refactored system

2026-01-22 00:13:33 +01:00 · 2026-01-22 00:13:33 +01:00 · 386d889455
commit 386d889455
parent 6a62e2f23f
55 changed files with 336 additions and 580 deletions
--- a/flake.nix
+++ b/flake.nix
@ -2,112 +2,36 @@
  description = "Complete system and home config";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
    home-manager.url = "github:nix-community/home-manager/release-25.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    nur.url = "github:nix-community/nur";
  };
  outputs = { self, nixpkgs, home-manager, ... }@inputs: {
    nixosConfigurations = {
      nova = nixpkgs.lib.nixosSystem {
        specialArgs = { inherit inputs; };
        modules = [
          {
            networking.hostName = "nova";
          }
          ./system
          ./system/alt.nix
          ./system/btrbk.nix
          ./system/cast.nix
          ./system/desktop.nix
          ./system/ergodox.nix
          ./system/gnome.nix
          ./system/guest.nix
          ./system/hardware/nova.nix
          ./system/plasma.nix
          ./system/steam.nix
          ./system/yubikey.nix
          # ./system/distrobox.nix
        ];
      };
      tron = nixpkgs.lib.nixosSystem {
        specialArgs = { inherit inputs; };
        modules = [
          {
            networking.hostName = "tron";
          }
          ./system
          ./system/desktop.nix
          ./system/hardware/tron.nix
          ./system/gnome.nix
          ./system/btrbk.nix
          ./system/yubikey.nix
        ];
      };
      romulus = nixpkgs.lib.nixosSystem {
        specialArgs = { inherit inputs; };
        modules = [
          {
            networking.hostName = "romulus";
            environment.systemPackages = [
              nixpkgs.wl-clipboard
            ];
            programs.sway.enable = true;
            security.rtkit.enable = true;
          }
          ./system
          ./system/desktop.nix
          ./system/hardware/romulus.nix
        ];
      };
      arielle = nixpkgs.lib.nixosSystem {
        specialArgs = { inherit inputs; };
-        modules = [
+        modules = [ ./hosts/arielle ];
          {
            networking.hostName = "arielle";
            networking.domain = "ktiu.net";
            boot.loader.grub.enable = true;
            boot.loader.grub.device = "/dev/sda";
          }
          ./system/hardware/arielle.nix
          ./system
          ./system/web-server
          #infrastructure
          ./system/web-server/mail
          ./system/web-server/radicale.nix
          ./system/web-server/outline.nix
          ./system/web-server/forgejo.nix
          # ./system/web-server/jenkins.nix
          # web hosting
          ./system/web-server/oopsidentify.nix
          ./system/web-server/fundkorb-button.nix
          ./system/web-server/ksh-map.nix
        ];
      };
      homer = nixpkgs.lib.nixosSystem {
        specialArgs = { inherit inputs; };
-        modules = [
+        modules = [ ./hosts/homer ];
-          {
+      };
-            networking.hostName = "homer";
+
-          }
+      mila = nixpkgs.lib.nixosSystem {
-          ./system
+        specialArgs = { inherit inputs; };
-          ./system/desktop.nix
+        modules = [ ./hosts/mila ];
-          ./system/hardware/homer.nix
+      };
-          ./system/gnome.nix
+
-          ./system/steam.nix
+      nova = nixpkgs.lib.nixosSystem {
-          ./system/remote-desktop.nix
+        specialArgs = { inherit inputs; };
-          ./system/media.nix
+        modules = [ ./hosts/nova ];
          ./system/guest.nix
        ];
      };
    };
--- a/home/firefox.nix
+++ b/home/firefox.nix
@ -72,8 +72,7 @@
              definedAliases = [ "@no" ];
            };
            "Home manager options" = {
-              # urls = [{ template = "https://home-manager-options.extranix.com/?query={searchTerms}&release=release-${osConfig.system.nixos.release}"; }];
+              urls = [{ template = "https://home-manager-options.extranix.com/?query={searchTerms}&release=release-${osConfig.system.nixos.release}"; }];
              urls = [{ template = "https://home-manager-options.extranix.com/?query={searchTerms}&release=release-25.05"; }];
              icon = "https://mipmip.github.io/home-manager-option-search/images/favicon.png";
              updateInterval = 24 * 60 * 60 * 1000;
              definedAliases = [ "@hm" ];
--- a/home/fish.nix
+++ b/home/fish.nix
@ -1,7 +1,10 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 {
  home.shellAliases = {
-    top      = "btm --battery";
+    top       = "btm --battery";
    du        = "dust";
    ymd       = "date +'%Y-%m-%d'";
    dmy       = "date +'%-d.-%-m.%Y'";
    v         = "nvim";
@ -9,12 +12,13 @@
    R         = "R --no-save --no-restore";
    cdg       = "cd \$(git rev-parse --show-toplevel)";
  };
  programs.fish = {
    enable = true;
    interactiveShellInit = "fish_add_path ${config.xdg.dataHome}/npm/packages/bin";
-    shellAbbrs = {
+
      openconnect = "openconnect --config=/home/till/.config/openconnect/config";
    };
    shellInit = ''
      set -gx EDITOR "nvim"
      set -gx VISUAL "nvim"
--- a/home/gpg.nix
+++ b/home/gpg.nix
@ -1,6 +1,11 @@
 { config, pkgs, ... }:
 {
  programs.gnupg.agent = {
    enable = true;
    pinentryPackage = pkgs.pinentry-gnome3;
    enableSSHSupport = true;
  };
  programs.gpg.settings = {
    no-emit-version = true;
@ -23,5 +28,4 @@
    '';
    target = "../.gnupg/scdaemon.conf";
  };
 }
--- a/home/mail/default.nix
+++ b/home/mail/default.nix
@ -225,7 +225,7 @@
          enable = true;
          extraConfig.from = "kein_schlussstrich_hessen@systemli.org";
        };
-        passwordCommand = "secret-tool lookup server mail.systemli.org account kein_schlussstrich_hessen@systemli.org";
+        passwordCommand = "pass other/ksh_systemli";
      };
    };
--- a/home/nvim/autocommands.vim
+++ b/home/nvim/autocommands.vim
@ -9,9 +9,3 @@ augroup netrw
  autocmd!
  autocmd FileType netrw setl bufhidden=wipe
 augroup end
 augroup repl
  autocmd!
  autocmd TermOpen * setlocal nonumber norelativenumber
  autocmd TermOpen * nmap <buffer> Q :bdelete!<enter>
 augroup end
--- a/home/ssh.nix
+++ b/home/ssh.nix
@ -1,4 +1,13 @@
-{ config, ... }:
+{ config, osConfig, ... }:
 let
  certs =  {
    uni = "${config.home.homeDirectory}/.ssh/tstraube@${osConfig.networking.hostname}";
    personal = "${config.home.homeDirectory}/.ssh/till@${osConfig.networking.hostname}";
  };
 in
 {
  programs.ssh = {
@ -8,18 +17,48 @@
    matchBlocks = {
-      gu = {
+      "hrz login.server.uni-frankfurt.de" = {
        hostname = "login.server.uni-frankfurt.de";
        user = "tstraube";
-        identityFile = "${config.home.homeDirectory}/.ssh/tstraube";
+        identityFile = certs.uni;
      };
-      geocom = {
+      geocom3 = {
-        hostname = "geocom.uni-frankfurt.de";
+        hostname = "141.2.194.220";
-        user = "till";
+        user = "tstraube";
-        identityFile = "${config.home.homeDirectory}/.ssh/tstraube";
+        identityFile = certs.uni;
      };
      geocom2 = {
        hostname = "141.2.194.235";
        user = "till";
        identityFile = certs.uni;
      };
      "gitlab gitlab.rz.uni-frankfurt.de" = {
        hostname = "gitlab.rz.uni-frankfurt.de";
        user = "tstraube";
        identityFile = certs.uni;
      };
      "arielle arielle.ktiu.net" = {
        hostname = "arielle.ktiu.net";
        user = "till";
        identityFile = certs.personal;
      };
      "homer fernseher" = {
        hostname = "homer";
        user = "till";
        identityFile = certs.personal;
      };
      # "mila" = {
      #   hostname = "mila";
      #   user = "till";
      #   identityFile = certs.personal;
      # };
    };
  };
 }
--- a/hosts/arielle/default.nix
+++ b/hosts/arielle/default.nix
@ -0,0 +1,13 @@
 { ... }:
 {
  networking.hostName = "arielle";
  networking.domain = "ktiu.net";
  imports = [
    ./hardware
    ../system
    ../system/web-server
    ../system/mail-server
  ];
 }
--- a/hosts/arielle/hardware.nix
+++ b/hosts/arielle/hardware.nix
@ -0,0 +1,28 @@
 { lib, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/087544b8-4941-436b-be6c-e32bc3787b12";
    fsType = "ext4";
  };
  swapDevices = [ 
    { device = "/dev/disk/by-uuid/9408a2ce-646d-406e-8407-c9bafd0a728c"; }
  ];
  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/homer/default.nix
+++ b/hosts/homer/default.nix
@ -0,0 +1,16 @@
 { ... }:
 {
  networking.hostName = "homer";
  imports = [
    ./hardware.nix
    ../system
    ../system/desktop
    ../system/desktop/gnome.nix
    ../system/desktop/steam.nix
    ../system/desktop/remote-desktop.nix
    ../system/media-server.nix
    ../users/guest.nix
  ];
 }
--- a/system/hardware/homer.nix
+++ b/system/hardware/homer.nix
@ -1,13 +1,13 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+{ config, lib, modulesPath, ... }:
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
-  imports =
+  imports = [
-    [ (modulesPath + "/hardware/network/broadcom-43xx.nix")
+    (modulesPath + "/hardware/network/broadcom-43xx.nix")
-      (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
@ -53,14 +53,12 @@
   ];
 };
-  swapDevices = [ ];
+  swapDevices = [{
    device = "/swapfile";
    size = 8 * 1045;
  }];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
--- a/hosts/mila/default.nix
+++ b/hosts/mila/default.nix
@ -0,0 +1,12 @@
 { ... }:
 {
  networking.hostname = "mila";
  imports = [
    ./hardware.nix
    ../system
    ../system/desktop
    ../system/desktop/gnome.nix
  ];
 }
--- a/hosts/nova/default.nix
+++ b/hosts/nova/default.nix
@ -0,0 +1,18 @@
 { config, pkgs, ... }:
 {
  networking.hostName = "nova";
  imports = [
    ./hardware.nix
    ../users/alt.nix
    ../users/guest.nix
    ../system
    ../system/desktop
    ../system/desktop/gnome.nix
    # ../system/desktop/cast.nix
    ../system/desktop/ergodox.nix
    ../system/desktop/steam.nix
    ../system/desktop/yubikey.nix
  ];
 }
--- a/system/hardware/nova.nix
+++ b/system/hardware/nova.nix
@ -10,6 +10,9 @@ in
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" "v4l2loopback" ];
@ -24,15 +27,6 @@ in
    options = [ "subvol=root" "compress=zstd" "discard=async" ];
  };
  # the following subvolumes are automatically mounted and won't be snapshotted:
  # /home/till/.local/share/Steam
  # /home/till/.local/share/Trash
  # /home/till/.cache
  # /home/till/tmp
  # /home/till/.mozilla/firefox/till/storage
  # /home/till/.config/Mattermost/Cache
  # /home/till/.config/Mattermost/Code\ Cache
  fileSystems."/nix" = subvolume // {
    options = [ "subvol=nix" "compress=zstd" "noatime" "discard=async" ];
  };
--- a/system/alt.nix
+++ b/system/alt.nix
@ -1,14 +0,0 @@
 { config, pkgs, ... }:
 {
  users.users.alt = {
    home = "/home/alt";
    isSystemUser = true;
    group = "users";
    description = "Alt";
    extraGroups = [
      "networkmanager"
    ];
    shell = pkgs.fish;
  };
 }
--- a/system/btrbk.nix
+++ b/system/btrbk.nix
@ -1,18 +0,0 @@
 { config, pkgs, ... }:
 {
  services.btrbk = {
    instances.btrbk = {
      onCalendar = "hourly";
      settings = {
        subvolume = "/home";
        snapshot_preserve = "40d";
        snapshot_preserve_min = "4d";
        snapshot_dir = "/btrbk_snapshots";
        target = "/run/media/till/backup/${config.networking.hostName}";
        target_preserve_min = "no";
        target_preserve = "10d 10w 24m";
      };
    };
  };
 }
--- a/system/cosmic.nix
+++ b/system/cosmic.nix
@ -1,5 +0,0 @@
 { config, pkgs, ... }:
 {
   services.desktopManager.cosmic.enable = true;
 }
--- a/system/default.nix
+++ b/system/default.nix
@ -1,6 +1,14 @@
 { config, pkgs, ... }:
 {
  imports = [
    ../users/till.nix
  ];
  networking.networkmanager.enable = true;
  users.mutableUsers = true;
  time.timeZone = "Europe/Berlin";
  programs.fish.enable = true;
  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
@ -9,22 +17,6 @@
    optimise.automatic = true;
  };
  time.timeZone = "Europe/Berlin";
  programs.fish.enable = true;
  users.mutableUsers = true;
  users.users.till = {
    isNormalUser = true;
    description = "Till";
    extraGroups = [ "wheel" ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keyFiles = [
      ./ssh/till${"@"}nova.pub
    ];
  };
  environment.systemPackages = with pkgs; [
    dig.dnsutils
    file
@ -32,19 +24,20 @@
    htop
    killall
    neovim
    netutils
    pwgen
    tree
    unzip
    wget
  ];
-  services = {
+  services.ntp.enable = true;
-    ntp.enable = true;
+
-    openssh.enable = true;
+  services.openssh = {
-    openssh.settings.PasswordAuthentication = false;
+    enable = true;
-    openssh.settings.PermitRootLogin = "no";
+    settings.PasswordAuthentication = false;
    settings.PermitRootLogin = "no";
  };
  system.stateVersion = "22.11";
 }
--- a/system/desktop/btrbk.nix
+++ b/system/desktop/btrbk.nix
@ -0,0 +1,16 @@
 { config, ... }:
 {
  services.btrbk.instances.btrbk = {
    onCalendar = "hourly";
    settings = {
      subvolume = "/home";
      snapshot_preserve = "40d";
      snapshot_preserve_min = "4d";
      snapshot_dir = "/btrbk_snapshots";
      target = "/run/media/till/backup/${config.networking.hostName}";
      target_preserve_min = "no";
      target_preserve = "10d 10w 24m";
    };
  };
 }
--- a/system/desktop/cast.nix
+++ b/system/desktop/cast.nix
--- a/system/desktop/default.nix
+++ b/system/desktop/default.nix
@ -3,12 +3,9 @@
 {
  imports = [
    ./interception-tools.nix
-    ./secrets.nix
+    ./btrbk.nix
  ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.networkmanager = {
    enable = true;
    plugins = with pkgs; [ networkmanager-openvpn ];
@ -20,12 +17,6 @@
    LC_PAPER = "de_DE.UTF-8";
  };
  users.users.till = {
    extraGroups = [
      "networkmanager"
    ];
  };
  services.pulseaudio.enable = false;
  services.pipewire = {
--- a/system/desktop/ergodox-udev.nix
+++ b/system/desktop/ergodox-udev.nix
@ -1,9 +1,7 @@
-{ config, pkgs, ... }:
+{ ... }:
 {
-  services.udev = {
+  services.udev.extraRules = ''
    extraRules = ''
      KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="wheel"
-    '';
+  '';
  };
 }
--- a/system/desktop/gnome.nix
+++ b/system/desktop/gnome.nix
@ -9,13 +9,13 @@
    defaultSession = "gnome";
  };
-  environment.gnome.excludePackages = (with pkgs; [ 
+  environment.gnome.excludePackages = with pkgs; [ 
    gnome-tour
    geary
    yelp
    gnome-contacts
    gnome-initial-setup
-  ]);
+  ];
  environment.systemPackages = with pkgs; [
    gnome-sound-recorder
@ -24,12 +24,10 @@
  ];
  services.gnome.gnome-browser-connector.enable = true;
-
+  # services.gnome.gnome-keyring.enable = lib.mkForce false;
  services.gnome.gnome-keyring.enable = lib.mkForce false;
  programs.kdeconnect = {
    enable = true;
    package = lib.mkForce pkgs.gnomeExtensions.gsconnect;
  };
 }
--- a/system/desktop/interception-tools.nix
+++ b/system/desktop/interception-tools.nix
--- a/system/desktop/media.nix
+++ b/system/desktop/media.nix
--- a/system/desktop/remote-desktop.nix
+++ b/system/desktop/remote-desktop.nix
@ -0,0 +1,5 @@
 { config, pkgs, ... }:
 {
  services.gnome.gnome-remote-desktop.enable = true;
 }
--- a/system/desktop/yubikey-pam.nix
+++ b/system/desktop/yubikey-pam.nix
@ -1,7 +1,6 @@
 { config, pkgs, ... }:
 {
  services.pcscd.enable = true;
  environment.systemPackages = with pkgs; [
@ -20,9 +19,8 @@
    # '';
  };
-  security.pam.services = {
+  # security.pam.services = {
-    login.u2fAuth = true;
+  #   login.u2fAuth = true;
-    sudo.u2fAuth = true;
+  #   sudo.u2fAuth = true;
-  };
+  # };
 }
--- a/system/distrobox.nix
+++ b/system/distrobox.nix
@ -1,10 +0,0 @@
 { config, pkgs, ... }:
 {
  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
  };
  environment.systemPackages = [ pkgs.distrobox ];
 }
--- a/system/hardware/arielle.nix
+++ b/system/hardware/arielle.nix
@ -1,33 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/087544b8-4941-436b-be6c-e32bc3787b12";
      fsType = "ext4";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/9408a2ce-646d-406e-8407-c9bafd0a728c"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/system/hardware/ernst.nix
+++ b/system/hardware/ernst.nix
@ -1,33 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "ums_realtek" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/35ee7723-47bd-49de-b211-73550c14d765";
      fsType = "ext4";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp9s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/system/hardware/romulus.nix
+++ b/system/hardware/romulus.nix
@ -1,58 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d9731b0f-57a1-42ba-b9bd-92e225df5bc2";
      fsType = "btrfs";
      options = [ "subvol=root" "compress=zstd" ];
    };
  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/d1bb3d19-d95f-4486-8350-2f3a5b473881";
  fileSystems."/swap" =
    { device = "/dev/disk/by-uuid/d9731b0f-57a1-42ba-b9bd-92e225df5bc2";
      fsType = "btrfs";
      options = [ "subvol=swap" ];
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/d9731b0f-57a1-42ba-b9bd-92e225df5bc2";
      fsType = "btrfs";
      options = [ "subvol=home" "compress=zstd" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/d9731b0f-57a1-42ba-b9bd-92e225df5bc2";
      fsType = "btrfs";
      options = [ "subvol=nix" "noatime" "compress=zstd" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/EB36-69BF";
      fsType = "vfat";
    };
  swapDevices = [ { device = "/swap/swapfile"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/system/hardware/tron.nix
+++ b/system/hardware/tron.nix
@ -1,64 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 let
  subvolume = {
    # device = "/dev/disk/by-uuid/6a0d25d4-0253-4467-85cc-ab3e0ef71f54";
    fsType = "btrfs";
  };
 in
 {
  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" "v4l2loopback" ];
  boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ];
  boot.initrd.luks.devices."cryptroot" = {
    # device = "/dev/disk/by-uuid/eaad533f-8586-4002-9c53-5aecf8e7abd8";
    allowDiscards = true;
  };
  fileSystems."/" = subvolume // {
    options = [ "subvol=root" "compress=zstd" "discard=async" ];
  };
  # the following subvolumes are automatically mounted and won't be snapshotted:
  # /home/till/.local/share/Steam
  # /home/till/.local/share/Trash
  # /home/till/.cache
  # /home/till/tmp
  # /home/till/.mozilla/firefox/till/storage
  # /home/till/.config/Mattermost/Cache
  # /home/till/.config/Mattermost/Code\ Cache
  fileSystems."/nix" = subvolume // {
    options = [ "subvol=nix" "compress=zstd" "noatime" "discard=async" ];
  };
  fileSystems."/home" = subvolume // {
    options = [ "subvol=home" "compress=zstd" "discard=async" ];
  };
  fileSystems."/boot" = {
    # device = "/dev/disk/by-uuid/7362-C4C4";
    fsType = "vfat";
  };
  swapDevices = [{
    device = "/swapfile";
    size = 8 * 1045;
  }];
  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.trackpoint.enable = true;
  boot.kernelParams = [ "psmouse.elantech_smbus=0" ];
 }
--- a/system/hyprland.nix
+++ b/system/hyprland.nix
@ -1,17 +0,0 @@
 { config, pkgs, ... }:
 {
  programs.uwsm.enable = true;
  programs.hyprland = {
    enable = true;
    withUWSM = true;
  };
  programs.waybar.enable = true;
  environment.systemPackages = with pkgs; [
    swaynotificationcenter
    tofi
  ];
 }
--- a/system/web-server/mail/default.nix
+++ b/system/web-server/mail/default.nix
--- a/system/web-server/mail/dkim.nix
+++ b/system/web-server/mail/dkim.nix
--- a/system/web-server/mail/dovecot.nix
+++ b/system/web-server/mail/dovecot.nix
--- a/system/web-server/mail/postfix.nix
+++ b/system/web-server/mail/postfix.nix
--- a/system/web-server/mail/roundcube.nix
+++ b/system/web-server/mail/roundcube.nix
--- a/system/plasma.nix
+++ b/system/plasma.nix
@ -1,5 +0,0 @@
 { config, pkgs, ... }:
 {
  services.desktopManager.plasma6.enable = true;
 }
--- a/system/remote-desktop.nix
+++ b/system/remote-desktop.nix
@ -1,5 +0,0 @@
 { config, pkgs, ... }:
 {
  services.gnome.gnome-remote-desktop.enable = true
 }
--- a/system/secrets.nix
+++ b/system/secrets.nix
@ -1,14 +0,0 @@
 { config, pkgs, ... }:
 {
  programs.gnupg.agent = {
    enable = true;
    pinentryPackage = pkgs.pinentry-gnome3;
    enableSSHSupport = true;
    settings = {
      # disable-scdaemon = "";
    };
  };
 }
--- a/system/steam.nix
+++ b/system/steam.nix
@ -1,5 +0,0 @@
 { config, pkgs, ... }:
 {
  programs.steam.enable = true;
 }
--- a/system/sway.nix
+++ b/system/sway.nix
@ -1,20 +0,0 @@
 { config, pkgs, ... }:
 {
  programs.sway = {
    enable = true;
    wrapperFeatures.gtk = true;
  };
  programs.waybar.enable = true;
  services.gnome.gnome-keyring.enable = true;
  environment.systemPackages = with pkgs; [
    grim
    slurp
    wl-clipboard
    swaynotificationcenter
    tofi
  ];
 }
--- a/system/web-server/default.nix
+++ b/system/web-server/default.nix
@ -1,64 +1,16 @@
-{ config, pkgs, ... }:
+{ ... }:
 {
-  nixpkgs.config.allowUnfree = true;
+  imports = [
    ./nginx.nix
    ./letsencrypt.nix
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+    ./forgejo.nix
-
+    ./outline.nix
-  services.nginx = {
+    ./radicale.nix
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "${config.networking.domain}" = {
        onlySSL = true;
        useACMEHost = config.networking.domain;
        locations."/" = {
          return = "200 'This domain used for e-mail hosting only.'";
          extraConfig = ''
            add_header Content-Type text/plain;
          '';
        };
      };
      "${config.networking.fqdn}-80" = {
        serverAliases = [
          "*.ktiu.net"
          "*.t9e.me"
        ];
        locations."/.well-known/acme-challenge" = {
          root = "/var/lib/acme/.challenges";
        };
        locations."/" = {
          return = "301 https://$host$request_uri";
        };
      };
      "${config.networking.fqdn}" = {
        onlySSL = true;
        useACMEHost = config.networking.domain;
        locations."/" = {
          return = "404";
        };
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "till@ktiu.net";
    certs."${config.networking.domain}" = {
      domain = config.networking.domain;
      webroot = "/var/lib/acme/.challenges";
      group = config.services.nginx.group;
      extraDomainNames = [ config.networking.fqdn ];
    };
  };
    # ./ksh.nix
    ./ksh-map.nix
    ./oopsidenfiy.nix
  ];
 }
--- a/system/web-server/jenkins.nix
+++ b/system/web-server/jenkins.nix
@ -1,23 +0,0 @@
 { config, pkgs, ... }:
 {
  services.jenkins = {
    enable = true;
    port = 7401;
  };
  security.acme.certs."${config.networking.domain}".extraDomainNames = [
    "jenkins.${config.networking.domain}"
  ];
  services.nginx.virtualHosts = {
    "jenkins.${config.networking.domain}" = {
      onlySSL = true;
      useACMEHost = config.networking.domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.jenkins.port}";
        proxyWebsockets = true;
      };
    };
  };
 }
--- a/system/web-server/kein-schlussstrich-hessen.org
+++ b/system/web-server/kein-schlussstrich-hessen.org
@ -11,7 +11,7 @@
    serverAliases = [
      "www.kein-schlussstrich-hessen.de"
      "www.kein-schlussstrich-hessen.org"
-    ]
+    ];
    globalRedirect = "kein-schlussstrich-hessen.org";
    enableACME = true;
  };
--- a/system/web-server/letsencrypt.nix
+++ b/system/web-server/letsencrypt.nix
@ -0,0 +1,29 @@
 { config, ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "till@ktiu.net";
    certs."${config.networking.domain}" = {
      domain = config.networking.domain;
      webroot = "/var/lib/acme/.challenges";
      group = config.services.nginx.group;
      extraDomainNames = [ config.networking.fqdn ];
    };
  };
  services.nginx.virtualHosts = {
    "${config.networking.fqdn}-80" = {
      serverAliases = [
        "*.ktiu.net"
        "*.t9e.me"
      ];
      locations."/.well-known/acme-challenge" = {
        root = "/var/lib/acme/.challenges";
      };
      locations."/" = {
        return = "301 https://$host$request_uri";
      };
    };
  };
 }
--- a/system/web-server/nginx.nix
+++ b/system/web-server/nginx.nix
@ -0,0 +1,34 @@
 { config, ... }:
 {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "${config.networking.domain}" = {
        onlySSL = true;
        useACMEHost = config.networking.domain;
        locations."/" = {
          return = "200 'This domain used for e-mail hosting only.'";
          extraConfig = ''
            add_header Content-Type text/plain;
          '';
        };
      };
      "${config.networking.fqdn}" = {
        onlySSL = true;
        useACMEHost = config.networking.domain;
        locations."/" = {
          return = "404";
        };
      };
    };
  };
 }
--- a/system/web-server/outline.nix
+++ b/system/web-server/outline.nix
@ -1,6 +1,7 @@
 { config, pkgs, ... }:
 {
  # imports = [ ./dex.nix ];
  # environment.systemPackages = with pkgs; [
  #   openssl
--- a/system/xfce.nix
+++ b/system/xfce.nix
@ -1,7 +0,0 @@
 { config, pkgs, ... }:
 {
   services.xserver.enable = true;
   services.xserver.displayManager.lightdm.enable = true;
   services.xserver.desktopManager.xfce.enable = true;
 }
--- a/template.nix
+++ b/template.nix
@ -0,0 +1,7 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
  ];
 }
--- a/system/ssh/till@nova.pub
+++ b/system/ssh/till@nova.pub
--- a/users/alt.nix
+++ b/users/alt.nix
@ -0,0 +1,10 @@
 { config, pkgs, ... }:
 {
  users.users.alt = {
    isNormalUser = true;
    description = "Alt";
    extraGroups = [ "networkmanager" ];
    shell = pkgs.fish;
  };
 }
--- a/system/guest.nix
+++ b/system/guest.nix
@ -2,16 +2,12 @@
 {
  users.users.guest = {
    home = "/home/guest";
    isNormalUser = true;
    group = "users";
    description = "Guest";
-    extraGroups = [
+    extraGroups = [ "networkmanager" ];
      "networkmanager"
    ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keyFiles = [
-      ./ssh/till${"@"}nova.pub
+      ../../till${"@"}nova.pub
    ];
  };
 }
--- a/users/till.nix
+++ b/users/till.nix
@ -0,0 +1,16 @@
 { pkgs, ... }:
 {
  users.users.till = {
    isNormalUser = true;
    description = "Till";
    extraGroups = [
      "wheel"
      "networkmanager"
    ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keyFiles = [
      ../../till${"@"}nova.pub
    ];
  };
 }