From 80bda6662ec5723396e82ecb5a635c216a7cd969 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 01:54:53 +1100
Subject: [PATCH 01/11] build: aerc stylesheets are strings now

---
 modules/home-manager/features/aerc.nix | 60 +++++++++++++-------------
 1 file changed, 29 insertions(+), 31 deletions(-)

diff --git a/modules/home-manager/features/aerc.nix b/modules/home-manager/features/aerc.nix
index e7a783d..5991ed5 100644
--- a/modules/home-manager/features/aerc.nix
+++ b/modules/home-manager/features/aerc.nix
@@ -18,36 +18,34 @@
         sort = "-r date";
       };
     };
-    stylesets = {
-      catppuccin-mocha = {
-        "*.default" = true;
-        "*.normal" = true;
-        "default.fg" = "#cdd6f4";
-        "error.fg" = "#f38ba8";
-        "warning.fg" = "#fab387";
-        "success.fg" = "#a6e3a1";
-        "tab.fg" = "#6c7086";
-        "tab.bg" = "#181825";
-        "tab.selected.fg" = "#cdd6f4";
-        "tab.selected.bg" = "#1e1e2e";
-        "tab.selected.bold" = true;
-        "border.fg" = "#11111b";
-        "border.bold" = true;
-        "msglist_unread.bold" = true;
-        "msglist_flagged.fg" = "#f9e2af";
-        "msglist_flagged.bold" = true;
-        "msglist_result.fg" = "#89b4fa";
-        "msglist_result.bold" = true;
-        "msglist_*.selected.bold" = true;
-        "msglist_*.selected.bg" = "#313244";
-        "dirlist_*.selected.bold" = true;
-        "dirlist_*.selected.bg" = "#313244";
-        "statusline_default.fg" = "#9399b2";
-        "statusline_default.bg" = "#313244";
-        "statusline_error.bold" = true;
-        "statusline_success.bold" = true;
-        "completion_default.selected.bg" = "#313244";
-      };
-    };
+    stylesets.catppuccin-mocha = ''
+      "*.default" = true
+      "*.normal" = true
+      "default.fg" = "#cdd6f4"
+      "error.fg" = "#f38ba8"
+      "warning.fg" = "#fab387"
+      "success.fg" = "#a6e3a1"
+      "tab.fg" = "#6c7086"
+      "tab.bg" = "#181825"
+      "tab.selected.fg" = "#cdd6f4"
+      "tab.selected.bg" = "#1e1e2e"
+      "tab.selected.bold" = true
+      "border.fg" = "#11111b"
+      "border.bold" = true
+      "msglist_unread.bold" = true
+      "msglist_flagged.fg" = "#f9e2af"
+      "msglist_flagged.bold" = true
+      "msglist_result.fg" = "#89b4fa"
+      "msglist_result.bold" = true
+      "msglist_*.selected.bold" = true
+      "msglist_*.selected.bg" = "#313244"
+      "dirlist_*.selected.bold" = true
+      "dirlist_*.selected.bg" = "#313244"
+      "statusline_default.fg" = "#9399b2"
+      "statusline_default.bg" = "#313244"
+      "statusline_error.bold" = true
+      "statusline_success.bold" = true
+      "completion_default.selected.bg" = "#313244"
+    '';
   };
 }

From 2d9b057c3a3c57953e02fe517276dbfdcfae7ec5 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 01:55:04 +1100
Subject: [PATCH 02/11] build: git settings have been tidied up

---
 modules/home-manager/features/git.nix | 59 ++++++++++++---------------
 1 file changed, 25 insertions(+), 34 deletions(-)

diff --git a/modules/home-manager/features/git.nix b/modules/home-manager/features/git.nix
index ea1f4eb..2ee75a1 100644
--- a/modules/home-manager/features/git.nix
+++ b/modules/home-manager/features/git.nix
@@ -1,44 +1,35 @@
 {
   programs.git = {
     enable = true;
-
-    delta = {
-      enable = true;
-      options.theme = "Dracula";
-    };
-
-    userName = "wi11-holdsworth";
-    userEmail = "83637728+wi11-holdsworth@users.noreply.github.com";
-
-    aliases = {
-      # keep-sorted start
-      a = "add";
-      aa = "add .";
-      ap = "add -p";
-      c = "commit --verbose";
-      ca = "commit -a --verbose";
-      cam = "commit -a -m";
-      cm = "commit -m";
-      co = "checkout";
-      cob = "checkout -b";
-      d = "diff";
-      dc = "diff --cached";
-      ds = "diff --stat";
-      m = "commit --amend --verbose";
-      pl = "pull";
-      ps = "push";
-      s = "status -s";
-      # keep-sorted end
-    };
-
-    extraConfig = {
+    settings = {
       init.defaultBranch = "main";
-
       core.editor = "nvim";
-
       push.autoSetupRemote = true;
-
       pull.rebase = false;
+      user = {
+        name = "wi11-holdsworth";
+        email = "83637728+wi11-holdsworth@users.noreply.github.com";
+      };
+      aliases = {
+        # keep-sorted start
+        a = "add";
+        aa = "add .";
+        ap = "add -p";
+        c = "commit --verbose";
+        ca = "commit -a --verbose";
+        cam = "commit -a -m";
+        cm = "commit -m";
+        co = "checkout";
+        cob = "checkout -b";
+        d = "diff";
+        dc = "diff --cached";
+        ds = "diff --stat";
+        m = "commit --amend --verbose";
+        pl = "pull";
+        ps = "push";
+        s = "status -s";
+        # keep-sorted end
+      };
     };
   };
 }

From 96e1951ecfa10bf0cea1ca79fa6202a1d0179d89 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:24:23 +1100
Subject: [PATCH 03/11] feat: enable firewall on all systems

---
 modules/nixos/features/network.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/nixos/features/network.nix b/modules/nixos/features/network.nix
index 5ea2774..ce2b3a9 100644
--- a/modules/nixos/features/network.nix
+++ b/modules/nixos/features/network.nix
@@ -6,5 +6,6 @@
   networking = {
     hostName = "${hostName}";
     networkmanager.enable = true;
+    firewall.enable = true;
   };
 }

From a62a9b6990de1d19c8793324d75a3dd3c20efa2a Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:24:39 +1100
Subject: [PATCH 04/11] feat: confine sudo access to users with the wheel group
 only

---
 modules/nixos/features/sudo.nix | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 modules/nixos/features/sudo.nix

diff --git a/modules/nixos/features/sudo.nix b/modules/nixos/features/sudo.nix
new file mode 100644
index 0000000..78f1db5
--- /dev/null
+++ b/modules/nixos/features/sudo.nix
@@ -0,0 +1,6 @@
+{
+  ...
+}:
+{
+  security.sudo.execWheelOnly = true;
+}

From 6a9ee249d95e1cd5526ba14cfb36176758a5bed2 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:12:38 +1100
Subject: [PATCH 05/11] feat: move lazygit to home manager module

---
 modules/home-manager/default.nix          |  1 +
 modules/home-manager/features/lazygit.nix | 14 ++++++++++++++
 modules/nixos/default.nix                 |  1 -
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 modules/home-manager/features/lazygit.nix

diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix
index 7c8e20d..119520d 100644
--- a/modules/home-manager/default.nix
+++ b/modules/home-manager/default.nix
@@ -13,6 +13,7 @@
     "fish"
     "gh"
     "git"
+    "lazygit"
     "starship"
     "yazi"
     "zoxide"
diff --git a/modules/home-manager/features/lazygit.nix b/modules/home-manager/features/lazygit.nix
new file mode 100644
index 0000000..e4938bf
--- /dev/null
+++ b/modules/home-manager/features/lazygit.nix
@@ -0,0 +1,14 @@
+{
+  ...
+}:
+{
+  programs.lazygit = {
+    enable = true;
+    settings = {
+      log = {
+        localBranchSortOrder = "recency";
+        remoteBranchSortOrder = "recency";
+      };
+    };
+  };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index b1c31ad..804f01d 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -46,7 +46,6 @@
       hexyl # hexadecimal viewer
       hyperfine # benchmarking tool
       keep-sorted # alphabetical formatter
-      lazygit # git tui
       mprocs # run long running commands and monitor output
       navi # cheatsheet browser
       nb # note taking

From f2568c2a78ba1d83697bee149d704e1e50a5de22 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:06:21 +1100
Subject: [PATCH 06/11] fix: aerc D bind now moves email to trash folder and
 not just all mail

---
 modules/home-manager/features/aerc.nix | 130 +++++++++++++++++++++++++
 1 file changed, 130 insertions(+)

diff --git a/modules/home-manager/features/aerc.nix b/modules/home-manager/features/aerc.nix
index 5991ed5..7debd0a 100644
--- a/modules/home-manager/features/aerc.nix
+++ b/modules/home-manager/features/aerc.nix
@@ -18,6 +18,136 @@
         sort = "-r date";
       };
     };
+    extraBinds = {
+      global = {
+        # keep-sorted start
+        "<C-n>" = ":next-tab <Enter>";
+        "<C-p>" = ":prev-tab<Enter>";
+        "<C-t>" = ":term<Enter>";
+        "?" = ":help keys<Enter>";
+        # keep-sorted end
+      };
+      messages = {
+        # keep-sorted start
+        "!" = ":term<space>";
+        "$" = ":term<space>";
+        "/" = ":search<space>-a<space>";
+        "<C-b>" = ":prev 100%<Enter>";
+        "<C-d>" = ":next 50%<Enter>";
+        "<C-f>" = ":next 100%<Enter>";
+        "<C-u>" = ":prev 50%<Enter>";
+        "<Down>" = ":next<Enter>";
+        "<Enter>" = ":view<Enter>";
+        "<Esc>" = ":clear<Enter>";
+        "<PgDn>" = ":next 100%<Enter>";
+        "<PgUp>" = ":prev 100%<Enter>";
+        "<Up>" = ":prev<Enter>";
+        "\\" = ":filter <space>";
+        "|" = ":pipe<space>";
+        A = ":archive flat<Enter>";
+        C = ":compose<Enter>";
+        D = ":move Trash<Enter>";
+        G = ":select -1<Enter>";
+        H = ":collapse-folder<Enter>";
+        J = ":next-folder <Enter>";
+        K = ":prev-folder<Enter>";
+        L = ":expand-folder<Enter>";
+        N = ":prev-result<Enter>";
+        R = ":read<Enter>";
+        Rq = ":reply -q<Enter>";
+        Rr = ":reply<Enter>";
+        T = ":toggle-threads<Enter>";
+        U = ":unread<Enter>";
+        V = ":mark -v<Enter>";
+        c = ":cf<space>";
+        d = ":prompt 'Really delete this message?' 'delete-message'<Enter>";
+        g = ":select 0 <Enter>";
+        j = ":next <Enter>";
+        k = ":prev <Enter>";
+        n = ":next-result<Enter>";
+        q = ":quit<Enter>";
+        rq = ":reply -aq<Enter>";
+        rr = ":reply -a<Enter>";
+        v = ":mark -t<Enter>";
+        # keep-sorted end
+      };
+      "messages:folder=Drafts" = {
+        "<Enter>" = ":recall<Enter>";
+      };
+      view = {
+        # keep-sorted start
+        "/" = ":toggle-key-passthrough <Enter> /";
+        "<C-j>" = ":next-part<Enter>";
+        "<C-k>" = ":prev-part<Enter>";
+        "<C-l>" = ":open-link <space>";
+        "|" = ":pipe<space>";
+        A = ":archive flat<Enter>";
+        D = ":move Trash<Enter>";
+        H = ":toggle-headers<Enter>";
+        J = ":next <Enter>";
+        K = ":prev<Enter>";
+        O = ":open<Enter>";
+        R = ":read<Enter>";
+        Rq = ":reply -q<Enter>";
+        Rr = ":reply<Enter>";
+        S = ":save<space>";
+        U = ":unread<Enter>";
+        f = ":forward <Enter>";
+        q = ":close<Enter>";
+        rq = ":reply -aq<Enter>";
+        rr = ":reply -a<Enter>";
+        # keep-sorted end
+      };
+      "view::passthrough" = {
+        # keep-sorted start
+        "$ex" = "<C-x>";
+        "$noinherit" = "true";
+        "<Esc>" = ":toggle-key-passthrough<Enter>";
+        # keep-sorted end
+      };
+      compose = {
+        # keep-sorted start
+        "$ex" = "<C-x>";
+        "$noinherit" = "true";
+        "<A-n>" = ":switch-account -n<Enter>";
+        "<A-p>" = ":switch-account -p<Enter>";
+        "<C-j>" = ":next-field<Enter>";
+        "<C-k>" = ":prev-field<Enter>";
+        "<C-n>" = ":next-tab<Enter>";
+        "<C-p>" = ":prev-tab<Enter>";
+        "<tab>" = ":next-field<Enter>";
+        # keep-sorted end
+      };
+      "compose::editor" = {
+        # keep-sorted start
+        "$ex" = "<C-x>";
+        "$noinherit" = "true";
+        "<C-j>" = ":next-field<Enter>";
+        "<C-k>" = ":prev-field<Enter>";
+        "<C-n>" = ":next-tab<Enter>";
+        "<C-p>" = ":prev-tab<Enter>";
+        # keep-sorted end
+      };
+      "compose::review" = {
+        # keep-sorted start
+        a = ":attach<space>";
+        d = ":detach<space>";
+        e = ":edit<Enter>";
+        n = ":abort<Enter>";
+        p = ":postpone<Enter>";
+        q = ":choose -o d discard abort -o p postpone postpone<Enter>";
+        y = ":send <Enter>";
+        # keep-sorted end
+      };
+      terminal = {
+        # keep-sorted start
+        "$ex" = "<C-x>";
+        "$noinherit" = "true";
+        "<C-n>" = ":next-tab<Enter>";
+        "<C-p>" = ":prev-tab<Enter>";
+        # keep-sorted end
+      };
+    };
     stylesets.catppuccin-mocha = ''
       "*.default" = true
       "*.normal" = true

From f4c10a0a0bf3676c564cd436c8283ac8d64d0335 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:26:30 +1100
Subject: [PATCH 07/11] refactor: combine nix-settings and nixpkgs modules into
 one nix module

---
 modules/nixos/default.nix                            | 3 +--
 modules/nixos/features/{nix-settings.nix => nix.nix} | 7 +++++++
 modules/nixos/features/nixpkgs.nix                   | 3 ---
 3 files changed, 8 insertions(+), 5 deletions(-)
 rename modules/nixos/features/{nix-settings.nix => nix.nix} (80%)
 delete mode 100644 modules/nixos/features/nixpkgs.nix

diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 804f01d..e980470 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -13,8 +13,7 @@
     "localisation"
     "network"
     "nh"
-    "nix-settings"
-    "nixpkgs"
+    "nix"
     "nixvim"
     "syncthing"
     "systemd-boot"
diff --git a/modules/nixos/features/nix-settings.nix b/modules/nixos/features/nix.nix
similarity index 80%
rename from modules/nixos/features/nix-settings.nix
rename to modules/nixos/features/nix.nix
index eda2992..498861b 100644
--- a/modules/nixos/features/nix-settings.nix
+++ b/modules/nixos/features/nix.nix
@@ -1,4 +1,11 @@
 {
+  lib,
+  ...
+}:
+{
+  # allow packages with non-free licenses
+  nixpkgs.config.allowUnfree = true;
+
   nix = {
     gc = {
       automatic = true;
diff --git a/modules/nixos/features/nixpkgs.nix b/modules/nixos/features/nixpkgs.nix
deleted file mode 100644
index e95ec3c..0000000
--- a/modules/nixos/features/nixpkgs.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  nixpkgs.config.allowUnfree = true;
-}

From ef927bcfda3984a89abcbc46af81b82a8a75c3aa Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:28:30 +1100
Subject: [PATCH 08/11] feat: restrict nix package manager to wheel group

---
 modules/nixos/features/nix.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/nixos/features/nix.nix b/modules/nixos/features/nix.nix
index 498861b..ab6eca1 100644
--- a/modules/nixos/features/nix.nix
+++ b/modules/nixos/features/nix.nix
@@ -18,6 +18,7 @@
       persistent = true;
     };
     settings = {
+      allowed-users = [ "@wheel" ];
       experimental-features = [
         "nix-command"
         "flakes"

From 2652248bc3fc13741bb2d655c228a86b6bcf5a2b Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:27:36 +1100
Subject: [PATCH 09/11] feat: rip out default packages

---
 modules/nixos/features/nix.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/nixos/features/nix.nix b/modules/nixos/features/nix.nix
index ab6eca1..a73a504 100644
--- a/modules/nixos/features/nix.nix
+++ b/modules/nixos/features/nix.nix
@@ -3,6 +3,9 @@
   ...
 }:
 {
+  # rip out default packages
+  environment.defaultPackages = lib.mkForce [ ];
+
   # allow packages with non-free licenses
   nixpkgs.config.allowUnfree = true;
 

From 77225f2fa1f4f20ba41e0ad61a34864dc9ec8e60 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 17:28:44 +1100
Subject: [PATCH 10/11] feat: harden sshd on server

---
 hosts/server/configuration.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 0311fe3..8854a0d 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -25,7 +25,19 @@
 
   networking.hostName = "${hostName}";
 
-  services.openssh.enable = true;
+  # hardened openssh
+  services.openssh = {
+    passwordAuthentication = false;
+    allowSFTP = false; 
+    challengeResponseAuthentication = false;
+    extraConfig = ''
+      AllowTcpForwarding yes
+      X11Forwarding no
+      AllowAgentForwarding no
+      AllowStreamLocalForwarding no
+      AuthenticationMethods publickey
+    '';
+  };
 
   system.stateVersion = "24.11";
 

From 9793215fed7f14bf84a61b58d3779edc6fb187e7 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Wed, 22 Oct 2025 18:02:12 +1100
Subject: [PATCH 11/11] fix: miniflux host specified wrong

---
 modules/nixos/features/paperless.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/nixos/features/paperless.nix b/modules/nixos/features/paperless.nix
index eef48b1..348b42d 100644
--- a/modules/nixos/features/paperless.nix
+++ b/modules/nixos/features/paperless.nix
@@ -30,7 +30,7 @@ in
       ];
     };
 
-    nginx.virtualHosts."miniflux.fi33.buzz" = {
+    nginx.virtualHosts."paperless.fi33.buzz" = {
       forceSSL = true;
       useACMEHost = "fi33.buzz";
       locations."/".proxyPass = "http://localhost:${port}";