about summary refs log tree commit diff
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2024-05-25 22:16:47 +0300
committerAzat Bahawi <azat@bahawi.net>2024-05-25 22:16:47 +0300
commit364e8a98ad25127f2a51696ec03729e3a783044f (patch)
tree1ac46553d1dca1259da539eddc7db100eaf5c137
parent2024-05-05 (diff)
2024-05-25
-rw-r--r--checks.nix13
-rw-r--r--configurations/default.nix5
-rw-r--r--configurations/eonwe/default.nix11
-rw-r--r--configurations/manwe/default.nix3
-rw-r--r--configurations/melian/default.nix10
-rw-r--r--configurations/varda/default.nix4
-rw-r--r--configurations/yavanna/default.nix2
-rw-r--r--flake.lock376
-rw-r--r--flake.nix37
-rw-r--r--lib/default.nix19
-rw-r--r--lib/my.nix11
-rw-r--r--modules/common/documentation.nix2
-rw-r--r--modules/common/home-manager.nix1
-rw-r--r--modules/common/networking.nix16
-rw-r--r--modules/common/nix.nix230
-rw-r--r--modules/common/security.nix12
-rw-r--r--modules/common/stylix.nix2
-rw-r--r--modules/common/systemd.nix3
-rw-r--r--modules/common/xdg.nix5
-rw-r--r--modules/default.nix10
-rw-r--r--modules/firefox/userContent.css7
-rw-r--r--modules/nginx.nix18
-rw-r--r--modules/openssh.nix1
-rw-r--r--modules/postgresql.nix2
-rw-r--r--modules/profiles/default.nix11
-rw-r--r--modules/profiles/dev/default.nix3
-rw-r--r--modules/profiles/headful.nix2
-rw-r--r--modules/profiles/headless.nix14
-rw-r--r--modules/qutebrowser.nix5
-rw-r--r--modules/shadowsocks.nix3
-rw-r--r--modules/soju.nix4
-rw-r--r--modules/sound.nix27
32 files changed, 376 insertions, 493 deletions
diff --git a/checks.nix b/checks.nix
index 3570574..511b658 100644
--- a/checks.nix
+++ b/checks.nix
@@ -7,7 +7,7 @@
 {
   preCommit = inputs.git-hooks.lib.${system}.run {
     src = builtins.path {
-      name = "nixfiles";
+      name = "src";
       path = ./.;
     };
     hooks = {
@@ -22,8 +22,19 @@
         entry = "${pkgs.prometheus.cli}/bin/promtool check rules";
         files = "(?x)^(modules/monitoring/rules/.*\.yaml)$";
       };
+      trim-trailing-whitespace = {
+        enable = true;
+        excludes = [ ".*\.patch" ];
+      };
+      check-added-large-files.enable = true;
+      check-case-conflicts.enable = true;
+      check-symlinks.enable = true;
       deadnix.enable = true;
+      detect-private-keys.enable = true;
       editorconfig-checker.enable = true;
+      fix-byte-order-marker.enable = true;
+      flake-checker.enable = true;
+      nil.enable = true;
       prettier.enable = true;
       shellcheck.enable = true;
       shfmt.enable = true;
diff --git a/configurations/default.nix b/configurations/default.nix
index 78eb2bc..088060b 100644
--- a/configurations/default.nix
+++ b/configurations/default.nix
@@ -64,12 +64,14 @@ mapAttrs' mkConfiguration (
       nixos-hardware.nixosModules.common-gpu-amd
       nixos-hardware.nixosModules.common-pc-ssd
       nixpkgs.nixosModules.notDetected
+      srvos.nixosModules.common
     ];
 
     melian.modules = with inputs; [
       nixos-hardware.nixosModules.common-pc-laptop-ssd
       nixos-hardware.nixosModules.lenovo-thinkpad-t480
       nixpkgs.nixosModules.notDetected
+      srvos.nixosModules.common
     ];
 
     manwe.modules = with inputs; [
@@ -77,6 +79,7 @@ mapAttrs' mkConfiguration (
       nixos-hardware.nixosModules.common-cpu-amd
       nixos-hardware.nixosModules.common-pc-ssd
       nixpkgs.nixosModules.notDetected
+      srvos.nixosModules.server
     ];
 
     varda.modules = with inputs; [
@@ -84,6 +87,7 @@ mapAttrs' mkConfiguration (
       nixos-hardware.nixosModules.common-cpu-amd
       nixos-hardware.nixosModules.common-pc-ssd
       nixpkgs.nixosModules.notDetected
+      srvos.nixosModules.server
     ];
 
     yavanna.modules = with inputs; [
@@ -91,6 +95,7 @@ mapAttrs' mkConfiguration (
       nixos-hardware.nixosModules.common-cpu-intel
       nixos-hardware.nixosModules.common-pc-hdd
       nixpkgs.nixosModules.notDetected
+      srvos.nixosModules.server
     ];
   }
 )
diff --git a/configurations/eonwe/default.nix b/configurations/eonwe/default.nix
index fdff40e..c02a3c3 100644
--- a/configurations/eonwe/default.nix
+++ b/configurations/eonwe/default.nix
@@ -28,7 +28,8 @@ with lib;
 
   hm = {
     home.packages = with pkgs; [
-      # anki # FIXME Broken again.
+      anki
+      gimp
       iaito
       kdenlive
       krita
@@ -293,8 +294,8 @@ with lib;
     };
   };
 
-  # No swap space is declared here because the system already has 128Gb of RAM.
-  # I've only manage to hit around 100Gb mark when running large
-  # computations/compiling something big. Pretty sure that a hefty chunk of it
-  # was just cache and it wouldn't make me get to OOM situations.
+  zramSwap = {
+    enable = true;
+    memoryPercent = 25;
+  };
 }
diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix
index 3707440..609d2a8 100644
--- a/configurations/manwe/default.nix
+++ b/configurations/manwe/default.nix
@@ -23,7 +23,6 @@ with lib;
       enable = true;
       domain = "git.${my.domain.azahi}";
     };
-
     matrix.dendrite = {
       enable = true;
       domain = my.domain.azahi;
@@ -71,6 +70,6 @@ with lib;
 
   zramSwap = {
     enable = true;
-    memoryPercent = 25;
+    memoryPercent = 50;
   };
 }
diff --git a/configurations/melian/default.nix b/configurations/melian/default.nix
index 0805b4a..0d50f9f 100644
--- a/configurations/melian/default.nix
+++ b/configurations/melian/default.nix
@@ -6,11 +6,9 @@ with lib;
 
     syncthing.enable = true;
 
+    android.enable = true;
     bluetooth.enable = true;
-
     throttled.enable = true;
-
-    android.enable = true;
   };
 
   hardware.trackpoint = {
@@ -63,7 +61,7 @@ with lib;
             "level disengaged"
             50
             32767
-          ] # This could annoy some people but IDGAF.
+          ]
         ];
       };
     };
@@ -90,8 +88,6 @@ with lib;
     };
   };
 
-  # NOTE This makes hibernation pretty much impossible because the partition is
-  # encrypted.
   swapDevices = [
     {
       device = "/swapfile";
@@ -101,6 +97,6 @@ with lib;
 
   zramSwap = {
     enable = true;
-    memoryPercent = 25;
+    memoryPercent = 100;
   };
 }
diff --git a/configurations/varda/default.nix b/configurations/varda/default.nix
index c8ecef2..76f8daf 100644
--- a/configurations/varda/default.nix
+++ b/configurations/varda/default.nix
@@ -6,8 +6,6 @@ with lib;
   nixfiles.modules = {
     wireguard.client.enable = true;
 
-    acme.enable = true;
-
     k3s.enable = true;
   };
 
@@ -57,6 +55,6 @@ with lib;
 
   zramSwap = {
     enable = true;
-    memoryPercent = 25;
+    memoryPercent = 50;
   };
 }
diff --git a/configurations/yavanna/default.nix b/configurations/yavanna/default.nix
index 2d52f53..b9de05e 100644
--- a/configurations/yavanna/default.nix
+++ b/configurations/yavanna/default.nix
@@ -27,6 +27,6 @@ _: {
 
   zramSwap = {
     enable = true;
-    memoryPercent = 25;
+    memoryPercent = 50;
   };
 }
diff --git a/flake.lock b/flake.lock
index 9da599c..8c1b4ee 100644
--- a/flake.lock
+++ b/flake.lock
@@ -12,11 +12,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1714136352,
-        "narHash": "sha256-BtWQ2Th/jamO1SlD+2ASSW5Jaf7JhA/JLpQHk0Goqpg=",
+        "lastModified": 1716561646,
+        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e",
+        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
         "type": "github"
       },
       "original": {
@@ -30,7 +30,9 @@
         "flake-compat": [
           "flake-compat"
         ],
-        "flake-utils": "flake-utils",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -54,7 +56,9 @@
         "flake-compat": [
           "flake-compat"
         ],
-        "flake-utils": "flake-utils_2",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -247,18 +251,18 @@
     },
     "devshell": {
       "inputs": {
-        "flake-utils": "flake-utils_6",
+        "flake-utils": "flake-utils_2",
         "nixpkgs": [
           "nix-topology",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1711099426,
-        "narHash": "sha256-HzpgM/wc3aqpnHJJ2oDqPBkNsqWbW0WfWUO8lKu8nGk=",
+        "lastModified": 1713532798,
+        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
         "owner": "numtide",
         "repo": "devshell",
-        "rev": "2d45b54ca4a183f2fdcf4b19c895b64fbf620ee8",
+        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
         "type": "github"
       },
       "original": {
@@ -269,21 +273,23 @@
     },
     "dns": {
       "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1635273082,
-        "narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=",
-        "owner": "kirelagin",
+        "lastModified": 1715873341,
+        "narHash": "sha256-vOTcr7KXhNDvYPwGotjxcLBrrUq/Nt3sfKRtFwGdHGo=",
+        "owner": "nix-community",
         "repo": "dns.nix",
-        "rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a",
+        "rev": "9ebfa9158290de09fafcc759211e48bda48329ee",
         "type": "github"
       },
       "original": {
-        "owner": "kirelagin",
+        "owner": "nix-community",
         "repo": "dns.nix",
         "type": "github"
       }
@@ -303,78 +309,11 @@
         "type": "github"
       }
     },
-    "flake-registry": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1705308826,
-        "narHash": "sha256-Z3xTYZ9EcRIqZAufZbci912MUKB0sD+qxi/KTGMFVwY=",
-        "owner": "NixOS",
-        "repo": "flake-registry",
-        "rev": "9c69f7bd2363e71fe5cd7f608113290c7614dcdd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "repo": "flake-registry",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_3"
-      },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_3": {
-      "locked": {
-        "lastModified": 1614513358,
-        "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_4": {
-      "inputs": {
-        "systems": "systems_4"
-      },
-      "locked": {
         "lastModified": 1710146030,
         "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
@@ -388,27 +327,9 @@
         "type": "github"
       }
     },
-    "flake-utils_5": {
-      "inputs": {
-        "systems": "systems_6"
-      },
-      "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_6": {
+    "flake-utils_2": {
       "inputs": {
-        "systems": "systems_7"
+        "systems": "systems_4"
       },
       "locked": {
         "lastModified": 1701680307,
@@ -424,58 +345,6 @@
         "type": "github"
       }
     },
-    "flake-utils_7": {
-      "inputs": {
-        "systems": "systems_8"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_8": {
-      "inputs": {
-        "systems": "systems_9"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_9": {
-      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "ref": "master",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "fromYaml": {
       "flake": false,
       "locked": {
@@ -497,7 +366,6 @@
         "flake-compat": [
           "flake-compat"
         ],
-        "flake-utils": "flake-utils_4",
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs"
@@ -507,11 +375,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714478972,
-        "narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=",
+        "lastModified": 1716213921,
+        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "2849da033884f54822af194400f8dff435ada242",
+        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
         "type": "github"
       },
       "original": {
@@ -544,16 +412,16 @@
     "gnome-shell": {
       "flake": false,
       "locked": {
-        "lastModified": 1698794309,
-        "narHash": "sha256-/TIkZ8y5Wv3QHLFp79Poao9fINurKs5pa4z0CRe+F8s=",
+        "lastModified": 1713702291,
+        "narHash": "sha256-zYP1ehjtcV8fo+c+JFfkAqktZ384Y+y779fzmR9lQAU=",
         "owner": "GNOME",
         "repo": "gnome-shell",
-        "rev": "a7c169c6c29cf02a4c392fa0acbbc5f5072823e7",
+        "rev": "0d0aadf013f78a7f7f1dc984d0d812971864b934",
         "type": "github"
       },
       "original": {
         "owner": "GNOME",
-        "ref": "45.1",
+        "ref": "46.1",
         "repo": "gnome-shell",
         "type": "github"
       }
@@ -565,11 +433,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714900398,
-        "narHash": "sha256-H7XYHpjk1G6dkA3AnbYrKtaTFjcCE7ul6nUVlVQxtsA=",
+        "lastModified": 1716457508,
+        "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fdaaf543bad047639ef0b356ea2e6caec2f1215c",
+        "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
         "type": "github"
       },
       "original": {
@@ -581,11 +449,11 @@
     "homelab-svg-assets": {
       "flake": false,
       "locked": {
-        "lastModified": 1713467357,
-        "narHash": "sha256-DwjQVWgN8Ys9IbiR18IHMlAKD2q5dgdWSxP/Ze1kRQA=",
+        "lastModified": 1715873439,
+        "narHash": "sha256-hiW4kxpwuiln9ULYfydZbARZE4j2qzT/qAOPRBReyIY=",
         "owner": "loganmarchione",
         "repo": "homelab-svg-assets",
-        "rev": "8bb1d84d848155e2d9eb1680a2e04b1bb51f3da8",
+        "rev": "80b6b632a4cce01b3d91ad943e3e6391d2d60745",
         "type": "github"
       },
       "original": {
@@ -639,17 +507,19 @@
         "flake-compat": [
           "flake-compat"
         ],
-        "flake-utils": "flake-utils_5",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1714872254,
-        "narHash": "sha256-O9n7CATdL7uD+MNcxd8RhjA4Bn6yweF7uoGaJKOYcE0=",
+        "lastModified": 1716600043,
+        "narHash": "sha256-6qCzoi1hLw24Wbx4K9Qgw/rVV4YOQBFJpkiYM3deKv4=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "716121fd08323465a25878cba2814f7463be0095",
+        "rev": "d20a387ad4a5376dfce8f220707fb1d5fbd97ab2",
         "type": "github"
       },
       "original": {
@@ -665,11 +535,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714878592,
-        "narHash": "sha256-E68C03sYRsYFsK7wiGHUIJm8IsyPRALOrFoTL0glXnI=",
+        "lastModified": 1716170277,
+        "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "a362555e9dbd4ecff3bb98969bbdb8f79fe87f10",
+        "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
         "type": "github"
       },
       "original": {
@@ -681,7 +551,9 @@
     "nix-topology": {
       "inputs": {
         "devshell": "devshell",
-        "flake-utils": "flake-utils_7",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -690,11 +562,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714686485,
-        "narHash": "sha256-JUIGvx9sHjGqpGAFhY9jpOPzxLh8M7B8p/7ClmE/L24=",
+        "lastModified": 1715634843,
+        "narHash": "sha256-YrECYhEXY7g8Ji5luq8mdRaLRGiwTPCSDEeVP91DyDY=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "79f82222e38c010dfa9367705d2b0142b9ceb635",
+        "rev": "9ed5c7b5c5cd5bed9e204e8b9d69f4be1954abd3",
         "type": "github"
       },
       "original": {
@@ -705,11 +577,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1714885415,
-        "narHash": "sha256-LG+2IVqVi1fy724rSDAkgqae+f47fGGko4cJhtkN8PE=",
+        "lastModified": 1716173274,
+        "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "753176b57b3fcddb140c1c012868e62c025120bd",
+        "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
         "type": "github"
       },
       "original": {
@@ -720,11 +592,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1714809261,
-        "narHash": "sha256-hfBmnYFyz9I1mdrC3tX1A+dF9cOUcds5PIMPxrT+cRk=",
+        "lastModified": 1716619601,
+        "narHash": "sha256-9dUxZf8MOqJH3vjbhrz7LH4qTcnRsPSBU1Q50T7q/X8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d32560238207b8e26d88b265207b216ee46b8450",
+        "rev": "47e03a624662ce399e55c45a5f6da698fc72c797",
         "type": "github"
       },
       "original": {
@@ -736,11 +608,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1714918599,
-        "narHash": "sha256-xC/YiDwYPUiBdb92EKheCJlioIKldbFmuxKISvWnLR8=",
+        "lastModified": 1716660083,
+        "narHash": "sha256-QO7cdjtDhx72KEw6m0NOtuE5FS4asaRExZ65uFR/q8g=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4e83e12e19f96a483dab8a31851f8b7ae8f224bb",
+        "rev": "6de51d98ec2ae46730f11845e221aab9d2470a8a",
         "type": "github"
       },
       "original": {
@@ -752,16 +624,16 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714917266,
-        "narHash": "sha256-uxNVLUDf5HY+140Y/9uyYyqAml51W1y0CuRkQid+nnw=",
+        "lastModified": 1716656097,
+        "narHash": "sha256-iobi+LJSawPbbwLEEOe2ENSCgVPHdR9sW32bTeU+Avk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fb5a7b84b7127ed1baa8bc4242368ecc99fcd4e3",
+        "rev": "8219ecf351180fc02b0e72383beb37b5d731f9a9",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -806,7 +678,7 @@
         "azahi-cc": "azahi-cc",
         "dns": "dns",
         "flake-compat": "flake-compat",
-        "flake-registry": "flake-registry",
+        "flake-utils": "flake-utils",
         "git-hooks": "git-hooks",
         "home-manager": "home-manager",
         "homelab-svg-assets": "homelab-svg-assets",
@@ -821,11 +693,32 @@
         "nixpkgs-stable": "nixpkgs-stable",
         "nmap-vulners": "nmap-vulners",
         "nmap-vulscan": "nmap-vulscan",
+        "srvos": "srvos",
         "stylix": "stylix",
         "vscode-extensions": "vscode-extensions",
         "xmonad-ng": "xmonad-ng"
       }
     },
+    "srvos": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1716425501,
+        "narHash": "sha256-BSLhmGYY1khyyBAjraR+N0Pa9Nha/et5yQQlEZxcfkU=",
+        "owner": "nix-community",
+        "repo": "srvos",
+        "rev": "1122cd50a23647e09c3e7a679d37ec02113bc412",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "srvos",
+        "type": "github"
+      }
+    },
     "stylix": {
       "inputs": {
         "base16": "base16",
@@ -847,11 +740,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714555012,
-        "narHash": "sha256-WVUrm3TGVj6c8g5aG20OjJRHMvUtAZjpHQgukDhyOT8=",
+        "lastModified": 1716456264,
+        "narHash": "sha256-s9Tyj5pEivl/AsvrpkUkfR1Iu3zHfXpviPfe4HbPJ5I=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "43d23b1609b87f6a4100db2a09bd118c52c78766",
+        "rev": "290c8aef476ce98fff9cefc059284429d561a085",
         "type": "github"
       },
       "original": {
@@ -920,84 +813,9 @@
         "type": "github"
       }
     },
-    "systems_5": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_6": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_7": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_8": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_9": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "utils": {
       "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1709126324,
@@ -1018,17 +836,19 @@
         "flake-compat": [
           "flake-compat"
         ],
-        "flake-utils": "flake-utils_8",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1714872267,
-        "narHash": "sha256-G04hUZnX7rrJ5a9A2OqrKZ1x25svs2xpGDrP2ExExUg=",
+        "lastModified": 1716600075,
+        "narHash": "sha256-WeUfE0jslseCeGUcQPHQLL2aFArGst1RdA0WKfoOHJ4=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "7d48b70548c01495e9d434db3a89f61600ca4aca",
+        "rev": "b2de3e372569c4af5bacc49e5920392e1808f98a",
         "type": "github"
       },
       "original": {
@@ -1039,7 +859,9 @@
     },
     "xmonad-ng": {
       "inputs": {
-        "flake-utils": "flake-utils_9",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
diff --git a/flake.nix b/flake.nix
index f0a1fc2..9e78601 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,7 +8,7 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     nixpkgs-master.url = "github:NixOS/nixpkgs/master";
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/release-23.11";
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/release-24.05";
 
     nixos-hardware.url = "github:NixOS/nixos-hardware";
 
@@ -17,6 +17,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    srvos = {
+      url = "github:nix-community/srvos";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     stylix = {
       url = "github:danth/stylix";
       inputs = {
@@ -35,10 +40,21 @@
         nixpkgs.follows = "nixpkgs";
       };
     };
+    # agenix-rekey = {
+    #   url = "github:oddlama/agenix-rekey";
+    #   inputs = {
+    #     flake-utils.follows = "flake-utils";
+    #     nixpkgs.follows = "nixpkgs";
+    #     pre-commit-hooks.follows = "git-hooks";
+    #   };
+    # };
 
     dns = {
-      url = "github:kirelagin/dns.nix";
-      inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:nix-community/dns.nix";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-utils.follows = "flake-utils";
+      };
     };
 
     mailserver = {
@@ -53,6 +69,7 @@
       url = "github:pinpox/alertmanager-ntfy";
       inputs = {
         flake-compat.follows = "flake-compat";
+        flake-utils.follows = "flake-utils";
         nixpkgs.follows = "nixpkgs";
       };
     };
@@ -61,6 +78,7 @@
       url = "github:nix-community/nix-vscode-extensions";
       inputs = {
         flake-compat.follows = "flake-compat";
+        flake-utils.follows = "flake-utils";
         nixpkgs.follows = "nixpkgs";
       };
     };
@@ -69,6 +87,7 @@
       url = "github:dwarfmaster/arkenfox-nixos";
       inputs = {
         flake-compat.follows = "flake-compat";
+        flake-utils.follows = "flake-utils";
         nixpkgs.follows = "nixpkgs";
         pre-commit.follows = "git-hooks";
       };
@@ -78,6 +97,7 @@
       url = "github:Infinidoge/nix-minecraft";
       inputs = {
         flake-compat.follows = "flake-compat";
+        flake-utils.follows = "flake-utils";
         nixpkgs.follows = "nixpkgs";
       };
     };
@@ -91,6 +111,7 @@
       url = "github:oddlama/nix-topology";
       inputs = {
         nixpkgs.follows = "nixpkgs";
+        flake-utils.follows = "flake-utils";
         pre-commit-hooks.follows = "git-hooks";
       };
     };
@@ -101,7 +122,10 @@
 
     xmonad-ng = {
       url = "git+https://git.azahi.cc/xmonad-ng?ref=master";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-utils.follows = "flake-utils";
+      };
     };
 
     azahi-cc = {
@@ -127,10 +151,7 @@
       };
     };
 
-    flake-registry = {
-      url = "github:NixOS/flake-registry";
-      flake = false;
-    };
+    flake-utils.url = "github:numtide/flake-utils";
     flake-compat.url = "github:edolstra/flake-compat";
   };
 
diff --git a/lib/default.nix b/lib/default.nix
index cd4b601..a6a25c9 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -33,20 +33,13 @@ lib: _: with lib; rec {
       builtins.readDir
       (mapAttrsToList (
         name: type:
+        let
+          modulePath = dir + "/${name}";
+        in
         if type == "regular" && hasSuffix ".nix" name && name != "default.nix" then
-          [
-            {
-              name = removeSuffix ".nix" name;
-              value = dir + "/${name}";
-            }
-          ]
-        else if type == "directory" && pathExists (dir + "/${name}/default.nix") then
-          [
-            {
-              inherit name;
-              value = dir + "/${name}";
-            }
-          ]
+          [ (nameValuePair (removeSuffix ".nix" name) modulePath) ]
+        else if type == "directory" && pathExists (modulePath + "/default.nix") then
+          [ (nameValuePair name modulePath) ]
         else
           [ ]
       ))
diff --git a/lib/my.nix b/lib/my.nix
index 7d2d1de..8e9b3fc 100644
--- a/lib/my.nix
+++ b/lib/my.nix
@@ -30,6 +30,12 @@ with lib;
                       readOnly = true;
                     };
 
+                    stateVersion = mkOption {
+                      description = "Machine's Nixpkgs state version.";
+                      type = str;
+                      default = trivial.release;
+                    };
+
                     deviceIcon = mkOption {
                       description = "Device icon to be used with nix-topology.";
                       type = nullOr (either path str);
@@ -152,6 +158,7 @@ with lib;
         configurations = {
           # VPS in Germany.
           manwe = {
+            stateVersion = "24.05";
             deviceIcon = "devices.cloud-server";
             system = "x86_64-linux";
             isHeadless = true;
@@ -195,6 +202,7 @@ with lib;
 
           # VPS in Germany.
           varda = {
+            stateVersion = "24.05";
             deviceIcon = "devices.cloud-server";
             system = "x86_64-linux";
             isHeadless = true;
@@ -217,6 +225,7 @@ with lib;
 
           # VPS in France.
           yavanna = {
+            stateVersion = "24.05";
             deviceIcon = "devices.cloud-server";
             system = "x86_64-linux";
             isHeadless = true;
@@ -245,6 +254,7 @@ with lib;
 
           # A beefy desktop: 7950x/rx6750xt/128GB.
           eonwe = {
+            stateVersion = "24.05";
             deviceIcon = "devices.desktop";
             system = "x86_64-linux";
             isHeadful = true;
@@ -258,6 +268,7 @@ with lib;
 
           # ThinkPad T480.
           melian = {
+            stateVersion = "24.05";
             deviceIcon = "devices.laptop";
             system = "x86_64-linux";
             isHeadful = true;
diff --git a/modules/common/documentation.nix b/modules/common/documentation.nix
index 20856cb..33e767c 100644
--- a/modules/common/documentation.nix
+++ b/modules/common/documentation.nix
@@ -32,7 +32,7 @@ with lib;
           (_: _: { __contentAddressed = true; });
     };
 
-    environment.sessionVariables = {
+    environment.variables = {
       MANOPT = "--no-hyphenation";
       MANPAGER = "${getExe pkgs.less} -+F";
     };
diff --git a/modules/common/home-manager.nix b/modules/common/home-manager.nix
index 9c4cbeb..f2fc8a8 100644
--- a/modules/common/home-manager.nix
+++ b/modules/common/home-manager.nix
@@ -19,6 +19,7 @@ with lib;
     news.display = "silent";
     home = {
       inherit (config.system) stateVersion;
+      enableNixpkgsReleaseCheck = false;
     };
   };
 
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index 727def4..e891e58 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -18,7 +18,6 @@ in
       optional networkmanager.enable "/etc/NetworkManager/system-connections"
       ++ optional wireless.iwd.enable "/var/lib/iwd";
 
-    # TODO Switch to systemd-networkd.
     networking = mkMerge [
       {
         domain = my.domain.shire;
@@ -29,12 +28,11 @@ in
         # Remove default hostname mappings. This is required at least by the
         # current implementation of the monitoring module.
         hosts = {
-          "127.0.0.2" = mkForce [ ];
+          "127.0.0.1" = mkForce [ ];
           "::1" = mkForce [ ];
         };
 
         nameservers = mkDefault dns.const.quad9.default;
-        resolvconf.enable = true;
 
         useDHCP = false;
 
@@ -84,13 +82,17 @@ in
         }
       )
       (mkIf this.isHeadful {
-        interfaces = {
-          eth0.useDHCP = mkDefault true;
-          wlan0.useDHCP = mkDefault true;
-        };
+        interfaces.eth0.useDHCP = mkDefault true;
 
         networkmanager = {
           enable = mkDefault true;
+          unmanaged = [
+            "bridge"
+            "ethernet"
+            "loopback"
+            "wireguard"
+          ];
+          plugins = mkForce [ ];
           wifi.backend = "iwd";
         };
 
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
index c03c1b1..6c5bd18 100644
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@@ -3,7 +3,6 @@
   inputs,
   lib,
   pkgs,
-  pkgsPr,
   this,
   ...
 }:
@@ -12,142 +11,149 @@ let
   cfg = config.nixfiles.modules.common.nix;
 in
 {
+  imports = with inputs.srvos.nixosModules; [
+    mixins-nix-experimental
+    mixins-trusted-nix-caches
+  ];
+
   options.nixfiles.modules.common.nix.allowedUnfreePackages = mkOption {
     description = "A list of allowed unfree packages.";
     type = with types; listOf str;
     default = [ ];
   };
 
-  config = {
-    _module.args =
-      let
-        importNixpkgs =
-          nixpkgs:
-          import nixpkgs {
-            inherit (config.nixpkgs) config;
-            inherit (this) system;
-          };
-      in
-      rec {
-        pkgsLocal = importNixpkgs "${config.my.home}/src/nixpkgs"; # Impure!
-        pkgsMaster = importNixpkgs inputs.nixpkgs-master;
-        pkgsStable = importNixpkgs inputs.nixpkgs-stable;
-        pkgsRev =
-          rev: hash:
-          importNixpkgs (
-            pkgs.fetchFromGitHub {
-              owner = "NixOS";
-              repo = "nixpkgs";
-              inherit rev hash;
-            }
-          );
-        pkgsPr = pr: pkgsRev "refs/pull/${toString pr}/head";
+  config =
+    let
+      useNixpkgs =
+        nixpkgs:
+        import nixpkgs {
+          inherit (config.nixpkgs) config;
+          inherit (this) system;
+        };
+
+      pkgsLocal = useNixpkgs "${config.my.home}/src/nixpkgs"; # Impure!
+      pkgsMaster = useNixpkgs inputs.nixpkgs-master;
+      pkgsStable = useNixpkgs inputs.nixpkgs-stable;
+      pkgsRev =
+        rev: hash:
+        useNixpkgs (
+          pkgs.fetchFromGitHub {
+            owner = "NixOS";
+            repo = "nixpkgs";
+            inherit rev hash;
+          }
+        );
+      pkgsPr = pr: pkgsRev "refs/pull/${toString pr}/head";
+    in
+    {
+      _module.args = {
+        inherit
+          pkgsLocal
+          pkgsMaster
+          pkgsStable
+          pkgsRev
+          pkgsPr
+          ;
+      };
+
+      hm = {
+        # Used primarily in conjunction with the "nixfiles" script.
+        home.file.".nix-defexpr/default.nix".text =
+          let
+            hostname = strings.escapeNixIdentifier this.hostname;
+          in
+          optionalString this.isHeadful ''
+            let
+              self = builtins.getFlake "nixfiles";
+              configurations = self.nixosConfigurations;
+              local = configurations.${hostname};
+            in rec {
+              inherit self;
+              inherit (self) inputs lib;
+              inherit (lib) my;
+              this = my.configurations.${hostname};
+              inherit (local) config;
+              inherit (local.config.system.build) toplevel vm vmWithBootLoader manual;
+              pretty = expr: lib.trace (lib.generators.toPretty {} expr) {};
+            } // configurations // local._module.args
+          '';
+
+        programs.bash.shellAliases.nix = "nix --verbose --print-build-logs";
       };
 
-    hm = {
-      # Used primarily in conjunction with the "nixfiles" script.
-      home.file.".nix-defexpr/default.nix".text =
+      nix =
         let
-          hostname = strings.escapeNixIdentifier this.hostname;
+          notSelfInputs = filterAttrs (n: _: n != "self") inputs;
         in
-        optionalString this.isHeadful ''
-          let
-            self = builtins.getFlake "nixfiles";
-            configurations = self.nixosConfigurations;
-            local = configurations.${hostname};
-          in rec {
-            inherit self;
-            inherit (self) inputs lib;
-            inherit (lib) my;
-            this = my.configurations.${hostname};
-            inherit (local) config;
-            inherit (local.config.system.build) toplevel vm vmWithBootLoader manual;
-            pretty = expr: lib.trace (lib.generators.toPretty {} expr) {};
-          } // configurations // local._module.args
-        '';
-
-      programs.bash.shellAliases.nix = "nix --verbose --print-build-logs";
-    };
+        {
+          daemonCPUSchedPolicy = "idle";
+          daemonIOSchedClass = "idle";
+          daemonIOSchedPriority = 7;
 
-    nix =
-      let
-        notSelfInputs = filterAttrs (n: _: n != "self") inputs;
-      in
-      {
-        daemonCPUSchedPolicy = "idle";
-        daemonIOSchedClass = "idle";
-        daemonIOSchedPriority = 7;
-
-        settings = {
-          # https://nixos.org/manual/nix/unstable/contributing/experimental-features.html#currently-available-experimental-features
-          # https://github.com/NixOS/nix/blob/master/src/libutil/experimental-features.cc
-          experimental-features = concatStringsSep " " [
-            "flakes"
-            "nix-command"
-            "recursive-nix"
-            "repl-flake"
-          ];
+          settings = {
+            keep-derivations = if this.isHeadful then "true" else "false";
+            keep-outputs = if this.isHeadful then "true" else "false";
 
-          keep-derivations = if this.isHeadful then "true" else "false";
-          keep-outputs = if this.isHeadful then "true" else "false";
+            warn-dirty = false;
 
-          flake-registry = "${inputs.flake-registry}/flake-registry.json";
+            keep-going = true;
 
-          warn-dirty = false;
+            substituters = [
+              "https://azahi.cachix.org"
+              "https://nix-community.cachix.org"
+            ];
 
-          keep-going = true;
+            trusted-substituters = [ "https://azahi.cachix.org" ];
+            trusted-public-keys = [ "azahi.cachix.org-1:2bayb+iWYMAVw3ZdEpVg+NPOHCXncw7WMQ0ElX1GO3s=" ];
 
-          substituters = [
-            "https://azahi.cachix.org"
-            "https://nix-community.cachix.org"
-          ];
-          trusted-public-keys = [
-            "azahi.cachix.org-1:2bayb+iWYMAVw3ZdEpVg+NPOHCXncw7WMQ0ElX1GO3s="
-            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-          ];
+            trusted-users = [
+              "root"
+              my.username
+            ];
+          };
 
-          trusted-users = [
-            "root"
-            my.username
+          nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [
+            "nixfiles=${config.my.home}/src/nixfiles"
           ];
+
+          registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // {
+            nixfiles.flake = inputs.self;
+          };
         };
 
-        nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [
-          "nixfiles=${config.my.home}/src/nixfiles"
+      nixpkgs = {
+        config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
+
+        overlays = with inputs; [
+          self.overlays.default
+          (_: _: {
+            # Global PR package overrides go here. Example:
+            # ```
+            # inherit (pkgsPr 309018 "sha256-x3ATxjrTVdaX5eo9P6pz+8/W6D2TNYzvjZpOBa3ZRI8=") endlessh-go;
+            # ```
+          })
         ];
+      };
 
-        registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // {
-          nixfiles.flake = inputs.self;
+      environment = {
+        localBinInPath = true;
+        defaultPackages = [ ];
+        systemPackages =
+          with pkgs;
+          optionals this.isHeadful [
+            nix-top
+            nix-tree
+            nixfiles
+          ];
+        variables = {
+          NIXFILES = "${config.my.home}/src/nixfiles";
+          NIX_SHELL_PRESERVE_PROMPT = "1";
         };
       };
 
-    nixpkgs = {
-      config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
-
-      overlays = with inputs; [
-        self.overlays.default
-        (_: _super: {
-          inherit (pkgsPr 309018 "sha256-x3ATxjrTVdaX5eo9P6pz+8/W6D2TNYzvjZpOBa3ZRI8=") endlessh-go;
-        })
-      ];
-    };
-
-    environment = {
-      localBinInPath = true;
-      defaultPackages = mkForce [ ];
-      systemPackages =
-        with pkgs;
-        optionals this.isHeadful [
-          nix-top
-          nix-tree
-          nixfiles
-        ];
-      sessionVariables = {
-        NIXFILES = "${config.my.home}/src/nixfiles";
-        NIX_SHELL_PRESERVE_PROMPT = "1";
+      system = {
+        # HACK This lets `nix flake check` to pass.
+        stateVersion = if hasAttr "stateVersion" this then this.stateVersion else trivial.release;
       };
     };
-
-    system.stateVersion = with builtins; head (split "\n" (readFile "${inputs.nixpkgs}/.version"));
-  };
 }
diff --git a/modules/common/security.nix b/modules/common/security.nix
index c635cdc..acfc9cc 100644
--- a/modules/common/security.nix
+++ b/modules/common/security.nix
@@ -1,13 +1,6 @@
 _: {
   security = {
-    sudo = {
-      enable = true;
-      execWheelOnly = true;
-      wheelNeedsPassword = false;
-      extraConfig = ''
-        Defaults lecture=never
-      '';
-    };
+    sudo.wheelNeedsPassword = false;
 
     polkit = {
       enable = true;
@@ -24,8 +17,5 @@ _: {
         });
       '';
     };
-
-    # Pretty much used only for PipeWire.
-    rtkit.enable = true;
   };
 }
diff --git a/modules/common/stylix.nix b/modules/common/stylix.nix
index 9a360ad..314aa4c 100644
--- a/modules/common/stylix.nix
+++ b/modules/common/stylix.nix
@@ -37,6 +37,8 @@ with lib;
   # [1]: https://github.com/tinted-theming/base24/blob/master/styling.md
   config = {
     stylix = {
+      autoEnable = this.isHeadful;
+
       image = pkgs.fetchurl {
         url = "https://upload.wikimedia.org/wikipedia/commons/a/a5/Bonaparte_ante_la_Esfinge%2C_por_Jean-Léon_Gérôme.jpg";
         sha256 = "sha256-qWv52oT8cF9K4ZoeawmR3jgoGB2ARfjbKKc12IljUcM=";
diff --git a/modules/common/systemd.nix b/modules/common/systemd.nix
index b393d9f..aac1647 100644
--- a/modules/common/systemd.nix
+++ b/modules/common/systemd.nix
@@ -13,7 +13,6 @@
     enable = true;
     network = {
       inherit (config.systemd.network) enable;
-      wait-online.enable = false;
     };
   };
 
@@ -35,7 +34,7 @@
       };
     };
 
-  environment.sessionVariables = {
+  environment.variables = {
     SYSTEMD_PAGERSECURE = "1";
     SYSTEMD_PAGER = "${pkgs.less}/bin/less";
     SYSTEMD_LESS = "FRSXMK";
diff --git a/modules/common/xdg.nix b/modules/common/xdg.nix
index c581369..0b807b7 100644
--- a/modules/common/xdg.nix
+++ b/modules/common/xdg.nix
@@ -84,7 +84,10 @@ in
   };
 
   config = {
-    xdg.portal = mkIf this.isHeadful { enable = true; };
+    xdg = {
+      portal.enable = this.isHeadful;
+      sounds.enable = this.isHeadful;
+    };
 
     hm.xdg = mkMerge [
       (with cfg; {
diff --git a/modules/default.nix b/modules/default.nix
index e41e09b..63b3aa7 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,9 +1 @@
-{ lib, ... }:
-with lib;
-{
-  nixfiles =
-    { ... }:
-    {
-      imports = attrValues (modulesIn ./.);
-    };
-}
+{ lib, ... }: with lib; { nixfiles = _: { imports = attrValues (modulesIn ./.); }; }
diff --git a/modules/firefox/userContent.css b/modules/firefox/userContent.css
index cf7b659..df0124a 100644
--- a/modules/firefox/userContent.css
+++ b/modules/firefox/userContent.css
@@ -397,3 +397,10 @@
     display: none !important;
   }
 }
+
+@-moz-document regexp("https?://app\.slack\.com\.*")
+{
+  .p-client__banners.p-ia__workspace_banner {
+    display: none !important;
+  }
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
index ed34237..b912e22 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -55,13 +55,16 @@ in
 
         serverTokens = false;
 
-        recommendedGzipSettings = true;
-        recommendedOptimisation = true;
-        recommendedProxySettings = true;
-        recommendedTlsSettings = true;
+        recommendedBrotliSettings = lib.mkDefault true;
+        recommendedGzipSettings = lib.mkDefault true;
+        recommendedOptimisation = lib.mkDefault true;
+        recommendedProxySettings = lib.mkDefault true;
+        recommendedTlsSettings = lib.mkDefault true;
+        recommendedZstdSettings = lib.mkDefault true;
 
         commonHttpConfig = concatStrings [
           ''
+            access_log syslog:server=unix:/dev/log;
             add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
           ''
           (optionalString (hasAttr "wireguard" this) (
@@ -100,6 +103,8 @@ in
               ]
             ) cfg.virtualHosts
           ));
+
+        sslDhparam = config.security.dhparams.params.nginx.path;
       };
 
       fail2ban.jails = {
@@ -114,6 +119,11 @@ in
       };
     };
 
+    security.dhparams = {
+      enable = true;
+      params.nginx = { };
+    };
+
     networking.firewall.allowedTCPPorts = [
       80
       443
diff --git a/modules/openssh.nix b/modules/openssh.nix
index 5504521..470b6c9 100644
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@@ -99,7 +99,6 @@ in
             ClientAliveCountMax = 3;
             ClientAliveInterval = 60;
             KbdInteractiveAuthentication = false;
-            LogLevel = if config.nixfiles.modules.fail2ban.enable then "VERBOSE" else "ERROR";
             MaxAuthTries = 3;
             PasswordAuthentication = false;
             PermitRootLogin = mkForce "no";
diff --git a/modules/postgresql.nix b/modules/postgresql.nix
index f9ea64f..f88831b 100644
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@@ -79,7 +79,7 @@ in
       cfg.extraPostStart != [ ]
     ) concatLines cfg.extraPostStart;
 
-    environment.sessionVariables.PSQLRC = toString (
+    environment.variables.PSQLRC = toString (
       pkgs.writeText "psqlrc" ''
         \set QUIET 1
 
diff --git a/modules/profiles/default.nix b/modules/profiles/default.nix
index 5edfd7a..6967cb7 100644
--- a/modules/profiles/default.nix
+++ b/modules/profiles/default.nix
@@ -36,12 +36,15 @@ in
       eza.enable = true;
       htop.enable = true;
       tmux.enable = true;
-      vim.enable = true;
     };
 
-    programs.less = {
-      enable = true;
-      envVariables.LESSHISTFILE = "-";
+    programs = {
+      less = {
+        enable = true;
+        envVariables.LESSHISTFILE = "-";
+      };
+
+      nano.enable = false;
     };
 
     time.timeZone = "Europe/Moscow";
diff --git a/modules/profiles/dev/default.nix b/modules/profiles/dev/default.nix
index eab447c..3ee2ff5 100644
--- a/modules/profiles/dev/default.nix
+++ b/modules/profiles/dev/default.nix
@@ -58,6 +58,7 @@ in
 
         packages = with pkgs; [
           age
+          google-cloud-sdk
           htmlq
           httpie
           hydra-check
@@ -65,7 +66,9 @@ in
           logcli
           nix-update
           nixpkgs-review
+          scaleway-cli
           sops
+          vultr-cli
           yq
         ];
 
diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix
index 7060e49..83b3e4a 100644
--- a/modules/profiles/headful.nix
+++ b/modules/profiles/headful.nix
@@ -93,6 +93,8 @@ in
           configurationLimit = 10;
         };
       };
+
+      consoleLogLevel = 3;
     };
 
     hardware.opengl = {
diff --git a/modules/profiles/headless.nix b/modules/profiles/headless.nix
index 7733f3e..f739206 100644
--- a/modules/profiles/headless.nix
+++ b/modules/profiles/headless.nix
@@ -30,11 +30,13 @@ in
       ".bash_history".source = config.hm.lib.file.mkOutOfStoreSymlink "/dev/null";
     };
 
-    # Pin version to prevent any surprises. Try keeping this up-to-date[1] with
-    # the latest LTS release + hardened patches (just in case).
-    #
-    # [1]: https://kernel.org
-    boot.kernelPackages = pkgs.linuxPackages_6_6_hardened;
+    boot = {
+      # Pin version to prevent any surprises. Try keeping this up-to-date[1]
+      # with the latest LTS release + hardened patches (just in case).
+      #
+      # [1]: https://kernel.org
+      kernelPackages = pkgs.linuxPackages_6_6_hardened; # EOL Dec, 2026
+    };
 
     nix = {
       gc = {
@@ -55,7 +57,5 @@ in
     ];
 
     services.udisks2.enable = false;
-
-    xdg.sounds.enable = false;
   };
 }
diff --git a/modules/qutebrowser.nix b/modules/qutebrowser.nix
index 8fdcf48..36a71e7 100644
--- a/modules/qutebrowser.nix
+++ b/modules/qutebrowser.nix
@@ -12,10 +12,7 @@ in
   options.nixfiles.modules.qutebrowser.enable = mkEnableOption "Qutebrowser";
 
   config = mkIf cfg.enable {
-    nixfiles.modules = {
-      mpv.enable = true;
-      vim.enable = true;
-    };
+    nixfiles.modules.mpv.enable = true;
 
     hm = {
       programs.qutebrowser = with config.nixfiles.modules; {
diff --git a/modules/shadowsocks.nix b/modules/shadowsocks.nix
index 1d55cf5..a70e2d1 100644
--- a/modules/shadowsocks.nix
+++ b/modules/shadowsocks.nix
@@ -127,8 +127,7 @@ in
       "net.ipv4.tcp_mem" = mkOverride 100 (mkTcpMem 15 16 17);
       "net.ipv4.tcp_rmem" = mkOverride 100 (mkTcpMem 12 16 26);
       "net.ipv4.tcp_wmem" = mkOverride 100 (mkTcpMem 12 16 26);
-      "net.ipv4.tcp_mtu_probing" = 1;
-      "net.ipv4.tcp_congestion_control" = "hybla";
+      "net.ipv4.tcp_mtu_probing" = mkOverride 100 1;
     };
 
     topology = with cfg; {
diff --git a/modules/soju.nix b/modules/soju.nix
index f8212b5..c64b89e 100644
--- a/modules/soju.nix
+++ b/modules/soju.nix
@@ -89,14 +89,14 @@ in
                 listen ircs://${cfg.address}:${toString cfg.port}
                 tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
                 ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"}
-                db postgres ${
+                db postgres "${
                   concatStringsSep " " [
                     "host=/run/postgresql"
                     "user=${db}"
                     "dbname=${db}"
                     "sslmode=disable"
                   ]
-                }
+                }"
                 hostname ${cfg.domain}
                 title ${cfg.domain}
               '';
diff --git a/modules/sound.nix b/modules/sound.nix
index ff90dfc..49ca5bc 100644
--- a/modules/sound.nix
+++ b/modules/sound.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  this,
+  ...
+}:
 with lib;
 let
   cfg = config.nixfiles.modules.sound;
@@ -6,13 +11,19 @@ in
 {
   options.nixfiles.modules.sound.enable = mkEnableOption "sound support";
 
-  config = mkIf cfg.enable {
-    services.pipewire = {
-      enable = true;
+  config =
+    mkIf cfg.enable {
+      services.pipewire = {
+        enable = true;
+
+        alsa.enable = true;
+        jack.enable = true;
+        pulse.enable = true;
+      };
 
-      alsa.enable = true;
-      jack.enable = true;
-      pulse.enable = true;
+      security.rtkit.enable = true;
+    }
+    // {
+      sound.enable = this.isHeadful;
     };
-  };
 }

Consider giving Nix/NixOS a try! <3