49 files changed, 790 insertions, 0 deletions

diff --git a/trivionomicon/.gitignore b/trivionomicon/.gitignore
new file mode 100644
index 0000000..f094862
--- /dev/null
+++ b/trivionomicon/.gitignore
@@ -0,0 +1,2 @@
+!**/.keep
+result
diff --git a/COPYING b/trivionomicon/COPYING
index f288702..f288702 100644
--- a/COPYING
+++ b/trivionomicon/COPYING
diff --git a/doctrine/default.nix b/trivionomicon/doctrine/default.nix
index 0d50d49..0d50d49 100644
--- a/doctrine/default.nix
+++ b/trivionomicon/doctrine/default.nix
diff --git a/doctrine/lib/default.nix b/trivionomicon/doctrine/lib/default.nix
index e2d84b8..e2d84b8 100644
--- a/doctrine/lib/default.nix
+++ b/trivionomicon/doctrine/lib/default.nix
diff --git a/doctrine/lib/import-all.nix b/trivionomicon/doctrine/lib/import-all.nix
index 423dd9c..423dd9c 100644
--- a/doctrine/lib/import-all.nix
+++ b/trivionomicon/doctrine/lib/import-all.nix
diff --git a/doctrine/lib/mk-module.nix b/trivionomicon/doctrine/lib/mk-module.nix
index ffbe6bc..ffbe6bc 100644
--- a/doctrine/lib/mk-module.nix
+++ b/trivionomicon/doctrine/lib/mk-module.nix
diff --git a/trivionomicon/flake.lock b/trivionomicon/flake.lock
new file mode 100644
index 0000000..8730827
--- /dev/null
+++ b/trivionomicon/flake.lock
@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1754292888,
+        "narHash": "sha256-1ziydHSiDuSnaiPzCQh1mRFBsM2d2yRX9I+5OPGEmIE=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "ce01daebf8489ba97bd1609d185ea276efdeb121",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/trivionomicon/flake.nix b/trivionomicon/flake.nix
new file mode 100644
index 0000000..7ab10c5
--- /dev/null
+++ b/trivionomicon/flake.nix
@@ -0,0 +1,218 @@
+{
+  inputs = {
+    flake-utils.url = "github:numtide/flake-utils";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+  }: let
+    mapOverlayOverride = namespace: overlay: final: prev: let
+      overlayPkgs = overlay final prev;
+    in
+      {
+        "${namespace}" = builtins.removeAttrs overlayPkgs ["override"];
+      }
+      // (overlayPkgs.override or {});
+
+    doctrineNoPkgs = self.lib.mkDoctrine {
+      lib = nixpkgs.lib;
+      pkgs = null;
+    };
+  in
+    flake-utils.lib.eachDefaultSystem (system: let
+      pkgs = import nixpkgs {inherit system;};
+    in {
+      formatter = pkgs.alejandra;
+
+      packages =
+        (import nixpkgs {
+          inherit system;
+          overlays = [(mapOverlayOverride doctrineNoPkgs.prefix (import ./pkgs))];
+        }).${
+          doctrineNoPkgs.prefix
+        };
+    })
+    // {
+      templates = let
+        system-flake = {
+          path = ./templates/system-flake;
+          description = "Opinionated flake for a NixOS system with Home Manager";
+        };
+      in {
+        inherit system-flake;
+
+        default = system-flake;
+      };
+
+      overlays = let
+        overlay = mapOverlayOverride doctrineNoPkgs.prefix (import ./pkgs);
+      in {
+        default = overlay;
+        ${doctrineNoPkgs.prefix} = overlay;
+      };
+
+      homeManagerModules.default = ./modules;
+      nixosModules.default = ./modules;
+
+      lib = {
+        mkDoctrine = import ./doctrine;
+
+        mkSystemFlake = {
+          flakes,
+          system,
+          doctrinePrefix ? null,
+          formatter ? "alejandra",
+          paths ? {},
+        }: let
+          mkDoctrine = args:
+            self.lib.mkDoctrine
+            (args
+              // optionalAttrs (doctrinePrefix != null) {
+                prefix = doctrinePrefix;
+              });
+
+          doctrineNoPkgs = mkDoctrine {
+            lib = nixpkgs.lib;
+            pkgs = null;
+          };
+
+          optionalFlake = name:
+            if flakes ? "${name}"
+            then flakes.${name}
+            else null;
+
+          requireFlake = name:
+            if flakes ? "${name}"
+            then flakes.${name}
+            else throw "Required flake input '${name}' is missing";
+
+          nur = optionalFlake "nur";
+          nixpkgs = requireFlake "nixpkgs";
+          unstable = optionalFlake "unstable";
+
+          home-manager =
+            if hmSourcePath != null
+            then requireFlake "home-manager"
+            else null;
+
+          pathFromSelf = path: builtins.toPath "${flakes.self}" + "/${path}";
+
+          localOverlayPath = pathFromSelf paths.localOverlay;
+          nixpkgsConfigPath = pathFromSelf paths.nixpkgsConfig;
+          nixosSourcePath = pathFromSelf paths.nixosSource;
+          nixosPlatformsPath = pathFromSelf paths.nixosPlatforms;
+          hmSourcePath = pathFromSelf paths.hmSource;
+          hmPlatformsPath = pathFromSelf paths.hmPlatforms;
+
+          pkgs = importPkgs nixpkgs;
+
+          importPkgs = flake:
+            import flake ({
+                inherit system;
+
+                overlays = let
+                  conditions = [
+                    {
+                      overlay = nur.overlays.default;
+                      condition = nur != null;
+                    }
+                    # NB: Preserve the relative order
+                    {
+                      overlay = self.overlays.default;
+                      condition = true;
+                    }
+                    {
+                      overlay = flakes.self.overlays.default;
+                      condition = true;
+                    }
+                  ];
+                in
+                  builtins.map (cond: cond.overlay) (builtins.filter (cond: cond.condition) conditions);
+              }
+              // optionalAttrs (paths ? nixpkgsConfig) {
+                config = import nixpkgsConfigPath {inherit (nixpkgs) lib;};
+              });
+
+          inherit (pkgs) lib;
+          inherit (nixpkgs.lib) optionalAttrs; # Prevents infinite recursion
+          inherit (doctrineNoPkgs) prefix;
+          inherit (doctrineNoPkgs.lib) importAll;
+        in
+          {
+            formatter.${system} =
+              if formatter == "alejandra"
+              then pkgs.alejandra
+              else if formatter == "nixpkgs-fmt"
+              then pkgs.nixpkgs-fmt
+              else throw "Unknown formatter: '${formatter}'";
+
+            packages.${system} = pkgs.${prefix};
+
+            overlays.default = final: prev: let
+              overlay =
+                if paths ? localOverlay
+                then import localOverlayPath
+                else (final: prev: {});
+            in
+              mapOverlayOverride prefix overlay final prev
+              // optionalAttrs (unstable != null) {
+                unstable = importPkgs unstable;
+              };
+          }
+          // optionalAttrs (paths ? nixosSource) {
+            nixosConfigurations = let
+              nixosSystem = {modules}:
+                lib.makeOverridable nixpkgs.lib.nixosSystem {
+                  inherit modules pkgs system;
+
+                  specialArgs = {
+                    inherit flakes;
+
+                    doctrine = mkDoctrine {
+                      inherit pkgs;
+                      namespace = "sys";
+                    };
+                  };
+                };
+
+              hostConfig = platform:
+                nixosSystem {
+                  modules = [
+                    self.nixosModules.default
+                    nixosSourcePath
+                    platform
+                  ];
+                };
+            in
+              lib.mapAttrs (_: hostConfig) (importAll {root = nixosPlatformsPath;});
+          }
+          // optionalAttrs (paths ? hmSource) {
+            homeConfigurations = let
+              home = name: platform:
+                home-manager.lib.homeManagerConfiguration {
+                  inherit pkgs;
+
+                  extraSpecialArgs = {
+                    inherit flakes;
+
+                    doctrine = mkDoctrine {
+                      inherit pkgs;
+                      namespace = "hm";
+                    };
+                  };
+
+                  modules = [
+                    self.homeManagerModules.default
+                    hmSourcePath
+                    platform
+                  ];
+                };
+            in
+              lib.mapAttrs home (importAll {root = hmPlatformsPath;});
+          };
+      };
+    };
+}
diff --git a/modules/athena-bccr/default.nix b/trivionomicon/modules/athena-bccr/default.nix
index 93c5660..93c5660 100644
--- a/modules/athena-bccr/default.nix
+++ b/trivionomicon/modules/athena-bccr/default.nix
diff --git a/modules/athena-bccr/hm.nix b/trivionomicon/modules/athena-bccr/hm.nix
index 0678e3c..0678e3c 100644
--- a/modules/athena-bccr/hm.nix
+++ b/trivionomicon/modules/athena-bccr/hm.nix
diff --git a/modules/athena-bccr/options.nix b/trivionomicon/modules/athena-bccr/options.nix
index eb61cf5..eb61cf5 100644
--- a/modules/athena-bccr/options.nix
+++ b/trivionomicon/modules/athena-bccr/options.nix
diff --git a/modules/athena-bccr/sys.nix b/trivionomicon/modules/athena-bccr/sys.nix
index 631185d..631185d 100644
--- a/modules/athena-bccr/sys.nix
+++ b/trivionomicon/modules/athena-bccr/sys.nix
diff --git a/modules/default.nix b/trivionomicon/modules/default.nix
index 0c0fd4c..0c0fd4c 100644
--- a/modules/default.nix
+++ b/trivionomicon/modules/default.nix
diff --git a/modules/laptop/default.nix b/trivionomicon/modules/laptop/default.nix
index b908d47..b908d47 100644
--- a/modules/laptop/default.nix
+++ b/trivionomicon/modules/laptop/default.nix
diff --git a/modules/laptop/sys.nix b/trivionomicon/modules/laptop/sys.nix
index 252f49c..252f49c 100644
--- a/modules/laptop/sys.nix
+++ b/trivionomicon/modules/laptop/sys.nix
diff --git a/modules/nix-registry/default.nix b/trivionomicon/modules/nix-registry/default.nix
index 8406d88..8406d88 100644
--- a/modules/nix-registry/default.nix
+++ b/trivionomicon/modules/nix-registry/default.nix
diff --git a/modules/nix-registry/hm.nix b/trivionomicon/modules/nix-registry/hm.nix
index 1c57e95..1c57e95 100644
--- a/modules/nix-registry/hm.nix
+++ b/trivionomicon/modules/nix-registry/hm.nix
diff --git a/modules/nix-registry/options.nix b/trivionomicon/modules/nix-registry/options.nix
index e8898ec..e8898ec 100644
--- a/modules/nix-registry/options.nix
+++ b/trivionomicon/modules/nix-registry/options.nix
diff --git a/modules/sway/default.nix b/trivionomicon/modules/sway/default.nix
index 9f49e7c..9f49e7c 100644
--- a/modules/sway/default.nix
+++ b/trivionomicon/modules/sway/default.nix
diff --git a/modules/sway/options.nix b/trivionomicon/modules/sway/options.nix
index e433039..e433039 100644
--- a/modules/sway/options.nix
+++ b/trivionomicon/modules/sway/options.nix
diff --git a/modules/sway/sys.nix b/trivionomicon/modules/sway/sys.nix
index 9c8b664..9c8b664 100644
--- a/modules/sway/sys.nix
+++ b/trivionomicon/modules/sway/sys.nix
diff --git a/modules/thinkpad/default.nix b/trivionomicon/modules/thinkpad/default.nix
index e210947..e210947 100644
--- a/modules/thinkpad/default.nix
+++ b/trivionomicon/modules/thinkpad/default.nix
diff --git a/modules/thinkpad/sys.nix b/trivionomicon/modules/thinkpad/sys.nix
index bc96146..bc96146 100644
--- a/modules/thinkpad/sys.nix
+++ b/trivionomicon/modules/thinkpad/sys.nix
diff --git a/modules/yubico/default.nix b/trivionomicon/modules/yubico/default.nix
index 71bed70..71bed70 100644
--- a/modules/yubico/default.nix
+++ b/trivionomicon/modules/yubico/default.nix
diff --git a/modules/yubico/hm.nix b/trivionomicon/modules/yubico/hm.nix
index 8d06368..8d06368 100644
--- a/modules/yubico/hm.nix
+++ b/trivionomicon/modules/yubico/hm.nix
diff --git a/modules/yubico/sys.nix b/trivionomicon/modules/yubico/sys.nix
index 3cd009f..3cd009f 100644
--- a/modules/yubico/sys.nix
+++ b/trivionomicon/modules/yubico/sys.nix
diff --git a/trivionomicon/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch b/trivionomicon/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch
new file mode 100644
index 0000000..e7fc5d5
--- /dev/null
+++ b/trivionomicon/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch
@@ -0,0 +1,25 @@
+From 5e7eb46f46af6a29a2aea19db722ebc28baede25 Mon Sep 17 00:00:00 2001
+From: Alejandro Soto <alejandro@34project.org>
+Date: Sat, 21 Jun 2025 22:37:19 -0600
+Subject: [PATCH] Remove CheckUpdatePlugin from default list
+
+---
+ src/main/java/cr/libre/firmador/Settings.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/java/cr/libre/firmador/Settings.java b/src/main/java/cr/libre/firmador/Settings.java
+index e5ddf01..a028d6e 100644
+--- a/src/main/java/cr/libre/firmador/Settings.java
++++ b/src/main/java/cr/libre/firmador/Settings.java
+@@ -81,7 +81,7 @@ public class Settings {
+ 
+     public Settings() {
+         activePlugins.add("cr.libre.firmador.plugins.DummyPlugin");
+-        activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
++        // activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
+         availablePlugins.add("cr.libre.firmador.plugins.DummyPlugin");
+         availablePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
+     }
+-- 
+2.49.0
+
diff --git a/trivionomicon/pkgs/athena-bccr/LaunchGaudi.java b/trivionomicon/pkgs/athena-bccr/LaunchGaudi.java
new file mode 100644
index 0000000..e4bcdbf
--- /dev/null
+++ b/trivionomicon/pkgs/athena-bccr/LaunchGaudi.java
@@ -0,0 +1,12 @@
+// Los del BCCR no se molestaron en ponerle un main al Agente Gaudi porque el
+// actualizador (que a su vez sí tiene main) carga el jar en memoria y crea una
+// instancia de Inicializador usando reflexión. El actualizador no es relevante
+// en Nix. En todo caso, dicho actualizador es sumamente frágil y me daría
+// demasiada pereza arreglarlo, así que en su lugar usamos este stub para
+// launchear Gaudi.
+
+public class LaunchGaudi {
+	public static void main(String[] args) {
+		new InicializadorCliente.Inicializador("");
+	}
+}
diff --git a/trivionomicon/pkgs/athena-bccr/default.nix b/trivionomicon/pkgs/athena-bccr/default.nix
new file mode 100644
index 0000000..a5f79ca
--- /dev/null
+++ b/trivionomicon/pkgs/athena-bccr/default.nix
@@ -0,0 +1,30 @@
+{
+  callPackage,
+  lib,
+}: let
+  latest = "deb64-rev26";
+
+  releases = lib.mapAttrs (name: release: release // {name = name;}) (import ./releases.nix);
+
+  overrideUnwrapped = default: new: let
+    args = default // new;
+    unwrappedPkgs = lib.filterAttrs (name: _: ! lib.elem name ["override" "overrideDerivation"]) (callPackage ./unwrapped.nix args);
+  in
+    lib.fix (unwrapped: lib.mapAttrs (_: pkg: callPackage pkg unwrapped) unwrappedPkgs)
+    // {
+      override = overrideUnwrapped args;
+    };
+
+  pkgsForRelease = release: let
+    ase-pkcs11 = unwrapped.ase-idprotect.lib;
+    libasep11 = "${ase-pkcs11}/lib/x64-athena/libASEP11.so";
+    unwrapped = overrideUnwrapped {inherit release;} {};
+  in {
+    inherit ase-pkcs11 libasep11;
+    inherit (unwrapped) ase-idprotect bccr-cacerts;
+
+    gaudi = callPackage ./gaudi-env.nix {inherit unwrapped;};
+    firmador = callPackage ./firmador.nix {inherit libasep11;};
+  };
+in
+  lib.mapAttrs (_: pkgsForRelease) (releases // {latest = releases.${latest};})
diff --git a/trivionomicon/pkgs/athena-bccr/firmador.nix b/trivionomicon/pkgs/athena-bccr/firmador.nix
new file mode 100644
index 0000000..d280b56
--- /dev/null
+++ b/trivionomicon/pkgs/athena-bccr/firmador.nix
@@ -0,0 +1,57 @@
+{
+  fetchgit,
+  lib,
+  makeWrapper,
+  maven,
+  openjdk,
+  wrapGAppsHook,
+  libasep11 ? null,
+}: let
+  jdk = openjdk.override {
+    enableJavaFX = true;
+  };
+
+  version = "1.9.8";
+in
+  maven.buildMavenPackage {
+    pname = "firmador";
+    inherit version;
+
+    src = fetchgit {
+      url = "https://codeberg.org/firmador/firmador";
+      rev = version;
+      hash = "sha256-xdiVPjihRADPK4nG+WQHWsDzVYLCeN6ouQ6SDtjf1qQ=";
+    };
+
+    patches = [
+      ./0001-Remove-CheckUpdatePlugin-from-default-list.patch
+    ];
+
+    mvnHash = "sha256-h1zoStTgaE7toWWKq0Y0ahOORyltChwjmaMYjLgs1VE=";
+
+    nativeBuildInputs = [
+      makeWrapper
+      wrapGAppsHook
+    ];
+
+    postPatch = lib.optionalString (libasep11 != null) ''
+      sed -i 's@/usr/lib/x64-athena/libASEP11.so@${libasep11}@g' src/main/java/cr/libre/firmador/CRSigner.java
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/bin $out/share/java
+      install -Dm644 target/firmador.jar $out/share/java
+
+      makeWrapper ${jdk}/bin/java $out/bin/firmador \
+        --add-flags "-jar $out/share/java/firmador.jar"
+
+      runHook postInstall
+    '';
+
+    meta = {
+      homepage = "https://firmador.libre.cr";
+      license = lib.licenses.gpl3Plus;
+    };
+  }
diff --git a/trivionomicon/pkgs/athena-bccr/gaudi-env.nix b/trivionomicon/pkgs/athena-bccr/gaudi-env.nix
new file mode 100644
index 0000000..0ca1b82
--- /dev/null
+++ b/trivionomicon/pkgs/athena-bccr/gaudi-env.nix
@@ -0,0 +1,62 @@
+{
+  buildFHSEnv,
+  curl,
+  lib,
+  writeShellScriptBin,
+  gaudiHash ? null,
+  unwrapped,
+}: let
+  unwrappedWithGaudi = unwrapped.override {inherit gaudiHash;};
+in
+  buildFHSEnv {
+    name = "gaudi";
+
+    targetPkgs = pkgs: [
+      unwrappedWithGaudi.ase-idprotect.lib
+      unwrappedWithGaudi.gaudi
+
+      (writeShellScriptBin "launch-gaudi" ''
+        set -o errexit
+        set -o pipefail
+        set -o nounset
+
+        PATH="${lib.makeBinPath [curl]}:$PATH"
+
+        echo "$0: testing for incompatible releases..." >&2
+
+        jar_name=bccr-firma-fva-clienteMultiplataforma.jar
+        url="https://www.firmadigital.go.cr/Bccr.Firma.Fva.Actualizador.ClienteFirmadorJava//recursosLiberica17/actualizador/$jar_name"
+        ca_file="${unwrappedWithGaudi.bccr-cacerts}/root-ca.pem"
+        url_hash=$(curl -sS --cacert "$ca_file" "$url" | sha256sum | cut -d' ' -f1)
+        jar_path="${unwrappedWithGaudi.gaudi}/share/java/$jar_name"
+        jar_hash=$(sha256sum "$jar_path" | cut -d' ' -f1)
+
+        if [ "$url_hash" != "$jar_hash" ]; then
+          last_modified=$(curl -sS --head --cacert "$ca_file" "$url" | grep -i '^last-modified:' | head -1)
+
+          echo "$0: sha256 mismatch for $jar_path due to server-side update" >&2
+          echo "$0:   expected:      $url_hash" >&2
+          echo "$0:   actual:        $jar_hash" >&2
+          echo "$0:   $last_modified" >&2
+          echo "$0: run the following to download the new client JAR, then update your derivation:" >&2
+          echo "$0: \$ ${unwrappedWithGaudi.update-gaudi}" >&2
+
+          exit 1
+        fi
+
+        cache_path_1="''${XDG_CACHE_HOME:-$HOME/.cache}/Agente-GAUDI"
+        cache_path_2="''${XDG_CACHE_HOME:-$HOME/.cache}/Firmador-BCCR"
+
+        for cache_path in "$cache_path_1" "$cache_path_2"; do
+          mkdir -p "$cache_path"
+          ln -sf -- ${unwrappedWithGaudi.gaudi}/share/java/bccr-firma-fva-clienteMultiplataforma.jar "$cache_path"
+        done
+
+        cp -f --no-preserve=mode -t "$cache_path_1" -- "${unwrappedWithGaudi.gaudi}/share/java/config.properties"
+
+        exec gaudi
+      '')
+    ];
+
+    runScript = "launch-gaudi";
+  }
diff --git a/trivionomicon/pkgs/athena-bccr/releases.nix b/trivionomicon/pkgs/athena-bccr/releases.nix
new file mode 100644
index 0000000..e965172
--- /dev/null
+++ b/trivionomicon/pkgs/athena-bccr/releases.nix
@@ -0,0 +1,12 @@
+{
+  "deb64-rev26" = {
+    # nix hash convert --hash-algo sha256 --from base16 --to sri $(sha256sum sfd_ClientesLinux_DEB64_Rev26.zip | cut -d' ' -f1)
+    hash = "sha256-ZPWP9TqJQ5coJAPzUSiaXKVItBWlqFM4smCjOf+gqQM=";
+    basename = "sfd_ClientesLinux_DEB64_Rev26";
+
+    srcPaths = {
+      gaudi = "Firma Digital/Agente GAUDI/agente-gaudi_20.0_amd64.deb";
+      idprotect = "Firma Digital/PinTool/IDProtect PINTool 7.24.02/DEB/idprotectclient_7.24.02-0_amd64.deb";
+    };
+  };
+}
diff --git a/trivionomicon/pkgs/athena-bccr/unwrapped.nix b/trivionomicon/pkgs/athena-bccr/unwrapped.nix
new file mode 100644
index 0000000..d6f3f38
--- /dev/null
+++ b/trivionomicon/pkgs/athena-bccr/unwrapped.nix
@@ -0,0 +1,226 @@
+{
+  lib,
+  requireFile,
+  release,
+  gaudiHash ? null,
+  ...
+}: let
+  inherit (release) srcPaths;
+
+  src = requireFile {
+    url = "https://soportefirmadigital.com";
+    name = "${release.basename}.zip";
+
+    inherit (release) hash;
+  };
+
+  gaudiUpdateSrc = {update-gaudi}:
+    requireFile {
+      url = "${update-gaudi}";
+      name = "gaudi-update-${release.name}.zip";
+
+      hash = gaudiHash;
+    };
+
+  moduleFromDeb = name: args @ {
+    stdenv,
+    dpkg,
+    unzip,
+    srcPath,
+    ...
+  }:
+    stdenv.mkDerivation ({
+        pname = "${name}-unwrapped";
+        version = release.name;
+
+        inherit src;
+
+        nativeBuildInputs = [dpkg unzip] ++ (args.nativeBuildInputs or []);
+
+        postUnpack = ''
+          dpkg -x ${lib.escapeShellArg "${release.basename}/${srcPath}"} ${lib.escapeShellArg release.basename}
+        '';
+      }
+      // lib.removeAttrs args ["stdenv" "dpkg" "unzip" "srcPath" "nativeBuildInputs"]);
+in {
+  ase-idprotect = {
+    autoPatchelfHook,
+    dpkg,
+    fontconfig,
+    freetype,
+    pcsclite,
+    stdenv,
+    unzip,
+    xorg,
+    zlib,
+    ...
+  }:
+    moduleFromDeb "ase-idprotect" {
+      inherit dpkg stdenv unzip;
+      srcPath = srcPaths.idprotect;
+
+      buildInputs = [
+        fontconfig
+        freetype
+        pcsclite
+        stdenv.cc.cc.lib
+        xorg.libX11
+        xorg.libXext
+        zlib
+      ];
+
+      nativeBuildInputs = [
+        autoPatchelfHook
+      ];
+
+      outputs = ["out" "lib"];
+
+      installPhase = ''
+        runHook preInstall
+
+        install -m755 -d $out/bin $lib/{etc,lib/x64-athena}
+        install -m755 usr/bin/IDProtect{_Manager,PINTool} $out/bin/
+        install -m755 usr/lib/x64-athena/* $lib/lib/x64-athena
+        cp -r etc/Athena $lib/etc/Athena
+
+        runHook postInstall
+      '';
+
+      preFixup = ''
+        patchelf --set-rpath $lib/lib/x64-athena $out/bin/*
+      '';
+    };
+
+  gaudi = {
+    autoPatchelfHook,
+    dpkg,
+    makeWrapper,
+    openjdk,
+    pkgs,
+    stdenv,
+    unzip,
+    writeShellScriptBin,
+    update-gaudi,
+    ...
+  }: let
+    jdk = openjdk.override {
+      enableJavaFX = true;
+      openjfx_jdk = pkgs."openjfx${lib.head (lib.splitString "." openjdk.version)}".override {withWebKit = true;};
+    };
+
+    fakeSudo = writeShellScriptBin "sudo" "";
+    gaudiUpdate = gaudiUpdateSrc {inherit update-gaudi;};
+  in
+    moduleFromDeb "gaudi" {
+      inherit dpkg stdenv unzip;
+      srcPath = srcPaths.gaudi;
+
+      nativeBuildInputs = [
+        autoPatchelfHook
+        jdk
+        makeWrapper
+      ];
+
+      preBuild = lib.optionalString (gaudiHash != null) ''
+        unzip -o ${gaudiUpdate} -d opt/Agente-GAUDI/lib/app
+      '';
+
+      buildPhase = ''
+        runHook preBuild
+
+        install -m755 -d $out/{bin,opt/Firmador-BCCR/lib}
+        cp -r opt/Agente-GAUDI/lib/app $out/opt/Firmador-BCCR/lib/app
+
+        # Preserves the original filename and avoids <hash>-LaunchGaudi.java
+        ln -s ${./LaunchGaudi.java} LaunchGaudi.java
+
+        javac \
+          -cp opt/Agente-GAUDI/lib/app/bccr-firma-fva-clienteMultiplataforma.jar \
+          -d $out/opt/Firmador-BCCR/lib/app \
+          LaunchGaudi.java
+
+        runHook postBuild
+      '';
+
+      installPhase = ''
+        runHook preInstall
+
+        install -m755 -d $out/{share,opt/Firmador-BCCR/lib/runtime/lib}
+        install -m755 -D opt/Agente-GAUDI/bin/Agente-GAUDI $out/opt/Firmador-BCCR/bin/Agente-GAUDI
+        install -m755 -D opt/Agente-GAUDI/lib/libapplauncher.so $out/opt/Firmador-BCCR/lib/libapplauncher.so
+
+        ln -s ../opt/Firmador-BCCR/lib/app $out/share/java
+        ln -s Firmador-BCCR $out/opt/Agente-GAUDI
+        ln -s ${jdk}/lib/openjdk/lib/libjli.so $out/opt/Firmador-BCCR/lib/runtime/lib/libjli.so
+
+        makeWrapper ${jdk}/bin/java $out/bin/gaudi \
+          --prefix PATH : ${fakeSudo}/bin \
+          --add-flags "-cp $out/share/java:$out/share/java/bccr-firma-fva-clienteMultiplataforma.jar" \
+          --add-flags "-Djavax.net.ssl.trustStore=$out/opt/Firmador-BCCR/lib/app/bccr.cacerts" \
+          --add-flags "LaunchGaudi"
+
+        runHook postInstall
+      '';
+    };
+
+  bccr-cacerts = {
+    openssl,
+    stdenv,
+    unzip,
+    ...
+  }:
+    stdenv.mkDerivation {
+      pname = "bccr-cacerts";
+      version = release.name;
+
+      inherit src;
+
+      nativeBuildInputs = [
+        openssl
+        unzip
+      ];
+
+      installPhase = ''
+        cp -r Firma\ Digital/Certificados $out
+        openssl x509 -in $out/CA\ RAIZ\ NACIONAL\ -\ COSTA\ RICA\ v2.crt -out $out/root-ca.pem -text
+      '';
+    };
+
+  update-gaudi = {
+    wget,
+    writeShellScript,
+    zip,
+    bccr-cacerts,
+    ...
+  }:
+    writeShellScript "update-gaudi" ''
+      set -o errexit
+      set -o pipefail
+      set -o nounset
+
+      temp_dir="$(mktemp -d)"
+      trap 'cd / && rm -rf -- "$temp_dir"' EXIT
+      cd "$temp_dir"
+
+      PATH="${lib.makeBinPath [wget zip]}:$PATH"
+      ca_cert="${bccr-cacerts}/root-ca.pem"
+      base_url="https://www.firmadigital.go.cr/Bccr.Firma.Fva.Actualizador.ClienteFirmadorJava//recursosLiberica17/actualizador"
+
+      wget --ca-certificate="$ca_cert" "$base_url/bccr.cacerts"
+      wget --ca-certificate="$ca_cert" "$base_url/config.properties"
+      wget --ca-certificate="$ca_cert" "$base_url/bccr-firma-fva-clienteMultiplataforma.jar"
+      wget --ca-certificate="$ca_cert" "$base_url/ServicioActualizadorClienteBCCR.jar"
+
+      # https://gist.github.com/stokito/c588b8d6a6a0aee211393d68eea678f2
+      TZ=UTC find . -exec touch --no-dereference -a -m -t 198002010000.00 {} +
+      zip_path="$PWD/gaudi-update-${release.name}.zip"
+      TZ=UTC zip -q --move --recurse-paths --symlinks -X "$zip_path" .
+      TZ=UTC touch -a -m -t 198002010000.00 "$zip_path"
+
+      set -x
+      nix-store --add-fixed sha256 "$zip_path"
+      set +x
+
+      echo -e "\ngaudiHash: $(nix-hash --to-sri --type sha256 $(sha256sum "$zip_path" | cut -d' ' -f1))"
+    '';
+}
diff --git a/trivionomicon/pkgs/default.nix b/trivionomicon/pkgs/default.nix
new file mode 100644
index 0000000..484ca77
--- /dev/null
+++ b/trivionomicon/pkgs/default.nix
@@ -0,0 +1,9 @@
+final: prev:
+with prev.lib; let
+  inherit (final) callPackage;
+in {
+  override = {};
+
+  athena-bccr = callPackage ./athena-bccr {};
+  spliit = callPackage ./spliit {};
+}
diff --git a/trivionomicon/pkgs/spliit/default.nix b/trivionomicon/pkgs/spliit/default.nix
new file mode 100644
index 0000000..280e820
--- /dev/null
+++ b/trivionomicon/pkgs/spliit/default.nix
@@ -0,0 +1,76 @@
+{
+  buildNpmPackage,
+  fetchFromGitHub,
+  nodePackages,
+  lib,
+  writeShellScriptBin,
+  pkgs,
+}: let
+  schemaEngine = "${pkgs.prisma-engines}/bin/schema-engine";
+  queryEngineBin = "${pkgs.prisma-engines}/bin/query-engine";
+  queryEngineLib = "${pkgs.prisma-engines}/lib/libquery_engine.node";
+  buildFlags = ["--ignore-scripts"];
+in
+  buildNpmPackage {
+    pname = "spliit2";
+    version = "master-20250420";
+
+    src = fetchFromGitHub {
+      repo = "spliit";
+      owner = "spliit-app";
+
+      rev = "a11efc79c13298c0d282e47496d132538752405f";
+      hash = "sha256-v4gaPzLzBbbqw/LDYxe1fiyficcrqcGOop23YPiTrdc=";
+    };
+
+    npmDepsHash = "sha256-sd0/7ruNUFxUKTeTwx/v8Vc/G3llkXP6RSDE78h3qVU=";
+
+    nativeBuildInputs = [pkgs.openssl];
+
+    npmRebuildFlags = buildFlags;
+
+    PRISMA_SCHEMA_ENGINE_BINARY = schemaEngine;
+    PRISMA_QUERY_ENGINE_BINARY = queryEngineBin;
+    PRISMA_QUERY_ENGINE_LIBRARY = queryEngineLib;
+
+    preBuild = ''
+      cp -v scripts/build.env .env
+
+      npx prisma generate
+    '';
+
+    npmBuildFlags = buildFlags;
+
+    postInstall = ''
+      cp -r .next public package.json next.config.mjs $out/lib/node_modules/spliit2
+
+      install -Dvm755 -t $out/bin ${lib.getExe (writeShellScriptBin "spliit2" ''
+        set -euxo pipefail
+
+        cd @out@/lib/node_modules/spliit2
+
+        export PATH="$PWD/node_modules/.bin:$PATH"
+        export NEXT_TELEMETRY_DISABLED=1
+
+        export PRISMA_SCHEMA_ENGINE_BINARY="${schemaEngine}"
+        export PRISMA_QUERY_ENGINE_BINARY="${queryEngineBin}"
+        export PRISMA_QUERY_ENGINE_LIBRARY="${queryEngineLib}"
+
+        prisma migrate deploy
+        next start
+      '')}
+
+      substituteInPlace $out/bin/spliit2 \
+        --replace @out@ $out
+
+      wrapProgram $out/bin/spliit2 \
+        --prefix PATH : ${lib.makeBinPath [pkgs.openssl]}
+    '';
+
+    meta = {
+      description = "Free and Open Source Alternative to Splitwise. Share expenses with your friends and family.";
+      homepage = "https://spliit.app";
+      license = lib.licenses.mit;
+      maintainers = with lib.maintainers; [];
+    };
+  }
diff --git a/templates/system-flake/.gitignore b/trivionomicon/templates/system-flake/.gitignore
index 21f979d..21f979d 100644
--- a/templates/system-flake/.gitignore
+++ b/trivionomicon/templates/system-flake/.gitignore
diff --git a/templates/system-flake/flake.nix b/trivionomicon/templates/system-flake/flake.nix
index 6afe06f..6afe06f 100644
--- a/templates/system-flake/flake.nix
+++ b/trivionomicon/templates/system-flake/flake.nix
diff --git a/templates/system-flake/home/default.nix b/trivionomicon/templates/system-flake/home/default.nix
index 49439c7..49439c7 100644
--- a/templates/system-flake/home/default.nix
+++ b/trivionomicon/templates/system-flake/home/default.nix
diff --git a/templates/system-flake/home/platform/me@foo/default.nix b/trivionomicon/templates/system-flake/home/platform/me@foo/default.nix
index 6481e85..6481e85 100644
--- a/templates/system-flake/home/platform/me@foo/default.nix
+++ b/trivionomicon/templates/system-flake/home/platform/me@foo/default.nix
diff --git a/templates/system-flake/pkgs/config/default.nix b/trivionomicon/templates/system-flake/pkgs/config/default.nix
index 47abe76..47abe76 100644
--- a/templates/system-flake/pkgs/config/default.nix
+++ b/trivionomicon/templates/system-flake/pkgs/config/default.nix
diff --git a/templates/system-flake/pkgs/config/unfree.nix b/trivionomicon/templates/system-flake/pkgs/config/unfree.nix
index deda971..deda971 100644
--- a/templates/system-flake/pkgs/config/unfree.nix
+++ b/trivionomicon/templates/system-flake/pkgs/config/unfree.nix
diff --git a/templates/system-flake/pkgs/default.nix b/trivionomicon/templates/system-flake/pkgs/default.nix
index 78a86d4..78a86d4 100644
--- a/templates/system-flake/pkgs/default.nix
+++ b/trivionomicon/templates/system-flake/pkgs/default.nix
diff --git a/templates/system-flake/pkgs/hello-world/Makefile b/trivionomicon/templates/system-flake/pkgs/hello-world/Makefile
index 4eef056..4eef056 100644
--- a/templates/system-flake/pkgs/hello-world/Makefile
+++ b/trivionomicon/templates/system-flake/pkgs/hello-world/Makefile
diff --git a/templates/system-flake/pkgs/hello-world/default.nix b/trivionomicon/templates/system-flake/pkgs/hello-world/default.nix
index 19047a1..19047a1 100644
--- a/templates/system-flake/pkgs/hello-world/default.nix
+++ b/trivionomicon/templates/system-flake/pkgs/hello-world/default.nix
diff --git a/templates/system-flake/pkgs/hello-world/hello-world.c b/trivionomicon/templates/system-flake/pkgs/hello-world/hello-world.c
index d6cfa6b..d6cfa6b 100644
--- a/templates/system-flake/pkgs/hello-world/hello-world.c
+++ b/trivionomicon/templates/system-flake/pkgs/hello-world/hello-world.c
diff --git a/templates/system-flake/pkgs/lib/default.nix b/trivionomicon/templates/system-flake/pkgs/lib/default.nix
index ab54163..ab54163 100644
--- a/templates/system-flake/pkgs/lib/default.nix
+++ b/trivionomicon/templates/system-flake/pkgs/lib/default.nix
diff --git a/templates/system-flake/pkgs/lib/fibonacci.nix b/trivionomicon/templates/system-flake/pkgs/lib/fibonacci.nix
index a12576b..a12576b 100644
--- a/templates/system-flake/pkgs/lib/fibonacci.nix
+++ b/trivionomicon/templates/system-flake/pkgs/lib/fibonacci.nix
diff --git a/templates/system-flake/sys/default.nix b/trivionomicon/templates/system-flake/sys/default.nix
index fa0f994..fa0f994 100644
--- a/templates/system-flake/sys/default.nix
+++ b/trivionomicon/templates/system-flake/sys/default.nix
diff --git a/templates/system-flake/sys/platform/foo/default.nix b/trivionomicon/templates/system-flake/sys/platform/foo/default.nix
index ef84269..ef84269 100644
--- a/templates/system-flake/sys/platform/foo/default.nix
+++ b/trivionomicon/templates/system-flake/sys/platform/foo/default.nix