WIP: home/{hyprland,waybar}: init

2024-10-05 12:19:51 +02:00
63 changed files with 1041 additions and 868 deletions
--- a/flake.lock
+++ b/flake.lock
@ -69,6 +69,19 @@
        "type": "github"
      }
    },
+    "fonts": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668957008,
+        "narHash": "sha256-er2eUfNSG9qdBh0JvtxtftQjFfTFjRqqD8dnk5nZ1qw=",
+        "path": "/home/h7x4/git/fonts",
+        "type": "path"
+      },
+      "original": {
+        "path": "/home/h7x4/git/fonts",
+        "type": "path"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -76,11 +89,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726989464,
-        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
+        "lastModified": 1718530513,
+        "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
+        "rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
        "type": "github"
      },
      "original": {
@ -90,6 +103,26 @@
        "type": "github"
      }
    },
+    "home-manager-local": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1719170506,
+        "narHash": "sha256-AROqng7/S3mTByq8DBVR6r0iW1yZH+otJkqOwLHvELE=",
+        "ref": "refs/heads/fix-stalonetrayrc-path",
+        "rev": "0e5656163c2f9ac6e2cc4de3b44beb7a137abbe6",
+        "revCount": 3588,
+        "type": "git",
+        "url": "file:///home/h7x4/git/home-manager"
+      },
+      "original": {
+        "type": "git",
+        "url": "file:///home/h7x4/git/home-manager"
+      }
+    },
    "matrix-synapse-next": {
      "inputs": {
        "nixpkgs": [
@ -158,11 +191,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728006367,
-        "narHash": "sha256-Bdf5twzinaacnn1JBogvxq0S8Ytm+25mWD2cfJ7fvpo=",
+        "lastModified": 1719278718,
+        "narHash": "sha256-gWQb4P9CZgKzTn4F4eWMYeUv2AQOXFlcFmFXh2apoyA=",
        "owner": "infinidoge",
        "repo": "nix-minecraft",
-        "rev": "a3a7888df1b87bdababfd9f0b00b574ee4c2e204",
+        "rev": "b6ff85f3b416a700ac35e33c214d7c9f4fe071fa",
        "type": "github"
      },
      "original": {
@ -173,11 +206,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1728193676,
-        "narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
+        "lastModified": 1719145550,
+        "narHash": "sha256-K0i/coxxTEl30tgt4oALaylQfxqbotTSNb1/+g+mKMQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
+        "rev": "e4509b3a560c87a8d4cb6f9992b8915abf9e36d8",
        "type": "github"
      },
      "original": {
@ -188,27 +221,27 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1728156290,
-        "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
+        "lastModified": 1719099622,
+        "narHash": "sha256-YzJECAxFt+U5LPYf/pCwW/e1iUd2PF21WITHY9B/BAs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
+        "rev": "5e8e3b89adbd0be63192f6e645e0a54080004924",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-24.05",
+        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1728018373,
-        "narHash": "sha256-NOiTvBbRLIOe5F6RbHaAh6++BNjsb149fGZd1T4+KBg=",
+        "lastModified": 1719254875,
+        "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
+        "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60",
        "type": "github"
      },
      "original": {
@ -240,7 +273,9 @@
    "root": {
      "inputs": {
        "dotfiles": "dotfiles",
+        "fonts": "fonts",
        "home-manager": "home-manager",
+        "home-manager-local": "home-manager-local",
        "matrix-synapse-next": "matrix-synapse-next",
        "maunium-stickerpicker": "maunium-stickerpicker",
        "minecraft": "minecraft",
@ -279,11 +314,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1728342863,
-        "narHash": "sha256-OeVSBqpigXgX3tuvkO2B3xN1ONSF0iFTbi6et7YhX+M=",
+        "lastModified": 1719268571,
+        "narHash": "sha256-pcUk2Fg5vPXLUEnFI97qaB8hto/IToRfqskFqsjvjb8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "84d006846f98b2bfed3796f1ccc8e62faf0c2ae9",
+        "rev": "c2ea1186c0cbfa4d06d406ae50f3e4b085ddc9b3",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,11 +1,10 @@
 {
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.11";
-    # nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
+    nixpkgs.url = "nixpkgs/nixos-24.05";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";

    home-manager = {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };

@ -88,7 +87,7 @@
        android_sdk.accept_license = true;
        segger-jlink.acceptLicense = true;
        permittedInsecurePackages = [
-          "segger-jlink-qt4-796s"
+          "segger-jlink-qt4-794l"
        ];
      };

@ -98,16 +97,32 @@
          config.allowUnfree = true;
          config.segger-jlink.acceptLicense = true;
          config.permittedInsecurePackages = [
-            "segger-jlink-qt4-796s"
+            "segger-jlink-qt4-794s"
          ];
        };
      in [
        (self: super: {
          inherit (nonrecursive-unstable-pkgs)
-              calibre
-              fcitx5-mozc
+            atuin
+            wstunnel
+            nrf-udev
+            nrfutil
            ;
        })
+
+        (import ./overlays/wayland-ime-integration.nix)
+
+        # https://github.com/NixOS/nixpkgs/pull/251706
+        (self: super: {
+          mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { };
+          fcitx5-mozc = self.callPackage ./package-overrides/fcitx5-mozc.nix { };
+        })
+
+        (self: super: {
+          mpv-unwrapped = super.mpv-unwrapped.override {
+            ffmpeg = super.ffmpeg_6-full;
+          };
+        })
      ];
    };

@ -208,11 +223,7 @@
            "specialArgs"
          ]));
    in {
-      dosei = nixSys "dosei" {
-        modules = [{
-          home-manager.users.h7x4.home.uid = 1001;
-        }];
-      };
+      dosei = nixSys "dosei" { };
      kasei = nixSys "kasei" { };
      europa = nixSys "europa" { };
      tsuki = nixSys "tsuki" {
--- a/home/home.nix
+++ b/home/home.nix
@ -10,34 +10,22 @@ in {

    ./programs/aria2.nix
    ./programs/atuin.nix
-    ./programs/bash.nix
-    ./programs/bat.nix
    ./programs/beets.nix
-    ./programs/bottom.nix
    ./programs/comma.nix
    ./programs/direnv
-    ./programs/eza.nix
-    ./programs/fzf.nix
    ./programs/gdb.nix
-    ./programs/gh-dash.nix
    ./programs/gh.nix
+    ./programs/gh-dash.nix
    ./programs/git
    ./programs/gpg
-    ./programs/home-manager.nix
    ./programs/jq.nix
    ./programs/less.nix
-    ./programs/man.nix
    ./programs/neovim
    ./programs/nix-index
-    ./programs/pandoc.nix
-    ./programs/ripgrep.nix
    ./programs/ssh
    ./programs/tealdeer
-    ./programs/texlive.nix
    ./programs/thunderbird.nix
-    ./programs/tmux
-    ./programs/yt-dlp.nix
-    ./programs/zoxide.nix
+    ./programs/tmux.nix
    ./programs/zsh

    ./services/nix-channel-update.nix
@ -45,22 +33,20 @@ in {

    ./modules/colors.nix
    ./modules/shellAliases.nix
-    ./modules/uidGid.nix
  ] ++ optionals graphics [
    ./config/gtk.nix

    ./programs/alacritty.nix
    ./programs/emacs
-    ./programs/feh.nix
    ./programs/firefox.nix
-    ./programs/mpv.nix
+    ./programs/hyprland.nix
    ./programs/ncmpcpp.nix
    ./programs/newsboat
-    ./programs/obs-studio.nix
    ./programs/qutebrowser.nix
    ./programs/rofi.nix
    ./programs/taskwarrior.nix
    ./programs/vscode
+    ./programs/waybar.nix
    # ./programs/xmobar
    ./programs/xmonad
    ./programs/zathura.nix
@ -69,15 +55,12 @@ in {
    ./services/copyq.nix
    ./services/dunst.nix
    ./services/fcitx5.nix
-    ./services/gnome-keyring.nix
-    ./services/keybase.nix
    ./services/mpd.nix
-    ./services/network-manager.nix
-    ./services/picom.nix
-    ./services/polybar.nix
-    ./services/screen-locker.nix
+    # ./services/picom.nix
+    # ./services/polybar.nix
+    # ./services/screen-locker.nix
    # ./services/stalonetray.nix
-    ./services/sxhkd.nix
+    # ./services/sxhkd.nix
    ./services/tumblerd.nix
  ];

@ -151,6 +134,51 @@ in {

  fonts.fontconfig.enable = mkForce true;

+  programs = {
+    home-manager.enable = true;
+
+    bash = {
+      enable = true;
+      historyFile = "${config.xdg.dataHome}/bash_history";
+      historySize = 100000;
+      bashrcExtra = ''
+        source "${config.xdg.configHome}/mutable_env.sh"
+      '';
+    };
+
+    bat.enable = true;
+    bottom = {
+      enable = true;
+      settings.flags.enable_gpu = true;
+    };
+    eza.enable = true;
+    feh.enable = mkIf graphics true;
+    fzf = {
+      enable = true;
+      defaultCommand = "fd --type f";
+    };
+    man = {
+      enable = true;
+      generateCaches = true;
+    };
+    mpv.enable = mkIf graphics true;
+    obs-studio.enable = mkIf graphics true;
+    ssh = {
+      enable = true;
+      includes = [ "mutable_config" ];
+    };
+    texlive = {
+      enable = true;
+      # packageSet = pkgs.texlive.combined.scheme-medium;
+    };
+    zoxide.enable = true;
+  };
+
+  services = {
+    gnome-keyring.enable = mkIf graphics true;
+    network-manager-applet.enable = mkIf graphics true;
+  };
+
  manual = {
    html.enable = true;
    manpages.enable = true;
--- a/home/modules/uidGid.nix
+++ b/home/modules/uidGid.nix
@ -1,13 +0,0 @@
-{ lib, ... }:
-{
-  options.home = {
-    uid = lib.mkOption {
-      default = 1000;
-      type = lib.types.ints.between 0 60000;
-    };
-    gid = lib.mkOption {
-      default = 1000;
-      type = lib.types.ints.between 0 60000;
-    };
-  };
-}
--- a/home/packages.nix
+++ b/home/packages.nix
@ -5,14 +5,13 @@
    cloc
    cyme
    czkawka
+    delta
    diskonaut
    duf
    duff
    ffmpeg
    file
    glances
-    gpauth
-    gpclient
    gpg-tui
    gping
    graphviz
@ -20,6 +19,7 @@
    httpie
    imagemagick
    kepubify
+    # keybase
    keymapviz
    libwebp
    lnav
@ -39,15 +39,18 @@
    # nixops
    nmap
    ouch
+    pandoc
    parallel
    progress
    pwntools
    python3
    rclone
+    ripgrep
    rsync
    # sc-im
    slack-term
    tea
+    tealdeer
    terminal-parrot
    termtosvg
    toilet
@ -59,6 +62,7 @@
    waifu2x-converter-cpp
    wavemon
    wiki-tui
+    yt-dlp
    yubico-pam
    yubikey-agent
    yubikey-manager
@ -85,8 +89,8 @@
      geogebra
      ghidra
      gimp
-      gnome-font-viewer
-      seahorse
+      gnome.gnome-font-viewer
+      gnome.seahorse
      google-chrome
      imhex
      inkscape
--- a/home/programs/alacritty.nix
+++ b/home/programs/alacritty.nix
@ -43,9 +43,9 @@
        duration = 20;
      };

-      general.live_config_reload = true;
+      live_config_reload = true;

-      terminal.shell = {
+      shell = {
        program = "${pkgs.zsh}/bin/zsh";
        args = [ "--login" ];
      };
--- a/home/programs/atuin.nix
+++ b/home/programs/atuin.nix
@ -1,7 +1,9 @@
 { config, ... }:
 let
  cfg = config.programs.atuin;
-  xdg_runtime_dir = "/run/user/${toString config.home.uid}";
+
+  # TODO: retrieve this in a more dynamic and correct manner
+  xdg_runtime_dir = "/run/user/1000";
 in
 {
  programs.atuin = {
--- a/home/programs/bash.nix
+++ b/home/programs/bash.nix
@ -1,11 +0,0 @@
-{ config, ... }:
-{
-  programs.bash = {
-    enable = true;
-    historyFile = "${config.xdg.dataHome}/bash_history";
-    historySize = 100000;
-    bashrcExtra = ''
-      source "${config.xdg.configHome}/mutable_env.sh"
-    '';
-  };
-}
--- a/home/programs/bat.nix
+++ b/home/programs/bat.nix
@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.bat.enable = true;
-}
--- a/home/programs/bottom.nix
+++ b/home/programs/bottom.nix
@ -1,7 +0,0 @@
-{ ... }:
-{
-  programs.bottom = {
-    enable = true;
-    settings.flags.enable_gpu = true;
-  };
-}
--- a/home/programs/eza.nix
+++ b/home/programs/eza.nix
@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.eza.enable = true;
-}
--- a/home/programs/feh.nix
+++ b/home/programs/feh.nix
@ -1,4 +0,0 @@
-{ machineVars, ... }:
-{
-  programs.feh.enable = !machineVars.headless;
-}
--- a/home/programs/fzf.nix
+++ b/home/programs/fzf.nix
@ -1,7 +0,0 @@
-{ ... }:
-{
-  programs.fzf = {
-    enable = true;
-    defaultCommand = "fd --type f";
-  };
-}
--- a/home/programs/git/default.nix
+++ b/home/programs/git/default.nix
@ -48,71 +48,15 @@ in
      aliases = {
        aliases = "!git config --get-regexp alias | sed -re 's/alias\\.(\\S*)\\s(.*)$/\\1 = \\2/g'";
        delete-merged = "!git branch --merged | grep -v '\\*' | xargs -n 1 git branch -d";
+        graph = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold yellow)%d%C(reset)' --all";
+        graphv = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset)%C(bold yellow)%d%C(reset)%n''          %C(white)%s%C(reset) %C(dim white)- %an%C(reset)' --all";
        forcepush = "push --force-with-lease --force-if-includes";
        authors = "shortlog --summary --numbered --email";
        si = "switch-interactive";
-        ff = "fixup-fixup";
-        fi = "fixup-interactive";
-        rf = "rebase-fixups";
-        pp = "post-pr";
        subs = "submodule update --init --recursive";
        rebase-author = "rebase -i -x \"git commit --amend --reset-author -CHEAD\"";
        git = "!git";
-      } // (let
-        c = c: s: "%C(${c})${s}%C(reset)";
-      in {
-        graph = let
-          fmt = lib.concatStringsSep "" [
-            " - "
-            (c "bold blue" "%h")
-            " - "
-            (c "bold green" "(%ar)")
-            " "
-            (c "white" "> %s")
-            " "
-            (c "dim white" "- %an")
-            (c "bold yellow" "%d")
-          ];
-        in "log --graph --abbrev-commit --decorate --format=format:'${fmt}' --all";
-
-        graphv = let
-          fmt = lib.concatStringsSep "" [
-            (c "bold blue" "%h")
-            " - "
-            (c "bold cyan" "%aD")
-            " "
-            (c "bold green" "(%ar)")
-            (c "bold yellow" "%d")
-            "%n"
-            "          "
-            (c "white" "%s")
-            " "
-            (c "dim white" "- %an")
-          ];
-        in "log --graph --abbrev-commit --decorate --format=format:'${fmt}' --all";
-
-        l = let
-          fmt = lib.concatStringsSep "%n" (map (x: if builtins.isList x then lib.concatStringsSep " " x else x) [
-            [ (c "bold yellow" "%H") (c "auto" "%d") ]
-            [ (c "bold white" "Author:") (c "bold cyan" "%aN <%aE>") (c "bold green" "(%ah)") ]
-            [ (c "bold white" "Committer:") (c "bold cyan" "%cN <%cE>") (c "bold green" "(%ah)") ]
-            [ (c "bold white" "GPG: (%G?)") (c "bold magenta" "%GF") "-" (c "bold cyan" "%GS") (c "bold blue" "(%GT) ") ]
-            ""
-            (c "bold white" "# %s")
-            "%+b"
-            (c "dim yellow" "%+N")
-          ]);
-          # sedExpressions = let
-          #   colorExpr = "\\x1B\\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]";
-          #   colorEndExpr = "\\x1B\\[m";
-          #   colored = x: "${colorExpr}${x}${colorEndExpr}";
-          # in lib.concatMapStringsSep " " (x: "-e '${x}'") [
-          #   "s|${colored "GPG: \\(N\\)"} ${colored "F3CDA86CC55A9F10D7A069819F2F7D8250F35146"} - ${colored "h7x4 <h7x4@nani.wtf>"} ${colored "\\(ultimate\\)"}|GPG: h7x4|"
-          #   "s|${colored "GPG: \\(N\\)"} ${colored ""} - ${colored ""} ${colored "\\(undefined\\)"}||"
-          # ];
-        in "log --decorate --format=tformat:'${fmt}'";
-        # in "!git log --color=always --format=format:'${fmt}' | sed -E ${sedExpressions} | $PAGER";
-      });
+      };

      extraConfig = {
        core = {
@ -326,21 +270,6 @@ in
        (builtins.replaceStrings ["hours" "tcommit"] ["minutes" "tmcommit"])
      ];
    })
-    (pkgs.writeShellApplication {
-      name = "git-fixup-fixup";
-      runtimeInputs = with pkgs; [ cfg.package ];
-      text = lib.fileContents ./scripts/git-fixup-fixup.sh;
-    })
-    (pkgs.writeShellApplication {
-      name = "git-rebase-fixups";
-      runtimeInputs = with pkgs; [ cfg.package gnused ];
-      text = lib.fileContents ./scripts/git-rebase-fixups.sh;
-    })
-    (pkgs.writeShellApplication {
-      name = "git-fixup-interactive";
-      runtimeInputs = with pkgs; [ cfg.package gnused gnugrep fzf ];
-      text = lib.fileContents ./scripts/git-fixup-interactive.sh;
-    })
    (pkgs.writeShellApplication {
      name = "git-switch-interactive";
      runtimeInputs = with pkgs; [ cfg.package fzf gnused coreutils ];
@ -349,21 +278,6 @@ in
        "SC2001" # (style): See if you can use ${variable//search/replace} instead. (sed invocation)
      ];
    })
-    ((pkgs.writers.writePython3Bin "git-post-pr" {
-      libraries = with pkgs.python3Packages; [
-        tkinter
-      ];
-      flakeIgnore = [
-        "E501" # I like long lines grr
-      ];
-    } (lib.fileContents ./scripts/git-post-pr.py)).overrideAttrs (_: {
-      postFixup = ''
-        wrapProgram $out/bin/git-post-pr \
-          --prefix PATH : ${lib.makeBinPath [
-            pkgs.github-cli
-          ]}
-      '';
-    }))

    pkgs.git-absorb
  ];
--- a/home/programs/git/scripts/git-fixup-fixup.sh
+++ b/home/programs/git/scripts/git-fixup-fixup.sh
@ -1,14 +0,0 @@
-if [ -n "${1:-}" ]; then
-  TARGET_COMMIT="$1"
-  shift
-else
-  TARGET_COMMIT="HEAD"
-fi
-
-COMMIT_MESSAGE=$(git log -1 --pretty=format:'%s' "$TARGET_COMMIT")
-
-if [[ $COMMIT_MESSAGE =~ ^fixup!* ]]; then
-  git commit -m "$COMMIT_MESSAGE" "$@"
-else
-  git commit --fixup "$TARGET_COMMIT" "$@"
-fi
--- a/home/programs/git/scripts/git-fixup-interactive.sh
+++ b/home/programs/git/scripts/git-fixup-interactive.sh
@ -1,18 +0,0 @@
-if [ -n "${1:-}" ]; then
-  TARGET_BRANCH="$1"
-  shift
-else
-  TARGET_BRANCH=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')
-fi
-
-FORK_POINT=$(git merge-base --fork-point "$TARGET_BRANCH")
-
-COMMITS_SINCE_FORK_POINT=$(git log --format=format:'%s' "$FORK_POINT"..HEAD | grep -v -E '^fixup!')
-
-RESULT=$(fzf <<<"$COMMITS_SINCE_FORK_POINT")
-
-if [ "$RESULT" == "" ]; then
-  echo "Doing nothing..."
-else
-  git commit -m "fixup! $RESULT" "$@"
-fi
--- a/home/programs/git/scripts/git-post-pr.py
+++ b/home/programs/git/scripts/git-post-pr.py
@ -1,130 +0,0 @@
-import argparse
-import json
-import subprocess
-import tkinter
-
-# TODO: add support for gitea, and maybe other git hosting options.
-
-
-def parse_args() -> argparse.Namespace:
-    parser = argparse.ArgumentParser(
-        prog="post-pr",
-        description="Post links to PRs",
-    )
-
-    parser.add_argument("-n", "--no-clipboard", action="store_true", help="do not copy the message to the clipboard")
-
-    pr_id = parser.add_mutually_exclusive_group()
-    pr_id.add_argument("-c", "--current-branch", action="store_true", help="generate post for the PR for the current branch")
-    pr_id.add_argument("-l", "--latest", action="store_true", help="generate post for the latest PR for the current user")
-    pr_id.add_argument("pr_id", nargs="?", default=None, help="generate post for the PR with the given ID")
-    args = parser.parse_args()
-
-    if not any([args.current_branch, args.latest, args.pr_id,]):
-        args.current_branch = True
-
-    return args
-
-
-def _gh(args: list[str]) -> str:
-    try:
-        return subprocess.check_output(["gh"] + args).decode("utf8")
-    except subprocess.CalledProcessError as e:
-        raise RuntimeError(f"GitHub CLI command failed: 'gh {' '.join(args)}'") from e
-
-
-def _gh_retcode(args: list[str]) -> int:
-    return subprocess.run(["gh"] + args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
-
-
-def ensure_gh_installed():
-    try:
-        if _gh_retcode(["--version"]) != 0:
-            raise RuntimeError("GitHub CLI (gh) is not installed, please install it")
-    except FileNotFoundError:
-        raise RuntimeError("GitHub CLI (gh) is not installed, please install it")
-
-
-def ensure_gh_authenticated():
-    if _gh_retcode(["auth", "status"]) != 0:
-        raise RuntimeError("Failed to authenticate with GitHub, please run 'gh auth login'")
-
-
-GH_PR_JSON_FIELDS = ",".join([
-    "additions",
-    "deletions",
-    "state",
-    "title",
-    "url",
-])
-
-
-def fetch_pr_data(current_branch: bool, latest: bool, pr_id: str | None) -> dict[str, any]:
-    if pr_id:
-        pr_data = _gh(["pr", "view", pr_id, "--json", GH_PR_JSON_FIELDS])
-        pr_data = json.loads(pr_data)
-
-    elif latest:
-        pr_list = _gh(["pr", "list", "--author", "@me", "--limit", "1", "--json", GH_PR_JSON_FIELDS])
-        pr_list = json.loads(pr_list)
-
-        if len(pr_list) == 0:
-            raise RuntimeError("Failed to find PR, are you sure you have any open PRs?")
-
-        pr_data = pr_list[0]
-
-    elif current_branch:
-        pr_data = _gh(["pr", "view", "--json", GH_PR_JSON_FIELDS])
-        pr_data = json.loads(pr_data)
-
-    return pr_data
-
-
-def format_message(pr_data: dict[str, any]) -> str:
-    additions = pr_data["additions"]
-    deletions = pr_data["deletions"]
-
-    title = pr_data["title"]
-    pr_url = pr_data["url"]
-    pr_state = pr_data["state"]
-
-    state_html = f"({pr_state.lower()}) " if pr_state != "OPEN" else ""
-    additions_html = f"+{additions}" if additions > 0 else str(additions)
-    deletions_html = f"-{deletions}" if deletions > 0 else str(deletions)
-
-    return f"""{state_html}{pr_url} {title} [diff: {additions_html}/{deletions_html}]"""
-
-
-def copy_to_clipboard(message: str):
-    r = tkinter.Tk()
-    r.withdraw()
-    r.clipboard_clear()
-    r.clipboard_append(message)
-    r.update()
-    r.destroy()
-
-
-def main():
-    args = parse_args()
-
-    ensure_gh_installed()
-    ensure_gh_authenticated()
-
-    pr_data = fetch_pr_data(args.current_branch, args.latest, args.pr_id)
-    message = format_message(pr_data)
-
-    print("Message:\n")
-    print(f"    {message}\n")
-
-    if not args.no_clipboard:
-        copy_to_clipboard(message)
-        print("Copied to clipboard")
-
-
-if __name__ == "__main__":
-    try:
-        main()
-    except Exception as e:
-        print(f"Error: {e}")
-        exit(1)
-
--- a/home/programs/git/scripts/git-rebase-fixups.sh
+++ b/home/programs/git/scripts/git-rebase-fixups.sh
@ -1,10 +0,0 @@
-if [ -n "${1:-}" ]; then
-  TARGET_BRANCH="$1"
-  shift
-else
-  TARGET_BRANCH=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')
-fi
-
-FORK_POINT=$(git merge-base --fork-point "$TARGET_BRANCH")
-
-git rebase "$FORK_POINT" --autosquash "$@"
--- a/home/programs/home-manager.nix
+++ b/home/programs/home-manager.nix
@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.home-manager.enable = true;
-}
--- a/home/programs/hyprland.nix
+++ b/home/programs/hyprland.nix
@ -0,0 +1,323 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.wayland.windowManager.hyprland;
+in
+{
+  home.sessionVariables = {
+    WLR_NO_HARDWARE_CURSORS = "1";
+    WLR_RENDERER_ALLOW_SOFTWARE = "1";
+    XDG_CURRENT_DESKTOP = "Hyprland";
+    XDG_SESSION_DESKTOP = "Hyprland";
+    XDG_SESSION_TYPE = "wayland";
+    GDK_BACKEND = "wayland,x11,*";
+    QT_QPA_PLATFORM = "wayland;xcb";
+    NIXOS_OZONE_WL = "1";
+    MOZ_ENABLE_WAYLAND = "1";
+    SDL_VIDEODRIVER = "wayland";
+    OZONE_PLATFORM = "wayland";
+    CLUTTER_BACKEND = "wayland";
+    QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    # QT_QPA_PLATFORMTHEME = "qt6ct";
+    QT_AUTO_SCREEN_SCALE_FACTOR = "1";
+
+    LIBVA_DRIVER_NAME = "nvidia";
+    GBM_BACKEND = "nvidia-drm";
+    __GLX_VENDOR_LIBRARY_NAME = "nvidia";
+  };
+
+  home.packages = with pkgs; [
+    wl-clipboard-rs
+  ];
+
+  programs.hyprlock = {
+    enable = true;
+    settings = {
+      general = {
+        disable_loading_bar = true;
+        grace = 300;
+        hide_cursor = true;
+        no_fade_in = false;
+      };
+
+      background = [
+        {
+          path = "screenshot";
+          blur_passes = 3;
+          blur_size = 8;
+        }
+      ];
+
+      input-field = [
+        {
+          size = "200, 50";
+          position = "0, -80";
+          monitor = "";
+          dots_center = true;
+          fade_on_empty = false;
+          font_color = "rgb(202, 211, 245)";
+          inner_color = "rgb(91, 96, 120)";
+          outer_color = "rgb(24, 25, 38)";
+          outline_thickness = 5;
+          placeholder_text = ''Password...'';
+          shadow_passes = 2;
+        }
+      ];
+    };
+  };
+
+  services.hypridle = {
+    enable = true;
+    settings = {
+      general = {
+        ignore_dbus_inhibit = false;
+        lock_cmd = "pidof hyprlock || hyprlock";
+        before_sleep_cmd = "loginctl lock-session";
+        after_sleep_cmd = "hyprctl dispatch dpms on";
+      };
+
+      listener = [
+        {
+          timeout = 900;
+          on-timeout = "hyprlock";
+        }
+        {
+          timeout = 1200;
+          on-timeout = "hyprctl dispatch dpms off";
+          on-resume = "hyprctl dispatch dpms on";
+        }
+      ];
+    };
+  };
+
+  wayland.windowManager.hyprland = {
+    enable = true;
+
+    settings = let
+      scratchpads = [
+        (rec {
+          title = "Floating terminal";
+          class = "floatingTerminal";
+          command = "alacritty --class ${class} -e tmux new-session -A -s f";
+          size = { h = 90; w = 95; };
+          keys = [
+            "$mod, RETURN"
+            "$mod, SPACE"
+          ];
+        })
+        (rec {
+          title = "Ncmpcpp";
+          class = "floatingNcmpcpp";
+          command = "alacritty --class ${class} -e ncmpcpp";
+          size = { h = 95; w = 95; };
+          keys = [ "$mod, Q" ];
+        })
+        # "$mod, W, emacs"
+        # "$mod, E, filebrowser"
+        # "$mod, X, taskwarriortui"
+      ];
+    in {
+      "$mod" = "SUPER";
+
+      # https://github.com/xkbcommon/libxkbcommon/blob/master/include/xkbcommon/xkbcommon-keysyms.h
+      bind = [
+        "$mod SHIFT, Q, exit"
+        "$mod, R, exec, ${pkgs.rofi}/bin/rofi -show drun"
+        "$mod, T, togglefloating"
+
+        # TODO: fix this for upcoming releases
+        "$mod, F, fullscreen, 2"
+        "$mod, C, exec, hyprctl reload"
+
+        "$mod, BACKSPACE, killactive"
+
+        "$mod SHIFT, RETURN, exec, alacritty --class termTerminal -e tmux new-session -A -s term"
+        "$mod SHIFT, SPACE, exec, alacritty --class termTerminal -e tmux new-session -A -s term"
+
+        "$mod, j, layoutmsg,cyclenext"
+        "$mod, k, layoutmsg,cycleprev"
+        "$mod SHIFT, j, layoutmsg, swapnext"
+        "$mod SHIFT, k, layoutmsg, swapprev"
+
+        "$mod, 1, focusworkspaceoncurrentmonitor, 1"
+        "$mod, 2, focusworkspaceoncurrentmonitor, 2"
+        "$mod, 3, focusworkspaceoncurrentmonitor, 3"
+        "$mod, 4, focusworkspaceoncurrentmonitor, 4"
+        "$mod, 5, focusworkspaceoncurrentmonitor, 5"
+        "$mod, 6, focusworkspaceoncurrentmonitor, 6"
+        "$mod, 7, focusworkspaceoncurrentmonitor, 7"
+        "$mod, 8, focusworkspaceoncurrentmonitor, 8"
+        "$mod, 9, focusworkspaceoncurrentmonitor, 9"
+
+        "$mod SHIFT, 1, movetoworkspacesilent, 1"
+        "$mod SHIFT, 2, movetoworkspacesilent, 2"
+        "$mod SHIFT, 3, movetoworkspacesilent, 3"
+        "$mod SHIFT, 4, movetoworkspacesilent, 4"
+        "$mod SHIFT, 5, movetoworkspacesilent, 5"
+        "$mod SHIFT, 6, movetoworkspacesilent, 6"
+        "$mod SHIFT, 7, movetoworkspacesilent, 7"
+        "$mod SHIFT, 8, movetoworkspacesilent, 8"
+        "$mod SHIFT, 9, movetoworkspacesilent, 9"
+
+        "$mod, b, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s mozc"
+        "$mod, n, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s keyboard-no"
+        "$mod, m, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s keyboard-us"
+
+        # TODO: ensure exists in environment
+        "$mod, l, exec, loginctl lock-session"
+
+        # TODO: fix
+        # "super + minus" = "${pkgs.xcalib}/bin/xcalib -invert -alter"
+
+        # TODO: fix
+        ", Print, exec, ${lib.getExe pkgs.grimblast} copy area"
+
+        # "SHIFT, Print, exec, ${lib.getExe pkgs.grimblast} copy area"
+        # "shift + @Print" = "${pkgs.maim}/bin/maim --hidecursor --nokeyboard $SCREENSHOT_DIR/$(date +%s).png"
+
+        # TODO: Add boomer as package
+        # "super + @Print" = "boomer"
+      ]
+      ++
+      (lib.pipe scratchpads [
+        (map ({ keys, command, class, ... }:
+          (map (key: let
+            # TODO: rewrite this to take arguments instead of creating n copies
+            invokeIfNotRunningAndToggleWorkspace = pkgs.writeShellApplication {
+              name = "hyprland-toggle-scratchpad-${class}";
+              runtimeInputs = [ cfg.package pkgs.jq ];
+              text = ''
+                SCRATCHPAD_PROGRAM_EXISTS=$(hyprctl clients -j | jq -r '[.[].class]|any(. == "${class}")')
+                CURRENT_WORKSPACE_ID=$(hyprctl activeworkspace -j | jq -r '.id')
+
+                if [ "$SCRATCHPAD_PROGRAM_EXISTS" != "true" ]; then
+                  ${command} &
+                  hyprctl dispatch movetoworkspacesilent "''${CURRENT_WORKSPACE_ID},class:${class}"
+                  hyprctl dispatch focuswindow "class:${class}"
+                else
+                  SCRATCHPAD_PROGRAM_WORKSPACE_ID=$(hyprctl clients -j | jq '.[] | select( .class == "${class}") | .workspace.id')
+                  if [ "$SCRATCHPAD_PROGRAM_WORKSPACE_ID" != "$CURRENT_WORKSPACE_ID" ]; then
+                    hyprctl dispatch movetoworkspacesilent "''${CURRENT_WORKSPACE_ID},class:${class}"
+                    hyprctl dispatch focuswindow "class:${class}"
+                  else
+                    hyprctl dispatch movetoworkspacesilent "special:${class}Ws,class:${class}"
+                  fi
+                fi
+              '';
+            };
+          in "${key}, exec, ${lib.getExe invokeIfNotRunningAndToggleWorkspace}"
+          ) keys)
+        ))
+        lib.flatten
+      ]);
+
+      bindl = [
+        "$mod, p, exec, ${pkgs.mpc_cli}/bin/mpc toggle"
+        ",XF86AudioPlay, exec, ${pkgs.mpc_cli}/bin/mpc toggle"
+        ",XF86AudioPrev, exec, ${pkgs.mpc_cli}/bin/mpc prev"
+        ",XF86AudioNext, exec, ${pkgs.mpc_cli}/bin/mpc next"
+      ];
+
+      bindle = [
+        ",XF86MonBrightnessUp, exec, ${lib.getExe pkgs.brightnessctl} s +5%"
+        ",XF86MonBrightnessDown, exec, ${lib.getExe pkgs.brightnessctl} s 5%-"
+        ",XF86AudioLowerVolume, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%-"
+        ",XF86AudioRaiseVolume, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%+"
+        "$mod ,F7, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%-"
+        "$mod ,F8, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%+"
+      ];
+
+      windowrulev2 = [
+        "float,class:(Rofi)"
+
+        "workspace 2,class:(firefox)"
+        "workspace 2,class:(google-chrome)"
+
+        "workspace 3,class:(Emacs)"
+        "workspace 3,class:(Code)"
+        "workspace 3,class:(code-url-handler)"
+
+        "workspace 5,class:(discord)"
+        "workspace 5,class:(Element)"
+      ]
+      ++
+      (lib.pipe scratchpads [
+        (map ({ class, size, ... }: [
+          "workspace special:${class}Ws, class:^${class}$"
+          "float, class:^${class}$"
+          "size ${toString size.w}% ${toString size.h}%, class:^${class}$"
+          "move ${toString ((100 - size.w) / 2)}% ${toString ((100 - size.h) / 2)}%, class:^${class}$"
+        ]))
+        lib.flatten
+      ]);
+
+      monitor = [
+        "DP-2, 1920x1080@144.00Hz, 0x0, 1"
+        "DVI-D-1, 1920x1080@144.00Hz, 1920x0, 1"
+        ",preferred,auto,1"
+      ];
+
+      general = {
+        gaps_in = 5;
+        gaps_out = 15;
+
+        border_size = 2;
+
+        "col.active_border" = "rgba(33ccffee) rgba(00ff99ee) 45deg";
+        "col.inactive_border" = "rgba(595959aa)";
+
+        resize_on_border = false;
+        allow_tearing = false;
+        layout = "master";
+      };
+
+      decoration = {
+        rounding = 10;
+
+        # Change transparency of focused and unfocused windows
+        active_opacity = 1.0;
+        inactive_opacity = 1.0;
+
+        drop_shadow = true;
+        shadow_range = 4;
+        shadow_render_power = 3;
+        "col.shadow" = "rgba(1a1a1aee)";
+
+        # https://wiki.hyprland.org/Configuring/Variables/#blur
+        blur = {
+          enabled = true;
+          size = 3;
+          passes = 1;
+
+          vibrancy = 0.1696;
+        };
+      };
+
+      animations.enabled = false;
+
+      master = {
+          new_status = "slave";
+      };
+
+      misc = {
+          force_default_wallpaper = 0; # Set to 0 or 1 to disable the anime mascot wallpapers
+          disable_hyprland_logo = false; # If true disables the random hyprland logo / anime girl background. :(
+      };
+
+      input ={
+          kb_layout = "us";
+          kb_variant = "";
+          kb_model = "";
+          kb_options = "";
+          kb_rules = "";
+
+          follow_mouse = 1;
+
+          sensitivity = 0; # -1.0 - 1.0, 0 means no modification.
+
+          touchpad = {
+              natural_scroll = false;
+          };
+      };
+    };
+  };
+}
--- a/home/programs/man.nix
+++ b/home/programs/man.nix
@ -1,7 +0,0 @@
-{ ... }:
-{
-  programs.man = {
-    enable = true;
-    generateCaches = true;
-  };
-}
--- a/home/programs/mpv.nix
+++ b/home/programs/mpv.nix
@ -1,4 +0,0 @@
-{ machineVars, ... }:
-{
-  programs.mpv.enable = !machineVars.headless;
-}
--- a/home/programs/ncmpcpp.nix
+++ b/home/programs/ncmpcpp.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{pkgs, ...}:
 {
  programs.ncmpcpp = {
    enable = true;
@ -332,11 +332,11 @@
      window_border_color = "green";
      active_window_border = "red";

-      visualizer_data_source = "/run/user/${toString config.home.uid}/mpd/visualizer.fifo";
+      visualizer_data_source = "/tmp/mpd.fifo";
      visualizer_output_name = "Visualizer feed";
      visualizer_in_stereo = "no";
-      # visualizer_type = "spectrum"; # spectrum, ellipse, wave_filled, wave
-      # visualizer_look = "+█"; # wave | spectrum, ellipse, wave_filled
+      visualizer_type = "spectrum"; # spectrum, ellipse, wave_filled, wave
+      visualizer_look = "+█"; # wave | spectrum, ellipse, wave_filled
    };
  };
 }
--- a/home/programs/neovim/default.nix
+++ b/home/programs/neovim/default.nix
@ -21,6 +21,7 @@
      vim-surround
      vim-fugitive
      vim-css-color
+      vim-wayland-clipboard
      semshi
      {
        plugin = goyo-vim;
@ -66,58 +67,25 @@
      }
      limelight-vim
      vim-tmux-navigator
+      vim-polyglot
      lightline-vim
-      vim-better-whitespace
      {
-        plugin = nvim-treesitter.withAllGrammars;
+        plugin = rainbow;
        config = ''
-        packadd! nvim-treesitter
-        lua << EOF
-          require'nvim-treesitter.configs'.setup {
-            highlight = {
-              enable = true,
-            },
-          }
-        EOF
-        '';
-      }
-      {
-        plugin = rainbow-delimiters-nvim;
-        config = ''
-        lua << EOF
-          local rainbow_delimiters = require 'rainbow-delimiters'
-          vim.g.rainbow_delimiters = {
-            ["highlight"] = {
-              'RainbowDelimiterRed',
-              'RainbowDelimiterYellow',
-              'RainbowDelimiterBlue',
-              'RainbowDelimiterGreen',
-              'RainbowDelimiterViolet',
-              'RainbowDelimiterCyan',
-            },
-          }
-        EOF
+          let g:rainbow_active = 1
        '';
      }
      {
        plugin = vim-monokai;
        config = ''
          colorscheme monokai
-
-          autocmd ColorScheme monokai highlight Normal ctermbg=0
-          autocmd ColorScheme monokai highlight LineNr ctermbg=0
-          autocmd ColorScheme monokai highlight CursorLineNR ctermbg=0 ctermfg=208
-          autocmd ColorScheme monokai highlight SignColumn ctermbg=0
-          autocmd ColorScheme monokai highlight GitGutterAdd ctermbg=0
-          autocmd ColorScheme monokai highlight GitGutterChange ctermbg=0
-          autocmd ColorScheme monokai highlight GitGutterDelete ctermbg=0
-
-          autocmd ColorScheme monokai highlight RainbowDelimiterRed    { fg = g:terminal_color_9 }
-          autocmd ColorScheme monokai highlight RainbowDelimiterYellow { fg = g:terminal_color_11 }
-          autocmd ColorScheme monokai highlight RainbowDelimiterBlue   { fg = g:terminal_color_12 }
-          autocmd ColorScheme monokai highlight RainbowDelimiterGreen  { fg = g:terminal_color_10 }
-          autocmd ColorScheme monokai highlight RainbowDelimiterViolet { fg = g:terminal_color_13 }
-          autocmd ColorScheme monokai highlight RainbowDelimiterCyan   { fg = g:terminal_color_14 }
+          autocmd ColorScheme * highlight Normal ctermbg=0
+          autocmd ColorScheme * highlight LineNr ctermbg=0
+          autocmd ColorScheme * highlight CursorLineNR ctermbg=0 ctermfg=208
+          autocmd ColorScheme * highlight SignColumn ctermbg=0
+          autocmd ColorScheme * highlight GitGutterAdd ctermbg=0
+          autocmd ColorScheme * highlight GitGutterChange ctermbg=0
+          autocmd ColorScheme * highlight GitGutterDelete ctermbg=0
        '';
      }
    ];
--- a/home/programs/newsboat/sources.nix
+++ b/home/programs/newsboat/sources.nix
@ -37,7 +37,6 @@ in {
    (mkSource [ "japanese" "language" ] "https://www.outlier-linguistics.com/blogs/japanese.atom")
    (mkSource [ "language" ] "https://feeds.feedburner.com/blogspot/Ckyi")
    (mkSource [ "japanese" "language" "old" ] "http://feeds.feedburner.com/LocalizingJapan")
-    (mkSource [ "japanese" "language" ] "https://wesleycrobertson.wordpress.com/feed/")
    (mkSource [ "tech" "vim" "old" ] "https://castel.dev/rss.xml")
    (mkSource [ "tech" "functional-programming" "old" ] "https://skilpat.tumblr.com/rss")
    (mkSource [ "tech" ] "https://resocoder.com/feed/")
--- a/home/programs/obs-studio.nix
+++ b/home/programs/obs-studio.nix
@ -1,4 +0,0 @@
-{ machineVars, ... }:
-{
-  programs.obs-studio.enable = !machineVars.headless;
-}
--- a/home/programs/pandoc.nix
+++ b/home/programs/pandoc.nix
@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.pandoc.enable = true;
-}
--- a/home/programs/ripgrep.nix
+++ b/home/programs/ripgrep.nix
@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.ripgrep.enable = true;
-}
--- a/home/programs/ssh/default.nix
+++ b/home/programs/ssh/default.nix
@ -10,11 +10,5 @@
    mode = "0444";
  };

-  programs.ssh = {
-    enable = true;
-    includes = [
-      config.sops.secrets."ssh/secret-config".path
-      "mutable_config"
-    ];
-  };
+  programs.ssh.includes = [ config.sops.secrets."ssh/secret-config".path ];
 }
--- a/home/programs/texlive.nix
+++ b/home/programs/texlive.nix
@ -1,7 +0,0 @@
-{ ... }:
-{
-  programs.texlive = {
-    enable = true;
-    # packageSet = pkgs.texlive.combined.scheme-medium;
-  };
-}
--- a/home/programs/tmux/default.nix
+++ b/home/programs/tmux/default.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{pkgs, ...}:
 {
  programs.tmux = {
    enable = true;
@ -19,25 +19,7 @@
      tmux-fzf
      urlview
    ];
-    extraConfig = let
-      fileContentsWithoutShebang = script: lib.pipe script [
-        lib.fileContents
-        (lib.splitString "\n")
-        (lib.drop 3) # remove shebang
-        (lib.concatStringsSep "\n")
-      ];
-
-      fcitx5-status = (pkgs.writeShellApplication {
-        name = "tmux-fcitx5-status";
-        runtimeInputs = with pkgs; [ dbus ];
-        text = fileContentsWithoutShebang ./scripts/fcitx5-status.sh;
-      });
-      mpd-status = (pkgs.writeShellApplication {
-        name = "tmux-mpd-status";
-        runtimeInputs = with pkgs; [ mpc-cli gawk gnugrep ];
-        text = fileContentsWithoutShebang ./scripts/mpd-status.sh;
-      });
-    in ''
+    extraConfig = ''
      # Don't rename windows automatically after rename with ','
      set-option -g allow-rename off

@ -109,8 +91,8 @@
      ### DESIGN CHANGES ###
      ######################

-      set-option -g status-left '#{prefix_highlight} #[bg=blue]#[fg=black,bold] ###S #[bg=default]  #[fg=green]#(${lib.getExe fcitx5-status})  #[fg=red]%H:%M   '
-      set-option -g status-right '#[fg=red]#(${lib.getExe mpd-status})'
+      set-option -g status-left '#{prefix_highlight} #[bg=blue]#[fg=black,bold] ###S #[bg=default]  #[fg=green]#(~/.scripts/tmux/fcitx)  #[fg=red]%H:%M   '
+      set-option -g status-right '#[fg=red]#(~/.scripts/tmux/mpd)'
      set-window-option -g window-status-current-style fg=magenta
      set-option -g status-style 'bg=black fg=default'
      set-option -g default-shell '${pkgs.zsh}/bin/zsh'
--- a/home/programs/tmux/scripts/fcitx5-status.sh
+++ b/home/programs/tmux/scripts/fcitx5-status.sh
@ -1,26 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p dbus
-
-printState() {
-  STATUS=$(dbus-send --session --print-reply=literal --dest='org.fcitx.Fcitx5' '/controller' 'org.fcitx.Fcitx.Controller1.CurrentInputMethod' | tr -d '[:space:]')
-
-  case $STATUS in
-    keyboard-us)
-      echo 'US'
-    ;;
-    keyboard-no)
-      echo 'NO'
-    ;;
-    mozc)
-      echo '日本語'
-    ;;
-    *)
-      echo "$STATUS?"
-    ;;
-  esac
-}
-
-while :; do
-  printState
-  sleep 1
-done
--- a/home/programs/tmux/scripts/mpd-status.sh
+++ b/home/programs/tmux/scripts/mpd-status.sh
@ -1,29 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i sh -p mpc-cli gawk gnugrep
-
-while true; do
-  MPC_OUTPUT=$(mpc --format '[[%artist% - ]%title%]|[%file%]')
-
-  TITLE=$(head -n 1 <<<"$MPC_OUTPUT")
-
-  if [ ${#TITLE} -gt 60 ]; then
-    TITLE=$(awk '{print substr($0,0,57) "..."}' <<<"$TITLE")
-  fi
-
-  LINE2=$(head -n 2 <<<"$MPC_OUTPUT" | tail -n 1)
-
-  PLAY_STATUS_RAW=$(awk '{print $1}' <<<"$LINE2")
-
-  if [ "$PLAY_STATUS_RAW" == "[playing]" ]; then
-    PLAY_STATUS="▶"
-  elif [ "$PLAY_STATUS_RAW" == "[paused]" ]; then
-    PLAY_STATUS="⏸"
-  else
-    PLAY_STATUS="??"
-  fi
-
-  TIME=$(awk '{print $3}' <<<"$LINE2")
-
-  echo -e "$PLAY_STATUS $TITLE | [$TIME]"
-  sleep 1
-done
--- a/home/programs/waybar.nix
+++ b/home/programs/waybar.nix
@ -0,0 +1,239 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.programs.waybar;
+  cfgs = cfg.settings.mainBar;
+in
+{
+  programs.waybar = {
+    enable = true;
+    systemd.enable = true;
+
+    settings = {
+      mainBar = {
+        layer = "top";
+        position = "top";
+        height = 30;
+
+        # TODO: configure this per machine
+        output = [ "DP-2" ];
+
+        modules-left = [ "hyprland/workspaces"  ];
+        modules-center = [ "clock" ];
+        modules-right = [ "mpd" "cpu" "memory" "wireplumber" "pulseaudio/slider" "tray" ];
+
+        "hyprland/workspaces" = {
+          all-outputs = true;
+          disable-scroll = true;
+          persistent-workspaces = {
+            ${lib.head cfgs.output} = [ 1 2 3 4 5 6 7 8 ];
+          };
+        };
+
+        "mpd" = {
+          format = "{filename}";
+        };
+
+        "cpu" = {
+          format = "[#] {usage}%";
+        };
+
+        "memory" = {
+          format = "{used}/{total}Gb";
+        };
+
+        "wireplumber" = {
+          format = "{volume}% {icon}";
+          format-muted = "[M]";
+        };
+
+        "pulseaudio/slider" = {
+          orientation = "horizontal";
+        };
+
+        "tray" = {
+          icon-size = 20;
+          spacing = 8;
+        };
+      };
+    };
+
+    style = let
+      c = config.colors.defaultColorSet;
+    in ''
+      * {
+          font-family: FiraCode, FontAwesome, Roboto, Helvetica, Arial, sans-serif;
+          font-size: 13px;
+      }
+
+      window#waybar {
+          background-color: ${c.background};
+          color: ${c.foreground};
+      }
+
+      #pulseaudio-slider trough {
+          min-height: 10px;
+          min-width: 100px;
+      }
+
+      /**** DEFAULT ****/
+
+      window#waybar.hidden {
+          opacity: 0.2;
+      }
+
+      button {
+          /* Use box-shadow instead of border so the text isn't offset */
+          box-shadow: inset 0 -3px transparent;
+          /* Avoid rounded borders under each button name */
+          border: none;
+          border-radius: 0;
+      }
+
+      /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
+      button:hover {
+          background: inherit;
+          box-shadow: inset 0 -3px #ffffff;
+      }
+
+
+      #workspaces button.empty {
+          color: ${c.yellow};
+      }
+
+      #workspaces button {
+          padding: 0 5px;
+          color: ${c.magenta};
+          background-color: transparent;
+      }
+
+      #workspaces button.visible {
+          color: ${c.green};
+      }
+
+      #workspaces button.urgent {
+          background-color: ${c.red};
+      }
+
+      #workspaces button:hover {
+          background: rgba(0, 0, 0, 0.2);
+      }
+
+      #mode {
+          background-color: #64727D;
+          box-shadow: inset 0 -3px #ffffff;
+      }
+
+      #clock,
+      #battery,
+      #cpu,
+      #memory,
+      #disk,
+      #temperature,
+      #backlight,
+      #network,
+      #pulseaudio,
+      #wireplumber,
+      #custom-media,
+      #tray,
+      #mode,
+      #idle_inhibitor,
+      #scratchpad,
+      #power-profiles-daemon,
+      #mpd {
+          padding: 0 10px;
+          color: ${c.foreground};
+      }
+
+      #window,
+      #workspaces {
+          margin: 0 4px;
+      }
+
+      /* If workspaces is the leftmost module, omit left margin */
+      .modules-left > widget:first-child > #workspaces {
+          margin-left: 0;
+      }
+
+      /* If workspaces is the rightmost module, omit right margin */
+      .modules-right > widget:last-child > #workspaces {
+          margin-right: 0;
+      }
+
+      #clock {
+          background-color: #64727D;
+      }
+
+      #cpu {
+          background-color: ${c.cyan};
+          color: #000000;
+      }
+
+      #memory {
+          background-color: ${c.yellow};
+          color: #000000;
+      }
+
+      #network {
+          background-color: #2980b9;
+      }
+
+      #network.disconnected {
+          background-color: #f53c3c;
+      }
+
+      #pulseaudio {
+          background-color: #f1c40f;
+          color: #000000;
+      }
+
+      #pulseaudio.muted {
+          background-color: #90b1b1;
+          color: #2a5c45;
+      }
+
+      #wireplumber {
+          background-color: #fff0f5;
+          color: #000000;
+      }
+
+      #wireplumber.muted {
+          background-color: #f53c3c;
+      }
+
+      #tray {
+          background-color: #2980b9;
+      }
+
+      #tray > .passive {
+          -gtk-icon-effect: dim;
+      }
+
+      #tray > .needs-attention {
+          -gtk-icon-effect: highlight;
+          background-color: #eb4d4b;
+      }
+
+      #mpd {
+          background-color: #66cc99;
+          color: #2a5c45;
+      }
+
+      #mpd.disconnected {
+          background-color: #f53c3c;
+      }
+
+      #mpd.stopped {
+          background-color: #90b1b1;
+      }
+
+      #mpd.paused {
+          background-color: #51a37a;
+      }
+    '';
+    # background-color: rgba(0,0,0,0);
+    # border-bottom: 3px solid rgba(100, 114, 125, 0.5);
+
+    #style = ''
+    #'';
+  };
+}
--- a/home/programs/xmonad/xmonad.hs
+++ b/home/programs/xmonad/xmonad.hs
@ -168,7 +168,7 @@ myKeys conf@(XConfig {XMonad.modMask = modm}) = M.fromList $
    , ((modm .|. shiftMask , xK_space ),    spawn $ myTerminal ++ " -e tmux")

    -- , ((modm               , xK_v ),        spawn "rofi -modi lpass:$HOME/.scripts/rofi/lpass//rofi-lpass -show lpass")
-    -- , ((modm .|. shiftMask, xK_d     ), viewDropboxStatus)
+    , ((modm .|. shiftMask, xK_d     ), viewDropboxStatus)
    ]

 termIsOpen :: X Bool
--- a/home/programs/yt-dlp.nix
+++ b/home/programs/yt-dlp.nix
@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.yt-dlp.enable = true;
-}
--- a/home/programs/zoxide.nix
+++ b/home/programs/zoxide.nix
@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.zoxide.enable = true;
-}
--- a/home/services/dunst.nix
+++ b/home/services/dunst.nix
@ -3,7 +3,7 @@
  services.dunst = {
    enable = true;
    iconTheme = {
-      package = pkgs.adwaita-icon-theme;
+      package = pkgs.gnome.adwaita-icon-theme;
      name = "Adwaita";
      size = "32x32";
    };
@ -13,9 +13,9 @@
        class = "Dunst";
        browser = "${pkgs.xdg-utils}/bin/xdg-open";

-        offset = let 
-          status-bar-height = config.services.polybar.settings."bar/top".height;
-        in "15x${toString (status-bar-height + 10)}";
+        # offset = let
+        #   status-bar-height = config.services.polybar.settings."bar/top".height;
+        # in "15x${toString (status-bar-height + 10)}";

        corner_radius = 0;
        font = "Droid Sans 9";
--- a/home/services/gnome-keyring.nix
+++ b/home/services/gnome-keyring.nix
@ -1,4 +0,0 @@
-{ machineVars, ... }:
-{
-  services.gnome-keyring.enable = !machineVars.headless;
-}
--- a/home/services/keybase.nix
+++ b/home/services/keybase.nix
@ -1,5 +0,0 @@
-{ ... }:
-{
-  services.keybase.enable = true;
-  services.kbfs.enable = true;
-}
--- a/home/services/mpd.nix
+++ b/home/services/mpd.nix
@ -1,141 +1,28 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.mpd;
-in
+{ config, ... }:
 {
-  services.mpd = {
+  services.mpd = rec {
    enable = true;
    musicDirectory = config.xdg.userDirs.music;
-    playlistDirectory = "${cfg.musicDirectory}/playlists/MPD";
+    playlistDirectory = "${musicDirectory}/playlists/MPD";
    network.startWhenNeeded = true;

+    # TODO: make the path specific to the user unit
    extraConfig = ''
-      pid_file "/run/user/${toString config.home.uid}/mpd/pid"
-
-      zeroconf_enabled "no"
-
-      replaygain "auto"
-
-      restore_paused "yes"
-
-      auto_update "no"
+      audio_output {
+        type "fifo"
+        name "Visualizer feed"
+        path "/tmp/mpd.fifo"
+        format "44100:16:2"
+      }

      audio_output {
        type "pipewire"
        name "PipeWire Sound Server"
      }
-
-      audio_output {
-        type "fifo"
-        name "Visualizer feed"
-        path "/run/user/${toString config.home.uid}/mpd/visualizer.fifo"
-        format "44100:16:2"
-      }
-
-      resampler {
-        plugin "soxr"
-        quality "very high"
-      }
-
-      playlist_plugin {
-        name "cue"
-        enabled "true"
-      }
-
-      playlist_plugin {
-        name "m3u"
-        enabled "true"
-      }
-
-      playlist_plugin {
-        name "extm3u"
-        enabled "true"
-      }
-
-      playlist_plugin {
-        name "flac"
-        enabled "true"
-      }
-
-      playlist_plugin {
-        name "rss"
-        enabled "true"
-      }
    '';
  };

+  # TODO: disable auto_update and use systemd path to listen for changes
  # TODO: upstream unix socket support to home-manager
-
-  systemd.user.services.mpd = {
-    Unit = {
-      Documentation = [
-        "man:mpd(1)"
-        "man:mpd.conf(5)"
-      ];
-    };
-    Service = {
-      WatchdogSec = 120;
-
-      # for io_uring
-      LimitMEMLOCK = "64M";
-
-      # allow MPD to use real-time priority 40
-      LimitRTPRIO = 40;
-      LimitRTTIME = "infinity";
-
-      PrivateUsers = true;
-      ProtectSystem = true;
-      NoNewPrivileges = true;
-      ProtectKernelTunables = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_UNIX"
-      ];
-      RestrictNamespaces = true;
-    };
-  };
-
-  systemd.user.paths.mpd-update-library = {
-    Unit = {
-      Description = "Watchdog that updates the mpd library whenever the files are modified";
-      Documentation = [
-        "man:mpd(1)"
-        "man:mpd.conf(5)"
-      ];
-      WantedBy = [ "paths.target" ];
-    };
-    Path = {
-      PathChanged = cfg.musicDirectory;
-      Unit = "mpd-update-library.service";
-      TriggerLimitIntervalSec = "1s";
-      TriggerLimitBurst = "1";
-    };
-  };
-
-  systemd.user.services.mpd-update-library = {
-    Unit = {
-      Description = "Watchdog that updates the mpd library whenever the files are modified";
-      Documentation = [
-        "man:mpd(1)"
-        "man:mpd.conf(5)"
-      ];
-    };
-    Service = {
-      Type = "oneshot";
-      ExecStart = "${lib.getExe pkgs.mpc-cli} update --wait";
-
-      PrivateUsers = true;
-      ProtectSystem = true;
-      NoNewPrivileges = true;
-      ProtectKernelTunables = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_UNIX"
-      ];
-      RestrictNamespaces = true;
-    };
-  };
 }

--- a/home/services/network-manager.nix
+++ b/home/services/network-manager.nix
@ -1,4 +0,0 @@
-{ machineVars, ... }:
-{
-  services.network-manager-applet.enable = !machineVars.headless;
-}
--- a/home/services/sxhkd.nix
+++ b/home/services/sxhkd.nix
@ -22,11 +22,11 @@ in

      # Volume

-      "super + {@F7,@F8}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}";
+      "super + {@F7,@F8}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";

-      "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}";
+      "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";

-      "XF86AudioMute" = "${pkgs.wireplumber}/bin/wpctl set-mute toggle";
+      "XF86AudioMute" = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";

      # Music

--- a/home/shell.nix
+++ b/home/shell.nix
@ -14,19 +14,6 @@
      exe = if pkg.meta ? mainProgram then pkg.meta.mainProgram else name;
    in "${pkg}/bin/${exe}";
 in {
-  sops.secrets."nordicsemi/envvars" = {
-    sopsFile = ../secrets/home.yaml;
-  };
-
-
-  programs.bash.bashrcExtra = ''
-    source "${config.sops.secrets."nordicsemi/envvars".path}"
-  '';
-
-  programs.zsh.envExtra = ''
-    source "${config.sops.secrets."nordicsemi/envvars".path}"
-  '';
-
  local.shell.aliases = {

    # ░█▀▄░█▀▀░█▀█░█░░░█▀█░█▀▀░█▀▀░█▄█░█▀▀░█▀█░▀█▀░█▀▀
@ -303,11 +290,6 @@ in {
      view-latex = "${pkgs.texlive.combined.scheme-full}/bin/latexmk -pdf -pvc main.tex";

      reload-tmux = "${p "tmux"} source $HOME/.config/tmux/tmux.conf";
-
-      nordic-vpn = lib.concatStringsSep " | " [
-        "${p "gpauth"} \"$NORDIC_VPN_ENDPOINT\" --gateway --browser default 2>/dev/null"
-        "sudo ${p "gpclient"} connect \"$NORDIC_VPN_ENDPOINT\" --as-gateway --cookie-on-stdin"
-      ];
    };

    # ░█▀▀░█▀▀░█▀█░█▀▀░█▀▄░█▀█░▀█▀░█▀▀░█▀▄
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -12,7 +12,9 @@ in {
    ./programs/ssh.nix
    ./programs/usbtop.nix

+    ./services/cups.nix
    ./services/dbus.nix
+    ./services/logrotate.nix
    ./services/openssh.nix
    ./services/pcscd.nix
    ./services/pipewire.nix
@ -23,8 +25,6 @@ in {
    ./services/xserver.nix
  ];

-  systemd.enableStrictShellChecks = true;
-
  sops.defaultSopsFile = ./../.. + "/secrets/${config.networking.hostName}.yaml";

  time.timeZone = "Europe/Oslo";
@ -132,8 +132,6 @@ in {
    };

    irqbalance.enable = true;
-
-    displayManager.defaultSession = "none+xmonad";
  };

  programs = {
@ -141,6 +139,7 @@ in {
    git.enable = true;
    tmux.enable = true;
    zsh.enable = true;
+    hyprland.enable = true;
  };

  system.extraDependencies =
--- a/hosts/common/nix-builders/bob.nix
+++ b/hosts/common/nix-builders/bob.nix
@ -3,6 +3,7 @@
  sops.secrets."ssh/nix-builders/bob/key" = { sopsFile = ./../../../secrets/common.yaml; };

  nix.buildMachines = [{
+    # Login details configured in ssh module in nix-secrets
    hostName = "nix-builder-bob";
    system = "x86_64-linux";
    speedFactor = 5;
@ -13,8 +14,8 @@
      "big-paralell"
    ];
    mandatoryFeatures = [ ];
-    sshUser = "oysteikt";
-    sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
+    # sshUser = secrets.ssh.users.pvv.normalUser;
+    # sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
  }];

  programs.ssh = {
--- a/hosts/common/nix-builders/isvegg.nix
+++ b/hosts/common/nix-builders/isvegg.nix
@ -1,15 +1,16 @@
-{ config, ... }:
+{ config, secrets, ... }:
 {
  sops.secrets."ssh/nix-builders/isvegg/key" = { sopsFile = ./../../../secrets/common.yaml; };

  nix.buildMachines = [{
+    # Login details configured in ssh module in nix-secrets
    hostName = "nix-builder-isvegg";
    system = "x86_64-linux";
    speedFactor = 1;
    maxJobs = 8;
    supportedFeatures = [ ];
    mandatoryFeatures = [ ];
-    sshUser = "oysteikt";
+    sshUser = secrets.ssh.users.pvv.normalUser;
    sshKey = config.sops.secrets."ssh/nix-builders/isvegg/key".path;
  }];

--- a/hosts/common/nix-builders/tsuki.nix
+++ b/hosts/common/nix-builders/tsuki.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, secrets, ... }:
 {
  # TODO: install public key on tsuki declaratively
  sops.secrets = {
@ -7,6 +7,7 @@
  };

  nix.buildMachines = [{
+    # Login details configured in ssh module in nix-secrets
    hostName = "nix-builder-tsukir";
    system = "x86_64-linux";
    speedFactor = 2;
@ -25,8 +26,7 @@
    extraConfig = ''
      Host nix-builder-tsukir
        HostName gingakei.loginto.me
-        Port 45497
-        IdentityFile ${config.sops.secrets."ssh/nix-builders/tsuki/key".path}
+        Port ${toString secrets.ports.ssh.home-in}
    '';

    # knownHosts.tsukir = {
--- a/hosts/common/services/cups.nix
+++ b/hosts/common/services/cups.nix
@ -0,0 +1,71 @@
+{ config, lib, ... }:
+{
+  systemd.services = lib.mkIf config.services.printing.enable {
+    cups.serviceConfig = {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true; 
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+    cups-browsed.serviceConfig = {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+  };
+}
--- a/hosts/common/services/logrotate.nix
+++ b/hosts/common/services/logrotate.nix
@ -0,0 +1,42 @@
+{ ... }:
+{
+  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
+  systemd.services.logrotate = {
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+    unitConfig.RequiresMountsFor = "/var/log";
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [ "/var/log" ];
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
+  };
+}
--- a/hosts/common/services/printing.nix
+++ b/hosts/common/services/printing.nix
@ -1,77 +1,4 @@
-{ config, lib, ... }:
-let
-  cfg = config.services.printing;
-in
+{ config, ... }:
 {
-  # services.printing.enable = !config.machineVars.headless;
-  services.printing.enable = false;
-
-  systemd.services = lib.mkIf cfg.enable {
-    cups.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-    cups-browsed.serviceConfig = lib.mkIf cfg.enable {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-  };
+  services.printing.enable = !config.machineVars.headless;
 }
--- a/hosts/common/services/xserver.nix
+++ b/hosts/common/services/xserver.nix
@ -1,5 +1,14 @@
 { config, ... }:
 {
+  services.displayManager = {
+    enable = true;
+    defaultSession = "none+xmonad";
+    sddm = {
+      enable = !config.machineVars.headless;
+      wayland.enable = true;
+    };
+  };
+
  services.xserver = {
    enable = !config.machineVars.headless;

@ -13,13 +22,15 @@
    #   xfce.enable = !config.machineVars.headless;
    # };

-    displayManager.lightdm.enable = !config.machineVars.headless;
+    # displayManager.lightdm.enable = !config.machineVars.headless;

    windowManager.xmonad = {
      enable = true;
      enableContribAndExtras = true;
      enableConfiguredRecompile = true;
-      extraPackages = hPkgs: with hPkgs; [ dbus ];
+      extraPackages = hPkgs: with hPkgs; [
+        dbus
+      ];
    };
  };
 }
--- a/hosts/dosei/configuration.nix
+++ b/hosts/dosei/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
@ -77,11 +77,14 @@
    fstrim.enable = true;
  };

-  nix.buildMachines = lib.mkForce [ ];
-
  hardware = {
    bluetooth.enable = true;
    enableRedistributableFirmware = true;
    keyboard.zsa.enable = true;
+    opengl = {
+      enable = true;
+      driSupport = true;
+      driSupport32Bit = true;
+    };
  };
 }
--- a/hosts/kasei/configuration.nix
+++ b/hosts/kasei/configuration.nix
@ -18,6 +18,8 @@

  system.stateVersion = "22.05";

+  security.pam.services.hyprlock = {};
+
  boot.binfmt.emulatedSystems = [
    "x86_64-windows"
    "aarch64-linux"
@ -80,7 +82,7 @@
  services = {
    openssh = {
      enable = true;
-      settings.X11Forwarding = true;
+      # settings.X11Forwarding = true;
    };
    xserver.videoDrivers = [ "amdgpu" ];
    tailscale.enable = true;
--- a/hosts/tsuki/services/matrix/coturn.nix
+++ b/hosts/tsuki/services/matrix/coturn.nix
@ -1,23 +1,16 @@
-{ config, lib, secrets, ... }:
-let
-  cfg = config.services.coturn;
-in
+{ secrets, ... }:
 {
-  services.coturn = let
-    # certName = config.services.nginx.virtualHosts.${cfg.realm}.useACMEHost;
-    certName = "nani.wtf";
-    certDir = config.security.acme.certs.${certName}.directory;
-  in rec {
+  services.coturn = rec {
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
-    min-port = 46000;
-    max-port = 47000;
+    min-port = secrets.ports.matrix.coturn.min;
+    max-port = secrets.ports.matrix.coturn.max;
    use-auth-secret = true;
    static-auth-secret = secrets.keys.matrix.static-auth-secret;
    realm = "turn.nani.wtf";
-    cert = "${certDir}/cert.pem";
-    pkey = "${certDir}/key.pem";
+    cert = "${secrets.keys.certificates.server.crt}";
+    pkey = "${secrets.keys.certificates.server.key}";
    extraConfig = ''
      # for debugging
      verbose
@ -47,19 +40,4 @@ in
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };
-
-  networking.firewall = lib.mkIf cfg.enable {
-    interfaces.enp2s0 = let
-      range = [{
-        from = cfg.min-port;
-        to = cfg.max-port;
-      }];
-    in
-    {
-      allowedUDPPortRanges = range;
-      allowedUDPPorts = [ cfg.listening-port ];
-      allowedTCPPortRanges = range;
-      allowedTCPPorts = [ cfg.listening-port ];
-    };
-  };
 }
--- a/hosts/tsuki/services/matrix/default.nix
+++ b/hosts/tsuki/services/matrix/default.nix
@ -25,11 +25,9 @@

    settings = {
      turn_uris = let
-        inherit (config.services.coturn) realm listening-port;
-      in [
-        "turn:${realm}:${toString listening-port}?transport=udp"
-        "turn:${realm}:${toString listening-port}?transport=tcp"
-      ];
+        inherit (config.services.coturn) realm;
+        p = toString secrets.ports.matrix.default;
+      in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
      turn_shared_secret = config.services.coturn.static-auth-secret;
      turn_user_lifetime = "1h";

@ -69,7 +67,7 @@
          user = "matrix-synapse";
          database = "matrix-synapse";
          host = "/var/run/postgresql";
-          port = config.services.postgresql.settings.port;
+          port = secrets.ports.postgres;
        };
      };

@ -94,4 +92,19 @@
  };

  services.redis.servers."".enable = true;
+
+  networking.firewall = {
+    interfaces.enp2s0 = let
+      range = with config.services.coturn; [ {
+      from = secrets.ports.matrix.coturn.min;
+      to = secrets.ports.matrix.coturn.max;
+    } ];
+    in
+    {
+      allowedUDPPortRanges = range;
+      allowedUDPPorts = [ secrets.ports.matrix.default ];
+      allowedTCPPortRanges = range;
+      allowedTCPPorts = [ secrets.ports.matrix.default ];
+    };
+  };
 }
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, inputs, ... }:
+{ pkgs, lib, config, secrets, inputs, ... }:
 {
  sops.secrets."cloudflare/api-key" = {};

@ -37,18 +37,19 @@
    recommendedZstdSettings = true;

    upstreams = let
+      inherit (secrets) ips ports;
      srv = config.services;
      sa = config.local.socketActivation;
    in {
      "atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
-      "dynmap".servers."localhost:8123" = { };
+      "dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
      "grafana".servers."unix:/run/grafana/grafana.sock" = { };
      "headscale".servers."localhost:${s srv.headscale.port}" = { };
      "hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
-      "idrac".servers."10.0.0.201" = { };
+      "idrac".servers."${ips.idrac}" = { };
      "kanidm".servers."localhost:8300" = { };
-      "osuchan".servers."localhost:${s srv.osuchan.port}" = { };
-      "plex".servers."localhost:32400" = { };
+      "osuchan".servers."localhost:${s ports.osuchan}" = { };
+      "plex".servers."localhost:${s ports.plex}" = { };
      "vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
      "wstunnel".servers = let
        inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;
@ -60,7 +61,7 @@
    virtualHosts = let
      inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
      inherit (lib.lists) head drop;
-      domains = [ "nani.wtf" ];
+      inherit (secrets) domains keys;

      cloudflare-origin-pull-ca = builtins.fetchurl {
        url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
@ -69,7 +70,7 @@

      # nonCFHost =
      #   subdomains: extraSettings: let
-      #     settings = {
+      #     settings = with keys.certificates; {
      #       useACMEHost = "nani.wtf";
      #       forceSSL = true;
      #       kTLS = true;
@ -83,7 +84,7 @@

      host =
        subdomains: extraSettings: let
-          settings = {
+          settings = with keys.certificates; {
            serverAliases = drop 1 (generateServerAliases domains subdomains);
            useACMEHost = "nani.wtf";
            forceSSL = true;
--- a/hosts/tsuki/services/postgres.nix
+++ b/hosts/tsuki/services/postgres.nix
@ -48,7 +48,32 @@ in {
    requires = [ "postgresql.service" ];
  };

-  systemd.services.postgresql.serviceConfig.ReadWritePaths = [ cfg.dataDir ];
+  systemd.services.postgresql = {
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = 3;
+      ReadWritePaths = [ cfg.dataDir ];
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      # PrivateMounts = true;
+      RestrictSUIDSGID = true;
+      ProtectHostname = true;
+      LockPersonality = true;
+      ProtectKernelTunables = true;
+      ProtectSystem = "strict";
+      ProtectProc = "invisible";
+      ProtectHome = true;
+      # PrivateNetwork = true;
+      PrivateUsers = true;
+      PrivateTmp = true;
+      UMask = "0077";
+      # RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+      SystemCallArchitectures = "native";
+    };
+  };

  environment.systemPackages = [ config.services.postgresql.package ];
 }
--- a/hosts/tsuki/services/samba.nix
+++ b/hosts/tsuki/services/samba.nix
@ -5,25 +5,26 @@
    enable = true;
    # openFirewall = true;

-    settings = {
-      global = {
-        "workgroup" = "TSUKI";
-        "server string" = "smbnix";
-        "netbios name" = "smbnix";
+    extraConfig = ''
+      workgroup = TSUKI
+      server string = smbnix
+      netbios name = smbnix

-        "security" = "user";
+      security = user

-        "use sendfile" = "yes";
-        "min protocol" = "SMB2";
-        "smb encrypt" = "desired";
+      use sendfile = yes
+      min protocol = SMB2
+      smb encrypt = desired

      # note: localhost is the ipv6 localhost ::1
-        "hosts allow" = "100.107.69.8 100.100.65.88";
-        "hosts deny" = "0.0.0.0/0";
+      hosts allow = 100.107.69.8 100.100.65.88
+      hosts deny = 0.0.0.0/0

-        "guest ok" = "no";
-        "map to guest" = "never";
-      };
+      guest ok = no
+      map to guest = never
+    '';
+
+    shares = {
      cirno = {
        path = "/data/cirno";
        browseable = "yes";
@ -65,4 +66,15 @@

  networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 139 445 ];
  networking.firewall.interfaces."tailscale0".allowedUDPPorts = [ 137 138 ];
+
+
+  systemd.slices.system-samba = {
+    description = "Samba slice";
+    after = [ "system.slice" ];
+    requires = [ "system.slice" ];
+  };
+
+  systemd.services.samba-smbd.serviceConfig.Slice = "system-samba.slice";
+  systemd.services.samba-nmbd.serviceConfig.Slice = "system-samba.slice";
+  systemd.services.samba-winbindd.serviceConfig.Slice = "system-samba.slice";
 }
--- a/hosts/tsuki/services/vaultwarden.nix
+++ b/hosts/tsuki/services/vaultwarden.nix
@ -21,6 +21,39 @@ in {

  systemd.services.vaultwarden = lib.mkIf cfg.enable {
    requires = [ "postgresql.service" ];
+
+    serviceConfig = {
+      # Extra hardening
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      # MemoryDenyWriteExecute = true;
+      PrivateMounts = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0007";
+    };
  };

  services.postgresql = lib.mkIf cfg.enable {
--- a/overlays/wayland-ime-integration.nix
+++ b/overlays/wayland-ime-integration.nix
@ -0,0 +1,20 @@
+final: prev: let
+  inherit (prev) lib;
+
+  wrapWithWaylandIMEFlag = pkg: let
+    binaryName = lib.removePrefix "${lib.getBin pkg}/bin/" (lib.getExe pkg);
+  in pkg.overrideAttrs (prev': {
+    postInstall = (prev'.postInstall or "") + ''
+      wrapProgram "$out/bin/${binaryName}" \
+        --add-flags "--enable-wayland-ime"
+    '';
+  });
+
+  programList = [
+    "element-desktop"
+    "vscode"
+    "chromium"
+    "discord"
+  ];
+in
+  lib.genAttrs programList (name: wrapWithWaylandIMEFlag prev.${name})
--- a/package-overrides/mozc.nix
+++ b/package-overrides/mozc.nix
@ -102,9 +102,9 @@ buildBazelPackage {
    })
    (fetchurl rec {
      name = "jawiki";
-      url = "https://dumps.wikimedia.org/${name}/20241101/${name}-20241101-all-titles-in-ns0.gz";
+      url = "https://dumps.wikimedia.org/${name}/20240620/${name}-20240620-all-titles-in-ns0.gz";
      recursiveHash = true;
-      hash = "sha256-gyg6aSsbT7wNvlIu5H5Qmi5O2LBIoZU13U+OgZCEmac=";
+      hash = "sha256-p1LP8mHYknUPEB9u9CLCP1/uUjCVfb/mdpnOPawGcqQ=";
      downloadToTemp = true;
      postFetch = ''
        mkdir -p "$out"
--- a/secrets/home.yaml
+++ b/secrets/home.yaml
@ -1,8 +1,6 @@
 git:
    nordicsemi-config: ENC[AES256_GCM,data:ziuM41RTsxkiutxjj8Pl5YuoETkxQNWEbGKd2Y99E0kTV9fL67g+YeGjeVFXErraeB/+jBVpjitK3lSHxlpxZLWckZ0G6A7NAFNagY9cORCFlLb+egyKb44xu8vBt4V5eA==,iv:yG06oluENc038cm5A9tpmSQtaGjd6nYDi/FnBd3A8Rk=,tag:ky6bCsYLOZmWObHnJ816Zw==,type:str]
    nordicsemi-maintenance-repos-config: ENC[AES256_GCM,data:oZ5hgpJj6ENM4S360Zo7SKGbZCDlBZ2NMJ/xRw7MUUvrFcvNSmhSf+WjjJbh+IXr2J82g92guI4Gw/1sOwyfmDfTo0cmKAGY1ZXIjHgSfpdufyl+sGWhpVG+fxmcqQTuiWYkCdLE3Rr+JoTCQ9f8N54uYJHU9X3MeFyrZjaPQA6tFDT8EIq35HifptN1uFEQyKxwaN9iKRyFEI3C9i6mvLYW6XuYYK+oirPgCecaMB3aVZotsMcLnO9C51N2hKKGdkx/JT/jqqAJ4IYUExDNTnBxvgKCrEldaqRGqi9F/3iPVuNSKCUG0uefG3010OhiwnU8WrXblw9jHSHkZ5crIhC2S/y9fzvA+ZuJUctan+GuoIG7VbqdLy0Jz2FXGDs6qNQX6/I0Eud7ajvIHAz+Zp/lVF8U91BwzY2dXLdEKK+KRHtT5gXWXPQHO3HEBlYjxVsMf0V/1WGuUeAQMu46q7YRuRuwuBNVFj2QkRKJo8TX8vXeWrdpzR6qQ4RynioUmI+GLZY=,iv:1wEwje63Ui6aKVq0yNtVsODmWe0kYkBt3pbp/RKqr/s=,tag:Ujhi6tRNphbPtFUL5m8jpw==,type:str]
-nordicsemi:
-    envvars: ENC[AES256_GCM,data:6vx077unPWt6WRy0oZKC3qpVA8BKigYDdhsZ2rmLYFtzW//01CrRgXX420UB,iv:e2hJuRj4A8ZBGG0j2YINdvM3IXzpCnJK0Sm5AXhOTZM=,tag:9SdpNIFSiLhI073dk3cC5g==,type:str]
 ssh:
    secret-config: ""
 sops:
@ -20,8 +18,8 @@ sops:
            QllyaVlIVEVrSlJDZzlwdFpoRlg3bmsKYBGLYmsfFu6GuRUPGsS0+vkUv1QzJXZl
            D9CFcRQw0Xzti0DvDj7cWrCJ32F1eYRp/9LWyG1CEjfoNEKyUJZ2qQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-07T23:05:27Z"
-    mac: ENC[AES256_GCM,data:0EgnvPIiDHfE6YYVISwMdYycXUXRkvJLpi5llNF5HMCUMQNFIPemb4OkPbcZhP0HkZCRQC6pFhTXWMU9NbxpTmDWHV0+pNrlkX4PiRKjCJ7Yqq9dNkJzCfq7091ZYYCH9UrgKIyi6+/6jGANI1sq+QuEyZFVPYMnaeSVo+ntqVE=,iv:pJogp+pCfkDaTGh/Qy+GDcELw35Q4Sa8iMKU4JfGCRk=,tag:JGpN4HymcHpJS47fGx6cjg==,type:str]
+    lastmodified: "2024-08-05T07:31:00Z"
+    mac: ENC[AES256_GCM,data:eD+cXSj7xvIY9hyXTwCmV/HJNR1SInXYp0yKCtFTuBzXL5u1nwi0hbN6iHe7xi5otlrddGCwYAIjogAQrE01Y06Y7+ZSdpQNPadz16q4sDa5z71pbzXy/vCZdTlcFL3MMWMhwVmLZtjJO90gQ1iWd1wza12JmbO3KqkFLIuKwnQ=,iv:Qr9k/J+ZU09KruDwrJGaj+5PR0Kv+Gu7zcgDhF/KLOY=,tag:DfspqZZSKTmEOXH2NuVo5Q==,type:str]
    pgp:
        - created_at: "2024-07-08T12:27:24Z"
          enc: |-