From 3ed643bd1e2283057e663f1dec15229ad068aa2d Mon Sep 17 00:00:00 2001 From: Dmitriy Kholkin Date: Thu, 26 Jan 2023 00:23:55 +0300 Subject: [PATCH] various updates --- machines/AMD-Workstation/default.nix | 4 +- machines/Flakes-ISO/default.nix | 24 +++++- patches/mullvad-exclude-containers.patch | 50 ++++++++++++ patches/update.patch | 64 ---------------- profiles/applications/nnn.nix | 20 +++++ profiles/applications/packages.nix | 18 +---- profiles/applications/tor-browser.nix | 2 +- profiles/applications/vscode/default.nix | 97 ++++++++++-------------- profiles/mullvad.nix | 47 ------------ profiles/overlay.nix | 4 +- profiles/packages/protonhax.nix | 27 +++++++ profiles/security.nix | 23 +++--- profiles/servers/firefox-syncserver.nix | 27 +++++++ profiles/servers/headscale.nix | 24 ++++++ profiles/servers/joplin-server.nix | 33 +++++--- profiles/virtualisation.nix | 18 ++++- profiles/workspace/aria2.nix | 17 +++++ profiles/workspace/nix-index.nix | 1 + roles/base.nix | 1 + roles/container.nix | 2 + roles/desktop.nix | 3 +- roles/hypervisor.nix | 3 + 22 files changed, 293 insertions(+), 216 deletions(-) create mode 100644 patches/mullvad-exclude-containers.patch delete mode 100644 patches/update.patch create mode 100644 profiles/applications/nnn.nix delete mode 100644 profiles/mullvad.nix create mode 100644 profiles/packages/protonhax.nix create mode 100644 profiles/servers/firefox-syncserver.nix create mode 100644 profiles/servers/headscale.nix create mode 100644 profiles/workspace/aria2.nix diff --git a/machines/AMD-Workstation/default.nix b/machines/AMD-Workstation/default.nix index 08a2363..57972a5 100644 --- a/machines/AMD-Workstation/default.nix +++ b/machines/AMD-Workstation/default.nix @@ -39,6 +39,8 @@ hardware.video.hidpi.enable = lib.mkForce false; hardware.firmware = [ pkgs.rtl8761b-firmware ]; + networking.firewall.allowedTCPPorts = [ 52736 ]; + secrets.files-veracrypt = {}; environment.etc.crypttab = { text = '' 
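Review bot: The new `networking.firewall.allowedTCPPorts = [ 52736 ];` in the AMD-Workstation hunk opens a port with nothing in the change saying which listener it belongs to, so the next reader cannot tell whether the rule is still needed or whether the service it serves is even enabled on this host. Prefer tying it to the service's own option (`[ config.services.<name>.port ]` behind `lib.mkIf config.services.<name>.enable`) or at least `# 52736: <service>, see profiles/...` so a stale rule is noticeable. It is also unconditional: the port is exposed on every network the workstation joins, not only the home LAN.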
@@ -79,7 +81,7 @@ home.stateVersion = "21.11"; }; - system.stateVersion = "21.11"; + system.stateVersion = "22.11"; # VFIO Passthough # virtualisation = { diff --git a/machines/Flakes-ISO/default.nix b/machines/Flakes-ISO/default.nix index 0005734..6ede056 100644 --- a/machines/Flakes-ISO/default.nix +++ b/machines/Flakes-ISO/default.nix @@ -1,10 +1,13 @@ -{ modulesPath, lib, inputs, pkgs, ... }: { +{ modulesPath, lib, inputs, pkgs, config, ... }: { imports = with inputs.self; [ "${toString modulesPath}/installer/cd-dvd/installation-cd-graphical-plasma5.nix" + ../../modules/autoinstall/default.nix + ../Home-Hypervisor/autoinstall.nix ]; options = { device = lib.mkOption { type = lib.types.str; }; + mainuser = lib.mkOption { type = lib.types.str; }; }; config = { @@ -40,5 +43,24 @@ }; environment.etc.nixpkgs.source = inputs.nixpkgs; environment.etc.self.source = inputs.self; + + services.openssh = { + enable = true; + passwordAuthentication = true; + permitRootLogin = "yes"; + forwardX11 = true; + extraConfig = "StreamLocalBindUnlink yes"; + ports = [ 22 ]; + }; + + users.users.nixos.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 (none)" + "ssh-rsa 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 alukard@AMD-Workstation" + ]; + + # isoImage.contents = [{ + # source = ../..; + # target = "/home/nixos/nixos-config"; + # }]; }; } \ No newline at end of file diff --git a/patches/mullvad-exclude-containers.patch b/patches/mullvad-exclude-containers.patch new file mode 100644 index 0000000..bc68777 --- /dev/null +++ b/patches/mullvad-exclude-containers.patch 
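Review bot: The `system.stateVersion` bump from `"21.11"` to `"22.11"` is applied to an already-installed machine (the hunk's `home.stateVersion = "21.11";` context stays at the old value), and NixOS documents this option as one to leave at the install-time value because it silently selects stateful defaults such as database versions and state paths. If specific 22.11 defaults are wanted, set them explicitly; otherwise revert to `"21.11"` so it stays consistent with `home.stateVersion`, and if the bump is deliberate a short `# bumped after migrating ...` comment would record why.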
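Review bot: In the Flakes-ISO `services.openssh` block, `passwordAuthentication = true;` and `permitRootLogin = "yes";` are enabled even though the same hunk already provisions `users.users.nixos.openssh.authorizedKeys.keys`, so the install medium accepts password logins, including for root, on whatever network it is booted on. The stock installer ISO leaves root and `nixos` with empty passwords, which sshd's default `PermitEmptyPasswords no` blocks, but any password set by the newly imported autoinstall modules (not visible here) or by hand becomes remotely guessable. Since keys are deployed anyway, `passwordAuthentication = false;` and `permitRootLogin = "prohibit-password";` (or `"no"`) cost nothing, and `forwardX11 = true;` plus `StreamLocalBindUnlink yes` look unnecessary for an installer and only widen what a compromised peer can do.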
@@ -0,0 +1,50 @@ +diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix +index e1e640c4474..1578f8680c8 100644 +--- a/nixos/modules/virtualisation/nixos-containers.nix ++++ b/nixos/modules/virtualisation/nixos-containers.nix +@@ -445,6 +445,7 @@ let + localAddress = null; + localAddress6 = null; + tmpfs = null; ++ mullvadExclude = false; + }; + + in +@@ -691,6 +692,14 @@ in + ''; + }; + ++ mullvadExclude = mkOption { ++ type = types.bool; ++ default = false; ++ description = lib.mdDoc '' ++ Start container with mullvad-exclude. ++ ''; ++ }; ++ + # Removed option. See `checkAssertion` below for the accompanying error message. + pkgs = mkOption { visible = false; }; + } // networkOptions; +@@ -767,6 +776,8 @@ in + + postStart = postStartScript dummyConfig; + ++ postStop = mkIf dummyConfig.mullvadExclude ""; ++ + restartIfChanged = false; + + serviceConfig = serviceDirectives dummyConfig; +@@ -797,7 +808,12 @@ in + recursiveUpdate unit { + preStart = preStartScript containerConfig; + script = startScript containerConfig; +- postStart = postStartScript containerConfig; ++ postStart = (if containerConfig.mullvadExclude then '' ++ ${config.services.mullvad-vpn.package}/bin/mullvad split-tunnel pid add $MAINPID ++ '' else "") + postStartScript containerConfig; ++ postStop = mkIf containerConfig.mullvadExclude '' ++ ${config.services.mullvad-vpn.package}/bin/mullvad split-tunnel pid delete $MAINPID ++ ''; + serviceConfig = serviceDirectives containerConfig; + unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "${stateDirectory}/%i"; + environment.root = if containerConfig.ephemeral then "/run/nixos-containers/%i" else "${stateDirectory}/%i"; diff --git a/patches/update.patch b/patches/update.patch deleted file mode 100644 index 66e566e..0000000 --- a/patches/update.patch +++ /dev/null 
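Review bot: The `postStop` added for real containers runs `mullvad split-tunnel pid delete $MAINPID`, but by the time `ExecStopPost` runs the container's main process has exited and systemd does not reliably expose `$MAINPID` there, so the command likely executes with an empty argument and fails (harmless, since the unit is already down, but it means the exclusion entry is never cleaned up). If the daemon prunes exited pids itself the hook can go; otherwise save the pid in `postStart` (for example under `$RUNTIME_DIRECTORY`) and delete that stored value. The `postStart` side hard-fails container start whenever `mullvad-daemon` is not running, which is fail-closed for an exclude rule and probably intended, but the option description should say so. `postStop = mkIf dummyConfig.mullvadExclude "";` on the dummy unit is dead code because the defaults block above forces `mullvadExclude = false`.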
@@ -1,64 +0,0 @@ -diff --git a/pkgs/applications/networking/mullvad-vpn/default.nix b/pkgs/applications/networking/mullvad-vpn/default.nix -index 0d79f41..e463f70 100644 ---- a/pkgs/applications/networking/mullvad-vpn/default.nix -+++ b/pkgs/applications/networking/mullvad-vpn/default.nix -@@ -43,11 +43,11 @@ in - - stdenv.mkDerivation rec { - pname = "mullvad-vpn"; -- version = "2022.4"; -+ version = "2022.5"; - - src = fetchurl { - url = "https://github.com/mullvad/mullvadvpn-app/releases/download/${version}/MullvadVPN-${version}_amd64.deb"; -- sha256 = "sha256-OwTtWzlZjHNFSN5/UjFJbcrPCv9+ucWYEL2idYjeozU="; -+ sha256 = "1sk7xizxs045r6b7wxdls6gvfyz3r1qxqir5nhcfk0mfpy8phw0v"; - }; - - nativeBuildInputs = [ -@@ -75,7 +75,6 @@ stdenv.mkDerivation rec { - mv opt/Mullvad\ VPN/* $out/share/mullvad - - ln -s $out/share/mullvad/mullvad-{gui,vpn} $out/bin/ -- ln -s $out/share/mullvad/resources/mullvad-daemon $out/bin/mullvad-daemon - ln -sf $out/share/mullvad/resources/mullvad-problem-report $out/bin/mullvad-problem-report - - wrapProgram $out/bin/mullvad-vpn --set MULLVAD_DISABLE_UPDATE_NOTIFICATION 1 -diff --git a/pkgs/applications/networking/mullvad/libwg.nix b/pkgs/applications/networking/mullvad/libwg.nix -index d54a2ca..287797f 100644 ---- a/pkgs/applications/networking/mullvad/libwg.nix -+++ b/pkgs/applications/networking/mullvad/libwg.nix -@@ -13,7 +13,7 @@ buildGoModule { - - sourceRoot = "source/wireguard/libwg"; - -- vendorSha256 = "qvymWCdJ+GY90W/Fpdp+r1+mTq6O4LyN2Yw/PjKdFm0="; -+ vendorSha256 = "QNde5BqkSuqp3VJQOhn7aG6XknRDZQ62PE3WGhEJ5LU="; - - # XXX: hack to make the ar archive go to the correct place - # This is necessary because passing `-o ...` to `ldflags` does not work -diff --git a/pkgs/applications/networking/mullvad/mullvad.nix b/pkgs/applications/networking/mullvad/mullvad.nix -index 65aeab2..b047562 100644 ---- a/pkgs/applications/networking/mullvad/mullvad.nix -+++ b/pkgs/applications/networking/mullvad/mullvad.nix -@@ -15,16 +15,16 @@ - }: - 
rustPlatform.buildRustPackage rec { - pname = "mullvad"; -- version = "2022.4"; -+ version = "2022.5"; - - src = fetchFromGitHub { - owner = "mullvad"; - repo = "mullvadvpn-app"; -- rev = version; -- hash = "sha256-s0Cmeh10lQUB5BK4i1qxkDy/ylx/3c6V66dxH+kcnLs="; -+ rev = "2022.5"; -+ sha256 = "1jd7wpz6pp1fa0y3cs99i7wdwcfwarp7zji6cv37y8h1w4nq89if"; - }; - -- cargoHash = "sha256-HPURL+CFUVLWRq8nzLiZxDhckgH76b6JBUObLGtoEEw="; -+ cargoHash = "sha256-KpBhdZce8Ug3ws7f1qg+5LtOMQw2Mf/uJsBg/TZSYyk="; - - nativeBuildInputs = [ - pkg-config diff --git a/profiles/applications/nnn.nix b/profiles/applications/nnn.nix new file mode 100644 index 0000000..a21d0f0 --- /dev/null +++ b/profiles/applications/nnn.nix @@ -0,0 +1,20 @@ +{ config, pkgs, lib, ... }: { + home-manager.users.${config.mainuser} = { + programs.nnn = { + enable = true; + package = pkgs.nnn.override ({ withNerdIcons = true; }); + # extraPackages = with pkgs; [ ffmpegthumbnailer mediainfo sxiv ]; + # bookmarks = { + # d = "~/Documents"; + # D = "~/Downloads"; + # p = "~/Pictures"; + # v = "~/Videos"; + # }; + # plugins = { }; + }; + + programs.zsh.shellAliases = { + "n" = "nnn -deE"; + }; + }; +} \ No newline at end of file diff --git a/profiles/applications/packages.nix b/profiles/applications/packages.nix index e833006..6908eda 100644 --- a/profiles/applications/packages.nix +++ b/profiles/applications/packages.nix @@ -15,13 +15,10 @@ with config.deviceSpecific; { glib.out # gptfdisk jq - kitti3 libqalculate lm_sensors lnav # nix-alien - nixfmt - nixpkgs-fmt nix-prefetch-git nix-index-update p7zip @@ -31,9 +28,8 @@ with config.deviceSpecific; { ripgrep ripgrep-all sd - statix tealdeer - # tidal-dl + translate-shell unzip usbutils wget @@ -42,13 +38,10 @@ with config.deviceSpecific; { # tui bottom - bpytop micro ncdu nix-tree - nnn procs - ranger # gui bitwarden 
@@ -57,30 +50,23 @@ with config.deviceSpecific; { discord feh foliate - gparted jellyfin-media-player joplin-desktop - networkmanagerapplet - # persepolis pinta qbittorrent qimgv - # quodlibet system-config-printer tdesktop xarchiver youtube-to-mpv zathura - # libsForQt5.networkmanager-qt xdg-utils # awesome-shell curlie duf zsh-z - - inputs.webcord.packages.${pkgs.hostPlatform.system}.default ] ++ lib.optionals (!(isVM || isISO)) [ audacity blueman @@ -91,7 +77,6 @@ with config.deviceSpecific; { scrcpy ] ++ lib.optionals isGaming [ ceserver - # ckan gamescope goverlay lutris @@ -101,6 +86,7 @@ with config.deviceSpecific; { reshade-shaders (retroarch.override { cores = [ libretro.genesis-plus-gx libretro.dosbox ]; }) parsec + protonhax protontricks vkBasalt wine diff --git a/profiles/applications/tor-browser.nix b/profiles/applications/tor-browser.nix index adc105d..80124b5 100644 --- a/profiles/applications/tor-browser.nix +++ b/profiles/applications/tor-browser.nix @@ -4,7 +4,7 @@ let mullvad-exclude ${pkgs.tor-browser-bundle-bin}/bin/tor-browser ''; in { - home-manager.users.${config.mainuser}.home.packages = if config.deviceSpecific.wireguard.enable then [ + home-manager.users.${config.mainuser}.home.packages = if config.deviceSpecific.vpn.mullvad.enable then [ tor-browser ] else [ pkgs.tor-browser-bundle-bin diff --git a/profiles/applications/vscode/default.nix b/profiles/applications/vscode/default.nix index f3913a7..006224d 100644 --- a/profiles/applications/vscode/default.nix +++ b/profiles/applications/vscode/default.nix 
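Review bot: The condition switch to `config.deviceSpecific.vpn.mullvad.enable` in tor-browser.nix keeps wrapping Tor Browser with `mullvad-exclude`, the setuid wrapper that `services.mullvad-vpn.enableExcludeWrapper` installs; that option lived in the now-deleted profiles/mullvad.nix and nothing in this diff re-enables it, so the alias depends on the new `vpn` profile (not shown) still providing the wrapper, and if it does not the failure only surfaces at runtime. The trust model also deserves a comment, because excluding Tor Browser means its circuits are built over the bare ISP link rather than over Mullvad, e.g. `# deliberately bypass Mullvad: Tor circuits must not be built over the VPN`.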
@@ -23,65 +23,44 @@ in package = pkgs.vscode; enableExtensionUpdateCheck = false; enableUpdateCheck = false; - extensions = - with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; - with inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx; - with pkgs.vscode-extensions; - let - vscode = inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; - open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx; - nixpkgs = pkgs.vscode-extensions; - in [ - (inputs.direnv-vscode.packages.${pkgs.system}.vsix.overrideAttrs (_: { - buildPhase = "yarn run build"; - installPhase = '' - mkdir -p $out/share/vscode/extensions/direnv.direnv-vscode - cp -R * $out/share/vscode/extensions/direnv.direnv-vscode - ''; - })) - (pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme) + extensions = let + vscode = inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; + open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx; + nixpkgs = pkgs.vscode-extensions; + in [ + (inputs.direnv-vscode.packages.${pkgs.system}.vsix.overrideAttrs (_: { + buildPhase = "yarn run build"; + installPhase = '' + mkdir -p $out/share/vscode/extensions/direnv.direnv-vscode + cp -R * $out/share/vscode/extensions/direnv.direnv-vscode + ''; + })) + (pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme) - vscode.aaron-bond.better-comments - vscode.alefragnani.bookmarks - vscode.alefragnani.project-manager - # vscode.arrterian.nix-env-selector - # vscode.bbenoist.nix - vscode.bungcip.better-toml - vscode.catppuccin.catppuccin-vsc - vscode.christian-kohler.path-intellisense - vscode.codezombiech.gitignore - vscode.dart-code.dart-code - # dlasagno.wal-theme - vscode.eamodio.gitlens-insiders - vscode.enkia.tokyo-night - vscode.equinusocio.vsc-material-theme-icons - vscode.felixangelov.bloc - vscode.github.vscode-pull-request-github - vscode.irongeek.vscode-env - vscode.jebbs.plantuml - 
vscode.jnoortheen.nix-ide - vscode.lucax88x.codeacejumper - vscode.marcelovelasquez.flutter-tree - vscode.mhutchie.git-graph - vscode.ms-azuretools.vscode-docker - vscode.ms-vscode-remote.remote-ssh - # vscode.ms-vscode-remote.remote-ssh-edit - ]; - # ++ [ (import ./extensions.nix).extensions ]; - # extensions = with pkgs.vscode-extensions; - # (map - # (extension: pkgs.vscode-utils.buildVscodeMarketplaceExtension { - # mktplcRef = { - # inherit (extension) name publisher version sha256; - # }; - # }) - # (import ./extensions.nix).extensions - # ); - # ++ [ - # arrterian.nix-env-selector - - # (pkgs.callPackage ./theme.nix { } config.lib.base16.theme) - # ]; + vscode.aaron-bond.better-comments + vscode.alefragnani.bookmarks + vscode.alefragnani.project-manager + vscode.bungcip.better-toml + vscode.catppuccin.catppuccin-vsc + vscode.christian-kohler.path-intellisense + vscode.codezombiech.gitignore + vscode.dart-code.dart-code + # dlasagno.wal-theme + vscode.eamodio.gitlens-insiders + vscode.enkia.tokyo-night + vscode.equinusocio.vsc-material-theme-icons + vscode.felixangelov.bloc + vscode.github.vscode-pull-request-github + vscode.irongeek.vscode-env + vscode.jebbs.plantuml + vscode.jnoortheen.nix-ide + vscode.lucax88x.codeacejumper + vscode.marcelovelasquez.flutter-tree + vscode.mhutchie.git-graph + vscode.ms-azuretools.vscode-docker + vscode.ms-vscode-remote.remote-ssh + nixpkgs.rust-lang.rust-analyzer + ]; # mutableExtensionsDir = false; userSettings = { "update.mode" = "none"; @@ -146,7 +125,7 @@ in "git.enableCommitSigning" = true; "git-graph.repository.sign.commits" = true; "git-graph.repository.sign.tags" = true; - # "editor.bracketPairColorization.enabled" = true; + # "editor.bracketPairColorization.enabled" = false; "editor.guides.bracketPairs" = "active"; "terminal.integrated.defaultProfile.linux" = "zsh"; "terminal.integrated.profiles.linux".zsh.path = "/run/current-system/sw/bin/zsh"; 
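Review bot: With the extension list now fully declarative, `# mutableExtensionsDir = false;` is still commented out, so extensions installed from the editor UI (unpinned, fetched at install time) continue to coexist with the flake-locked set from `nix-vscode-marketplace`; if the goal is to keep unreviewed extensions out, enable `mutableExtensionsDir = false;` and verify the direnv vsix built from source here still loads. Otherwise the rewrite is an improvement: the three overlapping `with` scopes are replaced by explicit `vscode.`/`nixpkgs.` prefixes, so the origin of each extension is now unambiguous. The enclosing `programs.vscode` block starts before the hunk.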
diff --git a/profiles/mullvad.nix b/profiles/mullvad.nix deleted file mode 100644 index be9063a..0000000 --- a/profiles/mullvad.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ pkgs, lib, config, ... }: -let - vpn = config.deviceSpecific.wireguard; -in { - config = lib.mkIf vpn.enable { - services.mullvad-vpn.enable = true; - services.mullvad-vpn.enableExcludeWrapper = true; - services.mullvad-vpn.package = pkgs.mullvad-vpn; - startupApplications = [ "${pkgs.mullvad-vpn}/share/mullvad/mullvad-gui" ]; - - services.tailscale = { - enable = true; - #interfaceName = "userspace-networking"; - interfaceName = "tailscale0"; - }; - systemd.services.tailscaled.serviceConfig.ExecStart = lib.mkForce [ - "" - "${pkgs.mullvad}/bin/mullvad-exclude ${pkgs.tailscale}/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=\${PORT} $FLAGS" - ]; - # FIXME: allow mullvad custom dns - networking.nftables.ruleset = let - resolver_addrs = "100.100.100.100"; - excluded_ipv4 = "100.64.0.1/10"; - excluded_ipv6 = "fd7a:115c:a1e0::/48"; - in '' - table inet mullvad-ts { - chain excludeOutgoing { - type route hook output priority 0; policy accept; - ip daddr ${excluded_ipv4} ct mark set 0x00000f41 meta mark set 0x6d6f6c65; - ip6 daddr ${excluded_ipv6} ct mark set 0x00000f41 meta mark set 0x6d6f6c65; - } - chain allow-incoming { - type filter hook input priority -100; policy accept; - iifname "${config.services.tailscale.interfaceName}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65; - } - chain excludeDns { - type filter hook output priority -10; policy accept; - ip daddr ${resolver_addrs} udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65; - ip daddr ${resolver_addrs} tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65; - } - } - ''; - - persist.state.directories = [ "/var/lib/tailscale" ]; - persist.state.homeDirectories = [ ".config/Mullvad VPN" ]; - }; -} \ No newline at end of file 
diff --git a/profiles/overlay.nix b/profiles/overlay.nix index 37f0015..41484f2 100644 --- a/profiles/overlay.nix +++ b/profiles/overlay.nix @@ -31,9 +31,8 @@ with lib; { kitti3 = pkgs.python3Packages.callPackage ./packages/kitti3.nix { }; microbin = pkgs.callPackage ./packages/microbin-pkg { }; mpris-ctl = pkgs.callPackage ./packages/mpris-ctl.nix { }; - mullvad = master.mullvad; - mullvad-vpn = master.mullvad-vpn; parsec = pkgs.callPackage ./packages/parsec.nix { }; + protonhax = pkgs.callPackage ./packages/protonhax.nix { }; reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { }; rosepine-gtk-theme = pkgs.callPackage ./packages/rosepine-gtk-theme.nix { }; rosepine-icon-theme = pkgs.callPackage ./packages/rosepine-icon-theme.nix { }; @@ -44,7 +43,6 @@ with lib; { vscode = master.vscode; vscode-fhs = master.vscode-fhs; xonar-fp = pkgs.callPackage ./packages/xonar-fp.nix { }; - # xray-core = pkgs.callPackage ./packages/xray-core.nix { }; youtube-to-mpv = pkgs.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; }; vivaldi = master.vivaldi; steam = prev.steam.override { diff --git a/profiles/packages/protonhax.nix b/profiles/packages/protonhax.nix new file mode 100644 index 0000000..e2a47fa --- /dev/null +++ b/profiles/packages/protonhax.nix @@ -0,0 +1,27 @@ +{ stdenv, fetchFromGitHub, tinycc }: + + stdenv.mkDerivation rec { + pname = "protonhax"; + version = "1.0.4"; + + src = fetchFromGitHub { + owner = "jcnils"; + repo = pname; + rev = version; + hash = "sha256-3s1pmHcQy/xJS6ke0Td3tkXAhXcTuJ4mb3Dtpxb2/6o="; + }; + + buildPhase = '' + make + ''; + + installPhase = '' + install -d -m755 $out/bin + install -m755 protonhax $out/bin/protonhax + install -m755 envload $out/bin/envload + ''; + + nativeBuildInputs = [ + tinycc + ]; +} diff --git a/profiles/security.nix b/profiles/security.nix index c59f361..1b67cb6 100644 --- a/profiles/security.nix +++ b/profiles/security.nix 
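Review bot: Dropping `mullvad = master.mullvad;` and `mullvad-vpn = master.mullvad-vpn;` (together with the deleted update.patch that bumped them to 2022.5) means both packages now come from whatever the pinned stable nixpkgs carries, which may be older than what was running before. Since the new mullvad-exclude-containers.patch shells out to `mullvad split-tunnel pid add`, confirm the resulting version provides that sub-command and that the effective downgrade is intentional; a one-line comment on why the override was removed would save the next reader from re-deriving this.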
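Review bot: `installPhase` in the new protonhax.nix replaces the default phase without `runHook preInstall`/`runHook postInstall`, and `buildPhase = '' make ''` likewise drops `runHook preBuild`/`runHook postBuild`, so hooks from later overrides silently do not run; the default build phase already runs `make`, so `buildPhase` can simply be deleted. The derivation also has no `meta` (license, platforms, description), which matters for a tool fetched from a personal GitHub repository: `rev = version` points at a mutable tag and the pinned `hash` is the only thing guaranteeing the content, so add `meta.license` from upstream and a comment that the hash must be re-verified against the tag on every bump.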
@@ -35,7 +35,7 @@ with config.deviceSpecific; { }; # Safe, because we using doas users.allowNoPasswordLogin = true; - # FIXME + # FIXME: completely remove sudo security.sudo = { enable = true; extraRules = [{ @@ -49,17 +49,13 @@ with config.deviceSpecific; { } { command = "/run/current-system/sw/bin/nix-shell"; options = [ "SETENV" "NOPASSWD" ]; - }]; + } + # { + # command = "/run/current-system/sw/bin/deploy"; + # options = [ "SETENV" "NOPASSWD" ]; + # } + ]; }]; - # extraConfig = lib.concatStrings ['' - # ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/btrfs fi usage / - # '' - # (if (isLaptop) then '' - # ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp-stat - # ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp ac - # ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp bat - # '' else "") - # ]; }; security.doas = { enable = true; @@ -83,6 +79,11 @@ with config.deviceSpecific; { noPass = true; keepEnv = true; cmd = "/run/current-system/sw/bin/tlp-stat"; + } { + users = [ config.mainuser ]; + keepEnv = false; + cmd = "/run/current-system/sw/bin/podman"; + args = [ "build" ]; }]; }; systemd.services."user@" = { serviceConfig = { Restart = "always"; }; }; diff --git a/profiles/servers/firefox-syncserver.nix b/profiles/servers/firefox-syncserver.nix new file mode 100644 index 0000000..dd87ab9 --- /dev/null +++ b/profiles/servers/firefox-syncserver.nix 
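Review bot: The sudo hunk keeps the rule `command = "/run/current-system/sw/bin/nix-shell"; options = [ "SETENV" "NOPASSWD" ];` for the main user, which is effectively unrestricted passwordless root (`sudo nix-shell -p bash --run ...` executes anything), so the `# FIXME: completely remove sudo` note describes a real gap rather than a cleanup. Until sudo is gone the nix-shell rule should be removed or narrowed to a wrapper script with fixed arguments, and the commented-out `deploy` rule should be dropped rather than accumulating dead config. The enclosing `security.sudo` block begins before the hunk.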
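Review bot: The new doas rule `cmd = "/run/current-system/sw/bin/podman"; args = [ "build" ];` matches only the literal invocation `podman build` with no further arguments (the NixOS `args` option is an exact argument list; `null` means any), and `podman build` without a context directory is rejected by podman itself, so as committed the rule grants nothing. If it is loosened to `args = null;` to become usable, keep in mind that rootful `podman build` is root-equivalent (a `RUN` step or `--volume /:/host` in a user-supplied Containerfile runs as root on the host), so requiring a password is the right default and `noPass` should stay unset; rootless podman, which this same commit already uses for the joplin units, may cover the use case without any doas rule.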
@@ -0,0 +1,27 @@ +{ pkgs, config, lib, ... }: { + secrets.firefox-syncserver = { + # owner = config.services.firefox-syncserver.database.user; + }; + + services.mysql.package = pkgs.mariadb; + + services.firefox-syncserver = { + enable = true; + database.createLocally = true; + secrets = config.secrets.firefox-syncserver.decrypted; + settings = { + port = 5000; + tokenserver.enabled = true; + }; + singleNode = { + enable = true; + # enableTLS = false; + # enableNginx = false; + enableTLS = false; + enableNginx = true; + hostname = "localhost"; + # hostname = "fsync.ataraxiadev.com"; + # url = "https://fsync.ataraxiadev.com"; + }; + }; +} \ No newline at end of file diff --git a/profiles/servers/headscale.nix b/profiles/servers/headscale.nix new file mode 100644 index 0000000..23a21c0 --- /dev/null +++ b/profiles/servers/headscale.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: { + # secrets.headscale-db.owner = config.services.headscale.user; + # FIXME: https://github.com/juanfont/headscale/blob/main/config-example.yaml + services.headscale = { + enable = true; + serverUrl = "http://192.168.0.100:8080"; + address = "192.168.0.100"; + serverUrl = "http://tailscale.ataraxiadev.com:8080"; + # address = "0.0.0.0"; + port = 8080; + dns = { + magicDns = true; + nameservers = "192.168.0.1"; + baseDomain = "ataraxiadev.com"; + }; + # database.passwordFile = config.secrets.headscale-db.decrypted; + # database.path = "/var/lib/headscale/db.sqlite"; + # privateKeyFile = "/var/lib/headscale/private.key"; + }; + environment.systemPackages = [ config.services.headscale.package ]; + networking.firewall.allowedTCPPorts = [ config.services.headscale.port ]; + + persist.state.directories = [ "/var/lib/headscale" ]; +} \ No newline at end of file diff --git a/profiles/servers/joplin-server.nix b/profiles/servers/joplin-server.nix index b857e73..41af14d 100644 --- a/profiles/servers/joplin-server.nix +++ b/profiles/servers/joplin-server.nix 
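Review bot: `singleNode.enableTLS = false;` together with `enableNginx = true;` and `hostname = "localhost"` serves the sync and token endpoints over plain HTTP, which is acceptable only while nothing beyond this host can reach them; the commented-out `fsync.ataraxiadev.com` hostname and `url` suggest remote access is the goal, and at that point the tokenserver's bearer tokens travel in cleartext, so re-enable TLS (or terminate it in front) before switching the hostname. The `secrets.firefox-syncserver` entry leaves `owner` commented out; that file carries the sync master secret and is read by the service user, so confirm the decrypted path's owner and mode let the service read it without making it world-readable, and record the decision in the comment instead of leaving the line dangling.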
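Review bot: `services.headscale.serverUrl` is assigned twice in the same attribute set (`"http://192.168.0.100:8080"` and `"http://tailscale.ataraxiadev.com:8080"`), which Nix rejects as an attribute already defined, so headscale.nix does not evaluate as committed; keep one and comment the other out like the `address` alternative below it. Both values are plain `http://` while headscale's documentation expects the control-plane URL to be HTTPS, and port 8080 is also opened in the firewall, so consider fronting it with nginx plus TLS and setting `serverUrl = "https://tailscale.ataraxiadev.com";`. `dns.nameservers = "192.168.0.1";` is a string where the 22.11 module's option expects a list, so `[ "192.168.0.1" ]` is likely needed as well — verify against the module version in use.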
@@ -29,17 +29,28 @@ in { volumes = [ "/srv/joplin/postgres:/var/lib/postgresql/data" ]; }; }; - systemd.services.create-joplin-network = { - serviceConfig.Type = "oneshot"; - wantedBy = [ - "${backend}-joplin.service" - "${backend}-joplin-db.service" - ]; - script = '' - ${pkgs.docker}/bin/docker network inspect joplin || \ - ${pkgs.docker}/bin/docker network create -d bridge joplin - exit 0 - ''; + # systemd.services.create-joplin-network = with config.virtualisation.oci-containers; { + # serviceConfig.Type = "oneshot"; + # wantedBy = [ + # "${backend}-joplin.service" + # "${backend}-joplin-db.service" + # ]; + # script = '' + # ${pkgs.podman}/bin/podman network inspect joplin || \ + # ${pkgs.podman}/bin/podman network create -d bridge joplin || true + # ''; + # }; + systemd.services.podman-joplin = { + path = [ "/run/wrappers" ]; + serviceConfig.User = config.mainuser; + preStart = "${pkgs.podman}/bin/podman network create -d bridge joplin || true"; + postStop = "${pkgs.podman}/bin/podman network rm joplin || true"; + }; + systemd.services.podman-joplin-db = { + path = [ "/run/wrappers" ]; + serviceConfig.User = config.mainuser; + preStart = "${pkgs.podman}/bin/podman network create -d bridge joplin || true"; + postStop = "${pkgs.podman}/bin/podman network rm joplin || true"; }; systemd.services.create-joplin-folder = { serviceConfig.Type = "oneshot"; diff --git a/profiles/virtualisation.nix b/profiles/virtualisation.nix index e8e8d08..ba76deb 100644 --- a/profiles/virtualisation.nix +++ b/profiles/virtualisation.nix 
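Review bot: The `preStart`/`postStop` pairs on both `podman-joplin` and `podman-joplin-db` end in `|| true`, which hides genuine failures of `podman network create` (storage or permission problems when running as `config.mainuser`) and leaves the two units racing over the shared `joplin` network, since restarting one container removes or recreates the network the other is still attached to. Use `podman network exists joplin || podman network create -d bridge joplin` for idempotency and move the network lifecycle into one oneshot unit that both container units require, dropping the `postStop` removal. Running the containers rootless as the main user is a good change, but it presumes the `/srv/joplin/postgres` bind mount (created by `create-joplin-folder`, outside this hunk) is owned within that user's subuid range, which is not visible here. The large commented-out `create-joplin-network` block can simply be deleted.
```nix
systemd.services.joplin-network = {
  serviceConfig = { Type = "oneshot"; User = config.mainuser; RemainAfterExit = true; };
  path = [ "/run/wrappers" ];
  script = "${pkgs.podman}/bin/podman network exists joplin || ${pkgs.podman}/bin/podman network create -d bridge joplin";
};
systemd.services.podman-joplin = {
  path = [ "/run/wrappers" ];
  serviceConfig.User = config.mainuser;
  requires = [ "joplin-network.service" ];
  after = [ "joplin-network.service" ];
};
# … unchanged for podman-joplin-db: same path/User, plus the same requires/after …
```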
@@ -13,7 +13,23 @@ with config.deviceSpecific; { else "overlay2"; }; - virtualisation.oci-containers.backend = "docker"; + virtualisation.oci-containers.backend = "podman"; + virtualisation.podman = { + enable = true; + extraPackages = [ pkgs.zfs ]; + defaultNetwork.dnsname.enable = true; + }; + virtualisation.containers.registries.search = [ + "docker.io" "gcr.io" "quay.io" + ]; + virtualisation.containers.storage.settings = + lib.mkIf (devInfo.fileSystem == "zfs") { + storage = { + driver = "zfs"; + graphroot = "/var/lib/containers/storage"; + runroot = "/run/containers/storage"; + }; + }; virtualisation.libvirtd = { enable = true; diff --git a/profiles/workspace/aria2.nix b/profiles/workspace/aria2.nix new file mode 100644 index 0000000..ade1884 --- /dev/null +++ b/profiles/workspace/aria2.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, ... }: +let + homeDir = config.home-manager.users.${config.mainuser}.home.homeDirectory; +in { + # TODO: enable websocket (--rpc-certificate) + services.aria2 = { + enable = true; + downloadDir = "${homeDir}/Downloads/aria2"; + rpcListenPort = 6800; + # FIXME: I can expose this, since i listen rpc only on localhost + # but in future it's better to implement read key from secrets before start daemon + rpcSecret = "secret"; + # listenPortRange = {}; + openPorts = false; + }; + # networking.firewall.allowedTCPPorts = [ config.services.aria2.rpcListenPort ]; +} \ No newline at end of file diff --git a/profiles/workspace/nix-index.nix b/profiles/workspace/nix-index.nix index 64b5483..925c07a 100644 --- a/profiles/workspace/nix-index.nix +++ b/profiles/workspace/nix-index.nix @@ -5,6 +5,7 @@ enableZshIntegration = true; }; }; + programs.command-not-found.enable = lib.mkForce false; persist.derivative.homeDirectories = [ ".cache/nix-index" ]; } \ No newline at end of file diff --git a/roles/base.nix b/roles/base.nix index 02906fa..e68b218 100644 --- a/roles/base.nix +++ b/roles/base.nix 
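Review bot: `virtualisation.containers.registries.search = [ "docker.io" "gcr.io" "quay.io" ];` makes every unqualified image name (for example `postgres:15`) be looked up in three registries in order, so a name missing from docker.io silently resolves from the next one and a squatted repository on a later registry can be pulled by mistake. Keep the list at `[ "docker.io" ]` (or empty) and reference images fully qualified (`docker.io/library/postgres:15`) in the oci-containers definitions; if several registries are genuinely needed, add a `registries.conf.d` drop-in with `short-name-mode = "enforcing"` so ambiguous names are refused rather than guessed. The ZFS storage block looks right; a comment that `graphroot` must sit on a ZFS dataset for the `zfs` driver would help whoever reuses it.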
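Review bot: `rpcSecret = "secret";` lands verbatim in the aria2 config in the world-readable Nix store and is trivially guessable, and the comment's reasoning (RPC only listens on localhost) does not hold: any web page open in a browser on this machine can POST JSON-RPC to `127.0.0.1:6800`, and with a known secret `aria2.addUri` accepts a per-download `dir` option, i.e. arbitrary file write into the user's home. Use a long random value at minimum and prefer keeping it out of the store; if the module in use has no `rpcSecretFile` option, pass `--rpc-secret` via `extraArguments` from a wrapper that reads a secrets file at start, and replace the FIXME with `# TODO: move the secret to rpcSecretFile once the module supports it`. `openPorts = false` and the commented firewall line are correct and should stay that way.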
@@ -14,6 +14,7 @@ misc network nix + nnn overlay persist secrets diff --git a/roles/container.nix b/roles/container.nix index 5a40349..3989a54 100644 --- a/roles/container.nix +++ b/roles/container.nix @@ -12,7 +12,9 @@ misc network nix + nnn overlay + persist secrets secrets-envsubst security diff --git a/roles/desktop.nix b/roles/desktop.nix index b778972..e813ea6 100644 --- a/roles/desktop.nix +++ b/roles/desktop.nix @@ -8,11 +8,11 @@ applications-setup hardware - mullvad services sound themes virtualisation + vpn alacritty corectrl @@ -32,6 +32,7 @@ vscode waydroid + aria2 copyq cursor direnv diff --git a/roles/hypervisor.nix b/roles/hypervisor.nix index a566989..db2f207 100644 --- a/roles/hypervisor.nix +++ b/roles/hypervisor.nix @@ -7,13 +7,16 @@ applications devices + direnv git gpg locale misc nix nix-index + nnn overlay + persist secrets secrets-envsubst security
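Review bot: roles/desktop.nix swaps the `mullvad` profile for `vpn`, and this patch deletes `profiles/mullvad.nix` but adds no `profiles/vpn.nix` (it is absent from the diffstat) while tor-browser.nix now reads `config.deviceSpecific.vpn.mullvad.enable`; unless `vpn.nix` and that option already exist in the tree, the desktop role fails at evaluation. If it does exist, it is presumably where `services.mullvad-vpn.enableExcludeWrapper` and the Tailscale-through-Mullvad nftables marks from the deleted profile moved, since nothing in this diff replaces them — a sentence in the commit message saying so would avoid the guesswork. `aria2` is also added to the desktop role unconditionally, so the RPC daemon with its fixed secret starts on every desktop host.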