viola: upstream

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-02-08 22:38:28 +03:00 · 2026-02-08 22:38:28 +03:00 · e6c9d19b0f
commit e6c9d19b0f
parent a50ae76a23
61 changed files with 492 additions and 244 deletions
--- a/viola/boot/initrd.nix
+++ b/viola/boot/initrd.nix
@ -1,4 +1,4 @@
-{lib, ...}: {
+_: {
  boot = {
    initrd = {
      availableKernelModules = [
@ -14,7 +14,6 @@
      supportedFilesystems = {
        vfat = true;
        btrfs = true;
-        zfs = lib.mkForce true;
      };

      systemd = {
--- a/viola/boot/kernel.nix
+++ b/viola/boot/kernel.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{config, ...}: {
  boot = {
    kernel = {
      sysctl = {
@ -16,7 +12,6 @@
      };
    };

-    kernelPackages = pkgs.linuxPackages_cachyos-server;
    extraModulePackages = with config.boot.kernelPackages; [
      rtl8821ce
      yt6801
@ -35,6 +30,7 @@
      "page_alloc.shuffle=1"
      "page_poison=1"
      "slab_nomerge"
+      "zswap.enabled=0"

      "kernel.watchdog=0"
      "oops=panic"
@ -73,7 +69,6 @@
    supportedFilesystems = {
      vfat = true;
      btrfs = true;
-      zfs = lib.mkForce true;
    };

    consoleLogLevel = 0;
--- a/viola/boot/lanzaboote.nix
+++ b/viola/boot/lanzaboote.nix
@ -1,7 +1,7 @@
-{...}: {
+_: {
  boot = {
    lanzaboote = {
-      enable = false;
+      enable = true;
      configurationLimit = 7;
      pkiBundle = "/var/lib/sbctl";
      settings = {
--- a/viola/boot/loader/systemd-boot.nix
+++ b/viola/boot/loader/systemd-boot.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  boot = {
    loader = {
      systemd-boot = {
--- a/viola/boot/tmp.nix
+++ b/viola/boot/tmp.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  boot = {
    tmp = {
      useTmpfs = true;
--- a/viola/boot/zfs.nix
+++ b/viola/boot/zfs.nix
@ -1,9 +0,0 @@
-{...}: {
-  boot = {
-    zfs = {
-      package = pkgs.zfs_cachyos;
-      allowHibernation = false;
-      removeLinuxDRM = false;
-    };
-  };
-}
--- a/viola/console/console.nix
+++ b/viola/console/console.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  console = {
    useXkbConfig = true;
  };
--- a/viola/default.nix
+++ b/viola/default.nix
@ -6,7 +6,6 @@
    "${self}/viola/boot/plymouth.nix"
    "${self}/viola/boot/tmp.nix"
    "${self}/viola/boot/loader/systemd-boot.nix"
-    "${self}/viola/boot/zfs.nix"

    "${self}/viola/disko/disk.nix"
    "${self}/viola/disko/lvm_vg.nix"
@ -60,14 +59,19 @@
    "${self}/viola/services/netbird.nix"
    "${self}/viola/services/scx.nix"
    "${self}/viola/services/xserver.nix"
-    "${self}/viola/services/zapret.nix"
-    "${self}/viola/services/zerotier.nix"
    "${self}/viola/services/usbmuxd.nix"
    "${self}/viola/services/irqbalance.nix"
    "${self}/viola/services/forgejo.nix"
+    "${self}/viola/services/postgresql.nix"
+    "${self}/viola/services/vaultwarden.nix"
    "${self}/viola/services/privatebin.nix"
+    "${self}/viola/services/woodpecker.nix"
+    "${self}/viola/services/stalwart.nix"
    "${self}/viola/services/homepage.nix"
+    "${self}/viola/services/redis.nix"
    "${self}/viola/services/zitadel.nix"
+    "${self}/viola/services/garage.nix"
+
    "${self}/viola/sops/defaults.nix"
    "${self}/viola/sops/secrets.nix"

--- a/viola/environment/systemPackages.nix
+++ b/viola/environment/systemPackages.nix
@ -10,5 +10,7 @@
      uutils-diffutils
      home-manager
    ];
+
+    enableAllTerminfo = false;
  };
 }
--- a/viola/environment/variables.nix
+++ b/viola/environment/variables.nix
@ -13,7 +13,5 @@
      GRIMBLAST_HIDE_CURSOR = "0";
      TERM = "xterm-256color";
    };
-
-    enableAllTerminfo = true;
  };
 }
--- a/viola/hardware/cpu.nix
+++ b/viola/hardware/cpu.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  hardware = {
    enableRedistributableFirmware = true;
    cpu = {
--- a/viola/hardware/graphics.nix
+++ b/viola/hardware/graphics.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  hardware = {
    graphics = {
      enable = true;
--- a/viola/hardware/zram.nix
+++ b/viola/hardware/zram.nix
@ -1,8 +1,8 @@
-{...}: {
+_: {
  zramSwap = {
    enable = true;
    algorithm = "zstd";
    priority = 100;
-    memoryPercent = 100;
+    memoryPercent = 200;
  };
 }
--- a/viola/home-manager/users.nix
+++ b/viola/home-manager/users.nix
@ -1,19 +1,16 @@
-{
-  inputs,
-  self,
-  ...
-}: {
+{self, ...}: {
  home-manager = {
    users = {
-      hand7s = {
+      "hand7s" = {
        imports = [
          "${self}/hand7s/"
-          inputs.spicetify-nix.homeManagerModules.default
-          inputs.hyprland.homeManagerModules.default
-          inputs.chaotic.homeManagerModules.default
-          inputs.sops-nix.homeManagerModules.sops
+          self.inputs.agenix.homeManagerModules.default
+          self.inputs.spicetify-nix.homeManagerModules.default
+          self.inputs.hyprland.homeManagerModules.default
+          self.inputs.chaotic.homeManagerModules.default
+          self.inputs.sops-nix.homeManagerModules.sops

-          inputs.nix-index-database.homeModules.nix-index
+          self.inputs.nix-index-database.homeModules.nix-index
        ];
      };
    };
@ -22,7 +19,6 @@

    extraSpecialArgs = {
      inherit
-        inputs
        self
        ;
    };
--- a/viola/i18n/locales.nix
+++ b/viola/i18n/locales.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = [
--- a/viola/networking/firewall.nix
+++ b/viola/networking/firewall.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  networking = {
    firewall = {
      allowPing = true;
@ -8,18 +8,48 @@
        80
        8080
        8443
+        8980
        53350
        53351
        53353
+
+        # mc
+        25565
+
+        # mail
+        24
+        25
+        110
+        143
+        465
+        587
+        993
+        995
+        4190
      ];

      allowedTCPPorts = [
        80
        8080
        8443
+        8980
        53350
        53351
        53353
+
+        # mc
+        25565
+
+        # mail
+        24
+        25
+        110
+        143
+        465
+        587
+        993
+        995
+        4190
      ];
    };
  };
--- a/viola/networking/hostId.nix
+++ b/viola/networking/hostId.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  networking = {
    hostId = "5c79d46a";
  };
--- a/viola/networking/hostname.nix
+++ b/viola/networking/hostname.nix
@ -1,5 +1,5 @@
-{...}: {
+_: {
  networking = {
-    hostName = "s0meMiniPC-nix";
+    hostName = "viola";
  };
 }
--- a/viola/networking/hosts.nix
+++ b/viola/networking/hosts.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  networking = {
    hosts = {
      # nope
--- a/viola/networking/interfaces.nix
+++ b/viola/networking/interfaces.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  networking = {
    firewall = {
      interfaces = {
@ -8,6 +8,7 @@
            6969
            8080
            8443
+            8980
            53350
            53351
            53352
@ -18,6 +19,7 @@
            6969
            8080
            8443
+            8980
            53350
            53351
            53352
--- a/viola/networking/nameservers.nix
+++ b/viola/networking/nameservers.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  networking = {
    nameservers = [
      # cf dns
--- a/viola/networking/networkmanager.nix
+++ b/viola/networking/networkmanager.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  networking = {
    networkmanager = {
      enable = false;
--- a/viola/networking/timeServers.nix
+++ b/viola/networking/timeServers.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  networking = {
    timeServers = [
      "0.nixos.pool.ntp.org"
--- a/viola/networking/wireguard.nix
+++ b/viola/networking/wireguard.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  networking = {
    wireguard = {
      enable = true;
--- a/viola/nix/settings/allowed-users.nix
+++ b/viola/nix/settings/allowed-users.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nix = {
    settings = {
      sandbox = true;
--- a/viola/nix/settings/auto-optimise-store.nix
+++ b/viola/nix/settings/auto-optimise-store.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nix = {
    settings = {
      auto-optimise-store = true;
--- a/viola/nix/settings/experimental-features.nix
+++ b/viola/nix/settings/experimental-features.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nix = {
    settings = {
      experimental-features = [
--- a/viola/nix/settings/substituters.nix
+++ b/viola/nix/settings/substituters.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nix = {
    settings = {
      substituters = [
@ -9,10 +9,10 @@
        # cachix
        "https://nix-community.cachix.org/"
        "https://chaotic-nyx.cachix.org/"
-        "https://ags.cachix.org"
        "https://hyprland.cachix.org"
        "https://chaotic-nyx.cachix.org/"
-        "https://colmena.cachix.org"
+        # nix-community
+        "https://hydra.nix-community.org/"
      ];
    };
  };
--- a/viola/nix/settings/trusted-public-keys.nix
+++ b/viola/nix/settings/trusted-public-keys.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nix = {
    settings = {
      trusted-public-keys = [
--- a/viola/nix/settings/trusted-users.nix
+++ b/viola/nix/settings/trusted-users.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nix = {
    settings = {
      trusted-users = [
--- a/viola/nixpkgs/config.nix
+++ b/viola/nixpkgs/config.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nixpkgs = {
    config = {
      allowUnfree = true;
--- a/viola/nixpkgs/overlays.nix
+++ b/viola/nixpkgs/overlays.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nixpkgs = {
    overlays = [
    ];
--- a/viola/nixpkgs/system.nix
+++ b/viola/nixpkgs/system.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  nixpkgs = {
    system = "x86_64-linux";
    hostPlatform = "x86_64-linux";
--- a/viola/programs/nh.nix
+++ b/viola/programs/nh.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  programs = {
    nh = {
      enable = true;
--- a/viola/programs/ssh.nix
+++ b/viola/programs/ssh.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  programs = {
    ssh = {
      startAgent = true;
--- a/viola/security/polkit.nix
+++ b/viola/security/polkit.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  security = {
    polkit = {
      enable = true;
--- a/viola/security/rtkit.nix
+++ b/viola/security/rtkit.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  security = {
    rtkit = {
      enable = true;
--- a/viola/security/sudo-rs.nix
+++ b/viola/security/sudo-rs.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  security = {
    sudo-rs = {
      enable = true;
--- a/viola/services/garage.nix
+++ b/viola/services/garage.nix
@ -0,0 +1,12 @@
+{pkgs, ...}: {
+  services = {
+    garage = {
+      enable = true;
+      package = pkgs.garage;
+      logLevel = "error";
+      settings = {
+        # nope
+      };
+    };
+  };
+}
--- a/viola/services/irqbalance.nix
+++ b/viola/services/irqbalance.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  services = {
    irqbalance = {
      enable = true;
--- a/viola/services/libinput.nix
+++ b/viola/services/libinput.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  services = {
    libinput = {
      enable = true;
--- a/viola/services/netbird.nix
+++ b/viola/services/netbird.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  services = {
    netbird = {
      enable = true;
--- a/viola/services/pipewire.nix
+++ b/viola/services/pipewire.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  services = {
    pipewire = {
      enable = true;
--- a/viola/services/postgresql.nix
+++ b/viola/services/postgresql.nix
@ -0,0 +1,56 @@
+{pkgs, ...}: {
+  services = {
+    postgresql = {
+      enable = true;
+      enableTCPIP = true;
+      checkConfig = true;
+
+      ensureUsers = [
+        {
+          name = "forgejo";
+          ensureDBOwnership = true;
+        }
+
+        {
+          name = "vaultwarden";
+          ensureDBOwnership = true;
+        }
+
+        {
+          name = "woodpecker";
+          ensureDBOwnership = true;
+        }
+
+        {
+          name = "zitadel";
+          ensureDBOwnership = true;
+          ensureClauses = {
+            login = true;
+            superuser = true;
+          };
+        }
+
+        {
+          name = "stalwart";
+          ensureDBOwnership = true;
+        }
+      ];
+
+      ensureDatabases = [
+        "vaultwarden"
+        "forgejo"
+        "woodpecker"
+        "stalwart"
+        "zitadel"
+      ];
+
+      initialScript = ""; # nope
+ 
+      authentication = ""; #nope
+
+      settings = {
+        port = ${dbport};
+      };
+    };
+  };
+}
--- a/viola/services/redis.nix
+++ b/viola/services/redis.nix
@ -0,0 +1,152 @@
+{pkgs, ...}: {
+  services = {
+    redis = {
+      package = pkgs.valkey;
+      servers = {
+        "forgejo" = {
+          enable = true;
+          port = ${cacheport1};
+          logLevel = "warning";
+          databases = 16;
+          maxclients = 10000;
+          requirePass = ${cachepass1};
+
+          settings = {
+            stop-writes-on-bgsave-error = "yes";
+            rdbcompression = "yes";
+            rdbchecksum = "yes";
+
+            maxmemory = "1GB";
+            maxmemory-policy = "volatile-lru";
+            maxmemory-samples = 3;
+          };
+
+          save = [
+            [
+              900
+              1
+            ]
+
+            [
+              300
+              10
+            ]
+
+            [
+              60
+              1000
+            ]
+          ];
+        };
+
+        "woodpecker" = {
+          enable = false;
+          port = ${cacheport2};
+          logLevel = "warning";
+          databases = 16;
+          maxclients = 10000;
+          requirePass = ${cachepass2};
+
+          settings = {
+            stop-writes-on-bgsave-error = "yes";
+            rdbcompression = "yes";
+            rdbchecksum = "yes";
+
+            maxmemory = "1GB";
+            maxmemory-policy = "volatile-lru";
+            maxmemory-samples = 3;
+          };
+
+          save = [
+            [
+              900
+              1
+            ]
+
+            [
+              300
+              10
+            ]
+
+            [
+              60
+              1000
+            ]
+          ];
+        };
+
+        "stalwart" = {
+          enable = true;
+          port = ${cacheport3};
+          logLevel = "warning";
+          databases = 16;
+          maxclients = 10000;
+          requirePass = ${cachepass3};
+
+          settings = {
+            stop-writes-on-bgsave-error = "yes";
+            rdbcompression = "yes";
+            rdbchecksum = "yes";
+
+            maxmemory = "1GB";
+            maxmemory-policy = "volatile-lru";
+            maxmemory-samples = 3;
+          };
+
+          save = [
+            [
+              900
+              1
+            ]
+
+            [
+              300
+              10
+            ]
+
+            [
+              60
+              1000
+            ]
+          ];
+        };
+
+        "zitadel" = {
+          enable = true;
+          port = ${cacheport4};
+          logLevel = "warning";
+          databases = 16;
+          maxclients = 10000;
+          requirePass = ${cachepass4};
+
+          settings = {
+            stop-writes-on-bgsave-error = "yes";
+            rdbcompression = "yes";
+            rdbchecksum = "yes";
+
+            maxmemory = "1GB";
+            maxmemory-policy = "volatile-lru";
+            maxmemory-samples = 3;
+          };
+
+          save = [
+            [
+              900
+              1
+            ]
+
+            [
+              300
+              10
+            ]
+
+            [
+              60
+              1000
+            ]
+          ];
+        };
+      };
+    };
+  };
+}
--- a/viola/services/scx.nix
+++ b/viola/services/scx.nix
@ -1,8 +1,7 @@
-{...}: {
+_: {
  services = {
    scx = {
      enable = true;
-      # package = pkgs.scx_git.full;
      scheduler = "scx_lavd";
    };
  };
--- a/viola/services/stalwart.nix
+++ b/viola/services/stalwart.nix
@ -0,0 +1,135 @@
+_: {
+  services = {
+    stalwart-mail = {
+      enable = true;
+      settings = {
+        acme = {
+          "cloudflare" = {
+            default = true;
+            challenge = "dns-01";
+            provider = "cloudflare";
+            origin = "hand7s.org";
+            secret = ${mail_secret};
+            contact = [
+              "me@hand7s.org"
+            ];
+
+            email = "me@hand7s.org";
+            directory = "https://acme-staging-v02.api.letsencrypt.org/directory";
+            domains = [
+              "mail.hand7s.org"
+            ];
+          };
+        };
+
+        server = {
+          hostname = "mail.hand7s.org";
+
+          proxy = {
+            trusted-networks = [
+              "::1"
+              "100.109.213.170/16"
+            ];
+          };
+
+          listener = {
+            "lmtp" = {
+              bind = "[::]:24";
+              protocol = "lmtp";
+            };
+
+            "smtp" = {
+              bind = "[::]:25";
+              protocol = "smtp";
+            };
+
+            "pop3" = {
+              bind = "[::]:110";
+              protocol = "pop3";
+            };
+
+            "imap" = {
+              bind = "[::]:143";
+              protocol = "imap";
+            };
+
+            "submissions" = {
+              bind = "[::]:465";
+              protocol = "smtp";
+            };
+
+            "submission" = {
+              bind = "[::]:587";
+              protocol = "smtp";
+            };
+
+            "imaptls" = {
+              bind = "[::]:993";
+              protocol = "smtp";
+            };
+
+            "pop3s" = {
+              bind = "[::]:995";
+              protocol = "pop3";
+            };
+
+            "sieve" = {
+              bind = "[::]:4190";
+              protocol = "managesieve";
+            };
+
+            "management" = {
+              protocol = "http";
+              bind = [
+                "127.0.0.1:8980"
+              ];
+            };
+          };
+        };
+
+        lookup = {
+          default = {
+            hostname = "mail.hand7s.org";
+            domain = "hand7s.org";
+          };
+        };
+
+        storage = {
+          data = "postgresql";
+          blob = "s3";
+          fts = "postgresql";
+          lookup = "redis";
+        };
+
+        store = {
+          # nope
+          # i'm not redacting my main config
+          # here to show it here
+          # refer to stalwart mail
+          # ty
+        };
+
+        authentication = {
+          fallback-admin = {
+            user = "admin";
+            secret = "admin";
+          };
+        };
+
+        tracer = {
+          journal = {
+            enable = true;
+            type = "journal";
+            level = "debug";
+          };
+
+          console = {
+            enable = true;
+            type = "console";
+            level = "trace";
+          };
+        };
+      };
+    };
+  };
+}
--- a/viola/services/vaultwarden.nix
+++ b/viola/services/vaultwarden.nix
@ -0,0 +1,12 @@
+_: {
+  services = {
+    vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      config = {
+        # holy private thing
+        # im NOT sharing it here
+      };
+    };
+  };
+}
--- a/viola/services/woodpecker.nix
+++ b/viola/services/woodpecker.nix
@ -0,0 +1,20 @@
+_: {
+  services = {
+    woodpecker-server = {
+      enable = false;
+      environment = {
+        WOODPECKER_OPEN = "true";
+        WOODPECKER_DATABASE_DRIVER = "postgres";
+        WOODPECKER_DATABASE_DATASOURCE = ${pqsql_socket};
+        WOODPECKER_SERVER_ADDR = ${ciport1};
+        WOODPECKER_GRPC_ADDR = ${ciport1};
+        WOODPECKER_HOST = "https://cicd.hand7s.org";
+
+        WOODPECKER_FORGEJO = "true";
+        WOODPECKER_FORGEJO_URL = "https://git.hand7s.org";
+        WOODPECKER_FORGEJO_CLIENT = ${cisecret1};
+        FORGEJO_SECRET = ${cisecret2};
+      };
+    };
+  };
+}
--- a/viola/services/zapret.nix
+++ b/viola/services/zapret.nix
@ -1,145 +0,0 @@
-{...}: {
-  services = {
-    zapret = {
-      enable = true;
-      configureFirewall = true;
-      qnum = 350;
-      params = [
-        "--wssize 1:6"
-
-        "--filter-tcp=80"
-        "--dpi-desync=multisplit"
-        "--dpi-desync-split-pos=10"
-        "--dpi-desync-repeats=6"
-        "--new"
-
-        "--filter-tcp=443"
-        "--dpi-desync=multidisorder"
-        "--dpi-desync-split-pos=1,midsld"
-        "--new"
-
-        "--filter-tcp=443"
-        "--dpi-desync=syndata"
-        "--dpi-desync-fake-syndata=0x00000000"
-        "--dpi-desync-ttl=10"
-        "--new"
-
-        "--filter-udp=443"
-        "--dpi-desync=fake"
-        "--dpi-desync-repeats=6"
-        "--dpi-desync-fake-quic=0x00000000"
-        "--new"
-
-        "--filter-udp=443"
-        "--dpi-desync=fake,udplen"
-        "--dpi-desync-udplen-increment=5"
-        "--dpi-desync-fake-tls=0x00000000"
-        "--dpi-desync-cutoff=n3"
-        "--dpi-desync-repeats=2"
-        "--new"
-
-        "--filter-tcp=443"
-        "--dpi-desync=split"
-        "--dpi-desync-fooling=md5sig,badseq"
-        "--dpi-desync-fake-tls=0x00000000"
-        "--dpi-desync-split-pos=1"
-        "--dpi-desync-repeats=10"
-        "--new"
-
-        "--filter-tcp=443"
-        "--dpi-desync=fake,split2"
-        "--dpi-desync-fooling=md5sig"
-        "--dpi-desync-fake-tls=0x00000000"
-        "--dpi-desync-split-seqovl=2"
-        "--dpi-desync-split-pos=2"
-
-        "--dpi-desync-autottl"
-        "--new"
-        "--filter-tcp=443"
-        "--dpi-desync=fake,split2"
-        "--dpi-desync-fooling=md5sig"
-        "--dpi-desync-fake-tls=0x00000000"
-        "--dpi-desync-split-seqovl=2"
-        "--dpi-desync-split-pos=2"
-        "--dpi-desync-autottl"
-        "--new"
-
-        "--filter-tcp=80"
-        "--dpi-desync=fake,split2"
-        "--dpi-desync-fooling=md5sig"
-        "--dpi-desync-fake-tls=0x00000000"
-        "--dpi-desync-autottl"
-        "--new"
-
-        "--filter-tcp=80"
-        "--dpi-desync-ttl=1"
-        "--dpi-desync-autottl=2"
-        "--dpi-desync-fake-tls=0x00000000"
-        "--dpi-desync-split-pos=1"
-        "--dpi-desync=fake,split2"
-        "--dpi-desync-repeats=6"
-        "--dpi-desync-fooling=md5sig"
-        "--new"
-      ];
-
-      whitelist = [
-        "googlevideo.com"
-        "youtu.be"
-        "youtube.com"
-        "youtubei.googleapis.com"
-        "googlevideo.com"
-        "youtu.be"
-        "youtube.com"
-        "youtubei.googleapis.com"
-        "youtubeembeddedplayer.googleapis.com"
-        "ytimg.l.google.com"
-        "ytimg.com"
-        "jnn-pa.googleapis.com"
-        "youtube-nocookie.com"
-        "youtube-ui.l.google.com"
-        "yt-video-upload.l.google.com"
-        "wide-youtube.l.google.com"
-        "youtubekids.com"
-        "ggpht.com"
-        "music.youtube.com"
-        "test.googlevideo.com"
-        "discord.com"
-        "gateway.discord.gg"
-        "cdn.discordapp.com"
-        "discordapp.net"
-        "discordapp.com"
-        "discord.gg"
-        "media.discordapp.net"
-        "images-ext-1.discordapp.net"
-        "discord.app"
-        "discord.media"
-        "discordcdn.com"
-        "discord.dev"
-        "discord.new"
-        "discord.gift"
-        "discordstatus.com"
-        "dis.gd"
-        "discord.co"
-        "discord-attachments-uploads-prd.storage.googleapis.com"
-        "7tv.app"
-        "7tv.io"
-        "10tv.app"
-        "x.com"
-        "t.co"
-        "ads-twitter.com"
-        "twimg.com"
-        "twitter.com"
-        "pscp.tv"
-        "twtrdns.net"
-        "twttr.com"
-        "periscope.tv"
-        "tweetdeck.com"
-        "twitpic.com"
-        "twitter.co"
-        "twitterinc.com"
-        "twitteroauth.com"
-        "twitterstat.us"
-      ];
-    };
-  };
-}
--- a/viola/services/zerotier.nix
+++ b/viola/services/zerotier.nix
@ -1,10 +0,0 @@
-{...}: {
-  services = {
-    zerotierone = {
-      enable = false;
-      joinNetworks = [
-        # nope
-      ];
-    };
-  };
-}
--- a/viola/systemd/oomd.nix
+++ b/viola/systemd/oomd.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  systemd = {
    oomd = {
      enable = true;
--- a/viola/systemd/slices/root-slice.nix
+++ b/viola/systemd/slices/root-slice.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  systemd = {
    slices = {
      root = {
--- a/viola/systemd/slices/system-slice.nix
+++ b/viola/systemd/slices/system-slice.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  systemd = {
    slices = {
      system = {
--- a/viola/systemd/slices/user-slice.nix
+++ b/viola/systemd/slices/user-slice.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  systemd = {
    slices = {
      user = {
--- a/viola/time/timeZone.nix
+++ b/viola/time/timeZone.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  time = {
    timeZone = "Europe/Moscow";
    hardwareClockInLocalTime = true;
--- a/viola/users/mutableUsers.nix
+++ b/viola/users/mutableUsers.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  users = {
    mutableUsers = false;
  };
--- a/viola/users/users/hand7s.nix
+++ b/viola/users/users/hand7s.nix
@ -1,14 +1,13 @@
-{...}: {
+_: {
  users = {
    users = {
-      hand7s = {
+      "hand7s" = {
        description = "me";
        isSystemUser = false;
        isNormalUser = true;
        initialHashedPassword = "$6$ckgRhNWmJgSwOUpJ$kfeAdokd5fa76HWbTmWN2YXx4M/PQVOTJku1ODbqbBhEkUFiLftdaJFRnNXfIM3Jtz0ShoRMSVCB7mDkxDrdi/";
        extraGroups = [
          "wheel"
-          "networkmanager"
          "docker"
        ];
      };
--- a/viola/users/users/root.nix
+++ b/viola/users/users/root.nix
@ -1,7 +1,7 @@
-{...}: {
+_: {
  users = {
    users = {
-      root = {
+      "root" = {
        initialHashedPassword = "$6$n4OLMvYHHStHvtmr$6OL0NV1dEM2b6oJRewkhuoFxM80lI67tfbJ6QkCg8WAA1gbeKrcwDAuJjm8zvpY4zcDR3Z5Zbo8uebfOi6XXF0";
      };
    };
--- a/viola/virtualisation/docker.nix
+++ b/viola/virtualisation/docker.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  virtualisation = {
    docker = {
      enable = true;