WIP: home manager

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixlib": {
       "locked": {
-        "lastModified": 1734829460,
-        "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734915500,
-        "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
+        "lastModified": 1737057290,
+        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
+        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1736012469,
-        "narHash": "sha256-/qlNWm/IEVVH7GfgAIyP6EsVZI6zjAx1cV5zNyrs+rI=",
+        "lastModified": 1738142207,
+        "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8f3e1f807051e32d8c95cd12b9b421623850a34d",
+        "rev": "9d3ae807ebd2981d593cddd0080856873139aa40",
         "type": "github"
       },
       "original": {

flake.nix

@@ -9,9 +9,13 @@
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, nixos-generators }: {
+  outputs = { self, nixpkgs, nixos-generators, home-manager }: {
     nixosConfigurations = {
       Yura-PC = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
@@ -27,6 +31,24 @@
           ./modules
           ./hosts/common.nix
           ./hosts/vm
+
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.users.jdoe = import ./home.nix;
+
+            # Optionally, use home-manager.extraSpecialArgs to pass
+            # arguments to home.nix
+          }
+        ];
+      };
+      router = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./modules
+          ./hosts/common.nix
+          ./hosts/router
         ];
       };
     };
@@ -37,6 +59,7 @@
         modules = [
           ./modules
           ./hosts/common.nix
+          ./hosts/vm/proxmox.nix
           ./hosts/vm
         ];
         format = "proxmox";

hosts/Yura-PC/default.nix

@@ -23,10 +23,16 @@
     "sysrq_always_enabled=1"
   ];
 
+  # https://nixos.wiki/wiki/OSX-KVM
+  boot.extraModprobeConfig = ''
+    options kvm_amd nested=1
+    options kvm_amd emulate_invalid_guest_state=0
+    options kvm ignore_msrs=1
+  '';
+
   boot.loader.timeout = 3;
   boot.loader.systemd-boot.configurationLimit = 5;
   boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
-  boot.extraModulePackages = with config.boot.kernelPackages; [ zfs ];
 
   # https://nixos.wiki/wiki/Accelerated_Video_Playback
   hardware.graphics = {
@@ -104,6 +110,7 @@
     group = "cazzzer";
     extraGroups = [ "networkmanager" "wheel" "docker" "wireshark" "geoclue" ];
     packages = with pkgs; [
+      # Python
       python3
       poetry
 
@@ -115,6 +122,9 @@
       nodejs_22
       pnpm
       bun
+
+      # Nix
+      nixd
     ];
   };
 
@@ -143,7 +153,6 @@
   virtualisation.docker.enableOnBoot = false;
   virtualisation.docker.package = pkgs.docker_27;
   virtualisation.docker.storageDriver = "zfs";
-  
 
   # https://discourse.nixos.org/t/firefox-does-not-use-kde-window-decorations-and-cursor/32132/3
   # programs.dconf.enable = true;
@@ -171,31 +180,6 @@
     
     # For JetBrains stuff
     # https://github.com/NixOS/nixpkgs/issues/240444
-    curl
-    expat
-    fontconfig
-    freetype
-    fuse
-    fuse3
-    glib
-    icu
-    libclang.lib
-    libdbusmenu
-    libsecret
-    libxcrypt-legacy
-    libxml2
-    nss
-    openssl
-    python3
-    stdenv.cc.cc
-    xorg.libX11
-    xorg.libXcursor
-    xorg.libXext
-    xorg.libXi
-    xorg.libXrender
-    xorg.libXtst
-    xz
-    zlib
   ];
 
   # attempt to fix flatpak firefox cjk fonts
@@ -240,8 +224,9 @@
     helix
     jetbrains-toolbox # or maybe do invidual ones?
     # jetbrains.rust-rover
-    # jetbrains.pycharm-professional
-    # jetbrains.webstorm
+    jetbrains.clion
+    jetbrains.pycharm-professional
+    jetbrains.webstorm
     android-studio
     mediainfo
     micro
@@ -275,6 +260,7 @@
   # services.openssh.enable = true;
 
   # Open ports in the firewall.
+  # networking.nftables.enable = true;
   networking.firewall.allowedTCPPorts = [ 8080 ];
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.

hosts/common.nix

@@ -1,4 +1,11 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, inputs, ... }: {
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+  ];
+
+  home-manager.useGlobalPkgs = true;
+  home-manager.useUserPackages = true;
+
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
 

hosts/router/default.nix

@@ -0,0 +1,576 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "cazzzer.com";
+  ldomain = "l.${domain}";
+
+  if_wan = "wan";
+  if_lan = "lan";
+  if_lan10 = "lan.10";
+  if_lan20 = "lan.20";
+
+  wan_ip4 = "192.168.1.61/24";
+  wan_gw4 = "192.168.1.254";
+
+  lan_p4 = "10.19.1"; # .0/24
+  lan10_p4 = "10.19.10"; # .0/24
+  lan20_p4 = "10.19.20"; # .0/24
+
+  pd_from_wan = ""; # ::/60
+  lan_p6 = "${pd_from_wan}9"; # ::/64
+  lan10_p6 = "${pd_from_wan}a"; # ::/64
+  lan20_p6 = "${pd_from_wan}2"; # ::/64
+
+  ula_p = "fdab:07d3:581d"; # ::/48
+  lan_ula_p = "${ula_p}:0001"; # ::/64
+  lan10_ula_p = "${ula_p}:0010"; # ::/64
+  lan20_ula_p = "${ula_p}:0020"; # ::/64
+  lan_ula_addr = "${lan_ula_p}::1";
+  lan10_ula_addr = "${lan10_ula_p}::1";
+  lan20_ula_addr = "${lan20_ula_p}::1";
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = false;
+  boot.kernelParams = [
+    "sysrq_always_enabled=1"
+  ];
+
+  boot.loader.systemd-boot.configurationLimit = 5;
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
+  boot.growPartition = true;
+
+  environment.etc.hosts.mode = "0644";
+  networking.hostName = "grouter";
+
+  # It is impossible to do multiple prefix requests with networkd,
+  # so I use dhcpcd for this
+  # https://github.com/systemd/systemd/issues/22571
+  networking.dhcpcd.enable = true;
+  # https://github.com/systemd/systemd/issues/22571#issuecomment-2094905496
+  # https://gist.github.com/csamsel/0f8cca3b2e64d7e4cc47819ec5ba9396
+  networking.dhcpcd.extraConfig = ''
+    duid
+    ipv6only
+    nodhcp6
+    noipv6rs
+    nohook resolv.conf, yp, hostname, ntp
+    option rapid_commit
+
+    interface ${if_wan}
+      ipv6rs
+      dhcp6
+
+      # this doesn't play well with networkd
+      # ia_na
+      # ia_pd 1 ${if_lan}/0
+      # ia_pd 2 ${if_lan10}/0
+      # ia_pd 3 ${if_lan20}/0
+
+      # request the leases just for routing (so that the att box knows we're here)
+      # actual ip assignments are static, based on $pd_from_wan
+      ia_pd 1 -
+      ia_pd 2 -
+      # ia_pd 3 -
+      # ia_pd 4 -
+      # ia_pd 5 -
+      # ia_pd 6 -
+      # ia_pd 7 -
+      # ia_pd 8 -
+  '';
+
+  networking.useNetworkd = true;
+  systemd.network.enable = true;
+  systemd.network = {
+    # Global options
+    config.networkConfig = {
+      IPv4Forwarding = true;
+      IPv6Forwarding = true;
+    };
+
+    # This is applied by udev, not networkd
+    # https://nixos.wiki/wiki/Systemd-networkd
+    # https://nixos.org/manual/nixos/stable/#sec-rename-ifs
+    links = {
+      "10-wan" = {
+        matchConfig.PermanentMACAddress = "bc:24:11:4f:c9:c4";
+        linkConfig.Name = if_wan;
+      };
+      "10-lan" = {
+        matchConfig.PermanentMACAddress = "bc:24:11:83:d8:de";
+        linkConfig.Name = if_lan;
+      };
+    };
+
+    netdevs = {
+      "10-vlan10" = {
+        netdevConfig = {
+          Kind = "vlan";
+          Name = if_lan10;
+        };
+        vlanConfig.Id = 10;
+      };
+      "10-vlan20" = {
+        netdevConfig = {
+          Kind = "vlan";
+          Name = if_lan20;
+        };
+        vlanConfig.Id = 20;
+      };
+    };
+
+    networks = {
+      "10-wan" = {
+        matchConfig.Name = if_wan;
+        networkConfig = {
+          # start a DHCP Client for IPv4 Addressing/Routing
+          # DHCP = "ipv4";
+          # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+          # let dhcpcd handle this
+          Address = [ wan_ip4 ];
+          IPv6AcceptRA = false;
+        };
+        routes = [ { Gateway = wan_gw4; } ];
+        # make routing on this interface a dependency for network-online.target
+        linkConfig.RequiredForOnline = "routable";
+      };
+      "20-lan" = {
+        matchConfig.Name = "lan";
+        vlan = [
+          if_lan10
+          if_lan20
+        ];
+        networkConfig = {
+          IPv4Forwarding = true;
+          IPv6SendRA = true;
+          Address = [ "${lan_p4}.1/24" ];
+        };
+        ipv6Prefixes = [
+          {
+            # AddressAutoconfiguration = false;
+            Prefix = "${lan_p6}::/64";
+            Assign = true;
+            # Token = [ "static:::1" "eui64" ];
+            Token = [ "static:::1" ];
+          }
+          {
+            Prefix = "${lan_ula_p}::/64";
+            Assign = true;
+            Token = [ "static:::1" ];
+          }
+        ];
+        ipv6SendRAConfig = {
+          Managed = true;
+          OtherInformation = true;
+          EmitDNS = true;
+          DNS = [ lan_ula_addr ];
+        };
+      };
+      "30-vlan10"  = {
+        matchConfig.Name = if_lan10;
+        networkConfig = {
+          IPv6SendRA = true;
+          Address = [ "${lan10_p4}.1/24" ];
+        };
+        ipv6Prefixes = [
+          {
+            Prefix = "${lan10_p6}::/64";
+            Assign = true;
+            Token = [ "static:::1" ];
+          }
+          {
+            Prefix = "${lan10_ula_p}::/64";
+            Assign = true;
+            Token = [ "static:::1" ];
+          }
+        ];
+      };
+      "30-vlan20"  = {
+        matchConfig.Name = if_lan20;
+        networkConfig = {
+          IPv6SendRA = true;
+          Address = [ "${lan20_p4}.1/24" ];
+        };
+        ipv6Prefixes = [
+          {
+            Prefix = "${lan20_p6}::/64";
+            Assign = true;
+            Token = [ "static:::1" ];
+          }
+          {
+            Prefix = "${lan20_ula_p}::/64";
+            Assign = true;
+            Token = [ "static:::1" ];
+          }
+        ];
+      };
+    };
+  };
+
+  networking.firewall.enable = false;
+  networking.nftables.enable = true;
+  networking.nftables.tables.firewall = {
+    family = "inet";
+    content = ''
+      define WAN_IF = "${if_wan}"
+      define LAN_IF = "${if_lan}"
+      define LAN_IPV4_SUBNET = ${lan_p4}.0/24
+      define LAN_IPV6_SUBNET = ${lan_p6}::/64
+      define LAN_IPV6_ULA = ${lan_ula_p}::/64
+      define LAN_IPV4_HOST = ${lan_p4}.100
+      define LAN_IPV6_HOST = ${lan_p6}::1:1000
+
+      define ALLOWED_TCP_PORTS = { ssh, https, 19999 }
+      define ALLOWED_UDP_PORTS = { domain }
+
+      chain input {
+          type filter hook input priority filter; policy drop;
+
+          # Allow established and related connections
+          ct state established,related accept
+
+          # Allow all traffic from loopback interface
+          iifname lo accept
+
+          # Allow ICMPv6 on link local addrs
+          ip6 nexthdr icmpv6 ip6 saddr fe80::/10 accept
+          ip6 nexthdr icmpv6 ip6 daddr fe80::/10 accept # TODO: not sure if necessary
+
+          # Allow all ICMPv6 from LAN
+          iifname $LAN_IF ip6 saddr { $LAN_IPV6_SUBNET, $LAN_IPV6_ULA } ip6 nexthdr icmpv6 accept
+          # Allow DHCPv6 client traffic
+          ip6 daddr { fe80::/10, ff02::/16 } udp dport dhcpv6-server accept
+
+          # Allow all ICMP from LAN
+          iifname $LAN_IF ip saddr $LAN_IPV4_SUBNET ip protocol icmp accept
+
+          # Allow specific services from LAN
+          iifname $LAN_IF ip saddr $LAN_IPV4_SUBNET tcp dport $ALLOWED_TCP_PORTS accept
+          iifname $LAN_IF ip6 saddr { $LAN_IPV6_SUBNET, $LAN_IPV6_ULA } tcp dport $ALLOWED_TCP_PORTS accept
+          iifname $LAN_IF ip saddr $LAN_IPV4_SUBNET udp dport $ALLOWED_UDP_PORTS accept
+          iifname $LAN_IF ip6 saddr { $LAN_IPV6_SUBNET, $LAN_IPV6_ULA } udp dport $ALLOWED_UDP_PORTS accept
+
+          # Allow SSH from WAN (if needed)
+          iifname $WAN_IF tcp dport ssh accept
+      }
+
+      chain forward {
+          type filter hook forward priority filter; policy drop;
+
+          # Allow established and related connections
+          ct state established,related accept
+
+          # Port forwarding
+          iifname $WAN_IF tcp dport https ip daddr $LAN_IPV4_HOST accept
+
+          # Allowed IPv6 ports
+          iifname $WAN_IF tcp dport https ip6 daddr $LAN_IPV6_HOST accept
+
+          # Allow traffic from LAN to WAN
+          iifname $LAN_IF ip saddr $LAN_IPV4_SUBNET oifname $WAN_IF accept
+          iifname $LAN_IF ip6 saddr $LAN_IPV6_SUBNET oifname $WAN_IF accept
+      }
+
+      chain output {
+          # Accept anything out of self by default
+          type filter hook output priority filter; policy accept;
+      }
+
+      chain prerouting {
+          # Initial step, accept by default
+          type nat hook prerouting priority dstnat; policy accept;
+
+          # Port forwarding
+          iifname $WAN_IF tcp dport https dnat ip to $LAN_IPV4_HOST
+      }
+
+      chain postrouting {
+          # Last step, accept by default
+          type nat hook postrouting priority srcnat; policy accept;
+
+          # Masquerade LAN addrs
+          # theoretically shouldn't need to check the input interface here,
+          # as it would be filtered by the forwarding rules
+          oifname $WAN_IF ip saddr $LAN_IPV4_SUBNET masquerade
+
+          # Optional IPv6 masquerading (big L if enabled)
+          # oifname $WAN_IF ip6 saddr $LAN_IPV6_ULA masquerade
+      }
+    '';
+  };
+
+  services.kea.dhcp4.enable = true;
+  services.kea.dhcp4.settings = {
+    interfaces-config.interfaces = [
+      if_lan
+    ];
+    dhcp-ddns.enable-updates = true;
+    ddns-qualifying-suffix = "default.${ldomain}";
+    subnet4 = [
+      {
+        id = 1;
+        subnet = "${lan_p4}.0/24";
+        ddns-qualifying-suffix = "lan.${ldomain}";
+        pools = [ { pool = "${lan_p4}.100 - ${lan_p4}.199"; } ];
+        option-data = [
+          {
+            name = "routers";
+            data = "${lan_p4}.1";
+          }
+          {
+            name = "domain-name-servers";
+            data = "${lan_p4}.1";
+          }
+        ];
+        reservations = [
+          {
+            hw-address = "bc:24:11:b7:27:4d";
+            hostname = "archy";
+            ip-address = "${lan_p4}.69";
+          }
+        ];
+      }
+    ];
+  };
+
+  services.kea.dhcp6.enable = true;
+  services.kea.dhcp6.settings = {
+    interfaces-config.interfaces = [
+      if_lan
+    ];
+    # TODO: https://kea.readthedocs.io/en/latest/arm/ddns.html#dual-stack-environments
+    dhcp-ddns.enable-updates = true;
+    ddns-qualifying-suffix = "default6.${ldomain}";
+    subnet6 = [
+      {
+        id = 1;
+        interface = if_lan;
+        subnet = "${lan_p6}::/64";
+        ddns-qualifying-suffix = "lan6.${ldomain}";
+        rapid-commit = true;
+        pools = [ { pool = "${lan_p6}::1:1000/116"; } ];
+        reservations = [
+          {
+            duid = "00:04:59:c3:ce:9a:08:cf:fb:b7:fe:74:9c:e3:b7:44:bf:01";
+            hostname = "archy";
+            ip-addresses = [ "${lan_p6}::69" ];
+          }
+        ];
+      }
+    ];
+  };
+
+  services.kea.dhcp-ddns.enable = true;
+  services.kea.dhcp-ddns.settings = {
+    forward-ddns = {
+      ddns-domains = [
+        {
+          name = "${ldomain}.";
+          dns-servers = [
+            {
+              ip-address = "::1";
+              port = 1053;
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  services.resolved.enable = false;
+  networking.resolvconf.enable = true;
+  networking.resolvconf.useLocalResolver = true;
+
+  services.adguardhome.enable = true;
+  services.adguardhome.mutableSettings = false;
+  services.adguardhome.settings = {
+    dns = {
+      bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];
+      upstream_dns = [
+        "quic://p0.freedns.controld.com"  # Default upstream
+        "[/${ldomain}/][::1]:1053"        # Local domains to Knot (ddns)
+      ];
+    };
+    # https://adguard-dns.io/kb/general/dns-filtering-syntax/
+    user_rules = [
+      # DNS rewrites
+      "|grouter.${domain}^$dnsrewrite=${lan_ula_addr}"
+
+      # Allowed exceptions
+      "@@||googleads.g.doubleclick.net"
+    ];
+  };
+
+  services.knot.enable = true;
+  services.knot.settings = {
+    server = {
+      # listen = "0.0.0.0@1053";
+      listen = "::1@1053";
+    };
+    # TODO: templates
+    zone = [
+      {
+        domain = ldomain;
+        storage = "/var/lib/knot/zones";
+        file = "${ldomain}.zone";
+        acl = [ "allow_localhost_update" ];
+      }
+    ];
+    acl = [
+      {
+        id = "allow_localhost_update";
+        address = [ "::1" "127.0.0.1" ];
+        action = [ "update" ];
+      }
+    ];
+  };
+  # Ensure the zone file exists
+  system.activationScripts.knotZoneFile = ''
+    ZONE_DIR="/var/lib/knot/zones"
+    ZONE_FILE="$ZONE_DIR/${ldomain}.zone"
+
+    # Create the directory if it doesn't exist
+    mkdir -p "$ZONE_DIR"
+
+    # Check if the zone file exists
+    if [ ! -f "$ZONE_FILE" ]; then
+      # Create the zone file with a basic SOA record
+      # Serial; Refresh; Retry; Expire; Negative Cache TTL;
+      echo "${ldomain}. 3600 SOA ns.${ldomain}. admin.${ldomain}. 1 86400 900 691200 3600" > "$ZONE_FILE"
+      echo "Created new zone file: $ZONE_FILE"
+    else
+      echo "Zone file already exists: $ZONE_FILE"
+    fi
+
+    # Ensure proper ownership and permissions
+    chown -R knot:knot "/var/lib/knot"
+    chmod 644 "$ZONE_FILE"
+  '';
+
+  # https://wiki.nixos.org/wiki/Prometheus
+  services.prometheus = {
+    enable = true;
+    exporters = {
+      # TODO: DNS, Kea, Knot, other exporters
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "node";
+        static_configs = [{
+          targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
+        }];
+      }
+    ];
+  };
+
+  # https://wiki.nixos.org/wiki/Grafana#Declarative_configuration
+  services.grafana = {
+    enable = true;
+    settings.server.http_port = 3001;
+    provision = {
+      enable = true;
+      datasources.settings.datasources = [
+        {
+          name = "Prometheus";
+          type = "prometheus";
+          url = "http://localhost:${toString config.services.prometheus.port}";
+        }
+      ];
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    virtualHosts."grouter.${domain}".extraConfig = ''
+      reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port}
+      tls internal
+    '';
+  };
+
+  # services.netdata.enable = true;
+
+  # Enable the X11 windowing system.
+  # You can disable this if you're only using the Wayland session.
+  services.xserver.enable = false;
+
+  # Enable the KDE Plasma Desktop Environment.
+  # Useful for debugging with wireshark.
+  services.displayManager.sddm.enable = false;
+  services.displayManager.sddm.wayland.enable = true;
+  services.desktopManager.plasma6.enable = true;
+  # No need for audio in VM
+  services.pipewire.enable = false;
+
+  # VM services
+  services.qemuGuest.enable = true;
+  services.spice-vdagentd.enable = true;
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.settings.KbdInteractiveAuthentication = false;
+
+  security.sudo.wheelNeedsPassword = false;
+
+  users.groups = {
+    cazzzer = {
+      gid = 1000;
+    };
+  };
+  users.users.cazzzer = {
+    password = "";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
+    ];
+    isNormalUser = true;
+    description = "Yura";
+    uid = 1000;
+    group = "cazzzer";
+    extraGroups = [ "wheel" "docker" "wireshark" ];
+  };
+
+  programs.firefox.enable = true;
+  programs.fish.enable = true;
+  programs.git.enable = true;
+  programs.neovim.enable = true;
+  programs.bat.enable = true;
+  programs.htop.enable = true;
+  programs.wireshark.enable = true;
+  programs.wireshark.package = pkgs.wireshark; # wireshark-cli by default
+
+  environment.systemPackages = with pkgs; [
+    dust
+    eza
+    fastfetch
+    fd
+    kdePackages.filelight
+    kdePackages.kate
+    kdePackages.yakuake
+    ldns
+    lsof
+    micro
+    mpv
+    ripgrep
+    rustscan
+    starship
+    tealdeer
+    waypipe
+    whois
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.11"; # Did you read the comment?
+}

hosts/router/hardware-configuration.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/f222513b-ded1-49fa-b591-20ce86a2fe7f";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/12CE-A600";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/vm/default.nix

@@ -9,15 +9,7 @@
     [ # Include the results of the hardware scan.
 #      ./hardware-configuration-vm.nix
     ];
-  mods.kb-input.enable = true;
-
-#  boot.kernelParams = [ "console=tty0" ];
-  proxmox.qemuConf.bios = "ovmf";
-  proxmox.qemuExtraConf = {
-    machine = "q35";
-#    efidisk0 = "local-lvm:vm-9999-disk-1";
-    cpu = "host";
-  };
+  mods.kb-input.enable = false;
 
   # Bootloader.
   boot.loader.systemd-boot.enable = true;
@@ -28,10 +20,8 @@
     "sysrq_always_enabled=1"
   ];
 
-#  boot.loader.timeout = lib.mkForce 3;
   boot.loader.systemd-boot.configurationLimit = 5;
   boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
-  boot.extraModulePackages = with config.boot.kernelPackages; [ zfs ];
 
   environment.etc.hosts.mode = "0644";
 
@@ -58,7 +48,7 @@
 
   # VM services
   services.cloud-init.enable = true;
-  services.cloud-init.network.enable = false;
+#  services.cloud-init.network.enable = false;
   services.qemuGuest.enable = true;
   services.spice-vdagentd.enable = true;
   services.openssh.enable = true;
@@ -89,7 +79,6 @@
   programs.firefox.enable = true;
   programs.fish.enable = true;
   programs.git.enable = true;
-  programs.lazygit.enable = true;
   programs.neovim.enable = true;
 
   programs.bat.enable = true;
@@ -112,9 +101,7 @@
   ];
 
   environment.systemPackages = with pkgs; [
-    darkman
     dust
-    efibootmgr
     eza
     fastfetch
     fd
@@ -123,18 +110,14 @@
     kdePackages.filelight
     kdePackages.kate
     kdePackages.yakuake
-    gnumake
-    helix
-    mediainfo
+    ldns
     micro
     mpv
     ripgrep
     starship
     tealdeer
-    tela-circle-icon-theme
     waypipe
     whois
-    yt-dlp
     zfs
   ];
 

hosts/vm/proxmox.nix

@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+#  boot.kernelParams = [ "console=tty0" ];
+  proxmox.qemuConf.bios = "ovmf";
+  proxmox.qemuExtraConf = {
+    machine = "q35";
+#    efidisk0 = "local-lvm:vm-9999-disk-1";
+    cpu = "host";
+  };
+}

modules/workarounds/flatpak.nix

@@ -24,7 +24,7 @@ in {
       aggregated = pkgs.buildEnv {
         name = "system-fonts-and-icons";
         paths = builtins.attrValues {
-          inherit (pkgs.libsForQt5) breeze-qt5;
+          inherit (pkgs.kdePackages) breeze;
           inherit
             (pkgs)
             noto-fonts