restructure

Signed-off-by: unexplrd <unexplrd@linerds.us>

modules/shared/nixos/boot/default.nix

@@ -0,0 +1,19 @@
+{
+  inputs,
+  pkgs,
+  ...
+}: {
+  imports = with inputs; [
+    chaotic.nixosModules.default
+    ./loader.nix
+    ./lanzaboote.nix
+  ];
+  boot = {
+    plymouth.enable = true;
+    consoleLogLevel = 0;
+    kernelPackages = pkgs.linuxPackages_cachyos;
+    initrd = {
+      systemd.enable = true;
+    };
+  };
+}

modules/shared/nixos/boot/lanzaboote.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  inputs,
+  ...
+}: {
+  imports = with inputs; [
+    lanzaboote.nixosModules.lanzaboote
+  ];
+  boot = {
+    lanzaboote = {
+      enable = config.module.config.secureBoot;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
+}

modules/shared/nixos/boot/loader.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  boot.loader = {
+    timeout = 0;
+    efi.canTouchEfiVariables = true;
+    systemd-boot = {
+      consoleMode = "auto";
+      configurationLimit = lib.mkOverride 1337 10;
+    };
+  };
+}

modules/shared/nixos/default.nix

@@ -0,0 +1,90 @@
+{
+  config,
+  # inputs,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkDefault mkEnableOption mkIf;
+  cfg = config.module.config;
+in {
+  imports = [
+    ./boot
+    ./hardware
+    ./misc
+    ./networking
+    ./nix
+    ./security
+    ./programs.nix
+    ./services.nix
+    ./users.nix
+    ./sops.nix
+  ];
+  options = {
+    module.config = {
+      laptop.homeRowMods = mkEnableOption "set to have mods on asdfjkl;";
+      powerSave = mkEnableOption "set to use various power saving daemons";
+      secureBoot = mkEnableOption "set if secure boot is configured";
+      tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
+      useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
+      vaapi = lib.mkOption {
+        type = lib.types.nullOr (lib.types.enum ["intel-media-driver" "nvidia"]);
+        default = null;
+      };
+    };
+  };
+  config = lib.mkMerge [
+    {
+      boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock;
+      boot.loader.systemd-boot.enable = mkDefault (!cfg.secureBoot);
+    }
+    (mkIf (cfg.laptop.homeRowMods) {
+      services.keyd = {
+        enable = true;
+        keyboards = {
+          internal = {
+            ids = ["0001:0001" "048d:c101"];
+            settings.main = let
+              idleTimeout = toString 220;
+              holdTimeout = toString 170;
+            in {
+              a = "lettermod(alt, a, ${idleTimeout}, ${holdTimeout})";
+              s = "lettermod(meta, s, ${idleTimeout}, ${holdTimeout})";
+              d = "lettermod(control, d, ${idleTimeout}, ${holdTimeout})";
+              f = "lettermod(shift, f, ${idleTimeout}, ${holdTimeout})";
+              j = "lettermod(shift, j, ${idleTimeout}, ${holdTimeout})";
+              k = "lettermod(control, k, ${idleTimeout}, ${holdTimeout})";
+              l = "lettermod(meta, l, ${idleTimeout}, ${holdTimeout})";
+              ";" = "lettermod(alt, ;, ${idleTimeout}, ${holdTimeout})";
+            };
+          };
+        };
+      };
+    })
+    (mkIf (cfg.powerSave) {
+      powerManagement.enable = true;
+      powerManagement.powertop.enable = true;
+      services.power-profiles-daemon.enable = true;
+      services.thermald.enable = true;
+      services.upower.enable = true;
+    })
+    (mkIf cfg.useIwd {
+      networking = {
+        networkmanager.wifi.backend = "iwd";
+        wireless.iwd.enable = true;
+      };
+    })
+    (mkIf (cfg.vaapi == "intel-media-driver") {
+      hardware.graphics.extraPackages = with pkgs; [
+        intel-compute-runtime
+        intel-media-driver
+        vpl-gpu-rt
+      ];
+    })
+    (mkIf (cfg.vaapi == "nvidia") {
+      hardware.graphics.extraPackages = with pkgs; [
+        nvidia-vaapi-driver
+      ];
+    })
+  ];
+}

modules/shared/nixos/hardware/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./facter.nix
+  ];
+}

modules/shared/nixos/hardware/facter.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  inputs,
+  ...
+}: let
+  inherit (inputs) mysecrets;
+  inherit (config.networking) hostName;
+in {
+  imports = with inputs; [
+    nixos-facter-modules.nixosModules.facter
+  ];
+  facter.reportPath = "${mysecrets}/facter/${hostName}.json";
+  systemd.network.wait-online.enable = false;
+}

modules/shared/nixos/misc/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [./slim.nix ./zram.nix];
+}

modules/shared/nixos/misc/slim.nix

@@ -0,0 +1,20 @@
+{
+  # taken from https://github.com/NuschtOS/nixos-modules/blob/main/modules/slim.nix
+  documentation = {
+    # html docs and info are not required, man pages are enough
+    doc.enable = false;
+    info.enable = false;
+  };
+
+  # environment.defaultPackages = lib.mkForce [];
+
+  # programs.thunderbird.package = pkgs.thunderbird.override {cfg.speechSynthesisSupport = false;};
+
+  # during testing only 550K-650K of the tmpfs where used
+  security.wrapperDirSize = "10M";
+
+  services = {
+    orca.enable = false; # requires speechd
+    speechd.enable = false; # voice files are big and fat
+  };
+}

modules/shared/nixos/misc/zram.nix

@@ -0,0 +1,8 @@
+{
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    memoryPercent = 25;
+    priority = 5;
+  };
+}

modules/shared/nixos/networking/default.nix

@@ -0,0 +1,18 @@
+{
+  networking = {
+    hosts = import ./hosts.nix;
+    networkmanager = {
+      ethernet.macAddress = "stable";
+      wifi = {
+        macAddress = "random";
+        scanRandMacAddress = true;
+      };
+    };
+    wireless.iwd = {
+      settings = {
+        General.AddressRandomization = "network";
+        Settings.AlwaysRandomizeAddress = true;
+      };
+    };
+  };
+}

modules/shared/nixos/networking/hosts.nix

@@ -0,0 +1,3 @@
+{
+  "192.168.1.42" = ["dunamis"];
+}

modules/shared/nixos/nix/common.nix

@@ -0,0 +1,41 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  nix = {
+    package = pkgs.lixPackageSets.latest.lix;
+    channel.enable = false;
+    daemonCPUSchedPolicy = "idle";
+    optimise = {
+      automatic = true;
+      dates = ["weekly"];
+    };
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        # for container in builds support
+        "auto-allocate-uids"
+        "cgroups"
+
+        # Enable the use of the fetchClosure built-in function in the Nix language.
+        "fetch-closure"
+
+        # Allow derivation builders to call Nix, and thus build derivations recursively.
+        # "recursive-nix"
+
+        # Allow the use of the impure-env setting.
+        # "configurable-impure-env"
+      ];
+    };
+  };
+  # no longer need to pre-allocate build users for everything
+  nix.settings.auto-allocate-uids = lib.mkDefault true;
+  # Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
+  nix.settings.use-cgroups = true;
+
+  # for container in builds support
+  nix.settings.system-features = ["uid-range"];
+}

modules/shared/nixos/nix/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./common.nix
+    ./distibuted-build.nix
+    ./substituters.nix
+  ];
+}

modules/shared/nixos/nix/distibuted-build.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}: let
+  isBuildHost = config.networking.hostName == "dunamis";
+in {
+  config = lib.mkMerge [
+    (lib.mkIf isBuildHost {
+      nix = let
+        inherit (builtins) readFile;
+        inherit (config.users.users) user;
+      in {
+        sshServe = {
+          enable = true;
+          keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
+          protocol = "ssh-ng";
+          trusted = true;
+          write = true;
+        };
+      };
+    })
+    (lib.mkIf (!isBuildHost) {
+      nix = let
+        inherit (builtins) readFile;
+        inherit (config.networking) hostName;
+        inherit (config.sops) secrets;
+        inherit (inputs) mysecrets;
+        pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+      in {
+        distributedBuilds = true;
+        buildMachines = [
+          {
+            hostName = "dunamis";
+            maxJobs = 3;
+            protocol = "ssh-ng";
+            publicHostKey = pubHost;
+            speedFactor = 2;
+            sshKey = secrets."ssh-${hostName}-user".path;
+            sshUser = "nix-ssh";
+            supportedFeatures = ["benchmark" "big-parallel" "kvm" "nixos-test"];
+            system = "x86_64-linux";
+          }
+        ];
+      };
+    })
+  ];
+}

modules/shared/nixos/nix/substituters.nix

@@ -0,0 +1,16 @@
+{
+  nix.settings = {
+    substituters = [
+      "https://cache.nixos.org/"
+      "https://chaotic-nyx.cachix.org/"
+      "https://cosmic.cachix.org/"
+      "https://nix-community.cachix.org/"
+    ];
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+}

modules/shared/nixos/programs.nix

@@ -0,0 +1,20 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  programs = {
+    fish.enable = true;
+    mosh.enable = true;
+    nix-ld.enable = true;
+    nh = {
+      enable = true;
+      flake = "/home/user/.config/nixos";
+    };
+  };
+  environment.systemPackages = with pkgs; [
+    (lib.hiPrio uutils-coreutils-noprefix)
+    helix
+    nushell
+  ];
+}

modules/shared/nixos/security/default.nix

@@ -0,0 +1,123 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf mkDefault;
+in {
+  security = {
+    sudo.enable = false;
+    # doas.enable = true;
+    sudo-rs = {
+      enable = true;
+      execWheelOnly = true;
+    };
+    polkit = {
+      enable = true;
+      extraConfig = ''
+        polkit.addRule(function(action, subject) {
+          if (
+            subject.isInGroup("users")
+              && (
+                action.id == "org.freedesktop.login1.reboot" ||
+                action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+                action.id == "org.freedesktop.login1.power-off" ||
+                action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+              )
+            )
+          {
+            return polkit.Result.YES;
+          }
+        });
+      '';
+    };
+    apparmor.enable = mkDefault true;
+    pam.sshAgentAuth.enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
+  ];
+  services = {
+    dbus = {
+      apparmor = "enabled";
+      implementation = "broker";
+    };
+    ntpd-rs = {
+      enable = true;
+      #settings = {
+      #  server = {
+      #    require-nts = true;
+      #  };
+      #};
+    };
+  };
+  boot = {
+    kernel.sysctl = {
+      "dev.tty.ldisc_autoload" = 0;
+      "fs.protected_fifos" = 2;
+      "fs.protected_regular" = 2;
+      "fs.suid_dumpable" = 0;
+      "kernel.kptr_restrict" = 2;
+      "kernel_kexec_load_disabled" = 1;
+      # "kernel.modules_disabled" = 1;
+      "kernel.sysrq" = 0;
+      "kernel.unprivileged_bpf_disabled" = 1;
+      "net.ipv4.conf.all.forwarding" = 0;
+      "net.ipv4.conf.all.log_martians" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.default.log_martians" = 1;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+    };
+    kernelParams = [
+      "amd_iommu=force_isolation"
+      "debugfs=off"
+      "efi=disable_early_pci_dma"
+      "gather_data_sampling=force"
+      "intel_iommu=on"
+      "iommu.passthrough=0"
+      "iommu.strict=1"
+      "iommu=force"
+      "page_alloc.shuffle=1"
+      "vsyscall=none"
+      # "ia32_emulation=0"
+      # "lockdown=confidentiality"
+      # "module.sig_enforce=1"
+    ];
+
+    blacklistedKernelModules = [
+      # Obscure network protocols
+      "ax25"
+      "netrom"
+      "rose"
+      # Old or rare or insufficiently audited filesystems
+      "adfs"
+      "affs"
+      "bfs"
+      "befs"
+      "cramfs"
+      "efs"
+      "erofs"
+      "exofs"
+      "freevxfs"
+      "f2fs"
+      "hfs"
+      "hpfs"
+      "jfs"
+      "minix"
+      "nilfs2"
+      "ntfs"
+      "omfs"
+      "qnx4"
+      "qnx6"
+      "sysv"
+      "ufs"
+    ];
+  };
+
+  nix.settings.allowed-users = mkDefault ["@users"];
+}

modules/shared/nixos/services.nix

@@ -0,0 +1,38 @@
+{
+  services = {
+    # hardware.openrgb.enable = true;
+    avahi.enable = true;
+    dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
+        require_dnssec = true;
+        server_names = ["mullvad-doh"];
+      };
+    };
+    flatpak.enable = true;
+    fstrim = {
+      enable = true;
+      interval = "daily";
+    };
+    fwupd.enable = true;
+    logind = {
+      lidSwitch = "ignore";
+      powerKey = "suspend";
+    };
+    opensnitch = {
+      enable = false;
+      settings = {
+        DefaultAaction = "deny";
+        Firewall = "iptables";
+        InterceptUnknown = true;
+        ProcMonitorMethod = "ebpf";
+      };
+    };
+    openssh.enable = true;
+    scx.enable = true;
+    scx.scheduler = "scx_flash";
+    syncthing.openDefaultPorts = true;
+    userborn.enable = true;
+  };
+}

modules/shared/nixos/sops.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  inputs,
+  ...
+}: let
+  inherit (inputs) mysecrets;
+  inherit (config.networking) hostName;
+  dotSsh = name: "/home/user/.ssh/" + name;
+  sopsFile = mysecrets + "/hosts/${hostName}.yaml";
+  sshKey = {
+    mode = "0400";
+    owner = "user";
+  };
+in {
+  imports = with inputs; [
+    sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    age = {
+      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+    defaultSopsFile = mysecrets + "/common.yaml";
+    secrets = {
+      "user-password-hashed".neededForUsers = true;
+      "ssh-config" = {
+        path = dotSsh "config";
+        mode = "0400";
+        owner = "user";
+      };
+      "ssh-${hostName}-user" = {
+        inherit sopsFile;
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_ed25519";
+      };
+      "ssh-${hostName}-user.pub" = {
+        inherit sopsFile;
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_ed25519.pub";
+      };
+      "ssh-unexplrd" = {
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_unexplrd_ed25519";
+      };
+      "ssh-unexplrd.pub" = {
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_unexplrd_ed25519.pub";
+      };
+      "ssh-uni" = {
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_uni_ed25519";
+      };
+      "ssh-uni.pub" = {
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_uni_ed25519.pub";
+      };
+    };
+  };
+}

modules/shared/nixos/users.nix

@@ -0,0 +1,33 @@
+{
+  inputs,
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (config.networking) hostName;
+  inherit (config.sops) secrets;
+  inherit (inputs) mysecrets;
+  sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
+in {
+  nix.settings.trusted-users = ["user"];
+  users.mutableUsers = false;
+  users.users = {
+    user = {
+      hashedPasswordFile = secrets."user-password-hashed".path;
+      extraGroups =
+        ["wheel" "video" "libvirtd" "dialout"]
+        # for lisgd
+        ++ lib.optional (hostName == "morphius" && config.desktop.niri.enable) "input";
+      isNormalUser = true;
+      shell = pkgs.fish;
+      openssh.authorizedKeys.keyFiles = map sshKeys [
+        "dunamis"
+        "eldrid"
+        "legion"
+        "morphius"
+        "sarien"
+      ];
+    };
+  };
+}

modules/shared/user/common.nix

@@ -0,0 +1,14 @@
+{
+  inputs,
+  osConfig,
+  ...
+}: {
+  imports = with inputs; [
+    nix-index-database.hmModules.nix-index
+    self.homeModules.desktop
+    self.homeModules.programs
+  ];
+  inherit (osConfig) desktop;
+  home.stateVersion = osConfig.system.stateVersion;
+  home.sessionPath = ["$HOME/.local/bin"];
+}

modules/shared/user/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./common.nix
+    ./flatpak.nix
+    ./programs.nix
+  ];
+}

modules/shared/user/flatpak.nix

@@ -0,0 +1,134 @@
+{
+  inputs,
+  pkgs,
+  ...
+}: {
+  imports = with inputs; [
+    nix-flatpak.homeManagerModules.nix-flatpak
+  ];
+  home.packages = with pkgs; [flatpak];
+  services.flatpak = {
+    enable = true;
+    uninstallUnmanaged = true;
+    update.auto = {
+      enable = true;
+      onCalendar = "weekly";
+    };
+    remotes = [
+      {
+        name = "flathub";
+        location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
+      }
+    ];
+    packages =
+      [
+        # browsers
+        "app.zen_browser.zen"
+        # "com.vivaldi.Vivaldi"
+        "net.mullvad.MullvadBrowser"
+        "org.torproject.torbrowser-launcher"
+      ]
+      ++ [
+        # editing
+        "com.github.PintaProject.Pinta" # bootleg paint
+        "org.gimp.GIMP" # the holy gimp
+        "org.kde.kdenlive" # video editor
+      ]
+      ++ [
+        # chatting
+        "im.riot.Riot" # matrix client
+        "io.github.kukuruzka165.materialgram" # telegram client
+        "io.github.spacingbat3.webcord" # discord client
+        # "org.mozilla.Thunderbird" # mail client
+        "org.signal.Signal"
+        # "org.telegram.desktop"
+      ]
+      ++ [
+        # media
+        # "ca.edestcroix.Recordbox" # music player
+        "com.github.neithern.g4music" # music player
+        # "io.bassi.Amberol" # music player
+        "io.freetubeapp.FreeTube" # youtube client
+        # "org.atheme.audacious" # music player
+      ]
+      ++ [
+        # gaming
+        "com.heroicgameslauncher.hgl" # gog/egs launcher
+        "com.valvesoftware.Steam"
+        "net.lutris.Lutris" # everything launcher
+        "org.prismlauncher.PrismLauncher" # minecraft launcher
+        "org.freedesktop.Platform.VulkanLayer.MangoHud//24.08"
+        "org.freedesktop.Platform.VulkanLayer.gamescope//24.08"
+      ]
+      ++ [
+        # misc
+        "app.drey.Warp" # share files using magic wormhole
+        "com.bitwarden.desktop"
+        "com.github.tchx84.Flatseal" # control flatpak permissions
+        "com.logseq.Logseq"
+        "com.obsproject.Studio"
+        "com.usebottles.bottles" # wine containers
+        "de.capypara.FieldMonitor" # libvirt
+        "de.haeckerfelix.Fragments" # torrents
+        "io.github.amit9838.mousam" # weather
+        "io.github.finefindus.Hieroglyphic" # find latex symbols (in rust)
+        "io.github.lainsce.Khronos" # log time for tasks
+        "io.gitlab.news_flash.NewsFlash" # rss reader
+        "me.iepure.devtoolbox" # some cool utils
+        "org.nicotine_plus.Nicotine" # soulseek
+      ];
+    overrides = let
+      homeNoNetwork = {
+        Context.share = ["!network"];
+        Context.filesystems = ["home"];
+      };
+      game.sockets = ["x11" "wayland"];
+      game.folder = folder: ["/storage/games/${folder}" "~/games/${folder}"];
+    in {
+      "global" = {
+        Context = {
+          sockets = ["wayland" "!x11" "!fallback-x11"];
+          filesystems = [
+            "!home"
+            "!host"
+            "!~/.ssh"
+            "/nix/store:ro"
+            "xdg-config/gtk-3.0:ro"
+            "xdg-config/gtk-4.0:ro"
+            "xdg-run/pipewire-0"
+            "~/.local/share/icons:ro"
+          ];
+        };
+        Environment = {
+          ELECTRON_OZONE_PLATFORM_HINT = "wayland";
+        };
+      };
+      "ca.edestcroix.Recordbox".Context.filesystems = ["xdg-music"];
+      "com.valvesoftware.Steam" = {
+        Context = {
+          inherit (game) sockets;
+          filesystems = game.folder "steam";
+        };
+        Environment.STEAM_FORCE_DESKTOPUI_SCALING = "1.3";
+      };
+      "net.lutris.Lutris".Context = {
+        inherit (game) sockets;
+        filesystems = game.folder "lutris";
+      };
+      "com.heroicgameslauncher.hgl".Context = {
+        inherit (game) sockets;
+        filesystems = game.folder "heroic";
+      };
+      "com.github.PintaProject.Pinta" = {inherit (homeNoNetwork) Context;};
+      "com.logseq.Logseq" = {inherit (homeNoNetwork) Context;};
+      "com.obsproject.Studio" = {inherit (homeNoNetwork) Context;};
+      "com.usebottles.Bottles".Context = {inherit (game) sockets;};
+      "io.bassi.Amberol" = {inherit (homeNoNetwork) Context;};
+      "io.freetubeapp.FreeTube" = {inherit (homeNoNetwork) Context;};
+      "org.atheme.audacious" = {inherit (homeNoNetwork) Context;};
+      "org.gimp.GIMP" = {inherit (homeNoNetwork) Context;};
+      "org.kde.kdenlive" = {inherit (homeNoNetwork) Context;};
+      "org.signal.Signal".Environment.SIGNAL_PASSWORD_STORE = "gnome-libsecret";
+    };
+  };
+}

modules/shared/user/programs.nix

@@ -0,0 +1,126 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf;
+in {
+  console.yazi.enable = true;
+  editor.helix.enable = true;
+  shell = {
+    fish.enable = true;
+    oh-my-posh.enable = true;
+  };
+  syncthing.enable = true;
+  # terminal.wezterm.enable = true;
+  terminal.ghostty.enable = true;
+  systemd.user.settings.Manager.DefaultEnvironment = {
+    TERMINAL = "ghostty";
+  };
+
+  services = {
+    pueue.enable = true; # process queue in rust
+    ssh-agent.enable = true;
+  };
+
+  programs = {
+    bat.enable = true; # cat in rust
+    btop = {
+      enable = true;
+      settings.update_ms = 200;
+    };
+    # direnv.enable = true;
+    # direnv.silent = true;
+    eza.enable = true; # ls in rust
+    fd.enable = true; # find in rust
+    fzf.enable = true; # fuzzy finder in rust
+    git = {
+      enable = true;
+      delta.enable = true; # diff in rust
+      signing.format = "ssh";
+      aliases = {
+        cl = "clone";
+        co = "checkout";
+        pom = "push origin main";
+      };
+    };
+    gitui.enable = true; # git ui in rust
+    jujutsu.enable = true; # vcs in rust
+    keychain = {
+      enable = true;
+      keys = ["id_ed25519"];
+    };
+    nix-index-database.comma.enable = true;
+    nix-index.enable = true;
+    nix-your-shell.enable = true;
+    pay-respects.enable = true; # thefuck in rust
+    ripgrep.enable = true; # grep in rust
+    zk.enable = true;
+    zoxide.enable = true; # fuzzy cd in rust
+    zellij.enable = true;
+  };
+
+  home.packages = with pkgs;
+    [
+      # development utils
+      alejandra # nix formatter in rust
+      # devenv # programming deps in rust
+      (mkIf config.programs.jujutsu.enable jj-fzf) # fuzzy finder jujutsu tui
+      just # make in rust
+      silicon # create code pics in rust
+    ]
+    ++ [
+      # console utils
+      # bluetuith # bluetooth tui in go
+      dua # disk space usage in rust
+      duf # better df in go
+      fend # calculator in rust
+      mprocs # process runner in rust
+      ouch # archive manager in rust
+      # procs # ps in rust
+      rbw # bitwarden cli in rust
+      sd # sed in rust
+      systemctl-tui # systemctl tui in rust
+      trashy # trash cli in rust
+    ]
+    ++ [
+      # misc apps
+      adwaita-icon-theme
+      # vial # qmk keyboard configuring app
+      pinentry-qt # pinentry for rbw
+      virt-manager # libvirt gui
+      # waycheck # check wayland protocols
+      gpu-screen-recorder-gtk
+    ]
+    ++ [
+      # gui libadwaita apps
+      celluloid # mpv gui in libadwaita
+      # gnome-text-editor
+      helvum # pipewire patchbay in rust
+      junction # app chooser
+      # loupe # image viewer and editor in rust
+      mission-center # task manager in rust (partly)
+      # nautilus # file manager
+      overskride # bluetooth gui in rust
+      papers # pdf reader in rust
+      pika-backup # borg gui in rust
+      pwvucontrol # pipewire gui in rust
+      sonusmix # pipewire routing tool in rust
+      # wdisplays # wlroots display configurator
+    ];
+
+  xdg.desktopEntries = {
+    uni = {
+      actions."Copy".exec = "fish -c \"~/.local/bin/uni --copy\"";
+      categories = ["Utility" "X-Launch" "Network"];
+      comment = "Select and open or copy URLs from a list.";
+      exec = "fish -c \"~/.local/bin/uni\"";
+      icon = "web-browser";
+      name = "Uni URL Handler";
+      startupNotify = true;
+      terminal = false;
+      type = "Application";
+    };
+  };
+}