wip: add specus VPN

if mbsync is enabled for a homemanager account, aerc wants to use the
  maildir, which is stupid

.bin/unicode

@@ -0,0 +1,8 @@
+import sys
+import unicodedata
+
+for index, character in enumerate(sys.stdin.read().strip()):
+  try:
+    print(index, character, hex(ord(character)), unicodedata.category(character), unicodedata.name(character))
+  except:
+    print(index, character, hex(ord(character)))

.github/workflows/niveum.yml

@@ -11,4 +11,4 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - uses: cachix/install-nix-action@v16
-    - run: nix run .#build-${{matrix.system}}
+    - run: nix run .?submodules=1#apps.nixinate.${{matrix.system}}-dry-run

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "secrets"]
+	path = secrets
+	url = ssh://gitea@code.kmein.de:22022/kfm/niveum-secrets.git

ci.nix

@@ -1,99 +0,0 @@
-{
-  inputs,
-  system,
-  name,
-}: let
-  nixpkgs = inputs.nixos-stable;
-  pkgs = nixpkgs.legacyPackages.${system};
-  ensureFiles = paths:
-    pkgs.runCommand "directory" {} ''
-      set -efu
-      mkdir $out
-      cd $out
-      ${
-        nixpkgs.lib.concatMapStringsSep "\n" (path: ''
-          mkdir -p "$(dirname ${nixpkgs.lib.escapeShellArg path})"
-          echo foo > ${nixpkgs.lib.escapeShellArg path}
-        '')
-        paths
-      }
-    '';
-  nixPath = nixpkgs.lib.concatStringsSep ":" ([
-      "niveum=${toString ./.}"
-      "nixos-config=${toString ./.}/systems/${name}/configuration.nix"
-      "system-secrets=${systemSecrets}"
-      "secrets=${sharedSecrets}"
-      "nixpkgs=${
-        toString (
-          if name == "kabsa" || name == "manakish"
-          then inputs.nixos-unstable
-          else inputs.nixos-stable
-        )
-      }"
-    ]
-    ++ nixpkgs.lib.mapAttrsToList (name: value: "${name}=${value}") inputs);
-  # cd ~/.password-store/shared && find * -type f | sed 's/.gpg$//'
-  sharedSecrets = ensureFiles [
-    "di.fm/key"
-    "eduroam/identity"
-    "eduroam/password"
-    "github/notification.token"
-    "hass/token"
-    "mail/cock"
-    "mail/fastmail"
-    "mail/gmail/amroplay"
-    "mail/gmail/kieran.meinhardt"
-    "mail/meinhaki"
-    "mail/dslalewa"
-    "mail/fsklassp"
-    "mail/posteo"
-    "mega/password"
-    "nextcloud-fysi/password"
-    "nextcloud/password"
-    "openweathermap.key"
-    "restic/password"
-    "traadfri.key"
-    "miniflux/password"
-    "wifi/Aether.psk"
-    "spotify/username"
-    "spotify/password"
-  ];
-  systemSecrets = let
-    basic = ["retiolum.ed25519" "retiolum.key" "syncthing/cert.pem" "syncthing/key.pem" "ssh/passphrase"];
-  in
-    {
-      zaatar = ensureFiles (["moodle.token" "telegram/moodle-dl.token" "mpd-web.key"] ++ basic);
-      kabsa = ensureFiles basic;
-      manakish = ensureFiles basic;
-      tahina = ensureFiles basic;
-      tabula = ensureFiles basic;
-      ful = ensureFiles (["root.password"] ++ basic);
-      makanek = ensureFiles ([
-          "grafana/admin"
-          "irc/retiolum"
-          "irc/hackint"
-          "irc/libera"
-          "irc/oftc"
-          "matrix/nibbana"
-          "maxmind/license.key"
-          "moodle-dl/faye.token"
-          "nextcloud/admin"
-          "nextcloud/database"
-          "telegram/nachtischsatan.token"
-          "telegram/reverse.token"
-          "telegram/odyssey.token"
-          "telegram/betacode.token"
-          "telegram/moodle-dl.token"
-          "telegram/proverb.token"
-          "telegram/menstruation.token"
-          "telegram/cool_village.token"
-          "telegram/kmein.token"
-          "telegram/krebs.token"
-          "telegram/prometheus.token"
-          "weechat/relay"
-        ]
-        ++ basic);
-    }
-    .${name};
-in
-  toString (pkgs.writers.writeDash "build" "NIX_PATH=${nixPath} nix-build '<nixpkgs/nixos>' -A system --dry-run")

configs/aerc.nix

@@ -11,135 +11,209 @@
   };
   hu-defaults = {
     imap.host = "mailbox.cms.hu-berlin.de";
+    imap.port = 993;
     smtp.host = "mailhost.cms.hu-berlin.de";
+    smtp.port = 25;
+    smtp.tls.useStartTls = true;
   };
-  passwordCommandFrom = path: toString (pkgs.writers.writeDash "email-credentials" "echo ${lib.escapeShellArg (lib.strings.fileContents path)}");
 in {
+  age.secrets = {
+    email-password-cock = {
+      file = ../secrets/email-password-cock.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+    email-password-fysi = {
+      file = ../secrets/email-password-fysi.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+    email-password-posteo = {
+      file = ../secrets/email-password-posteo.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+    email-password-meinhark = {
+      file = ../secrets/email-password-meinhark.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+    email-password-meinhaki = {
+      file = ../secrets/email-password-meinhaki.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+    email-password-dslalewa = {
+      file = ../secrets/email-password-dslalewa.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+    email-password-fsklassp = {
+      file = ../secrets/email-password-fsklassp.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+  };
+
   home-manager.users.me = {
+    services.mbsync = {
+      enable = true;
+      frequency = "daily";
+      preExec = "${pkgs.coreutils}/bin/mkdir -p ${config.home-manager.users.me.accounts.email.maildirBasePath}";
+      postExec = "${pkgs.notmuch}/bin/notmuch new";
+    };
+
+    programs.notmuch = {
+      enable = true;
+      extraConfig = {
+        database.path = config.home-manager.users.me.accounts.email.maildirBasePath;
+        new.tags = "";
+        user.name = defaults.realName;
+        user.primary_email = config.home-manager.users.me.accounts.email.accounts.posteo.address;
+      };
+    };
+
+    programs.mbsync = {
+      enable = true;
+      extraConfig = lib.concatStringsSep "\n\n" (lib.mapAttrsToList (name: account: ''
+          IMAPAccount ${name}
+          CertificateFile /etc/ssl/certs/ca-certificates.crt
+          Host ${account.imap.host}
+          PassCmd "${toString account.passwordCommand}"
+          User ${account.userName}
+          SSLType IMAPS
+          ${lib.optionalString (lib.isInt account.imap.port) "Port ${toString account.imap.port}"}
+
+          IMAPStore ${name}-remote
+          Account ${name}
+
+          MaildirStore ${name}-local
+          Path ${config.home-manager.users.me.accounts.email.maildirBasePath}/${name}/
+          SubFolders Verbatim
+
+          Channel ${name}
+          Create Near
+          Expunge None
+          Far :${name}-remote:
+          Near :${name}-local:
+          Patterns *
+          Remove None
+          SyncState *
+        '')
+        config.home-manager.users.me.accounts.email.accounts);
+    };
+
     accounts.email.accounts = rec {
       hu-student =
-        defaults
-        // hu-defaults
-        // rec {
-          userName = "meinhark";
-          address = "kieran.felix.meinhardt@hu-berlin.de";
-          aliases = ["${userName}@hu-berlin.de"];
-          passwordCommand = passwordCommandFrom <secrets/eduroam/password>;
-        };
+        lib.recursiveUpdate defaults
+        (lib.recursiveUpdate hu-defaults
+          rec {
+            userName = "meinhark";
+            address = "kieran.felix.meinhardt@hu-berlin.de";
+            aliases = ["${userName}@hu-berlin.de"];
+            passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.email-password-meinhark.path}";
+          });
       hu-student-cs =
-        defaults
-        // hu-defaults
-        // rec {
-          userName = "meinhark";
-          address = "kieran.felix.meinhardt@informatik.hu-berlin.de";
-          aliases = ["${userName}@informatik.hu-berlin.de"];
-          imap.host = "mailbox.informatik.hu-berlin.de";
-          smtp.host = "mailhost.informatik.hu-berlin.de";
-          passwordCommand = passwordCommandFrom <secrets/eduroam/password>;
-        };
+        lib.recursiveUpdate defaults
+        (lib.recursiveUpdate hu-defaults
+          rec {
+            userName = "meinhark";
+            address = "kieran.felix.meinhardt@informatik.hu-berlin.de";
+            aliases = ["${userName}@informatik.hu-berlin.de"];
+            imap.host = "mailbox.informatik.hu-berlin.de";
+            smtp.host = "mailhost.informatik.hu-berlin.de";
+            passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.email-password-meinhark.path}";
+          });
       hu-employee =
-        defaults
-        // hu-defaults
-        // rec {
-          userName = "meinhaki";
-          address = "kieran.meinhardt@hu-berlin.de";
-          aliases = ["${userName}@hu-berlin.de"];
-          passwordCommand = passwordCommandFrom <secrets/mail/meinhaki>;
-          signature = {
-            showSignature = "append";
-            text = ''
-              ${defaults.realName}
-              Studentische Hilfskraft / Administrator ALEW
-              Humboldt-Universität zu Berlin
+        lib.recursiveUpdate defaults
+        (lib.recursiveUpdate hu-defaults
+          rec {
+            userName = "meinhaki";
+            address = "kieran.meinhardt@hu-berlin.de";
+            aliases = ["${userName}@hu-berlin.de"];
+            passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.email-password-meinhaki.path}";
+            aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text);
+            signature = {
+              showSignature = "append";
+              text = ''
+                ${defaults.realName}
+                Studentische Hilfskraft / Administrator ALEW
+                Humboldt-Universität zu Berlin
 
-              Telefon: +49 (0)30 2093 9634
-              Raum 3.212, Dorotheenstraße 24, 10117 Berlin-Mitte
-              https://alew.hu-berlin.de
-            '';
-          };
-        };
+                Telefon: +49 (0)30 2093 9634
+                Raum 3.212, Dorotheenstraße 24, 10117 Berlin-Mitte
+                https://alew.hu-berlin.de
+              '';
+            };
+          });
       hu-admin =
-        defaults
-        // hu-defaults
-        // rec {
-          userName = "dslalewa";
-          address = "admin.alew.vglsprwi@hu-berlin.de";
-          aliases = ["${userName}@hu-berlin.de"];
-          passwordCommand = passwordCommandFrom <secrets/mail/dslalewa>;
-          inherit (hu-employee) signature;
-        };
+        lib.recursiveUpdate defaults
+        (lib.recursiveUpdate hu-defaults
+          rec {
+            userName = "dslalewa";
+            address = "admin.alew.vglsprwi@hu-berlin.de";
+            aliases = ["${userName}@hu-berlin.de"];
+            passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.email-password-dslalewa.path}";
+            inherit (hu-employee) signature;
+            aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text);
+          });
       hu-fsi =
-        defaults
-        // hu-defaults
-        // rec {
-          userName = "fsklassp";
-          passwordCommand = passwordCommandFrom <secrets/mail/fsklassp>;
-          address = "${userName}@hu-berlin.de";
-          realName = "FSI Klassische Philologie";
-          signature = {
-            showSignature = "append";
-            text = ''
-              Fachschafts-Initiative
+        lib.recursiveUpdate defaults
+        (lib.recursiveUpdate hu-defaults
+          rec {
+            userName = "fsklassp";
+            passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.email-password-fsklassp.path}";
+            address = "${userName}@hu-berlin.de";
+            realName = "FSI Klassische Philologie";
+            aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text);
+            signature = {
+              showSignature = "append";
+              text = ''
+                Fachschafts-Initiative
 
-              Humboldt-Universität zu Berlin
-              Sprach- und literaturwissenschaftliche Fakultät
-              Institut für klassische Philologie
-              Unter den Linden 6
-              10099 Berlin
-            '';
-          };
-        };
+                Humboldt-Universität zu Berlin
+                Sprach- und literaturwissenschaftliche Fakultät
+                Institut für klassische Philologie
+                Unter den Linden 6
+                10099 Berlin
+              '';
+            };
+          });
       fysi =
-        defaults
-        // rec {
+        lib.recursiveUpdate defaults
+        rec {
           address = "kieran@fysi.tech";
           userName = address;
-          passwordCommand = passwordCommandFrom <secrets/mail/fastmail>;
+          passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.email-password-fysi.path}";
           flavor = "fastmail.com";
         };
       cock =
-        defaults
-        // rec {
+        lib.recursiveUpdate defaults
+        rec {
           address = "2210@cock.li";
           userName = address;
-          passwordCommand = passwordCommandFrom <secrets/mail/cock>;
+          passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.email-password-cock.path}";
           realName = "";
           imap.host = "mail.cock.li";
           smtp.host = imap.host;
         };
-      google-amro =
-        defaults
-        // rec {
-          address = "amroplay@gmail.com";
-          userName = address;
-          passwordCommand = passwordCommandFrom <secrets/mail/gmail/amroplay>;
-          flavor = "gmail.com";
-          aerc.enable = false;
-        };
-      google-kieran =
-        defaults
-        // rec {
-          address = "kieran.meinhardt@gmail.com";
-          userName = address;
-          passwordCommand = passwordCommandFrom <secrets/mail/gmail/kieran.meinhardt>;
-          flavor = "gmail.com";
-          aerc.enable = false;
-          folders = {
-            drafts = "[Gmail]/Entwürfe";
-            sent = "[Gmail]/Gesendet";
-            trash = "[Gmail]/Papierkorb";
-          };
-        };
       posteo =
-        defaults
-        // rec {
+        lib.recursiveUpdate defaults
+        rec {
           address = "kieran.meinhardt@posteo.net";
           aliases = ["kmein@posteo.de"];
           userName = address;
           imap.host = "posteo.de";
           smtp.host = imap.host;
           primary = true;
-          passwordCommand = passwordCommandFrom <secrets/mail/posteo>;
+          passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.email-password-posteo.path}";
           # himalaya = { enable = true; backend = "imap"; sender = "smtp"; };
         };
     };
@@ -177,7 +251,7 @@ in {
           K = ":prev-folder<Enter>";
           H = ":collapse-folder<Enter>";
           L = ":expand-folder<Enter>";
-          "<space>" = ":read -t<Enter>";
+          "<space>" = ":read -t<Enter>:next<Enter>";
           v = ":mark -t<Enter>";
           V = ":mark -v<Enter>";
           F = ":flag -t<Enter>";
@@ -277,7 +351,7 @@ in {
         general.pgp-provider = "gpg";
         viewer = {pager = "${pkgs.less}/bin/less -R";};
         compose = {
-          address-book-cmd = "khard email --parsable '%s'";
+          address-book-cmd = "khard email --remove-first-line --parsable '%s'";
           no-attachment-warning = "(attach|attached|attachments?|anbei|Anhang|angehängt)";
         };
         filters = {

configs/alacritty.nix

@@ -47,7 +47,7 @@
   alacritty-pkg = pkgs.symlinkJoin {
     name = "alacritty";
     paths = [
-      (pkgs.writeDashBin "alacritty" ''
+      (pkgs.writers.writeDashBin "alacritty" ''
         ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yml msg create-window "$@" ||
         ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yml "$@"
       '')
@@ -62,7 +62,7 @@ in {
   ];
 
   environment.etc = {
-    "themes/dark/alacritty.yml".source = alacritty-cfg (import <niveum/lib/colours/papercolor-dark.nix>);
-    "themes/light/alacritty.yml".source = alacritty-cfg (import <niveum/lib/colours/papercolor-light.nix>);
+    "themes/dark/alacritty.yml".source = alacritty-cfg (import ../lib/colours/owickstrom-dark.nix);
+    "themes/light/alacritty.yml".source = alacritty-cfg (import ../lib/colours/owickstrom-light.nix);
   };
 }

configs/backup.nix

@@ -3,7 +3,7 @@
   config,
   ...
 }: let
-  inherit (import <niveum/lib>) restic;
+  inherit (import ../lib) restic;
 in {
   services.restic.backups.niveum = {
     initialize = true;
@@ -12,7 +12,7 @@ in {
       OnCalendar = "8:00";
       RandomizedDelaySec = "1h";
     };
-    passwordFile = toString <secrets/restic/password>;
+    passwordFile = config.age.secrets.restic.path;
     extraBackupArgs = [
       "--exclude=/home/kfm/projects/nixpkgs/.git"
       "--exclude=node_modules"
@@ -21,6 +21,7 @@ in {
       "/home/kfm/work"
       "/home/kfm/projects"
       "/home/kfm/notes"
+      "/home/kfm/Maildir"
       "/home/kfm/cloud"
       "/home/kfm/.gnupg"
       "/home/kfm/.ssh"
@@ -38,7 +39,7 @@ in {
 
   environment.systemPackages = [
     (pkgs.writers.writeDashBin "restic-niveum" ''
-      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${<secrets/restic/password>} "$@"
+      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${config.age.secrets.restic.path} "$@"
     '')
     (pkgs.writers.writeDashBin "restic-mount" ''
       mountdir=$(mktemp -d)
@@ -46,7 +47,7 @@ in {
       clean() {
         rm -r "$mountdir"
       }
-      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${<secrets/restic/password>} mount "$mountdir"
+      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${config.age.secrets.restic.path} mount "$mountdir"
     '')
   ];
 }

configs/cloud.nix

@@ -4,16 +4,8 @@
   pkgs,
   ...
 }: let
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  inherit (import ../lib) tmpfilesConfig;
 in {
-  imports = [
-    <niveum/modules/dropbox.nix>
-  ];
-
-  niveum = {
-    dropbox.enable = false;
-  };
-
   systemd.tmpfiles.rules = map tmpfilesConfig [
     {
       type = "L+";
@@ -55,13 +47,13 @@ in {
     script = let
       kieran = {
         user = "kieran";
-        password = lib.fileContents <secrets/nextcloud/password>;
+        passwordFile = config.age.secrets.nextcloud-password-kieran.path;
         endpoint = "https://cloud.xn--kiern-0qa.de";
         target = "${config.users.users.me.home}/notes";
       };
     in ''
       mkdir -p ${lib.escapeShellArg kieran.target}
-      ${pkgs.nextcloud-client}/bin/nextcloudcmd --non-interactive --user ${kieran.user} --password ${lib.escapeShellArg kieran.password} --path /Notes ${lib.escapeShellArg kieran.target} ${kieran.endpoint}
+      ${pkgs.nextcloud-client}/bin/nextcloudcmd --non-interactive --user ${kieran.user} --password "$(cat ${kieran.passwordFile})" --path /Notes ${lib.escapeShellArg kieran.target} ${kieran.endpoint}
     '';
     serviceConfig = {
       Type = "oneshot";
@@ -81,9 +73,9 @@ in {
     (let
       kieran = {
         user = "kieran.meinhardt@gmail.com";
-        password = lib.fileContents <secrets/mega/password>;
+        passwordFile = config.age.secrets.mega-password.path;
       };
-      megatools = command: "${pkgs.megatools}/bin/megatools ${command} --username ${lib.escapeShellArg kieran.user} --password ${lib.escapeShellArg kieran.password}";
+      megatools = command: ''${pkgs.megatools}/bin/megatools ${command} --username ${lib.escapeShellArg kieran.user} --password "$(cat ${kieran.passwordFile})"'';
     in
       pkgs.writers.writeDashBin "book-mega" ''
         set -efu
@@ -104,6 +96,13 @@ in {
       '')
   ];
 
+  age.secrets.mega-password = {
+    file = ../secrets/mega-password.age;
+    owner = config.users.users.me.name;
+    group = config.users.users.me.group;
+    mode = "400";
+  };
+
   fileSystems."/media/moodle" = {
     device = "zaatar.r:/moodle";
     fsType = "nfs";
@@ -120,9 +119,9 @@ in {
     openDefaultPorts = true;
     configDir = "/home/kfm/.config/syncthing";
     dataDir = "/home/kfm/.config/syncthing";
-    cert = toString <system-secrets/syncthing/cert.pem>;
-    key = toString <system-secrets/syncthing/key.pem>;
-    inherit ((import <niveum/lib>).syncthing) devices;
+    cert = config.age.secrets.syncthing-cert.path;
+    key = config.age.secrets.syncthing-key.path;
+    inherit ((import ../lib).syncthing) devices;
     folders = let
       cloud-dir = "${config.users.users.me.home}/cloud";
     in {

configs/default.nix

@@ -2,36 +2,27 @@
   pkgs,
   lib,
   config,
-  options,
+  niveumPackages,
+  inputs,
   ...
 }: let
   inherit (lib.strings) makeBinPath;
-  inherit (import <niveum/lib>) localAddresses kieran;
-  scripts = import <niveum/packages/scripts> {inherit pkgs lib;};
-  defaultApplications = (import <niveum/lib>).defaultApplications {inherit pkgs;};
+  inherit (import ../lib) localAddresses kieran;
+  defaultApplications = (import ../lib).defaultApplications {inherit pkgs;};
 in {
   imports = [
-    <home-manager/nixos>
-    <niveum/modules/system-dependent.nix>
+    inputs.self.nixosModules.system-dependent
+    inputs.self.nixosModules.traadfri
+    inputs.self.nixosModules.power-action
     {
       boot.supportedFilesystems = ["ntfs"];
     }
-    {
-      nix.nixPath = [
-        "/var/src"
-        "nixpkgs-overlays=${toString ../overlays}"
-      ];
-    }
     {
       nixpkgs = {
         config = {
           allowUnfree = true;
           packageOverrides = pkgs: {
             dmenu = pkgs.writers.writeDashBin "dmenu" ''exec ${pkgs.rofi}/bin/rofi -dmenu "$@"'';
-            gfs-fonts = pkgs.callPackage <niveum/packages/gfs-fonts.nix> {};
-            tocharian-font = pkgs.callPackage <niveum/packages/tocharian-font.nix> {};
-            iolanguage = pkgs.callPackage <niveum/packages/iolanguage.nix> {};
-            ix = pkgs.callPackage <niveum/packages/ix.nix> {};
           };
           permittedInsecurePackages = [
             "qtwebkit-5.212.0-alpha4"
@@ -43,6 +34,22 @@ in {
       boot.cleanTmpDir = true;
       boot.loader.timeout = 1;
     }
+    {
+      age.secrets = {
+        di-fm-key = {
+          file = ../secrets/di-fm-key.age;
+          owner = config.users.users.me.name;
+          group = config.users.users.me.group;
+          mode = "400";
+        };
+        restic = {
+          file = ../secrets/restic.age;
+          owner = config.users.users.me.name;
+          group = config.users.users.me.group;
+          mode = "400";
+        };
+      };
+    }
     {
       home-manager.users.me = {
         programs.zathura = {
@@ -86,7 +93,7 @@ in {
           cd "$(mktemp -d)"
           pwd
         '';
-        swallow = command: "${scripts.swallow}/bin/swallow ${command}";
+        swallow = command: "${niveumPackages.swallow}/bin/swallow ${command}";
       in {
         "ß" = "${pkgs.util-linux}/bin/setsid";
         cat = "${pkgs.bat}/bin/bat --style=plain";
@@ -226,7 +233,6 @@ in {
     ./clipboard.nix
     ./cloud.nix
     ./direnv.nix
-    ./distrobump.nix
     ./docker.nix
     ./dunst.nix
     ./flix.nix
@@ -244,7 +250,7 @@ in {
     ./neovim.nix
     ./nix.nix
     ./newsboat.nix
-    ./flameshot-once.nix
+    ./flameshot.nix
     ./packages.nix
     ./picom.nix
     ./stardict.nix
@@ -262,10 +268,9 @@ in {
     ./sshd.nix
     ./sound.nix
     ./sudo.nix
-    ./nsxiv.nix
     ./themes.nix
     ./tmux.nix
-    # ./traadfri.nix
+    ./traadfri.nix
     ./unclutter.nix
     ./vscode.nix
     ./watson.nix

configs/dunst.nix

@@ -3,7 +3,7 @@
   pkgs,
   ...
 }: let
-  inherit (import <niveum/lib>) defaultApplications colours theme;
+  inherit (import ../lib) defaultApplications colours theme;
 in {
   home-manager.users.me.services.dunst = {
     enable = true;

configs/flameshot-once.nix

@@ -1,52 +0,0 @@
-{
-  lib,
-  pkgs,
-  ...
-}: let
-  inherit (import <niveum/lib>) defaultApplications;
-  flameshot-once = pkgs.callPackage <stockholm/krebs/5pkgs/simple/flameshot-once> {};
-in {
-  environment.systemPackages = [
-    (flameshot-once.override {
-      name = "flameshot-once-kmein";
-      config = {
-        imgur = {
-          enable = true;
-          createUrl = "http://p.r/image";
-          deleteUrl = "http://p.r/image/delete/%1";
-          xdg-open.browser = (defaultApplications pkgs).browser;
-        };
-        settings.General = {
-          autoCloseIdleDaemon = true;
-          drawColor = "#ff0000";
-          drawThickness = 2;
-          checkForUpdates = false;
-          showDesktopNotification = true;
-          disabledTrayIcon = true;
-          showHelp = false;
-          squareMagnifier = true;
-          uploadWithoutConfirmation = true;
-          buttons = [
-            "TYPE_ARROW"
-            "TYPE_CIRCLE"
-            "TYPE_CIRCLECOUNT"
-            "TYPE_COPY"
-            "TYPE_DRAWER"
-            "TYPE_EXIT"
-            "TYPE_IMAGEUPLOADER"
-            "TYPE_MARKER"
-            "TYPE_MOVESELECTION"
-            "TYPE_PENCIL"
-            "TYPE_PIXELATE"
-            "TYPE_RECTANGLE"
-            "TYPE_SAVE"
-            "TYPE_SELECTION"
-            # "TYPE_SELECTIONINDICATOR"
-            "TYPE_TEXT"
-            "TYPE_UNDO"
-          ];
-        };
-      };
-    })
-  ];
-}

configs/flameshot.nix

@@ -0,0 +1,23 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  home-manager.users.me = {
+    services.flameshot = {
+      enable = true;
+      settings.General = {
+        autoCloseIdleDaemon = true;
+        drawColor = "#ff0000";
+        drawThickness = 2;
+        checkForUpdates = false;
+        showDesktopNotification = true;
+        disabledTrayIcon = true;
+        showHelp = false;
+        squareMagnifier = true;
+        uploadWithoutConfirmation = true;
+        buttons = ''@Variant(\0\0\0\x7f\0\0\0\vQList<int>\0\0\0\0\x10\0\0\0\x2\0\0\0\x5\0\0\0\x13\0\0\0\xa\0\0\0\x1\0\0\0\xc\0\0\0\xd\0\0\0\x6\0\0\0\x8\0\0\0\0\0\0\0\xf\0\0\0\x4\0\0\0\xb\0\0\0\x3\0\0\0\x12\0\0\0\x9)'';
+      };
+    };
+  };
+}

configs/flix.nix

@@ -4,14 +4,16 @@
   ...
 }: let
   flixLocation = "/media/flix";
+  flixLocationNew = "/media/flix-new";
   cacheLocation = "/var/cache/flix";
   indexFilename = "index";
+  indexFilenameNew = "index-new";
   flixUser = "flix";
   flixGroup = "users";
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  inherit (import ../lib) tmpfilesConfig;
 in {
   fileSystems.${flixLocation} = {
-    device = "prism.r:/export";
+    device = "prism.r:/export/download";
     fsType = "nfs";
     options = [
       "noauto"
@@ -26,6 +28,20 @@ in {
     ];
   };
 
+  fileSystems.${flixLocationNew} = {
+    device = "//yellow.r/public";
+    fsType = "cifs";
+    options = [
+      "guest"
+      "nofail"
+      "noauto"
+      "ro"
+      "x-systemd.automount"
+      "x-systemd.device-timeout=1"
+      "x-systemd.idle-timeout=1min"
+    ];
+  };
+
   systemd.tmpfiles.rules = [
     (tmpfilesConfig {
       type = "d";
@@ -39,7 +55,10 @@ in {
   systemd.services.flix-index = {
     description = "Flix indexing service";
     wants = ["network-online.target"];
-    script = "cp ${flixLocation}/download/index ./${indexFilename}";
+    script = ''
+      cp ${flixLocation}/index ./${indexFilename}
+      cp ${flixLocationNew}/index ./${indexFilenameNew}
+    '';
     startAt = "hourly";
     serviceConfig = {
       Type = "oneshot";
@@ -69,11 +88,10 @@ in {
     '')
     (pkgs.writers.writeDashBin "flixmenu" ''
       set -efu
-      cd "${flixLocation}/download"
-
-      [ -f "${cacheLocation}/${indexFilename}" ] || exit 1
-
-      ${pkgs.dmenu}/bin/dmenu -i -p flix -l 5 "$@" < ${cacheLocation}/${indexFilename} \
+      (
+        ${pkgs.gnused}/bin/sed 's#^\.#${flixLocation}#' ${cacheLocation}/${indexFilename}
+        ${pkgs.gnused}/bin/sed 's#^\.#${flixLocationNew}#' ${cacheLocation}/${indexFilenameNew}
+      ) | ${pkgs.dmenu}/bin/dmenu -i -p flix -l 5 "$@" \
         | ${pkgs.findutils}/bin/xargs -I '{}' ${pkgs.util-linux}/bin/setsid ${pkgs.xdg-utils}/bin/xdg-open '{}'
     '')
   ];

configs/fonts.nix

@@ -1,4 +1,8 @@
-{pkgs, ...}: let
+{
+  pkgs,
+  niveumPackages,
+  ...
+}: let
   zip-font = name: arguments: let
     directory = pkgs.fetchzip arguments;
   in
@@ -76,7 +80,7 @@ in {
       font-awesome
       galatia-sil
       gentium
-      gfs-fonts
+      niveumPackages.gfs-fonts
       gyre-fonts
       ibm-plex
       jetbrains-mono
@@ -96,7 +100,7 @@ in {
       source-sans-pro
       source-serif-pro
       theano
-      tocharian-font
+      niveumPackages.tocharian-font
       vistafonts
       vollkorn
       zilla-slab

configs/git.nix

@@ -2,9 +2,10 @@
   pkgs,
   config,
   lib,
+  inputs,
   ...
 }: let
-  inherit (import <niveum/lib>) kieran ignorePaths;
+  inherit (import ../lib) kieran ignorePaths;
 in {
   environment.systemPackages = [
     pkgs.mr
@@ -18,7 +19,7 @@ in {
     pkgs.gitstats
     pkgs.patch
     pkgs.patchutils
-    pkgs.git-preview
+    inputs.self.packages.x86_64-linux.git-preview
   ];
 
   environment.shellAliases = {

configs/hledger.nix

@@ -3,11 +3,12 @@
   pkgs,
   ...
 }: {
-  imports = [<niveum/modules/hledger.nix>];
-
   environment.systemPackages = let
-    timeLedger = "$HOME/projects/ledger/time.timeclock";
+    ledgerDirectory = "$HOME/projects/ledger";
+    timeLedger = "${ledgerDirectory}/time.timeclock";
+    git = "${pkgs.git}/bin/git -C ${ledgerDirectory}";
   in [
+    pkgs.hledger
     (pkgs.writers.writeDashBin "hora-edit" ''
       $EDITOR + "${timeLedger}" && ${pkgs.git}/bin/git -C "$(${pkgs.coreutils}/bin/dirname ${timeLedger})" commit --all --message "$(${pkgs.coreutils}/bin/date -Im)"
     '')
@@ -21,16 +22,18 @@
         | sed 's/(fillidefilla:\(.*\))/\1/g' \
         | xsv select date,amount,total,account,description
     '')
-  ];
 
-  niveum.hledger = {
-    enable = true;
-    ledgerFile = "$HOME/projects/ledger/all.journal";
-    server = {
-      enable = false;
-      user = config.users.users.me;
-      package = pkgs.hledger-web;
-    };
-    package = pkgs.hledger;
-  };
+    (pkgs.writers.writeDashBin "hledger-git" ''
+      if [ "$1" = entry ]; then
+        ${pkgs.hledger}/bin/hledger balance -V > "${ledgerDirectory}/balance.txt"
+        ${git} add balance.txt
+        ${git} commit --all --message="$(date -Im)"
+      else
+        ${git} $*
+      fi
+    '')
+    (pkgs.writers.writeDashBin "hledger-edit" ''
+      $EDITOR ${ledgerDirectory}/current.journal
+    '')
+  ];
 }

configs/hu-berlin.nix

@@ -5,7 +5,7 @@
   ...
 }: let
   inherit (lib.strings) fileContents;
-  inherit (import <niveum/lib>) sshPort;
+  inherit (import ../lib) sshPort;
   eduroam = {
     identity = fileContents <secrets/eduroam/identity>;
     password = fileContents <secrets/eduroam/password>;
@@ -15,10 +15,9 @@
     "gid=${toString config.users.groups.users.gid}"
     "sec=ntlmv2"
     "workgroup=german"
-    "username=meinhaki"
-    "password=${lib.strings.fileContents <secrets/mail/meinhaki>}"
+    "credentials=${config.age.secrets.cifs-credentials-hu-berlin.path}"
     "noauto"
-    "x-systemd.requires=hu-vpn.service"
+    # "x-systemd.requires=hu-vpn.service"
     "x-systemd.automount"
     "x-systemd.device-timeout=1"
     "x-systemd.idle-timeout=1min"
@@ -36,6 +35,8 @@ in {
     options = hu-berlin-cifs-options;
   };
 
+  age.secrets.cifs-credentials-hu-berlin.file = ../secrets/cifs-credentials-hu-berlin.age;
+
   home-manager.users.me.programs.ssh = {
     matchBlocks = {
       "alew.hu-berlin.de" = {
@@ -65,16 +66,21 @@ in {
   systemd.services.hu-vpn = {
     enable = true;
     wants = ["network-online.target"];
+    serviceConfig.LoadCredential = "password:${config.age.secrets.email-password-meinhark.path}";
     script = ''
-      ${pkgs.openfortivpn}/bin/openfortivpn -c ${
+      if ${pkgs.wirelesstools}/bin/iwgetid | ${pkgs.gnugrep}/bin/grep --invert-match eduroam
+      then
+        ${pkgs.openfortivpn}/bin/openfortivpn \
+          --password="$(cat "$CREDENTIALS_DIRECTORY/password")" \
+          --config=${
         pkgs.writeText "hu-berlin.config" ''
           host = forti-ssl.vpn.hu-berlin.de
           port = 443
-          trusted-cert = 42193a913d276d9eb86217612956e1e6464d6f07bed5393a4787c87adc4bd359
-          username = ${eduroam.identity}
-          password = ${eduroam.password}
+          username = meinhark
+          trusted-cert = 9e5dea8e077970d245900839f437ef7fb9551559501c7defd70af70ea568573d
         ''
       }
+      fi
     '';
   };
 }

configs/i3.nix

@@ -2,12 +2,12 @@
   config,
   pkgs,
   lib,
+  niveumPackages,
   ...
 }: let
-  inherit (import <niveum/lib>) defaultApplications colours;
-  scripts = import <niveum/packages/scripts> {inherit pkgs lib;};
-  klem = import <niveum/packages/scripts/klem.nix> {
-    inherit pkgs lib;
+  inherit (import ../lib) defaultApplications colours;
+  klem = niveumPackages.klem.override {
+    config.dmenu = "${pkgs.dmenu}/bin/dmenu -i -p klem";
     config.scripts = {
       "p.r" = pkgs.writers.writeDash "p.r" ''
         ${pkgs.curl}/bin/curl -fSs http://p.r --data-binary @- \
@@ -36,10 +36,10 @@
         ${pkgs.coreutils}/bin/tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
       '';
       "ipa" = pkgs.writers.writeDash "ipa" ''
-        ${scripts.ipa}/bin/ipa
+        ${niveumPackages.ipa}/bin/ipa
       '';
       "betacode" = pkgs.writers.writeDash "betacode" ''
-        ${scripts.betacode}/bin/betacode
+        ${niveumPackages.betacode}/bin/betacode
       '';
       "curl" = pkgs.writers.writeDash "curl" ''
         ${pkgs.curl}/bin/curl -fSs "$(${pkgs.coreutils}/bin/cat)"
@@ -47,6 +47,9 @@
       ocr = pkgs.writers.writeDash "ocr" ''
         ${pkgs.tesseract4}/bin/tesseract -l eng+deu - stdout
       '';
+      emojai = pkgs.writers.writeDash "emojai" ''
+        ${pkgs.curl}/bin/curl https://www.emojai.app/api/generate -X POST -H 'Content-Type: application/json' --data-raw "$(${pkgs.jq}/bin/jq -sR '{emoji:.}')" | ${pkgs.jq}/bin/jq -r .result
+      '';
     };
   };
 
@@ -57,6 +60,23 @@
     i3-msg move container to workspace $(($(i3-msg -t get_workspaces | tr , '\n' | grep '"num":' | cut -d : -f 2 | sort -rn | head -1) + 1))
   '';
 in {
+  age.secrets = {
+    github-token-i3status-rust = {
+      file = ../secrets/github-token-i3status-rust.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+    openweathermap-api-key = {
+      file = ../secrets/openweathermap-api-key.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+  };
+
+  programs.slock.enable = true;
+
   services.xserver = {
     displayManager.defaultSession = "none+i3";
     windowManager.i3 = {
@@ -79,14 +99,19 @@ in {
     '';
   };
 
-  home-manager.users.me.xsession.windowManager.i3 = {
+  home-manager.users.me.xsession.windowManager.i3 = let
+    modifier = "Mod4";
+  in {
     enable = true;
+    extraConfig = ''
+      bindsym --release ${modifier}+Shift+w exec /run/wrappers/bin/slock
+    '';
     config = rec {
       fonts = {
         names = ["Sans"];
         size = 10.0;
       };
-      modifier = "Mod4";
+      inherit modifier;
       window = {
         titlebar = false;
         border = 1;
@@ -175,13 +200,17 @@ in {
               text = colours.foreground;
             };
           };
-          statusCommand = "env I3RS_GITHUB_TOKEN=${lib.strings.fileContents <secrets/github/notification.token>} ${pkgs.i3status-rust}/bin/i3status-rs ${
-            (pkgs.formats.toml {}).generate "i3status-rust.toml" (import <niveum/lib/i3status-rust.nix> {
-              inherit (config.niveum) batteryName wirelessInterface;
-              inherit colours;
-              inherit pkgs;
-            })
-          }";
+          statusCommand = toString (pkgs.writers.writeDash "i3status-rust" ''
+            export I3RS_GITHUB_TOKEN="$(cat ${config.age.secrets.github-token-i3status-rust.path})"
+            export OPENWEATHERMAP_API_KEY="$(cat ${config.age.secrets.openweathermap-api-key.path})"
+            ${pkgs.i3status-rust}/bin/i3status-rs ${
+              (pkgs.formats.toml {}).generate "i3status-rust.toml" (import ../lib/i3status-rust.nix {
+                inherit (config.niveum) batteryName wirelessInterface;
+                inherit (config.home-manager.users.me.accounts.email) accounts;
+                inherit colours;
+                inherit pkgs;
+              })
+            }'');
         }
       ];
       modes.resize = {
@@ -235,9 +264,8 @@ in {
         "${modifier}+Return" = "exec ${(defaultApplications pkgs).terminal}";
         "${modifier}+t" = "exec ${(defaultApplications pkgs).fileManager}";
         "${modifier}+y" = "exec ${(defaultApplications pkgs).browser}";
-        "${modifier}+0" = "exec ${scripts.menu-calc}/bin/=";
+        "${modifier}+0" = "exec ${niveumPackages.menu-calc}/bin/=";
 
-        "${modifier}+Shift+w" = "exec ${scripts.k-lock}/bin/k-lock";
         "${modifier}+d" = "exec ${pkgs.writers.writeDash "run" ''exec rofi -modi run,ssh,window -show run''}";
         "${modifier}+Shift+d" = "exec ${
           pkgs.writers.writeDash "notemenu" ''
@@ -260,16 +288,22 @@ in {
         }";
         "${modifier}+p" = "exec rofi-pass";
         "${modifier}+Shift+p" = "exec rofi-pass --insert";
-        "${modifier}+u" = "exec ${scripts.unicodmenu}/bin/unicodmenu";
+        "${modifier}+u" = "exec ${niveumPackages.unicodmenu}/bin/unicodmenu";
 
         "${modifier}+F6" = "exec ${pkgs.xorg.xkill}/bin/xkill";
-        "${modifier}+F7" = "exec ${scripts.showkeys-toggle}/bin/showkeys-toggle";
+        "${modifier}+F7" = "exec ${pkgs.writers.writeDash "showkeys-toggle" ''
+          if ${pkgs.procps}/bin/pgrep screenkey; then
+            exec ${pkgs.procps}/bin/pkill screenkey
+          else
+            exec ${pkgs.screenkey}/bin/screenkey
+          fi
+        ''}";
         "${modifier}+F8" = "exec switch-theme toggle";
         "${modifier}+F9" = "exec ${pkgs.redshift}/bin/redshift -O 4000 -b 0.85";
         "${modifier}+F10" = "exec ${pkgs.redshift}/bin/redshift -x";
         "${modifier}+F11" = "exec ${pkgs.xcalib}/bin/xcalib -invert -alter";
         "${modifier}+F12" = "exec ${klem}/bin/klem";
-        "Print" = "exec flameshot-once";
+        "Print" = "exec flameshot gui";
         "XF86AudioLowerVolume" = "exec ${pkgs.pamixer}/bin/pamixer -d 5";
         "XF86AudioMute" = "exec ${pkgs.pamixer}/bin/pamixer -t";
         "XF86AudioRaiseVolume" = "exec ${pkgs.pamixer}/bin/pamixer -i 5";
@@ -279,9 +313,9 @@ in {
         "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
         "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
         "XF86AudioStop" = "exec ${pkgs.playerctl}/bin/playerctl stop";
-        "XF86ScreenSaver" = "exec ${scripts.k-lock}/bin/k-lock";
+        "XF86ScreenSaver" = "exec ${niveumPackages.k-lock}/bin/k-lock";
 
-        "XF86Display" = "exec ${scripts.dmenurandr}/bin/dmenurandr";
+        "XF86Display" = "exec ${niveumPackages.dmenu-randr}/bin/dmenu-randr";
 
         # key names detected with xorg.xev:
         # XF86WakeUp (fn twice)

configs/khal.nix

@@ -8,14 +8,29 @@
   kmeinCloud = {
     davEndpoint = "https://cloud.xn--kiern-0qa.de/remote.php/dav";
     username = "kieran";
-    password = lib.fileContents <secrets/nextcloud/password>;
+    passwordFile = config.age.secrets.nextcloud-password-kieran.path;
   };
   fysiCloud = {
     davEndpoint = "https://nextcloud.fysi.dev/remote.php/dav";
     username = "kmein";
-    password = lib.fileContents <secrets/nextcloud-fysi/password>;
+    passwordFile = config.age.secrets.nextcloud-password-fysi.path;
   };
 in {
+  age.secrets = {
+    nextcloud-password-kieran = {
+      file = ../secrets/nextcloud-password-kieran.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+    nextcloud-password-fysi = {
+      file = ../secrets/nextcloud-password-fysi.age;
+      owner = config.users.users.me.name;
+      group = config.users.users.me.group;
+      mode = "400";
+    };
+  };
+
   environment.systemPackages = [
     pkgs.khal
     pkgs.vdirsyncer
@@ -167,19 +182,19 @@ in {
         type = "carddav"
         url = "${kmeinCloud.davEndpoint}/addressbooks/users/${kmeinCloud.username}/"
         username = "${kmeinCloud.username}"
-        password = "${kmeinCloud.password}"
+        password.fetch = ["command", "cat", "${kmeinCloud.passwordFile}"]
 
         [storage kalender_cloud]
         type = "caldav"
         url = "${kmeinCloud.davEndpoint}/calendars/${kmeinCloud.username}/"
         username = "${kmeinCloud.username}"
-        password = "${kmeinCloud.password}"
+        password.fetch = ["command", "cat", "${kmeinCloud.passwordFile}"]
 
         [storage fysi_cloud]
         type = "caldav"
         url = "${fysiCloud.davEndpoint}/calendars/${fysiCloud.username}/"
         username = "${fysiCloud.username}"
-        password = "${fysiCloud.password}"
+        password.fetch = ["command", "cat", "${fysiCloud.passwordFile}"]
       '';
     };
   };

configs/mpv.nix

@@ -2,10 +2,10 @@
   pkgs,
   lib,
   config,
+  niveumPackages,
   ...
 }: let
-  scripts = import <niveum/packages/scripts> {inherit pkgs lib;};
-  swallow = command: "${scripts.swallow}/bin/swallow ${command}";
+  swallow = command: "${niveumPackages.swallow}/bin/swallow ${command}";
 in {
   environment.shellAliases.smpv = swallow "mpv";
 
@@ -37,7 +37,7 @@ in {
       };
       scripts = [
         pkgs.mpvScripts.youtube-quality
-        (pkgs.callPackage <niveum/packages/mpv-visualizer.nix> {})
+        niveumPackages.mpv-visualizer
       ];
     };
   };

configs/neovim.nix

@@ -1,30 +1,22 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  niveumPackages,
+  ...
+}: {
   environment.variables.EDITOR = pkgs.lib.mkForce "nvim";
   environment.shellAliases.vi = "nvim";
   environment.shellAliases.vim = "nvim";
   environment.shellAliases.view = "nvim -R";
 
-  nixpkgs.config.packageOverrides = pkgs: {
-    vimPlugins =
-      pkgs.vimPlugins
-      // {
-        cheat-sh-vim = pkgs.callPackage <niveum/packages/vimPlugins/cheat-sh.nix> {};
-        vim-fetch = pkgs.callPackage <niveum/packages/vimPlugins/vim-fetch.nix> {};
-        vim-colors-paramount = pkgs.callPackage <niveum/packages/vimPlugins/vim-colors-paramount.nix> {};
-        vim-256noir = pkgs.callPackage <niveum/packages/vimPlugins/vim-256noir.nix> {};
-        icalendar-vim = pkgs.callPackage <niveum/packages/vimPlugins/icalendar-vim.nix> {};
-        jq-vim = pkgs.callPackage <niveum/packages/vimPlugins/jq-vim.nix> {};
-        vim-fsharp = pkgs.callPackage <niveum/packages/vimPlugins/vim-fsharp.nix> {};
-        vim-reason-plus = pkgs.callPackage <niveum/packages/vimPlugins/vim-reason-plus.nix> {};
-        vim-mail = pkgs.callPackage <niveum/packages/vimPlugins/vim-mail.nix> {};
-      };
-  };
-
   environment.systemPackages = [
     (pkgs.writers.writeDashBin "vim" ''neovim "$@"'')
     (pkgs.neovim.override {
       configure = {
-        customRC = builtins.readFile <niveum/lib/vim/init.vim>;
+        customRC = ''
+          source ${../lib/vim/init.vim}
+
+          luafile ${../lib/vim/init.lua}
+        '';
         packages.nvim = with pkgs.vimPlugins; {
           start = [
             ale
@@ -34,11 +26,12 @@
             undotree
             tabular
             # vimwiki
-            vim-colors-paramount
+            niveumPackages.vimPlugins-vim-colors-paramount
+            nvim-lspconfig
             vim-commentary
             vim-css-color
             vim-eunuch
-            vim-fetch
+            niveumPackages.vimPlugins-vim-fetch
             vim-fugitive
             vim-gitgutter
             vim-repeat
@@ -61,8 +54,8 @@
             elm-vim
             emmet-vim
             haskell-vim
-            icalendar-vim
-            jq-vim
+            niveumPackages.vimPlugins-icalendar-vim
+            niveumPackages.vimPlugins-jq-vim
             rust-vim
             typescript-vim
             vim-javascript
@@ -71,7 +64,7 @@
             vimtex
             vim-pandoc
             vim-pandoc-syntax
-            vim-256noir
+            niveumPackages.vimPlugins-vim-256noir
           ];
         };
       };

configs/networkmanager.nix

@@ -42,8 +42,6 @@
     };
   };
 in {
-  imports = [<niveum/modules/networkmanager-declarative.nix>];
-
   programs.nm-applet.enable = true;
 
   networking.networkmanager = {
@@ -55,39 +53,6 @@ in {
     wifi.macAddress = "random";
     ethernet.macAddress = "random";
     unmanaged = ["docker*"];
-    profiles = lib.mapAttrs profile {
-      Aether = {
-        connection.uuid = "7138bb0f-1aeb-4905-890e-a6628427aa21";
-        ipv6.addr-gen-mode = "stable";
-        wifi.cloned-mac-address = "stable";
-        wifi-security = {
-          psk = lib.strings.fileContents <secrets/wifi/Aether.psk>;
-          auth-alg = "open";
-          key-mgmt = "wpa-psk";
-        };
-      };
-      FactoryCommunityGuest = {
-        connection.uuid = "fb1f2e52-651e-48b5-a72c-1accddf31afb";
-        connection.timestamp = "1631885129";
-        wifi.seen-bssids = "54:EC:2F:19:30:DC;54:EC:2F:19:5C:9C;54:EC:2F:58:E4:3C;";
-        wifi-security = {
-          psk = "Factory4ever";
-          auth-alg = "open";
-          key-mgmt = "wpa-psk";
-        };
-      };
-      o2-WLAN66 = {
-        connection.uuid = "c563aec3-f344-4ffb-8d1c-60a6cdac8fe0";
-        wifi-security = {
-          psk = "PK3468KV488T934U";
-          auth-alg = "open";
-          key-mgmt = "wpa-psk";
-        };
-      };
-      "WIFI@DB".connection.uuid = "4eff4e94-8850-4e9f-a338-1787d0d90479";
-      eduroam = eduroamProfile;
-      eduroam_5GHz = eduroamProfile;
-    };
   };
 
   users.users.me.extraGroups = ["networkmanager"];

configs/newsboat.nix

@@ -4,8 +4,6 @@
   lib,
   ...
 }: let
-  scripts = import <niveum/packages/scripts> {inherit pkgs lib;};
-
   ytdl-format = "'bestvideo[height<=?720][fps<=?30][vcodec!=?vp9]+bestaudio/best'";
 
   youtube-download = "${pkgs.ts}/bin/ts ${pkgs.yt-dlp}/bin/yt-dlp -f ${ytdl-format} --add-metadata";

configs/nix.nix

@@ -1,13 +1,9 @@
 {pkgs, ...}: {
   nixpkgs = {
     config.allowUnfree = true;
-    overlays = [
-      (import <nix-writers/pkgs>)
-      (import <stockholm/krebs/5pkgs>)
-    ];
   };
   nix = {
-    package = pkgs.nixUnstable;
+    package = pkgs.nixFlakes;
     extraOptions = "experimental-features = nix-command flakes";
   };
 }

configs/nsxiv.nix

@@ -1,66 +0,0 @@
-{
-  pkgs,
-  lib,
-  ...
-}: let
-  important-directories = pkgs.writeText "directories" ''
-    h	~/
-    d	~/cloud/Dropbox/
-    g	~/cloud/gdrive/
-    s	~/cloud/Seafile/
-    kk	~/cloud/keybase/private/kmein/
-    kp	~/cloud/keybase/public/kmein/
-    t	/tmp
-    D	~/Downloads
-    cf	''${XDG_CONFIG_HOME:-$HOME/.config}
-  '';
-in {
-  environment.systemPackages = [pkgs.nsxiv];
-
-  # TODO fix
-  home-manager.users.me.xdg.configFile."nsxiv/exec/key-handler".source = pkgs.writers.writeDash "key-handler" ''
-    PATH=$PATH:${
-      lib.makeBinPath [
-        pkgs.gnused
-        pkgs.gawk
-        pkgs.dmenu
-        pkgs.coreutils
-        pkgs.libnotify
-        pkgs.imagemagick
-        pkgs.xclip
-      ]
-    }
-
-    echo >&2 key "$1" pressed
-    while read file; do
-        case "$1" in
-        "c")
-          [ -z "$destdir" ] && destdir="$(sed "s/\s.*#.*$//;/^\s*$/d" ${important-directories} | awk '{print $2}' | dmenu -l 20 -i -p "Copy file(s) to where?" | sed "s|~|$HOME|g")"
-          [ -z "$destdir" ] && exit
-          [ ! -d "$destdir" ] && notify-send "$destdir is not a directory, cancelled." && exit
-          cp "$file" "$destdir" && notify-send -i "$(readlink -f "$file")" "$file copied to $destdir." &
-          ;;
-        "m")
-          [ -z "$destdir" ] && destdir="$(sed "s/\s.*#.*$//;/^\s*$/d" ${important-directories} | awk '{print $2}' | dmenu -l 20 -i -p "Move file(s) to where?" | sed "s|~|$HOME|g")"
-          [ -z "$destdir" ] && exit
-          [ ! -d "$destdir" ] && notify-send "$destdir is not a directory, cancelled." && exit
-          mv "$file" "$destdir" && notify-send -i "$(readlink -f "$file")" "$file moved to $destdir." &
-          ;;
-        "r")
-          convert -rotate 90 "$file" "$file" ;;
-        "R")
-          convert -rotate -90 "$file" "$file" ;;
-        "f")
-          convert -flop "$file" "$file" ;;
-        "y")
-          echo -n "$file" | xclip -selection clipboard &&
-          notify-send "$file copied to clipboard" & ;;
-        "Y")
-          readlink -f "$file" | xclip -selection clipboard &&
-            notify-send "$(readlink -f "$file") copied to clipboard" & ;;
-        "d")
-          [ "$(printf "No\\nYes" | dmenu -i -p "Really delete $file?")" = "Yes" ] && rm "$file" && notify-send "$file deleted." ;;
-        esac
-      done
-  '';
-}

configs/packages.nix

@@ -1,14 +1,12 @@
 {
+  config,
   pkgs,
   lib,
+  inputs,
+  niveumPackages,
   ...
 }: let
-  hc = pkgs.callPackage <stockholm/tv/5pkgs/simple/hc.nix> {utillinux = pkgs.util-linux;};
-  worldradio = pkgs.callPackage <niveum/packages/worldradio.nix> {};
-  menstruation = pkgs.callPackage <menstruation-backend> {};
-  pandoc-doc = pkgs.callPackage <niveum/packages/man/pandoc.nix> {};
-
-  scripts = import <niveum/packages/scripts> {inherit pkgs lib;};
+  worldradio = pkgs.callPackage ../packages/worldradio.nix {};
 
   zoteroStyle = {
     name,
@@ -55,8 +53,6 @@
         ' $out/astrolog/astrolog.as
       '';
     });
-
-  recht = pkgs.callPackage <recht> {};
 in {
   home-manager.users.me.home.file = {
     ".csl".source = cslDirectory;
@@ -79,6 +75,7 @@ in {
     ffmpeg
     imagemagick
     exiftool
+    nsxiv
     # ARCHIVE TOOLS
     unzip
     unrar
@@ -137,68 +134,65 @@ in {
     okular # the word is nucular
     xournalpp # for annotating pdfs
     pdfpc # presenter console for pdf slides
-    hc # print files as qr codes
+    niveumPackages.hc # print files as qr codes
     yt-dlp
     espeak
     bc # calculator
     pari # gp -- better calculator
     rink # unit converter
-    scripts.auc
-    scripts.stackoverflow
-    scripts.infschmv
-    scripts.qrpaste
-    scripts.ttspaste
-    scripts.new-mac # get a new mac address
-    scripts.scanned
-    scripts.default-gateway
-    scripts.showkeys-toggle
-    scripts.kirciuoklis
-    scripts.favicon
-    scripts.heuretes
-    scripts.ipa # XSAMPA to IPA converter
-    scripts.playlist
-    scripts.mpv-tv
-    scripts.devanagari
-    scripts.betacode # ancient greek betacode to unicode converter
-    scripts.meteo
-    scripts.mahlzeit
-    recht
-    scripts.vimv
-    scripts.swallow # window swallowing
-    scripts.literature-quote
+    niveumPackages.auc
+    niveumPackages.cheat-sh
+    niveumPackages.infschmv
+    niveumPackages.qrpaste
+    niveumPackages.ttspaste
+    niveumPackages.new-mac # get a new mac address
+    niveumPackages.scanned
+    niveumPackages.default-gateway
+    niveumPackages.kirciuoklis
+    niveumPackages.image-convert-favicon
+    niveumPackages.heuretes
+    niveumPackages.ipa # XSAMPA to IPA converter
+    niveumPackages.pls
+    niveumPackages.mpv-tv
+    niveumPackages.devanagari
+    niveumPackages.betacode # ancient greek betacode to unicode converter
+    niveumPackages.meteo
+    niveumPackages.mahlzeit
+    niveumPackages.vimv
+    niveumPackages.swallow # window swallowing
+    niveumPackages.literature-quote
     jless # less(1) for json
-    scripts.notetags
-    scripts.booksplit
-    scripts.dmenurandr
-    scripts.interdimensional-cable
-    scripts.dmenubluetooth
-    scripts.manual-sort
-    scripts.much-scripts
-    scripts.dns-sledgehammer
+    niveumPackages.booksplit
+    niveumPackages.dmenu-randr
+    niveumPackages.dmenu-bluetooth
+    niveumPackages.manual-sort
+    niveumPackages.dns-sledgehammer
     ts
-    scripts.vg
-    scripts.fkill
-    scripts.wttr
-    scripts.unicodmenu
-    scripts.closest
-    scripts.trans
-    scripts.mpv-radio
+    niveumPackages.vg
+    niveumPackages.fkill
+    niveumPackages.wttr
+    niveumPackages.unicodmenu
+    niveumPackages.closest
+    niveumPackages.trans
+    (niveumPackages.mpv-radio.override {
+      di-fm-key-file = config.age.secrets.di-fm-key.path;
+    })
     # kmein.slide
     termdown
-    scripts.alarm
-    scripts.tolino-screensaver
-    scripts.rfc
-    scripts.tag
-    scripts.timer
-    python3Packages.eyeD3
-    scripts.menu-calc
+    niveumPackages.image-convert-tolino
+    niveumPackages.rfc
+    niveumPackages.tag
+    niveumPackages.timer
+    niveumPackages.menu-calc
     nix-prefetch-git
-    scripts.nix-git
+    niveumPackages.nix-git
     nixfmt
     par
     qrencode
 
-    menstruation
+    inputs.menstruation-backend.defaultPackage.x86_64-linux
+    inputs.agenix.packages.x86_64-linux.default
+    inputs.recht.defaultPackage.x86_64-linux
 
     (pkgs.writers.writeDashBin "worldradio" ''
       shuf ${worldradio} | ${pkgs.findutils}/bin/xargs ${pkgs.mpv}/bin/mpv --no-video
@@ -208,24 +202,24 @@ in {
       ${pkgs.openssh}/bin/ssh makanek "cd /var/lib/weechat/logs && grep --ignore-case --color=always --recursive $@" | ${pkgs.less}/bin/less --raw-control-chars
     '')
 
-    (pkgs.writers.writeDashBin "ncmpcpp-zaatar" ''MPD_HOST=${(import <niveum/lib/local-network.nix>).zaatar} exec ${pkgs.ncmpcpp}/bin/ncmpcpp "$@"'')
-    (pkgs.writers.writeDashBin "mpc-zaatar" ''MPD_HOST=${(import <niveum/lib/local-network.nix>).zaatar} exec ${pkgs.mpc_cli}/bin/mpc "$@"'')
+    (pkgs.writers.writeDashBin "ncmpcpp-zaatar" ''MPD_HOST=${(import ../lib/local-network.nix).zaatar} exec ${pkgs.ncmpcpp}/bin/ncmpcpp "$@"'')
+    (pkgs.writers.writeDashBin "mpc-zaatar" ''MPD_HOST=${(import ../lib/local-network.nix).zaatar} exec ${pkgs.mpc_cli}/bin/mpc "$@"'')
+
+    inputs.scripts.packages.x86_64-linux.alarm
 
     spotify
     ncspot
     playerctl
 
     nix-index
-    scripts.nix-index-update
+    niveumPackages.nix-index-update
 
     #krebs
-    dic
-    cyberlocker-tools
-    untilport
-    kpaste
-    irc-announce
-    git-preview
-    ircaids
+    niveumPackages.dic
+    niveumPackages.cyberlocker-tools
+    niveumPackages.untilport
+    niveumPackages.kpaste
+    config.nur.repos.mic92.ircsink
 
     (python3.withPackages (py: [
       py.black
@@ -239,6 +233,13 @@ in {
     ]))
     # python3Packages.poetry
 
+    # language servers
+    pyright
+    haskell-language-server
+    texlab
+    nil
+    rust-analyzer
+
     html-tidy
     nodePackages.csslint
     nodePackages.jsonlint
@@ -252,14 +253,14 @@ in {
     latexrun
     (aspellWithDicts (dict: [dict.de dict.en dict.en-computers]))
     # haskellPackages.pandoc-citeproc
-    scripts.text2pdf
+    niveumPackages.text2pdf
     lowdown
     glow # markdown to term
     libreoffice
     # gnumeric
     dia
     pandoc
-    pandoc-doc
+    niveumPackages.man-pandoc
     # proselint
     asciidoctor
     wordnet
@@ -270,11 +271,17 @@ in {
     shellcheck
 
     (pkgs.writers.writeDashBin "hass-cli" ''
-      HASS_SERVER=http://zaatar.r:8123 HASS_TOKEN=${lib.strings.fileContents <secrets/hass/token>} exec ${pkgs.home-assistant-cli}/bin/hass-cli "$@"
+      HASS_SERVER=http://zaatar.r:8123 HASS_TOKEN="$(cat ${config.age.secrets.home-assistant-token.path})"  exec ${pkgs.home-assistant-cli}/bin/hass-cli "$@"
     '')
-    scripts.rofi-hass
   ];
 
+  age.secrets.home-assistant-token = {
+    file = ../secrets/home-assistant-token.age;
+    owner = config.users.users.me.name;
+    group = config.users.users.me.group;
+    mode = "400";
+  };
+
   home-manager.users.me.xdg.configFile."pycodestyle".text = ''
     [pycodestyle]
     max-line-length = 110

configs/picom.nix

@@ -3,10 +3,23 @@
     enable = true;
     activeOpacity = 1;
     fade = true;
-    fadeDelta = 5;
+    fadeDelta = 1;
     inactiveOpacity = 0.9;
     shadow = true;
     menuOpacity = 0.9;
     shadowOpacity = 0.3;
+    fadeExclude = [
+      "class_g = 'slock'" # don't want a transparent lock screen!
+      "name *?= 'slock'"
+      "focused = 1"
+    ];
+    opacityRules = [
+      # opacity-rule overrides both inactive and active opacity
+
+      # video in browser tabs
+      # substring /regex match of title bar text
+      "99:name *?= 'Youtube'"
+      "99:WM_CLASS@:s *= 'mpv$'"
+    ];
   };
 }

configs/power-action.nix

@@ -5,15 +5,13 @@
 }: let
   suspend = pkgs.writers.writeDash "suspend" "${pkgs.systemd}/bin/systemctl suspend";
 in {
-  imports = [<stockholm/krebs/3modules/power-action.nix>];
-
-  krebs.power-action = {
+  services.power-action = {
     enable = true;
     plans.suspend = {
       upperLimit = 7;
       lowerLimit = 0;
       charging = false;
-      action = pkgs.writeDash "suspend-wrapper" ''
+      action = pkgs.writers.writeDash "suspend-wrapper" ''
         /run/wrappers/bin/sudo ${suspend}
       '';
     };
@@ -21,6 +19,6 @@ in {
   };
 
   security.sudo.extraConfig = ''
-    ${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${suspend}
+    ${config.services.power-action.user} ALL= (root) NOPASSWD: ${suspend}
   '';
 }

configs/printing.nix

@@ -1,5 +1,5 @@
 {pkgs, ...}: let
-  inherit (import <niveum/lib>) localAddresses;
+  inherit (import ../lib) localAddresses;
   hp-driver = pkgs.hplip;
 in {
   services.printing = {

configs/retiolum.nix

@@ -3,14 +3,10 @@
   pkgs,
   ...
 }: {
-  imports = [
-    <retiolum/modules/retiolum>
-  ];
-
   networking.hosts = {"42:0:ca48:f98f:63d7:31ce:922b:245d" = ["go"];};
 
   services.tinc.networks.retiolum = {
-    rsaPrivateKeyFile = toString <system-secrets/retiolum.key>;
-    ed25519PrivateKeyFile = toString <system-secrets/retiolum.ed25519>;
+    rsaPrivateKeyFile = config.age.secrets.retiolum-rsa.path;
+    ed25519PrivateKeyFile = config.age.secrets.retiolum-ed25519.path;
   };
 }

configs/ssh.nix

@@ -4,24 +4,40 @@
   lib,
   ...
 }: let
-  inherit (import <niveum/lib>) sshPort kieran;
-  externalNetwork = import <niveum/lib/external-network.nix>;
+  inherit (import ../lib) sshPort kieran;
+  externalNetwork = import ../lib/external-network.nix;
   sshIdentity = name: "${config.users.users.me.home}/.ssh/${name}";
-  ssh-passphrase = lib.strings.fileContents <system-secrets/ssh/passphrase>;
 in {
-  services.xserver.displayManager.sessionCommands = toString (pkgs.writeScript "ssh-add" ''
-    #!${pkgs.expect}/bin/expect -f
-    spawn ${pkgs.openssh}/bin/ssh-add
-    expect "Enter passphrase for *:"
-    send "${ssh-passphrase}\n";
-    expect "Identity added: *"
-    interact
-  '');
-
-  programs.ssh.startAgent = true;
-
   users.users.me.openssh.authorizedKeys.keys = kieran.sshKeys pkgs;
 
+  home-manager.users.me = {
+    services.gpg-agent = rec {
+      enable = true;
+      enableSshSupport = true;
+      defaultCacheTtlSsh = 2 * 60 * 60;
+      maxCacheTtlSsh = 4 * defaultCacheTtlSsh;
+      sshKeys = [
+        "568047C91DE03A23883E340F15A9C24D313E847C"
+        "BB3EE102DB8CD45540A78A6B18B511B67061F6B4" # kfm@manakish ed25519
+        "3F8986755818B5762A096BE212777EAAC441DD9D" # fysiweb rsa
+        "0E4ABD229432486CC432639BB0986B2CDE365105" # agenix ed25519
+        "A1E8D32CBFCDBD2DE798E2298D795CCFD785AE06" # kfm@kabsa ed25519
+      ];
+    };
+  };
+
+  environment.extraInit = ''
+    if [[ -z "$SSH_AUTH_SOCK" ]]; then
+      export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)"
+    fi
+  '';
+
+  environment.interactiveShellInit = ''
+    GPG_TTY="$(tty)"
+    export GPG_TTY
+    ${pkgs.gnupg}/bin/gpg-connect-agent updatestartuptty /bye > /dev/null
+  '';
+
   home-manager.users.me.programs.ssh = {
     enable = true;
     matchBlocks = rec {

configs/sshd.nix

@@ -4,7 +4,7 @@
   pkgs,
   ...
 }: let
-  inherit (import <niveum/lib>) sshPort kieran;
+  inherit (import ../lib) sshPort kieran;
 in {
   users.motd = "Welcome to ${config.networking.hostName}!";
 

configs/stardict.nix

@@ -158,6 +158,16 @@
         sha256 = "03f9wdmkgpjifpms7dyh10ma29wf3ka1j3zlp1av0cybhdldk2a8";
       };
     };
+    turkish = {
+      BabylonTurkishEnglish = pkgs.fetchzip {
+        url = "http://download.huzheng.org/babylon/bidirectional/stardict-babylon-Babylon_Turkish_English-2.4.2.tar.bz2";
+        sha256 = "17rv46r95nkikg7aszqmfrbgdhz9ny52w423m8n01g3p93shdb4i";
+      };
+      BabylonEnglishTurkish = pkgs.fetchzip {
+        url = "http://download.huzheng.org/babylon/bidirectional/stardict-babylon-Babylon_English_Turkish-2.4.2.tar.bz2";
+        sha256 = "063dl02s8ii8snsxgma8wi49xwr6afk6ysq0v986fygx5511353f";
+      };
+    };
   };
 
   makeStardictDataDir = dicts: pkgs.linkFarm "dictionaries" (lib.mapAttrsToList (name: path: {inherit name path;}) dicts);
@@ -169,7 +179,7 @@
       exec ${pkgs.sdcv}/bin/sdcv --color --only-data-dir --data-dir ${makeStardictDataDir dicts} "$@"
     '';
 
-  sdcvPager = pkgs.writeDash "sdcvPager" ''
+  sdcvPager = pkgs.writers.writeDash "sdcvPager" ''
     export PATH=${lib.makeBinPath [pkgs.gnused pkgs.ncurses pkgs.less]}
     sed "
       s!<sup>1</sup>!¹!gI
@@ -292,7 +302,8 @@ in {
     // dictionaries.sanskrit
     // dictionaries.oed
     // dictionaries.russian
-    // dictionaries.englishGerman));
+    // dictionaries.englishGerman
+    // dictionaries.turkish));
 
   environment.systemPackages = [
     # pkgs.goldendict
@@ -302,6 +313,7 @@ in {
     (makeStardict "sd-russian" dictionaries.russian)
     (makeStardict "sd" dictionaries.englishGerman)
     (makeStardict "jbo" dictionaries.lojban)
+    (makeStardict "sd-turkish" dictionaries.turkish)
   ];
 }
 /*

configs/telegram-bots/astrology.nix

@@ -4,8 +4,6 @@
   lib,
   ...
 }: let
-  unstable = import <nixos-unstable> {inherit (config.nixpkgs) config;};
-
   toSymbols = pkgs.writers.writeDash "to-symbols" ''
     ${pkgs.gnused}/bin/sed '
       s/\bTri\b/△/;
@@ -46,14 +44,14 @@ in {
   niveum.telegramBots.transits = {
     enable = true;
     time = "*:0/1";
-    token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
+    tokenFile = config.age.secrets.telegram-token-kmein.path;
     chatIds = ["-1001796440545"];
     command = toString (pkgs.writers.writeDash "common-transits" ''
       now=$(${pkgs.coreutils}/bin/date +%_H:%M | ${pkgs.gnused}/bin/sed 's/^\s*//')
       date=$(${pkgs.coreutils}/bin/date +'%m %d %Y')
       {
-        ${unstable.astrolog}/bin/astrolog -qd $date -zN Berlin -Yt -Yd -d -R Uranus Neptune Pluto "North Node" -A 2
-        ${unstable.astrolog}/bin/astrolog -Yt -Yd -q 10 22 1999 6:32 -zN Kassel -td $date -R Uranus Neptune Pluto "North Node"
+        ${pkgs.astrolog}/bin/astrolog -qd $date -zN Berlin -Yt -Yd -d -R Uranus Neptune Pluto "North Node" -A 2
+        ${pkgs.astrolog}/bin/astrolog -Yt -Yd -q 10 22 1999 6:32 -zN Kassel -td $date -R Uranus Neptune Pluto "North Node"
       } | ${toSymbols} | ${pkgs.coreutils}/bin/sort -n | ${pkgs.gnugrep}/bin/grep "^$now" || :
     '');
   };

configs/telegram-bots/autorenkalender.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   lib,
+  config,
   ...
 }: let
   autorenkalender-package = pkgs.fetchFromGitHub {
@@ -15,12 +16,14 @@ in {
   niveum.telegramBots.autorenkalender = {
     enable = true;
     time = "07:00";
-    token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
+    tokenFile = config.age.secrets.telegram-token-kmein.path;
     chatIds = ["@autorenkalender"];
     parseMode = "Markdown";
     command = "${autorenkalender}/bin/autorenkalender";
   };
 
+  age.secrets.telegram-token-kmein.file = ../../secrets/telegram-token-kmein.age;
+
   niveum.passport.services = [
     {
       title = "Autorenkalender";

configs/telegram-bots/celan.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   lib,
+  config,
   ...
 }: let
   celan = pkgs.fetchzip {
@@ -11,7 +12,7 @@ in {
   niveum.telegramBots.celan = {
     enable = true;
     time = "08:00";
-    token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
+    tokenFile = config.age.secrets.telegram-token-kmein.path;
     chatIds = ["@PaulCelan"];
     command = toString (pkgs.writers.writeDash "random-celan" ''
       cd ${celan}

configs/telegram-bots/default.nix

@@ -2,17 +2,13 @@
   config,
   pkgs,
   lib,
+  inputs,
   ...
 }: let
-  nixpkgs-21-11 = import (builtins.fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-21.11.tar.gz") {
-    config.permittedInsecurePackages = [
-      "python3.9-poetry-1.1.12"
-    ];
-  };
-  telebots = nixpkgs-21-11.callPackage <telebots> {};
+  telebots = inputs.telebots.defaultPackage.x86_64-linux;
   reverseDirectory = "/run/telegram-reverse";
   proverbDirectory = "/run/telegram-proverb";
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  inherit (import ../../lib) tmpfilesConfig;
 in {
   imports = [
     ./literature-quote.nix
@@ -23,7 +19,6 @@ in {
     ./nachtischsatan.nix
     ./tlg-wotd.nix
     ./celan.nix
-    <niveum/modules/telegram-bot.nix>
   ];
 
   systemd.tmpfiles.rules = map (path:
@@ -52,33 +47,45 @@ in {
     }
   ];
 
+  age.secrets = {
+    telegram-token-reverse.file = ../../secrets/telegram-token-reverse.age;
+    telegram-token-betacode.file = ../../secrets/telegram-token-betacode.age;
+    telegram-token-proverb.file = ../../secrets/telegram-token-proverb.age;
+  };
+
   systemd.services.telegram-reverse = {
     wantedBy = ["multi-user.target"];
     description = "Telegram reverse bot";
     path = [pkgs.ffmpeg];
-    environment.TELEGRAM_BOT_TOKEN = lib.strings.fileContents <system-secrets/telegram/reverse.token>;
     enable = true;
-    script = "${telebots}/bin/telegram-reverse";
+    script = ''
+      TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${telebots}/bin/telegram-reverse
+    '';
     serviceConfig.Restart = "always";
     serviceConfig.WorkingDirectory = reverseDirectory;
+    serviceConfig.LoadCredential = "token:${config.age.secrets.telegram-token-reverse.path}";
   };
 
   systemd.services.telegram-betacode = {
     wantedBy = ["multi-user.target"];
     description = "Telegram beta code bot";
-    environment.TELEGRAM_BOT_TOKEN = lib.strings.fileContents <system-secrets/telegram/betacode.token>;
     enable = true;
-    script = "${telebots}/bin/telegram-betacode";
+    script = ''
+      TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${telebots}/bin/telegram-betacode
+    '';
     serviceConfig.Restart = "always";
+    serviceConfig.LoadCredential = "token:${config.age.secrets.telegram-token-betacode.path}";
   };
 
   systemd.services.telegram-proverb = {
     wantedBy = ["multi-user.target"];
     description = "Telegram proverb bot";
-    environment.TELEGRAM_BOT_TOKEN = lib.strings.fileContents <system-secrets/telegram/proverb.token>;
     enable = true;
-    script = "${telebots}/bin/telegram-proverb";
+    script = ''
+      TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${telebots}/bin/telegram-proverb
+    '';
     serviceConfig.Restart = "always";
     serviceConfig.WorkingDirectory = proverbDirectory;
+    serviceConfig.LoadCredential = "token:${config.age.secrets.telegram-token-proverb.path}";
   };
 }

configs/telegram-bots/hesychius.nix

@@ -1,14 +1,16 @@
 {
   pkgs,
+  config,
+  inputs,
   lib,
   ...
 }: let
-  hesychius = <scripts> + "/hesychius/hesychius.txt";
+  hesychius = inputs.scripts.outPath + "/hesychius/hesychius.txt";
 in {
   niveum.telegramBots.hesychius = {
     enable = true;
     time = "08:00";
-    token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
+    tokenFile = config.age.secrets.telegram-token-kmein.path;
     chatIds = ["@HesychiosAlexandreus"];
     command = "${pkgs.coreutils}/bin/shuf -n1 ${hesychius}";
   };

configs/telegram-bots/literature-quote.nix

@@ -1,17 +1,16 @@
 {
   pkgs,
+  config,
   lib,
+  niveumPackages,
   ...
-}: let
-  scripts = import <niveum/packages/scripts> {inherit pkgs lib;};
-  inherit (scripts) literature-quote;
-in {
+}: {
   niveum.telegramBots.quotebot = {
     enable = true;
     time = "08/6:00";
-    token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
+    tokenFile = config.age.secrets.telegram-token-kmein.path;
     chatIds = ["-1001760262519"];
-    command = "${literature-quote}/bin/literature-quote";
+    command = "${niveumPackages.literature-quote}/bin/literature-quote";
     parseMode = "Markdown";
   };
 

configs/telegram-bots/nachtischsatan.nix

@@ -1,9 +1,10 @@
 {
   pkgs,
+  config,
   lib,
   ...
 }: let
-  nachtischsatan-bot = {token}:
+  nachtischsatan-bot = {tokenFile}:
     pkgs.writers.writePython3 "nachtischsatan-bot" {
       libraries = [pkgs.python3Packages.python-telegram-bot];
     } ''
@@ -18,11 +19,12 @@
           update.message.reply_text("*flubberflubber*")
 
 
-      updater = Updater('${token}')
+      with open('${tokenFile}', 'r') as tokenFile:
+          updater = Updater(tokenFile.read().strip())
 
-      updater.dispatcher.add_handler(MessageHandler(Filters.all, flubber))
-      updater.start_polling()
-      updater.idle()
+          updater.dispatcher.add_handler(MessageHandler(Filters.all, flubber))
+          updater.start_polling()
+          updater.idle()
     '';
 in {
   systemd.services.telegram-nachtischsatan = {
@@ -30,11 +32,13 @@ in {
     description = "*flubberflubber*";
     enable = true;
     script = toString (nachtischsatan-bot {
-      token = lib.strings.fileContents <system-secrets/telegram/nachtischsatan.token>;
+      tokenFile = config.age.secrets.telegram-token-nachtischsatan.path;
     });
     serviceConfig.Restart = "always";
   };
 
+  age.secrets.telegram-token-nachtischsatan.file = ../../secrets/telegram-token-nachtischsatan.age;
+
   niveum.passport.services = [
     {
       title = "Nachtischsatan-Bot";

configs/telegram-bots/smyth.nix

@@ -1,4 +1,5 @@
 {
+  config,
   pkgs,
   lib,
   ...
@@ -6,7 +7,7 @@
   niveum.telegramBots.smyth = {
     enable = true;
     time = "08:00";
-    token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
+    tokenFile = config.age.secrets.telegram-token-kmein.path;
     chatIds = ["@HerbertWeirSmyth"];
     command = toString (pkgs.writers.writeDash "random-smyth" ''
       set -efu

configs/telegram-bots/tlg-wotd.nix

@@ -1,13 +1,14 @@
 {
   pkgs,
   lib,
+  config,
   ...
 }: {
   niveum.telegramBots.tlg-wotd = {
     enable = true;
     time = "9:30";
-    token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
     chatIds = ["@tlgwotd"];
+    tokenFile = config.age.secrets.telegram-token-kmein.path;
     command = toString (pkgs.writers.writeDash "tlg-wotd" ''
       ${pkgs.curl}/bin/curl -sSL http://stephanus.tlg.uci.edu/Iris/Wotd \
       | ${pkgs.recode}/bin/recode html..utf8 \

configs/tor.nix

@@ -1,4 +1,5 @@
 {pkgs, ...}: {
   services.tor.enable = true;
-  environment.systemPackages = [pkgs.tor];
+  services.tor.client.enable = true;
+  environment.systemPackages = [pkgs.tor pkgs.torsocks];
 }

configs/traadfri.nix

@@ -1,13 +1,12 @@
 {
+  config,
   pkgs,
   lib,
   ...
 }: let
-  inherit (import <niveum/lib>) localAddresses;
+  inherit (import ../lib) localAddresses;
   living-room-id = 131090;
 in {
-  imports = [<niveum/modules/traadfri.nix>];
-
   environment.systemPackages = [
     (pkgs.writers.writeDashBin "traadfri-party" ''
       while true; do
@@ -20,11 +19,18 @@ in {
     '')
   ];
 
+  age.secrets.traadfri-key = {
+    file = ../secrets/traadfri-key.age;
+    owner = config.users.users.me.name;
+    group = config.users.users.me.group;
+    mode = "400";
+  };
+
   niveum.traadfri = {
     enable = true;
     user = "kmein";
     host = localAddresses.tradfri;
-    key = lib.strings.fileContents <secrets/traadfri.key>;
+    keyFile = config.age.secrets.traadfri-key.path;
     rooms = {
       corridor = 131080;
       kitchen = 131081;

configs/wallpaper.nix

@@ -2,18 +2,27 @@
   pkgs,
   lib,
   ...
-}: {
-  imports = [<stockholm/krebs/3modules/fetchWallpaper.nix>];
+}: let
+  url = "http://prism.r/realwallpaper-krebs-stars-berlin.png";
+  stateDir = "~/.cache/wallpaper";
+in {
+  systemd.user.services.wallpaper = {
+    wantedBy = ["graphical-session.target"];
+    after = ["network.target"];
+    script = ''
+      set -euf
 
-  krebs.fetchWallpaper = {
-    enable = true;
-    url = "http://prism.r/realwallpaper-krebs-stars-berlin.png";
-  };
-
-  users.users.fetchWallpaper.isSystemUser = true;
-
-  services.xserver = {
-    display = lib.mkForce 0; # needed for fetchWallpaper to find the X display
-    displayManager.sessionCommands = "${pkgs.xorg.xhost}/bin/xhost +LOCAL:";
+      mkdir -p ${stateDir}
+      chmod o+rx ${stateDir}
+      cd ${stateDir}
+      (${pkgs.curl}/bin/curl -s -o wallpaper.tmp -z wallpaper.tmp ${lib.escapeShellArg url} && cp wallpaper.tmp wallpaper) || :
+      ${pkgs.feh}/bin/feh --no-fehbg --bg-scale wallpaper
+    '';
+    startAt = "*:00,10,20,30,40,50";
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = "15s";
+      StartLimitBurst = 0;
+    };
   };
 }

configs/zsh.nix

@@ -77,7 +77,11 @@
 
       precmd () {
         vcs_info
-        RPROMPT="$vcs_info_msg_0_"
+        if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ] || [ -n "$SSH_CONNECTION" ]; then
+          RPROMPT="$(hostname)"
+        else
+          RPROMPT="$vcs_info_msg_0_"
+        fi
         if [[ -n $IN_NIX_SHELL ]]; then
           PROMPT='%B%~%b %(?.%F{${promptColours.success}}.%F{${promptColours.failure}})λ%f '
         else

flake.lock

@@ -1,6 +1,188 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1680281360,
+        "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "e64961977f60388dd0b49572bb0fc453b871f896",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "blessings": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1549397368,
+        "narHash": "sha256-YVIGRG+/ey4nFEZl1ZPHj7Hx/Of3rsUGnkLK4V4zZd0=",
+        "ref": "refs/heads/master",
+        "rev": "d94712a015636efe7ec79bc0a2eec6739d0be779",
+        "revCount": 18,
+        "type": "git",
+        "url": "https://cgit.krebsco.de/blessings"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://cgit.krebsco.de/blessings"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_3": {
+      "locked": {
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "locked": {
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_6": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_7": {
+      "locked": {
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_8": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_9": {
       "locked": {
         "lastModified": 1676283394,
         "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
@@ -18,56 +200,71 @@
     "home-manager": {
       "inputs": {
         "nixpkgs": [
-          "nixos-unstable"
+          "nixpkgs"
         ],
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1676367705,
-        "narHash": "sha256-un5UbRat9TwruyImtwUGcKF823rCEp4fQxnsaLFL7CM=",
+        "lastModified": 1681092193,
+        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "da72e6fc6b7dc0c3f94edbd310aae7cd95c678b5",
+        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "master",
+        "ref": "release-22.11",
         "repo": "home-manager",
         "type": "github"
       }
     },
-    "krops": {
+    "menstruation-backend": {
       "inputs": {
         "flake-utils": [
           "flake-utils"
         ],
         "nixpkgs": [
-          "nixos-stable"
-        ]
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1661273257,
-        "narHash": "sha256-cywpSH3D291AwdO/ecJxHeN2Vuuz0cIy/NEXMsFT+Og=",
+        "lastModified": 1677075142,
+        "narHash": "sha256-0RXVZcK2YtPckd/3+jb+yLpeXZ6jnQe25w9idztDXi8=",
         "owner": "kmein",
-        "repo": "krops",
-        "rev": "542bc544ec8b0b807933a812d098e601683b0956",
+        "repo": "menstruation.rs",
+        "rev": "e34af4393963cdbadb456b7b9ae2e95e6db7b8a3",
         "type": "github"
       },
       "original": {
         "owner": "kmein",
-        "repo": "krops",
+        "repo": "menstruation.rs",
         "type": "github"
       }
     },
-    "menstruation-backend": {
-      "flake": false,
+    "menstruation-backend_2": {
+      "inputs": {
+        "flake-utils": [
+          "menstruation-telegram",
+          "menstruation-backend",
+          "rust-overlay",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "menstruation-telegram",
+          "menstruation-backend",
+          "rust-overlay",
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_2"
+      },
       "locked": {
-        "lastModified": 1667816906,
-        "narHash": "sha256-VdckYVSQZfqThPb06Y5TGSI+kkibgM/G9pH5SQHIybI=",
+        "lastModified": 1677075142,
+        "narHash": "sha256-0RXVZcK2YtPckd/3+jb+yLpeXZ6jnQe25w9idztDXi8=",
         "owner": "kmein",
         "repo": "menstruation.rs",
-        "rev": "95c495d453c35f20a6a5641a88a862c668404acf",
+        "rev": "e34af4393963cdbadb456b7b9ae2e95e6db7b8a3",
         "type": "github"
       },
       "original": {
@@ -77,13 +274,17 @@
       }
     },
     "menstruation-telegram": {
-      "flake": false,
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "menstruation-backend": "menstruation-backend_2",
+        "nixpkgs": "nixpkgs_3"
+      },
       "locked": {
-        "lastModified": 1667816918,
-        "narHash": "sha256-yQSl0iKqHm7qFLELY8e7OzRRdnqSBbzJmQIYgkXlJpQ=",
+        "lastModified": 1677075205,
+        "narHash": "sha256-2+xuAhsS3y2qB0ObVPCHXrmnTsIZ8uI5HFI4+Ash8PY=",
         "owner": "kmein",
         "repo": "menstruation-telegram",
-        "rev": "828872cf9c425442705a95019eceee397bc1c03f",
+        "rev": "f7ddb6d9610aacb50ec66a3ce1bdc49fe4664a49",
         "type": "github"
       },
       "original": {
@@ -92,29 +293,81 @@
         "type": "github"
       }
     },
-    "nix-writers": {
-      "flake": false,
+    "nixinate": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1675197881,
-        "narHash": "sha256-gYtduNF59yqv4BgW4fC+tZHKE7cpOkZf+Y34psyFO5U=",
-        "ref": "refs/heads/master",
-        "rev": "d1424777b5f2e12cbd80efd1b55335dcba7c32bd",
-        "revCount": 38,
-        "type": "git",
-        "url": "https://cgit.krebsco.de/nix-writers"
+        "lastModified": 1671116920,
+        "narHash": "sha256-QmDGsUUmAGn77UTR7eQJmebl8f3IIUCtmbbAdJqKA3s=",
+        "owner": "matthewcroughan",
+        "repo": "nixinate",
+        "rev": "b4d17b8e2a4abc47e93e1a1c466e0286a63640d8",
+        "type": "github"
       },
       "original": {
-        "type": "git",
-        "url": "https://cgit.krebsco.de/nix-writers"
+        "owner": "matthewcroughan",
+        "repo": "nixinate",
+        "type": "github"
       }
     },
-    "nixos-stable": {
+    "nixpkgs": {
       "locked": {
-        "lastModified": 1676375384,
-        "narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=",
+        "lastModified": 1665296151,
+        "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c43f676c938662072772339be6269226c77b51b8",
+        "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1665296151,
+        "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1669418739,
+        "narHash": "sha256-T86oFvcUIRwHWBWUt7WjaP4BP/3lDGbv5AppQSI1FkI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "695b3515251873e0a7e2021add4bba643c56cde3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "695b3515251873e0a7e2021add4bba643c56cde3",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1681269223,
+        "narHash": "sha256-i6OeI2f7qGvmLfD07l1Az5iBL+bFeP0RHixisWtpUGo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "87edbd74246ccdfa64503f334ed86fa04010bab9",
         "type": "github"
       },
       "original": {
@@ -124,30 +377,112 @@
         "type": "github"
       }
     },
-    "nixos-unstable": {
+    "nixpkgs_5": {
       "locked": {
-        "lastModified": 1676300157,
-        "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=",
+        "lastModified": 1677158633,
+        "narHash": "sha256-t7za78oRkDIjdFQF0PCilfCziFyhfowCgs9Ry+sEvE4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "545c7a31e5dedea4a6d372712a18e00ce097d462",
+        "rev": "129b6f78121802d18d215c9f9e04d7971c58ea0c",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "recht": {
-      "flake": false,
+    "nixpkgs_6": {
       "locked": {
-        "lastModified": 1669719044,
-        "narHash": "sha256-WsLWlTM2Hrurj9kVajybIOavV9QPYiJweMCOQR6h+YI=",
+        "lastModified": 1665296151,
+        "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_7": {
+      "locked": {
+        "lastModified": 1659446231,
+        "narHash": "sha256-hekabNdTdgR/iLsgce5TGWmfIDZ86qjPhxDg/8TlzhE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "eabc38219184cc3e04a974fe31857d8e0eac098d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-21.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_8": {
+      "locked": {
+        "lastModified": 1665296151,
+        "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_9": {
+      "locked": {
+        "lastModified": 1669418739,
+        "narHash": "sha256-T86oFvcUIRwHWBWUt7WjaP4BP/3lDGbv5AppQSI1FkI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "695b3515251873e0a7e2021add4bba643c56cde3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "695b3515251873e0a7e2021add4bba643c56cde3",
+        "type": "github"
+      }
+    },
+    "nur": {
+      "locked": {
+        "lastModified": 1681454031,
+        "narHash": "sha256-JOamj7vKkFRp5mJ7FKt5dPfCmWj33sZLnBGDt15c/sc=",
+        "owner": "nix-community",
+        "repo": "NUR",
+        "rev": "8a35714f0be00235e2a1c8b759e6dc3888763d8b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "NUR",
+        "type": "github"
+      }
+    },
+    "recht": {
+      "inputs": {
+        "blessings": "blessings",
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": "nixpkgs_5"
+      },
+      "locked": {
+        "lastModified": 1677165419,
+        "narHash": "sha256-pjYpXg+09rayon6uhSNd30ryrT2zYLOlDLBHQ9pnGZg=",
         "owner": "kmein",
         "repo": "recht",
-        "rev": "7c15b13328fb5cee01012c488ff235ee730cac70",
+        "rev": "5fa158ce21de797bd95a934dab8d4403b7531d20",
         "type": "github"
       },
       "original": {
@@ -158,11 +493,11 @@
     },
     "retiolum": {
       "locked": {
-        "lastModified": 1676473689,
-        "narHash": "sha256-TGQbsiIojBj4DvGhhkI3i2dq9NmU2Vkt+i7Rw2U/BEg=",
+        "lastModified": 1681246809,
+        "narHash": "sha256-3RUAwk0ApPjq2Ms8KiAh+gG6EJKWurIur612w2m3Zu8=",
         "ref": "refs/heads/master",
-        "rev": "30152917194d6e54ce68e45b499323356db3ae7c",
-        "revCount": 283,
+        "rev": "c8ddb36f3d85be762aeb1893a79da36014f55658",
+        "revCount": 296,
         "type": "git",
         "url": "https://git.thalheim.io/Mic92/retiolum"
       },
@@ -173,32 +508,119 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
-        "krops": "krops",
         "menstruation-backend": "menstruation-backend",
         "menstruation-telegram": "menstruation-telegram",
-        "nix-writers": "nix-writers",
-        "nixos-stable": "nixos-stable",
-        "nixos-unstable": "nixos-unstable",
+        "nixinate": "nixinate",
+        "nixpkgs": "nixpkgs_4",
+        "nur": "nur",
         "recht": "recht",
         "retiolum": "retiolum",
         "scripts": "scripts",
-        "stockholm": "stockholm",
         "telebots": "telebots",
         "tinc-graph": "tinc-graph",
         "traadfri": "traadfri",
-        "tuna": "tuna"
+        "voidrice": "voidrice"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1677033035,
+        "narHash": "sha256-w6XsKaW46kZNEk2vVfuoNIBEq/YzDy9kNk8cU0xJZEQ=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "6c9e8ea3ba73a9fed29ddc1cc52ade8e5c946a8d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_2": {
+      "inputs": {
+        "flake-utils": "flake-utils_4",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1677033035,
+        "narHash": "sha256-w6XsKaW46kZNEk2vVfuoNIBEq/YzDy9kNk8cU0xJZEQ=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "6c9e8ea3ba73a9fed29ddc1cc52ade8e5c946a8d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_3": {
+      "inputs": {
+        "flake-utils": "flake-utils_6",
+        "nixpkgs": "nixpkgs_6"
+      },
+      "locked": {
+        "lastModified": 1677119371,
+        "narHash": "sha256-L0Da4eKzDZrsy8ysOS1lhgDjAgEqGvYGf/lXaRd5/YQ=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "c67c79ea25664d66e74ae91a6fa0d6c65d12d3a7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_4": {
+      "inputs": {
+        "flake-utils": "flake-utils_8",
+        "nixpkgs": "nixpkgs_8"
+      },
+      "locked": {
+        "lastModified": 1677119371,
+        "narHash": "sha256-L0Da4eKzDZrsy8ysOS1lhgDjAgEqGvYGf/lXaRd5/YQ=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "c67c79ea25664d66e74ae91a6fa0d6c65d12d3a7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
       }
     },
     "scripts": {
-      "flake": false,
+      "inputs": {
+        "flake-utils": [
+          "scripts",
+          "rust-overlay",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "scripts",
+          "rust-overlay",
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_3"
+      },
       "locked": {
-        "lastModified": 1675238486,
-        "narHash": "sha256-Hs9NKK0UFaNqrui2VauBnMnV/14U3eNWaI12EmVYXWY=",
+        "lastModified": 1677271864,
+        "narHash": "sha256-BghYMB/lauerExMsDtGZNGZGdoGuF7LPtbmpyh9ycyA=",
         "owner": "kmein",
         "repo": "scripts",
-        "rev": "5cefa5f112e7fe54e0302b7bc33bc06e1f762002",
+        "rev": "79bffac7f9eda1b3be76f2a4ff18d81b44c74390",
         "type": "github"
       },
       "original": {
@@ -207,30 +629,32 @@
         "type": "github"
       }
     },
-    "stockholm": {
-      "flake": false,
+    "systems": {
       "locked": {
-        "lastModified": 1676206058,
-        "narHash": "sha256-httLH/By88YYpnfYAEnke2gnLiayMlcznia0aDNqK28=",
-        "ref": "refs/heads/master",
-        "rev": "5234e1c7eaf478bc4ebd0edb48547168e91eba02",
-        "revCount": 11364,
-        "type": "git",
-        "url": "https://cgit.krebsco.de/stockholm"
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
       },
       "original": {
-        "type": "git",
-        "url": "https://cgit.krebsco.de/stockholm"
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
       }
     },
     "telebots": {
-      "flake": false,
+      "inputs": {
+        "flake-utils": "flake-utils_7",
+        "nixpkgs": "nixpkgs_7"
+      },
       "locked": {
-        "lastModified": 1623510321,
-        "narHash": "sha256-MxYNNL81RXZkYLd4IgiNTSo1X80kTuDzsdGNSA0f1y8=",
+        "lastModified": 1677156381,
+        "narHash": "sha256-OMhqYJO2bWtL6osTMpQhA4ySUl4gvJTI13m1agipHJ0=",
         "owner": "kmein",
         "repo": "telebots",
-        "rev": "22931c9457e092c4e413555dbe61819d77844246",
+        "rev": "5527e359e8394f2f66067de7f61587eb65055209",
         "type": "github"
       },
       "original": {
@@ -240,13 +664,21 @@
       }
     },
     "tinc-graph": {
-      "flake": false,
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_4"
+      },
       "locked": {
-        "lastModified": 1666162569,
-        "narHash": "sha256-7ebWs/ryDebUMONkn6dPckNnUGrEuPQScoY+O/+vo+Q=",
+        "lastModified": 1677160040,
+        "narHash": "sha256-UhyZaIZ88vN/7fiBcamfV77eHjQnL8zSVznaqxLgbhs=",
         "owner": "kmein",
         "repo": "tinc-graph",
-        "rev": "72a4b305fcb49cfd6d456103cda45888a6b34bbe",
+        "rev": "f705ca35e30ab0daf9cf52000e58931d7c5c42b5",
         "type": "github"
       },
       "original": {
@@ -256,13 +688,16 @@
       }
     },
     "traadfri": {
-      "flake": false,
+      "inputs": {
+        "flake-utils": "flake-utils_9",
+        "nixpkgs": "nixpkgs_9"
+      },
       "locked": {
-        "lastModified": 1640451803,
-        "narHash": "sha256-zS/b93uFpPM9basNP7ngmm+YjYV0IUQAmNghetHA6Ss=",
+        "lastModified": 1677165914,
+        "narHash": "sha256-3N08NabgDwTUy1n5wxpT27iddFrgXW35E1x2UgAKkDQ=",
         "owner": "kmein",
         "repo": "traadfri",
-        "rev": "cf46bd09cd3263b90a09b0ca979aa705a4c3671c",
+        "rev": "11571116ed5d2c6478c615d663d1f96f57a97ba9",
         "type": "github"
       },
       "original": {
@@ -271,22 +706,6 @@
         "type": "github"
       }
     },
-    "tuna": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1627117248,
-        "narHash": "sha256-OfqbWLblJY4BJlrCpn8EkHoP3baNJSDTbw45SPaX+0Q=",
-        "owner": "kmein",
-        "repo": "tuna",
-        "rev": "1cbed44069a3009738afdafecefe0a05316039a6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "kmein",
-        "repo": "tuna",
-        "type": "github"
-      }
-    },
     "utils": {
       "locked": {
         "lastModified": 1667395993,
@@ -301,6 +720,22 @@
         "repo": "flake-utils",
         "type": "github"
       }
+    },
+    "voidrice": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1681301489,
+        "narHash": "sha256-5Zz33Q3E4A9nsEmxPQikYeX7Rvu3hM+PlXx/0SIqG34=",
+        "owner": "Lukesmithxyz",
+        "repo": "voidrice",
+        "rev": "d4ff2ebaf3e88efe20cae0d1e592fddfc433c96e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Lukesmithxyz",
+        "repo": "voidrice",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -2,193 +2,316 @@
   description = "niveum: packages, modules, systems";
 
   inputs = {
-    nixos-stable.url = "github:NixOS/nixpkgs/nixos-22.11";
-    nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
-
+    agenix.url = "github:ryantm/agenix";
     flake-utils.url = "github:numtide/flake-utils";
-    home-manager = {
-      url = "github:nix-community/home-manager/master";
-      inputs.nixpkgs.follows = "nixos-unstable";
-    };
-    krops = {
-      url = "github:kmein/krops";
-      inputs.nixpkgs.follows = "nixos-stable";
-      inputs.flake-utils.follows = "flake-utils";
-    };
+    home-manager.url = "github:nix-community/home-manager/release-22.11";
+    menstruation-backend.url = "github:kmein/menstruation.rs";
+    menstruation-telegram.url = "github:kmein/menstruation-telegram";
+    nixinate.url = "github:matthewcroughan/nixinate";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+    nur.url = "github:nix-community/NUR";
+    recht.url = "github:kmein/recht";
+    scripts.url = "github:kmein/scripts";
     retiolum.url = "git+https://git.thalheim.io/Mic92/retiolum";
+    telebots.url = "github:kmein/telebots";
+    tinc-graph.url = "github:kmein/tinc-graph";
+    traadfri.url = "github:kmein/traadfri";
+    voidrice.url = "github:Lukesmithxyz/voidrice";
 
-    # legacy
-    menstruation-backend = {
-      url = "github:kmein/menstruation.rs";
-      flake = false;
-    };
-    menstruation-telegram = {
-      url = "github:kmein/menstruation-telegram";
-      flake = false;
-    };
-    nix-writers = {
-      url = "git+https://cgit.krebsco.de/nix-writers";
-      flake = false;
-    };
-    recht = {
-      url = "github:kmein/recht";
-      flake = false;
-    };
-    scripts = {
-      url = "github:kmein/scripts";
-      flake = false;
-    };
-    stockholm = {
-      url = "git+https://cgit.krebsco.de/stockholm";
-      flake = false;
-    };
-    telebots = {
-      url = "github:kmein/telebots";
-      flake = false;
-    };
-    tinc-graph = {
-      url = "github:kmein/tinc-graph";
-      flake = false;
-    };
-    traadfri = {
-      url = "github:kmein/traadfri";
-      flake = false;
-    };
-    tuna = {
-      url = "github:kmein/tuna";
-      flake = false;
-    };
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    menstruation-backend.inputs.flake-utils.follows = "flake-utils";
+    menstruation-backend.inputs.nixpkgs.follows = "nixpkgs";
+    nixinate.inputs.nixpkgs.follows = "nixpkgs";
+    tinc-graph.inputs.flake-utils.follows = "flake-utils";
+    tinc-graph.inputs.nixpkgs.follows = "nixpkgs";
+    voidrice.flake = false;
   };
 
-  outputs = {
+  outputs = inputs @ {
     self,
-    flake-utils,
+    nixpkgs,
+    nur,
     home-manager,
-    krops,
-    menstruation-backend,
-    menstruation-telegram,
-    nix-writers,
-    nixos-unstable,
-    nixos-stable,
-    recht,
+    nixinate,
+    agenix,
     retiolum,
-    scripts,
-    stockholm,
-    telebots,
-    tinc-graph,
-    traadfri,
-    tuna,
-  } @ inputs: let
-    system = "x86_64-linux";
-    pkgs = nixos-stable.legacyPackages.${system};
-    home =
-      if nixos-stable.lib.inPureEvalMode or false
-      then _: /nonexistent
-      else import lib/home.nix;
-    source = {
-      sources,
-      unstable,
-      name,
-    }:
-      {
-        niveum.file = toString ./.;
-        nixos-config.symlink = "niveum/systems/${name}/configuration.nix";
-        system-secrets.pass = {
-          dir = toString (home /.password-store);
-          name = "systems/${name}";
-        };
-        secrets.pass = {
-          dir = toString (home /.password-store);
-          name = "shared";
-        };
-        nixpkgs.git = {
-          url = "https://github.com/NixOS/nixpkgs";
-          ref =
-            (
-              if unstable
-              then inputs.nixos-unstable
-              else inputs.nixos-stable
-            )
-            .rev;
-          shallow = true;
-        };
-      }
-      // nixos-stable.lib.mapAttrs' (name: value: {
-        inherit name;
-        value.git = {
-          url = let
-            github = x: "https://github.com/${x}";
-          in
-            {
-              home-manager = github "nix-community/home-manager";
-              menstruation-backend = github "kmein/menstruation.rs";
-              menstruation-telegram = github "kmein/menstruation-telegram";
-              nixos-unstable = github "NixOS/nixpkgs";
-              nix-writers = "https://cgit.krebsco.de/nix-writers";
-              recht = github "kmein/recht";
-              retiolum = "https://git.thalheim.io/Mic92/retiolum";
-              stockholm = "https://cgit.krebsco.de/stockholm";
-              scripts = github "kmein/scripts";
-              telebots = github "kmein/telebots";
-              tinc-graph = github "kmein/tinc-graph";
-              traadfri = github "kmein/traadfri";
-            }
-            .${name};
-          ref = value.rev;
-          shallow = true;
-        };
-      }) (nixos-stable.lib.filterAttrs (name: _: builtins.elem name sources) inputs);
-    deployScriptFor = {
-      name,
-      user ? "root",
-      host,
-      unstable ? false,
-      sshPort ? (import ./lib/default.nix).sshPort,
-      sources,
-    }:
-      toString (krops.packages.${system}.writeDeploy "deploy-${name}" {
-        source = krops.lib.evalSource [(source {inherit sources unstable name;})];
-        target = "${user}@${host}:${toString sshPort}";
-        useNixOutputMonitor = true;
-      });
-  in {
-    apps.${system} = let
-      forSystems = f: builtins.listToAttrs (map f (builtins.attrNames (builtins.readDir ./systems)));
-      externalNetwork = import ./lib/external-network.nix;
-      deployScripts = forSystems (name: {
-        name = "deploy-${name}";
-        value = {
-          type = "app";
-          program = deployScriptFor {
-            inherit name;
-            host =
-              if externalNetwork ? name
-              then externalNetwork.${name}
-              else "${name}.r";
-            unstable = false; # name == "kabsa" || name == "manakish";
-            sources =
-              ["nix-writers" "nixpkgs" "retiolum" "stockholm"]
-              ++ {
-                zaatar = ["traadfri" "nixos-unstable"];
-                ful = [];
-                tahina = [];
-                tabula = [];
-                kabsa = ["traadfri" "nixos-unstable" "home-manager" "menstruation-backend" "recht"];
-                manakish = ["traadfri" "nixos-unstable" "home-manager" "menstruation-backend" "recht"];
-                makanek = ["nixos-unstable" "menstruation-telegram" "menstruation-backend" "scripts" "telebots" "tinc-graph"];
-              }
-              .${name};
+    flake-utils,
+    ...
+  }:
+    {
+      apps = nixinate.nixinate.x86_64-linux self;
+
+      nixosModules = {
+        htgen = import modules/htgen.nix;
+        moodle-dl = import modules/moodle-dl.nix;
+        networkmanager-declarative = import modules/networkmanager-declarative.nix;
+        passport = import modules/passport.nix;
+        panoptikon = import modules/panoptikon.nix;
+        power-action = import modules/power-action.nix;
+        specus = import modules/specus.nix;
+        system-dependent = import modules/system-dependent.nix;
+        telegram-bot = import modules/telegram-bot.nix;
+        traadfri = import modules/traadfri.nix;
+      };
+
+      lib = {
+        panoptikon = import lib/panoptikon.nix;
+      };
+
+      nixosConfigurations = {
+        ful = nixpkgs.lib.nixosSystem rec {
+          system = "aarch64-linux";
+          specialArgs = {
+            niveumPackages = inputs.self.packages.${system};
+            niveumLib = inputs.self.lib;
+            inherit inputs;
           };
+          modules = [
+            {
+              _module.args.nixinate = {
+                host = "ful";
+                sshUser = "root";
+                buildOn = "remote";
+                substituteOnTarget = true;
+                hermetic = false;
+              };
+            }
+            systems/ful/configuration.nix
+            agenix.nixosModules.default
+            inputs.self.nixosModules.passport
+            inputs.self.nixosModules.specus
+            inputs.self.nixosModules.panoptikon
+            retiolum.nixosModules.retiolum
+            nur.nixosModules.nur
+          ];
         };
-      });
-      ciScripts = forSystems (name: {
-        name = "build-${name}";
-        value = {
-          type = "app";
-          program = import ./ci.nix {inherit name system inputs;};
+        zaatar = nixpkgs.lib.nixosSystem rec {
+          system = "x86_64-linux";
+          specialArgs = {
+            niveumPackages = inputs.self.packages.${system};
+            inherit inputs;
+          };
+          modules = [
+            {
+              _module.args.nixinate = {
+                host = "zaatar";
+                sshUser = "root";
+                buildOn = "remote";
+                substituteOnTarget = true;
+                hermetic = false;
+              };
+            }
+            systems/zaatar/configuration.nix
+            inputs.self.nixosModules.moodle-dl
+            agenix.nixosModules.default
+            retiolum.nixosModules.retiolum
+          ];
         };
-      });
-    in
-      deployScripts // ciScripts;
-  };
+        makanek = nixpkgs.lib.nixosSystem rec {
+          system = "x86_64-linux";
+          # for using inputs in other config files
+          specialArgs = {
+            niveumPackages = inputs.self.packages.${system};
+            inherit inputs;
+          };
+          modules = [
+            {
+              _module.args.nixinate = {
+                host = "makanek";
+                sshUser = "root";
+                buildOn = "remote";
+                substituteOnTarget = true;
+                hermetic = false;
+              };
+            }
+            systems/makanek/configuration.nix
+            inputs.self.nixosModules.telegram-bot
+            inputs.self.nixosModules.htgen
+            inputs.self.nixosModules.passport
+            inputs.self.nixosModules.specus
+            agenix.nixosModules.default
+            retiolum.nixosModules.retiolum
+            nur.nixosModules.nur
+          ];
+        };
+        tahina = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            systems/tahina/configuration.nix
+            agenix.nixosModules.default
+            retiolum.nixosModules.retiolum
+          ];
+        };
+        tabula = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            systems/tabula/configuration.nix
+            agenix.nixosModules.default
+            retiolum.nixosModules.retiolum
+          ];
+        };
+        manakish = nixpkgs.lib.nixosSystem rec {
+          system = "x86_64-linux";
+          specialArgs = {
+            niveumPackages = inputs.self.packages.${system};
+            inherit inputs;
+          };
+          modules = [
+            {
+              _module.args.nixinate = {
+                host = "manakish";
+                sshUser = "root";
+                buildOn = "remote";
+                substituteOnTarget = true;
+                hermetic = false;
+              };
+            }
+            systems/manakish/configuration.nix
+            agenix.nixosModules.default
+            retiolum.nixosModules.retiolum
+            home-manager.nixosModules.home-manager
+            nur.nixosModules.nur
+          ];
+        };
+        kabsa = nixpkgs.lib.nixosSystem rec {
+          system = "x86_64-linux";
+          specialArgs = {
+            niveumPackages = inputs.self.packages.${system};
+            inherit inputs;
+          };
+          modules = [
+            {
+              _module.args.nixinate = {
+                host = "kabsa";
+                sshUser = "root";
+                buildOn = "remote";
+                substituteOnTarget = true;
+                hermetic = false;
+              };
+            }
+            systems/kabsa/configuration.nix
+            agenix.nixosModules.default
+            retiolum.nixosModules.retiolum
+            inputs.self.nixosModules.specus
+            home-manager.nixosModules.home-manager
+            nur.nixosModules.nur
+          ];
+        };
+      };
+    }
+    // flake-utils.lib.eachSystem [flake-utils.lib.system.x86_64-linux flake-utils.lib.system.aarch64-linux] (system: let
+      pkgs = import nixpkgs {
+        inherit system;
+        overlays = [
+          nur.overlay
+          (self: super: {
+            mpv = super.mpv.override {scripts = [inputs.self.packages.${system}.mpv-visualizer];};
+            dmenu = super.writers.writeDashBin "dmenu" ''exec ${pkgs.rofi}/bin/rofi -dmenu "$@"'';
+          })
+        ];
+      };
+      wrapScript = {
+        packages ? [],
+        name,
+        script,
+      }:
+        pkgs.writers.writeDashBin name ''PATH=$PATH:${nixpkgs.lib.makeBinPath (packages ++ [pkgs.findutils pkgs.coreutils pkgs.gnused pkgs.gnugrep])} ${script} "$@"'';
+    in {
+      packages = rec {
+        auc = pkgs.callPackage packages/auc.nix {};
+        betacode = pkgs.callPackage packages/betacode.nix {};
+        cheat-sh = pkgs.callPackage packages/cheat-sh.nix {};
+        closest = pkgs.callPackage packages/closest {};
+        cyberlocker-tools = pkgs.callPackage packages/cyberlocker-tools.nix {};
+        default-gateway = pkgs.callPackage packages/default-gateway.nix {};
+        depp = pkgs.callPackage packages/depp.nix {};
+        devanagari = pkgs.callPackage packages/devanagari {};
+        devour = pkgs.callPackage packages/devour.nix {};
+        dic = pkgs.callPackage packages/dic.nix {};
+        dirmir = pkgs.callPackage packages/dirmir.nix {};
+        dmenu-bluetooth = pkgs.callPackage packages/dmenu-bluetooth.nix {};
+        dmenu-scrot = pkgs.callPackage packages/dmenu-scrot.nix {};
+        dns-sledgehammer = pkgs.callPackage packages/dns-sledgehammer.nix {};
+        fkill = pkgs.callPackage packages/fkill.nix {};
+        fzfmenu = pkgs.callPackage packages/fzfmenu.nix {};
+        genius = pkgs.callPackage packages/genius.nix {};
+        gfs-fonts = pkgs.callPackage packages/gfs-fonts.nix {};
+        git-preview = pkgs.callPackage packages/git-preview.nix {};
+        hc = pkgs.callPackage packages/hc.nix {};
+        heuretes = pkgs.callPackage packages/heuretes.nix {};
+        htgen = pkgs.callPackage packages/htgen.nix {};
+        image-convert-favicon = pkgs.callPackage packages/image-convert-favicon.nix {};
+        image-convert-tolino = pkgs.callPackage packages/image-convert-tolino.nix {};
+        infschmv = pkgs.callPackage packages/infschmv.nix {};
+        iolanguage = pkgs.callPackage packages/iolanguage.nix {};
+        ipa = pkgs.writers.writePython3Bin "ipa" {flakeIgnore = ["E501"];} (builtins.readFile packages/ipa.py);
+        ix = pkgs.callPackage packages/ix.nix {};
+        jsesh = pkgs.callPackage packages/jsesh.nix {};
+        k-lock = pkgs.callPackage packages/k-lock.nix {};
+        kirciuoklis = pkgs.callPackage packages/kirciuoklis.nix {};
+        klem = pkgs.callPackage packages/klem.nix {};
+        kpaste = pkgs.callPackage packages/kpaste.nix {};
+        literature-quote = pkgs.callPackage packages/literature-quote.nix {};
+        mahlzeit = pkgs.haskellPackages.callPackage packages/mahlzeit.nix {};
+        man-pandoc = pkgs.callPackage packages/man/pandoc.nix {};
+        man-pdf = pkgs.callPackage packages/man-pdf.nix {};
+        mansplain = pkgs.callPackage packages/mansplain.nix {};
+        manual-sort = pkgs.callPackage packages/manual-sort.nix {};
+        menu-calc = pkgs.callPackage packages/menu-calc.nix {};
+        meteo = pkgs.callPackage packages/meteo.nix {};
+        mpv-radio = pkgs.callPackage packages/mpv-radio.nix {di-fm-key-file = "/dev/null";};
+        mpv-tv = pkgs.callPackage packages/mpv-tv.nix {};
+        mpv-visualizer = pkgs.callPackage packages/mpv-visualizer.nix {};
+        new-mac = pkgs.callPackage packages/new-mac.nix {};
+        nix-git = pkgs.callPackage packages/nix-git.nix {};
+        nix-index-update = pkgs.callPackage packages/nix-index-update.nix {inherit system;};
+        opustags = pkgs.callPackage packages/opustags.nix {};
+        pls = pkgs.callPackage packages/pls.nix {};
+        qrpaste = pkgs.callPackage packages/qrpaste.nix {};
+        rfc = pkgs.callPackage packages/rfc.nix {};
+        scanned = pkgs.callPackage packages/scanned.nix {};
+        swallow = pkgs.callPackage packages/swallow.nix {};
+        text2pdf = pkgs.callPackage packages/text2pdf.nix {};
+        timer = pkgs.callPackage packages/timer.nix {};
+        tocharian-font = pkgs.callPackage packages/tocharian-font.nix {};
+        trans = pkgs.callPackage packages/trans.nix {};
+        ttspaste = pkgs.callPackage packages/ttspaste.nix {};
+        unicodmenu = pkgs.callPackage packages/unicodmenu.nix {};
+        untilport = pkgs.callPackage packages/untilport.nix {};
+        vg = pkgs.callPackage packages/vg.nix {};
+        vimPlugins-cheat-sh-vim = pkgs.callPackage packages/vimPlugins/cheat-sh.nix {};
+        vimPlugins-icalendar-vim = pkgs.callPackage packages/vimPlugins/icalendar-vim.nix {};
+        vimPlugins-jq-vim = pkgs.callPackage packages/vimPlugins/jq-vim.nix {};
+        vimPlugins-vim-256noir = pkgs.callPackage packages/vimPlugins/vim-256noir.nix {};
+        vimPlugins-vim-colors-paramount = pkgs.callPackage packages/vimPlugins/vim-colors-paramount.nix {};
+        vimPlugins-vim-fetch = pkgs.callPackage packages/vimPlugins/vim-fetch.nix {};
+        vimPlugins-vim-fsharp = pkgs.callPackage packages/vimPlugins/vim-fsharp.nix {};
+        vimPlugins-vim-mail = pkgs.callPackage packages/vimPlugins/vim-mail.nix {};
+        vimPlugins-vim-reason-plus = pkgs.callPackage packages/vimPlugins/vim-reason-plus.nix {};
+        vimv = pkgs.callPackage packages/vimv.nix {};
+        weechat-declarative = pkgs.callPackage packages/weechat-declarative.nix {};
+        weechatScripts-hotlist2extern = pkgs.callPackage packages/weechatScripts/hotlist2extern.nix {};
+        wttr = pkgs.callPackage packages/wttr.nix {};
+
+        itl = pkgs.callPackage packages/itl.nix {};
+        itools = pkgs.callPackage packages/itools.nix {itl = itl;};
+
+        booksplit = wrapScript {
+          script = inputs.voidrice.outPath + "/.local/bin/booksplit";
+          name = "booksplit";
+          packages = [pkgs.ffmpeg pkgs.glibc.bin];
+        };
+        dmenu-randr = wrapScript {
+          script = inputs.voidrice.outPath + "/.local/bin/displayselect";
+          name = "dmenu-randr";
+          packages = [pkgs.dmenu pkgs.bc pkgs.psmisc pkgs.util-linux pkgs.xorg.xrandr pkgs.gawk pkgs.libnotify pkgs.arandr (pkgs.writers.writeDashBin "setbg" "")];
+        };
+        tag = wrapScript {
+          script = inputs.voidrice.outPath + "/.local/bin/tag";
+          name = "tag";
+          packages = [pkgs.ffmpeg];
+        };
+      };
+    });
 }

lib/default.nix

@@ -40,7 +40,7 @@ rec {
 
   sshPort = 22022;
 
-  colours = import ./colours/papercolor-dark.nix;
+  colours = import ./colours/owickstrom-dark.nix;
 
   theme = pkgs: {
     gtk = {
@@ -72,7 +72,7 @@ rec {
     sshKeys = pkgs:
       pkgs.lib.strings.splitString "\n" (pkgs.lib.strings.fileContents (pkgs.fetchurl {
         url = "https://github.com/kmein.keys";
-        sha256 = "09c6ny0rmpid1m0pc1wsmb3wyy9g721lf4kv55i4lrp42b3i2d5b";
+        hash = "sha256-TvvPwplrH9cw7NE4GKqbE5ga+oBHM+TkjxYQ3b1fpLI=";
       }));
   };
 

lib/email.nix

@@ -2,7 +2,6 @@
   cock = rec {
     user = "2210@cock.li";
     address = user;
-    password = lib.strings.fileContents <secrets/mail/cock>;
     imap = "mail.cock.li";
     smtp = imap;
     smtpSettings = smtp: "smtp://${smtp}:587";

lib/i3status-rust.nix

@@ -3,6 +3,7 @@
   wirelessInterface,
   colours,
   batteryName,
+  accounts,
 }: let
   inherit (pkgs) lib;
 
@@ -10,8 +11,6 @@
     pkgs.writers.writeDash "setsid-command" ''
       ${pkgs.util-linux}/bin/setsid ${script}
     '';
-
-  accounts = import <niveum/lib/email.nix> {inherit lib;};
 in {
   theme = {
     name = "plain";
@@ -22,8 +21,6 @@ in {
       info_fg = colours.cyan.bright;
       warning_fg = colours.yellow.bright;
       warning_bg = colours.background;
-      alternating_tint_bg = colours.background;
-      alternating_tint_fg = colours.foreground;
       critical_bg = colours.background;
       good_bg = colours.background;
       idle_bg = colours.background;
@@ -44,7 +41,6 @@ in {
       format = "{location}: {temp}C";
       service = {
         name = "openweathermap";
-        api_key = lib.strings.fileContents <secrets/openweathermap.key>;
         city_id = "2950159";
         units = "metric";
       };
@@ -53,7 +49,7 @@ in {
       block = "custom";
       interval = 60 * 5;
       command = let
-        spacetime = import <niveum/configs/spacetime.nix>;
+        spacetime = import ../configs/spacetime.nix;
       in
         pkgs.writers.writePython3 "sun.py" {
           libraries = [pkgs.python3Packages.astral];
@@ -114,7 +110,8 @@ in {
       interval = 60 * 5;
       command = let
         query-account = name: account: "${pkgs.writers.writeDash "query-imap-${name}" ''
-          ${pkgs.coreutils}/bin/timeout 1 ${pkgs.curl}/bin/curl -sSL -u ${lib.escapeShellArg "${account.user}:${account.password}"} imaps://${account.imap} -X 'STATUS INBOX (UNSEEN)' \
+          password=$(${toString account.passwordCommand})
+          ${pkgs.coreutils}/bin/timeout 1 ${pkgs.curl}/bin/curl -sSL -u ${lib.escapeShellArg account.userName}:"$password" imaps://${account.imap.host} -X 'STATUS INBOX (UNSEEN)' \
             | ${pkgs.gnugrep}/bin/grep -Eo '[0-9]+' \
             | sed 's/^/{"${name}":/;s/$/}/'
         ''} &";
@@ -130,7 +127,7 @@ in {
               text: (if $sum > 0 then $sum | tostring else "" end),
               icon: "mail",
               state: (
-                if .uni > 0 or .["work-uni"] > 0 or .posteo > 0 then
+                if .["hu-student"] > 0 or .["hu-employee"] > 0 or .posteo > 0 then
                   "Warning"
                 elif $sum > 0 then
                   "Info"

lib/panoptikon.nix

@@ -0,0 +1,45 @@
+{
+  pkgs,
+  lib,
+  niveumPackages,
+  config,
+  ...
+}: {
+  # watcher scripts
+  url = address:
+    pkgs.writers.writeDash "watch-url" ''
+      ${pkgs.curl}/bin/curl -sSL ${lib.escapeShellArg address} \
+        | ${pkgs.python3Packages.html2text}/bin/html2text --decode-errors=ignore
+    '';
+  urlSelector = selector: address:
+    pkgs.writers.writeDash "watch-url-selector" ''
+      ${pkgs.curl}/bin/curl -sSL ${lib.escapeShellArg address} \
+        | ${pkgs.htmlq}/bin/htmlq ${lib.escapeShellArg selector} \
+        | ${pkgs.python3Packages.html2text}/bin/html2text
+    '';
+  urlJSON = {jqScript ? "."}: address:
+    pkgs.writers.writeDash "watch-url-json" ''
+      ${pkgs.curl}/bin/curl -sSL ${lib.escapeShellArg address} | ${pkgs.jq}/bin/jq -f ${pkgs.writeText "script.jq" jqScript}
+    '';
+
+  # reporter scripts
+  kpaste-irc = {
+    target,
+    retiolumLink ? false,
+    server ? "irc.r",
+    messagePrefix ? "change detected: ",
+    nick ? ''"$PANOPTIKON_WATCHER"-watcher'',
+  }:
+    pkgs.writers.writeDash "kpaste-irc-reporter" ''
+      ${niveumPackages.kpaste}/bin/kpaste \
+        | ${pkgs.gnused}/bin/sed -n "${
+        if retiolumLink
+        then "2"
+        else "3"
+      }s/^/${messagePrefix}/p" \
+        | ${config.nur.repos.mic92.ircsink}/bin/ircsink \
+          --nick ${nick} \
+          --server ${server} \
+          --target ${target}
+    '';
+}

lib/streams.nix

@@ -956,6 +956,11 @@ in
       stream = soma-fm "scanner";
       tags = [tags.soma tags.text];
     }
+    {
+      station = "Al Jazeera Arabic";
+      stream = "https://live-hls-audio-web-aja.getaj.net/VOICE-AJA/01.m3u8";
+      tags = [tags.text tags.arabic];
+    }
     {
       desc = "Celebrating NASA and Space Explorers everywhere.";
       logo = "http://soma.fm/img/missioncontrol120.jpg";
@@ -1842,71 +1847,127 @@ in
       stream = dr "p8jazz";
       tags = [tags.jazz tags.danish];
     }
+    {
+      station = "CNN morse code slow";
+      stream = "http://cw.dimebank.com:8080/CNNslow";
+      tags = [tags.text];
+    }
+    {
+      station = "CNN morse code fast";
+      stream = "http://cw.dimebank.com:8080/CNNfast";
+      tags = [tags.text];
+    }
+    {
+      station = "XXX orchestral";
+      stream = "http://orion.shoutca.st:8978/stream";
+      tags = [tags.classical];
+    }
+    {
+      station = "XXX greek";
+      stream = "http://radio.hostchefs.net:8046/stream?1520818130148";
+      tags = [tags.greek];
+    }
+    {
+      station = "XXX turkish or greek";
+      stream = "https://onairmediagroup.live24.gr/kralfm100xanthi";
+      tags = [tags.greek tags.turkish];
+    }
+    {
+      station = "Hard Rock Hell Radio";
+      tags = [tags.rock];
+      stream = "http://andromeda.shoutca.st:9254/stream";
+    }
+    {
+      station = "Divyavani";
+      tags = [tags.trad tags.indian];
+      stream = "https://divyavani.radioca.st/stream";
+    }
+    {
+      station = "XXX sanskrit radio";
+      tags = [tags.text tags.indian];
+      stream = "https://stream-23.zeno.fm/m08mkwsyw8quv?zs=0w7MJFPdRfavhR_zPt0M2g";
+    }
+    {
+      station = "Radio Mariam Arabic";
+      stream = "http://www.dreamsiteradiocp4.com:8014/stream";
+      tags = [tags.text tags.arabic];
+    }
+    {
+      station = "Kamchatka Live Rock";
+      stream = "https://radio.kamchatkalive.ru:8103/rock";
+      tags = [tags.rock];
+    }
+    {
+      station = "Kamchatka Live Chillout";
+      stream = "https://radio.kamchatkalive.ru:8103/chillout";
+      tags = [tags.chill];
+    }
+    {
+      station = "Kamchatka Live Dance";
+      stream = "https://radio.kamchatkalive.ru:8103/dance";
+      tags = [tags.party];
+    }
+    {
+      tags = [tags.arabic tags.text];
+      stream = "http://n02.radiojar.com/sxfbks1vfy8uv.mp3";
+      station = "Bahrain Radio 102.3 FM (Arabic Stories)";
+    }
+    {
+      tags = [tags.arabic tags.text tags.holy];
+      stream = "http://s2.voscast.com:12312/;";
+      station = "Bahrain Quran Radio";
+    }
+    {
+      tags = [tags.arabic tags.text tags.holy];
+      stream = "http://162.244.81.30:8224/;";
+      station = "Quran Radio Lebanon";
+    }
+    {
+      tags = [tags.arabic tags.text tags.holy];
+      station = "Coptic for God";
+      stream = "http://66.70.249.70:5832/stream";
+    }
+    {
+      stream = "http://stream-025.zeno.fm/5y95pu36sm0uv?";
+      station = "Hayat FM";
+      tags = [tags.arabic tags.text tags.holy];
+    }
+    {
+      stream = "http://uk2.internet-radio.com:8151/stream";
+      station = "The Quran Radio";
+      tags = [tags.arabic tags.text tags.holy];
+    }
   ]
+  ++ map (name: {
+    stream = "https://${name}.stream.publicradio.org/${name}.aac";
+    station = "${name} | Your Classical";
+    tags = [tags.classical];
+  }) ["ycradio" "guitar" "cms" "relax" "lullabies" "choral" "favorites" "chambermusic" "concertband" "holiday"]
 /*
       (caster-fm "TODO" "noasrv" 10182) # https://github.com/cccruzr/albumsyoumusthear/blob/7e00baf575e4d357cd275d54d1aeb717321141a8/HLS/IBERO_90_1.m3u
       (caster-fm "TODO" "shaincast" 20866) # https://github.com/cccruzr/albumsyoumusthear/blob/7e00baf575e4d357cd275d54d1aeb717321141a8/HLS/IBERO_90_1.m3u
 
-CNN news in morse code
-http://cw.dimebank.com:8080/CNNslow
-http://cw.dimebank.com:8080/CNNfast
-
-Orchestral
-http://orion.shoutca.st:8978/stream
 
 LoFi / Chill
 http://ice55.securenetsystems.net/DASH76
 
-News background music
-https://c13014-l-hls.u.core.cdn.streamfarm.net/1000153copo/hk2.m3u8
-
-?
-http://94.23.221.158:9163/stream
-
-Greek radio
-http://radio.hostchefs.net:8046/stream?1520818130148
 
 : http://audiokrishna.com/stations/japa2.mp3
-http://185.105.4.53:2339//;stream.mp3
-http://cast5.servcast.net:1390/;stream.mp3
-
-Hard rock
-http://andromeda.shoutca.st:9254/stream
 
 Rock alternative
 http://icy.unitedradio.it/VirginRockAlternative.mp3
 
-American nautical weather news
-http://ca.radioboss.fm:8149/stream
 
 Christian radio in all languages
 https://jesuscomingfm.com/#
 tamazight http://live.jesuscomingfm.com:8462/;
 
-supposedly good Greek radio
-https://onairmediagroup.live24.gr/kralfm100xanthi
 
 Somali Radio
 http://n0b.radiojar.com/1pu7hhf8kfhvv
 
-Sanskrit
-https://stream-23.zeno.fm/m08mkwsyw8quv?zs=0w7MJFPdRfavhR_zPt0M2g
-https://divyavani.radioca.st/stream
 
 Chillout from kassel
 https://server4.streamserver24.com:2199/tunein/ejanowsk.pls
-
-Radio Mariam Arabic (Rome)
-http://www.dreamsiteradiocp4.com:8014/stream
-
-https://radio.kamchatkalive.ru:8103/rock
-https://radio.kamchatkalive.ru:8103/chillout
-https://radio.kamchatkalive.ru:8103/dance
-
-Fuṣḥā Stories (Bahrain Radio 102.3 FM)
-http://n02.radiojar.com/sxfbks1vfy8uv.mp3
-
-Bahrain Quran Radio
-http://s2.voscast.com:12312/;
 */
 

lib/vim/init.lua

@@ -0,0 +1,86 @@
+local opts = { noremap=true, silent=true }
+vim.keymap.set('n', '<space>e', vim.diagnostic.open_float, opts)
+vim.keymap.set('n', '[d', vim.diagnostic.goto_prev, opts)
+vim.keymap.set('n', ']d', vim.diagnostic.goto_next, opts)
+vim.keymap.set('n', '<space>q', vim.diagnostic.setloclist, opts)
+
+-- Use an on_attach function to only map the following keys
+-- after the language server attaches to the current buffer
+local on_attach = function(client, bufnr)
+  -- Enable completion triggered by <c-x><c-o>
+  vim.api.nvim_buf_set_option(bufnr, 'omnifunc', 'v:lua.vim.lsp.omnifunc')
+
+  -- Mappings.
+  -- See `:help vim.lsp.*` for documentation on any of the below functions
+  local bufopts = { noremap=true, silent=true, buffer=bufnr }
+  vim.keymap.set('n', 'gD', vim.lsp.buf.declaration, bufopts)
+  vim.keymap.set('n', 'gd', vim.lsp.buf.definition, bufopts)
+  vim.keymap.set('n', 'K', vim.lsp.buf.hover, bufopts)
+  vim.keymap.set('n', 'gi', vim.lsp.buf.implementation, bufopts)
+  vim.keymap.set('n', '<C-k>', vim.lsp.buf.signature_help, bufopts)
+  vim.keymap.set('n', '<space>wa', vim.lsp.buf.add_workspace_folder, bufopts)
+  vim.keymap.set('n', '<space>wr', vim.lsp.buf.remove_workspace_folder, bufopts)
+  vim.keymap.set('n', '<space>wl', function()
+    print(vim.inspect(vim.lsp.buf.list_workspace_folders()))
+  end, bufopts)
+  vim.keymap.set('n', '<space>D', vim.lsp.buf.type_definition, bufopts)
+  vim.keymap.set('n', '<space>rn', vim.lsp.buf.rename, bufopts)
+  vim.keymap.set('n', '<space>ca', vim.lsp.buf.code_action, bufopts)
+  vim.keymap.set('n', 'gr', vim.lsp.buf.references, bufopts)
+  vim.keymap.set('n', '<space>f', function() vim.lsp.buf.format { async = true } end, bufopts)
+end
+
+local lsp_flags = {
+  -- This is the default in Nvim 0.7+
+  debounce_text_changes = 150,
+}
+
+language_servers = {
+  pyright = {}, -- pyright
+  -- tsserver = {}, -- typescript-language-server
+  -- elmls = {}, -- elm-language-server
+  -- denols = {}, -- deno built in
+  -- bashls = {}, -- bash-language-server
+  hls = {}, -- haskell-language-server
+  -- html = {}, -- vscode-langservers-extracted
+  -- jsonls = {}, -- vscode-langservers-extracted
+  nil_ls = {}, -- github:oxalica/nil
+  -- rnix = {}, -- rnix-lsp
+  -- jqls = {}, -- jq-lsp
+  rust_analyzer = { ["rust-analyzer"] = {} },
+  -- eslint?
+  -- volar? vls?
+  texlab = {
+    texlab = {
+      auxDirectory = ".",
+      bibtexFormatter = "texlab",
+      build = {
+        args = { "-pdf", "-interaction=nonstopmode", "-synctex=1", "%f" },
+        executable = "latexmk",
+        forwardSearchAfter = false,
+        onSave = false
+      },
+      chktex = {
+        onEdit = false,
+        onOpenAndSave = false
+      },
+      diagnosticsDelay = 300,
+      formatterLineLength = 80,
+      forwardSearch = {
+        args = {}
+      },
+      latexFormatter = "latexindent",
+      latexindent = {
+        modifyLineBreaks = false
+      }
+    }
+  }
+}
+
+for server, settings in pairs(language_servers) do
+  require('lspconfig')[server].setup{
+    on_attach = on_attach,
+    flags = lsp_flags,
+    settings = settings,
+  }
+end

modules/dropbox.nix

@@ -1,34 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.niveum.dropbox;
-in {
-  options.niveum.dropbox = {enable = mkEnableOption "Dropbox";};
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [pkgs.dropbox-cli];
-
-    networking.firewall = {
-      allowedTCPPorts = [17500];
-      allowedUDPPorts = [17500];
-    };
-
-    systemd.user.services.dropbox = {
-      description = "Dropbox synchronisation service";
-      wantedBy = ["graphical-session.target"];
-      serviceConfig = {
-        ExecStart = "${pkgs.dropbox.out}/bin/dropbox";
-        ExecReload = "${pkgs.coreutils.out}/bin/kill -HUP $MAINPID";
-        KillMode = "control-group"; # upstream recommends process
-        Restart = "on-failure";
-        PrivateTmp = true;
-        ProtectSystem = "full";
-        Nice = 10;
-      };
-    };
-  };
-}

modules/hledger.nix

@@ -1,86 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib; let
-  cfg = config.niveum.hledger;
-  hledger-git = pkgs.writers.writeDashBin "hledger-git" ''
-    LEDGER_DIR="$(dirname $LEDGER_FILE)"
-    GIT="${pkgs.git}/bin/git -C ''${LEDGER_DIR}"
-    if [ "$1" = entry ]; then
-      ${cfg.package}/bin/hledger balance -V > "$LEDGER_DIR/balance.txt"
-      $GIT add balance.txt
-      $GIT commit --all --message="$(date -Im)"
-    else
-      $GIT $*
-    fi
-  '';
-  hledger-edit = pkgs.writers.writeDashBin "hledger-edit" ''
-    LEDGER_DIR="$(dirname $LEDGER_FILE)"
-    $EDITOR ''${LEDGER_DIR}/current.journal
-  '';
-in {
-  options.niveum.hledger = {
-    enable = mkEnableOption "hledger";
-    package = mkOption {
-      type = types.package;
-      default = pkgs.hledger;
-    };
-    ledgerFile = mkOption {
-      type = types.str;
-      default = null;
-    };
-    server = {
-      enable = mkEnableOption "hledger server";
-      port = mkOption {
-        type = types.port;
-        default = 5000;
-      };
-      host = mkOption {
-        type = types.str;
-        default = "127.0.0.1";
-      };
-      capabilities = mkOption {
-        type = types.listOf (types.enum ["view" "add" "manage"]);
-        default = ["view" "add"];
-      };
-      flags = mkOption {
-        type = types.listOf types.str;
-        default = [];
-      };
-      user = mkOption {type = types.attrs;};
-      package = mkOption {
-        type = types.package;
-        default = pkgs.hledger-web;
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [cfg.package hledger-git hledger-edit];
-
-    environment.variables.LEDGER_FILE =
-      mkIf (cfg.ledgerFile != null) cfg.ledgerFile;
-
-    systemd.services.hledger-web = mkIf cfg.server.enable {
-      description = "hledger server";
-      wantedBy = ["multi-user.target"];
-      serviceConfig = {
-        Restart = "always";
-        ExecStart = ''
-          ${cfg.server.package}/bin/hledger-web \
-          --port=${toString cfg.server.port} \
-          --host=${cfg.server.host} \
-          --capabilities=${concatStringsSep "," cfg.server.capabilities} \
-          ${concatStringsSep " " cfg.server.flags}
-        '';
-        User = cfg.server.user.name;
-        PrivateTemp = true;
-        RuntimeDirectory = "hledger-web";
-        WorkingDirectory = "%t/hledger-web";
-      };
-    };
-  };
-}

modules/htgen.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  htgen = pkgs.callPackage ../packages/htgen.nix {};
+in {
+  options.services.htgen = lib.mkOption {
+    default = {};
+    type = lib.types.attrsOf (lib.types.submodule ({config, ...}: {
+      options = {
+        enable = lib.mkEnableOption "htgen-${config._module.args.name}";
+        port = lib.mkOption {
+          type = lib.types.int;
+        };
+        script = lib.mkOption {
+          type = lib.types.str;
+        };
+      };
+    }));
+  };
+  config = {
+    systemd.services =
+      lib.mapAttrs' (
+        name: cfg:
+          lib.nameValuePair "htgen-${name}" {
+            wantedBy = ["multi-user.target"];
+            after = ["network.target"];
+            environment = {
+              HOME = "/var/lib/htgen-${name}";
+              HTGEN_PORT = toString cfg.port;
+              HTGEN_SCRIPT = cfg.script;
+            };
+            serviceConfig = {
+              SyslogIdentifier = "htgen-${name}";
+              DynamicUser = true;
+              StateDirectory = "htgen-${name}";
+              PrivateTmp = true;
+              Restart = "always";
+              ExecStart = "${htgen}/bin/htgen --serve";
+            };
+          }
+      )
+      config.services.htgen;
+  };
+}

modules/minecraft.nix

@@ -1,13 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.niveum.minecraft;
-in {
-  options.niveum.minecraft = {enable = mkEnableOption "Minecraft";};
-
-  config = mkIf cfg.enable {environment.systemPackages = [pkgs.minecraft];};
-}

modules/moodle-dl.nix

@@ -23,6 +23,13 @@ in {
         '';
       };
 
+      tokensFile = mkOption {
+        type = types.path;
+        description = ''
+          Path to a JSON file containing a "token" key and, optionally, a "telegram"."token" key.
+        '';
+      };
+
       notifyOnly = mkOption {
         default = false;
         type = types.bool;
@@ -74,7 +81,7 @@ in {
           Group = config.users.groups.moodle-dl.name;
           WorkingDirectory = cfg.directory;
           ExecStart = "${cfg.package}/bin/moodle-dl ${lib.optionalString cfg.notifyOnly "--without-downloading-files"}";
-          ExecStartPre = "${pkgs.coreutils}/bin/ln -sfn ${toString moodle-dl-json} ${cfg.directory}/config.json";
+          ExecStartPre = pkgs.writers.writeDash "moodle-dl-config" "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${toString moodle-dl-json} ${toString cfg.tokensFile} > ${cfg.directory}/config.json";
         }
         (mkIf (cfg.directory == stateDirectoryDefault) {StateDirectory = "moodle-dl";})
       ];

modules/panoptikon.nix

@@ -0,0 +1,130 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  options.services.panoptikon = {
+    enable = lib.mkEnableOption "Generic command output / website watcher";
+    watchers = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule (watcher: {
+        options = {
+          script = lib.mkOption {
+            type = lib.types.path;
+            description = ''
+              A script whose stdout is to be watched.
+            '';
+            example = ''
+              pkgs.writers.writeDash "github-meta" '''
+                ''${pkgs.curl}/bin/curl -sSL https://api.github.com/meta | ''${pkgs.jq}/bin/jq
+              '''
+            '';
+          };
+          frequency = lib.mkOption {
+            type = lib.types.str;
+            description = ''
+              How often to run the script. See systemd.time(7) for more information about the format.
+            '';
+            example = "*:0/3";
+            default = "daily";
+          };
+          reporters = lib.mkOption {
+            type = lib.types.listOf lib.types.path;
+            description = ''
+              A list of scripts that take the diff (if any) via stdin and report it (e.g. to IRC, Telegram or Prometheus). The name of the watcher will be in the $PANOPTIKON_WATCHER environment variable.
+            '';
+            example = ''
+              [
+                (pkgs.writers.writeDash "telegram-reporter" '''
+                  ''${pkgs.curl}/bin/curl -X POST https://api.telegram.org/bot''${TOKEN}/sendMessage \
+                    -d chat_id=123456 \
+                    -d text="$(cat)"
+                ''')
+                (pkgs.writers.writeDash "notify" '''
+                  ''${pkgs.libnotify}/bin/notify-send "$PANOPTIKON_WATCHER has changed."
+                ''')
+              ]
+            '';
+          };
+        };
+        config = {};
+      }));
+    };
+  };
+
+  config = let
+    cfg = config.services.panoptikon;
+  in
+    lib.mkIf cfg.enable {
+      users.extraUsers.panoptikon = {
+        isSystemUser = true;
+        createHome = true;
+        home = "/var/lib/panoptikon";
+        group = "panoptikon";
+      };
+
+      users.extraGroups.panoptikon = {};
+
+      systemd.timers = lib.attrsets.mapAttrs' (watcherName: _:
+        lib.nameValuePair "panoptikon-${watcherName}" {
+          timerConfig.RandomizedDelaySec = toString (60 * 60);
+        })
+      cfg.watchers;
+
+      systemd.services =
+        {
+          setup-panoptikon = {
+            enable = true;
+            wantedBy = ["multi-user.target"];
+            serviceConfig = {
+              Type = "oneshot";
+              User = "panoptikon";
+              Group = "panoptikon";
+              WorkingDirectory = "/var/lib/panoptikon";
+              Restart = "on-failure";
+            };
+            script = ''
+              ${pkgs.git}/bin/git init --quiet
+              ${pkgs.git}/bin/git config user.email "panoptikon@${config.networking.hostName}"
+              ${pkgs.git}/bin/git config user.name Panoptikon
+            '';
+          };
+        }
+        // lib.attrsets.mapAttrs' (watcherName: watcherOptions:
+          lib.nameValuePair "panoptikon-${watcherName}" {
+            enable = true;
+            after = ["setup-panoptikon.service"];
+            startAt = watcherOptions.frequency;
+            serviceConfig = {
+              Type = "oneshot";
+              User = "panoptikon";
+              Group = "panoptikon";
+              WorkingDirectory = "/var/lib/panoptikon";
+              RestartSec = "60";
+              Restart = "on-failure";
+            };
+            unitConfig = {
+              StartLimitIntervalSec = "300";
+              StartLimitBurst = "5";
+            };
+            environment.PANOPTIKON_WATCHER = watcherName;
+            wants = ["network-online.target"];
+            script = ''
+              set -efu
+
+              ${watcherOptions.script} > ${watcherName}
+              ${pkgs.git}/bin/git add ${watcherName}
+              ${pkgs.git}/bin/git commit --message "${watcherName} / $(${pkgs.coreutils}/bin/date -Is)" || :
+
+              if [ -n "$(${pkgs.git}/bin/git diff HEAD^ -- ${watcherName})" ]; then
+                ${lib.strings.concatMapStringsSep "\n" (reporter: ''
+                  ${pkgs.git}/bin/git diff HEAD^ -- ${watcherName} | ${reporter}
+                '')
+                watcherOptions.reporters}
+                :
+              fi
+            '';
+          })
+        cfg.watchers;
+    };
+}

modules/power-action.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.services.power-action;
+
+  out = {
+    options.services.power-action = api;
+    config = lib.mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "power-action";
+    battery = mkOption {
+      type = types.str;
+      default = "BAT0";
+    };
+    user = mkOption {
+      type = types.str;
+      default = "power-action";
+    };
+    startAt = mkOption {
+      type = types.str;
+      default = "*:0/1";
+    };
+    plans = mkOption {
+      type = with types;
+        attrsOf (submodule {
+          options = {
+            charging = mkOption {
+              type = nullOr bool;
+              default = null;
+              description = ''
+                check for charging status.
+                null = don't care
+                true = only if system is charging or unknown
+                false = only if system is discharging
+              '';
+            };
+            upperLimit = mkOption {
+              type = int;
+            };
+            lowerLimit = mkOption {
+              type = int;
+            };
+            action = mkOption {
+              type = path;
+            };
+          };
+        });
+    };
+  };
+
+  imp = {
+    systemd.services.power-action = {
+      serviceConfig = rec {
+        ExecStart = startScript;
+        User = cfg.user;
+      };
+      startAt = cfg.startAt;
+    };
+  };
+
+  startScript = pkgs.writers.writeDash "power-action" ''
+    set -euf
+
+    power="$(${powerlvl})"
+    state="$(${state})"
+    ${concatStringsSep "\n" (mapAttrsToList writeRule cfg.plans)}
+  '';
+  charging_check = plan:
+    if (plan.charging == null)
+    then ""
+    else if plan.charging
+    then ''&& [ "$state" = "true" ]''
+    else ''&& ! [ "$state" = "true" ]'';
+
+  writeRule = _: plan: "if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
+
+  powerlvl = pkgs.writers.writeDash "powerlvl" ''
+    cat /sys/class/power_supply/${cfg.battery}/capacity
+  '';
+
+  state = pkgs.writers.writeDash "state" ''
+    if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ]
+      then echo "false"
+      else echo "true"
+    fi
+  '';
+in
+  out

modules/specus.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  specusMachines = {
+    servers = {
+      makanek = {
+        ipv4 = "10.100.0.1";
+        publicKey = "KhcScd4fBpdhQzK8Vc+1mEHQMQBpbKBUPB4oZ7skeSk=";
+      };
+      ful = {
+        ipv4 = "10.100.0.2";
+        publicKey = "0Y7+zoXkWJGVOWWnMjvYjtwP+WpggAlmkRbgMw0z8Dk=";
+      };
+    };
+    clients = {
+      kabsa = {
+        ipv4 = "10.100.0.101";
+        publicKey = "nRkzoRi9crKHF7263U37lt4GGL7/8637NBSKjifI9hY=";
+      };
+    };
+  };
+in {
+  options.services.specus = {
+    server = {
+      enable = lib.mkEnableOption "Specus private VPN (server)";
+    };
+    client = {
+      enable = lib.mkEnableOption "Specus private VPN (client)";
+    };
+    privateKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Private key file of the server/client machine";
+    };
+  };
+
+  config = let
+    cfg = config.services.specus;
+    specusPort = 22;
+  in
+    {
+      assertions = [
+        {
+          assertion =
+            !(cfg.server.enable && cfg.client.enable);
+          message = "specus: systems cannot be client and server at the same time";
+        }
+      ];
+    }
+    // lib.mkIf cfg.server.enable {
+      networking.nat = {
+        enable = true;
+        externalInterface = "eth0"; # TODO
+        internalInterfaces = ["specus"];
+      };
+      networking.firewall.allowedUDPPorts = [specusPort];
+      networking.wireguard.interfaces.specus = {
+        ips = ["${specusMachines.servers.${config.networking.hostName}.ipv4}/24"];
+        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        listenPort = specusPort;
+        privateKeyFile = cfg.privateKeyFile;
+        peers =
+          lib.mapAttrsToList (clientName: clientConfig: {
+            publicKey = clientConfig.publicKey;
+            allowedIPs = ["${clientConfig.ipv4}/32"];
+          })
+          specusMachines.clients;
+      };
+    }
+    // lib.mkIf cfg.client.enable {
+      networking.firewall.allowedUDPPorts = [specusPort];
+      networking.wireguard.interfaces = lib.attrsets.mapAttrs' (serverName: serverConfig:
+        lib.nameValuePair "specus-${serverName}" {
+          ips = ["${specusMachines.clients.${config.networking.hostName}.ipv4}/24"];
+          listenPort = specusPort;
+          privateKeyFile = cfg.privateKeyFile;
+          peers = [
+            {
+              allowedIPs = ["0.0.0.0/0"];
+              endpoint = "${(import ../lib/external-network.nix).${serverName}}:${toString specusPort}";
+              persistentKeepalive = 25;
+              publicKey = serverConfig.publicKey;
+            }
+          ];
+        })
+      specusMachines.servers;
+    };
+}

modules/spotifyd.nix

@@ -1,64 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib; let
-  cfg = config.services.spotifyd;
-  toml = pkgs.formats.toml {};
-  spotifydConf =
-    if cfg.settings != {}
-    then toml.generate "spotify.conf" cfg.settings
-    else pkgs.writeText "spotifyd.conf" cfg.config;
-in {
-  options = {
-    services.spotifyd = {
-      enable = mkEnableOption "spotifyd, a Spotify playing daemon";
-
-      config = mkOption {
-        default = "";
-        type = types.lines;
-        description = ''
-          (Deprecated) Configuration for Spotifyd. For syntax and directives, see
-          <link xlink:href="https://github.com/Spotifyd/spotifyd#Configuration"/>.
-        '';
-      };
-
-      settings = mkOption {
-        default = {};
-        type = toml.type;
-        description = ''
-          Configuration for Spotifyd. For syntax and directives, see
-          <link xlink:href="https://github.com/Spotifyd/spotifyd#Configuration"/>.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = (cfg.config == "" && cfg.settings != {}) || (cfg.config != "" && cfg.settings == {});
-        message = "Using the stringly typed .config attribute is discouraged. Use the TOML typed .settings attribute instead.";
-      }
-    ];
-
-    systemd.services.spotifyd = {
-      wantedBy = ["multi-user.target"];
-      after = ["network-online.target" "sound.target"];
-      description = "spotifyd, a Spotify playing daemon";
-      environment.SHELL = "/bin/sh";
-      serviceConfig = {
-        ExecStart = "${pkgs.spotifyd}/bin/spotifyd --no-daemon --cache-path /var/cache/spotifyd --config-path ${spotifydConf}";
-        Restart = "always";
-        RestartSec = 12;
-        DynamicUser = true;
-        CacheDirectory = "spotifyd";
-        SupplementaryGroups = ["audio"];
-      };
-    };
-  };
-
-  meta.maintainers = [maintainers.anderslundstedt];
-}

modules/telegram-bot.nix

@@ -11,19 +11,27 @@ with lib; let
     nameValuePair "telegram-bot-${name}" {
       enable = bot.enable;
       startAt = bot.time;
-      serviceConfig.Type = "oneshot";
+      serviceConfig = {
+        Type = "oneshot";
+        LoadCredential = "token:${bot.tokenFile}";
+      };
       wants = ["network-online.target"];
-      script = strings.concatStringsSep "\n" (["QUOTE=$(${bot.command})" "if [ -n \"$QUOTE\" ]; then" "echo $QUOTE >&2"]
-        ++ map (chatId: ''
-          ${pkgs.curl}/bin/curl -X POST "https://api.telegram.org/bot${bot.token}/sendMessage" \
-            -d chat_id="${chatId}" \
-            -d text="$QUOTE" ${
-            lib.strings.optionalString (bot.parseMode != null)
-            "-d parse_mode=${bot.parseMode}"
-          } | ${pkgs.jq}/bin/jq -e .ok
-        '')
-        bot.chatIds
-        ++ ["fi"]);
+      script = ''
+        export TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")"
+        QUOTE=$(${bot.command})
+        if [ -n "$QUOTE" ]; then
+          echo $QUOTE >&2
+          ${strings.concatStringsSep "\n" (map (chatId: ''
+            ${pkgs.curl}/bin/curl -X POST "https://api.telegram.org/bot''${TOKEN}/sendMessage" \
+              -d chat_id="${chatId}" \
+              -d text="$QUOTE" ${
+              lib.strings.optionalString (bot.parseMode != null)
+              "-d parse_mode=${bot.parseMode}"
+            } | ${pkgs.jq}/bin/jq -e .ok
+          '')
+          bot.chatIds)}
+        fi
+      '';
     };
 in {
   options.niveum.telegramBots = mkOption {
@@ -31,7 +39,7 @@ in {
       options = {
         enable = mkEnableOption "Telegram bot";
         time = mkOption {type = types.str;};
-        token = mkOption {type = types.strMatching "[0-9A-Za-z:-]+";};
+        tokenFile = mkOption {type = types.path;};
         chatIds = mkOption {
           type = types.listOf (types.strMatching "-?[0-9]+|@[A-Za-z0-9]+");
         };

modules/traadfri.nix

@@ -2,19 +2,17 @@
   pkgs,
   lib,
   config,
+  inputs,
   ...
 }:
 with lib; let
   cfg = config.niveum.traadfri;
-  traadfri = pkgs.callPackage <traadfri> {
-    libcoap = pkgs.callPackage <niveum/packages/libcoap.nix> {tls = true;};
-  };
 in {
   options.niveum.traadfri = {
     enable = mkEnableOption "Trådfri CLI";
     user = mkOption {type = types.str;};
     host = mkOption {type = types.str;};
-    key = mkOption {type = types.str;};
+    keyFile = mkOption {type = types.path;};
     rooms = mkOption {
       type = types.attrsOf types.int;
       default = {};
@@ -29,10 +27,10 @@ in {
     environment.systemPackages =
       [
         (pkgs.writers.writeDashBin "traadfri" ''
-          TRAADFRI_USER="${cfg.user}" \
-          TRAADFRI_KEY="${cfg.key}" \
-          TRAADFRI_HUB="${cfg.host}" \
-          ${traadfri}/bin/traadfri $@
+          export TRAADFRI_USER="${cfg.user}"
+          export TRAADFRI_KEY="$(cat ${lib.escapeShellArg cfg.keyFile})"
+          export TRAADFRI_HUB="${cfg.host}"
+          ${inputs.traadfri.defaultPackage.x86_64-linux}/bin/traadfri $@
         '')
       ]
       ++ lib.mapAttrsToList (name: value:

modules/tuna.nix

@@ -1,103 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib; let
-  tuna = pkgs.callPackage <tuna> {};
-  cfg = config.services.tuna;
-in {
-  imports = [];
-
-  options.services.tuna = {
-    enable = mkEnableOption "Tuna, an MPD web UI for radio streams";
-
-    webPort = mkOption {
-      type = types.port;
-      default = 4200;
-    };
-
-    stations = mkOption {
-      default = [];
-      type = types.listOf (types.submodule {
-        options = {
-          id = mkOption {
-            type = types.int;
-            description = "A unique identifier of the station";
-          };
-          station = mkOption {
-            type = types.str;
-            description = "Name of the station that should be displayed";
-          };
-          desc = mkOption {
-            type = types.nullOr types.str;
-            description = "Short description of the station (optional)";
-          };
-          logo = mkOption {
-            type = types.str;
-            description = "URL to a logo of the station (any size)";
-          };
-          stream = mkOption {
-            type = types.str;
-            description = "URL to the stream of the radio station (in a format supported by MPD such as MP3, OGG, ...)";
-          };
-        };
-      });
-    };
-
-    stationsFile = mkOption {
-      type = types.path;
-      default = (pkgs.formats.json {}).generate "stations.json" cfg.stations;
-    };
-
-    package = mkOption {
-      type = types.package;
-      default = tuna;
-    };
-
-    mpd = {
-      host = mkOption {
-        type = types.str;
-        default = "localhost";
-        description = "The host where MPD is listening.";
-        example = "localhost";
-      };
-
-      port = mkOption {
-        type = types.port;
-        default = config.services.mpd.network.port;
-        description = "The port where MPD is listening.";
-        example = 6600;
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.users.tuna = {
-      isSystemUser = true;
-      group = "tuna";
-    };
-    users.groups.tuna = {};
-    # ref https://github.com/florianheinemann/MPD.FM/blob/9d037cf87597b26ae2f10ba9feea48946ad6cc68/service/MPD.FM.service
-    systemd.services.tuna = {
-      wantedBy = ["multi-user.target"];
-      after = ["mpd.service"];
-      script = "${cfg.package}/bin/tuna";
-      environment = {
-        NODE_ENV = "production";
-        MPD_HOST = cfg.mpd.host;
-        MPD_PORT = toString cfg.mpd.port;
-        PORT = toString cfg.webPort;
-        STATION_FILE = cfg.stationsFile;
-      };
-      serviceConfig = {
-        Restart = "always";
-        StandardOutput = "syslog";
-        StandardError = "syslog";
-        SyslogIdentifier = "tuna";
-        User = "tuna";
-      };
-    };
-  };
-}

overlays/overlays.nix

@@ -1,6 +0,0 @@
-self: super:
-with super.lib; let
-  eval = import <nixpkgs/nixos/lib/eval-config.nix>;
-  paths = (eval {modules = [(import <nixos-config>)];}).config.nixpkgs.overlays;
-in
-  foldl' (flip extends) (_: super) paths self

packages/betacode.nix

@@ -0,0 +1,16 @@
+{
+  writers,
+  haskell,
+  haskellPackages,
+}:
+writers.writeHaskellBin "betacode" {
+  libraries = [
+    (haskell.lib.unmarkBroken (haskell.lib.doJailbreak haskellPackages.betacode))
+    haskellPackages.text
+  ];
+} ''
+  import qualified Data.Text.IO as T
+  import qualified Data.Text as T
+  import Text.BetaCode
+  main = T.interact (either (error . T.unpack) id . fromBeta)
+''

packages/cheat-sh.nix

@@ -0,0 +1,9 @@
+# https://nitter.net/igor_chubin/status/1557793569104183298
+{
+  writers,
+  curl,
+}:
+writers.writeDashBin "so" ''
+  IFS=+
+  ${curl}/bin/curl -sSL http://cht.sh/"$*"
+''

packages/closest/default.nix

@@ -0,0 +1,18 @@
+{
+  writers,
+  fetchurl,
+  haskellPackages,
+}:
+writers.writeDashBin "closest" ''
+  ${
+    writers.writeHaskellBin "closest" {
+      libraries = with haskellPackages; [parallel optparse-applicative edit-distance];
+      ghcArgs = ["-O3" "-threaded"];
+    } (builtins.readFile ./distance.hs)
+  }/bin/closest +RTS -N4 -RTS --dictionary ${
+    fetchurl {
+      url = "https://gist.github.com/MarvinJWendt/2f4f4154b8ae218600eb091a5706b5f4/raw/36b70dd6be330aa61cd4d4cdfda6234dcb0b8784/wordlist-german.txt";
+      sha256 = "0vr4lmlckgvj4s8sk502sknq9pf3297rvasj5sqqm05zzbdgpppj";
+    }
+  } "$@"
+''

packages/cyberlocker-tools.nix

@@ -0,0 +1,23 @@
+{pkgs}:
+pkgs.symlinkJoin {
+  name = "cyberlocker-tools";
+  paths = [
+    (pkgs.writers.writeDashBin "cput" ''
+      set -efu
+      path=''${1:-$(hostname)}
+      path=$(echo "/$path" | sed -E 's:/+:/:')
+      url=http://c.r$path
+
+      ${pkgs.curl}/bin/curl -fSs --data-binary @- "$url"
+      echo "$url"
+    '')
+    (pkgs.writers.writeDashBin "cdel" ''
+      set -efu
+      path=$1
+      path=$(echo "/$path" | sed -E 's:/+:/:')
+      url=http://c.r$path
+
+      ${pkgs.curl}/bin/curl -f -X DELETE "$url"
+    '')
+  ];
+}

packages/daybook.nix

@@ -1,33 +0,0 @@
-{
-  lib,
-  stdenv,
-  makeWrapper,
-  pandoc,
-  fetchFromGitHub,
-}:
-stdenv.mkDerivation {
-  name = "daybook";
-  src = fetchFromGitHub {
-    owner = "kmein";
-    repo = "daybook";
-    rev = "db2c34830e09183c80f3381bf5e4c44d52f05d53";
-    sha256 = "0nbsv8f12qh5spq7zhimhdf3p7msk33xrb0ilqvlc6jmlkpislmv";
-  };
-  nativeBuildInputs = [makeWrapper];
-  buildInputs = [pandoc];
-  buildPhase = ''
-    mkdir -p $out/man/man1
-    pandoc --standalone --to man daybook.1.md -o $out/man/man1/daybook.1
-  '';
-  installPhase = ''
-    mkdir -p $out/bin
-    install daybook $out/bin
-    wrapProgram $out/bin/daybook --prefix PATH ":" ${pandoc}/bin ;
-  '';
-  meta = with lib; {
-    homepage = https://github.com/kmein/daybook;
-    description = "A diary writing utility in sh";
-    license = licenses.mit;
-    platforms = platforms.linux;
-  };
-}

packages/default-gateway.nix

@@ -0,0 +1,8 @@
+{
+  writers,
+  iproute2,
+  jq,
+}:
+writers.writeDashBin "default-gateway" ''
+  ${iproute2}/bin/ip -json route | ${jq}/bin/jq --raw-output '.[0].gateway'
+''

packages/dic.nix

@@ -0,0 +1,43 @@
+{
+  fetchgit,
+  lib,
+  stdenv,
+  coreutils,
+  curl,
+  gnugrep,
+  gnused,
+  util-linux,
+}:
+stdenv.mkDerivation {
+  name = "dic";
+
+  src = fetchgit {
+    url = https://cgit.ni.krebsco.de/dic;
+    rev = "refs/tags/v1.1.1";
+    sha256 = "1gbj967a5hj53fdkkxijqgwnl9hb8kskz0cmpjq7v65ffz3v6vag";
+  };
+
+  phases = [
+    "unpackPhase"
+    "installPhase"
+  ];
+
+  installPhase = let
+    path = lib.makeBinPath [
+      coreutils
+      curl
+      gnused
+      gnugrep
+      util-linux
+    ];
+  in ''
+    mkdir -p $out/bin
+
+    sed \
+      's,^main() {$,&\n  PATH=${path}; export PATH,' \
+      < ./dic \
+      > $out/bin/dic
+
+    chmod +x $out/bin/dic
+  '';
+}

packages/dirmir.nix

@@ -0,0 +1,24 @@
+{writers}:
+writers.writeDashBin "dirmir" ''
+  SOURCE="$1"
+  TARGET="$2"
+
+  if [ ! -d "$SOURCE" ] || [ $# -ne 2 ]; then
+    echo >/dev/stderr "Usage: dirmir SOURCE TARGET"
+    exit 1
+  fi
+
+  if [ -e "$TARGET" ]; then
+    echo >/dev/stderr "$TARGET" already exists. Please use a different name.
+    exit 1
+  fi
+
+  find "$SOURCE" | while read -r entry; do
+    if [ -d "$entry" ]; then
+      mkdir -p "$TARGET/$entry"
+    else
+      # create a file with the same permissions as $entry
+      install -m "$(stat -c %a "$entry")" /dev/null "$TARGET/$entry"
+    fi
+  done
+''

packages/dmenu-bluetooth.nix

@@ -0,0 +1,64 @@
+{
+  writers,
+  libnotify,
+  dmenu,
+  bluez5,
+  lib,
+}:
+writers.writeDashBin "dmenu-bluetooth" ''
+  # UI for connecting to bluetooth devices
+  set -efu
+  PATH=$PATH=${lib.makeBinPath [libnotify dmenu bluez5]}
+
+  bluetooth_notify() {
+    notify-send --app-name=" Bluetooth" "$@"
+  }
+
+  chose_device() {
+    # the output from `bluetoothctl {paired-,}devices` has a first column which always contains `Device` followed by a MAC address and the device name
+    cut -d ' ' -f2- | dmenu -i -l 5 -p "Bluetooth device"
+  }
+
+  bluetoothctl scan on &
+
+  case "$(printf "pair\nconnect\ndisconnect" | dmenu -i)" in
+    pair)
+      chosen="$(bluetoothctl devices | chose_device)"
+      chosen_name="$(echo "$chosen" | cut -d ' ' -f2-)"
+
+      bluetooth_notify "$chosen_name" "Pairing ..."
+
+      if bluetoothctl pair "$(echo "$chosen" | cut -d ' ' -f1)"; then
+        bluetooth_notify "✔ $chosen_name" "Paired with device."
+      else
+        test "$chosen" && bluetooth_notify "❌ $chosen_name" "Failed to pair with device."
+      fi
+    ;;
+
+    connect)
+      chosen="$(bluetoothctl paired-devices | chose_device)"
+      chosen_name="$(echo "$chosen" | cut -d ' ' -f2-)"
+
+      bluetooth_notify "$chosen_name" "Trying to connect ..."
+
+      if bluetoothctl connect "$(echo "$chosen" | cut -d ' ' -f1)"; then
+        bluetooth_notify "✔ $chosen_name" "Connected to device."
+      else # something was selected but it didn't work
+        test "$chosen" && bluetooth_notify "❌ $chosen_name" "Failed to connect to device."
+      fi
+    ;;
+
+    disconnect)
+      chosen="$(bluetoothctl paired-devices | chose_device)"
+      chosen_name="$(echo "$chosen" | cut -d ' ' -f2-)"
+
+      bluetooth_notify "$chosen_name" "Disconnecting ..."
+
+      if bluetoothctl disconnect "$(echo "$chosen" | cut -d ' ' -f1)"; then
+        bluetooth_notify "✔ $chosen_name" "Disconnected from device."
+      else # something was selected but it didn't work
+        test "$chosen" && bluetooth_notify "❌ $chosen_name" "Failed to disconnect from device."
+      fi
+    ;;
+  esac
+''

packages/dmenu-scrot.nix

@@ -0,0 +1,42 @@
+{
+  writers,
+  lib,
+  dmenu,
+  scrot,
+  libnotify,
+  xclip,
+  screenshotsDirectory ? "/tmp",
+}:
+writers.writeDashBin "dmenu-scrot" ''
+  # ref https://gitlab.com/dwt1/dotfiles/-/blob/master/.dmenu/dmenu-scrot.sh
+  PATH=$PATH:${lib.makeBinPath [dmenu scrot libnotify xclip]}
+
+  APP_NAME="📸 Scrot"
+  IMG_PATH="${screenshotsDirectory}"
+  TIME=3000 #Miliseconds notification should remain visible
+
+  cmd=$(printf "fullscreen\nsection\nupload_fullscreen\nupload_section\n" | dmenu -p 'Screenshot')
+
+  cd "$IMG_PATH" || exit
+  case ''${cmd%% *} in
+    fullscreen)
+      scrot -d 1 \
+        && notify-send -u low -t $TIME -a "$APP_NAME" 'Screenshot (full screen) saved.'
+      ;;
+
+    section)
+      scrot -s \
+        && notify-send -u low -t $TIME -a "$APP_NAME" 'Screenshot (section) saved.'
+      ;;
+
+    upload_fullscreen)
+      scrot -d 1 -e "kpaste < \$f" | tail --lines=1 | xclip -selection clipboard -in \
+        && notify-send -u low -t $TIME -a "$APP_NAME" "Screenshot (full screen) uploaded: $(xclip -selection clipboard -out)"
+      ;;
+
+    upload_section)
+      scrot -s -e "kpaste < \$f" | tail --lines=1 | xclip -selection clipboard -in \
+        &&  notify-send -u low -t $TIME -a "$APP_NAME" "Screenshot (section) uploaded: $(xclip -selection clipboard -out)"
+      ;;
+  esac
+''

packages/dns-sledgehammer.nix

@@ -0,0 +1,7 @@
+{
+  writers,
+  coreutils,
+}:
+writers.writeDashBin "dns-sledgehammer" ''
+  ${coreutils}/bin/printf '%s\n' 'nameserver 1.1.1.1' 'options edns0' > /etc/resolv.conf
+''

packages/fkill.nix

@@ -0,0 +1,22 @@
+{
+  writers,
+  lib,
+  procps,
+  gawk,
+  gnused,
+  fzf,
+}:
+writers.writeBashBin "fkill" ''
+  PATH=$PATH:${lib.makeBinPath [procps gawk gnused fzf]}
+
+  if [ "$UID" != "0" ]; then
+      pid=$(ps -f -u "$UID" | sed 1d | fzf -m | awk '{print $2}')
+  else
+      pid=$(ps -ef | sed 1d | fzf -m | awk '{print $2}')
+  fi
+
+  if [ "x$pid" != "x" ]
+  then
+      echo "$pid" | xargs kill "-''${1:-9}"
+  fi
+''

packages/fzfmenu.nix

@@ -0,0 +1,53 @@
+{
+  st,
+  fzf,
+  writers,
+  dash,
+  lib,
+}:
+writers.writeBashBin "fzfmenu" ''
+  # fzfmenu - fzf as dmenu replacement
+  # https://github.com/junegunn/fzf/wiki/Examples#fzf-as-dmenu-replacement
+  set -efu
+
+  PATH=$PATH:${lib.makeBinPath [st fzf dash]}
+
+  input=$(mktemp -u --suffix .fzfmenu.input)
+  output=$(mktemp -u --suffix .fzfmenu.output)
+  mkfifo "$input"
+  mkfifo "$output"
+  chmod 600 "$input" "$output"
+
+  for i in "$@"; do
+    case $i in
+      -p)
+        PROMPT="$2"
+        shift
+        shift
+        break ;;
+      -l)
+        # no reason to filter number of lines
+        shift
+        shift
+        break ;;
+      -i)
+        # we do this anyway
+        shift
+        break ;;
+      *)
+        echo "Unknown option $1" >&2
+        shift ;;
+    esac
+  done
+
+  # it's better to use st here (starts a lot faster than pretty much everything else)
+  st -c fzfmenu -n fzfmenu -g 85x10 \
+    -e dash \
+    -c "cat $input | fzf --reverse --prompt="''${PROMPT+> }" --print-query $* | tee $output" & disown
+
+  # handle ctrl+c outside child terminal window
+  trap 'kill $! 2>/dev/null; rm -f $input $output' EXIT
+
+  cat > "$input"
+  cat "$output"
+''

packages/genius.nix

@@ -0,0 +1,28 @@
+{
+  writers,
+  curl,
+  coreutils,
+  gnused,
+  pandoc,
+}:
+writers.writeDashBin "genius" ''
+  ${coreutils}/bin/test "$#" -eq 2 || (
+    echo "usage: $0 <artist> <song>"
+    exit 1
+  )
+
+  normalize() {
+    ${coreutils}/bin/tr -d -c '0-9A-Za-z ' | ${coreutils}/bin/tr ' ' - | ${coreutils}/bin/tr '[:upper:]' '[:lower:]'
+  }
+
+  ARTIST=$(echo "$1" | normalize | ${gnused}/bin/sed 's/./\U&/')
+  TITLE=$(echo "$2" | normalize)
+  GENIUS_URL="https://genius.com/$ARTIST-$TITLE-lyrics"
+
+  ${curl}/bin/curl -s "$GENIUS_URL" \
+    | ${gnused}/bin/sed -ne '/class="lyrics"/,/<\/p>/p' \
+    | ${pandoc}/bin/pandoc -f html -s -t plain \
+    | ${gnused}/bin/sed 's/^_/\x1b[3m/g;s/_$/\x1b[0m/g;s/^\[/\n\x1b\[1m\[/g;s/\]$/\]\x1b[0m/g'
+
+  printf "\n%s\n" "$GENIUS_URL" >/dev/stderr
+''

packages/git-preview.nix

@@ -0,0 +1,23 @@
+{
+  coreutils,
+  git,
+  writers,
+}:
+writers.writeDashBin "git-preview" ''
+  set -efu
+  head_commit=$(${git}/bin/git log -1 --format=%H)
+  merge_commit=$1; shift
+  merge_message='Merge for git-preview'
+  preview_dir=$(${coreutils}/bin/mktemp --tmpdir -d git-preview.XXXXXXXX)
+  preview_name=$(${coreutils}/bin/basename "$preview_dir")
+  ${git}/bin/git worktree add --detach -f "$preview_dir" 2>/dev/null
+  ${git}/bin/git -C "$preview_dir" checkout -q "$head_commit"
+  ${git}/bin/git -C "$preview_dir" merge \
+      ''${GIT_PREVIEW_MERGE_STRATEGY+-s "$GIT_PREVIEW_MERGE_STRATEGY"} \
+      -m "$merge_message" \
+      -q \
+      "$merge_commit"
+  ${git}/bin/git -C "$preview_dir" diff "$head_commit.." "$@"
+  ${coreutils}/bin/rm -fR "$preview_dir"
+  ${coreutils}/bin/rm -R .git/worktrees/"$preview_name"
+''

packages/gourmet.nix

@@ -1,14 +0,0 @@
-# { stdenv, python }:
-{pkgs ? import <nixpkgs> {}}:
-with pkgs;
-with pkgs.python2Packages;
-  buildPythonApplication rec {
-    pname = "gourmet";
-    version = "0.17.4";
-    src = builtins.fetchTarball {
-      url = "https://github.com/thinkle/gourmet/archive/${version}.tar.gz";
-    };
-    buildInputs = [distutils_extra intltool];
-    propagatedBuildInputs = [sqlalchemy reportlab lxml];
-    meta = with stenv.lib; {maintainers = with maintainers; [kmein];};
-  }

packages/hc.nix

@@ -0,0 +1,49 @@
+{
+  fetchgit,
+  lib,
+  makeWrapper,
+  stdenv,
+  coreutils,
+  findutils,
+  gawk,
+  gnugrep,
+  qrencode,
+  texlive,
+  utillinux,
+  zbar,
+}:
+stdenv.mkDerivation rec {
+  name = "hc-${meta.version}";
+
+  src = fetchgit {
+    url = "https://cgit.krebsco.de/hc";
+    rev = "refs/tags/v${meta.version}";
+    sha256 = "09349gja22p0j3xs082kp0fnaaada14bafszn4r3q7rg1id2slfb";
+  };
+
+  nativeBuildInputs = [makeWrapper];
+
+  buildPhase = null;
+
+  installPhase = ''
+    mkdir -p $out/bin
+
+    cp $src/bin/hc $out/bin/hc
+
+    wrapProgram $out/bin/hc \
+      --prefix PATH : ${lib.makeBinPath [
+      coreutils
+      findutils
+      gawk
+      gnugrep
+      qrencode
+      texlive.combined.scheme-full
+      utillinux
+      zbar
+    ]}
+  '';
+
+  meta = {
+    version = "1.0.0";
+  };
+}

packages/heuretes.nix

@@ -0,0 +1,13 @@
+{
+  writers,
+  fetchurl,
+  xsv,
+}: let
+  database = fetchurl {
+    url = "http://c.krebsco.de/greek.csv";
+    hash = "sha256-SYL10kerNI0HzExG6JXh765+CBBCHLO95B6OKErQ/sU=";
+  };
+in
+  writers.writeDashBin "heuretes" ''
+    ${xsv}/bin/xsv search -s simple "^$*$" ${database} | ${xsv}/bin/xsv table
+  ''

packages/htgen.nix

@@ -0,0 +1,31 @@
+{
+  fetchgit,
+  lib,
+  pkgs,
+  stdenv,
+}:
+stdenv.mkDerivation rec {
+  pname = "htgen";
+  version = "1.3.1";
+
+  src = fetchgit {
+    url = "http://cgit.krebsco.de/htgen";
+    rev = "refs/tags/${version}";
+    sha256 = "0ml8kp89bwkrwy6iqclzyhxgv2qn9dcpwaafbmsr4mgcl70zx22r";
+  };
+
+  installPhase = ''
+    mkdir -p $out/bin
+    {
+      echo '#! ${pkgs.dash}/bin/dash'
+      echo 'export PATH=${lib.makeBinPath [
+      pkgs.coreutils
+      pkgs.jq
+      pkgs.ucspi-tcp
+    ]}''${PATH+":$PATH"}'
+      sed 's:^Server=htgen$:&/${version}:' htgen
+    } > $out/bin/htgen
+    chmod +x $out/bin/htgen
+    cp -r examples $out
+  '';
+}

packages/image-convert-favicon.nix

@@ -0,0 +1,7 @@
+{
+  writers,
+  imagemagick,
+}:
+writers.writeDashBin "image-convert-favicon" ''
+  ${imagemagick}/bin/convert "$1" -define icon:auto-resize=64,48,32,16 "''${2-favicon.ico}"
+''

packages/image-convert-tolino.nix

@@ -0,0 +1,14 @@
+{
+  writers,
+  imagemagick,
+}:
+writers.writeDashBin "image-convert-tolino" ''
+  source_image="$1"
+
+  if [ -e "$source_image" ]; then
+    ${imagemagick}/bin/convert -type Grayscale -resize 758x1024 "$source_image" "suspend.jpg"
+  else
+    echo >/dev/stderr "$1 must exist."
+    exit 1
+  fi
+''

packages/infschmv.nix

@@ -0,0 +1,13 @@
+{
+  writers,
+  pup,
+  curl,
+  pandoc,
+  man,
+}:
+writers.writeDashBin "InfSchMV" ''
+  ${curl}/bin/curl -sSL https://www.berlin.de/corona/massnahmen/verordnung/ \
+    | ${pup}/bin/pup .textile \
+    | ${pandoc}/bin/pandoc -f html -t man -s \
+    | ${man}/bin/man -l -
+''

packages/ipa.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python3
 import sys
 
 # https://www.phon.ucl.ac.uk/home/sampa/x-sampa.htm

packages/itl.nix

@@ -0,0 +1,23 @@
+{ stdenv, fetchFromGitHub, cmake, lib }:
+stdenv.mkDerivation rec {
+  pname = "itl";
+  version = "0.8.0";
+  src = fetchFromGitHub {
+    owner = "arabeyes-org";
+    repo = "ITL";
+    rev = "v${version}";
+    sha256 = "sha256-GTicTbZmFbPhzInFob3cfvtTxOpUZuqsQz1w9CoWu9w=";
+  };
+  nativeBuildInputs = [cmake];
+  cmakeFlags = [
+    "-DCMAKE_INSTALL_PREFIX=${placeholder "out"}"
+    "-DCMAKE_INSTALL_LIBDIR=lib"
+  ];
+  meta = {
+    homepage = "https://www.arabeyes.org/ITL";
+    description = "Islamic Tools and Libraries";
+    license = lib.licenses.lgpl2;
+    platforms = lib.platforms.all;
+    maintainer = [lib.maintainers.kmein];
+  };
+}

packages/itools.nix

@@ -0,0 +1,21 @@
+{ stdenv, fetchFromGitHub, itl, lib, autoreconfHook }:
+stdenv.mkDerivation rec {
+  pname = "itools";
+  version = "1.0";
+  src = fetchFromGitHub {
+    owner = "arabeyes-org";
+    repo = "itools";
+    rev = version;
+    sha256 = "sha256-g9bsjupC4Sb5ywAgUNbjYLbHZ/i994lbNSnX2JyaP3g=";
+  };
+  preAutoreconf = "autoupdate";
+  nativeBuildInputs = [autoreconfHook];
+  buildInputs = [itl];
+  meta = {
+    homepage = "https://www.arabeyes.org/ITL";
+    description = "The itools package is a set of user friendly applications utilizing Arabeyes' ITL library. ";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.all;
+    maintainer = [lib.maintainers.kmein];
+  };
+}