snowfall lib migration WIP

2025-08-06 12:18:08 +02:00 · 2025-08-06 12:18:08 +02:00 · b9dadac2af
commit b9dadac2af
parent dc2440015e
31 changed files with 9106 additions and 382 deletions
--- a/modules/nixos/gpg/default.nix
+++ b/modules/nixos/gpg/default.nix
@ -0,0 +1,30 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.gpg;
+in {
+  options.${namespace}.gpg = with types; {
+    enable = mkBoolOpt false "Enable gpg with emacs/terminal support";
+  };
+
+  config = mkIf cfg.enable {
+    programs.gnupg.agent = {
+      enable = true;
+      settings = {
+        pinentry-program = lib.mkForce "${pkgs.pinentry-curses}/bin/pinentry-curses";
+      };
+    };
+  };
+}
--- a/modules/nixos/hardware/bluetooth/default.nix
+++ b/modules/nixos/hardware/bluetooth/default.nix
@ -0,0 +1,35 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.hardware.bluetooth;
+in {
+  options.${namespace}.hardware.bluetooth = with types; {
+    enable = mkBoolOpt false "Enable bluetooth support";
+  };
+
+  config =
+    mkIf cfg.enable {
+      hardware.bluetooth = {
+      enable = true;
+      powerOnBoot = true;
+      settings = {
+        General = {
+          Experimental = true;
+        };
+      };
+    };
+      services.blueman.enable = true;
+    };
+}
--- a/modules/nixos/hardware/printing/default.nix
+++ b/modules/nixos/hardware/printing/default.nix
@ -0,0 +1,34 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.hardware.printing;
+in {
+  options.${namespace}.hardware.printing = with types; {
+    enable = mkBoolOpt false "Enable printers support";
+  };
+
+  config =
+    mkIf cfg.enable {
+      environment.systemPackages = with pkgs; [
+system-config-printer
+];
+      services.printing.enable = true;
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    openFirewall = true;
+  };
+    };
+}
--- a/modules/nixos/impermanence/default.nix
+++ b/modules/nixos/impermanence/default.nix
@ -0,0 +1,116 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.impermanence;
+  persist = cfg.persistentStorage;
+  rootIsBtrfs = config.fileSystems."/".fsType == "btrfs";
+in {
+  options.${namespace}.impermanence = with types; {
+    enable = mkBoolOpt false "Enable impermanence";
+    persistentStorage = lib.mkOption {
+      type = lib.types.path;
+      default = "/persist";
+      description = ''
+        Volume with persistent information, that won't be destroyed after reboot
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    fileSystems.${persist}.neededForBoot = true;
+    environment.persistence."${persist}/system" = {
+      hideMounts = true;
+      directories = [
+        "/var/lib/sbctl"
+        "/etc/nixos"
+        "/var/log"
+        "/var/lib/bluetooth"
+        "/var/lib/nixos"
+        "/var/lib/flatpak"
+        "/var/lib/zerotier-one"
+        "/var/lib/systemd/coredump"
+        "/var/lib/acme"
+        #"/var/lib/conduwuit"
+        "/etc/NetworkManager/system-connections"
+        {
+          directory = "/var/lib/colord";
+          user = "colord";
+          group = "colord";
+          mode = "u=rwx,g=rx,o=";
+        }
+      ];
+      files = [
+        "/etc/machine-id"
+        {
+          file = "/var/keys/secret_file";
+          parentDirectory = {mode = "u=rwx,g=,o=";};
+        }
+      ];
+    };
+    systemd.tmpfiles.rules = [
+      "d ${persist}/home/ 0777 root root -" # /persist/home created, owned by root
+      "d ${persist}/ollama/ 0755 ollama ollama"
+      "d ${persist}/open-webui/ 0755 ollama ollama"
+      "d ${persist}/conduwuit/ 0755 conduwuit conduwuit"
+      #"d /persist/home/${username} 0700 ${username} users -" # /persist/home/<user> created, owned by that user
+      #"d /persist/nixos-config 0700 ${username} users -"
+    ];
+
+    programs.fuse.userAllowOther = true;
+
+    #https://blog.decent.id/post/nixos-systemd-initrd/
+    boot.initrd.systemd.services.btrfs-rollback-impermanence = lib.mkIf (rootIsBtrfs && config.boot.initrd.systemd.enable) {
+      description = "Rollback BTRFS root dataset to blank snapshot";
+      wantedBy = ["initrd.target"];
+      requires = ["initrd-root-device.target"];
+      after = [
+        "initrd-root-device.target"
+        # LUKS/TPM process
+        "systemd-cryptsetup@root_vg.service"
+        "local-fs-pre.target"
+      ];
+      before = [
+        "sysroot.mount"
+        "create-needed-for-boot-dirs.service"
+      ];
+      unitConfig.DefaultDependencies = "no";
+      serviceConfig.Type = "oneshot";
+      script = ''
+        mkdir -p /btrfs_tmp
+        mount /dev/mapper/root_vg /btrfs_tmp
+        if [[ -e /btrfs_tmp/root ]]; then
+            mkdir -p /btrfs_tmp/old_roots
+            timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+            mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+        fi
+
+        delete_subvolume_recursively() {
+            IFS=$'\n'
+            for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+                delete_subvolume_recursively "/btrfs_tmp/$i"
+            done
+            btrfs subvolume delete "$1"
+        }
+
+        for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +7); do
+            delete_subvolume_recursively "$i"
+        done
+
+        btrfs subvolume create /btrfs_tmp/root
+        umount /btrfs_tmp
+      '';
+    };
+  };
+}
--- a/modules/nixos/loginManagers/sddm/default.nix
+++ b/modules/nixos/loginManagers/sddm/default.nix
@ -0,0 +1,46 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.loginManagers.sddm;
+in {
+  options.${namespace}.loginManagers.sddm = with types; {
+    enable = mkBoolOpt false "Enable sddm as login manager";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      (catppuccin-sddm.override {
+        flavor = "mocha";
+        #	font = "";
+        fontSize = "16";
+        #background;
+        loginBackground = false;
+      })
+      wvkbd
+    ];
+    services.xserver.enable = true;
+    services.displayManager.sddm = {
+      enable = true;
+      theme = "catppuccin-mocha";
+      package = mkDefault pkgs.kdePackages.sddm;
+      wayland.enable = mkDefault config.${username}.presets.wayland.enable;
+      settings = {
+        General = {
+          InputMethod = "wvkbd-mobintl"; # Enables optional virtual keyboard at login (SDDM). Useful for touchscreens or accessibility.
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/presets/default/default.nix
+++ b/modules/nixos/presets/default/default.nix
@ -0,0 +1,79 @@
+{
+  lib,
+  pkgs,
+  namespace,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.presets.default;
+in {
+  options.${namespace}.presets.default = with types; {
+    enable = mkBoolOpt false "Enable preset with all the default settings - locale, time, etc";
+  };
+
+  config = mkIf cfg.enable {
+    # Set your time zone.
+    time.timeZone = "Europe/Berlin";
+
+    # Select internationalisation properties.
+    i18n.defaultLocale = "ru_RU.UTF-8";
+
+    i18n.extraLocaleSettings = {
+      LC_ADDRESS = "de_DE.UTF-8";
+      LC_IDENTIFICATION = "de_DE.UTF-8";
+      LC_MEASUREMENT = "de_DE.UTF-8";
+      LC_MONETARY = "de_DE.UTF-8";
+      LC_NAME = "de_DE.UTF-8";
+      LC_NUMERIC = "de_DE.UTF-8";
+      LC_PAPER = "de_DE.UTF-8";
+      LC_TELEPHONE = "de_DE.UTF-8";
+      LC_TIME = "de_DE.UTF-8";
+    };
+    programs.nh = {
+      enable = true;
+      clean.enable = true;
+      clean.extraArgs = "--keep-since 4d --keep 3";
+      flake = "/etc/nixos-config";
+    };
+    environment.systemPackages = with pkgs; [
+      nix-output-monitor
+      fzf
+      lazygit
+      git
+      btop
+      comma
+      snowfallorg.flake
+    ];
+    programs.bash = {
+      shellAliases = {
+        ls = "${pkgs.eza}/bin/eza --icons=always";
+      };
+    };
+    # Configure keymap in X11
+    services.xserver.xkb = {
+      layout = "us,ru";
+      variant = "";
+      options = "grp:caps_toggle";
+    };
+    console.keyMap = "us";
+    nix = {
+      settings = {
+        experimental-features = [
+          "nix-command"
+          "flakes"
+        ];
+        auto-optimise-store = true;
+        substituters = [
+          "https://nix-gaming.cachix.org"
+          "https://nix-community.cachix.org"
+        ];
+        trusted-public-keys = [
+          "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
+          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        ];
+      };
+    };
+  };
+}
--- a/modules/nixos/presets/gaming/default.nix
+++ b/modules/nixos/presets/gaming/default.nix
@ -0,0 +1,62 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.presets.gaming;
+in {
+  options.${namespace}.presets.gaming = with types; {
+    enable = mkBoolOpt false "Enable everything that you need for gaming";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      unzip
+      wget
+      xdotool
+      xorg.xprop
+      xorg.xrandr
+      unixtools.xxd
+      xorg.xwininfo
+      yad
+      protonup-qt
+      protontricks
+      bottles
+    ];
+    programs.steam = {
+      enable = true;
+      remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+      dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+      localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
+      package = pkgs.steam.override {
+        extraPkgs = pkgs:
+          with pkgs; [
+            xorg.libXcursor
+            xorg.libXi
+            xorg.libXinerama
+            xorg.libXScrnSaver
+            libpng
+            libpulseaudio
+            libvorbis
+            sdl3
+            SDL2
+            stdenv.cc.cc.lib
+            libkrb5
+            keyutils
+            gamescope
+          ];
+      };
+    };
+    programs.gamemode.enable = true;
+  };
+}
--- a/modules/nixos/presets/wayland/default.nix
+++ b/modules/nixos/presets/wayland/default.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.presets.wayland;
+in {
+  options.${namespace}.presets.wayland = with types; {
+    enable = mkBoolOpt false "Enable preset with MUST HAVE wayland things";
+  };
+
+  config = mkIf cfg.enable {
+    environment.sessionVariables = {
+      NIXOS_OZONE_WL = "1";
+    };
+    environment.systemPackages = with pkgs; [
+      wl-clipboard
+      git-credential-manager
+      egl-wayland
+    ];
+    hardware.graphics.enable = true;
+  };
+}
--- a/modules/nixos/presets/workstation/default.nix
+++ b/modules/nixos/presets/workstation/default.nix
@ -0,0 +1,114 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.presets.workstation;
+in {
+  options.${namespace}.presets.workstation = with types; {
+    enable = mkBoolOpt false "Enable workstation preset";
+  };
+
+  config = mkIf cfg.enable {
+    ${namespace} = {
+      presets.default = enabled;
+      presets.wayland = enabled;
+      hardware.printing = enabled;
+      hardware.bluetooth = enabled;
+      gpg = enabled;
+      services.syncthing = {
+	enable = true;
+	user = "kylekrein";
+      };
+    };
+
+    programs.direnv = {
+      enable = true;
+      nix-direnv.enable = true;
+    };
+    networking.networkmanager.enable = true;
+    services.udisks2.enable = true;
+
+    environment.systemPackages = with pkgs;
+    with pkgs.${namespace}; [
+      libreoffice
+      root-files
+      pass
+      gparted
+      qdirstat
+      exfatprogs
+      kitty
+      tealdeer
+      telegram-desktop
+      vlc
+      git-credential-manager
+      kitty-themes
+      solaar
+      pdfarranger
+      densify
+      gimp3
+
+      #kde
+      kdePackages.gwenview
+      kdePackages.ark
+
+      # user packages
+      obs-studio
+      neovim
+      localsend
+
+      gdb
+      element-desktop
+    ];
+    programs.kdeconnect.enable = true;
+  programs.kdeconnect.package = lib.mkDefault pkgs.kdePackages.kdeconnect-kde;
+    fonts.packages = with pkgs; [
+    nerd-fonts.jetbrains-mono
+    font-awesome
+    nerd-fonts.symbols-only
+    hack-font
+    # microsoft fonts:
+    #corefonts
+    #vistafonts
+  ];
+    environment.sessionVariables = {
+    MANPAGER = "emacsclient -c";
+    EDITOR = "emacsclient -c";
+  };
+    hardware = {
+    logitech.wireless.enable = true;
+  };
+
+  security.polkit.enable = true;
+
+  #programs.thunar = {
+  #	enable = true;
+  #	plugins = with pkgs.xfce; [
+  #		thunar-archive-plugin
+  #		thunar-volman
+  #	];
+  # };
+  #programs.xfconf.enable = true; # so thunar can save config
+  #services.gvfs.enable = true; # Mount, trash, and other functionalities
+  #services.tumbler.enable = true; # Thumbnail support for images
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+  };
+}
--- a/modules/nixos/programs/dolphin/default.nix
+++ b/modules/nixos/programs/dolphin/default.nix
@ -0,0 +1,71 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.programs.dolphin;
+in {
+  options.${namespace}.programs.dolphin = with types; {
+    enable = mkBoolOpt false "Enable dolphin on non Kde environments";
+  };
+
+  config =
+    mkIf cfg.enable {
+      environment.systemPackages = with pkgs; [
+    kdePackages.qtwayland
+    kdePackages.qtsvg
+    kdePackages.kio-fuse #to mount remote filesystems via FUSE
+    kdePackages.kio-extras #extra protocols support (sftp, fish and more)
+    kdePackages.kio-admin
+    libheif #https://github.com/NixOS/nixpkgs/issues/164021
+    libheif.out
+
+    #kde
+    kdePackages.breeze-icons
+    kdePackages.breeze
+    kdePackages.kdesdk-thumbnailers
+    kdePackages.kdegraphics-thumbnailers
+    kdePackages.kservice
+    kdePackages.kdbusaddons
+    kdePackages.kfilemetadata
+    kdePackages.kconfig
+    kdePackages.kcoreaddons
+    kdePackages.kcrash
+    kdePackages.kguiaddons
+    kdePackages.ki18n
+    kdePackages.kitemviews
+    kdePackages.kwidgetsaddons
+    kdePackages.kwindowsystem
+    shared-mime-info
+
+    #kde support tools
+    #libsForQt5.qt5ct
+    #qt6ct
+    kdePackages.kimageformats
+    kdePackages.dolphin
+    kdePackages.dolphin-plugins
+  ];
+  xdg = {
+    menus.enable = true;
+    mime.enable = true;
+  };
+
+  #https://discourse.nixos.org/t/dolphin-does-not-have-mime-associations/48985/3
+  # This fixes the unpopulated MIME menus
+  environment.etc."/xdg/menus/plasma-applications.menu".text = builtins.readFile "${pkgs.kdePackages.plasma-workspace}/etc/xdg/menus/plasma-applications.menu";
+  environment.etc."/xdg/menus/applications.menu".text = builtins.readFile "${pkgs.kdePackages.plasma-workspace}/etc/xdg/menus/plasma-applications.menu";
+  #environment.pathsToLink = [
+  #	"share/thumbnailers"
+  #];
+    };
+}
--- a/modules/nixos/programs/sops/.sops.yaml
+++ b/modules/nixos/programs/sops/.sops.yaml
@ -0,0 +1,13 @@
+keys:
+  - &primary age1l8euy4w4nccrpdmfdfct468parcrulkqcts2jcljajs2as0k7passdv2x4
+  - &kylekrein-framework12 age10s6c9har9pg2a0md30fhpp2mfy89xxrrnu5dwrjtqzh3lktcdaysq7st65
+  - &kylekrein-mac age12apyh4f5m002npnfq5kansrzme6umtzsvc6m96fjz752gg8c7a8s8e48xd
+  - &kylekrein-homepc age1z6d8gk5fhm5mkkcrm4dycs4ugqaar3ls2h5ehwul9qcqhl9x4q8szmz6c7
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *primary
+      - *kylekrein-framework12
+      - *kylekrein-mac
+      - *kylekrein-homepc
--- a/modules/nixos/programs/sops/default.nix
+++ b/modules/nixos/programs/sops/default.nix
@ -0,0 +1,36 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.programs.sops;
+  impermanence = config.${namespace}.impermanence;
+  keyPath =
+    if impermanence.enable
+    then "${impermanence.persistentStorage}/sops/age/keys.txt"
+    else "/var/lib/sops/age/keys.txt";
+in {
+  options.${namespace}.programs.sops = with types; {
+    enable = mkBoolOpt true "Enable KyleKrein's default sops settings";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [sops];
+    sops.defaultSopsFile = ./secrets/secrets.yaml;
+    sops.defaultSopsFormat = "yaml";
+    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key" "${impermanence.persistentStorage}/home/kylekrein/.ssh/id_ed25519" "/home/kylekrein/.ssh/id_ed25519"];
+    sops.age.keyFile = keyPath;
+    # This will generate a new key if the key specified above does not exist
+    sops.age.generateKey = true;
+  };
+}
--- a/modules/nixos/programs/sops/secrets/secrets.yaml
+++ b/modules/nixos/programs/sops/secrets/secrets.yaml
@ -0,0 +1,58 @@
+users:
+    kylekrein: ENC[AES256_GCM,data:DNLVQ4IPFhUG9MR9hk2BuElvfNZIky3nMGWgilutRwvT3wl25vOLEETrBFoWUO+2ZgLSnhtwWtIJhNlRlTK/rsrUNVTOdwq9AA==,iv:Z+dhr33Wotm064IcwtNfFpvQeL03T29Dn3Bl9VqPL1g=,tag:Qe3sOY0DegSKDptBjnbFrQ==,type:str]
+    tania: ENC[AES256_GCM,data:veo/dKQpztSGLfCxpWqoTOlPqSaNeNW2pYrTU9z125hjBVt2LC8X+mDp8vA0r8QFKpkGr1BiwviUTuXsSO1IXn3nHfDGsHQqFQ==,iv:q3pCcil1wiKe5xC6QEn3Q4wV1icW+3CCUQw6QZIINWU=,tag:XvBfIEORfdTcUihtcJQZVg==,type:str]
+    andrej: ENC[AES256_GCM,data:x/cWcswSDMFxXSLXe1JWGnQAuPYWM5AU4X3WxVAqUIifcYWxxynMfL9LXEgo3sP1IvRyp4FW+voWQrJM/KGdbYkkrAJNhbD7/Q==,iv:C51H9Zz4nxB+K1cohRq+1oPQ/ckDgVCMW4vB4+3wEt8=,tag:8ENLfMIoHbJGxceCKZulxg==,type:str]
+services:
+    conduwuit: ENC[AES256_GCM,data:1shEq67QJTkeqrfYSr/eYG7gYWH//5ey6XQ=,iv:hy5wQmue8qU4ALfn9BrNQLnsTk8BsVVXY/8bDj18mXk=,tag:h6+hL0HjgSzd15Kc7Zg4ng==,type:str]
+    gitlab:
+        dbPassword: ENC[AES256_GCM,data:itn9xyNZO+xkSk0GKvLzjLRzM0uZ+TalqLtj6tyjKXM=,iv:U8bX/On89wz6Lz4R2/fZ+FWRObehlnjFhUQdAhmxb60=,tag:oEbee14jCGfRs8i5bJZ5FA==,type:str]
+        rootPassword: ENC[AES256_GCM,data:lXq+GIn6ooTzZL4iMYFzx3kn8gdcdsNaLQ/zVCr75Nw=,iv:mGp9gxL9uABpbod/ZNNyEllBbcfrQuFG4pQgs0v/xbk=,tag:CZzj4hauh/Qi8fvtmaZ/KQ==,type:str]
+        secret: ENC[AES256_GCM,data:W7PfRh80hzMZrJebHgs4CJeeABWIVVkh3ByTF1Yfavw=,iv:WnLEACeCZOf+YpF4RzQCXG6uPEq7zrE6u7DQQLZjL/Q=,tag:3qjnIeoptMsIxIbTh5TR+Q==,type:str]
+        dbsecret: ENC[AES256_GCM,data:5VJdhvr1z3sYlXJz0u1eKk5UBt9rKzMiTQcawA64/K0dL6A3WCppnmHeLw6X0vJPnZ6uqJuEDyV7DU5nEg==,iv:fk0oDjYfxzWD2SmVSlwrvJeiHrMxUhR41bqQJ5IXs18=,tag:9cSlRX+bvr8vjBtxwqbeFw==,type:str]
+        otpsecret: ENC[AES256_GCM,data:enBP2fsr+VaHuK93GGDtgGMSf20yxgLloHIHIibFfLo=,iv:iLLVuypLXySsw363Y9CSz5Kqa3CCNQFwURdOoi5Ig20=,tag:CgUMcT+x/134JJaScHLlOQ==,type:str]
+        activeRecordSalt: ENC[AES256_GCM,data:kbIImurv4lpcJJMQlEVJJpuuBTw/OUG+PW3Y9kQlIVM=,iv:1ymv3gmRhff49uaTLrIkWA0rX1wtRdfpa0551zHvsko=,tag:KDrDNg9sKRomGH8psS17gA==,type:str]
+        activeRecordPrimaryKey: ENC[AES256_GCM,data:AfL5kKmD2uqzq07xCCELDPLtZinE4b4RAmqd9xWAxgg=,iv:3Mhadey/k6k3/Ysb2KQ4eb9lDzHQJRAKP8R1Fw4wFdg=,tag:/0wS7lVkuoYTMCut8UEXWg==,type:str]
+        activeRecordDeterministicKey: ENC[AES256_GCM,data:pJBZAL60XeCrW7CPx76WcWpsYOwlR4OWmIP/61vNL3k=,iv:t/YmnVFge6kLiQjXD6RKNn7r5Oy1Aeyi3ZIaP57Nhig=,tag:L4aU4h4KdbsSNDpgybaV3g==,type:str]
+        oidcKeyBase: ENC[AES256_GCM,data:hHBdaIynMg8eWiwDjDfN+8PcUjOPl9VzG6lu2Z1eRrC2PaVXORg1Eh6YPi83efqhaSbONHeiORGsLM/NYHFcviEvQ8aZXb9y/ojKPHdyjYvkedIU1alyfWqiz8+xP/H2JFPgMdDsO6Tt4IswTMCfbNOXY2+RwImLACxTDoeY9LX2wklrGWh7F7DqAYymM2T6PrulJqGtbrep3yEylb5kqPZU34aJQzdZ7/zA5EW68xTOWEElCcxfkr2ThCywk6quUQaaCsqVAjZhULRDYfDA/umF8r6S7eNh0eFm6X17xsLTgkSMkx4gLvaUxtLG9bGM/5FJ6823hyRSTNXZx0cV7f195mqeUhn6rvUIl6qC8O7Ln6auWxjuJDRo+1Phr4J3dQMBXBaG2WpQFufgXNw8qWpMEqpiN6CjXhFYWJT/TxCZR+Bdxqt8Fegk0DjcEQFbJDOKKV3/JMu1hIsydeVRTmyy06EbBKSfAIgFddQIA7DmxqK6tqLRtITQ1K9xGnt4msiqgfv1XiyeTo+vmptYVDGLSLtB6yfOKvs/U31RlNESwcHwIqlisl1bex5HV10OCcMkFVhhffoiT1Swdj9ilMhd3TkgL2uJstC26QuyB4Gdnmz28MWU28JXP7qVf0rvq6nNPYAKpO3LgNPx5JrCz6DGCxSZiJOQ0fYDxz5QC2EznAbmZachg8tBb4Hmd/CvEtMMvWfkxueadTV7fWR0l3R4H1cizUF8j2NIfqWb6TQLIy25PaOSNnyZ+a4NFZDgZQcpl4zbCLVKHEKGDGhMr4SpEtKzasZSwv1jw7TZoiN8I2g1hSdZRCq3KJ2nAIGvlZd8NUTsksxsIXcxaoM1rfl4dIOfHm3H+HcKmnMYafnCH0EgdRZeAv1sonDzUOEl2G8myUTa3xNlR43lauIG0ipat83UO6INFh4N0TFJtirPHjm72ZMfUK89ut5fWnYqiKopkJEtAy7Bk1EUbXwuRfBDB34m8AFdDGbVWWVaoVJkSuIr8PHMsFhJRGn1TUit7tDQfgPvLpPD0Wiq2PBgoExZ8qLYUDdOCvTxWnZ+gpTRghiBebulNR0xGOCeopg4qiMZ7rWfUJHsqNUazpak1JPIWC8wYIJ4vojjIH1TCpl11lYUvXy1ffFkcWBYplsGYBuY3qpXG/Od3yrdwPKzhHPjPpWDdxZJBW91HRdq0qhq9mYIr28kqGF4Mg60cGGdin+/O0jcfzWzwhjibEfrfuzBqhHknTPXDTlKPBctdvcQZRUsOS0d6SrNRXOvvzlSTrUowaQTSrZNzNDpAt3VKYJDnXGgwnAZSk8zhRM7J6bc9artgm75qBWuZCxLHbcqyBeWVRALYPkWp5h1bLCaGHgC7x986d0mGxfU9p2szIRyacbJN/ITIuDuDmvBt9NWydkkdT3GZE9uhbxQMgfkKyLyXvf7LrF1iSmIos15tYCZrxAcu0LMo2mqW51e92uc4AXE8rVB4k7z2j19F5sW9GMQgKOk6qT1CSpzfHvPpVdKQ5cVVj4X5GZOao5flo1tO/sNwE92Jpc/jLw96737rRDGe9vSkdbyhSS1wrF4+P59QPxsdelSAYZF6YMgSN0yCJFuRLWfj6IpxpBIEEuB5QACCHnDiWi9cFEwRaq6EX6f87Joznd9o1kwASmMXpkXqv/rLorjlqdXajwdFXEmNUFMqX90va7LvlZJPHhvXmgJCwdHAKacQj1m0Ji4EqSZhM/I1uEhG6zTc2jE46N2peVf2JytEGpbgF/m2pyGJDDQ5SDIfG+4AdUXVTk68wl0Q2SSjBb4d/N8XNfPHHToXEuNsNmHZx/4Yt9b+RJqzl3Mi+HOvJP/mz8wR7TxceHnuqE0RTvl9TYN0MXkXVfh6ECj6AaDuiL930IYabRZ5do7eMaA2OYZoPvZA4udoctDApyzs0Dn0gVu9sFXUgmNV7YnkETeEtjKEn/sjWmkMFQ+vJoK27H4OuILxYj5jtBhWbjNYeheBVo5jXmANakDO95vlLhlp2t11LrEoR59dNVVvvN3zDuX1/EYI0OvS4Isl7HTk8ud0+8tfzywGAY3LtEhpEffe91gqEleu2atKYWZQ8917ugvmGkNQ5SNJloDFtUFvAAjJypoovQ6JxQOgFGSsgKMMUMSyuUQnjkxThrGL6oMavAGKElJn6xFc48xSvS4dluTotqwzN2gaV5a98PFbw4zda3ltx2uJD3XxYqr1J92P39YMjKihFIALrcXIESV0Aehfap3WATjlRLikTq726wo2n+k,iv:P8C/7NUd1G/VbKz7iWjTVXxMFOxZQxX5d0V4Tj6KeCw=,tag:iq4s3ahqkmf4e7BffjlIcQ==,type:str]
+sops:
+    age:
+        - recipient: age1l8euy4w4nccrpdmfdfct468parcrulkqcts2jcljajs2as0k7passdv2x4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU2dMcDZjNHhFMmltNkRJ
+            VlZiYk1hdE1Dczhya3J4Q1EyUlY3ekZtVUFnCkpvN2Y0OFNUTnFtbFIxZVhDdnc3
+            YWh3S3FWeXFHTlU4Y0ZOZmI5d1F1dTAKLS0tIFhWSWp1d29ORnJGYWZxMDJib0ho
+            NTFaWFE0Rk4yU2hXYjRsUFhZY3pTR2cKoQkn7UJVh7uIyCEezrd34arkRxScIL3O
+            4P/6eDoqXJBkvzwDgidqLLcwuu1nanJpbmr662gRuZmnybwEVp504g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10s6c9har9pg2a0md30fhpp2mfy89xxrrnu5dwrjtqzh3lktcdaysq7st65
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXRU8vd0I0bjRma1pveWVn
+            ZWFKci9ld2NuRmFla3R0azgzaHl0N20rMHlzCmpaaE1HYmYzVW1RWUw1L0hBclJk
+            eUlDTWk3ZXJ5Z25HYXJFODQ4T1lHMFUKLS0tIDg0QlhoQll1Q01BY2thSEFTN0RH
+            cGd4ZG9VUWVxeFlZL2VuVlFsRWVseDQKHKkQONzFlbKMFFzNeATkpUqJdWIAlEL8
+            QqUvujs1mMCWw9dqXhlT2ik7LHQO6yp5Oh4gxLg8nhZqs5O+leNdQQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12apyh4f5m002npnfq5kansrzme6umtzsvc6m96fjz752gg8c7a8s8e48xd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Wmc1alppT1BSS0NKcDZ0
+            TWNOKzVmQkpmeG1YZ0p4Tm5BVlBxaS81VW44CllubzREc3g0dVB4dUhuMWJDMGtm
+            UTVBYlZjT3JEWExoSDV5a1BzYk1BMUUKLS0tICtnK2xNalBEWjFPZis2UFRubWxl
+            aDdZNVZqRnM5U3hRK1gyNFllRVJXMEkKko3YM1MtoWR01/YN/1QtTgtWsGf+r8MH
+            dZaWrIyAbRMeR/aBSZ3VjiuP1d2G7YtT1fa7/jaXd0igiYu2gWDu9A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1z6d8gk5fhm5mkkcrm4dycs4ugqaar3ls2h5ehwul9qcqhl9x4q8szmz6c7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheDVNcVRKTHdxa01zTjJi
+            NUxGVVlleTNaZnJ6QVhreU9XbGkwaVh6R1N3CkR5T0VKTnd6N0hteDlOUHdKcS9p
+            YWwzL2lwTExyaUcrcXQ2dG4xOGpZN0UKLS0tIFJZU1hXMUtOSklXYjdtWkt6UTFl
+            MU43ZWEwMXEwdGx5d0hUNlhiaGdjWU0K9UoNQOnMxTy0KdfiYOgm0TxH5qFUV3gi
+            f7z2RzR44ndf0nHwIzr8e1bmF9q5mc685Wq9qyM7aLCE+yUU/vUO7Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-30T16:15:59Z"
+    mac: ENC[AES256_GCM,data:mmJH3BEqsrboGaQM7yWuHF1MWREC4bLc+RAZgsqlNvhgoWLoaVDLuBjEfuXCDPdnvDPesbUrI8HHA5gz523C0PoJdkoFcRoVOwhLqj6tJjT4JnlaTgpBMN5UqBqt9Gm68mqekE0bm7ihdc3lnn/OkRrxJI3Th5KzUC4zMmdjVsI=,iv:K0f75ft3PQdQ1AUFzrannvLv03fl6FS6se/muMcyQkY=,tag:y3FJQDthKoWvoMHdmcvRQA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/modules/nixos/security/users/default.nix
+++ b/modules/nixos/security/users/default.nix
@ -0,0 +1,44 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.security.users;
+in {
+  options.${namespace}.security.users = with types; {
+    enable = mkBoolOpt true "Enable security measures for users, that include immutable users, disabled root access and ssh rules";
+  };
+
+  config = mkIf cfg.enable {
+    users = {
+      mutableUsers = false;
+      users = {
+        root = {
+          # disable root login here, and also when installing nix by running nixos-install --no-root-passwd
+          # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
+          hashedPassword = "!"; # disable root logins, nothing hashes to !
+        };
+      };
+    };
+    # Enable the OpenSSH daemon.
+    services.openssh = {
+      enable = true;
+      # require public key authentication for better security
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+      settings.PermitRootLogin = "no";
+    };
+    networking.firewall.allowedTCPPorts = [22];
+    networking.firewall.allowedUDPPorts = [22];
+  };
+}
--- a/modules/nixos/services/syncthing/default.nix
+++ b/modules/nixos/services/syncthing/default.nix
@ -0,0 +1,40 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.services.syncthing;
+  impermanence = config.${namespace}.impermanence;
+in {
+  options.${namespace}.services.syncthing = with types; {
+    enable = mkBoolOpt false "Enable syncthing service for the user";
+    user = lib.mkOption {
+        type = lib.types.singleLineStr;
+        default = "";
+        example = "nixos";
+        description = ''
+          User, that will use the syncthing service (only one at a time)
+        '';
+      };
+  };
+
+  config =
+    mkIf cfg.enable {
+      systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true"; # Don't create default ~/Sync folder
+  services.syncthing = {
+    inherit (cfg) user;
+    configDir = optional (impermanence.enable) "${impermanence.persistentStorage}/home/${cfg.user}/.config/syncthing";
+    enable = true;
+  };
+    };
+}
--- a/modules/nixos/windowManagers/niri/default.nix
+++ b/modules/nixos/windowManagers/niri/default.nix
@ -0,0 +1,42 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.windowManagers.niri;
+in {
+  options.${namespace}.windowManagers.niri = with types; {
+    enable = mkBoolOpt false "Enable Niri as your window manager";
+  };
+
+  config =
+    mkIf cfg.enable {
+      ${namespace} = {
+	loginManagers.sddm.enable = mkDefault true;
+	 security.pam.services.hyprlock = {};
+  programs.niri = {
+    enable = true;
+    package = pkgs.niri-unstable;
+  };
+  niri-flake.cache.enable = true;
+  environment.systemPackages = with pkgs; [
+    wl-clipboard
+    wayland-utils
+    libsecret
+    gamescope
+    xwayland-satellite-unstable
+    swaybg
+  ];
+      };
+    };
+}