feat(mixed): some updates

.gitignore

@@ -6,3 +6,6 @@ result*
 cert*
 key*
 /.pre-commit-config.yaml
+home/features/desktop/vivaldi
+hosts/heimdall/
+lima.yaml

flake.lock

@@ -111,11 +111,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763604782,
-        "narHash": "sha256-sILPaT6a0D8dc/2PMr5Ge+Dm4DMwv6/ARcUOWquarX0=",
+        "lastModified": 1765454544,
+        "narHash": "sha256-3Q8x53CHKVSDr0qagrbD84/w1bCj6NwFNWw25A5Fbvg=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "de0dc6a85ae88eb8194c2f7e053f3e933b77c2ac",
+        "rev": "6c88b5f14cf1a0002a7a48c147a76145b4de95d1",
         "type": "github"
       },
       "original": {
@@ -131,11 +131,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762276996,
-        "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
+        "lastModified": 1765326679,
+        "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
+        "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e",
         "type": "github"
       },
       "original": {
@@ -163,11 +163,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
         "type": "github"
       },
       "original": {
@@ -205,11 +205,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762980239,
-        "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=",
+        "lastModified": 1763759067,
+        "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da",
+        "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
         "type": "github"
       },
       "original": {
@@ -271,11 +271,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763319842,
-        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
+        "lastModified": 1765459528,
+        "narHash": "sha256-RvRup4vx8ZvTOH7RTKxXXTmFhhYgQnoUAajoWuZIwcM=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
+        "rev": "46600f39dd738b2e7fa9da358d21684e2d493845",
         "type": "github"
       },
       "original": {
@@ -355,11 +355,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763416652,
-        "narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=",
+        "lastModified": 1765461410,
+        "narHash": "sha256-AVZ1y5tfTGqf5zJx6uY52KHN2pP9gGF9RMQ3meBVKIg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312",
+        "rev": "7b34e428f31ce52baabda53e52bf14002e1c0625",
         "type": "github"
       },
       "original": {
@@ -454,11 +454,11 @@
     },
     "nixos-facter-modules": {
       "locked": {
-        "lastModified": 1762264948,
-        "narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=",
+        "lastModified": 1765442039,
+        "narHash": "sha256-k3lYQ+A1F7aTz8HnlU++bd9t/x/NP2A4v9+x6opcVg0=",
         "owner": "nix-community",
         "repo": "nixos-facter-modules",
-        "rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96",
+        "rev": "9dd775ee92de63f14edd021d59416e18ac2c00f1",
         "type": "github"
       },
       "original": {
@@ -469,11 +469,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763334038,
-        "narHash": "sha256-LBVOyaH6NFzQ3X/c6vfMZ9k4SV2ofhpxeL9YnhHNJQQ=",
+        "lastModified": 1765363881,
+        "narHash": "sha256-3C3xWn8/2Zzr7sxVBmpc1H1QfxjNfta5IMFe3O9ZEPw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4c8cdd5b1a630e8f72c9dd9bf582b1afb3127d2c",
+        "rev": "d2b1213bf5ec5e62d96b003ab4b5cbc42abfc0d0",
         "type": "github"
       },
       "original": {
@@ -485,11 +485,11 @@
     },
     "nixpkgs-darwin": {
       "locked": {
-        "lastModified": 1763544195,
-        "narHash": "sha256-RQd61fDW3hnvIsE+fbGPiu4U4kV9kNEksweGfYMEvyE=",
+        "lastModified": 1765311838,
+        "narHash": "sha256-I4HxlTn5VS443QGtHFCGd8Te6zQcIdl2Vq6v+AsRpDA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2e948201e2d01325521b131f02dee4079f2a0fdf",
+        "rev": "0738efdb77594c885f02c3763b27e091837dec56",
         "type": "github"
       },
       "original": {
@@ -501,11 +501,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1763464769,
-        "narHash": "sha256-AJHrsT7VoeQzErpBRlLJM1SODcaayp0joAoEA35yiwM=",
+        "lastModified": 1765270179,
+        "narHash": "sha256-g2a4MhRKu4ymR4xwo+I+auTknXt/+j37Lnf0Mvfl1rE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6f374686605df381de8541c072038472a5ea2e2d",
+        "rev": "677fbe97984e7af3175b6c121f3c39ee5c8d62c9",
         "type": "github"
       },
       "original": {
@@ -525,11 +525,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1763332965,
-        "narHash": "sha256-ixaP8XeGRo4ZMOLlUJm1YSxMjoOMvrPN3UbMMWe2Nt8=",
+        "lastModified": 1765142559,
+        "narHash": "sha256-LwqL+m95SrEYPrHcAxAj3gvRITEqqOKkt39QvY2MzbA=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "4ddfbc0414d28d6ba0267470a0b94b84b85ad490",
+        "rev": "7599ab2424729fd10e7544b28c8185d8a464dc7a",
         "type": "github"
       },
       "original": {
@@ -576,7 +576,8 @@
         "nixpkgs-darwin": "nixpkgs-darwin",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nixvim": "nixvim",
-        "secrets": "secrets"
+        "secrets": "secrets",
+        "zen-browser": "zen-browser"
       }
     },
     "secrets": {
@@ -638,6 +639,29 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "zen-browser": {
+      "inputs": {
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765430623,
+        "narHash": "sha256-YfJwnCXF3V+WFedx4RtrIdZ8XxF6zB1Oh2ij/EHzoWk=",
+        "owner": "0xc000022070",
+        "repo": "zen-browser-flake",
+        "rev": "f2881ba36cbfc86ef1fe741cec871fe523aea5bd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "0xc000022070",
+        "repo": "zen-browser-flake",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -32,6 +32,10 @@
 
     git-hooks.url = "github:cachix/git-hooks.nix";
     git-hooks.inputs.nixpkgs.follows = "nixpkgs";
+
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";
+    zen-browser.inputs.nixpkgs.follows = "nixpkgs";
+    zen-browser.inputs.home-manager.follows = "home-manager";
   };
 
   outputs =

home/features/cli/git.nix

@@ -21,6 +21,7 @@ in
 {
 
   home.packages = with pkgs; [
+    gh
     git-crypt
     codeberg-cli
   ];

home/features/cli/starship.nix

@@ -6,6 +6,7 @@
 
     settings = {
       format = "$all$directory$character";
+      nix_shell.disabled = true;
 
       palette = "kanagawa";
       palettes.kanagawa = {

home/features/desktop/aerospace.nix

@@ -10,9 +10,9 @@ in
 
   programs.aerospace = {
     enable = true;
-    userSettings = {
-      start-at-login = true;
+    launchd.enable = true;
 
+    settings = {
       mode.main.binding = {
         # vim-style window focusing
         ctrl-h = "exec-and-forget ${aerospace-focus} left";

home/features/desktop/default.nix

@@ -3,7 +3,9 @@
   imports = [
     ./fonts.nix
     ./ghostty.nix
+    # ./thunderbird.nix
     ./yubikey.nix
+    ./zen-browser.nix
   ]
   ++ lib.optionals (isDarwin) [
     ./aerospace.nix

home/features/desktop/thunderbird.nix

@@ -0,0 +1,6 @@
+{
+  programs.thunderbird = {
+    enable = false;
+    profiles.thomas.isDefault = true;
+  };
+}

home/features/desktop/zen-browser.nix

@@ -1,203 +1,97 @@
-{
-  inputs,
-  pkgs,
-  lib,
-  config,
-  ...
+{ inputs
+, config
+, ...
 }:
 
 let
-  locked = value: {
-    Value = value;
-    Status = "locked";
-  };
+  mkExtensionSettings = builtins.mapAttrs (_: pluginId: {
+    install_url = "https://addons.mozilla.org/firefox/downloads/latest/${pluginId}/latest.xpi";
+    installation_mode = "force_installed";
+  });
 in
 
 {
   imports = [
-    inputs.zen-browser.homeModules.twilight
+    inputs.zen-browser.homeModules.beta
   ];
 
   programs.zen-browser.policies = {
-    ExtensionSettings = {
-      "{d7742d87-e61d-4b78-b8a1-b469842139fa}" = {
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/vimium-ff/latest.xpi";
-        installation_mode = "force_installed";
-      };
-
-      "[email protected]" = {
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
-        installation_mode = "force_installed";
-      };
-
-      "{7be2ba16-0f1e-4d93-9ebc-5164397477a9}" = {
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/videospeed/latest.xpi";
-        installation_mode = "force_installed";
-      };
-
-      "[email protected]" = {
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/proton-pass/latest.xpi";
-        installation_mode = "force_installed";
-      };
-
-      "addon@simplelogin" = {
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi";
-        installation_mode = "force_installed";
-      };
-
-      "[email protected]" = {
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/alby/latest.xpi";
-        installation_mode = "force_installed";
-      };
+    AutofillAddressEnabled = false;
+    AutofillCreditCardEnabled = false;
+    DisableAppUpdate = true;
+    DisableFeedbackCommands = true;
+    DisableFirefoxStudies = true;
+    DisablePocket = true;
+    DisableTelemetry = true;
+    DontCheckDefaultBrowser = true;
+    NoDefaultBookmarks = true;
+    OfferToSaveLogins = false;
+    EnableTrackingProtection = {
+      Value = true;
+      Locked = true;
+      Cryptomining = true;
+      Fingerprinting = true;
+    };
 
-      "[email protected]" = {
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi";
-        installation_mode = "force_installed";
-      };
+    ExtensionSettings = mkExtensionSettings {
+      "{d7742d87-e61d-4b78-b8a1-b469842139fa}" = "vimium-ff";
+      "[email protected]" = "ublock-origin";
+      "{7be2ba16-0f1e-4d93-9ebc-5164397477a9}" = "videospeed";
+      "addon@simplelogin" = "simplelogin";
+      "[email protected]" = "alby";
+      "[email protected]" = "darkreader";
     };
   };
 
   programs.zen-browser = {
     enable = true;
-
-    # NOTE: Zen Browser seems currently to ignore Enterprise Policies
-    # See: https://github.com/zen-browser/desktop/discussions/2195
-    # All actual configuration is done via Preferences instead
-    policies = {
-      Preferences = builtins.mapAttrs (_: locked) {
-        # Original preferences
-        "browser.tabs.warnOnClose" = false;
-        "media.videocontrols.picture-in-picture.video-toggle.enabled" = true;
-
-        # AutofillAddressEnabled = false
-        "extensions.formautofill.addresses.enabled" = false;
-        "extensions.formautofill.addresses.capture.enabled" = false;
-
-        # AutofillCreditCardEnabled = false
-        "extensions.formautofill.creditCards.enabled" = false;
-        "extensions.formautofill.creditCards.available" = false;
-
-        # DisableAppUpdate = true
-        "app.update.enabled" = false;
-        "app.update.auto" = false;
-        "app.update.service.enabled" = false;
-
-        # DisableFeedbackCommands = true
-        "browser.chrome.toolbar_tips" = false;
-
-        # DisableFirefoxStudies = true
-        "app.shield.optoutstudies.enabled" = false;
-        "app.normandy.enabled" = false;
-        "app.normandy.api_url" = "";
-
-        # DisablePocket = true
-        "extensions.pocket.enabled" = false;
-        "extensions.pocket.api" = "";
-        "extensions.pocket.oAuthConsumerKey" = "";
-        "extensions.pocket.site" = "";
-
-        # DisableTelemetry = true
-        "toolkit.telemetry.enabled" = false;
-        "toolkit.telemetry.unified" = false;
-        "toolkit.telemetry.server" = "";
-        "toolkit.telemetry.archive.enabled" = false;
-        "toolkit.telemetry.newProfilePing.enabled" = false;
-        "toolkit.telemetry.shutdownPingSender.enabled" = false;
-        "toolkit.telemetry.updatePing.enabled" = false;
-        "toolkit.telemetry.bhrPing.enabled" = false;
-        "toolkit.telemetry.firstShutdownPing.enabled" = false;
-        "datareporting.healthreport.uploadEnabled" = false;
-        "datareporting.policy.dataSubmissionEnabled" = false;
-        "browser.ping-centre.telemetry" = false;
-        "browser.newtabpage.activity-stream.feeds.telemetry" = false;
-        "browser.newtabpage.activity-stream.telemetry" = false;
-
-        # DontCheckDefaultBrowser = true
-        "browser.shell.checkDefaultBrowser" = false;
-
-        # NoDefaultBookmarks = true
-        "browser.bookmarks.restore_default_bookmarks" = false;
-
-        # OfferToSaveLogins = false
-        "signon.rememberSignons" = false;
-        "signon.autofillForms" = false;
-        "signon.generation.enabled" = false;
-
-        # EnableTrackingProtection (supplementary preferences)
-        "privacy.trackingprotection.enabled" = true;
-        "privacy.trackingprotection.pbmode.enabled" = true;
-        "privacy.trackingprotection.cryptomining.enabled" = true;
-        "privacy.trackingprotection.fingerprinting.enabled" = true;
-        "privacy.trackingprotection.socialtracking.enabled" = true;
-
-        # Additional privacy hardening
-        "browser.safebrowsing.malware.enabled" = false;
-        "browser.safebrowsing.phishing.enabled" = false;
-        "browser.safebrowsing.downloads.enabled" = false;
-        "browser.safebrowsing.downloads.remote.enabled" = false;
-        "network.captive-portal-service.enabled" = false;
-        "network.connectivity-service.enabled" = false;
+    profiles."default" = {
+      containersForce = true;
+      containers = {
+        Personal = {
+          color = "purple";
+          icon = "fingerprint";
+          id = 1;
+        };
+
+        Development = {
+          color = "blue";
+          icon = "briefcase";
+          id = 2;
+        };
+
+        Shopping = {
+          color = "yellow";
+          icon = "dollarsign";
+          id = 3;
+        };
       };
+
+      spacesForce = true;
+      spaces =
+        let
+          containers = config.programs.zen-browser.profiles."default".containers;
+        in
+        {
+          "Space" = {
+            id = "c6de089c-410d-4206-961d-ab11f988d40a";
+            icon = "🏠";
+            container = containers.Personal.id;
+            position = 1000;
+          };
+          "Work" = {
+            id = "cdd10fab-4fc5-494b-9041-325e5759195b";
+            icon = "🚀";
+            container = containers.Development.id;
+            position = 2000;
+          };
+          "Shopping" = {
+            id = "78aabdad-8aae-4fe0-8ff0-2a0c6c4ccc24";
+            icon = "💸";
+            container = containers.Shopping.id;
+            position = 3000;
+          };
+        };
     };
   };
-
-  home.activation.zenExtensions = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
-    ZEN_PROFILES_DIR="$HOME/Library/Application Support/zen/Profiles"
-
-    if [ -d "$ZEN_PROFILES_DIR" ]; then
-      # Extract extension settings from the configuration
-      EXTENSIONS_CONFIG='${builtins.toJSON config.programs.zen-browser.policies.ExtensionSettings}'
-
-      # Find all profile directories that contain zen-themes.json
-      find "$ZEN_PROFILES_DIR" -maxdepth 1 -type d -name "*.*" | while read -r PROFILE_DIR; do
-        # Skip profiles that don't have zen-themes.json
-        if [ ! -f "$PROFILE_DIR/zen-themes.json" ]; then
-          continue
-        fi
-        EXTENSIONS_DIR="$PROFILE_DIR/extensions"
-        mkdir -p "$EXTENSIONS_DIR"
-        
-        echo "Managing extensions for profile: $(basename "$PROFILE_DIR")"
-        
-        # Create a temporary file to track which extensions should exist
-        EXPECTED_EXTENSIONS=$(mktemp)
-        
-        # Parse the JSON configuration and download/update extensions
-        echo "$EXTENSIONS_CONFIG" | ${pkgs.jq}/bin/jq -r 'to_entries[] | select(.value.installation_mode == "force_installed") | "\(.key) \(.value.install_url)"' | while read -r EXTENSION_ID INSTALL_URL; do
-          EXTENSION_FILE="$EXTENSIONS_DIR/$EXTENSION_ID.xpi"
-          
-          # Add to expected extensions list
-          echo "$EXTENSION_ID.xpi" >> "$EXPECTED_EXTENSIONS"
-          
-          echo "Installing extension: $EXTENSION_ID"
-          ${pkgs.curl}/bin/curl -L -o "$EXTENSION_FILE" "$INSTALL_URL"
-          
-          if [ $? -eq 0 ]; then
-            echo "Successfully installed: $EXTENSION_ID"
-          else
-            echo "Failed to install: $EXTENSION_ID"
-            rm -f "$EXTENSION_FILE"
-          fi
-        done
-        
-        # Remove extensions that are no longer in the configuration
-        if [ -f "$EXPECTED_EXTENSIONS" ]; then
-          for EXISTING_XPI in "$EXTENSIONS_DIR"/*.xpi; do
-            if [ -f "$EXISTING_XPI" ]; then
-              BASENAME=$(basename "$EXISTING_XPI")
-              if ! grep -Fxq "$BASENAME" "$EXPECTED_EXTENSIONS"; then
-                echo "Removing unmanaged extension: $BASENAME"
-                rm -f "$EXISTING_XPI"
-              fi
-            fi
-          done
-        fi
-        
-        # Cleanup temporary file
-        rm -f "$EXPECTED_EXTENSIONS"
-      done
-    else
-      echo "Zen Browser profiles directory not found: $ZEN_PROFILES_DIR"
-    fi
-  '';
 }

modules/darwin/kanata.nix

@@ -1,8 +1,7 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
+{ config
+, lib
+, pkgs
+, ...
 }:
 let
   cfg = config.services.kanata;
@@ -102,6 +101,8 @@ in
       ];
       RunAtLoad = true;
       KeepAlive = true;
+      StandardOutPath = "/Library/Logs/Karabiner/karabiner-vhiddaemon.out.log";
+      StandardErrorPath = "/Library/Logs/Karabiner/karabiner-vhiddaemon.err.log";
     };
 
     launchd.daemons.karabiner-vhidmanager.serviceConfig = {
@@ -111,6 +112,8 @@ in
         "activate"
       ];
       RunAtLoad = true;
+      StandardOutPath = "/Library/Logs/Karabiner/karabiner-vhidmanager.out.log";
+      StandardErrorPath = "/Library/Logs/Karabiner/karabiner-vhidmanager.err.log";
     };
 
     launchd.daemons.kanata.serviceConfig = {
@@ -119,7 +122,7 @@ in
         "${lib.getExe cfg.package}"
         "--port"
         "10000"
-        # "--debug"
+        "--debug"
       ]
       ++ lib.optionals (cfg.config != "") [
         "-c"