Migrate mail client to Mu4e

2022-09-18 18:49:01 +02:00
30 changed files with 612 additions and 1057 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,5 +1 @@
 secrets/soundcloud_token filter=git-crypt diff=git-crypt
 secrets/bandcamp_token filter=git-crypt diff=git-crypt
 assets/bitwig/activation.bwreg filter=lfs diff=lfs merge=lfs -text
 assets/bitwig/bitwig-studio.deb filter=lfs diff=lfs merge=lfs -text
 assets/bitwig/bitwig.jar filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
 !*.jar
--- a/5
+++ b/5
@@ -1,9 +1,8 @@
 switch:
-	nixos-rebuild switch --target-host root@localhost \
+	sudo nixos-rebuild switch --flake path://$(PWD)#
    --build-host root@localhost --flake path://$(PWD)#panacea
 update:
-	nix flake update --commit-lock-file
+	nix flake update . --commit-lock-file
 upgrade:
 	make update && make switch
--- a/assets/bitwig/activation.bwreg
+++ b/assets/bitwig/activation.bwreg
--- a/assets/bitwig/bitwig-studio.deb
+++ b/assets/bitwig/bitwig-studio.deb
--- a/assets/bitwig/bitwig.jar
+++ b/assets/bitwig/bitwig.jar
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,59 +1,56 @@
-{
+{ config, lib, pkgs, inputs, ... }:
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
 with pkgs;
-{
+let hybrid-codec-vaapiIntel = vaapiIntel.override { enableHybridCodec = true; };
 in {
  # Kernel configuration
  boot = {
-    blacklistedKernelModules = [
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
      "btusb"
      "bluetooth"
    ];
    kernelParams = [
-      "zfs.zfs_arc_max=8589934592"
+      "zfs.zfs_arc_max=1073741824"
-      "zfs.zfs_arc_min=1073741824"
+      "zfs.zfs_arc_meta_limit_percent=90"
      "i915.i915_enable_fbc=1"
      "workqueue.power_efficient=y"
      "nohibernate"
      "ipv6.disable=1"
    ];
    kernelModules = [ "i915" "acpi_call" "kvm-intel" ];
    extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
    blacklistedKernelModules = [ "btusb" ];
    supportedFilesystems = [ "zfs" ];
    zfs = {
      requestEncryptionCredentials = true;
-      package = zfs_unstable;
+      enableUnstable = true;
    };
  };
-  # Device firmware updates
+  # Intel CPU tweaks
  hardware.cpu.intel.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;
  services.fwupd.enable = true;
-  # Secure boot using lanzaboote
+  # GPU Hardware acceleration
  hardware.opengl.extraPackages =
    [ intel-media-driver hybrid-codec-vaapiIntel vaapiVdpau libvdpau-va-gl ];
  # Bootloader configuration
  boot.loader = {
    efi.canTouchEfiVariables = true;
    systemd-boot = {
-      enable = false;
+      enable = true;
      configurationLimit = 50;
      editor = false;
    };
    timeout = 3;
  };
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/etc/secureboot";
  };
  # Run Nix garbage collector and enable flakes
  nix = {
    settings = {
      auto-optimise-store = true;
-      trusted-users = [
+      trusted-users = [ "root" "coolneng" ];
        "root"
        "coolneng"
      ];
      lazy-trees = true;
      eval-cores = 2;
    };
    gc = {
      automatic = true;
@@ -66,13 +63,20 @@ with pkgs;
      gc-keep-outputs = true
      experimental-features = nix-command flakes
    '';
    package = nixUnstable;
  };
  # Clean tmp directory on shutdown
-  boot.tmp.cleanOnBoot = true;
+  boot.cleanTmpDir = true;
-  # Keep logs for a month
+  # Keep logs for a week
-  services.journald.extraConfig = "MaxRetentionSec=4week";
+  services.journald.extraConfig = "MaxRetentionSec=1week";
  # Allow propietary software and build packages with Pulseaudio support
  nixpkgs.config = {
    allowUnfree = true;
    pulseaudio = true;
  };
  # Scrub zpool monthly
  services.zfs.autoScrub = {
@@ -85,18 +89,13 @@ with pkgs;
  services.chrony.enable = true;
  # NixOS version
-  system.stateVersion = "24.05";
+  system.stateVersion = "22.05";
  # Create coolneng user
  users.users.coolneng = {
    isNormalUser = true;
    home = "/home/coolneng";
-    extraGroups = [
+    extraGroups = [ "wheel" "video" "audio" "libvirtd" "lp" ];
      "wheel"
      "video"
      "audio"
      "lp"
    ];
    shell = fish;
  };
@@ -111,19 +110,14 @@ with pkgs;
      group = "systemd-network";
    };
    secrets.syncthing.file = secrets/syncthing.age;
    secrets.samba-ugent.file = secrets/samba-ugent.age;
    secrets.msmtp.file = secrets/msmtp.age;
    identityPaths = [ "/etc/ssh/id_ed25519" ];
  };
  # Use same version of nixpkgs for nix-shell
-  nix.nixPath =
+  nix.nixPath = let path = toString ./.;
-    let
+  in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ];
      path = toString ./.;
    in
    [
      "nixpkgs=${inputs.nixpkgs}"
      "nixos-config=${path}/configuration.nix"
    ];
  # Auto-upgrade the system
  system.autoUpgrade = {
@@ -131,26 +125,14 @@ with pkgs;
    dates = "22:30";
    flake = "/home/coolneng/Projects/panacea";
    flags = [
      "--update-input"
      "agenix"
      "--update-input"
      "nixpkgs"
      "--commit-lock-file"
    ];
  };
  # Add required dependencies to the auto-upgrade service
  systemd.services.nixos-upgrade.path = [
    coreutils
    gnutar
    xz.bin
    gzip
    gitMinimal
    config.nix.package.out
    config.programs.ssh.package
    git-crypt
    git-lfs
    inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
  ];
  # Configure git for auto-upgrade
  programs.git = {
    enable = true;
@@ -164,13 +146,6 @@ with pkgs;
  # Enable fish package completion
  programs.fish.enable = true;
  # Enable nix-index
  programs.command-not-found.enable = false;
  programs.nix-index = {
    enable = true;
    enableFishIntegration = true;
  };
  # Import other configuration modules
  imports = [
    ./modules/hardware-configuration.nix
@@ -184,7 +159,10 @@ with pkgs;
    ./modules/periodic.nix
    ./modules/power.nix
    ./modules/monitoring.nix
-    ./modules/latest-zfs-kernel.nix
+    ./modules/device.nix
    ./overlays/nix-direnv.nix
    ./overlays/openconnect-sso.nix
    ./overlays/cyrus-sasl-oauth2.nix
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -2,19 +2,16 @@
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1762618334,
+        "lastModified": 1662241716,
-        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+        "narHash": "sha256-urqPvSvvGUhkwzTDxUI8N1nsdMysbAfjmBNZaTYBZRU=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
+        "rev": "c96da5835b76d3d8e8d99a0fec6fe32f8539ee2e",
        "type": "github"
      },
      "original": {
@@ -23,21 +20,6 @@
        "type": "github"
      }
    },
    "crane": {
      "locked": {
        "lastModified": 1765739568,
        "narHash": "sha256-gQYx35Of4UDKUjAYvmxjUEh/DdszYeTtT6MDin4loGE=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "67d2baff0f9f677af35db61b32b5df6863bcc075",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "cyrus-sasl-xoauth2": {
      "flake": false,
      "locked": {
@@ -54,395 +36,34 @@
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1744478979,
        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "determinate": {
      "inputs": {
        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
        "nix": "nix",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1765254444,
        "narHash": "sha256-kAO/ZeBnjaF+uqOP6qweXlRk2ylocLuv/9Dn8FsuPlU=",
        "rev": "3ccc0297525e51ac3d7905509e0616c9c8350108",
        "revCount": 316,
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.14.0/019b0160-c5de-7941-9c26-cb47bc17eec3/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
      }
    },
    "determinate-nixd-aarch64-darwin": {
      "flake": false,
      "locked": {
        "narHash": "sha256-6PWoqx52nvlWzlElTjcn7KAPKitfcKZYEFSsC3PoEoE=",
        "type": "file",
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS"
      },
      "original": {
        "type": "file",
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS"
      }
    },
    "determinate-nixd-aarch64-linux": {
      "flake": false,
      "locked": {
        "narHash": "sha256-b1e25BUPL7Qf0QVbYlfZ/+QiClrP/SHIjMPtA47aOLc=",
        "type": "file",
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux"
      },
      "original": {
        "type": "file",
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux"
      }
    },
    "determinate-nixd-x86_64-linux": {
      "flake": false,
      "locked": {
        "narHash": "sha256-8EI2f8IftPcRFlR6K4+cpIEAVf5UIeMCjHysEtVqDw0=",
        "type": "file",
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux"
      },
      "original": {
        "type": "file",
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1761588595,
        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "determinate",
          "nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1748821116,
        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
        "revCount": 377,
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
      }
    },
    "git-hooks-nix": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": [
          "determinate",
          "nix"
        ],
        "nixpkgs": [
          "determinate",
          "nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1747372754,
        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
        "revCount": 1026,
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "lanzaboote",
          "pre-commit",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1745494811,
        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "lanzaboote": {
      "inputs": {
        "crane": "crane",
        "nixpkgs": [
          "nixpkgs"
        ],
        "pre-commit": "pre-commit",
        "rust-overlay": "rust-overlay"
      },
      "locked": {
        "lastModified": 1765887029,
        "narHash": "sha256-s6LGO6kMlHRdnspV0LReSi47iaYaJ/Oveb4rM9fklPM=",
        "owner": "nix-community",
        "repo": "lanzaboote",
        "rev": "5a8c9b5339588bb6ec388da5d0a6e701a46a82c4",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "lanzaboote",
        "type": "github"
      }
    },
    "local-bitwig": {
      "flake": false,
      "locked": {
        "lastModified": 1765321606,
        "narHash": "sha256-WteEWi5GPrGGfzLNTEmgQaH5/DAT/zeZofbBE6D+Po8=",
        "path": "/home/coolneng/Projects/panacea/assets/bitwig",
        "type": "path"
      },
      "original": {
        "path": "/home/coolneng/Projects/panacea/assets/bitwig",
        "type": "path"
      }
    },
    "nix": {
      "inputs": {
        "flake-parts": "flake-parts",
        "git-hooks-nix": "git-hooks-nix",
        "nixpkgs": "nixpkgs",
        "nixpkgs-23-11": "nixpkgs-23-11",
        "nixpkgs-regression": "nixpkgs-regression"
      },
      "locked": {
        "lastModified": 1765252170,
        "narHash": "sha256-p98D44tYJMgB5Qet5S8cTQFdffk/GmoaGkpQtZ3hqJU=",
        "rev": "1ddd28880651054346c34009d7bb9de36f1db2c1",
        "revCount": 23362,
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.14.0/019b0159-8907-7fab-a120-9d287c7e6d2e/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
      }
    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1765267181,
        "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
        "owner": "Mic92",
        "repo": "nix-index-database",
        "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "nix-index-database",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1764440730,
        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1761597516,
+        "lastModified": 1663357389,
-        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "narHash": "sha256-oYA2nVRSi6yhCBqS5Vz465Hw+3BQOVFEhfbfy//3vTs=",
        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
        "revCount": 811874,
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
      }
    },
    "nixpkgs-23-11": {
      "locked": {
        "lastModified": 1717159533,
        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "rev": "da6a05816e7fa5226c3f61e285ef8d9dfc868f3c",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
        "repo": "nixpkgs",
        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
        "type": "github"
      }
    },
    "nixpkgs-regression": {
      "locked": {
        "lastModified": 1643052045,
        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1764611609,
        "narHash": "sha256-yU9BNcP0oadUKupw0UKmO9BKDOVIg9NStdJosEbXf8U=",
        "rev": "8c29968b3a942f2903f90797f9623737c215737c",
        "revCount": 905078,
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.905078%2Brev-8c29968b3a942f2903f90797f9623737c215737c/019add91-3add-7a0d-8a25-9569cbe01efe/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1766309749,
        "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
+        "type": "indirect"
        "type": "github"
      }
    },
-    "pre-commit": {
+    "openconnect-sso": {
-      "inputs": {
+      "flake": false,
        "flake-compat": "flake-compat_2",
        "gitignore": "gitignore",
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1765464257,
+        "lastModified": 1639475764,
-        "narHash": "sha256-dixPWKiHzh80PtD0aLuxYNQ0xP+843dfXG/yM3OzaYQ=",
+        "narHash": "sha256-VvhPYafFfvhp7ZlygZ0kTyczkLY/5e0ip5OElX2CwhM=",
-        "owner": "cachix",
+        "owner": "vlaci",
-        "repo": "pre-commit-hooks.nix",
+        "repo": "openconnect-sso",
-        "rev": "09e45f2598e1a8499c3594fe11ec2943f34fe509",
+        "rev": "4430cb09aefe15108e5f3b40b94ed792fbe9548b",
        "type": "github"
      },
      "original": {
-        "owner": "cachix",
+        "owner": "vlaci",
-        "repo": "pre-commit-hooks.nix",
+        "repo": "openconnect-sso",
        "type": "github"
      }
    },
@@ -450,48 +71,8 @@
      "inputs": {
        "agenix": "agenix",
        "cyrus-sasl-xoauth2": "cyrus-sasl-xoauth2",
-        "determinate": "determinate",
+        "nixpkgs": "nixpkgs",
-        "lanzaboote": "lanzaboote",
+        "openconnect-sso": "openconnect-sso"
        "local-bitwig": "local-bitwig",
        "nix-index-database": "nix-index-database",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_3"
      }
    },
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1765680428,
        "narHash": "sha256-fyPmRof9SZeI14ChPk5rVPOm7ISiiGkwGCunkhM+eUg=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "eb3898d8ef143d4bf0f7f2229105fc51c7731b2f",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@@ -2,80 +2,42 @@
  description = "System configuration for panacea";
  nixConfig = {
-    extra-substituters = "https://cachix.cachix.org https://nix-community.cachix.org https://install.determinate.systems";
+    extra-substituters =
      "https://cachix.cachix.org https://nix-community.cachix.org";
    extra-trusted-public-keys = ''
      cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=
-      nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
+            nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs='';
      cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
    '';
  };
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "nixpkgs/nixos-unstable";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    openconnect-sso = {
      url = "github:vlaci/openconnect-sso";
      flake = false;
    };
    cyrus-sasl-xoauth2 = {
      url = "github:robn/sasl2-oauth";
      flake = false;
    };
    nix-index-database = {
      url = "github:Mic92/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lanzaboote = {
      url = "github:nix-community/lanzaboote";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
    local-bitwig = {
      url = "path:/home/coolneng/Projects/panacea/assets/bitwig";
      flake = false;
    };
  };
-  outputs =
+  outputs = { self, nixpkgs, agenix, ... }@inputs:
    { self, nixpkgs, ... }@inputs:
    let
      system = "x86_64-linux";
-      pkgs = import nixpkgs {
+      pkgs = import pkgs { inherit system; };
        inherit system;
        config.allowUnfree = true;
        overlays = [
          (final: prev: {
            emacs-vterm = (
              (pkgs.emacsPackagesFor pkgs.emacs-pgtk).emacsWithPackages (
                epkgs: with epkgs; [
                  vterm
                  mu4e
                ]
              )
            );
          })
        ];
      };
      lib = nixpkgs.lib;
-    in
+    in {
    {
      nixosConfigurations.panacea = lib.nixosSystem {
        inherit system;
-        modules = [
+        modules = [ (import ./configuration.nix) agenix.nixosModules.age ];
-          (import ./configuration.nix)
+        specialArgs = { inherit inputs; };
          inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-amd
          inputs.agenix.nixosModules.age
          inputs.nix-index-database.nixosModules.nix-index
          inputs.lanzaboote.nixosModules.lanzaboote
          inputs.determinate.nixosModules.default
        ];
        specialArgs = {
          inherit inputs;
          inherit pkgs;
        };
      };
    };
--- a/modules/audio.nix
+++ b/modules/audio.nix
@@ -1,26 +1,40 @@
-{
+{ config, lib, pkgs, inputs, ... }:
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
 with pkgs;
 let
  # HACK Replace youtube-dl with yt-dlp in mopidy-youtube
  mopidy-youtube-yt_dlp = mopidy-youtube.overrideAttrs (old: rec {
-    propagatedBuildInputs = old.propagatedBuildInputs ++ [
+    src = python3Packages.fetchPypi {
-      python3.pkgs.yt-dlp
+      version = "3.6";
-      python3.pkgs.ytmusicapi
+      pname = "Mopidy-YouTube";
-    ];
+      sha256 = "sha256-92tJpCu0S79Z1yYaQUnNMxN1rD+8Wr0rtt4GVnldZ9A=";
    };
    propagatedBuildInputs = old.propagatedBuildInputs
      ++ [ python3.pkgs.yt-dlp ];
  });
  latest-mopidy-somafm = mopidy-somafm.overrideAttrs (old: rec {
    src = python3Packages.fetchPypi {
      version = "2.0.2";
      pname = "Mopidy-SomaFM";
      sha256 = "DC0emxkoWfjGHih2C8nINBFByf521Xf+3Ks4JRxNPLM=";
    };
  });
  soundcloud_token = builtins.readFile ../secrets/soundcloud_token;
-  bandcamp_token = builtins.readFile ../secrets/bandcamp_token;
+  latest-mopidy-soundcloud = mopidy-soundcloud.overrideAttrs (old: rec {
    src = fetchFromGitHub {
      owner = "mopidy";
      repo = "mopidy-soundcloud";
      rev = "fc766b0bf17feb4fc989029b92a315a10ff453ee";
      sha256 = "sha256-LftBbfs5KqqkhFQVZRh/AQKQQ+18x8RapRU1mTB7FD8=";
    };
-in
+    propagatedBuildInputs = old.propagatedBuildInputs
-{
+      ++ [ python3.pkgs.beautifulsoup4 ];
  });
 in {
  # Configure pipewire as sound server
  services.pipewire = {
    enable = true;
@@ -30,13 +44,12 @@ in
    };
    pulse.enable = true;
    wireplumber.enable = true;
-    # Enable pipewire-pulse's audio via TCP
+    config.pipewire-pulse = let
-    extraConfig.pipewire-pulse.tcp-server = {
+      defaultConf = lib.importJSON
        "${inputs.nixpkgs}/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json";
    in lib.recursiveUpdate defaultConf {
      "pulse.properties" = {
-        "server.address" = [
+        "server.address" = [ "unix:native" "tcp:127.0.0.1:4713" ];
          "unix:native"
          "tcp:127.0.0.1:4713"
        ];
      };
    };
  };
@@ -50,21 +63,21 @@ in
      mopidy-local
      mopidy-youtube-yt_dlp
      mopidy-bandcamp
-      mopidy-somafm
+      latest-mopidy-somafm
-      mopidy-soundcloud
+      latest-mopidy-soundcloud
    ];
-    settings = {
+    configuration = ''
-      audio.output = "pulsesink server=127.0.0.1";
+      [audio]
      output = pulsesink server=127.0.0.1
-      local = {
+      [local]
-        media_dir = "/home/coolneng/Music";
+      media_dir = /home/coolneng/Music
-        directories = ''
+      directories =
        Album Artists       local:directory?type=artist&role=albumartist
        Albums              local:directory?type=album
        Artists             local:directory?type=artist
        Genres              local:directory?type=genre
-        '';
+      excluded_file_extensions =
        excluded_file_extensions = ''
        .directory
        .html
        .jpeg
@@ -73,33 +86,26 @@ in
        .nfo
        .png
        .txt
      [mpd]
      zeroconf = ""
      [m3u]
      playlists_dir = /home/coolneng/.config/mpd/playlists
      base_dir = /home/coolneng/Music
      [youtube]
      allow_cache = true
      search_results = 50
      youtube_dl_package = yt_dlp
      [somafm]
      encoding = aac
      quality = highest
      [soundcloud]
      auth_token = ${soundcloud_token}
      explore_songs = 100
    '';
        scan_timeout = 3000;
      };
      mpd.zeroconf = "";
      m3u = {
        playlists_dir = "/home/coolneng/.config/mpd/playlists";
        base_dir = "/home/coolneng/Music";
      };
      youtube = {
        search_results = 50;
        youtube_dl_package = "yt_dlp";
        musicapi_enabled = true;
      };
      somafm = {
        encoding = "aac";
        quality = "highest";
      };
      soundcloud = {
        auth_token = soundcloud_token;
        explore_songs = 100;
      };
      bandcamp.identity = bandcamp_token;
    };
  };
 }
--- a/modules/cachix.nix
+++ b/modules/cachix.nix
@@ -5,9 +5,9 @@ let
  folder = ../cachix;
  toImport = name: value: folder + ("/" + name);
  filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
-  imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
+  imports = lib.mapAttrsToList toImport
-in
+    (lib.filterAttrs filterCaches (builtins.readDir folder));
-{
+in {
  inherit imports;
  nix.binaryCaches = [ "https://cache.nixos.org/" ];
 }
--- a/modules/datasync.nix
+++ b/modules/datasync.nix
@@ -1,9 +1,4 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 {
  # ZFS automatic snapshots
@@ -21,10 +16,10 @@
    enable = true;
    user = "coolneng";
    dataDir = "/home/coolneng";
-    settings = {
+    key = config.age.secrets.syncthing.path;
    devices.zion = {
      id = "FLI2RS7-GNI5PDM-SQRNF7P-YJIOXJ7-46FRPEI-NRLQGBC-HXRWG7O-RKOVLAF";
-        addresses = [ "tcp://192.168.128.2:22000" ];
+      addresses = [ "tcp://192.168.13.2:22000" ];
    };
    folders = {
      Documents = {
@@ -84,13 +79,75 @@
        path = "/home/coolneng/Files";
        devices = [ "zion" ];
      };
        Audio = {
          id = "tarrs-5mxck";
          path = "/home/coolneng/Audio";
          devices = [ "zion" ];
        };
      };
    };
  };
  # Automount external storage
  systemd.mounts = [
    # USB
    {
      what = "/dev/sda1";
      where = "/usb";
      mountConfig = { TimeoutSec = "5"; };
    }
    # SD card
    {
      what = "/dev/mmcblk0p1";
      where = "/sdcard";
      mountConfig = { TimeoutSec = "5"; };
    }
    # UGent Samba
    {
      what = "//files.ugent.be/akasroua/home";
      type = "cifs";
      where = "/ugent";
      options =
        "credentials=${config.age.secrets.samba-ugent.path},noperm,vers=3.0,sec=ntlmv2i";
      mountConfig = { TimeoutSec = "5"; };
    }
  ];
  systemd.automounts = [
    # USB
    {
      where = "/usb";
      automountConfig = { TimeoutIdleSec = "5"; };
      wantedBy = [ "default.target" ];
    }
    # SD card
    {
      where = "/sdcard";
      automountConfig = { TimeoutIdleSec = "5"; };
      wantedBy = [ "default.target" ];
    }
    # UGent Samba
    {
      where = "/ugent";
      automountConfig = { TimeoutIdleSec = "5"; };
      wantedBy = [ "default.target" ];
    }
  ];
  # HACK Workaround to change the configuration of keyutils in order to get CIFS working
  environment.etc."request-key.conf" = {
    text = let
      upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";
      keyctl = "${pkgs.keyutils}/bin/keyctl";
    in ''
      #OP     TYPE          DESCRIPTION  CALLOUT_INFO  PROGRAM
      # -t is required for DFS share servers...
      create  cifs.spnego   *            *             ${upcall} -t %k
      create  dns_resolver  *            *             ${upcall} %k
      # Everything below this point is essentially the default configuration,
      # modified minimally to work under NixOS. Notably, it provides debug
      # logging.
      create  user          debug:*      negate        ${keyctl} negate %k 30 %S
      create  user          debug:*      rejected      ${keyctl} reject %k 30 %c %S
      create  user          debug:*      expired       ${keyctl} reject %k 30 %c %S
      create  user          debug:*      revoked       ${keyctl} reject %k 30 %c %S
      create  user          debug:loop:* *             |${pkgs.coreutils}/bin/cat
      create  user          debug:*      *             ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
      negate  *             *            *             ${keyctl} negate %k 30 %S
    '';
  };
 }
--- a/modules/development.nix
+++ b/modules/development.nix
@@ -1,14 +1,8 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 {
  # Improve nix-shell and direnv integration
  environment.pathsToLink = [ "/share/nix-direnv" ];
  programs.direnv.enable = true;
  # Set up podman
  virtualisation = {
@@ -30,7 +24,4 @@
  # Run unpatched binaries with Nix
  programs.nix-ld.enable = true;
  # Embedded development with PlatformIO
  services.udev.packages = with pkgs; [ platformio ];
 }
--- a/modules/device.nix
+++ b/modules/device.nix
@@ -0,0 +1,31 @@
 { config, lib, pkgs, ... }:
 with pkgs;
 {
  # HACK Enable internal microphone when headphones are plugged in and add workaround for frequent WiFi disconnects
  hardware.firmware = [
    (writeTextDir "/lib/firmware/hda-jack-retask.fw" ''
      [codec]
      0x10ec0293 0x17aa2233 0
      [pincfg]
      0x12 0x90a60130
      0x13 0x40000000
      0x14 0x90170110
      0x15 0x03211040
      0x16 0x21211010
      0x18 0x411111f0
      0x19 0x21a11010
      0x1a 0x40f000f0
      0x1b 0x411111f0
      0x1d 0x40738105
      0x1e 0x411111f0
    '')
  ];
  boot.extraModprobeConfig = ''
    options snd-hda-intel patch=hda-jack-retask.fw
    options mac80211 beacon_loss_count=500
  '';
 }
--- a/modules/gui.nix
+++ b/modules/gui.nix
@@ -1,22 +1,29 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 with pkgs;
-{
+let
  waybar-audio-patch = waybar.overrideAttrs (old: rec {
    src = fetchFromGitHub {
      owner = "IsaacWoods";
      repo = "Waybar";
      rev = "cfe363daf4d9389971adbf1b791a3573344bf1c5";
      sha256 = "sha256-y7n3qXhJU/Ku1Pz85Cl7+RyQbYCgPmmuSyj4DQZW8BU=";
    };
  });
 in {
  # Display manager
-  services.greetd = {
+  services.xserver.enable = true;
  services.xserver.displayManager = {
    defaultSession = "sway";
    autoLogin = {
      enable = true;
    settings = rec {
      initial_session = {
        command = "${sway}/bin/sway";
      user = "coolneng";
    };
-      default_session = initial_session;
+    lightdm = {
      enable = true;
      greeter.enable = false;
    };
  };
@@ -28,13 +35,13 @@ with pkgs;
      swaylock
      swayidle
      swaybg
-      rofi
+      rofi-wayland
-      waybar
+      waybar-audio-patch
-      cliphist
+      clipman
      wl-clipboard
      grim
      slurp
-      swayimg
+      imv
      kanshi
      kitty
      qt5.qtwayland
@@ -51,7 +58,6 @@ with pkgs;
      export NVIM_LISTEN_ADDRESS=/tmp/nvimsocket
      export GIT_CONFIG_NOSYSTEM=true
      export SYSTEMD_LESS=FRSMK
      export WLR_RENDERER=vulkan
    '';
    wrapperFeatures.gtk = true;
  };
@@ -72,10 +78,13 @@ with pkgs;
    };
  };
  # Bar
  programs.waybar.enable = true;
  # GPG agent
  programs.gnupg.agent = {
    enable = true;
-    pinentryPackage = pinentry-gnome3;
+    pinentryFlavor = "gnome3";
  };
  # Tmux
@@ -90,14 +99,10 @@ with pkgs;
  # Integrate pass with the browser
  programs.browserpass.enable = true;
  programs.firefox.enable = true;
  # Enable WebRTC screensharing
  xdg.portal = {
    enable = true;
    wlr.enable = true;
  };
  # Allow dbus to communicate with storage devices
  services.udisks2.enable = true;
 }
--- a/modules/hardware-configuration.nix
+++ b/modules/hardware-configuration.nix
@@ -1,76 +1,61 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ];
    "nvme"
    "xhci_pci"
    "usbhid"
  ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "syscea/stateful/root";
+    { device = "syscea/stateful/root";
      fsType = "zfs";
    };
-  fileSystems."/nix" = {
+  fileSystems."/nix" =
-    device = "syscea/ephemeral/nix";
+    { device = "syscea/ephemeral/nix";
      fsType = "zfs";
    };
-  fileSystems."/ugent" = {
+  fileSystems."/sdcard" =
-    device = "systemd-1";
+    { device = "systemd-1";
      fsType = "autofs";
    };
-  fileSystems."/home/coolneng" = {
+  fileSystems."/usb" =
-    device = "syscea/stateful/home";
+    { device = "systemd-1";
      fsType = "autofs";
    };
  fileSystems."/home/coolneng" =
    { device = "syscea/stateful/home";
      fsType = "zfs";
    };
-  fileSystems."/tmp" = {
+  fileSystems."/tmp" =
-    device = "syscea/ephemeral/tmp";
+    { device = "syscea/ephemeral/tmp";
      fsType = "zfs";
    };
-  fileSystems."/home/coolneng/Downloads" = {
+  fileSystems."/home/coolneng/Downloads" =
-    device = "syscea/stateful/home/downloads";
+    { device = "syscea/stateful/home/downloads";
      fsType = "zfs";
    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/C374-A2FD";
+    { device = "/dev/disk/by-uuid/4851-6B40";
      fsType = "vfat";
    };
-  swapDevices = [
+  swapDevices =
-    { device = "/dev/disk/by-uuid/1231a42f-a71a-4c67-b4d8-7506c02a8328"; }
+    [ { device = "/dev/disk/by-uuid/c8e252ac-941f-4290-8212-42c1bc2bff69"; }
    ];
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/modules/latest-zfs-kernel.nix
+++ b/modules/latest-zfs-kernel.nix
@@ -1,28 +0,0 @@
 {
  lib,
  pkgs,
  config,
  ...
 }:
 let
  isUnstable = config.boot.zfs.package == pkgs.zfs_unstable;
  zfsCompatibleKernelPackages = lib.filterAttrs (
    name: kernelPackages:
    (builtins.match "linux_[0-9]+_[0-9]+" name) != null
    && (builtins.tryEval kernelPackages).success
    && (
      (!isUnstable && !kernelPackages.zfs.meta.broken)
      || (isUnstable && !kernelPackages.zfs_unstable.meta.broken)
    )
  ) pkgs.linuxKernel.packages;
  latestKernelPackage = lib.last (
    lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
      builtins.attrValues zfsCompatibleKernelPackages
    )
  );
 in
 {
  # Note this might jump back and worth as kernel get added or removed.
  boot.kernelPackages = lib.mkIf (lib.meta.availableOn pkgs.hostPlatform pkgs.zfs) latestKernelPackage;
 }
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -1,9 +1,4 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 with pkgs;
@@ -11,8 +6,7 @@ let
  sender = "akasroua@disroot.org";
  recipient = "akasroua+smart@disroot.org";
-in
+in {
 {
  # Notify when a disk starts going haywire
  services.smartd = {
    enable = true;
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -1,15 +1,8 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
-let
+let wireguard_port = "51902";
  wireguard_port = "1194";
-in
+in {
 {
  # Set hostname, hostid and enable WiFi
  networking = {
    hostName = "panacea";
@@ -27,50 +20,32 @@ in
    useNetworkd = true;
    dhcpcd.enable = false;
  };
-  systemd.network.wait-online.enable = false;
+  systemd.services."systemd-networkd-wait-online".enable = false;
-  # Enable mDNS
+  # Disable DNSSEC
-  services.resolved = {
+  services.resolved.dnssec = "false";
    enable = true;
    llmnr = "false";
    extraConfig = ''
      MulticastDNS=yes
    '';
  };
  # Prioritize ethernet over WiFi
-  systemd.network.networks."40-enp0s31f6" = {
+  systemd.network.networks."40-enp0s31f6".dhcpV4Config.RouteMetric = 10;
-    dhcpV4Config.RouteMetric = 10;
+  systemd.network.networks."40-wlan0".dhcpV4Config.RouteMetric = 20;
    networkConfig.MulticastDNS = "yes";
  };
  systemd.network.networks."40-wlan0" = {
    dhcpV4Config.RouteMetric = 20;
    networkConfig.MulticastDNS = "yes";
  };
  # Static IP for home network
  systemd.network.networks."24-home" = {
    name = "wlan0";
    matchConfig = {
      Name = "wlan0";
-      SSID = "anakinosi-5GHz";
+      SSID = "WiFi-5.0-CE42";
    };
-    address = [ "192.168.129.3/23" ];
+    address = [ "192.168.13.131/24" ];
-    gateway = [ "192.168.128.1" ];
+    gateway = [ "192.168.13.1" ];
-    dns = [ "192.168.128.2" ];
+    dns = [ "192.168.13.2" ];
-    networkConfig.MulticastDNS = "yes";
+    networkConfig.DNSSEC = "no";
  };
-  systemd.network.networks."25-home" = {
+  # Enable zeroconf
-    name = "wlan0";
+  services.avahi = {
-    matchConfig = {
+    enable = true;
-      Name = "wlan0";
+    nssmdns = true;
      SSID = "Aminkas-5Ghz";
    };
    address = [ "192.168.13.3/24" ];
    gateway = [ "192.168.13.1" ];
    dns = [ "1.1.1.1" ];
    networkConfig.MulticastDNS = "yes";
  };
  # VPN setup
@@ -84,45 +59,38 @@ in
      PrivateKeyFile = config.age.secrets.wireguard.path;
      FirewallMark = 34952;
    };
-    wireguardPeers = [
+    wireguardPeers = [{
-      {
+      wireguardPeerConfig = {
        PublicKey = "GN8lqPBZYOulh6xD4GhkoEWI65HMMCpSxJSH5871YnU=";
-        AllowedIPs = [
+        AllowedIPs = [ "0.0.0.0/0" ];
-          "0.0.0.0/0"
+        Endpoint = "coolneng.duckdns.org:1194";
-          "::0"
+      };
-        ];
+    }];
        Endpoint = "psydnd.org:1194";
      }
    ];
  };
  systemd.network.networks."wg0" = {
    matchConfig.Name = "wg0";
    linkConfig.ActivationPolicy = "manual";
    networkConfig = {
-      Address = [
+      Address = "10.8.0.2/32";
-        "10.8.0.2/32"
+      DNS = "10.8.0.1";
        "fd00::2/128"
      ];
      DNS = [
        "10.8.0.1"
        "fd00::2"
      ];
      DNSDefaultRoute = true;
      Domains = "~.";
    };
-    routingPolicyRules = [
+    routingPolicyRules = [{
-      {
+      routingPolicyRuleConfig = {
        FirewallMark = 34952;
        InvertRule = true;
        Table = 1000;
        Priority = 10;
-      }
+      };
-    ];
+    }];
-    routes = [
+    routes = [{
-      {
+      routeConfig = {
        Gateway = "10.8.0.1";
        GatewayOnLink = true;
        Table = 1000;
-      }
+      };
-    ];
+    }];
  };
  # Firewall configuration
@@ -132,27 +100,15 @@ in
    ];
    allowedUDPPorts = [
      54982 # Calibre Wireless
      5353 # mDNS
    ];
    # Allow wireguard traffic
    extraCommands = ''
-      iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN
+      ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN
-      iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN
+      ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN
    '';
    extraStopCommands = ''
-      iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN || true
+      ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN || true
-      iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN || true
+      ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN || true
    '';
  };
  # Enable localhost SSH
  services.openssh = {
    enable = true;
    openFirewall = false;
    startWhenNeeded = true;
    settings = {
      PermitRootLogin = "without-password";
      PasswordAuthentication = false;
    };
  };
 }
--- a/modules/periodic.nix
+++ b/modules/periodic.nix
@@ -1,65 +1,67 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 with pkgs;
 let
-  isync-oauth2 = (isync.override { withCyrusSaslXoauth2 = true; });
+  emacs-vterm = ((emacsPackagesFor emacs28NativeComp).emacsWithPackages
    (epkgs: with epkgs; [ vterm pdf-tools ]));
  isync-oauth2 = isync.overrideAttrs
    (div: rec { buildInputs = [ openssl patched-cyrus-sasl-oauth2 zlib ]; });
-in
+in {
-{
+  # Upgrade Doom Emacs weekly
  # Upgrade Doom Emacs daily
  systemd.user.services.doom-upgrade = {
    description = "Upgrade Doom Emacs";
-    path = [
+    path = [ bash emacs-vterm git coreutils ];
      bash
      emacs-vterm
      git
      coreutils
    ];
    script = ''
-      /home/coolneng/.emacs.d/bin/doom -! upgrade
+      ${pkgs.bash}/bin/bash -c "/home/coolneng/.emacs.d/bin/doom -! upgrade"
    '';
    serviceConfig.Type = "oneshot";
-    startAt = "22:00:00";
+    startAt = "Mon 22:00:00";
    after = [ "network-online.target" ];
  };
  # Clean up Doom Emacs monthly
  systemd.user.services.doom-purge = {
    description = "Purge Doom Emacs";
    path = [ bash emacs-vterm git coreutils ];
    script = ''
      ${pkgs.bash}/bin/bash -c "/home/coolneng/.emacs.d/bin/doom -! purge"
    '';
    serviceConfig.Type = "oneshot";
    startAt = "*-*-13 20:00:00";
  };
  # Upgrade Neovim plugins weekly
  systemd.user.services.vim-plug-upgrade = {
    description = "Upgrade Vim-Plug";
    path = [ git neovim ];
    script = "${pkgs.neovim}/bin/nvim +PlugUpgrade +PlugUpdate +qa";
    serviceConfig.Type = "oneshot";
    startAt = "Wed 18:00:00";
    after = [ "network-online.target" ];
  };
  # Push password-store changes to git daily
  systemd.user.services.password-store-push = {
    description = "Push password-store changes to git";
-    path = [
+    path = [ pass-wayland git gitAndTools.pass-git-helper ];
      pass-wayland
      git
      pass-git-helper
    ];
    script = "${pkgs.pass-wayland}/bin/pass git push";
    serviceConfig.Type = "oneshot";
    startAt = "18:00:00";
    after = [ "network-online.target" ];
  };
-  # Sync mail using IMAP IDLE
+  # Sync mail using IDLE
-  systemd.user.services.goimapnotify = {
+  systemd.user.services.goimapnotify-ugent = {
-    description = "Sync mail using IMAP IDLE";
+    description = "Sync UGent mail using IMAP IDLE";
    wantedBy = [ "default.target" ];
-    path = [
+    path = [ goimapnotify pass-wayland isync-oauth2 mu python39 gnupg nix ];
      goimapnotify
      pass-wayland
      isync-oauth2
      mu
      procps
      emacs-vterm
    ];
    script = ''
-      ${pkgs.goimapnotify}/bin/goimapnotify -conf /home/coolneng/.config/goimapnotify/goimapnotify.yaml
+      ${pkgs.goimapnotify}/bin/goimapnotify -conf /home/coolneng/.config/goimapnotify/ugent.conf
    '';
    serviceConfig = {
-      ExecStartPre = "/home/coolneng/.local/share/scripts/mail-sync";
+      ExecStartPre = "/home/coolneng/.local/share/scripts/mail-sync ugent";
      Type = "simple";
      Restart = "always";
      RestartSec = 20;
@@ -67,25 +69,36 @@ in
    after = [ "network-online.target" ];
  };
-  # Do a full mail sync periodically
+  systemd.user.services.goimapnotify-gmail = {
-  systemd.user.services.periodic-mail-sync = {
+    description = "Sync gmail mail using IMAP IDLE";
    description = "Run a mail sync operation periodically";
    wantedBy = [ "default.target" ];
-    path = [
+    path = [ goimapnotify pass-wayland isync-oauth2 mu ];
      pass-wayland
      isync-oauth2
      mu
      procps
      emacs-vterm
      python3
      gnupg
      nix
    ];
    script = ''
-      /home/coolneng/.local/share/scripts/mail-sync -a
+      ${pkgs.goimapnotify}/bin/goimapnotify -conf /home/coolneng/.config/goimapnotify/gmail.conf
    '';
    serviceConfig = {
      ExecStartPre = "/home/coolneng/.local/share/scripts/mail-sync gmail";
      Type = "simple";
      Restart = "always";
      RestartSec = 20;
    };
    after = [ "network-online.target" ];
  };
  systemd.user.services.goimapnotify-disroot = {
    description = "Sync disroot mail using IMAP IDLE";
    wantedBy = [ "default.target" ];
    path = [ goimapnotify pass-wayland isync-oauth2 mu ];
    script = ''
      ${pkgs.goimapnotify}/bin/goimapnotify -conf /home/coolneng/.config/goimapnotify/disroot.conf
    '';
    serviceConfig = {
      ExecStartPre = "/home/coolneng/.local/share/scripts/mail-sync disroot";
      Type = "simple";
      Restart = "always";
      RestartSec = 20;
    };
    after = [ "network-online.target" ];
    startAt = "*-*-* *:00,30:00";
  };
  # HACK Change home partition permissions for mopidy
@@ -95,34 +108,36 @@ in
    script = "chmod 751 /home/coolneng";
    serviceConfig.Type = "oneshot";
    after = [ "home-coolneng.mount" ];
-    before = [
+    before = [ "mopidy.service" "mopidy-scan.service" ];
      "mopidy.service"
      "mopidy-scan.service"
    ];
  };
  # Push panacea changes to git daily
  systemd.user.services.panacea-push = {
    description = "Push panacea changes to git";
-    path = [
+    path = [ pass-wayland git gitAndTools.pass-git-helper ];
      pass-wayland
      git
      pass-git-helper
    ];
    script = "${pkgs.git}/bin/git -C /home/coolneng/Projects/panacea push";
    serviceConfig.Type = "oneshot";
-    startAt = "18:00:00";
+    startAt = "14:00:00";
    after = [ "network-online.target" ];
  };
-  # Show notification when the battery is low
+  # Clean up Mopidy cache monthly
-  systemd.user.services.swaynag-battery = {
+  systemd.services.mopidy-cleanup = {
-    description = "Show notification when the battery is low";
+    description = "Clean up Mopidy cache monthly";
-    path = [
+    path = [ coreutils ];
-      swaynag-battery
+    script = "${pkgs.coreutils}/bin/rm -rf /var/lib/mopidy/.cache/*";
-      sway
+    serviceConfig.Type = "oneshot";
-    ];
+    startAt = "*-*-15 14:00:00";
-    script = "${pkgs.swaynag-battery}/bin/swaynag-battery --threshold 10";
+    after = [ "network-online.target" ];
-    wantedBy = [ "sway-session.target" ];
+  };
  # Pull changes from zion daily
  systemd.user.services.zion-pull = {
    description = "Pull zion changes to git";
    path = [ git ];
    script = "${pkgs.git}/bin/git -C /home/coolneng/Projects/zion pull";
    serviceConfig.Type = "oneshot";
    startAt = "10:00:00";
    after = [ "network-online.target" ];
  };
 }
--- a/modules/power.nix
+++ b/modules/power.nix
@@ -1,16 +1,33 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 {
-  # Enable power-profiles-daemon
+  # Enable the auto-cpufreq daemon
-  services.power-profiles-daemon.enable = true;
+  services.auto-cpufreq.enable = true;
  # Enable the TLP daemon
  services.tlp.enable = true;
  # Suspend when the battery is critical
  services.udev.extraRules = ''
    SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{model_name}=="01AV405", ATTR{capacity}=="[0-5]", RUN+="${config.systemd.package}/bin/systemctl suspend -i"
  '';
  # Enable thinkfan
  services.thinkfan = {
    enable = true;
    levels = [
      [ 0 0 47 ]
      [ 1 47 69 ]
      [ 2 69 74 ]
      [ 3 74 78 ]
      [ 4 78 82 ]
      [ 5 82 85 ]
      [ 6 85 87 ]
      [ 7 87 32767 ]
    ];
  };
  # HACK Workaround to enable the service the first time
  systemd.services.thinkfan.preStart = ''
    /run/current-system/sw/bin/modprobe  -r thinkpad_acpi && /run/current-system/sw/bin/modprobe thinkpad_acpi
  '';
 }
--- a/modules/printing.nix
+++ b/modules/printing.nix
@@ -1,18 +1,10 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 {
  # Enable CUPS
  services.printing = {
    enable = true;
-    drivers = with pkgs; [
+    drivers = with pkgs; [ brgenml1cupswrapper ];
      brgenml1cupswrapper
      hplip
    ];
  };
  # Enable SANE
--- a/modules/software.nix
+++ b/modules/software.nix
@@ -1,33 +1,16 @@
-{
+{ config, lib, pkgs, inputs, ... }:
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
 with pkgs;
 let
-  custom-mpv = (
+  emacs-vterm = ((emacsPackagesFor emacs28NativeComp).emacsWithPackages
-    mpv-unwrapped.wrapper {
+    (epkgs: with epkgs; [ vterm pdf-tools ]));
-      mpv = mpv-unwrapped;
+  isync-oauth2 = isync.overrideAttrs
-      scripts = with mpvScripts; [
+    (div: rec { buildInputs = [ openssl db patched-cyrus-sasl-oauth2 zlib ]; });
-        sponsorblock-minimal
+  mpv-sponsorblock =
-        mpv-cheatsheet
+    (mpv-with-scripts.override { scripts = [ mpvScripts.sponsorblock ]; });
      ];
    }
  );
-  patched-bitwig = bitwig-studio.overrideAttrs (old: rec {
+in {
    src = "${inputs.local-bitwig}/bitwig-studio.deb";
    postInstall = ''
      cp -r ${inputs.local-bitwig}/bitwig.jar $out/libexec/bin/bitwig.jar
    '';
  });
 in
 {
  environment.systemPackages = [
    # Monitoring
    htop
@@ -36,11 +19,11 @@ in
    gnupg
    pass-wayland
    passff-host
-    pass-git-helper
+    gitAndTools.pass-git-helper
-    inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
+    inputs.agenix.defaultPackage.x86_64-linux
    git-crypt
    git-lfs
    # Browsers
    firefox
    ungoogled-chromium
    # LaTeX
    texlive.combined.scheme-full
@@ -48,6 +31,7 @@ in
    texlab
    # Text editors
    neovim
    neovim-remote
    emacs-vterm
    # Emacs dependencies
    (ripgrep.override { withPCRE2 = true; })
@@ -62,56 +46,61 @@ in
    git
    direnv
    nix-direnv
    podman-compose
    gnumake
-    pre-commit
+    gitAndTools.pre-commit
-    emacs-lsp-booster
+    delta
    # Rice
    adapta-gtk-theme
    paper-icon-theme
    # Audio
    mopidy
    ncmpcpp
-    mpc
+    mpc_cli
    pulsemixer
    easyeffects
    patched-bitwig
    # Productivity
    fff
    zathura
    libreoffice-fresh
-    simple-scan
+    gnome3.simple-scan
    bc
-    pdfgrep
+    citrix_workspace
    # Mail stack
    mu
-    (isync.override { withCyrusSaslXoauth2 = true; })
+    isync-oauth2
    msmtp
    w3m
    urlscan
    # Media
    gimp
-    custom-mpv
+    mpv-sponsorblock
    nodePackages.webtorrent-cli
    deluge
    yt-dlp-light
    ffmpeg
    calibre
    beets
    # File management
    zip
    unzip
    unar
    cifs-utils
    keyutils
    # Overlays
    cachix
-    # Budgeting
+    # Networking
-    beancount
+    openconnect-sso
-    beancount-language-server
+    # Communication
-    fava
+    gomuks
    # Programming tools
    ## Shell
    shellcheck
    shfmt
    ## Nix
-    nixfmt-rfc-style
+    nixfmt
    ## Python
-    ty
+    nodePackages.pyright
-    ruff
+    black
    ## C/C++
    clang-tools
    ## Go
@@ -122,13 +111,13 @@ in
  ];
  # Fonts declaration
-  fonts.packages = with pkgs; [
+  fonts.fonts = with pkgs; [
    google-fonts
    inconsolata-nerdfont
    terminus_font_ttf
    iosevka-bin
    libertine
-    nerd-fonts.inconsolata
+    emacs-all-the-icons-fonts
    nerd-fonts.symbols-only
  ];
 }
--- a/overlays/cyrus-sasl-oauth2.nix
+++ b/overlays/cyrus-sasl-oauth2.nix
@@ -0,0 +1,24 @@
 { config, lib, pkgs, inputs, ... }:
 let
  cyrus-sasl-xoauth2 = with pkgs;
    stdenv.mkDerivation {
      name = "cyrus-sasl-xoauth2";
      src = inputs.cyrus-sasl-xoauth2;
      nativeBuildInputs =
        [ autoreconfHook inputs.nixpkgs.legacyPackages."${system}".cyrus_sasl ];
    };
 in {
  nixpkgs.overlays = [
    (final: prev: {
      patched-cyrus-sasl-oauth2 = prev.cyrus_sasl.overrideAttrs (div: rec {
        postInstall = ''
          for lib in ${cyrus-sasl-xoauth2}/lib/sasl2/*; do
            ln -sf $lib $out/lib/sasl2/
          done
        '';
      });
    })
  ];
 }
--- a/overlays/nix-direnv.nix
+++ b/overlays/nix-direnv.nix
@@ -0,0 +1,11 @@
 { config, lib, pkgs, ... }:
 with pkgs;
 {
  nixpkgs.overlays = [
    (self: super: {
      nix-direnv = super.nix-direnv.override { enableFlakes = true; };
    })
  ];
 }
--- a/overlays/openconnect-sso.nix
+++ b/overlays/openconnect-sso.nix
@@ -0,0 +1,3 @@
 { config, lib, pkgs, inputs, ... }: {
  nixpkgs.overlays = [ (import "${inputs.openconnect-sso}/overlay.nix") ];
 }
--- a/secrets/bandcamp_token
+++ b/secrets/bandcamp_token
--- a/secrets/samba-ugent.age
+++ b/secrets/samba-ugent.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,8 +1,9 @@
 let
-  coolneng = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC57m1j/G6iQyi2EpU3nj3+df5Z4PL/XbiOmDcqA7ODg";
+  coolneng =
-in
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC57m1j/G6iQyi2EpU3nj3+df5Z4PL/XbiOmDcqA7ODg";
-{
+in {
  "wireguard.age".publicKeys = [ coolneng ];
  "syncthing.age".publicKeys = [ coolneng ];
  "samba-ugent.age".publicKeys = [ coolneng ];
  "msmtp.age".publicKeys = [ coolneng ];
 }
--- a/secrets/soundcloud_token
+++ b/secrets/soundcloud_token