update nixos

This reverts commit c3d9242e2e335ea6095cb474d3bcd8afad5c856d.

aplysia.nix

@@ -1,9 +1,14 @@
 { config, pkgs, ... }:
 
+let
+  trnsmssnIface = "wg-trnsmssn";
+in
 {
   imports =
     [
+      /etc/nixos/hardware-configuration.nix
       ./common-headless.nix
+      ./tailscale.nix
     ];
 
   boot.supportedFilesystems = ["zfs"];
@@ -26,11 +31,31 @@
     hostId = "34a820f1";
   };
 
-  services.openssh.enable = true;
+  users = {
+    users = {
+      gebner.extraGroups = [
+        "transmission"
+        "nilotica"
+      ];
 
-  users.extraUsers.gebner = {
-    isNormalUser = true;
-    extraGroups = ["wheel" "transmission"];
+      nilotica = {
+        group = "nilotica";
+        isNormalUser = true;
+      };
+
+      transmission = {
+        group = "transmission";
+        uid = config.ids.uids.transmission;
+      };
+    };
+
+    groups = {
+      nilotica = {};
+
+      transmission = {
+        gid = config.ids.gids.transmission;
+      };
+    };
   };
 
   boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages;
@@ -42,11 +67,19 @@
     fsType = "zfs";
   };
 
+  fileSystems."/boota".options = [ "nofail" ];
+  fileSystems."/bootb".options = [ "nofail" ];
+  fileSystems."/bootc".options = [ "nofail" ];
+  fileSystems."/bootd".options = [ "nofail" ];
+  fileSystems."/boote".options = [ "nofail" ];
+  fileSystems."/bootf".options = [ "nofail" ];
+
   services.samba = {
     enable = true;
     extraConfig = ''
       passdb backend = tdbsam
       unix password sync = no
+      min protocol = NT1
     '';
     shares = {
       export = {
@@ -57,26 +90,116 @@
     };
   };
 
-  services.transmission = {
-    enable = true;
-    settings = {
-      download-dir = "/mnt/aplysia/torrents";
-      incomplete-dir = "/mnt/aplysia/torrents";
+  containers.trnsmssn =
+  let
+    homeDir = "/mnt/aplysia/torrents";
+  in rec {
+    config = {
+      services.transmission = {
+        enable = true;
+        settings = {
+          download-dir = homeDir;
+          incomplete-dir = homeDir;
 
-      peer-port = 51413;
+          speed-limit-down = 5000;
+          speed-limit-down-enabled = true;
+          speed-limit-up = 800;
+          speed-limit-up-enabled = true;
+
+          peer-port = 7455;
+
+          rpc-bind-address = localAddress;
+          rpc-whitelist-enabled = false;
+        };
+      };
+
+      networking.firewall = {
+        enable = true;
+        interfaces.${trnsmssnIface}.allowedTCPPorts = [
+          config.services.transmission.settings.peer-port
+        ];
+        interfaces.eth0.allowedTCPPorts = [
+          9091
+        ];
+      };
+
+      networking.nameservers = [ "193.138.218.74" ];
+
+      networking.interfaces.${trnsmssnIface} = {
+        ipv4.addresses = [ { address = "10.64.157.93"; prefixLength = 32; } ];
+        ipv6.addresses = [ { address = "fc00:bbbb:bbbb:bb01::1:9d5c"; prefixLength = 128; } ];
+        ipv4.routes = [
+          { address = "0.0.0.0"; prefixLength = 1; }
+          { address = "128.0.0.0"; prefixLength = 1; }
+        ];
+        ipv6.routes = [ { address = "::"; prefixLength = 0; } ];
+      };
+
+      environment.systemPackages = with pkgs; [ wireguard-tools ];
     };
+
+    privateNetwork = true;
+    interfaces = [ trnsmssnIface ];
+
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.100.11";
+
+    autoStart = true;
+
+    bindMounts.${homeDir} = {
+      hostPath = homeDir;
+      isReadOnly = false;
+    };
+  };
+
+  networking.wireguard = {
+    enable = true;
+    interfaces.${trnsmssnIface} = {
+      privateKeyFile = "/etc/wgkeys/mullvad";
+      peers = [
+        {
+          allowedIPs = ["0.0.0.0/0" "::/0"];
+          publicKey = "5y66WShsFXqM5K7/4CPEGCWfk7PQyNhVBT2ILjbGm2I=";
+          endpoint = "se15-wireguard.mullvad.net:51820";
+        }
+      ];
+      allowedIPsAsRoutes = false;
+    };
+  };
+  systemd.services."container@trnsmssn" = {
+    requires = [ "wireguard-${trnsmssnIface}.service" ];
+    after = [ "wireguard-${trnsmssnIface}.service" ];
   };
 
   networking.firewall = {
     allowedTCPPorts = [
       445 139 # samba
-      config.services.transmission.settings.peer-port
+      config.services.rsyncd.port
     ];
     allowedUDPPorts = [
       137 138 # samba
     ];
   };
 
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts."transmission-proxy" = {
+      serverName = "localhost";
+      listen = [
+        { addr = "localhost"; port = 9091; }
+      ];
+      locations."/transmission/" = {
+        proxyPass = "http://192.168.100.11:9091";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
   environment.systemPackages = with pkgs; [
     transmission
     samba
@@ -87,4 +210,38 @@
     ${pkgs.hdparm}/bin/hdparm -B127 -S100 /dev/sd{a,b,c,d,e,f}
   '';
 
+  services.rsyncd = {
+    enable = true;
+    settings = {
+      lr_mobile = {
+        path = "/mnt/aplysia/fotos/lr_mobile";
+        "read only" = "yes";
+      };
+    };
+  };
+
+  systemd.services.backup-fotos = rec {
+    wants = [ "network.target" "mnt-aplysia.mount" ];
+    after = wants;
+
+    serviceConfig = {
+      User = "gebner";
+      Group = "users";
+      Type = "oneshot";
+    };
+
+    script = ''
+      ${pkgs.rclone}/bin/rclone sync -v --update --use-server-modtime \
+        /mnt/aplysia/fotos/lightroom/ \
+        glacier:gebner-fotos-raw-backup/
+    '';
+  };
+  systemd.timers.backup-fotos = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "Mon,Fri 03:00";
+      Persistent = true;
+    };
+  };
+
 }

archachatina.nix

@@ -3,10 +3,20 @@
 {
   imports =
     [
-      ./common.nix
+      /etc/nixos/hardware-configuration.nix
+      ./common-headless.nix
+      # ./sway.nix
+      ./i3.nix
       ./large-sw.nix
       ./uefi.nix
       ./fstrim.nix
+      # ./qemu-user.nix
+      ./atmega.nix
+      ./v4l2loopback.nix
+      ./huion.nix
+      ./rtl8761b.nix
+      ./unstable-nix.nix
+      ./nm-restart.nix
     ];
 
   environment.etc."lvm/lvm.conf".text = ''
@@ -14,55 +24,61 @@
       issue_discards = 1
     }
   '';
-  boot.initrd.luks.devices = [
-    {
-      name = "sda2_crypt";
+  boot.initrd.luks.devices = {
+    sda2_crypt = {
       device = "/dev/disk/by-uuid/2e2e2824-e357-4a75-bddc-8cf386cd0f53";
       preLVM = true;
       allowDiscards = true;
-    }
-  ];
+    };
+  };
 
   networking.hostName = "archachatina"; # Define your hostname.
   networking.hostId = "cc7ea3ba";
 
   hardware.cpu.intel.updateMicrocode = true;
 
-  services.wakeonlan.interfaces = [
-    {
-      interface = "enp3s0";
-      method = "magicpacket";
-    }
-  ];
+  networking.interfaces."enp3s0".wakeOnLan.enable = true;
+
+  # services.xserver.displayManager.defaultSession = pkgs.lib.mkForce "sway";
+  #
+  # users.extraUsers.presentation = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "networkmanager" "audio" ];
+  #   # shell = "${pkgs.zsh}/bin/zsh";
+  #   shell = "/run/current-system/sw/bin/fish";
+  #
+  #   password = if config.virtualisation != null then "" else null;
+  # };
 
   environment.systemPackages = with pkgs; [
     beets
-    mediainfo
-    flac
 
-    recoll
-    uvccapture
-
-    # libratbag
+    piper
   ];
 
   services.thermald.enable = true;
 
-  virtualisation.docker.enable = true;
-  users.extraUsers.gebner.extraGroups = [ "docker" "libvirtd" ];
+  virtualisation.virtualbox.host = {
+    enable = true;
+    # enableExtensionPack = true;
+  };
+  # nixpkgs.config.allowUnfree = true;
 
-  # virtualisation.virtualbox.host.enable = true;
-
-  # virtualisation.libvirtd.enable = true;
+  virtualisation.libvirtd = {
+    enable = true;
+  };
   networking.firewall.checkReversePath = false;
-  # fileSystems."/var/lib/libvirt/images/vaccaria" = {
-  #   device = "//vaccaria.mtlaa.gebner.org/export/tmp/vms";
-  #   fsType = "cifs";
-  #   options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/vaccaria"
-  #     "forceuid" "forcegid" "uid=0" "gid=0" ];
-  # };
+  fileSystems."/var/lib/libvirt/images/vaccaria" = {
+    device = "//vaccaria.htdf.gebner.org/export/tmp/vms";
+    fsType = "cifs";
+    options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/vaccaria"
+      "forceuid" "forcegid" "uid=0" "gid=0" ];
+  };
 
-  hardware.opengl.driSupport32Bit = true;
+  hardware.opengl.extraPackages = with pkgs; [
+    rocm-opencl-icd
+    # rocm-runtime-ext
+  ];
 
   services.nix-serve = {
     enable = true;
@@ -72,8 +88,7 @@
 
   services.openssh.forwardX11 = true;
 
-  nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
-    # mesa_drivers = self.stable.mesa_drivers;
+  # nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
   #     mesa_drivers = self.mesaDarwinOr (
   #       let mo = self.mesa_noglu.override {
   #             llvmPackages = pkgs.llvmPackages_39;
@@ -82,9 +97,11 @@
   #           };
   #       in mo.drivers
   #     );
-  };
+  # };
 
+  #boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages_latest;
   # boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages;
+  # boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages_5_8;
 
   services.xserver = {
     videoDrivers = [ "amdgpu" ];
@@ -93,6 +110,17 @@
     '';
   };
 
-  services.transmission.enable = true;
+  services.postgresql = {
+    enable = true;
+    extraPlugins = [ pkgs.postgis ];
+  };
+
+  services.ratbagd.enable = true;
+
+  # virtualisation.anbox = {
+  #   enable = true;
+  # };
+
+  system.stateVersion = "18.03";
 
 }

atmega.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  services.udev.extraRules =
+    let action = '' OWNER := "gebner" ''; in ''
+    # Atmel ATMega32U4
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ff4", ${action}
+    # Atmel USBKEY AT90USB1287
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ffb", ${action}
+    # Atmel ATMega32U2
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ff0", ${action}
+  '';
+}

basic-tools.nix

@@ -6,7 +6,8 @@
     # nox
     wget
     neovim
-    zsh
+    neovim-remote
+    # zsh
     gitFull gitAndTools.hub tig
     gnumake
     m4
@@ -17,33 +18,45 @@
     pwgen
     gcc
     silver-searcher
+    ripgrep
     fzf
     tree
-    python
     python3
     python3Packages.ipython
+    lua
+    perl
     gdb
-    bind nmap tcpdump telnet
+    bind nmap tcpdump (pkgs.inetutils or telnet)
+    usbutils
     dstat
     which
     zip
     file
     unzip
     elinks
+    links2
     ctags
     nix-prefetch-scripts
-    nix-repl
+    (pkgs.wireguard-tools or pkgs.wireguard or pkgs.hello)
     jq
+    #b2sum
+    strace
+    ncdu
+    hyperfine
   ];
 
   environment.variables.EDITOR = "${pkgs.neovim}/bin/nvim";
 
-  programs.zsh = {
-    enable = true;
-    promptInit = "";
-  };
+  # programs.zsh = {
+  #   enable = true;
+  #   promptInit = "";
+  # };
 
   programs.bash = {
     enableCompletion = true;
   };
+
+  programs.fish = {
+    enable = true;
+  };
 }

bluez-alsa.nix

@@ -0,0 +1,69 @@
+{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook
+, alsaLib, bluez, glib, sbc, dbus
+
+# optional, but useful utils
+, readline, libbsd, ncurses
+
+# optional codecs
+, aacSupport ? true, fdk_aac
+# TODO: aptxSupport
+}:
+
+with stdenv.lib;
+
+stdenv.mkDerivation rec {
+  pname = "bluez-alsa";
+  version = "3.0.0";
+
+  src = fetchFromGitHub {
+    owner = "Arkq";
+    repo = "bluez-alsa";
+    rev = "v${version}";
+    sha256 = "1jlsgxyqfhncfhx1sy3ry0dp6p95kd4agh7g2b7g51h0c4cv74h8";
+  };
+
+  nativeBuildInputs = [ pkgconfig autoreconfHook ];
+
+  buildInputs = [
+    alsaLib bluez glib sbc dbus
+    readline libbsd ncurses
+  ]
+  ++ optional aacSupport fdk_aac;
+
+  configureFlags = [
+    "--with-alsaplugindir=${placeholder "out"}/lib/alsa-lib"
+    "--with-dbusconfdir=${placeholder "out"}/share/dbus-1/system.d"
+    "--enable-rfcomm"
+    "--enable-hcitop"
+    "--enable-msbc"
+  ]
+  ++ optional aacSupport "--enable-aac";
+
+  meta = {
+    description = "Bluez 5 Bluetooth Audio ALSA Backend";
+    longDescription = ''
+      Bluez-ALSA (BlueALSA) is an ALSA backend for Bluez 5 audio interface.
+      Bluez-ALSA registers all Bluetooth devices with audio profiles in Bluez
+      under a virtual ALSA PCM device called `bluealsa` that supports both
+      playback and capture.
+
+      Some backstory: Bluez 5 removed built-in support for ALSA in favor of a
+      generic interface for 3rd party appliations. Thereafter, PulseAudio
+      implemented a backend for that interface and became the only way to get
+      Bluetooth audio with Bluez 5. Users prefering ALSA stayed on Bluez 4.
+      However, Bluez 4 eventually became deprecated.
+
+      This package is a rebirth of a direct interface between ALSA and Bluez 5,
+      that, unlike PulseAudio, provides KISS near-metal-like experience. It is
+      not possible to run BluezALSA and PulseAudio Bluetooth at the same time
+      due to limitations in Bluez, but it is possible to run PulseAudio over
+      BluezALSA if you disable `bluetooth-discover` and `bluez5-discover`
+      modules in PA and configure it to play/capture sound over `bluealsa` PCM.
+    '';
+    homepage = src.meta.homepage;
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.oxij maintainers.lheckemann ];
+  };
+
+}

common-gui.nix

@@ -0,0 +1,132 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./pipewire.nix
+  ];
+
+  i18n.inputMethod = {
+    enabled = "fcitx5";
+    fcitx5.addons = with pkgs; [ fcitx5-mozc fcitx5-table-other fcitx5-m17n fcitx5-rime rime-data ];
+  };
+
+  fonts = {
+    enableDefaultFonts = false;
+    fontconfig = {
+      allowBitmaps = false;
+    };
+    fonts = with pkgs; [
+      # xorg.fontbhlucidatypewriter100dpi
+      # xorg.fontbhlucidatypewriter75dpi
+      # freefont_ttf
+      gyre-fonts # TrueType substitutes for standard PostScript fonts
+      # xorg.fontbh100dpi
+      # xorg.fontmiscmisc
+      # xorg.fontcursormisc
+      unifont
+
+      noto-fonts-emoji
+      noto-fonts-cjk
+
+      cantarell-fonts # from gnome3 module
+
+      merriweather
+      merriweather-sans
+      open-sans
+      # libertine # breaks 
+
+      dejavu_fonts
+      liberation_ttf
+      ubuntu_font_family
+
+      wqy_microhei
+      ipafont
+      ipaexfont
+      source-han-serif
+      source-han-sans
+
+      inconsolata
+      # iosevka
+      fira fira-mono fira-code
+      source-code-pro
+      stix-two
+
+      font-awesome_5
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    (writeScriptBin "gsd-xsettings"
+      ''
+        #!/bin/sh
+        exec ${gnome3.gnome-settings-daemon}/libexec/gsd-xsettings "$@"
+      '')
+
+    libinput
+    libnotify
+
+    gsettings-desktop-schemas
+  ];
+
+  # prevent satanic torture
+  qt.platformTheme = "qt5ct";
+
+  hardware.uinput.enable = true;
+  users.extraUsers.gebner.extraGroups = [ "input" "tty" "audio" "video" "uinput" ];
+
+  services.dbus.packages = with pkgs; [ gcr ];
+  services.udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
+
+  # copied from gnome3 module
+  security.polkit.enable = true;
+  services.udisks2.enable = true;
+  services.accounts-daemon.enable = true;
+  services.geoclue2.enable = true;
+  services.gnome.at-spi2-core.enable = true;
+  services.gnome.gnome-keyring.enable = true;
+  services.gvfs.enable = true;
+  programs.seahorse.enable = true;
+  services.gnome.sushi.enable = true;
+  services.gnome.gnome-settings-daemon.enable = true;
+  services.telepathy.enable = true;
+  networking.networkmanager.enable = true;
+  services.upower.enable = config.powerManagement.enable;
+  programs.dconf.enable = true;
+  services.gnome.glib-networking.enable = true;
+  services.flatpak.enable = true;
+  xdg.portal = {
+    enable = true;
+    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+  };
+  # Needed for themes and backgrounds
+  environment.pathsToLink = [ "/share" ];
+
+  hardware.bluetooth = {
+    enable = true;
+    package = pkgs.bluezFull;
+  };
+  services.blueman.enable = true;
+
+  programs.gnupg = {
+    agent.enable = true;
+    agent.pinentryFlavor = "gnome3";
+  };
+
+  # https://github.com/NixOS/nixpkgs/pull/54083
+  environment.extraSetup = ''
+    if [ -d  $out/share/gsettings-schemas/ ]; then
+      # Create the standard schemas directory
+      mkdir -p $out/share/glib-2.0/schemas
+      # symlink any schema files to the standard schema directory
+      for d in $out/share/gsettings-schemas/*; do
+        # Force symlink, in case there are duplicates
+        ln -fs $d/glib-2.0/schemas/*.xml $out/share/glib-2.0/schemas
+      done
+      # and compile them
+      if [ -w $out/share/glib-2.0/schemas ]; then
+        ${pkgs.glib.dev}/bin/glib-compile-schemas $out/share/glib-2.0/schemas
+      fi
+    fi
+  '';
+
+}

common-headless.nix

@@ -3,16 +3,17 @@
 {
   imports =
     [
-      /etc/nixos/hardware-configuration.nix
       ./basic-tools.nix
       ./common-sw.nix
     ];
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
-  nix.useSandbox = true;
-  nix.binaryCaches = [ https://cache.nixos.org ];
-  nix.trustedBinaryCaches = [ https://cache.nixos.org ];
+  nix.settings = {
+    sandbox = true;
+    substituters = [ "https://cache.nixos.org" ];
+    trusted-substituters = [ "https://cache.nixos.org" ];
+  };
   nix.extraOptions = ''
     auto-optimise-store = true
     binary-caches-parallel-connections = 10
@@ -21,13 +22,13 @@
   networking.networkmanager.enable = true;
   networking.firewall.enable = true;
 
-  time.timeZone = "Europe/Vienna";
+  time.timeZone = "Europe/Amsterdam";
 
   # Enable the OpenSSH daemon.
   services.openssh = {
     enable = true;
-    permitRootLogin = "no";
-    passwordAuthentication = false;
+    settings.PermitRootLogin = "no";
+    settings.PasswordAuthentication = false;
   };
   programs.ssh.startAgent = false;
 
@@ -36,16 +37,40 @@
   services.printing = {
     enable = true;
     browsing = true;
-    drivers = [ pkgs.stable.hplip ];
+    drivers = [ pkgs.hplip ];
   };
-  # services.colord.enable = true;
+
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+  };
+
+  virtualisation.containers.containersConf.settings = {
+    engine = {
+      cgroup_manager = "cgroupfs";
+    };
+  };
+
+  virtualisation.containers = {
+    registries.search = [ "docker.io" ];
+  };
+
+  virtualisation.lxd.enable = true;
+  virtualisation.lxd.recommendedSysctlSettings = true;
+  virtualisation.lxd.package = pkgs.lxd;
+  virtualisation.lxc.lxcfs.enable = true;
+
+  systemd.enableUnifiedCgroupHierarchy = pkgs.lib.mkForce true;
 
   boot.kernel.sysctl = {
     "kernel.perf_event_paranoid" = "0";
     "kernel.kptr_restrict" = pkgs.lib.mkForce "0";
 
     # IntelliJ
-    "fs.inotify.max_user_watches" = 524288;
+    "fs.inotify.max_user_watches" = pkgs.lib.mkDefault 524288;
+
+    # undo lxd "recommendedSysctlSettings"
+    "kernel.dmesg_restrict" = pkgs.lib.mkForce 0;
   };
 
   # gapt: `ulimit -n` was 256
@@ -54,31 +79,60 @@
   ];
 
   fileSystems."/mnt/vaccaria" = {
-    device = "//vaccaria.mtlaa.gebner.org/export";
+    device = "//vaccaria.htdf.gebner.org/export";
     fsType = "cifs";
-    options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/vaccaria" "vers=1.0" ];
+    options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/vaccaria" "vers=1.0"  ];
   };
 
   fileSystems."/mnt/aplysia" = {
-    device = "//aplysia.mtlaa.gebner.org/export";
+    device = "//aplysia.htdf.gebner.org/export";
     fsType = "cifs";
-    options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/aplysia" "vers=1.0" ];
+    options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/aplysia" "vers=1.0"  ];
   };
 
   fileSystems."/mnt/aruanus" = {
     device = "//aruanus.htdf.gebner.org/export";
     fsType = "cifs";
-    options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/aruanus" "vers=1.0" ];
+    options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/aruanus" "vers=1.0"  ];
   };
 
   users.extraUsers.gebner = {
     isNormalUser = true;
-    extraGroups = [ "wheel" "networkmanager" "transmission" ];
+    extraGroups = [
+      "wheel"
+      "networkmanager"
+      "audio"
+      "transmission"
+      "lxd"
+      "libvirtd"
+      "vboxusers"
+      "wireshark"
+    ];
     # shell = "${pkgs.zsh}/bin/zsh";
+    shell = "/run/current-system/sw/bin/fish";
 
     password = if config.virtualisation != null then "" else null;
   };
 
-  system.fsPackages = [ pkgs.ntfs3g ];
+  users.groups = {
+    transmission = {
+      gid = config.ids.gids.transmission;
+    };
+  };
+
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      # LC_TIME = "en_GB.UTF-8";
+      # LC_PAPER = "de_AT.UTF-8";
+    };
+    supportedLocales = [ "all" ]; # https://github.com/NixOS/nixpkgs/pull/177318
+  };
+
+  system.fsPackages = with pkgs; [
+    ntfs3g
+    exfatprogs
+  ];
 
 }

common-sw.nix

@@ -1,134 +1,111 @@
 { config, pkgs, ... }:
 
 {
+  imports = [
+    ./fix-firefox.nix
+  ];
+
   environment.systemPackages = with pkgs.haskellPackages; with pkgs; [
-    gitg
     gmpc
+    mpdevil
     m4
-    subversion
-    openjdk8
+    (pkgs.openjdk or pkgs.openjdk14 or pkgs.openjdk12 or pkgs.openjdk11 or pkgs.openjdk10 or openjdk8)
     sbt scala
-    stable.chromium
+    ungoogled-chromium
+    # chromium
+    firefox
     qalculate-gtk
-    speedcrunch
+    libqalculate
     viewnior
     gnupg
-    pass xclip pwgen
+    (pass.withExtensions (ext: [ ext.pass-otp ]))
+    xclip pwgen
     remmina
     ledger
-    hledger
-    hledger-diff
+    # hledger
+    # hledger-diff
     cmake ninja
+    bear
     mpv
-    stable.wireshark-gtk
     neomutt notmuch
-    stable.goldendict
     patchelf
-    bazaar
-    tokei loc
+    loc
+    tokei
     ripgrep
     imagemagick
     mercurial
+    (pkgs.man-pages or manpages)
 
-    androidenv.platformTools # adb & fastboot
+    dfeet
+
+    geoipWithDatabase
+
+    nix-index
+
+    alacritty
+
+    neovim-qt
+
+    clinfo
 
     lm_sensors
     hdparm
+    smartmontools
     lsof
 
     pdfpc
-
-    # haskell dev
-    cabal2nix
-    cabal-install
-    # ghc-mod
+    poppler_utils
 
     # emacs
     emacs
-    emacsPackages.cask
     ghostscript # for auctex
     aspell
 
-    nodejs
+    (pkgs.nodejs_latest or pkgs.nodejs-12_x or pkgs.nodejs-11_x or pkgs.nodejs-10_x or nodejs-9_x)
 
     mediainfo
 
     isync
-    mu
     msmtp
     vdirsyncer khard khal
 
+    rclone
+    duplicity
+    restic
+    magic-wormhole
+
     linuxPackages.perf
 
+    qrencode zbar
+
     veriT
     minisat
     picosat
     glucose
     prover9
     eprover
+    vampire
     metis-prover
     spass
     z3
-    stable.cvc4
+    cvc4
     graphviz
+    open-wbo
     # toysolver
-    oldstable.haskellPackages.tip-lib
-
-    emacsPackages.proofgeneral
-
-    oldstablePkgs # protect nixpkgs checkout from GC
-    stablePkgs
-  ] ++ (with aspellDicts; [ en de fr nl ]);
-
-  nixpkgs.config.packageOverrides = pkgs: with pkgs; let
-    fetchNixPkgs = { rev, sha256 }:
-    fetchFromGitHub {
-      inherit sha256 rev;
-      owner = "NixOS";
-      repo = "nixpkgs-channels";
-    };
-    oldstablePkgs = fetchNixPkgs {
-      rev = "5237768d62a40236d24fafbd9f4f97f3227399ce";
-      sha256 = "1j707pwm6ll2cvmqvwfxxq21gd9q7l6s3vi3vc01jklplj2v20is";
-    };
-    stablePkgs = fetchNixPkgs {
-      rev = "19879836d10f64a10658d1e2a84fc54b090e2087";
-      sha256 = "1x41ch2mgzs85ivvyp3zqkbh4i0winjg69g5x0p3q7avgrhkl7ph";
-    };
-  in {
-    # idea-community-eap = pkgs.idea.idea-community.overrideDerivation (oldAttrs: rec {
-    #     name = "idea-community-${version}";
-    #     version = "2017.2.eap";
-    #     src = pkgs.fetchurl {
-    #       url = "https://download.jetbrains.com/idea/ideaIC-172.3544.6-no-jdk.tar.gz";
-    #       sha256 = "72874a0393a6388b04353a359eea1d1242f59d6e7b96a4cf43c793602ac7ccdb";
-    #     };
-    #   });
-    idea-community-eap = pkgs.idea.idea-community;
-
-    # clion-eap = pkgs.idea.clion.overrideDerivation (oldAttrs: rec {
-    #   name = "clion-${version}";
-    #   version = "2017.1.eap";
-    #   src = pkgs.fetchurl {
-    #     url = "http://download.jetbrains.com/cpp/CLion-2017.1-RC.tar.gz";
-    #     sha256 = "1rv9rcjv4kv39l9r4g5kqbd4y175301a6kr3js3szkjmhqd50qq3";
-    #   };
-    # });
-    clion-eap = pkgs.idea.clion;
-
-    # neovim = pkgs.neovim.override {
-    #   extraPythonPackages = [ pkgs.pythonPackages.websocket_client ];
-    # };
-
-    oldstablePkgs = oldstablePkgs;
-    oldstable = import oldstablePkgs {};
-    stablePkgs = stablePkgs;
-    stable = import stablePkgs {};
-
-    qutebrowser = pkgs.qutebrowser.override { withWebEngineDefault = true; };
-  };
+  ] ++ (with aspellDicts; [ en de fr nl ])
+    ++ (with gst_all_1; [ gstreamer gstreamer.dev
+      gst-plugins-bad gst-plugins-good gst-plugins-base gst-plugins-ugly ]);
 
   nixpkgs.config.allowTexliveBuilds = true;
   nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.allowUnfreePredicate = (pkg: true);
+  nixpkgs.config.android_sdk.accept_license = true;
+
+  programs.adb.enable = true;
+  users.extraUsers.gebner.extraGroups = [ "adbusers" ];
+
+  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+    khal = pkgs.khal.overridePythonAttrs (_: { doCheck = false; });
+  };
 
 }

common.nix

@@ -1,10 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports =
-    [
-      ./common-headless.nix
-      ./i3.nix
-    ];
-
-}

decoysnail.nix

@@ -3,18 +3,53 @@
 {
   imports =
     [
-      ./common.nix
+      ./common-headless.nix
+      # ./i3.nix
+      ./sway.nix
       ./large-sw.nix
       ./uefi.nix
+      ./fstrim.nix
+      ./atmega.nix
+      ./v4l2loopback.nix
+      ./huion.nix
+      ./nvim05.nix
+      ./nm-restart.nix
     ];
 
-  boot.initrd.luks.devices = [
-    {
-      name = "sda2_crypt";
-      device = "/dev/disk/by-uuid/6c687d35-1b43-4799-b71c-a5b5c21b3e2a";
-      preLVM = true;
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/a16ae3f7-11df-47fc-a8df-f22c474ec1c1";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/3C5C-049B";
+      fsType = "vfat";
+    };
+
+  #swapDevices = [
+  #  { device = "/dev/disk/by-uuid/b7274abd-58a5-4acc-8481-30e105e94eec"; }
+  #];
+
+  nix.settings.max-jobs = pkgs.lib.mkDefault 6;
+  powerManagement.cpuFreqGovernor = pkgs.lib.mkDefault "powersave";
+
+  environment.etc."lvm/lvm.conf".text = ''
+    devices {
+      issue_discards = 1
     }
-  ];
+  '';
+  boot.initrd.luks.devices = {
+    sda_crypt = {
+      device = "/dev/disk/by-partuuid/00292928-0088-4887-9e5d-2f2eccb4816f";
+      preLVM = true;
+      allowDiscards = true;
+    };
+  };
 
   networking = {
     hostName = "decoysnail";
@@ -27,14 +62,56 @@
 
   services.thermald.enable = true;
 
-  virtualisation.docker = {
-    enable = true;
-    storageDriver = "overlay2";
+  hardware.opengl = {
+    extraPackages = with pkgs; [ beignet ];
+    driSupport32Bit = true;
   };
-  users.extraUsers.gebner.extraGroups = [ "docker" ];
 
-  hardware.opengl.driSupport32Bit = true;
+  #services.avahi.nssmdns = true;
+  #services.nscd.enable = pkgs.lib.mkOverride 10 true;
 
-  services.avahi.nssmdns = true;
+  services.openssh.forwardX11 = true;
+
+  system.stateVersion = "19.09";
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = ["10.59.0.4/16"];
+    privateKeyFile = "/etc/wgkeys/decoysnail";
+    allowedIPsAsRoutes = true;
+    postSetup = ''
+      ${pkgs.systemd}/bin/resolvectl domain wg0 '~htdf.gebner.org' '~mtlaa.gebner.org' '~ams.gebner.org'
+      ${pkgs.systemd}/bin/resolvectl dns wg0 10.57.0.1
+    '';
+    peers = [{
+      publicKey = "ByLlJbevlTBooAo2RIZGGJvBHKqA9qiOpHBvR5yuJX4=";
+      allowedIPs = ["10.56.0.0/14" "10.60.1.1"];
+      # endpoint = "mtlaa-gw.gebner.org:35869";
+      # endpoint = "84.112.114.160:35869";
+      endpoint = "127.0.0.1:35869";
+      persistentKeepalive = 25;
+    }];
+  };
+
+  systemd.services.wstunnel = {
+    path = [ pkgs.wstunnel ];
+    wantedBy = [ "wireguard-wg0.service" ];
+    after = [ "network.target" ];
+    script = ''
+      wstunnel -L 35869:htdf-gw.gebner.org:35869 -u wss://gebner.org
+    '';
+  };
+
+  services.resolved = {
+    domains = [];
+    enable = true;
+  };
+
+  # services.xserver = {
+  #   videoDrivers = [ "intel" ];
+  # };
+
+  fonts.fontconfig = {
+    subpixel.rgba = "none";
+  };
 
 }

euhadra.nix

@@ -1,11 +1,16 @@
 { config, pkgs, ... }:
 
+let mpdStreamingPort = 8080; in
 {
   imports =
     [
-      ./common.nix
+      /etc/nixos/hardware-configuration.nix
+      ./common-headless.nix
+      ./sway.nix
       ./uefi.nix
       ./fstrim.nix
+      # ./nebula.nix
+      ./tailscale.nix
     ];
 
   environment.etc."lvm/lvm.conf".text = ''
@@ -13,27 +18,44 @@
       issue_discards = 1
     }
   '';
-  boot.initrd.luks.devices = [
-    {
-      name = "euhadra_crypt";
+  boot.initrd.luks.devices = {
+    euhadra_crypt = {
       device = "/dev/disk/by-uuid/328a9ede-0958-490b-8e82-62b06b839e21";
       preLVM = true;
       allowDiscards = true;
-    }
-  ];
+    };
+  };
 
   networking.hostName = "euhadra";
   networking.hostId = "ddb5f0fd";
 
+  hardware.cpu.intel.updateMicrocode = true;
+
   services.mpd = {
     enable = true;
-    network.listenAddress = "any";
-    musicDirectory = "/mnt/vaccaria/music";
+    # network.listenAddress = "127.0.0.1";
+    musicDirectory = "/mnt/aplysia/music";
     extraConfig = ''
+      bind_to_address "10.59.0.6"
+      bind_to_address "100.97.134.100"
+
+      # audio_output {
+      #   type "alsa"
+      #   name "dac"
+      #   device "sysdefault:CARD=QAMP"
+      # }
+
       audio_output {
-        type "alsa"
-        name "dac"
-        device "sysdefault:CARD=QAMP"
+        type "pulse"
+        name "pulse"
+        server "127.0.0.1"
+      }
+
+      audio_output {
+        type "httpd"
+        name "http"
+        encoder "flac"
+        port "${toString mpdStreamingPort}"
       }
 
       replaygain "auto"
@@ -41,9 +63,43 @@
     '';
   };
 
+  services.pipewire = {
+    config.pipewire-pulse = {
+      "pulse.properties"."server.address" = [
+        "unix:native"
+        "tcp:127.0.0.1:4713"
+        "tcp:100.97.134.100:4713"
+      ];
+    };
+  };
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = ["10.59.0.6/16"];
+    privateKeyFile = "/etc/wgkeys/euhadra";
+    allowedIPsAsRoutes = true;
+    postSetup = ''
+      ${pkgs.systemd}/bin/resolvectl domain wg0 '~htdf.gebner.org' '~mtlaa.gebner.org' '~ams.gebner.org'
+      ${pkgs.systemd}/bin/resolvectl dns wg0 10.58.0.1
+    '';
+    peers = [{
+      publicKey = "ByLlJbevlTBooAo2RIZGGJvBHKqA9qiOpHBvR5yuJX4=";
+      allowedIPs = ["10.56.0.0/14" "10.60.1.1"];
+      endpoint = "htdf-gw.gebner.org:35869";
+      # endpoint = "80.109.29.104:35869";
+      # endpoint = "127.0.0.1:35869";
+    }];
+  };
+  # systemd.services.wireguard-wg0.wantedBy = pkgs.lib.mkOverride 10 [];
+
+  services.resolved = {
+    domains = [];
+    enable = true;
+  };
+
   networking.firewall.allowedTCPPorts = [
     config.services.mpd.network.port
     4713 # pulseaudio
+    mpdStreamingPort # mpd streaming
   ];
 
   environment.systemPackages = with pkgs; [ mpc_cli ];
@@ -52,15 +108,19 @@
 
   nixpkgs.config.mpv.vaapiSupport = true;
 
-  hardware.pulseaudio = {
-    zeroconf.publish.enable = true;
-    tcp = {
-      enable = true;
-      anonymousClients.allowedIpRanges = [
-        "127.0.0.1"
-        "10.57.0.0/16"
-      ];
-    };
-  };
+  # hardware.pulseaudio = {
+  #   systemWide = true;
+  #   zeroconf.publish.enable = true;
+  #   tcp = {
+  #     enable = true;
+  #     anonymousClients.allowedIpRanges = [
+  #       "127.0.0.1"
+  #       "10.57.0.0/16"
+  #     ];
+  #   };
+  # };
 
+  system.stateVersion = "22.05";
+
+  time.timeZone = pkgs.lib.mkOverride 10 "US/Pacific";
 }

fix-firefox.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+# unreserve ctrl+w shortcuts
+
+{
+  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+    firefox-unwrapped = stdenv.mkDerivation {
+      inherit (firefox-unwrapped) name version;
+
+      nativeBuildInputs = [ unzip zip ];
+
+      buildCommand = ''
+        mkdir -p $out
+        cp -ra ${firefox-unwrapped}/. $out/.
+        chmod +w -R $out
+        sed -i "s|${firefox-unwrapped}|$out|g" $out/bin/firefox
+
+        j=$out/lib/firefox/browser/omni.ja
+        f=localization/en-US/browser/browserSets.ftl
+        mkdir browser
+        cd browser
+        # corrupt zip files??
+        unzip $j || true
+        patch $f <${./fix-firefox.patch}
+        rm $j
+        zip -0DXqr $j *
+      '';
+
+      inherit (firefox-unwrapped) meta;
+      passthru = {
+        inherit (firefox-unwrapped.passthru) version isFirefox3Like gtk
+          nspr gssSupport browserName ffmpegSupport gtk3 binaryName;
+      };
+    };
+  };
+}
+

fix-firefox.patch

@@ -0,0 +1,31 @@
+--- localization/en-US/browser/browserSets.ftl~	2020-08-31 11:28:51.148881026 +0200
++++ localization/en-US/browser/browserSets.ftl	2020-08-31 19:07:11.687530527 +0200
+@@ -9,16 +9,16 @@
+     .label = Zoom
+ 
+ window-new-shortcut =
+-    .key = N
++    .keycode = VK_F20
+ 
+ window-minimize-shortcut =
+     .key = M
+ 
+ close-shortcut =
+-    .key = W
++    .keycode = VK_F17
+ 
+ tab-new-shortcut =
+-    .key = T
++    .key = T
+ 
+ location-open-shortcut =
+     .key = L
+@@ -185,7 +185,7 @@
+ ## global menu.
+ 
+ quit-app-shortcut =
+-    .key = Q
++    .keycode = VK_F18
+ 
+ help-shortcut =
+     .key = ?

flake.lock

@@ -0,0 +1,62 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1638122382,
+        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1693158576,
+        "narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "flake-utils": "flake-utils"
+      },
+      "locked": {
+        "lastModified": 1638172912,
+        "narHash": "sha256-jxhQGNEsZTdop/Br3JPS+xmBf6t9cIWRzVZFxbT76Rw=",
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "rev": "166d6ebd9f0de03afc98060ac92cba9c71cfe550",
+        "type": "github"
+      },
+      "original": {
+        "owner": "gytis-ivaskevicius",
+        "ref": "v1.3.1",
+        "repo": "flake-utils-plus",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,35 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    utils.url = "github:gytis-ivaskevicius/flake-utils-plus/v1.3.1";
+
+    # neovim-overlay = {
+    #   url = "github:nix-community/neovim-nightly-overlay";
+    #   inputs.nixpkgs.follows = "nixpkgs";
+    # };
+  };
+
+  outputs = inputs@{ self, nixpkgs, utils, ... }: utils.lib.mkFlake {
+    inherit self inputs;
+
+    channels.nixpkgs.input = nixpkgs;
+
+    channels.nixpkgs.patches = [ ];
+
+    nix.generateRegistryFromInputs = true;
+
+    hostDefaults = {
+      modules = [
+        ({ ... }: { nix.extraOptions = "warn-dirty = false"; })
+      ];
+    };
+
+    hosts = {
+      petalius.modules = [ ./petalius.nix ];
+      flammea.modules = [ ./flammea.nix ];
+      decoysnail.modules = [ ./decoysnail.nix ];
+    };
+
+  };
+}

flammea.nix

@@ -0,0 +1,195 @@
+{ config, pkgs, ... }:
+
+let mpdStreamingPort = 8080; in
+{
+  imports =
+    [
+      ./common-headless.nix
+      # ./sway.nix
+      # ./i3.nix
+      ./gnome3.nix
+      ./large-sw.nix
+      ./uefi.nix
+      ./fstrim.nix
+      # ./qemu-user.nix
+      ./atmega.nix
+      ./v4l2loopback.nix
+      ./huion.nix
+      ./spacenav.nix
+      ./nvim05.nix
+      ./nm-restart.nix
+      ./tailscale.nix
+    ];
+
+  hardware.enableRedistributableFirmware = true;
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [
+    "kvm-amd"
+    "zenpower"
+  ];
+  boot.extraModulePackages = [ ];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/3b8c5c8a-fff2-49ba-98bd-ceb01d6d57c3";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1FA2-93AB";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  environment.etc."lvm/lvm.conf".text = ''
+    devices {
+      issue_discards = 1
+    }
+  '';
+  boot.initrd.luks.devices = {
+    nvme0n1p2_crypt = {
+      device = "/dev/disk/by-uuid/0fd33358-83dc-4acd-b6b8-0f079082367e";
+      preLVM = true;
+      allowDiscards = true;
+    };
+  };
+
+  networking.hostName = "flammea"; # Define your hostname.
+  networking.hostId = "390adc00";
+
+  hardware.cpu.amd.updateMicrocode = true;
+
+  networking.interfaces."enp42s0".wakeOnLan.enable = true;
+
+  # users.extraUsers.presentation = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "networkmanager" "audio" ];
+  #   # shell = "${pkgs.zsh}/bin/zsh";
+  #   shell = "/run/current-system/sw/bin/fish";
+  #
+  #   password = if config.virtualisation != null then "" else null;
+  # };
+
+  environment.systemPackages = with pkgs; [
+    beets
+    piper
+    ddcutil
+    ddcui
+  ];
+
+  services.thermald.enable = true;
+
+  virtualisation.virtualbox.host = {
+    enable = true;
+    enableExtensionPack = true;
+  };
+  # nixpkgs.config.allowUnfree = true;
+
+  # virtualisation.libvirtd = {
+  #   enable = true;
+  # };
+  # networking.firewall.checkReversePath = false;
+  # fileSystems."/var/lib/libvirt/images/vaccaria" = {
+  #   device = "//vaccaria.htdf.gebner.org/export/tmp/vms";
+  #   fsType = "cifs";
+  #   options = [ "noauto" "x-systemd.automount" "credentials=/etc/smbcredentials/vaccaria"
+  #     "forceuid" "forcegid" "uid=0" "gid=0" ];
+  # };
+
+  hardware.opengl.extraPackages = with pkgs; [
+    rocm-opencl-icd
+    rocm-runtime
+  ];
+
+  # services.nix-serve = {
+  #   enable = true;
+  #   secretKeyFile = "/etc/nix-serve/secret.key";
+  # };
+  # networking.firewall.allowedTCPPorts = [ config.services.nix-serve.port ];
+
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+
+  services.openssh.settings.X11Forwarding = true;
+
+  fileSystems."/mnt/aplysia".device = pkgs.lib.mkOverride 10 "//aplysia.auroch-boa.ts.net/export";
+
+  time.timeZone = pkgs.lib.mkOverride 10 "US/Pacific";
+
+  # nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
+  #     mesa_drivers = self.mesaDarwinOr (
+  #       let mo = self.mesa_noglu.override {
+  #             llvmPackages = pkgs.llvmPackages_39;
+  #             grsecEnabled = false;
+  #             enableTextureFloats = true;
+  #           };
+  #       in mo.drivers
+  #     );
+  # };
+
+  boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages_6_1;
+
+  # services.xserver = {
+  #   videoDrivers = [ "amdgpu" ];
+  #   deviceSection = ''
+  #     Option "TearFree" "on"
+  #   '';
+  # };
+
+  services.ratbagd.enable = true;
+
+  # virtualisation.anbox = {
+  #   enable = true;
+  # };
+
+  services.udev.extraRules = ''
+    # allow admin use of i2c devices
+    ACTION=="add", KERNEL=="i2c-[0-9]*", GROUP="wheel", MODE="666"
+  '';
+
+  system.stateVersion = "22.11";
+
+  # services.mpd = {
+  #   enable = true;
+  #   # network.listenAddress = "127.0.0.1";
+  #   # musicDirectory = "/mnt/aplysia/music";
+  #   musicDirectory = "/home/gebner/Music";
+  #   user = "gebner";
+  #   extraConfig = ''
+  #     bind_to_address "100.125.210.32"
+  #
+  #     # audio_output {
+  #     #   type "alsa"
+  #     #   name "dac"
+  #     #   device "sysdefault:CARD=QAMP"
+  #     # }
+  #
+  #     audio_output {
+  #       type "pulse"
+  #       name "pulse"
+  #       server "127.0.0.1"
+  #     }
+  #
+  #     audio_output {
+  #       type "httpd"
+  #       name "http"
+  #       encoder "flac"
+  #       port "${toString mpdStreamingPort}"
+  #     }
+  #
+  #     replaygain "auto"
+  #     restore_paused "yes"
+  #   '';
+  # };
+  #
+  # environment.etc."pipewire/pipewire-pulse.conf.d/listen.conf".text = ''
+  #   pulse.properties = {
+  #     server.address = [
+  #       "unix:native"
+  #       "tcp:127.0.0.1:4713"
+  #       # "tcp:100.97.134.100:4713"
+  #     ]
+  #   }
+  # '';
+}

freecad-asm3.nix

@@ -0,0 +1,78 @@
+with import <nixpkgs> { }; let der =
+
+{ stdenv, mkDerivation, fetchFromGitHub, fetchpatch, cmake, ninja, coin3d,
+xercesc, ode, eigen, qtbase, qttools, qtwebengine, qtxmlpatterns, wrapQtAppsHook,
+opencascade-occt, gts, hdf5, vtk, medfile, zlib, python3Packages, swig,
+gfortran, libXmu, soqt, libf2c, libGLU, makeWrapper, pkgconfig, mpi ? null }:
+
+let
+  pythonPackages = python3Packages;
+in mkDerivation rec {
+  pname = "freecad-assembly3";
+  version = "08.18";
+
+  src = fetchFromGitHub {
+    owner = "realthunder";
+    repo = "FreeCAD";
+    rev = "04c80c99eee0f7d2f761bdc7d8b32c077adefdec";
+    sha256 = "1f40biy2gc16awb233lha77xabwf2p3jvzzjrp0lnsl2gk4l9w8h";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    ninja
+    pkgconfig
+    pythonPackages.pyside2-tools
+    wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    cmake coin3d xercesc ode eigen opencascade-occt gts
+    zlib swig gfortran soqt libf2c makeWrapper mpi vtk hdf5 medfile
+    libGLU libXmu qtbase qttools qtwebengine qtxmlpatterns
+  ] ++ (with pythonPackages; [
+    matplotlib pycollada shiboken2 pyside2 pyside2-tools pivy python boost
+  ]);
+
+  cmakeFlags = [
+    "-DBUILD_QT5=ON"
+    "-DSHIBOKEN_INCLUDE_DIR=${pythonPackages.shiboken2}/include"
+    "-DSHIBOKEN_LIBRARY=Shiboken2::libshiboken"
+    ("-DPYSIDE_INCLUDE_DIR=${pythonPackages.pyside2}/include"
+      + ";${pythonPackages.pyside2}/include/PySide2/QtCore"
+      + ";${pythonPackages.pyside2}/include/PySide2/QtWidgets"
+      + ";${pythonPackages.pyside2}/include/PySide2/QtGui"
+      )
+    "-DPYSIDE_LIBRARY=PySide2::pyside2"
+  ];
+
+  # This should work on both x86_64, and i686 linux
+  preBuild = ''
+    export NIX_LDFLAGS="-L${gfortran.cc}/lib64 -L${gfortran.cc}/lib $NIX_LDFLAGS";
+  '';
+
+  # Their main() removes PYTHONPATH=, and we rely on it.
+  preConfigure = ''
+    sed '/putenv("PYTHONPATH/d' -i src/Main/MainGui.cpp
+
+    qtWrapperArgs+=(--prefix PYTHONPATH : "$PYTHONPATH")
+  '';
+
+  qtWrapperArgs = [
+    "--set COIN_GL_NO_CURRENT_CONTEXT_CHECK 1"
+  ];
+
+  postFixup = ''
+    mv $out/share/doc $out
+  '';
+
+  meta = with stdenv.lib; {
+    description = "General purpose Open Source 3D CAD/MCAD/CAx/CAE/PLM modeler";
+    homepage = "https://www.freecadweb.org/";
+    license = licenses.lgpl2Plus;
+    maintainers = with maintainers; [ viric gebner ];
+    platforms = platforms.linux;
+  };
+}
+
+; in libsForQt514.callPackage der { mpi = openmpi; }

fstrim.nix

@@ -8,7 +8,7 @@
       Type = "oneshot";
     };
 
-    script = "fstrim -v /";
+    script = "${pkgs.utillinux.bin}/bin/fstrim -v /";
 
     startAt = "04:00";
   };

gnome3.nix

@@ -1,30 +1,106 @@
 { config, pkgs, ... }:
 
 {
-  programs.ibus.enable = true;
-  programs.ibus.plugins = [ pkgs.ibus-anthy pkgs.mozc ];
-
-  environment.systemPackages = with pkgs; [
-    xlibs.xwininfo # for gnome maximus extension
-    unzip
-    gnome3.libgweather
+  imports = [
+    ./pipewire.nix
   ];
 
+  i18n.inputMethod = {
+    enabled = "ibus";
+    ibus.engines = with pkgs.ibus-engines; [ mozc table-others m17n rime ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    gnome.gnome-tweaks
+    pavucontrol
+    paprefs
+    playerctl
+    xorg.xlsclients
+    gthumb
+  ];
+
+  hardware.pulseaudio.enable = false;
+
   fonts = {
+    enableDefaultFonts = false;
+    fontconfig = {
+      allowBitmaps = false;
+    };
     fonts = with pkgs; [
-      inconsolata
-      dejavu_fonts
-      ipafont
+      # xorg.fontbhlucidatypewriter100dpi
+      # xorg.fontbhlucidatypewriter75dpi
+      # freefont_ttf
+      gyre-fonts # TrueType substitutes for standard PostScript fonts
+      # xorg.fontbh100dpi
+      # xorg.fontmiscmisc
+      # xorg.fontcursormisc
       unifont
+
+      noto-fonts-emoji
+      noto-fonts-cjk
+
+      cantarell-fonts # from gnome3 module
+
+      merriweather
+      merriweather-sans
+      open-sans
+      # libertine # breaks 
+
+      dejavu_fonts
+      liberation_ttf
       ubuntu_font_family
+
+      wqy_microhei
+      ipafont
+      ipaexfont
+      source-han-serif
+      source-han-sans
+
+      inconsolata
+      iosevka
+      fira fira-mono fira-code
+      source-code-pro
+      stix-two
+
+      font-awesome_5
     ];
   };
 
-  services.xserver.enable = true;
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.displayManager.desktopManagerHandlesLidAndPower = false;
-  services.xserver.desktopManager.gnome3.enable = true;
-  services.xserver.layout = "us";
-  services.xserver.xkbVariant = "altgr-intl";
-  services.xserver.xkbOptions = "caps:ctrl_modifier";
+  # prevent satanic torture
+  qt.platformTheme = "qt5ct";
+
+  hardware.uinput.enable = true;
+  users.extraUsers.gebner.extraGroups = [ "input" "tty" "audio" "video" "uinput" ];
+
+  hardware.bluetooth = {
+    enable = true;
+    package = pkgs.bluezFull;
+  };
+  services.blueman.enable = true;
+
+  programs.gnupg = {
+    agent.enable = true;
+    agent.pinentryFlavor = "gnome3";
+  };
+
+  services.xserver = {
+    enable = true;
+    # libinput.enable = true;
+    displayManager.gdm.enable = true;
+    # displayManager.defaultSession = "gnome";
+
+    desktopManager.gnome = {
+      enable = true;
+    };
+  };
+
+  # rust winit's wayland support is broken for input methods
+  environment.sessionVariables.WINIT_UNIX_BACKEND = "x11";
+
+  # services.xserver.enable = true;
+  # services.xserver.displayManager.gdm.enable = true;
+  # services.xserver.displayManager.desktopManagerHandlesLidAndPower = false;
+  # services.xserver.layout = "us";
+  # services.xserver.xkbVariant = "altgr-intl";
+  # services.xserver.xkbOptions = "caps:ctrl_modifier";
 }

huion.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+  services.xserver.digimend.enable = true;
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="input", ENV{ID_BUS}=="usb" ENV{ID_VENDOR_ID}=="256c", \
+      ATTRS{name}=="* Touch *", ENV{ID_INPUT.tags}="low_res_touch"
+  '';
+}

i3.nix

@@ -1,71 +1,43 @@
 { config, pkgs, ... }:
 
 {
-  # programs.ibus.enable = true;
-  # programs.ibus.plugins = [ pkgs.ibus-anthy pkgs.mozc ];
-  i18n.inputMethod = {
-    enabled = "fcitx";
-    fcitx.engines = with pkgs.fcitx-engines; [ mozc anthy table-other m17n ];
-  };
+  imports = [
+    ./common-gui.nix
+  ];
 
-  environment.systemPackages = with pkgs; with gnome3; [
+  environment.systemPackages = with pkgs; [
     i3
     i3status
     rofi
     rofi-pass
-    pa_applet
     feh
-    gnome_keyring
+    gnome3.gnome-keyring
     networkmanagerapplet
-    gnome_terminal
-    nautilus # in closure of gnome-terminal anyhow
-    colord
+    gnome3.nautilus # in closure of gnome-terminal anyhow
+    pcmanfm
+    # colord
     evince
     arandr
-    xss-lock i3lock
+    xss-lock i3lock i3lock-color
     xdotool
     scrot
     pavucontrol
-    dconf-editor
+    pasystray
+    gnome3.dconf-editor
+    unclutter-xfixes
+    dunst
+
+    xorg.xev
 
     # gnome3 core packages
-    desktop_file_utils shared_mime_info
+    desktop-file-utils shared-mime-info
     glib gtk3
-    glib_networking gvfs dconf
-    gnome_settings_daemon
-    gnome_themes_standard defaultIconTheme
-    hicolor_icon_theme
+    glib-networking gvfs dconf
+    gnome3.gnome-settings-daemon
+    gnome-themes-extra gnome3.adwaita-icon-theme
+    hicolor-icon-theme
   ];
 
-  fonts = {
-    enableDefaultFonts = false;
-    fonts = with pkgs; [
-      xorg.fontbhlucidatypewriter100dpi
-      xorg.fontbhlucidatypewriter75dpi
-      dejavu_fonts
-      freefont_ttf
-      gyre-fonts # TrueType substitutes for standard PostScript fonts
-      liberation_ttf
-      xorg.fontbh100dpi
-      xorg.fontmiscmisc
-      xorg.fontcursormisc
-      # unifont
-
-      wqy_microhei
-      inconsolata
-      dejavu_fonts
-      ipafont
-      ipaexfont
-      # unifont
-      ubuntu_font_family
-      source-code-pro
-      fira
-      stable.noto-fonts-emoji
-
-      cantarell_fonts # from gnome3 module
-    ];
-  };
-
   services.xserver = {
     enable = true;
 
@@ -75,21 +47,21 @@
       # # slim.autoLogin = true;
 
       lightdm.enable = true;
+      # startx.enable = true;
+      # sddm.enable = true;
+
+      defaultSession = "i3wm";
     };
 
     desktopManager = {
-      default = "i3wm";
       xterm.enable = false;
 
       session = [ {
         name = "i3wm";
         start = ''
           export XDG_DATA_DIRS=/run/current-system/sw/share/''${XDG_DATA_DIRS:+:}$XDG_DATA_DIRS
-          export $(${pkgs.gnome3.gnome_keyring}/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh,gpg)
-          export XDG_CURRENT_DESKTOP=GNOME
-          for m in xsettings; do
-            ${pkgs.gnome3.gnome_settings_daemon}/libexec/gsd-$m &
-          done
+          export $(${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
+          export XDG_CURRENT_DESKTOP=X-Generic
           i3 &
           waitPID=$!
         '';
@@ -98,48 +70,13 @@
 
     updateDbusEnvironment = true;
 
-    windowManager = {
-      default = "i3";
-      i3.enable = true;
-    };
-
     layout = "us";
     xkbVariant = "altgr-intl";
     xkbOptions = "caps:ctrl_modifier";
   };
 
-  services.dbus.packages = with pkgs; [ dunst gnome3.gcr ];
-  services.udev.packages = [ pkgs.gnome3.gnome_settings_daemon ];
-
-  # copied from gnome3 module
-  security.polkit.enable = true;
-  services.udisks2.enable = true;
-  services.accounts-daemon.enable = true;
-  services.geoclue2.enable = true;
-  services.gnome3.at-spi2-core.enable = true;
-  # services.gnome3.evolution-data-server.enable = true;
-  # services.gnome3.gnome-documents.enable = true;
-  services.gnome3.gnome-keyring.enable = true;
-  #services.gnome3.gnome-online-accounts.enable = true;
-  # services.gnome3.gnome-user-share.enable = true;
-  services.gnome3.gvfs.enable = true;
-  services.gnome3.seahorse.enable = true;
-  services.gnome3.sushi.enable = true;
-  # services.gnome3.tracker.enable = true;
-  services.telepathy.enable = true;
-  networking.networkmanager.enable = true;
-  services.upower.enable = config.powerManagement.enable;
-  hardware.bluetooth.enable = true;
-  # Needed for themes and backgrounds
-  environment.pathsToLink = [ "/share" ];
-  environment.variables.GIO_EXTRA_MODULES = with pkgs.gnome3; [
-    "${pkgs.lib.getLib dconf}/lib/gio/modules"
-    "${glib_networking.out}/lib/gio/modules"
-    "${gvfs}/lib/gio/modules" ];
-
-  hardware.pulseaudio = {
-    enable = true;
-    zeroconf.discovery.enable = true;
-  };
+  # services.dbus.socketActivated = true;
+  services.dbus.packages = with pkgs; [ dunst ];
+  systemd.packages = [ pkgs.dunst ];
 
 }

large-sw.nix

@@ -2,35 +2,65 @@
 
 {
   environment.systemPackages = with pkgs.haskellPackages; with pkgs; [
-    idea-community-eap
-    clion-eap
+    jetbrains.idea-community
+    # idea.clion
     texlive.combined.scheme-full biber
-    stable.gimp
-    stable.inkscape
-    jabref
-    stable.libreoffice-fresh
-    stable.calibre
+    gimp
+    inkscape
+    # jabref
+    libreoffice-fresh
+    # calibre
+    # goldendict
 
-    # qutebrowser
-
-    open-wbo # only in 17.09+
+    xournal
+    xournalpp
 
     vscode
-    clang
 
-    stack
+    ccls
+    sumneko-lua-language-server
+    texlab
+    rnix-lsp
+    pyright
+    nodePackages.typescript-language-server
+    rust-analyzer
 
-    stable.coq_8_6
+    # stack
 
-    # cargo rustc
+    elan
+    # coq
+    # emacsPackages.proofgeneral
+
+    # virtmanager
+
+    (if lib.hasAttr "curaPlugins" pkgs then
+      cura.override {
+        plugins = with curaPlugins; [ octoprint rawmouse ];
+      }
+     else cura)
+    openscad
+    freecad
+    calculix
+    meshlab
+
+    audacious
+    flac
+    clementine
+
+    uvccapture
+
+    yarn
+
+    gnome3.baobab
+
+    rustup
   ] ++ (with aspellDicts; [ en de fr nl ]);
 
-  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
-    myemacs = emacs25.override {
-      withGTK2 = false;
-      withGTK3 = true;
-      withXwidgets = true;
-    };
+  programs.wireshark = {
+    enable = true;
+    package = pkgs.wireshark;
   };
 
+  hardware.opengl.driSupport32Bit = true;
+
 }

mastus/blog.nix

@@ -1,46 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.nginx.httpConfig = ''
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      location / {
-        rewrite ^(.*) https://gebner.org$1 permanent;
-      }
-    }
-
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      root /srv/www.gebner.org;
-      error_page 404 403 /pages/404.html;
-    }
-  '';
-}

mastus/configuration.nix

@@ -6,15 +6,18 @@
       /etc/nixos/hardware-configuration.nix
       ../basic-tools.nix
       ./backup.nix
+      ./duplicity.nix
 
       ./mail.nix
       ./www.nix
-      ./gogs.nix
+      ./gitea.nix
       ./letsencrypt.nix
-      ./blog.nix
+      ./website.nix
+      ./wstunnel.nix
       ./radicale.nix
-      ./ttrss.nix
+      # ./ttrss.nix
       ./dns.nix
+      ./nebula.nix
     ];
 
   boot.loader.grub.enable = true;

mastus/dns.nix

@@ -9,7 +9,7 @@ let
       IN AAAA 2a02:2770:3:0:21a:4aff:feac:bc0e
   '';
 
-  timestamp = "1497294847";
+  timestamp = "1664458744";
 
   heNsServers = ''
     @ IN NS ns1.he.net.
@@ -48,9 +48,9 @@ in
           misuji ${misuji}
           mastus ${mastus}
 
-          home-gw IN A 80.109.2.154
-          htdf-gw IN A 80.109.2.154
-          mtlaa-gw IN A 84.112.114.160
+          home-gw IN A 80.109.29.104
+          htdf-gw IN A 80.109.29.104
+          ams-gw IN A 82.217.167.76
 
           @ ${mastus}
           www IN CNAME mastus

mastus/duplicity.nix

@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+
+  environment.systemPackages = [ pkgs.duplicity ];
+
+}

mastus/fts_xapian.nix

@@ -0,0 +1,35 @@
+{ stdenv, fetchFromGitHub, autoconf, automake, pkg-config, dovecot, libtool, xapian, icu64, sqlite }:
+stdenv.mkDerivation rec {
+  pname = "fts-xapian";
+  version = "1.3.2";
+
+  src = fetchFromGitHub {
+    owner = "grosjo";
+    repo = "fts-xapian";
+    rev = version;
+    sha256 = "12rgchx1ikwxbhdgychcfrhfnmx1rzl1l5zhmzchjkh44cwmpdbh";
+  };
+
+  buildInputs = [ dovecot xapian icu64 sqlite ];
+
+  nativeBuildInputs = [ autoconf automake libtool pkg-config ];
+
+  preConfigure = ''
+    export PANDOC=false
+    autoreconf -vi
+  '';
+
+  configureFlags = [
+    "--with-dovecot=${dovecot}/lib/dovecot"
+    "--without-dovecot-install-dirs"
+    "--with-moduledir=$(out)/lib/dovecot"
+  ];
+
+  meta = with stdenv.lib; {
+    homepage = "https://github.com/grosjo/fts-xapian";
+    description = "Dovecot FTS plugin based on Xapian";
+    license = licenses.lgpl21;
+    maintainers = with maintainers; [ julm ];
+    platforms = platforms.unix;
+  };
+}

mastus/gitblit.nix

@@ -1,77 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  gitblitWar = pkgs.fetchurl {
-    url = "http://dl.bintray.com/gitblit/releases/gitblit-1.6.2.war";
-    sha256 = "01gqarpwqbx1ix5zycfxw4172q5l8hhxvb7f92y3lz8l6x42l7i9";
-  };
-
-  gitHome = "/srv/git.gebner.org";
-in
-{
-  containers.gitblit = {
-    config = { config, pkgs, ... }: {
-      users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };
-      users.extraGroups.git = { };
-
-      systemd.services.createGitDir = {
-        wantedBy = [ "winstone-gitblit.service" ];
-        serviceConfig.Type = "oneshot";
-        script = ''
-          mkdir -p ${gitHome}
-          chown git:git -R ${gitHome}
-        '';
-      };
-
-      services.winstone.gitblit = {
-        user = "git";
-        group = "git";
-        warFile = "${gitblitWar}";
-        extraJavaOptions = [ "-DGITBLIT_HOME=${gitHome}" ];
-      };
-    };
-
-    privateNetwork = true;
-    hostAddress = "192.168.100.10";
-    localAddress = "192.168.101.10";
-  };
-
-  services.nginx.appendConfig = ''
-  http {
-    server {
-      listen [::]:80;
-      listen 80;
-      server_name git.gebner.org;
-
-      rewrite ^(.*) https://$host$1 permanent;
-    }
-
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name git.gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/mastus.key;
-      ssl_certificate /var/lib/acme/gebner.org/git.cert;
-
-      location / {
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $http_host;
-        proxy_redirect off;
-        proxy_buffering off;
-        proxy_pass http://gitblit;
-        client_max_body_size 30M;
-        break;
-      }
-    }
-
-    upstream gitblit {
-      server 192.168.100.10:8080;
-    }
-  }
-  '';
-}

mastus/gitea.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+{
+  services.gitea = rec {
+    enable = true;
+    stateDir = "/srv/git.gebner.org";
+    appName = "Gabriel Ebner's git server";
+    domain = "git.gebner.org";
+    rootUrl = "https://git.gebner.org/";
+    httpPort = 8001;
+    cookieSecure = true;
+    log.level = "Info";
+    disableRegistration = true;
+    settings = {
+      picture = {
+        DISABLE_GRAVATAR = "false";
+        AVATAR_UPLOAD_PATH = "${stateDir}/data/avatars";
+      };
+    };
+  };
+
+  environment.systemPackages = [
+    (let cfg = config.services.gitea; in pkgs.writeScriptBin "gitea" ''
+      exec ${pkgs.sudo}/bin/sudo -u ${cfg.user} \
+        env GITEA_WORK_DIR=${cfg.stateDir} ${pkgs.gitea}/bin/gitea "$@"
+    '')
+  ];
+
+  services.nginx = {
+    recommendedProxySettings = true;
+    virtualHosts."git.gebner.org" = {
+      forceSSL = true;
+      useACMEHost = "gebner.org";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
+        extraConfig = ''
+          proxy_buffering off;
+          client_max_body_size 256M;
+        '';
+      };
+    };
+  };
+}

mastus/gogs.nix

@@ -1,125 +1,45 @@
 { config, pkgs, ... }:
-let
-  gitHome = "/srv/git.gebner.org";
-
-  gogs = pkgs.callPackage ../pkgs/gogs.nix { };
-
-  gogsPort = 8001;
-  gogsConfig = pkgs.writeText "gogs.ini" ''
-APP_NAME = Gogs: Go Git Service
-RUN_USER = git
-RUN_MODE = prod
-
-[database]
-DB_TYPE = sqlite3
-HOST = 127.0.0.1:3306
-NAME = gogs
-USER = root
-PASSWD = 
-SSL_MODE = disable
-PATH = ${gitHome}/data/gogs.db
-
-[repository]
-ROOT = ${gitHome}/gogs-repositories
-
-[server]
-DOMAIN = git.gebner.org
-HTTP_PORT = ${toString gogsPort}
-ROOT_URL = https://git.gebner.org/
-DISABLE_SSH = false
-SSH_PORT = 22
-OFFLINE_MODE = true
-
-[mailer]
-ENABLED = false
-
-[service]
-REGISTER_EMAIL_CONFIRM = false
-ENABLE_NOTIFY_MAIL = false
-DISABLE_REGISTRATION = true
-REQUIRE_SIGNIN_VIEW = false
-
-[picture]
-DISABLE_GRAVATAR = false
-AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars
-
-[session]
-PROVIDER = file
-
-[log]
-ROOT_PATH = ${gitHome}/logs
-MODE = file
-LEVEL = Info
-
-[security]
-INSTALL_LOCK = true
-'';
-in
 {
-  users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };
+  users.extraUsers.git = { home = config.services.gogs.stateDir; extraGroups = [ "git" ]; };
   users.extraGroups.git = { };
 
-  systemd.services.gogs = {
-    path = with pkgs; [ git openssh bash ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "simple";
-      Restart = "always";
-      User = "git";
-      Group = "git";
-      ExecStart = "${gogs}/gogs web -c ${gogsConfig}";
-      WorkingDirectory = gitHome;
-    };
+  services.gogs = rec {
+    enable = true;
+    stateDir = "/srv/git.gebner.org";
+    user = "git";
+    group = "git";
+    appName = "Gabriel Ebner's git server";
+    domain = "git.gebner.org";
+    rootUrl = "https://git.gebner.org/";
+    httpPort = 8001;
+    cookieSecure = true;
+    extraConfig = ''
+      [picture]
+      DISABLE_GRAVATAR = false
+      AVATAR_UPLOAD_PATH = ${stateDir}/data/avatars
+
+      [log]
+      ROOT_PATH = ${stateDir}/logs
+      MODE = file
+      LEVEL = Info
+
+      [service]
+      DISABLE_REGISTRATION = true
+    '';
   };
 
-  services.nginx.httpConfig = ''
-    server {
-      listen [::]:80;
-      listen 80;
-      server_name git.gebner.org;
-
-      location /.well-known/acme-challenge {
-        default_type text/plain;
-        alias /var/lib/acme/www/.well-known/acme-challenge;
-      }
-
-      location / {
-        rewrite ^(.*) https://$host$1 permanent;
-      }
-    }
-
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name git.gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      location / {
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $http_host;
-        proxy_redirect off;
-        proxy_buffering off;
-        proxy_pass http://gogs;
-        client_max_body_size 30M;
-        break;
-      }
-    }
-
-    upstream gogs {
-      server 127.0.0.1:${toString gogsPort};
-    }
-  '';
+  services.nginx = {
+    recommendedProxySettings = true;
+    virtualHosts."git.gebner.org" = {
+      forceSSL = true;
+      useACMEHost = "gebner.org";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.gogs.httpPort}";
+        extraConfig = ''
+          proxy_buffering off;
+          client_max_body_size 30M;
+        '';
+      };
+    };
+  };
 }

mastus/letsencrypt.nix

@@ -3,18 +3,18 @@
 {
   security.acme.certs = {
     "gebner.org" = {
-      webroot = "/var/lib/acme/www";
+      webroot = "/var/lib/acme/acme-challenge";
       email = "gebner@gebner.org";
-      extraDomains = {
-        "git.gebner.org" = null;
-        "mail.gebner.org" = null;
-        "gebner.org" = null;
-        "www.gebner.org" = null;
-        "gabrielebner.at" = null;
-        "www.gabrielebner.at" = null;
-        "2b7e.org" = null;
-        "www.2b7e.org" = null;
-      };
+      extraDomainNames = [
+        "git.gebner.org"
+        "mail.gebner.org"
+        "gebner.org"
+        "www.gebner.org"
+        "gabrielebner.at"
+        "www.gabrielebner.at"
+        "2b7e.org"
+        "www.2b7e.org"
+      ];
 
       postRun = ''
         systemctl reload nginx
@@ -26,4 +26,6 @@
     };
   };
 
+  security.acme.acceptTerms = true;
+
 }

mastus/mail.nix

@@ -18,6 +18,7 @@
     extraAliases = ''
       ge: gebner
       cutintro: gebner
+      gebne: gebner
     '';
     hostname = "mastus.gebner.org";
     sslCert = "/var/lib/acme/gebner.org/fullchain.pem";
@@ -67,8 +68,6 @@
     sslServerCert = "/var/lib/acme/gebner.org/fullchain.pem";
     sslServerKey = "/var/lib/acme/gebner.org-dovecot/key.pem";
     extraConfig = ''
-      ssl_protocols = !SSLv2 !SSLv3
-
       service auth {
         unix_listener /var/lib/postfix/queue/private/auth {
           mode = 0660
@@ -76,7 +75,30 @@
           group = postfix
         }
       }
+
+      # # use mailPlugins.globally.enable after nixos 20.09
+      # mail_plugins = fts fts_xapian
+      #
+      # plugin {
+      #   plugin = fts fts_xapian
+      #
+      #   fts = xapian
+      #   fts_xapian = partial=2 full=20 attachments=1 verbose=0
+      #
+      #   fts_autoindex = yes
+      #   fts_enforced = yes
+      #
+      #   fts_autoindex_exclude = Trash
+      #   fts_autoindex_exclude2 = spam
+      # }
+      #
+      # default_vsz_limit = 0
+      #
+      # service indexer-worker {
+      #   vsz_limit = 0
+      # }
     '';
+    # modules = [ (pkgs.callPackage ./fts_xapian.nix {}) ];
   };
   systemd.services.dovecotSslKey = rec {
     wantedBy = [ "dovecot2.service" ];

mastus/nebula.nix

@@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+
+let mastus = "37.252.120.145";
+in {
+  services.nebula.networks.gabriel = {
+    enable = true;
+    ca = "/etc/nebula/gabriel/ca.crt";
+    cert = "/etc/nebula/gabriel/mastus.crt";
+    key = "/etc/nebula/gabriel/mastus.key";
+
+    isLighthouse = true;
+    staticHostMap = {
+      "192.168.18.36" = [ "${mastus}:4242" ];
+    };
+
+    firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+
+    settings = {
+      serve_dns = true;
+      lighthouse.dns = { host = "192.168.18.36"; port = 5353; };
+    };
+  };
+
+  networking.firewall.allowedUDPPorts = [ 4242 ];
+}

mastus/radicale.nix

@@ -5,77 +5,56 @@ in
 {
   services.radicale = {
     enable = true;
-    config = ''
-      [server]
-      hosts = 127.0.0.1:${toString radicalePort}
-      ssl = false
-      dns_lookup = false
+    package = pkgs.radicale3.overrideDerivation (_: {
+      #patches = [ ./radicale1249.patch ];
+      doCheck = false;
+      pytestCheckPhase = "true";
+    });
+    settings = {
+      server = {
+        hosts = "127.0.0.1:${toString radicalePort}";
+        ssl = false;
+      };
 
-      [storage]
-      filesystem_folder = /var/lib/radicale/storage
+      storage = {
+        filesystem_folder = "/var/lib/radicale/collections";
+      };
 
-      [auth]
-      type = IMAP
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = "/var/lib/radicale/htpasswd";
+        htpasswd_encryption = "bcrypt";
+      };
 
-      [rights]
-      type = owner_only
-    '';
+      rights = {
+        type = "owner_only";
+      };
+    };
   };
 
-  security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null;
+  security.acme.certs."gebner.org".extraDomainNames = [ "radicale.gebner.org" ];
 
-  services.nginx.httpConfig = ''
-    server {
-      listen [::]:80;
-      listen 80;
-      server_name radicale.gebner.org;
+  services.nginx = {
+    recommendedProxySettings = true;
+    virtualHosts."radicale.gebner.org" = {
+      forceSSL = true;
+      useACMEHost = "gebner.org";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString radicalePort}";
+      };
+      # Fake nextcloud api:
+      # https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/1#note_857357
+      extraConfig = ''
+        rewrite ^/remote.php/carddav / redirect;
+        rewrite ^/remote.php/caldav / redirect;
 
-      location /.well-known/acme-challenge {
-        default_type text/plain;
-        alias /var/lib/acme/www/.well-known/acme-challenge;
-      }
+        location /remote.php/webdav {
+                return 200;
+        }
+      '';
+    };
+  };
 
-      location / {
-        rewrite ^(.*) https://$host$1 permanent;
-      }
-    }
+  environment.systemPackages = with pkgs; [ apacheHttpd ];
 
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name radicale.gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      location / {
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $http_host;
-        proxy_redirect off;
-        proxy_buffering off;
-        proxy_connect_timeout       900;
-        proxy_send_timeout          900;
-        proxy_read_timeout          900;
-        send_timeout                900;
-        proxy_pass http://radicale;
-        client_max_body_size 30M;
-        break;
-      }
-    }
-
-    upstream radicale {
-      server 127.0.0.1:${toString radicalePort};
-    }
-  '';
 }

mastus/radicale1249.patch

@@ -0,0 +1,37 @@
+diff --git a/radicale/app/propfind.py b/radicale/app/propfind.py
+index 52d0b00..ee7cf28 100644
+--- a/radicale/app/propfind.py
++++ b/radicale/app/propfind.py
+@@ -350,8 +350,8 @@ class ApplicationPartPropfind(ApplicationBase):
+                 permission = "r"
+                 status = "read"
+             else:
+-                permission = ""
+-                status = "NO"
++                permission = "r"
++                status = "read"
+             logger.debug(
+                 "%s has %s access to %s",
+                 repr(user) if user else "anonymous user", status, target)
+@@ -362,8 +362,8 @@ class ApplicationPartPropfind(ApplicationBase):
+                     path: str, user: str) -> types.WSGIResponse:
+         """Manage PROPFIND request."""
+         access = Access(self._rights, user, path)
+-        if not access.check("r"):
+-            return httputils.NOT_ALLOWED
++        #if not access.check("r"):
++        #    return httputils.NOT_ALLOWED
+         try:
+             xml_content = self._read_xml_request_body(environ)
+         except RuntimeError as e:
+@@ -380,8 +380,8 @@ class ApplicationPartPropfind(ApplicationBase):
+             item = next(items_iter, None)
+             if not item:
+                 return httputils.NOT_FOUND
+-            if not access.check("r", item):
+-                return httputils.NOT_ALLOWED
++            #if not access.check("r", item):
++            #    return httputils.NOT_ALLOWED
+             # put item back
+             items_iter = itertools.chain([item], items_iter)
+             allowed_items = self._collect_allowed_items(items_iter, user)

mastus/ttrss.nix

@@ -2,7 +2,13 @@
 {
   containers.ttrss = {
     config = {
-      users.extraUsers.ttrss = {};
+      users.users.ttrss = {
+        group = "ttrss";
+        isSystemUser = true;
+      };
+      users.groups.ttrss = {};
+
+      users.users.tt_rss.isSystemUser = true;
 
       services.postgresql = {
         enable = true;
@@ -19,6 +25,7 @@
         user = "ttrss";
 
         pool = "ttrss";
+        virtualHost = null;
 
         database = {
           type = "pgsql";
@@ -32,23 +39,21 @@
       };
 
       services.phpfpm = {
-        extraConfig = ''
-          error_log = /var/log/phpfpm.log
-          log_level = notice
-        '';
-
-        poolConfigs = {
-          ttrss = ''
-              listen = 9000
-              user = ttrss
-              pm = dynamic
-              pm.max_children = 75
-              pm.start_servers = 10
-              pm.min_spare_servers = 5
-              pm.max_spare_servers = 20
-              pm.max_requests = 500
-              catch_workers_output = 1
-          '';
+        pools = {
+          ttrss = {
+            user = "ttrss";
+            group = "ttrss";
+            settings = {
+              listen = "9000";
+              pm = "dynamic";
+              "pm.max_children" = 75;
+              "pm.start_servers" = 10;
+              "pm.min_spare_servers" = 5;
+              "pm.max_spare_servers" = 20;
+              "pm.max_requests" = 500;
+              catch_workers_output = 1;
+            };
+          };
         };
       };
 
@@ -63,61 +68,28 @@
 
   networking.nat.enable = true;
   networking.nat.internalInterfaces = ["ve-+"];
-  networking.nat.externalInterface = "enp0s3";
+  networking.nat.externalInterface = "ens3";
 
-  security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;
+  security.acme.certs."gebner.org".extraDomainNames = [ "reader.gebner.org" ];
 
-  services.nginx.httpConfig = ''
-    server {
-      listen [::]:80;
-      listen 80;
-      server_name reader.gebner.org;
-
-      location /.well-known/acme-challenge {
-        default_type text/plain;
-        alias /var/lib/acme/www/.well-known/acme-challenge;
-      }
-
-      location / {
-        rewrite ^(.*) https://$host$1 permanent;
-      }
-    }
-
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name reader.gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      location / {
-        root /var/lib/containers/ttrss/var/lib/tt-rss;
-        index index.php;
-      }
-
-      location /cache {
-        deny all;
-      }
-      location = /config.php {
-        deny all;
-      }
-
-      location ~ \.php$ {
+  services.nginx = {
+    virtualHosts."reader.gebner.org" = {
+      forceSSL = true;
+      useACMEHost = "gebner.org";
+      locations."/" = {
+        root = "/var/lib/containers/ttrss/var/lib/tt-rss";
+        index = "index.php";
+      };
+      locations."/cache".extraConfig = "deny all;";
+      locations."= /config.php".extraConfig = "deny all;";
+      locations."~ \\.php$".extraConfig = ''
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_pass 192.168.100.11:9000;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name;
         include ${pkgs.nginx}/conf/fastcgi_params;
-      }
-    }
-  '';
+      '';
+    };
+  };
+
 }

mastus/vmtest.nix

@@ -9,7 +9,7 @@ let
     boot.enableContainers = true;
 
     systemd.services.setupVM = rec {
-      wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ];
+      wantedBy = [ "gitea.service" "dovecot2.service" "nginx.service" ];
       before = wantedBy;
       serviceConfig = {
         Type = "oneshot";
@@ -17,14 +17,22 @@ let
       };
       script = ''
         mkdir -p /srv/git.gebner.org
-        chown git:git -R /srv/git.gebner.org
+        chown gitea:gitea -R /srv/git.gebner.org
       '';
     };
 
-    environment.systemPackages = with pkgs; [ elinks carddav-util fcgi ];
+    environment.systemPackages = with pkgs; [
+      elinks
+      carddav-util
+      fcgi
+      wstunnel
+      sqlite-interactive
+    ];
+
+    security.acme.server = "http://localhost";
 
     networking.extraHosts = ''
-      127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org
+      127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at
 
       # disable letsencrypt
       127.0.0.111 acme-v01.api.letsencrypt.org

mastus/website.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+
+  services.nginx = {
+    virtualHosts."gebner.org" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/srv/www.gebner.org";
+      extraConfig = ''
+        access_log /var/log/nginx/website_access.log;
+
+        error_page 404 403 /404.html;
+
+        location / {
+          try_files $uri $uri/ @not_found;
+        }
+
+        location @not_found {
+          try_files /404.cgi =404;
+          fastcgi_intercept_errors on;
+          fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+        }
+      '';
+    };
+  };
+
+  services.fcgiwrap = {
+    enable = true;
+    user = "nobody";
+    group = "nogroup";
+  };
+}

mastus/wstunnel.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+let
+  port = 58613;
+in
+
+{
+
+  systemd.services.wstunnel = rec {
+    path = [ pkgs.wstunnel ];
+    wantedBy = [ "nginx.service" ];
+    after = [ "network.target" ];
+    script = ''
+      wstunnel --server --restrictTo=htdf-gw.gebner.org:35869 ws://localhost:${toString port}
+    '';
+  };
+
+  services.nginx.virtualHosts."gebner.org".locations = {
+    "/wstunnel/udp/htdf-gw.gebner.org/35869" = {
+      proxyWebsockets = true;
+      proxyPass = "http://localhost:${toString port}";
+    };
+  };
+}

mastus/www.nix

@@ -16,21 +16,18 @@
 
   services.nginx = {
     enable = true;
-    httpConfig = ''
-      server {
-        listen [::]:80;
-        listen 80;
-        server_name _;
 
-        location /.well-known/acme-challenge {
-          default_type text/plain;
-          alias /var/lib/acme/www/.well-known/acme-challenge;
-        }
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
 
-        location / {
-          rewrite ^(.*) https://gebner.org$1 permanent;
-        }
-      }
-    '';
+    sslDhparam = "/etc/nginx/dhparam.pem";
+
+    virtualHosts."_" = {
+      default = true;
+      addSSL = true;
+      useACMEHost = "gebner.org";
+      globalRedirect = "gebner.org";
+    };
   };
+
 }

murex.nix

@@ -0,0 +1,147 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    /etc/nixos/hardware-configuration.nix
+    ./basic-tools.nix
+  ];
+
+  boot.loader.grub.enable = false;
+
+  boot.loader.raspberryPi = {
+    enable = true;
+    version = 3;
+    uboot.enable = true;
+  };
+
+  boot.kernelPackages = pkgs.linuxPackages_5_4;
+
+  boot.kernelParams = [
+    "cma=32M" # for virtual console, see https://nixos.wiki/wiki/NixOS_on_ARM
+    "console=tty0"
+  ];
+
+  hardware.enableRedistributableFirmware = true;
+  # hardware.firmware = with pkgs; [
+  #   (stdenv.mkDerivation {
+  #     name = "broadcom-rpi3bplus-extra";
+  #     src = fetchurl {
+  #       url = "https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/b518de4/brcm/brcmfmac43455-sdio.txt";
+  #       sha256 = "0r4bvwkm3fx60bbpwd83zbjganjnffiq1jkaj0h20bwdj9ysawg9";
+  #     };
+  #     phases = [ "installPhase" ];
+  #     installPhase = ''
+  #       mkdir -p $out/lib/firmware/brcm
+  #       cp $src $out/lib/firmware/brcm/brcmfmac43455-sdio.txt
+  #     '';
+  #   })
+  # ];
+  # networking.wireless.enable = true;
+  # networking.networkmanager.enable = true;
+  networking.wireless.iwd.enable = true;
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+  };
+
+  networking.hostName = "murex";
+  #networking.hostId = "34a820f1";
+
+  time.timeZone = "Europe/Amsterdam";
+
+  environment.systemPackages = with pkgs; [
+    raspberrypi-tools
+  ];
+
+  users.extraUsers.gebner = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "networkmanager" "audio" "dialout" ];
+    shell = pkgs.fish;
+  };
+
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+  };
+
+  documentation.nixos.enable = false;
+
+  services.octoprint = {
+    enable = true;
+    plugins = ps: with ps; [
+      printtimegenius
+      touchui
+      # psucontrol
+    ];
+  };
+  # systemd.services.setupGpioForRelais = rec {
+  #   wantedBy = [ "octoprint.service" ];
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     RemainAfterExit = "yes";
+  #   };
+  #   script = let gpio = toString (458 + 17); in ''
+  #     if echo ${gpio} > /sys/class/gpio/export; then
+  #       echo high > /sys/class/gpio/gpio${gpio}/direction
+  #     fi
+  #     chown octoprint:dialout /sys/class/gpio/gpio${gpio}/value
+  #   '';
+  # };
+  users.users.${config.services.octoprint.user}.extraGroups = [
+    "dialout" # ttyUSB access
+  ];
+
+  systemd.services.ethKernelPanicFix = rec {
+    wantedBy = [ "networking.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = "yes";
+    };
+    # https://github.com/raspberrypi/linux/issues/2449
+    script = ''
+      ${pkgs.ethtool}/bin/ethtool -K eth0 tx-tcp-segmentation off tx-tcp6-segmentation off
+    '';
+  };
+
+  services.mjpg-streamer = {
+    enable = true;
+    # inputPlugin = "input_uvc.so -r 1920x1080";
+  };
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      # config.services.octoprint.port
+      # 5050 # mjpg-streamer
+      80
+    ];
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts."murex.ams.gebner.org" = {
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.octoprint.port}";
+        proxyWebsockets = true;
+        # do not cache that octoprint is inaccessible on startup
+        extraConfig = ''
+          proxy_cache off;
+          proxy_set_header Accept-Encoding "*";
+          client_max_body_size 50M;
+        '';
+      };
+      locations."/webcam/".proxyPass = "http://localhost:5050/?action=stream";
+      locations."/webcampic/".proxyPass = "http://localhost:5050/?action=snapshot";
+    };
+  };
+
+  system.stateVersion = "20.09";
+}

nebula.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+
+let mastus = "37.252.120.145"; hostname = config.networking.hostName;
+in {
+  services.nebula.networks.gabriel = {
+    enable = true;
+    ca = "/etc/nebula/gabriel/ca.crt";
+    cert = "/etc/nebula/gabriel/${hostname}.crt";
+    key = "/etc/nebula/gabriel/${hostname}.key";
+
+    listen.host = "[::]";
+    listen.port = 0; # dynamic ip
+
+    staticHostMap = {
+      "192.168.18.36" = [ "${mastus}:4242" ];
+    };
+    lighthouses = [
+      "192.168.18.36"
+    ];
+
+    firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+    firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+  };
+
+  networking.firewall.allowedUDPPorts = [ 4242 ];
+}

nm-restart.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  systemd.services.NetworkManager.restartIfChanged = false;
+  systemd.services.NetworkManager-dispatcher.restartIfChanged = false;
+  systemd.services.NetworkManager-wait-online.restartIfChanged = false;
+  systemd.services.wpa_supplicant.restartIfChanged = false;
+  systemd.services.systemd-resolved.restartIfChanged = false;
+}

nvim05.nix

@@ -0,0 +1,21 @@
+{ config, inputs, ... }:
+
+{
+  # nixpkgs.overlays = [ inputs.neovim-overlay.overlay ];
+
+  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+    # neovim-unwrapped = neovim-unwrapped.overrideDerivation (orig: {
+    #   patches = orig.patches ++ [ ];
+    # });
+
+    # neovim-qt-unwrapped = neovim-qt-unwrapped.overrideDerivation (_: {
+    #   version = "0.2.17.9999";
+    #   src = fetchFromGitHub {
+    #     owner  = "equalsraf";
+    #     repo   = "neovim-qt";
+    #     rev    = "67cc4e414a8e64a475e55230818fab0f78415634";
+    #     sha256 = "sha256-3jYYY7T7L4rMsxIxJwY32izmlJKrrqbmU4DZ2Aow5uE=";
+    #   };
+    # });
+  };
+}

petalius.nix

@@ -3,42 +3,73 @@
 {
   imports =
     [
-      ./common.nix
+      ./common-headless.nix
+      ./sway.nix
+      # ./i3.nix
       ./large-sw.nix
       ./uefi.nix
       ./fstrim.nix
+      ./atmega.nix
+      ./v4l2loopback.nix
+      ./huion.nix
+      ./nvim05.nix
+      ./nm-restart.nix
+      # ./nebula.nix
+      ./tailscale.nix
     ];
 
+  hardware.enableRedistributableFirmware = true;
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [
+    "kvm-intel"
+    "rmi_smbus"
+    "i2c_hid"
+    "psmouse"
+  ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/c87491ed-0dd6-4eb4-bef2-fe4c707e91f2";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/E526-BAB7";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  nix.settings.max-jobs = 4;
+
   environment.etc."lvm/lvm.conf".text = ''
     devices {
       issue_discards = 1
     }
   '';
-  boot.initrd.luks.devices = [
-    {
-      name = "nvme0n1p2";
+  boot.initrd.luks.devices = {
+    nvme0n1p2 = {
       device = "/dev/disk/by-uuid/5ca3d7ec-3f9e-4a08-8bc2-b26bfc3459c5";
       preLVM = true;
       allowDiscards = true;
-    }
-  ];
-
-  services.xserver = {
-    dpi = 120;
-
-    libinput.enable = true;
-    config = ''
-      Section "InputClass"
-        Identifier "touchpad"
-        Driver "libinput"
-        MatchDevicePath "/dev/input/event*"
-        MatchIsPointer "true"
-      EndSection
-    '';
-
-    videoDrivers = [ "modesetting" ];
-    useGlamor = true;
+    };
   };
+
+  # services.xserver = {
+  #   dpi = 120;
+  #
+  #   libinput.enable = true;
+  #   config = ''
+  #     Section "InputClass"
+  #       Identifier "touchpad"
+  #       Driver "libinput"
+  #       MatchDevicePath "/dev/input/event*"
+  #       MatchIsPointer "true"
+  #     EndSection
+  #   '';
+  #
+  #   videoDrivers = [ "modesetting" ];
+  #   useGlamor = true;
+  # };
   programs.light.enable = true;
 
   services.tlp.enable = true;
@@ -46,29 +77,34 @@
   networking.hostName = "petalius";
   networking.hostId = "cf58caa9";
 
-  systemd.services.ModemManager = {
-    enable = true;
-    wantedBy = [ "multi-user.target" ];
-  };
+  hardware.cpu.intel.updateMicrocode = true;
+
+  # systemd.services.ModemManager = {
+  #   enable = true;
+  #   wantedBy = [ "multi-user.target" ];
+  # };
 
   hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
 
   nixpkgs.config.packageOverrides = pkgs: rec {
   };
 
-  environment.systemPackages = with pkgs; [
-    unison
-  ];
+  # environment.systemPackages = with pkgs; [
+  #   unison
+  # ];
 
-  virtualisation.docker = {
-    enable = true;
-    storageDriver = "overlay2";
-  };
-  users.extraUsers.gebner.extraGroups = [ "docker" ];
+  users.extraUsers.gebner.extraGroups = [ "libvirtd" ];
+  virtualisation.libvirtd.enable = true;
 
-  #virtualisation.virtualbox.host.enable = true;
+  virtualisation.waydroid.enable = true;
 
-  # boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages;
+  # virtualisation.virtualbox.host.enable = true;
+
+  # boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages_5_4;
+
+  # boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages_5_5;
+
+  # boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages_4_19;
   boot.kernelPatches = [
     # { patch = ./len0073.patch; name = "len0073"; }
   ];
@@ -76,14 +112,70 @@
     # "psmouse.synaptics_intertouch=1"
     "psmouse.proto=imps"
   ];
-  boot.kernelModules = [
-    "rmi_smbus"
-    "i2c_hid"
-    "psmouse"
-  ];
 
+  # time.timeZone = pkgs.lib.mkOverride 10 "Asia/Tokyo";
   # time.timeZone = pkgs.lib.mkOverride 10 "Europe/London";
+  # time.timeZone = pkgs.lib.mkOverride 10 "Europe/Lisbon";
+  # time.timeZone = pkgs.lib.mkOverride 10 "US/Eastern";
+  time.timeZone = pkgs.lib.mkOverride 10 "US/Pacific";
 
   #services.avahi.nssmdns = true;
 
+  system.stateVersion = "22.11";
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = ["10.59.0.2/16"];
+    privateKeyFile = "/etc/wgkeys/petalius";
+    allowedIPsAsRoutes = true;
+    postSetup = ''
+      ${pkgs.systemd}/bin/resolvectl domain wg0 '~htdf.gebner.org' '~mtlaa.gebner.org' '~ams.gebner.org'
+      ${pkgs.systemd}/bin/resolvectl dns wg0 10.58.0.1
+    '';
+    peers = [{
+      publicKey = "ByLlJbevlTBooAo2RIZGGJvBHKqA9qiOpHBvR5yuJX4=";
+      allowedIPs = ["10.56.0.0/14" "10.60.1.1"];
+      endpoint = "htdf-gw.gebner.org:35869";
+      # endpoint = "80.109.29.104:35869";
+      # endpoint = "127.0.0.1:35869";
+    }];
+  };
+  systemd.services.wireguard-wg0.wantedBy = pkgs.lib.mkOverride 10 [];
+
+  systemd.services.wstunnel = {
+    path = [ pkgs.wstunnel ];
+    wantedBy = [ "wireguard-wg0.service" ];
+    after = [ "network.target" ];
+    script = ''
+      wstunnel -L 35869:htdf-gw.gebner.org:35869 -u wss://gebner.org
+    '';
+  };
+
+  services.resolved = {
+    domains = [];
+    enable = true;
+  };
+
+  # environment.systemPackages = [
+  #   (pkgs.callPackage ./bluez-alsa.nix {})
+  # ];
+
+  services.fwupd.enable = true;
+
+  users.extraUsers.gebner2 = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      # "networkmanager"
+      "audio"
+      # "transmission"
+      # "lxd"
+      # "libvirtd"
+      # "vboxusers"
+      # "wireshark"
+      "input" "tty" "audio" "video" "uinput"
+    ];
+    # shell = "${pkgs.zsh}/bin/zsh";
+    shell = "/run/current-system/sw/bin/fish";
+  };
+
 }

pipewire.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+
+{
+
+  users.extraUsers.gebner.extraGroups = [ "bluetooth" ];
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+
+    # media-session.config.bluez-monitor.rules = [
+    #   {
+    #     # Matches all cards
+    #     matches = [ { "device.name" = "~bluez_card.*"; } ];
+    #     actions = {
+    #       "update-props" = {
+    #         "bluez5.reconnect-profiles" = [ "hfp_hf" "hsp_hs" "a2dp_sink" ];
+    #         "bluez5.msbc-support" = true;
+    #       };
+    #     };
+    #   }
+    # ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    pulseaudio
+    alsaUtils
+    carla
+    qjackctl
+    pipewire.lib
+    helvum
+  ];
+
+}

pkgs/eclipse-5.nix

@@ -0,0 +1,32 @@
+with import <nixpkgs> {};
+stdenv.mkDerivation rec {
+  name = "eclipse-clp-${version}";
+  version = "5.10_147";
+
+  src = fetchurl {
+    url = "http://eclipseclp.org/Distribution/Old/${version}/src/eclipse_src.tgz";
+    sha256 = "1473b1byfjgygf80sqyjjl53pvybcyyr397w23f2gn64cv68f6qx";
+  };
+
+  # configureFlags = [ "--without-tcl" ];
+
+  preConfigure = ''
+    find -name Makefile.in | xargs sed -i "s,/bin/\(cp\|mv\|chmod\|pwd\),${coreutils}&,g"
+    sed -i "s,/bin/pwd,pwd,g;s,/usr/bin/ranlib,ranlib,g" RUNME
+    sed -i "s/-fforce-mem/-D_GNU_SOURCE/" configure
+    cp sepia/include/*.h icparc_solvers/
+  '';
+
+  postConfigure = ''
+    ln -s Makefile.*_* Makefile    # rename Makefile.x86_64_linux
+  '';
+
+  postInstall = ''
+    # eclipse puts files in bin/x86_64_linux...
+    mv $out/bin/*/* $out/bin/
+    rmdir $out/bin/*/
+  '';
+
+  buildInputs = [ tcl-8_5 gmp ];
+  # tcltk, java, mysqlclient, latex
+}

pkgs/gogs.nix

@@ -1,21 +0,0 @@
-{ nixpkgs ? import <nixpkgs> {} }: with nixpkgs;
-stdenv.mkDerivation rec {
-  name = "gogs-${version}";
-  version = "0.9.48";
-
-  src = fetchzip {
-    url = "https://github.com/gogits/gogs/releases/download/v${version}/linux_amd64.zip";
-    sha256 = "1z00lqcz7nwbyavs1mwgsr9zjnqrjjmqvxy43p8gap768y45pvlb";
-  };
-
-  buildPhase = ''
-    patchelf \
-      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
-      --set-rpath ${pam}/lib \
-      gogs
-  '';
-
-  installPhase = ''
-    cp -ra ./ $out/
-  '';
-}

pkgs/yourkit.nix

@@ -1,11 +1,11 @@
 with import <nixpkgs> {};
 stdenv.mkDerivation rec {
   name = "yjp-${version}";
-  version = "2017.02-b53";
+  version = "2017.02-b75";
 
   src = fetchurl {
-    url = "https://www.yourkit.com/download/${name}.zip";
-    sha256 = "0ms1pq5badk6wb468s6kxqb2c9ll1sbjz2p61sdbpjp59a1sv2gx";
+    url = "https://www.yourkit.com/download/YourKit-JavaProfiler-${version}.zip";
+    sha256 = "0m0xjyp2plwpfgy2fps86k3cqv49268s4piasyszc00gf5n5cban";
   };
 
   nativeBuildInputs = [ unzip makeWrapper patchelf ];

pulseaudio.nix

@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+
+{
+
+  hardware.pulseaudio = {
+    enable = true;
+    zeroconf.discovery.enable = true;
+    daemon.config = {
+      flat-volumes = "no";
+      avoid-resampling = "yes";
+      resample-method = "speex-float-10";
+      default-sample-format = "s32le";
+      default-sample-rate = "96000";
+    };
+    # package = pkgs.pulseaudio-hsphfpd;
+    package = pkgs.pulseaudioFull;
+    extraModules = [ pkgs.pulseaudio-modules-bt ];
+  };
+
+  # hardware.bluetooth.hsphfpd.enable = true;
+
+  users.extraUsers.gebner.extraGroups = [ "bluetooth" ];
+
+  services.pipewire = {
+    enable = true;
+  };
+
+  # causes recompilation
+  # nixpkgs.config.pulseaudio = true;
+
+}

qemu-user.nix

@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+
+let
+  arm = {
+    interpreter = "${pkgs.qemu}/bin/qemu-arm";
+    magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00'';
+    mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+  };
+  aarch64 = {
+    interpreter = "${pkgs.qemu}/bin/qemu-aarch64";
+    magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00'';
+    mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+  };
+  riscv64 = {
+    interpreter = "${pkgs.qemu}/bin/qemu-riscv64";
+    magicOrExtension = ''\x7fELF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00'';
+    mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+  };
+in {
+  boot.binfmt.registrations = {
+    inherit arm;
+    inherit aarch64;
+    inherit riscv64;
+  };
+  nix.extraOptions = ''
+    extra-platforms = armv6l-linux armv7l-linux aarch64-linux riscv64-linux i686-linux
+  '';
+  nix.sandboxPaths = [ "/run/binfmt" "${pkgs.qemu}" ];
+}

remote-ssh-install-cd.nix

@@ -0,0 +1,16 @@
+with import <nixpkgs> {};
+(pkgs.nixos ({ config, pkgs, ... }: {
+  imports = [
+    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
+    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
+  ];
+
+  networking.hostName = "nixos-install";
+
+  systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmLT+dRGdvDQS/1+34f86Dr62UUUCyoBoQDa3Keyy0oMQqdgWK+4qIVOzvKKn2/nZ7rbNDXEnZ1wJ2+BvQ8V1QAl7I6GvkLJifZpztZ9B0o8t6fnGRMoi3BXu2cdb+HBvKvTZH0A+WU/OEwc4HF/+o2DyrTytYNucBgWaIUGZDw4RzUfoAurQ827Eslrz34qRaEk/Q+BGE2G8bDzrEHmf2wR6apuA7mF0961CNq09DNtYUTuxnqWVuzg1yOFQ0e8K4NzjqvRoproK3472/6Wifg20V7CoKE/81IocfVCuCvLuUyyQ6HHlq7MmJowCZzGs6L7SmXOMeponUTSZ1ivZ9 gebner@archachatina"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9n0cCLVTBg8IhXvonlNU3kJ5ScOVzoHdnXaffVAq+UihNQYayDtLlFetYD4RvjAgoxb8xkLKM0PWjYJicVntuPz0GhHVKlZeWIqgDG+Ec8w+7PI2Fc2WF1fLatTRBH7lwDMd7eEhPLPY5FVfqTtvEAL6aIV9uzJ0coHeh1GPp6YQ9kgobuGTxpa0r8wtd/7Q7uKkkuxfqZW6Aig56xohNYHkcI2LAJgv5e4Cim1GR/2kXY4EHfxPfxAhzx0ZIxRdp0kAmkLHEbeEUASs1kd6n/5XtmJgjl9605QrCXrKXQXf+czTbjKu5isOimFdKlXwLZYVaZd1iPPvzSNcYhMat gebner@petalius"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTO3cgQHCgHEBK8SeHJ+Nh/pNHCBASw04VCnuVBv9EW1gApGLx4K1F1nsS/TJR9N+ayxADbAfKOTyJ5Dj6AyG16im8UM1or+GMpkXeY+t9HbFt7aHt8Ogn3P4G7VZyEwTvTEifNjmCrIdaAFnDztBoGMo0oR8MT+ry58byiMH5tIlt8yKsYdE5M1UzAyrwbTmAf8N3WxgQQv1wTvIET9+OrcY4Pw1z55Tft44ZdvQDghCRTUHz9kGpHSlOXYxa0ht+pPRLiufbsAvs5Ue+TwQmVVuAHbGn+tNrBlvYPjuNHCfiXXcGiBqNVNaWb28DCCCuchzpu9hAUXr8MbQuOnH gebner@decoysnail"
+  ];
+})).isoImage

rtl8761b.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+
+  hardware.firmware = with pkgs; [ (stdenv.mkDerivation rec {
+    name = "rtl8761b-fw";
+
+    fw = fetchurl {
+      url = "https://github.com/Realtek-OpenSource/android_hardware_realtek/raw/e58b611f34f2f5ff57bb0d8cdf1b2e4751e3ccbd/bt/rtkbt/Firmware/BT/rtl8761b_fw";
+      sha256 = "0b59a1f2422c006837c4b5e46b59d49bfdbca1defb958adbbc0d57ebdc19cc82";
+    };
+    config = fetchurl {
+      url = "https://github.com/Realtek-OpenSource/android_hardware_realtek/raw/e58b611f34f2f5ff57bb0d8cdf1b2e4751e3ccbd/bt/rtkbt/Firmware/BT/rtl8761b_config";
+      sha256 = "aa86a092ee58e96256331d5c28c199ceaadec434460e98e7dea20e411e1aa570";
+    };
+
+    unpackPhase = ":";
+    buildPhase = ''
+      dn=$out/lib/firmware
+      mkdir -p $dn/rtl_bt
+      ln -s ${fw} $dn/rtl_bt/rtl8761b_fw.bin
+      ln -s ${config} $dn/rtl_bt/rtl8761b_config.bin
+    '';
+    installPhase = ":";
+  }) ];
+
+}

spacenav.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+
+  environment.systemPackages = with pkgs; [
+    spnavcfg
+  ];
+
+  hardware.spacenavd.enable = true;
+
+  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+    spacenavd = spacenavd.overrideDerivation (_: {
+      patches = spacenavd.patches ++ [
+        (fetchpatch {
+          url = "https://github.com/FreeSpacenav/spacenavd/commit/fbf9019470f2511d24a368e2c9113361b58483d5.patch";
+          sha256 = "1i98c3k4x8f35kpfp4b9xcwgq45mdjab2frp8c2jl6y62fs84d6j";
+        })
+      ];
+    });
+  };
+
+}

sway.nix

@@ -0,0 +1,84 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./common-gui.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    i3status
+    (waybar.override { pulseSupport = true; })
+    rofi-wayland
+    ydotool
+    wtype
+    wl-clipboard
+    feh
+    gnome3.gnome-keyring
+    networkmanagerapplet
+    pcmanfm
+    evince
+    grim
+    mako
+    pavucontrol
+    paprefs
+    gnome3.dconf-editor
+
+    xdg_utils # for xdg-open
+
+    # gnome3 core packages
+    desktop-file-utils shared-mime-info
+    glib gtk3
+    glib-networking gvfs dconf
+    gnome-themes-extra gnome3.adwaita-icon-theme
+    hicolor-icon-theme
+
+    # for QT_QPA_PLATFORM=wayland
+    qt5.qtwayland
+
+    wdisplays
+
+    playerctl
+
+    xorg.xlsclients
+  ];
+
+  # services.dbus.socketActivated = true;
+
+  programs.sway = {
+    enable = true;
+
+    wrapperFeatures.gtk = true;
+
+    extraSessionCommands = ''
+      export SDL_VIDEODRIVER=wayland
+
+      # https://github.com/swaywm/sway/issues/4506
+      export QT_QPA_PLATFORM=xcb
+      # export QT_QPA_PLATFORM=wayland
+      export QT_WAYLAND_DISABLE_WINDOWDECORATION=1
+
+      # Fix for some Java AWT applications (e.g. Android Studio),
+      # use this if they aren't displayed properly:
+      export _JAVA_AWT_WM_NONREPARENTING=1
+
+      # rust winit's wayland support is broken for input methods
+      export WINIT_UNIX_BACKEND=x11
+
+      export XDG_DATA_DIRS=/run/current-system/sw/share/''${XDG_DATA_DIRS:+:}$XDG_DATA_DIRS
+      export $(${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh,gpg)
+      export XDG_CURRENT_DESKTOP=sway
+    '';
+  };
+
+  # services.xserver = {
+  #   enable = true;
+  #   libinput.enable = true;
+  #   # displayManager.lightdm.enable = true;
+  #   displayManager.defaultSession = "sway";
+  # };
+
+  services.dbus.packages = with pkgs; [ mako ];
+
+  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-wlr ];
+
+}

tailscale.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }: {
+  # make the tailscale command usable to users
+  environment.systemPackages = [ pkgs.tailscale ];
+
+  # enable the tailscale service
+  services.tailscale.enable = true;
+
+  networking.firewall.checkReversePath = "loose";
+}

theba.nix

@@ -1,74 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports =
-    [
-      ./common.nix
-      ./large-sw.nix
-      ./uefi.nix
-      ./fstrim.nix
-    ];
-
-  environment.etc."lvm/lvm.conf".text = ''
-    devices {
-      issue_discards = 1
-    }
-  '';
-  boot.initrd.luks.devices = [
-    {
-      name = "sda2_crypt";
-      device = "/dev/disk/by-uuid/a7482f34-1d7b-4181-9f3c-f6bbbdb8679d";
-      preLVM = true;
-      allowDiscards = true;
-    }
-  ];
-
-  services.xserver = {
-    libinput.enable = true;
-    config = ''
-      Section "InputClass"
-        Identifier "touchpad"
-        Driver "libinput"
-        MatchDevicePath "/dev/input/event*"
-        MatchIsPointer "true"
-      EndSection
-    '';
-
-    videoDrivers = [ "modesetting" ];
-    useGlamor = true;
-  };
-  programs.light.enable = true;
-
-  services.tlp.enable = true;
-
-  networking.hostName = "theba"; # Define your hostname.
-  networking.hostId = "b29b900f";
-
-  # services.colord.enable = true;
-
-  systemd.services.ModemManager.enable = true;
-
-  hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
-
-  nixpkgs.config.packageOverrides = pkgs: rec {
-  };
-
-  environment.systemPackages = with pkgs; [
-    unison
-  ];
-
-  virtualisation.docker = {
-    enable = true;
-    storageDriver = "overlay2";
-  };
-  users.extraUsers.gebner.extraGroups = [ "docker" ];
-
-  # virtualisation.virtualbox.host.enable = true;
-
-  # boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages;
-
-  # time.timeZone = pkgs.lib.mkOverride 10 "Europe/London";
-
-  services.avahi.nssmdns = true;
-
-}

uefi.nix

@@ -4,6 +4,4 @@
   # Use the gummiboot efi boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
-
-  boot.initrd.kernelModules = [ "fbcon" ];
 }

unstable-nix.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+
+  nix.package = pkgs.nixUnstable;
+
+  nix.extraOptions = ''
+    experimental-features = flakes nix-command
+  '';
+
+}

v4l2loopback.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+
+  boot = {
+    kernelModules = [ "v4l2loopback" ];
+    extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+  };
+
+}

vaccaria.nix

@@ -3,6 +3,7 @@
 {
   imports =
     [
+      /etc/nixos/hardware-configuration.nix
       ./common-headless.nix
     ];
 
@@ -15,12 +16,7 @@
     hostId = "3d551a7c";
   };
 
-  services.openssh.enable = true;
-
-  users.extraUsers.gebner = {
-    isNormalUser = true;
-    extraGroups = ["wheel" "transmission"];
-  };
+  users.extraUsers.gebner.extraGroups = ["transmission"];
 
   boot.supportedFilesystems = ["zfs"];
   boot.kernelPackages = pkgs.lib.mkOverride 10 pkgs.linuxPackages;
@@ -32,11 +28,21 @@
     fsType = "zfs";
   };
 
+  fileSystems."/home/drebner" = pkgs.lib.mkOverride 10 {
+    device = "vaccaria/drebner";
+    fsType = "zfs";
+  };
+
+  users.extraUsers.drebner = {
+    isNormalUser = true;
+  };
+
  services.samba = {
    enable = true;
    extraConfig = ''
      passdb backend = tdbsam
      unix password sync = no
+     min protocol = NT1
    '';
    shares = {
      export = {
@@ -44,6 +50,11 @@
        "read only" = "no";
        path = "/mnt/vaccaria";
      };
+     drebner = {
+       "guest ok" = "no";
+       "read only" = "no";
+       path = "/home/drebner";
+     };
    };
  };
 
@@ -61,6 +72,7 @@
     allowedTCPPorts = [
       445 139 # samba
       config.services.transmission.settings.peer-port
+      config.services.rsyncd.port
     ];
     allowedUDPPorts = [
       137 138 # samba
@@ -70,32 +82,47 @@
   environment.systemPackages = with pkgs; [
     transmission
     samba
+    rdiff-backup
   ];
 
 
   # fancontrol
   boot.kernelModules = ["it87"];
-  systemd.services.fancontrol =
-    let fancontrolConfig = pkgs.writeText "fancontrol" ''
-      # Configuration file generated by pwmconfig, changes will be lost
-      INTERVAL=10
-      DEVPATH=hwmon0=devices/pci0000:00/0000:00:18.3 hwmon2=devices/platform/it87.552
-      DEVNAME=hwmon0=k10temp hwmon2=it8720
-      FCTEMPS=hwmon2/pwm3=hwmon0/temp1_input hwmon2/pwm1=hwmon0/temp1_input
-      FCFANS=hwmon2/pwm3=hwmon2/fan1_input hwmon2/pwm1=hwmon2/fan1_input
-      MINTEMP=hwmon2/pwm3=40 hwmon2/pwm1=40
-      MAXTEMP=hwmon2/pwm3=65 hwmon2/pwm1=65
-      MINSTART=hwmon2/pwm3=150 hwmon2/pwm1=150
-      MINSTOP=hwmon2/pwm3=0 hwmon2/pwm1=100
-    ''; in {
-    description = "fancontrol from lm_sensors";
-    wantedBy = ["multi-user.target"];
-    serviceConfig.ExecStart = "${pkgs.lm_sensors}/bin/fancontrol ${fancontrolConfig}";
-  };
+  # systemd.services.fancontrol =
+  #   let fancontrolConfig = pkgs.writeText "fancontrol" ''
+  #     # Configuration file generated by pwmconfig, changes will be lost
+  #     INTERVAL=10
+  #     DEVPATH=hwmon1=devices/pci0000:00/0000:00:18.3 hwmon0=devices/platform/it87.552
+  #     DEVNAME=hwmon1=k10temp hwmon0=it8720
+  #     FCTEMPS=hwmon0/pwm3=hwmon1/temp1_input hwmon0/pwm1=hwmon1/temp1_input
+  #     FCFANS=hwmon0/pwm3=hwmon0/fan1_input hwmon0/pwm1=hwmon0/fan1_input
+  #     MINTEMP=hwmon0/pwm3=40 hwmon0/pwm1=40
+  #     MAXTEMP=hwmon0/pwm3=65 hwmon0/pwm1=65
+  #     MINSTART=hwmon0/pwm3=150 hwmon0/pwm1=150
+  #     MINSTOP=hwmon0/pwm3=0 hwmon0/pwm1=100
+  #   ''; in {
+  #   description = "fancontrol from lm_sensors";
+  #   wantedBy = ["multi-user.target"];
+  #   serviceConfig.ExecStart = "${pkgs.lm_sensors}/bin/fancontrol ${fancontrolConfig}";
+  # };
 
   # hdd spindown
   powerManagement.powerUpCommands = ''
-    ${pkgs.hdparm}/bin/hdparm -B127 -S100 /dev/sd{a,b,c,d,e,f}
+    ${pkgs.hdparm}/bin/hdparm -B200 -S0 /dev/sd{a,b,c,d,e,f}
   '';
 
+  services.rsyncd = {
+    enable = true;
+    modules = {
+      lr_mobile = {
+        path = "/mnt/vaccaria/fotos/lr_mobile";
+        "read only" = "yes";
+      };
+    };
+  };
+
+  users.extraUsers.gebner.openssh.authorizedKeys.keys = [
+    ''command="rdiff-backup --server --restrict-read-only /",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiZhy9mm9sUeomfe9Vj5JhNE4l7YOkj7Yiii5Ni2RzUyj/dc9pxvNJSI+om/ruwb1n2gIYi0bOpwrZGiyvrUrpiqLcOwU6IOYLxnQ3E9nHLX3rsGMIyJtMcoBOcTY/rJMogqA4m6uMaaPEaeBlS5F/qb5UGIvQ7YlW1rF75RJ/QXrdL3Y7R3OJbG90QGR5EThs/1HOEBUKgkEcPQDodzNvZ8hFtznWrCw5bMSQYGMfY4WBc1b7UdLaYZ6vghQgsZ5IyvFDvCNTHTfhObYhv71YMXDkocAyI8XecNP1hoJ67oZ1xn06LEUEMiuXIQ4Ss7RYZLzNc2yrd5RYqCdd4x1n backups@aruanus''
+  ];
+
 }