neovim: add sql language injection in the javascript

This reverts commit a501f2ea16.

Makefile

@@ -32,13 +32,13 @@ help:
 define machine_rule
 .PHONY: $(1)
 $(1): ;
-	systemctl --user reset-failed
-	sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
+	# systemctl --user reset-failed
+	sudo nix run -L $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
 endef
 
 define vps_rule
 .PHONY: $(1)
-$(1): ; nix run .#deploy/$(1) -- $(BUILD_ARGS)
+$(1): ; nix run -L .#deploy/$(1) -- $(BUILD_ARGS)
 
 endef
 
@@ -47,7 +47,7 @@ $(foreach vps,$(VPS),$(eval $(call vps_rule,$(vps))))
 
 .PHONY: rollback
 rollback:
-	sudo nixos-rebuild --rollback
+	sudo nixos-rebuild switch --rollback
 
 ################################################################################
 # Editor

disko/luks-btrfs.nix

@@ -0,0 +1,63 @@
+{ device, memSize ? 1024 * 5, swapSize ? "10G" }:
+{
+  disko = {
+    inherit memSize;
+
+    devices = {
+      disk = {
+        main = {
+          type = "disk";
+          inherit device;
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "defaults" ];
+                };
+                priority = 1;
+              };
+              cryptoroot = {
+                size = "100%";
+                content = {
+                  type = "luks";
+                  name = "luksroot";
+                  settings.allowDiscards = true;
+                  passwordFile = "/tmp/secret.key";
+                  content = {
+                    type = "btrfs";
+                    extraArgs = [ "-f" ];
+                    subvolumes = {
+                      root = {
+                        mountpoint = "/";
+                        mountOptions = [ "compress=zstd" ];
+                      };
+                      persistent = {
+                        mountpoint = "/persistent";
+                        mountOptions = [ "compress=zstd" "noatime" ];
+                      };
+                      nix = {
+                        mountpoint = "/nix";
+                        mountOptions = [ "compress=zstd" "noatime" ];
+                      };
+                      swap = {
+                        mountpoint = "/.swapvol";
+                        mountOptions = [ "noatime" ];
+                        swap.swapfile.size = swapSize;
+                      };
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1715290355,
-        "narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
         "type": "github"
       },
       "original": {
@@ -23,6 +23,26 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1727531434,
+        "narHash": "sha256-b+GBgCWd2N6pkiTkRZaMFOPztPO4IVTaclYPrQl2uLk=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "b709e1cc33fcde71c7db43850a55ebe6449d0959",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "firefox-addons": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -30,11 +50,11 @@
       },
       "locked": {
         "dir": "repos/rycee/pkgs/firefox-addons",
-        "lastModified": 1713127732,
-        "narHash": "sha256-07prd+in1ZUcxETxPyWtFjl7xPKwlXzk9a47Q3RnHXU=",
+        "lastModified": 1727605244,
+        "narHash": "sha256-LQOKClgjj4L8gSl0duMqBQFTfD1d2o92JZ0lBhIg9iA=",
         "owner": "nix-community",
         "repo": "nur-combined",
-        "rev": "6edb2a1a43dbd2f8b32876268a530ce82c64013f",
+        "rev": "03735bab40042843097839f2fabac72793f5f669",
         "type": "github"
       },
       "original": {
@@ -50,11 +70,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1714641030,
-        "narHash": "sha256-yzcRNDoyVP7+SCNX0wmuDju1NUCt8Dz9+lyUXEI0dbI=",
+        "lastModified": 1726153070,
+        "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e",
+        "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
         "type": "github"
       },
       "original": {
@@ -79,12 +99,15 @@
       }
     },
     "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
       "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -94,24 +117,6 @@
       }
     },
     "flake-utils_3": {
-      "inputs": {
-        "systems": "systems_2"
-      },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_4": {
       "inputs": {
         "systems": "systems_3"
       },
@@ -131,11 +136,11 @@
     },
     "hardware": {
       "locked": {
-        "lastModified": 1716173274,
-        "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
+        "lastModified": 1728729581,
+        "narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
+        "rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806",
         "type": "github"
       },
       "original": {
@@ -173,11 +178,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713818326,
-        "narHash": "sha256-aw3xbVPJauLk/bbrlakIYxKpeuMWzA2feGrkIpIuXd8=",
+        "lastModified": 1727383923,
+        "narHash": "sha256-4/vacp3CwdGoPf8U4e/N8OsGYtO09WTcQK5FqYfJbKs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "67de98ae6eed5ad6f91b1142356d71a87ba97f21",
+        "rev": "ffe2d07e771580a005e675108212597e5b367d2d",
         "type": "github"
       },
       "original": {
@@ -194,20 +199,35 @@
         ]
       },
       "locked": {
-        "lastModified": 1715381426,
-        "narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
+        "lastModified": 1726989464,
+        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
+        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "home-manager",
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1727556076,
+        "narHash": "sha256-5Iplxbdn/7kQp4UYXMnUMFL2i2lyysOhRyzvvtPe1Qc=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "fff0d95cf40609941769a443a001b25fb95b68ab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "lan-mouse": {
       "inputs": {
         "nixpkgs": [
@@ -216,11 +236,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1713168888,
-        "narHash": "sha256-pNd6KbkLlZtXKQvHWYwQB/Wbqa7lQYVffpSq5uWJqzQ=",
+        "lastModified": 1726858237,
+        "narHash": "sha256-fAHjrIZV9cxAtJmp1SEP11ubvX3Er6lqUHUb7NBFuA8=",
         "owner": "feschber",
         "repo": "lan-mouse",
-        "rev": "36855a1a1767f4a777bad580d5a76fec1be5d9d1",
+        "rev": "b071201dcb000a09330df81784d2ef2c0446da90",
         "type": "github"
       },
       "original": {
@@ -240,11 +260,11 @@
         "rust-overlay": "rust-overlay_2"
       },
       "locked": {
-        "lastModified": 1714571717,
-        "narHash": "sha256-o4tqlTzi9kcVub167kTGXgCac9jM3kW4+v9MH/ue4Hk=",
+        "lastModified": 1726716330,
+        "narHash": "sha256-mIuOP4I51eFLquRaxMKx67pHmhatZrcVPjfHL98v/M8=",
         "owner": "oxalica",
         "repo": "nil",
-        "rev": "2f3ed6348bbf1440fcd1ab0411271497a0fbbfa4",
+        "rev": "c8e8ce72442a164d89d3fdeaae0bcc405f8c015a",
         "type": "github"
       },
       "original": {
@@ -279,11 +299,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716244689,
-        "narHash": "sha256-tFsMxZcbg8WAmNmmL/WxFjp4wgCK2XzTDkM5PNZqCZQ=",
+        "lastModified": 1731097096,
+        "narHash": "sha256-hMBcuTUJs1+zQ5nwTA06isLxk/vUd1r5qs95JRJ5L5E=",
         "ref": "refs/heads/main",
-        "rev": "881339ef7077b5c1d07041a0024575a4170c0174",
-        "revCount": 83,
+        "rev": "20bf0c7e51e1e5ebf5f3754332f134a8ca0ce04c",
+        "revCount": 94,
         "type": "git",
         "url": "https://git.pleshevski.ru/pleshevskiy/nixeovim"
       },
@@ -310,23 +330,23 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1714640452,
-        "narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=",
+        "lastModified": 1725233747,
+        "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1716128955,
-        "narHash": "sha256-3DNg/PV+X2V7yn8b/fUR2ppakw7D9N4sjVBGk6nDwII=",
+        "lastModified": 1728979988,
+        "narHash": "sha256-GBJRnbFLDg0y7ridWJHAP4Nn7oss50/VNgqoXaf/RVk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f9256de8281f2ccd04985ac5c30d8f69aefadbe8",
+        "rev": "7881fbfd2e3ed1dfa315fca889b2cfd94be39337",
         "type": "github"
       },
       "original": {
@@ -338,27 +358,27 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1716061101,
-        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+        "lastModified": 1729044727,
+        "narHash": "sha256-GKJjtPY+SXfLF/yTN7M2cAnQB6RERFKnQhD8UvPSf3M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+        "rev": "dc2e0028d274394f73653c7c90cc63edbb696be1",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1706487304,
-        "narHash": "sha256-LE8lVX28MV2jWJsidW13D2qrHU/RUUONendL2Q/WlJg=",
+        "lastModified": 1718428119,
+        "narHash": "sha256-WdWDpNaq6u1IPtxtYHHWpl5BmabtpmLnMAx0RdJ/vo8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "90f456026d284c22b3e3497be980b2e47d0b28ac",
+        "rev": "e6cea36f83499eb4e9cd184c8a8e823296b50ad5",
         "type": "github"
       },
       "original": {
@@ -371,11 +391,13 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "disko": "disko",
         "firefox-addons": "firefox-addons",
         "flake-utils": "flake-utils_2",
         "hardware": "hardware",
         "home-manager": "home-manager_2",
         "home-manager-unstable": "home-manager-unstable",
+        "impermanence": "impermanence",
         "lan-mouse": "lan-mouse",
         "nil": "nil",
         "nixeovim": "nixeovim",
@@ -393,11 +415,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710987136,
-        "narHash": "sha256-Q8GRdlAIKZ8tJUXrbcRO1pA33AdoPfTUirsSnmGQnOU=",
+        "lastModified": 1716257780,
+        "narHash": "sha256-R+NjvJzKEkTVCmdrKRfPE4liX/KMGVqGUwwS5H8ET8A=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "97596b54ac34ad8184ca1eef44b1ec2e5c2b5f9e",
+        "rev": "4e5e3d2c5c9b2721bd266f9e43c14e96811b89d2",
         "type": "github"
       },
       "original": {
@@ -408,21 +430,17 @@
     },
     "rust-overlay_2": {
       "inputs": {
-        "flake-utils": [
-          "nil",
-          "flake-utils"
-        ],
         "nixpkgs": [
           "nil",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1714529851,
-        "narHash": "sha256-YMKJW880f7LHXVRzu93xa6Ek+QLECIu0IRQbXbzZe38=",
+        "lastModified": 1726453838,
+        "narHash": "sha256-pupsow4L79SBfNwT6vh/5RAbVZuhngIA0RTCZksXmZY=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "9ca720fdcf7865385ae3b93ecdf65f1a64cb475e",
+        "rev": "ca2e79cd22625d214b8437c2c4080ce79bd9f7d2",
         "type": "github"
       },
       "original": {
@@ -433,15 +451,14 @@
     },
     "rust-overlay_3": {
       "inputs": {
-        "flake-utils": "flake-utils_4",
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1715393623,
-        "narHash": "sha256-nSUFcUqyTQQ/aYFIB05mpCzytcKvfKMy3ZQAe0fP26A=",
+        "lastModified": 1727663505,
+        "narHash": "sha256-83j/GrHsx8GFUcQofKh+PRPz6pz8sxAsZyT/HCNdey8=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "8eb8671512cb0c72c748058506e50c54fb5d8e2b",
+        "rev": "c2099c6c7599ea1980151b8b6247a8f93e1806ee",
         "type": "github"
       },
       "original": {
@@ -504,11 +521,11 @@
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {
-        "lastModified": 1715552757,
-        "narHash": "sha256-ZOgCSIcdvG8+RcZCXSAEmb/LZ2Ap9wU4nvbxNDA+QN0=",
+        "lastModified": 1727849733,
+        "narHash": "sha256-mqxs/nyzOEKiBHa94OtcOLYBXd65P8tO4DUVTHWHn6o=",
         "owner": "Toqozz",
         "repo": "wired-notify",
-        "rev": "18b44306b2636fc7f238a9d946c7b8aac217122d",
+        "rev": "a1f6965737754e7424f9468f6befef885a9ee0ad",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,9 +1,14 @@
 {
   inputs = {
     flake-utils.url = "github:numtide/flake-utils";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     hardware.url = "github:NixOS/nixos-hardware/master";
+    impermanence.url = "github:nix-community/impermanence";
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";
 
@@ -14,7 +19,7 @@
     };
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-23.11";
+      url = "github:nix-community/home-manager/release-24.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     home-manager-unstable = {
@@ -82,7 +87,7 @@
                   set -e
                   ${nixos-rebuild}/bin/nixos-rebuild switch --flake .#${hostname} $@
                   ${lib.optionalString machine.config.hardware.pulseaudio.systemWide ''
-                    systemctl restart pulseaudio.service
+                    systemctl restart alsa-store.service
                   ''}
                 '')
                 localMachines);
@@ -99,6 +104,11 @@
               # Path to the agenix configuration file
               RULES = "./.agenix_config.nix";
             };
+            disk = pkgs.mkShell {
+              packages = [
+                inputs.disko.packages.${system}.disko
+              ];
+            };
             tools = pkgs.mkShell {
               packages = with pkgs; [
                 mkpasswd
@@ -131,7 +141,9 @@
               modules =
                 (with inputs; [
                   agenix.nixosModules.default
-                  home-manager.nixosModule
+                  home-manager.nixosModules.default
+                  disko.nixosModules.disko
+                  impermanence.nixosModules.impermanence
                 ])
                 ++ [
                   # deployment settings
@@ -147,6 +159,7 @@
                   })
                   # base home manager settings
                   ({ ... }: {
+                    home-manager.backupFileExtension = "backup";
                     home-manager.useGlobalPkgs = true;
                     home-manager.useUserPackages = true;
                     home-manager.extraSpecialArgs = {
@@ -158,7 +171,6 @@
                           ./modules/home-manager
                           inputs.wired.homeManagerModules.default
                           inputs.lan-mouse.homeManagerModules.default
-                          "${inputs.home-manager-unstable}/modules/services/window-managers/river.nix"
                         ];
                       }
                     ];
@@ -166,8 +178,12 @@
                 ]
                 ++ extraModules
                 ++ [ ./modules/nixos ]
-                ++ [ ./hosts/${hostname}/configuration.nix ];
+                ++ [ ./hosts/${hostname}/configuration.nix ]
+                ++ [ "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix" ];
             })
           (import ./hosts inputs);
+      diskoConfigurations = {
+        asus-gl553vd = import ./hosts/asus-gl553vd/disk-config.nix;
+      };
     };
 }

hosts/asus-gl553vd/configs/boot.nix

@@ -1,13 +1,10 @@
-{ ... }:
-
 {
-  # Use the systemd-boot EFI boot loader.
   boot.loader = {
+    timeout = 1;
     systemd-boot = {
       enable = true;
-      configurationLimit = 10;
+      configurationLimit = 20;
     };
-
     efi.canTouchEfiVariables = true;
   };
 }

hosts/asus-gl553vd/configs/default.nix

@@ -1,8 +1,7 @@
-{ ... }:
-
 {
   imports = [
     ./boot.nix
+    ./imp.nix
     ./networking.nix
     ./wireguard
   ];

hosts/asus-gl553vd/configs/imp.nix

@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+
+{
+  # A setup which would clean root subvolume between boots remove automatically removed roots that
+  # are older than one day:
+  # 
+  # Source: https://github.com/nix-community/impermanence
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    mkdir /btrfs_tmp
+    mount /dev/mapper/luksroot /btrfs_tmp
+    if [[ -e /btrfs_tmp/root ]]; then
+        mkdir -p /btrfs_tmp/old_roots
+        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+        mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+    fi
+
+    delete_subvolume_recursively() {
+        IFS=$'\n'
+        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+            delete_subvolume_recursively "/btrfs_tmp/$i"
+        done
+        btrfs subvolume delete "$1"
+    }
+
+    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +1); do
+        delete_subvolume_recursively "$i"
+    done
+
+    echo 1 | tee /btrfs_tmp/root/sys/class/leds/asus\:\:kbd_backlight/brightness
+
+    btrfs subvolume create /btrfs_tmp/root
+    umount /btrfs_tmp
+    rm -r /btrfs_tmp
+  '';
+
+  age.identityPaths = map (v: "/persistent/system/etc/ssh/${v}") [
+    "ssh_host_rsa_key"
+    "ssh_host_ed25519_key"
+  ];
+
+  environment.persistence = {
+    "/persistent/system" = {
+      hideMounts = true;
+      directories = [
+        "/var/lib/bluetooth"
+        "/var/lib/nixos"
+        "/var/lib/systemd/coredump"
+        "/etc/NetworkManager/system-connections"
+      ];
+      files = [
+        "/etc/machine-id"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
+      ];
+    };
+    "/persistent/docker" = lib.mkIf config.virtualisation.docker.enable {
+      hideMounts = true;
+      directories = map (v: "/var/lib/docker/${v}") [
+        "containers"
+        "volumes"
+        "image"
+        "overlay2"
+        "network"
+      ];
+      files = [ "/var/lib/docker/engine-id" ];
+    };
+    "/presistent/ollama" = lib.mkIf config.services.ollama.enable {
+      hideMounts = true;
+      directories  = [
+        "/var/lib/private/ollama"
+      ];
+    };
+  };
+}

hosts/asus-gl553vd/configs/networking.nix

@@ -1,13 +1,10 @@
-{ ... }:
-
 {
   networking = {
     hostName = "laptop"; # Define your hostname.
 
     networkmanager.enable = true;
 
-    firewall.allowedTCPPortRanges = [
-      { from = 33000; to = 33999; }
-    ];
+    useDHCP = false;
+    interfaces.wlp2s0.useDHCP = true;
   };
 }

hosts/asus-gl553vd/configuration.nix

@@ -1,4 +1,4 @@
-{ globalData, ... }:
+{ globalData, pkgs, ... }:
 
 {
   imports = [
@@ -7,7 +7,11 @@
     ./users
   ];
 
-  local.yubikey.enable = true;
+  local.yubikey = {
+    enable = true;
+    serial = "28058247";
+    unplug.enable = true;
+  };
 
   ################################################################################
   # Services
@@ -22,12 +26,25 @@
   ################################################################################
   # Programs
   ################################################################################
-  local.programs.browsers.tor-browser = {
+  services.ollama = {
     enable = true;
-    container = {
+    package = pkgs.unstable.ollama;
+  };
+
+
+  local.programs.communication = {
+    telegram = {
       enable = true;
-      externalInterface = "wg0";
-      sshAuthorizedKeys = globalData.publicKeys.users.jan;
+      package = pkgs.unstable.tdesktop;
+    };
+    simplex-chat = {
+      enable = true;
+      package = pkgs.unstable.simplex-chat-desktop;
+      openFirewall = true;
     };
   };
+
+  environment.shellInit = ''
+    [ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +local: > /dev/null || true
+  '';
 }

hosts/asus-gl553vd/disk-config.nix

@@ -0,0 +1,3 @@
+import ../../disko/luks-btrfs.nix {
+  device = "/dev/disk/by-id/nvme-NE-256_2280_0015167003217";
+}

hosts/asus-gl553vd/hardware-configuration/default.nix

@@ -1,16 +1,7 @@
-{ ... }:
-
 {
-  # Include the results of the hardware scan.
-  imports = [ ./generated.nix ];
-
-  # Enable keyboard on the boot
-  boot.initrd.availableKernelModules = [ "hid_asus" ];
-
-  boot.kernelModules = [
-    # Enable containers
-    # See: https://github.com/NixOS/nixpkgs/issues/38676
-    "veth"
+  imports = [
+    ./generated.nix # Include the results of the hardware scan.
+    ./manual.nix
   ];
 
 
@@ -29,7 +20,7 @@
   };
 
   # configure mouse and touchpad
-  services.xserver.libinput = {
+  services.libinput = {
     enable = true;
     touchpad = {
       accelSpeed = "0.5";

hosts/asus-gl553vd/hardware-configuration/generated.nix

@@ -1,36 +1,56 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:
 
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot = {
-    initrd = {
-      availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-      kernelModules = [ ];
-    };
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
 
-    kernelModules = [ "kvm-intel" ];
-    extraModulePackages = [ ];
+  boot.initrd = {
+    availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
+    kernelModules = [ ];
+    luks.devices."luksroot".device = "/dev/disk/by-uuid/eb896c1c-f012-412e-86bd-48f663377129";
   };
 
   fileSystems = {
     "/" = {
-      device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
-      fsType = "ext4";
+      device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+      fsType = "btrfs";
+      options = [ "subvol=root" "compress=zstd" ];
+    };
+
+    "/persistent" = {
+      device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+      fsType = "btrfs";
+      options = [ "subvol=persistent" "compress=zstd" ];
+      neededForBoot = true;
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+      fsType = "btrfs";
+      options = [ "subvol=nix" "compress=zstd" "noatime" ];
+    };
+
+    "/.swapvol" = {
+      device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+      fsType = "btrfs";
+      options = [ "subvol=swap" "noatime" ];
     };
 
     "/boot" = {
-      device = "/dev/disk/by-uuid/499C-4EBD";
+      device = "/dev/disk/by-uuid/94EE-CA0D";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
   };
 
-  swapDevices = [{ device = "/dev/disk/by-uuid/fa457df9-cd48-4c81-90cb-a511a7689988"; }];
+  swapDevices = [{ device = "/.swapvol/swapfile"; }];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -40,6 +60,6 @@
   # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
 
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/asus-gl553vd/hardware-configuration/manual.nix

@@ -0,0 +1,24 @@
+{ ... }:
+
+{
+  boot.kernelModules = [
+    # Enable containers
+    # See: https://github.com/NixOS/nixpkgs/issues/38676
+    "veth"
+  ];
+
+  # Enable keyboard on the boot
+  boot.initrd.availableKernelModules = [ "hid_asus" ];
+
+  boot.blacklistedKernelModules = [ "nouveau" ];
+
+  fileSystems."/home/jan" = {
+    device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
+    fsType = "ext4";
+    options = [
+      "defaults"
+      "X-mount.subdir=home/jan"
+      "X-mount.mkdir"
+    ];
+  };
+}

hosts/asus-gl553vd/users/jan.nix

@@ -1,4 +1,4 @@
-{ hostsPath, usersPath, ... }:
+{ hostsPath, usersPath, lib, ... }:
 
 let
   asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");

hosts/home/configs/printer.nix

@@ -6,7 +6,7 @@
   services = {
     avahi = {
       enable = true;
-      nssmdns = true;
+      nssmdns4 = true;
     };
     printing = {
       enable = true;

hosts/home/configuration.nix

@@ -1,4 +1,4 @@
-{ globalData, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [
@@ -7,28 +7,111 @@
     ./users
   ];
 
-  local.yubikey.enable = true;
-
   ################################################################################
   # Programs
   ################################################################################
-  local.programs.browsers.tor-browser = {
-    enable = true;
-    container = {
-      enable = true;
-      externalInterface = "wg0";
-      sshAuthorizedKeys = globalData.publicKeys.users.jan;
-    };
-  };
 
   ################################################################################
   # Services
   ################################################################################
   local.services.i2pd.enable = true;
+  local.services.kubo.enable = true;
 
   local.services.octoprint.enable = true;
 
   virtualisation.docker.enable = true;
   # Torrent client
-  services.transmission.enable = true;
+  services.transmission = {
+    enable = true;
+    settings = {
+      rpc-bind-address = "192.168.7.10";
+      rpc-port = 9091;
+      rpc-whitelist = "192.168.7.*";
+    };
+  };
+
+  services.ollama = {
+    enable = true;
+    package = pkgs.unstable.ollama;
+    acceleration = "rocm";
+  };
+
+  programs.sniffnet.enable = true;
+
+  ################################################################################
+  # Containers
+  ################################################################################
+
+  environment.shellInit = ''
+    [ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +local: > /dev/null || true
+  '';
+
+  local.programs.communication = {
+    telegram = {
+      enable = true;
+      package = pkgs.unstable.tdesktop;
+    };
+    simplex-chat = {
+      enable = true;
+      package = pkgs.unstable.simplex-chat-desktop;
+      openFirewall = true;
+    };
+  };
+
+  containers.games = {
+    autoStart = true;
+    bindMounts = {
+      "${config.services.transmission.settings.download-dir}" = { };
+      "/tmp/.X11-unix" = { };
+      "/run/opengl-driver/lib" = { };
+      "/run/opengl-driver-32/lib" = { };
+    };
+    allowedDevices = [
+      {
+        modifier = "r";
+        node = "/dev/kfd";
+      }
+      {
+        modifier = "r";
+        node = "/dev/dri";
+      }
+    ];
+    config = { pkgs, ... }: {
+      nixpkgs.config.allowUnfree = true;
+      system.stateVersion = "23.11";
+
+      users.groups.transmission = config.users.groups.transmission;
+      users.users.john = {
+        isNormalUser = true;
+        home = "/home/john";
+        password = "hello";
+        extraGroups = [ "pulse-access" "transmission" ];
+        packages = with pkgs; [
+          # wine
+          wineWowPackages.stable
+          winetricks
+          # community edition
+          fallout-ce
+          fallout2-ce
+          openmw
+          openxcom
+          # tools
+          innoextract
+          vim
+          unzip
+          p7zip
+          unrar-wrapper
+          wget
+        ];
+      };
+      environment.sessionVariables = {
+        DISPLAY = ":0";
+        PULSE_SERVER = "tcp:127.0.0.1:4713";
+        XAUTHORITY = "/home/john/.Xauthority";
+
+        WINEPREFIX = "/home/john/.wine";
+        WINEARCH = "win32";
+      };
+    };
+  };
 }

hosts/home/hardware-configuration/default.nix

@@ -26,6 +26,11 @@
   # extra configs
   hardware.bluetooth.enable = true;
 
+  hardware.graphics = {
+    enable = true;
+    enable32Bit = true;
+  };
+
   # All monitors in the right order
   # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/x11/xserver.nix#L83
   services.xserver.xrandrHeads = [

hosts/home/users/jan.nix

@@ -33,30 +33,28 @@ in
       ];
     };
 
+    local.games.endless-sky.enable = true;
+
     # Extra packages
     home.packages = with pkgs.unstable; [
-      # game dev
-      blender
+      ## game dev
+      blender-hip
       godot_4
       libresprite
 
-      # 3d printer
-      cura
+      ## 3d printer
+      # Cannot build unstable Cura!
+      # See: https://github.com/NixOS/nixpkgs/issues/325896
+      # it's too old in the nixpkgs!
+      # See: https://github.com/NixOS/nixpkgs/issues/186570
+      pkgs.cura
 
-      # electronics
-      kicad-small
+      ## electronics
+      # kicad-small
       # librepcb
 
       # tools
       bind.dnsutils
-
-      kubo # ipfs
     ];
-
-    # games
-    local.games = {
-      mindustry.enable = true;
-      widelands.enable = true;
-    };
   };
 }

hosts/istal/hardware-configuration/default.nix

@@ -5,4 +5,11 @@
     ./generated.nix
     ./networking.secret.nix
   ];
+
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 2 * 1024;
+    }
+  ];
 }

hosts/istal/services/default.nix

@@ -1,5 +1,9 @@
-{ ... }:
-
 {
-  imports = [ ./wireguard ];
+  imports = [
+    ./forgejo-runners
+    ./wireguard
+    # ./docker-registry-proxy.nix
+    ./nginx.nix
+    ./renovate.nix
+  ];
 }

hosts/istal/services/docker-registry-proxy.nix

@@ -0,0 +1,20 @@
+{...}:
+
+{
+  services.dockerRegistry = {
+    enable = true;
+    enableGarbageCollect = true;
+    extraConfig = {
+      proxy.remoteurl = "https://registry-1.docker.io";
+    };
+  };
+
+  services.nginx = {
+    upstreams.docker-hub-registry.servers."localhost:5000" = { };
+    virtualHosts."docker-hub.pleshevski.ru" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/v2/".proxyPass = "http://docker-hub-registry";
+    };
+  };
+}

hosts/istal/services/forgejo-runners/default.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+
+let
+  NODE_OPTIONS = "--max_old_space_size=4096";
+in
+{
+  age.secrets.forgejo-runner-token-istal-docker.file = ./forgejo-runner-token-istal-docker.age;
+  age.secrets.forgejo-runner-token-codeberg-docker.file = ./forgejo-runner-token-codeberg-docker.age;
+
+  virtualisation.docker.enable = true;
+
+  services.gitea-actions-runner = {
+    package = pkgs.unstable.forgejo-runner;
+    instances = {
+      istal-docker = {
+        enable = true;
+        name = "istal-docker";
+        url = "https://git.pleshevski.ru";
+        labels = [ ];
+        tokenFile = config.age.secrets.forgejo-runner-token-istal-docker.path;
+        settings = {
+          runner = {
+            envs = { inherit NODE_OPTIONS; };
+
+            timeout = "1h";
+          };
+        };
+      };
+      codeberg-docker = {
+        enable = true;
+        name = "codeberg-docker";
+        url = "https://codeberg.org";
+        labels = [ ];
+        tokenFile = config.age.secrets.forgejo-runner-token-codeberg-docker.path;
+        settings = {
+          runner = {
+            envs = { inherit NODE_OPTIONS; };
+
+            timeout = "1h";
+          };
+        };
+      };
+    };
+  };
+}

hosts/istal/services/nginx.nix

@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dmitriy@pleshevski.ru";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}

hosts/istal/services/renovate.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+
+{
+  age.secrets.renovate-gitea-token.file = ./renovate-gitea-token.age;
+  age.secrets.renovate-github-token.file = ./renovate-github-token.age;
+
+  services.renovate = {
+    enable = true;
+    package = pkgs.unstable.renovate;
+    schedule = "0..3,10..23:00/15";
+    credentials = {
+      RENOVATE_TOKEN = config.age.secrets.renovate-gitea-token.path;
+      GITHUB_COM_TOKEN = config.age.secrets.renovate-github-token.path;
+    };
+    runtimePackages = with pkgs.unstable; [
+      nodePackages.pnpm
+      nodePackages.npm
+      python312
+      poetry
+      gnumake
+      cargo
+    ];
+    settings = {
+      platform = "gitea";
+      endpoint = "https://git.pleshevski.ru";
+      assignees = [ "pleshevskiy" ];
+      autodiscover = true;
+      packageRules = [
+        {
+          matchUpdateTypes = [ "minor" "patch" "pin" "digest" ];
+          automerge = true;
+        }
+      ];
+      automergeStrategy = "fast-forward";
+      onboardingConfig = {
+        "$schema" = "https://docs.renovatebot.com/renovate-schema.json";
+        extends = [ "config:recommended" ];
+        configMigration = true;
+      };
+      globalExtends = ["npm:unpublishSafe"];
+
+      cacheHardTtlMinutes = 30;
+      httpCacheTtlDays = 1;
+    };
+  };
+
+  # systemd.services.renovate.environment.LOG_LEVEL = "debug";
+}

hosts/tatos/configuration.nix

@@ -6,6 +6,8 @@
     ./services
   ];
 
+  local.system.kernel = "hardened";
+
   networking.hostName = "tatos";
 
   users.users.root.openssh.authorizedKeys.keys = globalData.publicKeys.users.jan;

hosts/tatos/services/wireguard/default.nix

@@ -79,7 +79,7 @@ in
         }
         # Phone 2 m
         {
-          publicKey = "0+ejwId5JcTeMvoz+I/ACpmpUFjD7rl9wqz8H/OAHEw=";
+          publicKey = "p1GR0Ax2wrqnnd/coKYA4p0lvhdY9Mkk4iwhPxZfl3I=";
           allowedIPs = [ "10.20.30.6/32" ];
         }
         # Phone 3 n
@@ -87,6 +87,11 @@ in
           publicKey = "IUw38F1ik2y2XoPh3Nd1VVxHz9nfKDfNKyzBaEi0rjc=";
           allowedIPs = [ "10.20.30.7/32" ];
         }
+        # Laptop m
+        {
+          publicKey = "dF5YEeK1nw2V4GNLwg67M+r8NMA315KpueQMk+ZFO1M=";
+          allowedIPs = [ "10.20.30.8/32" ];
+        }
       ];
     };
   };

misc/wg-client-conf.nix

@@ -1,4 +1,3 @@
-# use nix-build -E (import <system>/misc/wg-client-conf.nix {})
 { pkgs ? import <nixpkgs> { }
 , address
 , privateKey

modules/home-manager/configs/window-manager/xmonad/default.nix

@@ -63,8 +63,22 @@ in
       xclip # access x clipboard from a console
       dmenu # menu for x window system
       nitrogen # wallpaper manager
+      rofimoji # emoji picker
     ];
 
+    programs.rofi.pass = {
+      enable = true;
+      extraConfig = ''
+        EDITOR='wezterm start -- nvim'
+
+        URL_field='url'
+        USERNAME_field='login'
+        AUTOTYPE_field='autotype'
+
+        default_autotype='user :tab pass'
+      '';
+    };
+
     xsession = {
       enable = true;
 

modules/home-manager/configs/window-manager/xmonad/xmonad_config.hs

@@ -233,10 +233,13 @@ myManageHook = manageApps
     anyOf :: [Query Bool] -> Query Bool
     anyOf = foldl (<||>) (pure False)
 
+    machine = stringProperty "WM_CLIENT_MACHINE"
     role = stringProperty "WM_WINDOW_ROLE"
     isPopup = role =? "pop-up"
     isPinentry = anyOf [className =? "Gcr-promter", className =? "Pinentry"]
 
+    isGameMachine = machine =? "games"
+
     isWezterm = className =? "org.wezfurlong.wezterm"
     isAlacritty = className =? "Alacritty"
     isTerminal = anyOf [isWezterm, isAlacritty]
@@ -246,6 +249,7 @@ myManageHook = manageApps
       composeOne
         [ -- apps
           className =? "Gimp" -?> doFloat,
+          isGameMachine -?> doFloat,
           -- general
           anyOf
             [ resource =? "desktop_window",
@@ -273,10 +277,15 @@ myKeys conf =
         ("M-S-<Return>", spawn $ XMonad.terminal conf),
         -- launch a 'flameshot' to screenshot
         ("M-S-s", safeSpawn "flameshot" ["gui"]),
-        -- launch 'librewolf' browser
+        -- launch browsers
         ("M-S-b", spawn "librewolf"),
+        ("M-S-t", spawn "tor-browser"),
         -- launch 'dmenu_run' to choose applications
-        ("M-p", spawn "dmenu_run")
+        ("M-r", spawn "dmenu_run"),
+        -- launch 'rofi-pass' to use password manager
+        ("M-p", spawn "rofi-pass --last-used"),
+        -- launch 'rofimoji' to pick emoji
+        ("M-e", spawn "rofimoji --action copy")
         -- Open calculator
         -- ("<XF86Calculator>", spawn "gnome-calculator"),
       ]

modules/home-manager/games.nix

@@ -8,10 +8,14 @@ in
     mindustry.enable = mkEnableOption "mindustry";
     widelands.enable = mkEnableOption "widelands";
     unciv.enable = mkEnableOption "unciv";
+    freeciv.enable = mkEnableOption "freeciv";
+    endless-sky.enable = mkEnableOption "endless-sky";
   };
 
   config.home.packages =
     lib.optional cfg.mindustry.enable pkgs.unstable.mindustry
     ++ lib.optional cfg.widelands.enable pkgs.widelands
-    ++ lib.optional cfg.unciv.enable pkgs.unstable.unciv;
+    ++ lib.optional cfg.unciv.enable pkgs.unstable.unciv
+    ++ lib.optional cfg.freeciv.enable pkgs.unstable.freeciv
+    ++ lib.optional cfg.endless-sky.enable pkgs.unstable.endless-sky;
 }

modules/home-manager/programs/aerc.nix

@@ -85,9 +85,12 @@ in
           "text/plain" = "colorize";
           "text/rfc822-headers" = "colorize";
           # "text/*" = "${pkgs.bat}/bin/bat -fpp --file-name='$AERC_FILENAME'";
-          "message/delivery-status" = "cat | colorize";
+          "message/*" = "cat | colorize";
           "application/pgp-keys" = "gpg";
           ".filename,~\\.gpg" = "gpg --decrypt";
+          ".filename,~\\.xml\\.gz" = "${pkgs.gzip}/bin/gunzip |"
+            + "${pkgs.xmlformat}/bin/xmlformat |"
+            + "${pkgs.bat}/bin/bat -fpp --file-name='$AERC_FILENAME' --language xml";
         };
 
         openers = { };
@@ -125,10 +128,6 @@ in
             "\\" = fill "filter";
             "n" = exec "next-result";
             "N" = exec "prev-result";
-            #"D" = exec "modify-labels +deleted -inbox";
-            #"A" = exec "modify-labels -inbox";
-            #"ms" = exec "modify-labels +spam -inbox";
-            #"mS" = exec "modify-labels -spam +inbox";
           }
         ];
 
@@ -154,15 +153,14 @@ in
           }
         ];
 
-        compose = lib.mkMerge [
-          globalBinds
-          {
-            "$ex" = "<C-x>";
-            "<C-k>" = exec "prev-field";
-            "<C-j>" = exec "next-field";
-            "<tab>" = exec "next-field";
-          }
-        ];
+        compose = {
+          "$ex" = "<C-x>";
+          "<C-k>" = exec "prev-field";
+          "<C-j>" = exec "next-field";
+          "<tab>" = exec "next-field";
+          "<C-l>" = exec "next-tab";
+          "<C-h>" = exec "prev-tab";
+        };
 
         "compose::editor" = {
           "$noinherit" = "true";

modules/home-manager/programs/argos-translate.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.local.programs.argos-translate; in
+{
+  options.local.programs.argos-translate = with lib; {
+    enable = mkEnableOption "argostranslate";
+    package = mkPackageOption pkgs.python311Packages "argostranslate" {};
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = [ cfg.package ];
+
+    programs.zsh.shellAliases = lib.mkIf config.programs.zsh.enable {
+      en2ru = "${cfg.package}/bin/argos-translate --from en --to ru";
+      ru2en = "${cfg.package}/bin/argos-translate --from ru --to en";
+    };
+  };
+}

modules/home-manager/programs/communication.nix

@@ -4,15 +4,19 @@
 let cfg = config.local.programs.communication; in
 {
   options.local.programs.communication = with lib; {
-    simplex-chat.enable = mkEnableOption "SimplexChat";
-    telegram.enable = mkEnableOption "tdesktop. telegram client";
-    matrix.enable = mkEnableOption "nheko. matrix client";
-    skype.enable = mkEnableOption "skype";
+    matrix = {
+      enable = mkEnableOption "nheko. matrix client";
+      package = mkPackageOption pkgs "nheko" { };
+    };
+    tox = {
+      enable = mkEnableOption "tox";
+      package = mkPackageOption pkgs "qtox" { };
+    };
   };
 
-  config.home.packages = with pkgs.unstable;
-    lib.optional cfg.simplex-chat.enable simplex-chat-desktop
-    ++ lib.optional cfg.telegram.enable tdesktop
-    ++ lib.optional cfg.matrix.enable nheko
-    ++ lib.optional cfg.skype.enable skypeforlinux;
+  config = {
+    home.packages =
+      lib.optional cfg.matrix.enable cfg.matrix.package
+      ++ lib.optional cfg.tox.enable cfg.tox.package;
+  };
 }

modules/home-manager/programs/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./aerc.nix
+    ./argos-translate.nix
     ./communication.nix
     ./dev-tools.nix
     ./flameshot.nix

modules/home-manager/programs/dev-tools.nix

@@ -88,6 +88,10 @@ in
           ]
         ))
       ];
+
+      programs.zsh.initExtra = ''
+        source <(kubectl completion zsh)
+      '';
     })
 
     (lib.mkIf cfg.psql.enable {

modules/home-manager/programs/file-managers/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./nautilus.nix
+    ./nnn.nix
     ./vifm
   ];
 }

modules/home-manager/programs/file-managers/nautilus.nix

@@ -8,5 +8,5 @@ in
     enable = mkEnableOption "nautilus";
   };
 
-  config.home.packages = with pkgs.unstable; lib.optional cfg.enable gnome.nautilus;
+  config.home.packages = with pkgs.unstable; lib.optional cfg.enable nautilus;
 }

modules/home-manager/programs/file-managers/nnn.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.local.programs.file-managers.nnn;
+in
+{
+  options.local.programs.file-managers.nnn = with lib; {
+    enable = mkEnableOption "nnn";
+    package = mkPackageOption pkgs "nnn" {};
+  };
+
+  config.home.packages = lib.optional cfg.enable cfg.package;
+}

modules/home-manager/programs/file-managers/vifm/vifmrc

@@ -11,7 +11,7 @@
 " If you would like to use another vi clone such as Elvis or Vile
 " you will need to change this setting.
 
-set vicmd=vim
+set vicmd=nvim
 
 " This makes vifm perform file operations on its own instead of relying on
 " standard utilities like `cp`.  While using `cp` and alike is a more universal
@@ -128,12 +128,12 @@ mark h ~/
 " %m run the command in a menu window
 
 command! df df -h %m 2> /dev/null
-command! diff vim -d %f %F
+command! diff nvim -d %f %F
 command! zip zip -r %c.zip %f
 command! run !! ./%f
 command! make !!make %a
 command! mkcd :mkdir %a | cd %a
-command! vgrep vim "+grep %a"
+command! vgrep nvim "+grep %a"
 command! reload :write | restart full
 
 " ------------------------------------------------------------------------------
@@ -316,11 +316,6 @@ nnoremap S :sort<cr>
 nnoremap w :view<cr>
 vnoremap w :view<cr>gv
 
-" Open file in existing instance of gvim
-nnoremap o :!gvim --remote-tab-silent %f<cr>
-" Open file in new instance of gvim
-nnoremap O :!gvim %f<cr>
-
 " Open file in the background using its default program
 nnoremap gb :file &<cr>l
 
@@ -354,8 +349,6 @@ nnoremap ,t :!xterm &<cr>
 
 " Open editor to edit vifmrc and apply settings after returning to vifm
 nnoremap ,c :write | edit $MYVIFMRC | restart full<cr>
-" Open gvim to edit vifmrc
-nnoremap ,C :!gvim --remote-tab-silent $MYVIFMRC &<cr>
 
 " Toggle wrap setting on ,w key
 nnoremap ,w :set wrap!<cr>

modules/home-manager/shell.nix

@@ -9,7 +9,7 @@
 
     programs.zsh = {
       enable = true;
-      enableAutosuggestions = true;
+      autosuggestion.enable = true;
       enableCompletion = true;
       defaultKeymap = "viins";
       dotDir = ".config/zsh";

modules/machine.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 {
   imports = [ ./common.nix ];
@@ -35,5 +35,19 @@
   ################################################################################
   local.programs.pass.enable = lib.mkDefault true;
 
-  local.programs.browsers.librewolf.enable = lib.mkDefault true;
+  local.programs.browsers = {
+    librewolf.enable = lib.mkDefault true;
+    tor-browser.enable = lib.mkDefault true;
+    ungoogled-chromium.enable = lib.mkDefault true;
+  };
+
+  security.sudo.extraRules = [{
+    commands = [
+      {
+        command = "/run/current-system/sw/bin/nixos-container";
+        options = [ "NOPASSWD" ];
+      }
+    ];
+    groups = [ "wheel" ];
+  }];
 }

modules/nixos/configs/keyboard.nix

@@ -9,11 +9,11 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    services.xserver = {
-      xkbModel = "pc105";
+    services.xserver.xkb = {
+      model = "pc105";
       layout = "us,us";
-      xkbVariant = "dvorak,";
-      xkbOptions = "grp:win_space_toggle";
+      variant = "dvorak,";
+      options = "grp:win_space_toggle";
     };
 
     console.useXkbConfig = true;

modules/nixos/configs/lockscreen/i3lock.nix

@@ -11,7 +11,7 @@ in
   config = lib.mkIf cfg.enable {
     programs.i3lock = {
       enable = true;
-      u2fSupport = lib.mkDefault config.local.yubikey.enable;
+      u2fSupport = lib.mkDefault config.security.pam.u2f.enable;
     };
 
     programs.xss-lock.enable = true;

modules/nixos/configs/nix.nix

@@ -42,6 +42,11 @@ in
           };
         };
       })
+      (final: prev: {
+        sniffnet = (import inputs.nixpkgs-unstable {
+          inherit (config.nixpkgs) config system;
+        }).sniffnet;
+      })
       (final: prev: {
         unstable = import inputs.nixpkgs-unstable {
           inherit (config.nixpkgs) config overlays system;

modules/nixos/configs/security.nix

@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.local.security.sudo;
+in
+{
+  options.local.security.sudo = with lib; {
+    nopasswd = mkOption {
+      type = types.listOf (types.submodule {
+        options = {
+          commands = mkOption {
+            type = with types; listOf (either str package);
+          };
+          groups = mkOption {
+            type = types.listOf types.str;
+            default = [ "wheel" ];
+          };
+        };
+      });
+      default = [ ];
+    };
+  };
+
+  config = lib.mkIf (cfg.nopasswd != [ ]) {
+    security.sudo.extraRules = lib.flip map cfg.nopasswd (rule: {
+      inherit (rule) groups;
+      commands = lib.flip map rule.commands (cmd:
+        {
+          command = "${cmd}";
+          options = [ "NOPASSWD" ];
+        }
+      );
+    });
+  };
+
+}

modules/nixos/configs/sound.nix

@@ -1,17 +1,35 @@
 { config, pkgs, lib, ... }:
 
+let
+  cfg = config.local.sound;
+in
 {
-  options.local.sound.enable = lib.mkEnableOption "sound";
+  options.local.sound = {
+    enable = lib.mkEnableOption "sound";
+    systemWide = lib.mkEnableOption "systemWide";
+  };
 
-  config = lib.mkIf config.local.sound.enable {
+  config = lib.mkIf cfg.enable {
     sound = {
       enable = true;
       mediaKeys.enable = true;
     };
 
-    hardware.pulseaudio = {
-      enable = true;
-      package = pkgs.pulseaudioFull;
-    };
+    hardware.pulseaudio = lib.mkMerge [
+      {
+        enable = true;
+        package = pkgs.pulseaudioFull;
+      }
+      (lib.mkIf cfg.systemWide {
+        systemWide = true;
+        support32Bit = true;
+        tcp = {
+          enable = true;
+          anonymousClients.allowedIpRanges = [ "127.0.0.1" ];
+        };
+      })
+    ];
+
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.systemWide [ 4713 ];
   };
 }

modules/nixos/configs/system.nix

@@ -40,7 +40,7 @@ in
     })
 
     (lib.mkIf (cfg.kernel == "stable") {
-      boot.kernelPackages = pkgs.unstable.linuxPackages_6_6;
+      boot.kernelPackages = pkgs.unstable.linuxPackages_6_10;
     })
 
     (lib.mkIf (cfg.kernel == "latest") {

modules/nixos/configs/window-manager/hyprland.nix

@@ -14,7 +14,7 @@ in
       package = pkgs.unstable.hyprland;
     };
 
-    programs.gnupg.agent.pinentryFlavor = "gtk2";
+    programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;
 
     local.lockscreen.waylock.enable = lib.mkDefault true;
   };

modules/nixos/configs/window-manager/river.nix

@@ -14,7 +14,7 @@ in
       package = pkgs.unstable.river;
     };
 
-    programs.gnupg.agent.pinentryFlavor = "gtk2";
+    programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;
 
     local.lockscreen.waylock.enable = lib.mkDefault true;
   };

modules/nixos/configs/window-manager/xmonad.nix

@@ -10,19 +10,18 @@ let cfg = config.local.window-manager.xmonad; in
       packages = [ pkgs.dconf ];
     };
 
+    services.displayManager.defaultSession = "none+xmonad";
+
     services.xserver = {
       enable = true;
-      displayManager = {
-        defaultSession = "none+xmonad";
-        lightdm = {
-          enable = true;
-          # greeters.tiny.enable = true;
-        };
+      displayManager.lightdm = {
+        enable = true;
+        # greeters.tiny.enable = true;
       };
       windowManager.xmonad.enable = true;
     };
 
-    programs.gnupg.agent.pinentryFlavor = "gtk2";
+    programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;
 
     local.lockscreen.i3lock.enable = lib.mkDefault true;
   };

modules/nixos/configs/yubikey.nix

@@ -1,32 +1,71 @@
 { config, lib, pkgs, ... }:
 
-let cfg = config.local.yubikey; in
+let
+  cfg = config.local.yubikey;
+
+  control = if cfg.multi-factor.enable then "required" else "sufficient";
+in
 {
   options.local.yubikey = with lib; {
     enable = mkEnableOption "yubikey";
+
+    serial = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+
+    multi-factor.enable = mkEnableOption "multi-factor" // { default = true; };
+
+    unplug = {
+      enable = mkEnableOption "Do action when a Yubikey is unplugged";
+      model = mkOption {
+        type = types.str;
+        default = "407";
+      };
+      command = mkOption {
+        type = types.str;
+        default = "${pkgs.systemd}/bin/loginctl lock-sessions";
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ pkgs.yubikey-manager pkgs.yubikey-personalization ];
 
-    security.pam.u2f = {
-      enable = true;
-      control = "required";
-      cue = lib.mkDefault true;
-    };
+    security.pam =
+      if cfg.serial == null then
+        {
+          u2f = {
+            enable = true;
+            inherit control;
+            cue = lib.mkDefault true;
+          };
 
-    services.udev.packages = [ pkgs.yubikey-personalization ];
-    security.pam.services = {
-      login.u2fAuth = true;
-      sudo.u2fAuth = true;
-    };
-    services.pcscd.enable = true;
+          services = {
+            login.u2fAuth = lib.mkDefault true;
+            sudo.u2fAuth = lib.mkDefault true;
+          };
+        }
+      else
+        {
+          yubico = {
+            enable = true;
+            inherit control;
+            mode = "challenge-response";
+            id = [ cfg.serial ];
+          };
+        };
 
-    services.udev.extraRules = lib.mkIf config.programs.xss-lock.enable ''
-      ACTION=="remove",\
-       ENV{DEVTYPE}=="usb_device",\
-       ENV{PRODUCT}=="1050/402/543",\
-       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
-    '';
+    services.pcscd.enable = cfg.serial != null;
+
+    services.udev = {
+      packages = [ pkgs.yubikey-personalization ];
+      extraRules = lib.mkIf cfg.unplug.enable ''
+        ACTION=="remove",\
+         ENV{DEVTYPE}=="usb_device",\
+         ENV{PRODUCT}=="1050/${cfg.unplug.model}/543",\
+         RUN+="${cfg.unplug.command}"
+      '';
+    };
   };
 }

modules/nixos/programs/browsers/default.nix

@@ -1,8 +1,107 @@
-{ ... }:
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.local.programs.browsers;
+
+  contPackages =
+    lib.optional cfg.tor-browser.enable cfg.tor-browser.finalPackage
+    ++ lib.optional cfg.librewolf.enable cfg.librewolf.finalPackage
+    ++ lib.optional cfg.mullvad-browser.enable cfg.mullvad-browser.finalPackage
+    ++ lib.optional cfg.ungoogled-chromium.enable cfg.ungoogled-chromium.package;
+
+  hostPackages = lib.flip map contPackages (p:
+    let
+      hostRunBrowser = pkgs.writeScript "cont-run-browser" ''
+        sudo nixos-container run browsers -- su -l jan -c "$*"
+      '';
+
+      hostBrowserScript = pkgs.writeScriptBin "${p.meta.mainProgram}" ''
+        ${hostRunBrowser} ${p.meta.mainProgram} $@
+      '';
+    in
+    pkgs.runCommand "${p.meta.mainProgram}" { } ''
+      mkdir $out
+      cp -r ${hostBrowserScript}/bin $out/bin
+      cp -r ${p}/share $out/share
+    ''
+  );
+
+  isEnable = cfg.tor-browser.enable
+    or cfg.librewolf.enable
+    or cfg.mullvad-browser.enable;
+in
 {
   imports = [
     ./tor-browser.nix
     ./mullvad-browser.nix
     ./librewolf.nix
+    ./ungoogled-chromium.nix
   ];
+
+  config = lib.mkIf isEnable {
+    environment.systemPackages = hostPackages;
+
+    local.sound.systemWide = true;
+
+    containers.browsers = {
+      autoStart = true;
+      ephemeral = true;
+      restartIfChanged = false;
+
+      bindMounts = lib.mkMerge [
+        {
+          "/tmp/.X11-unix" = { };
+          "/home/jan/Downloads" = {
+            isReadOnly = false;
+            hostPath = "/home/jan/downloads/browser";
+          };
+        }
+        (lib.mkIf config.hardware.graphics.enable {
+          "/run/opengl-driver/lib" = { };
+        })
+        (lib.mkIf config.hardware.graphics.enable32Bit {
+          "/run/opengl-driver-32/lib" = { };
+        })
+        (lib.mkIf cfg.librewolf.enable {
+          "/home/jan/.librewolf" = {
+            isReadOnly = false;
+            hostPath = "/persistent/per-machine/browsers/home/jan/.librewolf";
+          };
+        })
+        (lib.mkIf cfg.ungoogled-chromium.enable {
+          "/home/jan/.config/chromium" = {
+            isReadOnly = false;
+            hostPath = "/persistent/per-machine/browsers/home/jan/.config/chromium";
+          };
+        })
+        (lib.mkIf config.local.programs.communication.telegram.enable {
+          "/home/jan/downloads/telegram" = { };
+        })
+      ];
+
+      config = { pkgs, ... }: {
+        system.stateVersion = "23.11";
+
+        fonts = {
+          inherit (config.fonts) enableDefaultPackages packages;
+          fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
+        };
+
+        networking.hosts = config.networking.hosts;
+
+        users.users.jan = {
+          isNormalUser = true;
+          home = "/home/jan";
+          password = "hello";
+          extraGroups = [ "pulse-access" ];
+          packages = contPackages;
+        };
+
+        environment.sessionVariables = {
+          DISPLAY = ":0";
+          PULSE_SERVER = "tcp:127.0.0.1:4713";
+        };
+      };
+    };
+  };
 }

modules/nixos/programs/browsers/librewolf.nix

@@ -2,27 +2,26 @@
 
 let
   cfg = config.local.programs.browsers.librewolf;
-  isPassEnabled = config.local.programs.pass.enable;
 
   policiesJson = pkgs.callPackage ./policies.nix {
     firefoxAddons = inputs.firefox-addons.packages."${pkgs.system}";
-    withPassffAddon = isPassEnabled;
     withRedirectorAddon = true;
     withSidebarTabsAddon = true;
     withAllSearchEngines = true;
   };
 
-  librewolf' = with pkgs.unstable; librewolf.override {
-    extraPoliciesFiles = librewolf.unwrapped.extraPoliciesFiles ++ [ policiesJson ];
-    nativeMessagingHosts = lib.optional isPassEnabled passff-host;
+  finalLibrewolf = cfg.package.override {
+    extraPoliciesFiles = cfg.package.unwrapped.extraPoliciesFiles ++ [ policiesJson ];
   };
 in
 {
   options.local.programs.browsers.librewolf = with lib; {
     enable = mkEnableOption "librewolf";
-  };
-
-  config = lib.mkIf cfg.enable {
-    environment.systemPackages = [ librewolf' ];
+    package = mkPackageOption pkgs "librewolf" {};
+    finalPackage = mkOption {
+      type = types.package;
+      readOnly = true;
+      default = finalLibrewolf;
+    };
   };
 }

modules/nixos/programs/browsers/mullvad-browser.nix

@@ -10,7 +10,7 @@ let
     withAllSearchEngines = true;
   };
 
-  mullvadBrowser = pkgs.mullvad-browser.overrideAttrs (attrs: {
+  finalMullvadBrowser = cfg.package.overrideAttrs (attrs: {
     postInstall = ''
       rm $out/share/mullvad-browser/distribution/policies.json
 
@@ -21,9 +21,11 @@ in
 {
   options.local.programs.browsers.mullvad-browser = with lib; {
     enable = mkEnableOption "mullvad-browser";
-  };
-
-  config = lib.mkIf cfg.enable {
-    environment.systemPackages = [ mullvadBrowser ];
+    package = mkPackageOption pkgs "mullvad-browser" {};
+    finalPackage = mkOption {
+      type = types.package;
+      readOnly = true;
+      default = finalMullvadBrowser;
+    };
   };
 }

modules/nixos/programs/browsers/policies.nix

@@ -28,7 +28,7 @@ writeText "policies.json" (builtins.toJSON {
     SearchEngines = {
       Add = [
         {
-          Alias = "sx";
+          Alias = "@sx";
           Name = "SearXNG";
           Description = "SearXNG — a privacy-respecting, open metasearch engine";
           IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png";
@@ -36,28 +36,28 @@ writeText "policies.json" (builtins.toJSON {
         }
       ] ++ lib.optionals withAllSearchEngines [
         {
-          Alias = "np";
+          Alias = "@np";
           Name = "NixOS Packages";
           Description = "Search NixOS packages by name or description.";
           IconURL = "https://nixos.org/favicon.png";
           URLTemplate = "https://search.nixos.org/packages?query={searchTerms}";
         }
         {
-          Alias = "no";
+          Alias = "@no";
           Name = "NixOS Options";
           Description = "Search NixOS options by name or description.";
           IconURL = "https://nixos.org/favicon.png";
           URLTemplate = "https://search.nixos.org/options?query={searchTerms}";
         }
         {
-          Alias = "ng";
+          Alias = "@ng";
           Name = "Noogle";
           Description = "Search for nix functions by name.";
           IconURL = "https://noogle.dev/favicon.png";
           URLTemplate = "https://noogle.dev/q?term={searchTerms}";
         }
         {
-          Alias = "hg";
+          Alias = "@hg";
           Name = "Hoogle";
           Description = ''
               Hoogle is a Haskell API search engine, which allows you to
@@ -106,5 +106,12 @@ writeText "policies.json" (builtins.toJSON {
         "yahoo@search.mozilla.org"
       ];
     };
+    Containers.Default = let cont = name: icon: color: { inherit name icon color; }; in [
+      (cont "per" "fingerprint" "blue")
+      (cont "wor" "briefcase" "orange")
+      (cont "com" "tree" "green")
+      (cont "fin" "dollar" "yellow")
+      (cont "sea" "circle" "purple")
+    ];
   };
 })

modules/nixos/programs/browsers/tor-browser.nix

@@ -5,7 +5,7 @@ let
 
   policiesJson = pkgs.callPackage ./policies.nix { };
 
-  torBrowser = (pkgs.tor-browser-bundle-bin.override {
+  finalTorBrowser = (cfg.package.override {
     mediaSupport = true;
     pulseaudioSupport = true;
   }).overrideAttrs (attrs: {
@@ -18,95 +18,11 @@ in
 {
   options.local.programs.browsers.tor-browser = with lib; {
     enable = mkEnableOption "tor-browser";
-    container = {
-      enable = mkEnableOption "tor-browser inside a container";
-      externalInterface = mkOption {
-        type = types.str;
-        default = "";
-      };
-      sshAuthorizedKeys = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-      };
+    package = mkPackageOption pkgs "tor-browser-bundle-bin" {};
+    finalPackage = mkOption {
+      type = types.package;
+      readOnly = true;
+      default = finalTorBrowser;
     };
   };
-
-  config = lib.mkIf cfg.enable (lib.mkMerge [
-    (lib.mkIf (!cfg.container.enable) {
-      environment.systemPackages = [ torBrowser ];
-    })
-    (lib.mkIf cfg.container.enable (
-      let
-        hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
-          ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
-          ${pkgs.xorg.xhost}/bin/xhost +
-          ssh -X browser@192.168.7.11 tor-browser
-          ${pkgs.xorg.xhost}/bin/xhost -
-        '';
-
-        clientRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
-          PULSE_SERVER=tcp:192.168.7.10:4713 \
-          XAUTHORITY="/home/browser/.Xauthority" \
-          DBUS_SESSION_BUS_ADDRESS="" \
-          DISPLAY=192.168.7.10:0.0 \
-          ${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser $@
-        '';
-      in
-      {
-        assertions = [
-          {
-            assertion = cfg.container.externalInterface != "";
-            message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `externalInterface` with Internet access";
-          }
-          {
-            assertion = cfg.container.sshAuthorizedKeys != [ ];
-            message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `sshAuthorizedKeys` to connect to the container";
-          }
-        ];
-
-        environment.systemPackages = [ hostRunTorBrowser ];
-
-        hardware.pulseaudio = {
-          systemWide = true;
-          support32Bit = true;
-          tcp = {
-            enable = true;
-            anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
-          };
-        };
-
-        networking = {
-          firewall.allowedTCPPorts = [ 4713 6000 ];
-          nat = {
-            enable = true;
-            internalInterfaces = [ "ve-browser" ];
-            externalInterface = cfg.container.externalInterface;
-          };
-        };
-
-        containers.browser = {
-          autoStart = true;
-          privateNetwork = true;
-          hostAddress = "192.168.7.10";
-          localAddress = "192.168.7.11";
-
-          config = { ... }: {
-            system.stateVersion = "23.11";
-            services.openssh = {
-              enable = true;
-              settings.X11Forwarding = true;
-            };
-
-            users.extraUsers.browser = {
-              isNormalUser = true;
-              home = "/home/browser";
-              openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
-              extraGroups = [ "pulse-access" ];
-              packages = [ clientRunTorBrowser ];
-            };
-          };
-        };
-      }
-    ))
-  ]);
 }

modules/nixos/programs/browsers/ungoogled-chromium.nix

@@ -0,0 +1,8 @@
+{ pkgs, lib, ... }:
+
+{
+  options.local.programs.browsers.ungoogled-chromium = with lib; {
+    enable = mkEnableOption "ungoogled-chromium";
+    package = mkPackageOption pkgs "ungoogled-chromium" {};
+  };
+}

modules/nixos/programs/communication/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  imports = [
+    ./skype.nix
+    ./telegram.nix
+    ./simplex-chat.nix
+  ];
+}

modules/nixos/programs/communication/simplex-chat.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.local.programs.communication.simplex-chat;
+in
+{
+  options.local.programs.communication.simplex-chat = with lib; {
+    enable = mkEnableOption "SimplexChat";
+    package = mkPackageOption pkgs "simplex-chat-desktop" { };
+    openFirewall = mkEnableOption "Open firewall to link mobile device";
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedTCPPorts = [ 44000 ];
+    };
+  };
+}

modules/nixos/programs/communication/skype.nix

@@ -0,0 +1,73 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+  cfg = config.local.programs.communication.skype;
+
+  hostRunPackage = pkgs.writeScript "cont-run" ''
+    sudo nixos-container run skype -- su -l jan -c "$*"
+  '';
+
+  hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" ''
+    ${hostRunPackage} ${cfg.package.meta.mainProgram} $@
+  '';
+
+  hostSkype = pkgs.runCommand "${cfg.package.meta.mainProgram}" { } ''
+    mkdir $out
+    cp -r ${hostPackageScript}/bin $out/bin
+    cp -r ${cfg.package}/share $out/share
+  '';
+in
+{
+  options.local.programs.communication.skype = with lib; {
+    enable = mkEnableOption "skype";
+    package = mkPackageOption pkgs "skypeforlinux" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ hostSkype ];
+
+    local.sound.systemWide = true;
+
+    containers.skype = {
+      autoStart = true;
+      ephemeral = true;
+
+      bindMounts = lib.mkMerge [
+        {
+          "/tmp/.X11-unix" = { };
+          "/home/jan/downloads/skype" = { isReadonly = false; };
+        }
+        (lib.mkIf config.hardware.graphics.enable {
+          "/run/opengl-driver/lib" = { };
+        })
+        (lib.mkIf config.hardware.graphics.enable32Bit {
+          "/run/opengl-driver-32/lib" = { };
+        })
+      ];
+
+      config = { pkgs, ... }: {
+        system.stateVersion = "23.11";
+        nixpkgs.config.allowUnfree = true;
+
+        fonts = {
+          inherit (config.fonts) enableDefaultPackages packages;
+          fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
+        };
+
+        users.users.jan = {
+          isNormalUser = true;
+          home = "/home/jan";
+          password = "hello";
+          extraGroups = [ "pulse-access" ];
+          packages = [ cfg.package ];
+        };
+
+        environment.sessionVariables = {
+          DISPLAY = ":0";
+          PULSE_SERVER = "tcp:127.0.0.1:4713";
+        };
+      };
+    };
+  };
+}

modules/nixos/programs/communication/telegram.nix

@@ -0,0 +1,77 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+  cfg = config.local.programs.communication.telegram;
+
+  hostRunPackage = pkgs.writeScript "cont-run" ''
+    sudo nixos-container run telegram -- su -l jan -c "$*"
+  '';
+
+  hostPackageScript = pkgs.writeScriptBin "${cfg.package.meta.mainProgram}" ''
+    ${hostRunPackage} ${cfg.package.meta.mainProgram} $@
+  '';
+
+  hostTelegram = pkgs.runCommand "${cfg.package.meta.mainProgram}" { } ''
+    mkdir $out
+    cp -r ${hostPackageScript}/bin $out/bin
+    cp -r ${cfg.package}/share $out/share
+  '';
+in
+{
+  options.local.programs.communication.telegram = with lib; {
+    enable = mkEnableOption "tdesktop. telegram client";
+    package = mkPackageOption pkgs "tdesktop" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ hostTelegram ];
+
+    local.sound.systemWide = true;
+
+    containers.telegram = {
+      autoStart = true;
+      ephemeral = true;
+
+      bindMounts = lib.mkMerge [
+        {
+          "/tmp/.X11-unix" = { };
+          "/home/jan/downloads/telegram" = {
+            isReadOnly = false;
+          };
+        }
+        (lib.mkIf config.hardware.graphics.enable {
+          "/run/opengl-driver/lib" = { };
+        })
+        (lib.mkIf config.hardware.graphics.enable32Bit {
+          "/run/opengl-driver-32/lib" = { };
+        })
+        (lib.mkIf config.local.programs.browsers.librewolf.enable {
+          "/home/jan/downloads/browser" = { };
+        })
+      ];
+
+      config = { pkgs, ... }: {
+        system.stateVersion = "23.11";
+
+        fonts = {
+          inherit (config.fonts) enableDefaultPackages packages;
+          fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
+        };
+
+        users.users.jan = {
+          isNormalUser = true;
+          home = "/home/jan";
+          password = "hello";
+          extraGroups = [ "pulse-access" ];
+          packages = [ cfg.package ];
+        };
+
+        environment.sessionVariables = {
+          DISPLAY = ":0";
+          PULSE_SERVER = "tcp:127.0.0.1:4713";
+        };
+      };
+    };
+  };
+}

modules/nixos/programs/default.nix

@@ -4,5 +4,7 @@
   imports = [
     ./pass.nix
     ./browsers
+    ./communication
+    ./editors
   ];
 }

modules/nixos/programs/editors/default.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  imports = [ ./jetbrains-idea.nix ];
+}

modules/nixos/programs/editors/jetbrains-idea.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+  cfg = config.local.programs.editors.jetbrains-idea;
+in
+{
+  options.local.programs.editors.jetbrains-idea = with lib; {
+    enable = mkEnableOption "jetbrains idea-community";
+    package = mkPackageOption pkgs.jetbrains "idea-community" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    containers.jetbrains-idea = {
+      autoStart = true;
+      ephemeral = true;
+
+      bindMounts = {
+        "/tmp/.X11-unix" = { };
+        "/home/john/projects" = {
+          isReadOnly = false;
+          hostPath = "/home/jan/containers/jetbrains-idea/projects";
+        };
+      };
+
+      config = { pkgs, ... }: {
+        system.stateVersion = "23.11";
+
+        fonts = {
+          inherit (config.fonts) enableDefaultPackages packages;
+          fontconfig = { inherit (config.fonts.fontconfig) defaultFonts; };
+        };
+
+        users.users.john = {
+          isNormalUser = true;
+          home = "/home/john";
+          password = "hello";
+          extraGroups = [ "pulse-access" ];
+          packages = [ cfg.package ];
+        };
+
+        environment.sessionVariables = {
+          DISPLAY = ":0";
+        };
+      };
+    };
+  };
+}

modules/nixos/services/default.nix

@@ -6,7 +6,9 @@
     ./dnscrypt-proxy2.nix
     ./gnupg.nix
     ./i2pd.nix
+    ./kubo.nix
     ./octoprint.nix
+
     ./vpn
     ./fail2ban
   ];

modules/nixos/services/kubo.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.local.services.kubo.enable = lib.mkEnableOption "kubo. The InterPlanetary File System (IPFS)";
+
+  config = lib.mkIf config.local.services.kubo.enable {
+    services.kubo = {
+      enable = true;
+      package = pkgs.unstable.kubo;
+      # required to use ipfs companion browser extension
+      settings.Addresses.API = [ "/ip4/127.0.0.1/tcp/5001" ];
+    };
+  };
+}

modules/nixos/services/vpn/wireguard/client.nix

@@ -1,14 +1,20 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   cfg = config.local.services.vpn.wireguard;
+
+  addrsViaDefaultInterface = [
+    # cache.nixos.org
+    "151.101.86.217/32"
+    # tbank.ru
+    "178.248.236.218/32"
+  ];
 in
 {
   options.local.services.vpn.wireguard = with lib; {
     enable = mkEnableOption "Enable wireguard vpn";
     ip = mkOption {
       type = types.str;
-      description = "10.100.0.<num>/24";
       example = "10.100.0.1/24";
     };
     privateKeyFile = mkOption {
@@ -44,6 +50,22 @@ in
         # Path to the private key file.
         privateKeyFile = cfg.privateKeyFile;
 
+        postUp = ''
+          addr=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
+          interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
+        '' + lib.concatLines (map
+          (addr: "${pkgs.iproute}/bin/ip route add ${addr} via $addr dev $interface || true")
+          addrsViaDefaultInterface
+        );
+
+        preDown = ''
+          addr=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
+          interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
+        '' + lib.concatLines (map
+          (addr: "${pkgs.iproute}/bin/ip route del ${addr} via $addr dev $interface || true")
+          addrsViaDefaultInterface
+        );
+
         peers = [
           # For a client configuration, one peer entry for the server will suffice.
 

modules/vps.nix

@@ -7,7 +7,7 @@
   # Configs
   ################################################################################
   local.system = {
-    kernel = lib.mkDefault "hardened";
+    kernel = lib.mkDefault "stable";
     headless = lib.mkDefault true;
   };
 

neovim/configs/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./language-server.nix
+    ./line-limiter.nix
+  ];
+}

neovim/configs/language-server.nix

@@ -0,0 +1,86 @@
+{ config, lib, pkgs, ... }:
+
+let inherit (lib.nix2lua) call; in
+{
+  fn.lspconfig-eslint-on-attach = {
+    args = [ "client" "bufnr" ];
+    content = { bufnr, ... }: {
+      vim.augroup.eslint-fix = {
+        event = "BufWritePre";
+        buffer = bufnr;
+        command = "silent! EslintFixAll";
+      };
+    };
+  };
+
+  plugins.language-server.lspconfig.serverSettings = {
+    # nix
+    nil_ls = { };
+    # rust
+    rust_analyzer = {
+      settings.rust-analyzer = {
+        "server.path" = "rust-analyzer";
+        "updates.prompt" = false;
+        "updates.checkOnStartup" = false;
+        "checkOnSave.enable" = true;
+        "checkOnSave.command" = "clippy";
+        "cargo.autoreload" = true;
+      };
+    };
+    # linter for javascript, typescript, vue
+    eslint = {
+      on_attach = config.fn.lspconfig-eslint-on-attach.lambda;
+      flags = {
+        allow_incremental_sync = false;
+        debounce_text_changes = 1000;
+      };
+    };
+    # vue
+    volar = {
+      init_options = {
+        typescript.tsdk = "./node_modules/typescript/lib";
+      };
+    };
+    # python
+    pylsp = { };
+    # typescript, javascript
+    denols = {
+      root_dir = call "${config.plugin.nvim-lspconfig.varName}.util.root_pattern" [ "deno.json" "deno.jsonc" ];
+    };
+    # java
+    jdtls = {
+      cmd = [
+        "${pkgs.jdt-language-server}/bin/jdtls"
+        "--jvm-arg=-javaagent:${pkgs.lombok.out}/share/java/lombok.jar"
+        "--jvm-arg=-Xbootclasspath/a:${pkgs.lombok.out}/share/java/lombok.jar"
+      ];
+    };
+    # json
+    jsonls = { };
+    # css, scss, less
+    cssls = { };
+    css_variables = {
+      lookupFiles = [
+        "**/*.scss"
+        "**/*.less"
+        "**/*.css"
+      ];
+    };
+    # Grammar/Spell Checker
+    ltex = {
+      language = "en-US";
+      languageToolHttpServerUri = "http://localhost:8081";
+    };
+  };
+
+  plugins.language-server.typescript-tools = {
+    enable = true;
+    serverSettings = {
+      filetypes = [ "javascript" "javascriptreact" "typescript" "typescriptreact" "vue" ];
+      settings = {
+        tsserver_max_memory = "auto";
+        tsserver_plugins = [ "@vue/typescript-plugin" ];
+      };
+    };
+  };
+}

neovim/configs/line-limiter.nix

@@ -0,0 +1,48 @@
+{ lib, ... }:
+
+let
+  mkLineLimiterOpts = limit: {
+    colorcolumn = toString (limit + 1);
+    textwidth = limit;
+  };
+
+  mkLineLimiterGroup = { limit, pattern }:
+    lib.nameValuePair
+      "line-limiter-${toString limit}"
+      {
+        inherit pattern;
+        opt = mkLineLimiterOpts limit;
+      };
+in
+{
+  buffer.filetype = lib.listToAttrs [
+    (mkLineLimiterGroup {
+      limit = 100;
+      pattern = [
+        "nix"
+        "javascript,javascriptreact"
+        "typescript,typescriptreact"
+        "vue"
+        "rust"
+        "haskell"
+      ];
+    })
+    (mkLineLimiterGroup {
+      limit = 90;
+      pattern = [
+        "python"
+      ];
+    })
+    (mkLineLimiterGroup {
+      limit = 80;
+      pattern = [
+        "json"
+        "yaml"
+        "markdown"
+        "html,htmldjango"
+        "css,scss,less"
+        "sql,psql"
+      ];
+    })
+  ];
+}

neovim/dev.nix

@@ -1,84 +1,70 @@
-{ config, modulesPath, lib, pkgs, ... }:
+{ modulesPath, lib, pkgs, ... }:
 
 let
   inherit (lib.mod) ctrl;
-  inherit (lib.nix2lua) pipe1 require call call0;
-
-  mkLineLimiterGroup = { limit, pattern }:
-    lib.nameValuePair
-      "line-limiter-${toString limit}"
-      {
-        inherit pattern;
-        opt = {
-          colorcolumn = toString limit;
-          textwidth = limit;
-        };
-      };
+  inherit (lib.nix2lua) pipe1 require call0 nf var;
 in
 {
   imports = [
     "${modulesPath}/profiles/recommended.nix"
     ./snippets.nix
+    ./configs
+    ./plugins
   ];
 
   vim.opt = {
     list = true;
-    formatexpr = "neoformat#Neoformat(0, '', v:lnum, v:lnum + v:count)";
+    formatoptions = "roqnlj";
   };
 
   buffer.filetype = {
-    nix.opt.formatexpr = "neoformat#Neoformat(0, '', 0, 99999)";
-  } // lib.listToAttrs [
-    (mkLineLimiterGroup {
-      limit = 101;
-      pattern = [
-        "nix"
-        "javascript,javascriptreact"
-        "typescript,typescriptreact"
-        "rust"
-        "haskell"
-      ];
-    })
-    (mkLineLimiterGroup {
-      limit = 81;
-      pattern = [
-        "python"
-        "json"
-        "yaml"
-        "markdown"
-        "html"
-        "css"
-        "scss"
-        "less"
-        "sql"
-        "psql"
-      ];
-    })
-  ];
+    text-options = {
+      pattern = [ "txt" "markdown" "mail" "man" ];
+      opt = { formatoptions = "roqwnjp"; };
+    };
+  };
 
   filetype.detect = {
     d2 = "*.d2";
     nickel = "*.ncl";
     psql = "*.psql";
+    sql = "*.pgsql";
   };
 
   # Enable fast navigation between windows
   vim.keymap.set = map (k: { mode = "n"; lhs = ctrl k; rhs = "${ctrl "w"}${k}"; }) [ "h" "l" "j" "k" ];
 
-  plugins.style.nvim-treesitter.extraGrammars = {
-    tree-sitter-d2 = rec {
-      language = "d2";
-      version = "8a9d50043d58eedf1e375b0e2059e43efd856902";
-      # version = "e7507ddd983427cb71b4bd96b039c382c73d65c5";
-      src = pkgs.fetchFromGitea {
-        domain = "git.pleshevski.ru";
-        owner = "pleshevskiy";
-        repo = "tree-sitter-d2";
-        rev = version;
-        sha256 = "sha256-ZhVjxo7Xi7DaHN3qabUcykflY74bUqPcOA410fA3zRk=";
-        # sha256 = "sha256-m7ZCxnW4Q1bQp1GhntUF7l+p6DV1p/2AJXhVeRy8Rec=";
+  plugins.style.nvim-treesitter = {
+    extraGrammars = {
+      tree-sitter-d2 = rec {
+        language = "d2";
+        version = "1e6d8ca3d85c0031ff010759bb60804dd47b95f2";
+        src = pkgs.fetchFromGitea {
+          domain = "git.pleshevski.ru";
+          owner = "pleshevskiy";
+          repo = "tree-sitter-d2";
+          rev = version;
+          sha256 = "sha256-ld9zlJ7tXl/SyrHJXwPKviDHePbw/jhI9WPT3aNntt8=";
+        };
       };
     };
+
+    # Source: https://github.com/DariusCorvus/tree-sitter-language-injection.nvim/blob/main/lua/tree-sitter-language-injection/init.lua
+    extraQueries.javascript.injections =
+      let
+        lang = "sql";
+        langMatch = ''^//+( )*${lang}( )*|^/[*]+( )*${lang}( )*[*]+/$'';
+      in
+      ''
+        ((comment) @comment .
+         ([ (string(string_fragment) @injection.content)
+            (template_string(string_fragment) @injection.content)
+           ] @injection.content
+           )
+          (#match? @comment "${langMatch}")
+          (#set! injection.language "${lang}")
+         )
+      '';
   };
 
   plugins.style.neoformat.autoformat = {
@@ -108,45 +94,14 @@ in
     };
   };
 
-  fn.lspconfig-eslint-on-attach = {
-    args = [ "client" "bufnr" ];
-    content = { bufnr, ... }: {
-      vim.augroup.eslint-fix = {
-        event = "BufWritePre";
-        buffer = bufnr;
-        command = "silent! EslintFixAll";
-      };
-    };
-  };
-
-  plugins.language-server.lspconfig.serverSettings = {
-    nil_ls = { };
-    rust_analyzer = {
-      settings.rust-analyzer = {
-        "server.path" = "rust-analyzer";
-        "updates.prompt" = false;
-        "updates.checkOnStartup" = false;
-        "checkOnSave.enable" = true;
-        "checkOnSave.command" = "clippy";
-        "cargo.autoreload" = true;
-      };
-    };
-    tsserver = { };
-    eslint = {
-      on_attach = config.fn.lspconfig-eslint-on-attach.lambda;
-    };
-    volar = {
-      init_options = {
-        typescript.tsdk = "./node_modules/typescript/lib";
-      };
-    };
-    ltex = {
-      language = "en-US";
-      languageToolHttpServerUri = "http://localhost:8081";
-    };
-    pylsp = { };
-    denols = {
-      root_dir = call "${config.plugin.nvim-lspconfig.varName}.util.root_pattern" [ "deno.json" "deno.jsonc" ];
-    };
+  plugins.snippet.luasnip.settings = {
+    ext_opts = [
+      (nf (var "luasnip_types.choiceNode") {
+        active.virt_text = [ [ "●" "WarningMsg" ] ];
+      })
+      (nf (var "luasnip_types.insertNode") {
+        active.virt_text = [ [ "●" "Title" ] ];
+      })
+    ];
   };
 }

neovim/plugins/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./ollama.nix
+    ./spring-boot.nix
+  ];
+}

neovim/plugins/ollama.nix

@@ -0,0 +1,7 @@
+{
+  plugin.ollama-nvim = {
+    enable = true;
+    name = "ollama";
+    setupSettings = { };
+  };
+}

neovim/plugins/spring-boot.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+  inherit (lib.nix2lua) pipe1 call0 call1;
+  inherit (pkgs) vimUtils fetchFromGitHub;
+
+  spring-boot-nvim = vimUtils.buildVimPlugin {
+    pname = "spring-boot";
+    version = "2024-08-10";
+    src = fetchFromGitHub {
+      owner = "JavaHello";
+      repo = "spring-boot.nvim";
+      rev = "995a705becbc711b703f9ab344745ececf6471a3";
+      hash = "sha256-Hri6WQnWTmFwlOUCVG8O1eELn9FhlvVpUC9lt+uIGkc=";
+    };
+  };
+in
+
+{
+  plugin.spring-boot-nvim = {
+    enable = true;
+    package = spring-boot-nvim;
+    name = "spring_boot";
+  };
+
+  plugin.nvim-lspconfig.beforeSetup = [
+    (pipe1 config.plugin.spring-boot-nvim.var (call1 "setup" {
+      java_cmd = "${pkgs.jdk22}/bin/java";
+      log_file = "/tmp/spring-boot.log";
+    }))
+    (pipe1 config.plugin.spring-boot-nvim.var (call0 "init_lsp_commands"))
+  ];
+
+  plugins.language-server.lspconfig.serverSettings.jdtls = {
+    init_options = {
+      bundles = (pipe1 config.plugin.spring-boot-nvim.var (call0 "java_extensions"));
+    };
+  };
+}

neovim/snippets.nix

@@ -12,35 +12,35 @@
           { jump = 2; text = "trueBody"; }
           { text = " else "; }
           { jump = 3; text = "falseBody"; }
+          { jump = 0; }
+        ];
+
+        "inherit".nodes = [
+          { text = "inherit "; }
+          {
+            jump = 1;
+            choices = [
+              {
+                nodes = [
+                  { text = "("; }
+                  { jump = 1; text = "lib"; }
+                  { text = ") "; }
+                ];
+              }
+              { text = ""; }
+            ];
+          }
+          { jump = 2; text = "filter"; }
           { text = ";"; }
+          { jump = 0; }
         ];
 
         "var".nodes = [
           { jump = 1; text = "name"; }
           { text = " = "; }
-          {
-            jump = 2;
-            choices = [
-              { kind = "insert"; text = "value"; }
-              {
-                nodes = [
-                  { jump = 1; }
-                  { text = "["; }
-                  { jump = 2; }
-                  { text = "]"; }
-                ];
-              }
-              {
-                nodes = [
-                  { jump = 1; }
-                  { text = "{"; }
-                  { jump = 2; }
-                  { text = "}"; }
-                ];
-              }
-            ];
-          }
+          { jump = 2; text = "value"; }
           { text = ";"; }
+          { jump = 0; }
         ];
 
         "module".nodes = [
@@ -61,17 +61,15 @@
             choices = [
               {
                 nodes = [
-                  { jump = 1; }
                   { text = "let "; }
-                  { jump = 2; }
+                  { jump = 1; }
                   { text = "in"; }
                 ];
               }
               {
                 nodes = [
-                  { jump = 1; }
                   { text = "with "; }
-                  { jump = 2; text = "lib"; }
+                  { jump = 1; text = "lib"; }
                   { text = ";"; }
                 ];
               }
@@ -87,6 +85,7 @@
             ];
           }
           { text = [ "" "}" ]; }
+          { jump = 0; }
         ];
       };
     }

notes/davmail.md

@@ -0,0 +1,19 @@
+# Davmail
+
+## Update refresh token
+
+Stop current `davmail.service` and clone properties to a temp file
+
+```sh
+sudo systemctl stop davmail.service
+cat $(sudo systemctl cat davmail.service | awk '/ExecStart=/ { print $2; }') > /tmp/davmail.properties
+```
+
+Start davmail manually
+
+```sh
+davmail /tmp/davmail.properties
+```
+
+Open renew link in the browser and copy `refreshToken` from
+`/tmp/davmail.properties`

notes/vpn.md

@@ -1,6 +1,6 @@
 # WireGuard
 
-## Generate keypair
+## Generate key pair
 
 ```sh
 umask 077
@@ -8,6 +8,20 @@ wg genkey > ./private
 wg pubkey < ./private > ./public
 ```
 
+
+## Configuration
+
+Then create QR code with configuration using the following command:
+
+```sh
+nix build -f ./misc/wg-client-conf.nix \
+  --argstr address "" \
+  --argstr dns "" \
+  --argstr privateKey "$(cat private)" \
+  --argstr serverPublicKey "" \
+  --argstr serverEndpoint ""
+```
+
 # References:
 
 - https://nixos.wiki/wiki/WireGuard

packages/micro-agent/default.nix

@@ -0,0 +1,20 @@
+{ buildNpmPackage, fetchFromGitHub }:
+
+# https://github.com/BuilderIO/micro-agent
+buildNpmPackage rec {
+  pname = "micro-agent";
+  version = "0.0.41";
+
+  src = fetchFromGitHub {
+    owner = "BuilderIO";
+    repo = "micro-agent";
+    rev = "v${version}";
+    hash = "sha256-NxnK8MgKPTZVIADd03fJ6egUWq5vgVxkOvqaD/T/12w=";
+  };
+
+  npmDepsHash = "sha256-exIqyldG5dcUt1xoVLQw/FLOOqfIpG44i3fdzG4cyvM=";
+
+  NODE_OPTIONS = "--openssl-legacy-provider";
+
+  npmFlags = [ "--ignore-scripts" ];
+}

readme.md

@@ -2,35 +2,6 @@
 
 This repository contains configurations for my personal vps and workstations.
 
-## Hosts
-
-Workstations:
-
-- **home** - Home desktop computer for work.
-- **asus-gl553vd** - My laptop for remote work.
-
-# Home Manager configs
-
-User configurations are included.
-
-### Themes
-
-| Name       | Palettes | Note    |
-| :--------- | :------- | :------ |
-| Catppuccin | Frappe   | Current |
-
-### Core Programs
-
-| Type           | Program |
-| :------------- | :------ |
-| Status Bar     | Polybar |
-| Window Manager | XMonad  |
-| Launcher       | Dmenu   |
-| Terminal       | Wezterm |
-| Editor         | Neovim  |
-| File Manager   | vifm    |
-| Shell          | Zsh     |
-
 ### Screenshots
 
 ![workspace](assets/screenshot_1.png)

users/jan/browser/Redirector.json

@@ -5,12 +5,12 @@
         {
             "description": "home youtube.com/youtu.be -> invidious",
             "exampleUrl": "https://www.youtube.com/",
-            "exampleResult": "https://inv.oikei.net/",
+            "exampleResult": "https://yewtu.be/",
             "error": null,
             "includePattern": "https://(?:www\\.)?(youtube\\.com|youtu.be)/$",
             "excludePattern": "",
             "patternDesc": "get home page ",
-            "redirectUrl": "https://inv.oikei.net/",
+            "redirectUrl": "https://yewtu.be/",
             "patternType": "R",
             "processMatches": "noProcessing",
             "disabled": false,
@@ -22,12 +22,12 @@
         {
             "description": "youtu.be -> invidious",
             "exampleUrl": "https://youtu.be/MYRBI-X5nfhI?si=sSoZBk9bB7NSEE8j",
-            "exampleResult": "https://inv.oikei.net/watch?v=MYRBI-X5nfhI",
+            "exampleResult": "https://yewtu.be/watch?v=MYRBI-X5nfhI",
             "error": null,
             "includePattern": "https://youtu.be/([\\w-]+)(\\?.*)?",
             "excludePattern": "",
             "patternDesc": "get video id from url",
-            "redirectUrl": "https://inv.oikei.net/watch?v=$1",
+            "redirectUrl": "https://yewtu.be/watch?v=$1",
             "patternType": "R",
             "processMatches": "noProcessing",
             "disabled": false,
@@ -39,12 +39,12 @@
         {
             "description": "youtube.com -> invidious",
             "exampleUrl": "https://www.youtube.com/watch?v=jQ-KdWyzKfE",
-            "exampleResult": "https://inv.oikei.net/watch?v=jQ-KdWyzKfE",
+            "exampleResult": "https://yewtu.be/watch?v=jQ-KdWyzKfE",
             "error": null,
             "includePattern": "https://(?:www\\.)?youtube\\.com/watch\\?v=([\\w-]+)(&.*)?",
             "excludePattern": "",
             "patternDesc": "get video id from url",
-            "redirectUrl": "https://inv.oikei.net/watch?v=$1",
+            "redirectUrl": "https://yewtu.be/watch?v=$1",
             "patternType": "R",
             "processMatches": "noProcessing",
             "disabled": false,
@@ -56,12 +56,12 @@
         {
             "description": "youtube.com/shorts -> invidious",
             "exampleUrl": "https://www.youtube.com/shorts/jQkhyLSqlLg",
-            "exampleResult": "https://inv.oikei.net/watch?v=jQkhyLSqlLg",
+            "exampleResult": "https://yewtu.be/watch?v=jQkhyLSqlLg",
             "error": null,
             "includePattern": "https://(?:www\\.)?youtube\\.com/shorts/([\\w-]+)(&.*)?",
             "excludePattern": "",
             "patternDesc": "get video id from url",
-            "redirectUrl": "https://inv.oikei.net/watch?v=$1",
+            "redirectUrl": "https://yewtu.be/watch?v=$1",
             "patternType": "R",
             "processMatches": "noProcessing",
             "disabled": false,
@@ -73,12 +73,12 @@
         {
             "description": "youtube.com/live -> invidious",
             "exampleUrl": "https://www.youtube.com/live/jQ-KdWyzKfE",
-            "exampleResult": "https://inv.oikei.net/watch?v=jQ-KdWyzKfE",
+            "exampleResult": "https://yewtu.be/watch?v=jQ-KdWyzKfE",
             "error": null,
             "includePattern": "https://(?:www\\.)?youtube\\.com/live/([\\w-]+)(\\?.*)?",
             "excludePattern": "",
             "patternDesc": "get video id from url",
-            "redirectUrl": "https://inv.oikei.net/watch?v=$1",
+            "redirectUrl": "https://yewtu.be/watch?v=$1",
             "patternType": "R",
             "processMatches": "noProcessing",
             "disabled": false,
@@ -90,12 +90,12 @@
         {
             "description": "youtube.com/channel -> invidious",
             "exampleUrl": "https://www.youtube.com/@KdWyzKfE",
-            "exampleResult": "https://inv.oikei.net/@KdWyzKfE",
+            "exampleResult": "https://yewtu.be/@KdWyzKfE",
             "error": null,
             "includePattern": "https://(?:www\\.)?youtube\\.com/(@[\\w-]+)(\\?.*)?",
             "excludePattern": "",
             "patternDesc": "get channel name from url",
-            "redirectUrl": "https://inv.oikei.net/$1",
+            "redirectUrl": "https://yewtu.be/$1",
             "patternType": "R",
             "processMatches": "noProcessing",
             "disabled": false,
@@ -107,12 +107,12 @@
         {
             "description": "indivious (old -> current)",
             "exampleUrl": "https://yt.cdaut.de/watch?v=jUnhS74uicE",
-            "exampleResult": "https://invidious.einfachzocken.eu/watch?v=jUnhS74uicE",
+            "exampleResult": "https://yewtu.be/watch?v=jUnhS74uicE",
             "error": null,
-            "includePattern": "https://(yt.cdaut.de|inv.oikei.net)/(.*)",
+            "includePattern": "https://(yt.cdaut.de|inv.oikei.net|invidious.einfachzocken.eu)/(.*)",
             "excludePattern": "",
             "patternDesc": "Redirect from old instances",
-            "redirectUrl": "https://invidious.einfachzocken.eu/$2",
+            "redirectUrl": "https://yewtu.be/$2",
             "patternType": "R",
             "processMatches": "noProcessing",
             "disabled": false,
@@ -139,4 +139,4 @@
             ]
         }
     ]
-}
+}

users/jan/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, inputs, globalData, ... }:
+{ config, pkgs, lib, inputs, globalData, packagesPath, ... }:
 
 {
   imports = [./davmail.secret.nix];
@@ -57,6 +57,7 @@
     imports = [
       ./email_accounts.secret.nix
       ./calendars.secret.nix
+      ./ssh.secret.nix
       ./git
     ];
 
@@ -94,22 +95,20 @@
     };
 
     local.programs.file-managers.vifm.enable = lib.mkDefault true;
+    local.programs.file-managers.nnn = {
+      enable = true;
+      package = pkgs.unstable.nnn;
+    };
 
     local.programs.aerc.enable = lib.mkDefault true;
 
-    local.programs.communication = {
-      telegram.enable = lib.mkDefault true;
-      matrix.enable = lib.mkDefault true;
-      simplex-chat.enable = lib.mkDefault (config.local.system.kernel != "hardened");
-    };
-
     local.programs.dev-tools = {
       base.enable = lib.mkDefault true;
       nix.enable = lib.mkDefault true;
       web.enable = lib.mkDefault true;
       psql = {
         enable = lib.mkDefault true;
-        package = lib.mkDefault pkgs.postgresql_14;
+        package = lib.mkDefault pkgs.postgresql_16;
       };
       eza.enable = lib.mkDefault true;
       direnv.enable = lib.mkDefault true;
@@ -120,6 +119,8 @@
 
     local.programs.flameshot.enable = lib.mkDefault true;
 
+    local.programs.argos-translate.enable = lib.mkDefault true;
+
     ################################################################################
     # Services
     ################################################################################
@@ -155,6 +156,11 @@
       # tools
       procs
       bottom
+      jq
+
+      nodePackages.vscode-langservers-extracted # html, css, json, eslint
+
+      (pkgs.callPackage (packagesPath + /micro-agent) {})
     ];
 
     home.file = {

users/jan/git/default.nix

@@ -25,6 +25,7 @@
     extraConfig = {
       init.defaultBranch = "main";
       pull.rebase = true;
+      advice.skippedCherryPicks = false;
     };
     aliases = {
       co = "switch";
@@ -46,7 +47,9 @@
       can = "commit --amend --no-edit";
 
       p = "push";
+      pt = "push --tags";
       po = "push origin";
+      pot = "push origin --tags";
       pf = "push --force-with-lease";
       pfo = "push --force-with-lease origin";
       pl = "pull";
@@ -70,8 +73,14 @@
 
       re = "restore";
       res = "restore --staged";
+      resw = "restore --staged --worktree";
+
+      rls = "ls-remote --heads";
+      rlso = "ls-remote --heads origin";
+      rlsu = "ls-remote --heads upstream";
 
       lo = "log --pretty=oneline";
+      los = "log --pretty='format:%s'";
 
       sma = "submodule add";
       smui = "submodule update --init";
@@ -83,6 +92,9 @@
       sai = "stash apply --index";
       sp = "stash pop";
       spi = "stash pop --index";
+
+      t = "tag";
+      tf = "tag --force";
     };
   };
 }