Merge branch 'main' of orion:kiri/nixos-config

hosts/orion/system.nix

@@ -10,9 +10,9 @@
     ../../modules/nixos/caddy.nix
     ../../modules/nixos/bitwarden.nix
     ../../modules/nixos/firewall.nix
-    ../../modules/nixos/copyparty.nix
+    ../../modules/nixos/syncthing.nix
+    ../../modules/nixos/filebrowser.nix
     ../../modules/nixos/home-assistant.nix
-    ../../modules/nixos/glance.nix
     ../../modules/nixos/radicale.nix
     ../../modules/nixos/actual-budget.nix
     ../../modules/nixos/gitea.nix

hosts/polaris/system.nix

@@ -3,10 +3,22 @@
   imports = [
     ../../modules/nixos/desktop.nix
 
+    ../../modules/nixos/ssh.nix
     ./hardware-configuration.nix
     ./variables.nix
   ];
 
+  networking = {
+    interfaces = {
+      enp5s0 = {
+        wakeOnLan.enable = true;
+      };
+    };
+    firewall = {
+      allowedUDPPorts = [ 9 ];
+    };
+  };
+
   home-manager.users."${config.var.username}" = import ./home.nix;
 
   system.stateVersion = "24.05";

modules/home-manager/accounts/calendar.nix

@@ -1,10 +1,19 @@
 { config, pkgs, ... }:
+let
+  calendarsPath = "${config.xdg.dataHome}/calendars";
+in
 {
   programs.pimsync.enable = true;
   services.pimsync.enable = true;
 
+  systemd.user.tmpfiles.rules = [
+    "d ${calendarsPath} 0700 - - - -"
+    "d ${calendarsPath}/radicale 0700 - - - -"
+    "d ${calendarsPath}/university 0700 - - - -"
+  ];
+
   accounts.calendar = {
-    basePath = "${config.xdg.dataHome}/calendars";
+    basePath = calendarsPath;
     accounts = {
       "radicale" = {
         primary = true;

modules/home-manager/desktop.nix

@@ -23,7 +23,6 @@
     ./kitty.nix
     ./lazygit.nix
     ./nh.nix
-    ./rclone.nix
     ./spicetify.nix
     ./ssh.nix
     ./thunar.nix
@@ -90,6 +89,8 @@
       cmatrix
 
       libreoffice-qt6-fresh
+
+      trash-cli
     ];
   };
 }

modules/home-manager/gpg.nix

@@ -2,7 +2,8 @@
   config,
   pkgs,
   ...
-}: {
+}:
+{
   programs.gpg = {
     enable = true;
     homedir = "${config.xdg.dataHome}/gnupg";
@@ -15,6 +16,9 @@
     pinentry = {
       package = pkgs.pinentry-gnome3;
     };
-    sshKeys = ["CD848796822630B280FC6DFA55F24A20040F22B5"];
+    sshKeys = [
+      "CD848796822630B280FC6DFA55F24A20040F22B5"
+      "B8FBDFBD7F42C444C17E086E0EE2E34FB43A7187"
+    ];
   };
 }

modules/home-manager/hyprland/default.nix

@@ -144,24 +144,14 @@ in
 
       windowrule = [
         "match:title hyprpanel-settings, float on"
-        "match:class xdg-desktop-portal-gtk, float on, center on, size monitor_w/2 monitor_h/2"
+        "match:class xdg-desktop-portal-gtk, float on, center on, size (monitor_w * 0.5) (monitor_h * 0.5)"
-        # Bitwarden extension
+        # Match on bitwarden chrome extension id
-
+        "match:class .*nngceckbapebfimnlniiiahkandclblb.*, float on, center on, size (monitor_w * 0.5) (monitor_h * 0.5)"
-        # idle inhibit while watching videos
+        "match:class imv, float on, center on, max_size (monitor_w * 0.8) (monitor_h * 0.8)"
-        #"idleinhibit focus, class:^(mpv|.+exe|celluloid)$"
-        #"idleinhibit focus, class:^(zen)$, title:^(.*YouTube.*)$"
-        #"idleinhibit fullscreen, class:^(zen)$"
-
-        #"dimaround, class:^(gcr-prompter)$"
-        #"dimaround, class:^(xdg-desktop-portal-gtk)$"
-        #"dimaround, class:^(polkit-gnome-authentication-agent-1)$"
-        #"dimaround, class:^(zen)$, title:^(File Upload)$"
       ];
 
       layerrule = [
         "match:namespace vicinae, no_anim on, blur on, ignore_alpha 0"
-        #"no_anim, launcher"
-        #"no_anim, ^ags-.*"
       ];
 
       input = {

modules/home-manager/nixCats/default.nix

@@ -45,6 +45,7 @@ let
           typescript
           typescript-language-server
 
+          rustc
           rust-analyzer
           rustfmt
 
@@ -55,6 +56,13 @@ let
           isort
 
           astro-language-server
+
+          tinymist
+          typstyle
+
+          ltex-ls-plus
+
+          harper
         ];
       };
 
@@ -103,6 +111,8 @@ let
 
           lualine-nvim
           bufferline-nvim
+
+          zen-mode-nvim
         ];
 
       };

modules/home-manager/nixCats/lua/plugins/coding.lua

@@ -171,13 +171,25 @@ require("lz.n").load({
       require("luasnip.loaders.from_vscode").lazy_load()
     end,
   },
+  {
+    -- lazydev makes your lsp way better in your config without needing extra lsp configuration.
+    "lazydev.nvim",
+    cmd = "LazyDev",
+    ft = "lua",
+    after = function()
+      require("lazydev").setup({
+        library = {
+          { words = { "nixCats" }, path = (nixCats.nixCatsPath or "") .. "/lua" },
+        },
+      })
+    end,
+  },
   {
     "blink.cmp",
     before = function()
       -- Trigger lazydev so it's ready for blink source
       require("lz.n").trigger_load({ "lazydev.nvim", "luasnip" })
     end,
-    event = "VimEnter",
     after = function()
       require("blink.cmp").setup({
         keymap = {

modules/home-manager/nixCats/lua/plugins/lsp.lua

@@ -1,167 +1,172 @@
 require("lz.n").load({
   {
-    {
+    "nvim-lspconfig",
-      -- lazydev makes your lsp way better in your config without needing extra lsp configuration.
+    event = { "BufReadPre", "BufNewFile" },
-      "lazydev.nvim",
+    after = function()
-      cmd = "LazyDev",
+      vim.api.nvim_create_autocmd("LspAttach", {
-      ft = "lua",
+        group = vim.api.nvim_create_augroup("kickstart-lsp-attach", { clear = true }),
-      after = function()
+        callback = function(args)
-        require("lazydev").setup({
+          -- Get the client and buffer from the event arguments [cite: 119]
-          library = {
+          local client = vim.lsp.get_client_by_id(args.data.client_id)
-            { words = { "nixCats" }, path = (nixCats.nixCatsPath or "") .. "/lua" },
+          local bufnr = args.buf
+
+          local map = function(keys, func, desc, mode)
+            mode = mode or "n"
+            vim.keymap.set(mode, keys, func, { buffer = bufnr, desc = "LSP: " .. desc })
+          end
+
+          -- Mappings (Standard LSP functions from lsp-defaults) [cite: 20-23]
+          map("grn", vim.lsp.buf.rename, "[R]e[n]ame")
+          map("gra", vim.lsp.buf.code_action, "[G]oto Code [A]ction", { "n", "x" })
+          map("grD", vim.lsp.buf.declaration, "[G]oto [D]eclaration")
+
+          -- Telescope Mappings
+          map("grr", require("telescope.builtin").lsp_references, "[G]oto [R]eferences")
+          map("gri", require("telescope.builtin").lsp_implementations, "[G]oto [I]mplementation")
+          map("grd", require("telescope.builtin").lsp_definitions, "[G]oto [D]efinition")
+          map("gO", require("telescope.builtin").lsp_document_symbols, "Open Document Symbols")
+          map("gW", require("telescope.builtin").lsp_dynamic_workspace_symbols, "Open Workspace Symbols")
+          map("grt", require("telescope.builtin").lsp_type_definitions, "[G]oto [T]ype Definition")
+
+          -- Highlight references (Document Highlight)
+          if client and client:supports_method("textDocument/documentHighlight", bufnr) then
+            local highlight_augroup = vim.api.nvim_create_augroup("kickstart-lsp-highlight", { clear = false })
+            vim.api.nvim_create_autocmd({ "CursorHold", "CursorHoldI" }, {
+              buffer = bufnr,
+              group = highlight_augroup,
+              callback = vim.lsp.buf.document_highlight,
+            })
+
+            vim.api.nvim_create_autocmd({ "CursorMoved", "CursorMovedI" }, {
+              buffer = bufnr,
+              group = highlight_augroup,
+              callback = vim.lsp.buf.clear_references,
+            })
+
+            vim.api.nvim_create_autocmd("LspDetach", {
+              group = vim.api.nvim_create_augroup("kickstart-lsp-detach", { clear = true }),
+              callback = function(event)
+                vim.lsp.buf.clear_references()
+                vim.api.nvim_clear_autocmds({ group = "kickstart-lsp-highlight", buffer = event.buf })
+              end,
+            })
+          end
+
+          -- Inlay Hints
+          if client and client:supports_method("textDocument/inlayHint", bufnr) then
+            map("<leader>th", function()
+              vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled({ bufnr = bufnr }))
+            end, "[T]oggle Inlay [H]ints")
+          end
+        end,
+      })
+
+      -- 1. Setup Diagnostics (Visuals)
+      vim.diagnostic.config({
+        severity_sort = true,
+        -- underline = { severity = vim.diagnostic.severity.ERROR },
+        signs = {
+          text = {
+            [vim.diagnostic.severity.ERROR] = " ",
+            [vim.diagnostic.severity.WARN] = " ",
+            [vim.diagnostic.severity.INFO] = " ",
+            [vim.diagnostic.severity.HINT] = "󰠠 ",
           },
-        })
+        },
-      end,
+        virtual_text = {
-    },
+          source = "if_many",
-    {
+          spacing = 4,
-      "nvim-lspconfig",
+          prefix = "●",
-      event = { "BufReadPre", "BufNewFile" },
+          format = function(diagnostic)
-      after = function()
+            local diagnostic_message = {
-        vim.api.nvim_create_autocmd("LspAttach", {
+              [vim.diagnostic.severity.ERROR] = diagnostic.message,
-          group = vim.api.nvim_create_augroup("kickstart-lsp-attach", { clear = true }),
+              [vim.diagnostic.severity.WARN] = diagnostic.message,
-          callback = function(args)
+              [vim.diagnostic.severity.INFO] = diagnostic.message,
-            -- Get the client and buffer from the event arguments [cite: 119]
+              [vim.diagnostic.severity.HINT] = diagnostic.message,
-            local client = vim.lsp.get_client_by_id(args.data.client_id)
+            }
-            local bufnr = args.buf
+            return diagnostic_message[diagnostic.severity]
-
-            local map = function(keys, func, desc, mode)
-              mode = mode or "n"
-              vim.keymap.set(mode, keys, func, { buffer = bufnr, desc = "LSP: " .. desc })
-            end
-
-            -- Mappings (Standard LSP functions from lsp-defaults) [cite: 20-23]
-            map("grn", vim.lsp.buf.rename, "[R]e[n]ame")
-            map("gra", vim.lsp.buf.code_action, "[G]oto Code [A]ction", { "n", "x" })
-            map("grD", vim.lsp.buf.declaration, "[G]oto [D]eclaration")
-
-            -- Telescope Mappings
-            map("grr", require("telescope.builtin").lsp_references, "[G]oto [R]eferences")
-            map("gri", require("telescope.builtin").lsp_implementations, "[G]oto [I]mplementation")
-            map("grd", require("telescope.builtin").lsp_definitions, "[G]oto [D]efinition")
-            map("gO", require("telescope.builtin").lsp_document_symbols, "Open Document Symbols")
-            map("gW", require("telescope.builtin").lsp_dynamic_workspace_symbols, "Open Workspace Symbols")
-            map("grt", require("telescope.builtin").lsp_type_definitions, "[G]oto [T]ype Definition")
-
-            -- Highlight references (Document Highlight)
-            if client and client:supports_method("textDocument/documentHighlight", bufnr) then
-              local highlight_augroup = vim.api.nvim_create_augroup("kickstart-lsp-highlight", { clear = false })
-              vim.api.nvim_create_autocmd({ "CursorHold", "CursorHoldI" }, {
-                buffer = bufnr,
-                group = highlight_augroup,
-                callback = vim.lsp.buf.document_highlight,
-              })
-
-              vim.api.nvim_create_autocmd({ "CursorMoved", "CursorMovedI" }, {
-                buffer = bufnr,
-                group = highlight_augroup,
-                callback = vim.lsp.buf.clear_references,
-              })
-
-              vim.api.nvim_create_autocmd("LspDetach", {
-                group = vim.api.nvim_create_augroup("kickstart-lsp-detach", { clear = true }),
-                callback = function(event)
-                  vim.lsp.buf.clear_references()
-                  vim.api.nvim_clear_autocmds({ group = "kickstart-lsp-highlight", buffer = event.buf })
-                end,
-              })
-            end
-
-            -- Inlay Hints
-            if client and client:supports_method("textDocument/inlayHint", bufnr) then
-              map("<leader>th", function()
-                vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled({ bufnr = bufnr }))
-              end, "[T]oggle Inlay [H]ints")
-            end
           end,
-        })
+        },
+      })
 
-        -- 1. Setup Diagnostics (Visuals)
+      vim.lsp.config("lua_ls", {
-        vim.diagnostic.config({
+        settings = {
-          severity_sort = true,
+          Lua = {
-          underline = { severity = vim.diagnostic.severity.ERROR },
+            runtime = { version = "LuaJIT" },
-          signs = {
+            signatureHelp = { enabled = true },
-            text = {
+            diagnostics = { globals = { "nixCats", "vim" } },
-              [vim.diagnostic.severity.ERROR] = " ",
+            telemetry = { enabled = false },
-              [vim.diagnostic.severity.WARN] = " ",
+            completion = { callSnippet = "Replace" },
-              [vim.diagnostic.severity.INFO] = " ",
+          },
-              [vim.diagnostic.severity.HINT] = "󰠠 ",
+        },
+      })
+      vim.lsp.enable("lua_ls")
+
+      -- Nix
+      vim.lsp.config("nixd", {
+        settings = {
+          nixd = {
+            nixpkgs = { expr = nixCats.extra("nixdExtras.nixpkgs") },
+            options = {
+              nixos = { expr = nixCats.extra("nixdExtras.nixos_options") },
+              ["home-manager"] = { expr = nixCats.extra("nixdExtras.home_manager_options") },
             },
+            formatting = { command = { "nixfmt" } },
           },
-          virtual_text = {
+        },
-            source = "if_many",
+      })
-            spacing = 4,
+      vim.lsp.enable("nixd")
-            prefix = "●",
-            format = function(diagnostic)
-              local diagnostic_message = {
-                [vim.diagnostic.severity.ERROR] = diagnostic.message,
-                [vim.diagnostic.severity.WARN] = diagnostic.message,
-                [vim.diagnostic.severity.INFO] = diagnostic.message,
-                [vim.diagnostic.severity.HINT] = diagnostic.message,
-              }
-              return diagnostic_message[diagnostic.severity]
-            end,
-          },
-        })
 
-        vim.lsp.config("lua_ls", {
+      -- Dafny
-          settings = {
+      vim.lsp.enable("dafny")
-            Lua = {
-              runtime = { version = "LuaJIT" },
-              signatureHelp = { enabled = true },
-              diagnostics = { globals = { "nixCats", "vim" } },
-              telemetry = { enabled = false },
-              completion = { callSnippet = "Replace" },
-            },
-          },
-        })
-        vim.lsp.enable("lua_ls")
 
-        -- Nix
+      -- TypeScript/JS
-        vim.lsp.config("nixd", {
+      vim.lsp.enable("ts_ls")
-          settings = {
-            nixd = {
-              nixpkgs = { expr = nixCats.extra("nixdExtras.nixpkgs") },
-              options = {
-                nixos = { expr = nixCats.extra("nixdExtras.nixos_options") },
-                ["home-manager"] = { expr = nixCats.extra("nixdExtras.home_manager_options") },
-              },
-              formatting = { command = { "nixfmt" } },
-            },
-          },
-        })
-        vim.lsp.enable("nixd")
 
-        -- Dafny
+      -- Rust
-        vim.lsp.enable("dafny")
+      vim.lsp.enable("rust_analyzer")
 
-        -- TypeScript/JS
+      -- Python
-        vim.lsp.enable("ts_ls")
+      vim.lsp.config("basedpyright", {
-
+        settings = {
-        -- Rust
+          basedpyright = {
-        vim.lsp.enable("rust_analyzer")
+            analysis = {
-
+              autoSearchPaths = true,
-        -- Python
+              useLibraryCodeForTypes = true,
-        vim.lsp.config("basedpyright", {
+              diagnosticMode = "openFilesOnly",
-          settings = {
+              typeCheckingMode = "standard",
-            basedpyright = {
+              inlayHints = {
-              analysis = {
+                variableTypes = true,
-                autoSearchPaths = true,
+                callArgumentNames = true,
-                useLibraryCodeForTypes = true,
+                functionReturnTypes = true,
-                diagnosticMode = "openFilesOnly",
-                typeCheckingMode = "standard",
-                inlayHints = {
-                  variableTypes = true,
-                  callArgumentNames = true,
-                  functionReturnTypes = true,
-                },
               },
             },
           },
-        })
+        },
-        vim.lsp.enable("basedpyright")
+      })
+      vim.lsp.enable("basedpyright")
 
-        vim.lsp.enable("astro")
+      vim.lsp.enable("astro")
-      end,
+
-    },
+      vim.lsp.config("tinymist", {
+        settings = {
+          tinymist = {
+            formatterMode = "typstyle",
+          },
+        },
+      })
+      vim.lsp.enable("tinymist")
+
+      vim.lsp.config("ltex_plus", {
+        settings = {
+          ltex = {
+            language = "nl",
+          },
+        },
+      })
+      vim.lsp.enable("ltex_plus")
+
+      vim.lsp.enable("harper_ls")
+    end,
   },
 })

modules/home-manager/nixCats/lua/plugins/ui.lua

@@ -195,4 +195,16 @@ require("lz.n").load({
       })
     end,
   },
+  {
+    "zen-mode.nvim",
+    after = function()
+      require("zen-mode").setup({
+        window = {
+          options = {
+            linebreak = true,
+          },
+        },
+      })
+    end,
+  },
 })

modules/home-manager/rclone.nix

@@ -1,32 +1,70 @@
-{ config, ... }:
+{
+  config,
+  pkgs,
+  ...
+}:
 {
   programs.rclone = {
     enable = true;
-    remotes = {
-      gdrive = {
-        config = {
-          type = "drive";
-          scope = "drive";
 
-          root_folder_id = "";
+    # Give rclone access to the ssh agent
+    package = pkgs.writeShellScriptBin "rclone" ''
+      export GNUPGHOME="${config.xdg.dataHome}/gnupg"
+      export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
+      exec ${pkgs.rclone}/bin/rclone "$@"
+    '';
+
+    remotes = {
+      # gdrive = {
+      #   config = {
+      #     type = "drive";
+      #     scope = "drive";
+      #
+      #     root_folder_id = "";
+      #   };
+      #
+      #   secrets = {
+      #     token = "${config.xdg.configHome}/rclone/gdrive_token";
+      #
+      #     client_id = "${config.xdg.configHome}/rclone/gdrive_client_id";
+      #     client_secret = "${config.xdg.configHome}/rclone/gdrive_client_secret"; # TODO: sops?
+      #   };
+      #
+      #   mounts = {
+      #     "/" = {
+      #       enable = true;
+      #       mountPoint = "${config.home.homeDirectory}/gdrive";
+      #
+      #       options = {
+      #         dir-cache-time = "5m";
+      #         poll-interval = "10s";
+      #       };
+      #     };
+      #   };
+      # };
+
+      orion = {
+        config = {
+          type = "sftp";
+          user = config.var.username;
         };
 
         secrets = {
-          token = "${config.xdg.configHome}/rclone/gdrive_token";
+          host = config.sops.secrets.orion_ip.path;
-
-          client_id = "${config.xdg.configHome}/rclone/gdrive_client_id";
-          client_secret = "${config.xdg.configHome}/rclone/gdrive_client_secret"; # TODO: sops?
         };
 
         mounts = {
-          "/" = {
+          "/var/lib/filebrowser/files" = {
             enable = true;
-            mountPoint = "${config.home.homeDirectory}/gdrive";
+
+            mountPoint = "${config.home.homeDirectory}/orion";
 
             options = {
-              dir-cache-time = "5000h";
+              dir-cache-time = "5m";
               poll-interval = "10s";
-              vfs-cache-mode = "full";
+              # Network optimizations
+              "buffer-size" = "32M";
+              "vfs-read-chunk-size" = "32M";
             };
           };
         };

modules/home-manager/ssh.nix

@@ -4,6 +4,15 @@
     enable = true;
     enableDefaultConfig = false;
 
+    matchBlocks = {
+      "github-work" = {
+        hostname = "github.com";
+        user = "git";
+        identityFile = "/home/kiri/.ssh/github-work.pub";
+        identitiesOnly = true;
+      };
+    };
+
     includes = [
       config.sops.secrets.ssh_config_orion.path
     ];

modules/home-manager/todoman.nix

@@ -7,7 +7,7 @@
       time_format = "%H:%M"
       default_list = "personal"
       default_due = 0
-      default_command = "list --sort due"
+      default_command = "list --sort priority,due"
       humanize = True
     '';
   };

modules/nixos/desktop.nix

@@ -7,6 +7,8 @@
     ./fonts.nix
     ./sddm.nix
     ./hyprland.nix
+    ./printing.nix
     ./systemd-boot.nix
+    ./syncthing.nix
   ];
 }

modules/nixos/filebrowser.nix

@@ -0,0 +1,128 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  storageRoot = "/var/lib/filebrowser/files";
+  publishDirName = "_publish";
+
+  processorScript = pkgs.writeShellScriptBin "process-docs" ''
+    SRC_ROOT="${storageRoot}"
+    OUT_ROOT="${storageRoot}/${publishDirName}"
+
+    # Function to compile a single file
+    compile_file() {
+      local file="$1"
+      # Remove SRC_ROOT prefix to get relative path
+      local rel_path="''${file#$SRC_ROOT/}"
+      # Construct target path (swap extension to .pdf)
+      local target="$OUT_ROOT/''${rel_path%.*}.pdf"
+      local target_dir
+      target_dir=$(${pkgs.coreutils}/bin/dirname "$target")
+
+      echo "Processing: $rel_path"
+      ${pkgs.coreutils}/bin/mkdir -p "$target_dir"
+
+      echo "Debug: Checking font visibility..."
+      typst fonts
+
+      if [[ "$file" == *.md ]]; then
+        pandoc "$file" -o "$target" --pdf-engine=typst -V mainfont="Libertinus Serif"
+      elif [[ "$file" == *.typ ]]; then
+        typst compile "$file" "$target"
+      fi
+
+      # Ensure filebrowser can read the new file
+      ${pkgs.coreutils}/bin/chown filebrowser:filebrowser "$target"
+    }
+
+    export -f compile_file
+    export SRC_ROOT OUT_ROOT
+
+    # 1. Initial Scan: Find all .md/.typ files not inside the export dir
+    # and update them if the source is newer than the target
+    ${pkgs.findutils}/bin/find "$SRC_ROOT" -type f \( -name "*.md" -o -name "*.typ" \) \
+      -not -path "$SRC_ROOT/${publishDirName}/*" | while read -r file; do
+        rel="''${file#$SRC_ROOT/}"
+        tgt="$OUT_ROOT/''${rel%.*}.pdf"
+
+        # Only compile if target doesn't exist or source is newer
+        if [ ! -f "$tgt" ] || [ "$file" -nt "$tgt" ]; then
+          compile_file "$file"
+        fi
+    done
+
+    # 2. Watcher Mode
+    echo "Starting watcher on $SRC_ROOT..."
+    # --exclude matches the export dir to prevent infinite loops
+    ${pkgs.inotify-tools}/bin/inotifywait -m -r -e close_write,moved_to \
+      --exclude "${publishDirName}" \
+      --format '%w%f' "$SRC_ROOT" | while read -r file; do
+        if [[ "$file" == *.md ]] || [[ "$file" == *.typ ]]; then
+           compile_file "$file"
+        fi
+    done
+  '';
+
+in
+{
+
+  imports = [
+    ./fonts.nix
+  ];
+
+  services.filebrowser = {
+    enable = true;
+
+    settings = {
+      root = storageRoot;
+      port = 9876;
+      branding.name = "Jelle's Files";
+    };
+  };
+
+  services.caddy.virtualHosts."files.jelles.net".extraConfig = ''
+    reverse_proxy :${toString config.services.filebrowser.settings.port}
+  '';
+
+  # Auto compile pdfs
+  systemd.services.pdf-watcher = {
+    description = "Auto-compile MD and Typst to PDF";
+    after = [ "filebrowser.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      User = "filebrowser";
+      Group = "filebrowser";
+      ExecStart = "${processorScript}/bin/process-docs";
+
+      WorkingDirectory = storageRoot;
+      Environment = [
+        "HOME=/var/lib/filebrowser"
+        "XDG_CACHE_HOME=/var/lib/filebrowser/.cache"
+        # 3"TYPST_FONT_PATHS=${lib.makeSearchPath "share/fonts" fontPackages}"
+      ];
+
+      Restart = "always";
+    };
+
+    path = with pkgs; [
+      typst
+      pandoc
+    ];
+  };
+
+  # Allow my user to access the filebrowser directory
+  users.users."${config.var.username}".extraGroups = [ "filebrowser" ];
+
+  systemd.services.filebrowser.serviceConfig = {
+    UMask = lib.mkForce "0007";
+  };
+
+  systemd.tmpfiles.rules = [
+    "Z /var/lib/filebrowser 0750 filebrowser filebrowser -" # Explicitly secure the data dir root
+    "Z /var/lib/filebrowser/files 2770 filebrowser filebrowser -" # Sticky group on files
+  ];
+}

modules/nixos/fonts.nix

@@ -20,6 +20,12 @@
       nerd-fonts.meslo-lg
       openmoji-color
       twemoji-color-font
+
+      fira-sans
+      merriweather
+
+      lexend
+      literata
     ];
 
     enableDefaultPackages = false;

modules/nixos/homepage.nix

@@ -0,0 +1,165 @@
+{ config, pkgs, ... }:
+let
+  # Define standard colors/icons for consistency
+  domain = "jelles.net";
+in
+{
+  # Enable the Homepage Dashboard service
+  services.homepage-dashboard = {
+    enable = true;
+    listenPort = 8082; # Different from Glance (8101)
+    allowedHosts = "dashboard.${domain}";
+
+    # 1. Service Discovery & API Secrets
+    # For live stats (widgets), Homepage needs API keys.
+    # You can reference sops secrets here if you map them to a file readable by the homepage user.
+    # For now, I have set them to placeholders or disabled the API widgets where secrets are required.
+
+    services = [
+      {
+        "Personal" = [
+          {
+            "Home Assistant" = {
+              href = "https://home.${domain}";
+              description = "Smart Home Control";
+              icon = "home-assistant.png";
+              # To enable live stats (lights on, etc), un-comment and add a Long Lived Access Token:
+              # widget = {
+              #   type = "homeassistant";
+              #   url = "http://127.0.0.1:8123";
+              #   key = "YOUR_LONG_LIVED_TOKEN";
+              # };
+            };
+          }
+          {
+            "Actual Budget" = {
+              href = "https://finance.${domain}";
+              description = "Finance Tracking";
+              icon = "actual-budget.png";
+            };
+          }
+          {
+            "Vaultwarden" = {
+              href = "https://vault.${domain}";
+              description = "Password Manager";
+              icon = "bitwarden.png";
+              # Widget to show status
+              widget = {
+                type = "vaultwarden";
+                url = "https://vault.${domain}";
+              };
+            };
+          }
+          {
+            "Radicale" = {
+              href = "https://radicale.${domain}";
+              description = "Calendar & Contacts";
+              icon = "radicale.png";
+            };
+          }
+        ];
+      }
+      {
+        "Code & Files" = [
+          {
+            "Gitea" = {
+              href = "https://git.${domain}";
+              description = "Git Server";
+              icon = "gitea.png";
+            };
+          }
+          {
+            "FileBrowser" = {
+              href = "https://files.${domain}";
+              description = "Web File Manager";
+              icon = "filebrowser.png";
+            };
+          }
+        ];
+      }
+      {
+        "Websites" = [
+          {
+            "Community" = {
+              href = "https://community.${domain}";
+              icon = "globe.png";
+              description = "Community Site";
+            };
+          }
+          {
+            "Zentire" = {
+              href = "https://zentire.${domain}";
+              icon = "globe.png";
+              description = "Zentire Site";
+            };
+          }
+        ];
+      }
+    ];
+
+    # 2. Widgets (Calendar, Search, Resources)
+    widgets = [
+      {
+        search = {
+          provider = "google";
+          target = "_blank";
+        };
+      }
+      {
+        # Shows system stats. Requires 'glances' or similar installed,
+        # but Homepage can also just show simple resources if running locally.
+        resources = {
+          cpu = true;
+          memory = true;
+          disk = "/";
+        };
+      }
+      {
+        # Calendar Widget linked to Radicale
+        # You need the "Private Export URL" for your calendar from Radicale.
+        calendar = {
+          showTime = true;
+          maxEvents = 10;
+          integrations = [
+            {
+              type = "ical";
+              url = "https://radicale.${domain}/kiri/personal.ics"; # Verify this path in your Radicale
+              name = "Personal";
+              color = "blue";
+              # If your Radicale is private, you might need to pass auth in the URL
+              # e.g. https://user:pass@radicale.jelles.net/...
+            }
+          ];
+        };
+      }
+    ];
+
+    settings = {
+      title = "Orion Dashboard";
+      background = {
+        # Using the wallpaper from your config if accessible, or a hex color
+        image = "https://raw.githubusercontent.com/anotherhadi/awesome-wallpapers/refs/heads/main/app/static/wallpapers/leef_dark_purple_minimalist.png";
+        opacity = 50;
+      };
+      layout = {
+        "Personal" = {
+          style = "row";
+          columns = 4;
+        };
+        "Code & Files" = {
+          style = "row";
+          columns = 2;
+        };
+        "Websites" = {
+          style = "row";
+          columns = 2;
+        };
+      };
+    };
+  };
+
+  # Expose Homepage via Caddy
+  services.caddy.virtualHosts."dashboard.${domain}".extraConfig = ''
+    reverse_proxy :8082
+  '';
+}

modules/nixos/printing.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [
+      cups-filters
+      cups-browsed
+      cnijfilter2
+    ];
+  };
+
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    openFirewall = true;
+  };
+}

modules/nixos/syncthing.nix

@@ -0,0 +1,73 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  devices = {
+    "altair" = {
+      id = "HDHWROJ-ZLNQKCL-PN6WGHA-IGJHIRI-3UHDYUU-LUJHYK4-UMKWLAZ-VFISJQF";
+    };
+    "orion" = {
+      id = "7ESQ3BX-FEW7656-ZPT3CKF-FLXON26-HXRNTDW-THSJBNF-LFWCHFB-ASP4WAG";
+    };
+    "polaris" = {
+      id = "6YBO3OK-3QVMKWL-ZOS4ZTF-G53CY6K-WYZJNFG-DTYCUA4-WJF2LRC-PJT3NAL";
+    };
+  };
+
+  username = config.var.username;
+  hostname = config.var.hostname;
+  isOrion = hostname == "orion";
+
+  # On desktops, sync to home directory. On server, sync to filebrowser storage.
+  syncPath = if isOrion then "/var/lib/filebrowser/files" else "/home/${username}/sync";
+  group = if isOrion then "filebrowser" else "users";
+in
+{
+  # 1. Firewall rules for synchronization
+  networking.firewall = {
+    allowedTCPPorts = [ 22000 ];
+    allowedUDPPorts = [
+      22000
+      21027
+    ];
+  };
+
+  # 3. Syncthing Service Configuration
+  services.syncthing = {
+    enable = true;
+
+    user = username;
+    group = group;
+
+    overrideDevices = true; # Overrides any devices added via Web UI
+    overrideFolders = true; # Overrides any folders added via Web UI
+
+    settings = {
+      devices = devices;
+
+      folders = {
+        "sync" = {
+          path = syncPath;
+          devices = builtins.attrNames devices; # Share with all defined devices
+          # Ensure new files are readable by the group (chmod 770 approx)
+          ignorePerms = true;
+        };
+      };
+
+      gui = {
+        # access the GUI on localhost:8384
+        theme = "black";
+      };
+    };
+  };
+
+  # 4. Permission Hardening for Orion
+  # Force syncthing to write files with group-write permissions (007 umask = 770 perms)
+  systemd.services.syncthing.serviceConfig.UMask = lib.mkIf isOrion "0007";
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/syncthing 0700 ${username} ${group} -"
+  ];
+}

modules/themes/kanagawa-wave.nix

@@ -133,23 +133,6 @@
     };
 
     polarity = "dark";
-    image = pkgs.fetchurl {
+    image = ./wallpapers/green_leaves_minimalist.png;
-      url = "https://files.jelles.net/public/green-leaves.png";
-      sha256 = "sha256-XVj5dDJL383QqUjmdqjpr35odXIU0sQO5WM9yAuRgN0=";
-    };
-    # image = pkgs.fetchurl {
-    #   url = "https://raw.githubusercontent.com/anotherhadi/awesome-wallpapers/refs/heads/main/app/static/wallpapers/leef_dark_purple_minimalist.png";
-    #   sha256 = "sha256-q6ufFdC/tMSb+mllw7XhilkAObemXXyps2SBlnMt7mY=";
-    # };
-
-    # image = pkgs.fetchurl {
-    #   url = "https://raw.githubusercontent.com/anotherhadi/awesome-wallpapers/refs/heads/main/app/static/wallpapers/alone-cloud_dark.png";
-    #   sha256 = "sha256-L4Esjo6LEwhBEN29WX445F+54rlnvOtAMKsQz8Qpyuc=";
-    # };
-
-    # image = pkgs.fetchurl {
-    #   url = "https://raw.githubusercontent.com/anotherhadi/awesome-wallpapers/refs/heads/main/app/static/wallpapers/the-cloud-is-hidding-the-moon_dark.png";
-    #   sha256 = "sha256-EEH2cHsVromD+X5VFF3YObNuSSRbDnpfqEN6fjCztbc=";
-    # };
   };
 }

secrets/default.nix

@@ -13,6 +13,7 @@
     secrets = {
       radicale_pass = { };
       university_calendar_url = { };
+      orion_ip = { };
       ssh_config_orion = {
         mode = "0600";
       };

secrets/secrets.yaml

@@ -1,6 +1,7 @@
 radicale_pass: ENC[AES256_GCM,data:zdUxtJKNPC8SzajhFKo=,iv:H55GWMiQLJvZx6rAufkk807lZflg0sepxoq6z0XJ/q4=,tag:MoDOuF37PeF7QEpUxBntEg==,type:str]
 university_calendar_url: ENC[AES256_GCM,data:y5UtZVC0KJPUz//6S0QsrNeFGQshc88zieQgmlur75VFw9y5CJpnZRpdhLnYva00z5HBkxYQelLqS/I5GrXexWtC7Y7d1dCcQ+IZ0K7GGJ5NrYtjNXfMhzNSlhqjvl5lBGb+S565kel3VsCTyo/YRxdbBN6FA/oQNsx8/AvTgtsPeFkQRDGlGkybFRfWHWuTIDLL,iv:rZK9utRrm/KAkVRUjC3VR09MvDZjpoLx7BgaidzQo3o=,tag:tGWGoQCsS3zZh818OKixPw==,type:str]
 ssh_config_orion: ENC[AES256_GCM,data:P2jH5BDIzeHSIwTBcZwTOXKes727xK0Xoj9W64GmEszEPZw8vA==,iv:hSY9mFdC82pBbOjMFuzoR2eufhjY2MGERJ4ODmcogbA=,tag:ejF535LrQwwH66nQG3qLGw==,type:str]
+orion_ip: ENC[AES256_GCM,data:RCK6EKOEDaTu1uR2d/8=,iv:5JhIkVQEELB6MoPh49xq+0CrbPjI/6+qfqUHRqCza5s=,tag:+00T4+pWOWRj7R1ft39HAw==,type:str]
 sops:
     age:
         - recipient: age122w85pqj508ukv0rd388mahecgfckmpgnsgz0zcyec37ljae2epsdnvxpl
@@ -21,7 +22,7 @@ sops:
             ODdTa0VlYjg0ajJuUWhiRVUrR1VSTHMK6NVeKyMTomvZoqAtJN1SshIZdd2fHFBy
             Waghxmi6x/93lf54E1ZiXZQ+LDCjqqmMY8jgoF00XCo0WeURlHXpaw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-29T18:05:48Z"
+    lastmodified: "2025-12-01T16:01:07Z"
-    mac: ENC[AES256_GCM,data:j0pHRA3c5lRdyLjqxlP2MTzIYb3WYAy7p+FttOjTQpXcyT5dFykXuu8rv+MQTmWdvHLQKC4iuZ7HTSO9qx8SbAuxHBWpoycpy3cZpmFp5T5crCl65AVQ/yRZKD9gRxkhnVW7aAK1kC3Mq07PamznvX/b7eEJ8h3tvmymuw6z/vY=,iv:W430t2YAXVcJztbO+fNdlOyjjy6+cH5r5YwuM2QdIdc=,tag:dDRJSslL9/Hac465A/TstA==,type:str]
+    mac: ENC[AES256_GCM,data:LAXl/FJafDOEOYrukqfzGMIXZzihX2zHMIQaR735MHWsTr3DSkCUqZ5IPEn9EmUSDkO8SaS0QdhRk0h7IhzS4MOsAAMdEtAEec4k0f9sMCLRWbV/G4tYxESPeuQNwdwS0iPsBsMQgvH93u7ttR59zyzQE1izal5nMwK3yQmNV5s=,iv:R3bnPXQY38Zf9BJuEP+inbRIVvAmLvEyGrlWzl3N9YI=,tag:eetYNetPvKXiJnR7AA3dwA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0