chore(nixos): bumped to HEAD of 24.05

The Asynchronous Lint Engine replaces the deprecated syntastic

.envrc

@@ -0,0 +1,2 @@
+use flake
+watch_file flake.nix

.gitignore

@@ -1,6 +1,5 @@
 *.swp
 .direnv
-.envrc
 Deployments/syncserver.nix
 examples
 result

README.rst

@@ -1,12 +1,12 @@
 MIO Ops
 =======
 
-NixOps_ deployment configuration for MIO_.
+NixOS_ deployment configuration for MIO_.
 
 The canonical home for this repo is
-https://source.mcwhirter.io/craige/mio-ops
+https://reciproka.dev/craige/mio-ops
 
 Support buy donating ADA: addr1q8dpxmt0xk9xr27jff25ksxxf9wpqwsdpl46d02mtqd233t3s7uvrk5la8rqv9gh4d36pm8v9f2gcjt9tt7wj32vm4aqkvunma
 
-.. _NixOps: https://nixos.org/nixops
+.. _NixOS: https://nixos.org/
 .. _MIO: https://mcwhirter.io/

default.nix

@@ -13,7 +13,7 @@ with import ./nix args; {
       alejandraUnstable # The Uncompromising Nix Code Formatter
       cardanoNodeProject.cardano-cli # required for KES key rotation
       niv
-      nixopsUnstable # work around for issue #127423
+      nixops_unstable_minimal # work around for issue #127423
       tea # Gitea official CLI client
       treefmt # one CLI to format the code tree
     ];

flake.nix

@@ -0,0 +1,15 @@
+{
+  description = "mio-ops deployment";
+
+  inputs = {
+    cardano-node.url = "github:input-output-hk/cardano-node/?ref=1.35.7";
+    daedalus.url = "github:input-output-hk/daedalus/?ref=5.2.0";
+    iohkNix.url = "github:input-output-hk/iohk-nix/?ref=df1da282f996ec46b33379407df99613a1fbafdd";
+    nix.url = "github:NixOS/nix/?ref=2.13.3";
+    nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-24.05;
+    nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable;
+    utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = {...} @ args: import ./outputs.nix args;
+}

hardware/purism_librem_15.nix

@@ -2,10 +2,11 @@
 {
   config,
   lib,
+  modulesPath,
   pkgs,
   ...
 }: {
-  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
 
   boot = {
     initrd = {
@@ -16,26 +17,28 @@
         "usbhid" # USB HID transport layer
         "usb_storage" # USB Mass Storage support
         "sd_mod" # SCSI disk support
-        "aesni_intel" # AES-NI + SSE2 implementation of AEGIS-128
-        "cryptd" # Software async crypto daemon
       ];
-      kernelModules = ["dm-snapshot"];
-      luks.devices."cryptroot".device = "/dev/disk/by-uuid/52040288-dea9-4e74-9438-d0946b48a1f4";
     };
-    kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
+    kernelModules = ["hid_multitouch" "kvm-intel" "psmouse"]; # Enable kvm for libvirtd
   };
 
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/848e15eb-992b-499f-89b1-be8bc59af41c";
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/0bdc11fc-c497-47ff-bcc2-3044f81f40be";
       fsType = "ext4";
     };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/a9d48855-edaf-40b9-9296-58e9b7c7eb96";
+    "/home" = {
+      device = "/dev/disk/by-uuid/9c8a9dd1-b234-4a6d-ad62-3962e85d4063";
       fsType = "ext4";
     };
+  };
 
-  swapDevices = [{device = "/dev/disk/by-uuid/ac308d76-cc12-4a73-83ee-64a2ad07b91e";}];
+  swapDevices = [{device = "/dev/disk/by-uuid/05aed0b0-3a79-44f2-aa4d-e5e5724643f2";}];
+
+  networking.useDHCP = lib.mkDefault true;
 
   nix.settings.max-jobs = lib.mkDefault 4;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hardware/raspberry_pi_3_model_B.nix

@@ -17,7 +17,7 @@
     };
     kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
     kernelParams = [
-      "cma=32M" # Needed for the virtual console to work on the RPi 3
+      "cma=320M" # Needed for the virtual console to work on the RPi 3
       "console=ttyS0,115200n8" # Enable the serial console
       "console=tty0"
     ];
@@ -31,9 +31,10 @@
       raspberryPi = {
         enable = false;
         version = 3;
-        uboot.enable = true;
         firmwareConfig = ''
           arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
+          display_auto_detect=1  # Enable auto detection of screen resolution
+          gpu_mem=128
           hdmi_force_hotplug=1   # Enable headless booting
         '';
       };

hardware/system76_lemurPro.nix

@@ -0,0 +1,74 @@
+# Hardware configuration file for the System76 Lemur Pro v12 (lemp12)
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "thunderbolt" # USB4 and Thunderbolt 3 support
+        "sdhci_pci" # Secure Digital Host Controller Interface (SD cards)
+        "nvme" # NVMe drives (really fast SSDs)
+        "sd_mod" # SCSI disk support
+        "usb_storage" # USB Mass Storage support
+        "xhci_pci" # USB 3.0 (eXtensible Host Controller Interface)
+      ];
+      kernelModules = ["dm-snapshot"];
+      luks = {
+        devices = {
+          "cryptroot" = {
+            device = "/dev/disk/by-label/cryptroot";
+            allowDiscards = true;
+            preLVM = true;
+          };
+          "cryptmirror" = {
+            device = "/dev/disk/by-label/cryptmirror";
+            allowDiscards = true;
+            preLVM = true;
+          };
+        };
+      };
+    };
+    kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-label/EFI";
+      fsType = "vfat";
+    };
+    "/var/lib/backup" = {
+      device = "/dev/disk/by-label/backup";
+      fsType = "ext4";
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-label/swap";
+      discardPolicy = "both";
+    }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nix.settings.max-jobs = lib.mkDefault 4;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware = {
+    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    system76 = {
+      enableAll = true; # all recommended configuration for system76 systems
+      power-daemon.enable = true;
+    };
+  };
+}

hardware/system76_thelioMira.nix

@@ -0,0 +1,74 @@
+# Hardware configuration file for the System76 Thelio Mira
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "nvme" # NVMe drives (really fast SSDs)
+        "sd_mod" # SCSI disk support
+        "usb_storage" # USB Mass Storage support
+        "usbhid"
+        "xhci_pci" # USB 3.0 (eXtensible Host Controller Interface)
+      ];
+      kernelModules = ["dm-snapshot"];
+      luks = {
+        devices = {
+          "cryptroot" = {
+            device = "/dev/disk/by-label/cryptroot";
+            allowDiscards = true;
+            preLVM = true;
+          };
+          "cryptstore" = {
+            device = "/dev/disk/by-label/cryptstore";
+            allowDiscards = true;
+            preLVM = true;
+          };
+        };
+      };
+    };
+    kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+    };
+    "/nix" = {
+      device = "/dev/disk/by-label/nixStore";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/677E-FD28";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-label/swap";
+      discardPolicy = "both";
+    }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nix.settings.max-jobs = lib.mkDefault 12;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware = {
+    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    system76 = {
+      enableAll = true; # all recommended configuration for system76 systems
+      power-daemon.enable = true;
+    };
+  };
+}

hosts/buaidheach.nix

@@ -1,19 +0,0 @@
-# NixOps configuration for buaidheach
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports = [
-    ../networks/pi3B_rack.nix
-    ../profiles/transmission.nix
-    ../secrets/transmission.nix
-  ];
-
-  # Comment out deployment when building the SD Image.
-  deployment.targetHost = "10.42.0.212";
-  networking.hostName = "buaidheach"; # Define your hostname.
-
-  system.stateVersion = "22.05"; # The version of NixOS originally installed
-}

hosts/ceitidh.nix

@@ -11,7 +11,7 @@
   ];
 
   # Comment out deployment when building the SD Image.
-  deployment.targetHost = "10.42.0.213";
+  deployment.targetHost = "10.42.0.203";
   networking.hostName = "ceitidh"; # Define your hostname.
 
   environment.systemPackages = with pkgs; [

hosts/cuallaidh.nix

@@ -10,7 +10,6 @@
     ../networks/linode.nix
     ../profiles/coturn.nix
     #../profiles/cryptpad.nix
-    ../profiles/forgejo.nix
     #../profiles/hydra.nix
     ../profiles/iog.nix
     ../profiles/ipv6.nix
@@ -22,7 +21,6 @@
     ../profiles/nixpkgs-dev.nix
     ../profiles/taskserver.nix
     ../profiles/tt-rss.nix
-    ../secrets/forgejo.nix
     ../secrets/tt-rss.nix
   ];
 
@@ -36,11 +34,31 @@
     }
   ];
 
-  services.tmate = {
+  services = {
+    tmate = {
       enable = true;
       openFirewall = true;
       sshHostname = "tmate.mcwhirter.io";
     };
+    nginx = {
+      virtualHosts."git.mcwhirter.io" = {
+        enableACME = true;
+        forceSSL = true;
+        globalRedirect = "reciproka.dev"; # Redirect permanently to the host
+      };
+      virtualHosts."source.mcwhirter.io" = {
+        enableACME = true;
+        forceSSL = true;
+        globalRedirect = "reciproka.dev"; # Redirect permanently to the host
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    certs = {"git.mcwhirter.io" = {email = "craige@mcwhirter.io";};};
+    certs = {"source.mcwhirter.io" = {email = "craige@mcwhirter.io";};};
+  };
 
   system.stateVersion = "19.03"; # The version of NixOS originally installed
 }

hosts/dionach.nix

@@ -6,54 +6,30 @@
 }: {
   imports = [
     ../hardware/purism_librem_15.nix # Include results of the hardware scan.
-    ../profiles/android.nix # Provide an Android dev environment
-    ../profiles/cron-craige.nix # Provide Craige's cron jobs
-    ../profiles/daedalus.nix # The open source cryptocurrency wallet for ADA
-    ../profiles/desktop-feeds.nix # Tools for news feeds and podcasts
-    ../profiles/desktopCraige.nix # Craige's desktop tools and apps
-    ../profiles/haskell-dev.nix # Haskell dev environment
-    ../profiles/host_common.nix # Common host configuration options
-    ../profiles/iog.nix # IOHK environment
-    ../profiles/keyboard.nix
-    ../profiles/neomutt.nix # Neomutt email
-    ../profiles/nix-community.nix # Nix community aarch64 tooling
-    ../profiles/nix-mio-ops.nix # mio-ops Nix tooling
-    ../profiles/nixpkgs-dev.nix # Nix pkgs dev tools
-    ../profiles/openssh.nix # Enable and configure openssh
-    ../profiles/pantheon.nix # Enable and configure the pantheon desktop
-    ../profiles/pipewire.nix # Enable and pipewire audio system
-    ../profiles/powerManagement.nix # Power management for laptops
-    ../profiles/qemu.nix # Qemu virtualisation
-    ../profiles/typingTutor.nix # Typing tutorials
-    ../profiles/weechat.nix # Weechat environment
-    #../profiles/xmonad.nix # Xmonad desktop environment
-    ../profiles/yubikey.nix # Yubikey tooling
-    ../secrets/craige.nix # Ssshhhhh!
-    ../secrets/root.nix # Ssshhhhh!
-    #../secrets/wireless.nix # Hey look! A squirrel!
+    ../profiles/desktop_common.nix
+    ../profiles/steam.nix
   ];
 
-  deployment.targetHost = "localhost";
-
-  nixpkgs = {
-    config = {
-      allowUnfree = true;
-      permittedInsecurePackages = [
-        "openssl-1.0.2u"
-      ];
-    };
-    overlays = [(import ../overlays/ncmpcpp.nix)];
-  };
+  deployment.targetHost = "10.42.0.190";
 
   # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
-  boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
-  boot.extraModprobeConfig = "options kvm_intel nested=1";
+  boot = {
+    loader.grub = {
+      enable = true;
+      device = "/dev/nvme0n1"; # or "nodev" for efi only
+      useOSProber = true;
+    };
+    kernel.sysctl."net.ipv4.ip_forward" = "1";
+    extraModprobeConfig = "options kvm_intel nested=1";
+  };
 
   networking = {
     hostName = "dionach"; # Define your hostname.
-    networkmanager.enable = true; # Enables network support via NetworkManager.
+    firewall = {
+      enable = true;
+      checkReversePath = false; # Needed for libvirtd
+      allowedTCPPorts = [15000];
+    };
   };
 
   systemd.network.networks.enp0s20f0u4u4i5.ipv6SendRAConfig = {
@@ -62,160 +38,11 @@
     OtherInformation = true;
   };
 
-  fonts.fonts = with pkgs; [
-    anonymousPro
-    dejavu_fonts # A typeface family based on the Bitstream Vera fonts
-    fira-code # Monospace font with programming ligaturess
-    font-awesome
-    hack-font # A typeface designed for source code
-    jetbrains-mono
-    #monoid         # Customisable coding font with alternates, ligatures and contextual positioning
-    nerdfonts # Iconic font aggregator, collection, & patcher
-    open-sans # Used in in my polybar configuration
-    xkcd-font # Font based handwriting in xkcd comics
-  ];
-
-  # List packages installed in system profile. To search, run:
-  environment.systemPackages = with pkgs; [
-    bash
-    binutils
-    bluez-tools
-    brave # Privacy-oriented browser
-    bridge-utils # for brctl
-    chromium
-    clang
-    ddrescue
-    docutils # Python Documentation Utilities
-    electrum # Bitcoin wallet
-    element-desktop # A feature-rich client for Matrix.org
-    evince
-    exiftool # A tool to read, write and edit EXIF meta information
-    ffmpeg-full # record, convert and stream audio and video
-    file
-    librewolf # Firefox fork, focused on privacy, security and freedom
-    gcc
-    gimp
-    gnumake
-    gnused
-    google-authenticator # 2FA
-    google-chrome # A freeware web browser developed by Google
-    graphviz # Graph visualization tools
-    imagemagick
-    inetutils # Common network utilies
-    inotify-tools
-    iptables # iptables
-    libmtp
-    libgphoto2
-    libreoffice-fresh # Libreoffice - fresh version
-    lxmenu-data # required by pcmanfm
-    mkpasswd
-    mp3info # MP3 tag editor / query tool
-    mpd
-    mtpfs
-    ncmpcpp
-    nextcloud-client
-    nvme-cli # NVM-Express user space tooling for Linux
-    obs-studio # Free and open source software for video recording and live streaming
-    openjdk8
-    openssl # A cryptographic library that implements the SSL and TLS protocols
-    p7zip
-    pandoc
-    pavucontrol
-    pcmanfm
-    pstree # Show the set of running processes as a tree
-    pwgen
-    python3Full
-    #python311Packages.restview # ReStructuredText viewer
-    python311Packages.sphinx # A tool that makes it easy to create intelligent and beautifulul documentation for Python projects
-    radiotray-ng # Internet radio player
-    rdiff-backup # External backups
-    shared-mime-info # required by pcmanfm
-    shotwell
-    signal-desktop
-    smartmontools # Tools for monitoring the health of hard drives
-    sshfs
-    taskwarrior # Highly flexible command-line tool to manage TODO lists
-    tcpdump # tcpdump
-    tectonic
-    tdesktop # Telegram Desktop messaging app
-    texlive.combined.scheme-full
-    tmate # Instant Terminal Sharing
-    tpm-tools
-    #tor-browser-bundle-bin
-    tree # Command to produce a depth indented directory listing
-    udevil
-    unrar
-    unzip
-    vcsh
-    wget
-    wesnoth # Turn-based strategy game
-    xorg.xev
-    zip # zip all the zip's
-    zlib
-    zlib.dev
-  ];
-
-  services.acpid.enable = true;
-  services.blueman.enable = true;
-  services.gvfs.enable = true; # required by pcmanfm
   services.kbfs.enable = true;
 
-  services.xserver.desktopManager.enlightenment.enable = true;
-
-  networking.firewall = {
-    enable = true;
-    checkReversePath = false; # Needed for libvirtd
-    allowedTCPPorts = [15000];
-  };
-
-  # Virtualisation configuration:
-  virtualisation = {
-    libvirtd = {
-      enable = true; # Enable libvirtd
-      qemu = {
-        #package = pkgs.qemu_kvm;   # Enable guest only for the same arch
-        package = pkgs.qemu; # Enable full emulation
-        verbatimConfig = ''
-          user = "craige"
-          group = "libvirtd"
-        '';
-      };
-      onShutdown = "shutdown"; # Set gust VMs to shutdown on host shutdown
-      extraConfig = ''
-        disk_bus = "virtio"
-      '';
-    };
-  };
-
-  # Enable sound.
-  sound.enable = true;
-  hardware = {
-    #pulseaudio = {
-    #  enable = true;
-    #  systemWide = false;
-    #  package = pkgs.pulseaudioFull;
-    #};
-    bluetooth = {
-      enable = true;
-      #hsphfpd.enable = true;
-      settings = {Policy = {AutoEnable = "true";};};
-    };
-    opengl.enable = true;
-  };
-
-  # The below pair are set to overcome flakey connections / busy servers that
-  # fail to respond to ssh keep alive requests, sometimes triggering:
-  # client_loop: send disconnect: Broken pipe
-  programs.ssh.extraConfig = ''
-    ServerAliveInterval 20
-    TCPKeepAlive no
-  '';
-
-  users.groups = {lp.members = ["messagebus"];};
-
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "20.03"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }

hosts/doilidh.nix

@@ -8,7 +8,7 @@
   imports = [../networks/pi3B_rack.nix];
 
   # Comment out deployment when building the SD Image.
-  deployment.targetHost = "10.42.0.214";
+  deployment.targetHost = "10.42.0.204";
   networking.hostName = "doilidh"; # Define your hostname.
 
   environment.systemPackages = with pkgs; [];

hosts/eamhair.nix

@@ -8,7 +8,7 @@
   imports = [../networks/pi3B_rack.nix];
 
   # Comment out deployment when building the SD Image.
-  deployment.targetHost = "10.42.0.215";
+  deployment.targetHost = "10.42.0.205";
   networking.hostName = "eamhair"; # Define your hostname.
 
   environment.systemPackages = with pkgs; [];

hosts/sanganto.nix

@@ -0,0 +1,126 @@
+# NixOS configuration for ŝanĝanto
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../hardware/system76_thelioMira.nix # Include results of the hardware scan.
+    ../profiles/cron-craige.nix # Provide Craige's cron jobs
+    ../profiles/desktopCraige.nix # Craige's desktop tools and apps
+    ../profiles/haskell-dev.nix # Haskell dev environment
+    ../profiles/host_common.nix # Common host configuration options
+    ../profiles/iog.nix # IOHK environment
+    ../profiles/keyboard.nix
+    ../profiles/neomutt.nix # Neomutt email
+    ../profiles/nix-community.nix # Nix community aarch64 tooling
+    ../profiles/nixpkgs-dev.nix # Nix pkgs dev tools
+    ../profiles/openssh.nix # Enable and configure openssh
+    ../profiles/pantheon.nix # Enable and configure the pantheon desktop
+    ../profiles/pipewire.nix # Enable and pipewire audio system
+    ../profiles/xmonad.nix # Xmonad desktop environment
+    ../profiles/yubikey.nix # Yubikey tooling
+    ../secrets/craige.nix # Ssshhhhh!
+    ../secrets/root.nix # Ssshhhhh!
+  ];
+
+  deployment.targetHost = "10.42.0.11";
+
+  nixpkgs = {
+    config = {
+      allowUnfree = true;
+      permittedInsecurePackages = [
+        "openssl-1.0.2u"
+      ];
+    };
+    overlays = [(import ../overlays/ncmpcpp.nix)];
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernel.sysctl."net.ipv4.ip_forward" = "1";
+    extraModprobeConfig = "options kvm_intel nested=1";
+  };
+
+  networking = {
+    hostName = "sanganto"; # Define your hostname.
+    networkmanager.enable = true; # Enables network support via NetworkManager.
+  };
+
+  fonts.packages = with pkgs; [
+    anonymousPro
+    dejavu_fonts # A typeface family based on the Bitstream Vera fonts
+    fira-code # Monospace font with programming ligaturess
+    font-awesome
+    hack-font # A typeface designed for source code
+    jetbrains-mono
+    nerdfonts # Iconic font aggregator, collection, & patcher
+    open-sans # Used in in my polybar configuration
+    xkcd-font # Font based handwriting in xkcd comics
+  ];
+
+  # List packages installed in system profile. To search, run:
+  environment.systemPackages = with pkgs; [
+  ];
+
+  services = {
+    acpid.enable = true;
+    blueman.enable = true;
+    gvfs.enable = true; # required by pcmanfm
+    kbfs.enable = true;
+  };
+
+  networking.firewall = {
+    enable = true;
+    checkReversePath = false; # Needed for libvirtd
+    allowedTCPPorts = [15000];
+  };
+
+  # Virtualisation configuration:
+  virtualisation = {
+    libvirtd = {
+      enable = true; # Enable libvirtd
+      qemu = {
+        #package = pkgs.qemu_kvm;   # Enable guest only for the same arch
+        package = pkgs.qemu; # Enable full emulation
+        verbatimConfig = ''
+          user = "craige"
+          group = "libvirtd"
+        '';
+      };
+      onShutdown = "shutdown"; # Set gust VMs to shutdown on host shutdown
+      extraConfig = ''
+        disk_bus = "virtio"
+      '';
+    };
+  };
+
+  # Enable sound.
+  sound.enable = true;
+  hardware = {
+    bluetooth = {
+      enable = true;
+      settings = {Policy = {AutoEnable = "true";};};
+    };
+    opengl.enable = true;
+  };
+
+  # The below pair are set to overcome flakey connections / busy servers that
+  # fail to respond to ssh keep alive requests, sometimes triggering:
+  # client_loop: send disconnect: Broken pipe
+  programs.ssh.extraConfig = ''
+    ServerAliveInterval 20
+    TCPKeepAlive no
+  '';
+
+  users.groups = {lp.members = ["messagebus"];};
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

hosts/sercanto.nix

@@ -0,0 +1,132 @@
+# NixOS configuration for serĉanto
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../hardware/system76_lemurPro.nix # Include results of the hardware scan.
+    ../profiles/cron-craige.nix # Provide Craige's cron jobs
+    ../profiles/desktopCraige.nix # Craige's desktop tools and apps
+    ../profiles/haskell-dev.nix # Haskell dev environment
+    ../profiles/host_common.nix # Common host configuration options
+    ../profiles/iog.nix # IOHK environment
+    ../profiles/keyboard.nix
+    ../profiles/neomutt.nix # Neomutt email
+    ../profiles/nix-community.nix # Nix community aarch64 tooling
+    ../profiles/nix-mio-ops.nix # mio-ops Nix tooling
+    ../profiles/nixpkgs-dev.nix # Nix pkgs dev tools
+    ../profiles/openssh.nix # Enable and configure openssh
+    ../profiles/pantheon.nix # Enable and configure the pantheon desktop
+    ../profiles/pipewire.nix # Enable and pipewire audio system
+    ../profiles/powerManagement.nix # Power management for laptops
+    ../profiles/xmonad.nix # Xmonad desktop environment
+    ../profiles/yubikey.nix # Yubikey tooling
+    ../secrets/craige.nix # Ssshhhhh!
+    ../secrets/root.nix # Ssshhhhh!
+    #../secrets/wireless.nix # Hey look! A squirrel!
+  ];
+
+  deployment.targetHost = "10.42.0.180";
+
+  nixpkgs = {
+    config = {
+      allowUnfree = true;
+      permittedInsecurePackages = [
+        "openssl-1.0.2u"
+      ];
+    };
+    overlays = [(import ../overlays/ncmpcpp.nix)];
+  };
+
+  boot = {
+    loader = {
+      systemd-boot = {
+        enable = true;
+        configurationLimit = 5;
+      };
+      efi.canTouchEfiVariables = true;
+    };
+    kernel.sysctl."net.ipv4.ip_forward" = "1";
+    extraModprobeConfig = "options kvm_intel nested=1";
+  };
+
+  networking = {
+    hostName = "sercanto"; # Define your hostname.
+    networkmanager.enable = true; # Enables network support via NetworkManager.
+  };
+
+  fonts.packages = with pkgs; [
+    anonymousPro
+    dejavu_fonts # A typeface family based on the Bitstream Vera fonts
+    fira-code # Monospace font with programming ligaturess
+    font-awesome
+    hack-font # A typeface designed for source code
+    jetbrains-mono
+    nerdfonts # Iconic font aggregator, collection, & patcher
+    open-sans # Used in in my polybar configuration
+    xkcd-font # Font based handwriting in xkcd comics
+  ];
+
+  # List packages installed in system profile. To search, run:
+  environment.systemPackages = with pkgs; [
+  ];
+
+  services = {
+    acpid.enable = true;
+    blueman.enable = true;
+    gvfs.enable = true; # required by pcmanfm
+    kbfs.enable = true;
+  };
+
+  networking.firewall = {
+    enable = true;
+    checkReversePath = false; # Needed for libvirtd
+    allowedTCPPorts = [15000];
+  };
+
+  # Virtualisation configuration:
+  virtualisation = {
+    libvirtd = {
+      enable = true; # Enable libvirtd
+      qemu = {
+        #package = pkgs.qemu_kvm;   # Enable guest only for the same arch
+        package = pkgs.qemu; # Enable full emulation
+        verbatimConfig = ''
+          user = "craige"
+          group = "libvirtd"
+        '';
+      };
+      onShutdown = "shutdown"; # Set gust VMs to shutdown on host shutdown
+      extraConfig = ''
+        disk_bus = "virtio"
+      '';
+    };
+  };
+
+  # Enable sound.
+  sound.enable = true;
+  hardware = {
+    bluetooth = {
+      enable = true;
+      settings = {Policy = {AutoEnable = "true";};};
+    };
+    opengl.enable = true;
+  };
+
+  # The below pair are set to overcome flakey connections / busy servers that
+  # fail to respond to ssh keep alive requests, sometimes triggering:
+  # client_loop: send disconnect: Broken pipe
+  programs.ssh.extraConfig = ''
+    ServerAliveInterval 20
+    TCPKeepAlive no
+  '';
+
+  users.groups = {lp.members = ["messagebus"];};
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

images/sd-image_buaidheach.nix

@@ -1,4 +0,0 @@
-# SD image for buaidheach
-{...}: {
-  imports = [./sd-image_paidh-aarch64.nix ../hosts/buaidheach.nix];
-}

networks/pi3B_rack.nix

@@ -6,7 +6,6 @@
     ../profiles/host_common.nix
     ../profiles/pi_common.nix
     ../profiles/server_common.nix
-    ../secrets/wireless-pi3B.nix
   ];
 
   # Ensure the right package architecture is used
@@ -17,7 +16,7 @@
   };
 
   networking.wireless.enable =
-    true; # Toggles wireless support via wpa_supplicant.
+    false; # Toggles wireless support via wpa_supplicant.
 
   systemd.network.networks.eth0.ipv6SendRAConfig = {
     EmitDNS = true;

nix/sources.json

@@ -1,95 +0,0 @@
-{
-    "cardano-node": {
-        "branch": "refs/tags/1.35.7",
-        "description": "The core component that is used to participate in a Cardano decentralised blockchain.",
-        "homepage": "https://cardano.org",
-        "owner": "input-output-hk",
-        "repo": "cardano-node",
-        "rev": "f0b4ac897dcbefba9fa0d247b204a24543cf55f6",
-        "sha256": "0s2jkj4mwl03hxg4ff9kyw41s32xbf31rnhag2m1qrglgsh8wzw9",
-        "type": "tarball",
-        "url": "https://github.com/input-output-hk/cardano-node/archive/f0b4ac897dcbefba9fa0d247b204a24543cf55f6.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "daedalus": {
-        "branch": "release/5.2.0",
-        "description": "The open source cryptocurrency wallet for ada, built to grow with the community",
-        "homepage": "https://daedaluswallet.io/",
-        "owner": "input-output-hk",
-        "repo": "daedalus",
-        "rev": "2990f5a44189097b3de2e7e7a19caa8062a8ae7b",
-        "sha256": "1w2w7qfashbqimcywzvhh0z5jrlfaja04sgi6p5hp08adwad6r92",
-        "type": "tarball",
-        "url": "https://github.com/input-output-hk/daedalus/archive/2990f5a44189097b3de2e7e7a19caa8062a8ae7b.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "iohk-nix": {
-        "branch": "master",
-        "description": "nix scripts shared across projects",
-        "homepage": null,
-        "owner": "input-output-hk",
-        "repo": "iohk-nix",
-        "rev": "df1da282f996ec46b33379407df99613a1fbafdd",
-        "sha256": "0vpcyrswxkynn2q37qsrhvf62whk2ijpcwqnamxcchcq6lwfpn0l",
-        "type": "tarball",
-        "url": "https://github.com/input-output-hk/iohk-nix/archive/df1da282f996ec46b33379407df99613a1fbafdd.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "mcwhirter-io": {
-        "branch": "consensus",
-        "rev": "a53a2f8a8a23eb0579ba6d0ec1c6e749bfcf8467",
-        "sha256": "1b72841hbj6wqsb37ma4y148lx287qjmcbr9p1dbzras6k4xvdlz",
-        "type": "tarball",
-        "url": "https://source.mcwhirter.io/craige/mcwhirter.io/archive/a53a2f8a8a23eb0579ba6d0ec1c6e749bfcf8467.tar.gz",
-        "url_template": "https://source.mcwhirter.io/craige/mcwhirter.io/archive/<rev>.tar.gz"
-    },
-    "niv": {
-        "branch": "master",
-        "description": "Easy dependency management for Nix projects",
-        "homepage": "https://github.com/nmattia/niv",
-        "owner": "nmattia",
-        "repo": "niv",
-        "rev": "82e5cd1ad3c387863f0545d7591512e76ab0fc41",
-        "sha256": "090l219mzc0gi33i3psgph6s2pwsc8qy4lyrqjdj4qzkvmaj65a7",
-        "type": "tarball",
-        "url": "https://github.com/nmattia/niv/archive/82e5cd1ad3c387863f0545d7591512e76ab0fc41.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "nixos2111": {
-        "branch": "nixos-21.11",
-        "description": "Nix Packages collection",
-        "homepage": "",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "63198c9ccefdbd337cef0d85db0ea2689f4ce418",
-        "sha256": "05gc6xyv8a2dppngm1q44j85j769lr90lg20s6jv62gfg344i50r",
-        "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/63198c9ccefdbd337cef0d85db0ea2689f4ce418.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "nixpkgs": {
-        "branch": "nixos-23.05",
-        "builtin": false,
-        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
-        "homepage": "https://github.com/NixOS/nixpkgs",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "6da4bc6cb07cba1b8e53d139cbf1d2fb8061d967",
-        "sha256": "0jgcqcbj41g04w4b48c6z4x2mrjx41i36lp6rzh9h4r1cdm74prm",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/6da4bc6cb07cba1b8e53d139cbf1d2fb8061d967.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "nixpkgsUnstable": {
-        "branch": "nixos-unstable",
-        "description": "Nix Packages collection",
-        "homepage": "",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "da45bf6ec7bbcc5d1e14d3795c025199f28e0de0",
-        "sha256": "0f4f9xh4rkgk9in2hzwm371vahppdixbdb73ki1v5dq1r2iv015h",
-        "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/da45bf6ec7bbcc5d1e14d3795c025199f28e0de0.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    }
-}

nix/sources.nix

@@ -1,141 +0,0 @@
-# This file has been generated by Niv.
-let
-  #
-  # The fetchers. fetch_<type> fetches specs of type <type>.
-  #
-  fetch_file = pkgs: spec:
-    if spec.builtin or true
-    then builtins_fetchurl {inherit (spec) url sha256;}
-    else pkgs.fetchurl {inherit (spec) url sha256;};
-
-  fetch_tarball = pkgs: spec:
-    if spec.builtin or true
-    then builtins_fetchTarball {inherit (spec) url sha256;}
-    else pkgs.fetchzip {inherit (spec) url sha256;};
-
-  fetch_git = spec:
-    builtins.fetchGit {
-      url = spec.repo;
-      inherit (spec) rev ref;
-    };
-
-  fetch_builtin-tarball = spec:
-    builtins.trace ''
-      WARNING:
-        The niv type "builtin-tarball" will soon be deprecated. You should
-        instead use `builtin = true`.
-
-        $ niv modify <package> -a type=tarball -a builtin=true
-    ''
-    builtins_fetchTarball {inherit (spec) url sha256;};
-
-  fetch_builtin-url = spec:
-    builtins.trace ''
-      WARNING:
-        The niv type "builtin-url" will soon be deprecated. You should
-        instead use `builtin = true`.
-
-        $ niv modify <package> -a type=file -a builtin=true
-    '' (builtins_fetchurl {inherit (spec) url sha256;});
-
-  #
-  # Various helpers
-  #
-
-  # The set of packages used when specs are fetched using non-builtins.
-  mkPkgs = sources: let
-    sourcesNixpkgs =
-      import (builtins_fetchTarball {inherit (sources.nixpkgs) url sha256;})
-      {};
-    hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
-    hasThisAsNixpkgsPath = <nixpkgs> == ./.;
-  in
-    if builtins.hasAttr "nixpkgs" sources
-    then sourcesNixpkgs
-    else if hasNixpkgsPath && !hasThisAsNixpkgsPath
-    then import <nixpkgs> {}
-    else
-      abort ''
-        Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
-        add a package called "nixpkgs" to your sources.json.
-      '';
-
-  # The actual fetching function.
-  fetch = pkgs: name: spec:
-    if !builtins.hasAttr "type" spec
-    then abort "ERROR: niv spec ${name} does not have a 'type' attribute"
-    else if spec.type == "file"
-    then fetch_file pkgs spec
-    else if spec.type == "tarball"
-    then fetch_tarball pkgs spec
-    else if spec.type == "git"
-    then fetch_git spec
-    else if spec.type == "builtin-tarball"
-    then fetch_builtin-tarball spec
-    else if spec.type == "builtin-url"
-    then fetch_builtin-url spec
-    else
-      abort
-      "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
-
-  # Ports of functions for older nix versions
-
-  # a Nix version of mapAttrs if the built-in doesn't exist
-  mapAttrs =
-    builtins.mapAttrs
-    or (f: set:
-      with builtins;
-        listToAttrs (map (attr: {
-          name = attr;
-          value = f attr set.${attr};
-        }) (attrNames set)));
-
-  # fetchTarball version that is compatible between all the versions of Nix
-  builtins_fetchTarball = {
-    url,
-    sha256,
-  } @ attrs: let
-    inherit (builtins) lessThan nixVersion fetchTarball;
-  in
-    if lessThan nixVersion "1.12"
-    then fetchTarball {inherit url;}
-    else fetchTarball attrs;
-
-  # fetchurl version that is compatible between all the versions of Nix
-  builtins_fetchurl = {
-    url,
-    sha256,
-  } @ attrs: let
-    inherit (builtins) lessThan nixVersion fetchurl;
-  in
-    if lessThan nixVersion "1.12"
-    then fetchurl {inherit url;}
-    else fetchurl attrs;
-
-  # Create the final "sources" from the config
-  mkSources = config:
-    mapAttrs (name: spec:
-      if builtins.hasAttr "outPath" spec
-      then
-        abort
-        "The values in sources.json should not have an 'outPath' attribute"
-      else spec // {outPath = fetch config.pkgs name spec;})
-    config.sources;
-
-  # The "config" used by the fetchers
-  mkConfig = {
-    sourcesFile ? ./sources.json,
-    sources ? builtins.fromJSON (builtins.readFile sourcesFile),
-    pkgs ? mkPkgs sources,
-  }: rec {
-    # The sources, i.e. the attribute set of spec name to spec
-    inherit sources;
-
-    # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
-    inherit pkgs;
-  };
-in
-  mkSources (mkConfig {})
-  // {
-    __functor = _: settings: mkSources (mkConfig settings);
-  }

nixops.nix

@@ -25,9 +25,10 @@
   iolear-beag = import hosts/iolear-beag.nix;
   doilidh = import hosts/doilidh.nix;
   eamhair = import hosts/eamhair.nix;
-  buaidheach = import hosts/buaidheach.nix;
   ceitidh = import hosts/ceitidh.nix;
   paidh-uachdar = import hosts/paidh-uachdar.nix;
+  sanganto = import hosts/sanganto.nix;
+  sercanto = import hosts/sercanto.nix;
   sithlainnir = import hosts/sithlainnir.nix;
   teintidh = import hosts/teintidh.nix;
 }

outputs.nix

@@ -0,0 +1,21 @@
+{
+  self,
+  daedalus,
+  nix,
+  nixpkgs,
+  nixpkgsUnstable,
+  utils,
+  ...
+} @ inputs:
+(utils.lib.eachDefaultSystem (system: let
+  pkgs = nixpkgs.legacyPackages."${system}";
+in {
+  devShell =
+    pkgs.callPackage
+    ./shell.nix {
+      inherit (nix.packages."${pkgs.system}") nix;
+      inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
+    };
+}))
+// {
+}

overlays/ncmpcpp.nix

@@ -0,0 +1,6 @@
+# Enable the visualiser in ncmpcpp
+self: super: {
+  ncmpcpp = super.ncmpcpp.override {
+    visualizerSupport = true;
+  };
+}

profiles/cardano-node.nix

@@ -3,15 +3,15 @@
   config,
   pkgs,
   lib,
+  cardano-node,
+  iohkNix,
   ...
 }: let
-  sources = import ../nix/sources.nix;
-  cardanoNodeProject = import (sources.cardano-node + "/nix") {
-    gitrev = sources.cardano-node.rev;
+  cardanoNodeProject = import (cardano-node + "/nix") {
+    gitrev = cardano-node.rev;
   };
-  iohkNix = import (sources.iohk-nix) {};
 in {
-  imports = [../secrets/cardano/producers.nix "${sources.cardano-node}/nix/nixos"];
+  imports = [../secrets/cardano/producers.nix "${cardano-node.cardano-node}/nix/nixos"];
 
   environment.systemPackages = [cardanoNodeProject.cardano-cli];
 

profiles/daedalus.nix

@@ -2,11 +2,11 @@
 {
   config,
   pkgs,
+  daedalus,
   lib,
   ...
 }: let
-  sources = import ../nix/sources.nix;
-  daedalusProject = import sources.daedalus {};
+  daedalusProject = import daedalus.daedalus {};
   daedalusMainnet = daedalusProject.daedalus;
   #daedalusFlight = daedalusProject.daedalus {--argstr cluster mainnet_flight -o daedalusFlight};
 in {

profiles/desktopCraige.nix

@@ -1,4 +1,4 @@
-# Craige's desktop requirements
+# Craige's NixOS desktop requirements
 {
   config,
   pkgs,
@@ -14,11 +14,34 @@
   environment.systemPackages = with pkgs; [
     byobu # text-based window manager and terminal multiplexer.
     caprine-bin # an elegant Facebook Messenger desktop app
+    element-desktop # A feature-rich client for Matrix.org
+    enlightenment.terminology # Powerful terminal emulator based on EFL
+    firefox # A web browser built from Firefox source tree
+    ffmpeg-full # record, convert and stream audio and video
+    gimp # The GNU Image Manipulation Program
     gopass # password file manager
+    libreoffice # Comprehensive, professional-quality productivity suite
+    mpd # A flexible, powerful daemon for playing music
+    ncmpcpp # A featureful ncurses based MPD client inspired by ncmpc
+    nextcloud-client # Nextcloud themed desktop client
+    nvme-cli # NVM-Express user space tooling for Linux
+    pandoc # Conversion between documentation formats
+    pavucontrol # PulseAudio Volume Control
+    pwgen # Password generator
+    siji # An iconic bitmap font based on Stlarch with additional glyphs
     shared-mime-info # A database of common MIME types
+    shotwell # Photo organizer
+    signal-desktop # Private, simple, and secure messenger
+    sshfs # allows remote filesystems to be mounted over SSH
     sweethome3d.application # design and visualise homes
+    taskwarrior # Highly flexible command-line tool to manage TODO lists
     termonad # Terminal emulator configurable in Haskell
-    whalebird # Mastodon client
+    texliveFull # TeX Live environment
+    tmate # Instant Terminal Sharing
+    tor-browser-bundle-bin # Tor Browser Bundle built by torproject.org
+    tuba # Fediverse client
+    unzip # An extraction utility for archives compressed in .zip format
+    vcsh # Version Control System for $HOME
     yt-dlp # Command-line tool to download videos
   ];
 }

profiles/desktop_common.nix

@@ -26,11 +26,12 @@
     element-desktop # A feature-rich client for Matrix.org
     librewolf # Firefox fork, focused on privacy, security and freedom
     gnome.gnome-tweaks # A tool to customize advanced GNOME 3 options
-    google-chrome # A freeware web browser developed by Google
+    krita # A free and open source painting application
     libreoffice-fresh
     mplayer # A movie player that supports many video formats
     nextcloud-client # Nextcloud desktop client
     pwgen # Password generator
+    rsync
     shotwell # Photo organizer
     signal-desktop # Private, simple, and secure messenger
     usbutils # Tools for working with USB devices, such as lsusb
@@ -46,35 +47,58 @@
       true; # A daemon for delivering ACPI events to userspace programs
     blueman.enable = true; # GTK-based Bluetooth Manager
     devmon.enable = true; # Enable external device automounting.`
+    displayManager = {
+      defaultSession = "pantheon"; # Set GNOME as the default session
+    };
+    libinput = {
+      enable = true; # Enable touchpad support.
+      touchpad = {
+        tapping = true;
+        tappingButtonMap = "lrm"; # Set the touchpad button mappeing
+      };
+    };
     udev.packages = [
       pkgs.android-udev-rules # Android udev rules list
     ];
     udisks2.enable = true; # Enable udisks2
 
+    pantheon = {
+      apps.enable = true;
+      contractor.enable = true;
+    };
+
     xserver = {
       enable = true;
       desktopManager = {
-        gnome.enable = true; # Enable GNOME desktop environment
+        gnome.enable = false; # Enable GNOME desktop environment
+        pantheon.enable = true; # Enable Pantheon desktop environment
       };
       displayManager = {
-        defaultSession = "gnome"; # Set GNOME as the default session
-        gdm.enable = true; # Enable the GNOME display manager
+        gdm.enable = false; # Enable the GNOME display manager
+        lightdm.greeters.pantheon.enable = true;
       };
-      libinput.enable = true; # Enable touchpad support.
+    };
+
+    pipewire = {
+      enable = true;
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+      pulse.enable = true;
     };
   };
 
   sound.enable = true; # Enable sound.
+  security.rtkit.enable = true; # realtime scheduling for sound
 
   # Configure common hardware settings
   hardware = {
     pulseaudio = {
-      enable = true;
-      package = pkgs.pulseaudioFull;
+      enable = false;
     };
     bluetooth = {
       enable = true; # Enable bluetooth
-      hsphfpd.enable = true;
       settings = {
         General = {
           Enable = "Source,Sink,Media,Socket";
@@ -86,7 +110,7 @@
     opengl.enable = true;
   };
 
-  # Configure Firefox and Chromium
+  # Configure libreWolf and Chromium
   nixpkgs.config = {allowUnfree = true;};
 
   programs = {

profiles/forgejo.nix

@@ -1,121 +0,0 @@
-# NixOps configuration for the hosts running Forgejo
-{
-  config,
-  pkgs,
-  lib,
-  sources,
-  ...
-}: let
-  sources = import ../nix/sources.nix;
-  unstable = import sources.nixpkgsUnstable {};
-in {
-  services.gitea = {
-    enable = true; # Enable Forgejo
-    appName = "mcwhirter.io: Forgejo Service"; # Give the site a name
-    database = {
-      type = "postgres"; # Database type
-      passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
-    };
-    disableRegistration = true;
-    domain = "source.mcwhirter.io"; # Domain name
-    rootUrl = "https://source.mcwhirter.io/"; # Root web URL
-    httpPort = 3002; # Provided unique port
-    package = unstable.forgejo; # a soft fork of gitea
-    settings = let
-      docutils = pkgs.python39.withPackages (ps:
-        with ps; [
-          docutils # Provides rendering of ReStructured Text files
-          pygments # Provides syntax highlighting
-        ]);
-    in {
-      mailer = {
-        ENABLED = true;
-        FROM = "gitea@mcwhirter.io";
-      };
-      repository = {DEFAULT_BRANCH = "consensus";};
-      service = {REGISTER_EMAIL_CONFIRM = true;};
-      "markup.restructuredtext" = {
-        ENABLED = true;
-        FILE_EXTENSIONS = ".rst";
-        RENDER_COMMAND = "${docutils}/bin/rst2html.py";
-        IS_INPUT_FILE = false;
-      };
-      ui = {
-        DEFAULT_THEME = "forgejo-auto"; # Set the default theme
-        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,gitea";
-      };
-    };
-  };
-
-  systemd = {
-    services = {
-      gitea = {
-        # Ensure gitea starts after nixops keys are loaded
-        after = ["gitea-dbpass-key.service"];
-        wants = ["gitea-dbpass-key.service"];
-      };
-    };
-  };
-
-  services.postgresql = {
-    enable = true; # Ensure postgresql is enabled
-    authentication = ''
-      local gitea all ident map=gitea-users
-    '';
-    identMap =
-      # Map the gitea user to postgresql
-      ''
-        gitea-users gitea gitea
-      '';
-    ensureDatabases = ["gitea"]; # Ensure the database persists
-    ensureUsers = [
-      {
-        name = "gitea"; # Ensure the database user persists
-        ensurePermissions = {
-          # Ensure the database permissions persist
-          "DATABASE gitea" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
-      }
-    ];
-  };
-
-  services.postgresqlBackup.databases = ["gitea"];
-
-  services.nginx = {
-    enable = true; # Enable Nginx
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    virtualHosts."source.mcwhirter.io" = {
-      # Forgejo hostname
-      enableACME = true; # Use ACME certs
-      forceSSL = true; # Force SSL
-      locations."/".proxyPass = "http://localhost:3002/"; # Proxy Forgejo
-    };
-    virtualHosts."git.mcwhirter.io" = {
-      # Hostname to be redirected
-      enableACME = true; # Use ACME certs
-      forceSSL = true; # Force SSL
-      globalRedirect = "source.mcwhirter.io"; # Redirect permanently to the host
-    };
-    virtualHosts."code.mcwhirter.io" = {
-      # Hostname to be redirected
-      enableACME = true; # Use ACME certs
-      forceSSL = true; # Force SSL
-      globalRedirect = "source.mcwhirter.io"; # Redirect permanently to the host
-    };
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    certs = {
-      "code.mcwhirter.io".email = "craige@mcwhirter.io";
-      "git.mcwhirter.io".email = "craige@mcwhirter.io";
-      "source.mcwhirter.io".email = "craige@mcwhirter.io";
-    };
-  };
-
-  users.groups.keys.members = ["gitea"]; # Required due to NixOps issue #1204
-}

profiles/games-kids.nix

@@ -2,11 +2,9 @@
 {
   config,
   pkgs,
+  nixpkgsUnstable,
   ...
-}: let
-  sources = import ../nix/sources.nix;
-  unstable = import sources.nixpkgsUnstable {};
-in {
+}: {
   imports = [
     ../profiles/minecraftClient.nix # Play Minecraft :-)
   ];
@@ -20,7 +18,7 @@ in {
     freeciv # Multiplayer (or single player), turn-based strategy game
     freedroidrpg # Isometric 3D RPG similar to game Diablo
     gcompris # Educational software suite, kids aged 2 to 10
-    unstable.grapejuice # Simple Wine+Roblox management tool
+    nixpkgsUnstable.grapejuice # Simple Wine+Roblox management tool
     #lincity_ng      # City building game
     meritous # Action-adventure dungeon crawl game
     minetest # Infinite-world block sandbox game

profiles/gitea_home.nix

@@ -1,76 +0,0 @@
-# NixOps configuration for the hosts running Gitea
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  services.gitea = {
-    enable = true; # Enable Gitea
-    appName = "taigh,mcwhirter.io: Gitea Service"; # Give the site a name
-    database = {
-      type = "postgres"; # Database type
-      passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
-    };
-    domain = "source.taigh.mcwhirter.io"; # Domain name
-    rootUrl = "http://source.taigh.mcwhirter.io/"; # Root web URL
-    httpPort = 3001; # Provided unique port
-    extraConfig = let
-      docutils = pkgs.python37.withPackages (ps:
-        with ps; [
-          docutils # Provides rendering of ReStructured Text files
-          pygments # Provides syntax highlighting
-        ]);
-    in ''
-      [mailer]
-      ENABLED = true
-      FROM = "gitea@mcwhirter.io"
-      [service]
-      REGISTER_EMAIL_CONFIRM = true
-      [markup.restructuredtext]
-      ENABLED = true
-      FILE_EXTENSIONS = .rst
-      RENDER_COMMAND = ${docutils}/bin/rst2html.py
-      IS_INPUT_FILE = false
-    '';
-  };
-
-  services.postgresql = {
-    enable = true; # Ensure postgresql is enabled
-    authentication = ''
-      local gitea all ident map=gitea-users
-    '';
-    identMap =
-      # Map the gitea user to postgresql
-      ''
-        gitea-users gitea gitea
-      '';
-  };
-
-  services.nginx = {
-    enable = true; # Enable Nginx
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    #recommendedTlsSettings = true;
-    virtualHosts."source.taigh.mcwhirter.io" = {
-      # Gitea hostname
-      #enableACME = true;                                    # Use ACME certs
-      #forceSSL = true;                                      # Force SSL
-      locations."/".proxyPass = "http://localhost:3001/"; # Proxy Gitea
-    };
-  };
-
-  # Configure firewall defaults:
-  networking = {
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [80];
-      trustedInterfaces = ["lo"];
-    };
-  };
-
-  #security.acme.certs = {
-  #    "source.mcwhirter.io".email = "craige@mcwhirter.io";
-  #};
-}

profiles/host_common.nix

@@ -26,7 +26,7 @@
   # Set the defaul console properties
   console = {
     keyMap = "us"; # Set the default console key map
-    font = "ter-powerline-v16Rv"; # Set the default console font
+    font = "ter-powerline-v32n"; # Set the default console font
   };
 
   time.timeZone = "Australia/Brisbane"; # Set your preferred timezone:
@@ -37,12 +37,15 @@
   security.sudo.wheelNeedsPassword = false;
 
   # Configure and install required fonts
-  fonts.enableDefaultFonts = true;
-  fonts.fontDir.enable = true;
-  fonts.fonts = with pkgs; [
+  fonts = {
+    enableDefaultPackages = true;
+    fontDir.enable = true;
+    packages = with pkgs; [
       powerline-fonts # Required for Powerline prompts
+      powerline-symbols # Powerline symbols
     ];
-  fonts.fontconfig.includeUserConf = false;
+    fontconfig.includeUserConf = false;
+  };
 
   # Adapted from gchristensen and clever
   nix = {

profiles/iog.nix

@@ -3,15 +3,13 @@
   config,
   pkgs,
   lib,
+  nix,
   ...
-}: let
-  sources = import ../nix/sources.nix;
-  nixVersion = (import sources.nixpkgs {}).nixVersions.nix_2_13;
-in {
+}: {
   imports = [../profiles/terminal-recording.nix ../profiles/nix-direnv.nix];
 
   nix = {
-    package = nixVersion;
+    package = nix;
     settings = {
       substituters = [
         "https://cache.nixos.org"
@@ -38,9 +36,9 @@ in {
     systemPackages = with pkgs; [
       awscli # Unified tool to manage your AWS services
       bitwarden-cli # CLI client for Bitwarden
+      brave # Privacy-oriented browser
       buildkite-agent # Buildkite for IOHK
       cue # A data constraint language
-      discord # cross-platform voice and text chat
       docker # Pack, ship and run any application as a lightweight container
       docker-compose # Multi-container orchestration for Docker
       freerdp # A Remote Desktop Protocol Client, xfreerdp
@@ -50,7 +48,6 @@ in {
       jq # A lightweight and flexible command-line JSON processor
       keybase-gui # The Keybase official client
       magic-wormhole # Securely transfer data between computers
-      python38Packages.grip # Preview GitHub Markdown files like locally
       s3fs # Mount an S3 bucket as filesystem through FUSE
       shellcheck # Shell script analysis tool
       slack-dark # Slack desktop client
@@ -65,9 +62,6 @@ in {
 
   services = {
     keybase.enable = true;
-    #postgresql = {
-    #  enable = true;                  # Ensure postgresql is enabled
-    #  package = pkgs.postgresql_10;   # Set the required version, if needed
   };
 
   users.groups.docker.members = ["craige"];

profiles/ipv6.nix

@@ -0,0 +1,12 @@
+# NixOps configuration for the hosts running a TURN server (coturn)
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  networking = {
+    enableIPv6 = true;
+    tempAddresses = "disabled";
+  };
+}

profiles/mastodon.nix

@@ -17,6 +17,7 @@
       extraConfig = {
         WEB_DOMAIN = "social.mcwhirter.io";
       };
+      streamingProcesses = 5;
     };
   };
 
@@ -30,6 +31,8 @@
       # Required to redirect requests to the mastodon service
       "mcwhirter.io" = {
         locations."/.well-known/host-meta".extraConfig = "return 301 $scheme://social.mcwhirter.io$request_uri;";
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
       };
       "social.mcwhirter.io" = {
         enableACME = true; # Use ACME certs

profiles/matrix.nix

@@ -129,11 +129,7 @@
       ensureUsers = [
         {
           name = "matrix-synapse"; # Ensure the database user persists
-          ensurePermissions = {
-            # Ensure the database permissions persist
-            "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
-            "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-          };
+          ensureDBOwnership = true;
         }
       ];
       # Initial database creation

profiles/neovim.nix

@@ -11,6 +11,8 @@
       configure = {
         packages.myPlugins = with pkgs.vimPlugins; {
           start = [
+            ale # Asynchronous Lint Engine
+            deoplete-nvim # an extensible and asynchronous completion framework
             formatter-nvim # A format runner for neovim
             fugitive # Vim Git wrapper
             fzf-vim # Full path fuzzy file, buffer, mru, tag, finder for Vim
@@ -18,15 +20,15 @@
             indentLine # Display thin vertical lines at each indentation level
             lualine-nvim
             YouCompleteMe # A code-completion engine for Vim
+            neomake # asynchronously run programs like vim-terraform
             nerdcommenter # Comment functions so powerful—no comment necessary
             nerdtree # File system explorer
             nerdtree-git-plugin # Plugin for nerdtree showing git status
             nvim-treesitter # configurations and abstraction layer for Neovim.
             onedarkpro-nvim # Dark and light themes for Neovim
-            #statix                # Lints and suggestions for the nix programming language
             supertab # Allows you to use <Tab> for all your insert completion
-            syntastic # Syntax checking hacks
-            vim-addon-nix # Scripts assisting writing .nix files
+            vim-terraform # tab completion, syntax highlighting, indentation
+            vim-terraform-completion
             vim-cue # Cue filetype plugin for Vim
             vim-lastplace
             vim-markdown-toc # Generate table of contents for Markdown files
@@ -327,6 +329,7 @@
                 javascript = treefmt,
                 lua = treefmt,
                 mint = treefmt,
+                markdown = treefmt,
                 nix = treefmt,
                 rego = treefmt,
                 ruby = treefmt,

profiles/nextcloud.nix

@@ -20,15 +20,20 @@
       dbpassFile = "/run/keys/nextcloud-dbpass"; # Where to find the database password
       adminpassFile = "/run/keys/nextcloud-admin"; # Where to find the admin password
       adminuser = "root"; # Set the admin user name
-      overwriteProtocol = "https"; # Force Nextcloud to always use HTTPS
-      defaultPhoneRegion = "AU"; # Country code for automatic phone-number detection
     };
     autoUpdateApps = {
       enable = true; # Run regular auto update of all apps installed
       startAt = "01:00:00"; # When to run the update
     };
-    enableBrokenCiphersForSSE = false; # force upgrade to SSL v3
-    package = pkgs.nextcloud26;
+    package = pkgs.nextcloud29;
+    extraApps = with config.services.nextcloud.package.packages.apps; {
+      inherit calendar contacts deck gpoddersync notes tasks twofactor_webauthn;
+    };
+    extraAppsEnable = true;
+    settings = {
+      default_phone_region = "AU"; # Country code for automatic phone-number detection
+      overwriteprotocol = "https"; # Force Nextcloud to always use HTTPS
+    };
   };
 
   systemd = {
@@ -43,15 +48,19 @@
 
   services.postgresql = {
     enable = true; # Ensure postgresql is enabled
+    authentication = ''
+      local nextcloud all ident map=nextcloud-users
+    '';
+    identMap =
+      # Map the nextcloud user to postgresql
+      ''
+        nextcloud-users nextcloud nextcloud
+      '';
     ensureDatabases = ["nextcloud"]; # Ensure the database persists
     ensureUsers = [
       {
         name = "nextcloud"; # Ensure the database user persists
-        ensurePermissions = {
-          # Ensure the database permissions persist
-          "DATABASE nextcloud" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
   };
@@ -70,7 +79,8 @@
       forceSSL = true; # Force SSL
     };
     virtualHosts."owncloud.mcwhirter.io" = {
-      # Hostname to be redirected
+      enableACME = true;
+      forceSSL = true;
       globalRedirect = "cloud.mcwhirter.io"; # Redirect permanently to the host
     };
   };
@@ -83,7 +93,10 @@
 
   security.acme = {
     acceptTerms = true;
-    certs = {"cloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};};
+    certs = {
+      "cloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};
+      "owncloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};
+    };
   };
 
   users.groups.keys.members = ["nextcloud"]; # Required due to NixOps issue #1204

profiles/nix-community.nix

@@ -1,6 +1,10 @@
 # Use the Nix community aarch64 server as a build server
 # https://github.com/nix-community/aarch64-build-box
 {
+  programs.ssh.knownHosts."aarch64.nixos.community" = {
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds";
+  };
+
   nix = {
     distributedBuilds = true;
     buildMachines = [

profiles/nix-direnv.nix

@@ -23,7 +23,7 @@
 
   nixpkgs.overlays = [
     (self: super: {
-      nix-direnv = super.nix-direnv.override {enableFlakes = true;};
+      #nix-direnv = super.nix-direnv.override {enableFlakes = true;};
     })
   ];
 }

profiles/nixpkgs-dev.nix

@@ -15,10 +15,10 @@
   environment = {
     systemPackages = with pkgs; [
       cabal2nix # Convert Cabal files into Nix build instructions
-      nixfmt # An opinionated formatter for Nix
+      nixfmt-rfc-style # An opinionated formatter for Nix
       nix-prefetch-github # Prefetch sources from github
       nix-prefetch-git # Prefetch sources from git
-      nix-review # Review pull-requests on https://github.com/NixOS/nixpkgs
+      nixpkgs-review # Review pull-requests on https://github.com/NixOS/nixpkgs
       nix-top # Tracks what nix is building
       nix-universal-prefetch # Uses nixpkgs fetchers to figure out hashes
       nodePackages.node2nix # Generate Nix expressions to build NPM packages

profiles/pantheon.nix

@@ -0,0 +1,24 @@
+# Configuration for my pantheon desktop requirements
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services = {
+    libinput.enable = true; # Enable touchpad support.
+    pantheon = {
+      apps.enable = true;
+      contractor.enable = true;
+    };
+    xserver = {
+      enable = true; # Enable the X11 windowing system.
+      desktopManager = {
+        pantheon.enable = true;
+      };
+    };
+  };
+  programs = {
+    dconf.enable = true;
+    pantheon-tweaks.enable = true; # additional system settings
+  };
+}

profiles/pipewire.nix

@@ -0,0 +1,31 @@
+# Common configuration for pipewire on MIO desktops
+{
+  config,
+  pkgs,
+  ...
+}: {
+  security.rtkit.enable = true;
+
+  services = {
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+    };
+  };
+
+  environment.etc = {
+    "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
+      bluez_monitor.properties = {
+      	["bluez5.enable-sbc-xq"] = true,
+      	["bluez5.enable-msbc"] = true,
+      	["bluez5.enable-hw-volume"] = true,
+      	["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+      }
+    '';
+  };
+
+  hardware.pulseaudio.enable = false;
+  sound.enable = true; # Enable sound.
+}

profiles/powerManagement.nix

@@ -13,10 +13,29 @@
 
   services = {
     logind = {
-      lidSwitch = "hibernate";
+      lidSwitch = "suspend-then-hibernate";
       lidSwitchDocked = "ignore";
+      # powerKey = "suspend-then-hibernate"; # Enable in 23.11
+      extraConfig = ''
+        HandlePowerKey=suspend-then-hibernate
+        IdleAction=suspend-then-hibernate
+        IdleActionSec=10m
+      '';
+    };
+    thermald.enable = true;
+    auto-cpufreq = {
+      enable = true;
+      settings = {
+        battery = {
+          governor = "powersave";
+          turbo = "never";
+        };
+        charger = {
+          governor = "performance";
+          turbo = "auto";
+        };
+      };
     };
-    tlp.enable = false;
     upower = {
       enable = true; # Enable application power managemetn support
       percentageCritical = 15;
@@ -24,4 +43,14 @@
       criticalPowerAction = "Hibernate";
     };
   };
+
+  programs.xss-lock = {
+    enable = true;
+    lockerCommand = "${pkgs.xscreensaver}/bin/screensaver-command -lock";
+    extraOptions = [
+      "-n ${pkgs.libnotify}/bin/notify-send \"Locking screen now\""
+      "IdleAction=lock"
+      "IdleActionSec=5m"
+    ];
+  };
 }

profiles/server_common.nix

@@ -4,10 +4,7 @@
   pkgs,
   lib,
   ...
-}: let
-  sources = import ../nix/sources.nix;
-  nixpkgs2111 = (import sources.nixos2111 {}).pkgs;
-in {
+}: {
   imports = [
     ../profiles/openssh.nix
     ../secrets/user-craige.nix
@@ -20,7 +17,7 @@ in {
   };
 
   services.postgresql = {
-    package = pkgs.postgresql_11;
+    package = pkgs.postgresql_16;
   };
 
   security.polkit.enable = false; # avoid CVE-2021-4034 (PwnKit)

profiles/steam.nix

@@ -0,0 +1,19 @@
+# Steam configuration for NixOS
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+  };
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) [
+      "steam"
+      "steam-original"
+      "steam-run"
+    ];
+}

profiles/taskserver.nix

@@ -9,6 +9,7 @@
     enable = true; # Enable Taskwarrior server
     fqdn = "task.mcwhirter.io"; # Server's public domain name
     listenHost = "task.mcwhirter.io"; # Sets listening IP & opens firewall
+    openFirewall = true;
     organisations = {
       teaghlach = {
         groups = ["teaghlach"];

profiles/tt-rss.nix

@@ -34,11 +34,7 @@
     ensureUsers = [
       {
         name = "tt_rss"; # Ensure the database user persists
-        ensurePermissions = {
-          # Ensure the database permissions persist
-          "DATABASE tt_rss" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
   };

profiles/xmonad.nix

@@ -8,6 +8,17 @@
 
   services = {
     devmon.enable = true; # Enable external device automounting.
+    displayManager = {
+      defaultSession = "none+xmonad"; # Set to use xmonad as default
+      sddm.enable = false; # Enable the Plasma display manager
+    };
+    libinput = {
+      enable = true; # Enable touchpad support.
+      touchpad = {
+        tapping = true;
+        tappingButtonMap = "lrm"; # Set the touchpad button mappeing
+      };
+    };
     udisks2.enable = true; # Enable udisks2.
 
     xserver = {
@@ -18,12 +29,9 @@
         plasma5.enable = true; # Enable Plasma desktop environment
       };
       displayManager = {
-        defaultSession = "none+xmonad"; # Set KDE configured to use xmonad as default
         gdm.enable = false; # Enable the GNOME display manager
-        sddm.enable = true; # Enable the Plasma display manager
+        lightdm.greeters.pantheon.enable = true;
       };
-      layout = "us"; # Set your preferred keyboard layout.
-      libinput.enable = true; # Enable touchpad support.
       windowManager = {
         # Open configuration for the window manager.
         xmonad.enable = true; # Enable xmonad.
@@ -37,6 +45,7 @@
           haskellPackages.xmonad
         ];
       };
+      xkb.layout = "us"; # Set your preferred keyboard layout.
     };
   };
 
@@ -48,22 +57,31 @@
   };
 
   # Install any additional fonts that I require to be used with xmonad
-  fonts.fonts = with pkgs; [
-    open-sans # Used in in my xmobar configuration
+  fonts.packages = with pkgs; [
+    open-sans # Used in in my polybar configuration
+    siji # An iconic bitmap font based on Stlarch with additional glyphs
   ];
 
   # Install other packages that I require to be used with xmonad.
   environment.systemPackages = with pkgs; [
+    dunst # Lightweight and customizable notification daemon
     feh # A light-weight image viewer to set backgrounds
-    haskellPackages.libmpd # Shows MPD status in xmobar
+    haskellPackages.libmpd # Shows MPD status in polybar
     mpc_cli # CLI for MPD, called from xmonad
     libnotify # Notification client for my Xmonad setup
-    scrot # CLI screen capture utility
+    polybarFull # A fast and easy-to-use tool for creating status bars
+    rofi # run dialog and dmenu replacement
+    flameshot # Powerful yet simple to use screenshot software
     xbrightness # X11 brigthness and gamma software control
     xflux # Adjusts your screen to emit warmer light at night
     xorg.xrandr # CLI to X11 RandR extension
     xscreensaver # My preferred screensaver
+    (haskellPackages.ghcWithPackages (hpkgs: [
+      hpkgs.xmonad
+      hpkgs.xmonad-contrib
+    ]))
   ];
 
   programs.dconf.enable = true;
+  programs.light.enable = true; # install backlight control and udev rules
 }

profiles/yubikey.nix

@@ -40,8 +40,8 @@
   environment = {
     systemPackages = with pkgs; [
       paperkey # Store OpenPGP or GnuPG on paper
-      pinentry_curses # GnuPG’s interface to passphrase input
-      pinentry_qt # GnuPG’s interface to passphrase input
+      pinentry-curses # GnuPG’s interface to passphrase input
+      pinentry-qt # GnuPG’s interface to passphrase input
       yubikey-manager # CLI tool for configuring any YubiKey over USB
       yubikey-manager-qt # Configure any YubiKey over USB interfaces
       yubikey-personalization # Lib & CLI tool to personalize YubiKeys
@@ -57,10 +57,10 @@
 
   programs = {
     ssh.startAgent = false; # Disable the SSH Agent
-    gnupg.agent = {
+    gnupg.agent = with pkgs; {
       enable = true; # Enable GPG Agent
       enableSSHSupport = true; # Enable SSH agent support in GnuPG agent
-      pinentryFlavor = "qt";
+      pinentryPackage = pinentry-qt;
     };
   };
 }

shell.nix

@@ -0,0 +1,15 @@
+{
+  pkgs ? import <nixpkgs> {},
+  mkShell,
+  alejandra,
+  nix,
+}:
+with pkgs;
+  mkShell {
+    buildInputs = [
+      alejandra # The Uncompromising Nix Code Formatter
+      nix # Powerful package manager, makes packaging reliable & reproducible
+      tea # Gitea official CLI client
+      treefmt # one CLI to format the code tree
+    ];
+  }