🔧 [pi4] Temporary disable Actual budget

➕ [pi4] ADd roomba dependency to home assistant️
🔒 [pi4] Do not require password for sudo️
2025-08-12 16:40:05 +00:00 · 2025-08-12 16:40:04 +00:00 · 2025-08-12 16:40:04 +00:00 · 2025-08-11 21:10:50 +02:00 · 2025-08-11 20:48:52 +02:00 · 2025-08-10 16:59:29 +02:00
161 changed files with 4783 additions and 380 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
 shared/secrets/weather-api-key filter=git-crypt diff=git-crypt
--- a/.gitea/assets/desktop.png
+++ b/.gitea/assets/desktop.png
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,5 @@
 # Symlink create by `nix build`
 result
 # IDEs
 .idea
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,11 @@
 keys:
  - &thinkpad age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
  - &desktop age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
  - &pi4 age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
 creation_rules:
  - path_regex: shared/secrets/secrets.yaml$
    key_groups:
      - age:
          - *thinkpad
          - *desktop
          - *pi4
--- a/README.md
+++ b/README.md
@ -1,4 +1,65 @@
 # NixOS Configurations
-WIP!
+My NixOS configurations with dotfiles for my systems.
 ![Screenshot of desktop](./.gitea/assets/desktop.png)
 ## Uses
 |        |            |
 | ------ | ---------- |
 | WM     | Hyprland   |
 | Shell  | Fish       |
 | Prompt | Starship   |
 | Theme  | Catppuccin |
 | GPU    | Nvidia     |
 | Panel  | Hyprpanel  |
 | Runner | Rofi       |
 | Fetch  | Fastfetch  |
 ## Commands
 First time run, will create a shell with the minimum dependencies in order to download the rest
 ```Shell
 nix develop . --experimental-features 'nix-command flakes'
 just switch-now
 ```
 Scripts below will not run unless the necessary packages have been added to the path, either in a shell or by running nixos-rebuild
 Format all .nix files
 ```Shell
  just fmt
 ```
 Rebuild and test Nix configuration
 - Will add all new files to git and format all nix-files
 ```Shell
  just test
 ```
 Rebuild and switch Nix configuration
 - Will add all new files to git and format all nix-files
 ```Shell
  just switch
 ```
 Update and switch
 - Will update the flakes and nix-channel, then switch if there are no errors
 ```Shell
  just update-all
 ```
 To update a single flake and rebuild
 ```Shell
  just update zen-browser
 ```
--- a/biome.jsonc
+++ b/biome.jsonc
@ -0,0 +1,12 @@
 {
  "$schema": "https://biomejs.dev/schemas/2.0.5/schema.json",
  "formatter": {
    "enabled": true,
    "indentStyle": "space"
  },
  "linter": {
    "enabled": false
  }
 }
--- a/configuration.nix
+++ b/configuration.nix
@ -1,291 +0,0 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "nixos"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Enable networking
  networking.networkmanager.enable = true;
  # Set your time zone.
  time.timeZone = "Europe/Oslo";
  # Select internationalisation properties.
  i18n.defaultLocale = "en_GB.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "nb_NO.UTF-8";
    LC_IDENTIFICATION = "nb_NO.UTF-8";
    LC_MEASUREMENT = "nb_NO.UTF-8";
    LC_MONETARY = "nb_NO.UTF-8";
    LC_NAME = "nb_NO.UTF-8";
    LC_NUMERIC = "nb_NO.UTF-8";
    LC_PAPER = "nb_NO.UTF-8";
    LC_TELEPHONE = "nb_NO.UTF-8";
    LC_TIME = "nb_NO.UTF-8";
  };
  # Configure console keymap
  console.keyMap = "uk";
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.martin = {
    isNormalUser = true;
    description = "martin";
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [];
  };
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
  environment.variables = {  
    EDITOR = "nvim";
  };
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    gnupg
    firefox
    wget
    git
    kitty
    swaynotificationcenter
    pipewire
    wireplumber
    xdg-utils
    xdg-desktop-portal-gtk
    xdg-desktop-portal-hyprland
    hyprpolkitagent
    waybar
    rofi-wayland
    kdePackages.dolphin
    kdePackages.qtwayland
    kdePackages.qtsvg
    kdePackages.qt6ct
    spotify
    protonmail-desktop
    adw-gtk3
    glib
    adwaita-icon-theme
    jetbrains.rust-rover
    jetbrains.webstorm
    vscodium
    stremio
    docker
    rustup
    nodejs
    pnpm
    fastfetch
    freetube
    nixd
  ];
  home-manager = {
    backupFileExtension = "backup";
    users.martin = {
      gtk = {
        enable = true;
        theme = {
          name = "Adwaita-dark";
          package = pkgs.gnome-themes-extra;
        };
      };
      home = {
        username = "martin";
        homeDirectory = "/home/martin";
        sessionVariables = {
          EDITOR = "nvim";
        };
        stateVersion = "24.11";
      };
      programs = {
 	git = {
 	  enable = true;
 	  userName = "Martin Berg Alstad";
 	  userEmail = "git@martials.no";
 	};
 	kitty.enable = true;
 	neovim = {
          enable = true;
          vimAlias = true;
        };
      };
    };
    #wayland.windowManager.hyprland.enable = true;
  };
  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
  };
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  programs = {
    bash = {
      # Starts the OS using Bash, then starts fish if it's not running
      interactiveShellInit = ''
        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
        then
          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
        fi
      '';
    };
    dconf = {
      enable = true;
    };
    fish.enable = true;
    gnupg.agent.enable = true;
    hyprland = {
      enable = true;
      xwayland.enable = true;
    };
    kdeconnect = {
      enable = true;
    };
    # Required for nvim with flakes
    # nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
    steam = {
      enable = true;
      remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
      dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
      localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
    };
  };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;
  security.rtkit.enable = true;
  services = {
    displayManager.sddm = {
      enable = true;
      wayland.enable = true;
    };
    flatpak.enable = true;
    gnome = {
      gnome-keyring.enable = true;
    };
    pcscd.enable = true;
    pipewire = {
      enable = true;
      alsa = {
        enable = true;
        support32Bit = true;
      };
      pulse.enable = true;
    };
    tailscale = {
      enable = true;
    };
    xserver = {
      enable = true;
      # Load Nvidia driver for Xorg and Wayland
      videoDrivers = ["nvidia"];
      # Configure keymap in X11
      xkb = {
        layout = "gb";
        variant = "";
      };
    };
  };
  virtualisation.docker = {
    enable = true;
    storageDriver = "btrfs";
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
  };
  qt = {
    enable = true;
    #platformTheme = "gnome";
    #style = "adwaita-dark";
  };
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Enable OpenGL
  hardware.graphics = {
    enable = true;
  };
  hardware.nvidia = {
    # Required
    modesetting.enable = true;
    # Use closed-source drivers
    open = false;
    # Enable the Nvidia settings menu
    nvidiaSettings = true;
  };
  xdg.mime.defaultApplications = {
    "text/html" = "io.github.zen_browser.zen.desktop";
    "x-scheme-handler/http" = "io.github.zen_browser.zen.desktop";
    "x-scheme-handler/https" = "io.github.zen_browser.zen.desktop";
    "x-scheme-handler/about" = "io.github.zen_browser.zen.desktop";
    "x-scheme-handler/unknown" = "io.github.zen_browser.zen.desktop";
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,103 @@
 {
  "nodes": {
    "blobs": {
      "flake": false,
      "locked": {
        "lastModified": 1604995301,
        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "type": "gitlab"
      }
    },
    "catppuccin": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1754727511,
        "narHash": "sha256-iRqRCeeXEQ5HSB6zI6Wja7ZfY0PPRx5yelgjtoX2iMo=",
        "owner": "catppuccin",
        "repo": "nix",
        "rev": "7b55c4947c02f79dfd249432ccb0ada2726c29e2",
        "type": "github"
      },
      "original": {
        "owner": "catppuccin",
        "repo": "nix",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": [
          "simple-nixos-mailserver",
          "flake-compat"
        ],
        "gitignore": "gitignore",
        "nixpkgs": [
          "simple-nixos-mailserver",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1742649964,
        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "simple-nixos-mailserver",
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -7,11 +105,33 @@
        ]
      },
      "locked": {
-        "lastModified": 1735053786,
+        "lastModified": 1753592768,
-        "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=",
+        "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84",
+        "rev": "fc3add429f21450359369af74c2375cb34a2d204",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-25.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "zen-browser",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1752603129,
        "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b",
        "type": "github"
      },
      "original": {
@ -22,11 +142,107 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1734649271,
+        "lastModified": 1753694789,
-        "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
+        "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-25_05": {
      "locked": {
        "lastModified": 1747610100,
        "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1754689972,
        "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1754498491,
        "narHash": "sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c2ae88e026f9525daf89587f3cbee584b92b6134",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1754689972,
        "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1747179050,
        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1752480373,
        "narHash": "sha256-JHQbm+OcGp32wAsXTE/FLYGNpb+4GLi5oTvCxwSoBOA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
+        "rev": "62e0f05ede1da0d54515d4ea8ce9c733f12d9f08",
        "type": "github"
      },
      "original": {
@ -38,8 +254,113 @@
    },
    "root": {
      "inputs": {
        "catppuccin": "catppuccin",
        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-stable": "nixpkgs-stable",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "simple-nixos-mailserver": "simple-nixos-mailserver",
        "sops-nix": "sops-nix",
        "spicetify-nix": "spicetify-nix",
        "zen-browser": "zen-browser"
      }
    },
    "simple-nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "git-hooks": "git-hooks",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-25_05": "nixpkgs-25_05"
      },
      "locked": {
        "lastModified": 1747965231,
        "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
        "rev": "53007af63fade28853408370c4c600a63dd97f41",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "ref": "nixos-25.05",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1754328224,
        "narHash": "sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA=",
        "owner": "mic92",
        "repo": "sops-nix",
        "rev": "49021900e69812ba7ddb9e40f9170218a7eca9f4",
        "type": "github"
      },
      "original": {
        "owner": "mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "spicetify-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1754196919,
        "narHash": "sha256-0zATw65mNql9H8e7HWVBPpijMSbDVeK7JNivRBcUScM=",
        "owner": "Gerg-L",
        "repo": "spicetify-nix",
        "rev": "24fcb94f7792ab755b933e1c9516996530ac1fbd",
        "type": "github"
      },
      "original": {
        "owner": "Gerg-L",
        "repo": "spicetify-nix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "zen-browser": {
      "inputs": {
        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
        "lastModified": 1754713785,
        "narHash": "sha256-/XEjh0nXEzHX5H84AAEP1vJopIGf0Z4sbfqKklwQaHk=",
        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
        "rev": "7564df093b5d6aac0be47a0cd6336e5a36ece598",
        "type": "github"
      },
      "original": {
        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -1,32 +1,202 @@
 {
-  description = "NixOS configuration";
+  description = "Martin's NixOS configuration - Based on EmergentMind/nix-config";
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    #
    # ========= Official NixOS and HM Package Sources =========
    #
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
    # The next two are for pinning to stable vs unstable regardless of what the above is set to
    # This is particularly useful when an upcoming stable release is in beta because you can effectively
    # keep 'nixpkgs-stable' set to stable for critical packages while setting 'nixpkgs' to the beta branch to
    # get a jump start on deprecation changes.
    # See also 'stable-packages' and 'unstable-packages' overlays at 'overlays/default.nix"
    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    #
    # ========= Utilities =========
    #
    # Secrets management
    sops-nix = {
      url = "github:mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Catppuccin theming
    catppuccin.url = "github:catppuccin/nix";
    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
    # Spotify
    spicetify-nix = {
      url = "github:Gerg-L/spicetify-nix";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    # Browser
    zen-browser.url = "github:0xc000022070/zen-browser-flake";
  };
-  outputs = inputs@{ nixpkgs, home-manager, ... }:
+  outputs =
-  let
+    {
-    system = "x86_64-linux";
+      self,
-  in
+      nixpkgs,
-  {
+      home-manager,
-    nixosConfigurations = {
+      ...
-      nixos = nixpkgs.lib.nixosSystem {
+    }@inputs:
-        system = system;
+    let
-        modules = [
+      inherit (self) outputs;
-	  ./configuration.nix
+      common = import ./shared/common.nix;
-	  home-manager.nixosModules.home-manager
+      theme = import ./shared/theme.nix;
-	  {
+
-            home-manager.useGlobalPkgs = true;
+      #
-            home-manager.useUserPackages = true;
+      # ========= Architectures =========
-            home-manager.users.martin = import ./home.nix;
+      #
-	  }
+      forAllSystems = nixpkgs.lib.genAttrs [
-	];
+        "x86_64-linux"
        "aarch64-linux"
      ];
      # ========== Extend lib with lib.custom ==========
      # NOTE: This approach allows lib.custom to propagate into hm
      # see: https://github.com/nix-community/home-manager/pull/3454
      customLib = (_self: _super: { custom = import ./lib { inherit (nixpkgs) lib; }; });
      lib = nixpkgs.lib.extend customLib;
      libHm = home-manager.lib.extend customLib;
      systems = builtins.map (config: defaultAttrs // config) [
        {
          hostName = "desktop";
          nvidia.enable = true;
          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSzXyTuQyTrWsfORQbvgrqt/33+hfSUDXeMg6D1T2wz";
        }
        {
          hostName = "thinkpad";
          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNlHKE/BD8kKfhJD7GBk1A3whZf3gTjk9VEgGAj3qsH";
        }
        {
          hostName = "pi4";
          system = "aarch64-linux";
          wayland.enable = false;
          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE9m7YiITe1sDqSZ7Pa8luIw3WToLsypixZEqE4wCQE";
          address.private = common.localIpAddr 188;
        }
        {
          hostName = "homelab";
          wayland.enable = false;
          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARDv5nRlfPDXdV+Db4FaqeSJZ3/3MO0frYGzuVeqYAl";
          address.private = common.localIpAddr 231;
          address.tailnet = common.tailnetAddr "admin";
        }
      ];
      defaultAttrs = {
        hostName = builtins.abort "hostName is required";
        system = "x86_64-linux";
        username = common.username;
        version = common.system.version;
        wayland.enable = true;
        nvidia.enable = false;
      };
      knownSystems = [
        {
          # Samsung S23 FE
          hostName = "localhost-y4maoyqm";
          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7SSjiqnjif1Kko60iXVTKJ7a1/lRlR8TFNtoclNcnQ";
        }
        {
          # OnePlus 8
          hostName = "localhost-4izgka9k";
          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALtulVgLrUEpKnpfPFQTHjaEXTxs2Q818NC18eLx0bj";
        }
      ];
    in
    {
      #
      # ========= Overlays =========
      #
      # Custom modifications/overrides to upstream packages
      overlays = import ./overlays.nix { inherit inputs; };
      #
      # ========= Host Configurations =========
      #
      nixosConfigurations = builtins.listToAttrs (
        builtins.map (
          {
            hostName,
            system,
            username,
            ...
          }@systemConfig:
          {
            name = hostName;
            value = nixpkgs.lib.nixosSystem {
              inherit system;
              specialArgs = {
                inherit
                  outputs
                  inputs
                  common
                  theme
                  lib
                  systemConfig
                  systems
                  knownSystems
                  ;
                isDarwin = false;
              };
              modules = [
                ./hosts/${hostName}
                home-manager.nixosModules.home-manager
                {
                  home-manager = {
                    # Backups conflicting files in case of error
                    backupFileExtension = "bkp";
                    useGlobalPkgs = true;
                    useUserPackages = true;
                    extraSpecialArgs = {
                      inherit
                        inputs
                        common
                        theme
                        libHm
                        systemConfig
                        systems
                        ;
                    };
                    users.${username} = import ./hosts/${hostName}/home-manager;
                  };
                }
                {
                  nixpkgs.overlays = [ ];
                }
              ];
            };
          }
        ) systems
      );
      #
      # ========= Formatting =========
      #
      # Nix formatter available through 'nix fmt' https://github.com/NixOS/nixfmt
      formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
      #
      # ========= DevShell =========
      #
      # Custom shell for bootstrapping on new hosts, modifying nix-config, and secrets management
      devShells = forAllSystems (
        system:
        import ./shell.nix {
          pkgs = nixpkgs.legacyPackages.${system};
        }
      );
    };
  };
 }
--- a/home.nix
+++ b/home.nix
@ -1,41 +0,0 @@
 { config, pkgs, ... }:
 {
  # Home Manager needs a bit of information about you and the
  # paths it should manage.
  home = {
    username = "martin";
    homeDirectory = "/home/martin";
    # You can update Home Manager without changing this value. See
    # the Home Manager release notes for a list of state version
    # changes in each release.
    stateVersion = "24.11";
  };
  # Let Home Manager install and manage itself.
  programs = {
    git = {
      enable = true;
      userName = "Martin Berg Alstad";
      userEmail = "git@martials.no";
    };
    home-manager.enable = true;
    kitty.enable = true;
    neovim = {
      enable = true;
      vimAlias = true;
      viAlias = true;
    };
  };
  services = {
    gpg-agent = {
      enable = true;
      pinentryPackage = pkgs.pinentry-curses;
    };
  };
 }
--- a/hosts/desktop/bluetooth.nix
+++ b/hosts/desktop/bluetooth.nix
@ -0,0 +1,18 @@
 { pkgs, ... }:
 {
  hardware.bluetooth = {
    enable = true;
    input = {
      # Required to get PS3 controllers working
      General = {
        ClassicBondedOnly = false;
        UserspaceHID = false;
      };
    };
    powerOnBoot = true;
    package = pkgs.unstable.bluez;
  };
  services.blueman.enable = true;
 }
--- a/hosts/desktop/common.nix
+++ b/hosts/desktop/common.nix
@ -0,0 +1,4 @@
 {
  monitor1 = "DP-1";
  monitor2 = "DP-3";
 }
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@ -0,0 +1,15 @@
 {
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    (lib.custom.relativeToDesktop "modules")
    ./bluetooth.nix
    ./hardware-configuration.nix
  ];
  boot.kernelPackages = pkgs.linuxPackages_6_12;
 }
--- a/hosts/desktop/hardware-configuration.nix
+++ b/hosts/desktop/hardware-configuration.nix
@ -1,29 +1,42 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+{
-# and may be overwritten by future invocations.  Please make changes
+  config,
-# to /etc/nixos/configuration.nix instead.
+  lib,
-{ config, lib, pkgs, modulesPath, ... }:
+  modulesPath,
  ...
 }:
 {
-  imports =
+  imports = [
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "nvme"
    "usb_storage"
    "usbhid"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/5e3f0f97-4bb4-4a53-ace2-9ed19ff9e8ea";
+    device = "/dev/disk/by-uuid/5e3f0f97-4bb4-4a53-ace2-9ed19ff9e8ea";
-      fsType = "btrfs";
+    fsType = "btrfs";
-      options = [ "subvol=@" ];
+    options = [ "subvol=@" ];
-    };
+  };
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/D188-48A9";
+    device = "/dev/disk/by-uuid/D188-48A9";
-      fsType = "vfat";
+    fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+    options = [
-    };
+      "fmask=0077"
      "dmask=0077"
    ];
  };
  swapDevices = [ ];
--- a/hosts/desktop/home-manager/default.nix
+++ b/hosts/desktop/home-manager/default.nix
@ -0,0 +1,14 @@
 {
  lib,
  ...
 }:
 {
  imports = [
    (lib.custom.relativeToDesktop "home-manager")
    ./hyprpaper.nix
    ./settings.nix
  ];
  programs.git.signing.key = "706F53DD087A91DE";
 }
--- a/hosts/desktop/home-manager/hyprpaper.nix
+++ b/hosts/desktop/home-manager/hyprpaper.nix
@ -0,0 +1,29 @@
 # Wallpapers
 {
  lib,
  theme,
  ...
 }:
 {
  services.hyprpaper.settings =
    let
      wallpaper1 = builtins.toString theme.wallpaper.monitor1;
      wallpaper2 = builtins.toString theme.wallpaper.monitor2;
    in
    {
      preload = lib.mkForce [
        wallpaper1
        wallpaper2
      ];
      wallpaper =
        let
          common = import ../common.nix;
        in
        lib.mkForce [
          "${common.monitor1},${wallpaper1}"
          "${common.monitor2},${wallpaper2}"
        ];
    };
 }
--- a/hosts/desktop/home-manager/settings.nix
+++ b/hosts/desktop/home-manager/settings.nix
@ -0,0 +1,12 @@
 { lib, ... }:
 {
  wayland.windowManager.hyprland.settings.monitor =
    let
      common = import ../common.nix;
    in
    lib.mkForce [
      "${common.monitor1}, 3440x1440@175, 0x0, 1"
      "${common.monitor2}, 3840x2160@60, 3440x0, 1.5, transform, 1"
    ];
 }
--- a/hosts/desktop/home-manager/zen/chrome/userChrome.css
+++ b/hosts/desktop/home-manager/zen/chrome/userChrome.css
@ -0,0 +1,113 @@
 /* Catppuccin Mocha Blue userChrome.css*/
@media (prefers-color-scheme: dark) {
  :root {
    --zen-colors-primary: #313244 !important;
    --zen-primary-color: #89b4fa !important;
    --zen-colors-secondary: #313244 !important;
    --zen-colors-tertiary: #181825 !important;
    --zen-colors-border: #89b4fa !important;
    --toolbarbutton-icon-fill: #89b4fa !important;
    --lwt-text-color: #cdd6f4 !important;
    --toolbar-field-color: #cdd6f4 !important;
    --tab-selected-textcolor: rgb(171, 197, 247) !important;
    --toolbar-field-focus-color: #cdd6f4 !important;
    --toolbar-color: #cdd6f4 !important;
    --newtab-text-primary-color: #cdd6f4 !important;
    --arrowpanel-color: #cdd6f4 !important;
    --arrowpanel-background: #1e1e2e !important;
    --sidebar-text-color: #cdd6f4 !important;
    --lwt-sidebar-text-color: #cdd6f4 !important;
    --lwt-sidebar-background-color: #11111b !important;
    --toolbar-bgcolor: #313244 !important;
    --newtab-background-color: #1e1e2e !important;
    --zen-themed-toolbar-bg: #181825 !important;
    --zen-main-browser-background: #181825 !important;
  }
  #permissions-granted-icon {
    color: #181825 !important;
  }
  .sidebar-placesTree {
    background-color: #1e1e2e !important;
  }
  #zen-workspaces-button {
    background-color: #1e1e2e !important;
  }
  #TabsToolbar {
    background-color: #181825 !important;
  }
  #urlbar-background {
    background-color: #1e1e2e !important;
  }
  .content-shortcuts {
    background-color: #1e1e2e !important;
    border-color: #89b4fa !important;
  }
  .urlbarView-url {
    color: #89b4fa !important;
  }
  #zenEditBookmarkPanelFaviconContainer {
    background: #11111b !important;
  }
  toolbar .toolbarbutton-1 {
    &:not([disabled]) {
      &:is([open], [checked])
        > :is(
          .toolbarbutton-icon,
          .toolbarbutton-text,
          .toolbarbutton-badge-stack
        ) {
        fill: #11111b;
      }
    }
  }
  .identity-color-blue {
    --identity-tab-color: #89b4fa !important;
    --identity-icon-color: #89b4fa !important;
  }
  .identity-color-turquoise {
    --identity-tab-color: #94e2d5 !important;
    --identity-icon-color: #94e2d5 !important;
  }
  .identity-color-green {
    --identity-tab-color: #a6e3a1 !important;
    --identity-icon-color: #a6e3a1 !important;
  }
  .identity-color-yellow {
    --identity-tab-color: #f9e2af !important;
    --identity-icon-color: #f9e2af !important;
  }
  .identity-color-orange {
    --identity-tab-color: #fab387 !important;
    --identity-icon-color: #fab387 !important;
  }
  .identity-color-red {
    --identity-tab-color: #f38ba8 !important;
    --identity-icon-color: #f38ba8 !important;
  }
  .identity-color-pink {
    --identity-tab-color: #f5c2e7 !important;
    --identity-icon-color: #f5c2e7 !important;
  }
  .identity-color-purple {
    --identity-tab-color: #cba6f7 !important;
    --identity-icon-color: #cba6f7 !important;
  }
 }
--- a/hosts/desktop/home-manager/zen/chrome/userContent.css
+++ b/hosts/desktop/home-manager/zen/chrome/userContent.css
@ -0,0 +1,157 @@
 /* Catppuccin Mocha Blue userContent.css*/
@media (prefers-color-scheme: dark) {
  /* Common variables affecting all pages */
  @-moz-document url-prefix("about:") {
    :root {
      --in-content-page-color: #cdd6f4 !important;
      --color-accent-primary: #89b4fa !important;
      --color-accent-primary-hover: rgb(163, 197, 251) !important;
      --color-accent-primary-active: rgb(138, 153, 250) !important;
      background-color: #1e1e2e !important;
      --in-content-page-background: #1e1e2e !important;
    }
  }
  /* Variables and styles specific to about:newtab and about:home */
  @-moz-document url("about:newtab"), url("about:home") {
    :root {
      --newtab-background-color: #1e1e2e !important;
      --newtab-background-color-secondary: #313244 !important;
      --newtab-element-hover-color: #313244 !important;
      --newtab-text-primary-color: #cdd6f4 !important;
      --newtab-wordmark-color: #cdd6f4 !important;
      --newtab-primary-action-background: #89b4fa !important;
    }
    .icon {
      color: #89b4fa !important;
    }
    .search-wrapper .logo-and-wordmark .logo {
      background: url("zen-logo-mocha.svg"),
        url("https://raw.githubusercontent.com/IAmJafeth/zen-browser/main/themes/Mocha/Blue/zen-logo-mocha.svg")
        no-repeat center !important;
      display: inline-block !important;
      height: 82px !important;
      width: 82px !important;
      background-size: 82px !important;
    }
    @media (max-width: 609px) {
      .search-wrapper .logo-and-wordmark .logo {
        background-size: 64px !important;
        height: 64px !important;
        width: 64px !important;
      }
    }
    .card-outer:is(:hover, :focus, .active):not(.placeholder) .card-title {
      color: #89b4fa !important;
    }
    .top-site-outer .search-topsite {
      background-color: #89b4fa !important;
    }
    .compact-cards .card-outer .card-context .card-context-icon.icon-download {
      fill: #a6e3a1 !important;
    }
  }
  /* Variables and styles specific to about:preferences */
  @-moz-document url-prefix("about:preferences") {
    :root {
      --zen-colors-tertiary: #181825 !important;
      --in-content-text-color: #cdd6f4 !important;
      --link-color: #89b4fa !important;
      --link-color-hover: rgb(163, 197, 251) !important;
      --zen-colors-primary: #313244 !important;
      --in-content-box-background: #313244 !important;
      --zen-primary-color: #89b4fa !important;
    }
    groupbox,
    moz-card {
      background: #1e1e2e !important;
    }
    button,
    groupbox menulist {
      background: #313244 !important;
      color: #cdd6f4 !important;
    }
    .main-content {
      background-color: #11111b !important;
    }
    .identity-color-blue {
      --identity-tab-color: #8aadf4 !important;
      --identity-icon-color: #8aadf4 !important;
    }
    .identity-color-turquoise {
      --identity-tab-color: #8bd5ca !important;
      --identity-icon-color: #8bd5ca !important;
    }
    .identity-color-green {
      --identity-tab-color: #a6da95 !important;
      --identity-icon-color: #a6da95 !important;
    }
    .identity-color-yellow {
      --identity-tab-color: #eed49f !important;
      --identity-icon-color: #eed49f !important;
    }
    .identity-color-orange {
      --identity-tab-color: #f5a97f !important;
      --identity-icon-color: #f5a97f !important;
    }
    .identity-color-red {
      --identity-tab-color: #ed8796 !important;
      --identity-icon-color: #ed8796 !important;
    }
    .identity-color-pink {
      --identity-tab-color: #f5bde6 !important;
      --identity-icon-color: #f5bde6 !important;
    }
    .identity-color-purple {
      --identity-tab-color: #c6a0f6 !important;
      --identity-icon-color: #c6a0f6 !important;
    }
  }
  /* Variables and styles specific to about:addons */
  @-moz-document url-prefix("about:addons") {
    :root {
      --zen-dark-color-mix-base: #181825 !important;
      --background-color-box: #1e1e2e !important;
    }
  }
  /* Variables and styles specific to about:protections */
  @-moz-document url-prefix("about:protections") {
    :root {
      --zen-primary-color: #1e1e2e !important;
      --social-color: #cba6f7 !important;
      --coockie-color: #89dceb !important;
      --fingerprinter-color: #f9e2af !important;
      --cryptominer-color: #b4befe !important;
      --tracker-color: #a6e3a1 !important;
      --in-content-primary-button-background-hover: rgb(81, 83, 105) !important;
      --in-content-primary-button-text-color-hover: #cdd6f4 !important;
      --in-content-primary-button-background: #45475a !important;
      --in-content-primary-button-text-color: #cdd6f4 !important;
    }
    .card {
      background-color: #313244 !important;
    }
  }
 }
--- a/hosts/desktop/home-manager/zen/chrome/zen-logo.svg
+++ b/hosts/desktop/home-manager/zen/chrome/zen-logo.svg
@ -0,0 +1,13 @@
 <svg width="1024" height="1024" viewBox="0 0 1024 1024" fill="none" xmlns="http://www.w3.org/2000/svg">
  <g clip-path="url(#clip0_15_9)">
    <rect width="1024" height="1024" rx="225" fill="#11111b"/>
    <circle cx="512" cy="512" r="340" stroke="#cdd6f4" stroke-width="70"/>
    <circle cx="512" cy="512" r="224.915" stroke="#cdd6f4" stroke-width="51"/>
    <circle cx="512" cy="512" r="129.018" stroke="#cdd6f4" stroke-width="31"/>
  </g>
  <defs>
    <clipPath id="clip0_15_9">
      <rect width="1024" height="1024" fill="white"/>
    </clipPath>
  </defs>
 </svg>
--- a/hosts/desktop/home-manager/zen/default.nix
+++ b/hosts/desktop/home-manager/zen/default.nix
@ -0,0 +1,7 @@
 {
  # TODO merge with shared
  home.file.".zen/audtxq7n.default/chrome" = {
    source = ./chrome;
    recursive = true;
  };
 }
--- a/hosts/pi4/actual.nix
+++ b/hosts/pi4/actual.nix
@ -0,0 +1,44 @@
 { config, common, ... }:
 let
  domain = "beta.budget.${common.domain}";
  port = 8084;
 in
 {
  networking.nat = {
    enable = false;
    internalInterfaces = [ "ve-*" ];
    externalInterface = "wlan0";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };
  containers.actual = {
    autoStart = false;
    privateNetwork = true;
    hostAddress = "192.168.10.188";
    localAddress = "192.168.10.11";
    config =
      { ... }:
      {
        networking.firewall.allowedTCPPorts = [ port ];
        services = {
          actual = {
            enable = false;
            settings = {
              inherit port;
              loginMethod = "password";
            };
          };
        };
        system.stateVersion = common.system.version;
      };
  };
  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${config.containers.actual.localAddress}:${toString port}";
      proxyWebsockets = true;
    };
  };
 }
--- a/hosts/pi4/boot.nix
+++ b/hosts/pi4/boot.nix
@ -0,0 +1,16 @@
 { pkgs, ... }:
 {
  boot = {
    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
    initrd.availableKernelModules = [
      "xhci_pci"
      "usbhid"
      "usb_storage"
    ];
    loader = {
      grub.enable = false;
      generic-extlinux-compatible.enable = true;
    };
  };
 }
--- a/hosts/pi4/caddy.nix
+++ b/hosts/pi4/caddy.nix
@ -0,0 +1,91 @@
 { common, ... }:
 let
  domain = common.domain;
 in
 {
  services.caddy = {
    enable = false;
    email = "cert@${domain}";
    virtualHosts =
      let
        localProxy = proxyTo "localhost";
        homelabProxy = proxyTo "192.168.10.231";
        proxyTo = ip: port: "reverse_proxy ${ip}:${builtins.toString port}";
        redirect = subdomain: "redir https://${subdomain}.${domain}{uri}";
      in
      {
        "beta.${domain}".extraConfig = ''
          redir https://${domain}{uri}
        '';
        "git.${domain}".extraConfig = ''
          ${redirect "code"}
        '';
        "kitchenowl.${domain}".extraConfig = ''
          ${redirect "grocery"}
        '';
        # Gitea
        "code.${domain}".extraConfig = ''
          ${homelabProxy 3000}
        '';
        # Forgejo
        "beta.code.${domain}".extraConfig = ''
          ${localProxy 8001}
        '';
        # Nextcloud
        "nextcloud.${domain}".extraConfig = ''
          redir /.well-known/carddav /remote.php/dav 301
          redir /.well-known/caldav /remote.php/dav 301
          ${homelabProxy 11000}
        '';
        # Kitchenowl
        "grocery.${domain}".extraConfig = ''
          ${homelabProxy 800}
        '';
        # Actual Budget
        "budget.${domain}".extraConfig = ''
          ${homelabProxy 5006}
        '';
        # Uptime Kuma
        "status.${domain}".extraConfig = ''
          ${homelabProxy 3001}
        '';
        # Headscale
        "vpn.${domain}".extraConfig = ''
          reverse_proxy /web* 192.168.10.231:8084
          reverse_proxy * 192.168.10.231:8082
        '';
        # Headscale SmartDNS
        "dns.${domain}".extraConfig = ''
          ${homelabProxy 8082}
        '';
        # FreshRSS
        "rss.${domain}".extraConfig = ''
          ${homelabProxy 8085}
        '';
        # Ente backend
        "api.ente.${domain}".extraConfig = ''
          ${homelabProxy 8083}
        '';
        # Ente Photos frontend
        "ente.${domain}".extraConfig = ''
          ${homelabProxy 3003}
        '';
        # Ente Auth frontend
        "mfa.${domain}".extraConfig = ''
          ${homelabProxy 3004}
        '';
        # Homepage / portfolio
        "${domain}".extraConfig = ''
          ${homelabProxy 4321}
        '';
        # Yamtrack
        "track.${domain}".extraConfig = ''
          ${homelabProxy 8090}
        '';
        # Donetick
        "chore.${domain}".extraConfig = ''
          ${homelabProxy 2021}
        '';
      };
  };
 }
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@ -0,0 +1,20 @@
 { lib, ... }:
 {
  imports = with lib.custom; [
    (relativeToBase "modules")
    ./actual.nix
    ./boot.nix
    ./caddy.nix
    ./forgejo.nix
    ./hardware.nix
    ./headscale.nix
    ./home-assitant.nix
    ./mailserver.nix
    ./nextcloud.nix
    ./nginx.nix
    ./podman.nix
    ./postgres.nix
    ./security
  ];
 }
--- a/hosts/pi4/forgejo.nix
+++ b/hosts/pi4/forgejo.nix
@ -0,0 +1,94 @@
 {
  config,
  pkgs,
  lib,
  systemConfig,
  common,
  ...
 }:
 let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
  domain = "beta.code.${common.domain}";
  passwordKey = "forgejo/admin-pass";
  runnerTokenKey = "forgejo/runner-token";
 in
 {
  services = {
    nginx.virtualHosts.${domain} = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
      serverAliases = [ "beta.git.${common.domain}" ];
    };
    forgejo = {
      enable = true;
      database.type = "postgres";
      # Enable support for Git Large File Storage
      lfs.enable = true;
      secrets.mailer.PASSWD = config.sops.secrets."mailserver/password-hash".path;
      settings = {
        server = {
          DOMAIN = domain;
          # You need to specify this to remove the port from URLs in the web UI.
          ROOT_URL = "https://${domain}/";
          HTTP_PORT = 8002;
        };
        # You can temporarily allow registration to create an admin user.
        service.DISABLE_REGISTRATION = true;
        # Add support for actions, based on act: https://github.com/nektos/act
        actions = {
          ENABLED = true;
          DEFAULT_ACTIONS_URL = "github";
        };
        # Sending emails is completely optional
        # You can send a test email from the web UI at:
        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
        mailer = lib.mkIf config.mailserver.enable {
          ENABLED = true;
          PROTOCOL = "smtps";
          SMTP_ADDR = config.mailserver.fqdn;
          FROM = "noreply-forgejo@${common.domain}";
          USER = "${systemConfig.username}@${common.domain}";
        };
      };
    };
    gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances.default = {
        enable = true;
        name = "monolith";
        url = "https://${domain}";
        # Obtaining the path to the runner token file may differ
        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
        tokenFile = config.sops.secrets.${runnerTokenKey}.path;
        labels = [
          "docker:docker://node:20-bullseye"
          "native:host"
        ];
      };
    };
  };
  sops.secrets = {
    ${passwordKey}.owner = "forgejo";
    ${runnerTokenKey}.owner = "forgejo";
  };
  # Create a single admin user / update password if exists
  systemd.services.forgejo.preStart =
    let
      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
      pwd = config.sops.secrets.${passwordKey};
      user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
      email = "git@${common.domain}";
    in
    ''
      ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
      ## Alter an existing user. Will prompt new password on login
      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
    '';
 }
--- a/hosts/pi4/hardware.nix
+++ b/hosts/pi4/hardware.nix
@ -0,0 +1,12 @@
 {
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [ "noatime" ];
    };
    # TODO mount ext hdd
  };
  hardware.enableRedistributableFirmware = true;
 }
--- a/hosts/pi4/headscale.nix
+++ b/hosts/pi4/headscale.nix
@ -0,0 +1,66 @@
 {
  config,
  common,
  ...
 }:
 let
  cfg = config.services.headscale;
  domain = "beta.vpn.${common.domain}";
  dnsDomain = "secure.${common.domain}";
 in
 {
  networking.firewall = {
    trustedInterfaces = [ config.services.tailscale.interfaceName ];
    allowedUDPPorts = [ config.services.tailscale.port ];
  };
  services = {
    headscale = {
      enable = true;
      address = "0.0.0.0";
      port = 8083;
      settings = {
        database = {
          postgres = {
            host = "/run/postgresql";
            name = "headscale";
            port = config.services.postgresql.settings.port;
            user = cfg.user;
          };
          type = "postgres";
        };
        dns = {
          base_domain = dnsDomain;
          magic_dns = true;
        };
        logtail.enabled = false;
        server_url = "https://${domain}";
      };
    };
    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.headscale.port}";
        proxyWebsockets = true;
      };
    };
    postgresql =
      let
        psql = cfg.settings.database.postgres;
      in
      {
        ensureDatabases = [ psql.name ];
        ensureUsers = [
          {
            name = psql.user;
            ensureDBOwnership = true;
          }
        ];
      };
  };
 }
--- a/hosts/pi4/home-assitant.nix
+++ b/hosts/pi4/home-assitant.nix
@ -0,0 +1,73 @@
 { pkgs, common, ... }:
 let
  dbName = "hass";
  domain = "beta.home.${common.domain}";
  port = 8085;
 in
 {
  services = {
    home-assistant = {
      enable = true;
      package =
        (pkgs.home-assistant.override {
          extraPackages =
            py: with py; [
              # Postgres
              psycopg2
              # Roomba
              roombapy
            ];
        }).overrideAttrs
          (oldAttrs: {
            # Avoid long install checks
            doInstallCheck = false;
          });
      extraComponents = [
        # Components required to complete the onboarding
        "esphome"
        "met"
        "radio_browser"
      ];
      config = {
        # Includes dependencies for a basic setup
        # https://www.home-assistant.io/integrations/default_config/
        default_config = { };
        homeassistant = {
          name = "Hjem";
          unit_system = "metric";
          temperature_unit = "C";
        };
        http = {
          server_host = "::1";
          trusted_proxies = [ "::1" ];
          use_x_forwarded_for = true;
          server_port = port;
        };
        recorder.db_url = "postgresql://@/${dbName}";
      };
    };
    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        proxy_buffering off;
      '';
      locations."/" = {
        proxyPass = "http://[::1]:${toString port}";
        proxyWebsockets = true;
      };
    };
    postgresql = {
      enable = true;
      ensureDatabases = [ dbName ];
      ensureUsers = [
        {
          name = dbName;
          ensureDBOwnership = true;
        }
      ];
    };
  };
 }
--- a/hosts/pi4/home-manager/default.nix
+++ b/hosts/pi4/home-manager/default.nix
@ -0,0 +1,9 @@
 { lib, ... }:
 {
  imports = with lib.custom; [
    (relativeToBase "home-manager")
  ];
  programs.git.signing.key = "E3FA0E995C0D0E5E";
 }
--- a/hosts/pi4/mailserver.nix
+++ b/hosts/pi4/mailserver.nix
@ -0,0 +1,44 @@
 {
  config,
  inputs,
  common,
  systemConfig,
  ...
 }:
 let
  passwordHashKey = "mailserver/password-hash";
 in
 {
  imports = [
    inputs.simple-nixos-mailserver.nixosModule
  ];
  mailserver = {
    enable = false;
    # stateVersion = 1; TODO uncomment on 25.11
    fqdn = "mail.${common.domain}";
    domains = [
      common.domain
    ];
    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "${systemConfig.username}@${common.domain}" = {
        hashedPasswordFile = config.sops.secrets.${passwordHashKey}.path;
      };
    };
    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };
  networking.firewall.allowedTCPPorts = [
    25
    465
    587
  ];
  sops.secrets.${passwordHashKey}.neededForUsers = true;
 }
--- a/hosts/pi4/nextcloud.nix
+++ b/hosts/pi4/nextcloud.nix
@ -0,0 +1,90 @@
 # https://mich-murphy.com/configure-nextcloud-nixos/
 {
  pkgs,
  config,
  common,
  ...
 }:
 let
  adminPassKey = "nextcloud/admin-pass";
  domain = "beta.nextcloud.${common.domain}";
  dbname = "nextcloud";
  dbuser = dbname;
 in
 {
  security.acme = {
    acceptTerms = true;
    certs.${config.services.nextcloud.hostName}.email = "acme@${common.domain}";
  };
  services = {
    nextcloud = {
      enable = true;
      autoUpdateApps.enable = true;
      config = {
        adminpassFile = config.sops.secrets.${adminPassKey}.path;
        dbtype = "pgsql";
        dbname = dbname;
        dbuser = dbuser;
        # default directory for postgresql, ensures automatic setup of db
        dbhost = "/run/postgresql";
        adminuser = "admin";
      };
      extraApps = {
        inherit (config.services.nextcloud.package.packages.apps)
          contacts
          deck
          notes
          tasks
          ;
      };
      extraAppsEnable = true;
      hostName = domain;
      https = true;
      maxUploadSize = "0"; # No max limit
      package = pkgs.nextcloud31;
      settings = {
        default_phone_region = "NO";
        trusted_domains = [
          domain
        ];
      };
    };
    nginx.virtualHosts.${config.services.nextcloud.hostName} = {
      forceSSL = true;
      enableACME = true;
    };
    postgresql = {
      ensureDatabases = [ dbname ];
      ensureUsers = [
        {
          name = dbuser;
          ensureDBOwnership = true;
        }
      ];
    };
    postgresqlBackup = {
      enable = true;
      location = "/data/backup/nextclouddb";
      databases = [ dbname ];
      # time to start backup in systemd.time format
      startAt = "*-*-* 23:15:00";
    };
  };
  sops.secrets.${adminPassKey}.neededForUsers = true;
  # ensure postgresql db is started with nextcloud
  systemd.services."nextcloud-setup" = {
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
  };
 }
--- a/hosts/pi4/nginx.nix
+++ b/hosts/pi4/nginx.nix
@ -0,0 +1,94 @@
 {
  common,
  ...
 }:
 let
  domain = common.domain;
  proxyTo = address: port: {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "${address}:${builtins.toString port}";
  };
  proxyLocations = locations: {
    enableACME = true;
    forceSSL = true;
    inherit locations;
  };
  homelab = "http://${common.localIpAddr 231}";
  homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
  redirect = subdomain: {
    enableACME = true;
    forceSSL = true;
    globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
  };
 in
 {
  services.nginx = {
    enable = true;
    enableReload = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      # Beta is currently stable
      "www.${domain}" = redirect "";
      "beta.${domain}" = redirect "";
      "dev.${domain}" = homelabProxy 4322;
      "git.${domain}" = redirect "code";
      "kitchenowl.${domain}" = redirect "grocery";
      # Gitea
      "code.${domain}" = homelabProxy 3000;
      # Nextcloud
      "nextcloud.${domain}" = proxyLocations {
        "/".proxyPass = "${homelab}:11000";
        "/.well-known/carddav".return = "301 /remote.php/dav";
        "/.well-known/caldav".return = "301 /remote.php/dav";
      };
      # Kitchenowl
      "grocery.${domain}" = homelabProxy 800;
      # Actual budget
      "budget.${domain}" = homelabProxy 5006;
      # Uptime Kuma
      "status.${domain}" = homelabProxy 3001;
      # Headscale
      "vpn.${domain}" = proxyLocations {
        "/web".proxyPass = "${homelab}:8084";
        "/" = {
          proxyPass = "${homelab}:8082";
          extraConfig = ''
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_redirect http:// https://;
            proxy_buffering off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
          '';
        };
      };
      # Headscale SmartDNS
      "dns.${domain}" = homelabProxy 8082;
      # FreshRSS
      "rss.${domain}" = homelabProxy 8085;
      # Ente backend
      "api.ente.${domain}" = homelabProxy 8083;
      # Ente Photos frontend
      "ente.${domain}" = homelabProxy 3003;
      # Ente Auth frontend
      "mfa.${domain}" = homelabProxy 3004;
      # Homepage / portfolio
      "${domain}" = homelabProxy 4321;
      # Yamtrack
      "track.${domain}" = homelabProxy 8090;
      # Donetick
      "chore.${domain}" = homelabProxy 2021;
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@${domain}";
  };
 }
--- a/hosts/pi4/podman.nix
+++ b/hosts/pi4/podman.nix
@ -0,0 +1,23 @@
 { pkgs, ... }:
 {
  virtualisation = {
    # Enable common container config files in /etc/containers
    containers.enable = true;
    podman = {
      enable = true;
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };
  # Useful other development tools
  environment.systemPackages = with pkgs; [
    podman-tui # status of containers in the terminal
    podman-compose # start group of containers for dev
  ];
 }
--- a/hosts/pi4/postgres.nix
+++ b/hosts/pi4/postgres.nix
@ -0,0 +1,11 @@
 { pkgs, ... }:
 {
  services.postgresql = {
    enable = true;
    authentication = pkgs.lib.mkOverride 10 ''
      #type database  DBuser        auth-method
      local all       all           trust
    '';
  };
 }
--- a/hosts/pi4/security/default.nix
+++ b/hosts/pi4/security/default.nix
@ -0,0 +1,22 @@
 { systemConfig, ... }:
 {
  imports = [
    ./firewall.nix
  ];
  security.sudo.extraRules = [
    {
      users = [ systemConfig.username ];
      runAs = "ALL:ALL";
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
  services.pcscd.enable = true;
 }
--- a/hosts/pi4/security/firewall.nix
+++ b/hosts/pi4/security/firewall.nix
@ -0,0 +1,17 @@
 { common, ... }:
 {
  networking = {
    firewall = {
      enable = true;
      allowedTCPPorts = [
        80
        443
      ];
      extraInputRules = ''
        ip saddr ${common.localIpRange} accept
      '';
    };
    nftables.enable = true;
  };
 }
--- a/hosts/thinkpad/battery.nix
+++ b/hosts/thinkpad/battery.nix
@ -0,0 +1,6 @@
 {
  services = {
    upower.enable = true;
    power-profiles-daemon.enable = true;
  };
 }
--- a/hosts/thinkpad/bluetooth.nix
+++ b/hosts/thinkpad/bluetooth.nix
@ -0,0 +1,14 @@
 { pkgs, ... }:
 {
  environment.systemPackages = [
    pkgs.bluez
  ];
  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true; # powers up the default Bluetooth controller on boot
  };
  services.blueman.enable = true;
 }
--- a/hosts/thinkpad/common.nix
+++ b/hosts/thinkpad/common.nix
@ -0,0 +1,4 @@
 {
  # Empty matches all monitors
  monitor1 = "";
 }
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -0,0 +1,23 @@
 {
  pkgs,
  lib,
  ...
 }:
 {
  imports = [
    (lib.custom.relativeToDesktop "modules")
    ./battery.nix
    ./bluetooth.nix
    ./hardware-configuration.nix
    ./security.nix
  ];
  boot.kernelPackages = pkgs.linuxPackages_latest;
  environment.systemPackages = with pkgs; [
    brightnessctl
    hyprsunset # Blue light filter
  ];
 }
--- a/hosts/thinkpad/hardware-configuration.nix
+++ b/hosts/thinkpad/hardware-configuration.nix
@ -0,0 +1,57 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "usb_storage"
    "sd_mod"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/5ac9c425-35ae-47d5-a683-68ee0dbfc2bc";
    fsType = "ext4";
  };
  boot.initrd.luks.devices."luks-99b73f22-3fa1-42b5-ad48-54b0ccff72cc".device =
    "/dev/disk/by-uuid/99b73f22-3fa1-42b5-ad48-54b0ccff72cc";
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/3CFB-D12A";
    fsType = "vfat";
    options = [
      "fmask=0077"
      "dmask=0077"
    ];
  };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/thinkpad/home-manager/default.nix
+++ b/hosts/thinkpad/home-manager/default.nix
@ -0,0 +1,14 @@
 {
  lib,
  ...
 }:
 {
  imports = [
    (lib.custom.relativeToDesktop "home-manager")
    ./hyprland
    ./zen
  ];
  programs.git.signing.key = "848D71DE0590C199";
 }
--- a/hosts/thinkpad/home-manager/hyprland/default.nix
+++ b/hosts/thinkpad/home-manager/hyprland/default.nix
@ -0,0 +1,8 @@
 # Home configurations for Hyprland. For system configs, see ./modules/hyprland
 {
  imports = [
    ./hyprlock.nix
    ./hyprpanel.nix
    ./settings.nix
  ];
 }
--- a/hosts/thinkpad/home-manager/hyprland/hyprlock.nix
+++ b/hosts/thinkpad/home-manager/hyprland/hyprlock.nix
@ -0,0 +1,15 @@
 { pkgs, lib, ... }:
 {
  # TODO fingerprint prompt using $FPRINTPROMPT
  programs.hyprlock = {
    package = pkgs.unstable.hyprlock;
    settings = {
      auth."fingerprint:enabled" = true;
      # Override removed settings shared config
      general = lib.mkForce {
        hide_cursor = true;
      };
    };
  };
 }
--- a/hosts/thinkpad/home-manager/hyprland/hyprpanel.nix
+++ b/hosts/thinkpad/home-manager/hyprland/hyprpanel.nix
@ -0,0 +1,16 @@
 {
  lib,
  ...
 }:
 {
  programs.hyprpanel.settings.bar.layouts."*".right = lib.mkForce [
    "kbinput"
    "volume"
    "network"
    "systray"
    "clock"
    "battery"
    "notifications"
  ];
 }
--- a/hosts/thinkpad/home-manager/hyprland/settings.nix
+++ b/hosts/thinkpad/home-manager/hyprland/settings.nix
@ -0,0 +1,33 @@
 {
  lib,
  ...
 }:
 {
  wayland.windowManager.hyprland.settings = {
    monitor =
      let
        common = import ../../common.nix;
      in
      lib.mkForce [
        "${common.monitor1}, 1920x1080@60.05, 0x0, 1"
      ];
    # Autostart
    exec-once = [
      "hyprsunset -t 5000" # Set blue light filter
    ];
    input = {
      sensitivity = lib.mkForce 0.4; # -1.0 - 1.0, 0 means no modification.
      touchpad.natural_scroll = lib.mkForce true;
    };
    gestures = {
      workspace_swipe = lib.mkForce true;
      workspace_swipe_distance = lib.mkForce 150;
      workspace_swipe_min_speed_to_force = lib.mkForce 0;
      workspace_swipe_cancel_ratio = lib.mkForce 0.5;
    };
  };
 }
--- a/hosts/thinkpad/home-manager/zen/chrome/userChrome.css
+++ b/hosts/thinkpad/home-manager/zen/chrome/userChrome.css
@ -0,0 +1,113 @@
 /* Catppuccin Mocha Blue userChrome.css*/
@media (prefers-color-scheme: dark) {
  :root {
    --zen-colors-primary: #313244 !important;
    --zen-primary-color: #89b4fa !important;
    --zen-colors-secondary: #313244 !important;
    --zen-colors-tertiary: #181825 !important;
    --zen-colors-border: #89b4fa !important;
    --toolbarbutton-icon-fill: #89b4fa !important;
    --lwt-text-color: #cdd6f4 !important;
    --toolbar-field-color: #cdd6f4 !important;
    --tab-selected-textcolor: rgb(171, 197, 247) !important;
    --toolbar-field-focus-color: #cdd6f4 !important;
    --toolbar-color: #cdd6f4 !important;
    --newtab-text-primary-color: #cdd6f4 !important;
    --arrowpanel-color: #cdd6f4 !important;
    --arrowpanel-background: #1e1e2e !important;
    --sidebar-text-color: #cdd6f4 !important;
    --lwt-sidebar-text-color: #cdd6f4 !important;
    --lwt-sidebar-background-color: #11111b !important;
    --toolbar-bgcolor: #313244 !important;
    --newtab-background-color: #1e1e2e !important;
    --zen-themed-toolbar-bg: #181825 !important;
    --zen-main-browser-background: #181825 !important;
  }
  #permissions-granted-icon {
    color: #181825 !important;
  }
  .sidebar-placesTree {
    background-color: #1e1e2e !important;
  }
  #zen-workspaces-button {
    background-color: #1e1e2e !important;
  }
  #TabsToolbar {
    background-color: #181825 !important;
  }
  #urlbar-background {
    background-color: #1e1e2e !important;
  }
  .content-shortcuts {
    background-color: #1e1e2e !important;
    border-color: #89b4fa !important;
  }
  .urlbarView-url {
    color: #89b4fa !important;
  }
  #zenEditBookmarkPanelFaviconContainer {
    background: #11111b !important;
  }
  toolbar .toolbarbutton-1 {
    &:not([disabled]) {
      &:is([open], [checked])
        > :is(
          .toolbarbutton-icon,
          .toolbarbutton-text,
          .toolbarbutton-badge-stack
        ) {
        fill: #11111b;
      }
    }
  }
  .identity-color-blue {
    --identity-tab-color: #89b4fa !important;
    --identity-icon-color: #89b4fa !important;
  }
  .identity-color-turquoise {
    --identity-tab-color: #94e2d5 !important;
    --identity-icon-color: #94e2d5 !important;
  }
  .identity-color-green {
    --identity-tab-color: #a6e3a1 !important;
    --identity-icon-color: #a6e3a1 !important;
  }
  .identity-color-yellow {
    --identity-tab-color: #f9e2af !important;
    --identity-icon-color: #f9e2af !important;
  }
  .identity-color-orange {
    --identity-tab-color: #fab387 !important;
    --identity-icon-color: #fab387 !important;
  }
  .identity-color-red {
    --identity-tab-color: #f38ba8 !important;
    --identity-icon-color: #f38ba8 !important;
  }
  .identity-color-pink {
    --identity-tab-color: #f5c2e7 !important;
    --identity-icon-color: #f5c2e7 !important;
  }
  .identity-color-purple {
    --identity-tab-color: #cba6f7 !important;
    --identity-icon-color: #cba6f7 !important;
  }
 }
--- a/hosts/thinkpad/home-manager/zen/chrome/userContent.css
+++ b/hosts/thinkpad/home-manager/zen/chrome/userContent.css
@ -0,0 +1,157 @@
 /* Catppuccin Mocha Blue userContent.css*/
@media (prefers-color-scheme: dark) {
  /* Common variables affecting all pages */
  @-moz-document url-prefix("about:") {
    :root {
      --in-content-page-color: #cdd6f4 !important;
      --color-accent-primary: #89b4fa !important;
      --color-accent-primary-hover: rgb(163, 197, 251) !important;
      --color-accent-primary-active: rgb(138, 153, 250) !important;
      background-color: #1e1e2e !important;
      --in-content-page-background: #1e1e2e !important;
    }
  }
  /* Variables and styles specific to about:newtab and about:home */
  @-moz-document url("about:newtab"), url("about:home") {
    :root {
      --newtab-background-color: #1e1e2e !important;
      --newtab-background-color-secondary: #313244 !important;
      --newtab-element-hover-color: #313244 !important;
      --newtab-text-primary-color: #cdd6f4 !important;
      --newtab-wordmark-color: #cdd6f4 !important;
      --newtab-primary-action-background: #89b4fa !important;
    }
    .icon {
      color: #89b4fa !important;
    }
    .search-wrapper .logo-and-wordmark .logo {
      background: url("zen-logo-mocha.svg"),
        url("https://raw.githubusercontent.com/IAmJafeth/zen-browser/main/themes/Mocha/Blue/zen-logo-mocha.svg")
        no-repeat center !important;
      display: inline-block !important;
      height: 82px !important;
      width: 82px !important;
      background-size: 82px !important;
    }
    @media (max-width: 609px) {
      .search-wrapper .logo-and-wordmark .logo {
        background-size: 64px !important;
        height: 64px !important;
        width: 64px !important;
      }
    }
    .card-outer:is(:hover, :focus, .active):not(.placeholder) .card-title {
      color: #89b4fa !important;
    }
    .top-site-outer .search-topsite {
      background-color: #89b4fa !important;
    }
    .compact-cards .card-outer .card-context .card-context-icon.icon-download {
      fill: #a6e3a1 !important;
    }
  }
  /* Variables and styles specific to about:preferences */
  @-moz-document url-prefix("about:preferences") {
    :root {
      --zen-colors-tertiary: #181825 !important;
      --in-content-text-color: #cdd6f4 !important;
      --link-color: #89b4fa !important;
      --link-color-hover: rgb(163, 197, 251) !important;
      --zen-colors-primary: #313244 !important;
      --in-content-box-background: #313244 !important;
      --zen-primary-color: #89b4fa !important;
    }
    groupbox,
    moz-card {
      background: #1e1e2e !important;
    }
    button,
    groupbox menulist {
      background: #313244 !important;
      color: #cdd6f4 !important;
    }
    .main-content {
      background-color: #11111b !important;
    }
    .identity-color-blue {
      --identity-tab-color: #8aadf4 !important;
      --identity-icon-color: #8aadf4 !important;
    }
    .identity-color-turquoise {
      --identity-tab-color: #8bd5ca !important;
      --identity-icon-color: #8bd5ca !important;
    }
    .identity-color-green {
      --identity-tab-color: #a6da95 !important;
      --identity-icon-color: #a6da95 !important;
    }
    .identity-color-yellow {
      --identity-tab-color: #eed49f !important;
      --identity-icon-color: #eed49f !important;
    }
    .identity-color-orange {
      --identity-tab-color: #f5a97f !important;
      --identity-icon-color: #f5a97f !important;
    }
    .identity-color-red {
      --identity-tab-color: #ed8796 !important;
      --identity-icon-color: #ed8796 !important;
    }
    .identity-color-pink {
      --identity-tab-color: #f5bde6 !important;
      --identity-icon-color: #f5bde6 !important;
    }
    .identity-color-purple {
      --identity-tab-color: #c6a0f6 !important;
      --identity-icon-color: #c6a0f6 !important;
    }
  }
  /* Variables and styles specific to about:addons */
  @-moz-document url-prefix("about:addons") {
    :root {
      --zen-dark-color-mix-base: #181825 !important;
      --background-color-box: #1e1e2e !important;
    }
  }
  /* Variables and styles specific to about:protections */
  @-moz-document url-prefix("about:protections") {
    :root {
      --zen-primary-color: #1e1e2e !important;
      --social-color: #cba6f7 !important;
      --coockie-color: #89dceb !important;
      --fingerprinter-color: #f9e2af !important;
      --cryptominer-color: #b4befe !important;
      --tracker-color: #a6e3a1 !important;
      --in-content-primary-button-background-hover: rgb(81, 83, 105) !important;
      --in-content-primary-button-text-color-hover: #cdd6f4 !important;
      --in-content-primary-button-background: #45475a !important;
      --in-content-primary-button-text-color: #cdd6f4 !important;
    }
    .card {
      background-color: #313244 !important;
    }
  }
 }
--- a/hosts/thinkpad/home-manager/zen/chrome/zen-logo.svg
+++ b/hosts/thinkpad/home-manager/zen/chrome/zen-logo.svg
@ -0,0 +1,13 @@
 <svg width="1024" height="1024" viewBox="0 0 1024 1024" fill="none" xmlns="http://www.w3.org/2000/svg">
  <g clip-path="url(#clip0_15_9)">
    <rect width="1024" height="1024" rx="225" fill="#11111b"/>
    <circle cx="512" cy="512" r="340" stroke="#cdd6f4" stroke-width="70"/>
    <circle cx="512" cy="512" r="224.915" stroke="#cdd6f4" stroke-width="51"/>
    <circle cx="512" cy="512" r="129.018" stroke="#cdd6f4" stroke-width="31"/>
  </g>
  <defs>
    <clipPath id="clip0_15_9">
      <rect width="1024" height="1024" fill="white"/>
    </clipPath>
  </defs>
 </svg>
--- a/hosts/thinkpad/home-manager/zen/default.nix
+++ b/hosts/thinkpad/home-manager/zen/default.nix
@ -0,0 +1,7 @@
 {
  # TODO merge with shared
  home.file.".zen/xdaxqlov.default/chrome" = {
    source = ./chrome;
    recursive = true;
  };
 }
--- a/hosts/thinkpad/security.nix
+++ b/hosts/thinkpad/security.nix
@ -0,0 +1,38 @@
 { pkgs, ... }:
 {
  security = {
    pam.services = {
      gdm-fingerprint.text = ''
        auth       required                    pam_shells.so
        auth       requisite                   pam_nologin.so
        auth       requisite                   pam_faillock.so      preauth
        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
        auth       optional                    pam_permit.so
        auth       required                    pam_env.so
        auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
        auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
        account    include                     login
        password   required                    pam_deny.so
        session    include                     login
        session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
      '';
      login.fprintAuth = false;
    };
  };
  # Start the driver at boot
  systemd.services.fprintd = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig.Type = "simple";
  };
  # Install the driver
  services.fprintd = {
    enable = true;
    tod.driver = pkgs.libfprint-2-tod1-goodix-550a; # Goodix 550a driver (from Lenovo)
  };
 }
--- a/88
+++ b/88
@ -0,0 +1,88 @@
 # List all receipes
 default:
    @just --list
 # Format all files in repo
 fmt:
    treefmt --on-unmatched info
 # Clean user files
 clean-user:
    nh clean user
 # Clean all files
 clean-all:
    nh clean all
 # Build a specific host but don't activate it. Host must use same system as target system
 build HOST:
    git add .
    just fmt
    nh os build . -H {{HOST}}
 # Switch to new config, but don't add to bootloader
 test *FLAGS:
    git add .
    just fmt
    nh os test . {{FLAGS}}
 # Add new configuration to bootloader, but don't activate it now
 boot *FLAGS:
    git add .
    just fmt
    nh os test . {{FLAGS}}
 # Switch to new config and add to bootloader
 switch *FLAGS:
    git add .
    just fmt
    nh os switch . {{FLAGS}}
 # Switch to new config and add to bootloader without formatting or adding to git
 switch-now *FLAGS:
    nh os switch . {{FLAGS}}
 update-all *FLAGS:
    nix flake update
    just switch {{FLAGS}}
 update PKG:
    nix flake update {{PKG}}
    just switch
 # Encrypt all files in the repo using git-crypt
 lock:
    git-crypt lock
 # Decrypt all files in the repo using git-crypt and the user's GPG key
 unlock:
    git-crypt unlock ~/.config/git/crypt-key
 # Connect to tailnet or sign-in if not registered
 start-tailscale:
    tailscale up --login-server https://vpn.martials.no
 # Generate a new SSH key without passphrase
 generate-ssh:
    ssh-keygen -t ed25519 -a 32 -f ~/.ssh/id_ed25519 -P ""
 # Generate a new age key from an existing ssh key (without passphrase)
 generate-age-from-ssh:
    mkdir -p ~/.config/sops/age
    nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
 # Get a public age key from an existing age private key
 get-public-age-key:
    nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt
 # Get the public ssh key from the current user
 get-public-ssh-key:
    cat ~/.ssh/id_ed25519.pub
 # Edit the SOPS secrets file
 edit-secrets:
    nix run nixpkgs#sops -- shared/secrets/secrets.yaml
 # Hash a string using the mkpasswd command
 hash PASS:
    echo "{{PASS}}" | mkpasswd -s
--- a/lib/default.nix
+++ b/lib/default.nix
@ -0,0 +1,27 @@
 # FIXME(lib.custom): Add some stuff from hmajid2301/dotfiles/lib/module/default.nix, as simplifies option declaration
 { lib, ... }:
 with builtins;
 {
  getSecret = with lib.strings; filePath: trim (removeSuffix "\n" (readFile filePath));
  # use path relative to the root of the project
  relativeToRoot = lib.path.append ../.;
  relativeToBase = lib.path.append ../shared/base;
  relativeToDesktop = lib.path.append ../shared/desktop;
  scanPaths =
    path:
    map (f: (path + "/${f}")) (
      attrNames (
        lib.attrsets.filterAttrs (
          path: _type:
          (_type == "directory") # include directories
          || (
            (path != "default.nix") # ignore default.nix
            && (lib.strings.hasSuffix ".nix" path) # include .nix files
          )
        ) (readDir path)
      )
    );
 }
--- a/overlays.nix
+++ b/overlays.nix
@ -0,0 +1,11 @@
 { inputs, ... }:
 {
  # Gives access to unstable packages everywhere
  unstable-packages = final: _prev: {
    unstable = import inputs.nixpkgs-unstable {
      system = final.system;
      config.allowUnfree = true;
    };
  };
 }
--- a/1
+++ b/1
@ -1 +0,0 @@
 /nix/store/1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl-hello-2.12.1
--- a/shared/assets/Catppuccin.png
+++ b/shared/assets/Catppuccin.png
--- a/shared/assets/catppuccin_high.png
+++ b/shared/assets/catppuccin_high.png
--- a/shared/assets/catppuccin_page_curl.png
+++ b/shared/assets/catppuccin_page_curl.png
--- a/shared/assets/downtown.gif
+++ b/shared/assets/downtown.gif
--- a/shared/assets/ekg_v2.png
+++ b/shared/assets/ekg_v2.png
--- a/shared/assets/face.png
+++ b/shared/assets/face.png
--- a/shared/assets/nixos_waves.png
+++ b/shared/assets/nixos_waves.png
--- a/shared/base/home-manager/default.nix
+++ b/shared/base/home-manager/default.nix
@ -0,0 +1,12 @@
 { inputs, ... }:
 {
  imports = [
    inputs.catppuccin.homeModules.catppuccin
    ./development
    ./shell
    ./gpg.nix
    ./home-manager.nix
    ./ssh.nix
  ];
 }
--- a/shared/base/home-manager/development/default.nix
+++ b/shared/base/home-manager/development/default.nix
@ -0,0 +1,6 @@
 {
  imports = [
    ./git.nix
    ./helix.nix
  ];
 }
--- a/shared/base/home-manager/development/git.nix
+++ b/shared/base/home-manager/development/git.nix
@ -0,0 +1,35 @@
 { pkgs, common, ... }:
 {
  home.packages = with pkgs; [
    git-crypt
    gitmoji-cli
  ];
  programs.git =
    let
      package = pkgs.git.override { withLibsecret = true; };
    in
    {
      enable = true;
      package = package;
      userName = "Martin Berg Alstad";
      userEmail = "git@${common.domain}";
      aliases = {
        amend = "commit --amend";
        cm = "commit";
        s = "status";
        p = "push";
      };
      signing.signByDefault = true;
      extraConfig = {
        pull.rebase = true;
        push.autoSetupRemote = true;
        safe.directory = "/etc/nixos";
        credential.helper = "${package}/bin/git-credential-libsecret";
      };
    };
 }
--- a/shared/base/home-manager/development/helix.nix
+++ b/shared/base/home-manager/development/helix.nix
@ -0,0 +1,111 @@
 {
  pkgs,
  lib,
  theme,
  ...
 }:
 {
  catppuccin.helix = {
    enable = true;
    flavor = theme.flavor;
  };
  programs = {
    fish.shellAliases.edit = "hx";
    helix =
      let
        prettier = format: {
          command = lib.getExe pkgs.nodePackages.prettier;
          args = [
            "--stdin-filepath"
            "file.${format}"
          ];
        };
        biome = format: {
          command = lib.getExe pkgs.biome;
          args = [
            "check"
            "--stdin-file-path=file.${format}"
            "--write"
          ];
        };
      in
      {
        enable = true;
        defaultEditor = true;
        extraPackages = with pkgs; [
          # Markdown
          marksman
          markdown-oxide
          # Html, css, Json, Eslint
          vscode-langservers-extracted
          # Yaml
          ansible-language-server
          yaml-language-server
        ];
        settings = {
          editor = {
            auto-save = {
              after-delay.enable = true;
              focus-lost = true;
            };
            cursor-shape = {
              normal = "block";
              insert = "bar";
              select = "underline";
            };
            lsp = {
              display-inlay-hints = true;
              display-messages = true;
            };
          };
          keys.normal = {
            C-f = ":format";
          };
        };
        languages.language = [
          {
            name = "css";
            formatter = biome "css";
            auto-format = true;
          }
          {
            name = "json";
            language-servers = [
              "vscode-json-language-server"
            ];
            formatter = biome "json";
            auto-format = true;
          }
          {
            name = "jsonc";
            language-servers = [
            ];
            formatter = biome "jsonc";
            file-types = [
              "jsonc"
            ];
            auto-format = true;
          }
          {
            name = "markdown";
            formatter = prettier "md";
            auto-format = true;
          }
          {
            name = "nix";
            formatter.command = lib.getExe pkgs.nixfmt-rfc-style;
            auto-format = true;
          }
          {
            name = "yaml";
            formatter = prettier "yaml";
            auto-format = true;
          }
        ];
      };
  };
 }
--- a/shared/base/home-manager/gpg.nix
+++ b/shared/base/home-manager/gpg.nix
@ -0,0 +1,10 @@
 { pkgs, ... }:
 {
  programs.gpg.enable = true;
  services.gpg-agent = {
    enable = true;
    enableFishIntegration = true;
    pinentry.package = pkgs.pinentry-curses;
  };
 }
--- a/shared/base/home-manager/home-manager.nix
+++ b/shared/base/home-manager/home-manager.nix
@ -0,0 +1,16 @@
 {
  systemConfig,
  common,
  ...
 }:
 {
  home = {
    username = systemConfig.username;
    homeDirectory = common.dir.home;
    stateVersion = systemConfig.version;
  };
  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;
 }
--- a/shared/base/home-manager/shell/bat.nix
+++ b/shared/base/home-manager/shell/bat.nix
@ -0,0 +1,13 @@
 { theme, ... }:
 {
  catppuccin.bat = {
    enable = true;
    flavor = theme.flavor;
  };
  programs = {
    bat.enable = true;
    fish.shellAliases.cat = "bat";
  };
 }
--- a/shared/base/home-manager/shell/btop.nix
+++ b/shared/base/home-manager/shell/btop.nix
@ -0,0 +1,10 @@
 { theme, ... }:
 {
  catppuccin.btop = {
    enable = true;
    flavor = theme.flavor;
  };
  programs.btop.enable = true;
 }
--- a/shared/base/home-manager/shell/default.nix
+++ b/shared/base/home-manager/shell/default.nix
@ -0,0 +1,11 @@
 {
  imports = [
    ./bat.nix
    ./btop.nix
    ./eza.nix
    ./fastfetch.nix
    ./fish.nix
    ./fzf.nix
    ./zoxide.nix
  ];
 }
--- a/shared/base/home-manager/shell/eza.nix
+++ b/shared/base/home-manager/shell/eza.nix
@ -0,0 +1,12 @@
 {
  programs = {
    eza = {
      enable = true;
      colors = "always";
      enableFishIntegration = true;
      git = true;
      icons = "always";
    };
    fish.shellAliases.ls = "eza";
  };
 }
--- a/shared/base/home-manager/shell/fastfetch.nix
+++ b/shared/base/home-manager/shell/fastfetch.nix
@ -0,0 +1,63 @@
 { lib, ... }:
 {
  programs = {
    fish.shellAliases.fetch = "fastfetch";
    fastfetch = {
      enable = true;
      settings = {
        logo = {
          source = "${lib.custom.relativeToRoot "shared/assets/Catppuccin.png"}";
          type = "kitty";
          height = 18;
          padding.top = 2;
        };
        display.separator = " ";
        modules =
          let
            keyColor = "34";
            module = type: key: {
              inherit type key keyColor;
            };
            formatModule = type: key: format: {
              inherit
                type
                key
                format
                keyColor
                ;
            };
          in
          [
            "break"
            "break"
            {
              type = "title";
              keyWidth = 10;
            }
            "break"
            (module "os" " ")
            (module "kernel" " ")
            (formatModule "packages" " " "{} (nixpkgs)")
            (module "shell" " ")
            (module "terminal" " ")
            (module "wm" " ")
            (module "theme" " ")
            (module "cursor" " ")
            (module "terminalfont" " ")
            (module "uptime" " ")
            (formatModule "datetime" " " "{1}-{3}-{11}")
            (module "cpu" " ")
            (module "gpu" "󰤽 ")
            (module "sound" " ")
            (module "lm" " ")
            "break"
            "colors"
            "break"
            "break"
          ];
      };
    };
  };
 }
--- a/shared/base/home-manager/shell/fish.nix
+++ b/shared/base/home-manager/shell/fish.nix
@ -0,0 +1,55 @@
 { pkgs, theme, ... }:
 {
  catppuccin = {
    fish = {
      enable = true;
      flavor = theme.flavor;
    };
    starship = {
      enable = true;
      flavor = theme.flavor;
    };
  };
  programs = {
    fish = {
      enable = true;
      # Start starship when creating a new shell
      interactiveShellInit = ''
        starship init fish | source
        ${pkgs.fortune}/bin/fortune | ${pkgs.cowsay}/bin/cowsay -f tux
      '';
      plugins = [
        {
          # !! to get the previous command
          # https://github.com/BrewingWeasel/fishbang
          name = "fishbang";
          src = pkgs.fetchFromGitHub {
            owner = "BrewingWeasel";
            repo = "fishbang";
            rev = "50389667eb9ac79edcff9b987c83e1de8ac93921";
            hash = "sha256-IneNWyfo29C7FDA5b6pTZRX3HpP6y/dRM6GXuLq2+zc=";
          };
        }
      ];
      shellAliases = {
        nix-shell = "nix-shell --run fish"; # Start nix-shells using fish
      };
    };
    starship = {
      enable = true;
      settings = {
        directory.substitutions = {
          "Documents" = "󰈙 ";
          "Downloads" = " ";
          "Music" = "󰓃 ";
          "Pictures" = " ";
          "Git" = " ";
          "nextcloud" = " ";
        };
      };
    };
  };
 }
--- a/shared/base/home-manager/shell/fzf.nix
+++ b/shared/base/home-manager/shell/fzf.nix
@ -0,0 +1,13 @@
 { theme, ... }:
 {
  catppuccin.fzf = {
    enable = true;
    flavor = theme.flavor;
  };
  programs.fzf = {
    enable = true;
    enableFishIntegration = true;
  };
 }
--- a/shared/base/home-manager/shell/zoxide.nix
+++ b/shared/base/home-manager/shell/zoxide.nix
@ -0,0 +1,10 @@
 # cd alternative
 {
  programs = {
    fish.shellAliases.cd = "z";
    zoxide = {
      enable = true;
      enableFishIntegration = true;
    };
  };
 }
--- a/shared/base/home-manager/ssh.nix
+++ b/shared/base/home-manager/ssh.nix
@ -0,0 +1,32 @@
 # ~/.ssh/config
 {
  systemConfig,
  systems,
  common,
  ...
 }:
 with builtins;
 {
  programs.ssh = {
    enable = true;
    matchBlocks = listToAttrs (
      map (system: {
        name = system.hostName;
        value =
          let
            hostName =
              if (system ? address && system.address ? tailnet) then
                system.address.tailnet
              else
                common.tailnetAddr system.hostName;
          in
          {
            port = 22;
            user = systemConfig.username;
            hostname = hostName;
          };
      }) systems
    );
  };
 }
--- a/shared/base/modules/default.nix
+++ b/shared/base/modules/default.nix
@ -0,0 +1,11 @@
 {
  imports = [
    ./development
    ./networking.nix
    ./nix-helper.nix
    ./nixos.nix
    ./security
    ./shell.nix
    ./users.nix
  ];
 }
--- a/shared/base/modules/development/default.nix
+++ b/shared/base/modules/development/default.nix
@ -0,0 +1,13 @@
 { pkgs, ... }:
 {
  imports = [
    ./formatters.nix
    ./nix.nix
  ];
  environment.systemPackages = with pkgs; [
    git
    just
  ];
 }
--- a/shared/base/modules/development/formatters.nix
+++ b/shared/base/modules/development/formatters.nix
@ -0,0 +1,10 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    biome # Linter + formatter
    nixfmt-rfc-style
    treefmt
    shfmt
  ];
 }
--- a/shared/base/modules/development/nix.nix
+++ b/shared/base/modules/development/nix.nix
@ -0,0 +1,8 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    nixd
    nil
  ];
 }
--- a/shared/base/modules/networking.nix
+++ b/shared/base/modules/networking.nix
@ -0,0 +1,19 @@
 { pkgs, systemConfig, ... }:
 {
  environment.systemPackages = with pkgs; [
    wget
  ];
  networking = {
    networkmanager.enable = true;
    hostName = systemConfig.hostName;
  };
  programs.ssh.enableAskPassword = false;
  services = {
    openssh.enable = true;
    tailscale.enable = true;
  };
 }
--- a/shared/base/modules/nix-helper.nix
+++ b/shared/base/modules/nix-helper.nix
@ -0,0 +1,14 @@
 # Nix-Helper: github.com/viperML/nh
 { common, ... }:
 {
  programs.nh = {
    enable = true;
    flake = common.root;
    clean = {
      enable = true;
      dates = "weekly";
      extraArgs = "--keep-since 30d";
    };
  };
 }
--- a/shared/base/modules/nixos.nix
+++ b/shared/base/modules/nixos.nix
@ -0,0 +1,28 @@
 {
  pkgs,
  outputs,
  systemConfig,
  ...
 }:
 {
  environment.systemPackages = with pkgs; [
    nix-prefetch-github # Cmd to get rev and hash from GitHub
  ];
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nixpkgs = {
    # Allow unfree packages
    config.allowUnfree = true;
    overlays = [ outputs.overlays.unstable-packages ];
  };
  system = {
    rebuild.enableNg = true;
    stateVersion = systemConfig.version;
  };
 }
--- a/shared/base/modules/security/default.nix
+++ b/shared/base/modules/security/default.nix
@ -0,0 +1,9 @@
 {
  imports = [
    ./keyring.nix
    ./sops.nix
    ./ssh.nix
  ];
  programs.gnupg.agent.enable = true;
 }
--- a/shared/base/modules/security/keyring.nix
+++ b/shared/base/modules/security/keyring.nix
@ -0,0 +1,3 @@
 {
  services.gnome.gnome-keyring.enable = true;
 }
--- a/shared/base/modules/security/sops.nix
+++ b/shared/base/modules/security/sops.nix
@ -0,0 +1,20 @@
 {
  inputs,
  lib,
  systemConfig,
  ...
 }:
 {
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];
  sops = {
    defaultSopsFile = lib.custom.relativeToRoot "shared/secrets/secrets.yaml";
    defaultSopsFormat = "yaml";
    age.keyFile = "/home/${systemConfig.username}/.config/sops/age/keys.txt";
    secrets.password-hash.neededForUsers = true;
  };
 }
--- a/shared/base/modules/security/ssh.nix
+++ b/shared/base/modules/security/ssh.nix
@ -0,0 +1,33 @@
 # /nix/store/<hash>/etc/ssh/ssh_config & /nix/store/<hash>/etc/ssh/authorized_keys
 {
  systemConfig,
  systems,
  knownSystems,
  common,
  ...
 }:
 with builtins;
 let
  allSystems = knownSystems ++ systems;
 in
 {
  programs.ssh.knownHosts = listToAttrs (
    map (system: {
      name = system.hostName;
      value = {
        extraHostNames = [
          (
            if (system ? address && system.address ? tailnet) then
              system.address.tailnet
            else
              common.tailnetAddr system.hostName
          )
        ];
        publicKey = system.ssh.publicKey;
      };
    }) allSystems
  );
  users.users.${systemConfig.username}.openssh.authorizedKeys.keys = (
    map (system: system.ssh.publicKey) allSystems
  );
 }
--- a/shared/base/modules/shell.nix
+++ b/shared/base/modules/shell.nix
@ -0,0 +1,19 @@
 # For Fish dotfiles, see: /home-manager/fish.nix
 { pkgs, ... }:
 {
  programs = {
    bash = {
      # Starts the OS using Bash, then starts fish if it's not running
      interactiveShellInit = ''
        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
        then
          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
        fi
      '';
    };
    fish.enable = true;
  };
 }
--- a/shared/base/modules/users.nix
+++ b/shared/base/modules/users.nix
@ -0,0 +1,18 @@
 { config, systemConfig, ... }:
 let
  username = systemConfig.username;
 in
 {
  users = {
    mutableUsers = false;
    users.${username} = {
      isNormalUser = true;
      hashedPasswordFile = config.sops.secrets.password-hash.path;
      description = username;
      extraGroups = [
        "networkmanager"
        "wheel"
      ];
    };
  };
 }
--- a/shared/common.nix
+++ b/shared/common.nix
@ -0,0 +1,39 @@
 rec {
  default = {
    browser = "zen";
    calculator = "gnome-calculator";
    fileManager = "nautilus";
    imageViewer = "imv";
    lockScreen = "hyprlock";
    terminal = "kitty";
  };
  dir = {
    home = "/home/${username}";
    pictures = "${dir.home}/Pictures";
  };
  domain = "martials.no";
  tailnetDomain = "dns.${domain}";
  localIpPrefix = "192.168.10.";
  localIpRange = "${localIpPrefix}0/24";
  localIpAddr = subAddr: "${localIpPrefix}${builtins.toString subAddr}";
  tailnetAddr = host: "${host}.${tailnetDomain}";
  keymaps = {
    layout = "gb,no";
    options = "grp:alt_shift_toggle"; # Toggle using ALT + SHIFT
  };
  username = "martin";
  root = ../.;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.version = "25.05";
 }
--- a/shared/desktop/home-manager/cursors.nix
+++ b/shared/desktop/home-manager/cursors.nix
@ -0,0 +1,15 @@
 { theme, ... }:
 {
  catppuccin.cursors = {
    enable = true;
    flavor = theme.flavor;
    accent = "dark";
  };
  home.pointerCursor = {
    gtk.enable = true;
    x11.enable = true;
    size = 16;
  };
 }
--- a/shared/desktop/home-manager/default-applications.nix
+++ b/shared/desktop/home-manager/default-applications.nix
@ -0,0 +1,23 @@
 {
  xdg.mimeApps = {
    enable = true;
    defaultApplications =
      let
        browser = "zen.desktop";
        imageViewer = "imv.desktop";
        pdfReader = "sioyek.desktop";
      in
      {
        "text/html" = browser;
        "x-scheme-handler/http" = browser;
        "x-scheme-handler/https" = browser;
        "x-scheme-handler/about" = browser;
        "x-scheme-handler/unknown" = browser;
        "image/jpg" = imageViewer;
        "image/jpeg" = imageViewer;
        "image/png" = imageViewer;
        "image/gif" = imageViewer;
        "application/pdf" = pdfReader;
      };
  };
 }
--- a/shared/desktop/home-manager/default.nix
+++ b/shared/desktop/home-manager/default.nix
@ -0,0 +1,31 @@
 {
  lib,
  common,
  ...
 }:
 let
  dir = common.dir;
 in
 {
  imports = [
    (lib.custom.relativeToBase "home-manager")
    ./development
    ./hyprland
    ./media
    ./rofi
    ./shell
    ./zen
    ./cursors.nix
    ./default-applications.nix
    ./freetube.nix
    ./gtk.nix
    ./kitty.nix
    ./nextcloud.nix
    ./sioyek.nix
    ./spicetify.nix
  ];
  home.sessionVariables = {
    XDG_PICTURES_DIR = dir.pictures; # Define the default dir for pictures
  };
 }
--- a/shared/desktop/home-manager/development/default.nix
+++ b/shared/desktop/home-manager/development/default.nix
@ -0,0 +1,7 @@
 {
  imports = [
    ./zed.nix
  ];
  # TODO set Wayland vmOptions in Jetbrains products, Requires current installed version in path
  # -Dawt.toolkit.name=WLToolKit
 }
--- a/shared/desktop/home-manager/development/zed.nix
+++ b/shared/desktop/home-manager/development/zed.nix
@ -0,0 +1,56 @@
 { pkgs, theme, ... }:
 {
  programs.zed-editor = {
    enable = true;
    package = pkgs.unstable.zed-editor;
    extensions = [
      "html"
      "catppuccin"
      "catppuccin-icons"
      "toml"
      "nix"
      "git-firefly"
      "just"
      "biome"
    ];
    userSettings =
      let
        font = "${theme.nerdFont} Nerd Font";
        fontSize = 14;
      in
      {
        agent = {
          default_model = {
            provider = "ollama";
            model = "deepseek-r1:8b";
          };
        };
        autosave = "on_focus_change";
        auto_update = false;
        base_keymap = "JetBrains";
        buffer_font_family = font;
        features = {
          edit_prediction_provider = "zed";
        };
        icon_theme = {
          mode = theme.mode;
          light = "Catppuccin Latte";
          dark = "Catppuccin Mocha";
        };
        ui_font_family = font;
        ui_font_size = fontSize;
        buffer_font_size = fontSize;
        tabs = {
          file_icons = true;
          git_status = true;
        };
        theme = {
          mode = theme.mode;
          light = "Catppuccin Latte";
          dark = "Catppuccin Mocha";
        };
        lsp.nil.initialization_options.formatting.command = [ "nixfmt" ];
      };
  };
 }
--- a/shared/desktop/home-manager/freetube.nix
+++ b/shared/desktop/home-manager/freetube.nix
@ -0,0 +1,53 @@
 { pkgs, ... }:
 {
  catppuccin.freetube.enable = true;
  programs.freetube = {
    enable = true;
    package = pkgs.unstable.freetube;
    settings = {
      allowDashAv1Formats = true;
      checkForUpdates = false;
      currentLocale = "en-GB";
      defaultTheatreMode = true;
      defaultQuality = "1080";
      displayVideoPlayButton = false;
      region = "NO";
      useSponsorBlock = true;
      sponsorBlockSponsor = {
        color = "CatppuccinMochaGreen";
        skip = "autoSkip";
      };
      sponsorBlockSelfPromo = {
        color = "CatppuccinMochaYellow";
        skip = "showInSeekBar";
      };
      sponsorBlockInteraction = {
        color = "CatppuccinMochaPink";
        skip = "showInSeekBar";
      };
      sponsorBlockIntro = {
        color = "CatppuccinMochaSapphire";
        skip = "doNothing";
      };
      sponsorBlockOutro = {
        color = "CatppuccinMochaBlue";
        skip = "doNothing";
      };
      sponsorBlockRecap = {
        color = "CatppuccinMochaMauve";
        skip = "doNothing";
      };
      sponsorBlockMusicOffTopic = {
        color = "CatppuccinMochaFlamingo";
        skip = "doNothing";
      };
      sponsorBlockFiller = {
        color = "CatppuccinMochaMauve";
        skip = "doNothing";
      };
    };
  };
 }
--- a/shared/desktop/home-manager/gtk.nix
+++ b/shared/desktop/home-manager/gtk.nix
@ -0,0 +1,13 @@
 { ... }:
 {
  dconf = {
    enable = true;
    settings = {
      # Prefer dark mode for all GTK apps
      "org/gnome/desktop/interface".color-scheme = "prefer-dark";
    };
  };
  gtk.enable = true;
 }
--- a/shared/desktop/home-manager/hyprland/binds.nix
+++ b/shared/desktop/home-manager/hyprland/binds.nix
@ -0,0 +1,102 @@
 { common, ... }:
 let
  app = common.default;
 in
 {
  wayland.windowManager.hyprland.settings = {
    "$mainMod" = "SUPER";
    "$shiftMod" = "$mainMod SHIFT";
    "$ctrlMod" = "$mainMod CTRL";
    "$menu" = "rofi -show drun";
    bind = [
      "$mainMod,  Q, exec, ${app.terminal}"
      "$mainMod,  C, killactive,"
      "$shiftMod, M, exit,"
      "$mainMod,  E, exec, ${app.fileManager}"
      "$mainMod,  V, togglefloating,"
      "$mainMod,  R, exec, $menu"
      "$mainMod,  P, pseudo," # dwindle
      "$mainMod,  J, togglesplit," # dwindle
      "$mainMod,  B, exec, ${app.browser}"
      "$mainMod,  L, exec, ${app.lockScreen}"
      "$mainMod,  K, exec, [float] ${app.calculator}"
      "$mainMod,  ESCAPE, exec, hyprpanel t dashboardmenu"
      # Move focus with mainMod + arrow keys
      "$mainMod, left, movefocus, l"
      "$mainMod, right, movefocus, r"
      "$mainMod, up, movefocus, u"
      "$mainMod, down, movefocus, d"
      # Move window with ctrl + mainMod + arrow keys
      "$ctrlMod, left, movewindow, l"
      "$ctrlMod, right, movewindow, r"
      "$ctrlMod, up, movewindow, u"
      "$ctrlMod, down, movewindow, d"
      # Switch workspaces with mainMod + [0-9]
      "$mainMod, 1, workspace, 1"
      "$mainMod, 2, workspace, 2"
      "$mainMod, 3, workspace, 3"
      "$mainMod, 4, workspace, 4"
      "$mainMod, 5, workspace, 5"
      "$mainMod, 6, workspace, 6"
      "$mainMod, 7, workspace, 7"
      "$mainMod, 8, workspace, 8"
      "$mainMod, 9, workspace, 9"
      "$mainMod, 0, workspace, 10"
      # Move active window to a workspace with mainMod + SHIFT + [0-9]
      "$shiftMod, 1, movetoworkspace, 1"
      "$shiftMod, 2, movetoworkspace, 2"
      "$shiftMod, 3, movetoworkspace, 3"
      "$shiftMod, 4, movetoworkspace, 4"
      "$shiftMod, 5, movetoworkspace, 5"
      "$shiftMod, 6, movetoworkspace, 6"
      "$shiftMod, 7, movetoworkspace, 7"
      "$shiftMod, 8, movetoworkspace, 8"
      "$shiftMod, 9, movetoworkspace, 9"
      "$shiftMod, 0, movetoworkspace, 10"
      # Example special workspace (scratchpad)
      "$mainMod, S, togglespecialworkspace, magic"
      "$shiftMod, S, movetoworkspace, special:magic"
      # Scroll through existing workspaces with mainMod + scroll
      "$mainMod, mouse_down, workspace, e+1"
      "$mainMod, mouse_up, workspace, e-1"
    ];
    binde = [
      # Resize the focused window
      "$shiftMod, right, resizeactive, 20 0"
      "$shiftMod, left, resizeactive, -20 0"
      "$shiftMod, up, resizeactive, 0 -20"
      "$shiftMod, down, resizeactive, 0 20"
    ];
    bindm = [
      # Move/resize windows with mainMod + LMB/RMB and dragging
      "$mainMod, mouse:272, movewindow"
      "$mainMod, mouse:273, resizewindow"
    ];
    bindl = [
      ", XF86AudioNext, exec, playerctl next"
      ", XF86AudioPause, exec, playerctl play-pause"
      ", XF86AudioPlay, exec, playerctl play-pause"
      ", XF86AudioPrev, exec, playerctl previous"
    ];
    bindel = [
      # Laptop multimedia keys for volume and LCD brightness
      ",XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"
      ",XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
      ",XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
      ",XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"
      ",XF86MonBrightnessUp, exec, brightnessctl s 10%+"
      ",XF86MonBrightnessDown, exec, brightnessctl s 10%-"
    ];
  };
 }
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							`shared/secrets/weather-api-key filter=git-crypt diff=git-crypt`
		`@ -1 +0,0 @@`
			`/nix/store/1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl-hello-2.12.1`