about summary refs log tree commit diff
path: root/modules
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2022-09-20 02:42:46 +0300
committerAzat Bahawi <azat@bahawi.net>2022-09-20 02:42:46 +0300
commit783f2715f586559961a6440cc1617011ac365501 (patch)
treee82cdc172ccd21ffcd8dd77e818de1ef9023c974 /modules
parent2022-09-16 (diff)
2022-09-20
Diffstat (limited to 'modules')
-rw-r--r--modules/nixfiles/alacritty.nix2
-rw-r--r--modules/nixfiles/alertmanager.nix6
-rw-r--r--modules/nixfiles/aspell.nix23
-rw-r--r--modules/nixfiles/bluetooth.nix5
-rw-r--r--modules/nixfiles/chromium.nix15
-rw-r--r--modules/nixfiles/common/nix/default.nix26
-rw-r--r--modules/nixfiles/common/xdg.nix8
-rw-r--r--modules/nixfiles/curl.nix2
-rw-r--r--modules/nixfiles/default.nix2
-rw-r--r--modules/nixfiles/emacs/default.nix25
-rw-r--r--modules/nixfiles/emacs/doom/init.el4
-rw-r--r--modules/nixfiles/endlessh-go.nix2
-rw-r--r--modules/nixfiles/firefox/default.nix8
-rw-r--r--modules/nixfiles/firefox/profile.nix2
-rw-r--r--modules/nixfiles/firefox/userContent.css9
-rw-r--r--modules/nixfiles/git.nix293
-rw-r--r--modules/nixfiles/gnome.nix65
-rw-r--r--modules/nixfiles/gnupg.nix7
-rw-r--r--modules/nixfiles/gotify.nix6
-rw-r--r--modules/nixfiles/grafana.nix6
-rw-r--r--modules/nixfiles/ipfs.nix6
-rw-r--r--modules/nixfiles/kde.nix15
-rw-r--r--modules/nixfiles/loki.nix6
-rw-r--r--modules/nixfiles/matrix/dendrite.nix2
-rw-r--r--modules/nixfiles/monitoring/default.nix4
-rw-r--r--modules/nixfiles/nsd.nix22
-rw-r--r--modules/nixfiles/openssh.nix8
-rw-r--r--modules/nixfiles/profiles/dev/default.nix2
-rw-r--r--modules/nixfiles/profiles/dev/pystartup.py12
-rw-r--r--modules/nixfiles/profiles/headful.nix4
-rw-r--r--modules/nixfiles/prometheus.nix6
-rw-r--r--modules/nixfiles/qutebrowser.nix2
-rw-r--r--modules/nixfiles/radicale.nix6
-rw-r--r--modules/nixfiles/rtorrent.nix20
-rw-r--r--modules/nixfiles/searx.nix6
-rw-r--r--modules/nixfiles/shadowsocks.nix5
-rw-r--r--modules/nixfiles/syncthing.nix6
-rw-r--r--modules/nixfiles/zathura.nix4
38 files changed, 324 insertions, 328 deletions
diff --git a/modules/nixfiles/alacritty.nix b/modules/nixfiles/alacritty.nix
index 728e6ee..bafc0d9 100644
--- a/modules/nixfiles/alacritty.nix
+++ b/modules/nixfiles/alacritty.nix
@@ -20,7 +20,7 @@ in {
           };
           dynamic_padding = false;
           decorations =
-            if (kde.enable || gnome.enable)
+            if kde.enable
             then "full"
             else "none";
         };
diff --git a/modules/nixfiles/alertmanager.nix b/modules/nixfiles/alertmanager.nix
index ee53467..e6564fb 100644
--- a/modules/nixfiles/alertmanager.nix
+++ b/modules/nixfiles/alertmanager.nix
@@ -28,11 +28,7 @@ in {
       upstreams.alertmanager.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${cfg.domain}.locations."/" = {
         proxyPass = "http://alertmanager";
-        extraConfig = ''
-          if ($internal != 1) {
-            return 403;
-          }
-        '';
+        extraConfig = nginxInternalOnly;
       };
     };
 
diff --git a/modules/nixfiles/aspell.nix b/modules/nixfiles/aspell.nix
deleted file mode 100644
index f397944..0000000
--- a/modules/nixfiles/aspell.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib; let
-  cfg = config.nixfiles.modules.aspell;
-in {
-  options.nixfiles.modules.aspell.enable =
-    mkEnableOption "GNU Aspell";
-
-  config = mkIf cfg.enable {
-    hm.home = {
-      file.".aspell.conf".text = ''
-        personal /dev/null
-        repl /dev/null
-      '';
-
-      packages = with pkgs; [(aspellWithDicts (p: with p; [en ru]))];
-    };
-  };
-}
diff --git a/modules/nixfiles/bluetooth.nix b/modules/nixfiles/bluetooth.nix
index 69622a1..a1fd58f 100644
--- a/modules/nixfiles/bluetooth.nix
+++ b/modules/nixfiles/bluetooth.nix
@@ -24,11 +24,6 @@ in {
           UserspaceHID = true;
         };
       };
-
-      systemPackages = with pkgs;
-      with config.nixfiles.modules;
-        optional gnome.enable gnome.gnome-bluetooth
-        ++ optional kde.enable plasma5Packages.bluedevil;
     };
   };
 }
diff --git a/modules/nixfiles/chromium.nix b/modules/nixfiles/chromium.nix
index 0f5a93e..337acc8 100644
--- a/modules/nixfiles/chromium.nix
+++ b/modules/nixfiles/chromium.nix
@@ -11,7 +11,11 @@ in {
 
   config = mkIf cfg.enable {
     hm = {
-      # home.sessionVariables.BROWSER = mkOverride 300 "chromium";
+      home = {
+        # sessionVariables.BROWSER = mkOverride 300 "chromium";
+
+        packages = with pkgs; [profile-cleaner];
+      };
 
       programs.chromium = {
         enable = true;
@@ -21,15 +25,6 @@ in {
         extensions =
           [
             {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} # UBlock Origin
-            {id = "clngdbkpkpeebahjckkjfobafhncgmne";} # Stylus
-            {id = "cnojnbdhbhnkbcieeekonklommdnndci";} # Search By Image
-            {id = "doojmbjmlfjjnbmnoijecmcbfeoakpjm";} # NoScript
-            {id = "eimadpbcbfnmbkopoojfekhnkhdbieeh";} # Dark Reader
-            {id = "hlepfoohegkhhmjieoechaddaejaokhf";} # Refined GitHub
-            {id = "jinjaccalgkegednnccohejagnlnfdag";} # Violentmonkey
-            {id = "nibjojkomfdiaoajekhjakgkdhaomnch";} # IPFS Companion
-            {id = "nngceckbapebfimnlniiiahkandclblb";} # Bitwarden
-            {id = "pmcmeagblkinmogikoikkdjiligflglb";} # Privacy Redirect
           ]
           ++ optional config.nixfiles.modules.kde.enable {
             id = "cimiefiiaegbelhefglklhhakcgmhkai"; # KDE Plasma Integration
diff --git a/modules/nixfiles/common/nix/default.nix b/modules/nixfiles/common/nix/default.nix
index 9fc585b..878505c 100644
--- a/modules/nixfiles/common/nix/default.nix
+++ b/modules/nixfiles/common/nix/default.nix
@@ -82,23 +82,43 @@ with lib; {
           '';
         });
 
+        helm = with super;
+          kubernetes-helm-wrapped.override {
+            plugins = with kubernetes-helmPlugins; [helm-secrets];
+          };
+
         alejandra = super.alejandra.overrideAttrs (_: _: {
           patches = [./patches/alejandra-no-ads.patch];
         });
 
-        # https://github.com/NixOS/nixpkgs/pull/190714
-        inherit (pkgsPR "190714" "sha256-T2SXzubuN0q74QmmamPWvZHgxH7YpU8JRU0bg9RLKls=") nheko;
+        # https://github.com/NixOS/nixpkgs/pull/191633
+        inherit
+          (pkgsPR
+            "191633"
+            "sha256-gk0x/hZ/XfLo5PZ4lai4oRhawDUw68LsE2dp5c3FYIA=")
+          soju
+          ;
+
+        # Currently broken in Nixpkgs.
+        inherit
+          (pkgsRev
+            "ee01de29d2f58d56b1be4ae24c24bd91c5380cea"
+            "sha256-R18MixER2iwduNqOlLzXUms0Z7G3emnKZOKyQS52SSA=")
+          gotify-server
+          ;
       }
       // (with super; let
         np = nodePackages;
       in {
         # Normalises package names. This is done purely for aesthetics.
+        css-language-server = np.vscode-css-languageserver-bin;
         dockerfile-language-server = np.dockerfile-language-server-nodejs;
         editorconfig = editorconfig-core-c;
+        html-language-server = np.vscode-html-languageserver-bin;
         inherit (np) bash-language-server;
         inherit (np) vim-language-server;
         inherit (np) yaml-language-server;
-        json-language-server = np.vscode-json-languageserver;
+        json-language-server = np.vscode-json-languageserver-bin;
         k3d = kube3d;
         lua-language-server = sumneko-lua-language-server;
         nix-language-server = rnix-lsp;
diff --git a/modules/nixfiles/common/xdg.nix b/modules/nixfiles/common/xdg.nix
index 60d5286..8ddf1ac 100644
--- a/modules/nixfiles/common/xdg.nix
+++ b/modules/nixfiles/common/xdg.nix
@@ -25,16 +25,14 @@ with lib; {
       in {
         enable = true;
 
-        createDirectories = this.isHeadful;
-
         desktop = tmp;
         documents = "${home}/doc";
         download = tmp;
         music = tmp;
         pictures = tmp;
-        videos = tmp;
-        templates = tmp;
         publicShare = "${home}/share";
+        templates = tmp;
+        videos = tmp;
       };
     }
     (mkIf this.isHeadful {
@@ -59,7 +57,7 @@ with lib; {
               "x-scheme-handler/http"
               "x-scheme-handler/https"
             ];
-            gwenview = [
+            imv = [
               "image/bmp"
               "image/gif"
               "image/jpeg"
diff --git a/modules/nixfiles/curl.nix b/modules/nixfiles/curl.nix
index ac5e938..e7bee31 100644
--- a/modules/nixfiles/curl.nix
+++ b/modules/nixfiles/curl.nix
@@ -11,7 +11,7 @@ in {
     mkEnableOption "Wether to enable cURL.";
 
   config = mkIf cfg.enable {
-    hm.xdg.configFile.".curlrc".text = ''
+    hm.home.file.".curlrc".text = ''
       connect-timeout = 60
       progress-bar
       referer = ";auto"
diff --git a/modules/nixfiles/default.nix b/modules/nixfiles/default.nix
index c85ae77..d59273e 100644
--- a/modules/nixfiles/default.nix
+++ b/modules/nixfiles/default.nix
@@ -4,7 +4,6 @@
     ./alacritty.nix
     ./alertmanager.nix
     ./aria2.nix
-    ./aspell.nix
     ./bat.nix
     ./beets.nix
     ./bluetooth.nix
@@ -22,7 +21,6 @@
     ./fonts.nix
     ./games
     ./git.nix
-    ./gnome.nix
     ./gnupg.nix
     ./gotify.nix
     ./grafana.nix
diff --git a/modules/nixfiles/emacs/default.nix b/modules/nixfiles/emacs/default.nix
index 41b2085..6b73151 100644
--- a/modules/nixfiles/emacs/default.nix
+++ b/modules/nixfiles/emacs/default.nix
@@ -21,7 +21,7 @@ in {
 
     nixfiles.modules = {
       fonts.enable = true;
-      git.enable = true;
+      git.client.enable = true;
       gnupg.enable = true;
       x11.enable = true;
     };
@@ -40,12 +40,25 @@ in {
           # NOTE gopls will require a Go executable, which must be provided by
           # the project's flake.
           extraBins = with pkgs; [
-            (aspellWithDicts (p: with p; [en ru])) # :checkers spell (+aspell)
+            (aspellWithDicts (p: with p; [en ru])) # :checkers (spell +aspell)
+            (python3.withPackages (p:
+              with p; [
+                # :lang python :ui (treemacs +lsp)
+                black # :lang python :editor format
+                isort # :lang python
+                pyflakes # :lang python
+                python-lsp-server # :lang (python +lsp)
+              ]))
+            python3Packages.black
+            python3Packages.isort
+            python3Packages.pyflakes
+            python3Packages.python-lsp-server
             asmfmt # :editor format
             bash-language-server # :lang (sh +lsp)
             clang-tools # :lang (cc +lsp) :editor format
             cmake-format # :lang cc :editor format
             cmigemo # :lang japanese
+            css-language-server # :lang (web +lsp)
             dockerfile-language-server # :tools (docker +lsp)
             editorconfig # :tools editorconfig
             fd # doom!
@@ -62,8 +75,10 @@ in {
             haskellPackages.cabal-fmt # :lang haskell :editor format
             haskellPackages.cabal-install # :lang haskell
             haskellPackages.hoogle # :lang haskell
+            html-language-server # :lang (web +lsp)
             html-tidy # :lang web
             jre # :lang plantuml
+            json-language-server # :lang (json +lsp)
             lua-language-server # :lang (lua +lsp)
             nix-language-server # :lang (nix +lsp)
             nixfmt # :lang nix :editor format
@@ -74,11 +89,9 @@ in {
             pandoc # :lang org markdown latex
             pinentry-emacs # doom!
             pre-commit # :tools magit
-            python3Packages.black # :lang python :editor format
-            python3Packages.isort # :lang python
-            python3Packages.pyflakes # :lang python
             ripgrep # doom!
-            rust-analyzer # :lang rust
+            rust-analyzer # :lang (rust +lsp)
+            rustfmt # :lang rust
             shellcheck # :lang sh
             shfmt # :lang sh :editor format
             sqlite # :lang (org +roam2) :tools lookup
diff --git a/modules/nixfiles/emacs/doom/init.el b/modules/nixfiles/emacs/doom/init.el
index 9da7f4b..98317ec 100644
--- a/modules/nixfiles/emacs/doom/init.el
+++ b/modules/nixfiles/emacs/doom/init.el
@@ -20,7 +20,7 @@
        ophints
        (popup +defaults)
        ;; tabs
-       ;; (treemacs +lsp)
+       (treemacs +lsp)
        ;; unicode
        (vc-gutter +diff-hl +pretty)
        window-select
@@ -90,7 +90,7 @@
        (java +lsp +tree-sitter)
        (javascript +lsp +tree-sitter)
        json
-       (latex +lsp)
+       (latex +lsp +tree-sittter)
        (lua +lsp +tree-sitter)
        markdown
        (nix +lsp)
diff --git a/modules/nixfiles/endlessh-go.nix b/modules/nixfiles/endlessh-go.nix
index b89ffc4..891d484 100644
--- a/modules/nixfiles/endlessh-go.nix
+++ b/modules/nixfiles/endlessh-go.nix
@@ -27,7 +27,7 @@ in {
           listenAddress = this.wireguard.ipv4.address;
           port = 9229;
         };
-        extraOptions = ["-conn_type=tcp4" "-geoip_supplier=ip-api" "-v=1"];
+        extraOptions = ["-geoip_supplier=ip-api" "-v=1"];
       };
 
       networking.firewall.allowedTCPPorts = [port];
diff --git a/modules/nixfiles/firefox/default.nix b/modules/nixfiles/firefox/default.nix
index 6e42d76..6dde7c3 100644
--- a/modules/nixfiles/firefox/default.nix
+++ b/modules/nixfiles/firefox/default.nix
@@ -7,7 +7,7 @@
 with lib; let
   cfg = config.nixfiles.modules.firefox;
 in {
-  options.nixfiles.modules.firefox.enable = mkEnableOption "";
+  options.nixfiles.modules.firefox.enable = mkEnableOption "Firefox";
 
   config = mkIf cfg.enable {
     hm = {
@@ -16,7 +16,7 @@ in {
 
         packages = with pkgs; [
           (writeShellScriptBin "firefox-vanilla" ''
-            ${config.hm.programs.firefox.package}/bin/firefox -p vanilla $@
+            ${config.hm.programs.firefox.package}/bin/firefox -p vanilla "$@"
           '')
           profile-cleaner
         ];
@@ -28,7 +28,6 @@ in {
         package = pkgs.firefox.override {
           cfg = with config.nixfiles.modules; {
             enablePlasmaBrowserIntegration = kde.enable;
-            enableGnomeExtensions = gnome.enable;
           };
         };
 
@@ -39,9 +38,8 @@ in {
             bitwarden
             darkreader
             ipfs-companion
+            libredirect
             noscript
-            privacy-redirect
-            refined-github
             stylus
             ublock-origin
             violentmonkey
diff --git a/modules/nixfiles/firefox/profile.nix b/modules/nixfiles/firefox/profile.nix
index 6735db3..93ade51 100644
--- a/modules/nixfiles/firefox/profile.nix
+++ b/modules/nixfiles/firefox/profile.nix
@@ -474,7 +474,7 @@ in {
     # Toolbar
     #
     "browser.uiCustomization.state" = ''
-      {"placements":{"widget-overflow-fixed-list":["ublock0_raymondhill_net-browser-action","_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","ipfs-firefox-addon_lidel_org-browser-action","addon_darkreader_org-browser-action","_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action","_aecec67f-0d10-4fa7-b7c7-609a2db280cf_-browser-action"],"nav-bar":["back-button","forward-button","urlbar-container","save-to-pocket-button"],"toolbar-menubar":["menubar-items"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button"],"PersonalToolbar":["personal-bookmarks"]},"seen":["addon_darkreader_org-browser-action","ipfs-firefox-addon_lidel_org-browser-action","plasma-browser-integration_kde_org-browser-action","ublock0_raymondhill_net-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action","_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action","_aecec67f-0d10-4fa7-b7c7-609a2db280cf_-browser-action","_b7f9d2cd-d772-4302-8c3f-eb941af36f76_-browser-action","developer-button","_a4c4eda4-fb84-4a84-b4a1-f7c1cbf2a1ad_-browser-action"],"dirtyAreaCache":["nav-bar","widget-overflow-fixed-list","toolbar-menubar","TabsToolbar","PersonalToolbar"],"currentVersion":17,"newElementCount":7}
+      {"placements":{"widget-overflow-fixed-list":["ublock0_raymondhill_net-browser-action","_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action","7esoorv3_alefvanoon_anonaddy_me-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","ipfs-firefox-addon_lidel_org-browser-action","addon_darkreader_org-browser-action","_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action","_aecec67f-0d10-4fa7-b7c7-609a2db280cf_-browser-action"],"nav-bar":["back-button","forward-button","urlbar-container","save-to-pocket-button"],"toolbar-menubar":["menubar-items"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button"],"PersonalToolbar":["personal-bookmarks"]},"seen":["addon_darkreader_org-browser-action","ipfs-firefox-addon_lidel_org-browser-action","plasma-browser-integration_kde_org-browser-action","ublock0_raymondhill_net-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action","_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action","_aecec67f-0d10-4fa7-b7c7-609a2db280cf_-browser-action","_b7f9d2cd-d772-4302-8c3f-eb941af36f76_-browser-action","developer-button","_a4c4eda4-fb84-4a84-b4a1-f7c1cbf2a1ad_-browser-action","7esoorv3_alefvanoon_anonaddy_me-browser-action"],"dirtyAreaCache":["nav-bar","widget-overflow-fixed-list","toolbar-menubar","TabsToolbar","PersonalToolbar"],"currentVersion":17,"newElementCount":8}
     '';
   };
 }
diff --git a/modules/nixfiles/firefox/userContent.css b/modules/nixfiles/firefox/userContent.css
index a6421e7..1dc3add 100644
--- a/modules/nixfiles/firefox/userContent.css
+++ b/modules/nixfiles/firefox/userContent.css
@@ -16,7 +16,7 @@
     }
 }
 
-@-moz-document regexp("https?:\/\/(\.*.)?gitlab(\..*)?\.(com|org).*") {
+@-moz-document regexp("https?:\/\/(.*.)?gitlab(\..*)?\.(com|org).*") {
     code {
         font-family: var(--monospace-font-family) !important;
         font-size: var(--monospace-font-size) !important;
@@ -235,11 +235,14 @@
 }
 
 @-moz-document regexp("https?:\/\/tabs\.ultimate-guitar\.com.*") {
-    #comment,
+    #comments,
     #shots,
     a[rel*="noreferrer"],
     a[target="_blank"],
-    div[class*="SiteWideBanner"] {
+    button,
+    div[class*="SiteWideBanner"],
+    footer,
+    iframe {
         display: none !important;
     }
 }
diff --git a/modules/nixfiles/git.nix b/modules/nixfiles/git.nix
index e3659f4..bccb4b3 100644
--- a/modules/nixfiles/git.nix
+++ b/modules/nixfiles/git.nix
@@ -8,120 +8,223 @@
 with lib; let
   cfg = config.nixfiles.modules.git;
 in {
-  options.nixfiles.modules.git.enable = mkEnableOption "Git";
-
-  config = mkIf cfg.enable {
-    secrets = {
-      glab-cli-config = {
-        file = "${inputs.self}/secrets/glab-cli-config";
-        path = "${config.dirs.config}/glab-cli/config.yml";
-        owner = my.username;
-        inherit (config.my) group;
-      };
-      gh-hosts = {
-        file = "${inputs.self}/secrets/gh-hosts";
-        path = "${config.dirs.config}/gh/hosts.yml";
-        owner = my.username;
-        inherit (config.my) group;
+  options.nixfiles.modules.git = {
+    client.enable = mkEnableOption "Git client";
+    server = {
+      enable = mkEnableOption "Git server";
+
+      domain = mkOption {
+        description = "Domain name sans protocol scheme.";
+        type = with types; nullOr str;
+        default = "git.${config.networking.domain}";
       };
-      hut = {
-        file = "${inputs.self}/secrets/hut";
-        path = "${config.dirs.config}/hut/config";
-        owner = my.username;
-        inherit (config.my) group;
+
+      package = mkOption {
+        description = "Package.";
+        type = types.package;
+        default = pkgs.cgit-pink;
       };
     };
+  };
 
-    hm = {
-      home.packages = with pkgs; [glab hut];
+  config = mkMerge [
+    (mkIf cfg.client.enable {
+      secrets = {
+        glab-cli-config = {
+          file = "${inputs.self}/secrets/glab-cli-config";
+          path = "${config.dirs.config}/glab-cli/config.yml";
+          owner = my.username;
+          inherit (config.my) group;
+        };
+        gh-hosts = {
+          file = "${inputs.self}/secrets/gh-hosts";
+          path = "${config.dirs.config}/gh/hosts.yml";
+          owner = my.username;
+          inherit (config.my) group;
+        };
+        hut = {
+          file = "${inputs.self}/secrets/hut";
+          path = "${config.dirs.config}/hut/config";
+          owner = my.username;
+          inherit (config.my) group;
+        };
+      };
 
-      programs = {
-        git = {
-          enable = true;
+      hm = {
+        home.packages = with pkgs; [glab hut];
 
-          package = pkgs.git.override {
-            sendEmailSupport = true;
-            withSsh = true;
-          };
+        programs = {
+          git = {
+            enable = true;
 
-          userName = my.fullname;
-          userEmail = my.email;
-          signing = {
-            inherit (my.pgp) key;
-            signByDefault = true;
-          };
+            package = pkgs.git.override {
+              doInstallCheck = false;
+              pythonSupport = false;
+              sendEmailSupport = true;
+              withLibsecret = false;
+              withSsh = true;
+            };
+
+            userName = my.fullname;
+            userEmail = my.email;
+            signing = {
+              inherit (my.pgp) key;
+              signByDefault = true;
+            };
 
-          extraConfig =
-            {
-              advice.detachedHead = false;
-              color.ui = true;
-              core.whitespace = "trailing-space";
-              diff = {
-                mnemonicPrefix = true;
-                renames = "copies";
-                submodule = "log";
+            extraConfig =
+              {
+                advice.detachedHead = false;
+                color.ui = true;
+                core.whitespace = "trailing-space";
+                diff = {
+                  mnemonicPrefix = true;
+                  renames = "copies";
+                  submodule = "log";
+                };
+                init.defaultBranch = "master";
+                status.submoduleSummary = true;
+                github.user = my.username;
+                gitlab.user = my.username;
+              }
+              // mapAttrs'
+              (n: v: nameValuePair ''url "git@${v}:"'' {insteadOf = "${n}:";}) {
+                "bitbucket" = "bitbucket.com";
+                "codeberg" = "codeberg.org";
+                "github" = "github.com";
+                "gitlab" = "gitlab.com";
+                "sourcehut" = "git.sr.ht";
               };
-              init.defaultBranch = "master";
-              status.submoduleSummary = true;
-              github.user = my.username;
-              gitlab.user = my.username;
-            }
-            // mapAttrs'
-            (n: v: nameValuePair ''url "git@${v}:"'' {insteadOf = "${n}:";}) {
-              "bitbucket" = "bitbucket.com";
-              "codeberg" = "codeberg.org";
-              "github" = "github.com";
-              "gitlab" = "gitlab.com";
-              "sourcehut" = "git.sr.ht";
+
+            aliases = let
+              git = "${config.hm.programs.git.package}/bin/git";
+              curl = "${pkgs.curl}/bin/curl";
+            in {
+              fuck = "!${git} reset --hard && ${git} clean -fdx";
+              gud = ''commit -m "git gud"'';
+              wtc = "!${curl} -sq whatthecommit.com/index.txt | ${git} commit -F -";
             };
 
-          aliases = let
-            git = "${config.hm.programs.git.package}/bin/git";
-            curl = "${pkgs.curl}/bin/curl";
-          in {
-            fuck = "!${git} reset --hard && ${git} clean -fdx";
-            gud = ''commit -m "git gud"'';
-            wtc = "!${curl} -sq whatthecommit.com/index.txt | ${git} commit -F -";
+            # All helper tools/editor generated files should go here. This must
+            # be kept relatively clean and void of any project-specific residual
+            # files.
+            ignores = [
+              "*~"
+              ".cache/clangd/"
+              ".ccls-cache/"
+              ".dir-locals.el"
+              ".gdb_history"
+              ".netrwhist"
+              ".projectile"
+              "[._]*.s[a-v][a-z]"
+              "[._]*.sw[a-p]"
+              "[._]s[a-rt-v][a-z]"
+              "[._]ss[a-gi-z]"
+              "[._]sw[a-p]"
+              "\#*\#"
+              "compile_commands.json"
+              "cscope.*"
+              "vgcore.*"
+            ];
+          };
+
+          gh = {
+            enable = true;
+            settings.git_protocol = "ssh";
           };
 
-          # All helper tool/editor generated files should go here. This must be
-          # kept relatively clean and void of any tooling/project-specific
-          # residual files.
-          ignores = [
-            "*~"
-            ".ccls-cache/"
-            ".clangd/"
-            ".dir-locals.el"
-            ".gdb_history"
-            ".netrwhist"
-            "[._]*.s[a-v][a-z]"
-            "[._]*.sw[a-p]"
-            "[._]s[a-rt-v][a-z]"
-            "[._]ss[a-gi-z]"
-            "[._]sw[a-p]"
-            "\\#*\\#"
-            "compile_commands.json"
-            "cscope.*"
-            "vgcore.*"
-          ];
+          bash = {
+            shellAliases.gl = "${pkgs.glab}/bin/glab";
+            initExtra = mkAfter "_complete_alias gl __start_glab glab";
+          };
         };
 
-        gh = {
-          enable = true;
-          settings.git_protocol = "ssh";
+        xdg.configFile."glab-cli/aliases.yml".text = generators.toYAML {} {
+          ci = "pipeline ci";
+          co = "mr checkout";
+          li = "ci lint";
         };
+      };
+    })
+    (mkIf cfg.server.enable {
+      nixfiles.modules.nginx = {
+        enable = true;
+        virtualHosts.${cfg.server.domain} = {
+          locations = {
+            "/".extraConfig = let
+              projectList = pkgs.writeText "cgit-project-list" ''
+                nixfiles.git
+              '';
+
+              cgitrc = pkgs.writeText "cgitrc" ''
+                root-title=azahi’s git stuff
+                root-desc=鯛も一人はうまからず
+
+                about-filter=${cfg.server.package}/lib/cgit/filters/about-formatting.sh
+                source-filter=${cfg.server.package}/lib/cgit/filters/syntax-highlighting.py
+                commit-filter=${cfg.server.package}/lib/cgit/filters/commit-links.sh
+
+                enable-blame=1
+                enable-commit-graph=1
+                enable-follow-links=1
+                enable-git-config=1
+                enable-html-serving=1
+                enable-index-links=1
+                enable-index-owner=1
+                enable-log-filecount=1
+                enable-log-linecount=1
+                enable-remote-branches=1
+                enable-subject-links=1
+                enable-tree-linenumbers=1
+
+                remove-suffix=1
+
+                snapshots=tar.gz tar.bz2 zip
+
+                readme=:README
+                readme=:README.md
+                readme=:README.org
+                readme=:README.txt
+                readme=:readme
+                readme=:readme.md
+                readme=:readme.org
+                readme=:readme.txt
 
-        bash = {
-          shellAliases.gl = "${pkgs.glab}/bin/glab";
-          initExtra = mkAfter "_complete_alias gl __start_glab glab";
+                project-list=${projectList}
+                scan-path=${config.services.gitolite.dataDir}/repositories
+              '';
+            in ''
+              include ${config.services.nginx.package}/conf/fastcgi_params;
+              fastcgi_split_path_info ^(/?)(.+)$;
+              fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+              fastcgi_param SCRIPT_FILENAME ${cfg.server.package}/cgit/cgit.cgi;
+              fastcgi_param CGIT_CONFIG ${cgitrc};
+              fastcgi_param PATH_INFO $uri;
+              fastcgi_param QUERY_STRING $args;
+              fastcgi_param HTTP_HOST $server_name;
+            '';
+            "~* ^/(.+.(ico|css|png))$".extraConfig = ''
+              alias ${cfg.server.package}/cgit/$1;
+            '';
+          };
         };
       };
 
-      xdg.configFile."glab-cli/aliases.yml".text = generators.toYAML {} {
-        ci = "pipeline ci";
-        co = "mr checkout";
-        li = "ci lint";
+      services = let
+        user = "git";
+        group = "git";
+      in {
+        gitolite = {
+          enable = true;
+          inherit user group;
+          adminPubkey = my.ssh.key;
+        };
+
+        fcgiwrap = {
+          enable = true;
+          inherit user group;
+        };
       };
-    };
-  };
+    })
+  ];
 }
diff --git a/modules/nixfiles/gnome.nix b/modules/nixfiles/gnome.nix
deleted file mode 100644
index 4646d94..0000000
--- a/modules/nixfiles/gnome.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib; let
-  cfg = config.nixfiles.modules.gnome;
-in {
-  options.nixfiles.modules.gnome.enable =
-    mkEnableOption "GNOME desktop environment";
-
-  config = mkIf cfg.enable {
-    nixfiles.modules = {
-      gnupg.pinentry = mkForce "gnome";
-      sound.enable = true;
-      x11.enable = true;
-    };
-
-    services = {
-      xserver = {
-        enable = true;
-        desktopManager.gnome.enable = true;
-        displayManager.gdm = {
-          enable = true;
-          wayland = false;
-        };
-      };
-
-      gnome = {
-        core-os-services.enable = true;
-        core-shell.enable = true;
-        core-utilities.enable = false;
-        core-developer-tools.enable = false;
-        games.enable = false;
-
-        chrome-gnome-shell.enable = false;
-        gnome-initial-setup.enable = false;
-        gnome-online-accounts.enable = false;
-        gnome-remote-desktop.enable = false;
-        gnome-settings-daemon.enable = true;
-        gnome-user-share.enable = false;
-        rygel.enable = false;
-        tracker-miners.enable = false;
-        tracker.enable = false;
-      };
-
-      dleyna-renderer.enable = false;
-      dleyna-server.enable = false;
-    };
-
-    environment = {
-      gnome = {
-        excludePackages = with pkgs.gnome; [
-          geary
-          gnome-disk-utility
-          seahorse
-          sushi
-        ];
-      };
-
-      systemPackages = with pkgs; [pinentry-gnome];
-    };
-  };
-}
diff --git a/modules/nixfiles/gnupg.nix b/modules/nixfiles/gnupg.nix
index 67d36d8..c1419e4 100644
--- a/modules/nixfiles/gnupg.nix
+++ b/modules/nixfiles/gnupg.nix
@@ -12,12 +12,7 @@ in {
     pinentry = mkOption {
       description = "Name of a pinentry implementation.";
       type = types.str;
-      default = with config.nixfiles.modules;
-        if kde.enable
-        then "qt"
-        else if gnome.enable
-        then "gnome"
-        else "curses";
+      default = "curses";
     };
   };
 
diff --git a/modules/nixfiles/gotify.nix b/modules/nixfiles/gotify.nix
index 1cfd9a7..8489e93 100644
--- a/modules/nixfiles/gotify.nix
+++ b/modules/nixfiles/gotify.nix
@@ -27,11 +27,7 @@ in {
           virtualHosts.${cfg.domain}.locations."/" = {
             proxyPass = "http://gotify";
             proxyWebsockets = true;
-            extraConfig = ''
-              if ($internal != 1) {
-                return 403;
-              }
-            '';
+            extraConfig = nginxInternalOnly;
           };
         };
         postgresql.enable = true;
diff --git a/modules/nixfiles/grafana.nix b/modules/nixfiles/grafana.nix
index fcc85f8..c29bf75 100644
--- a/modules/nixfiles/grafana.nix
+++ b/modules/nixfiles/grafana.nix
@@ -44,11 +44,7 @@ in {
         virtualHosts.${cfg.domain}.locations."/" = {
           proxyPass = "http://grafana";
           proxyWebsockets = true;
-          extraConfig = ''
-            if ($internal != 1) {
-              return 403;
-            }
-          '';
+          extraConfig = nginxInternalOnly;
         };
       };
       postgresql.enable = true;
diff --git a/modules/nixfiles/ipfs.nix b/modules/nixfiles/ipfs.nix
index 1b1c802..f998d6d 100644
--- a/modules/nixfiles/ipfs.nix
+++ b/modules/nixfiles/ipfs.nix
@@ -159,11 +159,7 @@ in {
             # TODO Redirect "/" to "/webui" but keep other endpoints.
             locations."/" = {
               proxyPass = "http://ipfs_api";
-              extraConfig = ''
-                if ($internal != 1) {
-                  return 403;
-                }
-              '';
+              extraConfig = nginxInternalOnly;
             };
           };
         };
diff --git a/modules/nixfiles/kde.nix b/modules/nixfiles/kde.nix
index 934f114..e22663c 100644
--- a/modules/nixfiles/kde.nix
+++ b/modules/nixfiles/kde.nix
@@ -7,17 +7,26 @@
 with lib; let
   cfg = config.nixfiles.modules.kde;
 in {
-  options.nixfiles.modules.kde.enable = mkEnableOption "KDE Plasma 5 desktop environment";
+  options.nixfiles.modules.kde.enable = mkEnableOption "KDE Plasma";
 
   config = mkIf cfg.enable {
     nixfiles.modules = {
-      gnupg.pinentry = mkForce "qt";
+      gnupg.pinentry = "qt";
       sound.enable = true;
       x11.enable = true;
     };
 
     services.xserver = {
-      desktopManager.plasma5.enable = true;
+      desktopManager.plasma5 = {
+        enable = true;
+        excludePackages = with pkgs.plasma5Packages; [
+          elisa
+          gwenview
+          khelpcenter
+          okular
+          print-manager
+        ];
+      };
       displayManager.sddm.enable = true;
     };
 
diff --git a/modules/nixfiles/loki.nix b/modules/nixfiles/loki.nix
index 77b6ca0..4d9aab7 100644
--- a/modules/nixfiles/loki.nix
+++ b/modules/nixfiles/loki.nix
@@ -29,11 +29,7 @@ in {
       upstreams.loki.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain}.locations."/" = {
         proxyPass = "http://loki";
-        extraConfig = ''
-          if ($internal != 1) {
-            return 403;
-          }
-        '';
+        extraConfig = nginxInternalOnly;
       };
     };
 
diff --git a/modules/nixfiles/matrix/dendrite.nix b/modules/nixfiles/matrix/dendrite.nix
index 4792f0e..8dbc318 100644
--- a/modules/nixfiles/matrix/dendrite.nix
+++ b/modules/nixfiles/matrix/dendrite.nix
@@ -21,7 +21,7 @@ in {
   config = mkIf cfg.enable {
     secrets.dendrite-private-key = {
       file = "${inputs.self}/secrets/dendrite-private-key";
-      mode = "0444"; # User is dynamic.
+      mode = "0444"; # FIXME User is dynamic so the file must be world-readable.
     };
 
     nixfiles.modules = {
diff --git a/modules/nixfiles/monitoring/default.nix b/modules/nixfiles/monitoring/default.nix
index c439614..35261e2 100644
--- a/modules/nixfiles/monitoring/default.nix
+++ b/modules/nixfiles/monitoring/default.nix
@@ -7,7 +7,7 @@
 with lib; let
   cfg = config.nixfiles.modules.monitoring;
 in {
-  options.nixfiles.modules.monitoring.enable = mkEnableOption "custom monitoring stack";
+  options.nixfiles.modules.monitoring.enable = mkEnableOption "a custom monitoring stack";
 
   config = mkIf cfg.enable {
     nixfiles.modules = {
@@ -65,6 +65,8 @@ in {
       loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}";
 
       prometheus = {
+        # It would be nice if these could be generated dynamically. That would
+        # require a complete rework of how configurations are defined, though.
         scrapeConfigs = with my.configurations;
         with config.services.prometheus.exporters; [
           {
diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix
index acbfd07..57973ee 100644
--- a/modules/nixfiles/nsd.nix
+++ b/modules/nixfiles/nsd.nix
@@ -26,7 +26,6 @@ in {
         ipTransparent = true;
         ratelimit.enable = true;
 
-        # TODO DNSSEC.
         zones = let
           dns = inputs.dns-nix.lib;
         in
@@ -37,7 +36,6 @@ in {
                 AAAA = [(aaaa ipv6.address)];
               };
 
-            # TODO Try moving DKIM keys somewhere in "my" or secrets maybe?
             mkEmailEntries = {
               domain ? my.domain.shire,
               dkimKey ? null,
@@ -70,7 +68,7 @@ in {
                   SOA = {
                     nameServer = "${cfg.fqdn}.";
                     adminEmail = "admin+dns@${my.domain.shire}";
-                    serial = 2022091420;
+                    serial = 2022091601; # Don't forget to bump the revision!
                   };
 
                   NS = with my.domain; [
@@ -84,6 +82,10 @@ in {
                 extra
               ]);
             };
+
+            # https://ariadne.id/
+            # https://docs.keyoxide.org/service-providers/dns/
+            ariadneIdProof.TXT = ["openpgp4fpr:${my.pgp.fingerprint}"];
           in
             mkMerge [
               (mkZone {
@@ -105,15 +107,18 @@ in {
                       # ns2 = varda;
 
                       alertmanager = manwe;
-                      flood = yavanna;
+                      git = manwe;
                       gotify = manwe;
                       grafana = manwe;
                       loki = manwe;
-                      minecraft = varda;
                       prometheus = manwe;
                       radicale = manwe;
                       rss-bridge = manwe;
                       vaultwarden = manwe;
+
+                      minecraft = varda;
+
+                      flood = yavanna;
                     };
                   }
                 ];
@@ -124,8 +129,9 @@ in {
                   (mkEmailEntries {
                     dkimKey = "@DKIM_KEY@";
                   })
+                  ariadneIdProof
                   {
-                    TXT = ["openpgp4fpr:${my.pgp.fingerprint}"]; # https://docs.keyoxide.org/service-providers/dns/
+                    subdomains.git = ips "manwe";
                   }
                 ];
               })
@@ -136,7 +142,7 @@ in {
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
-                    subdomains.frodo = ips "manwe";
+                    subdomains.frodo = ips "manwe" // ariadneIdProof;
                   }
                 ];
               })
@@ -147,7 +153,7 @@ in {
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
-                    subdomains.frodo = ips "manwe";
+                    subdomains.frodo = ips "manwe" // ariadneIdProof;
                   }
                 ];
               })
diff --git a/modules/nixfiles/openssh.nix b/modules/nixfiles/openssh.nix
index 2bae2da..bf470ca 100644
--- a/modules/nixfiles/openssh.nix
+++ b/modules/nixfiles/openssh.nix
@@ -54,9 +54,11 @@ in {
             in
               internalServers
               // (mapAttrs' mkBlock {
-                # Custom blocks go here.
-                #
-                # example.hostname = "129.168.70.80";
+                gitolite = {
+                  user = "git";
+                  hostname = "git.${my.domain.shire}";
+                  inherit port;
+                };
               });
           };
         };
diff --git a/modules/nixfiles/profiles/dev/default.nix b/modules/nixfiles/profiles/dev/default.nix
index 14c0730..1a0ad07 100644
--- a/modules/nixfiles/profiles/dev/default.nix
+++ b/modules/nixfiles/profiles/dev/default.nix
@@ -20,7 +20,7 @@ in {
       bat.enable = true;
       curl.enable = true;
       direnv.enable = true;
-      git.enable = true;
+      git.client.enable = true;
       gnupg.enable = true;
       nmap.enable = true;
       wget.enable = true;
diff --git a/modules/nixfiles/profiles/dev/pystartup.py b/modules/nixfiles/profiles/dev/pystartup.py
index 1a78b55..adde66c 100644
--- a/modules/nixfiles/profiles/dev/pystartup.py
+++ b/modules/nixfiles/profiles/dev/pystartup.py
@@ -32,9 +32,7 @@ class TermColors(dict):
     color_base = "\001\033[%sm\002"
 
     def __init__(self):
-        self.update(
-            dict([(k, self.color_base % v) for k, v in self.color_templates])
-        )
+        self.update(dict([(k, self.color_base % v) for k, v in self.color_templates]))
 
 
 class Completer(object):
@@ -44,16 +42,12 @@ class Completer(object):
         readline.write_history_file(self.python_histfile)
 
     def __init__(self):
-        self.python_dir = os.path.expanduser(
-            "%s/python" % os.environ["XDG_DATA_HOME"]
-        )
+        self.python_dir = os.path.expanduser("%s/python" % os.environ["XDG_DATA_HOME"])
 
         if not os.path.exists(self.python_dir):
             os.mkdir(self.python_dir)
 
-        self.python_histfile = os.path.expanduser(
-            "%s/history" % self.python_dir
-        )
+        self.python_histfile = os.path.expanduser("%s/history" % self.python_dir)
 
         if os.path.exists(self.python_histfile):
             readline.read_history_file(self.python_histfile)
diff --git a/modules/nixfiles/profiles/headful.nix b/modules/nixfiles/profiles/headful.nix
index ba54b03..afe9194 100644
--- a/modules/nixfiles/profiles/headful.nix
+++ b/modules/nixfiles/profiles/headful.nix
@@ -27,7 +27,6 @@ in {
       x11.enable = true;
 
       dwm.enable = mkDefault false;
-      gnome.enable = mkDefault false;
       kde.enable = mkDefault true;
       xmonad.enable = mkDefault false;
     };
@@ -35,8 +34,7 @@ in {
     hm = {
       home.packages = with pkgs; [
         calibre
-        convmv
-        dos2unix
+        imv
         kotatogram-desktop
         nheko
         tor-browser
diff --git a/modules/nixfiles/prometheus.nix b/modules/nixfiles/prometheus.nix
index e816b74..0b0c096 100644
--- a/modules/nixfiles/prometheus.nix
+++ b/modules/nixfiles/prometheus.nix
@@ -28,11 +28,7 @@ in {
       upstreams.prometheus.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain}.locations."/" = {
         proxyPass = "http://prometheus";
-        extraConfig = ''
-          if ($internal != 1) {
-            return 403;
-          }
-        '';
+        extraConfig = nginxInternalOnly;
       };
     };
 
diff --git a/modules/nixfiles/qutebrowser.nix b/modules/nixfiles/qutebrowser.nix
index dd1d027..186623a 100644
--- a/modules/nixfiles/qutebrowser.nix
+++ b/modules/nixfiles/qutebrowser.nix
@@ -245,7 +245,7 @@ in {
           };
 
           window = {
-            hide_decoration = false; # TODO Test in a WM.
+            hide_decoration = false;
             title_format = "{perc}{current_title}{title_sep}qutebrowser";
           };
 
diff --git a/modules/nixfiles/radicale.nix b/modules/nixfiles/radicale.nix
index 679a8be..76f6b49 100644
--- a/modules/nixfiles/radicale.nix
+++ b/modules/nixfiles/radicale.nix
@@ -32,11 +32,7 @@ in {
         upstreams.radicale.servers."127.0.0.1:${toString port}" = {};
         virtualHosts.${cfg.domain}.locations."/" = {
           proxyPass = "http://radicale";
-          extraConfig = ''
-            if ($internal != 1) {
-              return 403;
-            }
-          '';
+          extraConfig = nginxInternalOnly;
         };
       };
 
diff --git a/modules/nixfiles/rtorrent.nix b/modules/nixfiles/rtorrent.nix
index 121f1ca..9f28c61 100644
--- a/modules/nixfiles/rtorrent.nix
+++ b/modules/nixfiles/rtorrent.nix
@@ -196,22 +196,16 @@ in {
               locations = {
                 "/" = {
                   tryFiles = "$uri /index.html";
-                  extraConfig = ''
-                    if ($internal != 1) {
-                      return 403;
-                    }
-                  '';
+                  extraConfig = nginxInternalOnly;
                 };
                 "/api" = {
                   proxyPass = "http://flood";
-                  extraConfig = ''
-                    proxy_buffering off;
-                    proxy_cache off;
-
-                    if ($internal != 1) {
-                      return 403;
-                    }
-                  '';
+                  extraConfig =
+                    nginxInternalOnly
+                    + ''
+                      proxy_buffering off;
+                      proxy_cache off;
+                    '';
                 };
               };
             };
diff --git a/modules/nixfiles/searx.nix b/modules/nixfiles/searx.nix
index fd11904..24482cc 100644
--- a/modules/nixfiles/searx.nix
+++ b/modules/nixfiles/searx.nix
@@ -35,11 +35,7 @@ in {
       upstreams.searx.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${cfg.domain}.locations."/" = {
         proxyPass = "http://searx";
-        extraConfig = ''
-          if ($internal != 1) {
-            return 403;
-          }
-        '';
+        extraConfig = nginxInternalOnly;
       };
     };
 
diff --git a/modules/nixfiles/shadowsocks.nix b/modules/nixfiles/shadowsocks.nix
index 6e98e97..b59359c 100644
--- a/modules/nixfiles/shadowsocks.nix
+++ b/modules/nixfiles/shadowsocks.nix
@@ -19,10 +19,7 @@ in {
   };
 
   config = mkIf cfg.enable {
-    secrets.shadowsocks-password = {
-      file = "${inputs.self}/secrets/shadowsocks-password";
-      mode = "0444"; # User is dynamic.
-    };
+    secrets.shadowsocks-password.file = "${inputs.self}/secrets/shadowsocks-password";
 
     services = {
       shadowsocks = {
diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix
index 31286fa..ed51e73 100644
--- a/modules/nixfiles/syncthing.nix
+++ b/modules/nixfiles/syncthing.nix
@@ -137,11 +137,7 @@ in {
         upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = {};
         virtualHosts.${cfg.domain}.locations."/" = {
           proxyPass = "http://syncthing";
-          extraConfig = ''
-            if ($internal != 1) {
-              return 403;
-            }
-          '';
+          extraConfig = nginxInternalOnly;
         };
       };
     })
diff --git a/modules/nixfiles/zathura.nix b/modules/nixfiles/zathura.nix
index 03a8311..1a0b39a 100644
--- a/modules/nixfiles/zathura.nix
+++ b/modules/nixfiles/zathura.nix
@@ -112,8 +112,8 @@ in {
           scroll-wrap = true;
           scroll-page-aware = false;
 
-          selection-clipboard = with config.nixfiles.modules;
-            if (kde.enable || gnome.enable)
+          selection-clipboard =
+            if config.nixfiles.modules.kde.enable
             then "clipboard"
             else "primary";
           selection-notification = false;

Consider giving Nix/NixOS a try! <3