Unfinished attempt at packaging pia client

Add ISO build
Use upstream nvidia reverse prime support
2023-02-08 01:38:54 -05:00 · 2023-02-08 01:36:23 -05:00 · 2023-02-08 01:35:25 -05:00 · 2023-02-08 00:59:29 -05:00 · 2023-02-08 00:33:47 -05:00 · 2023-02-06 22:45:34 -05:00
111 changed files with 3676 additions and 10005 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
 result
--- a/README.md
+++ b/README.md
@@ -0,0 +1,12 @@
 # My NixOS configurations
 ### Source Layout
 - `/common` - common configuration imported into all `/machines`
    - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
    - `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
    - `/ssh.nix` - all ssh public host and user keys for all `/machines`
 - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
 - `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1,85 @@
 # A place for brain dump ideas maybe to be taken off of the shelve one day
 ### NixOS webtools
 - Better options search https://mynixos.com/options/services 
 ### Interesting ideas for restructuring nixos config
 - https://github.com/gytis-ivaskevicius/flake-utils-plus
 - https://github.com/divnix/digga/tree/main/examples/devos
 - https://digga.divnix.com/
 - https://nixos.wiki/wiki/Comparison_of_NixOS_setups
 ### Housekeeping
 - Format everything here using nixfmt
 - Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
 - CI https://gvolpe.com/blog/nixos-binary-cache-ci/
 - remove `options.currentSystem`
 - allow `hostname` option for webservices to be null to disable configuring nginx
 ### NAS
 - helios64 extra led lights
 - safely turn off NAS on power disconnect
 - hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
 - tor unlock
 ### bcachefs
 - bcachefs health alerts via email
 - bcachefs periodic snapshotting
 - use mount.bcachefs command for mounting
 - bcachefs native encryption
    - just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
 ### Shell Comands
 - tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
 ### Services
 - setup archivebox
 - radio https://tildegit.org/tilderadio/site
 - music
    - mopidy
        - use the jellyfin plugin?
    - navidrome
        - spotify secrets for navidrome
    - picard for music tagging
    - alternative music software
        - https://www.smarthomebeginner.com/best-music-server-software-options/
        - https://funkwhale.audio/
        - https://github.com/epoupon/lms
        - https://github.com/benkaiser/stretto
        - https://github.com/blackcandy-org/black_candy
        - https://github.com/koel/koel
        - https://airsonic.github.io/
        - https://ampache.org/
 - replace nextcloud with seafile
 ### VPN container
 - use wireguard for vpn
    - https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
    - https://github.com/pia-foss/manual-connections
    - port forwarding for vpn
        - transmission using forwarded port
    - https://www.wireguard.com/netns/
    - one way firewall for vpn container
 ### Networking
 - tailscale for p2p connections
    - remove all use of zerotier
 ### Archive
 - https://www.backblaze.com/b2/cloud-storage.html
 - email
    - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
    - http://kb.unixservertech.com/software/dovecot/archiveserver
 ### Paranoia
 - https://christine.website/blog/paranoid-nixos-2021-07-18
 - https://nixos.wiki/wiki/Impermanence
 ### Misc
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper
 ### Future Interests (upon merge into nixpkgs)
 - nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
 - glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356
--- a/common/auto-update.nix
+++ b/common/auto-update.nix
@@ -0,0 +1,14 @@
 { config, lib, ... }:
 # Modify auto-update so that it pulls a flake
 let
  cfg = config.system.autoUpgrade;
 in {
  config = lib.mkIf cfg.enable {
    system.autoUpgrade = {
      flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
      flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
    };
  };
 }
--- a/common/boot/bios.nix
+++ b/common/boot/bios.nix
@@ -12,8 +12,6 @@ in {
  };
  config = mkIf cfg.enable {
    # Enable microcode
    firmware.x86_64.enable = true;
    # Use GRUB 2 for BIOS
    boot.loader = {
      timeout = 2;
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@@ -0,0 +1,10 @@
 { lib, config, pkgs, ... }:
 {
  imports = [
    ./firmware.nix
    ./efi.nix
    ./bios.nix
    ./luks.nix
  ];
 }
--- a/common/boot/efi.nix
+++ b/common/boot/efi.nix
@@ -9,8 +9,6 @@ in {
  };
  config = mkIf cfg.enable {
    # Enable microcode
    firmware.x86_64.enable = true;
    # Use GRUB2 for EFI
    boot.loader = {
      efi.canTouchEfiVariables = true;
--- a/common/common.nix
+++ b/common/common.nix
@@ -1,51 +0,0 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./flakes.nix
    ./pia.nix
    ./zerotier.nix
    ./boot/firmware.nix
    ./boot/efi.nix
    ./boot/bios.nix
    ./boot/luks.nix
    ./server/nginx.nix
    ./server/thelounge.nix
    ./server/mumble.nix
    ./server/icecast.nix
    ./server/nginx-stream.nix
    ./server/matrix.nix
    ./server/zerobin.nix
    ./server/gitea.nix
    ./server/privatebin/privatebin.nix
    ./pc/de.nix
  ];
  system.stateVersion = "20.09";
  networking.useDHCP = false;
  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";
  services.openssh.enable = true;
  environment.systemPackages = with pkgs; [
    wget kakoune htop git dnsutils tmux nethogs iotop
  ];
  nixpkgs.config.allowUnfree = true;
  users.mutableUsers = false;
  users.users.googlebot = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
    ];
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
  };
 }
--- a/common/default.nix
+++ b/common/default.nix
@@ -0,0 +1,67 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./flakes.nix
    ./auto-update.nix
    ./shell.nix
    ./network
    ./boot
    ./server
    ./pc
  ];
  nix.flakes.enable = true;
  system.stateVersion = "21.11";
  networking.useDHCP = false;
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";
  services.openssh.enable = true;
  programs.mosh.enable = true;
  environment.systemPackages = with pkgs; [
    wget
    kakoune
    htop
    git git-lfs
    dnsutils
    tmux
    nethogs
    iotop
    pciutils
    usbutils
    killall
    screen
    micro
    helix
    lm_sensors
  ];
  nixpkgs.config.allowUnfree = true;
  users.mutableUsers = false;
  users.users.googlebot = {
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "dialout" # serial
    ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = (import ./ssh.nix).users;
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
    uid = 1000;
  };
  nix.trustedUsers = [ "root" "googlebot" ];
  nix.gc.automatic = true;
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "zuckerberg@neet.dev";
 }
--- a/common/flakes.nix
+++ b/common/flakes.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, inputs, ... }:
+{ lib, pkgs, config, ... }:
 with lib;
 let
  cfg = config.nix.flakes;
@@ -15,7 +15,10 @@ in {
      '';
      # pin nixpkgs for system commands such as "nix shell"
-      registry.nixpkgs.flake = inputs.nixpkgs;
+      registry.nixpkgs.flake = config.inputs.nixpkgs;
      # pin system nixpkgs to the same version as the flake input
      nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
    };
  };
 }
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -0,0 +1,23 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.networking;
 in
 {
  imports = [
    ./hosts.nix
    ./pia-openvpn.nix
    ./tailscale.nix
    ./vpn.nix
    ./zerotier.nix
  ];
  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
  config = mkIf cfg.ip_forward {
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  };
 }
--- a/common/network/hosts.nix
+++ b/common/network/hosts.nix
@@ -0,0 +1,63 @@
 { config, lib, ... }:
 let
  system = (import ../ssh.nix).system;
 in {
  networking.hosts = {
    # some DNS providers filter local ip results from DNS request
    "172.30.145.180" = [ "s0.zt.neet.dev" ];
    "172.30.109.9" = [ "ponyo.zt.neet.dev" ];
    "172.30.189.212" = [ "ray.zt.neet.dev" ];
  };
  programs.ssh.knownHosts = {
    liza = {
      hostNames = [ "liza" "liza.neet.dev" ];
      publicKey = system.liza;
    };
    ponyo = {
      hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
      publicKey = system.ponyo;
    };
    ponyo-unlock = {
      hostNames = [ "unlock.ponyo.neet.dev" "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion" ];
      publicKey = system.ponyo-unlock;
    };
    ray = {
      hostNames = [ "ray" "ray.zt.neet.dev" ];
      publicKey = system.ray;
    };
    s0 = {
      hostNames = [ "s0" "s0.zt.neet.dev" ];
      publicKey = system.s0;
    };
    n1 = {
      hostNames = [ "n1" ];
      publicKey = system.n1;
    };
    n2 = {
      hostNames = [ "n2" ];
      publicKey = system.n2;
    };
    n3 = {
      hostNames = [ "n3" ];
      publicKey = system.n3;
    };
    n4 = {
      hostNames = [ "n4" ];
      publicKey = system.n4;
    };
    n5 = {
      hostNames = [ "n5" ];
      publicKey = system.n5;
    };
    n6 = {
      hostNames = [ "n6" ];
      publicKey = system.n6;
    };
    n7 = {
      hostNames = [ "n7" ];
      publicKey = system.n7;
    };
  };
 }
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@@ -0,0 +1,113 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.pia;
  vpnfailsafe = pkgs.stdenv.mkDerivation {
    pname = "vpnfailsafe";
    version = "0.0.1";
    src = ./.;
    installPhase = ''
      mkdir -p $out
      cp vpnfailsafe.sh $out/vpnfailsafe.sh
      sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
    '';
  };
 in
 {
  options.pia = {
    enable = lib.mkEnableOption "Enable private internet access";
    server = lib.mkOption {
      type = lib.types.str;
      default = "us-washingtondc.privacy.network";
      example = "swiss.privacy.network";
    };
  };
  config = lib.mkIf cfg.enable {
    services.openvpn = {
      servers = {
        pia = {
          config = ''
            client
            dev tun
            proto udp
            remote ${cfg.server} 1198
            resolv-retry infinite
            nobind
            persist-key
            persist-tun
            cipher aes-128-cbc
            auth sha1
            tls-client
            remote-cert-tls server
            auth-user-pass
            compress
            verb 1
            reneg-sec 0
            <crl-verify>
            -----BEGIN X509 CRL-----
            MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
            EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
            cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
            HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
            ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
            aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
            MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
            9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
            jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
            B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
            ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
            5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
            MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
            -----END X509 CRL-----
            </crl-verify>
            <ca>
            -----BEGIN CERTIFICATE-----
            MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
            VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
            BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
            dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
            IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
            FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
            MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
            EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
            QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
            AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
            ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
            bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
            L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
            lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
            cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
            8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
            /5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
            OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
            y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
            sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
            b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
            A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
            SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
            czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
            b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
            a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
            ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
            7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
            GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
            1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
            YDQ8z9v+DMO6iwyIDRiU
            -----END CERTIFICATE-----
            </ca>
            disable-occ
            auth-user-pass /run/agenix/pia-login.conf
          '';
          autoStart = true;
          up = "${vpnfailsafe}/vpnfailsafe.sh";
          down = "${vpnfailsafe}/vpnfailsafe.sh";
        };
      };
    };
    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
  };
 }
--- a/common/network/tailscale.nix
+++ b/common/network/tailscale.nix
@@ -0,0 +1,16 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.services.tailscale;
 in
 {
  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
  config.services.tailscale.enable = !config.boot.isContainer;
  # exit node
  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
  config.networking.ip_forward = mkIf cfg.exitNode true;
 }
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@@ -0,0 +1,97 @@
 { config, pkgs, lib, allModules, ... }:
 with lib;
 let
  cfg = config.vpn-container;
 in
 {
  options.vpn-container = {
    enable = mkEnableOption "Enable VPN container";
    containerName = mkOption {
      type = types.str;
      default = "vpn";
      description = ''
        Name of the VPN container.
      '';
    };
    mounts = mkOption {
      type = types.listOf types.str;
      default = [ "/var/lib" ];
      example = "/home/example";
      description = ''
        List of mounts on the host to bind to the vpn container.
      '';
    };
    config = mkOption {
      type = types.anything;
      default = {};
      example = ''
        {
          services.nginx.enable = true;
        }
      '';
      description = ''
        NixOS config for the vpn container.
      '';
    };
  };
  config = mkIf cfg.enable {
    containers.${cfg.containerName} = {
      ephemeral = true;
      autoStart = true;
      bindMounts = mkMerge ([{
        "/run/agenix" = {
          hostPath = "/run/agenix";
          isReadOnly = true;
        };
      }] ++ (lists.forEach cfg.mounts (mount:
        {
          "${mount}" = {
            hostPath = mount;
            isReadOnly = false;
          };
        }
      )));
      enableTun = true;
      privateNetwork = true;
      hostAddress = "172.16.100.1";
      localAddress = "172.16.100.2";
      config = {
        imports = allModules ++ [cfg.config];
        nixpkgs.pkgs = pkgs;
        networking.firewall.enable = mkForce false;
        pia.enable = true;
        pia.server = "swiss.privacy.network"; # swiss vpn
        # run it's own DNS resolver
        networking.useHostResolvConf = false;
        services.resolved.enable = true;
      };
    };
    # load secrets the container needs
    age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
    # forwarding for vpn container
    networking.nat.enable = true;
    networking.nat.internalInterfaces = [
      "ve-${cfg.containerName}"
    ];
    networking.ip_forward = true;
    # assumes only one potential interface
    networking.usePredictableInterfaceNames = false;
    networking.nat.externalInterface = "eth0";
  };
 }
--- a/common/network/vpnfailsafe.sh
+++ b/common/network/vpnfailsafe.sh
@@ -0,0 +1,187 @@
 #!/usr/bin/env bash
 set -eEo pipefail
 # $@ := ""
 set_route_vars() {
    local network_var
    local -a network_vars; read -ra network_vars <<<"${!route_network_*}"
    for network_var in "${network_vars[@]}"; do
        local -i i="${network_var#route_network_}"
        local -a vars=("route_network_$i" "route_netmask_$i" "route_gateway_$i" "route_metric_$i")
        route_networks[i]="${!vars[0]}"
        route_netmasks[i]="${!vars[1]:-255.255.255.255}"
        route_gateways[i]="${!vars[2]:-$route_vpn_gateway}"
        route_metrics[i]="${!vars[3]:-0}"
    done
 }
 # Configuration.
 readonly prog="$(basename "$0")"
 readonly private_nets="127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
 declare -a remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
 read -ra remotes <<<"$(env|grep -oP '^remote_[0-9]+=.*'|sort -n|cut -d= -f2|tr '\n' '\t')"
 read -ra cnf_remote_domains <<<"$(printf '%s\n' "${remotes[@]%%*[0-9]}"|sort -u|tr '\n' '\t')"
 read -ra cnf_remote_ips <<<"$(printf '%s\n' "${remotes[@]##*[!0-9.]*}"|sort -u|tr '\n' '\t')"
 set_route_vars
 read -ra numbered_vars <<<"${!foreign_option_*} ${!proto_*} ${!remote_*} ${!remote_port_*} \
                           ${!route_network_*} ${!route_netmask_*} ${!route_gateway_*} ${!route_metric_*}"
 readonly numbered_vars "${numbered_vars[@]}" dev ifconfig_local ifconfig_netmask ifconfig_remote \
         route_net_gateway route_vpn_gateway script_type trusted_ip trusted_port untrusted_ip untrusted_port \
         remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
 readonly cur_remote_ip="${trusted_ip:-$untrusted_ip}"
 readonly cur_port="${trusted_port:-$untrusted_port}"
 # $@ := ""
 update_hosts() {
    if remote_entries="$(getent -s dns hosts "${cnf_remote_domains[@]}"|grep -v :)"; then
        local -r beg="# VPNFAILSAFE BEGIN" end="# VPNFAILSAFE END"
        {
            sed -e "/^$beg/,/^$end/d" /etc/hosts
            echo -e "$beg\\n$remote_entries\\n$end"
        } >/etc/hosts.vpnfailsafe
        chmod --reference=/etc/hosts /etc/hosts.vpnfailsafe
        mv /etc/hosts.vpnfailsafe /etc/hosts
    fi
 }
 # $@ := "up" | "down"
 update_routes() {
    local -a resolved_ips
    read -ra resolved_ips <<<"$(getent -s files hosts "${cnf_remote_domains[@]:-ENOENT}"|cut -d' ' -f1|tr '\n' '\t' || true)"
    local -ar remote_ips=("$cur_remote_ip" "${resolved_ips[@]}" "${cnf_remote_ips[@]}")
    if [[ "$*" == up ]]; then
        for remote_ip in "${remote_ips[@]}"; do
            if [[ -n "$remote_ip" && -z "$(ip route show "$remote_ip")" ]]; then
                ip route add "$remote_ip" via "$route_net_gateway"
            fi
        done
        for net in 0.0.0.0/1 128.0.0.0/1; do
            if [[ -z "$(ip route show "$net")" ]]; then
                ip route add "$net" via "$route_vpn_gateway"
            fi
        done
        for i in $(seq 1 "${#route_networks[@]}"); do
            if [[ -z "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
                ip route add "${route_networks[i]}/${route_netmasks[i]}" \
                  via "${route_gateways[i]}" metric "${route_metrics[i]}" dev "$dev"
            fi
        done
    elif [[ "$*" == down ]]; then
        for route in "${remote_ips[@]}" 0.0.0.0/1 128.0.0.0/1; do
            if [[ -n "$route" && -n "$(ip route show "$route")" ]]; then
                ip route del "$route"
            fi
        done
        for i in $(seq 1 "${#route_networks[@]}"); do
            if [[ -n "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
                ip route del "${route_networks[i]}/${route_netmasks[i]}"
            fi
        done
    fi
 }
 # $@ := ""
 update_firewall() {
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    insert_chain() {
        if iptables -C "$*" -j "VPNFAILSAFE_$*" 2>/dev/null; then
            iptables -D "$*" -j "VPNFAILSAFE_$*"
            for opt in F X; do
                iptables -"$opt" "VPNFAILSAFE_$*"
            done
        fi
        iptables -N "VPNFAILSAFE_$*"
        iptables -I "$*" -j "VPNFAILSAFE_$*"
    }
    # $@ := "INPUT" | "OUTPUT"
    accept_remotes() {
        case "$@" in
            INPUT)  local -r icmp_type=reply   io=i sd=s states="";;
            OUTPUT) local -r icmp_type=request io=o sd=d states=NEW,;;
        esac
        local -r public_nic="$(ip route show "$cur_remote_ip"|cut -d' ' -f5)"
        local -ar suf=(-m conntrack --ctstate "$states"RELATED,ESTABLISHED -"$io" "${public_nic:?}" -j ACCEPT)
        icmp_rule() {
            iptables "$1" "$2" -p icmp --icmp-type "echo-$icmp_type" -"$sd" "$3" "${suf[@]/%ACCEPT/RETURN}"
        }
        for ((i=1; i <= ${#remotes[*]}; ++i)); do
            local port="remote_port_$i"
            local proto="proto_$i"
            iptables -A "VPNFAILSAFE_$*" -p "${!proto%-client}" -"$sd" "${remotes[i-1]}" --"$sd"port "${!port}" "${suf[@]}"
            if ! icmp_rule -C "VPNFAILSAFE_$*" "${remotes[i-1]}" 2>/dev/null; then
                icmp_rule -A "VPNFAILSAFE_$*" "${remotes[i-1]}"
            fi
        done
        if ! iptables -S|grep -q "^-A VPNFAILSAFE_$* .*-$sd $cur_remote_ip/32 .*-j ACCEPT$"; then
            for p in tcp udp; do
                iptables -A "VPNFAILSAFE_$*" -p "$p" -"$sd" "$cur_remote_ip" --"$sd"port "${cur_port}" "${suf[@]}"
            done
            icmp_rule -A "VPNFAILSAFE_$*" "$cur_remote_ip"
        fi
    }
    # $@ := "OUTPUT" | "FORWARD"
    reject_dns() {
        for proto in udp tcp; do
            iptables -A "VPNFAILSAFE_$*" -p "$proto" --dport 53 ! -o "$dev" -j REJECT
        done
    }
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    pass_private_nets() { 
        case "$@" in
            INPUT) local -r io=i sd=s;;&
            OUTPUT|FORWARD) local -r io=o sd=d;;&
            INPUT) local -r vpn="${ifconfig_remote:-$ifconfig_local}/${ifconfig_netmask:-32}"
               iptables -A "VPNFAILSAFE_$*" -"$sd" "$vpn" -"$io" "$dev" -j RETURN
               for i in $(seq 1 "${#route_networks[@]}"); do
                   iptables -A "VPNFAILSAFE_$*" -"$sd" "${route_networks[i]}/${route_netmasks[i]}" -"$io" "$dev" -j RETURN
               done;;&
            *) iptables -A "VPNFAILSAFE_$*" -"$sd" "$private_nets" ! -"$io" "$dev" -j RETURN;;&
            INPUT) iptables -A "VPNFAILSAFE_$*" -s "$private_nets" -i "$dev" -j DROP;;&
            *) for iface in "$dev" lo+; do
                   iptables -A "VPNFAILSAFE_$*" -"$io" "$iface" -j RETURN
               done;;
        esac
    }
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    drop_other() {
        iptables -A "VPNFAILSAFE_$*" -j DROP
    }
    for chain in INPUT OUTPUT FORWARD; do
        insert_chain "$chain"
        [[ $chain == FORWARD ]] || accept_remotes "$chain"
        [[ $chain == INPUT ]] || reject_dns "$chain"
        pass_private_nets "$chain"
        drop_other "$chain"
    done
 }
 # $@ := ""
 cleanup() {
    update_resolv down
    update_routes down
 }
 trap cleanup INT TERM
 # $@ := line_number exit_code
 err_msg() {
    echo "$0:$1: \`$(sed -n "$1,+0{s/^\\s*//;p}" "$0")' returned $2" >&2
    cleanup
 }
 trap 'err_msg "$LINENO" "$?"' ERR
 # $@ := ""
 main() {
    case "${script_type:-down}" in
        up) for f in hosts routes firewall; do "update_$f" up; done;;
        down) update_routes down
              update_resolv down;;
    esac
 }
 main
--- a/common/network/zerotier.nix
+++ b/common/network/zerotier.nix
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
@@ -4,26 +4,59 @@ let
  cfg = config.de;
 in {
  config = lib.mkIf cfg.enable {
    # Audio
    sound.enable = true;
    # enable pulseaudio support for packages
    nixpkgs.config.pulseaudio = true;
-    # realtime pulseaudio
+    # realtime audio
    security.rtkit.enable = true;
-    hardware.pulseaudio = {
+    services.pipewire = {
      enable = true;
-      support32Bit = true;
+      alsa.enable = true;
-      package = pkgs.pulseaudioFull; # bt headset support
+      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
-      # TODO: switch on connect isn't working for some reason (at least when in kde)
+      # use the example session manager (no others are packaged yet so this is enabled by default,
-      extraConfig = "
+      # no need to redefine it in your config for now)
-        load-module module-switch-on-connect
+      #media-session.enable = true;
-        load-module module-switch-on-connect ignore_virtual=no
+
-      ";
+      config.pipewire = {
        "context.objects" = [
          {
            # A default dummy driver. This handles nodes marked with the "node.always-driver"
            # properyty when no other driver is currently active. JACK clients need this.
            factory = "spa-node-factory";
            args = {
              "factory.name"     = "support.node.driver";
              "node.name"        = "Dummy-Driver";
              "priority.driver"  = 8000;
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Microphone-Proxy";
              "node.description" = "Microphone";
              "media.class"      = "Audio/Source/Virtual";
              "audio.position"   = "MONO";
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Main-Output-Proxy";
              "node.description" = "Main Output";
              "media.class"      = "Audio/Sink";
              "audio.position"   = "FL,FR";
            };
          }
        ];
      };
    };
    users.users.googlebot.extraGroups = [ "audio" ];
    # bt headset support
--- a/common/pc/chromium.nix
+++ b/common/pc/chromium.nix
@@ -2,6 +2,53 @@
 let
  cfg = config.de;
  nv-codec-headers-11-1-5-1 = pkgs.stdenv.mkDerivation rec {
    pname = "nv-codec-headers";
    version = "11.1.5.1";
    src = pkgs.fetchgit {
      url = "https://git.videolan.org/git/ffmpeg/nv-codec-headers.git";
      rev = "n${version}";
      sha256 = "yTOKLjyYLxT/nI1FBOMwHpkDhfuua3+6Z5Mpb7ZrRhU=";
    };
    makeFlags = [
      "PREFIX=$(out)"
    ];
  };
  nvidia-vaapi-driver = pkgs.stdenv.mkDerivation rec {
    pname = "nvidia-vaapi-driver";
    version = "0.0.5";
    src = pkgs.fetchFromGitHub {
      owner = "elFarto";
      repo = pname;
      rev = "v${version}";
      sha256 = "2bycqKolVoaHK64XYcReteuaON9TjzrFhaG5kty28YY=";
    };
    patches = [
      ./use-meson-v57.patch
    ];
    nativeBuildInputs = with pkgs; [
      meson
      cmake
      ninja
      pkg-config
    ];
    buildInputs = with pkgs; [
      nv-codec-headers-11-1-5-1
      libva
      gst_all_1.gstreamer
      gst_all_1.gst-plugins-bad
      libglvnd
    ];
  };
 in {
  config = lib.mkIf cfg.enable {
    # chromium with specific extensions + settings
@@ -13,6 +60,9 @@ in {
        "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
        "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
        "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
        "mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
        "dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
        # "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
      ];
      extraOpts = {
        "BrowserSignin" = 0;
@@ -29,17 +79,23 @@ in {
    nixpkgs.config.packageOverrides = pkgs: {
      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
      chromium = pkgs.chromium.override {
        gnomeKeyringSupport = true;
        enableWideVine = true;
        # ungoogled = true;
        # --enable-native-gpu-memory-buffers # fails on AMD APU
        # --enable-webrtc-vp9-support
        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video  --enable-gpu-rasterization";
      };
    };
    # todo vulkan in chrome
    # todo video encoding in chrome
    hardware.opengl = {
      enable = true;
      extraPackages = with pkgs; [
        intel-media-driver # LIBVA_DRIVER_NAME=iHD
        vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-        vaapiVdpau
+        # vaapiVdpau
        libvdpau-va-gl
        nvidia-vaapi-driver
      ];
      extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ];
    };
--- a/common/pc/default.nix
+++ b/common/pc/default.nix
@@ -8,14 +8,16 @@ in {
    ./xfce.nix
    ./yubikey.nix
    ./chromium.nix
-    ./firefox.nix
+#    ./firefox.nix
    ./audio.nix
 #    ./torbrowser.nix
    ./pithos.nix
    ./spotify.nix
    ./vscodium.nix
    ./discord.nix
    ./steam.nix
    ./touchpad.nix
    ./mount-samba.nix
  ];
  options.de = {
@@ -29,8 +31,25 @@ in {
    # Applications
    users.users.googlebot.packages = with pkgs; [
-      chromium keepassxc mumble tigervnc bluez-tools vscodium element-desktop mpv
+      chromium
-      libva-utils ffmpeg-full
+      keepassxc
      mumble
      tigervnc
      bluez-tools
      vscodium
      element-desktop
      mpv
      nextcloud-client
      signal-desktop
      minecraft
      gparted
      libreoffice-fresh
      thunderbird
      spotifyd
      spotify-qt
      arduino
      yt-dlp
      jellyfin-media-player
    ];
    # Networking
@@ -39,6 +58,14 @@ in {
    # Printing
    services.printing.enable = true;
    services.printing.drivers = with pkgs; [
      gutenprint
    ];
    # Printer discovery
    services.avahi.enable = true;
    services.avahi.nssmdns = true;
    programs.file-roller.enable = true;
    # Security
    services.gnome.gnome-keyring.enable = true;
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
@@ -14,7 +14,10 @@ in {
    # kde apps
    nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true;
    users.users.googlebot.packages = with pkgs; [
-      akonadi kmail plasma5Packages.kmail-account-wizard
+      # akonadi
      # kmail
      # plasma5Packages.kmail-account-wizard
      kate
    ];
  };  
 }
--- a/common/pc/mount-samba.nix
+++ b/common/pc/mount-samba.nix
@@ -0,0 +1,36 @@
 # mounts the samba share on s0 over zeroteir
 { config, lib, ... }:
 let
  cfg = config.services.mount-samba;
  # prevents hanging on network split
  network_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,nostrictsync,cache=loose,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend";
  user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
  auth_opts = "credentials=/run/agenix/smb-secrets";
  version_opts = "vers=2.1";
  opts = "${network_opts},${user_opts},${version_opts},${auth_opts}";
 in {
  options.services.mount-samba = {
    enable = lib.mkEnableOption "enable mounting samba shares";
  };
  config = lib.mkIf (cfg.enable && config.services.zerotierone.enable) {
    fileSystems."/mnt/public" = {
        device = "//s0.zt.neet.dev/public";
        fsType = "cifs";
        options = [ opts ];
    };
    fileSystems."/mnt/private" = {
        device = "//s0.zt.neet.dev/googlebot";
        fsType = "cifs";
        options = [ opts ];
    };
    age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
  };
 }
--- a/common/pc/pia/default.nix
+++ b/common/pc/pia/default.nix
@@ -0,0 +1,76 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.pia;
 in {
  imports = [
    ./pia.nix
  ];
  options.services.pia = {
    enable = lib.mkEnableOption "Enable PIA Client";
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/pia";
      description = ''
        Path to the pia data directory
      '';
    };
    user = lib.mkOption {
      type = lib.types.str;
      default = "root";
      description = ''
        The user pia should run as
      '';
    };
    group = lib.mkOption {
      type = lib.types.str;
      default = "piagrp";
      description = ''
        The group pia should run as
      '';
    };
    users = mkOption {
      type = with types; listOf str;
      default = [];
      description = ''
        Usernames to be added to the "spotifyd" group, so that they
        can start and interact with the userspace daemon.
      '';
    };
  };
  config = mkIf cfg.enable {
    # users.users.${cfg.user} =
    # if cfg.user == "pia" then {
    #   isSystemUser = true;
    #   group = cfg.group;
    #   home = cfg.dataDir;
    #   createHome = true;
    # }
    # else {};
    users.groups.${cfg.group}.members = cfg.users;
    systemd.services.pia-daemon = {
      enable = true;
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
      serviceConfig.PrivateTmp="yes";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
      '';
    };
  };
 }
--- a/common/pc/pia/fix-pia.patch
+++ b/common/pc/pia/fix-pia.patch
@@ -0,0 +1,147 @@
 diff --git a/Rakefile b/Rakefile
 index fa6d771..bcd6fb1 100644
 --- a/Rakefile
 +++ b/Rakefile
@@ -151,41 +151,6 @@ end
 # Install LICENSE.txt
 stage.install('LICENSE.txt', :res)
 -# Download server lists to ship preloaded copies with the app.  These tasks
 -# depend on version.txt so they're refreshed periodically (whenver a new commit
 -# is made), but not for every build.
 -#
 -# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
 -# this is primarily intended for reproducing a build.
 -#
 -# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
 -serverDataProbe = Probe.new('serverdata')
 -serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
 -# JSON resource build directory
 -jsonFetched = Build.new('json-fetched')
 -# These are the assets we need to fetch and the URIs we get them from
 -{
 -    'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
 -    'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
 -    'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
 -}.each do |k, v|
 -    fetchedFile = jsonFetched.artifact(k.to_s)
 -    serverDataDir = ENV['SERVER_DATA_DIR']
 -    file fetchedFile => [version.artifact('version.txt'),
 -                         serverDataProbe.artifact('serverdata.txt'),
 -                         jsonFetched.componentDir] do |t|
 -        if(serverDataDir)
 -            # Use the copy provided instead of fetching (for reproducing a build)
 -            File.copy(File.join(serverDataDir, k), fetchedFile)
 -        else
 -            # Fetch from the web API (write with "binary" mode so LF is not
 -            # converted to CRLF on Windows)
 -            File.binwrite(t.name, Net::HTTP.get(URI(v)))
 -        end
 -    end
 -    stage.install(fetchedFile, :res)
 -end
 -
 # Install version/brand/arch info in case an upgrade needs to know what is
 # currently installed
 stage.install(version.artifact('version.txt'), :res)
 diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
 index f820a6d..e1b6c33 100644
 --- a/common/src/posix/unixsignalhandler.cpp
 +++ b/common/src/posix/unixsignalhandler.cpp
@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
     // we checked it, we can't even log because the logger is not reentrant.
     auto pThis = instance();
     if(pThis)
 -        ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
 +        auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
 }
 template<int Signal>
 void UnixSignalHandler::setAbortAction()
 diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
 index fd3aced..2367a5e 100644
 --- a/daemon/src/linux/linux_nl.cpp
 +++ b/daemon/src/linux/linux_nl.cpp
@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
     unsigned char term = 0;
     PosixFd killSocket = _workerKillSocket.get();
     if(killSocket)
 -        ::write(killSocket.get(), &term, sizeof(term));
 +        auto _ = ::write(killSocket.get(), &term, sizeof(term));
     _workerThread.join();
 }
 diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
 index 3f63ac2..420d54d 100644
 --- a/extras/support-tool/launcher/linux-launcher.cpp
 +++ b/extras/support-tool/launcher/linux-launcher.cpp
@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
     if(forkResult == 0)
     {
         // Apply gid as both real and effective
 -        setregid(gid, gid);
 +        auto _ = setregid(gid, gid);
         int execErr = execv(filename, argv);
         std::cerr << "exec err: " << execErr << " / " << errno << " - "
 diff --git a/rake/model/qt.rb b/rake/model/qt.rb
 index c8cd362..a6abe59 100644
 --- a/rake/model/qt.rb
 +++ b/rake/model/qt.rb
@@ -171,12 +171,7 @@ class Qt
     end
     def getQtRoot(qtVersion, arch)
 -        qtToolchainPtns = getQtToolchainPatterns(arch)
 -        qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
 -        # Explicitly filter for existing paths - if the pattern has wildcards
 -        # we only get existing directories, but if the patterns are just
 -        # alternates with no wildcards, we can get directories that don't exist
 -        qtRoots.find_all { |r| File.exist?(r) }.max
 +        ENV['QTROOT']
     end
     def getQtVersionScore(minor, patch)
@@ -192,12 +187,7 @@ class Qt
     end
     def getQtPathVersion(path)
 -        verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
 -        if(verMatch == nil)
 -            nil
 -        else
 -            [verMatch[1].to_i, verMatch[2].to_i]
 -        end
 +        [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
     end
     # Build a component definition with the defaults.  The "Core" component will
 diff --git a/rake/product/linux.rb b/rake/product/linux.rb
 index f43fb3e..83505af 100644
 --- a/rake/product/linux.rb
 +++ b/rake/product/linux.rb
@@ -18,8 +18,7 @@ module PiaLinux
     QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
     # Version of libicu (needed to determine lib*.so.## file names in deployment)
 -    ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
 -        .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
 +    ICU_VERSION = ENV['ICU_MAJOR'].to_i;
     # Copy a directory recursively, excluding *.debug files (debugging symbols)
     def self.copyWithoutDebug(sourceDir, destDir)
@@ -220,16 +219,5 @@ module PiaLinux
     # Since these are just development workflow tools, they can be skipped if
     # specific dependencies are not available.
     def self.defineTools(toolsStage)
 -        # Test if we have libthai-dev, for the Thai word breaking utility
 -        if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
 -            Executable.new('thaibreak')
 -                .source('tools/thaibreak')
 -                .lib('thai')
 -                .install(toolsStage, :bin)
 -            toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
 -            toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
 -        else
 -            puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
 -        end
     end
 end
--- a/common/pc/pia/pia.nix
+++ b/common/pc/pia/pia.nix
@@ -0,0 +1,139 @@
 { pkgs, lib, config, ... }:
 {
  nixpkgs.overlays = [
    (self: super:
    with self;
    let
      # arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
      arch = "x86_64";
      pia-desktop = clangStdenv.mkDerivation rec {
        pname = "pia-desktop";
        version = "3.3.0";
        src = fetchgit {
          url = "https://github.com/pia-foss/desktop";
          rev = version;
          fetchLFS = true;
          sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
        };
        patches = [
          ./fix-pia.patch
        ];
        nativeBuildInputs = [
          cmake
          rake
        ];
        prePatch = ''
          sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
        '';
        installPhase = ''
          mkdir -p $out/bin $out/lib $out/share
          cp -r ../out/pia_release_${arch}/stage/bin $out
          cp -r ../out/pia_release_${arch}/stage/lib $out
          cp -r ../out/pia_release_${arch}/stage/share $out
        '';
        cmakeFlags = [
          "-DCMAKE_BUILD_TYPE=Release"
        ];
        QTROOT = "${qt5.full}";
        QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
        QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
        ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
        buildInputs = [
          mesa
          libsForQt5.qt5.qtquickcontrols
          libsForQt5.qt5.qtquickcontrols2
          icu
          libnl
        ];
        dontWrapQtApps = true;
      };
    in rec {
      openvpn-updown = buildFHSUserEnv {
        name = "openvpn-updown";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "openvpn-updown.sh";
      };
      pia-client = buildFHSUserEnv {
        name = "pia-client";
        targetPkgs = pkgs: (with pkgs; [
          pia-desktop
          xorg.libXau
          xorg.libXdmcp
        ]);
        runScript = "pia-client";
      };
      piactl = buildFHSUserEnv {
        name = "piactl";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "piactl";
      };
      pia-daemon = buildFHSUserEnv {
        name = "pia-daemon";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-daemon";
      };
      pia-hnsd = buildFHSUserEnv {
        name = "pia-hnsd";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-hnsd";
      };
      pia-openvpn = buildFHSUserEnv {
        name = "pia-openvpn";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-openvpn";
      };
      pia-ss-local = buildFHSUserEnv {
        name = "pia-ss-local";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-ss-local";
      };
      pia-support-tool = buildFHSUserEnv {
        name = "pia-support-tool";
        targetPkgs = pkgs: (with pkgs; [
          pia-desktop
          xorg.libXau
          xorg.libXdmcp
        ]);
        runScript = "pia-support-tool";
      };
      pia-unbound = buildFHSUserEnv {
        name = "pia-unbound";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-unbound";
      };
      pia-wireguard-go = buildFHSUserEnv {
        name = "pia-wireguard-go";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-wireguard-go";
      };
      support-tool-launcher = buildFHSUserEnv {
        name = "support-tool-launcher";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "support-tool-launcher";
      };
    })
  ];
 }
--- a/common/pc/spotify.nix
+++ b/common/pc/spotify.nix
@@ -0,0 +1,86 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.spotifyd;
  toml = pkgs.formats.toml {};
  spotifydConf = toml.generate "spotify.conf" cfg.settings;
 in
 {
  disabledModules = [
    "services/audio/spotifyd.nix"
  ];
  options = {
    services.spotifyd = {
      enable = mkEnableOption "spotifyd, a Spotify playing daemon";
      settings = mkOption {
        default = {};
        type = toml.type;
        example = { global.bitrate = 320; };
        description = ''
          Configuration for Spotifyd. For syntax and directives, see
          <link xlink:href="https://github.com/Spotifyd/spotifyd#Configuration"/>.
        '';
      };
      users = mkOption {
        type = with types; listOf str;
        default = [];
        description = ''
          Usernames to be added to the "spotifyd" group, so that they
          can start and interact with the userspace daemon.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    # username specific stuff because i'm lazy...
    services.spotifyd.users = [ "googlebot" ];
    users.users.googlebot.packages = with pkgs; [
      spotify
      spotify-tui
    ];
    users.groups.spotifyd = {
      members = cfg.users;
    };
    age.secrets.spotifyd = {
      file = ../../secrets/spotifyd.age;
      group = "spotifyd";
      mode = "0440"; # group can read
    };
    # spotifyd to read secrets and run as user service
    services.spotifyd = {
      settings.global = {
        username_cmd = "sed '1q;d' /run/agenix/spotifyd";
        password_cmd = "sed '2q;d' /run/agenix/spotifyd";
        bitrate = 320;
        backend = "pulseaudio";
        device_name = config.networking.hostName;
        device_type = "computer";
        # on_song_change_hook = "command_to_run_on_playback_events"
        autoplay = true;
      };
    };
    systemd.user.services.spotifyd-daemon = {
      enable = true;
      wantedBy = [ "graphical-session.target" ];
      partOf = [ "graphical-session.target" ];
      description = "spotifyd, a Spotify playing daemon";
      environment.SHELL = "/bin/sh";
      serviceConfig = {
        ExecStart = "${pkgs.spotifyd}/bin/spotifyd --no-daemon --config-path ${spotifydConf}";
        Restart = "always";
        CacheDirectory = "spotifyd";
      };
    };
  };
 }
--- a/common/pc/use-meson-v57.patch
+++ b/common/pc/use-meson-v57.patch
@@ -0,0 +1,22 @@
 diff --git a/meson.build b/meson.build
 index dace367..8c0e290 100644
 --- a/meson.build
 +++ b/meson.build
@@ -8,7 +8,7 @@ project(
         'warning_level=0',
     ],
     license: 'MIT',
 -    meson_version: '>= 0.58.0',
 +    meson_version: '>= 0.57.0',
 )
 cc = meson.get_compiler('c')
@@ -47,8 +47,3 @@ shared_library(
     gnu_symbol_visibility: 'hidden',
 )
 -meson.add_devenv(environment({
 -    'NVD_LOG': '1',
 -    'LIBVA_DRIVER_NAME': 'nvidia',
 -    'LIBVA_DRIVERS_PATH': meson.project_build_root(),
 -}))
--- a/common/pc/vscodium.nix
+++ b/common/pc/vscodium.nix
@@ -4,7 +4,7 @@ let
  cfg = config.de;
  extensions = with pkgs.vscode-extensions; [
-    bbenoist.Nix # nix syntax support
+#    bbenoist.Nix # nix syntax support
 #    arrterian.nix-env-selector  # nix dev envs
  ];
--- a/common/pc/xfce.nix
+++ b/common/pc/xfce.nix
@@ -14,7 +14,9 @@ in {
    };
    # xfce apps
-    users.users.googlebot.packages = with pkgs; [
+    # TODO for some reason whiskermenu needs to be global for it to work
    environment.systemPackages = with pkgs; [
      xfce.xfce4-whiskermenu-plugin
    ];
  };
 }
--- a/common/pia.nix
+++ b/common/pia.nix
@@ -1,97 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.pia;
 in
 {
  options.pia = {
    enable = lib.mkEnableOption "Enable private internet access";
  };
  config = lib.mkIf cfg.enable {
    services.openvpn = {
      servers = {
        us-east = {
          config = ''
 client
 dev tun
 proto udp
 remote us-washingtondc.privacy.network 1198
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 cipher aes-128-cbc
 auth sha1
 tls-client
 remote-cert-tls server
 auth-user-pass
 compress
 verb 1
 reneg-sec 0
 <crl-verify>
 -----BEGIN X509 CRL-----
 MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
 EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
 cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
 HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
 ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
 aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
 MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
 9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
 jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
 B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
 ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
 5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
 MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
 -----END X509 CRL-----
 </crl-verify>
 <ca>
 -----BEGIN CERTIFICATE-----
 MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
 VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
 BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
 dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
 IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
 FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
 MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
 EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
 QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
 AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
 ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
 bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
 L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
 lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
 cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
 8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
 /5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
 OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
 y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
 sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
 b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
 A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
 SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
 czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
 b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
 a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
 ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
 7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
 GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
 1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
 YDQ8z9v+DMO6iwyIDRiU
 -----END CERTIFICATE-----
 </ca>
 disable-occ
 auth-user-pass /secret/pia-login.conf
          '';
          autoStart = true;
          up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
          down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
        };
      };
    };
  };
 }
--- a/common/server/ceph.nix
+++ b/common/server/ceph.nix
@@ -0,0 +1,43 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.ceph;
 in {
  options.ceph = {
  };
  config = mkIf cfg.enable {
    # ceph.enable = true;
    ## S3 Object gateway
    #ceph.rgw.enable = true;
    #ceph.rgw.daemons = [
    #];
    # https://docs.ceph.com/en/latest/start/intro/
    # meta object storage daemon
    ceph.osd.enable = true;
    ceph.osd.daemons = [
    ];
    # monitor's ceph state
    ceph.mon.enable = true;
    ceph.mon.daemons = [
    ];
    # manage ceph
    ceph.mgr.enable = true;
    ceph.mgr.daemons = [
    ];
    # metadata server
    ceph.mds.enable = true;
    ceph.mds.daemons = [
    ];
    ceph.global.fsid = "925773DC-D95F-476C-BBCD-08E01BF0865F";
  };
 }
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -0,0 +1,18 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./nginx.nix
    ./thelounge.nix
    ./mumble.nix
    ./icecast.nix
    ./nginx-stream.nix
    ./matrix.nix
    ./zerobin.nix
    ./gitea.nix
    ./privatebin/privatebin.nix
    ./radio.nix
    ./samba.nix
    ./owncast.nix
  ];
 }
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@@ -12,6 +12,8 @@ in {
  config = lib.mkIf cfg.enable {
    services.gitea = {
      domain = cfg.hostname;
      rootUrl = "https://${cfg.hostname}/";
      appName = cfg.hostname;
      ssh.enable = true;
      # lfs.enable = true;
      dump.enable = true;
@@ -21,8 +23,12 @@ in {
        other = {
          SHOW_FOOTER_VERSION = false;
        };
        ui = {
          DEFAULT_THEME = "arc-green";
        };
      };
    };
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
--- a/common/server/icecast.nix
+++ b/common/server/icecast.nix
@@ -17,11 +17,13 @@ in {
      type = lib.types.str;
      example = "fallback.mp3";
    };
    nginx = lib.mkEnableOption "enable nginx";
  };
  config = lib.mkIf cfg.enable {
    services.icecast = {
-      listen.address = "127.0.0.1";
+      listen.address = "0.0.0.0";
      listen.port = 8001;
      admin.password = "hackme";
      extraConf = ''
        <authentication>
@@ -48,11 +50,14 @@ in {
        </mount>
      '';
    };
-    services.nginx.virtualHosts.${cfg.hostname} = {
+    services.nginx.virtualHosts.${cfg.hostname} = lib.mkIf cfg.nginx {
      enableACME = true;
      forceSSL = true;
      locations."/${cfg.mount}" = {
        proxyPass = "http://localhost:${toString cfg.listen.port}/${cfg.mount}";
        extraConfig = ''
          add_header Access-Control-Allow-Origin *;
        '';
      };
    };
  };
--- a/common/server/matrix.nix
+++ b/common/server/matrix.nix
@@ -59,23 +59,25 @@ in {
  config = lib.mkIf cfg.enable {
    services.matrix-synapse = {
      enable = true;
-      server_name = cfg.host;
+      settings = {
-      enable_registration = cfg.enable_registration;
+        server_name = cfg.host;
-      listeners = [ {
+        enable_registration = cfg.enable_registration;
-        bind_address = "127.0.0.1";
+        listeners = [ {
-        port = cfg.port;
+          bind_addresses = ["127.0.0.1"];
-        tls = false;
+          port = cfg.port;
-        resources = [ {
+          tls = false;
-          compress = true;
+          resources = [ {
-          names = [ "client" "webclient" "federation" ];
+            compress = true;
            names = [ "client" "federation" ];
          } ];
        } ];
-      } ];
+        turn_uris = [
-      turn_uris = [
+          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
-        "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
+          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
-        "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
+        ];
-      ];
+        turn_shared_secret = cfg.turn.secret;
-      turn_shared_secret = cfg.turn.secret;
+        turn_user_lifetime = "1h";
-      turn_user_lifetime = "1h";
+      };
    };
    services.coturn = {
@@ -184,26 +186,32 @@ in {
          min = 5;
          max = 30;
        };
-        startScreenSharing = true;
+        # startScreenSharing = true;
        videoQuality = {
          disabledCodec = "VP8";
          preferredCodec = "H264";
          enforcePreferredCodec = true;
        };
-        p2p = {
+        # p2p = {
-          enabled = true;
+        #   enabled = true;
-          preferH264 = true;
+        #   preferH264 = true;
-          disabledCodec = "VP8";
+        #   disabledCodec = "VP8";
-          preferredCodec = "H264";
+        #   preferredCodec = "H264";
-          disableH264 = false;
+        #   disableH264 = false;
-        };
+        # };
        requireDisplayName = false;
        disableThirdPartyRequests = true;
-        localRecording = {
+        localRecording.enabled = false;
          enabled = false;
        };
        doNotStoreRoom = true;
      };
      interfaceConfig = {
        SHOW_JITSI_WATERMARK = false;
        SHOW_WATERMARK_FOR_GUESTS = false;
      };
    };
    services.jitsi-videobridge = lib.mkIf cfg.jitsi-meet.enable {
      enable = true;
      openFirewall = true;
    };
  };
 }
--- a/common/server/nginx-stream.nix
+++ b/common/server/nginx-stream.nix
@@ -51,7 +51,7 @@ in {
      appendConfig = ''
        rtmp {
          server {
-            listen 1935;
+            listen ${toString cfg.port};
            chunk_size 4096;
            application ${cfg.rtmpName} {
              allow publish all;
--- a/common/server/owncast.nix
+++ b/common/server/owncast.nix
@@ -0,0 +1,31 @@
 { lib, config, ... }:
 with lib;
 let
  cfg = config.services.owncast;
 in {
  options.services.owncast = {
    hostname = lib.mkOption {
      type = types.str;
      example = "example.com";
    };
  };
  config = mkIf cfg.enable {
    services.owncast.listen = "127.0.0.1";
    services.owncast.port = 62419; # random port
    networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.port}";
        proxyWebsockets = true;
      };
    };
  };
 }
--- a/common/server/radio.nix
+++ b/common/server/radio.nix
@@ -0,0 +1,74 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.radio;
  radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
 in {
  options.services.radio = {
    enable = lib.mkEnableOption "enable radio";
    user = lib.mkOption {
      type = lib.types.str;
      default = "radio";
      description = ''
        The user radio should run as
      '';
    };
    group = lib.mkOption {
      type = lib.types.str;
      default = "radio";
      description = ''
        The group radio should run as
      '';
    };
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/radio";
      description = ''
        Path to the radio data directory
      '';
    };
    host = lib.mkOption {
      type = lib.types.str;
      description = ''
        Domain radio is hosted on
      '';
    };
    nginx = lib.mkEnableOption "enable nginx";
  };
  config = lib.mkIf cfg.enable {
    services.icecast = {
      enable = true;
      hostname = cfg.host;
      mount = "stream.mp3";
      fallback = "fallback.mp3";
    };
    services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
      enableACME = true;
      forceSSL = true;
      locations."/".root = config.inputs.radio-web;
    };
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      home = cfg.dataDir;
      createHome = true;
    };
    users.groups.${cfg.group} = {};
    systemd.services.radio = {
      enable = true;
      after = ["network.target"];
      wantedBy = ["multi-user.target"];
      serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
      serviceConfig.WorkingDirectory = cfg.dataDir;
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user} ${cfg.dataDir}
      '';
    };
  };
 }
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@@ -0,0 +1,115 @@
 { config, lib, pkgs, ... }:
 {
  config = lib.mkIf config.services.samba.enable {
    services.samba = {
      openFirewall = true;
      package = pkgs.sambaFull; # printer sharing
      securityType = "user";
      # should this be on?
      nsswins = true;
      extraConfig = ''
        workgroup = HOME
        server string = smbnix
        netbios name = smbnix
        security = user 
        use sendfile = yes
        min protocol = smb2
        guest account = nobody
        map to guest = bad user
        # printing
        load printers = yes
        printing = cups
        printcap name = cups
        # horrible files
        veto files = /._*/.DS_Store/ /._*/._.DS_Store/
        delete veto files = yes
      '';
      shares = {
        public = {
          path = "/data/samba/Public";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "public_data";
          "force group" = "public_data";
        };
        googlebot = {
          path = "/data/samba/googlebot";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "valid users" = "googlebot";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "googlebot";
          "force group" = "users";
        };
        cris = {
          path = "/data/samba/cris";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "valid users" = "cris";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "root";
          "force group" = "users";
        };
        printers = {
          comment = "All Printers";
          path = "/var/spool/samba";
          public = "yes";
          browseable = "yes";
          # to allow user 'guest account' to print.
          "guest ok" = "yes";
          writable = "no";
          printable = "yes";
          "create mode" = 0700;
        };
      };
    };
    # Windows discovery of samba server
    services.samba-wsdd = {
      enable = true;
      # are these needed?
      workgroup = "HOME";
      hoplimit = 3;
      discovery = true;
    };
    networking.firewall.allowedTCPPorts = [ 5357 ];
    networking.firewall.allowedUDPPorts = [ 3702 ];
    # Printer discovery
    # (is this needed?)
    services.avahi.enable = true;
    services.avahi.nssmdns = true;
    # printer sharing
    systemd.tmpfiles.rules = [
      "d /var/spool/samba 1777 root root -"
    ];
    users.groups.public_data.gid = 994;
    users.users.public_data = {
      isSystemUser = true;
      group = "public_data";
      uid = 994;
    };
    users.users.googlebot.extraGroups = [ "public_data" ];
    # samba user for share
    users.users.cris.isSystemUser = true;
    users.users.cris.group = "cris";
    users.groups.cris = {};
  };
 }
--- a/common/server/thelounge.nix
+++ b/common/server/thelounge.nix
@@ -23,7 +23,7 @@ in {
  config = lib.mkIf cfg.enable {
    services.thelounge = {
-      private = true;
+      public = false;
      extraConfig = {
        reverseProxy = true;
        maxHistory = -1;
--- a/common/shell.nix
+++ b/common/shell.nix
@@ -0,0 +1,46 @@
 { config, pkgs, ... }:
 # Improvements to the default shell
 # - use nix-locate for command-not-found
 # - disable fish's annoying greeting message
 # - add some handy shell commands
 let
  nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default;
 in {
  programs.command-not-found.enable = false;
  environment.systemPackages = [
    nix-locate
  ];
  programs.fish = {
    enable = true;
    shellInit = let
      wrapper = pkgs.writeScript "command-not-found" ''
        #!${pkgs.bash}/bin/bash
        source ${nix-locate}/etc/profile.d/command-not-found.sh
        command_not_found_handle "$@"
      '';
    in ''
      # use nix-locate for command-not-found functionality
      function __fish_command_not_found_handler --on-event fish_command_not_found
          ${wrapper} $argv
      end
      # disable annoying fish shell greeting
      set fish_greeting
    '';
  };
  environment.shellAliases = {
    myip = "dig +short myip.opendns.com @resolver1.opendns.com";
    # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
    io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
    io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
    io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
    io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
  };
 }
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -0,0 +1,65 @@
 rec {
  users = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
  ];
  system = {
    liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
    ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
    ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
    ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
    n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
    n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
    n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
    n4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYm2ROIfCeGz6QtDwqAmcj2DX9tq2CZn0eLhskdvB4Z";
    n5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Qhvwq3PiHEKf+2/4w5ZJkSMNzFLhIRrPOR98m7wW4";
    n6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/P/pa9+qhKAPfvvd8xSO2komJqDW0M1nCK7ZrP6PO7";
    n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL";
  };
  # groups
  systems = with system; [
    liza
    ponyo
    ray
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  personal = with system; [
    ray
  ];
  servers = with system; [
    liza
    ponyo
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  compute = with system; [
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  storage = with system; [
    s0
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -1,58 +1,284 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1675176355,
        "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "archivebox": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1648612759,
        "narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
        "ref": "refs/heads/master",
        "rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
        "revCount": 2,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/archivebox.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/archivebox.git"
      }
    },
    "blobs": {
      "flake": false,
      "locked": {
        "lastModified": 1604995301,
        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "type": "gitlab"
      }
    },
    "dailybuild_modules": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1651719222,
        "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
        "ref": "refs/heads/master",
        "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
        "revCount": 19,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1673295039,
        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1668681692,
        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nix-locate": {
      "inputs": {
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1673969751,
        "narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=",
        "owner": "bennofs",
        "repo": "nix-index",
        "rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a",
        "type": "github"
      },
      "original": {
        "owner": "bennofs",
        "repo": "nix-index",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1622622179,
+        "lastModified": 1672580127,
-        "narHash": "sha256-XCw/9QDuj9J6prVR8YrteTcFKj2sRWYIjwgs8qOOrYQ=",
+        "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "eaba7870ffc3400eca4407baa24184b7fe337ec1",
+        "rev": "0874168639713f547c05947c76124f78441ea46c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-21.05",
+        "ref": "nixos-22.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-22_05": {
      "locked": {
-        "lastModified": 1607522989,
+        "lastModified": 1654936503,
-        "narHash": "sha256-o/jWhOSAlaK7y2M57OIriRt6whuVVocS/T0mG7fd1TI=",
+        "narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4",
+        "rev": "dab6df51387c3878cdea09f43589a15729cae9f4",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-unstable",
+        "ref": "nixos-22.05",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1675835843,
        "narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "radio": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1631585589,
        "narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
        "ref": "main",
        "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
        "revCount": 38,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio.git"
      },
      "original": {
        "ref": "main",
        "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio.git"
      }
    },
    "radio-web": {
      "flake": false,
      "locked": {
        "lastModified": 1652121792,
        "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
        "ref": "refs/heads/master",
        "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
        "revCount": 5,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio-web.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio-web.git"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "archivebox": "archivebox",
        "dailybuild_modules": "dailybuild_modules",
        "flake-utils": "flake-utils",
        "nix-locate": "nix-locate",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "radio": "radio",
        "radio-web": "radio-web",
        "simple-nixos-mailserver": "simple-nixos-mailserver"
      }
    },
    "simple-nixos-mailserver": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "blobs": "blobs",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-22_05": "nixpkgs-22_05",
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1622448045,
+        "lastModified": 1655930346,
-        "narHash": "sha256-duIjiaBwdkY+JpeVbQSt0SOrYQ4GDH5XoT3xZOz4jPA=",
+        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "6e0690093c24261192ee5c0557f85791a67eec29",
+        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-21.05",
+        "ref": "nixos-22.05",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -1,32 +1,104 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.05";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
    flake-utils.url = "github:numtide/flake-utils";
    nix-locate.url = "github:bennofs/nix-index";
    nix-locate.inputs.nixpkgs.follows = "nixpkgs";
    # mail server
    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
    simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
    # agenix
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    # radio
    radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
    radio.inputs.nixpkgs.follows = "nixpkgs";
    radio.inputs.flake-utils.follows = "flake-utils";
    radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
    radio-web.flake = false;
    # drastikbot
    dailybuild_modules.url = "git+https://git.neet.dev/zuckerberg/dailybuild_modules.git";
    dailybuild_modules.inputs.nixpkgs.follows = "nixpkgs";
    dailybuild_modules.inputs.flake-utils.follows = "flake-utils";
    # archivebox
    archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git";
    archivebox.inputs.nixpkgs.follows = "nixpkgs";
    archivebox.inputs.flake-utils.follows = "flake-utils";
  };
-  outputs = inputs: {
+  outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
    nixosConfigurations =
    let
-      mkSystem = system: path:
+      modules = system: [
-        inputs.nixpkgs.lib.nixosSystem {
+        ./common
-          inherit system;
+        inputs.simple-nixos-mailserver.nixosModule
-          modules = [
+        inputs.agenix.nixosModules.default
-            path
+        inputs.dailybuild_modules.nixosModule
-            inputs.simple-nixos-mailserver.nixosModule
+        inputs.archivebox.nixosModule
        ({ lib, ... }: {
          config.environment.systemPackages = [
            inputs.agenix.packages.${system}.agenix
          ];
-          specialArgs = { inherit inputs; };
+
          # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
          options.inputs = lib.mkOption { default = inputs; };
          options.currentSystem = lib.mkOption { default = system; };
        })
      ];
      mkSystem = system: nixpkgs: path:
        let
          allModules = modules system;
        in nixpkgs.lib.nixosSystem {
          inherit system;
          modules = allModules ++ [path];
          specialArgs = {
            inherit allModules;
          };
        };
    in
    {
-      "reg" = mkSystem "x86_64-linux" ./machines/reg/configuration.nix;
+      "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
-      "mitty" = mkSystem "x86_64-linux" ./machines/mitty/configuration.nix;
+      "ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix;
-      "nanachi" = mkSystem "x86_64-linux" ./machines/nanachi/configuration.nix;
+      "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
-      "riko" = mkSystem "x86_64-linux" ./machines/riko/configuration.nix;
+      "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
-      "neetdev" = mkSystem "x86_64-linux" ./machines/neet.dev/configuration.nix;
+      "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
-      "liza" = mkSystem "x86_64-linux" ./machines/liza/configuration.nix;
+      "s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
-      "s0" = mkSystem "aarch64-linux" ./machines/storage/s0/configuration.nix;
+      "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
-      "n1" = mkSystem "aarch64-linux" ./machines/compute/n1/configuration.nix;
+      "n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
      "n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;
      "n4" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n4/configuration.nix;
      "n5" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n5/configuration.nix;
      "n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
      "n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
    };
    packages = let
      mkKexec = system:
        (nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [ ./machines/ephemeral/kexec.nix ];
        }).config.system.build.kexec_tarball;
      mkIso = system:
        (nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [ ./machines/ephemeral/iso.nix ];
        }).config.system.build.isoImage;
    in {
      "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
      "x86_64-linux"."iso" = mkIso "x86_64-linux";
      "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
      "aarch64-linux"."iso" = mkIso "aarch64-linux";
    };
  };
 }
--- a/lockfile-update.sh
+++ b/lockfile-update.sh
@@ -0,0 +1,4 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i bash -p bash
 nix flake update --commit-lock-file
--- a/machines/compute/common.nix
+++ b/machines/compute/common.nix
@@ -1,10 +1,6 @@
 { config, ... }:
 {
  imports = [
    ../../common/common.nix
  ];
  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
@@ -17,7 +13,7 @@
    };
  };
-  nix.flakes.enable = true;
+  system.autoUpgrade.enable = true;
  networking.interfaces.eth0.useDHCP = true;
--- a/machines/compute/n2/configuration.nix
+++ b/machines/compute/n2/configuration.nix
@@ -0,0 +1,9 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n2";
 }
--- a/machines/compute/n3/configuration.nix
+++ b/machines/compute/n3/configuration.nix
@@ -0,0 +1,9 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n3";
 }
--- a/machines/compute/n4/configuration.nix
+++ b/machines/compute/n4/configuration.nix
@@ -0,0 +1,9 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n4";
 }
--- a/machines/compute/n5/configuration.nix
+++ b/machines/compute/n5/configuration.nix
@@ -0,0 +1,9 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n5";
 }
--- a/machines/compute/n6/configuration.nix
+++ b/machines/compute/n6/configuration.nix
@@ -0,0 +1,9 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n6";
 }
--- a/machines/compute/n7/configuration.nix
+++ b/machines/compute/n7/configuration.nix
@@ -0,0 +1,9 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n7";
 }
--- a/machines/ephemeral/iso.nix
+++ b/machines/ephemeral/iso.nix
@@ -0,0 +1,12 @@
 { modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/iso-image.nix")
    ./minimal.nix
  ];
  isoImage.makeUsbBootable = true;
  networking.hostName = "iso";
 }
--- a/machines/ephemeral/kexec.nix
+++ b/machines/ephemeral/kexec.nix
@@ -0,0 +1,48 @@
 # From https://mdleom.com/blog/2021/03/09/nixos-oracle/#Build-a-kexec-tarball
 # Builds a kexec img
 { config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/netboot/netboot.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./minimal.nix
  ];
  networking.hostName = "kexec";
  # stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
  system.build = rec {
    image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
      mkdir $out
      if [ -f ${config.system.build.kernel}/bzImage ]; then
        cp ${config.system.build.kernel}/bzImage $out/kernel
      else
        cp ${config.system.build.kernel}/Image $out/kernel
      fi
      cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
      nuke-refs $out/kernel
    '';
    kexec_script = pkgs.writeTextFile {
      executable = true;
      name = "kexec-nixos";
      text = ''
        #!${pkgs.stdenv.shell}
        set -e
        ${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
        sync
        echo "executing kernel, filesystems will be improperly umounted"
        ${pkgs.kexectools}/bin/kexec -e
      '';
    };
    kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
      storeContents = [
        {
          object = config.system.build.kexec_script;
          symlink = "/kexec_nixos";
        }
      ];
      contents = [ ];
    };
  };
 }
--- a/machines/ephemeral/minimal.nix
+++ b/machines/ephemeral/minimal.nix
@@ -0,0 +1,28 @@
 { pkgs, ... }:
 {
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
  boot.kernelParams = [
    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0" # enable serial console
    "console=tty1"
  ];
  boot.kernel.sysctl."vm.overcommit_memory" = "1";
  environment.systemPackages = with pkgs; [
    cryptsetup
    btrfs-progs
  ];
  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
  networking.useDHCP = true;
  services.openssh = {
    enable = true;
    challengeResponseAuthentication = false;
    passwordAuthentication = false;
  };
  services.getty.autologinUser = "root";
  users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
 }
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@@ -3,13 +3,11 @@
 {
  imports =[
    ./hardware-configuration.nix
    ../../common/common.nix
  ];
  # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
-  nix.flakes.enable = true;
+  firmware.x86_64.enable = true;
  bios = {
    enable = true;
    device = "/dev/sda";
@@ -20,15 +18,93 @@
    device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
  };
-  services.gitea = {
+  system.autoUpgrade.enable = true;
    enable = true;
    hostname = "git.neet.dev";
  };
  networking.hostName = "liza";
  networking.interfaces.enp1s0.useDHCP = true;
-  security.acme.acceptTerms = true;
+  mailserver = {
-  security.acme.email = "zuckerberg@neet.dev";
+    enable = true;
    fqdn = "mail.neet.dev";
    dkimKeyBits = 2048;
    indexDir = "/var/lib/mailindex";
    enableManageSieve = true;
    fullTextSearch.enable = true;
    fullTextSearch.indexAttachments = true;
    fullTextSearch.memoryLimit = 500;
    domains = [
      "neet.space" "neet.dev" "neet.cloud"
      "runyan.org" "runyan.rocks"
      "thunderhex.com" "tar.ninja"
      "bsd.ninja" "bsd.rocks"
    ];
    loginAccounts = {
      "jeremy@runyan.org" = {
        hashedPasswordFile = "/run/agenix/email-pw";
        aliases = [
          "@neet.space" "@neet.cloud" "@neet.dev"
          "@runyan.org" "@runyan.rocks"
          "@thunderhex.com" "@tar.ninja"
          "@bsd.ninja" "@bsd.rocks"
        ];
      };
    };
    rejectRecipients = [
      "george@runyan.org"
      "joslyn@runyan.org"
      "damon@runyan.org"
      "jonas@runyan.org"
    ];
    certificateScheme = 3; # use let's encrypt for certs
  };
  age.secrets.email-pw.file = ../../secrets/email-pw.age;
  # sendmail to use xxx@domain instead of xxx@mail.domain
  services.postfix.origin = "$mydomain";
  # relay sent mail through mailgun
  # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
  services.postfix.config = {
    smtp_sasl_auth_enable = "yes";
    smtp_sasl_security_options = "noanonymous";
    smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
    smtp_use_tls = "yes";
    sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
    smtp_sender_dependent_authentication = "yes";
  };
  services.postfix.mapFiles.sender_relay = let
    relayHost = "[smtp.mailgun.org]:587";
  in pkgs.writeText "sender_relay" ''
    @neet.space ${relayHost}
    @neet.cloud ${relayHost}
    @neet.dev ${relayHost}
    @runyan.org ${relayHost}
    @runyan.rocks ${relayHost}
    @thunderhex.com ${relayHost}
    @tar.ninja ${relayHost}
    @bsd.ninja ${relayHost}
    @bsd.rocks ${relayHost}
  '';
  services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
  age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
  services.nextcloud = {
    enable = true;
    https = true;
    package = pkgs.nextcloud22;
    hostName = "neet.cloud";
    config.dbtype = "sqlite";
    config.adminuser = "jeremy";
    config.adminpassFile = "/run/agenix/nextcloud-pw";
    autoUpdateApps.enable = true;
  };
  age.secrets.nextcloud-pw = {
    file = ../../secrets/nextcloud-pw.age;
    owner = "nextcloud";
  };
  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    enableACME = true;
    forceSSL = true;
  };
 }
--- a/machines/mitty/configuration.nix
+++ b/machines/mitty/configuration.nix
@@ -1,118 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports =[
    ./hardware-configuration.nix
    ../../common/common.nix
  ];
  # cuxhh3ei2djpgf2zdkboceuhaxavgr3ipu3d7a2swx4giy2wosfxspyd.onion
  nix.flakes.enable = true;
  bios = {
    enable = true;
    device = "/dev/vda";
  };
  luks = {
    enable = true;
    device.path = "/dev/disk/by-uuid/6dcf23ea-cb5e-4329-a88b-832209918c40";
  };
  networking.hostName = "mitty";
  networking.interfaces.ens3.useDHCP = true;
  services.nginx.enable = true;
  containers.jellyfin = {
    ephemeral = true;
    autoStart = true;
    bindMounts = {
      "/var/lib" = {
        hostPath = "/var/lib/";
        isReadOnly = false;
      };
    };
    bindMounts = {
      "/secret" = {
        hostPath = "/secret";
        isReadOnly = true;
      };
    };
    enableTun = true;
    privateNetwork = true;
    hostAddress = "172.16.100.1";
    localAddress = "172.16.100.2";
    config = {
      imports = [ ../../common/common.nix ];
      pia.enable = true;
      nixpkgs.pkgs = pkgs;
      services.radarr.enable = true;
      services.radarr.openFirewall = true;
      services.bazarr.enable = true;
      services.bazarr.openFirewall = true;
      services.sonarr.enable = true;
      services.sonarr.openFirewall = true;
      services.jackett.enable = true;
      services.jackett.openFirewall = true;
      services.jellyfin.enable = true;
      services.jellyfin.openFirewall = true;
      services.deluge.enable = true;
      services.deluge.web.enable = true;
      services.deluge.web.openFirewall = true;
    };
  };
  services.nginx.virtualHosts."radarr.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://172.16.100.2:7878";
    };
  };
  services.nginx.virtualHosts."sonarr.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://172.16.100.2:8989";
    };
  };
  services.nginx.virtualHosts."bazarr.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://172.16.100.2:6767";
    };
  };
  services.nginx.virtualHosts."jellyfin.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://172.16.100.2:8096";
    };
  };
  services.nginx.virtualHosts."deluge.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://172.16.100.2:8112";
    };
  };
  services.nginx.virtualHosts."jackett.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://172.16.100.2:9117";
    };
  };
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-jellyfin" ];
  networking.nat.externalInterface = "ens3";
  security.acme.acceptTerms = true;
  security.acme.email = "letsencrypt+5@tar.ninja";
 }
--- a/machines/mitty/hardware-configuration.nix
+++ b/machines/mitty/hardware-configuration.nix
@@ -1,37 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/mapper/vg-root";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
    { device = "/dev/mapper/vg-root";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/78f9b9a3-40f6-4c6c-a599-5d5067ffa214";
      fsType = "ext3";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/26252a81-8a98-45d0-8507-494ecb3901e7"; }
    ];
 }
--- a/machines/mitty/peertube.yaml
+++ b/machines/mitty/peertube.yaml
@@ -1,513 +0,0 @@
 listen:
  hostname: 'localhost'
  port: 9000
 # Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
 webserver:
  https: true
  hostname: 'mitty.neet.dev'
  port: 443
 rates_limit:
  api:
    # 50 attempts in 10 seconds
    window: 10 seconds
    max: 50
  login:
    # 15 attempts in 5 min
    window: 5 minutes
    max: 15
  signup:
    # 2 attempts in 5 min (only succeeded attempts are taken into account)
    window: 5 minutes
    max: 2
  ask_send_email:
    # 3 attempts in 5 min
    window: 5 minutes
    max: 3
 # Proxies to trust to get real client IP
 # If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
 # If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
 trust_proxy:
  - 'loopback'
 # Your database name will be database.name OR "peertube"+database.suffix
 database:
  hostname: 'localhost'
  port: 5432
  ssl: false
  suffix: '_prod'
  username: 'peertube'
  password: 'peertube'
  pool:
    max: 5
 # Redis server for short time storage
 # You can also specify a 'socket' path to a unix socket but first need to
 # comment out hostname and port
 redis:
  hostname: 'localhost'
  port: 6379
  auth: null
  db: 0
 # SMTP server to send emails
 smtp:
  # smtp or sendmail
  transport: smtp
  # Path to sendmail command. Required if you use sendmail transport
  sendmail: null
  hostname: null
  port: 465 # If you use StartTLS: 587
  username: null
  password: null
  tls: true # If you use StartTLS: false
  disable_starttls: false
  ca_file: null # Used for self signed certificates
  from_address: 'admin@example.com'
 email:
  body:
    signature: "PeerTube"
  subject:
    prefix: "[PeerTube]"
 # From the project root directory
 storage:
  tmp: '/var/www/peertube/storage/tmp/' # Use to download data (imports etc), store uploaded files before processing...
  avatars: '/var/www/peertube/storage/avatars/'
  videos: '/var/www/peertube/storage/videos/'
  streaming_playlists: '/var/www/peertube/storage/streaming-playlists/'
  redundancy: '/var/www/peertube/storage/redundancy/'
  logs: '/var/www/peertube/storage/logs/'
  previews: '/var/www/peertube/storage/previews/'
  thumbnails: '/var/www/peertube/storage/thumbnails/'
  torrents: '/var/www/peertube/storage/torrents/'
  captions: '/var/www/peertube/storage/captions/'
  cache: '/var/www/peertube/storage/cache/'
  plugins: '/var/www/peertube/storage/plugins/'
  # Overridable client files : logo.svg, favicon.png and icons/*.png (PWA) in client/dist/assets/images
  # Could contain for example assets/images/favicon.png
  # If the file exists, peertube will serve it
  # If not, peertube will fallback to the default fil
  client_overrides: '/var/www/peertube/storage/client-overrides/'
 log:
  level: 'info' # debug/info/warning/error
  rotation:
    enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
    maxFileSize: 12MB
    maxFiles: 20
  anonymizeIP: false
  log_ping_requests: true
  prettify_sql: false
 trending:
  videos:
    interval_days: 7 # Compute trending videos for the last x days
    algorithms:
      enabled:
        - 'best' # adaptation of Reddit's 'Best' algorithm (Hot minus History)
        - 'hot' # adaptation of Reddit's 'Hot' algorithm
        - 'most-viewed' # default, used initially by PeerTube as the trending page
        - 'most-liked'
      default: 'most-viewed'
 # Cache remote videos on your server, to help other instances to broadcast the video
 # You can define multiple caches using different sizes/strategies
 # Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
 redundancy:
  videos:
    check_interval: '1 hour' # How often you want to check new videos to cache
    strategies: # Just uncomment strategies you want
 #      -
 #        size: '10GB'
 #        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
 #        min_lifetime: '48 hours'
 #        strategy: 'most-views' # Cache videos that have the most views
 #      -
 #        size: '10GB'
 #        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
 #        min_lifetime: '48 hours'
 #        strategy: 'trending' # Cache trending videos
 #      -
 #        size: '10GB'
 #        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
 #        min_lifetime: '48 hours'
 #        strategy: 'recently-added' # Cache recently added videos
 #        min_views: 10 # Having at least x views
 # Other instances that duplicate your content
 remote_redundancy:
  videos:
    # 'nobody': Do not accept remote redundancies
    # 'anybody': Accept remote redundancies from anybody
    # 'followings': Accept redundancies from instance followings
    accept_from: 'anybody'
 csp:
  enabled: false
  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
  report_uri:
 security:
  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
  frameguard:
    enabled: true
 tracker:
  # If you disable the tracker, you disable the P2P aspect of PeerTube
  enabled: true
  # Only handle requests on your videos.
  # If you set this to false it means you have a public tracker.
  # Then, it is possible that clients overload your instance with external torrents
  private: true
  # Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
  reject_too_many_announces: false
 history:
  videos:
    # If you want to limit users videos history
    # -1 means there is no limitations
    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
    max_age: -1
 views:
  videos:
    # PeerTube creates a database entry every hour for each video to track views over a period of time
    # This is used in particular by the Trending page
    # PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
    # -1 means no cleanup
    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
    remote:
      max_age: '30 days'
 plugins:
  # The website PeerTube will ask for available PeerTube plugins and themes
  # This is an unmoderated plugin index, so only install plugins/themes you trust
  index:
    enabled: true
    check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
    url: 'https://packages.joinpeertube.org'
 federation:
  videos:
    federate_unlisted: false
    # Add a weekly job that cleans up remote AP interactions on local videos (shares, rates and comments)
    # It removes objects that do not exist anymore, and potentially fix their URLs
    # This setting is opt-in because due to an old bug in PeerTube, remote rates sent by instance before PeerTube 3.0 will be deleted
    # We still suggest you to enable this setting even if your users will loose most of their video's likes/dislikes
    cleanup_remote_interactions: false
 peertube:
  check_latest_version:
    # Check and notify admins of new PeerTube versions
    enabled: true
    # You can use a custom URL if your want, that respect the format behind https://joinpeertube.org/api/v1/versions.json
    url: 'https://joinpeertube.org/api/v1/versions.json'
 ###############################################################################
 #
 # From this point, all the following keys can be overridden by the web interface
 # (local-production.json file). If you need to change some values, prefer to
 # use the web interface because the configuration will be automatically
 # reloaded without any need to restart PeerTube.
 #
 # /!\ If you already have a local-production.json file, the modification of the
 # following keys will have no effect /!\.
 #
 ###############################################################################
 cache:
  previews:
    size: 500 # Max number of previews you want to cache
  captions:
    size: 500 # Max number of video captions/subtitles you want to cache
  torrents:
    size: 500 # Max number of video torrents you want to cache
 admin:
  # Used to generate the root user at first startup
  # And to receive emails from the contact form
  email: 'googlebot@tar.ninja'
 contact_form:
  enabled: true
 signup:
  enabled: false
  limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
  requires_email_verification: false
  filters:
    cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
      whitelist: []
      blacklist: []
 user:
  # Default value of maximum video BYTES the user can upload (does not take into account transcoded files).
  # -1 == unlimited
  video_quota: -1
  video_quota_daily: -1
 # If enabled, the video will be transcoded to mp4 (x264) with "faststart" flag
 # In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions.
 # Please, do not disable transcoding since many uploaded videos will not work
 transcoding:
  enabled: true
  # Allow your users to upload .mkv, .mov, .avi, .wmv, .flv, .f4v, .3g2, .3gp, .mts, m2ts, .mxf, .nut videos
  allow_additional_extensions: true
  # If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file
  allow_audio_files: true
  # Amount of threads used by ffmpeg for 1 transcoding job
  threads: 1
  # Amount of transcoding jobs to execute in parallel
  concurrency: 1
  # Choose the transcoding profile
  # New profiles can be added by plugins
  # Available in core PeerTube: 'default'
  profile: 'default'
  resolutions: # Only created if the original video has a higher resolution, uses more storage!
    0p: false # audio-only (creates mp4 without video stream, always created when enabled)
    240p: false
    360p: false
    480p: false
    720p: false
    1080p: false
    1440p: false
    2160p: false
  # Generate videos in a WebTorrent format (what we do since the first PeerTube release)
  # If you also enabled the hls format, it will multiply videos storage by 2
  # If disabled, breaks federation with PeerTube instances < 2.1
  webtorrent:
    enabled: false
  # /!\ Requires ffmpeg >= 4.1
  # Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent:
  #     * Resolution change is smoother
  #     * Faster playback in particular with long videos
  #     * More stable playback (less bugs/infinite loading)
  # If you also enabled the webtorrent format, it will multiply videos storage by 2
  hls:
    enabled: true
 live:
  enabled: true
  # Limit lives duration
  # -1 == unlimited
  max_duration: -1 # For example: '5 hours'
  # Limit max number of live videos created on your instance
  # -1 == unlimited
  max_instance_lives: 20
  # Limit max number of live videos created by a user on your instance
  # -1 == unlimited
  max_user_lives: 3
  # Allow your users to save a replay of their live
  # PeerTube will transcode segments in a video file
  # If the user daily/total quota is reached, PeerTube will stop the live
  # /!\ transcoding.enabled (and not live.transcoding.enabled) has to be true to create a replay
  allow_replay: true
  # Your firewall should accept traffic from this port in TCP if you enable live
  rtmp:
    port: 1935
  # Allow to transcode the live streaming in multiple live resolutions
  transcoding:
    enabled: true
    threads: 2
    # Choose the transcoding profile
    # New profiles can be added by plugins
    # Available in core PeerTube: 'default'
    profile: 'default'
    resolutions:
      240p: false
      360p: false
      480p: false
      720p: false
      1080p: false
      1440p: false
      2160p: false
 import:
  # Add ability for your users to import remote videos (from YouTube, torrent...)
  videos:
    # Amount of import jobs to execute in parallel
    concurrency: 1
    http: # Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
      enabled: false
      # IPv6 is very strongly rate-limited on most sites supported by youtube-dl
      force_ipv4: false
      # You can use an HTTP/HTTPS/SOCKS proxy with youtube-dl
      proxy:
        enabled: false
        url: ""
    torrent: # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
      enabled: false
 auto_blacklist:
  # New videos automatically blacklisted so moderators can review before publishing
  videos:
    of_users:
      enabled: false
 # Instance settings
 instance:
  name: 'PeerTube'
  short_description: 'PeerTube, an ActivityPub-federated video streaming platform using P2P directly in your web browser.'
  description: 'Welcome to this PeerTube instance!' # Support markdown
  terms: 'No terms for now.' # Support markdown
  code_of_conduct: '' # Supports markdown
  # Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc
  moderation_information: '' # Supports markdown
  # Why did you create this instance?
  creation_reason: '' # Supports Markdown
  # Who is behind the instance? A single person? A non profit?
  administrator: '' # Supports Markdown
  # How long do you plan to maintain this instance?
  maintenance_lifetime: '' # Supports Markdown
  # How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising?
  business_model: '' # Supports Markdown
  # If you want to explain on what type of hardware your PeerTube instance runs
  # Example: "2 vCore, 2GB RAM..."
  hardware_information: '' # Supports Markdown
  # What are the main languages of your instance? To interact with your users for example
  # Uncomment or add the languages you want
  # List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
  languages:
 #    - en
 #    - es
 #    - fr
  # You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
  # Uncomment or add the category ids you want
  # List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
  categories:
 #    - 1  # Music
 #    - 2  # Films
 #    - 3  # Vehicles
 #    - 4  # Art
 #    - 5  # Sports
 #    - 6  # Travels
 #    - 7  # Gaming
 #    - 8  # People
 #    - 9  # Comedy
 #    - 10 # Entertainment
 #    - 11 # News & Politics
 #    - 12 # How To
 #    - 13 # Education
 #    - 14 # Activism
 #    - 15 # Science & Technology
 #    - 16 # Animals
 #    - 17 # Kids
 #    - 18 # Food
  default_client_route: '/videos/trending'
  # Whether or not the instance is dedicated to NSFW content
  # Enabling it will allow other administrators to know that you are mainly federating sensitive content
  # Moreover, the NSFW checkbox on video upload will be automatically checked by default
  is_nsfw: false
  # By default, "do_not_list" or "blur" or "display" NSFW videos
  # Could be overridden per user with a setting
  default_nsfw_policy: 'do_not_list'
  customizations:
    javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
    css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
  # Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add '/' to "Disallow:'
  robots: |
    User-agent: *
    Disallow:
  # Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string.
  securitytxt:
    "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
 services:
  # Cards configuration to format video in Twitter
  twitter:
    username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
    # If true, a video player will be embedded in the Twitter feed on PeerTube video share
    # If false, we use an image link card that will redirect on your PeerTube instance
    # Change it to "true", and then test on https://cards-dev.twitter.com/validator to see if you are whitelisted
    whitelisted: false
 followers:
  instance:
    # Allow or not other instances to follow yours
    enabled: true
    # Whether or not an administrator must manually validate a new follower
    manual_approval: false
 followings:
  instance:
    # If you want to automatically follow back new instance followers
    # If this option is enabled, use the mute feature instead of deleting followings
    # /!\ Don't enable this if you don't have a reactive moderation team /!\
    auto_follow_back:
      enabled: false
    # If you want to automatically follow instances of the public index
    # If this option is enabled, use the mute feature instead of deleting followings
    # /!\ Don't enable this if you don't have a reactive moderation team /!\
    auto_follow_index:
      enabled: false
      # Host your own using https://framagit.org/framasoft/peertube/instances-peertube#peertube-auto-follow
      index_url: ''
 theme:
  default: 'default'
 broadcast_message:
  enabled: false
  message: '' # Support markdown
  level: 'info' # 'info' | 'warning' | 'error'
  dismissable: false
 search:
  # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
  # If enabled, the associated group will be able to "escape" from the instance follows
  # That means they will be able to follow channels, watch videos, list videos of non followed instances
  remote_uri:
    users: true
    anonymous: false
  # Use a third party index instead of your local index, only for search results
  # Useful to discover content outside of your instance
  # If you enable search_index, you must enable remote_uri search for users
  # If you do not enable remote_uri search for anonymous user, your instance will redirect the user on the origin instance
  # instead of loading the video locally
  search_index:
    enabled: false
    # URL of the search index, that should use the same search API and routes
    # than PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
    # You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
    # and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
    url: ''
    # You can disable local search, so users only use the search index
    disable_local_search: false
    # If you did not disable local search, you can decide to use the search index by default
    is_default_search: false
--- a/machines/nanachi/configuration.nix
+++ b/machines/nanachi/configuration.nix
@@ -1,43 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports =[
    ./hardware-configuration.nix
    ../../common/common.nix
  ];
  # uxzq63kr2uuwutpaqjna2sg4gnk3p65e5bkvedzx5dsxx2mvxhjm7fid.onion
  nix.flakes.enable = true;
  bios = {
    enable = true;
    device = "/dev/vda";
  };
  luks = {
    enable = true;
    device.path = "/dev/disk/by-uuid/e57ac752-bd99-421f-a3b9-0cfa9608a54e";
  };
  networking.hostName = "nanachi";
  networking.interfaces.ens3.useDHCP = true;
  services.icecast = {
    enable = true;
    hostname = "nanachi.neet.dev";
    mount = "stream.mp3";
    fallback = "fallback.mp3";
  };
  security.acme.acceptTerms = true;
  security.acme.email = "letsencrypt+5@tar.ninja";
  services.nginx.enable = true;
  services.nginx.virtualHosts."nanachi.neet.dev" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/tmp";
  };
 }
--- a/machines/nanachi/hardware-configuration.nix
+++ b/machines/nanachi/hardware-configuration.nix
@@ -1,37 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/mapper/vg-root";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
    { device = "/dev/mapper/vg-root";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/47b13d6a-0bbb-42a6-abd9-2b06f76d9718";
      fsType = "ext3";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/b7533a50-6dd2-4a64-953b-a8218e77d9fa"; }
    ];
 }
--- a/machines/nat/configuration.nix
+++ b/machines/nat/configuration.nix
@@ -0,0 +1,17 @@
 { config, pkgs, fetchurl, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  efi.enable = true;
  networking.hostName = "nat";
  networking.interfaces.ens160.useDHCP = true;
  services.zerotierone.enable = true;
  de.enable = true;
  de.touchpad.enable = true;
 }
--- a/machines/nat/hardware-configuration.nix
+++ b/machines/nat/hardware-configuration.nix
@@ -0,0 +1,25 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [ ];
  boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "nvme" "usbhid" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/0C95-1290";
      fsType = "vfat";
    };
  swapDevices = [ ];
 }
--- a/machines/neet.dev/configuration.nix
+++ b/machines/neet.dev/configuration.nix
@@ -1,71 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports =[
    ./hardware-configuration.nix
    ../../common/common.nix
  ];
  # wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
  nix.flakes.enable = true;
  bios = {
    enable = true;
    device = "/dev/sda";
  };
  luks = {
    enable = true;
    device.path = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
  };
  networking.hostName = "neetdev";
  networking.interfaces.eno1.useDHCP = true;
  services.nginx.enable = true;
  security.acme.acceptTerms = true;
  security.acme.email = "letsencrypt+5@tar.ninja";
  # placeholder
  services.nginx.virtualHosts."radio.neet.space" = {
    enableACME = true;
    forceSSL = true;
  };
  services.thelounge = {
    enable = true;
    port = 9000;
    fileUploadBaseUrl = "https://files.neet.cloud/irc/";
    host = "irc.neet.dev";
    fileHost = {
      host = "files.neet.cloud";
      path = "/irc";
    };
  };
  services.murmur = {
    enable = true;
    port = 23563;
    domain = "voice.neet.space";
  };
  mailserver = {
    enable = true;
    fqdn = "mail.neet.dev";
    domains = [ "neet.space" "neet.dev" "neet.cloud" ];
    loginAccounts = {
      "jeremy@neet.dev" = {
        # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
        hashedPasswordFile = "/secret/email.password";
        aliases = [
          "zuckerberg@neet.space"
          "zuckerberg@neet.cloud"
          "zuckerberg@neet.dev"
        ];
      };
    };
    certificateScheme = 3; # use let's encrypt for certs
  };
 }
--- a/machines/ponyo/configuration.nix
+++ b/machines/ponyo/configuration.nix
@@ -0,0 +1,172 @@
 { config, pkgs, lib, ... }:
 {
  imports =[
    ./hardware-configuration.nix
  ];
  networking.hostName = "ponyo";
  firmware.x86_64.enable = true;
  bios = {
    enable = true;
    device = "/dev/sda";
  };
  luks = {
    enable = true;
    device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
  };
  system.autoUpgrade.enable = true;
  services.zerotierone.enable = true;
  services.gitea = {
    enable = true;
    hostname = "git.neet.dev";
    disableRegistration = true;
  };
  services.thelounge = {
    enable = true;
    port = 9000;
    fileUploadBaseUrl = "https://files.neet.cloud/irc/";
    host = "irc.neet.dev";
    fileHost = {
      host = "files.neet.cloud";
      path = "/irc";
    };
  };
  services.murmur = {
    enable = true;
    port = 23563;
    domain = "voice.neet.space";
  };
  services.drastikbot = {
    enable = true;
    wolframAppIdFile = "/run/agenix/wolframalpha";
  };
  age.secrets.wolframalpha = {
    file = ../../secrets/wolframalpha.age;
    owner = config.services.drastikbot.user;
  };
  # wrap radio in a VPN
  vpn-container.enable = true;
  vpn-container.config = {
    services.radio = {
      enable = true;
      host = "radio.runyan.org";
    };
  };
  # tailscale
  services.tailscale.exitNode = true;
  # icecast endpoint + website
  services.nginx.virtualHosts."radio.runyan.org" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/stream.mp3" = {
        proxyPass = "http://vpn.containers:8001/stream.mp3";
        extraConfig = ''
          add_header Access-Control-Allow-Origin *;
        '';
      };
      "/".root = config.inputs.radio-web;
    };
  };
  services.matrix = {
    enable = true;
    host = "neet.space";
    enable_registration = false;
    element-web = {
      enable = true;
      host = "chat.neet.space";
    };
    jitsi-meet = {
      enable = true;
      host = "meet.neet.space";
    };
    turn = {
      host = "turn.neet.space";
      secret = "a8369a0e96922abf72494bb888c85831b";
    };
  };
  services.postgresql.package = pkgs.postgresql_11;
  services.searx = {
    enable = true;
    environmentFile = "/run/agenix/searx";
    settings = {
      server.port = 43254;
      server.secret_key = "@SEARX_SECRET_KEY@";
      engines = [ {
        name = "wolframalpha";
        shortcut = "wa";
        api_key = "@WOLFRAM_API_KEY@";
        engine = "wolframalpha_api";
      } ];
    };
  };
  services.nginx.virtualHosts."search.neet.space" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
    };
  };
  age.secrets.searx.file = ../../secrets/searx.age;
  # iodine DNS-based vpn
  services.iodine.server = {
    enable = true;
    ip = "192.168.99.1";
    domain = "tun.neet.dev";
    passwordFile = "/run/agenix/iodine";
  };
  age.secrets.iodine.file = ../../secrets/iodine.age;
  networking.firewall.allowedUDPPorts = [ 53 ];
  networking.nat.internalInterfaces = [
    "dns0" # iodine
  ];
  services.nginx.enable = true;
  services.nginx.virtualHosts."jellyfin.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://s0.zt.neet.dev";
      proxyWebsockets = true;
    };
  };
  services.nginx.virtualHosts."navidrome.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://s0.zt.neet.dev:4533";
  };
  services.nginx.virtualHosts."tmp.neet.dev" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/tmp";
  };
  # redirect to github
  services.nginx.virtualHosts."runyan.org" = {
    enableACME = true;
    forceSSL = true;
    extraConfig = ''
      rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
    '';
  };
  services.owncast.enable = true;
  services.owncast.hostname = "live.neet.dev";
 }
--- a/machines/ponyo/hardware-configuration.nix
+++ b/machines/ponyo/hardware-configuration.nix
@@ -0,0 +1,37 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" "nvme" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/mapper/enc-pv";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/d3a3777d-1e70-47fa-a274-804dc70ee7fd";
      fsType = "ext4";
    };
  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/b14668b8-9026-b041-8b71-f302b6b291bf";
      randomEncryption.enable = true;
    }
  ];
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = lib.mkDefault false;
  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/ray/ca.rsa.4096.crt
+++ b/machines/ray/ca.rsa.4096.crt
@@ -0,0 +1,43 @@
 -----BEGIN CERTIFICATE-----
 MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
 VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
 BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
 dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
 IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
 FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
 MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
 EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
 QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
 AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
 ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
 bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
 hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
 De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
 V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
 25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
 fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
 p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
 Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
 tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
 jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
 meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
 1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
 HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
 yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
 EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
 cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
 HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
 ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
 aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
 hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
 pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
 Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
 tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
 LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
 6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
 5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
 JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
 iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
 8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
 +no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
 -----END CERTIFICATE-----
--- a/machines/ray/configuration.nix
+++ b/machines/ray/configuration.nix
@@ -0,0 +1,119 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  firmware.x86_64.enable = true;
  efi.enable = true;
  boot.initrd.luks.devices."enc-pv" = {
    device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
    allowDiscards = true;
  };
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  networking.hostName = "ray";
  hardware.enableAllFirmware = true;
  # depthai
  services.udev.extraRules = ''
    SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
  '';
  # gpu
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.nvidia = {
    modesetting.enable = true; # for nvidia-vaapi-driver
    prime = {
      reverseSync.enable = true;
      offload.enableOffloadCmd = true;
      nvidiaBusId = "PCI:1:0:0";
      amdgpuBusId = "PCI:4:0:0";
    };
  };
  # virt-manager
  virtualisation.libvirtd.enable = true;
  programs.dconf.enable = true;
  virtualisation.spiceUSBRedirection.enable = true;
  environment.systemPackages = with pkgs; [ virt-manager ];
  users.users.googlebot.extraGroups = [ "libvirtd" ];
  # vpn-container.enable = true;
  # containers.vpn.interfaces = [ "piaw" ];
  # allow traffic for wireguard interface to pass
  # networking.firewall = {
  #   # wireguard trips rpfilter up
  #   extraCommands = ''
  #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
  #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
  #   '';
  #   extraStopCommands = ''
  #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
  #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
  #   '';
  # };
  # systemd.services.pia-vpn-wireguard = {
  #   enable = true;
  #   description = "PIA VPN WireGuard Tunnel";
  #   requires = [ "network-online.target" ];
  #   after = [ "network.target" "network-online.target" ];
  #   wantedBy = [ "multi-user.target" ];
  #   environment.DEVICE = "piaw";
  #   path = with pkgs; [ kmod wireguard-tools jq curl ];
  #   serviceConfig = {
  #     Type = "oneshot";
  #     RemainAfterExit = true;
  #   };
  #   script = ''
  #     WG_HOSTNAME=zurich406
  #     WG_SERVER_IP=156.146.62.153
  #     PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
  #     PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
  #     PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
  #     privKey=$(wg genkey)
  #     pubKey=$(echo "$privKey" | wg pubkey)
  #     wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
  #     echo "               
  #     [Interface]
  #     Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
  #     PrivateKey = $privKey
  #     ListenPort = 51820
  #     [Peer]
  #     PersistentKeepalive = 25
  #     PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
  #     AllowedIPs = 0.0.0.0/0
  #     Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
  #     " > /tmp/piaw.conf
  #     # TODO make /tmp/piaw.conf ro to root
  #     ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
  #     wg-quick up /tmp/piaw.conf
  #   '';
  #   preStop = ''
  #     wg-quick down /tmp/piaw.conf
  #   '';
  # };
  # age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
  virtualisation.docker.enable = true;
  services.zerotierone.enable = true;
  services.mount-samba.enable = true;
  de.enable = true;
  de.touchpad.enable = true;
 }
--- a/machines/neet.dev/hardware-configuration.nix
+++ b/machines/neet.dev/hardware-configuration.nix
@@ -8,31 +8,34 @@
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ahci" ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
+    { device = "/dev/vg/root";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
+    { device = "/dev/vg/root";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/d1d3cc19-980f-42ea-9784-a223ea71f435";
+    { device = "/dev/disk/by-uuid/2C85-2B59";
-      fsType = "ext4";
+      fsType = "vfat";
    };
  swapDevices =
-    [ { device = "/dev/disk/by-uuid/86fdcded-3f0e-4ee0-81bc-c1c92cb96ab1"; }
+    [ { device = "/dev/vg/swap"; }
    ];
-  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # high-resolution display
  hardware.video.hidpi.enable = lib.mkDefault true;
 }
--- a/machines/reg/configuration.nix
+++ b/machines/reg/configuration.nix
@@ -3,13 +3,13 @@
 {
  imports = [
    ./hardware-configuration.nix
    ../../common/common.nix
  ];
  # smcxui7kwoyxpswwage4fkcppxnqzpw33xcmxmlhxvk5gcp5s6lrtfad.onion
-  nix.flakes.enable = true;
+  boot.kernelPackages = pkgs.linuxPackages_5_12;
  firmware.x86_64.enable = true;
  efi.enable = true;
  luks = {
@@ -25,6 +25,8 @@
  de.enable = true;
  de.touchpad.enable = true;
  services.zerotierone.enable = true;
  # VNC
  networking.firewall.allowedTCPPorts = [ 5900 ];
--- a/machines/riko/configuration.nix
+++ b/machines/riko/configuration.nix
@@ -1,53 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports =[
    ./hardware-configuration.nix
    ../../common/common.nix
  ];
  # rzv5fm2vrmnbmffe3bgh2kxdpa66jwdjw57wallgw4j4q64kaknb55id.onion
  nix.flakes.enable = true;
  bios = {
    enable = true;
    device = "/dev/vda";
  };
  luks = {
    enable = true;
    device.path = "/dev/disk/by-uuid/60051e7a-c2fe-4065-9ef0-110aaac78f0c";
  };
  networking.hostName = "riko";
  networking.interfaces.ens3.useDHCP = true;
  security.acme.acceptTerms = true;
  security.acme.email = "letsencrypt+5@tar.ninja";
  services.nginx.enable = true;
  services.nginx.virtualHosts."riko.neet.dev" = {
    enableACME = true;
    forceSSL = true;
  };
  services.matrix = {
    enable = true;
    host = "neet.space";
    enable_registration = false;
    element-web = {
      enable = true;
      host = "chat.neet.space";
    };
    jitsi-meet = {
      enable = true;
      host = "meet.neet.space";
    };
    turn = {
      host = "turn.neet.space";
      secret = "a8369a0e96922abf72494bb888c85831b";
    };
  };
 }
--- a/machines/riko/hardware-configuration.nix
+++ b/machines/riko/hardware-configuration.nix
@@ -1,37 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/mapper/vg-root";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
    { device = "/dev/mapper/vg-root";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/e65c8351-d869-456a-bade-0c23e483570f";
      fsType = "ext3";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/43dd30f1-f428-4b67-a1ce-5c7c336428c4"; }
    ];
 }
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@@ -2,12 +2,188 @@
 {
  imports =[
-    ./helios64.nix
+    ./helios64
-    ../../../common/common.nix
+    ./hardware-configuration.nix
  ];
-  nix.flakes.enable = true;
+  # nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion
  networking.hostName = "s0";
-  fileSystems."/" = { device = lib.mkForce "/dev/disk/by-label/bold-emmc"; fsType = lib.mkForce "btrfs"; };
+
-  networking.interfaces.eth0.useDHCP = true;
+  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  system.autoUpgrade.enable = true;
  boot.supportedFilesystems = [ "bcachefs" ];
  services.zerotierone.enable = true;
  # for education purposes only
  services.pykms.enable = true;
  services.pykms.openFirewallPort = true;
  users.users.googlebot.packages = with pkgs; [
    bcachefs-tools
  ];
  services.samba.enable = true;
  services.navidrome = {
    enable = true;
    settings = {
      Address = "0.0.0.0";
      Port = 4533;
      MusicFolder = "/data/samba/Public/Plex/Music";
    };
  };
  networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
  users.users.googlebot.extraGroups = [ "transmission" ];
  users.groups.transmission.gid = config.ids.gids.transmission;
  vpn-container.enable = true;
  vpn-container.mounts = [
    "/var/lib"
    "/data/samba/Public/Plex"
  ];
  vpn-container.config = {
    # servarr services
    services.prowlarr.enable = true;
    services.sonarr.enable = true;
    services.sonarr.user = "public_data";
    services.sonarr.group = "public_data";
    services.bazarr.enable = true;
    services.bazarr.user = "public_data";
    services.bazarr.group = "public_data";
    services.radarr.enable = true;
    services.radarr.user = "public_data";
    services.radarr.group = "public_data";
    services.lidarr.enable = true;
    services.lidarr.user = "public_data";
    services.lidarr.group = "public_data";
    services.jellyfin.enable = true;
    users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
    services.transmission = {
      enable = true;
      performanceNetParameters = true;
      user = "public_data";
      group = "public_data";
      settings = {
        /* directory settings */
        # "watch-dir" = "/srv/storage/Transmission/To-Download";
        # "watch-dir-enabled" = true;
        "download-dir" = "/data/samba/Public/Plex/Transmission";
        "incomplete-dir" = "/var/lib/transmission/.incomplete";
        "incomplete-dir-enabled" = true;
        /* web interface, accessible from local network */
        "rpc-enabled" = true;
        "rpc-bind-address" = "0.0.0.0";
        "rpc-whitelist" = "127.0.0.1,192.168.*.*,172.16.*.*";
        "rpc-host-whitelist" = "void,192.168.*.*,172.16.*.*";
        "rpc-host-whitelist-enabled" = false;
        "port-forwarding-enabled" = true;
        "peer-port" = 50023;
        "peer-port-random-on-start" = false;
        "encryption" = 1;
        "lpd-enabled" = true; /* local peer discovery */
        "dht-enabled" = true; /* dht peer discovery in swarm */
        "pex-enabled" = true; /* peer exchange */
        /* ip blocklist */
        "blocklist-enabled" = true;
        "blocklist-updates-enabled" = true;
        "blocklist-url" = "https://github.com/Naunter/BT_BlockLists/raw/master/bt_blocklists.gz";
        /* download speed settings */
        # "speed-limit-down" = 1200;
        # "speed-limit-down-enabled" = false;
        # "speed-limit-up" = 500;
        # "speed-limit-up-enabled" = true;
        /* seeding limit */
        "ratio-limit" = 2;
        "ratio-limit-enabled" = true;
        "download-queue-enabled" = true;
        "download-queue-size" = 20; # gotta go fast
      };
    };
    users.groups.public_data.gid = 994;
    users.users.public_data = {
      isSystemUser = true;
      group = "public_data";
      uid = 994;
    };
  };
  # unpackerr
  # flaresolverr
  services.nginx.enable = true;
  services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767";
  services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878";
  services.nginx.virtualHosts."lidarr.s0".locations."/".proxyPass = "http://vpn.containers:8686";
  services.nginx.virtualHosts."sonarr.s0".locations."/".proxyPass = "http://vpn.containers:8989";
  services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696";
  services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533";
  services.nginx.virtualHosts."jellyfin.s0".locations."/" = {
    proxyPass = "http://vpn.containers:8096";
    proxyWebsockets = true;
  };
  services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
    proxyPass = "http://vpn.containers:8096";
    proxyWebsockets = true;
  };
  services.nginx.virtualHosts."transmission.s0".locations."/" = {
    proxyPass = "http://vpn.containers:9091";
    proxyWebsockets = true;
  };
  # tailscale
  services.tailscale.exitNode = true;
  nixpkgs.overlays = [
    (final: prev: {
      radarr = prev.radarr.overrideAttrs (old: rec {
        installPhase = ''
          runHook preInstall
          mkdir -p $out/{bin,share/${old.pname}-${old.version}}
          cp -r * $out/share/${old.pname}-${old.version}/.
          makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Radarr \
            --add-flags "$out/share/${old.pname}-${old.version}/Radarr.dll" \
            --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
              final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
          runHook postInstall
        '';
      });
      prowlarr = prev.prowlarr.overrideAttrs (old: {
        installPhase = ''
          runHook preInstall
          mkdir -p $out/{bin,share/${old.pname}-${old.version}}
          cp -r * $out/share/${old.pname}-${old.version}/.
          makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Prowlarr \
            --add-flags "$out/share/${old.pname}-${old.version}/Prowlarr.dll" \
            --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
              final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
          runHook postInstall
        '';
      });
      pykms = prev.pykms.overrideAttrs (old: {
        src = pkgs.fetchFromGitHub {
          owner = "Py-KMS-Organization";
          repo = "py-kms";
          rev = "7bea3a2cb03c4c3666ff41185ace9f7ea2a07b99";
          sha256 = "90DqMqPjfqfyRq86UzG9B/TjY+yclJBlggw+eIDgRe0=";
        };
      });
    })
  ];
 }
--- a/machines/storage/s0/fancontrol.rs
+++ b/machines/storage/s0/fancontrol.rs
@@ -1,47 +0,0 @@
 use std::cmp::{max, min};
 use std::path::PathBuf;
 use std::fs::{read_dir, read_to_string, write};
 use std::thread::sleep;
 use std::time::Duration;
 const MINTEMP : i32 = 50000;
 const MAXTEMP : i32 = 80000;
 const MINSTART : i32 = 60;
 const MINSTOP : i32 = 29;
 const MAXPWM : i32 = 255;
 fn adjust(fan: &PathBuf, sensor: &PathBuf) {
    let temp: i32 = read_to_string(sensor).unwrap().trim().parse().unwrap();
    let prev_pwm: i32 = read_to_string(fan).unwrap().trim().parse().unwrap();
    let mut pwm: i32;
    pwm = (temp - MINTEMP) * 255 / (MAXTEMP - MINTEMP);
    pwm = max(pwm, 0);
    if pwm > 0 {
        pwm = max(pwm, if prev_pwm < MINSTOP { MINSTART } else { MINSTOP });
        pwm = min(pwm, MAXPWM);
    }
    //println!("sensor: {}, pwm: {}", temp, pwm);
    write(fan, pwm.to_string()).unwrap();
 }
 fn main() {
    let mut fans = Vec::new();
    for hwmon_dir in ["/sys/devices/platform/p6-fan/hwmon", "/sys/devices/platform/p7-fan/hwmon"].iter() {
        for dir in read_dir(hwmon_dir).unwrap() {
            let mut p = dir.unwrap().path();
            p.push("pwm1");
            if p.exists() {
                fans.push(p)
            }
        }
    }
    let fans = fans;
    loop {
        for fan in &fans {
            adjust(fan, &PathBuf::from("/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input"))
        }
        sleep(Duration::from_secs(5));
    }
 }
--- a/machines/storage/s0/hardware-configuration.nix
+++ b/machines/storage/s0/hardware-configuration.nix
@@ -0,0 +1,58 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [
    "ahci"
    "usb_storage"
    "bcache"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  boot.initrd.luks.devices."enc-pv1" = {
    device = "/dev/disk/by-uuid/e3b588b6-d07f-4221-a194-e1e900299752";
    allowDiscards = true; # SSD
  };
  boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/514231c1-5934-401f-80e1-e3b6b62dc9d5";
  boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/f45abe73-d0c6-446f-b28c-7a96a3f87851";
  boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
  boot.initrd.luks.devices."enc-pv5".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
  boot.initrd.luks.devices."enc-pvUSB" = {
    device = "/dev/disk/by-uuid/c8e18f86-a950-4e4e-8f3c-366cc78db29b";
    allowDiscards = true; # SSD
  };
  fileSystems."/" =
    { device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5:/dev/mapper/enc-pvUSB";
      fsType = "bcachefs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/8F7E-53C4";
      fsType = "vfat";
    };
  swapDevices = [
    {
      device = "/dev/mmcblk1p2";
      randomEncryption.enable = true;
    }
  ];
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = lib.mkDefault false;
  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
  networking.interfaces.eth1.useDHCP = lib.mkDefault true;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/machines/storage/s0/helios64.nix
+++ b/machines/storage/s0/helios64.nix
@@ -1,42 +0,0 @@
 { pkgs, lib, ... }:
 {
  # Fan speed adjustment
  systemd.services.fans = {
    wantedBy = ["multi-user.target"];
    serviceConfig.ExecStart = pkgs.runCommandCC "fans" { nativeBuildInputs = [ pkgs.rustc ]; } ''
      rustc ${./fancontrol.rs} -o $out
    '';
    serviceConfig.Restart = "always";
  };
  boot = {
    kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./kernel.nix {});
    #kernelPackages = pkgs.linuxPackages_latest;
    kernelParams = ["panic=3" "boot.shell_on_fail"];
    loader.grub.enable = false;
    loader.generic-extlinux-compatible.enable = true;
    initrd.postDeviceCommands = ''
      (
      cd /sys/bus/platform/drivers/sdhci-arasan
      while true; do
        test -e fe330000.sdhci/mmc_host/mmc*/mmc*/block && break
        echo fe330000.sdhci > unbind
        echo fe330000.sdhci > bind
        sleep 1
      done
      )
    '';
  };
  systemd.services.disable-offload = {
    wantedBy = ["sys-devices-platform-fe300000.ethernet-net-eth0.device" "multi-user.targtet"];
    after = ["sys-devices-platform-fe300000.ethernet-net-eth0.device"];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.ethtool}/bin/ethtool --offload eth0 tx off";
      Restart = "on-failure";
      RestartSec = "10";
    };
  };
 }
--- a/machines/storage/s0/helios64/README.md
+++ b/machines/storage/s0/helios64/README.md
@@ -0,0 +1,62 @@
 Kobol Helios64
 ==============
 The `default.nix` module provides the required setup for the system to work.
 The `recommended.nix` module adds recommended settings for the system.
 Status
 ------
 ### Works
 - SATA hard drives
 - Ethernet (1gbps)
 - Serial through USB type-c (`ttyS2`)
 ### Untested
 - Ethernet (2.5gbps)
 - DP video out
 - UPS behaviour
 - `rootfs` on SATA drives
 ### Disabled
 Due to misbehaviour, `ttyS0` (`&uart0`, `serial@ff180000`) has been disabled
 via a kernel patch.
 Without this change, using, or attempting to use `ttyS0` will break serial
 output from `ttyS2`.
 Kernel
 ------
 Only Linux 5.10 (LTS) is supported, using the patch set derived from Armbian.
 Requirements
 ------------
 A *platform firmware* needs to be provided out of band for the system.
 The author recommends Tow-Boot, for which a [draft pull request](https://github.com/Tow-Boot/Tow-Boot/pull/54)
 adds support for the Helios64.
 Any other supported *platform firmware* should work too.
 > **NOTE**: at the time of writing (2021-10-10) the *platform firmware*
 > **must** make use of the proprietary ram training. The open source equivalent
 > will make the system unstable, and worse, will cause silent memory
 > corruption, in addition to loud memory corruption.
 Notes
 -----
 ### Baud rate
 The serial baud rate is configured for `115200`, which is a more common default
 than the usual for Rockchip at `1500000`. See [the rationale for the decision](https://github.com/Tow-Boot/Tow-Boot/pull/33).
--- a/machines/storage/s0/helios64/default.nix
+++ b/machines/storage/s0/helios64/default.nix
@@ -0,0 +1,27 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./modules/fancontrol.nix
    ./modules/heartbeat.nix
    ./modules/ups.nix
  ];
  boot.kernelParams = lib.mkAfter [
    "console=ttyS2,115200n8"
    "earlycon=uart8250,mmio32,0xff1a0000"
  ];
  # Required for rootfs on sata
  boot.initrd.availableKernelModules = [
    "pcie-rockchip-host" # required for rootfs on pcie sata disks
    "phy-rockchip-pcie" # required for rootfs on pcie sata disks
    "phy-rockchip-usb" # maybe not needed
    "uas" # required for rootfs on USB 3.0 sata disks
  ];
  # bcachefs kernel is 5.15. but need patches that are only in 5.16+
  # Patch the device tree to add support for getting the cpu thermal temp
  hardware.deviceTree.enable = true;
  hardware.deviceTree.kernelPackage = pkgs.linux_latest;
 }
--- a/machines/storage/s0/helios64/modules/bsp/90-helios64-hwmon.rules
+++ b/machines/storage/s0/helios64/modules/bsp/90-helios64-hwmon.rules
@@ -0,0 +1,23 @@
 # Helios64 persistent hwmon
 ACTION=="remove", GOTO="helios64_hwmon_end"
 #
 KERNELS=="fan1", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p6", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
 KERNELS=="fan2", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p7", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
 KERNELS=="2-004c", SUBSYSTEMS=="i2c", DRIVERS=="lm75", ENV{IS_HELIOS64_HWMON}="1"
 SUBSYSTEM!="hwmon", GOTO="helios64_hwmon_end"
 ENV{HWMON_PATH}="/sys%p"
 #
 ATTR{name}=="cpu_thermal", ENV{IS_HELIOS64_HWMON}="1", ENV{HELIOS64_SYMLINK}="/dev/thermal-cpu"
 #
 ENV{IS_HELIOS64_HWMON}=="1", ATTR{name}=="lm75", ENV{HELIOS64_SYMLINK}="/dev/thermal-board"
 ENV{_IS_HELIOS64_FAN_}=="1", ENV{HELIOS64_SYMLINK}="/dev/fan-$env{_HELIOS64_FAN_}"
 #
 ENV{IS_HELIOS64_HWMON}=="1", RUN+="/bin/ln -sf $env{HWMON_PATH} $env{HELIOS64_SYMLINK}"
 LABEL="helios64_hwmon_end"
--- a/machines/storage/s0/helios64/modules/bsp/90-helios64-ups.rules
+++ b/machines/storage/s0/helios64/modules/bsp/90-helios64-ups.rules
@@ -0,0 +1,11 @@
 ACTION=="add", GOTO="helios64_ups_end"
 ACTION=="remove", GOTO="helios64_ups_end"
 # Power loss event
 ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTRS{online}=="0", RUN+="/usr/bin/systemctl start helios64-ups.timer"
 # Power restore event
 ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTRS{online}=="1", RUN+="/usr/bin/systemctl stop helios64-ups.timer"
 LABEL="helios64_ups_end"
--- a/machines/storage/s0/helios64/modules/fancontrol.nix
+++ b/machines/storage/s0/helios64/modules/fancontrol.nix
@@ -0,0 +1,41 @@
 { pkgs, ... }:
 {
  hardware.fancontrol.enable = true;
  hardware.fancontrol.config = ''
    # Helios64 PWM Fan Control Configuration
    # Temp source : /dev/thermal-cpu
    INTERVAL=10
    FCTEMPS=/dev/fan-p6/pwm1=/dev/thermal-cpu/temp1_input /dev/fan-p7/pwm1=/dev/thermal-cpu/temp1_input
    MINTEMP=/dev/fan-p6/pwm1=40 /dev/fan-p7/pwm1=40
    MAXTEMP=/dev/fan-p6/pwm1=80 /dev/fan-p7/pwm1=80
    MINSTART=/dev/fan-p6/pwm1=60 /dev/fan-p7/pwm1=60
    MINSTOP=/dev/fan-p6/pwm1=29 /dev/fan-p7/pwm1=29
    MINPWM=20
  '';
  services.udev.packages = [
    # Fan control
    (pkgs.callPackage (
      { stdenv, lib, coreutils }:
      stdenv.mkDerivation {
        name = "helios64-udev-fancontrol";
        dontUnpack = true;
        dontBuild = true;
        installPhase = ''
          mkdir -p "$out/etc/udev/rules.d/";
          install -Dm644 "${./bsp/90-helios64-hwmon.rules}" \
            "$out/etc/udev/rules.d/90-helios64-hwmon.rules"
          substituteInPlace "$out/etc/udev/rules.d/90-helios64-hwmon.rules" \
            --replace '/bin/ln'  '${lib.getBin coreutils}/bin/ln'
        '';
        meta = with lib; {
          description = "Udev rules for fancontrol for the Helios64";
          platforms = platforms.linux;
        };
      }
    ) {})
  ];
 }
--- a/machines/storage/s0/helios64/modules/heartbeat.nix
+++ b/machines/storage/s0/helios64/modules/heartbeat.nix
@@ -0,0 +1,22 @@
 { pkgs, lib, ... }:
 {
  systemd.services.heartbeat = {
    enable = true;
    description = "Enable heartbeat & network activity led on Helios64";
    serviceConfig = {
      Type = "oneshot";
      ExecStart = ''
        ${lib.getBin pkgs.bash}/bin/bash -c 'echo heartbeat | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:green\\:status/trigger'
        # this led is not supported yet in the kernel i'm using
        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo netdev | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/trigger'
        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo eth0 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/device_name'
        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/link'
        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/rx'
        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/tx'
      '';
    };
    after = [ "getty.target" ];
    wantedBy = [ "multi-user.target" ];
  };
 }
--- a/machines/storage/s0/helios64/modules/ups.nix
+++ b/machines/storage/s0/helios64/modules/ups.nix
@@ -0,0 +1,51 @@
 { pkgs, ... }:
 {
  systemd.services.helios64-ups = {
    enable = true;
    description = "Helios64 UPS Action";
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.systemd}/bin/poweroff";
    };
  };
  systemd.timers.helios64-ups = {
    enable = true;
    description = "Helios64 UPS Shutdown timer on power loss";
    # disabling the timer by default. Even though armbian enaled
    # the timer by default through this, we don't, as we can't
    # rely on the udev rules to disable it after a system switch.
    # wantedBy = [ "multi-user.target" ];
    timerConfig = {
      OnActiveSec = "10m";
      AccuracySec = "1s";
      Unit = "helios64-ups.service";
    };
  };
  # The udev rule that will trigger the above service.
  services.udev.packages = [
    (pkgs.callPackage (
      { stdenv, lib, coreutils, systemd }:
      stdenv.mkDerivation {
          name = "helios64-udev-ups";
          dontUnpack = true;
          dontBuild = true;
          installPhase = ''
              mkdir -p "$out/etc/udev/rules.d/";
              install -Dm644 "${./bsp/90-helios64-ups.rules}" \
                "$out/etc/udev/rules.d/90-helios64-ups.rules"
              substituteInPlace "$out/etc/udev/rules.d/90-helios64-ups.rules" \
                  --replace '/bin/ln'  '${lib.getBin coreutils}/bin/ln' \
                  --replace '/usr/bin/systemctl' '${lib.getBin systemd}/bin/systemctl'
          '';
          meta = with lib; {
              description = "Udev rules for UPS for the Helios64";
              platforms = platforms.linux;
          };
      }
    ) {})
  ];
 }
--- a/machines/storage/s0/helios64/recommended.nix
+++ b/machines/storage/s0/helios64/recommended.nix
@@ -0,0 +1,8 @@
 { lib, ... }:
 {
  # Since 20.03, you must explicitly specify to use dhcp on an interface
  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
  # Helps with 4GiB of RAM
  zramSwap.enable = lib.mkDefault true;
 }
--- a/machines/storage/s0/kernel.nix
+++ b/machines/storage/s0/kernel.nix
--- a/machines/storage/s0/patches/kernel/09e006cfb43e8ec38afe28278b210dab72e6cac8.patch
+++ b/machines/storage/s0/patches/kernel/09e006cfb43e8ec38afe28278b210dab72e6cac8.patch
@@ -1,437 +0,0 @@
 From 09e006cfb43e8ec38afe28278b210dab72e6cac8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uwe@kleine-koenig.org>
 Date: Wed, 14 Oct 2020 22:00:30 +0200
 Subject: arm64: dts: rockchip: Add basic support for Kobol's Helios64
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The hardware is described in detail on Kobol's wiki at
 https://wiki.kobol.io/helios64/intro/.
 Up to now the following peripherals are working:
 - UART
 - Micro-SD card
 - eMMC
 - ethernet port 1
 - status LED
 - temperature sensor on i2c bus 2
 Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
 Link: https://lore.kernel.org/r/20201014200030.845759-3-uwe@kleine-koenig.org
 Signed-off-by: Heiko Stuebner <heiko@sntech.de>
 ---
 arch/arm64/boot/dts/rockchip/Makefile              |   1 +
 .../boot/dts/rockchip/rk3399-kobol-helios64.dts    | 372 +++++++++++++++++++++
 2 files changed, 373 insertions(+)
 create mode 100644 arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
 diff --git a/arch/arm64/boot/dts/rockchip/Makefile b/arch/arm64/boot/dts/rockchip/Makefile
 index 26661c7b736b7..28b26a874313e 100644
 --- a/arch/arm64/boot/dts/rockchip/Makefile
 +++ b/arch/arm64/boot/dts/rockchip/Makefile
@@ -26,6 +26,7 @@ dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-hugsun-x99.dtb
 dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-khadas-edge.dtb
 dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-khadas-edge-captain.dtb
 dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-khadas-edge-v.dtb
 +dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-kobol-helios64.dtb
 dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-leez-p710.dtb
 dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-nanopc-t4.dtb
 dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-nanopi-m4.dtb
 diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
 new file mode 100644
 index 0000000000000..2a561be724b22
 --- /dev/null
 +++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
@@ -0,0 +1,387 @@
 +// SPDX-License-Identifier: (GPL-2.0+ OR MIT)
 +/*
 + * Copyright (c) 2020 Aditya Prayoga <aditya@kobol.io>
 + */
 +
 +/*
 + * The Kobol Helios64 is a board designed to operate as a NAS and optionally
 + * ships with an enclosing that can host five 2.5" hard disks.
 + *
 + * See https://wiki.kobol.io/helios64/intro/ for further details.
 + */
 +
 +/dts-v1/;
 +#include "rk3399.dtsi"
 +#include "rk3399-opp.dtsi"
 +
 +/ {
 +	model = "Kobol Helios64";
 +	compatible = "kobol,helios64", "rockchip,rk3399";
 +
 +	avdd_1v8_s0: avdd-1v8-s0 {
 +		compatible = "regulator-fixed";
 +		regulator-name = "avdd_1v8_s0";
 +		regulator-always-on;
 +		regulator-boot-on;
 +		regulator-min-microvolt = <1800000>;
 +		regulator-max-microvolt = <1800000>;
 +		vin-supply = <&vcc3v3_sys_s3>;
 +	};
 +
 +	clkin_gmac: external-gmac-clock {
 +		compatible = "fixed-clock";
 +		clock-frequency = <125000000>;
 +		clock-output-names = "clkin_gmac";
 +		#clock-cells = <0>;
 +	};
 +
 +	leds {
 +		compatible = "gpio-leds";
 +		pinctrl-names = "default";
 +		pinctrl-0 = <&sys_grn_led_on &sys_red_led_on>;
 +
 +		led-0 {
 +			label = "helios64:green:status";
 +			gpios = <&gpio0 RK_PB4 GPIO_ACTIVE_HIGH>;
 +			default-state = "on";
 +		};
 +
 +		led-1 {
 +			label = "helios64:red:fault";
 +			gpios = <&gpio0 RK_PB5 GPIO_ACTIVE_HIGH>;
 +			default-state = "keep";
 +		};
 +	};
 +
 +	vcc1v8_sys_s0: vcc1v8-sys-s0 {
 +		compatible = "regulator-fixed";
 +		regulator-name = "vcc1v8_sys_s0";
 +		regulator-always-on;
 +		regulator-boot-on;
 +		regulator-min-microvolt = <1800000>;
 +		regulator-max-microvolt = <1800000>;
 +		vin-supply = <&vcc1v8_sys_s3>;
 +	};
 +
 +	vcc3v0_sd: vcc3v0-sd {
 +		compatible = "regulator-fixed";
 +		enable-active-high;
 +		gpio = <&gpio0 RK_PA1 GPIO_ACTIVE_HIGH>;
 +		regulator-name = "vcc3v0_sd";
 +		regulator-boot-on;
 +		regulator-min-microvolt = <3000000>;
 +		regulator-max-microvolt = <3000000>;
 +		pinctrl-names = "default";
 +		pinctrl-0 = <&sdmmc0_pwr_h>;
 +		vin-supply = <&vcc3v3_sys_s3>;
 +	};
 +
 +	vcc3v3_sys_s3: vcc_lan: vcc3v3-sys-s3 {
 +		compatible = "regulator-fixed";
 +		regulator-name = "vcc3v3_sys_s3";
 +		regulator-always-on;
 +		regulator-boot-on;
 +		regulator-min-microvolt = <3300000>;
 +		regulator-max-microvolt = <3300000>;
 +		vin-supply = <&vcc5v0_sys>;
 +
 +		regulator-state-mem {
 +			regulator-on-in-suspend;
 +		};
 +	};
 +
 +	vcc5v0_sys: vcc5v0-sys {
 +		compatible = "regulator-fixed";
 +		regulator-name = "vcc5v0_sys";
 +		regulator-always-on;
 +		regulator-boot-on;
 +		regulator-min-microvolt = <5000000>;
 +		regulator-max-microvolt = <5000000>;
 +		vin-supply = <&vcc12v_dcin_bkup>;
 +
 +		regulator-state-mem {
 +			regulator-on-in-suspend;
 +		};
 +	};
 +
 +	vcc12v_dcin: vcc12v-dcin {
 +		compatible = "regulator-fixed";
 +		regulator-name = "vcc12v_dcin";
 +		regulator-always-on;
 +		regulator-boot-on;
 +		regulator-min-microvolt = <12000000>;
 +		regulator-max-microvolt = <12000000>;
 +	};
 +
 +	vcc12v_dcin_bkup: vcc12v-dcin-bkup {
 +		compatible = "regulator-fixed";
 +		regulator-name = "vcc12v_dcin_bkup";
 +		regulator-always-on;
 +		regulator-boot-on;
 +		regulator-min-microvolt = <12000000>;
 +		regulator-max-microvolt = <12000000>;
 +		vin-supply = <&vcc12v_dcin>;
 +	};
 +};
 +
 +/*
 + * The system doesn't run stable with cpu freq enabled, so disallow the lower
 + * frequencies until this problem is properly understood and resolved.
 + */
 +&cluster0_opp {
 +	/delete-node/ opp00;
 +	/delete-node/ opp01;
 +	/delete-node/ opp02;
 +	/delete-node/ opp03;
 +	/delete-node/ opp04;
 +};
 +
 +&cluster1_opp {
 +	/delete-node/ opp00;
 +	/delete-node/ opp01;
 +	/delete-node/ opp02;
 +	/delete-node/ opp03;
 +	/delete-node/ opp04;
 +	/delete-node/ opp05;
 +	/delete-node/ opp06;
 +};
 +
 +&cpu_b0 {
 +	cpu-supply = <&vdd_cpu_b>;
 +};
 +
 +&cpu_b1 {
 +	cpu-supply = <&vdd_cpu_b>;
 +};
 +
 +&cpu_l0 {
 +	cpu-supply = <&vdd_cpu_l>;
 +};
 +
 +&cpu_l1 {
 +	cpu-supply = <&vdd_cpu_l>;
 +};
 +
 +&cpu_l2 {
 +	cpu-supply = <&vdd_cpu_l>;
 +};
 +
 +&cpu_l3 {
 +	cpu-supply = <&vdd_cpu_l>;
 +};
 +
 +&emmc_phy {
 +	status = "okay";
 +};
 +
 +&gmac {
 +	assigned-clock-parents = <&clkin_gmac>;
 +	assigned-clocks = <&cru SCLK_RMII_SRC>;
 +	clock_in_out = "input";
 +	phy-mode = "rgmii";
 +	phy-supply = <&vcc_lan>;
 +	pinctrl-names = "default";
 +	pinctrl-0 = <&rgmii_pins &gphy_reset>;
 +	rx_delay = <0x20>;
 +	tx_delay = <0x28>;
 +	snps,reset-active-low;
 +	snps,reset-delays-us = <0 10000 50000>;
 +	snps,reset-gpio = <&gpio3 RK_PB7 GPIO_ACTIVE_LOW>;
 +	status = "okay";
 +};
 +
 +&i2c0 {
 +	clock-frequency = <400000>;
 +	i2c-scl-rising-time-ns = <168>;
 +	i2c-scl-falling-time-ns = <4>;
 +	status = "okay";
 +
 +	rk808: pmic@1b {
 +		compatible = "rockchip,rk808";
 +		reg = <0x1b>;
 +		interrupt-parent = <&gpio0>;
 +		interrupts = <10 IRQ_TYPE_LEVEL_LOW>;
 +		clock-output-names = "xin32k", "rk808-clkout2";
 +		pinctrl-names = "default";
 +		pinctrl-0 = <&pmic_int_l>;
 +		vcc1-supply = <&vcc5v0_sys>;
 +		vcc2-supply = <&vcc5v0_sys>;
 +		vcc3-supply = <&vcc5v0_sys>;
 +		vcc4-supply = <&vcc5v0_sys>;
 +		vcc6-supply = <&vcc5v0_sys>;
 +		vcc7-supply = <&vcc5v0_sys>;
 +		vcc8-supply = <&vcc3v3_sys_s3>;
 +		vcc9-supply = <&vcc5v0_sys>;
 +		vcc10-supply = <&vcc5v0_sys>;
 +		vcc11-supply = <&vcc5v0_sys>;
 +		vcc12-supply = <&vcc3v3_sys_s3>;
 +		vddio-supply = <&vcc3v0_s3>;
 +		wakeup-source;
 +		#clock-cells = <1>;
 +
 +		regulators {
 +			vdd_cpu_l: DCDC_REG2 {
 +				regulator-name = "vdd_cpu_l";
 +				regulator-always-on;
 +				regulator-boot-on;
 +				regulator-min-microvolt = <750000>;
 +				regulator-max-microvolt = <1350000>;
 +				regulator-ramp-delay = <6001>;
 +
 +				regulator-state-mem {
 +					regulator-off-in-suspend;
 +				};
 +			};
 +
 +			vcc1v8_sys_s3: DCDC_REG4 {
 +				regulator-name = "vcc1v8_sys_s3";
 +				regulator-always-on;
 +				regulator-boot-on;
 +				regulator-min-microvolt = <1800000>;
 +				regulator-max-microvolt = <1800000>;
 +
 +				regulator-state-mem {
 +					regulator-on-in-suspend;
 +					regulator-suspend-microvolt = <1800000>;
 +				};
 +			};
 +
 +			vcc_sdio_s0: LDO_REG4 {
 +				regulator-name = "vcc_sdio_s0";
 +				regulator-always-on;
 +				regulator-boot-on;
 +				regulator-min-microvolt = <1800000>;
 +				regulator-max-microvolt = <3000000>;
 +
 +				regulator-state-mem {
 +					regulator-on-in-suspend;
 +					regulator-suspend-microvolt = <3000000>;
 +				};
 +			};
 +
 +			vcc3v0_s3: LDO_REG8 {
 +				regulator-name = "vcc3v0_s3";
 +				regulator-always-on;
 +				regulator-boot-on;
 +				regulator-min-microvolt = <3000000>;
 +				regulator-max-microvolt = <3000000>;
 +
 +				regulator-state-mem {
 +					regulator-on-in-suspend;
 +					regulator-suspend-microvolt = <3000000>;
 +				};
 +			};
 +		};
 +	};
 +
 +	vdd_cpu_b: regulator@40 {
 +		compatible = "silergy,syr827";
 +		reg = <0x40>;
 +		fcs,suspend-voltage-selector = <1>;
 +		regulator-name = "vdd_cpu_b";
 +		regulator-always-on;
 +		regulator-boot-on;
 +		regulator-min-microvolt = <712500>;
 +		regulator-max-microvolt = <1500000>;
 +		regulator-ramp-delay = <1000>;
 +		vin-supply = <&vcc5v0_sys>;
 +
 +		regulator-state-mem {
 +			regulator-off-in-suspend;
 +		};
 +	};
 +};
 +
 +&i2c2 {
 +	clock-frequency = <400000>;
 +	i2c-scl-rising-time-ns = <160>;
 +	i2c-scl-falling-time-ns = <30>;
 +	status = "okay";
 +
 +	temp@4c {
 +		compatible = "national,lm75";
 +		reg = <0x4c>;
 +	};
 +};
 +
 +&io_domains {
 +	audio-supply = <&vcc1v8_sys_s0>;
 +	bt656-supply = <&vcc1v8_sys_s0>;
 +	gpio1830-supply = <&vcc3v0_s3>;
 +	sdmmc-supply = <&vcc_sdio_s0>;
 +	status = "okay";
 +};
 +
 +&pcie0 {
 +	num-lanes = <2>;
 +	max-link-speed = <2>;
 +	pinctrl-names = "default";
 +	pinctrl-0 = <&pcie_prst &pcie_clkreqn_cpm>;
 +	vpcie12v-supply = <&vcc12v_dcin>;
 +	vpcie3v3-supply = <&pcie_power>;
 +	vpcie1v8-supply = <&avdd_1v8_s0>;
 +	vpcie0v9-supply = <&avdd_0v9_s0>;
 +	status = "okay";
 +};
 +
 +&pcie_phy {
 +	status = "okay";
 +};
 +
 +&pinctrl {
 +	gmac {
 +		gphy_reset: gphy-reset {
 +			rockchip,pins = <3 RK_PB7 RK_FUNC_GPIO &pcfg_output_low>;
 +		};
 +	};
 +
 +	leds {
 +		sys_grn_led_on: sys-grn-led-on {
 +			rockchip,pins = <0 RK_PB4 RK_FUNC_GPIO &pcfg_pull_down>;
 +		};
 +
 +		sys_red_led_on: sys-red-led-on {
 +			rockchip,pins = <0 RK_PB5 RK_FUNC_GPIO &pcfg_pull_down>;
 +		};
 +	};
 +
 +	pmic {
 +		pmic_int_l: pmic-int-l {
 +			rockchip,pins = <0 RK_PB2 RK_FUNC_GPIO &pcfg_pull_up>;
 +		};
 +	};
 +
 +	vcc3v0-sd {
 +		sdmmc0_pwr_h: sdmmc0-pwr-h {
 +			rockchip,pins = <0 RK_PA1 RK_FUNC_GPIO &pcfg_pull_up>;
 +		};
 +	};
 +};
 +
 +&pmu_io_domains {
 +	pmu1830-supply = <&vcc3v0_s3>;
 +	status = "okay";
 +};
 +
 +&sdhci {
 +	bus-width = <8>;
 +	mmc-hs200-1_8v;
 +	non-removable;
 +	vqmmc-supply = <&vcc1v8_sys_s0>;
 +	status = "okay";
 +};
 +
 +&sdmmc {
 +	bus-width = <4>;
 +	cap-sd-highspeed;
 +	cd-gpios = <&gpio0 RK_PA7 GPIO_ACTIVE_LOW>;
 +	disable-wp;
 +	pinctrl-names = "default";
 +	pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_cd &sdmmc_bus4>;
 +	vmmc-supply = <&vcc3v0_sd>;
 +	vqmmc-supply = <&vcc_sdio_s0>;
 +	status = "okay";
 +};
 +
 +&uart2 {
 +	status = "okay";
 +};
 --
 cgit 1.2.3-1.el7
--- a/machines/storage/s0/patches/kernel/115200baud.patch
+++ b/machines/storage/s0/patches/kernel/115200baud.patch
@@ -1,14 +0,0 @@
 diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
 index 714616618..b1fb824f3 100644
 --- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
 +++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
@@ -16,6 +16,11 @@
 	compatible = "kobol,helios64", "rockchip,rk3399";
 +	chosen {
 +		bootargs = "earlycon=uart8250,mmio32,0xff1a0000 earlyprintk";
 +		stdout-path = "serial2:115200n8";
 +	};
 +
 	adc-keys {
 		compatible = "adc-keys";
--- a/machines/storage/s0/patches/kernel/62dbf80fc581a8eed7288ed7aca24446054eb616.patch
+++ b/machines/storage/s0/patches/kernel/62dbf80fc581a8eed7288ed7aca24446054eb616.patch
@@ -1,38 +0,0 @@
 From 62dbf80fc581a8eed7288ed7aca24446054eb616 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uwe@kleine-koenig.org>
 Date: Mon, 2 Nov 2020 16:06:58 +0100
 Subject: dt-bindings: arm: rockchip: Add Kobol Helios64
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Document the new board by Kobol introduced recently in
 rockchip/rk3399-kobol-helios64.dts.
 Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
 Acked-by: Rob Herring <robh@kernel.org>
 Link: https://lore.kernel.org/r/20201102150658.167161-1-uwe@kleine-koenig.org
 Signed-off-by: Heiko Stuebner <heiko@sntech.de>
 ---
 Documentation/devicetree/bindings/arm/rockchip.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/Documentation/devicetree/bindings/arm/rockchip.yaml b/Documentation/devicetree/bindings/arm/rockchip.yaml
 index 65b4cc2c63f7c..70fa4d98db564 100644
 --- a/Documentation/devicetree/bindings/arm/rockchip.yaml
 +++ b/Documentation/devicetree/bindings/arm/rockchip.yaml
@@ -381,6 +381,11 @@ properties:
               - khadas,edge-v
           - const: rockchip,rk3399
 +      - description: Kobol Helios64
 +        items:
 +          - const: kobol,helios64
 +          - const: rockchip,rk3399
 +
       - description: Mecer Xtreme Mini S6
         items:
           - const: mecer,xms6
 -- 
 cgit 1.2.3-1.el7
--- a/machines/storage/s0/patches/kernel/add-board-helios64.patch
+++ b/machines/storage/s0/patches/kernel/add-board-helios64.patch
--- a/machines/storage/s0/patches/kernel/fa67f2817ff2c9bb07472d30e58d904922f1a538.patch
+++ b/machines/storage/s0/patches/kernel/fa67f2817ff2c9bb07472d30e58d904922f1a538.patch
@@ -1,34 +0,0 @@
 From fa67f2817ff2c9bb07472d30e58d904922f1a538 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uwe@kleine-koenig.org>
 Date: Wed, 14 Oct 2020 22:00:29 +0200
 Subject: dt-bindings: vendor-prefixes: Add kobol prefix
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The prefix is already used in arm/armada-388-helios4.dts.
 Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
 Acked-by: Rob Herring <robh@kernel.org>
 Link: https://lore.kernel.org/r/20201014200030.845759-2-uwe@kleine-koenig.org
 Signed-off-by: Heiko Stuebner <heiko@sntech.de>
 ---
 Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml
 index 2735be1a84709..259faf1b382c0 100644
 --- a/Documentation/devicetree/bindings/vendor-prefixes.yaml
 +++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml
@@ -553,6 +553,8 @@ patternProperties:
     description: Kionix, Inc.
   "^kobo,.*":
     description: Rakuten Kobo Inc.
 +  "^kobol,.*":
 +    description: Kobol Innovations Pte. Ltd.
   "^koe,.*":
     description: Kaohsiung Opto-Electronics Inc.
   "^kontron,.*":
 -- 
 cgit 1.2.3-1.el7
--- a/machines/storage/s0/patches/kernel/helios64-remove-pcie-ep-gpios.patch
+++ b/machines/storage/s0/patches/kernel/helios64-remove-pcie-ep-gpios.patch
@@ -1,25 +0,0 @@
 From e7e9a3a959927094d59b67f46ecc1c5d50190ce8 Mon Sep 17 00:00:00 2001
 From: Aditya Prayoga <aditya@kobol.io>
 Date: Tue, 15 Sep 2020 13:42:02 +0700
 Subject: [PATCH] Remove PCIE ep-gpios from Helios64
 Signed-off-by: Aditya Prayoga <aditya@kobol.io>
 ---
 arch/arm64/boot/dts/rockchip/rk3399-helios64.dts | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
 index c065ba82d..002c93912 100644
 --- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
 +++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
@@ -721,7 +721,6 @@
 };
 &pcie0 {
 -	ep-gpios = <&gpio2 RK_PD4 GPIO_ACTIVE_HIGH>;
 	num-lanes = <2>;
 	max-link-speed = <2>;
 	pinctrl-names = "default";
 --
 Created with Armbian build tools https://github.com/armbian/build
--- a/machines/storage/s0/patches/kernel/rk3399-pci-rockchip-support-ep-gpio-undefined-case.patch
+++ b/machines/storage/s0/patches/kernel/rk3399-pci-rockchip-support-ep-gpio-undefined-case.patch
@@ -1,29 +0,0 @@
 From 002593cfe8fc7539a6aa2dfb246d832e0b8b8516 Mon Sep 17 00:00:00 2001
 From: Aditya Prayoga <aditya@kobol.io>
 Date: Tue, 15 Sep 2020 13:29:45 +0700
 Subject: [PATCH] PCI: rockchip: support ep-gpio undefined case
 Signed-off-by: Aditya Prayoga <aditya@kobol.io>
 ---
 drivers/pci/controller/pcie-rockchip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/drivers/pci/controller/pcie-rockchip.c b/drivers/pci/controller/pcie-rockchip.c
 index c53d1322a..e4f42591d 100644
 --- a/drivers/pci/controller/pcie-rockchip.c
 +++ b/drivers/pci/controller/pcie-rockchip.c
@@ -119,9 +119,9 @@ int rockchip_pcie_parse_dt(struct rockchip_pcie *rockchip)
 	}
 	if (rockchip->is_rc) {
 -		rockchip->ep_gpio = devm_gpiod_get(dev, "ep", GPIOD_OUT_HIGH);
 +		rockchip->ep_gpio = devm_gpiod_get_optional(dev, "ep", GPIOD_OUT_HIGH);
 		if (IS_ERR(rockchip->ep_gpio)) {
 -			dev_err(dev, "missing ep-gpios property in node\n");
 +			dev_err(dev, "invalid ep-gpios property in node\n");
 			return PTR_ERR(rockchip->ep_gpio);
 		}
 	}
 -- 
 Created with Armbian build tools https://github.com/armbian/build
--- a/machines/storage/s0/patches/uboot/115200baud.patch
+++ b/machines/storage/s0/patches/uboot/115200baud.patch
@@ -1,21 +0,0 @@
 From efb3ec2ca3a88530d45c593f051ec53f80a4c4d8 Mon Sep 17 00:00:00 2001
 From: Moritz Angermann <moritz.angermann@gmail.com>
 Date: Fri, 4 Dec 2020 17:00:03 +0800
 Subject: [PATCH] Update rk3399-helios64-u-boot.dtsi
 ---
 arch/arm/dts/rk3399-kobol-helios64-u-boot.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/arch/arm/dts/rk3399-kobol-helios64-u-boot.dtsi b/arch/arm/dts/rk3399-kobol-helios64-u-boot.dtsi
 index 27ea5eaa971..3a260c7e126 100644
 --- a/arch/arm/dts/rk3399-kobol-helios64-u-boot.dtsi
 +++ b/arch/arm/dts/rk3399-kobol-helios64-u-boot.dtsi
@@ -16,7 +16,7 @@
 	chosen {
 		bootargs = "earlycon=uart8250,mmio32,0xff1a0000 earlyprintk";
 -		stdout-path = "serial2:1500000n8";
 +		stdout-path = "serial2:115200n8";
 		u-boot,spl-boot-order = "same-as-spl", &spiflash, &sdmmc, &sdhci;
 	};
--- a/machines/storage/s0/patches/uboot/add-board-helios64.patch
+++ b/machines/storage/s0/patches/uboot/add-board-helios64.patch
--- a/secrets/cloudflared-navidrome.json.age
+++ b/secrets/cloudflared-navidrome.json.age
@@ -0,0 +1,37 @@
 age-encryption.org/v1
 -> ssh-ed25519 xoAm7w 6LPdjXDINKLmWzBbhs/gcQQnJTqePJAGVWX5YhwibHA
 5O06D+H2KbLtueFoKNVIgFYlBeJimTL2Mk5S3biEKdw
 -> ssh-ed25519 mbw8xA Ubq0SL3E410a1+3z2jZ6KFi6+tqNbqG7En0moLx+B1A
 EWhz0Q4UWJDEwt1jYrX0udCdflA7unlYhddCg2vJpXA
 -> ssh-ed25519 N240Tg 9UOgws8kFmAABuG68rjq9vNDLbBJa8pFOAnqtSsObm0
 CWJLwZEVg4mK5DjDSXoDnHt51WTQ9WAka0sCM78bg7o
 -> ssh-ed25519 2a2Yhw +xRtdu4UdGfIFkoLTQxBkkitPOKMcJJKepcvCGofaRI
 qFjGwGjta954LgzVFCPOTmzbGO7ApEpIo88+dnLOA5s
 -> ssh-ed25519 dMQYog wWsB7E4PjFCh44K2t65IVG2uOMJMyCDu4RyoMgbreQY
 iFuu7dgxBzBTqt0iecUCt2avL7i6PQ7pf1rSRrsJo/I
 -> ssh-ed25519 G2eSCQ mlVuEjjG1ZZbeRZ+mPPxIkEjNnzbRjvBQz7gBEUL+lg
 1+8DUKJNvUxIpwIDEV6xRoI66Xgt4Z2YqtPA3hk/804
 -> ssh-ed25519 6AT2/g n4A59l+hQA9jsQaM8ONFxp91c7jLN+bljIoNrRaSZlQ
 lwmGQF1+dviOSkHGTg2pbSiHaDmhWSvav5XfUeaXDYE
 -> ssh-ed25519 yHDAQw ACe/PrRD6xPh04w8WIPTpb5f051BmhaxD01u2YK82AM
 itYUUUS1+aJ+lZ2IIwys1shG2GQWrF3q3ZgfVztMALg
 -> ssh-ed25519 hPp1nw YY8vayLICissYqcnWCvxcDyB3KxnpH6xOSYAvunQzE8
 SBzK7KsQy+Z+vsRKFgxkEJC4I4CwSM7MQ7ZbOJJ1W7Q
 -> ssh-ed25519 CRfjsA iGbknT4mBJzDd8eEXLYCmDIzfLKzGrQNeHfRx0t0BSo
 e9i000+K/KG0nikIGfXWEY8nPnnbOpWHhrys4qeXFY0
 -> ssh-ed25519 vwVIvQ BYFMu0y8DnHivMOzITB+10tDGH3vXgUCuwASMPN4DnI
 q8te5woh6MpFXKLOzZz8VK7vvivDnxIIm2YT9stxqLs
 -> ssh-ed25519 fBrw3g qJT3udFmHFFf6p+B7+rQlKeBkDjiGPJjjDoAHoP/skI
 UIC1B5eCaJArcEPetgG7cvHy2/7iOCPLPC1DM44/lmE
 -> ssh-ed25519 S5xQfg teWDWxkmGO/6Pdq9BUSpyNP3HV6Abs7Dbe4YS4E8hV0
 cij5vsyrDdKolTdEMKiWe4wFB0/T/5l6slHdJ7PaAcg
 -> ssh-ed25519 XPxfUQ eNsWuyTu3Z7o9MkQ5c06F9nbwyKnNdCTBnVtHWfw5TU
 bdlQbFoOflX0mN0fOfSRKv/pLSyy7wI4FKhMWtkC7sk
 -> ssh-ed25519 SpD5mg BhsBDO0HY8ukC5xl6dPA0crSsFw5ItIEj1STIib+3zs
 fJHJQUDczhv/XWBzi3CX1CRf2/zypk1tDTWro1EBA78
 -> ssh-ed25519 Kk8sng rhJTlmqcgXZQY8KXCzhA/s8rZki7TmBxuFDlZgr27hY
 wGjSOZgCYeVUYG6xXCG/kX18E5ljfytxfbSzPeG2M8k
 -> BT2o-grease
 d46Jzs4hD8i10FLG
 --- UWVcEz0fWRw7B8XDTX4SJfRPIgzAN7YfHQEJAVqQxYc
 v¯©ð˜‡ñò·ˆù•Tá4¡!ö=1›¬}nPÝ“$ºÖ~š€"nfêm‰V¡<56>‹>žÖ§3Å|ì~¸ó€Ü<E282AC>cRoeL=4(<28>"hòã¾ÌÞoPÀÇR3;ˆä’‹Æ.poÖþy-‚UO6¨í¢!Q2ìqo"ÆìúV)³GÝàªE<08>ºf¥½°™<E284A2>4Ü?[~W±<57>ÎÌz qëÚYê»ªGóè.fm7w¸¹"•1˜šÜã,ÿi}Çø^Öæ¿Ž	ø&/“RD‚gkÛªãn
--- a/secrets/email-pw.age
+++ b/secrets/email-pw.age
--- a/secrets/iodine.age
+++ b/secrets/iodine.age
@@ -0,0 +1,39 @@
 age-encryption.org/v1
 -> ssh-ed25519 xoAm7w NvgGcHYNA6WmPn3sCmMzPCib+6P7s5R/G6lSJFpih2E
 gLugCNcPJtAl9+2fa80OD7D7XaBkpb2bzKJclOdjGfw
 -> ssh-ed25519 mbw8xA dBYbSV7QcUTOp9a5hUAZeMlL828KrRp6tB3zMIopPDA
 i4QRHxTVaN60elfiuYXuESwbphxPN4tsQ7scH0ZJjoA
 -> ssh-ed25519 N240Tg Xg5q74f1ylRZGLpPggkTy1QU+LWEcHpqCV6wQ2OhQlk
 RubXACwdS4+xNt8nt0C0wk8XU2YIWOSRwIXUg47sNA0
 -> ssh-ed25519 2a2Yhw p5w1WsmcVHImVtolvrULgSsYXlm06g2za8zSiDf9uR8
 qVuj2L8jvRmINprQbYg91yoJU0XZmO7TprQv2UsvpmY
 -> ssh-ed25519 dMQYog EFYjggjACyNwvNCG75XsceqnUrrrsX4cv7e+Mu2Z2zI
 Q7VPIP7iNqHxGGtRG2Q122f60ZztSRsRHRbziGAinNY
 -> ssh-ed25519 G2eSCQ 5Y6Tazqz2Wjl2/lrlQMUWgEnSBJpmzwXAUGEK56upgE
 eVxcvshe+uecw4ORKdS/2W8p+jcrro8cDcDdmeY7Olg
 -> ssh-ed25519 6AT2/g h6E5M1uJRhqfR1bm82rXrJvmr+nkeUPbygD8S+zbAmY
 r5yR6W2uCcR4cEnbk/1tXwhAanT2EqTsH1mIDbrVGVM
 -> ssh-ed25519 yHDAQw lWomhFF/IyKtOUlBori7wNjrtsbqvKXXhAwF4a1y8js
 baOAc0tKMbh6Sw0bWyynI3OMrsOPA3W1fCCIn26azeQ
 -> ssh-ed25519 hPp1nw ZGwi0yK0Nu+Y/uXIxnQH6Pwmw1SWBE0yQ9FOuBNKp1U
 tN8kk/0AxUIiFbEOSeIlGiBIy0d96wTG8VrGPnEHTg4
 -> ssh-ed25519 CRfjsA ntYznFouB2JWY2LZ6aycDogIFbLHOhqcx50QbJIB+RY
 slo38Rvg+2GV2fKRlt4Yns644kd55DrDz7ivi6RTyXg
 -> ssh-ed25519 vwVIvQ UF+Bo3Rl5OPPqqddi0bqleRJV9XTuykrl2dkPPSyRAE
 znn5KNsXZPHN2/E652cPhOx8RF5+uuFUyGhrI+kCou0
 -> ssh-ed25519 fBrw3g w8EkEo1db0Po5ZhDzz/5nshsSmjy9wMSKp+XFDEuUQA
 q50eyTDTxQULpogMbVXI2zSfu+ZZP9DOXjM+Y2/rMNI
 -> ssh-ed25519 S5xQfg 651xn3mNSl/3+KT5d4XD2pkMNcxi6BScqX3teoKbgio
 EOfzB+woFBWBaVKuv4t4E0Gx3vf7Lg40WXSovXs8N6s
 -> ssh-ed25519 XPxfUQ FL+FYVsRNJBv7xEpwf0fXgJt3G/FiARQ7+aWK/sxryE
 xneOKh3muAhjkLC2upsRrc4B0mggwm7IOMFsg+25gT8
 -> ssh-ed25519 SpD5mg f140sUr/7itxtllfcbBaNV9xhRaV/IULGVn6AaP7zkw
 FnostzjoSC/bdOu2UF+rT+0mZ0aUM8rAAoQltUXn534
 -> ssh-ed25519 Kk8sng 9JnybgIcROZf+l0C9YGNb4xWkZLtdfUPm2V0WJsGPUI
 fs4wBEIdK6kU1CIhI8zz/yqa4Fb6Q2u+MO6SsudQlCM
 -> C89-grease >Fa(j6s UN5!{
 nb+ymnliEEKJf3IGloFQMNl/SyFjvFUqekC2YEY2qJblAUaft3Tf6hMYf7uDSjew
 5SRhESY0VucHhAK6OybwPWYRlXXv2gM/wxUicB8
 --- t6Q6ULdQzW4/xDtZDVI/lfP5i8Cq8lnURqQSyKWHvyI
 h,:ìüæ
 H)'’ÐŠÂ/²)žÒ¾ìpˆ¡Rç›2QU
--- a/secrets/nextcloud-pw.age
+++ b/secrets/nextcloud-pw.age
@@ -0,0 +1,39 @@
 age-encryption.org/v1
 -> ssh-ed25519 xoAm7w 7+DO9mI/zZfTIN/0KBMOIjMNnReyGoH/XVQa0OLdAHY
 qg/UIBJr8GX79d7xrIIN9GUt3pDIormlOM7IdjIytHk
 -> ssh-ed25519 mbw8xA 9KorXegEBX3PYQm+Ljdjs2hkxAIpz2CZrITNCGo0BnM
 QNQWGWqoudiryg/0fV2KZUuJQGp/suZun9KF9c2OTqw
 -> ssh-ed25519 N240Tg kfl4aaKI28cDfzX3MBisRGraQYChPdUF2WigjOFYx0Y
 u8dgbgJSmcJBp2Uc8qbWMbpa/cKEmx4V3psQgzqnitA
 -> ssh-ed25519 2a2Yhw MGk791xEYHlC4bYfU5CMS3rY8TVI8KYvEIwUhE7wQ3k
 iFT3QUR8PyWw4grqy7/8KfLfYNIDkgDKM2MqSr6cj0U
 -> ssh-ed25519 dMQYog IW1ntuHrV85WX60GI295c197NUlQMKuo5gd3sQZl/gA
 gAnx0rMggqZ7Rn8tHFAXJx3z3t9MkZpmjpgI2qAtK4g
 -> ssh-ed25519 G2eSCQ 7ZpZQAda0uxjIIdpLnC5JlU6cbLtJWr9LSIIdi7PUQw
 PfGFrMVLCmy8SDv2nn6p6M560Xu8lte8DjbCORDM+uc
 -> ssh-ed25519 6AT2/g JGE9jVFM2Wu348XIHpubyCEismpfBraxnFGTnEvqqnI
 kDHfyJdBIGIURDJ0Nsce4DqzPzhk5p+LM1QZ44pZ4g8
 -> ssh-ed25519 yHDAQw KNzCNjvErLwEJZpWWMIBFUGOC8jURyvoKzCWX0ATrRM
 EyIJpn48eU8oEB5FbMhCOd16hAVrxTFLyJEoos7WGOY
 -> ssh-ed25519 hPp1nw kdjLNwgYQV/4NMubVpJw8QCIuKn+u3CT1boZNJEWfCM
 FXNLqmpZB+CtSmCY9zGr+3UebEwNK3JmdP4ifdXiQL4
 -> ssh-ed25519 CRfjsA axLQSlgVkaYmRktIP+fwHnhN2pJ55NCOW0fzTzgjFF4
 ElO0byzF3PJxN9WgENIN/YfmsOR9rOhEh3xRNIIGIyk
 -> ssh-ed25519 vwVIvQ LtrPXRJ0hztkWFnoKt5c0UzWQpD9CO990k52gjWcQnY
 nHb1hsXhHQokcA4WoRlbZy0EFQt8Xd0cYUGqblY17Q4
 -> ssh-ed25519 fBrw3g dnWs7lWY8QoWOjWHG68FSYqZDzsIaA/qU4AXrndGNTw
 gh4+t6THL2mtrPUzGlYd/YxDjk3hpHxUmGq+kRcz9BQ
 -> ssh-ed25519 S5xQfg kEXs5hXXR4ocYYWoT2xFr4HITe9wIOOLz73zm/9bf0o
 WpO+5/zXc+UGYJGkNNQr8UsEz2RyBUtQ4Syep718294
 -> ssh-ed25519 XPxfUQ pL4j/idFPiIPnWI7bIwn0+FuB6az/hXURAh+tvdr7Hc
 WWJPFYanmf3+KnjG84XlnEapI1vh0wRi9XFJRn5JVpo
 -> ssh-ed25519 SpD5mg CpGcl7ONt0juh/N2hwcxWiuc9u9wjQ4d+AAF+1BQim0
 7Xs7qYITkCsjloA74CDGn6lZhXNTqFV05omLiCz9efg
 -> ssh-ed25519 Kk8sng DzLM7ewz+4yz5YNQfBDKcOOlqMxScGR34XfVpCUHMEM
 eH2ogYJO2N4cqxRibCOEoL5cXcTdWavHS3uRX7wwHxY
 -> h<Vf$Fh-grease :~Z8 qwh*'} 2*OyJh )iMU_m?t
 u9QuYuPJEVl7Rt1cEcXZPQ0IfpOzqB59iTMch/SDoByr966PBlBfjDS/7i9U0sEI
 GMeVtXePXkKPXVvhmbZ/C9KI
 --- 1F0kxs/7SRrpoj9q4t1eCg381LzCgrwA1DYG7zcI3dI
 ö>°cY§ÀeéEò‹ƒ\ã¯<>Ôc¸j‘½	ßÎíÃS—XpºýG<C3BD>§$½}i¼10
 Ï±™<œ`á Œ<>, öAž¤£~r>ø$|wˆ¿
--- a/secrets/peertube-db-pw.age
+++ b/secrets/peertube-db-pw.age
@@ -0,0 +1,39 @@
 age-encryption.org/v1
 -> ssh-ed25519 xoAm7w 6fOw4Kh4O0WAdZG0WPBdl63ap/Xr/w+Rweylt/0mKDU
 M2ZYVPz9vVGjJ6us48pXSFKKH8tK8PhkvBUJAUriimY
 -> ssh-ed25519 mbw8xA JBYsd9iwH4E2GfGP63DwdwT4Y+gvL31sB3rSY2GKDmQ
 zMHRL3bDxeAkWdKYPPtc/xyrkZlNtzBwzMyt5lb0H4o
 -> ssh-ed25519 N240Tg 9DErfKdTHuvUcw9+5yzo8kMHa+IKxspGlWb6KRvPB0o
 q1FLalljaHyYxEu6JrmcXGYhYi0L7TAtV0U8UsaQ4cs
 -> ssh-ed25519 2a2Yhw eDolYbro00zktVZA8xdhbjvLkcOItFU/lTBPXNYypWI
 d1MlKnVGRf2T2VFPhDnsSF8fboF+5mAdXEMeJRTjJz8
 -> ssh-ed25519 dMQYog 2y6zkr37iC5VarUPOlrXVj9XyS5pihQq6O/K20gTMnc
 jQxtJYCH1JagBpaupGVizzk0ZCswOQvFTcxT8IeFtRI
 -> ssh-ed25519 G2eSCQ 8b0ZqtAxiFRfLEMHnj6LZmq5CQT7nMmfTwc+gpKbQQs
 kl9EvBs9BpZXoomdg30ViCMBV8xEnYlCD9GFY+dNVBM
 -> ssh-ed25519 6AT2/g kA3H9/fN5qyPquKIBQqYSGZYhxqDc7Zyj0CrjF0Nqgg
 zXrT+jpTJo6ToVzLuLzDcqblXKdDbjxt4Zr9CvWBZc0
 -> ssh-ed25519 yHDAQw vuMN4IU9wAIAWDFEDCr1yjEPtEMCISxYTx27qh4QS3U
 2vrVYYbBlbyEOmd7cpeijKeNk6uEe/1iWQcZO8dSrWI
 -> ssh-ed25519 hPp1nw TwogaV1PZXUekJoqXepW8sUm+DvPCxTEL+RobecJ3ys
 VKM1QHFM8qDW1ZCpueQEqQtQknoQ470nll7y6WTjlWA
 -> ssh-ed25519 CRfjsA dvkLphHpCButJtI/RMlt7RvaIuMNHLbF9y663tvuvhs
 VEwK/KDK93e2iwEcwmGM8vvhwqi+tNW8SYrbsehZbWE
 -> ssh-ed25519 vwVIvQ xnd9Vgz9FCeRu6yZbbIZbSBEvSkgPzFifye5eT8kmT0
 XOCZBNTP66Wzy5Vdn4qJwzApDx3U2qNnQqEBcwfARHk
 -> ssh-ed25519 fBrw3g 81Mv0OtBk9J2Tb7kjnT4uCGeytV7HJfOTcA5C4NoLy4
 hiMbGjXjtvBa2Puhb8GBas3WXc0fozRD4hg73MvQumw
 -> ssh-ed25519 S5xQfg F2oOMdM1U1aT4K6pIhCnCz5EbxnEb9Q4QZ0MkhSJKnE
 Pz2cyF+IGLz64466ne8np3xA7g+51S4s4mlaLRohIM4
 -> ssh-ed25519 XPxfUQ 3rIutnjj8fXIo3mCAL5nfzJep7q70j+AGLE3j/JxOhY
 v2Xj5PbpFMsf6Tx68u7VHCRqGa3Wrnsk4E6Q08SklUc
 -> ssh-ed25519 SpD5mg tmM+zaXpX+W8xsMfBCoWZc+7wPRI6yFt2W/p4O2s4lo
 ckNxHza6ruYdIffwxDFOWnYOUgpbWNfwzU5AQJb6ZAA
 -> ssh-ed25519 Kk8sng 2ddBuZ+DEVuvRmWS2O8r+xT4Qtrev78Vre+yQ3kNdEA
 LojDcUOsZtA5kw8kIPC2y+G21T1uKUEUkwkJ3xPiUX4
 -> "JnF1%Gd-grease |=~ P
 tzG7OLiEsRVyoTBpLPGwqNBUGkz0
 --- /AHllIllItlnpPXQAkywTF1UsUb7Wpec2jdYE6kOkO4
 lß´“ <>§K
 ^U5{Ôpœ_l9ûá7I#J¯˜Á!ë†å`CÎ¸^vÚÕˆEòµßŸÁˆuž¥òä×_WPæo2.<èù w}¶Ì
 (!V®
--- a/secrets/peertube-init.age
+++ b/secrets/peertube-init.age
@@ -0,0 +1,41 @@
 age-encryption.org/v1
 -> ssh-ed25519 xoAm7w N9ZPma02+vK6eoQ6X9/AufI8d9Sq0fAmbCygEAprM30
 qUcK7qCxU/wGxssjMO3BFmiP+ZPCMMA+MPsqTS6Hau8
 -> ssh-ed25519 mbw8xA 1uhQY3YHakSRBjgVfqWc3ynGGNT+T6qR74oy7UpbdGM
 7cvBh7xPxDxZqrQURBUUnyk2YjzVY/kzAUf7dy5y/JI
 -> ssh-ed25519 N240Tg ujiP5iMMSupxkwhY1DpkmRQOQlZSr9WjPGrY7aUKmnQ
 FNeXuINzgDB+gn/u76gQq7J1zYCQC0wbFyUVxvbalI4
 -> ssh-ed25519 2a2Yhw C8/2A7AOzjyrH4Ulre9G+w1y7H1pvVZe6k5PTmGBlCI
 9W6w4Ib0riy9sbZEQvSYeJ42LXwPruV8kPvTOP+dMqg
 -> ssh-ed25519 dMQYog hIbfS8dz5LGPZ9sU+lHHnL8KB0CceM2nYV5mFV038gY
 6r14pRwszEZGVzDRZQlymlgjdp1Zd+r/O2IfjqxBZcs
 -> ssh-ed25519 G2eSCQ kvgWxBHowwVcGlm3KiWjxug+Wx3zkcMWl4wbPRrhrl8
 A5VtHqvDwaa8jONXMTvVQC1ALcnsiqxllM/DrRXWFws
 -> ssh-ed25519 6AT2/g XUGBtkOcpLRKNDS3hsyXAap1DXAIeaRX9jFOfhUpMw4
 sq/Ziv4RGRBmrUgS0GWTQs8AViUXBWjUxqf0V/rAN8E
 -> ssh-ed25519 yHDAQw GmscTQwu+lHC2VARJusQ606NLf6OlxITZzINjrbxf2o
 LmuIU71tE+2OlF0HGNS+DdXCLdA5lAeTPXl1S+V5KCA
 -> ssh-ed25519 hPp1nw XQbGxz+YJ8RieN0HxEQz9kJfikbWTtz1hFNGQBHkXzg
 1yst2YMs9XelKpIGyl+qxAgrFZ+Hq9odh6wBovbb8sc
 -> ssh-ed25519 CRfjsA 79TlEM5+g11lMOkkW/KvSTmt//ChklK3jlUHLAM/1hQ
 9X1VP6SYST3Q841ahE+fAeg0FhKq+/XcZdysigIOgdc
 -> ssh-ed25519 vwVIvQ 1r0/J5T1fEmOjM7ybKDPOBdE2UIDEUdkIFNWGJBzXGs
 gAOX/3koAfQx8er8nt4dlvLbIoYfeVPENjz7wLNoFwg
 -> ssh-ed25519 fBrw3g 9hdWAt6qEwjAwVmTprCkR2q6GsE4dEOCiCTRfz58fTk
 f24fPWUrwtt1UN2ebk7tj7gBY8EiAMwvEvztCvaNZRc
 -> ssh-ed25519 S5xQfg wyY1lx8QIDJy9pCi9zS3T3lNV0jQGhVC8HvyI60zrD4
 6+agBFHfxcaTLfZLyEeUMl9zyaFbsM9X2EXPvf6DfeM
 -> ssh-ed25519 XPxfUQ IabbhU0TM3zImRHyKk1NLnGRUUTuQHHCMLzp9AltDVE
 vf+5OlycHphA0i4nB7c6OtBBahWPJR/8VSWzudM9FEc
 -> ssh-ed25519 SpD5mg VSBErQVSLWPcA7C3p+wuL0/JaP58O5Gvy8z5eJduky0
 jnd3tBVjqhf8oZy9h2soMZVPEa2dvYHxvrNUdKK/UwU
 -> ssh-ed25519 Kk8sng 3gM4o/sdewPR8BZo8owBVEE2GwqnQgUeA1Uxsd8nOlM
 VpgZRzc4tN7QX8s41iKoCstfU0KgrGhWolfws8QXYr8
 -> vWbrVo-grease ,kVQ{
 PpMMMc8V/eqh5OBEcK067OIY3UQt9QTjHCVVesZediQxm/E2rRYvKm793NdgsflT
 mAA0Lcu8/6EPFWtK05TxkDO+JaVfrvKLKuh/E3k
 --- eKZw2cOm1WsLYj/Bx14q433kkZ6altIqL0qnBSYXjn8
 >»KÝ’-B<15>vœâŒ×ôÕŽ}4©Q‹åÎË³x
 ÅîÝÒ{Ê±í
 0U<01>Ò
 ê¶×Ý
--- a/Show More
+++ b/Show More