flake: home-manager: export NixOS homes

And here is what the last few commits were building up to.

This is neat, but won't be useful *very* often.

flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762618334,
+        "lastModified": 1750173260,
-        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
+        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
         "type": "github"
       },
       "original": {
@@ -53,11 +53,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1761588595,
+        "lastModified": 1696426674,
-        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765835352,
+        "lastModified": 1751413152,
-        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
         "type": "github"
       },
       "original": {
@@ -117,11 +117,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765911976,
+        "lastModified": 1750779888,
-        "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=",
+        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
         "type": "github"
       },
       "original": {
@@ -159,11 +159,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766171975,
+        "lastModified": 1751429452,
-        "narHash": "sha256-47Ee0bTidhF/3/sHuYnWRuxcCrrm0mBNDxBkOTd3wWQ=",
+        "narHash": "sha256-4s5vRtaqdNhVBnbOWOzBNKrRa0ShQTLoEPjJp3joeNI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bb35f07cc95a73aacbaf1f7f46bb8a3f40f265b5",
+        "rev": "df12269039dcf752600b1bcc176bacf2786ec384",
         "type": "github"
       },
       "original": {
@@ -175,11 +175,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1766070988,
+        "lastModified": 1751271578,
-        "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=",
+        "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8",
+        "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
         "type": "github"
       },
       "original": {
@@ -196,19 +196,20 @@
         ],
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1766242030,
+        "lastModified": 1741294988,
-        "narHash": "sha256-GdaKIZrzm4fbFf9jBVmeQFZTwYPxUlSTZrSId/JNMAU=",
+        "narHash": "sha256-3408u6q615kVTb23WtDriHRmCBBpwX7iau6rvfipcu4=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "30006228925f07c5c2a270bb95dc8da35d9942dc",
+        "rev": "b30c245e2c44c7352a27485bfd5bc483df660f0e",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "main",
+        "ref": "master",
         "repo": "NUR",
         "type": "github"
       }
@@ -240,6 +241,27 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733222881,
+        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -54,7 +54,7 @@
       type = "github";
       owner = "nix-community";
       repo = "NUR";
-      ref = "main";
+      ref = "master";
       inputs = {
         flake-parts.follows = "flake-parts";
         nixpkgs.follows = "nixpkgs";

flake/default.nix

@@ -13,6 +13,7 @@ flake-parts.lib.mkFlake { inherit inputs; } {
     ./checks.nix
     ./dev-shells.nix
     ./home-manager.nix
+    ./hosts.nix
     ./lib.nix
     ./nixos.nix
     ./overlays.nix

flake/home-manager.nix

@@ -1,5 +1,7 @@
-{ self, inputs, lib, ... }:
+{ self, config, inputs, lib, ... }:
 let
+  inherit (config) hosts;
+
   defaultModules = [
     # Include generic settings
     "${self}/modules/home"
@@ -19,14 +21,14 @@ let
       # Enable home-manager
       programs.home-manager.enable = true;
     }
+    # Import common modules
+    "${self}/modules/common"
   ];
 
-  mkHome = name: system: inputs.home-manager.lib.homeManagerConfiguration {
+  mkHomeCommon = mainModules: system: inputs.home-manager.lib.homeManagerConfiguration {
     pkgs = inputs.nixpkgs.legacyPackages.${system};
 
-    modules = defaultModules ++ [
+    modules = defaultModules ++ mainModules;
-      "${self}/hosts/homes/${name}"
-    ];
 
     # Use my extended lib in NixOS configuration
     inherit (self) lib;
@@ -37,24 +39,41 @@ let
     };
   };
 
-  homes = {
+  mkHome = name: mkHomeCommon [ "${self}/hosts/homes/${name}" ];
+
+  mkNixosHome = name: mkHomeCommon [
+    "${self}/hosts/nixos/${name}/home.nix"
+    "${self}/hosts/nixos/${name}/profiles.nix"
+  ];
+in
+{
+  hosts.homes = {
     "ambroisie@bazin" = "x86_64-linux";
     "ambroisie@mousqueton" = "x86_64-linux";
   };
-in
+
-{
   perSystem = { system, ... }: {
     # Work-around for https://github.com/nix-community/home-manager/issues/3075
     legacyPackages = {
       homeConfigurations =
         let
-          filteredHomes = lib.filterAttrs (_: v: v == system) homes;
+          filteredHomes = lib.filterAttrs (_: v: v == system) hosts.homes;
           allHomes = filteredHomes // {
             # Default configuration
             ambroisie = system;
           };
+          homeManagerHomes = lib.mapAttrs mkHome allHomes;
+
+          filteredNixosHosts = lib.filterAttrs (_: v: v == system) hosts.nixos;
+          nixosHomes' = lib.mapAttrs mkNixosHome filteredNixosHosts;
+          nixosHomeUsername = (host: self.nixosConfigurations.${host}.config.my.user.name);
+          nixosHomes = lib.mapAttrs' (host: lib.nameValuePair "${nixosHomeUsername host}@${host}") nixosHomes';
         in
-        lib.mapAttrs mkHome allHomes;
+        lib.foldl' lib.mergeAttrs { }
+          [
+            homeManagerHomes
+            nixosHomes
+          ];
     };
   };
 }

flake/hosts.nix

@@ -0,0 +1,21 @@
+# Define `hosts.{darwin,home,nixos}` options for consumption in other modules
+{ lib, ... }:
+let
+  mkHostsOption = description: lib.mkOption {
+    inherit description;
+    type = with lib.types; attrsOf str;
+    default = { };
+    example = { name = "x86_64-linux"; };
+  };
+in
+{
+  options = {
+    hosts = {
+      darwin = mkHostsOption "Darwin hosts";
+
+      homes = mkHostsOption "Home Manager hosts";
+
+      nixos = mkHostsOption "NixOS hosts";
+    };
+  };
+}

flake/nixos.nix

@@ -1,4 +1,4 @@
-{ self, inputs, lib, ... }:
+{ self, config, inputs, lib, ... }:
 let
   defaultModules = [
     {
@@ -12,6 +12,8 @@ let
     }
     # Include generic settings
     "${self}/modules/nixos"
+    # Import common modules
+    "${self}/modules/common"
   ];
 
   buildHost = name: system: lib.nixosSystem {
@@ -30,8 +32,12 @@ let
   };
 in
 {
-  flake.nixosConfigurations = lib.mapAttrs buildHost {
+  config = {
-    aramis = "x86_64-linux";
+    hosts.nixos = {
-    porthos = "x86_64-linux";
+      aramis = "x86_64-linux";
+      porthos = "x86_64-linux";
+    };
+
+    flake.nixosConfigurations = lib.mapAttrs buildHost config.hosts.nixos;
   };
 }

flake/overlays.nix

@@ -1,4 +1,4 @@
-{ self, lib, ... }:
+{ self, ... }:
 let
   default-overlays = import "${self}/overlays";
 
@@ -8,7 +8,7 @@ let
 
     # Expose my custom packages
     pkgs = _final: prev: {
-      ambroisie = lib.recurseIntoAttrs (import "${self}/pkgs" { pkgs = prev; });
+      ambroisie = prev.recurseIntoAttrs (import "${self}/pkgs" { pkgs = prev; });
     };
   };
 in

hosts/nixos/aramis/home.nix

@@ -18,7 +18,9 @@
     # Machine specific packages
     packages.additionalPackages = with pkgs; [
       element-desktop # Matrix client
+      jellyfin-media-player # Wraps the webui and mpv together
       pavucontrol # Audio mixer GUI
+      trgui-ng # Transmission remote
     ];
     # Minimal video player
     mpv.enable = true;
@@ -26,8 +28,6 @@
     nm-applet.enable = true;
     # Terminal
     terminal.program = "alacritty";
-    # Transmission remote
-    trgui.enable = true;
     # Zathura document viewer
     zathura.enable = true;
   };

hosts/nixos/porthos/default.nix

@@ -7,6 +7,7 @@
     ./hardware.nix
     ./home.nix
     ./networking.nix
+    ./profiles.nix
     ./secrets
     ./services.nix
     ./system.nix

hosts/nixos/porthos/profiles.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  # Nothing
+}

hosts/nixos/porthos/secrets/secrets.nix

@@ -83,9 +83,18 @@ in
   "servarr/autobrr/session-secret.age".publicKeys = all;
   "servarr/cross-seed/configuration.json.age".publicKeys = all;
 
-  "sso/auth-key.age".publicKeys = all;
+  "sso/auth-key.age" = {
-  "sso/ambroisie/password-hash.age".publicKeys = all;
+    owner = "nginx-sso";
-  "sso/ambroisie/totp-secret.age".publicKeys = all;
+    publicKeys = all;
+  };
+  "sso/ambroisie/password-hash.age" = {
+    owner = "nginx-sso";
+    publicKeys = all;
+  };
+  "sso/ambroisie/totp-secret.age" = {
+    owner = "nginx-sso";
+    publicKeys = all;
+  };
 
   "tandoor-recipes/secret-key.age".publicKeys = all;
 

modules/common/default.nix

@@ -0,0 +1,28 @@
+# Modules that are common to various module systems
+# Usually with very small differences, if any, between them.
+{ lib, _class, ... }:
+let
+  allowedClass = [
+    "darwin"
+    "homeManager"
+    "nixos"
+  ];
+
+  allowedClassString = lib.concatStringSep ", " (builtins.map lib.escapeNixString allowedClass);
+in
+{
+  imports = [
+    ./profiles
+  ];
+
+  config = {
+    assertions = [
+      {
+        assertion = builtins.elem _class allowedClass;
+        message = ''
+          `_class` specialArgs must be one of ${allowedClassString}.
+        '';
+      }
+    ];
+  };
+}

modules/common/profiles/bluetooth/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, _class, ... }:
+let
+  cfg = config.my.profiles.bluetooth;
+in
+{
+  options.my.profiles.bluetooth = with lib; {
+    enable = mkEnableOption "bluetooth profile";
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    (lib.optionalAttrs (_class == "homeManager") {
+      my.home.bluetooth.enable = true;
+    })
+
+    (lib.optionalAttrs (_class == "nixos") {
+      my.hardware.bluetooth.enable = true;
+    })
+  ]);
+}

modules/common/profiles/default.nix

@@ -0,0 +1,25 @@
+# Configuration that spans across system and home, or are almagations of modules
+{ config, lib, _class, ... }:
+{
+  imports = [
+    ./bluetooth
+    ./devices
+    ./gtk
+    ./laptop
+    ./wm
+    ./x
+  ];
+
+  config = lib.mkMerge [
+    # Transparently enable home-manager profiles as well
+    (lib.optionalAttrs (_class != "homeManager") {
+      home-manager.users.${config.my.user.name} = {
+        config = {
+          my = {
+            inherit (config.my) profiles;
+          };
+        };
+      };
+    })
+  ];
+}

modules/common/profiles/devices/default.nix

@@ -0,0 +1,22 @@
+{ config, lib, _class, ... }:
+let
+  cfg = config.my.profiles.devices;
+in
+{
+  options.my.profiles.devices = with lib; {
+    enable = mkEnableOption "devices profile";
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    (lib.optionalAttrs (_class == "nixos") {
+      my.hardware = {
+        ergodox.enable = true;
+
+        trackball.enable = true;
+      };
+
+      # MTP devices auto-mount via file explorers
+      services.gvfs.enable = true;
+    })
+  ]);
+}

modules/common/profiles/gtk/default.nix

@@ -0,0 +1,21 @@
+{ config, lib, _class, ... }:
+let
+  cfg = config.my.profiles.gtk;
+in
+{
+  options.my.profiles.gtk = with lib; {
+    enable = mkEnableOption "gtk profile";
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    (lib.optionalAttrs (_class == "homeManager") {
+      # GTK theme configuration
+      my.home.gtk.enable = true;
+    })
+
+    (lib.optionalAttrs (_class == "nixos") {
+      # Allow setting GTK configuration using home-manager
+      programs.dconf.enable = true;
+    })
+  ]);
+}

modules/common/profiles/laptop/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, _class, ... }:
+let
+  cfg = config.my.profiles.laptop;
+in
+{
+  options.my.profiles.laptop = with lib; {
+    enable = mkEnableOption "laptop profile";
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    (lib.optionalAttrs (_class == "homeManager") {
+      # Enable battery notifications
+      my.home.power-alert.enable = true;
+    })
+
+    (lib.optionalAttrs (_class == "nixos") {
+      # Enable touchpad support
+      services.libinput.enable = true;
+
+      # Enable TLP power management
+      my.services.tlp.enable = true;
+
+      # Enable upower power management
+      my.hardware.upower.enable = true;
+    })
+  ]);
+}

modules/common/profiles/wm/default.nix

@@ -0,0 +1,38 @@
+{ config, lib, _class, ... }:
+let
+  cfg = config.my.profiles.wm;
+
+  applyWm = wm: configs: lib.mkIf (cfg.windowManager == wm) (lib.my.merge configs);
+in
+{
+  options.my.profiles.wm = with lib; {
+    windowManager = mkOption {
+      type = with types; nullOr (enum [ "i3" ]);
+      default = null;
+      example = "i3";
+      description = "Which window manager to use";
+    };
+  };
+
+  config = lib.mkMerge [
+    (applyWm "i3" [
+      (lib.optionalAttrs (_class == "homeManager") {
+        # i3 settings
+        my.home.wm.windowManager = "i3";
+        # Screenshot tool
+        my.home.flameshot.enable = true;
+        # Auto disk mounter
+        my.home.udiskie.enable = true;
+      })
+
+      (lib.optionalAttrs (_class == "nixos") {
+        # Enable i3
+        services.xserver.windowManager.i3.enable = true;
+        # udiskie fails if it can't find this dbus service
+        services.udisks2.enable = true;
+        # Ensure i3lock can actually unlock the session
+        security.pam.services.i3lock.enable = true;
+      })
+    ])
+  ];
+}

modules/common/profiles/x/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, _class, ... }:
+let
+  cfg = config.my.profiles.x;
+in
+{
+  options.my.profiles.x = with lib; {
+    enable = mkEnableOption "X profile";
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    (lib.optionalAttrs (_class == "homeManager") {
+      # X configuration
+      my.home.x.enable = true;
+    })
+
+    (lib.optionalAttrs (_class == "nixos") {
+      # Enable the X11 windowing system.
+      services.xserver.enable = true;
+      # Nice wallpaper
+      services.xserver.displayManager.lightdm.background =
+        let
+          wallpapers = "${pkgs.plasma5Packages.plasma-workspace-wallpapers}/share/wallpapers";
+        in
+        "${wallpapers}/summer_1am/contents/images/2560x1600.jpg";
+    })
+  ]);
+}

modules/home/atuin/default.nix

@@ -6,6 +6,7 @@ in
   options.my.home.atuin = with lib; {
     enable = my.mkDisableOption "atuin configuration";
 
+    # I want the full experience by default
     package = mkPackageOption pkgs "atuin" { };
 
     daemon = {

modules/home/default.nix

@@ -38,7 +38,6 @@
     ./ssh
     ./terminal
     ./tmux
-    ./trgui
     ./udiskie
     ./vim
     ./wget

modules/home/delta/default.nix

@@ -14,34 +14,53 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    programs.delta = {
+    assertions = [
-      enable = true;
+      {
+        # For its configuration
+        assertion = cfg.enable -> cfg.git.enable;
+        message = ''
+          `config.my.home.delta` must enable `config.my.home.delta.git` to be
+          properly configured.
+        '';
+      }
+      {
+        assertion = cfg.enable -> config.programs.git.enable;
+        message = ''
+          `config.my.home.delta` relies on `config.programs.git` to be
+          enabled.
+        '';
+      }
+    ];
 
-      inherit (cfg) package;
+    home.packages = [ cfg.package ];
 
-      enableGitIntegration = cfg.git.enable;
+    programs.git = lib.mkIf cfg.git.enable {
+      delta = {
+        enable = true;
+        inherit (cfg) package;
 
-      options = {
+        options = {
-        features = "diff-highlight decorations";
+          features = "diff-highlight decorations";
 
-        # Less jarring style for `diff-highlight` emulation
+          # Less jarring style for `diff-highlight` emulation
-        diff-highlight = {
+          diff-highlight = {
-          minus-style = "red";
+            minus-style = "red";
-          minus-non-emph-style = "red";
+            minus-non-emph-style = "red";
-          minus-emph-style = "bold red 52";
+            minus-emph-style = "bold red 52";
 
-          plus-style = "green";
+            plus-style = "green";
-          plus-non-emph-style = "green";
+            plus-non-emph-style = "green";
-          plus-emph-style = "bold green 22";
+            plus-emph-style = "bold green 22";
 
-          whitespace-error-style = "reverse red";
+            whitespace-error-style = "reverse red";
-        };
+          };
 
-        # Personal preference for easier reading
+          # Personal preference for easier reading
-        decorations = {
+          decorations = {
-          commit-style = "raw"; # Do not recolor meta information
+            commit-style = "raw"; # Do not recolor meta information
-          keep-plus-minus-markers = true;
+            keep-plus-minus-markers = true;
-          paging = "always";
+            paging = "always";
+          };
         };
       };
     };

modules/home/discord/default.nix

@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.my.home.discord;
+
+  jsonFormat = pkgs.formats.json { };
 in
 {
   options.my.home.discord = with lib; {
@@ -10,15 +12,14 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    programs.discord = {
+    home.packages = with pkgs; [
-      enable = true;
+      cfg.package
+    ];
 
-      inherit (cfg) package;
+    xdg.configFile."discord/settings.json".source =
-
+      jsonFormat.generate "discord.json" {
-      settings = {
         # Do not keep me from using the app just to force an update
         SKIP_HOST_UPDATE = true;
       };
-    };
   };
 }

modules/home/firefox/default.nix

@@ -52,7 +52,6 @@ in
           "browser.newtabpage.activity-stream.feeds.sections" = false;
           "browser.newtabpage.activity-stream.feeds.system.topstories" = false; # Disable top stories
           "browser.newtabpage.activity-stream.section.highlights.includePocket" = false; # Disable pocket
-          "browser.urlbar.trimURLs" = false; # Always show the `http://` prefix
           "extensions.pocket.enabled" = false; # Disable pocket
           "media.eme.enabled" = true; # Enable DRM
           "media.gmp-widevinecdm.enabled" = true; # Enable DRM

modules/home/git/default.nix

@@ -21,31 +21,29 @@ in
   config.programs.git = lib.mkIf cfg.enable {
     enable = true;
 
+    # Who am I?
+    userEmail = mkMailAddress "bruno" "belanyi.fr";
+    userName = "Bruno BELANYI";
+
     inherit (cfg) package;
 
+    aliases = {
+      git = "!git";
+      lol = "log --graph --decorate --pretty=oneline --abbrev-commit --topo-order";
+      lola = "lol --all";
+      assume = "update-index --assume-unchanged";
+      unassume = "update-index --no-assume-unchanged";
+      assumed = "!git ls-files -v | grep ^h | cut -c 3-";
+      pick = "log -p -G";
+      push-new = "!git push -u origin "
+        + ''"$(git branch | grep '^* ' | cut -f2- -d' ')"'';
+      root = "git rev-parse --show-toplevel";
+    };
+
     lfs.enable = true;
 
     # There's more
-    settings = {
+    extraConfig = {
-      # Who am I?
-      user = {
-        email = mkMailAddress "bruno" "belanyi.fr";
-        name = "Bruno BELANYI";
-      };
-
-      alias = {
-        git = "!git";
-        lol = "log --graph --decorate --pretty=oneline --abbrev-commit --topo-order";
-        lola = "lol --all";
-        assume = "update-index --assume-unchanged";
-        unassume = "update-index --no-assume-unchanged";
-        assumed = "!git ls-files -v | grep ^h | cut -c 3-";
-        pick = "log -p -G";
-        push-new = "!git push -u origin "
-          + ''"$(git branch | grep '^* ' | cut -f2- -d' ')"'';
-        root = "git rev-parse --show-toplevel";
-      };
-
       # Makes it a bit more readable
       blame = {
         coloring = "repeatedLines";

modules/home/nix/default.nix

@@ -69,7 +69,7 @@ in
         automatic = true;
 
         # Every week, with some wiggle room
-        dates = "weekly";
+        frequency = "weekly";
         randomizedDelaySec = "10min";
 
         # Use a persistent timer for e.g: laptops

modules/home/ssh/default.nix

@@ -17,7 +17,6 @@ in
     {
       programs.ssh = {
         enable = true;
-        enableDefaultConfig = false;
 
         includes = [
           # Local configuration, not-versioned
@@ -54,12 +53,11 @@ in
             identityFile = "~/.ssh/shared_rsa";
             user = "ambroisie";
           };
-
-          # `*` is automatically made the last match block by the module
-          "*" = {
-            addKeysToAgent = "yes";
-          };
         };
+
+        extraConfig = ''
+          AddKeysToAgent yes
+        '';
       };
     }
 

modules/home/tmux/default.nix

@@ -48,7 +48,7 @@ in
     keyMode = "vi"; # Home-row keys and other niceties
     clock24 = true; # I'm one of those heathens
     escapeTime = 0; # Let vim do its thing instead
-    historyLimit = 1000000; # Bigger buffer
+    historyLimit = 100000; # Bigger buffer
     mouse = false; # I dislike mouse support
     focusEvents = true; # Report focus events
     terminal = "tmux-256color"; # I want accurate termcap info
@@ -61,8 +61,8 @@ in
       pain-control
       # Better session management
       sessionist
-      # X clipboard integration
       {
+        # X clipboard integration
         plugin = yank;
         extraConfig = ''
           # Use 'clipboard' because of misbehaving apps (e.g: firefox)
@@ -71,8 +71,8 @@ in
           set -g @yank_action 'copy-pipe'
         '';
       }
-      # Show when prefix has been pressed
       {
+        # Show when prefix has been pressed
         plugin = prefix-highlight;
         extraConfig = ''
           # Also show when I'm in copy or sync mode

modules/home/trgui/default.nix

@@ -1,17 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.my.home.trgui;
-in
-{
-  options.my.home.trgui = with lib; {
-    enable = mkEnableOption "Transmission GUI onfiguration";
-
-    package = mkPackageOption pkgs "TrguiNG" { default = "trgui-ng"; };
-  };
-
-  config = lib.mkIf cfg.enable {
-    home.packages = with pkgs; [
-      cfg.package
-    ];
-  };
-}

modules/home/vim/default.nix

@@ -80,6 +80,7 @@ in
       nvim-surround # Deal with pairs, now in Lua
       oil-nvim # Better alternative to NetrW
       telescope-fzf-native-nvim # Use 'fzf' fuzzy matching algorithm
+      telescope-lsp-handlers-nvim # Use 'telescope' for various LSP actions
       telescope-nvim # Fuzzy finder interface
       which-key-nvim # Show available mappings
     ];

modules/home/vim/ftdetect/glsl.lua

@@ -0,0 +1,7 @@
+-- Use GLSL filetype for common shader file extensions
+vim.filetype.add({
+    extension = {
+        frag = "glsl",
+        vert = "glsl",
+    },
+})

modules/home/vim/init.vim

@@ -81,6 +81,9 @@ set updatetime=250
 " Disable all mouse integrations
 set mouse=
 
+" Set dark mode by default
+set background=dark
+
 " Setup some overrides for gruvbox
 lua << EOF
 local gruvbox = require("gruvbox")

modules/home/vim/plugin/settings/lspconfig.lua

@@ -1,3 +1,4 @@
+local lspconfig = require("lspconfig")
 local lsp = require("ambroisie.lsp")
 local utils = require("ambroisie.utils")
 
@@ -24,27 +25,59 @@ vim.diagnostic.config({
 -- Inform servers we are able to do completion, snippets, etc...
 local capabilities = require("cmp_nvim_lsp").default_capabilities()
 
--- Shared configuration
+-- C/C++
-vim.lsp.config("*", {
+if utils.is_executable("clangd") then
-    capabilities = capabilities,
+    lspconfig.clangd.setup({
-    on_attach = lsp.on_attach,
+        capabilities = capabilities,
-})
+        on_attach = lsp.on_attach,
+    })
+end
 
-local servers = {
+-- Haskell
-    -- C/C++
+if utils.is_executable("haskell-language-server-wrapper") then
-    clangd = {},
+    lspconfig.hls.setup({
-    -- Haskell
+        capabilities = capabilities,
-    hls = {},
+        on_attach = lsp.on_attach,
-    -- Nix
+    })
-    nil_ls = {},
+end
-    -- Python
+
-    pyright = {},
+-- Nix
-    ruff = {},
+if utils.is_executable("nil") then
-    -- Rust
+    lspconfig.nil_ls.setup({
-    rust_analyzer = {},
+        capabilities = capabilities,
-    -- Shell
+        on_attach = lsp.on_attach,
-    bashls = {
+    })
+end
+
+-- Python
+if utils.is_executable("pyright") then
+    lspconfig.pyright.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
+end
+
+if utils.is_executable("ruff") then
+    lspconfig.ruff.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
+end
+
+-- Rust
+if utils.is_executable("rust-analyzer") then
+    lspconfig.rust_analyzer.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
+end
+
+-- Shell
+if utils.is_executable("bash-language-server") then
+    lspconfig.bashls.setup({
         filetypes = { "bash", "sh", "zsh" },
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
         settings = {
             bashIde = {
                 shfmt = {
@@ -55,17 +88,28 @@ local servers = {
                 },
             },
         },
-    },
+    })
-    -- Starlark
+end
-    starpls = {},
+
-    -- Generic
+-- Starlark
-    harper_ls = {},
+if utils.is_executable("starpls") then
-    typos_lsp = {},
+    lspconfig.starpls.setup({
-}
+        capabilities = capabilities,
-
+        on_attach = lsp.on_attach,
-for server, config in pairs(servers) do
+    })
-    if not vim.tbl_isempty(config) then
+end
-        vim.lsp.config(server, config)
+
-    end
+-- Generic
-    vim.lsp.enable(server)
+if utils.is_executable("harper-ls") then
+    lspconfig.harper_ls.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
+end
+
+if utils.is_executable("typos-lsp") then
+    lspconfig.typos_lsp.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
 end

modules/home/vim/plugin/settings/telescope.lua

@@ -23,6 +23,7 @@ telescope.setup({
 })
 
 telescope.load_extension("fzf")
+telescope.load_extension("lsp_handlers")
 
 local keys = {
     { "<leader>f", group = "Fuzzy finder" },

modules/home/xdg/default.nix

@@ -56,7 +56,4 @@ in
     XCOMPOSECACHE = "${dataHome}/X11/xcompose";
     _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${configHome}/java";
   };
-
-  # Some modules *optionally* use `XDG_*_HOME` when told to
-  config.home.preferXdgDirectories = lib.mkIf cfg.enable true;
 }

modules/home/zsh/default.nix

@@ -1,6 +1,14 @@
 { config, pkgs, lib, ... }:
 let
   cfg = config.my.home.zsh;
+
+  # Have a nice relative path for XDG_CONFIG_HOME, without leading `/`
+  relativeXdgConfig =
+    let
+      noHome = lib.removePrefix config.home.homeDirectory;
+      noSlash = lib.removePrefix "/";
+    in
+    noSlash (noHome config.xdg.configHome);
 in
 {
   options.my.home.zsh = with lib; {
@@ -8,22 +16,16 @@ in
 
     launchTmux = mkEnableOption "auto launch tmux at shell start";
 
-    completionSync = {
-      enable = mkEnableOption "zsh-completion-sync plugin";
-    };
-
     notify = {
       enable = mkEnableOption "zsh-done notification";
 
       exclude = mkOption {
         type = with types; listOf str;
         default = [
-          "bat"
           "delta"
           "direnv reload"
           "fg"
           "git (?!push|pull|fetch)"
-          "home-manager (?!switch|build)"
           "htop"
           "less"
           "man"
@@ -55,7 +57,7 @@ in
 
       programs.zsh = {
         enable = true;
-        dotDir = "${config.xdg.configHome}/zsh"; # Don't clutter $HOME
+        dotDir = "${relativeXdgConfig}/zsh"; # Don't clutter $HOME
         enableCompletion = true;
 
         history = {
@@ -72,7 +74,7 @@ in
         plugins = [
           {
             name = "fast-syntax-highlighting";
-            file = "share/zsh/plugins/fast-syntax-highlighting/fast-syntax-highlighting.plugin.zsh";
+            file = "share/zsh/site-functions/fast-syntax-highlighting.plugin.zsh";
             src = pkgs.zsh-fast-syntax-highlighting;
           }
           {
@@ -122,18 +124,6 @@ in
       };
     }
 
-    (lib.mkIf cfg.completionSync.enable {
-      programs.zsh = {
-        plugins = [
-          {
-            name = "zsh-completion-sync";
-            file = "share/zsh-completion-sync/zsh-completion-sync.plugin.zsh";
-            src = pkgs.zsh-completion-sync;
-          }
-        ];
-      };
-    })
-
     (lib.mkIf cfg.notify.enable {
       programs.zsh = {
         plugins = [

modules/nixos/default.nix

@@ -5,7 +5,6 @@
   imports = [
     ./hardware
     ./home
-    ./profiles
     ./programs
     ./secrets
     ./services

modules/nixos/hardware/graphics/default.nix

@@ -15,6 +15,8 @@ in
 
     amd = {
       enableKernelModule = lib.my.mkDisableOption "Kernel driver module";
+
+      amdvlk = lib.mkEnableOption "Use AMDVLK instead of Mesa RADV driver";
     };
 
     intel = {
@@ -33,6 +35,13 @@ in
     (lib.mkIf (cfg.gpuFlavor == "amd") {
       hardware.amdgpu = {
         initrd.enable = cfg.amd.enableKernelModule;
+        # Vulkan
+        amdvlk = lib.mkIf cfg.amd.amdvlk {
+          enable = true;
+          support32Bit = {
+            enable = true;
+          };
+        };
       };
 
       hardware.graphics = {

modules/nixos/home/default.nix

@@ -13,8 +13,13 @@ in
 
   config = lib.mkIf cfg.enable {
     home-manager = {
-      # Not a fan of out-of-directory imports, but this is a good exception
+      users.${config.my.user.name} = {
-      users.${config.my.user.name} = import "${inputs.self}/modules/home";
+        # Not a fan of out-of-directory imports, but this is a good exception
+        imports = [
+          "${inputs.self}/modules/common"
+          "${inputs.self}/modules/home"
+        ];
+      };
 
       # Nix Flakes compatibility
       useGlobalPkgs = true;

modules/nixos/profiles/bluetooth/default.nix

@@ -1,15 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.my.profiles.bluetooth;
-in
-{
-  options.my.profiles.bluetooth = with lib; {
-    enable = mkEnableOption "bluetooth profile";
-  };
-
-  config = lib.mkIf cfg.enable {
-    my.hardware.bluetooth.enable = true;
-
-    my.home.bluetooth.enable = true;
-  };
-}

modules/nixos/profiles/default.nix

@@ -1,12 +0,0 @@
-# Configuration that spans across system and home, or are almagations of modules
-{ ... }:
-{
-  imports = [
-    ./bluetooth
-    ./devices
-    ./gtk
-    ./laptop
-    ./wm
-    ./x
-  ];
-}

modules/nixos/profiles/devices/default.nix

@@ -1,20 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.my.profiles.devices;
-in
-{
-  options.my.profiles.devices = with lib; {
-    enable = mkEnableOption "devices profile";
-  };
-
-  config = lib.mkIf cfg.enable {
-    my.hardware = {
-      ergodox.enable = true;
-
-      trackball.enable = true;
-    };
-
-    # MTP devices auto-mount via file explorers
-    services.gvfs.enable = true;
-  };
-}

modules/nixos/profiles/gtk/default.nix

@@ -1,17 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.my.profiles.gtk;
-in
-{
-  options.my.profiles.gtk = with lib; {
-    enable = mkEnableOption "gtk profile";
-  };
-
-  config = lib.mkIf cfg.enable {
-    # Allow setting GTK configuration using home-manager
-    programs.dconf.enable = true;
-
-    # GTK theme configuration
-    my.home.gtk.enable = true;
-  };
-}

modules/nixos/profiles/laptop/default.nix

@@ -1,23 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.my.profiles.laptop;
-in
-{
-  options.my.profiles.laptop = with lib; {
-    enable = mkEnableOption "laptop profile";
-  };
-
-  config = lib.mkIf cfg.enable {
-    # Enable touchpad support
-    services.libinput.enable = true;
-
-    # Enable TLP power management
-    my.services.tlp.enable = true;
-
-    # Enable upower power management
-    my.hardware.upower.enable = true;
-
-    # Enable battery notifications
-    my.home.power-alert.enable = true;
-  };
-}

modules/nixos/profiles/wm/default.nix

@@ -1,31 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.my.profiles.wm;
-in
-{
-  options.my.profiles.wm = with lib; {
-    windowManager = mkOption {
-      type = with types; nullOr (enum [ "i3" ]);
-      default = null;
-      example = "i3";
-      description = "Which window manager to use";
-    };
-  };
-
-  config = lib.mkMerge [
-    (lib.mkIf (cfg.windowManager == "i3") {
-      # Enable i3
-      services.xserver.windowManager.i3.enable = true;
-      # i3 settings
-      my.home.wm.windowManager = "i3";
-      # Screenshot tool
-      my.home.flameshot.enable = true;
-      # Auto disk mounter
-      my.home.udiskie.enable = true;
-      # udiskie fails if it can't find this dbus service
-      services.udisks2.enable = true;
-      # Ensure i3lock can actually unlock the session
-      security.pam.services.i3lock.enable = true;
-    })
-  ];
-}

modules/nixos/profiles/x/default.nix

@@ -1,23 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.my.profiles.x;
-in
-{
-  options.my.profiles.x = with lib; {
-    enable = mkEnableOption "X profile";
-  };
-
-  config = lib.mkIf cfg.enable {
-    # Enable the X11 windowing system.
-    services.xserver.enable = true;
-    # Nice wallpaper
-    services.xserver.displayManager.lightdm.background =
-      let
-        wallpapers = "${pkgs.kdePackages.plasma-workspace-wallpapers}/share/wallpapers";
-      in
-      "${wallpapers}/summer_1am/contents/images/2560x1600.jpg";
-
-    # X configuration
-    my.home.x.enable = true;
-  };
-}

modules/nixos/services/default.nix

@@ -38,7 +38,6 @@
     ./servarr
     ./ssh-server
     ./tandoor-recipes
-    ./thelounge
     ./tlp
     ./transmission
     ./vikunja

modules/nixos/services/homebox/default.nix

@@ -39,7 +39,7 @@ in
 
     my.services.backup = {
       paths = [
-        (lib.removePrefix "file://" config.services.homebox.settings.HBOX_STORAGE_CONN_STRING)
+        config.services.homebox.settings.HBOX_STORAGE_DATA
       ];
     };
 

modules/nixos/services/matrix/bridges.nix

@@ -1,143 +0,0 @@
-# Matrix bridges for some services I use
-{ config, lib, ... }:
-let
-  cfg = config.my.services.matrix.bridges;
-  synapseCfg = config.services.matrix-synapse;
-
-  domain = config.networking.domain;
-  serverName = synapseCfg.settings.server_name;
-
-  mkBridgeOption = n: lib.mkEnableOption "${n} bridge" // { default = cfg.enable; };
-  mkPortOption = n: default: lib.mkOption {
-    type = lib.types.port;
-    inherit default;
-    example = 8080;
-    description = "${n} bridge port";
-  };
-  mkEnvironmentFileOption = n: lib.mkOption {
-    type = lib.types.str;
-    example = "/run/secret/matrix/${lib.toLower n}-bridge-secrets.env";
-    description = ''
-      Path to a file which should contain the secret values for ${n} bridge.
-
-      Using through the following format:
-
-      ```
-      MATRIX_APPSERVICE_AS_TOKEN=<the_as_value>
-      MATRIX_APPSERVICE_HS_TOKEN=<the_hs_value>
-      ```
-
-      Each bridge should use a different set of secrets, as they each register
-      their own independent double-puppetting appservice.
-    '';
-  };
-in
-{
-  options.my.services.matrix.bridges = with lib; {
-    enable = mkEnableOption "bridges configuration";
-
-    admin = mkOption {
-      type = types.str;
-      default = "ambroisie";
-      example = "admin";
-      description = "Local username for the admin";
-    };
-
-    facebook = {
-      enable = mkBridgeOption "Facebook";
-
-      port = mkPortOption "Facebook" 29321;
-
-      environmentFile = mkEnvironmentFileOption "Facebook";
-    };
-  };
-
-  config = lib.mkMerge [
-    (lib.mkIf cfg.facebook.enable {
-      services.mautrix-meta.instances.facebook = {
-        enable = true;
-        # Automatically register the bridge with synapse
-        registerToSynapse = true;
-
-        # Provide `AS_TOKEN`, `HS_TOKEN`
-        inherit (cfg.facebook) environmentFile;
-
-        settings = {
-          homeserver = {
-            domain = serverName;
-            address = "http://localhost:${toString config.my.services.matrix.port}";
-          };
-
-          appservice = {
-            hostname = "localhost";
-            inherit (cfg.facebook) port;
-            address = "http://localhost:${toString cfg.facebook.port}";
-            public_address = "https://facebook-bridge.${domain}";
-
-            as_token = "$MATRIX_APPSERVICE_AS_TOKEN";
-            hs_token = "$MATRIX_APPSERVICE_HS_TOKEN";
-
-            bot = {
-              username = "fbbot";
-            };
-          };
-
-          backfill = {
-            enabled = true;
-          };
-
-          bridge = {
-            delivery_receipts = true;
-            permissions = {
-              "*" = "relay";
-              ${serverName} = "user";
-              "@${cfg.admin}:${serverName}" = "admin";
-            };
-          };
-
-          database = {
-            type = "postgres";
-            uri = "postgres:///mautrix-meta-facebook?host=/var/run/postgresql/";
-          };
-
-          double_puppet = {
-            secrets = {
-              ${serverName} = "as_token:$MATRIX_APPSERVICE_AS_TOKEN";
-            };
-          };
-
-          network = {
-            # Don't be picky on Facebook/Messenger
-            allow_messenger_com_on_fb = true;
-            displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (FB)'';
-          };
-
-          provisioning = {
-            shared_secret = "disable";
-          };
-        };
-      };
-
-      services.postgresql = {
-        enable = true;
-        ensureDatabases = [ "mautrix-meta-facebook" ];
-        ensureUsers = [{
-          name = "mautrix-meta-facebook";
-          ensureDBOwnership = true;
-        }];
-      };
-
-      systemd.services.mautrix-meta-facebook = {
-        wants = [ "postgres.service" ];
-        after = [ "postgres.service" ];
-      };
-
-      my.services.nginx.virtualHosts = {
-        # Proxy to the bridge
-        "facebook-bridge" = {
-          inherit (cfg.facebook) port;
-        };
-      };
-    })
-  ];
-}

modules/nixos/services/matrix/default.nix

@@ -1,49 +1,24 @@
-# Matrix homeserver setup.
+# Matrix homeserver setup, using different endpoints for federation and client
+# traffic. The main trick for this is defining two nginx servers endpoints for
+# matrix.domain.com, each listening on different ports.
+#
+# Configuration shamelessly stolen from [1]
+#
+# [1]: https://github.com/alarsyo/nixos-config/blob/main/services/matrix.nix
 { config, lib, pkgs, ... }:
 
 let
   cfg = config.my.services.matrix;
 
-  adminPkg = pkgs.synapse-admin-etkecc;
+  federationPort = { public = 8448; private = 11338; };
-
+  clientPort = { public = 443; private = 11339; };
   domain = config.networking.domain;
   matrixDomain = "matrix.${domain}";
-
-  serverConfig = {
-    "m.server" = "${matrixDomain}:443";
-  };
-  clientConfig = {
-    "m.homeserver" = {
-      "base_url" = "https://${matrixDomain}";
-      "server_name" = domain;
-    };
-    "m.identity_server" = {
-      "base_url" = "https://vector.im";
-    };
-  };
-
-  # ACAO required to allow element-web on any URL to request this json file
-  mkWellKnown = data: ''
-    default_type application/json;
-    add_header Access-Control-Allow-Origin *;
-    return 200 '${builtins.toJSON data}';
-  '';
 in
 {
-  imports = [
-    ./bridges.nix
-  ];
-
   options.my.services.matrix = with lib; {
     enable = mkEnableOption "Matrix Synapse";
 
-    port = mkOption {
-      type = types.port;
-      default = 8448;
-      example = 8008;
-      description = "Internal port for listeners";
-    };
-
     secretFile = mkOption {
       type = with types; nullOr str;
       default = null;
@@ -83,22 +58,22 @@ in
         enable_registration = false;
 
         listeners = [
+          # Federation
           {
-            inherit (cfg) port;
             bind_addresses = [ "::1" ];
-            type = "http";
+            port = federationPort.private;
-            tls = false;
+            tls = false; # Terminated by nginx.
             x_forwarded = true;
-            resources = [
+            resources = [{ names = [ "federation" ]; compress = false; }];
-              {
+          }
-                names = [ "client" ];
+
-                compress = true;
+          # Client
-              }
+          {
-              {
+            bind_addresses = [ "::1" ];
-                names = [ "federation" ];
+            port = clientPort.private;
-                compress = false;
+            tls = false; # Terminated by nginx.
-              }
+            x_forwarded = true;
-            ];
+            resources = [{ names = [ "client" ]; compress = false; }];
           }
         ];
 
@@ -121,12 +96,19 @@ in
       chat = {
         root = pkgs.element-web.override {
           conf = {
-            default_server_config = clientConfig;
+            default_server_config = {
-            show_labs_settings = true;
+              "m.homeserver" = {
-            default_country_code = "FR"; # cocorico
+                "base_url" = "https://${matrixDomain}";
-            room_directory = {
+                "server_name" = domain;
+              };
+              "m.identity_server" = {
+                "base_url" = "https://vector.im";
+              };
+            };
+            showLabsSettings = true;
+            defaultCountryCode = "FR"; # cocorico
+            roomDirectory = {
               "servers" = [
-                domain
                 "matrix.org"
                 "mozilla.org"
               ];
@@ -134,54 +116,99 @@ in
           };
         };
       };
-      matrix = {
+      # Dummy VHosts for port collision detection
-        # Somewhat unused, but necessary for port collision detection
+      matrix-federation = {
-        inherit (cfg) port;
+        port = federationPort.private;
-
+      };
-        extraConfig = {
+      matrix-client = {
-          locations = {
+        port = clientPort.private;
-            # Or do a redirect instead of the 404, or whatever is appropriate
-            # for you. But do not put a Matrix Web client here! See the
-            # Element web section above.
-            "/".return = "404";
-
-            "/_matrix".proxyPass = "http://[::1]:${toString cfg.port}";
-            "/_synapse".proxyPass = "http://[::1]:${toString cfg.port}";
-
-            "= /admin".return = "307 /admin/";
-            "/admin/" = {
-              alias = "${adminPkg}/";
-              priority = 500;
-              tryFiles = "$uri $uri/ /index.html";
-            };
-            "~ ^/admin/.*\\.(?:css|js|jpg|jpeg|gif|png|svg|ico|woff|woff2|ttf|eot|webp)$" = {
-              priority = 400;
-              root = adminPkg;
-              extraConfig = ''
-                rewrite ^/admin/(.*)$ /$1 break;
-                expires 30d;
-                more_set_headers "Cache-Control: public";
-              '';
-            };
-          };
-        };
       };
     };
 
-    # Setup well-known locations
+    # Those are too complicated to use my wrapper...
     services.nginx.virtualHosts = {
+      ${matrixDomain} = {
+        onlySSL = true;
+        useACMEHost = domain;
+
+        locations =
+          let
+            proxyToClientPort = {
+              proxyPass = "http://[::1]:${toString clientPort.private}";
+            };
+          in
+          {
+            # Or do a redirect instead of the 404, or whatever is appropriate
+            # for you. But do not put a Matrix Web client here! See the
+            # Element web section below.
+            "/".return = "404";
+
+            "/_matrix" = proxyToClientPort;
+            "/_synapse/client" = proxyToClientPort;
+          };
+
+        listen = [
+          { addr = "0.0.0.0"; port = clientPort.public; ssl = true; }
+          { addr = "[::]"; port = clientPort.public; ssl = true; }
+        ];
+
+      };
+
+      # same as above, but listening on the federation port
+      "${matrixDomain}_federation" = {
+        onlySSL = true;
+        serverName = matrixDomain;
+        useACMEHost = domain;
+
+        locations."/".return = "404";
+
+        locations."/_matrix" = {
+          proxyPass = "http://[::1]:${toString federationPort.private}";
+        };
+
+        listen = [
+          { addr = "0.0.0.0"; port = federationPort.public; ssl = true; }
+          { addr = "[::]"; port = federationPort.public; ssl = true; }
+        ];
+      };
+
       "${domain}" = {
         forceSSL = true;
         useACMEHost = domain;
 
-        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+        locations."= /.well-known/matrix/server".extraConfig =
-        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+          let
+            server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; };
+          in
+          ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+
+        locations."= /.well-known/matrix/client".extraConfig =
+          let
+            client = {
+              "m.homeserver" = { "base_url" = "https://${matrixDomain}"; };
+              "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+            # ACAO required to allow element-web on any URL to request this json file
+          in
+          ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
       };
     };
 
     # For administration tools.
     environment.systemPackages = [ pkgs.matrix-synapse ];
 
+    networking.firewall.allowedTCPPorts = [
+      clientPort.public
+      federationPort.public
+    ];
+
     my.services.backup = {
       paths = [
         config.services.matrix-synapse.dataDir

modules/nixos/services/mealie/default.nix

@@ -32,7 +32,6 @@ in
         BASE_URL = "https://mealie.${config.networking.domain}";
         TZ = config.time.timeZone;
         ALLOw_SIGNUP = "false";
-        TOKEN_TIME = 24 * 180; # 180 days
       };
 
       # Automatic PostgreSQL provisioning
@@ -54,12 +53,6 @@ in
       };
     };
 
-    my.services.backup = {
-      paths = [
-        "/var/lib/mealie"
-      ];
-    };
-
     services.fail2ban.jails = {
       mealie = ''
         enabled = true

modules/nixos/services/nextcloud/collabora.nix

@@ -16,12 +16,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    services.nextcloud = {
-      extraApps = {
-        inherit (config.services.nextcloud.package.packages.apps) richdocuments;
-      };
-    };
-
     services.collabora-online = {
       enable = true;
       inherit (cfg) port;

modules/nixos/services/nextcloud/default.nix

@@ -35,7 +35,7 @@ in
   config = lib.mkIf cfg.enable {
     services.nextcloud = {
       enable = true;
-      package = pkgs.nextcloud32;
+      package = pkgs.nextcloud31;
       hostName = "nextcloud.${config.networking.domain}";
       home = "/var/lib/nextcloud";
       maxUploadSize = cfg.maxSize;
@@ -62,16 +62,6 @@ in
         # Allow using the push service without hard-coding my IP in the configuration
         bendDomainToLocalhost = true;
       };
-
-      extraApps = {
-        inherit (config.services.nextcloud.package.packages.apps)
-          calendar
-          contacts
-          deck
-          tasks
-          ;
-        # notify_push is automatically installed by the module
-      };
     };
 
     # The service above configures the domain, no need for my wrapper

modules/nixos/services/nginx/default.nix

@@ -444,7 +444,7 @@ in
         };
     };
 
-    systemd.services."acme-order-renew-${domain}" = {
+    systemd.services."acme-${domain}" = {
       serviceConfig = {
         Environment = [
           # Since I do a "weird" setup with a wildcard CNAME

modules/nixos/services/tandoor-recipes/default.nix

@@ -26,16 +26,18 @@ in
     services.tandoor-recipes = {
       enable = true;
 
-      database = {
-        createLocally = true;
-      };
-
       port = cfg.port;
       extraConfig =
         let
           tandoorRecipesDomain = "recipes.${config.networking.domain}";
         in
         {
+          # Use PostgreSQL
+          DB_ENGINE = "django.db.backends.postgresql";
+          POSTGRES_HOST = "/run/postgresql";
+          POSTGRES_USER = "tandoor_recipes";
+          POSTGRES_DB = "tandoor_recipes";
+
           # Security settings
           ALLOWED_HOSTS = tandoorRecipesDomain;
           CSRF_TRUSTED_ORIGINS = "https://${tandoorRecipesDomain}";
@@ -47,12 +49,27 @@ in
 
     systemd.services = {
       tandoor-recipes = {
+        after = [ "postgresql.target" ];
+        requires = [ "postgresql.target" ];
+
         serviceConfig = {
           EnvironmentFile = cfg.secretKeyFile;
         };
       };
     };
 
+    # Set-up database
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "tandoor_recipes" ];
+      ensureUsers = [
+        {
+          name = "tandoor_recipes";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
     my.services.nginx.virtualHosts = {
       recipes = {
         inherit (cfg) port;

modules/nixos/services/thelounge/default.nix

@@ -1,59 +0,0 @@
-# Web IRC client
-{ config, lib, ... }:
-let
-  cfg = config.my.services.thelounge;
-in
-{
-  options.my.services.thelounge = with lib; {
-    enable = mkEnableOption "The Lounge, a self-hosted web IRC client";
-
-    port = mkOption {
-      type = types.port;
-      default = 9050;
-      example = 4242;
-      description = "The port on which The Lounge will listen for incoming HTTP traffic.";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.thelounge = {
-      enable = true;
-      inherit (cfg) port;
-
-      extraConfig = {
-        reverseProxy = true;
-      };
-    };
-
-    my.services.nginx.virtualHosts = {
-      irc = {
-        inherit (cfg) port;
-        # Proxy websockets for RPC
-        websocketsLocations = [ "/" ];
-
-        extraConfig = {
-          locations."/".extraConfig = ''
-            proxy_read_timeout 1d;
-          '';
-        };
-      };
-    };
-
-    services.fail2ban.jails = {
-      thelounge = ''
-        enabled = true
-        filter = thelounge
-        port = http,https
-      '';
-    };
-
-    environment.etc = {
-      "fail2ban/filter.d/thelounge.conf".text = ''
-        [Definition]
-        failregex = Authentication failed for user .* from <HOST>$
-                    Authentication for non existing user attempted from <HOST>$
-        journalmatch = _SYSTEMD_UNIT=thelounge.service
-      '';
-    };
-  };
-}

modules/nixos/services/transmission/default.nix

@@ -71,14 +71,10 @@ in
       };
     };
 
+    # Transmission wants to eat *all* my RAM if left to its own devices
     systemd.services.transmission = {
       serviceConfig = {
-        # Transmission wants to eat *all* my RAM if left to its own devices
         MemoryMax = "33%";
-        # Avoid errors due to high number of open files.
-        LimitNOFILE = 1048576;
-        # Longer stop timeout to finish all torrents
-        TimeoutStopSec = "5m";
       };
     };
 

pkgs/comma/comma

@@ -12,9 +12,9 @@ usage() {
 
 find_program() {
     local CANDIDATE
-    CANDIDATE="$(nix-locate --minimal --at-root --whole-name "/bin/$1")"
+    CANDIDATE="$(nix-locate --top-level --minimal --at-root --whole-name "/bin/$1")"
     if [ "$(printf '%s\n' "$CANDIDATE" | wc -l)" -gt 1 ]; then
-        CANDIDATE="$(printf '%s' "$CANDIDATE" | "${COMMA_PICKER:-fzf-tmux}")"
+        CANDIDATE="$(printf '%s' "$CANDIDATE" | fzf-tmux)"
     fi
     printf '%s' "$CANDIDATE"
 }

pkgs/lohr/default.nix

@@ -10,6 +10,7 @@ rustPlatform.buildRustPackage rec {
     hash = "sha256-dunQgtap+XCK5LoSyOqIY/6p6HizBeiyPWNuCffwjDU=";
   };
 
+  useFetchCargoVendor = true;
   cargoHash = "sha256-R3/N/43+bGx6acE/rhBcrk6kS5zQu8NJ1sVvKJJkK9w=";
 
   meta = with lib; {