flake: bump inputs

I should be relying on `clangd` instead, which should always be
available whenever `clang-format` was.

.woodpecker/check.yml

@@ -9,15 +9,15 @@ steps:
 
 - name: notifiy
   image: bash
-  secrets:
-  - source: matrix_homeserver
-    target: address
-  - source: matrix_roomid
-    target: room
-  - source: matrix_username
-    target: user
-  - source: matrix_password
-    target: pass
+  environment:
+    ADDRESS:
+      from_secret: matrix_homeserver
+    ROOM:
+      from_secret: matrix_roomid
+    USER:
+      from_secret: matrix_username
+    PASS:
+      from_secret: matrix_password
   commands:
   - nix run '.#matrix-notifier'
   when:

flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703433843,
-        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+        "lastModified": 1715290355,
+        "narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+        "rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706830856,
-        "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
+        "lastModified": 1715865404,
+        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
+        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -116,11 +116,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703887061,
-        "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
@@ -136,11 +136,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706955260,
-        "narHash": "sha256-W3y0j77IDVbmbajudHoUr46RpswujUCl+D5Vru53UsI=",
+        "lastModified": 1715930644,
+        "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "880d9bc2110f7cae59698f715b8ca42cdc53670c",
+        "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1706732774,
-        "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=",
+        "lastModified": 1715961556,
+        "narHash": "sha256-+NpbZRCRisUHKQJZF3CT+xn14ZZQO+KjxIIanH3Pvn4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d",
+        "rev": "4a6b83b05df1a8bd7d99095ec4b4d271f2956b64",
         "type": "github"
       },
       "original": {
@@ -168,11 +168,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1706978646,
-        "narHash": "sha256-XEFktO8Ba41zKawf1Uf6FKIR1x0ShuoSddYXU4PQbx8=",
+        "lastModified": 1716149933,
+        "narHash": "sha256-0Ui2HmmKvSqxXfT5kCzTu2EO+kqYxavPZHROxQLsI14=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "66d6b7b355f3b10ea4140f8b85b2e274c24d442a",
+        "rev": "0d0e224fe23a49977d871ae2fe2f14c84b03322a",
         "type": "github"
       },
       "original": {
@@ -185,9 +185,6 @@
     "pre-commit-hooks": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "flake-utils": [
-          "futils"
-        ],
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs"
@@ -197,11 +194,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706424699,
-        "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=",
+        "lastModified": 1715870890,
+        "narHash": "sha256-nacSOeXtUEM77Gn0G4bTdEOeFIrkCBXiyyFZtdGwuH0=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf",
+        "rev": "fa606cccd7b0ccebe2880051208e4a0f61bfc8c1",
         "type": "github"
       },
       "original": {

flake.nix

@@ -63,7 +63,6 @@
       repo = "pre-commit-hooks.nix";
       ref = "master";
       inputs = {
-        flake-utils.follows = "futils";
         nixpkgs.follows = "nixpkgs";
         nixpkgs-stable.follows = "nixpkgs";
       };

flake/default.nix

@@ -1,9 +1,9 @@
 { flake-parts
-, futils
+, systems
 , ...
 } @ inputs:
 let
-  mySystems = futils.lib.defaultSystems;
+  mySystems = import systems;
 in
 flake-parts.lib.mkFlake { inherit inputs; } {
   systems = mySystems;

hosts/homes/ambroisie@bazin/default.nix

@@ -1,5 +1,5 @@
 # Google Laptop configuration
-{ lib, pkgs, ... }:
+{ lib, options, pkgs, ... }:
 {
   services.gpg-agent.enable = lib.mkForce false;
 
@@ -12,8 +12,10 @@
       # I use scripts that use the passthrough sequence often on this host
       enablePassthrough = true;
 
-      # HTerm uses `xterm-256color` as its `$TERM`, so use that here
-      trueColorTerminals = [ "xterm-256color" ];
+      terminalFeatures = {
+        # HTerm uses `xterm-256color` as its `$TERM`, so use that here
+        xterm-256color = { };
+      };
     };
 
     ssh = {
@@ -21,5 +23,21 @@
         package = pkgs.emptyDirectory;
       };
     };
+
+    zsh = {
+      notify = {
+        enable = true;
+
+        exclude = options.my.home.zsh.notify.exclude.default ++ [
+          "adb shell$" # Only interactive shell sessions
+        ];
+
+        ssh = {
+          enable = true;
+          # `notify-send` is proxied to the ChromeOS layer
+          useOsc777 = false;
+        };
+      };
+    };
   };
 }

hosts/homes/ambroisie@mousqueton/default.nix

@@ -15,8 +15,10 @@
       # I use scripts that use the passthrough sequence often on this host
       enablePassthrough = true;
 
-      # HTerm uses `xterm-256color` as its `$TERM`, so use that here
-      trueColorTerminals = [ "xterm-256color" ];
+      terminalFeatures = {
+        # HTerm uses `xterm-256color` as its `$TERM`, so use that here
+        xterm-256color = { };
+      };
     };
   };
 }

hosts/nixos/aramis/home.nix

@@ -2,7 +2,7 @@
 {
   my.home = {
     # Use graphical pinentry
-    bitwarden.pinentry = "gtk2";
+    bitwarden.pinentry = pkgs.pinentry-gtk2;
     # Ebook library
     calibre.enable = true;
     # Some amount of social life
@@ -14,7 +14,7 @@
     # Blue light filter
     gammastep.enable = true;
     # Use a small popup to enter passwords
-    gpg.pinentry = "gtk2";
+    gpg.pinentry = pkgs.pinentry-gtk2;
     # Machine specific packages
     packages.additionalPackages = with pkgs; [
       element-desktop # Matrix client

hosts/nixos/porthos/boot.nix

@@ -3,15 +3,14 @@
 
 {
   boot = {
-    # Use the GRUB 2 boot loader.
-    loader.grub = {
-      enable = true;
-      # Define on which hard drive you want to install Grub.
-      device = "/dev/disk/by-id/ata-HGST_HUS724020ALA640_PN2181P6J58M1P";
+    # Use the systemd-boot EFI boot loader.
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
     };
 
     initrd = {
-      availableKernelModules = [ "uhci_hcd" "ahci" "usbhid" ];
+      availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "usbhid" "sd_mod" ];
       kernelModules = [ "dm-snapshot" ];
     };
 

hosts/nixos/porthos/default.nix

@@ -16,11 +16,5 @@
   # Set your time zone.
   time.timeZone = "Europe/Paris";
 
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "20.09"; # Did you read the comment?
+  system.stateVersion = "24.05"; # Did you read the comment?
 }

hosts/nixos/porthos/hardware.nix

@@ -1,5 +1,5 @@
 # Hardware configuration
-{ lib, modulesPath, ... }:
+{ modulesPath, ... }:
 
 {
   imports = [
@@ -11,9 +11,18 @@
     fsType = "ext4";
   };
 
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+
   swapDevices = [
     { device = "/dev/disk/by-label/swap"; }
   ];
 
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  my.hardware = {
+    firmware = {
+      cpuFlavor = "intel";
+    };
+  };
 }

hosts/nixos/porthos/home.nix

@@ -1,11 +1,18 @@
 { ... }:
 {
   my.home = {
-    # Allow using 24bit color when SSH-ing from various clients
-    tmux.trueColorTerminals = [
+    nix = {
+      cache = {
+        # This server is the one serving the cache, don't try to query it
+        selfHosted = false;
+      };
+    };
+
+    # Allow using extended features when SSH-ing from various clients
+    tmux.terminalFeatures = {
       # My usual terminal, e.g: on laptop
-      "alacritty"
-    ];
+      alacritty = { };
+    };
 
     # Always start a tmux session when opening a shell session
     zsh.launchTmux = true;

hosts/nixos/porthos/install.sh

@@ -3,7 +3,7 @@
 SWAP_SIZE=16GiB
 
 parted /dev/sda --script -- \
-    mklabel msdos \
+    mklabel gpt \
     mkpart primary 512MiB -$SWAP_SIZE \
     mkpart primary linux-swap -$SWAP_SIZE 100% \
     mkpart ESP fat32 1MiB 512MiB \
@@ -11,14 +11,24 @@ parted /dev/sda --script -- \
 
 parted /dev/sdb --script -- \
     mklabel gpt \
-    mkpart primary 0MiB 100%
+    mkpart primary 0% 100%
+parted /dev/sdc --script -- \
+    mklabel gpt \
+    mkpart primary 0% 100%
+parted /dev/sdd --script -- \
+    mklabel gpt \
+    mkpart primary 0% 100%
 
 mkfs.ext4 -L media1 /dev/sda1
 mkfs.ext4 -L media2 /dev/sdb1
+mkfs.ext4 -L media3 /dev/sdc1
+mkfs.ext4 -L media4 /dev/sdd1
 
 pvcreate /dev/sda1
 pvcreate /dev/sdb1
-vgcreate lvm /dev/sda1 /dev/sdb1
+pvcreate /dev/sdc1
+pvcreate /dev/sdd1
+vgcreate lvm /dev/sda1 /dev/sdb1 /dev/sdc1 /dev/sdd1
 lvcreate -l 100%FREE -n media lvm
 
 mkfs.ext4 -L nixos /dev/mapper/lvm-media
@@ -27,17 +37,17 @@ mkfs.fat -F 32 -n boot /dev/sda3
 
 mount /dev/disk/by-label/nixos /mnt
 swapon /dev/sda2
+mkdir -p /mnt/boot
+mount /dev/disk/by-label/boot /mnt/boot
 
 apt install sudo
 useradd -m -G sudo setupuser
-# shellcheck disable=2117
-su setupuser
 
 cat << EOF
 # Run the following commands as setup user
-curl -L https://nixos.org/nix/install | sh
-. $HOME/.nix-profile/etc/profile.d/nix.sh
-nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs
+curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
+. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+nix profile install nixpkgs#nixos-install-tools
 sudo "$(which nixos-generate-config)" --root /mnt
 
 # Change uuids to labels
@@ -54,3 +64,6 @@ git crypt unlock
 
 nixos-install --root /mnt --flake '.#<hostname>'
 EOF
+
+# shellcheck disable=2117
+su setupuser

hosts/nixos/porthos/networking.nix

@@ -6,30 +6,17 @@
     hostName = "porthos"; # Define your hostname.
     domain = "belanyi.fr"; # Define your domain.
 
-
-    # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-    # Per-interface useDHCP will be mandatory in the future, so this generated config
-    # replicates the default behaviour.
-    useDHCP = false;
-
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    useDHCP = true;
     interfaces = {
-      bond0.useDHCP = true;
-      bonding_masters.useDHCP = true;
-      dummy0.useDHCP = true;
-      erspan0.useDHCP = true;
-      eth0.useDHCP = true;
-      eth1.useDHCP = true;
-      gre0.useDHCP = true;
-      gretap0.useDHCP = true;
-      ifb0.useDHCP = true;
-      ifb1.useDHCP = true;
-      ip6tnl0.useDHCP = true;
-      sit0.useDHCP = true;
-      teql0.useDHCP = true;
-      tunl0.useDHCP = true;
+      eno1.useDHCP = true;
+      eno2.useDHCP = true;
     };
   };
 
   # Which interface is used to connect to the internet
-  my.hardware.networking.externalInterface = "eth0";
+  my.hardware.networking.externalInterface = "eno1";
 }

hosts/nixos/porthos/secrets/forgejo/mail-password.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg Lhgx43wR8PtAMf5v1eJxKlUBSAoOLdOOn/QaQrwF8zA
+jfUCpgNzkHCNTWCqtErDaLMmg1Oy+s9zUra1JLCi+J4
+-> ssh-ed25519 jPowng kSeQ/SmMrzd8ByVu3YHWeZyKmqFZvQSBnDunkB8e6wc
+WRmnfrV5xcRXA9t0ZXx6YvbRl0sX4PTrw63VVKX4Ei4
+--- a+LLM1gP9g1AbUapbeeKaS4cEcRBmPo3MHU2DSWTAds
+Ò,FÜÒ6”â⬘ixÌ<78>°Øe|
«
+²
+ÌÏœ,{†
ˆõvª!–†‰zÜ$P;ãé©TØÆÉKW
+ qGô

hosts/nixos/porthos/secrets/secrets.nix

@@ -21,13 +21,24 @@ in
   "drone/secret.age".publicKeys = all;
   "drone/ssh/private-key.age".publicKeys = all;
 
+  "forgejo/mail-password.age" = {
+    owner = "git";
+    publicKeys = all;
+  };
+
   "gitea/mail-password.age" = {
     owner = "git";
     publicKeys = all;
   };
 
-  "lohr/secret.age".publicKeys = all;
-  "lohr/ssh-key.age".publicKeys = all;
+  "lohr/secret.age" = {
+    owner = "lohr";
+    publicKeys = all;
+  };
+  "lohr/ssh-key.age" = {
+    owner = "lohr";
+    publicKeys = all;
+  };
 
   "matrix/mail.age" = {
     owner = "matrix-synapse";
@@ -41,6 +52,10 @@ in
     publicKeys = all;
   };
 
+  "mealie/mail.age" = {
+    publicKeys = all;
+  };
+
   "miniflux/credentials.age".publicKeys = all;
 
   "monitoring/password.age" = {

hosts/nixos/porthos/services.nix

@@ -10,6 +10,11 @@ in
     adblock = {
       enable = true;
     };
+    # Audiobook and podcast library
+    audiobookshelf = {
+      enable = true;
+      port = 9599;
+    };
     # Backblaze B2 backup
     backup = {
       enable = true;
@@ -36,14 +41,14 @@ in
     flood = {
       enable = true;
     };
-    # Gitea forge
-    gitea = {
+    # Forgejo forge
+    forgejo = {
       enable = true;
       mail = {
         enable = true;
-        host = "smtp.migadu.com:465";
-        user = lib.my.mkMailAddress "gitea" "belanyi.fr";
-        passwordFile = secrets."gitea/mail-password".path;
+        host = "smtp.migadu.com";
+        user = lib.my.mkMailAddress "forgejo" "belanyi.fr";
+        passwordFile = secrets."forgejo/mail-password".path;
       };
     };
     # Meta-indexers
@@ -68,6 +73,10 @@ in
         secretFile = secrets."matrix/sliding-sync-secret".path;
       };
     };
+    mealie = {
+      enable = true;
+      credentialsFile = secrets."mealie/mail".path;
+    };
     miniflux = {
       enable = true;
       credentialsFiles = secrets."miniflux/credentials".path;
@@ -130,6 +139,7 @@ in
     podgrab = {
       enable = true;
       passwordFile = secrets."podgrab/password".path;
+      dataDir = "/data/media/podcasts";
       port = 9598;
     };
     # Regular backups

modules/home/atuin/default.nix

@@ -25,6 +25,8 @@ in
         search_mode = "skim";
         # Show long command lines at the bottom
         show_preview = true;
+        # I like being able to edit my commands
+        enter_accept = false;
       };
     };
   };

modules/home/bitwarden/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.my.home.bitwarden;
 in
@@ -6,12 +6,7 @@ in
   options.my.home.bitwarden = with lib; {
     enable = my.mkDisableOption "bitwarden configuration";
 
-    pinentry = mkOption {
-      type = types.str;
-      default = "tty";
-      example = "gtk2";
-      description = "Which pinentry interface to use";
-    };
+    pinentry = mkPackageOption pkgs "pinentry" { default = [ "pinentry-tty" ]; };
   };
 
   config = lib.mkIf cfg.enable {

modules/home/default.nix

@@ -39,6 +39,7 @@
     ./tmux
     ./udiskie
     ./vim
+    ./wget
     ./wm
     ./x
     ./xdg

modules/home/direnv/default.nix

@@ -7,9 +7,9 @@ in
     enable = my.mkDisableOption "direnv configuration";
 
     defaultFlake = mkOption {
-      type = types.str;
-      default = "pkgs";
-      example = "nixpkgs";
+      type = with types; nullOr str;
+      default = null;
+      example = "pkgs";
       description = ''
         Which flake from the registry should be used for
         <command>use pkgs</command> by default.
@@ -39,7 +39,7 @@ in
       in
       lib.my.genAttrs' files linkLibFile;
 
-    home.sessionVariables = {
+    home.sessionVariables = lib.mkIf (cfg.defaultFlake != null) {
       DIRENV_DEFAULT_FLAKE = cfg.defaultFlake;
     };
   };

modules/home/gdb/default.nix

@@ -26,7 +26,14 @@ in
         gdb
       ];
 
-      xdg.configFile."gdb/gdbinit".source = ./gdbinit;
+      xdg = {
+        configFile."gdb/gdbinit".source = ./gdbinit;
+        dataFile. "gdb/.keep".text = "";
+      };
+
+      home.sessionVariables = {
+        GDBHISTFILE = "${config.xdg.dataHome}/gdb/gdb_history";
+      };
     }
 
     (lib.mkIf cfg.rr.enable {

modules/home/git/default.nix

@@ -148,6 +148,10 @@ in
         autoStash = true;
       };
 
+      rerere = {
+        enabled = true;
+      };
+
       url = {
         "git@git.belanyi.fr:" = {
           insteadOf = "https://git.belanyi.fr/";

modules/home/gpg/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.my.home.gpg;
 in
@@ -6,12 +6,7 @@ in
   options.my.home.gpg = with lib; {
     enable = my.mkDisableOption "gpg configuration";
 
-    pinentry = mkOption {
-      type = types.str;
-      default = "tty";
-      example = "gtk2";
-      description = "Which pinentry interface to use";
-    };
+    pinentry = mkPackageOption pkgs "pinentry" { default = [ "pinentry-tty" ]; };
   };
 
   config = lib.mkIf cfg.enable {
@@ -22,7 +17,7 @@ in
     services.gpg-agent = {
       enable = true;
       enableSshSupport = true; # One agent to rule them all
-      pinentryFlavor = cfg.pinentry;
+      pinentryPackage = cfg.pinentry;
       extraConfig = ''
         allow-loopback-pinentry
       '';

modules/home/nix/default.nix

@@ -12,7 +12,7 @@ let
       # Use pinned nixpkgs when using `nix run pkgs#<whatever>`
       pkgs = inputs.nixpkgs;
     }
-    (lib.optionalAttrs cfg.overrideNixpkgs {
+    (lib.optionalAttrs cfg.inputs.overrideNixpkgs {
       # ... And with `nix run nixpkgs#<whatever>`
       nixpkgs = inputs.nixpkgs;
     })
@@ -22,20 +22,26 @@ in
   options.my.home.nix = with lib; {
     enable = my.mkDisableOption "nix configuration";
 
-    linkInputs = my.mkDisableOption "link inputs to `$XDG_CONFIG_HOME/nix/inputs`";
+    cache = {
+      selfHosted = my.mkDisableOption "self-hosted cache";
+    };
 
-    addToRegistry = my.mkDisableOption "add inputs and self to registry";
+    inputs = {
+      link = my.mkDisableOption "link inputs to `/etc/nix/inputs/`";
 
-    addToNixPath = my.mkDisableOption "add inputs and self to nix path";
+      addToRegistry = my.mkDisableOption "add inputs and self to registry";
 
-    overrideNixpkgs = my.mkDisableOption "point nixpkgs to pinned system version";
+      addToNixPath = my.mkDisableOption "add inputs and self to nix path";
+
+      overrideNixpkgs = my.mkDisableOption "point nixpkgs to pinned system version";
+    };
   };
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
     {
       assertions = [
         {
-          assertion = cfg.addToNixPath -> cfg.linkInputs;
+          assertion = cfg.inputs.addToNixPath -> cfg.inputs.link;
           message = ''
             enabling `my.home.nix.addToNixPath` needs to have
             `my.home.nix.linkInputs = true`
@@ -54,7 +60,21 @@ in
       };
     }
 
-    (lib.mkIf cfg.addToRegistry {
+    (lib.mkIf cfg.cache.selfHosted {
+      nix = {
+        settings = {
+          extra-substituters = [
+            "https://cache.belanyi.fr/"
+          ];
+
+          extra-trusted-public-keys = [
+            "cache.belanyi.fr:LPhrTqufwfxTceg1nRWueDWf7/2zSVY9K00pq2UI7tw="
+          ];
+        };
+      };
+    })
+
+    (lib.mkIf cfg.inputs.addToRegistry {
       nix.registry =
         let
           makeEntry = v: { flake = v; };
@@ -63,7 +83,7 @@ in
         makeEntries channels;
     })
 
-    (lib.mkIf cfg.linkInputs {
+    (lib.mkIf cfg.inputs.link {
       xdg.configFile =
         let
           makeLink = n: v: {
@@ -75,7 +95,7 @@ in
         makeLinks channels;
     })
 
-    (lib.mkIf cfg.addToNixPath {
+    (lib.mkIf cfg.inputs.addToNixPath {
       home.sessionVariables.NIX_PATH = "${config.xdg.configHome}/nix/inputs\${NIX_PATH:+:$NIX_PATH}";
     })
   ]);

modules/home/pager/default.nix

@@ -16,6 +16,7 @@ in
       LESS = "-R -+X -c";
       # Better XDG compliance
       LESSHISTFILE = "${config.xdg.dataHome}/less/history";
+      LESSKEY = "${config.xdg.configHome}/less/lesskey";
     };
   };
 }

modules/home/ssh/default.nix

@@ -49,7 +49,7 @@ in
           };
 
           porthos = {
-            hostname = "91.121.177.163";
+            hostname = "37.187.146.15";
             identityFile = "~/.ssh/shared_rsa";
             user = "ambroisie";
           };

modules/home/tmux/default.nix

@@ -5,6 +5,14 @@ let
     config.my.home.x.enable
     (config.my.home.wm.windowManager != null)
   ];
+
+  mkTerminalFlags = opt: flag:
+    let
+      mkFlag = term: ''set -as terminal-features ",${term}:${flag}"'';
+      enabledTerminals = lib.filterAttrs (_: v: v.${opt}) cfg.terminalFeatures;
+      terminals = lib.attrNames enabledTerminals;
+    in
+    lib.concatMapStringsSep "\n" mkFlag terminals;
 in
 {
   options.my.home.tmux = with lib; {
@@ -12,16 +20,22 @@ in
 
     enablePassthrough = mkEnableOption "tmux DCS passthrough sequence";
 
-    trueColorTerminals = mkOption {
-      type = with types; listOf str;
-      default = lib.my.nullableToList config.my.home.terminal.program;
-      defaultText = ''
-        `[ config.my.home.terminal.program ]` if it is non-null, otherwise an
-        empty list.
+    terminalFeatures = mkOption {
+      type = with types; attrsOf (submodule {
+        options = {
+          hyperlinks = my.mkDisableOption "hyperlinks through OSC8";
+
+          trueColor = my.mkDisableOption "24-bit (RGB) color support";
+        };
+      });
+
+      default = { ${config.my.home.terminal.program} = { }; };
+      defaultText = litteralExpression ''
+        { ''${config.my.home.terminal.program} = { }; };
       '';
-      example = [ "xterm-256color" ];
+      example = { xterm-256color = { }; };
       description = ''
-        $TERM values which should be considered to always support 24-bit color.
+        $TERM values which should be considered to have additional features.
       '';
     };
   };
@@ -32,7 +46,7 @@ in
     keyMode = "vi"; # Home-row keys and other niceties
     clock24 = true; # I'm one of those heathens
     escapeTime = 0; # Let vim do its thing instead
-    historyLimit = 50000; # Bigger buffer
+    historyLimit = 100000; # Bigger buffer
     terminal = "tmux-256color"; # I want accurate termcap info
 
     plugins = with pkgs.tmuxPlugins; [
@@ -89,13 +103,10 @@ in
         ''
       }
 
+      # Force OSC8 hyperlinks for each relevant $TERM
+      ${mkTerminalFlags "hyperlinks" "hyperlinks"}
       # Force 24-bit color for each relevant $TERM
-      ${
-        let
-          mkTcFlag = term: ''set -as terminal-features ",${term}:RGB"'';
-        in
-        lib.concatMapStringsSep "\n" mkTcFlag cfg.trueColorTerminals
-      }
+      ${mkTerminalFlags "trueColor" "RGB"}
     '';
   };
 }

modules/home/vim/after/ftplugin/bp.vim

@@ -0,0 +1,7 @@
+" Create the `b:undo_ftplugin` variable if it doesn't exist
+call ftplugined#check_undo_ft()
+
+" Add comment format
+setlocal comments=b://,s1:/*,mb:*,ex:*/
+setlocal commentstring=//\ %s
+let b:undo_ftplugin.='|setlocal comments< commentstring<'

modules/home/vim/after/ftplugin/json.vim

@@ -0,0 +1,6 @@
+" Create the `b:undo_ftplugin` variable if it doesn't exist
+call ftplugined#check_undo_ft()
+
+" Use a small indentation value on JSON files
+setlocal shiftwidth=2
+let b:undo_ftplugin.='|setlocal shiftwidth<'

modules/home/vim/default.nix

@@ -105,7 +105,7 @@ in
       nixpkgs-fmt
 
       # Shell
-      shellcheck
+      nodePackages.bash-language-server
       shfmt
     ];
   };

modules/home/vim/ftdetect/blueprint.lua

@@ -0,0 +1,6 @@
+-- Use `bp` filetype for Blueprint files
+vim.filetype.add({
+    extension = {
+        bp = "bp",
+    },
+})

modules/home/vim/init.vim

@@ -88,6 +88,23 @@ set background=dark
 
 " 24 bit colors
 set termguicolors
+" Setup some overrides for gruvbox
+lua << EOF
+local gruvbox = require("gruvbox")
+local colors = gruvbox.palette
+
+gruvbox.setup({
+    overrides = {
+        -- Only URLs should be underlined
+        ["@string.special.path"] = { link = "GruvboxOrange" },
+        -- Revert back to the better diff highlighting
+        DiffAdd = { fg = colors.green, bg = "NONE" },
+        DiffChange = { fg = colors.aqua, bg = "NONE" },
+        DiffDelete = { fg = colors.red, bg = "NONE" },
+        DiffText = { fg = colors.yellow, bg = colors.bg0 },
+    }
+})
+EOF
 " Use my preferred colorscheme
 colorscheme gruvbox
 " }}}

modules/home/vim/lua/ambroisie/lsp.lua

@@ -51,8 +51,7 @@ M.on_attach = function(client, bufnr)
     local wk = require("which-key")
 
     local function list_workspace_folders()
-        local utils = require("ambroisie.utils")
-        utils.dump(vim.lsp.buf.list_workspace_folders())
+        vim.print(vim.lsp.buf.list_workspace_folders())
     end
 
     local function cycle_diagnostics_display()

modules/home/vim/lua/ambroisie/utils.lua

@@ -1,11 +1,5 @@
 local M = {}
 
---- pretty print lua object
---- @param obj any object to pretty print
-M.dump = function(obj)
-    print(vim.inspect(obj))
-end
-
 --- checks if a given command is executable
 --- @param cmd string? command to check
 --- @return boolean executable
@@ -15,7 +9,7 @@ end
 
 --- return a function that checks if a given command is executable
 --- @param cmd string? command to check
---- @return fun(cmd: string): boolean executable
+--- @return fun(): boolean executable
 M.is_executable_condition = function(cmd)
     return function()
         return M.is_executable(cmd)
@@ -40,11 +34,11 @@ M.is_ssh = function()
     return false
 end
 
---- list all active LSP clients for current buffer
+--- list all active LSP clients for specific buffer, or all buffers
 --- @param bufnr int? buffer number
 --- @return table all active LSP client names
 M.list_lsp_clients = function(bufnr)
-    local clients = vim.lsp.buf_get_clients(bufnr)
+    local clients = vim.lsp.get_active_clients({ bufnr = bufnr })
     local names = {}
 
     for _, client in ipairs(clients) do

modules/home/vim/plugin/settings/lspconfig.lua

@@ -29,16 +29,17 @@ if utils.is_executable("clangd") then
     })
 end
 
--- Nix
-if utils.is_executable("nil") then
-    lspconfig.nil_ls.setup({
+-- Haskell
+if utils.is_executable("haskell-language-server-wrapper") then
+    lspconfig.hls.setup({
         capabilities = capabilities,
         on_attach = lsp.on_attach,
     })
 end
 
-if utils.is_executable("rnix-lsp") then
-    lspconfig.rnix.setup({
+-- Nix
+if utils.is_executable("nil") then
+    lspconfig.nil_ls.setup({
         capabilities = capabilities,
         on_attach = lsp.on_attach,
     })
@@ -52,6 +53,13 @@ if utils.is_executable("pyright") then
     })
 end
 
+if utils.is_executable("ruff-lsp") then
+    lspconfig.ruff_lsp.setup({
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
+end
+
 -- Rust
 if utils.is_executable("rust-analyzer") then
     lspconfig.rust_analyzer.setup({
@@ -59,3 +67,12 @@ if utils.is_executable("rust-analyzer") then
         on_attach = lsp.on_attach,
     })
 end
+
+-- Shell
+if utils.is_executable("bash-language-server") then
+    lspconfig.bashls.setup({
+        filetypes = { "bash", "sh", "zsh" },
+        capabilities = capabilities,
+        on_attach = lsp.on_attach,
+    })
+end

modules/home/vim/plugin/settings/lualine.lua

@@ -10,7 +10,7 @@ local function list_spell_languages()
 end
 
 local function list_lsp_clients()
-    local client_names = utils.list_lsp_clients()
+    local client_names = utils.list_lsp_clients(0)
 
     if #client_names == 0 then
         return ""

modules/home/vim/plugin/settings/null-ls.lua

@@ -18,48 +18,16 @@ null_ls.register({
     }),
 })
 
--- C, C++
-null_ls.register({
-    null_ls.builtins.formatting.clang_format.with({
-        -- Only used if available, but prefer clangd formatting if available
-        condition = function()
-            return utils.is_executable("clang-format") and not utils.is_executable("clangd")
-        end,
-    }),
-})
-
--- Haskell
-null_ls.register({
-    null_ls.builtins.formatting.brittany.with({
-        -- Only used if available
-        condition = utils.is_executable_condition("brittany"),
-    }),
-})
-
 -- Nix
 null_ls.register({
     null_ls.builtins.formatting.nixpkgs_fmt.with({
-        -- Only used if available, but prefer rnix if available
-        condition = function()
-            return utils.is_executable("nixpkgs-fmt")
-                and not utils.is_executable("rnix-lsp")
-                and not utils.is_executable("nil")
-        end,
+        -- Only used if available
+        condition = utils.is_executable_condition("nixpkgs-fmt"),
     }),
 })
 
 -- Python
 null_ls.register({
-    null_ls.builtins.diagnostics.flake8.with({
-        -- Only used if available, but prefer pflake8 if available
-        condition = function()
-            return utils.is_executable("flake8") and not utils.is_executable("pflake8")
-        end,
-    }),
-    null_ls.builtins.diagnostics.pyproject_flake8.with({
-        -- Only used if available
-        condition = utils.is_executable_condition("pflake8"),
-    }),
     null_ls.builtins.diagnostics.mypy.with({
         -- Only used if available
         condition = utils.is_executable_condition("mypy"),
@@ -81,22 +49,6 @@ null_ls.register({
 
 -- Shell (non-POSIX)
 null_ls.register({
-    null_ls.builtins.code_actions.shellcheck.with({
-        -- Restrict to bash and zsh
-        filetypes = { "bash", "zsh" },
-        -- Only used if available
-        condition = utils.is_executable_condition("shellcheck"),
-    }),
-    null_ls.builtins.diagnostics.shellcheck.with({
-        -- Show error code in message
-        diagnostics_format = "[#{c}] #{m}",
-        -- Require explicit empty string test, use bash dialect
-        extra_args = { "-s", "bash", "-o", "avoid-nullary-conditions" },
-        -- Restrict to bash and zsh
-        filetypes = { "bash", "zsh" },
-        -- Only used if available
-        condition = utils.is_executable_condition("shellcheck"),
-    }),
     null_ls.builtins.formatting.shfmt.with({
         -- Indent with 4 spaces, simplify the code, indent switch cases,
         -- add space after redirection, use bash dialect
@@ -110,22 +62,6 @@ null_ls.register({
 
 -- Shell (POSIX)
 null_ls.register({
-    null_ls.builtins.code_actions.shellcheck.with({
-        -- Restrict to POSIX sh
-        filetypes = { "sh" },
-        -- Only used if available
-        condition = utils.is_executable_condition("shellcheck"),
-    }),
-    null_ls.builtins.diagnostics.shellcheck.with({
-        -- Show error code in message
-        diagnostics_format = "[#{c}] #{m}",
-        -- Require explicit empty string test
-        extra_args = { "-o", "avoid-nullary-conditions" },
-        -- Restrict to POSIX sh
-        filetypes = { "sh" },
-        -- Only used if available
-        condition = utils.is_executable_condition("shellcheck"),
-    }),
     null_ls.builtins.formatting.shfmt.with({
         -- Indent with 4 spaces, simplify the code, indent switch cases,
         -- add space after redirection, use POSIX

modules/home/wget/default.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.my.home.wget;
+in
+{
+  options.my.home.wget = with lib; {
+    enable = my.mkDisableOption "wget configuration";
+
+    package = mkPackageOption pkgs "wget" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = [
+      cfg.package
+    ];
+
+
+    home.sessionVariables = lib.mkIf cfg.enable {
+      WGETRC = "${config.xdg.configHome}/wgetrc";
+    };
+
+    xdg.configFile."wgetrc".text = ''
+      hsts-file = ${config.xdg.dataHome}/wget-hsts
+    '';
+  };
+}

modules/home/xdg/default.nix

@@ -42,14 +42,16 @@ in
     ANDROID_USER_HOME = "${configHome}/android";
     CARGO_HOME = "${dataHome}/cargo";
     DOCKER_CONFIG = "${configHome}/docker";
-    GDBHISTFILE = "${dataHome}/gdb/gdb_history";
+    GRADLE_USER_HOME = "${dataHome}/gradle";
     HISTFILE = "${dataHome}/bash/history";
     INPUTRC = "${configHome}/readline/inputrc";
-    LESSHISTFILE = "${dataHome}/less/history";
-    LESSKEY = "${configHome}/less/lesskey";
     PSQL_HISTORY = "${dataHome}/psql_history";
-    REPO_CONFIG_DIR = "${configHome}/repo";
+    PYTHONPYCACHEPREFIX = "${cacheHome}/python/";
+    PYTHONUSERBASE = "${dataHome}/python/";
+    PYTHON_HISTORY = "${stateHome}/python/history";
     REDISCLI_HISTFILE = "${dataHome}/redis/rediscli_history";
+    REPO_CONFIG_DIR = "${configHome}/repo";
     XCOMPOSECACHE = "${dataHome}/X11/xcompose";
+    _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${configHome}/java";
   };
 }

modules/home/zsh/default.nix

@@ -15,81 +15,152 @@ in
     enable = my.mkDisableOption "zsh configuration";
 
     launchTmux = mkEnableOption "auto launch tmux at shell start";
-  };
 
-  config = lib.mkIf cfg.enable {
-    home.packages = with pkgs; [
-      zsh-completions
-    ];
+    notify = {
+      enable = mkEnableOption "zsh-done notification";
 
-    programs.zsh = {
-      enable = true;
-      dotDir = "${relativeXdgConfig}/zsh"; # Don't clutter $HOME
-      enableCompletion = true;
-
-      history = {
-        size = 500000;
-        save = 500000;
-        extended = true;
-        expireDuplicatesFirst = true;
-        ignoreSpace = true;
-        ignoreDups = true;
-        share = false;
-        path = "${config.xdg.dataHome}/zsh/zsh_history";
+      exclude = mkOption {
+        type = with types; listOf str;
+        default = [
+          "delta"
+          "direnv reload"
+          "fg"
+          "git (?!push|pull|fetch)"
+          "htop"
+          "less"
+          "man"
+          "nvim"
+          "tail -f"
+          "tmux"
+          "vim"
+        ];
+        example = [ "command --long-running-option" ];
+        description = ''
+          List of exclusions which should not be create a notification. Accepts
+          Perl regexes (implicitly anchored with `^\s*`).
+        '';
       };
 
-      plugins = [
-        {
-          name = "fast-syntax-highlighting";
-          file = "share/zsh/site-functions/fast-syntax-highlighting.plugin.zsh";
-          src = pkgs.zsh-fast-syntax-highlighting;
-        }
-        {
-          name = "agkozak-zsh-prompt";
-          file = "share/zsh/site-functions/agkozak-zsh-prompt.plugin.zsh";
-          src = pkgs.agkozak-zsh-prompt;
-        }
-      ];
+      ssh = {
+        enable = mkEnableOption "notify through SSH/non-graphical connections";
 
-      # Modal editing is life, but CLI benefits from emacs gymnastics
-      defaultKeymap = "emacs";
-
-      # Make those happen early to avoid doing double the work
-      initExtraFirst = ''
-        ${
-          lib.optionalString cfg.launchTmux ''
-            # Launch tmux unless already inside one
-            if [ -z "$TMUX" ]; then
-              exec tmux new-session
-            fi
-          ''
-        }
-      '';
-
-      initExtra = ''
-        source ${./completion-styles.zsh}
-        source ${./extra-mappings.zsh}
-        source ${./options.zsh}
-
-        # Source local configuration
-        if [ -f "$ZDOTDIR/zshrc.local" ]; then
-          source "$ZDOTDIR/zshrc.local"
-        fi
-      '';
-
-      localVariables = {
-        # I like having the full path
-        AGKOZAK_PROMPT_DIRTRIM = 0;
-        # Because I *am* from EPITA
-        AGKOZAK_PROMPT_CHAR = [ "42sh$" "42sh#" ":" ];
-        # Easy on the eyes
-        AGKOZAK_COLORS_BRANCH_STATUS = "magenta";
-        # I don't like moving my eyes
-        AGKOZAK_LEFT_PROMPT_ONLY = 1;
+        useOsc777 = lib.my.mkDisableOption "use OSC-777 for notifications";
       };
-
-      # Enable VTE integration
-      enableVteIntegration = true;
     };
   };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      home.packages = with pkgs; [
+        zsh-completions
+      ];
+
+      programs.zsh = {
+        enable = true;
+        dotDir = "${relativeXdgConfig}/zsh"; # Don't clutter $HOME
+        enableCompletion = true;
+
+        history = {
+          size = 500000;
+          save = 500000;
+          extended = true;
+          expireDuplicatesFirst = true;
+          ignoreSpace = true;
+          ignoreDups = true;
+          share = false;
+          path = "${config.xdg.dataHome}/zsh/zsh_history";
+        };
+
+        plugins = [
+          {
+            name = "fast-syntax-highlighting";
+            file = "share/zsh/site-functions/fast-syntax-highlighting.plugin.zsh";
+            src = pkgs.zsh-fast-syntax-highlighting;
+          }
+          {
+            name = "agkozak-zsh-prompt";
+            file = "share/zsh/site-functions/agkozak-zsh-prompt.plugin.zsh";
+            src = pkgs.agkozak-zsh-prompt;
+          }
+        ];
+
+        # Modal editing is life, but CLI benefits from emacs gymnastics
+        defaultKeymap = "emacs";
+
+        # Make those happen early to avoid doing double the work
+        initExtraFirst = lib.mkBefore ''
+          ${
+            lib.optionalString cfg.launchTmux ''
+              # Launch tmux unless already inside one
+              if [ -z "$TMUX" ]; then
+                exec tmux new-session
+              fi
+            ''
+          }
+        '';
+
+        initExtra = lib.mkAfter ''
+          source ${./completion-styles.zsh}
+          source ${./extra-mappings.zsh}
+          source ${./options.zsh}
+
+          # Source local configuration
+          if [ -f "$ZDOTDIR/zshrc.local" ]; then
+            source "$ZDOTDIR/zshrc.local"
+          fi
+        '';
+
+        localVariables = {
+          # I like having the full path
+          AGKOZAK_PROMPT_DIRTRIM = 0;
+          # Because I *am* from EPITA
+          AGKOZAK_PROMPT_CHAR = [ "42sh$" "42sh#" ":" ];
+          # Easy on the eyes
+          AGKOZAK_COLORS_BRANCH_STATUS = "magenta";
+          # I don't like moving my eyes
+          AGKOZAK_LEFT_PROMPT_ONLY = 1;
+        };
+
+        # Enable VTE integration
+        enableVteIntegration = true;
+      };
+    }
+
+    (lib.mkIf cfg.notify.enable {
+      programs.zsh = {
+        plugins = [
+          {
+            name = "zsh-done";
+            file = "share/zsh/site-functions/done.plugin.zsh";
+            src = pkgs.ambroisie.zsh-done;
+          }
+        ];
+
+        # `localVariables` values don't get merged correctly due to their type,
+        # don't use `mkIf`
+        localVariables = {
+          DONE_EXCLUDE =
+            let
+              joined = lib.concatMapStringsSep "|" (c: "(${c})") cfg.notify.exclude;
+            in
+            ''^\s*(${joined})'';
+        }
+        # Enable `zsh-done` through SSH, if configured
+        // lib.optionalAttrs cfg.notify.ssh.enable {
+          DONE_ALLOW_NONGRAPHICAL = 1;
+        };
+
+        # Use OSC-777 to send the notification through SSH
+        initExtra = lib.mkIf cfg.notify.ssh.useOsc777 ''
+          done_send_notification() {
+            local exit_status="$1"
+            local title="$2"
+            local message="$3"
+
+            ${lib.getExe pkgs.ambroisie.osc777} "$title" "$message"
+          }
+        '';
+      };
+    })
+  ]);
 }

modules/nixos/hardware/bluetooth/default.nix

@@ -25,8 +25,8 @@ in
         package = pkgs.pulseaudioFull;
       };
 
-      environment.etc = {
-        "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
+      services.pipewire.wireplumber.configPackages = [
+        (pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
           bluez_monitor.properties = {
             -- SBC XQ provides better audio
             ["bluez5.enable-sbc-xq"] = true,
@@ -40,8 +40,8 @@ in
             -- FIXME: Some devices may now support both hsp_ag and hfp_ag
             ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
           }
-        '';
-      };
+        '')
+      ];
     })
 
     # Support for A2DP audio profile

modules/nixos/profiles/laptop/default.nix

@@ -9,7 +9,7 @@ in
 
   config = lib.mkIf cfg.enable {
     # Enable touchpad support
-    services.xserver.libinput.enable = true;
+    services.libinput.enable = true;
 
     # Enable TLP power management
     my.services.tlp.enable = true;

modules/nixos/services/audiobookshelf/default.nix

@@ -0,0 +1,39 @@
+# Audiobook and podcast library
+{ config, lib, ... }:
+let
+  cfg = config.my.services.audiobookshelf;
+in
+{
+  options.my.services.audiobookshelf = with lib; {
+    enable = mkEnableOption "Audiobookshelf, a self-hosted podcast manager";
+
+    port = mkOption {
+      type = types.port;
+      default = 8000;
+      example = 4242;
+      description = "The port on which Audiobookshelf will listen for incoming HTTP traffic.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.audiobookshelf = {
+      enable = true;
+      inherit (cfg) port;
+
+      group = "media";
+    };
+
+    # Set-up media group
+    users.groups.media = { };
+
+    my.services.nginx.virtualHosts = {
+      audiobookshelf = {
+        inherit (cfg) port;
+        # Proxy websockets for RPC
+        extraConfig = {
+          locations."/".proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}

modules/nixos/services/backup/default.nix

@@ -89,6 +89,16 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    # Essential files which should always be backed up
+    my.services.backup.paths = lib.flatten [
+      # Should be unique to a given host, used by some software (e.g: ZFS)
+      "/etc/machine-id"
+      # Contains the UID/GID map, and other useful state
+      "/var/lib/nixos"
+      # SSH host keys (and public keys for convenience)
+      (builtins.map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys)
+    ];
+
     services.restic.backups.backblaze = {
       # Take care of included and excluded files
       paths = cfg.paths;

modules/nixos/services/blog/default.nix

@@ -35,7 +35,7 @@ in
         useACMEHost = domain;
         default = true;
 
-        locations."/".return = "302 https://belanyi.fr$request_uri";
+        locations."/".return = "302 https://${domain}$request_uri";
       };
     };
 

modules/nixos/services/default.nix

@@ -4,18 +4,21 @@
   imports = [
     ./adblock
     ./aria
+    ./audiobookshelf
     ./backup
     ./blog
     ./calibre-web
     ./drone
     ./fail2ban
     ./flood
+    ./forgejo
     ./gitea
     ./grocy
     ./indexers
     ./jellyfin
     ./lohr
     ./matrix
+    ./mealie
     ./miniflux
     ./monitoring
     ./navidrome

modules/nixos/services/forgejo/default.nix

@@ -0,0 +1,162 @@
+# A low-ressource, full-featured git forge.
+{ config, lib, ... }:
+let
+  cfg = config.my.services.forgejo;
+in
+{
+  options.my.services.forgejo = with lib; {
+    enable = mkEnableOption "Forgejo";
+    port = mkOption {
+      type = types.port;
+      default = 3042;
+      example = 8080;
+      description = "Internal port";
+    };
+    mail = {
+      enable = mkEnableOption {
+        description = "mailer configuration";
+      };
+      host = mkOption {
+        type = types.str;
+        example = "smtp.example.com";
+        description = "Host for the mail account";
+      };
+      port = mkOption {
+        type = types.port;
+        default = 465;
+        example = 587;
+        description = "Port for the mail account";
+      };
+      user = mkOption {
+        type = types.str;
+        example = "forgejo@example.com";
+        description = "User for the mail account";
+      };
+      passwordFile = mkOption {
+        type = types.str;
+        example = "/run/secrets/forgejo-mail-password.txt";
+        description = "Password for the mail account";
+      };
+      protocol = mkOption {
+        type = types.str;
+        default = "smtps";
+        example = "smtp";
+        description = "Protocol for connection";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.enable -> !config.my.services.gitea.enable;
+        message = ''
+          `config.my.services.forgejo` is incompatible with
+          `config.my.services.gitea`.
+        '';
+      }
+    ];
+
+    services.forgejo =
+      let
+        inherit (config.networking) domain;
+        forgejoDomain = "git.${domain}";
+      in
+      {
+        enable = true;
+
+        user = "git";
+        group = "git";
+
+        lfs.enable = true;
+
+        useWizard = false;
+
+        database = {
+          type = "postgres"; # Automatic setup
+          user = "git"; # User needs to be the same as forgejo user
+          name = "git"; # Name must be the same as user for `ensureDBOwnership`
+        };
+
+        # NixOS module uses `forgejo dump` to backup repositories and the database,
+        # but it produces a single .zip file that's not very backup friendly.
+        # I configure my backup system manually below.
+        dump.enable = false;
+
+        mailerPasswordFile = lib.mkIf cfg.mail.enable cfg.mail.passwordFile;
+
+        settings = {
+          DEFAULT = {
+            APP_NAME = "Ambroisie's forge";
+          };
+
+          server = {
+            HTTP_PORT = cfg.port;
+            DOMAIN = forgejoDomain;
+            ROOT_URL = "https://${forgejoDomain}";
+          };
+
+          mailer = lib.mkIf cfg.mail.enable {
+            ENABLED = true;
+            SMTP_ADDR = cfg.mail.host;
+            SMTP_PORT = cfg.mail.port;
+            FROM = "Forgejo <${cfg.mail.user}>";
+            USER = cfg.mail.user;
+            PROTOCOL = cfg.mail.protocol;
+          };
+
+          service = {
+            DISABLE_REGISTRATION = true;
+          };
+
+          session = {
+            # only send cookies via HTTPS
+            COOKIE_SECURE = true;
+          };
+        };
+      };
+
+    users.users.git = {
+      description = "Forgejo Service";
+      home = config.services.forgejo.stateDir;
+      useDefaultShell = true;
+      group = "git";
+      isSystemUser = true;
+    };
+    users.groups.git = { };
+
+    my.services.nginx.virtualHosts = {
+      # Proxy to Forgejo
+      git = {
+        inherit (cfg) port;
+      };
+      # Redirect `forgejo.` to actual forge subdomain
+      forgejo = {
+        redirect = config.services.forgejo.settings.server.ROOT_URL;
+      };
+    };
+
+    my.services.backup = {
+      paths = [
+        config.services.forgejo.lfs.contentDir
+        config.services.forgejo.repositoryRoot
+      ];
+    };
+
+    services.fail2ban.jails = {
+      forgejo = ''
+        enabled = true
+        filter = forgejo
+        action = iptables-allports
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/forgejo.conf".text = ''
+        [Definition]
+        failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
+        journalmatch = _SYSTEMD_UNIT=forgejo.service
+      '';
+    };
+  };
+}

modules/nixos/services/gitea/default.nix

@@ -18,9 +18,15 @@ in
       };
       host = mkOption {
         type = types.str;
-        example = "smtp.example.com:465";
+        example = "smtp.example.com";
         description = "Host for the mail account";
       };
+      port = mkOption {
+        type = types.port;
+        default = 465;
+        example = 587;
+        description = "Port for the mail account";
+      };
       user = mkOption {
         type = types.str;
         example = "gitea@example.com";
@@ -31,17 +37,11 @@ in
         example = "/run/secrets/gitea-mail-password.txt";
         description = "Password for the mail account";
       };
-      type = mkOption {
+      protocol = mkOption {
         type = types.str;
-        default = "smtp";
+        default = "smtps";
         example = "smtp";
-        description = "Password for the mail account";
-      };
-      tls = mkOption {
-        type = types.bool;
-        default = true;
-        example = false;
-        description = "Use TLS for connection";
+        description = "Protocol for connection";
       };
     };
   };
@@ -58,6 +58,8 @@ in
         appName = "Ambroisie's forge";
 
         user = "git";
+        group = "git";
+
         lfs.enable = true;
 
         useWizard = false;
@@ -84,11 +86,11 @@ in
 
           mailer = lib.mkIf cfg.mail.enable {
             ENABLED = true;
-            HOST = cfg.mail.host;
-            FROM = cfg.mail.user;
+            SMTP_ADDR = cfg.mail.host;
+            SMTP_PORT = cfg.mail.port;
+            FROM = "Gitea <${cfg.mail.user}>";
             USER = cfg.mail.user;
-            MAILER_TYPE = cfg.mail.type;
-            IS_TLS_ENABLED = cfg.mail.tls;
+            PROTOCOL = cfg.mail.protocol;
           };
 
           service = {
@@ -107,11 +109,6 @@ in
       home = config.services.gitea.stateDir;
       useDefaultShell = true;
       group = "git";
-
-      # The service for gitea seems to hardcode the group as
-      # gitea, so, uh, just in case?
-      extraGroups = [ "gitea" ];
-
       isSystemUser = true;
     };
     users.groups.git = { };

modules/nixos/services/lohr/default.nix

@@ -59,21 +59,6 @@ in
           "LOHR_HOME=${lohrHome}"
           "LOHR_CONFIG="
         ];
-        ExecStartPre = lib.mkIf (cfg.sshKeyFile != null) ''+${
-          pkgs.writeScript "copy-ssh-key" ''
-            #!${pkgs.bash}/bin/bash
-            # Ensure the key is not there
-            mkdir -p '${lohrHome}/.ssh'
-            rm -f '${lohrHome}/.ssh/id_ed25519'
-
-            # Move the key into place
-            cp ${cfg.sshKeyFile} '${lohrHome}/.ssh/id_ed25519'
-
-            # Fix permissions
-            chown -R lohr:lohr '${lohrHome}/.ssh'
-            chmod -R 0700 '${lohrHome}/.ssh'
-          ''
-        }'';
         ExecStart =
           let
             configFile = settingsFormat.generate "lohr-config.yaml" cfg.setting;
@@ -103,5 +88,24 @@ in
         inherit (cfg) port;
       };
     };
+
+    # SSH key provisioning
+    systemd.tmpfiles.settings."10-lohr" = lib.mkIf (cfg.sshKeyFile != null) {
+      "${lohrHome}/.ssh" = {
+        d = {
+          user = "lohr";
+          group = "lohr";
+          mode = "0700";
+        };
+      };
+      "${lohrHome}/.ssh/id_ed25519" = {
+        "L+" = {
+          user = "lohr";
+          group = "lohr";
+          mode = "0700";
+          argument = cfg.sshKeyFile;
+        };
+      };
+    };
   };
 }

modules/nixos/services/mealie/default.nix

@@ -0,0 +1,79 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.mealie;
+in
+{
+  options.my.services.mealie = with lib; {
+    enable = mkEnableOption "Mealie service";
+
+    port = mkOption {
+      type = types.port;
+      default = 4537;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+
+    credentialsFile = mkOption {
+      type = types.str;
+      example = "/var/lib/mealie/credentials.env";
+      description = ''
+        Configuration file for secrets.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.mealie = {
+      enable = true;
+      inherit (cfg) port credentialsFile;
+
+      settings = {
+        # Basic settings
+        BASE_URL = "https://mealie.${config.networking.domain}";
+        TZ = config.time.timeZone;
+        ALLOw_SIGNUP = "false";
+
+        # Use PostgreSQL
+        DB_ENGINE = "postgres";
+        POSTGRES_USER = "mealie";
+        POSTGRES_PASSWORD = "";
+        POSTGRES_SERVER = "/run/postgresql";
+        # Pydantic and/or mealie doesn't handle the URI correctly, hijack it
+        # with query parameters...
+        POSTGRES_DB = "mealie?host=/run/postgresql&dbname=mealie";
+      };
+    };
+
+    systemd.services = {
+      mealie = {
+        after = [ "postgresql.service" ];
+        requires = [ "postgresql.service" ];
+      };
+    };
+
+    # Set-up database
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "mealie" ];
+      ensureUsers = [
+        {
+          name = "mealie";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    my.services.nginx.virtualHosts = {
+      mealie = {
+        inherit (cfg) port;
+
+        extraConfig = {
+          # Allow bulk upload of recipes for import/export
+          locations."/".extraConfig = ''
+            client_max_body_size 0;
+          '';
+        };
+      };
+    };
+  };
+}

modules/nixos/services/nextcloud/default.nix

@@ -31,7 +31,7 @@ in
   config = lib.mkIf cfg.enable {
     services.nextcloud = {
       enable = true;
-      package = pkgs.nextcloud28;
+      package = pkgs.nextcloud29;
       hostName = "nextcloud.${config.networking.domain}";
       home = "/var/lib/nextcloud";
       maxUploadSize = cfg.maxSize;

modules/nixos/services/podgrab/default.nix

@@ -17,6 +17,15 @@ in
       '';
     };
 
+    dataDir = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      example = "/mnt/podgrab";
+      description = ''
+        Path to the directory to store the podcasts. Use default if null
+      '';
+    };
+
     port = mkOption {
       type = types.port;
       default = 8080;
@@ -29,8 +38,14 @@ in
     services.podgrab = {
       enable = true;
       inherit (cfg) passwordFile port;
+
+      group = "media";
+      dataDirectory = lib.mkIf (cfg.dataDir != null) cfg.dataDir;
     };
 
+    # Set-up media group
+    users.groups.media = { };
+
     my.services.nginx.virtualHosts = {
       podgrab = {
         inherit (cfg) port;

modules/nixos/services/postgresql/default.nix

@@ -20,24 +20,28 @@ in
 
     # Taken from the manual
     (lib.mkIf cfg.upgradeScript {
-      containers.temp-pg.config.services.postgresql = {
-        enable = true;
-        package = pkgs.postgresql_13;
-      };
-
       environment.systemPackages =
         let
-          newpg = config.containers.temp-pg.config.services.postgresql;
+          pgCfg = config.services.postgresql;
+          newPackage' = pkgs.postgresql_13;
+
+          oldPackage = if pgCfg.enableJIT then pgCfg.package.withJIT else pgCfg.package;
+          oldData = pgCfg.dataDir;
+          oldBin = "${if pgCfg.extraPlugins == [] then oldPackage else oldPackage.withPackages pgCfg.extraPlugins}/bin";
+
+          newPackage = if pgCfg.enableJIT then newPackage'.withJIT else newPackage';
+          newData = "/var/lib/postgresql/${newPackage.psqlSchema}";
+          newBin = "${if pgCfg.extraPlugins == [] then newPackage else newPackage.withPackages pgCfg.extraPlugins}/bin";
         in
         [
           (pkgs.writeScriptBin "upgrade-pg-cluster" ''
             #!/usr/bin/env bash
 
-            set -x
-            export OLDDATA="${config.services.postgresql.dataDir}"
-            export NEWDATA="${newpg.dataDir}"
-            export OLDBIN="${config.services.postgresql.package}/bin"
-            export NEWBIN="${newpg.package}/bin"
+            set -eux
+            export OLDDATA="${oldData}"
+            export NEWDATA="${newData}"
+            export OLDBIN="${oldBin}"
+            export NEWBIN="${newBin}"
 
             if [ "$OLDDATA" -ef "$NEWDATA" ]; then
               echo "Cannot migrate to same data directory" >&2
@@ -46,14 +50,21 @@ in
 
             install -d -m 0700 -o postgres -g postgres "$NEWDATA"
             cd "$NEWDATA"
-            sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+            sudo -u postgres "$NEWBIN/initdb" -D "$NEWDATA"
 
             systemctl stop postgresql    # old one
 
-            sudo -u postgres $NEWBIN/pg_upgrade \
+            sudo -u postgres "$NEWBIN/pg_upgrade" \
               --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
-              --old-bindir $OLDBIN --new-bindir $NEWBIN \
+              --old-bindir "$OLDBIN" --new-bindir "$NEWBIN" \
               "$@"
+
+            cat << EOF
+              Run the following commands after setting:
+              services.postgresql.package = pkgs.postgresql_${lib.versions.major newPackage.version}
+                  sudo -u postgres vacuumdb --all --analyze-in-stages
+                  ${newData}/delete_old_cluster.sh
+            EOF
           '')
         ];
     })

modules/nixos/services/pyload/default.nix

@@ -39,31 +39,12 @@ in
         downloadDirectory
         port
         ;
-    };
 
-    # Use pyload user/media group when downloading files
-    systemd.services.pyload = {
-      serviceConfig = {
-        User = lib.mkForce "pyload";
-        Group = lib.mkForce "media";
-        DynamicUser = lib.mkForce false;
-      };
-    };
-
-    # And make sure the download directory has the correct owners
-    systemd.tmpfiles.settings.pyload = {
-      ${cfg.downloadDirectory}.d = {
-        user = "pyload";
-        group = "media";
-      };
-    };
-
-    # Set-up pyload user and media group
-    users.users.pyload = {
-      isSystemUser = true;
+      # Use media group when downloading files
       group = "media";
     };
 
+    # Set-up media group
     users.groups.media = { };
 
     my.services.nginx.virtualHosts = {

modules/nixos/services/rss-bridge/default.nix

@@ -11,7 +11,9 @@ in
   config = lib.mkIf cfg.enable {
     services.rss-bridge = {
       enable = true;
-      whitelist = [ "*" ]; # Whitelist all
+      config = {
+        system.enabled_bridges = [ "*" ]; # Whitelist all
+      };
       virtualHost = "rss-bridge.${config.networking.domain}";
     };
 

modules/nixos/services/tandoor-recipes/default.nix

@@ -73,6 +73,13 @@ in
     my.services.nginx.virtualHosts = {
       recipes = {
         inherit (cfg) port;
+
+        extraConfig = {
+          # Allow bulk upload of recipes for import/export
+          locations."/".extraConfig = ''
+            client_max_body_size 0;
+          '';
+        };
       };
     };
   };

modules/nixos/services/vikunja/default.nix

@@ -30,8 +30,6 @@ in
       frontendScheme = "https";
       frontendHostname = vikunjaDomain;
 
-      setupNginx = false;
-
       database = {
         type = "postgres";
         user = "vikunja";
@@ -61,28 +59,11 @@ in
     # This is a weird setup
     my.services.nginx.virtualHosts = {
       ${subdomain} = {
-        # Serve the root for the web-ui
-        root = config.services.vikunja.package-frontend;
-
-        extraConfig = {
-          locations = {
-            "/" = {
-              tryFiles = "try_files $uri $uri/ /";
-            };
-
-            # Serve the API through a UNIX socket
-            "~* ^/(api|dav|\\.well-known)/" = {
-              proxyPass = "http://unix:${socketPath}";
-              extraConfig = ''
-                client_max_body_size 20M;
-              '';
-            };
-          };
-        };
+        socket = socketPath;
       };
     };
 
-    systemd.services.vikunja-api = {
+    systemd.services.vikunja = {
       serviceConfig = {
         # Use a system user to simplify using the CLI
         DynamicUser = lib.mkForce false;

modules/nixos/services/wireguard/default.nix

@@ -13,7 +13,7 @@ let
     porthos = {
       clientNum = 1;
       publicKey = "PLdgsizztddri0LYtjuNHr5r2E8D+yI+gM8cm5WDfHQ=";
-      externalIp = "91.121.177.163";
+      externalIp = "37.187.146.15";
     };
 
     # "Clients"

modules/nixos/services/woodpecker/agent-exec/default.nix

@@ -44,6 +44,8 @@ in
       serviceConfig = {
         # Same option as upstream, without @setuid
         SystemCallFilter = lib.mkForce "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap";
+        # NodeJS requires RWX memory...
+        MemoryDenyWriteExecute = lib.mkForce false;
 
         BindPaths = [
           "/nix/var/nix/daemon-socket/socket"

modules/nixos/services/woodpecker/default.nix

@@ -8,6 +8,12 @@
 
   options.my.services.woodpecker = with lib; {
     enable = mkEnableOption "Woodpecker CI";
+    forge = mkOption {
+      type = types.enum [ "gitea" "forgejo" ];
+      default = "forgejo";
+      example = "gitea";
+      description = "Which Forge to connect to";
+    };
     runners = mkOption {
       type = with types; listOf (enum [ "exec" "docker" ]);
       default = [ ];

modules/nixos/services/woodpecker/server/default.nix

@@ -17,7 +17,7 @@ in
         WOODPECKER_GRPC_ADDR = ":${toString cfg.rpcPort}";
 
         WOODPECKER_GITEA = "true";
-        WOODPECKER_GITEA_URL = config.services.gitea.settings.server.ROOT_URL;
+        WOODPECKER_GITEA_URL = config.services.${cfg.forge}.settings.server.ROOT_URL;
 
         WOODPECKER_LOG_LEVEL = "debug";
       };

modules/nixos/system/nix/default.nix

@@ -56,6 +56,8 @@ in
 
         settings = {
           experimental-features = [ "nix-command" "flakes" ];
+          # Trusted users are equivalent to root, and might as well allow wheel
+          trusted-users = [ "root" "@wheel" ];
         };
       };
     }

overlays/gruvbox-nvim-better-diff/colours.patch

@@ -1,28 +0,0 @@
-From 416b3c9c5e783d173ac0fd5310a76c1b144b92c1 Mon Sep 17 00:00:00 2001
-From: eeeXun <sdes96303@gmail.com>
-Date: Thu, 19 Oct 2023 02:34:12 +0800
-Subject: Use better diff colours
-
----
- README.md       | 3 ++-
- lua/gruvbox.lua | 7 ++++---
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/lua/gruvbox.lua b/lua/gruvbox.lua
-index ceba0735..a319fc6a 100644
---- a/lua/gruvbox.lua
-+++ b/lua/gruvbox.lua
-@@ -360,9 +361,9 @@ local function get_groups()
-     PmenuSel = { fg = colors.bg2, bg = colors.blue, bold = config.bold },
-     PmenuSbar = { bg = colors.bg2 },
-     PmenuThumb = { bg = colors.bg4 },
--    DiffDelete = { bg = colors.dark_red },
--    DiffAdd = { bg = colors.dark_green },
--    DiffChange = { bg = colors.dark_aqua },
--    DiffText = { bg = colors.yellow, fg = colors.bg0 },
-+    DiffDelete = { fg = colors.red },
-+    DiffAdd = { fg = colors.green },
-+    DiffChange = { fg = colors.aqua },
-+    DiffText = { fg = colors.yellow, bg = colors.bg0 },
-     SpellCap = { link = "GruvboxBlueUnderline" },
-     SpellBad = { link = "GruvboxRedUnderline" },

overlays/gruvbox-nvim-better-diff/generated.nix

@@ -1,24 +0,0 @@
-{ vimUtils, fetchFromGitHub }:
-
-_final: _prev: {
-  gruvbox-nvim = vimUtils.buildVimPlugin {
-    pname = "gruvbox.nvim";
-    version = "2023-10-07";
-
-    src = fetchFromGitHub {
-      owner = "ellisonleao";
-      repo = "gruvbox.nvim";
-      rev = "477c62493c82684ed510c4f70eaf83802e398898";
-      sha256 = "0250c24c6n6yri48l288irdawhqs16qna3y74rdkgjd2jvh66vdm";
-    };
-
-    patches = [
-      # Inspired by https://github.com/ellisonleao/gruvbox.nvim/pull/291
-      ./colours.patch
-    ];
-
-    meta = {
-      homepage = "https://github.com/ellisonleao/gruvbox.nvim/";
-    };
-  };
-}

overlays/gruvbox-nvin-expose-palette/generated.nix

@@ -0,0 +1,14 @@
+{ fetchpatch, ... }:
+
+_final: prev: {
+  gruvbox-nvim = prev.gruvbox-nvim.overrideAttrs (oa: {
+    patches = (oa.patches or [ ]) ++ [
+      # https://github.com/ellisonleao/gruvbox.nvim/pull/319
+      (fetchpatch {
+        name = "expose-color-palette.patch";
+        url = "https://github.com/ellisonleao/gruvbox.nvim/commit/07a493ba4f8b650aab9ed9e486caa89822be0996.patch";
+        hash = "sha256-iGwt8qIHe2vaiAUcpaUxyGlM472F89vobTdQ7CF/H70=";
+      })
+    ];
+  });
+}

overlays/tandoor-recipes-failing-test/default.nix

@@ -1,9 +0,0 @@
-_self: super:
-{
-  tandoor-recipes = super.tandoor-recipes.overridePythonAttrs (oa: {
-    disabledTests = (oa.disabledTests or [ ]) ++ [
-      "test_search_count"
-      "test_url_import_regex_replace"
-    ];
-  });
-}

pkgs/zsh-done/default.nix

@@ -2,13 +2,13 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "zsh-done";
-  version = "0.1.0";
+  version = "0.1.1";
 
   src = fetchFromGitHub {
     owner = "ambroisie";
     repo = "zsh-done";
     rev = "v${version}";
-    hash = "sha256-DC7urJDXPP9vBYABrJF5KZ4HfMbrpHIVogSmEB8PWLA=";
+    hash = "sha256-dyhPhoMrAfDWtrBX5TA+B3G7QZ7gBhoDGNOEqGsCBQU=";
   };
 
   dontConfigure = true;
@@ -26,7 +26,7 @@ stdenvNoCC.mkDerivation rec {
     description = ''
       A zsh plug-in to receive notifications when long processes finish
     '';
-    homepage = "https://gitea.belanyi.fr/ambroisie/zsh-done";
+    homepage = "https://git.belanyi.fr/ambroisie/zsh-done";
     license = licenses.mit;
     platforms = platforms.unix;
     maintainers = with maintainers; [ ambroisie ];

templates/c++-cmake/.woodpecker/check.yml

@@ -1,7 +1,12 @@
 labels:
-  type: exec
+  backend: local
 
 steps:
+- name: pre-commit check
+  image: bash
+  commands:
+  - nix develop --command pre-commit run --all
+
 - name: nix flake check
   image: bash
   commands:
@@ -9,17 +14,17 @@ steps:
 
 - name: notifiy
   image: bash
-  secrets:
-  - source: matrix_homeserver
-    target: address
-  - source: matrix_roomid
-    target: room
-  - source: matrix_username
-    target: user
-  - source: matrix_password
-    target: pass
+  environment:
+    ADDRESS:
+      from_secret: matrix_homeserver
+    ROOM:
+      from_secret: matrix_roomid
+    USER:
+      from_secret: matrix_username
+    PASS:
+      from_secret: matrix_password
   commands:
-  - nix run '.#matrix-notifier'
+  - nix run github:ambroisie/matrix-notifier
   when:
     status:
     - failure

templates/c++-cmake/flake.nix

@@ -52,7 +52,7 @@
 
             meta = with lib; {
               description = "A C++ project";
-              homepage = "https://gitea.belanyi.fr/ambroisie/project";
+              homepage = "https://git.belanyi.fr/ambroisie/project";
               license = licenses.mit;
               maintainers = with maintainers; [ ambroisie ];
               platforms = platforms.unix;

templates/c++-cmake/tests/unit/CMakeLists.txt

@@ -1,15 +1,15 @@
 find_package(GTest)
 
-if (${GTest_FOUND})
-include(GoogleTest)
+if(${GTest_FOUND})
+  include(GoogleTest)
 
-add_executable(dummy_test dummy_test.cc)
-target_link_libraries(dummy_test PRIVATE common_options)
+  add_executable(dummy_test dummy_test.cc)
+  target_link_libraries(dummy_test PRIVATE common_options)
 
-target_link_libraries(dummy_test PRIVATE
-  GTest::gtest
-  GTest::gtest_main
-)
+  target_link_libraries(dummy_test PRIVATE
+    GTest::gtest
+    GTest::gtest_main
+  )
 
-gtest_discover_tests(dummy_test)
-endif (${GTest_FOUND})
+  gtest_discover_tests(dummy_test)
+endif()

templates/c++-meson/.woodpecker/check.yml

@@ -1,7 +1,12 @@
 labels:
-  type: exec
+  backend: local
 
 steps:
+- name: pre-commit check
+  image: bash
+  commands:
+  - nix develop --command pre-commit run --all
+
 - name: nix flake check
   image: bash
   commands:
@@ -9,17 +14,17 @@ steps:
 
 - name: notifiy
   image: bash
-  secrets:
-  - source: matrix_homeserver
-    target: address
-  - source: matrix_roomid
-    target: room
-  - source: matrix_username
-    target: user
-  - source: matrix_password
-    target: pass
+  environment:
+    ADDRESS:
+      from_secret: matrix_homeserver
+    ROOM:
+      from_secret: matrix_roomid
+    USER:
+      from_secret: matrix_username
+    PASS:
+      from_secret: matrix_password
   commands:
-  - nix run '.#matrix-notifier'
+  - nix run github:ambroisie/matrix-notifier
   when:
     status:
     - failure

templates/c++-meson/flake.nix

@@ -52,7 +52,7 @@
 
             meta = with lib; {
               description = "A C++ project";
-              homepage = "https://gitea.belanyi.fr/ambroisie/project";
+              homepage = "https://git.belanyi.fr/ambroisie/project";
               license = licenses.mit;
               maintainers = with maintainers; [ ambroisie ];
               platforms = platforms.unix;

templates/default.nix

@@ -5,6 +5,10 @@
   };
   "c++-meson" = {
     path = ./c++-meson;
-    description = "A C++ project using CMake";
+    description = "A C++ project using Meson";
+  };
+  "rust-cargo" = {
+    path = ./rust-cargo;
+    description = "A Rust project using Cargo";
   };
 }

templates/rust-cargo/.envrc

@@ -0,0 +1,5 @@
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.0; then
+    source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.0/direnvrc" "sha256-21TMnI2xWX7HkSTjFFri2UaohXVj854mgvWapWrxRXg="
+fi
+
+use flake

templates/rust-cargo/.gitignore

@@ -0,0 +1,6 @@
+# Rust build directory
+/target
+
+# Nix generated files
+/.pre-commit-config.yaml
+/result

templates/rust-cargo/.woodpecker/check.yml

@@ -0,0 +1,31 @@
+labels:
+  backend: local
+
+steps:
+- name: pre-commit check
+  image: bash
+  commands:
+  - nix develop --command pre-commit run --all
+
+- name: nix flake check
+  image: bash
+  commands:
+  - nix flake check
+
+- name: notifiy
+  image: bash
+  environment:
+    ADDRESS:
+      from_secret: matrix_homeserver
+    ROOM:
+      from_secret: matrix_roomid
+    USER:
+      from_secret: matrix_username
+    PASS:
+      from_secret: matrix_password
+  commands:
+  - nix run github:ambroisie/matrix-notifier
+  when:
+    status:
+    - failure
+    - success

templates/rust-cargo/Cargo.lock

@@ -0,0 +1,7 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "project"
+version = "0.0.0"

templates/rust-cargo/Cargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "project"
+version = "0.0.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]

templates/rust-cargo/flake.nix

@@ -0,0 +1,112 @@
+{
+  description = "A Rust project";
+
+  inputs = {
+    futils = {
+      type = "github";
+      owner = "numtide";
+      repo = "flake-utils";
+      ref = "main";
+    };
+
+    nixpkgs = {
+      type = "github";
+      owner = "NixOS";
+      repo = "nixpkgs";
+      ref = "nixos-unstable";
+    };
+
+    pre-commit-hooks = {
+      type = "github";
+      owner = "cachix";
+      repo = "pre-commit-hooks.nix";
+      ref = "master";
+      inputs = {
+        flake-utils.follows = "futils";
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
+  };
+
+  outputs = { self, futils, nixpkgs, pre-commit-hooks }:
+    {
+      overlays = {
+        default = final: _prev: {
+          project = with final; rustPlatform.buildRustPackage {
+            pname = "project";
+            version = (final.lib.importTOML ./Cargo.toml).package.version;
+
+            src = self;
+
+            cargoLock = {
+              lockFile = "${self}/Cargo.lock";
+            };
+
+            meta = with lib; {
+              description = "A Rust project";
+              homepage = "https://git.belanyi.fr/ambroisie/project";
+              license = licenses.mit;
+              maintainers = with maintainers; [ ambroisie ];
+            };
+          };
+        };
+      };
+    } // futils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs {
+          inherit system;
+          overlays = [
+            self.overlays.default
+          ];
+        };
+
+        pre-commit = pre-commit-hooks.lib.${system}.run {
+          src = self;
+
+          hooks = {
+            clippy = {
+              enable = true;
+              settings = {
+                denyWarnings = true;
+              };
+            };
+
+            nixpkgs-fmt = {
+              enable = true;
+            };
+
+            rustfmt = {
+              enable = true;
+            };
+          };
+        };
+      in
+      {
+        checks = {
+          inherit (self.packages.${system}) project;
+        };
+
+        devShells = {
+          default = pkgs.mkShell {
+            inputsFrom = with self.packages.${system}; [
+              project
+            ];
+
+            packages = with pkgs; [
+              clippy
+              rust-analyzer
+              rustfmt
+            ];
+
+            RUST_SRC_PATH = "${pkgs.rust.packages.stable.rustPlatform.rustLibSrc}";
+
+            inherit (pre-commit) shellHook;
+          };
+        };
+
+        packages = futils.lib.flattenTree {
+          default = pkgs.project;
+          inherit (pkgs) project;
+        };
+      });
+}

templates/rust-cargo/src/main.rs

@@ -0,0 +1,3 @@
+fn main() {
+    println!("Hello, world!");
+}