nix: add t14 system configuration

meaning reencrypt shared secrets to the new key...
also, make use of nixos-hardware's module for t14

nix/.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &it age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
   - &loki age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l
   - &nixpi age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
+  - &t14 age1qnyrhen4ynpa6t0ljgjnhz5zpf0ennzt4ezskeq78nsnpvlyh5ws6ergnx
   - &monoceros age1yzlnedt49kd429jssj73v3yz5z7deyg82dq0gq86lp6dft4edg7qrcjs5v
   - &backup age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
   - &surtur age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6
@@ -17,6 +18,11 @@ creation_rules:
       - age:
           - *backup
           - *nixpi
+  - path_regex: hosts/t14/*.*
+    key_groups:
+      - age:
+          - *backup
+          - *t14
   - path_regex: hosts/monoceros/*.*
     key_groups:
       - age:

nix/flake.lock

@@ -261,6 +261,26 @@
         "type": "github"
       }
     },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1701728041,
+        "narHash": "sha256-x0pyrI1vC8evVDxCxyO6olOyr4wlFg9+VS3C3p4xFYQ=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "ac7216918cd65f3824ba7817dea8f22e61221eaf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "napalm": {
       "inputs": {
         "flake-utils": [
@@ -308,6 +328,22 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1701656485,
+        "narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "fa194fc484fd7270ab324bb985593f71102e84d1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1691853136,
@@ -453,6 +489,8 @@
         "attic": "attic",
         "authentik-nix": "authentik-nix",
         "disko": "disko",
+        "home-manager": "home-manager_2",
+        "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_3",
         "sops-nix": "sops-nix"
       }

nix/flake.nix

@@ -2,8 +2,13 @@
   description = "NixOS configuration for all the things (as many as we can get)";
 
   inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+  inputs.home-manager = {
+    url = "github:nix-community/home-manager";
+    inputs.nixpkgs.follows = "nixpkgs";
+  };
   inputs.disko.url = "github:nix-community/disko";
   inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
+  inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master";
   inputs.agenix.url = "github:ryantm/agenix";
   inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
   inputs.sops-nix.url = "github:Mic92/sops-nix";
@@ -13,7 +18,9 @@
   outputs = {
     self,
     nixpkgs,
+    home-manager,
     disko,
+    nixos-hardware,
     agenix,
     sops-nix,
     attic,
@@ -58,6 +65,31 @@
       ];
     };
 
+    nixosConfigurations.t14 = nixpkgs.lib.nixosSystem {
+      # inherit pkgs system;
+      modules = let
+        usr = "mko";
+      in [
+        nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen2
+        disko.nixosModules.disko
+        sops-nix.nixosModules.sops
+
+        ./hosts/t14/configuration.nix
+        home-manager.nixosModules.home-manager
+        {
+          home-manager.useGlobalPkgs = true;
+          home-manager.useUserPackages = true;
+          home-manager.extraSpecialArgs = {inherit usr;};
+          home-manager.users.${usr} = {
+            home.stateVersion = "23.11";
+            imports = [
+              ./hosts/t14/home.nix
+            ];
+          };
+        }
+      ];
+    };
+
     nixosConfigurations.monoceros = nixpkgs.lib.nixosSystem {
       # inherit pkgs system;
       modules = [

nix/hosts/t14/configuration.nix

@@ -0,0 +1,374 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./disko-config.nix
+
+    # ./modules/podman.nix
+
+    ../../modules/base.nix
+    ../../modules/dnscrypt.nix
+  ];
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age = {
+      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+      generateKey = false;
+    };
+
+    secrets.rootPassphrase.owner = "root";
+    secrets.mkoPassphrase.owner = "root";
+    # used as "cloaking_rules"
+    secrets.extraHosts.owner = "dnscrypt-proxy";
+  };
+
+  # nixpkgs.currentSystem = "x86_64-linux";
+  nix.settings.trusted-users = ["@wheel" "root" "mko"];
+
+  # forbid hibernation due to zfs-on-root.
+  boot.kernelParams = ["amd_pstate=active" "nohibernate"];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.configurationLimit = 42;
+  boot.loader.systemd-boot.netbootxyz.enable = false;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.supportedFilesystems = ["zfs"];
+  boot.zfs.forceImportRoot = true;
+
+  boot.initrd.kernelModules = ["zfs" "e1000e"];
+
+  boot.binfmt = {
+    emulatedSystems = [
+      "wasm32-wasi"
+      "aarch64-linux"
+    ];
+  };
+
+  environment.etc = {
+    "greetd/environments".text = ''
+      sway
+    '';
+    "walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg".source = ./walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg;
+  };
+
+  sound = {
+    enable = true;
+    mediaKeys = {enable = true;};
+  };
+  hardware.pulseaudio.enable = false;
+
+  fonts = {
+    packages = with pkgs; [
+      #    font-awesome
+      #    google-fonts
+      noto-fonts
+      noto-fonts-cjk
+      noto-fonts-emoji
+      fira-code
+      cascadia-code
+      (nerdfonts.override {
+        fonts = ["FiraCode" "JetBrainsMono" "CascadiaCode"];
+      })
+    ];
+
+    enableDefaultPackages = true;
+    fontDir.enable = true;
+
+    fontconfig = {
+      enable = true;
+      defaultFonts = {
+        monospace = ["FiraCode Nerd Font"];
+        sansSerif = ["Noto Sans"];
+        serif = ["Noto Serif"];
+        emoji = ["Noto Color Emoji"];
+      };
+    };
+  };
+
+  environment = {
+    variables = {
+      EDITOR = "vim";
+      VISUAL = "vim";
+      MOZ_ENABLE_WAYLAND = "1";
+      NIXOS_OZONE_WL = "1";
+      NIXPKGS_ALLOW_UNFREE = "0";
+      TERMINAL = "kitty";
+      WLR_NO_HARDWARE_CURSORS = "1";
+      XCURSOR_SIZE = "16";
+      XDG_CURRENT_DESKTOP = "sway";
+      XDG_SESSION_TYPE = "wayland";
+      _JAVA_AWT_WM_NONREPARENTING = "1";
+    };
+    systemPackages = with pkgs; [
+      home-manager
+      openssl
+      libinput
+      dmidecode
+      pamixer
+      git
+      wol
+      vim
+      wget
+      curl
+      kitty
+      brave
+      go_1_21
+      cargo
+      chainsaw
+      topgrade
+    ];
+  };
+
+  networking = {
+    # hostId = pkgs.lib.mkForce "00000000";
+    hostId = "deadb33f";
+    hostName = "t14";
+
+    nftables.enable = true;
+
+    networkmanager.enable = true;
+    # interfaces.enp0s25.wakeOnLan.enable = true;
+
+    firewall = {
+      allowPing = true;
+    };
+
+    # Configure network proxy if necessary
+    # networking.proxy.default = "http://user:password@proxy:port/";
+    # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+  };
+
+  users.users = {
+    root = {
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
+      ];
+      # hashedPasswordFile = config.sops.secrets.rootPassphrase.path;
+      hashedPassword = "$y$j9T$yNhN6CYvKBWz/HnLv2gp//$0fFgtV4xzBijxWxUg1oTH74GoekdMK6UZUQWby5fZi4";
+      subUidRanges = [
+        {
+          count = 65535;
+          startUid = 65536 * 28; # 1835008, docker
+        }
+      ];
+    };
+
+    mko = {
+      isNormalUser = true;
+      createHome = true;
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
+      ];
+      hashedPasswordFile = config.sops.secrets.mkoPassphrase.path;
+      extraGroups = [
+        "wheel"
+        "networkmanager"
+        "audio"
+        "camera"
+        "kvm"
+        "lp"
+        "scanner"
+        "video"
+        "console"
+      ];
+      subUidRanges = [
+        {
+          count = 65535;
+          startUid = 65536 * 28; # 1835008, docker
+        }
+      ];
+    };
+  };
+  users.users.mko.group = "mko";
+  users.groups.mko = {};
+
+  users.groups.wheel.members = ["mko"];
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  security = {
+    doas = {
+      enable = false;
+      extraRules = [
+        {
+          users = ["mko"];
+          keepEnv = true; # Optional, retains environment variables while running commands
+          persist = true; # Optional, only require password verification a single time
+        }
+      ];
+    };
+    sudo = {
+      enable = true;
+      extraRules = [
+        {
+          commands = [
+            {
+              command = "${pkgs.systemd}/bin/systemctl suspend";
+              options = ["NOPASSWD"];
+            }
+            {
+              command = "${pkgs.systemd}/bin/reboot";
+              options = ["NOPASSWD"];
+            }
+            {
+              command = "${pkgs.systemd}/bin/poweroff";
+              options = ["NOPASSWD"];
+            }
+          ];
+          groups = ["wheel"];
+        }
+      ];
+    };
+    pam.services.swaylock = {};
+    polkit.enable = true;
+  };
+
+  services = {
+    atd.enable = true;
+
+    udev.extraRules = ''
+      # wol
+      ACTION=="add", SUBSYSTEM=="net", NAME=="en*", RUN+="${pkgs.ethtool}/bin/ethtool -s $name wol g"
+    '';
+
+    pipewire = {
+      enable = true;
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+      pulse.enable = true;
+    };
+
+    blueman.enable = true;
+
+    dbus.enable = true;
+
+    dnscrypt-proxy2.settings.cloaking_rules = config.sops.secrets.extraHosts.path;
+
+    greetd = {
+      enable = true;
+      settings = {
+        default_session.command = ''
+          ${pkgs.greetd.tuigreet}/bin/tuigreet \
+            --time \
+            --asterisks \
+            --user-menu \
+            --cmd sway
+        '';
+      };
+    };
+
+    power-profiles-daemon.enable = true;
+    #tlp.enable =
+    #  lib.mkDefault ((lib.versionOlder (lib.versions.majorMinor lib.version) "23.11")
+    #    || !config.services.power-profiles-daemon.enable);
+    #auto-cpufreq.enable = true;
+    #auto-cpufreq.settings = {
+    #  battery = {
+    #    governor = "powersave";
+    #    turbo = "never";
+    #  };
+    #  charger = {
+    #    governor = "schedutil";
+    #    turbo = "auto";
+    #  };
+    #};
+
+    prometheus = {
+      # WIP.
+      enable = true;
+      # openFirewall = true;
+      port = 9090;
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [
+            "logind"
+            "systemd"
+          ];
+          port = 9100;
+        };
+      };
+
+      scrapeConfigs = [
+        {
+          job_name = "node";
+          static_configs = [
+            {
+              targets = [
+                "${config.networking.hostName}.local:${toString config.services.prometheus.exporters.node.port}"
+              ];
+            }
+          ];
+        }
+      ];
+    };
+
+    # TS is enabled in the imported module, this is additional config.
+    tailscale = {
+      useRoutingFeatures = "both";
+      # accept-routes = true;
+    };
+
+    zfs = {
+      autoScrub = {
+        enable = true;
+        interval = "weekly";
+      };
+      trim.enable = true;
+    };
+  };
+
+  hardware = {
+    bluetooth = {
+      enable = true;
+      # HSP & HFP daemon (apparently needs to be false now because of wire plumber)
+      hsphfpd.enable = false;
+      settings = {General = {Enable = "Source,Sink,Media,Socket";};};
+    };
+    opengl = {
+      enable = true;
+      extraPackages = with pkgs; [
+        vaapiVdpau
+        libvdpau-va-gl
+      ];
+    };
+  };
+
+  xdg = {
+    portal = {
+      enable = true;
+      wlr.enable = true;
+      extraPortals = with pkgs; [
+        xdg-desktop-portal-wlr
+        xdg-desktop-portal-gtk
+      ];
+    };
+  };
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # Does not work with flakes - yet™.
+  system.copySystemConfiguration = false;
+}

nix/hosts/t14/disko-config.nix

@@ -0,0 +1,162 @@
+{
+  config,
+  disks ? ["/dev/nvme0n1"],
+  lib,
+  ...
+}: {
+  disko.devices = {
+    disk = {
+      nvme0n1 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        mode = ""; # == single disk
+        options = {
+          ashift = "12";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          encryption = "aes-256-gcm";
+          keyformat = "passphrase";
+          keylocation = "file:///root/.zfs-zroot-pool.key";
+          #postCreateHook = ''
+          #  "zfs change-key -o keylocation=prompt zroot/$name"
+          #'';
+          checksum = "sha512";
+          atime = "off";
+          compression = "zstd";
+          "com.sun:auto-snapshot" = "false";
+        };
+        mountpoint = null;
+        postCreateHook = "zfs snapshot zroot@blank";
+
+        datasets = {
+          # can be rebuilt.
+          local = {
+            type = "zfs_fs";
+            mountpoint = null;
+            options."com.sun:auto-snapshot" = "false";
+          };
+          "local/nix" = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+          };
+          "system" = {
+            type = "zfs_fs";
+            mountpoint = null;
+            options = {
+              "com.sun:auto-snapshot" = "false";
+            };
+          };
+          # system root.
+          "system/nixos" = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options = {
+              "com.sun:auto-snapshot" = "true";
+            };
+          };
+          "system/nixos/var" = {
+            type = "zfs_fs";
+            mountpoint = "/var";
+            options = {
+              "com.sun:auto-snapshot" = "true";
+            };
+          };
+          "system/nixos/var/log" = {
+            type = "zfs_fs";
+            mountpoint = "/var/log";
+            options = {
+              "com.sun:auto-snapshot" = "true";
+            };
+          };
+          "system/nixos/var/cache" = {
+            type = "zfs_fs";
+            mountpoint = "/var/cache";
+            options = {
+              "com.sun:auto-snapshot" = "true";
+            };
+          };
+          "system/nixos/var/containers-storage" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/containers/storage";
+            options = {
+              "com.sun:auto-snapshot" = "false";
+              acltype = "posixacl";
+            };
+          };
+          # frequently snapshot and backed up data.
+          userdata = {
+            type = "zfs_fs";
+            mountpoint = "/DATA";
+            options = {
+              # encryption = "aes-256-gcm";
+              # keyformat = "passphrase";
+              # keylocation = "file:///root/.zfs-DATA.key";
+              "com.sun:auto-snapshot" = "false";
+            };
+          };
+          "userdata/home" = {
+            type = "zfs_fs";
+            mountpoint = "/DATA/home";
+            options = {
+              # encryption = "aes-256-gcm";
+              # keyformat = "passphrase";
+              # keylocation = "file:///root/.zfs-DATA-home.key";
+              "com.sun:auto-snapshot" = "true";
+            };
+          };
+          "userdata/home/root" = {
+            type = "zfs_fs";
+            mountpoint = "/root";
+            options = {
+              "com.sun:auto-snapshot" = "true";
+            };
+          };
+          "userdata/home/root-cache" = {
+            type = "zfs_fs";
+            mountpoint = "/root/.cache";
+            options."com.sun:auto-snapshot" = "false";
+          };
+          "userdata/home/root-config" = {
+            type = "zfs_fs";
+            mountpoint = "/root/.config";
+            options = {
+              "com.sun:auto-snapshot" = "true";
+            };
+          };
+          "userdata/services" = {
+            type = "zfs_fs";
+            mountpoint = "/DATA/services";
+            options."com.sun:auto-snapshot" = "false";
+          };
+        };
+      };
+    };
+  };
+}

nix/hosts/t14/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nix/hosts/t14/home.nix

@@ -0,0 +1,125 @@
+{
+  config,
+  lib,
+  pkgs,
+  usr,
+  ...
+}: {
+  imports = [
+    # ./modules/desktop/waybar.nix
+    # ./modules/desktop/wayland.nix
+    ./modules/desktop/sway.nix
+  ];
+
+  # home.enableNixpkgsReleaseCheck = false;
+  home = {
+    username = lib.mkForce "${usr}";
+    homeDirectory = lib.mkForce "/home/${usr}";
+
+    packages = with pkgs; [
+      actionlint
+      asciinema
+      asciiquarium
+      bat
+      bc
+      black
+      sqlite
+      bun
+      caddy
+      cliphist
+      cowsay
+      curlie
+      dig
+      dive
+      dogdns
+      doggo
+      entr
+      eza
+      exif
+      exiftool
+      fd
+      feh
+      ffmpeg
+      figlet
+      file
+      firefox-wayland
+      chromium
+      fx
+      gcc
+      glow
+      gnumake
+      go_1_21
+      gofumpt
+      golangci-lint
+      golangci-lint-langserver
+      gopls
+      goreleaser
+      gotools
+      graph-easy
+      graphviz
+      hadolint
+      hugo
+      ipcalc
+      jq
+      killall
+      libtelnet
+      lolcat
+      lsof
+      mpv-unwrapped
+      neofetch
+      netcat
+      networkmanagerapplet
+      nixfmt
+      nmap
+      nodePackages.prettier
+      nodePackages.typescript
+      nodePackages.typescript-language-server
+      nodePackages.yaml-language-server
+      nodejs
+      pciutils
+      pgcli
+      pulsemixer
+      pylint
+      python3
+      python39Packages.pipx
+      ripgrep
+      rnix-lsp
+      rsync
+      shellcheck
+      shfmt
+      signal-desktop
+      # slack
+      statix
+      p7zip
+      unzip
+      usbutils
+      v4l-utils
+      wev
+      whois
+      xdg-utils
+      youtube-dl
+      yq-go
+      zip
+    ];
+
+    stateVersion = lib.mkForce "23.11";
+  };
+
+  services = {
+    blueman-applet.enable = true;
+    network-manager-applet.enable = true;
+  };
+
+  programs = {
+    #fzf = {
+    #  enable = true;
+    #  enableZshIntegration = true;
+    #};
+    gh = {enable = true;};
+    home-manager = {enable = true;};
+    obs-studio = {
+      enable = true;
+      plugins = with pkgs.obs-studio-plugins; [wlrobs];
+    };
+  };
+}

nix/hosts/t14/modules/desktop/dracula.sway

@@ -0,0 +1,8 @@
+# class                 border  bground text    indicator child_border
+client.focused          #6272A4 #6272A4 #F8F8F2 #6272A4   #6272A4
+client.focused_inactive #44475A #44475A #F8F8F2 #44475A   #44475A
+client.unfocused        #282A36 #282A36 #BFBFBF #282A36   #282A36
+client.urgent           #44475A #FF5555 #F8F8F2 #FF5555   #FF5555
+client.placeholder      #282A36 #282A36 #F8F8F2 #282A36   #282A36
+
+client.background       #F8F8F2

nix/hosts/t14/modules/desktop/sway-inputs.sway

@@ -0,0 +1,60 @@
+input 1:1:AT_Translated_Set_2_keyboard
+{
+	# laptop kbd
+	xkb_layout gb,sk
+	xkb_options grp:win_space_toggle,compose:ralt
+	xkb_variant ",qwerty"
+	repeat_delay 280
+	repeat_rate 55
+}
+
+input 1133:16522:Logitech_MX_Keys
+{
+	xkb_layout gb,sk
+	xkb_options grp:win_space_toggle,compose:ralt
+	xkb_variant ",qwerty"
+	repeat_delay 280
+	repeat_rate 55
+}
+
+# wired
+input 1452:592:Keychron_Keychron_K2
+{
+	xkb_layout gb,sk
+	xkb_options grp:win_space_toggle,compose:ralt
+	xkb_variant ",qwerty"
+	repeat_delay 280
+	repeat_rate 55
+}
+
+# wireless
+input 1452:592:Keychron_K2 {
+	xkb_layout gb,sk
+	xkb_options grp:win_space_toggle,compose:ralt
+	xkb_variant ",qwerty"
+	repeat_delay 280
+	repeat_rate 55
+}
+
+input 1102:4619:DLL07A7:01_044E:120B
+{
+	# touchpad
+	accel_profile adaptive
+
+	tap enabled
+	# disable-while-typing
+	dwt enabled
+	natural_scroll enabled
+	scroll_method two_finger
+	# lrm treats 1 finger as left click, 2 fingers as right click, and 3
+	# fingers as middle click.
+	tap_button_map lrm
+}
+input 1149:8264:Primax_Kensington_Eagle_Trackball
+{
+	# scroll_factor 1.5
+	scroll_factor 0.5
+	natural_scroll enabled
+	accel_profile adaptive
+	dwt enabled
+}

nix/hosts/t14/modules/desktop/sway.nix

@@ -0,0 +1,693 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  # bash script to let dbus know about important env variables and
+  # propagate them to relevent services run at the end of sway config
+  # see
+  # https://github.com/emersion/xdg-desktop-portal-wlr/wiki/"It-doesn't-work"-Troubleshooting-Checklist
+  # note: this is pretty much the same as  /etc/sway/config.d/nixos.conf but also restarts
+  # some user services to make sure they have the correct environment variables
+  dbus-sway-environment = pkgs.writeTextFile {
+    name = "dbus-sway-environment";
+    destination = "/bin/dbus-sway-environment";
+    executable = true;
+
+    text = ''
+      dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway
+      systemctl --user stop pipewire pipewire-media-session xdg-desktop-portal xdg-desktop-portal-wlr
+      systemctl --user start pipewire pipewire-media-session xdg-desktop-portal xdg-desktop-portal-wlr
+    '';
+  };
+
+  # currently, there is some friction between sway and gtk:
+  # https://github.com/swaywm/sway/wiki/GTK-3-settings-on-Wayland
+  # the suggested way to set gtk settings is with gsettings
+  # for gsettings to work, we need to tell it where the schemas are
+  # using the XDG_DATA_DIR environment variable
+  # run at the end of sway config
+  configure-gtk = pkgs.writeTextFile {
+    name = "configure-gtk";
+    destination = "/bin/configure-gtk";
+    executable = true;
+    text = let
+      schema = pkgs.gsettings-desktop-schemas;
+      datadir = "${schema}/share/gsettings-schemas/${schema.name}";
+    in ''
+      export XDG_DATA_DIRS=${datadir}:$XDG_DATA_DIRS
+      gnome_schema=org.gnome.desktop.interface
+      gsettings set $gnome_schema gtk-theme 'Dracula'
+    '';
+  };
+in {
+  home.packages = with pkgs; [
+    dbus-sway-environment
+    configure-gtk
+
+    kitty
+    alacritty # gpu accelerated terminal
+
+    wayland
+    xdg-utils # for opening default programs when clicking links
+    glib # gsettings
+    dracula-theme # gtk theme
+    gnome3.adwaita-icon-theme # default gnome cursors
+    swaylock
+    swayidle
+    grim # screenshot functionality
+    slurp # screenshot functionality
+    wl-clipboard # wl-copy and wl-paste for copy/paste from stdin / stdout
+    bemenu # wayland clone of dmenu
+    mako # notification system developed by swaywm maintainer
+    wdisplays # tool to configure displays manually
+    kanshi
+    wofi
+    avizo
+    light
+  ];
+
+  ## enable sway window manager
+  #programs.sway = {
+  #  enable = true;
+  #  wrapperFeatures.gtk = true;
+  #};
+  wayland.windowManager.sway = {
+    enable = true;
+    config = rec {
+      modifier = "Mod4"; # super key
+      # Use kitty as default terminal
+      terminal = "kitty";
+      startup = [
+        # Launch Firefox on start
+        # {command = "firefox";}
+        {command = "kitty";}
+      ];
+    };
+    extraConfig = ''
+      set {
+      	$mod Mod4
+        # $mod4 Mod4
+      	$left h
+      	$down j
+      	$up k
+      	$right l
+      	$lock exec swaylock -efFc "#000000"
+
+      	$bg "/etc/walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg"
+
+        ###  # $gtk_theme "Dracula"
+        ###  $gtk_theme "Yaru-purple-dark"
+        ###  $gtk_font_name "CascadiaCodePL ExtraLight"
+        ###  $gtk_font_size "10.4"
+        ###  $icon_theme "Flat-Remix-Blue-Dark"
+        ###  # $icon_theme "Yaru-blue-dark"
+        ###  # $gtk_cursor_theme "Yaru"
+        ###  $gtk_cursor_theme "Adwaita"
+        ###  $cursor_size 16
+        ###  $theme "Yaru-purple-dark"
+
+      	$laptop_screen "eDP-1"
+      	$ext_screen "Dell Inc. DELL U2412M Y1H5T27N1EVL"
+      	$pri $laptop_screen
+      	$sec $ext_screen
+
+      	$term KITTY_ENABLE_WAYLAND=1 kitty -1 # qterminal alacritty
+      	$menu wofi --show drun --allow-markup swaymsg exec --
+      	$othermenu XDG_DATA_DIRS=/usr/share/:/usr/local/share/:/var/lib/flatpak/exports/share/:$HOME/.local/share/flatpak/exports/share/ j4-dmenu-desktop --dmenu="bemenu -n -p \"applications\" -l 30 --fn 'FiraCode Retina 17'" --term="kitty" --no-generic --display-binary
+      	$nutermmenu kitty --class 'launcher' bash -c 'compgen -c | sort -u | fzf | xargs -r kitty'
+      	$bemenu XDG_DATA_DIRS=/usr/share/:/usr/local/share/:/var/lib/flatpak/exports/share/:$HOME/.local/share/flatpak/exports/share/ bemenu-run --fork -l 5 -n -p "▶" --fn 'FiraCode Retina 17' | xargs swaymsg exec
+      	$gtk_font_name "CascadiaCodePL ExtraLight"
+      	$gtk_font_size "10.4"
+      }
+
+      output "*" bg $bg fill
+
+      default_border pixel 0
+      default_floating_border normal
+      # hide_edge_borders --i3 both
+      # smart_borders on
+
+      # works also for non-floating windows
+      # normal - drag floating windows by holding down $mod and left mouse button.
+      # resize them with right mouse button + $mod.
+      # inverse for $mod+left click to resize, $mod+right click to drag
+      # floating_modifier $mod normal
+
+      # clipboard sync
+      # exec wl-paste -pw wl-copy
+
+      # Only enable outer gaps when there is exactly one container
+      #smart_gaps inverse_outer
+      # Only enable gaps on a workspace when there is at least one container
+      #smart_gaps on
+      smart_gaps inverse_outer
+
+      # Activate smart borders (always)
+      #smart_borders on
+      # Activate smart borders (only when there are effectively no gaps)
+      #smart_borders no_gaps
+
+      # Hide edge borders only if there is one window with no gaps
+      #hide_edge_borders smart_no_gaps
+
+      gaps outer 8
+      # gaps outer -3
+      gaps inner 5
+
+      font pango:FiraCode Retina weight=700 14px
+
+      # seat seat0 xcursor_theme $gtk_cursor_theme $cursor_size
+      exec_always --no-startup-id
+      {
+        #swaymsg output $pri bg $bg fill #000000
+      	#swaymsg output $sec bg $bg fill #000000
+      	gsettings set org.gnome.desktop.interface font-name '$gtk_font_name $gtk_font_size'
+      	gsettings set org.gnome.desktop.wm.preferences button-layout 'icon:close'
+      	gsettings set org.gnome.desktop.peripherals.touchpad tap-to-click true
+      	gsettings set org.gtk.Settings.FileChooser window-size '(1100,700)'
+
+      	pgrep mako && pkill mako
+        # pgrep kanshi && pkill kanshi
+      	pgrep swayrd && pkill swayrd
+      	pgrep swayidle && pkill swayidle
+        pgrep avizo && pkill avizo
+        pgrep nm-applet && pkill nm-applet
+
+        mako
+        # kanshi
+      	env RUST_BACKTRACE=1 swayrd > /tmp/swayrd.log 2>&1
+      		# timeout 545 'pgrep -u $(id -u) swaylock || notify-send -t 20000 -r 344334 -u critical "Idle timeout" "Screen is locking soon"' \
+
+      	swayidle -w \
+      		timeout 545 'pgrep swaylock || notify-send -t 18000 -u normal "Idle timeout" "Screen is locking soon"' \
+      		timeout 600 "$lock" \
+      		timeout 15 'pgrep swaylock && swaymsg "output * power off"' \
+      		resume 'swaymsg "output * power on"' \
+      		before-sleep "pgrep swaylock || $lock"
+        avizo-service
+
+        # TODO(me):
+        # 	https://github.com/slgobinath/SafeEyes
+        nm-applet --indicator
+        # lxpolkit
+      }
+
+      exec nm-applet --indicator
+
+      # hide mouse after 5 seconds inactivity
+      seat * hide_cursor 5000
+
+      bindgesture swipe:right workspace prev
+      bindgesture swipe:left workspace next
+
+      # Allow container movements by pinching them
+      bindgesture pinch:inward+up move up
+      bindgesture pinch:inward+down move down
+      bindgesture pinch:inward+left move left
+      bindgesture pinch:inward+right move right
+
+      bindswitch --reload --locked lid:on exec --no-startup-id $(swaymsg output $laptop_screen disable && kanshictl reload)
+      bindswitch --reload --locked lid:off exec --no-startup-id $(swaymsg output $laptop_screen enable && kanshictl reload)
+
+      exec --no-startup-id swaymsg focus output $pri
+
+      #--- Window Decorations
+      set
+      {
+      	$nofocus	#202020
+      	$focus		#202020
+      	$titletxt	#FFFFE8
+      	$titlepad	10 center #000000
+      	$gaps_change	20
+      }
+      #--- Notifications
+      set
+      {
+      	$n_anchor	top-center
+      	$n_layer	overlay
+      	$n_dim		600
+      	$n_margin	20
+      	$n_padding	10
+      	$n_border	3
+      	$n_bg		#202020
+      	$n_fg		#FFFFE8
+      }
+
+      bindsym
+      {
+        ctrl+alt+l exec --no-startup-id $lock
+        $mod+grave exec $lock
+
+        --no-warn $mod+Return exec $term
+        --no-warn $mod+t exec $term
+      	$mod+ctrl+Shift+t exec qterminal
+        --no-warn $mod+Shift+q kill
+      	alt+Shift+F1 exec $menu
+      	alt+F1 exec $albert
+      	alt+F2 exec $bemenu
+      	alt+F3 exec $othermenu
+      	alt+Shift+F2 exec $nutermmenu
+      	$mod+ctrl+k exec QT_AUTO_SCREEN_SCALE_FACTOR=0 QT_QPA_PLATFORMTHEME=wayland keepassxc
+      }
+
+      include ${./sway-inputs.sway}
+
+      focus_follows_mouse yes
+      focus_wrapping false
+      popup_during_fullscreen smart
+
+
+      for_window [app_id="^launcher$"] floating enable, border none, resize set width 25 ppt height 100 ppt, move position 0 px 0 px
+
+      #--- Floating Windows ------------------------------------------------------
+      for_window [window_role="pop-up"] floating enable
+      for_window [window_role="pop-up"]	floating enable; border normal $border
+      for_window [class="pop-up"]		floating enable; border normal $border
+      for_window [window_role="bubble"] floating enable
+      for_window [window_role="task_dialog"] floating enable
+      for_window [window_role="task_dialog"]	floating enable; border normal $border
+      for_window [window_role="Preferences"] floating enable
+      for_window [window_role = "dialog"] floating enable
+      for_window [window_type="dialog"] floating enable
+      for_window [window_role = "task_dialog"] floating enable
+      for_window [window_type="menu"] floating enable
+      for_window [app_id = "floating"] floating enable
+      for_window [app_id = "floating_update"] floating enable, resize set width 1000px height 600px
+      for_window [class = "(?i)pinentry"] floating enable
+      for_window [window_role="About"] floating enable
+      for_window [title = "About Mozilla Firefox"] floating enable
+      for_window [instance="Farge"] floating enable
+      for_window [title = ".*kdbx - KeePass"] floating enable, resize set 1276px 814pxofor_window [app_id = "virt-manager"] floating enable
+      for_window [app_id = "xfce-polkit"] floating enable
+
+      for_window [app_id = "keepassxc"] floating enable, resize set 1276px 814px
+
+      for_window [title = "^Open File$"] floating enable
+      for_window [app_id = "avizo-service"] border pixel 0, sticky toggle
+      no_focus [app_id="avizo-service"]
+      for_window [window_role = "GtkFileChooserDialog"] resize set 590 340
+      for_window [window_role = "GtkFiileChooserDialog"] move position center
+
+      for_window [title="Save File"] floating enable
+      for_window [app_id="wdisplays"] floating enable
+      for_window [app_id="floating_shell_portrait"] floating enable, border pixel 1, sticky enable, resize set width 30 ppt height 40 ppt
+      for_window [app_id="floating_shell"] floating enable, border pixel 1, sticky enable
+      for_window [app_id = "qt5ct"] floating enable
+      for_window [app_id = "gnome-tweaks"] floating enable
+      for_window [class = "Bluetooth-sendto" instance = "bluetooth-sendto"] floating enable
+      for_window [window_role = "Preferences"] floating enable
+      for_window [app_id="(?i)(?:blueman-manager|azote|gnome-disks|nwg-shell-config)"] floating enable
+      for_window [app_id="(?i)(?:pavucontrol|nm-connection-editor|gsimplecal|galculator)"] floating enable
+      for_window [class="MEGAsync"]		floating enable; border pixel 0
+      for_window [title=".*JetBrains.*"]	floating enable; border pixel 1
+      for_window [class="matplotlib"]		floating enable; border normal $border
+      for_window [class="dosbox"]		floating enable; border normal $border
+      for_window [app_id = "nm-openconnect-auth-dialog"] floating enable
+      for_window [app_id="nm-connection-editor"]
+      {
+      	floating enable
+      	resize set width  882px
+      	resize set height 600px
+      }
+      #for_window [app_id="pavucontrol"]
+      #{
+      #	floating enable
+      #	resize set width  882px
+      #	resize set height 600px
+      #}
+      # for_window [app_id="ulauncher"]		border none
+
+      # Scratchpad terminal
+      for_window [title="(?i)$criteria"] floating enable, move absolute position 1500px 300px, resize set 1200px 700px, move to scratchpad, mark $criteria
+
+      # Waybar Tooltips don't steel focus
+      no_focus [app_id="waybar"]
+      for_window [app_id="waybar" floating] {
+          move position cursor
+          move down 60px # adjust if some menus still don't fit
+      }
+
+      #--- Applications with CSD -------------------------------------------------
+      for_window [app_id="glade"]		border pixel 2
+      for_window [app_id="baobab"]		border pixel 2
+      for_window [title=".*eston.*"]		border pixel 0
+      for_window [app_id="wdisplays"]		border pixel 0
+      for_window [app_id="gnome-.*"]		border pixel 1
+      for_window [app_id="qterminal"]		border pixel 2
+      for_window [app_id="xterm"]		border pixel 2
+      for_window [title=".*Brave.*"]		border pixel 1 inhibit_idle fullscreen
+      for_window [title=".*Firefox.*"]	border pixel 2 inhibit_idle fullscreen
+      for_window [title="Firefox.*"]	border pixel 2 inhibit_idle fullscreen
+      for_window [app_id="firefox"]	border pixel 2 inhibit_idle fullscreen
+      # for_window [title=".*Firefox.*"]	border none inhibit_idle fullscreen
+      # for_window [app_id="firefox"]	border none inhibit_idle fullscreen
+      for_window [class="Firefox"]	border pixel 2 inhibit_idle fullscreen
+      for_window [class="swayfox"]	border pixel 2 inhibit_idle fullscreen
+      for_window [class="vlc"]		border pixel 2 inhibit_idle visible fullscreen
+      for_window [app_id="vlc"]		border pixel 2 inhibit_idle visible fullscreen
+      for_window [title=".*VLC*."]		border pixel 2 inhibit_idle visible fullscreen
+      for_window [title="VLC*."]		border pixel 2 inhibit_idle visible fullscreen
+
+      # prevent screen locking if any app is fullscreen.
+      # matching per-class is tedious.
+      for_window [class=".*"] inhibit_idle fullscreen
+      for_window [app_id=".*"] inhibit_idle fullscreen
+
+      for_window [app_id="org.gnome.Nautilus"]		border pixel 1
+      for_window [app_id="dolphin"]		border pixel 1
+      # for_window [app_id="kitty"]		border pixel 1
+      for_window [app_id="kitty"]		border pixel 2
+
+
+      # for_window [title="^video0 - mpv$"] floating enable, sticky enable, resize set height 260 px, move absolute position 0 px 820 px, border none
+      for_window [title="^video0 - mpv$"] floating enable, sticky enable, resize set height 130 px, border none
+      for_window [title="Firefox Developer Edition — Sharing Indicator$"] floating enable, resize set height 16 px, border none
+      for_window [title="Picture-in-Picture"] floating enable
+
+      #--- Xtk Applications ------------------------------------------------------
+      for_window [title="xclock"]		floating enable
+      for_window [title="Calculator"]		floating enable
+
+      assign [app_id="telegram"] C
+      assign [class="Signal"] C
+      assign [title="Ferdi"] C
+      assign [title="Discord"] C
+      assign [class="Discord"] C
+      assign [class="vlc"] M
+
+
+      bindsym
+      {
+        Alt+Shift+e exec BEMOJI_PICKER_CMD="bemenu -n -l 10  -p 🔎 --fn 'Fira Code Retina 20" bemoji -c -n --private
+
+        # as per https://github.com/japhir/ArchConfigs/blob/master/swayconfig
+        # add the webcam screen for video recording
+        $mod+ctrl+Shift+a exec mpv --no-osc --demuxer-lavf-format=video4linux2 --demuxer-lavf-o-set=input_format=mjpeg av://v4l2:/dev/video0 || notify-send "failed to start webcam"
+
+      	# screenshot of all outputs
+      	print exec grim $(xdg-user-dir PICTURES)/screenshots/grim-$(date +'%Y-%m-%dT%H-%M-%S').png
+      	# screenshot of an area
+      	Shift+print exec grim -g "$(slurp)" - | wl-copy
+      	# screenshot of a window
+      	Control+print exec winprint.sh
+      	# colour picker / eyedropper
+      	Control+Shift+print exec grim -g "$(slurp -p)" -t ppm - | convert - -format '%[pixel:p{0,0}]' txt: | wl-copy
+      	$mod+c exec gnome-calculator
+      	# -w: Always open a new window for browsing specified URIs.
+      	$mod+n exec nautilus -w
+      	$mod+Shift+n exec nemo
+      	$mod+m exec QT_AUTO_SCREEN_SCALE_FACTOR=0 QT_QPA_PLATFORMTHEME=wayland vlc
+      	$mod+Shift+b exec brave-browser-beta --incognito $chromium_flags
+      	$mod+Shift+w exec MOZ_USE_XINPUT2=1 MOZ_ENABLE_WAYLAND=1 ~/Downloads/firefox-dev/firefox --class=swayfox --private-window
+      	$mod+Ctrl+Shift+w exec MOZ_USE_XINPUT2=1 MOZ_ENABLE_WAYLAND=1 systemctl --user start ff_nn
+      	$mod+Shift+g exec MOZ_USE_XINPUT2=1 MOZ_ENABLE_WAYLAND=1 firefox --class=swayfox --private-window
+      }
+
+
+      #
+      # Borders
+      #
+      bindsym --to-code
+      {
+      	$mod+ctrl+semicolon border toggle
+      }
+
+      #
+      # Gaps
+      #
+      bindsym --to-code
+      {
+      	# $mod+ctrl+minus gaps inner 2px
+      	# $mod+ctrl+equal gaps inner 2px
+      	$mod+z       gaps outer current plus 5
+      	$mod+Shift+z gaps outer current minus 5
+      	$mod+x       gaps inner current plus 5
+      	$mod+Shift+x gaps inner current minus 5
+      }
+
+      # Notifications
+      bindsym Control+Space exec makoctl dismiss
+      bindsym Control+Shift+Space exec makoctl dismiss --all
+      bindsym Control+Alt+Space exec makoctl set-mode do-not-disturb
+      bindsym Control+Alt+Shift+Space exec makoctl set-mode default
+
+      #
+      # Moving around:
+      #
+      bindsym --no-warn
+      {
+      	# Move your focus around
+        $mod+$left focus left
+      	$mod+$down focus down
+      	$mod+$up focus up
+      	$mod+$right focus right
+      	# Or use $mod+[up|down|left|right]
+        $mod+Left focus left
+      	$mod+Down focus down
+      	$mod+Up focus up
+      	$mod+Right focus right
+
+      	# Move the focused window with the same, but add Shift
+        $mod+Shift+$left move left
+      	$mod+Shift+$down move down
+      	$mod+Shift+$up move up
+      	$mod+Shift+$right move right
+      	# Ditto, with arrow keys
+        $mod+Shift+Left move left
+      	$mod+Shift+Down move down
+      	$mod+Shift+Up move up
+      	$mod+Shift+Right move right
+
+        $mod+Shift+c move position center
+      }
+
+      bindsym --to-code
+      {
+      	$mod+Shift+comma  workspace prev_on_output
+      	$mod+Shift+period workspace next_on_output
+      	$mod+Shift+tab    workspace back_and_forth
+      	$mod+comma focus output left
+      	$mod+period focus output right
+      	$mod+F2 workspace C
+      	$mod+F3 workspace M
+      }
+
+      # Move focused container to workspace
+      bindsym --to-code
+      {
+      	$mod+Shift+F2 move container to workspace C
+      	$mod+Shift+F3 move container to workspace M
+      }
+
+      #
+      # Workspaces:
+      #
+      # Switch to workspace
+      bindsym --no-warn
+      {
+        $mod+1 workspace number 1
+        $mod+2 workspace number 2
+        $mod+3 workspace number 3
+        $mod+4 workspace number 4
+        $mod+5 workspace number 5
+        $mod+6 workspace number 6
+        $mod+7 workspace number 7
+        $mod+8 workspace number 8
+        $mod+9 workspace number 9
+        $mod+0 workspace number 10
+      }
+
+      # Move focused container to workspace
+      bindsym --no-warn
+      {
+        $mod+Shift+1 move container to workspace number 1
+        $mod+Shift+2 move container to workspace number 2
+        $mod+Shift+3 move container to workspace number 3
+        $mod+Shift+4 move container to workspace number 4
+        $mod+Shift+5 move container to workspace number 5
+        $mod+Shift+6 move container to workspace number 6
+        $mod+Shift+7 move container to workspace number 7
+        $mod+Shift+8 move container to workspace number 8
+        $mod+Shift+9 move container to workspace number 9
+        $mod+Shift+0 move container to workspace number 10
+      }
+
+      #
+      # Workspace-monitor assignments
+      #
+      workspace 0 output $pri
+      workspace 1 output $pri
+      workspace 2 output $pri
+      workspace 3 output $pri
+      workspace 4 output $pri
+      workspace 5 output $pri
+      workspace 6 output $pri
+      workspace 7 output $pri
+      workspace 8 output $pri
+      workspace 9 output $pri
+      workspace C output $pri
+      workspace M output $pri
+      workspace 10 output $sec
+      workspace 11 output $sec
+      workspace 12 output $sec
+      workspace 13 output $sec
+      workspace 14 output $sec
+      workspace 15 output $sec
+      workspace 16 output $sec
+      workspace 17 output $sec
+      workspace 18 output $sec
+      workspace 19 output $sec
+      workspace 20 output $ter
+      workspace 21 output $ter
+      workspace 22 output $ter
+      workspace 23 output $ter
+      workspace 24 output $ter
+      workspace 25 output $ter
+      workspace 26 output $ter
+      workspace 27 output $ter
+      workspace 28 output $ter
+      workspace 29 output $ter
+
+      #
+      # Layout stuff:
+      #
+      bindsym --no-warn
+      {
+      	# You can "split" the current object of your focus with
+      	# $mod+b or $mod+v, for horizontal and vertical splits
+      	# respectively.
+        $mod+b splith
+        $mod+v splitv
+
+      	# Switch the current container between different layout styles
+        $mod+s layout stacking
+        $mod+w layout tabbed
+        $mod+e layout toggle split
+
+      	# Make the current focus fullscreen
+        $mod+f fullscreen
+
+      	# for in-container fullscreen chromium
+      	# ref: https://www.reddit.com/r/i3wm/comments/egvj3k/chrome_tabs_not_visible_in_full_screen_mode/fdeps34/
+      	$mod+Shift+f split v; focus parent; fullscreen toggle; focus child
+
+      	# Toggle the current focus between tiling and floating mode
+      	#bindsym $mod+Shift+space floating toggle
+      	$mod+Shift+d floating toggle
+
+      	# Swap focus between the tiling area and the floating area
+      	#bindsym $mod+space focus mode_toggle
+      	$mod+d focus mode_toggle
+
+      	# Move focus to the parent container
+      	$mod+a focus parent
+
+      	# focus the child container
+      	$mod+alt+a focus child
+      }
+
+      #
+      # Scratchpad:
+      #
+      	# Sway has a "scratchpad", which is a bag of holding for windows.
+      	# You can send windows there and get them back later.
+
+      bindsym --to-code
+      {
+      	# Move the currently focused window to the scratchpad
+      	$mod+Shift+minus move scratchpad
+
+      	# Show the next scratchpad window or hide the focused scratchpad window.
+      	# If there are multiple scratchpad windows, this command cycles through them.
+      	$mod+minus scratchpad show
+      }
+
+      #
+      # Resizing containers:
+      #
+      mode "resize"
+      {
+      	# left will shrink the containers width
+      	# right will grow the containers width
+      	# up will shrink the containers height
+      	# down will grow the containers height
+      	bindsym --no-warn
+      	{
+      	$left resize shrink width 10px
+      	$down resize grow height 10px
+      	$up resize shrink height 10px
+      	$right resize grow width 10px
+
+      	# Ditto, with arrow keys
+      	Left resize shrink width 10px
+      	Down resize grow height 10px
+      	Up resize shrink height 10px
+      	Right resize grow width 10px
+
+      	# Return to default mode
+      	Return mode "default"
+      	Escape mode "default"
+      	$mod+r mode "default"
+      	}
+      }
+      bindsym --no-warn $mod+r mode "resize"
+      bindsym $mod+Shift+r --no-warn reload; exec kanshictl reload
+
+      # kudos to github.com/rbnis for the following menu-like section inspiration
+      # https://github.com/rbnis/dotfiles/blob/dfd6f956f6d00a1012a3a167d947773095dac7fd/.config/sway/config#L228-L235
+      set $mode_sys System: (l) lock, (e) logout, (s) suspend, (r) reboot, (S) shutdown, (⏎,␛) return
+      mode "$mode_sys" {
+      	bindsym {
+      		l exec --no-startup-id $lock, mode "default"
+      		e exit
+      		s exec --no-startup-id systemctl suspend -i, mode "default"
+      		r exec --no-startup-id systemctl reboot, mode "default"
+      		Shift+s exec --no-startup-id systemctl poweroff -i, mode "default"
+      		# return to default mode
+      		Return mode "default"
+      		Escape mode "default"
+      		$mod+Shift+e mode "default"
+      	}
+      }
+      bindsym --no-warn $mod+Shift+e mode "$mode_sys"
+
+      bindsym XF86Sleep exec "systemctl suspend -i"
+
+      #
+      # media keys
+      #
+      bindsym
+      {
+        # depends on avizo-service
+      	--locked XF86AudioRaiseVolume exec volumectl -u up
+      	--locked XF86AudioLowerVolume exec volumectl -u down
+      	--locked XF86AudioMute exec volumectl toggle-mute
+      	--locked XF86AudioMicMute exec volumectl -m toggle-mute
+      	--locked XF86MonBrightnessUp exec lightctl up
+      	--locked XF86MonBrightnessDown exec lightctl down
+
+        ### --locked XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%
+      	### --locked XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%
+      	### --locked XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle;exec notify-send -t3600 'audio muted'
+      	### --locked XF86AudioMicMute exec pactl set-source-mute @DEFAULT_SOURCE@ toggle;exec notify-send -t 3600 'mic mute toggle'
+      	### --locked XF86MonBrightnessUp exec light -A 5
+      	### --locked XF86MonBrightnessDown exec light -U 5
+
+      	--locked $mod+Ctrl+p exec playerctl play-pause
+      	--locked $mod+Ctrl+n exec playerctl next
+      	--locked $mod+Ctrl+Shift+n exec playerctl previous
+      	--locked XF86AudioPlay exec playerctl play-pause
+      	--locked XF86AudioNext exec playerctl next
+      	--locked XF86AudioPrev exec playerctl previous
+
+      	# --locked XF86AudioMute exec amixer set Master toggle
+      	# --locked XF86AudioMicMute exec amixer set Capture toggle;exec notify-send -t 3600 'mic mute toggle'
+      	# --locked XF86AudioMicMute exec ydotool key 248:1 248:0;exec notify-send -t 3600 'mic mute toggle'
+      }
+
+      include ${./dracula.sway}
+    '';
+  };
+}

nix/hosts/t14/modules/podman.nix

@@ -0,0 +1,27 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  virtualisation = {
+    containers.storage.settings = {
+      # configure for zfs.
+      storage = {
+        driver = "zfs";
+        graphroot = "/var/lib/containers/storage";
+        runroot = "/run/containers/storage";
+      };
+    };
+
+    ## setup podman.
+    podman = {
+      enable = true;
+      dockerCompat = true;
+      defaultNetwork.settings.dns_enable = true;
+    };
+    oci-containers = {
+      ## use podman as the default container engine.
+      backend = "podman";
+    };
+  };
+}

nix/hosts/t14/secrets.yaml

@@ -0,0 +1,41 @@
+rootPassphrase: ENC[AES256_GCM,data:tWktdXDtI6dbF1cZprTdajj1IW4U7tQG/fNBdqnFzTDkbVLHMuZbu4eeKpDUWD+ERg2hAKjWoMdmKJKoz63pCvka3/DozTc2WQ==,iv:LMFFdy/YPqfBPp36mGyQhoK17GblQzgn706/fhZtX8I=,tag:qqQuRs25eOtTw8yXJed5xw==,type:str]
+mkoPassphrase: ENC[AES256_GCM,data:HdpXH/xYlCcVTEKbd2InUBTfJTBaZK24sjlyZzLYZsdLW+dEN+cnP282iTSuaXKjqj/3TVs+nEdCRe41ymzcMyKPT56Pjb/J9g==,iv:PreIb/HsrRuCFuD4t14Y2JpjJ/kzyIOSgkdcHhzVldg=,tag:aJf1EBhll7LsIJZsOGmIyw==,type:str]
+extraHosts: ENC[AES256_GCM,data:u7MKvqraIIFldVIO02fh1p7Ok3nYsATwscxG3F2lLOmmuiXa5H7pn8K4d7ZhGnHEdy8XpHC/VbFIWBperXeYuWoWtL2ggV0pLFJ3SOjJwW21jnIQMY4633fZ6WdFjeXG6rW2qNAEm1Rrnb7g/SQnFMYN/VY1STIuM+/btEwxvuxOvYSP95O5g0xkgjZE/w2HZPAQYbZH0OVL9m0AJvY3PGm0jibeBS/O6K1WWByl/0A0McCUgqpbkM7338yBYSo691FsndLcAvicc3aCVZWMc/vAtmiwmE2dezE0gDz6rXLKC4lF1EdbMaHw9y9bMXMedwt0Ujj2ytAkC8mkVORdwoYpYDz4PR/n4IV1KZCAPdZHPoE40XK+whC2ZAx9LFE5b0NVUo64cU+nX6yqDA4B2nqNoprCLaHrJajEyIqdGYOlXqHV7tsxnWqzhSYptl78qHLf0e26H3Sh2csWTCi1xpQg1p4bP5gcZqC10xoe5jWmhFbHhdaXxNowX15Oqw4PBez3wFtBxXCkIkXktjfNJ3vG5yoIiPzqoQbECQW7B4zAEpGxTw==,iv:0uVhgydgeDaJNgd/e4Uq1pku39QF/NugZ87NdfP9DWs=,tag:EGEMuOElqMNjVk/S9qwy6A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWUpMT3BLMzBGdUNPYWZL
+            N2JZbU1YVmZNVEFQRVNsSXdyRGU4YnMwbkh3CncvSmZaQnh4VFkzS2ZOYUpOd3hD
+            VVkwbmNTSVdHd3VaT2toZXJsS2lSV28KLS0tIDJYT25keE80di81UENFQXdRc20w
+            Rm9NaEViOTNyU3dXQXRJL09yUDNKRWsKXNhKsu7BpMrugmp9efOcmE3J4kW5hAw1
+            MRwrflbmB0566Y2A3RGqoL7sdbn0KMJ9uxswrbsdXWKKMrZCg+kuVQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RjNMRk85SXVncWdPdU9L
+            RytmTVphUGJIcnl1QUVnM3N5QlVqc3V4Q2xFCjRlVVg1Zk5RRlU3K0g0cHZtdUYr
+            Q1cvUTJRZWlvSzlxSmNTOGdMb3VzOTQKLS0tIFVrcDhDZ1NXWEFxbGl3TDloYW10
+            RmR5UXp2ZnlaQmg0d21JMEJDcU5YdW8K75Jkr3h+FhUeCYFlIi07UHJ751iphGJo
+            EfzCe6O6Hw5mtNYRdTELRVT/nzlgtKD3S6KQLX/cgJqyoUo1mqeWeA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qnyrhen4ynpa6t0ljgjnhz5zpf0ennzt4ezskeq78nsnpvlyh5ws6ergnx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZGZtVklXS09NekRiNERV
+            WjBzKzJIZWl5SS8yK3VpRnhsL2Vnc1F4RHpJClQvUFkrSy96WHBWaXMyUWZWSUxv
+            U1NGTlU3SkhzV0phYkpjM3ZkV3I1YXcKLS0tIHJKcTFKKzc4SFBZZFJMZ0FZMjZz
+            SCtsL3UwYVBXaFVrZXNKK1Rnd3ZvVm8K//8USwJzMcO5GALB0ZtMporm3FP6FKS5
+            Y8a+Io9NYL5LovhX0O/0PUJaxI0Banw5SCOlyfa2Vg2czGsMQ9bqLQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-08T22:41:05Z"
+    mac: ENC[AES256_GCM,data:0RbS0a4EKhqrcy4qgGEqLNxlpPjD2RW1Mnrwz2dTHgPX5vBZ26dNShJQVIikrNwK246kOc7G0dKWAMQKTs6WI/kGiIGzsECDhFYLxH/CXe7d7PS5o7TsQ/gJUjTz6i3O1LtY9ew1PCCausZ+ej+Whalu6eYCx/XNk6q3TSsS1Lw=,iv:TrOi4MFvPXOHpEZXjYd/hTfutf4+qvReJrrKqNGawcs=,tag:Cu+DrwUgtM4cbV1teOJ+xw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

nix/modules/zsh-aliases.zsh

@@ -0,0 +1,37 @@
+alias ls='eza -al --group --group-directories-first'
+alias am='sudo -i'
+alias mv='mv -i'
+alias cp='cp -i'
+alias ln='ln -i'
+alias free='free -m -l -t'
+alias c='clear'
+alias hs='history | grep -i'
+alias neofetch='neofetch --disable "theme" "icons" packages de hostname cpu gpu resolution title'
+alias wget='wget -c' # allows to restore progress after interruption
+alias zshist="vim ~/.zsh_history"
+alias agentssh="ssh-add ~/.ssh/$kee"
+alias rsync-copy='rsync -avz --progress -h'
+alias rsync-move='rsync -avz --progress -h --remove-source-files'
+alias rsync-synchronize='rsync -avzu --delete --progress -h'
+alias rsync-update='rsync -avzu --progress -h'
+alias tmpdir='nutmp=$(mktemp -d);cd "$nutmp";unset nutmp'
+alias ta='tmux a -t0'
+alias tmux='TERM=xterm-256color tmux'
+alias urlencode='python2 -c "import urllib, sys; print urllib.quote_plus(  sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()[0:-1], \"\")"'
+alias urldecode='python2 -c "import urllib, sys; print urllib.unquote_plus(sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()[0:-1])"'
+alias diff="diff -Naru --color"
+alias ip='ip -color'
+alias nmcs='nmcli conn show'
+alias keyz='ssh-add -l'
+alias gitagain='GIT_COMMITTER_DATE="$(git show -s --format=%ci HEAD)" git commit -v --amend'
+[ -z "$IN_NIX_SHELL" ] && {
+	if command -v nixGLIntel &> /dev/null; then
+		alias gor='nixGLIntel go run'
+	fi
+}
+alias signal-desktop='signal-desktop --use-tray-icon --enable-features=UseOzonePlatform --ozone-platform=wayland'
+alias dotfiles="cd $dfHome"
+alias -g VV=' |& vim -'
+alias -g LL=' |& less'
+alias normalise-unicode="python -c \"import unicodedata; import sys; arg=sys.argv[1]; print(unicodedata.normalize('NFKD', arg))\""
+alias attic='nix run github:zhaofengli/attic'

nix/modules/zsh.nix

@@ -1,13 +1,16 @@
-{pkgs, ...}: {
-  users.defaultUserShell = pkgs.zsh;
+{pkgs, ...}: let
+  shellInit = ''
+    ZSH="$HOME/.oh-my-zsh"
+    ZSH_CACHE_DIR="$ZSH/cache"
+    ZSH_COMPDUMP="~/.zcompdump"
+    ZSH_DISABLE_COMPFIX=true
 
-  programs.zsh.interactiveShellInit = ''
-        if [[ ! -f $HOME/.local/share/zinit/zinit.git/zinit.zsh ]]; then
-        print -P "%F{33} %F{220}Installing %F{33}ZDHARMA-CONTINUUM%F{220} Initiative Plugin Manager (%F{33}zdharma-continuum/zinit%F{220})…%f"
-        command mkdir -p "$HOME/.local/share/zinit" && command chmod g-rwX "$HOME/.local/share/zinit"
-        command git clone https://github.com/zdharma-continuum/zinit "$HOME/.local/share/zinit/zinit.git" && \
-            print -P "%F{33} %F{34}Installation successful.%f%b" || \
-            print -P "%F{160} The clone has failed.%f%b"
+    if [[ ! -f $HOME/.local/share/zinit/zinit.git/zinit.zsh ]]; then
+      print -P "%F{33} %F{220}Installing %F{33}ZDHARMA-CONTINUUM%F{220} Initiative Plugin Manager (%F{33}zdharma-continuum/zinit%F{220})…%f"
+      command mkdir -p "$HOME/.local/share/zinit" && command chmod g-rwX "$HOME/.local/share/zinit"
+      command git clone https://github.com/zdharma-continuum/zinit "$HOME/.local/share/zinit/zinit.git" && \
+        print -P "%F{33} %F{34}Installation successful.%f%b" || \
+        print -P "%F{160} The clone has failed.%f%b"
     fi
 
     source "$HOME/.local/share/zinit/zinit.git/zinit.zsh"
@@ -73,5 +76,41 @@
 
     # eval "$(starship init zsh)"
     # zinit load sindresorhus/pure
+
+    setopt emacs
+    # setopt autocd
+    setopt \
+      alwaystoend \
+      autocd
+
+    source ${./zsh-aliases.zsh}
+
+    export TERM='xterm-256color'
+
+    # make home-manager not manage the shell configuration
+    HMVARSFILE="$HOME/.nix-profile/etc/profile.d/hm-session-vars.sh"
+    if [ -f "$HMVARSFILE" ]; then . "$HMVARSFILE"; fi
+
+    PATH="$HOME/.cargo/bin:$HOME/go/bin:$PATH"
+
+    zstyle ':completion:*:*:*:*:descriptions' format '%F{green}-- %d --%f'
+    zstyle ':completion:*:*:*:*:corrections' format '%F{yellow}!- %d (errors: %e) -!%f'
+    zstyle ':completion:*:messages' format ' %F{purple} -- %d --%f'
+    zstyle ':completion:*:warnings' format ' %F{red}-- no matches found --%f'
+    # zstyle ':completion:*' group-name ""
+    zstyle ':completion:*:*:-command-:*:*' group-order alias builtins functions commands
+    # zstyle ':completion:*' file-list all
+    zstyle ':completion:*' squeeze-slashes true
+    zstyle ':completion:*:*:cp:*' file-sort modification
+    # This way the completion script does not have to parse Bazel's options
+    # repeatedly. The 'cache-path' directory in must be created manually.
+    zstyle ':completion:*' use-cache on
+    zstyle ':completion:*' cache-path $ZSH_CACHE_DIR
   '';
+in {
+  users.defaultUserShell = pkgs.zsh;
+
+  programs.zsh.interactiveShellInit = shellInit;
+  programs.zsh.loginShellInit = shellInit;
+  programs.zsh.shellInit = shellInit;
 }

nix/secrets/dnscrypt-proxy.yaml

@@ -1,4 +1,4 @@
-dnscrypt-proxy-forwardingRules: ENC[AES256_GCM,data:WpW6b333rUPBTjPbSp+RvSvPovgk9DUxD7EfpPuTBrBlzBULh2Z61mML7vbtqnJ0nL6jRH3AEhxQDhJ9IEMc0RvZcH/j3y/f5/dmioVEZG210us5/DWt1i+/U0BLfsUoN6w31F/7mvB13hTEeQ2wZICQjQB5AneiRnNxrCXtgk2axnVae/3jEDLrw+dI5ryC+8uUQQ4GVT7NQjWfQxhM6sSjjN/JxtBlrCsDtZd5YylfvzoCbHZ4F9vAIEUZh3Ac8W6l0B9WKeIgGn3phXkdcLlKQwzMUlF7j9e1tpTTtm2mXc92JW21yVUrr7KyuynriYi+wUPMxXZGUAsALFRZk1G+Lwj7syU4s479S2gLgXWt,iv:BnuBe4xA07hZ7GE/3Lt24I6dMhKnSYfFHvftFBtbI8k=,tag:1TKeJ4KEqaah3QrGDnCYEg==,type:str]
+dnscrypt-proxy-forwardingRules: ENC[AES256_GCM,data:E+nXxabEEYURb94zG1Zl1L5jYTfi+YCUVqeVzs8A0PEk4HLKD6KuRySQPAohLz20C4+L5BFHou3knS+ogiWtu8Rti6hOpdGKTbjmSTFbGIz/XylU7IjjKP6D/f9zftrWXkSi8p1hGm1h/zYyxO2H4LTL2IWTmLnFf3ETtn9ABOjZfG+aEezKfSD5c82U8wi0kNgaOY3UGAKjJzrHuj4IwTI8G95FDXasoNnduvQrtcV3EmjIXSNBcOSryihFcJCnN+n3Cras6eHe9t2GCs6bMjnV/9GH+tN6a1MdA+weuCS5VirwxNf3jzRV/ruMORluB0zyHYm3mKrZmPoxvHmMO4uLM22O4Aao+F06AjMZI5oW,iv:UGDcLqDeAix9ccUppzfWWq19A8ZOfOZRNo6P1X2e4Vc=,tag:agbeRgfOBKJv94D7IyfXmw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -8,50 +8,68 @@ sops:
         - recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VVNDcEs0RDNuSlJ2OFFy
-            NkNvdzBoUytWd2pRVEFMYnJ2Z3NHTEJRRG1JCkZYTTdnTGUrdnBFUjFpUDh4UldN
-            Y0RvRVN0OVFVZGNxaEQ1TjFGWG0rNTgKLS0tIE5EUTRsMUQwR2xHOFF4K2lncW1r
-            cWU5NFZSUFNrM3dzNENSOW1tOHdzVTQKMfH1pB0gLvvwYlB8GRONPEr5kpoxV0rB
-            fA/5kTdb1tWBvH1wNpAUomig5bGM4ncHzQjB1Qcqt1Zop5tEvfjlHw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Q25lWldWSUtjQXFEK25a
+            OUFTc2RzQjdBOEFKR1o2dlpZNGJVQ1ErUFJNCkZpYmNtazlMZjdvWGVqNHo4K2JU
+            NjhCQ2dJQUhtMVErSjdBdmxvMW5Qd0kKLS0tIEZtUmJqMmNTdlBJNzFCMWlNVFJ3
+            UXkwdzZnUk5kVFFIbGp1VUtTWlgraWcKnpGuhhKNijN9q3qgDC8jWTIcpMWBdGkR
+            iB4xYnYfy4zYdl9Pd0AggsqvxdJ9v0z/jLX5NnoSvaxG4mjp7qUgkg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MlljRU1Td2tFSCs5VmFF
-            dllGaDJKU2dFYUxJdWhEbmwxaUJRM3NadjNjCkxFZTBXb2M4ZjBtVlpTblNjRjhZ
-            K3NkZWc4bnVwSVNldHZuL3ZDb2FXWVEKLS0tIGRvV1N5cVFrL1hzZ2pQQ3JLNmtM
-            S01VMm14VUdPY3lqc0pha2pKTGkrTjQKCLW3LwUOFfP1VWK8MgwoHe8Py1HrvVGE
-            gWeLHFD1pR2NdSn0nDan7CcKL3+P2F1cFyqv8+Ff06ehXWB3gbm3Jw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL3RsdEpZL1U3ZHlyZW55
+            c2x1dU5LSVp1WGhWcnVrQjZFVmw2b2pnc1dFCktPOVpmaGJtalNDSDQzc1psdmJv
+            VGd5dFBiS0pwUUpuWXlOMzBhNkd5SEEKLS0tIGM4bjRSdmYwY3BrODMrYzJ5Y0JW
+            UytVaVRydVhlS0lwMVViN2ZxQnVBS2MKNq/kU2dxo4EcSiYU9NDS3oN83e3p8glA
+            Pyu4MM3hBos6i3x7ZQZMWufUT9KJZvktLJfQ4j+TkGD7BIqR1fCWQQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQ3pZNVhMZVBXeGcxeFUx
-            dElJV2hwM2RuZXVGVUVWMmhDVjNsdlAvb0RvCnFmSk1zRGJ2Ulh3NnJlSFZETUNT
-            TGJiS1dhOEFPSXZwVzNrNTV0UUpoamsKLS0tIHFLVk5Va2NTK2VlcjM5bnlYajhx
-            cEE4YjJOaVJ4bDFObXpXU093amhXM3MKHgm8DCwqqj+6yLFoNHFWGA1K45AWXzkp
-            XonJ+vWAQGIM4sVYvzCYSx6QaZk5PVnWq8NcPlzeWSelYtOTPkRiQg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eDhGdzlTK1JyMHZqTnJN
+            Q2pKYW5ObjlweWgvK1BrdVdzY1VMZ3BVRjJzCmVZUDEydEVuS1BrcVpwc3lNL0lQ
+            TDRkeGQ0elpqckZ4OWtmRGFPdjdQYVkKLS0tIE1hMFZENGM5am5qd1pKVHRkaGRn
+            UWpNdi9qN0dtSnRMKzYzK0NCa1RYM1EK8tpKAjHgi8mrCthcXjDpPfi9jVRaUPn7
+            hjDbEnkzE7M7kSlRCSKAoe5do1MBqqgr1FK3pJcejG3g9orZ2wPEuQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMFQ3ZTZtZjFCMnpCUk9R
-            bHdsZUwrcWZEczVBbFplWnJPVktOdjNJU0Y0CjJPZDlWcGFIQVVMUjJIcTMwSzl5
-            V0hESWtZcmZ2S1FmVUNnVnhTKzZaYW8KLS0tIDBnU2VkSHdGZGJlSEhNNE82a3NJ
-            WFZzSjZqRzFVcjU3SzBLOEQyWFJqcnMKEtXIPnCYJe2+d9MWLWLAxKWQF8uPMoM3
-            pPJlfzKarVfYJ+PxmTcH4+xbberEZDdrjikvZL6CluZBQuTHoOrdOA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRaFRkbWVTY3J3eU1HNzBy
+            SklmanMzdHUzbDZsKzl3bk1IdFI3d1FrWDBNCi9XOTR2QmE4blQ1YzBrTVdxellh
+            aHUzZm80SmpUcllGYm43dmFYcGppTGsKLS0tIENpT2QyWVpXZFFmbWUvMXlxYzk2
+            d080TFRha3JGVTI5dU13K042TWdhS1UKHyfnTeXNzunJJ4JXetKISA0I5XjJlq6h
+            UdU31BfwlZOHTaeun9bXzRiL93hQOdixCbq94h7L9D6271N/LvcpIg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1eFRuOGZPS2tDTElITDRm
-            UzFDbFVuUXVxbnhjWC9BNXZsNEtPblVXNW5nClNUTGRVVDljNzRjTEUzVUFvRW9a
-            Q1VOeTNYV2VrY2tLR1NaVG9CbjVrSXcKLS0tIEQ3MjhEQnNwV2RUYUJGL1UzKzln
-            aXNhWE9iWmdPZlJaWmd5MHVqYUlITkkK+mudBNg2DwXjFNP3RP5Xqw2bksK10B4P
-            MVDpC9Du2hOljpJlJ0R2AQL0oxixu/ts9eDG5ZtSdtGIJv7JJWJctg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLR09DZnZiT1Vpdmh6bFQ4
+            TjYrSDJJR25WTXM0SEhoUWx3S2pxUVc1VDBnCjI4ZkdJb28rM2QwYitVZWdxeVV0
+            VWc3elFpNFBjSlRWL0s0aERhR0VUVzgKLS0tIFhEOUVxNUhhQ2tYeFJuZThTa0pR
+            RVhLRnpHemVYeUFOZnhjSlRQNTdUbGsKkhmBKb5x3YHM4TiuZRtxYHd/IYdDkAcb
+            w23lLGKXZ+fdJUn6nYOPdnV89KRC6mkJsoWDVlS06tAFWIw8zgzJQw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-11T20:43:18Z"
-    mac: ENC[AES256_GCM,data:lrcjh3u7yUl8tvmMQS8S0SM/OQ8DAv/ctGx9NYWj0UoIHyMpsWDu2qFEO6S7oeK0f8k9mxYEmopDcMUSWprYpeJ4fR8IFFjJXsHqD0QVktVCjivmURPiu24dkGge2yVGSySnL126OwdKd/8LAagd5wj1Tj7VhbgsDS4R6DMB9uo=,iv:bUCt4xLaas0zEYkQGh6MPhnZAx7Zp/0r+xhYyy0YGXs=,tag:CWmGA5smxj4QFqaQRJ+ivQ==,type:str]
+        - recipient: age1qnyrhen4ynpa6t0ljgjnhz5zpf0ennzt4ezskeq78nsnpvlyh5ws6ergnx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoT2xXTW1nc2g5KzB1VmtI
+            YzBidmhsamRnU0pKK3NTZFU3SEpGMUpSSVFjCnV4NEFmTjJTTzFPRmdlcUt0d0Fy
+            dXM5UXBTQjZ4cTRSWVZhQjk4c083ZmsKLS0tIHdRczJoRkhwaFJ4bjRpaWVsK2s0
+            TnUwa2dqSGRNN0ZXZ3I5ejhNRE1BcU0KVgIlp8QgIKeJVj0vQcHVTJSl4ye6mt5E
+            56Ff0hfdPO5j5P+NxnRuW9n6H8EXoNxmxjfQYhiI/H5BZEkwDqVQQQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yzlnedt49kd429jssj73v3yz5z7deyg82dq0gq86lp6dft4edg7qrcjs5v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubDJja1V2YW9LMmh2RHda
+            elR5ajJLY2VCU1pVMnRTNjRySit5MVJLVFFrCmZ1Mm5xazIzdjlYZ1U1U0tSQ0dp
+            a1oyQTlVSStqSi80aFR1MFRNSUI5YkkKLS0tIEowMVAydFlBRG51S0twVmNLcVdt
+            RGVKVlduNmV1eEIrbWVPQ0l3NndGK0kKrVEhQFkMSAsArRYCAe45rTtjuOkHgcFZ
+            Nzns/aAehpuXJhuY3w09sA1xDWcx1wKkvL3yGqIbJzF08oXC4+OTJQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-04T14:06:01Z"
+    mac: ENC[AES256_GCM,data:id3N5LbDVS7Aarz2PPCcSvx5ggmv+zn51Mvn0oNCjGhDzgg/GKlBpXi4Nz8a20p2XVb/ceOPbGQEWMtY1mF5KvrHEB+QLTMN5kq7reQ6RpWhnTZiNxFiD2/IROkUA+lvKXKdGFElydtjQ7lnK7oR2tuWRvVCjwktnPJoLHHIgKw=,iv:EGis0MNSeX1gOS9mu+oBfolNbR5AIx/Fwr2YaS8Ojzc=,tag:DezMtg0BCTb1jMTiY8FGCA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

nix/secrets/net.yaml

@@ -25,47 +25,65 @@ sops:
         - recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWZsZkRKQTdwNzVBdmFK
-            dW9VMjVHOWNDdG5NMDNPTDRQZVNMOW04YnhjCjdtRWs3cW9DeldSQmZ3WStzYmNu
-            RVBxSFM3c3UyTFNRVUQ5bUl3OVlEaFEKLS0tIGdXakpGTmtTUFljTy9aRUlMSkZt
-            UDZ2MmNqN0JuSWJCNnJqN0hsSllFVGMKh+mXWPVPI9vaG+CjRefRn9VUvomMtnQQ
-            ZhTZ3g0Y3OXUPFNxQAvjCjsjqbLI1OA6OKO50w9m284YS95D4GPcYA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdTBUTmpLbEdFVHVWeHBY
+            OTBzYnJtU1ppQ3ZtZmlxMG5uQi9HMm16TG4wCndkNUJyeFpHYlM0TW85N1NaaEdi
+            dVlaeUJmSjJRM01rbDhja0dGcXZFOFUKLS0tICtzL3FFQzBCcWUzVU9RMG1YQjJG
+            M2txNGFrN0dSVVNoOWZJSURabHJBUVUKJhgzLV+lKoC7O5OoY2W6amACnh/TDS/F
+            jLudwV70yq5/f9aQAlt3O8NhGoz8SRl4hvdfTLea5xw3RclkcnY3lg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5NHg0TW42SjVqQ1k3QXhi
-            bVVPR045ZUxtNm1EMWxySGx3RVZHWUhnd1ZjCmRkdE4zcjdmOTlnMTE3WWppSTNx
-            eVdVejBIQWFBb245R3FwUVRrVWFFK0kKLS0tIHRVbTJ6NUg0YjVVNUg4c3gvUy9y
-            UFJGWjhIc0JZcUNtblRLNXA4S0hhUWMKYEkumg2XYVpG+lOEUIk8SKWw4yB52fkJ
-            FKF1YrLszQHpbFytu7rv1HR/EGpQ8FlEVnrcviDti3D6MQOXeswhvw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYW5xM0ZkcWplMHV3MG01
+            VXhWNGg1WlhUMkR0L1VOYndZL01SZmMyNVdjCklZUCt4WXpZZm5PUzVHOW04VDZU
+            dm9XNHRpZWhqemJtQVVEQTljQlk2TWcKLS0tIDlmQS9UWEpPUjc2cDl1bFVPMUZs
+            QllSSkd4M01zeUpwc0w3MEE4RGhxb0kKtZ21DBCVo2vt/gH18YGYR+eldaErmPXo
+            PpmzyL2k5oNHTSvs0Von5M8iAQpfGT+gMygkhpguNxXSb1CzRNS/kw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSVYyNW5nMUFIT0RvQVkw
-            dTZPcGFvWXFDZktYTW1KMWZUcHhBcUsraHdzClpOeTF0Q3hqTXZIUUk1QjhDbnVp
-            UkZtU0VaZWdWWU16cWJiVGJRTGZyQlkKLS0tIFoza1NhdkRBNjJTU0FVWVoveE9U
-            VXNTenJPeHJrb0JiSHBRWW1IT1lsMEUK1Pb2MM9E7MT3heXnRmf2U4VnsK775qBN
-            9E9MDygvbWMZnFyEq0t6Mk8jHRwyUHI1EMxD+m+KYPYDiLpdbFHBuQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlN29yeHBzcGJKS1lRcW82
+            dGw0RWNDYnZsY3BtU0JyWWF2Z1ROenNGR0F3CklQZlg3NUZkb2VmNDdSbUFrbDhS
+            VEU2eDd3QnptMlVYdUZjUVJCVDFIUGcKLS0tIDNDVklGK0hxcFJkRlZjOExYOFZr
+            RjFBUXRicmdYU2FiRkF6Y255Uzl4UmcKQtu6if/eISs69h/ue4Emq6GmRXQhVsVu
+            txrUnFodMYc4Eh2nRsX/LAVoGB0zuyQF+rC9Mkd6TlmExlfDFWwVXQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXM2Y5MGpKdHVsY1M1OHh1
-            cmVhOERlSzRVaS85RTVmYnVIK0ZvbkZqU3pBCmgyK2t5LzN3cGpjbXNwZmhBYkI4
-            Q29xZkxoWXpzdGwxZVVOWVRmWXhNNkUKLS0tIHFtOVFmTnFvMWtBWmh3U3ljRy9i
-            eVlqSDJSSTk1dEdhUFlheU80L1A1Zm8Kag8Xi/si2ezZtWXZDP0DHYYZ0zuSihD+
-            SNAXuZ1US31G4I18I65XmhabBE+HFNpD/9dZWSlfzRiLznRyTKBJWg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucmRSWk5LSjBmK09IUVhC
+            aEpLTmpSbjVlUnZvdnI0WmlDYVNDQnMyOVVzCnIxWmJQWkEvQ2VnTGViamZyTTFF
+            MXZObnFQWVFVNUVPU3RwaXVHdFJqbjgKLS0tIDZ0cnpnQWRhcXFOSE1xYkxGQTdO
+            S0JMZGdNa0hDNkhEQ05pWE1tYzFxWmMK0buhFpZKQbAlwdItkQVxRKOLfW+RHtwE
+            pGzx0UsWTivz9SGLTMlOFuSbwAuzhWUWCYUeRdSA2PovaRjNR3t3Gw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRFoyNmRwNVdwY0xIV0Nx
-            VXdVdVZTK2F3Vkk4MlA5ZXlnQXNIcXNEYVRrCkorSWZHeGxYK1M4VTF3cldmQnJl
-            aUpMUFJIV01jOEhucm81RkNEM3kySWMKLS0tIHNJQnJHbXE0N0JTYUZmSVpzaWhZ
-            RnV3QjNPQW8zUzZjRElYRy9OeXRvdHMKr3WmkO6RDi7cdRHS22E2uM0sgixS90jE
-            D1IHbrOUAmL7W1i4461SFzUEzfqv9IACtxwBSsTz9Z50MT9rB+FBJQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1c0syai9lV0RUYUROVzR3
+            SkZ1aHNWMGV4WTVYOHVoTFlMYmVpakFQR1ZRCk9HVktjcllYdnJrQVBqUnZoSndz
+            WnJCdWtEdjV2ZmxyQlE3RzdVa2xFSWMKLS0tIEZCMjlOS1huRjM5enFMUndsYjRU
+            REhIanFSS292M0RHUWorbDBjcHplQjgKsEI+Tdscu2hBcXrbf1xG8L34zp2HFYTd
+            PDHLCWL7Fu/JOhpodGsPmPAEUJ9JjeAxYyuFxv/F9VB92V5oUGOiJw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qnyrhen4ynpa6t0ljgjnhz5zpf0ennzt4ezskeq78nsnpvlyh5ws6ergnx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxY0g1UGUyMTJld0l2M3Zn
+            M0t3aXB1QytzdDdNOXI2OWw3WityR1JOOEc0CkVhT2pmU0F1ZDJLRHFWYWFwZEwv
+            elNOcDNuM2VMbmN0QnhlWGdrRGg0bmcKLS0tIFFra3RRaXltaG51VDlHbVg1VHpX
+            dE1pTThPUTduZlUzTDJhUU9IVXBlU2sKltHQZc7+KUtzjxWSXB7s5gkfoQy2b4lj
+            zzqUuciUKDtMAxjRkiTuk0uC+DQ0VAeBt71TMvCiog03eEuVc0iLKg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yzlnedt49kd429jssj73v3yz5z7deyg82dq0gq86lp6dft4edg7qrcjs5v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWS9EWVFzOExQTkxteFpT
+            b2owL0FYa3pNTHJZRDd2d2pldUlmdTlybG0wCi9wazRFN3J3TzFMRnpCb0JkSHRa
+            aHdSN0lHUWN0QWNOZzNobzhIaGViMkUKLS0tIDZTdjBiVXNwdWlUcHZOUnlQSWly
+            OWNleUQzY0EwTzVWcUlPTkNjNHpCUmMK7RCL1R/O+Hnb4f4oqkfFNH2vnaSaaE6G
+            uvv1ze9iBgy6e42bR/FXuq6F4ImocdGTJMAlrgSFm/Pq7bNVj7HbFg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-11-14T22:34:49Z"
     mac: ENC[AES256_GCM,data:Vh3Y0koRayFjHbvzqmjoGx+WGbuJZ9DqysY7juGvBNCtcsTlpuQz1+rZ3YglQ1oiP3l5pdHCOjUBNFk+TnOA2FJYggUvOzzUweQqmWNrg3jbjhnHpq0UyZO8UZ7sH8zYIqSRPc86H0uxyuhVDUe2Nrwa5+VxpJ2H5IYRcM61HWU=,iv:bxfppv2wqIaNcwi2pYNKIZk9G27itTpB5ovTpBXpHh8=,tag:X001tTdlTNE9gklbT7RjHg==,type:str]