Update flake.lock 2025-04-28

This makes builds not fail when my own binary cache is offline for some reason

.sops.yaml

@@ -1,7 +1,7 @@
 keys:
   - &primary age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
   - &aspi-ssh age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
-  - &pianonix-ssh age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct
+  - &pianonix-ssh age1tguyu2yd5xv8rgjjl50cq6dq5rr7umqgv098dgre4u9wyj30ea7sexw62c
   - &builder-ssh age1kw4kmdm45zprvdkrrpvgq966l7585vhusmum083qlwnr0xxgd3uqatcyja
   - &kardorf-ssh age15lxw97z03q40xrdscnxqqugh5ky5aqrerg2t2rphkcqm6rnllurq8v98q5
 
@@ -20,7 +20,7 @@ creation_rules:
       - *primary
       - *builder-ssh
 
-  - path_regex: hosts/pianonix/secrets.yaml$
+  - path_regex: hosts/pianonix/secrets*
     key_groups:
     - age:
       - *primary

Readme.org

@@ -24,7 +24,7 @@ sops edit secrets/secrets.yaml
 ** Authorize new device
 - Generate public key from ssh -> Private age key generation not needed
 #+begin_src sh
-ssh-to-age < /etc/ssh/ssh_host_ed25519_key
+ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
 #+end_src
 - Add age public key to file:.sops.yaml
 - Update keys

flake.nix

@@ -2,16 +2,21 @@
   description = "Home Manager configuration of julian";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
     systems.url = "github:nix-systems/default-linux";
     nixos-hardware.url = "github:nixos/nixos-hardware";
     impermanence.url = "github:nix-community/impermanence";
     nix-colors.url = "github:misterio77/nix-colors";
     deploy-rs.url = "github:serokell/deploy-rs";
 
+    nixos-generators = {
+      url = "github:nix-community/nixos-generators";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     sops-nix = {
@@ -28,16 +33,12 @@
     };
 
     # Various flakes
-    alacritty-theme = {
-      url = "github:alacritty/alacritty-theme";
-      flake = false;
-    };
     yazi-flavors = {
       url = "github:yazi-rs/flavors";
       flake = false;
     };
     nixvim = {
-      url = "github:nix-community/nixvim";
+      url = "github:nix-community/nixvim/nixos-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nix-matlab = {
@@ -88,7 +89,7 @@
 
     packages = forEachSystem (pkgs: import ./pkgs {inherit pkgs;});
     devShells = forEachSystem (pkgs: import ./shell.nix {inherit pkgs;});
-    formatter = forEachSystem (pkgs: pkgs.alejandra);
+    formatter = forEachSystem (pkgs: pkgs.alejandra); # nix fmt *
 
     nixosConfigurations = {
       # Main laptop
@@ -187,5 +188,15 @@
         };
       };
     };
+
+    # substitutes: nixos-generate --flake .#pianonix -f sd-aarch64 --system aarch64-linux
+    pianonix-image = inputs.nixos-generators.nixosGenerate {
+      system = "aarch64-linux";
+      format = "sd-aarch64";
+      modules = [./hosts/pianonix];
+      specialArgs = {
+        inherit inputs outputs;
+      };
+    };
   };
 }

homes/julian/aspi.nix

@@ -6,8 +6,9 @@
     ./features/direnv
     ./features/topgrade
     ./features/neovim
-    ./features/kitty
+    ./features/ghostty
     ./features/wezterm
+    ./features/alacritty
     ./features/yazi
     ./features/emacs
 
@@ -20,7 +21,7 @@
 
   hostName = "aspi";
   is-nixos = true;
-  terminal = "kitty";
+  terminal = "alacritty";
 
   #  -------   ----------
   # | eDP-1 | | HDMI-A-1 |

homes/julian/features/alacritty/alacritty.toml

@@ -1,3 +0,0 @@
-import = [
-    "~/.config/alacritty/theme/themes/smoooooth.toml"
-]

homes/julian/features/alacritty/default.nix

@@ -1,15 +1,12 @@
 {
   lib,
-  pkgs,
-  inputs,
   config,
   ...
 }: {
-  home.packages = with pkgs; [alacritty];
+  programs.alacritty = {
-
+    enable = true;
-  home.file = {
+    settings = {};
-    ".config/alacritty/theme".source = "${inputs.alacritty-theme}";
+    theme = "smoooooth";
-    ".config/alacritty/alacritty.toml".source = ./alacritty.toml;
   };
 
   home.sessionVariables.TERMINAL = lib.mkIf (config.terminal == "alacritty") "alacritty";

homes/julian/features/ghostty/default.nix

@@ -0,0 +1,16 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  programs.ghostty = {
+    enable = true;
+    enableFishIntegration = true;
+    settings = {
+      theme = "catppuccin-mocha";
+      font-size = 12;
+    };
+  };
+
+  home.sessionVariables.TERMINAL = lib.mkIf (config.terminal == "ghostty") "ghostty";
+}

homes/julian/features/hyprland/default.nix

@@ -24,7 +24,7 @@ in {
     ./zathura.nix
     ./waypipe.nix
 
-    ./hyprbars.nix
+    # ./hyprbars.nix
   ];
 
   xdg.portal = {
@@ -48,23 +48,21 @@ in {
     wf-recorder
     wl-clipboard
 
-    (pkgs.writeShellScriptBin
+    (pkgs.writeShellScriptBin "toggle-screen-mirroring" (
-      "toggle-screen-mirroring"
+      builtins.readFile ./toggle-screen-mirroring.sh
-      (builtins.readFile
+    ))
-        ./toggle-screen-mirroring.sh))
 
-    (
+    (pkgs.writeShellScriptBin "correct-workspace-locations" (
-      pkgs.writeShellScriptBin
+      lib.concatStringsSep "\n" (
-      "correct-workspace-locations"
+        builtins.concatLists (
-      (
+          map (
-        lib.concatStringsSep "\n"
+            monitor:
-        (
+              map (ws: "hyprctl dispatch moveworkspacetomonitor ${ws} ${monitor.name}") monitor.workspaces
-          builtins.concatLists (
-            map (monitor: map (ws: "hyprctl dispatch moveworkspacetomonitor ${ws} ${monitor.name}") monitor.workspaces) config.monitors
           )
+          config.monitors
         )
       )
-    )
+    ))
   ];
 
   services.cliphist = {
@@ -157,11 +155,17 @@ in {
     settings = {
       "$mod" = "SUPER";
 
+      # Environment variables programs like emacs have access to
+      env = "TERMINAL,${config.terminal}";
+
       # Monitors
       monitor = ",preferred,auto,1";
 
       # Autostart
-      exec-once = ["firefox"];
+      exec-once = [
+        (lib.getExe pkgs.firefox)
+        (lib.getExe pkgs.waybar)
+      ];
 
       # Look and Feel
       general = {
@@ -280,7 +284,7 @@ in {
           # opening applications
           "$mod, D, exec, wofi --show drun,run"
           "$mod, E, exec, pcmanfm"
-          "$mod, Return, exec, kitty"
+          "$mod, Return, exec, ${config.terminal}"
           "$mod, B, exec, firefox"
           "$mod, C, exec, qalculate-gtk"
 

homes/julian/features/hyprland/waybar/config.json

@@ -12,7 +12,14 @@
 
     "modules-center": [],
 
-    "modules-right": ["idle_inhibitor", "disk", "cpu", "memory", "pulseaudio", "battery", "clock", "tray"],
+    "modules-right": ["idle_inhibitor", "custom/nixos-update", "disk", "cpu", "memory", "pulseaudio", "battery", "clock", "tray"],
+
+    "custom/nixos-update": {
+        "exec": "frajul-auto-upgrade-status",
+        "return-type": "json",
+        "interval": 2,
+        "on-click-right": "frajul-auto-upgrade-toggle"
+    },
 
     "hyprland/workspaces": {
         "on-scroll-up": "hyprctl dispatch workspace m+1",
@@ -35,6 +42,7 @@
     },
 
     "idle_inhibitor": {
+        "start-activated": true,
         "format": "{icon}",
         "format-icons": {
             "activated": "",

homes/julian/features/hyprland/waybar/default.nix

@@ -10,7 +10,7 @@
 in {
   programs.waybar = {
     enable = true;
-    systemd.enable = true;
+    # systemd.enable = true;
     settings.mainBar = builtins.fromJSON (builtins.readFile ./config.json);
   };
 

homes/julian/features/i3/i3/config-kardorf

@@ -142,8 +142,8 @@ bindsym $mod+Shift+9 move container to workspace number $ws9; workspace $ws9
 bindsym $mod+Shift+0 move container to workspace number $ws10; workspace $ws10
 
 # Monitor config
-set $monitor_left "DVI-D-0"
+set $monitor_left "DVI-D-1"
-set $monitor_right "DVI-D-1"
+set $monitor_right "DVI-D-2"
 
 workspace $ws1 output $monitor_left
 workspace $ws2 output $monitor_left

homes/julian/features/i3/i3/scripts/open-messaging

@@ -1,27 +0,0 @@
-#!/bin/sh
-
-start_if_not_running()
-{
-    program=$1
-    pidof -sq $program
-    if [ "$?" -eq "1" ]; then
-        start_program $1
-    else
-        echo "$program is already running"
-    fi
-}
-
-start_program()
-{
-    program=$1
-    echo "Starting $program..."
-    $program & > /dev/null
-}
-
-i3-msg 'workspace 9; append_layout ~/.config/i3/workspace-messaging.json'
-start_program nheko
-sleep 0.1
-start_program telegram-desktop
-sleep 0.1
-start_program thunderbird
-sleep 0.1

homes/julian/features/i3/i3/scripts/pulse_popup

@@ -1,20 +0,0 @@
-#!/bin/sh
-
-HDMI_SINK="alsa_output.pci-0000_00_1f.3-platform-skl_hda_dsp_generic.HiFi__hw_sofhdadsp_3__sink"
-LAPTOP_SINK="alsa_output.pci-0000_00_1f.3-platform-skl_hda_dsp_generic.HiFi__hw_sofhdadsp__sink"
-
-HDMI_ICON=$(pactl info | grep -q $HDMI_SINK && echo "checkbox")
-LAPTOP_ICON=$(pactl info | grep -q $LAPTOP_SINK && echo "checkbox")
-
-HDMI_VOLUME=$(pactl get-sink-volume $HDMI_SINK | head -n 1 | awk '{print $5}')
-LAPTOP_VOLUME=$(pactl get-sink-volume $LAPTOP_SINK | head -n 1 | awk '{print $5}')
-
-read -r -d '' CONF <<EOF
-Open Pavucontrol,pavucontrol,pavucontrol
-
-^sep()
-HDMI - $HDMI_VOLUME,pactl set-default-sink $HDMI_SINK,$HDMI_ICON
-Laptop - $LAPTOP_VOLUME,pactl set-default-sink $LAPTOP_SINK,$LAPTOP_ICON
-EOF
-
-echo "$CONF" | jgmenu --simple

homes/julian/features/neovim/default.nix

@@ -36,6 +36,8 @@
     opts = {
       number = false;
       relativenumber = false;
+      ignorecase = true;
+      smartcase = true;
     };
     clipboard.register = "unnamedplus"; # Use system clipboard
 
@@ -49,7 +51,7 @@
         key = "<leader><space>";
       }
       {
-        action = "<cmd>Telescope file_browser<cr>";
+        action = "<cmd>Telescope file_browser path=%:p:h<cr>";
         key = "<leader>.";
       }
       {
@@ -140,17 +142,21 @@
       };
 
       lsp = {
-        enable = true;
+        enable = true; # includes lsp-config, default settings for the lsps
         servers = {
           rust_analyzer = {
             enable = true;
             installCargo = true;
             installRustc = true;
           };
-          nixd.enable = true;
+          nixd.enable = true; # nix
-          pyright.enable = true;
+          pyright.enable = true; # python
-          dockerls.enable = true;
+          dockerls.enable = true; # docker
-          lua_ls.enable = true;
+          lua_ls.enable = true; # lua
+          clangd.enable = true; # c, c++
+          dartls.enable = true; # dart, flutter
+          digestif.enable = true; # latex
+          tinymist.enable = true; # typst
         };
       };
     };

homes/julian/features/suites/cli/default.nix

@@ -40,6 +40,7 @@
     wireguard-tools # wg-quick
     xorg.xkill
     zip
+    dig
 
     ## My scripts
     frajul.edit-config

homes/julian/features/suites/desktop/default.nix

@@ -22,6 +22,7 @@
     calibre # ebook manager and viewer
     # digikam
     discord
+    discord-ptb # in case discord updates take their time
     # dvdisaster
     # element-desktop
     # rocketchat-desktop
@@ -31,10 +32,11 @@
     nheko
     evince # Simple pdf reader, good for focusing on document content
     firefox
+    vivaldi
     # geogebra
     cheese
     handbrake
-    kitty # Terminal
+    # kitty # Terminal, already available as feature
     libnotify
     libreoffice
     mate.engrampa
@@ -61,8 +63,12 @@
     zotero # Manage papers and other sources
     pdfpc # Present slides in pdf form
 
+    networkmanager-openvpn
+    keepassxc
+
     ## My scripts
     frajul.open-messaging
     frajul.xwacomcalibrate
+    frajul.pob2-frajul
   ];
 }

homes/julian/features/suites/development/default.nix

@@ -29,6 +29,10 @@
         standalone
         amsmath
         preview
+        # needed for org mode export
+        wrapfig
+        capt-of
+        biblatex
         ;
     })
     matlab # Using nix-matlab overlay defined in flake
@@ -58,6 +62,7 @@
 
     ## My scripts
     frajul.deploy-to-pianopi
+    frajul.rtklib
 
     (pkgs.writeShellScriptBin "matlab-rsp" ''
       matlab -desktop -sd "/home/julian/git/uwa-channel-model" -softwareopengl

homes/julian/features/yazi/default.nix

@@ -26,7 +26,7 @@
   programs.yazi.enable = true;
   programs.yazi.enableFishIntegration = true;
   programs.yazi.settings.manager = {
-    sort_by = "modified";
+    sort_by = "mtime";
     sort_reverse = true;
     show_hidden = true;
   };

homes/julian/global/default.nix

@@ -20,7 +20,7 @@
         "flakes"
         "ca-derivations"
       ];
-      # warn-dirty = false; # TODO: do I want it? also for systems
+      warn-dirty = false; # TODO: do I want it? also for systems
     };
   };
 

homes/julian/hm-standalone-config.nix

@@ -39,5 +39,8 @@
     ];
 
     # nix.settings. # warn-dirty = false; # TODO: do I want this
+    #
+    # Ensure we can still build when missing-server is not accessible
+    fallback = true;
   };
 }

homes/julian/kardorf.nix

@@ -6,13 +6,13 @@
     ./features/direnv
     ./features/topgrade
     ./features/neovim
-    ./features/kitty
+    ./features/ghostty
     ./features/wezterm
     ./features/yazi
     ./features/emacs
 
-    ./features/hyprland
+    # ./features/hyprland
-    # ./features/i3
+    ./features/i3
 
     ./features/suites/cli
     ./features/suites/desktop
@@ -21,7 +21,7 @@
 
   hostName = "kardorf";
   is-nixos = true;
-  terminal = "kitty";
+  terminal = "ghostty";
 
   #  ---------   ---------
   # | DVI-D-1 | | DVI-D-2 |

homes/julian/pianonix.nix

@@ -14,8 +14,8 @@
   is-nixos = true;
   terminal = "wezterm";
 
-  services.syncthing.tray.enable = true;
+  # services.syncthing.tray.enable = true;
-  services.syncthing.tray.command = "syncthingtray --wait"; # Wait for tray to become available
+  # services.syncthing.tray.command = "syncthingtray --wait"; # Wait for tray to become available
 
   home.packages = with pkgs; [
     music-reader
@@ -27,9 +27,33 @@
     onboard
   ];
 
+  programs.firefox = {
+    enable = true;
+
+    profiles.default = {
+      isDefault = true;
+
+      settings = {
+        "browser.startup.homepage" = "https://sheets.julian-mutter.de";
+        "browser.startup.page" = 1; # 0=blank, 1=home page, 3=restore previous session
+      };
+    };
+  };
+
+  programs.chromium = {
+    enable = true;
+
+    # commandLineArgs = [
+    #   "--homepage=https://sheets.julian-mutter.de"
+    #   "--no-first-run"
+    # ];
+  };
+
   # Autostart link
   home.file = {
-    ".config/autostart/sheet-organizer.desktop".source = "${pkgs.sheet-organizer}/share/applications/sheet-organizer.desktop";
+    # ".config/autostart/sheet-organizer.desktop".source = "${pkgs.sheet-organizer}/share/applications/sheet-organizer.desktop";
+    # ".config/autostart/firefox.desktop".source = "${pkgs.firefox}/share/applications/firefox.desktop";
+    ".config/autostart/chromium.desktop".source = "${pkgs.chromium}/share/applications/chromium.desktop";
     ".config/sheet-organizer/config.toml".text = ''
       working_directory = "/home/julian/Klavier"
     '';

homes/julian/v3ms/default.nix

@@ -19,7 +19,7 @@
   is-nixos = false;
   # terminal = "kitty";
 
-  home.sessionPath = [ "/snap/bin" ];
+  home.sessionPath = ["/snap/bin"];
 
   home.packages =
     lib.lists.concatMap (packages-list-file: import packages-list-file {inherit pkgs;})

hosts/aspi/default.nix

@@ -4,6 +4,9 @@
 
     ../common/global
     ../common/users/julian
+    ../common/users/yukari
+    ../common/users/pob
+    ../common/optional/binarycaches.nix
 
     ../common/optional/remote-builder.nix
     ../common/optional/boot-efi.nix
@@ -17,7 +20,7 @@
     ../common/optional/virtualbox.nix
 
     ../common/optional/podman.nix
-    ../common/optional/wireguard.nix
+    # ../common/optional/wireguard.nix
     ../common/optional/flatpak.nix
 
     ../common/optional/avahi.nix
@@ -31,8 +34,14 @@
       enable = true;
       overrideSettings = false;
     };
+    frajulAutoUpgrade = {
+      enable = true;
+      flakePath = "/home/julian/.dotfiles";
+    };
   };
 
+  services.desktopManager.plasma6.enable = true;
+
   services.blueman.enable = true;
   services.upower.enable = true;
 

hosts/builder/default.nix

@@ -1,22 +1,39 @@
 # sudo nixos-rebuild switch --flake .#builder --target-host root@192.168.3.118
 # or
 # deploy .#builder
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
   imports = [
     ./hardware-configuration.nix
 
-    ../common/global
+    ../common/global/fish.nix # fish for admin
+    ../common/global/locale.nix
+    ../common/global/nix.nix
+    ../common/global/sops.nix
+    ../common/global/root.nix
   ];
 
   networking.hostName = "builder";
   system.stateVersion = "23.11";
 
+  networking.networkmanager.enable = true;
+  networking.nameservers = [
+    "192.168.3.252"
+    "172.30.20.10"
+    "1.1.1.1"
+  ];
+
+  users.mutableUsers = false;
   users.users.nix = {
     isNormalUser = true;
     description = "Nix";
     extraGroups = [
       "networkmanager"
       "wheel"
+      "docker"
     ];
   };
 
@@ -30,14 +47,33 @@
     substituters = [
       "https://nix-community.cachix.org"
       "https://cache.nixos.org/"
+      "https://hyprland.cachix.org"
+      "https://devenv.cachix.org"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
     ];
-    trusted-public-keys = ["nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="];
 
     trusted-users = ["nix"];
     max-jobs = "auto";
     cores = 0;
+
+    # Ensure we can still build when missing-server is not accessible
+    fallback = true;
   };
 
+  # system.autoUpgrade = {
+  #   enable = true;
+  #   flake = "git+https://gitlab.julian-mutter.de/julian/dotfiles";
+  #   flags = [
+  #     "--recreate-lock-file" # update lock file
+  #   ];
+  #   dates = "02:13";
+  # };
+
   # optimize store by hardlinking store files
   nix.optimise.automatic = true;
   nix.optimise.dates = ["03:15"];
@@ -83,9 +119,28 @@
   services.openssh = {
     enable = true;
     # require public key authentication for better security
-    settings.PasswordAuthentication = true;
+    settings.PasswordAuthentication = false;
     settings.KbdInteractiveAuthentication = false;
     settings.PermitRootLogin = "yes";
+    # Add older algorithms for jenkins ssh-agents-plugin to be compatible
+    settings.Macs = [
+      "hmac-sha2-512-etm@openssh.com"
+      "hmac-sha2-256-etm@openssh.com"
+      "umac-128-etm@openssh.com"
+      "hmac-sha2-512"
+      "hmac-sha2-256"
+      "umac-128@openssh.com"
+    ];
+    settings.KexAlgorithms = [
+      "diffie-hellman-group-exchange-sha1"
+      "diffie-hellman-group14-sha1"
+      "mlkem768x25519-sha256"
+      "sntrup761x25519-sha512"
+      "sntrup761x25519-sha512@openssh.com"
+      "curve25519-sha256"
+      "curve25519-sha256@libssh.org"
+      "diffie-hellman-group-exchange-sha256"
+    ];
   };
   users.users."root".openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
@@ -183,7 +238,16 @@
     url = "https://gitlab.julian-mutter.de";
     name = "builder";
     tokenFile = config.sops.secrets."gitea_token".path;
-    labels = []; # use default labels
+    labels = [
+      # provide a debian base with nodejs for actions
+      "debian-latest:docker://node:18-bullseye"
+      # fake the ubuntu name, because node provides no ubuntu builds
+      "ubuntu-latest:docker://node:18-bullseye"
+      # devenv
+      "devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
+      # provide native execution on the host
+      "nixos:host"
+    ];
   };
 
   virtualisation.docker.enable = true;
@@ -241,4 +305,41 @@
       };
     };
   };
+
+  services.gitlab-runner.enable = true;
+  # runner for everything else
+  #
+  sops.secrets."gitlab_runner_token".sopsFile = ./secrets.yaml;
+  services.gitlab-runner.services.default = {
+    # File should contain at least these two variables:
+    authenticationTokenConfigFile = config.sops.secrets."gitlab_runner_token".path;
+    dockerImage = "alpine:latest";
+    dockerVolumes = [
+      "/var/run/docker.sock:/var/run/docker.sock"
+    ];
+  };
+
+  ### Jenkins node
+  users.users.jenkins = {
+    createHome = true;
+    home = "/var/lib/jenkins";
+    group = "jenkins";
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
+    ];
+    packages = with pkgs; [
+      git
+      devenv
+    ];
+    extraGroups = [
+      "docker"
+    ];
+  };
+
+  users.groups.jenkins = {};
+  programs.java = {
+    enable = true;
+    package = pkgs.jdk21; # Same as jenkins version on home
+  };
 }

hosts/common/global/auto-upgrade.nix

@@ -0,0 +1,16 @@
+{
+  inputs,
+  config,
+  ...
+}: {
+  system.hydraAutoUpgrade = {
+    # Only enable if not dirty
+    enable = inputs.self ? rev;
+    dates = "*:0/10"; # Every 10 minutes
+    instance = "http://hydra.julian-mutter.de";
+    project = "dotfiles";
+    jobset = "main";
+    job = "hosts.${config.networking.hostName}";
+    oldFlakeRef = "self";
+  };
+}

hosts/common/global/default.nix

@@ -2,6 +2,8 @@
 {
   inputs,
   outputs,
+  pkgs,
+  lib,
   ...
 }: {
   imports =
@@ -22,10 +24,18 @@
   hardware.enableRedistributableFirmware = true;
 
   # Networking
-  networking.networkmanager.enable = true;
+  networking.networkmanager = {
+    enable = true;
+    plugins = with pkgs; [
+      networkmanager-openconnect
+    ];
+  };
   services.resolved.enable = true;
 
-  programs.dconf.enable = true;
+  networking.nameservers = lib.mkDefault [
+    "1.1.1.1"
+    "8.8.8.8"
+  ];
 
   # HM
   home-manager.useGlobalPkgs = true;

hosts/common/global/nix.nix

@@ -26,26 +26,6 @@
   ];
   # warn-dirty = false;
 
-  # Setup binary caches
-  nix.settings = {
-    substituters = [
-      "https://nix-community.cachix.org"
-      "https://cache.nixos.org/"
-      "https://hyprland.cachix.org"
-      "http://binarycache.julian-mutter.de"
-    ];
-    trusted-public-keys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
-    ];
-
-    trusted-users = [
-      "root"
-      "@wheel"
-    ]; # needed for devenv to add custom caches
-  };
-
   nix.gc = {
     automatic = true;
     dates = "weekly";

hosts/common/optional/authentication.nix

@@ -1,8 +1,14 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  ...
+}: {
   # Make programs like nextcloud client access saved passwords
-  programs.seahorse.enable = true;
   services.gnome.gnome-keyring.enable = true;
 
+  programs.seahorse.enable = true;
+  programs.ssh.askPassword = lib.mkForce "${pkgs.seahorse}/libexec/seahorse/ssh-askpass"; # Solve conflicting definition in seahorse and plasma6
+
   # Make authentication work for e.g. gparted
   security.polkit.enable = true;
   systemd = {

hosts/common/optional/binarycaches.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  outputs,
+  ...
+}: {
+  # Setup binary caches
+  nix.settings = {
+    substituters = [
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+      "https://hyprland.cachix.org"
+      "http://binarycache.julian-mutter.de"
+      "https://devenv.cachix.org"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+    ];
+
+    trusted-users = [
+      "root"
+      "@wheel"
+    ]; # needed for devenv to add custom caches
+
+    # Ensure we can still build when missing-server is not accessible
+    fallback = true;
+  };
+}

hosts/common/optional/openssh.nix

@@ -13,7 +13,7 @@ in {
       PasswordAuthentication = false;
       PermitRootLogin = "no";
 
-      # TODO: what does this d
+      # TODO: what does this do
       # Let WAYLAND_DISPLAY be forwarded
       AcceptEnv = "WAYLAND_DISPLAY";
       X11Forwarding = true;
@@ -34,7 +34,7 @@ in {
   #     publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
   #     extraHostNames =
   #       [
-  #         "${hostname}.m7.rs"
+  #         # "${hostname}.m7.rs"
   #       ]
   #       ++
   #         # Alias for localhost if it's the same host

hosts/common/optional/pipewire.nix

@@ -3,6 +3,7 @@
   services.pulseaudio.enable = false;
   services.pipewire = {
     enable = true;
+    wireplumber.enable = true;
     alsa.enable = true;
     alsa.support32Bit = true;
     pulse.enable = true;
@@ -14,6 +15,14 @@
           "module.x11.bell" = false;
         };
       };
+      "10-increase-buffer" = {
+        "context.properties" = {
+          "default.clock.rate" = 48000;
+          "default.clock.quantum" = 1024;
+          "default.clock.min-quantum" = 1024;
+          "default.clock.max-quantum" = 2048;
+        };
+      };
     };
   };
 }

hosts/common/secrets.yaml

@@ -14,29 +14,38 @@ sops:
         - recipient: age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTY3lFZlIyRnZOMzNQdnJ2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBualdnWmtBTThhZDFVdDRP
-            Z0xQQnY1eHFYekVMV3M0UE5hK2xkbStveFRnCncwVVduSEFFQkpwME5XQzF2Z0tK
+            WHlMamk1MFhUYUwwa0hyQmpobGNocC9VR0ZVCmc3N1FjcUZCNUdTTm91OVpwZDhP
-            MnhFQ3ZZMk51aGJHUmJFbHA4d1dmdkEKLS0tIHBkVEhaZEY5ZGtYcXRkZzREa0xR
+            bTNXekp2bDd3Tjh6a2ZVTVNTSW9RTU0KLS0tIGJpcUVHb2ZlODgvelhwQ0JFU3l5
-            eUNsNjE2VS9MTjNtYWluUjJhYXVuTmcKq175s9vx1tPVS+voO+HSkyaT+GbjC/Z+
+            WU5VanhYMTUvNklYazJxOXVveXhpM2cKCo+4FhhcbRylASEbQb9rAQUzEO1D+0AR
-            PyKVKyqFAJCRcNP2byaFgAHjXtDFZdipt/0lbw+4UfHrZGpn+9B59Q==
+            52Jzc9s9rSdypeBRE7SaSOI4eVnkEjPfyhNFvMdxiBzBj7GdocpmCw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRmxCNUE4MTdZNWlOcmxX
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4STZpU0ZnRzVVOFFRUXZG
-            RmhDS2NpQ0hoWG83SDlIeVhXaFdxNE4yTUVzCkRxS3M5aU5mdWZkYnpNeC9YR3BX
+            akcwS2Z5V3lmQzRTSGNHT2hDME5JMks2QTNNClpkZzNMc0wyRjVEaVlBRFlyNFhs
-            N1NEdzlyTm9YT3NQSnowWTZUc1FvYWsKLS0tICs2OVo2djNjUW0yOG41ZTJQeFFB
+            M1pyeW1XdnZubnRxMzEzMFJoK0lkVVEKLS0tIENhRExzUWRWMUlObmhxazM5cU9y
-            djFENU5USG1QSnRVdlErN1h5bXJhYzQKPDvAHIMR/vT47zbeK3NsS+jSl4HSFRIA
+            aDFyaDJackFoaEZOYWdTbWt0ODB1bm8Kg1VDAj5/i8ZbYxspIdXrI474YN5YkV4H
-            NbSKwTbEGn963metTh4HJItdWBAOyiCc3l1Ye49ms9JhYM8n4wHLRQ==
+            86maCRDfUxO5lvu4zBa9pOmFtJ2iuJ2MxDnmCSHTl+GOk8yyUT8JhA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct
+        - recipient: age1tguyu2yd5xv8rgjjl50cq6dq5rr7umqgv098dgre4u9wyj30ea7sexw62c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeHJ3NmMzaTh0Zm13Vm1r
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveE9NV2JCOW9odlN6Wmkw
-            RmNtMi9FYmJGUmxXeEppM3Fnazl1NTl3ajJjCjFrbXM4WGdOV05qckhkbjlSODZR
+            WFEvU2pka3htV2FTTFlpc05ES2JjbGxTaFJZCjhYdG1sRVBFaEF3YjNkWEw3Ny8x
-            a0VuakllVTdOc2Uxd3BqRmtsN3NJdHcKLS0tIHRRMXFEcWNZOFE4dFJycGdGTzdP
+            MlYyTjJBMHA2YVpHRkkwWW5hNDdrS1UKLS0tIFZXTFNVbkd6VFExc0dSVU4vd3JF
-            WittUTFFNU5kUWdGcncwdWRQSi9STTgK3GuwolsItCEt3Dh5Lycb8TjfaHTuV/JB
+            ajlFY2pvWW13VGxOZ0hEc3dMbU9IeUUKNSf7ycj+1XHhsoghmY2iR1BwIySqfIOF
-            P2KSuVsbgjYuCJSknYmSZ+9gdTYC8cVqDnKo7HYFNrCDHZ0P4QwGSg==
+            zawE+MQcQg0u+fy6Aik26eUGvQG3rya2Fx2+3VlAbKB+rbiP0fwsgg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15lxw97z03q40xrdscnxqqugh5ky5aqrerg2t2rphkcqm6rnllurq8v98q5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxaTNJNkJ0RVJiYlRzcmlX
+            TmEweVdLaGpoVXMxZEFDU3dOZTJCRjdiNENBCkZ3bjJUNm1vcmY1ZUpZcEo4OGxa
+            UWJKSjNKL002UDhmTmJER2M0MjJ3aG8KLS0tIFMvZjBkOS83T3NDUE82M3kweVNw
+            VXhoN0VyWkVxMEJPQ3orVUNDK21rRU0KvnmuFxcCpP+LZg7v5jaStw9F0owVrQl9
+            AkIq7GUJh7xewLxcVZfiBRpXMhw/mM8LYnd2KGP8R/TfYg+v0//+5A==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-04-23T07:00:17Z"
     mac: ENC[AES256_GCM,data:JgaTIRbzD0hs2o86xUlQrPN2cPXvsuTH/zKG5xbQIDaYcEvD/mkuVa3hfnYKrA91kWg2Y1DgEi9583+o6UCl/+ldY4ptu+xpnYfyQFdhM4rB+KoP/pDt8vQKQ3zAX8fpAkugCgTTbuvm3TfQ1nt98V8boyhCn4JHNC1T0j7ZtZI=,iv:G3YJOLeDWDKuANo2mxS2JAdrRaonD87CU9BpCZZrlRs=,tag:mcKIdP5cSQUwNL2tcv/o6g==,type:str]

hosts/common/users/julian/default.nix

@@ -17,12 +17,15 @@ in {
       "networkmanager"
       "wheel"
       "audio"
+      "realtime"
+      "rtkit"
       "network"
       "video"
       "podman"
       "docker"
       "git"
       "gamemode"
+      "dialout"
     ];
 
     openssh.authorizedKeys.keys = lib.splitString "\n" (

hosts/common/users/pob/default.nix

@@ -0,0 +1,28 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in {
+  users.mutableUsers = false;
+  users.users.pob = {
+    description = "A helper user to use another profile for some applications";
+    group = "pob";
+    isNormalUser = true;
+    shell = pkgs.fish;
+    extraGroups = ifTheyExist [
+      "networkmanager"
+    ];
+    packages = with pkgs; [
+      firefox
+      wineWowPackages.stable # 32-bit and 64-bit wine
+      winetricks
+    ];
+  };
+  users.groups.pob = {};
+
+  security.sudo.extraConfig = ''
+    julian ALL=(pob) NOPASSWD: ALL
+  '';
+}

hosts/common/users/yukari/default.nix

@@ -0,0 +1,100 @@
+{
+  pkgs,
+  config,
+  lib,
+  outputs,
+  ...
+}: let
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in {
+  users.mutableUsers = false;
+  users.users.yukari = {
+    description = "Yukari";
+    group = "yukari";
+    isNormalUser = true;
+    shell = pkgs.fish;
+    extraGroups = ifTheyExist [
+      "networkmanager"
+      "audio"
+      "network"
+      "video"
+      "podman"
+      "docker"
+      "git"
+      "gamemode"
+    ];
+
+    createHome = true;
+    hashedPassword = "$y$j9T$rGuTL0rfiy7ht8L58BGCw0$fN.KwHjYlIitFEPHndKvV06ezgeWzP3/58o1kkviZwB";
+    packages = [pkgs.home-manager];
+  };
+  users.groups.yukari = {};
+
+  home-manager.users.yukari = {
+    imports =
+      [
+        ../../../../homes/julian/features/fonts
+        ../../../../homes/julian/features/suites/cli
+      ]
+      ++ (builtins.attrValues outputs.homeManagerModules);
+
+    home = {
+      username = lib.mkDefault "yukari";
+      homeDirectory = lib.mkDefault "/home/${config.home.username}";
+      stateVersion = lib.mkDefault "23.11";
+
+      sessionPath = ["$HOME/.local/bin"];
+
+      packages = with pkgs; [
+        arandr
+        calibre # ebook manager and viewer
+        # digikam
+        discord
+        discord-ptb # in case discord updates take their time
+        # dvdisaster
+        # element-desktop
+        # rocketchat-desktop
+        thunderbird
+        tdesktop # telegram
+        # schildichat-desktop # not updated regularly
+        nheko
+        evince # Simple pdf reader, good for focusing on document content
+        firefox
+        vivaldi
+        # geogebra
+        cheese
+        handbrake
+        # kitty # Terminal, already available as feature
+        libnotify
+        libreoffice
+        mate.engrampa
+        nomacs # Image viewer
+        kdePackages.okular # Pdf reader with many features, good for commenting documents
+        pavucontrol
+        pdfsam-basic # Split, merge, etc for pdfs
+        qalculate-gtk # Nice gui calculator
+        qpdfview
+        # qutebrowser
+        # realvnc-vnc-viewer
+        rpi-imager # make isos
+        # rustdesk
+        tor-browser
+        unstable.path-of-building # Path of Building
+        # frajul.pob-dev-version # Path of Building
+        vlc
+        wineWowPackages.stable # 32-bit and 64-bit wine
+        winetricks
+        xclip # x11 clipboard access from terminal
+        xfce.mousepad # simple text editor
+        xournalpp # Edit pdf files
+        zoom-us # Video conferencing
+        zotero # Manage papers and other sources
+        pdfpc # Present slides in pdf form
+      ];
+    };
+    programs = {
+      home-manager.enable = true;
+      git.enable = true;
+    };
+  };
+}

hosts/kardorf/default.nix

@@ -5,13 +5,18 @@
     ../common/global
     ../common/users/julian
     ../common/users/wolfi
+    ../common/optional/binarycaches.nix
 
+    ../common/optional/xserver.nix
     ../common/optional/remote-builder.nix
     ../common/optional/boot-efi.nix
 
-    ../common/optional/greetd.nix
+    # ../common/optional/greetd.nix
-    # ../common/optional/gdm.nix
+
-    # ../common/optional/i3.nix
+    ../common/optional/gdm.nix
+    ../common/optional/i3.nix
+
+    ../common/optional/openssh.nix
 
     ../common/optional/authentication.nix
     ../common/optional/pcmanfm.nix
@@ -29,8 +34,7 @@
 
   programs.kdeconnect.enable = true;
 
-  # services.xserver.desktopManager.xfce.enable = true;
+  services.desktopManager.plasma6.enable = true;
-  services.xserver.desktopManager.plasma6.enable = true;
 
   # Enable CUPS to print documents.
   services.printing.enable = true;

hosts/kardorf/hardware-configuration.nix

@@ -80,9 +80,10 @@
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+  # Use latest version of driver
-  # hardware.nvidia.modesetting.enable = true; # produces errors, display manager fails to start
+  # hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+  hardware.nvidia.modesetting.enable = true; # produces errors, display manager fails to start
 
-  # hardware.nvidia.nvidiaSettings = true;
+  hardware.nvidia.nvidiaSettings = true;
   hardware.nvidia.open = false;
 }

hosts/pianonix/default.nix

@@ -15,27 +15,51 @@
 
     ../common/global
     ../common/users/julian
+    ../common/optional/binarycaches.nix
 
     ../common/optional/pipewire.nix
     ../common/optional/remote-builder.nix
     ../common/optional/pcmanfm.nix
     ../common/optional/redshift.nix
     ../common/optional/authentication.nix
+
+    ../common/optional/avahi.nix
   ];
 
   # disko.devices.disk.main.device = "/dev/mmcblk1";
 
-  # networking.wireless.enable = true;
+  # enabled by fish, disabling speeds up builds
-  # networking.wireless.environmentFile = config.sops.secrets."wifi/pianonix".path;
+  documentation.man.generateCaches = false;
-  # networking.wireless.networks = {
+
-  #   "@SSID@".psk = "@PSK@";
+  networking.enableIPv6 = false; # This only leads to issues with avahi
+
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true; # bluetooth gui
+  # raspberry pi specific
+  # systemd.services.btattach = {
+  #   before = [ "bluetooth.service" ];
+  #   after = [ "dev-ttyAMA0.device" ];
+  #   wantedBy = [ "multi-user.target" ];
+  #   serviceConfig = {
+  #     ExecStart = "${pkgs.bluez}/bin/btattach -B /dev/ttyAMA0 -P bcm -S 3000000";
+  #   };
   # };
+  # networking.wireless.enable = true;
+  # networking.wireless.secretsFile = config.sops.secrets."wifi/pianonix".path;
+  # networking.wireless.networks = {
+  #   "SMARTments".pskRaw = "ext:PSK";
+  # };
+
+  # networking.networkmanager.enable = lib.mkForce false;
+
+  services.gnome.at-spi2-core.enable = true; # for onboard
+
   networking.hostName = "pianonix";
   system.stateVersion = "22.11";
 
   sops.secrets."vnc-passwd" = {
     owner = config.users.users.julian.name;
-    sopsFile = ./vnc-passwd;
+    sopsFile = ./secrets-vnc-passwd.bin;
     format = "binary";
   };
   sops.secrets."wifi/pianonix" = {};
@@ -44,6 +68,18 @@
   # sops.secrets."syncthing/public-keys/aspi-nix" = { };
   # sops.secrets."syncthing/public-keys/pianonix" = { };
 
+  sops.secrets."wg-config" = {
+    sopsFile = ./secrets-wg-config.bin;
+    format = "binary";
+  };
+
+  networking.wg-quick.interfaces = {
+    home = {
+      configFile = config.sops.secrets."wg-config".path;
+      autostart = true; # This interface is started on boot
+    };
+  };
+
   modules = {
     syncthing = {
       enable = true;
@@ -53,6 +89,7 @@
 
   # Enable the Desktop Environment.
   # services.xserver.displayManager.lightdm.enable = true;
+  services.displayManager.defaultSession = "xfce";
   services.displayManager.autoLogin = {
     enable = true;
     user = "julian";
@@ -72,10 +109,11 @@
     };
   };
 
-  boot.loader.timeout = 1; # Set boot loader timeout to 1s
+  boot.loader.timeout = lib.mkForce 1; # Set boot loader timeout to 1s
 
   # De-facto disable network manager, which is enabled by gnome
   # networking.networkmanager.unmanaged = [ "*" ];
+  services.xserver.enable = true;
   services.xserver.desktopManager = {
     xfce = {
       enable = true;

hosts/pianonix/hardware-configuration.nix

@@ -14,9 +14,15 @@
   boot.initrd.kernelModules = [];
   boot.kernelModules = [];
   boot.extraModulePackages = [];
+  boot.kernelPackages = pkgs.linuxPackages_latest; # use latest linux kernel
+  boot.supportedFilesystems = lib.mkForce [
+    # remove zfs, since its incompatible with latest kernel
+    "vfat"
+    "ext4"
+  ];
 
   fileSystems."/" = {
-    device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+    device = "/dev/disk/by-label/NIXOS_SD";
     fsType = "ext4";
   };
 

hosts/pianonix/secrets-vnc-passwd.bin

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:13hToequR4A=,iv:U7a6mIOYanQjozPrL92edFrhdyuSJj14pqVa2tGE/zA=,tag:uyeE3dj7NTKPi0jNLkFMLA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXWEFYNThYQkpuTW10MjNM\nU3pWYmE5UnBPUzhQSTltc3hXdk9EWkg5czI0CmxnK3FuYitGci9ndnRCZms4a0lD\nOWh4alF1MEtJUis5YVNyYXRLbVppNnMKLS0tIEQ5WVVIMzlIV0pnc2ZWMnc5bjE4\nR3lpbzJiRmljcWI4SWlOS2svZVBSYnMKYIfhDjNZPDxmws3Z3P55K7V/NHiukQ0u\n00Kk603U+1JhgfJBk0Y3tMo//vKCHQj87wtZoqDLEN7Gu+ZtHhkhow==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tguyu2yd5xv8rgjjl50cq6dq5rr7umqgv098dgre4u9wyj30ea7sexw62c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSVpBR1NPY0svSWNWYzFC\nZE1uTjZTRm9XM24wcXByajVDYUJ4Y3FmNUc0CkJMMXRtUE5mSjYwU25MYy9xNFlP\ndUNmYmJ5RVF0dG5LYjA4L1NnNEtCMVEKLS0tIFl0Slovd2NiWjg1VXJ1VDJwTWJQ\nTWFZeW1ZYisvenVycWYwZ1lkOXBaVVUKqGu6Q8IbiUAzazLKN95uAtmXJMPzx02u\nr/R8q7ugG8lX5pWX3H3P7vtBz57Oo3rWlRpUhN/4+PpijkJNUyr3XQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-12-01T16:14:57Z",
+		"mac": "ENC[AES256_GCM,data:zKz8OX1yi68Qn3X6HwdbgTCr/3ZVBh5Wz4KUACmWG3XhOEVi8uoDEdAxfKMDBqNzXLeDmxxTKj6TMLkk68ozDYJqu0OevVritnZqvBTr9VKGpMPBFN3DuaeqSZ6wjHGbce1iqO0kusnwopRbEWHmr/lZxiXTNgLPdN+p5Aszi54=,iv:resppfGPecKvKwqNwqecDBcXGhcTWSGZis8hf1jT0Us=,tag:V80P25Pr4HD9pUUrQHZSQg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

hosts/pianonix/secrets-wg-config.bin

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:SFc3K1hvBjeCS6ikLZl3vIPFJqsUrZZi9yO9tVuv14exKhOuK17HN/d+cYMtVxGwqQ/biFdXYdP8/sfTPwwZgd/wRLT2xRDMOg5ru7kj8sEhcOEYmrgYRLo3ImdWANFaxelWOmjEvzphTQ7guvXTo7BACUA9AygYa9Ou9bklYImWhOCsk8e9uz5afLZXscidiqUqqFuJNo3QGMDEAxFI2YC3OpLwEj5zlsI4AXEEHRVUxU1sVtspdolDaeiFIs/JW4jLu/2la6JyGJUluYXAThzL1LO39NA/MSNskMSedatz89vnCd9CP6Q3eT93vrUYAEY=,iv:e+tWIlHm4NH1w8AQAw6tvgCX9XOiroE1XmrSua3Bcg4=,tag:RwGpKtG9JzQ3TgcnzEV5Rg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYTFjRnpPVDAvQ0ZHZU0v\neEduOTVockFoZGhuMmZNd0w3bVFCVUQzUlI4CmZTaktOQWxrTDNpYXlPTm9SdlZZ\nN0dURmlHVFlHSjZpbkpGb09lTmVzWm8KLS0tIDhMWlFIRWFkQjcya0hjeUdUSklB\nbWlqNlVoR1BnWG9TM0RhWnI4a0J4YUEKGWIX77EVXYFVyA2u6CkF1cGfwd4Gq0Vb\nNqrlMUYEDZ5nO/eLWsAt2kj1/YFjkGw0iI02HLRHdxQ59vFyl3CS1Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tguyu2yd5xv8rgjjl50cq6dq5rr7umqgv098dgre4u9wyj30ea7sexw62c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNlZGdktzSGp0bzIyUjlR\nUU9LSXRrZTgxcEZwczhidWVOdGRnRFYrOVZZCmx3VzM4V2dsWmZpUWxNUG82MzU2\nT3dmQjRwdmRJbTJxVm9vQjJKU3JXSncKLS0tIFlhYy9uQW5aa1E0K3Q1RUFSQkZP\nR29sY3RCYVg5bGdqMU1uc0E3Szhmb0kKFzKHUVNDdHWfycb7xWeAyIVlC4ab7ivR\nVlfmbPAXq2THw/s4zk/ckfE5RP82a1aX4++XRa7fm5KXpI8vExjJ5A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-14T06:56:31Z",
+		"mac": "ENC[AES256_GCM,data:DrcOET5U6veg0qhcBjQQ5neCdTUufMxhIz4ZQzvzd+YxKfAqaq8R1PW5VVlUjhDBaUH9i3J1Wj6X4E600uhayY0E9I5VqfO84hqlosfZWPiWPO8prK46Y7R3Ybdh9uvWQxiaSxy8KHXsdDgsBFLlmLe/QvsDSUv56rPofkm06vg=,iv:XBFP8ANpsszeXqQIE/v7+GmZGlFtxgE/EtgL/Cc3x+8=,tag:ZJgO+hLuwIatE55wo94RVw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}

hosts/pianonix/vnc-passwd

@@ -1,28 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:13hToequR4A=,iv:U7a6mIOYanQjozPrL92edFrhdyuSJj14pqVa2tGE/zA=,tag:uyeE3dj7NTKPi0jNLkFMLA==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWUp5TU9kWTNpa0s5TFRC\nK1hoc0d0K3JQYWN3VVVWM2JvemtieGo2UGpVCit5MUcvZldBZkNNZ3ZWTWRtd0Zx\nT3I4aTdUcitPRmhhV0htZlhEYjhRakUKLS0tIEdmYUI4N1g1Nkp3YzdtaHJybVcz\neFNwUnd0Vyt2MTBpRTZlMzZnNHJGd1EKy/0zXv9CPf5k0ky7TBGY9GbcIeQyPk1L\nKmMCuWMLX0yTGqB3M3/UNdoc4L0q//7keUZH5PlkxJbnu6IN3fE5qg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdy9tZlZtNFJPRFNUUUNI\nUWtPZmZOY1V5SHc5bTZOZVluTUV6N3dlQWprClVqK2tKNFlBWHdyNDF1Q0d2bi9z\naldTTDdWYzZ6WmgrNHlZSDlTSU9SbmsKLS0tIDJZM2Y4ZDVmZk54eTZLOTU4Ui9X\nR3l3WDkwRWUyakFLdGZXeDJxRUJsaHMK6hgZ1KYe9qx4tO7RervEAKGjNHg4mi0E\nxx3I9P8MFzPiCVKG5ZNxRx25y7H4bQSRRtxIlXIhqzf2+5Q6U7/Hrw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cUg4dUlCY0IwS3pPeTF5\nZTVkRTkzaVBYTmh0MmYyaHlOaFRHSnk5dWs4CmhvaTlSOTFDQzZmbHVudXpwQitV\nQjhRQWl3OHNLVGJYMm1ObVEyQmhxS0kKLS0tIDJsZnN4K2pUOEdIYVg4ZlQ5Ujhn\nNlpGL1hMVXd5cWR2YkdIVmJiblMzR1EKJYS51sKQ/tBV7dv88pOxJhzHQGckoF8q\nwIioVjs9sm4JBgQqSIbVhXwnKl05IUkyAgw6LfsbSJz3nKe7lmmRpg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-12-01T16:14:57Z",
-		"mac": "ENC[AES256_GCM,data:zKz8OX1yi68Qn3X6HwdbgTCr/3ZVBh5Wz4KUACmWG3XhOEVi8uoDEdAxfKMDBqNzXLeDmxxTKj6TMLkk68ozDYJqu0OevVritnZqvBTr9VKGpMPBFN3DuaeqSZ6wjHGbce1iqO0kusnwopRbEWHmr/lZxiXTNgLPdN+p5Aszi54=,iv:resppfGPecKvKwqNwqecDBcXGhcTWSGZis8hf1jT0Us=,tag:V80P25Pr4HD9pUUrQHZSQg==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
-	}
-}

modules/home-manager/terminal.nix

@@ -1,9 +1,4 @@
-{
+{lib, ...}: {
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
   options.terminal = lib.mkOption {
     type = lib.types.str;
     example = "alacritty";

modules/nixos/default.nix

@@ -1,4 +1,5 @@
 {
   # hydra-auto-upgrade = import ./hydra-auto-upgrade.nix;
   syncthing = import ./syncthing.nix;
+  frajulAutoUpgrade = import ./frajul-auto-upgrade.nix;
 }

modules/nixos/frajul-auto-upgrade.nix

@@ -0,0 +1,173 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.modules.frajulAutoUpgrade;
+
+  flagFile = "/var/lib/frajul-auto-upgrade/flag";
+  lockFile = "/var/lib/frajul-auto-upgrade/lock";
+  lastStatusFile = "/var/lib/frajul-auto-upgrade/last-status";
+  lastAttemptFile = "/var/lib/frajul-auto-upgrade/last-attempt";
+in {
+  options.modules.frajulAutoUpgrade = {
+    enable = lib.mkEnableOption "NixOS auto-upgrade on boot";
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "root";
+      description = "User account to run the upgrade service as.";
+    };
+
+    flakePath = lib.mkOption {
+      type = lib.types.path;
+      description = "The path to your flake";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Ensure the flag directory exists
+    systemd.tmpfiles.rules = [
+      "d /var/lib/frajul-auto-upgrade 0755 root root -"
+      "f ${flagFile} 0766 root root -"
+      "f ${lastStatusFile} 0644 root root -"
+      "f ${lastAttemptFile} 0644 root root -"
+    ];
+
+    environment.systemPackages = [
+      (pkgs.writeShellScriptBin "frajul-auto-upgrade" ''
+        #!/bin/sh
+        FLAG_FILE="${flagFile}"
+        LOCK_FILE="${lockFile}"
+        LAST_STATUS_FILE="${lastStatusFile}"
+        LAST_ATTEMPT_FILE="${lastAttemptFile}"
+
+        TODAY=$(date +%Y-%m-%d)
+
+        if [ ! -f "$FLAG_FILE" ] || [ "$(cat "$FLAG_FILE")" != "enabled" ]; then
+          echo "Auto upgrade disabled. Exiting."
+          exit 0
+        fi
+
+        # Check if already attempted today
+        if [ -f "$LAST_ATTEMPT_FILE" ]; then
+          LAST_ATTEMPT_DATE=$(cut -d' ' -f1 "$LAST_ATTEMPT_FILE")
+          if [ "$LAST_ATTEMPT_DATE" = "$TODAY" ]; then
+            echo "Update already attempted today. Skipping."
+            exit 0
+          fi
+        fi
+
+        if [ -f "$LOCK_FILE" ]; then
+          echo "Already running"
+          exit 1
+        fi
+
+        echo $$ > "$LOCK_FILE"
+        trap 'rm -f "$LOCK_FILE"' EXIT
+
+        if /run/current-system/sw/bin/nix flake update --flake "${cfg.flakePath}" && /run/current-system/sw/bin/nixos-rebuild switch --flake "${cfg.flakePath}"; then
+            echo "success" > "$LAST_STATUS_FILE"
+        else
+            echo "failure" > "$LAST_STATUS_FILE"
+            git -C "${cfg.flakePath}" restore flake.lock
+        fi
+
+        # Write full timestamp
+        date '+%Y-%m-%d %H:%M:%S' > "$LAST_ATTEMPT_FILE"
+      '')
+
+      (pkgs.writeShellScriptBin "frajul-auto-upgrade-status" ''
+        #!/bin/sh
+        FLAG_FILE="${flagFile}"
+        LOCK_FILE="${lockFile}"
+        LAST_STATUS_FILE="${lastStatusFile}"
+        LAST_ATTEMPT_FILE="${lastAttemptFile}"
+
+        if [ -f "$LOCK_FILE" ]; then
+          ICON=" "
+          STATUS="running"
+        elif [ -f "$FLAG_FILE" ] && [ "$(cat "$FLAG_FILE")" == "enabled" ]; then
+          LAST_STATUS="unknown"
+          LAST_ATTEMPT="never"
+          if [ -f "$LAST_STATUS_FILE" ]; then
+            LAST_STATUS=$(cat "$LAST_STATUS_FILE")
+          fi
+
+          if [ -f "$LAST_ATTEMPT_FILE" ]; then
+            LAST_ATTEMPT=$(cat "$LAST_ATTEMPT_FILE")
+          fi
+
+          if [ "$LAST_STATUS" = "success" ]; then
+            ICON=""
+          elif [ "$LAST_STATUS" = "failure" ]; then
+            ICON=""
+          else
+            ICON=""
+          fi
+
+          STATUS="enabled (last attempt: $LAST_ATTEMPT, $LAST_STATUS)"
+        else
+          ICON=" "
+          STATUS="disabled"
+        fi
+
+        echo "{\"text\": \"$ICON\", \"tooltip\": \"NixOS Auto Update: $STATUS\"}"
+      '')
+
+      (pkgs.writeShellScriptBin "frajul-auto-upgrade-toggle" ''
+        #!/bin/sh
+        FLAG_FILE="${flagFile}"
+        LOCK_FILE="${lockFile}"
+
+        if [ ! -f "$FLAG_FILE" ] || [ "$(cat "$FLAG_FILE")" != "enabled" ]; then
+          echo "enabled" > "$FLAG_FILE"
+        else
+          echo "disabled" > "$FLAG_FILE"
+          if [ -f "$LOCK_FILE" ]; then
+            kill -TERM "$(cat "$LOCK_FILE")"
+          fi
+        fi
+      '')
+    ];
+
+    # Fixes error: repository path '...' is not owned by current user
+    environment.etc."root/.gitconfig".text = ''
+      [safe]
+        directory = ${cfg.flakePath}
+    '';
+
+    systemd.services.frajul-auto-upgrade = {
+      description = "Frajul's NixOS Auto Upgrade";
+      after = ["network-online.target"];
+      wants = ["network-online.target"];
+      restartIfChanged = false; # Do not start service on nixos switch
+
+      path = with pkgs; [
+        coreutils
+        gnutar
+        xz.bin
+        gzip
+        gitMinimal
+        config.nix.package.out
+        config.programs.ssh.package
+      ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = cfg.user;
+        ExecStart = "/run/current-system/sw/bin/frajul-auto-upgrade";
+      };
+    };
+    systemd.timers.frajul-auto-upgrade = {
+      description = "Run Frajul's NixOS Auto Upgrade at boot";
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "1min";
+        AccuracySec = "10s";
+        Unit = "frajul-auto-upgrade.service";
+      };
+    };
+  };
+}

modules/nixos/hydra-auto-upgrade.nix

@@ -0,0 +1,132 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.system.hydraAutoUpgrade;
+in {
+  # Taken from Misterio
+  options = {
+    system.hydraAutoUpgrade = {
+      enable = lib.mkEnableOption "periodic hydra-based auto upgrade";
+      operation = lib.mkOption {
+        type = lib.types.enum [
+          "switch"
+          "boot"
+        ];
+        default = "switch";
+      };
+      dates = lib.mkOption {
+        type = lib.types.str;
+        default = "04:40";
+        example = "daily";
+      };
+
+      instance = lib.mkOption {
+        type = lib.types.str;
+        example = "http://hydra.julian-mutter.de";
+      };
+      project = lib.mkOption {
+        type = lib.types.str;
+        example = "dotfiles";
+      };
+      jobset = lib.mkOption {
+        type = lib.types.str;
+        example = "main";
+      };
+      job = lib.mkOption {
+        type = lib.types.str;
+        default = config.networking.hostName;
+      };
+
+      oldFlakeRef = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = ''
+          Current system's flake reference
+
+          If non-null, the service will only upgrade if the new config is newer
+          than this one's.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.enable -> !config.system.autoUpgrade.enable;
+        message = ''
+          hydraAutoUpgrade and autoUpgrade are mutually exclusive.
+        '';
+      }
+    ];
+    systemd.services.nixos-upgrade = {
+      description = "NixOS Upgrade";
+      restartIfChanged = false;
+      unitConfig.X-StopOnRemoval = false;
+      serviceConfig.Type = "oneshot";
+
+      path = with pkgs; [
+        config.nix.package.out
+        config.programs.ssh.package
+        coreutils
+        curl
+        gitMinimal
+        gnutar
+        gzip
+        jq
+        nvd
+      ];
+
+      script = let
+        buildUrl = "${cfg.instance}/job/${cfg.project}/${cfg.jobset}/${cfg.job}/latest";
+      in
+        (lib.optionalString (cfg.oldFlakeRef != null) ''
+          eval="$(curl -sLH 'accept: application/json' "${buildUrl}" | jq -r '.jobsetevals[0]')"
+          flake="$(curl -sLH 'accept: application/json' "${cfg.instance}/eval/$eval" | jq -r '.flake')"
+          echo "New flake: $flake" >&2
+          new="$(nix flake metadata "$flake" --json | jq -r '.lastModified')"
+          echo "Modified at: $(date -d @$new)" >&2
+
+          echo "Current flake: ${cfg.oldFlakeRef}" >&2
+          current="$(nix flake metadata "${cfg.oldFlakeRef}" --json | jq -r '.lastModified')"
+          echo "Modified at: $(date -d @$current)" >&2
+
+          if [ "$new" -le "$current" ]; then
+            echo "Skipping upgrade, not newer" >&2
+            exit 0
+          fi
+        '')
+        + ''
+          profile="/nix/var/nix/profiles/system"
+          path="$(curl -sLH 'accept: application/json' ${buildUrl} | jq -r '.buildoutputs.out.path')"
+
+          if [ "$(readlink -f "$profile")" = "$path" ]; then
+            echo "Already up to date" >&2
+            exit 0
+          fi
+
+          echo "Building $path" >&2
+          nix build --no-link "$path"
+
+          echo "Comparing changes" >&2
+          nvd --color=always diff "$profile" "$path"
+
+          echo "Activating configuration" >&2
+          "$path/bin/switch-to-configuration" test
+
+          echo "Setting profile" >&2
+          nix build --no-link --profile "$profile" "$path"
+
+          echo "Adding to bootloader" >&2
+          "$path/bin/switch-to-configuration" boot
+        '';
+
+      startAt = cfg.dates;
+      after = ["network-online.target"];
+      wants = ["network-online.target"];
+    };
+  };
+}

overlays/default.nix

@@ -25,11 +25,11 @@
   my-pkgs = final: prev: {frajul = import ../pkgs {pkgs = final;};};
 
   nixpkgs-stable-unstable = final: prev: {
-    unstable = import inputs.nixpkgs {
+    unstable = import inputs.nixpkgs-unstable {
       system = prev.system;
       config.allowUnfree = true;
     };
-    stable = import inputs.nixpkgs-stable {
+    stable = import inputs.nixpkgs {
       system = prev.system;
       config.allowUnfree = true;
     };

pkgs/default.nix

@@ -12,4 +12,6 @@
   acer-battery-health-mode = pkgs.callPackage ./acer-battery-health-mode {};
   pob2 = pkgs.callPackage ./pob2 {};
   wl-ocr = pkgs.callPackage ./wl-ocr {};
+  rtklib = pkgs.qt6Packages.callPackage ./rtklib {};
+  pob2-frajul = pkgs.callPackage ./pob2-frajul {};
 }

pkgs/open-messaging/default.nix

@@ -3,7 +3,7 @@
   nheko,
   telegram-desktop,
   thunderbird,
-  discord,
+  discord, # TODO: discord not available for aarch64, this leads to flake evaluation for this arch fail.
 }:
 writeShellApplication {
   name = "open-messaging";
@@ -20,7 +20,7 @@ writeShellApplication {
     sleep 0.1
     nheko &
     sleep 0.1
-    telegram-desktop &
+    Telegram &
     sleep 0.1
     discord &
   '';

pkgs/pob2-frajul/default.nix

@@ -0,0 +1,16 @@
+{
+  writeShellApplication,
+  xhost,
+}:
+writeShellApplication {
+  name = "pob2-frajul";
+
+  runtimeInputs = [
+    xhost
+  ];
+
+  text = ''
+    xhost +
+    sudo -u pob -i sh /home/pob/pob2.sh
+  '';
+}

pkgs/rtklib/default.nix

@@ -0,0 +1,40 @@
+{
+  stdenv,
+  fetchFromGitHub,
+  cmake,
+  pkg-config,
+  qtbase,
+  wrapQtAppsHook,
+  qtserialport,
+  qttools,
+  ...
+}:
+stdenv.mkDerivation rec {
+  pname = "RTKLIB";
+  version = "b34L";
+
+  src = fetchFromGitHub {
+    owner = "rtklibexplorer";
+    repo = "${pname}";
+    rev = "${version}";
+    hash = "sha256-bQcia3aRQNcZ55fvJViAxpo2Ev276HFTZ28SEXJD5Ds=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    qtbase
+    qtserialport
+    qttools
+  ];
+
+  cmakeFlags = [
+    "-DCMAKE_INSTALL_DATAROOTDIR=share"
+  ];
+
+  doCheck = true;
+}

shell.nix

@@ -3,6 +3,9 @@
     NIX_CONFIG = "extra-experimental-features = nix-command flakes ca-derivations";
     nativeBuildInputs = with pkgs; [
       nix
+      deploy-rs # for deploy
+      nixos-generators # for nixos-generate -f iso --flake .#host
+      nh # nix helper for nice interfaces
       home-manager
       git