chore: clean up tree-wide

.sops.yaml

@@ -1,7 +1,7 @@
 keys:
   - &admin age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: \.(yaml|json|env|ini)$
     key_groups:
     - age:
       - *admin

flake.nix

@@ -1,4 +1,5 @@
 {
+  # TODO: use flake-parts and remove snowfall-lib
   outputs =
     inputs:
     inputs.snowfall-lib.mkFlake {
@@ -17,6 +18,7 @@
 
     # The following are used for less boilerplate.
     flake-parts.url = "github:hercules-ci/flake-parts";
+    #TODO: remove snowfall
     snowfall-lib = {
       url = "github:snowfallorg/lib";
       inputs.nixpkgs.follows = "nixpkgs";

homes/x86_64-linux/rafiq/cli/default.nix

@@ -1,12 +1,8 @@
-{ inputs, pkgs, ... }:
+{ pkgs, inputs, ... }:
 {
+  imports = [ inputs.nix-index-database.hmModules.nix-index ];
   programs = {
-    nh.enable = true;
-    tealdeer = {
-      enable = true;
-      enableAutoUpdates = true;
-      settings.updates.auto_update = true;
-    };
+    tealdeer.enable = true;
     direnv = {
       enable = true;
       nix-direnv.enable = true;
@@ -19,22 +15,20 @@
   home = {
     shellAliases = {
       windows = "sudo systemctl reboot --boot-loader-entry=auto-windows";
-      v = "nvim";
+      v = "$EDITOR";
       e = "edit";
-      cd = "z";
+      cd = "z"; # zoxide
       ai = "aichat -r %shell% -e";
     };
     packages = with pkgs; [
       ripgrep
       aichat
-      devenv
       pantheon.rebuild
       pantheon.deploy
       pantheon.edit
       pantheon.commit
     ];
   };
-
   xdg.configFile."aichat/config.yaml".text = ''
     model: gemini:gemini-2.0-flash
     clients:

homes/x86_64-linux/rafiq/cli/editor/_nvf/autocomplete.nix

@@ -3,28 +3,23 @@
   blink-cmp = {
     enable = true;
     friendly-snippets.enable = true;
-    sourcePlugins = {
-      ripgrep.enable = true;
-    };
+    sourcePlugins.ripgrep.enable = true;
     setupOpts = {
-      completion.documentation.auto_show_delay_ms = 0;
-      signature.enabled = true;
+      # Disable completion in markdown files
+      # TODO: Disable completion when in comments
       enabled =
         lib.generators.mkLuaInline
           # lua
           ''
-            --- Disable completion for markdown
             function()
               return not vim.tbl_contains({"markdown"}, vim.bo.filetype)
                 and vim.bo.buftype ~= "prompt"
                 and vim.b.completion ~= false
             end
           '';
-      cmdline = {
-        enabled = true;
-        sources = null;
-        completion.menu.auto_show = false;
-      };
+      completion.documentation.auto_show_delay_ms = 0;
+      # Show e.g. function parameters
+      signature.enabled = true;
     };
   };
 }

homes/x86_64-linux/rafiq/cli/editor/_nvf/binds.nix

@@ -1,15 +1,6 @@
 {
-  hardtime-nvim = {
-    enable = true;
-    setupOpts = {
-      max_count = 1;
-      disabled_keys = {
-        "<Up>" = [ ];
-        "<Down>" = [ ];
-        "<Right>" = [ ];
-        "<Left>" = [ ];
-      };
-    };
-  };
+  hardtime-nvim.enable = true;
+  # Hint when movements are inefficient but don't block
+  hardtime-nvim.setupOpts.restriction_mode = "hint";
   whichKey.enable = true;
 }

homes/x86_64-linux/rafiq/cli/editor/_nvf/keymaps.nix

@@ -1,23 +0,0 @@
-[
-  {
-    desc = "Open the file path under the cursor, making the file if it doesn't exist.";
-    key = "gf";
-    mode = "n";
-    action = ":cd %:p:h<CR>:e <cfile><CR>";
-    silent = true;
-  }
-  {
-    desc = "";
-    key = "<C-u>";
-    mode = "n";
-    action = "<C-u>zz";
-    silent = true;
-  }
-  {
-    desc = "";
-    key = "<C-d>";
-    mode = "n";
-    action = "<C-d>zz";
-    silent = true;
-  }
-]

homes/x86_64-linux/rafiq/cli/editor/_nvf/lsp.nix

@@ -1,7 +1,9 @@
 {
   enable = true;
+  # Show virtual text hints
   inlayHints.enable = true;
   lightbulb.enable = true;
+  # Show icons for lsp actions
   lspkind.enable = true;
   null-ls.enable = true;
   otter-nvim = {

homes/x86_64-linux/rafiq/cli/editor/_nvf/notes.nix

@@ -1,3 +0,0 @@
-{
-  todo-comments.enable = true;
-}

homes/x86_64-linux/rafiq/cli/editor/_nvf/options.nix

@@ -1,9 +0,0 @@
-{
-  autoindent = true;
-  backspace = "indent,eol,start";
-  cursorline = true;
-  expandtab = true;
-  shiftwidth = 2;
-  smartindent = true;
-  tabstop = 2;
-}

homes/x86_64-linux/rafiq/cli/editor/_nvf/treesitter.nix

@@ -1,6 +0,0 @@
-{
-  autotagHtml = true;
-  fold = true;
-  indent.disable = [ "markdown" ];
-  textobjects.enable = true;
-}

homes/x86_64-linux/rafiq/cli/editor/_nvf/ui.nix

@@ -4,10 +4,13 @@
     globalStyle = "rounded";
   };
   breadcrumbs.enable = true;
+  # Show color values e.g. #ffffff
   colorizer.enable = true;
+  # Highlight matching symbols
   illuminate.enable = true;
   noice.enable = true;
   noice.setupOpts.notify.enabled = false;
+  # Make folds look nicer
   nvim-ufo.enable = true;
   smartcolumn.enable = true;
 }

homes/x86_64-linux/rafiq/cli/editor/_nvf/utility.nix

@@ -1,6 +1,4 @@
 {
-  ccc.enable = true;
-  mkdir.enable = true;
   motion.hop.enable = true;
   yazi-nvim = {
     enable = true;

homes/x86_64-linux/rafiq/cli/editor/_nvf/visuals.nix

@@ -2,7 +2,6 @@
   indent-blankline.enable = true;
   fidget-nvim.enable = true;
   fidget-nvim.setupOpts.notification.override_vim_notify = true;
-  nvim-cursorline.enable = true;
   nvim-web-devicons.enable = true;
   rainbow-delimiters.enable = true;
 }

homes/x86_64-linux/rafiq/cli/editor/default.nix

@@ -1,31 +1,45 @@
-{ lib, pkgs, ... }:
-let
-  inherit (lib) singleton;
-in
 {
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+{
+  imports = [ inputs.nvf.homeManagerModules.default ];
   home.sessionVariables.EDITOR = "nvim";
-  persistDirs = singleton ".local/share/nvf";
   programs.nvf.enable = true;
   programs.nvf.settings.vim = {
-    hideSearchHighlight = true;
     syntaxHighlighting = true;
-    telescope.enable = true;
+    hideSearchHighlight = true;
     searchCase = "ignore";
+    undoFile.enable = true;
+    telescope.enable = true;
     fzf-lua.enable = true;
     git.enable = true;
-    undoFile.enable = true;
     autopairs.nvim-autopairs.enable = true;
     autocomplete = import ./_nvf/autocomplete.nix { inherit lib; };
     binds = import ./_nvf/binds.nix;
-    keymaps = import ./_nvf/keymaps.nix;
     languages = import ./_nvf/languages.nix;
     lsp = import ./_nvf/lsp.nix;
     navigation = import ./_nvf/navigation.nix;
-    notes = import ./_nvf/notes.nix;
-    options = import ./_nvf/options.nix;
+    notes.todo-comments.enable = true;
+    options = {
+      autoindent = true;
+      backspace = "indent,eol,start";
+      cursorline = true;
+      expandtab = true;
+      shiftwidth = 2;
+      smartindent = true;
+      tabstop = 2;
+    };
     snippets = import ./_nvf/snippets.nix { inherit pkgs; };
     statusline = import ./_nvf/statusline.nix;
-    treesitter = import ./_nvf/treesitter.nix;
+    treesitter = {
+      autotagHtml = true;
+      fold = true;
+      indent.disable = [ "markdown" ];
+      textobjects.enable = true;
+    };
     ui = import ./_nvf/ui.nix;
     utility = import ./_nvf/utility.nix;
     visuals = import ./_nvf/visuals.nix;

homes/x86_64-linux/rafiq/cli/fetch.nix

@@ -1,10 +1,7 @@
-{ lib, pkgs, ... }:
-let
-  inherit (lib) singleton;
-in
+{ pkgs, ... }:
 {
   home = {
-    packages = singleton pkgs.fastfetch;
+    packages = [ pkgs.fastfetch ];
     sessionVariables.FETCH = "hyfetch";
     shellAliases.fetch = "hyfetch";
   };
@@ -16,8 +13,8 @@ in
       light_dark = "dark";
       lightness = 0.5;
       color_align = {
+        # Flag color alignment
         mode = "horizontal";
-        custom_colors = [ ];
         fore_back = null;
       };
       backend = "fastfetch";

homes/x86_64-linux/rafiq/cli/file-browser.nix

@@ -3,18 +3,6 @@
   programs.yazi = {
     enable = true;
     shellWrapperName = "t";
-    settings = {
-      mgr = {
-        sort_by = "natural";
-      };
-      opener = {
-        play = [
-          {
-            run = "vlc \"$@\"";
-            desc = "Open";
-          }
-        ];
-      };
-    };
+    settings.mgr.sort_by = "natural";
   };
 }

homes/x86_64-linux/rafiq/cli/finder.nix

@@ -1,6 +1,5 @@
 {
-  programs.fzf = {
-    enable = true;
-    enableZshIntegration = true;
-  };
+  programs.fzf.enable = true;
+  #TODO: fish
+  programs.fzf.enableZshIntegration = true;
 }

homes/x86_64-linux/rafiq/cli/multiplexer.nix

@@ -4,11 +4,16 @@
   pkgs,
   ...
 }:
+let
+  zjstatus = inputs.zjstatus.packages.${pkgs.stdenv.hostPlatform.system}.default;
+in
 {
   home.sessionVariables.MULTIPLEXER = "zellij";
+  # Persists sessions
   persistDirs = [ "/.cache/zellij" ];
   programs.zellij = {
     enable = true;
+    #TODO: fish
     enableZshIntegration = true;
     settings = {
       pane_frames = false;
@@ -19,44 +24,38 @@
   xdg.configFile."zellij/layouts/default.kdl".text = # kdl
     ''
       layout {
-          default_tab_template {
-              pane size=1 borderless=true {
-                  plugin location="file:${
-                    inputs.zjstatus.packages.${pkgs.stdenv.hostPlatform.system}.default
-                  }/bin/zjstatus.wasm" {
-                      format_left   "{mode} ${osConfig.hostname}"
-                      format_center "{tabs}"
-                      format_right  "{datetime}"
-                      format_space  ""
-                      format_hide_on_overlength "true"
-                      format_precedence "lrc"
+        default_tab_template {
+          pane size=1 borderless=true {
+            plugin location="file:${zjstatus}/bin/zjstatus.wasm" {
+              format_left   "{mode} ${osConfig.hostname}"
+              format_center "{tabs}"
+              format_right  "{datetime}"
+              format_space  ""
+              format_hide_on_overlength "true"
+              format_precedence "lrc"
 
-                      border_enabled  "false"
-                      border_char     "─"
-                      border_format   "#[fg=#6C7086]{char}"
-                      border_position "top"
+              border_enabled  "false"
+              hide_frame_for_single_pane "false"
 
-                      hide_frame_for_single_pane "false"
+              mode_default_to_mode "normal"
+              mode_normal  "#[bg=#89B4FA] {name} "
+              mode_locked  "#[bg=#f55e18] {name} "
+              mode_session "#[bg=#00ff00] {name} "
 
-                      mode_default_to_mode "normal"
-                      mode_normal  "#[bg=#89B4FA] {name} "
-                      mode_locked  "#[bg=#f55e18] {name} "
-                      mode_session "#[bg=#00ff00] {name} "
+              tab_normal   "#[fg=#6C7086] {index} "
+              tab_active   "#[fg=#9399B2,bold,italic] {index} "
+              tab_display_count         "3"  // limit to showing 3 tabs
+              tab_truncate_start_format "..."
+              tab_truncate_end_format   "..."
 
-                      tab_normal   "#[fg=#6C7086] {index} "
-                      tab_active   "#[fg=#9399B2,bold,italic] {index} "
-                      tab_display_count         "3"  // limit to showing 3 tabs
-                      tab_truncate_start_format "..."
-                      tab_truncate_end_format   "..."
-
-                      //TODO: disable if we are not on ssh
-                      datetime        "#[fg=#6C7086,bold] {format}"
-                      datetime_format "%H:%M:%S"
-                      datetime_timezone "Asia/Singapore"
-                  }
-              }
-              children
+              //TODO: disable if we are not on ssh
+              datetime        "#[fg=#6C7086,bold] {format}"
+              datetime_format "%H:%M:%S"
+              datetime_timezone "Asia/Singapore"
+            }
           }
+          children
+        }
       }
     '';
 }

homes/x86_64-linux/rafiq/cli/shell.nix

@@ -1,12 +1,13 @@
 { lib, pkgs, ... }:
 let
   inherit (builtins) toString;
-  inherit (lib) mkOrder;
+  inherit (lib) getExe mkOrder;
   screensaverTimeout = toString 100;
-  screensaverCommand = "${pkgs.cbonsai}/bin/cbonsai -S -w 0.1 -L 40 -M 2 -b 2";
+  screensaverCommand = "${getExe pkgs.cbonsai} -S -w 0.1 -L 40 -M 2 -b 2";
 in
 {
   home.shell.enableShellIntegration = true;
+  #TODO: change to fish
   home.sessionVariables.SHELL = "zsh";
   programs.zsh = {
     enable = true;

homes/x86_64-linux/rafiq/cli/utilities/starship.nix

@@ -4,6 +4,7 @@ let
 in
 {
   programs.starship = {
+    #TODO: enable after switching to fish
     enable = false;
     # settings = {
     #   add_newline = false;

homes/x86_64-linux/rafiq/default.nix

@@ -11,13 +11,5 @@ in
 {
   imports =
     (optional osConfig.desktop.enable (import-tree ./desktop))
-    ++ singleton (import-tree ./cli)
-    ++ [
-      inputs.nix-index-database.hmModules.nix-index
-      inputs.nvf.homeManagerModules.default
-    ];
-
-  config = {
-    stylix.image = ./desktop/wallpaper.png;
-  };
+    ++ singleton (import-tree ./cli);
 }

homes/x86_64-linux/rafiq/desktop/browser.nix

@@ -1,13 +1,13 @@
 {
   lib,
   inputs,
-  system,
+  pkgs,
   ...
 }:
 let
   inherit (builtins) map listToAttrs;
   inherit (lib.lists) findFirstIndex;
-  inherit (inputs.nur.legacyPackages.${system}.repos.rycee) firefox-addons;
+  inherit (inputs.nur.legacyPackages.${pkgs.stdenv.hostPlatform.system}.repos.rycee) firefox-addons;
   profiles = listToAttrs (
     map (name: {
       inherit name;
@@ -36,6 +36,11 @@ let
 in
 {
   home.sessionVariables.BROWSER = "firefox";
-  programs.firefox = { inherit profiles; };
+  persistDirs = [ ".mozilla/firefox" ];
+  programs.firefox = {
+    enable = true;
+    inherit profiles;
+  };
+  stylix.targets.firefox.colorTheme.enable = true;
   stylix.targets.firefox.profileNames = syncedProfiles;
 }

homes/x86_64-linux/rafiq/desktop/default.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+  persistDirs = [
+    "docs"
+    "repos"
+    "vids"
+    "tmp"
+    ".cache/Smart Code ltd/Stremio"
+    ".local/share/Smart Code ltd/Stremio"
+  ];
+  programs = {
+    obs-studio.enable = true;
+    vesktop.enable = true;
+    thunderbird.enable = true;
+    thunderbird.profiles.rafiq.isDefault = true;
+  };
+  home.packages = with pkgs; [ stremio ];
+  stylix.image = ./wallpaper.png;
+}

homes/x86_64-linux/rafiq/desktop/launcher.nix

@@ -1,7 +1,3 @@
 {
   home.sessionVariables.LAUNCHER = "fuzzel";
-  programs.wofi = {
-    style = null;
-    settings = { };
-  };
 }

homes/x86_64-linux/rafiq/desktop/lockscreen.nix

@@ -1,35 +1,29 @@
+let
+  styling = {
+    halign = "center";
+    valign = "center";
+    zindex = 1;
+    shadow_passes = 5;
+    shadow_size = 5;
+  };
+in
 {
   home.sessionVariables.LOCKSCREEN = "hyprlock";
   programs.hyprlock.settings = {
     general.hide_cursor = true;
     general.ignore_empty_input = true;
-
-    background = {
-      blur_passes = 5;
-      blur_size = 5;
-    };
-
+    background.blur_passes = 5;
+    background.blur_size = 5;
     label = {
       text = ''hi, $USER.'';
       font_size = 32;
-      halign = "center";
-      valign = "center";
       position = "0, 0";
-      zindex = 1;
-      shadow_passes = 5;
-      shadow_size = 5;
-    };
-
+    }// styling;
     input-field = {
+      placeholder_text = "";
       fade_on_empty = true;
       size = "200, 45";
-      halign = "center";
-      valign = "center";
       position = "0, -5%";
-      placeholder_text = "";
-      zindex = 1;
-      shadow_passes = 5;
-      shadow_size = 5;
-    };
+    } // styling;
   };
 }

homes/x86_64-linux/rafiq/desktop/misc.nix

@@ -1,26 +0,0 @@
-{ pkgs, ... }:
-{
-  persistDirs = [
-    "docs"
-    "repos"
-    "vids"
-    "tmp"
-    ".cache/Smart Code ltd/Stremio"
-    ".local/share/Smart Code ltd/Stremio"
-  ];
-  programs = {
-    obs-studio.enable = true;
-    vesktop = {
-      enable = true;
-      # https://github.com/Vencord/Vesktop/blob/main/src/shared/settings.d.ts
-      settings = { };
-      # https://github.com/Vendicated/Vencord/blob/main/src/api/Settings.ts
-      vencord.settings = { };
-    };
-    thunderbird.enable = true;
-    thunderbird.profiles.rafiq.isDefault = true;
-  };
-  home.packages = with pkgs; [
-    stremio
-  ];
-}

homes/x86_64-linux/rafiq/desktop/notification-daemon.nix

@@ -1,6 +1,5 @@
 {
   home.sessionVariables.NOTIFICATION_DAEMON = "mako";
-  services.mako.settings = {
-    default-timeout = 10000;
-  };
+  services.mako.enable = true;
+  services.mako.settings.default-timeout = 10000;
 }

homes/x86_64-linux/rafiq/desktop/status-bar.nix

@@ -3,6 +3,7 @@
   home.sessionVariables.STATUS_BAR = "waybar";
   stylix.targets.waybar.addCss = false;
   programs.waybar = {
+    enable = true;
     settings = [
       {
         #TODO: review the rest of the modules to see what else can be added

homes/x86_64-linux/rafiq/desktop/terminal.nix

@@ -1,5 +1,5 @@
 {
   home.sessionVariables.TERMINAL = "ghostty -e";
-  #TODO: fix image preview
+  programs.ghostty.enable = true;
   programs.ghostty.settings.confirm-close-surface = false;
 }

homes/x86_64-linux/rafiq/desktop/window-manager/_hyprland/keybinds.nix

@@ -6,10 +6,12 @@
     "$hypr, Q, exec, uwsm stop"
     "SUPER, W, killactive"
 
-    "SUPER, return, exec, uwsm app -- $TERMINAL $MULTIPLEXER"
+    "SUPER, return, exec, uwsm app -- $TERMINAL"
     "SUPER, O, exec, uwsm app -- $BROWSER"
     "SUPER, Escape, exec, uwsm app -- $LOCKSCREEN"
+    #TODO:add file browser
 
+    #TODO: make it directional
     "SUPER, H, cyclenext, visible"
     "SUPER, L, cyclenext, visible prev"
     "SUPER_ALT, H, movewindow, l"
@@ -20,25 +22,28 @@
     "ALT_SHIFT, J, resizeactive, 0 -10%"
     "ALT_SHIFT, K, resizeactive, 0 10%"
     "ALT_SHIFT, L, resizeactive, 10% 0"
-    "$hypr, V, togglefloating"
     "SUPER_CTRL, H, workspace, r-1"
     "SUPER_CTRL, L, workspace, r+1"
     "$hypr, H, movetoworkspace, r-1"
     "$hypr, L, movetoworkspace, r+1"
+
+    "$hypr, V, togglefloating"
   ];
 
   bindr = [
+    # Activates on SUPER without any other modifier
     "SUPER, Super_L, exec, uwsm app -- $($LAUNCHER --launch-prefix=\"uwsm app -- \")"
   ];
 
   bindle = [
-    "SUPER, 6, exec, wpctl set-volume -l 1.5 @DEFAULT_AUDIO_SINK@ 5%-"
+    "SUPER, 6, exec, ${pkgs.wireplumber}/bin/wpctl set-volume -l 1.5 @DEFAULT_AUDIO_SINK@ 5%-"
     "SUPER, 7, exec, ${pkgs.playerctl}/bin/playerctl previous"
     "SUPER, 8, exec, ${pkgs.playerctl}/bin/playerctl -a play-pause"
     "SUPER, 9, exec, ${pkgs.playerctl}/bin/playerctl next"
-    "SUPER, 0, exec, wpctl set-volume -l 1.5 @DEFAULT_AUDIO_SINK@ 5%+"
-    "$meh, mouse_up, resizeactive, 10% 10%"
-    "$meh, mouse_down, resizeactive, -10% -10%"
+    "SUPER, 0, exec, ${pkgs.wireplumber}/bin/wpctl set-volume -l 1.5 @DEFAULT_AUDIO_SINK@ 5%+"
+
+    "ALT, mouse_up, resizeactive, 10% 10%"
+    "ALT, mouse_down, resizeactive, -10% -10%"
   ];
 
   bindm = [

homes/x86_64-linux/rafiq/desktop/window-manager/_hyprland/settings.nix

@@ -1,30 +0,0 @@
-{
-  lib,
-  pkgs,
-  osConfig,
-  ...
-}:
-let
-  inherit (lib) mkMerge;
-  inherit (osConfig.desktop) mainMonitor;
-in
-mkMerge [
-  (import ./decoration.nix)
-  (import ./keybinds.nix { inherit pkgs; })
-  {
-    ecosystem.no_update_news = true;
-    xwayland.force_zero_scaling = true;
-
-    monitor = [
-      "${mainMonitor.id}, ${mainMonitor.resolution}@${mainMonitor.refresh-rate}, auto, ${mainMonitor.scale}"
-      ", preferred, auto, 1"
-    ];
-
-    exec-once = [
-      "uwsm app -- $LOCKSCREEN"
-      "uwsm app -- $NOTIFICATION_DAEMON"
-      "uwsm app -- $STATUS_BAR"
-    ];
-
-  }
-]

homes/x86_64-linux/rafiq/desktop/window-manager/default.nix

@@ -1,12 +1,21 @@
+{ lib, pkgs, ... }:
+let
+  inherit (lib) mkMerge;
+in
 {
-  lib,
-  pkgs,
-  osConfig,
-  ...
-}:
-{
-  wayland.windowManager.hyprland.settings = import ./_hyprland/settings.nix {
-    inherit pkgs osConfig lib;
-  };
+  wayland.windowManager.hyprland.settings = mkMerge [
+    (import ./_hyprland/decoration.nix)
+    (import ./_hyprland/keybinds.nix { inherit pkgs; })
+    {
+      ecosystem.no_update_news = true;
+      xwayland.force_zero_scaling = true;
+      monitor = [ ", preferred, auto, 1" ];
+      exec-once = [
+        "uwsm app -- $LOCKSCREEN"
+        "uwsm app -- $NOTIFICATION_DAEMON"
+        "uwsm app -- $STATUS_BAR"
+      ];
+    }
+  ];
   # TODO: add gamescope here or in nixos desktop module
 }

lib/default.nix

@@ -1,6 +1,13 @@
 { lib, ... }:
 let
-  inherit (lib) singleton;
+  inherit (lib) mkOption singleton;
+  inherit (lib.types)
+    int
+    str
+    port
+    path
+    attrs
+    ;
   inherit (lib.strings) splitString;
   inherit (builtins) length concatStringsSep tail;
 in
@@ -15,31 +22,31 @@ rec {
     if len <= count then list else (shortenList count (tail list));
 
   # Modules
-  mkAttrOption = lib.mkOption {
-    type = lib.types.attrs;
+  mkAttrOption = mkOption {
+    type = attrs;
     default = { };
   };
   mkIntOption =
     default:
-    lib.mkOption {
-      type = lib.types.int;
+    mkOption {
+      type = int;
       inherit default;
     };
-  mkStrOption = lib.mkOption {
-    type = lib.types.str;
+  mkStrOption = mkOption {
+    type = str;
     default = "";
   };
   mkPortOption =
-    port:
-    lib.mkOption {
-      type = lib.types.port;
-      default = port;
+    default:
+    mkOption {
+      type = port;
+      inherit default;
     };
   mkPathOption =
-    path:
-    lib.mkOption {
-      type = lib.types.path;
-      default = path;
+    default:
+    mkOption {
+      type = path;
+      inherit default;
     };
 
   # Domains

lib/modules/default.nix

@@ -38,6 +38,7 @@ in
       name,
       defaultPort,
       persistDirs ? [ ],
+      #TODO: specify required secrets
       extraOptions ? { },
       extraConfig ? { },
     }:

modules/home/default.nix

@@ -9,17 +9,11 @@ let
   inherit (lib.types) listOf str;
 in
 {
-  imports = [
-    inputs.impermanence.homeManagerModules.impermanence
-  ];
-
-  options = {
-    persistDirs = mkOption {
-      type = listOf str;
-      default = [ ];
-    };
+  imports = [ inputs.impermanence.homeManagerModules.impermanence ];
+  options.persistDirs = mkOption {
+    type = listOf str;
+    default = [ ];
   };
-
   config = {
     # Helper options
     home.persistence."/persist/home/${config.home.username}" = {
@@ -29,20 +23,16 @@ in
 
     # Global options
     persistDirs = [
+      # For system activation
       ".ssh"
       ".config/sops/age"
     ];
-
-    programs = {
-      ssh = {
-        enable = true;
-        extraConfig = ''
-          Host *
-            SetEnv TERM=xterm-256color
-        '';
-      };
-    };
-
+    programs.ssh.enable = true;
+    # To set colors properly when on ssh
+    programs.ssh.extraConfig = ''
+      Host *
+        SetEnv TERM=xterm-256color
+    '';
     home.stateVersion = "24.11";
   };
 }

modules/nixos/default.nix

@@ -2,7 +2,6 @@
   inputs,
   lib,
   config,
-  system,
   ...
 }:
 let
@@ -50,7 +49,6 @@ in
       default = [ ];
     };
   };
-
   config = {
     # Helper options
     environment.persistence."/persist".directories = config.persistDirs;
@@ -60,63 +58,50 @@ in
       "/var/lib/systemd"
       "/var/lib/nixos"
     ];
-
     stylix.enable = true;
-    nixpkgs = {
-      hostPlatform = system;
-      config.allowUnfree = true;
-    };
-    nix.settings = {
-      experimental-features = [
-        "nix-command"
-        "flakes"
-        "pipe-operators"
-      ];
-      trusted-users = [ "@wheel" ];
-    };
-    system.stateVersion = "25.05"; # Did you read the comment?
+    nixpkgs.config.allowUnfree = true;
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "pipe-operators"
+    ];
+    nix.settings.trusted-users = [ "@wheel" ];
+    system.stateVersion = "25.05";
     time.timeZone = "Asia/Singapore";
     i18n.defaultLocale = "en_US.UTF-8";
     users = {
+      # Don't allow imperative configuration
       mutableUsers = false;
+      users.root.openssh.authorizedKeys.keys = [ config.mainUser.publicKey ];
       groups.users = {
         gid = 100;
         members = [ "${config.mainUser.name}" ];
       };
       users."${config.mainUser.name}" = {
-        linger = true;
         uid = 1000;
         isNormalUser = true;
         hashedPasswordFile = config.sops.secrets."${config.mainUser.name}/hashedPassword".path;
         extraGroups = [ "wheel" ];
         openssh.authorizedKeys.keys = [ config.mainUser.publicKey ];
       };
-      users.root.openssh.authorizedKeys.keys = singleton config.mainUser.publicKey;
     };
-    services.getty.autologinUser = config.mainUser.name;
     security.sudo.wheelNeedsPassword = false;
     sops = {
       defaultSopsFile = get-file "secrets/secrets.yaml";
-      age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ];
+      age.sshKeyPaths = [ "/persist/home/${config.mainUser.name}/.ssh/id_ed25519" ];
       secrets = {
         "keys/openrouter" = { };
         "keys/gemini" = { };
-        "keys/cvt-jira" = { };
         "keys/cloudflare" = { };
         "keys/telegram_bot" = { };
-        "misc/cvt-jira-link" = { };
         "rafiq/hashedPassword".neededForUsers = true;
         "rafiq/personalEmailPassword" = { };
         "rafiq/workEmailPassword" = { };
-        "tailscale/client-id" = { };
-        "tailscale/client-secret" = { };
       };
     };
     environment.shellInit = # sh
       ''
         export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
-        export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path})
-        export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path})
       '';
   };
 }

modules/nixos/desktop/audio/default.nix

@@ -1,9 +1,6 @@
-{ config, ... }:
 {
-  config = {
-    services.pipewire = {
-      enable = true;
-      pulse.enable = true;
-    };
+  services.pipewire = {
+    enable = true;
+    pulse.enable = true;
   };
 }

modules/nixos/desktop/browser/firefox/default.nix

@@ -1,18 +0,0 @@
-{ lib, config, ... }:
-let
-  inherit (lib)
-    mkEnableOption
-    optional
-    singleton
-    ;
-  cfg = config.desktop.browser.firefox;
-in
-{
-  options.desktop.browser.firefox.enable = mkEnableOption "";
-
-  config.home-manager.sharedModules = optional cfg.enable {
-    persistDirs = singleton ".mozilla/firefox";
-    programs.firefox.enable = true;
-    stylix.targets.firefox.colorTheme.enable = true;
-  };
-}

modules/nixos/desktop/browser/tor-browser/default.nix

@@ -12,10 +12,6 @@ in
   options.desktop.browser.tor-browser.enable = mkEnableOption "";
 
   config = mkIf cfg.enable {
-    services.tor = {
-      enable = true;
-      client.enable = true;
-    };
     home-manager.sharedModules = singleton {
       persistDirs = singleton ".tor project";
       home.packages = singleton pkgs.tor-browser;

modules/nixos/desktop/default.nix

@@ -29,6 +29,7 @@ in
 
   config = mkIf cfg.enable {
     fonts.packages = singleton font-awesome;
+    services.getty.autologinUser = config.mainUser.name;
     home-manager.sharedModules = optional cfg.enableWaylandUtilities {
       home.packages = [ wl-clipboard-rs ];
     };

modules/nixos/desktop/notification-daemon/default.nix

@@ -1,14 +0,0 @@
-{ lib, config, ... }:
-let
-  inherit (lib) mkEnableOption singleton;
-  cfg = config.desktop.notification-daemon;
-in
-{
-  options.desktop.notification-daemon = {
-    mako.enable = mkEnableOption "";
-  };
-
-  config.home-manager.sharedModules = singleton {
-    services.mako.enable = cfg.mako.enable;
-  };
-}

modules/nixos/desktop/status-bar/default.nix

@@ -1,12 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) mkEnableOption singleton;
-  cfg = config.desktop.status-bar;
-in
-{
-  options.desktop.status-bar = {
-    waybar.enable = mkEnableOption "";
-  };
-
-  config.home-manager.sharedModules = singleton { programs.waybar.enable = cfg.waybar.enable; };
-}

modules/nixos/desktop/terminal/default.nix

@@ -1,24 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib) mkEnableOption singleton optional;
-  inherit (pkgs) kitty;
-  cfg = config.desktop.terminal;
-in
-{
-  options.desktop.terminal = {
-    kitty.enable = mkEnableOption "";
-    ghostty.enable = mkEnableOption "";
-  };
-
-  config = {
-    home-manager.sharedModules = singleton {
-      home.packages = optional cfg.kitty.enable kitty;
-      programs.ghostty.enable = cfg.ghostty.enable;
-    };
-  };
-}

modules/nixos/desktop/window-manager/hyprland/default.nix

@@ -37,6 +37,7 @@ in
         # Null the packages since we use them system wide
         package = null;
         portalPackage = null;
+        settings.monitor = [ "${mainMonitor.id}, ${mainMonitor.resolution}@${mainMonitor.refresh-rate}, auto, ${mainMonitor.scale}" ];
       };
       xdg.configFile."uwsm/env".text = # sh
         ''

modules/nixos/networking/default.nix

@@ -3,6 +3,10 @@ let
   inherit (lib) mkDefault singleton;
 in
 {
+  sops.secrets = {
+    "tailscale/client-id".sopsFile = ./tailscale.yaml;
+    "tailscale/client-secret".sopsFile = ./tailscale.yaml;
+  };
   networking = {
     enableIPv6 = false;
     useDHCP = mkDefault true;

modules/nixos/networking/tailscale.yaml

@@ -0,0 +1,18 @@
+tailscale:
+    client-id: ENC[AES256_GCM,data:kQ4H9b2h8DN+5eTvwIYHZ6s=,iv:/nC3LM0qDNj3wIm9XZd7UUn5SxmAOA1dofsDGElKjVU=,tag:AIj5F7KkORujLDe+ZOxJgw==,type:str]
+    client-secret: ENC[AES256_GCM,data:O0cKyuK+FfK2E1mzQpkgybPrqEs0fH1y3jCOG6usT++6x3sWuJNvT56OIHpVNu8GH/6BIBsnenC1J/sVNTYIzA==,iv:FugIzSjNpoe9Bwy+x/GHl0BpCtbogQXpY7s3ICevQc0=,tag:1kQIO4ekjKuvexQ923YE3g==,type:str]
+sops:
+    age:
+        - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbTNsZE5lN2JOT1Jsd2hz
+            OWpDWTFzTW05Nzl5K1AyMmgxcVV2eHlBRlF3Cnc3VW5IN014ck8zM3BIWnBMNFFt
+            UnE4aGhGNERUOTlwZEJyNWF1Q1o0RXcKLS0tIFlZSFFoaDlOMnBMSFVyT3FMbFZj
+            ckl5RVZiMnkzV0RFQXN1aHZKM2doMnMKD6BjRdqsHiKDth4aBiZ1lvlcO1OgY36O
+            cGkZjuH45L4a0Y0kvptq3iZ/iPnmX8hw8n/gdplzUkpBzdsNPebvSg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-01T21:11:39Z"
+    mac: ENC[AES256_GCM,data:YWgrMqqJgrGe+40a9CSDpAAgwPOeGXRFb58c6X6PxDHve3u5vQfHh+wkC0TFxadMsYcJTczRYf8YWuAwf7kFoO7ofYs+PfEi4ydKhl8WY9nXTsq+BFT4rDl/BaCfQw6qWD5/TKTtxm2pdtBNrG7bNeZJ8cVSOO/wsjoqrrbh3fk=,iv:8BXOX5O5apYLhZOWihagQBVldmsVoV+uEcejcO3cC0I=,tag:vansSul5Ebwooay48uYNZQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

modules/nixos/server/web-apps/mattermost/default.nix

@@ -1,93 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) singleton;
-  inherit (lib.pantheon) mkStrOption;
-  inherit (lib.pantheon.modules) mkWebApp;
-  cfg = config.server.web-apps.mattermost;
-  upstreamCfg = config.services.mattermost;
-  mkDir = directory: {
-    inherit directory;
-    inherit (upstreamCfg) user group;
-    mode = "0750";
-  };
-in
-mkWebApp {
-  inherit config;
-  name = "mattermost";
-  defaultPort = 8065;
-  persistDirs = [
-    (mkDir cfg.configDir)
-    (mkDir cfg.logDir)
-    (mkDir cfg.dataDir)
-  ];
-  extraOptions = {
-    teamName = mkStrOption;
-    configDir = mkStrOption // {
-      default = "/etc/mattermost";
-    };
-    dataDir = mkStrOption // {
-      default = "/var/lib/mattermost";
-    };
-    logDir = mkStrOption // {
-      default = "/var/log/mattermost";
-    };
-  };
-  extraConfig = {
-    assertions = [
-      {
-        assertion = config.services.postgresql.enable;
-        message = "You must enable a local instance of postgresql.";
-      }
-    ];
-    services.mattermost = {
-      enable = true;
-      inherit (cfg)
-        configDir
-        dataDir
-        logDir
-        port
-        ;
-      host = "0.0.0.0";
-      siteUrl = "https://${cfg.domain}";
-    };
-    services.matterbridge = {
-      enable = true;
-      inherit (upstreamCfg) user group;
-      configPath = config.sops.templates."matterbridge-conf".path;
-    };
-    sops.secrets."matterbridge/mattermost-password" = { };
-    sops.templates."matterbridge-conf" = {
-      owner = upstreamCfg.user;
-      content = # toml
-        ''
-          [[gateway]]
-          name="gateway1"
-          enable=true
-
-          [[gateway.inout]]
-          account="mattermost.${config.hostname}"
-          channel="matterbridge"
-
-          [mattermost.${config.hostname}]
-          Server="${cfg.domain}"
-          Team="${cfg.teamName}"
-          Login="matterbridge"
-          Password="${config.sops.placeholder."matterbridge/mattermost-password"}"
-          RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
-          PrefixMessagesWithNick=true
-          PreserveThreading=true
-        '';
-    };
-    services.nginx.virtualHosts.${cfg.domain}.locations."~ /api/v[0-9]+/(users/)?websocket$" = {
-      proxyPass = "http://${config.hostname}:${toString cfg.port}";
-      proxyWebsockets = true;
-    };
-    services.postgresql = {
-      ensureDatabases = singleton upstreamCfg.database.name;
-      ensureUsers = singleton {
-        name = upstreamCfg.database.user;
-        ensureDBOwnership = true;
-      };
-    };
-  };
-}

packages/rebuild/default.nix

@@ -1,4 +1,7 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
+let
+  inherit (lib) getExe;
+in
 pkgs.writeShellScriptBin "rebuild" # sh
   ''
     QUICK=false
@@ -54,14 +57,14 @@ pkgs.writeShellScriptBin "rebuild" # sh
 
       if "$TEST_SHELL"; then
         info "Testing $1..."
-        nh os test "''${args[@]}" || exit 1
+        ${getExe pkgs.nh} os test "''${args[@]}" || exit 1
         git diff HEAD --color=always --stat --patch
         spawn_test_shell "$1"
         info "Rebuilding $1..."
-        nh os boot "''${args[@]}" || exit 1
+        ${getExe pkgs.nh} os boot "''${args[@]}" || exit 1
       else
         info "Rebuilding $1 on $HOSTNAME..."
-        nh os switch "''${args[@]}" || exit 1
+        ${getExe pkgs.nh} os switch "''${args[@]}" || exit 1
       fi
 
       if ! "$NO_GENERATION_CHECK"; then

secrets/secrets.yaml

@@ -6,21 +6,13 @@ rafiq:
 keys:
     openrouter: ENC[AES256_GCM,data:Uddc0leKVD2xxpvDpsTJV3qZ4oe89Uz6dJMuzF/TeI5iIrG+DNIAYPcnIQiA6LDScO9mag8XNiYpYH7lyMnUg1cvThChiVhO+A==,iv:RHSrL/L74dSvLKAvGwyMME53RzKr2+RDnI8xBpDJVng=,tag:d81mr26SeStmAa8UgEF/LA==,type:str]
     gemini: ENC[AES256_GCM,data:t4XTzJLMbHBG7LNaWMwO0YyYHREYOp4Zn95Kwshunnpwq9ezVv+0,iv:ZHq1ytak7Qy5a/zHghwEIWRinDWAkk2Vxw4iu/Q/UPk=,tag:Wyk0FqLTOWelznWHg/anxg==,type:str]
-    cvt-jira: ENC[AES256_GCM,data:y9enN905hAxp9F6TPcnYdcnA7VQQjTsysltBn7k9CVtOYUDBX5UKCbO4VEE=,iv:Hy/RshBTSFqEVlHq/fi/UqNdbzBvMaBmXnSHAz0WplY=,tag:bBgB+HJdHRu4bg/f9vq9nw==,type:str]
     cloudflare: ENC[AES256_GCM,data:nrtHnQR0Oon9BrSN0AeAjl8H8B7quuwSu/Qjabe9HFpWgcZq9n1JCA==,iv:ovyHqy5iKXDYXe4H7eRA51+kODhP+vAWoc98cS/6zG0=,tag:JyktO6EMRZ00CRhTb03+fg==,type:str]
     telegram_bot: ENC[AES256_GCM,data:qGJx1Bph94oU2USjZL4h2NqV5ueCiYIvEbx84Xg687F5//MItLAS58MZdUPSuQ==,iv:WmldN5Je4miamLXCK6Cv17TTGmaBq/lde2czsEgNBi4=,tag:aU27eDE5PbYAniKEXk+MRA==,type:str]
-misc:
-    cvt-jira-link: ENC[AES256_GCM,data:J3XpDV2yjO5DMd5JF2stCBWZntTxenHuj+kXGAOs8oI=,iv:1YqJ6NF24CtA+E8ZB0M/7//xihFggyMMj0k0voaVPa0=,tag:XTZqC4gAy5ld0nFyAqL/Ww==,type:str]
 librechat:
     creds_key: ENC[AES256_GCM,data:/fzPgZiDnyWZalJUBFpFQ2/anxvbX3XLp18n+x1xfzOMisq52ISB5VJOzi9xaNRNruQEoh/lva9gDbIgNyzduA==,iv:xGgufMc/tPOLCKEb2MnEkxmf0FPpENGW1FcCm15CW6k=,tag:9aR+DndXkCg1sboxTFuygQ==,type:str]
     creds_iv: ENC[AES256_GCM,data:fbBD9RsuEHwDETwiYtAS9kBxgTy6zubrxHWpcuoEsR0=,iv:uZcwIfDPPn4XUf8IZkI29VH9CiKvEOlWuUaWgSjl1Kc=,tag:qbgiQU7bWSFjoGEwoptCpg==,type:str]
     jwt_secret: ENC[AES256_GCM,data:ZhDNIXrCaRWWfrlPxpBfnmeUluW0z72KGpQv9mGyf1kCCnfx3V2lPMm6QS6biajC+4oPVfgwqcXc4Lvs8OqU9g==,iv:1Ecj8fh+M5kw8cmVD96U6QgE7fNy9cbQV9v2Q305puc=,tag:U1ZglGWdTH1TGfcIIORMHQ==,type:str]
     jwt_refresh_secret: ENC[AES256_GCM,data:/4X6h51oRRaOg7UZ/zUcS1L8QyFnhsTYrz8D6R3ZP/tFAEMO/IfYJHHQQ8UtgKjAEwIVYcpIco8lUDhm06folw==,iv:02/LgoiMZ6MzBSd+JAi+iuF3dzqsVyqX6gQfWPY8sIc=,tag:5VrCh7ZKNJD3ynjcyQpVyg==,type:str]
-matterbridge:
-    mattermost-password: ENC[AES256_GCM,data:sMk4M2gADl1iPA7XEH1/D3sw,iv:YnTYTo0NVJVLtS/uhaodoCuyDqJf6IKCojKFljKSFCE=,tag:8vEK0RyxopiPUcML6hwqpg==,type:str]
-tailscale:
-    client-id: ENC[AES256_GCM,data:YxL4lpnSpz+UQQdoVK/KC/o=,iv:ZGV/ZAdvpmUUlRcbP60ALcxMVzdiXiAxedRyl4sZbaQ=,tag:18Qmvw9aK8CaUUKXE7C7MA==,type:str]
-    client-secret: ENC[AES256_GCM,data:+PZ3iqj/s6HOoCZJqglt+uzGXy5bJmnqqt7dQReZj/5HTNUlE+QqnCdXNoQkGqnuZ/TN44AExZpowh6NXYyGVQ==,iv:LCZgNZz7qCfk1zXcZTczSoA0a9BF36sV+IpB+ce73P0=,tag:E/vVE6persTCPKbOvvmTjw==,type:str]
 sops:
     age:
         - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
@@ -32,7 +24,7 @@ sops:
             WXFKbjNMWDF0LzNyekJJMGFva2diemcKQTc8ODuK6IWqRhulHiCF92aU+3p23riY
             M94Nzh+VT6QTFOgb3J7bBJMLhRH/fkQb6L6ia2n9QrVXFyYYMJ0oBw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-29T19:38:14Z"
-    mac: ENC[AES256_GCM,data:vn5y4Jlbv6foOB15XWE8kVsxIfTqswUDNsOoOyL/84AZtD69E5QpiUE6ed1DmQAcKxEI/H8OYbdijFYJ5jB8CGp8huwuQ4h+dYKDV+OtX7uk6w2E31fcJ54xCYdpHA3rTyiEh3S5aS+YLcEsHWmHlwebBxYg3tIwXDSOcVrIGgo=,iv:KfpSrigxu8dxjHO1sINTAuZ0mfRVsHsliqHRxfWQq4E=,tag:z3lBzeBETxZOQ9/hSFd/cg==,type:str]
+    lastmodified: "2025-07-01T21:34:46Z"
+    mac: ENC[AES256_GCM,data:NvJ6lCb80dsVMH4T4f4ZPO0b4JI44LfMvdanVaWtXDpi6FHJsF4OY8dftIyTBjacaLzdrVoT+JFfP3BrAnuEaZrCrfE1E+IRF4x/9NG4c4Cw++Jxgs7z7d01iYEjWJoVVPCLVnV32LGIq6nQltx2GFEVAsvV5zukJ/aJjvcIpQA=,iv:FWGaIdok23jgxMUs3d5ddK2iyJoOBliwv/yJDxmKLE0=,tag:FfLYymjZEJtW4cfFNhlNFg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

systems/x86_64-linux/desktop.nix

@@ -1,13 +1,9 @@
 {
   desktop = {
     enable = true;
-    browser.firefox.enable = true;
     lockscreen.hyprlock.enable = true;
     launcher.fuzzel.enable = true;
     media-player.vlc.enable = true;
-    notification-daemon.mako.enable = true;
-    status-bar.waybar.enable = true;
-    terminal.ghostty.enable = true;
     window-manager.hyprland.enable = true;
   };