Merge pull request 'zsh: add fr function' (#56) from develop into release-25.11

Reviewed-on: #56

.envrc

@@ -1 +1,2 @@
+# shellcheck shell=bash
 use flake

.forgejo/workflows/build-tests.yml

@@ -1,9 +1,10 @@
+---
 name: Build tests
 
 on:
   pull_request:
     branches:
-      - release-25.11
+      - release-*
 
 jobs:
   build-hosts:

.forgejo/workflows/deploy-docs.yml

@@ -1,3 +1,4 @@
+---
 name: Deploy docs
 
 on:
@@ -18,5 +19,8 @@ jobs:
           STORE_PATH=$(nix build .#synix-docs --print-out-paths --no-link)
           echo "STORE_PATH=$STORE_PATH" >> $GITHUB_ENV
 
+      - name: Check external links
+        run: nix run nixpkgs#lychee -- --exclude-loopback docs/
+
       - name: Update symlink
         run: ln -sfn ${{ env.STORE_PATH }} /var/www/doc

.forgejo/workflows/flake-check.yml

@@ -1,6 +1,8 @@
+---
 name: Flake check
 
-on: [pull_request]
+on:
+  pull_request:
 
 jobs:
   flake-check:
@@ -11,5 +13,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Check formatting
+        run: nix fmt -- --check
+
       - name: Run flake check
-        run: nix flake check --impure
+        run: nix flake check --impure --all-systems

apps/create/create.sh

@@ -11,9 +11,6 @@ HOSTNAME=""
 # Templates with Home Manager configurations
 HM_CONFIGS=("hyprland")
 
-# This will get overwritten by the derivation
-TEMPLATES_DIR=""
-
 # Print usage information
 usage() {
     cat <<EOF

apps/rebuild/rebuild.sh

@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 # NixOS and standalone Home Manager rebuild script
 
 # Defaults
@@ -60,7 +61,7 @@ Rebuild_nixos() {
   [[ -n "$TARGET_HOST" || -n "$BUILD_HOST" ]] && CMD+=("--ask-sudo-password")
 
   # Build config first so we can diff it
-  local BUILD_CMD=("nixos-rebuild" "build" "--flake" "$FLAKE")
+  local BUILD_CMD=("nixos-rebuild" "build" "--no-build-output" "--flake" "$FLAKE")
   [ "$SHOW_TRACE" = 1 ] && BUILD_CMD+=("--show-trace")
   [ -n "$BUILD_HOST" ] && BUILD_CMD+=("--build-host" "$BUILD_HOST")
 
@@ -101,7 +102,7 @@ Rebuild_home() {
 
   # Build config first so we can diff it
   if [ "$ROLLBACK" = 0 ]; then
-    local BUILD_CMD=("home-manager" "build" "--flake" "$FLAKE")
+    local BUILD_CMD=("home-manager" "build" "--no-out-link" "--flake" "$FLAKE")
     [ "$SHOW_TRACE" = 1 ] && BUILD_CMD+=("--show-trace")
     _status "Building Home Manager configuration '$FLAKE'..."
     _status "Executing command: ${BUILD_CMD[*]}"

apps/update-packages/update-packages.sh

@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 SYSTEM="x86_64-linux"
 IGNORE_PACKAGES=(
   "pyman"

docs/getting-started/add-configs.md

@@ -1,6 +1,6 @@
 # Add NixOS and Home Manager configurations
 
-Choose a configuration template from [this list](https://git.sid.ovh/sid/synix/tree/master/apps/create/templates).
+Choose a configuration template from [this list](https://git.sid.ovh/sid/synix/src/branch/release-25.11/templates/nix-configs).
 
 Run the `create` script to add your desired configuration template to your nix-config flake:
 
@@ -14,7 +14,7 @@ nix --experimental-features "nix-command flakes" run git+https://git.sid.ovh/sid
 -f ~/.config/nixos
 ```
 
-> Change the architecture if needed. Supported architectures are listet under `supportedSystems` inside [`flake.nix`](https://git.sid.ovh/sid/synix/blob/master/flake.nix).
+> Change the architecture if needed. Supported architectures are listet under `supportedSystems` inside [`flake.nix`](https://git.sid.ovh/sid/synix/src/branch/release-25.11/flake.nix).
 
 See the script's help page for reference:
 

docs/getting-started/create-nix-config.md

@@ -1,6 +1,6 @@
 # Create your own nix-config flake
 
-Create an empty directory and apply a [nix-config template](https://git.sid.ovh/sid/synix/tree/master/templates/nix-config) to it:
+Create an empty directory and apply a [nix-config template](https://git.sid.ovh/sid/synix/src/branch/release-25.11/templates/nix-configs) to it:
 
 ```bash
 mkdir -p ~/.config/nixos

docs/getting-started/install-instructions.md

@@ -1,6 +1,6 @@
 # Installation Guide
 
-This guide will walk you through installing NixOS using the provided installation script [`install.sh`](https://git.sid.ovh/sid/synix/blob/master/apps/install/install.sh).
+This guide will walk you through installing NixOS using the provided installation script [`install.sh`](https://git.sid.ovh/sid/synix/src/branch/release-25.11/apps/install/install.sh).
 
 ## Prerequisites
 
@@ -114,7 +114,8 @@ git clone YOUR_GIT_REPO_URL ~/.config/nixos
 Home Manager is not installed by default. Enter the development shell to apply the configuration:
 
 ```bash
-nix-shell ~/.config/nixos/shell.nix --run 'rebuild home'
+nix --experimental-features "nix-command flakes" develop git+https://git.sid.ovh/sid/synix#devShells.x86_64-linux.install-hm \
+--command "rebuild home"
 ```
 
 ### 8. Reboot your System

docs/modules/home/bemenu.md

@@ -2,7 +2,7 @@
 
 `bemenu` is a dynamic menu library and client program inspired by dmenu.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/bemenu).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/bemenu).
 If you use this repository's [Hyprland module](./hyprland.md), it is enabled by default.
 
 ## References

docs/modules/home/common.md

@@ -2,7 +2,7 @@
 
 The common module sets some opinionated defaults.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/common).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/common).
 
 It is recommended to import it in your Home Manager configuration as some synix modules may depend on it:
 

docs/modules/home/gemini-cli.md

@@ -1,65 +0,0 @@
-# Gemini CLI
-
-An open-source AI agent that brings the power of Gemini directly into your terminal.
-
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/gemini-cli).
-
-## References
-
-- [GitHub](https://github.com/google-gemini/gemini-cli)
-- [CLI Docs](https://github.com/google-gemini/gemini-cli/tree/main/docs/cli)
-
-## Setup
-
-The package must be set by you. Easiest option is to use the synix overlay:
-
-```nix
-{ inputs, pkgs, ... }:
-
-{
-  imports = [
-    inputs.synix.homeModules.gemini-cli
-  ];
-
-  programs.gemini-cli = {
-    enable = true;
-    package = pkgs.synix.gemini-cli;
-  };
-}
-```
-
-Gemini CLI reads environment variables, such as your API key, from `~/.gemini/.env`. You can manage it with sops-nix:
-
-```nix
-{ config, ... }:
-
-{
-  sops.secrets.gemini-api-key = { };
-  sops.templates.gemini-cli-env = {
-    content = ''
-      GEMINI_API_KEY=${config.sops.placeholder.gemini-api-key}
-    '';
-    path = config.home.homeDirectory + "/.gemini/.env";
-  };
-}
-```
-
-Set `gemini-api-key` in your `secrets.yaml`:
-
-> Replace `abc123` with your Gemini API key.
-
-```yaml
-gemini-api-key: abc123
-```
-
-## Troubleshooting
-
-These are some common warnings and errors you might encounter when using Gemini CLI:
-
-### Error saving user settings file
-
-```
-Error saving user settings file: Error: EROFS: read-only file system, open '/home/you/.gemini/settings.json'
-```
-
-This is intended behavior.

docs/modules/home/gpg.md

@@ -2,7 +2,7 @@
 
 This module sets some defaults for gpg, mainly to let your gpg-agent handle ssh keys.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/gpg).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/gpg).
 
 ## SSH Setup
 

docs/modules/home/hyprland.md

@@ -6,17 +6,17 @@ This module extends the options of and sets some defaults for [Hyprland](https:/
 - XDG mime support and user directories
 - enable Waybar as status bar
 - enable dunst as notification service
-- some [packages](https://git.sid.ovh/sid/synix/blob/master/modules/home/hyprland/packages.nix)
+- some [packages](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland/packages.nix)
-- [keybindings](https://git.sid.ovh/sid/synix/blob/master/modules/home/hyprland/binds/default.nix)
+- [keybindings](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland/binds/default.nix)
 - manage default applications via the new `applications` option
 
 > Always import both NixOS and Home Manager modules from `synix` when using Hyprland.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/hyprland).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland).
 
 ## Keybindings
 
-The ["Master Layout"](https://wiki.hyprland.org/Configuring/Master-Layout/) is the only supported window layout.
+The ["Master Layout"](https://wiki.hypr.land/Configuring/Layouts/Master-Layout/) is the only supported window layout.
 
 > `$mod`, `modifier` or `SUPER` refer to the same key which is the Windows key by default.
 
@@ -59,7 +59,7 @@ Keybinding | Function
 `SUPER LMB` | Move window by dragging
 `SUPER RMB` | Resize window by dragging
 
-Some [media keys](https://git.sid.ovh/sid/synix/blob/master/modules/home/hyprland/binds/mediakeys.nix) are also supported.
+Some [media keys](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland/binds/mediakeys.nix) are also supported.
 
 ## Default applications
 
@@ -73,7 +73,7 @@ To add default applications to Hyprland, you need to do the following steps:
 
 ### 1. Look for an existing category
 
-Check if a fitting category for your application exists in [`applications/default.nix`](https://git.sid.ovh/sid/synix/blob/master/modules/home/hyprland/applications/default.nix).
+Check if a fitting category for your application exists in [`applications/default.nix`](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland/applications/default.nix).
 Categories are listed under `options.wayland.windowManager.hyprland.applications`, for example:
 
 ```nix
@@ -133,13 +133,13 @@ in
 }
 ```
 
-> The function [`genMimeAssociations`](https://git.sid.ovh/sid/synix/blob/master/modules/home/hyprland/applications/genMimeAssociations.nix) might be useful here. See [`feh`'s config](https://git.sid.ovh/sid/synix/blob/master/modules/home/hyprland/applications/feh/default.nix) as an example.
+> The function [`genMimeAssociations`](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland/applications/genMimeAssociations.nix) might be useful here. See [`feh`'s config](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland/applications/feh/default.nix) as an example.
 
 > Available MIME types can be found [here](https://www.iana.org/assignments/media-types/media-types.xhtml).
 
 ### 3. Import the directory
 
-You then need to import this directory in [`applications/default.nix`](https://git.sid.ovh/sid/synix/blob/master/modules/home/hyprland/applications/default.nix).
+You then need to import this directory in [`applications/default.nix`](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland/applications/default.nix).
 Look for the comment `# add your application directories here`:
 
 ```nix

docs/modules/home/kitty.md

@@ -2,7 +2,7 @@
 
 `kitty` is a cross-platform, fast, feature-rich, GPU based terminal emulator.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/kitty).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/kitty).
 If you use this repository's [Hyprland module](./hyprland.md), it is enabled by default.
 
 ## References

docs/modules/home/lf.md

@@ -1,11 +0,0 @@
-# lf
-
-> Note: This module is not actively maintained. Expect things to break!
-
-`lf` is a terminal file manager.
-
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/lf).
-
-## References
-
-- [GitHub](https://github.com/gokcehan/lf)

docs/modules/home/networkmanager-dmenu.md

@@ -2,7 +2,7 @@
 
 networkmanager-dmenu allows you to control NetworkManager via dmenu.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/networkmanager-dmenu).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/networkmanager-dmenu).
 If you use this repository's [Hyprland module](./hyprland.md), it is enabled by default.
 
 ## References

docs/modules/home/nextcloud-sync.md

@@ -1,75 +0,0 @@
-# Nextcloud sync client
-
-Because every other client sucks.
-
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/nextcloud-sync).
-
-## Setup
-
-This is an example home config:
-
-```nix
-{ inputs, config, ... }:
-
-{
-  imports = [
-    inputs.synix.homeModules.nextcloud-sync
-  ];
-
-  services.nextcloud-sync = {
-    enable = true;
-    remote = "cloud.sid.ovh"; # just the URL without `https://`
-    passwordFile = config.sops.secrets.nextcloud.path;
-    connections = [ # absolute paths without trailing /
-      {
-        local = "/home/sid/aud";
-        remote = "/aud";
-      }
-      {
-        local = "/home/sid/doc";
-        remote = "/doc";
-      }
-      {
-        local = "/home/sid/img";
-        remote = "/img";
-      }
-      {
-        local = "/home/sid/vid";
-        remote = "/vid";
-      }
-    ];
-  };
-}
-```
-
-## Usage
-
-You can manually sync by running:
-
-```bash
-nextcloud-sync-all
-```
-
-This will synchronize all defined connections.
-
-## Troubleshooting
-
-Each listed connection spawns a systemd user service and timer. Using the example above, we get:
-
-```plaintext
-nextcloud-sync-aud.service
-nextcloud-sync-aud.timer
-nextcloud-sync-doc.service
-nextcloud-sync-doc.timer
-nextcloud-sync-img.service
-nextcloud-sync-img.timer
-nextcloud-sync-vid.service
-nextcloud-sync-vid.timer
-```
-
-Check their status to know what might go wrong:
-
-```bash
-systemctl --user status nextcloud-sync-doc.service
-journalctl --user -xeu nextcloud-sync-doc.service
-```

docs/modules/home/nixvim.md

@@ -2,7 +2,7 @@
 
 This module provides some defaults to quickly set up Nixvim with some plugins. 
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/nixvim).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/nixvim).
 
 ## Config
 
@@ -88,7 +88,7 @@ key | action
 `<C-A-K>` | next quickfix item
 `<leader>ca` | apply code action
 
-See [keymaps.nix](https://git.sid.ovh/sid/synix/blob/master/modules/home/nixvim/keymaps.nix) and [plugins](https://git.sid.ovh/sid/synix/blob/master/modules/home/nixvim/plugins/) for more details.
+See [keymaps.nix](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/nixvim/keymaps.nix) and [plugins](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/nixvim/plugins/) for more details.
 
 These commands do not have keymaps yet but might be useful anyway:
 

docs/modules/home/password-manager.md

@@ -2,7 +2,7 @@
 
 This module will automatically install [`pass`](https://www.passwordstore.org/) as your password manager. It also provides a custom version of [`passmenu`](https://git.zx2c4.com/password-store/tree/contrib/dmenu/passmenu) using `bemenu` for Wayland sessions called `passmenu-bemenu` and configures [passff](https://codeberg.org/PassFF/passff) for your web browser.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/password-manager).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/password-manager).
 
 ## Setup
 

docs/modules/home/sops.md

@@ -4,7 +4,7 @@ For more information on how to use this module, see the [Sops NixOS module docum
 
 For extensive documentation, read the [Readme on GitHub](https://github.com/Mic92/sops-nix/blob/master/README.md).
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/sops).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/sops).
 
 ## 1. Generate an age key
 

docs/modules/home/stylix.md

@@ -2,7 +2,7 @@
 
 This module wraps [stylix](https://github.com/nix-community/stylix), a theming framework for NixOS, Home Manager, nix-darwin, and Nix-on-Droid.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/stylix).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/stylix).
 
 ## References
 
@@ -30,11 +30,11 @@ stylix = {
 };
 ```
 
-Replace `SCHEME` with the name of your scheme. Available schemes are listed as `validSchemes` in [our stylix module](https://git.sid.ovh/sid/synix/tree/master/modules/home/stylix/default.nix).
+Replace `SCHEME` with the name of your scheme. Available schemes are listed as `validSchemes` in [our stylix module](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/stylix/default.nix).
 
 ## Create a scheme
 
-You can create your own scheme in `schemes/<scheme>.yaml`. To make it available via `stylix.scheme`, you need to add it to `validSchemes` and `customSchemes` in [the module's `default.nix`](https://git.sid.ovh/sid/synix/tree/master/modules/home/stylix/default.nix). Make sure that the resulting scheme name is a valid [colorscheme in nixvim](https://github.com/nix-community/nixvim/tree/main/plugins/colorschemes).
+You can create your own scheme in `schemes/<scheme>.yaml`. To make it available via `stylix.scheme`, you need to add it to `validSchemes` and `customSchemes` in [the module's `default.nix`](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/stylix/default.nix). Make sure that the resulting scheme name is a valid [colorscheme in nixvim](https://github.com/nix-community/nixvim/tree/main/colorschemes).
 
 It is recommended to set colors according to their purpose / name. This means that `base00` should always be a rather dark color for the background and `base08` a reddish color.
 

docs/modules/home/virtualisation.md

@@ -2,7 +2,7 @@
 
 Home Manager module to go with the [Virtualisation NixOS module](../nixos/virtualisation.md).
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/virtualisation).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/virtualisation).
 
 ## Setup
 

docs/modules/home/waybar.md

@@ -2,7 +2,7 @@
 
 Waybar is a highly customizable Wayland bar for Sway and Wlroots based compositors.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/waybar).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/waybar).
 If you use this repository's [Hyprland module](./hyprland.md), it is enabled by default.
 
 ## References

docs/modules/home/yazi.md

@@ -2,7 +2,7 @@
 
 Terminal file manager written in Rust.
 
-View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/home/yazi).
+View the [*synix* Home Manager module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/home/hyprland/applications/yazi).
 If you use this repository's [Hyprland module](./hyprland.md), it is enabled by default.
 
 ## References

docs/modules/nixos/audio.md

@@ -2,7 +2,7 @@
 
 PipeWire is a server for handling audio, video streams, and hardware on Linux.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/audio).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/audio).
 
 ## References
 

docs/modules/nixos/baibot.md

@@ -2,7 +2,7 @@
 
 Baibot is a Matrix AI bot.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/baibot).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/baibot).
 
 ## References
 

docs/modules/nixos/cifsmount.md

@@ -4,7 +4,7 @@
 
 This module allows you to automount cifs shares after the login of the specified user. The remote has to have a running samba server.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/cifsMount).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/cifsMount).
 
 ## Config
 

docs/modules/nixos/common.md

@@ -2,7 +2,7 @@
 
 The common module sets some opinionated defaults.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/common).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/common).
 
 It is recommended to import it in your NixOS configuration as some synix modules may depend on it:
 

docs/modules/nixos/device.md

@@ -2,7 +2,7 @@
 
 This module lets you set some defaults for a device type.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/device).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/device).
 
 Available devices are:
 

docs/modules/nixos/ftp-webserver.md

@@ -4,4 +4,4 @@
 
 This module sets up a simple ftp web server behind a reverse proxy (`ftp.domain.tld` by default).
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/ftp-webserver).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/ftp-webserver).

docs/modules/nixos/headplane.md

@@ -2,7 +2,7 @@
 
 A feature-complete Web UI for Headscale.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/headplane).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/headplane).
 
 ## References
 

docs/modules/nixos/headscale.md

@@ -2,7 +2,7 @@
 
 Headscale is an open source, self-hosted implementation of the Tailscale control server.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/headscale).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/headscale).
 
 ## References
 

docs/modules/nixos/i2pd.md

@@ -2,7 +2,7 @@
 
 I2P is an End-to-End encrypted and anonymous Internet.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/i2pd).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/i2pd).
 
 ## References
 

docs/modules/nixos/jellyfin.md

@@ -2,7 +2,7 @@
 
 Jellyfin is a free and open-source media server and suite of multimedia applications.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/jellyfin).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/jellyfin).
 
 ## References
 

docs/modules/nixos/jirafeau.md

@@ -2,8 +2,8 @@
 
 Jirafeau is a project that allows "one-click filesharing", making it easy to upload a file and give it a unique link.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/jirafeau).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/jirafeau).
 
 ## References
 
-- [docs](https://github.com/Newlode/jirafeauhttps://github.com/Newlode/jirafeau)
+- [docs](https://github.com/Newlode/jirafeau)

docs/modules/nixos/mailserver.md

@@ -2,7 +2,7 @@
 
 A simple NixOS mailserver.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/mailserver).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/mailserver).
 
 ## References
 

docs/modules/nixos/matrix-synapse.md

@@ -2,7 +2,7 @@
 
 Synapse is a [Matrix](https://matrix.org/) homeserver. Matrix is an open network for secure, decentralised communication.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/matrix-synapse).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/matrix-synapse).
 
 ## References
 
@@ -40,7 +40,7 @@ nix-shell -p livekit --run "livekit-server generate-keys | tail -1 | awk '{print
 
 ## Config
 
-[Coturn has its own module](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/matrix-synapse), making it easy to outsource to a small VPS with a static IPv4 address.
+[Coturn has its own module](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/matrix-synapse), making it easy to outsource to a small VPS with a static IPv4 address.
 If you do so, both machines need the secret `coturn/static-auth-secret`.
 
 In the following example, both services run on the same machine:

docs/modules/nixos/maubot.md

@@ -4,7 +4,7 @@ A plugin-based Matrix bot system.
 
 > Warning: Maubot uses [deprecated `libolm`](https://github.com/mautrix/go/issues/262).
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/maubot).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/maubot).
 
 ## References
 

docs/modules/nixos/mcpo.md

@@ -2,7 +2,7 @@
 
 A simple MCP-to-OpenAPI proxy server.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/mcpo).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/mcpo).
 
 ## References
 
@@ -10,7 +10,7 @@ View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/ma
 
 ## Configuration
 
-You have to provide a package, for example from [synix](https://git.sid.ovh/sid/synix/tree/master/pkgs/mcpo/default.nix).
+You have to provide a package, for example from [synix](https://git.sid.ovh/sid/synix/src/branch/release-25.11/pkgs/mcpo/default.nix).
 
 Setting `mcpServers` is required. The following example runs a NixOS MCP server using [mcp-nixos](https://github.com/utensils/mcp-nixos).
 
@@ -43,6 +43,6 @@ Each tool will be accessible under its own unique route `127.0.0.1:8000/<mcp-ser
 
 ## Open WebUI Integration
 
-Follow the [official Open WebUI integration documentation starting at *Step 2*](https://docs.openwebui.com/openapi-servers/open-webui/#step-2-connect-tool-server-in-open-webui).
+Follow the [official Open WebUI integration documentation starting at *Step 2*](https://docs.openwebui.com/features/extensibility/plugin/tools/openapi-servers/open-webui#step-2-connect-tool-server-in-open-webui).
 
 In Open WebUI, users have to set *Function Calling* to *Native* in *Settings* > *General* > *Advanced Parameters*. Then, they can enable MCP servers in a chat by clicking *More* (the plus sign) in the bottom left of the prompt window.

docs/modules/nixos/miniflux.md

@@ -2,7 +2,7 @@
 
  Miniflux is a minimalist and opinionated feed reader.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/miniflux).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/miniflux).
 
 ## References
 

docs/modules/nixos/normalUsers.md

@@ -2,7 +2,7 @@
 
 This module automates user creation for normal users.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/normalUsers).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/normalUsers).
 
 ## Config
 

docs/modules/nixos/nvidia.md

@@ -4,7 +4,7 @@ NixOS module that configures your Nvidia GPU with proprietary drivers.
 
 > Tested on Turing and Ampere. Should work with most modern Nvidia GPUs.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/nvidia).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/nvidia).
 
 ## Setup
 

docs/modules/nixos/open-webui-oci.md

@@ -2,13 +2,13 @@
 
 Open WebUI is an extensible, self-hosted AI interface that adapts to your workflow, all while operating entirely offline.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/open-webui-oci).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/open-webui-oci).
 
 ## References
 
 - [Homepage](https://openwebui.com/)
 - [GitHub](https://github.com/open-webui/open-webui)
-- [Environment Configuration](https://docs.openwebui.com/getting-started/env-configuration/)
+- [Environment Configuration](https://docs.openwebui.com/reference/env-configuration/)
 - [Nixpkgs Docker tools](https://github.com/NixOS/nixpkgs/blob/master/doc/build-helpers/images/dockertools.section.md)
 
 ## Configuration

docs/modules/nixos/print-server.md

@@ -4,4 +4,4 @@
 
 This module sets up a printing server with a web interface.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/print-server).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/print-server).

docs/modules/nixos/radicale.md

@@ -2,7 +2,7 @@
 
 A simple CalDAV and CardDAV server.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/radicale).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/radicale).
 
 ## References
 

docs/modules/nixos/rss-bridge.md

@@ -2,7 +2,7 @@
 
 RSS-Bridge is a PHP web application. It generates web feeds for websites that don't have one.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/rss-bridge).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/rss-bridge).
 
 ## References
 

docs/modules/nixos/sops.md

@@ -2,7 +2,7 @@
 
 Atomic secret provisioning for NixOS based on sops.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/sops).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/sops).
 
 ## References
 

docs/modules/nixos/virtualisation.md

@@ -2,7 +2,7 @@
 
 Virtualisation using QEMU via libvirt and managed through Virt-manager with VFIO support.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/virtualisation).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/virtualisation).
 
 ## Overview
 

docs/modules/nixos/webpage.md

@@ -2,4 +2,4 @@
 
 A very simple module to serve a static web page behind a reverse proxy using nginx.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/webPage).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/webPage).

docs/modules/nixos/windows-oci.md

@@ -2,7 +2,7 @@
 
 Windows inside a Docker container.
 
-View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/tree/master/modules/nixos/windows-oci).
+View the [*synix* NixOS module on Forgejo](https://git.sid.ovh/sid/synix/src/branch/release-25.11/modules/nixos/windows-oci).
 
 ## References
 

flake.lock

@@ -258,11 +258,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776796298,
+        "lastModified": 1778507602,
-        "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=",
+        "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad",
+        "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
         "type": "github"
       },
       "original": {
@@ -349,11 +349,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777851538,
+        "lastModified": 1779506708,
-        "narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
+        "narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
+        "rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f",
         "type": "github"
       },
       "original": {
@@ -465,11 +465,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1777673416,
+        "lastModified": 1779467186,
-        "narHash": "sha256-5c2POKPOjU40Kh0MirOdScBLG0bu9TAuPYAtPRNZMBs=",
+        "narHash": "sha256-nOesoDCiXcUftqbRBMz9tt4blI5PvljMWbm3kuCA+0s=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "26ef669cffa904b6f6832ab57b77892a37c1a671",
+        "rev": "b77b3de8775677f84492abe84635f87b0e153f0f",
         "type": "github"
       },
       "original": {
@@ -511,11 +511,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777906128,
+        "lastModified": 1779900588,
-        "narHash": "sha256-ei9g+4pCXhacUwnYuljs9v75hwfTqnfU+J6s6s8hfvc=",
+        "narHash": "sha256-b/yda4uMmjpw4uhXI4d0JNv09WtGoXis2JjD5l1Qbts=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "c278c296b010e2a32838c8d4539a2d72c1686d4d",
+        "rev": "dd8bdde89853bfb3eae0eb28e3d3a9320b3b8a3c",
         "type": "github"
       },
       "original": {
@@ -605,11 +605,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1777581180,
+        "lastModified": 1778680496,
-        "narHash": "sha256-JcDBTZkkz68WlZKYDoD+MZG8b3dnIJXqMvyuVx3Wkdg=",
+        "narHash": "sha256-tUq1WASV0dHLv3j18log8V6Esq0NYkXuzNH2EHsstcg=",
         "owner": "nix-community",
         "repo": "stylix",
-        "rev": "a2538cd28ae2140ffce9cee9108b8d569a9c4fed",
+        "rev": "fc5bec2e44678eeaa221d566d447a0257a884737",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,7 +3,6 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
 
     nix.url = "github:DeterminateSystems/nix-src/flake-schemas";
-
     flake-schemas.url = "github:DeterminateSystems/flake-schemas";
 
     git-hooks.url = "github:cachix/git-hooks.nix";
@@ -29,50 +28,69 @@
       ...
     }@inputs:
     let
-      supportedSystems = [
+      inherit (self) outputs;
+
+      systems = [
         "x86_64-linux"
         "aarch64-linux" # For testing only. Use at your own risk.
       ];
 
-      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+      lib = nixpkgs.lib.extend (_final: _prev: { inherit (self.lib) utils; });
 
-      nixpkgsFor = forAllSystems (
+      mkPkgs =
-        system:
+        {
+          system,
+          config ? { },
+        }:
         import nixpkgs {
           inherit system;
+          inherit config;
           overlays = [
-            self.overlays.default
+            self.overlays.modifications
+            self.overlays.additions
             inputs.nix.overlays.default
+            (final: prev: { synix = self.overlays.additions final prev; })
           ];
-        }
-      );
-
-      test = {
-        system = "x86_64-linux";
-        lib = nixpkgs.lib.extend (final: prev: self.outputs.lib or { });
-        inputs = inputs // {
-          synix = self;
         };
-        outputs = { };
+
-        overlays = [
+      forAllSystems =
-          self.overlays.default
+        function:
-          self.overlays.additions
+        lib.genAttrs systems (
-          self.overlays.modifications
+          system:
-          (final: prev: { synix = self.packages."${final.system}"; })
+          function (mkPkgs {
-        ];
+            inherit system;
-      };
+          })
+        );
+
+      mkNixosConfiguration =
+        system: modules:
+        nixpkgs.lib.nixosSystem {
+          inherit system modules;
+          specialArgs = {
+            inherit inputs outputs lib;
+          };
+        };
+
+      mkHomeConfiguration =
+        system: modules:
+        inputs.home-manager.lib.homeManagerConfiguration {
+          pkgs = mkPkgs { inherit system; };
+          inherit modules;
+          extraSpecialArgs = {
+            inherit inputs outputs;
+          };
+        };
     in
     {
       inherit (inputs.flake-schemas) schemas;
 
       apps = forAllSystems (
-        system:
+        pkgs:
         let
-          pkgs = nixpkgs.legacyPackages.${system};
+          mkApp = name: description: {
-          mkApp = name: desc: {
             type = "app";
             program = pkgs.lib.getExe (pkgs.callPackage ./apps/${name} { });
-            meta.description = desc;
+            meta.description = description;
           };
         in
         {
@@ -86,13 +104,17 @@
       );
 
       lib = {
-        utils = import ./lib/utils.nix { lib = nixpkgs.lib; };
+        utils = import ./lib/utils.nix { inherit (nixpkgs) lib; };
+        helpers = {
+          inherit mkPkgs;
+        };
       };
 
       packages = forAllSystems (
-        system:
+        pkgs:
         let
-          allArchs = import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; };
+          inherit (pkgs.stdenv.hostPlatform) system;
+          allArchs = import ./pkgs { inherit pkgs; };
           x64only =
             if system == "x86_64-linux" then
               {
@@ -111,109 +133,93 @@
 
       # test configs
       nixosConfigurations = {
-        nixos-hyprland = nixpkgs.lib.nixosSystem {
+        nixos-hyprland = mkNixosConfiguration "x86_64-linux" [ ./tests/build/nixos-hyprland ];
-          inherit (test) system;
+        nixos-server = mkNixosConfiguration "x86_64-linux" [ ./tests/build/nixos-server ];
-          modules = [
-            ./tests/build/nixos-hyprland
-            { nixpkgs.overlays = test.overlays; }
-          ];
-          specialArgs = {
-            inherit (test) inputs outputs lib;
-          };
-        };
-        nixos-server = nixpkgs.lib.nixosSystem {
-          inherit (test) system;
-          modules = [
-            ./tests/build/nixos-server
-            { nixpkgs.overlays = test.overlays; }
-          ];
-          specialArgs = {
-            inherit (test) inputs outputs lib;
-          };
-        };
       };
       homeConfigurations = {
-        hm-hyprland = inputs.home-manager.lib.homeManagerConfiguration {
+        hm-hyprland = mkHomeConfiguration "x86_64-linux" [ ./tests/build/hm-hyprland ];
-          pkgs = import nixpkgs {
-            inherit (test) overlays system;
-          };
-          extraSpecialArgs = {
-            inherit (test) inputs outputs;
-          };
-          modules = [
-            ./tests/build/hm-hyprland
-          ];
-        };
       };
 
       devShells = forAllSystems (
-        system:
+        pkgs:
         let
-          pkgs = nixpkgsFor.${system};
+          inherit (pkgs.stdenv.hostPlatform) system;
+          inherit (self.checks.${system}.pre-commit-check) shellHook enabledPackages;
         in
         {
-          default =
+          default = pkgs.mkShell {
-            let
+            inherit shellHook;
-              inherit (self.checks.${system}.pre-commit-check) shellHook enabledPackages;
+            nativeBuildInputs = [
-            in
+              enabledPackages
-            pkgs.mkShell {
+              pkgs.nix
-              inherit shellHook;
+              pkgs.lychee
-              nativeBuildInputs = [
+            ]
-                enabledPackages
+            ++ (with pkgs; [
-                pkgs.nix
+              (python313.withPackages (
-              ]
+                p: with p; [
-              ++ (with pkgs; [
+                  mkdocs
-                (python313.withPackages (
+                  mkdocs-material
-                  p: with p; [
+                  mkdocs-material-extensions
-                    mkdocs
+                  pygments
-                    mkdocs-material
+                ]
-                    mkdocs-material-extensions
+              ))
-                    pygments
+            ]);
-                  ]
+          };
-                ))
+          nix-config = pkgs.mkShell {
-              ]);
+            inherit shellHook;
-            };
+            nativeBuildInputs = [ enabledPackages ];
+          };
+          install-hm = pkgs.mkShell {
+            NIX_CONFIG = "extra-experimental-features = nix-command flakes";
+            nativeBuildInputs = [ pkgs.home-manager ];
+          };
         }
       );
 
       formatter = forAllSystems (
-        system:
+        pkgs:
         let
-          pkgs = nixpkgs.legacyPackages.${system};
+          inherit (pkgs.stdenv.hostPlatform) system;
-          config = self.checks.${system}.pre-commit-check.config;
+          inherit (self.checks.${system}.pre-commit-check.config) package configFile;
-          inherit (config) package configFile;
-          script = ''
-            ${pkgs.lib.getExe package} run --all-files --config ${configFile}
-          '';
         in
-        pkgs.writeShellScriptBin "pre-commit-run" script
+        pkgs.writeShellScriptBin "pre-commit-run" "${pkgs.lib.getExe package} run --all-files --config ${configFile}"
       );
 
       checks = forAllSystems (
-        system:
+        pkgs:
         let
-          pkgs = nixpkgs.legacyPackages.${system};
+          inherit (pkgs.stdenv.hostPlatform) system;
-          flakePkgs = self.packages.${system};
-          overlaidPkgs = import nixpkgs {
-            inherit system;
-            overlays = [ self.overlays.modifications ];
-          };
         in
         {
           pre-commit-check = inputs.git-hooks.lib.${system}.run {
             src = ./.;
             hooks = {
-              nixfmt.enable = true;
+              actionlint.enable = true;
+              nixfmt = {
+                enable = true;
+                settings.width = 120;
+              };
+              shellcheck.enable = true;
+              statix.enable = true;
+              yamllint = {
+                enable = true;
+                excludes = [
+                  "secrets.yaml"
+                  "modules/home/stylix/schemes/*.yaml"
+                ];
+                settings.configData = "{rules: {line-length: {max: 120}}}";
+              };
             };
           };
-          build-packages = pkgs.linkFarm "flake-packages-${system}" flakePkgs;
+
-          build-overlays = pkgs.linkFarm "flake-overlays-${system}" {
+          build-additions = pkgs.linkFarm "added-packages-${system}" self.packages.${system};
-            kicad = overlaidPkgs.kicad;
+          build-modifications = pkgs.linkFarm "modified-packages-${system}" (
-          };
+            lib.filterAttrs (_: v: lib.isDerivation v) (self.overlays.modifications pkgs pkgs)
+          );
 
           synapse-test =
             let
-              testPkgs = import nixpkgs {
+              testPkgs = mkPkgs {
                 inherit system;
                 config.permittedInsecurePackages = [ "olm-3.2.16" ];
               };

mkdocs.yml

@@ -1,3 +1,4 @@
+---
 site_name: synix docs
 repo_url: https://git.sid.ovh/sid/synix
 site_url: https://doc.sid.ovh/synix
@@ -20,7 +21,7 @@ markdown_extensions:
   - pymdownx.superfences
 
 nav:
-  - Home: index.md # do not change
+  - Home: index.md  # do not change
   - Introduction to Nix:
       - Overview: introduction-to-nix/overview.md
       - Install Nix: introduction-to-nix/install-nix.md
@@ -67,7 +68,6 @@ nav:
           - hyprland: modules/home/hyprland.md
           - kitty: modules/home/kitty.md
           - networkmanager-dmenu: modules/home/networkmanager-dmenu.md
-          - nextcloud-sync: modules/home/nextcloud-sync.md
           - nixvim: modules/home/nixvim.md
           - password-manager: modules/home/password-manager.md
           - sops: modules/home/sops.md

modules/home/common/cdf.sh

@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 # change directory with fzf
 # Usage: cdf [optional_relative_path]
 #   - If no argument, searches from $HOME.
@@ -67,7 +68,8 @@ function cdf() {
     "--preview=tree -C {} | head -50"
     "--preview-window=right:50%:wrap"
   )
-  local selected=$(find "${find_args[@]}" 2>/dev/null | fzf "${fzf_args[@]}")
+  local selected
+  selected=$(find "${find_args[@]}" 2>/dev/null | fzf "${fzf_args[@]}")
   
   if [[ -n "$selected" ]]; then
     cd "$selected" || echo "Failed to cd into '$selected'"

modules/home/common/fr.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# find and replace strings with rg
+# Usage: fr OLD NEW
+
+fr() {
+  rg -lF "$1" | xargs sed -i "s|$1|$2|g"
+}

modules/home/common/zsh.nix

@@ -12,6 +12,7 @@ in
       PROMPT='%F{green}%n%f@%F{blue}%m%f %B%1~%b > '
       RPROMPT='[%F{yellow}%?%f]'
     ''
-    + builtins.readFile ./cdf.sh;
+    + builtins.readFile ./cdf.sh
+    + builtins.readFile ./fr.sh;
   };
 }

modules/home/hyprland/applications/bitwarden/default.nix

@@ -0,0 +1,48 @@
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.wayland.windowManager.hyprland;
+  app = cfg.applications.password-manager.default;
+
+  inherit (lib) mkDefault mkIf;
+in
+{
+  imports = [ ../../../rofi-rbw ];
+
+  config = mkIf (cfg.enable && app == "rofi-rbw") {
+    programs = {
+      rbw = {
+        enable = true;
+        settings = {
+          # email = "you@example.tld"; # You have to set this in your config
+          pinentry = mkDefault pkgs.pinentry-gnome3;
+          lock_timeout = mkDefault 3600;
+        };
+      };
+
+      rofi-rbw = {
+        enable = true;
+        package = mkDefault pkgs.rofi-rbw-wayland;
+        settings = {
+          selector = mkDefault "bemenu";
+          selector-args = mkDefault "-i -l 20";
+          action = mkDefault "copy";
+          typing-key-delay = mkDefault 0;
+        };
+      };
+
+      librewolf = mkIf config.programs.librewolf.enable {
+        profiles.default.extensions.packages =
+          with inputs.nur.legacyPackages."${pkgs.stdenv.hostPlatform.system}".repos.rycee.firefox-addons; [
+            bitwarden
+          ];
+      };
+    };
+  };
+}

modules/home/hyprland/applications/default.nix

@@ -22,7 +22,7 @@ let
     {
       default = mkOption {
         type = types.str;
-        default = default;
+        inherit default;
         description = "The default application to use for the ${default}.";
       };
       bind = mkOption {
@@ -38,12 +38,8 @@ let
     };
 
   # generate lists of all binds and window rules and remove empty strings
-  binds = filter (s: s != "") (
+  binds = filter (s: s != "") (builtins.concatLists (map (app: app.bind or [ "" ]) (attrValues apps)));
-    builtins.concatLists (map (app: app.bind or [ "" ]) (attrValues apps))
+  windowrules = filter (s: s != "") (builtins.concatLists (map (app: app.windowrule or [ "" ]) (attrValues apps)));
-  );
-  windowrules = filter (s: s != "") (
-    builtins.concatLists (map (app: app.windowrule or [ "" ]) (attrValues apps))
-  );
 
   inherit (lib)
     attrValues
@@ -56,6 +52,7 @@ let
 in
 {
   imports = [
+    ./bitwarden
     ./bemenu
     ./dmenu-bluetooth
     ./dunst-toggle

modules/home/hyprland/applications/dunst-toggle/dunst-toggle.nix

@@ -5,7 +5,7 @@ let
   pkill = "${pkgs.procps}/bin/pkill";
   signal = "${toString config.programs.waybar.settings.mainBar."custom/notifications".signal}";
 in
-(pkgs.writeShellScriptBin "dunst-toggle" ''
+pkgs.writeShellScriptBin "dunst-toggle" ''
   ${dunst} set-paused toggle
   ${pkill} -RTMIN+${signal} waybar
-'')
+''

modules/home/hyprland/applications/newsboat/default.nix

@@ -9,7 +9,7 @@ let
   cfg = config.wayland.windowManager.hyprland;
   app = cfg.applications.rssreader.default;
   reloadTime = "${toString config.programs.newsboat.reloadTime}";
-  newsboat-reload = (import ./newsboat-reload.nix { inherit config pkgs; });
+  newsboat-reload = import ./newsboat-reload.nix { inherit config pkgs; };
 
   inherit (lib) mkIf;
 in
@@ -27,9 +27,11 @@ in
       timers.newsboat-reload = {
         Unit.Description = "Reload newsboat every ${reloadTime} minutes";
 
-        Timer.OnBootSec = "10sec";
+        Timer = {
-        Timer.OnUnitActiveSec = "${reloadTime}min";
+          OnBootSec = "10sec";
-        Timer.Unit = "newsboat-reload.service";
+          OnUnitActiveSec = "${reloadTime}min";
+          Unit = "newsboat-reload.service";
+        };
 
         Install.WantedBy = [ "timers.target" ];
       };

modules/home/hyprland/applications/newsboat/newsboat-reload.nix

@@ -5,6 +5,6 @@ let
   notify = "${pkgs.libnotify}/bin/notify-send";
   signal = "${toString config.programs.waybar.settings.mainBar."custom/newsboat".signal}";
 in
-(pkgs.writeShellScriptBin "newsboat-reload" ''
+pkgs.writeShellScriptBin "newsboat-reload" ''
   ${notify} -u low 'Newsboat' 'Reloading RSS feeds...' && ${newsboat} -x reload && ${notify} -u low 'Newsboat' 'RSS feeds reloaded.' && pkill -RTMIN+${signal} waybar
-'')
+''

modules/home/hyprland/applications/presentation-mode-bemenu/default.nix

@@ -14,9 +14,7 @@ in
 {
   config = mkIf (cfg.enable && app == "presentation-mode-bemenu") {
     home.packages = [
-      (pkgs.writeShellScriptBin "presentation-mode-bemenu" (
+      (pkgs.writeShellScriptBin "presentation-mode-bemenu" (builtins.readFile ./presentation-mode-bemenu.sh))
-        builtins.readFile ./presentation-mode-bemenu.sh
-      ))
     ];
   };
 }

modules/home/hyprland/applications/presentation-mode-bemenu/presentation-mode-bemenu.sh

@@ -1,5 +1,6 @@
+#!/usr/bin/env bash
 # Variables
-DISPLAYS=( $(hyprctl monitors | grep -E '^Monitor' | awk '{print $2}') )
+mapfile -t DISPLAYS < <(hyprctl monitors | grep -E '^Monitor' | awk '{print $2}')
 EXTEND_RIGHT="Extend to right of main"
 EXTEND_LEFT="Extend to left of main"
 MIRROR="Mirror main"

modules/home/hyprland/applications/screenshot/screenshot.nix

@@ -5,7 +5,7 @@
 let
   screenshotDir = "${config.xdg.userDirs.pictures}/screenshots";
 in
-(pkgs.writeShellScriptBin "screenshot" ''
+pkgs.writeShellScriptBin "screenshot" ''
   mkdir -p ${screenshotDir}
   ${pkgs.hyprshot}/bin/hyprshot --mode $1 --output-folder ${screenshotDir} --filename screenshot_$(date +"%Y-%m-%d_%H-%M-%S").png
-'')
+''

modules/home/hyprland/binds/default.nix

@@ -27,7 +27,7 @@ in
     wayland.windowManager.hyprland = {
       settings = {
         bind = binds;
-        bindm = (import ./mouse.nix);
+        bindm = import ./mouse.nix;
       };
     };
   };

modules/home/hyprland/cursor.nix

@@ -9,17 +9,19 @@ let
   inherit (lib) mkForce;
 in
 {
-  home.pointerCursor = {
+  home = {
-    name = mkForce "Bibata-Original-Ice";
+    pointerCursor = {
-    size = mkForce 24;
+      name = mkForce "Bibata-Original-Ice";
-    package = mkForce pkgs.bibata-cursors;
+      size = mkForce 24;
-  };
+      package = mkForce pkgs.bibata-cursors;
+    };
 
-  home.packages = [ pkgs.hyprcursor ];
+    packages = [ pkgs.hyprcursor ];
 
-  home.sessionVariables = {
+    sessionVariables = {
-    HYPRCURSOR_THEME = config.home.pointerCursor.name;
+      HYPRCURSOR_THEME = config.home.pointerCursor.name;
-    HYPRCURSOR_SIZE = toString config.home.pointerCursor.size;
+      HYPRCURSOR_SIZE = toString config.home.pointerCursor.size;
+    };
   };
 
   # wayland.windowManager.hyprland.cursor.no_hardware_cursors = true;

modules/home/hyprland/default.nix

@@ -78,12 +78,6 @@ in
     # auto discover fonts in `home.packages`
     fonts.fontconfig.enable = true;
 
-    # notifications
-    services.dunst = {
-      enable = mkDefault true;
-      waylandDisplay = config.home.sessionVariables.WAYLAND_DISPLAY;
-    };
-
     # install some applications
     home.packages = import ./packages.nix { inherit pkgs; }; # use programs.PACKAGE or services.SERVICE when possible
 
@@ -94,11 +88,19 @@ in
       fi
     '';
 
-    services.udiskie = {
+    # notifications
-      enable = mkDefault true;
+    services = {
-      tray = mkDefault "never";
+      dunst = {
-    };
+        enable = mkDefault true;
+        waylandDisplay = config.home.sessionVariables.WAYLAND_DISPLAY;
+      };
 
-    services.network-manager-applet.enable = mkDefault true;
+      udiskie = {
+        enable = mkDefault true;
+        tray = mkDefault "never";
+      };
+
+      network-manager-applet.enable = mkDefault true;
+    };
   };
 }

modules/home/hyprland/xdg/default.nix

@@ -20,8 +20,10 @@ in
       enable = mkDefault true;
       createDirectories = mkDefault true;
     };
-    portal.enable = mkDefault true;
+    portal = {
-    portal.extraPortals = [ portal ];
+      enable = mkDefault true;
-    portal.configPackages = [ portal ];
+      extraPortals = [ portal ];
+      configPackages = [ portal ];
+    };
   };
 }

modules/home/librewolf/search/default.nix

@@ -19,13 +19,13 @@ let
     in
     {
       urls = [ { template = engine.url; } ];
-      icon = engine.icon;
+      inherit (engine) icon;
       updateInterval = if (isUrl engine.icon) then every_day else null;
       definedAliases = optional (engine ? alias) engine.alias;
     };
 
   transformedEngines = mapAttrs' (name: engine: {
-    name = name;
+    inherit name;
     value = transformEngine engine;
   }) engines;
 
@@ -79,7 +79,7 @@ in
     profiles.default.search.engines = mapAttrs (_: name: transformedEngines.${name}) (
       listToAttrs (
         map (name: {
-          name = name;
+          inherit name;
           value = name;
         }) cfg.searchEngines
       )

modules/home/nixvim/plugins/treesitter.nix

@@ -16,17 +16,19 @@ in
 {
   config = {
     programs.nixvim = {
-      plugins.treesitter = {
+      plugins = {
-        enable = mkDefault true;
+        treesitter = {
-        nixvimInjections = mkDefault true;
+          enable = mkDefault true;
-        settings = {
+          nixvimInjections = mkDefault true;
-          folding.enable = mkDefault true;
+          settings = {
-          highlight.enable = mkDefault true;
+            folding.enable = mkDefault true;
-          indent.enable = mkDefault true;
+            highlight.enable = mkDefault true;
+            indent.enable = mkDefault true;
+          };
         };
+        treesitter-context = mkIf plugin.enable { enable = mkDefault true; };
+        treesitter-textobjects = mkIf plugin.enable { enable = mkDefault true; };
       };
-      plugins.treesitter-context = mkIf plugin.enable { enable = mkDefault true; };
-      plugins.treesitter-textobjects = mkIf plugin.enable { enable = mkDefault true; };
     };
 
     # Fix for: ERROR `cc` executable not found.

modules/home/password-manager/default.nix

@@ -9,7 +9,7 @@
 let
   cfg = config.programs.passwordManager;
   passmenuScript = pkgs.writeShellScriptBin "passmenu-bemenu" (builtins.readFile ./passmenu); # TODO: override original passmenu script coming from pass itself
-  passff-host = pkgs.passff-host;
+  inherit (pkgs) passff-host;
 
   inherit (lib)
     mkDefault

modules/home/stylix/default.nix

@@ -29,8 +29,7 @@ let
     "moonfly"
     "oxocarbon"
   ];
-  schemeName =
+  schemeName = if builtins.elem cfg.scheme needsSuffix then "${cfg.scheme}-${cfg.polarity}" else cfg.scheme;
-    if builtins.elem cfg.scheme needsSuffix then "${cfg.scheme}-${cfg.polarity}" else cfg.scheme;
 
   inherit (lib)
     mkDefault

modules/home/waybar/modules/newsboat.nix

@@ -10,13 +10,13 @@ let
     let
       newsboat = "${pkgs.newsboat}/bin/newsboat";
     in
-    (pkgs.writeShellScriptBin "newsboat-print-unread" ''
+    pkgs.writeShellScriptBin "newsboat-print-unread" ''
       UNREAD=$(${newsboat} -x print-unread | awk '{print $1}')
 
       if [[ $UNREAD -gt 0 ]]; then
       	printf " %i" "$UNREAD"
       fi
-    '');
+    '';
 
   inherit (lib) mkDefault;
 in

modules/home/waybar/modules/timer/timer.sh

@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 TIMER_FILE="/tmp/timer" # file to store the current time
 SIGNAL=11 # signal number to send to status bar
 STATUS_BAR="waybar" # Support for more status bars?
@@ -16,7 +17,7 @@ start_timer() {
     notify-send "Timer Started" "Your countdown timer has been started."
 
     trap "exit" INT TERM
-    trap "rm -f -- '$TIMER_FILE'" EXIT
+    trap 'rm -f -- "$TIMER_FILE"' EXIT
 
     while [ $total_seconds -gt 0 ]; do
       hours=$(( total_seconds / 3600 ))
@@ -62,7 +63,7 @@ if [ "$1" = "start" ]; then
   MINUTES=${MINUTES:-0}
   SECONDS=${SECONDS:-0}
 
-  start_timer $HOURS $MINUTES $SECONDS
+  start_timer "$HOURS" "$MINUTES" "$SECONDS"
 
 elif [ "$1" = "stop" ]; then
   notify-send "Timer Stopped" "Your countdown timer has been stopped."

modules/nixos/bluetooth/default.nix

@@ -4,10 +4,16 @@ let
   inherit (lib) mkDefault;
 in
 {
-  hardware.bluetooth.enable = mkDefault true;
+  hardware = {
-  hardware.bluetooth.powerOnBoot = mkDefault false;
+    bluetooth = {
-  hardware.bluetooth.settings.General.Enable = mkDefault "Source,Sink,Media,Socket";
+      enable = mkDefault true;
-  hardware.bluetooth.settings.General.Experimental = mkDefault true;
+      powerOnBoot = mkDefault false;
+      settings.General = {
+        Enable = mkDefault "Source,Sink,Media,Socket";
+        Experimental = mkDefault true;
+      };
+    };
+  };
 
   environment.systemPackages = with pkgs; [
     blueman

modules/nixos/cifsMount/default.nix

@@ -84,8 +84,6 @@ in
     ) { } cfg.remotes;
 
     # Ensure that all cifs-mount services are started with the graphical session
-    systemd.user.targets.graphical-session.wants = map (
+    systemd.user.targets.graphical-session.wants = map (remote: "cifs-mount-${remote.shareName}.service") cfg.remotes;
-      remote: "cifs-mount-${remote.shareName}.service"
-    ) cfg.remotes;
   };
 }

modules/nixos/common/boot.nix

@@ -1,20 +1,20 @@
 { lib, pkgs, ... }:
 
 {
-  # fix CVE-2026-31431
+  boot = {
-  boot.kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.18.22") (
+    # fix CVE-2026-31431
-    lib.mkDefault pkgs.linuxPackages_6_18
+    kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.18.22") (lib.mkDefault pkgs.linuxPackages_6_18);
-  );
 
-  # fix CVE-2026-43500
+    # fix CVE-2026-43500
-  boot.extraModprobeConfig = ''
+    extraModprobeConfig = ''
-    install esp4 ${pkgs.coreutils}/bin/false
+      install esp4 ${pkgs.coreutils}/bin/false
-    install esp6 ${pkgs.coreutils}/bin/false
+      install esp6 ${pkgs.coreutils}/bin/false
-    install rxrpc ${pkgs.coreutils}/bin/false
+      install rxrpc ${pkgs.coreutils}/bin/false
-  '';
+    '';
-  boot.blacklistedKernelModules = [
+    blacklistedKernelModules = [
-    "esp4"
+      "esp4"
-    "esp6"
+      "esp6"
-    "rxrpc"
+      "rxrpc"
-  ];
+    ];
+  };
 }

modules/nixos/common/environment.nix

@@ -9,55 +9,59 @@ let
   inherit (lib) mkDefault optionals;
 in
 {
-  environment.systemPackages =
+  environment = {
-    with pkgs;
+    systemPackages =
-    [
+      with pkgs;
-      cryptsetup
+      [
-      curl
+        cryptsetup
-      dig
+        curl
-      dnsutils
+        dig
-      fzf
+        dnsutils
-      gptfdisk
+        fzf
-      iproute2
+        gptfdisk
-      jq
+        iproute2
-      lm_sensors
+        jq
-      lsof
+        lm_sensors
-      netcat-openbsd
+        lsof
-      nettools
+        netcat-openbsd
-      nixos-container
+        nettools
-      nmap
+        nixos-container
-      nurl
+        nmap
-      p7zip
+        nurl
-      pciutils
+        p7zip
-      psmisc
+        pciutils
-      rclone
+        psmisc
-      rsync
+        rclone
-      tcpdump
+        rsync
-      tmux
+        tcpdump
-      tree
+        tmux
-      unzip
+        tree
-      usbutils
+        unzip
-      wget
+        usbutils
-      xxd
+        wget
-      zip
+        xxd
+        zip
 
-      (callPackage ../../../apps/rebuild { })
+        (callPackage ../../../apps/rebuild { })
-    ]
+      ]
-    ++ optionals (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) [
+      ++ optionals (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) [
-      pkgs.kitty.terminfo
+        pkgs.kitty.terminfo
-    ];
+      ];
 
-  environment.shellAliases = {
+    shellAliases = {
-    l = "ls -lh";
+      l = "ls -lh";
-    ll = "ls -lAh";
+      ll = "ls -lAh";
-    ports = "ss -tulpn";
+      ports = "ss -tulpn";
-    publicip = "curl ifconfig.me/all";
+      publicip = "curl ifconfig.me/all";
-    sudo = "sudo "; # make aliases work with `sudo`
+      sudo = "sudo "; # make aliases work with `sudo`
+    };
+
+    # saves one instance of nixpkgs.
+    ldso32 = null;
   };
 
-  # saves one instance of nixpkgs.
+  boot = {
-  environment.ldso32 = null;
+    tmp.cleanOnBoot = mkDefault true;
-
+    initrd.systemd.enable = mkDefault (!config.boot.swraid.enable && !config.boot.isContainer);
-  boot.tmp.cleanOnBoot = mkDefault true;
+  };
-  boot.initrd.systemd.enable = mkDefault (!config.boot.swraid.enable && !config.boot.isContainer);
 }

modules/nixos/common/well-known.nix

@@ -2,16 +2,13 @@
   # avoid TOFU MITM
   programs.ssh.knownHosts = {
     "github.com".hostNames = [ "github.com" ];
-    "github.com".publicKey =
+    "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
 
     "gitlab.com".hostNames = [ "gitlab.com" ];
-    "gitlab.com".publicKey =
+    "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
 
     "git.sr.ht".hostNames = [ "git.sr.ht" ];
-    "git.sr.ht".publicKey =
+    "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
   };
   # TODO: add synix
 }

modules/nixos/coturn/default.nix

@@ -42,12 +42,8 @@ in
       static-auth-secret-file = mkIf cfg.sops config.sops.secrets."coturn/static-auth-secret".path;
       realm = mkDefault "turn.${config.networking.domain}";
 
-      cert =
+      cert = mkIf (!cfg.no-tls && cfg.sops) "${config.security.acme.certs.${cfg.realm}.directory}/full.pem";
-        mkIf (!cfg.no-tls && cfg.sops)
+      pkey = mkIf (!cfg.no-tls && cfg.sops) "${config.security.acme.certs.${cfg.realm}.directory}/key.pem";
-          "${config.security.acme.certs.${cfg.realm}.directory}/full.pem";
-      pkey =
-        mkIf (!cfg.no-tls && cfg.sops)
-          "${config.security.acme.certs.${cfg.realm}.directory}/key.pem";
 
       extraConfig = ''
         # ban private IP ranges

modules/nixos/device/server.nix

@@ -33,11 +33,13 @@ in
 
   fonts.fontconfig.enable = mkDefault false;
 
-  xdg.autostart.enable = mkDefault false;
+  xdg = {
-  xdg.icons.enable = mkDefault false;
+    autostart.enable = mkDefault false;
-  xdg.menus.enable = mkDefault false;
+    icons.enable = mkDefault false;
-  xdg.mime.enable = mkDefault false;
+    menus.enable = mkDefault false;
-  xdg.sounds.enable = mkDefault false;
+    mime.enable = mkDefault false;
+    sounds.enable = mkDefault false;
+  };
 
   programs.git.package = mkDefault pkgs.gitMinimal;
 
@@ -48,22 +50,25 @@ in
     viAlias = mkDefault true;
   };
 
-  # emergency mode is useless on headless machines
+  systemd = {
-  systemd.enableEmergencyMode = false;
+    # emergency mode is useless on headless machines
+    enableEmergencyMode = false;
+
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+    '';
+
+    # force reboots
+    settings.Manager = {
+      RuntimeWatchdogSec = mkDefault "15s";
+      RebootWatchdogSec = mkDefault "30s";
+      KExecWatchdogSec = mkDefault "1m";
+    };
+  };
+
   boot.initrd.systemd.suppressedUnits = mkIf config.systemd.enableEmergencyMode [
     "emergency.service"
     "emergency.target"
   ];
-
-  systemd.sleep.extraConfig = ''
-    AllowSuspend=no
-    AllowHibernation=no
-  '';
-
-  # force reboots
-  systemd.settings.Manager = {
-    RuntimeWatchdogSec = mkDefault "15s";
-    RebootWatchdogSec = mkDefault "30s";
-    KExecWatchdogSec = mkDefault "1m";
-  };
 }

modules/nixos/device/vm.nix

@@ -4,7 +4,9 @@ let
   inherit (lib) mkDefault;
 in
 {
-  services.qemuGuest.enable = mkDefault true;
+  services = {
-  services.spice-vdagentd.enable = mkDefault true;
+    qemuGuest.enable = mkDefault true;
-  services.spice-webdavd.enable = mkDefault true;
+    spice-vdagentd.enable = mkDefault true;
+    spice-webdavd.enable = mkDefault true;
+  };
 }

modules/nixos/ftp-webserver/default.nix

@@ -2,9 +2,9 @@
 
 let
   cfg = config.services.ftp-webserver;
-  domain = config.networking.domain;
+  inherit (config.networking) domain;
   fqdn = if (cfg.subdomain != "") then "${cfg.subdomain}.${domain}" else domain;
-  nginx = config.services.nginx;
+  inherit (config.services) nginx;
 
   inherit (lib)
     mkEnableOption
@@ -35,7 +35,7 @@ in
 
   config = mkIf cfg.enable {
     services.nginx.virtualHosts."${fqdn}" = {
-      root = cfg.root;
+      inherit (cfg) root;
       locations."/" = {
         extraConfig = ''
           autoindex on;
@@ -43,7 +43,7 @@ in
           autoindex_localtime on;
         '';
       };
-      forceSSL = cfg.forceSSL;
+      inherit (cfg) forceSSL;
       enableACME = cfg.forceSSL;
       sslCertificate = mkIf cfg.forceSSL "${config.security.acme.certs."${fqdn}".directory}/cert.pem";
       sslCertificateKey = mkIf cfg.forceSSL "${config.security.acme.certs."${fqdn}".directory}/key.pem";

modules/nixos/headplane/default.nix

@@ -7,10 +7,10 @@
 
 let
   cfg = config.services.headplane;
-  domain = config.networking.domain;
+  inherit (config.networking) domain;
-  subdomain = cfg.reverseProxy.subdomain;
+  inherit (cfg.reverseProxy) subdomain;
   fqdn = if (cfg.reverseProxy.enable && subdomain != "") then "${subdomain}.${domain}" else domain;
-  headscale = config.services.headscale;
+  inherit (config.services) headscale;
 
   inherit (lib)
     mkDefault
@@ -55,7 +55,7 @@ in
 
     services.nginx.virtualHosts = mkIf cfg.reverseProxy.enable {
       "${fqdn}" = mkVirtualHost {
-        port = cfg.settings.server.port;
+        inherit (cfg.settings.server) port;
         ssl = cfg.reverseProxy.forceSSL;
       };
     };
@@ -63,7 +63,7 @@ in
     sops.secrets =
       let
         owner = headscale.user;
-        group = headscale.group;
+        inherit (headscale) group;
         mode = "0400";
       in
       {

modules/nixos/headscale/default.nix

@@ -6,8 +6,8 @@
 
 let
   cfg = config.services.headscale;
-  domain = config.networking.domain;
+  inherit (config.networking) domain;
-  subdomain = cfg.reverseProxy.subdomain;
+  inherit (cfg.reverseProxy) subdomain;
   fqdn = if (cfg.reverseProxy.enable && subdomain != "") then "${subdomain}.${domain}" else domain;
   acl = "headscale/acl.hujson";
 

modules/nixos/hyprland/default.nix

@@ -8,23 +8,9 @@ in
 
   programs.dconf.enable = true; # fixes nixvim hm module
 
-  services.flatpak.enable = true;
+  services = {
-
+    flatpak.enable = true;
-  xdg.portal = {
+    gnome.gnome-keyring.enable = true;
-    enable = true;
+    udisks2.enable = mkDefault true;
-    extraPortals = with pkgs; [
-      xdg-desktop-portal-gtk
-    ];
-    config.common.default = "gtk";
   };
-
-  services.gnome.gnome-keyring.enable = true;
-  security.pam.services = {
-    login = {
-      enableGnomeKeyring = true;
-    };
-    hyprlock = { };
-  };
-
-  services.udisks2.enable = mkDefault true;
 }

modules/nixos/jellyfin/default.nix

@@ -7,8 +7,8 @@
 
 let
   cfg = config.services.jellyfin;
-  domain = config.networking.domain;
+  inherit (config.networking) domain;
-  subdomain = cfg.reverseProxy.subdomain;
+  inherit (cfg.reverseProxy) subdomain;
   fqdn = if (cfg.reverseProxy.enable && subdomain != "") then "${subdomain}.${domain}" else domain;
 
   inherit (lib)
@@ -48,9 +48,7 @@ in
     ];
 
     systemd.tmpfiles.rules =
-      (map (
+      (map (library: "d ${cfg.dataDir}/libraries/${library} 0770 ${cfg.user} ${cfg.group} -") cfg.libraries)
-        library: "d ${cfg.dataDir}/libraries/${library} 0770 ${cfg.user} ${cfg.group} -"
-      ) cfg.libraries)
       ++ [
         "z ${cfg.dataDir} 0770 ${cfg.user} ${cfg.group} -"
         "Z ${cfg.dataDir}/libraries 0770 ${cfg.user} ${cfg.group} -"

modules/nixos/jirafeau/default.nix

@@ -2,8 +2,8 @@
 
 let
   cfg = config.services.jirafeau;
-  domain = config.networking.domain;
+  inherit (config.networking) domain;
-  subdomain = cfg.reverseProxy.subdomain;
+  inherit (cfg.reverseProxy) subdomain;
   fqdn = if (cfg.reverseProxy.enable && subdomain != "") then "${subdomain}.${domain}" else domain;
 
   inherit (lib)

modules/nixos/librechat-oci/default.nix

@@ -8,75 +8,351 @@
 let
   cfg = config.services.librechat-oci;
 
-  image = pkgs.dockerTools.pullImage {
+  defaultImages = {
-    imageName = "ghcr.io/danny-avila/librechat";
+    librechat = pkgs.dockerTools.pullImage {
-    imageDigest = "sha256:a46254938507971e0d4f7ed3f9d116bd9b118f4810b5b75eb716baf575645068";
+      imageName = "ghcr.io/danny-avila/librechat";
-    hash = "sha256-zevUN6vrs3hymwCGFmk/YXlUzYjN37H+EO5aLxYchyc=";
+      imageDigest = "sha256:a46254938507971e0d4f7ed3f9d116bd9b118f4810b5b75eb716baf575645068";
-    finalImageName = "ghcr.io/danny-avila/librechat";
+      hash = "sha256-zevUN6vrs3hymwCGFmk/YXlUzYjN37H+EO5aLxYchyc=";
-    finalImageTag = "v0.8.5";
+      finalImageName = "ghcr.io/danny-avila/librechat";
+      finalImageTag = "v0.8.5";
+    };
+
+    meilisearch = pkgs.dockerTools.pullImage {
+      imageName = "getmeili/meilisearch";
+      imageDigest = "sha256:b839a48d008d4e67e57f78dcff5b21d5e8b8fa066bacd11f97824d6307abb0dd";
+      hash = "sha256-+hypvjFDSdnnWAO4tARTnjNd/6HlF6pMg1L6UUffdYM=";
+      finalImageName = "getmeili/meilisearch";
+      finalImageTag = "v1.44.0";
+    };
+
+    mongodb = pkgs.dockerTools.pullImage {
+      imageName = "mongo";
+      imageDigest = "sha256:098862b1339f031900ca66cf8fef799e616d6324fa41b9a263f2ec899552c1ef";
+      hash = "sha256-XuWnvcqAAkAGshdQtnngKOOJP2Bd33FXTbGHTRX3nUc=";
+      finalImageName = "mongo";
+      finalImageTag = "8.0.20";
+    };
+
+    vectordb = pkgs.dockerTools.pullImage {
+      imageName = "pgvector/pgvector";
+      imageDigest = "sha256:8809cfffff0082cf260c9ac752f1dd1afc77f6f0a55c4e6411321e78efc3d9a5";
+      hash = "sha256-rc6gQLMzv8UOZVLmWKGUESNIo+iPf5DR7T79AmbzWc4=";
+      finalImageName = "pgvector/pgvector";
+      finalImageTag = "0.8.0-pg15-trixie";
+    };
+
+    ragApi = pkgs.dockerTools.pullImage {
+      imageName = "registry.librechat.ai/danny-avila/librechat-rag-api-dev-lite";
+      imageDigest = "sha256:6dfb6832661ff9c26fa329c823ce266059e33567670a763e9ecb9b566b8daa68";
+      hash = "sha256-k8pkEgbqT4NU2+2ZjdRFlfFvMUk/1p+pkysbELh95pM=";
+      finalImageName = "registry.librechat.ai/danny-avila/librechat-rag-api-dev-lite";
+      finalImageTag = "latest";
+    };
   };
 
   defaultEnv = {
+    # Server
     HOST = "0.0.0.0";
-    PORT = "3080";
+    PORT = toString cfg.port;
     NO_INDEX = "true";
-    DEBUG_LOGGING = "false";
+    TRUST_PROXY = "1";
+
+    # Logging
     CONSOLE_JSON = "false";
-    ALLOW_REGISTRATION = "true";
+    DEBUG_LOGGING = "true";
-    ALLOW_EMAIL_LOGIN = "true";
+    DEBUG_CONSOLE = "false";
+    AGENT_DEBUG_LOGGING = "false";
+    DEBUG_OPENAI = "false";
+
+    # Node
+    NODE_MAX_OLD_SPACE_SIZE = "6144";
+
+    # Search
     SEARCH = "true";
     MEILI_NO_ANALYTICS = "true";
+
+    # Moderation
+    OPENAI_MODERATION = "false";
+    BAN_VIOLATIONS = "true";
+    BAN_DURATION = "1000 * 60 * 60 * 2";
+    BAN_INTERVAL = "20";
+    LOGIN_VIOLATION_SCORE = "1";
+    REGISTRATION_VIOLATION_SCORE = "1";
+    CONCURRENT_VIOLATION_SCORE = "1";
+    MESSAGE_VIOLATION_SCORE = "1";
+    NON_BROWSER_VIOLATION_SCORE = "20";
+    TTS_VIOLATION_SCORE = "0";
+    STT_VIOLATION_SCORE = "0";
+    FORK_VIOLATION_SCORE = "0";
+    IMPORT_VIOLATION_SCORE = "0";
+    FILE_UPLOAD_VIOLATION_SCORE = "0";
+    LOGIN_MAX = "7";
+    LOGIN_WINDOW = "5";
+    REGISTER_MAX = "5";
+    REGISTER_WINDOW = "60";
+    LIMIT_CONCURRENT_MESSAGES = "true";
+    CONCURRENT_MESSAGE_MAX = "2";
+    LIMIT_MESSAGE_IP = "true";
+    MESSAGE_IP_MAX = "40";
+    MESSAGE_IP_WINDOW = "1";
+    LIMIT_MESSAGE_USER = "false";
+    MESSAGE_USER_MAX = "40";
+    MESSAGE_USER_WINDOW = "1";
+    ILLEGAL_MODEL_REQ_SCORE = "5";
+
+    # Registration and login
+    ALLOW_EMAIL_LOGIN = "true";
+    ALLOW_REGISTRATION = "false";
+    ALLOW_SOCIAL_LOGIN = "false";
+    ALLOW_SOCIAL_REGISTRATION = "false";
+    ALLOW_PASSWORD_RESET = "false";
+    ALLOW_UNVERIFIED_EMAIL_LOGIN = "true";
+    SESSION_EXPIRY = "1000 * 60 * 15";
+    REFRESH_TOKEN_EXPIRY = "(1000 * 60 * 60 * 24) * 7";
+
+    # OpenID
+    OPENID_SCOPE = "openid profile email";
+    OPENID_CALLBACK_URL = "/oauth/openid/callback";
+    OPENID_AUTO_REDIRECT = "false";
+    OPENID_USE_PKCE = "false";
+    OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE = "user.read";
+
+    # OAuth callback URLs
+    DISCORD_CALLBACK_URL = "/oauth/discord/callback";
+    FACEBOOK_CALLBACK_URL = "/oauth/facebook/callback";
+    GITHUB_CALLBACK_URL = "/oauth/github/callback";
+    GOOGLE_CALLBACK_URL = "/oauth/google/callback";
+    APPLE_CALLBACK_URL = "/oauth/apple/callback";
+    SAML_CALLBACK_URL = "/oauth/saml/callback";
+
+    # Entra ID
+    USE_ENTRA_ID_FOR_PEOPLE_SEARCH = "false";
+    ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS = "false";
+    OPENID_GRAPH_SCOPES = "User.Read,People.Read,GroupMember.Read.All";
+
+    # Shared links
+    ALLOW_SHARED_LINKS = "true";
+    ALLOW_SHARED_LINKS_PUBLIC = "false";
+
+    # UI
+    APP_TITLE = "LibreChat";
+    HELP_AND_FAQ_URL = "https://librechat.ai";
+
+    # Flux
+    FLUX_API_BASE_URL = "https://api.us1.bfl.ai";
+
+    # Email
+    EMAIL_PORT = "25";
+    EMAIL_FROM = "noreply@librechat.ai";
+
+    # Azure Blob Storage
+    AZURE_STORAGE_PUBLIC_ACCESS = "false";
+    AZURE_CONTAINER_NAME = "files";
   };
 
+  mkImageOption =
+    name: description:
+    mkOption {
+      type = types.package;
+      default = defaultImages.${name};
+      inherit description;
+    };
+
   inherit (lib)
     literalExpression
     mkEnableOption
     mkIf
     mkOption
     mkOverride
+    optional
     types
     ;
 in
 {
   options.services.librechat-oci = {
     enable = mkEnableOption "LibreChat container with Podman.";
-    image = mkOption {
+
-      type = types.package;
+    images = {
-      default = image;
+      librechat = mkImageOption "librechat" "The LibreChat Docker image (`pkgs.dockerTools.pullImage`).";
-      description = "The Docker image to use (`pkgs.dockerTools.pullImage`).";
+      meilisearch = mkImageOption "meilisearch" "The Meilisearch Docker image (`pkgs.dockerTools.pullImage`).";
+      mongodb = mkImageOption "mongodb" "The MongoDB Docker image (`pkgs.dockerTools.pullImage`).";
+      vectordb = mkImageOption "vectordb" "The pgvector Docker image (`pkgs.dockerTools.pullImage`).";
+      ragApi = mkImageOption "ragApi" "The LibreChat RAG API Docker image (`pkgs.dockerTools.pullImage`).";
     };
+
+    configFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = literalExpression "./librechat.yaml";
+      description = "Path to the `librechat.yaml` configuration file.";
+    };
+
     externalUrl = mkOption {
       type = types.nullOr types.str;
       default = null;
-      example = literalExpression "http://${config.networking.domain}";
+      example = literalExpression ''"https://chat.example.com"'';
-      description = "Public URL to configure for LibreChat.";
+      description = "Public URL to configure for LibreChat (sets DOMAIN_CLIENT and DOMAIN_SERVER).";
     };
+
     port = mkOption {
       type = types.port;
       default = 3080;
-      description = "Which port the LibreChat server listens to.";
+      description = "Which port the LibreChat server listens on.";
     };
+
+    meiliPort = mkOption {
+      type = types.port;
+      default = 7700;
+      description = "Which port Meilisearch listens on.";
+    };
+
+    ragPort = mkOption {
+      type = types.port;
+      default = 8000;
+      description = "Which port the RAG API listens on.";
+    };
+
     environment = mkOption {
       default = { };
       type = types.attrsOf types.str;
       description = ''
         Extra environment variables for LibreChat.
-        For more details see <https://docs.librechat.ai/docs/configuration/dotenv>
+        These are merged on top of the defaults and can override them.
+        For secrets use <option>environmentFile</option> instead.
+        See <https://docs.librechat.ai/docs/configuration/dotenv>.
       '';
     };
+
     environmentFile = mkOption {
-      description = "Environment file to be passed to the LibreChat container.";
       type = types.nullOr types.path;
       default = null;
-      example = "config.sops.templates.librechat-env.path";
+      example = literalExpression "config.sops.templates.librechat-env.path";
+      description = ''
+        Environment file passed to the LibreChat, Meilisearch, and RAG API
+        containers. Use this for secrets such as JWT_SECRET, CREDS_KEY,
+        MEILI_MASTER_KEY, and API keys.
+      '';
     };
   };
 
   config = mkIf cfg.enable {
-    virtualisation.podman = {
+    virtualisation = {
-      enable = true;
+      podman = {
-      autoPrune.enable = true;
+        enable = true;
-      dockerCompat = true;
+        autoPrune.enable = true;
+        dockerCompat = true;
+      };
+
+      oci-containers = {
+        backend = "podman";
+
+        containers = {
+          librechat-mongodb = {
+            image = with cfg.images.mongodb; "${imageName}:${imageTag}";
+            imageFile = cfg.images.mongodb;
+            cmd = [
+              "mongod"
+              "--noauth"
+            ];
+            volumes = [
+              "librechat_mongodb_data:/data/db:rw"
+            ];
+            log-driver = "journald";
+            extraOptions = [
+              "--network-alias=mongodb"
+              "--network=librechat_default"
+            ];
+          };
+
+          librechat-meilisearch = {
+            image = with cfg.images.meilisearch; "${imageName}:${imageTag}";
+            imageFile = cfg.images.meilisearch;
+            environment = {
+              MEILI_NO_ANALYTICS = "true";
+              MEILI_HOST = "http://meilisearch:${toString cfg.meiliPort}";
+            };
+            environmentFiles = optional (cfg.environmentFile != null) cfg.environmentFile;
+            volumes = [
+              "librechat_meili_data:/meili_data:rw"
+            ];
+            log-driver = "journald";
+            extraOptions = [
+              "--network-alias=meilisearch"
+              "--network=librechat_default"
+            ];
+          };
+
+          librechat-vectordb = {
+            image = with cfg.images.vectordb; "${imageName}:${imageTag}";
+            imageFile = cfg.images.vectordb;
+            environment = {
+              POSTGRES_DB = "mydatabase";
+              POSTGRES_USER = "myuser";
+              POSTGRES_PASSWORD = "mypassword";
+            };
+            volumes = [
+              "librechat_pgdata:/var/lib/postgresql/data:rw"
+            ];
+            log-driver = "journald";
+            extraOptions = [
+              "--network-alias=vectordb"
+              "--network=librechat_default"
+            ];
+          };
+
+          librechat-rag-api = {
+            image = with cfg.images.ragApi; "${imageName}:${imageTag}";
+            imageFile = cfg.images.ragApi;
+            environment = {
+              DB_HOST = "vectordb";
+              RAG_PORT = toString cfg.ragPort;
+            };
+            environmentFiles = optional (cfg.environmentFile != null) cfg.environmentFile;
+            dependsOn = [ "librechat-vectordb" ];
+            log-driver = "journald";
+            extraOptions = [
+              "--network-alias=rag_api"
+              "--network=librechat_default"
+            ];
+          };
+
+          librechat = {
+            image = with cfg.images.librechat; "${imageName}:${imageTag}";
+            imageFile = cfg.images.librechat;
+            environment =
+              defaultEnv
+              // {
+                MONGO_URI = "mongodb://mongodb:27017/LibreChat";
+                MEILI_HOST = "http://meilisearch:${toString cfg.meiliPort}";
+                RAG_PORT = toString cfg.ragPort;
+                RAG_API_URL = "http://rag_api:${toString cfg.ragPort}";
+                DOMAIN_CLIENT = if cfg.externalUrl != null then cfg.externalUrl else "http://localhost:${toString cfg.port}";
+                DOMAIN_SERVER = if cfg.externalUrl != null then cfg.externalUrl else "http://localhost:${toString cfg.port}";
+              }
+              // cfg.environment;
+            environmentFiles = optional (cfg.environmentFile != null) cfg.environmentFile;
+            volumes = [
+              "librechat_images:/app/client/public/images:rw"
+              "librechat_uploads:/app/uploads:rw"
+              "librechat_logs:/app/logs:rw"
+            ]
+            ++ optional (cfg.configFile != null) "${cfg.configFile}:/app/librechat.yaml:ro";
+
+            ports = [
+              "0.0.0.0:${toString cfg.port}:${toString cfg.port}/tcp"
+            ];
+            dependsOn = [
+              "librechat-mongodb"
+              "librechat-rag-api"
+            ];
+            log-driver = "journald";
+            extraOptions = [
+              "--network-alias=api"
+              "--network=librechat_default"
+            ];
+          };
+        };
+      };
     };
 
     networking.firewall.interfaces =
@@ -87,161 +363,173 @@ in
         "${matchAll}".allowedUDPPorts = [ 53 ];
       };
 
-    virtualisation.oci-containers.backend = "podman";
+    systemd = {
+      services = {
+        podman-librechat-mongodb = {
+          serviceConfig.Restart = mkOverride 90 "always";
+          after = [
+            "podman-network-librechat_default.service"
+            "podman-volume-librechat_mongodb_data.service"
+          ];
+          requires = [
+            "podman-network-librechat_default.service"
+            "podman-volume-librechat_mongodb_data.service"
+          ];
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
 
-    virtualisation.oci-containers.containers."librechat-mongodb" = {
+        podman-librechat-meilisearch = {
-      image = "mongo:7.0";
+          serviceConfig.Restart = mkOverride 90 "always";
-      environment = {
+          after = [
-        MONGO_INITDB_ROOT_USERNAME = "root";
+            "podman-network-librechat_default.service"
-        MONGO_INITDB_ROOT_PASSWORD = "librechat";
+            "podman-volume-librechat_meili_data.service"
-        MONGO_INITDB_DATABASE = "LibreChat";
+          ];
+          requires = [
+            "podman-network-librechat_default.service"
+            "podman-volume-librechat_meili_data.service"
+          ];
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-librechat-vectordb = {
+          serviceConfig.Restart = mkOverride 90 "always";
+          after = [
+            "podman-network-librechat_default.service"
+            "podman-volume-librechat_pgdata.service"
+          ];
+          requires = [
+            "podman-network-librechat_default.service"
+            "podman-volume-librechat_pgdata.service"
+          ];
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-librechat-rag-api = {
+          serviceConfig.Restart = mkOverride 90 "always";
+          after = [
+            "podman-network-librechat_default.service"
+            "podman-librechat-vectordb.service"
+          ];
+          requires = [
+            "podman-network-librechat_default.service"
+            "podman-librechat-vectordb.service"
+          ];
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-librechat = {
+          serviceConfig.Restart = mkOverride 90 "always";
+          after = [
+            "podman-network-librechat_default.service"
+            "podman-volume-librechat_images.service"
+            "podman-volume-librechat_uploads.service"
+            "podman-volume-librechat_logs.service"
+            "podman-librechat-mongodb.service"
+            "podman-librechat-meilisearch.service"
+            "podman-librechat-rag-api.service"
+          ];
+          requires = [
+            "podman-network-librechat_default.service"
+            "podman-volume-librechat_images.service"
+            "podman-volume-librechat_uploads.service"
+            "podman-volume-librechat_logs.service"
+            "podman-librechat-mongodb.service"
+            "podman-librechat-meilisearch.service"
+            "podman-librechat-rag-api.service"
+          ];
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-network-librechat_default = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            ExecStop = "podman network rm -f librechat_default";
+          };
+          script = ''
+            podman network inspect librechat_default || podman network create librechat_default
+          '';
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-volume-librechat_mongodb_data = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = "podman volume inspect librechat_mongodb_data || podman volume create librechat_mongodb_data";
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-volume-librechat_meili_data = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = "podman volume inspect librechat_meili_data || podman volume create librechat_meili_data";
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-volume-librechat_pgdata = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = "podman volume inspect librechat_pgdata || podman volume create librechat_pgdata";
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-volume-librechat_images = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = "podman volume inspect librechat_images || podman volume create librechat_images";
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-volume-librechat_uploads = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = "podman volume inspect librechat_uploads || podman volume create librechat_uploads";
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
+
+        podman-volume-librechat_logs = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = "podman volume inspect librechat_logs || podman volume create librechat_logs";
+          partOf = [ "podman-compose-librechat-root.target" ];
+          wantedBy = [ "podman-compose-librechat-root.target" ];
+        };
       };
-      volumes = [
-        "librechat_mongodb_data:/data/db:rw"
-      ];
-      log-driver = "journald";
-      extraOptions = [
-        "--network=host"
-      ];
-    };
 
-    virtualisation.oci-containers.containers.librechat = {
+      targets.podman-compose-librechat-root = {
-      image = toString cfg.image;
+        unitConfig.Description = "Root target generated by compose2nix.";
-      environment =
+        wantedBy = [ "multi-user.target" ];
-        defaultEnv
-        // {
-          MONGO_URI = "mongodb://root:librechat@localhost:27017/LibreChat?authSource=admin";
-        }
-        // cfg.environment;
-      volumes = [
-        "librechat_data:/app/client/data:rw"
-        "librechat_images:/app/client/public/images:rw"
-        "librechat_uploads:/app/api/server/files/uploads:rw"
-        "librechat_logs:/app/logs:rw"
-      ];
-      ports = [
-        "${toString cfg.port}:${toString cfg.port}"
-      ];
-      log-driver = "journald";
-      extraOptions = [
-        "--network=host"
-      ];
-    };
-
-    systemd.services."podman-librechat-mongodb" = {
-      serviceConfig = {
-        Restart = mkOverride 90 "always";
       };
-      after = [
-        "podman-volume-librechat_mongodb_data.service"
-      ];
-      requires = [
-        "podman-volume-librechat_mongodb_data.service"
-      ];
-      partOf = [
-        "podman-compose-librechat-root.target"
-      ];
-      wantedBy = [
-        "podman-compose-librechat-root.target"
-      ];
-    };
-
-    systemd.services."podman-librechat" = {
-      serviceConfig = {
-        Restart = mkOverride 90 "always";
-      };
-      after = [
-        "podman-volume-librechat_data.service"
-        "podman-volume-librechat_images.service"
-        "podman-volume-librechat_uploads.service"
-        "podman-volume-librechat_logs.service"
-        "podman-librechat-mongodb.service"
-      ];
-      requires = [
-        "podman-volume-librechat_data.service"
-        "podman-volume-librechat_images.service"
-        "podman-volume-librechat_uploads.service"
-        "podman-volume-librechat_logs.service"
-        "podman-librechat-mongodb.service"
-      ];
-      partOf = [
-        "podman-compose-librechat-root.target"
-      ];
-      wantedBy = [
-        "podman-compose-librechat-root.target"
-      ];
-    };
-
-    systemd.services."podman-volume-librechat_data" = {
-      path = [ pkgs.podman ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
-      script = ''
-        podman volume inspect librechat_data || podman volume create librechat_data
-      '';
-      partOf = [ "podman-compose-librechat-root.target" ];
-      wantedBy = [ "podman-compose-librechat-root.target" ];
-    };
-
-    systemd.services."podman-volume-librechat_images" = {
-      path = [ pkgs.podman ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
-      script = ''
-        podman volume inspect librechat_images || podman volume create librechat_images
-      '';
-      partOf = [ "podman-compose-librechat-root.target" ];
-      wantedBy = [ "podman-compose-librechat-root.target" ];
-    };
-
-    systemd.services."podman-volume-librechat_uploads" = {
-      path = [ pkgs.podman ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
-      script = ''
-        podman volume inspect librechat_uploads || podman volume create librechat_uploads
-      '';
-      partOf = [ "podman-compose-librechat-root.target" ];
-      wantedBy = [ "podman-compose-librechat-root.target" ];
-    };
-
-    systemd.services."podman-volume-librechat_logs" = {
-      path = [ pkgs.podman ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
-      script = ''
-        podman volume inspect librechat_logs || podman volume create librechat_logs
-      '';
-      partOf = [ "podman-compose-librechat-root.target" ];
-      wantedBy = [ "podman-compose-librechat-root.target" ];
-    };
-
-    systemd.services."podman-volume-librechat_mongodb_data" = {
-      path = [ pkgs.podman ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
-      script = ''
-        podman volume inspect librechat_mongodb_data || podman volume create librechat_mongodb_data
-      '';
-      partOf = [ "podman-compose-librechat-root.target" ];
-      wantedBy = [ "podman-compose-librechat-root.target" ];
-    };
-
-    systemd.targets."podman-compose-librechat-root" = {
-      unitConfig = {
-        Description = "Root target generated by compose2nix.";
-      };
-      wantedBy = [ "multi-user.target" ];
     };
   };
 }

modules/nixos/mailserver/default.nix

@@ -8,7 +8,7 @@
 
 let
   cfg = config.mailserver;
-  domain = config.networking.domain;
+  inherit (config.networking) domain;
   fqdn = "${cfg.subdomain}.${domain}";
 
   inherit (lib)
@@ -74,7 +74,7 @@ in
         nameValuePair "${user}@${domain}" {
           name = "${user}@${domain}";
           aliases = map (alias: "${alias}@${domain}") (accConf.aliases or [ ]);
-          sendOnly = accConf.sendOnly;
+          inherit (accConf) sendOnly;
           quota = mkDefault "5G";
           hashedPasswordFile = config.sops.secrets."mailserver/accounts/${user}".path;
         }

modules/nixos/matrix-synapse/bridges.nix

@@ -23,7 +23,7 @@ let
 
     services."mautrix-${name}" = {
       enable = true;
-      package = cfg.bridges.${name}.package;
+      inherit (cfg.bridges.${name}) package;
       environmentFile = mkIf cfg.sops config.sops.templates."mautrix-${name}/env-file".path;
       settings = {
         bridge = {
@@ -71,33 +71,29 @@ let
         mode = "0400";
       in
       {
-        secrets."mautrix-${name}/encryption-pickle-key" = {
+        secrets = {
-          inherit owner group mode;
+          "mautrix-${name}/encryption-pickle-key" = {
-        };
+            inherit owner group mode;
-        secrets."mautrix-${name}/provisioning-shared-secret" = {
+          };
-          inherit owner group mode;
+          "mautrix-${name}/provisioning-shared-secret" = {
-        };
+            inherit owner group mode;
-        secrets."mautrix-${name}/public-media-signing-key" = {
+          };
-          inherit owner group mode;
+          "mautrix-${name}/public-media-signing-key" = {
-        };
+            inherit owner group mode;
-        secrets."mautrix-${name}/direct-media-server-key" = {
+          };
-          inherit owner group mode;
+          "mautrix-${name}/direct-media-server-key" = {
+            inherit owner group mode;
+          };
         };
         templates."mautrix-${name}/env-file" = {
           inherit owner group mode;
           content = ''
-            MAUTRIX_${toUpper name}_ENCRYPTION_PICKLE_KEY=${
+            MAUTRIX_${toUpper name}_ENCRYPTION_PICKLE_KEY=${config.sops.placeholder."mautrix-${name}/encryption-pickle-key"}
-              config.sops.placeholder."mautrix-${name}/encryption-pickle-key"
-            }
             MAUTRIX_${toUpper name}_PROVISIONING_SHARED_SECRET=${
               config.sops.placeholder."mautrix-${name}/provisioning-shared-secret"
             }
-            MAUTRIX_${toUpper name}_PUBLIC_MEDIA_SIGNING_KEY=${
+            MAUTRIX_${toUpper name}_PUBLIC_MEDIA_SIGNING_KEY=${config.sops.placeholder."mautrix-${name}/public-media-signing-key"}
-              config.sops.placeholder."mautrix-${name}/public-media-signing-key"
+            MAUTRIX_${toUpper name}_DIRECT_MEDIA_SERVER_KEY=${config.sops.placeholder."mautrix-${name}/direct-media-server-key"}
-            }
-            MAUTRIX_${toUpper name}_DIRECT_MEDIA_SERVER_KEY=${
-              config.sops.placeholder."mautrix-${name}/direct-media-server-key"
-            }
           '';
         };
       }

modules/nixos/matrix-synapse/default.nix

@@ -84,77 +84,74 @@ in
   };
 
   config = mkIf cfg.enable {
-    services.postgresql = {
+    services = {
-      enable = true;
+      postgresql = {
-      initialScript = pkgs.writeText "synapse-init.sql" ''
+        enable = true;
-        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+        initialScript = pkgs.writeText "synapse-init.sql" ''
-        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+          CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-          TEMPLATE template0
+          CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-          LC_COLLATE = 'C'
+            TEMPLATE template0
-          LC_CTYPE = 'C';
+            LC_COLLATE = 'C'
-      '';
+            LC_CTYPE = 'C';
-    };
+        '';
+      };
 
-    services.matrix-synapse = mkMerge [
+      matrix-synapse = mkMerge [
-      {
+        {
-        settings = {
+          settings = {
-          registration_shared_secret_path =
+            registration_shared_secret_path = mkIf cfg.sops config.sops.secrets."matrix/registration-shared-secret".path;
-            mkIf cfg.sops
+            server_name = config.networking.domain;
-              config.sops.secrets."matrix/registration-shared-secret".path;
+            public_baseurl = baseUrl;
-          server_name = config.networking.domain;
+            listeners = [
-          public_baseurl = baseUrl;
+              {
-          listeners = [
+                inherit (cfg) port;
-            {
+                bind_addresses = [ "127.0.0.1" ];
-              inherit (cfg) port;
+                resources = [
-              bind_addresses = [ "127.0.0.1" ];
+                  {
-              resources = [
+                    compress = true;
-                {
+                    names = [ "client" ];
-                  compress = true;
+                  }
-                  names = [ "client" ];
+                  {
-                }
+                    compress = false;
-                {
+                    names = [ "federation" ];
-                  compress = false;
+                  }
-                  names = [ "federation" ];
+                ];
-                }
+                tls = false;
-              ];
+                type = "http";
-              tls = false;
+                x_forwarded = true;
-              type = "http";
+              }
-              x_forwarded = true;
+            ];
-            }
+          };
-          ];
+        }
+        (mkIf cfg.coturn.enable {
+          settings = {
+            turn_uris = with cfg.coturn; [
+              "turn:${realm}:${toString listening-port}?transport=udp"
+              "turn:${realm}:${toString listening-port}?transport=tcp"
+              "turn:${realm}:${toString tls-listening-port}?transport=udp"
+              "turn:${realm}:${toString tls-listening-port}?transport=tcp"
+              "turn:${realm}:${toString alt-listening-port}?transport=udp"
+              "turn:${realm}:${toString alt-listening-port}?transport=tcp"
+              "turn:${realm}:${toString alt-tls-listening-port}?transport=udp"
+              "turn:${realm}:${toString alt-tls-listening-port}?transport=tcp"
+            ];
+            extraConfigFiles = mkIf cfg.sops [ config.sops.templates."coturn/static-auth-secret.env".path ];
+            turn_user_lifetime = "1h";
+          };
+        })
+      ];
+
+      nginx.virtualHosts."${cfg.settings.server_name}" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations = {
+          "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+          "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+          "/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+          "/_synapse".proxyPass = "http://127.0.0.1:${toString cfg.port}";
         };
-      }
+      };
-      (mkIf cfg.coturn.enable {
-        settings = {
-          turn_uris = with cfg.coturn; [
-            "turn:${realm}:${toString listening-port}?transport=udp"
-            "turn:${realm}:${toString listening-port}?transport=tcp"
-            "turn:${realm}:${toString tls-listening-port}?transport=udp"
-            "turn:${realm}:${toString tls-listening-port}?transport=tcp"
-            "turn:${realm}:${toString alt-listening-port}?transport=udp"
-            "turn:${realm}:${toString alt-listening-port}?transport=tcp"
-            "turn:${realm}:${toString alt-tls-listening-port}?transport=udp"
-            "turn:${realm}:${toString alt-tls-listening-port}?transport=tcp"
-          ];
-          extraConfigFiles = mkIf cfg.sops [ config.sops.templates."coturn/static-auth-secret.env".path ];
-          turn_user_lifetime = "1h";
-        };
-      })
-    ];
-
-    environment.shellAliases = mkIf cfg.sops {
-      register_new_matrix_user = "${cfg.package}/bin/register_new_matrix_user -k $(sudo cat ${cfg.settings.registration_shared_secret_path})";
-    };
-
-    services.nginx.virtualHosts."${cfg.settings.server_name}" = {
-      enableACME = true;
-      forceSSL = true;
-
-      locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
-      locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
-
-      locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
-      locations."/_synapse".proxyPass = "http://127.0.0.1:${toString cfg.port}";
     };
 
     sops = mkIf cfg.sops {

modules/nixos/matrix-synapse/livekit.nix

@@ -6,51 +6,53 @@
 
 let
   cfg = config.services.matrix-synapse;
-  domain = config.networking.domain;
+  inherit (config.networking) domain;
 
   inherit (lib) mkIf mkDefault;
 in
 {
   config = mkIf cfg.enable {
-    services.livekit = {
+    services = {
-      enable = true;
+      livekit = {
-      settings.port = mkDefault 7880;
+        enable = true;
-      settings.room.auto_create = mkDefault false;
+        settings.port = mkDefault 7880;
-      openFirewall = mkDefault true;
+        settings.room.auto_create = mkDefault false;
-      keyFile = mkIf cfg.sops config.sops.templates."livekit/key".path;
+        openFirewall = mkDefault true;
-    };
+        keyFile = mkIf cfg.sops config.sops.templates."livekit/key".path;
+      };
 
-    services.lk-jwt-service = {
+      lk-jwt-service = {
-      enable = true;
+        enable = true;
-      port = mkDefault 8080;
+        port = mkDefault 8080;
-      livekitUrl = "wss://${domain}/livekit/sfu";
+        livekitUrl = "wss://${domain}/livekit/sfu";
-      keyFile = mkIf cfg.sops config.sops.templates."livekit/key".path;
+        keyFile = mkIf cfg.sops config.sops.templates."livekit/key".path;
-    };
+      };
 
-    systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = domain;
+      nginx.virtualHosts = {
-
+        "${domain}".locations = {
-    services.nginx.virtualHosts = {
+          "^~ /livekit/jwt/" = {
-      "${domain}".locations = {
+            priority = 400;
-        "^~ /livekit/jwt/" = {
+            proxyPass = "http://127.0.0.1:${toString config.services.lk-jwt-service.port}/";
-          priority = 400;
+          };
-          proxyPass = "http://127.0.0.1:${toString config.services.lk-jwt-service.port}/";
+          "^~ /livekit/sfu/" = {
-        };
+            priority = 400;
-        "^~ /livekit/sfu/" = {
+            proxyPass = "http://127.0.0.1:${toString config.services.livekit.settings.port}/";
-          priority = 400;
+            proxyWebsockets = true;
-          proxyPass = "http://127.0.0.1:${toString config.services.livekit.settings.port}/";
+            extraConfig = ''
-          proxyWebsockets = true;
+              proxy_send_timeout 120;
-          extraConfig = ''
+              proxy_read_timeout 120;
-            proxy_send_timeout 120;
+              proxy_buffering off;
-            proxy_read_timeout 120;
+              proxy_set_header Accept-Encoding gzip;
-            proxy_buffering off;
+              proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Accept-Encoding gzip;
+              proxy_set_header Connection "upgrade";
-            proxy_set_header Upgrade $http_upgrade;
+            '';
-            proxy_set_header Connection "upgrade";
+          };
-          '';
         };
       };
     };
 
+    systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = domain;
+
     sops = mkIf cfg.sops {
       secrets."livekit/key" = { };
       templates."livekit/key".content = ''

modules/nixos/maubot/default.nix

@@ -76,7 +76,7 @@ in
     sops = mkIf cfg.sops (
       let
         owner = user.name;
-        group = user.group;
+        inherit (user) group;
         mode = "0400";
       in
       {
@@ -98,9 +98,7 @@ in
             ''
               admins:
             ''
-            + concatLines (
+            + concatLines (map (admin: "  ${admin}: ${config.sops.placeholder."maubot/admins/${admin}"}") cfg.admins)
-              map (admin: "  ${admin}: ${config.sops.placeholder."maubot/admins/${admin}"}") cfg.admins
-            )
           );
         };
       }

modules/nixos/mcpo/default.nix

@@ -28,6 +28,12 @@ in
       default = null;
     };
 
+    port = mkOption {
+      type = types.port;
+      default = 8000;
+      description = "Port on which the mcpo service should listen.";
+    };
+
     user = mkOption {
       type = types.str;
       description = "The user the mcpo service will run as.";
@@ -90,7 +96,7 @@ in
 
     users.users."${cfg.user}" = {
       isSystemUser = true;
-      group = cfg.group;
+      inherit (cfg) group;
     };
 
     users.groups."${cfg.group}" = { };
@@ -100,7 +106,7 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
-        ExecStart = "${getExe cfg.package} --config ${configFile}";
+        ExecStart = "${getExe cfg.package} --port ${toString cfg.port} --config ${configFile}";
         Restart = "on-failure";
         User = cfg.user;
         Group = cfg.group;

modules/nixos/miniflux/default.nix

@@ -6,8 +6,8 @@
 
 let
   cfg = config.services.miniflux;
-  domain = config.networking.domain;
+  inherit (config.networking) domain;
-  subdomain = cfg.reverseProxy.subdomain;
+  inherit (cfg.reverseProxy) subdomain;
   fqdn = if (cfg.reverseProxy.enable && subdomain != "") then "${subdomain}.${domain}" else domain;
   port = 8085;
 

modules/nixos/nginx/default.nix

@@ -50,8 +50,7 @@ in
             "1.1.1.1"
             "2606:4700:4700::1111"
           ];
-          resolvers =
+          resolvers = if config.networking.nameservers == [ ] then cloudflare else config.networking.nameservers;
-            if config.networking.nameservers == [ ] then cloudflare else config.networking.nameservers;
         in
         map escapeIPv6 resolvers;
 
@@ -60,7 +59,7 @@ in
       virtualHosts = {
         "${config.networking.domain}" = mkDefault {
           enableACME = cfg.forceSSL;
-          forceSSL = cfg.forceSSL;
+          inherit (cfg) forceSSL;
         };
       };
     };

modules/nixos/normalUsers/default.nix

@@ -21,7 +21,7 @@ in
       types.submodule {
         options = {
           extraGroups = mkOption {
-            type = (types.listOf types.str);
+            type = types.listOf types.str;
             default = [ ];
             description = "Extra groups for the user";
             example = [ "wheel" ];
@@ -37,7 +37,7 @@ in
             description = "Initial password for the user";
           };
           sshKeyFiles = mkOption {
-            type = (types.listOf types.path);
+            type = types.listOf types.path;
             default = [ ];
             description = "SSH key files for the user";
             example = [ "/path/to/id_rsa.pub" ];