improve a bit the monitor infrastructure for containers

This reverts commit 325f07bdd8.

README.md

@@ -33,4 +33,3 @@ My overlay is in here.
 ### assets
 
 assets, like scripts which I dont want to write in nix-lang.
-

flake.nix

@@ -1,46 +1,36 @@
 {
-
-  description = "my krops file";
-
   inputs = {
+
     secrets = {
-      url = "git+ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main";
+      url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main";
       flake = false;
     };
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
-    # colmena
-    # -------
-    colmena = {
-      url = "github:zhaofengli/colmena";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-legacy_2305.url = "github:nixos/nixpkgs/nixos-23.05";
+    nixpkgs-legacy_2211.url = "github:nixos/nixpkgs/nixos-22.11";
+    nixpkgs-legacy_2205.url = "github:nixos/nixpkgs/nixos-22.05";
+    nixpkgs-legacy_2105.url = "github:nixos/nixpkgs/nixos-21.05";
+    nixos-hardware.url = "github:nixos/nixos-hardware";
+
+    nixos-anywhere.url = "github:nix-community/nixos-anywhere";
+
+    home-manager = {
+      url = "github:nix-community/home-manager/release-23.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-legacy.url = "github:nixos/nixpkgs/nixos-22.05";
     polygon-art = {
       url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
     };
     sops-nix.url = "github:Mic92/sops-nix";
-    emacs-overlay = {
-      url = "github:nix-community/emacs-overlay";
-      flake = false;
-    };
     doom-emacs-nix = {
       url = "github:nix-community/nix-doom-emacs";
       inputs.nixpkgs.follows = "nixpkgs";
-      #inputs.emacs-overlay.follows = "emacs-overlay";
-    };
-    home-manager = {
-      url = "github:nix-community/home-manager/release-22.11";
-      inputs.nixpkgs.follows = "nixpkgs";
     };
     home-manager-utils = {
       url = "github:mrvandalo/home-manager-utils";
       inputs.home-manager.follows = "home-manager";
     };
-    cluster-module = {
-      url = "github:mrvandalo/module.cluster";
-      #url = "git+file:///home/palo/dev/nixos/module.cluster";
-    };
     nixpkgs-fmt = {
       url = "github:nix-community/nixpkgs-fmt";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -55,100 +45,180 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     private_assets = {
-      url = "git+ssh://gitea@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main";
-      flake = false;
+      #url = "git+file:///home/palo/dev/nixos/nixos-private-assets";
+      url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main";
+      flake = true;
     };
     retiolum = {
-      url = "github:krebs/retiolum";
-      flake = false;
+      url = "github:Mic92/retiolum";
+      #url = "git+file:///home/palo/dev/nixos/retiolum";
     };
+    srvos.url = "github:nix-community/srvos";
+    srvos_nixpkgs.follows = "srvos/nixpkgs";
     landingpage = {
       #url = "git+file:///home/palo/dev/landingpage";
       url = "github:mrVanDalo/landingpage";
     };
+    kmonad = {
+      url = "github:kmonad/kmonad?dir=nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    dns = {
+      url = "github:kirelagin/dns.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixinate.url = "github:matthewcroughan/nixinate";
+    stylix = {
+      #url = "github:danth/stylix?ref=35cab8eb76c1d3672b2b290a64f357847c30d090";
+      url = "github:danth/stylix/release-23.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+    smoke = {
+      url = github:SamirTalwar/smoke;
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    taskshell = {
+      url = "github:mrvandalo/taskshell";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    overviewer.url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/overviewer.git?ref=main";
   };
 
   outputs =
     { self
-    , cluster-module
-    , colmena
+    , disko
+    , dns
     , doom-emacs-nix
-    , emacs-overlay
     , grocy-scanner
     , home-manager
     , home-manager-utils
+    , kmonad
+    , landingpage
+    , nixinate
+    , nixos-anywhere
+    , nixos-hardware
     , nixpkgs
     , nixpkgs-fmt
+    , nixpkgs-legacy_2105
+    , nixpkgs-legacy_2205
+    , nixpkgs-legacy_2211
+    , nixpkgs-legacy_2305
     , nixpkgs-unstable
-    , nixpkgs-legacy
+    , overviewer
+    , permown
     , polygon-art
     , private_assets
-    , permown
-    , secrets
-    , sops-nix
     , retiolum
-    , landingpage
+    , secrets
+    , srvos
+    , srvos_nixpkgs
+    , smoke
+    , sops-nix
+    , stylix
+    , taskshell
     }:
     let
       system = "x86_64-linux";
-      pkgs = nixpkgs.legacyPackages.${system};
 
-      pullNetworkPasswords = pkgs.writers.writeBashBin "pull-network-passwords" ''
-        # collect all network configurations and save them in the store
-        sudo ls /etc/NetworkManager/system-connections \
-            | while read file
-            do
-            sudo cat "/etc/NetworkManager/system-connections/$file" \
-                | ${pkgs.pass}/bin/pass insert -m "krops/desktop_secrets/network-manager/system-connections/$file"
-            done
-      '';
-      pushNetworkPasswords = pkgs.writers.writeBashBin "push-network-passwords" ''
-        echo "push network passwords to $1"
-      '';
-    in
-    {
-      # colmena
-      devShell.${system} =
-        pkgs.mkShell {
-          buildInputs = [
-            colmena.packages.${system}.colmena
-            pushNetworkPasswords
-            pullNetworkPasswords
-            nixpkgs-fmt.defaultPackage.${system}
+      pkgs = nixpkgs.legacyPackages.${system};
+      inherit (nixpkgs) lib;
+
+
+      meta = { nixpackages ? nixpkgs }: rec {
+        system = "x86_64-linux";
+        pkgs = import nixpackages {
+          inherit system;
+          config.allowUnfree = true;
+          config.permittedInsecurePackages = [
+            "python-2.7.18.6"
+            "python-2.7.18.7"
+            "electron-24.8.6" # for bitwarden
+          ];
+
+          overlays = [
+            (_self: _super: {
+              unstable = import nixpkgs-unstable {
+                inherit system;
+                config.allowUnfree = true;
+              };
+              legacy_2211 = import nixpkgs-legacy_2211 { inherit system; };
+              legacy_2205 = import nixpkgs-legacy_2205 { inherit system; };
+              legacy_2105 = nixpkgs-legacy_2105 { inherit system; };
+              legacy_2305 = nixpkgs-legacy_2105 { inherit system; };
+              polygon-art = polygon-art.packages.${system};
+              landingpage = landingpage.packages.${system}.plain;
+              kmonad = kmonad.packages.${system}.kmonad;
+              tasksh = taskshell.packages.${system}.tasksh;
+              overviewer = overviewer.packages.${system}.overviewer;
+              smoke = smoke.packages.${system}.default;
+            })
+            (import ./nixos/pkgs)
+          ];
+        };
+        specialArgs = {
+          inherit private_assets;
+          assets = ./nixos/assets;
+        };
+      };
+
+      # todo : why redefine it?
+      # Mic92 means, is not needed anymore
+      nixosSystem = args:
+        (lib.makeOverridable lib.nixosSystem)
+          (lib.recursiveUpdate args {
+            modules =
+              args.modules
+              ++ [
+                {
+                  config.nixpkgs.pkgs = lib.mkDefault args.pkgs;
+                  config.nixpkgs.localSystem = lib.mkDefault args.pkgs.stdenv.hostPlatform;
+                }
+              ];
+          });
+
+      nixosConfigurationSetup =
+        { name
+        , host ? "${name}.private"
+        , modules
+        , nixpackages ? nixpkgs
+        }:
+        nixosSystem {
+          inherit (meta { nixpackages = nixpackages; }) system specialArgs pkgs;
+          modules = modules ++ defaultModules ++ [
+            {
+              _module.args.nixinate = {
+                host = host;
+                sshUser = "root";
+                buildOn = "remote"; # valid args are "local" or "remote"
+                substituteOnTarget = false; # if buildOn is "local" then it will substitute on the target, "-s"
+                #hermetic = false; # ??? don't know what this is
+                nixOptions = [ "--max-jobs 1" ];
+              };
+            }
+            {
+              imports = [
+                ./nixos/machines/${name}/configuration.nix
+                (sopsModule name)
+              ];
+            }
           ];
         };
 
-      colmena =
-        let
-          sopsModule = name: { lib, ... }: {
-            sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml";
-            imports = [
-              sops-nix.nixosModules.sops
-            ];
-          };
-        in
+      defaultModules = [
         {
-
-          meta = {
-            nixpkgs = import nixpkgs {
-              system = "x86_64-linux";
-              overlays = [
-                (_self: _super: {
-                  # we assign the overlay created before to the overlays of nixpkgs.
-                  unstable = nixpkgs-unstable.legacyPackages.${pkgs.system};
-                  legacy = nixpkgs-legacy.legacyPackages.${pkgs.system};
-                  polygon-art = polygon-art.packages.${pkgs.system};
-                  landingpage = landingpage.packages.${pkgs.system}.plain;
-                })
-              ];
-            };
-            specialArgs = {
-              inherit private_assets retiolum;
-            };
-          };
-
-          defaults = { name, pkgs, lib, ... }: {
-            deployment.buildOnTarget = lib.mkDefault true;
+          # todo : find out what this is?
+          # make flake inputs accessiable in NixOS
+          _module.args.self = self;
+          _module.args.inputs = self.inputs;
+        }
+        ({ pkgs, lib, ... }:
+          {
+            # todo : check if this is still needed
             nix = {
               # no channesl needed this way
               nixPath = [ "nixpkgs=${pkgs.path}" ];
@@ -158,101 +228,176 @@
                 experimental-features = nix-command flakes
               '';
             };
-            environment.systemPackages = [
-              nixpkgs-fmt.defaultPackage.${system}
-              colmena.packages.${system}.colmena
-            ];
-            imports = [
-              ./nixos/machines/${name}/configuration.nix
-              cluster-module.nixosModules.tinc
-              (sopsModule name)
-              home-manager.nixosModules.home-manager
-              permown.nixosModules.permown
-            ];
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-          };
+          })
+        { nix.settings.substituters = [ "https://cache.nixos.org/" ]; }
+        {
+          boot.tmp.useTmpfs = lib.mkDefault true;
+          environment.systemPackages = [ nixpkgs-fmt.defaultPackage.${system} ];
+          imports = [
+            permown.nixosModules.permown
+            disko.nixosModules.disko
+            kmonad.nixosModules.default
+            grocy-scanner.nixosModule
+          ];
+        }
+      ];
 
-          sterni = { name, nodes, pkgs, ... }: {
-            deployment.allowLocalDeployment = true;
-            deployment.targetHost = "${name}.private";
-            deployment.tags = [ "desktop" "online" "private" ];
-            imports = [
-              grocy-scanner.nixosModule
-            ];
-            home-manager.users.mainUser = {
-              imports = [
-                doom-emacs-nix.hmModule
-                home-manager-utils.hmModule
-              ];
-            };
+      homeManagerModules = { config, ... }: {
+        imports = [
+          home-manager.nixosModules.home-manager
+          stylix.nixosModules.stylix
+        ];
+        stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-light-medium.yaml";
+        stylix.image = ./nixos/assets/wallpaper.png;
+        stylix.fonts = {
+          serif = {
+            package = pkgs.ubuntu_font_family;
+            name = "Ubuntu";
           };
-
-          sternchen = { name, nodes, pkgs, ... }: {
-            deployment.targetHost = "${name}.secret";
-            deployment.tags = [ "desktop" ];
-            imports = [
-              grocy-scanner.nixosModule
-            ];
-            home-manager.users.mainUser = {
-              imports = [
-                doom-emacs-nix.hmModule
-                home-manager-utils.hmModule
-              ];
-              programs.doom-emacs.enable = false;
-            };
+          sansSerif = {
+            package = pkgs.ubuntu_font_family;
+            name = "Ubuntu";
           };
+          monospace = {
+            package = pkgs.jetbrains-mono;
+            name = "JetBrains Mono";
+          };
+          emoji = {
+            package = pkgs.noto-fonts-emoji;
+            name = "Noto Color Emoji";
+          };
+          sizes.popups = 15;
+        };
 
-          pepe = { name, nodes, pkgs, ... }: {
-            deployment.targetHost = "${name}.private";
-            deployment.tags = [ "server" "online" "private" ];
-            imports = [
-              grocy-scanner.nixosModule
+        home-manager.extraSpecialArgs = {
+          inherit private_assets;
+          assets = ./nixos/assets;
+        };
+        home-manager.useGlobalPkgs = true;
+        home-manager.useUserPackages = true;
+        home-manager.sharedModules = [
+          doom-emacs-nix.hmModule
+          home-manager-utils.hmModule
+          { stylix.targets.bemenu.enable = false; }
+        ];
+        home-manager.users.mainUser.home.stateVersion = "22.11";
+        home-manager.users.root.home.stateVersion = "22.11";
+      };
+
+      sopsModule = name: { lib, ... }: {
+        imports = [ sops-nix.nixosModules.sops ];
+        sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml";
+      };
+
+    in
+    {
+      devShells.${system}.default =
+        pkgs.mkShell {
+          buildInputs = [
+            nixpkgs-fmt.defaultPackage.${system}
+            nixos-anywhere.packages.${system}.nixos-anywhere
+          ];
+        };
+
+      apps = nixinate.nixinate.x86_64-linux self;
+
+      packages = with nixpkgs.lib; {
+        ${system} =
+          let
+            vms = mapAttrs'
+              (host: sys: {
+                name = "vm-${host}";
+                value = sys.config.system.build.vm;
+              })
+              self.nixosConfigurations;
+            sds = mapAttrs'
+              (host: sys: {
+                name = "sd-${host}";
+                value = sys.config.system.build.sdImage;
+              })
+              (filterAttrs
+                (n: hasAttrByPath [ "config" "system" "build" "sdImage" ])
+                self.nixosConfigurations);
+          in
+          vms // sds;
+      };
+
+      nixosConfigurations =
+        {
+          sternchen = nixosConfigurationSetup {
+            name = "sternchen";
+            host = "sternchen.secret";
+            #host = "192.168.178.25";
+            modules = [
+              nixos-hardware.nixosModules.lenovo-thinkpad-x220
+              homeManagerModules
             ];
           };
-
-          robi = { name, nodes, pkgs, ... }: {
-            deployment.targetHost = "${name}.private";
-            deployment.tags = [ "server" "online" "private" ];
-            imports = [
+          cream = nixosConfigurationSetup {
+            name = "cream";
+            modules = [
+              nixos-hardware.nixosModules.framework-12th-gen-intel
+              retiolum.nixosModules.retiolum
+              private_assets.nixosModules.cream
+              homeManagerModules
+              { home-manager.users.mainUser.gui.enable = true; }
+              {
+                home-manager.users.mainUser = import ./nixos/homes/palo;
+                home-manager.users.root = import ./nixos/homes/root;
+              }
             ];
           };
-
-          bobi = { name, nodes, pkgs, ... }: {
-            deployment.targetHost = "${name}.private";
-            deployment.buildOnTarget = false;
-            deployment.tags = [ "desktop" "usb" "private" ];
-            imports = [
-              grocy-scanner.nixosModule
+          cherry = nixosConfigurationSetup {
+            name = "cherry";
+            modules = [
+              nixos-hardware.nixosModules.framework-13th-gen-intel
+              homeManagerModules
+              { home-manager.users.mainUser.gui.enable = true; }
+              {
+                home-manager.users.mainUser = import ./nixos/homes/palo;
+                home-manager.users.root = import ./nixos/homes/root;
+              }
             ];
-            home-manager.users.mainUser = {
-              imports = [
-                doom-emacs-nix.hmModule
-                home-manager-utils.hmModule
-              ];
-            };
           };
-
-          mobi = { name, nodes, pkgs, ... }: {
-            deployment.targetHost = "${name}.private";
-            deployment.buildOnTarget = false;
-            deployment.tags = [ "desktop" "usb" "private" ];
-            imports = [
-              grocy-scanner.nixosModule
+          chungus = nixosConfigurationSetup {
+            name = "chungus";
+            modules = [
+              homeManagerModules
+              retiolum.nixosModules.retiolum
+              private_assets.nixosModules.chungus
+              {
+                home-manager.users.mainUser = import ./nixos/homes/palo;
+                home-manager.users.root = import ./nixos/homes/root;
+              }
+            ];
+          };
+          orbi = nixosConfigurationSetup {
+            name = "orbi";
+            host = "95.216.66.212";
+            modules = [
+              homeManagerModules
+              srvos.nixosModules.hardware-hetzner-online-intel
+              srvos.nixosModules.server
+              srvos.nixosModules.mixins-terminfo
+              { home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
+              {
+                home-manager.users.mainUser = import ./nixos/homes/palo;
+                home-manager.users.root = import ./nixos/homes/root;
+              }
+            ];
+          };
+          robi = nixosConfigurationSetup {
+            name = "robi";
+            modules = [
+              homeManagerModules
+              { home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
+              {
+                home-manager.users.mainUser = import ./nixos/homes/palo;
+                home-manager.users.root = import ./nixos/homes/root;
+              }
             ];
-            home-manager.users.mainUser = {
-              imports = [
-                doom-emacs-nix.hmModule
-                home-manager-utils.hmModule
-              ];
-            };
           };
         };
     };
 }
 
-
-
-
-
-

images/lib/remote-access.nix

@@ -18,7 +18,6 @@
     }
     {
       # installed packages
-      nixpkgs.config.allowUnfree = true;
       environment.systemPackages = with pkgs; [
         #style
         most

images/machine-init-configuration.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+
+      "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix"
+      (import ./disko-config.nix { })
+    ];
+
+  networking.hostName = "nixos";
+
+  boot.supportedFilesystems = [ "zfs" ];
+  # head -c4 /dev/urandom | od -A none -t x4
+  networking.hostId = "4750e4b8";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!)
+
+  networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    silver-searcher
+  ];
+
+  environment.extraInit = ''
+    # use vi shortcuts
+    # ----------------
+    set -o vi
+    EDITOR=vim
+  '';
+
+  services.openssh.enable = true;
+
+  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+
+
+}

images/remote-install/README.md

@@ -1,19 +1,18 @@
 # remote installation iso
 
-* `./config.nix` : to generate the installation image
-* `./remote-service.nix` : tor configuration you have to start on your machine.
-
+- `./config.nix` : to generate the installation image
+- `./remote-service.nix` : tor configuration you have to start on your machine.
 
 ## Steps
 
-* import `./remote-service.nix` in your `/etc/nixos/configuration.nix`
-* `nixos-rebuild switch`
-* run `remote-install-get-hiddenReceiver` and enter the result in `./config.nix` as `hiddenReceiver`
-* set the public key in `./config.nix`
-* run `nixos-generate -f install-iso -c ./config.nix`
-* prepare the usb stick : `sudo if=<path of the iso> of=/dev/<device> bs=4096`
-* boot the usb-stick at the new machine
-* run `remote-install-start-service`
-* after some time you will see a you can use to login to the new machine.
+- import `./remote-service.nix` in your `/etc/nixos/configuration.nix`
+- `nixos-rebuild switch`
+- run `remote-install-get-hiddenReceiver` and enter the result in `./config.nix` as `hiddenReceiver`
+- set the public key in `./config.nix`
+- run `nixos-generate -f install-iso -c ./config.nix`
+- prepare the usb stick : `sudo if=<path of the iso> of=/dev/<device> bs=4096`
+- boot the usb-stick at the new machine
+- run `remote-install-start-service`
+- after some time you will see a you can use to login to the new machine.
 
 Now you can do the normal installations procedure.

images/translate-setup/README.md

@@ -32,4 +32,3 @@ nix-shell -I nixpkgs=channel:nixos-unstable -p nixos-generators
 iptables -F # kill firewall
 python -m http.server 80 # nix-shell -p python3Full
 ```
-

images/translate-setup/config.nix

@@ -20,7 +20,6 @@
   '';
 
   networking.hostName = "translate";
-  nixpkgs.config.allowUnfree = true;
 
   programs.bash = {
     enableCompletion = true;

images/usb-init-configuration.nix

@@ -49,7 +49,7 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
+  system.stateVersion = "22.11"; # Did you read the comment?
 
 
 }

images/windows-rescue/README.md

@@ -2,12 +2,12 @@
 
 ## reset password
 
-* use `sfdisk -l` to list partitions
-* find the partition which holds `Windows/System32/config`
-* mount it `mkdir -p /media/sda2; mount /dev/sda2 /media/sda2`
-* `cd /media/sda2/Windows/System32/config`
-* list SAM database `chntpw -l SAM`
-* edit SAM database `chntpw -i SAM`
-* reboot
+- use `sfdisk -l` to list partitions
+- find the partition which holds `Windows/System32/config`
+- mount it `mkdir -p /media/sda2; mount /dev/sda2 /media/sda2`
+- `cd /media/sda2/Windows/System32/config`
+- list SAM database `chntpw -l SAM`
+- edit SAM database `chntpw -i SAM`
+- reboot
 
 more details [here](https://opensource.com/article/18/3/how-reset-windows-password-linux).

mqtt/.gitignore

@@ -1,2 +0,0 @@
-venv
-**/__pycache__

mqtt/fyrtur.py

@@ -1,147 +0,0 @@
-import time
-from enum import Enum
-from typing import Dict
-
-import paho.mqtt.client as mqtt
-import json
-import threading
-
-scene = "up-dark"
-
-
-class Position(Enum):
-    UP = 1
-    DOWN = 2
-    HALF = 3
-
-
-class Fyrtur:
-    def __init__(self, topic, top, bottom):
-        self.topic = topic
-        self.top = top
-        self.bottom = bottom
-        self.current_position = 100
-        self.wanted_position = 100
-
-    def update_position(self, payload):
-        self.current_position = payload["position"]
-
-    def needs_publish(self):
-        return self.wanted_position != self.current_position
-
-    def topic_and_payload_for_set(self):
-        payload = {"position": self.wanted_position}
-        return ("%s/set" % self.topic), json.dumps(payload)
-
-
-class FyrturWatcher:
-    def __init__(self, fyrturs: Dict[str, Fyrtur]):
-        self.fyrturs = fyrturs
-
-    def get_topics(self):
-        return [fyrtur.topic for fyrtur in self.fyrturs.values()]
-
-    def update_position(self, topic, payload):
-        for fyrtur in self.fyrturs.values():
-            if fyrtur.topic == topic:
-                fyrtur.update_position(payload)
-                return
-
-    def update(self, name, position: Position):
-        fyrtur: Fyrtur = self.fyrturs.get(name)
-        if position == Position.UP:
-            fyrtur.wanted_position = fyrtur.top
-        elif position == Position.DOWN:
-            fyrtur.wanted_position = fyrtur.bottom
-        elif position == Position.HALF:
-            fyrtur.wanted_position = round(
-                (fyrtur.top - fyrtur.bottom) / 2 + fyrtur.bottom
-            )
-
-    def publish(self, client):
-        for fyrtur in self.fyrturs.values():
-            if fyrtur.needs_publish():
-                topic, payload = fyrtur.topic_and_payload_for_set()
-                client.publish(topic, payload)
-                time.sleep(2)
-
-
-watcher = FyrturWatcher(
-    {
-        "office1": Fyrtur(topic="zigbee2mqtt/office_fyrtur_1", top=100, bottom=16),
-        "office2": Fyrtur(topic="zigbee2mqtt/office_fyrtur_2", top=100, bottom=22),
-        "bedroom": Fyrtur(topic="zigbee2mqtt/bedroom_fyrtur_1", top=100, bottom=16),
-    }
-)
-
-
-# The callback for when the client receives a CONNACK response from the server.
-def on_connect(client, _userdata, _flags, rc):
-    print("Connected with result code " + str(rc))
-
-    threading.Thread(target=loop_thread, args=(client,), daemon=True).start()
-
-    # Subscribing in on_connect() means that if we lose the connection and
-    # reconnect then subscriptions will be renewed.
-    client.subscribe("control/lights/set")
-    for topic in watcher.get_topics():
-        client.subscribe(topic)
-
-
-# The callback for when a PUBLISH message is received from the server.
-def on_message(client, _userdata, msg):
-    global scene
-    (topic, payload) = parse_message(msg)
-    if topic == "control/lights/set":
-        print("set scene %s -> %s" % (scene, payload["scene"]))
-        scene = payload["scene"]
-        update_scene(client)
-    else:
-        print("got %s" % topic)
-        watcher.update_position(topic, payload)
-
-
-def parse_message(msg):
-    m_decode = str(msg.payload.decode("utf-8", "ignore"))
-    payload = json.loads(m_decode)  # decode json data
-    return msg.topic, payload
-
-
-def update_scene(client):
-    if scene in ["night", "down"]:
-        watcher.update("office1", Position.DOWN)
-        watcher.update("office2", Position.DOWN)
-        watcher.update("bedroom", Position.DOWN)
-    elif scene in ["default", "up-bright", "up-dark", "outside"]:
-        watcher.update("office1", Position.UP)
-        watcher.update("office2", Position.UP)
-        watcher.update("bedroom", Position.UP)
-    elif scene in ["half"]:
-        watcher.update("office1", Position.HALF)
-        watcher.update("office2", Position.HALF)
-        watcher.update("bedroom", Position.HALF)
-    else:
-        watcher.update("office1", Position.UP)
-        watcher.update("office2", Position.UP)
-        watcher.update("bedroom", Position.UP)
-
-    watcher.publish(client)
-
-
-def loop_thread(client):
-    while True:
-        watcher.publish(client)
-        time.sleep(120)
-
-
-if __name__ == "__main__":
-    mqttClient = mqtt.Client()
-    mqttClient.on_connect = on_connect
-    mqttClient.on_message = on_message
-    mqttClient.username_pw_set("homeassistant", password="password")
-    mqttClient.connect("pepe.private", 1883, 60)
-    # Blocking call that processes network traffic, dispatches callbacks and
-    # handles reconnecting.
-    # Other loop*() functions are available that give a threaded interface and a
-    # manual interface.
-    mqttClient.loop_forever()

mqtt/heater.py

@@ -1,170 +0,0 @@
-import json
-import paho.mqtt.client as mqtt
-import threading
-import time
-from typing import Dict
-
-
-class Heater:
-    def __init__(self, topic):
-        self.not_initialized_yet = True
-        self.wanted_temperature = 14
-        self.actual_temperature = 14
-        self.topic = topic
-
-    def needs_publish(self):
-        if self.not_initialized_yet:
-            return True
-        else:
-            return self.wanted_temperature != self.actual_temperature
-
-    def update_actual_heating_point(self, payload):
-        heating_setpoint = int(payload["current_heating_setpoint"])
-        if self.not_initialized_yet:
-            self.not_initialized_yet = False
-            self.wanted_temperature = heating_setpoint
-            print(
-                "%s: update wanted temperature %d"
-                % (self.topic, self.actual_temperature)
-            )
-        self.actual_temperature = heating_setpoint
-        print(
-            "%s: update actual temperature %d" % (self.topic, self.actual_temperature)
-        )
-
-    def topic_and_payload_for_query(self):
-        payload = {
-            "current_heating_setpoint": "",
-            "occupied_heating_setpoint": "",
-            "unoccupied_heating_setpoint": "",
-            "local_temperature": "",
-            # "pi_heating_demand": "",
-            # "system_mode": "",
-        }
-        return ("%s/get" % self.topic), json.dumps(payload)
-
-    def topic_and_payload_for_set(self):
-        payload = {
-            "system_mode": "auto",
-            # "current_heating_setpoint": str(self.wanted_temperature),
-            "occupied_heating_setpoint": str(self.wanted_temperature),
-            "unoccupied_heating_setpoint": str(self.wanted_temperature),
-            "eurotronic_host_flags": {"window_open": True},
-        }
-        return ("%s/set" % self.topic), json.dumps(payload)
-
-
-class Watcher:
-    def __init__(self, heater: Dict[str, Heater]):
-        self.heater = heater
-
-    def publish(self, client):
-        for heater in self.heater.values():
-            if heater.needs_publish():
-                topic, payload = heater.topic_and_payload_for_set()
-                client.publish(topic, payload)
-                time.sleep(2)
-
-    def update(self, name, temperature):
-        heater: Heater = self.heater.get(name)
-        heater.wanted_temperature = temperature
-
-    def get_topics(self):
-        return [heater.topic for heater in self.heater.values()]
-
-    def update_actual_heating_point_for_topic(self, topic, payload):
-        for heater in self.heater.values():
-            if heater.topic == topic:
-                heater.update_actual_heating_point(payload)
-                return
-
-    def pull_values(self, client):
-        for heater in self.heater.values():
-            topic, payload = heater.topic_and_payload_for_query()
-            client.publish(topic, payload)
-
-
-scene = "default"
-
-watcher = Watcher(
-    {
-        "office1": Heater(topic="zigbee2mqtt/office_heater_1"),
-        "office2": Heater(topic="zigbee2mqtt/office_heater_2"),
-        "bedroom": Heater(topic="zigbee2mqtt/bedroom_heater_1"),
-        "storage": Heater(topic="zigbee2mqtt/storage_heater_1"),
-    }
-)
-
-
-# The callback for when the client receives a CONNACK response from the server.
-def on_connect(client, _userdata, _flags, rc):
-    print("Connected with result code " + str(rc))
-
-    threading.Thread(target=loop_thread, args=(client,), daemon=True).start()
-
-    # Subscribing in on_connect() means that if we lose the connection and
-    # reconnect then subscriptions will be renewed.
-    client.subscribe("control/lights/set")
-    for topic in watcher.get_topics():
-        client.subscribe(topic)
-    watcher.pull_values(client)
-
-
-# The callback for when a PUBLISH message is received from the server.
-def on_message(client, _userdata, msg):
-    global scene
-    (topic, payload) = parse_message(msg)
-    if topic == "control/lights/set":
-        print("set scene %s -> %s" % (scene, payload["scene"]))
-        scene = payload["scene"]
-        update_scene(client)
-    else:
-        print("got %s" % topic)
-        watcher.update_actual_heating_point_for_topic(topic, payload)
-
-
-def parse_message(msg):
-    m_decode = str(msg.payload.decode("utf-8", "ignore"))
-    payload = json.loads(m_decode)  # decode json data
-    return msg.topic, payload
-
-
-def update_scene(client):
-    if scene in ["night", "outside"]:
-        watcher.update("office1", 14)
-        watcher.update("office2", 14)
-        watcher.update("bedroom", 14)
-        watcher.update("storage", 14)
-    elif scene in ["default", "up-bright", "up-dark", "half", "down"]:
-        watcher.update("office1", 25)
-        watcher.update("office2", 25)
-        watcher.update("bedroom", 18)
-        watcher.update("storage", 18)
-    else:
-        watcher.update("office1", 14)
-        watcher.update("office2", 14)
-        watcher.update("bedroom", 14)
-        watcher.update("storage", 14)
-
-    watcher.publish(client)
-
-
-def loop_thread(client):
-    while True:
-        watcher.publish(client)
-        watcher.pull_values(client)
-        time.sleep(120)
-
-
-if __name__ == "__main__":
-    mqttClient = mqtt.Client()
-    mqttClient.on_connect = on_connect
-    mqttClient.on_message = on_message
-    mqttClient.username_pw_set("homeassistant", password="password")
-    mqttClient.connect("pepe.private", 1883, 60)
-
-    # Blocking call that processes network traffic, dispatches callbacks and
-    # handles reconnecting.
-    # Other loop*() functions are available that give a threaded interface and a
-    # manual interface.
-    mqttClient.loop_forever()

mqtt/requirements.txt

@@ -1 +0,0 @@
-paho-mqtt

mqtt/shell.nix

@@ -1,20 +0,0 @@
-{ pkgs ? import <nixpkgs> { } }:
-let
-
-  myPython = pkgs.python3.withPackages
-    (python-packages: with python-packages; [ paho-mqtt ]);
-
-  startServer = pkgs.writers.writeBashBin "start-server" ''
-    ${myPython}/bin/python ./heater.py
-  '';
-
-  reformat = pkgs.writers.writeBashBin "reformat" ''
-    ${pkgs.black}/bin/black --exclude venv ${toString ./.}
-  '';
-
-in
-pkgs.mkShell {
-
-  buildInputs = with pkgs; [ myPython startServer reformat ];
-
-}

nixos/assets/0001-make-atuin-on-zfs-fast-again.patch

@@ -0,0 +1,45 @@
+From 4797a2f62ab3d2716d313aa4a3170ba9672a93b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Fri, 22 Mar 2024 08:46:07 +0100
+Subject: [PATCH] make atuin on zfs fast again
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ atuin-client/src/database.rs            | 4 ++--
+ atuin-client/src/record/sqlite_store.rs | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/atuin-client/src/database.rs b/atuin-client/src/database.rs
+index b0bcae31..d8db492b 100644
+--- a/atuin-client/src/database.rs
++++ b/atuin-client/src/database.rs
+@@ -137,9 +137,9 @@ pub async fn new(path: impl AsRef<Path>, timeout: f64) -> Result<Self> {
+         }
+
+         let opts = SqliteConnectOptions::from_str(path.as_os_str().to_str().unwrap())?
+-            .journal_mode(SqliteJournalMode::Wal)
++            .journal_mode(SqliteJournalMode::Memory)
+             .optimize_on_close(true, None)
+-            .synchronous(SqliteSynchronous::Normal)
++            .synchronous(sqlx::sqlite::SqliteSynchronous::Off)
+             .with_regexp()
+             .create_if_missing(true);
+
+diff --git a/atuin-client/src/record/sqlite_store.rs b/atuin-client/src/record/sqlite_store.rs
+index 6333bb27..1f25a55b 100644
+--- a/atuin-client/src/record/sqlite_store.rs
++++ b/atuin-client/src/record/sqlite_store.rs
+@@ -42,6 +42,8 @@ pub async fn new(path: impl AsRef<Path>, timeout: f64) -> Result<Self> {
+
+         let opts = SqliteConnectOptions::from_str(path.as_os_str().to_str().unwrap())?
+             .journal_mode(SqliteJournalMode::Wal)
++            .journal_mode(SqliteJournalMode::Memory)
++            .synchronous(sqlx::sqlite::SqliteSynchronous::Off)
+             .foreign_keys(true)
+             .create_if_missing(true);
+
+--
+2.43.1

nixos/assets/jack.sh

@@ -1,8 +1,10 @@
+#!/usr/bin/env bash
+
 set -e
 
 defaultDevice=PCH
 
-start_jack(){
+start_jack() {
 
   internal_device_number=-1
   komplete_device_number=$(aplay -l | grep Vestax | cut -d":" -f1 | cut -d" " -f2)
@@ -39,30 +41,27 @@ start_jack(){
   #
   # to find configuration options do
   # jack_control dp
-  if [[ $device_number -eq -1 ]]
-  then
+  if [[ $device_number -eq -1 ]]; then
     # we use alsa in reality, but pulse opens up all the pulse
     # sink and source stuff
     # jack_control ds pulse # not working for some reason
     jack_control ds alsa
     jack_control dps device hw:$defaultDevice
   else
-    jack_control ds  alsa
-    jack_control dps device hw:$device_number  # use usb card
+    jack_control ds alsa
+    jack_control dps device "hw:$device_number" # use usb card
   fi
 
-  jack_control dps duplex True                 # record and playback ports
-  jack_control dps hwmon  False                # no hardware monitoring
-  jack_control dps rate   48000                # use cd sample rate
-
+  jack_control dps duplex True # record and playback ports
+  jack_control dps hwmon False # no hardware monitoring
+  jack_control dps rate 48000  # use cd sample rate
 
   # nperiods are the splitup of the
   # sound-ring-buffer. 2 are ok for internal cards
   # but for usb you should use 3 because
   # you can have to write in junks to the card
   # so there is one backup slice in the middle
-  if [[ $internal_device_number -ne -1 ]]
-  then
+  if [[ $internal_device_number -ne -1 ]]; then
     jack_control dps nperiods 3
   fi
 
@@ -82,7 +81,7 @@ start_jack(){
   jack_control start
 }
 
-stop_jack(){
+stop_jack() {
   jack_control exit
 }
 
@@ -92,14 +91,18 @@ status_jack() {
   jack_control status
 }
 
-
 case $1 in
-  start) start_jack
-    ;;
-  stop) stop_jack
-    ;;
-  restart) stop_jack ; start_jack
-    ;;
-  *) status_jack
-    ;;
+start)
+  start_jack
+  ;;
+stop)
+  stop_jack
+  ;;
+restart)
+  stop_jack
+  start_jack
+  ;;
+*)
+  status_jack
+  ;;
 esac

nixos/assets/music-making.sh

@@ -1,50 +1,48 @@
+#!/usr/bin/env bash
 
-function stop_program(){
-    echo "stop $1"
-    sudo systemctl stop $1
+function stop_program() {
+  echo "stop $1"
+  sudo systemctl stop "$1"
 }
 
-function start_program(){
-    echo "start $1"
-    sudo systemctl stop $1
+function start_program() {
+  echo "start $1"
+  sudo systemctl stop "$1"
 }
 
-
-function start(){
-    echo "starting programs again"
-    echo "-----------------------"
-    echo
-    start_program backup.on-porani.insecure.timer
-    start_program backup.on-workhorse.insecure.timer
-    start_program backup.on-workout.insecure.timer
-    start_program syncthing.service
-    start_program tlp.service
-    start_program tor.service
+function start() {
+  echo "starting programs again"
+  echo "-----------------------"
+  echo
+  start_program backup.on-porani.insecure.timer
+  start_program backup.on-workhorse.insecure.timer
+  start_program backup.on-workout.insecure.timer
+  start_program syncthing.service
+  start_program tlp.service
+  start_program tor.service
 }
 
-function stop(){
-    echo "stopping programs"
-    echo "-----------------"
-    echo
-    stop_program backup.on-porani.insecure.timer
-    stop_program backup.on-workhorse.insecure.timer
-    stop_program backup.on-workout.insecure.timer
-    stop_program syncthing.service
-    stop_program tlp.service
-    stop_program tor.service
+function stop() {
+  echo "stopping programs"
+  echo "-----------------"
+  echo
+  stop_program backup.on-porani.insecure.timer
+  stop_program backup.on-workhorse.insecure.timer
+  stop_program backup.on-workout.insecure.timer
+  stop_program syncthing.service
+  stop_program tlp.service
+  stop_program tor.service
 }
 
-
 # ----
 # main
 # ----
 
-
 stop
 
 echo
 echo -n "wait to start again -> "
-read
+read -r
 echo
 
 start

nixos/assets/nginx-show-config.py

@@ -10,7 +10,7 @@ from tempfile import TemporaryDirectory
 
 
 def nginx_config() -> str:
-    reload_config ="/etc/nginx/nginx.conf"
+    reload_config = "/etc/nginx/nginx.conf"
     if os.path.exists(reload_config):
         return reload_config
     out = subprocess.check_output(["systemctl", "cat", "nginx"])
@@ -26,8 +26,9 @@ def main():
     config_path = nginx_config()
     with TemporaryDirectory() as temp_dir:
         temp_path = os.path.join(temp_dir, "nginx.conf")
-        with open(temp_path, "wb+") as temp_file, \
-                open(config_path, "rb") as config_file:
+        with open(temp_path, "wb+") as temp_file, open(
+            config_path, "rb"
+        ) as config_file:
             shutil.copyfileobj(config_file, temp_file)
             temp_file.flush()
             subprocess.check_call(["nginxfmt", temp_file.name])

nixos/assets/tinc/bobi_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEA4N0Pm09nePnlTUtmJLVTxEP41i+9kd4tke6KjG+PIbGI0xrgZJBX
-sP6wK3vf5q3PZp6U3a452SjzSWKQtjXA94Zmr4HaWqYQJPtJlJcsNeWbx/I0WoaA
-918iltvgkLkPKITZ1Gp6iYtKjIn2vxOKv+Pm/YYSRGB4RE3GE5M7TVcitnC89lxm
-bK8GAnUs4xUXE4DWund0h81j7XWJpF6T3N3+rlCrfmEfYYmSYg2DRkprGHvAVP26
-kWzjei9sIfPVgL0iSprOxqfAw/3Sz0uk3Ny6YvsJU+N4e8QTKQTi75XlkAWbG9OF
-P1+1xFDX3d0MdPPNq2c6hHI4VmTMDYVqMPztZNOOKKe+GWBtz/Mlbb55cccNECYA
-eVrAkhgUqjFF2lOFK1j7Ivf8ogETUcYRCEaLEZyf5Q+DuHkGzct1DBVEKn23dR2E
-B8eDm4ap4YxmrZymPbbl5IUyc/d9pmm04MFWMOifDlw5KEH3+ia93ma3ByBI3UjP
-kAg8po3rh3WWjpI26E8icjSjkJ7f1rRsEWmNAf54JwPHkWBZIoUufVxvMNZ9PXn9
-7GdP2Z7z+Tn6zUDA62Z9DRDmRGEnuDio450dNMP6ZNWj6leYBbnkP5JtfpRymVKW
-GVJfpMwSlf/qP00Jd0WQQyICKQOIns+4jzCvRcOLzSaPj7OvgVUnx00CAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/mobi_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEAxubIDrvtrZ6fKPkuwQ+sK6YlToTfVtg3HCTOR7iDf47arkuG3dTb
-BgnkbB/8+KzztaYLQoLnGFugxKKtMGBvMGCo6YLtxrjuaz3aDmhpmGCJh80r80/i
-8WWg1CAkboKHmaiFpS/LBxAWQUGP+YJSoTLuDwtd794wX9MxLh4x5uGRp4rCj9+4
-DdGemLZkZz6Je+cBkf8qrw1Dr8CPiJk47a7bZhyKVnQ3PyvrGOjFolfcI22xp8j3
-7y55DIMWhVsm6EWFK4/pzAqi9JdRd7xy8c9WRIcAHJDlSdf+ERbIjUDJC8fgMlNl
-UII0SqLnBscIbqz2dMuoldeqg9S1fOiTekReLJqpLmAIn+iwpT8KW5QaESu2eh6M
-Ok0sJ8A+aphuZ+FDd2FUmWQiENnPzFGYQ/SuNAA7hR5plSCbjpodulNQFY93I8y3
-vRru6rm/ac+7SehWPBgHGl12UJluvHn32Q85bJ2vdtn9ONgcOdjSLA58nzfc1hv/
-OA5MzIJTvDJqwjZew8A/pyz6kxrGBqnXCzzt46tvj0yZ/VhIgL3qDTR/wzRV3N14
-3Z7TToIQKBPSYNxxCEHXxVQb8oWdGzeE7X52iFeYKhxj+ikZxkoXhCgIRYrDBQ0k
-lnpJU+fbeFddZ4bAdqPxVT+perK33Wzgp9s4+KLh8ldpcRm8S29sNIcCAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/pepe_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEAmAyz71GoQq2Mn4XeUVcN9yfgxeWT57li7i6Te9lq7OVAXQ+CBtD3
-puTMrW3/LXOIS678E2iMYPmdQzMZLmADi8+ZrXOqX98uceNv5bPrTJF0z/RA9Tif
-kfh78GcJCGHmZz+GGWu1ExtSa5ekBdamEtehW6vAGbrPM6Umu9B2UCn8zaSx+RGe
-Y7Z81wO21+ywUorMPTbHeuPYZW+Z8L+QKHO9NdYhzZ9zMPeVMi0x/mwIZqXJ57Wz
-57nx0rrPh+e+5cj3Jh+i4HC76mxPGCyCdvf+60d7W87UZxPqRiTLt2SwgltEKf56
-jBsVeOb5Fjzb6LcNGWfF8zNh0w6rAQsG4W7l93VlerTd46GtG2XW42JkGhuKb8JJ
-L1olPUmbcDbxlQGGUNaI7thAzubszAzinqyat3oU8NjgDJJIueHLmo752RW+yHUY
-giyRSBYtDRM9cE3s848WsToO5BtjXLkg/rC4WIWX2MNJFsAZXzfHWDmae+ajpoVy
-Gl6tGYbLhjd8KtSWB9kB0OWsV56f4KmWeRxHwTgylMO30l6v+XRdnoRUAp9wj8dV
-c6HJHnn5b2q4dk+qwWOYgwvpRFnSixbCCT4PoedEU9xVOzLmzxRtGmkzPsOXEOj5
-6r4Jvk0jw2LTkhEVX1CPblTrGpms9NO02SXNHkF/Akw7PGuJu+w3HZUCAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/porani_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = 9JI8y56NWiKMRS6g/k2H3VgTEw0q+8UEDDJdiCjOl8O
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEA4Ff6XRvf83XSuWUkb70Yz+cWo1/dq4LBh5ZG7SJypdIXYnWQpQJc
-sLRfAS6nJZ6VixNADx7A03c8TdADVaAgl591rLd4CSzM22EgaOFstU2VO/MfMKHf
-v+WUQsrTE6CQ48SW+MDbSZZ7M7FRa/A6hwqZc5qygxdG/tgTei9pmTfqW+ZdQBWl
-IeCCINiNSA/fD+FjWXslZIFRZ5sQ7AYZJgL2nFAueY+cKtRZy3tcDL1v6mhDdIrE
-h8JjEUiayQDGnWmBlflLqE3ODqEsEKoL6W7epqK6PcwvZQxSNwrZe/wzH3oTC43m
-Yg7TQGr0v3SnSziXv3cJvcHfwr9+huo37wTbUJNmozGpI8nLszfUTEIfhbu2ODQv
-R2iM7FJcE4wV48y9aybEnESKA0vsjgI23RIQfxkN0oii7L6NAZVHgl/JJBOtCMXf
-V5uXAdOtkv9UvfofrrV0uahncvbz5efPTSPF8fS5EiwzWfDUW6KHrp/9+gDcnirn
-H8HvmmNVeOGWA1xlrKgi8kiBHv5BxCXfurD0aD6ZIlxdLjJCvGfnLnJZ6gr//GAf
-1BJJVei98uZzihNe4VbRF6Iaphns1KezsdygMsEV9gDIJw3IIqTukcUK7AcBXhb4
-IJ792j2iRwUOyiAcUYLeVYzAt3xFN6wPNcC/Opdo6TVbdMZu2uS1ZN8CAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/retiolum/host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = kc1SACqsoYjk5GimZfP+eszfJmUzZkMQhWeW42UKjfL
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEA2ACttoosnRZ99o+OyMrxBdUWPqsT5btzSIQ5dU1XWqGjO4nRchCE
-8tO0b/4jqVgJVTRZVIUJQESZRlSmclsCAjdM8tsGj74CJrm7tBvgbBn2IObSs5+4
-oJWe57VsQaeHPuI2JZuGqv8Z3Esw+B07bQS5VTaC1ISo7vnLG/q5XLCbKHB9JZc/
-ztYbk4bEQHwbulfoPjD9FY3heLnTzqPw9Xr3ixao5gbAXfWNJM+iCluMq+Q2g1BD
-ozSnyYvaGLQ6h4yksDp+xuK8YCqiRj174EkXySI8Jee1CBMuI8ciX/5Q7yzvzscQ
-ZQ/MLVdx3MRW+VeT0ctaRzoA9E09ILqPe+56DjpsKzt4Ne8qeMG5HdpzO9UdNzTu
-MuibsCL7CJy5Ytl38PK+LAXHQr3Os1Z4OHjeTZ38vTAZcOUJZEkl6w9nO1XjcyBL
-rIaG+20Nx0ZU79MlJZFiG7ovlUiDfIEKNygng8v/yoTMaqMYLxQZ/leQwLMNLujo
-sku8+oV4Jvx4SyUjuAS6jgG9CnejLCnHP/yyDGdaMQSzmlzYXacLMfnPZE3r7bj1
-EjA6yQbkPixm7xLCyMm5u2leWtqtbg1oRA6Mw3UyYkNy3hiTU+jTvztEI3SCliDH
-yjGlESH4/edryKjLNjmYP77VFbM9ZSQ+QGlbMGPvjcn6XCdJGdxm3PUCAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/robi_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEA1wwdd6+Qgn7fiC5C5ueeAsgfG6LlP+5zfb2r8/RZzFkKK+wX0QRx
-6i3Dm0SwAvkKYKowEHhpDg941CrkuTGN2wnKvxoUNvaAe+RBK2EZM3xPh0eTP33T
-igNEHAcdHlgwd3aaNRmYxC41uUlAjD8JPkQ14yAvi4ZMeDRGQxw3on7Mx8NBwgDp
-V2F45c9WpYzaocPCREQE7xLpY3prYpOljqd3hGnBQjdruxnAtIh7nb1SSlMci4RT
-Y2d6aOCiDKgtqrPtMSWp0RkuhIlT17AK1b/5+TE4vzcFNkt6xQJnH2rm7D9niXZ2
-+yzl5DsVONk4z29MnEInqzcVY8m6iypjjntBTkHtFWJc4ZMnJC9FBt7il4V2NL+/
-T7uHV1KDFwRZOtfd0WWlgpg3HsZLc+pmZNl77bggcc56+t3FC5UPZKMEEmU7TYtp
-jIPYnOV9C7ReaOpYvHJi/6NrtYUjBd2XbtD959cTFR9PpXMaNWh2R8+K7r/tFZrG
-q252aCc51J+JegfnhtTfOfPPn7BHV+ZsSQBjMrxz29igOlMPnyOvaxB4mxf6ipoX
-HDY7QnQ82HTZCGQ3vPVEgNz0MfsZU0VocazOYOh3RpKBbKaYqo1i8PqKpqfjC7aR
-AdbrqBXGFcBbXkna3BQDS4xmK35sUG08OR1g24uiNFKzy8rK+xcp790CAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/sputnik_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = ZK9iznseTpMqjaMgDJ7MdjYaq62QlEOFquLfVxlLpFK
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEAzBU8x9aB7F3sPJlcg9avJiSrsAoTHsMkfk6uRKFVjUjuNJgb3rjW
-gyQ7krftLAyxLkTYJzpD+4D+qWiudEgju7W+BU65/hudMIvBmbRYqXmcQlD9B9Pv
-0bVAazHJ80wN8GJD060Wq6XTtkrtAJhPmQSyMt0xU4WmWw/39QBX9rWtOTy75813
-qrfuv1I11YcVQ3jegPLUIzlZqz6LeouCXiP7IRIa+WUXIwAdAYtO/RJC+tty6zyI
-BXNd0Mkvpf0Qaw5joQJRXkdb1sWHOZYh75JW1QWqFMWCclkGG7/Dve4KzuO9N5XZ
-ZMs/MCtDkJQpweNDT3aaiqZa8Oj29OXs4HR4FFrvYkY+qqmKCUqS70FYLo45uNx1
-sRb7GKX8/dsPyOGHfXDuFTSXsKLh9gNLMlF/kuTQ2yJMfeMKdC5jDClL145Fm0ux
-akH/PWSS9DENxSu0GH1sTQnLyhc4mVzOehu1XfR9EALjYY0BNBUir7aAaiLTCbq9
-LKwMaF/D467W3j3Zp5xEAsf8xYC2CyMl1Df43zxcxLY+3K8/kUM2rkU7ocl2VT3o
-7yNC+JqQz41n4SDOXBZc6cfxUXj2MqqEw9Ywgs+aXZiSCaVOulhyXj0TSE1mX1NI
-woDHEzyx7q4AryQOWQsLq5JimI0v2/xN2yz+cNXoetDypjEWnws4e/ECAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/sternchen_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEA1vhCFsFK0QSYDlXSS6ngpZbilplYtaPBzbxWYGAxa5vNtwoaO2Tz
-BZ4ptvE26TR2+Jygvlk5xdoNYAL/yhNI9p86vs/pA+sJmBlsYAWOA5qAnXoIL2u4
-1CBB9t+uMnQKhyPoBoDq6QXmM1HlFhxtkKVlLyEHxARxu7g/inFtghPqYD/HyjVJ
-V6h9OdKEgY+wcn6GGLXGjrSMAsIZP2w8fPQfS45UAtjK+cFODFKElxGZrjqgJP1w
-/Jw6nB03yKMGsMHNkiwC2BJbK3+pT92JfyqXRg3REw0hVMZghcsoNtWfBoNYLvFY
-qwk+bvf5bVdLxLMEv33+B3F8SScXuwMUpBwCeMi58ltt+OuOVhh8PLA9ncA6tGa9
-tzyUo7i8qjGTremSilWIdRYqOexriPKCdnYcJcw/L9Vl2H3QbIj7uVxbszQbqDGS
-KM43U5cXgpMIYI9CwxnWB8np7n/IXZFG5E+9afd4kYTLShzaObzu2I1yom0O4Ks7
-HsdvlsBgv4iT6ctquHtU6IFsa/Wfm4ntDiAcczoQEXs0F2v839FH62TPTY70xzyd
-wQhAdCegb6MYVmVmQL9jv8QDfxwUxtsohbW3ncBDYrdy2rmeiZDGaRJVEbyf6MKI
-OfaobRGXY0NnOURX9/fkXSydDKd3rIhOMubfUq0+Smm3YrsHWeZVvNMCAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/sterni_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEAu7Ajx9+mEaDK/ASZ5hoVj3X3IkWl+8MAhmj7dwnhqc4YrPrvwKE4
-cOnVcEUp4K4pyIHUG8zhsesstfpu/0owLQaz8Cekr4CyQWsjDfi7K/QiAN+v2O2m
-DQOjrYzDvRyBa20A2MnO1kZU/aFHE9qcIHefZhQUZyv97j+QcsE/FDuIH/RAua6/
-p+br2tfecePGH6f0fMk8dp+YbxcjjVyhJkjyaYF2r+n+YflDl5y3ngxUFJ0UnNE0
-RfYJf2NE1wzt4rIdnYobFP3vifDIeYj6M0LGHnURPsT6zP+zStZ81MYZKrNlTJ37
-sbZhorVmO6x46xEWaDUd7UqcKJBpb7u8iSAE4S3tHLFRxBs60dPS+3UEraiTvTHr
-FvWTq1Q+t/FivTxXEkVt74N5auOKbT5AAkztak21Izx6enspdx6da2aLuJD5I0OU
-3F4kd8lW5PqEZubkYziDwcVoNsx88hQzHi5l2aRdzY57o82+ltWw4xXmAFR2o605
-SwVJ4AUmORHuIoDYSR+UgbtKHguxVaTLVggdfvHzlDQ1VERwEU58awMwPLU1k+jP
-3QW7ehPLKRN+StB6LBlnmRD1ltkaPY5iy+NMXj17hJx0trpz3qoCuv+5TRvsGvQ7
-Je/G7c6suIGd4HbA9TvCinW6/JLbJQlDiG7MD2oCOPS1pdayUuB9Jw0CAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/workhorse_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = sPs48jzCdtTv0Viy2Of3HlXipfxH5Y8bA+KYVkOrSiK
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEA01HJ49zxmnixWC9YMP0c3UFxZc4Hl5UK9nJvhMRBOuxm75kpzZsz
-3v6mSy1YrVE9rrGXYjZ76wKrRhchMpvrMKKD8/DRjVqTkuFwtGgUEigzpSFoSLtC
-u2Wis7Z6GW3nLgAS79NU9IUUEoeevND1zzglDb0HdERuiImiZVg3I+VXLyA31X3L
-Z/B7T4QLmZGIRvFw0y1TawMjFMJZmDBtzMqfO7behkms2O1ORAciGhGxmZ9gd7yk
-n/NKCpSSzeC6sJ28i33LRrWF3hRUXAEJFgq8YRxm6mjRoPLsJVsw2S98DvTcxmjN
-eyVnqPVQi7JuKrOQsewQvwV2KiqI9ibEYH1zZNXwy+l05b3QSaAcyRtDpwRW7FCY
-H4B3S0vjte75D4bEuYTFgT3wCzlAjdB7fPZ4jyZXdrP8G3IfbMmgsdECz5uIMwam
-UaSZISlHkSJv+erA8TMJLBnqAO7ERKYI7PRIDdIun0VtX2QjRJpWIdVpxEcL4fZU
-w6gzX8lOQe5NnoH/MFUfU0LyBuUH1k6WX7xdwrynUVS087vwaQN+H/VTp0QSX6PQ
-oCLYPCGKS2B/St954uaPanzeG7QZQpWbvttaFVmUSkilx78xqqu3zDm9pSofFKCX
-08TGlluy8JAwUqAxekQVKey2PdLmKjlMCcoUeNYbJybGplc9gv2hYhsCAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/assets/tinc/workout_host_file

@@ -1,14 +0,0 @@
-Ed25519PublicKey = r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEA7/bur2JIXzNrsgjQ7kfoaLUVCC9S7HNNdDrlnSdum0sWvN9urdxS
-1OfzqG+kjDhQ0sS4fEeYyLMU8W3/aHkSbMjfKBiZS70bg5yHRepUEPZNqDqR3+rO
-LTAGWMi/IQQQmnfcN5SjaNY/ZyXoaPd1emlpV2UXBvXo/bQTl+pmOt7AIAh7Z7M6
-X5KAwU23kUwrfn/7zFCw98euNEPcCKpdF5oD4+G+S0PGfFvBmE6Xoi2blM1rcjJ4
-39IGVCsKAlW1Vg48yj7FypSSjaFvIW+kyRcNNTEZ4V5p50Vm7DfylfW96NqAOeuz
-2aSVaLhvmu8fU9z+g95MdGZOJYd57jFt76GbkwcLCF8KBCP9NhMfOQu0i1glk+AP
-CcJcDa/Oj7lLQVB2+holJhw5fkHH2Yi+L+UsjIF0iLiOSTjGJp4yRT9Al9pgMCj2
-O1JUMYxQ490mSFHBomNv1fq+f5VJnytEwAkJH6AgH+RIcAC5/r+sowfLv+Gy0ga8
-jKG6t9d/x6lRNv0x5sUhYkiUD9Naq0NncaZz1GtkBAyu+hUZx2+zg3r8He4XoiXx
-zWAQEgcW3X1/9VC7IBvaK9cdLG5pbeGCBaDv8S0Ue332mM0XNDlffjdC7Sg9f/TG
-YV8MHpR3RwwUqdi6WFPQqVz5Hv1pE02v/Uw6tby1UgAnzskrufPh+m8CAwEAAQ==
------END RSA PUBLIC KEY-----

nixos/components/README.md

@@ -0,0 +1,6 @@
+# components concept
+
+- components are kinda opinionated.
+- should be project agnostic (e.g.: configure bugwarrior via options but leave specifics out).
+- `component.<toplevel>.enabled` should usually be the default for all it subcomponents (`comonent.<topleve>.<subcomponent>.enabled`).
+  - But default should make sense here!

nixos/components/default.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+  imports = [
+    ./gui
+    ./mainUser.nix
+    ./media
+    ./monitor
+    ./network
+    ./nixos
+    ./terminal
+    ./yubikey.nix
+  ];
+
+  # some system stuff
+  # -----------------
+  time.timeZone = lib.mkDefault "Europe/Berlin";
+  #time.timeZone = lib.mkDefault "Pacific/Auckland";
+  #time.timeZone = lib.mkDefault "Asia/Singapore";
+  #time.timeZone = lib.mkDefault "Asia/Makassar";
+
+}

nixos/components/gui/audio.nix

@@ -0,0 +1,52 @@
+# TODO test `alsactl init` after suspend to reinit mic
+{ pkgs, config, lib, ... }:
+with lib;
+{
+  options.components.gui.audio.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
+
+  config = mkIf (config.components.gui.pass.enable) {
+
+    security.rtkit.enable = true;
+
+    hardware.pulseaudio.enable = false;
+
+    hardware.bluetooth = {
+      enable = true;
+      powerOnBoot = true;
+    };
+
+    environment.systemPackages = with pkgs; [
+      alsa-utils
+      alsaUtils
+
+      # PulseAudio control
+      # ------------------
+      ponymix
+      pavucontrol
+      lxqt.pavucontrol-qt
+    ];
+
+    services.pipewire = {
+      enable = true;
+      systemWide = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+    };
+
+    environment.etc = {
+      "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
+        bluez_monitor.properties = {
+          ["bluez5.enable-sbc-xq"] = true,
+          ["bluez5.enable-msbc"] = true,
+          ["bluez5.enable-hw-volume"] = true,
+          ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+        }
+      '';
+    };
+  };
+}

nixos/components/gui/browser.nix

@@ -0,0 +1,86 @@
+{ config, lib, ... }:
+let
+  backupFolder = "~/desktop/browser-images";
+  homeFolder = "/browsers";
+in
+{
+  config = lib.mkIf config.components.gui.enable {
+
+    programs.chromium.extensions = [
+      "nngceckbapebfimnlniiiahkandclblb" # bitwarden
+      "edibdbjcniadpccecjdfdjjppcpchdlm" # I still don't care about cookies
+      "gcbommkclmclpchllfjekcdonpmejbdp" # https everywhere
+      "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
+      "dbepggeogbaibhgnhhndojpepiihcmeb" # vimium
+      "jinjaccalgkegednnccohejagnlnfdag" # Violentmonkey
+    ];
+
+    # overwrite use zram on small RAM systems
+    fileSystems."/share" = lib.mkDefault {
+      device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+    # overwrite use zram on small RAM systems
+    fileSystems."${homeFolder}" = lib.mkDefault {
+      device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+    services.browser = {
+      enable = lib.mkDefault true;
+      configList = {
+        development = {
+          home = "${homeFolder}/development-browser";
+          homeBackup = "${backupFolder}/development-browser";
+          gpu = false;
+        };
+        google = {
+          home = "${homeFolder}/google-browser";
+          homeBackup = "${backupFolder}/google-browser";
+          gpu = false;
+        };
+        finance = {
+          home = "${homeFolder}/finance-browser";
+          homeBackup = "${backupFolder}/finance-browser";
+          gpu = false;
+        };
+        facebook = {
+          home = "${homeFolder}/facebook-browser";
+          homeBackup = "${backupFolder}/facebook-browser";
+          gpu = false;
+        };
+        shopping = {
+          home = "${homeFolder}/shopping-browser";
+          homeBackup = "${backupFolder}/shopping-browser";
+          gpu = false;
+        };
+        jobrad = {
+          browserType = "chrome";
+          home = "${homeFolder}/jobrad-chrome";
+          homeBackup = "${backupFolder}/jobrad-chrome";
+          gpu = false;
+        };
+        firefox-tmp = {
+          browserType = "firefox";
+          home = "${homeFolder}/firefox-tmp";
+          homeBackup = "${backupFolder}/firefox-tmp-browser";
+          gpu = false;
+        };
+        chromium-tmp = {
+          browserType = "chrome";
+          home = "${homeFolder}/chromium-tmp";
+          homeBackup = "${backupFolder}/chrome-tmp-browser";
+          gpu = false;
+        };
+        google-tmp = {
+          browserType = "google";
+          home = "${homeFolder}/google-tmp";
+          homeBackup = "${backupFolder}google-tmp-browser";
+          gpu = false;
+        };
+
+      };
+    };
+  };
+}

nixos/components/gui/cups.nix

@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+with lib;
+{
+
+  options.components.gui.cups.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
+
+  config = mkIf (config.components.gui.cups.enable) {
+
+    hardware.printers.ensurePrinters = [
+      {
+        description = "Lexmark E350d";
+        deviceUri = "usb://Lexmark/E350d?serial=622Z9ZC";
+        location = "office";
+        name = "Lexmark_E350d";
+        model = "drv:///sample.drv/generic.ppd";
+        ppdOptions = {
+          job-sheets = "none, none";
+          media = "na_letter_8.5x11in";
+          sides = "one-sided";
+        };
+      }
+    ];
+
+  };
+}

nixos/components/gui/default.nix

@@ -0,0 +1,30 @@
+{ pkgs, lib, config, ... }:
+with lib;
+{
+  options.components.gui = {
+    enable = lib.mkEnableOption "GUI configurations";
+  };
+
+  imports = [
+    # todo : structure with home-manager and such is not cool, create another structure
+    ./audio.nix
+    ./browser.nix
+    ./cups.nix
+    ./fonts.nix
+    ./home-manager
+    ./kmonad.nix
+    ./noti.nix
+    ./pass.nix
+    ./steam.nix
+    ./suspend.nix
+    ./taskwarrior.nix
+    ./vscode.nix
+    ./wayland.nix
+    ./xorg
+  ];
+
+  config = mkIf config.components.gui.enable {
+    # todo extract xorg stuff to prepare wayland
+    environment.enableAllTerminfo = true;
+  };
+}

nixos/components/gui/fonts.nix

@@ -0,0 +1,36 @@
+{ pkgs, config, lib, ... }:
+with lib;
+{
+  options.components.gui.style.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
+
+  config = mkIf (config.components.gui.style.enable) {
+
+    fonts.packages = with pkgs; [
+
+      corefonts
+      hasklig
+      inconsolata
+      source-code-pro
+      symbola
+      ubuntu_font_family
+
+      # symbol fonts
+      # ------------
+      nerdfonts
+      powerline-fonts
+      font-awesome
+      fira-code-symbols
+      jetbrains-mono
+
+      # shell font
+      # ----------
+      terminus_font
+      gohufont
+
+    ];
+
+  };
+}

nixos/components/gui/home-manager/default.nix

@@ -0,0 +1,11 @@
+{ pkgs, lib, config, ... }:
+with lib;
+{
+
+  config = mkIf config.components.gui.enable {
+
+    # don't run autoload -U compinit && compinit before ~/.zshrc
+    programs.zsh.enableGlobalCompInit = false;
+
+  };
+}

nixos/components/gui/kmonad.nix

@@ -0,0 +1,88 @@
+{ config, pkgs, lib, ... }:
+{
+
+  options.components.gui.kmonad.enable = lib.mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
+
+  config = lib.mkIf (config.components.gui.kmonad.enable) {
+
+    # only needed if you have an UHK
+    hardware.keyboard.uhk.enable = true;
+    environment.systemPackages = [ pkgs.unstable.uhk-agent ];
+    users.users.mainUser.extraGroups = [ "input" ];
+
+    services.xserver = {
+      layout = "us";
+      xkbOptions = "compose:ralt";
+    };
+
+    services.kmonad = {
+      enable = true;
+      keyboards =
+        let
+          keyboard = device: leftOfSpace: {
+            device = device;
+            extraGroups = [ "video" ];
+            defcfg = {
+              enable = true;
+              fallthrough = true;
+              allowCommands = true;
+            };
+            config = ''
+              (defsrc
+                grv  1    2    3    4    5    6    7    8    9    0    -    =    bspc
+                tab  q    w    e    r    t    y    u    i    o    p    [    ]    \
+                caps a    s    d    f    g    h    j    k    l    ;    '    ret
+                lsft z    x    c    v    b    n    m    ,    .    /    rsft
+                ${lib.concatStringsSep " " leftOfSpace}           spc            ralt rmet cmp  rctl
+              )
+
+              (defalias sym (layer-toggle symbols))
+              (defalias alt (around (layer-toggle alt-qwerty)
+                                    (layer-toggle arrows)))
+
+              (deflayer qwerty
+                grv  1    2    3    4    5    6    7    8    9    0    -    =    bspc
+                tab  q    w    e    r    t    y    u    i    o    p    [    ]    \
+                esc  a    s    d    f    g    h    j    k    l    ;    '    ret
+                lsft z    x    c    v    b    n    m    ,    .    /    rsft
+                lctl lmet @alt           spc            @sym rmet cmp  rctrl
+              )
+
+              (deflayer symbols
+                _    ½    ²    ³    ⁴    ⁵    ⁶    ⁷    ⁸    ⁹    ∞    _    _    _
+                _    _    _    €    _    ™    _    ü    _    ö    _    _    _    _
+                caps ä    ß    _    _    _    _    _    _    _    _    _    _
+                _    _    _    ¢    _    _    _    _    _    _    _    _
+                _    _    _              _              _    _    _    _)
+
+              ;; alt                => alt
+              ;; alt + jkli         => left down right up
+              ;; alt + caps  + jkli => alt + left down right up
+              (deflayer alt-qwerty
+                (around lalt grv ) (around lalt 1) (around lalt 2) (around lalt 3) (around lalt 4) (around lalt 5  ) (around lalt 6) (around lalt 7) (around lalt 8) (around lalt 9) (around lalt 0) (around lalt -   ) (around lalt =  ) (around lalt bspc)
+                _                  (around lalt q) (around lalt w) (around lalt e) (around lalt r) (around lalt t  ) (around lalt y) (around lalt u) (around lalt i) (around lalt o) (around lalt p) (around lalt [   ) (around lalt ]  ) (around lalt \   )
+                _                  (around lalt a) (around lalt s) (around lalt d) (around lalt f) (around lalt g  ) (around lalt h) (around lalt j) (around lalt k) (around lalt l) (around lalt ;) (around lalt '   ) (around lalt ret)
+                _                  (around lalt z) (around lalt x) (around lalt c) (around lalt v) (around lalt b  ) (around lalt n) (around lalt m) (around lalt ,) (around lalt .) (around lalt /) (around lalt rsft)
+                _                  _                  _                                            (around lalt spc)                                 _               _               _               _
+              )
+              (deflayer arrows
+                _    _    _    _    _    _    _    _    _    _     _    _    _    _
+                _    _    _    _    _    _    _    _    up   _     _    _    _    _
+                lalt _    _    _    _    _    _    left down right _    _    _
+                _    _    _    _    _    _    _    _    _    _     _    _
+                _    _    _              _              _    _     _    _)
+            '';
+          };
+
+        in
+        {
+          nativ = keyboard "/dev/input/by-path/platform-i8042-serio-0-event-kbd" [ "lctl" "lmet" "lalt" ];
+          dasKeyboard = keyboard "/dev/input/by-id/usb-Metadot_-_Das_Keyboard_Das_Keyboard-event-kbd" [ "lctl" "lmet" "lalt" ];
+          uhk = keyboard "/dev/input/by-id/usb-Ultimate_Gadget_Laboratories_UHK_60_v2-event-kbd" [ "lctl" "lmet" "lalt" ];
+        };
+    };
+  };
+}

nixos/components/gui/noti.nix

@@ -0,0 +1,37 @@
+# notify me when a command is finished
+{ config, pkgs, lib, ... }:
+with lib;
+{
+  options.components.gui.noti.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
+
+  config = mkIf (config.components.gui.noti.enable) {
+
+    sops.secrets.pushover_user_key = { };
+    sops.secrets.pushover_api_key = { };
+    sops.templates."noti.yaml".owner = config.users.users.mainUser.name;
+    sops.templates."noti.yaml".group = config.users.users.mainUser.group;
+    sops.templates."noti.yaml".content = ''
+      pushover:
+        userKey: ${config.sops.placeholder.pushover_user_key}
+        apiToken: ${config.sops.placeholder.pushover_api_key}
+    '';
+
+    home-manager.users.mainUser = {
+      home.packages = [
+        (pkgs.writers.writeBashBin "noti" ''
+          ${pkgs.noti}/bin/noti --file ${config.sops.templates."noti.yaml".path} "$@"
+        '')
+        (pkgs.writers.writeBashBin "noti-pushover" ''
+          ${pkgs.noti}/bin/noti --pushover --file ${config.sops.templates."noti.yaml".path} "$@"
+        '')
+      ];
+
+      ## not working :(
+      #programs.noti.enable = true;
+      #xdg.configFile."noti/noti.yaml".source = toString config.sops.templates."noti.yaml".path;
+    };
+  };
+}

nixos/components/gui/pass.nix

@@ -0,0 +1,50 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+
+  # desktop file
+  # ------------
+  # makes it possible to be used by other programs
+  desktopFile = name: bin:
+    pkgs.writeTextFile {
+      name = "${name}.desktop";
+      destination = "/share/applications/${name}.desktop";
+      text = ''
+        [Desktop Entry]
+        Categories=Application;Utility;
+        Comment=password dialog
+        Encoding=UTF-8
+        Exec=${bin}
+        Icon=gnome-lockscreen
+        Name=${name}
+        Terminal=false
+        Type=Application
+      '';
+    };
+
+in
+{
+  options.components.gui.pass.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
+
+  config = mkIf (config.components.gui.pass.enable) {
+
+    environment.systemPackages = [
+      (pkgs.pass.withExtensions (ext: [ ext.pass-otp ]))
+      # todo : use upstream desktop file creator
+      (desktopFile "passmenu" "${pkgs.pass.withExtensions (ext: [ext.pass-otp])}/bin/passmenu --type -l 10")
+
+      pkgs.otpmenu
+
+      # todo ein script machen was hier tut
+      # zbarimg -q --raw 2018-12-18-114509.png   | pass otp insert mindcurv/cloudamqp/otp
+      pkgs.zbar
+
+      pkgs.ctmg
+      pkgs.pinentry
+      pkgs.pinentry-curses
+    ];
+  };
+}

nixos/components/gui/steam.nix

@@ -1,39 +1,32 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, lib, ... }:
 with lib;
-
-# steam
-# -------
-# Don't forget to run 'xhost +' with your user
-# to make sure the browser user can write to X
-let
-
-  bin = pkgs.writeShellScriptBin "steam" ''
-    /var/run/wrappers/bin/sudo -u steam -i ${pkgs.steam}/bin/steam $@
-  '';
-
-  cfg = config.programs.custom.steam;
-
-in
 {
+  options.components.gui.steam.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
 
-  options.programs.custom.steam.enable = mkEnableOption "enable steam";
-
-  config = mkIf cfg.enable {
+  config = mkIf (config.components.gui.steam.enable) {
 
     environment.systemPackages = [
-      bin
+      (pkgs.writeShellScriptBin "steam" ''
+        /var/run/wrappers/bin/sudo -u steam -i ${pkgs.steam}/bin/steam $@
+      '')
       pkgs.xorg.xhost
       # to use xbox controllers
       pkgs.xboxdrv
     ];
 
     users.users.steam = {
-      isNormalUser = true;
+      isNormalUser = false;
+      isSystemUser = true;
       home = "/home/steam";
       createHome = true;
       extraGroups = [ "audio" "input" "video" "pipewire" ];
+      group = "steam";
+      shell = pkgs.bashInteractive;
     };
+    users.groups.steam = { };
 
     # for steam
     # ---------
@@ -45,4 +38,3 @@ in
     '';
   };
 }
-

nixos/components/gui/suspend.nix

@@ -1,15 +1,12 @@
 { pkgs, config, lib, ... }:
 with lib;
-
-let
-
-  cfg = config.system.custom.suspend;
-in
 {
+  options.components.gui.suspend.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
 
-  options.system.custom.suspend.enable = mkEnableOption "use xlock in suspend";
-
-  config = mkIf cfg.enable {
+  config = mkIf (config.components.gui.suspend.enable) {
 
     systemd.services.screenlock = {
       before = [ "sleep.target" ];

nixos/components/gui/taskwarrior.nix

@@ -0,0 +1,90 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with types;
+let
+  mkMagicMergeOption = { description ? "", example ? { }, default ? { }, apply ? id, ... }:
+    mkOption {
+      inherit example description default apply;
+      type = with lib.types;
+        let
+          valueType = nullOr
+            (oneOf [
+              bool
+              int
+              float
+              str
+              (attrsOf valueType)
+              (listOf valueType)
+            ]) // {
+            description = "bool, int, float or str";
+            emptyValue.value = { };
+          };
+        in
+        valueType;
+    };
+in
+
+{
+  options.components.gui.taskwarrior.enable = mkOption {
+    type = bool;
+    default = config.components.gui.enable;
+  };
+
+  options.components.gui.taskwarrior.config = mkMagicMergeOption {
+    type = attrs;
+    default = { };
+  };
+
+  config = mkIf (config.components.gui.taskwarrior.enable) {
+
+    environment.systemPackages = with pkgs; [
+
+      unstable.taskwarrior-tui
+      taskwarrior
+      timewarrior
+      miller
+      tasksh
+      (pkgs.writeShellScriptBin "tsak" ''${pkgs.taskwarrior}/bin/task "$@"'')
+
+      (pkgs.writers.writeBashBin "calendar" ''
+        ${pkgs.taskwarrior}/bin/task calendar
+        ${pkgs.taskwarrior}/bin/task calendar_report
+      '')
+
+      unstable.vit
+      (pkgs.writers.writeBashBin "active" "${unstable.taskwarrior-tui}/bin/taskwarrior-tui -r active")
+      (pkgs.writers.writeBashBin "todo" "${unstable.taskwarrior-tui}/bin/taskwarrior-tui -r todo")
+
+      taskwarrior-hooks
+      vdirsyncer
+      khal
+      (pkgs.writers.writeBashBin "kalendar" ''
+        ${pkgs.vdirsyncer}/bin/vdirsyncer sync
+        ${pkgs.khal}/bin/ikhal
+      '')
+
+      # todo : before deleting this, put it in logseq
+      (python3Packages.bugwarrior.overrideAttrs (old: {
+        version = "develop";
+        src = pkgs.fetchFromGitHub {
+          owner = "ralphbean";
+          repo = "bugwarrior";
+          rev = "eb19a702a698f9c8c3ce2a1fe41f35872d9ae398";
+          sha256 = "sha256-Geon+ddE58WJ10L4unotzvmZj1Ye0yjZHVQgrR2YWgE=";
+        };
+        propagatedBuildInputs = old.propagatedBuildInputs ++ [
+          python3Packages.pydantic
+          python3Packages.tomli
+          python3Packages.email-validator
+          python3Packages.packaging
+        ];
+      }))
+    ];
+
+    #home-manager.users.mainUser.home.file.".config/bugwarrior/bugwarriorrc".source = ./bugwarriorc.ini;
+    #home-manager.users.mainUser.home.file.".config/bugwarrior/bugwarriorrc".source = (pkgs.formats.toml { }).generate "bugwarriorrc.toml" config.components.gui.taskwarrior.config;
+    home-manager.users.mainUser.home.file.".config/bugwarrior/bugwarrior.toml".source = (pkgs.formats.toml { }).generate "bugwarriorrc.toml" config.components.gui.taskwarrior.config;
+
+  };
+
+}

nixos/components/gui/vscode.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+  options.components.gui.vscode.enable = mkOption {
+    type = lib.types.bool;
+    #default = config.components.gui.enable;
+    default = false;
+  };
+
+  config = mkIf (config.components.gui.vscode.enable) {
+    environment.systemPackages = with pkgs; [
+      (vscode-with-extensions.override {
+        vscodeExtensions = with vscode-extensions; [
+          bbenoist.nix
+          ms-python.python
+          ms-azuretools.vscode-docker
+          ms-vscode-remote.remote-ssh
+          vscodevim.vim
+          rust-lang.rust-analyzer
+          #github.copilot-labs
+          github.copilot
+          #github.copilot-chat
+        ];
+      })
+    ];
+  };
+}

nixos/components/gui/wayland.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+
+  options.components.gui.wayland.enable = mkOption {
+    type = lib.types.bool;
+    default = ! config.components.gui.xorg.enable;
+  };
+
+  config = mkIf config.components.gui.wayland.enable {
+    programs.hyprland.enable = true;
+  };
+}

nixos/components/gui/xorg/default.nix

@@ -1,55 +1,32 @@
 { config, pkgs, lib, ... }:
-
 with lib;
-
-let
-
-  cfg = config.system.custom.x11;
-
-in
 {
 
-  options.system.custom.x11 = {
-    enable = mkEnableOption "enable x11";
-    autoLoginUser = mkOption {
-      type = with types; str;
-      description = "user to login";
-    };
+  imports = [ ./xlock.nix ];
+
+  options.components.gui.xorg.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
   };
 
-  config = mkIf cfg.enable {
+
+  config = mkIf config.components.gui.xorg.enable {
+
+    # system.custom.fonts.enable = true;
 
     services.xserver = {
 
       enable = true;
 
-      # Configure video Drivers
-      # -----------------------
-      videoDrivers = [ "intel" ];
-      deviceSection = ''
-        Option "DRI" "2"
-        Option "TearFree" "true"
-      '';
-
-      # window-manager : Xmonad
-      # -----------------------
       displayManager = {
-        #defaultSession = lib.mkDefault "none+xmonad";
         defaultSession = lib.mkDefault "none+i3";
         autoLogin.enable = lib.mkDefault true;
-        autoLogin.user = cfg.autoLoginUser;
+        autoLogin.user = config.users.users.mainUser.name;
         lightdm.enable = lib.mkDefault true;
       };
 
-      desktopManager = {
-        xterm.enable = false;
-        #gnome3.enable = lib.mkDefault true;
-      };
-      windowManager = {
-        xmonad.enable = true;
-        xmonad.enableContribAndExtras = true;
-        i3.enable = true;
-      };
+      desktopManager.xterm.enable = false;
+      windowManager.i3.enable = true;
 
       # mouse/touchpad
       # --------------
@@ -59,24 +36,26 @@ in
           disableWhileTyping = true;
           tapping = true;
           scrollMethod = "twofinger";
-          accelSpeed = "2";
+          accelSpeed = "1.3";
+          naturalScrolling = true;
+          horizontalScrolling = true;
         };
       };
 
-      # Wacom configuraton
-      # ------------------
-      modules = [ pkgs.xf86_input_wacom ];
     };
 
     # Packages
     # --------
     environment.systemPackages = with pkgs; [
 
+      xclip
+      xtrlock-pam
+      xorg.xev
+
       dmenu
       arandr
       xcalib
       flameshot
-      xorg.xmodmap
       feh
 
     ];

nixos/components/gui/xorg/xlock.nix

@@ -0,0 +1,25 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+
+  name = "lock";
+
+  # the lock program
+  lockProgram = pkgs.writeShellScriptBin "${name}" ''
+    ${pkgs.xlockmore}/bin/xlock -mode life1d -size 1
+  '';
+
+in
+{
+  config = mkIf config.components.gui.xorg.enable {
+    environment.systemPackages = [
+      lockProgram
+      (pkgs.makeDesktopItem {
+        name = "lock";
+        desktopName = "lock";
+        exec = "${lockProgram}/bin/lock";
+        terminal = false;
+      })
+    ];
+  };
+}

nixos/components/mainUser.nix

@@ -1,10 +1,9 @@
 { config, pkgs, lib, ... }:
-
 with lib;
-
+with types;
 let
 
-  cfg = config.system.custom.mainUser;
+  cfg = config.components.mainUser;
 
   dockerGroup =
     if (config.virtualisation.docker.enable) then [ "docker" ] else [ ];
@@ -18,19 +17,20 @@ let
 in
 {
 
-  options.system.custom.mainUser = {
+  options.components.mainUser = {
 
-    enable = mkEnableOption "enable mainUser for a desktop system";
+    enable = mkEnableOption "enable mainUser for a system";
 
     userName = mkOption {
-      type = with types; str;
+      type = str;
+      default = "palo";
       description = ''
         name of the main user
       '';
     };
 
     uid = mkOption {
-      type = with types; int;
+      type = int;
       default = 1337;
       description = ''
         uid of main user
@@ -39,7 +39,7 @@ in
 
     extraGroups = mkOption {
       default = [ ];
-      type = with types; listOf str;
+      type = listOf str;
       description = ''
         list of groups the main user should also be in
       '';
@@ -47,7 +47,7 @@ in
 
     authorizedKeyFiles = mkOption {
       default = [ ];
-      type = with types; listOf str;
+      type = listOf str;
       description = ''
         list of keys allowed to login as this user
       '';
@@ -57,31 +57,27 @@ in
 
   config = mkIf cfg.enable {
 
-
     users = {
 
-      mutableUsers = true;
+      mutableUsers = lib.mkDefault true;
+
       defaultUserShell = pkgs.zsh;
 
+      groups.mainUser.name = cfg.userName;
+
       users.mainUser = {
         isNormalUser = true;
         name = cfg.userName;
         uid = cfg.uid;
         home = "/home/${cfg.userName}";
         initialPassword = cfg.userName;
-        extraGroups = [ "wheel" "networkmanager" "transmission" "wireshark" ]
+        extraGroups = [ "wheel" "networkmanager" "transmission" "wireshark" "audio" "pipewire" "input" ]
           ++ dockerGroup ++ vboxGroup ++ cfg.extraGroups;
         openssh.authorizedKeys.keyFiles = cfg.authorizedKeyFiles;
         group = config.users.groups.mainUser.name;
       };
 
-      groups.mainUser = {
-        name = cfg.userName;
-      };
-
     };
 
-
-
   };
 }

nixos/components/media/default.nix

@@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+with lib;
+{
+  options.components.media = {
+    enable = lib.mkEnableOption "Media configurations";
+  };
+
+  imports = [
+    ./icecast.nix
+    ./tts.nix
+    ./video.nix
+  ];
+
+  config = mkIf config.components.media.enable { };
+}

nixos/components/media/icecast.nix

@@ -0,0 +1,71 @@
+# --------------------------------------------------
+# How to use?
+# * start the icecast
+# * connect via mixxx to it.
+# * add the podcast to mpd in the same network
+# --------------------------------------------------
+{ pkgs, config, lib, ... }:
+with lib;
+
+let
+  # todo : make option
+  user = "username";
+  password = "password";
+  mountPoint = "/radio.mp3";
+  maxListeners = 20;
+in
+
+{
+
+  options.components.media.icecast.enable = mkOption {
+    type = lib.types.bool;
+    #default = config.components.media.enable;
+    default = false;
+  };
+
+  config = mkIf (config.components.media.icecast.enable) {
+
+    services.icecast = {
+      enable = true;
+      hostname = config.networking.hostName;
+      admin = {
+        user = "palo";
+        password = "palo";
+      };
+      # http://icecast.org/docs/icecast-2.4.1/config-file.html
+      extraConf = ''
+        <mount type="normal">
+        <mount-name>${mountPoint}</mount-name>
+        <username>${user}</username>
+        <password>${password}</password>
+        <max-listeners>${toString maxListeners}</max-listeners>
+        <max-listener-duration>3600</max-listener-duration>
+        <charset>UTF8</charset>
+        <public>1</public>
+        <stream-name>Palos Awesome Stream</stream-name>
+        <stream-description>Kick ass Tracks</stream-description>
+        <stream-url>https://ingolf-wagner.de</stream-url>
+        <genre>classical</genre>
+        <bitrate>320</bitrate>
+        <type>application/ogg</type>
+        <subtype>vorbis</subtype>
+        <hidden>1</hidden>
+        <burst-size>65536</burst-size>
+        <mp3-metadata-interval>4096</mp3-metadata-interval>
+        </mount>
+      '';
+    };
+
+    # use port which I can see in iptable -L -v -n
+    networking.firewall = {
+      allowedTCPPorts = [ config.services.icecast.listen.port ];
+      allowedUDPPorts = [ config.services.icecast.listen.port ];
+    };
+
+    # don't want to have the service running all the time
+    # ---------------------------------------------------
+    systemd.services.icecast.wantedBy = lib.mkForce [ ];
+    systemd.services.icecast.after = lib.mkForce [ ];
+
+  };
+}

nixos/components/media/sanitize_folder.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# todo : add a dry-run
+
+sanitize() {
+  shopt -s extglob
+
+  filename=$(basename "$1")
+  directory=$(dirname "$1")
+
+  filename_clean="${filename//+([^[:alnum:]_-\\.])/_}"
+
+  if [[ $filename != "$filename_clean" ]]; then
+    mv -v --backup=numbered "$1" "$directory/$filename_clean"
+  fi
+}
+
+export -f sanitize
+find "$1" -depth -exec bash -c 'sanitize "$0"' {} \;

nixos/components/media/tts.nix

@@ -0,0 +1,74 @@
+{ pkgs, config, lib, ... }:
+with lib;
+{
+
+  options.components.media.tts-server.enable = mkOption {
+    type = lib.types.bool;
+    #default = config.components.media.enable;
+    default = false;
+  };
+
+  options.components.media.tts-client.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.media.enable;
+  };
+
+  config = mkMerge [
+
+    (mkIf (config.components.media.tts-client.enable) {
+      environment.systemPackages = [
+        pkgs.espeak-ng
+        pkgs.tts
+        (pkgs.writers.writeDashBin "tts-en" ''
+          ${pkgs.tts}/bin/tts --model_name "tts_models/en/ljspeech/vits" "$@"
+        '')
+        (pkgs.writers.writeDashBin "tts-de" ''
+          ${pkgs.tts}/bin/tts --model_name "tts_models/de/thorsten/vits" "$@"
+        '')
+      ];
+    })
+
+    (mkIf (config.components.media.tts-server.enable) {
+
+      # find models with ${pkgs.tts}/bin/tts --list_models
+      services.tts = {
+        servers = {
+          english = {
+            enable = true;
+            port = 5300;
+            #model = "tts_models/en/ljspeech/tacotron2-DDC";
+            model = "tts_models/en/ljspeech/vits";
+          };
+          german = {
+            enable = true;
+            port = 5301;
+            #model = "tts_models/de/thorsten/tacotron2-DDC";
+            model = "tts_models/de/thorsten/vits";
+          };
+        };
+      };
+      # fixes some issues
+      systemd.services.tts-german.serviceConfig.RestrictAddressFamilies = [
+        "AF_UNIX"
+      ];
+      systemd.services.tts-english.serviceConfig.RestrictAddressFamilies = [
+        "AF_UNIX"
+      ];
+
+      services.nginx = {
+        recommendedProxySettings = true;
+        enable = true;
+        virtualHosts."tts.${config.networking.hostName}.private" = {
+          locations."/".proxyPass = "http://localhost:${toString config.services.tts.servers.english.port}";
+        };
+        virtualHosts."en.tts.${config.networking.hostName}.private" = {
+          locations."/".proxyPass = "http://localhost:${toString config.services.tts.servers.english.port}";
+        };
+        virtualHosts."de.tts.${config.networking.hostName}.private" = {
+          locations."/".proxyPass = "http://localhost:${toString config.services.tts.servers.german.port}";
+        };
+      };
+
+    })
+  ];
+}

nixos/components/media/video.nix

@@ -0,0 +1,162 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  obs-cmd = pkgs.unstable.rustPlatform.buildRustPackage
+    rec {
+      pname = "obs-cmd";
+      version = "v0.15.2";
+      src = pkgs.fetchFromGitHub {
+        owner = "grigio";
+        repo = "obs-cmd";
+        rev = version;
+        sha256 = "sha256-RRkP0QLWcJLKv8oqESjMgHGW1QScANG7+fzR/rwSyDI=";
+      };
+
+      cargoSha256 = "sha256-JqR7MAt2VNEnZGbn+hExtFG6F7X0KhFM1n7GZ+QaHc0=";
+      #cargoSha256 = fakeSha256;
+
+      meta = with lib; {
+        description = "a minimal obs CLI for obs-websocket v5";
+        homepage = "https://github.com/grigio/obs-cmd";
+        license = licenses.mit;
+        maintainers = [ maintainers.mrVanDalo ];
+        platforms = platforms.all;
+      };
+    };
+
+  # Lassulus streaming setup
+  # -------------------------
+  # ffmpeg \
+  #   -f pulse \
+  #   -i default \
+  #   -vaapi_device /dev/dri/renderD128 \
+  #   -f x11grab \
+  #   -video_size 1366x768 \
+  #   -i :0 \
+  #   -vf 'hwupload,scale_vaapi=format=nv12' \
+  #   -c:v h264_vaapi \
+  #   -c:a aac \
+  #   -b:a 96k \
+  #   -af "highpass=f=200, lowpass=f=3000" \
+  #   -qp 30 \
+  #   -f flv \
+  #   rtmp://lassul.us:1935/stream/nixos \
+  #   ./rc3-output-$(date +%d%H%M%S).mp4
+  #
+  # Dann abspielen mit :
+  # mpv rtmp://lassul.us:1935/stream/nixos
+
+  # show keyboard input on desktop for screencasts
+  screenKey = pkgs.symlinkJoin {
+    name = "screen-keys";
+    paths =
+      let
+        screenKeyScript = { position ? "bottom", size ? "small", ... }:
+          pkgs.writeShellScriptBin "screenkeys-${position}-${size}" # sh
+            ''
+              ${pkgs.screenkey}/bin/screenkey \
+                                --no-detach \
+                                --bg-color '#fdf6e3' \
+                                --font-color '#073642' \
+                                -p ${position} \
+                                -s ${size} \
+                                "$@"
+            '';
+      in
+      lib.flatten (lib.flip map [ "large" "small" "medium" ] (size:
+        lib.flip map [ "top" "center" "bottom" ]
+          (position: screenKeyScript { inherit size position; })));
+  };
+
+
+  mpvReview =
+    let
+      moveToDir = key: dir: pkgs.writeText "move-with-${key}.lua" ''
+        tmp_dir = "${dir}"
+
+        function move_current_track_${key}()
+          track = mp.get_property("path")
+          os.execute("mkdir -p '" .. tmp_dir .. "'")
+          os.execute("mv '" .. track .. "' '" .. tmp_dir .. "'")
+          print("moved '" .. track .. "' to " .. tmp_dir)
+          mp.command("playlist-next")
+        end
+
+        mp.add_key_binding("${key}", "move_current_track_${key}", move_current_track_${key})
+      '';
+      delete = moveToDir "D" "./.graveyard";
+      good = moveToDir "G" "./.good";
+    in
+    pkgs.writers.writeDashBin "mpv-review" ''
+      exec ${pkgs.mpv}/bin/mpv --no-config --script=${delete} --script=${good} "$@"
+    '';
+
+  alphaSafe = pkgs.writers.writeBashBin "alpha-safe" ''
+    export PATH=${pkgs.gnused}/bin:$PATH
+    echo "$1" | sed 's/[^a-zA-Z0-9]/-/g' | sed 's/--/-/g' | sed 's/-$//g'
+  '';
+
+  sanitizeFolder = pkgs.writers.writeBashBin "sanitize-folder" (fileContents ./sanitize_folder.sh);
+
+in
+{
+
+  options.components.media.video.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.media.enable;
+  };
+
+  config = mkIf (config.components.media.video.enable) {
+
+
+    home-manager.sharedModules = [
+      {
+        programs.obs-studio = {
+          enable = true;
+          plugins = with pkgs.obs-studio-plugins; [
+            obs-backgroundremoval
+            obs-vaapi
+          ];
+        };
+      }
+    ];
+
+
+    boot.kernelModules = [ "v4l2loopback" ];
+    boot.extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];
+
+    environment.systemPackages = with pkgs; [
+      unstable.youtube-dl
+      unstable.yt-dlp
+      mplayer
+      mpv
+      mpvReview
+
+      # sanitazion
+      alphaSafe
+      sanitizeFolder
+
+
+      # obs studio stuff
+      unstable.obs-cli
+      v4l-utils
+      obs-cmd
+
+      # to record your screen
+      # ---------------------
+      simplescreenrecorder
+      screenKey
+      #obs-studio
+
+      # to transcode video material
+      # ---------------------------
+      handbrake
+      ffmpeg-full
+
+
+    ];
+  };
+}
+

nixos/components/monitor/container.nix

@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+with lib;
+with types;
+{
+  imports = [ ./default.nix ];
+
+  config = {
+    components.monitor.enable = mkDefault true;
+    components.monitor.metrics.enable = mkDefault false;
+    components.monitor.opentelemetry.enable = false;
+
+    services.journald.extraConfig = "SystemMaxUse=1G";
+  };
+
+}

nixos/components/monitor/default.nix

@@ -0,0 +1,32 @@
+{ lib, config, ... }:
+with lib;
+with types;
+{
+
+  options.components.monitor = {
+    enable = mkOption {
+      type = bool;
+      default = true;
+    };
+    metrics.enable = mkOption {
+      type = bool;
+      default = config.components.monitor.enable;
+    };
+    logs.enable = mkOption {
+      type = bool;
+      default = config.components.monitor.enable;
+    };
+  };
+
+  imports = [
+    ./logs-promtail.nix
+    ./metrics-export-zfs.nix
+    ./metrics-netdata.nix
+    ./metrics-prometheus.nix
+    ./metrics-telegraf.nix
+    ./opentelemetry.nix
+  ];
+
+  config = mkIf config.components.monitor.enable { };
+
+}

nixos/components/monitor/logs-promtail.nix

@@ -0,0 +1,178 @@
+{ config, lib, ... }:
+with lib;
+with types;
+let
+  cfg = config.components.monitor.promtail;
+in
+{
+  options.components.monitor.promtail = {
+    enable = mkOption {
+      type = lib.types.bool;
+      default = config.components.monitor.logs.enable;
+    };
+    port = mkOption {
+      type = int;
+      default = 3500;
+      description = "port to provide promtail export";
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf config.components.monitor.opentelemetry.enable {
+      services.opentelemetry-collector.settings = {
+        receivers.loki = {
+          protocols.http.endpoint = "127.0.0.1:${toString cfg.port}";
+          use_incoming_timestamp = true;
+        };
+        service.pipelines.logs.receivers = [ "loki" ];
+      };
+    })
+
+    (mkIf config.components.monitor.promtail.enable {
+      services.promtail = {
+        enable = true;
+        configuration = {
+          server. disable = true;
+          positions.filename = "/var/cache/promtail/positions.yaml";
+
+          clients = [
+            { url = "http://127.0.0.1:${toString cfg.port}/loki/api/v1/push"; }
+          ];
+
+          scrape_configs =
+
+            let
+              _replace = index: replacement: ''{{ Replace .Value "${toString index}" "${replacement}" 1 }}'';
+              _elseif = index: ''{{ else if eq .Value "${toString index}" }}'';
+              _if = index: ''{{ if eq .Value "${toString index}" }}'';
+              _end = ''{{ end }}'';
+              elseblock = index: replacement: "${_elseif index}${_replace index replacement}";
+              ifblock = index: replacement: "${_if index}${_replace index replacement}";
+              createTemplateLine = list: "${concatStrings (imap0 (index: replacement: if index == 0 then ifblock index replacement else elseblock index replacement) list)}${_end}";
+            in
+            [
+              {
+                job_name = "journal";
+                journal = {
+                  json = true;
+                  max_age = "12h";
+                  labels.job = "systemd-journal";
+                };
+                pipeline_stages = [
+                  {
+                    # Set of key/value pairs of JMESPath expressions. The key will be
+                    # the key in the extracted data while the expression will be the value,
+                    # evaluated as a JMESPath from the source data.
+                    json.expressions = {
+                      # journalctl -o json | jq and you'll see these
+                      boot_id = "_BOOT_ID";
+                      facility = "SYSLOG_FACILITY";
+                      facility_label = "SYSLOG_FACILITY";
+                      instance = "_HOSTNAME";
+                      msg = "MESSAGE";
+                      priority = "PRIORITY";
+                      priority_label = "PRIORITY";
+                      transport = "_TRANSPORT";
+                      unit = "_SYSTEMD_UNIT";
+                      # coredump
+                      #coredump_cgroup = "COREDUMP_CGROUP";
+                      #coredump_exe = "COREDUMP_EXE";
+                      #coredump_cmdline = "COREDUMP_CMDLINE";
+                      #coredump_uid = "COREDUMP_UID";
+                      #coredump_gid = "COREDUMP_GID";
+                    };
+                  }
+                  {
+                    # Set the unit (defaulting to the transport like audit and kernel)
+                    template = {
+                      source = "unit";
+                      template = "{{if .unit}}{{.unit}}{{else}}{{.transport}}{{end}}";
+                    };
+                  }
+                  {
+                    # Normalize session IDs (session-1234.scope -> session.scope) to limit number of label values
+                    replace = {
+                      source = "unit";
+                      expression = "^(session-\\d+.scope)$";
+                      replace = "session.scope";
+                    };
+                  }
+                  {
+                    # Map priority to human readable
+                    template = {
+                      source = "priority_label";
+                      #template = ''{{ if eq .Value "0" }}{{ Replace .Value "0" "emerg" 1 }}{{ else if eq .Value "1" }}{{ Replace .Value "1" "alert" 1 }}{{ else if eq .Value "2" }}{{ Replace .Value "2" "crit" 1 }}{{ else if eq .Value "3" }}{{ Replace .Value "3" "err" 1 }}{{ else if eq .Value "4" }}{{ Replace .Value "4" "warning" 1 }}{{ else if eq .Value "5" }}{{ Replace .Value "5" "notice" 1 }}{{ else if eq .Value "6" }}{{ Replace .Value "6" "info" 1 }}{{ else if eq .Value "7" }}{{ Replace .Value "7" "debug" 1 }}{{ end }}'';
+                      template = createTemplateLine [
+                        "emergency"
+                        "alert"
+                        "critical"
+                        "error"
+                        "warning"
+                        "notice"
+                        "info"
+                        "debug"
+                      ];
+                    };
+                  }
+                  {
+                    # Map facility to human readable
+                    template =
+                      {
+                        source = "facility_label";
+                        template = createTemplateLine [
+                          "kern" # Kernel messages
+                          "user" # User-level messages
+                          "mail" # Mail system	Archaic POSIX still supported and sometimes used (for more mail(1))
+                          "daemon" # System daemons	All daemons, including systemd and its subsystems
+                          "auth" # Security/authorization messages	Also watch for different facility 10
+                          "syslog" # Messages generated internally by syslogd	For syslogd implementations (not used by systemd, see facility 3)
+                          "lpr" # Line printer subsystem (archaic subsystem)
+                          "news" # Network news subsystem (archaic subsystem)
+                          "uucp" # UUCP subsystem (archaic subsystem)
+                          "clock" # Clock daemon	systemd-timesyncd
+                          "authpriv" # Security/authorization messages	Also watch for different facility 4
+                          "ftp" # FTP daemon
+                          "-" # NTP subsystem
+                          "-" # Log audit
+                          "-" # Log alert
+                          "cron" # Scheduling daemon
+                          "local0" # Local use 0 (local0)
+                          "local1" # Local use 1 (local1)
+                          "local2" # Local use 2 (local2)
+                          "local3" # Local use 3 (local3)
+                          "local4" # Local use 4 (local4)
+                          "local5" # Local use 5 (local5)
+                          "local6" # Local use 6 (local6)
+                          "local7" # Local use 7 (local7)
+                        ];
+                      };
+                  }
+                  {
+                    # Key is REQUIRED and the name for the label that will be created.
+                    # Value is optional and will be the name from extracted data whose value
+                    # will be used for the value of the label. If empty, the value will be
+                    # inferred to be the same as the key.
+                    labels = {
+                      boot_id = "";
+                      facility = "";
+                      facility_label = "";
+                      instance = "";
+                      priority = "";
+                      priority_label = "";
+                      transport = "";
+                      unit = "";
+                    };
+                  }
+                  {
+                    # Write the proper message instead of JSON
+                    output.source = "msg";
+                  }
+                ];
+              }
+            ];
+        };
+      };
+    })
+  ];
+}

nixos/components/monitor/metrics-export-zfs.nix

@@ -0,0 +1,32 @@
+{ pkgs, config, lib, ... }:
+with lib;
+with types;
+{
+  options.components.monitor.exporters.zfs.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.monitor.metrics.enable;
+  };
+
+  config = mkMerge [
+    (mkIf config.components.monitor.exporters.zfs.enable {
+
+      services.telegraf.extraConfig.inputs.zfs = { };
+
+      services.prometheus.exporters.zfs.enable = true;
+      services.opentelemetry-collector.settings = {
+        receivers.prometheus.config.scrape_configs = [
+          {
+            job_name = "zfs";
+            scrape_interval = "10s";
+            static_configs = [{
+              targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}" ];
+            }];
+          }
+        ];
+        service.pipelines.metrics.receivers = [ "prometheus" ];
+      };
+
+    })
+  ];
+
+}

nixos/components/monitor/metrics-netdata.nix

@@ -0,0 +1,35 @@
+{ lib, pkgs, config, ... }:
+with lib;
+with types;
+{
+  options.components.monitor.netdata = {
+    enable = mkOption {
+      type = bool;
+      default = config.components.monitor.metrics.enable;
+    };
+  };
+
+  config = mkIf config.components.monitor.netdata.enable {
+
+    # netdata sink
+    services.opentelemetry-collector.settings.receivers.prometheus.config.scrape_configs = [
+      {
+        job_name = "netdata";
+        scrape_interval = "10s";
+        metrics_path = "/api/v1/allmetrics";
+        params.format = [ "prometheus" ];
+        static_configs = [{ targets = [ "127.0.0.1:19999" ]; }];
+      }
+    ];
+
+    # https://docs.netdata.cloud/daemon/config/
+    services.netdata = {
+      enable = lib.mkDefault true;
+      config = {
+        global = {
+          "memory mode" = "ram";
+        };
+      };
+    };
+  };
+}

nixos/components/monitor/metrics-prometheus.nix

@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+with lib;
+with types;
+let
+  cfg = config.components.monitor.prometheus;
+in
+{
+  options.components.monitor.prometheus = {
+    enable = mkOption {
+      type = lib.types.bool;
+      default = config.components.monitor.metrics.enable;
+    };
+    port = mkOption {
+      type = int;
+      default = 8090;
+      description = "port to provide Prometheus export";
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf config.components.monitor.prometheus.enable {
+      services.prometheus = {
+        checkConfig = "syntax-only";
+        enable = true;
+      };
+    })
+
+    (mkIf config.components.monitor.prometheus.enable {
+      services.opentelemetry-collector.settings = {
+        exporters.prometheus.endpoint = "127.0.0.1:${toString cfg.port}";
+        service.pipelines.metrics.exporters = [ "prometheus" ];
+      };
+      services.prometheus.scrapeConfigs = [
+        {
+          job_name = "opentelemetry";
+          metrics_path = "/metrics";
+          scrape_interval = "10s";
+          static_configs = [{ targets = [ "localhost:${toString cfg.port}" ]; }];
+        }
+      ];
+    })
+
+  ];
+}

nixos/components/monitor/metrics-telegraf.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with types;
+let
+  cfg = config.components.monitor.telegraf;
+in
+{
+  options.components.monitor.telegraf = {
+    enable = mkOption {
+      type = lib.types.bool;
+      default = config.components.monitor.metrics.enable;
+    };
+    influxDBPort = mkOption {
+      type = int;
+      default = 8088;
+      description = "Port to listen on influxDB input";
+    };
+  };
+
+  config = lib.mkMerge [
+    (mkIf config.components.monitor.telegraf.enable {
+      # opentelemetry wireing
+      services.opentelemetry-collector.settings = {
+        receivers.influxdb.endpoint = "127.0.0.1:${toString cfg.influxDBPort}";
+        service.pipelines.metrics.receivers = [ "influxdb" ];
+      };
+      services.telegraf.extraConfig.outputs.influxdb_v2.urls = [ "http://127.0.0.1:${toString cfg.influxDBPort}" ];
+    })
+
+    (mkIf config.components.monitor.telegraf.enable {
+
+      systemd.services.telegraf.path = [ pkgs.inetutils ];
+
+      services.telegraf = {
+        enable = true;
+        extraConfig = {
+          # https://github.com/influxdata/telegraf/tree/master/plugins/inputs < all them plugins
+          inputs = {
+            cpu = { };
+            diskio = { };
+            processes = { };
+            system = { };
+            systemd_units = { };
+            ping = [{ urls = [ "10.100.0.1" ]; }]; # actually important to make machine visible over wireguard
+          };
+        };
+      };
+    })
+  ];
+}

nixos/components/monitor/opentelemetry.nix

@@ -0,0 +1,205 @@
+{ pkgs, config, lib, ... }:
+with lib;
+with types;
+let
+  cfg = config.components.monitor.opentelemetry;
+in
+{
+  options.components.monitor.opentelemetry = {
+    enable = mkOption {
+      type = bool;
+      default = config.components.monitor.enable;
+      description = "weather or not to use opentelemetry";
+    };
+    receiver.endpoint = mkOption {
+      type = nullOr str;
+      default = null;
+      description = "endpoint to receive the opentelementry data from other collectors";
+    };
+    exporter.endpoint = mkOption {
+      type = nullOr str;
+      default = null;
+      description = "endpoint to ship opentelementry data too";
+    };
+    exporter.debug = mkOption {
+      type = nullOr (enum [ "logs" "metrics" ]);
+      default = null;
+      description = "enable debug exporter.";
+    };
+    metrics.endpoint = mkOption {
+      type = str;
+      default = "127.0.0.1:8100";
+      description = "endpoint on where to provide opentelementry metrics";
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf config.components.monitor.opentelemetry.enable {
+      services.opentelemetry-collector = {
+        enable = true;
+        package = pkgs.unstable.opentelemetry-collector-contrib;
+      };
+    })
+
+    # add default tags to metrics
+    # todo : make sure we filter out metrics from otlp receivers
+    (mkIf config.components.monitor.enable {
+      services.opentelemetry-collector.settings = {
+
+        processors = {
+
+          # https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/processor/resourcedetectionprocessor/README.md
+          "resourcedetection/system" = {
+            detectors = [ "system" ];
+            override = false;
+            system.hostname_sources = [ "os" ];
+          };
+
+          metricstransform.transforms = [
+            {
+              include = ".*";
+              match_type = "regexp";
+              action = "update";
+              operations = [{
+                action = "add_label";
+                new_label = "machine";
+                new_value = config.networking.hostName;
+              }];
+            }
+          ];
+        };
+      };
+    })
+    (mkIf config.components.monitor.metrics.enable {
+      services.opentelemetry-collector.settings = {
+        service.pipelines.metrics.processors = [
+          "metricstransform"
+          "resourcedetection/system"
+        ];
+      };
+    })
+    (mkIf config.components.monitor.logs.enable {
+      services.opentelemetry-collector.settings = {
+        service.pipelines.logs.processors = [ "resourcedetection/system" ];
+      };
+    })
+
+
+    (mkIf (config.components.monitor.opentelemetry.exporter.debug != null) {
+      services.opentelemetry-collector.settings = {
+        exporters.debug = {
+          verbosity = "detailed";
+          sampling_initial = 5;
+          sampling_thereafter = 200;
+        };
+        service.pipelines.${config.components.monitor.opentelemetry.exporter.debug} = {
+          exporters = [ "debug" ];
+        };
+
+      };
+    })
+
+    # ship to next instance
+    (mkIf (config.components.monitor.opentelemetry.exporter.endpoint != null) {
+      services.opentelemetry-collector.settings = {
+        exporters.otlp = {
+          endpoint = cfg.exporter.endpoint;
+          tls.insecure = true;
+        };
+      };
+    })
+    (mkIf
+      (
+        config.components.monitor.opentelemetry.exporter.endpoint != null &&
+        config.components.monitor.logs.enable
+      )
+      {
+        services.opentelemetry-collector.settings = {
+          service.pipelines.logs.exporters = [ "otlp" ];
+        };
+      })
+    (mkIf
+      (
+        config.components.monitor.opentelemetry.exporter.endpoint != null &&
+        config.components.monitor.metrics.enable
+      )
+      {
+        services.opentelemetry-collector.settings = {
+          service.pipelines.metrics.exporters = [ "otlp" ];
+        };
+      })
+
+    # ship from other instance
+    (mkIf (config.components.monitor.opentelemetry.receiver.endpoint != null) {
+      services.opentelemetry-collector.settings = {
+        receivers.otlp.protocols.grpc.endpoint = cfg.receiver.endpoint;
+      };
+    })
+    (mkIf
+      (
+        config.components.monitor.opentelemetry.receiver.endpoint != null &&
+        config.components.monitor.logs.enable
+      )
+      {
+        services.opentelemetry-collector.settings = {
+          service.pipelines.logs.receivers = [ "otlp" ];
+        };
+      })
+    (mkIf
+      (
+        config.components.monitor.opentelemetry.receiver.endpoint != null &&
+        config.components.monitor.metrics.enable
+      )
+      {
+        services.opentelemetry-collector.settings = {
+          service.pipelines.metrics.receivers = [ "otlp" ];
+        };
+      })
+
+
+
+    # scrape opentelemetry-colectors metrics
+    # todo: this should be collected another way (opentelemetry internal?)
+    # todo : enable me only when metrics.endpoint is set.
+    (mkIf config.components.monitor.metrics.enable {
+      services.opentelemetry-collector.settings = {
+        receivers = {
+          prometheus.config.scrape_configs = [
+            {
+              job_name = "otelcol";
+              scrape_interval = "10s";
+              static_configs = [{
+                targets = [ cfg.metrics.endpoint ];
+              }];
+              metric_relabel_configs = [
+                {
+                  source_labels = [ "__name__" ];
+                  regex = ".*grpc_io.*";
+                  action = "drop";
+                }
+              ];
+            }
+          ];
+        };
+
+        service = {
+          pipelines.metrics = {
+            receivers = [ "prometheus" ];
+          };
+
+          # todo : this should be automatically be collected
+          # open telemetries own metrics?
+          telemetry.metrics.address = cfg.metrics.endpoint;
+        };
+
+      };
+    })
+    (mkIf (! config.components.monitor.metrics.enable) {
+      services.opentelemetry-collector.settings = {
+        service.telemetry.metrics.level = "none";
+      };
+    })
+  ];
+
+}

nixos/components/network/avahi.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+
+  # true => ping chungus  working
+  # false => ping chungus  not working
+  services.resolved = {
+    llmnr = "false";
+    #extraConfig = "mDNS=false";
+  };
+
+  #systemd.services.systemd-resolved.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug";
+
+  #services.avahi.enable = false;
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    extraConfig = ''
+      [server]
+      disallow-other-stacks=yes
+    '';
+    interfaces = [ "tinc.private" ];
+  };
+}

nixos/components/network/default.nix

@@ -1,8 +1,24 @@
-{ ... }:
+{ pkgs, lib, ... }:
+with lib;
+with types;
 {
+  options.components.network = {
+    enable = mkOption {
+      type = bool;
+      default = true;
+    };
+  };
+
   imports = [
-    ./sshd
-    ./tinc
+    #./avahi.nix
     ./hosts.nix
+    ./nginx.nix
+    ./sshd
+    ./syncthing.nix
+    ./tinc
+    ./wifi.nix
+    ./wireguard.nix
   ];
+
+  config = mkIf config.components.network.enable { };
 }

nixos/components/network/hosts.nix

@@ -1,6 +1,6 @@
 {
   networking.extraHosts = ''
-    192.168.0.24 scanner
     144.76.13.147 robi
+    95.216.66.212 orbi
   '';
 }

nixos/components/network/nginx.nix

@@ -0,0 +1,279 @@
+{ config, lib, pkgs, assets, ... }:
+with lib;
+{
+  options.components.network.nginx.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.network.enable;
+  };
+
+  options.components.network.nginx.landingpage.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.network.nginx.enable;
+  };
+
+  config = mkMerge [
+    (mkIf (config.components.network.nginx.enable) {
+
+      environment.systemPackages = [
+        pkgs.nginx-config-formatter
+        (pkgs.writers.writePython3Bin "nginx-show-config" { flakeIgnore = [ "E265" "E225" "W292" ]; }
+          (lib.fileContents "${assets}/nginx-show-config.py"))
+      ];
+
+      security.acme.defaults.email = "contact@ingolf-wagner.de";
+      security.acme.acceptTerms = true;
+
+      services.nginx = {
+
+        # Use recommended settings
+        recommendedGzipSettings = lib.mkDefault true;
+        recommendedOptimisation = lib.mkDefault true;
+        recommendedProxySettings = lib.mkDefault true;
+        recommendedTlsSettings = lib.mkDefault true;
+
+        # for loki logging
+        commonHttpConfig = ''
+          log_format logfmt
+            'timestamp="$time_iso8601" '
+            'facility="nginx" '
+            'src_addr="$remote_addr" '
+            'body_bytes_sent="$body_bytes_sent" '
+            'request_time="$request_time" '
+            'response_status="$status" '
+            'request_method="$request_method" '
+            'request="$request" '
+            'host="$host" '
+            'upstream_cache_status="$upstream_cache_status" '
+            'upstream_addr="$upstream_addr" '
+            'http_x_forwarded_for="$http_x_forwarded_for" '
+            'http_referrer="$http_referer" '
+            'http_user_agent="$http_user_agent" ';
+
+           log_format json_combined escape=json
+             '{'
+                '"time_local":"$time_local",'
+                '"remote_addr":"$remote_addr",'
+                '"remote_user":"$remote_user",'
+                '"request":"$request",'
+                '"status": "$status",'
+                '"body_bytes_sent":"$body_bytes_sent",'
+                '"request_time":"$request_time",'
+                '"http_referrer":"$http_referer",'
+                '"http_user_agent":"$http_user_agent"'
+              '}';
+
+          # log to local journald
+          access_log syslog:server=unix:/dev/log,nohostname logfmt;
+        '';
+
+      };
+
+      services.nginx.package = pkgs.nginxMainline;
+
+    })
+
+    (mkIf (config.components.network.nginx.landingpage.enable) {
+
+      services.nginx.virtualHosts."${config.networking.hostName}.private" = {
+        default = lib.mkDefault true;
+        locations."/" = {
+          root = pkgs.landingpage.override {
+
+
+            jsonConfig = [
+              { title = "System Links"; }
+              {
+                text = "Syncthings";
+                items = map
+                  ({ name, host ? "${name}.private", ... }: {
+                    label = name;
+                    href = "http://${host}:8384/";
+                    image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
+                  })
+                  (lib.flatten (lib.mapAttrsToList (name: { ... }: { inherit name; })
+                    config.services.tinc.networks."private".hostSettings));
+              }
+              {
+                text = "robi";
+                items = [
+                  {
+                    label = "Jellyfin";
+                    href = "http://flix.ingolf-wagner.de/";
+                    image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif";
+                  }
+                  {
+                    label = "netdata";
+                    href = "http://robi.private:19999/";
+                    image = "https://media.giphy.com/media/BkjdN6MQCDPaw/giphy.gif";
+                  }
+                  {
+                    label = "logs";
+                    href = "http://grafana.robi.private/explore";
+                    image = "https://raw.githubusercontent.com/cncf/landscape/master/hosted_logos/grafana-loki.svg";
+                  }
+                  {
+                    label = "grafana";
+                    href = "http://grafana.robi.private/";
+                    image = "https://www.vectorlogo.zone/logos/grafana/grafana-icon.svg";
+                  }
+                  {
+                    label = "prometheus";
+                    href = "http://prometheus.robi.private/";
+                    image = "https://www.vectorlogo.zone/logos/prometheusio/prometheusio-icon.svg";
+                  }
+
+                ];
+              }
+              {
+                text = "chungus";
+                items = [
+                  {
+                    label = "HomeAssistant";
+                    href = "http://chungus.private:8123/";
+                    image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif";
+                  }
+                  {
+                    label = "Zigbee2Mqtt";
+                    href = "http://chungus.private:9666/";
+                    image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif";
+                  }
+                  {
+                    label = "Flix";
+                    href = "http://chungus:8096/";
+                    image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif";
+                  }
+                  {
+                    label = "netdata";
+                    href = "http://chungus.private:19999/";
+                    image = "https://media.giphy.com/media/BkjdN6MQCDPaw/giphy.gif";
+                  }
+                  {
+                    label = "logs";
+                    href = "http://grafana.chungus.private/explore";
+                    image = "https://raw.githubusercontent.com/cncf/landscape/master/hosted_logos/grafana-loki.svg";
+                  }
+                  {
+                    label = "grafana";
+                    href = "http://grafana.chungus.private/";
+                    image = "https://www.vectorlogo.zone/logos/grafana/grafana-icon.svg";
+                  }
+                  {
+                    label = "prometheus";
+                    href = "http://prometheus.chungus.private/";
+                    image = "https://www.vectorlogo.zone/logos/prometheusio/prometheusio-icon.svg";
+                  }
+                  {
+                    label = "Kitchen";
+                    href = "http://192.168.178.101/";
+                    image = "https://i.giphy.com/3o7TKsrMIW65QT7VWo.webp";
+                  }
+                  {
+                    label = "Living Room";
+                    href = "http://192.168.178.102/";
+                    image = "https://i.giphy.com/3o7TKsrMIW65QT7VWo.webp";
+                  }
+                ];
+              }
+              {
+                title = "Various Links";
+                items = [
+                  {
+                    label = "Terrapen";
+                    href = "http://192.168.178.31/";
+                    image = "https://i.giphy.com/W08brEWFt7EpA5y2jI.webp";
+                  }
+                  {
+                    label = "NeverSSL";
+                    href = "https://oldslowfreshlight.neverssl.com/";
+                    image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif";
+                  }
+                  {
+                    label = "Hetzner Cloud";
+                    href = "https://console.hetzner.cloud/projects";
+                    image =
+                      "https://media.giphy.com/media/NECZ8crkbXR0k/giphy.gif";
+                  }
+                  {
+                    label = "Pass the Popcorn";
+                    href = "https://passthepopcorn.me/";
+                    image =
+                      "https://media.giphy.com/media/NipFetnQOuKhW/giphy.gif";
+                  }
+                  {
+                    label = "redacted";
+                    href = "https://redacted.ch/";
+                    image =
+                      "https://media.giphy.com/media/ku5EcFe4PNGWA/giphy.gif";
+                  }
+                  {
+                    label = "Cups";
+                    href = "http://localhost:631/";
+                    image =
+                      "https://media.giphy.com/media/7hU7x4GPurk2c/giphy.gif";
+                  }
+                ];
+              }
+              {
+                text = "NixOS Links";
+                items = [
+                  {
+                    label = "NixOS Manual";
+                    href = "https://nixos.org/nixos/manual/";
+                    image =
+                      "https://media.giphy.com/media/dsdVyKkSqccEzoPufX/giphy.gif";
+                  }
+                  {
+                    label = "Nixpkgs Manual";
+                    href = "https://nixos.org/nixpkgs/manual/";
+                    image =
+                      "https://media.giphy.com/media/dsdVyKkSqccEzoPufX/giphy.gif";
+                  }
+                  {
+                    label = "NixOS Reference";
+                    href =
+                      "https://storage.googleapis.com/files.tazj.in/nixdoc/manual.html#sec-functions-library";
+                    image =
+                      "https://media.giphy.com/media/LkjlH3rVETgsg/giphy.gif";
+                  }
+                  {
+                    label = "Nix Packages";
+                    href = "https://nixos.org/nixos/packages.html";
+                    image =
+                      "https://media.giphy.com/media/l2YWlohvjPnsvkdEc/giphy.gif";
+                  }
+                  {
+                    label = "NixOS Language specific helpers";
+                    href =
+                      "https://nixos.wiki/wiki/Language-specific_package_helpers";
+                    image =
+                      "https://media.giphy.com/media/LkjlH3rVETgsg/giphy.gif";
+                  }
+                  {
+                    label = "NixOS Weekly";
+                    href = "https://weekly.nixos.org/";
+                    image =
+                      "https://media.giphy.com/media/lXiRLb0xFzmreM8k8/giphy.gif";
+                  }
+                  {
+                    label = "NixOS Security";
+                    href = "https://broken.sh/";
+                    image =
+                      "https://media.giphy.com/media/BqILAHjH1Ttm0/giphy.gif";
+                  }
+                  {
+                    label = "NixOS RFCs";
+                    href = "https://github.com/NixOS/rfcs/";
+                    image =
+                      "https://media.giphy.com/media/Uq9bGjGKg08M0/giphy.gif";
+                  }
+                ];
+              }
+              { urlEncode = true; }
+            ];
+
+          };
+        };
+      };
+    })
+  ];
+}

nixos/components/network/sshd/default.nix

@@ -1,35 +1,60 @@
 { pkgs, config, lib, ... }:
-
 with lib;
 with types;
-
 let
-  cfg = config.component.network.sshd;
   defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
+  cfg = config.components.network.sshd;
+
+  # maybe ascii-image-converter is also nice here
+  sshBanner = pkgs.runCommand "ssh-banner"
+    {
+      nativeBuildInputs = [
+        (pkgs.boxes.overrideAttrs (old: rec {
+          version = "2.3.0";
+          src = pkgs.fetchFromGitHub {
+            owner = "ascii-boxes";
+            repo = "boxes";
+            rev = "v${version}";
+            sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
+          };
+          nativeBuildInputs = old.nativeBuildInputs ++ [
+            pkgs.libunistring
+            pkgs.pcre2
+            pkgs.ncurses
+          ];
+          installPhase = ''
+            install -Dm755 -t $out/bin out/boxes
+            install -Dm644 -t $out/share/boxes boxes-config
+            install -Dm644 -t $out/share/man/man1 doc/boxes.1
+          '';
+        }))
+      ];
+    } ''
+    echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
+  '';
+
+
 in
 {
 
   imports = [
     ./known-hosts-bootup.nix
-    ./known-hosts-private.nix
     ./known-hosts-public.nix
   ];
 
-  options.component.network.sshd = {
+  options.components.network.sshd = {
     enable = mkOption {
       type = bool;
       default = true;
-      description = "add ssh tools";
     };
     rootKeyFiles = mkOption {
       type = with types; listOf path;
       default = [ ];
       description = "keys to root login";
     };
-    tools.enable = mkOption {
+    sshguard.enable = mkOption {
       type = bool;
-      default = true;
-      description = "add ssh tools";
+      default = config.components.network.sshd.enable;
     };
     onlyTincAccess = mkOption {
       type = bool;
@@ -42,36 +67,28 @@ in
 
   config = mkMerge [
 
-    (mkIf cfg.tools.enable {
-      environment.systemPackages = [ pkgs.sshfs ];
-    })
-
     (mkIf cfg.enable {
 
+      environment.systemPackages = [
+        pkgs.sshfs
+        pkgs.mosh
+      ];
+
       services.openssh = {
         enable = true;
-        forwardX11 = false;
-        passwordAuthentication = false;
+        settings.X11Forwarding = false;
+        settings.PasswordAuthentication = false;
       };
 
-      users.users.root.openssh.authorizedKeys.keyFiles =
-        cfg.rootKeyFiles ++ defaultRootKeyFiles;
+      users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
 
-      services.openssh.extraConfig = ''
-        Banner /etc/ssh/banner-line
-      '';
+      services.openssh.banner = builtins.readFile sshBanner;
 
-      environment.etc."ssh/banner-line".text =
-        let
-          text = config.networking.hostName;
-          size = 80 - (lib.stringLength text);
-          space = lib.fixedWidthString size " " "";
-        in
-        ''
-          ────────────────────────────────────────────────────────────────────────────────
-          ${space}${text}
-        '';
+    })
 
+    (mkIf cfg.sshguard.enable {
+      environment.systemPackages = [ pkgs.ipset ];
+      services.sshguard.enable = lib.mkDefault true;
     })
 
     (mkIf (cfg.onlyTincAccess && cfg.enable) {

nixos/components/network/sshd/known-hosts-bootup.nix

@@ -8,56 +8,78 @@ let
       # SHA256:aOZbqpgc5CcTNtRAzjuG/0BQZ9MF5c9u/N+UC88y8kI
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5K4UHD8cIcXB33UiOj5vyXJj+4CyyiLFDMwcyad92a";
     };
-
+    chungus = {
+      onionId = fileContents "${private_assets}/onion_id_chungus";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJpPfGAiARWgZbID+2IIT9dbo/PqgG/pkFsBaBUKGiu";
+    };
   };
 
 in
 {
 
-  services.openssh.knownHosts = {
-    "robi-init-ssh" = {
-      hostNames = [
-        "[robi]:2222"
-        "[144.76.13.147]:2222"
-      ];
-      # SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ";
-    };
-  } // (mapAttrs'
-    (name:
-      { onionId, publicKey, ... }: {
-        name = "${name}-init-ssh";
-        value = {
-          hostNames = [ "[${onionId}]:2222" ];
-          inherit publicKey;
-        };
-      })
-    computers);
+  config = mkIf (config.components.network.sshd.enable) {
 
-  environment.systemPackages =
-    let
+    services.openssh.knownHosts = {
+      "robi-init-ssh" = {
+        hostNames = [
+          "[robi]:2222"
+          "[144.76.13.147]:2222"
+        ];
+        # SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ";
+      };
+    } // (mapAttrs'
+      (name:
+        { onionId, publicKey, ... }: {
+          name = "${name}-init-ssh";
+          value = {
+            hostNames = [ "[${onionId}]:2222" ];
+            inherit publicKey;
+          };
+        })
+      computers);
 
-      ssh = mapAttrsToList
-        (name:
-          { onionId, ... }:
-          pkgs.writers.writeDashBin "ssh-boot-to-${name}" ''
-            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
-          '')
-        computers;
+    environment.systemPackages =
+      let
 
-      password = mapAttrsToList
-        (name:
-          { onionId, ... }:
-          pkgs.writers.writeDashBin "unlock-boot-${name}" ''
-            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 '
-            echo -n "enter password : "
-            read password
-            echo "$password" > /crypt-ramfs/passphrase
-            '
-          '')
-        computers;
+        sshTor = mapAttrsToList
+          (name:
+            { onionId, ... }:
+            pkgs.writers.writeDashBin "ssh-boot-to-${name}-via-tor" ''
+              ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
+            '')
+          computers;
 
-    in
-    ssh ++ password;
+        passwordTor = mapAttrsToList
+          (name:
+            { onionId, ... }:
+            pkgs.writers.writeDashBin "unlock-boot-${name}-via-tor" ''
+              ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 '
+              echo -n "enter password : "
+              read password
+              echo "$password" > /crypt-ramfs/passphrase
+              '
+            '')
+          computers;
 
+        unlockInit = mapAttrsToList
+          (name:
+            { public_ip, ... }:
+            pkgs.writers.writeDashBin "unlock-boot-${name}" ''
+              ${pkgs.openssh}/bin/ssh root@${public_ip} -p 2222 '
+              echo -n "enter password : "
+              read password
+              echo "$password" | systemctl default
+              '
+            '')
+          {
+            orbi = {
+              public_ip = "95.216.66.212";
+            };
+          };
+
+      in
+      sshTor ++ passwordTor ++ unlockInit;
+
+  };
 }

nixos/components/network/sshd/known-hosts-private.nix

@@ -1,64 +0,0 @@
-# generated by updateSshKeys.sh
-{ config, lib, ... }: {
-
-  services.openssh.knownHosts = {
-    #"robi_init" = {
-    #  hostNames = [
-    #    "robi:2222"
-    #    "144.76.13.147:2222"
-    #  ];
-    #  fingerprints
-    #  256 SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g root@rescue (ED25519)
-    # 3072 SHA256:KBVMQLNWaDpzlCZERN9OeEDFAhUoADOZRfenXWHxswU root@rescue (RSA)
-    #  publicKey = "";
-    #};
-    "robi" = {
-      hostNames = [
-        "robi.private"
-        "robi"
-        "144.76.13.147"
-        "git.ingolf-wagner.de"
-        "taskd.ingolf-wagner.de"
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
-    };
-    "sternchen.secret" = {
-      hostNames = [
-        "sternchen.secret"
-        config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
-    };
-    "sterni.private" = {
-      hostNames = [
-        "sterni.private"
-        "sterni.secret"
-        config.module.cluster.services.tinc.private.hosts.sterni.tincIp
-        config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
-    };
-    "pepe.private" = {
-      hostNames = [
-        "pepe.private"
-        "pepe.lan"
-        config.module.cluster.services.tinc.private.hosts.pepe.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
-    };
-    "bobi.private" = {
-      hostNames = [
-        "bobi.private"
-        config.module.cluster.services.tinc.private.hosts.bobi.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
-    };
-    "mobi.private" = {
-      hostNames = [
-        "mobi.private"
-        config.module.cluster.services.tinc.private.hosts.mobi.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
-    };
-  };
-}

nixos/components/network/sshd/known-hosts-public.nix

@@ -1,95 +1,94 @@
-{ config, pkgs, lib, ... }:
-
+{ pkgs, config, lib, ... }:
 with lib;
-
 {
+  config = mkIf (config.components.network.sshd.enable) {
 
-  services.openssh.knownHosts = {
-    github = {
-      hostNames = [
-        "*.github.com"
-        # List generated with
-        # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
-        "192.30.252.*"
-        "192.30.253.*"
-        "192.30.254.*"
-        "192.30.255.*"
-        "185.199.108.*"
-        "185.199.109.*"
-        "185.199.110.*"
-        "185.199.111.*"
-        "13.229.188.59"
-        "13.250.177.223"
-        "18.194.104.89"
-        "18.195.85.27"
-        "35.159.8.160"
-        "52.74.223.119"
-      ];
-      publicKey =
-        "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
-    };
-    gitlab = {
-      hostNames = [ "gitlab.com" ];
-      publicKey =
-        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=";
-    };
-    gitlab-bk = {
-      hostNames = [ "gitlab.bk-bund-berlin.de" "116.203.133.59" ];
-      publicKey =
-        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCG/sjnOlbrmpUliFtM5fmZTcm2wpUoP5OQEzFrrkkwhstCO9fMty9mp5qnKlezYA9+l78RTd218qFjSKYxTQNw=";
-    };
-    # space-left
-    gitlabSpaceLeft = {
-      hostNames = [ "git.space-left.org" ];
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO";
-    };
-    # c-base
-    "bnd-cbase" = {
-      hostNames = [ "bnd.cbrp3.c-base.org" ];
-      publicKey =
-        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKDknNl4M2WZChp1N/eRIpem2AEOceGIqvjo0ptBuwxUn0w0B8MGTVqoI+pnUVypORJRoNrLPOAkmEVr32BDN3E=";
-    };
-    "shell.cbase" = {
-      hostNames = [ "shell.c-base.org" ];
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBKBn0mZtG3KWxpFqqcog8zvdIVrZmwj+ARujuNIAfo";
-    };
-    "kgb.cbase" = {
-      hostNames = [ "kgb.cbrp3.c-base.org" ];
-      publicKey =
-        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdyl7fnnCqomghJ1TDbh5FWFQWFwoO1Y1U/FpmWd8a9RcQvN0Izhg/7A+7ptDxbmpVii8hqfghlqUwtvVy7jo8=";
-    };
-    "cns.cbase" = {
-      hostNames = [ "cns.c-base.org" ];
-      publicKey =
-        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOtlyLA2nMK9Uqpv4EbWS+rZ9Mx4bAjURmH+zrXkuRGBcU1cKm+TZfWe9/rPX57KaMPBDyIygOJIsM2T5SqX90A=";
-    };
-    "lassulus" = {
-      hostNames = [ "[lassul.us]:45621" ];
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
-    };
-    renoise = {
-      hostNames = [ "*.renoise.com" "renoise.com" "94.130.128.97" ];
-      publicKey =
-        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLXxhBlYQJxgcLqKywpl1tI1N/+B5bkptAnR2a3tsRybq0IHZnIkSRGUYcu5zPwJT+bitVw8BvIaGzxI+Zm2ivE=";
-    };
-    git-renoise = {
-      hostNames = [ "[git.renoise.com]:2229" "[94.130.128.97]:2229" ];
-      publicKey =
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmIOTjQsD1TaD9MiECcRqwfAXfRdbI+2pkuF+zhBUkrX41NA4LzifPY4Iw3PlklE0YGIOzYyNitzkdgxIWkeqa0Y9iL3gGZBuLFORj5YXWlDKB2RrPAsZRL8y69y4H6RWPpL6DHHsf9eT+HgRzWzzn5nUFLfkCsuM96BqjIKN1pinIBcE6gst1UUSwSTjK8XZA5d4BiSrLF4HiNXnDm+qniYGbGkzZcjn1ua+l0GdGbfg9TotFnSK/QXgN3MeHHDZKnIjOIkOXCY+L5URe0RHo6pBFdj+BLr211AJhB52MrDNudQcY6eSQiJ08LeE6SkcrsQO/VZ/JnOkHxHd2mOyH";
-    };
-    "siteground" = {
-      hostNames = [ "[es5.siteground.eu]:18765" "[37.60.224.6]:18765" ];
-      publicKey =
-        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZuvHooyHa69rU+SfOghM6yfc7bce5cMi9sh5JkoLPi+m8QEkX3oiG9rRpAhp0GYnB74M4l1+0XlxmG7/HVmq0=";
-    };
-    "cracksucht.de" = {
-      hostNames = [ "cracksucht.de" ];
-      publicKey =
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVqpWzX+C7veO/1MDSdh5ukFhpI4cfXevbl6DVb9gVt1wdYB0JsiMiWfl13MZJy9iEP/KfwRLYmu8i36tDR9uJfHQyLK8G7q2DhrleIPgM3dFCdDU1QtulE8hEq/ZsqzMn/QIHYIipIqzNfmC/xnpX2gIo09T7EY+n863ALlj+GqxMb4nr2XDLY+Lllo2yMzylJIz9q8U5hOmzrlCnBpf2MPMwanHXnZXj2CmO80VyBHnAMJ/h72AN1qzDaHFlhxh0Li/POc1bpDjiVjiUPgimHZWpi3VObxWLLn2zf+RH2lx0yXMccSEnkWvHp+Ll5apIUUS+vTlDo3niWpEfGZLl root@debian";
+    services.openssh.knownHosts = {
+      github = {
+        hostNames = [
+          "*.github.com"
+          # List generated with
+          # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
+          "192.30.252.*"
+          "192.30.253.*"
+          "192.30.254.*"
+          "192.30.255.*"
+          "185.199.108.*"
+          "185.199.109.*"
+          "185.199.110.*"
+          "185.199.111.*"
+          "13.229.188.59"
+          "13.250.177.223"
+          "18.194.104.89"
+          "18.195.85.27"
+          "35.159.8.160"
+          "52.74.223.119"
+        ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+      };
+      gitlab = {
+        hostNames = [ "gitlab.com" ];
+        publicKey =
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=";
+      };
+      gitlab-bk = {
+        hostNames = [ "gitlab.bk-bund-berlin.de" "116.203.133.59" ];
+        publicKey =
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCG/sjnOlbrmpUliFtM5fmZTcm2wpUoP5OQEzFrrkkwhstCO9fMty9mp5qnKlezYA9+l78RTd218qFjSKYxTQNw=";
+      };
+      # space-left
+      gitlabSpaceLeft = {
+        hostNames = [ "git.space-left.org" ];
+        publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO";
+      };
+      # c-base
+      "bnd-cbase" = {
+        hostNames = [ "bnd.cbrp3.c-base.org" ];
+        publicKey =
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKDknNl4M2WZChp1N/eRIpem2AEOceGIqvjo0ptBuwxUn0w0B8MGTVqoI+pnUVypORJRoNrLPOAkmEVr32BDN3E=";
+      };
+      "shell.cbase" = {
+        hostNames = [ "shell.c-base.org" ];
+        publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBKBn0mZtG3KWxpFqqcog8zvdIVrZmwj+ARujuNIAfo";
+      };
+      "kgb.cbase" = {
+        hostNames = [ "kgb.cbrp3.c-base.org" ];
+        publicKey =
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdyl7fnnCqomghJ1TDbh5FWFQWFwoO1Y1U/FpmWd8a9RcQvN0Izhg/7A+7ptDxbmpVii8hqfghlqUwtvVy7jo8=";
+      };
+      "cns.cbase" = {
+        hostNames = [ "cns.c-base.org" ];
+        publicKey =
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOtlyLA2nMK9Uqpv4EbWS+rZ9Mx4bAjURmH+zrXkuRGBcU1cKm+TZfWe9/rPX57KaMPBDyIygOJIsM2T5SqX90A=";
+      };
+      "lassulus" = {
+        hostNames = [ "[lassul.us]:45621" ];
+        publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
+      };
+      renoise = {
+        hostNames = [ "*.renoise.com" "renoise.com" "94.130.128.97" ];
+        publicKey =
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLXxhBlYQJxgcLqKywpl1tI1N/+B5bkptAnR2a3tsRybq0IHZnIkSRGUYcu5zPwJT+bitVw8BvIaGzxI+Zm2ivE=";
+      };
+      git-renoise = {
+        hostNames = [ "[git.renoise.com]:2229" "[94.130.128.97]:2229" ];
+        publicKey =
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmIOTjQsD1TaD9MiECcRqwfAXfRdbI+2pkuF+zhBUkrX41NA4LzifPY4Iw3PlklE0YGIOzYyNitzkdgxIWkeqa0Y9iL3gGZBuLFORj5YXWlDKB2RrPAsZRL8y69y4H6RWPpL6DHHsf9eT+HgRzWzzn5nUFLfkCsuM96BqjIKN1pinIBcE6gst1UUSwSTjK8XZA5d4BiSrLF4HiNXnDm+qniYGbGkzZcjn1ua+l0GdGbfg9TotFnSK/QXgN3MeHHDZKnIjOIkOXCY+L5URe0RHo6pBFdj+BLr211AJhB52MrDNudQcY6eSQiJ08LeE6SkcrsQO/VZ/JnOkHxHd2mOyH";
+      };
+      "siteground" = {
+        hostNames = [ "[es5.siteground.eu]:18765" "[37.60.224.6]:18765" ];
+        publicKey =
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZuvHooyHa69rU+SfOghM6yfc7bce5cMi9sh5JkoLPi+m8QEkX3oiG9rRpAhp0GYnB74M4l1+0XlxmG7/HVmq0=";
+      };
+      "cracksucht.de" = {
+        hostNames = [ "cracksucht.de" ];
+        publicKey =
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVqpWzX+C7veO/1MDSdh5ukFhpI4cfXevbl6DVb9gVt1wdYB0JsiMiWfl13MZJy9iEP/KfwRLYmu8i36tDR9uJfHQyLK8G7q2DhrleIPgM3dFCdDU1QtulE8hEq/ZsqzMn/QIHYIipIqzNfmC/xnpX2gIo09T7EY+n863ALlj+GqxMb4nr2XDLY+Lllo2yMzylJIz9q8U5hOmzrlCnBpf2MPMwanHXnZXj2CmO80VyBHnAMJ/h72AN1qzDaHFlhxh0Li/POc1bpDjiVjiUPgimHZWpi3VObxWLLn2zf+RH2lx0yXMccSEnkWvHp+Ll5apIUUS+vTlDo3niWpEfGZLl root@debian";
+      };
     };
+
   };
-
 }

nixos/components/network/syncthing.nix

@@ -0,0 +1,119 @@
+{ config, lib, pkgs, ... }:
+with lib; {
+
+  services.syncthing = {
+    guiAddress = lib.mkDefault "${config.networking.hostName}.private:8384";
+    overrideDevices = lib.mkDefault true;
+    settings.devices =
+      let
+        device = name: id: {
+          "${name}" = {
+            name = name;
+            id = id;
+            addresses = [ "tcp://${name}.private:22000" ];
+          };
+        };
+      in
+      {
+        "robi" = {
+          name = "robi";
+          id = "B6P22RF-5BC2LTZ-6GHVWRZ-5D3OLXC-D66E45Y-JEB3WYT-ZQ442WZ-5FFAMQ7";
+          addresses = [ "tcp://144.76.13.147:22000" ];
+        };
+        "orbi" = {
+          name = "orbi";
+          id = "5U5ZP6R-SUQO5SY-WICWWLZ-HPHQBM5-P27YSU6-66TWIBK-XLX4X5N-4O6TVAC";
+          addresses = [ "tcp://95.216.66.212:22000" ];
+        };
+      }
+      // (device "mobi" "NGI7UN6-MR2YPYI-L7DGN3I-JFZU2N3-RJBJV6K-2VZVQSJ-PWLZYOK-PXZYRAF")
+      // (device "bobi" "FOJ3D27-W5OJMQR-7S77A3V-AS5BCG2-CIGWVMP-UBSVQNN-QZLHAIZ-IO7GKAE")
+      // (device "cream" "MQVKATH-THTPET5-KYAT7XX-BOIIIBA-P7OOF7Y-IWAUN53-S2VNVOY-BZWTGQK")
+      // (device "cherry" "WX2HZQ7-WAOL6YR-QJYFS2L-SVUJQB4-SKHZHVE-J7XCWLQ-6GRATXX-VJUMOAH")
+      // (device "chungus" "GZGW2YW-6RRUPDN-LFAOATC-56FS7LH-YC7R32N-LVA5JUX-3LSBYOX-BFR67QZ")
+      // (device "iPhone" "APFS6SA-VVTARXU-3WHHRZG-TE5N3T4-X4IC76V-T67EKZ6-NLGP3TW-EZYXYAH")
+      // (device "iPad" "JDDNVYD-H3WMSSS-WZ745KL-7QEGN6O-ZSGQLQU-YBR2L42-7FO7KJ4-BXPYDA5")
+      // {
+        bumba = {
+          name = "windows-bumba";
+          id = "JS7PWTO-VKFGBUP-GNFLSWP-MGFJ2KH-HLO2LKW-V3RPCR6-PCB5SQC-42FCKQZ";
+        };
+      }
+      // {
+        mors = {
+          name = "lassulus-mors";
+          id = "ZPRS57K-YK32ROQ-7A6MRAV-VOYXQ3I-CQCXISZ-C5PCV2A-GSFLG3I-K7UGGAH";
+          addresses = [ "tcp://mors.r:22000" ];
+        };
+      };
+
+    settings.folders = {
+
+      # needs to be on encrypted drives
+      # -------------------------------
+      oscar_cpap = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/oscar_cpap";
+        devices = [ "chungus" "cream" "cherry" ];
+      };
+      audiobooks = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/audiobooks";
+        devices = [ "chungus" "orbi" ];
+      };
+      logseq = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/logseq";
+        devices = [ "chungus" "cream" "cherry" "iPhone" "iPad" ];
+      };
+      lectures = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/lectures";
+        devices = [ "chungus" "orbi" ];
+      };
+      books = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/books";
+        devices = [ "chungus" "robi" "cream" "cherry" ];
+        versioning = {
+          type = "simple";
+          params.keep = "2";
+        };
+      };
+      password-store = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/password-store";
+        devices = [ "chungus" "cream" "mobi" "bobi" "cherry" ];
+        versioning = {
+          type = "simple";
+          params.keep = "10";
+        };
+      };
+      desktop = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/desktop";
+        devices = [ "chungus" "cream" "mobi" "bobi" "cherry" ];
+      };
+      finance = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/finance";
+        devices = [ "chungus" "cream" "mobi" "bobi" ];
+        versioning = {
+          type = "simple";
+          params.keep = "10";
+        };
+      };
+      # todo remove if zfs is is used
+      nextcloud_backup = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/lost-fotos";
+        devices = [ "chungus" "robi" ];
+        versioning = {
+          type = "simple";
+          params.keep = "2";
+        };
+      };
+    };
+  };
+
+}

nixos/components/network/tinc/default.nix

@@ -1,14 +1,37 @@
+{ lib, config, ... }:
+with lib;
 {
 
-  imports = [
-    ./private.nix
-    ./retiolum.nix
-    ./secret.nix
+  options.tinc = {
+    private = {
+      enable = mkEnableOption "private tinc setup";
+      ipv4 = mkOption { type = types.str; };
+      subnet = mkOption {
+        type = types.str;
+        default = "10.23.42.0/24";
+      };
+    };
+    secret = {
+      enable = mkEnableOption "secret tinc setup";
+      ipv4 = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+  config = mkMerge [
+    (mkIf config.tinc.private.enable (import ./private.nix {
+      ipv4 = config.tinc.private.ipv4;
+      ipv6 = null;
+      inherit (lib) optionalString concatStringsSep mapAttrsToList;
+      inherit config;
+    }))
+    (mkIf config.tinc.secret.enable (import ./secret.nix {
+      ipv4 = config.tinc.secret.ipv4;
+      ipv6 = null;
+      inherit (lib) optionalString concatStringsSep mapAttrsToList;
+      inherit config;
+    }))
   ];
-
-  # keys for secret and private tinc network
-  sops.secrets.tinc_ed25519_key = { };
-  sops.secrets.tinc_rsa_key = { };
-
 }
 

nixos/components/network/tinc/private.nix

@@ -1,46 +1,181 @@
-{ config, lib, pkgs, ... }:
-
-{
-
-  networking.firewall.trustedInterfaces = [ "tinc.private" ];
-
-  users.groups."tinc.private" = { };
-  users.users."tinc.private" = {
-    group = "tinc.private";
-    isSystemUser = lib.mkDefault true;
+{ ipv4
+, ipv6
+, config
+, optionalString
+, concatStringsSep
+, mapAttrsToList
+, ...
+}:
+let
+  hosts = {
+    mobi = "10.23.42.23";
+    sterni = "10.23.42.24";
+    bobi = "10.23.42.25";
+    pepe = "10.23.42.26";
+    cream = "10.23.42.27";
+    chungus = "10.23.42.28";
+    cherry = "10.23.42.29";
+    robi = "10.23.42.111";
+    orbi = "10.23.42.100";
   };
+  subDomains = {
+    # orbi
+    "transmission2.orbi" = hosts.orbi;
+    "sonarr.orbi" = hosts.orbi;
+    "radarr.orbi" = hosts.orbi;
+    "prowlarr.orbi" = hosts.orbi;
+    "photoprism.orbi" = hosts.orbi;
+    # robi
+    "grafana.robi" = hosts.robi;
+    "loki.robi" = hosts.robi;
+    "prometheus.robi" = hosts.robi;
+    "sync.robi" = hosts.robi;
+    "transmission.robi" = hosts.robi;
+    "transmission2.robi" = hosts.robi;
+    "sonarr.robi" = hosts.robi;
+    "radarr.robi" = hosts.robi;
+    "tdarr.robi" = hosts.robi;
+    "prowlarr.robi" = hosts.robi;
+    "jellyseerr.robi" = hosts.robi;
+    "unmanic.robi" = hosts.robi;
+    # chungus
+    "de.tts.chungus" = hosts.chungus;
+    "en.tts.chungus" = hosts.chungus;
+    "flix.chungus" = hosts.chungus;
+    "git.chungus" = hosts.chungus;
+    "grafana.chungus" = hosts.chungus;
+    "loki.chungus" = hosts.chungus;
+    "prometheus.chungus" = hosts.chungus;
+    "s3.chungus" = hosts.chungus;
+    "minio.chungus" = hosts.chungus;
+    "sync.chungus" = hosts.chungus;
+    "tdarr.chungus" = hosts.chungus;
+    "tts.chungus" = hosts.chungus;
+    "paperless.chungus" = hosts.chungus;
+  };
+  network = "private";
+in
+{
+  networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
 
-  # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
-  module.cluster.services.tinc."private" = {
-    networkSubnet = "10.23.42.0/24";
-    extraConfig = ''
-      LocalDiscovery = yes
-    '';
-    privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
-    privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
-    hosts = {
-      pepe = {
-        tincIp = "10.23.42.26";
-        publicKey = lib.fileContents ../../../assets/tinc/pepe_host_file;
-      };
-      sterni = {
-        tincIp = "10.23.42.24";
-        publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
-      };
-      mobi = {
-        tincIp = "10.23.42.23";
-        publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
-      };
-      bobi = {
-        tincIp = "10.23.42.25";
-        publicKey = lib.fileContents ../../../assets/tinc/bobi_host_file;
-      };
-      robi = {
-        realAddress = [ "144.76.13.147" ];
-        tincIp = "10.23.42.111";
-        publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
+  sops.secrets.tinc_ed25519_key = { };
+
+  #  nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
+  services.tinc.networks = {
+    ${network} = {
+      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
+      interfaceType = "tap";
+      extraConfig = ''
+        LocalDiscovery = yes
+      '';
+      hostSettings = {
+        mobi = {
+          subnets = [{ address = hosts.mobi; }];
+          settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
+        };
+        cream = {
+          subnets = [{ address = hosts.cream; }];
+          settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
+        };
+        cherry = {
+          subnets = [{ address = hosts.cherry; }];
+          settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
+        };
+        sterni = {
+          subnets = [{ address = hosts.sterni; }];
+          settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
+        };
+        bobi = {
+          subnets = [{ address = hosts.bobi; }];
+          settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
+        };
+        pepe = {
+          subnets = [{ address = hosts.pepe; }];
+          settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
+        };
+        chungus = {
+          subnets = [{ address = hosts.chungus; }];
+          settings.Ed25519PublicKey = "mJP+zzYGv42KItpSf3lMkr3dwa5xW3n3hi0W2Z75jfJ";
+        };
+        robi = {
+          addresses = [{ address = "144.76.13.147"; }];
+          subnets = [{ address = hosts.robi; }];
+          settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
+        };
+        orbi = {
+          addresses = [{ address = "95.216.66.212"; }];
+          subnets = [{ address = hosts.orbi; }];
+          settings.Ed25519PublicKey = "/1OE8xsnRT6egxd/+iH9TE+tzlwiUJeNsGFIIWyc70A";
+        };
       };
     };
   };
 
+  systemd.network.enable = true;
+  systemd.network.networks.${network}.extraConfig = ''
+    [Match]
+    Name = tinc.${network}
+    [Link]
+    # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
+    MTUBytes=1377
+    [Network]
+    ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
+    ${optionalString (ipv6 != null) "Address=${ipv6}/28"}
+    RequiredForOnline = no
+    LinkLocalAddressing = no
+  '';
+
+  networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains));
+
+  services.openssh.knownHosts = {
+    "orbi" = {
+      hostNames = [
+        "orbi.${network}"
+        hosts.orbi
+        "orbi"
+        "95.216.66.212"
+        "git.ingolf-wagner.de"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTqV5ch4BokqDniDgCquRwfTz6aXXMTdZovIvqShfLV";
+    };
+    "robi" = {
+      hostNames = [
+        "robi.${network}"
+        hosts.robi
+        "robi"
+        "144.76.13.147"
+        "taskd.ingolf-wagner.de"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
+    };
+    "sterni.${network}" = {
+      hostNames = [ "sterni.${network}" hosts.sterni ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
+    };
+    "cream.${network}" = {
+      hostNames = [ "cream.${network}" hosts.cream ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
+    };
+    "cherry.${network}" = {
+      hostNames = [ "cherry.${network}" hosts.cream ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUXkewyZ94A7CeCyVvN0KCqPn+8x1BZaGWMAojlfCXO";
+    };
+    "pepe.${network}" = {
+      hostNames = [ "pepe.${network}" hosts.pepe ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
+    };
+    "chungus.${network}" = {
+      hostNames = [ "chungus.${network}" hosts.chungus ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9jrbOJbgapreRjttyOKWv5vxGMThn7kAwlk8WnSyL9";
+    };
+    "bobi.${network}" = {
+      hostNames = [ "bobi.${network}" hosts.bobi ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
+    };
+    "mobi.${network}" = {
+      hostNames = [ "mobi.${network}" hosts.mobi ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
+    };
+  };
+
 }

nixos/components/network/tinc/retiolum.nix

@@ -1,34 +0,0 @@
-{ config, pkgs, lib, retiolum, ... }:
-{
-
-  # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
-  module.cluster.services.tinc."retiolum" = {
-    networkSubnet = "10.243.0.0/16";
-    port = 720;
-    extraConfig = ''
-      LocalDiscovery = yes
-      AutoConnect = yes
-    '';
-    privateEd25519KeyFile = toString config.sops.secrets.tinc_retiolum_ed25519_key.path;
-    privateRsaKeyFile = toString config.sops.secrets.tinc_retiolum_rsa_key.path;
-    hosts = {
-      pepe = {
-        tincIp = "10.243.23.1";
-        publicKey = lib.fileContents ../../../assets/tinc/retiolum/host_file;
-      };
-      sterni = {
-        tincIp = "10.243.23.3";
-        publicKey = lib.fileContents ../../../assets/tinc/retiolum/host_file;
-      };
-    };
-  };
-
-  networking.extraHosts = builtins.readFile (toString "${retiolum}/etc.hosts");
-  systemd.services."tinc.retiolum" = {
-    preStart = ''
-      cp -R ${retiolum}/hosts /etc/tinc/retiolum/ || true
-    '';
-  };
-
-}
-

nixos/components/network/tinc/secret.nix

@@ -1,33 +1,91 @@
-{ config, pkgs, lib, ... }:
+{ ipv4
+, ipv6
+, config
+, optionalString
+, concatStringsSep
+, mapAttrsToList
+, ...
+}:
+let
+  port = 721;
+  hosts = {
+    cherry = "10.123.42.29";
+    cream = "10.123.42.27";
+    robi = "10.123.42.123";
+    sternchen = "10.123.42.25";
+    sterni = "10.123.42.24";
+  };
+  network = "secret";
+in
 {
+  sops.secrets.tinc_ed25519_key = { };
 
-
-  # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
-  module.cluster.services.tinc."secret" = {
-    networkSubnet = "10.123.42.0/24";
-    port = 721;
-    extraConfig = ''
-      LocalDiscovery = yes
-      AutoConnect = yes
-    '';
-    privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
-    privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
-    hosts = {
-      sternchen = {
-        tincIp = "10.123.42.25";
-        publicKey = lib.fileContents ../../../assets/tinc/sternchen_host_file;
-      };
-      sterni = {
-        tincIp = "10.123.42.24";
-        publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
-      };
-      robi = {
-        realAddress = [ "144.76.13.147" ];
-        tincIp = "10.123.42.123";
-        publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
+  services.tinc.networks = {
+    ${network} = {
+      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
+      extraConfig = ''
+        LocalDiscovery = yes
+        Port = ${toString port}
+      '';
+      hostSettings = {
+        sternchen = {
+          subnets = [{ address = hosts.sternchen; }];
+          settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
+        };
+        cream = {
+          subnets = [{ address = hosts.cream; }];
+          settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
+        };
+        cherry = {
+          subnets = [{ address = hosts.cherry; }];
+          settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
+        };
+        sterni = {
+          subnets = [{ address = hosts.sterni; }];
+          settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
+        };
+        robi = {
+          addresses = [{ address = "144.76.13.147"; port = port; }];
+          subnets = [{ address = hosts.robi; }];
+          settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
+        };
       };
     };
   };
 
-}
+  systemd.network.enable = true;
+  systemd.network.networks.${network}.extraConfig = ''
+    [Match]
+    Name = tinc.${network}
+    [Link]
+    # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
+    MTUBytes=1377
+    [Network]
+    ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
+    ${optionalString (ipv6 != null) "Address=${ipv6}/28"}
+    RequiredForOnline = no
+    LinkLocalAddressing = no
+  '';
 
+  networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") hosts);
+
+  services.openssh.knownHosts = {
+    "cream.${network}" = {
+      hostNames = [ "cream.${network}" hosts.cream ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
+    };
+    "sternchen.${network}" = {
+      hostNames = [ "sterni.${network}" hosts.sterni ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
+    };
+    "sterni.${network}" = {
+      hostNames = [ "sterni.${network}" hosts.sterni ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
+    };
+    "robi" = {
+      hostNames = [ "robi.${network}" hosts.robi ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
+    };
+  };
+
+}

nixos/components/network/wifi.nix

@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with types;
+{
+
+  options.components.network.wifi.enable = mkOption {
+    type = bool;
+    default = config.components.network.enable;
+  };
+
+  config = mkIf config.components.network.wifi.enable {
+
+    networking.usePredictableInterfaceNames = true;
+
+    networking.networkmanager.enable = true;
+    networking.networkmanager.wifi.powersave = lib.mkDefault true;
+    networking.networkmanager.extraConfig = ''
+      # The number of times a connection activation should be automatically tried
+      # before switching to another one. This value applies only to connections
+      # that can auto-connect and have a connection. autoconnect-retries property set to -1.
+      # If not specified, connections will be tried 4 times.
+      # Setting this value to 1 means to try activation once, without retry.
+      autoconnect-retries-default=999
+    '';
+
+
+    hardware.enableRedistributableFirmware = true;
+
+    # because Networkd-wait-online is just failing.
+    # systemd.services.systemd-networkd-wait-online.enable = false;
+    systemd.services.NetworkManager-wait-online.enable = false;
+
+    environment.systemPackages = [
+
+      (pkgs.writeShellScriptBin "scan-wifi" ''
+        # todo : use column to make a nice view
+        ${pkgs.wirelesstools}/bin/iwlist scan | \
+          grep -v "Interface doesn't support scanning" | \
+          sed -e '/^\s*$/d' | \
+          grep -e "ESSID" -e "Encrypt" | \
+          sed -e "s/Encryption key:on/encrypted/g" | \
+          sed -e "s/Encryption key:off/open/g" | \
+          sed -e "s/ESSID://g" | \
+          xargs -L 2 printf "%9s - '%s'\n"
+      '')
+
+    ];
+  };
+
+}
+

nixos/components/network/wireguard.nix

@@ -0,0 +1,27 @@
+{ lib, config, ... }:
+with lib;
+{
+
+  options.wireguard = {
+    wg0 = {
+      subnet = mkOption {
+        type = types.str;
+        default = "10.100.0.1/24";
+      };
+    };
+  };
+
+  # todo: use networking.wireguard  instead of networking wg-quick
+  # with dynamicEndpointRefreshSeconds
+  #config = {
+  #  systemd.services.wg-quick-wg0.serviceConfig = {
+  #    Restart = "always";
+  #    RestartSec = 50;
+  #    Type = mkForce "simple";
+  #    RemainAfterExit = mkForce false;
+  #  };
+  #};
+
+
+}
+

nixos/components/nixos/default.nix

@@ -0,0 +1,12 @@
+{ config, lib, ... }:
+{
+  imports = [ ./upgrade-diff.nix ];
+
+  options.components.nixos.enable = lib.mkOption {
+    type = lib.types.bool;
+    default = true;
+  };
+
+  config = lib.mkIf (config.components.nixos.enable) { };
+
+}

nixos/components/nixos/upgrade-diff.nix

@@ -0,0 +1,22 @@
+# MIT Jörg Thalheim - https://github.com/Mic92/dotfiles/blob/c6cad4e57016945c4816c8ec6f0a94daaa0c3203/nixos/modules/upgrade-diff.nix
+{ config, lib, ... }:
+{
+
+  options.components.nixos.update-diff.enable = lib.mkOption {
+    type = lib.types.bool;
+    default = config.components.nixos.enable;
+  };
+
+  config = lib.mkIf (config.components.nixos.update-diff.enable) {
+    system.activationScripts.diff = {
+      supportsDryActivation = true;
+      text = ''
+        if [[ -e /run/current-system ]]; then
+          echo "--- diff to current-system"
+          ${config.nix.package}/bin/nix --extra-experimental-features nix-command store diff-closures /run/current-system "$systemConfig"
+          echo "---"
+        fi
+      '';
+    };
+  };
+}

nixos/components/terminal/bash.nix

@@ -0,0 +1,38 @@
+{ pkgs, config, lib, ... }:
+with lib;
+{
+  options.components.terminal.bash.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.terminal.enable;
+  };
+
+  config = mkIf (config.components.terminal.bash.enable) {
+
+    programs.bash = {
+
+      enable = true;
+      enableCompletion = true;
+      syntaxHighlighting.enable = true;
+
+      interactiveShellInit = "set -o vi";
+
+
+      shellAliases = {
+        ls = "ls --color=tty";
+        l = "ls -CFh";
+        la = "ls -Ah";
+        ll = "ls -lh";
+        lt = "ls -lct --reverse";
+        less = "less -S";
+        top = "htop";
+        version = "date '+%Y%m%d%H%M%S'";
+        vclip = "xclip -selection clipboard";
+        df = "df -h";
+        timestamp = "date +%Y%m%d%H%M%S";
+        nix-show-garbadge-roots = "ls -lh /nix/var/nix/gcroots/auto/";
+      };
+
+    };
+
+  };
+}

nixos/components/terminal/default.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+  options.components.terminal = {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+    };
+  };
+
+  imports = [
+    ./direnv.nix
+    ./git.nix
+    ./heygpt.nix
+    ./hoard.nix
+    ./oh-my-posh
+    ./remote-install.nix
+    ./wtf.nix
+    ./zsh.nix
+  ];
+
+  config = mkIf config.components.terminal.enable {
+    environment.systemPackages = [
+      pkgs.ranger # datei browser
+      pkgs.retry # retry command till success
+      pkgs.silver-searcher
+      pkgs.treefmt
+    ];
+  };
+}

nixos/components/terminal/direnv.nix

@@ -0,0 +1,26 @@
+{ pkgs, config, lib, ... }:
+with lib;
+{
+  options.components.terminal.direnv.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.terminal.enable;
+  };
+  config = mkIf (config.components.terminal.direnv.enable) {
+
+    environment.systemPackages = [ pkgs.direnv ];
+
+    home-manager.sharedModules = [
+      {
+        programs.direnv.enable = true;
+        programs.git.ignores = [ ".envrc" ".direnv" ];
+      }
+    ];
+
+    programs.zsh.interactiveShellInit = ''
+      eval "$(${pkgs.direnv}/bin/direnv hook zsh)"
+    '';
+    programs.bash.interactiveShellInit = ''
+      eval "$(${pkgs.direnv}/bin/direnv hook bash)"
+    '';
+  };
+}

nixos/components/terminal/git.nix

@@ -1,21 +1,17 @@
 { config, pkgs, lib, ... }:
-
 with lib;
-
-let
-
-  cfg = config.programs.custom.git;
-
-in
 {
+  options.components.terminal.git.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.terminal.enable;
+  };
 
-  options.programs.custom.git.enable =
-    mkEnableOption "install git and all its tools";
+  config = mkIf (config.components.terminal.git.enable) {
 
-  config = mkIf cfg.enable {
 
     environment.systemPackages = with pkgs; [
       git
+      gita
       tig
       lazygit
       git-crypt
@@ -23,9 +19,6 @@ in
       gitAndTools.gitSVN
       gitAndTools.git2cl
 
-      # merge tools
-      meld
-
       # activate using :
       # git config --global core.pager "diff-so-fancy | less --tabs=4 -RFX"
       gitAndTools.diff-so-fancy

nixos/components/terminal/heygpt.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+  options.components.terminal.heygpt.enable = mkOption {
+    type = lib.types.bool;
+    #default = config.components.terminal.enable;
+    default = false;
+  };
+
+  config = mkIf (config.components.terminal.heygpt.enable) {
+    environment.systemPackages = [
+      (pkgs.writers.writeBashBin "heygpt" ''
+        export OPENAI_API_BASE="https://api.openai.com/v1"
+        export OPENAI_API_KEY=$(pass openai/apikey)
+        ${lib.getExe pkgs.unstable.heygpt} "$@"
+      '')
+      (pkgs.writers.writeBashBin "heygpt-models" ''
+        export OPENAI_API_KEY=$(pass openai/apikey)
+        ${getExe pkgs.curl} https://api.openai.com/v1/models \
+          -H "Authorization: Bearer $OPENAI_API_KEY" \
+          | ${getExe pkgs.jq} --raw-output '.data[] | .id' \
+          | ${getExe pkgs.gum} filter
+      '')
+    ];
+  };
+}

nixos/components/terminal/hoard.nix

@@ -0,0 +1,62 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+  hoardSrc = pkgs.fetchFromGitHub {
+    owner = "Hyde46";
+    repo = "hoard";
+    rev = "v1.3.1";
+    sha256 = "sha256-Gm3X6/g5JQJEl7wRvWcO4j5XpROhtfRJ72LNaUeZRGc=";
+  };
+in
+{
+  options.components.terminal.hoard.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.terminal.enable;
+  };
+
+  config = mkIf (config.components.terminal.hoard.enable) {
+
+    # todo : sync via syncthing
+    backup.dirs = [
+      "/root/.config/hoard"
+      "/home/palo/.config/hoard"
+    ];
+
+    environment.systemPackages = [ pkgs.legacy_2211.hoard ];
+
+    home-manager.users.mainUser = {
+      xdg.configFile."hoard/config.yml".text = builtins.toJSON {
+        version = "1.0.1";
+        default_namespace = "default";
+        config_home_path = "/home/palo/.config/hoard";
+        trove_path = "/home/palo/.config/hoard/trove.yml";
+        query_prefix = " >";
+        primary_color = [ 87 142 87 ];
+        secondary_color = [ 203 184 144 ];
+        tertiary_color = [ 30 30 30 ];
+        command_color = [ 30 30 30 ];
+        parameter_token = "#";
+        read_from_current_directory = true;
+      };
+      programs.zsh.initExtra = ''
+        export HOARD_NOBIND=1
+        source ${hoardSrc}/src/shell/hoard.zsh
+        bindkey '^x' _hoard_list_widget
+      '';
+    };
+
+    # use showkey -a
+    # Ctrl-h is equivalent to Ctrl-Backspace (for some reason)
+    programs.zsh.interactiveShellInit = ''
+      export HOARD_NOBIND=1
+      source ${hoardSrc}/src/shell/hoard.zsh
+      bindkey '^x' _hoard_list_widget
+    '';
+    programs.bash.interactiveShellInit = ''
+      export HOARD_NOBIND=1
+      source ${hoardSrc}/src/shell/hoard.bash
+      bind -x '"\C-x": __hoard_list'
+    '';
+
+  };
+}

nixos/components/terminal/oh-my-posh/default.nix

@@ -0,0 +1,26 @@
+{ pkgs, config, lib, ... }:
+with lib;
+{
+  options.components.terminal.oh-my-posh.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.terminal.enable;
+  };
+
+  config = mkIf (config.components.terminal.oh-my-posh.enable) {
+
+    home-manager.users =
+      let
+        poshConfig = {
+          programs.oh-my-posh = {
+            enable = true;
+            # useTheme = "gruvbox";
+            settings = builtins.fromJSON (builtins.readFile ./gruvbox.json);
+          };
+        };
+      in
+      {
+        mainUser = poshConfig;
+        root = poshConfig;
+      };
+  };
+}

nixos/components/terminal/oh-my-posh/gruvbox.json

@@ -0,0 +1,65 @@
+{
+  "$schema": "https://raw.githubusercontent.com/JanDeDobbeleer/oh-my-posh/main/themes/schema.json",
+  "blocks": [
+    {
+      "alignment": "left",
+      "segments": [
+        {
+          "background": "#3A3A3A",
+          "foreground": "#ffffff",
+          "style": "powerline",
+          "template": "{{ if .WSL }}WSL at{{ end }} {{.Icon}} ",
+          "type": "os"
+        },
+        {
+          "background": "#fbf1c7",
+          "background_templates": ["{{ if .Root }}#af3a03{{ end }}"],
+          "foreground": "#282828",
+          "foreground_templates": ["{{ if .Root }}#fbf1c7{{ end }}"],
+          "powerline_symbol": "\ue0b0",
+          "style": "powerline",
+          "template": " {{ if .SSHSession }} {{ end }}{{ .HostName }} ",
+          "type": "session"
+        },
+        {
+          "background": "#458588",
+          "foreground": "#282828",
+          "powerline_symbol": "\ue0b0",
+          "properties": {
+            "style": "full"
+          },
+          "style": "powerline",
+          "template": " {{ .Path }} ",
+          "type": "path"
+        },
+        {
+          "background": "#98971A",
+          "background_templates": [
+            "{{ if or (.Working.Changed) (.Staging.Changed) }}#FF9248{{ end }}",
+            "{{ if and (gt .Ahead 0) (gt .Behind 0) }}#ff4500{{ end }}",
+            "{{ if gt .Ahead 0 }}#B388FF{{ end }}",
+            "{{ if gt .Behind 0 }}#B388FF{{ end }}"
+          ],
+          "foreground": "#282828",
+          "leading_diamond": "\ue0b6",
+          "powerline_symbol": "\ue0b0",
+          "properties": {
+            "branch_max_length": 25,
+            "fetch_stash_count": true,
+            "fetch_status": true,
+            "branch_icon": "\uE0A0 ",
+            "branch_identical_icon": "\u25CF"
+          },
+          "style": "powerline",
+          "template": " {{ .HEAD }}{{if .BranchStatus }} {{ .BranchStatus }}{{ end }}{{ if .Working.Changed }} \uf044 {{ .Working.String }}{{ end }}{{ if and (.Working.Changed) (.Staging.Changed) }} |{{ end }}{{ if .Staging.Changed }} \uf046 {{ .Staging.String }}{{ end }}{{ if gt .StashCount 0 }} \ueb4b {{ .StashCount }}{{ end }} ",
+          "trailing_diamond": "\ue0b4",
+          "type": "git"
+        }
+      ],
+      "type": "prompt"
+    }
+  ],
+  "console_title_template": "{{ .Folder }}",
+  "final_space": true,
+  "version": 2
+}

nixos/components/terminal/remote-install.nix

@@ -0,0 +1,26 @@
+{ pkgs, config, lib, ... }:
+with lib;
+{
+  options.components.terminal.remote-install.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.terminal.enable;
+  };
+  config = mkIf (config.components.terminal.remote-install.enable) {
+
+    services.tor = {
+      enable = true;
+      client.enable = true;
+      relay.onionServices.liveos.map = [{ port = 1337; }];
+    };
+
+    environment.systemPackages = [
+      (pkgs.writeShellScriptBin "remote-install-start-service" ''
+        echo "starting announcment server to receive remote-install iso onion id"
+        ${pkgs.nmap}/bin/ncat -k -l -p 1337
+      '')
+      (pkgs.writeShellScriptBin "remote-install-get-hiddenReceiver" ''
+        sudo cat /var/lib/tor/onion/liveos/hostname
+      '')
+    ];
+  };
+}

nixos/components/terminal/wtf.nix

@@ -1,4 +1,5 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, config, lib, ... }:
+with lib;
 let
 
   networkStatus =
@@ -54,7 +55,7 @@ let
   '';
 
   userHighlight = map ({ user, ... }: user)
-    (builtins.attrValues config.programs.custom.browser.configList)
+    (builtins.attrValues config.services.browser.configList)
   ++ [ "steam" ];
 
   activeUsers = pkgs.writers.writeBash "active-users" ''
@@ -112,8 +113,9 @@ let
           odd = "white";
         };
         locations = {
+          UTC = "Etc/UTC";
           Berlin = "Europe/Berlin";
-          India = "Asia/Kolkata";
+          Cuba = "America/Havana";
           Wellington = "Pacific/Auckland";
         };
         sort = "alphabetical";
@@ -263,7 +265,7 @@ let
       };
       grid = {
         columns = [ 33 12 28 36 0 ];
-        rows = [ 9 3 7 6 0 ];
+        rows = [ 9 4 6 6 0 ];
       };
       refreshInterval = 1;
       mods = with modules; {
@@ -374,23 +376,30 @@ let
     '';
 
 in
+
 {
+  options.components.terminal.wtf.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.terminal.enable;
+  };
+  config = mkIf (config.components.terminal.wtf.enable) {
 
-  services.upower.enable = true;
+    services.upower.enable = true;
 
-  environment.systemPackages = [
-    pkgs.unstable.wtf
-    (createDashboard {
-      json = qJson;
-      name = "q";
-    })
-    (createDashboard {
-      json = newsJson;
-      name = "news";
-    })
-    #activeUsers
-    #activeTasks
-    pkgs.upower
-  ];
+    environment.systemPackages = [
+      pkgs.unstable.wtf
+      (createDashboard {
+        json = qJson;
+        name = "q";
+      })
+      (createDashboard {
+        json = newsJson;
+        name = "news";
+      })
+      #activeUsers
+      #activeTasks
+      pkgs.upower
+    ];
 
+  };
 }

nixos/components/terminal/zsh.nix

@@ -0,0 +1,51 @@
+{ pkgs, config, lib, ... }:
+with lib;
+{
+  options.components.terminal.zsh.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.terminal.enable;
+  };
+
+  config = mkIf (config.components.terminal.zsh.enable) {
+
+    # root uses zsh on default
+    users.users.root.shell = pkgs.zsh;
+
+    programs.zsh = {
+
+      enable = true;
+      enableCompletion = true;
+      syntaxHighlighting.enable = true;
+
+      shellAliases = {
+        ls = "ls --color=tty";
+        l = "ls -CFh";
+        la = "ls -Ah";
+        ll = "ls -lh";
+        lt = "ls -lct --reverse";
+        less = "less -S";
+        top = "htop";
+        version = "date '+%Y%m%d%H%M%S'";
+        vclip = "xclip -selection clipboard";
+        df = "df -h";
+        timestamp = "date +%Y%m%d%H%M%S";
+        nix-show-garbadge-roots = "ls -lh /nix/var/nix/gcroots/auto/";
+      };
+
+      interactiveShellInit = ''
+        kpaste() {
+          arg=cat
+          if [[ $# -ne 0 ]]; then
+            arg+=("''${@}")
+          elif [[ -t 0 ]] && [[ -o interactive ]]; then
+            arg=(wl-paste)
+          fi
+          "''${arg[@]}" | curl -sS http://p.r --data-binary @- | \
+            sed '$ {p;s|http://p.r|https://p.krebsco.de|}'
+        }
+      '';
+
+    };
+
+  };
+}

nixos/components/yubikey.nix

@@ -0,0 +1,66 @@
+# References:
+# * https://github.com/drduh/YubiKey-Guide
+# * https://nixos.wiki/wiki/Yubikey
+{ config, pkgs, lib, ... }:
+with lib;
+{
+
+  options.components.yubikey.enable = lib.mkOption {
+    type = lib.types.bool;
+    default = true;
+  };
+
+  # todo move this tho home manager
+  config = mkIf config.components.yubikey.enable {
+
+    services.pcscd.enable = true;
+    services.udev.packages = [
+
+      pkgs.yubikey-personalization
+
+      # additional services, but I just want gpg
+      # pkgs.libu2f-host
+
+    ];
+
+    environment.systemPackages = [
+
+      # for `gpg --export $keyid | hokey lint` to check keys
+      #pkgs.haskellPackages.hopenpgp-tools
+
+      # for otp keys (but I use pass otp)
+      # pkgs.yubioath-desktop
+
+      (pkgs.writers.writeDashBin "gpg-reset-yubikey-id" ''
+        echo "reset gpg to make new key available"
+        set -x
+        set -e
+        ${pkgs.psmisc}/bin/killall gpg-agent
+        rm -r ~/.gnupg/private-keys-v1.d/
+        ${pkgs.gnupg}/bin/gpg --card-status
+        echo "now the new key should work"
+      '')
+
+    ];
+
+    ## managed by home-manager now
+    #environment.shellInit = ''
+    #  export GPG_TTY="$(tty)"
+    #  gpg-connect-agent /bye
+    #  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+    #'';
+    #programs = {
+    #  ssh.startAgent = false;
+    #  gnupg.agent = {
+    #    enable = true;
+    #    enableSSHSupport = true;
+    #  };
+    #};
+
+    ## managed by home-manager now
+    #security.pam.u2f.enable = true;
+    #security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
+    #sops.secrets.yubikey_u2fAuthFile = { };
+
+  };
+}

nixos/homes/common/default.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+  imports = [
+    ./packages.nix
+    ./terminal.nix
+    ./zfs.nix
+  ];
+  options.gui.enable = lib.mkEnableOption "should GUI packages be anabled?";
+}

nixos/homes/common/packages.nix

@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+with pkgs;
+with lib;
+{
+  config = mkMerge [
+    {
+      home.packages = [
+        bind.dnsutils
+        nmap
+        hexyl
+        ipcalc
+
+        units
+
+        parallel
+
+        wget
+        curl
+
+        gimoji
+
+        # todo : configure this properly
+        tldr
+
+        bandwhich
+
+        unzip
+        genpass
+        tree
+        killall
+        nix-tree
+
+        unstable.vulnix
+        (writers.writeBashBin "vulnix-system" ''
+          ${unstable.vulnix}/bin/vulnix --profile /nix/var/nix/profiles/system
+        '')
+      ];
+
+      programs.btop.enable = true;
+
+    }
+
+
+    (mkIf config.gui.enable {
+      home.packages = [
+        libreoffice
+        hunspell
+        hunspellDicts.de-de
+        hunspellDicts.en-us
+        aspell
+        aspellDicts.de
+        aspellDicts.en
+        aspellDicts.es
+
+        evince
+        sxiv
+        gimp
+        inkscape
+
+        transmission-remote-gtk
+      ];
+    })
+  ];
+}

nixos/homes/common/terminal.nix

@@ -0,0 +1,59 @@
+{ lib, pkgs, assets, ... }:
+{
+
+  programs.zsh = {
+    enable = true;
+    defaultKeymap = lib.mkDefault "viins";
+  };
+
+  programs.bash = {
+    enable = true;
+    bashrcExtra = ''
+      set -o vi
+    '';
+  };
+
+  programs.thefuck.enable = true;
+
+  # a better cat
+  programs.bat = {
+    enable = true;
+    config.theme = "gruvbox-light";
+  };
+
+  home.shellAliases.cat = "${pkgs.bat}/bin/bat --theme='gruvbox-light'";
+  home.shellAliases.llt = "${pkgs.eza}/bin/exa -a --tree";
+
+  # use z instead of cd
+  # use zi to fuzzy search through all registered directories
+  programs.zoxide = {
+    enable = true;
+    enableZshIntegration = true;
+  };
+
+  # provide better `Ctrl+r` command in terminal
+  programs.atuin = {
+    enable = true;
+    enableBashIntegration = true;
+    enableZshIntegration = true;
+    #package = pkgs.unstable.atuin;
+    package = pkgs.unstable.atuin.overrideAttrs (_old: {
+      # as cursed as doing mitigations=off in the kernel command line
+      patches = [ "${assets}/0001-make-atuin-on-zfs-fast-again.patch" ];
+    });
+    settings = {
+      auto_sync = true;
+      sync_frequency = "5m";
+      sync_address = "http://chungus.private:8888";
+      search_mode = "fuzzy";
+      style = "full";
+      inline_height = 20;
+      keymap_mode = "vim-normal";
+
+      # With workspace filtering enabled, Atuin will filter for commands executed
+      # in any directory within a git repository tree.
+      workspaces = true;
+
+    };
+  };
+}

nixos/homes/common/zfs.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+with pkgs;
+with lib;
+{
+  config = mkMerge [
+    {
+      home.packages = [
+        (
+          let
+            options = [
+              "name"
+              "mountpoint"
+              "compression"
+              "com.sun:auto-snapshot:yearly"
+              "com.sun:auto-snapshot:monthly"
+              "com.sun:auto-snapshot:daily"
+              "com.sun:auto-snapshot:hourly"
+            ];
+          in
+          pkgs.writers.writeBashBin "zfs-overview" ''
+            ${pkgs.zfs}/bin/zfs list -o ${concatStringsSep "," options} "$@"
+          ''
+        )
+      ];
+    }
+  ];
+}

nixos/homes/palo/default.nix

@@ -0,0 +1,79 @@
+{ pkgs, ... }: {
+
+  imports = [
+    ../common
+    ./doom-emacs.nix
+    ./editor.nix
+    ./git.nix
+    ./gpg.nix
+    ./i3.nix
+    ./packages
+    ./ssh.nix
+    ./stylix.nix
+    ./tmux.nix
+    ./yubikey.nix
+    ./zellij.nix
+    ./hyperland.nix
+  ];
+
+  home.stateVersion = "22.11";
+
+  programs.htop = {
+    enable = true;
+    settings.highlight_base_name = true;
+    settings.tree_view = true;
+  };
+
+  xdg.configFile."mimeapps.list".text = ''
+    [Default Applications]
+    text/html=browser-select.desktop
+    x-scheme-handler/http=browser-select.desktop
+    x-scheme-handler/https=browser-select.desktop
+    x-scheme-handler/about=browser-select.desktop
+    x-scheme-handler/mailto=thunderbird.desktop;
+    x-scheme-handler/unknown=browser-select.desktop
+    x-scheme-handler/postman=Postman.desktop
+    image/png=sxiv.desktop
+    image/jpeg=sxiv.desktop
+    x-scheme-handler/magnet=userapp-transmission-gtk-YPS6F2.desktop
+  '';
+
+  xdg.configFile."khal/config".text = ''
+    [calendars]
+
+    [[local_calendar]]
+    path = ~/.calendars/*
+    type = discover
+
+    [locale]
+    timeformat = %H:%M
+    dateformat = %Y-%m-%d
+    longdateformat = %Y-%m-%d
+    datetimeformat = %Y-%m-%d %H:%M
+    longdatetimeformat = %Y-%m-%d %H:%M
+  '';
+
+  xdg.configFile."vdirsyncer/config".text = ''
+    [general]
+    # A folder where vdirsyncer can store some metadata about each pair.
+    status_path = "~/.vdirsyncer/status/"
+
+    # CALDAV
+    [pair my_calendar]
+    a = "nextcloud_calendar"
+    b = "local_calendar"
+    collections = ["from a", "from b"]
+
+    [storage nextcloud_calendar]
+    type = "caldav"
+    url = "https://nextcloud.ingolf-wagner.de/"
+    username = "palo"
+    password.fetch = ["command", "${pkgs.pass}/bin/pass", "home/nextcloud/palo/nextcloudcmd-token"]
+
+    [storage local_calendar]
+    type = "filesystem"
+    path = "~/.calendars/"
+    fileext = ".ics"
+  '';
+
+}

nixos/homes/palo/doom-emacs.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+  config = mkMerge [
+    {
+      home.packages = [ pkgs.ripgrep ];
+    }
+    (mkIf config.gui.enable {
+      programs.doom-emacs = {
+        enable = lib.mkDefault true;
+        doomPrivateDir = ./doom.d;
+        extraConfig = ''
+          ;; "monospace" means use the system default. However, the default is usually two
+          ;; points larger than I'd like, so I specify size 12 here.
+          (setq doom-font
+            (font-spec :family "Jetbrains Mono" :size ${toString 12} :weight 'light))
+          ;;(setq doom-font
+          ;; (font-spec :family "Terminus" :size ${toString 12} :weight 'light))
+        '';
+        #emacsPackagesOverlay = self: super: {
+        #  # fixes https://github.com/vlaci/nix-doom-emacs/issues/394
+        #  gitignore-mode = pkgs.emacsPackages.git-modes;
+        #  gitconfig-mode = pkgs.emacsPackages.git-modes;
+        #};
+      };
+    })
+    (mkIf (!config.gui.enable) {
+      programs.doom-emacs = {
+        enable = lib.mkDefault true;
+        doomPrivateDir = ./doom.d;
+        package = pkgs.emacs-nox;
+      };
+    })
+  ];
+}

nixos/homes/palo/doom.d/config.el

@@ -0,0 +1,4 @@
+;; configure theme
+(setq doom-theme 'doom-solarized-light)
+
+