErMCkGA1UEAxMiT3Bl
+blByb2plY3QgRGV2ZWxvcG1lbnQgQ0EgUm9vdCBDQTAeFw0yMjEwMTgxMTE1NDBa
+Fw0zMjEwMTUxMTE1NDBaMFIxIzAhBgNVBAoTGk9wZW5Qcm9qZWN0IERldmVsb3Bt
+ZW50IENBMSswKQYDVQQDEyJPcGVuUHJvamVjdCBEZXZlbG9wbWVudCBDQSBSb290
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu4rN0lOtgxoC83UKONMy2Ns7
+tI0/u6qPp/Cw92xhaTdh/X9ZWKqIhp2VGj2HUJOOfQXrFew7jbLGOvvoXib0Y6NF
+MEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
+FPjV1zK2GZu8x4uR0QDotk5kNinEMAoGCCqGSM49BAMCA0kAMEYCIQDS2OpCnHM7
+RV7fFHT3KsG3q4lA3dJUKGighQaQ2qOwNwIhAOMmWGWd3EaD87q4RROyVt3h7vIN
+nMJRu7L9il84hFF2
+-----END CERTIFICATE-----

hosts/chocolatebar/virtualisation/create-service.nix

@@ -0,0 +1,97 @@
+{ config, pkgs, lib, vm, ... }:
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  varsFile = "${xdg.dataHome}/libvirt/OVMF_VARS_${vm.name}.fd";
+  generateXML = import ./guest-xml.nix;
+in
+{
+  serviceConfig = {
+    Type = "oneshot";
+    RemainAfterExit = "yes";
+    Restart = "no";
+  };
+
+  script =
+    let
+      networkXML = pkgs.writeText "network.xml" (import ./network-xml.nix { inherit config; inherit pkgs; inherit lib; });
+      machineXML = pkgs.writeText "${vm.name}.xml" (vm.generateXML { inherit config; inherit pkgs; inherit lib; inherit vm; varsFile = varsFile; });
+    in
+    ''
+      echo "Checking if ${vm.name} is already running"
+      STATUS=$(${pkgs.libvirt}/bin/virsh list --all | grep "${vm.name}" | ${pkgs.gawk}/bin/awk '{ print $3 " " $4 }' )
+      if [[ $STATUS != "shut off" && $STATUS != "" ]]; then
+        echo "Domain ${vm.name} is already running or in an inconsistent state:"
+        ${pkgs.libvirt}/bin/virsh list --all
+        exit 0
+      fi
+
+      echo "Creating network XML"
+      NET_TMP_FILE="/tmp/network.xml"
+
+      NETUUID="$(${pkgs.libvirt}/bin/virsh net-uuid 'default' || true)"
+      (sed "s/UUID/$NETUUID/" '${networkXML}') > "$NET_TMP_FILE"
+
+      echo "Defining and starting network"
+      ${pkgs.libvirt}/bin/virsh net-define "$NET_TMP_FILE"
+      ${pkgs.libvirt}/bin/virsh net-start 'default' || true
+
+      VARS_FILE=${varsFile}
+      if [ ! -f "$VARS_FILE" ]; then
+        echo "Copying vars filej"
+        cp /run/libvirt/nix-ovmf/OVMF_VARS.fd "$VARS_FILE"
+      fi
+
+      echo "Replacing USB device IDs in the XML"
+      # Load the template contents into a tmp file
+      TMP_FILE="/tmp/${vm.name}.xml"
+      cat "${machineXML}" > "$TMP_FILE"
+
+      # Set VM UUID
+      UUID="$(${pkgs.libvirt}/bin/virsh domuuid '${vm.name}' || true)"
+      sed -i "s/UUID/''${UUID}/" "$TMP_FILE"
+
+      ${if vm.handOverUSBDevices then ''
+        # Hand over mouse
+        USB_BUS=5
+        USB_DEV=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c52b | grep 'Bus 005' | cut -b 18)
+        LINE_NUMBER=$(cat $TMP_FILE | grep -n -A 1 0xc52b | tail -n 1 | cut -b 1,2,3)
+        sed -i "''${LINE_NUMBER}s/.*/<address bus=\"''${USB_BUS}\" device=\"''${USB_DEV}\" \/>/" "$TMP_FILE"
+
+        # Hand over keyboard
+        USB_BUS=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c328 | cut -b 7)
+        USB_DEV=$(${pkgs.usbutils}/bin/lsusb | grep 046d:c328 | cut -b 18)
+        LINE_NUMBER=$(cat $TMP_FILE | grep -n -A 1 0xc328 | tail -n 1 | cut -b 1,2,3)
+        sed -i "''${LINE_NUMBER}s/.*/<address bus=\"''${USB_BUS}\" device=\"''${USB_DEV}\" \/>/" "$TMP_FILE"
+      '' else ""}
+
+      # TODO: Set correct pci address for the GPU too
+
+      # Setup looking glass shm file
+      echo "Setting up looking glass shm file"
+      ${pkgs.coreutils-full}/bin/truncate -s 0 /dev/shm/looking-glass
+      ${pkgs.coreutils-full}/bin/dd if=/dev/zero of=/dev/shm/looking-glass bs=1M count=32
+
+      # Load and start the xml definition
+      echo "Loading and starting the VM XML definition"
+      ${pkgs.libvirt}/bin/virsh define "$TMP_FILE"
+      ${pkgs.libvirt}/bin/virsh start '${vm.name}'
+    '';
+
+  preStop =
+    ''
+      ${pkgs.libvirt}/bin/virsh shutdown '${vm.name}'
+      let "timeout = $(date +%s) + 10"
+      while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${vm.name}$')" -gt 0 ]; do
+        if [ "$(date +%s)" -ge "$timeout" ]; then
+          # Meh, we warned it...
+          ${pkgs.libvirt}/bin/virsh destroy '${vm.name}'
+        else
+          # The machine is still running, let's give it some time to shut down
+          sleep 0.5
+        fi
+      done
+
+      ${pkgs.libvirt}/bin/virsh net-destroy 'default' || true
+    '';
+}

hosts/chocolatebar/virtualisation/default.nix

@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  createService = import ./create-service.nix;
+  generateXML = import ./guest-xml.nix;
+  generateTailsXML = import ./tails-xml.nix;
+
+  isolateGPU = "rx550x";
+  memory = 48; # in GB
+  handOverUSBDevices = true;
+
+  isolateAnyGPU = isolateGPU != null;
+in
+{
+  config = mkIf psCfg.virtualisation.enable {
+    boot.extraModprobeConfig = mkIf isolateAnyGPU (concatStringsSep "\n" [
+      "softdep amdgpu pre: vfio vfio_pci"
+      (if isolateGPU == "rx5700xt"
+      then "options vfio-pci ids=1002:731f,1002:ab38"
+      else "options vfio-pci ids=1002:699f,1002:aae0"
+      )
+    ]);
+
+    systemd.user.services = {
+      vm-windows = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "windows";
+          disk = "/dev/disk/by-id/ata-SanDisk_SDSSDA240G_162402455603";
+          id = "http://microsoft.com/win/10";
+          gpu = true;
+          mountHome = false;
+          memory = memory;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = handOverUSBDevices;
+          generateXML = generateXML;
+        };
+      };
+      vm-manjaro = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "manjaro";
+          disk = "/dev/disk/by-id/ata-KINGSTON_SM2280S3G2240G_50026B726B0265CE";
+          id = "https://manjaro.org/download/#i3";
+          gpu = true;
+          mountHome = true;
+          memory = memory;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = handOverUSBDevices;
+          generateXML = generateXML;
+        };
+      };
+      vm-tails = createService {
+        inherit config;
+        inherit pkgs;
+        inherit lib;
+        vm = {
+          name = "tails";
+          disk = "/var/lib/vms/tails/tails-amd64-5.4.iso";
+          # disk = "/var/lib/vms/nixos/nixos-minimal.iso";
+          id = "https://tails.boum.org/install/index.en.html";
+          gpu = false;
+          mountHome = false;
+          memory = 16;
+          isolateGPU = isolateGPU;
+          handOverUSBDevices = false;
+          generateXML = generateTailsXML;
+        };
+      };
+    };
+  };
+}

hosts/chocolatebar/virtualisation/guest-xml.nix

@@ -0,0 +1,246 @@
+{ config, pkgs, lib, vm, varsFile, ... }:
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  home = config.home-manager.users."${psCfg.user.name}".home;
+in
+''
+  <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+    <name>${vm.name}</name>
+    <uuid>UUID</uuid>
+    <metadata>
+      <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+        <libosinfo:os id="${vm.id}"/>
+      </libosinfo:libosinfo>
+    </metadata>
+    <memory unit='GB'>${toString vm.memory}</memory>
+    <currentMemory unit='GB'>${toString vm.memory}</currentMemory>
+    <vcpu placement='static'>12</vcpu>
+    <cputune>
+      <vcpupin vcpu='0' cpuset='6'/>
+      <vcpupin vcpu='1' cpuset='7'/>
+      <vcpupin vcpu='2' cpuset='8'/>
+      <vcpupin vcpu='3' cpuset='9'/>
+      <vcpupin vcpu='4' cpuset='10'/>
+      <vcpupin vcpu='5' cpuset='11'/>
+      <vcpupin vcpu='6' cpuset='18'/>
+      <vcpupin vcpu='7' cpuset='19'/>
+      <vcpupin vcpu='8' cpuset='20'/>
+      <vcpupin vcpu='9' cpuset='21'/>
+      <vcpupin vcpu='10' cpuset='22'/>
+      <vcpupin vcpu='11' cpuset='23'/>
+    </cputune>
+    <resource>
+      <partition>/machine</partition>
+    </resource>
+    <os>
+      <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
+      <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
+      <nvram>${varsFile}</nvram>
+      <boot dev='hd'/>
+    </os>
+    <features>
+      <acpi/>
+      <apic/>
+      <hyperv>
+        <relaxed state='on'/>
+        <vapic state='on'/>
+        <spinlocks state='on' retries='8191'/>
+        <vendor_id state='on' value='wahtever'/>
+      </hyperv>
+      <kvm>
+        <hidden state='on'/>
+      </kvm>
+      <vmport state='off'/>
+    </features>
+    <cpu mode='custom' match='exact' check='full'>
+      <model fallback='forbid'>EPYC-IBPB</model>
+      <vendor>AMD</vendor>
+      <topology sockets='1' dies='1' cores='6' threads='2'/>
+      <feature policy='require' name='x2apic'/>
+      <feature policy='require' name='tsc-deadline'/>
+      <feature policy='require' name='hypervisor'/>
+      <feature policy='require' name='tsc_adjust'/>
+      <feature policy='require' name='clwb'/>
+      <feature policy='require' name='umip'/>
+      <feature policy='require' name='stibp'/>
+      <feature policy='require' name='arch-capabilities'/>
+      <feature policy='require' name='ssbd'/>
+      <feature policy='require' name='xsaves'/>
+      <feature policy='require' name='cmp_legacy'/>
+      <feature policy='require' name='perfctr_core'/>
+      <feature policy='require' name='clzero'/>
+      <feature policy='require' name='wbnoinvd'/>
+      <feature policy='require' name='amd-ssbd'/>
+      <feature policy='require' name='virt-ssbd'/>
+      <feature policy='require' name='rdctl-no'/>
+      <feature policy='require' name='skip-l1dfl-vmentry'/>
+      <feature policy='require' name='mds-no'/>
+      <feature policy='require' name='pschange-mc-no'/>
+      <feature policy='disable' name='monitor'/>
+      <feature policy='disable' name='svm'/>
+      <feature policy='require' name='topoext'/>
+    </cpu>
+    <clock offset='utc'>
+      <timer name='rtc' tickpolicy='catchup'/>
+      <timer name='pit' tickpolicy='delay'/>
+      <timer name='hpet' present='no'/>
+    </clock>
+    <on_poweroff>destroy</on_poweroff>
+    <on_reboot>restart</on_reboot>
+    <on_crash>destroy</on_crash>
+    <pm>
+      <suspend-to-mem enabled='no'/>
+      <suspend-to-disk enabled='no'/>
+    </pm>
+    <devices>
+      <emulator>${pkgs.qemu}/bin/qemu-system-x86_64</emulator>
+      <disk type='block' device='disk'>
+        <driver name='qemu' type='raw' cache='none' discard='unmap' />
+        <source dev='${vm.disk}'/>
+        <backingStore/>
+        <target dev='vdb' bus='virtio'/>
+        <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+      </disk>
+      <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+        <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+      </controller>
+      <controller type='sata' index='0'>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+      </controller>
+      <controller type='pci' index='0' model='pcie-root'/>
+      <controller type='pci' index='1' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='1' port='0x10'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+      </controller>
+      <controller type='pci' index='2' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='2' port='0x11'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+      </controller>
+      <controller type='pci' index='3' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='3' port='0x12'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+      </controller>
+      <controller type='pci' index='4' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='4' port='0x13'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+      </controller>
+      <controller type='pci' index='5' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='5' port='0x14'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+      </controller>
+      <controller type='pci' index='6' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='6' port='0x15'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+      </controller>
+      <controller type='pci' index='7' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='7' port='0x16'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
+      </controller>
+      <controller type='pci' index='8' model='pcie-to-pci-bridge'>
+        <model name='pcie-pci-bridge'/>
+        <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+      </controller>
+      <controller type='pci' index='9' model='pcie-root-port'>
+        <model name='pcie-root-port'/>
+        <target chassis='9' port='0x17'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
+      </controller>
+      <controller type='virtio-serial' index='0'>
+        <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+      </controller>
+      ${if vm.mountHome then ''
+        <filesystem type='mount' accessmode='mapped'>
+          <source dir='/home/${psCfg.user.name}'/>
+          <target dir='/media/home'/>
+          <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
+        </filesystem>
+      '' else ""}
+      <interface type='network'>
+        <mac address='52:54:00:44:cd:ac'/>
+        <source network='default'/>
+        <model type='virtio'/>
+        <address type='pci' domain='0x0000' bus='0x08' slot='0x01' function='0x0'/>
+      </interface>
+      <console type='pty'>
+        <target type='serial' port='0'/>
+      </console>
+      <input type='tablet' bus='usb'>
+        <address type='usb' bus='0' port='1'/>
+      </input>
+      <input type='mouse' bus='virtio'/>
+      <input type='keyboard' bus='virtio'/>
+      <graphics type='spice' autoport='yes' listen='127.0.0.1'>
+        <listen type='address' address='127.0.0.1'/>
+        <image compression='off'/>
+      </graphics>
+      <video>
+        <model type='cirrus' vram='16384' heads='1' primary='yes'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+      </video>
+      ${if vm.handOverUSBDevices then ''
+        <hostdev mode='subsystem' type='usb' managed='yes'>
+          <source>
+            <vendor id='0x046d'/>
+            <product id='0xc328'/>
+            <address bus='1' device='1'/>
+          </source>
+          <address type='usb' bus='0' port='4'/>
+        </hostdev>
+        <hostdev mode='subsystem' type='usb' managed='yes'>
+          <source>
+            <vendor id='0x046d'/>
+            <product id='0xc52b'/>
+            <address bus='1' device='1'/>
+          </source>
+          <address type='usb' bus='0' port='5'/>
+        </hostdev>
+      '' else ""}
+      ${if vm.gpu && vm.isolateGPU != null then ''
+        <hostdev mode='subsystem' type='pci' managed='yes'>
+          <driver name='vfio'/>
+          <source>
+            <address domain='0x0000' bus='0x0b' slot='0x00' function='0x0'/>
+          </source>
+          <rom bar='on' file='/etc/nixos/hosts/chocolatebar/virtualisation/${vm.isolateGPU}.rom'/>
+          <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0' multifunction='on'/>
+        </hostdev>
+        <hostdev mode='subsystem' type='pci' managed='yes'>
+          <driver name='vfio'/>
+          <source>
+            <address domain='0x0000' bus='0x0b' slot='0x00' function='0x1'/>
+          </source>
+          <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x1'/>
+        </hostdev>
+      '' else ""}
+      <redirdev bus='usb' type='spicevmc'>
+        <address type='usb' bus='0' port='2'/>
+      </redirdev>
+      <redirdev bus='usb' type='spicevmc'>
+        <address type='usb' bus='0' port='3'/>
+      </redirdev>
+      <memballoon model='virtio'>
+        <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+      </memballoon>
+      <shmem name='looking-glass'>
+        <model type='ivshmem-plain'/>
+        <size unit='M'>32</size>
+      </shmem>
+    </devices>
+    <qemu:commandline>
+      <qemu:arg value='-device'/>
+      <qemu:arg value='ich9-intel-hda,bus=pcie.0,addr=0x1b'/>
+      <qemu:arg value='-device'/>
+      <qemu:arg value='hda-micro,audiodev=hda'/>
+      <qemu:arg value='-audiodev'/>
+      <qemu:arg value='pa,id=hda,server=unix:/run/user/1001/pulse/native'/>
+    </qemu:commandline>
+  </domain>
+''

hosts/chocolatebar/virtualisation/network-xml.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, lib, ... }:
+''
+  <network>
+    <name>default</name>
+    <uuid>UUID</uuid>
+    <forward mode='nat'>
+      <nat>
+        <port start='1024' end='65535'/>
+      </nat>
+    </forward>
+    <bridge name='virbr0' stp='on' delay='0'/>
+    <mac address='52:54:00:bd:a0:73'/>
+    <ip address='192.168.122.1' netmask='255.255.255.0'>
+      <dhcp>
+        <range start='192.168.122.2' end='192.168.122.254'/>
+      </dhcp>
+    </ip>
+  </network>
+''

hosts/chocolatebar/virtualisation/tails-xml.nix

@@ -0,0 +1,183 @@
+{ config, pkgs, lib, vm, varsFile, ... }:
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  home = config.home-manager.users."${psCfg.user.name}".home;
+in
+''
+    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+      <name>${vm.name}</name>
+      <uuid>UUID</uuid>
+      <metadata>
+        <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+          <libosinfo:os id="${vm.id}"/>
+        </libosinfo:libosinfo>
+      </metadata>
+      <memory unit='GB'>${toString vm.memory}</memory>
+      <currentMemory unit='GB'>${toString vm.memory}</currentMemory>
+    <vcpu placement="static">8</vcpu>
+    <os>
+      <type arch="x86_64" machine="pc-q35-7.0">hvm</type>
+      <boot dev="cdrom"/>
+    </os>
+    <features>
+      <acpi/>
+      <apic/>
+      <vmport state="off"/>
+    </features>
+    <cpu mode="host-passthrough" check="none" migratable="on"/>
+    <clock offset="utc">
+      <timer name="rtc" tickpolicy="catchup"/>
+      <timer name="pit" tickpolicy="delay"/>
+      <timer name="hpet" present="no"/>
+    </clock>
+    <on_poweroff>destroy</on_poweroff>
+    <on_reboot>restart</on_reboot>
+    <on_crash>destroy</on_crash>
+    <pm>
+      <suspend-to-mem enabled="no"/>
+      <suspend-to-disk enabled="no"/>
+    </pm>
+    <devices>
+      <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
+      <disk type="file" device="cdrom">
+        <driver name="qemu" type="raw"/>
+        <source file="${vm.disk}"/>
+        <target dev="sda" bus="sata"/>
+        <readonly/>
+        <address type="drive" controller="0" bus="0" target="0" unit="0"/>
+      </disk>
+      <controller type="usb" index="0" model="qemu-xhci" ports="15">
+        <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
+      </controller>
+      <controller type="pci" index="0" model="pcie-root"/>
+      <controller type="pci" index="1" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="1" port="0x10"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
+      </controller>
+      <controller type="pci" index="2" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="2" port="0x11"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
+      </controller>
+      <controller type="pci" index="3" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="3" port="0x12"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
+      </controller>
+      <controller type="pci" index="4" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="4" port="0x13"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/>
+      </controller>
+      <controller type="pci" index="5" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="5" port="0x14"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x4"/>
+      </controller>
+      <controller type="pci" index="6" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="6" port="0x15"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x5"/>
+      </controller>
+      <controller type="pci" index="7" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="7" port="0x16"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x6"/>
+      </controller>
+      <controller type="pci" index="8" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="8" port="0x17"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x7"/>
+      </controller>
+      <controller type="pci" index="9" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="9" port="0x18"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0" multifunction="on"/>
+      </controller>
+      <controller type="pci" index="10" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="10" port="0x19"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x1"/>
+      </controller>
+      <controller type="pci" index="11" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="11" port="0x1a"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x2"/>
+      </controller>
+      <controller type="pci" index="12" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="12" port="0x1b"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x3"/>
+      </controller>
+      <controller type="pci" index="13" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="13" port="0x1c"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x4"/>
+      </controller>
+      <controller type="pci" index="14" model="pcie-root-port">
+        <model name="pcie-root-port"/>
+        <target chassis="14" port="0x1d"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x5"/>
+      </controller>
+      <controller type="sata" index="0">
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/>
+      </controller>
+      <controller type="virtio-serial" index="0">
+        <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
+      </controller>
+      <interface type="network">
+        <mac address="52:54:00:58:5e:36"/>
+        <source network="default"/>
+        <model type="virtio"/>
+        <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
+      </interface>
+      <serial type="pty">
+        <target type="isa-serial" port="0">
+          <model name="isa-serial"/>
+        </target>
+      </serial>
+      <console type="pty">
+        <target type="serial" port="0"/>
+      </console>
+      <channel type="unix">
+        <target type="virtio" name="org.qemu.guest_agent.0"/>
+        <address type="virtio-serial" controller="0" bus="0" port="1"/>
+      </channel>
+      <channel type="spicevmc">
+        <target type="virtio" name="com.redhat.spice.0"/>
+        <address type="virtio-serial" controller="0" bus="0" port="2"/>
+      </channel>
+      <input type="tablet" bus="usb">
+        <address type="usb" bus="0" port="1"/>
+      </input>
+      <input type="mouse" bus="ps2"/>
+      <input type="keyboard" bus="ps2"/>
+      <graphics type="spice" autoport="yes">
+        <listen type="address"/>
+        <image compression="off"/>
+      </graphics>
+      <sound model="ich9">
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x1b" function="0x0"/>
+      </sound>
+      <audio id="1" type="spice"/>
+      <video>
+        <model type="qxl" ram="65536" vram="65536" vgamem="16384" heads="1" primary="yes"/>
+        <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/>
+      </video>
+      <redirdev bus="usb" type="spicevmc">
+        <address type="usb" bus="0" port="2"/>
+      </redirdev>
+      <redirdev bus="usb" type="spicevmc">
+        <address type="usb" bus="0" port="3"/>
+      </redirdev>
+      <memballoon model="virtio">
+        <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
+      </memballoon>
+      <rng model="virtio">
+        <backend model="random">/dev/urandom</backend>
+        <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
+      </rng>
+    </devices>
+  </domain>''

hosts/droppie/configuration.nix

@@ -0,0 +1,29 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    device = "nodev";
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+}
+

hosts/droppie/default.nix

@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./droppie.nix
+  ] ++ suites.droppie;
+}

hosts/droppie/droppie.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, lib, self, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    hardware.cpu.intel.updateMicrocode = true;
+
+    pub-solar.core.disk-encryption-active = false;
+    pub-solar.core.lite = true;
+
+    security.sudo.extraRules = [
+      {
+        users = [ "${psCfg.user.name}" ];
+        commands = [
+          {
+            command = "ALL";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+    ];
+
+    services.openssh.knownHosts = {
+      "cloud.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABPJSwr9DfnqV0KoL23BcxlWtRxuOqQpnFnCv4SG/LW";
+    };
+
+    systemd.services.ssh-tunnel-cloud-pub-solar = {
+      unitConfig = {
+        Description = "Reverse SSH connection to enable backups from IPv4-only to IPv6-only host";
+        After = [ "network.target" ];
+      };
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o 'ServerAliveInterval 10' -o 'ExitOnForwardFailure yes' -R 127.0.0.1:22022:localhost:22 root@cloud.pub.solar";
+        User = psCfg.user.name;
+        Group = "users";
+        Restart = "always";
+        RestartSec = "5s";
+      };
+      wantedBy = [ "default.target" ];
+    };
+
+    services.ddclient = {
+      enable = true;
+      ipv6 = true;
+      domains = [ "backup.b12f.io" ];
+      server = "ddns.hosting.de";
+      username = "b12f";
+      use = "web, web=http://checkip6.spdyn.de/, web-skip=''";
+      passwordFile = "/run/agenix/dyndns-droppie.key";
+    };
+
+    age.secrets."dyndns-droppie.key" = {
+      file = "${self}/secrets/dyndns-droppie.key";
+      mode = "400";
+      owner = "root";
+    };
+  };
+}

hosts/droppie/hardware-configuration.nix

@@ -0,0 +1,54 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "usbhid" "uas" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/1dca9d02-555c-4b23-9450-8f3413fa7694";
+      fsType = "xfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/A24C-F252";
+      fsType = "vfat";
+    };
+
+  fileSystems."/media/internal" =
+    {
+      device = "/dev/disk/by-uuid/5cf314a8-82f4-4037-a724-62d2ff226cff";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    {
+      device = "/dev/disk/by-uuid/2ef980f1-1f27-4d2a-9789-00f45e791fcc";
+      fsType = "xfs";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/0203b641-280f-4a3d-971d-fd32a666c852"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+  networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

modules/audio/mopidy.nix

@@ -5,7 +5,7 @@ pkgs: {
     mopidy-soundcloud
     mopidy-youtube
     mopidy-local
-    mopidy-jellyfin
+    # mopidy-jellyfin
   ];
 
   configuration = ''

modules/core/boot.nix

@@ -1,8 +1,8 @@
 { config, pkgs, lib, ... }:
-with lib;
 let
   cfg = config.pub-solar.core;
 in
+with lib;
 {
   options.pub-solar.core.iso-options.enable = mkOption {
     type = types.bool;

modules/devops/default.nix

@@ -12,6 +12,7 @@ in
   config = mkIf cfg.enable {
     home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
       home.packages = [
+        croc
         drone-cli
         nmap
         pgcli
@@ -20,6 +21,7 @@ in
         restic
         shellcheck
         terraform_0_15
+        tea
       ];
     };
   };

modules/mobile/default.nix

@@ -0,0 +1,19 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.mobile;
+in
+{
+  options.pub-solar.mobile = {
+    enable = mkEnableOption "Add android adb and tooling";
+  };
+
+  config = mkIf cfg.enable {
+    programs.adb.enable = true;
+
+    users.users = with pkgs; lib.setAttrByPath [ psCfg.user.name ] {
+      extraGroups = [ "adbusers" ];
+    };
+  };
+}

modules/paperless/default.nix

@@ -0,0 +1,37 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.paperless;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  options.pub-solar.paperless = {
+    enable = mkEnableOption "All you need to go paperless";
+    ocrLanguage = mkOption {
+      description = "OCR language";
+      type = types.str;
+      example = "eng+deu";
+      default = "eng";
+    };
+    consumptionDir = mkOption {
+      description = "Directory to be watched";
+      type = types.str;
+      example = "/var/lib/paperless/consume";
+      default = "/home/${psCfg.user.name}/Documents";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.paperless-ng = {
+      enable = true;
+      consumptionDir = cfg.consumptionDir;
+      extraConfig = {
+        PAPERLESS_OCR_LANGUAGE = cfg.ocrLanguage;
+      };
+    };
+    environment.systemPackages = [
+      pkgs.hplip
+    ];
+  };
+}

modules/paranoia/default.nix

@@ -22,6 +22,10 @@ in
     pub-solar.core.hibernation.enable = true;
     services.logind.lidSwitch = "hibernate";
 
+    services.tor.settings = {
+      UseBridges = true;
+    };
+
     # The options below are directly taken from or inspired by
     # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
 

modules/printing/default.nix

@@ -25,6 +25,7 @@ in
     hardware.sane = {
       enable = true;
       brscan4.enable = true;
+      extraBackends = [ pkgs.hplipWithPlugin ];
     };
   };
 }

modules/sway/config/config.d/custom-keybindings.conf

@@ -36,3 +36,11 @@ bindsym $mod+Ctrl+r exec record-screen
 # Launcher
 set $menu exec alacritty --class launcher -e env TERMINAL_COMMAND="alacritty -e" sway-launcher
 bindsym $mod+Space exec $menu
+
+set $mode_vncclient In VNCClient mode. Press $mod+Num_Lock or $mod+Shift+Escape to return.
+bindsym $mod+Num_Lock mode "$mode_vncclient"
+bindsym $mod+Shift+Escape mode "$mode_vncclient"
+mode "$mode_vncclient" {
+    bindsym $mod+Num_Lock mode "default"
+    bindsym $mod+Shift+Escape mode "default"
+}

modules/sway/config/wayvnc/config.nix

@@ -0,0 +1,8 @@
+{ psCfg, pkgs }: "
+address=0.0.0.0
+enable_auth=true
+username=${psCfg.user.name}
+password=testtest
+private_key_file=/run/agenix/vnc-key.pem
+certificate_file=/run/agenix/vnc-cert.pem
+"

modules/sway/default.nix

@@ -13,6 +13,8 @@ in
       description = "Choose sway's default terminal";
     };
 
+    vnc.enable = mkEnableOption "Enable vnc service";
+
     v4l2loopback.enable = mkOption {
       type = types.bool;
       default = true;
@@ -93,6 +95,8 @@ in
         systemd.user.services.waybar = import ./waybar.service.nix { inherit pkgs psCfg; };
         systemd.user.targets.sway-session = import ./sway-session.target.nix { inherit pkgs psCfg; };
 
+        systemd.user.services.wayvnc = mkIf psCfg.sway.vnc.enable (import ./wayvnc.service.nix pkgs);
+
         xdg.configFile."sway/config".text = import ./config/config.nix { inherit config pkgs; };
         xdg.configFile."sway/config.d/colorscheme.conf".source = ./config/config.d/colorscheme.conf;
         xdg.configFile."sway/config.d/theme.conf".source = ./config/config.d/theme.conf;
@@ -101,6 +105,7 @@ in
         xdg.configFile."sway/config.d/mode_system.conf".text = import ./config/config.d/mode_system.conf.nix { inherit pkgs psCfg; };
         xdg.configFile."sway/config.d/applications.conf".source = ./config/config.d/applications.conf;
         xdg.configFile."sway/config.d/systemd.conf".source = ./config/config.d/systemd.conf;
+        xdg.configFile."wayvnc/config".text = import ./config/wayvnc/config.nix { inherit psCfg; inherit pkgs; };
       };
     })
   ]);

modules/sway/wayvnc.service.nix

@@ -0,0 +1,19 @@
+pkgs:
+{
+  Unit = {
+    Description = "A VNC server for wlroots based Wayland compositors ";
+    Documentation = "https://github.com/any1/wayvnc";
+    BindsTo = [ "sway-session.target" ];
+    After = [ "graphical-session-pre.target" "network-online.target" ];
+    Wants = [ "graphical-session-pre.target" "network-online.target" ];
+  };
+
+  Service = {
+    Type = "simple";
+    ExecStart = "${pkgs.wayvnc}/bin/wayvnc -r -p 0.0.0.0 5901";
+  };
+
+  Install = {
+    WantedBy = [ "sway-session.target" ];
+  };
+}

modules/terminal-life/nvim/default.nix

@@ -56,6 +56,16 @@ let
     };
   };
 
+  vim-mdx-js = pkgs.vimUtils.buildVimPlugin {
+    name = "vim-mdx-js";
+    src = pkgs.fetchFromGitHub {
+      owner = "jxnblk";
+      repo = "vim-mdx-js";
+      rev = "17179d7f2a73172af5f9a8d65b01a3acf12ddd50";
+      sha256 = "wfYCvw9JVGG8p8PQhRPT6CeGGf2OVz9SR2KQM0LjQhY=";
+    };
+  };
+
   apprentice = pkgs.vimUtils.buildVimPlugin {
     name = "vim-apprentice";
     src = pkgs.fetchFromGitHub {
@@ -90,13 +100,13 @@ in
     nodePackages.vue-language-server
     nodePackages.vscode-langservers-extracted
     nodePackages.yaml-language-server
+    vscode-extensions.angular.ng-template
     python39Packages.python-lsp-server
     python3Full
     solargraph
     rnix-lsp
     rust-analyzer
     terraform-ls
-    universal-ctags
   ];
 
   plugins = with pkgs.vimPlugins; [
@@ -117,7 +127,6 @@ in
     quick-scope
     suda-vim
     syntastic
-    vim-gutentags
     vim-vinegar
     workspace
 
@@ -156,6 +165,7 @@ in
     vim-toml
     vim-vue
     yats-vim
+    vim-mdx-js
   ];
 
   extraConfig = builtins.concatStringsSep "\n" [

modules/terminal-life/nvim/lsp.vim

@@ -74,7 +74,8 @@ lua <<EOF
 
   -- Add additional capabilities supported by nvim-cmp
   local capabilities = vim.lsp.protocol.make_client_capabilities()
-  capabilities = require('cmp_nvim_lsp').update_capabilities(capabilities)
+  -- vscode HTML lsp needs this https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md#html
+  capabilities.textDocument.completion.completionItem.snippetSupport = true
 
   -- vscode HTML lsp needs this https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md#html
   capabilities.textDocument.completion.completionItem.snippetSupport = true
@@ -173,6 +174,13 @@ lua <<EOF
     end
   end -- ‡
 
+  -- configure floating diagnostics appearance, symbols
+  local signs = { Error = " ", Warn = " ", Hint = " ", Info = " " }
+  for type, icon in pairs(signs) do
+    local hl = "DiagnosticSign" .. type
+    vim.fn.sign_define(hl, { text = icon, texthl = hl, numhl = hl })
+  end
+
   -- Set completeopt to have a better completion experience
   vim.o.completeopt = 'menuone,noselect'
 

modules/terminal-life/zsh/default.nix

@@ -134,6 +134,5 @@ in
     source ${pkgs.fzf}/share/fzf/completion.zsh
     source ${pkgs.git-bug}/share/zsh/site-functions/git-bug
     eval "$(direnv hook zsh)"
-  ''
-  + builtins.readFile ./fzf.zsh;
+  '';
 }

overlays/overrides.nix

@@ -4,6 +4,8 @@ channels: final: prev: {
 
   inherit (channels.latest)
     cachix
+    docker
+    docker-compose
     dhall
     discord
     element-desktop
@@ -19,6 +21,16 @@ channels: final: prev: {
     tdesktop
     arduino
     arduino-cli
+    steam
+    firefox
+    ;
+
+  inherit (channels.pub-solar)
+    yubikey-agent
+    ;
+
+  inherit (channels.master)
+    factorio-headless
     ;
 
 

pkgs/default.nix

@@ -19,6 +19,5 @@ with final; {
   wcwd = writeShellScriptBin "wcwd" (import ./wcwd.nix final);
   drone-docker-runner = writeShellScriptBin "drone-docker-runner" (import ./drone-docker-runner.nix final);
   record-screen = writeShellScriptBin "record-screen" (import ./record-screen.nix final);
-
-  # ps-fixes
+  scan2paperless = writeShellScriptBin "scan2paperless" (import ./scan2paperless.nix final);
 }

pkgs/drone-docker-runner.nix

@@ -8,7 +8,7 @@ self: with self; ''
         --env=DRONE_RPC_SECRET=$(${self.libsecret}/bin/secret-tool lookup drone rpc-secret) \
         --env=DRONE_RUNNER_CAPACITY=8 \
         --env=DRONE_RUNNER_NAME=$(${self.inetutils}/bin/hostname) \
-        --publish=3000:3000 \
+        --publish=30010:30010 \
         --restart=always \
         --name=drone-runner \
         drone/drone-runner-docker:1

pkgs/scan2paperless.nix

@@ -0,0 +1,3 @@
+self: with self; ''
+  export PATH=${lib.makeBinPath [ pkgs.coreutils pkgs.sane-frontends pkgs.sane-backends pkgs.ghostscript pkgs.imagemagick ]}
+''

profiles/base-user/home.nix

@@ -9,7 +9,7 @@ in
     ./session-variables.nix
   ];
 
-  home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
+  home-manager.users = pkgs.lib.setAttrByPath [ psCfg.user.name ] {
     # Let Home Manager install and manage itself.
     programs.home-manager.enable = true;
 

profiles/core/default.nix

@@ -0,0 +1,132 @@
+{ self, config, lib, pkgs, inputs, ... }:
+let inherit (lib) fileContents;
+in
+{
+  # Sets nrdxp.cachix.org binary cache which just speeds up some builds
+  imports = [ ../cachix ];
+
+  config = {
+    pub-solar.terminal-life.enable = true;
+    pub-solar.audio.enable = true;
+    pub-solar.crypto.enable = true;
+    pub-solar.devops.enable = true;
+
+    # This is just a representation of the nix default
+    nix.systemFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+
+    environment = {
+
+      systemPackages = with pkgs; [
+        # Core unix utility packages
+        coreutils-full
+        progress
+        dnsutils
+        inetutils
+        mtr
+        pciutils
+        usbutils
+        gitFull
+        git-lfs
+        git-bug
+        wget
+        openssl
+        openssh
+        curl
+        htop
+        lsof
+        psmisc
+        xdg-utils
+        sysfsutils
+        renameutils
+        nfs-utils
+        moreutils
+        mailutils
+        keyutils
+        input-utils
+        elfutils
+        binutils
+        dateutils
+        diffutils
+        findutils
+        exfat
+        file
+
+        # zippit
+        zip
+        unzip
+
+        # Modern modern utilities
+        p7zip
+        croc
+        jq
+
+        # Nix specific utilities
+        niv
+        manix
+        nix-index
+        nix-tree
+        nixpkgs-review
+        # Build broken, python2.7-PyJWT-2.0.1.drv' failed
+        #nixops
+        psos
+        nvd
+
+        # Fun
+        neofetch
+      ];
+    };
+
+    fonts = {
+      fonts = with pkgs; [ powerline-fonts dejavu_fonts ];
+
+      fontconfig.defaultFonts = {
+
+        monospace = [ "DejaVu Sans Mono for Powerline" ];
+
+        sansSerif = [ "DejaVu Sans" ];
+
+      };
+    };
+
+    nix = {
+      # use nix-dram, a patched nix command, see: https://github.com/dramforever/nix-dram
+      package = inputs.nix-dram.packages.${pkgs.system}.nix-dram;
+
+      # Improve nix store disk usage
+      autoOptimiseStore = true;
+      gc.automatic = true;
+      optimise.automatic = true;
+
+      # Prevents impurities in builds
+      useSandbox = true;
+
+      # give root and @wheel special privileges with nix
+      trustedUsers = [ "root" "@wheel" ];
+
+      # Generally useful nix option defaults
+      extraOptions = ''
+        min-free = 536870912
+        keep-outputs = true
+        keep-derivations = true
+        fallback = true
+        # used by nix-dram
+        default-flake = flake:nixpkgs
+      '';
+    };
+
+    # For rage encryption, all hosts need a ssh key pair
+    services.openssh = {
+      enable = true;
+      openFirewall = lib.mkDefault true;
+      passwordAuthentication = false;
+    };
+
+    # Service that makes Out of Memory Killer more effective
+    services.earlyoom.enable = true;
+
+    # Use latest LTS linux kernel by default
+    boot.kernelPackages = pkgs.linuxPackages_5_15;
+
+    boot.supportedFilesystems = [ "ntfs" ];
+  };
+}

profiles/gaming/default.nix

@@ -3,7 +3,4 @@ let inherit (lib) fileContents;
 in
 {
   pub-solar.gaming.enable = true;
-  pub-solar.docker.enable = true;
-  pub-solar.docker.enable = true;
-  pub-solar.docker.enable = true;
-};
+}

profiles/iot/default.nix

@@ -0,0 +1,8 @@
+{ self, config, lib, pkgs, ... }:
+let inherit (lib) fileContents;
+in
+{
+  pub-solar.graphical.enable = false;
+  pub-solar.x-os.localProxyService.enable = false;
+  pub-solar.sway.enable = false;
+}

profiles/mobile/default.nix

@@ -0,0 +1,6 @@
+{ self, config, lib, pkgs, ... }:
+let inherit (lib) fileContents;
+in
+{
+  pub-solar.mobile.enable = true;
+}

profiles/virtualisation/default.nix

@@ -0,0 +1,6 @@
+{ self, config, lib, pkgs, ... }:
+let inherit (lib) fileContents;
+in
+{
+  pub-solar.virtualisation.enable = true;
+}

secrets/dyndns-droppie.key

@@ -0,0 +1,27 @@
+age-encryption.org/v1
+-> ssh-rsa kFDS0A
+lbrJzpCXpf3BJYL80d2vD/b4raoPnUKV0D9Ka9yKb72W3ATfA/Cqq7vpisHRnwyj
+3pt1TfrPzti/8ZKDqY/Zw171jQbOF6zW45z4m8yJu4J1LYXh8yYrTR3YPwhPoGYm
+eZJWWj2YghqCFC7vdL/wZFjkStxwBGgrJfNOxJBcXOpUX2TOzfdNAgJ/pEkvdd/L
+jktiU5ITt7KXruwSEXRzHVfmntl4SaqDqYfeb0Y0q2a1oMpxTnBKcYXj6dYcZIHv
+Lm8HX0JsIiThz/DXB4sP2O5GlGeYyibj2iMSCsCqadwDpUndVtJnzFgjSQD5A0gd
+enNTYly3GSmC9TWt/r2VHHyneAnJ3HQKB5hUEqxPz9peemnvfTA89SIGHddmkXfY
+XSeN5WJnSG0+WAOwrpJjzl9CgUg9xJS7dDqVob3CwL9oVEQP8FcuuyqCg72ppd4J
+fdseq5/R+HuVnh6sEUHoaHEDidHtTrpE2Rd49Tesj/BT+YrJyQ/kQqHmy9RiLU2f
+DSRwLO4/qHF6W8UfuF2N08aMxRpxqXPWTjI/vHxoSJRcSqaofF42x50OQU8lY96c
+8bPlDPB7HOBg+7bVvOQCaR3+KRuOx+HYpeMwEokQTwCke+frPfXorilNbAcaFUp4
+QiU1sUZia/FOZ+j47+6pkfC2DfLpiNL2TLWYcNtIzUc
+-> ssh-ed25519 7Wns0A aKiZ8iw+Ub5rByBef0apOn6lG5Bv6tzFCiBu3DN6sSg
+58+9kySg3ajO7E5V87b/qRu9axpu2hQUuY/cVTt2YdI
+-> ssh-rsa wVtlwQ
+RbrfuwS5zQzL9yMWFDSnWj9cQFLirTH37Xf79Dis2CJIDd83vmlmGNY5x1aPpZoZ
+J6XDhibGTJc02DYuNVIE1IXm0x9tc6Z9PTT+WiAFt1JuKHguXTWLRMM9HmyvWWDg
+bFsRDAcYup+SK5d+ME+XooDGueC822rAjkGIRHNSCimGwuLpDRKqyyVfYA+dcfiP
+EoYH7x4S09jYRr1C5EkbraLbm1vijc5ikJw3b42KKbyo3wDwKga+Vk2nl2AtgjZp
+KipZlyjs+IjMRXX5IBpgoRtXcvHuidsOSc+guRo0ihF9MbzRc/Tt2g0V7t3KjeT0
+SJDLmHOos2RKTmx06aidDg
+-> Dz(k-grease ~FF p m)E{J3E
+7Igp3pclCAzAmeky5cPqlIzcITT+0jvieQe7ruSxRYRYqpYU7tMQFmHuNUahp+BP
+MzOYiM+PIQmn
+--- IC9SI76EjaFZxQ5odEeIv49n/O8uOdpM6LE1Z7dtHg4
+l%Àu¯¯ÃE„\ÎüÔ?2\&ÚwG&@¡­W£~9"úŠ^ÊƆý¼Á<>oån^šë<C5A1>㻳xšèOI‡¢uOíò‡21c*ãm¸%ô)ý#”جeõIÙ6îA/i

secrets/mopidy.conf

@@ -0,0 +1,44 @@
+age-encryption.org/v1
+-> ssh-rsa kFDS0A
+pgJUXnYT0UgB7h8dWOBCIO6OuXwpjmBuQpJBXnI2Zh5X2fiGQVyrrcrm8VSWLHOd
+za9SME+PxcGXDGgwaGpCl8tOh93WRUC0RtNTBmoiyzrfkbQtm9gfnt51JpHscuTc
+wzZ9cxMvtKSNGsCuK5oeX9ZxVgXH5QFomwvADXoy14HacgEOzLTPU6vrPrOonGAG
+kDqYDzf87V2BfPttzONoScsVsFV26EQntxDx5/8Hja4ceOvgBwm2GczUzpgfIRCA
+To+az2B1Y0h/BWMqzRAhobuN/UIQcZAKro4uf8SbpKqPQrON+k1tAE+lrMUFLx1A
+2ZayulT/Partcm6L8Yb0JAn24eXFla52XQ6JyukSbtoqZxEQIcjbM34+KFKMftIA
+M8taZIG2JWyFdHBPO4RAMyGbNpQN5hsDvJWGIJePj4bAxW7GX9JJiT7gg1iCKce3
+SINdaBt4O3RJ49wTGqJtMSJSlfzLf7s4zHx5oaozAEt84h97A2Yt/8Lg1Wmc2Aji
+Q4XG6w8OQ/Fk8E/EeSZ27udMHF94TfQ9mzbKdMJRclLDlKKlxeYA6gea4QYb6GLi
+8tY6qnDpF9jwV7ehehM9KYhJcCLw7MYNwGI6oPmTagZCRhXDYULbmK5gfkspcrZ1
+zZn5yOCwt+MA3U2NfpxNOMs0LvaGU7HOruzyD9DLp+4
+-> ssh-ed25519 TnSWKQ SWZZJeUCYeSkYwIKmrsMa/MUkNK7xIn+213hy6X51Uk
+FDzM+HzDh+5+9RI+gjTPKNT74DPSvxA+CKJpHXSMX5c
+-> ssh-rsa 8daibg
+XthUstyN7tDd/vAw3y6knQWNI1M2GEKGDzvmOXFMgwxUcBUNPZmPnZvTfmUXY81Z
+iF13Lruwid0/4Pb9dcYyyifzoqnNb6SvnzczoUSpqQc6m+6BLX4kSTIN1Pulwt8A
+kWrOekvKy9J7Z2QsW6QKfxB4xaAc+BA9kHOgWWpLTyx2GOm0ksLjUnsd3Zo/xXsc
+JpjuSNcsUM9mCP00RjamX1SwrAc/tRnoOSOD6jmED5M0Xfb7bE2AORUQ3Em8B4iG
+CgaTEXFppZN96+BHOumOP1wAbH7uI0EdQP/SvR+qelCH35C0pSWZ4AuyvT5kvoYL
+CyK6GQ8rVnDrBaWQIj4TPhpB1xVxKd01AZX9ITdhPdTATJFwCcVxoWgCTtjNGaIc
+4GldFh0+nXUUV9spzxFbAhiJwy+PHfNfuJ1gyYMrgLY4mQPhA6ntPeWqZOb20cYZ
+ABl7eHN9AAQnibw6EufkgH/U9v81HlWjbLWedAHNPGAldDF5uNrY+FRiqXWT2Ivb
+9CkU/pUFAAcZs7GwEHTVz2dWsuxthS/P/DhN1YshDmY17gTBEf+40SUATsD1wBV0
+tdmbU3i79djbfXXvazR+hi7qDtKo+zJKCDORSq66J70njl0pwN/QIKGQnKt5sYCm
+3kPTZHrR6ys82MhTFk/C1G4aJjQScTz4buA5UH+0hsE
+-> ssh-ed25519 2Ca8Kg eqyr8Yr3rrWlhCd+TmKsnywFdp1mwt3jZwuJzO0TwzM
+mcfYZGTAebrZY9Ool8sPn25wPiwe6StBUzdVAyEErAE
+-> ssh-rsa 2ggJWw
+h00c7evck2bHux9EhMjLQa1f3O3tReLd65LDJB28jH7SbpT6t8Gxfk9tamGFHg4Z
+lGxkzZjK9xnroBpZv5ikuP+tD7A6A2saDXDnnAw+wHUGv0UO5yzr0HPIvwE1bVR5
+GOW1iqPMHKB2v6NeTaBG1g5TohSYEDDINkQv+Q4NyPhdpX9bGd3biWiBAa1gy3Xp
+XmDwtUfBg9IN+EeQTpC/tc4C1pLd3k7E+5pZDQebfTlvXZ83SH05BpBnpakPWNty
+Pf3s/iMwWBiJ+8GiwQ7c6FjTrr9ImJe8nD6mknWGpsMEQ9wB4Bd9l5RTjpTW9wCo
+DNtN8Mo0SGgFXjj/5XO0kMDhDike/GLr6wfD0HVgRP9MtcatvEaezp4RY6NIknjy
+F49KFsZWhzqwU2c4VX3ayFGJHcn/TT6o2QL3qZoI6x23ZFHQlXtQjXfhTkXk2qJt
+565cgrWzLYV7y+DB5fwaG/+Twlnr8rMQOPwyEnrWylh+AY3H/2/M1qQz2b2UQapl
+
+-> }L0d&,o-grease QVMP gPkF4&,`
+YaavYxfymQIl4xRnz1AZxLAY7+r2R9Mftt9AIk11bEymVtCWhsWtSbnhsq9q+fjm
+yYwVUyIh4eeH4oOdz3ssnmB3gg
+--- 5VOiRneXGtTtik3m0OJY8zV8Sboh18DIB4eM07M+1Lo
+ö™:üŠØþI{ˆzþ)ƒô½-tÈ«½©jT»0rE™ÚYæg4wFA³SÖ÷9RÐ
…çë
Q¡5<C2A1>c{ºÈz–j…lÁRAØãàÛH”
L	y£ø²W•6¢¢l>¸–ߪ}­m¤Ý¿óÆbѱ“ô6*ÎËg"ßãÈè}Xˆí>W¬œÛÇ<C39B>ÕTÉÞ­™é¼Ì#
mÍi@êiö:°zõ愲jbc(ƦŸýìùô{ô™¨ª¯©âwã(ÖθÈäyÔ§`iÌó_ïC-`ŽP‘ô³²e«¶ç<C2B6>CÈ»tSÆ5Ž·e÷Zp%þQ´B¿Êh4yžC°dY¿«<C2BF>—Lˆ<Nw½µýÆ<>„ÊVñ4ù/ð:•+Ÿãx5ÚÞÁ8_V F6ð½)a>….
}É‘^h¿óÖ®îÍ<C3AE>ø.Ÿ’<C5B8>»ËË¿GÑà”›ÿ~ÝŒd¢EoZ=|×C•O
ö”x7›,Nƒ•ïú¹PÖ䥈%*I%®kÎ[<5B>ØÐ|-<2D>ÈžT¦úe~3¥6ËÞ!C"Öai/kDmì]<5D>íJ÷Û>ü¬n^»OýÚ—MãÌíü‚SÁ°7„¼»<C2BC>1P\ý€ú?x\;B¸#u”BŽ$hѵ:¶Ë

secrets/secrets.nix

@@ -1,9 +1,60 @@
 let
   # set ssh public keys here for your system and user
-  system = "";
-  user = "";
-  allKeys = [ system user ];
+  bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw== hello@benjaminbaedorf.com";
+
+  biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo";
+  biolimo-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo";
+
+  chocolatebar-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZT3QrKugNTWNOwYziQnxrT5zFqWQDafWjScDuIpMhN root@chocolatebar";
+  chocolatebar-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= ben@chocolatebar";
+
+  droppie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDuXuPPDXTyJgy4JRwbKcPbawvVB1Il2neyRWb4O5sJ root@nixos";
+  droppie-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnYTlTmHCl6LOkexqRR9LqjOoFgt9TQ4VzHQGRHJMzF/AGcDRoqC+pBLFSTzRb5/ikAOsb32XHyKVg4nNdJeQshO11QtDmkCB02D/XcIXxnNQ5A8CztT2az5xJtbbWSdamMnHBLcqLiwoLmXbERpdlt8jNqMHrz+bjCUGYVAFSfc/WdIs6EATJ1eF0VFxv7nUh4qhgStABSwhNsnoYOC/DOBSA9aBP1f5Fz9QHUioPTGi2hRwbTbtFUvTrymPpWVFRApa1zvGXcr4YUCm7ia1ZlZKzRpsPkwLxb8Omm4bGmR0cAVwVhVRySnhpCTwbIBLyw+H8PvKWBBba1NAKyMij root@droppie";
+
+  allKeys = [
+    bbcom
+
+    biolimo-host
+    biolimo-user
+
+    chocolatebar-host
+    chocolatebar-user
+  ];
+
+  biolimoKeys = [
+    bbcom
+
+    biolimo-host
+    biolimo-user
+  ];
+
+  chocolatebarKeys = [
+    bbcom
+
+    chocolatebar-host
+    chocolatebar-user
+  ];
+
+  droppieKeys = [
+    bbcom
+
+    droppie-host
+    droppie-user
+  ];
 in
 {
-  "secret.age".publicKeys = allKeys;
+  "keyfile-biolimo.bin".publicKeys = biolimoKeys;
+
+  "keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+  "crypto_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+  "hdd_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+
+  "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys;
+  "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys;
+
+  "drone-runner-exec-config".publicKeys = allKeys;
+
+  "dyndns-droppie.key".publicKeys = droppieKeys;
+
+  "mopidy.conf".publicKeys = allKeys;
 }

users/ben/.config/msmtp/config

@@ -0,0 +1,72 @@
+account hello@benjaminbaedorf.eu
+  host mail.hosting.de
+  port 587
+  protocol smtp
+  auth on
+  from hello@benjaminbaedorf.eu
+  user hello@benjaminbaedorf.eu
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account benjamin.baedorf@rwth-aachen.de
+  host mail.rwth-aachen.de
+  port 587
+  protocol smtp
+  auth on
+  from benjamin.baedorf@rwth-aachen.de
+  user bb564306@rwth-aachen.de
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account b.baedorf@openproject.com
+  host smtp.mailbox.org
+  port 587
+  protocol smtp
+  auth on
+  from b.baedorf@openproject.com
+  user b.baedorf@openproject.com
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account byb@miom.space
+  host mail.hosting.de
+  port 587
+  protocol smtp
+  auth on
+  from byb@miom.space
+  user byb@miom.space
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account admins@pub.solar
+  host mail.greenbaum.cloud
+  port 587
+  protocol smtp
+  auth on
+  from admins@pub.solar
+  user admins@pub.solar
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account crew@pub.solar
+  host mail.greenbaum.cloud
+  port 587
+  protocol smtp
+  auth on
+  from crew@pub.solar
+  user crew@pub.solar
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+account mail@b12f.io
+  host mail.b12f.io
+  port 587
+  protocol smtp
+  auth on
+  from mail@b12f.io
+  user mail@b12f.io
+  tls on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+
+account default : hello@benjaminbaedorf.eu

users/ben/.config/mutt/admins@pub.solar.muttrc

@@ -0,0 +1,19 @@
+# vim: filetype=muttrc
+
+set from = "pub.solar Admins <admins@pub.solar>"
+set sendmail = "msmtp -a admins@pub.solar"
+set signature = "~/.config/mutt/admins@pub.solar.signature"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+admins\@pub.solar/INBOX"
+set postponed   = "+admins\@pub.solar/Drafts"
+set record      = "+admins\@pub.solar/Sent"
+set trash       = "+admins\@pub.solar/Trash"
+mbox-hook   = "+admins\@pub.solar/Archive"
+unmailboxes *
+mailboxes +admins\@pub.solar/INBOX \
+          +admins\@pub.solar/Drafts \
+          +admins\@pub.solar/Sent \
+          +admins\@pub.solar/Archive \
+          +admins\@pub.solar/Trash

users/ben/.config/mutt/admins@pub.solar.signature

@@ -0,0 +1,7 @@
+
+pub.solar Admins (they/them)
+
+MAIL: admins@pub.solar
+GIT: git.b12f.io/pub-solar
+MATRIX: #general:pub.solar
+WEB: pub.solar

users/ben/.config/mutt/b.baedorf@openproject.com.muttrc

@@ -0,0 +1,24 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <b.baedorf@openproject.com>"
+set sendmail = "msmtp -a b.baedorf@openproject.com"
+set signature = "~/.config/mutt/b.baedorf@openproject.com.signature"
+
+set pgp_default_key="DB94333951EC9A362B33FBA5069CA2D117AB5CCF"
+
+set imap_user = b.baedorf@openproject.com
+set imap_pass = `secret-tool lookup service smtp host smtp.mailbox.org user b.baedorf@openproject.com`
+
+set folder      = imaps://imap.mailbox.org:993
+
+set spoolfile   = "+INBOX"
+set postponed   = "+Drafts"
+set record      = "+Sent"
+set trash       = "+Trash"
+mbox-hook   = "+Archive"
+unmailboxes *
+mailboxes +INBOX \
+          +Drafts \
+          +Sent \
+          +Archive \
+          +Trash

users/ben/.config/mutt/b.baedorf@openproject.com.signature

@@ -0,0 +1,18 @@
+
+Benjamin Bädorf
+Senior Frontend Engineer
+
+OpenProject GmbH
+Krausenstraße 9
+10117 Berlin
+
+E: b.baedorf@openproject.com
+GPG: DB94 3339 51EC 9A36 2B33  FBA5 069C A2D1 17AB 5CC
+
+T: +49 9599 899 22
+M: +49 151 2266 2777
+I: www.openproject.org
+
+Amtsgericht Berlin-Charlottenburg HRB 117935
+Geschäftsführer Niels Lindenthal
+UStID DE211309779

users/ben/.config/mutt/benjamin.baedorf@rwth-aachen.de.muttrc

@@ -0,0 +1,21 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <benjamin.baedorf@rwth-aachen.de>"
+set sendmail = "msmtp -a benjamin.baedorf@rwth-aachen.de"
+set signature = "~/.config/mutt/hello@benjaminbaedorf.eu.signature"
+
+set pgp_default_key="4332E0D02B214D31376C366E4406E80E13CD656C"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+benjamin.baedorf\@rwth-aachen.de/INBOX"
+set postponed   = "+benjamin.baedorf\@rwth-aachen.de/Drafts"
+set record      = "+benjamin.baedorf\@rwth-aachen.de/Sent"
+set trash       = "+benjamin.baedorf\@rwth-aachen.de/Trash"
+mbox-hook   = "+benjamin.baedorf\@rwth-aachen.de/Journal"
+unmailboxes *
+mailboxes +benjamin.baedorf\@rwth-aachen.de/INBOX \
+          +benjamin.baedorf\@rwth-aachen.de/Drafts \
+          +benjamin.baedorf\@rwth-aachen.de/Sent \
+          +benjamin.baedorf\@rwth-aachen.de/Journal \
+          +benjamin.baedorf\@rwth-aachen.de/Trash

users/ben/.config/mutt/byb@miom.space.muttrc

@@ -0,0 +1,21 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <byb@miom.space>"
+set sendmail = "msmtp -a byb@miom.space"
+set signature = "~/.config/mutt/byb@miom.space.signature"
+
+set pgp_default_key="4332E0D02B214D31376C366E4406E80E13CD656C"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+byb\@miom.space/INBOX"
+set postponed   = "+byb\@miom.space/Drafts"
+set record      = "+byb\@miom.space/Sent"
+set trash       = "+byb\@miom.space/Trash"
+mbox-hook   = "+byb\@miom.space/Archive"
+unmailboxes *
+mailboxes +byb\@miom.space/INBOX \
+          +byb\@miom.space/Drafts \
+          +byb\@miom.space/Sent \
+          +byb\@miom.space/Archive \
+          +byb\@miom.space/Trash

users/ben/.config/mutt/byb@miom.space.signature

@@ -0,0 +1,10 @@
+
+Benjamin Yule Bädorf (they/them)
+Software Engineer at MiOM 202
+
+MAIL: byb@miom.space
+TEL: +49 15 778 959 877
+GPG: 4332 E0D0 2B21 4D31 376C  366E 4406 E80E 13CD 656C
+GIT: git.b12f.io/b12f
+MATRIX: @b12f:pub.solar
+WEB: benjaminbaedorf.eu

users/ben/.config/mutt/crew@pub.solar.muttrc

@@ -0,0 +1,19 @@
+# vim: filetype=muttrc
+
+set from = "pub.solar crew <crew@pub.solar>"
+set sendmail = "msmtp -a crew@pub.solar"
+set signature = "~/.config/mutt/crew@pub.solar.signature"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+crew\@pub.solar/INBOX"
+set postponed   = "+crew\@pub.solar/Drafts"
+set record      = "+crew\@pub.solar/Sent"
+set trash       = "+crew\@pub.solar/Trash"
+mbox-hook   = "+crew\@pub.solar/Archive"
+unmailboxes *
+mailboxes +crew\@pub.solar/INBOX \
+          +crew\@pub.solar/Drafts \
+          +crew\@pub.solar/Sent \
+          +crew\@pub.solar/Archive \
+          +crew\@pub.solar/Trash

users/ben/.config/mutt/crew@pub.solar.signature

@@ -0,0 +1,8 @@
+
+pub.solar crew (they/them)
+
+MAIL: crew@pub.solar
+MASTODON: @crew@pub.solar
+GIT: git.b12f.io/pub-solar
+MATRIX: #general:pub.solar
+WEB: pub.solar

users/ben/.config/mutt/hello@benjaminbaedorf.eu.muttrc

@@ -0,0 +1,21 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <hello@benjaminbaedorf.eu>"
+set sendmail = "msmtp -a hello@benjaminbaedorf.eu"
+set signature = "~/.config/mutt/hello@benjaminbaedorf.eu.signature"
+
+set pgp_default_key="4332E0D02B214D31376C366E4406E80E13CD656C"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+hello\@benjaminbaedorf.eu/INBOX"
+set postponed   = "+hello\@benjaminbaedorf.eu/Drafts"
+set record      = "+hello\@benjaminbaedorf.eu/Sent"
+set trash       = "+hello\@benjaminbaedorf.eu/Trash"
+mbox-hook   = "+hello\@benjaminbaedorf.eu/Archive"
+unmailboxes *
+mailboxes +hello\@benjaminbaedorf.eu/INBOX \
+          +hello\@benjaminbaedorf.eu/Drafts \
+          +hello\@benjaminbaedorf.eu/Sent \
+          +hello\@benjaminbaedorf.eu/Archive \
+          +hello\@benjaminbaedorf.eu/Trash

users/ben/.config/mutt/hello@benjaminbaedorf.eu.signature

@@ -0,0 +1,10 @@
+
+Benjamin Yule Bädorf (they/them)
+Software Engineer
+
+MAIL: hello@benjaminbaedorf.eu
+TEL: +49 15 778 959 877
+GPG: 4332 E0D0 2B21 4D31 376C  366E 4406 E80E 13CD 656C
+GIT: git.b12f.io/b12f
+MATRIX: @b12f:pub.solar
+WEB: benjaminbaedorf.eu

users/ben/.config/mutt/mail@b12f.io.muttrc

@@ -0,0 +1,21 @@
+# vim: filetype=muttrc
+
+set from = "Benjamin Bädorf <mail@b12f.io>"
+set sendmail = "msmtp -a mail@b12f.io"
+set signature = "~/.config/mutt/mail@b12f.io.signature"
+
+set pgp_default_key="4332E0D02B214D31376C366E4406E80E13CD656C"
+
+set mbox_type   = Maildir
+set folder      = ~/Mail
+set spoolfile   = "+mail\@b12f.io/INBOX"
+set postponed   = "+mail\@b12f.io/Drafts"
+set record      = "+mail\@b12f.io/Sent"
+set trash       = "+mail\@b12f.io/Trash"
+mbox-hook   = "+mail\@b12f.io/Archive"
+unmailboxes *
+mailboxes +mail\@b12f.io/INBOX \
+          +mail\@b12f.io/Drafts \
+          +mail\@b12f.io/Sent \
+          +mail\@b12f.io/Archive \
+          +mail\@b12f.io/Trash

users/ben/.config/mutt/mail@b12f.io.signature

@@ -0,0 +1,10 @@
+
+Benjamin Yule Bädorf (they/them)
+Software Engineer
+
+MAIL: mail@b12f.io
+TEL: +49 15 778 959 877
+GPG: 4332 E0D0 2B21 4D31 376C  366E 4406 E80E 13CD 656C
+GIT: git.b12f.io/b12f
+MATRIX: @b12f:pub.solar
+WEB: benjaminbaedorf.eu

users/ben/.config/offlineimap/config

@@ -0,0 +1,109 @@
+[general]
+pythonfile = $XDG_CONFIG_HOME/offlineimap/functions.py
+metadata = $XDG_DATA_HOME/offlineimap
+accounts = BBEU, MiOM, AdminsPubSolar, CrewPubSolar, b12f, RWTH
+
+[Account BBEU]
+localrepository = LocalBBEU
+remoterepository = RemoteBBEU
+
+[Repository LocalBBEU]
+type = Maildir
+localfolders = ~/Mail/hello@benjaminbaedorf.eu
+
+[Repository RemoteBBEU]
+type = IMAP
+remotehost = mail.hosting.de
+remoteuser = hello@benjaminbaedorf.eu
+remotepasseval = get_secret("service", "smtp", "host", "mail.hosting.de", "user", "hello@benjaminbaedorf.eu")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account OPGmail]
+localrepository = LocalOPGmail
+remoterepository = RemoteOPGmail
+
+[Repository LocalOPGmail]
+type = Maildir
+localfolders = ~/Mail/b.baedorf@openproject.com
+
+[Repository RemoteOPGmail]
+type = IMAP
+remotehost = imap.gmail.com
+remoteuser = b.baedorf@openproject.com
+remotepasseval = get_secret("service", "smtp", "host", "smtp.gmail.com", "user", "b.baedorf@openproject.com")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account MiOM]
+localrepository = LocalMiOM
+remoterepository = RemoteMiOM
+
+[Repository LocalMiOM]
+type = Maildir
+localfolders = ~/Mail/byb@miom.space
+
+[Repository RemoteMiOM]
+type = IMAP
+remotehost = mail.hosting.de
+remoteuser = byb@miom.space
+remotepasseval = get_secret("service", "smtp", "host", "mail.hosting.de", "user", "byb@miom.space")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account AdminsPubSolar]
+localrepository = LocalAdminsPubSolar
+remoterepository = RemoteAdminsPubSolar
+
+[Repository LocalAdminsPubSolar]
+type = Maildir
+localfolders = ~/Mail/admins@pub.solar
+
+[Repository RemoteAdminsPubSolar]
+type = IMAP
+remotehost = mail.greenbaum.cloud
+remoteuser = admins@pub.solar
+remotepasseval = get_secret("service", "smtp", "host", "mail.greenbaum.cloud", "user", "admins@pub.solar")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account CrewPubSolar]
+localrepository = LocalCrewPubSolar
+remoterepository = RemoteCrewPubSolar
+
+[Repository LocalCrewPubSolar]
+type = Maildir
+localfolders = ~/Mail/crew@pub.solar
+
+[Repository RemoteCrewPubSolar]
+type = IMAP
+remotehost = mail.greenbaum.cloud
+remoteuser = crew@pub.solar
+remotepasseval = get_secret("service", "smtp", "host", "mail.greenbaum.cloud", "user", "crew@pub.solar")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account b12f]
+localrepository = Localb12f
+remoterepository = Remoteb12f
+
+[Repository Localb12f]
+type = Maildir
+localfolders = ~/Mail/mail@b12f.io
+
+[Repository Remoteb12f]
+type = IMAP
+remotehost = mail.b12f.io
+remoteuser = mail@b12f.io
+remotepasseval = get_secret("service", "smtp", "host", "mail.b12f.io", "user", "mail@b12f.io")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt
+
+[Account RWTH]
+localrepository = LocalRWTH
+remoterepository = RemoteRWTH
+
+[Repository LocalRWTH]
+type = Maildir
+localfolders = ~/Mail/benjamin.baedorf@rwth-aachen.de
+
+[Repository RemoteRWTH]
+type = IMAP
+remotehost = mail.rwth-aachen.de
+remoteuser = bb564306@rwth-aachen.de
+remotepasseval = get_secret("service", "smtp", "host", "mail.rwth-aachen.de", "user", "bb564306@rwth-aachen.de")
+sslcacertfile = /etc/ssl/certs/ca-certificates.crt

users/ben/default.nix

@@ -0,0 +1,59 @@
+{ config, hmUsers, pkgs, lib, ... }:
+let
+  psCfg = config.pub-solar;
+in
+{
+  imports = [
+    ./home.nix
+  ];
+
+  config = {
+    home-manager.users = { inherit (hmUsers) ben; };
+
+    services.yubikey-agent.enable = true;
+
+    pub-solar = {
+      # These are your personal settings
+      # The only required settings are `name` and `password`,
+      # The rest is used for programs like git
+      user = {
+        name = "ben";
+        description = "b12f";
+        password = "$6$LO2YoaHwuRQhUoSz$iHw9avM887eJg9cIty2nmG4Ibkol3YpviEhYpivVQP31VrnihFz/6LyugxD7X4VmXx9nxvcYIZnN90rlGxwjT.";
+        fullName = "Benjamin Bädorf";
+        email = "hello@benjaminbaedorf.eu";
+        gpgKeyId = "4406E80E13CD656C";
+        publicKeys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo"
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= ben@chocolatebar"
+        ];
+      };
+
+      paperless.enable = true;
+      arduino.enable = true;
+      email.enable = true;
+      uhk.enable = true;
+      audio.spotify.enable = true;
+      audio.spotify.username = "spotify@benjaminbaedorf.eu";
+    };
+
+    # Needed for the udev rules for solaar
+    hardware.logitech.wireless.enable = true;
+    networking.hosts =
+      let
+        localDomains = [
+          "openproject.local"
+          "traefik.local"
+          "nextcloud.local"
+          "step.local"
+          "saas-1.openproject.local"
+          "transmission.local"
+        ];
+      in
+      {
+        "127.0.0.1" = localDomains;
+        "::1" = localDomains;
+      };
+  };
+}

users/ben/home.nix

@@ -0,0 +1,115 @@
+{ config, pkgs, lib, self, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./session-variables.nix
+  ];
+
+  home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
+    home.packages = with pkgs; [
+      tigervnc
+      dogecoin
+      nodejs
+      itch
+      solaar
+    ];
+
+    programs.ssh = {
+      enable = true;
+      matchBlocks = {
+        "git.b12f.io" = {
+          hostname = "git.b12f.io";
+          user = "git";
+          port = 2222;
+        };
+
+        "aur.archlinux.org" = {
+          user = "aur";
+        };
+
+        "leavieler.art" = {
+          hostname = "web5svsvy.wh.hosting.zone";
+          user = "web5svsvy_cgzqa3";
+          port = 2244;
+        };
+
+        "benjaminbaedorf.eu" = {
+          hostname = "web5svsvy.wh.hosting.zone";
+          user = "web5svsvy_cgzqa3";
+          port = 2244;
+        };
+
+        "miom.space" = {
+          hostname = "web7dgkba.wh.hosting.zone";
+          user = "web7dgkba_c9em8f";
+          port = 2244;
+        };
+
+        "latenight.blue" = {
+          hostname = "latenight.blue";
+          user = "lnb";
+          extraOptions = {
+            MACs = "hmac-sha2-512-etm@openssh.com";
+          };
+        };
+
+        "blacktea.io" = {
+          hostname = "latenight.blue";
+          user = "lnb";
+          extraOptions = {
+            MACs = "hmac-sha2-512-etm@openssh.com";
+          };
+        };
+
+        "laurakirst.de" = {
+          hostname = "webj4bsux.wh.hosting.zone";
+          user = "webj4bsux_36qkrk";
+          port = 2244;
+        };
+      };
+    };
+
+    xdg.configFile."mutt/accounts.muttrc".text = ''
+      source ./hello@benjaminbaedorf.eu.muttrc
+
+      macro index <f1> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/hello@benjaminbaedorf.eu.muttrc<enter><change-folder>!<enter>'
+      macro index <f2> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/benjamin.baedorf@rwth-aachen.de.muttrc<enter><change-folder>!<enter>'
+      macro index <f3> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/b.baedorf@openproject.com.muttrc<enter><change-folder>!<enter>'
+      macro index <f4> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/byb@miom.space.muttrc<enter><change-folder>!<enter>'
+      macro index <f5> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/mail@b12f.io.muttrc<enter><change-folder>!<enter>'
+      macro index <f6> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/admins@pub.solar.muttrc<enter><change-folder>!<enter>'
+      macro index <f7> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/crew@pub.solar.muttrc<enter><change-folder>!<enter>'
+    '';
+    xdg.configFile."mutt/hello@benjaminbaedorf.eu.muttrc".source = ./.config/mutt + "/hello@benjaminbaedorf.eu.muttrc";
+    xdg.configFile."mutt/benjamin.baedorf@rwth-aachen.de.muttrc".source = ./.config/mutt + "/benjamin.baedorf@rwth-aachen.de.muttrc";
+    xdg.configFile."mutt/hello@benjaminbaedorf.eu.signature".source = ./.config/mutt + "/hello@benjaminbaedorf.eu.signature";
+    xdg.configFile."mutt/b.baedorf@openproject.com.muttrc".source = ./.config/mutt + "/b.baedorf@openproject.com.muttrc";
+    xdg.configFile."mutt/b.baedorf@openproject.com.signature".source = ./.config/mutt + "/b.baedorf@openproject.com.signature";
+    xdg.configFile."mutt/byb@miom.space.muttrc".source = ./.config/mutt + "/byb@miom.space.muttrc";
+    xdg.configFile."mutt/byb@miom.space.signature".source = ./.config/mutt + "/byb@miom.space.signature";
+    xdg.configFile."mutt/mail@b12f.io.muttrc".source = ./.config/mutt + "/mail@b12f.io.muttrc";
+    xdg.configFile."mutt/mail@b12f.io.signature".source = ./.config/mutt + "/mail@b12f.io.signature";
+    xdg.configFile."mutt/admins@pub.solar.muttrc".source = ./.config/mutt + "/admins@pub.solar.muttrc";
+    xdg.configFile."mutt/admins@pub.solar.signature".source = ./.config/mutt + "/admins@pub.solar.signature";
+    xdg.configFile."mutt/crew@pub.solar.muttrc".source = ./.config/mutt + "/crew@pub.solar.muttrc";
+    xdg.configFile."mutt/crew@pub.solar.signature".source = ./.config/mutt + "/crew@pub.solar.signature";
+    xdg.configFile."offlineimap/config".source = ./.config/offlineimap/config;
+    xdg.configFile."msmtp/config".source = ./.config/msmtp/config;
+    # xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
+  };
+
+  age.secrets."mopidy.conf" = {
+    file = "${self}/secrets/mopidy.conf";
+    mode = "700";
+    owner = "mopidy";
+  };
+  services.mopidy.extraConfigFiles = [ "/run/agenix/mopidy.conf" ];
+
+  programs.ssh.extraConfig = "
+    PubkeyAcceptedKeyTypes +ssh-rsa
+  ";
+}

users/ben/session-variables.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  DRONE_RPC_PROTO = "https";
+  DRONE_RPC_HOST = "ci.b12f.io";
+in
+{
+  home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
+    home.sessionVariables = {
+      inherit DRONE_RPC_HOST;
+      inherit DRONE_RPC_PROTO;
+      DRONE_SERVER = DRONE_RPC_PROTO + "://" + DRONE_RPC_HOST;
+
+      RESTIC_REPOSITORY = "sftp:root@backup.b12f.io:/media/internal/backups";
+      RESTIC_PASSWORD_COMMAND = "secret-tool lookup restic repository-password";
+    };
+  };
+}

users/yule/default.nix

@@ -0,0 +1,35 @@
+{ config, hmUsers, pkgs, lib, ... }:
+let
+  psCfg = config.pub-solar;
+in
+{
+  config = {
+    home-manager.users = { inherit (hmUsers) yule; };
+
+    pub-solar = {
+      # These are your personal settings
+      # The only required settings are `name` and `password`,
+      # The rest is used for programs like git
+      user = {
+        name = "yule";
+        description = "b12f";
+        password = "$6$pHMaL9DfxhvnLGy5$ka9bRU5p1lPTF0YHPZDM9Miq79iXuaXb6GLeALM1eX5djdsHYnpvVWjrmImWmcghGXsrDwpmXZPSJUU.gFpuA1";
+        fullName = "Benjamin Bädorf";
+        email = "hello@benjaminbaedorf.eu";
+        gpgKeyId = "4406E80E13CD656C";
+        publicKeys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
+
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
+
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135 @hensoko"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
+
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKa5elEXgBc2luVBOHVWZisJgt0epFQOercPi0tZzPU root@cloud.pub.solar"
+        ];
+      };
+    };
+  };
+}