Nix fmt

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
Add usbguard service
2026-05-20 13:22:34 +02:00 · 2026-05-04 20:40:09 +02:00 · 2026-05-04 19:51:01 +02:00 · 2026-05-04 19:50:35 +02:00
64 changed files with 721 additions and 353 deletions
@@ -75,11 +75,20 @@
    };
  };

-  outputs = inputs @ {nixpkgs, nixpkgs-stable, ...}: let
+  outputs = inputs @ {
+    nixpkgs,
+    nixpkgs-stable,
+    ...
+  }: let
    system = "x86_64-linux";
+    pkgs = nixpkgs.legacyPackages.${system};
    args = {
-      inherit inputs nixpkgs system;
-      pkgs = nixpkgs.legacyPackages.${system};
+      inherit
+        inputs
+        nixpkgs
+        system
+        pkgs
+        ;
      pkgs-stable = nixpkgs-stable.legacyPackages.${system};
    };
    merge = nixpkgs.lib.foldl nixpkgs.lib.recursiveUpdate {};
@@ -89,6 +98,7 @@
      (import ./home/programs/group/flake.nix args)
      (import ./home/programs/nixy/flake.nix args)
      {
+        formatter.${system} = pkgs.alejandra;
        nixosConfigurations = {
          h-laptop = import ./hosts/laptop/flake.nix args;
          h-work = import ./hosts/work/flake.nix args;
@@ -63,8 +63,14 @@
      exec = "brave --incognito";
      icon = "brave-browser";
      terminal = false;
-      categories = ["Network" "WebBrowser"];
-      mimeType = ["text/html" "text/xml"];
+      categories = [
+        "Network"
+        "WebBrowser"
+      ];
+      mimeType = [
+        "text/html"
+        "text/xml"
+      ];
    };
    brave-tor = {
      name = "Brave (Private window w/Tor)";
@@ -72,7 +78,10 @@
      exec = "brave --tor";
      icon = "brave-browser";
      terminal = false;
-      categories = ["Network" "WebBrowser"];
+      categories = [
+        "Network"
+        "WebBrowser"
+      ];
    };
  };
 }
@@ -44,10 +44,8 @@ in {
        st = "status";
        br = "branch";
        df = "!git hist | peco | awk '{print $2}' | xargs -I {} git diff {}^ {}";
-        hist = ''
-          log --pretty=format:"%Cgreen%h %Creset%cd %Cblue[%cn] %Creset%s%C(yellow)%d%C(reset)" --graph --date=relative --decorate --all'';
-        llog = ''
-          log --graph --name-status --pretty=format:"%C(red)%h %C(reset)(%cd) %C(green)%an %Creset%s %C(yellow)%d%Creset" --date=relative'';
+        hist = ''log --pretty=format:"%Cgreen%h %Creset%cd %Cblue[%cn] %Creset%s%C(yellow)%d%C(reset)" --graph --date=relative --decorate --all'';
+        llog = ''log --graph --name-status --pretty=format:"%C(red)%h %C(reset)(%cd) %C(green)%an %Creset%s %C(yellow)%d%Creset" --date=relative'';
        edit-unmerged = "!f() { git ls-files --unmerged | cut -f2 | sort -u ; }; hx `f`";
      };
    };
@@ -16,12 +16,15 @@ in {
      update.method = "never";
      git = {
        commit.signOff = true;
-        overrideGpg = true; 
+        overrideGpg = true;
        parseEmoji = true;
      };
      gui = {
        theme = {
-          activeBorderColor = [accent "bold"];
+          activeBorderColor = [
+            accent
+            "bold"
+          ];
          inactiveBorderColor = [muted];
        };
        showListFooter = false;
@@ -10,12 +10,12 @@
      go
      bun
      nodejs
-      air
-      duckdb
      claude-code
      inputs.bun2nix.packages.${stdenv.hostPlatform.system}.default
    ])
    ++ (with pkgs-stable; [
+      air
+      duckdb
      docker
      python3
      jq
@@ -8,5 +8,7 @@
    configDirectory = "$HOME/.config/nixos";
  };

-  homeManagerModules.nixy = {imports = [./default.nix];};
+  homeManagerModules.nixy = {
+    imports = [./default.nix];
+  };
 }
@@ -1,4 +1,8 @@
-{inputs, pkgs, ...}: {
+{
+  inputs,
+  pkgs,
+  ...
+}: {
  imports = [inputs.nvf.homeManagerModules.default];
  # Packages needed by snacks image preview
  home.packages = with pkgs; [
@@ -62,19 +62,31 @@
      }
      {
        key = "<MiddleMouse>";
-        mode = ["n" "i" "v"];
+        mode = [
+          "n"
+          "i"
+          "v"
+        ];
        action = "<nop>";
        silent = true;
      }
      {
        key = "<2-MiddleMouse>";
-        mode = ["n" "i" "v"];
+        mode = [
+          "n"
+          "i"
+          "v"
+        ];
        action = "<nop>";
        silent = true;
      }
      {
        key = "<3-MiddleMouse>";
-        mode = ["n" "i" "v"];
+        mode = [
+          "n"
+          "i"
+          "v"
+        ];
        action = "<nop>";
        silent = true;
      }
@@ -218,7 +230,11 @@
      # Save
      {
        key = "<C-s>";
-        mode = ["n" "i" "v"];
+        mode = [
+          "n"
+          "i"
+          "v"
+        ];
        silent = true;
        action = "<cmd>w<cr>";
        desc = "Save file";
@@ -227,7 +243,11 @@
      # Deactivate "esc"
      {
        key = "<Esc>";
-        mode = ["n" "i" "v"];
+        mode = [
+          "n"
+          "i"
+          "v"
+        ];
        silent = true;
        action = "<Nop>";
        desc = "Disable Escape";
@@ -66,8 +66,7 @@
        key = "<leader>fc";
        mode = "n";
        silent = true;
-        action = ''
-          <cmd>lua Snacks.picker.files({ cwd = vim.fn.stdpath("config") })<cr>'';
+        action = ''<cmd>lua Snacks.picker.files({ cwd = vim.fn.stdpath("config") })<cr>'';
        desc = "Find Config File";
      }
      {
@@ -14,13 +14,9 @@

  c = config.lib.stylix.colors;

-  stripProtocol = url:
-    lib.removePrefix "https://" (lib.removePrefix "http://" url);
+  stripProtocol = url: lib.removePrefix "https://" (lib.removePrefix "http://" url);

-  stripDomain = url:
-    builtins.head (
-      lib.splitString "/" (stripProtocol url)
-    );
+  stripDomain = url: builtins.head (lib.splitString "/" (stripProtocol url));

  mkCard = item: let
    domain = stripDomain item.url;
@@ -69,13 +65,15 @@
        items = result.pending;
      };
  in
-    lib.concatMapStrings (chunk:
-      if chunk.isCards
-      then ''
-        <div class="cards">
-          ${lib.concatMapStrings mkCard chunk.items}
-        </div>''
-      else mkFolder chunk.folder)
+    lib.concatMapStrings (
+      chunk:
+        if chunk.isCards
+        then ''
+          <div class="cards">
+            ${lib.concatMapStrings mkCard chunk.items}
+          </div>''
+        else mkFolder chunk.folder
+    )
    chunks;

  mkFolder = folder: let
@@ -145,9 +143,7 @@
    )
    items;

-  publicBookmarks =
-    pkgs.writeText "qutebrowser-public-bookmarks"
-    (collectBookmarks "" bookmarkList);
+  publicBookmarks = pkgs.writeText "qutebrowser-public-bookmarks" (collectBookmarks "" bookmarkList);
 in {
  config = {
    xdg.dataFile."qutebrowser/bookmarks.html".text = ''
@@ -27,7 +27,10 @@
    genericName = "Web Browser";
    exec = "qutebrowser --temp-basedir %U";
    icon = "qutebrowser";
-    categories = ["Network" "WebBrowser"];
+    categories = [
+      "Network"
+      "WebBrowser"
+    ];
  };

  programs.qutebrowser = {
@@ -7,7 +7,11 @@
      };
      new_instance_open_target = "window";
      "tabs.last_close" = "close";
-      "statusbar.widgets" = ["keypress" "url" "progress"];
+      "statusbar.widgets" = [
+        "keypress"
+        "url"
+        "progress"
+      ];

      # Adblock
      "content.blocking.enabled" = true;
@@ -26,7 +30,12 @@
      "downloads.location.prompt" = false;

      # Editor (Ctrl+e in text fields)
-      "editor.command" = ["ghostty" "-e" "nvim" "{}"];
+      "editor.command" = [
+        "ghostty"
+        "-e"
+        "nvim"
+        "{}"
+      ];

      # Tabs
      # "tabs.show" = "switching";
@@ -29,8 +29,10 @@
    "qutebrowser/greasemonkey/return-youtube-dislike.user.js".source = inputs.qs-return-youtube-dislike;
    "qutebrowser/greasemonkey/sponsorblock-lite.user.js".source = inputs.qs-sponsorblock-lite;
    "qutebrowser/greasemonkey/dont-track-me-google.user.js".source = inputs.qs-dont-track-me-google;
-    "qutebrowser/greasemonkey/i-dont-care-about-cookies.user.js".source = inputs.qs-i-dont-care-about-cookies;
-    "qutebrowser/greasemonkey/tracking-token-stripper.user.js".source = inputs.qs-tracking-token-stripper;
+    "qutebrowser/greasemonkey/i-dont-care-about-cookies.user.js".source =
+      inputs.qs-i-dont-care-about-cookies;
+    "qutebrowser/greasemonkey/tracking-token-stripper.user.js".source =
+      inputs.qs-tracking-token-stripper;
    "qutebrowser/greasemonkey/bypass-paywalls-clean.user.js".source = inputs.qs-bypass-paywalls-clean;
    "qutebrowser/greasemonkey/anti-adblock-fuckoff.user.js".source = inputs.qs-anti-adblock-fuckoff;
  };
@@ -1,4 +1,10 @@
 # Import all shell configurations
 {
-  imports = [./fzf.nix ./zsh.nix ./starship.nix ./zoxide.nix ./eza.nix];
+  imports = [
+    ./fzf.nix
+    ./zsh.nix
+    ./starship.nix
+    ./zoxide.nix
+    ./eza.nix
+  ];
 }
@@ -20,7 +20,9 @@ in {
        "$git_status"
        "$character"
      ];
-      directory = {style = accent;};
+      directory = {
+        style = accent;
+      };

      character = {
        success_symbol = "[❯](${accent})";
@@ -7,7 +7,12 @@
 }: let
  fetch = config.theme.fetch; # neofetch, nerdfetch, pfetch
 in {
-  home.packages = with pkgs; [bat ripgrep tldr witr];
+  home.packages = with pkgs; [
+    bat
+    ripgrep
+    tldr
+    witr
+  ];

  # Add go binaries to the PATH
  home.sessionPath = ["$HOME/go/bin"];
@@ -22,7 +27,14 @@ in {
    autosuggestion.enable = true;
    syntaxHighlighting = {
      enable = true;
-      highlighters = ["main" "brackets" "pattern" "regexp" "root" "line"];
+      highlighters = [
+        "main"
+        "brackets"
+        "pattern"
+        "regexp"
+        "root"
+        "line"
+      ];
    };
    historySubstringSearch.enable = true;

@@ -33,9 +45,7 @@ in {
    };

    profileExtra = lib.optionalString (config.home.sessionPath != []) ''
-      export PATH="$PATH''${PATH:+:}${
-        lib.concatStringsSep ":" config.home.sessionPath
-      }"
+      export PATH="$PATH''${PATH:+:}${lib.concatStringsSep ":" config.home.sessionPath}"
    '';

    shellAliases = {
@@ -1,10 +1,22 @@
 {
  programs.caelestia.settings = {
    session.commands = {
-      shutdown = ["systemctl" "poweroff"];
-      logout = ["loginctl" "lock-session"];
-      hibernate = ["systemctl" "hibernate"];
-      reboot = ["systemctl" "reboot"];
+      shutdown = [
+        "systemctl"
+        "poweroff"
+      ];
+      logout = [
+        "loginctl"
+        "lock-session"
+      ];
+      hibernate = [
+        "systemctl"
+        "hibernate"
+      ];
+      reboot = [
+        "systemctl"
+        "reboot"
+      ];
    };
    launcher = {
      actionPrefix = "/";
@@ -13,7 +25,10 @@
          name = "Calculator";
          icon = "calculate";
          description = "Do simple math equations (powered by Qalc)";
-          command = ["autocomplete" "calc"];
+          command = [
+            "autocomplete"
+            "calc"
+          ];
          enabled = true;
          dangerous = false;
        }
@@ -21,7 +36,10 @@
          name = "Shutdown";
          icon = "power_settings_new";
          description = "Shutdown the system";
-          command = ["systemctl" "poweroff"];
+          command = [
+            "systemctl"
+            "poweroff"
+          ];
          enabled = true;
          dangerous = true;
        }
@@ -29,7 +47,10 @@
          name = "Reboot";
          icon = "cached";
          description = "Reboot the system";
-          command = ["systemctl" "reboot"];
+          command = [
+            "systemctl"
+            "reboot"
+          ];
          enabled = true;
          dangerous = true;
        }
@@ -37,7 +58,11 @@
          name = "Logout";
          icon = "exit_to_app";
          description = "Log out of the current session";
-          command = ["loginctl" "terminate-user" ""];
+          command = [
+            "loginctl"
+            "terminate-user"
+            ""
+          ];
          enabled = true;
          dangerous = true;
        }
@@ -45,7 +70,10 @@
          name = "Lock";
          icon = "lock";
          description = "Lock the current session";
-          command = ["loginctl" "lock-session"];
+          command = [
+            "loginctl"
+            "lock-session"
+          ];
          enabled = true;
          dangerous = false;
        }
@@ -53,7 +81,10 @@
          name = "Sleep";
          icon = "bedtime";
          description = "Suspend then hibernate";
-          command = ["systemctl" "suspend-then-hibernate"];
+          command = [
+            "systemctl"
+            "suspend-then-hibernate"
+          ];
          enabled = true;
          dangerous = false;
        }
@@ -61,7 +92,12 @@
          name = "Restart caelestia";
          icon = "cached";
          description = "Restart caelestia";
-          command = ["hyprctl" "dispatch" "exec" "caelestia-shell kill | sleep 1 | caelestia-shell"];
+          command = [
+            "hyprctl"
+            "dispatch"
+            "exec"
+            "caelestia-shell kill | sleep 1 | caelestia-shell"
+          ];
          enabled = true;
          dangerous = false;
        }
@@ -69,7 +105,11 @@
          name = "Emoji Picker";
          icon = "mood";
          description = "Toggle the emoji picker";
-          command = ["caelestia" "emoji" "-p"];
+          command = [
+            "caelestia"
+            "emoji"
+            "-p"
+          ];
          enabled = true;
          dangerous = false;
        }
@@ -77,7 +117,10 @@
          name = "Clipboard History";
          icon = "content_paste";
          description = "Toggle the clipboard history";
-          command = ["caelestia" "clipboard"];
+          command = [
+            "caelestia"
+            "clipboard"
+          ];
          enabled = true;
          dangerous = false;
        }
@@ -85,7 +128,10 @@
          name = "Delete from Clipboard History";
          icon = "content_paste_off";
          description = "Delete a line from the clipboard history";
-          command = ["caelestia" "clipboard"];
+          command = [
+            "caelestia"
+            "clipboard"
+          ];
          enabled = true;
          dangerous = false;
        }
@@ -101,7 +147,10 @@
          name = "Hyprpicker";
          icon = "colorize";
          description = "Pick an hex color";
-          command = ["hyprpicker" "-a"];
+          command = [
+            "hyprpicker"
+            "-a"
+          ];
          enabled = true;
          dangerous = false;
        }
@@ -122,14 +122,16 @@

  colorsHash = builtins.hashString "sha256" (builtins.toJSON colors);

-  customCli = inputs.caelestia-cli.packages.${pkgs.stdenv.hostPlatform.system}.default.overrideAttrs (oldAttrs: {
-    name = "${oldAttrs.name or "caelestia-cli"}-themed-${colorsHash}";
-    postUnpack = ''
-      mkdir -p $sourceRoot/src/caelestia/data/schemes/custom/main
-      cp ${customSchemeFile} $sourceRoot/src/caelestia/data/schemes/custom/main/dark.txt
-      echo "Custom scheme added to source"
-    '';
-  });
+  customCli =
+    inputs.caelestia-cli.packages.${pkgs.stdenv.hostPlatform.system}.default.overrideAttrs
+    (oldAttrs: {
+      name = "${oldAttrs.name or "caelestia-cli"}-themed-${colorsHash}";
+      postUnpack = ''
+        mkdir -p $sourceRoot/src/caelestia/data/schemes/custom/main
+        cp ${customSchemeFile} $sourceRoot/src/caelestia/data/schemes/custom/main/dark.txt
+        echo "Custom scheme added to source"
+      '';
+    });
 in {
  programs.caelestia.cli.package = customCli;
 }
@@ -7,9 +7,8 @@
  colors = config.lib.stylix.colors;

  mkMenu = menu: let
-    configFile =
-      pkgs.writeText "config.yaml"
-      (lib.generators.toYAML {} {
+    configFile = pkgs.writeText "config.yaml" (
+      lib.generators.toYAML {} {
        anchor = "bottom-right";
        border = "#${colors.base0D}80";
        background = "#${colors.base01}EE";
@@ -19,7 +18,8 @@
        rows_per_column = 5;

        inherit menu;
-      });
+      }
+    );
  in
    pkgs.writeShellScriptBin "menu" ''
      exec ${lib.getExe pkgs.wlr-which-key} ${configFile}
@@ -32,7 +32,8 @@ in {
    bind =
      [
        # Applications
-        ("$shiftMod, A, exec, "
+        (
+          "$shiftMod, A, exec, "
          + lib.getExe (mkMenu [
            {
              key = "a";
@@ -84,14 +85,16 @@ in {
              desc = "Qutebrowser (Temp session)";
              cmd = "${pkgs.qutebrowser}/bin/qutebrowser --temp-basedir";
            }
-          ]))
+          ])
+        )

        # Web links
        "$mod,B, exec, uwsm app -- ${pkgs.qutebrowser}/bin/qutebrowser" # Browser (Qutebrowser)

        # Power
        "$mod, X, global, caelestia:session" # Powermenu
-        ("$shiftMod, X, exec, "
+        (
+          "$shiftMod, X, exec, "
          + lib.getExe (mkMenu [
            {
              key = "l";
@@ -123,7 +126,8 @@ in {
              desc = "Restart caelestia";
              cmd = "hyprctl dispatch exec 'caelestia-shell kill | sleep 1 | caelestia-shell'";
            }
-          ]))
+          ])
+        )

        # Quick launch
        "$mod,RETURN, exec, uwsm app -- ${pkgs.ghostty}/bin/ghostty" # Ghostty (terminal)
@@ -154,13 +158,17 @@ in {
        ", Print, global, caelestia:screenshotFreeze" # Capture region (freeze)
        "$shiftMod+Alt, S, global, caelestia:screenshot" # Capture region
      ]
-      ++ (builtins.concatLists (builtins.genList (i: let
-          ws = i + 1;
-        in [
-          "$mod,code:1${toString i}, workspace, ${toString ws}"
-          "$mod SHIFT,code:1${toString i}, movetoworkspace, ${toString ws}"
-        ])
-        9));
+      ++ (builtins.concatLists (
+        builtins.genList (
+          i: let
+            ws = i + 1;
+          in [
+            "$mod,code:1${toString i}, workspace, ${toString ws}"
+            "$mod SHIFT,code:1${toString i}, movetoworkspace, ${toString ws}"
+          ]
+        )
+        9
+      ));

    bindm = [
      "$mod,mouse:272, movewindow" # Move Window (mouse)
@@ -62,9 +62,6 @@ in {
      ];

      monitor = [
-        "eDP-2,highres,0x0,1" # My internal laptop screen
-        "desc:AOC U34G2G1 0x00000E06,3440x1440@99.98,auto,1" # My external monitor
-        "desc:Philips Consumer Electronics Company PHL 221B8L ZV02144013987,highres,0x0,1"
        ",prefered,auto,1" # default
      ];

@@ -39,4 +39,6 @@
  '';

  command = "bash ${keyboard-backlight}/bin/keyboard-backlight &";
-in {wayland.windowManager.hyprland.settings.exec-once = [command];}
+in {
+  wayland.windowManager.hyprland.settings.exec-once = [command];
+}
@@ -8,8 +8,7 @@
      splash = false;
    };
  };
-  systemd.user.services.hyprpaper.Unit.After =
-    lib.mkForce "graphical-session.target";
+  systemd.user.services.hyprpaper.Unit.After = lib.mkForce "graphical-session.target";

  wayland.windowManager.hyprland.settings.exec-once = [
    "systemctl --user enable --now hyprpaper.service"
@@ -117,14 +117,17 @@ with lib; let
    desktopName = "Neovim (Ghostty)";
    exec = ''ghostty --title="Neovim Editor" -e nvim %F'';
    terminal = false;
-    categories = ["Development" "TextEditor"];
+    categories = [
+      "Development"
+      "TextEditor"
+    ];
    mimeTypes = mimeMap.code ++ mimeMap.text;
  };

  associations = with lists;
-    listToAttrs (flatten (mapAttrsToList
-      (key: map (type: attrsets.nameValuePair type defaultApps."${key}"))
-      mimeMap));
+    listToAttrs (
+      flatten (mapAttrsToList (key: map (type: attrsets.nameValuePair type defaultApps."${key}")) mimeMap)
+    );
 in {
  home.packages = [nvim-ghostty];

@@ -12,6 +12,7 @@
    ../../nixos/users.nix
    ../../nixos/utils.nix
    ../../nixos/hyprland.nix
+    ../../nixos/usbguard.nix

    ../../nixos/omen.nix # CHANGEME: For my laptop only, remove this (OMEN 16)

@@ -20,6 +21,29 @@
    ./variables.nix
  ];

+  # USBGuard:
+  # Allow all USB devices until a proper policy is configured.
+  # Run `sudo usbguard generate-policy` with your devices plugged in,
+  # then set rules = "<output>" and switch implicitPolicyTarget to "block".
+  # services.usbguard.implicitPolicyTarget = lib.mkForce "allow";
+
+  services.usbguard.rules = ''
+    allow id 1532:02a1 serial "" name "Razer Ornata V3" hash "wfuIjBhhGuge8gflyA526SKqKoy8rHJZQZ+2o6usMiE=" parent-hash "MSXcPAlZqkpTyZQylOhSIB8eMfST2AzVHV9EbrBGTWc=" with-interface { 03:01:01 03:00:01 03:00:02 } with-connect-type "unknown"
+    allow id 1d6b:0002 serial "0000:05:00.3" name "xHCI Host Controller" hash "4a4NgfdUaJO43rkCzmWRSeHHR/uUh5+SNsXnhosm9qs=" parent-hash "ldMchY4Tt4GPUYo30eNGvai+Fs/EdnVY3vMyxJUq4Nk=" with-interface 09:00:00 with-connect-type ""
+    allow id 1d6b:0003 serial "0000:05:00.3" name "xHCI Host Controller" hash "d+DNGWARDtv9nEK2ZvnNOCtFernuMu5/e/oZ7kCppqQ=" parent-hash "ldMchY4Tt4GPUYo30eNGvai+Fs/EdnVY3vMyxJUq4Nk=" with-interface 09:00:00 with-connect-type ""
+    allow id 0bda:c85c serial "00e04c000001" name "Bluetooth Radio" hash "Q/wlToV8WQgEYHBW/UIhnSwCCusCGqAR2D5gspSCImQ=" parent-hash "4a4NgfdUaJO43rkCzmWRSeHHR/uUh5+SNsXnhosm9qs=" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired"
+    allow id 30c9:009f serial "01.00.00" name "HP True Vision FHD Camera" hash "eYW5fqReJd29tfHXkEktKC63dGfDpmlRMo5uMGUWwME=" parent-hash "icotY3rI59mWiKsGxc59BGZZeBjfbuH0b4NUByj3cbQ=" with-interface { 0e:01:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 fe:01:01 } with-connect-type "hardwired"
+    allow id 03f0:036b serial "" name "HP USB-C Dock G5" hash "iPFGrgGz0sWgKQjWD/F8eNOhkeR728dTG8JJtkUSvuM=" parent-hash "Hp8B0Enf+ACRT2tyy0EqXj7eNsFDAnTRZadzuh/Iqd4=" with-interface { 09:00:01 09:00:02 } with-connect-type "hotplug"
+    allow id 03f0:066b serial "" name "HP USB-C Dock G5" hash "JHDjLFApQNqijjmuKdJSWH5+1oLL7S6LQ9QHTAk5fTk=" parent-hash "rJ3LKdvkCK3SUrCU3lV8qVbmPjA+r9Fe5106x2HlgK4=" with-interface 09:00:00 with-connect-type "hotplug"
+    allow id 03f0:056b serial "201604140001" name "USB Audio" hash "OxQ8HQenW3/4HSGEBOSYFS15rXDTOaNDnjMbICweHgw=" parent-hash "iPFGrgGz0sWgKQjWD/F8eNOhkeR728dTG8JJtkUSvuM=" with-interface { 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 03:00:00 } with-connect-type "unknown"
+    allow id 03f0:086b serial "" name "USB2734" hash "MSXcPAlZqkpTyZQylOhSIB8eMfST2AzVHV9EbrBGTWc=" parent-hash "iPFGrgGz0sWgKQjWD/F8eNOhkeR728dTG8JJtkUSvuM=" with-interface { 09:00:01 09:00:02 } with-connect-type "unknown"
+    allow id 03f0:046b serial "11AD1D0A89EA2D08310E0B00" name "HP USB-C Dock G5" hash "DEGeuj1u4lwqrzp0UksFX7mSEY9JnGLxg7yxGbglAKE=" parent-hash "iPFGrgGz0sWgKQjWD/F8eNOhkeR728dTG8JJtkUSvuM=" with-interface { 11:00:00 ff:03:00 03:00:00 } with-connect-type "unknown"
+    allow id 03f0:076b serial "" name "USB5734" hash "BshoqybYo0IKgoDORYPRtbhhlmQrYAxPQb2EAm1JsWA=" parent-hash "JHDjLFApQNqijjmuKdJSWH5+1oLL7S6LQ9QHTAk5fTk=" with-interface 09:00:00 with-connect-type "unknown"
+    allow id 0bda:8153 serial "000001000000" name "USB 10/100/1000 LAN" hash "utEnXKJ57kRUbPcGUaNWhEyoOEbLOYAFxvlsyC0PZkk=" parent-hash "JHDjLFApQNqijjmuKdJSWH5+1oLL7S6LQ9QHTAk5fTk=" with-interface { ff:ff:00 02:06:00 0a:00:00 0a:00:00 } with-connect-type "unknown"
+    allow id 046d:0ab7 serial "2046BAB04T68" name "Blue Microphones" hash "cC6AQ2e1Q/BeFeostpbf1mH2WpoUmt6bhau4NlA3niU=" parent-hash "MSXcPAlZqkpTyZQylOhSIB8eMfST2AzVHV9EbrBGTWc=" with-interface { 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 01:02:00 01:02:00 03:00:00 } with-connect-type "unknown"
+    allow id 13fd:5900 serial "50026B76861EE752    " name "External" hash "Xebp3uQRrhCKBHdGRVKXH0I5Vdawi4mSpuu0ttKgDyE=" parent-hash "BshoqybYo0IKgoDORYPRtbhhlmQrYAxPQb2EAm1JsWA=" with-interface { 08:06:50 08:06:62 } with-connect-type "unknown"
+  '';
+
  home-manager.users."${config.var.username}" = import ./home.nix;

  # Don't touch this
@@ -1,4 +1,8 @@
-{inputs, nixpkgs, ...}:
+{
+  inputs,
+  nixpkgs,
+  ...
+}:
 nixpkgs.lib.nixosSystem {
  modules = [
    {
@@ -11,7 +11,13 @@
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "uas" "usbhid" "sd_mod"];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "uas"
+    "usbhid"
+    "sd_mod"
+  ];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["kvm-amd"];
  boot.extraModulePackages = [];
@@ -24,7 +30,10 @@
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/5251-9B85";
    fsType = "vfat";
-    options = ["fmask=0077" "dmask=0077"];
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
  };

  swapDevices = [];
@@ -36,7 +36,9 @@
  home = {
    inherit (config.var) username;
    homeDirectory = "/home/" + config.var.username;
-    file.".face" = {source = ./profile_picture.png;};
+    file.".face" = {
+      source = ./profile_picture.png;
+    };

    sessionVariables = {
      AQ_DRM_DEVICES = "/dev/dri/card2:/dev/dri/card1"; # CHANGEME: Related to the GPU
@@ -46,10 +48,16 @@
    stateVersion = "24.05";
  };

-  programs.home-manager.enable = true;
+  wayland.windowManager.hyprland.settings.monitor = [
+    "eDP-2,highres,0x0,1" # My internal laptop screen
+    "desc:AOC U34G2G1 0x00000E06,3440x1440@99.98,auto,1" # My external monitor
+  ];

-  programs.nixy = {
-    enable = true;
-    configDirectory = config.var.configDirectory;
+  programs = {
+    home-manager.enable = true;
+    nixy = {
+      enable = true;
+      configDirectory = config.var.configDirectory;
+    };
  };
 }
@@ -14,11 +14,21 @@ in {
    age.keyFile = "${home}/.config/sops/age/keys.txt";
    defaultSopsFile = ./secrets.yaml;
    secrets = {
-      ssh-config = {path = "${home}/.ssh/config";};
-      github-key = {path = "${home}/.ssh/github";};
-      jack-key = {path = "${home}/.ssh/jack";};
-      signing-key = {path = "${home}/.ssh/key";};
-      signing-pub-key = {path = "${home}/.ssh/key.pub";};
+      ssh-config = {
+        path = "${home}/.ssh/config";
+      };
+      github-key = {
+        path = "${home}/.ssh/github";
+      };
+      jack-key = {
+        path = "${home}/.ssh/jack";
+      };
+      signing-key = {
+        path = "${home}/.ssh/key";
+      };
+      signing-pub-key = {
+        path = "${home}/.ssh/key.pub";
+      };
    };
  };

@@ -42,7 +52,10 @@ in {
  '';

  systemd.user.services.mbsync.Unit.After = ["sops-nix.service"];
-  home.packages = with pkgs; [sops age];
+  home.packages = with pkgs; [
+    sops
+    age
+  ];

  wayland.windowManager.hyprland.settings.exec-once = ["systemctl --user start sops-nix"];
 }
@@ -11,10 +11,7 @@
  config.var = {
    hostname = "h-laptop";
    username = "hadi";
-    configDirectory =
-      "/home/"
-      + config.var.username
-      + "/.config/nixos"; # The path of the nixos configuration directory
+    configDirectory = "/home/" + config.var.username + "/.config/nixos"; # The path of the nixos configuration directory

    keyboardLayout = "fr";

@@ -1,4 +1,8 @@
-{inputs, nixpkgs, ...}:
+{
+  inputs,
+  nixpkgs,
+  ...
+}:
 nixpkgs.lib.nixosSystem {
  modules = [
    {_module.args = {inherit inputs;};}
@@ -9,7 +9,14 @@
  ...
 }: {
  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
-  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
  boot.initrd.kernelModules = ["dm-snapshot"];
  boot.kernelModules = ["kvm-amd"];
  boot.extraModulePackages = [];
@@ -20,12 +27,18 @@
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/DD15-1125";
    fsType = "vfat";
-    options = ["fmask=0077" "dmask=0077"];
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
  };
  fileSystems."/mnt/data" = {
    device = "/dev/disk/by-uuid/0b055155-0134-448c-b1ca-e81030ff064e";
    fsType = "btrfs";
-    options = ["subvol=/" "compress=zstd"]; # adapte selon si t'as des subvolumes
+    options = [
+      "subvol=/"
+      "compress=zstd"
+    ]; # adapte selon si t'as des subvolumes
  };
  swapDevices = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@@ -35,6 +48,5 @@
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
@@ -26,5 +26,8 @@
    };
  };

-  environment.systemPackages = with pkgs; [sops age];
+  environment.systemPackages = with pkgs; [
+    sops
+    age
+  ];
 }
@@ -11,10 +11,7 @@
  config.var = {
    hostname = "jack";
    username = "hadi";
-    configDirectory =
-      "/home/"
-      + config.var.username
-      + "/.config/nixos"; # The path of the nixos configuration directory
+    configDirectory = "/home/" + config.var.username + "/.config/nixos"; # The path of the nixos configuration directory

    keyboardLayout = "fr";

@@ -1,4 +1,8 @@
-{inputs, nixpkgs, ...}:
+{
+  inputs,
+  nixpkgs,
+  ...
+}:
 nixpkgs.lib.nixosSystem {
  modules = [
    {
@@ -12,7 +12,14 @@
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["kvm-intel"];
  boot.extraModulePackages = [];
@@ -25,7 +32,10 @@
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/043E-1755";
    fsType = "vfat";
-    options = ["fmask=0077" "dmask=0077"];
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
  };

  swapDevices = [];
@@ -39,10 +39,15 @@
    stateVersion = "24.05";
  };

-  programs.home-manager.enable = true;
+  wayland.windowManager.hyprland.settings.monitor = [
+    "desc:Philips Consumer Electronics Company PHL 221B8L ZV02144013987,highres,0x0,1"
+  ];

-  programs.nixy = {
-    enable = true;
-    configDirectory = config.var.configDirectory;
+  programs = {
+    home-manager.enable = true;
+    nixy = {
+      enable = true;
+      configDirectory = config.var.configDirectory;
+    };
  };
 }
@@ -14,10 +14,18 @@ in {
    age.keyFile = "${home}/.config/sops/age/keys.txt";
    defaultSopsFile = ./secrets.yaml;
    secrets = {
-      ssh-config = {path = "${home}/.ssh/config";};
-      netrc = {path = "${home}/.netrc";};
-      github-key = {path = "${home}/.ssh/github";};
-      gitlab-key = {path = "${home}/.ssh/gitlab";};
+      ssh-config = {
+        path = "${home}/.ssh/config";
+      };
+      netrc = {
+        path = "${home}/.netrc";
+      };
+      github-key = {
+        path = "${home}/.ssh/github";
+      };
+      gitlab-key = {
+        path = "${home}/.ssh/gitlab";
+      };
    };
  };

@@ -41,7 +49,10 @@ in {
  '';

  systemd.user.services.mbsync.Unit.After = ["sops-nix.service"];
-  home.packages = with pkgs; [sops age];
+  home.packages = with pkgs; [
+    sops
+    age
+  ];

  wayland.windowManager.hyprland.settings.exec-once = ["systemctl --user start sops-nix"];
 }
@@ -11,10 +11,7 @@
  config.var = {
    hostname = "h-work";
    username = "hadrien";
-    configDirectory =
-      "/home/"
-      + config.var.username
-      + "/.config/nixos"; # The path of the nixos configuration directory
+    configDirectory = "/home/" + config.var.username + "/.config/nixos"; # The path of the nixos configuration directory

    keyboardLayout = "fr";

@@ -13,7 +13,9 @@
      enable = true;
      extraConfig = {
        "10-disable-camera" = {
-          "wireplumber.profiles" = {main."monitor.libcamera" = "disabled";};
+          "wireplumber.profiles" = {
+            main."monitor.libcamera" = "disabled";
+          };
        };
      };
    };
@@ -1,5 +1,9 @@
 # Home-manager configuration for NixOS
-{inputs, pkgs, ...}: {
+{
+  inputs,
+  pkgs,
+  ...
+}: {
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
@@ -35,7 +35,10 @@ in {
    settings = {
      download-buffer-size = 262144000; # 250 MB (250 * 1024 * 1024)
      auto-optimise-store = true;
-      experimental-features = ["nix-command" "flakes"];
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
      substituters = [
        # high priority since it's almost always used
        "https://cache.nixos.org?priority=10"
@@ -55,8 +55,7 @@ in {
        # Optimized configuration for switchable graphics laptops
        offload = {
          enable = true; # Mode optimized for power saving
-          enableOffloadCmd =
-            true; # Allows running applications with dedicated GPU
+          enableOffloadCmd = true; # Allows running applications with dedicated GPU
        };
        # sync.enable disabled as offload is generally better for laptops
        sync.enable = false;
@@ -5,9 +5,8 @@
  pkgs,
  ...
 }: let
-  hp-omen-linux-module =
-    pkgs.callPackage
-    ({
+  hp-omen-linux-module = pkgs.callPackage (
+    {
      kernel ? config.boot.kernelPackages.kernel,
      stdenv,
      fetchFromGitHub,
@@ -33,7 +32,8 @@
          install hp-wmi.ko -Dm444 -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/platform/x86/hp/
          runHook postInstall
        '';
-      })) {kernel = config.boot.kernelPackages.kernel;};
+      })
+  ) {kernel = config.boot.kernelPackages.kernel;};
 in {
  boot.extraModulePackages = [hp-omen-linux-module];
  boot.kernelModules = ["hp-wmi"];
@@ -11,8 +11,7 @@
      };
    };
    tmp.cleanOnBoot = true;
-    kernelPackages =
-      pkgs.linuxPackages_latest; # _zen, _hardened, _rt, _rt_latest, etc.
+    kernelPackages = pkgs.linuxPackages_latest; # _zen, _hardened, _rt, _rt_latest, etc.

    # Silent boot
    kernelParams = [
@@ -38,5 +37,7 @@
  };

  # To avoid systemd services hanging on shutdown
-  systemd.settings.Manager = { DefaultTimeoutStopSec = "10s"; };
+  systemd.settings.Manager = {
+    DefaultTimeoutStopSec = "10s";
+  };
 }
@@ -0,0 +1,10 @@
+{config, ...}: {
+  services.usbguard = {
+    enable = true;
+    implicitPolicyTarget = "block";
+    IPCAllowedUsers = [
+      "root"
+      config.var.username
+    ];
+  };
+}
@@ -13,7 +13,10 @@ in {
    users.${username} = {
      isNormalUser = true;
      description = "${username} account";
-      extraGroups = ["networkmanager" "wheel"];
+      extraGroups = [
+        "networkmanager"
+        "wheel"
+      ];
    };
  };
 }
@@ -21,11 +21,17 @@ in {
    enable = autoUpgrade;
    dates = "04:00";
    flake = "${configDir}";
-    flags = ["--update-input" "nixpkgs" "--commit-lock-file"];
+    flags = [
+      "--update-input"
+      "nixpkgs"
+      "--commit-lock-file"
+    ];
    allowReboot = false;
  };

-  time = {timeZone = timeZone;};
+  time = {
+    timeZone = timeZone;
+  };
  i18n.defaultLocale = defaultLocale;
  i18n.extraLocaleSettings = {
    LC_ADDRESS = extraLocale;
@@ -65,7 +71,10 @@ in {
    dbus = {
      enable = true;
      implementation = "broker";
-      packages = with pkgs; [gcr gnome-settings-daemon];
+      packages = with pkgs; [
+        gcr
+        gnome-settings-daemon
+      ];
    };
    gvfs.enable = true;
    upower.enable = true;
@@ -115,7 +124,10 @@ in {
    xdgOpenUsePortal = true;
    config = {
      common.default = ["gtk"];
-      hyprland.default = ["gtk" "hyprland"];
+      hyprland.default = [
+        "gtk"
+        "hyprland"
+      ];
    };

    extraPortals = [pkgs.xdg-desktop-portal-gtk];
@@ -49,7 +49,10 @@ in {
    };
  };

-  users.users.jellyfin.extraGroups = ["video" "render"];
+  users.users.jellyfin.extraGroups = [
+    "video"
+    "render"
+  ];

  services.cloudflared.tunnels."${config.var.tunnelId}".ingress = {
    "media.${config.var.domain}" = "http://localhost:8096";
@@ -1,19 +1,27 @@
-{ config, inputs, lib, ... }:
-let
-  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
-in
 {
+  config,
+  inputs,
+  lib,
+  ...
+}: let
+  inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
+in {
  imports = [
    (mkContainer {
      name = "wallpapers";
      hostIp = "10.233.4.1";
      containerIp = "10.233.4.2";
-      nixosConfig = { pkgs, ... }: {
+      nixosConfig = {pkgs, ...}: {
        services.nginx = {
          enable = true;
          virtualHosts."wallpapers" = {
            root = "${inputs.awesome-wallpapers.packages.${pkgs.system}.default}/share/awesome-wallpapers";
-            listen = [{ addr = "0.0.0.0"; port = 8080; }];
+            listen = [
+              {
+                addr = "0.0.0.0";
+                port = 8080;
+              }
+            ];
            locations."/" = {
              tryFiles = "$uri $uri/ /index.html";
            };
@@ -23,7 +31,7 @@ in
            '';
          };
        };
-        networking.firewall.allowedTCPPorts = [ 8080 ];
+        networking.firewall.allowedTCPPorts = [8080];
        system.stateVersion = "24.05";
      };
    })
@@ -51,7 +51,10 @@ in {
            };
          };
        };
-        networking.firewall.allowedTCPPorts = [8080 8081];
+        networking.firewall.allowedTCPPorts = [
+          8080
+          8081
+        ];
        system.stateVersion = "24.05";
      };
    })
@@ -1,22 +1,29 @@
-{ config, lib, ... }:
-let
-  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
-in
 {
+  config,
+  lib,
+  ...
+}: let
+  inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
+in {
  imports = [
    (mkContainer {
      name = "cyberchef";
      hostIp = "10.233.5.1";
      containerIp = "10.233.5.2";
-      nixosConfig = { pkgs, ... }: {
+      nixosConfig = {pkgs, ...}: {
        services.nginx = {
          enable = true;
          virtualHosts."cyberchef" = {
            root = "${pkgs.cyberchef}/share/cyberchef";
-            listen = [{ addr = "0.0.0.0"; port = 8080; }];
+            listen = [
+              {
+                addr = "0.0.0.0";
+                port = 8080;
+              }
+            ];
          };
        };
-        networking.firewall.allowedTCPPorts = [ 8080 ];
+        networking.firewall.allowedTCPPorts = [8080];
        system.stateVersion = "24.05";
      };
    })
@@ -1,21 +1,24 @@
-{ config, inputs, lib, ... }:
-let
-  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
-  domain = config.var.domain;
-in
 {
+  config,
+  inputs,
+  lib,
+  ...
+}: let
+  inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
+  domain = config.var.domain;
+in {
  imports = [
    (mkContainer {
      name = "def-creds";
      hostIp = "10.233.6.1";
      containerIp = "10.233.6.2";
-      nixosConfig = { ... }: {
-        imports = [ inputs.default-creds.nixosModules.default ];
+      nixosConfig = {...}: {
+        imports = [inputs.default-creds.nixosModules.default];
        services.default-creds = {
          enable = true;
          port = 8087;
        };
-        networking.firewall.allowedTCPPorts = [ 8087 ];
+        networking.firewall.allowedTCPPorts = [8087];
        systemd.services.default-creds.environment = {
          HOST = lib.mkForce "0.0.0.0";
          PUBLIC_UMAMI_URL = "https://umami.${domain}";
@@ -1,14 +1,17 @@
-{ config, pkgs, lib, ... }:
-let
-  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
  domain = config.var.domain;
  catppuccin-gitea = pkgs.fetchzip {
    url = "https://github.com/catppuccin/gitea/releases/download/v1.0.2/catppuccin-gitea.tar.gz";
    sha256 = "sha256-rZHLORwLUfIFcB6K9yhrzr+UwdPNQVSadsw6rg8Q7gs=";
    stripRoot = false;
  };
-in
-{
+in {
  imports = [
    (mkContainer {
      name = "gitea";
@@ -19,17 +22,19 @@ in
        hostPath = "/var/lib/gitea";
        isReadOnly = false;
      };
-      nixosConfig = { lib, ... }: {
+      nixosConfig = {lib, ...}: {
        users.users.gitea.uid = lib.mkForce 978;
        users.groups.gitea.gid = lib.mkForce 968;

        services.postgresql = {
          enable = true;
-          ensureDatabases = [ "gitea" ];
-          ensureUsers = [{
-            name = "gitea";
-            ensureDBOwnership = true;
-          }];
+          ensureDatabases = ["gitea"];
+          ensureUsers = [
+            {
+              name = "gitea";
+              ensureDBOwnership = true;
+            }
+          ];
        };

        services.gitea = {
@@ -69,7 +74,7 @@ in
          ln -sfn ${catppuccin-gitea} /var/lib/gitea/custom/public/assets/css
        '';

-        networking.firewall.allowedTCPPorts = [ 3002 ];
+        networking.firewall.allowedTCPPorts = [3002];
        system.stateVersion = "24.05";
      };
    })
@@ -1,41 +1,87 @@
-{ config, lib, ... }:
-let
-  inherit (import ../mk-container.nix { inherit lib config; }) mkContainer;
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (import ../mk-container.nix {inherit lib config;}) mkContainer;
  domain = config.var.domain;
  hostIp = "10.233.12.1";

  # Convert 6-char hex color to "H S L" string for glance (integers, no % sign)
-  hexToGlanceHsl = hex:
-    let
-      h = lib.toLower hex;
-      d = c:
-        if c == "a" then 10 else if c == "b" then 11 else if c == "c" then 12
-        else if c == "d" then 13 else if c == "e" then 14 else if c == "f" then 15
-        else lib.toInt c;
-      byte = pos: d (builtins.substring pos 1 h) * 16 + d (builtins.substring (pos + 1) 1 h);
-      ri = byte 0; gi = byte 2; bi = byte 4;
-      r = ri * 1.0 / 255.0;
-      g = gi * 1.0 / 255.0;
-      b = bi * 1.0 / 255.0;
-      mx = if r >= g && r >= b then "r" else if g >= b then "g" else "b";
-      mn = if r <= g && r <= b then "r" else if g <= b then "g" else "b";
-      cmax = if mx == "r" then r else if mx == "g" then g else b;
-      cmin = if mn == "r" then r else if mn == "g" then g else b;
-      delta = cmax - cmin;
-      l = (cmax + cmin) / 2.0;
-      s = if delta < 0.0001 then 0.0
-          else if l <= 0.5 then delta / (cmax + cmin)
-          else delta / (2.0 - cmax - cmin);
-      hue =
-        if delta < 0.0001 then 0.0
-        else if mx == "r" then let raw = 60.0 * (g - b) / delta; in if raw < 0.0 then raw + 360.0 else raw
-        else if mx == "g" then 60.0 * ((b - r) / delta + 2.0)
-        else 60.0 * ((r - g) / delta + 4.0);
-    in "${toString (builtins.floor (hue + 0.5))} ${toString (builtins.floor (s * 100.0 + 0.5))} ${toString (builtins.floor (l * 100.0 + 0.5))}";
+  hexToGlanceHsl = hex: let
+    h = lib.toLower hex;
+    d = c:
+      if c == "a"
+      then 10
+      else if c == "b"
+      then 11
+      else if c == "c"
+      then 12
+      else if c == "d"
+      then 13
+      else if c == "e"
+      then 14
+      else if c == "f"
+      then 15
+      else lib.toInt c;
+    byte = pos: d (builtins.substring pos 1 h) * 16 + d (builtins.substring (pos + 1) 1 h);
+    ri = byte 0;
+    gi = byte 2;
+    bi = byte 4;
+    r = ri * 1.0 / 255.0;
+    g = gi * 1.0 / 255.0;
+    b = bi * 1.0 / 255.0;
+    mx =
+      if r >= g && r >= b
+      then "r"
+      else if g >= b
+      then "g"
+      else "b";
+    mn =
+      if r <= g && r <= b
+      then "r"
+      else if g <= b
+      then "g"
+      else "b";
+    cmax =
+      if mx == "r"
+      then r
+      else if mx == "g"
+      then g
+      else b;
+    cmin =
+      if mn == "r"
+      then r
+      else if mn == "g"
+      then g
+      else b;
+    delta = cmax - cmin;
+    l = (cmax + cmin) / 2.0;
+    s =
+      if delta < 0.0001
+      then 0.0
+      else if l <= 0.5
+      then delta / (cmax + cmin)
+      else delta / (2.0 - cmax - cmin);
+    hue =
+      if delta < 0.0001
+      then 0.0
+      else if mx == "r"
+      then let
+        raw = 60.0 * (g - b) / delta;
+      in
+        if raw < 0.0
+        then raw + 360.0
+        else raw
+      else if mx == "g"
+      then 60.0 * ((b - r) / delta + 2.0)
+      else 60.0 * ((r - g) / delta + 4.0);
+  in "${toString (builtins.floor (hue + 0.5))} ${toString (builtins.floor (s * 100.0 + 0.5))} ${
+    toString (builtins.floor (l * 100.0 + 0.5))
+  }";

  c = config.stylix.base16Scheme;
-in
-{
+in {
  # 0444 so the glance user inside the container can read the bind-mounted file
  sops.secrets.adguard-pwd.mode = "0444";

@@ -49,10 +95,13 @@ in
        hostPath = config.sops.secrets.adguard-pwd.path;
        isReadOnly = true;
      };
-      nixosConfig = { lib, ... }: {
+      nixosConfig = {lib, ...}: {
        _module.args.domain = domain;
        _module.args.adguardUrl = "http://${hostIp}:3000";
-        imports = [ ./home.nix ./server.nix ];
+        imports = [
+          ./home.nix
+          ./server.nix
+        ];

        services.glance = {
          enable = true;
@@ -64,9 +113,9 @@ in
            theme = {
              light = false;
              background-color = hexToGlanceHsl c.base00; # background
-              primary-color    = hexToGlanceHsl c.base0D; # accent (iris/purple)
-              positive-color   = hexToGlanceHsl c.base0B; # positive (pine/teal)
-              negative-color   = hexToGlanceHsl c.base08; # negative (love/rose)
+              primary-color = hexToGlanceHsl c.base0D; # accent (iris/purple)
+              positive-color = hexToGlanceHsl c.base0B; # positive (pine/teal)
+              negative-color = hexToGlanceHsl c.base08; # negative (love/rose)
            };
          };
        };
@@ -77,7 +126,12 @@ in
            proxy_cache_path /var/cache/nginx/glance levels=1:2 keys_zone=glance:1m inactive=30m max_size=100m;
          '';
          virtualHosts."glance" = {
-            listen = [{ addr = "0.0.0.0"; port = 8080; }];
+            listen = [
+              {
+                addr = "0.0.0.0";
+                port = 8080;
+              }
+            ];
            locations."/" = {
              proxyPass = "http://127.0.0.1:5678";
              extraConfig = ''
@@ -90,7 +144,7 @@ in
          };
        };

-        networking.firewall.allowedTCPPorts = [ 8080 ];
+        networking.firewall.allowedTCPPorts = [8080];
        system.stateVersion = "24.05";
      };
    })
@@ -1,4 +1,4 @@
-{ domain, ... }: {
+{domain, ...}: {
  services.glance.settings.pages = [
    {
      name = "Home";
@@ -1,43 +1,50 @@
-{ config, lib, ... }:
-let
-  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
-in
 {
+  config,
+  lib,
+  ...
+}: let
+  inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
+in {
  imports = [
    (mkContainer {
      name = "mazanoke";
      hostIp = "10.233.7.1";
      containerIp = "10.233.7.2";
-      nixosConfig = { pkgs, ... }:
-        let
-          version = "1.1.5";
-          mazanoke-pkg = pkgs.stdenv.mkDerivation {
-            inherit version;
-            pname = "mazanoke";
-            src = pkgs.fetchFromGitHub {
-              owner = "civilblur";
-              repo = "mazanoke";
-              rev = "v${version}";
-              hash = "sha256-B/AF4diMNxN94BzpZP/C+K8kNj9q+4SDKWa/qd4LrVU=";
-            };
-            installPhase = ''
-              mkdir -p $out/share/mazanoke
-              cp -r ./index.html ./favicon.ico ./manifest.json ./service-worker.js ./assets $out/share/mazanoke/
-            '';
+      nixosConfig = {pkgs, ...}: let
+        version = "1.1.5";
+        mazanoke-pkg = pkgs.stdenv.mkDerivation {
+          inherit version;
+          pname = "mazanoke";
+          src = pkgs.fetchFromGitHub {
+            owner = "civilblur";
+            repo = "mazanoke";
+            rev = "v${version}";
+            hash = "sha256-B/AF4diMNxN94BzpZP/C+K8kNj9q+4SDKWa/qd4LrVU=";
          };
-        in
-        {
-          services.nginx = {
-            enable = true;
-            virtualHosts."mazanoke" = {
-              root = "${mazanoke-pkg}/share/mazanoke";
-              listen = [{ addr = "0.0.0.0"; port = 8080; }];
-              locations."/" = { index = "index.html"; };
-            };
-          };
-          networking.firewall.allowedTCPPorts = [ 8080 ];
-          system.stateVersion = "24.05";
+          installPhase = ''
+            mkdir -p $out/share/mazanoke
+            cp -r ./index.html ./favicon.ico ./manifest.json ./service-worker.js ./assets $out/share/mazanoke/
+          '';
        };
+      in {
+        services.nginx = {
+          enable = true;
+          virtualHosts."mazanoke" = {
+            root = "${mazanoke-pkg}/share/mazanoke";
+            listen = [
+              {
+                addr = "0.0.0.0";
+                port = 8080;
+              }
+            ];
+            locations."/" = {
+              index = "index.html";
+            };
+          };
+        };
+        networking.firewall.allowedTCPPorts = [8080];
+        system.stateVersion = "24.05";
+      };
    })
  ];

@@ -1,20 +1,22 @@
-{ config, lib, ... }:
-let
-  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
-in
 {
+  config,
+  lib,
+  ...
+}: let
+  inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
+in {
  imports = [
    (mkContainer {
      name = "mealie";
      hostIp = "10.233.8.1";
      containerIp = "10.233.8.2";
      internet = true;
-      nixosConfig = { ... }: {
+      nixosConfig = {...}: {
        services.mealie = {
          enable = true;
          port = 8080;
        };
-        networking.firewall.allowedTCPPorts = [ 8080 ];
+        networking.firewall.allowedTCPPorts = [8080];
        system.stateVersion = "24.05";
      };
    })
@@ -1,5 +1,7 @@
-{ lib, config }:
-
+{
+  lib,
+  config,
+}:
 # Returns a NixOS module (attrset), to be used in `imports`.
 #
 # Options:
@@ -7,62 +9,64 @@
 #   externalInterface - WAN interface for NAT, required when internet = true
 #   bindMounts        - host paths to mount into the container (see containers.<name>.bindMounts)
 #   config            - NixOS module for the container
-
 let
-  nginxHardening = { config, ... }: lib.mkIf config.services.nginx.enable {
-    services.nginx.serverTokens = false;
-  };
-in
-
-{
-  mkContainer =
-    {
-      name,
-      hostIp,
-      containerIp,
-      internet ? false,
-      externalInterface ? config.var.networkInterface,
-      bindMounts ? {},
-      nixosConfig,
-    }:
-    assert lib.assertMsg
-      (lib.stringLength "ve-${name}" <= 15)
-      "mkContainer: interface name 've-${name}' is ${toString (lib.stringLength "ve-${name}")} chars, max is 15";
-    {
-      containers.${name} = {
-        autoStart = true;
-        privateNetwork = true;
-        hostAddress = hostIp;
-        localAddress = containerIp;
-        inherit bindMounts;
-        config = { ... }: {
-          imports = [ nixosConfig nginxHardening ];
-          networking.nameservers = lib.mkIf internet [ "1.1.1.1" "1.0.0.1" ];
+  nginxHardening = {config, ...}:
+    lib.mkIf config.services.nginx.enable {
+      services.nginx.serverTokens = false;
+    };
+in {
+  mkContainer = {
+    name,
+    hostIp,
+    containerIp,
+    internet ? false,
+    externalInterface ? config.var.networkInterface,
+    bindMounts ? {},
+    nixosConfig,
+  }:
+    assert lib.assertMsg (lib.stringLength "ve-${name}" <= 15)
+    "mkContainer: interface name 've-${name}' is ${toString (lib.stringLength "ve-${name}")} chars, max is 15";
+      {
+        containers.${name} = {
+          autoStart = true;
+          privateNetwork = true;
+          hostAddress = hostIp;
+          localAddress = containerIp;
+          inherit bindMounts;
+          config = {...}: {
+            imports = [
+              nixosConfig
+              nginxHardening
+            ];
+            networking.nameservers = lib.mkIf internet [
+              "1.1.1.1"
+              "1.0.0.1"
+            ];
+          };
        };
-      };
-    }
-    // (lib.optionalAttrs internet {
-      boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault true;
-      networking.nat = {
-        enable = true;
-        externalInterface = externalInterface;
-        internalInterfaces = [ "ve-${name}" ];
-      };
-      # CONTAINER-FWD (defined by another module) blocks all forwarding by default.
-      # Insert rules in FORWARD before it: allow return traffic, block LAN, allow internet.
-      networking.firewall.extraCommands = ''
-        iptables -I FORWARD 1 -s ${containerIp} -m conntrack --ctstate NEW -j ACCEPT
-        iptables -I FORWARD 1 -s ${containerIp} -d 192.168.0.0/16 -j DROP
-        iptables -I FORWARD 1 -s ${containerIp} -d 172.16.0.0/12 -j DROP
-        iptables -I FORWARD 1 -s ${containerIp} -d 10.0.0.0/8 -j DROP
-        iptables -I FORWARD 1 -d ${containerIp} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-      '';
-      networking.firewall.extraStopCommands = ''
-        iptables -D FORWARD -s ${containerIp} -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null || true
-        iptables -D FORWARD -s ${containerIp} -d 192.168.0.0/16 -j DROP 2>/dev/null || true
-        iptables -D FORWARD -s ${containerIp} -d 172.16.0.0/12 -j DROP 2>/dev/null || true
-        iptables -D FORWARD -s ${containerIp} -d 10.0.0.0/8 -j DROP 2>/dev/null || true
-        iptables -D FORWARD -d ${containerIp} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
-      '';
-    });
+      }
+      // (lib.optionalAttrs internet {
+        boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault true;
+        networking.nat = {
+          enable = true;
+          externalInterface = externalInterface;
+          internalInterfaces = ["ve-${name}"];
+        };
+        # CONTAINER-FWD (defined by another module) blocks all forwarding by default.
+        # Insert rules in FORWARD before it: allow return traffic, block LAN, allow internet.
+        networking.firewall.extraCommands = ''
+          iptables -I FORWARD 1 -s ${containerIp} -m conntrack --ctstate NEW -j ACCEPT
+          iptables -I FORWARD 1 -s ${containerIp} -d 192.168.0.0/16 -j DROP
+          iptables -I FORWARD 1 -s ${containerIp} -d 172.16.0.0/12 -j DROP
+          iptables -I FORWARD 1 -s ${containerIp} -d 10.0.0.0/8 -j DROP
+          iptables -I FORWARD 1 -d ${containerIp} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+        '';
+        networking.firewall.extraStopCommands = ''
+          iptables -D FORWARD -s ${containerIp} -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null || true
+          iptables -D FORWARD -s ${containerIp} -d 192.168.0.0/16 -j DROP 2>/dev/null || true
+          iptables -D FORWARD -s ${containerIp} -d 172.16.0.0/12 -j DROP 2>/dev/null || true
+          iptables -D FORWARD -s ${containerIp} -d 10.0.0.0/8 -j DROP 2>/dev/null || true
+          iptables -D FORWARD -d ${containerIp} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+        '';
+      });
 }
@@ -17,8 +17,14 @@ in {
      AllowTcpForwarding = false;
      ClientAliveInterval = 300;
      ClientAliveCountMax = 2;
-      KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
-      Ciphers = ["chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com"];
+      KexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+      ];
+      Ciphers = [
+        "chacha20-poly1305@openssh.com"
+        "aes256-gcm@openssh.com"
+      ];
    };
  };

@@ -1,19 +1,21 @@
-{ config, lib, ... }:
-let
-  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
-in
 {
+  config,
+  lib,
+  ...
+}: let
+  inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
+in {
  imports = [
    (mkContainer {
      name = "stirling-pdf";
      hostIp = "10.233.9.1";
      containerIp = "10.233.9.2";
-      nixosConfig = { ... }: {
+      nixosConfig = {...}: {
        services.stirling-pdf = {
          enable = true;
          environment."SERVER_PORT" = "8080";
        };
-        networking.firewall.allowedTCPPorts = [ 8080 ];
+        networking.firewall.allowedTCPPorts = [8080];
        system.stateVersion = "24.05";
      };
    })
@@ -1,8 +1,10 @@
-{ config, lib, ... }:
-let
-  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
-in
 {
+  config,
+  lib,
+  ...
+}: let
+  inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
+in {
  sops.secrets.umami-secret.mode = "0400";

  imports = [
@@ -14,7 +16,7 @@ in
        hostPath = config.sops.secrets.umami-secret.path;
        isReadOnly = true;
      };
-      nixosConfig = { ... }: {
+      nixosConfig = {...}: {
        services.umami = {
          enable = true;
          settings = {
@@ -27,7 +29,7 @@ in
        };
        # PrivateUsers breaks systemd-creds inside nspawn containers (nested user namespaces)
        systemd.services.umami.serviceConfig.PrivateUsers = lib.mkForce false;
-        networking.firewall.allowedTCPPorts = [ 8080 ];
+        networking.firewall.allowedTCPPorts = [8080];
        system.stateVersion = "24.05";
      };
    })
@@ -16,8 +16,7 @@
      border-size = 2;
      animation-speed = "medium"; # "fast" | "medium" | "slow"
      fetch = "none"; # "nerdfetch" | "neofetch" | "pfetch" | "none"
-      textColorOnWallpaper =
-        config.lib.stylix.colors.base00; # Color of the text displayed on the wallpaper (Lockscreen, display manager, ...)
+      textColorOnWallpaper = config.lib.stylix.colors.base00; # Color of the text displayed on the wallpaper (Lockscreen, display manager, ...)
    };
    description = "Theme configuration options";
  };
@@ -16,8 +16,7 @@
      border-size = 4;
      animation-speed = "fast"; # "fast" | "medium" | "slow"
      fetch = "none"; # "nerdfetch" | "neofetch" | "pfetch" | "none"
-      textColorOnWallpaper =
-        config.lib.stylix.colors.base00; # Color of the text displayed on the wallpaper (Lockscreen, display manager, ...)
+      textColorOnWallpaper = config.lib.stylix.colors.base00; # Color of the text displayed on the wallpaper (Lockscreen, display manager, ...)
    };
    description = "Theme configuration options";
  };
@@ -16,8 +16,7 @@
      border-size = 4;
      animation-speed = "medium"; # "fast" | "medium" | "slow"
      fetch = "none"; # "nerdfetch" | "neofetch" | "pfetch" | "none"
-      textColorOnWallpaper =
-        config.lib.stylix.colors.base00; # Color of the text displayed on the wallpaper (Lockscreen, display manager, ...)
+      textColorOnWallpaper = config.lib.stylix.colors.base00; # Color of the text displayed on the wallpaper (Lockscreen, display manager, ...)
    };
    description = "Theme configuration options";
  };
Author	SHA1	Message	Date
Hadi	d71c9d8169	Nix fmt Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-04 20:40:09 +02:00
Hadi	e805c868a7	Add usbguard service Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-04 19:51:01 +02:00
Hadi	0fd0a73e92	Move monitor to host's home.nix file Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-04 19:50:35 +02:00