huge

2025-12-31 15:03:16 +02:00
parent c93c93a810
commit fa32ae5510
69 changed files with 1093 additions and 659 deletions
@@ -1,44 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: let
-  inherit (lib) mkIf mkEnableOption getExe;
-in {
-  programs = {
-    atuin = {
-      enable = true;
-      flags = [
-        "--disable-up-arrow"
-      ];
-    };
-    fish = {
-      enable = true; # friendly interactive shell in rust
-      shellAliases = {
-        cd = "z";
-        ed = "$EDITOR";
-        jf = "jj-fzf"; # think of jeff
-        jo = "joshuto"; # think of josh
-        l = "ls -lah";
-        la = "ls -ah";
-        ll = "ls -lh";
-        p = "pueue";
-        s = "systemctl";
-        stui = "systemctl-tui";
-      };
-      shellAbbrs = {
-        pa = "pueue add --";
-        pl = "pueue log";
-      };
-      interactiveShellInit = ''
-        bind \e\[3\;5~ kill-word
-        bind \cH backward-kill-word
-        set fish_greeting
-        set fish_cursor_default     block      blink
-        # ${getExe pkgs.bat-extras.batman} --export-env | source
-        if test -e ~/.profile; source ~/.profile; end
-      '';
-    };
-  };
-}
@@ -57,7 +57,7 @@ in {
          variant =
            "colemak_dh"
            + (
-              if osConfig.module.host.name == "dunamis"
+              if osConfig.unexplrd.host.name == "dunamis"
              then "_ortho"
              else ""
            )
@@ -34,11 +34,11 @@
      };
    };
  in {
-    polkit-agent = mkGraphicalService {
-      Service = {
-        Type = "simple";
-        ExecStart = pkgs.mate.mate-polkit + "/libexec/polkit-mate-authentication-agent-1";
-      };
-    };
+    # polkit-agent = mkGraphicalService {
+    #   Service = {
+    #     Type = "simple";
+    #     ExecStart = pkgs.mate.mate-polkit + "/libexec/polkit-mate-authentication-agent-1";
+    #   };
+    # };
  };
 }
@@ -0,0 +1,7 @@
+{
+  programs.atuin = {
+    flags = [
+      "--disable-up-arrow"
+    ];
+  };
+}
@@ -1,6 +1,15 @@
 {
  imports = [
+    ./atuin.nix
+    ./fish.nix
+    ./ghostty.nix
+    ./helix.nix
+    ./kitty.nix
+    ./oh-my-posh.nix
    ./syncthing.nix
+    ./wezterm.nix
    ./wl-kbptr.nix
+    ./yazi.nix
+    ./zed-editor.nix
  ];
 }
@@ -0,0 +1,34 @@
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib) getExe;
+in {
+  programs.fish = {
+    shellAliases = {
+      cd = "z";
+      ed = "$EDITOR";
+      jf = "jj-fzf"; # think of jeff
+      jo = "joshuto"; # think of josh
+      l = "ls -lah";
+      la = "ls -ah";
+      ll = "ls -lh";
+      p = "pueue";
+      s = "systemctl";
+      stui = "systemctl-tui";
+    };
+    shellAbbrs = {
+      pa = "pueue add --";
+      pl = "pueue log";
+    };
+    interactiveShellInit = ''
+      bind \e\[3\;5~ kill-word
+      bind \cH backward-kill-word
+      set fish_greeting
+      set fish_cursor_default     block      blink
+      # ${getExe pkgs.bat-extras.batman} --export-env | source
+      if test -e ~/.profile; source ~/.profile; end
+    '';
+  };
+}
@@ -5,7 +5,6 @@
  ...
 }: {
  programs.ghostty = {
-    enable = true;
    package = perSystem.ghostty.ghostty;
    settings = {
      gtk-single-instance = true;
@@ -7,8 +7,7 @@
  inherit (lib) getExe;
 in {
  programs.helix = {
-    enable = true; # vim-like editor in rust
-    defaultEditor = true;
+    # defaultEditor = true;
    settings = {
      editor = {
        bufferline = "multiple";
@@ -4,7 +4,6 @@
  ...
 }: {
  programs.kitty = {
-    enable = true;
    settings = {
      tab_bar_edge = "bottom";
      tab_bar_align = "left";
@@ -4,7 +4,6 @@
  ...
 }: {
  programs.oh-my-posh = {
-    enable = true;
    settings = {
      # version = 2;
      final_space = true;
@@ -6,7 +6,6 @@
  ...
 }: {
  programs.wezterm = {
-    enable = true;
    # package = inputs.wezterm.packages.${pkgs.system}.default;
    extraConfig = let
      arrows = {
@@ -5,8 +5,6 @@
  ...
 }: {
  programs.yazi = {
-    enable = true; # file manager in rust
-    enableNushellIntegration = true;
    shellWrapperName = "y";
    settings = {
      opener = {
@@ -4,10 +4,9 @@
  lib,
  ...
 }: let
-  inherit (lib) getExe;
+  inherit (lib) getExe mkForce;
 in {
  programs.zed-editor = {
-    enable = true;
    extensions = [
      "bash"
      "fsharp"
@@ -6,11 +6,6 @@
    ./pipewire.nix
  ];
  fonts.fontDir.enable = true;
-  security = {
-    pam = {
-      services.greetd.enableGnomeKeyring = config.services.greetd.enable && config.services.gnome.gnome-keyring.enable;
-    };
-  };
  services.udisks2.enable = true;
  programs.dconf.enable = true;
 }
@@ -5,21 +5,16 @@
  ...
 }: let
  inherit (lib) mkEnableOption mkIf;
-  cfg = config.module.desktop.gnome-keyring;
+  cfg = config.module.gnome-keyring;
 in {
  options = {
-    module.desktop.gnome-keyring.enable = mkEnableOption "enable gnome keyring";
+    module.gnome-keyring.enable = mkEnableOption "enable gnome keyring";
  };

  config = mkIf cfg.enable {
-    environment.systemPackages = with pkgs; [
-      gcr_4
-      libsecret
-    ];
+    environment.systemPackages = with pkgs; [gcr_4 libsecret];
    programs.seahorse.enable = true;
    services.gnome.gnome-keyring.enable = true;
-    xdg.portal.config.common = {
-      "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
-    };
+    xdg.portal.config.common."org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
  };
 }
@@ -31,6 +31,7 @@ in {
      };
    })
    (mkIf (cfg.displayManager == "greetd") {
+      security.pam.services.greetd.enableGnomeKeyring = config.services.greetd.enable && config.services.gnome.gnome-keyring.enable;
      programs.regreet.enable = true;
      services.greetd = {
        enable = true;
@@ -5,57 +5,60 @@
 }: let
  inherit (lib) mkEnableOption mkIf;

-  cfg = config.sound.pipewire;
+  cfg = config.module.pipewire;
 in {
  options = {
-    sound.pipewire.enable = mkEnableOption "enable pipewire";
+    module.pipewire.enable = mkEnableOption "enable pipewire";
  };

  config = mkIf cfg.enable {
-    security.rtkit.enable = true;
+    security.rtkit = {
+      enable = true;
+      args = ["--no-canary"];
+    };
    services.pulseaudio.enable = false;
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      pulse.enable = true;
-
-      extraConfig = {
-        pipewire = {
-          "92-low-latency" = {
-            "context.properties" = {
-              "default.clock.rate" = 48000;
-              "default.clock.allowed-rates" = [
-                44100
-                48000
-                88200
-                96000
-              ];
-
-              "default.clock.min-quantum" = 512;
-              "default.clock.quantum" = 4096;
-              "default.clock.max-quantum" = 8192;
-            };
-          };
-
-          "93-no-resampling" = {
-            "context.properties" = {
-              "default.clock.rate" = 48000;
-              "default.clock.allowed-rates" = [
-                44100
-                48000
-                96000
-                192000
-              ];
-            };
-          };
-
-          "94-no-upmixing" = {
-            "stream.properties" = {
-              "channelmix.upmix" = false;
-            };
-          };
-        };
+      # extraConfig.pipewire."92-low-latency" = {
+      #   "context.properties" = {
+      #     "default.clock.rate" = 48000;
+      #     "default.clock.quantum" = 32;
+      #     "default.clock.min-quantum" = 32;
+      #     "default.clock.max-quantum" = 32;
+      #   };
+      # };
+      wireplumber.extraConfig."10-alsa-vm" = {
+        "api.alsa.period-size" = 1024 / 2; # seems to fix random crackling
      };
+      extraConfig.pipewire-pulse."93-auto-connect" = {
+        "pulse.cmd" = [
+          {
+            cmd = "load-module";
+            args = "module-switch-on-connect";
+          }
+        ];
+      };
+      # extraConfig.pipewire-pulse."92-low-latency" = {
+      #   "context.properties" = [
+      #     {
+      #       name = "libpipewire-module-protocol-pulse";
+      #       args = {};
+      #     }
+      #   ];
+      #   "pulse.properties" = {
+      #     "pulse.min.req" = "32/48000";
+      #     "pulse.default.req" = "32/48000";
+      #     "pulse.max.req" = "32/48000";
+      #     "pulse.min.quantum" = "32/48000";
+      #     "pulse.max.quantum" = "32/48000";
+      #   };
+      #   "stream.properties" = {
+      #     "node.latency" = "32/48000";
+      #     "resample.quality" = 1;
+      #   };
+      # };
    };
  };
 }
@@ -17,7 +17,7 @@ in {
  };
  config = mkIf cfg.enable {
    module.desktop.displayManager = "cosmic";
-    sound.pipewire.enable = true;
+    module.pipewire.enable = true;

    environment.sessionVariables.COSMIC_DATA_CONTROL_ENABLED = 1;
    services.desktopManager.cosmic.enable = true;
@@ -4,8 +4,8 @@
    ./cosmic
    ./dms
    ./gnome
-    ./hyprland
-    ./niri
-    ./plasma
+    # ./hyprland
+    # ./niri
+    # ./plasma
  ];
 }
@@ -23,26 +23,25 @@ in {
      enable = true;
      extraPortals = with pkgs; [xdg-desktop-portal-gnome xdg-desktop-portal-gtk];
      config.niri.default = ["gnome" "gtk"];
+      config.common."org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
    };

-    module.desktop.gnome-keyring.enable = true;
-    sound.pipewire.enable = true;
+    module.gnome-keyring.enable = true;
+    module.pipewire.enable = true;

    services.gvfs.enable = true;
-
-    programs.niri = {
-      enable = true;
-      package = perSystem.niri-flake.niri-unstable;
-    };
-
    systemd.user.services.niri-flake-polkit.enable = false;

-    programs.dankMaterialShell = {
-      enable = true;
-      greeter = {
+    programs = {
+      niri.enable = true;
+      niri.package = perSystem.niri-flake.niri-unstable;
+      dankMaterialShell = {
        enable = true;
-        configHome = "/home/user";
-        compositor.name = "niri";
+        greeter = {
+          enable = true;
+          configHome = "/home/user";
+          compositor.name = "niri";
+        };
      };
    };
  };
@@ -14,7 +14,7 @@ in {
  config = lib.mkMerge [
    (mkIf cfg.enable {
      module.desktop.displayManager = "gdm";
-      sound.pipewire.enable = true;
+      module.pipewire.enable = true;
      services.desktopManager.gnome.enable = true;
      environment.gnome.excludePackages = with pkgs; [
        orca
@@ -5,7 +5,7 @@
  ...
 }: let
  inherit (lib) mkIf mkEnableOption getExe;
-  cfg = config.desktop.niri;
+  cfg = config.desktop.jay;
 in {
  options = {
    desktop.niri.enable =
@@ -15,11 +15,9 @@ in {
  };
  config = lib.mkMerge [
    (mkIf cfg.enable {
-      module.desktop = {
-        displayManager = "greetd";
-        gnome-keyring.enable = true;
-      };
-      sound.pipewire.enable = true;
+      module.desktop.displayManager = "greetd";
+      module.gnome-keyring.enable = true;
+      module.pipewire.enable = true;

      # nixpkgs.overlays = [inputs.niri.overlays.default];

@@ -1,45 +0,0 @@
-{
-  lib,
-  pkgs,
-  ...
-}: {
-  boot.tmp.cleanOnBoot = lib.mkDefault true;
-
-  console.font = "${pkgs.spleen}/share/consolefonts/spleen-16x32.psfu";
-
-  environment = {
-    ldso32 = null;
-    # memoryAllocator.provider = "mimalloc"; # weird memory consumption stuff
-    variables = {
-      LESS = "-R --mouse";
-    };
-  };
-
-  networking.networkmanager.enable = true;
-
-  services.openssh.settings = {
-    X11Forwarding = false;
-    KbdInteractiveAuthentication = false;
-    PasswordAuthentication = false;
-    UseDns = false;
-    # unbind gnupg sockets if they exists
-    StreamLocalBindUnlink = true;
-
-    # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
-    KexAlgorithms = [
-      "curve25519-sha256"
-      "curve25519-sha256@libssh.org"
-      "diffie-hellman-group16-sha512"
-      "diffie-hellman-group18-sha512"
-      "sntrup761x25519-sha512@openssh.com"
-    ];
-  };
-
-  services.journald.extraConfig = ''
-    SystemMaxUse=1G
-  '';
-  systemd.coredump.extraConfig = ''
-    Storage=none
-    ProcessSizeMax=0
-  '';
-}
@@ -1,8 +0,0 @@
-{
-  imports = [
-    ./common.nix
-    ./misc
-    ./stylix
-    ./virt
-  ];
-}
@@ -1,6 +0,0 @@
-{
-  imports = [
-    ./opentabletdriver.nix
-    ./qmk-vial.nix
-  ];
-}
@@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib) mkIf mkEnableOption;
-in {
-  options = {
-    module.misc.opentabletdriver.enable =
-      mkEnableOption "enables opentabletdriver";
-  };
-  config = mkIf config.module.misc.opentabletdriver.enable {
-    hardware.opentabletdriver = {
-      enable = true;
-      daemon.enable = true;
-      blacklistedKernelModules = [
-        "hid-uclogic"
-        "wacom"
-      ];
-    };
-  };
-}
@@ -1,17 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib) mkIf mkEnableOption;
-in {
-  options = {
-    module.misc.qmk-vial.enable =
-      mkEnableOption "adds a udev rule for vial keyboards";
-  };
-  config = mkIf config.module.misc.qmk-vial.enable {
-    services.udev.extraRules = ''
-      KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
-    '';
-  };
-}
@@ -1,7 +0,0 @@
-{
-  imports = [
-    ./libvirt.nix
-    ./podman.nix
-    ./docker.nix
-  ];
-}
@@ -1,29 +0,0 @@
-{
-  # pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.module.virt.docker;
-in {
-  options = {
-    module.virt.docker.enable =
-      mkEnableOption "enable docker";
-  };
-  config = mkIf cfg.enable {
-    virtualisation.docker = {
-      enable = true;
-      rootless = {
-        enable = true;
-        setSocketVariable = true;
-      };
-      storageDriver = "btrfs";
-      autoPrune.enable = true;
-      #defaultNetwork.settings = {
-      #  dns_enabled = true;
-      #};
-    };
-    virtualisation.oci-containers.backend = "docker";
-  };
-}
@@ -1,35 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.module.virt.libvirt;
-in {
-  options = {
-    module.virt.libvirt.enable =
-      mkEnableOption "enables virtualisation";
-  };
-  config = mkIf cfg.enable {
-    virtualisation.libvirtd = {
-      enable = true;
-      qemu = {
-        package = pkgs.qemu_kvm;
-        runAsRoot = false;
-        swtpm.enable = true;
-        vhostUserPackages = [pkgs.virtiofsd];
-        # ovmf = {
-        #   enable = true;
-        #   packages = [
-        #     (pkgs.OVMF.override {
-        #       secureBoot = true;
-        #       tpmSupport = true;
-        #     })
-        #     .fd
-        #   ];
-        # };
-      };
-    };
-  };
-}
@@ -1,29 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.module.virt.podman;
-in {
-  options = {
-    module.virt.podman.enable =
-      mkEnableOption "enables podman";
-  };
-  config = mkIf cfg.enable {
-    virtualisation = {
-      containers.enable = true;
-      podman = {
-        enable = true;
-        dockerCompat = true;
-        defaultNetwork.settings.dns_enabled = true;
-      };
-    };
-    virtualisation.oci-containers.backend = "podman";
-    environment.systemPackages = with pkgs; [
-      podman-tui
-      podman-compose
-    ];
-  };
-}
@@ -0,0 +1,20 @@
+{
+  # pkgs,
+  config,
+  lib,
+  ...
+}: {
+  virtualisation.docker = {
+    enable = true;
+    rootless = {
+      enable = true;
+      setSocketVariable = true;
+    };
+    storageDriver = "btrfs";
+    autoPrune.enable = true;
+    #defaultNetwork.settings = {
+    #  dns_enabled = true;
+    #};
+  };
+  virtualisation.oci-containers.backend = "docker";
+}
@@ -0,0 +1,26 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu = {
+      package = pkgs.qemu_kvm;
+      runAsRoot = false;
+      swtpm.enable = true;
+      vhostUserPackages = [pkgs.virtiofsd];
+      # ovmf = {
+      #   enable = true;
+      #   packages = [
+      #     (pkgs.OVMF.override {
+      #       secureBoot = true;
+      #       tpmSupport = true;
+      #     })
+      #     .fd
+      #   ];
+      # };
+    };
+  };
+}
@@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  hardware.opentabletdriver = {
+    enable = true;
+    daemon.enable = true;
+    blacklistedKernelModules = [
+      "hid-uclogic"
+      "wacom"
+    ];
+  };
+}
@@ -0,0 +1,20 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  virtualisation = {
+    containers.enable = true;
+    podman = {
+      enable = true;
+      dockerCompat = true;
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+  virtualisation.oci-containers.backend = "podman";
+  environment.systemPackages = with pkgs; [
+    podman-tui
+    podman-compose
+  ];
+}
@@ -0,0 +1,9 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  services.udev.extraRules = ''
+    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
+  '';
+}
@@ -1,21 +0,0 @@
-{
-  inputs,
-  pkgs,
-  ...
-}: {
-  imports = with inputs; [
-    chaotic.nixosModules.default
-    ./loader.nix
-    ./lanzaboote.nix
-  ];
-  boot = {
-    consoleLogLevel = 0;
-    kernel.sysctl."vm.swappiness" = 10;
-    # kernelPackages = pkgs.linuxPackages_cachyos;
-    kernelPackages = pkgs.linuxPackages_latest;
-    plymouth.enable = true;
-    initrd = {
-      systemd.enable = true;
-    };
-  };
-}
@@ -1,14 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: {
-  boot.loader = {
-    timeout = 0;
-    efi.canTouchEfiVariables = true;
-    systemd-boot = {
-      consoleMode = "auto";
-      configurationLimit = lib.mkOverride 1337 10;
-    };
-  };
-}
@@ -6,23 +6,25 @@
  ...
 }: let
  inherit (lib) mkDefault mkOption mkEnableOption mkIf;
-  cfg = config.module.config;
+  cfg = config.unexplrd.config;
+  cfgHost = config.unexplrd.host;
 in {
  imports = [
-    ./boot
    ./hardware
    ./misc
+    ./module/lanzaboote.nix
+    ./module/locale.nix
    ./networking
    ./nix
    ./security
-    ./locale.nix
+    ./stylix
    ./programs.nix
    ./services.nix
    ./sops.nix
    ./users.nix
  ];
  options = {
-    module.host = {
+    unexplrd.host = {
      name = mkOption {
        type = lib.types.str;
      };
@@ -36,7 +38,7 @@ in {
        type = lib.types.enum ["laptop" "server" "workstation"];
      };
    };
-    module.config = {
+    unexplrd.config = {
      laptop.homeRowMods = mkEnableOption "set to have mods on asdfjkl;";
      powerSave = mkEnableOption "set to use various power saving daemons";
      secureBoot = mkEnableOption "set if secure boot is configured";
@@ -50,11 +52,9 @@ in {
  };
  config = lib.mkMerge [
    {
-      system.stateVersion = config.module.host.stateVersion;
-      networking = {
-        hostName = config.module.host.name;
-        hostId = config.module.host.id;
-      };
+      system.stateVersion = cfgHost.stateVersion;
+      networking.hostName = cfgHost.name;
+      networking.hostId = cfgHost.id;
    }
    {
      boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock;
@@ -1,3 +1,59 @@
 {
-  imports = [./slim.nix ./zram.nix];
+  lib,
+  pkgs,
+  # inputs,
+  ...
+}: {
+  imports = [
+    # inputs.chaotic.nixosModules.default
+    ./slim.nix
+  ];
+  boot = {
+    consoleLogLevel = 0;
+    kernel.sysctl."vm.swappiness" = 10;
+    plymouth.enable = true;
+    initrd = {
+      systemd.enable = true;
+    };
+
+    kernelPackages = pkgs.linuxPackages_latest;
+    # kernelPackages = pkgs.linuxPackages_cachyos;
+
+    loader = {
+      timeout = 0;
+      efi.canTouchEfiVariables = true;
+      systemd-boot = {
+        consoleMode = "auto";
+        configurationLimit = lib.mkOverride 1337 10;
+      };
+    };
+    tmp.cleanOnBoot = lib.mkDefault true;
+  };
+
+  console.font = "${pkgs.spleen}/share/consolefonts/spleen-16x32.psfu";
+
+  environment = {
+    ldso32 = null;
+    # memoryAllocator.provider = "mimalloc"; # weird memory consumption stuff
+    variables = {
+      LESS = "-R --mouse";
+    };
+  };
+
+  networking.networkmanager.enable = true;
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+  '';
+  systemd.coredump.extraConfig = ''
+    Storage=none
+    ProcessSizeMax=0
+  '';
+
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    memoryPercent = 25;
+    priority = 5;
+  };
 }
@@ -1,8 +0,0 @@
-{
-  zramSwap = {
-    enable = true;
-    algorithm = "zstd";
-    memoryPercent = 25;
-    priority = 5;
-  };
-}
@@ -8,7 +8,7 @@
  ];
  boot = {
    lanzaboote = {
-      enable = config.module.config.secureBoot;
+      enable = config.unexplrd.config.secureBoot;
      pkiBundle = "/var/lib/sbctl";
    };
  };
@@ -4,9 +4,10 @@
  ...
 }: let
  inherit (lib) types mkOption;
+  cfg = config.unexplrd.config;
 in {
  options = {
-    module.config = {
+    unexplrd.config = {
      locale = mkOption {
        type = types.strMatching "[a-z]{2}_[A-Z]{2}\\.UTF-8";
        default = "en_US.UTF-8";
@@ -19,9 +20,9 @@ in {
    };
  };
  config = {
-    time.timeZone = config.module.config.timeZone;
+    time.timeZone = cfg.timeZone;
    i18n = let
-      inherit (config.module.config) locale;
+      inherit (cfg) locale;
    in {
      defaultLocale = locale;
      extraLocaleSettings = {
@@ -1,18 +1,11 @@
 {
-  networking = {
-    hosts = import ./hosts.nix;
-    networkmanager = {
-      ethernet.macAddress = "stable";
-      wifi = {
-        macAddress = "random";
-        scanRandMacAddress = true;
-      };
-    };
-    wireless.iwd = {
-      settings = {
-        General.AddressRandomization = "network";
-        Settings.AlwaysRandomizeAddress = true;
-      };
-    };
+  networking.networkmanager = {
+    ethernet.macAddress = "stable";
+    wifi.macAddress = "random";
+    wifi.scanRandMacAddress = true;
+  };
+  networking.wireless.iwd = {
+    settings.General.AddressRandomization = "network";
+    settings.Settings.AlwaysRandomizeAddress = true;
  };
 }
@@ -1,3 +1,5 @@
 {
-  "192.168.1.42" = ["dunamis"];
+  networking.hosts = {
+    "192.168.1.42" = ["dunamis"];
+  };
 }
@@ -1,7 +1,7 @@
 {
  pkgs,
  # inputs,
-  config,
+  # config,
  lib,
  ...
 }: {
@@ -15,33 +15,35 @@
      automatic = true;
      dates = ["weekly"];
    };
-    settings = {
-      auto-optimise-store = true;
-      experimental-features = [
-        "nix-command"
-        "flakes"
-        # for container in builds support
-        "auto-allocate-uids"
-        "cgroups"
-
-        # Enable the use of the fetchClosure built-in function in the Nix language.
-        # "fetch-closure"
-
-        # Allow derivation builders to call Nix, and thus build derivations recursively.
-        # "recursive-nix"
-
-        # Allow the use of the impure-env setting.
-        # "configurable-impure-env"
-      ];
-      use-xdg-base-directories = true;
-    };
  };
-  # no longer need to pre-allocate build users for everything
-  nix.settings.auto-allocate-uids = lib.mkDefault true;
-  # Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
-  nix.settings.use-cgroups = true;
+  nix.settings = {
+    auto-optimise-store = true;
+    experimental-features = [
+      "nix-command"
+      "flakes"

-  # for container in builds support
-  nix.settings.system-features = ["uid-range"];
-  systemd.services.nix-daemon.serviceConfig.RestrictNamespaces = lib.mkForce []; # (lib.remove "~cgroup" config.systemd.services.nix-daemon.serviceConfig.RestrictNamespaces);
+      # for container in builds support
+      "auto-allocate-uids"
+      "cgroups"
+
+      # Enable the use of the fetchClosure built-in function in the Nix language.
+      # "fetch-closure"
+
+      # Allow derivation builders to call Nix, and thus build derivations recursively.
+      # "recursive-nix"
+
+      # Allow the use of the impure-env setting.
+      # "configurable-impure-env"
+    ];
+    # no longer need to pre-allocate build users for everything
+    auto-allocate-uids = lib.mkDefault true;
+
+    # Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
+    use-cgroups = true;
+
+    # for container in builds support
+    system-features = ["uid-range"];
+
+    use-xdg-base-directories = true;
+  };
 }
@@ -1,7 +1,6 @@
 {
  imports = [
    ./common.nix
-    ./distibuted-build.nix
    ./substituters.nix
  ];
 }
@@ -1,49 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  ...
-}: let
-  isBuildHost = config.module.host.name == "dunamis";
-in {
-  config = lib.mkMerge [
-    (lib.mkIf isBuildHost {
-      nix = let
-        inherit (builtins) readFile;
-        inherit (config.users.users) user;
-      in {
-        sshServe = {
-          enable = true;
-          keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
-          protocol = "ssh-ng";
-          trusted = true;
-          write = true;
-        };
-      };
-    })
-    (lib.mkIf (!isBuildHost) {
-      nix = let
-        inherit (builtins) readFile;
-        inherit (config.networking) hostName;
-        inherit (config.sops) secrets;
-        inherit (inputs) mysecrets;
-        pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
-      in {
-        distributedBuilds = true;
-        buildMachines = [
-          {
-            hostName = "dunamis";
-            maxJobs = 3;
-            protocol = "ssh-ng";
-            publicHostKey = pubHost;
-            speedFactor = 2;
-            sshKey = secrets."ssh-${hostName}-user".path;
-            sshUser = "nix-ssh";
-            supportedFeatures = ["benchmark" "big-parallel" "kvm" "nixos-test"];
-            system = "x86_64-linux";
-          }
-        ];
-      };
-    })
-  ];
-}
@@ -14,6 +14,7 @@
  };
  environment.systemPackages = with pkgs; [
    (lib.hiPrio uutils-coreutils-noprefix)
+    git
    helix
    nushell
  ];
@@ -66,7 +66,7 @@

    # Userspace
    # restrict usage of ptrace
-    "kernel.yama.ptrace_scope" = 2;
+    # "kernel.yama.ptrace_scope" = 2; # breaks anti-cheat

    # ASLR memory protection (64-bit systems)
    "vm.mmap_rnd_bits" = 32;
@@ -94,8 +94,8 @@
    "net.core.default_qdisc" = "cake";
  };
  boot.kernelParams = [
-    "systemd.unified_cgroup_hierarchy=1"
-    "cgroup_no_v1=all"
+    # "systemd.unified_cgroup_hierarchy=1"
+    # "cgroup_no_v1=all"
    "amd_iommu=force_isolation"
    "debugfs=off"
    "efi=disable_early_pci_dma"
@@ -0,0 +1,11 @@
+{
+  security.pam.loginLimits = [
+    {
+      domain = "*"; # Applies to all users/sessions
+      type = "-"; # Set both soft and hard limits
+      item = "core"; # The soft/hard limit item
+      value = "0"; # Core dumps size is limited to 0 (effectively disabled)
+    }
+  ];
+  systemd.coredump.enable = false;
+}
@@ -4,44 +4,39 @@
  pkgs,
  ...
 }: let
-  inherit (lib) mkIf mkDefault;
-  systemd-services-hardened = fetchGit {
-    url = "https://github.com/wallago/nix-system-services-hardened.git";
-    ref = "main";
-    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
-  };
-  fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
+  inherit (lib) mkIf;
 in {
-  imports =
-    [./boot.nix ./ssh.nix]
-    ++ fromHardened [
-      "accounts-daemon"
-      "getty"
-      # "nix-daemon" # TODO: breaks cgroups, ...
-      "nscd"
-      "rescue"
-      "sshd"
-      "systemd-machined"
-      "systemd-rfkill"
-      "systemd-udevd"
-    ];
+  imports = [
+    ./boot.nix
+    ./coredump.nix
+    ./services.nix
+    ./ssh.nix
+  ];
+
  networking.modemmanager.enable = false;
+
+  nix.settings.allowed-users = ["@users"];
+  nix.settings.trusted-users = ["@wheel"];
+
+  environment.systemPackages = with pkgs; [
+    (mkIf config.security.doas.enable doas-sudo-shim)
+  ];
+
  security =
    lib.attrsets.recursiveUpdate {
      # doas.enable = true;
      polkit.enable = true;
      sudo-rs.enable = false;
      sudo.enable = false;
+
+      wrappers = {
+        newgrp.enable = false;
+        pkexec.enable = false;
+        sg.enable = false;
+        su.enable = false;
+      };
    } {
      sudo-rs.execWheelOnly = true;
-      pam.loginLimits = [
-        {
-          domain = "*"; # Applies to all users/sessions
-          type = "-"; # Set both soft and hard limits
-          item = "core"; # The soft/hard limit item
-          value = "0"; # Core dumps size is limited to 0 (effectively disabled)
-        }
-      ];
      # pam.sshAgentAuth.enable = true;
      polkit.extraConfig = ''
        polkit.addRule(function(action, subject) {
@@ -61,25 +56,20 @@ in {
      '';
    };

-  environment.systemPackages = with pkgs; [
-    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
-  ];
-  systemd.coredump.enable = false;
-  services = {
-    chrony = {
-      enable = true;
-      enableNTS = true;
-      servers = [
-        "time.cloudflare.com iburst nts"
-        "ntppool1.time.nl iburst nts"
-        "nts.netnod.se iburst nts"
-        "ptbtime1.ptb.de iburst nts"
-        "time.dfm.dk iburst nts"
-        "time.cifelli.xyz iburst nts"
-      ];
-    };
-    dbus.implementation = "broker";
+  services.dbus.implementation = "broker";
+  services.chrony = {
+    enable = true;
+    enableRTCTrimming = false;
+    enableNTS = true;
+    extraConfig = "rtcsync";
+    extraFlags = ["-r" "-s"];
+    servers = [
+      "time.cloudflare.com iburst nts"
+      "ntppool1.time.nl iburst nts"
+      "nts.netnod.se iburst nts"
+      "ptbtime1.ptb.de iburst nts"
+      "time.dfm.dk iburst nts"
+      "time.cifelli.xyz iburst nts"
+    ];
  };
-
-  nix.settings.allowed-users = mkDefault ["@users"];
 }
@@ -0,0 +1,29 @@
+{
+  # config,
+  lib,
+  # pkgs,
+  ...
+}: let
+  systemd-services-hardened = fetchGit {
+    url = "https://github.com/wallago/nix-system-services-hardened.git";
+    ref = "main";
+    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
+  };
+  fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
+in {
+  imports = fromHardened [
+    "accounts-daemon"
+    "getty"
+    # "nix-daemon" # TODO: breaks cgroups, ...
+    "nscd"
+    "rescue"
+    "sshd"
+    "systemd-machined"
+    "systemd-rfkill"
+    "systemd-udevd"
+  ];
+  systemd.services = {
+    nix-daemon.serviceConfig.RestrictNamespaces = lib.mkForce [];
+    sshd.serviceConfig.ProtectHome = lib.mkForce "no";
+  };
+}
@@ -3,7 +3,7 @@
    lib.attrsets.recursiveUpdate {
      # hardware.openrgb.enable = true;
      avahi.enable = true;
-      dnscrypt-proxy.enable = true;
+      # dnscrypt-proxy.enable = true;
      flatpak.enable = true;
      fstrim.enable = true;
      fwupd.enable = true;
@@ -9,7 +9,7 @@
  inherit (lib) optionalAttrs;
  inherit (lib.types) bool str;

-  cfg = config.module.stylix;
+  cfg = config.unexplrd.stylix;

  fromBase16Schemes = f: "${pkgs.base16-schemes}/share/themes/${f}.yaml";

@@ -312,7 +312,7 @@ in {
  ];

  options = {
-    module.stylix = {
+    unexplrd.stylix = {
      enable = mkEnableOption "enable stylix";

      useCursor = mkOption {
@@ -2,20 +2,18 @@
  inputs,
  config,
  pkgs,
-  lib,
  ...
 }: let
-  inherit (config.networking) hostName;
  inherit (config.sops) secrets;
  inherit (inputs) mysecrets;
  sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
 in {
-  users.groups.admin = {};
+  users = {
+    mutableUsers = false;

-  nix.settings.trusted-users = ["user" "admin"];
-  users.mutableUsers = false;
-  users.users = {
-    admin = {
+    # groups.admin = {};
+
+    users.admin = {
      isNormalUser = true;
      description = "System administrator";
      extraGroups = ["wheel"]; # wheel = sudo
@@ -28,7 +26,7 @@ in {
        "sarien"
      ];
    };
-    user = {
+    users.user = {
      extraGroups = ["video" "libvirtd" "dialout"];
      hashedPasswordFile = secrets."user-password-hashed".path;
      isNormalUser = true;
@@ -33,5 +33,5 @@
    music = homeDir "music";
  };

-  dconf.settings."org/gnome/desktop/interface".enable-animations = false;
+  # dconf.settings."org/gnome/desktop/interface".enable-animations = false;
 }
@@ -3,5 +3,6 @@
    ./common.nix
    ./flatpak.nix
    ./programs.nix
+    ./services.nix
  ];
 }
@@ -1,5 +1,7 @@
 {
+  config,
  inputs,
+  lib,
  pkgs,
  ...
 }: {
@@ -34,9 +36,7 @@
        "com.github.PintaProject.Pinta" # bootleg paint
        "org.gimp.GIMP" # the holy gimp
        "org.kde.kdenlive" # video editor
-        {
-          appId = "com.collabora.Office";
-        }
+        "com.collabora.Office" # libreoffice but pretty pixel-wasting ui
      ]
      ++ [
        # chatting
@@ -71,10 +71,10 @@
        "com.bitwarden.desktop"
        "com.github.johnfactotum.Foliate" # book reader
        "com.github.tchx84.Flatseal" # control flatpak permissions
-        "com.logseq.Logseq"
+        # "com.logseq.Logseq"
        "com.obsproject.Studio"
        "com.usebottles.bottles" # wine containers
-        "de.capypara.FieldMonitor" # libvirt
+        "de.capypara.FieldMonitor" # qemu and rdp/vnc client
        "org.qbittorrent.qBittorrent" # torrents
        "io.github.amit9838.mousam" # weather
        "io.github.finefindus.Hieroglyphic" # find latex symbols (in rust)
@@ -83,6 +83,7 @@
        "md.obsidian.Obsidian"
        "me.iepure.devtoolbox" # some cool utils
        "org.nicotine_plus.Nicotine" # soulseek
+        (lib.mkIf config.programs.distrobox.enable "com.ranfdev.DistroShelf")
      ];
    overrides = let
      homeNoNetwork = {
@@ -11,18 +11,9 @@
  inherit (osConfig.virtualisation) libvirtd;
  inherit (osConfig.hardware) bluetooth;
 in {
-  imports = with flake.modules.hm-programs;
-    [
-      yazi
-      helix
-      fish
-      oh-my-posh
-      wezterm
-      ghostty
-    ]
-    ++ [./vicinae.nix];
-
-  syncthing.enable = true;
+  imports = with flake.homeModules; [
+    programs
+  ];

  systemd.user.settings.Manager.DefaultEnvironment = {
    TERMINAL = "wezterm";
@@ -37,14 +28,19 @@ in {
    # NPM_CONFIG_TMP = ''"$XDG_RUNTIME_DIR"/npm'';
  };

-  services = {
-    # pueue.enable = true; # process queue in rust
-    ssh-agent.enable = true;
-  };
-
  programs =
    lib.attrsets.recursiveUpdate
    {
+      atuin.enable = true;
+      fish.enable = true; # friendly interactive shell in rust
+      oh-my-posh.enable = true;
+
+      helix.enable = true;
+      yazi.enable = true;
+
+      wezterm.enable = true;
+      ghostty.enable = true;
+
      bat.enable = true; # cat in rust
      btop.enable = true;
      # direnv.enable = true;
@@ -60,6 +56,7 @@ in {
      nix-index-database.comma.enable = true;
      nix-index.enable = true;
      nix-your-shell.enable = true;
+      obsidian.enable = true;
      pay-respects.enable = true; # thefuck in rust
      ripgrep.enable = true; # grep in rust
      zellij.enable = true;
@@ -68,16 +65,31 @@ in {
    }
    {
      btop.settings.update_ms = 200;
+      btop.package = pkgs.btop-rocm;

      difftastic.git.enable = true;
      difftastic.git.diffToolMode = true;

-      git.signing.format = "ssh";
+      helix.defaultEditor = true;

+      git.signing.format = "ssh";
      git.settings.alias.cl = "clone";
      git.settings.alias.co = "checkout";

      keychain.keys = ["id_ed25519"];
+
+      obsidian.package = perSystem.mypackages.obsidian-bwrapped.override {
+        bwrapperOpts = {
+          sockets.x11 = false;
+          mounts.readWrite = [
+            "$HOME/Obsidian"
+          ];
+        };
+      };
+      # obsidian.vaults = {
+      #   personal.target = "Obsidian/Personal";
+      #   university.target = "Obsidian/University";
+      # };
    };

  home.packages = with pkgs;
@@ -103,6 +115,70 @@ in {
      systemctl-tui # systemctl tui in rust
      trashy # trash cli in rust
      up # ultimate plumber in go
+
+      (perSystem.mypackages.prismlauncher-bwrapped.override {
+        addPkgs = with pkgs; [mangohud gamemode gamescope glfw3-minecraft];
+        packageOverrides = {
+          jdks = with pkgs; [
+            # graalvmPackages.graalvm-ce
+            # zulu8
+            zulu17
+            zulu
+          ];
+        };
+      })
+      (perSystem.mypackages.zen-browser-bwrapped.override {
+        bwrapperOpts = {
+          sockets.x11 = false;
+        };
+      })
+      (perSystem.mypackages.legcord-bwrapped.override {
+        bwrapperOpts = {
+          sockets.x11 = false;
+        };
+      })
+      (perSystem.mypackages.helium-browser-bwrapped.override {
+        bwrapperOpts = {
+          sockets.x11 = false;
+          mounts.readWrite = [
+            # "$XDG_DOCUMENTS_DIR"
+            "$XDG_DOWNLOAD_DIR"
+            # "$XDG_MUSIC_DIR"
+            # "$XDG_VIDEOS_DIR"
+            # "$XDG_PICTURES_DIR"
+          ];
+        };
+      })
+      (pkgs.mkBwrapper rec {
+        app = {
+          addPkgs = with pkgs; [mangohud gamemode gamescope];
+          package = pkgs.heroic.override {
+            extraPkgs = pkgs: app.addPkgs;
+          };
+          id = "com.heroicgameslauncher.hgl_bwrapper";
+          runScript = "heroic";
+          # isFhsenv = true;
+        };
+        dbus.session.talks = [
+          "com.canonical.Unity"
+          "org.freedesktop.Notifications"
+          "org.freedesktop.PowerManagement"
+          "org.freedesktop.ScreenSaver"
+          "org.gnome.SettingsDaemon.MediaKeys"
+          "org.kde.StatusNotifierWatcher"
+        ];
+        dbus.system.talks = [
+          "org.freedesktop.UDisks2"
+          "org.freedesktop.UPower"
+        ];
+        mounts.readWrite = [
+          "/storage/games/heroic"
+          "$HOME/.config/wine-tools"
+        ];
+        mounts.read = [
+          "$XDG_CONFIG_HOME/mangohud"
+        ];
+      })
    ]
    ++ [
      (pkgs.writeShellApplication {
@@ -150,6 +226,8 @@ in {
      # sonusmix # pipewire routing tool in rust
    ];

+  xdg.systemDirs.data = ["/home/user/.bwrapper/helium/local/share"];
+
  # xdg.desktopEntries.uni = {
  #   actions."Copy".exec = "fish -c \"~/.local/bin/uni --copy\"";
  #   categories = ["Utility" "X-Launch" "Network"];
@@ -0,0 +1,17 @@
+{inputs, ...}: {
+  imports = [inputs.vicinae.homeManagerModules.default];
+
+  syncthing.enable = true;
+
+  services.easyeffects.enable = true;
+
+  # services.pueue.enable = true; # process queue in rust
+  services.ssh-agent.enable = true;
+
+  services.vicinae = {
+    enable = true;
+    systemd.enable = true;
+  };
+
+  xdg.configFile."vicinae/settings.json".enable = false;
+}
@@ -1,7 +0,0 @@
-{inputs, ...}: {
-  imports = [inputs.vicinae.homeManagerModules.default];
-
-  services.vicinae.enable = true;
-
-  xdg.configFile."vicinae/vicinae.json".enable = false;
-}