From 18674ac22d0e3495487ad2676cb18cbe0d461494 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Thu, 17 Jul 2025 13:54:51 +0200
Subject: [PATCH 01/15] feat(system): enable fingerprint reader only if lid is open
---
 hosts/cmdframe/default.nix | 2 +-
 system/laptop.nix | 8 ++++++++
 system/lid.nix | 27 +++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 system/laptop.nix
 create mode 100644 system/lid.nix
diff --git a/hosts/cmdframe/default.nix b/hosts/cmdframe/default.nix
index e1750c8..f122a4b 100644
--- a/hosts/cmdframe/default.nix
+++ b/hosts/cmdframe/default.nix
@@ -5,7 +5,7 @@
 ./disk-config.nix
 ../../hardware/base.nix
 ../../hardware/bluetooth.nix
- ../../system/desktop.nix
+ ../../system/laptop.nix
 ../../system/printing/home.nix
 ../../desktop
 ../../desktop/cosmic.nix
diff --git a/system/laptop.nix b/system/laptop.nix
new file mode 100644
index 0000000..74eeef9
--- /dev/null
+++ b/system/laptop.nix
@@ -0,0 +1,8 @@
+_:
+
+{
+ imports = [
+ ./desktop.nix
+ ./lid.nix
+ ];
+}
diff --git a/system/lid.nix b/system/lid.nix
new file mode 100644
index 0000000..ccdc5c9
--- /dev/null
+++ b/system/lid.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+
+{
+ services.acpid = lib.mkIf config.services.fprintd.enable {
+ enable = true;
+ handlers.lidClosed = {
+ event = "button/lid \\w+ close";
+ action = ''
+ echo "Lid closed. Disabling fprintd."
+ systemctl stop fprintd
+ ln -s /dev/null /run/systemd/transient/fprintd.service
+ systemctl daemon-reload
+ '';
+ };
+ handlers.lidOpen = {
+ event = "button/lid \\w+ open";
+ action = ''
+ if ! $(systemctl is-active --quiet fprintd); then
+ echo "Lid open. Enabling fprintd."
+ rm -f /run/systemd/transient/fprintd.service
+ systemctl daemon-reload
+ systemctl start fprintd
+ fi
+ '';
+ };
+ };
+}
From 526527f5dce9ff2d66618dda14f3fe0e50cdbb7b Mon Sep 17 00:00:00 2001
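Review bot: The `if ! $(systemctl is-active --quiet fprintd); then` line in `handlers.lidOpen` wraps the command in a substitution and tests its empty expansion; it only works because the shell falls back to the substitution's exit status when no command name results, and the intended form is `if ! systemctl is-active --quiet fprintd; then`. In `handlers.lidClosed`, `ln -s` without `-f` fails once the symlink already exists, e.g. on a second close event with no open in between, so `ln -sf /dev/null /run/systemd/transient/fprintd.service` is the safer spelling. Writing the mask into `/run/systemd/transient` instead of using `systemctl mask` appears deliberate, since that directory precedes `/etc/systemd/system` (where NixOS installs its units) in the unit load path; a comment above the `ln` line such as `# /run/systemd/transient wins over /etc/systemd/system; a plain systemctl mask would not override the NixOS-installed unit` would keep the next reader from replacing it with the usual command.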
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Thu, 17 Jul 2025 14:01:06 +0200
Subject: [PATCH 02/15] refactor(system): move boot options into their own file
---
 hardware/base.nix | 15 +--------------
 system/boot.nix | 16 ++++++++++++++++
 system/common.nix | 1 +
 3 files changed, 18 insertions(+), 14 deletions(-)
 create mode 100644 system/boot.nix
diff --git a/hardware/base.nix b/hardware/base.nix
index 95d1c07..679f042 100644
--- a/hardware/base.nix
+++ b/hardware/base.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+_:
 {
 imports = [
@@ -7,19 +7,6 @@
 ./zsa.nix
 ];
- boot.supportedFilesystems = lib.mkDefault [ "btrfs" ];
- boot.kernelPackages = lib.mkOverride 800 pkgs.linuxPackages_latest;
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
-
- boot.initrd.systemd.enable = true;
-
- boot.plymouth.enable = true;
-
- # prevents `systemd-vconsole-setup` failing during systemd initrd
- console.earlySetup = true;
- systemd.services.systemd-vconsole-setup.unitConfig.After = "local-fs.target";
-
 services.smartd.enable = true;
 services.smartd.notifications.x11.enable = true;
 }
diff --git a/system/boot.nix b/system/boot.nix
new file mode 100644
index 0000000..126ef4c
--- /dev/null
+++ b/system/boot.nix
@@ -0,0 +1,16 @@
+{ lib, pkgs, ... }:
+
+{
+ boot.supportedFilesystems = lib.mkDefault [ "btrfs" ];
+ boot.kernelPackages = lib.mkOverride 800 pkgs.linuxPackages_latest;
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.initrd.systemd.enable = true;
+
+ boot.plymouth.enable = true;
+
+ # prevents `systemd-vconsole-setup` failing during systemd initrd
+ console.earlySetup = true;
+ systemd.services.systemd-vconsole-setup.unitConfig.After = "local-fs.target";
+}
diff --git a/system/common.nix b/system/common.nix
index 2d8bded..e6609c8 100644
--- a/system/common.nix
+++ b/system/common.nix
@@ -2,6 +2,7 @@
 {
 imports = [
+ ./boot.nix
 ./zram.nix
 ./i18n.nix
 ./nix.nix
From 6b59e71417f06cc1289e879df48ffb0095052583 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 13:25:24 +0200
Subject: [PATCH 03/15] feat(nix): add nix-tree
---
 system/nix.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/system/nix.nix b/system/nix.nix
index 927b138..36fa247 100644
--- a/system/nix.nix
+++ b/system/nix.nix
@@ -54,4 +54,8 @@ in
 ''
 nix flake update ${inputsToUpdateStr} --flake ${config.system.autoUpgrade.flake}
 '';
+
+ environment.systemPackages = with pkgs; [
+ unstable.nix-tree
+ ];
 }
From 8094d2cef621f8f303635782d1f1fb19dadc9d3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 13:26:20 +0200
Subject: [PATCH 04/15] fix(mullvad-browser): configure search for work profile, too
---
 home/browsers/mullvad-browser.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/home/browsers/mullvad-browser.nix b/home/browsers/mullvad-browser.nix
index f5614c7..887e85e 100644
--- a/home/browsers/mullvad-browser.nix
+++ b/home/browsers/mullvad-browser.nix
@@ -217,6 +217,7 @@ in
 work = {
 id = 1;
 settings = commonSettings;
+ search = commonSearch;
 extensions.packages = commonExtensions ++ (with firefox-addons; [
From 3c96318a67d3da89221974a9f37088a89a38ae79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 13:26:56 +0200
Subject: [PATCH 05/15] chore(lsp): replace opentofu-ls with tofu-ls
---
 home/editors/lsp.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/home/editors/lsp.nix b/home/editors/lsp.nix
index 491a001..a002117 100644
--- a/home/editors/lsp.nix
+++ b/home/editors/lsp.nix
@@ -8,7 +8,7 @@
 unstable.nixd
 nls
 terraform-ls
- unstable.opentofu-ls
+ unstable.tofu-ls
 pyright
 nodePackages.bash-language-server
 nodePackages.vim-language-server
From e3680c4bf4940e523f213ac5f2d191e925677792 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 13:28:09 +0200
Subject: [PATCH 06/15] feat(felschr-work): add spotify
---
 home/felschr-work.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/home/felschr-work.nix b/home/felschr-work.nix
index fe1969e..924a8e2 100644
--- a/home/felschr-work.nix
+++ b/home/felschr-work.nix
@@ -68,6 +68,7 @@ with pkgs;
 # entertainment
 celluloid
+ spotify
 # ai
 unstable.alpaca
From 62b6d12d3ee0c2727feb5bc36e6b25936c4f9f77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 14:05:55 +0200
Subject: [PATCH 07/15] feat(nix): switch from nix.settings.auto-optimise-store to nix.optimise
This runs optimisation periodically instead of during builds.
---
 system/nix.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/system/nix.nix b/system/nix.nix
index 36fa247..70e7eb3 100644
--- a/system/nix.nix
+++ b/system/nix.nix
@@ -18,6 +18,10 @@ in
 nixpkgs.config.allowUnfree = true;
+ nix.optimise = {
+ automatic = true;
+ };
+
 nix.gc = {
 automatic = true;
 dates = "04:00";
@@ -26,7 +30,6 @@ in
 nix.settings = {
 trusted-users = [ "@wheel" ];
- auto-optimise-store = true;
 substituters = nixConfig.extra-substituters;
 trusted-public-keys = nixConfig.extra-trusted-public-keys;
 };
From 3b3b005fe1e77e716be48657f12ac59ae9047fa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 14:08:52 +0200
Subject: [PATCH 08/15] refactor(nix): simplify config
---
 system/nix.nix | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/system/nix.nix b/system/nix.nix
index 70e7eb3..335dc93 100644
--- a/system/nix.nix
+++ b/system/nix.nix
@@ -18,20 +18,18 @@ in nixpkgs.config.allowUnfree = true; - nix.optimise = { - automatic = true; - }; - - nix.gc = { - automatic = true; - dates = "04:00"; - options = "--delete-older-than 30d"; - }; - - nix.settings = { - trusted-users = [ "@wheel" ]; - substituters = nixConfig.extra-substituters; - trusted-public-keys = nixConfig.extra-trusted-public-keys; + nix = { + settings = { + trusted-users = [ "@wheel" ]; + substituters = nixConfig.extra-substituters; + trusted-public-keys = nixConfig.extra-trusted-public-keys; + }; + optimise.automatic = true; + gc = { + automatic = true; + dates = "04:00"; + options = "--delete-older-than 30d"; + }; }; system.autoUpgrade = { From 69b456ee8155343b79d8dd8d04350a668b5c14b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Mon, 21 Jul 2025 19:56:09 +0200 Subject: [PATCH 09/15] chore(flake): update inputs --- flake.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index afd77bd..d7fbb10 100644 --- a/flake.lock +++ b/flake.lock @@ -129,11 +129,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1751256218, - "narHash": "sha256-WC1YSV4lFT41AaEhpiQZRuofe+2WLI9PNuuqgdRmjVM=", + "lastModified": 1753070653, + "narHash": "sha256-vp4Svdpb90eEYkUKxjVROgcJ92u/2sVF8hnpsiKJEhI=", "owner": "rycee", "repo": "nur-expressions", - "rev": "fa40d85b15cbfb1a488ef9a119ff2d40a481c8da", + "rev": "87f5912350a5bac28eacc1b89bb1767ca1a77e7e", "type": "gitlab" }, "original": { @@ -198,11 +198,11 @@ ] }, "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", + "lastModified": 1751413152, + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", "type": "github" }, "original": { 
@@ -314,11 +314,11 @@ ] }, "locked": { - "lastModified": 1750792728, - "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=", + "lastModified": 1753055804, + "narHash": "sha256-KerePGJYX47ex6OY3CWsid4AltO2gDtQROunYJ0eCEE=", "owner": "nix-community", "repo": "home-manager", - "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557", + "rev": "adf195f021a8cbb0c317f75b52e96c82616526f9", "type": "github" }, "original": { @@ -405,11 +405,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1750837715, - "narHash": "sha256-2m1ceZjbmgrJCZ2PuQZaK4in3gcg3o6rZ7WK6dr5vAA=", + "lastModified": 1752666637, + "narHash": "sha256-P8J72psdc/rWliIvp8jUpoQ6qRDlVzgSDDlgkaXQ0Fw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "98236410ea0fe204d0447149537a924fb71a6d4f", + "rev": "d1bfa8f6ccfb5c383e1eba609c1eb67ca24ed153", "type": "github" }, "original": { @@ -420,11 +420,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751211869, - "narHash": "sha256-1Cu92i1KSPbhPCKxoiVG5qnoRiKTgR5CcGSRyLpOd7Y=", + "lastModified": 1752866191, + "narHash": "sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b43c397f6c213918d6cfe6e3550abfe79b5d1c51", + "rev": "f01fe91b0108a7aff99c99f2e9abbc45db0adc2a", "type": "github" }, "original": { @@ -436,11 +436,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1751011381, - "narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=", + "lastModified": 1752950548, + "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7", + "rev": "c87b95e25065c028d31a94f06a62927d18763fdf", "type": "github" }, "original": { 
@@ -475,11 +475,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1751271961, - "narHash": "sha256-Ka+zyYx1UeDccCv4ZlW7LAvVJdJGnSzKjZQt04fCIoQ=", + "lastModified": 1753086528, + "narHash": "sha256-5RMRU6J7fiaHzA0Bz/xStfuLLQ1AtJfIagxHqEhAb2c=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "8e3ee0a40fb019ec95bec661c45b9d4940d27583", + "rev": "09b9e58d8b4e98193590aa02f60b41881fad840d", "type": "github" }, "original": { From 6c8a14aa999925d1e47e03119d9860b7fd088942 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Mon, 21 Jul 2025 19:59:24 +0200 Subject: [PATCH 10/15] feat(adguardhome): enable filters OISD (Big), AdGuard DNS filter --- services/adguardhome.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/adguardhome.nix b/services/adguardhome.nix index 4bbf1ad..50feaed 100644 --- a/services/adguardhome.nix +++ b/services/adguardhome.nix @@ -59,12 +59,12 @@ in { name = "OISD (Big)"; url = "https://big.oisd.nl"; - enabled = false; + enabled = true; } { name = "AdGuard DNS filter"; url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; - enabled = false; + enabled = true; } ]; whitelist_filters = [ From 07ba36b5435106342e48b8f1027527ffefbeff64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Mon, 21 Jul 2025 20:52:01 +0200 Subject: [PATCH 11/15] feat(cmdframe): enable ollama & open-webui --- hosts/cmdframe/default.nix | 6 ++++++ hosts/home-pc/default.nix | 5 +++++ services/open-webui.nix | 2 -- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/hosts/cmdframe/default.nix b/hosts/cmdframe/default.nix index f122a4b..a8b66e0 100644 --- a/hosts/cmdframe/default.nix +++ b/hosts/cmdframe/default.nix @@ -13,6 +13,7 @@ ../../virtualisation/podman.nix ../../virtualisation/libvirt.nix ../../modules/systemdNotify.nix + ../../services/open-webui.nix inputs.seven-modules.nixosModules.seven ]; 
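Review bot: Importing `../../services/open-webui.nix` into the cmdframe host brings up Open WebUI and Ollama on a laptop, and nothing in this hunk shows which address they listen on or whether a firewall rule exposes them; a later patch in this same series has this host joining public train Wi-Fi, so the bind address in `services/open-webui.nix` (outside this hunk) should be confirmed to be loopback, or the listener restricted to the WireGuard interface. Once verified, a comment next to the import such as `# local LLM stack; listens on loopback only (see services/open-webui.nix)` would record that intent. The imports list's closing `];` is in the hunk, but the enclosing attribute set continues beyond it.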
@@ -39,6 +40,11 @@
 "--operator=felschr"
 ];
+ services.ollama = {
+ acceleration = "rocm";
+ rocmOverrideGfx = "11.5.0";
+ };
+
 seven = {
 enable = true;
 wireguard = {
diff --git a/hosts/home-pc/default.nix b/hosts/home-pc/default.nix
index 0cbba48..59a0e58 100644
--- a/hosts/home-pc/default.nix
+++ b/hosts/home-pc/default.nix
@@ -61,6 +61,11 @@
 "87.98.162.88" = [ "portcheck.transmissionbt.com" ];
 };
+ services.ollama = {
+ acceleration = "rocm";
+ rocmOverrideGfx = "10.3.1";
+ };
+
 seven = {
 enable = true;
 wireguard = {
diff --git a/services/open-webui.nix b/services/open-webui.nix
index 67794c8..a4d7e63 100644
--- a/services/open-webui.nix
+++ b/services/open-webui.nix
@@ -19,8 +19,6 @@
 services.ollama = {
 enable = true;
 package = pkgs.unstable.ollama;
- acceleration = "rocm";
- rocmOverrideGfx = "10.3.1";
 };
 services.open-webui = {
From 2daf2e5c580f2c399335c6db78ebf33788ddf3c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 20:54:19 +0200
Subject: [PATCH 12/15] refactor: move services/open-webui.nix to services/llm.nix
---
 hosts/cmdframe/default.nix | 2 +-
 hosts/home-pc/default.nix | 2 +-
 services/{open-webui.nix => llm.nix} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename services/{open-webui.nix => llm.nix} (100%)
diff --git a/hosts/cmdframe/default.nix b/hosts/cmdframe/default.nix
index a8b66e0..4efec24 100644
--- a/hosts/cmdframe/default.nix
+++ b/hosts/cmdframe/default.nix
@@ -13,7 +13,7 @@
 ../../virtualisation/podman.nix
 ../../virtualisation/libvirt.nix
 ../../modules/systemdNotify.nix
- ../../services/open-webui.nix
+ ../../services/llm.nix
 inputs.seven-modules.nixosModules.seven
 ];
diff --git a/hosts/home-pc/default.nix b/hosts/home-pc/default.nix
index 59a0e58..19d2a7a 100644
--- a/hosts/home-pc/default.nix
+++ b/hosts/home-pc/default.nix
@@ -20,7 +20,7 @@
 ../../services/samba/home-pc.nix
 ../../services/restic/home-pc.nix
 ../../services/pcscd.nix
- ../../services/open-webui.nix
+ ../../services/llm.nix
 inputs.seven-modules.nixosModules.seven
 ];
diff --git a/services/open-webui.nix b/services/llm.nix
similarity index 100%
rename from services/open-webui.nix
rename to services/llm.nix
From 331ded0ec15ae45c2685daa5b28e13260ac0084e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 20:57:00 +0200
Subject: [PATCH 13/15] feat(hardened): switch from sudo to sudo-rs
---
 system/hardened.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/system/hardened.nix b/system/hardened.nix
index cf94bc4..5bc2b25 100644
--- a/system/hardened.nix
+++ b/system/hardened.nix
@@ -12,8 +12,16 @@
 # @TODO hardened kernel causes Bluetooth issues
 boot.kernelPackages = lib.mkOverride 900 pkgs.linuxPackages;
- # Xbox Controller not working via Bluetooth if enabled
- security.lockKernelModules = lib.mkOverride 900 false;
+ security = {
+ # Xbox Controller not working via Bluetooth if enabled
+ lockKernelModules = lib.mkOverride 900 false;
+
+ sudo.enable = false;
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ };
+ };
 boot.loader.systemd-boot.editor = lib.mkDefault false;
From 576ddc0d693b22c480cfccd85c494103ddb50de2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 21:20:55 +0200
Subject: [PATCH 14/15] feat(networking): add train WiFi networks
---
 system/networking.nix | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/system/networking.nix b/system/networking.nix
index 7524edf..0a72f6b 100644
--- a/system/networking.nix
+++ b/system/networking.nix
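Review bot: Setting `sudo.enable = false;` means any `security.sudo.extraRules` or `security.sudo.extraConfig` declared by other modules in this repository stops being rendered, because sudo-rs builds its own sudoers from `security.sudo-rs.*`; whether such rules exist is not visible in this hunk, so a search for `security.sudo.` across the tree before merging would confirm nothing is lost, and any hits move to `security.sudo-rs.extraRules`. `execWheelOnly = true` is a good hardening default and is worth keeping. The enclosing attribute set of `system/hardened.nix` continues outside the hunk.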
@@ -35,6 +35,24 @@ let
 "fd7a:115c:a1e0::a0a1:203c#dns.felschr.com"
 ];
 };
+
+ mkPublicWifiProfile = ssid: {
+ connection = {
+ id = ssid;
+ type = "wifi";
+ };
+ wifi = {
+ mode = "infrastructure";
+ inherit ssid;
+ };
+ ipv4 = {
+ method = "auto";
+ };
+ ipv6 = {
+ method = "auto";
+ addr-gen-mode = "stable-privacy";
+ };
+ };
 in
 {
 networking = {
@@ -46,6 +64,11 @@ in
 5353 # mDNS
 ];
 networkmanager.dns = "systemd-resolved";
+ networkmanager.ensureProfiles.profiles = {
+ "WIFIonICE" = mkPublicWifiProfile "WIFIonICE";
+ "WIFI@DB" = mkPublicWifiProfile "WIFI@DB";
+ "metronom free WLAN" = mkPublicWifiProfile "metronom free WLAN";
+ };
 };
 systemd.network = {
From b5341635d91ae9332b49b22eee7fa25f5edf40ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Mon, 21 Jul 2025 21:21:38 +0200
Subject: [PATCH 15/15] feat(networking): auto-login for Deutsche Bahn WiFi portals
---
 system/networking.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/system/networking.nix b/system/networking.nix
index 0a72f6b..831e5a3 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -119,4 +119,20 @@ in
 dig
 wireguard-tools
 ];
+
+ networking.networkmanager.dispatcherScripts = [
+ {
+ #!/usr/bin/env bash
+ source = pkgs.writeText "connect_ice" ''
+ set -euxo pipefail
+ ACTION="$2"
+ if [[ "$ACTION" == "up" ]]; then
+ if [[ "$CONNECTION_ID" =~ "WIFIonICE|WIFI@DB" ]]; then
+ ${pkgs.curl}/bin/curl 'https://login.wifionice.de/cna/logon' -sSL -X POST
+ fi
+ fi
+ '';
+ type = "basic";
+ }
+ ];
 }
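Review bot: The three `ensureProfiles.profiles` entries are open networks (no `wifi-security` block in `mkPublicWifiProfile`, defined in the previous hunk of this patch) and NetworkManager's `connection.autoconnect` defaults to true, so the host will join any access point advertising one of these SSIDs, wherever it is, without the user confirming; adding `autoconnect = false;` to the `connection` block of `mkPublicWifiProfile`, or at least a low `autoconnect-priority`, keeps that decision with the user. The context line `5353 # mDNS` shows that port opened in a firewall list whose head is outside this hunk; if it applies to all interfaces, it is worth restricting to trusted ones while these public profiles exist. A one-line comment above `mkPublicWifiProfile` noting that it describes open, unauthenticated networks would make the trade-off explicit.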
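Review bot: The quoted right-hand side of `=~` on the inner `if` is matched as a literal string rather than a regex, so `"$CONNECTION_ID"` never matches and the logon request is never sent; it should read `if [[ "$CONNECTION_ID" =~ ^(WIFIonICE|WIFI@DB)$ ]]; then`. The `#!/usr/bin/env bash` line is a Nix comment inside the attribute set, not the first line of the script, so the file produced by `pkgs.writeText` has no interpreter line even though `[[` and `pipefail` require bash; `source = pkgs.writeShellScript "connect_ice" ''` fixes that and lets the comment line go. Since dispatcher scripts run as root on a network that is by definition untrusted, I would also bound the request with `--max-time 15` so an unresponsive portal cannot hold the dispatcher, and drop `-x` from `set -euxo pipefail` unless command tracing in the journal is wanted.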