workflow: use envars for s3 region and endpoint

workflow: try hex encoded secret
workflow: use runner.temp variable
2025-04-14 15:12:57 -04:00 · 2025-04-14 14:35:50 -04:00 · 2025-04-14 14:19:20 -04:00 · 2025-04-14 13:46:03 -04:00 · 2025-04-14 13:37:13 -04:00 · 2025-04-14 13:29:51 -04:00
23 changed files with 953 additions and 284 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -1,3 +0,0 @@
-[*.nix]
-indent_style = space
-indent_size = 2
--- a/.github/workflows/build-machines-and-homes.yml
+++ b/.github/workflows/build-machines-and-homes.yml
@ -49,9 +49,15 @@ jobs:
            accept-flake-config = true
            system-features = nixos-test benchmark big-parallel kvm
            secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
-            extra-substituters = https://nixcache.cy7.sh
-            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
-            download-buffer-size = 1073741824
+            extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
+            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
+
+      - name: Install Lix
+        run: |
+          sudo --preserve-env=PATH $(which nix) run \
+          'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+          upgrade-nix
+          nix --version

      - name: Sync repository
        uses: actions/checkout@v4
@ -60,16 +66,21 @@ jobs:

      - name: build
        run: |
+          # package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
+          # nix build -L "$package"
          nix run nixpkgs#nixos-rebuild build -- -L --flake ".#${{ matrix.machine }}"

      - name: cache
+        # https://stackoverflow.com/a/58859404
+        if: '!cancelled()'
        run: |
-          nix run \
-            github:cything/nixcp -- push \
+          package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
+          nix run github:cything/nixcp/2025-04-12 -- \
+            push \
            --bucket nixcache \
-            --endpoint $AWS_ENDPOINT_URL \
            --signing-key ${{ runner.temp }}/cache-priv-key.pem \
-            result
+            -u https://nix-community.cachix.org \
+            $package

  build-homes:
    strategy:
@ -80,6 +91,7 @@ jobs:
          - yt@chunk
        os:
          - ubuntu-latest
+          # - macos-latest
    runs-on: ${{ matrix.os }}

    steps:
@ -108,9 +120,15 @@ jobs:
            accept-flake-config = true
            system-features = nixos-test benchmark big-parallel kvm
            secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
-            extra-substituters = https://nixcache.cy7.sh
-            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
-            download-buffer-size = 1073741824
+            extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
+            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
+
+      - name: Install Lix
+        run: |
+          sudo --preserve-env=PATH $(which nix) run \
+          'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+          upgrade-nix
+          nix --version

      - name: Sync repository
        uses: actions/checkout@v4
@ -123,10 +141,13 @@ jobs:
          nix build -L "$package"

      - name: cache
+        # https://stackoverflow.com/a/58859404
+        if: '!cancelled()'
        run: |
-          nix run \
-            github:cything/nixcp -- push \
+          package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
+          nix run github:cything/nixcp/2025-04-12 -- \
+            push \
            --bucket nixcache \
-            --endpoint $AWS_ENDPOINT_URL \
            --signing-key ${{ runner.temp }}/cache-priv-key.pem \
-            result
+            -u https://nix-community.cachix.org \
+            $package
--- a/.github/workflows/build-packages.yml
+++ b/.github/workflows/build-packages.yml
@ -24,8 +24,8 @@ jobs:
        os:
          - ubuntu-latest
          - ubuntu-24.04-arm
-          # - macos-latest
-          # - macos-13
+          - macos-latest
+          - macos-13
    runs-on: ${{ matrix.os }}

    steps:
@ -42,19 +42,33 @@ jobs:
            accept-flake-config = true
            system-features = nixos-test benchmark big-parallel kvm
            secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
-            extra-substituters = https://nixcache.cy7.sh
-            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
+            extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems
+            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=
+
+      - name: Install Lix
+        run: |
+          sudo --preserve-env=PATH $(which nix) run \
+          'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+          upgrade-nix
+          nix --version
+
+      - name: Sync repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

      - run: nix build -L ${{ matrix.package }}

-      - name: cache
+      - name: cache result
+        # https://stackoverflow.com/a/58859404
+        if: '!cancelled()'
        run: |
-          nix run \
-            github:cything/nixcp -- push \
+          nix run github:cything/nixcp/2025-04-12 -- \
+            push \
            --bucket nixcache \
-            --endpoint $AWS_ENDPOINT_URL \
            --signing-key ${{ runner.temp }}/cache-priv-key.pem \
-            result
+            -u https://nix-community.cachix.org \
+            "${{ matrix.package }}"

      - name: prepare tarball to upload
        run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
--- a/README.md
+++ b/README.md
@ -0,0 +1,40 @@
+# infra
+## ./home
+- [home-manager](https://github.com/nix-community/home-manager) configuration files
+- foot, tmux, and zsh are configured in Nix
+- nvim, rofi, sway, waybar are configured in their own literature and symlinked to $XDG_CONFIG_HOME with home-manager
+
+## ./hosts
+- [`hosts/common.nix`](hosts/common.nix): configuration that makes sense on all computers
+- [`hosts/zsh.nix`](hosts/zsh.nix): for computers that have the power to run zsh
+### ./hosts/ytnix
+- personal laptop
+- a single [`default.nix`](hosts/ytnix/default.nix) that could be modularized but works for now
+
+### ./hosts/chunk
+- the overworked server with 5% SLA
+- very short and concise [`default.nix`](hosts/chunk/default.nix)
+- services organized in their modules
+- some services run through `virtualisation.oci-containers`:
+    - [immich](hosts/chunk/immich.nix)
+    - [conduwuit](hosts/chunk/conduwuit.nix)
+
+### ./hosts/titan
+- got this cause chunk would go down way too often :(
+- hosted on azure for "reliability"
+- runs:
+    - [ghost](hosts/titan/ghost.nix) (through `virtualisation.oci-containers`)
+    - [uptime-kuma](hosts/titan/uptime-kuma.nix)
+    - [ntfy-sh](hosts/titan/ntfy.nix)
+
+## ./secrets
+- secrets
+- see [`.sops.yaml`](.sops.yaml) for who privy to what
+
+## backups
+- hourly borgbackup to [rsync.net](https://rsync.net)
+- see [modules/backup](modules/backup.nix)
+
+## monitoring
+- [status.cything.io](https://status.cything.io/): uptime kuma (reliable)
+- [grafana.cything.io](https://grafana.cything.io/): some real-time metrics here; unlike the status page this will go kaput often
--- a/ci/upload-to-cache.sh
+++ b/ci/upload-to-cache.sh
@ -1,8 +0,0 @@
-#!/bin/sh
-
-# https://nix.dev/guides/recipes/post-build-hook.html#implementing-the-build-hook
-set -eu
-set -f # disable globbing
-export IFS=' '
-echo "Uploading paths" $OUT_PATHS
-exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh&compression=zstd&parallel-compression=true" $OUT_PATHS
--- a/flake.lock
+++ b/flake.lock
@ -1,6 +1,171 @@
 {
  "nodes": {
+    "attic": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1738524606,
+        "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=",
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "ref": "main",
+        "repo": "attic",
+        "type": "github"
+      }
+    },
+    "cachix": {
+      "inputs": {
+        "devenv": "devenv",
+        "flake-compat": "flake-compat_2",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs_4"
+      },
+      "locked": {
+        "lastModified": 1737621947,
+        "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=",
+        "owner": "cachix",
+        "repo": "cachix",
+        "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "ref": "master",
+        "repo": "cachix",
+        "type": "github"
+      }
+    },
+    "cachix_2": {
+      "inputs": {
+        "devenv": [
+          "conduwuit",
+          "cachix",
+          "devenv"
+        ],
+        "flake-compat": [
+          "conduwuit",
+          "cachix",
+          "devenv"
+        ],
+        "git-hooks": [
+          "conduwuit",
+          "cachix",
+          "devenv"
+        ],
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1728672398,
+        "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=",
+        "owner": "cachix",
+        "repo": "cachix",
+        "rev": "aac51f698309fd0f381149214b7eee213c66ef0a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "ref": "latest",
+        "repo": "cachix",
+        "type": "github"
+      }
+    },
+    "complement": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1741891349,
+        "narHash": "sha256-YvrzOWcX7DH1drp5SGa+E/fc7wN3hqFtPbqPjZpOu1Q=",
+        "owner": "girlbossceo",
+        "repo": "complement",
+        "rev": "e587b3df569cba411aeac7c20b6366d03c143745",
+        "type": "github"
+      },
+      "original": {
+        "owner": "girlbossceo",
+        "ref": "main",
+        "repo": "complement",
+        "type": "github"
+      }
+    },
+    "conduwuit": {
+      "inputs": {
+        "attic": "attic",
+        "cachix": "cachix",
+        "complement": "complement",
+        "crane": "crane_2",
+        "fenix": "fenix",
+        "flake-compat": "flake-compat_3",
+        "flake-utils": "flake-utils",
+        "liburing": "liburing",
+        "nix-filter": "nix-filter",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rocksdb": "rocksdb"
+      },
+      "locked": {
+        "lastModified": 1743780871,
+        "narHash": "sha256-xmDepDLHsIWiwpWYjhI40XOrV9jCKrYJQ+EK1EOIdRg=",
+        "owner": "girlbossceo",
+        "repo": "conduwuit",
+        "rev": "4e5b87d0cd16f3d015f4b61285b369d027bb909d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "girlbossceo",
+        "repo": "conduwuit",
+        "type": "github"
+      }
+    },
    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "conduwuit",
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722960479,
+        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "crane_2": {
+      "locked": {
+        "lastModified": 1739936662,
+        "narHash": "sha256-x4syUjNUuRblR07nDPeLDP7DpphaBVbUaSoeZkFbGSk=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "19de14aaeb869287647d9461cbd389187d8ecdb7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "ref": "master",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "crane_3": {
      "locked": {
        "lastModified": 1737689766,
        "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=",
@ -15,13 +180,13 @@
        "type": "github"
      }
    },
-    "crane_2": {
+    "crane_4": {
      "locked": {
-        "lastModified": 1746291859,
-        "narHash": "sha256-DdWJLA+D5tcmrRSg5Y7tp/qWaD05ATI4Z7h22gd1h7Q=",
+        "lastModified": 1741148495,
+        "narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "dfd9a8dfd09db9aad544c4d3b6c47b12562544a5",
+        "rev": "75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53",
        "type": "github"
      },
      "original": {
@ -30,17 +195,75 @@
        "type": "github"
      }
    },
-    "flake-compat": {
+    "devenv": {
+      "inputs": {
+        "cachix": "cachix_2",
+        "flake-compat": [
+          "conduwuit",
+          "cachix",
+          "flake-compat"
+        ],
+        "git-hooks": [
+          "conduwuit",
+          "cachix",
+          "git-hooks"
+        ],
+        "nix": "nix",
+        "nixpkgs": [
+          "conduwuit",
+          "cachix",
+          "nixpkgs"
+        ]
+      },
      "locked": {
-        "lastModified": 1717312683,
-        "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=",
+        "lastModified": 1733323168,
+        "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=",
+        "owner": "cachix",
+        "repo": "devenv",
+        "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "devenv",
+        "type": "github"
+      }
+    },
+    "fenix": {
+      "inputs": {
+        "nixpkgs": [
+          "conduwuit",
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
+      "locked": {
+        "lastModified": 1740724364,
+        "narHash": "sha256-D1jLIueJx1dPrP09ZZwTrPf4cubV+TsFMYbpYYTVj6A=",
        "owner": "nix-community",
-        "repo": "flake-compat",
-        "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea",
+        "repo": "fenix",
+        "rev": "edf7d9e431cda8782e729253835f178a356d3aab",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
+        "ref": "main",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
@ -61,7 +284,101 @@
        "type": "github"
      }
    },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "ref": "master",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_4": {
+      "locked": {
+        "lastModified": 1717312683,
+        "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=",
+        "owner": "nix-community",
+        "repo": "flake-compat",
+        "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_5": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "conduwuit",
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722555600,
+        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "conduwuit",
+          "cachix",
+          "devenv",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712014858,
+        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "lanzaboote",
@ -69,11 +386,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1740872218,
+        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
        "type": "github"
      },
      "original": {
@ -96,6 +413,7 @@
      },
      "original": {
        "owner": "numtide",
+        "ref": "main",
        "repo": "flake-utils",
        "type": "github"
      }
@ -136,22 +454,40 @@
        "type": "github"
      }
    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "garage": {
      "inputs": {
-        "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils",
+        "crane": "crane_3",
+        "flake-compat": "flake-compat_4",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1748012719,
-        "narHash": "sha256-s6VG70nqLCzAOLRgZ3oETQ8VJcsrEUol2vjTiYyesK4=",
+        "lastModified": 1742547966,
+        "narHash": "sha256-AJfw+XRaRyrlpb9Wy6rVz44JePy0AXWPECXVPBnrOfI=",
        "owner": "deuxfleurs-org",
        "repo": "garage",
-        "rev": "37e5621dde5c25ccac4f6da4d7c60f45fc71ff88",
+        "rev": "14d2f2b18da015508d4a1e31b2f014da5188d516",
        "type": "github"
      },
      "original": {
@ -160,7 +496,59 @@
        "type": "github"
      }
    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "conduwuit",
+          "cachix",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "conduwuit",
+          "cachix",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_2"
+      },
+      "locked": {
+        "lastModified": 1733318908,
+        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "conduwuit",
+          "cachix",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "lanzaboote",
@ -189,11 +577,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748529677,
-        "narHash": "sha256-MJEX3Skt5EAIs/aGHD8/aXXZPcceMMHheyIGSjvxZN0=",
+        "lastModified": 1743948087,
+        "narHash": "sha256-B6cIi2ScgVSROPPlTti6len+TdR0K25B9R3oKvbw3M8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "da282034f4d30e787b8a10722431e8b650a907ef",
+        "rev": "ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7",
        "type": "github"
      },
      "original": {
@ -204,9 +592,9 @@
    },
    "lanzaboote": {
      "inputs": {
-        "crane": "crane_2",
-        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts",
+        "crane": "crane_4",
+        "flake-compat": "flake-compat_5",
+        "flake-parts": "flake-parts_3",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -214,11 +602,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1747056319,
-        "narHash": "sha256-qSKcBaISBozadtPq6BomnD+wIYTZIkiua3UuHLaD52c=",
+        "lastModified": 1741442524,
+        "narHash": "sha256-tVcxLDLLho8dWcO81Xj/3/ANLdVs0bGyCPyKjp70JWk=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "2e425f3da6ce7f5b34fa6eaf7a2a7f78dbabcc85",
+        "rev": "d8099586d9a84308ffedac07880e7f07a0180ff4",
        "type": "github"
      },
      "original": {
@ -228,9 +616,42 @@
        "type": "github"
      }
    },
+    "libgit2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1697646580,
+        "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
+        "owner": "libgit2",
+        "repo": "libgit2",
+        "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "libgit2",
+        "repo": "libgit2",
+        "type": "github"
+      }
+    },
+    "liburing": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1740613216,
+        "narHash": "sha256-NpPOBqNND3Qe9IwqYs0mJLGTmIx7e6FgUEBAnJ+1ZLA=",
+        "owner": "axboe",
+        "repo": "liburing",
+        "rev": "e1003e496e66f9b0ae06674869795edf772d5500",
+        "type": "github"
+      },
+      "original": {
+        "owner": "axboe",
+        "ref": "master",
+        "repo": "liburing",
+        "type": "github"
+      }
+    },
    "nil": {
      "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -250,6 +671,85 @@
        "type": "github"
      }
    },
+    "nix": {
+      "inputs": {
+        "flake-compat": [
+          "conduwuit",
+          "cachix",
+          "devenv"
+        ],
+        "flake-parts": "flake-parts_2",
+        "libgit2": "libgit2",
+        "nixpkgs": "nixpkgs_3",
+        "nixpkgs-23-11": [
+          "conduwuit",
+          "cachix",
+          "devenv"
+        ],
+        "nixpkgs-regression": [
+          "conduwuit",
+          "cachix",
+          "devenv"
+        ],
+        "pre-commit-hooks": [
+          "conduwuit",
+          "cachix",
+          "devenv"
+        ]
+      },
+      "locked": {
+        "lastModified": 1727438425,
+        "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=",
+        "owner": "domenkozar",
+        "repo": "nix",
+        "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546",
+        "type": "github"
+      },
+      "original": {
+        "owner": "domenkozar",
+        "ref": "devenv-2.24",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
+    "nix-filter": {
+      "locked": {
+        "lastModified": 1731533336,
+        "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "ref": "main",
+        "repo": "nix-filter",
+        "type": "github"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "conduwuit",
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
@ -257,11 +757,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748145500,
-        "narHash": "sha256-t9fx0l61WOxtWxXCqlXPWSuG/0XMF9DtE2T7KXgMqJw=",
+        "lastModified": 1743911143,
+        "narHash": "sha256-4j4JPwr0TXHH4ZyorXN5yIcmqIQr0WYacsuPA4ktONo=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "a98adbf54d663395df0b9929f6481d4d80fc8927",
+        "rev": "a36f6a7148aec2c77d78e4466215cceb2f5f4bfb",
        "type": "github"
      },
      "original": {
@ -277,11 +777,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747646130,
-        "narHash": "sha256-B4+JyeF6u7FINPD1Fzc7QiDlmG1L06z/34MqMlBfPDQ=",
+        "lastModified": 1743410259,
+        "narHash": "sha256-tjdkPPkRT1Mj72yrpN8oUxYw9SaG8wOQWD3auS1bvSs=",
        "owner": "nix-community",
        "repo": "nix-ld",
-        "rev": "14ad0c0a26dae752c93fa9fa59437bfd2b8aaf69",
+        "rev": "140451db1cadeef1e7e9e054332b67b7be808916",
        "type": "github"
      },
      "original": {
@ -292,11 +792,107 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748370509,
-        "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=",
+        "lastModified": 1726042813,
+        "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1724316499,
+        "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1730531603,
+        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1717432640,
+        "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1733212471,
+        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1744463964,
+        "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
+        "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650",
        "type": "github"
      },
      "original": {
@ -312,18 +908,18 @@
          "lanzaboote",
          "flake-compat"
        ],
-        "gitignore": "gitignore",
+        "gitignore": "gitignore_2",
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1746537231,
-        "narHash": "sha256-Wb2xeSyOsCoTCTj7LOoD6cdKLEROyFAArnYoS+noCWo=",
+        "lastModified": 1740915799,
+        "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "fa466640195d38ec97cf0493d6d6882bc4d14969",
+        "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
        "type": "github"
      },
      "original": {
@ -332,20 +928,55 @@
        "type": "github"
      }
    },
+    "rocksdb": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1741308171,
+        "narHash": "sha256-YdBvdQ75UJg5ffwNjxizpviCVwVDJnBkM8ZtGIduMgY=",
+        "owner": "girlbossceo",
+        "repo": "rocksdb",
+        "rev": "3ce04794bcfbbb0d2e6f81ae35fc4acf688b6986",
+        "type": "github"
+      },
+      "original": {
+        "owner": "girlbossceo",
+        "ref": "v9.11.1",
+        "repo": "rocksdb",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
+        "conduwuit": "conduwuit",
        "garage": "garage",
        "home-manager": "home-manager",
        "lanzaboote": "lanzaboote",
        "nil": "nil",
        "nix-index-database": "nix-index-database",
        "nix-ld": "nix-ld",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_5",
        "rust-overlay": "rust-overlay_4",
        "sops-nix": "sops-nix",
        "vscode-extensions": "vscode-extensions"
      }
    },
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1740691488,
+        "narHash": "sha256-Fs6vBrByuiOf2WO77qeMDMTXcTGzrIMqLBv+lNeywwM=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "fe3eda77d3a7ce212388bda7b6cec8bffcc077e5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    },
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
@ -376,11 +1007,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747017456,
-        "narHash": "sha256-C/U12fcO+HEF071b5mK65lt4XtAIZyJSSJAg9hdlvTk=",
+        "lastModified": 1741228283,
+        "narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "5b07506ae89b025b14de91f697eba23b48654c52",
+        "rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403",
        "type": "github"
      },
      "original": {
@ -417,11 +1048,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748486227,
-        "narHash": "sha256-veMuFa9cq/XgUXp1S57oC8K0TIw3XyZWL2jIyGWlW0c=",
+        "lastModified": 1743906877,
+        "narHash": "sha256-Thah1oU8Vy0gs9bh5QhNcQh1iuQiowMnZPbrkURonZA=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "4bf1892eb81113e868efe67982b64f1da15c8c5a",
+        "rev": "9d00c6b69408dd40d067603012938d9fbe95cfcd",
        "type": "github"
      },
      "original": {
@ -437,11 +1068,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747603214,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "lastModified": 1743910657,
+        "narHash": "sha256-zr2jmWeWyhCD8WmO2aWov2g0WPPuZfcJDKzMJZYGq3Y=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "523f58a4faff6c67f5f685bed33a7721e984c304",
        "type": "github"
      },
      "original": {
@ -495,19 +1126,34 @@
        "type": "github"
      }
    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "vscode-extensions": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_4",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1748397853,
-        "narHash": "sha256-tudGoP5caIJ5TzkV6wnsmUk7Spx21oWMKpkmPbjRNZc=",
+        "lastModified": 1743904774,
+        "narHash": "sha256-dHnwYLz1b6ohGP2DjWKpDFEZ9WOm4vYuPXKUna08awU=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "ac4fc8eb9a1ee5eeb3c0a30f57652e4c5428d3a5",
+        "rev": "da51d4cab526bef885e8c95ab2b9455bfe0940d4",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -11,6 +11,8 @@
    lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
    rust-overlay.url = "github:oxalica/rust-overlay";
    rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
+    conduwuit.url = "github:girlbossceo/conduwuit";
+    conduwuit.inputs.nixpkgs.follows = "nixpkgs";
    nix-ld.url = "github:nix-community/nix-ld";
    nix-ld.inputs.nixpkgs.follows = "nixpkgs";
    nil.url = "github:oxalica/nil";
--- a/garnix.yaml
+++ b/garnix.yaml
@ -0,0 +1,6 @@
+builds:
+  include:
+    - 'nixosConfigurations.*'
+    - 'homeConfigurations.*'
+    - '*.aarch64-linux.*'
+    - '*.x86_64-linux.*'
--- a/home/kitty.nix
+++ b/home/kitty.nix
@ -7,13 +7,13 @@
      package = pkgs.ibm-plex;
      size = 12;
    };
+    themeFile = "GitHub_Dark";
    settings = {
      enable_audio_bell = true;
      # how many windows should be open before kitty asks
      # for confirmation
      confirm_os_window_close = 0;
      clear_all_shortcuts = true;
-      background_opacity = 0.9;

      # will probably lower this later but the max allowed is actually 4GB
      # this is NOT stored in memory and can only be viewed with scrollback_pager
@ -21,7 +21,7 @@
      # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399
      "scrollback_pager" = "bat --pager='less -FR +G'";
      # "scrollback_lines" = 20000;
-      # wheel_scroll_multiplier = 50;
+      wheel_scroll_multiplier = 50;
    };
    keybindings = {
      # kitty_mod is ctrl+shift by default
--- a/home/yt/ytnix.nix
+++ b/home/yt/ytnix.nix
@ -8,7 +8,7 @@
    ./common.nix
    ../irssi.nix
    ../kitty.nix
-    # ../codium.nix
+    ../codium.nix
  ];
  home = {
    username = "yt";
@ -28,7 +28,10 @@
  home.packages =
    with pkgs;
    lib.flatten [
+      ungoogled-chromium
+      librewolf
      bitwarden-desktop
+      bitwarden-cli
      fastfetch
      (with kdePackages; [
        gwenview
@ -38,58 +41,32 @@
      signal-desktop
      btop
      jq
+      sqlite
      usbutils
      calibre
      tor-browser
      wtype
      bat
      rclone
+      go
      (rust-bin.selectLatestNightlyWith (
        toolchain:
        toolchain.default.override {
          extensions = [ "rust-src" ];
-          targets = [ "aarch64-unknown-linux-musl" ];
        }
      ))
+      pwgen
      gnumake
      unzip
      anki-bin
+      trezorctl
+      q
      gdb
      fuzzel
      hugo
+      ghidra
      sccache
      awscli2
-      p7zip
-      qbittorrent
-      android-tools
-      (python313.withPackages (
-        p: with p; [
-          python-lsp-server
-          pip
-          virtualenv
-        ]
-      ))
-      scrcpy
-      syncthing
-      (with llvmPackages; [
-        clangUseLLVM
-        compiler-rt
-        libllvm
-      ])
-      nix-output-monitor
-      cinny-desktop
-      minio-client
-      keepassxc
-      jujutsu
-      ffmpeg
-      typst
-      pavucontrol
-
-      # reversing
-      radare2
-      jadx
-      frida-tools
-      mitmproxy
      (cutter.withPlugins (
        p: with p; [
          rz-ghidra
@ -97,6 +74,36 @@
          sigdb
        ]
      ))
+      p7zip
+      qbittorrent
+      android-tools
+      frida-tools
+      mitmproxy
+      (python313.withPackages (
+        p: with p; [
+          python-lsp-server
+          pip
+          virtualenv
+        ]
+      ))
+      jadx
+      scrcpy
+      syncthing
+      syncthingtray
+      (with llvmPackages; [
+        clangUseLLVM
+        compiler-rt
+        libllvm
+      ])
+      nix-output-monitor
+      wl-clipboard-rs
+      pixelflasher
+      cinny-desktop
+      freetube
+      gopls
+      rust-analyzer
+      minio-client
+      nil
    ];

  home.sessionVariables = {
@ -148,56 +155,10 @@
    enable = true;
    viAlias = true;
    vimAlias = true;
-    extraPackages = with pkgs; [
-      lua-language-server
-      nixd
-      rust-analyzer
-      fzf
-      fd
-      ripgrep
-      bat
-      delta
-      taplo
-      llvmPackages.clang-tools
-      pyright
-      tree-sitter
-      nodejs
-      nixfmt-rfc-style
-    ];
  };

  programs.ssh = {
    enable = true;
    addKeysToAgent = "yes";
  };
-
-  programs.firefox.enable = true;
-
-  programs.emacs = {
-    enable = true;
-    extraPackages = _: with pkgs; [
-      rust-analyzer
-      nil
-      ispell
-    ];
-  };
-
-  gtk = {
-    enable = true;
-    theme.package = pkgs.gnome-themes-extra;
-    theme.name = "Adwaita-dark";
-  };
-
-  qt = {
-    enable = true;
-    platformTheme.name = "adwaita";
-    style.name = "adwaita-dark";
-    style.package = pkgs.adwaita-qt;
-  };
-
-  dconf.settings = {
-    "org/gnome/desktop/interface" = {
-      color-scheme = "prefer-dark";
-    };
-  };
 }
--- a/home/zsh/default.nix
+++ b/home/zsh/default.nix
@ -37,6 +37,12 @@
      searchDownKey = "^n";
    };

+    # prezto = {
+    #   enable = true;
+    #   caseSensitive = false;
+    #   editor.keymap = "vi";
+    # };
+
    initExtra = ''
      # disable control+s to pause terminal
      unsetopt FLOW_CONTROL
@ -79,11 +85,14 @@
    shellAliases = {
      "vi" = "nvim";
      "vim" = "nvim";
+      "t" = "tmux";
+      "tl" = "tmux list-sessions";
+      "ta" = "tmux new-session -A -s";
      "se" = "sudoedit";
      "s" = "sudo";
-      "nrs" = "sudo nixos-rebuild switch -L --flake ~/nixos-config";
-      "nrt" = "sudo nixos-rebuild test -L --flake ~/nixos-config";
-      "hrs" = "home-manager switch -L --flake ~/nixos-config";
+      "nrs" = "sudo nixos-rebuild switch -L --flake . --log-format internal-json -v |& nom --json";
+      "nrt" = "sudo nixos-rebuild test -L --flake . --log-format internal-json -v |& nom --json";
+      "hrs" = "home-manager switch -L --flake .";
      "g" = "git";
      "ga" = "git add";
      "gaa" = "git add --all";
@ -91,6 +100,7 @@
      "gc" = "git commit --verbose";
      "gcmsg" = "git commit --message";
      "gd" = "git diff";
+      "gdca" = "git diff --cached";
      "gds" = "git diff --staged";
      "gl" = "git log --stat";
      "glg" = "git log --graph";
@ -103,11 +113,6 @@
      "gs" = "git status --short";
      "gss" = "git status";
      "code" = "codium";
-      "jl" = "jj log -n 10";
-      "jll" = "jj log";
-      "jd" = "jj diff";
-      "jn" = "jj new";
-      "jm" = "jj describe -m";
    };
  };

--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -1,5 +1,6 @@
 {
  pkgs,
+  lib,
  ...
 }:
 {
@ -69,10 +70,7 @@
    networkmanager.enable = true;
    firewall = {
      enable = true;
-      trustedInterfaces = [
-        "tailscale0"
-        "podman1"
-      ];
+      trustedInterfaces = [ "tailscale0" ];
      allowedTCPPorts = [
        22
        80
@ -81,6 +79,32 @@
      allowedUDPPorts = [
        443
      ];
+      extraCommands =
+        let
+          ethtool = lib.getExe pkgs.ethtool;
+          tc = lib.getExe' pkgs.iproute2 "tc";
+        in
+        ''
+          # disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
+          ${ethtool} -K ens18 tso off
+
+          # clear existing rules
+          ${tc} qdisc del dev ens18 root || true
+
+          # create HTB hierarchy
+          ${tc} qdisc add dev ens18 root handle 1: htb default 10
+          ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
+          # rest
+          ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100%
+          # caddy
+          ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
+
+          # mark traffic
+          iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3
+
+          # route marked packets
+          ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
+        '';
    };
    interfaces.ens18 = {
      ipv6.addresses = [
@ -133,7 +157,6 @@

  environment.systemPackages = with pkgs; [
    vim
-    neovim
    wget
    curl
    tree
@ -161,8 +184,7 @@
  my.containerization.enable = true;
  my.authelia.enable = true;
  my.karakeep = {
-    enable = false;
+    enable = true;
    dataDir = "/opt/karakeep";
  };
-  my.roundcube.enable = true;
 }
--- a/hosts/chunk/garage.nix
+++ b/hosts/chunk/garage.nix
@ -25,7 +25,7 @@
      compression_level = "none";
    };
    environmentFile = config.sops.secrets."garage/env".path;
-    logLevel = "info";
+    logLevel = "warn";
  };

  services.caddy.virtualHosts = {
--- a/hosts/chunk/postgres.nix
+++ b/hosts/chunk/postgres.nix
@ -19,5 +19,8 @@
      }
    ];
  };
-  services.postgresqlBackup.enable = true;
+  services.postgresqlBackup = {
+    enable = true;
+    startAt = "hourly";
+  };
 }
--- a/hosts/chunk/rclone.nix
+++ b/hosts/chunk/rclone.nix
@ -14,22 +14,22 @@ let
        --config ${config.sops.secrets."rclone/config".path} \
        --allow-other \
        --cache-dir /var/cache/rclone \
-        --transfers 16 \
-        --vfs-cache-mode writes \
+        --transfers 64 \
+        --vfs-cache-mode full \
        --vfs-cache-min-free-space 5G \
        --dir-cache-time 30d \
+        --no-checksum \
        --no-modtime \
        --vfs-fast-fingerprint \
-        --vfs-read-chunk-size 128M \
-        --vfs-read-chunk-streams 0 \
-        --sftp-concurrency 64 \
+        --vfs-read-chunk-size 8M \
+        --vfs-read-chunk-streams 16 \
+        --sftp-concurrency 128 \
        --sftp-chunk-size 255k \
        --buffer-size 0 \
        --write-back-cache \
        ${remote} ${mount}
    '';
    ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -zu ${mount}";
-    Restart = "on-failure";
  };
 in
 {
--- a/hosts/common.nix
+++ b/hosts/common.nix
@ -1,7 +1,6 @@
 { inputs, config, pkgs, ... }:
 {
  nix = {
-    package = pkgs.lix;
    settings = {
      experimental-features = "nix-command flakes";
      auto-optimise-store = true;
@ -39,7 +38,7 @@
  i18n.defaultLocale = "en_US.UTF-8";
  time.timeZone = "America/New_York";
  networking = {
-    firewall.logRefusedConnections = true;
+    firewall.logRefusedConnections = false;
    nameservers = [
      # quad9 (unfiltered)
      "2620:fe::10"
@ -56,7 +55,6 @@
      "nts.teambelgium.net"
      "c.st1.ntp.br"
    ];
-    nftables.enable = true;
  };
  services.chrony = {
    enable = true;
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@ -44,11 +44,10 @@
      efi.canTouchEfiVariables = true;
    };
    tmp.cleanOnBoot = true;
-    kernelPackages = pkgs.linuxPackages_6_14;
+    kernelPackages = pkgs.linuxKernel.packages.linux_zen;
    extraModulePackages = with config.boot.kernelPackages; [
      rtl8821ce
    ];
-    kernelModules = [ "8821ce" ];
    kernelParams = [
      # see https://github.com/tomaspinho/rtl8821ce#pcie-active-state-power-management
      "pcie_aspm=off"
@ -61,10 +60,7 @@
      enable = true;
      pkiBundle = "/var/lib/sbctl";
    };
-    kernel.sysctl = {
-      "kernel.sysrq" = 1;
-      # "net.ipv4.ip_forward" = 1;
-    };
+    kernel.sysctl."kernel.sysrq" = 1;
    binfmt.emulatedSystems = [ "aarch64-linux" ];
  };

@ -91,12 +87,12 @@
    resolvconf.enable = true;
    firewall = {
      enable = true;
-      trustedInterfaces = [
-        "tailscale0"
-      ];
-      extraInputRules = ''
-        ip saddr 192.168.100.0/24 tcp dport 9234 accept
-      '';
+      trustedInterfaces = [ "tailscale0" ];
+      # allowedTCPPorts = [
+      #   8080 # mitmproxy
+      #   22000 # syncthing
+      #   3003 # immich-ml
+      # ];
    };
    hosts = {
      "100.122.132.30" = [ "s3.cy7.sh" ];
@ -109,10 +105,8 @@
    pulse.enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
-    wireplumber.extraConfig."10-bluetooth-enhancements" = {
-      "wireplumber.settings" = {
-        "bluetooth.autoswitch-to-headset-profile" = false;
-      };
+    wireplumber.extraConfig.bluetoothEnhancements = {
+      # https://julian.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html#bluetooth-configuration
      "monitor.bluez.properties" = {
        "bluez5.enable-sbc-xq" = true;
        "bluez5.enable-msbc" = true;
@ -120,27 +114,27 @@
        "bluez5.roles" = [
          "a2dp_sink"
          "a2dp_source"
+          "hsp_hs"
+          "hsp_ag"
          "hfp_hf"
          "hfp_ag"
        ];
      };
    };
    # https://wiki.archlinux.org/title/Bluetooth_headset#Connecting_works,_sound_plays_fine_until_headphones_become_idle,_then_stutters
-    wireplumber.extraConfig."11-disable-suspend" = {
-      "monitor.bluez.rules" = [
-        {
+    wireplumber.extraConfig.disableSuspend = {
+      "monitor.bluez.rules" = {
        matches = [
          {
-              "device.name" = "bluez_card.*";
+            "node.name" = "bluez_output.*";
          }
        ];
+      };
      actions = {
        update-props = {
          "session.suspend-timeout-seconds" = 0;
        };
      };
-        }
-      ];
    };
  };

@ -210,7 +204,7 @@
  services.displayManager = {
    enable = true;
    autoLogin.user = "yt";
-    defaultSession = "sway";
+    defaultSession = "plasma";
    sddm = {
      enable = true;
      wayland.enable = true;
@ -219,14 +213,10 @@
  };

  fonts = {
-    packages =
-      (with pkgs; [
+    packages = with pkgs; [
+      nerd-fonts.roboto-mono
      ibm-plex
-      ])
-      ++ (with pkgs.nerd-fonts; [
-        roboto-mono
-        jetbrains-mono
-      ]);
+    ];
    enableDefaultPackages = true;
  };

@ -248,7 +238,6 @@
      "/home/yt/Games"
      "/home/yt/Videos"
      "/home/yt/.bitmonero"
-      "/home/yt/vms"
    ];
    repo = "yt";
    passFile = config.sops.secrets."borg/rsyncnet".path;
@ -277,10 +266,6 @@
    enable = true;
    qemu.vhostUserPackages = with pkgs; [ virtiofsd ];
  };
-  # virtualisation.vmware.host = {
-  #   enable = true;
-  #   package = pkgs.vmware-workstation;
-  # };
  programs.virt-manager.enable = true;
  my.containerization.enable = true;

@ -331,7 +316,6 @@
      xorg.libxshmfence
      xorg.libXxf86vm
      xorg.libSM
-      xorg.libICE
      gtk3
      pango
      gdk-pixbuf
@ -376,6 +360,12 @@
    ];
  };

+  services.ollama.enable = false;
+
+  services.trezord.enable = true;
+
+  programs.niri.enable = false;
+  programs.niri.package = pkgs.niri-unstable;
  programs.xwayland.enable = true;

  services.udev.extraHwdb = ''
@ -400,32 +390,7 @@
  programs.ccache.enable = true;
  nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
  programs.fuse.userAllowOther = true;
-  nix.settings.sandbox = true;
+  nix.settings.sandbox = false;

  programs.ssh.startAgent = true;
-
-  programs.sway = {
-    enable = true;
-    wrapperFeatures.gtk = true;
-    extraPackages = with pkgs; [
-      rofi-wayland
-      cliphist
-      rofimoji
-      grim
-      slurp
-      swaylock
-      swayidle
-      brightnessctl
-      waybar
-      wl-clipboard
-    ];
-  };
-
-  programs.ghidra = {
-    enable = true;
-    package = pkgs.ghidra.withExtensions (p: with p; [
-      findcrypt
-      ret-sync
-    ]);
-  };
 }
--- a/hosts/ytnix/hardware-configuration.nix
+++ b/hosts/ytnix/hardware-configuration.nix
@ -82,5 +82,5 @@
  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault true;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/modules/authelia.nix
+++ b/modules/authelia.nix
@ -68,7 +68,6 @@ in
            ];
            scopes = [ "openid" "profile" "email" ];
            userinfo_signed_response_alg = "none";
-            token_endpoint_auth_method = "client_secret_basic";
          }
          {
            client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU";
--- a/modules/backup.nix
+++ b/modules/backup.nix
@ -21,7 +21,7 @@ let
    "/var/lib/docker"
    "/var/lib/containers" # podman
    "/var/lib/systemd"
-    "/var/lib/libvirt/images"
+    "/var/lib/libvirt"
    "**/.rustup"
    "**/.cargo"
    "**/.docker"
@ -47,7 +47,7 @@ in
    };
    startAt = lib.mkOption {
      type = lib.types.str;
-      default = "daily";
+      default = "hourly";
      description = "see systemd.timer(5)";
    };
    jobName = lib.mkOption {
@ -98,9 +98,8 @@ in
      failOnWarnings = false;

      prune.keep = {
-        daily = 7;
-        weekly = 12;
-        monthly = -1;
+        within = "2d";
+        daily = 365;
      };
      extraPruneArgs = [ "--stats" ];
    };
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -19,9 +19,9 @@ in
        plugins = [
          # error message will tell you the correct version tag to use
          # (still need the @ to pass nix config check)
-          "github.com/caddy-dns/cloudflare@v0.2.2-0.20250420134112-006ebb07b349"
+          "github.com/caddy-dns/cloudflare@v0.0.0-20250228175314-1fb64108d4de"
        ];
-        hash = "sha256-2U+icm4GtI5Fww6U8nKzQ/+pPf63T3scTGuj1zjj4b4=";
+        hash = "sha256-YYpsf8HMONR1teMiSymo2y+HrKoxuJMKIea5/NEykGc=";
      };
      logFormat = lib.mkForce "level INFO";
      acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
--- a/modules/roundcube.nix
+++ b/modules/roundcube.nix
@ -31,7 +31,6 @@ in
        "contextmenu"
        "custom_from"
        "thunderbird_labels"
-        "managesieve"
      ];
      dicts = with pkgs.aspellDicts; [ en ];
      extraConfig = ''
@ -39,8 +38,6 @@ in
        $config['smtp_host'] = "ssl://smtp.migadu.com:465";
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
-        $config['managesieve_host'] = "tls://imap.migadu.com";
-        $config['managesieve_port'] = 4190;
      '';
    };

@ -51,7 +48,6 @@ in

    services.caddy.virtualHosts."mail.cy7.sh".extraConfig = ''
      import common
-      import authelia
      root ${roundcube.package}
      php_fastcgi unix/${fpm.socket}
      file_server
--- a/overlay/default.nix
+++ b/overlay/default.nix
@ -7,6 +7,9 @@
      pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg};
    in
    {
+      conduwuit = pkgFrom inputs.conduwuit "default";
+      attic-server = pkgFrom inputs.attic "attic-server";
+      attic = pkgFrom inputs.attic "attic";
      garage = (
        (pkgFrom inputs.garage "default").overrideAttrs {
          meta.mainProgram = "garage";
Author	SHA1	Message	Date
cy	9960ac71fc	workflow: use envars for s3 region and endpoint	2025-04-14 15:12:57 -04:00
cy	114aca9541	workflow: try hex encoded secret	2025-04-14 14:35:50 -04:00
cy	0bfef139ee	workflow: use runner.temp variable	2025-04-14 14:19:20 -04:00
cy	dbfd590562	dogfood nixcp	2025-04-14 13:46:03 -04:00
cy	892f42ed2a	use nixpkgs unstable	2025-04-14 13:37:13 -04:00
cy	1573032ace	try not using lix	2025-04-14 13:29:51 -04:00
cy	e452f2b753	just don't use matrix anymore	2025-04-14 13:29:51 -04:00
cy	1d851c93f1	install nil	2025-04-14 13:29:51 -04:00
cy	fecdb66f77	use lix from nixpkgs	2025-04-14 10:45:00 -04:00