misc: initial commit

nixos/audio/pipewire-low-latency.nix

@@ -0,0 +1,37 @@
+{config, ...}: {
+  assertions = [
+    {
+      assertion = config.services.pipewire.enable;
+      message = "PipeWire must be enabled for low-latency PipeWire";
+    }
+  ];
+
+  services.pipewire.extraConfig = {
+    pipewire."92-low-latency" = {
+      context.properties = {
+        default.clock.rate = 48000;
+        default.clock.quantum = 32;
+        default.clock.min-quantum = 32;
+        default.clock.max-quantum = 32;
+      };
+    };
+    pipewire-pulse."92-low-latency" = {
+      context.modules = [
+        {
+          name = "libpipewire-module-protocol-pulse";
+          args = {
+            pulse.min.req = "32/48000";
+            pulse.default.req = "32/48000";
+            pulse.max.req = "32/48000";
+            pulse.min.quantum = "32/48000";
+            pulse.max.quantum = "32/48000";
+          };
+        }
+      ];
+      stream.properties = {
+        node.latency = "32/48000";
+        resample.quality = 1;
+      };
+    };
+  };
+}

nixos/audio/pipewire.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+    pulse.enable = true;
+    jack.enable = true;
+  };
+}

nixos/common/flake-support.nix

@@ -0,0 +1,52 @@
+# Configuration for any flake-based NixOS system
+# Try our darndest to get nixpkgs into path & registry properly
+#
+# Maybe write a blog post about it?
+#
+# In theory NixOS 24.05 does this for us?
+# > On flake-based NixOS configurations using nixpkgs.lib.nixosSystem, NixOS will automatically set NIX_PATH and the system-wide flake registry (/etc/nix/registry.json) to point <nixpkgs> and the unqualified flake path nixpkgs to the version of nixpkgs used to build the system.
+# > This makes nix run nixpkgs#hello and nix-build '<nixpkgs>' -A hello work out of the box with no added configuration, reusing dependencies already on the system.
+# > This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.
+# > To disable this, set nixpkgs.flake.setNixPath and nixpkgs.flake.setFlakeRegistry to false.
+# https://nixos.org/manual/nixos/unstable/release-notes#sec-release-24.05-highlights
+#
+# Some reading:
+# https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry#custom-nix-path-and-flake-registry-1
+# https://github.com/NixOS/nix/issues/9574
+#
+# https://discourse.nixos.org/t/questions-on-using-nixos-desktop-with-flakes/16285/5
+#
+# I think there are two separate problems.
+#
+# # Getting lookup paths (like <nixpkgs>) to resolve
+#
+# This comment mentions how they work:
+# https://discourse.nixos.org/t/nix-path-is-not-recognized/38404/6
+#
+# # Getting `indirect` flake refs (like "nixpkgs") to resolve
+# · indirect: Indirections through the flake registry. These have the form
+#
+#     | [flake:]<flake-id>(/<rev-or-ref>(/rev)?)?
+#
+#   These perform a lookup of <flake-id> in the flake registry. For example, nixpkgs and nixpkgs/release-20.09 are indirect flake references. The specified rev and/or ref are merged with the entry in
+#   the registry; see nix registry for details.
+{
+  inputs,
+  lib,
+  ...
+}: let
+  inherit (inputs) nixpkgs;
+in {
+  # Enable flake features
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+  nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
+
+  programs.command-not-found.enable = false; # Doesn't work well past channels
+
+  nix.registry.nixpkgs.flake = nixpkgs;
+  # but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake.
+  # Make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
+  environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
+  # https://github.com/NixOS/nix/issues/9574
+  nix.settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs";
+}

nixos/default.nix

@@ -0,0 +1,167 @@
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}:
+{
+    imports = [ 
+      inputs.disko.nixosModules.disko
+      
+      ./device.nix
+      ./disk-config.nix
+      ./hardware-configuration.nix
+      ./audio/pipewire.nix
+      ./impermanence.nix
+      ./nix-maintenance.nix
+      # ./hardening.nix
+
+      ./desktop/plasma
+      ./tailscale.nix
+
+      ./users.nix
+      ./user-system-config.nix
+    ];
+
+  # Allows referring to this flake by the shorthand `nixos-config`, which lets you do e.g.
+  # nix repl nixos-config 
+  nix.registry.nixos-config.to = {
+    type = "git";
+    url = "file://${config.users.users.evar.home}/dev/nix/config";
+  };
+
+  # In order to catch all logs, we need to mount this early enough in the boot process.
+  fileSystems."/var/log".neededForBoot = true;
+  
+  zramSwap = {
+    enable = true;
+    memoryPercent = 25;
+  };
+
+  # This is not ideal for a laptop.
+  # For solution watch https://github.com/nix-community/impermanence/issues/153
+  time.timeZone = "America/New_York";
+
+  nix.settings = {
+    # unclutters home folder
+    use-xdg-base-directories = true;
+
+    # adding a community binary cache
+    substituters = [
+      "https://nix-community.cachix.org"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg)
+    [
+      "steam"
+      # "steam-original"
+      # "steam-run"
+      "steam-unwrapped"
+      "obsidian"
+      "rider"
+      "rust-rover"
+      "spotify"
+    ];
+
+  # basically agrees to some license stuff
+  hardware.enableRedistributableFirmware = true;
+
+  ### Boot
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.initrd.systemd.enable = true;
+
+  ### Session management
+
+  services.displayManager.autoLogin = {
+    # only if there's any encripted disks
+    enable = config.boot.initrd.luks.devices != {};
+    user = "evar";
+  };
+
+  ### Networking
+
+  networking.networkmanager = {
+    enable = true;
+    # Per https://kokada.dev/blog/an-unordered-list-of-hidden-gems-inside-nixos/
+    # May improve reliability
+    wifi.backend = "iwd";
+  };
+  services.openssh.enable = true;
+
+  ### System software
+
+  environment.systemPackages = [
+    pkgs.git
+    pkgs.gdu
+
+    pkgs.exfatprogs # for mkfs.exfat
+    pkgs.parted # for partprobe
+
+    pkgs.gparted
+
+    # For thinkorswim
+    # TODO: Should be elsewhere
+    pkgs.distrobox
+  ];
+
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+  };
+
+  programs.adb.enable = true;
+
+  # Miscellaneous
+
+  # helps some things access battery info
+  services.upower.enable = true;
+  # dynamic mounting of connected devices
+  services.udisks2.enable = true;
+  services.printing.enable = true;
+  # service discovery, hostname lookups, etc.
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    openFirewall = true;
+  };
+  # For the music server
+  networking.firewall.allowedUDPPorts = [
+    # DLNA discovery (SSDP)
+    1900
+  ];
+
+  hardware.bluetooth = {
+    powerOnBoot = true;
+    settings.General.Experimental = "true";
+  };
+  # allows connecting to virtualized directories
+  services.gvfs.enable = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

nixos/desktop/gnome/default.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  services.xserver.enable = true;
+  # services.xserver.displayManager.defaultSession = "gnome";
+  # https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
+  systemd.services."getty@tty1".enable = false;
+  systemd.services."autovt@tty1".enable = false;
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+  hardware.pulseaudio.enable = false;
+  # xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+  environment.systemPackages = [
+    pkgs.gnomeExtensions.appindicator
+    pkgs.gnomeExtensions.dash-to-dock
+    pkgs.gnomeExtensions.dash-to-panel
+    pkgs.mission-center
+    pkgs.gnome.nautilus
+  ];
+  environment.gnome.excludePackages = [
+    pkgs.gnome-tour
+    pkgs.gnome.cheese # Camera
+    pkgs.gnome.gnome-system-monitor
+    #pkgs.gnome.gnome-music
+    pkgs.gnome.gnome-terminal # Console
+    pkgs.gnome.gnome-contacts
+    pkgs.gedit # Text Editor
+    pkgs.gnome.epiphany # Web
+    pkgs.gnome.geary
+    pkgs.gnome.totem # Videos
+  ];
+  services.udev.packages = [
+    pkgs.gnome.gnome-settings-daemon
+  ];
+
+  services.xserver.desktopManager.gnome.extraGSettingsOverrides = ''
+    [org.gnome.mutter]
+    experimental-features=['scale-monitor-framebuffer']
+  '';
+  services.xserver.desktopManager.gnome.extraGSettingsOverridePackages = [pkgs.gnome.mutter];
+}

nixos/desktop/hypr/default.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  nix.settings = {
+    builders-use-substitutes = true; # unknown, suggested by anyrun
+    substituters = [
+      "https://hyprland.cachix.org"
+      "https://anyrun.cachix.org"
+    ];
+    trusted-public-keys = [
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
+    ];
+  };
+
+  services.xserver.enable = true;
+  services.xserver.displayManager.defaultSession = "hyprland";
+  # https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
+  systemd.services."getty@tty1".enable = false;
+  systemd.services."autovt@tty1".enable = false;
+  services.xserver.displayManager.gdm.enable = true;
+  security.pam.services.swaylock = {};
+
+  programs.hyprland = {
+    enable = true;
+  };
+
+  xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
+
+  services.blueman.enable = true;
+}

nixos/desktop/plasma/default.nix

@@ -0,0 +1,20 @@
+{config, lib, pkgs, ...}:
+let
+  autologin = config.services.displayManager.autoLogin.enable;
+in
+{
+  services.displayManager.sddm.enable = true;
+  services.displayManager.sddm.wayland.enable = true;
+  services.desktopManager.plasma6.enable = true;
+
+  programs.dconf.enable = true;
+
+  # The user is expected to have Emacs instead
+  environment.plasma6.excludePackages = with pkgs.kdePackages; [
+    elisa
+  ];
+
+  # https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-2495681146
+  systemd.services."getty@tty1".enable = lib.mkIf autologin false;
+  systemd.services."autovt@tty1".enable = lib.mkIf autologin false;
+}

nixos/device.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = [
+    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+  ];
+
+  # Set the Wireless Regulatory Domain
+  # https://github.com/NixOS/nixpkgs/issues/25378
+  boot.extraModprobeConfig = ''
+    options cfg80211 ieee80211_regdom="US"
+  '';
+
+  services.fwupd.enable = true;
+
+  hardware.bluetooth.enable = true;
+
+  boot.kernelPackages =
+    lib.mkIf
+    (lib.versionOlder pkgs.linux.version "6.9")
+    pkgs.linuxPackages_latest;
+
+  # Not needed on NixOS 24.05+
+  # Disable pcr for linux kernel testing 6.9-rc4+
+  # Per https://community.frame.work/t/tracking-framework-16-linux-6-9-0-rc4-rc5-extreme-screen-flickering-anyone-else/49467/44
+  boot.kernelParams = let
+    affectedVersions = ["6.9-rc4" "6.9-rc5" "6.9-rc6"];
+    version = config.boot.kernelPackages.kernel.version;
+    affected = builtins.elem version affectedVersions;
+  in
+    lib.mkIf affected ["amdgpu.dcdebugmask=0x400"];
+
+  environment.systemPackages = lib.mkMerge [
+    (with pkgs; [
+      fw-ectool
+      framework-tool
+    ])
+    # Show EasyEffects status in GNOME
+    (lib.mkIf config.services.xserver.desktopManager.gnome.enable [
+      pkgs.gnomeExtensions.easyeffects-preset-selector
+    ])
+  ];
+
+  # The FWL benefits from modifying its speakers
+  home-manager.sharedModules = [
+    {
+      services.easyeffects.enable = true;
+    }
+  ];
+  # EasyEffects needs this
+  programs.dconf.enable = true;
+
+  # RGB LED Matrix
+  services.hardware.openrgb = {
+    enable = true;
+    package = pkgs.openrgb-with-all-plugins;
+  };
+}

nixos/disk-config.nix

@@ -0,0 +1,69 @@
+{
+  # checkout the example folder for how to configure different disko layouts
+  disko.devices = {
+    disk.fw16-2280 = {
+      device = "/dev/disk/by-path/pci-0000:05:00.0-nvme-1";
+      content = {
+        type = "gpt";
+        partitions = {
+          esp = {
+            size = "2G";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = ["noatime" "fmask=0077" "dmask=0077"];
+            };
+          };
+          cryptall = {
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "all";
+              settings = {
+                # allowDiscards = true;
+                # keyFile = "/tmp/secret.key";
+              };
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  # System state which should be persistent across reboots and possibly backed up.
+                  "/@nixos-persist" = {
+                    mountpoint = "/persist";
+                    mountOptions = ["noatime" "compress=zstd"];
+                  };
+                  # I’m not so interested in backing up logs but I want them to be preserved across reboots,
+                  # so I’m dedicating a subvolume to logs rather than using the persist subvolume.
+                  "/@nixos-varlog" = {
+                    mountpoint = "/var/log";
+                    mountOptions = ["noatime" "compress=zstd"];
+                  };
+                  # Needs to be persistent but is not worth backing up, as it’s trivial to reconstruct.
+                  "/@nixos-nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = ["noatime" "compress=zstd"];
+                  };
+
+                  "/@data" = {
+                    mountpoint = "/data";
+                    mountOptions = ["noatime" "compress=zstd"];
+                  };
+                  "/@home-evar" = {
+                    mountpoint = "/home/evar";
+                    mountOptions = ["noatime" "compress=zstd"];
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev."/" = {
+      fsType = "tmpfs";
+      mountOptions = ["size=25%" "mode=755"];
+    };
+  };
+}

nixos/hardening.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  nix.settings.allowed-users = ["@wheel"];
+  security.sudo.execWheelOnly = true;
+  services.openssh = {
+    allowSFTP = false;
+    settings = {
+      ChallengeResponseAuthentication = false;
+      PasswordAuthentication = false;
+    };
+    extraConfig = ''
+      AllowTcpForwarding yes
+      X11Forwarding no
+      AllowAgentForwarding no
+      AllowStreamLocalForwarding no
+      AuthenticationMethods publickey
+    '';
+  };
+}

nixos/hardware-configuration.nix

@@ -0,0 +1,26 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp196s0f3u2u3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nixos/impermanence.nix

@@ -0,0 +1,52 @@
+{
+  inputs,
+  options,
+  ...
+}: {
+  imports = [inputs.impermanence.nixosModules.impermanence];
+
+  # There are bind mounts into here that are important for boot.
+  fileSystems."/persist".neededForBoot = true;
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/nixos"
+      "/var/lib/bluetooth"
+      "/var/lib/fprint"
+      "/var/lib/upower"
+      "/var/lib/tailscale"
+      "/var/lib/systemd/coredump"
+      "/etc/NetworkManager/system-connections"
+      "/var/lib/iwd" # Known networks and keys
+      {
+        directory = "/var/lib/colord";
+        user = "colord";
+        group = "colord";
+        mode = "u=rwx,g=rx,o=";
+      }
+      # TODO: cups?
+    ];
+    files = [
+      "/etc/machine-id"
+      #{ file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      "/var/lib/NetworkManager/secret_key"
+      "/var/lib/NetworkManager/seen-bssids"
+      "/var/lib/NetworkManager/timestamps"
+    ];
+  };
+
+  # /etc/{passwd,shadow} are not persisted
+  users.mutableUsers = false;
+
+  # Some report issues with impermanence file config for host keys, so just change their location
+  services.openssh.hostKeys =
+    builtins.map
+    (x: x // {path = "/persist" + x.path;})
+    options.services.openssh.hostKeys.default;
+
+  # sudo lecture db is not persisted, turn it off
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+}

nixos/nix-maintenance.nix

@@ -0,0 +1,14 @@
+{
+  nix = {
+    settings.auto-optimise-store = true;
+    optimise = {
+      automatic = true;
+      dates = ["weekly"];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 14d";
+    };
+  };
+}

nixos/tailscale.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  # Implicitly trust packets routed over Tailscale
+  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+}

nixos/user-system-config.nix

@@ -0,0 +1,54 @@
+# Configuration that really wants to be per-user,
+# but can't be defined from Home Manager.
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  networking.firewall = lib.mkMerge [
+    # User-mode Syncthing
+    {
+      allowedTCPPorts = [22000];
+      allowedUDPPorts = [21027 22000];
+    }
+
+    # LocalSend
+    {allowedTCPPorts = [53317];}
+  ];
+
+  environment.systemPackages = lib.mkMerge [
+    [pkgs.ryujinx]
+    [
+      (pkgs.lutris.override {
+        extraLibraries = pkgs: [
+          pkgs.libvdpau
+          pkgs.openal
+          pkgs.speex
+          pkgs.libgudev
+        ];
+      })
+      pkgs.wineWowPackages.waylandFull
+    ]
+    # For gamemode status in GNOME
+    (lib.mkIf (config.services.xserver.desktopManager.gnome.enable) [
+      pkgs.gnomeExtensions.gamemode-indicator-in-system-settings
+    ])
+  ];
+
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true;
+    gamescopeSession.enable = true;
+  };
+  programs.gamemode = {
+    enable = true;
+    enableRenice = true;
+    settings = {
+      general = {
+        softrealtime = "auto";
+        renice = 10;
+      };
+    };
+  };
+}

nixos/users.nix

@@ -0,0 +1,44 @@
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [inputs.home-manager.nixosModules.home-manager];
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {inherit inputs;};
+  };
+
+  # TODO: Remove
+  # Allow root login with same password as primary user
+  users.users.root.hashedPasswordFile = let
+    primaryUser = "evar";
+  in
+    config.users.users.${primaryUser}.hashedPasswordFile;
+
+  users.users.evar = {
+    hashedPassword = "$y$j9T$4TYc8brm3.oJUbkktbbEq/$cTlZRmAVxb2GtttEXSoSGw9y.qm.vUs/yXgwLjlTk46";
+    uid = 1000;
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "networkmanager"
+      "video"
+      "input"
+      "audio"
+      "adbusers"
+      "uucp"
+      "dialout"
+    ];
+    # openssh.authorizedKeys.keys = [
+    #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhBR2Kg0VR1+p9jNYmuaaGXTMjHwQSbvmzIjwhOOmNG emily@intras 2022-10-26"
+    # ];
+  };
+  home-manager.users.evar = {
+    imports = [../home];
+  };
+}