tidy files, switch to alejandra for formatting, add private aliases to mailserver

data/normal_drive_data.nix

@@ -1,4 +1,4 @@
-{ }: rec {
+{}: rec {
   # Mountpoints
   root_mountpoint = "/";
   boot_mountpoint = "/boot";

data/usb_data.nix

@@ -1,4 +1,4 @@
-{ ... }: rec {
+{}: rec {
   # Mountpoints
   mountpoint = "/usb";
 

deployNodes.nix

@@ -1,5 +1,9 @@
-{ nixosConfigurations, deploy-rs, ... }:
+{
-let activateNixOS_x64_64-linux = deploy-rs.lib.x86_64-linux.activate.nixos;
+  nixosConfigurations,
+  deploy-rs,
+  ...
+}: let
+  activateNixOS_x64_64-linux = deploy-rs.lib.x86_64-linux.activate.nixos;
 in {
   tablet = {
     hostname = "tablet.internal.genderfucked.monster";

extras/mk-enc-usb.nix

@@ -1,31 +1,33 @@
-{ stdenv, bash, parted, cryptsetup, e2fsprogs }:
+{
-let usb_data = import ../hosts/lappy/hardware/usb_data.nix { };
+  stdenv,
-in stdenv.mkDerivation {
+  bash,
-  name = "mk-enc-usb";
+  parted,
-  src = ./mk-enc-usb.sh;
+  cryptsetup,
-  unpackPhase = ''
+  e2fsprogs,
-    for srcFile in $src; do
+}: let
-      cp $srcFile $(stripHash $srcFile)
+  usb_data = import ../hosts/lappy/hardware/usb_data.nix {};
-    done
+in
-  '';
+  stdenv.mkDerivation {
+    name = "mk-enc-usb";
+    src = ./mk-enc-usb.sh;
+    unpackPhase = ''
+      for srcFile in $src; do
+        cp $srcFile $(stripHash $srcFile)
+      done
+    '';
 
-  inherit bash;
+    inherit bash parted cryptsetup e2fsprogs;
-  inherit parted;
-  inherit cryptsetup;
-  inherit e2fsprogs;
 
-  patchPhase = ''
+    patchPhase = ''
-    substituteAllInPlace mk-enc-usb.sh
+      substituteAllInPlace mk-enc-usb.sh
-    substituteInPlace mk-enc-usb.sh \
+      substituteInPlace mk-enc-usb.sh \
-      --replace "@TEST@" "nyaaaaa" \
+        --replace "@USB_ENCRYPTED_PARTLABEL@" "${usb_data.encrypted_partlabel}" \
-      --replace "@USB_ENCRYPTED_PARTLABEL@" "${usb_data.encrypted_partlabel}" \
+        --replace "@USB_UNENCRYPTED_LABEL@" "${usb_data.unencrypted_label}"
-      --replace "@USB_UNENCRYPTED_LABEL@" "${usb_data.unencrypted_label}"
+    '';
 
-  '';
+    installPhase = ''
-
+      mkdir -p $out/bin
-  installPhase = ''
+      cp mk-enc-usb.sh $out/bin/mk-enc-usb
-    mkdir -p $out/bin
+      chmod +x $out/bin/mk-enc-usb
-    cp mk-enc-usb.sh $out/bin/mk-enc-usb
+    '';
-    chmod +x $out/bin/mk-enc-usb
+  }
-  '';
-}

extras/mk-normal-enc-ssd.nix

@@ -1,31 +1,35 @@
-{ stdenv, bash, parted, cryptsetup, e2fsprogs, dosfstools }:
+{
-let ssd_data = import ../hosts/normal-enc/hardware/ssd_data.nix { };
+  stdenv,
-in stdenv.mkDerivation {
+  bash,
-  name = "mk-normal-enc-ssd";
+  parted,
-  src = ./mk-normal-enc-ssd.sh;
+  cryptsetup,
-  unpackPhase = ''
+  e2fsprogs,
-    for srcFile in $src; do
+  dosfstools,
-      cp $srcFile $(stripHash $srcFile)
+}: let
-    done
+  ssd_data = import ../hosts/normal-enc/hardware/ssd_data.nix {};
-  '';
+in
+  stdenv.mkDerivation {
+    name = "mk-normal-enc-ssd";
+    src = ./mk-normal-enc-ssd.sh;
+    unpackPhase = ''
+      for srcFile in $src; do
+        cp $srcFile $(stripHash $srcFile)
+      done
+    '';
 
-  inherit bash;
+    inherit bash parted cryptsetup e2fsprogs dosfstools;
-  inherit parted;
-  inherit cryptsetup;
-  inherit e2fsprogs;
-  inherit dosfstools;
 
-  patchPhase = ''
+    patchPhase = ''
-    substituteAllInPlace mk-normal-enc-ssd.sh
+      substituteAllInPlace mk-normal-enc-ssd.sh
-    substituteInPlace mk-normal-enc-ssd.sh \
+      substituteInPlace mk-normal-enc-ssd.sh \
-      --replace "@SSD_ENCRYPTED_PARTLABEL@" "${ssd_data.encrypted_root_partlabel}" \
+        --replace "@SSD_ENCRYPTED_PARTLABEL@" "${ssd_data.encrypted_root_partlabel}" \
-      --replace "@SSD_UNENCRYPTED_LABEL@" "${ssd_data.unencrypted_root_label}" \
+        --replace "@SSD_UNENCRYPTED_LABEL@" "${ssd_data.unencrypted_root_label}" \
-      --replace "@SSD_BOOT_LABEL@" "${ssd_data.boot_label}"
+        --replace "@SSD_BOOT_LABEL@" "${ssd_data.boot_label}"
-  '';
+    '';
 
-  installPhase = ''
+    installPhase = ''
-    mkdir -p $out/bin
+      mkdir -p $out/bin
-    cp mk-normal-enc-ssd.sh $out/bin/mk-normal-enc-ssd
+      cp mk-normal-enc-ssd.sh $out/bin/mk-normal-enc-ssd
-    chmod +x $out/bin/mk-normal-enc-ssd
+      chmod +x $out/bin/mk-normal-enc-ssd
-  '';
+    '';
-}
+  }

extras/shenanigans-hotspot.nix

@@ -1,5 +1,11 @@
-{ lib, pkgs, nixpkgs, config, tree, ... }:
+{
-let
+  lib,
+  pkgs,
+  nixpkgs,
+  config,
+  tree,
+  ...
+}: let
   wifiInterface = "shenanigans0";
   wifiMac = "00:0F:55:A8:2B:8E";
 
@@ -9,7 +15,7 @@ let
   ssid = "Shenanigans";
   password = "password123";
 in {
-  boot.extraModulePackages = with config.boot.kernelPackages; [ rtl8812au ];
+  boot.extraModulePackages = with config.boot.kernelPackages; [rtl8812au];
   nixpkgs.config.allowBroken = true;
 
   services.udev.extraRules = ''
@@ -21,15 +27,19 @@ in {
     }", NAME="${usbethInterface}"
   '';
 
-  networking.interfaces."${wifiInterface}".ipv4.addresses = [{
+  networking.interfaces."${wifiInterface}".ipv4.addresses = [
-    address = "192.168.2.1";
+    {
-    prefixLength = 24;
+      address = "192.168.2.1";
-  }];
+      prefixLength = 24;
+    }
+  ];
 
-  networking.interfaces."${usbethInterface}".ipv4.addresses = [{
+  networking.interfaces."${usbethInterface}".ipv4.addresses = [
-    address = "192.168.2.1";
+    {
-    prefixLength = 24;
+      address = "192.168.2.1";
-  }];
+      prefixLength = 24;
+    }
+  ];
 
   networking.networkmanager.unmanaged = [
     # Wifi
@@ -39,11 +49,12 @@ in {
     "mac:${usbethMac}"
   ];
 
-  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
+  systemd.services.wifi-relay = let
+    inherit (pkgs) iptables gnugrep;
   in {
     description = "iptables rules for wifi-relay";
-    after = [ "dhcpd4.service" ];
+    after = ["dhcpd4.service"];
-    wantedBy = [ "multi-user.target" ];
+    wantedBy = ["multi-user.target"];
     script = ''
       ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o ${wifiInterface} -j MASQUERADE
       ${iptables}/bin/iptables -w -I FORWARD -i ${wifiInterface} -s 192.168.2.0/24 -j ACCEPT
@@ -55,13 +66,13 @@ in {
   };
 
   networking.firewall = {
-    trustedInterfaces = [ wifiInterface usbethInterface ];
+    trustedInterfaces = [wifiInterface usbethInterface];
     checkReversePath = lib.mkForce false;
-    allowedTCPPorts = [ 53 80 443 ];
+    allowedTCPPorts = [53 80 443];
   };
 
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  networking.firewall.allowedUDPPorts = [ 53 67 ];
+  networking.firewall.allowedUDPPorts = [53 67];
 
   services.hostapd = {
     enable = true;
@@ -72,7 +83,7 @@ in {
 
   services.dhcpd4 = {
     enable = true;
-    interfaces = [ "${usbethInterface}" ];
+    interfaces = ["${usbethInterface}"];
     extraConfig = ''
       subnet 192.168.2.0 netmask 255.255.255.0 {
         range 192.168.2.100 192.168.2.200;

flake.lock

@@ -138,11 +138,11 @@
         "utils": "utils_4"
       },
       "locked": {
-        "lastModified": 1670058827,
+        "lastModified": 1670157315,
-        "narHash": "sha256-T+yyncPpZWeIkFrG/Cgj21iopULY3BZGWIhcT5ZmCgM=",
+        "narHash": "sha256-GMeuuDKTaqnYFGQA3ZqlLoeeWi30RdJZV+ukOnTCu+w=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "eb3598cf44aa10f2a16fe38488a102c0f474d766",
+        "rev": "17bbfcb82458ac2270dec71ce1f7044deb4f1ca3",
         "type": "github"
       },
       "original": {
@@ -191,11 +191,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1669791787,
+        "lastModified": 1670064435,
-        "narHash": "sha256-KBfoA2fOI5+wCrm7PR+j7jHqXeTkVRPQ0m5fcKchyuU=",
+        "narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e76c78d20685a043d23f5f9e0ccd2203997f1fb1",
+        "rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c",
         "type": "github"
       },
       "original": {
@@ -240,11 +240,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1669922720,
+        "lastModified": 1670085069,
-        "narHash": "sha256-xzoKL4RtKRECdrWHAM14OBaNdJRToc+AA9zmUWuo5eY=",
+        "narHash": "sha256-IO9HcAjncPp/0sUGcCUWVwa0XoBVFQKx+oY+8EBRcTc=",
         "owner": "kittywitch",
         "repo": "tree",
-        "rev": "fbe8ae96d7f4fb369d32dbbe8434606b23354caf",
+        "rev": "501675588cb663a9bd18056002de697f4e91b667",
         "type": "github"
       },
       "original": {

flake.nix

@@ -13,8 +13,7 @@
     tree-input.inputs.nixpkgs.follows = "nixpkgs-unstable";
 
     # update whenever
-    nixpkgs-fixed.url =
+    nixpkgs-fixed.url = "github:nixos/nixpkgs/?branch=nixos-unstable&rev=e76c78d20685a043d23f5f9e0ccd2203997f1fb1";
-      "github:nixos/nixpkgs/?branch=nixos-unstable&rev=e76c78d20685a043d23f5f9e0ccd2203997f1fb1";
 
     nur.url = "github:nix-community/NUR";
 
@@ -31,5 +30,5 @@
     gitlab_artifacts_sync.inputs.nixpkgs.follows = "nixpkgs-fixed";
   };
 
-  outputs = { ... }@inputs: import ./outputs.nix inputs;
+  outputs = {...} @ inputs: import ./outputs.nix inputs;
 }

home/apps/aegisub.nix

@@ -1,7 +0,0 @@
-{ pkgs, ... }: {
-  home.packages = with pkgs;
-    [
-      # NOINLINE
-      aegisub
-    ];
-}

home/apps/aria2.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{...}: {
   programs.aria2 = {
     enable = true;
     settings = {
@@ -10,9 +10,7 @@
       dht-entry-point = "dht.transmissionbt.com:6881";
       dht-entry-point6 = "dht.transmissionbt.com:6881";
       enable-peer-exchange = true;
-      bt-tracker =
+      bt-tracker = "udp://tracker.coppersurfer.tk:6969/announce,udp://tracker.leechers-paradise.org:6969/announce,udp://tracker.opentrackr.org:1337/announce,udp://9.rarbg.to:2710/announce,udp://exodus.desync.com:6969/announce,udp://tracker.openbittorrent.com:80/announce,udp://tracker.tiny-vps.com:6969/announce,udp://retracker.lanta-net.ru:2710/announce,udp://tracker.torrent.eu.org:451/announce,udp://tracker.cyberia.is:6969/announce,udp://torrentclub.tech:6969/announce,udp://open.stealth.si:80/announce,udp://denis.stalker.upeer.me:6969/announce,udp://tracker.moeking.me:6969/announce,udp://open.demonii.si:1337/announce,udp://ipv4.tracker.harry.lu:80/announce,udp://tracker3.itzmx.com:6961/announce,udp://explodie.org:6969/announce,udp://valakas.rollo.dnsabr.com:2710/announce,udp://tracker.nyaa.uk:6969/announce,udp://tracker.iamhansen.xyz:2000/announce,udp://tracker.filepit.to:6969/announce,udp://tracker-udp.gbitt.info:80/announce,udp://retracker.netbynet.ru:2710/announce,udp://retracker.akado-ural.ru:80/announce,udp://opentor.org:2710/announce,udp://tracker.yoshi210.com:6969/announce,udp://tracker.filemail.com:6969/announce,udp://tracker.ds.is:6969/announce,udp://newtoncity.org:6969/announce,udp://bt2.archive.org:6969/announce,udp://bt1.archive.org:6969/announce,https://tracker.fastdownload.xyz:443/announce,https://opentracker.xyz:443/announce,https://opentracker.co:443/announce,http://tracker.bt4g.com:2095/announce,http://opentracker.xyz:80/announce,http://open.trackerlist.xyz:80/announce,http://h4.trakx.nibba.trade:80/announce,udp://xxxtor.com:2710/announce,udp://tracker.uw0.xyz:6969/announce,udp://tracker.tvunderground.org.ru:3218/announce,udp://tracker.nextrp.ru:6969/announce,udp://tracker.msm8916.com:6969/announce,udp://tracker.lelux.fi:6969/announce,udp://retracker.sevstar.net:2710/announce,udp://npserver.intranet.pw:4201/announce,https://tracker.nanoha.org:443/announce,https://tracker.hama3.net:443/announce,http://www.proxmox.com:6969/announce,http://tracker.tvunderground.org.ru:3218/announce,http://tracker.opentrackr.org:1337/announce,http://tracker.bz:80/announce,http://torrentclub.tech:6969/announce,http://t.nyaatracker.com:80/announce,http://retracker.sevstar.net:2710/announce,http://open.acgtracker.com:1096/announce,http://explodie.org:6969/announce,udp://tracker4.itzmx.com:2710/announce,udp://tracker2.itzmx.com:6961/announce,udp://tracker.swateam.org.uk:2710/announce,udp://tr.bangumi.moe:6969/announce,udp://qg.lorzl.gq:2710/announce,udp://chihaya.toss.li:9696/announce,https://tracker.vectahosting.eu:2053/announce,https://tracker.lelux.fi:443/announce,https://tracker.gbitt.info:443/announce,https://opentracker.acgnx.se:443/announce,http://www.loushao.net:8080/announce,http://vps02.net.orel.ru:80/announce,http://tracker4.itzmx.com:2710/announce,http://tracker3.itzmx.com:6961/announce,http://tracker2.itzmx.com:6961/announce,http://tracker1.itzmx.com:8080/announce,http://tracker01.loveapp.com:6789/announce,http://tracker.yoshi210.com:6969/announce,http://tracker.torrentyorg.pl:80/announce,http://tracker.lelux.fi:80/announce,http://tracker.gbitt.info:80/announce,http://tracker.frozen-layer.net:6969/announce,http://sukebei.tracker.wf:8888/announce,http://pow7.com:80/announce,http://opentracker.acgnx.se:80/announce,http://open.acgnxtracker.com:80/announce,http://newtoncity.org:6969/announce,http://mail2.zelenaya.net:80/announce,http://bt-tracker.gamexp.ru:2710/announce,http://acg.rip:6699/announce";
-        "udp://tracker.coppersurfer.tk:6969/announce,udp://tracker.leechers-paradise.org:6969/announce,udp://tracker.opentrackr.org:1337/announce,udp://9.rarbg.to:2710/announce,udp://exodus.desync.com:6969/announce,udp://tracker.openbittorrent.com:80/announce,udp://tracker.tiny-vps.com:6969/announce,udp://retracker.lanta-net.ru:2710/announce,udp://tracker.torrent.eu.org:451/announce,udp://tracker.cyberia.is:6969/announce,udp://torrentclub.tech:6969/announce,udp://open.stealth.si:80/announce,udp://denis.stalker.upeer.me:6969/announce,udp://tracker.moeking.me:6969/announce,udp://open.demonii.si:1337/announce,udp://ipv4.tracker.harry.lu:80/announce,udp://tracker3.itzmx.com:6961/announce,udp://explodie.org:6969/announce,udp://valakas.rollo.dnsabr.com:2710/announce,udp://tracker.nyaa.uk:6969/announce,udp://tracker.iamhansen.xyz:2000/announce,udp://tracker.filepit.to:6969/announce,udp://tracker-udp.gbitt.info:80/announce,udp://retracker.netbynet.ru:2710/announce,udp://retracker.akado-ural.ru:80/announce,udp://opentor.org:2710/announce,udp://tracker.yoshi210.com:6969/announce,udp://tracker.filemail.com:6969/announce,udp://tracker.ds.is:6969/announce,udp://newtoncity.org:6969/announce,udp://bt2.archive.org:6969/announce,udp://bt1.archive.org:6969/announce,https://tracker.fastdownload.xyz:443/announce,https://opentracker.xyz:443/announce,https://opentracker.co:443/announce,http://tracker.bt4g.com:2095/announce,http://opentracker.xyz:80/announce,http://open.trackerlist.xyz:80/announce,http://h4.trakx.nibba.trade:80/announce,udp://xxxtor.com:2710/announce,udp://tracker.uw0.xyz:6969/announce,udp://tracker.tvunderground.org.ru:3218/announce,udp://tracker.nextrp.ru:6969/announce,udp://tracker.msm8916.com:6969/announce,udp://tracker.lelux.fi:6969/announce,udp://retracker.sevstar.net:2710/announce,udp://npserver.intranet.pw:4201/announce,https://tracker.nanoha.org:443/announce,https://tracker.hama3.net:443/announce,http://www.proxmox.com:6969/announce,http://tracker.tvunderground.org.ru:3218/announce,http://tracker.opentrackr.org:1337/announce,http://tracker.bz:80/announce,http://torrentclub.tech:6969/announce,http://t.nyaatracker.com:80/announce,http://retracker.sevstar.net:2710/announce,http://open.acgtracker.com:1096/announce,http://explodie.org:6969/announce,udp://tracker4.itzmx.com:2710/announce,udp://tracker2.itzmx.com:6961/announce,udp://tracker.swateam.org.uk:2710/announce,udp://tr.bangumi.moe:6969/announce,udp://qg.lorzl.gq:2710/announce,udp://chihaya.toss.li:9696/announce,https://tracker.vectahosting.eu:2053/announce,https://tracker.lelux.fi:443/announce,https://tracker.gbitt.info:443/announce,https://opentracker.acgnx.se:443/announce,http://www.loushao.net:8080/announce,http://vps02.net.orel.ru:80/announce,http://tracker4.itzmx.com:2710/announce,http://tracker3.itzmx.com:6961/announce,http://tracker2.itzmx.com:6961/announce,http://tracker1.itzmx.com:8080/announce,http://tracker01.loveapp.com:6789/announce,http://tracker.yoshi210.com:6969/announce,http://tracker.torrentyorg.pl:80/announce,http://tracker.lelux.fi:80/announce,http://tracker.gbitt.info:80/announce,http://tracker.frozen-layer.net:6969/announce,http://sukebei.tracker.wf:8888/announce,http://pow7.com:80/announce,http://opentracker.acgnx.se:80/announce,http://open.acgnxtracker.com:80/announce,http://newtoncity.org:6969/announce,http://mail2.zelenaya.net:80/announce,http://bt-tracker.gamexp.ru:2710/announce,http://acg.rip:6699/announce";
-
     };
   };
 }

home/apps/file-roller.nix

@@ -1 +1 @@
-{ config, pkgs, ... }: { home.packages = with pkgs; [ gnome.file-roller ]; }
+{pkgs, ...}: {home.packages = with pkgs; [gnome.file-roller];}

home/apps/firefox.nix

@@ -1,5 +1,9 @@
-{ config, nixosConfig, pkgs, ... }:
+{
-let isGnome = nixosConfig.services.xserver.desktopManager.gnome.enable;
+  nixosConfig,
+  pkgs,
+  ...
+}: let
+  isGnome = nixosConfig.services.xserver.desktopManager.gnome.enable;
 in {
   programs.firefox = {
     enable = true;
@@ -79,7 +83,7 @@ in {
         "browser.safebrowsing.malware.enabled" = false;
         "browser.safebrowsing.downloads.enabled" = false;
 
-        # don't let websites replace right click 
+        # don't let websites replace right click
         "dom.event.contextmenu.enabled" = false;
 
         # disable geoip
@@ -106,9 +110,8 @@ in {
           ];
           newElementCount = 22;
           placements = {
-            PersonalToolbar = [ "import-button" "personal-bookmarks" ];
+            PersonalToolbar = ["import-button" "personal-bookmarks"];
-            TabsToolbar =
+            TabsToolbar = ["tabbrowser-tabs" "new-tab-button" "alltabs-button"];
-              [ "tabbrowser-tabs" "new-tab-button" "alltabs-button" ];
             nav-bar = [
               "back-button"
               "forward-button"
@@ -120,7 +123,7 @@ in {
               "_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action"
               "offline-qr-code_rugk_github_io-browser-action"
             ];
-            toolbar-menubar = [ "menubar-items" ];
+            toolbar-menubar = ["menubar-items"];
             widget-overflow-fixed-list = [
               "a11y_css_ffoodd-browser-action"
               "dontfuckwithpaste_raim_ist-browser-action"

home/apps/kitty.nix

@@ -1,6 +1,4 @@
-{ config, nixosConfig, ... }:
+{nixosConfig, ...}: {
-
-{
   wayland.windowManager.sway.extraSessionCommands = ''
     export KITTY_CACHE_DIRECTORY="/tmp/kitty";
   '';
@@ -9,7 +7,9 @@
     font.name = "Comic Code";
     settings = {
       font_size =
-        if nixosConfig.networking.hostName == "tablet" then 12 else 20;
+        if nixosConfig.networking.hostName == "tablet"
+        then 12
+        else 20;
       bold_font = "auto";
       italic_font = "auto";
       bold_italic_font = "auto";

home/apps/mpv.nix

@@ -1,11 +1,10 @@
-{ config, pkgs, ... }:
+{pkgs, ...}: let
-let
+  listen-password-file =
-  listen-password-file = if pkgs.stdenv.isLinux then
+    if pkgs.stdenv.isLinux
-    "/secrets/music_stream_password"
+    then "/secrets/music_stream_password"
-  else
+    else "$HOME/.secrets/music_stream_password";
-    "$HOME/.secrets/music_stream_password";
 in {
-  home.packages = with pkgs; [ mpv ffmpeg yt-dlp ];
+  home.packages = with pkgs; [mpv ffmpeg yt-dlp];
   programs.mpv = {
     enable = true;
     config = {

home/apps/mullvad.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ mullvad-vpn ]; }
+{pkgs, ...}: {home.packages = with pkgs; [mullvad-vpn];}

home/apps/musicutil.nix

@@ -1 +1 @@
-{ inputs, pkgs, ... }: { home.packages = with pkgs; [ musicutil ]; }
+{pkgs, ...}: {home.packages = with pkgs; [musicutil];}

home/apps/nautilus.nix

@@ -1 +1 @@
-{ config, pkgs, ... }: { home.packages = with pkgs; [ gnome.nautilus ]; }
+{pkgs, ...}: {home.packages = with pkgs; [gnome.nautilus];}

home/apps/nicotine-plus.nix

@@ -1 +1 @@
-{ config, pkgs, ... }: { home.packages = with pkgs; [ nicotine-plus ]; }
+{pkgs, ...}: {home.packages = with pkgs; [nicotine-plus];}

home/apps/obsidian.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ obsidian ]; }
+{pkgs, ...}: {home.packages = with pkgs; [obsidian];}

home/apps/pavucontrol.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ pavucontrol ]; }
+{pkgs, ...}: {home.packages = with pkgs; [pavucontrol];}

home/apps/quassel.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
-  home.packages = with pkgs; [ quasselClient ];
+  home.packages = with pkgs; [quasselClient];
   xdg.configFile."quassel-irc.org/style.qss".source = ./quassel-style.qss;
 }

home/apps/rclone.nix

@@ -1 +1 @@
-{ config, pkgs, ... }: { home.packages = with pkgs; [ rclone ]; }
+{pkgs, ...}: {home.packages = with pkgs; [rclone];}

home/apps/restic.nix

@@ -1 +1 @@
-{ config, pkgs, ... }: { home.packages = with pkgs; [ restic ]; }
+{pkgs, ...}: {home.packages = with pkgs; [restic];}

home/apps/rofi/default.nix

@@ -1,5 +1,5 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
-  home.packages = with pkgs; [ rofi ];
+  home.packages = with pkgs; [rofi];
   home.file.".local/share/rofi/themes/rofi-nord.rasi".source = ./rofi-nord.rasi;
   home.file.".config/rofi/config.rasi".source = ./config.rasi;
 }

home/apps/strawberry.nix

@@ -1 +1 @@
-{ config, pkgs, ... }: { home.packages = with pkgs; [ strawberry ]; }
+{pkgs, ...}: {home.packages = with pkgs; [strawberry];}

home/apps/telegram.nix

@@ -1 +1 @@
-{ config, pkgs, ... }: { home.packages = with pkgs; [ kotatogram-desktop ]; }
+{pkgs, ...}: {home.packages = with pkgs; [kotatogram-desktop];}

home/apps/vivaldi.nix

@@ -1,7 +1,7 @@
-{ config, pkgs, ... }: {
+{pkgs, ...}: {
   home.packages = with pkgs; [
     vivaldi
     vivaldi-ffmpeg-codecs
-    #vivaldi-widevine 
+    #vivaldi-widevine
   ];
 }

home/backup-apps.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ gitlab_archiver ]; }
+{pkgs, ...}: {home.packages = with pkgs; [gitlab_archiver];}

home/base/ssh.nix

@@ -1,10 +1,11 @@
-{ lib, ... }: {
+{lib, ...}: {
   programs.ssh.enable = true;
-  programs.ssh.matchBlocks = (lib.mkMerge
+  programs.ssh.matchBlocks =
-    (lib.forEach [ "hetzner-vm" "storage" "vault" "buildbox" ] (hostname: {
+    lib.mkMerge
+    (lib.forEach ["hetzner-vm" "storage" "vault" "buildbox"] (hostname: {
       "${hostname}" = {
         user = "root";
         hostname = "${hostname}.servers.genderfucked.monster";
       };
-    })));
+    }));
 }

home/base/zsh.nix

@@ -1,7 +1,7 @@
-{ config, pkgs, ... }:
+{pkgs, ...}: let
-let usb_data = import ../../data/usb_data.nix { };
+  usb_data = import ../../data/usb_data.nix {};
 in {
-  home.packages = with pkgs; [ exa bat ripgrep vault age ];
+  home.packages = with pkgs; [exa bat ripgrep vault age];
   programs.zsh = {
     enable = true;
     enableSyntaxHighlighting = true;
@@ -9,10 +9,10 @@ in {
     oh-my-zsh = {
       enable = true;
       theme = "afowler";
-      plugins = [ ];
+      plugins = [];
     };
     shellAliases = {
-      nixdirfmt = "nixfmt $(fd -e nix)";
+      nixdirfmt = "alejandra .";
       exa = "exa --time-style long-iso";
       ls = "exa -G";
       la = "exa -Ga";

home/bluetooth/bluetooth.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }: {
+{...}: {
   services.blueman-applet.enable = true;
   services.mpris-proxy.enable = true;
 }

home/dev/all/archives.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
   home.packages = with pkgs; [
     libarchive
     zip

home/dev/all/debugging.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ gdb lldb ]; }
+{pkgs, ...}: {home.packages = with pkgs; [gdb lldb];}

home/dev/all/deploy-rs.nix

@@ -1 +1 @@
-{ pkgs, inputs, ... }: { home.packages = with pkgs.deploy-rs; [ deploy-rs ]; }
+{pkgs, ...}: {home.packages = with pkgs.deploy-rs; [deploy-rs];}

home/dev/all/editors.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ nano ]; }
+{pkgs, ...}: {home.packages = with pkgs; [nano];}

home/dev/all/extra.nix

@@ -1,4 +1,4 @@
-{ pkgs, inputs, ... }: {
+{pkgs, ...}: {
   home.packages = with pkgs; [
     jq
     ripgrep
@@ -7,6 +7,6 @@
     tmux
     socat
     file
-    (pkgs.busybox.override { enableAppletSymlinks = false; })
+    (pkgs.busybox.override {enableAppletSymlinks = false;})
   ];
 }

home/dev/all/git.nix

@@ -1,10 +1,10 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
   programs.git = {
     enable = true;
     lfs.enable = true;
     package = pkgs.gitAndTools.gitFull;
     userName = "Chaos";
     userEmail = "chaoticryptidz@owo.monster";
-    extraConfig = { credential = { helper = "store"; }; };
+    extraConfig = {credential = {helper = "store";};};
   };
 }

home/dev/all/info.nix

@@ -1,3 +1,3 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
-  home.packages = with pkgs; [ neofetch inxi htop usbutils iotop ];
+  home.packages = with pkgs; [neofetch inxi htop usbutils iotop];
 }

home/dev/all/network.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
   home.packages = with pkgs; [
     curl
     wget

home/dev/all/vcs.nix

@@ -1 +0,0 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ gitAndTools.gitFull ]; }

home/dev/small/small.nix

@@ -1,4 +1,4 @@
-{ tree, ... }: {
+{tree, ...}: {
   # basically everything apart from home.all.dev.debugging and home.all.dev.deploy-rs
   imports = with tree; [
     home.dev.all.archives
@@ -7,6 +7,5 @@
     home.dev.all.git
     home.dev.all.info
     home.dev.all.network
-    home.dev.all.vcs
   ];
 }

home/gaming/emulators/ds.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ melonDS ]; }
+{pkgs, ...}: {home.packages = with pkgs; [melonDS];}

home/gaming/games/minecraft.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ multimc jdk17 ]; }
+{pkgs, ...}: {home.packages = with pkgs; [multimc jdk17];}

home/gaming/games/osu.nix

@@ -1 +1 @@
-{ config, pkgs, ... }: { home.packages = with pkgs; [ osu-lazer ]; }
+{pkgs, ...}: {home.packages = with pkgs; [osu-lazer];}

home/gaming/platforms/lutris.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ lutris ]; }
+{pkgs, ...}: {home.packages = with pkgs; [lutris];}

home/gaming/platforms/steam.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ steam ]; }
+{pkgs, ...}: {home.packages = with pkgs; [steam];}

home/gui/base/gtk.nix

@@ -1,4 +1,8 @@
-{ nixosConfig, pkgs, ... }: {
+{
+  nixosConfig,
+  pkgs,
+  ...
+}: {
   gtk = {
     enable = true;
     iconTheme = {
@@ -11,7 +15,10 @@
     };
     font = {
       name = "Comic Code";
-      size = if nixosConfig.networking.hostName == "tablet" then 10 else 16;
+      size =
+        if nixosConfig.networking.hostName == "tablet"
+        then 10
+        else 16;
       package = pkgs.comic-code;
     };
   };

home/gui/base/qt.nix

@@ -1,6 +1,4 @@
-{ config, pkgs, ... }:
+{pkgs, ...}: {
-
-{
   qt = {
     enable = true;
     platformTheme = "gtk";

home/gui/base/xdg.nix

@@ -1 +1 @@
-{ pkgs, ... }: { home.packages = with pkgs; [ xdg-utils ]; }
+{pkgs, ...}: {home.packages = with pkgs; [xdg-utils];}

home/gui/environments/gnome/default.nix

@@ -1,5 +1,10 @@
-{ tree, nixosConfig, pkgs, lib, inputs, ... }:
+{
-let
+  tree,
+  nixosConfig,
+  pkgs,
+  inputs,
+  ...
+}: let
   hm = inputs.home-manager.lib.hm;
 
   font-sizes-all = {
@@ -13,19 +18,18 @@ let
     };
   };
 
-  font-sizes = if nixosConfig.networking.hostName == "tablet" then
+  font-sizes =
-    font-sizes-all.tablet
+    if nixosConfig.networking.hostName == "tablet"
-  else
+    then font-sizes-all.tablet
-    font-sizes-all.default;
+    else font-sizes-all.default;
-
 in {
-  imports = with tree; [ home.apps.kitty home.apps.rofi ];
+  imports = with tree; [home.apps.kitty home.apps.rofi];
 
-  home.packages = with pkgs; [ dconf2nix gnome.dconf-editor xclip ];
+  home.packages = with pkgs; [dconf2nix gnome.dconf-editor xclip];
 
   dconf.enable = true;
   dconf.settings = {
-    "org/gnome/mutter" = { dynamic-workspaces = false; };
+    "org/gnome/mutter" = {dynamic-workspaces = false;};
 
     "org/gnome/desktop/interface" = {
       # Clock at Top Bar
@@ -52,14 +56,14 @@ in {
     };
     "org/gnome/desktop/input-sources" = {
       # TODO: see if this changes when using gnome wayland?
-      sources = [ (hm.gvariant.mkTuple [ "xkb" "gb" ]) ];
+      sources = [(hm.gvariant.mkTuple ["xkb" "gb"])];
       per-window = false;
     };
     "org/gnome/desktop/media-handling" = {
       # growl i hate this until i sometimes dont in which case i love it
       automount = false;
     };
-    "org/gnome/desktop/notifications" = { show-in-lockscreen = false; };
+    "org/gnome/desktop/notifications" = {show-in-lockscreen = false;};
     "org/gnome/desktop/peripherals/mouse" = {
       # NO!
       natural-scroll = false;
@@ -81,36 +85,36 @@ in {
       remove-old-trash-files = true;
     };
     # use location services to set time
-    "org/gnome/system/location" = { enabled = true; };
+    "org/gnome/system/location" = {enabled = true;};
-    "org/gnome/desktop/datetime" = { automatic-timezone = true; };
+    "org/gnome/desktop/datetime" = {automatic-timezone = true;};
     "org/gnome/desktop/wm/keybindings" = {
       # mostly just i3wm stock keybinds
-      close = [ "<Shift><Alt>q" ];
+      close = ["<Shift><Alt>q"];
-      maximize = [ "<Shift><Alt>f" ];
+      maximize = ["<Shift><Alt>f"];
-      toggle-fullscreen = [ "<Alt>f" ];
+      toggle-fullscreen = ["<Alt>f"];
 
       # Workspace Switch
-      switch-to-workspace-1 = [ "<Alt>1" ];
+      switch-to-workspace-1 = ["<Alt>1"];
-      switch-to-workspace-2 = [ "<Alt>2" ];
+      switch-to-workspace-2 = ["<Alt>2"];
-      switch-to-workspace-3 = [ "<Alt>3" ];
+      switch-to-workspace-3 = ["<Alt>3"];
-      switch-to-workspace-4 = [ "<Alt>4" ];
+      switch-to-workspace-4 = ["<Alt>4"];
-      switch-to-workspace-5 = [ "<Alt>5" ];
+      switch-to-workspace-5 = ["<Alt>5"];
-      switch-to-workspace-6 = [ "<Alt>6" ];
+      switch-to-workspace-6 = ["<Alt>6"];
-      switch-to-workspace-7 = [ "<Alt>7" ];
+      switch-to-workspace-7 = ["<Alt>7"];
-      switch-to-workspace-8 = [ "<Alt>8" ];
+      switch-to-workspace-8 = ["<Alt>8"];
-      switch-to-workspace-9 = [ "<Alt>9" ];
+      switch-to-workspace-9 = ["<Alt>9"];
 
       # Workspace Move Window
       # TODO: Hardcoded for UK keyboards
-      move-to-workspace-1 = [ "<Shift><Alt>exclam" ];
+      move-to-workspace-1 = ["<Shift><Alt>exclam"];
-      move-to-workspace-2 = [ "<Shift><Alt>quotedbl" ];
+      move-to-workspace-2 = ["<Shift><Alt>quotedbl"];
-      move-to-workspace-3 = [ "<Shift><Alt>sterling" ];
+      move-to-workspace-3 = ["<Shift><Alt>sterling"];
-      move-to-workspace-4 = [ "<Shift><Alt>dollar" ];
+      move-to-workspace-4 = ["<Shift><Alt>dollar"];
-      move-to-workspace-5 = [ "<Shift><Alt>percent" ];
+      move-to-workspace-5 = ["<Shift><Alt>percent"];
-      move-to-workspace-6 = [ "<Shift><Alt>asciicircum" ];
+      move-to-workspace-6 = ["<Shift><Alt>asciicircum"];
-      move-to-workspace-7 = [ "<Shift><Alt>ampersand" ];
+      move-to-workspace-7 = ["<Shift><Alt>ampersand"];
-      move-to-workspace-8 = [ "<Shift><Alt>asterisk" ];
+      move-to-workspace-8 = ["<Shift><Alt>asterisk"];
-      move-to-workspace-9 = [ "<Shift><Alt>parenleft" ];
+      move-to-workspace-9 = ["<Shift><Alt>parenleft"];
     };
     "org/gnome/desktop/wm/preferences" = {
       num-workspaces = 9;
@@ -118,10 +122,10 @@ in {
       titlebar-uses-system-font = true;
     };
     "org/gnome/settings-daemon/plugins/media-keys" = {
-      area-screenshot = [ ];
+      area-screenshot = [];
-      area-screenshot-clip = [ "<Shift>Print" ];
+      area-screenshot-clip = ["<Shift>Print"];
-      screenshot = [ ];
+      screenshot = [];
-      screenshot-clip = [ "Print" ];
+      screenshot-clip = ["Print"];
       custom-keybindings = [
         # Rofi & Kitty
         "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/rofi/"
@@ -139,7 +143,7 @@ in {
       name = "kitty";
     };
     "org/gnome/shell" = {
-      enabled-extensions = [ "just-perfection-desktop@just-perfection" ];
+      enabled-extensions = ["just-perfection-desktop@just-perfection"];
     };
     "org/gnome/shell/extensions/just-perfection" = {
       activities-button = true;

home/gui/environments/sway/gammastep.nix

@@ -1,6 +1,4 @@
-{ config, lib, ... }:
+{...}: {
-
-{
   services.gammastep = {
     enable = true;
     tray = true;

home/gui/environments/sway/mako.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{...}: {
   programs.mako = {
     enable = true;
     defaultTimeout = 3000;

home/gui/environments/sway/sway.nix

@@ -1,6 +1,12 @@
-{ config, pkgs, lib, tree, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  tree,
+  ...
+}: {
   # import default terminal
-  imports = with tree; [ home.apps.kitty home.apps.rofi ];
+  imports = with tree; [home.apps.kitty home.apps.rofi];
 
   home.sessionVariables = {
     XDG_CURRENT_DESKTOP = "sway";
@@ -9,6 +15,7 @@
     SDL_VIDEODRIVER = "wayland";
     QT_QPA_PLATFORM = "wayland";
     QT_WAYLAND_DISABLE_WINDOWDECORATION = 1;
+    # For Ghidra to make windows work properly
     _JAVA_AWT_WM_NONREPARENTING = 1;
     XCURSOR_SIZE = 64;
     QT_AUTO_SCREEN_SCALE_FACTOR = 1;
@@ -44,25 +51,23 @@
         {
           position = "top";
           fonts = {
-            names = [ "Comic Code" ];
+            names = ["Comic Code"];
             size = 14.0;
           };
           statusCommand = lib.escapeShellArgs [
-            #"/home/chaoticryptidz/Projects/gobar/gobar "
             "${pkgs.gobar}/bin/gobar"
             "-config"
             "cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time"
           ];
-
         }
-        { command = "${pkgs.waybar}/bin/waybar"; }
+        {command = "${pkgs.waybar}/bin/waybar";}
       ];
 
-      output = { "*" = { bg = "~/.local/share/wallpaper.jpg fill"; }; };
+      output = {"*" = {bg = "~/.local/share/wallpaper.jpg fill";};};
-      input = { "*" = { xkb_layout = "gb"; }; };
+      input = {"*" = {xkb_layout = "gb";};};
 
       fonts = {
-        names = [ "Comic Code" ];
+        names = ["Comic Code"];
         size = 18.0;
       };
 
@@ -81,7 +86,7 @@
         }
       ];
 
-      seat = { "*" = { "xcursor_theme" = "Adwaita 24"; }; };
+      seat = {"*" = {"xcursor_theme" = "Adwaita 24";};};
 
       gaps = {
         top = 10;
@@ -98,49 +103,45 @@
         titlebar = false;
       };
 
-      keybindings = {
+      keybindings =
-        "${cfg.modifier}+Return" = "exec ${cfg.terminal}";
+        {
+          "${cfg.modifier}+Return" = "exec ${cfg.terminal}";
 
-        "${cfg.modifier}+Left" = "focus left";
+          "${cfg.modifier}+Left" = "focus left";
-        "${cfg.modifier}+Down" = "focus down";
+          "${cfg.modifier}+Down" = "focus down";
-        "${cfg.modifier}+Up" = "focus up";
+          "${cfg.modifier}+Up" = "focus up";
-        "${cfg.modifier}+Right" = "focus right";
+          "${cfg.modifier}+Right" = "focus right";
 
-        "${cfg.modifier}+Shift+Left" = "move left";
+          "${cfg.modifier}+Shift+Left" = "move left";
-        "${cfg.modifier}+Shift+Down" = "move down";
+          "${cfg.modifier}+Shift+Down" = "move down";
-        "${cfg.modifier}+Shift+Up" = "move up";
+          "${cfg.modifier}+Shift+Up" = "move up";
-        "${cfg.modifier}+Shift+Right" = "move right";
+          "${cfg.modifier}+Shift+Right" = "move right";
 
-        "${cfg.modifier}+Shift+space" = "floating toggle";
+          "${cfg.modifier}+Shift+space" = "floating toggle";
-        "${cfg.modifier}+space" = "focus mode_toggle";
+          "${cfg.modifier}+space" = "focus mode_toggle";
 
-        "XF86AudioRaiseVolume" =
+          "XF86AudioRaiseVolume" = "exec ${pactl} set-sink-volume @DEFAULT_SINK@ +5%";
-          "exec ${pactl} set-sink-volume @DEFAULT_SINK@ +5%";
+          "XF86AudioLowerVolume" = "exec ${pactl} set-sink-volume @DEFAULT_SINK@ -5%";
-        "XF86AudioLowerVolume" =
+          "XF86AudioMute" = "exec ${pactl} set-sink-mute @DEFAULT_SINK@ toggle";
-          "exec ${pactl} set-sink-volume @DEFAULT_SINK@ -5%";
+          "XF86AudioMicMute" = "exec ${pactl} set-source-mute @DEFAULT_SOURCE@  toggle";
-        "XF86AudioMute" = "exec ${pactl} set-sink-mute @DEFAULT_SINK@ toggle";
+          "XF86MonBrightnessDown" = "exec sudo xbacklight -time 1 -dec +5";
-        "XF86AudioMicMute" =
+          "XF86MonBrightnessUp" = "exec sudo xbacklight -time 1 -inc +5";
-          "exec ${pactl} set-source-mute @DEFAULT_SOURCE@  toggle";
+          "Print" = "exec ${pkgs.grim}/bin/grim -t png - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png";
-        "XF86MonBrightnessDown" = "exec sudo xbacklight -time 1 -dec +5";
+          "Shift+Print" = ''
-        "XF86MonBrightnessUp" = "exec sudo xbacklight -time 1 -inc +5";
+            exec ${pkgs.grim}/bin/grim -t png -g "$(${pkgs.slurp}/bin/slurp -d)" - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png'';
-        "Print" =
-          "exec ${pkgs.grim}/bin/grim -t png - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png";
-        "Shift+Print" = ''
-          exec ${pkgs.grim}/bin/grim -t png -g "$(${pkgs.slurp}/bin/slurp -d)" - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png'';
 
-        "${cfg.modifier}+d" = "exec ${menu}";
+          "${cfg.modifier}+d" = "exec ${menu}";
-        "${cfg.modifier}+f" = "fullscreen";
+          "${cfg.modifier}+f" = "fullscreen";
 
-        "${cfg.modifier}+Shift+q" = "kill";
+          "${cfg.modifier}+Shift+q" = "kill";
-        "${cfg.modifier}+Shift+c" = "reload";
+          "${cfg.modifier}+Shift+c" = "reload";
 
-        "${cfg.modifier}+r" = "mode resize";
+          "${cfg.modifier}+r" = "mode resize";
-      } // (lib.foldl lib.recursiveUpdate { } (map (workspace: {
+        }
-        "${cfg.modifier}+${workspace}" = "workspace ${workspace}";
+        // (lib.foldl lib.recursiveUpdate {} (map (workspace: {
-        "${cfg.modifier}+Shift+${workspace}" =
+          "${cfg.modifier}+${workspace}" = "workspace ${workspace}";
-          "move container to workspace ${workspace}";
+          "${cfg.modifier}+Shift+${workspace}" = "move container to workspace ${workspace}";
-      }) [ "1" "2" "3" "4" "5" "6" "7" "8" "9" ]));
+        }) ["1" "2" "3" "4" "5" "6" "7" "8" "9"]));
     };
   };
 }
-

home/gui/environments/sway/waybar-bottom.nix

@@ -1,12 +1,13 @@
-_: {
+{...}: {
   programs.waybar = {
     enable = true;
-    settings = [{
+    settings = [
-      position = "bottom";
+      {
-
+        position = "bottom";
-      modules-left = [ ];
+        modules-left = [];
-      modules-center = [ ];
+        modules-center = [];
-      modules-right = [ "tray" ];
+        modules-right = ["tray"];
-    }];
+      }
+    ];
   };
 }

home/gui/environments/sway/zsh-autostart.nix

@@ -1,4 +1,4 @@
-_: {
+{...}: {
   programs.zsh.profileExtra = ''
     # If running from tty1 start sway
       if [ "$(tty)" = "/dev/tty1" ]; then

home/home-folders.nix

@@ -1,16 +1,20 @@
-{ config, lib, ... }: {
+{
-  systemd.user.tmpfiles.rules = (map (dir:
+  config,
-    "d ${config.home.homeDirectory}/${dir} - ${config.home.username} users") [
+  lib,
-      "Projects"
+  ...
-      "Temp"
+}: {
-      "Music"
+  systemd.user.tmpfiles.rules = map (dir: "d ${config.home.homeDirectory}/${dir} - ${config.home.username} users") [
-      "Mounts"
+    "Projects"
-      "Mounts/Storage"
+    "Temp"
-      "Mounts/Storage-Public"
+    "Music"
-      "Mounts/Backups"
+    "Mounts"
-      "Mounts/Backups-Crypt"
+    "Mounts/Storage"
-      "Mounts/Photos-Crypt"
+    "Mounts/Storage-Public"
-      "Mounts/Temp1"
+    "Mounts/Backups"
-      "Mounts/Temp2"
+    "Mounts/Backups-Crypt"
-    ]);
+    "Mounts/Photos-Crypt"
+    "Mounts/Public"
+    "Mounts/Temp1"
+    "Mounts/Temp2"
+  ];
 }

home/programming/editors/vscode.nix

@@ -1,7 +1,17 @@
-{ config, nixosConfig, pkgs, ... }:
+{
-let
+  config,
-  font-size = if nixosConfig.networking.hostName == "tablet" then 18 else 24;
+  nixosConfig,
-  zoom-level = if nixosConfig.networking.hostName == "tablet" then -2 else 0;
+  pkgs,
+  ...
+}: let
+  font-size =
+    if nixosConfig.networking.hostName == "tablet"
+    then 18
+    else 24;
+  zoom-level =
+    if nixosConfig.networking.hostName == "tablet"
+    then -2
+    else 0;
 in {
   programs.vscode-mod = {
     enable = true;

home/programming/languages/go.nix

@@ -1,6 +1,4 @@
-{ config, pkgs, ... }:
+{pkgs, ...}: {
-
+  home.packages = with pkgs; [go gopls go-outline gotools];
-{
+  programs.vscode-mod.extensions = with pkgs; [vscode-extensions.golang.go];
-  home.packages = with pkgs; [ go gopls go-outline gotools ];
-  programs.vscode-mod.extensions = with pkgs; [ vscode-extensions.golang.go ];
 }

home/programming/languages/nix.nix

@@ -1,14 +1,16 @@
-{ config, pkgs, ... }:
+{pkgs, ...}: {
-
+  home.packages = with pkgs; [alejandra];
-{
-  home.packages = with pkgs; [ nixfmt ];
 
   programs.vscode-mod.extensions = with pkgs; [
     vscode-extensions.bbenoist.nix
-    vscode-extensions.brettm12345.nixfmt-vscode
+    vscode-extensions.kamadorueda.alejandra
   ];
 
   programs.vscode-mod.userSettings."[nix]" = {
-    "editor.defaultFormatter" = "brettm12345.nixfmt-vscode";
+    "editor.defaultFormatter" = "kamadorueda.alejandra";
+    "editor.formatOnSave" = true;
+  };
+  programs.vscode-mod.userSettings = {
+    "alejandra.program" = "alejandra";
   };
 }

home/programming/languages/rust.nix

@@ -1,6 +1,5 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
-  programs.vscode-mod.extensions = with pkgs;
+  programs.vscode-mod.extensions = with pkgs; [vscode-extensions.matklad.rust-analyzer];
-    [ vscode-extensions.matklad.rust-analyzer ];
+  home.packages = with pkgs; [rustc cargo clippy rust-analyzer rustfmt];
-  home.packages = with pkgs; [ rustc cargo clippy rust-analyzer rustfmt ];
+  home.sessionVariables = {RUST_SRC_PATH = pkgs.rustPlatform.rustLibSrc;};
-  home.sessionVariables = { RUST_SRC_PATH = pkgs.rustPlatform.rustLibSrc; };
 }

home/reversing/reversing.nix

@@ -1,8 +1,8 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
   home.packages = with pkgs; [
     binwalk
     file
-    binutils # strings
+    binutils
     diffoscope
   ];
 }

home/ssh-usb.nix

@@ -1,11 +1,11 @@
-{ ... }:
+{...}: let
-let usb_data = (import ../data/usb_data.nix { });
+  usb_data = import ../data/usb_data.nix {};
 in {
   programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}";
   programs.git.extraConfig = {
     gpg.format = "ssh";
     commit.gpgsign = "true";
     tag.gpgsign = "true";
-    user = { signingKey = "${usb_data.ssh_priv_path}"; };
+    user = {signingKey = "${usb_data.ssh_priv_path}";};
   };
 }

hosts/buildbox/buildbox.nix

@@ -1,5 +1,10 @@
-{ modulesPath, tree, config, pkgs, lib, ... }:
+{
-let secrets = config.services.secrets.secrets;
+  tree,
+  config,
+  pkgs,
+  ...
+}: let
+  secrets = config.services.secrets.secrets;
 in {
   imports = with tree; [
     users.root
@@ -87,9 +92,9 @@ in {
   };
 
   systemd.services.mdadm-monitor = {
-    requires = [ "network.target" ];
+    requires = ["network.target"];
-    wantedBy = [ "multi-user.target" ];
+    wantedBy = ["multi-user.target"];
-    path = with pkgs; [ mdadm msmtp ];
+    path = with pkgs; [mdadm msmtp];
     script = ''
       exec mdadm --monitor --scan
     '';
@@ -100,7 +105,7 @@ in {
   };
 
   home-manager.users.root = {
-    imports = with tree; [ home.base home.dev.small ];
+    imports = with tree; [home.base home.dev.small];
     home.stateVersion = "22.05";
   };
 
@@ -109,4 +114,3 @@ in {
 
   system.stateVersion = "22.05";
 }
-

hosts/buildbox/hardware.nix

@@ -1,8 +1,7 @@
-{ config, lib, pkgs, modulesPath, ... }: {
+{config, ...}: {
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.initrd.kernelModules = ["dm-snapshot"];
-  boot.initrd.availableKernelModules =
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
-    [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.kernelModules = ["kvm-amd"];
-  boot.kernelModules = [ "kvm-amd" ];
 
   boot.initrd.services.swraid.mdadmConf =
     config.environment.etc."mdadm.conf".text;
@@ -22,6 +21,6 @@
     efiSupport = false;
     version = 2;
     device = "nodev";
-    devices = [ "/dev/sda" "/dev/sdb" ];
+    devices = ["/dev/sda" "/dev/sdb"];
   };
 }

hosts/buildbox/networking.nix

@@ -1,15 +1,15 @@
-{ ... }: {
+{...}: {
   systemd.services.systemd-networkd-wait-online.enable = false;
 
   networking = {
     resolvconf.useLocalResolver = false;
     networkmanager.dns = "none";
   };
-  networking.nameservers = [ "1.1.1.1" ];
+  networking.nameservers = ["1.1.1.1"];
 
   networking.firewall.enable = true;
   networking.firewall.allowPing = true;
-  networking.firewall.allowedTCPPorts = [ 22 ];
+  networking.firewall.allowedTCPPorts = [22];
 
   networking.enableIPv6 = true;
   networking.usePredictableInterfaceNames = false;
@@ -18,8 +18,8 @@
     enable = true;
     networks.eth0 = {
       name = "eth0";
-      address = [ "144.76.97.18" ];
+      address = ["144.76.97.18"];
-      gateway = [ "144.76.97.1" ];
+      gateway = ["144.76.97.1"];
     };
   };
 }

hosts/buildbox/secrets.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{...}: {
   services.secrets = {
     enable = true;
 

hosts/darwin.nix

@@ -1,26 +1,36 @@
-{ self, nixpkgs-unstable, nix-darwin-unstable, tree, ... }@inputs:
+{
-let
+  self,
-
+  nixpkgs-unstable,
-  defaultSpecialArgs = defaults.defaultSpecialArgs // {
+  nix-darwin-unstable,
-    inputs = inputs // {
+  tree,
-      # set these to the correct versions from inputs
+  ...
-      nixpkgs = inputs.nixpkgs-unstable;
+} @ inputs: let
-      home-manager = inputs.home-manager-unstable;
+  defaultSpecialArgs =
-      darwin = inputs.nix-darwin-unstable;
+    defaults.defaultSpecialArgs
+    // {
+      inputs =
+        inputs
+        // {
+          # set these to the correct versions from inputs
+          nixpkgs = inputs.nixpkgs-unstable;
+          home-manager = inputs.home-manager-unstable;
+          darwin = inputs.nix-darwin-unstable;
+        };
     };
-  };
 
-  defaultModules = defaults.defaultModules ++ [
+  defaultModules =
-    # NO_INLINE
+    defaults.defaultModules
-    tree.impure.profiles.base-darwin
+    ++ [
-    inputs.home-manager-unstable.darwinModules.home-manager
+      # NO_INLINE
-  ];
+      tree.impure.profiles.base-darwin
+      inputs.home-manager-unstable.darwinModules.home-manager
+    ];
 
   darwinSystem = nix-darwin-unstable.lib.darwinSystem;
 in {
   "MacMini" = darwinSystem {
     specialArgs = defaultSpecialArgs;
     system = "aarch64-darwin";
-    modules = defaultModules ++ [ ./macmini/default.nix ];
+    modules = defaultModules ++ [./macmini/default.nix];
   };
 }

hosts/default.nix

@@ -1,4 +1,4 @@
-{ ... }@inputs: {
+{...} @ inputs: {
   nixosConfigurations = import ./nixos.nix inputs;
   #darwinConfigurations = import ./darwin.nix inputs;
 }

hosts/hetzner-vm/hardware.nix

@@ -1,9 +1,9 @@
-{ modulesPath, ... }: {
+{modulesPath, ...}: {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
 
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
-  boot.initrd.kernelModules = [ "nvme" ];
+  boot.initrd.kernelModules = ["nvme"];
   fileSystems."/" = {
     device = "/dev/sda1";
     fsType = "ext4";

hosts/hetzner-vm/hetzner-vm.nix

@@ -1,6 +1,11 @@
-{ modulesPath, tree, config, pkgs, lib, ... }:
-
 {
+  modulesPath,
+  tree,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
   imports = with tree; [
     users.root
 
@@ -19,7 +24,6 @@
     hosts.hetzner-vm.profiles.mpd
     hosts.hetzner-vm.profiles.mailserver
     hosts.hetzner-vm.profiles.gitlab-static-sites
-    #hosts.hetzner-vm.profiles.lappy-dev
     hosts.hetzner-vm.profiles.misskey
     hosts.hetzner-vm.profiles.wireguard
 
@@ -28,10 +32,10 @@
     ./secrets.nix
   ];
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [80 443];
 
   home-manager.users.root = {
-    imports = with tree; [ home.base home.dev.small ];
+    imports = with tree; [home.base home.dev.small];
     home.stateVersion = "22.05";
   };
 
@@ -40,4 +44,3 @@
 
   system.stateVersion = "22.05";
 }
-

hosts/hetzner-vm/modules/mailserver/default.nix

@@ -1,16 +1,20 @@
-{ config, lib, ... }:
+{
-with lib;
+  config,
-let cfg = config.mailserver;
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mailserver;
 in {
   options.mailserver = {
     enable = mkEnableOption "mailserver";
 
-    fqdn = mkOption { type = types.str; };
+    fqdn = mkOption {type = types.str;};
 
-    domains = mkOption { type = types.listOf types.str; };
+    domains = mkOption {type = types.listOf types.str;};
 
     ssl_config = mkOption {
-      type = (types.submodule {
+      type = types.submodule {
         options = {
           useACME = mkOption {
             type = types.bool;
@@ -25,8 +29,8 @@ in {
             default = "/var/lib/acme/${cfg.fqdn}/key.pem";
           };
         };
-      });
+      };
-      default = { };
+      default = {};
     };
 
     debug_mode = mkOption {
@@ -46,23 +50,33 @@ in {
 
     accounts = mkOption {
       # where name = email for login
-      type = types.attrsOf (types.submodule ({ config, name, ... }: {
+      type = types.attrsOf (types.submodule ({
+        config,
+        name,
+        ...
+      }: {
         options = {
           name = mkOption {
             type = types.str;
             default = name;
           };
-          passwordFile = mkOption { type = types.str; };
+          passwordFile = mkOption {type = types.str;};
-          aliases = mkOption { type = types.listOf types.str; };
+          aliases = mkOption {type = types.listOf types.str;};
-          sieveScript = mkOption { type = types.nullOr types.lines; };
+          sieveScript = mkOption {type = types.nullOr types.lines;};
         };
       }));
     };
 
+    extra_aliases_file = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+
     sieve_directory = mkOption {
       type = types.str;
       default = "/var/sieve";
     };
+
     dkim_directory = mkOption {
       type = types.str;
       default = "/var/dkim";
@@ -79,23 +93,31 @@ in {
     };
 
     vmail_config = mkOption {
-      type = (types.submodule {
+      type = types.submodule {
         options = {
-          user_group_name = mkOption {
+          user = mkOption {
             type = types.str;
             default = "vmail";
           };
-          user_group_id = mkOption {
+          group = mkOption {
+            type = types.str;
+            default = "${cfg.vmail_config.user}";
+          };
+          user_id = mkOption {
             type = types.number;
             default = 5000;
           };
+          group_id = mkOption {
+            type = types.number;
+            default = cfg.vmail_config.user_id;
+          };
           directory = mkOption {
             type = types.str;
-            default = "/home/${cfg.vmail_config.user_group_name}";
+            default = "/home/${cfg.vmail_config.user}";
           };
         };
-      });
+      };
-      default = { };
+      default = {};
     };
   };
 }

hosts/hetzner-vm/modules/mailserver/dovecot.nix

@@ -1,13 +1,20 @@
-{ config, pkgs, lib, ... }:
+{
-let
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
   mail_config = config.mailserver;
+
+  vmail_config = mail_config.vmail_config;
+
   passwdDir = "/run/dovecot2";
   passwdFile = "${passwdDir}/passwd";
 
-  bool2int = x: if x then "1" else "0";
+  bool2int = x:
-
+    if x
-  # maildir in format "/${domain}/${user}"
+    then "1"
-  dovecotMaildir = "maildir:${mail_config.vmail_config.directory}/%d/%n";
+    else "0";
 
   postfixCfg = config.services.postfix;
   dovecot2Cfg = config.services.dovecot2;
@@ -29,7 +36,7 @@ let
 
     for f in ${
       builtins.toString
-      (lib.mapAttrsToList (name: value: passwordFiles."${name}")
+      (lib.mapAttrsToList (name: value: value.passwordFile)
         mail_config.accounts)
     }; do
       if [ ! -f "$f" ]; then
@@ -39,13 +46,10 @@ let
     done
 
     cat <<EOF > ${passwdFile}
-    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
+    ${
-      "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${
+      lib.concatStringsSep "\n"
-        builtins.toString mail_config.vmail_config.user_group_id
+      (lib.mapAttrsToList (name: value: "${name}:$(head -n 1 ${value.passwordFile})") mail_config.accounts)
-      }:${
+    }
-        builtins.toString mail_config.vmail_config.user_group_id
-      }::${mail_config.vmail_config.directory}:/run/current-system/sw/bin/nologin:")
-      mail_config.accounts)}
     EOF
 
     chmod 600 ${passwdFile}
@@ -54,7 +58,7 @@ let
   pipeBin = pkgs.stdenv.mkDerivation {
     name = "pipe_bin";
     src = ./pipe_bin;
-    buildInputs = with pkgs; [ makeWrapper coreutils bash rspamd ];
+    buildInputs = with pkgs; [makeWrapper coreutils bash rspamd];
     buildCommand = ''
       mkdir -p $out/pipe/bin
       cp $src/* $out/pipe/bin/
@@ -68,21 +72,25 @@ let
     '';
   };
 in {
-  config = (lib.mkIf (mail_config.enable) {
+  config = lib.mkIf (mail_config.enable) {
     services.dovecot2 = {
       enable = true;
       enableImap = true;
-      enablePop3 = false;
+      enableLmtp = true;
-      enablePAM = false;
       enableQuota = true;
-      mailGroup = mail_config.vmail_config.user_group_name;
+      enablePop3 = false;
-      mailUser = mail_config.vmail_config.user_group_name;
+      enablePAM = false; # Not using PAM for Auth
-      mailLocation = dovecotMaildir;
+
+      mailUser = vmail_config.user;
+      mailGroup = vmail_config.group;
+      mailLocation = "maildir:${vmail_config.directory}/%d/%n";
+
       sslServerCert = mail_config.ssl_config.cert;
       sslServerKey = mail_config.ssl_config.key;
-      enableLmtp = true;
+
-      modules = [ pkgs.dovecot_pigeonhole ];
+      # For Sieve
-      protocols = [ "sieve" ];
+      modules = with pkgs; [dovecot_pigeonhole];
+      protocols = ["sieve"];
 
       sieveScripts = {
         after = builtins.toFile "spam.sieve" ''
@@ -136,7 +144,6 @@ in {
             mail_plugins = $mail_plugins imap_sieve
         }
 
-        mail_access_groups = "${mail_config.vmail_config.user_group_name}"
         ssl = required
         ssl_min_protocol = TLSv1.2
         ssl_prefer_server_ciphers = yes
@@ -156,12 +163,14 @@ in {
             mail_plugins = $mail_plugins sieve
         }
 
-        passdb {
+        mail_access_groups = "${vmail_config.group}"
-            driver = passwd-file
-            args = ${passwdFile}
-        }
 
         userdb {
+            driver = static
+            args = uid=${toString vmail_config.user_id} gid=${toString vmail_config.group_id}
+        }
+
+        passdb {
             driver = passwd-file
             args = ${passwdFile}
         }
@@ -212,6 +221,6 @@ in {
       '';
     };
 
-    systemd.services.postfix.restartTriggers = [ genPasswdScript ];
+    systemd.services.postfix.restartTriggers = [genPasswdScript];
-  });
+  };
 }

hosts/hetzner-vm/modules/mailserver/firewall.nix

@@ -1,18 +1,26 @@
-{ ... }: {
+{
-  networking.firewall = {
+  lib,
-    allowedTCPPorts = [
+  config,
-      # SMTP
+  ...
-      25
+}: let
-      # Submission
+  mail_config = config.mailserver;
-      587
+in {
-      # Submission w/ SSL
+  config = lib.mkIf config.mailserver.enable {
-      465
+    networking.firewall = {
-      # IMAP
+      allowedTCPPorts = [
-      143
+        # SMTP
-      # IMAP w/ SSL
+        25
-      993
+        # Submission
-      # Sieve
+        587
-      4190
+        # Submission w/ SSL
-    ];
+        465
+        # IMAP
+        143
+        # IMAP w/ SSL
+        993
+        # Sieve
+        4190
+      ];
+    };
   };
 }

hosts/hetzner-vm/modules/mailserver/opendkim.nix

@@ -1,5 +1,10 @@
-{ config, lib, pkgs, ... }:
+{
-let
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
   mail_config = config.mailserver;
   dkimUser = config.services.opendkim.user;
   dkimGroup = config.services.opendkim.group;
@@ -9,69 +14,71 @@ let
 
   domains = mail_config.domains;
 
-  createDomainDkimCert = dom:
+  createDomainDkimCert = dom: let
-    let
+    dkim_key = "${keyDir}/${dom}.${selector}.key";
-      dkim_key = "${keyDir}/${dom}.${selector}.key";
+    dkim_txt = "${keyDir}/${dom}.${selector}.txt";
-      dkim_txt = "${keyDir}/${dom}.${selector}.txt";
+  in ''
-    in ''
+    if [ ! -f "${dkim_key}" ]
-      if [ ! -f "${dkim_key}" ]
+    then
-      then
+        ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
-          ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
+                                             -d "${dom}" \
-                                               -d "${dom}" \
+                                             --bits="1024" \
-                                               --bits="1024" \
+                                             --directory="${keyDir}"
-                                               --directory="${keyDir}"
+        mv "${keyDir}/${selector}.private" "${dkim_key}"
-          mv "${keyDir}/${selector}.private" "${dkim_key}"
+        mv "${keyDir}/${selector}.txt" "${dkim_txt}"
-          mv "${keyDir}/${selector}.txt" "${dkim_txt}"
+        echo "Generated key for domain ${dom} selector ${selector}"
-          echo "Generated key for domain ${dom} selector ${selector}"
+    fi
-      fi
+  '';
-    '';
 
   createAllCerts =
-    lib.concatStringsSep "\n" (map createDomainDkimCert mail_config.domains);
+    concatStringsSep "\n" (map createDomainDkimCert mail_config.domains);
 
-  keyTable = pkgs.writeText "opendkim-KeyTable" (lib.concatStringsSep "\n"
+  keyTable = pkgs.writeText "opendkim-KeyTable" (concatStringsSep "\n"
-    (lib.flip map domains
+    (flip map domains
       (dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key")));
 
-  signingTable = pkgs.writeText "opendkim-SigningTable"
+  signingTable =
-    (lib.concatStringsSep "\n" (lib.flip map domains (dom: "${dom} ${dom}")));
+    pkgs.writeText "opendkim-SigningTable"
+    (concatStringsSep "\n" (flip map domains (dom: "${dom} ${dom}")));
 
   dkim = config.services.opendkim;
-  args = [ "-f" "-l" ]
+  args =
-    ++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ];
+    ["-f" "-l"]
+    ++ optionals (dkim.configFile != null) ["-x" dkim.configFile];
 in {
-  config = (lib.mkIf (mail_config.enable) {
+  config = mkIf (mail_config.enable) {
     services.opendkim = {
       enable = true;
       selector = selector;
       keyPath = keyDir;
       domains = "csl:${builtins.concatStringsSep "," domains}";
       configFile = pkgs.writeText "opendkim.conf" (''
-        Canonicalization relaxed/relaxed
+          Canonicalization relaxed/relaxed
-        UMask 0002
+          UMask 0002
-        Socket ${dkim.socket}
+          Socket ${dkim.socket}
-        KeyTable file:${keyTable}
+          KeyTable file:${keyTable}
-        SigningTable file:${signingTable}
+          SigningTable file:${signingTable}
-      '' + (lib.optionalString mail_config.debug_mode ''
+        ''
-        Syslog yes
+        + (optionalString mail_config.debug_mode ''
-        SyslogSuccess yes
+          Syslog yes
-        LogWhy yes
+          SyslogSuccess yes
-      ''));
+          LogWhy yes
+        ''));
     };
 
-    users.users =
+    users.users = optionalAttrs (config.services.postfix.user == "postfix") {
-      lib.optionalAttrs (config.services.postfix.user == "postfix") {
+      postfix.extraGroups = ["${dkimGroup}"];
-        postfix.extraGroups = [ "${dkimGroup}" ];
+    };
-      };
 
     systemd.services.opendkim = {
-      preStart = lib.mkForce createAllCerts;
+      preStart = mkForce createAllCerts;
       serviceConfig = {
-        ExecStart = lib.mkForce
+        ExecStart =
-          "${pkgs.opendkim}/bin/opendkim ${lib.escapeShellArgs args}";
+          mkForce
-        PermissionsStartOnly = lib.mkForce false;
+          "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
+        PermissionsStartOnly = mkForce false;
       };
     };
-    systemd.tmpfiles.rules = [ "d '${keyDir}' - ${dkimUser} ${dkimGroup} - -" ];
+    systemd.tmpfiles.rules = ["d '${keyDir}' - ${dkimUser} ${dkimGroup} - -"];
-  });
+  };
 }

hosts/hetzner-vm/modules/mailserver/postfix.nix

@@ -1,16 +1,18 @@
-{ config, pkgs, lib, ... }:
+{
-
+  config,
-let
+  pkgs,
+  lib,
+  ...
+}: let
   mail_config = config.mailserver;
-  submissionHeaderCleanupRules =
+  submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
-    pkgs.writeText "submission_header_cleanup_rules" (''
+    /^Received:/            IGNORE
-      /^Received:/            IGNORE
+    /^X-Originating-IP:/    IGNORE
-      /^X-Originating-IP:/    IGNORE
+    /^X-Mailer:/            IGNORE
-      /^X-Mailer:/            IGNORE
+    /^User-Agent:/          IGNORE
-      /^User-Agent:/          IGNORE
+    /^X-Enigmail:/          IGNORE
-      /^X-Enigmail:/          IGNORE
+    /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${mail_config.fqdn}>
-      /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${mail_config.fqdn}>
+  '';
-    '');
 
   inetSocket = addr: port: "inet:[${toString port}@${addr}]";
   unixSocket = sock: "unix:${sock}";
@@ -22,30 +24,29 @@ let
 
   # valiases_postfix :: Map String [String]
   valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
-    (name: value:
+    (name: value: let
-      let to = name;
+      to = name;
-      in map (from: { "${from}" = to; }) (value.aliases ++ lib.singleton name))
+    in
+      map (from: {"${from}" = to;}) (value.aliases ++ lib.singleton name))
     mail_config.accounts));
 
   # all_valiases_postfix :: Map String [String]
-  all_valiases_postfix = mergeLookupTables [ valiases_postfix ];
+  all_valiases_postfix = mergeLookupTables [valiases_postfix];
 
   # lookupTableToString :: Map String [String] -> String
-  lookupTableToString = attrs:
+  lookupTableToString = attrs: let
-    let valueToString = value: lib.concatStringsSep ", " value;
+    valueToString = value: lib.concatStringsSep ", " value;
-    in lib.concatStringsSep "\n"
+  in
+    lib.concatStringsSep "\n"
     (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
 
-  # valiases_file :: Path
-  valiases_file = let
-    content = lookupTableToString (mergeLookupTables [ all_valiases_postfix ]);
-  in builtins.toFile "valias" content;
-
-  # vhosts_file :: Path
   vhosts_file =
     builtins.toFile "vhosts" (lib.concatStringsSep "\n" mail_config.domains);
-  vaccounts_file =
+
-    builtins.toFile "vaccounts" (lookupTableToString all_valiases_postfix);
+  aliases_accounts_file = let
+    content = lookupTableToString (mergeLookupTables [all_valiases_postfix]);
+  in
+    builtins.toFile "aliases_accounts" content;
 
   mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
 
@@ -61,27 +62,42 @@ let
     smtpd_client_restrictions = "permit_sasl_authenticated,reject";
     smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
     smtpd_sender_restrictions = "reject_sender_login_mismatch";
-    smtpd_recipient_restrictions =
+    smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
-      "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
     cleanup_service_name = "submission-header-cleanup";
   };
 
   tls_allowed = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
   tls_disallow = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
 in {
-  config = (lib.mkIf (mail_config.enable) {
+  config = lib.mkIf (mail_config.enable) {
+    systemd.tmpfiles.rules = lib.mkIf (mail_config.extra_aliases_file != null) [
+      # folder to store the extra aliases file
+      "f /run/postfix_extra_aliases 660 root root"
+    ];
+
+    systemd.services.postfix-extra-aliases-setup = lib.mkIf (mail_config.extra_aliases_file != null) {
+      wantedBy = ["multi-user.target"];
+      partOf = ["postfix.service"];
+      before = ["postfix-setup.service"];
+      script = ''
+        cat ${aliases_accounts_file} ${mail_config.extra_aliases_file} > /run/postfix_extra_aliases
+      '';
+    };
+
     services.postfix = {
       enable = true;
       hostname = "${mail_config.fqdn}";
       networksStyle = "host";
-      mapFiles."valias" = valiases_file;
+
-      mapFiles."vaccounts" = vaccounts_file;
+      mapFiles."aliases_accounts" =
+        if (mail_config.extra_aliases_file == null)
+        then aliases_accounts_file
+        else "/run/postfix_extra_aliases";
+
       sslCert = mail_config.ssl_config.cert;
       sslKey = mail_config.ssl_config.key;
       enableSubmission = true;
       enableSubmissions = true;
-      virtual =
-        lookupTableToString (mergeLookupTables [ all_valiases_postfix ]);
 
       config = {
         # Extra Config
@@ -91,13 +107,12 @@ in {
         disable_vrfy_command = true;
         message_size_limit = "20971520";
 
-        virtual_uid_maps =
+        virtual_uid_maps = "static:${toString mail_config.vmail_config.user_id}";
-          "static:${toString mail_config.vmail_config.user_group_id}";
+        virtual_gid_maps = "static:${toString mail_config.vmail_config.group_id}";
-        virtual_gid_maps =
-          "static:${toString mail_config.vmail_config.user_group_id}";
         virtual_mailbox_base = "${mail_config.vmail_config.directory}";
         virtual_mailbox_domains = vhosts_file;
-        virtual_mailbox_maps = mappedFile "valias";
+        virtual_mailbox_maps = mappedFile "aliases_accounts";
+        virtual_alias_maps = mappedFile "aliases_accounts";
         virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
         lmtp_destination_recipient_limit = "1";
 
@@ -118,11 +133,7 @@ in {
           "check_policy_service unix:private/policy-spf"
         ];
 
-        # TLS settings, inspired by https://github.com/jeaye/nix-files
-        # Submission by mail clients is handled in submissionOptions
         smtpd_tls_security_level = "may";
-
-        # strong might suffice and is computationally less expensive
         smtpd_tls_eecdh_grade = "ultra";
 
         # Only Alow Modern TLS
@@ -155,12 +166,10 @@ in {
           "unix:/run/opendkim/opendkim.sock"
           "unix:/run/rspamd/rspamd-milter.sock"
         ];
-        non_smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ];
+        non_smtpd_milters = ["unix:/run/opendkim/opendkim.sock"];
 
         milter_protocol = "6";
-        milter_mail_macros =
+        milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
-          "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
-
       };
 
       submissionOptions = submissionOptions;
@@ -170,7 +179,7 @@ in {
         "lmtp" = {
           # Add headers when delivering, see http://www.postfix.org/smtp.8.html
           # D => Delivered-To, O => X-Original-To, R => Return-Path
-          args = [ "flags=O" ];
+          args = ["flags=O"];
         };
         "policy-spf" = {
           type = "unix";
@@ -189,9 +198,9 @@ in {
           chroot = false;
           maxproc = 0;
           command = "cleanup";
-          args = [ "-o" "header_checks=pcre:${submissionHeaderCleanupRules}" ];
+          args = ["-o" "header_checks=pcre:${submissionHeaderCleanupRules}"];
         };
       };
     };
-  });
+  };
 }

hosts/hetzner-vm/modules/mailserver/rspamd.nix

@@ -1,16 +1,17 @@
-{ config, pkgs, lib, ... }:
+{
-
+  config,
-let
+  lib,
+  ...
+}: let
   mail_config = config.mailserver;
 
-  ports = (import ../../ports.nix { });
+  ports = import ../../ports.nix {};
 
   postfixCfg = config.services.postfix;
   rspamdCfg = config.services.rspamd;
   rspamdSocket = "rspamd.service";
 in {
-  config = (lib.mkIf (mail_config.enable) {
+  config = lib.mkIf (mail_config.enable) {
-
     services.rspamd = {
       enable = true;
       debug = mail_config.debug_mode;
@@ -51,10 +52,12 @@ in {
 
       workers.rspamd_proxy = {
         type = "rspamd_proxy";
-        bindSockets = [{
+        bindSockets = [
-          socket = "/run/rspamd/rspamd-milter.sock";
+          {
-          mode = "0664";
+            socket = "/run/rspamd/rspamd-milter.sock";
-        }];
+            mode = "0664";
+          }
+        ];
         count = 1;
         extraConfig = ''
           milter = yes;
@@ -69,13 +72,14 @@ in {
       workers.controller = {
         type = "controller";
         count = 1;
-        bindSockets = [{
+        bindSockets = [
-          socket = "/run/rspamd/worker-controller.sock";
+          {
-          mode = "0666";
+            socket = "/run/rspamd/worker-controller.sock";
-        }];
+            mode = "0666";
-        includes = [ ];
+          }
+        ];
+        includes = [];
       };
-
     };
 
     services.redis.servers.rspamd = {
@@ -84,16 +88,15 @@ in {
     };
 
     systemd.services.rspamd = {
-      requires = [ "redis-rspamd.service" ];
+      requires = ["redis-rspamd.service"];
-      after = [ "redis-rspamd.service" ];
+      after = ["redis-rspamd.service"];
     };
 
     systemd.services.postfix = {
-      after = [ rspamdSocket ];
+      after = [rspamdSocket];
-      requires = [ rspamdSocket ];
+      requires = [rspamdSocket];
     };
 
-    users.extraUsers.${postfixCfg.user}.extraGroups = [ rspamdCfg.group ];
+    users.extraUsers.${postfixCfg.user}.extraGroups = [rspamdCfg.group];
-  });
+  };
 }
-

hosts/hetzner-vm/modules/mailserver/ssl.nix

@@ -1,10 +1,12 @@
-{ config, pkgs, lib, ... }:
+{
-let
+  config,
+  lib,
+  ...
+}: let
   mail_config = config.mailserver;
   acmeRoot = "/var/lib/acme/acme-challenge";
-
 in {
-  config = (lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) {
+  config = lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) {
     services.nginx = {
       enable = true;
       virtualHosts."${mail_config.fqdn}" = {
@@ -17,7 +19,7 @@ in {
     };
 
     security.acme.certs."${mail_config.fqdn}" = {
-      reloadServices = [ "postfix.service" "dovecot2.service" ];
+      reloadServices = ["postfix.service" "dovecot2.service"];
     };
-  });
+  };
 }

hosts/hetzner-vm/modules/mailserver/vmail.nix

@@ -1,63 +1,74 @@
-{ config, pkgs, lib, ... }:
+{
-let
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
   mail_config = config.mailserver;
 
-  v = mail_config.vmail_config;
+  vmail_config = mail_config.vmail_config;
+  vmail_user = vmail_config.user;
+  vmail_group = vmail_config.group;
+
   sieve_directory = mail_config.sieve_directory;
 
-  virtualMailUsersActivationScript =
+  virtualMailUsersActivationScript = pkgs.writeScript "activate-virtual-mail-users" ''
-    pkgs.writeScript "activate-virtual-mail-users" ''
+    #!${pkgs.stdenv.shell}
-      #!${pkgs.stdenv.shell}
 
-      set -euo pipefail
+    set -euo pipefail
 
-      # Create directory to store user sieve scripts if it doesn't exist
+    # Create directory to store user sieve scripts if it doesn't exist
-      if (! test -d "${sieve_directory}"); then
+    if (! test -d "${sieve_directory}"); then
-        mkdir "${sieve_directory}"
+      mkdir "${sieve_directory}"
-        chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}"
+      chown "${vmail_user}:${vmail_group}" "${sieve_directory}"
-        chmod 770 "${sieve_directory}"
+      chmod 770 "${sieve_directory}"
-      fi
+    fi
-
-      # Copy user's sieve script to the correct location (if it exists).  If it
-      # is null, remove the file.
-      ${lib.concatMapStringsSep "\n" ({ name, sieveScript }:
-        if lib.isString sieveScript then ''
-          if (! test -d "${sieve_directory}/${name}"); then
-            mkdir -p "${sieve_directory}/${name}"
-            chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}/${name}"
-            chmod 770 "${sieve_directory}/${name}"
-          fi
-          cat << 'EOF' > "${sieve_directory}/${name}/default.sieve"
-          ${sieveScript}
-          EOF
-          chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}/${name}/default.sieve"
-        '' else ''
-          if (test -f "${sieve_directory}/${name}/default.sieve"); then
-            rm "${sieve_directory}/${name}/default.sieve"
-          fi
-          if (test -f "${sieve_directory}/${name}.svbin"); then
-            rm "${sieve_directory}/${name}/default.svbin"
-          fi
-        '') (map (user: { inherit (user) name sieveScript; })
-          (lib.attrValues mail_config.accounts))}
-    '';
 
+    # Copy user's sieve script to the correct location (if it exists).  If it
+    # is null, remove the file.
+    ${lib.concatMapStringsSep "\n" ({
+      name,
+      sieveScript,
+    }:
+      if lib.isString sieveScript
+      then ''
+        if (! test -d "${sieve_directory}/${name}"); then
+          mkdir -p "${sieve_directory}/${name}"
+          chown "${vmail_user}:${vmail_group}" "${sieve_directory}/${name}"
+          chmod 770 "${sieve_directory}/${name}"
+        fi
+        cat << 'EOF' > "${sieve_directory}/${name}/default.sieve"
+        ${sieveScript}
+        EOF
+        chown "${vmail_user}:${vmail_group}" "${sieve_directory}/${name}/default.sieve"
+      ''
+      else ''
+        if (test -f "${sieve_directory}/${name}/default.sieve"); then
+          rm "${sieve_directory}/${name}/default.sieve"
+        fi
+        if (test -f "${sieve_directory}/${name}.svbin"); then
+          rm "${sieve_directory}/${name}/default.svbin"
+        fi
+      '') (map (user: {inherit (user) name sieveScript;})
+      (lib.attrValues mail_config.accounts))}
+  '';
 in {
-  config = (lib.mkIf (mail_config.enable) {
+  config = lib.mkIf (mail_config.enable) {
-    users.users."${v.user_group_name}" = {
+    users.users."${vmail_user}" = {
-      name = "${v.user_group_name}";
       isSystemUser = true;
-      uid = v.user_group_id;
+
-      home = v.directory;
+      home = vmail_config.directory;
       createHome = true;
-      group = "${v.user_group_name}";
+
+      uid = vmail_config.user_id;
+      group = "${vmail_group}";
     };
-    users.groups."${v.user_group_name}" = { gid = v.user_group_id; };
+    users.groups."${vmail_group}" = {gid = vmail_config.group_id;};
     systemd.services.activate-virtual-mail-users = {
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = ["multi-user.target"];
-      before = [ "dovecot2.service" ];
+      before = ["dovecot2.service"];
-      serviceConfig = { ExecStart = virtualMailUsersActivationScript; };
+      serviceConfig = {ExecStart = virtualMailUsersActivationScript;};
       enable = true;
     };
-  });
+  };
 }

hosts/hetzner-vm/modules/mailserver/webmail.nix

@@ -1,7 +1,11 @@
-{ config, lib, ... }:
+{
-let mail_config = config.mailserver;
+  config,
+  lib,
+  ...
+}: let
+  mail_config = config.mailserver;
 in {
-  config = (lib.mkIf (mail_config.enable && mail_config.enable_roundcube) {
+  config = lib.mkIf (mail_config.enable && mail_config.enable_roundcube) {
     services.roundcube = {
       enable = true;
       hostName = "${mail_config.roundcube_url}";
@@ -14,5 +18,5 @@ in {
         ${mail_config.extra_roundcube_config}
       '';
     };
-  });
+  };
 }

hosts/hetzner-vm/modules/piped/backend.nix

@@ -1,58 +1,69 @@
-{ config, lib, pkgs, ... }:
+{
-with lib;
+  config,
-let
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
   cfg = config.services.piped;
 
-  backend_config = {
+  backend_config =
-    PORT = cfg.internalBackendPort;
+    {
-    HTTP_WORKERS = cfg.httpWorkers;
+      PORT = cfg.internalBackendPort;
-    PROXY_PART = "https://${cfg.proxyDomain}";
+      HTTP_WORKERS = cfg.httpWorkers;
-    API_URL = "https://${cfg.backendDomain}";
+      PROXY_PART = "https://${cfg.proxyDomain}";
-    FRONTEND_URL = "https://${cfg.frontendDomain}";
+      API_URL = "https://${cfg.backendDomain}";
-    DISABLE_REGISTRATION = cfg.disableRegistrations;
+      FRONTEND_URL = "https://${cfg.frontendDomain}";
-    COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
+      DISABLE_REGISTRATION = cfg.disableRegistrations;
-    FEED_RETENTION = cfg.feedRetentionDays;
+      COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
-    SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
+      FEED_RETENTION = cfg.feedRetentionDays;
-    SPONSORBLOCK_SERVERS = lib.concatStringsSep "," cfg.sponsorblockServers;
+      SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
-    DISABLE_RYD = cfg.disableRYD;
+      SPONSORBLOCK_SERVERS = concatStringsSep "," cfg.sponsorblockServers;
-    DISABLE_LBRY = cfg.disableLBRYStreams;
+      DISABLE_RYD = cfg.disableRYD;
-    RYD_PROXY_URL = cfg.rydAPIURL;
+      DISABLE_LBRY = cfg.disableLBRYStreams;
-    SENTRY_DSN = cfg.sentryDSN;
+      RYD_PROXY_URL = cfg.rydAPIURL;
-    "hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped";
+      SENTRY_DSN = cfg.sentryDSN;
-    "hibernate.connection.driver_class" = "org.postgresql.Driver";
+      "hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped";
-    "hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
+      "hibernate.connection.driver_class" = "org.postgresql.Driver";
-    "hibernate.connection.username" = "piped";
+      "hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
-    "hibernate.connection.password" = "password";
+      "hibernate.connection.username" = "piped";
-  } // (optionalAttrs cfg.enableCaptcha {
+      "hibernate.connection.password" = "password";
-    CAPTCHA_API_URL = cfg.captchaAPIURL;
+    }
-    # This is substituted in the PreStart of piped-backend.service
+    // (optionalAttrs cfg.enableCaptcha {
-    CAPTCHA_API_KEY = if cfg.captchaAPIKeyFile != "" then
+      CAPTCHA_API_URL = cfg.captchaAPIURL;
-      "CAPTCHA_API_KEY_FILE"
+      # This is substituted in the PreStart of piped-backend.service
-    else
+      CAPTCHA_API_KEY =
-      cfg.captchaAPIKey;
+        if cfg.captchaAPIKeyFile != ""
-  }) // (optionalAttrs cfg.enableFederation {
+        then "CAPTCHA_API_KEY_FILE"
-    MATRIX_SERVER = cfg.matrixServerAddr;
+        else cfg.captchaAPIKey;
-    # also substituted
+    })
-    MATRIX_TOKEN = if cfg.matrixTokenFile != "" then
+    // (optionalAttrs cfg.enableFederation {
-      "MATRIX_TOKEN_FILE"
+      MATRIX_SERVER = cfg.matrixServerAddr;
-    else
+      # also substituted
-      cfg.matrixToken;
+      MATRIX_TOKEN =
-  });
+        if cfg.matrixTokenFile != ""
+        then "MATRIX_TOKEN_FILE"
+        else cfg.matrixToken;
+    });
 
-  cfgToString = v: if builtins.isBool v then boolToString v else toString v;
+  cfgToString = v:
-  backend_config_file = pkgs.writeText "config.properties"
+    if builtins.isBool v
+    then boolToString v
+    else toString v;
+  backend_config_file =
+    pkgs.writeText "config.properties"
     (concatStringsSep "\n"
       (mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config));
-
 in {
   config = lib.mkIf (cfg.enable && !cfg.disableBackend) {
-    systemd.tmpfiles.rules = [ "d /run/piped-backend - piped piped" ];
+    systemd.tmpfiles.rules = ["d /run/piped-backend - piped piped"];
 
     systemd.services.piped-backend = {
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = ["multi-user.target"];
       serviceConfig = {
         WorkingDirectory = "/run/piped-backend";
-        ExecStartPre = let confFile = "/run/piped-backend/config.properties";
+        ExecStartPre = let
+          confFile = "/run/piped-backend/config.properties";
         in "${pkgs.writeShellScript "piped-backend-init" ''
           [ -f "${confFile}" ] && rm ${confFile}
           cp ${backend_config_file} ${confFile}
@@ -61,9 +72,9 @@ in {
             sed -i "s/CAPTCHA_API_KEY_FILE/$(cat cfg.captchaAPIKeyFile | sed "s#/#\\\/#")/" ${confFile}
           ''}
           ${optionalString
-          (cfg.enableFederation && cfg.matrixTokenFile != "") ''
+            (cfg.enableFederation && cfg.matrixTokenFile != "") ''
-            sed -i "s/MATRIX_TOKEN_FILE/$(cat cfg.matrixTokenFile | sed "s#/#\\\/#")/" ${confFile}
+              sed -i "s/MATRIX_TOKEN_FILE/$(cat cfg.matrixTokenFile | sed "s#/#\\\/#")/" ${confFile}
-          ''}
+            ''}
         ''}";
         ExecStart = "${pkgs.piped-backend}/bin/piped-backend";
 
@@ -76,18 +87,18 @@ in {
         ProtectHome = true;
         ProtectKernelLogs = true;
         ProtectProc = "invisible";
-        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
         RestrictNamespaces = true;
         SystemCallArchitectures = "native";
-        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+        SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
       };
     };
 
     systemd.services.piped-password = {
       serviceConfig.Type = "oneshot";
-      wantedBy = [ "piped-backend.service" ];
+      wantedBy = ["piped-backend.service"];
-      wants = [ "postgresql.service" ];
+      wants = ["postgresql.service"];
-      after = [ "postgresql.service" ];
+      after = ["postgresql.service"];
       script = ''
         ${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD 'password';"
       '';
@@ -96,11 +107,13 @@ in {
 
     services.postgresql = {
       enable = true;
-      ensureUsers = [{
+      ensureUsers = [
-        name = "piped";
+        {
-        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
+          name = "piped";
-      }];
+          ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
-      ensureDatabases = [ "piped" ];
+        }
+      ];
+      ensureDatabases = ["piped"];
     };
 
     services.nginx.virtualHosts."${cfg.backendDomain}" = {

hosts/hetzner-vm/modules/piped/default.nix

@@ -1,17 +1,22 @@
-{ config, lib, pkgs, ... }:
+{
-with lib;
+  config,
-let cfg = config.services.piped;
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.services.piped;
 in {
   options.services.piped = {
     enable = mkEnableOption "piped";
 
-    frontendDomain = mkOption { type = types.str; };
+    frontendDomain = mkOption {type = types.str;};
     backendDomain = mkOption {
       type = types.nullOr types.str;
       default = null;
       description = "Set to null to use project default backend";
     };
-    proxyDomain = mkOption { type = types.str; };
+    proxyDomain = mkOption {type = types.str;};
     #rydProxyDomain = mkOption { type = types.str; };
 
     disableFrontend = mkOption {
@@ -58,8 +63,7 @@ in {
 
     sponsorblockServers = mkOption {
       type = types.listOf types.str;
-      default =
+      default = ["https://sponsor.ajay.app" "https://sponsorblock.kavin.rocks"];
-        [ "https://sponsor.ajay.app" "https://sponsorblock.kavin.rocks" ];
       description = "Days subscriptions are stored for unauthenticated users";
     };
 
@@ -72,15 +76,13 @@ in {
     disableLBRYStreams = mkOption {
       type = types.bool;
       default = false;
-      description =
+      description = "Disable showing streams provided by LBRY Youtube Partnership";
-        "Disable showing streams provided by LBRY Youtube Partnership";
     };
 
     enableCompromisedPasswordCheck = mkOption {
       type = types.bool;
       default = true;
-      description =
+      description = "Use the haveibeenpwned API to check if user password have been compromised";
-        "Use the haveibeenpwned API to check if user password have been compromised";
     };
 
     enableCaptcha = mkOption {
@@ -174,11 +176,11 @@ in {
     };
   };
 
-  config = lib.mkIf (cfg.enable && (!cfg.disableBackend || !cfg.disableProxy)) {
+  config = mkIf (cfg.enable && (!cfg.disableBackend || !cfg.disableProxy)) {
     users.users."piped" = {
       isSystemUser = true;
       group = "piped";
     };
-    users.groups.piped = { };
+    users.groups.piped = {};
   };
 }

hosts/hetzner-vm/modules/piped/frontend.nix

@@ -1,15 +1,19 @@
-{ config, lib, pkgs, ... }:
+{
-with lib;
+  config,
-let
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
   cfg = config.services.piped;
   frontend-package =
-    (pkgs.piped-frontend.override { backendDomain = cfg.backendDomain; });
+    pkgs.piped-frontend.override {backendDomain = cfg.backendDomain;};
 in {
-  config = lib.mkIf (cfg.enable && !cfg.disableFrontend) {
+  config = mkIf (cfg.enable && !cfg.disableFrontend) {
     services.nginx.virtualHosts."${cfg.frontendDomain}" = {
       forceSSL = true;
       enableACME = true;
-      locations."/" = { root = "${frontend-package}/share/piped-frontend"; };
+      locations."/" = {root = "${frontend-package}/share/piped-frontend";};
     };
   };
 }

hosts/hetzner-vm/modules/piped/proxy.nix

@@ -1,6 +1,10 @@
-{ config, lib, pkgs, ... }:
+{
-with lib;
+  config,
-let
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
   cfg = config.services.piped;
 
   proxy_nginx_extras = ''
@@ -23,11 +27,11 @@ let
     access_log off;
   '';
 in {
-  config = lib.mkIf (cfg.enable && !cfg.disableProxy) {
+  config = mkIf (cfg.enable && !cfg.disableProxy) {
     systemd.services.piped-proxy = {
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = ["multi-user.target"];
       environment.BIND = "0.0.0.0:${toString cfg.internalProxyPort}";
-      environment.IPV4_ONLY = lib.mkIf cfg.proxyIPv4Only "1";
+      environment.IPV4_ONLY = mkIf cfg.proxyIPv4Only "1";
       serviceConfig = {
         WorkingDirectory = "/run/piped-proxy";
         ExecStart = "${pkgs.piped-proxy}/bin/piped-proxy";
@@ -41,10 +45,10 @@ in {
         ProtectHome = true;
         ProtectKernelLogs = true;
         ProtectProc = "invisible";
-        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
         RestrictNamespaces = true;
         SystemCallArchitectures = "native";
-        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+        SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
       };
     };
 
@@ -53,15 +57,19 @@ in {
       enableACME = true;
       locations."/" = {
         proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
-        extraConfig = proxy_nginx_extras + ''
+        extraConfig =
-          add_header Cache-Control "public, max-age=604800";
+          proxy_nginx_extras
-        '';
+          + ''
+            add_header Cache-Control "public, max-age=604800";
+          '';
       };
       locations."~ (/videoplayback|/api/v4/|/api/manifest/)" = {
         proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
-        extraConfig = proxy_nginx_extras + ''
+        extraConfig =
-          add_header Cache-Control private always;
+          proxy_nginx_extras
-        '';
+          + ''
+            add_header Cache-Control private always;
+          '';
       };
     };
   };

hosts/hetzner-vm/networking.nix

@@ -1,9 +1,9 @@
-{ ... }: {
+{...}: {
   systemd.services.systemd-networkd-wait-online.enable = false;
 
   networking.firewall.enable = true;
   networking.firewall.allowPing = true;
-  networking.firewall.allowedTCPPorts = [ 22 ];
+  networking.firewall.allowedTCPPorts = [22];
 
   networking.enableIPv6 = true;
   networking.usePredictableInterfaceNames = false;
@@ -12,8 +12,8 @@
     enable = true;
     networks.eth0 = {
       name = "eth0";
-      address = [ "2a01:4f9:c010:8beb::1/64" ];
+      address = ["2a01:4f9:c010:8beb::1/64"];
-      gateway = [ "fe80::1" ];
+      gateway = ["fe80::1"];
     };
   };
 }

hosts/hetzner-vm/ports.nix

@@ -1,4 +1,4 @@
-{ }: {
+{}: {
   mpd = 6600; # default
   mpd-opus = 8012;
   mpd-flac = 8013;

hosts/hetzner-vm/profiles/gitlab-static-sites.nix

@@ -1,5 +1,5 @@
-{ config, ... }:
+{config, ...}: let
-let secrets = config.services.secrets.secrets;
+  secrets = config.services.secrets.secrets;
 in {
   services.gitlab_artifacts_sync = {
     enable = true;
@@ -8,7 +8,7 @@ in {
       {
         repoName = "ChaotiCryptidz/VaultUI";
         domain = "vaultui.owo.monster";
-        domainOptions = { withTryFiles = true; };
+        domainOptions = {withTryFiles = true;};
       }
       {
         repoName = "ChaotiCryptidz/music_library_website";

hosts/hetzner-vm/profiles/invidious.nix

@@ -1,5 +1,5 @@
-{ inputs, pkgs, ... }:
+{...}: let
-let ports = (import ../ports.nix { });
+  ports = import ../ports.nix {};
 in {
   services.invidious = {
     enable = true;
@@ -15,14 +15,14 @@ in {
       default_user_preferences = {
         locale = "en-US";
         region = "GB";
-        captions = [ "English (auto-generated)" "English" "" ];
+        captions = ["English (auto-generated)" "English" ""];
         dark_mode = true;
-        feed_menu = [ "Subscriptions" "Popular" ];
+        feed_menu = ["Subscriptions" "Popular"];
         default_home = "Subscriptions";
         max_results = 30;
         annotations = true;
         annotations_subscribed = true;
-        comments = [ ];
+        comments = [];
         player_style = "invidious";
         related_videos = true;
         autoplay = true;

hosts/hetzner-vm/profiles/lappy-dev.nix

@@ -1,10 +0,0 @@
-{ ... }: {
-  services.nginx.virtualHosts."lappy-dev.owo.monster" = {
-    forceSSL = true;
-    enableACME = true;
-    locations = {
-      "/".proxyPass =
-        "http://lappy.tailscale-internal.genderfucked.monster:8088";
-    };
-  };
-}

hosts/hetzner-vm/profiles/mailserver.nix

@@ -1,10 +1,10 @@
-{ config, ... }:
+{config, ...}: let
-let secrets = config.services.secrets.secrets;
+  secrets = config.services.secrets.secrets;
 in {
   config.mailserver = {
     enable = true;
     fqdn = "mail.owo.monster";
-    domains = [ "owo.monster" "kitteh.pw" ];
+    domains = ["owo.monster" "kitteh.pw"];
 
     debug_mode = true;
     extra_roundcube_config = ''
@@ -14,6 +14,8 @@ in {
       $config['username_domain_forced'] = true;
     '';
 
+    extra_aliases_file = "/tmp/e";
+
     accounts = {
       "chaos@owo.monster" = {
         name = "chaos@owo.monster";
@@ -22,7 +24,7 @@ in {
           "all@owo.monster"
           "chaoticryptidz@owo.monster"
 
-          # TODO: legacy - to be deprecated by 2023-01-01 
+          # TODO: legacy - to be deprecated by 2023-01-01
           "kitteh@owo.monster"
           "kitteh@kitteh.pw"
         ];
@@ -31,13 +33,13 @@ in {
       "misskey@owo.monster" = {
         name = "misskey@owo.monster";
         passwordFile = "${secrets.misskey_mail_passwd.path}";
-        aliases = [ ];
+        aliases = [];
         sieveScript = null;
       };
       "system@owo.monster" = {
         name = "system@owo.monster";
         passwordFile = "${secrets.system_mail_passwd.path}";
-        aliases = [ ];
+        aliases = [];
         sieveScript = null;
       };
     };

hosts/hetzner-vm/profiles/misskey.nix

@@ -1,6 +1,9 @@
-{ pkgs, tree, ... }:
+{
-let
+  pkgs,
-  ports = (import ../ports.nix { });
+  tree,
+  ...
+}: let
+  ports = import ../ports.nix {};
 
   misskeyDomain = "social.owo.monster";
 
@@ -41,9 +44,9 @@ let
     outgoingAddressFamily = "dual";
   };
 
-  misskeyConfigFile = builtins.toFile "default.yml"
+  misskeyConfigFile =
-    (pkgs.lib.generators.toYAML { } misskeyConfig);
+    builtins.toFile "default.yml"
-
+    (pkgs.lib.generators.toYAML {} misskeyConfig);
 in {
   users.users."misskey" = {
     isNormalUser = true;
@@ -54,16 +57,16 @@ in {
     home.packages = misskeyPackages;
     home.stateVersion = "22.05";
 
-    imports = with tree; [ home.base home.dev.small ];
+    imports = with tree; [home.base home.dev.small];
   };
 
-  systemd.tmpfiles.rules = [ "d /home/misskey/misskey-files - misskey users" ];
+  systemd.tmpfiles.rules = ["d /home/misskey/misskey-files - misskey users"];
 
   systemd.services.misskey-files = {
     serviceConfig.Type = "oneshot";
-    wantedBy = [ "misskey.service" ];
+    wantedBy = ["misskey.service"];
-    after = [ "home-manager-misskey.service" "network.target" ];
+    after = ["home-manager-misskey.service" "network.target"];
-    path = with pkgs; [ bash git rsync ] ++ misskeyPackages;
+    path = with pkgs; [bash git rsync] ++ misskeyPackages;
 
     script = ''
       mkdir -p /home/misskey/misskey || true
@@ -85,9 +88,9 @@ in {
 
   systemd.services.misskey-password = {
     serviceConfig.Type = "oneshot";
-    wantedBy = [ "misskey.service" ];
+    wantedBy = ["misskey.service"];
-    wants = [ "postgresql.service" ];
+    wants = ["postgresql.service"];
-    after = [ "postgresql.service" ];
+    after = ["postgresql.service"];
     script = ''
       ${pkgs.postgresql}/bin/psql -c "ALTER USER misskey WITH PASSWORD 'password';"
     '';
@@ -95,17 +98,16 @@ in {
   };
 
   systemd.services.misskey = {
-    wantedBy = [ "multi-user.target" ];
+    wantedBy = ["multi-user.target"];
-    after = [ "misskey-password.service" "misskey-files.service" ];
+    after = ["misskey-password.service" "misskey-files.service"];
-    wants = [ "postgresql.service" "redis-misskey.service" ];
+    wants = ["postgresql.service" "redis-misskey.service"];
-    path = with pkgs; [ bash git ] ++ misskeyPackages;
+    path = with pkgs; [bash git] ++ misskeyPackages;
     environment.NODE_ENV = "production";
     serviceConfig = {
       User = "misskey";
       WorkingDirectory = "/home/misskey/misskey";
       ExecStartPre = "${pkgs.yarn}/bin/yarn migrate";
-      ExecStart =
+      ExecStart = "${pkgs.nodejs}/bin/node --experimental-json-modules packages/backend/built/index.js";
-        "${pkgs.nodejs}/bin/node --experimental-json-modules packages/backend/built/index.js";
       #TimeoutSec = 60;
       #StandardOutput = "syslog";
       #StandardError = "syslog";
@@ -127,11 +129,13 @@ in {
 
   services.postgresql = {
     enable = true;
-    ensureUsers = [{
+    ensureUsers = [
-      name = "misskey";
+      {
-      ensurePermissions."DATABASE misskey" = "ALL PRIVILEGES";
+        name = "misskey";
-    }];
+        ensurePermissions."DATABASE misskey" = "ALL PRIVILEGES";
-    ensureDatabases = [ "misskey" ];
+      }
+    ];
+    ensureDatabases = ["misskey"];
     initialScript = pkgs.writeText "init" ''
       create user misskey with password 'password';
       grant all privileges on database misskey to misskey;
@@ -143,4 +147,3 @@ in {
     port = ports.misskey-redis;
   };
 }
-

hosts/hetzner-vm/profiles/mpd-broadcast/broadcast.nix

@@ -1,10 +1,10 @@
-{ tree, ... }: {
+{tree, ...}: {
   imports = with tree;
     [
       # systemwide pulseaudio w/ recv native localhost
       # to broadcast to all speakers over rtp
       profiles.sound.pulseaudio.pulse-systemwide
       profiles.sound.pulseaudio.pulse-recv-native-localhost
-    ] ++ [ ./hosts/lappy.nix ./hosts/raspberry.nix ];
+    ]
-
+    ++ [./hosts/lappy.nix ./hosts/raspberry.nix];
 }

hosts/hetzner-vm/profiles/mpd-broadcast/hosts/lappy.nix

@@ -1,5 +1,4 @@
-{ pkgs, ... }:
+{pkgs, ...}: let
-let
   sink_name = "roc-lappy";
   description = "Lappy ROC Output";
   ip_addr = "100.115.10.34";
@@ -12,4 +11,3 @@ in {
     }
   '';
 }
-

hosts/hetzner-vm/profiles/mpd-broadcast/hosts/raspberry.nix

@@ -1,5 +1,4 @@
-{ pkgs, ... }:
+{pkgs, ...}: let
-let
   sink_name = "roc-raspberry";
   description = "Raspberry ROC Output";
   ip_addr = "100.118.202.64";

hosts/hetzner-vm/profiles/mpd.nix

@@ -1,18 +1,23 @@
-{ config, pkgs, lib, tree, ... }:
+{
-let
+  config,
-  ports = (import ../ports.nix { });
+  pkgs,
+  ...
+}: let
+  ports = import ../ports.nix {};
   secrets = config.services.secrets.secrets;
 in {
-  environment.systemPackages = with pkgs; [ mpc_cli ];
+  environment.systemPackages = with pkgs; [mpc_cli];
 
   services.mpd = {
     enable = true;
     network.listenAddress = "0.0.0.0";
     musicDirectory = "https://storage-webdav.owo.monster/music_ro/";
-    credentials = [{
+    credentials = [
-      passwordFile = "${secrets.mpd_control_password.path}";
+      {
-      permissions = [ "read" "add" "control" "admin" ];
+        passwordFile = "${secrets.mpd_control_password.path}";
-    }];
+        permissions = ["read" "add" "control" "admin"];
+      }
+    ];
     extraConfig = ''
       host_permissions "127.0.0.1 read,add,control,admin"
       samplerate_converter "0"
@@ -53,18 +58,18 @@ in {
         proxyPass = "http://127.0.0.1:${toString ports.mpd-opus}";
         extraConfig = ''
           auth_basic "Music Password";
-          auth_basic_user_file ${secrets.music_stream_passwd.path}; 
+          auth_basic_user_file ${secrets.music_stream_passwd.path};
         '';
       };
       "/flac" = {
         proxyPass = "http://127.0.0.1:${toString ports.mpd-flac}";
         extraConfig = ''
           auth_basic "Music Password";
-          auth_basic_user_file ${secrets.music_stream_passwd.path}; 
+          auth_basic_user_file ${secrets.music_stream_passwd.path};
         '';
       };
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ 6600 ];
+  networking.firewall.allowedTCPPorts = [6600];
 }

hosts/hetzner-vm/profiles/piped.nix

@@ -1,5 +1,5 @@
-{ ... }:
+{...}: let
-let ports = (import ../ports.nix { });
+  ports = import ../ports.nix {};
 in {
   services.piped = {
     enable = true;

hosts/hetzner-vm/profiles/quassel.nix

@@ -1,14 +1,16 @@
-_: {
+{...}: {
   services.quassel = {
     enable = true;
-    interfaces = [ "0.0.0.0" ];
+    interfaces = ["0.0.0.0"];
   };
 
-  services.postgresql.ensureDatabases = [ "quassel" ];
+  services.postgresql.ensureDatabases = ["quassel"];
-  services.postgresql.ensureUsers = [{
+  services.postgresql.ensureUsers = [
-    name = "quassel";
+    {
-    ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
+      name = "quassel";
-  }];
+      ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
+    }
+  ];
   services.postgresql.authentication = "host quassel quassel localhost trust";
-  networking.firewall.allowedTCPPorts = [ 4242 ];
+  networking.firewall.allowedTCPPorts = [4242];
 }

hosts/hetzner-vm/profiles/restic.nix

@@ -1,17 +1,21 @@
-{ lib, config, pkgs, ... }:
+{
-let
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
   secrets = config.services.secrets.secrets;
   mail_config = config.mailserver;
 
   backupPrepareCommand = "${
-      (pkgs.writeShellScriptBin "backupPrepareCommand" ''
+    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
-        systemctl start ${
+      systemctl start ${
-          lib.concatStringsSep " "
+        lib.concatStringsSep " "
-          (lib.forEach config.services.postgresqlBackup.databases
+        (lib.forEach config.services.postgresqlBackup.databases
-            (db: "postgresqlBackup-${db}"))
+          (db: "postgresqlBackup-${db}"))
-        } --wait
+      } --wait
-      '')
+    '')
-    }/bin/backupPrepareCommand";
+  }/bin/backupPrepareCommand";
 in {
   environment.systemPackages = [
     (pkgs.writeShellScriptBin "restic-hetzner-vm" ''
@@ -58,7 +62,7 @@ in {
   services.postgresqlBackup = {
     enable = true;
     backupAll = false;
-    databases = [ "postgres" "invidious" "misskey" "quassel" "roundcube" ];
+    databases = ["postgres" "invidious" "misskey" "quassel" "roundcube"];
     compression = "zstd";
   };
 }

hosts/hetzner-vm/profiles/wireguard.nix

@@ -1,9 +1,9 @@
-{ config, ... }:
+{config, ...}: let
-let secrets = config.services.secrets.secrets;
+  secrets = config.services.secrets.secrets;
 in {
   networking.wg-quick.interfaces = {
     wg0 = {
-      address = [ "10.69.42.1/32" ];
+      address = ["10.69.42.1/32"];
       listenPort = 51820;
       privateKeyFile = "${secrets.wg_privkey.path}";
       peers = [
@@ -11,29 +11,29 @@ in {
         {
           publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
           presharedKeyFile = "${secrets.wg_preshared_tablet.path}";
-          allowedIPs = [ "10.69.42.2/32" ];
+          allowedIPs = ["10.69.42.2/32"];
         }
         # vault
         {
           publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
           presharedKeyFile = "${secrets.wg_preshared_vault.path}";
           endpoint = "vault.servers.genderfucked.monster:51820";
-          allowedIPs = [ "10.69.42.3/32" ];
+          allowedIPs = ["10.69.42.3/32"];
         }
         # storage
         {
           publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
           presharedKeyFile = "${secrets.wg_preshared_storage.path}";
-          allowedIPs = [ "10.69.42.4/32" ];
+          allowedIPs = ["10.69.42.4/32"];
         }
         # iphone8
         {
           publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
           presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
-          allowedIPs = [ "10.69.42.5/32" ];
+          allowedIPs = ["10.69.42.5/32"];
         }
       ];
     };
   };
-  networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.firewall.allowedUDPPorts = [51820];
 }

hosts/hetzner-vm/secrets.nix

@@ -1,12 +1,11 @@
-{ pkgs, ... }: {
+{pkgs, ...}: {
   services.secrets = {
     enable = true;
 
-    extraPackages = with pkgs;
+    extraPackages = with pkgs; [
-      [
+      # for music & mail passwd files
-        # for music & mail passwd files
+      apacheHttpd
-        apacheHttpd
+    ];
-      ];
 
     secrets = {
       mpd_control_password = {
@@ -16,6 +15,13 @@
           simple_get "/api-keys/mpd" .password > $secretFile
         '';
       };
+      private_mail_aliases = {
+        user = "root";
+        group = "root";
+        fetchScript = ''
+          kv_get "/infra/private-mail-aliases" | jq .data.data | jq -r 'to_entries|map("\(.key) \(.value.to)")[]' > $secretFile
+        '';
+      };
       music_stream_passwd = {
         user = "nginx";
         group = "nginx";
@@ -71,31 +77,31 @@
       };
       wg_privkey = {
         fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > $secretFile 
+          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > $secretFile
         '';
       };
       wg_preshared_tablet = {
         path = "/secrets/wg_preshared_tablet";
         fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.tablet > $secretFile 
+          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.tablet > $secretFile
         '';
       };
       wg_preshared_vault = {
         path = "/secrets/wg_preshared_vault";
         fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > $secretFile 
+          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > $secretFile
         '';
       };
       wg_preshared_storage = {
         path = "/secrets/wg_preshared_storage";
         fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.storage > $secretFile 
+          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.storage > $secretFile
         '';
       };
       wg_preshared_iphone8 = {
         path = "/secrets/wg_preshared_iphone8";
         fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > $secretFile 
+          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > $secretFile
         '';
       };
     };

hosts/macmini/default.nix

@@ -1,4 +1,8 @@
-{ pkgs, tree, ... }: {
+{
+  pkgs,
+  tree,
+  ...
+}: {
   users.users.chaos = {
     name = "chaos";
     home = "/Users/chaos";
@@ -16,5 +20,4 @@
       home.apps.mpv
     ];
   };
-
 }