cleanup, reenable HT

2025-01-27 10:38:55 +01:00 · 2025-01-27 10:38:55 +01:00 · faf2aadd23
commit faf2aadd23
parent e6205dd705
11 changed files with 259 additions and 6183 deletions
--- a/common/gaming.nix
+++ b/common/gaming.nix
@ -17,7 +17,6 @@ in
  config = mkIf (enable && gaming) {
    programs.steam = {
      enable = true;
-      gamescopeSession.enable = true;
      gamescopeSession.env = {
        DRI_PRIME = "1";
      };
--- a/common/hardware/laptop.nix
+++ b/common/hardware/laptop.nix
@ -29,44 +29,15 @@ in
    services.udev.packages = with pkgs; [ yubikey-personalization ];
    boot.bcache.enable = false;

-    # hardware.i2c.enable = true;
    services.libinput.enable = true;
-    hardware.opentabletdriver.enable = true;
    
-    systemd.user.services.opentabletdriver.after = [ "local-fs.target" ];
+    # hardware.opentabletdriver.enable = true;
+    # systemd.user.services.opentabletdriver.after = [ "local-fs.target" ];

    services.udisks2.enable = true;
-
-    #services.udev.extraRules = ''
-    #  SUBSYSTEM=="i2c-dev", ACTION=="add",\
-    #    ATTR{name}=="NVIDIA i2c adapter*",\
-    #    TAG+="ddcci",\
-    #    TAG+="systemd",\
-    #    ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"
-    #'';
-
-    # systemd.services."ddcci@" = {
-    #  scriptArgs = "%i";
-    #  script = ''
-    #    sleep 20
-    #    echo Trying to attach ddcci to $1
-    #    i=0
-    #    id=$(echo $1 | cut -d "-" -f 2)
-    #    if ${lib.getExe' pkgs.ddcutil "ddcutil"} getvcp 10 -b $id; then
-    #      echo ddcci 0x37 > /sys/bus/i2c/devices/$1/new_device
-    #    fi
-    #  '';
-    #  serviceConfig.Type = "oneshot";
-    #};
-
-    # systemd.enableCgroupAccounting = true;
-    # systemd.enableUnifiedCgroupHierarchy = false;
-
    boot = {
      kernelParams = [
-        # "intel_iommu=on"
        "nohibernate"
-        # "pcie_aspm=off"
      ];
      loader.efi.canTouchEfiVariables = true;
      initrd.availableKernelModules = [
@ -77,14 +48,7 @@ in
        "usb_storage"
        "sd_mod"
      ];
-      #      initrd.systemd.enable = true;
      loader.systemd-boot.enable = true;
-      #      extraModulePackages = [ config.boot.kernelPackages.ddcci-driver ];
-      kernelModules = [
-        #        "ddcci_backlight"
-        #        "i2c-dev"
-        # "ec_sys"
-      ];
    };
  };

--- a/custom/ncspot/Cargo.lock
+++ b/custom/ncspot/Cargo.lock
--- a/custom/ncspot/package.nix
+++ b/custom/ncspot/package.nix
@ -1,96 +0,0 @@
-{
-  stdenv,
-  lib,
-  fetchFromGitHub,
-  rustPlatform,
-  pkg-config,
-  ncurses,
-  openssl,
-  darwin,
-  withALSA ? stdenv.isLinux,
-  alsa-lib,
-  withClipboard ? true,
-  libxcb,
-  python3,
-  withCover ? false,
-  ueberzug,
-  withPulseAudio ? stdenv.isLinux,
-  libpulseaudio,
-  withPortAudio ? stdenv.isDarwin,
-  portaudio,
-  withMPRIS ? stdenv.isLinux,
-  withNotify ? true,
-  dbus,
-  withCrossterm ? true,
-  nix-update-script,
-  testers,
-  ncspot,
-}:
-let
-  inherit (darwin.apple_sdk.frameworks) Cocoa;
-in
-rustPlatform.buildRustPackage rec {
-  pname = "ncspot";
-  version = "1.1.1";
-
-  src = fetchFromGitHub {
-    owner = "hrkfdn";
-    repo = "ncspot";
-    rev = "4ac180816da1d5caab356e71c8c56570e26ba1e8";
-    hash = "sha256-2WGFvugH/U2GH6/a/uSG0sbuu14u2BItKlc9esvueQc=";
-  };
-
-  cargoLock = {
-    lockFile = ./Cargo.lock;
-    outputHashes = {
-      "librespot-audio-0.5.0-dev" = "sha256-0LjNHLgZ91UrC3qefXzR4Pl+eh6+vyrkG2qaPDwWpAg=";
-    };
-  };
-
-  nativeBuildInputs = [ pkg-config ] ++ lib.optional withClipboard python3;
-
-  buildInputs =
-    [ ncurses ]
-    ++ lib.optional stdenv.isLinux openssl
-    ++ lib.optional withALSA alsa-lib
-    ++ lib.optional withClipboard libxcb
-    ++ lib.optional withCover ueberzug
-    ++ lib.optional withPulseAudio libpulseaudio
-    ++ lib.optional withPortAudio portaudio
-    ++ lib.optional (withMPRIS || withNotify) dbus
-    ++ lib.optional stdenv.isDarwin Cocoa;
-
-  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isDarwin "-DNCURSES_UNCTRL_H_incl";
-
-  buildNoDefaultFeatures = true;
-
-  buildFeatures =
-    [ "cursive/pancurses-backend" ]
-    ++ lib.optional withALSA "alsa_backend"
-    ++ lib.optional withClipboard "share_clipboard"
-    ++ lib.optional withCover "cover"
-    ++ lib.optional withPulseAudio "pulseaudio_backend"
-    ++ lib.optional withPortAudio "portaudio_backend"
-    ++ lib.optional withMPRIS "mpris"
-    ++ lib.optional withCrossterm "crossterm_backend"
-    ++ lib.optional withNotify "notify";
-
-  postInstall = ''
-    install -D --mode=444 $src/misc/ncspot.desktop $out/share/applications/${pname}.desktop
-    install -D --mode=444 $src/images/logo.svg $out/share/icons/hicolor/scalable/apps/${pname}.png
-  '';
-
-  passthru = {
-    updateScript = nix-update-script { };
-    tests.version = testers.testVersion { package = ncspot; };
-  };
-
-  meta = with lib; {
-    description = "Cross-platform ncurses Spotify client written in Rust, inspired by ncmpc and the likes";
-    homepage = "https://github.com/hrkfdn/ncspot";
-    changelog = "https://github.com/hrkfdn/ncspot/releases/tag/v${version}";
-    license = licenses.bsd2;
-    maintainers = with maintainers; [ liff ];
-    mainProgram = "ncspot";
-  };
-}
--- a/hardening/default.nix
+++ b/hardening/default.nix
@ -23,6 +23,8 @@
  virtualisation.vswitch.enable = false;
  services.resolved.enable = false;
  security.unprivilegedUsernsClone = true;
+  security.apparmor.enable = true;
+  security.allowSimultaneousMultithreading = true;
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [ nano ];
 }
--- a/hm/common/default.nix
+++ b/hm/common/default.nix
@ -129,8 +129,8 @@ in
  };

  gtk.theme = {
-    package = pkgs.gnome-themes-extra;
-    name = "Adwaita-dark";
+    package = pkgs.adw-gtk3;
+    name = "adw-gtk3-dark";
  };

  gtk.enable = true;
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -40,7 +40,6 @@
        ./factorio.nix
        ./ranger.nix
        ./vesktop.nix
-        # ./ncspot.nix
        # ./grpcio-tools.nix
      ];
 }
--- a/specific/grimm-nixos-ssd/configuration.nix
+++ b/specific/grimm-nixos-ssd/configuration.nix
@ -7,30 +7,19 @@
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
-    # ./modules/kvm.nix
+    ./filesystems.nix
+    ./tmpfiles.nix
    ./../../sway
  ];

  age.identityPaths = [ ../../secrets/yubikey-identity.txt ];

-  services.zfs.trim.enable = true;
-  boot.supportedFilesystems.zfs = true;
-
-  # systemd.services = lib.mapAttrs' (n: v: { serviceConfig.ProtectHome = lib.mkDefault true; }) (filterAttrs: (n: v: false) config.systemd.services);
-
-  # security.pam.yubico.control = "required";
-
  services.printing.cups-pdf.enable = true; # implies printing enable
  # services.printing.enable = true;
-  security.apparmor.enable = true;
-
-  #  networking.hostId = "2ea79333";
-  #  boot.kernelPackages = lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages;

  grimmShared = {
    tooling = {
      enable = true;
-      #      pass = true;
    };
    gaming = true;
    portals = true;
@ -53,23 +42,10 @@
        "shinigamieyes@shinigamieyes" = "shinigami-eyes";
      };
    };
-    #    cloudSync = {
-    #      enable = true;
-    #      username = "Grimmauld";
-    #      server = "cloud.grimmauld.de";
-    #      passwordFile = config.age.secrets.nextcloud_pass.path;
-    #    };
-
    spotify.enable = true;
  };
  
-  #  age.secrets.nextcloud_pass = {
-  #    file = ./../../secrets/nextcloud_pass.age;
-  #    mode = "777";
-  #  };
-
  networking.hostName = "grimm-nixos-ssd";
-
  system.stateVersion = "24.05";

  # nix.settings.extra-substituters = [ "https://nixcache.grimmauld.de" ];
--- a/specific/grimm-nixos-ssd/filesystems.nix
+++ b/specific/grimm-nixos-ssd/filesystems.nix
@ -0,0 +1,200 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  nix_build = "/nix/build-sandbox";
+  persist = "/nix/persist";
+  tmp-exec = "/tmp-exec";
+in
+
+{
+ systemd.tmpfiles.rules = [
+    "D! ${nix_build} 0755 root root 7d"
+  ];
+
+  boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
+
+  boot.zfs = {
+    forceImportRoot = false;
+    requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
+    package = pkgs.zfs_2_3;
+  };
+
+  boot.supportedFilesystems.zfs = true;
+  services.zfs.trim.enable = true;
+#  services.homed.enable = true;
+
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "defaults"
+      "size=2G"
+      "mode=755"
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
+  };
+
+  fileSystems."${persist}" = {
+    device = "zpool/persistent";
+    fsType = "zfs";
+    options = [
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
+  };
+
+  environment.etc =
+    lib.genAttrs
+      [
+        "machine-id"
+        "ssh/ssh_host_ed25519_key"
+        "ssh/ssh_host_ed25519_key.pub"
+        "ssh/ssh_host_rsa_key"
+        "ssh/ssh_host_rsa_key.pub"
+      ]
+      (n: {
+        source = "${persist}/etc/${n}";
+      });
+
+  fileSystems."/nix/var" = {
+    device = "/nix/var";
+    options = [
+      "bind"
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
+  };
+
+  fileSystems."/etc/NetworkManager/system-connections" = {
+    device = "${persist}/etc/NetworkManager/system-connections";
+    options = [
+      "bind"
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
+  };
+
+  fileSystems."/nix" = {
+    device = "zpool/nix";
+    fsType = "zfs";
+    options = [
+      "exec"
+      "suid"
+      "nodev"
+    ];
+  };
+
+  fileSystems."/var" = {
+    device = "zpool/var";
+    fsType = "zfs";
+    options = [
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
+  };
+
+  fileSystems."${nix_build}" = {
+    # can execute
+    device = "zpool/nix-build";
+    fsType = "zfs";
+    options = [
+      "exec"
+      "nosuid"
+      "nodev"
+    ];
+  };
+
+  fileSystems."${tmp-exec}" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "defaults"
+      "size=2G"
+      "exec"
+      "nosuid"
+      "nodev"
+      "mode=1777"
+    ];
+  };
+
+  systemd.services.nix-daemon.environment.TMPDIR = nix_build;
+
+  fileSystems."/etc/nixos" = {
+    device = "zpool/nix_conf";
+    fsType = "zfs";
+    options = [
+      "noacl"
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/12CE-A600";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+      "umask=077"
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
+    # noCheck = true;
+    # neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
+  };
+
+  #  fileSystems."/crypt-storage" =
+  #     { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
+  #      fsType = "ext4";
+  #      options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
+  #    };
+
+  security.pam = {
+    zfs = {
+      enable = true;
+      homes = "zpool/home";
+    };
+  };
+  
+  boot.initrd.luks.yubikeySupport = true; # enable yubikey support
+  boot.initrd.luks.reusePassphrases = false;
+
+  boot.initrd.luks.devices."root" = {
+    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
+    preLVM = true;
+    allowDiscards = true;
+
+    yubikey = {
+      slot = 2;
+      twoFactor = true; # Set to false for 1FA
+      gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
+      keyLength = 64; # Set to $KEY_LENGTH/8
+      saltLength = 16; # Set to $SALT_LENGTH
+
+      storage = {
+        device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
+        fsType = "ext4";
+        path = "/default";
+      };
+    };
+  };
+
+  swapDevices = [
+    #{
+    # device = "zpool/swap";
+    #  device = "/dev/zvol/zpool/swap";
+    #}
+  ];
+}
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@ -5,13 +5,6 @@
  modulesPath,
  ...
 }:
-
-let
-  nix_build = "/nix/build-sandbox";
-  persist = "/nix/persist";
-  tmp-exec = "/tmp-exec";
-in
-
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
@ -51,194 +44,14 @@ in
  security.lockKernelModules = false; # PAIN on an intended-portable setup
  # security.protectKernelImage = false;

-  boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
  boot.loader.systemd-boot.consoleMode = "auto";

-  systemd.tmpfiles.settings."mount"."/mnt".d = {
-    group = "root";
-    mode = "755";
-    user = "root";
-  };
-
-  boot.zfs = {
-    forceImportRoot = false;
-    requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
-    package = pkgs.zfs_2_3;
-  };
-
-  boot.supportedFilesystems.zfs = true;
  networking.hostId = "40fa5ea8";
-  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  boot.kernelPackages = pkgs.linuxPackages_6_12;
-  boot.extraModulePackages = [ ];
-  services.homed.enable = true;

-  fileSystems."/" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "defaults"
-      "size=2G"
-      "mode=755"
-      "noexec"
-      "nosuid"
-      "nodev"
-    ];
-  };
-
-  fileSystems."${persist}" = {
-    device = "zpool/persistent";
-    fsType = "zfs";
-    options = [
-      "noexec"
-      "nosuid"
-      "nodev"
-    ];
-  };
-
-  environment.etc =
-    lib.genAttrs
-      [
-        "machine-id"
-        "ssh/ssh_host_ed25519_key"
-        "ssh/ssh_host_ed25519_key.pub"
-        "ssh/ssh_host_rsa_key"
-        "ssh/ssh_host_rsa_key.pub"
-      ]
-      (n: {
-        source = "${persist}/etc/${n}";
-      });

  environment.memoryAllocator.provider = "libc";

-  fileSystems."/nix/var" = {
-    device = "/nix/var";
-    options = [
-      "bind"
-      "noexec"
-      "nosuid"
-      "nodev"
-    ];
-  };
-
-  fileSystems."/etc/NetworkManager/system-connections" = {
-    device = "${persist}/etc/NetworkManager/system-connections";
-    options = [
-      "bind"
-      "noexec"
-      "nosuid"
-      "nodev"
-    ];
-  };
-
-  fileSystems."/nix" = {
-    device = "zpool/nix";
-    fsType = "zfs";
-    options = [
-      "exec"
-      "suid"
-      "nodev"
-    ];
-  };
-
-  fileSystems."/var" = {
-    device = "zpool/var";
-    fsType = "zfs";
-    options = [
-      "noexec"
-      "nosuid"
-      "nodev"
-    ];
-  };
-
-  fileSystems."${nix_build}" = {
-    # can execute
-    device = "zpool/nix-build";
-    fsType = "zfs";
-    options = [
-      "exec"
-      "nosuid"
-      "nodev"
-    ];
-  };
-
-  fileSystems."${tmp-exec}" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "defaults"
-      "size=2G"
-      "exec"
-      "nosuid"
-      "nodev"
-      "mode=1777"
-    ];
-  };
-
-  # environment.sessionVariables."java.io.tmpdir" = tmp-exec;
-
-  # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
-
-  systemd.tmpfiles.rules = [
-    "D! ${nix_build} 0755 root root 7d"
-    "D! /var/cache 0755 root root 7d"
-    "e! /var/.Trash-0 0755 root root 14d"
-    "D! /var/tmp 0755 root root 14d"
-    # "D! /root 0700 root root"
-  ];
-
-  systemd.user.tmpfiles.users =
-    let
-      forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
-    in
-    lib.mergeAttrsList (
-      forEachUser (
-        name: user: {
-          "${name}".rules = [
-            # "d /home/${user}/Downloads - - - 14d"
-            "e ${user.home}/.vim/undodir - - - 7d"
-            "d ${user.home}/.cache - - - 7d"
-            "e ${user.home}/.java - - - 7d"
-            "e ${user.home}/.gradle - - - 7d"
-            "e ${user.home}/.cargo - - - 7d"
-            "e ${user.home}/.rustup - - - 7d"
-            "e ${user.home}/.templateengine - - - 7d"
-            "e ${user.home}/.sane - - - 7d"
-            "e ${user.home}/.dotnet - - - 7d"
-            "e ${user.home}/.nuget - - - 7d"
-            # "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
-          ];
-        }
-      )
-    );
-
-  systemd.services.nix-daemon.environment.TMPDIR = nix_build;
-
-  fileSystems."/etc/nixos" = {
-    device = "zpool/nix_conf";
-    fsType = "zfs";
-    options = [
-      "noacl"
-      "noexec"
-      "nosuid"
-      "nodev"
-    ];
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/12CE-A600";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
-      "umask=077"
-      "noexec"
-      "nosuid"
-      "nodev"
-    ];
-    # noCheck = true;
-    # neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
-  };
  
  grimmShared = {
    screens = {
@ -258,53 +71,10 @@ in
    laptop_hardware.enable = true;
  };

-  #  fileSystems."/crypt-storage" =
-  #     { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
-  #      fsType = "ext4";
-  #      options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
-  #    };
-
-  security.pam = {
-    zfs = {
-      enable = true;
-      homes = "zpool/home";
-    };
-  };
-
  boot.initrd.systemd.enable = false; # breaks with luks
  system.etc.overlay.enable = false; # requires systemd initrd1

-  boot.initrd.luks.yubikeySupport = true; # enable yubikey support
-  boot.initrd.luks.reusePassphrases = false;
-
-  boot.initrd.luks.devices."root" = {
-    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
-    preLVM = true;
-    allowDiscards = true;
-
-    yubikey = {
-      slot = 2;
-      twoFactor = true; # Set to false for 1FA
-      gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
-      keyLength = 64; # Set to $KEY_LENGTH/8
-      saltLength = 16; # Set to $SALT_LENGTH
-
-      storage = {
-        device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
-        fsType = "ext4";
-        path = "/default";
-      };
-    };
-  };
-
-  swapDevices = [
-    #{
-    # device = "zpool/swap";
-    #  device = "/dev/zvol/zpool/swap";
-    #}
-  ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
--- a/specific/grimm-nixos-ssd/tmpfiles.nix
+++ b/specific/grimm-nixos-ssd/tmpfiles.nix
@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  ...
+}:
+{
+  
+  # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
+  
+  systemd.tmpfiles.settings."mount"."/mnt".d = {
+    group = "root";
+    mode = "755";
+    user = "root";
+  };
+
+  systemd.tmpfiles.rules = [
+    "D! /var/cache 0755 root root 7d"
+    "e! /var/.Trash-0 0755 root root 14d"
+    "D! /var/tmp 0755 root root 14d"
+    # "D! /root 0700 root root"
+  ];
+
+  systemd.user.tmpfiles.users =
+    let
+      forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
+    in
+    lib.mergeAttrsList (
+      forEachUser (
+        name: user: {
+          "${name}".rules = [
+            # "d /home/${user}/Downloads - - - 14d"
+            "e ${user.home}/.vim/undodir - - - 7d"
+            "d ${user.home}/.cache - - - 7d"
+            "e ${user.home}/.java - - - 7d"
+            "e ${user.home}/.gradle - - - 7d"
+            "e ${user.home}/.cargo - - - 7d"
+            "e ${user.home}/.rustup - - - 7d"
+            "e ${user.home}/.templateengine - - - 7d"
+            "e ${user.home}/.sane - - - 7d"
+            "e ${user.home}/.dotnet - - - 7d"
+            "e ${user.home}/.nuget - - - 7d"
+            # "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
+          ];
+        }
+      )
+    );
+  }