nixos: system: podman: persist data

TODO:
* Look at for more inspiration https://github.com/nix-community/impermanence/pull/108
* Do home-manager
* Common files https://github.com/nix-community/impermanence/issues/10

flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718371084,
-        "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1717285511,
-        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -136,11 +136,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719438532,
-        "narHash": "sha256-/Vmso2ZMoFE3M7d1MRsQ2K5sR8CVKnrM6t1ys9Xjpz4=",
+        "lastModified": 1730837930,
+        "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "1a4f12ae0bda877ec4099b429cf439aad897d7e9",
+        "rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
         "type": "github"
       },
       "original": {
@@ -150,13 +150,29 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1697303681,
+        "narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "0f317c2e9e56550ce12323eb39302d251618f5b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "master",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719254875,
-        "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=",
+        "lastModified": 1730785428,
+        "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60",
+        "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
         "type": "github"
       },
       "original": {
@@ -168,11 +184,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1719564461,
-        "narHash": "sha256-wCFs1sf1tPoV3nCG5N5KaakAKm88FyzN6pRdOsOqNZg=",
+        "lastModified": 1730885145,
+        "narHash": "sha256-UPrBEY0No1O3ULb67xYjRh2r3u7MnZovfo1oYSPCIxI=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "7369862c4a8f293f6fde79044369dad7dfc04798",
+        "rev": "c0d8828600ef47d475e6ec33513bf9af6eb6b991",
         "type": "github"
       },
       "original": {
@@ -194,11 +210,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719259945,
-        "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
+        "lastModified": 1730814269,
+        "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
+        "rev": "d70155fdc00df4628446352fc58adc640cd705c2",
         "type": "github"
       },
       "original": {
@@ -214,6 +230,7 @@
         "flake-parts": "flake-parts",
         "futils": "futils",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
         "nixpkgs": "nixpkgs",
         "nur": "nur",
         "pre-commit-hooks": "pre-commit-hooks",

flake.nix

@@ -43,6 +43,13 @@
       };
     };
 
+    impermanence = {
+      type = "github";
+      owner = "nix-community";
+      repo = "impermanence";
+      ref = "master";
+    };
+
     nixpkgs = {
       type = "github";
       owner = "NixOS";

hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 cKojmg xRtF3XVc7yPicAV/E4U7mn0itvD0h1BWBTjwunuoe2E
-OkB9sjGB3ulH4Feuyj3Ed0DBG4+mghW/Qpum9oXL/8c
--> ssh-ed25519 jPowng 1r8drqhz1yZdTq0Kvqya+ArU1C2fkN7Gg9LiWWfeUFg
-cjbxntVwHvqLaJpiKs/Y8ojeb6e3/cLFcsoeuoobfFg
---- B1qA2PylJBrdZxZtCzlU2kRPvxLM+IrXTvR+ERxVtTY
-"W9<57>Äbg¸©~Ì/áÕb4ãÕ†ú³ÜÔIÊ
-Û}ð
§ËÅË-³²ªNó±”ÑC7vWœbºØ?¦8=œÉwÆBÃUpJClï²OÈ™³œnOÁ\

hosts/nixos/porthos/secrets/pdf-edit/login.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg VYlHgHSLpfKb5bn1XA3aCpfX7M23DgbraLxxOfo9PDk
+Rj+mDvAsWX3WwpuhTrOubmo17j/aud5+P87df5bosBA
+-> ssh-ed25519 jPowng o9ZFaYrITZ6DjWw07Vk/+TkuU187/ytlEK4sw7G32G4
+zmxlpDvDDEgQFqBVARXeX1ABhvfJ4uAHfa6mIxXzjAY
+--- k/d9FWW8/OSo8EllwOBV74pZyX918u54jEljGk3ATUc
+ü4+ø2{‘hE7!Ò­GA`×<>_@Íß—´
¡R_ý§6J„ñL4v,‚6%ô‡øó#^®	Ù¹
åB­§OøF‚|’7ܽÉL]œÙjR¨
+BþóÛ¾éaòs]xS<78>Î	pbÞo#¬J1QŸ=t}5Õ>Oï‘{+¼.
M"7e»yý÷—

hosts/nixos/porthos/secrets/secrets.nix

@@ -48,9 +48,6 @@ in
     owner = "matrix-synapse";
     publicKeys = all;
   };
-  "matrix/sliding-sync-secret.age" = {
-    publicKeys = all;
-  };
 
   "mealie/mail.age" = {
     publicKeys = all;
@@ -77,13 +74,24 @@ in
   "paperless/password.age".publicKeys = all;
   "paperless/secret-key.age".publicKeys = all;
 
+  "pdf-edit/login.age".publicKeys = all;
+
   "podgrab/password.age".publicKeys = all;
 
   "pyload/credentials.age".publicKeys = all;
 
-  "sso/auth-key.age".publicKeys = all;
-  "sso/ambroisie/password-hash.age".publicKeys = all;
-  "sso/ambroisie/totp-secret.age".publicKeys = all;
+  "sso/auth-key.age" = {
+    owner = "nginx-sso";
+    publicKeys = all;
+  };
+  "sso/ambroisie/password-hash.age" = {
+    owner = "nginx-sso";
+    publicKeys = all;
+  };
+  "sso/ambroisie/totp-secret.age" = {
+    owner = "nginx-sso";
+    publicKeys = all;
+  };
 
   "tandoor-recipes/secret-key.age".publicKeys = all;
 

hosts/nixos/porthos/services.nix

@@ -69,9 +69,6 @@ in
       mailConfigFile = secrets."matrix/mail".path;
       # Only necessary when doing the initial registration
       secretFile = secrets."matrix/secret".path;
-      slidingSync = {
-        secretFile = secrets."matrix/sliding-sync-secret".path;
-      };
     };
     mealie = {
       enable = true;
@@ -127,20 +124,10 @@ in
       passwordFile = secrets."paperless/password".path;
       secretKeyFile = secrets."paperless/secret-key".path;
     };
-    # The whole *arr software suite
-    pirate = {
+    # Sometimes, editing PDFs is useful
+    pdf-edit = {
       enable = true;
-      # ... But not Lidarr because I don't care for music that much
-      lidarr = {
-        enable = false;
-      };
-    };
-    # Podcast automatic downloader
-    podgrab = {
-      enable = true;
-      passwordFile = secrets."podgrab/password".path;
-      dataDir = "/data/media/podcasts";
-      port = 9598;
+      loginFile = secrets."pdf-edit/login".path;
     };
     # Regular backups
     postgresql-backup.enable = true;
@@ -152,7 +139,15 @@ in
     rss-bridge.enable = true;
     # Usenet client
     sabnzbd.enable = true;
-    # Because I stilll need to play sysadmin
+    # The whole *arr software suite
+    servarr = {
+      enable = true;
+      # ... But not Lidarr because I don't care for music that much
+      lidarr = {
+        enable = false;
+      };
+    };
+    # Because I still need to play sysadmin
     ssh-server.enable = true;
     # Recipe manager
     tandoor-recipes = {

modules/home/atuin/default.nix

@@ -1,15 +1,19 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.my.home.atuin;
 in
 {
   options.my.home.atuin = with lib; {
     enable = my.mkDisableOption "atuin configuration";
+
+    # I want the full experience by default
+    package = mkPackageOption pkgs "atuin" { };
   };
 
   config = lib.mkIf cfg.enable {
     programs.atuin = {
       enable = true;
+      inherit (cfg) package;
 
       flags = [
         # I *despise* this hijacking of the up key, even though I use Ctrl-p

modules/home/calibre/default.nix

@@ -5,11 +5,13 @@ in
 {
   options.my.home.calibre = with lib; {
     enable = mkEnableOption "calibre configuration";
+
+    package = mkPackageOption pkgs "calibre" { };
   };
 
   config = lib.mkIf cfg.enable {
     home.packages = with pkgs; [
-      calibre
+      cfg.package
     ];
   };
 }

modules/home/direnv/lib/android.sh

@@ -1,4 +1,4 @@
-#shellcheck shell=bash
+# shellcheck shell=bash
 
 # shellcheck disable=2155
 use_android() {
@@ -32,10 +32,16 @@ use_android() {
             -b|--build-tools)
                 build_tools_version="$2"
                 shift 2
+                if ! [ -e "$ANDROID_HOME/build-tools/$build_tools_version" ]; then
+                    log_error "use_android: build-tools version '$build_tools_version' does not exist"
+                fi
                 ;;
             -n|--ndk)
                 ndk_version="$2"
                 shift 2
+                if ! [ -e "$ANDROID_HOME/ndk/$ndk_version" ]; then
+                    log_error "use_android: NDK version '$ndk_version' does not exist"
+                fi
                 ;;
             --)
                 shift

modules/home/direnv/lib/nix.sh

@@ -1,4 +1,4 @@
-#shellcheck shell=bash
+# shellcheck shell=bash
 
 use_pkgs() {
     if ! has nix; then

modules/home/direnv/lib/postgres.sh

@@ -1,4 +1,4 @@
-#shellcheck shell=bash
+# shellcheck shell=bash
 
 layout_postgres() {
     if ! has postgres || ! has initdb; then

modules/home/direnv/lib/python.sh

@@ -1,4 +1,4 @@
-#shellcheck shell=bash
+# shellcheck shell=bash
 
 layout_poetry() {
     if ! has poetry; then
@@ -9,12 +9,12 @@ layout_poetry() {
 
     if [[ ! -f pyproject.toml ]]; then
         # shellcheck disable=2016
-        log_error 'layout_poetry: no pyproject.toml found. Use `poetry new` or `poetry init` to create one first'
+        log_error 'layout_poetry: no pyproject.toml found. Use `poetry init` to create one first'
         return 1
     fi
 
     # create venv if it doesn't exist
-    poetry run true
+    poetry run -q -- true
 
     # shellcheck disable=2155
     export VIRTUAL_ENV=$(poetry env info --path)
@@ -23,3 +23,34 @@ layout_poetry() {
     watch_file pyproject.toml
     watch_file poetry.lock
 }
+
+layout_uv() {
+    if ! has uv; then
+        # shellcheck disable=2016
+        log_error 'layout_uv: `uv` is not in PATH'
+        return 1
+    fi
+
+    if [[ ! -f pyproject.toml ]]; then
+        # shellcheck disable=2016
+        log_error 'layout_uv: no pyproject.toml found. Use `uv init` to create one first'
+        return 1
+    fi
+
+    local default_venv="$PWD/.venv"
+    : "${VIRTUAL_ENV:=$default_venv}"
+
+    # Use non-default venv path if required
+    if [ "$VIRTUAL_ENV" != "$default_venv" ]; then
+        export UV_PROJECT_ENVIRONMENT="$VIRTUAL_ENV"
+    fi
+
+    # create venv if it doesn't exist
+    uv venv -q
+
+    export VIRTUAL_ENV
+    export UV_ACTIVE=1
+    PATH_add "$VIRTUAL_ENV/bin"
+    watch_file pyproject.toml
+    watch_file uv.lock
+}

modules/home/discord/default.nix

@@ -7,11 +7,13 @@ in
 {
   options.my.home.discord = with lib; {
     enable = mkEnableOption "discord configuration";
+
+    package = mkPackageOption pkgs "discord" { };
   };
 
   config = lib.mkIf cfg.enable {
     home.packages = with pkgs; [
-      discord
+      cfg.package
     ];
 
     xdg.configFile."discord/settings.json".source =

modules/home/firefox/tridactyl/tridactylrc

@@ -4,7 +4,7 @@
 " Use dark color scheme
 colorscheme dark
 
-" Make tridactyl open Vim in my prefered terminal
+" Make tridactyl open Vim in my preferred terminal
 set editorcmd @editorcmd@
 
 " Remove editor file after use

modules/home/gdb/default.nix

@@ -6,33 +6,28 @@ in
   options.my.home.gdb = with lib; {
     enable = my.mkDisableOption "gdb configuration";
 
+    package = mkPackageOption pkgs "gdb" { };
+
     rr = {
       enable = my.mkDisableOption "rr configuration";
 
-      package = mkOption {
-        type = types.package;
-        default = pkgs.rr;
-        defaultText = literalExample "pkgs.rr";
-        description = ''
-          Package providing rr
-        '';
-      };
+      package = mkPackageOption pkgs "rr" { };
     };
   };
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
     {
       home.packages = with pkgs; [
-        gdb
+        cfg.package
       ];
 
       xdg = {
         configFile."gdb/gdbinit".source = ./gdbinit;
-        dataFile. "gdb/.keep".text = "";
+        stateFile."gdb/.keep".text = "";
       };
 
       home.sessionVariables = {
-        GDBHISTFILE = "${config.xdg.dataHome}/gdb/gdb_history";
+        GDBHISTFILE = "${config.xdg.stateHome}/gdb/gdb_history";
       };
     }
 

modules/home/gtk/default.nix

@@ -21,12 +21,12 @@ in
     };
 
     iconTheme = {
-      package = pkgs.gnome.gnome-themes-extra;
+      package = pkgs.gnome-themes-extra;
       name = "Adwaita";
     };
 
     theme = {
-      package = pkgs.gnome.gnome-themes-extra;
+      package = pkgs.gnome-themes-extra;
       name = "Adwaita";
     };
   };

modules/home/mail/accounts/default.nix

@@ -58,7 +58,7 @@ in
 {
   config.accounts.email.accounts = {
     personal = lib.mkMerge [
-      # Common configuraton
+      # Common configuration
       (mkConfig {
         domain = "belanyi.fr";
         address = "bruno";
@@ -70,7 +70,7 @@ in
     ];
 
     gmail = lib.mkMerge [
-      # Common configuraton
+      # Common configuration
       (mkConfig {
         domain = "gmail.com";
         address = "brunobelanyi";

modules/home/nix/default.nix

@@ -22,6 +22,10 @@ in
   options.my.home.nix = with lib; {
     enable = my.mkDisableOption "nix configuration";
 
+    gc = {
+      enable = my.mkDisableOption "nix GC configuration";
+    };
+
     cache = {
       selfHosted = my.mkDisableOption "self-hosted cache";
     };
@@ -60,6 +64,22 @@ in
       };
     }
 
+    (lib.mkIf cfg.gc.enable {
+      nix.gc = {
+        automatic = true;
+
+        # Every week, with some wiggle room
+        frequency = "weekly";
+        randomizedDelaySec = "10min";
+
+        # Use a persistent timer for e.g: laptops
+        persistent = true;
+
+        # Delete old profiles automatically after 15 days
+        options = "--delete-older-than 15d";
+      };
+    })
+
     (lib.mkIf cfg.cache.selfHosted {
       nix = {
         settings = {

modules/home/nixpkgs/default.nix

@@ -13,8 +13,8 @@ in
     ];
 
     home.sessionVariables = {
-      GITHUB_TOKEN = ''$(cat ${lib.escapeShellArg config.age.secrets."github/token".path})'';
-      GITHUB_API_TOKEN = ''$(cat ${lib.escapeShellArg config.age.secrets."github/token".path})'';
+      GITHUB_TOKEN = ''$(cat "${config.age.secrets."github/token".path}")'';
+      GITHUB_API_TOKEN = ''$(cat "${config.age.secrets."github/token".path}")'';
     };
   };
 }

modules/home/pager/default.nix

@@ -15,7 +15,7 @@ in
       # Clear the screen on start and exit
       LESS = "-R -+X -c";
       # Better XDG compliance
-      LESSHISTFILE = "${config.xdg.dataHome}/less/history";
+      LESSHISTFILE = "${config.xdg.stateHome}/less/history";
       LESSKEY = "${config.xdg.configHome}/less/lesskey";
     };
   };

modules/home/tmux/default.nix

@@ -30,7 +30,7 @@ in
       });
 
       default = { ${config.my.home.terminal.program} = { }; };
-      defaultText = litteralExpression ''
+      defaultText = literalExpression ''
         { ''${config.my.home.terminal.program} = { }; };
       '';
       example = { xterm-256color = { }; };

modules/home/vim/after/ftplugin/netrw.vim

@@ -1,6 +0,0 @@
-" Create the `b:undo_ftplugin` variable if it doesn't exist
-call ftplugined#check_undo_ft()
-
-" Don't show Netrw in buffer list
-setlocal bufhidden=delete
-let b:undo_ftplugin='|setlocal bufhidden<'

modules/home/vim/after/plugin/mappings/misc.lua

@@ -1,7 +0,0 @@
-local wk = require("which-key")
-
-local keys = {
-    ["<leader>"] = { "<cmd>nohls<CR>", "Clear search highlight" },
-}
-
-wk.register(keys, { prefix = "<leader>" })

modules/home/vim/after/plugin/mappings/telescope.lua

@@ -1,15 +0,0 @@
-local wk = require("which-key")
-local telescope_builtin = require("telescope.builtin")
-
-local keys = {
-    f = {
-        name = "Fuzzy finder",
-        b = { telescope_builtin.buffers, "Open buffers" },
-        f = { telescope_builtin.git_files, "Git tracked files" },
-        F = { telescope_builtin.find_files, "Files" },
-        g = { telescope_builtin.live_grep, "Grep string" },
-        G = { telescope_builtin.grep_string, "Grep string under cursor" },
-    },
-}
-
-wk.register(keys, { prefix = "<leader>" })

modules/home/vim/after/plugin/mappings/tree-sitter-textobjects.lua

@@ -1,30 +0,0 @@
-local wk = require("which-key")
-
-local motions = {
-    ["]m"] = "Next method start",
-    ["]M"] = "Next method end",
-    ["]S"] = "Next statement start",
-    ["]]"] = "Next class start",
-    ["]["] = "Next class end",
-    ["[m"] = "Previous method start",
-    ["[M"] = "Previous method end",
-    ["[S"] = "Previous statement start",
-    ["[["] = "Previous class start",
-    ["[]"] = "Previous class end",
-}
-
-local objects = {
-    ["aa"] = "a parameter",
-    ["ia"] = "inner parameter",
-    ["ab"] = "a block",
-    ["ib"] = "inner block",
-    ["ac"] = "a class",
-    ["ic"] = "inner class",
-    ["af"] = "a function",
-    ["if"] = "inner function",
-    ["ak"] = "a comment",
-    ["aS"] = "a statement",
-}
-
-wk.register(motions, { mode = "n" })
-wk.register(objects, { mode = "o" })

modules/home/vim/after/plugin/mappings/unimpaired.lua

@@ -3,126 +3,124 @@ local wk = require("which-key")
 local lsp = require("ambroisie.lsp")
 
 local keys = {
-    -- Edition and navigation mappins
-    ["["] = {
-        name = "Previous",
-        ["<space>"] = "Insert blank line above",
-        ["<C-L>"] = "Previous location list file",
-        ["<C-Q>"] = "Previous quickfix list file",
-        ["<C-T>"] = "Previous tag in preview window",
-        a = "Previous argument",
-        A = "First argument",
-        b = "Previous buffer",
-        B = "First buffer",
-        e = "Exchange previous line",
-        f = "Previous file in directory",
-        l = "Previous location list entry",
-        L = "First Location list entry",
-        n = "Previous conflict marker/diff hunk",
-        p = "Paste line above",
-        P = "Paste line above",
-        q = "Previous quickfix list entry",
-        Q = "First quickfix list entry",
-        t = "Previous matching tag",
-        T = "First matching tag",
-        z = "Previous fold",
-        -- Encoding
-        C = "C string encode",
-        u = "URL encode",
-        x = "XML encode",
-        y = "C string encode",
-        -- Custom
-        d = { lsp.goto_prev_diagnostic, "Previous diagnostic" },
-    },
-    ["]"] = {
-        name = "Next",
-        ["<space>"] = "Insert blank line below",
-        ["<C-L>"] = "Next location list file",
-        ["<C-Q>"] = "Next quickfix list file",
-        ["<C-T>"] = "Next tag in preview window",
-        a = "Next argument",
-        A = "Last argument",
-        b = "Next buffer",
-        B = "Last buffer",
-        e = "Exchange next line",
-        f = "Next file in directory",
-        l = "Next location list entry",
-        L = "Last Location list entry",
-        n = "Next conflict marker/diff hunk",
-        p = "Paste line below",
-        P = "Paste line below",
-        q = "Next quickfix list entry",
-        Q = "Last quickfix list entry",
-        t = "Next matching tag",
-        T = "Last matching tag",
-        z = "Next fold",
-        -- Decoding
-        C = "C string decode",
-        u = "URL decode",
-        x = "XML decode",
-        y = "C string decode",
-        -- Custom
-        d = { lsp.goto_next_diagnostic, "Next diagnostic" },
-    },
+    -- Previous
+    { "[", group = "Previous" },
+    -- Edition and navigation mappings
+    { "[<space>", desc = "Insert blank line above" },
+    { "[<C-L>", desc = "Previous location list file" },
+    { "[<C-Q>", desc = "Previous quickfix list file" },
+    { "[<C-T>", desc = "Previous tag in preview window" },
+    { "[a", desc = "Previous argument" },
+    { "[A", desc = "First argument" },
+    { "[b", desc = "Previous buffer" },
+    { "[B", desc = "First buffer" },
+    { "[e", desc = "Exchange previous line" },
+    { "[f", desc = "Previous file in directory" },
+    { "[l", desc = "Previous location list entry" },
+    { "[L", desc = "First Location list entry" },
+    { "[n", desc = "Previous conflict marker/diff hunk" },
+    { "[p", desc = "Paste line above" },
+    { "[P", desc = "Paste line above" },
+    { "[q", desc = "Previous quickfix list entry" },
+    { "[Q", desc = "First quickfix list entry" },
+    { "[t", desc = "Previous matching tag" },
+    { "[T", desc = "First matching tag" },
+    { "[z", desc = "Previous fold" },
+    -- Encoding
+    { "[C", desc = "C string encode" },
+    { "[u", desc = "URL encode" },
+    { "[x", desc = "XML encode" },
+    { "[y", desc = "C string encode" },
+    -- Custom
+    { "[d", lsp.goto_prev_diagnostic, desc = "Previous diagnostic" },
 
-    -- Option mappings
-    ["[o"] = {
-        name = "Enable option",
-        b = "Light background",
-        c = "Cursor line",
-        d = "Diff",
-        f = { "<cmd>FormatEnable<CR>", "LSP Formatting" },
-        h = "Search high-lighting",
-        i = "Case insensitive search",
-        l = "List mode",
-        n = "Line numbers",
-        r = "Relative line numbers",
-        p = { "<cmd>lwindow<CR>", "Location list" },
-        q = { "<cmd>cwindow<CR>", "Quickfix list" },
-        u = "Cursor column",
-        v = "Virtual editing",
-        w = "Text wrapping",
-        x = "Cursor line and column",
-        z = "Spell checking",
-    },
-    ["]o"] = {
-        name = "Option off",
-        b = "Light background",
-        c = "Cursor line",
-        d = "Diff",
-        f = { "<cmd>FormatDisable<CR>", "LSP Formatting" },
-        h = "Search high-lighting",
-        i = "Case insensitive search",
-        l = "List mode",
-        n = "Line numbers",
-        p = { "<cmd>lclose<CR>", "Location list" },
-        q = { "<cmd>cclose<CR>", "Quickfix list" },
-        r = "Relative line numbers",
-        u = "Cursor column",
-        v = "Virtual editing",
-        w = "Text wrapping",
-        x = "Cursor line and column",
-        z = "Spell checking",
-    },
-    ["yo"] = {
-        name = "Option toggle",
-        b = "Light background",
-        c = "Cursor line",
-        d = "Diff",
-        f = { "<cmd>FormatToggle<CR>", "LSP Formatting" },
-        h = "Search high-lighting",
-        i = "Case insensitive search",
-        l = "List mode",
-        n = "Line numbers",
-        p = { "<Plug>(qf_loc_toggle)", "Location list" },
-        q = { "<Plug>(qf_qf_toggle)", "Quickfix list" },
-        r = "Relative line numbers",
-        u = "Cursor column",
-        v = "Virtual editing",
-        w = "Text wrapping",
-        x = "Cursor line and column",
-        z = "Spell checking",
-    },
+    -- Next
+    { "]", group = "Next" },
+    -- Edition and navigation mappings
+    { "]<space>", desc = "Insert blank line below" },
+    { "]<C-L>", desc = "Next location list file" },
+    { "]<C-Q>", desc = "Next quickfix list file" },
+    { "]<C-T>", desc = "Next tag in preview window" },
+    { "]a", desc = "Next argument" },
+    { "]A", desc = "Last argument" },
+    { "]b", desc = "Next buffer" },
+    { "]B", desc = "Last buffer" },
+    { "]e", desc = "Exchange next line" },
+    { "]f", desc = "Next file in directory" },
+    { "]l", desc = "Next location list entry" },
+    { "]L", desc = "Last Location list entry" },
+    { "]n", desc = "Next conflict marker/diff hunk" },
+    { "]p", desc = "Paste line below" },
+    { "]P", desc = "Paste line below" },
+    { "]q", desc = "Next quickfix list entry" },
+    { "]Q", desc = "Last quickfix list entry" },
+    { "]t", desc = "Next matching tag" },
+    { "]T", desc = "Last matching tag" },
+    { "]z", desc = "Next fold" },
+    -- Decoding
+    { "]C", desc = "C string decode" },
+    { "]u", desc = "URL decode" },
+    { "]x", desc = "XML decode" },
+    { "]y", desc = "C string decode" },
+    -- Custom
+    { "]d", lsp.goto_next_diagnostic, desc = "Next diagnostic" },
+
+    -- Enable option
+    { "[o", group = "Enable option" },
+    { "[ob", desc = "Light background" },
+    { "[oc", desc = "Cursor line" },
+    { "[od", desc = "Diff" },
+    { "[of", "<cmd>FormatEnable<CR>", desc = "LSP Formatting" },
+    { "[oh", desc = "Search high-lighting" },
+    { "[oi", desc = "Case insensitive search" },
+    { "[ol", desc = "List mode" },
+    { "[on", desc = "Line numbers" },
+    { "[or", desc = "Relative line numbers" },
+    { "[op", "<cmd>lwindow<CR>", desc = "Location list" },
+    { "[oq", "<cmd>cwindow<CR>", desc = "Quickfix list" },
+    { "[ou", desc = "Cursor column" },
+    { "[ov", desc = "Virtual editing" },
+    { "[ow", desc = "Text wrapping" },
+    { "[ox", desc = "Cursor line and column" },
+    { "[oz", desc = "Spell checking" },
+
+    -- Disable option
+    { "]o", group = "Disable option" },
+    { "]ob", desc = "Light background" },
+    { "]oc", desc = "Cursor line" },
+    { "]od", desc = "Diff" },
+    { "]of", "<cmd>FormatDisable<CR>", desc = "LSP Formatting" },
+    { "]oh", desc = "Search high-lighting" },
+    { "]oi", desc = "Case insensitive search" },
+    { "]ol", desc = "List mode" },
+    { "]on", desc = "Line numbers" },
+    { "]op", "<cmd>lclose<CR>", desc = "Location list" },
+    { "]oq", "<cmd>cclose<CR>", desc = "Quickfix list" },
+    { "]or", desc = "Relative line numbers" },
+    { "]ou", desc = "Cursor column" },
+    { "]ov", desc = "Virtual editing" },
+    { "]ow", desc = "Text wrapping" },
+    { "]ox", desc = "Cursor line and column" },
+    { "]oz", desc = "Spell checking" },
+
+    -- Toggle option
+    { "yo", group = "Toggle option" },
+    { "yob", desc = "Light background" },
+    { "yoc", desc = "Cursor line" },
+    { "yod", desc = "Diff" },
+    { "yof", "<cmd>FormatToggle<CR>", desc = "LSP Formatting" },
+    { "yoh", desc = "Search high-lighting" },
+    { "yoi", desc = "Case insensitive search" },
+    { "yol", desc = "List mode" },
+    { "yon", desc = "Line numbers" },
+    { "yop", "<Plug>(qf_loc_toggle)", desc = "Location list" },
+    { "yoq", "<Plug>(qf_qf_toggle)", desc = "Quickfix list" },
+    { "yor", desc = "Relative line numbers" },
+    { "you", desc = "Cursor column" },
+    { "yov", desc = "Virtual editing" },
+    { "yow", desc = "Text wrapping" },
+    { "yox", desc = "Cursor line and column" },
+    { "yoz", desc = "Spell checking" },
 }
 
-wk.register(keys)
+wk.add(keys)

modules/home/vim/after/queries/diff/highlights.scm

@@ -0,0 +1,5 @@
+; extends
+
+; I want to the line added/removed markers to be the correct color
+"+" @diff.plus
+"-" @diff.minus

modules/home/vim/default.nix

@@ -46,14 +46,9 @@ in
       vim-repeat # Enanche '.' for plugins
       vim-rsi # Readline mappings
       vim-unimpaired # Some ex command mappings
-      vim-vinegar # Better netrw
 
       # Languages
-      rust-vim
       vim-beancount
-      vim-jsonnet
-      vim-nix
-      vim-toml
 
       # General enhancements
       vim-qf # Better quick-fix list
@@ -85,6 +80,7 @@ in
       dressing-nvim # Integrate native UI hooks with Telescope etc...
       gitsigns-nvim # Fast git UI integration
       nvim-surround # Deal with pairs, now in Lua
+      oil-nvim # Better alternative to NetrW
       telescope-fzf-native-nvim # Use 'fzf' fuzzy matching algorithm
       telescope-lsp-handlers-nvim # Use 'telescope' for various LSP actions
       telescope-nvim # Fuzzy finder interface
@@ -104,6 +100,9 @@ in
       # Shell
       bash-language-server
       shfmt
+
+      # Generic
+      typos-lsp
     ];
   };
 

modules/home/vim/init.vim

@@ -1,4 +1,4 @@
-" Basic configuraion {{{
+" Basic configuration {{{
 """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 " Use UTF-8
 set encoding=utf-8
@@ -38,10 +38,10 @@ set tabstop=8
 
 " File parameters {{{
 """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
-" Disable backups, we have source control for that
-set nobackup
-" Disable swapfiles too
+" Disable swap files
 set noswapfile
+" Enable undo files
+set undofile
 " }}}
 
 " UI and UX parameters {{{
@@ -100,7 +100,13 @@ gruvbox.setup({
         DiffChange = { fg = colors.aqua, bg = "NONE" },
         DiffDelete = { fg = colors.red, bg = "NONE" },
         DiffText = { fg = colors.yellow, bg = colors.bg0 },
-    }
+        -- Directories "pop" better in blue
+        Directory = { link = "GruvboxBlueBold" },
+    },
+    italic = {
+        -- Comments should not be italic, for e.g: box drawing
+        comments = false,
+    },
 })
 EOF
 " Use my preferred colorscheme

modules/home/vim/lua/ambroisie/lsp.lua

@@ -42,7 +42,7 @@ end
 
 --- shared LSP configuration callback
 --- @param client native client configuration
---- @param bufnr int? buffer number of the attched client
+--- @param bufnr int? buffer number of the attached client
 M.on_attach = function(client, bufnr)
     -- Format on save
     lsp_format.on_attach(client, bufnr)
@@ -87,31 +87,30 @@ M.on_attach = function(client, bufnr)
     end
 
     local keys = {
-        K = { vim.lsp.buf.hover, "Show symbol information" },
-        ["<C-k>"] = { vim.lsp.buf.signature_help, "Show signature information" },
-        ["gd"] = { vim.lsp.buf.definition, "Go to definition" },
-        ["gD"] = { vim.lsp.buf.declaration, "Go to declaration" },
-        ["gi"] = { vim.lsp.buf.implementation, "Go to implementation" },
-        ["gr"] = { vim.lsp.buf.references, "List all references" },
-
-        ["<leader>c"] = {
-            name = "Code",
-            a = { vim.lsp.buf.code_action, "Code actions" },
-            d = { cycle_diagnostics_display, "Cycle diagnostics display" },
-            D = { show_buffer_diagnostics, "Show buffer diagnostics" },
-            r = { vim.lsp.buf.rename, "Rename symbol" },
-            s = { vim.lsp.buf.signature_help, "Show signature" },
-            t = { vim.lsp.buf.type_definition, "Go to type definition" },
-            w = {
-                name = "Workspace",
-                a = { vim.lsp.buf.add_workspace_folder, "Add folder to workspace" },
-                l = { list_workspace_folders, "List folders in workspace" },
-                r = { vim.lsp.buf.remove_workspace_folder, "Remove folder from workspace" },
-            },
-        },
+        buffer = bufnr,
+        -- LSP navigation
+        { "K", vim.lsp.buf.hover, desc = "Show symbol information" },
+        { "<C-k>", vim.lsp.buf.signature_help, desc = "Show signature information" },
+        { "gd", vim.lsp.buf.definition, desc = "Go to definition" },
+        { "gD", vim.lsp.buf.declaration, desc = "Go to declaration" },
+        { "gi", vim.lsp.buf.implementation, desc = "Go to implementation" },
+        { "gr", vim.lsp.buf.references, desc = "List all references" },
+        -- Code
+        { "<leader>c", group = "Code" },
+        { "<leader>ca", vim.lsp.buf.code_action, desc = "Code actions" },
+        { "<leader>cd", cycle_diagnostics_display, desc = "Cycle diagnostics display" },
+        { "<leader>cD", show_buffer_diagnostics, desc = "Show buffer diagnostics" },
+        { "<leader>cr", vim.lsp.buf.rename, desc = "Rename symbol" },
+        { "<leader>cs", vim.lsp.buf.signature_help, desc = "Show signature" },
+        { "<leader>ct", vim.lsp.buf.type_definition, desc = "Go to type definition" },
+        -- Workspace
+        { "<leader>cw", group = "Workspace" },
+        { "<leader>cwa", vim.lsp.buf.add_workspace_folder, desc = "Add folder to workspace" },
+        { "<leader>cwl", list_workspace_folders, desc = "List folders in workspace" },
+        { "<leader>cwr", vim.lsp.buf.remove_workspace_folder, desc = "Remove folder from workspace" },
     }
 
-    wk.register(keys, { buffer = bufnr })
+    wk.add(keys)
 end
 
 return M

modules/home/vim/lua/ambroisie/utils.lua

@@ -48,4 +48,22 @@ M.list_lsp_clients = function(bufnr)
     return names
 end
 
+--- partially apply a function with given arguments
+M.partial = function(f, ...)
+    local a = { ... }
+    local a_len = select("#", ...)
+
+    return function(...)
+        local tmp = { ... }
+        local tmp_len = select("#", ...)
+
+        -- Merge arg lists
+        for i = 1, tmp_len do
+            a[a_len + i] = tmp[i]
+        end
+
+        return f(unpack(a, 1, a_len + tmp_len))
+    end
+end
+
 return M

modules/home/vim/plugin/numbertoggle.lua

@@ -7,17 +7,28 @@ local numbertoggle = vim.api.nvim_create_augroup("numbertoggle", { clear = true
 vim.api.nvim_create_autocmd({ "BufEnter", "FocusGained", "InsertLeave", "WinEnter" }, {
     pattern = "*",
     group = numbertoggle,
-    command = "if &nu | setlocal rnu | endif",
+    callback = function()
+        if vim.opt.number:get() then
+            vim.opt.relativenumber = true
+        end
+    end,
 })
 vim.api.nvim_create_autocmd({ "BufLeave", "FocusLost", "InsertEnter", "WinLeave" }, {
     pattern = "*",
     group = numbertoggle,
-    command = "if &nu | setlocal nornu | endif",
+    callback = function()
+        if vim.opt.number:get() then
+            vim.opt.relativenumber = false
+        end
+    end,
 })
 
 -- Never show the sign column in a terminal buffer
 vim.api.nvim_create_autocmd({ "TermOpen" }, {
     pattern = "*",
     group = numbertoggle,
-    command = "setlocal nonu nornu",
+    callback = function()
+        vim.opt.number = false
+        vim.opt.relativenumber = false
+    end,
 })

modules/home/vim/plugin/settings/git.lua

@@ -1,58 +1,75 @@
 local gitsigns = require("gitsigns")
+local utils = require("ambroisie.utils")
 local wk = require("which-key")
 
+--- Transform `f` into a function which acts on the current visual selection
+local function make_visual(f)
+    return function()
+        local first = vim.fn.line("v")
+        local last = vim.fn.line(".")
+        f({ first, last })
+    end
+end
+
+local function nav_hunk(dir)
+    if vim.wo.diff then
+        local map = {
+            prev = "[c",
+            next = "]c",
+        }
+        vim.cmd.normal({ map[dir], bang = true })
+    else
+        gitsigns.nav_hunk(dir)
+    end
+end
+
 gitsigns.setup({
     current_line_blame_opts = {
         -- Show the blame quickly
         delay = 100,
     },
+    -- Work-around for https://github.com/lewis6991/gitsigns.nvim/issues/929
+    signs_staged_enable = false,
 })
 
 local keys = {
     -- Navigation
-    ["[c"] = { "&diff ? '[c' : '<cmd>Gitsigns prev_hunk<CR>'", "Previous hunk/diff", expr = true },
-    ["]c"] = { "&diff ? ']c' : '<cmd>Gitsigns next_hunk<CR>'", "Next hunk/diff", expr = true },
-
+    { "[c", utils.partial(nav_hunk, "prev"), desc = "Previous hunk/diff" },
+    { "]c", utils.partial(nav_hunk, "next"), desc = "Next hunk/diff" },
     -- Commands
-    ["<leader>g"] = {
-        name = "Git",
-        -- Actions
-        b = { gitsigns.toggle_current_line_blame, "Toggle blame virtual text" },
-        d = { gitsigns.diffthis, "Diff buffer" },
-        -- stylua: ignore
-        D = { function() gitsigns.diffthis("~") end, "Diff buffer against last commit" },
-        g = { "<cmd>Git<CR>", "Git status" },
-        h = { gitsigns.toggle_deleted, "Show deleted hunks" },
-        L = { "<cmd>:sp<CR><C-w>T:Gllog --follow -- %:p<CR>", "Current buffer log" },
-        m = { "<Plug>(git-messenger)", "Current line blame" },
-        p = { gitsigns.preview_hunk, "Preview hunk" },
-        r = { gitsigns.reset_hunk, "Restore hunk" },
-        R = { gitsigns.reset_buffer, "Restore buffer" },
-        s = { gitsigns.stage_hunk, "Stage hunk" },
-        S = { gitsigns.stage_buffer, "Stage buffer" },
-        u = { gitsigns.undo_stage_hunk, "Undo stage hunk" },
-        ["["] = { gitsigns.prev_hunk, "Previous hunk" },
-        ["]"] = { gitsigns.next_hunk, "Next hunk" },
-    },
+    { "<leader>g", group = "Git" },
+    { "<leader>gb", gitsigns.toggle_current_line_blame, desc = "Toggle blame virtual text" },
+    { "<leader>gd", gitsigns.diffthis, desc = "Diff buffer" },
+    { "<leader>gD", utils.partial(gitsigns.diffthis, "~"), desc = "Diff buffer against last commit" },
+    { "<leader>gg", "<cmd>Git<CR>", desc = "Git status" },
+    { "<leader>gh", gitsigns.toggle_deleted, desc = "Show deleted hunks" },
+    { "<leader>gL", "<cmd>:sp<CR><C-w>T:Gllog --follow -- %:p<CR>", desc = "Current buffer log" },
+    { "<leader>gm", "<Plug>(git-messenger)", desc = "Current line blame" },
+    { "<leader>gp", gitsigns.preview_hunk, desc = "Preview hunk" },
+    { "<leader>gr", gitsigns.reset_hunk, desc = "Restore hunk" },
+    { "<leader>gR", gitsigns.reset_buffer, desc = "Restore buffer" },
+    { "<leader>gs", gitsigns.stage_hunk, desc = "Stage hunk" },
+    { "<leader>gS", gitsigns.stage_buffer, desc = "Stage buffer" },
+    { "<leader>gu", gitsigns.undo_stage_hunk, desc = "Undo stage hunk" },
+    { "<leader>g[", utils.partial(gitsigns.nav_hunk, "prev"), desc = "Previous hunk" },
+    { "<leader>g]", utils.partial(gitsigns.nav_hunk, "next"), desc = "Next hunk" },
 }
 
 local objects = {
-    ["ih"] = { gitsigns.select_hunk, "Git hunk" },
+    mode = "o",
+    { "ih", gitsigns.select_hunk, desc = "Git hunk" },
 }
-
+-- Visual
 local visual = {
-    ["ih"] = { gitsigns.select_hunk, "Git hunk" },
-
-    -- Only the actual command can make use of the visual selection...
-    ["<leader>g"] = {
-        name = "Git",
-        p = { ":Gitsigns preview_hunk<CR>", "Preview selection" },
-        r = { ":Gitsigns reset_hunk<CR>", "Restore selection" },
-        s = { ":Gitsigns stage_hunk<CR>", "Stage selection" },
-        u = { ":Gitsigns undo_stage_hunk<CR>", "Undo stage selection" },
-    },
+    mode = { "x" },
+    { "ih", gitsigns.select_hunk, desc = "Git hunk" },
+    { "<leader>g", group = "Git" },
+    { "<leader>gp", gitsigns.preview_hunk, desc = "Preview selection" },
+    { "<leader>gr", make_visual(gitsigns.reset_hunk), desc = "Restore selection" },
+    { "<leader>gs", make_visual(gitsigns.stage_hunk), desc = "Stage selection" },
+    { "<leader>gu", gitsigns.undo_stage_hunk, desc = "Undo stage selection" },
 }
 
-wk.register(keys, { buffer = bufnr })
-wk.register(objects, { buffer = bufnr, mode = "o" })
-wk.register(visual, { buffer = bufnr, mode = "x" })
+wk.add(keys)
+wk.add(objects)
+wk.add(visual)

modules/home/vim/plugin/settings/lspconfig.lua

@@ -84,3 +84,11 @@ if utils.is_executable("starpls") then
         on_attach = lsp.on_attach,
     })
 end
+
+-- Generic
+if utils.is_executable("typos-lsp") then
+    lspconfig.typos_lsp.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
+end

modules/home/vim/plugin/settings/oil.lua

@@ -0,0 +1,34 @@
+local oil = require("oil")
+local wk = require("which-key")
+
+local detail = false
+
+oil.setup({
+    view_options = {
+        -- Show files and directories that start with "." by default
+        show_hidden = true,
+        -- But never '..'
+        is_always_hidden = function(name, bufnr)
+            return name == ".."
+        end,
+    },
+    keymaps = {
+        ["gd"] = {
+            desc = "Toggle file detail view",
+            callback = function()
+                detail = not detail
+                if detail then
+                    oil.set_columns({ "icon", "permissions", "size", "mtime" })
+                else
+                    oil.set_columns({ "icon" })
+                end
+            end,
+        },
+    },
+})
+
+local keys = {
+    { "-", oil.open, desc = "Open parent directory" },
+}
+
+wk.add(keys)

modules/home/vim/plugin/settings/telescope.lua

@@ -1,4 +1,6 @@
 local telescope = require("telescope")
+local telescope_builtin = require("telescope.builtin")
+local wk = require("which-key")
 
 telescope.setup({
     defaults = {
@@ -22,3 +24,14 @@ telescope.setup({
 
 telescope.load_extension("fzf")
 telescope.load_extension("lsp_handlers")
+
+local keys = {
+    { "<leader>f", group = "Fuzzy finder" },
+    { "<leader>fb", telescope_builtin.buffers, desc = "Open buffers" },
+    { "<leader>ff", telescope_builtin.git_files, desc = "Git tracked files" },
+    { "<leader>fF", telescope_builtin.find_files, desc = "Files" },
+    { "<leader>fg", telescope_builtin.live_grep, desc = "Grep string" },
+    { "<leader>fG", telescope_builtin.grep_string, desc = "Grep string under cursor" },
+}
+
+wk.add(keys)

modules/home/vim/plugin/settings/tree-sitter.lua

@@ -1,4 +1,5 @@
 local ts_config = require("nvim-treesitter.configs")
+
 ts_config.setup({
     highlight = {
         enable = true,
@@ -14,16 +15,16 @@ ts_config.setup({
             -- Jump to matching text objects
             lookahead = true,
             keymaps = {
-                ["aa"] = "@parameter.outer",
-                ["ia"] = "@parameter.inner",
-                ["ab"] = "@block.outer",
-                ["ib"] = "@block.inner",
-                ["ac"] = "@class.outer",
-                ["ic"] = "@class.inner",
-                ["af"] = "@function.outer",
-                ["if"] = "@function.inner",
-                ["ak"] = "@comment.outer",
-                ["aS"] = "@statement.outer",
+                ["aa"] = { query = "@parameter.outer", desc = "a parameter" },
+                ["ia"] = { query = "@parameter.inner", desc = "inner parameter" },
+                ["ab"] = { query = "@block.outer", desc = "a block" },
+                ["ib"] = { query = "@block.inner", desc = "inner block" },
+                ["ac"] = { query = "@class.outer", desc = "a class" },
+                ["ic"] = { query = "@class.inner", desc = "inner class" },
+                ["af"] = { query = "@function.outer", desc = "a function" },
+                ["if"] = { query = "@function.inner", desc = "inner function" },
+                ["ak"] = { query = "@comment.outer", desc = "a comment" },
+                ["aS"] = { query = "@statement.outer", desc = "a statement" },
             },
         },
         move = {
@@ -31,22 +32,22 @@ ts_config.setup({
             -- Add to jump list
             set_jumps = true,
             goto_next_start = {
-                ["]m"] = "@function.outer",
-                ["]S"] = "@statement.outer",
-                ["]]"] = "@class.outer",
+                ["]m"] = { query = "@function.outer", desc = "Next method start" },
+                ["]S"] = { query = "@statement.outer", desc = "Next statement start" },
+                ["]]"] = { query = "@class.outer", desc = "Next class start" },
             },
             goto_next_end = {
-                ["]M"] = "@function.outer",
-                ["]["] = "@class.outer",
+                ["]M"] = { query = "@function.outer", desc = "Next method end" },
+                ["]["] = { query = "@class.outer", desc = "Next class end" },
             },
             goto_previous_start = {
-                ["[m"] = "@function.outer",
-                ["[S"] = "@statement.outer",
-                ["[["] = "@class.outer",
+                ["[m"] = { query = "@function.outer", desc = "Previous method start" },
+                ["[S"] = { query = "@statement.outer", desc = "Previous statement start" },
+                ["[["] = { query = "@class.outer", desc = "Previous class start" },
             },
             goto_previous_end = {
-                ["[M"] = "@function.outer",
-                ["[]"] = "@class.outer",
+                ["[M"] = { query = "@function.outer", desc = "Previous method end" },
+                ["[]"] = { query = "@class.outer", desc = "Previous class end" },
             },
         },
     },

modules/home/vim/plugin/settings/which-key.lua

@@ -1,2 +1,33 @@
 local wk = require("which-key")
-wk.setup()
+wk.setup({
+    icons = {
+        -- I don't like icons
+        mappings = false,
+        breadcrumb = "»",
+        separator = "➜",
+        group = "+",
+        ellipsis = "…",
+        keys = {
+            Up = " ",
+            Down = " ",
+            Left = " ",
+            Right = " ",
+            C = "<C>",
+            M = "<M>",
+            D = "<D>",
+            S = "<S>",
+            CR = "<CR>",
+            Esc = "<Esc> ",
+            NL = "<NL>",
+            BS = "<BS>",
+            Space = "<space>",
+            Tab = "<Tab> ",
+        },
+    },
+})
+
+local keys = {
+    { "<leader><leader>", vim.cmd.nohlsearch, desc = "Clear search highlight" },
+}
+
+wk.add(keys)

modules/home/vim/plugin/signtoggle.lua

@@ -4,17 +4,23 @@ local signtoggle = vim.api.nvim_create_augroup("signtoggle", { clear = true })
 vim.api.nvim_create_autocmd({ "BufEnter", "FocusGained", "WinEnter" }, {
     pattern = "*",
     group = signtoggle,
-    command = "setlocal signcolumn=yes",
+    callback = function()
+        vim.opt.signcolumn = "yes"
+    end,
 })
 vim.api.nvim_create_autocmd({ "BufLeave", "FocusLost", "WinLeave" }, {
     pattern = "*",
     group = signtoggle,
-    command = "setlocal signcolumn=yes",
+    callback = function()
+        vim.opt.signcolumn = "no"
+    end,
 })
 
 -- Never show the sign column in a terminal buffer
 vim.api.nvim_create_autocmd({ "TermOpen" }, {
     pattern = "*",
     group = signtoggle,
-    command = "setlocal signcolumn=no",
+    callback = function()
+        vim.opt.signcolumn = "no"
+    end,
 })

modules/home/wget/default.nix

@@ -20,7 +20,7 @@ in
     };
 
     xdg.configFile."wgetrc".text = ''
-      hsts-file = ${config.xdg.dataHome}/wget-hsts
+      hsts-file = ${config.xdg.stateHome}/wget-hsts
     '';
   };
 }

modules/home/wm/default.nix

@@ -58,7 +58,7 @@ in
               service = "some-service-name";
             }
           ];
-          description = "list of block configurations, merged with the defauls";
+          description = "list of block configurations, merged with the defaults";
         };
       };
     };

modules/home/wm/i3/default.nix

@@ -371,8 +371,7 @@ in
           };
 
         startup = [
-          # FIXME
-          # { commdand; always; notification; }
+          # NOTE: rely on systemd user services instead...
         ];
 
         window = {

modules/home/wm/screen-lock/default.nix

@@ -2,7 +2,7 @@
 let
   cfg = config.my.home.wm.screen-lock;
 
-  notficationCmd =
+  notificationCmd =
     let
       duration = toString (cfg.notify.delay * 1000);
       notifyCmd = "${lib.getExe pkgs.libnotify} -u critical -t ${duration}";
@@ -48,7 +48,7 @@ in
           "-notify"
           "${toString cfg.notify.delay}"
           "-notifier"
-          notficationCmd
+          notificationCmd
         ];
       };
     };

modules/home/xdg/default.nix

@@ -11,7 +11,7 @@ in
     enable = true;
     # File types
     mime.enable = true;
-    # File associatons
+    # File associations
     mimeApps = {
       enable = true;
     };
@@ -34,6 +34,9 @@ in
       "gdb/.keep".text = "";
       "tig/.keep".text = "";
     };
+    stateFile = {
+      "python/.keep".text = "";
+    };
   };
 
   # I want a tidier home
@@ -43,13 +46,13 @@ in
     CARGO_HOME = "${dataHome}/cargo";
     DOCKER_CONFIG = "${configHome}/docker";
     GRADLE_USER_HOME = "${dataHome}/gradle";
-    HISTFILE = "${dataHome}/bash/history";
+    HISTFILE = "${stateHome}/bash/history";
     INPUTRC = "${configHome}/readline/inputrc";
-    PSQL_HISTORY = "${dataHome}/psql_history";
+    PSQL_HISTORY = "${stateHome}/psql_history";
     PYTHONPYCACHEPREFIX = "${cacheHome}/python/";
     PYTHONUSERBASE = "${dataHome}/python/";
     PYTHON_HISTORY = "${stateHome}/python/history";
-    REDISCLI_HISTFILE = "${dataHome}/redis/rediscli_history";
+    REDISCLI_HISTFILE = "${stateHome}/redis/rediscli_history";
     REPO_CONFIG_DIR = "${configHome}/repo";
     XCOMPOSECACHE = "${dataHome}/X11/xcompose";
     _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${configHome}/java";

modules/home/zsh/default.nix

@@ -68,7 +68,7 @@ in
           ignoreSpace = true;
           ignoreDups = true;
           share = false;
-          path = "${config.xdg.dataHome}/zsh/zsh_history";
+          path = "${config.xdg.stateHome}/zsh/zsh_history";
         };
 
         plugins = [

modules/home/zsh/options.zsh

@@ -12,7 +12,7 @@ setopt rc_quotes
 setopt auto_resume
 # Show history expansion before running a command
 setopt hist_verify
-# Append commands to history as they are exectuted
+# Append commands to history as they are executed
 setopt inc_append_history_time
 # Remove useless whitespace from commands
 setopt hist_reduce_blanks

modules/nixos/hardware/bluetooth/default.nix

@@ -18,6 +18,13 @@ in
       services.blueman.enable = true;
     }
 
+    # Persist bluetooth files
+    {
+      my.system.persist.directories = [
+        "/var/lib/bluetooth"
+      ];
+    }
+
     # Support for additional bluetooth codecs
     (lib.mkIf cfg.loadExtraCodecs {
       hardware.pulseaudio = {

modules/nixos/hardware/networking/default.nix

@@ -22,6 +22,11 @@ in
   config = lib.mkMerge [
     (lib.mkIf cfg.wireless.enable {
       networking.networkmanager.enable = true;
+
+      # Persist NetworkManager files
+      my.system.persist.directories = [
+        "/etc/NetworkManager/system-connections"
+      ];
     })
   ];
 }

modules/nixos/hardware/trackball/default.nix

@@ -11,7 +11,7 @@ in
   config = lib.mkIf cfg.enable {
     services.xserver = {
       # This section must be *after* the one configured by `libinput`
-      # for the `ScrollMethod` configuration to not be overriden
+      # for the `ScrollMethod` configuration to not be overridden
       inputClassSections = lib.mkAfter [
         # MX Ergo
         ''

modules/nixos/profiles/default.nix

@@ -1,4 +1,4 @@
-# Configuration that spans accross system and home, or are almagations of modules
+# Configuration that spans across system and home, or are almagations of modules
 { ... }:
 {
   imports = [

modules/nixos/services/aria/default.nix

@@ -71,6 +71,8 @@ in
       };
     };
 
+    # FIXME: persistence?
+
     # NOTE: unfortunately aria2 does not log connection failures for fail2ban
   };
 }

modules/nixos/services/audiobookshelf/default.nix

@@ -35,5 +35,23 @@ in
         };
       };
     };
+
+    # FIXME: persistence?
+
+    services.fail2ban.jails = {
+      audiobookshelf = ''
+        enabled = true
+        filter = audiobookshelf
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/audiobookshelf.conf".text = ''
+        [Definition]
+        failregex = ^.*ERROR: \[Auth\] Failed login attempt for username ".*" from ip <ADDR>
+        journalmatch = _SYSTEMD_UNIT=audiobookshelf.service
+      '';
+    };
   };
 }

modules/nixos/services/blog/default.nix

@@ -41,5 +41,12 @@ in
 
     # Those are all subdomains, no problem
     my.services.nginx.virtualHosts = hostsInfo;
+
+    my.system.persist.directories = [
+      "/var/www/blog"
+      "/var/www/cv"
+      "/var/www/dev"
+      "/var/www/key"
+    ];
   };
 }

modules/nixos/services/calibre-web/default.nix

@@ -53,6 +53,11 @@ in
       ];
     };
 
+    my.system.persist.directories = [
+      "/var/lib/${config.services.calibre-web.dataDir}"
+      cfg.libraryPath
+    ];
+
     services.fail2ban.jails = {
       calibre-web = ''
         enabled = true

modules/nixos/services/default.nix

@@ -16,6 +16,7 @@
     ./grocy
     ./indexers
     ./jellyfin
+    ./komga
     ./lohr
     ./matrix
     ./mealie
@@ -26,7 +27,7 @@
     ./nginx
     ./nix-cache
     ./paperless
-    ./pirate
+    ./pdf-edit
     ./podgrab
     ./postgresql
     ./postgresql-backup
@@ -34,6 +35,7 @@
     ./quassel
     ./rss-bridge
     ./sabnzbd
+    ./servarr
     ./ssh-server
     ./tandoor-recipes
     ./tlp

modules/nixos/services/flood/default.nix

@@ -27,5 +27,9 @@ in
         inherit (cfg) port;
       };
     };
+
+    # FIXME: persistence?
+
+    # NOTE: unfortunately flood does not log connection failures for fail2ban
   };
 }

modules/nixos/services/forgejo/default.nix

@@ -1,4 +1,4 @@
-# A low-ressource, full-featured git forge.
+# A low-resource, full-featured git forge.
 { config, lib, ... }:
 let
   cfg = config.my.services.forgejo;
@@ -147,6 +147,11 @@ in
       ];
     };
 
+    my.system.persist.directories = [
+      config.services.gitea.lfs.contentDir
+      config.services.gitea.repositoryRoot
+    ];
+
     services.fail2ban.jails = {
       forgejo = ''
         enabled = true

modules/nixos/services/gitea/default.nix

@@ -1,4 +1,4 @@
-# A low-ressource, full-featured git forge.
+# A low-resource, full-featured git forge.
 { config, lib, ... }:
 let
   cfg = config.my.services.gitea;
@@ -131,6 +131,11 @@ in
       ];
     };
 
+    my.system.persist.directories = [
+      config.services.gitea.lfs.contentDir
+      config.services.gitea.repositoryRoot
+    ];
+
     services.fail2ban.jails = {
       gitea = ''
         enabled = true

modules/nixos/services/grocy/default.nix

@@ -36,5 +36,10 @@ in
       forceSSL = true;
       useACMEHost = config.networking.domain;
     };
+
+    # FIXME: backup
+    # FIXME: persistence
+
+    # NOTE: unfortunately grocy does not log connection failures for fail2ban
   };
 }

modules/nixos/services/indexers/default.nix

@@ -33,6 +33,10 @@ in
           port = jackettPort;
         };
       };
+
+      my.system.persist.directories = [
+        config.services.jackett.dataDir
+      ];
     })
 
     (lib.mkIf cfg.nzbhydra.enable {
@@ -45,6 +49,10 @@ in
           port = nzbhydraPort;
         };
       };
+
+      my.system.persist.directories = [
+        config.services.nzbhydra2.dataDir
+      ];
     })
 
     (lib.mkIf cfg.prowlarr.enable {
@@ -58,6 +66,10 @@ in
         };
       };
 
+      my.system.persist.directories = [
+        "/var/lib/${config.systemd.services.prowlarr.serviceConfig.StateDirectory}"
+      ];
+
       services.fail2ban.jails = {
         prowlarr = ''
           enabled = true

modules/nixos/services/jellyfin/default.nix

@@ -41,5 +41,25 @@ in
         };
       };
     };
+
+    my.system.persist.directories = [
+      "/var/lib/${config.systemd.services.jellyfin.serviceConfig.StateDirectory}"
+    ];
+
+    services.fail2ban.jails = {
+      jellyfin = ''
+        enabled = true
+        filter = jellyfin
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/jellyfin.conf".text = ''
+        [Definition]
+        failregex = ^.*Authentication request for .* has been denied \(IP: "?<ADDR>"?\)\.
+        journalmatch = _SYSTEMD_UNIT=jellyfin.service
+      '';
+    };
   };
 }

modules/nixos/services/komga/default.nix

@@ -0,0 +1,55 @@
+# A Comics/Manga media server
+{ config, lib, ... }:
+let
+  cfg = config.my.services.komga;
+in
+{
+  options.my.services.komga = with lib; {
+    enable = mkEnableOption "Komga comics server";
+
+    port = mkOption {
+      type = types.port;
+      default = 4584;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.komga = {
+      enable = true;
+      inherit (cfg) port;
+
+      group = "media";
+    };
+
+    systemd.services.komga.environment = {
+      LOGGING_LEVEL_ORG_GOTSON_KOMGA = "DEBUG"; # Needed for fail2ban
+    };
+
+    # Set-up media group
+    users.groups.media = { };
+
+    my.services.nginx.virtualHosts = {
+      komga = {
+        inherit (cfg) port;
+      };
+    };
+
+    services.fail2ban.jails = {
+      komga = ''
+        enabled = true
+        filter = komga
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/komga.conf".text = ''
+        [Definition]
+        failregex = ^.* ip=<HOST>,.*Bad credentials.*$
+        journalmatch = _SYSTEMD_UNIT=komga.service
+      '';
+    };
+  };
+}

modules/nixos/services/lohr/default.nix

@@ -107,5 +107,9 @@ in
         };
       };
     };
+
+    my.system.persist.directories = [
+      "/var/lib/${config.systemd.services.lohr.serviceConfig.StateDirectory}"
+    ];
   };
 }

modules/nixos/services/matrix/default.nix

@@ -26,21 +26,6 @@ in
       description = "Shared secret to register users";
     };
 
-    slidingSync = {
-      port = mkOption {
-        type = types.port;
-        default = 8009;
-        example = 8084;
-        description = "Port used by sliding sync server";
-      };
-
-      secretFile = mkOption {
-        type = types.str;
-        example = "/var/lib/matrix/sliding-sync-secret-file.env";
-        description = "Secret file which contains SYNCV3_SECRET definition";
-      };
-    };
-
     mailConfigFile = mkOption {
       type = types.str;
       example = "/var/lib/matrix/email-config.yaml";
@@ -106,17 +91,6 @@ in
       ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile;
     };
 
-    services.matrix-sliding-sync = {
-      enable = true;
-
-      settings = {
-        SYNCV3_SERVER = "https://${matrixDomain}";
-        SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}";
-      };
-
-      environmentFile = cfg.slidingSync.secretFile;
-    };
-
     my.services.nginx.virtualHosts = {
       # Element Web app deployment
       chat = {
@@ -130,9 +104,6 @@ in
               "m.identity_server" = {
                 "base_url" = "https://vector.im";
               };
-              "org.matrix.msc3575.proxy" = {
-                "url" = "https://matrix-sync.${domain}";
-              };
             };
             showLabsSettings = true;
             defaultCountryCode = "FR"; # cocorico
@@ -152,10 +123,6 @@ in
       matrix-client = {
         port = clientPort.private;
       };
-      # Sliding sync
-      matrix-sync = {
-        inherit (cfg.slidingSync) port;
-      };
     };
 
     # Those are too complicated to use my wrapper...
@@ -178,11 +145,6 @@ in
 
             "/_matrix" = proxyToClientPort;
             "/_synapse/client" = proxyToClientPort;
-
-            # Sliding sync
-            "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
-              proxyPass = "http://${config.services.matrix-sliding-sync.settings.SYNCV3_BINDADDR}";
-            };
           };
 
         listen = [
@@ -228,7 +190,6 @@ in
             client = {
               "m.homeserver" = { "base_url" = "https://${matrixDomain}"; };
               "m.identity_server" = { "base_url" = "https://vector.im"; };
-              "org.matrix.msc3575.proxy" = { "url" = "https://matrix-sync.${domain}"; };
             };
             # ACAO required to allow element-web on any URL to request this json file
           in
@@ -253,5 +214,9 @@ in
         config.services.matrix-synapse.dataDir
       ];
     };
+
+    my.system.persist.directories = [
+      config.services.matrix-synapse.dataDir
+    ];
   };
 }

modules/nixos/services/mealie/default.nix

@@ -71,5 +71,24 @@ in
         };
       };
     };
+
+    # FIXME: backup
+    # FIXME: persistence
+
+    services.fail2ban.jails = {
+      mealie = ''
+        enabled = true
+        filter = mealie
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/mealie.conf".text = ''
+        [Definition]
+        failregex = ^.*ERROR.*Incorrect username or password from <HOST>
+        journalmatch = _SYSTEMD_UNIT=mealie.service
+      '';
+    };
   };
 }

modules/nixos/services/miniflux/default.nix

@@ -48,5 +48,24 @@ in
         inherit (cfg) port;
       };
     };
+
+    # FIXME: backup
+    # FIXME: persistence
+
+    services.fail2ban.jails = {
+      miniflux = ''
+        enabled = true
+        filter = miniflux
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/miniflux.conf".text = ''
+        [Definition]
+        failregex = ^.*msg="[^"]*(Incorrect|Invalid) username or password[^"]*".*client_ip=<ADDR>
+        journalmatch = _SYSTEMD_UNIT=miniflux.service
+      '';
+    };
   };
 }

modules/nixos/services/monitoring/default.nix

@@ -130,5 +130,10 @@ in
         inherit (cfg.grafana) port;
       };
     };
+
+    my.system.persist.directories = [
+      config.services.grafana.dataDir
+      "/var/lib/${config.services.prometheus.stateDir}"
+    ];
   };
 }

modules/nixos/services/navidrome/default.nix

@@ -52,5 +52,25 @@ in
         inherit (cfg) port;
       };
     };
+
+    my.system.persist.directories = [
+      "/var/lib/${config.systemd.services.navidrome.serviceConfig.StateDirectory}"
+    ];
+
+    services.fail2ban.jails = {
+      navidrome = ''
+        enabled = true
+        filter = navidrome
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/navidrome.conf".text = ''
+        [Definition]
+        failregex = ^.*msg="Unsuccessful login".*X-Real-Ip:\[<HOST>\]
+        journalmatch = _SYSTEMD_UNIT=navidrome.service
+      '';
+    };
   };
 }

modules/nixos/services/nextcloud/default.nix

@@ -31,7 +31,7 @@ in
   config = lib.mkIf cfg.enable {
     services.nextcloud = {
       enable = true;
-      package = pkgs.nextcloud29;
+      package = pkgs.nextcloud30;
       hostName = "nextcloud.${config.networking.domain}";
       home = "/var/lib/nextcloud";
       maxUploadSize = cfg.maxSize;
@@ -87,5 +87,30 @@ in
         "${config.services.nextcloud.home}/data/appdata_*/preview"
       ];
     };
+
+    my.system.persist.directories = [
+      config.services.nextcloud.home
+      config.services.nextcloud.datadir
+    ];
+
+    services.fail2ban.jails = {
+      nextcloud = ''
+        enabled = true
+        filter = nextcloud
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/nextcloud.conf".text = ''
+        [Definition]
+        _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+        datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+        failregex = ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+                    ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+                    ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
+        journalmatch = _SYSTEMD_UNIT=phpfpm-nextcloud.service
+      '';
+    };
   };
 }

modules/nixos/services/nginx/default.nix

@@ -59,14 +59,12 @@ let
 
       extraConfig = mkOption {
         type = types.attrs; # FIXME: forward type of virtualHosts
-        example = litteralExample ''
-          {
-            locations."/socket" = {
-              proxyPass = "http://127.0.0.1:8096/";
-              proxyWebsockets = true;
-            };
-          }
-        '';
+        example = {
+          locations."/socket" = {
+            proxyPass = "http://127.0.0.1:8096/";
+            proxyWebsockets = true;
+          };
+        };
         default = { };
         description = ''
           Any extra configuration that should be applied to this virtual host.
@@ -100,26 +98,24 @@ in
     virtualHosts = mkOption {
       type = types.attrsOf virtualHostOption;
       default = { };
-      example = litteralExample ''
-        {
-          gitea = {
-            subdomain = "git";
-            port = 8080;
-          };
-          dev = {
-            root = "/var/www/dev";
-          };
-          jellyfin = {
-            port = 8096;
-            extraConfig = {
-              locations."/socket" = {
-                proxyPass = "http://127.0.0.1:8096/";
-                proxyWebsockets = true;
-              };
+      example = {
+        gitea = {
+          subdomain = "git";
+          port = 8080;
+        };
+        dev = {
+          root = "/var/www/dev";
+        };
+        jellyfin = {
+          port = 8096;
+          extraConfig = {
+            locations."/socket" = {
+              proxyPass = "http://127.0.0.1:8096/";
+              proxyWebsockets = true;
             };
           };
-        }
-      '';
+        };
+      };
       description = ''
         List of virtual hosts to set-up using default settings.
       '';
@@ -163,25 +159,21 @@ in
             };
           };
         });
-        example = litteralExample ''
-          {
-            alice = {
-              passwordHashFile = "/var/lib/nginx-sso/alice/password-hash.txt";
-              totpSecretFile = "/var/lib/nginx-sso/alice/totp-secret.txt";
-            };
-          }
-        '';
+        example = {
+          alice = {
+            passwordHashFile = "/var/lib/nginx-sso/alice/password-hash.txt";
+            totpSecretFile = "/var/lib/nginx-sso/alice/totp-secret.txt";
+          };
+        };
         description = "Definition of users";
       };
 
       groups = mkOption {
         type = with types; attrsOf (listOf str);
-        example = litteralExample ''
-          {
-            root = [ "alice" ];
-            users = [ "alice" "bob" ];
-          }
-        '';
+        example = {
+          root = [ "alice" ];
+          users = [ "alice" "bob" ];
+        };
         description = "Groups of users";
       };
     };
@@ -465,5 +457,9 @@ in
         }
       ];
     };
+
+    my.system.persist.directories = [
+      config.users.user.acme.home
+    ];
   };
 }

modules/nixos/services/nginx/sso/default.nix

@@ -59,15 +59,10 @@ in
         StateDirectory = "nginx-sso";
         WorkingDirectory = "/var/lib/nginx-sso";
         # The files to be merged might not have the correct permissions
-        ExecStartPre = ''+${pkgs.writeShellScript "merge-nginx-sso-config" ''
+        ExecStartPre = pkgs.writeShellScript "merge-nginx-sso-config" ''
           rm -f '${confPath}'
           ${utils.genJqSecretsReplacementSnippet cfg.configuration confPath}
-
-          # Fix permissions
-          chown nginx-sso:nginx-sso ${confPath}
-          chmod 0600 ${confPath}
-        ''
-        }'';
+        '';
         ExecStart = lib.mkForce ''
           ${lib.getExe pkg} \
             --config ${confPath} \

modules/nixos/services/nix-cache/default.nix

@@ -40,7 +40,7 @@ in
         inherit (cfg) priority;
       };
 
-      signKeyPath = cfg.secretKeyFile;
+      signKeyPaths = [ cfg.secretKeyFile ];
     };
 
     my.services.nginx.virtualHosts = {

modules/nixos/services/paperless/default.nix

@@ -166,5 +166,10 @@ in
         config.services.paperless.mediaDir
       ];
     };
+
+    my.system.persist.directories = [
+      config.services.paperless-ng.dataDir
+      config.services.paperless-ng.mediaDir
+    ];
   };
 }

modules/nixos/services/pdf-edit/default.nix

@@ -0,0 +1,73 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.pdf-edit;
+in
+{
+  options.my.services.pdf-edit = with lib; {
+    enable = mkEnableOption "PDF edition service";
+
+    port = mkOption {
+      type = types.port;
+      default = 8089;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+
+    loginFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/pdf-edit/login.env";
+      description = ''
+        `SECURITY_INITIALLOGIN_USERNAME` and `SECURITY_INITIALLOGIN_PASSWORD`
+        defined in the format of 'EnvironmentFile' (see `systemd.exec(5)`).
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.stirling-pdf = lib.mkIf cfg.enable {
+      enable = true;
+
+      environment = {
+        SERVER_PORT = cfg.port;
+        SECURITY_CSRFDISABLED = "false";
+
+        SYSTEM_SHOWUPDATE = "false"; # We don't care about update notifications
+        INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true"; # Installed by the module
+
+        SECURITY_ENABLELOGIN = "true";
+        SECURITY_LOGINATTEMPTCOUNT = "-1"; # Rely on fail2ban instead
+      };
+
+      environmentFiles = [ cfg.loginFile ];
+    };
+
+    my.services.nginx.virtualHosts = {
+      pdf-edit = {
+        inherit (cfg) port;
+
+        extraConfig = {
+          # Allow upload of PDF files up to 1G
+          locations."/".extraConfig = ''
+            client_max_body_size 1G;
+          '';
+        };
+      };
+    };
+
+    services.fail2ban.jails = {
+      stirling-pdf = ''
+        enabled = true
+        filter = stirling-pdf
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/stirling-pdf.conf".text = ''
+        [Definition]
+        failregex = ^.*Failed login attempt from IP: <HOST>$
+        journalmatch = _SYSTEMD_UNIT=stirling-pdf.service
+      '';
+    };
+  };
+}

modules/nixos/services/podgrab/default.nix

@@ -13,7 +13,7 @@ in
       example = "/run/secrets/password.env";
       description = ''
         The path to a file containing the PASSWORD environment variable
-        definition for Podgrab's authentification.
+        definition for Podgrab's authentication.
       '';
     };
 
@@ -51,5 +51,10 @@ in
         inherit (cfg) port;
       };
     };
+
+    my.system.persist.directories = [
+      config.systemd.services.podgrab.environment.CONFIG
+      config.systemd.services.podgrab.environment.DATA
+    ];
   };
 }

modules/nixos/services/postgresql-backup/default.nix

@@ -24,5 +24,9 @@ in
         (config.services.postgresqlBackup.location + "/*.prev.sql.gz")
       ];
     };
+
+    my.system.persist.directories = [
+      config.services.postgresqlBackup.location
+    ];
   };
 }

modules/nixos/services/postgresql/default.nix

@@ -18,6 +18,13 @@ in
       };
     })
 
+    # Only persist directory if the actual service is enabled
+    (lib.mkIf config.services.postgresql.enable {
+      my.system.persist.directories = [
+        config.services.postgresql.dataDir
+      ];
+    })
+
     # Taken from the manual
     (lib.mkIf cfg.upgradeScript {
       environment.systemPackages =

modules/nixos/services/pyload/default.nix

@@ -53,6 +53,9 @@ in
       };
     };
 
+    # FIXME: backup
+    # FIXME: persistence
+
     # FIXME: fail2ban
   };
 }

modules/nixos/services/quassel/default.nix

@@ -46,5 +46,9 @@ in
       # Because Quassel does not use the socket, I simply trust its connection
       authentication = "host quassel quassel localhost trust";
     };
+
+    my.system.persist.directories = [
+      config.services.quassel.dataDir
+    ];
   };
 }

modules/nixos/services/rss-bridge/default.nix

@@ -22,5 +22,9 @@ in
       forceSSL = true;
       useACMEHost = config.networking.domain;
     };
+
+    my.system.persist.directories = [
+      config.services.rss-bridge.dataDir
+    ];
   };
 }

modules/nixos/services/sabnzbd/default.nix

@@ -24,6 +24,10 @@ in
       };
     };
 
+    my.system.persist.files = [
+      config.services.sabnzbd.configFile
+    ];
+
     services.fail2ban.jails = {
       sabnzbd = ''
         enabled = true

modules/nixos/services/servarr/default.nix

@@ -4,12 +4,13 @@
 # [1]: https://youtu.be/I26Ql-uX6AM
 { config, lib, ... }:
 let
-  cfg = config.my.services.pirate;
+  cfg = config.my.services.servarr;
 
   ports = {
     bazarr = 6767;
     lidarr = 8686;
     radarr = 7878;
+    readarr = 8787;
     sonarr = 8989;
   };
 
@@ -18,6 +19,11 @@ let
       enable = true;
       group = "media";
     };
+
+    # Thankfully those old style services all define users with homes
+    my.system.persist.directories = [
+      config.users.user.${service}.home
+    ];
   };
 
   mkRedirection = service: {
@@ -52,7 +58,7 @@ let
   ]);
 in
 {
-  options.my.services.pirate = {
+  options.my.services.servarr = {
     enable = lib.mkEnableOption "Media automation";
 
     bazarr = {
@@ -67,6 +73,10 @@ in
       enable = lib.my.mkDisableOption "Radarr";
     };
 
+    readarr = {
+      enable = lib.my.mkDisableOption "Readarr";
+    };
+
     sonarr = {
       enable = lib.my.mkDisableOption "Sonarr";
     };
@@ -85,6 +95,9 @@ in
     # Radarr for movies
     (mkFullConfig "radarr")
     (mkFail2Ban "radarr")
+    # Readarr for books
+    (mkFullConfig "readarr")
+    (mkFail2Ban "readarr")
     # Sonarr for shows
     (mkFullConfig "sonarr")
     (mkFail2Ban "sonarr")

modules/nixos/services/ssh-server/default.nix

@@ -20,6 +20,14 @@ in
       };
     };
 
+    # Persist SSH keys
+    my.system.persist.files = [
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+    ];
+
     # Opens the relevant UDP ports.
     programs.mosh.enable = true;
   };

modules/nixos/services/tandoor-recipes/default.nix

@@ -82,5 +82,10 @@ in
         };
       };
     };
+
+    # FIXME: backup
+    # FIXME: persistence
+
+    # NOTE: unfortunately tandoor-recipes does not log connection failures for fail2ban
   };
 }

modules/nixos/services/transmission/default.nix

@@ -90,5 +90,11 @@ in
       allowedTCPPorts = [ cfg.peerPort ];
       allowedUDPPorts = [ cfg.peerPort ];
     };
+
+    my.system.persist.directories = [
+      config.services.transmission.home
+    ];
+
+    # NOTE: unfortunately transmission does not log connection failures for fail2ban
   };
 }

modules/nixos/services/vikunja/default.nix

@@ -41,7 +41,7 @@ in
         service = {
           # Only allow registration of users through the CLI
           enableregistration = false;
-          # Ues the host's timezone
+          # Use the host's timezone
           timezone = config.time.timeZone;
           # Use UNIX socket for serving the API
           unixsocket = socketPath;
@@ -99,5 +99,9 @@ in
         config.services.vikunja.settings.files.basepath
       ];
     };
+
+    # FIXME: persistence
+
+    # NOTE: unfortunately vikunja does not log connection failures for fail2ban
   };
 }

modules/nixos/services/wireguard/default.nix

@@ -206,7 +206,7 @@ in
       ];
     }
 
-    # Additional inteface is only used to get access to "LAN" from wireguard
+    # Additional interface is only used to get access to "LAN" from wireguard
     (lib.mkIf cfg.internal.enable {
       networking.wg-quick.interfaces."${cfg.internal.name}" = mkInterface [
         "${cfg.net.v4.subnet}.0/${toString cfg.net.v4.mask}"

modules/nixos/services/woodpecker/server/default.nix

@@ -61,5 +61,7 @@ in
         port = cfg.rpcPort;
       };
     };
+
+    # FIXME: persistence
   };
 }

modules/nixos/system/default.nix

@@ -9,6 +9,7 @@
     ./language
     ./nix
     ./packages
+    ./persist
     ./podman
     ./polkit
     ./printing

modules/nixos/system/docker/default.nix

@@ -23,5 +23,9 @@ in
         ];
       };
     };
+
+    my.system.persist.directories = [
+      "/var/lib/docker"
+    ];
   };
 }

modules/nixos/system/nix/default.nix

@@ -22,6 +22,10 @@ in
   options.my.system.nix = with lib; {
     enable = my.mkDisableOption "nix configuration";
 
+    gc = {
+      enable = my.mkDisableOption "nix GC configuration";
+    };
+
     cache = {
       selfHosted = my.mkDisableOption "self-hosted cache";
     };
@@ -62,6 +66,22 @@ in
       };
     }
 
+    (lib.mkIf cfg.gc.enable {
+      nix.gc = {
+        automatic = true;
+
+        # Every week, with some wiggle room
+        dates = "weekly";
+        randomizedDelaySec = "10min";
+
+        # Use a persistent timer for e.g: laptops
+        persistent = true;
+
+        # Delete old profiles automatically after 15 days
+        options = "--delete-older-than 15d";
+      };
+    })
+
     (lib.mkIf cfg.cache.selfHosted {
       nix = {
         settings = {

modules/nixos/system/packages/default.nix

@@ -14,12 +14,14 @@ in
 
   config = lib.mkIf cfg.enable {
     environment.systemPackages = with pkgs; [
-      vim
       wget
     ];
 
     programs = {
-      vim.defaultEditor = true; # Modal editing is life
+      vim = {
+        enable = true;
+        defaultEditor = true; # Modal editing is life
+      };
 
       zsh = {
         enable = true; # Use integrations

modules/nixos/system/persist/default.nix

@@ -0,0 +1,65 @@
+# Ephemeral root configuration
+{ config, inputs, lib, ... }:
+let
+  cfg = config.my.system.persist;
+in
+{
+  imports = [
+    inputs.impermanence.nixosModules.impermanence
+  ];
+
+  options.my.system.persist = with lib; {
+    enable = mkEnableOption "stateless system configuration";
+
+    mountPoint = lib.mkOption {
+      type = types.str;
+      default = "/persistent";
+      example = "/etc/nix/persist";
+      description = ''
+        Which mount point should be used to persist this system's files and
+        directories.
+      '';
+    };
+
+    files = lib.mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      example = [
+        "/etc/nix/id_rsa"
+      ];
+      description = ''
+        Additional files in the root to link to persistent storage.
+      '';
+    };
+
+    directories = lib.mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      example = [
+        "/var/lib/libvirt"
+      ];
+      description = ''
+        Additional directories in the root to link to persistent storage.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.persistence."${cfg.mountPoint}" = {
+      files = [
+        "/etc/machine-id"
+      ]
+      ++ cfg.files
+      ;
+
+      directories = [
+        "/etc/nixos"
+        "/var/log"
+        "/var/lib/nixos"
+        "/var/lib/systemd/coredump"
+      ]
+      ++ cfg.directories
+      ;
+    };
+  };
+}

modules/nixos/system/podman/default.nix

@@ -44,5 +44,9 @@ in
         ];
       };
     };
+
+    my.system.persist.directories = [
+      "/var/lib/containers"
+    ];
   };
 }

overlays/downgrade-transmission/default.nix

@@ -0,0 +1,14 @@
+self: prev:
+{
+  transmission_4 = prev.transmission_4.overrideAttrs (_: {
+    version = "4.0.5";
+
+    src = self.fetchFromGitHub {
+      owner = "transmission";
+      repo = "transmission";
+      rev = "4.0.5";
+      hash = "sha256-gd1LGAhMuSyC/19wxkoE2mqVozjGPfupIPGojKY0Hn4=";
+      fetchSubmodules = true;
+    };
+  });
+}

pkgs/cgt-calc/default.nix

@@ -0,0 +1,47 @@
+{ lib
+, fetchFromGitHub
+, python3Packages
+, withTeXLive ? true
+, texliveSmall
+}:
+python3Packages.buildPythonApplication rec {
+  pname = "cgt-calc";
+  version = "1.13.0";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "KapJI";
+    repo = "capital-gains-calculator";
+    rev = "v${version}";
+    hash = "sha256-y/Y05wG89nccXyxfjqazyPJhd8dOkfwRJre+Rzx97Hw=";
+  };
+
+  build-system = with python3Packages; [
+    poetry-core
+  ];
+
+  dependencies = with python3Packages; [
+    defusedxml
+    jinja2
+    pandas
+    requests
+    types-requests
+    yfinance
+  ];
+
+  makeWrapperArgs = lib.optionals withTeXLive [
+    "--prefix"
+    "PATH"
+    ":"
+    "${lib.getBin texliveSmall}/bin"
+  ];
+
+  meta = with lib; {
+    description = "UK capital gains tax calculator";
+    homepage = "https://github.com/KapJI/capital-gains-calculator";
+    license = with licenses; [ mit ];
+    mainProgram = "cgt-calc";
+    maintainers = with maintainers; [ ambroisie ];
+    platforms = platforms.unix;
+  };
+}

pkgs/default.nix

@@ -2,6 +2,8 @@
 pkgs.lib.makeScope pkgs.newScope (pkgs: {
   bw-pass = pkgs.callPackage ./bw-pass { };
 
+  cgt-calc = pkgs.callPackage ./cgt-calc { };
+
   change-audio = pkgs.callPackage ./change-audio { };
 
   change-backlight = pkgs.callPackage ./change-backlight { };

pkgs/lohr/default.nix

@@ -1,16 +1,16 @@
 { lib, fetchFromGitHub, rustPlatform }:
 rustPlatform.buildRustPackage rec {
   pname = "lohr";
-  version = "0.4.5";
+  version = "0.4.6";
 
   src = fetchFromGitHub {
     owner = "alarsyo";
     repo = "lohr";
     rev = "v${version}";
-    hash = "sha256-p6E/r+OxFTpxDpOKSlacOxvRLfHSKg1mHNAfTytfqDY=";
+    hash = "sha256-dunQgtap+XCK5LoSyOqIY/6p6HizBeiyPWNuCffwjDU=";
   };
 
-  cargoHash = "sha256-hext0S0o9D9pN9epzXtD5dwAYMPCLpBBOBT4FX0mTMk=";
+  cargoHash = "sha256-EUhyrhPe+mUgMmm4o+bxRIiSNReJRfw+/O1fPr8r7lo=";
 
   meta = with lib; {
     description = "Git mirroring daemon";

pkgs/unbound-zones-adblock/default.nix

@@ -1,7 +1,7 @@
 { lib, gawk, stdenvNoCC, stevenblack-blocklist }:
 stdenvNoCC.mkDerivation {
   name = "unbound-zones-adblock";
-  version = stevenblack-blocklist.rev;
+  inherit (stevenblack-blocklist) version;
 
   src = stevenblack-blocklist;
 
@@ -30,7 +30,7 @@ stdenvNoCC.mkDerivation {
     description = "Unified host lists, ready to be used by unbound";
     longDescription = ''
       This is a simple derivation based on StevenBlack's unified hosts list.
-      The files have been modified for easy use wih unbound.
+      The files have been modified for easy use with unbound.
     '';
     homepage = "https://github.com/StevenBlack/hosts";
     license = licenses.mit;