Merge remote-tracking branch 'origin/master' into staging-next

    githubId = 10587952;

    name = "Armijn Hemel";

  };

  arminius-smh = {

    email = "armin@sprejz.de";

    github = "arminius-smh";

    githubId = 159054879;

    name = "Armin Manfred Sprejz";

  };

  arnarg = {

    email = "arnarg@fastmail.com";

    github = "arnarg";

    githubId = 2502736;

    name = "James Hillyerd";

  };

  jhol = {

    name = "Joel Holdsworth";

    email = "joel@airwebreathe.org.uk";

    github = "jhol";

    githubId = 1449493;

    keys = [ { fingerprint = "08F7 2546 95DE EAEF 03DE  B0E4 D874 562D DC99 D889"; } ];

  };

  jhollowe = {

    email = "jhollowe@johnhollowell.com";

    github = "jhollowe";

    githubId = 120342602;

    name = "Michael Paepcke";

  };

  pagedMov = {

    email = "kylerclay@proton.me";

    github = "pagedMov";

    githubId = 19557376;

    name = "Kyler Clay";

    keys = [ { fingerprint = "784B 3623 94E7 8F11 0B9D AE0F 56FD CFA6 2A93 B51E"; } ];

  };

  paholg = {

    email = "paho@paholg.com";

    github = "paholg";

    githubId = 7121530;

    name = "Wolf Honoré";

  };

  whtsht = {

    email = "whiteshirt0079@gmail.com";

    github = "whtsht";

    githubId = 85547207;

    name = "Hinata Toma";

  };

  wietsedv = {

    email = "wietsedv@proton.me";

    github = "wietsedv";

- [HomeBox](https://github.com/sysadminsmedia/homebox), an inventory and organization system built for the home user. Available as [services.homebox](#opt-services.homebox.enable).

- [evremap](https://github.com/wez/evremap), a keyboard input remapper for Linux/Wayland systems. Available as [services.evremap](options.html#opt-services.evremap).

- [matrix-hookshot](https://matrix-org.github.io/matrix-hookshot), a Matrix bot for connecting to external services. Available as [services.matrix-hookshot](#opt-services.matrix-hookshot.enable).

- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various Git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

  ./services/misc/etebase-server.nix

  ./services/misc/etesync-dav.nix

  ./services/misc/evdevremapkeys.nix

  ./services/misc/evremap.nix

  ./services/misc/felix.nix

  ./services/misc/flaresolverr.nix

  ./services/misc/forgejo.nix

{

  config,

  lib,

  pkgs,

  ...

}:

let

  cfg = config.services.evremap;

  format = pkgs.formats.toml { };

  key = lib.types.strMatching "KEY_[[:upper:]]+" // {

    description = "key ID prefixed with KEY_";

  };

  mkKeyOption =

    description:

    lib.mkOption {

      type = key;

      description = ''

        ${description}

        You can get a list of keys by running `evremap list-keys`.

      '';

    };

  mkKeySeqOption =

    description:

    (mkKeyOption description)

    // {

      type = lib.types.listOf key;

    };

  dualRoleModule = lib.types.submodule {

    options = {

      input = mkKeyOption "The key that should be remapped.";

      hold = mkKeySeqOption "The key sequence that should be output when the input key is held.";

      tap = mkKeySeqOption "The key sequence that should be output when the input key is tapped.";

    };

  };

  remapModule = lib.types.submodule {

    options = {

      input = mkKeySeqOption "The key sequence that should be remapped.";

      output = mkKeySeqOption "The key sequence that should be output when the input sequence is entered.";

    };

  };

in

{

  options.services.evremap = {

    enable = lib.mkEnableOption "evremap, a keyboard input remapper for Linux/Wayland systems";

    settings = lib.mkOption {

      type = lib.types.submodule {

        freeformType = format.type;

        options = {

          device_name = lib.mkOption {

            type = lib.types.str;

            example = "AT Translated Set 2 keyboard";

            description = ''

              The name of the device that should be remapped.

              You can get a list of devices by running `evremap list-devices` with elevated permissions.

            '';

          };

          dual_role = lib.mkOption {

            type = lib.types.listOf dualRoleModule;

            default = [ ];

            example = [

              {

                input = "KEY_CAPSLOCK";

                hold = [ "KEY_LEFTCTRL" ];

                tap = [ "KEY_ESC" ];

              }

            ];

            description = ''

              List of dual-role remappings that output different key sequences based on whether the

              input key is held or tapped.

            '';

          };

          remap = lib.mkOption {

            type = lib.types.listOf remapModule;

            default = [ ];

            example = [

              {

                input = [

                  "KEY_LEFTALT"

                  "KEY_UP"

                ];

                output = [ "KEY_PAGEUP" ];

              }

            ];

            description = ''

              List of remappings.

            '';

          };

        };

      };

      description = ''

        Settings for evremap.

        See the [upstream documentation](https://github.com/wez/evremap/blob/master/README.md#configuration)

        for how to configure evremap.

      '';

      default = { };

    };

  };

  config = lib.mkIf cfg.enable {

    environment.systemPackages = [ pkgs.evremap ];

    hardware.uinput.enable = true;

    systemd.services.evremap = {

      description = "evremap - keyboard input remapper";

      wantedBy = [ "multi-user.target" ];

      script = "${lib.getExe pkgs.evremap} remap ${format.generate "evremap.toml" cfg.settings}";

      serviceConfig = {

        DynamicUser = true;

        User = "evremap";

        SupplementaryGroups = [

          config.users.groups.input.name

          config.users.groups.uinput.name

        ];

        Restart = "on-failure";

        RestartSec = 5;

        TimeoutSec = 20;

        # Hardening

        ProtectClock = true;

        ProtectKernelLogs = true;

        ProtectControlGroups = true;

        ProtectKernelModules = true;

        ProtectHostname = true;

        ProtectKernelTunables = true;

        ProtectProc = "invisible";

        ProtectHome = true;

        ProcSubset = "pid";

        PrivateTmp = true;

        PrivateNetwork = true;

        PrivateUsers = true;

        RestrictRealtime = true;

        RestrictNamespaces = true;

        RestrictAddressFamilies = "none";

        MemoryDenyWriteExecute = true;

        LockPersonality = true;

        IPAddressDeny = "any";

        AmbientCapabilities = "";

        CapabilityBoundingSet = "";

        SystemCallArchitectures = "native";

        SystemCallFilter = [

          "@system-service"

          "~@resources"

          "~@privileged"

        ];

        UMask = "0027";

      };

    };

  };

}

        type = types.nullOr types.str;

        example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";

        description = ''

          "bantime.formula" used by default to calculate next value of ban time, default value bellow,

          "bantime.formula" used by default to calculate next value of ban time, default value below,

          the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32 ...

        '';

      };