home: vim: oil: explicitly remove icons

They started appearing on the latest bump, it looks like my
configuration started including `nvim-web-devicons` (see [1]).

I'll probably remove this configuration on the next nixpkgs bump (it's a
good canary to check that I *never* include icons in the future).

[1]: https://github.com/NixOS/nixpkgs/pull/382668

.envrc

@@ -1,3 +1,4 @@
+# shellcheck shell=bash
 if ! has nix_direnv_version || ! nix_direnv_version 3.0.0; then
     source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.0/direnvrc" "sha256-21TMnI2xWX7HkSTjFFri2UaohXVj854mgvWapWrxRXg="
 fi

.nvim.lua

@@ -1,18 +0,0 @@
-local lspconfig = require("lspconfig")
-
--- FIXME: https://github.com/folke/neodev.nvim ?
-lspconfig.lua_ls.setup({
-    settings = {
-        Lua = {
-            runtime = {
-                version = "LuaJIT",
-            },
-            workspace = {
-                checkThirdParty = false,
-                library = {
-                    vim.env.VIMRUNTIME,
-                },
-            },
-        },
-    },
-})

.woodpecker/check.yml

@@ -7,17 +7,17 @@ steps:
   commands:
   - nix flake check
 
-- name: notifiy
+- name: notify
   image: bash
-  secrets:
-  - source: matrix_homeserver
-    target: address
-  - source: matrix_roomid
-    target: room
-  - source: matrix_username
-    target: user
-  - source: matrix_password
-    target: pass
+  environment:
+    ADDRESS:
+      from_secret: matrix_homeserver
+    ROOM:
+      from_secret: matrix_roomid
+    USER:
+      from_secret: matrix_username
+    PASS:
+      from_secret: matrix_password
   commands:
   - nix run '.#matrix-notifier'
   when:

flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1707830867,
-        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "lastModified": 1736955230,
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709336216,
-        "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
+        "lastModified": 1738453229,
+        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
+        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709126324,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -116,11 +116,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703887061,
-        "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
@@ -136,11 +136,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709988192,
-        "narHash": "sha256-qxwIkl85P0I1/EyTT+NJwzbXdOv86vgZxcv4UKicjK8=",
+        "lastModified": 1740624780,
+        "narHash": "sha256-8TP61AI3QBQsjzVUQFIV8NoB5nbYfJB3iHczhBikDkU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b0b0c3d94345050a7f86d1ebc6c56eea4389d030",
+        "rev": "b8869e4ead721bbd4f0d6b927e8395705d4f16e6",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709703039,
-        "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",
+        "lastModified": 1740560979,
+        "narHash": "sha256-Vr3Qi346M+8CjedtbyUevIGDZW8LcA1fTG0ugPY/Hic=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",
+        "rev": "5135c59491985879812717f4c9fea69604e7f26f",
         "type": "github"
       },
       "original": {
@@ -167,12 +167,21 @@
       }
     },
     "nur": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
       "locked": {
-        "lastModified": 1710013455,
-        "narHash": "sha256-qzOpU4APTso6JLA+/F4zlO/yL8++n/CsUpmxbQAsy/4=",
+        "lastModified": 1740655932,
+        "narHash": "sha256-BSTcgL2C74x0TgVdVEWfIz2SHkwIFMN0Dvv1lCoOhCA=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "cf1e9b0e085368cc489c765f285f1d07c2ec8d36",
+        "rev": "1ca8ff37f33a560c4a292ed83774434854f0b39a",
         "type": "github"
       },
       "original": {
@@ -185,23 +194,17 @@
     "pre-commit-hooks": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "flake-utils": [
-          "futils"
-        ],
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1708018599,
-        "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=",
+        "lastModified": 1737465171,
+        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431",
+        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
         "type": "github"
       },
       "original": {
@@ -238,6 +241,27 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733222881,
+        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -55,6 +55,10 @@
       owner = "nix-community";
       repo = "NUR";
       ref = "master";
+      inputs = {
+        flake-parts.follows = "flake-parts";
+        nixpkgs.follows = "nixpkgs";
+      };
     };
 
     pre-commit-hooks = {
@@ -63,9 +67,7 @@
       repo = "pre-commit-hooks.nix";
       ref = "master";
       inputs = {
-        flake-utils.follows = "futils";
         nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs";
       };
     };
 

flake/dev-shells.nix

@@ -7,7 +7,6 @@
 
         nativeBuildInputs = with pkgs; [
           gitAndTools.pre-commit
-          lua-language-server
           nixpkgs-fmt
         ];
 

flake/home-manager.nix

@@ -25,7 +25,7 @@ let
       inherit system;
 
       overlays = (lib.attrValues self.overlays) ++ [
-        inputs.nur.overlay
+        inputs.nur.overlays.default
       ];
     };
 

flake/nixos.nix

@@ -7,7 +7,7 @@ let
     }
     {
       nixpkgs.overlays = (lib.attrValues self.overlays) ++ [
-        inputs.nur.overlay
+        inputs.nur.overlays.default
       ];
     }
     # Include generic settings

hosts/homes/ambroisie@mousqueton/default.nix

@@ -15,6 +15,9 @@
       # I use scripts that use the passthrough sequence often on this host
       enablePassthrough = true;
 
+      # Frequent reboots mean that session persistence can be handy
+      enableResurrect = true;
+
       terminalFeatures = {
         # HTerm uses `xterm-256color` as its `$TERM`, so use that here
         xterm-256color = { };

hosts/nixos/aramis/home.nix

@@ -2,7 +2,7 @@
 {
   my.home = {
     # Use graphical pinentry
-    bitwarden.pinentry = "gtk2";
+    bitwarden.pinentry = pkgs.pinentry-gtk2;
     # Ebook library
     calibre.enable = true;
     # Some amount of social life
@@ -14,7 +14,7 @@
     # Blue light filter
     gammastep.enable = true;
     # Use a small popup to enter passwords
-    gpg.pinentry = "gtk2";
+    gpg.pinentry = pkgs.pinentry-gtk2;
     # Machine specific packages
     packages.additionalPackages = with pkgs; [
       element-desktop # Matrix client

hosts/nixos/porthos/secrets/acme/dns-key.age

@@ -1,8 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg bQFr9oAnbo1rI/MpUV8wQz/Xj7iZY4ZU+Swf0nSIQFw
-zama2XJ0gdvUlD2GHMhmZqHSxHe+dKSfXnHoWDcSw7Y
--> ssh-ed25519 jPowng gitUwSKTNKWLSxnwa185O7x/u0ul93g8wPESdZaKRk8
-uvBIfAUkZp5sg6rfeEGvL5ZDV8m2uSEotW02kjPN3Hw
---- SZxe5f/CUZBvPQa2Sz/UBY3L68rMkIGGRuZPk7YE+Vg
-¾r ú
&…¥‹{~v?¨}=Ä
-}+
¿SQ’M[²]Œ±kMÒAàtŒÃmMë/£µLsü|Þ…m©CÀñiYC}ƒŽ‡çxŽ€
+-> ssh-ed25519 cKojmg Ec0xt1uJTva8MxUdoTVX5m3uWaIiRlodf345FEM7Uzs
+aJIneWFJPB5HVeoUGp57agXih9YeZ6xMEbyQ+zJtWQY
+-> ssh-ed25519 jPowng B5XotRgv7s/FUegGhceBj7EoukewNUOIFl4TFRQf1EQ
+PgGCBd/Pqwp7ayqi7okHBGF1SfFpwT4KlHJ/np6p2uQ
+--- AeLgwGz6k3OABb53cXNaCU/sgI4FlU1s6p8PhAaFOlg
+1ÌÉCÔ¹ð¤ŽULfI1¸Hm»Ûòb}m”” ÁÅ¡ìg•ß0¦¢–¤`X<16>G>\>¹8rŽz+Š›Y ™¼`—Ê¢.JBUÏ!z¸Z50ú*õ¡ÙŸ¤×ÖÇ®I<C2AE>ôÔ]¹
‹ÏåI
+ĵ<18>¿–oÒÛ°…g„®„ÒêÁ³Â¿Ÿt’©nƒºãcz[»{
+jçå&ÁõõNæ°Nÿo{õš½‚
-eP¾=L‰™
6¦.SP:»e¶–

hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 cKojmg xRtF3XVc7yPicAV/E4U7mn0itvD0h1BWBTjwunuoe2E
-OkB9sjGB3ulH4Feuyj3Ed0DBG4+mghW/Qpum9oXL/8c
--> ssh-ed25519 jPowng 1r8drqhz1yZdTq0Kvqya+ArU1C2fkN7Gg9LiWWfeUFg
-cjbxntVwHvqLaJpiKs/Y8ojeb6e3/cLFcsoeuoobfFg
---- B1qA2PylJBrdZxZtCzlU2kRPvxLM+IrXTvR+ERxVtTY
-"W9<57>Äbg¸©~Ì/áÕb4ãÕ†ú³ÜÔIÊ
-Û}ð
§ËÅË-³²ªNó±”ÑC7vWœbºØ?¦8=œÉwÆBÃUpJClï²OÈ™³œnOÁ\

hosts/nixos/porthos/secrets/pdf-edit/login.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg VYlHgHSLpfKb5bn1XA3aCpfX7M23DgbraLxxOfo9PDk
+Rj+mDvAsWX3WwpuhTrOubmo17j/aud5+P87df5bosBA
+-> ssh-ed25519 jPowng o9ZFaYrITZ6DjWw07Vk/+TkuU187/ytlEK4sw7G32G4
+zmxlpDvDDEgQFqBVARXeX1ABhvfJ4uAHfa6mIxXzjAY
+--- k/d9FWW8/OSo8EllwOBV74pZyX918u54jEljGk3ATUc
+ü4+ø2{‘hE7!Ò­GA`×<>_@Íß—´
¡R_ý§6J„ñL4v,‚6%ô‡øó#^®	Ù¹
åB­§OøF‚|’7ܽÉL]œÙjR¨
+BþóÛ¾éaòs]xS<78>Î	pbÞo#¬J1QŸ=t}5Õ>Oï‘{+¼.
M"7e»yý÷—

hosts/nixos/porthos/secrets/secrets.nix

@@ -31,8 +31,14 @@ in
     publicKeys = all;
   };
 
-  "lohr/secret.age".publicKeys = all;
-  "lohr/ssh-key.age".publicKeys = all;
+  "lohr/secret.age" = {
+    owner = "lohr";
+    publicKeys = all;
+  };
+  "lohr/ssh-key.age" = {
+    owner = "lohr";
+    publicKeys = all;
+  };
 
   "matrix/mail.age" = {
     owner = "matrix-synapse";
@@ -42,9 +48,6 @@ in
     owner = "matrix-synapse";
     publicKeys = all;
   };
-  "matrix/sliding-sync-secret.age" = {
-    publicKeys = all;
-  };
 
   "mealie/mail.age" = {
     publicKeys = all;
@@ -71,13 +74,24 @@ in
   "paperless/password.age".publicKeys = all;
   "paperless/secret-key.age".publicKeys = all;
 
+  "pdf-edit/login.age".publicKeys = all;
+
   "podgrab/password.age".publicKeys = all;
 
   "pyload/credentials.age".publicKeys = all;
 
-  "sso/auth-key.age".publicKeys = all;
-  "sso/ambroisie/password-hash.age".publicKeys = all;
-  "sso/ambroisie/totp-secret.age".publicKeys = all;
+  "sso/auth-key.age" = {
+    owner = "nginx-sso";
+    publicKeys = all;
+  };
+  "sso/ambroisie/password-hash.age" = {
+    owner = "nginx-sso";
+    publicKeys = all;
+  };
+  "sso/ambroisie/totp-secret.age" = {
+    owner = "nginx-sso";
+    publicKeys = all;
+  };
 
   "tandoor-recipes/secret-key.age".publicKeys = all;
 

hosts/nixos/porthos/services.nix

@@ -10,6 +10,11 @@ in
     adblock = {
       enable = true;
     };
+    # Audiobook and podcast library
+    audiobookshelf = {
+      enable = true;
+      port = 9599;
+    };
     # Backblaze B2 backup
     backup = {
       enable = true;
@@ -64,9 +69,6 @@ in
       mailConfigFile = secrets."matrix/mail".path;
       # Only necessary when doing the initial registration
       secretFile = secrets."matrix/secret".path;
-      slidingSync = {
-        secretFile = secrets."matrix/sliding-sync-secret".path;
-      };
     };
     mealie = {
       enable = true;
@@ -93,6 +95,9 @@ in
     nextcloud = {
       enable = true;
       passwordFile = secrets."nextcloud/password".path;
+      collabora = {
+        enable = true;
+      };
     };
     nix-cache = {
       enable = true;
@@ -122,19 +127,10 @@ in
       passwordFile = secrets."paperless/password".path;
       secretKeyFile = secrets."paperless/secret-key".path;
     };
-    # The whole *arr software suite
-    pirate = {
+    # Sometimes, editing PDFs is useful
+    pdf-edit = {
       enable = true;
-      # ... But not Lidarr because I don't care for music that much
-      lidarr = {
-        enable = false;
-      };
-    };
-    # Podcast automatic downloader
-    podgrab = {
-      enable = true;
-      passwordFile = secrets."podgrab/password".path;
-      port = 9598;
+      loginFile = secrets."pdf-edit/login".path;
     };
     # Regular backups
     postgresql-backup.enable = true;
@@ -146,13 +142,16 @@ in
     rss-bridge.enable = true;
     # Usenet client
     sabnzbd.enable = true;
-    # Because I stilll need to play sysadmin
-    ssh-server.enable = true;
-    # Recipe manager
-    tandoor-recipes = {
+    # The whole *arr software suite
+    servarr = {
       enable = true;
-      secretKeyFile = secrets."tandoor-recipes/secret-key".path;
+      # ... But not Lidarr because I don't care for music that much
+      lidarr = {
+        enable = false;
+      };
     };
+    # Because I still need to play sysadmin
+    ssh-server.enable = true;
     # Torrent client and webui
     transmission = {
       enable = true;

modules/home/atuin/default.nix

@@ -1,15 +1,19 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.my.home.atuin;
 in
 {
   options.my.home.atuin = with lib; {
     enable = my.mkDisableOption "atuin configuration";
+
+    # I want the full experience by default
+    package = mkPackageOption pkgs "atuin" { };
   };
 
   config = lib.mkIf cfg.enable {
     programs.atuin = {
       enable = true;
+      inherit (cfg) package;
 
       flags = [
         # I *despise* this hijacking of the up key, even though I use Ctrl-p

modules/home/bitwarden/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.my.home.bitwarden;
 in
@@ -6,12 +6,7 @@ in
   options.my.home.bitwarden = with lib; {
     enable = my.mkDisableOption "bitwarden configuration";
 
-    pinentry = mkOption {
-      type = types.str;
-      default = "tty";
-      example = "gtk2";
-      description = "Which pinentry interface to use";
-    };
+    pinentry = mkPackageOption pkgs "pinentry" { default = [ "pinentry-tty" ]; };
   };
 
   config = lib.mkIf cfg.enable {

modules/home/calibre/default.nix

@@ -5,11 +5,13 @@ in
 {
   options.my.home.calibre = with lib; {
     enable = mkEnableOption "calibre configuration";
+
+    package = mkPackageOption pkgs "calibre" { };
   };
 
   config = lib.mkIf cfg.enable {
     home.packages = with pkgs; [
-      calibre
+      cfg.package
     ];
   };
 }

modules/home/direnv/default.nix

@@ -7,9 +7,9 @@ in
     enable = my.mkDisableOption "direnv configuration";
 
     defaultFlake = mkOption {
-      type = types.str;
-      default = "pkgs";
-      example = "nixpkgs";
+      type = with types; nullOr str;
+      default = null;
+      example = "pkgs";
       description = ''
         Which flake from the registry should be used for
         <command>use pkgs</command> by default.
@@ -39,7 +39,7 @@ in
       in
       lib.my.genAttrs' files linkLibFile;
 
-    home.sessionVariables = {
+    home.sessionVariables = lib.mkIf (cfg.defaultFlake != null) {
       DIRENV_DEFAULT_FLAKE = cfg.defaultFlake;
     };
   };

modules/home/direnv/lib/android.sh

@@ -1,4 +1,4 @@
-#shellcheck shell=bash
+# shellcheck shell=bash
 
 # shellcheck disable=2155
 use_android() {
@@ -32,10 +32,16 @@ use_android() {
             -b|--build-tools)
                 build_tools_version="$2"
                 shift 2
+                if ! [ -e "$ANDROID_HOME/build-tools/$build_tools_version" ]; then
+                    log_error "use_android: build-tools version '$build_tools_version' does not exist"
+                fi
                 ;;
             -n|--ndk)
                 ndk_version="$2"
                 shift 2
+                if ! [ -e "$ANDROID_HOME/ndk/$ndk_version" ]; then
+                    log_error "use_android: NDK version '$ndk_version' does not exist"
+                fi
                 ;;
             --)
                 shift

modules/home/direnv/lib/nix.sh

@@ -1,4 +1,4 @@
-#shellcheck shell=bash
+# shellcheck shell=bash
 
 use_pkgs() {
     if ! has nix; then

modules/home/direnv/lib/postgres.sh

@@ -1,4 +1,4 @@
-#shellcheck shell=bash
+# shellcheck shell=bash
 
 layout_postgres() {
     if ! has postgres || ! has initdb; then

modules/home/direnv/lib/python.sh

@@ -1,4 +1,4 @@
-#shellcheck shell=bash
+# shellcheck shell=bash
 
 layout_poetry() {
     if ! has poetry; then
@@ -9,12 +9,12 @@ layout_poetry() {
 
     if [[ ! -f pyproject.toml ]]; then
         # shellcheck disable=2016
-        log_error 'layout_poetry: no pyproject.toml found. Use `poetry new` or `poetry init` to create one first'
+        log_error 'layout_poetry: no pyproject.toml found. Use `poetry init` to create one first'
         return 1
     fi
 
     # create venv if it doesn't exist
-    poetry run true
+    poetry run -q -- true
 
     # shellcheck disable=2155
     export VIRTUAL_ENV=$(poetry env info --path)
@@ -23,3 +23,35 @@ layout_poetry() {
     watch_file pyproject.toml
     watch_file poetry.lock
 }
+
+layout_uv() {
+    if ! has uv; then
+        # shellcheck disable=2016
+        log_error 'layout_uv: `uv` is not in PATH'
+        return 1
+    fi
+
+    if [[ ! -f pyproject.toml ]]; then
+        # shellcheck disable=2016
+        log_error 'layout_uv: no pyproject.toml found. Use `uv init` to create one first'
+        return 1
+    fi
+
+    local default_venv="$PWD/.venv"
+    : "${VIRTUAL_ENV:=$default_venv}"
+
+    # Use non-default venv path if required
+    if [ "$VIRTUAL_ENV" != "$default_venv" ]; then
+        export UV_PROJECT_ENVIRONMENT="$VIRTUAL_ENV"
+    fi
+
+    # create venv if it doesn't exist
+    uv venv -q
+
+    export VIRTUAL_ENV
+    export UV_ACTIVE=1
+    PATH_add "$VIRTUAL_ENV/bin"
+    watch_file pyproject.toml
+    watch_file uv.lock
+    watch_file .python-version
+}

modules/home/discord/default.nix

@@ -7,11 +7,13 @@ in
 {
   options.my.home.discord = with lib; {
     enable = mkEnableOption "discord configuration";
+
+    package = mkPackageOption pkgs "discord" { };
   };
 
   config = lib.mkIf cfg.enable {
     home.packages = with pkgs; [
-      discord
+      cfg.package
     ];
 
     xdg.configFile."discord/settings.json".source =

modules/home/firefox/default.nix

@@ -61,19 +61,21 @@ in
           "ui.systemUsesDarkTheme" = true; # Dark mode
         };
 
-        extensions = with pkgs.nur.repos.rycee.firefox-addons; ([
-          bitwarden
-          consent-o-matic
-          form-history-control
-          reddit-comment-collapser
-          reddit-enhancement-suite
-          refined-github
-          sponsorblock
-          ublock-origin
-        ]
-        ++ lib.optional (cfg.tridactyl.enable) tridactyl
-        ++ lib.optional (cfg.ff2mpv.enable) ff2mpv
-        );
+        extensions = {
+          packages = with pkgs.nur.repos.rycee.firefox-addons; ([
+            bitwarden
+            consent-o-matic
+            form-history-control
+            reddit-comment-collapser
+            reddit-enhancement-suite
+            refined-github
+            sponsorblock
+            ublock-origin
+          ]
+          ++ lib.optional (cfg.tridactyl.enable) tridactyl
+          ++ lib.optional (cfg.ff2mpv.enable) ff2mpv
+          );
+        };
       };
     };
   };

modules/home/firefox/tridactyl/tridactylrc

@@ -4,7 +4,7 @@
 " Use dark color scheme
 colorscheme dark
 
-" Make tridactyl open Vim in my prefered terminal
+" Make tridactyl open Vim in my preferred terminal
 set editorcmd @editorcmd@
 
 " Remove editor file after use
@@ -15,8 +15,8 @@ bind --mode=input <C-i> editor_rm
 
 " Binds {{{
 " Reddit et al. {{{
-" Toggle comments on Reddit, Hacker News, Lobste.rs
-bind ;c hint -Jc [class*="expand"],[class*="togg"],[class="comment_folder"]
+" Toggle comments on Reddit, Hacker News, Lobste.rs, LWN
+bind ;c hint -Jc [class*="expand"],[class*="togg"],[class="comment_folder"],[class="CommentTitle"]
 
 " Make `gu` take me back to subreddit from comments
 bindurl reddit.com gu urlparent 3
@@ -26,8 +26,8 @@ bindurl www.google.com f hint -Jc #search a
 bindurl www.google.com F hint -Jbc #search a
 
 " Only hint search results on DuckDuckGo
-bindurl ^https://duckduckgo.com f hint -Jc [data-testid="result-title-a"]
-bindurl ^https://duckduckgo.com F hint -Jbc [data-testid="result-title-a"]
+bindurl ^https://duckduckgo.com f hint -Jc [data-testid="result"]
+bindurl ^https://duckduckgo.com F hint -Jbc [data-testid="result"]
 
 " Only hint item pages on Hacker News
 bindurl news.ycombinator.com ;f hint -Jc .age > a

modules/home/gdb/default.nix

@@ -6,33 +6,28 @@ in
   options.my.home.gdb = with lib; {
     enable = my.mkDisableOption "gdb configuration";
 
+    package = mkPackageOption pkgs "gdb" { };
+
     rr = {
       enable = my.mkDisableOption "rr configuration";
 
-      package = mkOption {
-        type = types.package;
-        default = pkgs.rr;
-        defaultText = literalExample "pkgs.rr";
-        description = ''
-          Package providing rr
-        '';
-      };
+      package = mkPackageOption pkgs "rr" { };
     };
   };
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
     {
       home.packages = with pkgs; [
-        gdb
+        cfg.package
       ];
 
       xdg = {
         configFile."gdb/gdbinit".source = ./gdbinit;
-        dataFile. "gdb/.keep".text = "";
+        stateFile."gdb/.keep".text = "";
       };
 
       home.sessionVariables = {
-        GDBHISTFILE = "${config.xdg.dataHome}/gdb/gdb_history";
+        GDBHISTFILE = "${config.xdg.stateHome}/gdb/gdb_history";
       };
     }
 

modules/home/git/default.nix

@@ -123,11 +123,6 @@ in
         defaultBranch = "main";
       };
 
-      # Local configuration, not-versioned
-      include = {
-        path = "config.local";
-      };
-
       merge = {
         conflictStyle = "zdiff3";
       };
@@ -167,8 +162,8 @@ in
       };
     };
 
-    # Multiple identities
-    includes = [
+    includes = lib.mkAfter [
+      # Multiple identities
       {
         condition = "gitdir:~/git/EPITA/";
         contents = {
@@ -187,6 +182,10 @@ in
           };
         };
       }
+      # Local configuration, not-versioned
+      {
+        path = "config.local";
+      }
     ];
 
     ignores =

modules/home/gpg/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.my.home.gpg;
 in
@@ -6,12 +6,7 @@ in
   options.my.home.gpg = with lib; {
     enable = my.mkDisableOption "gpg configuration";
 
-    pinentry = mkOption {
-      type = types.str;
-      default = "tty";
-      example = "gtk2";
-      description = "Which pinentry interface to use";
-    };
+    pinentry = mkPackageOption pkgs "pinentry" { default = [ "pinentry-tty" ]; };
   };
 
   config = lib.mkIf cfg.enable {
@@ -22,7 +17,7 @@ in
     services.gpg-agent = {
       enable = true;
       enableSshSupport = true; # One agent to rule them all
-      pinentryFlavor = cfg.pinentry;
+      pinentryPackage = cfg.pinentry;
       extraConfig = ''
         allow-loopback-pinentry
       '';

modules/home/gtk/default.nix

@@ -21,12 +21,12 @@ in
     };
 
     iconTheme = {
-      package = pkgs.gnome.gnome-themes-extra;
+      package = pkgs.gnome-themes-extra;
       name = "Adwaita";
     };
 
     theme = {
-      package = pkgs.gnome.gnome-themes-extra;
+      package = pkgs.gnome-themes-extra;
       name = "Adwaita";
     };
   };

modules/home/mail/accounts/default.nix

@@ -26,20 +26,7 @@ let
   };
 
   migaduConfig = {
-    imap = {
-      host = "imap.migadu.com";
-      port = 993;
-      tls = {
-        enable = true;
-      };
-    };
-    smtp = {
-      host = "smtp.migadu.com";
-      port = 465;
-      tls = {
-        enable = true;
-      };
-    };
+    flavor = "migadu.com";
   };
 
   gmailConfig = {
@@ -58,7 +45,7 @@ in
 {
   config.accounts.email.accounts = {
     personal = lib.mkMerge [
-      # Common configuraton
+      # Common configuration
       (mkConfig {
         domain = "belanyi.fr";
         address = "bruno";
@@ -70,7 +57,7 @@ in
     ];
 
     gmail = lib.mkMerge [
-      # Common configuraton
+      # Common configuration
       (mkConfig {
         domain = "gmail.com";
         address = "brunobelanyi";

modules/home/nix/default.nix

@@ -22,12 +22,16 @@ in
   options.my.home.nix = with lib; {
     enable = my.mkDisableOption "nix configuration";
 
+    gc = {
+      enable = my.mkDisableOption "nix GC configuration";
+    };
+
     cache = {
       selfHosted = my.mkDisableOption "self-hosted cache";
     };
 
     inputs = {
-      link = my.mkDisableOption "link inputs to `/etc/nix/inputs/`";
+      link = my.mkDisableOption "link inputs to `$XDG_CONFIG_HOME/nix/inputs/`";
 
       addToRegistry = my.mkDisableOption "add inputs and self to registry";
 
@@ -60,6 +64,22 @@ in
       };
     }
 
+    (lib.mkIf cfg.gc.enable {
+      nix.gc = {
+        automatic = true;
+
+        # Every week, with some wiggle room
+        frequency = "weekly";
+        randomizedDelaySec = "10min";
+
+        # Use a persistent timer for e.g: laptops
+        persistent = true;
+
+        # Delete old profiles automatically after 15 days
+        options = "--delete-older-than 15d";
+      };
+    })
+
     (lib.mkIf cfg.cache.selfHosted {
       nix = {
         settings = {
@@ -96,7 +116,7 @@ in
     })
 
     (lib.mkIf cfg.inputs.addToNixPath {
-      home.sessionVariables.NIX_PATH = "${config.xdg.configHome}/nix/inputs\${NIX_PATH:+:$NIX_PATH}";
+      nix.nixPath = [ "${config.xdg.configHome}/nix/inputs" ];
     })
   ]);
 }

modules/home/packages/default.nix

@@ -1,6 +1,7 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, osConfig, ... }:
 let
   cfg = config.my.home.packages;
+  useGlobalPkgs = osConfig.home-manager.useGlobalPkgs or false;
 in
 {
   options.my.home.packages = with lib; {
@@ -26,9 +27,10 @@ in
       fd
       file
       ripgrep
+      tree
     ] ++ cfg.additionalPackages);
 
-    nixpkgs.config = {
+    nixpkgs.config = lib.mkIf (!useGlobalPkgs) {
       inherit (cfg) allowAliases allowUnfree;
     };
   };

modules/home/pager/default.nix

@@ -15,8 +15,12 @@ in
       # Clear the screen on start and exit
       LESS = "-R -+X -c";
       # Better XDG compliance
-      LESSHISTFILE = "${config.xdg.dataHome}/less/history";
-      LESSKEY = "${config.xdg.configHome}/less/lesskey";
+      LESSHISTFILE = "${config.xdg.stateHome}/less/history";
     };
+
+    xdg.configFile."lesskey".text = ''
+      # Quit without clearing the screen on `Q`
+      Q toggle-option -!^Predraw-on-quit\nq
+    '';
   };
 }

modules/home/secrets/secrets.nix

@@ -1,6 +1,6 @@
 # Common secrets
 let
-  keys = import ../../keys;
+  keys = import ../../../keys;
 
   all = builtins.attrValues keys.users;
 in

modules/home/tmux/default.nix

@@ -20,6 +20,8 @@ in
 
     enablePassthrough = mkEnableOption "tmux DCS passthrough sequence";
 
+    enableResurrect = mkEnableOption "tmux-resurrect plugin";
+
     terminalFeatures = mkOption {
       type = with types; attrsOf (submodule {
         options = {
@@ -30,7 +32,7 @@ in
       });
 
       default = { ${config.my.home.terminal.program} = { }; };
-      defaultText = litteralExpression ''
+      defaultText = literalExpression ''
         { ''${config.my.home.terminal.program} = { }; };
       '';
       example = { xterm-256color = { }; };
@@ -47,9 +49,12 @@ in
     clock24 = true; # I'm one of those heathens
     escapeTime = 0; # Let vim do its thing instead
     historyLimit = 100000; # Bigger buffer
+    mouse = false; # I dislike mouse support
+    focusEvents = true; # Report focus events
     terminal = "tmux-256color"; # I want accurate termcap info
+    aggressiveResize = true; # Automatic resize when switching client size
 
-    plugins = with pkgs.tmuxPlugins; [
+    plugins = with pkgs.tmuxPlugins; builtins.filter (attr: attr != { }) [
       # Open high-lighted files in copy mode
       open
       # Better pane management
@@ -77,9 +82,23 @@ in
           set -g status-right '#{prefix_highlight} %a %Y-%m-%d %H:%M'
         '';
       }
+      # Resurrect sessions
+      (lib.optionalAttrs cfg.enableResurrect {
+        plugin = resurrect;
+        extraConfig = ''
+          set -g @resurrect-dir '${config.xdg.stateHome}/tmux/resurrect'
+        '';
+      })
     ];
 
     extraConfig = ''
+      # Refresh configuration
+      bind-key -N "Source tmux.conf" R source-file ${config.xdg.configHome}/tmux/tmux.conf \; display-message "Sourced tmux.conf!"
+
+      # Accept sloppy Ctrl key when switching windows, on top of default mapping
+      bind-key -N "Select the previous window" C-p previous-window
+      bind-key -N "Select the next window" C-n next-window
+
       # Better vim mode
       bind-key -T copy-mode-vi 'v' send -X begin-selection
       ${

modules/home/vim/after/ftplugin/json.vim

@@ -0,0 +1,6 @@
+" Create the `b:undo_ftplugin` variable if it doesn't exist
+call ftplugined#check_undo_ft()
+
+" Use a small indentation value on JSON files
+setlocal shiftwidth=2
+let b:undo_ftplugin.='|setlocal shiftwidth<'

modules/home/vim/after/ftplugin/netrw.vim

@@ -1,6 +0,0 @@
-" Create the `b:undo_ftplugin` variable if it doesn't exist
-call ftplugined#check_undo_ft()
-
-" Don't show Netrw in buffer list
-setlocal bufhidden=delete
-let b:undo_ftplugin='|setlocal bufhidden<'

modules/home/vim/after/ftplugin/query.vim

@@ -0,0 +1,6 @@
+" Create the `b:undo_ftplugin` variable if it doesn't exist
+call ftplugined#check_undo_ft()
+
+" Use a small indentation value on query files
+setlocal shiftwidth=2
+let b:undo_ftplugin.='|setlocal shiftwidth<'

modules/home/vim/after/plugin/mappings/commentary.lua

@@ -1,10 +0,0 @@
-local wk = require("which-key")
-
-local keys = {
-    name = "Comment/uncomment",
-    c = "Current line",
-    u = "Uncomment the current and adjacent commented lines",
-    ["gc"] = "Uncomment the current and adjacent commented lines",
-}
-
-wk.register(keys, { prefix = "gc" })

modules/home/vim/after/plugin/mappings/misc.lua

@@ -1,7 +0,0 @@
-local wk = require("which-key")
-
-local keys = {
-    ["<leader>"] = { "<cmd>nohls<CR>", "Clear search highlight" },
-}
-
-wk.register(keys, { prefix = "<leader>" })

modules/home/vim/after/plugin/mappings/telescope.lua

@@ -1,15 +0,0 @@
-local wk = require("which-key")
-local telescope_builtin = require("telescope.builtin")
-
-local keys = {
-    f = {
-        name = "Fuzzy finder",
-        b = { telescope_builtin.buffers, "Open buffers" },
-        f = { telescope_builtin.git_files, "Git tracked files" },
-        F = { telescope_builtin.find_files, "Files" },
-        g = { telescope_builtin.live_grep, "Grep string" },
-        G = { telescope_builtin.grep_string, "Grep string under cursor" },
-    },
-}
-
-wk.register(keys, { prefix = "<leader>" })

modules/home/vim/after/plugin/mappings/tree-sitter-textobjects.lua

@@ -1,30 +0,0 @@
-local wk = require("which-key")
-
-local motions = {
-    ["]m"] = "Next method start",
-    ["]M"] = "Next method end",
-    ["]S"] = "Next statement start",
-    ["]]"] = "Next class start",
-    ["]["] = "Next class end",
-    ["[m"] = "Previous method start",
-    ["[M"] = "Previous method end",
-    ["[S"] = "Previous statement start",
-    ["[["] = "Previous class start",
-    ["[]"] = "Previous class end",
-}
-
-local objects = {
-    ["aa"] = "a parameter",
-    ["ia"] = "inner parameter",
-    ["ab"] = "a block",
-    ["ib"] = "inner block",
-    ["ac"] = "a class",
-    ["ic"] = "inner class",
-    ["af"] = "a function",
-    ["if"] = "inner function",
-    ["ak"] = "a comment",
-    ["aS"] = "a statement",
-}
-
-wk.register(motions, { mode = "n" })
-wk.register(objects, { mode = "o" })

modules/home/vim/after/plugin/mappings/unimpaired.lua

@@ -3,126 +3,124 @@ local wk = require("which-key")
 local lsp = require("ambroisie.lsp")
 
 local keys = {
-    -- Edition and navigation mappins
-    ["["] = {
-        name = "Previous",
-        ["<space>"] = "Insert blank line above",
-        ["<C-L>"] = "Previous location list file",
-        ["<C-Q>"] = "Previous quickfix list file",
-        ["<C-T>"] = "Previous tag in preview window",
-        a = "Previous argument",
-        A = "First argument",
-        b = "Previous buffer",
-        B = "First buffer",
-        e = "Exchange previous line",
-        f = "Previous file in directory",
-        l = "Previous location list entry",
-        L = "First Location list entry",
-        n = "Previous conflict marker/diff hunk",
-        p = "Paste line above",
-        P = "Paste line above",
-        q = "Previous quickfix list entry",
-        Q = "First quickfix list entry",
-        t = "Previous matching tag",
-        T = "First matching tag",
-        z = "Previous fold",
-        -- Encoding
-        C = "C string encode",
-        u = "URL encode",
-        x = "XML encode",
-        y = "C string encode",
-        -- Custom
-        d = { lsp.goto_prev_diagnostic, "Previous diagnostic" },
-    },
-    ["]"] = {
-        name = "Next",
-        ["<space>"] = "Insert blank line below",
-        ["<C-L>"] = "Next location list file",
-        ["<C-Q>"] = "Next quickfix list file",
-        ["<C-T>"] = "Next tag in preview window",
-        a = "Next argument",
-        A = "Last argument",
-        b = "Next buffer",
-        B = "Last buffer",
-        e = "Exchange next line",
-        f = "Next file in directory",
-        l = "Next location list entry",
-        L = "Last Location list entry",
-        n = "Next conflict marker/diff hunk",
-        p = "Paste line below",
-        P = "Paste line below",
-        q = "Next quickfix list entry",
-        Q = "Last quickfix list entry",
-        t = "Next matching tag",
-        T = "Last matching tag",
-        z = "Next fold",
-        -- Decoding
-        C = "C string decode",
-        u = "URL decode",
-        x = "XML decode",
-        y = "C string decode",
-        -- Custom
-        d = { lsp.goto_next_diagnostic, "Next diagnostic" },
-    },
+    -- Previous
+    { "[", group = "Previous" },
+    -- Edition and navigation mappings
+    { "[<space>", desc = "Insert blank line above" },
+    { "[<C-L>", desc = "Previous location list file" },
+    { "[<C-Q>", desc = "Previous quickfix list file" },
+    { "[<C-T>", desc = "Previous tag in preview window" },
+    { "[a", desc = "Previous argument" },
+    { "[A", desc = "First argument" },
+    { "[b", desc = "Previous buffer" },
+    { "[B", desc = "First buffer" },
+    { "[e", desc = "Exchange previous line" },
+    { "[f", desc = "Previous file in directory" },
+    { "[l", desc = "Previous location list entry" },
+    { "[L", desc = "First Location list entry" },
+    { "[n", desc = "Previous conflict marker/diff hunk" },
+    { "[p", desc = "Paste line above" },
+    { "[P", desc = "Paste line above" },
+    { "[q", desc = "Previous quickfix list entry" },
+    { "[Q", desc = "First quickfix list entry" },
+    { "[t", desc = "Previous matching tag" },
+    { "[T", desc = "First matching tag" },
+    { "[z", desc = "Previous fold" },
+    -- Encoding
+    { "[C", desc = "C string encode" },
+    { "[u", desc = "URL encode" },
+    { "[x", desc = "XML encode" },
+    { "[y", desc = "C string encode" },
+    -- Custom
+    { "[d", lsp.goto_prev_diagnostic, desc = "Previous diagnostic" },
 
-    -- Option mappings
-    ["[o"] = {
-        name = "Enable option",
-        b = "Light background",
-        c = "Cursor line",
-        d = "Diff",
-        f = { "<cmd>FormatEnable<CR>", "LSP Formatting" },
-        h = "Search high-lighting",
-        i = "Case insensitive search",
-        l = "List mode",
-        n = "Line numbers",
-        r = "Relative line numbers",
-        p = { "<cmd>lwindow<CR>", "Location list" },
-        q = { "<cmd>cwindow<CR>", "Quickfix list" },
-        u = "Cursor column",
-        v = "Virtual editing",
-        w = "Text wrapping",
-        x = "Cursor line and column",
-        z = "Spell checking",
-    },
-    ["]o"] = {
-        name = "Option off",
-        b = "Light background",
-        c = "Cursor line",
-        d = "Diff",
-        f = { "<cmd>FormatDisable<CR>", "LSP Formatting" },
-        h = "Search high-lighting",
-        i = "Case insensitive search",
-        l = "List mode",
-        n = "Line numbers",
-        p = { "<cmd>lclose<CR>", "Location list" },
-        q = { "<cmd>cclose<CR>", "Quickfix list" },
-        r = "Relative line numbers",
-        u = "Cursor column",
-        v = "Virtual editing",
-        w = "Text wrapping",
-        x = "Cursor line and column",
-        z = "Spell checking",
-    },
-    ["yo"] = {
-        name = "Option toggle",
-        b = "Light background",
-        c = "Cursor line",
-        d = "Diff",
-        f = { "<cmd>FormatToggle<CR>", "LSP Formatting" },
-        h = "Search high-lighting",
-        i = "Case insensitive search",
-        l = "List mode",
-        n = "Line numbers",
-        p = { "<Plug>(qf_loc_toggle)", "Location list" },
-        q = { "<Plug>(qf_qf_toggle)", "Quickfix list" },
-        r = "Relative line numbers",
-        u = "Cursor column",
-        v = "Virtual editing",
-        w = "Text wrapping",
-        x = "Cursor line and column",
-        z = "Spell checking",
-    },
+    -- Next
+    { "]", group = "Next" },
+    -- Edition and navigation mappings
+    { "]<space>", desc = "Insert blank line below" },
+    { "]<C-L>", desc = "Next location list file" },
+    { "]<C-Q>", desc = "Next quickfix list file" },
+    { "]<C-T>", desc = "Next tag in preview window" },
+    { "]a", desc = "Next argument" },
+    { "]A", desc = "Last argument" },
+    { "]b", desc = "Next buffer" },
+    { "]B", desc = "Last buffer" },
+    { "]e", desc = "Exchange next line" },
+    { "]f", desc = "Next file in directory" },
+    { "]l", desc = "Next location list entry" },
+    { "]L", desc = "Last Location list entry" },
+    { "]n", desc = "Next conflict marker/diff hunk" },
+    { "]p", desc = "Paste line below" },
+    { "]P", desc = "Paste line below" },
+    { "]q", desc = "Next quickfix list entry" },
+    { "]Q", desc = "Last quickfix list entry" },
+    { "]t", desc = "Next matching tag" },
+    { "]T", desc = "Last matching tag" },
+    { "]z", desc = "Next fold" },
+    -- Decoding
+    { "]C", desc = "C string decode" },
+    { "]u", desc = "URL decode" },
+    { "]x", desc = "XML decode" },
+    { "]y", desc = "C string decode" },
+    -- Custom
+    { "]d", lsp.goto_next_diagnostic, desc = "Next diagnostic" },
+
+    -- Enable option
+    { "[o", group = "Enable option" },
+    { "[ob", desc = "Light background" },
+    { "[oc", desc = "Cursor line" },
+    { "[od", desc = "Diff" },
+    { "[of", "<cmd>FormatEnable<CR>", desc = "LSP Formatting" },
+    { "[oh", desc = "Search high-lighting" },
+    { "[oi", desc = "Case insensitive search" },
+    { "[ol", desc = "List mode" },
+    { "[on", desc = "Line numbers" },
+    { "[or", desc = "Relative line numbers" },
+    { "[op", "<cmd>lwindow<CR>", desc = "Location list" },
+    { "[oq", "<cmd>cwindow<CR>", desc = "Quickfix list" },
+    { "[ou", desc = "Cursor column" },
+    { "[ov", desc = "Virtual editing" },
+    { "[ow", desc = "Text wrapping" },
+    { "[ox", desc = "Cursor line and column" },
+    { "[oz", desc = "Spell checking" },
+
+    -- Disable option
+    { "]o", group = "Disable option" },
+    { "]ob", desc = "Light background" },
+    { "]oc", desc = "Cursor line" },
+    { "]od", desc = "Diff" },
+    { "]of", "<cmd>FormatDisable<CR>", desc = "LSP Formatting" },
+    { "]oh", desc = "Search high-lighting" },
+    { "]oi", desc = "Case insensitive search" },
+    { "]ol", desc = "List mode" },
+    { "]on", desc = "Line numbers" },
+    { "]op", "<cmd>lclose<CR>", desc = "Location list" },
+    { "]oq", "<cmd>cclose<CR>", desc = "Quickfix list" },
+    { "]or", desc = "Relative line numbers" },
+    { "]ou", desc = "Cursor column" },
+    { "]ov", desc = "Virtual editing" },
+    { "]ow", desc = "Text wrapping" },
+    { "]ox", desc = "Cursor line and column" },
+    { "]oz", desc = "Spell checking" },
+
+    -- Toggle option
+    { "yo", group = "Toggle option" },
+    { "yob", desc = "Light background" },
+    { "yoc", desc = "Cursor line" },
+    { "yod", desc = "Diff" },
+    { "yof", "<cmd>FormatToggle<CR>", desc = "LSP Formatting" },
+    { "yoh", desc = "Search high-lighting" },
+    { "yoi", desc = "Case insensitive search" },
+    { "yol", desc = "List mode" },
+    { "yon", desc = "Line numbers" },
+    { "yop", "<Plug>(qf_loc_toggle)", desc = "Location list" },
+    { "yoq", "<Plug>(qf_qf_toggle)", desc = "Quickfix list" },
+    { "yor", desc = "Relative line numbers" },
+    { "you", desc = "Cursor column" },
+    { "yov", desc = "Virtual editing" },
+    { "yow", desc = "Text wrapping" },
+    { "yox", desc = "Cursor line and column" },
+    { "yoz", desc = "Spell checking" },
 }
 
-wk.register(keys)
+wk.add(keys)

modules/home/vim/after/queries/diff/highlights.scm

@@ -0,0 +1,5 @@
+; extends
+
+; I want to the line added/removed markers to be the correct color
+"+" @diff.plus
+"-" @diff.minus

modules/home/vim/default.nix

@@ -40,25 +40,18 @@ in
       lualine-lsp-progress # Show progress for LSP servers
 
       # tpope essentials
-      vim-commentary # Easy comments
       vim-eunuch # UNIX integrations
       vim-fugitive # A 'git' wrapper
       vim-git # Sane git syntax files
       vim-repeat # Enanche '.' for plugins
       vim-rsi # Readline mappings
       vim-unimpaired # Some ex command mappings
-      vim-vinegar # Better netrw
 
       # Languages
-      rust-vim
       vim-beancount
-      vim-jsonnet
-      vim-nix
-      vim-toml
 
       # General enhancements
       vim-qf # Better quick-fix list
-      nvim-osc52 # Send clipboard data through terminal escape for SSH
 
       # Other wrappers
       git-messenger-vim # A simple blame window
@@ -70,7 +63,6 @@ in
       none-ls-nvim # LSP integration for linters and formatters
       nvim-treesitter.withAllGrammars # Better highlighting
       nvim-treesitter-textobjects # More textobjects
-      nvim-ts-context-commentstring # Comment string in nested language blocks
       plenary-nvim # 'null-ls', 'telescope' dependency
 
       # Completion
@@ -88,6 +80,7 @@ in
       dressing-nvim # Integrate native UI hooks with Telescope etc...
       gitsigns-nvim # Fast git UI integration
       nvim-surround # Deal with pairs, now in Lua
+      oil-nvim # Better alternative to NetrW
       telescope-fzf-native-nvim # Use 'fzf' fuzzy matching algorithm
       telescope-lsp-handlers-nvim # Use 'telescope' for various LSP actions
       telescope-nvim # Fuzzy finder interface
@@ -105,8 +98,11 @@ in
       nixpkgs-fmt
 
       # Shell
-      nodePackages.bash-language-server
+      bash-language-server
       shfmt
+
+      # Generic
+      typos-lsp
     ];
   };
 

modules/home/vim/ftdetect/gn.lua

@@ -1,7 +0,0 @@
--- Use GN filetype for Chromium Generate Ninja files
-vim.filetype.add({
-    extension = {
-        gn = "gn",
-        gni = "gn",
-    },
-})

modules/home/vim/ftdetect/kbuild.lua

@@ -1,6 +0,0 @@
--- Kbuild is just a Makefile under a different name
-vim.filetype.add({
-    filename = {
-        ["Kbuild"] = "make",
-    },
-})

modules/home/vim/ftdetect/tikz.lua

@@ -1,6 +0,0 @@
--- Use LaTeX filetype for TikZ files
-vim.filetype.add({
-    extension = {
-        tikz = "tex",
-    },
-})

modules/home/vim/init.vim

@@ -1,4 +1,4 @@
-" Basic configuraion {{{
+" Basic configuration {{{
 """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 " Use UTF-8
 set encoding=utf-8
@@ -38,10 +38,10 @@ set tabstop=8
 
 " File parameters {{{
 """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
-" Disable backups, we have source control for that
-set nobackup
-" Disable swapfiles too
+" Disable swap files
 set noswapfile
+" Enable undo files
+set undofile
 " }}}
 
 " UI and UX parameters {{{
@@ -86,8 +86,29 @@ set mouse=
 " Set dark mode by default
 set background=dark
 
-" 24 bit colors
-set termguicolors
+" Setup some overrides for gruvbox
+lua << EOF
+local gruvbox = require("gruvbox")
+local colors = gruvbox.palette
+
+gruvbox.setup({
+    overrides = {
+        -- Only URLs should be underlined
+        ["@string.special.path"] = { link = "GruvboxOrange" },
+        -- Revert back to the better diff highlighting
+        DiffAdd = { fg = colors.green, bg = "NONE" },
+        DiffChange = { fg = colors.aqua, bg = "NONE" },
+        DiffDelete = { fg = colors.red, bg = "NONE" },
+        DiffText = { fg = colors.yellow, bg = colors.bg0 },
+        -- Directories "pop" better in blue
+        Directory = { link = "GruvboxBlueBold" },
+    },
+    italic = {
+        -- Comments should not be italic, for e.g: box drawing
+        comments = false,
+    },
+})
+EOF
 " Use my preferred colorscheme
 colorscheme gruvbox
 " }}}

modules/home/vim/lua/ambroisie/lsp.lua

@@ -5,7 +5,7 @@ local lsp_format = require("lsp-format")
 
 --- Move to the next/previous diagnostic, automatically showing the diagnostics
 --- float if necessary.
---- @param forward whether to go forward or backwards
+--- @param forward bool whether to go forward or backwards
 local function goto_diagnostic(forward)
     vim.validate({
         forward = { forward, "boolean" },
@@ -42,7 +42,7 @@ end
 
 --- shared LSP configuration callback
 --- @param client native client configuration
---- @param bufnr int? buffer number of the attched client
+--- @param bufnr int? buffer number of the attached client
 M.on_attach = function(client, bufnr)
     -- Format on save
     lsp_format.on_attach(client, bufnr)
@@ -87,31 +87,30 @@ M.on_attach = function(client, bufnr)
     end
 
     local keys = {
-        K = { vim.lsp.buf.hover, "Show symbol information" },
-        ["<C-k>"] = { vim.lsp.buf.signature_help, "Show signature information" },
-        ["gd"] = { vim.lsp.buf.definition, "Go to definition" },
-        ["gD"] = { vim.lsp.buf.declaration, "Go to declaration" },
-        ["gi"] = { vim.lsp.buf.implementation, "Go to implementation" },
-        ["gr"] = { vim.lsp.buf.references, "List all references" },
-
-        ["<leader>c"] = {
-            name = "Code",
-            a = { vim.lsp.buf.code_action, "Code actions" },
-            d = { cycle_diagnostics_display, "Cycle diagnostics display" },
-            D = { show_buffer_diagnostics, "Show buffer diagnostics" },
-            r = { vim.lsp.buf.rename, "Rename symbol" },
-            s = { vim.lsp.buf.signature_help, "Show signature" },
-            t = { vim.lsp.buf.type_definition, "Go to type definition" },
-            w = {
-                name = "Workspace",
-                a = { vim.lsp.buf.add_workspace_folder, "Add folder to workspace" },
-                l = { list_workspace_folders, "List folders in workspace" },
-                r = { vim.lsp.buf.remove_workspace_folder, "Remove folder from workspace" },
-            },
-        },
+        buffer = bufnr,
+        -- LSP navigation
+        { "K", vim.lsp.buf.hover, desc = "Show symbol information" },
+        { "<C-k>", vim.lsp.buf.signature_help, desc = "Show signature information" },
+        { "gd", vim.lsp.buf.definition, desc = "Go to definition" },
+        { "gD", vim.lsp.buf.declaration, desc = "Go to declaration" },
+        { "gi", vim.lsp.buf.implementation, desc = "Go to implementation" },
+        { "gr", vim.lsp.buf.references, desc = "List all references" },
+        -- Code
+        { "<leader>c", group = "Code" },
+        { "<leader>ca", vim.lsp.buf.code_action, desc = "Code actions" },
+        { "<leader>cd", cycle_diagnostics_display, desc = "Cycle diagnostics display" },
+        { "<leader>cD", show_buffer_diagnostics, desc = "Show buffer diagnostics" },
+        { "<leader>cr", vim.lsp.buf.rename, desc = "Rename symbol" },
+        { "<leader>cs", vim.lsp.buf.signature_help, desc = "Show signature" },
+        { "<leader>ct", vim.lsp.buf.type_definition, desc = "Go to type definition" },
+        -- Workspace
+        { "<leader>cw", group = "Workspace" },
+        { "<leader>cwa", vim.lsp.buf.add_workspace_folder, desc = "Add folder to workspace" },
+        { "<leader>cwl", list_workspace_folders, desc = "List folders in workspace" },
+        { "<leader>cwr", vim.lsp.buf.remove_workspace_folder, desc = "Remove folder from workspace" },
     }
 
-    wk.register(keys, { buffer = bufnr })
+    wk.add(keys)
 end
 
 return M

modules/home/vim/lua/ambroisie/utils.lua

@@ -48,4 +48,22 @@ M.list_lsp_clients = function(bufnr)
     return names
 end
 
+--- partially apply a function with given arguments
+M.partial = function(f, ...)
+    local a = { ... }
+    local a_len = select("#", ...)
+
+    return function(...)
+        local tmp = { ... }
+        local tmp_len = select("#", ...)
+
+        -- Merge arg lists
+        for i = 1, tmp_len do
+            a[a_len + i] = tmp[i]
+        end
+
+        return f(unpack(a, 1, a_len + tmp_len))
+    end
+end
+
 return M

modules/home/vim/plugin/numbertoggle.lua

@@ -7,17 +7,28 @@ local numbertoggle = vim.api.nvim_create_augroup("numbertoggle", { clear = true
 vim.api.nvim_create_autocmd({ "BufEnter", "FocusGained", "InsertLeave", "WinEnter" }, {
     pattern = "*",
     group = numbertoggle,
-    command = "if &nu | setlocal rnu | endif",
+    callback = function()
+        if vim.opt.number:get() then
+            vim.opt.relativenumber = true
+        end
+    end,
 })
 vim.api.nvim_create_autocmd({ "BufLeave", "FocusLost", "InsertEnter", "WinLeave" }, {
     pattern = "*",
     group = numbertoggle,
-    command = "if &nu | setlocal nornu | endif",
+    callback = function()
+        if vim.opt.number:get() then
+            vim.opt.relativenumber = false
+        end
+    end,
 })
 
 -- Never show the sign column in a terminal buffer
 vim.api.nvim_create_autocmd({ "TermOpen" }, {
     pattern = "*",
     group = numbertoggle,
-    command = "setlocal nonu nornu",
+    callback = function()
+        vim.opt.number = false
+        vim.opt.relativenumber = false
+    end,
 })

modules/home/vim/plugin/settings/git.lua

@@ -1,58 +1,75 @@
 local gitsigns = require("gitsigns")
+local utils = require("ambroisie.utils")
 local wk = require("which-key")
 
+--- Transform `f` into a function which acts on the current visual selection
+local function make_visual(f)
+    return function()
+        local first = vim.fn.line("v")
+        local last = vim.fn.line(".")
+        f({ first, last })
+    end
+end
+
+local function nav_hunk(dir)
+    if vim.wo.diff then
+        local map = {
+            prev = "[c",
+            next = "]c",
+        }
+        vim.cmd.normal({ map[dir], bang = true })
+    else
+        gitsigns.nav_hunk(dir)
+    end
+end
+
 gitsigns.setup({
     current_line_blame_opts = {
         -- Show the blame quickly
         delay = 100,
     },
+    -- Work-around for https://github.com/lewis6991/gitsigns.nvim/issues/929
+    signs_staged_enable = false,
 })
 
 local keys = {
     -- Navigation
-    ["[c"] = { "&diff ? '[c' : '<cmd>Gitsigns prev_hunk<CR>'", "Previous hunk/diff", expr = true },
-    ["]c"] = { "&diff ? ']c' : '<cmd>Gitsigns next_hunk<CR>'", "Next hunk/diff", expr = true },
-
+    { "[c", utils.partial(nav_hunk, "prev"), desc = "Previous hunk/diff" },
+    { "]c", utils.partial(nav_hunk, "next"), desc = "Next hunk/diff" },
     -- Commands
-    ["<leader>g"] = {
-        name = "Git",
-        -- Actions
-        b = { gitsigns.toggle_current_line_blame, "Toggle blame virtual text" },
-        d = { gitsigns.diffthis, "Diff buffer" },
-        -- stylua: ignore
-        D = { function() gitsigns.diffthis("~") end, "Diff buffer against last commit" },
-        g = { "<cmd>Git<CR>", "Git status" },
-        h = { gitsigns.toggle_deleted, "Show deleted hunks" },
-        L = { "<cmd>:sp<CR><C-w>T:Gllog --follow -- %:p<CR>", "Current buffer log" },
-        m = { "<Plug>(git-messenger)", "Current line blame" },
-        p = { gitsigns.preview_hunk, "Preview hunk" },
-        r = { gitsigns.reset_hunk, "Restore hunk" },
-        R = { gitsigns.reset_buffer, "Restore buffer" },
-        s = { gitsigns.stage_hunk, "Stage hunk" },
-        S = { gitsigns.stage_buffer, "Stage buffer" },
-        u = { gitsigns.undo_stage_hunk, "Undo stage hunk" },
-        ["["] = { gitsigns.prev_hunk, "Previous hunk" },
-        ["]"] = { gitsigns.next_hunk, "Next hunk" },
-    },
+    { "<leader>g", group = "Git" },
+    { "<leader>gb", gitsigns.toggle_current_line_blame, desc = "Toggle blame virtual text" },
+    { "<leader>gd", gitsigns.diffthis, desc = "Diff buffer" },
+    { "<leader>gD", utils.partial(gitsigns.diffthis, "~"), desc = "Diff buffer against last commit" },
+    { "<leader>gg", "<cmd>Git<CR>", desc = "Git status" },
+    { "<leader>gh", gitsigns.toggle_deleted, desc = "Show deleted hunks" },
+    { "<leader>gL", "<cmd>:sp<CR><C-w>T:Gllog --follow -- %:p<CR>", desc = "Current buffer log" },
+    { "<leader>gm", "<Plug>(git-messenger)", desc = "Current line blame" },
+    { "<leader>gp", gitsigns.preview_hunk, desc = "Preview hunk" },
+    { "<leader>gr", gitsigns.reset_hunk, desc = "Restore hunk" },
+    { "<leader>gR", gitsigns.reset_buffer, desc = "Restore buffer" },
+    { "<leader>gs", gitsigns.stage_hunk, desc = "Stage hunk" },
+    { "<leader>gS", gitsigns.stage_buffer, desc = "Stage buffer" },
+    { "<leader>gu", gitsigns.undo_stage_hunk, desc = "Undo stage hunk" },
+    { "<leader>g[", utils.partial(gitsigns.nav_hunk, "prev"), desc = "Previous hunk" },
+    { "<leader>g]", utils.partial(gitsigns.nav_hunk, "next"), desc = "Next hunk" },
 }
 
 local objects = {
-    ["ih"] = { gitsigns.select_hunk, "Git hunk" },
+    mode = "o",
+    { "ih", gitsigns.select_hunk, desc = "Git hunk" },
 }
-
+-- Visual
 local visual = {
-    ["ih"] = { gitsigns.select_hunk, "Git hunk" },
-
-    -- Only the actual command can make use of the visual selection...
-    ["<leader>g"] = {
-        name = "Git",
-        p = { ":Gitsigns preview_hunk<CR>", "Preview selection" },
-        r = { ":Gitsigns reset_hunk<CR>", "Restore selection" },
-        s = { ":Gitsigns stage_hunk<CR>", "Stage selection" },
-        u = { ":Gitsigns undo_stage_hunk<CR>", "Undo stage selection" },
-    },
+    mode = { "x" },
+    { "ih", gitsigns.select_hunk, desc = "Git hunk" },
+    { "<leader>g", group = "Git" },
+    { "<leader>gp", gitsigns.preview_hunk, desc = "Preview selection" },
+    { "<leader>gr", make_visual(gitsigns.reset_hunk), desc = "Restore selection" },
+    { "<leader>gs", make_visual(gitsigns.stage_hunk), desc = "Stage selection" },
+    { "<leader>gu", gitsigns.undo_stage_hunk, desc = "Undo stage selection" },
 }
 
-wk.register(keys, { buffer = bufnr })
-wk.register(objects, { buffer = bufnr, mode = "o" })
-wk.register(visual, { buffer = bufnr, mode = "x" })
+wk.add(keys)
+wk.add(objects)
+wk.add(visual)

modules/home/vim/plugin/settings/lspconfig.lua

@@ -53,8 +53,8 @@ if utils.is_executable("pyright") then
     })
 end
 
-if utils.is_executable("ruff-lsp") then
-    lspconfig.ruff_lsp.setup({
+if utils.is_executable("ruff") then
+    lspconfig.ruff.setup({
         capabilities = capabilities,
         on_attach = lsp.on_attach,
     })
@@ -74,5 +74,31 @@ if utils.is_executable("bash-language-server") then
         filetypes = { "bash", "sh", "zsh" },
         capabilities = capabilities,
         on_attach = lsp.on_attach,
+        settings = {
+            bashIde = {
+                shfmt = {
+                    -- Simplify the code
+                    simplifyCode = true,
+                    -- Indent switch cases
+                    caseIndent = true,
+                },
+            },
+        },
+    })
+end
+
+-- Starlark
+if utils.is_executable("starpls") then
+    lspconfig.starpls.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
+end
+
+-- Generic
+if utils.is_executable("typos-lsp") then
+    lspconfig.typos_lsp.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
     })
 end

modules/home/vim/plugin/settings/null-ls.lua

@@ -18,16 +18,6 @@ null_ls.register({
     }),
 })
 
--- C, C++
-null_ls.register({
-    null_ls.builtins.formatting.clang_format.with({
-        -- Only used if available, but prefer clangd formatting if available
-        condition = function()
-            return utils.is_executable("clang-format") and not utils.is_executable("clangd")
-        end,
-    }),
-})
-
 -- Nix
 null_ls.register({
     null_ls.builtins.formatting.nixpkgs_fmt.with({
@@ -56,29 +46,3 @@ null_ls.register({
         condition = utils.is_executable_condition("isort"),
     }),
 })
-
--- Shell (non-POSIX)
-null_ls.register({
-    null_ls.builtins.formatting.shfmt.with({
-        -- Indent with 4 spaces, simplify the code, indent switch cases,
-        -- add space after redirection, use bash dialect
-        extra_args = { "-i", "4", "-s", "-ci", "-sr", "-ln", "bash" },
-        -- Restrict to bash and zsh
-        filetypes = { "bash", "zsh" },
-        -- Only used if available
-        condition = utils.is_executable_condition("shfmt"),
-    }),
-})
-
--- Shell (POSIX)
-null_ls.register({
-    null_ls.builtins.formatting.shfmt.with({
-        -- Indent with 4 spaces, simplify the code, indent switch cases,
-        -- add space after redirection, use POSIX
-        extra_args = { "-i", "4", "-s", "-ci", "-sr", "-ln", "posix" },
-        -- Restrict to POSIX sh
-        filetypes = { "sh" },
-        -- Only used if available
-        condition = utils.is_executable_condition("shfmt"),
-    }),
-})

modules/home/vim/plugin/settings/oil.lua

@@ -0,0 +1,36 @@
+local oil = require("oil")
+local wk = require("which-key")
+
+local detail = false
+
+oil.setup({
+    -- Don't show icons
+    columns = {},
+    view_options = {
+        -- Show files and directories that start with "." by default
+        show_hidden = true,
+        -- But never '..'
+        is_always_hidden = function(name, bufnr)
+            return name == ".."
+        end,
+    },
+    keymaps = {
+        ["gd"] = {
+            desc = "Toggle file detail view",
+            callback = function()
+                detail = not detail
+                if detail then
+                    oil.set_columns({ "icon", "permissions", "size", "mtime" })
+                else
+                    oil.set_columns({ "icon" })
+                end
+            end,
+        },
+    },
+})
+
+local keys = {
+    { "-", oil.open, desc = "Open parent directory" },
+}
+
+wk.add(keys)

modules/home/vim/plugin/settings/ssh.lua

@@ -1,17 +0,0 @@
-if not require("ambroisie.utils").is_ssh() then
-    return
-end
-
-local function copy(lines, _)
-    require("osc52").copy(table.concat(lines, "\n"))
-end
-
-local function paste()
-    return { vim.fn.split(vim.fn.getreg(""), "\n"), vim.fn.getregtype("") }
-end
-
-vim.g.clipboard = {
-    name = "osc52",
-    copy = { ["+"] = copy, ["*"] = copy },
-    paste = { ["+"] = paste, ["*"] = paste },
-}

modules/home/vim/plugin/settings/telescope.lua

@@ -1,4 +1,6 @@
 local telescope = require("telescope")
+local telescope_builtin = require("telescope.builtin")
+local wk = require("which-key")
 
 telescope.setup({
     defaults = {
@@ -22,3 +24,14 @@ telescope.setup({
 
 telescope.load_extension("fzf")
 telescope.load_extension("lsp_handlers")
+
+local keys = {
+    { "<leader>f", group = "Fuzzy finder" },
+    { "<leader>fb", telescope_builtin.buffers, desc = "Open buffers" },
+    { "<leader>ff", telescope_builtin.git_files, desc = "Git tracked files" },
+    { "<leader>fF", telescope_builtin.find_files, desc = "Files" },
+    { "<leader>fg", telescope_builtin.live_grep, desc = "Grep string" },
+    { "<leader>fG", telescope_builtin.grep_string, desc = "Grep string under cursor" },
+}
+
+wk.add(keys)

modules/home/vim/plugin/settings/tree-sitter.lua

@@ -1,4 +1,5 @@
 local ts_config = require("nvim-treesitter.configs")
+
 ts_config.setup({
     highlight = {
         enable = true,
@@ -14,16 +15,16 @@ ts_config.setup({
             -- Jump to matching text objects
             lookahead = true,
             keymaps = {
-                ["aa"] = "@parameter.outer",
-                ["ia"] = "@parameter.inner",
-                ["ab"] = "@block.outer",
-                ["ib"] = "@block.inner",
-                ["ac"] = "@class.outer",
-                ["ic"] = "@class.inner",
-                ["af"] = "@function.outer",
-                ["if"] = "@function.inner",
-                ["ak"] = "@comment.outer",
-                ["aS"] = "@statement.outer",
+                ["aa"] = { query = "@parameter.outer", desc = "a parameter" },
+                ["ia"] = { query = "@parameter.inner", desc = "inner parameter" },
+                ["ab"] = { query = "@block.outer", desc = "a block" },
+                ["ib"] = { query = "@block.inner", desc = "inner block" },
+                ["ac"] = { query = "@class.outer", desc = "a class" },
+                ["ic"] = { query = "@class.inner", desc = "inner class" },
+                ["af"] = { query = "@function.outer", desc = "a function" },
+                ["if"] = { query = "@function.inner", desc = "inner function" },
+                ["ak"] = { query = "@comment.outer", desc = "a comment" },
+                ["aS"] = { query = "@statement.outer", desc = "a statement" },
             },
         },
         move = {
@@ -31,22 +32,22 @@ ts_config.setup({
             -- Add to jump list
             set_jumps = true,
             goto_next_start = {
-                ["]m"] = "@function.outer",
-                ["]S"] = "@statement.outer",
-                ["]]"] = "@class.outer",
+                ["]m"] = { query = "@function.outer", desc = "Next method start" },
+                ["]S"] = { query = "@statement.outer", desc = "Next statement start" },
+                ["]]"] = { query = "@class.outer", desc = "Next class start" },
             },
             goto_next_end = {
-                ["]M"] = "@function.outer",
-                ["]["] = "@class.outer",
+                ["]M"] = { query = "@function.outer", desc = "Next method end" },
+                ["]["] = { query = "@class.outer", desc = "Next class end" },
             },
             goto_previous_start = {
-                ["[m"] = "@function.outer",
-                ["[S"] = "@statement.outer",
-                ["[["] = "@class.outer",
+                ["[m"] = { query = "@function.outer", desc = "Previous method start" },
+                ["[S"] = { query = "@statement.outer", desc = "Previous statement start" },
+                ["[["] = { query = "@class.outer", desc = "Previous class start" },
             },
             goto_previous_end = {
-                ["[M"] = "@function.outer",
-                ["[]"] = "@class.outer",
+                ["[M"] = { query = "@function.outer", desc = "Previous method end" },
+                ["[]"] = { query = "@class.outer", desc = "Previous class end" },
             },
         },
     },

modules/home/vim/plugin/settings/which-key.lua

@@ -1,2 +1,33 @@
 local wk = require("which-key")
-wk.setup()
+wk.setup({
+    icons = {
+        -- I don't like icons
+        mappings = false,
+        breadcrumb = "»",
+        separator = "➜",
+        group = "+",
+        ellipsis = "…",
+        keys = {
+            Up = " ",
+            Down = " ",
+            Left = " ",
+            Right = " ",
+            C = "<C>",
+            M = "<M>",
+            D = "<D>",
+            S = "<S>",
+            CR = "<CR>",
+            Esc = "<Esc> ",
+            NL = "<NL>",
+            BS = "<BS>",
+            Space = "<space>",
+            Tab = "<Tab> ",
+        },
+    },
+})
+
+local keys = {
+    { "<leader><leader>", vim.cmd.nohlsearch, desc = "Clear search highlight" },
+}
+
+wk.add(keys)

modules/home/vim/plugin/signtoggle.lua

@@ -4,17 +4,23 @@ local signtoggle = vim.api.nvim_create_augroup("signtoggle", { clear = true })
 vim.api.nvim_create_autocmd({ "BufEnter", "FocusGained", "WinEnter" }, {
     pattern = "*",
     group = signtoggle,
-    command = "setlocal signcolumn=yes",
+    callback = function()
+        vim.opt.signcolumn = "yes"
+    end,
 })
 vim.api.nvim_create_autocmd({ "BufLeave", "FocusLost", "WinLeave" }, {
     pattern = "*",
     group = signtoggle,
-    command = "setlocal signcolumn=yes",
+    callback = function()
+        vim.opt.signcolumn = "no"
+    end,
 })
 
 -- Never show the sign column in a terminal buffer
 vim.api.nvim_create_autocmd({ "TermOpen" }, {
     pattern = "*",
     group = signtoggle,
-    command = "setlocal signcolumn=no",
+    callback = function()
+        vim.opt.signcolumn = "no"
+    end,
 })

modules/home/wget/default.nix

@@ -20,7 +20,7 @@ in
     };
 
     xdg.configFile."wgetrc".text = ''
-      hsts-file = ${config.xdg.dataHome}/wget-hsts
+      hsts-file = ${config.xdg.stateHome}/wget-hsts
     '';
   };
 }

modules/home/wm/default.nix

@@ -58,7 +58,7 @@ in
               service = "some-service-name";
             }
           ];
-          description = "list of block configurations, merged with the defauls";
+          description = "list of block configurations, merged with the defaults";
         };
       };
     };

modules/home/wm/i3/default.nix

@@ -127,9 +127,10 @@ in
             { class = "^Blueman-.*$"; }
             { title = "^htop$"; }
             { class = "^Thunderbird$"; instance = "Mailnews"; window_role = "filterlist"; }
-            { class = "^Pavucontrol.*$"; }
+            { class = "^pavucontrol.*$"; }
             { class = "^Arandr$"; }
-            { class = ".?blueman-manager.*$"; }
+            { class = "^\\.blueman-manager-wrapped$"; }
+            { class = "^\\.arandr-wrapped$"; }
           ];
         };
 
@@ -371,8 +372,7 @@ in
           };
 
         startup = [
-          # FIXME
-          # { commdand; always; notification; }
+          # NOTE: rely on systemd user services instead...
         ];
 
         window = {

modules/home/wm/screen-lock/default.nix

@@ -2,7 +2,7 @@
 let
   cfg = config.my.home.wm.screen-lock;
 
-  notficationCmd =
+  notificationCmd =
     let
       duration = toString (cfg.notify.delay * 1000);
       notifyCmd = "${lib.getExe pkgs.libnotify} -u critical -t ${duration}";
@@ -48,7 +48,7 @@ in
           "-notify"
           "${toString cfg.notify.delay}"
           "-notifier"
-          notficationCmd
+          notificationCmd
         ];
       };
     };

modules/home/xdg/default.nix

@@ -11,7 +11,7 @@ in
     enable = true;
     # File types
     mime.enable = true;
-    # File associatons
+    # File associations
     mimeApps = {
       enable = true;
     };
@@ -30,9 +30,11 @@ in
     };
     # A tidy home is a tidy mind
     dataFile = {
+      "tig/.keep".text = ""; # `tig` uses `XDG_DATA_HOME` specifically...
+    };
+    stateFile = {
       "bash/.keep".text = "";
-      "gdb/.keep".text = "";
-      "tig/.keep".text = "";
+      "python/.keep".text = "";
     };
   };
 
@@ -43,13 +45,13 @@ in
     CARGO_HOME = "${dataHome}/cargo";
     DOCKER_CONFIG = "${configHome}/docker";
     GRADLE_USER_HOME = "${dataHome}/gradle";
-    HISTFILE = "${dataHome}/bash/history";
+    HISTFILE = "${stateHome}/bash/history";
     INPUTRC = "${configHome}/readline/inputrc";
-    PSQL_HISTORY = "${dataHome}/psql_history";
+    PSQL_HISTORY = "${stateHome}/psql_history";
     PYTHONPYCACHEPREFIX = "${cacheHome}/python/";
     PYTHONUSERBASE = "${dataHome}/python/";
     PYTHON_HISTORY = "${stateHome}/python/history";
-    REDISCLI_HISTFILE = "${dataHome}/redis/rediscli_history";
+    REDISCLI_HISTFILE = "${stateHome}/redis/rediscli_history";
     REPO_CONFIG_DIR = "${configHome}/repo";
     XCOMPOSECACHE = "${dataHome}/X11/xcompose";
     _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${configHome}/java";

modules/home/zsh/default.nix

@@ -68,7 +68,7 @@ in
           ignoreSpace = true;
           ignoreDups = true;
           share = false;
-          path = "${config.xdg.dataHome}/zsh/zsh_history";
+          path = "${config.xdg.stateHome}/zsh/zsh_history";
         };
 
         plugins = [

modules/home/zsh/options.zsh

@@ -12,7 +12,7 @@ setopt rc_quotes
 setopt auto_resume
 # Show history expansion before running a command
 setopt hist_verify
-# Append commands to history as they are exectuted
+# Append commands to history as they are executed
 setopt inc_append_history_time
 # Remove useless whitespace from commands
 setopt hist_reduce_blanks

modules/nixos/hardware/bluetooth/default.nix

@@ -20,28 +20,10 @@ in
 
     # Support for additional bluetooth codecs
     (lib.mkIf cfg.loadExtraCodecs {
-      hardware.pulseaudio = {
+      services.pulseaudio = {
         extraModules = [ pkgs.pulseaudio-modules-bt ];
         package = pkgs.pulseaudioFull;
       };
-
-      services.pipewire.wireplumber.configPackages = [
-        (pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
-          bluez_monitor.properties = {
-            -- SBC XQ provides better audio
-            ["bluez5.enable-sbc-xq"] = true,
-
-            -- mSBC provides better audio + microphone
-            ["bluez5.enable-msbc"] = true,
-
-            -- Synchronize volume with bluetooth device
-            ["bluez5.enable-hw-volume"] = true,
-
-            -- FIXME: Some devices may now support both hsp_ag and hfp_ag
-            ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
-          }
-        '')
-      ];
     })
 
     # Support for A2DP audio profile

modules/nixos/hardware/graphics/default.nix

@@ -26,28 +26,30 @@ in
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
     {
-      hardware.opengl = {
+      hardware.graphics = {
         enable = true;
       };
     }
 
     # AMD GPU
     (lib.mkIf (cfg.gpuFlavor == "amd") {
-      boot.initrd.kernelModules = lib.mkIf cfg.amd.enableKernelModule [ "amdgpu" ];
+      hardware.amdgpu = {
+        initrd.enable = cfg.amd.enableKernelModule;
+        # Vulkan
+        amdvlk = lib.mkIf cfg.amd.amdvlk {
+          enable = true;
+          support32Bit = {
+            enable = true;
+          };
+        };
+      };
 
-      hardware.opengl = {
+      hardware.graphics = {
         extraPackages = with pkgs; [
           # OpenCL
           rocmPackages.clr
           rocmPackages.clr.icd
-        ]
-        ++ lib.optional cfg.amd.amdvlk amdvlk
-        ;
-
-        extraPackages32 = with pkgs; [
-        ]
-        ++ lib.optional cfg.amd.amdvlk driversi686Linux.amdvlk
-        ;
+        ];
       };
     })
 
@@ -59,7 +61,7 @@ in
         VDPAU_DRIVER = "va_gl";
       };
 
-      hardware.opengl = {
+      hardware.graphics = {
         extraPackages = with pkgs; [
           # Open CL
           intel-compute-runtime
@@ -69,6 +71,13 @@ in
           intel-vaapi-driver
           libvdpau-va-gl
         ];
+
+        extraPackages32 = with pkgs.driversi686Linux; [
+          # VA API
+          intel-media-driver
+          intel-vaapi-driver
+          libvdpau-va-gl
+        ];
       };
     })
   ]);

modules/nixos/hardware/sound/default.nix

@@ -54,10 +54,7 @@ in
 
     # Pulseaudio setup
     (lib.mkIf cfg.pulse.enable {
-      # ALSA
-      sound.enable = true;
-
-      hardware.pulseaudio.enable = true;
+      services.pulseaudio.enable = true;
     })
   ]);
 }

modules/nixos/hardware/trackball/default.nix

@@ -11,7 +11,7 @@ in
   config = lib.mkIf cfg.enable {
     services.xserver = {
       # This section must be *after* the one configured by `libinput`
-      # for the `ScrollMethod` configuration to not be overriden
+      # for the `ScrollMethod` configuration to not be overridden
       inputClassSections = lib.mkAfter [
         # MX Ergo
         ''

modules/nixos/profiles/default.nix

@@ -1,4 +1,4 @@
-# Configuration that spans accross system and home, or are almagations of modules
+# Configuration that spans across system and home, or are almagations of modules
 { ... }:
 {
   imports = [

modules/nixos/profiles/laptop/default.nix

@@ -9,7 +9,7 @@ in
 
   config = lib.mkIf cfg.enable {
     # Enable touchpad support
-    services.xserver.libinput.enable = true;
+    services.libinput.enable = true;
 
     # Enable TLP power management
     my.services.tlp.enable = true;

modules/nixos/services/aria/default.nix

@@ -65,9 +65,7 @@ in
       aria-rpc = {
         port = cfg.rpcPort;
         # Proxy websockets for RPC
-        extraConfig = {
-          locations."/".proxyWebsockets = true;
-        };
+        websocketsLocations = [ "/" ];
       };
     };
 

modules/nixos/services/audiobookshelf/default.nix

@@ -0,0 +1,53 @@
+# Audiobook and podcast library
+{ config, lib, ... }:
+let
+  cfg = config.my.services.audiobookshelf;
+in
+{
+  options.my.services.audiobookshelf = with lib; {
+    enable = mkEnableOption "Audiobookshelf, a self-hosted podcast manager";
+
+    port = mkOption {
+      type = types.port;
+      default = 8000;
+      example = 4242;
+      description = "The port on which Audiobookshelf will listen for incoming HTTP traffic.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.audiobookshelf = {
+      enable = true;
+      inherit (cfg) port;
+
+      group = "media";
+    };
+
+    # Set-up media group
+    users.groups.media = { };
+
+    my.services.nginx.virtualHosts = {
+      audiobookshelf = {
+        inherit (cfg) port;
+        # Proxy websockets for RPC
+        websocketsLocations = [ "/" ];
+      };
+    };
+
+    services.fail2ban.jails = {
+      audiobookshelf = ''
+        enabled = true
+        filter = audiobookshelf
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/audiobookshelf.conf".text = ''
+        [Definition]
+        failregex = ^.*ERROR: \[Auth\] Failed login attempt for username ".*" from ip <ADDR>
+        journalmatch = _SYSTEMD_UNIT=audiobookshelf.service
+      '';
+    };
+  };
+}

modules/nixos/services/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ./adblock
     ./aria
+    ./audiobookshelf
     ./backup
     ./blog
     ./calibre-web
@@ -13,8 +14,10 @@
     ./forgejo
     ./gitea
     ./grocy
+    ./homebox
     ./indexers
     ./jellyfin
+    ./komga
     ./lohr
     ./matrix
     ./mealie
@@ -25,7 +28,7 @@
     ./nginx
     ./nix-cache
     ./paperless
-    ./pirate
+    ./pdf-edit
     ./podgrab
     ./postgresql
     ./postgresql-backup
@@ -33,6 +36,7 @@
     ./quassel
     ./rss-bridge
     ./sabnzbd
+    ./servarr
     ./ssh-server
     ./tandoor-recipes
     ./tlp

modules/nixos/services/flood/default.nix

@@ -1,5 +1,5 @@
 # A nice UI for various torrent clients
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 let
   cfg = config.my.services.flood;
 in
@@ -13,31 +13,13 @@ in
       example = 3000;
       description = "Internal port for Flood UI";
     };
-
-    stateDir = mkOption {
-      type = types.str;
-      default = "flood";
-      example = "floodUI";
-      description = "Directory under `/var/run` for storing Flood's files";
-    };
   };
 
   config = lib.mkIf cfg.enable {
-    systemd.services.flood = {
-      description = "Flood torrent UI";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
+    services.flood = {
+      enable = true;
 
-      serviceConfig = {
-        ExecStart = lib.concatStringsSep " " [
-          (lib.getExe pkgs.flood)
-          "--port ${builtins.toString cfg.port}"
-          "--rundir /var/lib/${cfg.stateDir}"
-        ];
-        DynamicUser = true;
-        StateDirectory = cfg.stateDir;
-        ReadWritePaths = "";
-      };
+      inherit (cfg) port;
     };
 
     my.services.nginx.virtualHosts = {
@@ -45,5 +27,7 @@ in
         inherit (cfg) port;
       };
     };
+
+    # NOTE: unfortunately flood does not log connection failures for fail2ban
   };
 }

modules/nixos/services/forgejo/default.nix

@@ -1,4 +1,4 @@
-# A low-ressource, full-featured git forge.
+# A low-resource, full-featured git forge.
 { config, lib, ... }:
 let
   cfg = config.my.services.forgejo;
@@ -83,7 +83,11 @@ in
         # I configure my backup system manually below.
         dump.enable = false;
 
-        mailerPasswordFile = lib.mkIf cfg.mail.enable cfg.mail.passwordFile;
+        secrets = {
+          mailer = lib.mkIf cfg.mail.enable {
+            PASSWD = cfg.mail.passwordFile;
+          };
+        };
 
         settings = {
           DEFAULT = {

modules/nixos/services/gitea/default.nix

@@ -1,4 +1,4 @@
-# A low-ressource, full-featured git forge.
+# A low-resource, full-featured git forge.
 { config, lib, ... }:
 let
   cfg = config.my.services.gitea;

modules/nixos/services/grocy/default.nix

@@ -36,5 +36,7 @@ in
       forceSSL = true;
       useACMEHost = config.networking.domain;
     };
+
+    # NOTE: unfortunately grocy does not log connection failures for fail2ban
   };
 }

modules/nixos/services/homebox/default.nix

@@ -0,0 +1,42 @@
+# Home inventory made easy
+{ config, lib, ... }:
+let
+  cfg = config.my.services.homebox;
+in
+{
+  options.my.services.homebox = with lib; {
+    enable = mkEnableOption "Homebox home inventory";
+
+    port = mkOption {
+      type = types.port;
+      default = 7745;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.homebox = {
+      enable = true;
+
+      settings = {
+        # FIXME: mailer?
+        HBOX_WEB_PORT = toString cfg.port;
+      };
+    };
+
+    my.services.nginx.virtualHosts = {
+      homebox = {
+        inherit (cfg) port;
+      };
+    };
+
+    my.services.backup = {
+      paths = [
+        config.services.homebox.settings.HBOX_STORAGE_DATA
+      ];
+    };
+
+    # NOTE: unfortunately homebox does not log connection failures for fail2ban
+  };
+}

modules/nixos/services/jellyfin/default.nix

@@ -27,19 +27,31 @@ in
     my.services.nginx.virtualHosts = {
       jellyfin = {
         port = 8096;
+        websocketsLocations = [ "/socket" ];
         extraConfig = {
           locations."/" = {
             extraConfig = ''
               proxy_buffering off;
             '';
           };
-          # Too bad for the repetition...
-          locations."/socket" = {
-            proxyPass = "http://127.0.0.1:8096/";
-            proxyWebsockets = true;
-          };
         };
       };
     };
+
+    services.fail2ban.jails = {
+      jellyfin = ''
+        enabled = true
+        filter = jellyfin
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/jellyfin.conf".text = ''
+        [Definition]
+        failregex = ^.*Authentication request for .* has been denied \(IP: "?<ADDR>"?\)\.
+        journalmatch = _SYSTEMD_UNIT=jellyfin.service
+      '';
+    };
   };
 }

modules/nixos/services/komga/default.nix

@@ -0,0 +1,55 @@
+# A Comics/Manga media server
+{ config, lib, ... }:
+let
+  cfg = config.my.services.komga;
+in
+{
+  options.my.services.komga = with lib; {
+    enable = mkEnableOption "Komga comics server";
+
+    port = mkOption {
+      type = types.port;
+      default = 4584;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.komga = {
+      enable = true;
+
+      group = "media";
+
+      settings = {
+        server.port = cfg.port;
+        logging.level.org.gotson.komga = "DEBUG"; # Needed for fail2ban
+      };
+    };
+
+    # Set-up media group
+    users.groups.media = { };
+
+    my.services.nginx.virtualHosts = {
+      komga = {
+        inherit (cfg) port;
+      };
+    };
+
+    services.fail2ban.jails = {
+      komga = ''
+        enabled = true
+        filter = komga
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/komga.conf".text = ''
+        [Definition]
+        failregex = ^.* ip=<HOST>,.*Bad credentials.*$
+        journalmatch = _SYSTEMD_UNIT=komga.service
+      '';
+    };
+  };
+}

modules/nixos/services/lohr/default.nix

@@ -99,7 +99,7 @@ in
         };
       };
       "${lohrHome}/.ssh/id_ed25519" = {
-        "f+" = {
+        "L+" = {
           user = "lohr";
           group = "lohr";
           mode = "0700";

modules/nixos/services/matrix/default.nix

@@ -26,21 +26,6 @@ in
       description = "Shared secret to register users";
     };
 
-    slidingSync = {
-      port = mkOption {
-        type = types.port;
-        default = 8009;
-        example = 8084;
-        description = "Port used by sliding sync server";
-      };
-
-      secretFile = mkOption {
-        type = types.str;
-        example = "/var/lib/matrix/sliding-sync-secret-file.env";
-        description = "Secret file which contains SYNCV3_SECRET definition";
-      };
-    };
-
     mailConfigFile = mkOption {
       type = types.str;
       example = "/var/lib/matrix/email-config.yaml";
@@ -106,17 +91,6 @@ in
       ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile;
     };
 
-    services.matrix-sliding-sync = {
-      enable = true;
-
-      settings = {
-        SYNCV3_SERVER = "https://${matrixDomain}";
-        SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}";
-      };
-
-      environmentFile = cfg.slidingSync.secretFile;
-    };
-
     my.services.nginx.virtualHosts = {
       # Element Web app deployment
       chat = {
@@ -130,9 +104,6 @@ in
               "m.identity_server" = {
                 "base_url" = "https://vector.im";
               };
-              "org.matrix.msc3575.proxy" = {
-                "url" = "https://matrix-sync.${domain}";
-              };
             };
             showLabsSettings = true;
             defaultCountryCode = "FR"; # cocorico
@@ -152,10 +123,6 @@ in
       matrix-client = {
         port = clientPort.private;
       };
-      # Sliding sync
-      matrix-sync = {
-        inherit (cfg.slidingSync) port;
-      };
     };
 
     # Those are too complicated to use my wrapper...
@@ -178,11 +145,6 @@ in
 
             "/_matrix" = proxyToClientPort;
             "/_synapse/client" = proxyToClientPort;
-
-            # Sliding sync
-            "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
-              proxyPass = "http://${config.services.matrix-sliding-sync.settings.SYNCV3_BINDADDR}";
-            };
           };
 
         listen = [
@@ -228,7 +190,6 @@ in
             client = {
               "m.homeserver" = { "base_url" = "https://${matrixDomain}"; };
               "m.identity_server" = { "base_url" = "https://vector.im"; };
-              "org.matrix.msc3575.proxy" = { "url" = "https://matrix-sync.${domain}"; };
             };
             # ACAO required to allow element-web on any URL to request this json file
           in

modules/nixos/services/mealie/default.nix

@@ -35,12 +35,8 @@ in
 
         # Use PostgreSQL
         DB_ENGINE = "postgres";
-        POSTGRES_USER = "mealie";
-        POSTGRES_PASSWORD = "";
-        POSTGRES_SERVER = "/run/postgresql";
-        # Pydantic and/or mealie doesn't handle the URI correctly, hijack it
-        # with query parameters...
-        POSTGRES_DB = "mealie?host=/run/postgresql&dbname=mealie";
+        # Make it work with socket auth
+        POSTGRES_URL_OVERRIDE = "postgresql://mealie:@/mealie?host=/run/postgresql";
       };
     };
 
@@ -66,7 +62,30 @@ in
     my.services.nginx.virtualHosts = {
       mealie = {
         inherit (cfg) port;
+
+        extraConfig = {
+          # Allow bulk upload of recipes for import/export
+          locations."/".extraConfig = ''
+            client_max_body_size 0;
+          '';
+        };
       };
     };
+
+    services.fail2ban.jails = {
+      mealie = ''
+        enabled = true
+        filter = mealie
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/mealie.conf".text = ''
+        [Definition]
+        failregex = ^.*ERROR.*Incorrect username or password from <HOST>
+        journalmatch = _SYSTEMD_UNIT=mealie.service
+      '';
+    };
   };
 }

modules/nixos/services/miniflux/default.nix

@@ -48,5 +48,21 @@ in
         inherit (cfg) port;
       };
     };
+
+    services.fail2ban.jails = {
+      miniflux = ''
+        enabled = true
+        filter = miniflux
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/miniflux.conf".text = ''
+        [Definition]
+        failregex = ^.*msg="[^"]*(Incorrect|Invalid) username or password[^"]*".*client_ip=<ADDR>
+        journalmatch = _SYSTEMD_UNIT=miniflux.service
+      '';
+    };
   };
 }

modules/nixos/services/navidrome/default.nix

@@ -52,5 +52,21 @@ in
         inherit (cfg) port;
       };
     };
+
+    services.fail2ban.jails = {
+      navidrome = ''
+        enabled = true
+        filter = navidrome
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/navidrome.conf".text = ''
+        [Definition]
+        failregex = ^.*msg="Unsuccessful login".*X-Real-Ip:\[<HOST>\]
+        journalmatch = _SYSTEMD_UNIT=navidrome.service
+      '';
+    };
   };
 }

modules/nixos/services/nextcloud/collabora.nix

@@ -0,0 +1,50 @@
+# Document editor with Nextcloud
+{ config, lib, ... }:
+let
+  cfg = config.my.services.nextcloud.collabora;
+in
+{
+  options.my.services.nextcloud.collabora = with lib; {
+    enable = mkEnableOption "Collabora integration";
+
+    port = mkOption {
+      type = types.port;
+      default = 9980;
+      example = 8080;
+      description = "Internal port for API";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.collabora-online = {
+      enable = true;
+      inherit (cfg) port;
+
+      aliasGroups = [
+        {
+          host = "https://collabora.${config.networking.domain}";
+          # Allow using from nextcloud
+          aliases = [ "https://${config.services.nextcloud.hostName}" ];
+        }
+      ];
+
+      settings = {
+        # Rely on reverse proxy for SSL
+        ssl = {
+          enable = false;
+          termination = true;
+        };
+      };
+    };
+
+    my.services.nginx.virtualHosts = {
+      collabora = {
+        inherit (cfg) port;
+        websocketsLocations = [
+          "~ ^/cool/(.*)/ws$"
+          "^~ /cool/adminws"
+        ];
+      };
+    };
+  };
+}

modules/nixos/services/nextcloud/default.nix

@@ -4,6 +4,10 @@ let
   cfg = config.my.services.nextcloud;
 in
 {
+  imports = [
+    ./collabora.nix
+  ];
+
   options.my.services.nextcloud = with lib; {
     enable = mkEnableOption "Nextcloud";
     maxSize = mkOption {
@@ -31,7 +35,7 @@ in
   config = lib.mkIf cfg.enable {
     services.nextcloud = {
       enable = true;
-      package = pkgs.nextcloud28;
+      package = pkgs.nextcloud30;
       hostName = "nextcloud.${config.networking.domain}";
       home = "/var/lib/nextcloud";
       maxUploadSize = cfg.maxSize;
@@ -87,5 +91,25 @@ in
         "${config.services.nextcloud.home}/data/appdata_*/preview"
       ];
     };
+
+    services.fail2ban.jails = {
+      nextcloud = ''
+        enabled = true
+        filter = nextcloud
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/nextcloud.conf".text = ''
+        [Definition]
+        _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+        datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+        failregex = ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+                    ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+                    ^[^{]*\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
+        journalmatch = _SYSTEMD_UNIT=phpfpm-nextcloud.service
+      '';
+    };
   };
 }

modules/nixos/services/nginx/default.nix

@@ -17,6 +17,16 @@ let
         '';
       };
 
+      websocketsLocations = mkOption {
+        type = with types; listOf str;
+        default = [ ];
+        example = [ "/socket" ];
+        description = ''
+          Which locations on this virtual host should be configured for
+          websockets.
+        '';
+      };
+
       port = mkOption {
         type = with types; nullOr port;
         default = null;
@@ -59,14 +69,15 @@ let
 
       extraConfig = mkOption {
         type = types.attrs; # FIXME: forward type of virtualHosts
-        example = litteralExample ''
-          {
-            locations."/socket" = {
-              proxyPass = "http://127.0.0.1:8096/";
-              proxyWebsockets = true;
-            };
-          }
-        '';
+        example = {
+          extraConfig = ''
+            add_header X-Clacks-Overhead "GNU Terry Pratchett";
+          '';
+
+          locations."/".extraConfig = ''
+            client_max_body_size 1G;
+          '';
+        };
         default = { };
         description = ''
           Any extra configuration that should be applied to this virtual host.
@@ -76,10 +87,6 @@ let
   });
 in
 {
-  imports = [
-    ./sso
-  ];
-
   options.my.services.nginx = with lib; {
     enable = mkEnableOption "Nginx";
 
@@ -88,7 +95,7 @@ in
         type = types.str;
         example = "/var/lib/acme/creds.env";
         description = ''
-          Gandi API key file as an 'EnvironmentFile' (see `systemd.exec(5)`)
+          OVH API key file as an 'EnvironmentFile' (see `systemd.exec(5)`)
         '';
       };
     };
@@ -100,26 +107,19 @@ in
     virtualHosts = mkOption {
       type = types.attrsOf virtualHostOption;
       default = { };
-      example = litteralExample ''
-        {
-          gitea = {
-            subdomain = "git";
-            port = 8080;
-          };
-          dev = {
-            root = "/var/www/dev";
-          };
-          jellyfin = {
-            port = 8096;
-            extraConfig = {
-              locations."/socket" = {
-                proxyPass = "http://127.0.0.1:8096/";
-                proxyWebsockets = true;
-              };
-            };
-          };
-        }
-      '';
+      example = {
+        gitea = {
+          subdomain = "git";
+          port = 8080;
+        };
+        dev = {
+          root = "/var/www/dev";
+        };
+        jellyfin = {
+          port = 8096;
+          websocketsLocations = [ "/socket" ];
+        };
+      };
       description = ''
         List of virtual hosts to set-up using default settings.
       '';
@@ -163,25 +163,21 @@ in
             };
           };
         });
-        example = litteralExample ''
-          {
-            alice = {
-              passwordHashFile = "/var/lib/nginx-sso/alice/password-hash.txt";
-              totpSecretFile = "/var/lib/nginx-sso/alice/totp-secret.txt";
-            };
-          }
-        '';
+        example = {
+          alice = {
+            passwordHashFile = "/var/lib/nginx-sso/alice/password-hash.txt";
+            totpSecretFile = "/var/lib/nginx-sso/alice/totp-secret.txt";
+          };
+        };
         description = "Definition of users";
       };
 
       groups = mkOption {
         type = with types; attrsOf (listOf str);
-        example = litteralExample ''
-          {
-            root = [ "alice" ];
-            users = [ "alice" "bob" ];
-          }
-        '';
+        example = {
+          root = [ "alice" ];
+          users = [ "alice" "bob" ];
+        };
         description = "Groups of users";
       };
     };
@@ -203,6 +199,19 @@ in
           } configured.
         '';
       }))
+      ++ (lib.flip lib.mapAttrsToList cfg.virtualHosts (_: { subdomain, ... } @ args:
+      let
+        proxyPass = [ "port" "socket" ];
+        proxyPassUsed = lib.any (v: args.${v} != null) proxyPass;
+      in
+      {
+        assertion = args.websocketsLocations != [ ] -> proxyPassUsed;
+        message = ''
+          Subdomain '${subdomain}' can only use 'websocketsLocations' with one of ${
+            lib.concatStringsSep ", " (builtins.map (v: "'${v}'") proxyPass)
+          }.
+        '';
+      }))
       ++ (
       let
         ports = lib.my.mapFilter
@@ -244,11 +253,18 @@ in
       recommendedOptimisation = true;
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
-      recommendedZstdSettings = true;
 
       virtualHosts =
         let
           domain = config.networking.domain;
+          mkProxyPass = { websocketsLocations, ... }: proxyPass:
+            let
+              websockets = lib.genAttrs websocketsLocations (_: {
+                inherit proxyPass;
+                proxyWebsockets = true;
+              });
+            in
+            { "/" = { inherit proxyPass; }; } // websockets;
           mkVHost = ({ subdomain, ... } @ args: lib.nameValuePair
             "${subdomain}.${domain}"
             (lib.my.recursiveMerge [
@@ -259,8 +275,7 @@ in
               }
               # Proxy to port
               (lib.optionalAttrs (args.port != null) {
-                locations."/".proxyPass =
-                  "http://127.0.0.1:${toString args.port}";
+                locations = mkProxyPass args "http://127.0.0.1:${toString args.port}";
               })
               # Serve filesystem content
               (lib.optionalAttrs (args.root != null) {
@@ -268,8 +283,7 @@ in
               })
               # Serve to UNIX socket
               (lib.optionalAttrs (args.socket != null) {
-                locations."/".proxyPass =
-                  "http://unix:${args.socket}";
+                locations = mkProxyPass args "http://unix:${args.socket}";
               })
               # Redirect to a different domain
               (lib.optionalAttrs (args.redirect != null) {
@@ -289,6 +303,7 @@ in
 
                 locations."/" = {
                   extraConfig =
+                    # FIXME: check that X-User is dropped otherwise
                     (args.extraConfig.locations."/".extraConfig or "") + ''
                       # Use SSO
                       auth_request /sso-auth;
@@ -422,7 +437,8 @@ in
         {
           "${domain}" = {
             extraDomainNames = [ "*.${domain}" ];
-            dnsProvider = "gandiv5";
+            dnsProvider = "ovh";
+            dnsPropagationCheck = false; # OVH is slow
             inherit (cfg.acme) credentialsFile;
           };
         };

modules/nixos/services/nginx/sso/default.nix

@@ -1,89 +0,0 @@
-# I must override the module to allow having runtime secrets
-{ config, lib, pkgs, utils, ... }:
-let
-  cfg = config.services.nginx.sso;
-  pkg = lib.getBin cfg.package;
-  confPath = "/var/lib/nginx-sso/config.json";
-in
-{
-  disabledModules = [ "services/security/nginx-sso.nix" ];
-
-
-  options.services.nginx.sso = with lib; {
-    enable = mkEnableOption "nginx-sso service";
-
-    package = mkOption {
-      type = types.package;
-      default = pkgs.nginx-sso;
-      defaultText = "pkgs.nginx-sso";
-      description = ''
-        The nginx-sso package that should be used.
-      '';
-    };
-
-    configuration = mkOption {
-      type = types.attrsOf types.unspecified;
-      default = { };
-      example = literalExample ''
-        {
-          listen = { addr = "127.0.0.1"; port = 8080; };
-
-          providers.token.tokens = {
-            myuser = "MyToken";
-          };
-
-          acl = {
-            rule_sets = [
-              {
-                rules = [ { field = "x-application"; equals = "MyApp"; } ];
-                allow = [ "myuser" ];
-              }
-            ];
-          };
-        }
-      '';
-      description = ''
-        nginx-sso configuration
-        (<link xlink:href="https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration">documentation</link>)
-        as a Nix attribute set.
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.nginx-sso = {
-      description = "Nginx SSO Backend";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        StateDirectory = "nginx-sso";
-        WorkingDirectory = "/var/lib/nginx-sso";
-        # The files to be merged might not have the correct permissions
-        ExecStartPre = ''+${pkgs.writeShellScript "merge-nginx-sso-config" ''
-          rm -f '${confPath}'
-          ${utils.genJqSecretsReplacementSnippet cfg.configuration confPath}
-
-          # Fix permissions
-          chown nginx-sso:nginx-sso ${confPath}
-          chmod 0600 ${confPath}
-        ''
-        }'';
-        ExecStart = lib.mkForce ''
-          ${lib.getExe pkg} \
-            --config ${confPath} \
-            --frontend-dir ${pkg}/share/frontend
-        '';
-        Restart = "always";
-        User = "nginx-sso";
-        Group = "nginx-sso";
-      };
-    };
-
-    users.users.nginx-sso = {
-      isSystemUser = true;
-      group = "nginx-sso";
-    };
-
-    users.groups.nginx-sso = { };
-  };
-}

modules/nixos/services/nix-cache/default.nix

@@ -40,7 +40,7 @@ in
         inherit (cfg) priority;
       };
 
-      signKeyPath = cfg.secretKeyFile;
+      signKeyPaths = [ cfg.secretKeyFile ];
     };
 
     my.services.nginx.virtualHosts = {

modules/nixos/services/paperless/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 let
   cfg = config.my.services.paperless;
 in
@@ -61,11 +61,6 @@ in
           PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
           PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_USER";
 
-          # Use PostgreSQL
-          PAPERLESS_DBHOST = "/run/postgresql";
-          PAPERLESS_DBUSER = "paperless";
-          PAPERLESS_DBNAME = "paperless";
-
           # Security settings
           PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
           PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
@@ -80,63 +75,18 @@ in
           # Misc
           PAPERLESS_TIME_ZONE = config.time.timeZone;
           PAPERLESS_ADMIN_USER = cfg.username;
-
-          # Fix classifier hangs
-          LD_LIBRARY_PATH = "${lib.getLib pkgs.mkl}/lib";
         };
 
       # Admin password
       passwordFile = cfg.passwordFile;
-    };
 
-    systemd.services = {
-      paperless-scheduler = {
-        requires = [ "postgresql.service" ];
-        after = [ "postgresql.service" ];
+      # Secret key
+      environmentFile = cfg.secretKeyFile;
 
-        serviceConfig = {
-          EnvironmentFile = cfg.secretKeyFile;
-        };
+      # Automatic PostgreSQL provisioning
+      database = {
+        createLocally = true;
       };
-
-      paperless-consumer = {
-        requires = [ "postgresql.service" ];
-        after = [ "postgresql.service" ];
-
-        serviceConfig = {
-          EnvironmentFile = cfg.secretKeyFile;
-        };
-      };
-
-      paperless-web = {
-        requires = [ "postgresql.service" ];
-        after = [ "postgresql.service" ];
-
-        serviceConfig = {
-          EnvironmentFile = cfg.secretKeyFile;
-        };
-      };
-
-      paperless-task-queue = {
-        requires = [ "postgresql.service" ];
-        after = [ "postgresql.service" ];
-
-        serviceConfig = {
-          EnvironmentFile = cfg.secretKeyFile;
-        };
-      };
-    };
-
-    # Set-up database
-    services.postgresql = {
-      enable = true;
-      ensureDatabases = [ "paperless" ];
-      ensureUsers = [
-        {
-          name = "paperless";
-          ensureDBOwnership = true;
-        }
-      ];
     };
 
     # Set-up media group
@@ -152,11 +102,7 @@ in
         sso = {
           enable = true;
         };
-
-        # Enable websockets on root
-        extraConfig = {
-          locations."/".proxyWebsockets = true;
-        };
+        websocketsLocations = [ "/" ];
       };
     };
 

modules/nixos/services/pdf-edit/default.nix

@@ -0,0 +1,73 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.pdf-edit;
+in
+{
+  options.my.services.pdf-edit = with lib; {
+    enable = mkEnableOption "PDF edition service";
+
+    port = mkOption {
+      type = types.port;
+      default = 8089;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+
+    loginFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/pdf-edit/login.env";
+      description = ''
+        `SECURITY_INITIALLOGIN_USERNAME` and `SECURITY_INITIALLOGIN_PASSWORD`
+        defined in the format of 'EnvironmentFile' (see `systemd.exec(5)`).
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.stirling-pdf = lib.mkIf cfg.enable {
+      enable = true;
+
+      environment = {
+        SERVER_PORT = cfg.port;
+        SECURITY_CSRFDISABLED = "false";
+
+        SYSTEM_SHOWUPDATE = "false"; # We don't care about update notifications
+        INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true"; # Installed by the module
+
+        SECURITY_ENABLELOGIN = "true";
+        SECURITY_LOGINATTEMPTCOUNT = "-1"; # Rely on fail2ban instead
+      };
+
+      environmentFiles = [ cfg.loginFile ];
+    };
+
+    my.services.nginx.virtualHosts = {
+      pdf-edit = {
+        inherit (cfg) port;
+
+        extraConfig = {
+          # Allow upload of PDF files up to 1G
+          locations."/".extraConfig = ''
+            client_max_body_size 1G;
+          '';
+        };
+      };
+    };
+
+    services.fail2ban.jails = {
+      stirling-pdf = ''
+        enabled = true
+        filter = stirling-pdf
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/stirling-pdf.conf".text = ''
+        [Definition]
+        failregex = ^.*Failed login attempt from IP: <HOST>$
+        journalmatch = _SYSTEMD_UNIT=stirling-pdf.service
+      '';
+    };
+  };
+}

modules/nixos/services/podgrab/default.nix

@@ -13,7 +13,16 @@ in
       example = "/run/secrets/password.env";
       description = ''
         The path to a file containing the PASSWORD environment variable
-        definition for Podgrab's authentification.
+        definition for Podgrab's authentication.
+      '';
+    };
+
+    dataDir = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      example = "/mnt/podgrab";
+      description = ''
+        Path to the directory to store the podcasts. Use default if null
       '';
     };
 
@@ -29,8 +38,14 @@ in
     services.podgrab = {
       enable = true;
       inherit (cfg) passwordFile port;
+
+      group = "media";
+      dataDirectory = lib.mkIf (cfg.dataDir != null) cfg.dataDir;
     };
 
+    # Set-up media group
+    users.groups.media = { };
+
     my.services.nginx.virtualHosts = {
       podgrab = {
         inherit (cfg) port;

modules/nixos/services/postgresql/default.nix

@@ -14,30 +14,34 @@ in
     # Let other services enable postgres when they need it
     (lib.mkIf cfg.enable {
       services.postgresql = {
-        package = pkgs.postgresql_13;
+        package = pkgs.postgresql_17;
       };
     })
 
     # Taken from the manual
     (lib.mkIf cfg.upgradeScript {
-      containers.temp-pg.config.services.postgresql = {
-        enable = true;
-        package = pkgs.postgresql_13;
-      };
-
       environment.systemPackages =
         let
-          newpg = config.containers.temp-pg.config.services.postgresql;
+          pgCfg = config.services.postgresql;
+          newPackage' = pkgs.postgresql_17;
+
+          oldPackage = if pgCfg.enableJIT then pgCfg.package.withJIT else pgCfg.package;
+          oldData = pgCfg.dataDir;
+          oldBin = "${if pgCfg.extensions == [] then oldPackage else oldPackage.withPackages pgCfg.extensions}/bin";
+
+          newPackage = if pgCfg.enableJIT then newPackage'.withJIT else newPackage';
+          newData = "/var/lib/postgresql/${newPackage.psqlSchema}";
+          newBin = "${if pgCfg.extensions == [] then newPackage else newPackage.withPackages pgCfg.extensions}/bin";
         in
         [
           (pkgs.writeScriptBin "upgrade-pg-cluster" ''
             #!/usr/bin/env bash
 
-            set -x
-            export OLDDATA="${config.services.postgresql.dataDir}"
-            export NEWDATA="${newpg.dataDir}"
-            export OLDBIN="${config.services.postgresql.package}/bin"
-            export NEWBIN="${newpg.package}/bin"
+            set -eux
+            export OLDDATA="${oldData}"
+            export NEWDATA="${newData}"
+            export OLDBIN="${oldBin}"
+            export NEWBIN="${newBin}"
 
             if [ "$OLDDATA" -ef "$NEWDATA" ]; then
               echo "Cannot migrate to same data directory" >&2
@@ -46,14 +50,21 @@ in
 
             install -d -m 0700 -o postgres -g postgres "$NEWDATA"
             cd "$NEWDATA"
-            sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+            sudo -u postgres "$NEWBIN/initdb" -D "$NEWDATA"
 
             systemctl stop postgresql    # old one
 
-            sudo -u postgres $NEWBIN/pg_upgrade \
+            sudo -u postgres "$NEWBIN/pg_upgrade" \
               --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
-              --old-bindir $OLDBIN --new-bindir $NEWBIN \
+              --old-bindir "$OLDBIN" --new-bindir "$NEWBIN" \
               "$@"
+
+            cat << EOF
+              Run the following commands after setting:
+              services.postgresql.package = pkgs.postgresql_${lib.versions.major newPackage.version}
+                  sudo -u postgres vacuumdb --all --analyze-in-stages
+                  ${newData}/delete_old_cluster.sh
+            EOF
           '')
         ];
     })