19 files changed, 117 insertions, 45 deletions

diff --git a/modules/root/bluetooth.nix b/modules/root/bluetooth.nix
index d55eade..1f41c7e 100644
--- a/modules/root/bluetooth.nix
+++ b/modules/root/bluetooth.nix
@@ -3,7 +3,7 @@
 		bluetooth.enable = lib.mkEnableOption "enables bluetooth support";
 	};
 
-	config = {
+	config = lib.mkIf config.bluetooth.enable {
 		hardware.bluetooth.enable = true;
 		services.blueman.enable = true;
 	};
diff --git a/modules/root/default.nix b/modules/root/default.nix
index e108318..7f647b5 100644
--- a/modules/root/default.nix
+++ b/modules/root/default.nix
@@ -5,6 +5,7 @@
 		./bluetooth.nix
 		./bootloader.nix
 		./doas.nix
+		./firewall.nix
 		./fonts.nix
 		./home-manager.nix
 		./hosts.nix
@@ -17,7 +18,9 @@
 		./printing.nix
 		./secrets.nix
 		./ssh.nix
+		./suspend.nix
 		./tlp.nix
+		./udev.nix
 		./wifi.nix
 		./x11.nix
 		./zsh.nix
@@ -44,6 +47,7 @@
 	printing.enable        = lib.mkDefault true;
 	tlp.enable             = lib.mkDefault true;
 	scanning.enable        = lib.mkDefault true;
+	suspend.enable         = lib.mkDefault true;
 	wifi.enable            = lib.mkDefault true;
 	xserver.enable         = lib.mkDefault true;
 	zsh.enable             = lib.mkDefault true;
diff --git a/modules/root/firewall.nix b/modules/root/firewall.nix
new file mode 100644
index 0000000..e038cbe
--- /dev/null
+++ b/modules/root/firewall.nix
@@ -0,0 +1,7 @@
+{
+	networking.firewall = {
+		allowedTCPPorts = [
+			8080
+		];
+	};
+}
diff --git a/modules/root/fonts.nix b/modules/root/fonts.nix
index 3ae8eef..256e1ab 100644
--- a/modules/root/fonts.nix
+++ b/modules/root/fonts.nix
@@ -7,10 +7,8 @@
 		fonts.packages = with pkgs; [
 			commit-mono
 			inter
+			nerd-fonts.jetbrains-mono
 			tamzen
-			(nerdfonts.override {
-				fonts = [ "JetBrainsMono" ];
-			})
 		];
 	};
 }
diff --git a/modules/root/hosts.nix b/modules/root/hosts.nix
index 14daaf1..cb526f2 100644
--- a/modules/root/hosts.nix
+++ b/modules/root/hosts.nix
@@ -1,10 +1,12 @@
-{
+{ hostname, ... }: {
+	networking.hostName = hostname;  # From flake.nix
 	networking.hosts = {
 		"192.168.1.9"   = [ "optiplex" ];
 		"192.168.1.30"  = [ "localgit" ];
 		"192.168.1.11"  = [ "truenas-home" ];
 		"192.168.77.11" = [ "truenas-office" ];
 		"192.168.77.8"  = [ "publicgit" "tjkeller" ];
+		"192.168.77.3"  = [ "devel" ];
 		"173.9.253.3"   = [
 			"git.tjkeller.xyz"
 			"piped.tjkeller.xyz"
@@ -12,4 +14,5 @@
 			"tjkeller.xyz"
 		];
 	};
+	environment.etc.hosts.mode = "0644";  # Allow temporary imperative modifications
 }
diff --git a/modules/root/normaluser.nix b/modules/root/normaluser.nix
index fc243ea..88eb338 100644
--- a/modules/root/normaluser.nix
+++ b/modules/root/normaluser.nix
@@ -4,9 +4,14 @@
 	};
 	users.users.${userDetails.username} = {
 		description = userDetails.fullname;
-		#home = userDetails.home.root;
+		#home = userDetails.home;
 		isNormalUser = true;
 		hashedPasswordFile = config.sops.secrets.hashed-root-password.path;
-		extraGroups = [ "wheel" "nixbld" ];
+		extraGroups = [
+			"i2c"
+			"nixbld"
+			"video"
+			"wheel"
+		];
 	};
 }
diff --git a/modules/root/printing.nix b/modules/root/printing.nix
index 69ff573..f0d0dd8 100644
--- a/modules/root/printing.nix
+++ b/modules/root/printing.nix
@@ -10,6 +10,7 @@
 			enable = true;
 			drivers = [
 				pkgs.epson-escpr2
+				pkgs.workcentre-7800-series
 			];
 		};
 
diff --git a/modules/root/resources/secrets/secrets.yaml b/modules/root/resources/secrets/secrets.yaml
index 03f9517..fcba4a6 100644
--- a/modules/root/resources/secrets/secrets.yaml
+++ b/modules/root/resources/secrets/secrets.yaml
@@ -1,10 +1,6 @@
-wpa_supplicant-conf: ENC[AES256_GCM,data:0FI1Re1PbiJmtsqb5Ddj1g/e22FkSOxHtbhchybFJAn1Q6PBYpMM/myMUQqZDqCNDhR8f+b2LYcrFx+c9g+yDsR9VcgVe/NK1U5jvep5go3JIibR0NmtfPVZNMvThmVnzO+6aGtggjN8PTx4nm+GKzf7YZPV/buYRdWExJRf0loXgNM8iLtjnu1QGZjWNBtFGbTRHeiax1QhvPrawp76PNrdpzD3EkY26HZ2TRfXFP8ta93T43sac9iVj+U3ggn9MTNvLDGiOF1lAN/W69EeCnyzw3sbxCsuSYFQ4GKkggaehje58VpsG7rZMIHYhI6PQcctO6WUupBi80KcBCnQQKy0Pir7GUPwhw1NPKuOgTX9Otz1dXxJgNk+gA4NTmyCWh2LO0utW0bjAAoqhn5sti5TssxqT2q+bw8KiAqRMZKyj8JDKg4cpMCVUbSH4fcIK1ADXa0OzItgVZnhEKJeD0SYqScXoRlExiDxHG/yrYuJYKtUQSrYJXjJJcTreTyMXWUh1E/nvS7egnXFMYYxDdTvJ5bQ/Zp94FI+twhNfMxKF5qo2gcGUHjQu/M=,iv:LKr6fcQ2emSjQmEt1HgyLpFLg4ZxDOVgJEfkm4nQzbY=,tag:M+oo8dpWclIRaPyW17Ldwg==,type:str]
+wpa_supplicant-conf: ENC[AES256_GCM,data:fvYez82qSJ1LXiOVtgGiJuwzFC++V5rNJ3x5zK1PDUf0ohwpOVrC+P3A0Rob5LURBZL0KFSIBIbJ5Iq/bRtsAD6ZgIwsKQxi3fLRanUbx2PM6JFpDYWgKlvxWMPtNp0hlicdZny7ayRXXA3Y4FOFScLPfl+5perzw8+6M3YRoeTAeDQAlhkA9BzOmg3UHZsZgKvuNYhSO2oQubEyYRhBMN5opACyyC8E96lPIplZytuvB7L4LH4VQHnqryUqXdVjXv/UIhZx4QU+jkTR5KHG0M9oG9pcWi/gpQD69hesQhOhKF+K71Bg507F29rM6WK2m6mdg5xA2BX3WQeddxc1m/hkBpQBDUk1SC58z4fQ4feITy4pAJLYzHyvMVm7CSDv0mSgfOAS/i4GdMArHG2FYSPnJ0/pfOpOQgH73PuDqgjMyRepiwUC6DILsqvmjMEXp3DZrYxvuGTbhahd/EHUzuNrOe9Wcw5NH+vucmdDzihsJ6UO56mQ7Dr+/4QFiQ8MHA+wm63MvS16YG3bDOJXIt7mTPREdFGG2YtXJfnZLLYXzsnNJGihwyCXkC0QFJRRPZyr6bYpxdEWyDnNXFzkajYlP/+EqC8RbIFYAYz3aJogjCPtp5P5JI7dqmJ8ALkFFBY=,iv:b5hJnjKOJx1I13QCNJsKGDbQ7g+27eX1XkSVaGcJhA4=,tag:6QumSrB7myeS/SU5bEAKRQ==,type:str]
 hashed-root-password: ENC[AES256_GCM,data:KUoB8Z0ifh7lE9ir9AqkiMRHfw6rusXw3KC1dLIRd4YpbTiNI+cAdC474LR721+LNWoj5ZytSdDsVyS+t3o076rV4sgWgL17jPPf+H2KE5FOmQKYTUiHfSBsLKyyhpie4tpFJWv/3cCW8Q==,iv:0sZPz3V7IqTGbF3Fnm+FbgBS3GTnHsRx0OzIoAE1H64=,tag:H6CQlANfiD6ZuQhONKyMAQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
           enc: |
@@ -15,8 +11,7 @@ sops:
             UkJ1SGJrWXNtbmlmc2c4M1IxdUpVOWMKjaakq+n8ZijGjaNVM8/dQApaVFp9+q3K
             nhvon4p5KUFE+myABnEknaSZ5UcvW6ZLff9AB7l35NZhGXAhv+y6HA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-09T16:42:38Z"
-    mac: ENC[AES256_GCM,data:LUBRGB/NdT2Lvrecb4w3Xbq4ulMyhHwNjuGyH/fjFJOcNfOCNmwaxIRN59CBi65UxGe93mgYYKJtbCKUZA9JhEfC81e+wkD0ZpEaNBu2YAYetf6hE9LqlYO05QIf/qwXySkCXRKdDl5afcmBVXTj+6qDEljkGtWX7CPLlodvuSQ=,iv:EfYL215e52Ir3SSTba7WGFSTQHgtqzyfWUWTBS+lwrU=,tag:VjE1o7WCT/PWIxk2/b/eow==,type:str]
-    pgp: []
+    lastmodified: "2025-07-10T02:39:52Z"
+    mac: ENC[AES256_GCM,data:dn9v2ur5/sIrQL4HrQvTYcXpja+JwE2TMheT/AasZlhcYHI2NhLNwgpcDzITQbnnf+WAWYz3vjyEnP8tYuxO1Bggu+dDjAHMV8AfceYHnqJFPK4L9Kb8hBK93+7uOE38kjfsV3fZ3JS7dU3DkpNV6Geqa8cQ0u2bN3Yiz8YnaiQ=,iv:GGoDCZ/l4s7atWmRsbopq/WgxhQipaKHhSVQWi0TK8U=,tag:gkYht8PMOcTFhHOABKj4Ig==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2
diff --git a/modules/root/resources/x11/xinit-startx-xdg.patch b/modules/root/resources/x11/xinit-startx-xdg.patch
deleted file mode 100644
index c1bca97..0000000
--- a/modules/root/resources/x11/xinit-startx-xdg.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/startx.cpp b/startx.cpp
-index dfbebe1..472a1b0 100644
---- a/startx.cpp
-+++ b/startx.cpp
-@@ -272,7 +272,7 @@ if [ x"$enable_xauth" = x1 ] ; then
-     dummy=0
-
-     XCOMM create a file with auth information for the server. ':0' is a dummy.
--    xserverauthfile=$HOME/.serverauth.$$
-+    xserverauthfile="${XAUTHORITY:-$HOME/.Xauthority}"
-     trap "rm -f '$xserverauthfile'" HUP INT QUIT ILL TRAP BUS TERM
-     xauth -q -f "$xserverauthfile" << EOF
- add :$dummy . $mcookie
-
diff --git a/modules/root/secrets.nix b/modules/root/secrets.nix
index 47262fd..045e3f4 100644
--- a/modules/root/secrets.nix
+++ b/modules/root/secrets.nix
@@ -4,7 +4,7 @@
 	sops = {
 		defaultSopsFile = ./resources/secrets/secrets.yaml;
 		defaultSopsFormat = "yaml";
-		age.keyFile = "${userDetails.home.root}/.config/sops/age/keys.txt";
+		age.keyFile = "${userDetails.home}/.config/sops/age/keys.txt";
 
 		secrets = {
 			wpa_supplicant-conf = { };
diff --git a/modules/root/software/default.nix b/modules/root/software/default.nix
index 8d1e987..5f6494d 100644
--- a/modules/root/software/default.nix
+++ b/modules/root/software/default.nix
@@ -5,6 +5,7 @@
 		./desktop.nix
 		./development.nix
 		./docker.nix
+		./overlays.nix
 		./system.nix
 		./utilities.nix
 		./virtualisation.nix
diff --git a/modules/root/software/desktop.nix b/modules/root/software/desktop.nix
index 88101d8..b8cd1e7 100644
--- a/modules/root/software/desktop.nix
+++ b/modules/root/software/desktop.nix
@@ -30,10 +30,10 @@
 			pcmanfm
 			redshift
 			scrot
+			st
 			sxiv
 			wpa_supplicant_gui
 			zathura
-			(callPackage ./derivations/st {})
 		] ++ pkgs.lib.optionals config.software.desktop.chromium.enable [
 			# Chrome
 			config.software.desktop.chromium.package
@@ -44,17 +44,16 @@
 			prusa-slicer
 		] ++ pkgs.lib.optionals config.software.desktop.crypto.enable [
 			# Crypto Wallets
-			bisq2
-			electrum
-			monero-gui
+			sparrow
 		] ++ pkgs.lib.optionals config.software.desktop.graphics.enable [
 			# Graphics
 			blender
 			geeqie
-			gimp
+			gimp3
 			inkscape
 		] ++ pkgs.lib.optionals config.software.desktop.office.enable [
 			# Office
+			kdePackages.okular
 			libreoffice
 			pdfchain
 			thunderbird
diff --git a/modules/root/software/development.nix b/modules/root/software/development.nix
index 2a4dfba..af8a8a7 100644
--- a/modules/root/software/development.nix
+++ b/modules/root/software/development.nix
@@ -5,7 +5,7 @@
 
 	config = lib.mkIf config.software.development.enable {
 		environment.systemPackages = with pkgs; [
-			adb-sync
+			#adb-sync
 			android-tools
 			gcc
 			git
@@ -14,5 +14,10 @@
 			lua
 			pkg-config
 		];
+
+		# Open 1313 for hugo serve
+		networking.firewall.allowedTCPPorts = [
+			1313
+		];
 	};
 }
diff --git a/modules/root/software/overlays.nix b/modules/root/software/overlays.nix
new file mode 100644
index 0000000..bdb23fd
--- /dev/null
+++ b/modules/root/software/overlays.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }: {
+	nixpkgs.overlays = with pkgs; [
+		(final: prev: {
+			crazydiskinfo = (callPackage ./derivations/crazydiskinfo {});
+			lowbat        = (callPackage ./derivations/lowbat {});
+			workcentre-7800-series = (callPackage ./derivations/xerox-workcentre-7800-series-driver {});
+
+			# Use my vimv-rs until pr gets merged
+			vimv-rs = prev.vimv-rs.overrideAttrs (oldAttrs: {
+				src = fetchFromGitHub {
+					owner = "tjkeller-xyz";
+					repo = "vimv-rs";
+					rev = "5deb76fb81dd4acf3c4809087ff3a1d846ab4769";
+					sha256 = "sha256-XMn+5mIxSEHaR31ixMi6o7PSkN1iYjDT4aOiQkfEwpA=";
+				};
+			});
+		})
+		(import ./derivations/st/overrides.nix)
+	];
+}
diff --git a/modules/root/software/system.nix b/modules/root/software/system.nix
index f0a31f2..4c81596 100644
--- a/modules/root/software/system.nix
+++ b/modules/root/software/system.nix
@@ -5,6 +5,7 @@
 		dash  # TODO should be default /bin/sh
 		exfat
 		git  # Needed for home-manager
+		ntfs3g
 		python3
 		sops  # Secrets
 	];
diff --git a/modules/root/software/utilities.nix b/modules/root/software/utilities.nix
index dabf163..79285a1 100644
--- a/modules/root/software/utilities.nix
+++ b/modules/root/software/utilities.nix
@@ -1,5 +1,6 @@
 { pkgs, ... }: {
 	environment.systemPackages = with pkgs; [
+		crazydiskinfo
 		entr
 		fastfetch
 		ffmpeg
@@ -7,11 +8,13 @@
 		jq
 		light
 		lm_sensors
+		lowbat
 		mediainfo
 		neovim
 		nmap
 		openssl
 		p7zip
+		pavolctld
 		powertop
 		pv
 		rsync
@@ -22,11 +25,10 @@
 		testdisk
 		tmux
 		uhubctl
+		vimv-rs
 		wget
 		wireguard-tools
 		xxHash
 		yt-dlp
-		(callPackage ./derivations/lowbat {})
-		(callPackage ./derivations/pavolctld {})
 	];
 }
diff --git a/modules/root/suspend.nix b/modules/root/suspend.nix
new file mode 100644
index 0000000..814ae95
--- /dev/null
+++ b/modules/root/suspend.nix
@@ -0,0 +1,16 @@
+{ lib, config, ... }: {
+	options = {
+		suspend.enable = lib.mkEnableOption "enables suspend";
+	};
+
+	config = lib.mkIf (! config.suspend.enable) {
+		# Disable suspend targets
+		systemd.targets = builtins.listToAttrs (map (name: {
+			inherit name;
+			value = {
+				enable = false;
+				unitConfig.DefaultDependencies = "no";
+			};
+		}) ["sleep" "suspend" "hibernate" "hybrid-sleep"]);
+	};
+}
diff --git a/modules/root/udev.nix b/modules/root/udev.nix
new file mode 100644
index 0000000..17ed204
--- /dev/null
+++ b/modules/root/udev.nix
@@ -0,0 +1,5 @@
+{ pkgs, ... }: {
+	services.udev.extraRules = ''
+		SUBSYSTEM=="backlight", ACTION=="add", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
+	'';
+}
diff --git a/modules/root/x11.nix b/modules/root/x11.nix
index fd15c52..f5a07b4 100644
--- a/modules/root/x11.nix
+++ b/modules/root/x11.nix
@@ -8,6 +8,30 @@
 		services.xserver.displayManager.startx.enable = true;
 		services.libinput.enable = true;  # Enable touchpad support
 
+		# Apply startx patch to create serverauth file in /tmp instead of home directory
+		nixpkgs.overlays = with pkgs; [
+			(final: prev: {
+				xorg = prev.xorg // {
+					xinit = (prev.xorg.xinit.overrideAttrs (finalAttrs: previousAttrs: {
+						version = "1.4.4";
+						patchtag = "${finalAttrs.version}-1";  # Archlinux xinit package tagged release to fetch patch from
+						# Override src since is hardcoded to 1.4.2
+						src = prev.fetchurl {
+							url = "mirror://xorg/individual/app/xinit-${finalAttrs.version}.tar.xz";
+							sha256 = "sha256-QKR8ehZMf5gc43h7Szf35BH7QyMdzeVD1wCUB12s/vk=";
+						};
+						patches = [
+							(prev.fetchpatch {
+								url = "https://gitlab.archlinux.org/archlinux/packaging/packages/xorg-xinit/-/raw/${finalAttrs.patchtag}/06_move_serverauthfile_into_tmp.diff";
+								sha256 = "1whzs5bw7ph12r3abs1g9fydibkr291jh56a0zp17d4x070jnkda";
+							})
+						];
+					}));
+				};
+			})
+		];
+
+		# Install basic X utilities
 		environment.systemPackages = with pkgs; [
 			unclutter
 			xcape
@@ -19,12 +43,12 @@
 			xorg.xrandr
 			xorg.xset
 			xwallpaper
-			# Patch startx to be compliant with xdg base dir spec
-			(xorg.xinit.overrideAttrs (old: rec {
-				patches = [
-					./resources/x11/xinit-startx-xdg.patch
-				];
-			}))
 		];
+
+		# Enable TearFree option by default
+		# Not all video drivers support this option
+		services.xserver.deviceSection = ''
+			Option "TearFree" "true"
+		'';
 	};
 }