WIP: home/{hyprland,waybar}: init

flake.nix

@@ -101,6 +101,8 @@
           inherit (nonrecursive-unstable-pkgs) atuin wstunnel;
         })
 
+        (import ./overlays/wayland-ime-integration.nix)
+
         # https://github.com/NixOS/nixpkgs/pull/251706
         (self: super: {
           mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { };
@@ -188,6 +190,7 @@
                   useGlobalPkgs = true;
                   extraSpecialArgs = {
                     inherit inputs;
+                    inherit unstable-pkgs;
                     inherit (self) extendedLib;
                     inherit (config) machineVars;
                     secrets = secrets.outputs.settings;

home/home.nix

@@ -35,12 +35,14 @@ in {
     ./programs/alacritty.nix
     ./programs/emacs
     ./programs/firefox.nix
+    ./programs/hyprland.nix
     ./programs/ncmpcpp.nix
     ./programs/newsboat
     ./programs/qutebrowser.nix
     ./programs/rofi.nix
     ./programs/taskwarrior.nix
     ./programs/vscode
+    ./programs/waybar.nix
     # ./programs/xmobar
     ./programs/xmonad
     ./programs/zathura.nix
@@ -50,11 +52,11 @@ in {
     ./services/dunst.nix
     ./services/fcitx5.nix
     ./services/mpd.nix
-    ./services/picom.nix
+    # ./services/picom.nix
-    ./services/polybar.nix
+    # ./services/polybar.nix
-    ./services/screen-locker.nix
+    # ./services/screen-locker.nix
     # ./services/stalonetray.nix
-    ./services/sxhkd.nix
+    # ./services/sxhkd.nix
     ./services/tumblerd.nix
   ];
 
@@ -97,6 +99,7 @@ in {
     sessionVariables = {
       CARGO_NET_GIT_FETCH_WITH_CLI = "true";
       PYTHONSTARTUP = "${config.xdg.configHome}/python/pyrc";
+      _JAVA_AWT_WM_NONREPARENTING = "1";
     };
   };
 

home/packages.nix

@@ -17,6 +17,7 @@
     gpg-tui
     gping
     graphviz
+    hexyl
     httpie
     imagemagick
     jq
@@ -24,6 +25,7 @@
     # keybase
     keymapviz
     libwebp
+    lnav
     lolcat
     mdcat
     mediainfo
@@ -44,6 +46,7 @@
     pandoc
     parallel
     progress
+    pwntools
     python3
     rclone
     ripgrep
@@ -89,10 +92,12 @@
       discord
       element-desktop
       geogebra
+      ghidra
       gimp
       gnome.gnome-font-viewer
       gnome.seahorse
       google-chrome
+      imhex
       inkscape
       insomnia
       iwgtk

home/programs/gh.nix

@@ -4,7 +4,7 @@
     enable = true;
     settings = {
       gitProtocol = "ssh";
-      pager = "${pkgs.bat}/git/bat";
+      pager = "${pkgs.bat}/bin/bat";
       aliases = {
         co = "pr checkout";
         pv = "pr view";

home/programs/hyprland.nix

@@ -0,0 +1,323 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.wayland.windowManager.hyprland;
+in
+{
+  home.sessionVariables = {
+    WLR_NO_HARDWARE_CURSORS = "1";
+    WLR_RENDERER_ALLOW_SOFTWARE = "1";
+    XDG_CURRENT_DESKTOP = "Hyprland";
+    XDG_SESSION_DESKTOP = "Hyprland";
+    XDG_SESSION_TYPE = "wayland";
+    GDK_BACKEND = "wayland,x11,*";
+    QT_QPA_PLATFORM = "wayland;xcb";
+    NIXOS_OZONE_WL = "1";
+    MOZ_ENABLE_WAYLAND = "1";
+    SDL_VIDEODRIVER = "wayland";
+    OZONE_PLATFORM = "wayland";
+    CLUTTER_BACKEND = "wayland";
+    QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    # QT_QPA_PLATFORMTHEME = "qt6ct";
+    QT_AUTO_SCREEN_SCALE_FACTOR = "1";
+
+    LIBVA_DRIVER_NAME = "nvidia";
+    GBM_BACKEND = "nvidia-drm";
+    __GLX_VENDOR_LIBRARY_NAME = "nvidia";
+  };
+
+  home.packages = with pkgs; [
+    wl-clipboard-rs
+  ];
+
+  programs.hyprlock = {
+    enable = true;
+    settings = {
+      general = {
+        disable_loading_bar = true;
+        grace = 300;
+        hide_cursor = true;
+        no_fade_in = false;
+      };
+
+      background = [
+        {
+          path = "screenshot";
+          blur_passes = 3;
+          blur_size = 8;
+        }
+      ];
+
+      input-field = [
+        {
+          size = "200, 50";
+          position = "0, -80";
+          monitor = "";
+          dots_center = true;
+          fade_on_empty = false;
+          font_color = "rgb(202, 211, 245)";
+          inner_color = "rgb(91, 96, 120)";
+          outer_color = "rgb(24, 25, 38)";
+          outline_thickness = 5;
+          placeholder_text = ''Password...'';
+          shadow_passes = 2;
+        }
+      ];
+    };
+  };
+
+  services.hypridle = {
+    enable = true;
+    settings = {
+      general = {
+        ignore_dbus_inhibit = false;
+        lock_cmd = "pidof hyprlock || hyprlock";
+        before_sleep_cmd = "loginctl lock-session";
+        after_sleep_cmd = "hyprctl dispatch dpms on";
+      };
+
+      listener = [
+        {
+          timeout = 900;
+          on-timeout = "hyprlock";
+        }
+        {
+          timeout = 1200;
+          on-timeout = "hyprctl dispatch dpms off";
+          on-resume = "hyprctl dispatch dpms on";
+        }
+      ];
+    };
+  };
+
+  wayland.windowManager.hyprland = {
+    enable = true;
+
+    settings = let
+      scratchpads = [
+        (rec {
+          title = "Floating terminal";
+          class = "floatingTerminal";
+          command = "alacritty --class ${class} -e tmux new-session -A -s f";
+          size = { h = 90; w = 95; };
+          keys = [
+            "$mod, RETURN"
+            "$mod, SPACE"
+          ];
+        })
+        (rec {
+          title = "Ncmpcpp";
+          class = "floatingNcmpcpp";
+          command = "alacritty --class ${class} -e ncmpcpp";
+          size = { h = 95; w = 95; };
+          keys = [ "$mod, Q" ];
+        })
+        # "$mod, W, emacs"
+        # "$mod, E, filebrowser"
+        # "$mod, X, taskwarriortui"
+      ];
+    in {
+      "$mod" = "SUPER";
+
+      # https://github.com/xkbcommon/libxkbcommon/blob/master/include/xkbcommon/xkbcommon-keysyms.h
+      bind = [
+        "$mod SHIFT, Q, exit"
+        "$mod, R, exec, ${pkgs.rofi}/bin/rofi -show drun"
+        "$mod, T, togglefloating"
+
+        # TODO: fix this for upcoming releases
+        "$mod, F, fullscreen, 2"
+        "$mod, C, exec, hyprctl reload"
+
+        "$mod, BACKSPACE, killactive"
+
+        "$mod SHIFT, RETURN, exec, alacritty --class termTerminal -e tmux new-session -A -s term"
+        "$mod SHIFT, SPACE, exec, alacritty --class termTerminal -e tmux new-session -A -s term"
+
+        "$mod, j, layoutmsg,cyclenext"
+        "$mod, k, layoutmsg,cycleprev"
+        "$mod SHIFT, j, layoutmsg, swapnext"
+        "$mod SHIFT, k, layoutmsg, swapprev"
+
+        "$mod, 1, focusworkspaceoncurrentmonitor, 1"
+        "$mod, 2, focusworkspaceoncurrentmonitor, 2"
+        "$mod, 3, focusworkspaceoncurrentmonitor, 3"
+        "$mod, 4, focusworkspaceoncurrentmonitor, 4"
+        "$mod, 5, focusworkspaceoncurrentmonitor, 5"
+        "$mod, 6, focusworkspaceoncurrentmonitor, 6"
+        "$mod, 7, focusworkspaceoncurrentmonitor, 7"
+        "$mod, 8, focusworkspaceoncurrentmonitor, 8"
+        "$mod, 9, focusworkspaceoncurrentmonitor, 9"
+
+        "$mod SHIFT, 1, movetoworkspacesilent, 1"
+        "$mod SHIFT, 2, movetoworkspacesilent, 2"
+        "$mod SHIFT, 3, movetoworkspacesilent, 3"
+        "$mod SHIFT, 4, movetoworkspacesilent, 4"
+        "$mod SHIFT, 5, movetoworkspacesilent, 5"
+        "$mod SHIFT, 6, movetoworkspacesilent, 6"
+        "$mod SHIFT, 7, movetoworkspacesilent, 7"
+        "$mod SHIFT, 8, movetoworkspacesilent, 8"
+        "$mod SHIFT, 9, movetoworkspacesilent, 9"
+
+        "$mod, b, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s mozc"
+        "$mod, n, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s keyboard-no"
+        "$mod, m, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s keyboard-us"
+
+        # TODO: ensure exists in environment
+        "$mod, l, exec, loginctl lock-session"
+
+        # TODO: fix
+        # "super + minus" = "${pkgs.xcalib}/bin/xcalib -invert -alter"
+
+        # TODO: fix
+        ", Print, exec, ${lib.getExe pkgs.grimblast} copy area"
+
+        # "SHIFT, Print, exec, ${lib.getExe pkgs.grimblast} copy area"
+        # "shift + @Print" = "${pkgs.maim}/bin/maim --hidecursor --nokeyboard $SCREENSHOT_DIR/$(date +%s).png"
+
+        # TODO: Add boomer as package
+        # "super + @Print" = "boomer"
+      ]
+      ++
+      (lib.pipe scratchpads [
+        (map ({ keys, command, class, ... }:
+          (map (key: let
+            # TODO: rewrite this to take arguments instead of creating n copies
+            invokeIfNotRunningAndToggleWorkspace = pkgs.writeShellApplication {
+              name = "hyprland-toggle-scratchpad-${class}";
+              runtimeInputs = [ cfg.package pkgs.jq ];
+              text = ''
+                SCRATCHPAD_PROGRAM_EXISTS=$(hyprctl clients -j | jq -r '[.[].class]|any(. == "${class}")')
+                CURRENT_WORKSPACE_ID=$(hyprctl activeworkspace -j | jq -r '.id')
+
+                if [ "$SCRATCHPAD_PROGRAM_EXISTS" != "true" ]; then
+                  ${command} &
+                  hyprctl dispatch movetoworkspacesilent "''${CURRENT_WORKSPACE_ID},class:${class}"
+                  hyprctl dispatch focuswindow "class:${class}"
+                else
+                  SCRATCHPAD_PROGRAM_WORKSPACE_ID=$(hyprctl clients -j | jq '.[] | select( .class == "${class}") | .workspace.id')
+                  if [ "$SCRATCHPAD_PROGRAM_WORKSPACE_ID" != "$CURRENT_WORKSPACE_ID" ]; then
+                    hyprctl dispatch movetoworkspacesilent "''${CURRENT_WORKSPACE_ID},class:${class}"
+                    hyprctl dispatch focuswindow "class:${class}"
+                  else
+                    hyprctl dispatch movetoworkspacesilent "special:${class}Ws,class:${class}"
+                  fi
+                fi
+              '';
+            };
+          in "${key}, exec, ${lib.getExe invokeIfNotRunningAndToggleWorkspace}"
+          ) keys)
+        ))
+        lib.flatten
+      ]);
+
+      bindl = [
+        "$mod, p, exec, ${pkgs.mpc_cli}/bin/mpc toggle"
+        ",XF86AudioPlay, exec, ${pkgs.mpc_cli}/bin/mpc toggle"
+        ",XF86AudioPrev, exec, ${pkgs.mpc_cli}/bin/mpc prev"
+        ",XF86AudioNext, exec, ${pkgs.mpc_cli}/bin/mpc next"
+      ];
+
+      bindle = [
+        ",XF86MonBrightnessUp, exec, ${lib.getExe pkgs.brightnessctl} s +5%"
+        ",XF86MonBrightnessDown, exec, ${lib.getExe pkgs.brightnessctl} s 5%-"
+        ",XF86AudioLowerVolume, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%-"
+        ",XF86AudioRaiseVolume, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%+"
+        "$mod ,F7, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%-"
+        "$mod ,F8, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%+"
+      ];
+
+      windowrulev2 = [
+        "float,class:(Rofi)"
+
+        "workspace 2,class:(firefox)"
+        "workspace 2,class:(google-chrome)"
+
+        "workspace 3,class:(Emacs)"
+        "workspace 3,class:(Code)"
+        "workspace 3,class:(code-url-handler)"
+
+        "workspace 5,class:(discord)"
+        "workspace 5,class:(Element)"
+      ]
+      ++
+      (lib.pipe scratchpads [
+        (map ({ class, size, ... }: [
+          "workspace special:${class}Ws, class:^${class}$"
+          "float, class:^${class}$"
+          "size ${toString size.w}% ${toString size.h}%, class:^${class}$"
+          "move ${toString ((100 - size.w) / 2)}% ${toString ((100 - size.h) / 2)}%, class:^${class}$"
+        ]))
+        lib.flatten
+      ]);
+
+      monitor = [
+        "DP-2, 1920x1080@144.00Hz, 0x0, 1"
+        "DVI-D-1, 1920x1080@144.00Hz, 1920x0, 1"
+        ",preferred,auto,1"
+      ];
+
+      general = {
+        gaps_in = 5;
+        gaps_out = 15;
+
+        border_size = 2;
+
+        "col.active_border" = "rgba(33ccffee) rgba(00ff99ee) 45deg";
+        "col.inactive_border" = "rgba(595959aa)";
+
+        resize_on_border = false;
+        allow_tearing = false;
+        layout = "master";
+      };
+
+      decoration = {
+        rounding = 10;
+
+        # Change transparency of focused and unfocused windows
+        active_opacity = 1.0;
+        inactive_opacity = 1.0;
+
+        drop_shadow = true;
+        shadow_range = 4;
+        shadow_render_power = 3;
+        "col.shadow" = "rgba(1a1a1aee)";
+
+        # https://wiki.hyprland.org/Configuring/Variables/#blur
+        blur = {
+          enabled = true;
+          size = 3;
+          passes = 1;
+
+          vibrancy = 0.1696;
+        };
+      };
+
+      animations.enabled = false;
+
+      master = {
+          new_status = "slave";
+      };
+
+      misc = {
+          force_default_wallpaper = 0; # Set to 0 or 1 to disable the anime mascot wallpapers
+          disable_hyprland_logo = false; # If true disables the random hyprland logo / anime girl background. :(
+      };
+
+      input ={
+          kb_layout = "us";
+          kb_variant = "";
+          kb_model = "";
+          kb_options = "";
+          kb_rules = "";
+
+          follow_mouse = 1;
+
+          sensitivity = 0; # -1.0 - 1.0, 0 means no modification.
+
+          touchpad = {
+              natural_scroll = false;
+          };
+      };
+    };
+  };
+}

home/programs/neovim/default.nix

@@ -21,6 +21,7 @@
       vim-surround
       vim-fugitive
       vim-css-color
+      vim-wayland-clipboard
       semshi
       {
         plugin = goyo-vim;

home/programs/ssh/pvv.nix

@@ -10,26 +10,35 @@ let
       proxyJump = lib.mkDefault null;
       addressFamily = "inet";
     }
-    "dagali"
-    "drolsum"
-    "demiurgen"
-    "eirin"
     [ "bekkalokk" "pvv-web" "pvv-wiki" "pvv-webmail" ]
-    "ildkule"
-    "shark"
-    "buskerud"
     [ "bicep" "pvv-databases" ]
     "bob"
-    "knutsen"
+    [ "brzeczyszczykiewicz" "brez" "bokhylle" ]
+    "buskerud"
+    "dagali"
+    "demiurgen"
+    "drolsum"
+    "eirin"
+    "georg"
+    "ildkule"
     "isvegg"
-    "tom"
+    "knutsen"
     [ "microbel" "pvv-users" "pvv-mail" ]
+    "orchid"
+    "shark"
+    "tallulah"
+    "tom"
+    "venture"
   ];
 
   rootMachines = [
-    [ "sleipner" "pvv-salt" ]
+    [ "ameno" "pvv-dns" ]
     [ "balduzius" "pvv-krb" ]
     [ "innovation" "pvv-minecraft" ]
+    "ludvigsen"
+    [ "principal" "pvv-backup" ]
+    [ "skrott" "dibbler" ]
+    [ "sleipner" "pvv-salt" ]
   ];
 
   # Either( String [String] AttrSet{String} ) -> AttrSet{String}

home/programs/waybar.nix

@@ -0,0 +1,239 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.programs.waybar;
+  cfgs = cfg.settings.mainBar;
+in
+{
+  programs.waybar = {
+    enable = true;
+    systemd.enable = true;
+
+    settings = {
+      mainBar = {
+        layer = "top";
+        position = "top";
+        height = 30;
+
+        # TODO: configure this per machine
+        output = [ "DP-2" ];
+
+        modules-left = [ "hyprland/workspaces"  ];
+        modules-center = [ "clock" ];
+        modules-right = [ "mpd" "cpu" "memory" "wireplumber" "pulseaudio/slider" "tray" ];
+
+        "hyprland/workspaces" = {
+          all-outputs = true;
+          disable-scroll = true;
+          persistent-workspaces = {
+            ${lib.head cfgs.output} = [ 1 2 3 4 5 6 7 8 ];
+          };
+        };
+
+        "mpd" = {
+          format = "{filename}";
+        };
+
+        "cpu" = {
+          format = "[#] {usage}%";
+        };
+
+        "memory" = {
+          format = "{used}/{total}Gb";
+        };
+
+        "wireplumber" = {
+          format = "{volume}% {icon}";
+          format-muted = "[M]";
+        };
+
+        "pulseaudio/slider" = {
+          orientation = "horizontal";
+        };
+
+        "tray" = {
+          icon-size = 20;
+          spacing = 8;
+        };
+      };
+    };
+
+    style = let
+      c = config.colors.defaultColorSet;
+    in ''
+      * {
+          font-family: FiraCode, FontAwesome, Roboto, Helvetica, Arial, sans-serif;
+          font-size: 13px;
+      }
+
+      window#waybar {
+          background-color: ${c.background};
+          color: ${c.foreground};
+      }
+
+      #pulseaudio-slider trough {
+          min-height: 10px;
+          min-width: 100px;
+      }
+
+      /**** DEFAULT ****/
+
+      window#waybar.hidden {
+          opacity: 0.2;
+      }
+
+      button {
+          /* Use box-shadow instead of border so the text isn't offset */
+          box-shadow: inset 0 -3px transparent;
+          /* Avoid rounded borders under each button name */
+          border: none;
+          border-radius: 0;
+      }
+
+      /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
+      button:hover {
+          background: inherit;
+          box-shadow: inset 0 -3px #ffffff;
+      }
+
+
+      #workspaces button.empty {
+          color: ${c.yellow};
+      }
+
+      #workspaces button {
+          padding: 0 5px;
+          color: ${c.magenta};
+          background-color: transparent;
+      }
+
+      #workspaces button.visible {
+          color: ${c.green};
+      }
+
+      #workspaces button.urgent {
+          background-color: ${c.red};
+      }
+
+      #workspaces button:hover {
+          background: rgba(0, 0, 0, 0.2);
+      }
+
+      #mode {
+          background-color: #64727D;
+          box-shadow: inset 0 -3px #ffffff;
+      }
+
+      #clock,
+      #battery,
+      #cpu,
+      #memory,
+      #disk,
+      #temperature,
+      #backlight,
+      #network,
+      #pulseaudio,
+      #wireplumber,
+      #custom-media,
+      #tray,
+      #mode,
+      #idle_inhibitor,
+      #scratchpad,
+      #power-profiles-daemon,
+      #mpd {
+          padding: 0 10px;
+          color: ${c.foreground};
+      }
+
+      #window,
+      #workspaces {
+          margin: 0 4px;
+      }
+
+      /* If workspaces is the leftmost module, omit left margin */
+      .modules-left > widget:first-child > #workspaces {
+          margin-left: 0;
+      }
+
+      /* If workspaces is the rightmost module, omit right margin */
+      .modules-right > widget:last-child > #workspaces {
+          margin-right: 0;
+      }
+
+      #clock {
+          background-color: #64727D;
+      }
+
+      #cpu {
+          background-color: ${c.cyan};
+          color: #000000;
+      }
+
+      #memory {
+          background-color: ${c.yellow};
+          color: #000000;
+      }
+
+      #network {
+          background-color: #2980b9;
+      }
+
+      #network.disconnected {
+          background-color: #f53c3c;
+      }
+
+      #pulseaudio {
+          background-color: #f1c40f;
+          color: #000000;
+      }
+
+      #pulseaudio.muted {
+          background-color: #90b1b1;
+          color: #2a5c45;
+      }
+
+      #wireplumber {
+          background-color: #fff0f5;
+          color: #000000;
+      }
+
+      #wireplumber.muted {
+          background-color: #f53c3c;
+      }
+
+      #tray {
+          background-color: #2980b9;
+      }
+
+      #tray > .passive {
+          -gtk-icon-effect: dim;
+      }
+
+      #tray > .needs-attention {
+          -gtk-icon-effect: highlight;
+          background-color: #eb4d4b;
+      }
+
+      #mpd {
+          background-color: #66cc99;
+          color: #2a5c45;
+      }
+
+      #mpd.disconnected {
+          background-color: #f53c3c;
+      }
+
+      #mpd.stopped {
+          background-color: #90b1b1;
+      }
+
+      #mpd.paused {
+          background-color: #51a37a;
+      }
+    '';
+    # background-color: rgba(0,0,0,0);
+    # border-bottom: 3px solid rgba(100, 114, 125, 0.5);
+
+    #style = ''
+    #'';
+  };
+}

home/programs/zed/default.nix

@@ -1,6 +1,6 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, unstable-pkgs, lib, ... }:
 {
-  home.packages = with pkgs; [ zed-editor ];
+  home.packages = with unstable-pkgs; [ zed-editor ];
 
   xdg.configFile."zed/settings.json".source = let
     format = pkgs.formats.json { };

home/services/dunst.nix

@@ -13,9 +13,9 @@
         class = "Dunst";
         browser = "${pkgs.xdg-utils}/bin/xdg-open";
 
-        offset = let 
+        # offset = let
-          status-bar-height = config.services.polybar.settings."bar/top".height;
+        #   status-bar-height = config.services.polybar.settings."bar/top".height;
-        in "15x${toString (status-bar-height + 10)}";
+        # in "15x${toString (status-bar-height + 10)}";
 
         corner_radius = 0;
         font = "Droid Sans 9";

hosts/common/default.nix

@@ -12,7 +12,9 @@ in {
     ./programs/ssh.nix
     ./programs/usbtop.nix
 
+    ./services/cups.nix
     ./services/dbus.nix
+    ./services/logrotate.nix
     ./services/openssh.nix
     ./services/pcscd.nix
     ./services/pipewire.nix
@@ -130,8 +132,6 @@ in {
     };
 
     irqbalance.enable = true;
-
-    displayManager.defaultSession = "none+xmonad";
   };
 
   programs = {
@@ -139,6 +139,7 @@ in {
     git.enable = true;
     tmux.enable = true;
     zsh.enable = true;
+    hyprland.enable = true;
   };
 
   system.extraDependencies =

hosts/common/services/cups.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+{
+  systemd.services = lib.mkIf config.services.printing.enable {
+    cups.serviceConfig = {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true; 
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+    cups-browsed.serviceConfig = {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+  };
+}

hosts/common/services/logrotate.nix

@@ -0,0 +1,42 @@
+{ ... }:
+{
+  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
+  systemd.services.logrotate = {
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+    unitConfig.RequiresMountsFor = "/var/log";
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [ "/var/log" ];
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
+  };
+}

hosts/common/services/xserver.nix

@@ -1,5 +1,14 @@
 { config, ... }:
 {
+  services.displayManager = {
+    enable = true;
+    defaultSession = "none+xmonad";
+    sddm = {
+      enable = !config.machineVars.headless;
+      wayland.enable = true;
+    };
+  };
+
   services.xserver = {
     enable = !config.machineVars.headless;
 
@@ -13,13 +22,15 @@
     #   xfce.enable = !config.machineVars.headless;
     # };
 
-    displayManager.lightdm.enable = !config.machineVars.headless;
+    # displayManager.lightdm.enable = !config.machineVars.headless;
 
     windowManager.xmonad = {
       enable = true;
       enableContribAndExtras = true;
       enableConfiguredRecompile = true;
-      extraPackages = hPkgs: with hPkgs; [ dbus ];
+      extraPackages = hPkgs: with hPkgs; [
+        dbus
+      ];
     };
   };
 }

hosts/dosei/services/journald-remote.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  # TODO: Reproducible certificates
+  services.journald.remote = {
+    enable = true;
+    settings.Remote = {
+      # ServerKeyFile = "/run/credentials/systemd-journald-remote.service/key.pem";
+      # ServerCertificateFile = "/run/credentials/systemd-journald-remote.service/.pem";
+      ServerKeyFile = "/etc/journald-remote-certs/key.pem";
+      ServerCertificateFile = "/etc/journald-remote-certs/cert.pem";
+      TrustedCertificateFile = "-";
+    };
+  };
+
+  # systemd.services.systemd-journal-remote.serviceConfig.LoadCredential = [
+  #   "key.pem:/etc/journald-remote-certs/key.pem"
+  #   "cert.pem:/etc/journald-remote-certs/cert.pem"
+  # ];
+}

hosts/europa/configuration.nix

@@ -5,6 +5,7 @@
 
     ./services/avahi.nix
     ./services/docker.nix
+    ./services/journald-remote.nix
   ];
 
   boot.loader.systemd-boot.enable = true;

hosts/europa/services/journald-remote.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.journald.upload = {
+    enable = true;
+    settings.Upload = {
+      URL = "https://10.250.14.105:19532";
+      # ServerKeyFile = toString ./key.pem;
+      # ServerCertificateFile = toString ./cert.pem;
+      ServerKeyFile = "-";
+      ServerCertificateFile = "-";
+      TrustedCertificateFile = "-";
+    };
+  };  
+}

hosts/kasei/configuration.nix

@@ -13,6 +13,8 @@
 
   system.stateVersion = "22.05";
 
+  security.pam.services.hyprlock = {};
+
   boot.binfmt.emulatedSystems = [
     "x86_64-windows"
     "aarch64-linux"
@@ -74,7 +76,7 @@
   services = {
     openssh = {
       enable = true;
-      settings.X11Forwarding = true;
+      # settings.X11Forwarding = true;
     };
     xserver.videoDrivers = [ "amdgpu" ];
     tailscale.enable = true;

overlays/wayland-ime-integration.nix

@@ -0,0 +1,20 @@
+final: prev: let
+  inherit (prev) lib;
+
+  wrapWithWaylandIMEFlag = pkg: let
+    binaryName = lib.removePrefix "${lib.getBin pkg}/bin/" (lib.getExe pkg);
+  in pkg.overrideAttrs (prev': {
+    postInstall = (prev'.postInstall or "") + ''
+      wrapProgram "$out/bin/${binaryName}" \
+        --add-flags "--enable-wayland-ime"
+    '';
+  });
+
+  programList = [
+    "element-desktop"
+    "vscode"
+    "chromium"
+    "discord"
+  ];
+in
+  lib.genAttrs programList (name: wrapWithWaylandIMEFlag prev.${name})