bump ftb-app to 1.27.3

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

.github/settings.yml

@@ -1,204 +1,173 @@
 # Have borrowed this config from nix-community/infra
 repository:
-  # See https://developer.github.com/v3/repos/#edit for all available settings.
+    # See https://developer.github.com/v3/repos/#edit for all available settings.
 
-  # The name of the repository. Changing this will rename the repository
-  name: nix-dotfiles
-
-  # A short description of the repository that will show up on GitHub
-  description: RAD-Dev Infra
-
-  # A URL with more information about the repository
-  # homepage: "https://nix-community.org"
-
-  # A comma-separated list of topics to set on the repository
-  topics: "nixos"
-
-  # Either `true` to make the repository private, or `false` to make it public.
-  private: false
-
-  # Either `true` to enable issues for this repository, `false` to disable them.
-  has_issues: true
-
-  # Either `true` to enable projects for this repository, or `false` to disable them.
-  # If projects are disabled for the organization, passing `true` will cause an API error.
-  has_projects: true
-
-  # Either `true` to enable the wiki for this repository, `false` to disable it.
-  has_wiki: false
-
-  # Either `true` to enable downloads for this repository, `false` to disable them.
-  has_downloads: false
-
-  # Updates the default branch for this repository.
-  default_branch: main
-
-  # Either `true` to allow squash-merging pull requests, or `false` to prevent
-  # squash-merging.
-  allow_squash_merge: true
-
-  # Either `true` to allow merging pull requests with a merge commit, or `false`
-  # to prevent merging pull requests with merge commits.
-  allow_merge_commit: false
-
-  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
-  # rebase-merging.
-  allow_rebase_merge: true
-
-  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
-  delete_branch_on_merge: true
-
-  # Either `true` to enable automated security fixes, or `false` to disable
-  # automated security fixes.
-  enable_automated_security_fixes: true
-
-  # Either `true` to enable vulnerability alerts, or `false` to disable
-  # vulnerability alerts.
-  enable_vulnerability_alerts: true
-
-  allow_auto_merge: true
+    # The name of the repository. Changing this will rename the repository
+    name: nix-dotfiles
+    # A short description of the repository that will show up on GitHub
+    description: RAD-Dev Infra
+    # A URL with more information about the repository
+    # homepage: "https://nix-community.org"
 
+    # A comma-separated list of topics to set on the repository
+    topics: "nixos"
+    # Either `true` to make the repository private, or `false` to make it public.
+    private: false
+    # Either `true` to enable issues for this repository, `false` to disable them.
+    has_issues: true
+    # Either `true` to enable projects for this repository, or `false` to disable them.
+    # If projects are disabled for the organization, passing `true` will cause an API error.
+    has_projects: true
+    # Either `true` to enable the wiki for this repository, `false` to disable it.
+    has_wiki: false
+    # Either `true` to enable downloads for this repository, `false` to disable them.
+    has_downloads: false
+    # Updates the default branch for this repository.
+    default_branch: main
+    # Either `true` to allow squash-merging pull requests, or `false` to prevent
+    # squash-merging.
+    allow_squash_merge: true
+    # Either `true` to allow merging pull requests with a merge commit, or `false`
+    # to prevent merging pull requests with merge commits.
+    allow_merge_commit: false
+    # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+    # rebase-merging.
+    allow_rebase_merge: true
+    # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+    delete_branch_on_merge: true
+    # Either `true` to enable automated security fixes, or `false` to disable
+    # automated security fixes.
+    enable_automated_security_fixes: true
+    # Either `true` to enable vulnerability alerts, or `false` to disable
+    # vulnerability alerts.
+    enable_vulnerability_alerts: true
+    allow_auto_merge: true
 # Labels: define labels for Issues and Pull Requests
 #
 labels:
-  - name: bug
-    color: '#d73a4a'
-    description: Something isn't working
-  - name: CI/CD
-    # If including a `#`, make sure to wrap it with quotes!
-    color: '#0e8a16'
-    description: Related to GH Actions or Hydra
-  - name: documentation
-    color: '#0075ca'
-    description: Improvements or additions to documentation
-  - name: duplicate
-    color: '#cfd3d7'
-    description: This issue or pull request already exists
-  - name: enhancement
-    color: '#a2eeef'
-    description: New feature or request
-  - name: good first issue
-    color: '#7057ff'
-    description: Good for newcomers
-  - name: help wanted
-    color: '#008672'
-    description: Extra attention is needed
-  - name: high priority
-    color: '#BF480A'
-    description: A major vurnability was detected
-  - name: invalid
-    color: '#e4e669'
-    description: This doesn't seem right
-  - name: new user
-    color: '#C302A1'
-    description: A new user was added to the Flake
-  - name: question
-    color: '#d876e3'
-    description: Further information is requested
-  - name: wontfix
-    color: '#ffffff'
-    description: This will not be worked on
-  - name: dependencies
-    color: '#cb4ed5'
-    description: Used for PR's related to flake.lock updates
-  - name: automated
-    color: '#42b528'
-    description: PR was automatically generated (through a bot or CI/CD)
-
+    - name: bug
+      color: '#d73a4a'
+      description: Something isn't working
+    - name: CI/CD
+      # If including a `#`, make sure to wrap it with quotes!
+      color: '#0e8a16'
+      description: Related to GH Actions or Hydra
+    - name: documentation
+      color: '#0075ca'
+      description: Improvements or additions to documentation
+    - name: duplicate
+      color: '#cfd3d7'
+      description: This issue or pull request already exists
+    - name: enhancement
+      color: '#a2eeef'
+      description: New feature or request
+    - name: good first issue
+      color: '#7057ff'
+      description: Good for newcomers
+    - name: help wanted
+      color: '#008672'
+      description: Extra attention is needed
+    - name: high priority
+      color: '#BF480A'
+      description: A major vurnability was detected
+    - name: invalid
+      color: '#e4e669'
+      description: This doesn't seem right
+    - name: new user
+      color: '#C302A1'
+      description: A new user was added to the Flake
+    - name: question
+      color: '#d876e3'
+      description: Further information is requested
+    - name: wontfix
+      color: '#ffffff'
+      description: This will not be worked on
+    - name: dependencies
+      color: '#cb4ed5'
+      description: Used for PR's related to flake.lock updates
+    - name: automated
+      color: '#42b528'
+      description: PR was automatically generated (through a bot or CI/CD)
 # Milestones: define milestones for Issues and Pull Requests
 milestones:
-  - title: Go-Live
-    description: >-
-      All requirements for official go-live:
-      - Automated testing via Hydra/Actions
-      - Automated deployments via Hydra/Actions
-      - 90+% testing coverage
-      - Functional formatter with custom rules
-      - palatine-hill is fully stable, enough so that jeeves can be migrated
-    # The state of the milestone. Either `open` or `closed`
-    state: open
-  - title: Jeeves Migration
-    description: >-
-      Test common use-cases for Jeeves
-      - Quadro GPU support
-      - Multi-GPU support
-      - Plex support
-      - Docker support
-      - ZFS support
-
-
+    - title: Go-Live
+      description: >-
+        All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
+      # The state of the milestone. Either `open` or `closed`
+      state: open
+    - title: Jeeves Migration
+      description: >-
+        Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
 # Collaborators: give specific users access to this repository.
 # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
 collaborators:
-  # - username: numtide-bot
-  # Note: `permission` is only valid on organization-owned repositories.
-  # The permission to grant the collaborator. Can be one of:
-  # * `pull` - can pull, but not push to or administer this repository.
-  # * `push` - can pull and push, but not administer this repository.
-  # * `admin` - can pull, push and administer this repository.
-  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-  # permission: push
+# - username: numtide-bot
+# Note: `permission` is only valid on organization-owned repositories.
+# The permission to grant the collaborator. Can be one of:
+# * `pull` - can pull, but not push to or administer this repository.
+# * `push` - can pull and push, but not administer this repository.
+# * `admin` - can pull, push and administer this repository.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# permission: push
 
 # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
 teams:
-  # - name: admin
-    # The permission to grant the team. Can be one of:
-    # * `pull` - can pull, but not push to or administer this repository.
-    # * `push` - can pull and push, but not administer this repository.
-    # * `admin` - can pull, push and administer this repository.
-    # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-    # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-    # permission: admin
-
+# - name: admin
+# The permission to grant the team. Can be one of:
+# * `pull` - can pull, but not push to or administer this repository.
+# * `push` - can pull and push, but not administer this repository.
+# * `admin` - can pull, push and administer this repository.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# permission: admin
 branches:
-  # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
+    # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
 
-  # not available in the api yet
-  # `Require merge queue`: true
-  # `Merge method`: Rebase and merge
-  # `Maximum pull requests to build`: 1
-  # `Maximum pull requests to merge`: 1
-  # defaults:
-  # `Maximum pull requests to build`: 5
-  # `Minimum pull requests to merge`: 1 or 5 minutes
-  # `Maximum pull requests to merge`: 5
-  # `Only merge non-failing pull requests`: true
-  # `Consider check failed after`: 60 minutes
+    # not available in the api yet
+    # `Require merge queue`: true
+    # `Merge method`: Rebase and merge
+    # `Maximum pull requests to build`: 1
+    # `Maximum pull requests to merge`: 1
+    # defaults:
+    # `Maximum pull requests to build`: 5
+    # `Minimum pull requests to merge`: 1 or 5 minutes
+    # `Maximum pull requests to merge`: 5
+    # `Only merge non-failing pull requests`: true
+    # `Consider check failed after`: 60 minutes
+    - name: main
+      # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+      # Branch Protection settings. Set to null to disable
+      protection:
+        # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
 
-  - name: main
-    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
-    # Branch Protection settings. Set to null to disable
-    protection:
-      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
-
-      # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
-      required_pull_request_reviews:
-        # # The number of approvals required. (1-6)
-        required_approving_review_count: 1
-        # # Dismiss approved reviews automatically when a new commit is pushed.
-        dismiss_stale_reviews: true
-        # # Blocks merge until code owners have reviewed.
-        require_code_owner_reviews: false
-        # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
-        # dismissal_restrictions:
-        #   users: []
-        #   teams: []
-        require_last_push_approval: false
-      # Required. Require status checks to pass before merging. Set to null to disable
-      # required_status_checks:
+        # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
+        required_pull_request_reviews:
+            # # The number of approvals required. (1-6)
+            required_approving_review_count: 1
+            # # Dismiss approved reviews automatically when a new commit is pushed.
+            dismiss_stale_reviews: true
+            # # Blocks merge until code owners have reviewed.
+            require_code_owner_reviews: false
+            # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+            # dismissal_restrictions:
+            #   users: []
+            #   teams: []
+            require_last_push_approval: false
+        # Required. Require status checks to pass before merging. Set to null to disable
+        # required_status_checks:
         # Required. Require branches to be up to date before merging.
         # strict: false
         # Required. The list of status checks to require in order to merge into this branch
         # contexts:
         #   - buildbot/nix-eval
-      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
-      enforce_admins: true
-      # Disabled for bors to work
-      required_linear_history: true
-      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
-      restrictions:
-        apps: []
-        # TODO: make a buildbot instance
-        # users: ["nix-infra-bot"]
-        teams: []
+        # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+        enforce_admins: true
+        # Disabled for bors to work
+        required_linear_history: true
+        # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+        restrictions:
+            apps: []
+            # TODO: make a buildbot instance
+            # users: ["nix-infra-bot"]
+            teams: []

.github/workflows/flake-health-checks.yml

@@ -1,48 +1,47 @@
 name: "Check Nix flake"
 on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-  merge_group:
-
+    push:
+        branches: ["main"]
+    pull_request:
+        branches: ["main"]
+    merge_group:
 jobs:
-  health-check:
-    name: "Perform Nix flake checks"
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest]
-    steps:
-      - uses: DeterminateSystems/nix-installer-action@main
-      - name: Setup Attic cache
-        uses: ryanccn/attic-action@v0
-        with:
-          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-          cache: ${{ secrets.ATTIC_CACHE }}
-          token: ${{ secrets.ATTIC_TOKEN }}
-          skip-push: "true"
-      - uses: actions/checkout@v4
-      - run: nix flake check --accept-flake-config
-      - run: nix ./utils/attic-push.bash
-  build-checks:
-    name: "Build nix outputs"
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest]
-    steps:
-      - uses: DeterminateSystems/nix-installer-action@main
-      - name: Setup Attic cache
-        uses: ryanccn/attic-action@v0
-        with:
-          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-          cache: ${{ secrets.ATTIC_CACHE }}
-          token: ${{ secrets.ATTIC_TOKEN }}
-          skip-push: "true"
-      - uses: actions/checkout@v4
-      - name: Build all outputs
-        run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
-      - name: Push to Attic
-        run: nix ./utils/attic-push.bash
-        continue-on-error: true
+    health-check:
+        name: "Perform Nix flake checks"
+        runs-on: ${{ matrix.os }}
+        strategy:
+            matrix:
+                os: [ubuntu-latest]
+        steps:
+            - uses: DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - run: nix flake check --accept-flake-config
+            - run: nix ./utils/attic-push.bash
+    build-checks:
+        name: "Build nix outputs"
+        runs-on: ${{ matrix.os }}
+        strategy:
+            matrix:
+                os: [ubuntu-latest]
+        steps:
+            - uses: DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - name: Build all outputs
+              run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true

.github/workflows/flake-update.yml

@@ -1,152 +1,112 @@
 name: "Update flakes"
 on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "00 12 * * *"
+    repository_dispatch:
+    workflow_dispatch:
+    schedule:
+        - cron: "00 12 * * *"
 jobs:
-  createPullRequest:
-    runs-on: ubuntu-latest
-    # if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
-    steps:
-      - uses: actions/checkout@v4
-      # - name: Login to Docker Hub
-        # uses: docker/login-action@v3
-        # with:
-        #   username: ${{ secrets.DOCKERHUB_USERNAME }}
-        #   password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Install Nix
-        uses: cachix/install-nix-action@v24
-        with:
-          extra_nix_config: |
-            experimental-features = nix-command flakes
-          install_url: https://releases.nixos.org/nix/nix-2.19.0/install
-      - name: Setup Attic cache
-        uses: ryanccn/attic-action@v0
-        with:
-          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-          cache: ${{ secrets.ATTIC_CACHE }}
-          token: ${{ secrets.ATTIC_TOKEN }}
-          skip-push: "true"
-      - name: Calculate pre-drv
-        run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
-      # - name: Pull latest docker images
-      #   run: nix ./utils/fetch-docker.sh
-      - name: Update flake.lock (part 1)
-        run: nix flake update
-      - name: Calculate post-drv
-        run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff --  --build .
-      # - name: Calculate diff
-      #   run: nix ./utils/diff-evals.sh
-      # - name: Read diff into environment
-      #   run: |
-      #     delimiter="$(openssl rand -hex 8)"
-      #     {
-      #     echo "POSTDIFF<<${delimiter}"
-      #     cat post-diff
-      #     echo "${delimiter}"
-      #     } >> $GITHUB_ENV
+    update_lockfile:
+        runs-on: ubuntu-latest
+        #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+            - name: Install nix
+              uses: https://github.com/DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - name: Get pre-snapshot of evaluations
+              run: nix ./utils/eval-to-drv.sh pre
+            - name: Update flake.lock
+              id: update
+              run: |
+                nix flake update 2> >(tee /dev/stderr) | awk '
+                  /^• Updated input/ {in_update = 1; print; next}
+                  in_update && !/^warning:/ {print}
+                  /^$/ {in_update = 0}
+                ' > update.log
 
+                echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
+                cat update.log >> $GITHUB_ENV
+                echo "EOF" >> $GITHUB_ENV
 
-      # - name: Restore flake.lock for next step
-      #   run: git restore flake.lock
-      # - name: Update flake.lock
-      #   id: update
-      #   uses: DeterminateSystems/update-flake-lock@main
-      #   with:
-      #     token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
-      #     pr-body: |
-      #       Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+                rm update.log
+            - name: Get post-snapshot of evaluations
+              run: nix ./utils/eval-to-drv.sh post
+            - name: Calculate diff
+              run: nix ./utils/diff-evals.sh
+            - name: Read file contents
+              id: read_file
+              uses: guibranco/github-file-reader-action-v2@latest
+              with:
+                path: "post-diff"
+            - name: Write PR body template
+              uses: https://github.com/DamianReeves/write-file-action@v1.3
+              with:
+                path: pr_body.template
+                contents: |
+                    - The following Nix Flake inputs were updated:
 
-      #       ```
-      #       {{ env.GIT_COMMIT_MESSAGE }}
-      #       ```
+                    ```
+                    ${{ env.UPDATE_LOG }}
+                    ```
 
-      #       ```
-      #       {{ env.POSTDIFF }}
-      #       ```
-      #     pr-labels: |                  # Labels to be set on the PR
-      #       dependencies
-      #       automated
-  update_lockfile:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install nix
-        uses: https://github.com/DeterminateSystems/nix-installer-action@main
+                    ```
+                    ${{ steps.read_file.outputs.contents }}
+                    ```
 
-      - name: Update flake.lock
-        id: update
-        run: |
-          nix flake update 2> >(tee /dev/stderr) | awk '
-            /^• Updated input/ {in_update = 1; print; next}
-            in_update && !/^warning:/ {print}
-            /^$/ {in_update = 0}
-          ' > update.log
+                    Auto-generated by [update.yml][1] with the help of
+                    [create-pull-request][2].
 
-          echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
-          cat update.log >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
+                    [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
+                    [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
+            - name: Generate PR body
+              uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
+              with:
+                files: "pr_body.template"
+                output-filename: "pr_body.md"
+            - name: Save PR body
+              id: pr_body
+              uses: juliangruber/read-file-action@v1
+              with:
+                path: "pr_body.md"
+            - name: Remove temporary files
+              run: |
+                rm pr_body.template
+                rm pr_body.md
+                rm pre.json
+                rm post.json
+                rm post-diff
+            - name: Create Pull Request
+              id: create-pull-request
+              # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
+              uses: https://nayeonie.com/ahuston-0/create-pull-request@main
+              with:
+                token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
+                body: ${{ steps.pr_body.outputs.content }}
+                author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
+                title: 'automated: Update `flake.lock`'
+                commit-message: |
+                    automated: Update `flake.lock`
 
-          rm update.log
-
-      - name: Write PR body template
-        uses: https://github.com/DamianReeves/write-file-action@v1.3
-        with:
-          path: pr_body.template
-          contents: |
-            - The following Nix Flake inputs were updated:
-
-            ```
-            ${{ env.UPDATE_LOG }}
-            ```
-
-            Auto-generated by [update.yml][1] with the help of
-            [create-pull-request][2].
-
-            [1]: https://forgejo.stefka.eu/jiriks74/nix.nvim/src/branch/main/.github/workflows/update.yml
-            [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
-
-      - name: Generate PR body
-        uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
-        with:
-          files: "pr_body.template"
-          output-filename: "pr_body.md"
-      - name: Save PR body
-        id: pr_body
-        uses: juliangruber/read-file-action@v1
-        with:
-          path: "pr_body.md"
-
-      - name: Remove temporary files
-        run: |
-          rm pr_body.template
-          rm pr_body.md
-
-      - name: Create Pull Request
-        id: create-pull-request
-        # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
-        uses: https://nayeonie.com/ahuston-0/create-pull-request@main
-        with:
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
-          body: ${{ steps.pr_body.outputs.content }}
-          author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
-          title: 'automated: Update `flake.lock`'
-          commit-message: |
-            automated: Update `flake.lock`
-
-            ${{ steps.pr_body.outputs.content }}
-
-          branch: update-flake-lock
-          delete-branch: true
-      - name: Push to Attic
-        run: nix ./utils/attic-push.bash
-        continue-on-error: true
-      - name: Print PR number
-        run: |
-          echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
-          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+                    ${{ steps.pr_body.outputs.content }}
+                branch: update-flake-lock
+                delete-branch: true
+                pr-labels: | # Labels to be set on the PR
+                    dependencies
+                    automated
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true
+            - name: Print PR number
+              run: |
+                echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
+                echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 permissions:
-  pull-requests: write
-  contents: write
+    pull-requests: write
+    contents: write

.github/workflows/lock-health-checks.yml

@@ -1,17 +1,16 @@
 name: "Check flake.lock"
 on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-  merge_group:
-
+    push:
+        branches: ["main"]
+    pull_request:
+        branches: ["main"]
+    merge_group:
 jobs:
-  health-check:
-    name: "Check health of `flake.lock`"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/flake-checker-action@main
-        with:
-          fail-mode: true
+    health-check:
+        name: "Check health of `flake.lock`"
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v4
+            - uses: DeterminateSystems/flake-checker-action@main
+              with:
+                fail-mode: true

.github/workflows/nix-fmt.yml

@@ -1,26 +1,25 @@
 name: "Check Nix formatting"
 on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-  merge_group:
-
+    push:
+        branches: ["main"]
+    pull_request:
+        branches: ["main"]
+    merge_group:
 jobs:
-  health-check:
-    name: "Perform Nix format checks"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: DeterminateSystems/nix-installer-action@main
-      - name: Setup Attic cache
-        uses: ryanccn/attic-action@v0
-        with:
-          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-          cache: ${{ secrets.ATTIC_CACHE }}
-          token: ${{ secrets.ATTIC_TOKEN }}
-          skip-push: "true"
-      - uses: actions/checkout@v4
-      - run: nix fmt -- --check .
-      - name: Push to Attic
-        run: nix ./utils/attic-push.bash
-        continue-on-error: true
+    health-check:
+        name: "Perform Nix format checks"
+        runs-on: ubuntu-latest
+        steps:
+            - uses: DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - run: nix fmt -- --check .
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true

.sops.yaml

@@ -1,51 +1,46 @@
 keys:
-  # The PGP keys in keys/
-  - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
-
-  # Generate AGE keys from SSH keys with:
-  #   ssh-keygen -A
-  #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
-  # cspell:disable
-  - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
-  - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
+    # The PGP keys in keys/
+    - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
+    # Generate AGE keys from SSH keys with:
+    #   ssh-keygen -A
+    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+    # cspell:disable
+    - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+    - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
     #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
-  - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
-  # cspell:enable
-
+    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
+    # cspell:enable
 servers: &servers
-  - *palatine-hill
-
+    - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
 # update keys by executing: sops updatekeys secrets.yaml
 # note: add .* before \.yaml if you'd like to use the mergetool config
 creation_rules:
-  - path_regex: users/alice/secrets.*\.yaml$
-    key_groups:
-      - pgp:
-          - *admin_alice
-        age:
-          - *palatine-hill
-          - *artemision
-          - *artemision-home
-
-  - path_regex: systems/palatine-hill/secrets.*\.yaml$
-    key_groups:
-      - pgp: 
-          - *admin_alice
-        age:
-          - *palatine-hill
-
-  - path_regex: systems/artemision/secrets.*\.yaml$
-    key_groups:
-      - pgp:
-          - *admin_alice
-        age:
-          - *artemision
-  - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
-    key_groups:
-      - pgp:
-          - *admin_alice
-        age:
-          - *palatine-hill
+    - path_regex: users/alice/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *palatine-hill
+            - *artemision
+            - *artemision-home
+    - path_regex: systems/palatine-hill/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *palatine-hill
+    - path_regex: systems/artemision/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *artemision
+    - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *palatine-hill

.vscode/settings.json

@@ -1,5 +1,7 @@
 {
-  "cSpell.enableFiletypes": ["nix"],
+  "cSpell.enableFiletypes": [
+    "nix"
+  ],
   "cSpell.words": [
     "aarch",
     "abmlevel",

docs/CONTRIBUTING.md

@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
 | Branch Name      | Use Case                                                                                                                                                                                                                      |
 |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | main             | protected branch which all machines pull from, do not try to push directly                                                                                                                                                    |
-| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
-| fixup/\<item\>   | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
-| hotfix/\<item\>  | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
-| urgent/\<item\>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
-| exp/\<item\>     | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
-| merge/\<item\>   | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
+| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
+| fixup/\<item>   | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
+| hotfix/\<item>  | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
+| urgent/\<item>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
+| exp/\<item>     | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
+| merge/\<item>   | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
 
 ### Review Process
 
@@ -94,11 +94,11 @@ rules.
   PR has been tested on at least one machine
    - Issues which bypass the quorum process must have a second reviewer tagged
    - All critical issues which bypass the approval process must have an RCA issue
-    opened and the RCA logged into the `inc/` folder
+     opened and the RCA logged into the `inc/` folder
    - The second reviewer has 2 weeks to retroactively review and approve the PR
    - If the retro does not happen in the given window, an issue shall be opened
-    to either re-review the PR or to revert and replace the fix with a
-    permanent solution
+     to either re-review the PR or to revert and replace the fix with a
+     permanent solution
 - Critical issues must be tagged to `Nix Flake Features` project, and must have
   a priority of `High` and an estimate tagged. Start and end date are not needed
 

docs/sample-setup.sh

@@ -1,9 +1,9 @@
 #!/usr/bin/env nix
 #! nix shell nixpkgs#bash nixpkgs#git --command bash
 
-set -o errexit   # abort on nonzero exitstatus
-set -o nounset   # abort on unbound variable
-set -o pipefail  # don't hide errors within pipes
+set -o errexit  # abort on nonzero exitstatus
+set -o nounset  # abort on unbound variable
+set -o pipefail # don't hide errors within pipes
 
 PROCEED="N"
 
@@ -50,60 +50,58 @@ GITBASE="systems"
 FEATUREBRANCH="feature/adding-$MACHINENAME"
 
 if [ $PROCEED != "Y" ]; then
-    echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 
-
-
 if [ $CREATEPARTS = "Y" ]; then
-    # Create partition table
-    sudo parted "/dev/$DRIVE" -- mklabel gpt
+  # Create partition table
+  sudo parted "/dev/$DRIVE" -- mklabel gpt
 
-    # Create boot part
-    sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
-    sudo parted "/dev/$DRIVE" -- set 1 esp on
-    sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
+  # Create boot part
+  sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
+  sudo parted "/dev/$DRIVE" -- set 1 esp on
+  sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
 
-    # Create luks part
-    sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
-    sudo parted "/dev/$DRIVE" -- set 2 lvm on
+  # Create luks part
+  sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
+  sudo parted "/dev/$DRIVE" -- set 2 lvm on
 
-    LUKSPART="nixos-pv"
-    sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
-    sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
+  LUKSPART="nixos-pv"
+  sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
+  sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
 
-    # Create lvm part
-    sudo pvcreate "/dev/mapper/$LUKSPART"
-    sudo pvresize "/dev/mapper/$LUKSPART"
-    sudo pvdisplay
+  # Create lvm part
+  sudo pvcreate "/dev/mapper/$LUKSPART"
+  sudo pvresize "/dev/mapper/$LUKSPART"
+  sudo pvdisplay
 
-    # Create volume group
-    sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
-    sudo vgchange -a y "$VOLGROUP"
-    sudo vgdisplay
+  # Create volume group
+  sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
+  sudo vgchange -a y "$VOLGROUP"
+  sudo vgdisplay
 
-    # Create swap part on LVM
-    if [ $SWAPSIZE != 0 ]; then
-        sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
-        sudo mkswap -L NIXSWAP -c "$SWAPPATH"
-    fi
+  # Create swap part on LVM
+  if [ $SWAPSIZE != 0 ]; then
+    sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
+    sudo mkswap -L NIXSWAP -c "$SWAPPATH"
+  fi
 
-    # Create home part on LVM, leaving plenty of room for snapshots
-    sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
-    sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
+  # Create home part on LVM, leaving plenty of room for snapshots
+  sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
+  sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
 
-    # Create root part on LVM, keeping in mind most data will be on /home or /nix
-    sudo lvcreate -L 5G "$VOLGROUP" -n root
-    sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
+  # Create root part on LVM, keeping in mind most data will be on /home or /nix
+  sudo lvcreate -L 5G "$VOLGROUP" -n root
+  sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
 
-    # Create nix part on LVM
-    sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
-    sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
+  # Create nix part on LVM
+  sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
+  sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
 
-    sudo lvdisplay
+  sudo lvdisplay
 
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 
 # Mount partitions
@@ -116,7 +114,7 @@ sudo mount $BOOTPART /mnt/boot
 
 # Enable swap if SWAPSIZE is non-zero
 if [ $SWAPSIZE != 0 ]; then
-    sudo swapon "/dev/$VOLGROUP/swap"
+  sudo swapon "/dev/$VOLGROUP/swap"
 fi
 
 # Clone the repo
@@ -135,31 +133,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
 cat "$DOTS/id_ed25519_ghdeploy.pub"
 
 if [ $SOPS == "Y" ]; then
-    # Create ssh host-keys
-    sudo ssh-keygen -A
-    sudo mkdir -p /mnt/etc/ssh
-    sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
+  # Create ssh host-keys
+  sudo ssh-keygen -A
+  sudo mkdir -p /mnt/etc/ssh
+  sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
 
-    # Get line where AGE comment is and insert new AGE key two lines down
-    AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
-    AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
-    sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
+  # Get line where AGE comment is and insert new AGE key two lines down
+  AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
+  AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
+  sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
 
-    # Add server name
-    SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
+  # Add server name
+  SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
 
-    # Add creation rules
-    CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    # TODO: below was not working when last attempted
-    read -r -d '' PATHRULE <<-EOF
+  # Add creation rules
+  CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  # TODO: below was not working when last attempted
+  read -r -d '' PATHRULE <<-EOF
   - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
     key_groups:
       - pgp: *$OWNERORADMINS
         age:
           - *$MACHINENAME
 EOF
-    sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
 fi
 
 read -r -p "press enter to continue"

flake.lock

@@ -78,11 +78,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1740974607,
-        "narHash": "sha256-YbAnhXYYOjG8OHX7v4BGj/tDQiFgkwe4JsqCjbFYjB0=",
+        "lastModified": 1742327995,
+        "narHash": "sha256-cvqCqT7op8uRCIPUYK8CPJbRRmKytFtOzHqomMyO7u8=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "093c063a23aa38f31082a554f03899127750aee3",
+        "rev": "d91a2ea080804c3a9213d6e460e8cff68cfacf8d",
         "type": "gitlab"
       },
       "original": {
@@ -95,11 +95,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1739223196,
-        "narHash": "sha256-vAxN2f3rvl5q62gQQjZGVSvF93nAsOxntuFz+e/655w=",
+        "lastModified": 1741628778,
+        "narHash": "sha256-RsvHGNTmO2e/eVfgYK7g+eYEdwwh7SbZa+gZkT24MEA=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "a89108e6272426f4eddd93ba17d0ea101c34fb21",
+        "rev": "5a81d390bb64afd4e81221749ec4bffcbeb5fa80",
         "type": "github"
       },
       "original": {
@@ -127,11 +127,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1740872218,
-        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
+        "lastModified": 1741352980,
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
         "type": "github"
       },
       "original": {
@@ -232,11 +232,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737465171,
-        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
+        "lastModified": 1741379162,
+        "narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
+        "rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc",
         "type": "github"
       },
       "original": {
@@ -312,11 +312,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740845322,
-        "narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
+        "lastModified": 1742326330,
+        "narHash": "sha256-Tumt3tcMXJniSh7tw2gW+WAnVLeB3WWm+E+yYFnLBXo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
+        "rev": "22a36aa709de7dd42b562a433b9cefecf104a6ee",
         "type": "github"
       },
       "original": {
@@ -332,11 +332,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740923452,
-        "narHash": "sha256-iQNkVG0368H3kiwSYSs1N6sU7GhHSmx0b9y+Z+eO1+c=",
+        "lastModified": 1742213523,
+        "narHash": "sha256-I8JVdQRu8eWvY5W8XWYZkdd5pojDHkxeqQV7mMIsbhs=",
         "owner": "hyprwm",
         "repo": "contrib",
-        "rev": "6f0d5e16c534aeda47d99b4d20bb2a22bfc60c23",
+        "rev": "bd81329944be53b0ffb99e05864804b95f1d7c65",
         "type": "github"
       },
       "original": {
@@ -352,11 +352,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740886574,
-        "narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=",
+        "lastModified": 1742174123,
+        "narHash": "sha256-pDNzMoR6m1ZSJToZQ6XDTLVSdzIzmFl1b8Pc3f7iV6Y=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5",
+        "rev": "2cfb4e1ca32f59dd2811d7a6dd5d4d1225f0955c",
         "type": "github"
       },
       "original": {
@@ -388,11 +388,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740947705,
-        "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
+        "lastModified": 1742217219,
+        "narHash": "sha256-pLRjj0jTL1TloB0ptEwVF51IJJX8a17dSxg+gqiWb30=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
+        "rev": "83900d5154d840dfae1e0367c5290f59b9dccf03",
         "type": "github"
       },
       "original": {
@@ -403,11 +403,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1740646007,
-        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
+        "lastModified": 1742217307,
+        "narHash": "sha256-3fwpN7KN226ghLlpO9TR0/WpgQOmOj1e8bieUxpIYSk=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
+        "rev": "4f4d97d7b7be387286cc9c988760a7ebaa5be1f1",
         "type": "github"
       },
       "original": {
@@ -426,11 +426,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741017582,
-        "narHash": "sha256-2tscHztx6UxqeQTK0U1kLM74+6mSzROMNYJpKRDLMPM=",
+        "lastModified": 1742073730,
+        "narHash": "sha256-Um3vjr+nh7MdvdRjPkRX0RiicOWttZd1CuCVEKvOQz8=",
         "owner": "SuperSandro2000",
         "repo": "nixos-modules",
-        "rev": "c7c9219eb6ff26c203d22ba733e9e988499290f0",
+        "rev": "f8b6e1d4ea6c9c958b27445c70434b00e8d7f520",
         "type": "github"
       },
       "original": {
@@ -441,11 +441,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1740981371,
-        "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
+        "lastModified": 1742276595,
+        "narHash": "sha256-bsg9y3NoMGu0jgTI5XbxvzQFc9JtZB51i500WlVws80=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
+        "rev": "2b3795787eba0066a2bc8bba7362422e5713840f",
         "type": "github"
       },
       "original": {
@@ -457,28 +457,31 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1740872140,
-        "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
+        "lastModified": 1740877520,
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1735563628,
-        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
+        "lastModified": 1742268799,
+        "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
+        "rev": "da044451c6a70518db5b730fe277b70f494188f1",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -493,11 +496,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1740408283,
-        "narHash": "sha256-2xECnhgF3MU9YjmvOkrRp8wRFo2OjjewgCtlfckhL5s=",
+        "lastModified": 1741693509,
+        "narHash": "sha256-emkxnsZstiJWmGACimyAYqIKz2Qz5We5h1oBVDyQjLw=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "496a4a11162bdffb9a7b258942de138873f019f7",
+        "rev": "5479646b2574837f1899da78bdf9a48b75a9fb27",
         "type": "github"
       },
       "original": {
@@ -517,11 +520,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740915799,
-        "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
+        "lastModified": 1742300892,
+        "narHash": "sha256-QmF0proyjXI9YyZO9GZmc7/uEu5KVwCtcdLsKSoxPAI=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
+        "rev": "ea26a82dda75bee6783baca6894040c8e6599728",
         "type": "github"
       },
       "original": {
@@ -559,11 +562,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740969088,
-        "narHash": "sha256-BajboqzFnDhxVT0SXTDKVJCKtFP96lZXccBlT/43mao=",
+        "lastModified": 1742265167,
+        "narHash": "sha256-RB0UEF9IXIgwuuBFC+s9H4rDyvmMZePHlBAK4vRAwf4=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "20fdb02098fdda9a25a2939b975abdd7bc03f62d",
+        "rev": "87f0965f9f5b13fca9f38074eee8369dc767550d",
         "type": "github"
       },
       "original": {
@@ -579,11 +582,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739262228,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "lastModified": 1742239755,
+        "narHash": "sha256-ptn8dR4Uat3UUadGYNnB7CIH9SQm8mK69D2A/twBUXQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "787afce414bcce803b605c510b60bf43c11f4b55",
         "type": "github"
       },
       "original": {
@@ -620,11 +623,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1740959323,
-        "narHash": "sha256-UtSKsLCWwA4wPFm7mgl33qeu8sj0on9Hyt3YhDWWkAM=",
+        "lastModified": 1742299802,
+        "narHash": "sha256-enlpX8hwrfmjv/dHTKWzAB5Cwt1Kr6+ptikjX3Ob+FY=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "489833b201a84488c6b4371a261fdbcafa6abcb6",
+        "rev": "ff9ae322bcaeccabc65812390000276455331123",
         "type": "github"
       },
       "original": {
@@ -700,11 +703,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1740351358,
-        "narHash": "sha256-Hdk850xgAd3DL8KX0AbyU7tC834d3Lej1jOo3duWiOA=",
+        "lastModified": 1741468895,
+        "narHash": "sha256-YKM1RJbL68Yp2vESBqeZQBjTETXo8mCTTzLZyckCfZk=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "a1bc2bd89e693e7e3f5764cfe8114e2ae150e184",
+        "rev": "47c8c7726e98069cade5827e5fb2bfee02ce6991",
         "type": "github"
       },
       "original": {
@@ -716,11 +719,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1740272597,
-        "narHash": "sha256-/etfUV3HzAaLW3RSJVwUaW8ULbMn3v6wbTlXSKbcoWQ=",
+        "lastModified": 1740877430,
+        "narHash": "sha256-zWcCXgdC4/owfH/eEXx26y5BLzTrefjtSLFHWVD5KxU=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "b6c7f46c8718cc484f2db8b485b06e2a98304cd0",
+        "rev": "d48ee86394cbe45b112ba23ab63e33656090edb4",
         "type": "github"
       },
       "original": {

flake.nix

@@ -26,7 +26,8 @@
     nixos-hardware.url = "github:NixOS/nixos-hardware";
     #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    #nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
     systems.url = "github:nix-systems/default";
 
     # attic = {

shell.nix

@@ -45,6 +45,10 @@ forEachSystem (
         treefmt
         statix
         nixfmt-rfc-style
+        jsonfmt
+        mdformat
+        shfmt
+        yamlfmt
       ];
     };
   in

systems/artemision/configuration.nix

@@ -32,7 +32,7 @@
   };
 
   boot = {
-    kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
+    #kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
     useSystemdBoot = true;
     default = true;
   };
@@ -88,6 +88,10 @@
 
   programs.adb.enable = true;
 
+  environment.variables = {
+    "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
+  };
+
   sops = {
     defaultSopsFile = ./secrets.yaml;
     #secrets = {

systems/artemision/desktop.nix

@@ -7,6 +7,7 @@
     hyprland = {
       enable = true;
       xwayland.enable = true;
+      withUWSM = true;
     };
     hyprlock.enable = true;
     gnupg.agent = {

systems/artemision/programs.nix

@@ -18,8 +18,6 @@
     croc
     deadnix
     direnv
-    discord
-    discord-canary
     easyeffects
     eza
     fanficfare
@@ -44,6 +42,7 @@
     kitty
     kubectl
     kubernetes-helm
+    libreoffice-fresh
     libtool
     lsof
     lynis

systems/palatine-hill/attic/sync-attic.bash

@@ -2,9 +2,9 @@
 #! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
 
 sync_directories=(
-    /ZFS/ZFS-primary/hydra
+  /ZFS/ZFS-primary/hydra
 )
 
 for dir in "${sync_directories[@]}"; do
-    find "$dir"  -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
+  find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
 done

systems/palatine-hill/docker/act-runner.nix

@@ -23,6 +23,7 @@ in
         "${act_path}/stable-latest-main/config.yaml:/config.yaml"
         "${act_path}/stable-latest-main/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";
@@ -45,6 +46,7 @@ in
         "${act_path}/stable-latest-1/config.yaml:/config.yaml"
         "${act_path}/stable-latest-1/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";
@@ -67,6 +69,7 @@ in
         "${act_path}/stable-latest-2/config.yaml:/config.yaml"
         "${act_path}/stable-latest-2/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";
@@ -89,6 +92,7 @@ in
         "${act_path}/stable-latest-3/config.yaml:/config.yaml"
         "${act_path}/stable-latest-3/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";
@@ -111,6 +115,7 @@ in
         "${act_path}/stable-latest-4/config.yaml:/config.yaml"
         "${act_path}/stable-latest-4/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";
@@ -133,6 +138,7 @@ in
         "${act_path}/stable-latest-5/config.yaml:/config.yaml"
         "${act_path}/stable-latest-5/data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
       ];
       environment = {
         CONFIG_FILE = "/config.yaml";

systems/palatine-hill/docker/default.nix

@@ -31,47 +31,47 @@
     default-address-pools = [
       {
         base = "169.254.2.0/23";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.4.0/22";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.8.0/21";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.16.0/20";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.32.0/19";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.64.0/18";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.128.0/18";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.192.0/19";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.224.0/20";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.240.0/21";
-        size = "28";
+        size = 28;
       }
       {
         base = "169.254.248.0/22";
-        size = "28";
+        size = 28;
       }
     ];
     mtu = 9000;

systems/palatine-hill/docker/nextcloud.nix

@@ -100,7 +100,7 @@ in
       };
       "docker/collabora" = {
         owner = "www-data";
-        restartUnits = [ "docker-collabora.service" ];
+        restartUnits = [ "docker-collabora-code.service" ];
       };
     };
   };

systems/palatine-hill/docker/watchtower.bash

@@ -6,8 +6,8 @@ outdated_msg="Project code is out of date and needs to be upgraded. To remedy th
 label="$1"
 label_val="$2"
 
-if (( $# != 2 )); then
-    echo "usage: $0 label label_value"
+if (($# != 2)); then
+  echo "usage: $0 label label_value"
 fi
 
 containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")

systems/palatine-hill/postgresql.nix

@@ -19,6 +19,8 @@ in
       enable = true;
       enableJIT = true;
       package = pkgs.postgresql_16;
+      enableAllPreloadedLibraries = true;
+      configurePgStatStatements = true;
       identMap = ''
         # ArbitraryMapName systemUser DBUser
            superuser_map      root      postgres

treefmt.toml

@@ -12,3 +12,21 @@ command = "nixfmt"
 #options = []
 # Glob pattern of files to include
 includes = [ "*.nix" ]
+
+[formatter.jsonfmt]
+command = "jsonfmt"
+excludes = []
+includes = ["*.json"]
+options = ["-w"]
+
+[formatter.shfmt]
+command = "shfmt"
+excludes = []
+includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
+options = ["-i", "2", "-s", "-w"]
+
+[formatter.yamlfmt]
+command = "yamlfmt"
+excludes = []
+includes = ["*.yaml", "*.yml"]
+options = ["-formatter","indent=4"]

users/alice/home.nix

@@ -16,6 +16,7 @@
       ./home/gammastep.nix
       ./home/doom
       ./home/hypr
+      ./home/waybar.nix
       ./non-server.nix
     ];
 

users/alice/home/hypr/default.nix

@@ -8,6 +8,7 @@
 {
   xdg.configFile = {
     "hypr/hyprland.conf".source = ./hyprland.conf;
+    "hypr/show-hide.sh".source = ./show-hide.sh;
   };
 
   imports = [

users/alice/home/hypr/hypridle.nix

@@ -18,14 +18,14 @@
       listener = [
         {
           timeout = 150; # 2.5min.
-          on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
-          on-resume = "brightnessctl -r"; # monitor backlight restore.
+          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
+          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore.
         }
         # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
         {
           timeout = 150; # 2.5min.
-          on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
-          on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
+          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
+          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
         }
         {
           timeout = 300; # 5min

users/alice/home/hypr/hyprland.conf

@@ -22,6 +22,9 @@ monitor=,preferred,auto,auto
 # exec-once = waybar & hyprpaper & firefox
 exec-once = wired &
 
+exec-once = wired
+exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
+
 # Source a file (multi-file configs)
 # source = ~/.config/hypr/myColors.conf
 
@@ -207,3 +210,7 @@ bind = $mainMod, P, exec, bwm
 
 # lock screen
 bind = $mainMod, L, exec, loginctl lock-session
+# hide active window
+bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
+# show hide window
+bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s

users/alice/home/hypr/hyprlock.nix

@@ -11,7 +11,8 @@
     settings = {
       general = {
         immediate_render = true;
-        no_fade_in = true;
+        # disabling as config doesn't exist
+        #no_fade_in = true;
       };
       background = {
         monitor = "";
@@ -54,7 +55,8 @@
         dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
         dots_center = false;
         dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
-        dots_fade_time = 200; # Milliseconds until a dot fully fades in
+        # disabling as config doesn't exist
+        # dots_fade_time = 200; # Milliseconds until a dot fully fades in
         dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
         # disabling due to stylix
         # outer_color = "rgb(151515)";
@@ -70,7 +72,8 @@
         #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
         fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
         fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
-        fail_transition = 300; # transition time in ms between normal outer_color and fail_color
+        # disabling as config doesn't exist
+        #fail_transition = 300; # transition time in ms between normal outer_color and fail_color
         capslock_color = -1;
         numlock_color = -1;
         bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)

users/alice/home/hypr/show-hide.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+stack_file="/tmp/hide_window_pid_stack.txt"
+
+function hide_window() {
+  pid=$(hyprctl activewindow -j | jq '.pid')
+  hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
+  echo "$pid" >>$stack_file
+}
+
+function show_window() {
+  pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
+  [ -z "$pid" ] && exit
+
+  current_workspace=$(hyprctl activeworkspace -j | jq '.id')
+  hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
+}
+
+if [ -n "$1" ]; then
+  if [ "$1" == "h" ]; then
+    hide_window >>/dev/null
+  else
+    show_window >>/dev/null
+  fi
+fi

users/alice/home/waybar.json

@@ -0,0 +1,40 @@
+[
+  {
+    "height": 20,
+    "layer": "top",
+    "position": "top",
+    "output": [
+      "eDP-2",
+      "eDP-1",
+      "HDMI-0",
+      "DP-0"
+    ],
+    "hyprland/workspaces": {
+      "active-only": true,
+      "all-outputs": false,
+      "show-special": true,
+      "move-to-monitor": true,
+      "format": "{icon} {windows}",
+      "format-window-separator": " ",
+      "format-icons": {
+        "1": "󰎤",
+        "2": "󰎧",
+        "3": "󰎪",
+        "default": "",
+        "empty": "󱓼",
+        "urgent": "󱨇"
+      },
+      "persistent-workspaces": {
+        "1": "HDMI-0"
+      },
+      "on-scroll-down": "hyprctl dispatch workspace e-1",
+      "on-scroll-up": "hyprctl dispatch workspace e+1",
+      "window-rewrite": {
+        "title<Steam>": ""
+      },
+      "window-rewrite-default": "",
+      "window-rewrite-separator": " ",
+      "sort-by": "number"
+    }
+  }
+]

users/alice/home/waybar.nix

@@ -2,6 +2,6 @@
 lib.mkIf (!machineConfig.server) {
   programs.waybar = {
     enable = true;
-    #settings = builtins.fromJSON (import ./waybar.json);
+    settings = builtins.fromJSON (builtins.readFile ./waybar.json);
   };
 }

users/alice/non-server.nix

@@ -64,5 +64,6 @@
     zathura
     obsidian
     libreoffice-qt-fresh
+    wlr-randr
   ];
 }

users/alice/secrets.yaml

@@ -8,6 +8,7 @@ alice:
     attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
     attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
     attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
+    gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -41,8 +42,8 @@ sops:
             ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
             7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-26T04:17:36Z"
-    mac: ENC[AES256_GCM,data:BJ5d3iqdIBwqtnYOYfmsFqnJDXz67uzJ4UKWrjVUEgr4Nc95tE8mEyV40poZk/wAJGJMSDdRhsPmZI4H1xztkjkTsUCUJ2rR+SZ6gP1VhSEXu7bSvv63+bnajZQi9kZrfN0EZN8TLzzVHVvSVHcNEfbq9STWkZq6zCk9E2cUfhk=,iv:MQ/lQkNi/S3bfz1PegcVfwy06RsxdQwZIU6sdOjkhgU=,tag:l5tK1SUwjTolliPkbfNDHg==,type:str]
+    lastmodified: "2025-03-18T22:08:52Z"
+    mac: ENC[AES256_GCM,data:3Hr8FyzfZvvtyusqdDOjggDGFlBwyOq2VND+/jtNbY5i5JPK+qTkamn98IKkcHSPooaIVzEAek91fZDo90mYRhCzEwfbLATmFXPHsZHUg+5nD8VzcNUWQDb2/ey4RPhzTMtXfY9v9wdIcTdBKYKSZ61puptSX8nJ2S74ag6B5AY=,iv:J+VxUvwWE496DqTsVXdlpxgkf8zGT9uDvt6RLrmc0n0=,tag:X2Qg3DDzOTBDqo+6eQPHvw==,type:str]
     pgp:
         - created_at: "2024-09-05T06:10:22Z"
           enc: |-
@@ -57,4 +58,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.9.3
+    version: 3.9.4

utils/attic-push.bash

@@ -6,17 +6,21 @@
 set -e
 
 # retrieve all paths under 2G
-nix_paths=$(nix path-info --json --all --closure-size \
-  | jq 'map_values(.closureSize | select(. < 2e9)) | to_entries | sort_by(.value)' \
-  | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+# nix_paths=$(nix path-info --json --all --closure-size \
+#   | jq 'map_values(.closureSize | select(. < 2e9)) | to_entries | sort_by(.value)' \
+#   | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+
+# retrieve all paths
+nix_paths=$(nix path-info --json --all --closure-size |
+  jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
+  jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
 
 readarray -t nix_path_array < <(echo "$nix_paths")
 
 batchsize=1000
 
-for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
-do
-    part=( "${nix_path_array[@]:i:batchsize}" )
+for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
+  part=("${nix_path_array[@]:i:batchsize}")
 
-    attic push nix-cache "${part[@]}"
+  attic push nix-cache "${part[@]}"
 done

utils/attic-token.bash

@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
-if (( $# != 3 )); then
-   echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
-   exit 1
+if (($# != 3)); then
+  echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
+  exit 1
 fi
 
 cache="$1"
@@ -10,27 +10,27 @@ cache_pattern="$2"
 token_type="$3"
 
 case $token_type in
-    "cache-creator")
-        atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
-            --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
-            --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
-            --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
-        ;;
-    "admin")
-        atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
-            --push "$cache_pattern" --configure-cache "$cache_pattern" \
-            --configure-cache-retention "$cache_pattern"
-        ;;
-    "writer")
-        atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
-            --push "$cache_pattern"
-        ;;
-    "reader")
-        atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
-        ;;
-    *)
-        echo "invalid token type: $token_type"
-        echo "available options: cache-creator, admin, writer, reader"
-        exit 1
-        ;;
+"cache-creator")
+  atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
+    --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
+    --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
+    --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
+  ;;
+"admin")
+  atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
+    --push "$cache_pattern" --configure-cache "$cache_pattern" \
+    --configure-cache-retention "$cache_pattern"
+  ;;
+"writer")
+  atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
+    --push "$cache_pattern"
+  ;;
+"reader")
+  atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
+  ;;
+*)
+  echo "invalid token type: $token_type"
+  echo "available options: cache-creator, admin, writer, reader"
+  exit 1
+  ;;
 esac

utils/diff-evals.sh

@@ -10,15 +10,4 @@ set -e
 script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
 
-readarray -t pre_drv < "$parent_path/pre-drv"
-readarray -t post_drv < "$parent_path/post-drv"
-
-post_drv_path="$parent_path/post-diff"
-# cleanup any files with the same name
-rm "$post_drv_path" || true
-touch "$post_drv_path"
-
-for i in $(seq 0 $(( "${#pre_drv[@]}" -1 ))); do
-    echo "Diffing updates to $(echo "${pre_drv[$i]}" | cut -f 2- -d '-')" >> "$post_drv_path"
-    nvd diff "${pre_drv[$i]}" "${post_drv[$i]}" >> "$post_drv_path"
-done
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --compare-drvs --compare-output-to-file "$parent_path"

utils/eval-to-drv.sh

@@ -8,15 +8,12 @@ set -v
 set -e
 
 if [ "$#" -ne 1 ]; then
-    echo "$0 (pre|post)"
-    exit 1
+  echo "$0 (pre|post)"
+  exit 1
 fi
 
 script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
-out_path="$parent_path/$1-drv"
+out_path="$parent_path/$1.json"
 
-
-drv=$(nix flake check --verbose 2> >(grep -P -o "derivation evaluated to (/nix/store/.*\.drv)" | grep -P -o "/nix/store/.*\.drv"))
-
-echo "$drv" > "$out_path"
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --json "$out_path" "$parent_path"

utils/fetch-docker.sh

@@ -14,10 +14,10 @@ parent_path=$(dirname "$script_path")
 # relpath is the relative path to the parent_path where you want the file written
 # format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
 images=(
-    "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
+  "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
 )
 IFS=","
 while read -r name tag arch os relpath; do
-    nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
-    git --no-pager diff "$parent_path/$relpath"
-done<<< "${images[@]}"
+  nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
+  git --no-pager diff "$parent_path/$relpath"
+done <<<"${images[@]}"

utils/sops-mergetool-new.sh

@@ -2,7 +2,10 @@
 
 # Rename CLI parameters to friendlier names
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
-base="$1"; local_="$2"; remote="$3"; merged="$4"
+base="$1"
+local_="$2"
+remote="$3"
+merged="$4"
 
 # Load the mergetool scripts
 TOOL_MODE=merge
@@ -20,7 +23,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
 backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
 
 # If anything goes wrong, then delete our decrypted files
-handle_trap_exit () {
+handle_trap_exit() {
   rm $base_decrypted || true
   rm $local_decrypted || true
   rm $remote_decrypted || true
@@ -30,12 +33,12 @@ handle_trap_exit () {
 trap handle_trap_exit EXIT
 
 # Decrypt our file contents
-sops --decrypt --show-master-keys "$base" > "$base_decrypted"
-sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
-sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
 
 # Create a merge-diff to compare against
-git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
 cp "$merged_decrypted" "$backup_decrypted"
 
 # Set up variables for the mergetool
@@ -48,7 +51,7 @@ MERGED="$merged_decrypted"
 BACKUP="$backup_decrypted"
 
 # Override `check_unchanged` with a custom script
-check_unchanged () {
+check_unchanged() {
   # If the contents haven't changed, then fail
   if test "$MERGED" -nt "$BACKUP"; then
     return 0
@@ -61,5 +64,4 @@ check_unchanged () {
 run_merge_tool "${mergetool}" true
 
 # Re-encrypt content
-sops --encrypt "$merged_decrypted" > "$merged"
-
+sops --encrypt "$merged_decrypted" >"$merged"

utils/sops-mergetool.sh

@@ -6,7 +6,10 @@ set -x
 
 # Rename our variables to friendlier equivalents
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
-base="$1"; local_="$2"; remote="$3"; merged="$4"
+base="$1"
+local_="$2"
+remote="$3"
+merged="$4"
 
 echo "$base"
 echo "$local_"
@@ -18,7 +21,7 @@ echo "$merged"
 mergetool="$(git config --get merge.tool)"
 GIT_DIR="$(git --exec-path)"
 if test "$mergetool" = ""; then
-  echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
+  echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
   exit 1
 fi
 
@@ -32,7 +35,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
 backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
 
 # If anything goes wrong, then delete our decrypted files
-handle_trap_exit () {
+handle_trap_exit() {
   rm $base_decrypted || true
   rm $local_decrypted || true
   rm $remote_decrypted || true
@@ -42,13 +45,13 @@ handle_trap_exit () {
 trap handle_trap_exit EXIT
 
 # Decrypt our file contents
-sops --decrypt --show-master-keys "$base" > "$base_decrypted"
-sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
-sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
 
 # Create a merge-diff to compare against
 set +e
-git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
 set -e
 cp "$merged_decrypted" "$backup_decrypted"
 
@@ -66,7 +69,7 @@ source "$GIT_DIR/git-mergetool--lib"
 source "$GIT_DIR/mergetools/$mergetool"
 
 # Override `check_unchanged` with a custom script
-check_unchanged () {
+check_unchanged() {
   # If the contents haven't changed, then fail
   if test "$MERGED" -nt "$BACKUP"; then
     return 0
@@ -82,5 +85,4 @@ merge_cmd
 set -eu
 
 # Re-encrypt content
-sops --encrypt "$merged_decrypted" > "$merged"
-
+sops --encrypt "$merged_decrypted" >"$merged"