Use libsecret for mbsync and git-credential-helper

Add gnome-keyring as libsecret backend, swap git-credential-helper and mbsync to using libsecret/secret-tool. Add helper script to check for and request mbsync passwords if missing. Add GNOME Seahorse for viewing passwords graphically. Remove email/work.nix and merge back into default.nix Don't auto start protonmail-bridge, use the GUI instead so it doesn't need to unlock all my keychains immediately Move 3D modelling software to Vanguard only, instead of all personal devices. Move waybar back to top of screen and adjust all corner radii to 5px from 10px Re-enable swayfx blur_ignore_transparent now that it's added to nixpkgs, re-enable shadows
2024-07-08 08:58:32 +01:00 · 2024-07-08 08:58:32 +01:00 · 94c6d717b0
parent 9d80d3ab4c
commit 94c6d717b0
19 changed files with 221 additions and 205 deletions
--- a/README.org
+++ b/README.org
@ -22,38 +22,25 @@ NixOS system), run:
 #+end_src
 ** Clone password-store repository
 #+begin_src bash
-  git -c credential.helper='' clone https://git.xenia.me.uk/pixelifytica/pass $PASSWORD_STORE_DIR
+  git clone https://git.xenia.me.uk/pixelifytica/pass $PASSWORD_STORE_DIR
 #+end_src

 * Email setup
+** Passwords for mbsync
+Run src_bash{mbsync-ensure-pass} to check for passwords required by
+~mbsync~, and query for missing passwords.
+
+Static app-specific passwords are stored in ~password-store~, fetch from
+there to add to secret service.
 ** Proton
 *** Bridge
 Start Proton Mail Bridge application, if needed configure to store
 using =SecretService= and log in. Application will auto-start with
-plasma session.
-*** Password
-Get password from ~protonmail-bridge~, save to ~password-store~:
-#+begin_src bash
-  pass insert mbsync/$(hostname)/proton
-  # Insert pass at prompt
-#+end_src
-** iCloud
-*** Password
-If not already done, save password to ~password-store~:
-#+begin_src bash
-  pass insert mbsync/$(hostname)/icloud
-  # Insert pass at prompt
-#+end_src
-This will be synced across devices so only needs doing once
+desktop session.
+
+Use password from Bridge for ~mbsync~.
 ** Outlook
-*** Password
-If not already done, save password to ~password-store~:
-#+begin_src bash
-  pass insert mbsync/$(hostname)/outlook
-  # Insert pass at prompt
-#+end_src
-This will be synced across devices so only needs doing once
-*** Configuration
+*** Davmail
 Run src_bash{davmail-setup} to automate this process.

 On first run (or if token expires), stop systemd service and run manually to complete manual auth. Token will stay valid for a little while (no idea how long specifically).
--- a/home/Vanguard.nix
+++ b/home/Vanguard.nix
@ -4,6 +4,11 @@
    ./games/default.nix
    ./streaming/default.nix
  ];
+  home.packages = with pkgs; [
+    blender
+    freecad
+    prusa-slicer
+  ];
  wayland.windowManager.sway.config = {
    output = {
      "Microstep MSI G27CQ4 E2 Unknown" = {
--- a/home/default.nix
+++ b/home/default.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{...}: {
  imports = [
    # Programs
    ./desktop/default.nix
@ -10,7 +6,7 @@
    ./emacs/default.nix
    ./browser/default.nix
    # Services
-    ./services/email/work.nix # TODO combine again at some point
+    ./services/email/default.nix
    ./services/password-store/default.nix
    # Additional Scripts
    ./scripts/default.nix
--- a/home/desktop/default.nix
+++ b/home/desktop/default.nix
@ -6,7 +6,6 @@
 }: {
  imports = [
    ./sway/default.nix
-    ./foot/default.nix
    ./alacritty/default.nix
    ./avizo/default.nix
    ./fuzzel/default.nix
@ -16,34 +15,51 @@
    ./waybar/default.nix
    ./wlogout/default.nix
  ];
-  home.packages = with pkgs; [
-    pinentry
-    ffmpeg
-    evince
-    libreoffice-fresh
-    inkscape
-    webcord
-    teams-for-linux
-    swayimg
-    swaybg
-    (writeShellScriptBin "set-background" ''
-      ${swaybg}/bin/swaybg -m fill -i ${./wallpapers/landscapes/tropic_island_day.jpg}
-    '')
-    (writeShellScriptBin "protonmail-setup-bridge" ''
-      pkill -9 -f protonmail-bridge
-      ${protonmail-bridge}/bin/protonmail-bridge -c
-      swaymsg exec "${protonmail-bridge}/bin/protonmail-bridge -n"
-    '')
-    (writeShellScriptBin "davmail-setup" ''
-      systemctl --user restart davmail # Ensure config file is present
-      systemctl --user stop davmail
-      ${davmail}/bin/davmail -n ~/.davmail.properties
-      systemctl --user restart davmail
-    '')
-  ];
+  home = {
+    pointerCursor = let
+      name =
+        if config.scheme.variant == "light"
+        then "volantes_cursors"
+        else "volantes_light_cursors";
+    in {
+      inherit name;
+      package = pkgs.volantes-cursors;
+      size = 32;
+      gtk.enable = true;
+      x11 = {
+        enable = true;
+        defaultCursor = name;
+      };
+    };
+    packages = with pkgs; [
+      pinentry-gnome3
+      gnome.seahorse
+      ffmpeg
+      evince
+      libreoffice-fresh
+      inkscape
+      webcord
+      teams-for-linux
+      grim
+      slurp
+      swayimg
+      swaybg
+      (writeShellScriptBin "protonmail-setup-bridge" ''
+        pkill -9 -f protonmail-bridge
+        ${protonmail-bridge}/bin/protonmail-bridge -c
+        swaymsg exec "${protonmail-bridge}/bin/protonmail-bridge -n"
+      '')
+      (writeShellScriptBin "davmail-setup" ''
+        systemctl --user restart davmail # Ensure config file is present
+        systemctl --user stop davmail
+        ${davmail}/bin/davmail -n ~/.davmail.properties
+        systemctl --user restart davmail
+      '')
+    ];
+  };
  services = {
    avizo.enable = true;
-    gpg-agent.pinentryPackage = pkgs.pinentry-gtk2;
+    gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
    syncthing.enable = true;
    kdeconnect = {
      enable = true;
@ -66,14 +82,6 @@
        then "Papirus-Light"
        else "Papirus-Dark";
    };
-    cursorTheme = {
-      package = pkgs.volantes-cursors;
-      name =
-        if config.scheme.variant == "light"
-        then "volantes_cursors"
-        else "volantes_light_cursors";
-      size = 32;
-    };
    theme = {
      package = pkgs.gnome.gnome-themes-extra;
      name =
--- a/home/desktop/fuzzel/default.nix
+++ b/home/desktop/fuzzel/default.nix
@ -39,7 +39,7 @@
      };
      border = {
        width = 1;
-        radius = 10;
+        radius = 5;
      };
    };
  };
--- a/home/desktop/mako/default.nix
+++ b/home/desktop/mako/default.nix
@ -19,7 +19,7 @@
    progressColor = "over ${sc.red}ff";
    backgroundColor = "${sc.base00}cc";
    borderColor = "${sc.${accentColourName}}ff";
-    borderRadius = 10;
+    borderRadius = 5;
    borderSize = 1;
    defaultTimeout = 0;
  };
--- a/home/desktop/mimeapps.nix
+++ b/home/desktop/mimeapps.nix
@ -72,6 +72,6 @@ in {
  "x-scheme-handler/ms-powerpoint" = ["impress.desktop"];
  "x-scheme-handler/ms-excel" = ["calc.desktop"];
  "x-scheme-handler/msteams" = ["teams-for-linux.desktop"] ++ browser;
-  "x-scheme-handler/zoomus" = ["Zoom.desktop"] ++ browser;
-  "x-scheme-handler/zoommtg" = ["Zoom.desktop"] ++ browser;
+  "x-scheme-handler/zoomus" = browser;
+  "x-scheme-handler/zoommtg" = browser;
 }
--- a/home/desktop/rofi/default.nix
+++ b/home/desktop/rofi/default.nix
@ -57,7 +57,7 @@
        width = mkLiteral "75%";
        border = mkLiteral "1px";
        border-color = border;
-        border-radius = mkLiteral "10px";
+        border-radius = mkLiteral "5px";
        background-color = bg;
      };

@ -70,7 +70,7 @@
        background-color = bg2;
        padding = mkLiteral "6px";
        text-color = blue;
-        border-radius = mkLiteral "10px";
+        border-radius = mkLiteral "5px";
        margin = mkLiteral "20px 0px 0px 20px";
      };

@ -103,7 +103,7 @@
      "element selected" = {
        background-color = bg2;
        text-color = blue;
-        border-radius = mkLiteral "10px";
+        border-radius = mkLiteral "5px";
      };

      mode-switcher = {
@ -113,7 +113,7 @@
      button = {
        padding = mkLiteral "10px";
        text-color = fg2;
-        border-radius = mkLiteral "10px";
+        border-radius = mkLiteral "5px";
        vertical-align = mkLiteral "0.5";
        horizontal-align = mkLiteral "0.5";
      };
--- a/home/desktop/sway/default.nix
+++ b/home/desktop/sway/default.nix
@ -5,7 +5,12 @@
  fonts,
  accentColourName,
  ...
-}: {
+}: let
+  set-background = pkgs.writeShellScriptBin "set-background" ''
+    ${pkgs.swaybg}/bin/swaybg -m fill -i ${./wallpapers/landscapes/tropic_island_day.jpg}
+  '';
+in {
+  home.packages = [set-background];
  programs.waybar.systemd.target = "sway-session.target";
  services.kanshi.systemdTarget = "sway-session.target";
  wayland.windowManager.sway = {
@ -81,8 +86,7 @@
      };
      startup = [
        {command = "${pkgs.libsForQt5.polkit-kde-agent}/libexec/polkit-kde-authentication-agent-1";}
-        {command = "${pkgs.protonmail-bridge}/bin/protonmail-bridge -n";}
-        {command = "set-background";}
+        {command = "${set-background}/bin/set-background";}
      ];
      window = {
        border = 1;
@ -159,23 +163,22 @@
    extraConfig = ''
      bindgesture swipe:right workspace prev
      bindgesture swipe:left workspace next
-      corner_radius 10
+      corner_radius 5
      blur enable
      blur_xray disable
      blur_passes 3
      blur_radius 5
-      corner_radius 10
-      shadows disable
-      shadow_blur_radius 0
-      layer_effects "system-menu" blur enable; shadows disable
-      layer_effects "gtk-layer-shell" blur enable; shadows disable
-      layer_effects "notifications" blur enable; shadows disable
-      layer_effects "launcher" blur enable; shadows disable
-      layer_effects "logout_dialog" blur enable; shadows disable
-      layer_effects "waybar" blur enable; shadows disable
-      layer_effects "avizo" blur enable; shadows disable
-      layer_effects "swaync-notification-window" blur enable; shadows disable
-      layer_effects "swaync-control-center" blur enable; shadows disable
+      shadows enable
+      shadow_blur_radius 5
+      layer_effects "system-menu" blur enable; blur_ignore_transparent enable; shadows enable
+      layer_effects "gtk-layer-shell" blur enable; blur_ignore_transparent enable; shadows enable
+      layer_effects "notifications" blur enable; blur_ignore_transparent enable; shadows enable
+      layer_effects "launcher" blur enable; blur_ignore_transparent enable; shadows enable
+      layer_effects "logout_dialog" blur enable; blur_ignore_transparent enable; shadows enable
+      layer_effects "waybar" blur enable; blur_ignore_transparent enable; shadows enable
+      layer_effects "avizo" blur enable; blur_ignore_transparent enable; shadows enable
+      layer_effects "swaync-notification-window" blur enable; blur_ignore_transparent enable; shadows enable
+      layer_effects "swaync-control-center" blur enable; blur_ignore_transparent enable; shadows enable
      titlebar_separator enable
    '';
  };
--- a/home/desktop/swaync/default.nix
+++ b/home/desktop/swaync/default.nix
@ -20,7 +20,7 @@
    }

    .floating-notifications.background .notification-row .notification-background {
-      border-radius: 10px;
+      border-radius: 5px;
      border: 1px solid ${sc.${accentColourName}};
      margin: 18px;
      background-color: ${alpha-background};
@ -33,7 +33,7 @@
      .notification-background
      .notification {
      padding: 7px;
-      border-radius: 10px;
+      border-radius: 5px;
    }

    .floating-notifications.background
@ -87,7 +87,7 @@
      > *:last-child
      > *
      .notification-action {
-      border-radius: 10px;
+      border-radius: 5px;
      background-color: ${sc.base01};
      color: ${sc.base05};
      margin: 7px;
@ -121,7 +121,7 @@
      .close-button {
      margin: 7px;
      padding: 2px;
-      border-radius: 10px;
+      border-radius: 5px;
      background-color: ${sc.red};
      color: ${sc.base00};
    }
@ -143,7 +143,7 @@
    }

    .control-center {
-      border-radius: 10px;
+      border-radius: 5px;
      border: 1px solid ${sc.${accentColourName}};
      margin: 18px;
      background-color: ${alpha-background};
@ -174,7 +174,7 @@
    }

    .control-center .notification-row .notification-background {
-      border-radius: 10px;
+      border-radius: 5px;
      background-color: ${sc.base01};
      color: ${sc.base05};
      margin-top: 14px;
--- a/home/desktop/waybar/default.nix
+++ b/home/desktop/waybar/default.nix
@ -15,7 +15,7 @@
    settings.main = {
      name = "main";
      layer = "top";
-      position = "bottom";
+      position = "top";
      # Layout
      "modules-left" = [
        "sway/workspaces"
@ -64,7 +64,6 @@
        "rewrite" = {
          "(.*) - GNU Emacs at (.*)" = "  $1 [$2]";
          "(alacritty.*)" = "  $1";
-          "(foot.*)" = "  $1";
          "(.*) - mpv" = "󰦟  $1";
          "swayimg: (.*)" = "󰋩  $1";
          "(btm)" = "  Resource Usage [$1]";
@ -260,16 +259,16 @@
      window > box {
          color: ${sc.base05};
          background: alpha(${sc.base00}, ${alpha});
-          margin: 0px 5px 5px;
+          margin: 5px 5px 0px;
          padding: 0px;
          border-top: 1px solid ${sc.base04};
-          border-radius: 10px;
+          border-radius: 5px;
      }

      tooltip {
          background: ${sc.base00};
          border: 1px solid ${sc.${accentColourName}};
-          border-radius: 10px;
+          border-radius: 5px;
          box-shadow: none;
      }

--- a/home/personal.nix
+++ b/home/personal.nix
@ -1,10 +1 @@
-{pkgs, ...}: {
-  home.packages = with pkgs;
-  with kdePackages; [
-    blender
-    freecad
-    prusa-slicer
-    ktorrent
-    noson
-  ];
-}
+{...}: {}
--- a/home/scripts/shell/rsync-local-config.sh
+++ b/home/scripts/shell/rsync-local-config.sh
@ -1,6 +1,6 @@
 HOSTS=("$@")
 # Config files
-for TARGET in bat bottom git starship.toml; do
+for TARGET in bat starship.toml; do
    SOURCE="$HOME/.config/$TARGET"
    echo "--- $SOURCE ---"
    TMP_TARGET=/tmp/rsync-local-config
--- a/home/services/email/default.nix
+++ b/home/services/email/default.nix
@ -1,19 +1,30 @@
 {
+  config,
  pkgs,
-  hostname,
  ...
 }: {
-  home.packages = with pkgs; [protonmail-bridge-gui];
+  home.packages = with pkgs; [
+    protonmail-bridge-gui
+    (writeShellScriptBin "mbsync-ensure-pass"
+      (builtins.readFile ./mbsync-ensure-pass.sh))
+    (writeShellScriptBin "davmail-setup" ''
+      systemctl --user restart davmail # Ensure config file is present
+      systemctl --user stop davmail
+      ${davmail}/bin/davmail -n ~/.davmail.properties
+      systemctl --user restart davmail
+    '')
+  ];
  accounts.email = {
    maildirBasePath = "Mail";
    accounts = let
      realName = "Evie Litherland-Smith";
    in {
      proton = let
+        address = "e.litherlandsmith@proton.me";
        host = "127.0.0.1";
        tls.enable = false;
-      in rec {
-        inherit realName;
+      in {
+        inherit realName address;
        primary = true;
        maildir.path = "Proton";
        imap = {
@ -24,10 +35,9 @@
          inherit host tls;
          port = 1025;
        };
-        address = "e.litherlandsmith@proton.me";
        aliases = ["evie@xenia.me.uk" "evie@litherlandsmith.slmail.me"];
        userName = address;
-        passwordCommand = "${pkgs.pass}/bin/pass show mbsync/${hostname}/proton | head -n1";
+        passwordCommand = "${pkgs.libsecret}/bin/secret-tool lookup email ${address}";
        mu.enable = true;
        msmtp = {
          enable = true;
@ -46,15 +56,16 @@
          extraConfig.account.AuthMechs = "LOGIN";
        };
      };
-      icloud = rec {
-        inherit realName;
+      icloud = let
+        address = "e.litherlandsmith@icloud.com";
+      in {
+        inherit realName address;
        primary = false;
        maildir.path = "iCloud";
        imap.host = "imap.mail.me.com";
        smtp.host = "smtp.mail.me.com";
-        address = "e.litherlandsmith@icloud.com";
        userName = address;
-        passwordCommand = "${pkgs.pass}/bin/pass show mbsync/${hostname}/icloud | head -n1";
+        passwordCommand = "${pkgs.libsecret}/bin/secret-tool lookup email ${address}";
        mu.enable = true;
        msmtp.enable = true;
        mbsync = {
@ -66,6 +77,50 @@
          subFolders = "Verbatim";
        };
      };
+      outlook = let
+        address = "evie.litherland-smith@ukaea.uk";
+        host = "127.0.0.1";
+        tls.enable = false;
+      in {
+        inherit realName address;
+        primary = false;
+        maildir.path = "Outlook";
+        imap = {
+          inherit host tls;
+          port = 1144;
+        };
+        smtp = {
+          inherit host tls;
+          port = 1026;
+        };
+        aliases = ["elitherl@jet.uk"];
+        userName = address;
+        passwordCommand = "${pkgs.libsecret}/bin/secret-tool lookup email ${address}";
+        mu.enable = true;
+        msmtp = {
+          enable = true;
+          extraConfig = {
+            tls = "off";
+            auth = "login";
+          };
+        };
+        mbsync = {
+          enable = true;
+          create = "both";
+          expunge = "both";
+          remove = "both";
+          patterns = [
+            "*"
+            "!Conversation History"
+            "!Snoozed"
+            "!Social Activity Notifications"
+            "!Sync Issues*"
+            "!Unsent Messages"
+          ];
+          subFolders = "Verbatim";
+          extraConfig.account.AuthMechs = "LOGIN";
+        };
+      };
    };
  };
  programs = {
@ -76,7 +131,24 @@
      groups.inboxes = {
        proton = ["INBOX"];
        icloud = ["INBOX"];
+        outlook = ["INBOX"];
      };
    };
  };
+  systemd.user.services.davmail = {
+    Unit = {
+      Description = "Davmail server";
+      Wants = ["network-online.target"];
+      After = ["network-online.target"];
+    };
+    Service = {
+      Environment = ["PATH=/run/current-system/sw/bin/:$PATH"];
+      Restart = "always";
+      ExecStartPre = with config.home; ''
+        /bin/sh -c "if [ ! -f ${homeDirectory}/.davmail.properties ]; then cp ${./davmail.properties} ${homeDirectory}/.davmail.properties; fi; chmod 644 ${homeDirectory}/.davmail.properties"
+      '';
+      ExecStart = "${pkgs.davmail}/bin/davmail -notray ${config.home.homeDirectory}/.davmail.properties";
+    };
+    Install.WantedBy = ["default.target"];
+  };
 }
--- a/home/services/email/mbsync-ensure-pass.sh
+++ b/home/services/email/mbsync-ensure-pass.sh
@ -0,0 +1,15 @@
+EMAIL_ADDRESSES=(
+    e.litherlandsmith@proton.me
+    e.litherlandsmith@icloud.com
+    evie.litherland-smith@ukaea.uk
+)
+LABELS=("Proton" "iCloud" "Outlook")
+
+for i in "${!EMAIL_ADDRESSES[@]}"; do
+    ADDRESS="${EMAIL_ADDRESSES[$i]}"
+    LABEL="${LABELS[$i]}"
+    secret-tool lookup email "$ADDRESS" >/dev/null || (
+        echo "Setup $LABEL"
+        secret-tool store --label="$LABEL mail mbsync" email "$ADDRESS"
+    )
+done
--- a/home/services/email/work.nix
+++ b/home/services/email/work.nix
@ -1,77 +0,0 @@
-{
-  config,
-  pkgs,
-  hostname,
-  ...
-}: {
-  imports = [./default.nix];
-  home.packages = with pkgs; [
-    (writeShellScriptBin "davmail-setup" ''
-      systemctl --user restart davmail # Ensure config file is present
-      systemctl --user stop davmail
-      ${davmail}/bin/davmail -n ~/.davmail.properties
-      systemctl --user restart davmail
-    '')
-  ];
-  accounts.email.accounts.outlook = let
-    host = "127.0.0.1";
-    tls.enable = false;
-  in rec {
-    inherit (config.accounts.email.accounts.proton) realName;
-    primary = false;
-    maildir.path = "Outlook";
-    imap = {
-      inherit host tls;
-      port = 1144;
-    };
-    smtp = {
-      inherit host tls;
-      port = 1026;
-    };
-    address = "evie.litherland-smith@ukaea.uk";
-    aliases = ["elitherl@jet.uk"];
-    userName = address;
-    passwordCommand = "${pkgs.pass}/bin/pass show mbsync/${hostname}/outlook | head -n1";
-    mu.enable = true;
-    msmtp = {
-      enable = true;
-      extraConfig = {
-        tls = "off";
-        auth = "login";
-      };
-    };
-    mbsync = {
-      enable = true;
-      create = "both";
-      expunge = "both";
-      remove = "both";
-      patterns = [
-        "*"
-        "!Conversation History"
-        "!Snoozed"
-        "!Social Activity Notifications"
-        "!Sync Issues*"
-        "!Unsent Messages"
-      ];
-      subFolders = "Verbatim";
-      extraConfig.account.AuthMechs = "LOGIN";
-    };
-  };
-  programs.mbsync.groups.inboxes.outlook = ["INBOX"];
-  systemd.user.services.davmail = {
-    Unit = {
-      Description = "Davmail server";
-      Wants = ["network-online.target"];
-      After = ["network-online.target"];
-    };
-    Service = {
-      Environment = ["PATH=/run/current-system/sw/bin/:$PATH"];
-      Restart = "always";
-      ExecStartPre = with config.home; ''
-        /bin/sh -c "if [ ! -f ${homeDirectory}/.davmail.properties ]; then cp ${./davmail.properties} ${homeDirectory}/.davmail.properties; fi; chmod 644 ${homeDirectory}/.davmail.properties"
-      '';
-      ExecStart = "${pkgs.davmail}/bin/davmail -notray ${config.home.homeDirectory}/.davmail.properties";
-    };
-    Install.WantedBy = ["default.target"];
-  };
-}
--- a/home/services/password-store/default.nix
+++ b/home/services/password-store/default.nix
@ -18,9 +18,6 @@
        PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
      };
    };
-    git.extraConfig.credential = {
-      helper = "${pkgs.pass-git-helper}/bin/pass-git-helper";
-    };
  };
  services = {
    gpg-agent = rec {
--- a/home/shell/git.nix
+++ b/home/shell/git.nix
@ -1,10 +1,14 @@
 {
  config,
  lib,
+  pkgs,
  ...
 }: {
  services.git-sync.enable = false; # Can't find pass for some reason...
-  programs.git = {
+  programs.git = let
+    package = pkgs.gitFull;
+  in {
+    inherit package;
    enable = true;
    userName = "Evie Litherland-Smith";
    userEmail = lib.mkDefault "evie@xenia.me.uk";
@ -30,6 +34,7 @@
      pull.rebase = false;
      init.defaultBranch = "main";
      merge.conflictstyle = "diff3";
+      credential.helper = "${package}/bin/git-credential-libsecret";
      diff = {
        colorMoved = "default";
        gpg.textconv = "gpg --no-tty --decrypt";
--- a/system/desktop.nix
+++ b/system/desktop.nix
@ -1,4 +1,5 @@
 {
+  config,
  lib,
  pkgs,
  ...
@ -11,6 +12,7 @@
    sessionVariables = {
      NIXOS_OZONE_WL = "1";
      GRIM_DEFAULT_DIR = "$HOME/Pictures/Grim";
+      QT_QPA_PLATFORM = lib.mkIf config.programs.sway.enable "wayland";
    };
    systemPackages = with pkgs; [
      xdg-utils
@ -31,7 +33,17 @@
  };
  security = {
    polkit.enable = true;
-    pam.services.swaylock = {};
+    pam = {
+      services.swaylock = {};
+      loginLimits = [
+        {
+          domain = "@users";
+          item = "rtprio";
+          type = "-";
+          value = 1;
+        }
+      ];
+    };
  };
  programs = {
    dconf.enable = true;
@ -41,7 +53,10 @@
    file-roller.enable = true;
    thunar = {
      enable = true;
-      plugins = with pkgs.xfce; [thunar-archive-plugin thunar-volman];
+      plugins = with pkgs.xfce; [
+        thunar-archive-plugin
+        thunar-volman
+      ];
    };
    sway = {
      enable = true;
@ -59,8 +74,8 @@
  gtk.iconCache.enable = true;
  qt = {
    enable = true;
-    platformTheme = "gnome";
    style = "adwaita";
+    platformTheme = "gnome";
  };
  services = {
    dbus.packages = with pkgs; [gcr];