nixos-wsl: commit tmpfiles workaround

TODO: move impl to system, this isn't even needed on WSL

flake.nix

@@ -6,7 +6,7 @@
                  # ^^^^^^^^^^^^^ this part is optional
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 
-    nixpkgs-yt-dlp-2024.url = "github:NixOS/nixpkgs/528db5fa94041f0b4909a855d8b9fb9b44fa4f5d";
+    nixpkgs-nix-du.url = "github:NixOS/nixpkgs/c933cf4698e5189b35dd83bf4d7a81aef16d464a";
 
     # this seems to be a popular way to declare systems
     systems.url = "github:nix-systems/default";
@@ -42,8 +42,22 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    # https://github.com/nix-community/lanzaboote/releases
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.1";
+
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     # no inputs.nixpkgs.follows so i can use cachix
-    hyprland.url = "git+https://github.com/hyprwm/Hyprland?submodules=1";
+    # https://github.com/hyprwm/Hyprland/releases
+    # hyprland.url = "git+https://github.com/hyprwm/Hyprland?rev=v0.4.1&submodules=1";
+    hyprland = {
+      type = "git";
+      url = "https://github.com/hyprwm/Hyprland";
+      submodules = true;
+      # ref = "refs/tags/v0.44.1";
+    };
 
     hyprwm-contrib = {
       url = "github:hyprwm/contrib";
@@ -68,9 +82,14 @@
     };
 
     stylix = {
-      url = "github:danth/stylix?ref=e8e3304c2f8cf2ca60dcfc736a7422af2f24b8a8";
+      url = "github:danth/stylix";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.home-manager.follows = "home-manager";
+      inputs.base16.follows = "base16";
+    };
+
+    base16 = {
+      url = "github:SenchoPens/base16.nix";
     };
 
     nixfiles-assets = {
@@ -132,7 +151,7 @@
     # My username
     username = "nullbite";
     # My current timezone for any mobile devices (i.e., my laptop)
-    mobileTimeZone = "America/New_York";
+    mobileTimeZone = "Europe/Amsterdam";
 
     # Variables to be passed to NixOS modules in the vars attrset
     vars = {
@@ -338,7 +357,7 @@
     # (extraS|s)pecialArgs to pass variables
     nixosModules = (import ./modules/nixos) moduleInputs;
     homeManagerModules = (import ./modules/home-manager) moduleInputs;
-    packages = eachSystem (system: let pkgs = import nixpkgs { inherit system; };
+    packages = eachSystem (system: let pkgs = import nixpkgs-unstable { inherit system; };
       in (
         import ./pkgs { inherit pkgs; }) // {
           iso = let
@@ -377,6 +396,18 @@
         hostname = "nixos-wsl";
       };
 
+      # for eval testing
+      rpi4-x86_64 = mkSystem {
+        nixpkgs = inputs.nixpkgs-unstable;
+        home-manager = inputs.home-manager-unstable;
+        system = "x86_64-linux";
+        stateVersion = "24.11";
+        hostname = "rpi4";
+        extraModules = [{
+            nixpkgs.hostPlatform = "x86_64-linux";
+        }];
+      };
+
       rpi4 = mkSystem {
         nixpkgs = inputs.nixpkgs-unstable;
         home-manager = inputs.home-manager-unstable;

home/common/theme.nix

@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.nixfiles.theming;
+  mkDefaultStylix = lib.mkOverride 999;
 
   toCaps = s: with lib.strings; with builtins;
     (toUpper (substring 0 1 s)) + toLower (substring 1 ((stringLength s)-1) s);
@@ -20,7 +21,7 @@ let
     };
     packages = {
       cursors = catppuccin-cursors."${toLower flavor}${toCaps accent}";
-      kvantum = catppuccin-kvantum.override { variant = toCaps flavor; accent = toCaps accent; };
+      kvantum = catppuccin-kvantum.override { variant = toLower flavor; accent = toLower accent; };
       icons = catppuccin-papirus-folders.override { flavor = toLower flavor; accent = toLower accent; };
       gtk = catppuccin-gtk.override { variant = toLower flavor; accents = [ (toLower accent) ]; };
     };
@@ -66,7 +67,7 @@ in {
       });
 
       theme = lib.mkDefault {
-        package = pkgs.gnome.gnome-themes-extra;
+        package = pkgs.gnome-themes-extra;
         name = "Adwaita-dark";
       };
 
@@ -80,9 +81,9 @@ in {
       enable = true;
       autoEnable = true;
       cursor = {
-        package = lib.mkDefault ctp.packages.cursors;
+        package = mkDefaultStylix ctp.packages.cursors;
-        name = lib.mkDefault ctp.names.cursors;
+        name = mkDefaultStylix ctp.names.cursors;
-        size = lib.mkDefault 24;
+        size = mkDefaultStylix 24;
         # x11.enable = lib.mkDefault true;
         # gtk.enable = lib.mkDefault true;
       };

home/common/wm/default.nix

@@ -19,8 +19,9 @@ in
     ./keybinds.nix
   ];
   config = lib.mkIf cfg.enable {
-    # Common options for standalone window managers; many of these (or
+    # Common options for standalone window managers. many of these (or
-    # alternatives thereof) are pulled in by desktop environments.
+    # alternatives thereof) would normally be pulled in by desktop
+    # environments; we want to create a similar experience for window managers.
 
     nixfiles.theming.enable = lib.mkDefault true;
     nixfiles.programs.dunst.enable = lib.mkDefault true;
@@ -34,8 +35,8 @@ in
         exec "${pcmanfm-qt}/bin/pcmanfm-qt" "$@"
       '';
     in [
-      qt5ct
+      libsForQt5.qt5ct
-      qt6ct
+      kdePackages.qt6ct
       swaybg
       swayidle
       libsForQt5.qtstyleplugin-kvantum
@@ -49,9 +50,9 @@ in
       nwg-look
       nwg-displays
 
-      # very consistent
+      # very consistent (ok it's actually a little better now)
       (catppuccin-papirus-folders.override {accent = "mauve"; flavor = "mocha"; })
-      (pkgs.catppuccin-kvantum.override {accent = "Mauve"; variant = "Mocha"; })
+      (pkgs.catppuccin-kvantum.override {accent = "mauve"; variant = "mocha"; })
       catppuccin-cursors.mochaMauve
 
       arc-theme

home/package-sets/communication.nix

@@ -48,6 +48,8 @@ in
       thunderbird
       vesktop
       rustdesk-pkg
+      tor-browser
+      onionshare
     ] ++ [
       irssi
     ];

home/package-sets/gaming.nix

@@ -6,10 +6,7 @@ in
 {
   config = lib.mkIf cfg.enable {
     nixpkgs.overlays = let
-      prismlauncher-config = (final: prev: {
+    in lib.mkAfter [ ];
-        prismlauncher = prev.prismlauncher.override { withWaylandGLFW = true; };
-      });
-    in lib.mkAfter [ prismlauncher-config ];
 
     nixfiles.common.wm.autostart = [
       "steam -silent"

home/package-sets/multimedia.nix

@@ -26,6 +26,7 @@ in
       audacity
       picard
       spicetify-cli
+      (kodi.withPackages (_: [])) # this is required to get python libs
     ] ++ [
       yt-dlp
       gallery-dl

home/package-sets/productivity.nix

@@ -8,6 +8,11 @@ in
     home.packages = with pkgs; optionals config.nixfiles.meta.graphical [
       libreoffice-fresh
       obsidian
+      anki
+
+      # mapping/GIS
+      qgis
+      josm
     ] ++ [
       pandoc
     ];

home/sessions/default.nix

@@ -2,5 +2,6 @@
 {
   imports = [
     ./hyprland
+    ./plasma.nix
   ];
 }

home/sessions/hyprland/default.nix

@@ -276,7 +276,7 @@ in
           "$mod, O, togglesplit," # dwindle"
 
           "$mod, f, fullscreen"
-          "$mod SHIFT, f, fakefullscreen"
+          "$mod SHIFT, f, fullscreenstate, -1 2"
           "$mod CTRL, f, fullscreen, 1"
 
           # Move focus with mod + arrow keys
@@ -339,8 +339,8 @@ in
           "$mod, mouse_up, workspace, e-1"
 
           # show this file (help)
-          ("$mod, slash, exec, ${terminal} -e ${pkgs.neovim}/bin/nvim '+set nomodifiable' '+noremap q :q<CR>'  "
+          # ("$mod, slash, exec, ${terminal} -e ${pkgs.neovim}/bin/nvim '+set nomodifiable' '+noremap q :q<CR>'  "
-          + lib.escapeShellArg (args.vars.self.outPath + "/home/sessions/hyprland/default.nix"))
+          # + lib.escapeShellArg (args.vars.self.outPath + "/home/sessions/hyprland/default.nix"))
 
           # edit this file
           ("$mod SHIFT, slash, exec, ${terminal} -e ${pkgs.neovim}/bin/nvim "

home/sessions/plasma.nix

@@ -0,0 +1,35 @@
+{ pkgs, config, lib, osConfig ? {}, ... }:
+let
+  inherit (lib) mkOption mkEnableOption;
+  cfg = config.nixfiles.sessions.plasma;
+in
+{
+  options.nixfiles.sessions.plasma = {
+    enable = lib.mkOption {
+      description = "Whether to enable the Plasma session home configuration.";
+      type = with lib.types; bool;
+      default = osConfig.nixfiles.sessions.plasma.enable or false;
+      example = true;
+    };
+  };
+  config = lib.mkIf cfg.enable {
+
+    # TODO make this a generic implementation
+    home.packages = let
+      startupScript = pkgs.writeShellScript "autostart-script"
+        (lib.concatStringsSep "\n"
+        (builtins.map (x: "sh -c ${lib.escapeShellArg x} &") config.nixfiles.common.wm.autostart));
+
+      name = "home-manager-autostart";
+      desktopFilePkg = pkgs.makeDesktopItem {
+        inherit name;
+        desktopName = "Home Manager Autostart";
+        exec = startupScript;
+      };
+      autostartPkg = pkgs.runCommand name {} ''
+        mkdir -p $out/etc/xdg/autostart
+        ln -s "${desktopFilePkg}/share/applications/${name}.desktop" "$out/etc/xdg/autostart/"
+      '';
+    in [ autostartPkg ];
+  };
+}

home/standalone.nix

@@ -1,9 +1,10 @@
 # Home Manager default nixfiles entrypoint. This serves as an alternative to
 # default.nix, which sets up some more appropriate options for home-manager
-{ pkgs, config, lib, ... }:
+{ inputs, pkgs, config, lib, ... }:
 {
   imports = [
     ./.
+    inputs.stylix.homeManagerModules.stylix
   ];
   config = {
     # bash is more common on my standalone machines for some reason (low

home/stylix.nix

@@ -1,10 +1,11 @@
 { pkgs, lib, config, inputs, ... }@args:
 {
-  imports = [ inputs.stylix.homeManagerModules.stylix ];
+  imports = [ ];
   config = {
     stylix = lib.mkMerge [
       {
         targets.vim.enable = lib.mkDefault false;
+        targets.neovim.enable = lib.mkDefault false;
         targets.gtk.enable = lib.mkDefault false;
         targets.fzf.enable = lib.mkDefault false;
         # the ring is styled light so it's light on light which looks worse than the default theme

hosts/nixos-wsl/configuration.nix

@@ -40,9 +40,9 @@
     };
 
     fonts.packages = with pkgs; [
-      (nerdfonts.override { fonts = [ "FiraCode" ]; })
+      nerd-fonts.fira-code
       noto-fonts
-      noto-fonts-cjk
+      noto-fonts-cjk-sans
     ];
 
 

hosts/nullbox/backup.nix

@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) escapeShellArg;
+  secret = name: config.age.secrets."${name}".path;
+  fs = config.fileSystems."/srv/mcserver";
+in
+{
+  config = {
+    age.secrets.restic-rclone.file   = ../../secrets/restic-rclone.age;
+    age.secrets.restic-password.file = ../../secrets/restic-password.age;
+
+    systemd.services.restic-backups-system = {
+      path = with pkgs; [ btrfs-progs ];
+    };
+
+    services.restic.backups.system = {
+
+      # create an atomic backup
+      backupPrepareCommand = ''
+        set -Eeuxo pipefail
+
+        if btrfs subvol delete /srv/mcserver/@restic; then
+          echo "Old restic snapshot deleted.";
+        fi
+
+        btrfs subvol snapshot -r /srv/mcserver /srv/mcserver/@restic
+      '';
+      backupCleanupCommand = ''
+        btrfs subvolume delete /srv/mcserver/@restic
+      '';
+
+      rcloneConfigFile = secret "restic-rclone";
+      passwordFile = secret "restic-password";
+      repository = "rclone:restic:";
+      exclude = [
+        ".snapshots"
+      ];
+      paths = [
+        "/srv/mcserver/@restic"
+      ];
+      dynamicFilesFrom = ''
+        echo
+      '';
+
+      extraBackupArgs = [
+        "--tag=auto"
+        "--group-by=host,tag"
+      ];
+
+    };
+  };
+}

hosts/nullbox/configuration.nix

@@ -15,6 +15,8 @@
       ./mcserver.nix
 
       ./impermanence.nix
+
+      ./backup.nix
     ];
 
   config = {
@@ -39,32 +41,52 @@
     # hardware.nvidia.package = lib.mkForce config.boot.kernelPackages.nvidiaPackages.production;
     hardware.nvidia.open = lib.mkForce false;
 
-    specialisation.plasma.configuration = {
+    specialisation.hyprland.configuration = {
-      system.nixos.tags = [ "Plasma" ];
+      system.nixos.tags = [ "Hyprland" ];
       nixfiles = {
-        session = "plasma";
+        session = "hyprland";
       };
     };
 
 
     hardware.cpu.intel.updateMicrocode = true;
 
+    services.udev.extraRules = ''
+      # motherboard has a faulty USB hub or something; whenever *any* program
+      # tries to enumerate USB devices (which is a lot of programs for some
+      # reason), it hangs for several seconds. this disables the faulty hub.
+      SUBSYSTEMS=="usb", ACTION=="add", KERNEL=="usb2", ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0003", ATTRS{serial}=="0000:00:14.0", ATTRS{busnum}=="2", ATTR{authorized}="0"
+    '';
+
     # nixfiles
     nixfiles = {
       profile.workstation.enable = true;
       programs.adb.enable = true;
       workarounds.nvidiaPrimary = true;
       programs.greetd = {
-        preset = "tuigreet";
         settings = {
-          autologin = true;
+          randr = [ "--output" "HDMI-A-3" "--off" ];
+          autologin = false;
           autologinUser = "nullbite";
-          autolock = true;
+          autolock = false;
         };
       };
-      programs.unbound.enable = true;
       common.remoteAccess.enable = true;
-      session = lib.mkDefault "hyprland";
+      common.bootnext = {
+        enable = true;
+        entries = {
+          windows = {
+            name = "Windows Boot Manager";
+            efiPartUUID = "6fc437f5-b917-42b2-9d5d-1439a14e105b";
+            desktopEntry = {
+              name = "Windows";
+              icon = "microsoft-windows";
+            };
+          };
+        };
+      };
+      # session = lib.mkDefault "hyprland";
+      session = lib.mkDefault "plasma";
       hardware.nvidia.modesetting.enable = true;
       packageSets.gaming.enable = true;
     };
@@ -87,6 +109,9 @@
       };
     };
 
+    # temporary while i am away from server
+    boot.kernelPackages = pkgs.linuxPackages_6_6;
+
     networking.wg-quick.interfaces.wg0 = {
       configFile = "/etc/wireguard/wg0.conf";
       autostart = true;

hosts/nullbox/hardware-configuration.nix

@@ -41,19 +41,33 @@
       fsType = "vfat";
     };
 
-  fileSystems."/srv/mcserver" =
+  fileSystems."/srv/mcserver-old" =
     { device = "/dev/disk/by-uuid/7204ff85-6404-4bd7-ba0d-3fb23a5cf52c";
       fsType = "btrfs";
       options = [ "subvol=@mcserver" ];
     };
 
-  fileSystems."/srv/mcserver/.snapshots" =
+  fileSystems."/srv/mcserver-old/.snapshots" =
     { device = "/dev/disk/by-uuid/7204ff85-6404-4bd7-ba0d-3fb23a5cf52c";
       fsType = "btrfs";
       options = [ "subvol=snapshots/@mcserver" ];
     };
 
-  swapDevices = [ ];
+  fileSystems."/srv/mcserver" =
+    { device = "/dev/disk/by-uuid/e36d1ab4-d18b-434e-80b5-0efca0652eb5";
+      fsType = "btrfs";
+      options = [ "subvol=@mcserver" ];
+    };
+
+  fileSystems."/srv/mcserver/.snapshots" =
+    { device = "/dev/disk/by-uuid/e36d1ab4-d18b-434e-80b5-0efca0652eb5";
+      fsType = "btrfs";
+      options = [ "subvol=snapshots/@mcserver" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/4b86cbd6-6fc5-47d4-9d44-35eec59cb785"; }
+    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

hosts/nullbox/impermanence.nix

@@ -94,7 +94,8 @@ in {
           "/var/db/sudo/lectured"
 
           # remember login stuff
-          "/var/cache/tuigreet"
+          { directory = "/var/cache/tuigreet"; user = "greeter"; group = "greeter"; }
+          { directory = "/var/cache/regreet"; user = "greeter"; group = "greeter"; }
         ];
 
         files = [

hosts/rpi4/backup.nix

@@ -23,6 +23,7 @@ in
         "/opt"
         "/var/lib/gitea"
         "/var/lib/tailscale"
+        "/var/lib/private/anki-sync-server"
         "/etc"
       ];
       dynamicFilesFrom = ''

hosts/rpi4/configuration.nix

@@ -22,23 +22,34 @@
       "/opt/hassio"
       "/opt/hassio/.snapshots"
     ];
-    fn = (x: { options = [ "compress=zstd commit=300" ];});
+    fn = (x: { options = [ "compress=zstd" "commit=300" "noatime" ];});
   in lib.genAttrs mounts fn;
 
   # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
   boot.loader.grub.enable = false;
   # Enables the generation of /boot/extlinux/extlinux.conf
-  boot.loader.generic-extlinux-compatible.enable = true;
+  boot.loader.generic-extlinux-compatible = {
+    enable = true;
+    configurationLimit = 5;
+  };
+
+  # temporary while i am away from server
+  boot.kernelPackages = pkgs.linuxPackages_6_6;
 
   nixfiles = {
     profile.server.enable = true;
   };
 
+  hardware.rtl-sdr.enable = true;
+
   # VPN services
   age.secrets.wg0 = {
     file = ../../secrets/wireguard-rpi4.age;
   };
-  services.tailscale.enable = true;
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server";
+  };
 
   systemd.services.wg-quick-wg0.serviceConfig.execStartPre = pkgs.writeShellScript "wait-dns" ''
     until ${lib.getExe pkgs.getent} ahostsv4 example.com ; do echo sleep 1 ; done

hosts/rpi4/reddit-subscriptions.txt

@@ -5,6 +5,7 @@ autism
 beatsaber
 Bitwarden
 boykisser
+btd6
 ConservativeRap
 crackheadcraigslist
 crackwatch
@@ -19,11 +20,12 @@ femboymemes
 feminineboys
 flatpak
 geometrydash
-garn47
 homeassistant
 ihaveihaveihavereddit
+LinkedInLunatics
 linux
 linux_gaming
+losercity
 NixOS
 NonBinaryTalk
 okbuddyhetero
@@ -32,6 +34,7 @@ prismlauncher
 rust
 rustjerk
 selfhosted
+Shark_Park
 steam
 SteamDeck
 talesfromtechsupport

hosts/rpi4/services.nix

@@ -46,6 +46,10 @@
       mode = "0750";
     };
 
+    age.secrets.anki = {
+      file = ../../secrets/anki-user.age;
+    };
+
     users.groups.secrets = {};
     users.users.acme.extraGroups = [ "secrets" ];
 
@@ -74,6 +78,8 @@
             "*.nbt.sh"
             "proot.link"
             "*.proot.link"
+            "nullbite.xyz"
+            "*.nullbite.xyz"
           ];
         };
       };
@@ -94,6 +100,7 @@
       secrets = {
         jwtSecretFile = config.age.secrets.authelia-jwt.path;
         storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+        sessionSecretFile = config.age.secrets.authelia-session.path;
       };
       settings = {
         access_control.default_policy = "one_factor";
@@ -115,6 +122,9 @@
             default_redirection_url = "https://admin.proot.link";
           }
         ];
+        session.redis = {
+          host = config.services.redis.servers.authelia.unixSocket;
+        };
         notifier.filesystem.filename = "/var/lib/authelia-${inst}/notification.txt";
         authentication_backend.file.path = config.age.secrets.authelia-users.path;
         server.port = lib.mkIf (opts ? port) (opts.port or null);
@@ -127,6 +137,16 @@
       };
     };
 
+    services.redis = {
+      servers.authelia = {
+        enable = true;
+      };
+    };
+
+    users.users."${config.services.authelia.instances.main.user}".extraGroups = let
+      name = config.services.redis.servers.authelia.user;
+    in [ name ];
+
     services.nginx = {
       enable = true;
       recommendedProxySettings = true;
@@ -195,9 +215,9 @@
 
         # libreddit auth 8087
         "libreddit.protogen.io" = {
-          useACMEHost = "protogen.io";
-          forceSSL = true;
           locations."/".return = "302 https://redlib.protogen.io$request_uri";
+          forceSSL = true;
+          useACMEHost = "protogen.io";
         };
         "redlib.protogen.io" = mkAuthProxy 8087;
         "rss.protogen.io" = mkReverseProxy 8082;
@@ -237,6 +257,8 @@
         "uptime.protogen.io" = mkReverseProxy 3001;
         "kuma.protogen.io".locations."/".return = "301 https://uptime.protogen.io";
 
+        "anki.protogen.io" = mkReverseProxy config.services.anki-sync-server.port;
+
         "trackmap.protogen.io" = let
           root = pkgs.modpacks.notlite-ctm-static;
         in {
@@ -280,7 +302,7 @@
           locations."/" = {
             return = "302 https://protogen.io$request_uri";
           };
-          serverAliases = [ "www.nullbite.com" "nullbite.dev" "www.nullbite.dev" "www.protogen.io" ];
+          serverAliases = [ "www.nullbite.com" "nullbite.dev" "www.nullbite.dev" "www.protogen.io" "nullbite.xyz" "www.nullbite.xyz" ];
         };
 
         # show blank page for unknown hosts
@@ -312,11 +334,29 @@
         (lib.filter (x: x != ""))
         (lib.concatStringsSep "+")
       ];
+      REDLIB_DEFAULT_SHOW_NSFW = "on";
+      REDLIB_DEFAULT_BLUR_NSFW = "on";
+      REDLIB_DEFAULT_BLUR_SPOILER = "on";
+      REDLIB_DEFAULT_USE_HLS = "on";
+      REDLIB_DEFAULT_DISABLE_VISIT_REDDIT_CONFIRMATION = "on";
+
+      REDLIB_ENABLE_RSS = "on";
     };
+
     services.redlib = {
       enable = true;
       port = 8087;
-      package = pkgs.redlib;
+    };
+
+    services.anki-sync-server = {
+      enable = true;
+      address = "127.0.0.1";
+      users = [
+        {
+          username = "nullbite";
+          passwordFile = config.age.secrets.anki.path;
+        }
+      ];
     };
   };
 }

hosts/slab/configuration.nix

@@ -19,6 +19,12 @@
       };
     }
 
+    # Lanzaboote workaround (nix-community/lanzaboote#173)
+    (lib.mkIf config.boot.lanzaboote.enable {
+      "/efi/EFI/Linux" = { device = "/boot/EFI/Linux"; options = [ "bind" ]; };
+      "/efi/EFI/nixos" = { device = "/boot/EFI/nixos"; options = [ "bind" ]; };
+    })
+
     (lib.genAttrs [ "/.btrfsroot" "/" "/home" "/nix" ] ( fs: {
       options = [ "compress=zstd" ];
     }))
@@ -33,34 +39,48 @@
       ./supergfxd.nix
     ];
 
-  specialisation.plasma.configuration = {
+  # specialisation.plasma.configuration = {
-    system.nixos.tags = [ "Plasma" ];
+  #   system.nixos.tags = [ "Plasma" ];
-    nixfiles = {
+  #   nixfiles = {
-      session = "plasma";
+  #     session = "plasma";
-    };
+  #   };
-    services.displayManager.sddm.enable = lib.mkForce true;
+  #   services.displayManager.sddm.enable = lib.mkForce true;
-    services.xserver.displayManager.startx.enable = lib.mkForce false;
+  #   # services.xserver.displayManager.startx.enable = lib.mkForce false;
+  # };
+
+  specialisation.hyprland.configuration = {
+    system.nixos.tags = [ "Hyprland" ];
+    nixfiles.session = "hyprland";
   };
 
   nixfiles.supergfxd.profile = lib.mkDefault "Integrated";
 
-  # who needs a display manager?
-  services.displayManager.sddm.enable = false;
-
   nixfiles = {
     profile.workstation.enable = true;
     common.remoteAccess.enable = true;
+    common.bootnext = {
+      enable = true;
+      entries.windows = {
+        name = "Windows Boot Manager";
+        efiPartUUID = "c8505f55-1f48-47fc-9b3b-3ba16062cafd";
+        desktopEntry = {
+          name = "Windows";
+          icon = "microsoft-windows";
+        };
+      };
+    };
     hardware.opengl.enable = true;
+    hardware.gps.enable = true;
     packageSets = {
       gaming.enable = true;
       fun.enable = true;
     };
-    session = lib.mkDefault "hyprland";
+    # session = lib.mkDefault "hyprland";
+    session = lib.mkDefault "plasma";
     programs = {
       adb.enable = true;
       unbound.enable = false;
       greetd = {
-        preset = "tuigreet";
         settings = {
           autologin = true;
           autologinUser = "nullbite";
@@ -102,13 +122,22 @@
     #   device = "nodev";
     # };
     systemd-boot = {
-      enable = true;
+      enable = lib.mkForce (!config.boot.lanzaboote.enable);
       xbootldrMountPoint = "/boot";
       netbootxyz.enable = true;
       memtest86.enable = true;
     };
   };
 
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+    settings.reboot-for-bitlocker = true;
+  };
+
+  # GPS data from my phone
+  services.gpsd.devices = lib.mkIf config.nixfiles.hardware.gps.enable [ "tcp://pixel.magpie-moth.ts.net:6000" ];
+
   # systemd power/suspend configuration
   systemd.targets = lib.genAttrs ["suspend" "hybrid-sleep" "suspend-then-hibernate"] (_: {
     enable = false;
@@ -141,7 +170,7 @@
   # }}}
 
   # Set your time zone.
-  time.timeZone = vars.mobileTimeZone;
+  # time.timeZone = vars.mobileTimeZone;
 
   services.asusd.enable = true;
 

hosts/slab/nvidia-optimus.nix

@@ -27,7 +27,10 @@
         nvidiaSettings = false;
 
         # Optionally, you may need to select the appropriate driver version for your specific GPU.
-        package = config.boot.kernelPackages.nvidiaPackages.stable;
+        package = let
+          stable = config.boot.kernelPackages.nvidiaPackages.stable;
+          version = stable;
+        in version;
 
         prime = {
           offload = {

overlays/mitigations.nix

@@ -1,8 +1,23 @@
 nixfiles: final: prev:
 let
-  inherit (prev) lib callPackage fetchFromGitHub;
+  pkgsStable = import nixfiles.inputs.nixpkgs.outPath { inherit (prev) system; };
-  inherit (prev.lib) recurseIntoAttrs optionalAttrs;
+  updateTime = nixfiles.inputs.nixpkgs-unstable.lastModified;
-  isNewer = ref: ver: (builtins.compareVersions ver ref) == 1;
+
+  inherit (final) lib callPackage fetchFromGitHub;
+  inherit (lib) recurseIntoAttrs optionalAttrs
+    versionOlder versionAtLeast;
+
+  pkgsFromFlake = flake: (import flake.outPath) { inherit (prev) system; };
+  pkgsFromInput = name: pkgsFromFlake nixfiles.inputs.${name};
+  pickFixed = ours: theirs: if versionAtLeast ours.version theirs.version then ours else theirs;
+  pickNewer = ours: theirs: if versionOlder theirs.version ours.version then ours else theirs;
+
+  hold = now: days: ours: theirs: let
+      seconds = days * 24 * 60 * 60;
+      endTimestamp = now + seconds;
+    in if now < endTimestamp then ours else theirs;
+
+  optionalPkg = cond: val: if cond then val else null;
 
   gimp-with-plugins-good = let
     badPlugins = [ "gap" ];
@@ -11,24 +26,36 @@ let
     filteredPlugins = lib.filterAttrs pluginFilter prev.gimpPlugins;
     plugins = lib.mapAttrsToList (_: v: v) filteredPlugins;
   in prev.gimp-with-plugins.override { inherit plugins; };
+
+# this also causes an infinite recursion and i have no idea why
+# in nixfiles.inputs.nixpkgs.lib.filterAttrs (k: v: v != null) {
 in {
+  nix-du = let
+    old = prev.nix-du;
+    new = (pkgsFromInput "nixpkgs-nix-du").nix-du;
+  in pickNewer old new;
+
   gimp-with-plugins = gimp-with-plugins-good;
 
-  yt-dlp = let
+  easyeffects = let
-    pkgs-y = (import nixfiles.inputs.nixpkgs-yt-dlp-2024.outPath) { inherit (prev) system;};
+    stable = pkgsStable.easyeffects;
-  in if ((builtins.compareVersions "2024.5.27" prev.yt-dlp.version) == 1)
+    unstable = prev.easyeffects;
-    then (final.python3Packages.toPythonApplication pkgs-y.python3Packages.yt-dlp)
+  in if updateTime < 1726148749 then stable else unstable;
-    else prev.yt-dlp;
+
+  compsize = let
+    stable = pkgsStable.compsize;
+    unstable = prev.compsize;
+    now = 1724786296;
+  in hold now 7 stable unstable;
+
+  qgis = let
+    stable = pkgsStable.qgis;
+    unstable = prev.qgis;
+    now = 1733871491;
+  in hold now 7 stable unstable;
 
   redlib = let
     redlib-new = final.callPackage nixfiles.packages.${prev.system}.redlib.override {};
     inherit (prev) redlib;
-    notOlder = (builtins.compareVersions redlib-new.version redlib.version) >= 0;
+  in pickNewer redlib-new redlib;
-  in if notOlder then redlib-new else redlib;
 }
-  # # can't optionalAttrs for version checks because it breaks lazy eval and causes infinite recursion
-  # // {
-  #   obsidian = let
-  #     pkg = final.callPackage "${nixfiles.inputs.nixpkgs-unstable}/pkgs/applications/misc/obsidian" { electron = final.electron_28; };
-  #   in if isNewer "1.4.16" prev.obsidian.version then prev.obsidian else pkg;
-  # }

overlays/modpacks.nix

@@ -3,8 +3,8 @@ let
   inherit (final) lib;
   inherit (lib) fakeHash;
   notlite = let
-    commit = "1e519c6bd8267cc84ca40fcecc6d2453fac81e1b";
+    commit = "0e42bfbc6189db5848252d7dc7a638103d9d44ee";
-    packHash = "sha256-rK+yuQ/wS0QWaPglFvljnkY0FJNgXwFd+SweZZDCHWw=";
+    packHash = "sha256-X9a7htRhJcSRXu4uDvzSjdjCyWg+x7Dqws9pIlQtl6A=";
   in final.fetchPackwizModpack {
       url = "https://gitea.protogen.io/nullbite/notlite/raw/commit/${commit}/pack.toml";
       inherit packHash;

pkgs/atool-wrapped/default.nix

@@ -5,7 +5,7 @@
   lzip,
   plzip,
   lzop,
-  lzma,
+  xz,
   zip,
   unzip,
   arj,
@@ -16,7 +16,7 @@
   lha,
   unfree ? false }:
 let
-  wrappedPath = lib.makeBinPath ([lzip plzip lzop lzma zip unzip arj rpm cpio p7zip] ++ lib.optionals unfree [unrar lha]);
+  wrappedPath = lib.makeBinPath ([lzip plzip lzop xz zip unzip arj rpm cpio p7zip] ++ lib.optionals unfree [unrar lha]);
 in
 stdenvNoCC.mkDerivation {
   name = "atool-wrapped";

pkgs/redlib/auth-fix.patch

@@ -1,30 +0,0 @@
-From bd47c206a1d94c8382570b69730d72562d777454 Mon Sep 17 00:00:00 2001
-From: Matthew Esposito <matt@matthew.science>
-Date: Thu, 30 May 2024 18:08:45 -0400
-Subject: [PATCH] fix(oauth): Make Android user-agent patching unconditional
-
----
- src/client.rs | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/client.rs b/src/client.rs
-index 5b8fe8f..5ea9d1c 100644
---- a/src/client.rs
-+++ b/src/client.rs
-@@ -181,11 +181,12 @@ fn request(method: &'static Method, path: String, redirect: bool, quarantine: bo
- 		)
- 	};
- 
--	// Check if multi sub requested, or if submitted was requested. If so, replace "Android" with a tricky word.
-+	// Replace "Android" with a tricky word.
- 	// Issues: #78/#115, #116
--	if path.contains('+') || path.contains("/submitted") {
--		user_agent = user_agent.replace("Android", "Andr\u{200B}oid");
--	}
-+	// If you include the word "Android", you will get a number of different errors
-+	// I guess they don't expect mobile traffic on the endpoints we use
-+	// Scrawled on wall for next poor soul: Run the test suite.
-+	user_agent = user_agent.replace("Android", "Andr\u{200B}oid");
- 
- 	// Build request to Reddit. When making a GET, request gzip compression.
- 	// (Reddit doesn't do brotli yet.)

pkgs/redlib/default.nix

@@ -5,23 +5,26 @@
 , rustPlatform
 , fetchFromGitHub
 , darwin
+, nix-update-script
 }:
 rustPlatform.buildRustPackage rec {
   pname = "redlib";
-  version = "0.34.0";
+  version = "0.35.1-unstable-2024-12-02";
 
   src = fetchFromGitHub {
     owner = "redlib-org";
     repo = "redlib";
-    rev = "refs/tags/v${version}";
+    rev = "d7ec07cd0d713fc308e1004663b0053db8f00a0f";
-    hash = "sha256-JpuCX2ae9me+zHxQj5jqQlgDci2NV+TEVUAqnuTn3cA=";
+    hash = "sha256-bAsSLZWGLMrD21xdQtD5NyNsNSZwLOd/+6ujZpbsyQg=";
   };
 
   patches = [
-    ./auth-fix.patch
+    # this is so the commit hash can be embedded so redlib doesn't complain
+    # about the server being outdated unless it's /actually/ outdated
+    ./no-hash.patch
   ];
 
-  cargoHash = "sha256-gkRblCHUFiprZeYtu43GIGBZqCq5l/HEGaQN91XbfSs=";
+  cargoHash = "sha256-5eQRioAdB1OharUwAZEuPe7NpZOFvqAyh2m+NVio8EI=";
 
   buildInputs = lib.optionals stdenv.isDarwin [
     darwin.apple_sdk.frameworks.Security
@@ -30,8 +33,14 @@ rustPlatform.buildRustPackage rec {
   checkFlags = [
     # All these test try to connect to Reddit.
     "--skip=test_fetching_subreddit_quarantined"
+    "--skip=test_gated_and_quarantined"
     "--skip=test_fetching_nsfw_subreddit"
     "--skip=test_fetching_ws"
+    "--skip=test_private_sub"
+    "--skip=test_banned_sub"
+    "--skip=test_gated_sub"
+    "--skip=test_rate_limit_check"
+    "--skip=test_default_subscriptions"
 
     "--skip=test_obfuscated_share_link"
     "--skip=test_share_link_strip_json"
@@ -44,16 +53,20 @@ rustPlatform.buildRustPackage rec {
     "--skip=test_oauth_client"
     "--skip=test_oauth_client_refresh"
     "--skip=test_oauth_token_exists"
+    "--skip=test_oauth_headers_len"
   ];
 
   env = {
     SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+    GIT_HASH=src.rev;
   };
 
   passthru.tests = {
     inherit (nixosTests) redlib;
   };
 
+  passthru.updateScript = nix-update-script { extraArgs = [ "--version=branch=main" ]; };
+
   meta = {
     changelog = "https://github.com/redlib-org/redlib/releases/tag/v${version}";
     description = "Private front-end for Reddit (Continued fork of Libreddit)";

pkgs/redlib/no-hash.patch

@@ -0,0 +1,10 @@
+diff --git a/build.rs b/build.rs
+index 0bdbda0..869c7e6 100644
+--- a/build.rs
++++ b/build.rs
+@@ -21,5 +21,4 @@ fn main() {
+ 	)
+ 	.unwrap_or_default();
+ 	let git_hash = if output == String::default() { "dev".into() } else { output };
+-	println!("cargo:rustc-env=GIT_HASH={git_hash}");
+ }

secrets/anki-user.age

@@ -0,0 +1,45 @@
+age-encryption.org/v1
+-> ssh-ed25519 YUrFgQ Py/ogGTqlQKlRecdysJUoN/Y0WyX4gp8E78/jdrf7wQ
+elo9bSDa5LkTi7bsJbfUM1LGnZgtll4ZSaONjBz/Qbc
+-> ssh-rsa I7EAZw
+QOko8NtkGmL83hUfyUB7hljd2NRPiumDBWY8vAA4vmWyq/Gv71gKjKfB50cqo4Oq
+vxHVlZM+g0PQhJlCLZH4gZwoVniXRtsVo7KlLRI13VpPMmPfN2mLlhvmKmxy+1r9
+RXvYk9Z/NYe6Zz24c17QsxGSyIwXLxdTjvaRH8+pkx3EuIYdS++rONH21B+EkfAJ
+KRCsla/vfhGaC2DeOyR7K4hasfbfIiuPEPgeMy55LdHRMjPddKut5YnrD+4r3iXK
+O3ct4/w8+k7NKWsRKYY8I8FzQJ2ADJpfcAK2NBo3M5QkM6xD7rXFGNHcl+vztzUG
+a+uUsjeZPtyvSdja8uyaF08OVQ41qYGZurnDEVaBcg6f5wfDA0msAqMjeNFs5ayN
+4EFq11AiR2gZEJ0vyKNOrPQH9J2KiGKZFt699j0oasFgKWHdrhNlQdDjUy3ylU3L
+nSurQFPg+8qolFS7hwiiv0orxV8eaBjwE7yvp8UZK1/XC1imcEShbvyIbTEEezDQ
+
+-> ssh-rsa 0pGLuA
+oXi/tWHfAs/sDj8JtEsfQe5mMFywpKb6WukrCTpo0qAZfdEl6wyvf9j+IFPUUxL9
++dzNM0fGnBRQOMpU7AeB7wZznK062VxWrOUYWO5qrofhTpJpfib3zSX3M5TLecxr
+1s+s0Goim3xWJs03XwKeheqSFT2mwRNSmyk+dYgI8dQ7goA1hUn6jZqH+gg2miHI
+0XYppYDGmmuQ+rtvvnt/2r+Gp0WUPHQuB5TTs9BhtZL15mMShL9XN5hIyict+wZR
+DNRKwTbJzR3cw+i2IvHGDB8sGLbeCDOqGngvVCkGhELMxTQLd4epnW+wfVmKBqc9
+Oky9INruZxL2TD/pcXwOC1TQC7pRmLT9yZ6p0YMAr7fpvTe20dWewVUE0X2Eisbn
+dIob5dusJjs2uqWTKs5j3FZcGfrHeGpWGjanCOovkSONER6IwVB+LdnLf7MB+WM3
+M8voAfaa5RbG/UjhDwSrvJvIMQOHbkljq2/8R1F3x+iVeVrK96w/9a8NStQBaSiA
+
+-> ssh-rsa JoBDow
+duiQ9RqFrUdCUs828+tECTLk6VUZSNuz8bBw2uMcXQeet7I2CKWELpBPGEHj5JGL
+79LF/SRcxC9kb4jEFo+TO0qH3JDeSZ03NUcG9Re1bAbAoP1qNPbeK8dAl1dsC0g7
+p/ADm15+uYiiertHbD6iCp0E234ZiFN9tEOITR4NhUQVDJC0uMmRYL4FgWxvxPJp
+IvEovvrNen9dy0dpzihcOC2fv3nt8QpuhMS6OQtanSvilrwxGD+MmuSJ1FEb9p1e
+biPH8atNotBbqDPJV784e42hgUouLEM1tnRcujZfofENE6Eoe5/RcmjIec4JtFyi
+4aU9Vnh7LFX6v38hZZswpegWDav4W158EFxSz4JjIMdYPYAeUJXOJPT+jXacTDIJ
+hv8g3ztDWCgW8KA2odOHO6jQ1dMn8o0n+JXgnTvxzGvOyflr9dTbg2YvrDzE7LZY
+qujfGxIn5SHPCBPTPef0NQIpBv/HidlX47VV3UmSBaMxeBLENB4aH1c3g02MZPpG
+
+-> ssh-rsa wzTCUg
+ND8YpDmFhYeKH5bRFSWO6X69imBfsH/iKlDkyRyGgWuldMTmAyAg7TB8A56SEH4Y
+uqEUNjWK1aNMibXnkT1TfdWjBIndsUV3gWVd8JezMvbWdG7ukuj1jV4grFl8MOmi
+uZCoQlJmFMiyuBBdhqe2+w3MpxV8kTEXjytQApRvZC+EiwF5nQvhZH/lv4Sl12n7
+6seWeKxpwOpnZU6fqfVEqwuZFvBIgllv6Ff2KfJ413OCr6UDZj+U8sK4HEr6x4EL
+ET6Sh57VXV3ntoFS1z0wBvgQh/Ed2aFSQdDAll5W8QTB91mYAFRBHXfrOqOpBecN
+O86J/beml1Sz20QAEMujFGUhgHSTw1mrBId9a0CAUn7+bZN7HTBpnKaBufubj9MN
+LwRe6PwA2GgGdnVweHxVYI6OUmYCWkMyvG42rFjd3WDl3ev7r0pTQsnKdAH9DH1R
+M3QShaLXhFrvnVei+qmAYQo7ab1gLr9bCW3kPBhVMBTyZbSBue/zhl/Dh3mQFSyZ
+
+--- aI2L8OoxgqsBI7ORqDkrOcwdJwd5YEcqVkOWZw03YE0
+Ò}Órïÿ#”-“<>VG—e°yGÌÙË
ă¡jurlU›ˆ°{'˜ÿí¢Q¨°0§urJ@Få

secrets/authelia-session.age

@@ -1,47 +1,45 @@
 age-encryption.org/v1
--> ssh-ed25519 YUrFgQ 42WuYgB9B/1sV+Q8qvMq/65u1Ed0hREmJKKOATv0r3M
+-> ssh-ed25519 YUrFgQ TztZqKKRIE8zJon7oqC7EbM7T7yx9845g27qV6pyASI
-Ypm4fT9GizmjTTpD51VWs0+cZ1VMOQElDJjxNb8Hv/E
+O0EsKk/1M1IVr6QjhzSSTsR2aa96xsyXDIQGwrEyY6I
 -> ssh-rsa I7EAZw
-ZOmiFsTngJAdLrGRBmp/oYxkHnP0Jc/dtGMSNrsc8cpGWFmG7jz634V6Z6WPIXDc
+hVcxzwHX2oGyEvAQ1KRxjXCZ3547JsrdqSYpruAC8dL6TUPywxjZxtRVPuThRYPP
-LsRo+UjNQeZzq8Dhayvg0rxi1jG8y6T4jqrDMNL9lHOcLzP2P3tJ7MMiXbTz6REe
+x0/ZQDFxggV/tuoSYrRSdUy9SB/HCX2trWUMYprJh4QBb7Vb+6tXg2mSbWyZXd2B
-gBxB/dbluFf5QEbKkbg2OgqXdfdb2yqJkVw3TJa8v72sCuLrgGZuVclBlgxISP1x
+CPKw+nCkOoG64gY+qSdrz1FojxmCGuQ98xcTjF4OYu1dVY4EeEesVb18VQeLp3u9
-UQADBVevUCS9tHE9xCsIEUcZJVFjrsxXnyT0QirqLJTQldpogYuTWAre7gKON7Sr
+4Lklcr8Vo4pf+K9hA1g9H5TuzYsInrmw8NljII9jOcKK1E0J51gAUBkhy6MTklZx
-fulaKfq/BdKBr5XrtSTh8H1+t0wiQJ1DjfjoghgU8MATFj84yWEyusOAr9YHmFmf
+jR0dUmlVI5ZabFlRpeMRP+jV4ZB0mRpnntP79M1Wxw4NKRW7mjkfVgdDbTINcZk7
-w1pzy3D2G6OTc8hyWG7JuGunWnnr5D+7WOQwNUjBqMRCcW7wI2Vb0ikkUctJ/4Ws
+bq4LH1zA/zJedFunqZltDLzXsSh/4uev73sZxPnsPh1AYb15QYRLyW9foYH7FVKk
-XIjL7evBM5HvskwK438lFl+XaBkGXdCWHm6JrOkD3RTLLZFjYQnSdDMIALTUu4MC
+yNhDjJP2IiMFATu5jaA1tnUIEtSIgZy9pWBHCBl6J/d9Df2woCvYLpvLdlVQ5gk5
-VE+VESpENmq7czckbxJpUKgI+LSS5hPty2DMSHS5SuFW8CV98bPB8TFiR1MMs9Ud
+P2Cvm1TqSuXcYlEZArmpH0G8nYPx/o0HJ6axUv0MwXhilM5NjhT4fF8NX3JW8864
 
 -> ssh-rsa 0pGLuA
-bsz1aks3oNSbtc4NAV+Tm00a4EySmzwSc2kjcssod+TbguoYmyELuuEpPVLbiRmn
+JW3hrOO2HkHdFlJEVtkJeNErjsdnVs2Rrq89u+nBJgeWeO0aslcr0k8oPDPXGpN6
-GskJN+6rOHvFKJFtcIn22wEN6n+c445qNzvAPUKq3KFzSYmGtuKJDCvAgY+JkkTg
+xLdLFs8k4ShHqVinPM88mFcZsBadLAWrCrjw6d1JHcpiMkiq8oOKkuBOQLgTbZMn
-lIeViZVSf9rwrGesAixrd7GoaWbrdhifHVIH6fPF6cyb2ufSj8NDDL8Fq55z8Q6d
+0q01X8PctElcX2i+DxTkA9Pv/kXM4Pf4AbAnoumO9H225dXECwyV7e9oAIaj0pqT
-YTe25iCtVmrmlKjW5m37sOrSoSsGvhfMMc/VyrYu+Is3SsAzYURKVSH9JgQSTc3X
+Vo5w3R4xOztLx03RLsQRnrXT2xN1sF30CN1hXhb6vh1NB2Mc+ERrUSa46SYkMZ3s
-rtGI8Yx2Hgk7z7uFDe3RKDJXV85nZzl0Vhid4TYlZ1QUc9JtsPAm8Sh8SMofNmnD
+x+/nirbOP6f+qWkxTe/X/konQGZgftnHbke4eZYmEQ1FPFMa4bwJrw5crU+5aqR6
-GBU3C8j/1bs4qwX/s9UrqJJz0+ibAZ60gM0dr+r805k+hJR7iAiwTh9v3M067bVm
+v7fWH/6m9cm/aQVteiYEdzYP6s3Mpu/SN04QdFZtXUtrBndCf3NhMSlBlCKOLTAX
-4fr4xBoqMXr08t6elyQKKJtLweKSnTJQF/6BptcZapwJTWmxO9zrujag5Qse+csR
+67Z16/zSn+O3U9JhxevpWCIk3aLm63Zs4jqhBKT1KMIu5IOAwfebtIhbLRo99e5B
-jewrsuUddqngOKdHknmQwgoIRzbW3rCtmqjgbDoOvF1xEAONgoDJuUBiULt2elPC
+0/6GajNHT6DtxYAC0SoGUnWDed8KPngMI5hCXY3oVjopR5VCCLNe2yMByScGN3rX
 
 -> ssh-rsa JoBDow
-MbVKzWRHhCenqinwJcGxFW4tMaFfwZtA7Fp6L+f6DTCDbtuE9ovt2bbfJ6/yzJjE
+nJRweRkogrfs+k4vAk0lNOOVwA3jx7GUY4HEyi6BgKyJFzKaGsn8lcnxETaiAyGq
-kEiEnLzNVZbVccdREDdI3kq8wiFJKuBVbOZXCGmk2rgVUzgwXO5FfHqM1dul5foW
+S4LL4GJzsjJBqlUjAGHEHklh+4BbIJKa+RBvO7lRnNmh+DC3A3s2HLrnCx6jYLJ1
-cJuzYfBAtmEnVCI0LjwTw+4nNnMzykhh/9OKjEUQ8bVFH+leFjgAeJdcTD5hWUtG
+ZERCxiIo26MlvkSz6yk4XsluK7wg8b/2kwJAjRGIqRptl2PgWCtoWaw5KOp2BmFe
-w8WAlttos0gnFcxtPm1X+JN1Gyu1oiVGVk+u/hxWs7zAdAixPtICt5ZB3TLelyu8
+CdfrIKz3kC+1G8Xn9qUxPRhUUkjfGla/bKIGyGg7xCAi6P18bMWQzs7DO44/9UI7
-yWbMARZ4uLtPzgy0asSlmeOZ8r0oaTHWieLP30F1alsyakFbO6qXQZGEVNfx4z0e
+mqxR62d0wX126bu98yoW6Xvbp10/LsKFeoJHcuP0yHiHJ28YLmNt+AXBRSsTQb59
-AvMnPz+SSLQ9OIdThnYOjDDAkT79I5xuY7YeGoDkTy6a8JEo1SdXkf+0SAtE/Ihx
+2YXXtUZSmOWLiv380+PgAaT92QTW4a/m127HZSgAkVN8InNO12YmEcv6zWwwGw3E
-TTDhar+pjV+eV72fMbhbMvENcVb0o4edP/mCJXl8Wjz/RSlQs+huiF+RDEs0RX18
+4r63z0IxjjcT0aKMRYIDIzQ2DSYIcCO1ImaWRpCQpX8P7M04CpEa85q5SVkWXN+b
-iua+wAylwb1ZLYL4hzsxxUodngbroGwglaMMMCbV4wOYR9LPfwP6hy8/EvY30IxU
+DckkH88azjB64xwhmdnIOhUrCKHvZGwYvjunyuf+XLH/E75o6XZuLKRF/lK5uGWC
 
 -> ssh-rsa wzTCUg
-mIms/oP6KFSxBaulSRvNT3oTdMijcUZRQgPCiysvJBkpSSsIpoH2DSBhLqs2z7RS
+OpQspznWcve14f0UIr6WNZIm7nXXyeBP+MD6MzsxW2I+JQN9YbAT4y7a4Qphfis+
-XvavUqn6FJCOQHb/c9TXoP00Mwx3X/mpn8mAxddnNH+19ZboFEAj9qgXMuWygjro
+lb9lQhe2PiX1zil+mUOilflSmVSfbxihC3lkWcrZG2Ov+U3U3Cdbv4T8ZWxp8nkq
-CeO7h0TjYq55pubTS68BWb4BhIvAGQmIeFd7QyozdFOnAQ1Wdw+UjAuRl2GGEIAW
+xHz3JkR97b7FXCprc3Z4gPY8bq7XIh6U0RzY3XCaDCuAXDirsVLd10byKB2LDWk/
-ztk8yeU2zp5Jo8Nqc6GFNlZR7OYx8mlMAUvkdo53bU7fTM0EfsxRuP9aNO/HXoSS
+D5FCOs/gdiCUP75fGNMuQqQiWn8IrfaMAZyh4XoFrBGhxbGIIifujc/Clp3QPJuC
-8OOGQzt+qefFoqDYWS16ftLafrBqdWps+ivWzn0Bh2CtdemdOKMDosBDtrHcLKL5
+P5VCldocm+b6Lskgdy1kPfeQbP3H4tcTNcbuDV/FitrM620k7gnfY9MCTRnwJKOY
-qOgae79fQd5x9HF8UHqunGijgcGxnm0GHOT5mIGWw9ms4RzyhC58HVqOFmS0SIOW
+ww2H39IjVHnzKw3Xdj05jqeRtWoassLE4T6xysqOixyD1XciMmjyDrt5rqNaNchY
-/SdHspEoFpY3E0ImHbDhDwfOcHbYzLllX9uf+0Nif8SMYGhEMa9loxYK1yKZVGHt
+jWk+lUBNM+ipcFvEV/Ivcxk2Cd8yrxWX1rWBQz9HCZqo+gKEFe+O5l2dXVHK5GOw
-NiBFidgH/8OECkDjmatBtzigYyq7Tk+Ct2eZZJSAyeP2VVNYT4uqtmp24hfBlLBR
+0aJwE3gPLJkSpPAINMVVlonlkXgoeFUVp1wG55xz7EmpQm/NYnd9PXilp/UWnvBM
 
---- anDEUDvExEekm+KJ9jnPJRT52weZhy7l6dCeqeKltr0
+--- h1O4L8FUSX0ZTrvHxfuDP3op6n4Lm6vBN3ZPo2aL/fE
-aD=˽˜t.$¡f˜DV›F}3ãzÖ5ücæ3*=¤…-ÚŽù³L?ú–ã˜^
+[gÝtÄè,¿;Ga>‹uðNV|‰¿\× p"Ž°z@Õq#…ËN‚¶3“d|KZfÁ¨+è“æîÝö—œ"6üž.Ö<˜„Cïµ`pŽÚß<¯áøîÊ€ÑóCQbEšt
-hP§©È¬Ÿ6T*|îXU¬c”
-IL<EFBFBD>Õ&<ïqŒÏ¶É‡¨jkƒ >ö±ØÐr¶ @%]ÊÀñe϶¡w[¹áy…Ö( l˜½~Ù•têK²Ö{"œöZ¯&ÿ·6r»cÎEüûW2¤0r<30>5¸$­¯”	¡!¸Œ<C2B8>JßÞGOsšÚ‹Ô”Sˆ›†Fm@Ó—a,Jú•ûÓût¨¹}é'¤4:&ÿc0AAz

secrets/secrets.nix

@@ -25,5 +25,7 @@ in
 
   "restic-rclone.age".publicKeys = [ rpi4 nullbox slab ] ++ all-user;
   "restic-password.age".publicKeys = [ rpi4 nullbox slab ] ++ all-user;
+
+  "anki-user.age".publicKeys = [ rpi4 ] ++ all-user;
 }
 

system/common/bootnext.nix

@@ -0,0 +1,138 @@
+{ config, lib, pkgs, options, ... }:
+let
+  inherit (lib) types escapeShellArg;
+  cfg = config.nixfiles.common.bootnext;
+  bootNextScriptMain = pkgs.writeShellScript "bootnext-wrapped" ''
+    set -Eeuxo pipefail
+
+    PATH=${lib.escapeShellArg (with pkgs; lib.makeBinPath [ gnugrep coreutils efibootmgr ])}
+    export PATH
+
+    function do_bootnext() {
+      uuid="$1"
+      shift
+      entryName="$1"
+      shift
+
+      efibootmgr -n "$(efibootmgr | grep -Fi "$uuid" | grep -F "$entryName" | cut -d' ' -f1 | tr -dc '[:digit:]')"
+    }
+
+    case "$1" in
+    ${lib.concatStringsSep "\n" (
+      lib.mapAttrsToList (name: value:
+        "  ${escapeShellArg name}) do_bootnext ${escapeShellArg value.efiPartUUID} ${escapeShellArg value.name} ;;"
+      ) cfg.entries
+    )}
+      *) echo "Boot entry \"$1\" not configured."; exit 1;;
+    esac
+  '';
+
+  bootNextScript = pkgs.writeShellScriptBin "bootnext" ''
+    # this wrapper is needed because the sudoers config needs the path to the
+    # actual script and self referencing is a pain. this way we can guarantee
+    # that the script passed is exactly the same as the one in the sudoers
+    # config. i could use realpath but this is probably safer since it is not
+    # evaluated at runtime. who knows.
+    if [[ "$(id -u)" -ne 0 ]]; then
+      exec sudo ${escapeShellArg bootNextScriptMain} "$@"
+    else
+      exec ${escapeShellArg bootNextScriptMain} "$@"
+    fi
+  '';
+
+  desktopWrapper = pkgs.writeShellScript "bootnext-desktop-wrapper" ''
+    if ${pkgs.libsForQt5.kdialog}/bin/kdialog --warningyesno "Are you sure you want to reboot?" ; then
+      ${bootNextScript}/bin/bootnext "$@"
+      reboot
+    fi
+  '';
+
+  bootnextDesktopEntries = pkgs.symlinkJoin {
+    name = "bootnext-desktop-entries";
+      paths = lib.mapAttrsToList (name: value: pkgs.makeDesktopItem {
+        name = "bootnext-reboot-${name}";
+        desktopName = "Reboot into ${value.desktopEntry.name}";
+        comment = "Select the entry defined by the `${name}` configuration in the bootnext script and then reboot.";
+        icon = "${value.desktopEntry.icon}";
+        keywords = [ "bootnext" "reboot" "${name}" "${value.desktopEntry.name}" ];
+        exec = "${desktopWrapper} ${name}";
+      }) (lib.filterAttrs (_: value: value.desktopEntry.enable) cfg.entries);
+  };
+
+in
+{
+  options = {
+    nixfiles.common.bootnext = {
+      enable = lib.mkOption {
+        description = ''
+          Whether to enable the bootnext wrapper command for controlling boot order
+        '';
+        type = types.bool;
+        default = false;
+        example = true;
+      };
+      enableDesktopEntries = lib.mkEnableOption "generation of bootnext Desktop entries" // { default = true; };
+      entries = let
+        entryModule = {name, config, ... }: {
+          options = let
+            uuidType = with types; lib.mkOptionType {
+              name = "uuid";
+              description = "UUID";
+              descriptionClass = "noun";
+              check = let
+                uuidRegex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$";
+              in x: str.check x && (builtins.match uuidRegex x) != null;
+              inherit (str) merge;
+            };
+          in {
+            efiPartUUID = lib.mkOption {
+              description = "UUID of EFI partition containing boot entry";
+              type = uuidType;
+              apply = lib.strings.toLower;
+            };
+            name = lib.mkOption {
+              description = "Name of boot entry as it appears in efibootmgr";
+              type = types.str;
+              example = "Windows Boot Manager";
+            };
+            desktopEntry = {
+              enable = lib.mkOption {
+                description = "Whether to generate this desktop entry.";
+                type = types.bool;
+                default = true;
+                example = false;
+              };
+              name = lib.mkOption {
+                description = "Display name of boot entry for desktop entry.";
+                type = types.str;
+                default = config.name;
+                example = "Windows";
+              };
+              icon = lib.mkOption {
+                description = "Path or name of icon to use for desktop entry";
+                type = with types; nullOr str;
+                default = null;
+              };
+            };
+          };
+        };
+      in lib.mkOption {
+        description = "bootnext entry";
+        type = with types; attrsOf (submodule entryModule);
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ bootNextScript ] ++ lib.optional cfg.enableDesktopEntries bootnextDesktopEntries;
+
+    security.sudo.extraRules = lib.mkAfter [
+      {
+        commands = [
+          { command = "${bootNextScriptMain}"; options = [ "NOPASSWD" ]; }
+        ];
+        groups = [ "wheel" ];
+      }
+    ];
+  };
+}

system/common/default.nix

@@ -5,5 +5,6 @@
     ./remote.nix
     ./wm.nix
     ./nix.nix
+    ./bootnext.nix
   ];
 }

system/common/nix.nix

@@ -70,6 +70,14 @@ in
       # fallback to building locally if binary cache fails (home-manager should be
       # able to handle simple rebuilds offline)
       nix.settings.fallback = lib.mkDefault true;
+
+      # trust all members of wheel. this technically can give you root power,
+      # but if you've compromised a member of wheel, you might as well already
+      # be root; you could easily intercept a sudo call.
+      nix.settings.trusted-users = [
+        "@wheel"
+        "root"
+      ];
     })
   ];
 }

system/common/remote.nix

@@ -19,7 +19,10 @@ in
       openFirewall = true;
     };
 
-    services.tailscale.enable = true;
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = "both";
+    };
 
     networking.wireguard.enable = true;
   };

system/default.nix

@@ -19,6 +19,7 @@ in
     ./minecraft.nix # imports inputs.nix-minecraft
     inputs.impermanence.nixosModules.impermanence
     inputs.agenix.nixosModules.default
+    inputs.lanzaboote.nixosModules.lanzaboote
     ./stylix.nix # imports inputs.stylix
   ];
   config = {};

system/hardware/default.nix

@@ -6,5 +6,6 @@
     ./opengl.nix
     ./sound.nix
     ./binfmt.nix
+    ./gps.nix
   ];
 }

system/hardware/gps.nix

@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.nixfiles.hardware.gps;
+in
+{
+  options = {
+    nixfiles.hardware.gps = {
+      enable = lib.mkEnableOption "GPS configuration";
+      gpsdBridge = lib.mkOption {
+        description = "Whether to enable bridging of gpsd data to Geoclue2";
+        default = true;
+        example = false;
+        type = lib.types.bool;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.geoclue2 = {
+      enable = true;
+    };
+
+    environment.etc."geoclue/conf.d/00-nmea-socket.conf".text = lib.mkIf cfg.gpsdBridge ''
+      [network-nmea]
+      enable=true
+      nmea-socket=/run/gpsd-nmea/nmea.sock
+    '';
+
+    # this could probably be a systemd socket but i don't know how to make those
+    systemd.services.gpsd-nmea-bridge = lib.mkIf cfg.gpsdBridge {
+        path = with pkgs; [
+          gpsd
+          coreutils
+          socat
+        ];
+        description = "gpsd to Geoclue2 GPS data bridge";
+        before = [ "geoclue.service" ];
+        wantedBy = [ "geoclue.service" "multi-user.target" ];
+        serviceConfig = {
+          RuntimeDirectory = "gpsd-nmea";
+          ExecStart = pkgs.writeShellScript "gpsd-nmea-bridge" ''
+            exec socat -U UNIX-LISTEN:''${RUNTIME_DIRECTORY}/nmea.sock,fork,reuseaddr,mode=777 SYSTEM:'gpspipe -Br | stdbuf -oL tail -n+4'
+            '';
+        };
+      };
+    services.gpsd.enable = lib.mkIf cfg.gpsdBridge true;
+  };
+}

system/hardware/nvidia.nix

@@ -68,7 +68,10 @@ in
       nvidiaSettings = lib.mkDefault true;
 
       # Optionally, you may need to select the appropriate driver version for your specific GPU.
-      package = lib.mkDefault config.boot.kernelPackages.nvidiaPackages.stable;
+      package = let
+        stable = config.boot.kernelPackages.nvidiaPackages.stable;
+        version = stable;
+      in lib.mkDefault version;
     };
   };
 }

system/minecraft.nix

@@ -20,13 +20,13 @@
 
         modpackFiles = lib.mkOption {
           description = "List of files from modpack to copy into server directory";
-          type = with lib.types; listOf string;
+          type = with lib.types; listOf str;
           default = [ ];
         };
 
         modpackSymlinks = lib.mkOption {
           description = "List of files from modpack to symlink into server directory";
-          type = with lib.types; listOf string;
+          type = with lib.types; listOf str;
           default = [ ];
         };
       };

system/package-sets/gaming.nix

@@ -28,10 +28,7 @@ in
           ];
         };
       });
-      prismlauncherWayland = (final: prev: {
+    in [ steamGamescopeFix ];
-        prismlauncher = prev.prismlauncher.override { withWaylandGLFW = true; };
-      });
-    in [ steamGamescopeFix prismlauncherWayland ];
 
     programs.steam = {
       enable = lib.mkDefault true;

system/profile/base.nix

@@ -67,10 +67,14 @@ in
 
         fd
         ripgrep
-        sbctl # TODO move this elsewhere
         comma
         nil
 
+        # UEFI utils
+        efitools
+        sbctl
+        sbsigntool
+
         # network utilities
         inetutils
         socat

system/profile/pc.nix

@@ -24,6 +24,12 @@ in
     # FIXME find somewhere else to put this
     networking.networkmanager.enable = lib.mkDefault true;  # Easiest to use and most distros use this by default.
 
+    # contains icons for bootnext desktop entries (the Windows icon); there's
+    # probably no reason to *not* include this.
+    environment.systemPackages = with pkgs; [
+      nixfiles-assets
+    ];
+
     # enable option sets
     nixfiles = {
       hardware = {
@@ -32,6 +38,21 @@ in
       };
     };
 
+    # enable filesystems
+    boot.supportedFilesystems = {
+      # not yet; need kernel 6.7. update the lts kernel first.
+      # bcachefs = mkDefault true;
+      cifs = mkDefault true;
+      ext4 = mkDefault true;
+      ecryptfs = mkDefault true;
+      exfat = mkDefault true;
+      f2fs = mkDefault true;
+      nfs = mkDefault true;
+      squashfs = mkDefault true;
+      vfat = mkDefault true;
+      xfs = mkDefault true;
+    };
+
     # probably unnecessary, this will be enabled by whatever session i use
     # Enable the X11 windowing system.
     # services.xserver.enable = true;

system/profile/workstation.nix

@@ -34,9 +34,9 @@ in
     services.flatpak.enable = mkDefault true;
 
     fonts.packages = with pkgs; [
-      (nerdfonts.override { fonts = [ "FiraCode" ]; })
+      nerd-fonts.fira-code
       font-awesome
-      noto-fonts-cjk
+      noto-fonts-cjk-sans
       (google-fonts.override { fonts = [ "NovaSquare" ];})
     ];
 

system/programs/greetd.nix

@@ -1,9 +1,9 @@
 { pkgs, config, lib, options, ... }:
 let
   cfg = config.nixfiles.programs.greetd;
-  inherit (lib.types) bool enum nullOr str path listOf;
+  inherit (lib) types optional optionals escapeShellArg escapeShellArgs;
+  inherit (types) bool enum nullOr str path listOf;
   inherit (builtins) isNull;
-  inherit (lib) optional optionals;
   optionalsSet = val: optionals (!(isNull val));
   optionalSet = val: optional (!(isNull val));
   sessions = config.services.displayManager.sessionData.desktops;
@@ -13,6 +13,12 @@ let
   loginwrap=pkgs.writeShellScriptBin "loginwrap" ''
     exec "$SHELL" -lc 'exec "$@"' "login-wrapper" "$@"
   '';
+
+  mkPresetOption = x: lib.mkOption {
+    description = "${x} greetd configuration";
+    type = bool;
+    default = false;
+  };
 in
 {
   config = lib.mkIf cfg.enable {
@@ -57,7 +63,34 @@ in
         ];
       };
     };
-    nixfiles.programs.greetd.presets.${cfg.preset}.enable = true;
+
+    # regreet config (it is configured through an upstream module; the only
+    # greetd-specific config set is default_session, so we can configure it
+    # here instead of above.)
+    programs.regreet = let
+      # lets us use wlr-randr
+      wrapperPackage = pkgs.writeShellScriptBin "regreet-wrapper" ''
+        ${cfg.settings.graphicalInit}
+
+        exec ${escapeShellArg (lib.getExe pkgs.greetd.regreet)} "$@"
+      '';
+    in lib.mkIf cfg.presets.regreet.enable {
+      enable = lib.mkDefault true;
+      package = wrapperPackage;
+      settings = {
+        background.path = cfg.settings.wallpaper;
+        fit = lib.mkDefault "Fill";
+        appearance.greeting_msg = cfg.settings.greeting;
+      };
+    };
+
+    # self config
+    nixfiles.programs.greetd = {
+      presets.${cfg.preset}.enable = true;
+      settings.graphicalInit = lib.optionalString (cfg.settings.randr != null) ''
+        ${lib.getExe pkgs.wlr-randr} ${escapeShellArgs cfg.settings.randr}
+      '';
+    };
   };
 
   options.nixfiles.programs.greetd = {
@@ -66,7 +99,7 @@ in
     preset = lib.mkOption {
       description = "greetd configuration to enable (shorthand for presets.<preset>.enable)";
       type = enum (lib.mapAttrsToList (name: value: name) options.nixfiles.programs.greetd.presets);
-      default = "tuigreet";
+      default = "regreet";
     };
 
     settings = {
@@ -94,6 +127,20 @@ in
         default = null;
         example = [ "Hyprland" ];
       };
+
+      graphicalInit = lib.mkOption {
+        description = "Commands to run upon initialization of a graphical greeter.";
+        type = lib.types.lines;
+        default = "";
+      };
+
+      randr = lib.mkOption {
+        description = "Options to pass to wlr-randr";
+        type = nullOr (listOf str);
+        default = null;
+        example = [ "--output" "HDMI-A-3" "--off" ];
+      };
+
       loginShell = lib.mkOption {
         description = "Wrap in login shell to source .profile/.zshenv/etc. (if configurable).";
         type = bool;
@@ -135,10 +182,8 @@ in
         example = true;
       };
     };
-    presets.tuigreet.enable = lib.mkOption {
+
-      description = "tuigreet greetd configuration";
+    presets.regreet.enable = mkPresetOption "regreet";
-      type = bool;
+    presets.tuigreet.enable = mkPresetOption "tuigreet";
-      default = false;
-    };
   };
 }

system/sessions/hyprland.nix

@@ -3,6 +3,8 @@ let
   cfg = config.nixfiles.sessions.hyprland;
   flake-package = inputs.hyprland.packages.${pkgs.system}.hyprland;
   flake-portal = inputs.hyprland.packages.${pkgs.system}.xdg-desktop-portal-hyprland;
+
+  nvidiaEnabled = (lib.elem "nvidia" config.services.xserver.videoDrivers);
 in
 {
   # imports = [
@@ -64,7 +66,7 @@ in
         # NIXOS_OZONE_WL = "1"; # this is breaking things for some reason
       }
 
-      (lib.mkIf config.hardware.nvidia.modesetting.enable {
+      (lib.mkIf (nvidiaEnabled && config.hardware.nvidia.modesetting.enable) {
         WLR_NO_HARDWARE_CURSORS = "1";
       })
     ];

system/sessions/plasma.nix

@@ -15,9 +15,11 @@ in
   };
 
   config = mkIf cfg.enable {
+    nixfiles.programs.greetd.enable = lib.mkDefault true;
+    nixfiles.programs.greetd.settings.command = lib.mkDefault [ "${pkgs.kdePackages.plasma-workspace}/libexec/plasma-dbus-run-session-if-needed" "startplasma-wayland" ];
+
     services.xserver.enable = true;
-    services.displayManager.sddm.enable = mkDefault true;
+    services.desktopManager.plasma6.enable = true;
-    services.xserver.desktopManager.plasma6.enable = true;
     services.displayManager.defaultSession = "plasma";
     programs.kdeconnect.enable = mkDefault true;
     nixfiles.meta.wayland = true;
@@ -46,7 +48,8 @@ in
 
     environment.systemPackages = with pkgs; [
       # this fixes tiny file dialogs for Minecraft
-      libsForQt5.kdialog
+      kdePackages.kdialog
+      kdePackages.yakuake
     ];
   };
 }

system/stylix.nix

@@ -10,7 +10,7 @@
       # this naming is confusing as shit
       # this enables color theming of things by stylix
       autoEnable = lib.mkDefault config.stylix.enable;
-      # this enables installation of fonts/images/etc
+      # this enables the entire module. keep this off by default.
       enable = lib.mkDefault false;
 
       # an image i like
@@ -22,8 +22,7 @@
         # use system config in home-manager
         followSystem = lib.mkDefault true;
 
-        # I will manually import within home-manager so it works standalone
+        autoImport = lib.mkDefault true;
-        autoImport = lib.mkDefault false;
       };
     };
   };

update.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nix-update
+
+set -Eeuxo pipefail
+
+if [[ "$#" -ne 0 ]] ; then
+	until [[ "$#" -le 0 ]]; do
+		case "$1" in
+			pkgs|packages) DO_PACKAGES=1;;
+			flake) DO_FLAKE=1;;
+		esac
+		shift
+	done
+else
+	DO_PACKAGES=1
+	DO_FLAKE=1
+fi
+
+cd "$(dirname "$0")"
+
+
+[[ -n "${DO_FLAKE:+x}" ]] && nix flake update || true
+
+if [[ -n "${DO_PACKAGES:+x}" ]] ; then
+	nix-update --flake redlib --version=branch=main
+fi