setup mailserver configuration

2021-11-12 05:30:35 +03:00 · 2021-11-12 05:30:35 +03:00 · c8a0b0a88c
commit c8a0b0a88c
parent 1e4a664824
20 changed files with 498 additions and 286 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,27 @@
 {
  "nodes": {
+    "android-nixpkgs": {
+      "inputs": {
+        "devshell": "devshell",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1636057193,
+        "narHash": "sha256-Vk1HyR3ZnqsG4NCCUDs0VDy8nJ5Snz2dXzBjn+V7ROc=",
+        "owner": "tadfisher",
+        "repo": "android-nixpkgs",
+        "rev": "5f2d54af6e691403c9ae04c209153aff926227ca",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tadfisher",
+        "repo": "android-nixpkgs",
+        "type": "github"
+      }
+    },
    "base16": {
      "inputs": {
        "nixpkgs": "nixpkgs"
@ -66,6 +88,51 @@
        "type": "gitlab"
      }
    },
+    "devshell": {
+      "locked": {
+        "lastModified": 1631528035,
+        "narHash": "sha256-ZV4+WsrF1uaAOM2ynGzWD5dCmrWpKc+Rj1hZkodEPQY=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "dd0d585d2ed42b9d226673dd56d4fe2dfd0bf0dc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1631561581,
+        "narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "locked": {
+        "lastModified": 1634851050,
+        "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -73,11 +140,32 @@
        ]
      },
      "locked": {
-        "lastModified": 1635285717,
-        "narHash": "sha256-CGsOBSkdjIHmKEbUkik1JKQhiKCJ64Hj7dROx7yEDCo=",
+        "lastModified": 1636044164,
+        "narHash": "sha256-RI9QjS8NBrfVTp6dzmcEVKNNjxYGBf26+/7ihDA/USc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "46a69810cb95d2e7286089830dc535d6719eaa6f",
+        "rev": "70c5b268e10025c70823767f4fb49e240b40151d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "vscode-server-fixup",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1635839387,
+        "narHash": "sha256-2B6DqfTiwY5w2TljC4+AxEUuVYMTP5Fo2h5iGNIONvk=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "288faaa5a65e72e37e6027024829b15c8bb69286",
        "type": "github"
      },
      "original": {
@ -160,11 +248,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1635332953,
-        "narHash": "sha256-jL1ziAo75FUPL0LmWDRidiDJzNxX+mQlr7t9+t3EAGU=",
+        "lastModified": 1636130118,
+        "narHash": "sha256-8HWSbvu3OfXAg8CHoQGWyQ/r6cAmNb6EX6zGUKYWiz8=",
        "owner": "NixOS",
        "repo": "nix",
-        "rev": "6e684d1b8747ed0180489eacbdf920a82162e249",
+        "rev": "3d6ee223d6fff37610790dfbda1329f05bfc4058",
        "type": "github"
      },
      "original": {
@ -239,11 +327,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1635333802,
-        "narHash": "sha256-HGACg/gHNOP9jSIdSCa6Gkf1i2kgyyzNB+6uMxVOFaA=",
+        "lastModified": 1636139470,
+        "narHash": "sha256-M3cCNN57UBO5IVcEuGYHMboXaPuta/e+X1C1GHc94t8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a90064443bc2aaed44d02aa170484d317cb130de",
+        "rev": "6f6f476bd68225f7e6d079c0cb996363e91c282c",
        "type": "github"
      },
      "original": {
@ -256,11 +344,11 @@
    "nixpkgs-mozilla": {
      "flake": false,
      "locked": {
-        "lastModified": 1634833229,
-        "narHash": "sha256-uDbVCkW91/AY87mTwm8XrX2E133LTFqwYsYNNxBcY9M=",
+        "lastModified": 1636047415,
+        "narHash": "sha256-iDFogua24bhFJZSxG/jhZbbNxDXuKP9S/pyRIYzrRPM=",
        "owner": "mozilla",
        "repo": "nixpkgs-mozilla",
-        "rev": "6070a8ee799f629cb1d0004821f77ceed94d3992",
+        "rev": "cf58c4c67b15b402e77a2665b9e7bad3e9293cb2",
        "type": "github"
      },
      "original": {
@ -269,6 +357,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-nixos-test": {
+      "locked": {
+        "lastModified": 1632909223,
+        "narHash": "sha256-f8J2eG5n8eORyV1HLBA1PWojzSUbpvkYyuLSMHrGQKU=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e1fc1a80a071c90ab65fb6eafae5520579163783",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e1fc1a80a071c90ab65fb6eafae5520579163783",
+        "type": "github"
+      }
+    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1632411313,
@ -318,11 +422,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1634782485,
-        "narHash": "sha256-psfh4OQSokGXG0lpq3zKFbhOo3QfoeudRcaUnwMRkQo=",
+        "lastModified": 1635844945,
+        "narHash": "sha256-tZcL307dj28jgEU1Wdn+zwG9neyW0H2+ZjdVhvJxh9g=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "34ad3ffe08adfca17fcb4e4a47bb5f3b113687be",
+        "rev": "b67e752c29f18a0ca5534a07661366d6a2c2e649",
        "type": "github"
      },
      "original": {
@ -335,11 +439,11 @@
    "qbittorrent-ee": {
      "flake": false,
      "locked": {
-        "lastModified": 1630342029,
-        "narHash": "sha256-KIfvEZRAegwhVESjtTdMoP5YgXAtfSgGkt8f7+bEgjA=",
+        "lastModified": 1635705887,
+        "narHash": "sha256-MiAfqcalfk6CWBtLtENnwc0W17MLSZOoLuzfu/xP4Pw=",
        "owner": "c0re100",
        "repo": "qBittorrent-Enhanced-Edition",
-        "rev": "a0f2567d14d8e36702df9aaa066e1fd4f973027a",
+        "rev": "a3955360cd527a641d4623fd84609bc072c574e2",
        "type": "github"
      },
      "original": {
@ -350,6 +454,7 @@
    },
    "root": {
      "inputs": {
+        "android-nixpkgs": "android-nixpkgs",
        "base16": "base16",
        "base16-horizon-scheme": "base16-horizon-scheme",
        "base16-tokyonight-scheme": "base16-tokyonight-scheme",
@ -367,6 +472,7 @@
        "qbittorrent-ee": "qbittorrent-ee",
        "rycee": "rycee",
        "simple-nixos-mailserver": "simple-nixos-mailserver",
+        "vscode-server-fixup": "vscode-server-fixup",
        "zsh-autosuggestions": "zsh-autosuggestions",
        "zsh-cod": "zsh-cod",
        "zsh-nix-shell": "zsh-nix-shell",
@ -376,11 +482,11 @@
    "rycee": {
      "flake": false,
      "locked": {
-        "lastModified": 1635286343,
-        "narHash": "sha256-9wAvo5L+k7HMQzIU7WyE/8Qb2YVbXVSFpbTVlHcFOrE=",
+        "lastModified": 1636084930,
+        "narHash": "sha256-+8eD0YQjpg97le1MRs1sB0MOTlWAQygNZdbg01TrnK8=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "aa654a8ade0d76a3440245c1d666f6eb3eab230c",
+        "rev": "fec337f6dfc43f65fe110d5748df90294aedfe07",
        "type": "gitlab"
      },
      "original": {
@ -399,11 +505,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1634237121,
-        "narHash": "sha256-rOHq6XaWzMnQXRsgcDiA2Dbzl7IZ0Q5S6RI+k63z3nQ=",
+        "lastModified": 1635808698,
+        "narHash": "sha256-qeRonS/oVIN094cU3jyBKXK+75po/Gv6lurhVAUo1rc=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "0d9a880c0e41a553c5d9af4efa62169db7ddeb62",
+        "rev": "ef8ca96c5d0097a0feaf6059a9b012001a096a7f",
        "type": "gitlab"
      },
      "original": {
@ -427,6 +533,29 @@
        "type": "github"
      }
    },
+    "vscode-server-fixup": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "home-manager": "home-manager_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-nixos-test": "nixpkgs-nixos-test"
+      },
+      "locked": {
+        "lastModified": 1636482527,
+        "narHash": "sha256-/o4DCLlVPx6lk7tnS/5t109vUPhY4rzEN00iGMG43sE=",
+        "owner": "yaxitech",
+        "repo": "vscode-server-fixup",
+        "rev": "c78b489936ba7e06dd13c751b01932e36f07cd33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "yaxitech",
+        "repo": "vscode-server-fixup",
+        "type": "github"
+      }
+    },
    "zsh-autosuggestions": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -10,6 +10,10 @@
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    android-nixpkgs = {
+      url = "github:tadfisher/android-nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    base16.url = "github:alukardbf/base16-nix";
    base16-horizon-scheme = {
      url = "github:michael-ball/base16-horizon-scheme";
@ -60,6 +64,10 @@
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    vscode-server-fixup = {
+      url = "github:yaxitech/vscode-server-fixup";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    zsh-autosuggestions = {
      url = "github:zsh-users/zsh-autosuggestions";
      flake = false;
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@ -1,7 +1,7 @@
 { inputs, lib, ... }: {
  imports = [
    ./hardware-configuration.nix
-    inputs.self.nixosRoles.desktop
+    inputs.self.nixosRoles.workstation
  ];

  deviceSpecific.devInfo = {
--- a/misc/Passwords.kdbx
+++ b/misc/Passwords.kdbx
--- a/profiles/applications/packages.nix
+++ b/profiles/applications/packages.nix
@ -4,6 +4,7 @@ with config.deviceSpecific; {

  home-manager.users.alukard.home.packages = with pkgs; [
    # cli
+    bat
    curl
    exa
    fd
--- a/profiles/overlay.nix
+++ b/profiles/overlay.nix
@ -14,22 +14,25 @@ with lib; {
  nixpkgs.overlays = [
    # (import "${inputs.nixpkgs-mozilla}/lib-overlay.nix")
    # (import "${inputs.nixpkgs-mozilla}/rust-overlay.nix")
+    inputs.android-nixpkgs.overlay
    (self: super:
      rec {
        inherit inputs;

-        youtube-to-mpv = pkgs.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
-        i3lock-fancy-rapid = pkgs.callPackage ./packages/i3lock-fancy-rapid.nix { };
-        xonar-fp = pkgs.callPackage ./packages/xonar-fp.nix { };
-        ibm-plex-powerline = pkgs.callPackage ./packages/ibm-plex-powerline.nix { };
+        android-emulator = self.callPackage ./packages/android-emulator.nix { };
        bibata-cursors = pkgs.callPackage ./packages/bibata-cursors.nix { };
-        multimc = pkgs.qt5.callPackage ./packages/multimc.nix { multimc-repo = inputs.multimc-cracked; };
        ceserver = pkgs.callPackage ./packages/ceserver.nix { };
+        i3lock-fancy-rapid = pkgs.callPackage ./packages/i3lock-fancy-rapid.nix { };
+        ibm-plex-powerline = pkgs.callPackage ./packages/ibm-plex-powerline.nix { };
        mpris-ctl = pkgs.callPackage ./packages/mpris-ctl.nix { };
-        tidal-dl = pkgs.callPackage ./packages/tidal-dl.nix { };
+        multimc = pkgs.qt5.callPackage ./packages/multimc.nix { multimc-repo = inputs.multimc-cracked; };
        reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { };
+        tidal-dl = pkgs.callPackage ./packages/tidal-dl.nix { };
        vscode = master.vscode;
        vscode-fhs = master.vscode-fhs;
+        xonar-fp = pkgs.callPackage ./packages/xonar-fp.nix { };
+        youtube-to-mpv = pkgs.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
+
        vivaldi = master.vivaldi.overrideAttrs (old: rec {
          postInstall = ''
            substituteInPlace "$out"/bin/vivaldi \
@ -37,7 +40,7 @@ with lib; {
              --enable-zero-copy --use-gl=desktop --enable-features=VaapiVideoDecoder --disable-features=UseOzonePlatform "$@"'
          '';
        });
-        nix-direnv = inputs.nix-direnv.defaultPackage.${system};
+        # nix-direnv = inputs.nix-direnv.defaultPackage.${system};
        wine = super.wineWowPackages.staging;
        qbittorrent = super.qbittorrent.overrideAttrs (old: rec {
          version = "enchanced-edition";
@ -79,12 +82,16 @@ with lib; {
    android_sdk.accept_license = true;
  };

-  home-manager.users.alukard = {
-    nixpkgs.config = {
-      allowUnfree = true;
-    };
-    xdg.configFile."nixpkgs/config.nix".text = ''
-      { allowUnfree = true; }
-    '';
-  };
+  # home-manager.users.alukard = {
+  #   nixpkgs.config = {
+  #     allowUnfree = true;
+  #     android_sdk.accept_license = true;
+  #   };
+  #   xdg.configFile."nixpkgs/config.nix".text = ''
+  #     {
+  #       allowUnfree = true;
+  #       android_sdk.accept_license = true;
+  #     }
+  #   '';
+  # };
 }
--- a/profiles/packages/android-emulator.nix
+++ b/profiles/packages/android-emulator.nix
@ -0,0 +1,128 @@
+{ stdenv, lib, runtimeShell
+, name ? "android-emulator", sdk ? null, deviceType ? ""
+, platformVersion ? "30", systemImageType ? "default", abiVersion ? "x86_64"
+, enableGPU ? false, extraAVDFiles ? []
+, app ? null, package ? null, activity ? null
+, avdHomeDir ? null
+}:
+
+stdenv.mkDerivation {
+  inherit name;
+
+  buildCommand = ''
+    mkdir -p $out/bin
+
+    cat > $out/bin/${name}-run << "EOF"
+    #!${runtimeShell} -e
+
+    # We need a TMPDIR
+    if [ "$TMPDIR" = "" ]
+    then
+        export TMPDIR=/tmp
+    fi
+
+    ${if avdHomeDir == null then ''
+      # Store the virtual devices somewhere else, instead of polluting a user's HOME directory
+      export ANDROID_SDK_HOME=$(mktemp -d $TMPDIR/nix-android-vm-XXXX)
+    '' else ''
+      mkdir -p "${avdHomeDir}"
+      export ANDROID_SDK_HOME="${avdHomeDir}"
+    ''}
+
+    # We need to specify the location of the Android SDK root folder
+    export ANDROID_SDK_ROOT=${sdk}
+
+    # We have to look for a free TCP port
+
+    echo "Looking for a free TCP port in range 5554-5584" >&2
+
+    for i in $(seq 5554 2 5584)
+    do
+        if [ -z "$(${sdk}/platform-tools/adb devices | grep emulator-$i)" ]
+        then
+            port=$i
+            break
+        fi
+    done
+
+    if [ -z "$port" ]
+    then
+        echo "Unfortunately, the emulator port space is exhausted!" >&2
+        exit 1
+    else
+        echo "We have a free TCP port: $port" >&2
+    fi
+
+    export ANDROID_SERIAL="emulator-$port"
+
+    # Create a virtual android device for testing if it does not exist
+    # ${sdk}/cmdline-tools/latest/bin/avdmanager list target
+
+    if [ "$(${sdk}/cmdline-tools/latest/bin/avdmanager list avd | grep 'Name: ${name}')" = "" ]
+    then
+        # Create a virtual android device
+        yes "" | ${sdk}/cmdline-tools/latest/bin/avdmanager create avd -n "${name}" -k "system-images;android-${platformVersion};${systemImageType};${abiVersion}" -d "${deviceType}" $NIX_ANDROID_AVD_FLAGS
+
+        # fix wrong sdk path
+        sed -i "s|image.sysdir.1.\+|image.sysdir.1=${sdk}/system-images/android-${platformVersion}/${systemImageType}/${abiVersion}|" "$ANDROID_SDK_HOME/.android/avd/${name}.avd/config.ini"
+
+        ${lib.optionalString enableGPU ''
+          # Enable GPU acceleration
+          echo "hw.gpu.enabled=yes" >> "$ANDROID_SDK_HOME/.android/avd/${name}.avd/config.ini"
+        ''}
+
+        ${lib.concatMapStrings (extraAVDFile: ''
+          ln -sf ${extraAVDFile} "$ANDROID_SDK_HOME/.android/avd/${name}.avd"
+        '') extraAVDFiles}
+    fi
+
+    # Launch the emulator
+    ${sdk}/emulator/emulator -avd "${name}" -no-boot-anim -port $port $NIX_ANDROID_EMULATOR_FLAGS &
+
+    # Wait until the device has completely booted
+    echo "Waiting until the emulator has booted the device and the package manager is ready..." >&2
+
+    ${sdk}/platform-tools/adb -s emulator-$port wait-for-device
+
+    echo "Device state has been reached" >&2
+
+    while [ -z "$(${sdk}/platform-tools/adb -s emulator-$port shell getprop dev.bootcomplete | grep 1)" ]
+    do
+        sleep 5
+    done
+
+    echo "dev.bootcomplete property is 1" >&2
+
+    #while [ -z "$(${sdk}/platform-tools/adb -s emulator-$port shell getprop sys.boot_completed | grep 1)" ]
+    #do
+        #sleep 5
+    #done
+
+    #echo "sys.boot_completed property is 1" >&2
+
+    echo "ready" >&2
+
+    ${lib.optionalString (app != null) ''
+      # Install the App through the debugger, if it has not been installed yet
+
+      if [ -z "${package}" ] || [ "$(${sdk}/platform-tools/adb -s emulator-$port shell pm list packages | grep package:${package})" = "" ]
+      then
+          if [ -d "${app}" ]
+          then
+              appPath="$(echo ${app}/*.apk)"
+          else
+              appPath="${app}"
+          fi
+
+          ${sdk}/platform-tools/adb -s emulator-$port install "$appPath"
+      fi
+
+      # Start the application
+      ${lib.optionalString (package != null && activity != null) ''
+          ${sdk}/platform-tools/adb -s emulator-$port shell am start -a android.intent.action.MAIN -n ${package}/${activity}
+      ''}
+    ''}
+    EOF
+    chmod +x $out/bin/${name}-run
+  '';
+}
--- a/profiles/servers/caddy.nix
+++ b/profiles/servers/caddy.nix
@ -1,105 +0,0 @@
-{ pkgs, config, lib, ... }: {
-  users.groups.cert.members = [ "turnserver" "caddy" "dovecot2" ];
-
-  secrets."ataraxiadev.com.pem" = {
-    owner = "root:cert";
-    permissions = "440";
-  };
-  secrets."ataraxiadev.com.key" = {
-    owner = "root:cert";
-    permissions = "440";
-  };
-  secrets."origin-pull-ca.pem" = {
-    owner = "root:cert";
-    permissions = "440";
-  };
-
-  ## DNS-over-TLS
-  services.stubby = {
-    enable = true;
-    listenAddresses = [ "0::1" "127.0.0.1" ];
-    roundRobinUpstreams = false;
-    upstreamServers = ''
-      ## Quad9
-      - address_data: 2620:fe::fe
-        tls_auth_name: "dns.quad9.net"
-      - address_data: 2620:fe::9
-        tls_auth_name: "dns.quad9.net"
-      - address_data: 9.9.9.9
-        tls_auth_name: "dns.quad9.net"
-      - address_data: 149.112.112.112
-        tls_auth_name: "dns.quad9.net"
-      ## Cloudflare
-      - address_data: 2606:4700:4700::1112
-        tls_auth_name: "cloudflare-dns.com"
-      - address_data: 2606:4700:4700::1002
-        tls_auth_name: "cloudflare-dns.com"
-      - address_data: 1.1.1.2
-        tls_auth_name: "cloudflare-dns.com"
-      - address_data: 1.0.0.2
-        tls_auth_name: "cloudflare-dns.com"
-    '';
-    extraConfig = ''
-      # Set TLS 1.3 as minimum acceptable version
-      tls_min_version: GETDNS_TLS1_3
-      # Require DNSSEC validation
-      dnssec: GETDNS_EXTENSION_TRUE
-    '';
-  };
-
-  networking.nameservers = [ "::1" "127.0.0.1" ];
-  services.resolved = {
-    enable = true;
-    fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ];
-  };
-
-  services.caddy = {
-    enable = true;
-    email = "ataraxiadev@ataraxiadev.com";
-    group = "cert";
-    ca = null;
-    config = ''
-      (matrix-well-known-header) {
-        # Headers
-        header Access-Control-Allow-Origin "*"
-        header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
-        header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
-        header Content-Type "application/json"
-      }
-
-      ataraxiadev.com {
-        handle /.well-known/matrix/server {
-          import matrix-well-known-header
-          respond `{"m.server":"matrix.ataraxiadev.com:443"}`
-        }
-        reverse_proxy /_matrix/* http://localhost:13748
-        tls ${config.secrets."ataraxiadev.com.pem".decrypted} ${config.secrets."ataraxiadev.com.key".decrypted} {
-          protocols tls1.3
-          client_auth {
-            mode require_and_verify
-            trusted_ca_cert MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmlnaW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkxMDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNVBAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQDExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20eihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBwhLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoYQSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRnaL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGRPpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5HhCvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa+4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REzalfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3ISzVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoXVcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2jbA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGmiYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07FAnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tMfVQ6VpyjEXdiIXWUq/o=
-          }
-        }
-      }
-
-      matrix.ataraxiadev.com {
-        reverse_proxy /* http://localhost:13748
-        reverse_proxy /mautrix-telegram/* http://localhost:29317
-        tls ${config.secrets."ataraxiadev.com.pem".decrypted} ${config.secrets."ataraxiadev.com.key".decrypted} {
-          protocols tls1.3
-          client_auth {
-            mode require_and_verify
-            trusted_ca_cert MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmlnaW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkxMDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNVBAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQDExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20eihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBwhLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoYQSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRnaL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGRPpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5HhCvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa+4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REzalfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3ISzVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoXVcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2jbA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGmiYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07FAnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tMfVQ6VpyjEXdiIXWUq/o=
-          }
-        }
-      }
-    '';
-  };
-}
-
-# handle /.well-known/matrix/client {
-#     import matrix-well-known-header
-#     respond `{"m.homeserver":{"base_url":"https://matrix.ataraxiadev.com"},"m.identity_server":{"base_url":"https://identity.ataraxiadev.com"}}`
-# }
-
-# reverse_proxy /_synapse/client/* http://localhost:8008
--- a/profiles/servers/mailserver.nix
+++ b/profiles/servers/mailserver.nix
@ -14,82 +14,90 @@ in {
  security.acme = {
    email = "ataraxiadev@ataraxiadev.com";
    acceptTerms = true;
-    certs."mail.ataraxiadev.com" = { };
+    certs."mail.ataraxiadev.com" = {
+      group = "cert";
+      webroot = "/var/lib/acme/acme-challenge";
+      postRun = ''
+        systemctl reload postfix
+        systemctl reload dovecot2
+      '';
+    };
  };

  services.postfix = {
-    relayHost = "smtp.email.eu-zurich-1.oci.oraclecloud.com";
-    relayPort = 587;
-    enableSubmission = true;
-    submissionOptions = {
-      smtp_tls_security_level = "may";
-      smtp_sasl_auth_enable = "yes";
-      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_passwd";
-      smtp_sasl_security_options = "";
-    };
-    mapFiles = { sasl_passwd = config.secrets.sasl_passwd.decrypted; };
-    # dnsBlacklists = [
-    #   "all.s5h.net"
-    #   "b.barracudacentral.org"
-    #   "bl.spamcop.net"
-    #   "blacklist.woody.ch"
-      # "bogons.cymru.com"
-      # "cbl.abuseat.org"
-      # "combined.abuse.ch"
-      # "db.wpbl.info"
-      # "dnsbl-1.uceprotect.net"
-      # "dnsbl-2.uceprotect.net"
-      # "dnsbl-3.uceprotect.net"
-      # "dnsbl.anticaptcha.net"
-      # "dnsbl.dronebl.org"
-      # "dnsbl.inps.de"
-      # "dnsbl.sorbs.net"
-      # "dnsbl.spfbl.net"
-      # "drone.abuse.ch"
-      # "duinv.aupads.org"
-      # "dul.dnsbl.sorbs.net"
-      # "dyna.spamrats.com"
-      # "dynip.rothen.com"
-      # "http.dnsbl.sorbs.net"
-      # "ips.backscatterer.org"
-      # "ix.dnsbl.manitu.net"
-      # "korea.services.net"
-      # "misc.dnsbl.sorbs.net"
-      # "noptr.spamrats.com"
-      # "orvedb.aupads.org"
-      # "pbl.spamhaus.org"
-      # "proxy.bl.gweep.ca"
-      # "psbl.surriel.com"
-      # "relays.bl.gweep.ca"
-      # "relays.nether.net"
-      # "sbl.spamhaus.org"
-      # "singular.ttk.pte.hu"
-      # "smtp.dnsbl.sorbs.net"
-      # "socks.dnsbl.sorbs.net"
-      # "spam.abuse.ch"
-      # "spam.dnsbl.anonmails.de"
-      # "spam.dnsbl.sorbs.net"
-      # "spam.spamrats.com"
-      # "spambot.bls.digibase.ca"
-      # "spamrbl.imp.ch"
-      # "spamsources.fabel.dk"
-      # "ubl.lashback.com"
-      # "ubl.unsubscore.com"
-      # "virus.rbl.jp"
-      # "web.dnsbl.sorbs.net"
-      # "wormrbl.imp.ch"
-      # "xbl.spamhaus.org"
-      # "z.mailspike.net"
-      # "zen.spamhaus.org"
-      # "zombie.dnsbl.sorbs.net"
-    # ];
-    # dnsBlacklistOverrides = ''
-    #   ataraxiadev.com OK
-    #   192.168.0.0/16 OK
-    #   ${lib.concatMapStringsSep "\n" (machine: "${machine}.lan OK") (builtins.attrNames inputs.self.nixosConfigurations)}
-    # '';
+    mapFiles."sasl_passwd" = config.secrets.sasl_passwd.decrypted;
+    extraConfig =
+    ''
+      smtp_tls_security_level = may
+      smtp_sasl_auth_enable = yes
+      smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+      smtp_sasl_security_options =
+      smtp_sasl_tls_security_options =
+      relayhost = [smtp.email.eu-zurich-1.oci.oraclecloud.com]:587
+    '';
+    dnsBlacklists = [
+      "all.s5h.net"
+      "b.barracudacentral.org"
+      "bl.spamcop.net"
+      "blacklist.woody.ch"
+      "bogons.cymru.com"
+      "cbl.abuseat.org"
+      "combined.abuse.ch"
+      "db.wpbl.info"
+      "dnsbl-1.uceprotect.net"
+      "dnsbl-2.uceprotect.net"
+      "dnsbl-3.uceprotect.net"
+      "dnsbl.anticaptcha.net"
+      "dnsbl.dronebl.org"
+      "dnsbl.inps.de"
+      "dnsbl.sorbs.net"
+      "dnsbl.spfbl.net"
+      "drone.abuse.ch"
+      "duinv.aupads.org"
+      "dul.dnsbl.sorbs.net"
+      "dyna.spamrats.com"
+      "dynip.rothen.com"
+      "http.dnsbl.sorbs.net"
+      "ips.backscatterer.org"
+      "ix.dnsbl.manitu.net"
+      "korea.services.net"
+      "misc.dnsbl.sorbs.net"
+      "noptr.spamrats.com"
+      "orvedb.aupads.org"
+      "pbl.spamhaus.org"
+      "proxy.bl.gweep.ca"
+      "psbl.surriel.com"
+      "relays.bl.gweep.ca"
+      "relays.nether.net"
+      "sbl.spamhaus.org"
+      "singular.ttk.pte.hu"
+      "smtp.dnsbl.sorbs.net"
+      "socks.dnsbl.sorbs.net"
+      "spam.abuse.ch"
+      "spam.dnsbl.anonmails.de"
+      "spam.dnsbl.sorbs.net"
+      "spam.spamrats.com"
+      "spambot.bls.digibase.ca"
+      "spamrbl.imp.ch"
+      "spamsources.fabel.dk"
+      "ubl.lashback.com"
+      "ubl.unsubscore.com"
+      "virus.rbl.jp"
+      "web.dnsbl.sorbs.net"
+      "wormrbl.imp.ch"
+      "xbl.spamhaus.org"
+      "z.mailspike.net"
+      "zen.spamhaus.org"
+      "zombie.dnsbl.sorbs.net"
+    ];
+    dnsBlacklistOverrides = ''
+      ataraxiadev.com OK
+      mail.ataraxiadev.com OK
+      192.168.0.0/16 OK
+      ${lib.concatMapStringsSep "\n" (machine: "${machine}.lan OK") (builtins.attrNames inputs.self.nixosConfigurations)}
+    '';
  };
-  mailserver = {
+  mailserver = rec {
    enable = true;
    openFirewall = true;
    fqdn = "mail.ataraxiadev.com";
@ -103,10 +111,12 @@ in {
    };
    localDnsResolver = false;
    certificateScheme = 1;
-    # certificateFile = config.secrets."ataraxiadev.com.pem".decrypted;
-    # keyFile = config.secrets."ataraxiadev.com.key".decrypted;
+    certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
+    keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
    enableImap = true;
    enableImapSsl = true;
+    enableSubmission = true;
+    enableSubmissionSsl = true;
    virusScanning = false;
  };
 }
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -73,19 +73,40 @@
        locations."/" = {
          root = "/var/lib/ataraxiadev.com";
        };
-        locations."/.well-known" = {
-          proxyPass = "http://localhost:13748";
+        locations."/.well-known/acme-challenge" = {
+          root = "/var/lib/acme/acme-challenge";
        };
+        locations."/.well-known/matrix/server".extraConfig =
+          let
+            server = { "m.server" = "matrix.ataraxiadev.com:443"; };
+          in ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+        locations."/.well-known/matrix/client".extraConfig =
+          let
+            client = {
+              "m.homeserver" = { "base_url" = "https://matrix.ataraxiadev.com"; };
+              "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+          in ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
        locations."/_matrix" = {
          proxyPass = "http://localhost:13748";
        };
      } // default;
      "matrix.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://localhost:13748";
-        };
+        locations."/".extraConfig = ''
+          return 404;
+        '';
        locations."/mautrix-telegram/" = {
          proxyPass = "http://localhost:29317";
+        };        
+        locations."/_matrix" = {
+          proxyPass = "http://localhost:13748";
        };
      } // default;
    };
--- a/profiles/servers/vscode-server.nix
+++ b/profiles/servers/vscode-server.nix
@ -0,0 +1,9 @@
+{ config, lib, pkgs, inputs, ... }: {
+  home-manager.sharedModules = [
+    inputs.vscode-server-fixup.nixosModules.home
+  ];
+
+  home-manager.users.alukard = {
+    services.vscode-server-fixup.enable = true;
+  };
+}
--- a/profiles/sound/default.nix
+++ b/profiles/sound/default.nix
@ -4,7 +4,6 @@
  imports = [
    ./pipewire.nix
    ./easyeffects
-    # ./mopidy.nix
  ];


--- a/profiles/sound/mopidy.nix
+++ b/profiles/sound/mopidy.nix
@ -1,56 +0,0 @@
-{ pkgs, config, lib, ... }: {
-  # TODO: FIXIT!
-  services.mopidy = {
-    enable = true;
-    # extensionPackages = with pkgs; [ mopidy-gmusic mopidy-youtube ];
-    configuration = ''
-      [mpd]
-      hostname = 0.0.0.0
-      [audio]
-      output = pulsesink server=127.0.0.1
-      [local]
-      enabled = true
-      library = json
-      media_dir = /home/alukard/Music
-      scan_timeout = 1000
-      scan_flush_threshold = 100
-      scan_follow_symlinks = false
-    '';
-  };
-
-  systemd.services.mopidy = {
-    after = [ "network-online.target" ];
-  };
-
-  # users.users.mopidy = {
-  #   isNormalUser = false;
-  #   extraGroups = [
-  #     "smbuser"
-  #   ];
-  # };
-  # services.mopidy = {
-  #   enable = true;
-  #   # extensionPackages = with pkgs; [ mopidy-local ];
-  #   configuration = ''
-  #     [local]
-  #     enabled = true
-  #     library = json
-  #     media_dir = /home/alukard/Music
-  #     scan_timeout = 1000
-  #     scan_flush_threshold = 100
-  #     scan_follow_symlinks = false
-
-  #     [audio]
-  #     output = pulsesink server=127.0.0.1
-
-  #     [mpd]
-  #     hostname = 0.0.0.0
-  #   '';
-  # };
-  # home-manager.users.alukard.home.file.".ncmpcpp/config".text = ''
-  #   mpd_host = 127.0.0.1
-  #   mpd_port = 6600
-  #   mpd_music_dir = "/media/files/Music"
-  # '';
-
-}
--- a/profiles/workspace/development/flutter.nix
+++ b/profiles/workspace/development/flutter.nix
@ -0,0 +1,51 @@
+{ config, lib, pkgs, inputs, ... }: {
+  home-manager.users.alukard = rec {
+    imports = [ inputs.android-nixpkgs.hmModule ];
+
+    android-sdk = {
+      enable = true;
+      path = "${config.home-manager.users.alukard.home.homeDirectory}/.android/sdk";
+      packages = sdk: with sdk; [
+        build-tools-31-0-0
+        build-tools-29-0-2
+        cmdline-tools-latest
+        patcher-v4
+        platform-tools
+        platforms-android-30
+
+
+        emulator
+        system-images-android-30-google-apis-x86-64
+      ];
+    };
+
+    home.sessionVariables = {
+      ANDROID_HOME = android-sdk.path;
+      ANDROID_SDK_ROOT = android-sdk.path;
+      JAVA_HOME = pkgs.jdk11.home;
+    };
+
+    home.packages = let
+      android-emulator = pkgs.android-emulator.override {
+        name = "flutter-emulator";
+        avdHomeDir = config.home-manager.users.alukard.home.homeDirectory;
+        sdk = android-sdk.path;
+        platformVersion = "30";
+        systemImageType = "google_apis";
+        abiVersion = "x86_64";
+        deviceType = "pixel";
+        # enableGPU = true;
+      };
+    in [
+      pkgs.flutter
+      android-emulator
+      # jdk11
+    ];
+  };
+
+  environment.sessionVariables = {
+    ANDROID_HOME = config.home-manager.users.alukard.android-sdk.path;
+    ANDROID_SDK_ROOT = config.home-manager.users.alukard.android-sdk.path;
+    JAVA_HOME = pkgs.jdk11.home;
+  };
+}
--- a/profiles/workspace/zsh.nix
+++ b/profiles/workspace/zsh.nix
@ -47,7 +47,7 @@
        "rede" = "systemctl --user start redshift.service &";
        "redd" = "systemctl --user stop redshift.service &";
        "show-packages" = "_ nix-store -q --references /run/current-system/sw";
-        "cat" = "${pkgs.bat}/bin/bat";
+        # "cat" = "${pkgs.bat}/bin/bat";
        "nsp" = "nix-shell --run zsh -p";
        # "find" = "fd";
        "grep" = "${pkgs.ripgrep}/bin/rg";
--- a/roles/base.nix
+++ b/roles/base.nix
@ -1,6 +1,9 @@
 { inputs, ... }: {
  imports = with inputs.self.nixosModules; with inputs.self.nixosProfiles; [
-    inputs.home-manager.nixosModules.home-manager
+    inputs.home-manager.nixosModules.home-manager {
+      home-manager.useGlobalPkgs = true;
+      home-manager.useUserPackages = true;
+    }

    applications
    # auto-run
--- a/roles/default.nix
+++ b/roles/default.nix
@ -2,4 +2,5 @@
  server = ./server.nix;
  desktop = ./desktop.nix;
  base = ./base.nix;
+  workstation = ./workstation.nix;
 }
--- a/roles/desktop.nix
+++ b/roles/desktop.nix
@ -20,7 +20,6 @@
    himalaya
    kitty
    mangohud
-    mopidy
    mpv
    ncmpcpp
    packages
--- a/roles/server.nix
+++ b/roles/server.nix
@ -12,7 +12,7 @@
    coturn
    mailserver
    matrix-synapse
-    # nginx
-    caddy
+    nginx
+    vscode-server
  ];
 }
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@ -0,0 +1,7 @@
+{ inputs, ... }: {
+  imports = with inputs.self.nixosModules; with inputs.self.nixosProfiles; [
+    ./desktop.nix
+
+    flutter
+  ];
+}