config/automatrop/playbooks/default.yml

@@ -1,16 +1,23 @@
 - name: Default
   hosts: all
   roles:
+    - role: facts
+      tags: facts
     - role: access
       tags: access
       when: root_access
     - role: system
       tags: system
       when: root_access
+    - role: ecryptfs_automount
+      tags: ecryptfs_automount
+      when: encrypt_home_stacked_fs
     - role: dotfiles
       tags: dotfiles
     - role: vim
       tags: vim
+    - role: gnupg
+      tags: gnupg
     - role: mnussbaum.base16-builder-ansible # Required for desktop_environment
       tags:
         - color

config/automatrop/roles/dotfiles/tasks/main.yml

@@ -19,6 +19,12 @@
   tags: dotfiles_repo
 # TODO Put actual dotfiles in a subdirectory of the repo, so we don't have to put everything in config
 
+- name: Register as Ansible collection
+  file:
+    state: link
+    src: "{{ ansible_user_dir }}/.dotfiles/config/automatrop"
+    path: "{{ ansible_user_dir }}/.ansible/collections/ansible_collections/geoffreyfrogeye/automatrop"
+
 - name: Install python dependencies for scripts
   pip:
     requirements: "{{ ansible_user_dir }}/.dotfiles/config/scripts/requirements.txt"

config/automatrop/roles/ecryptfs_automount/README.md

@@ -0,0 +1,17 @@
+# ecryptfs_automount
+
+Configure pam to allow auto-mounting of encrypted home directories with eCryptfs.
+
+## Usage
+
+You still need to run the following for an user directory to be encrypted:
+
+```bash
+modprobe ecryptfs
+ecryptfs-migrate-home -u username
+```
+
+## Source
+
+https://wiki.archlinux.org/title/ECryptfs#Auto-mounting
+

config/automatrop/roles/ecryptfs_automount/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Setup pam_encryptfs auth
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      auth       [success=1 default=ignore]  pam_succeed_if.so    service = systemd-user quiet
+      auth       required                    pam_ecryptfs.so      unwrap
+    insertafter: '^(auth\s+required\s+pam_unix.so|auth\s+\[default=die\]\s+pam_faillock.so\s+authfail)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT AUTH"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs password
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      password   optional                    pam_ecryptfs.so      unwrap
+    insertbefore: '^(password\s+required\s+pam_unix.so|-password\s+\[success=1\s+default=ignore\]\s+pam_systemd_home.so)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT PASSWORD"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs session
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      session    [success=1 default=ignore]  pam_succeed_if.so    service = systemd-user quiet
+      session    optional                    pam_ecryptfs.so      unwrap
+    insertafter: '^session\s+required\s+pam_unix.so$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT SESSION"
+  become: yes
+  notify:
+    - etc changed

config/automatrop/roles/facts/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Set facts
+  set_fact:
+    arch_based: "{{ ansible_distribution == 'Archlinux' }}"
+    arch: "{{ ansible_lsb.id == 'Arch' }}"
+    manjaro: "{{ ansible_lsb.id == 'Manjaro' or ansible_lsb.id == 'Manjaro-ARM' }}"
+    termux: "{{ ansible_distribution == 'OtherLinux' and ansible_python.executable == '/data/data/com.termux/files/usr/bin/python' }}"
+    debian: "{{ ansible_distribution == 'Debian' }}"
+    ubuntu: "{{ ansible_distribution == 'Ubuntu' }}"
+    junest: "{{ ansible_distribution == 'Archlinux' and ansible_is_chroot }}" # TODO Check if /etc/junest exists
+  tags:
+    - always
+
+- name: Set composed facts
+  set_fact:
+    debian_based: "{{ debian or ubuntu }}"
+    can_chown: "{{ not junest }}"
+    has_systemd: "{{ not junest }}"
+  tags:
+    - always
+# TODO Make this a real Ansible fact maybe?

config/automatrop/roles/gnupg/tasks/main.yml

@@ -0,0 +1,51 @@
+- name: Create GnuPG directory
+  file:
+    path: "{{ gnupghome }}"
+    state: directory
+    mode: "u=rwx"
+
+- name: Create GnuPG configuration files
+  file:
+    path: "{{ gnupghome }}/{{ item }}"
+    state: file
+    mode: "u=rw,g=r,o=r"
+  loop:
+    - gpg-agent.conf
+    - gpg.conf
+
+- name: Configure GnuPG
+  lineinfile:
+    path: "{{ gnupghome }}/gpg.conf"
+    regex: "^#?\\s*{{ item.key }}\\s"
+    line: "{{ item.key }}{% if item.value is defined %} {{ item.value }}{% endif %}"
+  loop:
+    # Remove fluff
+    - key: no-greeting
+    - key: no-emit-version
+    - key: no-comments
+    # Output format that I prefer
+    - key: keyid-format
+      value: 0xlong
+    # Show fingerprints
+    - key: with-fingerprint
+    # Make sure to show if key is invalid
+    # (should be default on most platform,
+    # but just to be sure)
+    - key: list-options
+      value: show-uid-validity
+    - key: verify-options
+      value: show-uid-validity
+    # Stronger algorithm (https://wiki.archlinux.org/title/GnuPG#Different_algorithm)
+    - key: personal-digest-preferences
+      value: SHA512
+    - key: cert-digest-algo
+      value: SHA512
+    - key: default-preference-list
+      value: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+    - key: personal-cipher-preferences
+      value: TWOFISH CAMELLIA256 AES 3DES
+
+- name: Install Geoffrey Frogeye's key
+  gpg_key:
+    fpr: 4FBA930D314A03215E2CDB0A8312C8CAC1BAC289
+    trust: 5

config/automatrop/roles/gnupg/vars/main.yml

@@ -0,0 +1 @@
+gnupghome: "{{ ansible_user_dir }}/.config/gnupg"

config/automatrop/roles/software/handlers/main.yml

@@ -0,0 +1,23 @@
+- name: Create and install meta package for Arch Linux
+  block:
+    - name: Generate meta package PKGBUILD
+      template:
+        src: PKGBUILD.j2
+        dest: "{{ ansible_user_dir }}/.cache/automatrop/PKGBUILD"
+      listen: "software changed"
+
+    - name: Install meta package
+      aur:
+        name: "automatrop-packages-{{ inventory_hostname_short }}"
+        local_pkgbuild: "{{ ansible_user_dir }}/.cache/automatrop"
+        use: makepkg
+        state: latest
+      listen: "software changed"
+      when: root_access
+  when: arch_based
+
+- name: update pacman cache
+  pacman:
+    update_cache: yes
+  become: yes
+  when: arch_based

config/automatrop/roles/software/templates/PKGBUILD.j2

@@ -0,0 +1,14 @@
+# Maintainer: Geoffrey Frogeye
+
+pkgname=automatrop-packages-{{ inventory_hostname_short }}
+pkgver={{ ansible_date_time.iso8601_basic_short }}
+pkgrel=1
+pkgdesc='Metapackage for packages wanted by Geoffrey via automatrop for {{ inventory_hostname }}'
+url='https://git.frogeye.fr/geoffrey/dotfiles/src/branch/master/config/automatrop'
+arch=('any')
+license=('GPL')
+depends=(
+{% for package in packages %}
+  '{{ package }}'
+{% endfor %}
+)

config/automatrop/roles/system/files/openvpn-client.service

@@ -0,0 +1,11 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf
+# The part before --script-security 2 might need upgrading from
+# /usr/lib/systemd/system/openvpn-client@.service if it was upgraded
+Restart=on-failure
+User=
+AmbiantCapabilities=
+# It's not pretty, but other script only work with systemd or call resolvconf with -p,
+# which doesn't work without a local DNS resolver
+# TODO Local DNS resolver sounds nice anyway

config/automatrop/roles/system/handlers/main.yaml

@@ -1,3 +1,17 @@
+- name: Create a etckeeper commit
+  command: "etckeeper commit 'automatrop {{ ansible_date_time.iso8601 }}'"
+  listen: "etc changed"
+  become: yes
+  register: etckeeper_commit
+  failed_when: "etckeeper_commit.rc != 0 and 'nothing to commit' not in etckeeper_commit.stdout"
+  changed_when: "'nothing to commit' not in etckeeper_commit.stdout"
+
+- name: Restart chrony
+  systemd:
+    name: chronyd
+    state: restarted
+  listen: chrony reconfigured
+  become: yes
 
 - name: Reload systemd daemon
   systemd:
@@ -9,3 +23,8 @@
   debug:
     msg: "The Panfrost display driver configuration was changed, but needs a reboot to be applied."
   listen: panfrost config changed
+
+- name: Reload systemd-logind
+  command: systemctl kill -s HUP systemd-logind
+  become: yes
+  listen: systemd-logind config changed

config/automatrop/roles/system/tasks/main.yml

@@ -1,3 +1,7 @@
+# TODO For other distributions
+
+# Package are installed with --asdeps because they are needed
+
 # Xorg configuration
 
 - name: Check if there is Intel backlight
@@ -21,6 +25,7 @@
     dest: "{{ item }}/20-intel_backlight.conf"
   become: yes
   when: display_server == 'x11' and intel_backlight.stat.exists
+  notify: etc changed
   loop: "{{ xorg_common_config_dirs }}"
 
 - name: Configure Xorg joystick behaviour
@@ -29,6 +34,7 @@
     dest: "{{ item }}/50-joystick.conf"
   become: yes
   when: display_server == 'x11'
+  notify: etc changed
   loop: "{{ xorg_common_config_dirs }}"
 
 - name: List modules we're using
@@ -57,6 +63,7 @@
     dest: /etc/systemd/system/getty@.service.d/override.conf
   become: yes
   notify:
+    - etc changed
     - systemd changed
   when: auto_numlock
 
@@ -66,5 +73,56 @@
     state: absent
   become: yes
   notify:
+    - etc changed
     - systemd changed
   when: not auto_numlock
+
+### STOPPED HERE ###
+
+- name: Empty motd
+  copy:
+    content: ""
+    dest: /etc/motd
+    mode: "u=rw,g=r,o=r"
+  become: yes
+  notify:
+    - etc changed
+
+# VPN configuration
+
+- name: Prepare directory for openvpn-client service override
+  file:
+    path: /etc/systemd/system/openvpn-client@.service.d
+    state: directory
+    mode: "u=rwx,g=rx,o=rx"
+  become: yes
+
+- name: Make openvpn use hooks for resolvconf
+  copy:
+    src: openvpn-client.service
+    dest: /etc/systemd/system/openvpn-client@.service.d/override.conf
+  become: yes
+  notify:
+    - etc changed
+    - systemd changed
+
+- name: Disable power button
+  lineinfile:
+    path: /etc/systemd/logind.conf
+    line: 'HandlePowerKey=ignore'
+    regexp: '^#? *HandlePowerKey='
+    insertafter: '^\[Login\]$'
+  become: yes
+  notify: systemd-logind config changed
+  # Reason: I sometimes press it accidentally
+  # (hoping to start it when it's already started,
+  # or really accidentally on the Pinebook).
+  # Suspend would be nice, but it doesn't have the locker then
+
+# TODO Hibernation, if that's relevant
+# $ sudo blkid | grep 'TYPE="swap"'
+# $ sudoedit /etc/default/grub
+# Add resume=UUID=<UUID-of-swap-partition> to GRUB_CMDLINE_LINUX_DEFAULT
+# $ sudo grub-mkconfig -o /boot/grub/grub.cfg
+
+# TODO udevil

config/nix/build.sh

@@ -2,4 +2,4 @@
 export NIXPKGS_ALLOW_UNFREE=1
 nix-build '<nixpkgs/nixos>' -A vm \
 -I nixpkgs=channel:nixos-23.05 \
--I nixos-config=./testvm.nix
+-I nixos-config=./configuration.nix

config/nix/configuration.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    <nixos-hardware/dell/g3/3779>
+    # <nixos-hardware/pine64/pinebook-pro>
+    ./modules/common.nix
+    ./modules/desktop.nix
+    ./modules/battery.nix
+    ./modules/wireless.nix
+    ./modules/extra.nix
+    ./modules/dev.nix
+  ];
+}

config/nix/curacao.nix

@@ -1,9 +0,0 @@
-{ ... }:
-{
-  imports = [
-    <nixos-hardware/dell/g3/3779>
-    ./os/loader.nix
-  ];
-
-  networking.hostName = "curacao.geoffrey.frogeye.fr";
-}

config/nix/hm/common.nix

@@ -1,130 +0,0 @@
-{ pkgs, config, ... }:
-{
-  home.stateVersion = "23.05";
-
-  programs = {
-    home-manager.enable = true;
-    zsh = {
-      enable = true;
-      enableAutosuggestions = true;
-      enableCompletion = true;
-      enableSyntaxHighlighting = true;
-      # syntaxHighlighting.enable = true; # 23.11 syntax
-    };
-    neovim = {
-      enable = true;
-      defaultEditor = true;
-      vimAlias = true;
-      viAlias = true;
-    };
-    gpg = {
-      enable = true;
-      homedir = "${config.xdg.dataHome}/gnupg";
-      settings = {
-        # Remove fluff
-        no-greeting = true;
-        no-emit-version = true;
-        no-comments = true;
-        # Output format that I prefer
-        keyid-format = "0xlong";
-        # Show fingerprints
-        with-fingerprint = true;
-        # Make sure to show if key is invalid
-        # (should be default on most platform,
-        # but just to be sure)
-        list-options = "show-uid-validity";
-        verify-options = "show-uid-validity";
-        # Stronger algorithm (https://wiki.archlinux.org/title/GnuPG#Different_algorithm)
-        personal-digest-preferences = "SHA512";
-        cert-digest-algo = "SHA512";
-        default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed";
-        personal-cipher-preferences = "TWOFISH CAMELLIA256 AES 3DES";
-      };
-      publicKeys = [{
-        source = builtins.fetchurl {
-          url = "https://keys.openpgp.org/vks/v1/by-fingerprint/4FBA930D314A03215E2CDB0A8312C8CAC1BAC289";
-          sha256 = "sha256:10y9xqcy1vyk2p8baay14p3vwdnlwynk0fvfbika65hz2z8yw2cm";
-        };
-        trust = "ultimate";
-      }];
-    };
-  };
-
-  home.packages = with pkgs; [
-    # dotfiles dependencies
-    coreutils
-    bash
-    gnugrep
-    gnused
-    gnutar
-    openssl
-    git
-    wget
-    curl
-    python3Packages.pip
-    ansible # TODO Reevaluate
-
-    # shell
-    zsh-completions
-    nix-zsh-completions
-    zsh-history-substring-search
-    antigen # TODO Reevaluate
-    powerline-go
-
-    # terminal essentials
-    moreutils
-    man
-    visidata
-    nodePackages.insect
-    translate-shell
-    unzip
-    unrar
-    p7zip
-
-    # remote
-    openssh
-    rsync
-    borgbackup
-
-    # cleanup
-    jdupes
-    duperemove
-    optipng
-    libjpeg
-    # FIXME reflac not available (but also a dumb shell script)
-
-    # local monitoring
-    htop
-    iotop
-    iftop
-    lsof
-    strace
-    pv
-    progress
-    speedtest-cli
-
-    # multimedia toolbox
-    ffmpeg
-    sox
-    imagemagick
-
-    # password
-    pass
-    pwgen
-
-    # Mail
-    isync
-    msmtp
-    notmuch
-    neomutt
-    lynx
-
-    # Organisation
-    vdirsyncer
-    khard
-    khal
-    todoman
-    syncthing
-
-  ];
-}

config/nix/hm/desktop.nix

@@ -1,82 +0,0 @@
-{ pkgs, ... }:
-{
-  xsession.windowManager.i3 = {
-    enable = true;
-    config = {
-      terminal = "alacritty";
-    };
-  };
-
-  programs = {
-    # Browser
-    qutebrowser.enable = true;
-
-    # Terminal
-    alacritty.enable = true;
-  };
-
-  home.packages = with pkgs; [
-    # remote
-    tigervnc
-
-    # music
-    mpd
-    mpc-cli
-    ashuffle
-    vimpc
-
-    # multimedia common
-    gimp
-    inkscape
-    mpv
-    mpvScripts.thumbnail
-    libreoffice
-
-    # data management
-    freefilesync
-
-    # browsers
-    firefox
-
-    # fonts
-    dejavu_fonts
-    twemoji-color-font
-    xfce.thunar
-    gnome.gedit
-    feh
-    zathura
-    zbar
-    zathura
-    meld
-    python3Packages.magic
-    yubikey-touch-detector
-
-    # x11-exclusive
-    libgnomekbd # to show keyboard layout
-    dunst
-    i3lock
-    numlockx
-    rofi
-    rofimoji
-    rxvt-unicode
-    # TODO urxvt-resize-font-git
-    scrot
-    simplescreenrecorder
-    trayer
-    unclutter
-    xautolock
-    xclip
-    lemonbar-xft
-    autorandr
-    keynav
-    sct
-    xorg.xinit
-    xorg.xbacklight
-
-
-    # organisation
-    rofi-pass # TODO Try autopass.cr
-    thunderbird
-  ];
-
-}

config/nix/hm/loader.nix

@@ -1,10 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./common.nix
-    ./desktop.nix
-    ./dev.nix
-    ./extra.nix
-    ./style.nix
-  ];
-}

config/nix/hm/style.nix

@@ -1,22 +0,0 @@
-{ pkgs, config, ... }:
-let
-  stylix = builtins.fetchGit {
-    url = "https://github.com/danth/stylix.git";
-    ref = "release-23.05";
-  };
-in
-{
-  imports = [ (import stylix).homeManagerModules.stylix ];
-
-  stylix = {
-    base16Scheme = "${pkgs.base16-schemes}/share/themes/solarized-dark.yaml";
-    image = builtins.fetchurl {
-      url = "https://get.wallhere.com/photo/sunlight-abstract-minimalism-green-simple-circle-light-leaf-wave-material-line-wing-computer-wallpaper-font-close-up-macro-photography-124350.png";
-      sha256 = "sha256:1zfq3f3v34i45mi72pkfqphm8kbhczsg260xjfl6dbydy91d7y93";
-    };
-    # FIXME This doesn't work
-  };
-
-  # Fix https://nix-community.github.io/home-manager/index.html#_why_do_i_get_an_error_message_about_literal_ca_desrt_dconf_literal_or_literal_dconf_service_literal
-  home.packages = [ pkgs.dconf ];
-}

config/nix/modules/common.nix

@@ -0,0 +1,161 @@
+{ pkgs, lib, ... }:
+{
+  boot.loader.grub.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "nixos";
+
+  time.timeZone = "Europe/Amsterdam";
+
+  # TODO qwerty-fr for console
+
+  # Enable CUPS to print documents
+  services.printing.enable = true;
+
+  # Enable passwordless sudo
+  security.sudo.extraRules = [{
+    groups = [ "wheel" ];
+    commands = [{
+      command = "ALL";
+      options = [ "NOPASSWD" ];
+    }];
+  }];
+
+  # Users
+  users.users.geoffrey = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    packages = with pkgs; [
+      # dotfiles dependencies
+      coreutils
+      bash
+      gnugrep
+      gnused
+      gnutar
+      openssl
+      git
+      wget
+      curl
+      python3Packages.pip
+      ansible # TODO Reevaluate
+
+      # shell
+      zsh-completions
+      nix-zsh-completions
+      zsh-history-substring-search
+      antigen # TODO Reevaluate
+      powerline-go
+
+      # terminal essentials
+      moreutils
+      man
+      visidata
+      nodePackages.insect
+      translate-shell
+      unzip
+      unrar
+      p7zip
+
+      # remote
+      openssh
+      rsync
+      borgbackup
+
+      # cleanup
+      jdupes
+      duperemove
+      optipng
+      libjpeg
+      # FIXME reflac not available (but also a dumb shell script)
+
+      # local monitoring
+      htop
+      iotop
+      iftop
+      lsof
+      strace
+      pv
+      progress
+      speedtest-cli
+
+      # multimedia toolbox
+      ffmpeg
+      sox
+      imagemagick
+
+      # password
+      pass
+      pwgen
+
+      # Mail
+      isync
+      msmtp
+      notmuch
+      neomutt
+      lynx
+
+      # Organisation
+      vdirsyncer
+      khard
+      khal
+      todoman
+      syncthing
+
+    ];
+    initialPassword = "cartable"; # DEBUG
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPE41gxrO8oZ5n3saapSwZDViOQphm6RzqgsBUyA88pU geoffrey@frogeye.fr"
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    wget
+    kexec-tools
+    openvpn
+    update-resolv-conf # TODO Is it what I think it is?
+  ];
+
+  # Enable compilation cache
+  programs = {
+    ccache.enable = true;
+    # TODO Not enough, see https://nixos.wiki/wiki/CCache.
+    # Might want to see if it's worth using on NixOS
+    gnupg.agent.enable = true;
+
+    # TODO Below should be user config
+
+    zsh = {
+      enable = true;
+      autosuggestions.enable = true;
+      enableCompletion = true;
+      syntaxHighlighting.enable = true;
+    };
+    neovim = {
+      enable = true;
+      defaultEditor = true;
+      vimAlias = true;
+      viAlias = true;
+    };
+  };
+
+  services = {
+    # Enable the OpenSSH daemon
+    openssh.enable = true;
+    getty.autologinUser = "geoffrey"; # DEBUG
+
+    # Time sychronisation
+    chrony = {
+        enable = true;
+        servers = map (n: "${toString n}.europe.pool.ntp.org") (lib.lists.range 0 3);
+        extraConfig = "rtcsync";
+    };
+
+  };
+
+  # TEST
+  system.copySystemConfiguration = true;
+
+  # Use defaults from
+  system.stateVersion = "23.05";
+
+}

config/nix/modules/desktop.nix

@@ -0,0 +1,106 @@
+{ pkgs, ... }:
+{
+  # Enable the X11 windowing system
+  services.xserver.enable = true;
+
+  services.xserver = {
+    extraLayouts.qwerty-fr = {
+      description = "QWERTY-fr";
+      languages = [ "fr" ];
+      symbolsFile = "${pkgs.stdenv.mkDerivation {
+          name = "qwerty-fr-keypad";
+          src = builtins.fetchGit {
+            url = "https://github.com/qwerty-fr/qwerty-fr.git";
+            rev = "3a4d13089e8ef016aa20baf6b2bf3ea53de674b8";
+          };
+          patches = [ ./qwerty-fr-keypad.diff ];
+          # TODO This doesn't seem to be applied... it's the whole point of the derivation :(
+          installPhase = ''
+            runHook preInstall
+            mkdir -p $out/linux
+            cp $src/linux/us_qwerty-fr $out/linux
+            runHook postInstall
+          '';
+      }}/linux/us_qwerty-fr";
+    };
+    layout = "qwerty-fr";
+    # TODO home.keyboard = null; in home-manager... or something
+
+  };
+
+  # Enable sound
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+
+  services.xserver.displayManager.startx.enable = true;
+  services.xserver.windowManager.i3.enable = true;
+
+  users.users.geoffrey. packages = with pkgs; [
+    # remote
+    tigervnc
+
+    # music
+    mpd
+    mpc-cli
+    ashuffle
+    vimpc
+
+    # multimedia common
+    gimp
+    inkscape
+    mpv
+    mpvScripts.thumbnail
+    libreoffice
+
+    # data management
+    freefilesync
+
+    # browsers
+    firefox
+    qutebrowser
+
+    # fonts
+    dejavu_fonts
+    twemoji-color-font
+    xfce.thunar
+    gnome.gedit
+    feh
+    zathura
+    zbar
+    zathura
+    meld
+    python3Packages.magic
+    yubikey-touch-detector
+
+    # x11-exclusive
+    libgnomekbd # to show keyboard layout
+    dunst
+    i3lock
+    numlockx
+    rofi
+    rofimoji
+    rxvt-unicode
+    # TODO urxvt-resize-font-git
+    scrot
+    simplescreenrecorder
+    trayer
+    unclutter
+    xautolock
+    xclip
+    lemonbar-xft
+    autorandr
+    keynav
+    sct
+    xorg.xinit
+    xorg.xbacklight
+
+    alacritty
+
+    # organisation
+    rofi-pass # TODO Try autopass.cr
+    thunderbird
+  ];
+
+  environment.systemPackages = with pkgs; [ pavucontrol ];
+
+}

config/nix/modules/dev.nix

@@ -2,7 +2,7 @@
 {
   # TODO Separate in diffrent packages once the structure is finalized...
   # or connvert into per-directory requirements
-  home.packages = with pkgs; [
+  users.users.geoffrey. packages = with pkgs; [
     # Ansible
     ansible
     ansible-lint

config/nix/modules/extra.nix

@@ -1,6 +1,6 @@
 { pkgs, ... }:
 {
-  home.packages = with pkgs; [
+  users.users.geoffrey. packages = with pkgs; [
     # android tools
     android-tools
 
@@ -16,7 +16,7 @@
     # downloading
     yt-dlp
     megatools
-    # transmission TODO Collision if both transmissions are active?
+    transmission
     transmission-qt
 
     # wine
@@ -41,4 +41,8 @@
     # TODO factorio
   ];
 
+  environment.systemPackages = with pkgs; [
+    # android tools
+    android-udev-rules
+  ];
 }

config/nix/os/common.nix

@@ -1,72 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  boot.loader.grub.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  time.timeZone = "Europe/Amsterdam";
-
-  # TODO qwerty-fr for console
-
-  # Enable CUPS to print documents
-  services.printing.enable = true;
-
-  # Enable passwordless sudo
-  security.sudo.extraRules = [{
-    groups = [ "wheel" ];
-    commands = [{
-      command = "ALL";
-      options = [ "NOPASSWD" ];
-    }];
-  }];
-
-  environment.systemPackages = with pkgs; [
-    wget
-    kexec-tools
-    openvpn
-    update-resolv-conf # TODO Is it what I think it is?
-
-    # android tools
-    android-udev-rules
-  ];
-
-  programs = {
-    # Enable compilation cache
-    ccache.enable = true;
-    # TODO Not enough, see https://nixos.wiki/wiki/CCache.
-    # Might want to see if it's worth using on NixOS
-    gnupg.agent.enable = true;
-
-    # Let users mount disks
-    udevil.enable = true;
-  };
-
-  services = {
-    # Enable the OpenSSH daemon
-    openssh.enable = true;
-
-    # Time sychronisation
-    chrony = {
-      enable = true;
-      servers = map (n: "${toString n}.europe.pool.ntp.org") (lib.lists.range 0 3);
-      extraConfig = "rtcsync";
-    };
-
-    # Prevent power button from shutting down the computer.
-    # On Pinebook it's too easy to hit,
-    # on others I sometimes turn it off when unsuspending.
-    logind.extraConfig = "HandlePowerKey=ignore";
-
-  };
-
-  # FIXME services.openvpn.servers.<name>.updateResolvConf=true
-  # For profiles in the extensions
-
-  # TODO Hibernation?
-
-  # TEST
-  system.copySystemConfiguration = true;
-
-  # Use defaults from
-  system.stateVersion = "23.05";
-
-}

config/nix/os/desktop.nix

@@ -1,38 +0,0 @@
-{ pkgs, ... }:
-{
-  # Enable the X11 windowing system
-  services.xserver.enable = true;
-
-  services.xserver = {
-    windowManager.i3.enable = true;
-    desktopManager.gnome.enable = true;
-    displayManager.defaultSession = "none+i3";
-
-    # Keyboard layout
-    extraLayouts.qwerty-fr = {
-      description = "QWERTY-fr";
-      languages = [ "fr" ];
-      symbolsFile = "${pkgs.stdenv.mkDerivation {
-          name = "qwerty-fr-keypad";
-          src = builtins.fetchGit {
-            url = "https://github.com/qwerty-fr/qwerty-fr.git";
-            rev = "3a4d13089e8ef016aa20baf6b2bf3ea53de674b8";
-          };
-          patches = [ ./qwerty-fr-keypad.diff ];
-          # TODO This doesn't seem to be applied... it's the whole point of the derivation :(
-          installPhase = ''
-            runHook preInstall
-            mkdir -p $out/linux
-            cp $src/linux/us_qwerty-fr $out/linux
-            runHook postInstall
-          '';
-      }}/linux/us_qwerty-fr";
-    };
-    layout = "qwerty-fr";
-  };
-
-  # Enable sound
-  sound.enable = true;
-  hardware.pulseaudio.enable = true;
-  environment.systemPackages = with pkgs; [ pavucontrol ];
-}

config/nix/os/geoffrey.nix

@@ -1,35 +0,0 @@
-{ pkgs, ... }:
-{
-  imports = [
-    <home-manager/nixos>
-  ];
-
-  users.users.geoffrey = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    shell = pkgs.zsh;
-
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPE41gxrO8oZ5n3saapSwZDViOQphm6RzqgsBUyA88pU geoffrey@frogeye.fr"
-    ];
-  };
-
-  # Won't allow to set the shell otherwise,
-  # even though home-manager sets it
-  programs.zsh.enable = true;
-
-  home-manager = {
-    users.geoffrey = { pkgs, ... }: {
-      imports = [
-        ../hm/loader.nix
-      ];
-    };
-    # Makes VMs able to re-run
-    useUserPackages = true;
-    # Adds consistency
-    useGlobalPkgs = true;
-  };
-
-  # FIXME Make sure I'm the only user & everything is encrypted
-  services.xserver.displayManager.autoLogin.user = "geoffrey";
-}

config/nix/os/loader.nix

@@ -1,10 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./battery.nix
-    ./geoffrey.nix
-    ./common.nix
-    ./desktop.nix
-    ./wireless.nix
-  ];
-}

config/nix/pindakaas.nix

@@ -1,9 +0,0 @@
-{ ... }:
-{
-  imports = [
-    <nixos-hardware/pine64/pinebook-pro>
-    ./os/loader.nix
-  ];
-
-  networking.hostName = "pindakaas.geoffrey.frogeye.fr";
-}

config/nix/testvim.nix

@@ -1,6 +0,0 @@
-{ config, pkgs, ... }:
-{
-  imports = [
-    ./curacao.nix
-  ];
-}

config/nix/testvm.nix

@@ -1,8 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./os/loader.nix
-  ];
-
-  networking.hostName = "nixos";
-}

config/shell/shenv

@@ -29,6 +29,7 @@ direnv CARGOHOME "$HOME/.cache/cargo" # There are config in there that we can ve
 export CCACHE_CONFIGPATH="$HOME/.config/ccache.conf"
 direnv CCACHE_DIR "$HOME/.cache/ccache" # The config file alone seems to be not enough
 direnv DASHT_DOCSETS_DIR "$HOME/.cache/dash_docsets"
+direnv GNUPGHOME "$HOME/.config/gnupg"
 direnv GOPATH "$HOME/.cache/go"
 direnv GRADLE_USER_HOME "$HOME/.cache/gradle"
 export INPUTRC="$HOME/.config/inputrc"