SwarselSystems: NixOS + Emacs Configuration

{ self, inputs, pkgs, lib, ... }:
let
  profilesPath = "${self}/profiles";
  sharedOptions = {
    isBtrfs = true;
  };
in
{

  imports = [
    # ---- nixos-hardware here ----

    ./hardware-configuration.nix
    ./disk-config.nix

    "${profilesPath}/nixos/optional/virtualbox.nix"
    # "${profilesPath}/nixos/optional/vmware.nix"
    "${profilesPath}/nixos/optional/autologin.nix"
    "${profilesPath}/nixos/optional/nswitch-rcm.nix"
    "${profilesPath}/nixos/optional/gaming.nix"

    inputs.home-manager.nixosModules.home-manager
    {
      home-manager.users.swarsel.imports = [
        "${profilesPath}/home/optional/gaming.nix"
      ];
    }
  ];

  boot = {
    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  };

  networking = {
    hostName = "TEMPLATE";
    firewall.enable = true;
  };

  swarselsystems = lib.recursiveUpdate
    {
      wallpaper = self + /wallpaper/lenovowp.png;
      hasBluetooth = true;
      hasFingerprint = true;
      isImpermanence = true;
      isSecureBoot = true;
      isCrypted = true;
      isSwap = true;
      swapSize = "32G";
      rootDisk = "TEMPLATE";
    }
    sharedOptions;

  home-manager.users.swarsel.swarselsystems = lib.recursiveUpdate
    {
      isLaptop = true;
      isNixos = true;
      flakePath = "/home/swarsel/.dotfiles";
      cpuCount = 16;
      startup = [
        { command = "nextcloud --background"; }
        { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
        { command = "element-desktop --hidden  --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
        { command = "ANKI_WAYLAND=1 anki"; }
        { command = "OBSIDIAN_USE_WAYLAND=1 obsidian"; }
        { command = "nm-applet"; }
        { command = "feishin"; }
      ];
    }
    sharedOptions;
}

{ lib, pkgs, config, rootDisk, ... }:
let
  type = "btrfs";
  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
  subvolumes = {
    "/root" = {
      mountpoint = "/";
      mountOptions = [
        "subvol=root"
        "compress=zstd"
        "noatime"
      ];
    };
    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/home";
      mountOptions = [
        "subvol=home"
        "compress=zstd"
        "noatime"
      ];
    };
    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/persist";
      mountOptions = [
        "subvol=persist"
        "compress=zstd"
        "noatime"
      ];
    };
    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/var/log";
      mountOptions = [
        "subvol=log"
        "compress=zstd"
        "noatime"
      ];
    };
    "/nix" = {
      mountpoint = "/nix";
      mountOptions = [
        "subvol=nix"
        "compress=zstd"
        "noatime"
      ];
    };
    "/swap" = lib.mkIf config.swarselsystems.isSwap {
      mountpoint = "/.swapvol";
      swap.swapfile.size = config.swarselsystems.swapSize;
    };
  };
in
{
  disko.devices = {
    disk = {
      disk0 = {
        type = "disk";
        device = config.swarselsystems.rootDisk;
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              priority = 1;
              name = "ESP";
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "defaults" ];
              };
            };
            root = lib.mkIf (!config.swarselsystems.isCrypted) {
              size = "100%";
              content = {
                inherit type subvolumes extraArgs;
                postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
                  MNTPOINT=$(mktemp -d)
                  mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
                  trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
                  btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
                '';
              };
            };
            luks = lib.mkIf config.swarselsystems.isCrypted {
              size = "100%";
              content = {
                type = "luks";
                name = "cryptroot";
                passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
                settings = {
                  allowDiscards = true;
                  # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
                  crypttabExtraOpts = [
                    "fido2-device=auto"
                    "token-timeout=10"
                  ];
                };
                content = {
                  inherit type subvolumes extraArgs;
                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
                    MNTPOINT=$(mktemp -d)
                    mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
                  '';
                };
              };
            };
          };
        };
      };
    };
  };

  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;

  environment.systemPackages = [
    pkgs.yubikey-manager
  ];
}

{ lib, ... }:
{

  # Auto upgrade nix package and the daemon service.
  services.nix-daemon.enable = true;
  services.karabiner-elements.enable = true;

  home-manager.users."leon.schwarzaeugl".home = {
    username = lib.mkForce "leon.schwarzaeugl";
    swarselsystems = {
      isDarwin = true;
      isLaptop = true;
      isNixos = false;
      isBtrfs = false;
    };
  };
}

{ pkgs, ... }: {
  environment = {
    packages = with pkgs; [
      vim
      git
      openssh
      # toybox
      dig
      man
      gnupg
      curl
      deadnix
      statix
      nixpgks-fmt
      nvd
    ];

    etcBackupExtension = ".bak";
    extraOutputsToInstall = [
      "doc"
      "info"
      "devdoc"
    ];
    motd = null;
  };

  android-integration = {
    termux-open.enable = true;
    xdg-open.enable = true;
    termux-open-url.enable = true;
    termux-reload-settings.enable = true;
    termux-setup-storage.enable = true;
  };

  # Backup etc files instead of failing to activate generation if a file already exists in /etc

  # Read the changelog before changing this value
  system.stateVersion = "23.05";

  # Set up nix for flakes
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
}

{ self, inputs, lib, ... }:
let
  profilesPath = "${self}/profiles";
in
{
  imports = [

    "${profilesPath}/nixos/server"
    ./hardware-configuration.nix

    inputs.home-manager.nixosModules.home-manager
    {
      home-manager.users.swarsel.imports = [
        "${profilesPath}/home/server"
      ];
    }
  ];

  sops = {
    defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml";
  };

  services.nginx = {
    virtualHosts = {
      "sync.swarsel.win" = {
        enableACME = true;
        forceSSL = true;
        acmeRoot = null;
        locations = {
          "/" = {
            proxyPass = "http://localhost:8384/";
            extraConfig = ''
              client_max_body_size 0;
            '';
          };
        };
      };
    };
  };

  boot = {
    tmp.cleanOnBoot = true;
    loader.grub.device = "nodev";
  };
  zramSwap.enable = false;

  networking = {
    nftables.enable = lib.mkForce false;
    firewall.allowedTCPPorts = [ 8384 22000 ];
    firewall.allowedUDPPorts = [ 21027 22000 ];
    hostName = "sync";
    enableIPv6 = false;
    domain = "subnet03112148.vcn03112148.oraclevcn.com";
    firewall.extraCommands = ''
      iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
    '';
  };

  # system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change

  # do not manage OCI syncthing through nix config
  services.syncthing = {
    enable = true;
    guiAddress = "0.0.0.0:8384";
    openDefaultPorts = true;
  };


  swarselsystems = {
    hasBluetooth = false;
    hasFingerprint = false;
    isImpermanence = false;
    isLinux = true;
    isBtrfs = false;
    flakePath = "/root/.dotfiles";
    server = {
      enable = true;
      forgejo = true;
      ankisync = true;
    };
  };

}

~SwarselSystems~
                         IP of primary interface: \4
                                                             The Password for all users & root is 'setup'.
                                                             Install the system remotely by running 'bootstrap -n <CONFIGURATION_NAME> -d <IP_FROM_ABOVE> ' on a machine with deployed secrets.
                                                             Alternatively, run 'swarsel-install -n <CONFIGURATION_NAME>' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access).

swarsel-install -n chaostheatre

{ self, pkgs, inputs, outputs, config, lib, modulesPath, ... }:
let
  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
in
{

  imports = [
    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
    "${modulesPath}/installer/cd-dvd/channel.nix"

    "${self}/profiles/iso/minimal.nix"

    inputs.home-manager.nixosModules.home-manager
    {
      home-manager.users.swarsel.imports = [
        "${self}/profiles/home/common/settings.nix"
      ] ++ (builtins.attrValues outputs.homeModules);
    }
  ];

  home-manager.users.swarsel.home = {
    file = {
      ".bash_history" = {
        source = self + /programs/bash/.bash_history;
      };
    };
  };
  home-manager.users.root.home = {
    stateVersion = "23.05";
    file = {
      ".bash_history" = {
        source = self + /programs/bash/.bash_history;
      };
    };
  };

  # environment.etc."issue".text = "\x1B[32m~SwarselSystems~\x1B[0m\nIP of primary interface: \x1B[31m\\4\x1B[0m\nThe Password for all users & root is '\x1B[31msetup\x1B[0m'.\nInstall the system remotely by running '\x1B[33mbootstrap -n <HOSTNAME> -d <IP_FROM_ABOVE> [--impermanence] [--encryption]\x1B[0m' on a machine with deployed secrets.\nAlternatively, run '\x1B[33mswarsel-install -d <DISK> -f <flake>\x1B[0m' for a local install.\n";
  environment.etc."issue".source = "${self}/programs/etc/issue";
  networking.dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";

  isoImage = {
    makeEfiBootable = true;
    makeUsbBootable = true;
    squashfsCompression = "zstd -Xcompression-level 3";
  };

  nixpkgs = {
    hostPlatform = lib.mkDefault "x86_64-linux";
    config.allowUnfree = true;
  };

  services.getty.autologinUser = lib.mkForce "swarsel";

  users = {
    allowNoPasswordLogin = true;
    groups.swarsel = { };
    users = {
      swarsel = {
        name = "swarsel";
        group = "swarsel";
        isNormalUser = true;
        password = "setup"; # this is overwritten after install
        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
        extraGroups = [ "wheel" ];
      };
      root = {
        # password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
        openssh.authorizedKeys.keys = config.users.users.swarsel.openssh.authorizedKeys.keys;
      };
    };
  };

  boot = {
    loader.systemd-boot.enable = lib.mkForce true;
    loader.efi.canTouchEfiVariables = true;
  };

  programs.bash.shellAliases = {
    "swarsel-install" = "nix run github:Swarsel/.dotfiles#swarsel-install --";
  };

  system.activationScripts.cache = {
    text = ''
      mkdir -p -m=0777 /home/swarsel/.local/state/nix/profiles
      mkdir -p -m=0777 /home/swarsel/.local/state/home-manager/gcroots
      mkdir -p -m=0777 /home/swarsel/.local/share/nix/
      printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/swarsel/.local/share/nix/trusted-settings.json > /dev/null
      mkdir -p /root/.local/share/nix/
      printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
    '';
  };
  systemd = {
    services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
    targets = {
      sleep.enable = false;
      suspend.enable = false;
      hibernate.enable = false;
      hybrid-sleep.enable = false;
    };
  };

  system.stateVersion = lib.mkForce "23.05";

  networking = {
    hostName = "drugstore";
    wireless.enable = false;
  };

}

{ self, outputs, config, ... }:
{

  imports = [
    inputs.stylix.homeManagerModules.stylix
    inputs.sops-nix.homeManagerModules.sops
    inputs.nix-index-database.hmModules.nix-index
    ./profiles/home/common
  ] ++ (builtins.attrValues outputs.homeModules);

  nixpkgs = {
    overlays = [ outputs.overlays.default ];
    config = {
      allowUnfree = true;
    };
  };

  services.xcape = {
    enable = true;
    mapExpression = {
      Control_L = "Escape";
    };
  };

  programs.zsh.initExtra = "
  export GPG_TTY=\"$(tty)\"
  export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  gpgconf --launch gpg-agent
        ";

  swarselsystems = {
    isLaptop = true;
    isNixos = false;
    wallpaper = self + /wallpaper/surfacewp.png;
  };

}

{ self, pkgs, lib, ... }:
let
  profilesPath = "${self}/profiles";
in
{

  imports = [
    ./hardware-configuration.nix
    "${profilesPath}/nixos/optional/autologin.nix"
  ];

  environment.variables = {
    WLR_RENDERER_ALLOW_SOFTWARE = 1;
  };

  services.qemuGuest.enable = true;

  boot = {
    loader.systemd-boot.enable = lib.mkForce true;
    loader.efi.canTouchEfiVariables = true;
    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  };

  networking = {
    hostName = "chaostheatre";
    firewall.enable = true;
  };


  swarselsystems = {
    wallpaper = self + /wallpaper/lenovowp.png;
    initialSetup = true;
    isPublic = true;
    isLinux = true;
  };

  home-manager.users.swarsel.swarselsystems = {
    isNixos = true;
    isPublic = true;
    flakePath = "/home/swarsel/.dotfiles";
  };
}

# Adapted from https://code.kulupu.party/thesuess/home-manager/src/branch/main/modules/river.nix
shopt -s nullglob globstar

otp=0
typeit=0
while :; do
    case ${1:-} in
    -t | --type)
        typeit=1
        ;;
    -o | --otp)
        otp=1
        ;;
    *) break ;;
    esac
    shift
done

export PASSWORD_STORE_DIR=~/.local/share/password-store
prefix=${PASSWORD_STORE_DIR-~/.local/share/password-store}
if [[ $otp -eq 0 ]]; then
    password_files=("$prefix"/**/*.gpg)
else
    password_files=("$prefix"/otp/**/*.gpg)
fi
password_files=("${password_files[@]#"$prefix"/}")
password_files=("${password_files[@]%.gpg}")

password=$(printf '%s\n' "${password_files[@]}" | fuzzel --dmenu "$@")

[[ -n $password ]] || exit
if [[ $otp -eq 0 ]]; then
    if [[ $typeit -eq 0 ]]; then
        pass show -c "$password" &> /tmp/pass-fuzzel
    else
        pass show "$password" | {
            IFS= read -r pass
            printf %s "$pass"
        } | wtype -
    fi
else
    if [[ $typeit -eq 0 ]]; then
        pass otp -c "$password" &> /tmp/pass-fuzzel
    else
        pass otp "$password" | {
            IFS= read -r pass
            printf %s "$pass"
        } | wtype -
    fi
fi
notify-send -u critical -a pass -t 1000 "Copied/Typed Password"

{ self, name, writeShellApplication, libnotify, pass, fuzzel, wtype }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ libnotify (pass.withExtensions (exts: [ exts.pass-otp ])) fuzzel wtype ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

# taken from https://github.com/NixOS/nixpkgs/issues/186570#issuecomment-1627797219
{ appimageTools, fetchurl, writeScriptBin, pkgs, ... }:


let
  cura5 = appimageTools.wrapType2 rec {
    pname = "cura5";
    version = "5.9.0";
    src = fetchurl {
      url = "https://github.com/Ultimaker/Cura/releases/download/${version}/UltiMaker-Cura-${version}-linux-X64.AppImage";
      hash = "sha256-STtVeM4Zs+PVSRO3cI0LxnjRDhOxSlttZF+2RIXnAp4=";
    };
    extraPkgs = pkgs: with pkgs; [ ];
  };
in
writeScriptBin "cura" ''
  #! ${pkgs.bash}/bin/bash
  # AppImage version of Cura loses current working directory and treats all paths relative to $HOME.
  # So we convert each of the files passed as argument to an absolute path.
  # This fixes use cases like `cd /path/to/my/files; cura mymodel.stl anothermodel.stl`.
  args=()
  for a in "$@"; do
      if [ -e "$a" ]; then
         a="$(realpath "$a")"
      fi
      args+=("$a")
  done
  exec "${cura5}/bin/cura5" "''${args[@]}"
''

{ name, writeShellApplication, fzf, findutils, home-manager, ... }:

writeShellApplication {
  inherit name;
  runtimeInputs = [ fzf findutils home-manager ];
  text = ''
    genpath=$(home-manager generations | head -1 | awk '{print $7}')
    dirs=$(find "$genpath/specialisation" -type l 2>/dev/null; [ -d "$genpath" ] && echo "$genpath")
    "$(echo "$dirs" | fzf --prompt="Choose home-manager specialisation to activate")"/activate
  '';
}

{ name, writeShellApplication, fzf, ... }:

writeShellApplication {
  inherit name;
  runtimeInputs = [ fzf ];
  text = ''
    cd "$(git worktree list | fzf | awk '{print $1}')"
  '';
}

{ name, writeShellApplication, fzf, ... }:

writeShellApplication {
  inherit name;
  runtimeInputs = [ fzf ];
  text = ''
    git checkout "$(git branch --list | grep -v "^\*" | fzf | awk '{print $1}')"
  '';
}

{ name, writeShellApplication, ... }:

writeShellApplication {
  inherit name;
  text = ''
    cp -r "$1"{,.bak}
  '';
}

{ name, writeShellApplication, speechd, ... }:

writeShellApplication {
  inherit name;
  runtimeInputs = [ speechd ];
  text = ''
    sleep "$1"; while true; do spd-say "$2"; sleep 0.5; done;
  '';
}

wait=0
while :; do
    case ${1:-} in
    -w | --wait)
        wait=1
        ;;
    *) break ;;
    esac
    shift
done

STR=$(swaymsg -t get_tree | jq -r 'recurse(.nodes[]) | select(.name == "__i3_scratch")' | grep kittyterm || true)
if [ "$STR" == "" ]; then
    swaymsg '[title="kittyterm"]' scratchpad show
    emacsclient -c -a "" "$@"
    swaymsg '[title="kittyterm"]' scratchpad show
else
    if [[ $wait -eq 0 ]]; then
        emacsclient -n -c -a "" "$@"
    else
        emacsclient -c -a "" "$@"
    fi
fi

{ self, name, writeShellApplication, emacs30-pgtk, sway, jq }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ emacs30-pgtk sway jq ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

# Adapted from https://github.com/bennofs/nix-index/blob/master/command-not-found.sh
command_not_found_handle() {
    if [ -n "${MC_SID-}" ] || ! [ -t 1 ]; then
        >&2 echo "$1: command not found"
        return 127
    fi

    echo -n "searching nix-index..."
    ATTRS=$(@nix-locate@ --minimal --no-group --type x --type s --top-level --whole-name --at-root "/bin/$1")

    case $(echo -n "$ATTRS" | grep -c "^") in
    0)
        >&2 echo -ne "$(@tput@ el1)\r"
        >&2 echo "$1: command not found"
        ;;
    *)
        >&2 echo -ne "$(@tput@ el1)\r"
        >&2 echo "The program ‘$(@tput@ setaf 4)$1$(@tput@ sgr0)’ is currently not installed."
        >&2 echo "It is provided by the following derivation(s):"
        while read -r ATTR; do
            ATTR=${ATTR%.out}
            >&2 echo "  $(@tput@ setaf 12)nixpkgs#$(@tput@ setaf 4)$ATTR$(@tput@ sgr0)"
        done <<< "$ATTRS"
        ;;
    esac

    return 127
}

command_not_found_handler() {
    command_not_found_handle "$@"
    return $?
}

kitty=0
element=0
vesktop=0
spotifyplayer=0
while :; do
    case ${1:-} in
    -k | --kitty)
        kitty=1
        ;;
    -e | --element)
        element=1
        ;;
    -d | --vesktop)
        vesktop=1
        ;;
    -s | --spotifyplayer)
        spotifyplayer=1
        ;;
    *) break ;;
    esac
    shift
done

if [[ $kitty -eq 1 ]]; then
    STR=$(swaymsg -t get_tree | jq -r 'recurse(.nodes[]) | select(.name == "__i3_scratch")' | grep kittyterm || true)
    CHECK=$(swaymsg -t get_tree | grep kittyterm || true)
    if [ "$CHECK" == "" ]; then
        exec kitty -T kittyterm -o confirm_os_window_close=0 zellij attach --create kittyterm &
        sleep 1
    fi
    if [ "$STR" == "" ]; then
        exec swaymsg '[title="kittyterm"]' scratchpad show
    else
        exec swaymsg '[title="kittyterm"]' scratchpad show
    fi
elif [[ $element -eq 1 ]]; then
    STR=$(swaymsg -t get_tree | grep Element || true)
    if [ "$STR" == "" ]; then
        exec element-desktop
    else
        exec swaymsg '[app_id=Element]' kill
    fi
elif [[ $vesktop -eq 1 ]]; then
    STR=$(swaymsg -t get_tree | grep vesktop || true)
    if [ "$STR" == "" ]; then
        exec vesktop
    else
        exec swaymsg '[app_id=vesktop]' kill
    fi
elif [[ $spotifyplayer -eq 1 ]]; then
    STR=$(swaymsg -t get_tree | jq -r 'recurse(.nodes[]) | select(.name == "__i3_scratch")' | grep spotifytui || true)
    CHECK=$(swaymsg -t get_tree | grep spotifytui || true)
    if [ "$CHECK" == "" ]; then
        exec kitty -T spotifytui -o confirm_os_window_close=0 spotify_player &
        sleep 1
    fi
    if [ "$STR" == "" ]; then
        exec swaymsg '[title="spotifytui"]' scratchpad show
    else
        exec swaymsg '[title="spotifytui"]' scratchpad show
    fi
fi

{ self, name, writeShellApplication, kitty, element-desktop, vesktop, spotify-player, jq }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ kitty element-desktop vesktop spotify-player jq ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

KITTIES=$(($(pgrep -P 1 kitty | wc -l) - 1))

if [[ $KITTIES -lt 1 ]]; then
    exec kitty -o confirm_os_window_close=0 zellij attach --create main
else
    exec kitty -o confirm_os_window_close=0 zellij attach --create "temp $KITTIES"
fi

{ self, name, writeShellApplication, kitty }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ kitty ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

CFG=$(git --git-dir="$HOME"/.dotfiles/.git --work-tree="$HOME"/.dotfiles/ status -s | wc -l)
CSE=$(git --git-dir="$DOCUMENT_DIR_PRIV"/CSE_TUWIEN/.git --work-tree="$DOCUMENT_DIR_PRIV"/CSE_TUWIEN/ status -s | wc -l)
PASS=$(($(git --git-dir="$HOME"/.local/share/password-store/.git --work-tree="$HOME"/.local/share/password-store/ status -s | wc -l) + $(git --git-dir="$HOME"/.local/share/password-store/.git --work-tree="$HOME"/.local/share/password-store/ diff origin/main..HEAD | wc -l)))

if [[ $CFG != 0 ]]; then
    CFG_STR='CONFIG'
else
    CFG_STR=''
fi

if [[ $CSE != 0 ]]; then
    CSE_STR=' CSE'
else
    CSE_STR=''
fi

if [[ $PASS != 0 ]]; then
    PASS_STR=' PASS'
else
    PASS_STR=''
fi

OUT="$CFG_STR""$CSE_STR""$PASS_STR"
echo "$OUT"

{ self, name, writeShellApplication, git }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ git ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

if swaymsg opacity plus 0.01 -q; then
    swaymsg opacity 1
else
    swaymsg opacity 0.95
fi

{ self, name, writeShellApplication, sway }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ sway ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

set -euo pipefail

OLD_TRANSID=$(sudo btrfs subvolume find-new /mnt/root-blank 9999999)
OLD_TRANSID=${OLD_TRANSID#transid marker was }

sudo btrfs subvolume find-new "/mnt/root" "$OLD_TRANSID" |
    sed '$d' |
    cut -f17- -d' ' |
    sort |
    uniq |
    while read -r path; do
        path="/$path"
        if [ -L "$path" ]; then
            : # The path is a symbolic link, so is probably handled by NixOS already
        elif [ -d "$path" ]; then
            : # The path is a directory, ignore
        else
            echo "$path"
        fi
    done

{ self, name, writeShellApplication }:
writeShellApplication {
  inherit name;
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

updates="$({ cd /home/swarsel/.dotfiles && nix flake lock --update-input nixpkgs && nix build .#nixosConfigurations."$(eval hostname)".config.system.build.toplevel && nvd diff /run/current-system ./result | grep -c '\[U'; } || true)"

alt="has-updates"
if [[ $updates -eq 0 ]]; then
    alt="updated"
fi

tooltip="System updated"
if [[ $updates != 0 ]]; then
    tooltip=$(cd ~/.dotfiles && nvd diff /run/current-system ./result | grep -e '\[U' | awk '{ for (i=3; i<NF; i++) printf $i " "; if (NF >= 3) print $NF; }' ORS='\\n')
    echo "{ \"text\":\"$updates\", \"alt\":\"$alt\", \"tooltip\":\"$tooltip\" }"
else
    echo "{ \"text\":\"\", \"alt\":\"$alt\", \"tooltip\":\"\" }"
fi

{ self, name, writeShellApplication, nvd }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ nvd ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

{ name, writeShellApplication, jq, ... }:

writeShellApplication {
  inherit name;
  runtimeInputs = [ jq ];
  text = ''
    count=$(curl -u Swarsel:"$(cat /run/user/1000/secrets/github_notif)" https://api.github.com/notifications | jq '. | length')

    if [[ "$count" != "0" ]]; then
        echo "{\"text\":\"$count\"}"
    fi
  '';
}

SHARESCREEN="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$(hostname)".config.home-manager.users."$(whoami)".swarselsystems.sharescreen)"

touch /tmp/screenshare.state
STATE=$(< /tmp/screenshare.state)

if [[ $STATE != "1" ]]; then
    wl-mirror "$SHARESCREEN" &
    sleep 0.1
    swaymsg output "$SHARESCREEN" mode "$SWARSEL_LO_RES"
    echo 1 > /tmp/screenshare.state
    swaymsg '[app_id=at.yrlf.wl_mirror] move to workspace 12:S'
    swaymsg '[app_id=at.yrlf.wl_mirror] fullscreen'
else
    swaymsg output "$SHARESCREEN" mode "$SWARSEL_HI_RES"
    echo 0 > /tmp/screenshare.state
    swaymsg '[app_id=at.yrlf.wl_mirror] kill'
fi

{ self, name, writeShellApplication, sway }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ sway ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

# highly inspired by https://github.com/EmergentMind/nix-config/blob/dev/scripts/bootstrap-nixos.sh
set -eo pipefail

target_hostname=""
target_destination=""
target_user="swarsel"
ssh_port="22"
persist_dir=""
disk_encryption=0
temp=$(mktemp -d)

function help_and_exit() {
    echo
    echo "Remotely installs SwarselSystem on a target machine including secret deployment."
    echo
    echo "USAGE: $0 -n <target_hostname> -d <target_destination> [OPTIONS]"
    echo
    echo "ARGS:"
    echo "  -n <target_hostname>                    specify target_hostname of the target host to deploy the nixos config on."
    echo "  -d <target_destination>                 specify ip or url to the target host."
    echo "                                          target during install process."
    echo
    echo "OPTIONS:"
    echo "  -u <target_user>                        specify target_user with sudo access. nix-config will be cloned to their home."
    echo "                                          Default='${target_user}'."
    echo "  --port <ssh_port>                       specify the ssh port to use for remote access. Default=${ssh_port}."
    echo "  --debug                                 Enable debug mode."
    echo "  -h | --help                             Print this help."
    exit 0
}

function cleanup() {
    rm -rf "$temp"
}
trap cleanup exit

function red() {
    echo -e "\x1B[31m[!] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[31m[!] $($2) \x1B[0m"
    fi
}
function green() {
    echo -e "\x1B[32m[+] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[32m[+] $($2) \x1B[0m"
    fi
}
function yellow() {
    echo -e "\x1B[33m[*] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[33m[*] $($2) \x1B[0m"
    fi
}

function yes_or_no() {
    echo -en "\x1B[32m[+] $* [y/n] (default: y): \x1B[0m"
    while true; do
        read -rp "" yn
        yn=${yn:-y}
        case $yn in
        [Yy]*) return 0 ;;
        [Nn]*) return 1 ;;
        esac
    done
}

function update_sops_file() {
    key_name=$1
    key_type=$2
    key=$3

    if [ ! "$key_type" == "hosts" ] && [ ! "$key_type" == "users" ]; then
        red "Invalid key type passed to update_sops_file. Must be either 'hosts' or 'users'."
        exit 1
    fi
    cd "${git_root}"

    SOPS_FILE=".sops.yaml"
    sed -i "{
                                                # Remove any * and & entries for this host
                                                /[*&]$key_name/ d;
                                                # Inject a new age: entry
                                                # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
                                                /age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
                                                # Inject a new hosts or user: entry
                                                /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
                                                }" $SOPS_FILE
    green "Updating .sops.yaml"
    cd -
}

while [[ $# -gt 0 ]]; do
    case "$1" in
    -n)
        shift
        target_hostname=$1
        ;;
    -d)
        shift
        target_destination=$1
        ;;
    -u)
        shift
        target_user=$1
        ;;
    --port)
        shift
        ssh_port=$1
        ;;
    --debug)
        set -x
        ;;
    -h | --help) help_and_exit ;;
    *)
        echo "Invalid option detected."
        help_and_exit
        ;;
    esac
    shift
done

green "~SwarselSystems~ remote installer"
green "Reading system information for $target_hostname ..."

DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
green "Root Disk: $DISK"

CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
if [[ $CRYPTED == "true" ]]; then
    green "Encryption: ✓"
    disk_encryption=1
else
    red "Encryption: X"
    disk_encryption=0
fi

IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)"
if [[ $IMPERMANENCE == "true" ]]; then
    green "Impermanence: ✓"
    persist_dir="/persist"
else
    red "Impermanence: X"
    persist_dir=""
fi

SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)"
if [[ $SWAP == "true" ]]; then
    green "Swap: ✓"
else
    red "Swap: X"
fi

SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
if [[ $SECUREBOOT == "true" ]]; then
    green "Secure Boot: ✓"
else
    red "Secure Boot: X"
fi

ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination"
# ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value
ssh_root_cmd=${ssh_cmd/${target_user}@/root@}
scp_cmd="scp -oport=${ssh_port} -o StrictHostKeyChecking=no"

if [[ -z ${FLAKE} ]]; then
    FLAKE=/home/"$target_user"/.dotfiles
fi
if [ ! -d "$FLAKE" ]; then
    cd /home/"$target_user"
    yellow "Flake directory not found - cloning repository from GitHub"
    git clone git@github.com:Swarsel/.dotfiles.git || (yellow "Could not clone repository via SSH - defaulting to HTTPS" && git clone https://github.com/Swarsel/.dotfiles.git)
    FLAKE=/home/"$target_user"/.dotfiles
fi

cd "$FLAKE"
git_root=$(git rev-parse --show-toplevel)
# ------------------------
green "Wiping known_hosts of $target_destination"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
# ------------------------
green "Preparing a new ssh_host_ed25519_key pair for $target_hostname."
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/$persist_dir/etc/ssh"
# Generate host ssh key pair without a passphrase
ssh-keygen -t ed25519 -f "$temp/$persist_dir/etc/ssh/ssh_host_ed25519_key" -C root@"$target_hostname" -N ""
# Set the correct permissions so sshd will accept the key
chmod 600 "$temp/$persist_dir/etc/ssh/ssh_host_ed25519_key"
echo "Adding ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
# This will fail if we already know the host, but that's fine
ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
# ------------------------
# when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later
# via the config
if [ "$disk_encryption" -eq 1 ]; then
    while true; do
        green "Set disk encryption passphrase:"
        read -rs luks_passphrase
        green "Please confirm passphrase:"
        read -rs luks_passphrase_confirm
        if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
            $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
            break
        else
            red "Passwords do not match"
        fi
    done
fi
# ------------------------
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"

green "Injecting initialSetup"
$ssh_root_cmd "sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"

mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
# ------------------------

green "Deploying minimal NixOS installation on $target_destination"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination"

echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
# ------------------------

while true; do
    read -rp "Press Enter to continue once the remote host has finished booting."
    if nc -z "$target_destination" "${ssh_port}" 2> /dev/null; then
        green "$target_destination is booted. Continuing..."
        break
    else
        yellow "$target_destination is not yet ready."
    fi
done

# ------------------------

if [[ $SECUREBOOT == "true" ]]; then
    green "Setting up secure boot keys"
    $ssh_root_cmd "mkdir -p /var/lib/sbctl"
    read -ra scp_call <<< "${scp_cmd}"
    sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
    $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
fi
# ------------------------
green "Disabling initialSetup"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix

if [ -n "$persist_dir" ]; then
    $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
    $ssh_root_cmd "cp -R /etc/ssh/ $persist_dir/etc/ssh/ || true"
fi
# ------------------------
green "Generating an age key based on the new ssh_host_ed25519_key."
target_key=$(
    ssh-keyscan -p "$ssh_port" -t ssh-ed25519 "$target_destination" 2>&1 |
        grep ssh-ed25519 |
        cut -f2- -d" " ||
        (
            red "Failed to get ssh key. Host down?"
            exit 1
        )
)
host_age_key=$(nix shell nixpkgs#ssh-to-age.out -c sh -c "echo $target_key | ssh-to-age")

if grep -qv '^age1' <<< "$host_age_key"; then
    red "The result from generated age key does not match the expected format."
    yellow "Result: $host_age_key"
    yellow "Expected format: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    exit 1
else
    echo "$host_age_key"
fi

green "Updating nix-secrets/.sops.yaml"
update_sops_file "$target_hostname" "hosts" "$host_age_key"
yellow ".sops.yaml has been updated. There may be superfluous entries, you might need to edit manually."
if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
    vim "${git_root}"/.sops.yaml
fi
green "Updating all secrets files to reflect updates .sops.yaml"
sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
# --------------------------
green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
$scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key
$ssh_root_cmd "chown $target_user:users /home/swarsel/.ssh/ssh_host_ed25519_key"
# __________________________

if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
    green "Adding ssh host fingerprints for git{lab,hub}"
    $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /home/$target_user/.ssh/known_hosts"
    $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /root/.ssh/known_hosts"
fi
# --------------------------

if yes_or_no "Do you want to copy your full nix-config and nix-secrets to $target_hostname?"; then
    green "Adding ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
    ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
    green "Copying full nix-config to $target_hostname"
    cd "${git_root}"
    just sync "$target_user" "$target_destination"

    if [ -n "$persist_dir" ]; then
        $ssh_root_cmd "cp -r /home/$target_user/.dotfiles $persist_dir/.dotfiles || true"
        $ssh_root_cmd "cp -r /home/$target_user/.ssh $persist_dir/.ssh || true"
    fi

    if yes_or_no "Do you want to rebuild immediately?"; then
        green "Rebuilding nix-config on $target_hostname"
        yellow "Reminder: The password is 'setup'"
        $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' > /root/.local/share/nix/trusted-settings.json"
        $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
    fi
else
    echo
    green "NixOS was successfully installed!"
    echo "Post-install config build instructions:"
    echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
    echo "just sync $target_user $target_destination"
    echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
    echo "cd nix-config"
    # see above FIXME:(bootstrap)
    echo "sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
    # echo "just rebuild"
    echo
fi

if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
    cd "${git_root}"
    deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe
    nixpkgs-fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix
    (pre-commit run --all-files 2> /dev/null || true) &&
        git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" &&
        git add "$git_root/.sops.yaml" &&
        git add "$git_root/secrets" &&
        (git commit -m "feat: deployed $target_hostname" || true) && git push
fi

{ self, name, writeShellApplication, openssh }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ openssh ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

set -eo pipefail

target_config="chaostheatre"
target_user="swarsel"

function help_and_exit() {
    echo
    echo "Builds SwarselSystem configuration."
    echo
    echo "USAGE: $0 [OPTIONS]"
    echo
    echo "ARGS:"
    echo "  -n <target_config>                       specify nixos config to build."
    echo "                                          Default: chaostheatre"
    echo "  -u <target_user>                        specify user to deploy for."
    echo "                                          Default: swarsel"
    echo "  -h | --help                             Print this help."
    exit 0
}

function red() {
    echo -e "\x1B[31m[!] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[31m[!] $($2) \x1B[0m"
    fi
}
function green() {
    echo -e "\x1B[32m[+] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[32m[+] $($2) \x1B[0m"
    fi
}
function yellow() {
    echo -e "\x1B[33m[*] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[33m[*] $($2) \x1B[0m"
    fi
}

while [[ $# -gt 0 ]]; do
    case "$1" in
    -n)
        shift
        target_config=$1
        ;;
    -u)
        shift
        target_user=$1
        ;;
    -h | --help) help_and_exit ;;
    *)
        echo "Invalid option detected."
        help_and_exit
        ;;
    esac
    shift
done

cd /home/"$target_user"

if [ ! -d /home/"$target_user"/.dotfiles ]; then
    green "Cloning repository from GitHub"
    git clone https://github.com/Swarsel/.dotfiles.git
else
    red "A .dotfiles repository is in the way. Please (re-)move the repository and try again."
    exit 1
fi

local_keys=$(ssh-add -L || true)
pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/nbl-imba-2.pub)
read -ra pub_arr <<< "$pub_key"

cd .dotfiles
if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
    yellow "The ssh key for this configuration is not available."
    green "Adjusting flake.nix so that the configuration is buildable"
    sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
    git add flake.nix
else
    green "Valid SSH key found! Continuing with installation"
fi
sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/
git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix

green "Installing flake $target_config"
sudo nixos-rebuild --show-trace --flake .#"$target_config" boot
yellow "Please keep in mind that this is only a demo of the configuration. Things might break unexpectedly."

{ self, name, writeShellApplication, git }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ git ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

set -eo pipefail

target_config="chaostheatre"
target_hostname="chaostheatre"
target_user="swarsel"
persist_dir=""
disk_encryption=0

function help_and_exit() {
    echo
    echo "Locally installs SwarselSystem on this machine."
    echo
    echo "USAGE: $0 -n <target_config> [OPTIONS]"
    echo
    echo "ARGS:"
    echo "  -n <target_config>                      specify the nixos config to deploy."
    echo "                                          Default: chaostheatre"
    echo "                                          Default: chaostheatre"
    echo "  -u <target_user>                        specify user to deploy for."
    echo "                                          Default: swarsel"
    echo "  -h | --help                             Print this help."
    exit 0
}

function red() {
    echo -e "\x1B[31m[!] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[31m[!] $($2) \x1B[0m"
    fi
}
function green() {
    echo -e "\x1B[32m[+] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[32m[+] $($2) \x1B[0m"
    fi
}
function yellow() {
    echo -e "\x1B[33m[*] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[33m[*] $($2) \x1B[0m"
    fi
}

while [[ $# -gt 0 ]]; do
    case "$1" in
    -n)
        shift
        target_config=$1
        target_hostname=$1
        ;;
    -u)
        shift
        target_user=$1
        ;;
    -h | --help) help_and_exit ;;
    *)
        echo "Invalid option detected."
        help_and_exit
        ;;
    esac
    shift
done

function cleanup() {
    sudo rm -rf .cache/nix
    sudo rm -rf /root/.cache/nix
}
trap cleanup exit

green "~SwarselSystems~ remote installer"

cd /home/"$target_user"

sudo rm -rf /root/.cache/nix
sudo rm -rf .cache/nix
sudo rm -rf .dotfiles

green "Cloning repository from GitHub"
git clone https://github.com/Swarsel/.dotfiles.git

green "Reading system information for $target_config ..."
DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
green "Root Disk: $DISK"

CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
if [[ $CRYPTED == "true" ]]; then
    green "Encryption: ✓"
    disk_encryption=1
else
    red "Encryption: X"
    disk_encryption=0
fi

IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)"
if [[ $IMPERMANENCE == "true" ]]; then
    green "Impermanence: ✓"
    persist_dir="/persist"
else
    red "Impermanence: X"
    persist_dir=""
fi

SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)"
if [[ $SWAP == "true" ]]; then
    green "Swap: ✓"
else
    red "Swap: X"
fi

SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
if [[ $SECUREBOOT == "true" ]]; then
    green "Secure Boot: ✓"
else
    red "Secure Boot: X"
fi

local_keys=$(ssh-add -L || true)
pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/nbl-imba-2.pub)
read -ra pub_arr <<< "$pub_key"

cd .dotfiles
if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
    yellow "The ssh key for this configuration is not available."
    green "Adjusting flake.nix so that the configuration is buildable"
    sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
    git add flake.nix
else
    green "Valid SSH key found! Continuing with installation"
fi

if [ "$disk_encryption" -eq 1 ]; then
    while true; do
        green "Set disk encryption passphrase:"
        read -rs luks_passphrase
        green "Please confirm passphrase:"
        read -rs luks_passphrase_confirm
        if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
            echo "$luks_passphrase" > /tmp/disko-password
            break
        else
            red "Passwords do not match"
        fi
    done
fi

green "Setting up disk"
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks
sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/
sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/
sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user"

green "Generating hardware configuration"
sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/

green "Injecting initialSetup"
sudo sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix

git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
sudo mkdir -p /root/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null
green "Installing flake $target_config"
sudo nixos-install --flake .#"$target_config"
green "Installation finished! Reboot to see changes"

{ self, name, writeShellApplication, git }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ git ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

set -eo pipefail

target_config="chaostheatre"
target_user="swarsel"

function help_and_exit() {
    echo
    echo "Locally installs SwarselSystem on this machine."
    echo
    echo "USAGE: $0 -d <disk> [OPTIONS]"
    echo
    echo "ARGS:"
    echo "  -d <disk>                               specify disk to install on."
    echo "  -n <target_config>                      specify the nixos config to deploy."
    echo "                                          Default: chaostheatre"
    echo "                                          Default: chaostheatre"
    echo "  -u <target_user>                        specify user to deploy for."
    echo "                                          Default: swarsel"
    echo "  -h | --help                             Print this help."
    exit 0
}

function green() {
    echo -e "\x1B[32m[+] $1 \x1B[0m"
    if [ -n "${2-}" ]; then
        echo -e "\x1B[32m[+] $($2) \x1B[0m"
    fi
}

while [[ $# -gt 0 ]]; do
    case "$1" in
    -n)
        shift
        target_config=$1
        ;;
    -u)
        shift
        target_user=$1
        ;;
    -h | --help) help_and_exit ;;
    *)
        echo "Invalid option detected."
        help_and_exit
        ;;
    esac
    shift
done

function cleanup() {
    sudo rm -rf .cache/nix
    sudo rm -rf /root/.cache/nix
}
trap cleanup exit

sudo rm -rf .cache/nix
sudo rm -rf /root/.cache/nix

green "~SwarselSystems~ remote post-installer"

cd /home/"$target_user"/.dotfiles

SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_config".config.swarselsystems.isSecureBoot)"

if [[ $SECUREBOOT == "true" ]]; then
    green "Setting up secure boot keys"
    sudo mkdir -p /var/lib/sbctl
    sbctl create-keys || true
    sbctl enroll-keys --ignore-immutable --microsoft || true
fi

green "Disabling initialSetup"
sed -i '/swarselsystems\.initialSetup = true;/d' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
sudo nixos-rebuild --flake .#"$target_config" switch
green "Post-install finished!"

{ self, name, writeShellApplication, git }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ git ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

{ name, writeShellApplication, ... }:

writeShellApplication {
  inherit name;
  runtimeInputs = [ ];
  text = ''
    date -d"$1" +%s
  '';
}

{ name, writeShellApplication, ... }:

writeShellApplication {
  inherit name;
  runtimeInputs = [ ];
  text = ''
    date -d @"$1" 2>/dev/null || date -r "$1"
  '';
}

{ name, writeShellApplication, ... }:

writeShellApplication {
  inherit name;
  runtimeInputs = [ ];
  text = ''
    nix shell github:nixos/nixpkgs/"$1"#"$2";
  '';
}

{ lib
, python3
, fetchFromGitHub
, makeDesktopItem
, writeShellScript
, ...
}:
let
  wrapper = writeShellScript "eontimer-wrapper" ''
    export QT_QPA_PLATFORM=xcb
    exec @out@/bin/EonTimer
  '';
in
python3.pkgs.buildPythonApplication rec {
  pname = "eontimer";
  version = "3.0.0-rc.6";
  pyproject = true;

  src = fetchFromGitHub {
    owner = "DasAmpharos";
    repo = "EonTimer";
    rev = version;
    hash = "sha256-+XN/VGGlEg2gVncRZrWDOZ2bfxt8xyIu22F2wHlG6YI=";
  };

  build-system = [
    python3.pkgs.setuptools
    python3.pkgs.wheel
  ];

  dependencies = with python3.pkgs; [
    altgraph
    certifi
    charset-normalizer
    idna
    libsass
    macholib
    packaging
    pillow
    pipdeptree
    platformdirs
    pyinstaller
    pyinstaller-hooks-contrib
    pyside6
    requests
    setuptools
    shiboken6
    urllib3
  ];

  nativeBuildInputs = [
    python3.pkgs.pyinstaller
  ];

  buildPhase = ''
    runHook preBuild

    pyinstaller --clean --noconfirm EonTimer.spec

    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall

    mkdir -p $out/bin
    mkdir -p $out/share/applications
    cp dist/EonTimer $out/bin/
    install -Dm755 -T ${wrapper} $out/bin/eontimer
    substituteInPlace $out/bin/eontimer --subst-var out

    runHook postInstall
  '';

  postInstall = ''
    install -Dm755 -t $out/share/applications ${
         makeDesktopItem {
           name = "eontimer";
           desktopName = "EonTimer";
           comment = "Start EonTimer";
           exec = "eontimer";
         }
       }/share/applications/eontimer.desktop
  '';



  meta = {
    description = "Pokémon RNG Timer";
    homepage = "https://github.com/DasAmpharos/EonTimer";
    license = lib.licenses.mit;
    maintainers = with lib.maintainers; [ ];
    mainProgram = "eon-timer";
  };
}

set -euo pipefail

if [ ! -d "$(pwd)/.git" ]; then
    git init
fi
nix flake init --template "$FLAKE"#"$1"
direnv allow

{ self, name, writeShellApplication }:
writeShellApplication {
  inherit name;
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

{ name, pkgs, ... }:
let
  base = pkgs.appimageTools.defaultFhsEnvArgs;
in
pkgs.buildFHSEnv (base // {
  name = "fhs";
  targetPkgs = pkgs: (base.targetPkgs pkgs) ++ [ pkgs.pkg-config ];
  profile = "export FHS=1";
  runScript = "zsh";
  extraOutputsToInstall = [ "dev" ];
})

swaymsg output eDP-1 power on > /dev/null 2>&1 || true
swaymsg output eDP-2 power on > /dev/null 2>&1 || true

{ self, name, writeShellApplication, sway }:
writeShellApplication {
  inherit name;
  runtimeInputs = [ sway ];
  text = builtins.readFile "${self}/scripts/${name}.sh";
}

{ appimageTools, fetchurl, ... }:
let
  pname = "mgba";
  version = "0.10.4";
  src = fetchurl {
    url = "https://github.com/mgba-emu/mgba/releases/download/${version}/mGBA-${version}-appimage-x64.appimage";
    hash = "sha256-rDihDfuA8DqxvCe6UeavCzpjeU+fSqUbFnyTNC2dc1I=";
  };
  appimageContents = appimageTools.extractType2 { inherit pname version src; };
in
appimageTools.wrapType2 {
  inherit pname version src;
  extraInstallCommands = ''
    install -Dm444 ${appimageContents}/io.mgba.mGBA.desktop -t $out/share/applications
    substituteInPlace $out/share/applications/io.mgba.mGBA.desktop \
      --replace-fail 'Exec=mgba-qt %f' 'Exec=mgba'
    cp -r ${appimageContents}/usr/share/icons $out/share
  '';

}

{ lib, ... }:
let
  moduleNames = lib.swarselsystems.readNix "modules/nixos";
in
lib.swarselsystems.mkModules moduleNames "nixos"

{ lib, ... }:
let
  moduleNames = lib.swarselsystems.readNix "modules/home";
in
lib.swarselsystems.mkModules moduleNames "home"

{ lib, ... }:
let
  importNames = lib.swarselsystems.readNix "profiles/nixos/common";
in
{
  imports = lib.swarselsystems.mkImports importNames "profiles/nixos/common";

  nixpkgs.config.permittedInsecurePackages = [
    "jitsi-meet-1.0.8043"
    "electron-29.4.6"
    "SDL_ttf-2.0.11"
  ];

}

{ lib, config, outputs, inputs, ... }:
{

  nixpkgs = {
    overlays = [ outputs.overlays.default ];
    config = {
      allowUnfree = true;
    };
  };

  nix =
    let
      flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
    in
    {
      settings = {
        experimental-features = [
          "nix-command"
          "flakes"
          "ca-derivations"
          "cgroups"
          "pipe-operators"
        ];
        trusted-users = [ "@wheel" "swarsel" ];
        connect-timeout = 5;
        bash-prompt-prefix = "$SHLVL:\\w ";
        bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
        fallback = true;
        min-free = 128000000;
        max-free = 1000000000;
        flake-registry = "";
        auto-optimise-store = true;
        warn-dirty = false;
        max-jobs = 1;
        use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
      };
      channel.enable = false;
      registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
      nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
    };


  system.stateVersion = lib.mkDefault "23.05";

}

{ pkgs, ... }:
{
  environment.systemPackages = with pkgs; [
    # yubikey packages
    gnupg
    yubikey-personalization
    yubikey-personalization-gui
    yubico-pam
    yubioath-flutter
    yubikey-manager
    yubikey-manager-qt
    yubikey-touch-detector
    yubico-piv-tool
    cfssl
    pcsctools
    pcscliteWithPolkit.out

    # ledger packages
    ledger-live-desktop

    # pinentry
    dbus
    swaylock-effects
    syncthingtray-minimal

    # secure boot
    sbctl

    libsForQt5.qt5.qtwayland

    # nix package database
    nix-index
    nixos-generators

    # commit hooks
    pre-commit

    # proc info
    acpi

    # better make for general tasks
    just

    # keyboards
    qmk
    vial
    via

    # theme related
    adwaita-icon-theme

    # kde-connect
    xdg-desktop-portal
    xdg-desktop-portal-wlr

    # bluetooth
    bluez

    # lsp-related -------------------------------
    # nix
    # latex
    # texlab
    ghostscript_headless
    # wireguard
    wireguard-tools
    # rust
    # rust-analyzer
    # clippy
    # rustfmt
    # go
    # go
    # gopls
    # nix
    nixd
    # zig
    zig
    zls
    # cpp
    # clang-tools
    # + cuda
    # cudatoolkit
    # ansible
    # ansible-lint
    ansible-language-server
    # molecule
    #lsp-bridge / python
    # gcc
    # gdb
    # (python3.withPackages (ps: with ps; [ jupyter ipython pyqt5 epc orjson sexpdata six setuptools paramiko numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server ]))
    # (python3.withPackages(ps: with ps; [ jupyter ipython pyqt5 numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server]))
    # --------------------------------------------

    # (stdenv.mkDerivation {
    #   name = "oama";

    #   src = pkgs.fetchurl {
    #     name = "oama";
    #     url = "https://github.com/pdobsan/oama/releases/download/0.13.1/oama-0.13.1-Linux-x86_64-static.tgz";
    #     sha256 = "sha256-OTdCObVfnMPhgZxVtZqehgUXtKT1iyqozdkPIV+i3Gc=";
    #   };

    #   phases = [
    #     "unpackPhase"
    #   ];

    #   unpackPhase = ''
    #     mkdir -p $out/bin
    #     tar xvf $src -C $out/
    #     mv $out/oama-0.13.1-Linux-x86_64-static/oama $out/bin/
    #   '';

    # })

  ];
}

{ inputs, config, lib, ... }:
{
  home-manager = lib.mkIf config.swarselsystems.withHomeManager {
    useGlobalPkgs = true;
    useUserPackages = true;
    extraSpecialArgs = inputs; # used mainly for inputs.self
  };
}

_:
{
  services.xserver = {
    xkb = {
      layout = "us";
      variant = "altgr-intl";
    };
  };
}

{ pkgs, config, lib, ... }:
{
  sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };

  users = {
    mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
    users.swarsel = {
      isNormalUser = true;
      description = "Leon S";
      password = lib.mkIf config.swarselsystems.initialSetup "setup";
      hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
      extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
      packages = with pkgs; [ ];
    };
  };
}

{ lib, pkgs, ... }:
{
  environment = {
    wordlist.enable = true;
    sessionVariables = {
      NIXOS_OZONE_WL = "1";
      GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
        gst-plugins-good
        gst-plugins-bad
        gst-plugins-ugly
        gst-libav
      ]);
    };
  };
  # gstreamer plugins for nautilus (used for file metadata)
}

_:
{

  security.pam.services = {
    login.u2fAuth = true;
    sudo.u2fAuth = true;
    swaylock.u2fAuth = true;
    swaylock.fprintAuth = false;
  };
  security.polkit.enable = true;

  security.sudo.extraConfig = ''
    Defaults    env_keep+=SSH_AUTH_SOCK
  '';

}

_:
{
  nix.gc = {
    automatic = true;
    randomizedDelaySec = "14m";
    dates = "weekly";
    options = "--delete-older-than 10d";
  };
}

_:
{
  nix.optimise = {
    automatic = true;
    dates = [ "weekly" ];
  };
}

_:
{
  # systemd
  systemd.extraConfig = ''
    DefaultTimeoutStartSec=60s
    DefaultTimeoutStopSec=15s
  '';
}

{ pkgs, config, lib, ... }:
{

  hardware = {
    # opengl.driSupport32Bit = true is replaced with graphics.enable32Bit and hence redundant
    graphics = {
      enable = true;
      enable32Bit = true;
    };


    trackpoint = lib.mkIf config.swarselsystems.trackpoint.isAvailable {
      enable = true;
      inherit (config.swarselsystems.trackpoint) device;
    };

    keyboard.qmk.enable = true;

    enableAllFirmware = true;

    bluetooth = lib.mkIf config.swarselsystems.hasBluetooth {
      enable = true;
      package = pkgs.stable.bluez;
      powerOnBoot = true;
      settings = {
        General = {
          Enable = "Source,Sink,Media,Socket";
        };
      };
    };
  };

  services.fprintd.enable = lib.mkIf config.swarselsystems.hasFingerprint true;
}

{ config, pkgs, lib, ... }: {

  services.pulseaudio = {
    enable = lib.mkIf (!config.services.pipewire.enable) true;
    package = pkgs.pulseaudioFull;
  };

}

_: {
  security.rtkit.enable = true; # this is required for pipewire real-time access

  services.pipewire = {
    enable = true;
    pulse.enable = true;
    jack.enable = true;
    audio.enable = true;
    wireplumber.enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
  };
}

{ lib, config, ... }:
{
  networking = {
    nftables.enable = lib.mkDefault true;
    enableIPv6 = lib.mkDefault true;
    firewall = {
      checkReversePath = lib.mkDefault false;
      enable = lib.mkDefault true;
      allowedUDPPorts = [ 51820 ]; # 51820: wireguard
      allowedTCPPortRanges = [
        { from = 1714; to = 1764; } # kde-connect
      ];
      allowedUDPPortRanges = [
        { from = 1714; to = 1764; } # kde-connect
      ];
    };

    networkmanager = {
      enable = true;
      ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
        environmentFiles = [
          "${config.sops.templates."network-manager.env".path}"
        ];
        profiles = {
          "Ernest Routerford" = {
            connection = {
              id = "Ernest Routerford";
              permissions = "";
              type = "wifi";
            };
            ipv4 = {
              dns-search = "";
              method = "auto";
            };
            ipv6 = {
              addr-gen-mode = "stable-privacy";
              dns-search = "";
              method = "auto";
            };
            wifi = {
              mac-address-blacklist = "";
              mode = "infrastructure";
              ssid = "Ernest Routerford";
            };
            wifi-security = {
              auth-alg = "open";
              key-mgmt = "wpa-psk";
              psk = "$ERNEST";
            };
          };

          LAN-Party = {
            connection = {
              autoconnect = "false";
              id = "LAN-Party";
              type = "ethernet";
            };
            ethernet = {
              auto-negotiate = "true";
              cloned-mac-address = "preserve";
              mac-address = "90:2E:16:D0:A1:87";
            };
            ipv4 = { method = "shared"; };
            ipv6 = {
              addr-gen-mode = "stable-privacy";
              method = "auto";
            };
            proxy = { };
          };

          eduroam = {
            "802-1x" = {
              eap = "ttls;";
              identity = "$EDUID";
              password = "$EDUPASS";
              phase2-auth = "mschapv2";
            };
            connection = {
              id = "eduroam";
              type = "wifi";
            };
            ipv4 = { method = "auto"; };
            ipv6 = {
              addr-gen-mode = "default";
              method = "auto";
            };
            proxy = { };
            wifi = {
              mode = "infrastructure";
              ssid = "eduroam";
            };
            wifi-security = {
              auth-alg = "open";
              key-mgmt = "wpa-eap";
            };
          };

          local = {
            connection = {
              autoconnect = "false";
              id = "local";
              type = "ethernet";
            };
            ethernet = { };
            ipv4 = {
              address1 = "10.42.1.1/24";
              method = "shared";
            };
            ipv6 = {
              addr-gen-mode = "stable-privacy";
              method = "auto";
            };
            proxy = { };
          };

          HH40V_39F5 = {
            connection = {
              id = "HH40V_39F5";
              type = "wifi";
            };
            ipv4 = { method = "auto"; };
            ipv6 = {
              addr-gen-mode = "stable-privacy";
              method = "auto";
            };
            proxy = { };
            wifi = {
              band = "bg";
              mode = "infrastructure";
              ssid = "HH40V_39F5";
            };
            wifi-security = {
              key-mgmt = "wpa-psk";
              psk = "$FRAUNS";
            };
          };

          magicant = {
            connection = {
              id = "magicant";
              type = "wifi";
            };
            ipv4 = { method = "auto"; };
            ipv6 = {
              addr-gen-mode = "default";
              method = "auto";
            };
            proxy = { };
            wifi = {
              mode = "infrastructure";
              ssid = "magicant";
            };
            wifi-security = {
              auth-alg = "open";
              key-mgmt = "wpa-psk";
              psk = "$HANDYHOTSPOT";
            };
          };

          wireguardvpn = {
            connection = {
              id = "HomeVPN";
              type = "wireguard";
              autoconnect = "false";
              interface-name = "wg1";
            };
            wireguard = { private-key = "$WIREGUARDPRIV"; };
            "wireguard-peer.$WIREGUARDPUB" = {
              endpoint = "$WIREGUARDENDPOINT";
              allowed-ips = "0.0.0.0/0";
            };
            ipv4 = {
              method = "ignore";
              address1 = "192.168.3.3/32";
            };
            ipv6 = {
              addr-gen-mode = "stable-privacy";
              method = "ignore";
            };
            proxy = { };
          };

          "sweden-aes-128-cbc-udp-dns" = {
            connection = {
              autoconnect = "false";
              id = "PIA Sweden";
              type = "vpn";
            };
            ipv4 = { method = "auto"; };
            ipv6 = {
              addr-gen-mode = "stable-privacy";
              method = "auto";
            };
            proxy = { };
            vpn = {
              auth = "sha1";
              ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
              challenge-response-flags = "2";
              cipher = "aes-128-cbc";
              compress = "yes";
              connection-type = "password";
              crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
              dev = "tun";
              password-flags = "0";
              remote = "sweden.privacy.network:1198";
              remote-cert-tls = "server";
              reneg-seconds = "0";
              service-type = "org.freedesktop.NetworkManager.openvpn";
              username = "$VPNUSER";
            };
            vpn-secrets = { password = "$VPNPASS"; };
          };

          Hotspot = {
            connection = {
              autoconnect = "false";
              id = "Hotspot";
              type = "wifi";
            };
            ipv4 = { method = "shared"; };
            ipv6 = {
              addr-gen-mode = "default";
              method = "ignore";
            };
            proxy = { };
            wifi = {
              mode = "ap";
              ssid = "Hotspot-swarsel";
            };
            wifi-security = {
              group = "ccmp;";
              key-mgmt = "wpa-psk";
              pairwise = "ccmp;";
              proto = "rsn;";
              psk = "$HOTSPOT";
            };
          };

        };
      };
    };
  };

  systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.service" ];
}

_:
{
  time = {
    timeZone = "Europe/Vienna";
    # hardwareClockInLocalTime = true;
  };

  i18n = {
    defaultLocale = "en_US.UTF-8";
    extraLocaleSettings = {
      LC_ADDRESS = "de_AT.UTF-8";
      LC_IDENTIFICATION = "de_AT.UTF-8";
      LC_MEASUREMENT = "de_AT.UTF-8";
      LC_MONETARY = "de_AT.UTF-8";
      LC_NAME = "de_AT.UTF-8";
      LC_NUMERIC = "de_AT.UTF-8";
      LC_PAPER = "de_AT.UTF-8";
      LC_TELEPHONE = "de_AT.UTF-8";
      LC_TIME = "de_AT.UTF-8";
    };
  };
}

{ self, config, lib, ... }:
let
  certsSopsFile = self + /secrets/certs/secrets.yaml;
in
{
  sops = lib.mkIf (!config.swarselsystems.isPublic) {

    age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.users.users.swarsel.home}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
    defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";

    validateSopsFiles = false;

    secrets = {
      ernest = { };
      frauns = { };
      hotspot = { };
      eduid = { };
      edupass = { };
      handyhotspot = { };
      vpnuser = { };
      vpnpass = { };
      wireguardpriv = { };
      wireguardpub = { };
      wireguardendpoint = { };
      stashuser = { };
      stashpass = { };
      githubforgeuser = { };
      githubforgepass = { };
      gitlabforgeuser = { };
      gitlabforgepass = { };
      "sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = "swarsel"; };
      "sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = "swarsel"; };
    };
    templates = {
      "network-manager.env".content = ''
        ERNEST=${config.sops.placeholder.ernest}
        FRAUNS=${config.sops.placeholder.frauns}
        HOTSPOT=${config.sops.placeholder.hotspot}
        EDUID=${config.sops.placeholder.eduid}
        EDUPASS=${config.sops.placeholder.edupass}
        HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
        VPNUSER=${config.sops.placeholder.vpnuser}
        VPNPASS=${config.sops.placeholder.vpnpass}
        WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
        WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
        WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
      '';
      # ".authinfo" = {
      #   owner = "swarsel";
      #   path = "${config.users.users.swarsel.home}/.emacs.d/.authinfo";
      #   content = ''
      #     machine stash.swarsel.win:443 port https login ${config.sops.placeholder.stashuser} password ${config.sops.placeholder.stashpass}
      #     machine gitlab.com/api/v4 login ${config.sops.placeholder.githubforgeuser} password ${config.sops.placeholder.githubforgepass}
      #     machine api.github.com login ${config.sops.placeholder.gitlabforgeuser} password ${config.sops.placeholder.gitlabforgepass}
      #   '';
      # };
    };
  };
}

{ lib, config, ... }:
{
  stylix = lib.recursiveUpdate
    {
      targets.grub.enable = false; # the styling makes grub more ugly
      image = config.swarselsystems.wallpaper;
    }
    config.swarselsystems.stylix;
  home-manager.users.swarsel = {
    stylix = {
      targets = {
        emacs.enable = false;
        waybar.enable = false;
      };
    };
  };
}

_:
{
  programs = {
    dconf.enable = true;
    evince.enable = true;
    kdeconnect.enable = true;
  };
}

{ pkgs, ... }:
{
  programs.ssh.startAgent = false;

  services.pcscd.enable = true;

  hardware.ledger.enable = true;

  services.udev.packages = with pkgs; [
    yubikey-personalization
    ledger-udev-rules
    qmk-udev-rules
    vial
    via
  ];
}

{ pkgs, ... }:
{
  services.greetd = {
    enable = true;
    settings = {
      initial_session.command = "sway";
      # initial_session.user ="swarsel";
      default_session.command = ''
        ${pkgs.greetd.tuigreet}/bin/tuigreet \
          --time \
          --asterisks \
          --user-menu \
          --cmd sway
      '';
    };
  };

  environment.etc."greetd/environments".text = ''
    sway
  '';
}

{ pkgs, ... }:
{
  programs.nix-ld = {
    enable = true;
    libraries = with pkgs; [
      SDL
      SDL2
      SDL2_image
      SDL2_mixer
      SDL2_ttf
      SDL_image
      SDL_mixer
      SDL_ttf
      alsa-lib
      at-spi2-atk
      at-spi2-core
      atk
      bzip2
      cairo
      cups
      curl
      dbus
      dbus-glib
      expat
      ffmpeg
      flac
      fontconfig
      freeglut
      freetype
      fuse3
      gdk-pixbuf
      glew110
      glib
      stable.gnome2.GConf
      pango
      gtk2
      gtk3
      icu
      libGL
      libappindicator-gtk2
      libappindicator-gtk3
      libcaca
      libcanberra
      libcap
      libdbusmenu-gtk2
      libdrm
      libelf
      libgcrypt
      libglvnd
      libidn
      libindicator-gtk2
      libjpeg
      libmikmod
      libnotify
      libogg
      libpng
      libpng12
      libpulseaudio
      librsvg
      libsamplerate
      libtheora
      libtiff
      libudev0-shim
      libunwind
      libusb1
      libuuid
      libva
      libvdpau
      libvorbis
      libvpx
      libxkbcommon
      libxml2
      libz
      mesa
      nspr
      nss
      openssl
      pango
      pipewire
      pixman
      speex
      stdenv.cc.cc
      steam-fhsenv-without-steam
      systemd
      tbb
      vulkan-loader
      xorg.libICE
      xorg.libSM
      xorg.libX11
      xorg.libXScrnSaver
      xorg.libXcomposite
      xorg.libXcursor
      xorg.libXdamage
      xorg.libXext
      xorg.libXfixes
      xorg.libXft
      xorg.libXi
      xorg.libXinerama
      xorg.libXmu
      xorg.libXrandr
      xorg.libXrender
      xorg.libXt
      xorg.libXtst
      xorg.libXxf86vm
      xorg.libxcb
      xorg.libxshmfence
      zlib
    ];
  };
}

{ config, lib, ... }:
let
  mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";
in
{

  security.sudo.extraConfig = lib.mkIf config.swarselsystems.isImpermanence ''
    # rollback results in sudo lectures after each reboot
    Defaults lecture = never
  '';

  # This script does the actual wipe of the system
  # So if it doesn't run, the btrfs system effectively acts like a normal system
  # Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix

  boot.initrd.systemd.enable = lib.mkIf config.swarselsystems.isImpermanence true;

  boot.initrd.systemd.services.rollback = lib.mkIf config.swarselsystems.isImpermanence {
    description = "Rollback BTRFS root subvolume to a pristine state";
    wantedBy = [ "initrd.target" ];
    # make sure it's done after encryption
    # i.e. LUKS/TPM process
    after = lib.swarselsystems.mkIfElseList config.swarselsystems.isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
    requires = lib.mkIf (!config.swarselsystems.isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
    # mount the root fs before clearing
    before = [ "sysroot.mount" ];
    unitConfig.DefaultDependencies = "no";
    serviceConfig.Type = "oneshot";
    script = ''
      mkdir -p /mnt

      # We first mount the btrfs root to /mnt
      # so we can manipulate btrfs subvolumes.
      mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
      btrfs subvolume list -o /mnt/root

      # While we're tempted to just delete /root and create
      # a new snapshot from /root-blank, /root is already
      # populated at this point with a number of subvolumes,
      # which makes `btrfs subvolume delete` fail.
      # So, we remove them first.
      #
      # /root contains subvolumes:
      # - /root/var/lib/portables
      # - /root/var/lib/machines

      btrfs subvolume list -o /mnt/root |
      cut -f9 -d' ' |
      while read subvolume; do
        echo "deleting /$subvolume subvolume..."
        btrfs subvolume delete "/mnt/$subvolume"
      done &&
      echo "deleting /root subvolume..." &&
      btrfs subvolume delete /mnt/root

      echo "restoring blank /root subvolume..."
      btrfs subvolume snapshot /mnt/root-blank /mnt/root

      # Once we're done rolling back to a blank snapshot,
      # we can unmount /mnt and continue on the boot process.
      umount /mnt
    '';
  };


  environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    hideMounts = true;
    directories =
      [
        "/.cache/nix"
        "/srv"
        "/etc/nixos"
        "/etc/nix"
        "/etc/NetworkManager/system-connections"
        # "/etc/secureboot"
        "/home/swarsel/.dotfiles"
        "/var/db/sudo"
        "/var/cache"
        "/var/lib"
      ];

    files = [
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
      "/etc/ssh/ssh_host_rsa_key"
      "/etc/ssh/ssh_host_rsa_key.pub"
    ];
  };

}

{ pkgs, ... }:
{
  system.activationScripts.diff = {
    supportsDryActivation = true;
    text = ''
      ${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff \
           /run/current-system "$systemConfig"
    '';
  };
}

_:
{
  services.gnome.gnome-keyring = {
    enable = true;
  };

  programs.seahorse.enable = true;
}

{ pkgs, ... }:
{

  programs.sway = {
    enable = true;
    package = pkgs.swayfx;
    wrapperFeatures = {
      base = true;
      gtk = true;
    };

    extraSessionCommands = ''
      export XDG_SESSION_DESKTOP=sway
      export SDL_VIDEODRIVER=wayland
      export QT_QPA_PLATFORM=wayland-egl
      export QT_WAYLAND_DISABLE_WINDOWDECORATION=1
      export QT_QPA_PLATFORM_PLUGIN_PATH="${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
      export MOZ_ENABLE_WAYLAND=1
      export MOZ_DISABLE_RDD_SANDBOX=1
    '';
  };

}

{ pkgs, ... }:
{

  xdg.portal = {
    enable = true;
    config = {
      common = {
        default = "wlr";
      };
    };
    wlr.enable = true;
    wlr.settings.screencast = {
      output_name = "eDP-1";
      chooser_type = "simple";
      chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
    };
  };

}

{ pkgs, ... }:
{
  environment.systemPackages = with pkgs; [
    distrobox
    boxbuddy
  ];

  virtualisation.podman = {
    enable = true;
    package = pkgs.stable.podman;
  };

}

_:
{
  services.logind = {
    lidSwitch = "suspend";
    lidSwitchDocked = "ignore";
  };
  services.acpid = {
    enable = true;
    lidEventCommands =
      ''
        export PATH=$PATH:/run/current-system/sw/bin
        export WAYLAND_DISPLAY=wayland-1
        export XDG_RUNTIME_DIR=/run/user/1000
        export SWAYSOCK=$(ls /run/user/1000/sway-ipc.* | head -n 1)

        LID_STATE=$(cat /proc/acpi/button/lid/*/state | grep -q closed && echo "closed" || echo "open")
        DOCKED=$(swaymsg -t get_outputs | grep -q 'HDMI\|DP' && echo "docked" || echo "undocked")

        if [ "$LID_STATE" == "closed" ] && [ "$DOCKED" == "docked" ]; then
            swaymsg output eDP-2 disable
        else
            swaymsg output eDP-2 enable
        fi
      '';
  };
}

{ pkgs, lib, ... }:
{
  systemd.user.services."battery-low" = {
    enable = true;
    description = "Notify user if battery is below 10%";
    partOf = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = pkgs.writeShellScript "battery-low-notification"
        ''
          if (( 10 >= $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") && $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") > 0 ));
          then ${lib.getExe pkgs.libnotify} --urgency=critical "low battery" "$(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%")";
          fi;
        '';
    };
  };
  systemd.user.timers."battery-low" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      # Every Minute
      OnCalendar = "*-*-* *:*:00";
      Unit = "battery-low.service";
    };
  };
}

{ lib, config, ... }:
{
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
    };
    lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
      enable = true;
      pkiBundle = "/var/lib/sbctl";
    };
  };
}

{ self, lib, ... }:
let
  importNames = lib.swarselsystems.readNix "profiles/nixos/server";
  profilesPath = "${self}/profiles";
in
{
  imports = lib.swarselsystems.mkImports importNames "profiles/nixos/server" ++ [
    "${profilesPath}/nixos/common/settings.nix"
    "${profilesPath}/nixos/common/home-manager.nix"
    "${profilesPath}/nixos/common/xserver.nix"
    "${profilesPath}/nixos/common/gc.nix"
    "${profilesPath}/nixos/common/store.nix"
    "${profilesPath}/nixos/common/time.nix"
    "${profilesPath}/nixos/common/users.nix"
    "${profilesPath}/nixos/common/nix-ld.nix"
  ];
}

{ lib, config, ... }:
{
  environment.shellAliases = lib.recursiveUpdate
    {
      npswitch = "cd ${config.swarselsystems.flakePath}; git pull; sudo nixos-rebuild --flake .#$(hostname) switch; cd -;";
      nswitch = "sudo nixos-rebuild --flake ${config.swarselsystems.flakePath}#$(hostname) switch;";
      npiswitch = "cd ${config.swarselsystems.flakePath}; git pull; sudo nixos-rebuild --flake .#$(hostname) switch --impure; cd -;";
      nipswitch = "cd ${config.swarselsystems.flakePath}; git pull; sudo nixos-rebuild --flake .#$(hostname) switch --impure; cd -;";
      niswitch = "sudo nixos-rebuild --flake ${config.swarselsystems.flakePath}#$(hostname) switch --impure;";
    }
    config.swarselsystems.shellAliases;

  nixpkgs.config.permittedInsecurePackages = [
    # matrix
    "olm-3.2.16"
    # sonarr
    "aspnetcore-runtime-wrapped-6.0.36"
    "aspnetcore-runtime-6.0.36"
    "dotnet-sdk-wrapped-6.0.428"
    "dotnet-sdk-6.0.428"
    #
    "SDL_ttf-2.0.11"
  ];

}

{ pkgs, ... }:
{
  environment.systemPackages = with pkgs; [
    gnupg
    nix-index
    ssh-to-age
    git
    emacs
    vim
  ];
}

{ config, lib, ... }:
{
  sops = {
    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ];
    defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/winters/secrets.yaml";
    validateSopsFiles = false;
  };

}

{ pkgs, ... }:
{
  services = {
    # add a user with sudo smbpasswd -a <user>
    samba = {
      package = pkgs.samba4Full;
      # extraConfig = ''
      #   workgroup = WORKGROUP
      #   server role = standalone server
      #   dns proxy = no

      #   pam password change = yes
      #   map to guest = bad user
      #   create mask = 0664
      #   force create mode = 0664
      #   directory mask = 0775
      #   force directory mode = 0775
      #   follow symlinks = yes
      # '';

      enable = true;
      openFirewall = true;
      settings.Eternor = {
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "no";
        path = "/Vault/Eternor";
        writable = "true";
        comment = "Eternor";
        "valid users" = "Swarsel";
      };
    };


    avahi = {
      publish.enable = true;
      publish.userServices = true; # Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
      nssmdns4 = true;
      enable = true;
      openFirewall = true;
    };

    # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
    samba-wsdd = {
      enable = true;
      openFirewall = true;
    };
  };
}

{ pkgs, config, ... }:
{
  environment.systemPackages = with pkgs; [
    lego
  ];

  # users.users.acme = {};

  sops = {
    # secrets.dnstokenfull = { owner = "acme"; };
    secrets.dnstokenfull = { };
    templates."certs.secret".content = ''
      CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
    '';
  };

  security.acme = {
    acceptTerms = true;
    preliminarySelfsigned = false;
    defaults.email = "mrswarsel@gmail.com";
    defaults.dnsProvider = "cloudflare";
    defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
  };

  services.nginx = {
    enable = true;
    statusPage = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # virtualHosts are defined in the respective sections
  };

}

{ self, ... }:
{
  services.openssh = {
    enable = true;
  };
  users.users.swarsel.openssh.authorizedKeys.keyFiles = [
    (self + /secrets/keys/ssh/nbl-imba-2.pub)
    (self + /secrets/keys/ssh/magicant.pub)
  ];
  users.users.root.openssh.authorizedKeys.keyFiles = [
    (self + /secrets/keys/ssh/nbl-imba-2.pub)
    (self + /secrets/keys/ssh/magicant.pub)
  ];
  security.sudo.extraConfig = ''
    Defaults    env_keep+=SSH_AUTH_SOCK
  '';

}

{ pkgs, lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.kavita {
    environment.systemPackages = with pkgs; [
      calibre
    ];


    users.users.jellyfin = {
      extraGroups = [ "users" ];
    };

    sops.secrets.kavita = { owner = "kavita"; };

    networking.firewall.allowedTCPPorts = [ 8080 ];

    services.kavita = {
      enable = true;
      user = "kavita";
      settings.Port = 8080;
      tokenKeyFile = config.sops.secrets.kavita.path;
    };

    services.nginx = {
      virtualHosts = {
        "scroll.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:8080";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
          };
        };
      };
    };
  };
}

{ pkgs, lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.jellyfin {
    users.users.jellyfin = {
      extraGroups = [ "video" "render" "users" ];
    };
    nixpkgs.config.packageOverrides = pkgs: {
      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
    };
    hardware.graphics = {
      enable = true;
      extraPackages = with pkgs; [
        intel-media-driver # LIBVA_DRIVER_NAME=iHD
        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
        vaapiVdpau
        libvdpau-va-gl
      ];
    };
    services.jellyfin = {
      enable = true;
      user = "jellyfin";
      openFirewall = true; # this works only for the default ports
    };

    services.nginx = {
      virtualHosts = {
        "screen.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:8096";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
          };
        };
      };
    };
  };

}

{ pkgs, lib, inputs, config, ... }:
let
  secretsDirectory = builtins.toString inputs.nix-secrets;
in
{
  config = lib.mkIf config.swarselsystems.server.navidrome {
    environment.systemPackages = with pkgs; [
      pciutils
      alsa-utils
      mpv
    ];

    users = {
      groups = {
        navidrome = {
          gid = 61593;
        };
      };

      users = {
        navidrome = {
          isSystemUser = true;
          uid = 61593;
          group = "navidrome";
          extraGroups = [ "audio" "utmp" "users" "pipewire" ];
        };
      };
    };


    hardware = {
      # opengl.enable = true;
      enableAllFirmware = true;
    };

    networking.firewall.allowedTCPPorts = [ 4040 ];

    services.navidrome = {
      enable = true;
      openFirewall = true;
      settings = {
        LogLevel = "error";
        Address = "127.0.0.1";
        Port = 4040;
        MusicFolder = "/Vault/Eternor/Musik";
        EnableSharing = true;
        EnableTranscodingConfig = true;
        Scanner.GroupAlbumReleases = true;
        ScanSchedule = "@every 24h";
        MPVPath = "${pkgs.mpv}/bin/mpv";
        MPVCommandTemplate = "mpv --audio-device=%d --no-audio-display --pause %f";
        Jukebox = {
          Enabled = true;
          Default = "pch";
          Devices = [
            [ "pch" "alsa/sysdefault:CARD=PCH" ]
          ];
        };
        # Switch using --impure as these credential files are not stored within the flake
        # sops-nix is not supported for these which is why we need to resort to these
        LastFM.ApiKey = builtins.readFile "${secretsDirectory}/navidrome/lastfm-secret";
        LastFM.Secret = builtins.readFile "${secretsDirectory}/navidrome/lastfm-key";
        Spotify.ID = builtins.readFile "${secretsDirectory}/navidrome/spotify-id";
        Spotify.Secret = builtins.readFile "${secretsDirectory}/navidrome/spotify-secret";
        UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
        UIWelcomeMessage = "~SwarselSound~";
      };
    };

    services.nginx = {
      virtualHosts = {
        "sound.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:4040";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_redirect          http:// https://;
                proxy_read_timeout      600s;
                proxy_send_timeout      600s;
                proxy_buffering         off;
                proxy_request_buffering off;
                client_max_body_size    0;
              '';
            };
          };
        };
      };
    };
  };


}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.spotifyd {
    users.groups.spotifyd = {
      gid = 65136;
    };

    users.users.spotifyd = {
      isSystemUser = true;
      uid = 65136;
      group = "spotifyd";
      extraGroups = [ "audio" "utmp" "pipewire" ];
    };

    networking.firewall.allowedTCPPorts = [ 1025 ];

    services.pipewire.systemWide = true;

    services.spotifyd = {
      enable = true;
      settings = {
        global = {
          dbus_type = "session";
          use_mpris = false;
          device = "sysdefault:CARD=PCH";
          device_name = "SwarselSpot";
          mixer = "alsa";
          zeroconf_port = 1025;
        };
      };
    };
  };

}

{ pkgs, lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.mpd {
    users = {
      groups = {
        mpd = { };
      };

      users = {
        mpd = {
          isSystemUser = true;
          group = "mpd";
          extraGroups = [ "audio" "utmp" ];
        };
      };
    };

    sops = {
      secrets.mpdpass = { owner = "mpd"; };
    };

    environment.systemPackages = with pkgs; [
      pciutils
      alsa-utils
      mpv
    ];

    services.mpd = {
      enable = true;
      musicDirectory = "/media";
      user = "mpd";
      group = "mpd";
      network = {
        port = 3254;
        listenAddress = "any";
      };
      credentials = [
        {
          passwordFile = config.sops.secrets.mpdpass.path;
          permissions = [
            "read"
            "add"
            "control"
            "admin"
          ];
        }
      ];
    };
  };

}

{ lib, config, ... }:
{
  config = lib.mkIf (config.swarselsystems.server.mpd || config.swarselsystems.server.navidrome) {

    security.rtkit.enable = true; # this is required for pipewire real-time access

    services.pipewire = {
      enable = true;
      pulse.enable = true;
      jack.enable = true;
      audio.enable = true;
      wireplumber.enable = true;
      alsa = {
        enable = true;
        support32Bit = true;
      };
    };
  };

}

{ config, lib, pkgs, sops, ... }:
let
  matrixDomain = "swatrix.swarsel.win";
  baseUrl = "https://${matrixDomain}";
  clientConfig."m.homeserver".base_url = baseUrl;
  serverConfig."m.server" = "${matrixDomain}:443";
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in
{

  config = lib.mkIf config.swarselsystems.server.matrix {
    environment.systemPackages = with pkgs; [
      matrix-synapse
      lottieconverter
      ffmpeg
    ];

    sops = {
      secrets = {
        matrixsharedsecret = { owner = "matrix-synapse"; };
        mautrixtelegram_as = { owner = "matrix-synapse"; };
        mautrixtelegram_hs = { owner = "matrix-synapse"; };
        mautrixtelegram_api_id = { owner = "matrix-synapse"; };
        mautrixtelegram_api_hash = { owner = "matrix-synapse"; };
      };
      templates = {
        "matrix_user_register.sh".content = ''
          register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
        '';
        matrixshared = {
          owner = "matrix-synapse";
          content = ''
            registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
          '';
        };
        mautrixtelegram = {
          owner = "matrix-synapse";
          content = ''
            MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
            MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
            MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
            MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
          '';
        };
      };
    };

    services.postgresql = {
      enable = true;
      initialScript = pkgs.writeText "synapse-init.sql" ''
        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
          TEMPLATE template0
          LC_COLLATE = "C"
          LC_CTYPE = "C";
        CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
        CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
          TEMPLATE template0
          LC_COLLATE = "C"
          LC_CTYPE = "C";
        CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
        CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
          TEMPLATE template0
          LC_COLLATE = "C"
          LC_CTYPE = "C";
        CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
        CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
          TEMPLATE template0
          LC_COLLATE = "C"
          LC_CTYPE = "C";
      '';
    };

    services.matrix-synapse = {
      enable = true;
      settings = {
        app_service_config_files = [
          "/var/lib/matrix-synapse/telegram-registration.yaml"
          "/var/lib/matrix-synapse/whatsapp-registration.yaml"
          "/var/lib/matrix-synapse/signal-registration.yaml"
          "/var/lib/matrix-synapse/doublepuppet.yaml"
        ];
        server_name = matrixDomain;
        public_baseurl = "https://${matrixDomain}";
        listeners = [
          {
            port = 8008;
            bind_addresses = [
              "127.0.0.1"
              # "::1"
            ];
            type = "http";
            tls = false;
            x_forwarded = true;
            resources = [
              {
                names = [ "client" "federation" ];
                compress = true;
              }
            ];
          }
        ];
      };
      extraConfigFiles = [
        config.sops.templates.matrixshared.path
      ];
    };

    services.mautrix-telegram = {
      enable = true;
      environmentFile = config.sops.templates.mautrixtelegram.path;
      settings = {
        homeserver = {
          address = "http://localhost:8008";
          domain = matrixDomain;
        };
        appservice = {
          address = "http://localhost:29317";
          hostname = "localhost";
          port = "29317";
          provisioning.enabled = true;
          id = "telegram";
          # ephemeral_events = true; # not needed due to double puppeting
          public = {
            enabled = false;
          };
          database = "postgresql:///mautrix-telegram?host=/run/postgresql";
        };
        bridge = {
          relaybot.authless_portals = true;
          allow_avatar_remove = true;
          allow_contact_info = true;
          sync_channel_members = true;
          startup_sync = true;
          sync_create_limit = 0;
          sync_direct_chats = true;
          telegram_link_preview = true;
          permissions = {
            "*" = "relaybot";
            "@swarsel:${matrixDomain}" = "admin";
          };
          animated_sticker = {
            target = "gif";
            args = {
              width = 256;
              height = 256;
              fps = 30; # only for webm
              background = "020202"; # only for gif, transparency not supported
            };
          };
        };
      };
    };
    systemd.services.mautrix-telegram.path = with pkgs; [
      lottieconverter # for animated stickers conversion, unfree package
      ffmpeg # if converting animated stickers to webm (very slow!)
    ];

    services.mautrix-whatsapp = {
      enable = true;
      registerToSynapse = false;
      settings = {
        homeserver = {
          address = "http://localhost:8008";
          domain = matrixDomain;
        };
        appservice = {
          address = "http://localhost:29318";
          hostname = "127.0.0.1";
          port = 29318;
          database = {
            type = "postgres";
            uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
          };
        };
        bridge = {
          displayname_template = "{{or .FullName .PushName .JID}} (WA)";
          history_sync = {
            backfill = true;
            max_initial_conversations = -1;
            message_count = -1;
            request_full_sync = true;
            full_sync_config = {
              days_limit = 900;
              size_mb_limit = 5000;
              storage_quota_mb = 5000;
            };
          };
          login_shared_secret_map = {
            matrixDomain = "as_token:doublepuppet";
          };
          sync_manual_marked_unread = true;
          send_presence_on_typing = true;
          parallel_member_sync = true;
          url_previews = true;
          caption_in_message = true;
          extev_polls = true;
          permissions = {
            "*" = "relay";
            "@swarsel:${matrixDomain}" = "admin";
          };
        };
      };
    };

    services.mautrix-signal = {
      enable = true;
      registerToSynapse = false;
      settings = {
        homeserver = {
          address = "http://localhost:8008";
          domain = matrixDomain;
        };
        appservice = {

          address = "http://localhost:29328";
          hostname = "127.0.0.1";
          port = 29328;
          database = {
            type = "postgres";
            uri = "postgresql:///mautrix-signal?host=/run/postgresql";
          };
        };
        bridge = {
          displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
          login_shared_secret_map = {
            matrixDomain = "as_token:doublepuppet";
          };
          caption_in_message = true;
          permissions = {
            "*" = "relay";
            "@swarsel:${matrixDomain}" = "admin";
          };
        };
      };
    };

    # restart the bridges daily. this is done for the signal bridge mainly which stops carrying
    # messages out after a while.

    systemd.timers."restart-bridges" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "1d";
        OnUnitActiveSec = "1d";
        Unit = "restart-bridges.service";
      };
    };

    systemd.services."restart-bridges" = {
      script = ''
        systemctl restart mautrix-whatsapp.service
        systemctl restart mautrix-signal.service
        systemctl restart mautrix-telegram.service
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "root";
      };
    };

    services.nginx = {
      virtualHosts = {
        "swatrix.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          listen = [
            {
              addr = "0.0.0.0";
              port = 8448;
              ssl = true;
              extraParameters = [
                "default_server"
              ];
            }
            {
              addr = "[::0]";
              port = 8448;
              ssl = true;
              extraParameters = [
                "default_server"
              ];
            }
            {
              addr = "0.0.0.0";
              port = 443;
              ssl = true;
            }
            {
              addr = "[::0]";
              port = 443;
              ssl = true;
            }
          ];
          locations = {
            "~ ^(/_matrix|/_synapse/client)" = {
              # proxyPass = "http://localhost:8008";
              proxyPass = "http://localhost:8008";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
            "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
            "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
          };
        };
      };
    };
  };


}

{ pkgs, lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.nextcloud {

    sops.secrets.nextcloudadminpass = {
      owner = "nextcloud";
      group = "nextcloud";
      mode = "0440";
    };

    services.nextcloud = {
      enable = true;
      package = pkgs.nextcloud30;
      hostName = "stash.swarsel.win";
      home = "/Vault/apps/nextcloud";
      datadir = "/Vault/data/nextcloud";
      https = true;
      configureRedis = true;
      maxUploadSize = "4G";
      extraApps = {
        inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks;
      };
      config = {
        adminuser = "admin";
        adminpassFile = config.sops.secrets.nextcloudadminpass.path;
        dbtype = "sqlite";
      };
    };


    services.nginx = {
      virtualHosts = {
        "stash.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          # config is automatically added by nixos nextcloud config.
          # hence, only provide certificate
        };
      };
    };
  };

}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.immich {

    users.users.immich = {
      extraGroups = [ "video" "render" "users" ];
    };

    # sops.secrets.nextcloudadminpass = { owner = "nextcloud"; };

    services.immich = {
      enable = true;
      port = 3001;
      openFirewall = true;
      mediaLocation = "/Vault/Eternor/Immich";
      environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
    };


    services.nginx = {
      virtualHosts = {
        "shots.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:3001";
              extraConfig = ''
                client_max_body_size    0;

                proxy_http_version 1.1;
                proxy_set_header   Upgrade    $http_upgrade;
                proxy_set_header   Connection "upgrade";
                proxy_redirect     off;

                proxy_read_timeout 600s;
                proxy_send_timeout 600s;
                send_timeout       600s;
              '';
            };
          };
        };
      };
    };

  };

}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.paperless {

    users.users.paperless = {
      extraGroups = [ "users" ];
    };


    sops.secrets.paperless_admin = { owner = "paperless"; };

    services.paperless = {
      enable = true;
      mediaDir = "/Vault/Eternor/Paperless";
      dataDir = "/Vault/data/paperless";
      user = "paperless";
      port = 28981;
      passwordFile = config.sops.secrets.paperless_admin.path;
      address = "127.0.0.1";
      settings = {
        PAPERLESS_OCR_LANGUAGE = "deu+eng";
        PAPERLESS_URL = "https://scan.swarsel.win";
        PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
          optimize = 1;
          invalidate_digital_signatures = true;
          pdfa_image_compression = "lossless";
        };
      };
    };

    services.nginx = {
      virtualHosts = {
        "scan.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:28981";
              extraConfig = ''
                client_max_body_size    0;
              '';
            };
          };
        };
      };
    };
  };

}

{ pkgs, lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.transmission {

    # this user/group section is probably unneeded
    users = {
      groups = {
        dockeruser = {
          gid = 1155;
        };
        radarr = { };
        readarr = { };
        sonarr = { };
        lidarr = { };
        prowlarr = { };
      };
      users = {
        dockeruser = {
          isSystemUser = true;
          uid = 1155;
          group = "docker";
          extraGroups = [ "users" ];
        };
        radarr = {
          isSystemUser = true;
          group = "radarr";
          extraGroups = [ "users" ];
        };
        readarr = {
          isSystemUser = true;
          group = "readarr";
          extraGroups = [ "users" ];
        };
        sonarr = {
          isSystemUser = true;
          group = "sonarr";
          extraGroups = [ "users" ];
        };
        lidarr = {
          isSystemUser = true;
          group = "lidarr";
          extraGroups = [ "users" ];
        };
        prowlarr = {
          isSystemUser = true;
          group = "prowlarr";
          extraGroups = [ "users" ];
        };
      };
    };

    virtualisation.docker.enable = true;
    environment.systemPackages = with pkgs; [
      docker
    ];

    services = {
      radarr = {
        enable = true;
        openFirewall = true;
        dataDir = "/Vault/apps/radarr";
      };
      readarr = {
        enable = true;
        openFirewall = true;
        dataDir = "/Vault/apps/readarr";
      };
      sonarr = {
        enable = true;
        openFirewall = true;
        dataDir = "/Vault/apps/sonarr";
      };
      lidarr = {
        enable = true;
        openFirewall = true;
        dataDir = "/Vault/apps/lidarr";
      };
      prowlarr = {
        enable = true;
        openFirewall = true;
      };

      nginx = {
        virtualHosts = {
          "store.swarsel.win" = {
            enableACME = false;
            forceSSL = false;
            acmeRoot = null;
            locations = {
              "/" = {
                proxyPass = "http://localhost:9091";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/radarr" = {
                proxyPass = "http://localhost:7878";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/readarr" = {
                proxyPass = "http://localhost:8787";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/sonarr" = {
                proxyPass = "http://localhost:8989";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/lidarr" = {
                proxyPass = "http://localhost:8686";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/prowlarr" = {
                proxyPass = "http://localhost:9696";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
            };
          };
        };
      };
    };
  };
}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.syncthing {

    users.users.syncthing = {
      extraGroups = [ "users" ];
      group = "syncthing";
      isSystemUser = true;
    };

    users.groups.syncthing = { };

    services.syncthing = {
      enable = true;
      user = "swarsel";
      dataDir = "/Vault/data/syncthing";
      configDir = "/Vault/apps/syncthing";
      guiAddress = "0.0.0.0:8384";
      openDefaultPorts = true;
      relay.enable = false;
      settings = {
        urAccepted = -1;
        devices = {
          "magicant" = {
            id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
          };
          "sync (@oracle)" = {
            id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB";
          };
          "nbl-imba-2" = {
            id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
          };
        };
        folders = {
          "Default Folder" = lib.mkForce {
            path = "/Vault/data/syncthing/Sync";
            type = "receiveonly";
            versioning = null;
            devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ];
            id = "default";
          };
          "Obsidian" = {
            path = "/Vault/data/syncthing/Obsidian";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ];
            id = "yjvni-9eaa7";
          };
          "Org" = {
            path = "/Vault/data/syncthing/Org";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ];
            id = "a7xnl-zjj3d";
          };
          "Vpn" = {
            path = "/Vault/data/syncthing/Vpn";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ];
            id = "hgp9s-fyq3p";
          };
          "Documents" = {
            path = "/Vault/data/syncthing/Documents";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "magicant" "nbl-imba-2" ];
            id = "hgr3d-pfu3w";
          };
          # ".elfeed" = {
          #   path = "/Vault/data/syncthing/.elfeed";
          #   devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ];
          #   id = "h7xbs-fs9v1";
          # };
        };
      };
    };

    services.nginx = {
      virtualHosts = {
        "storync.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:8384";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
          };
        };
      };
    };
  };

}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.restic {

    # TODO

  };
}

{ self, lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.monitoring {

    sops.secrets = {
      grafanaadminpass = {
        owner = "grafana";
      };
      prometheusadminpass = {
        owner = "grafana";
      };
    };

    users.users.nextcloud-exporter = {
      extraGroups = [ "nextcloud" ];
    };

    users.users.grafana = {
      extraGroups = [ "users" ];
    };

    services.grafana = {
      enable = true;
      dataDir = "/Vault/data/grafana";
      provision = {
        enable = true;
        datasources.settings = {
          datasources = [
            {
              name = "prometheus";
              type = "prometheus";
              url = "https://status.swarsel.win/prometheus";
              editable = false;
              access = "proxy";
              basicAuth = true;
              basicAuthUser = "admin";
              jsonData = {
                httpMethod = "POST";
                manageAlerts = true;
                prometheusType = "Prometheus";
                prometheusVersion = "> 2.50.x";
                cacheLevel = "High";
                disableRecordingRules = false;
                incrementalQueryOverlapWindow = "10m";
              };
              secureJsonData = {
                basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
              };
            }
          ];
        };
      };

      settings = {
        security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
        server = {
          http_port = 3000;
          http_addr = "127.0.0.1";
          protocol = "http";
          domain = "status.swarsel.win";
        };
      };
    };

    services.prometheus = {
      enable = true;
      webExternalUrl = "https://status.swarsel.win/prometheus";
      port = 9090;
      listenAddress = "127.0.0.1";
      globalConfig = {
        scrape_interval = "10s";
      };
      webConfigFile = self + /programs/server/prometheus/web.config;
      scrapeConfigs = [
        {
          job_name = "node";
          static_configs = [{
            targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
          }];
        }
        {
          job_name = "zfs";
          static_configs = [{
            targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
          }];
        }
        {
          job_name = "nginx";
          static_configs = [{
            targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
          }];
        }
        {
          job_name = "nextcloud";
          static_configs = [{
            targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
          }];
        }
      ];
      exporters = {
        node = {
          enable = true;
          port = 9000;
          enabledCollectors = [ "systemd" ];
          extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
        };
        zfs = {
          enable = true;
          port = 9134;
          pools = [
            "Vault"
          ];
        };
        restic = {
          enable = false;
          port = 9753;
        };
        nginx = {
          enable = true;
          port = 9113;
          sslVerify = false;
          scrapeUri = "http://localhost/nginx_status";
        };
        nextcloud = lib.mkIf config.swarselsystems.server.nextcloud {
          enable = true;
          port = 9205;
          url = "https://stash.swarsel.win/ocs/v2.php/apps/serverinfo/api/v1/info";
          username = "admin";
          passwordFile = config.sops.secrets.nextcloudadminpass.path;
        };
      };
    };


    services.nginx = {
      virtualHosts = {
        "status.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:3000";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
            "/prometheus" = {
              proxyPass = "http://localhost:9090";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
          };
        };
      };
    };
  };

}

{ pkgs, lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.jenkins {

    services.jenkins = {
      enable = true;
      withCLI = true;
      port = 8088;
      packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ];
      listenAddress = "127.0.0.1";
      home = "/Vault/apps/jenkins";
    };



    services.nginx = {
      virtualHosts = {
        "servant.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:8088";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
          };
        };
      };
    };
  };

}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.emacs {

    networking.firewall.allowedTCPPorts = [ 9812 ];

    services.emacs = {
      enable = true;
      install = true;
      startWithGraphical = false;
    };

  };

}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.freshrss {

    users.users.freshrss = {
      extraGroups = [ "users" ];
      group = "freshrss";
      isSystemUser = true;
    };

    users.groups.freshrss = { };

    sops.secrets.fresh = { owner = "freshrss"; };

    services.freshrss = {
      enable = true;
      virtualHost = "signpost.swarsel.win";
      baseUrl = "https://signpost.swarsel.win";
      # authType = "none";
      dataDir = "/Vault/data/tt-rss";
      defaultUser = "Swarsel";
      passwordFile = config.sops.secrets.fresh.path;
    };

    services.nginx = {
      virtualHosts = {
        "signpost.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
        };
      };
    };
  };

}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.forgejo {

    networking.firewall.allowedTCPPorts = [ 3000 ];

    services.forgejo = {
      enable = true;
      settings = {
        DEFAULT = {
          APP_NAME = "~SwaGit~";
        };
        server = {
          PROTOCOL = "http";
          HTTP_PORT = 3000;
          HTTP_ADDR = "0.0.0.0";
          DOMAIN = "swagit.swarsel.win";
          ROOT_URL = "https://swagit.swarsel.win";
        };
        service = {
          DISABLE_REGISTRATION = true;
          SHOW_REGISTRATION_BUTTON = false;
        };
      };
    };

    services.nginx = {
      virtualHosts = {
        "swagit.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:3000";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
          };
        };
      };
    };
  };

}

{ lib, config, ... }:
{
  config = lib.mkIf config.swarselsystems.server.ankisync {

    networking.firewall.allowedTCPPorts = [ 22701 ];

    sops.secrets.swarsel = { owner = "root"; };

    services.anki-sync-server = {
      enable = true;
      port = 27701;
      address = "0.0.0.0";
      openFirewall = true;
      users = [
        {
          username = "Swarsel";
          passwordFile = config.sops.secrets.swarsel.path;
        }
      ];
    };

    services.nginx = {
      virtualHosts = {
        "synki.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "http://localhost:27701";
              extraConfig = ''
                client_max_body_size 0;
              '';
            };
          };
        };
      };
    };
  };

}

_:
{

  nix.settings.experimental-features = "nix-command flakes";
  nixpkgs = {
    hostPlatform = "x86_64-darwin";
    overlays = [ outputs.overlays.default ];
    config = {
      allowUnfree = true;
    };
  };

  system.stateVersion = 4;
}

{ pkgs, ... }:
{
  specialisation = {
    gaming.configuration = {
      networking = {
        firewall = {
          allowedUDPPorts = [ 4380 27036 14242 34197 ]; # 34197: factorio; 4380 27036 14242: barotrauma;
          allowedTCPPorts = [ ]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard
          allowedTCPPortRanges = [
            { from = 27015; to = 27030; } # barotrauma
            { from = 27036; to = 27037; } # barotrauma
          ];
          allowedUDPPortRanges = [
            { from = 27000; to = 27031; } # barotrauma
            { from = 58962; to = 58964; } # barotrauma
          ];
        };
      };

      programs.steam = {
        enable = true;
        package = pkgs.steam;
        extraCompatPackages = [
          pkgs.proton-ge-bin
        ];
      };

      hardware.xone.enable = true;

      environment.systemPackages = [
        pkgs.linuxKernel.packages.linux_6_12.xone
      ];
    };
  };

}

{ lib, pkgs, ... }:
{

  specialisation = {
    VBox.configuration = {
      virtualisation.virtualbox = {
        host = {
          enable = true;
          enableExtensionPack = true;
        };
        # leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch
        guest = {
          enable = false;
        };
      };
      # run an older kernel to provide compatibility with windows vm
      boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
    };
  };

}

_:
{

  virtualisation.vmware.host.enable = true;
  virtualisation.vmware.guest.enable = true;
}

_:
{
  services = {
    getty.autologinUser = "swarsel";
    greetd.settings.initial_session.user = "swarsel";
  };
}

{ pkgs, ... }:
{
  services.nswitch-rcm = {
    enable = true;
    package = pkgs.fetchurl {
      url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin";
      hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI=";
    };
  };
}

{ self, pkgs, config, ... }:
let
  owner = "swarsel";
  sopsFile = self + /secrets/work/secrets.yaml;
in
{
  sops = {
    secrets = {
      clad = {
        inherit owner sopsFile;
      };
      dcad = {
        inherit owner sopsFile;
      };
      wsad = {
        inherit owner sopsFile;
      };
      imbad = {
        inherit owner sopsFile;
      };
    };
  };

  # boot.initrd.luks.yubikeySupport = true;
  programs = {
    zsh.shellInit = ''
      export CLAD="$(cat ${config.sops.secrets.clad.path})"
      export DCAD="$(cat ${config.sops.secrets.dcad.path})"
      export GOVC_PASSWORD="$(cat ${config.sops.secrets.dcad.path})"
      export WSAD="$(cat ${config.sops.secrets.wsad.path})"
      export IMBAD="$(cat ${config.sops.secrets.imbad.path})"
      export DCUSER="dc_adm_schwarzaeugl@IMP.UNIVIE.AC.AT"
      export GOVC_USERNAME="dc_adm_schwarzaeugl@IMP.UNIVIE.AC.AT"
      export PACKER_SSH_EXTRA_ARGS='"--scp-extra-args","'-O'"'
    '';

    browserpass.enable = true;
    _1password.enable = true;
    _1password-gui = {
      enable = true;
      polkitPolicyOwners = [ "swarsel" ];
    };
  };

  networking = {
    firewall.trustedInterfaces = [ "virbr0" ];
    search = [
      "vbc.ac.at"
      "clip.vbc.ac.at"
      "imp.univie.ac.at"
    ];
  };

  virtualisation = {
    docker.enable = true;
    spiceUSBRedirection.enable = true;
    libvirtd = {
      enable = true;
      qemu = {
        package = pkgs.qemu_kvm;
        runAsRoot = true;
        swtpm.enable = true;
        vhostUserPackages = with pkgs; [ virtiofsd ];
        ovmf = {
          enable = true;
          packages = [
            (pkgs.OVMFFull.override {
              secureBoot = true;
              tpmSupport = true;
            }).fd
          ];
        };
      };
    };
  };

  environment.systemPackages = with pkgs; [
    # (python39.withPackages (ps: with ps; [
    # cryptography
    # ]))
    #   docker
    python39
    qemu
    packer
    gnumake
    libisoburn
    govc
    terraform
    graphviz

    # vm
    virt-manager
    virt-viewer
    virtiofsd
    spice
    spice-gtk
    spice-protocol
    win-virtio
    win-spice
  ];


  services = {
    spice-vdagentd.enable = true;
    openssh = {
      enable = true;
      extraConfig = ''
          '';
    };

    syncthing = {
      settings = {
        "winters" = {
          id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
        };
        folders = {
          "Documents" = {
            path = "/home/swarsel/Documents";
            devices = [ "magicant" "winters" ];
            id = "hgr3d-pfu3w";
          };
        };
      };
    };
  };

  # cgroups v1 is required for centos7 dockers
  specialisation = {
    cgroup_v1.configuration = {
      boot.kernelParams = [
        "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1"
        "systemd.unified_cgroup_hierarchy=0"
      ];
    };
  };

}

{ lib, pkgs, ... }:
{

  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    warn-dirty = false;
  };

  boot = {
    # initrd.systemd.enable = true;
    kernelPackages = pkgs.linuxPackages_latest;
    supportedFilesystems = lib.mkForce [ "brtfs" "vfat" ];
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot = {
        enable = true;
        configurationLimit = lib.mkDefault 5;
        consoleMode = lib.mkDefault "max";
      };
    };
  };

  services = {
    qemuGuest.enable = true;
    openssh = {
      enable = true;
      ports = lib.mkDefault [ 22 ];
      settings.PermitRootLogin = "yes";
      authorizedKeysFiles = lib.mkForce [
        "/etc/ssh/authorized_keys.d/%u"
      ];
    };
  };

  security.sudo.extraConfig = ''
    Defaults    env_keep+=SSH_AUTH_SOCK
    Defaults lecture = never
  '';

  security.pam = {
    sshAgentAuth.enable = true;
    services = {
      sudo.u2fAuth = true;
    };
  };

  environment.systemPackages = with pkgs; [
    curl
    git
    gnupg
    rsync
    ssh-to-age
    sops
    vim
    just
    sbctl
  ];

  programs = {
    git.enable = true;
  };

  fileSystems."/boot".options = [ "umask=0077" ];

  networking.networkmanager.enable = true;


}

{ lib, ... }:
let
  importNames = lib.swarselsystems.readNix "profiles/home/common";
in
{
  imports = lib.swarselsystems.mkImports importNames "profiles/home/common";
}

{ lib, config, ... }:
{
  nix = lib.mkIf (!config.swarselsystems.isNixos) {
    settings = {
      experimental-features = [
        "nix-command"
        "flakes"
        "ca-derivations"
        "cgroups"
        "pipe-operators"
      ];
      trusted-users = [ "@wheel" "swarsel" ];
      connect-timeout = 5;
      bash-prompt-prefix = "$SHLVL:\\w ";
      bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
      fallback = true;
      min-free = 128000000;
      max-free = 1000000000;
      auto-optimise-store = true;
      warn-dirty = false;
      max-jobs = 1;
      use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
    };
  };

  nixpkgs.overlays = lib.mkIf config.swarselsystems.isNixos (lib.mkForce null);

  programs.home-manager.enable = lib.mkIf (!config.swarselsystems.isNixos) true;

  home = {
    username = lib.mkDefault "swarsel";
    homeDirectory = lib.mkDefault "/home/${config.home.username}";
    stateVersion = lib.mkDefault "23.05";
    keyboard.layout = "us";
    sessionVariables = {
      FLAKE = "${config.home.homeDirectory}/.dotfiles";
    };
  };

}

{ config, lib, ... }:
{
  sops = lib.mkIf (!config.swarselsystems.isPublic) {
    age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" "${config.home.homeDirectory}/.ssh/ssh_host_ed25519_key" ];
    defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";

    validateSopsFiles = false;
    secrets = {
      mrswarsel = { path = "/run/user/1000/secrets/mrswarsel"; };
      nautilus = { path = "/run/user/1000/secrets/nautilus"; };
      leon = { path = "/run/user/1000/secrets/leon"; };
      swarselmail = { path = "/run/user/1000/secrets/swarselmail"; };
      github_notif = { path = "/run/user/1000/secrets/github_notif"; };
      u2f_keys = { path = "${config.home.homeDirectory}/.config/Yubico/u2f_keys"; };
    };
  };
}

_:
{
  programs.ssh = {
    enable = true;
    forwardAgent = true;
    extraConfig = ''
      SetEnv TERM=xterm-256color
      ServerAliveInterval 20
    '';
    matchBlocks = {
      # Local machines
      "pfsense" = {
        hostname = "192.168.1.1";
        user = "root";
      };
      "winters" = {
        hostname = "192.168.1.2";
        user = "swarsel";
      };
      "minecraft" = {
        hostname = "130.61.119.129";
        user = "opc";
      };
      "sync" = {
        hostname = "193.122.53.173";
        user = "root"; #this is a oracle vm server but needs root due to nixos-infect
      };
      "songdiver" = {
        hostname = "89.168.100.65";
        user = "ubuntu";
      };
      "pkv" = {
        hostname = "46.232.248.161";
        user = "root";
      };
      "efficient" = {
        hostname = "g0.complang.tuwien.ac.at";
        user = "ep01427399";
      };
    };
  };
}

{ lib, config, ... }:
{
  stylix = lib.mkIf (!config.swarselsystems.isNixos) (lib.recursiveUpdate
    {
      image = config.swarselsystems.wallpaper;
      targets = {
        emacs.enable = false;
        waybar.enable = false;
      };
    }
    config.swarselsystems.stylix);
}

_:
{
  xdg.desktopEntries = {

    cura = {
      name = "Ultimaker Cura";
      genericName = "Cura";
      exec = "cura";
      terminal = false;
      categories = [ "Application" ];
    };

    anki = {
      name = "Anki Flashcards";
      genericName = "Anki";
      exec = "anki";
      terminal = false;
      categories = [ "Application" ];
    };

    element = {
      name = "Element Matrix Client";
      genericName = "Element";
      exec = "element-desktop -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";
      terminal = false;
      categories = [ "Application" ];
    };

    emacsclient-newframe = {
      name = "Emacs (Client, New Frame)";
      genericName = "Emacs (Client, New Frame)";
      exec = "emacsclient -r %u";
      icon = "emacs";
      terminal = false;
      categories = [ "Development" "TextEditor" ];
    };

  };

  xdg.mimeApps = {

    enable = true;
    defaultApplications = {
      "x-scheme-handler/http" = [ "firefox.desktop" ];
      "x-scheme-handler/https" = [ "firefox.desktop" ];
      "x-scheme-handler/chrome" = [ "firefox.desktop" ];
      "text/plain" = [ "emacsclient.desktop" ];
      "text/csv" = [ "emacsclient.desktop" ];
      "text/html" = [ "firefox.desktop" ];
      "application/x-extension-htm" = [ "firefox.desktop" ];
      "application/x-extension-html" = [ "firefox.desktop" ];
      "application/x-extension-shtml" = [ "firefox.desktop" ];
      "application/xhtml+xml" = [ "firefox.desktop" ];
      "application/x-extension-xhtml" = [ "firefox.desktop" ];
      "application/x-extension-xht" = [ "firefox.desktop" ];
      "image/png" = [ "imv.desktop" ];
      "image/jpeg" = [ "imv.desktop" ];
      "image/gif" = [ "imv.desktop" ];
      "image/svg" = [ "imv.desktop" ];
      "image/webp" = [ "firefox.desktop" ];
      "image/vnd.adobe.photoshop" = [ "gimp.desktop" ];
      "image/vnd.dxf" = [ "org.inkscape.Inkscape.desktop" ];
      "audio/flac" = [ "mpv.desktop" ];
      "audio/mp3" = [ "mpv.desktop" ];
      "audio/ogg" = [ "mpv.desktop" ];
      "audio/wav" = [ "mpv.desktop" ];
      "video/mp4" = [ "umpv.desktop" ];
      "video/mkv" = [ "umpv.desktop" ];
      "video/flv" = [ "umpv.desktop" ];
      "video/3gp" = [ "umpv.desktop" ];
      "application/pdf" = [ "org.gnome.Evince.desktop" ];
      "application/metalink+xml" = [ "emacsclient.desktop" ];
      "application/sql" = [ "emacsclient.desktop" ];
      "application/vnd.ms-powerpoint" = [ "impress.desktop" ];
      "application/msword" = [ "writer.desktop" ];
      "application/vnd.ms-excel" = [ "calc.desktop" ];
    };
    associations = {
      added = {
        "application/x-zerosize" = [ "emacsclient.desktop" ];
      };
    };
  };
}

{ self, lib, ... }:
{
  home.file = {
    "init.el" = lib.mkDefault {
      source = self + /programs/emacs/init.el;
      target = ".emacs.d/init.el";
    };
    "early-init.el" = {
      source = self + /programs/emacs/early-init.el;
      target = ".emacs.d/early-init.el";
    };
    # on NixOS, Emacs does not find the aspell dicts easily. Write the configuration manually
    ".aspell.conf" = {
      source = self + /programs/config/.aspell.conf;
      target = ".aspell.conf";
    };
    ".gitmessage" = {
      source = self + /programs/git/.gitmessage;
      target = ".gitmessage";
    };
  };

  xdg.configFile = {
    "tridactyl/tridactylrc".source = self + /programs/firefox/tridactyl/tridactylrc;
    "tridactyl/themes/base16-codeschool.css".source = self + /programs/firefox/tridactyl/themes/base16-codeschool.css;
    "swayidle/config".source = self + /programs/swayidle/config;
  };
}

{ config, ... }:
{
  home.sessionVariables = {
    EDITOR = "e -w";
    DISPLAY = ":0";
    SWARSEL_LO_RES = config.swarselsystems.lowResolution;
    SWARSEL_HI_RES = config.swarselsystems.highResolution;
  };
}

{ pkgs, ... }:
{
  programs = {
    bottom.enable = true;
    imv.enable = true;
    sioyek.enable = true;
    bat = {
      enable = true;
      extraPackages = with pkgs.bat-extras; [ batdiff batman batgrep batwatch ];
    };
    carapace.enable = true;
    wlogout.enable = true;
    swayr.enable = true;
    yt-dlp.enable = true;
    mpv.enable = true;
    jq.enable = true;
    ripgrep.enable = true;
    pandoc.enable = true;
    fzf.enable = true;
    zoxide.enable = true;
  };
}

{ self, pkgs, ... }:
{
  programs.nix-index =
    let
      commandNotFound = pkgs.runCommandLocal "command-not-found.sh" { } ''
        mkdir -p $out/etc/profile.d
        substitute ${self + /scripts/command-not-found.sh}        \
          $out/etc/profile.d/command-not-found.sh                 \
          --replace-fail @nix-locate@ ${pkgs.nix-index}/bin/nix-locate \
          --replace-fail @tput@ ${pkgs.ncurses}/bin/tput
      '';
    in

    {
      enable = true;
      package = pkgs.symlinkJoin {
        name = "nix-index";
        paths = [ commandNotFound ];
      };
    };
}

{ pkgs, ... }:
{
  programs.password-store = {
    enable = true;
    settings = {
      PASSWORD_STORE_DIR = "$HOME/.local/share/password-store";
    };
    package = pkgs.pass.withExtensions (exts: [ exts.pass-otp ]);
  };
}

_:
{
  programs.direnv = {
    enable = true;
    silent = true;
    nix-direnv.enable = true;
  };
}

_:
{
  programs.eza = {
    enable = true;
    icons = "auto";
    git = true;
    extraOptions = [
      "-l"
      "--group-directories-first"
    ];
  };
}

{ lib, ... }:
{
  programs.git = {
    enable = true;
    aliases = {
      a = "add";
      c = "commit";
      cl = "clone";
      co = "checkout";
      b = "branch";
      i = "init";
      m = "merge";
      s = "status";
      r = "restore";
      p = "pull";
      pp = "push";
    };
    signing = {
      key = "0x76FD3810215AE097";
      signByDefault = true;
    };
    userEmail = lib.mkDefault "leon.schwarzaeugl@gmail.com";
    userName = "Leon Schwarzäugl";
    difftastic.enable = true;
    lfs.enable = true;
    includes = [
      {
        contents = {
          github = {
            user = "Swarsel";
          };
          commit = {
            template = "~/.gitmessage";
          };
        };
      }
    ];
  };
}

_:
{
  programs.fuzzel = {
    enable = true;
    settings = {
      main = {
        layer = "overlay";
        lines = "10";
        width = "40";
      };
      border.radius = "0";
    };
  };
}

_:
{
  programs.starship = {
    enable = true;
    enableZshIntegration = true;
    settings = {
      add_newline = false;
      format = "$shlvl$character";
      right_format = "$all";
      command_timeout = 3000;

      directory.substitutions = {
        "Documents" = "󰈙 ";
        "Downloads" = " ";
        "Music" = " ";
        "Pictures" = " ";
      };

      git_status = {
        style = "bg:#394260";
        format = "[[($all_status$ahead_behind)](fg:#769ff0 bg:#394260)]($style) ";
      };

      character = {
        success_symbol = "[λ](bold green)";
        error_symbol = "[λ](bold red)";
      };

      shlvl = {
        disabled = false;
        symbol = "↳";
        format = "[$symbol]($style) ";
        repeat = true;
        repeat_offset = 1;
        style = "blue";
      };

      nix_shell = {
        disabled = false;
        heuristic = true;
        format = "[$symbol$name]($style)";
        symbol = " ";
      };

      aws.symbol = " ";
      buf.symbol = " ";
      c.symbol = " ";
      conda.symbol = " ";
      dart.symbol = " ";
      directory.read_only = " 󰌾";
      docker_context.symbol = " ";
      elixir.symbol = " ";
      elm.symbol = " ";
      fossil_branch.symbol = " ";
      git_branch.symbol = " ";
      golang.symbol = " ";
      guix_shell.symbol = " ";
      haskell.symbol = " ";
      haxe.symbol = " ";
      hg_branch.symbol = " ";
      hostname.ssh_symbol = " ";
      java.symbol = " ";
      julia.symbol = " ";
      lua.symbol = " ";
      memory_usage.symbol = "󰍛 ";
      meson.symbol = "󰔷 ";
      nim.symbol = "󰆥 ";
      nodejs.symbol = " ";

      os.symbols = {
        Alpaquita = " ";
        Alpine = " ";
        Amazon = " ";
        Android = " ";
        Arch = " ";
        Artix = " ";
        CentOS = " ";
        Debian = " ";
        DragonFly = " ";
        Emscripten = " ";
        EndeavourOS = " ";
        Fedora = " ";
        FreeBSD = " ";
        Garuda = "󰛓 ";
        Gentoo = " ";
        HardenedBSD = "󰞌 ";
        Illumos = "󰈸 ";
        Linux = " ";
        Mabox = " ";
        Macos = " ";
        Manjaro = " ";
        Mariner = " ";
        MidnightBSD = " ";
        Mint = " ";
        NetBSD = " ";
        NixOS = " ";
        OpenBSD = "󰈺 ";
        openSUSE = " ";
        OracleLinux = "󰌷 ";
        Pop = " ";
        Raspbian = " ";
        Redhat = " ";
        RedHatEnterprise = " ";
        Redox = "󰀘 ";
        Solus = "󰠳 ";
        SUSE = " ";
        Ubuntu = " ";
        Unknown = " ";
        Windows = "󰍲 ";
      };

      package.symbol = "󰏗 ";
      pijul_channel.symbol = " ";
      python.symbol = " ";
      rlang.symbol = "󰟔 ";
      ruby.symbol = " ";
      rust.symbol = " ";
      scala.symbol = " ";
    };
  };
}

_:
{
  programs.kitty = {
    enable = true;
    keybindings = { };
    settings = {
      scrollback_lines = 10000;
      enable_audio_bell = false;
      notify_on_cmd_finish = "always 20";
    };
  };
}

{ config, pkgs, lib, ... }:
{
  programs.zsh = {
    enable = true;
    shellAliases = lib.recursiveUpdate
      {
        hg = "history | grep";
        hmswitch = "home-manager --flake ${config.swarselsystems.flakePath}#$(whoami)@$(hostname) switch |& nom";
        nswitch = "sudo nixos-rebuild --flake ${config.swarselsystems.flakePath}#$(hostname) --show-trace --log-format internal-json -v switch |& nom --json";
        nboot = "sudo nixos-rebuild --flake ${config.swarselsystems.flakePath}#$(hostname) --show-trace --log-format internal-json -v boot |& nom --json";
        magit = "emacsclient -nc -e \"(magit-status)\"";
        config = "git --git-dir=$HOME/.cfg/ --work-tree=$HOME";
        g = "git";
        c = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/";
        passpush = "cd ~/.local/share/password-store; git add .; git commit -m 'pass file changes'; git push; cd -;";
        passpull = "cd ~/.local/share/password-store; git pull; cd -;";
        hotspot = "nmcli connection up local; nmcli device wifi hotspot;";
        cd = "z";
        cd-orig = "cd";
        cat-orig = "cat";
        cdr = "cd \"$( (find $DOCUMENT_DIR_WORK $DOCUMENT_DIR_PRIV -maxdepth 1 && echo $FLAKE) | fzf )\"";
        nix-ldd-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
        nix-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
        nix-ldd-locate = "nix-locate --minimal --top-level -w ";
        nix-store-search = "ls /nix/store | grep";
        fs-diff = "sudo mount -o subvol=/ /dev/mapper/cryptroot /mnt ; fs-diff";
        lt = "eza -las modified --total-size";
        boot-diff = "nix store diff-closures /run/*-system";
        gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system";
        cc = "wl-copy";
      }
      config.swarselsystems.shellAliases;
    autosuggestion.enable = true;
    enableCompletion = true;
    syntaxHighlighting.enable = true;
    autocd = false;
    cdpath = [
      "~/.dotfiles"
      # "~/Documents/GitHub"
    ];
    defaultKeymap = "emacs";
    dirHashes = {
      dl = "$HOME/Downloads";
      gh = "$HOME/Documents/GitHub";
    };
    history = {
      expireDuplicatesFirst = true;
      path = "$HOME/.histfile";
      save = 10000;
      size = 10000;
    };
    historySubstringSearch = {
      enable = true;
      searchDownKey = "^[OB";
      searchUpKey = "^[OA";
    };
    plugins = [
      {
        name = "fzf-tab";
        src = pkgs.zsh-fzf-tab;
      }
    ];
    initExtra = ''
      bindkey "^[[1;5D" backward-word
      bindkey "^[[1;5C" forward-word

      my-backward-delete-word() {
          # Copy the global WORDCHARS variable to a local variable. That way any
          # modifications are scoped to this function only
          local WORDCHARS=$WORDCHARS
          # Use bash string manipulation to remove `:` so our delete will stop at it
          WORDCHARS="''${WORDCHARS//:}"
          # Use bash string manipulation to remove `/` so our delete will stop at it
          WORDCHARS="''${WORDCHARS//\/}"
          # Use bash string manipulation to remove `.` so our delete will stop at it
          WORDCHARS="''${WORDCHARS//.}"
          # zle <widget-name> will run an existing widget.
          zle backward-delete-word
      }
      zle -N my-backward-delete-word
      bindkey '^H' my-backward-delete-word

      # This will be our `ctrl+alt+w` command
      my-backward-delete-whole-word() {
          # Copy the global WORDCHARS variable to a local variable. That way any
          # modifications are scoped to this function only
          local WORDCHARS=$WORDCHARS
          # Use bash string manipulation to add `:` to WORDCHARS if it's not present
          # already.
          [[ ! $WORDCHARS == *":"* ]] && WORDCHARS="$WORDCHARS"":"
          # zle <widget-name> will run that widget.
          zle backward-delete-word
      }
      # `zle -N` will create a new widget that we can use on the command line
      zle -N my-backward-delete-whole-word
      # bind this new widget to `ctrl+alt+w`
      bindkey '^W' my-backward-delete-whole-word
    '';
  };
}

{ self, config, pkgs, ... }:
{

  programs.zellij = {
    enable = true;
  };

  home.packages = with pkgs; [
    zjstatus
  ];

  xdg.configFile = {
    "zellij/config.kdl".text = import "${self}/programs/zellij/config.kdl.nix" { inherit config; };
    "zellij/layouts/default.kdl".text = import "${self}/programs/zellij/layouts/default.kdl.nix" { inherit config pkgs; };
  };

}

{ pkgs, ... }:
let
  tmux-super-fingers = pkgs.tmuxPlugins.mkTmuxPlugin
    {
      pluginName = "tmux-super-fingers";
      version = "unstable-2023-01-06";
      src = pkgs.fetchFromGitHub {
        owner = "artemave";
        repo = "tmux_super_fingers";
        rev = "2c12044984124e74e21a5a87d00f844083e4bdf7";
        sha256 = "sha256-cPZCV8xk9QpU49/7H8iGhQYK6JwWjviL29eWabuqruc=";
      };
    };
in
{

  home.packages = with pkgs; [
    lsof
    sesh
  ];

  programs.tmux = {
    enable = true;
    shell = "${pkgs.zsh}/bin/zsh";
    terminal = "tmux-256color";
    historyLimit = 100000;
    plugins = with pkgs;
      [
        tmuxPlugins.tmux-thumbs
        {
          plugin = tmux-super-fingers;
          extraConfig = "set -g @super-fingers-key f";
        }

        tmuxPlugins.sensible
        # must be before continuum edits right status bar
        {
          plugin = tmuxPlugins.catppuccin;
          extraConfig = ''
            set -g @catppuccin_flavour 'frappe'
            set -g @catppuccin_window_tabs_enabled on
            set -g @catppuccin_date_time "%H:%M"
          '';
        }
        {
          plugin = tmuxPlugins.resurrect;
          extraConfig = ''
            set -g @resurrect-strategy-vim 'session'
            set -g @resurrect-strategy-nvim 'session'
            set -g @resurrect-capture-pane-contents 'on'
          '';
        }
        {
          plugin = tmuxPlugins.continuum;
          extraConfig = ''
            set -g @continuum-restore 'on'
            set -g @continuum-boot 'on'
            set -g @continuum-save-interval '10'
          '';
        }
        tmuxPlugins.better-mouse-mode
        tmuxPlugins.yank
      ];
    extraConfig = ''
      set -g default-terminal "tmux-256color"
      set -ag terminal-overrides ",xterm-256color:RGB"

      set-option -g prefix C-a
      unbind-key C-b
      bind-key C-a send-prefix

      set -g mouse on

      # Open new split at cwd of current split
      bind | split-window -h -c "#{pane_current_path}"
      bind - split-window -v -c "#{pane_current_path}"

      # Use vim keybindings in copy mode
      set-window-option -g mode-keys vi

      # v in copy mode starts making selection
      bind-key -T copy-mode-vi v send-keys -X begin-selection
      bind-key -T copy-mode-vi C-v send-keys -X rectangle-toggle
      bind-key -T copy-mode-vi y send-keys -X copy-selection-and-cancel

      # Escape turns on copy mode
      bind Escape copy-mode

      set-option -g status-position top

      # make Prefix p paste the buffer.
      unbind p
      bind p paste-buffer

    '';
  };
}

{ lib, config, ... }:
{
  programs.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
    enable = true;
  };
  services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
    enable = true;
  };
  # this is needed so that mbsync can use the passwords from sops
  systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ];

  programs.msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
    enable = true;
  };

  programs.mu = lib.mkIf (!config.swarselsystems.isPublic) {
    enable = true;
  };

  accounts.email = lib.mkIf (!config.swarselsystems.isPublic) {
    maildirBasePath = "Mail";
    accounts.leon = {
      primary = true;
      address = "leon.schwarzaeugl@gmail.com";
      userName = "leon.schwarzaeugl@gmail.com";
      realName = "Leon Schwarzäugl";
      passwordCommand = "cat ${config.sops.secrets.leon.path}";
      gpg = {
        key = "0x76FD3810215AE097";
        signByDefault = true;
      };
      imap.host = "imap.gmail.com";
      smtp.host = "smtp.gmail.com";
      mu.enable = true;
      msmtp = {
        enable = true;
      };
      mbsync = {
        enable = true;
        create = "maildir";
        expunge = "both";
        patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
        extraConfig = {
          channel = {
            Sync = "All";
          };
          account = {
            Timeout = 120;
            PipelineDepth = 1;
          };
        };
      };
    };

    accounts.swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
      address = "leon@swarsel.win";
      userName = "8227dc594dd515ce232eda1471cb9a19";
      realName = "Leon Schwarzäugl";
      passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
      smtp = {
        host = "in-v3.mailjet.com";
        port = 587;
        tls = {
          enable = true;
          useStartTls = true;
        };
      };
      mu.enable = false;
      msmtp = {
        enable = true;
      };
      mbsync = {
        enable = false;
      };
    };

    accounts.nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
      primary = false;
      address = "nautilus.dw@gmail.com";
      userName = "nautilus.dw@gmail.com";
      realName = "Nautilus";
      passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
      imap.host = "imap.gmail.com";
      smtp.host = "smtp.gmail.com";
      msmtp.enable = true;
      mu.enable = true;
      mbsync = {
        enable = true;
        create = "maildir";
        expunge = "both";
        patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
        extraConfig = {
          channel = {
            Sync = "All";
          };
          account = {
            Timeout = 120;
            PipelineDepth = 1;
          };
        };
      };
    };
    accounts.mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
      primary = false;
      address = "mrswarsel@gmail.com";
      userName = "mrswarsel@gmail.com";
      realName = "Swarsel";
      passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
      imap.host = "imap.gmail.com";
      smtp.host = "smtp.gmail.com";
      msmtp.enable = true;
      mu.enable = true;
      mbsync = {
        enable = true;
        create = "maildir";
        expunge = "both";
        patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
        extraConfig = {
          channel = {
            Sync = "All";
          };
          account = {
            Timeout = 120;
            PipelineDepth = 1;
          };
        };
      };
    };
  };
}

{ self, lib, config, pkgs, ... }:
{

  # needed for elfeed
  sops.secrets.fever = lib.mkIf (!config.swarselsystems.isPublic) { path = "${config.home.homeDirectory}/.emacs.d/.fever"; };

  # enable emacs overlay for bleeding edge features
  # also read init.el file and install use-package packages
  programs.emacs = {
    enable = true;
    package = pkgs.emacsWithPackagesFromUsePackage {
      config = self + /programs/emacs/init.el;
      package = pkgs.emacs-pgtk;
      alwaysEnsure = true;
      alwaysTangle = true;
      extraEmacsPackages = epkgs: [
        epkgs.mu4e
        epkgs.use-package
        epkgs.lsp-bridge
        epkgs.doom-themes
        epkgs.vterm
        epkgs.treesit-grammars.with-all-grammars

        # build the rest of the packages myself
        # org-calfw is severely outdated on MELPA and throws many warnings on emacs startup
        # build the package from the haji-ali fork, which is well-maintained

        (epkgs.trivialBuild rec {
          pname = "eglot-booster";
          version = "main-29-10-2024";

          src = pkgs.fetchFromGitHub {
            owner = "jdtsmith";
            repo = "eglot-booster";
            rev = "e6daa6bcaf4aceee29c8a5a949b43eb1b89900ed";
            hash = "sha256-PLfaXELkdX5NZcSmR1s/kgmU16ODF8bn56nfTh9g6bs=";
          };

          packageRequires = [ epkgs.jsonrpc epkgs.eglot ];
        })
        (epkgs.trivialBuild rec {
          pname = "calfw";
          version = "1.0.0-20231002";
          src = pkgs.fetchFromGitHub {
            owner = "haji-ali";
            repo = "emacs-calfw";
            rev = "bc99afee611690f85f0cd0bd33300f3385ddd3d3";
            hash = "sha256-0xMII1KJhTBgQ57tXJks0ZFYMXIanrOl9XyqVmu7a7Y=";
          };
          packageRequires = [ epkgs.howm ];
        })

        (epkgs.trivialBuild rec {
          pname = "fast-scroll";
          version = "1.0.0-20191016";
          src = pkgs.fetchFromGitHub {
            owner = "ahungry";
            repo = "fast-scroll";
            rev = "3f6ca0d5556fe9795b74714304564f2295dcfa24";
            hash = "sha256-w1wmJW7YwXyjvXJOWdN2+k+QmhXr4IflES/c2bCX3CI=";
          };
          packageRequires = [ ];
        })

      ];
    };
  };

  services.emacs = {
    enable = true;
    # socketActivation.enable = false;
    # startWithUserSession = "graphical";
  };
}

{ self, config, lib, ... }:
{
  programs.waybar = {

    enable = true;
    systemd = {
      enable = true;
      target = "sway-sessions.target";
    };
    settings = {
      mainBar = {
        ipc = true;
        id = "bar-0";
        layer = "top";
        position = "top";
        modules-left = [ "sway/workspaces" "custom/outer-right-arrow-dark" "sway/window" ];
        modules-center = [ "sway/mode" "privacy" "custom/github" "custom/configwarn" "custom/nix-updates" ];
        "sway/mode" = {
          format = "<span style=\"italic\" font-weight=\"bold\">{}</span>";
        };

        modules-right = config.swarselsystems.waybarModules;

        "custom/pseudobat" = lib.mkIf (!config.swarselsystems.isLaptop) {
          format = "";
          on-click-right = "wlogout -p layer-shell";
        };

        "custom/configwarn" = {
          exec = "waybarupdate";
          interval = 60;
        };

        "custom/scratchpad-indicator" = {
          interval = 3;
          exec = "swaymsg -t get_tree | jq 'recurse(.nodes[]) | first(select(.name==\"__i3_scratch\")) | .floating_nodes | length | select(. >= 1)'";
          format = "{} ";
          on-click = "swaymsg 'scratchpad show'";
          on-click-right = "swaymsg 'move scratchpad'";
        };

        "custom/github" = {
          format = "{}  ";
          return-type = "json";
          interval = 60;
          exec = "github-notifications";
          on-click = "xdg-open https://github.com/notifications";
        };

        # "custom/nix-updates" = {
        #   exec = "update-checker";
        #   on-click = "update-checker && notify-send 'The system has been updated'";
        #   interval = "once";
        #   tooltip = true;
        #   return-type = "json";
        #   format = "{} {icon}";
        #   format-icon = {
        #     "has-updates" = "";
        #     "updated" = " ";
        #   };
        # };

        idle_inhibitor = {
          format = "{icon}";
          format-icons = {
            activated = "";
            deactivated = "";
          };
        };

        "group/hardware" = {
          orientation = "inherit";
          drawer = {
            "transition-left-to-right" = false;
          };
          modules = [
            "tray"
            "temperature"
            "power-profiles-daemon"
            "custom/left-arrow-light"
            "custom/left-arrow-dark"
            "custom/scratchpad-indicator"
            "custom/left-arrow-light"
            "disk"
            "custom/left-arrow-dark"
            "memory"
            "custom/left-arrow-light"
            "cpu"
            "custom/left-arrow-dark"
            "backlight/slider"
            "idle_inhibitor"
          ];
        };

        "backlight/slider" = {
          min = 0;
          max = 100;
          orientation = "horizontal";
          device = "intel_backlight";
        };

        power-profiles-daemon = {
          format = "{icon}";
          tooltip-format = "Power profile: {profile}\nDriver: {driver}";
          tooltip = true;
          format-icons = {
            "default" = "";
            "performance" = "";
            "balanced" = "";
            "power-saver" = "";
          };
        };

        temperature = {
          hwmon-path = lib.mkIf (!config.swarselsystems.temperatureHwmon.isAbsolutePath) config.swarselsystems.temperatureHwmon.path;
          hwmon-path-abs = lib.mkIf config.swarselsystems.temperatureHwmon.isAbsolutePath config.swarselsystems.temperatureHwmon.path;
          input-filename = lib.mkIf config.swarselsystems.temperatureHwmon.isAbsolutePath config.swarselsystems.temperatureHwmon.input-filename;
          critical-threshold = 80;
          format-critical = " {temperatureC}°C";
          format = " {temperatureC}°C";

        };

        mpris = {
          format = "{player_icon} {title} <small>[{position}/{length}]</small>";
          format-paused = "{player_icon}  <i>{title} <small>[{position}/{length}]</small></i>";
          player-icons = {
            "default" = "▶ ";
            "mpv" = "🎵 ";
            "spotify" = " ";
          };
          status-icons = {
            "paused" = " ";
          };
          interval = 1;
          title-len = 20;
          artist-len = 20;
          album-len = 10;
        };
        "custom/left-arrow-dark" = {
          format = "";
          tooltip = false;
        };
        "custom/outer-left-arrow-dark" = {
          format = "";
          tooltip = false;
        };
        "custom/left-arrow-light" = {
          format = "";
          tooltip = false;
        };
        "custom/right-arrow-dark" = {
          format = "";
          tooltip = false;
        };
        "custom/outer-right-arrow-dark" = {
          format = "";
          tooltip = false;
        };
        "custom/right-arrow-light" = {
          format = "";
          tooltip = false;
        };
        "sway/workspaces" = {
          disable-scroll = true;
          format = "{name}";
        };

        "clock#1" = {
          min-length = 8;
          interval = 1;
          format = "{:%H:%M:%S}";
          # on-click-right= "gnome-clocks";
          tooltip-format = "<big>{:%Y %B}</big>\n<tt><small>{calendar}</small></tt>";
        };

        "clock#2" = {
          format = "{:%d. %B %Y}";
          # on-click-right= "gnome-clocks";
          tooltip-format = "<big>{:%Y %B}</big>\n<tt><small>{calendar}</small></tt>";
        };

        pulseaudio = {
          format = "{icon} {volume:2}%";
          format-bluetooth = "{icon} {volume}%";
          format-muted = "MUTE";
          format-icons = {
            headphones = "";
            default = [
              ""
              ""
            ];
          };
          scroll-step = 1;
          on-click = "pamixer -t";
          on-click-right = "pavucontrol";
        };

        memory = {
          interval = 5;
          format = " {}%";
          tooltip-format = "Memory: {used:0.1f}G/{total:0.1f}G\nSwap: {swapUsed}G/{swapTotal}G";
        };
        cpu = {
          format = config.swarselsystems.cpuString;
          min-length = 6;
          interval = 5;
          format-icons = [ "▁" "▂" "▃" "▄" "▅" "▆" "▇" "█" ];
          # on-click-right= "com.github.stsdc.monitor";
          on-click-right = "kitty -o confirm_os_window_close=0 btm";

        };
        "custom/vpn" = {
          format = "()";
          exec = "echo '{\"class\": \"connected\"}'";
          exec-if = "test -d /proc/sys/net/ipv4/conf/tun0";
          return-type = "json";
          interval = 5;
        };
        battery = {
          states = {
            "warning" = 60;
            "error" = 30;
            "critical" = 15;
          };
          interval = 5;
          format = "{icon} {capacity}%";
          format-charging = "{capacity}% ";
          format-plugged = "{capacity}% ";
          format-icons = [
            ""
            ""
            ""
            ""
            ""
          ];
          on-click-right = "wlogout -p layer-shell";
        };
        disk = {
          interval = 30;
          format = "Disk {percentage_used:2}%";
          path = "/";
          states = {
            "warning" = 80;
            "critical" = 90;
          };
          tooltip-format = "{used} used out of {total} on {path} ({percentage_used}%)\n{free} free on {path} ({percentage_free}%)";
        };
        tray = {
          icon-size = 20;
        };
        network = {
          interval = 5;
          format-wifi = "{signalStrength}% ";
          format-ethernet = "";
          format-linked = "{ifname} (No IP) ";
          format-disconnected = "Disconnected ⚠";
          format-alt = "{ifname}: {ipaddr}/{cidr}";
          tooltip-format-ethernet = "{ifname} via {gwaddr}: {essid} {ipaddr}/{cidr}\n\n⇡{bandwidthUpBytes} ⇣{bandwidthDownBytes}";
          tooltip-format-wifi = "{ifname} via {gwaddr}: {essid} {ipaddr}/{cidr} \n{signaldBm}dBm @ {frequency}MHz\n\n⇡{bandwidthUpBytes} ⇣{bandwidthDownBytes}";
        };
      };
    };
    style = builtins.readFile (self + /programs/waybar/style.css);
  };
}

{ self, pkgs, lib, ... }:
let
  lock-false = {
    Value = false;
    Status = "locked";
  };
  lock-true = {
    Value = true;
    Status = "locked";
  };
in
{
  programs.firefox = {
    enable = true;
    package = pkgs.firefox; # uses overrides
    policies = {
      # CaptivePortal = false;
      AppAutoUpdate = false;
      BackgroundAppUpdate = false;
      DisableBuiltinPDFViewer = true;
      DisableFirefoxStudies = true;
      DisablePocket = true;
      DisableFirefoxScreenshots = true;
      DisableTelemetry = true;
      DisableFirefoxAccounts = false;
      DisableProfileImport = true;
      DisableProfileRefresh = true;
      DisplayBookmarksToolbar = "always";
      DontCheckDefaultBrowser = true;
      NoDefaultBookmarks = true;
      OfferToSaveLogins = false;
      OfferToSaveLoginsDefault = false;
      PasswordManagerEnabled = false;
      DisableMasterPasswordCreation = true;
      ExtensionUpdate = false;
      EnableTrackingProtection = {
        Value = true;
        Locked = true;
        Cryptomining = true;
        Fingerprinting = true;
        EmailTracking = true;
        # Exceptions = ["https://example.com"]
      };
      PDFjs = {
        Enabled = false;
        EnablePermissions = false;
      };
      Handlers = {
        mimeTypes."application/pdf".action = "saveToDisk";
      };
      extensions = {
        pdf = {
          action = "useHelperApp";
          ask = true;
          handlers = [
            {
              name = "GNOME Document Viewer";
              path = "${pkgs.evince}/bin/evince";
            }
          ];
        };
      };
      FirefoxHome = {
        Search = true;
        TopSites = true;
        SponsoredTopSites = false;
        Highlights = true;
        Pocket = false;
        SponsoredPocket = false;
        Snippets = false;
        Locked = true;
      };
      FirefoxSuggest = {
        WebSuggestions = false;
        SponsoredSuggestions = false;
        ImproveSuggest = false;
        Locked = true;
      };
      SanitizeOnShutdown = {
        Cache = true;
        Cookies = false;
        Downloads = true;
        FormData = true;
        History = false;
        Sessions = false;
        SiteSettings = false;
        OfflineApps = true;
        Locked = true;
      };
      SearchEngines = {
        PreventInstalls = true;
        Remove = [
          "Bing" # Fuck you
        ];
      };
      UserMessaging = {
        ExtensionRecommendations = false; # Don’t recommend extensions while the user is visiting web pages
        FeatureRecommendations = false; # Don’t recommend browser features
        Locked = true; # Prevent the user from changing user messaging preferences
        MoreFromMozilla = false; # Don’t show the “More from Mozilla” section in Preferences
        SkipOnboarding = true; # Don’t show onboarding messages on the new tab page
        UrlbarInterventions = false; # Don’t offer suggestions in the URL bar
        WhatsNew = false; # Remove the “What’s New” icon and menuitem
      };
      ExtensionSettings = {
        "3rdparty".Extensions = {
          # https://github.com/gorhill/uBlock/blob/master/platform/common/managed_storage.json
          "uBlock0@raymondhill.net".adminSettings = {
            userSettings = rec {
              uiTheme = "dark";
              uiAccentCustom = true;
              uiAccentCustom0 = "#0C8084";
              cloudStorageEnabled = lib.mkForce false;
              importedLists = [
                "https://filters.adtidy.org/extension/ublock/filters/3.txt"
                "https://github.com/DandelionSprout/adfilt/raw/master/LegitimateURLShortener.txt"
              ];
              externalLists = lib.concatStringsSep "\n" importedLists;
            };
            selectedFilterLists = [
              "CZE-0"
              "adguard-generic"
              "adguard-annoyance"
              "adguard-social"
              "adguard-spyware-url"
              "easylist"
              "easyprivacy"
              "https://github.com/DandelionSprout/adfilt/raw/master/LegitimateURLShortener.txt"
              "plowe-0"
              "ublock-abuse"
              "ublock-badware"
              "ublock-filters"
              "ublock-privacy"
              "ublock-quick-fixes"
              "ublock-unbreak"
              "urlhaus-1"
            ];
          };
        };

      };

    };

    profiles.default = {
      id = 0;
      isDefault = true;
      userChrome = builtins.readFile (self + /programs/firefox/chrome/userChrome.css);
      extensions = {
        packages = with pkgs.nur.repos.rycee.firefox-addons; [
          tridactyl
          tampermonkey
          sidebery
          browserpass
          clearurls
          darkreader
          enhancer-for-youtube
          istilldontcareaboutcookies
          translate-web-pages
          ublock-origin
          reddit-enhancement-suite
          sponsorblock
          web-archives
          single-file
          widegithub
          enhanced-github
          unpaywall
          don-t-fuck-with-paste
          plasma-integration

          # configure the default the same as trusted in order not to be annoyed
          noscript

          # configure a shortcut 'ctrl+shift+c' with behaviour 'do nothing' in order to disable the dev console shortcut
          (buildFirefoxXpiAddon {
            pname = "shortkeys";
            version = "4.0.2";
            addonId = "Shortkeys@Shortkeys.com";
            url = "https://addons.mozilla.org/firefox/downloads/file/3673761/shortkeys-4.0.2.xpi";
            sha256 = "c6fe12efdd7a871787ac4526eea79ecc1acda8a99724aa2a2a55c88a9acf467c";
            meta = with lib;
              {
                description = "Easily customizable custom keyboard shortcuts for Firefox. To configure this addon go to Addons (ctrl+shift+a) ->Shortkeys ->Options. Report issues here (please specify that the issue is found in Firefox): https://github.com/mikecrittenden/shortkeys";
                mozPermissions = [
                  "tabs"
                  "downloads"
                  "clipboardWrite"
                  "browsingData"
                  "storage"
                  "bookmarks"
                  "sessions"
                  "<all_urls>"
                ];
                platforms = platforms.all;
              };
          })

        ];
      };

      settings = {
        "extensions.autoDisableScopes" = 0;
        "browser.startup.homepage" = "https://outlook.office.com|https://satellite.vbc.ac.at|https://bitbucket.vbc.ac.at|https://github.com";
        "browser.bookmarks.showMobileBookmarks" = lock-true;
        "toolkit.legacyUserProfileCustomizations.stylesheets" = lock-true;
        "browser.search.suggest.enabled" = lock-false;
        "browser.search.suggest.enabled.private" = lock-false;
        "browser.urlbar.suggest.searches" = lock-false;
        "browser.urlbar.showSearchSuggestionsFirst" = lock-false;
        "browser.topsites.contile.enabled" = lock-false;
        "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false;
        "browser.newtabpage.activity-stream.feeds.snippets" = lock-false;
        "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false;
        "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false;
        "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false;
        "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false;
        "browser.newtabpage.activity-stream.showSponsored" = lock-false;
        "browser.newtabpage.activity-stream.system.showSponsored" = lock-false;
        "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false;
      };

      search = {
        default = "Kagi";
        privateDefault = "Kagi";
        engines = {
          "Kagi" = {
            urls = [{
              template = "https://kagi.com/search";
              params = [
                { name = "q"; value = "{searchTerms}"; }
              ];
            }];
            iconUpdateURL = "https://kagi.com/favicon.ico";
            updateInterval = 24 * 60 * 60 * 1000; # every day
            definedAliases = [ "@k" ];
          };

          "Nix Packages" = {
            urls = [{
              template = "https://search.nixos.org/packages";
              params = [
                { name = "type"; value = "packages"; }
                { name = "query"; value = "{searchTerms}"; }
              ];
            }];
            icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
            definedAliases = [ "@np" ];
          };

          "NixOS Wiki" = {
            urls = [{
              template = "https://nixos.wiki/index.php?search={searchTerms}";
            }];
            iconUpdateURL = "https://nixos.wiki/favicon.png";
            updateInterval = 24 * 60 * 60 * 1000; # every day
            definedAliases = [ "@nw" ];
          };

          "NixOS Options" = {
            urls = [{
              template = "https://search.nixos.org/options";
              params = [
                { name = "query"; value = "{searchTerms}"; }
              ];
            }];

            icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
            definedAliases = [ "@no" ];
          };

          "Home Manager Options" = {
            urls = [{
              template = "https://home-manager-options.extranix.com/";
              params = [
                { name = "query"; value = "{searchTerms}"; }
              ];
            }];

            icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
            definedAliases = [ "@hm" "@ho" "@hmo" ];
          };

          "Google".metaData.alias = "@g";
        };
        force = true; # this is required because otherwise the search.json.mozlz4 symlink gets replaced on every firefox restart
      };
    };
  };
}

{ config, lib, ... }:
let
  inherit (config.swarselsystems) monitors;
  workplaceSets = lib.mapAttrs' lib.swarselsystems.eachOutput monitors;
  workplaceOutputs = map (key: lib.getAttr key workplaceSets) (lib.attrNames workplaceSets);
in
{
  wayland.windowManager.sway = {
    enable = true;
    checkConfig = false; # delete this line once SwayFX is fixed upstream
    package = lib.mkIf config.swarselsystems.isNixos null;
    systemd = {
      enable = true;
      xdgAutostart = true;
    };
    wrapperFeatures.gtk = true;
    config = rec {
      modifier = "Mod4";
      # terminal = "kitty";
      menu = "fuzzel";
      bars = [{
        command = "waybar";
        mode = "hide";
        hiddenState = "hide";
        position = "top";
        extraConfig = "modifier Mod4";
      }];
      keybindings =
        let
          inherit (config.wayland.windowManager.sway.config) modifier;
        in
        lib.recursiveUpdate
          {
            "${modifier}+q" = "kill";
            "${modifier}+f" = "exec firefox";
            "${modifier}+Shift+f" = "exec swaymsg fullscreen";
            "${modifier}+Space" = "exec fuzzel";
            "${modifier}+Shift+Space" = "floating toggle";
            "${modifier}+e" = "exec emacsclient -nquc -a emacs -e \"(dashboard-open)\"";
            "${modifier}+Shift+m" = "exec emacsclient -nquc -a emacs -e \"(mu4e)\"";
            "${modifier}+Shift+c" = "exec emacsclient -nquc -a emacs -e \"(swarsel/open-calendar)\"";
            "${modifier}+m" = "exec swaymsg workspace back_and_forth";
            "${modifier}+a" = "exec swarselcheck -s";
            "${modifier}+x" = "exec swarselcheck -k";
            "${modifier}+d" = "exec swarselcheck -d";
            "${modifier}+w" = "exec swarselcheck -e";
            "${modifier}+Shift+t" = "exec opacitytoggle";
            "${modifier}+Shift+F12" = "move scratchpad";
            "${modifier}+F12" = "scratchpad show";
            "${modifier}+c" = "exec qalculate-gtk";
            "${modifier}+p" = "exec pass-fuzzel";
            "${modifier}+o" = "exec pass-fuzzel --otp";
            "${modifier}+Shift+p" = "exec pass-fuzzel --type";
            "${modifier}+Shift+o" = "exec pass-fuzzel --otp --type";
            "${modifier}+Ctrl+p" = "exec 1password --quick-acces";
            "${modifier}+Escape" = "mode $exit";
            "${modifier}+Shift+Escape" = "exec kitty -o confirm_os_window_close=0 btm";
            "${modifier}+h" = "exec hyprpicker | wl-copy";
            "${modifier}+s" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
            "${modifier}+Shift+s" = "exec slurp | grim -g - Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')";
            "${modifier}+Shift+v" = "exec wf-recorder -g '$(slurp -f %o -or)' -f ~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv";
            "${modifier}+1" = "workspace 1:一";
            "${modifier}+Shift+1" = "move container to workspace 1:一";
            "${modifier}+2" = "workspace 2:二";
            "${modifier}+Shift+2" = "move container to workspace 2:二";
            "${modifier}+3" = "workspace 3:三";
            "${modifier}+Shift+3" = "move container to workspace 3:三";
            "${modifier}+4" = "workspace 4:四";
            "${modifier}+Shift+4" = "move container to workspace 4:四";
            "${modifier}+5" = "workspace 5:五";
            "${modifier}+Shift+5" = "move container to workspace 5:五";
            "${modifier}+6" = "workspace 6:六";
            "${modifier}+Shift+6" = "move container to workspace 6:六";
            "${modifier}+7" = "workspace 7:七";
            "${modifier}+Shift+7" = "move container to workspace 7:七";
            "${modifier}+8" = "workspace 8:八";
            "${modifier}+Shift+8" = "move container to workspace 8:八";
            "${modifier}+9" = "workspace 9:九";
            "${modifier}+Shift+9" = "move container to workspace 9:九";
            "${modifier}+0" = "workspace 10:十";
            "${modifier}+Shift+0" = "move container to workspace 10:十";
            "${modifier}+Ctrl+m" = "workspace 11:M";
            "${modifier}+Ctrl+Shift+m" = "move container to workspace 11:M";
            "${modifier}+Ctrl+s" = "workspace 12:S";
            "${modifier}+Ctrl+Shift+s" = "move container to workspace 12:S";
            "${modifier}+Ctrl+e" = "workspace 13:E";
            "${modifier}+Ctrl+Shift+e" = "move container to workspace 13:E";
            "${modifier}+Ctrl+t" = "workspace 14:T";
            "${modifier}+Ctrl+Shift+t" = "move container to workspace 14:T";
            "${modifier}+Ctrl+l" = "workspace 15:L";
            "${modifier}+Ctrl+Shift+l" = "move container to workspace 15:L";
            "${modifier}+Ctrl+f" = "workspace 16:F";
            "${modifier}+Ctrl+Shift+f" = "move container to workspace 16:F";
            "${modifier}+Left" = "focus left";
            "${modifier}+Right" = "focus right";
            "${modifier}+Down" = "focus down";
            "${modifier}+Up" = "focus up";
            "${modifier}+Shift+Left" = "move left 40px";
            "${modifier}+Shift+Right" = "move right 40px";
            "${modifier}+Shift+Down" = "move down 40px";
            "${modifier}+Shift+Up" = "move up 40px";
            "${modifier}+Ctrl+Shift+c" = "reload";
            "${modifier}+Ctrl+Shift+r" = "exec swarsel-displaypower";
            "${modifier}+Shift+e" = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
            "${modifier}+r" = "mode resize";
            "${modifier}+Return" = "exec swarselzellij";
            "${modifier}+Print" = "exec screenshare";
            # "XF86AudioRaiseVolume" = "exec pa 5%";
            "XF86AudioRaiseVolume" = "exec pamixer -i 5";
            # "XF86AudioLowerVolume" = "exec pactl set-sink-volume @DEFAULT_SINK@ -5%";
            "XF86AudioLowerVolume" = "exec pamixer -d 5";
            # "XF86AudioMute" = "exec pactl set-sink-mute @DEFAULT_SINK@ toggle";
            "XF86AudioMute" = "exec pamixer -t";
            "XF86MonBrightnessUp" = "exec brightnessctl set +5%";
            "XF86MonBrightnessDown" = "exec brightnessctl set 5%-";
            "XF86Display" = "exec wl-mirror eDP-1";
          }
          config.swarselsystems.keybindings;
      modes = {
        resize = {
          Down = "resize grow height 10 px or 10 ppt";
          Escape = "mode default";
          Left = "resize shrink width 10 px or 10 ppt";
          Return = "mode default";
          Right = "resize grow width 10 px or 10 ppt";
          Up = "resize shrink height 10 px or 10 ppt";
          Tab = "move position center, resize set width 50 ppt height 50 ppt";
        };
      };
      defaultWorkspace = "workspace 1:一";
      output = lib.mapAttrs' lib.swarselsystems.eachMonitor monitors;
      input = config.swarselsystems.standardinputs;
      workspaceOutputAssign = workplaceOutputs;
      startup = config.swarselsystems.startup ++ [
        { command = "kitty -T kittyterm -o confirm_os_window_close=0 zellij attach --create kittyterm"; }
        { command = "sleep 60; kitty -T spotifytui -o confirm_os_window_close=0 spotify_player"; }
      ];
      seat = {
        "*" = {
          hide_cursor = "when-typing enable";
        };
      };
      window = {
        border = 1;
        titlebar = false;
      };
      assigns = {
        "15:L" = [{ app_id = "teams-for-linux"; }];
      };
      floating = {
        border = 1;
        criteria = [
          { app_id = "qalculate-gtk"; }
          { app_id = "blueman"; }
          { app_id = "pavucontrol"; }
          { app_id = "syncthingtray"; }
          { app_id = "Element"; }
          { class = "1Password"; }
          { app_id = "com.nextcloud.desktopclient.nextcloud"; }
          { title = "(?:Open|Save) (?:File|Folder|As)"; }
          { title = "^Add$"; }
          { title = "^Picture-in-Picture$"; }
          { title = "Syncthing Tray"; }
          { app_id = "vesktop"; }
          { window_role = "pop-up"; }
          { window_role = "bubble"; }
          { window_role = "dialog"; }
          { window_role = "task_dialog"; }
          { window_role = "menu"; }
          { window_role = "Preferences"; }
        ];
        titlebar = false;
      };
      window = {
        commands = [
          {
            command = "opacity 0.95";
            criteria = {
              class = ".*";
            };
          }
          {
            command = "opacity 1";
            criteria = {
              app_id = "Gimp-2.10";
            };
          }
          {
            command = "opacity 0.99";
            criteria = {
              app_id = "firefox";
            };
          }
          {
            command = "opacity 0.99";
            criteria = {
              app_id = "chromium-browser";
            };
          }
          {
            command = "sticky enable, shadows enable";
            criteria = {
              title = "^Picture-in-Picture$";
            };
          }
          {
            command = "resize set width 60 ppt height 60 ppt, opacity 0.8, sticky enable, border normal, move container to scratchpad";
            criteria = {
              title = "^kittyterm$";
            };
          }
          {
            command = "resize set width 60 ppt height 60 ppt, opacity 0.95, sticky enable, border normal, move container to scratchpad";
            criteria = {
              title = "^spotifytui$";
            };
          }
          {

            command = "resize set width 60 ppt height 60 ppt, sticky enable, move container to scratchpad";
            criteria = {
              class = "Spotify";
            };
          }
          {
            command = "resize set width 60 ppt height 60 ppt, sticky enable";
            criteria = {
              app_id = "vesktop";
            };
          }
          {
            command = "resize set width 60 ppt height 60 ppt, sticky enable";
            criteria = {
              class = "Element";
            };
          }
          # {
          #   command = "resize set width 60 ppt height 60 ppt, sticky enable, move container to scratchpad";
          #   criteria = {
          #     app_id="^$";
          #     class="^$";
          # };
          # }
        ];
      };
      gaps = {
        inner = 5;
      };
    };
    extraSessionCommands = ''
      export SDL_VIDEODRIVER=wayland
      export QT_QPA_PLATFORM=wayland
      export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
      export _JAVA_AWT_WM_NONREPARENTING=1
      export XDG_CURRENT_DESKTOP=sway
      export XDG_SESSION_DESKTOP=sway
      export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox";
      export ANKI_WAYLAND=1;
      export OBSIDIAN_USE_WAYLAND=1;
    '';
    # extraConfigEarly = "
    # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK
    # exec hash dbus-update-activation-environment 2>/dev/null && dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK
    # ";
    extraConfig =
      let
        inherit (config.wayland.windowManager.sway.config) modifier;
        swayfxSettings = config.swarselsystems.swayfxConfig;
      in
      "
              exec_always autotiling
              set $exit \"exit: [s]leep, [l]ock, [p]oweroff, [r]eboot, [u]ser logout\"

              mode $exit {
                bindsym --to-code {
                  s exec \"systemctl suspend\", mode \"default\"
                  l exec \"swaylock --screenshots --clock --effect-blur 7x5 --effect-vignette 0.5:0.5 --fade-in 0.2 --daemonize\"
                  p exec \"systemctl poweroff\"
                  r exec \"systemctl reboot\"
                  u exec \"swaymsg exit\"

                  Return mode \"default\"
                  Escape mode \"default\"
                  ${modifier}+Escape mode \"default\"
                }
              }

              exec systemctl --user import-environment
              exec swayidle -w

              seat * hide_cursor 2000

              ${swayfxSettings}
              ";
  };
}

{ self, pkgs, ... }:
{
  services.gpg-agent = {
    enable = true;
    enableSshSupport = true;
    enableExtraSocket = true;
    pinentryPackage = pkgs.pinentry.gtk2;
    defaultCacheTtl = 600;
    maxCacheTtl = 7200;
    extraConfig = ''
      allow-loopback-pinentry
      allow-emacs-pinentry
    '';
    sshKeys = [
      "4BE7925262289B476DBBC17B76FD3810215AE097"
    ];
  };

  programs.gpg = {
    enable = true;
    publicKeys = [
      {
        source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc";
        trust = 5;
      }
    ];
  };

  # assure correct permissions
  systemd.user.tmpfiles.rules = [
    "d /home/swarsel/.gnupg 700 swarsel users"
  ];

}

_:
{
  services.gammastep = {
    enable = true;
    provider = "manual";
    latitude = 48.210033;
    longitude = 16.363449;
  };
}

{ self, lib, ... }:
let
  importNames = lib.swarselsystems.readNix "profiles/home/server";
  profilesPath = "${self}/profiles";
in
{
  imports = lib.swarselsystems.mkImports importNames "profiles/home/server" ++ [
    "${profilesPath}/home/common/settings.nix"
  ];
}

{ self, lib, ... }:
{
  home.file = {
    "init.el" = lib.mkForce {
      source = self + /programs/emacs/server.el;
      target = ".emacs.d/init.el";
    };
  };
}

{ self, ... }:
let
  profilesPath = "${self}/profiles";
in
{
  imports = [
    "${profilesPath}/home/common/settings.nix"
  ];
}

{ pkgs, ... }:
{
  # specialisation = {
  #   gaming.configuration = {
  home.packages = with pkgs; [
    lutris
    wine
    winetricks
    libudev-zero
    dwarfs
    fuse-overlayfs
    # steam
    steam-run
    patchelf
    gamescope
    vulkan-tools
    moonlight-qt
    ns-usbloader

    quark-goldleaf

    # gog games installing
    heroic

    # minecraft
    prismlauncher # has overrides
    temurin-bin-17

    pokefinder
    retroarch
    flips
  ];
  #   };
  # };
}

{ config, pkgs, lib, ... }:
{
  home.packages = with pkgs; [
    stable.teams-for-linux
    shellcheck
    dig
    docker
    postman
    rclone
    awscli2
    libguestfs-with-appliance
    stable.prometheus.cli
    tigervnc
  ];

  home.sessionVariables = {
    DOCUMENT_DIR_PRIV = lib.mkForce "${config.home.homeDirectory}/Documents/Private";
    DOCUMENT_DIR_WORK = lib.mkForce "${config.home.homeDirectory}/Documents/Work";
  };
  programs = {
    git.userEmail = "leon.schwarzaeugl@imba.oeaw.ac.at";

    zsh = {
      shellAliases = {
        dssh = "ssh -l dc_adm_schwarzaeugl";
        cssh = "ssh -l cl_adm_schwarzaeugl";
        wssh = "ssh -l ws_adm_schwarzaeugl";
      };
      cdpath = [
        "~/Documents/Work"
      ];
      dirHashes = {
        d = "$HOME/.dotfiles";
        w = "$HOME/Documents/Work";
        s = "$HOME/.dotfiles/secrets";
        pr = "$HOME/Documents/Private";
        ac = "$HOME/.ansible/collections/ansible_collections/vbc/linux/roles";
      };
    };

    ssh = {
      matchBlocks = {
        "uc" = {
          hostname = "uc.clip.vbc.ac.at";
          user = "stack";
        };
        "uc.stg" = {
          hostname = "uc.staging.clip.vbc.ac.at";
          user = "stack";
        };
        "uc.staging" = {
          hostname = "uc.staging.clip.vbc.ac.at";
          user = "stack";
        };
        "uc.dev" = {
          hostname = "uc.dev.clip.vbc.ac.at";
          user = "stack";
        };
        "cbe" = {
          hostname = "cbe.vbc.ac.at";
          user = "dc_adm_schwarzaeugl";
        };
        "cbe.stg" = {
          hostname = "cbe.staging.clip.vbc.ac.at";
          user = "dc_adm_schwarzaeugl";
        };
        "cbe.staging" = {
          hostname = "cbe.staging.clip.vbc.ac.at";
          user = "dc_adm_schwarzaeugl";
        };
        "*.vbc.ac.at" = {
          user = "dc_adm_schwarzaeugl";
        };
      };
    };

    firefox = {
      profiles = {
        dc_adm = lib.recursiveUpdate
          {
            id = 1;
            settings = {
              "browser.startup.homepage" = "https://tower.vbc.ac.at|https://artifactory.vbc.ac.at";
            };
          }
          config.swarselsystems.firefox;
        cl_adm = lib.recursiveUpdate
          {
            id = 2;
            settings = {
              "browser.startup.homepage" = "https://portal.azure.com";
            };
          }
          config.swarselsystems.firefox;
        ws_adm = lib.recursiveUpdate { id = 3; } config.swarselsystems.firefox;
      };
    };

    chromium = {
      enable = true;
      package = pkgs.chromium;

      extensions = [
        # 1password
        "gejiddohjgogedgjnonbofjigllpkmbf"
        # dark reader
        "eimadpbcbfnmbkopoojfekhnkhdbieeh"
        # ublock origin
        "cjpalhdlnbpafiamejdnhcphjbkeiagm"
        # i still dont care about cookies
        "edibdbjcniadpccecjdfdjjppcpchdlm"
        # browserpass
        "naepdomgkenhinolocfifgehidddafch"
      ];
    };
  };

  xdg = {
    mimeApps = {
      defaultApplications = {
        "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
      };
    };
    desktopEntries =
      let
        terminal = false;
        categories = [ "Application" ];
        icon = "firefox";
      in
      {
        firefox_dc = {
          name = "Firefox (dc_adm)";
          genericName = "Firefox dc";
          exec = "firefox -p dc_adm";
          inherit terminal categories icon;
        };

        firefox_ws = {
          name = "Firefox (ws_adm)";
          genericName = "Firefox ws";
          exec = "firefox -p ws_adm";
          inherit terminal categories icon;
        };

        firefox_cl = {
          name = "Firefox (cl_adm)";
          genericName = "Firefox cl";
          exec = "firefox -p cl_adm";
          inherit terminal categories icon;
        };

      };
  };

}

(defun swarsel/toggle-evil-state ()
  (interactive)
  (if (or (evil-emacs-state-p) (evil-insert-state-p))
      (evil-normal-state)
    (evil-emacs-state)))

(defun swarsel/last-buffer () (interactive) (switch-to-buffer nil))

(defun swarsel/mu4e-switch-account ()
  (interactive)
  (let ((account (completing-read "Select account: " mu4e-user-mail-address-list)))
    (setq user-mail-address account)))

(defun swarsel/mu4e-rfs--matching-address ()
  (cl-loop for to-data in (mu4e-message-field mu4e-compose-parent-message :to)
           for to-email = (pcase to-data
                            (`(_ . email) email)
                            (x (mu4e-contact-email x)))
           for to-name =  (pcase to-data
                            (`(_ . name) name)
                            (x (mu4e-contact-name x)))
           when (mu4e-user-mail-address-p to-email)
           return (list to-name to-email)))

(defun swarsel/mu4e-send-from-correct-address ()
  (when mu4e-compose-parent-message
    (save-excursion
      (when-let ((dest (swarsel/mu4e-rfs--matching-address)))
        (cl-destructuring-bind (from-user from-addr) dest
          (setq user-mail-address from-addr)
          (message-position-on-field "From")
          (message-beginning-of-line)
          (delete-region (point) (line-end-position))
          (insert (format "%s <%s>" (or from-user user-full-name) from-addr)))))))

(defun swarsel/mu4e-restore-default ()
  (setq user-mail-address "leon@swarsel.win"
        user-full-name "Leon Schwarzäugl"))

(defun swarsel/with-buffer-name-prompt-and-make-subdirs ()
  (let ((parent-directory (file-name-directory buffer-file-name)))
    (when (and (not (file-exists-p parent-directory))
               (y-or-n-p (format "Directory `%s' does not exist! Create it? " parent-directory)))
      (make-directory parent-directory t))))

(add-to-list 'find-file-not-found-functions #'swarsel/with-buffer-name-prompt-and-make-subdirs)

(defun crux-get-positions-of-line-or-region ()
  "Return positions (beg . end) of the current line or region."
  (let (beg end)
    (if (and mark-active (> (point) (mark)))
        (exchange-point-and-mark))
    (setq beg (line-beginning-position))
    (if mark-active
        (exchange-point-and-mark))
    (setq end (line-end-position))
    (cons beg end)))

(defun crux-duplicate-current-line-or-region (arg)
  "Duplicates the current line or region ARG times.
  If there's no region, the current line will be duplicated.  However, if
  there's a region, all lines that region covers will be duplicated."
  (interactive "p")
  (pcase-let* ((origin (point))
               (`(,beg . ,end) (crux-get-positions-of-line-or-region))
               (region (buffer-substring-no-properties beg end)))
    (dotimes (_i arg)
      (goto-char end)
      (newline)
      (insert region)
      (setq end (point)))
    (goto-char (+ origin (* (length region) arg) arg))))

(defun crux-duplicate-and-comment-current-line-or-region (arg)
  "Duplicates and comments the current line or region ARG times.
If there's no region, the current line will be duplicated.  However, if
there's a region, all lines that region covers will be duplicated."
  (interactive "p")
  (pcase-let* ((origin (point))
               (`(,beg . ,end) (crux-get-positions-of-line-or-region))
               (region (buffer-substring-no-properties beg end)))
    (comment-or-uncomment-region beg end)
    (setq end (line-end-position))
    (dotimes (_ arg)
      (goto-char end)
      (newline)
      (insert region)
      (setq end (point)))
    (goto-char (+ origin (* (length region) arg) arg))))

(defun prot-org--id-get ()
  "Get the CUSTOM_ID of the current entry.
If the entry already has a CUSTOM_ID, return it as-is, else
create a new one."
  (let* ((pos (point))
         (id (org-entry-get pos "CUSTOM_ID")))
    (if (and id (stringp id) (string-match-p "\\S-" id))
        id
      (setq id (org-id-new "h"))
      (org-entry-put pos "CUSTOM_ID" id)
      id)))

(declare-function org-map-entries "org")

(defun prot-org-id-headlines ()
  "Add missing CUSTOM_ID to all headlines in current file."
  (interactive)
  (org-map-entries
   (lambda () (prot-org--id-get))))

(defun prot-org-id-headline ()
  "Add missing CUSTOM_ID to headline at point."
  (interactive)
  (prot-org--id-get))

(advice-add 'message :around #'who-called-me?)

(advice-remove 'message #'who-called-me?)

(defun suppress-messages (old-fun &rest args)
  (cl-flet ((silence (&rest args1) (ignore)))
    (advice-add 'message :around #'silence)
    (unwind-protect
        (apply old-fun args)
      (advice-remove 'message #'silence))))

(advice-add 'pixel-scroll-precision :around #'suppress-messages)
(advice-add 'mu4e--server-filter :around #'suppress-messages)
(advice-add 'org-unlogged-message :around #'suppress-messages)
(advice-add 'magit-auto-revert-mode--init-kludge  :around #'suppress-messages)
(advice-add 'push-mark  :around #'suppress-messages)
(advice-add 'evil-insert  :around #'suppress-messages)
(advice-add 'evil-visual-char  :around #'suppress-messages)

;; to reenable
;; (advice-remove 'timer-event-handler #'suppress-messages)

(defun who-called-me? (old-fun format &rest args)
  (let ((trace nil) (n 1) (frame nil))
    (while (setf frame (backtrace-frame n))
      (setf n     (1+ n)
            trace (cons (cadr frame) trace)) )
    (apply old-fun (concat "<<%S>>\n" format) (cons trace args))))

;; enable to get message backtrace, the first function shown in backtrace calls the other functions
;; (advice-add 'message :around #'who-called-me?)

;; disable to stop receiving backtrace
(advice-remove 'message #'who-called-me?)

(defun up-directory (path)
  "Move up a directory in PATH without affecting the kill buffer."
  (interactive "p")
  (if (string-match-p "/." (minibuffer-contents))
      (let ((end (point)))
        (re-search-backward "/.")
        (forward-char)
        (delete-region (point) end))))

(define-key minibuffer-local-filename-completion-map
            [C-backspace] #'up-directory)

(defun swarsel/org-mode-setup ()
  (variable-pitch-mode 1)
  (add-hook 'org-tab-first-hook 'org-end-of-line)
  (visual-line-mode 1))

(defun swarsel/org-mode-visual-fill ()
  (setq visual-fill-column-width 150
        visual-fill-column-center-text t)
  (visual-fill-column-mode 1))

(defun swarsel/run-formatting ()
  (interactive)
  (let ((default-directory (expand-file-name "~/.dotfiles")))
    (shell-command "nixpkgs-fmt . > /dev/null")))

(defun swarsel/org-babel-tangle-config ()
  (interactive)
  (when (string-equal (buffer-file-name)
                      swarsel-swarsel-org-filepath)
    ;; Dynamic scoping to the rescue
    (let ((org-confirm-babel-evaluate nil))
      ;; (org-html-export-to-html)
      (org-babel-tangle)
      (swarsel/run-formatting)
      )))

(setq org-html-htmlize-output-type nil)

;; (add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config)))

(defun org-fold-outer ()
  (interactive)
  (org-beginning-of-line)
  (if (string-match "^*+" (thing-at-point 'line t))
      (outline-up-heading 1))
  (outline-hide-subtree)
  )

(defun swarsel/corfu-normal-return (&optional arg)
  (interactive)
  (corfu-quit)
  (newline)
  )

(defun swarsel/corfu-quit-and-up (&optional arg)
  (interactive)
  (corfu-quit)
  (evil-previous-visual-line))

(defun swarsel/corfu-quit-and-down (&optional arg)
  (interactive)
  (corfu-quit)
  (evil-next-visual-line))

(defun swarsel/minibuffer-setup-hook ()
  (setq gc-cons-threshold most-positive-fixnum))

(defun swarsel/minibuffer-exit-hook ()
  (setq gc-cons-threshold (* 32 1024 1024)))

(add-hook 'minibuffer-setup-hook #'swarsel/minibuffer-setup-hook)
(add-hook 'minibuffer-exit-hook #'swarsel/minibuffer-exit-hook)

;; Emulate vim in emacs
(use-package evil
  :init
  (setq evil-want-integration t) ; loads evil
  (setq evil-want-keybinding nil) ; loads "helpful bindings" for other modes
  (setq evil-want-C-u-scroll t) ; scrolling using C-u
  (setq evil-want-C-i-jump nil) ; jumping with C-i
  (setq evil-want-Y-yank-to-eol t) ; give Y some utility
  (setq evil-shift-width 2) ; uniform indent
  (setq evil-respect-visual-line-mode nil) ; i am torn on this one
  (setq evil-split-window-below t)
  (setq evil-vsplit-window-right t)
  :config
  (evil-mode 1)

  ;; make normal mode respect wrapped lines
  (define-key evil-normal-state-map (kbd "j") 'evil-next-visual-line)
  (define-key evil-normal-state-map (kbd "<down>") 'evil-next-visual-line)
  (define-key evil-normal-state-map (kbd "k") 'evil-previous-visual-line)
  (define-key evil-normal-state-map (kbd "<up>") 'evil-previous-visual-line)

  (define-key evil-normal-state-map (kbd "C-z") nil)
  (define-key evil-insert-state-map (kbd "C-z") nil)
  (define-key evil-visual-state-map (kbd "C-z") nil)
  (define-key evil-motion-state-map (kbd "C-z") nil)
  (define-key evil-operator-state-map (kbd "C-z") nil)
  (define-key evil-replace-state-map (kbd "C-z") nil)
  (define-key global-map (kbd "C-z") nil)
  (evil-set-undo-system 'undo-tree)

  ;; Don't use evil-mode in these contexts, or use it in a specific mode
  (evil-set-initial-state 'messages-buffer-mode 'emacs)
  (evil-set-initial-state 'dashboard-mode 'emacs)
  (evil-set-initial-state 'dired-mode 'emacs)
  (evil-set-initial-state 'cfw:details-mode 'emacs)
  (evil-set-initial-state 'Custom-mode 'emacs) ; god knows why this mode is in uppercase
  (evil-set-initial-state 'mu4e-headers-mode 'normal)
  (evil-set-initial-state 'python-inferior-mode 'normal)
  (add-hook 'org-capture-mode-hook 'evil-insert-state)
  (add-to-list 'evil-buffer-regexps '("COMMIT_EDITMSG" . insert)))

(use-package evil-collection
  :after evil
  :config
  (evil-collection-init)
  (setq forge-add-default-bindings nil))

;; enables 2-char inline search
(use-package evil-snipe
  :after evil
  :demand
  :config
  (evil-snipe-mode +1)
  ;; replace 1-char searches (f&t) with this better UI
  (evil-snipe-override-mode +1))

;; for parentheses-heavy languades modify evil commands to keep balance of parantheses
(use-package evil-cleverparens)

;; enables surrounding text with S
(use-package evil-surround
  :config
  (global-evil-surround-mode 1))

(use-package evil-visual-mark-mode
  :config (evil-visual-mark-mode))

(use-package evil-textobj-tree-sitter)
;; bind `function.outer`(entire function block) to `f` for use in things like `vaf`, `yaf`
(define-key evil-outer-text-objects-map "f" (evil-textobj-tree-sitter-get-textobj "function.outer"))
;; bind `function.inner`(function block without name and args) to `f` for use in things like `vif`, `yif`
(define-key evil-inner-text-objects-map "f" (evil-textobj-tree-sitter-get-textobj "function.inner"))

;; You can also bind multiple items and we will match the first one we can find
(define-key evil-outer-text-objects-map "a" (evil-textobj-tree-sitter-get-textobj ("if_statement.outer" "conditional.outer" "loop.outer") '((python-mode . ((if_statement.outer) @if_statement.outer)) (python-ts-mode . ((if_statement.outer) @if_statement.outer)))))

(use-package evil-numbers)

(use-package which-key
  :init (which-key-mode)
  :diminish which-key-mode
  :config
  (setq which-key-idle-delay 0.3))

(use-package helpful
  :bind
  (("C-h f" . helpful-callable)
   ("C-h v" . helpful-variable)
   ("C-h k" . helpful-key)
   ("C-h C-." . helpful-at-point))
  :config
  (setq help-window-select nil))

(use-package org
  ;;:diminish (org-indent-mode)
  :hook (org-mode . swarsel/org-mode-setup)
  :bind
  (("C-<tab>" . org-fold-outer)
   ("C-c s" . org-store-link))
  :config
  (setq org-ellipsis " ⤵"
        org-link-descriptive t
        org-hide-emphasis-markers t)
  (setq org-startup-folded t)
  (setq org-support-shift-select t)

  (setq org-agenda-start-with-log-mode t)
  (setq org-log-done 'time)
  (setq org-log-into-drawer t)
  (setq org-startup-with-inline-images t)
  (setq org-export-headline-levels 6)
  (setq org-image-actual-width nil)
  (setq org-format-latex-options '(:foreground "White" :background default :scale 2.0 :html-foreground "Black" :html-background "Transparent" :html-scale 1.0 :matchers ("begin" "$1" "$" "$$" "\\(" "\\[")))

  (setq org-agenda-files '("/home/swarsel/Nextcloud/Org/Tasks.org"
                           "/home/swarsel/Nextcloud/Org/Archive.org"
                           ))

  (setq org-refile-targets
        '((swarsel-archive-org-file :maxlevel . 1)
          (swarsel-tasks-org-file :maxlevel . 1)))

  )

(use-package org-appear
  :hook (org-mode . org-appear-mode)
  :init
  (setq org-appear-autolinks t)
  (setq org-appear-autokeywords t)
  (setq org-appear-autoentities t)
  (setq org-appear-autosubmarkers t))

(use-package visual-fill-column
  :hook (org-mode . swarsel/org-mode-visual-fill))

(setq org-fold-core-style 'overlays)

(use-package auctex)
(setq TeX-auto-save t)
(setq TeX-save-query nil)
(setq TeX-parse-self t)
(setq-default TeX-engine 'luatex)
(setq-default TeX-master nil)

(add-hook 'LaTeX-mode-hook 'visual-line-mode)
(add-hook 'LaTeX-mode-hook 'flyspell-mode)
(add-hook 'LaTeX-mode-hook 'LaTeX-math-mode)
(add-hook 'LaTeX-mode-hook 'reftex-mode)
(setq LaTeX-electric-left-right-brace t)
(setq font-latex-fontify-script nil)
(setq TeX-electric-sub-and-superscript t)
;; (setq reftex-plug-into-AUCTeX t)

(use-package org-fragtog)
(add-hook 'org-mode-hook 'org-fragtog-mode)
(add-hook 'markdown-mode-hook 'org-fragtog-mode)

(use-package org-modern
  :config (setq org-modern-block-name
                '((t . t)
                  ("src" "»" "∥")))
  :hook (org-mode . org-modern-mode))

(use-package org-present
  :bind (:map org-present-mode-keymap
              ("q" . org-present-quit)
              ("<left>" . swarsel/org-present-prev)
              ("<up>" . 'ignore)
              ("<down>" . 'ignore)
              ("<right>" . swarsel/org-present-next))
  :hook ((org-present-mode . swarsel/org-present-start)
         (org-present-mode-quit . swarsel/org-present-end))
  )


(use-package hide-mode-line)

(defun swarsel/org-present-start ()
  (setq-local face-remapping-alist '((default (:height 1.5) variable-pitch)
                                     (header-line (:height 4.0) variable-pitch)
                                     (org-document-title (:height 1.75) org-document-title)
                                     (org-code (:height 1.55) org-code)
                                     (org-verbatim (:height 1.55) org-verbatim)
                                     (org-block (:height 1.25) org-block)
                                     (org-block-begin-line (:height 0.7) org-block)
                                     ))
  (dolist (face '((org-level-1 . 1.1)
                  (org-level-2 . 1.2)
                  (org-level-3 . 1.2)
                  (org-level-4 . 1.2)
                  (org-level-5 . 1.2)
                  (org-level-6 . 1.2)
                  (org-level-7 . 1.2)
                  (org-level-8 . 1.2)))
    (set-face-attribute (car face) nil :font swarsel-alt-font :weight 'medium :height (cdr face)))

  (setq header-line-format " ")
  (setq visual-fill-column-width 90)
  (setq indicate-buffer-boundaries nil)
  (setq inhibit-message nil)
  ;; (breadcrumb-mode 0)
  (org-display-inline-images)
  (global-hl-line-mode 0)
  ;; (display-line-numbers-mode 0)
  (org-modern-mode 0)
  (evil-insert-state 1)
  (beginning-of-buffer)
  (org-present-read-only)
  ;; (org-present-hide-cursor)
  (swarsel/org-present-slide)
  )

(defun swarsel/org-present-end ()
  (setq-local face-remapping-alist '((default variable-pitch default)))
  (dolist (face '((org-level-1 . 1.1)
                  (org-level-2 . 0.9)
                  (org-level-3 . 0.9)
                  (org-level-4 . 0.9)
                  (org-level-5 . 0.9)
                  (org-level-6 . 0.9)
                  (org-level-7 . 0.9)
                  (org-level-8 . 0.9)))
    (set-face-attribute (car face) nil :font swarsel-alt-font :weight 'medium :height (cdr face)))
  (setq header-line-format nil)
  (setq visual-fill-column-width 150)
  (setq indicate-buffer-boundaries t)
  (setq inhibit-message nil)
  ;; (breadcrumb-mode 1)
  (global-hl-line-mode 1)
  ;; (display-line-numbers-mode 1)
  (org-remove-inline-images)
  (org-modern-mode 1)
  (evil-normal-state 1)
  ;; (org-present-show-cursor)
  )

(defun swarsel/org-present-slide ()
  (org-overview)
  (org-show-entry)
  (org-show-children)
  )

(defun swarsel/org-present-prev ()
  (interactive)
  (org-present-prev)
  (swarsel/org-present-slide))

(defun swarsel/org-present-next ()
  (interactive)
  (unless (eobp)
    (org-next-visible-heading 1)
    (org-fold-show-entry))
  (when (eobp)
    (org-present-next)
    (swarsel/org-present-slide)
    ))

(defun clojure-leave-clojure-mode-function ()
  )

(add-hook 'buffer-list-update-hook #'clojure-leave-clojure-mode-function)
(add-hook 'org-present-mode-hook 'swarsel/org-present-start)
(add-hook 'org-present-mode-quit-hook 'swarsel/org-present-end)
(add-hook 'org-present-after-navigate-functions 'swarsel/org-present-slide)

(setq markdown-command "pandoc")

(use-package markdown-mode
  :ensure t
  :mode ("README\\.md\\'" . gfm-mode)
  :init (setq markdown-command "multimarkdown")
  :bind (:map markdown-mode-map
              ("C-c C-e" . markdown-do)))

(add-hook 'markdown-mode-hook
          (lambda ()
            (local-set-key (kbd "C-c C-x C-l") 'org-latex-preview)
            (local-set-key (kbd "C-c C-x C-u") 'markdown-toggle-url-hiding)
            ))

;; change the text size of the current buffer
(defhydra hydra-text-scale (:timeout 4)
  "scale text"
  ("j" text-scale-increase "in")
  ("k" text-scale-decrease "out")
  ("f" nil "finished" :exit t))

(use-package mu4e
  :ensure nil
  ;; :load-path "/usr/share/emacs/site-lisp/mu4e/"
  ;;:defer 20 ; Wait until 20 seconds after startup
  :config

  ;; This is set to 't' to avoid mail syncing issues when using mbsync
  (setq send-mail-function 'sendmail-send-it)
  (setq mu4e-change-filenames-when-moving t)
  (setq mu4e-mu-binary (executable-find "mu"))
  (setq mu4e-hide-index-messages t)

  (setq mu4e-update-interval 180)
  (setq mu4e-get-mail-command "mbsync -a")
  (setq mu4e-maildir "~/Mail")

  ;; enable inline images
  (setq mu4e-view-show-images t)
  ;; use imagemagick, if available
  (when (fboundp 'imagemagick-register-types)
    (imagemagick-register-types))

  (setq mu4e-drafts-folder "/Drafts")
  (setq mu4e-sent-folder   "/Sent Mail")
  (setq mu4e-refile-folder "/All Mail")
  (setq mu4e-trash-folder  "/Trash")

  (setq mu4e-maildir-shortcuts
        '((:maildir "/leon/Inbox"    :key ?1)
          (:maildir "/nautilus/Inbox" :key ?2)
          (:maildir "/mrswarsel/Inbox"     :key ?3)
          (:maildir "/Sent Mail"     :key ?s)
          (:maildir "/Trash"     :key ?t)
          (:maildir "/Drafts"     :key ?d)
          (:maildir "/All Mail"     :key ?a)))

  (setq user-mail-address "leon@swarsel.win"
        user-full-name "Leon Schwarzäugl")


  (setq mu4e-user-mail-address-list '(leon.schwarzaeugl@gmail.com leon@swarsel.win nautilus.dw@gmail.com mrswarsel@gmail.com)))


(add-hook 'mu4e-compose-mode-hook #'swarsel/mu4e-send-from-correct-address)
(add-hook 'mu4e-compose-post-hook #'swarsel/mu4e-restore-default)

(use-package mu4e-alert
  :config
  (setq mu4e-alert-set-default-style 'libnotify))

(add-hook 'after-init-hook #'mu4e-alert-enable-notifications)

(mu4e t)