From d465e92647470759177cb63914fd3571cea7a8a4 Mon Sep 17 00:00:00 2001 From: Ryan Schanzenbacher Date: Tue, 1 Apr 2025 11:26:04 -0400 Subject: Using Zen, added nix update to be upstreamed --- .../nix-home-manager/firefox-nightly/default.nix | 9 +- home-config/nix-home-manager/flake.lock | 108 +++++++--- home-config/nix-home-manager/flake.nix | 13 +- home-config/nix-home-manager/home.nix | 26 ++- home-config/nix-home-manager/zenPolicies.nix | 126 +++++++++++ modules/ryan-packages/package-management.scm | 233 +++++++++++++++++++++ modules/ryan-services/nix.scm | 182 ++++++++++++++++ 7 files changed, 663 insertions(+), 34 deletions(-) create mode 100644 home-config/nix-home-manager/zenPolicies.nix create mode 100644 modules/ryan-packages/package-management.scm create mode 100644 modules/ryan-services/nix.scm diff --git a/home-config/nix-home-manager/firefox-nightly/default.nix b/home-config/nix-home-manager/firefox-nightly/default.nix index cffaa1d..b86da78 100644 --- a/home-config/nix-home-manager/firefox-nightly/default.nix +++ b/home-config/nix-home-manager/firefox-nightly/default.nix @@ -1,17 +1,16 @@ -{ config, pkgs, mozff, ...}: +{ config, pkgs, zen-browser, ...}: let -wrapped-ff-nightly = mozff.packages.${pkgs.system}.firefox-nightly-bin.override { - extraPolicies = import ./policies.nix; -}; +#wrapped-ff-nightly = zen-browser.packages.${pkgs.system}.default in { programs.firefox = { enable = true; - #package = wrapped-ff-nightly; + policies = import ./policies.nix; + #package = zen-browser.packages.${pkgs.system}.default.unwrapped; profiles.${config.home.username} = { name = "${config.home.username}"; diff --git a/home-config/nix-home-manager/flake.lock b/home-config/nix-home-manager/flake.lock index a0c7e15..0eebe5d 100644 --- a/home-config/nix-home-manager/flake.lock +++ b/home-config/nix-home-manager/flake.lock 
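Review bot: After this hunk `zen-browser` is taken as an argument of firefox-nightly/default.nix but only referenced from commented-out lines, and the `let` no longer binds anything, so the header reduces to `{ config, pkgs, ... }:` with the empty `let … in` dropped, unless the commented `package = zen-browser.packages.${pkgs.system}.default.unwrapped;` line is about to come back. `policies = import ./policies.nix;` now applies to the stock nixpkgs Firefox that `programs.firefox` installs, while the Zen package built in home.nix gets its policies from zenPolicies.nix; two policy sources for two browsers on the same machine will drift, so a comment naming which file is authoritative (or having one import the other) would help the next reader. The hunk's closing braces are outside the view shown here.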
@@ -297,26 +297,24 @@ "hyprland-protocols": "hyprland-protocols", "hyprland-qtutils": "hyprland-qtutils", "hyprlang": "hyprlang", - "hyprutils": "hyprutils", + "hyprutils": "hyprutils_2", "hyprwayland-scanner": "hyprwayland-scanner", - "nixpkgs": [ - "nixpkgs" - ], + "nixpkgs": "nixpkgs", "pre-commit-hooks": "pre-commit-hooks", "systems": "systems", "xdph": "xdph" }, "locked": { - "lastModified": 1738457237, - "narHash": "sha256-9mtM+lwnmXnv5TPmdij1rR5fLzzqSjkltcyEuRf8uIk=", + "lastModified": 1742741773, + "narHash": "sha256-SLEd12Y9KzlQd4CfH2+gz3oQvkPKmwvwi74O+veNdbs=", "owner": "hyprwm", "repo": "hyprland", - "rev": "882f7ad7d2bbfc7440d0ccaef93b1cdd78e8e3ff", + "rev": "5ee35f914f921e5696030698e74fb5566a804768", "type": "github" }, "original": { "owner": "hyprwm", - "ref": "v0.47.2", + "ref": "v0.48.0", "repo": "hyprland", "type": "github" } @@ -348,10 +346,7 @@ }, "hyprland-qtutils": { "inputs": { - "hyprutils": [ - "hyprland", - "hyprutils" - ], + "hyprutils": "hyprutils", "nixpkgs": [ "hyprland", "nixpkgs" @@ -437,7 +432,7 @@ "inputs": { "hyprgraphics": "hyprgraphics_2", "hyprlang": "hyprlang_2", - "hyprutils": "hyprutils_2", + "hyprutils": "hyprutils_3", "hyprwayland-scanner": "hyprwayland-scanner_2", "nixpkgs": [ "nixpkgs" @@ -461,7 +456,7 @@ }, "hyprpicker-git": { "inputs": { - "hyprutils": "hyprutils_3", + "hyprutils": "hyprutils_4", "hyprwayland-scanner": "hyprwayland-scanner_3", "nixpkgs": [ "nixpkgs" 
@@ -484,6 +479,33 @@ } }, "hyprutils": { + "inputs": { + "nixpkgs": [ + "hyprland", + "hyprland-qtutils", + "nixpkgs" + ], + "systems": [ + "hyprland", + "hyprland-qtutils", + "systems" + ] + }, + "locked": { + "lastModified": 1742984269, + "narHash": "sha256-uz9FaCIbga/gQ5ZG1Hb4HVVjTWT1qjjCAFlCXiaefxg=", + "owner": "hyprwm", + "repo": "hyprutils", + "rev": "7248194a2ce0106ae647b70d0526a96dc9d6ad60", + "type": "github" + }, + "original": { + "owner": "hyprwm", + "repo": "hyprutils", + "type": "github" + } + }, + "hyprutils_2": { "inputs": { "nixpkgs": [ "hyprland", @@ -508,7 +530,7 @@ "type": "github" } }, - "hyprutils_2": { + "hyprutils_3": { "inputs": { "nixpkgs": [ "hyprlock", @@ -533,7 +555,7 @@ "type": "github" } }, - "hyprutils_3": { + "hyprutils_4": { "inputs": { "nixpkgs": [ "hyprpicker-git", @@ -717,17 +739,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1739736696, - "narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=", - "owner": "nixos", + "lastModified": 1742889210, + "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f", + "rev": "698214a32beb4f4c8e3942372c694f40848b360d", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", - "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f", "type": "github" } }, @@ -746,6 +768,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1739736696, + "narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", 
@@ -779,8 +817,9 @@ "hyprpicker-git": "hyprpicker-git", "mozff": "mozff", "nixgl": "nixgl", - "nixpkgs": "nixpkgs", - "wpaperd": "wpaperd" + "nixpkgs": "nixpkgs_2", + "wpaperd": "wpaperd", + "zen-browser": "zen-browser" } }, "rust-overlay": { @@ -942,6 +981,27 @@ "repo": "xdg-desktop-portal-hyprland", "type": "github" } + }, + "zen-browser": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742871532, + "narHash": "sha256-ciC3zul202dnIwpAplSaCJTeXOUce7Pl1d+SMFwPQls=", + "owner": "0xc000022070", + "repo": "zen-browser-flake", + "rev": "bef72020b20475847f24cd27134dca06724d4ba7", + "type": "github" + }, + "original": { + "owner": "0xc000022070", + "repo": "zen-browser-flake", + "rev": "bef72020b20475847f24cd27134dca06724d4ba7", + "type": "github" + } } }, "root": "root", diff --git a/home-config/nix-home-manager/flake.nix b/home-config/nix-home-manager/flake.nix index ba3d01a..38b0708 100644 --- a/home-config/nix-home-manager/flake.nix +++ b/home-config/nix-home-manager/flake.nix @@ -3,9 +3,9 @@ inputs = { # Specify the source of Home Manager and Nixpkgs. - nixpkgs.url = "github:nixos/nixpkgs/d74a2335ac9c133d6bbec9fc98d91a77f1604c1f"; + nixpkgs.url = "github:nixos/nixpkgs/a84ebe20c6bc2ecbcfb000a50776219f48d134cc"; home-manager = { - url = "github:nix-community/home-manager/53c587d263f94aaf6a281745923c76bbec62bcf3"; + url = "github:nix-community/home-manager/693840c01b9bef9e54100239cef937e53d4661bf"; inputs.nixpkgs.follows = "nixpkgs"; }; hyprlock = { @@ -17,7 +17,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; hyprland = { - url = "github:hyprwm/hyprland/v0.47.2"; + url = "github:hyprwm/hyprland/v0.48.0"; inputs.nixpkgs.follows = "nixpkgs"; #inputs.hyprutils.url = "github:/hyprwm/hyprutils/6a8bc9d2a4451df12f5179dc0b1d2d46518a90ab"; }; 
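Review bot: The new pin `nixpkgs.url = "github:nixos/nixpkgs/a84ebe20c6bc2ecbcfb000a50776219f48d134cc";` does not match the flake.lock in this same commit, where the root input is `nixpkgs_2` still locked at `d74a2335ac9c133d6bbec9fc98d91a77f1604c1f`, and the lock gives hyprland its own nixpkgs on the floating `nixos-unstable` ref even though `inputs.nixpkgs.follows = "nixpkgs";` is still set for hyprland in the second hunk. That looks like the lock was regenerated before flake.nix was edited, so the next evaluation will either rewrite the lock or pull whatever `nixos-unstable` resolves to at that moment; re-run `nix flake lock` and commit the result so the build is reproducible from the pinned revisions. The `zen-browser` input added in the following hunk is pinned to a full commit hash, which is the right shape for the other inputs too.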
@@ -42,9 +42,13 @@
 inputs.hyprland.follows = "hyprland";
 inputs.nixpkgs.follows = "hyprland/nixpkgs";
 };
+ zen-browser = {
+ url = "github:0xc000022070/zen-browser-flake/bef72020b20475847f24cd27134dca06724d4ba7";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { nixpkgs, home-manager, hyprland, nixgl, wpaperd, hyprpicker-git, hyprlock, mozff, clipboard-sync, hypr-dynamic-cursors, ... }@inputs:
+ outputs = { nixpkgs, home-manager, hyprland, nixgl, wpaperd, hyprpicker-git, hyprlock, mozff, clipboard-sync, hypr-dynamic-cursors, zen-browser, ... }@inputs:
 let
 system = "x86_64-linux";
 pkgs = nixpkgs.legacyPackages.${system};
@@ -70,6 +74,7 @@
 inherit mozff;
 inherit clipboard-sync;
 inherit hypr-dynamic-cursors;
+ inherit zen-browser;
 };
 }
 ];
diff --git a/home-config/nix-home-manager/home.nix b/home-config/nix-home-manager/home.nix
index d2e0034..f5d386c 100644
--- a/home-config/nix-home-manager/home.nix
+++ b/home-config/nix-home-manager/home.nix
@@ -1,4 +1,24 @@
-{ config, pkgs, hyprland, nixgl, wpaperd, hyprpicker-git, hyprlock, mozff, clipboard-sync, hypr-dynamic-cursors, ... }:
+{ config, pkgs, hyprland, nixgl, wpaperd, hyprpicker-git, hyprlock, mozff, clipboard-sync, hypr-dynamic-cursors, zen-browser, ... }:
+let
+ # THIS IS NOT PERFECT AT ALL YET!!! Gets the basics done (my important
+ # policies regarding accounts and extensions. Does not set up profile
+ # stuff, like search. Most importantly, it DOES NOT add system CAs.
+ # To do that, run:
+ # `certutil -A -n "name" -t "CT,c" -i ./path/to/cert -d ~/.zen/profile-folder`
+ # I do this for my root and intermediate. BEWARE WHEN INSTALLING NEW
+ # SYSTEMS!!!!
+ ffPolicies = import ./zenPolicies.nix;
+ customZen = zen-browser.packages.${pkgs.system}.default.overrideAttrs (old: {
+ installPhase = old.installPhase + ''
+ rm -f $out/lib/zen-${old.version}/distribution/policies.json
+ rm -rf $out/lib
+ mkdir $out/opt/zen/distribution
+ ln -s ${pkgs.writeText "firefox-policies.json" (builtins.toJSON ffPolicies)} \
+ "$out/opt/zen/distribution/policies.json"
+ '';
+ });
+
+in
 {
 imports = [
@@ -94,10 +114,14 @@
 starship
 taskwarrior3
 delta
+ (flameshot.override { enableWlrSupport = true; })
 # Here until i can fix firefox's stupid devtools issue
 chromium
+ # Maybe will work?
+ customZen
+
 # Wrapped programs for some env variables
 (pkgs.writeScriptBin "hyprlock" ''
 #! ${pkgs.bash}/bin/bash
diff --git a/home-config/nix-home-manager/zenPolicies.nix b/home-config/nix-home-manager/zenPolicies.nix
new file mode 100644
index 0000000..55b1190
--- /dev/null
+++ b/home-config/nix-home-manager/zenPolicies.nix
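Review bot: In `customZen`, `rm -f $out/lib/zen-${old.version}/distribution/policies.json` is dead code because the very next line removes `$out/lib` wholesale, and `mkdir $out/opt/zen/distribution` without `-p` will abort installPhase if upstream's install step does not already create `$out/opt/zen` (I cannot confirm the upstream layout from this hunk); dropping the first `rm` and using `mkdir -p $out/opt/zen/distribution` covers both cases. The comment documents the CA import as a manual `certutil` step per profile, but zenPolicies.nix in this same commit already sets `Certificates.ImportEnterpriseRoots`, and the same policy block accepts an `Install` list of certificate paths, so the root and intermediate could be installed declaratively from the Nix store and a fresh system would not depend on someone remembering the step — assuming Zen honours that policy as Firefox does. If the manual step has to stay, the comment should say why the policy route was not used, so the next person does not "fix" it.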
@@ -0,0 +1,126 @@ +let + lock-false = { + Value = false; + Status = "locked"; + }; + lock-true = { + Value = true; + Status = "locked"; + }; +in +{ + +policies = { + EnableTrackingProtection = { + Value = true; + Locked = true; + Cryptomining = true; + Fingerprinting = true; + EmailTracking = true; + }; + UserMessaging = { + WhatsNew = false; + ExtensionRecommendations = false; + FeatureRecommendations = false; + UrlbarInterventions = false; + SkipOnboarding = true; + MoreFromMozilla = false; + Labs = false; + Locked = true; + }; + DisableAppUpdate = true; + DisableAccounts = true; + DisableFirefoxAccounts = true; + DisableFirefoxStudies = true; + DisablePocket = true; + DisableTelemetry = true; + AutofillAddressEnabled = false; + AutofillCreditCardEnabled = false; + DisableMasterPasswordCreation = true; + PasswordManagerEnabled = false; + PrimaryPassword = false; + OfferToSaveLogins = false; + NoDefaultBookmarks = true; + OverrideFirstRunPage = ""; + OverridePostUpdatePage = ""; + FirefoxHome = { + Search = true; + TopSites = true; + SponsoredTopSites = false; + Highlights = false; + Pocket = false; + SponsoredPocket = false; + Snippets = false; + Locked = true; + }; + SearchSuggestEnabled = true; + FirefoxSuggest = { + WebSuggestions = true; + SponsoredSuggestions = false; + ImproveSuggest = false; + Locked = true; + }; + PictureInPicture = lock-true; + HardwareAcceleration = true; + Certificates = { + ImportEnterpriseRoots = true; + }; + ExtensionSettings = { + #"*".installation_mode = "blocked"; + # uBlock Origin + "uBlock0@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; + installation_mode = "force_installed"; + }; + # Bitwarden + "{446900e4-71c2-419f-a6a7-df9c091e268b}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"; + installation_mode = "normal_installed"; + }; + # SponsorBlock + "sponsorBlocker@ajay.app" = { + install_url = 
"https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"; + installation_mode = "force_installed"; + }; + # DeArrow + "deArrow@ajay.app" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/dearrow/latest.xpi"; + installation_mode = "force_installed"; + }; + # Return Youtube Dislike + "{762f9885-5a13-4abd-9c77-433dcd38b8fd}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/return-youtube-dislikes/latest.xpi"; + installation_mode = "force_installed"; + }; + # Youtube Nonstop + "{0d7cafdd-501c-49ca-8ebb-e3341caaa55e}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/youtube-nonstop/latest.xpi"; + installation_mode = "force_installed"; + }; + # TamperMonkey + "firefox@tampermonkey.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/tampermonkey/latest.xpi"; + installation_mode = "force_installed"; + }; + # Floccus + "floccus@handmadeideas.org" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/floccus/latest.xpi"; + installation_mode = "force_installed"; + }; + # Mailvelope + "jid1-AQqSMBYb0a8ADg@jetpack" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi"; + installation_mode = "force_installed"; + }; + }; + Preferences = { + "xpinstall.whitelist.required" = lock-true; + "dom.webgpu.enabled" = lock-true; + "media.eme.enabled" = lock-true; + "general.autoScroll" = lock-true; + "general.smoothScroll" = lock-true; + "browser.crashReports.unsubmittedCheck.autoSubmit2" = lock-false; + "browser.aboutConfig.showWarning" = lock-false; + }; +}; +} diff --git a/modules/ryan-packages/package-management.scm b/modules/ryan-packages/package-management.scm new file mode 100644 index 0000000..9629168 --- /dev/null +++ b/modules/ryan-packages/package-management.scm 
@@ -0,0 +1,233 @@ +(define-module (ryan-packages package-management) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix build-system meson) + #:use-module (guix build-system cmake) + #:use-module (guix packages) + #:use-module (guix git-download) + #:use-module (guix gexp) + #:use-module (gnu packages) + #:use-module (gnu packages autotools) + #:use-module (gnu packages backup) + #:use-module (gnu packages bdw-gc) + #:use-module (gnu packages bison) + #:use-module (gnu packages boost) + #:use-module (gnu packages compression) + #:use-module (gnu packages check) + #:use-module (gnu packages cmake) + #:use-module (gnu packages cpp) + #:use-module (gnu packages crypto) + #:use-module (gnu packages curl) + #:use-module (gnu packages databases) + #:use-module (gnu packages flex) + #:use-module (gnu packages gcc) + #:use-module (gnu packages libedit) + #:use-module (gnu packages linux) + #:use-module (gnu packages llvm) + #:use-module (gnu packages markup) + #:use-module (gnu packages package-management) + #:use-module (gnu packages perl) + #:use-module (gnu packages pkg-config) + #:use-module (gnu packages sqlite) + #:use-module (gnu packages tls) + #:use-module (gnu packages version-control) + #:use-module (gnu packages web) + #:use-module (guix utils)) + +(define-public nix-ryan + (package + (name "nix") + (version "2.26.3") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/NixOS/nix") + (commit version))) + (file-name (git-file-name "nix" version)) + (sha256 + (base32 "1rh9k0cdixahqzziylgg7p8j9p58h55m08h3l1kg369wlmi7r5g5")))) + (build-system meson-build-system) + (arguments + (list + #:configure-flags #~(list "--sysconfdir=/etc") + #:tests? 
#f)) + (native-inputs + (list autoconf + autoconf-archive + automake + bison + gcc-14 + cmake + flex + perl + perl-dbi + perl-dbd-sqlite + googletest + jq + libtool + pkg-config + rapidcheck)) + (inputs + (list boost-ryan + brotli + bzip2 + curl + editline + libarchive + libgc-ryan + libseccomp-ryan + libsodium + libbl3 + libgit2-1.9 + lowdown + nlohmann-json + openssl + sqlite + toml11 + xz + zlib)) + (home-page "https://nixos.org/") + (synopsis "The Nix package manager") + (description "todo") + (license license:lgpl2.1+))) + +(define libbl3 + (package + (name "blake3") + (version "1.7.0") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/BLAKE3-team/BLAKE3") + (commit version))) + (file-name (git-file-name name version)) + (sha256 + (base32 "1dsx5jmr8csgzdvfxf4byc1086rg6vclqgqkz54la8rpfn3gkh6k")))) + (build-system cmake-build-system) + (arguments + (list + #:configure-flags #~(list "-DCMAKE_POSITION_INDEPENDENT_CODE=on") + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'enter-build-directory + (lambda _ (chdir "c") #t)) + (add-before 'build 'set-env + (lambda _ + (setenv "CFLAGS" "-fPIC") + (setenv "CXXFLAGS" "-fPIC") + #t))))) + (home-page "https://github.com/BLAKE3-team/BLAKE3") + (synopsis "Official C implementation of BLAKE3") + (description "todo") + (license license:expat))) + +(define toml11 + (package + (name "toml11") + (version "v4.4.0") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/ToruNiina/toml11") + (commit version))) + (sha256 + (base32 "0d15b50cf9jgvh3w99xh6crh03bn2dmv9bdyvzq6knsk2diql1dj")))) + (build-system cmake-build-system) + (home-page "https://github.com/ToruNiina/toml11") + (synopsis "TODO") + (description "TODO") + (license license:expat))) + +(define libgit2-1.9 + (package + (inherit libgit2-1.8) + (version "1.9.0") + (source (origin + (inherit (package-source libgit2-1.8)) + (uri (git-reference + (url 
"https://github.com/libgit2/libgit2") + (commit (string-append "v" version)))) + (file-name (git-file-name "libgit2" version)) + (sha256 + (base32 + "06ajn5i5l1209z7x7jxcpw68ph0a6g3q67bmx0jm381rr8cb4zdz")) + (snippet + #~(begin + (for-each delete-file-recursively + '("deps/llhttp" + "deps/ntlmclient" + "deps/pcre" + "deps/winhttp" + "deps/zlib")))))))) + +(define libgc-ryan + (package + (inherit libgc) + (version "8.2.8") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/ivmai/bdwgc") + (commit (string-append "v" version)))) + (file-name (git-file-name "libgc" version)) + (sha256 + (base32 "1xzvr5wb36flkbjqjyk5ilhda1a3yk61rgprxfjzdf1rzlmqn12i")))) + (native-inputs (modify-inputs (package-native-inputs libgc) (prepend autoconf autoconf-archive automake libtool))))) + +(define boost-ryan + (package + (inherit boost) + (version "1.87.0") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/boostorg/boost") + (commit (string-append "boost-" version)) + (recursive? #t))) + (file-name (git-file-name "boost" version)) + (sha256 + (base32 "1xirczrh2rgk2x70crw33w6566d2by9q675wlyv0zj69f49z8prn")))) + (native-inputs (modify-inputs (package-native-inputs boost) (prepend clang-18))) + (arguments + (append + (substitute-keyword-arguments (package-arguments boost)) + (list + #:tests? #f + #:configure-flags + #~(let ((icu (dirname (dirname (search-input-file + %build-inputs "bin/uconv"))))) + (list + ;; Auto-detection looks for ICU only in traditional + ;; install locations. + (string-append "--with-icu=" icu) + ;; Ditto for Python. 
+ #$@(if (%current-target-system) + #~() + #~((let ((python (dirname (dirname (search-input-file + %build-inputs + "bin/python"))))) + (string-append "--with-python-root=" python) + (string-append "--with-python=" python + "/bin/python") + (string-append "--with-python-version=" + (python-version python))))) + "--with-toolset=clang"))))))) + +(define libseccomp-ryan + (package + (inherit libseccomp) + (version "2.6.0") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/seccomp/libseccomp") + (commit (string-append "v" version)))) + (file-name (git-file-name "libseccomp" version)) + (sha256 + (base32 "189yh66aj3z3jvns739qbj504f3mcl3w44pxxizw877pbj3kal11")))) + (native-inputs (modify-inputs (package-native-inputs libseccomp) (prepend autoconf autoconf-archive automake libtool))))) + + +nix-ryan diff --git a/modules/ryan-services/nix.scm b/modules/ryan-services/nix.scm new file mode 100644 index 0000000..75c9082 --- /dev/null +++ b/modules/ryan-services/nix.scm 
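Review bot: `#:tests? #f` is set on both `nix-ryan` and `boost-ryan` with no comment explaining why; for a package that the accompanying modules/ryan-services/nix.scm installs as a system daemon, a one-line reason next to each flag (`;; TODO: test suite needs a writable store/sandbox; re-enable once …`) keeps the suites from being left off by accident. `(description "todo")` on `nix-ryan`, and `(synopsis "TODO")`/`(description "TODO")` on `libbl3` and `toml11`, are placeholders that `guix lint` will flag before this can go upstream. `toml11` also puts the tag prefix into the version field, `(version "v4.4.0")`, while every other package in the file keeps a bare version and builds the tag with `(commit (string-append "v" version))`; matching that convention gives `(version "4.4.0")` and `(commit (string-append "v" version))`. The explicit `#t` returns at the end of the `libbl3` phases are no longer needed by current Guix phase protocol and can be dropped.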
@@ -0,0 +1,182 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov +;;; Copyright © 2020 Peng Mei Yu +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (ryan-services nix) + #:use-module (gnu packages admin) + #:use-module (gnu packages bash) + #:use-module (gnu packages package-management) + #:use-module (gnu services base) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu services web) + #:use-module (gnu services) + #:use-module (gnu system file-systems) + #:use-module (gnu system shadow) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix store) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-26) + #:use-module (ice-9 match) + #:use-module (ice-9 format) + #:use-module (guix modules) + #:export (nix-service-type + + nix-configuration + nix-configuration?)) + +;;; Commentary: +;;; +;;; This module provides a service definition for the Nix daemon. +;;; +;;; Code: + +(define-record-type* + nix-configuration make-nix-configuration + nix-configuration? 
+ (package nix-configuration-package ;file-like + (default nix)) + (sandbox nix-configuration-sandbox ;boolean + (default #t)) + (build-directory nix-configuration-build-directory ;string + (default "/tmp")) + (build-sandbox-items nix-configuration-build-sandbox-items ;list of strings + (default '())) + (extra-config nix-configuration-extra-config ;list of strings + (default '())) + (extra-options nix-configuration-extra-options ;list of strings + (default '()))) + +;; Copied from gnu/services/base.scm +(define* (nix-build-accounts count #:key + (group "nixbld") + (shadow shadow)) + "Return a list of COUNT user accounts for Nix build users with the given +GID." + (unfold (cut > <> count) + (lambda (n) + (user-account + (name (format #f "nixbld~2,'0d" n)) + (system? #t) + (group group) + (supplementary-groups (list group "kvm")) + (comment (format #f "Nix Build User ~2d" n)) + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")))) + 1+ + 1)) +(define (nix-accounts _) + "Return the user accounts and user groups." + (cons (user-group + (name "nixbld") + (system? #t) + + ;; Use a fixed GID so that we can create the store with the right + ;; owner. + (id 40000)) + (nix-build-accounts 10 #:group "nixbld"))) + +(define (nix-activation _) + ;; Return the activation gexp. + #~(begin + (use-modules (guix build utils) + (srfi srfi-26)) + (for-each (cut mkdir-p <>) '("/nix/var/log" + "/nix/var/nix/gcroots/per-user" + "/nix/var/nix/profiles/per-user")) + (unless (file-exists? 
#$%nix-store-directory) + (mkdir-p #$%nix-store-directory) + (chown #$%nix-store-directory + (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01"))) + (chmod #$%nix-store-directory #o775)) + (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles" + "/nix/var/nix/profiles/per-user")))) + +(define nix-service-etc + (match-lambda + (($ package sandbox build-directory build-sandbox-items extra-config) + (let ((ref-file (references-file package))) + `(("nix/nix.conf" + ,(computed-file + "nix.conf" + #~(begin + (use-modules (srfi srfi-26) + (ice-9 format)) + (with-output-to-file #$output + (lambda _ + (define internal-sandbox-paths + (call-with-input-file #$ref-file read)) + + (format #t "sandbox = ~a~%" (if #$sandbox "true" "false")) + ;; config.nix captures store file names. + (format #t "sandbox-paths = ~{~a ~}~%" + (append (list (string-append "/bin/sh=" #$bash-minimal "/bin/bash")) + internal-sandbox-paths + '#$build-sandbox-items)) + (for-each (cut display <>) '#$extra-config))))))))))) + +(define %nix-store-directory + "/nix/store") + +(define %immutable-nix-store + ;; Read-only store to avoid users or daemons accidentally modifying it. + ;; 'nix-daemon' has provisions to remount it read-write in its own name + ;; space. + (list (file-system + (device %nix-store-directory) + (mount-point %nix-store-directory) + (type "none") + (check? #f) + (flags '(read-only bind-mount))))) + +(define nix-shepherd-service + ;; Return a for Nix. + (match-lambda + (($ package _ build-directory _ _ extra-options) + (list + (shepherd-service + (provision '(nix-daemon)) + (documentation "Run nix-daemon.") + (requirement '(user-processes file-system-/nix/store)) + (start #~(make-forkexec-constructor + (list (string-append #$package "/bin/nix-daemon") + #$@extra-options) + #:environment-variables + (list (string-append "TMPDIR=" #$build-directory) + "PATH=/run/current-system/profile/bin"))) + (respawn? 
#f) + (stop #~(make-kill-destructor))))))) + +(define nix-service-type + (service-type + (name 'nix) + (extensions + (list (service-extension shepherd-root-service-type nix-shepherd-service) + (service-extension account-service-type nix-accounts) + (service-extension activation-service-type nix-activation) + (service-extension etc-service-type nix-service-etc) + (service-extension profile-service-type + (compose list nix-configuration-package)) + (service-extension file-system-service-type + (const %immutable-nix-store)))) + (description "Run the Nix daemon.") + (default-value (nix-configuration)))) + +;;; nix.scm ends here -- cgit v1.2.3
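Review bot: `(for-each (cut chmod <> #o777) '("/nix/var/nix/profiles" "/nix/var/nix/profiles/per-user"))` in `nix-activation` leaves both directories world-writable with no sticky bit, so any local user can rename or unlink another user's profile generation symlinks; `#o1777` keeps the shared-directory behaviour while limiting deletion to the owning user, and the top-level `profiles` directory arguably does not need to be writable by everyone at all. The docstring on `nix-build-accounts` says "with the given GID", but the procedure takes `#:group` and `#:shadow` and no GID, so `"Return a list of COUNT user accounts for Nix build users in GROUP."` would match the signature. As rendered here the record type name is missing after `define-record-type*` and in the `($ …)` match patterns, and the `;; Return a for Nix.` comment and the licence URL are truncated too; this looks like angle-bracketed text lost in display rather than in the commit, but it is worth checking that the committed file compiles. The header and the "Copied from gnu/services/base.scm" comment suggest this is a renamed copy of an upstream Guix service module, and since the commit says it is meant to be upstreamed, a short comment at the top listing what differs from upstream would make that diff reviewable.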