chore: code cleanup

2025-12-06 00:57:22 +01:00 · 2024-07-18 23:12:04 +02:00 · 2024-07-18 23:12:04 +02:00 · 3eecea6503
commit 3eecea6503
parent bb59145f85
42 changed files with 4232 additions and 4479 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
--- a/flake.nix
+++ b/flake.nix
@ -3,93 +3,90 @@

  inputs = {
    
-    nixpkgs.url = github:nixos/nixpkgs/nixos-unstable;
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    
-    nixpkgs-stable.url = github:NixOS/nixpkgs/nixos-24.05;
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.05";
    
    # user-level configuration
    home-manager = {
-      url = github:nix-community/home-manager;
+      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    
    # overlay to access bleeding edge emacs
    emacs-overlay = {
-      url = github:nix-community/emacs-overlay;
+      url = "github:nix-community/emacs-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    
    # nix user repository
    # i use this mainly to not have to build all firefox extensions
    # myself as well as for the emacs-init package (tbd)
-    nur.url = github:nix-community/NUR;
+    nur.url = "github:nix-community/NUR";
    
    # provides GL to non-NixOS hosts
-    nixgl.url = github:guibou/nixGL;
+    nixgl.url = "github:guibou/nixGL";
    
    # manages all theming using Home-Manager
-    stylix.url = github:danth/stylix;
+    stylix.url = "github:danth/stylix";
    
    # nix secrets management
-    sops-nix.url = github:Mic92/sops-nix;
+    sops-nix.url = "github:Mic92/sops-nix";
    
    # enable secure boot on NixOS
-    lanzaboote.url = github:nix-community/lanzaboote;
+    lanzaboote.url = "github:nix-community/lanzaboote";
    
    # nix for android
    nix-on-droid = {
-      url = github:t184256/nix-on-droid/release-23.05;
+      url = "github:t184256/nix-on-droid/release-23.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    
    # generate NixOS images
    nixos-generators = {
-      url = github:nix-community/nixos-generators;
+      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    
    # patches for gaming on nix
    nix-gaming = {
-      url = github:fufexan/nix-gaming;
+      url = "github:fufexan/nix-gaming";
    };
    
    # hardware quirks on nix
    nixos-hardware = {
-      url = github:NixOS/nixos-hardware/master;
+      url = "github:NixOS/nixos-hardware/master";
    };
    
    # dynamic library loading
    nix-alien = {
-      url = github:thiagokokada/nix-alien;
+      url = "github:thiagokokada/nix-alien";
    };
    
    # automatic nintendo switch payload injection
    nswitch-rcm-nix = {
-      url = github:Swarsel/nswitch-rcm-nix;
+      url = "github:Swarsel/nswitch-rcm-nix";
    };
    
  };

  outputs = inputs@{
-    self,
-      
-      nixpkgs,
-      nixpkgs-stable,
-      home-manager,
-      nix-on-droid,
-      nixos-generators,
-      emacs-overlay,
-      nur,
-      nixgl,
-      stylix,
-      sops-nix,
-      lanzaboote,
-      nix-gaming,
-      nixos-hardware,
-      nix-alien,
-      nswitch-rcm-nix,
-      
-      ...
+    
+    nixpkgs,
+    nixpkgs-stable,
+    home-manager,
+    nix-on-droid,
+    emacs-overlay,
+    nur,
+    nixgl,
+    stylix,
+    sops-nix,
+    lanzaboote,
+    nixos-hardware,
+    nix-alien,
+    nswitch-rcm-nix,
+    
+    ...
  }: let
    
    system = "x86_64-linux"; # not very portable, but I do not use other architectures at the moment
@ -106,16 +103,6 @@
                            config.allowUnfree = true;
                          };
    
-    # for ovm arm hosts
-    armpkgs = import nixpkgs { system = "aarch64-linux";
-                            overlays = [ emacs-overlay.overlay
-                                         nur.overlay
-                                         nixgl.overlay
-                                       ];
-                            config.allowUnfree = true;
-                          };
-    
-    
    # NixOS modules that can only be used on NixOS systems
    nixModules = [ stylix.nixosModules.stylix
                   sops-nix.nixosModules.sops
--- a/index.html
+++ b/index.html
--- a/profiles/TEMPLATE/home.nix
+++ b/profiles/TEMPLATE/home.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, fetchFromGitHub, ... }:
+{ config, pkgs, ... }:

 {

@ -118,7 +118,7 @@
      };

      keybindings = let
-        modifier = config.wayland.windowManager.sway.config.modifier;
+        inherit (config.wayland.windowManager.sway.config) modifier;
      in {
        # TEMPLATE
        "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\"";
--- a/profiles/TEMPLATE/nixos.nix
+++ b/profiles/TEMPLATE/nixos.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ pkgs, ... }:

 {

@ -67,7 +67,7 @@
      };
  
      monospace = {
-        package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
+        package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; };
        name = "FiraCode Nerd Font Mono";
      };
  
--- a/profiles/common/home.nix
+++ b/profiles/common/home.nix
@ -155,15 +155,15 @@
    noto-fonts-cjk-sans

 # cura
-    (let cura5 = appimageTools.wrapType2 rec {
-           name = "cura5";
-           version = "5.4.0";
-           src = fetchurl {
-             url = "https://github.com/Ultimaker/Cura/releases/download/${version}/UltiMaker-Cura-${version}-linux-modern.AppImage";
-             hash = "sha256-QVv7Wkfo082PH6n6rpsB79st2xK2+Np9ivBg/PYZd74=";
-           };
-           extraPkgs = pkgs: with pkgs; [ ];
-         }; in writeScriptBin "cura" ''
+(let cura5 = appimageTools.wrapType2 rec {
+       name = "cura5";
+       version = "5.4.0";
+       src = fetchurl {
+         url = "https://github.com/Ultimaker/Cura/releases/download/${version}/UltiMaker-Cura-${version}-linux-modern.AppImage";
+         hash = "sha256-QVv7Wkfo082PH6n6rpsB79st2xK2+Np9ivBg/PYZd74=";
+       };
+       extraPkgs = pkgs: with pkgs; [ ];
+     }; in writeScriptBin "cura" ''
          #! ${pkgs.bash}/bin/bash
          # AppImage version of Cura loses current working directory and treats all paths relateive to $HOME.
          # So we convert each of the files passed as argument to an absolute path.
@ -178,15 +178,15 @@
          exec "${cura5}/bin/cura5" "''${args[@]}"
          '')

-    #E: hides scratchpad depending on state, calls emacsclient for edit and then restores the scratchpad state
-    (pkgs.writeShellScriptBin "e" ''
+  #E: hides scratchpad depending on state, calls emacsclient for edit and then restores the scratchpad state
+  (pkgs.writeShellScriptBin "e" ''
       bash ~/.dotfiles/scripts/editor_nowait.sh "$@"
       '')
-    (pkgs.writeShellScriptBin "timer" ''
+  (pkgs.writeShellScriptBin "timer" ''
       sleep "$1"; while true; do spd-say "$2"; sleep 0.5; done;
       '')

-    (pkgs.writeScriptBin "project" ''
+  (pkgs.writeScriptBin "project" ''
 #! ${pkgs.bash}/bin/bash
 if [ "$1" == "rust" ]; then
 cp ~/.dotfiles/templates/rust_flake.nix ./flake.nix
@ -214,10 +214,10 @@
 direnv allow
 '')

-    (pkgs.writeShellApplication {
-      name = "pass-fuzzel";
-      runtimeInputs = [ pkgs.pass pkgs.fuzzel ];
-      text = ''
+  (pkgs.writeShellApplication {
+    name = "pass-fuzzel";
+    runtimeInputs = [ pkgs.pass pkgs.fuzzel ];
+    text = ''
       shopt -s nullglob globstar

       typeit=0
@ -243,12 +243,12 @@
       fi
       notify-send -u critical -a pass -t 1000 "Copied/Typed Password"
     '';
-    })
+  })

-    (pkgs.writeShellApplication {
-      name = "pass-fuzzel-otp";
-      runtimeInputs = [ pkgs.fuzzel (pkgs.pass.withExtensions (exts: [exts.pass-otp]))];
-      text = ''
+  (pkgs.writeShellApplication {
+    name = "pass-fuzzel-otp";
+    runtimeInputs = [ pkgs.fuzzel (pkgs.pass.withExtensions (exts: [exts.pass-otp]))];
+    text = ''
       shopt -s nullglob globstar

       typeit=0
@ -274,42 +274,44 @@
       fi
       notify-send -u critical -a pass -t 1000 "Copied/Typed OTPassword"
     '';
-    })
+  })

-    (pkgs.writeShellApplication {
-      name = "cdw";
-      runtimeInputs = [ pkgs.fzf ];
-      text = ''
+  (pkgs.writeShellApplication {
+    name = "cdw";
+    runtimeInputs = [ pkgs.fzf ];
+    text = ''
    cd "$(git worktree list | fzf | awk '{print $1}')"
    '';
-    })
+  })

-    (pkgs.writeShellApplication {
-      name = "cdb";
-      runtimeInputs = [ pkgs.fzf ];
-      text = ''
+  (pkgs.writeShellApplication {
+    name = "cdb";
+    runtimeInputs = [ pkgs.fzf ];
+    text = ''
    git checkout "$(git branch --list | grep -v "^\*" | fzf | awk '{print $1}')"
    '';
-    })
+  })

-    (pkgs.writeShellApplication {
-      name = "bak";
-      text = ''
+  (pkgs.writeShellApplication {
+    name = "bak";
+    text = ''
      cp "$1"{,.bak}
    '';
-    })
+  })

 ];

-sops.defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
-sops.validateSopsFiles = false;
-
-# since we are using the home-manager implementation, we need to specify the runtime path for each secret
-sops.secrets.mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";};
-sops.secrets.nautilus = {path = "/run/user/1000/secrets/nautilus";};
-sops.secrets.leon = {path = "/run/user/1000/secrets/leon";};
-sops.secrets.swarselmail = {path = "/run/user/1000/secrets/swarselmail";};
-sops.secrets.caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";};
+sops = {
+  defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
+  validateSopsFiles = false;
+  secrets = {
+    mrswarsel = {path = "/run/user/1000/secrets/mrswarsel";};
+    nautilus = {path = "/run/user/1000/secrets/nautilus";};
+    leon = {path = "/run/user/1000/secrets/leon";};
+    swarselmail = {path = "/run/user/1000/secrets/swarselmail";};
+    caldav = {path = "${config.home.homeDirectory}/.emacs.d/.caldav";};
+  };
+};

 programs.ssh= {
  enable = true;
@ -512,28 +514,29 @@ home.file = {
 xdg.configFile = {
  "tridactyl/tridactylrc".source = ../../programs/firefox/tridactyl/tridactylrc;
  "tridactyl/themes/base16-codeschool.css".source = ../../programs/firefox/tridactyl/themes/base16-codeschool.css;
-  };
+};

 home.sessionVariables = {
  EDITOR = "bash ~/.dotfiles/scripts/editor.sh";
 };

-# zsh Integration is enabled by default for these
-programs.bottom.enable = true;
-programs.imv.enable = true;
-programs.sioyek.enable = true;
-programs.bat.enable = true;
-programs.carapace.enable = true;
-programs.wlogout.enable = true;
-programs.swayr.enable = true;
-programs.yt-dlp.enable = true;
-programs.mpv.enable = true;
-programs.jq.enable = true;
-programs.nix-index.enable = true;
-programs.ripgrep.enable = true;
-programs.pandoc.enable = true;
-programs.fzf.enable = true;
-programs.zoxide.enable = true;
+programs = {
+  bottom.enable = true;
+  imv.enable = true;
+  sioyek.enable = true;
+  bat.enable = true;
+  carapace.enable = true;
+  wlogout.enable = true;
+  swayr.enable = true;
+  yt-dlp.enable = true;
+  mpv.enable = true;
+  jq.enable = true;
+  nix-index.enable = true;
+  ripgrep.enable = true;
+  pandoc.enable = true;
+  fzf.enable = true;
+  zoxide.enable = true;
+};

 programs.password-store = {
  enable = true;
@ -543,7 +546,7 @@ programs.password-store = {
 programs.direnv = {
  enable = true;
  nix-direnv.enable = true;
-  };
+};

 programs.eza = {
  enable = true;
@ -836,7 +839,7 @@ accounts.email = {
    };
    mbsync = {
      enable = false;
-      };
+    };
  };

  accounts.nautilus = {
@ -913,7 +916,7 @@ programs.emacs = {
      # build the rest of the packages myself
      # org-calfw is severely outdated on MELPA and throws many warnings on emacs startup
      # build the package from the haji-ali fork, which is well-maintained
-       (epkgs.trivialBuild rec {
+      (epkgs.trivialBuild rec {
        pname = "calfw";
        version = "1.0.0-20231002";
        src = pkgs.fetchFromGitHub {
@ -925,7 +928,7 @@ programs.emacs = {
        packageRequires = [ epkgs.howm ];
      })

-       (epkgs.trivialBuild rec {
+      (epkgs.trivialBuild rec {
        pname = "fast-scroll";
        version = "1.0.0-20191016";
        src = pkgs.fetchFromGitHub {
@ -1142,19 +1145,19 @@ programs.firefox = {
    ];
  };
  policies = {
-      CaptivePortal = false;
-      DisableFirefoxStudies = true;
-      DisablePocket = true;
-      DisableTelemetry = true;
-      DisableFirefoxAccounts = false;
-      NoDefaultBookmarks = true;
-      OfferToSaveLogins = false;
-      OfferToSaveLoginsDefault = false;
-      EnableTrackingProtection = true;
-      };
+    CaptivePortal = false;
+    DisableFirefoxStudies = true;
+    DisablePocket = true;
+    DisableTelemetry = true;
+    DisableFirefoxAccounts = false;
+    NoDefaultBookmarks = true;
+    OfferToSaveLogins = false;
+    OfferToSaveLoginsDefault = false;
+    EnableTrackingProtection = true;
+  };
  profiles.default = {
    isDefault = true;
-    userChrome = (builtins.readFile ../../programs/firefox/chrome/userChrome.css);
+    userChrome = builtins.readFile ../../programs/firefox/chrome/userChrome.css;
    extensions = with pkgs.nur.repos.rycee.firefox-addons; [
      tridactyl
      browserpass
@ -1172,42 +1175,10 @@ programs.firefox = {
      widegithub
      enhanced-github
      unpaywall
-      # fastforwardteam
      don-t-fuck-with-paste
      plasma-integration
-
-  #     (let version = "3.4.5.0";
-  #                             in buildFirefoxXpiAddon {
-  # pname = "bypass-paywalls-clean";
-  # inherit version;
-  # addonId = "magnolia@12.34";
-  # url =
-  #   "https://gitlab.com/magnolia1234/bpc-uploads/-/raw/master/bypass_paywalls_clean-3.4.5.0.xpi";
-  # sha256 = "703d30c15b88291bd0305cc59013693aea5f75a40ea98fb8e252d1c7bfb43514";
-  # meta = with lib; {
-  #   homepage =
-  #     "https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clean";
-  #   description = "Bypass Paywalls of (custom) news sites";
-  #   license = licenses.mit;
-  #   platforms = platforms.all;
-  # };
-  # })
-
-      (buildFirefoxXpiAddon {
-        pname = ":emoji:";
-        version = "0.1.3";
-        addonId = "gonelf@gmail.com";
-        url = "https://addons.mozilla.org/firefox/downloads/file/3365324/emojidots-0.1.3.xpi";
-        sha256 = "4f7cc25c478fe52eb82f37c9ff4978dcaa3f95020398c5b184e517f6efa2c201";
-        meta = with lib;
-          {
-            description = "emoji autocomplete anywhere on the internet";
-            mozPermissions = [ "https://gist.githubusercontent.com/gonelf/d8ae3ccb7902b501c4a5dd625d4089da/raw/5eeda197ba92f8c8139e846a1225d5640077e06f/emoji_pretty.json" "tabs" "storage"];
-            platforms = platforms.all;
-          };
-      })
-
    ];
+
    search.engines = {
      "Nix Packages" = {
        urls = [{
@ -1317,9 +1288,10 @@ wayland.windowManager.sway = {
  enable = true;
  checkConfig = false; # delete this line once SwayFX is fixed upstream
  package = pkgs.swayfx;
-  # package = pkgs.sway;
-  systemd.enable = true;
-  systemd.xdgAutostart = true;
+  systemd = {
+    enable = true;
+    xdgAutostart = true;
+  };
  wrapperFeatures.gtk = true;
  config = rec {
    modifier = "Mod4";
@ -1327,7 +1299,7 @@ wayland.windowManager.sway = {
    menu = "fuzzel";
    bars = [{ command = "waybar";}];
    keybindings = let
-      modifier = config.wayland.windowManager.sway.config.modifier;
+      inherit (config.wayland.windowManager.sway.config) modifier;
    in {
      "${modifier}+q" = "kill";
      "${modifier}+f" = "exec firefox";
@ -1490,7 +1462,7 @@ wayland.windowManager.sway = {
        #   criteria = {
        #     app_id="^$";
        #     class="^$";
-          # };
+        # };
        # }
        {

@ -1539,7 +1511,7 @@ wayland.windowManager.sway = {
  # exec hash dbus-update-activation-environment 2>/dev/null && dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK
  # ";
  extraConfig =let
-    modifier = config.wayland.windowManager.sway.config.modifier;
+    inherit (config.wayland.windowManager.sway.config) modifier;
    swayfxSettings = "
        blur enable
        blur_xray disable
@ -1550,7 +1522,6 @@ wayland.windowManager.sway = {
        titlebar_separator disable
        default_dim_inactive 0.02
    ";
-    swayfxSettingsOff = "";
  in "
      exec_always autotiling
      set $exit \"exit: [s]leep, [p]oweroff, [r]eboot, [l]ogout\"
--- a/profiles/common/nixos.nix
+++ b/profiles/common/nixos.nix
@ -1,31 +1,35 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, ... }:

 {
-
-  home-manager.useGlobalPkgs = true;
-  home-manager.useUserPackages = true;
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+  };

 services.xserver = {
-  xkb.layout = "us";
-  xkb.variant = "altgr-intl";
+  xkb = {
+    layout = "us";
+    variant = "altgr-intl";
+  };
 };

 nix.settings.experimental-features = ["nix-command" "flakes"];

 users.mutableUsers = false;

-# use ozone for wayland - chromium apps
-  environment.sessionVariables.NIXOS_OZONE_WL = "1";
-
-  # wordlist for look
-  environment.wordlist.enable = true;
-  # gstreamer plugins for nautilus (used for file metadata)
-  environment.sessionVariables.GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
-    gst-plugins-good
-    gst-plugins-bad
-    gst-plugins-ugly
-    gst-libav
-  ]);
+environment = {
+  wordlist.enable = true;
+  sessionVariables = {
+    NIXOS_OZONE_WL = "1";
+    GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
+      gst-plugins-good
+      gst-plugins-bad
+      gst-plugins-ugly
+      gst-libav
+    ]);
+  };
+};
+# gstreamer plugins for nautilus (used for file metadata)

 time.hardwareClockInLocalTime = true;

@ -47,27 +51,31 @@ nix.optimise = {
 };

 # systemd
-  systemd.extraConfig = ''
+systemd.extraConfig = ''
  DefaultTimeoutStartSec=60s
  DefaultTimeoutStopSec=15s
 '';

-hardware.graphics = {
-  enable = true;
-  enable32Bit = true;
-};
+hardware = {
+  graphics = {
+    enable = true;
+    enable32Bit = true;
+  };

-hardware.pulseaudio= {
-  enable = true;
-  package = pkgs.pulseaudioFull;
-};
+  pulseaudio= {
+    enable = true;
+    package = pkgs.pulseaudioFull;
+  };

-hardware.enableAllFirmware = true;
+  enableAllFirmware = true;

-hardware.bluetooth.powerOnBoot = true;
-hardware.bluetooth.settings = {
-  General = {
-    Enable = "Source,Sink,Media,Socket";
+  bluetooth = {
+    powerOnBoot = true;
+    settings = {
+      General = {
+        Enable = "Source,Sink,Media,Socket";
+      };
+    };
  };
 };

@ -278,17 +286,19 @@ systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.servic

 time.timeZone = "Europe/Vienna";

-i18n.defaultLocale = "en_US.UTF-8";
-i18n.extraLocaleSettings = {
-  LC_ADDRESS = "de_AT.UTF-8";
-  LC_IDENTIFICATION = "de_AT.UTF-8";
-  LC_MEASUREMENT = "de_AT.UTF-8";
-  LC_MONETARY = "de_AT.UTF-8";
-  LC_NAME = "de_AT.UTF-8";
-  LC_NUMERIC = "de_AT.UTF-8";
-  LC_PAPER = "de_AT.UTF-8";
-  LC_TELEPHONE = "de_AT.UTF-8";
-  LC_TIME = "de_AT.UTF-8";
+i18n = {
+  defaultLocale = "en_US.UTF-8";
+  extraLocaleSettings = {
+    LC_ADDRESS = "de_AT.UTF-8";
+    LC_IDENTIFICATION = "de_AT.UTF-8";
+    LC_MEASUREMENT = "de_AT.UTF-8";
+    LC_MONETARY = "de_AT.UTF-8";
+    LC_NAME = "de_AT.UTF-8";
+    LC_NUMERIC = "de_AT.UTF-8";
+    LC_PAPER = "de_AT.UTF-8";
+    LC_TELEPHONE = "de_AT.UTF-8";
+    LC_TIME = "de_AT.UTF-8";
+  };
 };

 sops = {
@ -400,17 +410,16 @@ environment.systemPackages = with pkgs; [

 ];

-programs.dconf.enable = true;
-programs.evince.enable = true;
-programs.kdeconnect.enable = true;
+programs = {
+  dconf.enable = true;
+  evince.enable = true;
+  kdeconnect.enable = true;
+};

-
-# zsh section, do not delete ------
 programs.zsh.enable = true;
 users.defaultUserShell = pkgs.zsh;
 environment.shells = with pkgs; [ zsh ];
 environment.pathsToLink = [ "/share/zsh" ];
-# ---------------------------------

 services.blueman.enable = true;

@ -421,24 +430,26 @@ hardware.sane = {
 };

 # enable discovery and usage of network devices (esp. printers)
-  services.printing.enable = true;
-  services.printing.drivers = [
+services.printing = {
+  enable = true;
+  drivers = [
    pkgs.gutenprint
    pkgs.gutenprintBin
  ];
-  services.printing.browsedConf = ''
+  browsedConf = ''
 BrowseDNSSDSubTypes _cups,_print
 BrowseLocalProtocols all
 BrowseRemoteProtocols all
 CreateIPPPrinterQueues All
-
 BrowseProtocols all
    '';
-  services.avahi = {
-    enable = true;
-    nssmdns4 = true;
-    openFirewall = true;
-  };
+};
+
+services.avahi = {
+  enable = true;
+  nssmdns4 = true;
+  openFirewall = true;
+};

 services.gvfs.enable = true;

@ -473,10 +484,6 @@ services.pcscd.enable = true;

 hardware.ledger.enable = true;

-# environment.systemPackages = with pkgs; [
-# --- IN SYSTEM PACKAGES SECTION ---
-# ];
-
 services.udev.packages = with pkgs; [
  yubikey-personalization
  ledger-udev-rules
--- a/profiles/fourside/hardware-configuration.nix
+++ b/profiles/fourside/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:

 {
  imports =
--- a/profiles/fourside/home.nix
+++ b/profiles/fourside/home.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, fetchFromGitHub, ... }:
+{ config, pkgs, ... }:

 {

@ -97,7 +97,7 @@


      keybindings = let
-        modifier = config.wayland.windowManager.sway.config.modifier;
+        inherit (config.wayland.windowManager.sway.config) modifier;
      in {
        "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkelement.sh\"";
        "XF86MonBrightnessUp"  = "exec brightnessctl set +5%";
--- a/profiles/fourside/nixos.nix
+++ b/profiles/fourside/nixos.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, pkgs, ... }:

 {

@ -94,7 +94,7 @@
      };
  
      monospace = {
-        package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
+        package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; };
        name = "FiraCode Nerd Font Mono";
      };
  
@ -143,10 +143,10 @@

  services.nswitch-rcm = {
    enable = true;
-    package =  (pkgs.fetchurl {
+    package =  pkgs.fetchurl {
      url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin";
      hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI=";
-    });
+    };
  };

  users.users.swarsel = {
--- a/profiles/mysticant/configuration.nix
+++ b/profiles/mysticant/configuration.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ pkgs, ... }:

 {
  environment.packages = with pkgs; [
--- a/profiles/remote/oracle/matrix/nixos.nix
+++ b/profiles/remote/oracle/matrix/nixos.nix
@ -1,4 +1,4 @@
-{ config, pkgs, modulesPath, unstable, sops, ... }: let
+{ config, pkgs, sops, ... }: let
  matrixDomain = "swatrix.swarsel.win";
 in {

@ -23,13 +23,42 @@ in {

  nix.settings.experimental-features = ["nix-command" "flakes"];

-  sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  sops.defaultSopsFile = "/root/.dotfiles/secrets/omatrix/secrets.yaml";
-  sops.validateSopsFiles = false;
-  sops.secrets.dnstokenfull = {owner="acme";};
-  sops.templates."certs.secret".content = ''
-  CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
-  '';
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    defaultSopsFile = "/root/.dotfiles/secrets/omatrix/secrets.yaml";
+    validateSopsFiles = false;
+    secrets = {
+      dnstokenfull = {owner="acme";};
+      matrixsharedsecret = {owner="matrix-synapse";};
+      mautrixtelegram_as = {owner="matrix-synapse";};
+      mautrixtelegram_hs = {owner="matrix-synapse";};
+      mautrixtelegram_api_id = {owner="matrix-synapse";};
+      mautrixtelegram_api_hash = {owner="matrix-synapse";};
+    };
+    templates = {
+      "certs.secret".content = ''
+          CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
+          '';
+      "matrix_user_register.sh".content = ''
+          register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
+          '';
+      mautrixtelegram = {
+        owner = "matrix-synapse";
+        content = ''
+          MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
+          MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
+          MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
+          MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
+          '';
+      };
+      matrixshared = {
+        owner = "matrix-synapse";
+        content = ''
+          registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
+          '';
+      };
+    };
+  };

  documentation = {
    enable = false;
@ -59,8 +88,8 @@ in {
          "~ ^(/_matrix|/_synapse/client)" = {
            proxyPass = "http://localhost:8008";
            extraConfig = ''
-                client_max_body_size 0;
-              '';
+                        client_max_body_size 0;
+                      '';
          };
        };
      };
@ -69,18 +98,19 @@ in {

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = false;
-  networking.hostName = "swatrix";
-  networking.enableIPv6 = false;
-  # networking.domain = "subnet03112148.vcn03112148.oraclevcn.com";
-  networking.domain = "swarsel.win";
-  networking.firewall.extraCommands = ''
-  iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 8008 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 29317 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 29318 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 29328 -j ACCEPT
-  '';
+  networking = {
+    hostName = "swatrix";
+    enableIPv6 = false;
+    domain = "swarsel.win";
+    firewall.extraCommands = ''
+          iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
+          iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
+          iptables -I INPUT -m state --state NEW -p tcp --dport 8008 -j ACCEPT
+          iptables -I INPUT -m state --state NEW -p tcp --dport 29317 -j ACCEPT
+          iptables -I INPUT -m state --state NEW -p tcp --dport 29318 -j ACCEPT
+          iptables -I INPUT -m state --state NEW -p tcp --dport 29328 -j ACCEPT
+          '';
+  };
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "yes";
@ -97,55 +127,31 @@ in {

  boot.loader.grub.device = "nodev";

-  sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
-  sops.templates."matrix_user_register.sh".content = ''
-  register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
-  '';
-  sops.templates.matrixshared.owner = "matrix-synapse";
-  sops.templates.matrixshared.content = ''
-  registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
-  '';
-  sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";};
-  sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";};
-  sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";};
-  sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";};
-  sops.templates.mautrixtelegram.owner = "matrix-synapse";
-  sops.templates.mautrixtelegram.content = ''
-  MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
-  MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
-  MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
-  MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
-  '';
-  # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";};
-  # sops.templates.mautrixwhatsapp.owner = "matrix-synapse";
-  # sops.templates.mautrixwhatsapp.content = ''
-  # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
-  # '';
-
-  services.postgresql.enable = true;
-  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
-    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-    CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
-    CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-    CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
-    CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-    CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
-    CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-  '';
-
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+            CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+            CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+              TEMPLATE template0
+              LC_COLLATE = "C"
+              LC_CTYPE = "C";
+            CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
+            CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
+              TEMPLATE template0
+              LC_COLLATE = "C"
+              LC_CTYPE = "C";
+            CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
+            CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
+              TEMPLATE template0
+              LC_COLLATE = "C"
+              LC_CTYPE = "C";
+            CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
+            CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
+              TEMPLATE template0
+              LC_COLLATE = "C"
+              LC_CTYPE = "C";
+          '';
+  };
  services.matrix-synapse = {
    settings.app_service_config_files = [
      "/var/lib/matrix-synapse/telegram-registration.yaml"
@ -154,12 +160,11 @@ in {
      "/var/lib/matrix-synapse/doublepuppet.yaml"
    ];
    enable = true;
-    settings.server_name = matrixDomain;
-    settings.public_baseurl = "https://${matrixDomain}";
-    extraConfigFiles = [
-      config.sops.templates.matrixshared.path
-    ];
-    settings.listeners = [
+    settings = {
+      server_name = matrixDomain;
+      public_baseurl = "https://${matrixDomain}";
+    };
+    listeners = [
      { port = 8008;
        bind_addresses = [ "0.0.0.0" ];
        type = "http";
@ -173,6 +178,9 @@ in {
        ];
      }
    ];
+    extraConfigFiles = [
+      config.sops.templates.matrixshared.path
+    ];
  };

  services.mautrix-telegram = {
@ -196,9 +204,6 @@ in {
        database = "postgresql:///mautrix-telegram?host=/run/postgresql";
      };
      bridge = {
-        # login_shared_secret_map = {
-          # matrixDomain = "as_token:doublepuppet";
-        # };
        relaybot.authless_portals = true;
        allow_avatar_remove = true;
        allow_contact_info = true;
@ -211,12 +216,6 @@ in {
          "*" = "relaybot";
          "@swarsel:${matrixDomain}" = "admin";
        };
-        # Animated stickers conversion requires additional packages in the
-        # service's path.
-        # If this isn't a fresh installation, clearing the bridge's uploaded
-        # file cache might be necessary (make a database backup first!):
-        # delete from telegram_file where \
-        #   mime_type in ('application/gzip', 'application/octet-stream')
        animated_sticker = {
          target = "gif";
          args = {
@ -236,7 +235,6 @@ in {

  services.mautrix-whatsapp = {
    enable = true;
-    # environmentFile = config.sops.templates.mautrixwhatsapp.path;
    settings = {
      homeserver = {
        address = "http://localhost:8008";
@ -284,7 +282,6 @@ in {
  services.mautrix-signal = {
    enable = true;
    registerToSynapse = false; # this has the same effect as registering to app_service_config_file above
-    # environmentFile = config.sops.templates.mautrixwhatsapp.path;
    settings = {
      homeserver = {
        address = "http://localhost:8008";
@ -328,10 +325,10 @@ in {

  systemd.services."restart-bridges" = {
    script = ''
-    systemctl restart mautrix-whatsapp.service
-    systemctl restart mautrix-signal.service
-    systemctl restart mautrix-telegram.service
-    '';
+            systemctl restart mautrix-whatsapp.service
+            systemctl restart mautrix-signal.service
+            systemctl restart mautrix-telegram.service
+            '';
    serviceConfig = {
      Type = "oneshot";
      User = "root";
--- a/profiles/remote/oracle/sync/hardware-configuration.nix
+++ b/profiles/remote/oracle/sync/hardware-configuration.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:

 {
  imports =
--- a/profiles/remote/oracle/sync/nixos.nix
+++ b/profiles/remote/oracle/sync/nixos.nix
@ -1,4 +1,4 @@
-{ config, pkgs, modulesPath, ... }:
+{ config, pkgs, ... }:

 {
  imports = [
@ -18,14 +18,16 @@

  nix.settings.experimental-features = ["nix-command" "flakes"];

-  sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  sops.defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml";
-  sops.validateSopsFiles = false;
-  sops.secrets.swarsel = { owner = "root";};
-  sops.secrets.dnstokenfull = {owner="acme";};
-  sops.templates."certs.secret".content = ''
-  CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
-  '';
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml";
+    validateSopsFiles = false;
+    secrets.swarsel = { owner = "root";};
+    secrets.dnstokenfull = {owner="acme";};
+    templates."certs.secret".content = ''
+    CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
+    '';
+  };

  security.acme = {
    acceptTerms = true;
@ -51,57 +53,59 @@
          "/" = {
            proxyPass = "http://localhost:27701";
            extraConfig = ''
-                client_max_body_size 0;
-              '';
+                  client_max_body_size 0;
+                '';
          };
        };
      };

-        "sync.swarsel.win" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://localhost:8384/";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
+      "sync.swarsel.win" = {
+        enableACME = true;
+        forceSSL = true;
+        acmeRoot = null;
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:8384/";
+            extraConfig = ''
+                  client_max_body_size 0;
+                '';
          };
        };
+      };

-        "swagit.swarsel.win" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://localhost:3000";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
+      "swagit.swarsel.win" = {
+        enableACME = true;
+        forceSSL = true;
+        acmeRoot = null;
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:3000";
+            extraConfig = ''
+                  client_max_body_size 0;
+                '';
          };
        };
+      };
    };
  };

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = false;
-  networking.hostName = "sync";
-  networking.enableIPv6 = false;
-  networking.domain = "subnet03112148.vcn03112148.oraclevcn.com";
-  networking.firewall.extraCommands = ''
-  iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
-  iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
-  '';
+  networking = {
+    hostName = "sync";
+    enableIPv6 = false;
+    domain = "subnet03112148.vcn03112148.oraclevcn.com";
+    firewall.extraCommands = ''
+    iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
+    iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
+    iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
+    iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
+    iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
+    iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
+    iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
+    iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
+    '';
+  };
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "yes";
@ -125,8 +129,8 @@
    openFirewall = true;
    users = [
      {
-      username = "Swarsel";
-      passwordFile = config.sops.secrets.swarsel.path;
+        username = "Swarsel";
+        passwordFile = config.sops.secrets.swarsel.path;
      }
    ];
  };
--- a/profiles/sandbox/hardware-configuration.nix
+++ b/profiles/sandbox/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:

 {
  imports =
--- a/profiles/sandbox/nixos.nix
+++ b/profiles/sandbox/nixos.nix
@ -1,4 +1,4 @@
-{ config, pkgs, modulesPath, unstable, sops, ... }: let
+{ config, pkgs, unstable, sops, ... }: let
    matrixDomain = "swatrix.swarsel.win";
  in {

--- a/profiles/server1/TEMPLATE/nixos.nix
+++ b/profiles/server1/TEMPLATE/nixos.nix
@ -1,37 +1,41 @@
 { pkgs, modulesPath, ... }:

-{
-  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
-  ];
+  {
+    imports = [
+      (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    ];

-  environment.systemPackages = with pkgs; [
-    git
-    gnupg
-    ssh-to-age
-  ];
+    environment.systemPackages = with pkgs; [
+      git
+      gnupg
+      ssh-to-age
+    ];

-  services.xserver = {
-    layout = "us";
-    xkbVariant = "altgr-intl";
-  };
+    services.xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+    };

-  nix.settings.experimental-features = ["nix-command" "flakes"];
+    nix.settings.experimental-features = ["nix-command" "flakes"];

-  proxmoxLXC.manageNetwork = true; # manage network myself
-  proxmoxLXC.manageHostName = false; # manage hostname myself
-  networking.hostName = "TEMPLATE"; # Define your hostname.
-  networking.useDHCP = true;
-  networking.enableIPv6 = false;
-  networking.firewall.enable = false;
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = "yes";
-  };
-  users.users.root.openssh.authorizedKeys.keyFiles = [
-    ../../../secrets/keys/authorized_keys
-  ];
-  # users.users.root.password = "TEMPLATE";
+    proxmoxLXC = {
+manageNetwork = true; # manage network myself
+manageHostName = false; # manage hostname myself
+};
+    networking = {
+hostName = "TEMPLATE"; # Define your hostname.
+useDHCP = true;
+enableIPv6 = false;
+firewall.enable = false;
+};
+    services.openssh = {
+      enable = true;
+      settings.PermitRootLogin = "yes";
+    };
+    users.users.root.openssh.authorizedKeys.keyFiles = [
+      ../../../secrets/keys/authorized_keys
+    ];
+    # users.users.root.password = "TEMPLATE";

-  system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-}
+    system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+  }
--- a/profiles/server1/calibre/hardware-configuration.nix
+++ b/profiles/server1/calibre/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:

 {
  imports = [ ];
--- a/profiles/server1/calibre/nixos.nix
+++ b/profiles/server1/calibre/nixos.nix
@ -1,101 +1,70 @@
 { config, pkgs, modulesPath, ... }:

-{
-  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
-    ./hardware-configuration.nix
-  ];
+  {
+    imports = [
+      (modulesPath + "/virtualisation/proxmox-lxc.nix")
+      ./hardware-configuration.nix
+    ];

-  environment.systemPackages = with pkgs; [
-    git
-    gnupg
-    ssh-to-age
-    calibre
-  ];
+    environment.systemPackages = with pkgs; [
+      git
+      gnupg
+      ssh-to-age
+      calibre
+    ];

-  users.groups.lxc_shares = {
-    gid = 10000;
-    members = [
-            "kavita"
-            "calibre-web"
-            "root"
-          ];
-  };
+    users.groups.lxc_shares = {
+      gid = 10000;
+      members = [
+              "kavita"
+              "calibre-web"
+              "root"
+            ];
+    };

-  services.xserver = {
-    layout = "us";
-    xkbVariant = "altgr-intl";
-  };
+    services.xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+    };

-  nix.settings.experimental-features = ["nix-command" "flakes"];
+    nix.settings.experimental-features = ["nix-command" "flakes"];

-  sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  sops.defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml";
-  sops.validateSopsFiles = false;
-  sops.secrets.kavita = { owner = "kavita";};
-  # sops.secrets.smbuser = { };
-  # sops.secrets.smbpassword = { };
-  # sops.secrets.smbdomain = { };
-  # sops.templates."smb.cred".content = ''
-  # user=${config.sops.placeholder.smbuser}
-  # password=${config.sops.placeholder.smbpassword}
-  # domain=${config.sops.placeholder.smbdomain}
-  # '';
-  proxmoxLXC.manageNetwork = true; # manage network myself
-  proxmoxLXC.manageHostName = false; # manage hostname myself
-  networking.hostName = "calibre"; # Define your hostname.
-  networking.useDHCP = true;
-  networking.enableIPv6 = false;
-  networking.firewall.enable = false;
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = "yes";
-  };
-  users.users.root.openssh.authorizedKeys.keyFiles = [
-    ../../../secrets/keys/authorized_keys
-  ];
+    sops = {
+age.sshKeyPaths = [ "/etc/ssh/sops" ];
+defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml";
+validateSopsFiles = false;
+secrets.kavita = { owner = "kavita";};
+};
+    proxmoxLXC = {
+manageNetwork = true; # manage network myself
+manageHostName = false; # manage hostname myself
+};
+    networking = {
+hostName = "calibre"; # Define your hostname.
+useDHCP = true;
+enableIPv6 = false;
+firewall.enable = false;
+};
+    services.openssh = {
+      enable = true;
+      settings.PermitRootLogin = "yes";
+    };
+    users.users.root.openssh.authorizedKeys.keyFiles = [
+      ../../../secrets/keys/authorized_keys
+    ];

-  system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+    system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change

-  environment.shellAliases = {
-    nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
-  };
+    environment.shellAliases = {
+      nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+    };
+
+    services.kavita = {
+      enable = true;
+      user = "kavita";
+      port = 8080;
+      tokenKeyFile = config.sops.secrets.kavita.path;
+    };


-    # services.calibre-server = {
-    # enable = true;
-    # user = "calibre-server";
-    # auth.enable = true;
-    # auth.userDb = "/srv/calibre/users.sqlite";
-    # libraries = [
-    #   /media/Books/main
-    #   /media/Books/diverse
-    #   /media/Books/language
-    #   /media/Books/science
-    #   /media/Books/sport
-    #   /media/Books/novels
-    # ];
-  # };
-
-  # services.calibre-web = {
-  #   enable = true;
-  #   user = "calibre-web";
-  #   group = "calibre-web";
-  #   listen.port = 8083;
-  #   listen.ip = "0.0.0.0";
-  #   options = {
-  #     enableBookUploading = true;
-  #     enableKepubify = true;
-  #     enableBookConversion = true;
-  #   };
-  # };
-
-  services.kavita = {
-    enable = true;
-    user = "kavita";
-    port = 8080;
-    tokenKeyFile = config.sops.secrets.kavita.path;
-  };
-
-
-}
+  }
--- a/profiles/server1/jellyfin/hardware-configuration.nix
+++ b/profiles/server1/jellyfin/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:

 {
  imports = [ ];
--- a/profiles/server1/jellyfin/nixos.nix
+++ b/profiles/server1/jellyfin/nixos.nix
@ -31,16 +31,16 @@

  nix.settings.experimental-features = ["nix-command" "flakes"];

-  # sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  # sops.defaultSopsFile = "/.dotfiles/secrets/jellyfin/secrets.yaml";
-  # sops.validateSopsFiles = false;
-
-  proxmoxLXC.manageNetwork = true; # manage network myself
-  proxmoxLXC.manageHostName = false; # manage hostname myself
-  networking.hostName = "jellyfin"; # Define your hostname.
-  networking.useDHCP = true;
-  networking.enableIPv6 = false;
-  networking.firewall.enable = false;
+  proxmoxLXC = {
+    manageNetwork = true; # manage network myself
+    manageHostName = false; # manage hostname myself
+  };
+  networking = {
+    hostName = "jellyfin"; # Define your hostname.
+    useDHCP = true;
+    enableIPv6 = false;
+    firewall.enable = false;
+  };
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "yes";
@ -55,18 +55,18 @@
    nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
  };

-   nixpkgs.config.packageOverrides = pkgs: {
-     vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
-   };
-   hardware.graphics = {
-     enable = true;
-     extraPackages = with pkgs; [
-       intel-media-driver # LIBVA_DRIVER_NAME=iHD
-       vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-       vaapiVdpau
-       libvdpau-va-gl
-     ];
-   };
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver # LIBVA_DRIVER_NAME=iHD
+      vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+      vaapiVdpau
+      libvdpau-va-gl
+    ];
+  };

  services.jellyfin = {
    enable = true;
--- a/profiles/server1/matrix/hardware-configuration.nix
+++ b/profiles/server1/matrix/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:

 {
  imports = [ ];
--- a/profiles/server1/matrix/nixos.nix
+++ b/profiles/server1/matrix/nixos.nix
@ -1,25 +1,35 @@
-{ config, pkgs, modulesPath, unstable, sops, ... }: let
+{ config, pkgs, modulesPath, sops, ... }: let
  matrixDomain = "matrix2.swarsel.win";
 in {
  
  
-  services.xserver = {
-    layout = "us";
-    xkbVariant = "altgr-intl";
+  services = {
+    xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+    };
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "yes";
+      listenAddresses = [{
+        port = 22;
+        addr = "0.0.0.0";
+      }];
+    };
  };
+  
  nix.settings.experimental-features = ["nix-command" "flakes"];
-  proxmoxLXC.manageNetwork = true; # manage network myself
-  proxmoxLXC.manageHostName = false; # manage hostname myself
-  networking.useDHCP = true;
-  networking.enableIPv6 = false;
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = "yes";
-    listenAddresses = [{
-      port = 22;
-      addr = "0.0.0.0";
-    }];
+  
+  proxmoxLXC = {
+    manageNetwork = true; # manage network myself
+    manageHostName = false; # manage hostname myself
  };
+  
+  networking = {
+    useDHCP = true;
+    enableIPv6 = false;
+  };
+  
  users.users.root.openssh.authorizedKeys.keyFiles = [
    ../../../secrets/keys/authorized_keys
  ];
@ -38,8 +48,10 @@ in {
    # this module is hence not in the modules list, we add it ourselves
  ];

-  networking.hostName = "matrix"; # Define your hostname.
-  networking.firewall.enable = false;
+  networking = {
+    hostName = "matrix"; # Define your hostname.
+    firewall.enable = false;
+  };
  environment.systemPackages = with pkgs; [
    git
    gnupg
@ -49,85 +61,94 @@ in {
    ffmpeg
  ];

-  sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  sops.defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml";
-  sops.validateSopsFiles = false;
-  sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
-  sops.templates."matrix_user_register.sh".content = ''
-  register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
-  '';
-  sops.templates.matrixshared.owner = "matrix-synapse";
-  sops.templates.matrixshared.content = ''
-  registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
-  '';
-  sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";};
-  sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";};
-  sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";};
-  sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";};
-  sops.templates.mautrixtelegram.owner = "matrix-synapse";
-  sops.templates.mautrixtelegram.content = ''
-  MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
-  MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
-  MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
-  MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
-  '';
-  # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";};
-  # sops.templates.mautrixwhatsapp.owner = "matrix-synapse";
-  # sops.templates.mautrixwhatsapp.content = ''
-  # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
-  # '';
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml";
+    validateSopsFiles = false;
+    secrets = {
+      matrixsharedsecret = {owner="matrix-synapse";};
+      mautrixtelegram_as = {owner="matrix-synapse";};
+      mautrixtelegram_hs = {owner="matrix-synapse";};
+      mautrixtelegram_api_id = {owner="matrix-synapse";};
+      mautrixtelegram_api_hash = {owner="matrix-synapse";};
+    };
+    templates = {
+      "matrix_user_register.sh".content = ''
+          register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
+          '';
+      matrixshared = {
+        owner = "matrix-synapse";
+        content = ''
+          registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
+          '';
+      };
+      mautrixtelegram = {
+        owner = "matrix-synapse";
+        content = ''
+          MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
+          MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
+          MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
+          MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
+          '';
+      };
+    };
+  };

-  services.postgresql.enable = true;
-  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
-    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-    CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
-    CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-    CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
-    CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-    CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
-    CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-  '';
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+            CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+            CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+              TEMPLATE template0
+              LC_COLLATE = "C"
+              LC_CTYPE = "C";
+            CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
+            CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
+              TEMPLATE template0
+              LC_COLLATE = "C"
+              LC_CTYPE = "C";
+            CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
+            CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
+              TEMPLATE template0
+              LC_COLLATE = "C"
+              LC_CTYPE = "C";
+            CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
+            CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
+              TEMPLATE template0
+              LC_COLLATE = "C"
+              LC_CTYPE = "C";
+          '';
+  };

  services.matrix-synapse = {
-    settings.app_service_config_files = [
-      "/var/lib/matrix-synapse/telegram-registration.yaml"
-      "/var/lib/matrix-synapse/whatsapp-registration.yaml"
-      "/var/lib/matrix-synapse/signal-registration.yaml"
-      "/var/lib/matrix-synapse/doublepuppet.yaml"
-    ];
    enable = true;
-    settings.server_name = matrixDomain;
-    settings.public_baseurl = "https://${matrixDomain}";
+    settings = {
+      app_service_config_files = [
+        "/var/lib/matrix-synapse/telegram-registration.yaml"
+        "/var/lib/matrix-synapse/whatsapp-registration.yaml"
+        "/var/lib/matrix-synapse/signal-registration.yaml"
+        "/var/lib/matrix-synapse/doublepuppet.yaml"
+      ];
+      server_name = matrixDomain;
+      public_baseurl = "https://${matrixDomain}";
+      listeners = [
+        { port = 8008;
+          bind_addresses = [ "0.0.0.0" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = [ "client" "federation" ];
+              compress = true;
+            }
+          ];
+        }
+      ];
+    };
    extraConfigFiles = [
      config.sops.templates.matrixshared.path
    ];
-    settings.listeners = [
-      { port = 8008;
-        bind_addresses = [ "0.0.0.0" ];
-        type = "http";
-        tls = false;
-        x_forwarded = true;
-        resources = [
-          {
-            names = [ "client" "federation" ];
-            compress = true;
-          }
-        ];
-      }
-    ];
  };

  services.mautrix-telegram = {
@ -151,9 +172,6 @@ in {
        database = "postgresql:///mautrix-telegram?host=/run/postgresql";
      };
      bridge = {
-        # login_shared_secret_map = {
-          # matrixDomain = "as_token:doublepuppet";
-        # };
        relaybot.authless_portals = true;
        allow_avatar_remove = true;
        allow_contact_info = true;
@ -166,12 +184,6 @@ in {
          "*" = "relaybot";
          "@swarsel:${matrixDomain}" = "admin";
        };
-        # Animated stickers conversion requires additional packages in the
-        # service's path.
-        # If this isn't a fresh installation, clearing the bridge's uploaded
-        # file cache might be necessary (make a database backup first!):
-        # delete from telegram_file where \
-        #   mime_type in ('application/gzip', 'application/octet-stream')
        animated_sticker = {
          target = "gif";
          args = {
@ -191,7 +203,6 @@ in {

  services.mautrix-whatsapp = {
    enable = true;
-    # environmentFile = config.sops.templates.mautrixwhatsapp.path;
    settings = {
      homeserver = {
        address = "http://localhost:8008";
@ -238,7 +249,6 @@ in {

  services.mautrix-signal = {
    enable = true;
-    # environmentFile = config.sops.templates.mautrixwhatsapp.path;
    settings = {
      homeserver = {
        address = "http://localhost:8008";
@ -282,10 +292,10 @@ in {

  systemd.services."restart-bridges" = {
    script = ''
-    systemctl restart mautrix-whatsapp.service
-    systemctl restart mautrix-signal.service
-    systemctl restart mautrix-telegram.service
-    '';
+            systemctl restart mautrix-whatsapp.service
+            systemctl restart mautrix-signal.service
+            systemctl restart mautrix-telegram.service
+            '';
    serviceConfig = {
      Type = "oneshot";
      User = "root";
--- a/profiles/server1/nginx/hardware-configuration.nix
+++ b/profiles/server1/nginx/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:

 {
  imports = [ ];
--- a/profiles/server1/nginx/nixos.nix
+++ b/profiles/server1/nginx/nixos.nix
@ -20,19 +20,25 @@

  nix.settings.experimental-features = ["nix-command" "flakes"];

-  sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  sops.defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml";
-  sops.validateSopsFiles = false;
-  sops.secrets.dnstokenfull = {owner="acme";};
-  sops.templates."certs.secret".content = ''
-  CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
-  '';
-  proxmoxLXC.manageNetwork = true; # manage network myself
-  proxmoxLXC.manageHostName = false; # manage hostname myself
-  networking.hostName = "nginx"; # Define your hostname.
-  networking.useDHCP = true;
-  networking.enableIPv6 = false;
-  networking.firewall.enable = false;
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml";
+    validateSopsFiles = false;
+    secrets.dnstokenfull = {owner="acme";};
+    templates."certs.secret".content = ''
+    CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
+    '';
+  };
+  proxmoxLXC = {
+    manageNetwork = true; # manage network myself
+    manageHostName = false; # manage hostname myself
+  };
+  networking = {
+    hostName = "nginx"; # Define your hostname.
+    useDHCP = true;
+    enableIPv6 = false;
+    firewall.enable = false;
+  };
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "yes";
@ -72,11 +78,11 @@
          "/" = {
            proxyPass = "https://192.168.1.5";
            extraConfig = ''
-            client_max_body_size 0;
-            '';
+              client_max_body_size 0;
+              '';
          };
          # "/push/" = {
-            # proxyPass = "http://192.168.2.5:7867";
+          # proxyPass = "http://192.168.2.5:7867";
          # };
          "/.well-known/carddav" = {
            return = "301 $scheme://$host/remote.php/dav";
@ -95,108 +101,104 @@
          "~ ^(/_matrix|/_synapse/client)" = {
            proxyPass = "http://192.168.1.23:8008";
            extraConfig = ''
-                client_max_body_size 0;
-              '';
+                  client_max_body_size 0;
+                '';
          };
        };
      };


-        "sound.swarsel.win" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://192.168.1.13:4040";
-              proxyWebsockets = true;
-              extraConfig = ''
-                proxy_redirect          http:// https://;
-                proxy_read_timeout      600s;
-                proxy_send_timeout      600s;
-                proxy_buffering         off;
-                proxy_request_buffering off;
-                client_max_body_size    0;
-              '';
-            };
+      "sound.swarsel.win" = {
+        enableACME = true;
+        forceSSL = true;
+        acmeRoot = null;
+        locations = {
+          "/" = {
+            proxyPass = "http://192.168.1.13:4040";
+            proxyWebsockets = true;
+            extraConfig = ''
+                  proxy_redirect          http:// https://;
+                  proxy_read_timeout      600s;
+                  proxy_send_timeout      600s;
+                  proxy_buffering         off;
+                  proxy_request_buffering off;
+                  client_max_body_size    0;
+                '';
          };
        };
-
-        "scan.swarsel.win" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://192.168.1.24:28981";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
-
-        "screen.swarsel.win" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://192.168.1.16:8096";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
-
-        "matrix.swarsel.win" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "~ ^(/_matrix|/_synapse/client)" = {
-              proxyPass = "http://192.168.1.20:8008";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
-
-        "scroll.swarsel.win" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://192.168.1.22:8080";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
-
-        "blog.swarsel.win" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "https://192.168.1.7";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
-
      };
+
+      "scan.swarsel.win" = {
+        enableACME = true;
+        forceSSL = true;
+        acmeRoot = null;
+        locations = {
+          "/" = {
+            proxyPass = "http://192.168.1.24:28981";
+            extraConfig = ''
+                  client_max_body_size 0;
+                '';
+          };
+        };
+      };
+
+      "screen.swarsel.win" = {
+        enableACME = true;
+        forceSSL = true;
+        acmeRoot = null;
+        locations = {
+          "/" = {
+            proxyPass = "http://192.168.1.16:8096";
+            extraConfig = ''
+                  client_max_body_size 0;
+                '';
+          };
+        };
+      };
+
+      "matrix.swarsel.win" = {
+        enableACME = true;
+        forceSSL = true;
+        acmeRoot = null;
+        locations = {
+          "~ ^(/_matrix|/_synapse/client)" = {
+            proxyPass = "http://192.168.1.20:8008";
+            extraConfig = ''
+                  client_max_body_size 0;
+                '';
+          };
+        };
+      };
+
+      "scroll.swarsel.win" = {
+        enableACME = true;
+        forceSSL = true;
+        acmeRoot = null;
+        locations = {
+          "/" = {
+            proxyPass = "http://192.168.1.22:8080";
+            extraConfig = ''
+                  client_max_body_size 0;
+                '';
+          };
+        };
+      };
+
+      "blog.swarsel.win" = {
+        enableACME = true;
+        forceSSL = true;
+        acmeRoot = null;
+        locations = {
+          "/" = {
+            proxyPass = "https://192.168.1.7";
+            extraConfig = ''
+                  client_max_body_size 0;
+                '';
+          };
+        };
+      };
+
    };
-
-
-
-
+  };

 }
--- a/profiles/server1/paperless/hardware-configuration.nix
+++ b/profiles/server1/paperless/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:

 {
  imports = [ ];
--- a/profiles/server1/paperless/nixos.nix
+++ b/profiles/server1/paperless/nixos.nix
@ -9,23 +9,33 @@
  
  
  
-  services.xserver = {
-    layout = "us";
-    xkbVariant = "altgr-intl";
+  services = {
+    xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+    };
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "yes";
+      listenAddresses = [{
+        port = 22;
+        addr = "0.0.0.0";
+      }];
+    };
  };
+  
  nix.settings.experimental-features = ["nix-command" "flakes"];
-  proxmoxLXC.manageNetwork = true; # manage network myself
-  proxmoxLXC.manageHostName = false; # manage hostname myself
-  networking.useDHCP = true;
-  networking.enableIPv6 = false;
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = "yes";
-    listenAddresses = [{
-      port = 22;
-      addr = "0.0.0.0";
-    }];
+  
+  proxmoxLXC = {
+    manageNetwork = true; # manage network myself
+    manageHostName = false; # manage hostname myself
  };
+  
+  networking = {
+    useDHCP = true;
+    enableIPv6 = false;
+  };
+  
  users.users.root.openssh.authorizedKeys.keyFiles = [
    ../../../secrets/keys/authorized_keys
  ];
@ -52,13 +62,17 @@
    ssh-to-age
  ];

-  networking.hostName = "paperless"; # Define your hostname.
-  networking.firewall.enable = false;
+  networking = {
+    hostName = "paperless"; # Define your hostname.
+    firewall.enable = false;
+  };

-  sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  sops.defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
-  sops.validateSopsFiles = false;
-  sops.secrets.admin = { owner = "paperless";};
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
+    validateSopsFiles = false;
+    secrets.admin = { owner = "paperless";};
+  };

  services.paperless = {
    enable = true;
--- a/profiles/server1/sound/hardware-configuration.nix
+++ b/profiles/server1/sound/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:

 {
  imports = [ ];
--- a/profiles/server1/sound/nixos.nix
+++ b/profiles/server1/sound/nixos.nix
@ -9,23 +9,33 @@
  
  
  
-  services.xserver = {
-    layout = "us";
-    xkbVariant = "altgr-intl";
+  services = {
+    xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+    };
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "yes";
+      listenAddresses = [{
+        port = 22;
+        addr = "0.0.0.0";
+      }];
+    };
  };
+  
  nix.settings.experimental-features = ["nix-command" "flakes"];
-  proxmoxLXC.manageNetwork = true; # manage network myself
-  proxmoxLXC.manageHostName = false; # manage hostname myself
-  networking.useDHCP = true;
-  networking.enableIPv6 = false;
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = "yes";
-    listenAddresses = [{
-      port = 22;
-      addr = "0.0.0.0";
-    }];
+  
+  proxmoxLXC = {
+    manageNetwork = true; # manage network myself
+    manageHostName = false; # manage hostname myself
  };
+  
+  networking = {
+    useDHCP = true;
+    enableIPv6 = false;
+  };
+  
  users.users.root.openssh.authorizedKeys.keyFiles = [
    ../../../secrets/keys/authorized_keys
  ];
@ -40,32 +50,38 @@

  proxmoxLXC.privileged = true; # manage hostname myself

-  users.groups.lxc_pshares = {
-    gid = 110000;
-    members = [
-      "navidrome"
-      "mpd"
-      "root"
-    ];
-  };
+  users = {
+    groups = {
+      lxc_pshares = {
+        gid = 110000;
+        members = [
+          "navidrome"
+          "mpd"
+          "root"
+        ];
+      };

-  users.groups.navidrome = {
-    gid = 61593;
-  };
+      navidrome = {
+        gid = 61593;
+      };

-  users.groups.mpd = {};
+      mpd = {};
+    };

-  users.users.navidrome = {
-    isSystemUser = true;
-    uid = 61593;
-    group = "navidrome";
-    extraGroups  = [ "audio" "utmp" ];
-  };
+    users = {
+      navidrome = {
+        isSystemUser = true;
+        uid = 61593;
+        group = "navidrome";
+        extraGroups  = [ "audio" "utmp" ];
+      };

-  users.users.mpd = {
-    isSystemUser = true;
-    group = "mpd";
-    extraGroups  = [ "audio" "utmp" ];
+      mpd = {
+        isSystemUser = true;
+        group = "mpd";
+        extraGroups  = [ "audio" "utmp" ];
+      };
+    };
  };

  sound = {
@ -73,8 +89,10 @@
  };

  hardware.enableAllFirmware = true;
-  networking.hostName = "sound"; # Define your hostname.
-  networking.firewall.enable = false;
+  networking = {
+    hostName = "sound"; # Define your hostname.
+    firewall.enable = false;
+  };
  environment.systemPackages = with pkgs; [
    git
    gnupg
@ -84,10 +102,12 @@
    mpv
  ];

-  sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  sops.defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml";
-  sops.validateSopsFiles = false;
-  sops.secrets.mpdpass = { owner = "mpd";};
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml";
+    validateSopsFiles = false;
+    secrets.mpdpass = { owner = "mpd";};
+  };

  services.navidrome = {
    enable = true;
--- a/profiles/server1/spotifyd/hardware-configuration.nix
+++ b/profiles/server1/spotifyd/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:

 {
  imports = [ ];
--- a/profiles/server1/spotifyd/nixos.nix
+++ b/profiles/server1/spotifyd/nixos.nix
@ -1,4 +1,4 @@
-{ config, pkgs, modulesPath, ... }:
+{ pkgs, modulesPath, ... }:

 {
  
@ -9,23 +9,33 @@
  
  
  
-  services.xserver = {
-    layout = "us";
-    xkbVariant = "altgr-intl";
+  services = {
+    xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+    };
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "yes";
+      listenAddresses = [{
+        port = 22;
+        addr = "0.0.0.0";
+      }];
+    };
  };
+  
  nix.settings.experimental-features = ["nix-command" "flakes"];
-  proxmoxLXC.manageNetwork = true; # manage network myself
-  proxmoxLXC.manageHostName = false; # manage hostname myself
-  networking.useDHCP = true;
-  networking.enableIPv6 = false;
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = "yes";
-    listenAddresses = [{
-      port = 22;
-      addr = "0.0.0.0";
-    }];
+  
+  proxmoxLXC = {
+    manageNetwork = true; # manage network myself
+    manageHostName = false; # manage hostname myself
  };
+  
+  networking = {
+    useDHCP = true;
+    enableIPv6 = false;
+  };
+  
  users.users.root.openssh.authorizedKeys.keyFiles = [
    ../../../secrets/keys/authorized_keys
  ];
@ -56,18 +66,16 @@
  };

  hardware.enableAllFirmware = true;
-  networking.hostName = "spotifyd"; # Define your hostname.
-  networking.firewall.enable = false;
+  networking = {
+    hostName = "spotifyd"; # Define your hostname.
+    firewall.enable = false;
+  };
  environment.systemPackages = with pkgs; [
    git
    gnupg
    ssh-to-age
  ];

-  # sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-  # sops.defaultSopsFile = "/.dotfiles/secrets/spotifyd/secrets.yaml";
-  # sops.validateSopsFiles = false;
-
  services.spotifyd = {
    enable = true;
    settings = {
--- a/profiles/server1/transmission/hardware-configuration.nix
+++ b/profiles/server1/transmission/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:

 {
  imports = [ ];
--- a/profiles/server1/transmission/nixos.nix
+++ b/profiles/server1/transmission/nixos.nix
@ -1,358 +1,270 @@
 { config, pkgs, modulesPath, ... }:

-            {
-              imports = [
-                (modulesPath + "/virtualisation/proxmox-lxc.nix")
-                ./hardware-configuration.nix
-                # ./openvpn.nix #this file holds the vpn login data
-              ];
+{
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    ./hardware-configuration.nix
+    # ./openvpn.nix #this file holds the vpn login data
+  ];

-              environment.systemPackages = with pkgs; [
-                git
-                gnupg
-                ssh-to-age
-                openvpn
-                jq
-                iptables
-                busybox
-                wireguard-tools
-              ];
+  environment.systemPackages = with pkgs; [
+    git
+    gnupg
+    ssh-to-age
+    openvpn
+    jq
+    iptables
+    busybox
+    wireguard-tools
+  ];

-              users.groups.lxc_shares = {
-                gid = 10000;
-                members = [
-                  "vpn"
-                  "radarr"
-                  "sonarr"
-                  "lidarr"
-                  "readarr"
-                  "root"
-                ];
-              };
-              users.groups.vpn = {};
+  users.groups.lxc_shares = {
+    gid = 10000;
+    members = [
+      "vpn"
+      "radarr"
+      "sonarr"
+      "lidarr"
+      "readarr"
+      "root"
+    ];
+  };
+  users.groups.vpn = {};

-              users.users.vpn = {
-                isNormalUser = true;
-                group = "vpn";
-                home = "/home/vpn";
-              };
+  users.users.vpn = {
+    isNormalUser = true;
+    group = "vpn";
+    home = "/home/vpn";
+  };

-              services.xserver = {
-                layout = "us";
-                xkbVariant = "altgr-intl";
-              };
+  services.xserver = {
+    layout = "us";
+    xkbVariant = "altgr-intl";
+  };

-              nix.settings.experimental-features = ["nix-command" "flakes"];
+  nix.settings.experimental-features = ["nix-command" "flakes"];

-              sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
-              sops.defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
-              sops.validateSopsFiles = false;
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
+    validateSopsFiles = false;
+  };

-              boot.kernelModules = [ "tun" ];
-              proxmoxLXC.manageNetwork = true; # manage network myself
-              proxmoxLXC.manageHostName = false; # manage hostname myself
-              networking.hostName = "transmission"; # Define your hostname.
-              networking.useDHCP = true;
-              networking.enableIPv6 = false;
-              networking.firewall.enable = false;
+  boot.kernelModules = [ "tun" ];
+  proxmoxLXC = {
+    manageNetwork = true; # manage network myself
+    manageHostName = false; # manage hostname myself
+  };
+  networking = {
+    hostName = "transmission"; # Define your hostname.
+    useDHCP = true;
+    enableIPv6 = false;
+    firewall.enable = false;
+  };

-              services.radarr = {
-                enable = true;
-              };
+  services = {
+    radarr = {
+      enable = true;
+    };
+    readarr = {
+      enable = true;
+    };
+    sonarr = {
+      enable = true;
+    };
+    lidarr = {
+      enable = true;
+    };
+    prowlarr = {
+      enable = true;
+    };
+  };

-              services.readarr = {
-                enable = true;
-              };
-              services.sonarr = {
-                enable = true;
-              };
-              services.lidarr = {
-                enable = true;
-              };
-              services.prowlarr = {
-                enable = true;
-              };
+  networking.iproute2 = {
+    enable = true;
+    rttablesExtraConfig = ''
+                    200     vpn
+                    '';
+  };
+  environment.etc = {
+    "openvpn/iptables.sh" =
+      { source = ../../../scripts/server1/iptables.sh;
+        mode = "0755";
+      };
+    "openvpn/update-resolv-conf" =
+      { source = ../../../scripts/server1/update-resolv-conf;
+        mode = "0755";
+      };
+    "openvpn/routing.sh" =
+      { source = ../../../scripts/server1/routing.sh;
+        mode = "0755";
+      };
+    "openvpn/ca.rsa.2048.crt" =
+      { source = ../../../secrets/certs/ca.rsa.2048.crt;
+        mode = "0644";
+      };
+    "openvpn/crl.rsa.2048.pem" =
+      { source = ../../../secrets/certs/crl.rsa.2048.pem;
+        mode = "0644";
+      };
+  };
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+    listenAddresses = [{
+      port = 22;
+      addr = "0.0.0.0";
+    }];
+  };
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    ../../../secrets/keys/authorized_keys
+  ];

-              # networking.interfaces = {
-                  # lo = {
-                    # useDHCP = false;
-                    # ipv4.addresses = [
-                      # { address = "127.0.0.1"; prefixLength = 8; }
-                    # ];
-                  # };
-              #
-                  # eth0 = {
-                    # useDHCP = true;
-                  # };
-                # };
+  system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+  # users.users.root.password = "TEMPLATE";

-              # networking.firewall.extraCommands = ''
-              # sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
-              # '';
-              networking.iproute2 = {
-                enable = true;
-                rttablesExtraConfig = ''
-                200     vpn
-                '';
-              };
-              # boot.kernel.sysctl = {
-              #   "net.ipv4.conf.all.rp_filter" = 2;
-              #   "net.ipv4.conf.default.rp_filter" = 2;
-              #   "net.ipv4.conf.eth0.rp_filter" = 2;
-              # };
-              environment.etc = {
-                "openvpn/iptables.sh" =
-                  { source = ../../../scripts/server1/iptables.sh;
-                    mode = "0755";
-                  };
-                "openvpn/update-resolv-conf" =
-                  { source = ../../../scripts/server1/update-resolv-conf;
-                    mode = "0755";
-                  };
-                "openvpn/routing.sh" =
-                  { source = ../../../scripts/server1/routing.sh;
-                    mode = "0755";
-                  };
-                "openvpn/ca.rsa.2048.crt" =
-                  { source = ../../../secrets/certs/ca.rsa.2048.crt;
-                    mode = "0644";
-                  };
-                "openvpn/crl.rsa.2048.pem" =
-                  { source = ../../../secrets/certs/crl.rsa.2048.pem;
-                    mode = "0644";
-                  };
-              };
-              services.openssh = {
-                enable = true;
-                settings.PermitRootLogin = "yes";
-                listenAddresses = [{
-                                   port = 22;
-                                   addr = "0.0.0.0";
-                                 }];
-              };
-              users.users.root.openssh.authorizedKeys.keyFiles = [
-                ../../../secrets/keys/authorized_keys
-              ];
+  environment.shellAliases = {
+    nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+  };

-              system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-              # users.users.root.password = "TEMPLATE";
-
-              environment.shellAliases = {
-                nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
-              };
-
-              sops.secrets.vpnuser = {};
-              sops.secrets.rpcuser = {owner="vpn";};
-              sops.secrets.vpnpass = {};
-              sops.secrets.rpcpass = {owner="vpn";};
-              sops.secrets.vpnprot = {};
-              sops.secrets.vpnloc = {};
-              # sops.secrets.crlpem = {};
-              # sops.secrets.capem = {};
-              sops.templates."transmission-rpc".owner = "vpn";
-              sops.templates."transmission-rpc".content = builtins.toJSON {
-                rpc-username = config.sops.placeholder.rpcuser;
-                rpc-password = config.sops.placeholder.rpcpass;
-              };
-
-              sops.templates.pia.content = ''
-              ${config.sops.placeholder.vpnuser}
-              ${config.sops.placeholder.vpnpass}
-              '';
-
-              sops.templates.vpn.content = ''
-                client
-                dev tun
-                proto ${config.sops.placeholder.vpnprot}
-                remote ${config.sops.placeholder.vpnloc}
-                resolv-retry infinite
-                nobind
-                persist-key
-                persist-tun
-                cipher aes-128-cbc
-                auth sha1
-                tls-client
-                remote-cert-tls server
-
-                auth-user-pass ${config.sops.templates.pia.path}
-                compress
-                verb 1
-                reneg-sec 0
-
-                crl-verify /etc/openvpn/crl.rsa.2048.pem
-                ca /etc/openvpn/ca.rsa.2048.crt
-
-                disable-occ
-                dhcp-option DNS 209.222.18.222
-                dhcp-option DNS 209.222.18.218
-                dhcp-option DNS 8.8.8.8
-                route-noexec
-              '';
-
-              # services.pia.enable = true;
-              # services.pia.authUserPass.username = "na";
-              # services.pia.authUserPass.password = "na";
-
-
-            #     systemd.services.openvpn-vpn = {
-            # wantedBy = [ "multi-user.target" ];
-            # after = [ "network.target" ];
-            # description = "OpenVPN connection to pia";
-            # serviceConfig = {
-            #   Type = "forking";
-            #   RuntimeDirectory="openvpn";
-            #   PrivateTmp=true;
-            #   KillMode="mixed";
-            #   ExecStart = ''@${pkgs.openvpn}/sbin/openvpn openvpn --daemon ovpn-pia --status /run/openvpn/pia.status 10 --cd /etc/openvpn --script-security 2 --config ${config.sops.templates.vpn.path} --writepid /run/openvpn/pia.pid'';
-            #   PIDFile=''/run/openvpn/pia.pid'';
-            #   ExecReload=''/run/current-system/sw/bin/kill -HUP $MAINPID'';
-            #   WorkingDirectory="/etc/openvpn";
-            #   Restart="on-failure";
-            #   RestartSec=30;
-            #   ProtectSystem="yes";
-            #   DeviceAllow=["/dev/null rw" "/dev/net/tun rw"];
-            # };
-         # };
-          services.openvpn.servers = {
-            pia = {
-              autoStart = false;
-              updateResolvConf = true;
-#               up = ''
-# export INTERFACE="tun0"
-# export VPNUSER="vpn"
-# export LOCALIP="192.168.1.191"
-# export NETIF="eth0"
-# export VPNIF="tun0"
-# export GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
-# iptables -F -t nat
-# iptables -F -t mangle
-# iptables -F -t filter
-# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
-# iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
-# iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
-# iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
-# iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
-# iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
-# iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-# iptables -A INPUT -i $INTERFACE -j REJECT
-# iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
-# iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
-# iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
-# iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-# iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
-# if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
-# ip rule add from all fwmark 0x1 lookup $VPNUSER
-# fi
-# ip route replace default via $GATEWAYIP table $VPNUSER
-# ip route append default via 127.0.0.1 dev lo table $VPNUSER
-# ip route flush cache
-              # '';
-              # down = "bash /etc/openvpn/update-resolv-conf";
-              # these are outsourced to a local file, I am not sure if it can be done with sops-nix
-              # authUserPass = {
-                # username = "TODO:secrets";
-                # password = "TODO:secrets";
-              # };
-              config = "config ${config.sops.templates.vpn.path}";
-            };
-          };
-
-        services.transmission = {
-          enable = true;
-          credentialsFile = config.sops.templates."transmission-rpc".path;
-          user = "vpn";
-          group = "lxc_shares";
-          settings = {
-
-          alt-speed-down= 8000;
-          alt-speed-enabled= false;
-          alt-speed-time-begin= 0;
-          alt-speed-time-day= 127;
-          alt-speed-time-enabled= true;
-          alt-speed-time-end= 360;
-          alt-speed-up= 2000;
-          bind-address-ipv4= "0.0.0.0";
-          bind-address-ipv6= "::";
-          blocklist-enabled= false;
-          blocklist-url= "http://www.example.com/blocklist";
-          cache-size-mb= 4;
-          dht-enabled= false;
-          download-dir= "/media/Eternor/New";
-          download-limit= 100;
-          download-limit-enabled= 0;
-          download-queue-enabled= true;
-          download-queue-size= 5;
-          encryption= 2;
-          idle-seeding-limit= 30;
-          idle-seeding-limit-enabled= false;
-          incomplete-dir= "/var/lib/transmission-daemon/Downloads";
-          incomplete-dir-enabled= false;
-          lpd-enabled= false;
-          max-peers-global= 200;
-          message-level= 1;
-          peer-congestion-algorithm= "";
-          peer-id-ttl-hours= 6;
-          peer-limit-global= 100;
-          peer-limit-per-torrent= 40;
-          peer-port= 22371;
-          peer-port-random-high= 65535;
-          peer-port-random-low= 49152;
-          peer-port-random-on-start= false;
-          peer-socket-tos= "default";
-          pex-enabled= false;
-          port-forwarding-enabled= false;
-          preallocation= 1;
-          prefetch-enabled= true;
-          queue-stalled-enabled= true;
-          queue-stalled-minutes= 30;
-          ratio-limit= 2;
-          ratio-limit-enabled= false;
-          rename-partial-files= true;
-          rpc-authentication-required= true;
-          rpc-bind-address= "0.0.0.0";
-          rpc-enabled= true;
-          rpc-host-whitelist= "";
-          rpc-host-whitelist-enabled= true;
-          rpc-port= 9091;
-          rpc-url= "/transmission/";
-          rpc-whitelist= "127.0.0.1,192.168.3.2";
-          rpc-whitelist-enabled= true;
-          scrape-paused-torrents-enabled= true;
-          script-torrent-done-enabled= false;
-          seed-queue-enabled= false;
-          seed-queue-size= 10;
-          speed-limit-down= 6000;
-          speed-limit-down-enabled= true;
-          speed-limit-up= 500;
-          speed-limit-up-enabled= true;
-          start-added-torrents= true;
-          trash-original-torrent-files= false;
-          umask= 2;
-          upload-limit= 100;
-          upload-limit-enabled= 0;
-          upload-slots-per-torrent= 14;
-          utp-enabled= false;
-          };
+  sops = {
+    templates = {
+      "transmission-rpc" = {
+        owner = "vpn";
+        content = builtins.toJSON {
+          rpc-username = config.sops.placeholder.rpcuser;
+          rpc-password = config.sops.placeholder.rpcpass;
        };
+      };

-      # services.nginx = {
-      #       enable = true;
-      #       virtualHosts = {
+      pia.content = ''
+                  ${config.sops.placeholder.vpnuser}
+                  ${config.sops.placeholder.vpnpass}
+                  '';

-      #         "192.168.1.192" = {
-      #           locations = {
-      #             "/transmission" = {
-      #               proxyPass = "http://127.0.0.1:9091";
-      #               extraConfig = ''
-      #               proxy_set_header Host $host;
-      #               proxy_set_header X-Real-IP $remote_addr;
-      #               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      #               '';
-      #             };
-      #           };
-      #         };
-      #       };
-      # };
+      vpn.content = ''
+                    client
+                    dev tun
+                    proto ${config.sops.placeholder.vpnprot}
+                    remote ${config.sops.placeholder.vpnloc}
+                    resolv-retry infinite
+                    nobind
+                    persist-key
+                    persist-tun
+                    cipher aes-128-cbc
+                    auth sha1
+                    tls-client
+                    remote-cert-tls server
+
+                    auth-user-pass ${config.sops.templates.pia.path}
+                    compress
+                    verb 1
+                    reneg-sec 0
+
+                    crl-verify /etc/openvpn/crl.rsa.2048.pem
+                    ca /etc/openvpn/ca.rsa.2048.crt
+
+                    disable-occ
+                    dhcp-option DNS 209.222.18.222
+                    dhcp-option DNS 209.222.18.218
+                    dhcp-option DNS 8.8.8.8
+                    route-noexec
+                  '';
+    };
+    secrets = {
+      vpnuser = {};
+      rpcuser = {owner="vpn";};
+      vpnpass = {};
+      rpcpass = {owner="vpn";};
+      vpnprot = {};
+      vpnloc = {};
+    };
+  };
+  services.openvpn.servers = {
+    pia = {
+      autoStart = false;
+      updateResolvConf = true;
+      config = "config ${config.sops.templates.vpn.path}";
+    };
+  };
+
+  services.transmission = {
+    enable = true;
+    credentialsFile = config.sops.templates."transmission-rpc".path;
+    user = "vpn";
+    group = "lxc_shares";
+    settings = {
+
+      alt-speed-down= 8000;
+      alt-speed-enabled= false;
+      alt-speed-time-begin= 0;
+      alt-speed-time-day= 127;
+      alt-speed-time-enabled= true;
+      alt-speed-time-end= 360;
+      alt-speed-up= 2000;
+      bind-address-ipv4= "0.0.0.0";
+      bind-address-ipv6= "::";
+      blocklist-enabled= false;
+      blocklist-url= "http://www.example.com/blocklist";
+      cache-size-mb= 4;
+      dht-enabled= false;
+      download-dir= "/media/Eternor/New";
+      download-limit= 100;
+      download-limit-enabled= 0;
+      download-queue-enabled= true;
+      download-queue-size= 5;
+      encryption= 2;
+      idle-seeding-limit= 30;
+      idle-seeding-limit-enabled= false;
+      incomplete-dir= "/var/lib/transmission-daemon/Downloads";
+      incomplete-dir-enabled= false;
+      lpd-enabled= false;
+      max-peers-global= 200;
+      message-level= 1;
+      peer-congestion-algorithm= "";
+      peer-id-ttl-hours= 6;
+      peer-limit-global= 100;
+      peer-limit-per-torrent= 40;
+      peer-port= 22371;
+      peer-port-random-high= 65535;
+      peer-port-random-low= 49152;
+      peer-port-random-on-start= false;
+      peer-socket-tos= "default";
+      pex-enabled= false;
+      port-forwarding-enabled= false;
+      preallocation= 1;
+      prefetch-enabled= true;
+      queue-stalled-enabled= true;
+      queue-stalled-minutes= 30;
+      ratio-limit= 2;
+      ratio-limit-enabled= false;
+      rename-partial-files= true;
+      rpc-authentication-required= true;
+      rpc-bind-address= "0.0.0.0";
+      rpc-enabled= true;
+      rpc-host-whitelist= "";
+      rpc-host-whitelist-enabled= true;
+      rpc-port= 9091;
+      rpc-url= "/transmission/";
+      rpc-whitelist= "127.0.0.1,192.168.3.2";
+      rpc-whitelist-enabled= true;
+      scrape-paused-torrents-enabled= true;
+      script-torrent-done-enabled= false;
+      seed-queue-enabled= false;
+      seed-queue-size= 10;
+      speed-limit-down= 6000;
+      speed-limit-down-enabled= true;
+      speed-limit-up= 500;
+      speed-limit-up-enabled= true;
+      start-added-torrents= true;
+      trash-original-torrent-files= false;
+      umask= 2;
+      upload-limit= 100;
+      upload-limit-enabled= 0;
+      upload-slots-per-torrent= 14;
+      utp-enabled= false;
+    };
+  };


-            }
+}
--- a/profiles/threed/hardware-configuration.nix
+++ b/profiles/threed/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:

 {
  imports =
--- a/profiles/threed/home.nix
+++ b/profiles/threed/home.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, fetchFromGitHub, ... }:
+{ config, pkgs, ... }:

 {

@ -76,7 +76,7 @@
      };

      keybindings = let
-        modifier = config.wayland.windowManager.sway.config.modifier;
+        inherit (config.wayland.windowManager.sway.config) modifier;
      in {
        "${modifier}+F2"  = "exec brightnessctl set +5%";
        "${modifier}+F1"= "exec brightnessctl set 5%-";
--- a/profiles/threed/nixos.nix
+++ b/profiles/threed/nixos.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ lib, pkgs, ... }:

 {
  
@ -71,7 +71,7 @@
      };
  
      monospace = {
-        package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
+        package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; };
        name = "FiraCode Nerd Font Mono";
      };
  
--- a/profiles/winters/home.nix
+++ b/profiles/winters/home.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, fetchFromGitHub, ... }:
+{ config, pkgs, ... }:

 {

@ -97,11 +97,11 @@
      ];


-      keybindings = let
-        modifier = config.wayland.windowManager.sway.config.modifier;
-      in {
+      # keybindings = let
+      # inherit (config.wayland.windowManager.sway.config) modifier;
+      # in {

-      };
+      # };

      startup = [
        
--- a/profiles/winters/nixos.nix
+++ b/profiles/winters/nixos.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ pkgs, ... }:

 {

@ -88,7 +88,7 @@
      };
  
      monospace = {
-        package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
+        package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; };
        name = "FiraCode Nerd Font Mono";
      };
  
--- a/programs/emacs/early-init.el
+++ b/programs/emacs/early-init.el
@ -38,23 +38,23 @@
              right-margin-width 1)

 (setq-default default-frame-alist
-      (append
-       (list
-        '(undecorated . t) ; no title bar, borders etc.
-        '(background-color . "#1D252C") ; load doom-citylight colors to avoid white flash
-        '(foreground-color . "#A0B3C5") ; load doom-citylight colors to avoid white flash
-        '(vertical-scroll-bars . nil)
-        '(horizontal-scroll-bars . nil)
-        '(internal-border-width . 5)
-        '(tool-bar-lines . 0)
-        '(menu-bar-lines . 0))))
+              (append
+               (list
+                '(undecorated . t) ; no title bar, borders etc.
+                '(background-color . "#1D252C") ; load doom-citylight colors to avoid white flash
+                '(foreground-color . "#A0B3C5") ; load doom-citylight colors to avoid white flash
+                '(vertical-scroll-bars . nil)
+                '(horizontal-scroll-bars . nil)
+                '(internal-border-width . 5)
+                '(tool-bar-lines . 0)
+                '(menu-bar-lines . 0))))

 (add-hook
-    'after-make-frame-functions
-    (lambda (frame)
-      (with-selected-frame frame
-        (when (display-graphic-p)
-          (define-key input-decode-map (kbd "C-i") [DUMMY-i])
-          (define-key input-decode-map (kbd "C-[") [DUMMY-lsb])
-          (define-key input-decode-map (kbd "C-m") [DUMMY-m])
-          ))))
+ 'after-make-frame-functions
+ (lambda (frame)
+   (with-selected-frame frame
+     (when (display-graphic-p)
+       (define-key input-decode-map (kbd "C-i") [DUMMY-i])
+       (define-key input-decode-map (kbd "C-[") [DUMMY-lsb])
+       (define-key input-decode-map (kbd "C-m") [DUMMY-m])
+       ))))
--- a/programs/emacs/init.el
+++ b/programs/emacs/init.el
@ -57,19 +57,19 @@
    (cons beg end)))

 (defun crux-duplicate-current-line-or-region (arg)
-    "Duplicates the current line or region ARG times.
+  "Duplicates the current line or region ARG times.
  If there's no region, the current line will be duplicated.  However, if
  there's a region, all lines that region covers will be duplicated."
-    (interactive "p")
-    (pcase-let* ((origin (point))
-                 (`(,beg . ,end) (crux-get-positions-of-line-or-region))
-                 (region (buffer-substring-no-properties beg end)))
-      (dotimes (_i arg)
-        (goto-char end)
-        (newline)
-        (insert region)
-        (setq end (point)))
-      (goto-char (+ origin (* (length region) arg) arg))))
+  (interactive "p")
+  (pcase-let* ((origin (point))
+               (`(,beg . ,end) (crux-get-positions-of-line-or-region))
+               (region (buffer-substring-no-properties beg end)))
+    (dotimes (_i arg)
+      (goto-char end)
+      (newline)
+      (insert region)
+      (setq end (point)))
+    (goto-char (+ origin (* (length region) arg) arg))))

 (defun crux-duplicate-and-comment-current-line-or-region (arg)
  "Duplicates and comments the current line or region ARG times.
@ -219,22 +219,22 @@ create a new one."
  (evil-next-visual-line))

 ;; run the python inferior shell immediately upon entering a python buffer
-    ;; (add-hook 'python-mode-hook 'swarsel/run-python)
+;; (add-hook 'python-mode-hook 'swarsel/run-python)

-  ;; (defun swarsel/run-python ()
-  ;;   (save-selected-window
-  ;;     (switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command))))))
+;; (defun swarsel/run-python ()
+;;   (save-selected-window
+;;     (switch-to-buffer-other-window (process-buffer (python-shell-get-or-create-process (python-shell-parse-command))))))

 ;; reload python shell automatically
 (defun my-python-shell-run ()
  (interactive)
  (when (get-buffer-process "*Python*")
-     (set-process-query-on-exit-flag (get-buffer-process "*Python*") nil)
-     (kill-process (get-buffer-process "*Python*"))
-     ;; Uncomment If you want to clean the buffer too.
-     ;;(kill-buffer "*Python*")
-     ;; Not so fast!
-     (sleep-for 0.5))
+    (set-process-query-on-exit-flag (get-buffer-process "*Python*") nil)
+    (kill-process (get-buffer-process "*Python*"))
+    ;; Uncomment If you want to clean the buffer too.
+    ;;(kill-buffer "*Python*")
+    ;; Not so fast!
+    (sleep-for 0.5))
  (run-python (python-shell-parse-command) nil nil)
  (python-shell-send-buffer)
  ;; Pop new window only if shell isnt visible
@ -533,13 +533,13 @@ create a new one."
  (setq forge-add-default-bindings nil))

 ;; enables 2-char inline search
-  (use-package evil-snipe
-    :after evil
-    :demand
-    :config
-    (evil-snipe-mode +1)
-    ;; replace 1-char searches (f&t) with this better UI
-    (evil-snipe-override-mode +1))
+(use-package evil-snipe
+  :after evil
+  :demand
+  :config
+  (evil-snipe-mode +1)
+  ;; replace 1-char searches (f&t) with this better UI
+  (evil-snipe-override-mode +1))

 ;; for parentheses-heavy languades modify evil commands to keep balance of parantheses
 (use-package evil-cleverparens)
@ -770,7 +770,7 @@ create a new one."
  :hook (org-mode . swarsel/org-mode-setup)
  :bind
  (("C-<tab>" . org-fold-outer)
-  ("C-c s" . org-store-link))
+   ("C-c s" . org-store-link))
  :config
  (setq org-ellipsis " ⤵"
        org-link-descriptive t
@ -914,7 +914,7 @@ create a new one."
 (setq TeX-auto-save t)
 (setq TeX-save-query nil)
 (setq TeX-parse-self t)
-  (setq-default TeX-master nil)
+(setq-default TeX-master nil)

 (add-hook 'LaTeX-mode-hook 'visual-line-mode)
 (add-hook 'LaTeX-mode-hook 'flyspell-mode)
@ -923,7 +923,7 @@ create a new one."
 (setq LaTeX-electric-left-right-brace t)
 (setq font-latex-fontify-script nil)
 (setq TeX-electric-sub-and-superscript t)
-  ;; (setq reftex-plug-into-AUCTeX t)
+;; (setq reftex-plug-into-AUCTeX t)

 (use-package org-download
  :after org
@ -951,106 +951,106 @@ create a new one."
  :hook (org-mode . org-modern-mode))

 (use-package org-present
-    :bind (:map org-present-mode-keymap
-           ("q" . org-present-quit)
-           ("<left>" . swarsel/org-present-prev)
-           ("<up>" . 'ignore)
-           ("<down>" . 'ignore)
-           ("<right>" . swarsel/org-present-next))
-    :hook ((org-present-mode . swarsel/org-present-start)
-           (org-present-mode-quit . swarsel/org-present-end))
-    )
+  :bind (:map org-present-mode-keymap
+              ("q" . org-present-quit)
+              ("<left>" . swarsel/org-present-prev)
+              ("<up>" . 'ignore)
+              ("<down>" . 'ignore)
+              ("<right>" . swarsel/org-present-next))
+  :hook ((org-present-mode . swarsel/org-present-start)
+         (org-present-mode-quit . swarsel/org-present-end))
+  )


-    (use-package hide-mode-line)
+(use-package hide-mode-line)

-    (defun swarsel/org-present-start ()
-      (setq-local face-remapping-alist '((default (:height 1.5) variable-pitch)
-                                         (header-line (:height 4.0) variable-pitch)
-                                         (org-document-title (:height 1.75) org-document-title)
-                                         (org-code (:height 1.55) org-code)
-                                         (org-verbatim (:height 1.55) org-verbatim)
-                                         (org-block (:height 1.25) org-block)
-                                         (org-block-begin-line (:height 0.7) org-block)
-                                         ))
-      (dolist (face '((org-level-1 . 1.1)
-                                                    (org-level-2 . 1.2)
-                                                    (org-level-3 . 1.2)
-                                                    (org-level-4 . 1.2)
-                                                    (org-level-5 . 1.2)
-                                                    (org-level-6 . 1.2)
-                                                    (org-level-7 . 1.2)
-                                                    (org-level-8 . 1.2)))
-                                      (set-face-attribute (car face) nil :font swarsel-alt-font :weight 'medium :height (cdr face)))
+(defun swarsel/org-present-start ()
+  (setq-local face-remapping-alist '((default (:height 1.5) variable-pitch)
+                                     (header-line (:height 4.0) variable-pitch)
+                                     (org-document-title (:height 1.75) org-document-title)
+                                     (org-code (:height 1.55) org-code)
+                                     (org-verbatim (:height 1.55) org-verbatim)
+                                     (org-block (:height 1.25) org-block)
+                                     (org-block-begin-line (:height 0.7) org-block)
+                                     ))
+  (dolist (face '((org-level-1 . 1.1)
+                  (org-level-2 . 1.2)
+                  (org-level-3 . 1.2)
+                  (org-level-4 . 1.2)
+                  (org-level-5 . 1.2)
+                  (org-level-6 . 1.2)
+                  (org-level-7 . 1.2)
+                  (org-level-8 . 1.2)))
+    (set-face-attribute (car face) nil :font swarsel-alt-font :weight 'medium :height (cdr face)))

-      (setq header-line-format " ")
-      (setq visual-fill-column-width 90)
-      (setq indicate-buffer-boundaries nil)
-      (setq inhibit-message nil)
-      (breadcrumb-mode 0)
-      (org-display-inline-images)
-      (global-hl-line-mode 0)
-      (display-line-numbers-mode 0)
-      (org-modern-mode 0)
-      (evil-insert-state 1)
-      (beginning-of-buffer)
-      (org-present-read-only)
-      ;; (org-present-hide-cursor)
-      (swarsel/org-present-slide)
-      )
+  (setq header-line-format " ")
+  (setq visual-fill-column-width 90)
+  (setq indicate-buffer-boundaries nil)
+  (setq inhibit-message nil)
+  (breadcrumb-mode 0)
+  (org-display-inline-images)
+  (global-hl-line-mode 0)
+  (display-line-numbers-mode 0)
+  (org-modern-mode 0)
+  (evil-insert-state 1)
+  (beginning-of-buffer)
+  (org-present-read-only)
+  ;; (org-present-hide-cursor)
+  (swarsel/org-present-slide)
+  )

-    (defun swarsel/org-present-end ()
-           (setq-local face-remapping-alist '((default variable-pitch default)))
-           (dolist (face '((org-level-1 . 1.1)
-                                                    (org-level-2 . 0.9)
-                                                    (org-level-3 . 0.9)
-                                                    (org-level-4 . 0.9)
-                                                    (org-level-5 . 0.9)
-                                                    (org-level-6 . 0.9)
-                                                    (org-level-7 . 0.9)
-                                                    (org-level-8 . 0.9)))
-                                      (set-face-attribute (car face) nil :font swarsel-alt-font :weight 'medium :height (cdr face)))
-           (setq header-line-format nil)
-           (setq visual-fill-column-width 150)
-           (setq indicate-buffer-boundaries t)
-           (setq inhibit-message nil)
-           (breadcrumb-mode 1)
-           (global-hl-line-mode 1)
-           (display-line-numbers-mode 1)
-           (org-remove-inline-images)
-           (org-modern-mode 1)
-           (evil-normal-state 1)
-           ;; (org-present-show-cursor)
-           )
+(defun swarsel/org-present-end ()
+  (setq-local face-remapping-alist '((default variable-pitch default)))
+  (dolist (face '((org-level-1 . 1.1)
+                  (org-level-2 . 0.9)
+                  (org-level-3 . 0.9)
+                  (org-level-4 . 0.9)
+                  (org-level-5 . 0.9)
+                  (org-level-6 . 0.9)
+                  (org-level-7 . 0.9)
+                  (org-level-8 . 0.9)))
+    (set-face-attribute (car face) nil :font swarsel-alt-font :weight 'medium :height (cdr face)))
+  (setq header-line-format nil)
+  (setq visual-fill-column-width 150)
+  (setq indicate-buffer-boundaries t)
+  (setq inhibit-message nil)
+  (breadcrumb-mode 1)
+  (global-hl-line-mode 1)
+  (display-line-numbers-mode 1)
+  (org-remove-inline-images)
+  (org-modern-mode 1)
+  (evil-normal-state 1)
+  ;; (org-present-show-cursor)
+  )

-  (defun swarsel/org-present-slide ()
-    (org-overview)
-    (org-show-entry)
-    (org-show-children)
-      )
+(defun swarsel/org-present-slide ()
+  (org-overview)
+  (org-show-entry)
+  (org-show-children)
+  )

-  (defun swarsel/org-present-prev ()
-    (interactive)
-    (org-present-prev)
-    (swarsel/org-present-slide))
+(defun swarsel/org-present-prev ()
+  (interactive)
+  (org-present-prev)
+  (swarsel/org-present-slide))

-  (defun swarsel/org-present-next ()
-    (interactive)
-    (unless (eobp)
+(defun swarsel/org-present-next ()
+  (interactive)
+  (unless (eobp)
    (org-next-visible-heading 1)
    (org-fold-show-entry))
-    (when (eobp)
+  (when (eobp)
    (org-present-next)
    (swarsel/org-present-slide)
    ))

 (defun clojure-leave-clojure-mode-function ()
- )
+  )

 (add-hook 'buffer-list-update-hook #'clojure-leave-clojure-mode-function)
-    (add-hook 'org-present-mode-hook 'swarsel/org-present-start)
-    (add-hook 'org-present-mode-quit-hook 'swarsel/org-present-end)
-    (add-hook 'org-present-after-navigate-functions 'swarsel/org-present-slide)
+(add-hook 'org-present-mode-hook 'swarsel/org-present-start)
+(add-hook 'org-present-mode-quit-hook 'swarsel/org-present-end)
+(add-hook 'org-present-after-navigate-functions 'swarsel/org-present-slide)

 (use-package nix-mode
  :mode "\\.nix\\'")
@ -1129,21 +1129,21 @@ create a new one."
 (use-package devdocs)

 (add-hook 'python-mode-hook
-        (lambda () (setq-local devdocs-current-docs '("python~3.12" "numpy~1.23" "matplotlib~3.7" "pandas~1"))))
+          (lambda () (setq-local devdocs-current-docs '("python~3.12" "numpy~1.23" "matplotlib~3.7" "pandas~1"))))
 (add-hook 'python-ts-mode-hook
-        (lambda () (setq-local devdocs-current-docs '("python~3.12" "numpy~1.23" "matplotlib~3.7" "pandas~1"))))
+          (lambda () (setq-local devdocs-current-docs '("python~3.12" "numpy~1.23" "matplotlib~3.7" "pandas~1"))))

 (add-hook 'c-mode-hook
-        (lambda () (setq-local devdocs-current-docs '("c"))))
+          (lambda () (setq-local devdocs-current-docs '("c"))))
 (add-hook 'c-ts-mode-hook
-        (lambda () (setq-local devdocs-current-docs '("c"))))
+          (lambda () (setq-local devdocs-current-docs '("c"))))

 (add-hook 'c++-mode-hook
-        (lambda () (setq-local devdocs-current-docs '("cpp"))))
+          (lambda () (setq-local devdocs-current-docs '("cpp"))))
 (add-hook 'c++-ts-mode-hook
-        (lambda () (setq-local devdocs-current-docs '("cpp"))))
+          (lambda () (setq-local devdocs-current-docs '("cpp"))))

-; (devdocs-update-all)
+                                        ; (devdocs-update-all)

 (use-package projectile
  :diminish projectile-mode
@ -1155,7 +1155,7 @@ create a new one."
  ;; NOTE: Set this to the folder where you keep your Git repos!
  (when (file-directory-p swarsel-projects-directory)
    (setq projectile-project-search-path (list swarsel-projects-directory)))
-(setq projectile-switch-project-action #'magit-status))
+  (setq projectile-switch-project-action #'magit-status))

 (use-package magit
  :config
@ -1184,8 +1184,8 @@ create a new one."
                 forge-gitea-repository)))

 (use-package git-timemachine
-   :hook (git-time-machine-mode . evil-normalize-keymaps)
-   :init (setq git-timemachine-show-minibuffer-details t))
+  :hook (git-time-machine-mode . evil-normalize-keymaps)
+  :init (setq git-timemachine-show-minibuffer-details t))

 (use-package rainbow-delimiters
  :hook (prog-mode . rainbow-delimiters-mode))
@ -1294,7 +1294,7 @@ create a new one."
  ;; (add-to-list 'completion-at-point-functions #'cape-dict)
  ;; (add-to-list 'completion-at-point-functions #'cape-elisp-symbol)
  ;; (add-to-list 'completion-at-point-functions #'cape-line)
-)
+  )

 (use-package rustic
  :init
@ -1328,7 +1328,7 @@ create a new one."
                          (concat
                           "-o ControlPath=/tmp/ssh-tramp-%%r@%%h:%%p "
                           "-o ControlMaster=auto -o ControlPersist=yes"))
-)
+  )

 (use-package diff-hl
  :hook
@ -1642,19 +1642,19 @@ create a new one."
          (:maildir "/Drafts"     :key ?d)
          (:maildir "/All Mail"     :key ?a)))

-(setq user-mail-address "leon@swarsel.win"
-      user-full-name "Leon Schwarzäugl")
+  (setq user-mail-address "leon@swarsel.win"
+        user-full-name "Leon Schwarzäugl")


-(setq mu4e-user-mail-address-list '(leon.schwarzaeugl@gmail.com leon@swarsel.win nautilus.dw@gmail.com mrswarsel@gmail.com)))
+  (setq mu4e-user-mail-address-list '(leon.schwarzaeugl@gmail.com leon@swarsel.win nautilus.dw@gmail.com mrswarsel@gmail.com)))


 (add-hook 'mu4e-compose-mode-hook #'swarsel/mu4e-send-from-correct-address)
 (add-hook 'mu4e-compose-post-hook #'swarsel/mu4e-restore-default)

 (use-package mu4e-alert
-:config
-(setq mu4e-alert-set-default-style 'libnotify))
+  :config
+  (setq mu4e-alert-set-default-style 'libnotify))

 (add-hook 'after-init-hook #'mu4e-alert-enable-notifications)

--- a/templates/cu_flake.nix
+++ b/templates/cu_flake.nix
@ -8,7 +8,6 @@
  outputs = {nixpkgs, ...}: let
    system = "x86_64-linux";
    pkgs = import nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; };
-    llvm = pkgs.llvmPackages_latest;
  in {
    devShells.${system}.default = pkgs.mkShell {

--- a/templates/rust_flake.nix
+++ b/templates/rust_flake.nix
@ -5,7 +5,7 @@
    rust-overlay.url = "github:oxalica/rust-overlay";
  };

-  outputs = {self, nixpkgs, rust-overlay, ...}: let
+  outputs = { nixpkgs, rust-overlay, ...}: let
    system = "x86_64-linux";
    pkgs = import nixpkgs {
      inherit system;