meow

2025-07-23 14:24:23 +02:00 · 2025-07-23 14:24:23 +02:00 · 9ca7a8d8f6
commit 9ca7a8d8f6
parent 93a675c06a
20 changed files with 631 additions and 194 deletions
--- a/flake.lock
+++ b/flake.lock
@ -23,11 +23,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1746967469,
+        "lastModified": 1753107457,
-        "narHash": "sha256-FRpU/uwwqS9v/ehoZ2FPvm7TNVS4/kDnXVWEvBKBuAc=",
+        "narHash": "sha256-Hh4/gCQ1rymD3TSlyyZA4vO9hx3uVX9MPi0o3luWYlI=",
        "owner": "sofusa",
        "repo": "csharp-language-server",
-        "rev": "dd210e8300ef03ce70dcbee5e7c441cee6e71795",
+        "rev": "485d3a5602ca18554d8739aee69283e0164590d9",
        "type": "github"
      },
      "original": {
@ -109,24 +109,6 @@
        "type": "github"
      }
    },
    "flake-utils_3": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flakey-profile": {
      "locked": {
        "lastModified": 1712898590,
@ -166,18 +148,17 @@
    },
    "helix": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs-master"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1746686948,
+        "lastModified": 1753258147,
-        "narHash": "sha256-w61Wo6vlkPXEiuqd19AIwvlVA77siY1oVXfK3o+buOU=",
+        "narHash": "sha256-hCYSMxW9pAB8jP+PdDBzVxdU2w12ZgsGUf6JJh90dqI=",
        "owner": "sofusa",
        "repo": "helix-pull-diagnostics",
-        "rev": "b99c77b7898ebc0b2b6d40e728abb513e6a9fa6a",
+        "rev": "0831043ffa4fa7097a54681d6ed5d6b7dc2a6a10",
        "type": "github"
      },
      "original": {
@ -193,11 +174,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1746981801,
+        "lastModified": 1753181343,
-        "narHash": "sha256-+Bfr0KqZV6gZdA7e2kupeoawozaLIHLuiPtC54uxbFc=",
+        "narHash": "sha256-CLQfNtUqirNVSYoW/kYbvL4PeeNasmZonaPnjO3+1YQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "ff915842e4a2e63c4c8c5c08c6870b9d5b3c3ee9",
+        "rev": "0cdfcdbb525b77b951c889b6131047bc374f48fe",
        "type": "github"
      },
      "original": {
@ -214,11 +195,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743604125,
+        "lastModified": 1752603129,
-        "narHash": "sha256-ZD61DNbsBt1mQbinAaaEqKaJk2RFo9R/j+eYWeGMx7A=",
+        "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "180fd43eea296e62ae68e079fcf56aba268b9a1a",
+        "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b",
        "type": "github"
      },
      "original": {
@ -235,11 +216,11 @@
      },
      "locked": {
        "dir": "nix",
-        "lastModified": 1739976554,
+        "lastModified": 1751398458,
-        "narHash": "sha256-iBsa9Gyc9q1pBxpvwBkZWFPx3aNZgqtqtehuTjymZ20=",
+        "narHash": "sha256-EHg2Z0EbsFN5zU1WrLc1sFszbUsLLpqZgFim7Zi8dRc=",
        "ref": "feat-tap-overlap",
-        "rev": "900ef1359ea5f632f490be2e259aa3b409f5855e",
+        "rev": "fb0334cbd16ec64c5ebcc10f7982a9857bd97d27",
-        "revCount": 942,
+        "revCount": 986,
        "type": "git",
        "url": "https://github.com/jokesper/kmonad"
      },
@ -279,46 +260,44 @@
    "lix": {
      "flake": false,
      "locked": {
-        "lastModified": 1746827285,
+        "lastModified": 1751235704,
-        "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=",
+        "narHash": "sha256-J4ycLoXHPsoBoQtEXFCelL4xlq5pT8U9tNWNKm43+YI=",
-        "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a",
+        "rev": "1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6",
        "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6.tar.gz?rev=1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6"
      },
      "original": {
        "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz"
+        "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz"
      }
    },
    "lix-module": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_2",
        "flakey-profile": "flakey-profile",
        "lix": "lix",
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs"
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1746838955,
+        "lastModified": 1751240025,
-        "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=",
+        "narHash": "sha256-SXUAlxpjPRkArRMHy5+Hdi+PiC+ND9yzzIjiaHmTvQU=",
-        "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc",
+        "rev": "8b1094356f4723d6e89d3f8a95b333ee16d9ab02",
        "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/8b1094356f4723d6e89d3f8a95b333ee16d9ab02.tar.gz?rev=8b1094356f4723d6e89d3f8a95b333ee16d9ab02"
      },
      "original": {
        "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"
+        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz"
      }
    },
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1743812405,
+        "lastModified": 1752497937,
-        "narHash": "sha256-BedQ9Z3+nqtp9BRjHjJNPUeLIMVbTsP3Udbz0b1cUn0=",
+        "narHash": "sha256-xBkxB3KGDUQRpd2nSqJvw6vJhse4Lee4OaeJH6WvNDM=",
        "owner": "mobile-nixos",
        "repo": "mobile-nixos",
-        "rev": "6679fd7a8dd4ccf4aa538b82216723861cfe61a2",
+        "rev": "7a5fb89f4d2f08829f3fa1078108ceb40e8c8a67",
        "type": "github"
      },
      "original": {
@ -327,6 +306,27 @@
        "type": "github"
      }
    },
    "niri": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-master"
        ],
        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
        "lastModified": 1752870529,
        "narHash": "sha256-23DJk5EfEDCq7Xy1QELcayG0VxbbWpdQ6t7jbhae1Ok=",
        "owner": "YaLTeR",
        "repo": "niri",
        "rev": "fefc0bc0a71556eb75352e2b611e50eb5d3bf9c2",
        "type": "github"
      },
      "original": {
        "owner": "YaLTeR",
        "repo": "niri",
        "type": "github"
      }
    },
    "nix-flatpak": {
      "locked": {
        "lastModified": 1739444422,
@ -345,11 +345,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1746814339,
+        "lastModified": 1753122741,
-        "narHash": "sha256-hf2lICJzwACWuzHCmZn5NI6LUAOgGdR1yh8ip+duyhk=",
+        "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "3c5e12673265dfb0de3d9121420c0c2153bf21e0",
+        "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22",
        "type": "github"
      },
      "original": {
@ -361,11 +361,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1746904237,
+        "lastModified": 1746663147,
-        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
+        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
        "type": "github"
      },
      "original": {
@ -377,11 +377,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1747003416,
+        "lastModified": 1753264108,
-        "narHash": "sha256-AT1E41SQNY19vQ9L+RDSGkall2fEjLptBc6DSLJ0U5E=",
+        "narHash": "sha256-8p2/JVY9NZJBJYhKqHrnniheqIYKEWqbfb3njExFEKE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5d35e620053b041a4e04f09b21adf058408994c9",
+        "rev": "54066a57598ff5d22ed30a746603a524667250fc",
        "type": "github"
      },
      "original": {
@ -407,6 +407,22 @@
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1752950548,
        "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "pre-commit-hooks-nix": {
      "inputs": {
        "flake-compat": [
@ -435,17 +451,12 @@
      }
    },
    "quadlet": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1746457417,
+        "lastModified": 1752618481,
-        "narHash": "sha256-Eno9poUcLhWfMvs4H9Eb8JnXT5LFVhQ6G3UiEb0iKoA=",
+        "narHash": "sha256-8132xTqalZxJZbznHDNoia1UqjNdL/hIQD4IXnI9F58=",
        "owner": "SEIAROTg",
        "repo": "quadlet-nix",
-        "rev": "11315f2c85e7ef9022115ce73386852e60de2c11",
+        "rev": "0c1d64f360c1a3c3534f6b592ca3ed5d46cf8429",
        "type": "github"
      },
      "original": {
@ -463,9 +474,10 @@
        "lanzaboote": "lanzaboote",
        "lix-module": "lix-module",
        "mobile-nixos": "mobile-nixos",
        "niri": "niri",
        "nix-flatpak": "nix-flatpak",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-master": "nixpkgs-master",
        "quadlet": "quadlet",
        "zen-browser": "zen-browser"
@ -513,6 +525,27 @@
        "type": "github"
      }
    },
    "rust-overlay_3": {
      "inputs": {
        "nixpkgs": [
          "niri",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1752374969,
        "narHash": "sha256-Ky3ynEkJXih7mvWyt9DWoiSiZGqPeHLU1tlBU4b0mcc=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "75fb000638e6d0f57cb1e8b7a4550cbdd8c76f1d",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -543,21 +576,6 @@
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "zen-browser": {
      "inputs": {
        "home-manager": "home-manager_2",
@ -566,11 +584,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1746998207,
+        "lastModified": 1753069499,
-        "narHash": "sha256-q+3L52wIBNoUPPWGw55O2+WstZCgBVRGdKpYRxt60Rw=",
+        "narHash": "sha256-YtgY0ueqKNrBma4Euu8WH23BhUkBujirJDMDE1KujnU=",
        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
-        "rev": "37077d385abbf4358621948df86b37f618c5b338",
+        "rev": "c64b94235ae24e3b9e01a08f0331d8bb0e5b037a",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -11,7 +11,6 @@
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    quadlet.url = "github:SEIAROTg/quadlet-nix";
    quadlet.inputs.nixpkgs.follows = "nixpkgs";
    # software
    lanzaboote = {
@ -21,8 +20,8 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lix-module = {
-      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz";
+      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
    };
    zen-browser.url = "github:0xc000022070/zen-browser-flake";
    zen-browser.inputs.nixpkgs.follows = "nixpkgs-master";
@ -30,6 +29,10 @@
      url = "git+https://github.com/jokesper/kmonad?dir=nix&ref=feat-tap-overlap";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    niri.url = "github:YaLTeR/niri";
    niri.inputs.nixpkgs.follows = "nixpkgs-master";
    # nheko.url = "github:Nheko-Reborn/nheko";
    # nheko.flake = false;
    # helix
    helix.url = "github:sofusa/helix-pull-diagnostics";
@ -55,7 +58,27 @@
          };
        }
      );
-      overlays = [ self.overlays.default ];
+      overlays = [ self.overlays.default
              # lix-module.overlays.default
      (final: prev: let
        versionSuffix = "-horribly-patched";
        lix = final.applyPatches {
          name = "lix${versionSuffix}";
          src = inputs.lix-module.inputs.lix;
          patches = [
            (final.fetchpatch {
              name = "lix-2.93-structuredAttrs.patch";
              url = "https://gerrit.lix.systems/changes/lix~3668/revisions/2/patch?download&raw";
              hash = "sha256-JQlAU0texMa7DMrqk447SXJUEu1k4IP9z8mjCHyskVc=";
            })
          ];
        };
        patchedOverlay = import (inputs.lix-module + "/overlay.nix") {
          inherit versionSuffix lix;
        };
      in
        patchedOverlay final prev)
      ];
      genPkgs =
        system:
        import nixpkgs {
@ -72,7 +95,7 @@
      };
      nixosConfigurations = lib.xyno.loadInstances ./instances (
        [
-          inputs.lix-module.nixosModules.default
+          # inputs.lix-module.nixosModules.default
          inputs.kmonad.nixosModules.default
          inputs.home-manager.nixosModules.default
          inputs.lanzaboote.nixosModules.lanzaboote
--- a/hm-modules/helix.nix
+++ b/hm-modules/helix.nix
@ -16,6 +16,7 @@ in
      dprint
      nodePackages_latest.typescript-language-server
      nodePackages_latest.vscode-langservers-extracted
      markdown-oxide
      ## python
      # ruff-lsp
      # nodePackages_latest.pyright
--- a/instances/theseus/configuration.nix
+++ b/instances/theseus/configuration.nix
@ -8,8 +8,7 @@
 {
  nixpkgs.system = "x86_64-linux";
  imports = [ ./hardware-configuration.nix ];
-  hardware.keyboard.zsa.enable = true;
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; 
  home-manager.users.${config.xyno.system.user.name} = (
    { ... }:
    {
@ -17,7 +16,7 @@
      xyno.borgmatic.enable = true;
      home.packages = [
        # work
-        pkgs.jetbrains.rider
+        (pkgs.unstable.jetbrains.rider.override  { jdk = pkgs.unstable.openjdk21; })
        (pkgs.firefox-devedition.overrideAttrs (super: self: { meta.priority = 1; }))
      ];
      services.flatpak.update.auto.enable = true;
@ -39,20 +38,43 @@
      };
    }
  );
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];
  environment.systemPackages = with pkgs; [
    aerc
    oama # required for aerc
    libsecret # required for oama
    easyeffects
    jabref
    glib # rider wants gsettings
    (pkgs.writeShellScriptBin "sudo" "run0 $@")
    krita
    strawberry
    pandoc
    tectonic
    rquickshare
    supersonic
    # (nheko.overrideAttrs (
    #   super: self: {
    #     src = inputs.nheko;
    #   }
    # ))
  ];
  time.timeZone = "Europe/Berlin";
-  networking.firewall.allowedTCPPorts = [ 1880 2021 ];
+  networking.firewall.allowedTCPPorts = [
-  networking.firewall.allowedUDPPorts = [ 1880 2021 ];
+    1880
    2021
  ];
  networking.firewall.allowedUDPPorts = [
    1880
    2021
  ];
  services.tailscale.enable = true;
  services.tailscale.useRoutingFeatures = "client";
  xyno.common.enable = true;
  xyno.desktop.common-programs.enable = true;
  xyno.hardware.kmonad.enable = true;
  xyno.presets.cli.enable = true;
@ -67,7 +89,7 @@
    enable = true;
    enableWifi = true;
  };
-  xyno.desktop.easyeffects.enable = true;
+  # xyno.desktop.easyeffects.enable = true;
  # xyno.desktop.fcitx5.enable = true;
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
@ -76,5 +98,4 @@
  services.flatpak.enable = true;
  system.stateVersion = "24.11";
  programs.nh.enable = true;
 }
--- a/modules/desktop/audio.nix
+++ b/modules/desktop/audio.nix
@ -10,26 +10,41 @@ in
 {
  options.xyno.desktop.audio.enable = lib.mkEnableOption "enable pipewire and stuff";
  config = lib.mkIf cfg.enable {
-  services.pipewire = {
+    services.pipewire = {
-    enable = true;
+      enable = true;
-    # raopOpenFirewall = true; # airplay
+      # raopOpenFirewall = true; # airplay
-    pulse.enable = true;
+      pulse.enable = true;
-    extraConfig.pipewire = {
+      extraConfig.pipewire = {
-      "9-clock-allow-higher" = {
+        "9-clock-allow-higher" = {
-        "context.properties" = {
+          "context.properties" = {
-          "default.clock.allowed-rates" = [ "44100" "48000" "96000" "192000" ];
+            "default.clock.allowed-rates" = [
              "44100"
              "48000"
              "96000"
              "192000"
            ];
          };
        };
        # "10-raop-discover" = {
        #   "context.modules" = [
        #     {
        #       name = "libpipewire-module-raop-discover";
        #       args = { };
        #     }
        #   ];
        # };
      };
      extraConfig.pipewire-pulse = {
        "10-zeroconf" = {
          "pulse.cmd" = [
            {
              cmd = "load-module";
              args = "module-zeroconf-discover";
            }
          ];
        };
      };
      # "10-raop-discover" = {
      #   "context.modules" = [
      #     {
      #       name = "libpipewire-module-raop-discover";
      #       args = { };
      #     }
      #   ];
      # };
    };
  };
  };
 }
--- a/modules/desktop/common-programs.nix
+++ b/modules/desktop/common-programs.nix
@ -13,7 +13,7 @@ in
    lib.mkEnableOption "install some commonly used programs";
  config = lib.mkIf cfg.enable {
    home-manager.users.${config.xyno.system.user.name} = lib.mkIf config.xyno.presets.home-manager.enable ({...}: {
-      xyno.alacritty.enable = true;
+      # xyno.alacritty.enable = true;
      xyno.helix.enable = true;
    });
    programs.steam = {
@ -37,14 +37,17 @@ in
      signal-desktop
      obsidian
      diebahn
-      vlc
+      mpv
      lutris
      libreoffice-qt6-fresh
      inkscape
      easyeffects
      appimage-run
      unstable.keepassxc
      inputs.zen-browser.packages."${pkgs.system}".default
      qalculate-qt
      wl-clipboard-rs
      wdisplays
    ];
--- a/modules/desktop/foot.nix
+++ b/modules/desktop/foot.nix
@ -13,14 +13,14 @@ in
    type = lib.types.str;
    default = "niri.service";
  };
-  options.xyno.desktop.foot.package= lib.mkOption {
+  options.xyno.desktop.foot.package = lib.mkOption {
    type = lib.types.package;
    default = pkgs.foot;
  };
  config = lib.mkIf cfg.enable {
    # should be socket activated tm
-    # systemd.user.services.foot.wantedBy = lib.mkForce [ cfg.wantedBy ];
+    # systemd.user.services.foot-server.wantedBy = lib.mkForce [ cfg.wantedBy ];
-    # systemd.user.sockets.foot.wantedBy = lib.mkForce [ cfg.wantedBy ];
+    systemd.user.sockets.foot-server.wantedBy = lib.mkForce [ cfg.wantedBy ];
    systemd.packages = [ cfg.package ];
    xyno.desktop.niri.term = lib.mkDefault "footclient";
    programs.foot = {
--- a/modules/desktop/mate-polkit.nix
+++ b/modules/desktop/mate-polkit.nix
@ -1,32 +0,0 @@
 {
  pkgs,
  config,
  lib,
  ...
 }:
 let
  cfg = config.xyno.desktop.mate-polkit;
 in
 {
  options.xyno.desktop.mate-polkit.enable = lib.mkEnableOption "enable mate-polkit as the gui polkit thing";
  options.xyno.desktop.mate-polkit.wantedBy = lib.mkOption {
    type = lib.types.str;
    default = "niri.service";
  };
  options.xyno.desktop.mate-polkit.package = lib.mkOption {
    type = lib.types.package;
    default = pkgs.mate.mate-polkit; # we're using mate polkit as it seems to be the only maintained gtk polkit thing (and we're using all the other gtk shit anyways)
  };
  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];
    systemd.user.services.mate-polkit = {
      unitConfig.PartOf = "graphical-session.target";
      unitConfig.After = "graphical-session.target";
      unitConfig.Requisite = "graphical-session.target";
      serviceConfig.Restart = "on-failure";
      wantedBy = [ cfg.wantedBy ];
      script = "exec ${cfg.package}/libexec/polkit-mate-authentication-agent-1";
    };
  };
 }
--- a/modules/desktop/niri.nix
+++ b/modules/desktop/niri.nix
@ -1,4 +1,5 @@
 {
  inputs,
  pkgs,
  config,
  lib,
@ -11,6 +12,7 @@ let
    "org.pulseaudio.pavucontrol"
    "KeePassXC"
    "org.gnome.NautilusPreviewer"
    "io.github.Qalculate.qalculate-qt"
  ];
  matchFloat = lib.concatStringsSep "\n" (
    map (x: ''
@ -42,32 +44,72 @@ in
          { ... }:
          {
            xyno.dark-theme.enable = true;
            home.file.".config/xdg-desktop-portal-termfilechooser/config".text = ''
              [filechooser]
              cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
              default_dir=$HOME
              env=TERMCMD=footclient --app-id floating-alacritty
              open_mode = suggested
              save_mode = suggested
            '';
          }
        );
    xdg.portal = {
      extraPortals = [
        pkgs.xdg-desktop-portal-termfilechooser
      ];
      config.niri.default = [
        "gnome"
        "gtk"
      ];
      # config.niri."org.freedesktop.impl.portal.FileChooser" = [ "termfilechooser" ];
      config.niri."org.freedesktop.impl.portal.Access" = [ "gtk" ];
      config.niri."org.freedesktop.impl.portal.Notification" = [ "gtk" ];
      config.niri."org.freedesktop.impl.portal.Secret" = [ "gnome-keyring" ];
    };
    # xdg.portal = {
    #   enable = true;
    #   wlr.enable = true;
    # };
    environment.systemPackages = with pkgs;[
      playerctl
      xwayland-satellite
    ];
    programs.niri.enable = true;
    programs.niri.package = inputs.niri.packages.${pkgs.system}.default.overrideAttrs (prev: {
      patches = prev.patches ++ [
        (pkgs.fetchurl {
          url = "https://patch-diff.githubusercontent.com/raw/YaLTeR/niri/pull/1907.patch";
          hash = "sha256-XhG8Ga1/QMPXrF0FjQuBk8KZISbof4Md4kM73cG1SYQ=";
        })
      ];
    });
    environment.etc."niri/config.kdl".mode = "444"; # copy file so niri detects changes
    environment.etc."niri/config.kdl".text = ''
-      // xwayland
+      animations {
-      spawn-at-startup "${pkgs.xwayland-satellite}/bin/xwayland-satellite"
+        off
      environment {
        DISPLAY ":0"
      }
      // keybinds
      binds {
        Mod+D { spawn "${cfg.launcher}"; }
        Mod+Alt+L { spawn "lock"; }
        Mod+T { spawn "${cfg.term}"; }
-        Mod+Y { spawn "${cfg.term} yazi"; }
+        Mod+Y { spawn "${cfg.term}" "--app-id" "floating-alacritty" "yazi"; }
        Mod+P { spawn "keepassxc"; }
-        XF86AudioRaiseVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.1+"; }
+        Mod+S { spawn "qalculate-qt"; }
-        XF86AudioLowerVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.1-"; }
+        Mod+Shift+N { spawn "makoctl" "dismiss" "-a"; }
        Mod+N { spawn "makoctl" "dismiss"; }
        Mod+E { spawn "makoctl" "menu" "fuzzel -d"; }
        XF86AudioRaiseVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.03+"; }
        XF86AudioLowerVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.03-"; }
        XF86AudioMute        allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SINK@" "toggle"; }
        XF86AudioMicMute     allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SOURCE@" "toggle"; }
        XF86AudioNext        allow-when-locked=true { spawn "playerctl" "next"; }
        XF86AudioPrev        allow-when-locked=true { spawn "playerctl" "previous"; }
        XF86AudioPlay        allow-when-locked=true { spawn "playerctl" "play-pause"; }
        XF86AudioPause       allow-when-locked=true { spawn "playerctl" "pause"; }
        Mod+Q { close-window; }
@ -284,10 +326,19 @@ in
        Super+Backslash { focus-workspace "scratchpad"; }
      }
      layout {
-        gaps 12
+        // center-focused-column "always"
        gaps 8
        shadow {
          on
        }
        background-color "transparent"
        struts {
          right 16
          left 16
        }
        default-column-width { proportion 0.33333; }
        tab-indicator {
          hide-when-single-tab
          position "top"
@ -300,6 +351,11 @@ in
      // scratchpad
      // workspace "scratchpad"
      // Put swaybg inside the overview backdrop.
      layer-rule {
          match namespace="^wpaperd.*$"
          place-within-backdrop true
      }
      screenshot-path "~/Pictures/screenshots/screenshot-%Y-%m-%d %H-%M-%S.png"
      // Indicate screencasted windows with red colors.
@ -353,11 +409,13 @@ in
      }
      input {
-        workspace-auto-back-and-forth
+        // workspace-auto-back-and-forth
-        focus-follows-mouse
+        focus-follows-mouse max-scroll-amount="10%"
        keyboard {
          xkb {
            layout "eu"
            // options "compose:lalt"
          }
        }
        touchpad {
--- a/modules/desktop/waybar.nix
+++ b/modules/desktop/waybar.nix
@ -424,7 +424,7 @@ in
  };
  options.xyno.desktop.waybar.package = lib.mkOption {
    type = lib.types.package;
-    default = pkgs.unstable.waybar.override { hyprlandSupport = false; }; # we don't use it and hyprland seems to not build on current master
+    default = pkgs.unstable.waybar;
  };
  options.xyno.desktop.waybar.mode = lib.mkOption {
    type = lib.types.str;
--- a/modules/hardware/kmonad.nix
+++ b/modules/hardware/kmonad.nix
@ -26,6 +26,11 @@ in
          config = builtins.readFile ./kmonad/k70.kbd;
        };
        wire = {
          device = "/dev/input/by-id/usb-Razer_Razer_BlackWidow_Chroma_V2-event-kbd";
          config = builtins.readFile ./kmonad/chroma_v2.kbd;
        };
      };
    };
  };
--- a/modules/hardware/kmonad/chroma_v2.kbd
+++ b/modules/hardware/kmonad/chroma_v2.kbd
@ -0,0 +1,89 @@
 (defcfg
  ;; ** For Linux **
  input  (device-file "/dev/input/by-id/usb-Razer_Razer_BlackWidow_Chroma_V2-event-kbd")
  ;; input  (device-file "/dev/input/by-path/platform-i8042-serio-0-event-kbd")
  output (uinput-sink "KMonad output")
  ;; ** For Windows **
  ;; input  (low-level-hook)
  ;; output (send-event-sink)
  ;; ** For MacOS **
  ;; input  (iokit-name "my-keyboard-product-string")
  ;; output (kext)
  fallthrough true
 )
 (defsrc
  esc     f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12
  grv     1    2    3    4    5    6    7    8    9    0    -    =    bspc
  tab     q    w    e    r    t    y    u    i    o    p    [    ]
  caps    a    s    d    f    g    h    j    k    l    ;    '    \   ret
  lsft 102d z    x    c    v    b    n    m    ,    .    /    rsft
  lctl    lmet lalt           spc            ralt rmet cmp  rctl
 )
 (defalias
  ext  (layer-toggle extend) ;; Bind 'ext' to the Extend Layer
 )
 (defalias
  cpy C-c
  pst C-v
  cut C-x
  udo C-z
  all C-a
  fnd C-f
  bk Back
  fw Forward
 )
 (defalias
 num (layer-toggle num)
 )
 (deflayer colemak-dh
  esc     f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12   
  grv      1    2    3    4    5    6    7    8    9    0    -    =    bspc
  tab      q    w    f    p    b    j    l    u    y    ;    [    ]
  esc     (tap-hold-next-release 200 a lctrl)    (tap-hold-next-release 200 r ralt)    (tap-hold-next-release 200 s lmet)    t    g    m    n    (tap-hold-next-release 200 e rmet)    (tap-hold-next-release 200 i lalt)    (tap-hold-next-release 200 o rctrl)    '    \\   ret
  lsft  z    x    c    d    v    102d k    h    ,    .    /    rsft
  lctl     lmet lalt           spc            ralt rmet _    _
 )
 (deflayer num
  esc     f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12   
  grv      1    2    3    4    5    6    7    8    9    0    -    =    bspc
  tab      q    w    f    p    b    j    l    u    y    ;    [    ]
  esc      1    2    3    4    5    6    7    8    9    0    '    \\   ret
  lsft  z    x    c    d    v    102d k    h    ,    .    /    rsft
  lctl     lmet lalt           spc            ralt rmet _    _
 )
 (deflayer colemak-dhk
  esc     f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12
  grv      1    2    3    4    5    6    7    8    9    0    -    =    bspc
  tab      q    w    f    p    b    j    l    u    y    ;    [    ]
  @ext     a    r    s    t    g    k    n    e    i    o    '    \\   ret
  lsft  z    x    c    d    v    102d m    h    ,    .    /    rsft
  lctl     lmet lalt           spc            ralt rmet _    _
 )
 (deflayer extend
  _        play rewind previoussong nextsong ejectcd refresh brdn brup www mail prog1 prog2
  _        f1   f2   f3   f4   f5   f6   f7   f8   f9  f10   f11  f12  _
  _        esc  @bk  @fnd @fw  ins  pgup home up   end  menu prnt slck
  _        lalt lmet lsft lctl ralt pgdn lft  down rght del  caps _    _
  _     @udo @cut @cpy  tab  @pst _   pgdn bks  lsft lctl comp _
  _        _    _              ret            _    _    _    _
 )
 (deflayer empty
  _        _    _    _    _    _    _    _    _    _    _    _    _    
  _        _    _    _    _    _    _    _    _    _    _    _    _    _
  _        _    _    _    _    _    _    _    _    _    _    _    _ 
  _        _    _    _    _    _    _    _    _    _    _    _    _    _ 
  _    _     _    _    _    _    _    _    _    _    _    _    _ 
  _        _    _              _              _    _    _    _
 )
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -8,7 +8,6 @@
  ./desktop/foot.nix
  ./desktop/fuzzel.nix
  ./desktop/mako.nix
  ./desktop/mate-polkit.nix
  ./desktop/niri.nix
  ./desktop/shikane.nix
  ./desktop/swayidle.nix
@ -17,6 +16,7 @@
  ./hardware/kmonad.nix
  ./networking/networkd.nix
  ./presets/cli.nix
  ./presets/common.nix
  ./presets/gui.nix
  ./presets/home-manager.nix
  ./system/user.nix
--- a/modules/networking/networkd.nix
+++ b/modules/networking/networkd.nix
@ -13,6 +13,50 @@ in
  config = lib.mkIf cfg.enable {
    systemd.network.enable = true;
    networking.useNetworkd = true;
    networking = {
      dhcpcd.enable = false;
      useDHCP = true;
      useHostResolvConf = false;
    };
    # systemd.network.networks."60-wifi-client" = {
    #   matchConfig = {
    #     WLANInterfaceType = "station";
    #   };
    #   networkConfig = {
    #     DHCP = "yes";
    #     # IPv6AcceptRA = true;
    #     KeepConfiguration = "no";
    #     IPv6PrivacyExtensions = "kernel";
    #   };
    #   linkConfig.RequiredForOnline = "routable";
    #   dhcpV4Config = {
    #     RouteMetric = 1025;
    #     # IPv6OnlyMode = "yes";
    #   };
    #   ipv6AcceptRAConfig = {
    #     # UsePREF64 = true;
    #     RouteMetric = 1025;
    #   };
    # };
    # systemd.network.networks."60-ethernet-dhcp" = {
    #   matchConfig = {
    #     Kind = "!*";
    #     Type = "either";
    #     # Name = "en*";
    #   };
    #   linkConfig.RequiredForOnline = "routable";
    #   dhcpV4Config = {
    #     # IPv6OnlyMode = "yes";
    #   };
    #   networkConfig = {
    #     DHCP = "yes";
    #     # IPv6AcceptRA = true;
    #     KeepConfiguration = "no";
    #     IPv6PrivacyExtensions = "kernel";
    #   };
    #   # ipv6AcceptRAConfig.UsePREF64 = true;
    # };
    networking.wireless.iwd.enable = cfg.enableWifi;
    # services.clatd.enable = true;
  };
 }
--- a/modules/presets/cli.nix
+++ b/modules/presets/cli.nix
@ -15,6 +15,27 @@ in
    xyno.cli.starship.enable = true;
    security.sudo.enable = false;
    # Opitionally
    i18n.defaultLocale = "en_US.UTF-8";
    # i18n.extraLocales = ["de_DE.UTF-8"];
    i18n.extraLocaleSettings = {
      LC_CTYPE = "en_US.UTF8";
      LC_ADDRESS = "de_DE.UTF-8";
      LC_MEASUREMENT = "de_DE.UTF-8";
      LC_MESSAGES = "en_US.UTF-8";
      LC_MONETARY = "de_DE.UTF-8";
      LC_NAME = "de_DE.UTF-8";
      LC_NUMERIC = "en_US.UTF-8";
      LC_PAPER = "de_DE.UTF-8";
      LC_TELEPHONE = "de_DE.UTF-8";
      LC_TIME = "de_DE.UTF-8";
      LC_COLLATE = "de_DE.UTF-8";
    };
    home-manager.users.xyno.home.sessionVariables.LOCALE_ARCHIVE_2_27 =
      lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
    home-manager.users.xyno.systemd.user.sessionVariables.LOCALE_ARCHIVE_2_27 =
      lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
    nix.settings = {
      substituters = [
        "https://cache.lix.systems"
@ -51,6 +72,13 @@ in
      enable = true;
    };
    services.pcscd.enable = true;
 programs.gnupg.agent = {
   enable = true;
   # pinentrywlavor = "curses";
   # enableSSHSupport = true;
 };
    environment.systemPackages = with pkgs; [
      jq
      fd
@ -80,7 +108,7 @@ in
    programs.mosh.enable = true;
    environment.variables.EDITOR = "hx";
    environment.variables.VISUAL = "hx";
-    environment.variables.PAGER= "moar";
+    environment.variables.PAGER = "moar";
    environment.shellAliases = {
      l = "ls -alh";
--- a/modules/presets/common.nix
+++ b/modules/presets/common.nix
@ -0,0 +1,17 @@
 {
  pkgs,
  config,
  lib,
  ...
 }:
 let
  cfg = config.xyno.common;
 in
 {
  options.xyno.common.enable = lib.mkEnableOption "enables common settings";
  config = lib.mkIf cfg.enable {
    boot.initrd.systemd.enable = true;
    hardware.keyboard.zsa.enable = true;
    programs.nh.enable = true;
  };
 }
--- a/modules/presets/gui.nix
+++ b/modules/presets/gui.nix
@ -16,7 +16,8 @@ in
  config = lib.mkIf cfg.enable {
    xyno.desktop.niri.enable = true;
    xyno.desktop.audio.enable = lib.mkDefault true;
-    xyno.desktop.mate-polkit.enable = true;
+    security.soteria.enable = true;
    security.rtkit.enable = true;
    xyno.hardware.kmonad.enable = true;
    # wayland on electron
    environment.sessionVariables.NIXOS_OZONE_WL = "1";
@ -31,7 +32,19 @@ in
    qt = {
      enable = true;
      style = "breeze";
-      platformTheme = "kde";
+      platformTheme = "lxqt";
    };
    programs.yazi = {
      settings.keymap.manager.prepend_keymap = [
        {
          on = "y";
          run = [
            ''shell -- for path in "$@"; do echo "file://$path"; done | ${pkgs.wl-clipboard-rs}/bin/wl-copy -t text/uri-list''
            "yank"
          ];
        }
      ];
    };
    # setup printing
@ -42,11 +55,14 @@ in
      openFirewall = true;
    };
    services.printing.enable = true;
    services.printing.stateless = true;
    services.system-config-printer.enable = true;
    # enable the gnome shit
    services.gnome.gnome-keyring.enable = true;
    services.gnome.gnome-online-accounts.enable = true;
    services.gnome.core-utilities.enable = true;
    services.gnome.gcr-ssh-agent.enable = lib.mkForce false;
    services.gnome.sushi.enable = true;
    services.gnome.gnome-settings-daemon.enable = true;
    services.gvfs.enable = true;
@ -55,33 +71,34 @@ in
      enable = true;
      settings.default = [ "foot.desktop" ];
    };
    xdg.portal.xdgOpenUsePortal = true;
    environment.sessionVariables.GTK_USE_PORTAL = "1";
-    home-manager.users.${config.xyno.system.user.name} =
+    # home-manager.users.${config.xyno.system.user.name} =
-      { pkgs, ... }:
+    #   { pkgs, ... }:
-      {
+    #   {
-        xdg.mimeApps = {
+    #     xdg.mimeApps = {
-          enable = true;
+    #       enable = true;
-          defaultApplications = {
+    #       defaultApplications = {
-            "x-scheme-handler/mailto" = [ "aerc.desktop" ];
+    #         "x-scheme-handler/mailto" = [ "aerc.desktop" ];
-            "inode/directory" = [ "org.gnome.Nautilus.desktop" ];
+    #         "inode/directory" = [ "org.gnome.Nautilus.desktop" ];
-            "application/x-gnome-saved-search" = [ "org.gnome.Nautilus.desktop" ];
+    #         "application/x-gnome-saved-search" = [ "org.gnome.Nautilus.desktop" ];
-            "x-scheme-handler/http" = "userapp-Zen-D2P132.desktop";
+    #         "x-scheme-handler/http" = "userapp-Zen-D2P132.desktop";
-            "x-scheme-handler/https" = "userapp-Zen-D2P132.desktop";
+    #         "x-scheme-handler/https" = "userapp-Zen-D2P132.desktop";
-            "x-scheme-handler/chrome" = "userapp-Zen-D2P132.desktop";
+    #         "x-scheme-handler/chrome" = "userapp-Zen-D2P132.desktop";
-            "text/html" = "userapp-Zen-D2P132.desktop";
+    #         "text/html" = "userapp-Zen-D2P132.desktop";
-            "application/x-extension-htm" = "userapp-Zen-D2P132.desktop";
+    #         "application/x-extension-htm" = "userapp-Zen-D2P132.desktop";
-            "application/x-extension-html" = "userapp-Zen-D2P132.desktop";
+    #         "application/x-extension-html" = "userapp-Zen-D2P132.desktop";
-            "application/x-extension-shtml" = "userapp-Zen-D2P132.desktop";
+    #         "application/x-extension-shtml" = "userapp-Zen-D2P132.desktop";
-            "application/xhtml+xml" = "userapp-Zen-D2P132.desktop";
+    #         "application/xhtml+xml" = "userapp-Zen-D2P132.desktop";
-            "application/x-extension-xhtml" = "userapp-Zen-D2P132.desktop";
+    #         "application/x-extension-xhtml" = "userapp-Zen-D2P132.desktop";
-            "application/x-extension-xht" = "userapp-Zen-D2P132.desktop";
+    #         "application/x-extension-xht" = "userapp-Zen-D2P132.desktop";
-            "application/pdf" = "org.gnome.Evince.desktop";
+    #         "application/pdf" = "org.gnome.Evince.desktop";
-          };
+    #       };
-        };
+    #     };
-      };
+    #   };
    environment.systemPackages = with pkgs; [
      kdePackages.breeze-gtk
@ -98,6 +115,7 @@ in
      source-code-pro # Default monospace font in 3.32
      source-sans
      b612
      lxqt.lxqt-config
    ];
--- a/modules/system/impermanence.nix
+++ b/modules/system/impermanence.nix
@ -0,0 +1,22 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 let
  cfg = config.xyno.impermanence;
 in
 {
  options.xyno.impermanence = {
    enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)";
    extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
    extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
  };
  config = lib.mkIf cfg.enable {
    imports = [ ]; # TODO
    impermanence.extraFiles = cfg.extraFiles;
    impermanence.extraDirectories = cfg.extraDirectories;
  };
 }
--- a/secrets/deploy-secrets.py
+++ b/secrets/deploy-secrets.py
@ -0,0 +1,51 @@
 #!/usr/bin/env python
 import subprocess
 import sys
 import argparse
 import json
 parser = argparse.ArgumentParser()
 parser.add_argument("flake")
 parser.add_argument("-f", "--force", action='store_true')
 args = parser.parse_args()
 NIX_OUTPUT_JSON_PATH = subprocess.run(["nix", "build", f"{args.flake}.config.xyno.secret-output", "--no-link")
 HOSTNAME = subprocess.run(["nix", "eval", f"{args.flake}.config.networking.hostName", "--raw"])
 nix_output_json
 with open(NIX_OUTPUT_JSON_PATH, "r") as f:
    nix_output_json = json.load(f)
 def run_ssh(command):
    return subprocess.run("ssh", HOSTNAME, command)
 def check_tpm():
    return run_ssh("systemd-analyze has-tpm2").returncode == 0
 def push_secret(secret_name, secret_content):
    if !args.force && secret_name in run_ssh("systemd-creds list"):
        print(f"[INFO] secret {secret_name} exists on target, skipping")
        print(f"[INFO] run with --force to skip")
        return
    command 
    if secret_content["random"] != null:
        command = f"openssl rand -hex {secret_content["random"]} | systemd-creds encrypt - {secret_name}"
    else if secret_content["ageFile"] != null:
        secret_output = subprocess.run(["rage", "-d", secret_content["ageFile"]])
        command = f"echo '{secret_output}' | systemd-creds encrypt - {secret_name}"
    else if secret_content["command"] != null:
        secret_output = subprocess.run(["sh", "-c", secret_content["command"]])
        command = f"echo '{secret_output}' | systemd-creds encrypt - {secret_name}"
    else:
        print(f"[ERROR] no secret content set for {secret_name}: {secret_content}")
        return
    run_ssh(command)
 for secret_name, secret_content in nix_output_json:
    push_secret(secret_name,secret_content)
--- a/secrets/nixos-module.nix
+++ b/secrets/nixos-module.nix
@ -0,0 +1,56 @@
 {
  pkgs,
  config,
  lib,
  ...
 }:
 with lib;
 let
  cfg = config.xyno.secrets;
  json = builtins.toJSON cfg;
 in
 {
  options.xyno.secret-output = lib.mkOption {
    type = types.str;
  };
  options.xyno.secrets = mkOption {
    type = types.attrsOf (
      types.submodule {
        options = {
          random = mkOption {
            type = types.nullOr types.int;
            default = null;
            description = ''
              have the secret be a random hex string with n bytes
            '';
          };
          ageFile = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = ''
              have the secret be a age encrypted file
            '';
          };
          command = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = ''
              have the secret be the output of a command (impure grrrrr)
            '';
          };
        };
      }
    );
  };
  config = {
    systemd.tpm2.enable = true;
    boot.initrd.systemd.tpm2.enable = true;
    # TODO: ensure secrets are loaded in activation script
    xyno.secret-output = pkgs.writeFile "xyno-secret.json" json;
    environment.systemPackages = [
      pkgs.openssl # needed for random secrets
    ];
  };
 }