speed up

try again
2024-06-17 21:11:06 -06:00 · 2024-06-16 21:30:10 -06:00 · 2024-06-16 21:22:17 -06:00 · 2024-06-16 21:21:19 -06:00 · 2024-06-16 21:05:33 -06:00 · 2024-06-16 21:01:29 -06:00
192 changed files with 14701 additions and 6816 deletions
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -0,0 +1,28 @@
 name: Check Flake
 on: [push]
 env:
  DEBIAN_FRONTEND: noninteractive
  PATH: /run/current-system/sw/bin/
 jobs:
  check-flake:
    runs-on: nixos
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - run: attic -V
      - name: Setup Attic Cache
        uses: https://git.neet.dev/zuckerberg/attic-action@v0.2.5
        with:
          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
          cache: ${{ secrets.ATTIC_CACHE }}
          token: ${{ secrets.ATTIC_TOKEN }}
      - name: Check Flake
        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
 result
--- a/27
+++ b/27
@@ -0,0 +1,27 @@
 # Lockfile utils
 .PHONY: update-lockfile
 update-lockfile:
 	nix flake update --commit-lock-file
 .PHONY: update-lockfile-without-commit
 update-lockfile-without-commit:
 	nix flake update
 # Agenix utils
 .PHONY: edit-secret
 edit-secret:
 	cd secrets && agenix -e $(filter-out $@,$(MAKECMDGOALS))
 .PHONY: rekey-secrets
 rekey-secrets:
 	cd secrets && agenix -r
 # NixOS utils
 .PHONY: clean-old-nixos-profiles
 clean-old-nixos-profiles:
 	doas nix-collect-garbage -d
 # Garbage Collect
 .PHONY: gc
 gc:
 	nix store gc
--- a/README.md
+++ b/README.md
@@ -0,0 +1,11 @@
 # My NixOS configurations
 ### Source Layout
 - `/common` - common configuration imported into all `/machines`
    - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
    - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
 - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
 - `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1,84 @@
 # A place for brain dump ideas maybe to be taken off of the shelve one day
 ### NixOS webtools
 - Better options search https://mynixos.com/options/services 
 ### Interesting ideas for restructuring nixos config
 - https://github.com/gytis-ivaskevicius/flake-utils-plus
 - https://github.com/divnix/digga/tree/main/examples/devos
 - https://digga.divnix.com/
 - https://nixos.wiki/wiki/Comparison_of_NixOS_setups
 ### Housekeeping
 - Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
 - remove `options.currentSystem`
 - allow `hostname` option for webservices to be null to disable configuring nginx
 ### NAS
 - safely turn off NAS on power disconnect
 ### Shell Comands
 - tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
 ### Services
 - setup archivebox
 - radio https://tildegit.org/tilderadio/site
 - music
    - mopidy
        - use the jellyfin plugin?
    - navidrome
        - spotify secrets for navidrome
    - picard for music tagging
    - alternative music software
        - https://www.smarthomebeginner.com/best-music-server-software-options/
        - https://funkwhale.audio/
        - https://github.com/epoupon/lms
        - https://github.com/benkaiser/stretto
        - https://github.com/blackcandy-org/black_candy
        - https://github.com/koel/koel
        - https://airsonic.github.io/
        - https://ampache.org/
 - replace nextcloud with seafile
 ### Archive
 - email
    - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
    - http://kb.unixservertech.com/software/dovecot/archiveserver
 ### Paranoia
 - https://christine.website/blog/paranoid-nixos-2021-07-18
 - https://nixos.wiki/wiki/Impermanence
 # Setup CI
 - CI
    - hydra
    - https://docs.cachix.org/continuous-integration-setup/
 - Binary Cache
    - Maybe use cachix https://gvolpe.com/blog/nixos-binary-cache-ci/
    - Self hosted binary cache? https://www.tweag.io/blog/2019-11-21-untrusted-ci/
    - https://github.com/edolstra/nix-serve
    - https://nixos.wiki/wiki/Binary_Cache
    - https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
 - Both
    - https://garnix.io/
    - https://nixbuild.net
 # Secrets
 - consider using headscale
 - Replace luks over tor for remote unlock with luks over tailscale using ephemeral keys
 - Rollover luks FDE passwords
 - /secrets on personal computers should only be readable using a trusted ssh key, preferably requiring a yubikey
 - Rollover shared yubikey secrets
 - offsite backup yubikey, pw db, and ssh key with /secrets access
 ### Misc
 - for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
  - https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper
 ### Future Interests (upon merge into nixpkgs)
 - nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
 - glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356
--- a/common/auto-update.nix
+++ b/common/auto-update.nix
@@ -4,11 +4,12 @@
 let
  cfg = config.system.autoUpgrade;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    system.autoUpgrade = {
      flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
-      flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
+      flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
    };
  };
 }
--- a/common/backups.nix
+++ b/common/backups.nix
@@ -0,0 +1,78 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.backup;
  hostname = config.networking.hostName;
  mkRespository = group: "s3:s3.us-west-004.backblazeb2.com/D22TgIt0-main-backup/${group}";
  mkBackup = group: paths: {
    repository = mkRespository group;
    inherit paths;
    initialize = true;
    timerConfig = {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
    extraBackupArgs = [
      ''--exclude-if-present ".nobackup"''
    ];
    pruneOpts = [
      "--keep-daily 7" # one backup for each of the last n days
      "--keep-weekly 5" # one backup for each of the last n weeks
      "--keep-monthly 12" # one backup for each of the last n months
      "--keep-yearly 75" # one backup for each of the last n years
    ];
    environmentFile = "/run/agenix/backblaze-s3-backups";
    passwordFile = "/run/agenix/restic-password";
  };
  # example usage: "sudo restic_samba unlock" (removes lockfile)
  mkResticGroupCmd = group: pkgs.writeShellScriptBin "restic_${group}" ''
    if [ "$EUID" -ne 0 ]
      then echo "Run as root"
      exit
    fi
    . /run/agenix/backblaze-s3-backups
    export AWS_SECRET_ACCESS_KEY
    export AWS_ACCESS_KEY_ID
    export RESTIC_PASSWORD_FILE=/run/agenix/restic-password
    export RESTIC_REPOSITORY="${mkRespository group}"
    exec ${pkgs.restic}/bin/restic "$@"
  '';
 in
 {
  options.backup = {
    group = lib.mkOption {
      default = null;
      type = lib.types.nullOr (lib.types.attrsOf (lib.types.submodule {
        options = {
          paths = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            description = ''
              Paths to backup
            '';
          };
        };
      }));
    };
  };
  config = lib.mkIf (cfg.group != null) {
    services.restic.backups = lib.concatMapAttrs
      (group: groupCfg: {
        ${group} = mkBackup group groupCfg.paths;
      })
      cfg.group;
    age.secrets.backblaze-s3-backups.file = ../secrets/backblaze-s3-backups.age;
    age.secrets.restic-password.file = ../secrets/restic-password.age;
    environment.systemPackages = map mkResticGroupCmd (builtins.attrNames cfg.group);
  };
 }
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
@@ -0,0 +1,17 @@
 { config, lib, ... }:
 {
  nix = {
    settings = {
      substituters = [
        "https://cache.nixos.org/"
        "https://nix-community.cachix.org"
        "http://s0.koi-bebop.ts.net:28338/nixos"
      ];
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "nixos:IDhKojUaMz+UIiri1/DQk9EpqDokih8dwxmp41uJnls="
      ];
    };
  };
 }
--- a/common/boot/bios.nix
+++ b/common/boot/bios.nix
@@ -3,24 +3,27 @@
 with lib;
 let
  cfg = config.bios;
-in {
+in
 {
  options.bios = {
    enable = mkEnableOption "enable bios boot";
    device = mkOption {
      type = types.str;
    };
    configurationLimit = mkOption {
      default = 20;
      type = types.int;
    };
  };
  config = mkIf cfg.enable {
    # Use GRUB 2 for BIOS
    boot.loader = {
      timeout = 2;
      grub = {
        enable = true;
        device = cfg.device;
        version = 2;
        useOSProber = true;
-        configurationLimit = 20;
+        configurationLimit = cfg.configurationLimit;
        theme = pkgs.nixos-grub2-theme;
      };
    };
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@@ -5,6 +5,6 @@
    ./firmware.nix
    ./efi.nix
    ./bios.nix
-    ./luks.nix
+    ./remote-luks-unlock.nix
  ];
 }
--- a/common/boot/efi.nix
+++ b/common/boot/efi.nix
@@ -3,24 +3,27 @@
 with lib;
 let
  cfg = config.efi;
-in {
+in
 {
  options.efi = {
    enable = mkEnableOption "enable efi boot";
    configurationLimit = mkOption {
      default = 20;
      type = types.int;
    };
  };
  config = mkIf cfg.enable {
    # Use GRUB2 for EFI
    boot.loader = {
      efi.canTouchEfiVariables = true;
      timeout = 2;
      grub = {
        enable = true;
        device = "nodev";
        version = 2;
        efiSupport = true;
        useOSProber = true;
        #       memtest86.enable = true;
-        configurationLimit = 20;
+        configurationLimit = cfg.configurationLimit;
        theme = pkgs.nixos-grub2-theme;
      };
    };
--- a/common/boot/firmware.nix
+++ b/common/boot/firmware.nix
@@ -3,7 +3,8 @@
 with lib;
 let
  cfg = config.firmware;
-in {
+in
 {
  options.firmware.x86_64 = {
    enable = mkEnableOption "enable x86_64 firmware";
  };
--- a/common/boot/luks.nix
+++ b/common/boot/luks.nix
@@ -1,101 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.luks;
 in {
  options.luks = {
    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
    device = {
      name = lib.mkOption {
        type = lib.types.str;
        default = "enc-pv";
      };
      path = lib.mkOption {
        type = lib.types.either lib.types.str lib.types.path;
      };
      allowDiscards = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
    };
    sshHostKeys = lib.mkOption {
      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
      default = [
        "/secret/ssh_host_rsa_key"
        "/secret/ssh_host_ed25519_key"
      ];
    };
    sshAuthorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
    };
    onionConfig = lib.mkOption {
      type = lib.types.path;
      default = /secret/onion;
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
    };
  };
  config = lib.mkIf cfg.enable {
    boot.initrd.luks.devices.${cfg.device.name} = {
      device = cfg.device.path;
      allowDiscards = cfg.device.allowDiscards;
    };
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;
    boot.initrd.network.ssh = {
      enable = true;
      port = 22;
      hostKeys = cfg.sshHostKeys;
      authorizedKeys = cfg.sshAuthorizedKeys;
    };
    boot.initrd.postDeviceCommands = ''
      echo 'waiting for root device to be opened...'
      mkfifo /crypt-ramfs/passphrase
      echo /crypt-ramfs/passphrase >> /dev/null
    '';
    # Make machine accessable over tor for boot unlock
    boot.initrd.secrets = {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
    # start tor during boot process
    boot.initrd.network.postCommands = let
      torRc = (pkgs.writeText "tor.rc" ''
        DataDirectory /etc/tor
        SOCKSPort 127.0.0.1:9050 IsolateDestAddr
        SOCKSPort 127.0.0.1:9063
        HiddenServiceDir /etc/tor/onion/bootup
        HiddenServicePort 22 127.0.0.1:22
      '');
    in ''
      # Add nice prompt for giving LUKS passphrase over ssh
      echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
      echo "tor: preparing onion folder"
      # have to do this otherwise tor does not want to start
      chmod -R 700 /etc/tor
      echo "make sure localhost is up"
      ip a a 127.0.0.1/8 dev lo
      ip link set lo up
      echo "haveged: starting haveged"
      haveged -F &
      echo "tor: starting tor"
      tor -f ${torRc} --verify-config
      tor -f ${torRc} &
    '';
  };
 }
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@@ -0,0 +1,96 @@
 { config, pkgs, lib, ... }:
 # TODO: use tailscale instead of tor https://gist.github.com/antifuchs/e30d58a64988907f282c82231dde2cbc
 let
  cfg = config.remoteLuksUnlock;
 in
 {
  options.remoteLuksUnlock = {
    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
    enableTorUnlock = lib.mkOption {
      type = lib.types.bool;
      default = cfg.enable;
      description = "Make machine accessable over tor for ssh boot unlock";
    };
    sshHostKeys = lib.mkOption {
      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
      default = [
        "/secret/ssh_host_rsa_key"
        "/secret/ssh_host_ed25519_key"
      ];
    };
    sshAuthorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
    };
    onionConfig = lib.mkOption {
      type = lib.types.path;
      default = /secret/onion;
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
    };
  };
  config = lib.mkIf cfg.enable {
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;
    boot.initrd.network.ssh = {
      enable = true;
      port = 22;
      hostKeys = cfg.sshHostKeys;
      authorizedKeys = cfg.sshAuthorizedKeys;
    };
    boot.initrd.postDeviceCommands = ''
      echo 'waiting for root device to be opened...'
      mkfifo /crypt-ramfs/passphrase
      echo /crypt-ramfs/passphrase >> /dev/null
    '';
    boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
    boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
    boot.initrd.network.postCommands = lib.mkMerge [
      (
        ''
          # Add nice prompt for giving LUKS passphrase over ssh
          echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
        ''
      )
      (
        let torRc = (pkgs.writeText "tor.rc" ''
          DataDirectory /etc/tor
          SOCKSPort 127.0.0.1:9050 IsolateDestAddr
          SOCKSPort 127.0.0.1:9063
          HiddenServiceDir /etc/tor/onion/bootup
          HiddenServicePort 22 127.0.0.1:22
        ''); in
        lib.mkIf cfg.enableTorUnlock ''
          echo "tor: preparing onion folder"
          # have to do this otherwise tor does not want to start
          chmod -R 700 /etc/tor
          echo "make sure localhost is up"
          ip a a 127.0.0.1/8 dev lo
          ip link set lo up
          echo "haveged: starting haveged"
          haveged -F &
          echo "tor: starting tor"
          tor -f ${torRc} --verify-config
          tor -f ${torRc} &
        ''
      )
    ];
  };
 }
--- a/common/default.nix
+++ b/common/default.nix
@@ -2,27 +2,68 @@
 {
  imports = [
    ./backups.nix
    ./binary-cache.nix
    ./flakes.nix
    ./pia.nix
    ./zerotier.nix
    ./auto-update.nix
    ./shell.nix
    ./network
    ./boot
    ./server
    ./pc
    ./machine-info
    ./nix-builder.nix
    ./ssh.nix
  ];
-  system.stateVersion = "20.09";
+  nix.flakes.enable = true;
  system.stateVersion = "23.11";
  networking.useDHCP = false;
-  time.timeZone = "America/New_York";
+  networking.firewall.enable = true;
-  i18n.defaultLocale = "en_US.UTF-8";
+  networking.firewall.allowPing = true;
-  services.openssh.enable = true;
+  time.timeZone = "America/Denver";
  i18n = {
    defaultLocale = "en_US.UTF-8";
    extraLocaleSettings = {
      LANGUAGE = "en_US.UTF-8";
      LC_ALL = "en_US.UTF-8";
    };
  };
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
    };
  };
  programs.mosh.enable = true;
  environment.systemPackages = with pkgs; [
-    wget kakoune htop git dnsutils tmux nethogs iotop pciutils usbutils
+    wget
    kakoune
    htop
    git
    git-lfs
    dnsutils
    tmux
    nethogs
    iotop
    pciutils
    usbutils
    killall
    screen
    micro
    helix
    lm_sensors
    picocom
    lf
    gnumake
    tree
    attic
  ];
  nixpkgs.config.allowUnfree = true;
@@ -30,11 +71,32 @@
  users.mutableUsers = false;
  users.users.googlebot = {
    isNormalUser = true;
-    extraGroups = [ "wheel" ];
+    extraGroups = [
-    openssh.authorizedKeys.keys = (import ./ssh.nix).users;
+      "wheel"
      "dialout" # serial
    ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
    uid = 1000;
  };
-  nix.trustedUsers = [ "root" "googlebot" ];
+  users.users.root = {
    openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
  };
  nix.settings = {
    trusted-users = [ "root" "googlebot" ];
  };
  # don't use sudo
  security.doas.enable = true;
  security.sudo.enable = false;
  security.doas.extraRules = [
    # don't ask for password every time
    { groups = [ "wheel" ]; persist = true; }
  ];
  nix.gc.automatic = true;
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "zuckerberg@neet.dev";
 }
--- a/common/flakes.nix
+++ b/common/flakes.nix
@@ -2,20 +2,23 @@
 with lib;
 let
  cfg = config.nix.flakes;
-in {
+in
 {
  options.nix.flakes = {
    enable = mkEnableOption "use nix flakes";
  };
  config = mkIf cfg.enable {
    nix = {
      package = pkgs.nixFlakes;
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
      # pin nixpkgs for system commands such as "nix shell"
      registry.nixpkgs.flake = config.inputs.nixpkgs;
      # pin system nixpkgs to the same version as the flake input
      nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
    };
  };
 }
--- a/common/machine-info/default.nix
+++ b/common/machine-info/default.nix
@@ -0,0 +1,200 @@
 # Gathers info about each machine to constuct overall configuration
 # Ex: Each machine already trusts each others SSH fingerprint already
 { config, lib, pkgs, ... }:
 let
  machines = config.machines.hosts;
 in
 {
  imports = [
    ./ssh.nix
    ./roles.nix
  ];
  options.machines = {
    hosts = lib.mkOption {
      type = lib.types.attrsOf
        (lib.types.submodule {
          options = {
            hostNames = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              description = ''
                List of hostnames for this machine. The first one is the default so it is the target of deployments.
                Used for automatically trusting hosts for ssh connections.
              '';
            };
            arch = lib.mkOption {
              type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
              description = ''
                The architecture of this machine.
              '';
            };
            systemRoles = lib.mkOption {
              type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
              description = ''
                The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
              '';
            };
            hostKey = lib.mkOption {
              type = lib.types.str;
              description = ''
                The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
                and for decrypting secrets with agenix.
              '';
            };
            remoteUnlock = lib.mkOption {
              default = null;
              type = lib.types.nullOr (lib.types.submodule {
                options = {
                  hostKey = lib.mkOption {
                    type = lib.types.str;
                    description = ''
                      The system ssh host key of this machine used for luks boot unlocking only.
                    '';
                  };
                  clearnetHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over clearnet used to luks boot unlock this machine
                    '';
                  };
                  onionHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over tor used to luks boot unlock this machine
                    '';
                  };
                };
              });
            };
            userKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
                TODO: consider auto populating other programs that use ssh keys such as gitea
              '';
            };
            deployKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of deployment keys. Each key here can be used to log into all other systems as `root`.
              '';
            };
            configurationPath = lib.mkOption {
              type = lib.types.path;
              description = ''
                The path to this machine's configuration directory.
              '';
            };
          };
        });
    };
  };
  config = {
    assertions = (lib.concatLists (lib.mapAttrsToList
      (
        name: cfg: [
          {
            assertion = builtins.length cfg.hostNames > 0;
            message = ''
              Error with config for ${name}
              There must be at least one hostname.
            '';
          }
          {
            assertion = builtins.length cfg.systemRoles > 0;
            message = ''
              Error with config for ${name}
              There must be at least one system role.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.hostKey != cfg.hostKey;
            message = ''
              Error with config for ${name}
              Unlock hostkey and hostkey cannot be the same because unlock hostkey is in /boot, unencrypted.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || (cfg.remoteUnlock.clearnetHost != null || cfg.remoteUnlock.onionHost != null);
            message = ''
              Error with config for ${name}
              At least one of clearnet host or onion host must be defined.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.clearnetHost == null || builtins.elem cfg.remoteUnlock.clearnetHost cfg.hostNames == false;
            message = ''
              Error with config for ${name}
              Clearnet unlock hostname cannot be in the list of hostnames for security reasons.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.onionHost == null || lib.strings.hasSuffix ".onion" cfg.remoteUnlock.onionHost;
            message = ''
              Error with config for ${name}
              Tor unlock hostname must be an onion address.
            '';
          }
          {
            assertion = builtins.elem "personal" cfg.systemRoles || builtins.length cfg.userKeys == 0;
            message = ''
              Error with config for ${name}
              There must be at least one userkey defined for personal machines.
            '';
          }
          {
            assertion = builtins.elem "deploy" cfg.systemRoles || builtins.length cfg.deployKeys == 0;
            message = ''
              Error with config for ${name}
              Only deploy machines are allowed to have deploy keys for security reasons.
            '';
          }
        ]
      )
      machines));
    # Set per machine properties automatically using each of their `properties.nix` files respectively
    machines.hosts =
      let
        properties = dir: lib.concatMapAttrs
          (name: path: {
            ${name} =
              import path
              //
              { configurationPath = builtins.dirOf path; };
          })
          (propertiesFiles dir);
        propertiesFiles = dir:
          lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
        propertiesFiles' = dir:
          let
            propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
            dirName = path: builtins.baseNameOf (builtins.dirOf path);
          in
          builtins.map (p: { "${dirName p}" = p; }) propFiles;
      in
      properties ../../machines;
  };
 }
--- a/common/machine-info/moduleless.nix
+++ b/common/machine-info/moduleless.nix
@@ -0,0 +1,15 @@
 # Allows getting machine-info outside the scope of nixos configuration
 { nixpkgs ? import <nixpkgs> { }
 , assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
 }:
 {
  machines =
    (nixpkgs.lib.evalModules {
      modules = [
        ./default.nix
        assertionsModule
      ];
    }).config.machines;
 }
--- a/common/machine-info/roles.nix
+++ b/common/machine-info/roles.nix
@@ -0,0 +1,19 @@
 { config, lib, ... }:
 # Maps roles to their hosts
 {
  options.machines.roles = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
  };
  config = {
    machines.roles = lib.zipAttrs
      (lib.mapAttrsToList
        (host: cfg:
          lib.foldl (lib.mergeAttrs) { }
            (builtins.map (role: { ${role} = host; })
              cfg.systemRoles))
        config.machines.hosts);
  };
 }
--- a/common/machine-info/ssh.nix
+++ b/common/machine-info/ssh.nix
@@ -0,0 +1,44 @@
 { config, lib, ... }:
 let
  machines = config.machines;
  sshkeys = keyType: lib.foldl (l: cfg: l ++ cfg.${keyType}) [ ] (builtins.attrValues machines.hosts);
 in
 {
  options.machines.ssh = {
    userKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        List of user keys aggregated from all machines.
      '';
    };
    deployKeys = lib.mkOption {
      default = [ ];
      type = lib.types.listOf lib.types.str;
      description = ''
        List of deploy keys aggregated from all machines.
      '';
    };
    hostKeysByRole = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      description = ''
        Machine host keys divided into their roles.
      '';
    };
  };
  config = {
    machines.ssh.userKeys = sshkeys "userKeys";
    machines.ssh.deployKeys = sshkeys "deployKeys";
    machines.ssh.hostKeysByRole = lib.mapAttrs
      (role: hosts:
        builtins.map
          (host: machines.hosts.${host}.hostKey)
          hosts)
      machines.roles;
  };
 }
--- a/common/network/ca.rsa.4096.crt
+++ b/common/network/ca.rsa.4096.crt
@@ -0,0 +1,43 @@
 -----BEGIN CERTIFICATE-----
 MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
 VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
 BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
 dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
 IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
 FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
 MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
 EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
 QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
 AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
 ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
 bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
 hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
 De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
 V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
 25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
 fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
 p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
 Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
 tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
 jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
 meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
 1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
 HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
 yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
 EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
 cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
 HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
 ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
 aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
 hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
 pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
 Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
 tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
 LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
 6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
 5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
 JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
 iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
 8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
 +no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
 -----END CERTIFICATE-----
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -0,0 +1,23 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.networking;
 in
 {
  imports = [
    ./pia-openvpn.nix
    ./pia-wireguard.nix
    ./ping.nix
    ./tailscale.nix
    ./vpn.nix
  ];
  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
  config = mkIf cfg.ip_forward {
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  };
 }
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@@ -0,0 +1,113 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.pia.openvpn;
  vpnfailsafe = pkgs.stdenv.mkDerivation {
    pname = "vpnfailsafe";
    version = "0.0.1";
    src = ./.;
    installPhase = ''
      mkdir -p $out
      cp vpnfailsafe.sh $out/vpnfailsafe.sh
      sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
    '';
  };
 in
 {
  options.pia.openvpn = {
    enable = lib.mkEnableOption "Enable private internet access";
    server = lib.mkOption {
      type = lib.types.str;
      default = "us-washingtondc.privacy.network";
      example = "swiss.privacy.network";
    };
  };
  config = lib.mkIf cfg.enable {
    services.openvpn = {
      servers = {
        pia = {
          config = ''
            client
            dev tun
            proto udp
            remote ${cfg.server} 1198
            resolv-retry infinite
            nobind
            persist-key
            persist-tun
            cipher aes-128-cbc
            auth sha1
            tls-client
            remote-cert-tls server
            auth-user-pass
            compress
            verb 1
            reneg-sec 0
            <crl-verify>
            -----BEGIN X509 CRL-----
            MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
            EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
            cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
            HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
            ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
            aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
            MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
            9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
            jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
            B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
            ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
            5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
            MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
            -----END X509 CRL-----
            </crl-verify>
            <ca>
            -----BEGIN CERTIFICATE-----
            MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
            VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
            BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
            dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
            IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
            FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
            MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
            EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
            QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
            AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
            ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
            bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
            L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
            lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
            cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
            8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
            /5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
            OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
            y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
            sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
            b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
            A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
            SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
            czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
            b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
            a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
            ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
            7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
            GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
            1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
            YDQ8z9v+DMO6iwyIDRiU
            -----END CERTIFICATE-----
            </ca>
            disable-occ
            auth-user-pass /run/agenix/pia-login.conf
          '';
          autoStart = true;
          up = "${vpnfailsafe}/vpnfailsafe.sh";
          down = "${vpnfailsafe}/vpnfailsafe.sh";
        };
      };
    };
    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -0,0 +1,363 @@
 { config, lib, pkgs, ... }:
 # Server list:
 #   https://serverlist.piaservers.net/vpninfo/servers/v6
 # Reference materials:
 #   https://github.com/pia-foss/manual-connections
 #   https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
 # TODO handle potential errors (or at least print status, success, and failures to the console)
 # TODO parameterize names of systemd services so that multiple wg VPNs could coexist in theory easier
 # TODO implement this module such that the wireguard VPN doesn't have to live in a container
 # TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
 # TODO verify signatures of PIA responses
 # TODO `RuntimeMaxSec = "30d";` for pia-vpn-wireguard-init isn't allowed per the systemd logs. Find alternative.
 with builtins;
 with lib;
 let
  cfg = config.pia.wireguard;
  getPIAToken = ''
    PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
    PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
    # PIA_TOKEN only lasts 24hrs
    PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
  '';
  chooseWireguardServer = ''
    servers=$(mktemp)
    servers_json=$(mktemp)
    curl -s "https://serverlist.piaservers.net/vpninfo/servers/v6" > "$servers"
    # extract json part only
    head -n 1 "$servers" | tr -d '\n' > "$servers_json"
    echo "Available location ids:" && jq '.regions | .[] | {name, id, port_forward}' "$servers_json"
    # Some locations have multiple servers available. Pick a random one.
    totalservers=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | length' "$servers_json")
    if ! [[ "$totalservers" =~ ^[0-9]+$ ]] || [ "$totalservers" -eq 0 ] 2>/dev/null; then
      echo "Location \"${cfg.serverLocation}\" not found."
      exit 1
    fi
    serverindex=$(( RANDOM % totalservers))
    WG_HOSTNAME=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].cn' "$servers_json")
    WG_SERVER_IP=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].ip' "$servers_json")
    WG_SERVER_PORT=$(jq -r '.groups.wg | .[0] | .ports | .[0]' "$servers_json")
    # write chosen server
    rm -f /tmp/${cfg.interfaceName}-server.conf
    touch /tmp/${cfg.interfaceName}-server.conf
    chmod 700 /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_HOSTNAME" >> /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_SERVER_IP" >> /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_SERVER_PORT" >> /tmp/${cfg.interfaceName}-server.conf
    rm $servers_json $servers
  '';
  getChosenWireguardServer = ''
    WG_HOSTNAME=`sed '1q;d' /tmp/${cfg.interfaceName}-server.conf`
    WG_SERVER_IP=`sed '2q;d' /tmp/${cfg.interfaceName}-server.conf`
    WG_SERVER_PORT=`sed '3q;d' /tmp/${cfg.interfaceName}-server.conf`
  '';
  refreshPIAPort = ''
    ${getChosenWireguardServer}
    signature=`sed '1q;d' /tmp/${cfg.interfaceName}-port-renewal`
    payload=`sed '2q;d' /tmp/${cfg.interfaceName}-port-renewal`
    bind_port_response=`curl -Gs -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "payload=$payload" --data-urlencode "signature=$signature" "https://$WG_HOSTNAME:19999/bindPort"`
  '';
  portForwarding = cfg.forwardPortForTransmission || cfg.forwardedPort != null;
  containerServiceName = "container@${config.vpn-container.containerName}.service";
 in
 {
  options.pia.wireguard = {
    enable = mkEnableOption "Enable private internet access";
    badPortForwardPorts = mkOption {
      type = types.listOf types.port;
      description = ''
        Ports that will not be accepted from PIA.
        If PIA assigns a port from this list, the connection is aborted since we cannot ask for a different port.
        This is used to guarantee we are not assigned a port that is used by a service we do not want exposed.
      '';
    };
    wireguardListenPort = mkOption {
      type = types.port;
      description = "The port wireguard listens on for this VPN connection";
      default = 51820;
    };
    serverLocation = mkOption {
      type = types.str;
      default = "swiss";
    };
    interfaceName = mkOption {
      type = types.str;
      default = "piaw";
    };
    forwardedPort = mkOption {
      type = types.nullOr types.port;
      description = "The port to redirect port forwarded TCP VPN traffic too";
      default = null;
    };
    forwardPortForTransmission = mkEnableOption "PIA port forwarding for transmission should be performed.";
  };
  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.forwardPortForTransmission != (cfg.forwardedPort != null);
        message = ''
          The PIA forwarded port cannot simultaneously be used by transmission and redirected to another port.
        '';
      }
    ];
    # mounts used to pass the connection parameters to the container
    # the container doesn't have internet until it uses these parameters so it cannot fetch them itself
    vpn-container.mounts = [
      "/tmp/${cfg.interfaceName}.conf"
      "/tmp/${cfg.interfaceName}-server.conf"
      "/tmp/${cfg.interfaceName}-address.conf"
    ];
    # The container takes ownership of the wireguard interface on its startup
    containers.vpn.interfaces = [ cfg.interfaceName ];
    # TODO: while this is much better than "loose" networking, it seems to have issues with firewall restarts
    # allow traffic for wireguard interface to pass since wireguard trips up rpfilter
    # networking.firewall = {
    #   extraCommands = ''
    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN
    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN
    #   '';
    #   extraStopCommands = ''
    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN || true
    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN || true
    #   '';
    # };
    networking.firewall.checkReversePath = "loose";
    systemd.services.pia-vpn-wireguard-init = {
      description = "Creates PIA VPN Wireguard Interface";
      wants = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      before = [ containerServiceName ];
      requiredBy = [ containerServiceName ];
      partOf = [ containerServiceName ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ wireguard-tools jq curl iproute iputils ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # restart once a month; PIA forwarded port expires after two months
        # because the container is "PartOf" this unit, it gets restarted too
        RuntimeMaxSec = "30d";
      };
      script = ''
        echo Waiting for internet...
        while ! ping -c 1 -W 1 1.1.1.1; do
            sleep 1
        done
        # Prepare to connect by generating wg secrets and auth'ing with PIA since the container
        # cannot do without internet to start with. NAT'ing the host's internet would address this
        # issue but is not ideal because then leaking network outside of the VPN is more likely.
        ${chooseWireguardServer}
        ${getPIAToken}
        # generate wireguard keys
        privKey=$(wg genkey)
        pubKey=$(echo "$privKey" | wg pubkey)
        # authorize our WG keys with the PIA server we are about to connect to
        wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:$WG_SERVER_PORT/addKey`
        # create wg-quick config file
        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        touch /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        chmod 700 /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        echo "
        [Interface]
        # Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
        PrivateKey = $privKey
        ListenPort = ${toString cfg.wireguardListenPort}
        [Peer]
        PersistentKeepalive = 25
        PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
        AllowedIPs = 0.0.0.0/0
        Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
        " >> /tmp/${cfg.interfaceName}.conf
        # create file storing the VPN ip address PIA assigned to us
        echo "$wireguard_json" | jq -r '.peer_ip' >> /tmp/${cfg.interfaceName}-address.conf
        # Create wg interface now so it inherits from the namespace with internet access
        # the container will handle actually connecting the interface since that info is
        # not preserved upon moving into the container's networking namespace
        # Roughly following this guide https://www.wireguard.com/netns/#ordinary-containerization
        [[ -z $(ip link show dev ${cfg.interfaceName} 2>/dev/null) ]] || exit
        ip link add ${cfg.interfaceName} type wireguard
      '';
      preStop = ''
        # cleanup wireguard interface
        ip link del ${cfg.interfaceName}
        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
      '';
    };
    vpn-container.config.systemd.services.pia-vpn-wireguard = {
      description = "Initializes the PIA VPN WireGuard Tunnel";
      wants = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ wireguard-tools iproute curl jq iptables ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        # pseudo calls wg-quick
        # Near equivalent of "wg-quick up /tmp/${cfg.interfaceName}.conf"
        # cannot actually call wg-quick because the interface has to be already
        # created before the container taken ownership of the interface
        # Thus, assumes wg interface was already created:
        #   ip link add ${cfg.interfaceName} type wireguard
        ${getChosenWireguardServer}
        myaddress=`cat /tmp/${cfg.interfaceName}-address.conf`
        wg setconf ${cfg.interfaceName} /tmp/${cfg.interfaceName}.conf
        ip -4 address add $myaddress dev ${cfg.interfaceName}
        ip link set mtu 1420 up dev ${cfg.interfaceName}
        wg set ${cfg.interfaceName} fwmark ${toString cfg.wireguardListenPort}
        ip -4 route add 0.0.0.0/0 dev ${cfg.interfaceName} table ${toString cfg.wireguardListenPort}
        # TODO is this needed?
        ip -4 rule add not fwmark ${toString cfg.wireguardListenPort} table ${toString cfg.wireguardListenPort}
        ip -4 rule add table main suppress_prefixlength 0
        # The rest of the script is only for only for port forwarding skip if not needed
        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
        # Reserve port
        ${getPIAToken}
        payload_and_signature=`curl -s -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" -G --data-urlencode "token=$PIA_TOKEN" "https://$WG_HOSTNAME:19999/getSignature"`
        signature=$(echo "$payload_and_signature" | jq -r '.signature')
        payload=$(echo "$payload_and_signature" | jq -r '.payload')
        port=$(echo "$payload" | base64 -d | jq -r '.port')
        # Check if the port is acceptable
        notallowed=(${concatStringsSep " " (map toString cfg.badPortForwardPorts)})
        if [[ " ''${notallowed[*]} " =~ " $port " ]]; then
          # the port PIA assigned is not allowed, kill the connection
          wg-quick down /tmp/${cfg.interfaceName}.conf
          exit 1
        fi
        # write reserved port to file readable for all users
        echo $port > /tmp/${cfg.interfaceName}-port
        chmod 644 /tmp/${cfg.interfaceName}-port
        # write payload and signature info needed to allow refreshing allocated forwarded port
        rm -f /tmp/${cfg.interfaceName}-port-renewal
        touch /tmp/${cfg.interfaceName}-port-renewal
        chmod 700 /tmp/${cfg.interfaceName}-port-renewal
        echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
        echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
        # Block all traffic from VPN interface except for traffic that is from the forwarded port
        iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
        iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
        # The first port refresh triggers the port to be actually allocated
        ${refreshPIAPort}
        ${optionalString (cfg.forwardedPort != null) ''
          # redirect the fowarded port
          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
        ''}
        ${optionalString cfg.forwardPortForTransmission ''
          # assumes no auth needed for transmission
          curlout=$(curl localhost:9091/transmission/rpc 2>/dev/null)
          regex='X-Transmission-Session-Id\: (\w*)'
          if [[ $curlout =~ $regex ]]; then
              sessionId=''${BASH_REMATCH[1]}
          else
              exit 1
          fi
          # set the port in transmission
          data='{"method": "session-set", "arguments": { "peer-port" :'$port' } }'
          curl http://localhost:9091/transmission/rpc -d "$data" -H "X-Transmission-Session-Id: $sessionId"
        ''}
      '';
      preStop = ''
        wg-quick down /tmp/${cfg.interfaceName}.conf
        # The rest of the script is only for only for port forwarding skip if not needed
        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
        ${optionalString (cfg.forwardedPort != null) ''
          # stop redirecting the forwarded port
          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
        ''}
      '';
    };
    vpn-container.config.systemd.services.pia-vpn-wireguard-forward-port = {
      enable = portForwarding;
      description = "PIA VPN WireGuard Tunnel Port Forwarding";
      after = [ "pia-vpn-wireguard.service" ];
      requires = [ "pia-vpn-wireguard.service" ];
      path = with pkgs; [ curl ];
      serviceConfig = {
        Type = "oneshot";
      };
      script = refreshPIAPort;
    };
    vpn-container.config.systemd.timers.pia-vpn-wireguard-forward-port = {
      enable = portForwarding;
      partOf = [ "pia-vpn-wireguard-forward-port.service" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "*:0/10"; # 10 minutes
        RandomizedDelaySec = "1m"; # vary by 1 min to give PIA servers some relief
      };
    };
    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/ping.nix
+++ b/common/network/ping.nix
@@ -0,0 +1,59 @@
 { config, pkgs, lib, ... }:
 # keeps peer to peer connections alive with a periodic ping
 with lib;
 with builtins;
 # todo auto restart
 let
  cfg = config.keepalive-ping;
  serviceTemplate = host:
    {
      "keepalive-ping@${host}" = {
        description = "Periodic ping keep alive for ${host} connection";
        requires = [ "network-online.target" ];
        after = [ "network.target" "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig.Restart = "always";
        path = with pkgs; [ iputils ];
        script = ''
          ping -i ${cfg.delay} ${host} &>/dev/null
        '';
      };
    };
  combineAttrs = foldl recursiveUpdate { };
  serviceList = map serviceTemplate cfg.hosts;
  services = combineAttrs serviceList;
 in
 {
  options.keepalive-ping = {
    enable = mkEnableOption "Enable keep alive ping task";
    hosts = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Hosts to ping periodically
      '';
    };
    delay = mkOption {
      type = types.str;
      default = "60";
      description = ''
        Ping interval in seconds of periodic ping per host being pinged
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services = services;
  };
 }
--- a/common/network/tailscale.nix
+++ b/common/network/tailscale.nix
@@ -0,0 +1,20 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.services.tailscale;
 in
 {
  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
  config.services.tailscale.enable = mkDefault (!config.boot.isContainer);
  # MagicDNS
  config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ];
  config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
  # exit node
  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
  config.networking.ip_forward = mkIf cfg.exitNode true;
 }
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@@ -0,0 +1,106 @@
 { config, pkgs, lib, allModules, ... }:
 with lib;
 let
  cfg = config.vpn-container;
 in
 {
  options.vpn-container = {
    enable = mkEnableOption "Enable VPN container";
    containerName = mkOption {
      type = types.str;
      default = "vpn";
      description = ''
        Name of the VPN container.
      '';
    };
    mounts = mkOption {
      type = types.listOf types.str;
      default = [ "/var/lib" ];
      example = "/home/example";
      description = ''
        List of mounts on the host to bind to the vpn container.
      '';
    };
    useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
    config = mkOption {
      type = types.anything;
      default = { };
      example = ''
        {
          services.nginx.enable = true;
        }
      '';
      description = ''
        NixOS config for the vpn container.
      '';
    };
  };
  config = mkIf cfg.enable {
    pia.wireguard.enable = !cfg.useOpenVPN;
    pia.wireguard.forwardPortForTransmission = !cfg.useOpenVPN;
    containers.${cfg.containerName} = {
      ephemeral = true;
      autoStart = true;
      bindMounts = mkMerge ([{
        "/run/agenix" = {
          hostPath = "/run/agenix";
          isReadOnly = true;
        };
      }] ++ (lists.forEach cfg.mounts (mount:
        {
          "${mount}" = {
            hostPath = mount;
            isReadOnly = false;
          };
        }
      )));
      enableTun = cfg.useOpenVPN;
      privateNetwork = true;
      hostAddress = "172.16.100.1";
      localAddress = "172.16.100.2";
      config = {
        imports = allModules ++ [ cfg.config ];
        # networking.firewall.enable = mkForce false;
        networking.firewall.trustedInterfaces = [
          # completely trust internal interface to host
          "eth0"
        ];
        pia.openvpn.enable = cfg.useOpenVPN;
        pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
        # TODO fix so it does run it's own resolver again
        # run it's own DNS resolver
        networking.useHostResolvConf = false;
        # services.resolved.enable = true;
        networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
      };
    };
    # load secrets the container needs
    age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
    # forwarding for vpn container (only for OpenVPN)
    networking.nat.enable = mkIf cfg.useOpenVPN true;
    networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [
      "ve-${cfg.containerName}"
    ];
    networking.ip_forward = mkIf cfg.useOpenVPN true;
    # assumes only one potential interface
    networking.usePredictableInterfaceNames = false;
    networking.nat.externalInterface = "eth0";
  };
 }
--- a/common/network/vpnfailsafe.sh
+++ b/common/network/vpnfailsafe.sh
@@ -0,0 +1,187 @@
 #!/usr/bin/env bash
 set -eEo pipefail
 # $@ := ""
 set_route_vars() {
    local network_var
    local -a network_vars; read -ra network_vars <<<"${!route_network_*}"
    for network_var in "${network_vars[@]}"; do
        local -i i="${network_var#route_network_}"
        local -a vars=("route_network_$i" "route_netmask_$i" "route_gateway_$i" "route_metric_$i")
        route_networks[i]="${!vars[0]}"
        route_netmasks[i]="${!vars[1]:-255.255.255.255}"
        route_gateways[i]="${!vars[2]:-$route_vpn_gateway}"
        route_metrics[i]="${!vars[3]:-0}"
    done
 }
 # Configuration.
 readonly prog="$(basename "$0")"
 readonly private_nets="127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
 declare -a remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
 read -ra remotes <<<"$(env|grep -oP '^remote_[0-9]+=.*'|sort -n|cut -d= -f2|tr '\n' '\t')"
 read -ra cnf_remote_domains <<<"$(printf '%s\n' "${remotes[@]%%*[0-9]}"|sort -u|tr '\n' '\t')"
 read -ra cnf_remote_ips <<<"$(printf '%s\n' "${remotes[@]##*[!0-9.]*}"|sort -u|tr '\n' '\t')"
 set_route_vars
 read -ra numbered_vars <<<"${!foreign_option_*} ${!proto_*} ${!remote_*} ${!remote_port_*} \
                           ${!route_network_*} ${!route_netmask_*} ${!route_gateway_*} ${!route_metric_*}"
 readonly numbered_vars "${numbered_vars[@]}" dev ifconfig_local ifconfig_netmask ifconfig_remote \
         route_net_gateway route_vpn_gateway script_type trusted_ip trusted_port untrusted_ip untrusted_port \
         remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
 readonly cur_remote_ip="${trusted_ip:-$untrusted_ip}"
 readonly cur_port="${trusted_port:-$untrusted_port}"
 # $@ := ""
 update_hosts() {
    if remote_entries="$(getent -s dns hosts "${cnf_remote_domains[@]}"|grep -v :)"; then
        local -r beg="# VPNFAILSAFE BEGIN" end="# VPNFAILSAFE END"
        {
            sed -e "/^$beg/,/^$end/d" /etc/hosts
            echo -e "$beg\\n$remote_entries\\n$end"
        } >/etc/hosts.vpnfailsafe
        chmod --reference=/etc/hosts /etc/hosts.vpnfailsafe
        mv /etc/hosts.vpnfailsafe /etc/hosts
    fi
 }
 # $@ := "up" | "down"
 update_routes() {
    local -a resolved_ips
    read -ra resolved_ips <<<"$(getent -s files hosts "${cnf_remote_domains[@]:-ENOENT}"|cut -d' ' -f1|tr '\n' '\t' || true)"
    local -ar remote_ips=("$cur_remote_ip" "${resolved_ips[@]}" "${cnf_remote_ips[@]}")
    if [[ "$*" == up ]]; then
        for remote_ip in "${remote_ips[@]}"; do
            if [[ -n "$remote_ip" && -z "$(ip route show "$remote_ip")" ]]; then
                ip route add "$remote_ip" via "$route_net_gateway"
            fi
        done
        for net in 0.0.0.0/1 128.0.0.0/1; do
            if [[ -z "$(ip route show "$net")" ]]; then
                ip route add "$net" via "$route_vpn_gateway"
            fi
        done
        for i in $(seq 1 "${#route_networks[@]}"); do
            if [[ -z "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
                ip route add "${route_networks[i]}/${route_netmasks[i]}" \
                  via "${route_gateways[i]}" metric "${route_metrics[i]}" dev "$dev"
            fi
        done
    elif [[ "$*" == down ]]; then
        for route in "${remote_ips[@]}" 0.0.0.0/1 128.0.0.0/1; do
            if [[ -n "$route" && -n "$(ip route show "$route")" ]]; then
                ip route del "$route"
            fi
        done
        for i in $(seq 1 "${#route_networks[@]}"); do
            if [[ -n "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
                ip route del "${route_networks[i]}/${route_netmasks[i]}"
            fi
        done
    fi
 }
 # $@ := ""
 update_firewall() {
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    insert_chain() {
        if iptables -C "$*" -j "VPNFAILSAFE_$*" 2>/dev/null; then
            iptables -D "$*" -j "VPNFAILSAFE_$*"
            for opt in F X; do
                iptables -"$opt" "VPNFAILSAFE_$*"
            done
        fi
        iptables -N "VPNFAILSAFE_$*"
        iptables -I "$*" -j "VPNFAILSAFE_$*"
    }
    # $@ := "INPUT" | "OUTPUT"
    accept_remotes() {
        case "$@" in
            INPUT)  local -r icmp_type=reply   io=i sd=s states="";;
            OUTPUT) local -r icmp_type=request io=o sd=d states=NEW,;;
        esac
        local -r public_nic="$(ip route show "$cur_remote_ip"|cut -d' ' -f5)"
        local -ar suf=(-m conntrack --ctstate "$states"RELATED,ESTABLISHED -"$io" "${public_nic:?}" -j ACCEPT)
        icmp_rule() {
            iptables "$1" "$2" -p icmp --icmp-type "echo-$icmp_type" -"$sd" "$3" "${suf[@]/%ACCEPT/RETURN}"
        }
        for ((i=1; i <= ${#remotes[*]}; ++i)); do
            local port="remote_port_$i"
            local proto="proto_$i"
            iptables -A "VPNFAILSAFE_$*" -p "${!proto%-client}" -"$sd" "${remotes[i-1]}" --"$sd"port "${!port}" "${suf[@]}"
            if ! icmp_rule -C "VPNFAILSAFE_$*" "${remotes[i-1]}" 2>/dev/null; then
                icmp_rule -A "VPNFAILSAFE_$*" "${remotes[i-1]}"
            fi
        done
        if ! iptables -S|grep -q "^-A VPNFAILSAFE_$* .*-$sd $cur_remote_ip/32 .*-j ACCEPT$"; then
            for p in tcp udp; do
                iptables -A "VPNFAILSAFE_$*" -p "$p" -"$sd" "$cur_remote_ip" --"$sd"port "${cur_port}" "${suf[@]}"
            done
            icmp_rule -A "VPNFAILSAFE_$*" "$cur_remote_ip"
        fi
    }
    # $@ := "OUTPUT" | "FORWARD"
    reject_dns() {
        for proto in udp tcp; do
            iptables -A "VPNFAILSAFE_$*" -p "$proto" --dport 53 ! -o "$dev" -j REJECT
        done
    }
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    pass_private_nets() { 
        case "$@" in
            INPUT) local -r io=i sd=s;;&
            OUTPUT|FORWARD) local -r io=o sd=d;;&
            INPUT) local -r vpn="${ifconfig_remote:-$ifconfig_local}/${ifconfig_netmask:-32}"
               iptables -A "VPNFAILSAFE_$*" -"$sd" "$vpn" -"$io" "$dev" -j RETURN
               for i in $(seq 1 "${#route_networks[@]}"); do
                   iptables -A "VPNFAILSAFE_$*" -"$sd" "${route_networks[i]}/${route_netmasks[i]}" -"$io" "$dev" -j RETURN
               done;;&
            *) iptables -A "VPNFAILSAFE_$*" -"$sd" "$private_nets" ! -"$io" "$dev" -j RETURN;;&
            INPUT) iptables -A "VPNFAILSAFE_$*" -s "$private_nets" -i "$dev" -j DROP;;&
            *) for iface in "$dev" lo+; do
                   iptables -A "VPNFAILSAFE_$*" -"$io" "$iface" -j RETURN
               done;;
        esac
    }
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    drop_other() {
        iptables -A "VPNFAILSAFE_$*" -j DROP
    }
    for chain in INPUT OUTPUT FORWARD; do
        insert_chain "$chain"
        [[ $chain == FORWARD ]] || accept_remotes "$chain"
        [[ $chain == INPUT ]] || reject_dns "$chain"
        pass_private_nets "$chain"
        drop_other "$chain"
    done
 }
 # $@ := ""
 cleanup() {
    update_resolv down
    update_routes down
 }
 trap cleanup INT TERM
 # $@ := line_number exit_code
 err_msg() {
    echo "$0:$1: \`$(sed -n "$1,+0{s/^\\s*//;p}" "$0")' returned $2" >&2
    cleanup
 }
 trap 'err_msg "$LINENO" "$?"' ERR
 # $@ := ""
 main() {
    case "${script_type:-down}" in
        up) for f in hosts routes firewall; do "update_$f" up; done;;
        down) update_routes down
              update_resolv down;;
    esac
 }
 main
--- a/common/nix-builder.nix
+++ b/common/nix-builder.nix
@@ -0,0 +1,60 @@
 { config, lib, ... }:
 let
  builderRole = "nix-builder";
  builderUserName = "nix-builder";
  machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
  otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
  thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
  builders = machinesByRole builderRole;
  thisMachineIsABuilder = thisMachineHasRole builderRole;
  # builders don't include themselves as a remote builder
  otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
 in
 lib.mkMerge [
  # configure builder
  (lib.mkIf thisMachineIsABuilder {
    users.users.${builderUserName} = {
      description = "Distributed Nix Build User";
      group = builderUserName;
      isSystemUser = true;
      createHome = true;
      home = "/var/lib/nix-builder";
      useDefaultShell = true;
      openssh.authorizedKeys.keys = builtins.map
        (builderCfg: builderCfg.hostKey)
        (builtins.attrValues config.machines.hosts);
    };
    users.groups.${builderUserName} = { };
    nix.settings.trusted-users = [
      builderUserName
    ];
  })
  # use each builder
  {
    nix.distributedBuilds = true;
    nix.buildMachines = builtins.map
      (builderCfg: {
        hostName = builtins.elemAt builderCfg.hostNames 0;
        system = builderCfg.arch;
        protocol = "ssh-ng";
        sshUser = builderUserName;
        sshKey = "/etc/ssh/ssh_host_ed25519_key";
        maxJobs = 3;
        speedFactor = 10;
        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
      })
      (builtins.attrValues otherBuilders);
    # It is very likely that the builder's internet is faster or just as fast
    nix.extraOptions = ''
      builders-use-substitutes = true
    '';
  }
 ]
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # enable pulseaudio support for packages
    nixpkgs.config.pulseaudio = true;
@@ -16,45 +17,6 @@ in {
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
      # use the example session manager (no others are packaged yet so this is enabled by default,
      # no need to redefine it in your config for now)
      #media-session.enable = true;
      config.pipewire = {
        "context.objects" = [
          {
            # A default dummy driver. This handles nodes marked with the "node.always-driver"
            # properyty when no other driver is currently active. JACK clients need this.
            factory = "spa-node-factory";
            args = {
              "factory.name"     = "support.node.driver";
              "node.name"        = "Dummy-Driver";
              "priority.driver"  = 8000;
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Microphone-Proxy";
              "node.description" = "Microphone";
              "media.class"      = "Audio/Source/Virtual";
              "audio.position"   = "MONO";
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Main-Output-Proxy";
              "node.description" = "Main Output";
              "media.class"      = "Audio/Sink";
              "audio.position"   = "FL,FR";
            };
          }
        ];
      };
    };
    users.users.googlebot.extraGroups = [ "audio" ];
--- a/common/pc/chromium.nix
+++ b/common/pc/chromium.nix
@@ -17,39 +17,8 @@ let
      "PREFIX=$(out)"
    ];
  };
-
+in
-  nvidia-vaapi-driver = pkgs.stdenv.mkDerivation rec {
+{
    pname = "nvidia-vaapi-driver";
    version = "0.0.5";
    src = pkgs.fetchFromGitHub {
      owner = "elFarto";
      repo = pname;
      rev = "v${version}";
      sha256 = "2bycqKolVoaHK64XYcReteuaON9TjzrFhaG5kty28YY=";
    };
    patches = [
      ./use-meson-v57.patch
    ];
    nativeBuildInputs = with pkgs; [
      meson
      cmake
      ninja
      pkg-config
    ];
    buildInputs = with pkgs; [
      nv-codec-headers-11-1-5-1
      libva
      gst_all_1.gstreamer
      gst_all_1.gst-plugins-bad
      libglvnd
    ];
  };
 in {
  config = lib.mkIf cfg.enable {
    # chromium with specific extensions + settings
    programs.chromium = {
@@ -60,6 +29,9 @@ in {
        "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
        "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
        "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
        "mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
        "dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
        # "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
      ];
      extraOpts = {
        "BrowserSignin" = 0;
@@ -76,10 +48,11 @@ in {
    nixpkgs.config.packageOverrides = pkgs: {
      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
      chromium = pkgs.chromium.override {
        gnomeKeyringSupport = true;
        enableWideVine = true;
        # ungoogled = true;
-        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video --enable-native-gpu-memory-buffers --enable-gpu-rasterization";
+        # --enable-native-gpu-memory-buffers # fails on AMD APU
        # --enable-webrtc-vp9-support
        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video  --enable-gpu-rasterization";
      };
    };
    # todo vulkan in chrome
--- a/common/pc/default.nix
+++ b/common/pc/default.nix
@@ -2,21 +2,24 @@
 let
  cfg = config.de;
-in {
+in
 {
  imports = [
    ./kde.nix
-    ./xfce.nix
+    #    ./xfce.nix
    ./yubikey.nix
    ./chromium.nix
-#    ./firefox.nix
+    ./firefox.nix
    ./audio.nix
    #    ./torbrowser.nix
    ./pithos.nix
    ./spotify.nix
    ./vscodium.nix
    ./discord.nix
    ./steam.nix
    ./touchpad.nix
    ./mount-samba.nix
    ./udev.nix
    ./virtualisation.nix
  ];
  options.de = {
@@ -35,15 +38,24 @@ in {
      mumble
      tigervnc
      bluez-tools
      vscodium
      element-desktop
      mpv
      nextcloud-client
      signal-desktop
      minecraft
      sauerbraten
      gnome.file-roller
      gparted
      libreoffice-fresh
      thunderbird
      spotify
      arduino
      yt-dlp
      jellyfin-media-player
      joplin-desktop
      config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
      lxqt.pavucontrol-qt
      barrier
      # For Nix IDE
      nixpkgs-fmt
    ];
    # Networking
@@ -52,9 +64,30 @@ in {
    # Printing
    services.printing.enable = true;
    services.printing.drivers = with pkgs; [
      gutenprint
    ];
    # Printer discovery
    services.avahi.enable = true;
    services.avahi.nssmdns4 = true;
    programs.file-roller.enable = true;
    # Security
    services.gnome.gnome-keyring.enable = true;
    security.pam.services.googlebot.enableGnomeKeyring = true;
    # Android dev
    programs.adb.enable = true;
    # Mount personal SMB stores
    services.mount-samba.enable = true;
    # allow building ARM derivations
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    # for luks onlock over tor
    services.tor.enable = true;
    services.tor.client.enable = true;
  };
 }
--- a/common/pc/discord.nix
+++ b/common/pc/discord.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    users.users.googlebot.packages = [
      pkgs.discord
--- a/common/pc/firefox.nix
+++ b/common/pc/firefox.nix
@@ -20,31 +20,6 @@ let
  };
  firefox = pkgs.wrapFirefox somewhatPrivateFF {
   desktopName = "Sneed Browser";
    nixExtensions = [
      (pkgs.fetchFirefoxAddon {
        name = "ublock-origin";
        url = "https://addons.mozilla.org/firefox/downloads/file/3719054/ublock_origin-1.33.2-an+fx.xpi";
        sha256 = "XDpe9vW1R1iVBTI4AmNgAg1nk7BVQdIAMuqd0cnK5FE=";
      })
      (pkgs.fetchFirefoxAddon {
        name = "sponsorblock";
        url = "https://addons.mozilla.org/firefox/downloads/file/3720594/sponsorblock_skip_sponsorships_on_youtube-2.0.12.3-an+fx.xpi";
        sha256 = "HRtnmZWyXN3MKo4AvSYgNJGkBEsa2RaMamFbkz+YzQg=";
      })
      (pkgs.fetchFirefoxAddon {
        name = "KeePassXC-Browser";
        url = "https://addons.mozilla.org/firefox/downloads/file/3720664/keepassxc_browser-1.7.6-fx.xpi";
        sha256 = "3K404/eq3amHhIT0WhzQtC892he5I0kp2SvbzE9dbZg=";
      })
      (pkgs.fetchFirefoxAddon {
        name = "https-everywhere";
        url = "https://addons.mozilla.org/firefox/downloads/file/3716461/https_everywhere-2021.1.27-an+fx.xpi";
        sha256 = "2gSXSLunKCwPjAq4Wsj0lOeV551r3G+fcm1oeqjMKh8=";
      })
    ];
    extraPolicies = {
      CaptivePortal = false;
      DisableFirefoxStudies = true;
@@ -74,12 +49,6 @@ let
        ExtensionRecommendations = false;
        SkipOnboarding = true;
      };
      WebsiteFilter = {
        Block = [
          "http://paradigminteractive.io/"
          "https://paradigminteractive.io/"
        ];
      };
    };
    extraPrefs = ''
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
@@ -2,19 +2,19 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
-    # kde plasma
+    services.displayManager.sddm.enable = true;
-    services.xserver = {
+    services.displayManager.sddm.wayland.enable = true;
-      enable = true;
+    services.desktopManager.plasma6.enable = true;
      desktopManager.plasma5.enable = true;
      displayManager.sddm.enable = true;
    };
    # kde apps
    nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true;
    users.users.googlebot.packages = with pkgs; [
-      akonadi kmail plasma5Packages.kmail-account-wizard
+      # akonadi
      # kmail
      # plasma5Packages.kmail-account-wizard
      kate
    ];
  };
 }
--- a/common/pc/mount-samba.nix
+++ b/common/pc/mount-samba.nix
@@ -0,0 +1,50 @@
 # mounts the samba share on s0 over tailscale
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.mount-samba;
  # prevents hanging on network split and other similar niceties to ensure a stable connection
  network_opts = "nostrictsync,cache=strict,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend,fsc";
  systemd_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
  user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
  auth_opts = "sec=ntlmv2i,credentials=/run/agenix/smb-secrets";
  version_opts = "vers=3.1.1";
  public_user_opts = "gid=${toString config.users.groups.users.gid}";
  opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}";
 in
 {
  options.services.mount-samba = {
    enable = lib.mkEnableOption "enable mounting samba shares";
  };
  config = lib.mkIf (cfg.enable && config.services.tailscale.enable) {
    fileSystems."/mnt/public" = {
      device = "//s0.koi-bebop.ts.net/public";
      fsType = "cifs";
      options = [ "${opts},${public_user_opts}" ];
    };
    fileSystems."/mnt/private" = {
      device = "//s0.koi-bebop.ts.net/googlebot";
      fsType = "cifs";
      options = [ opts ];
    };
    age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
    environment.shellAliases = {
      # remount storage
      remount_public = "sudo systemctl restart mnt-public.mount";
      remount_private = "sudo systemctl restart mnt-private.mount";
      # Encrypted Vault
      vault_unlock = "${pkgs.gocryptfs}/bin/gocryptfs /mnt/private/.vault/ /mnt/vault/";
      vault_lock = "umount /mnt/vault/";
    };
  };
 }
--- a/common/pc/pithos.nix
+++ b/common/pc/pithos.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
--- a/common/pc/spotify.nix
+++ b/common/pc/spotify.nix
@@ -1,84 +0,0 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.spotifyd;
  toml = pkgs.formats.toml {};
  spotifydConf = toml.generate "spotify.conf" cfg.settings;
 in
 {
  disabledModules = [
    "services/audio/spotifyd.nix"
  ];
  options = {
    services.spotifyd = {
      enable = mkEnableOption "spotifyd, a Spotify playing daemon";
      settings = mkOption {
        default = {};
        type = toml.type;
        example = { global.bitrate = 320; };
        description = ''
          Configuration for Spotifyd. For syntax and directives, see
          <link xlink:href="https://github.com/Spotifyd/spotifyd#Configuration"/>.
        '';
      };
      users = mkOption {
        type = with types; listOf str;
        default = [];
        description = ''
          Usernames to be added to the "spotifyd" group, so that they
          can start and interact with the userspace daemon.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    # username specific stuff because i'm lazy...
    services.spotifyd.users = [ "googlebot" ];
    users.users.googlebot.packages = with pkgs; [
      spotify
      spotify-tui
    ];
    users.groups.spotifyd = {
      members = cfg.users;
    };
    age.secrets.spotifyd = {
      file = ../../secrets/spotifyd.age;
      group = "spotifyd";
    };
    # spotifyd to read secrets and run as user service
    services.spotifyd = {
      settings.global = {
        username_cmd = "sed '1q;d' /run/agenix/spotifyd";
        password_cmd = "sed '2q;d' /run/agenix/spotifyd";
        bitrate = 320;
        backend = "pulseaudio";
        device_name = config.networking.hostName;
        device_type = "computer";
        # on_song_change_hook = "command_to_run_on_playback_events"
        autoplay = true;
      };
    };
    systemd.user.services.spotifyd-daemon = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" "sound.target" ];
      description = "spotifyd, a Spotify playing daemon";
      environment.SHELL = "/bin/sh";
      serviceConfig = {
        ExecStart = "${pkgs.spotifyd}/bin/spotifyd --no-daemon --config-path ${spotifydConf}";
        Restart = "always";
        CacheDirectory = "spotifyd";
      };
    };
  };
 }
--- a/common/pc/steam.nix
+++ b/common/pc/steam.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    programs.steam.enable = true;
    hardware.steam-hardware.enable = true; # steam controller
--- a/common/pc/torbrowser.nix
+++ b/common/pc/torbrowser.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
--- a/common/pc/touchpad.nix
+++ b/common/pc/touchpad.nix
@@ -2,13 +2,14 @@
 let
  cfg = config.de.touchpad;
-in {
+in
 {
  options.de.touchpad = {
    enable = lib.mkEnableOption "enable touchpad";
  };
  config = lib.mkIf cfg.enable {
-    services.xserver.libinput.enable = true;
+    services.libinput.enable = true;
-    services.xserver.libinput.touchpad.naturalScrolling = true;
+    services.libinput.touchpad.naturalScrolling = true;
  };
 }
--- a/common/pc/udev.nix
+++ b/common/pc/udev.nix
@@ -0,0 +1,25 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.de;
 in
 {
  config = lib.mkIf cfg.enable {
    services.udev.extraRules = ''
      # depthai
      SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
      # Moonlander
      # Rules for Oryx web flashing and live training
      KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
      KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
      # Wally Flashing rules for the Moonlander and Planck EZ
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
    '';
    services.udev.packages = [ pkgs.platformio ];
    users.groups.plugdev = {
      members = [ "googlebot" ];
    };
  };
 }
--- a/common/pc/use-meson-v57.patch
+++ b/common/pc/use-meson-v57.patch
@@ -1,22 +0,0 @@
 diff --git a/meson.build b/meson.build
 index dace367..8c0e290 100644
 --- a/meson.build
 +++ b/meson.build
@@ -8,7 +8,7 @@ project(
         'warning_level=0',
     ],
     license: 'MIT',
 -    meson_version: '>= 0.58.0',
 +    meson_version: '>= 0.57.0',
 )
 cc = meson.get_compiler('c')
@@ -47,8 +47,3 @@ shared_library(
     gnu_symbol_visibility: 'hidden',
 )
 -meson.add_devenv(environment({
 -    'NVD_LOG': '1',
 -    'LIBVA_DRIVER_NAME': 'nvidia',
 -    'LIBVA_DRIVERS_PATH': meson.project_build_root(),
 -}))
--- a/common/pc/virtualisation.nix
+++ b/common/pc/virtualisation.nix
@@ -0,0 +1,23 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.de;
 in
 {
  config = lib.mkIf cfg.enable {
    # AppVMs
    virtualisation.appvm.enable = true;
    virtualisation.appvm.user = "googlebot";
    # Use podman instead of docker
    virtualisation.podman.enable = true;
    virtualisation.podman.dockerCompat = true;
    # virt-manager
    virtualisation.libvirtd.enable = true;
    programs.dconf.enable = true;
    virtualisation.spiceUSBRedirection.enable = true;
    environment.systemPackages = with pkgs; [ virt-manager ];
    users.users.googlebot.extraGroups = [ "libvirtd" "adbusers" ];
  };
 }
--- a/common/pc/vscodium.nix
+++ b/common/pc/vscodium.nix
@@ -4,8 +4,20 @@ let
  cfg = config.de;
  extensions = with pkgs.vscode-extensions; [
-#    bbenoist.Nix # nix syntax support
+    bbenoist.nix # nix syntax support
-#    arrterian.nix-env-selector  # nix dev envs
+    arrterian.nix-env-selector # nix dev envs
    dart-code.dart-code
    dart-code.flutter
    golang.go
    jnoortheen.nix-ide
    ms-vscode.cpptools
  ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
    {
      name = "platformio-ide";
      publisher = "platformio";
      version = "3.1.1";
      sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
    }
  ];
  vscodium-with-extensions = pkgs.vscode-with-extensions.override {
--- a/common/pc/xfce.nix
+++ b/common/pc/xfce.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    services.xserver = {
      enable = true;
--- a/common/pc/yubikey.nix
+++ b/common/pc/yubikey.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # yubikey
    services.pcscd.enable = true;
--- a/common/pia.nix
+++ b/common/pia.nix
@@ -1,98 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.pia;
 in
 {
  options.pia = {
    enable = lib.mkEnableOption "Enable private internet access";
  };
  config = lib.mkIf cfg.enable {
    services.openvpn = {
      servers = {
        us-east = {
          config = ''
 client
 dev tun
 proto udp
 remote us-washingtondc.privacy.network 1198
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 cipher aes-128-cbc
 auth sha1
 tls-client
 remote-cert-tls server
 auth-user-pass
 compress
 verb 1
 reneg-sec 0
 <crl-verify>
 -----BEGIN X509 CRL-----
 MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
 EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
 cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
 HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
 ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
 aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
 MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
 9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
 jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
 B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
 ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
 5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
 MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
 -----END X509 CRL-----
 </crl-verify>
 <ca>
 -----BEGIN CERTIFICATE-----
 MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
 VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
 BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
 dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
 IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
 FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
 MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
 EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
 QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
 AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
 ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
 bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
 L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
 lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
 cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
 8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
 /5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
 OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
 y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
 sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
 b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
 A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
 SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
 czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
 b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
 a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
 ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
 7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
 GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
 1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
 YDQ8z9v+DMO6iwyIDRiU
 -----END CERTIFICATE-----
 </ca>
 disable-occ
 auth-user-pass /run/secrets/pia-login.conf
          '';
          autoStart = true;
 #          up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
 #          down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
        };
      };
    };
    age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
  };
 }
--- a/common/server/actualbudget.nix
+++ b/common/server/actualbudget.nix
@@ -0,0 +1,87 @@
 # Starting point:
 # https://github.com/aldoborrero/mynixpkgs/commit/c501c1e32dba8f4462dcecb57eee4b9e52038e27
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.actual-server;
  stateDir = "/var/lib/${cfg.stateDirName}";
 in
 {
  options.services.actual-server = {
    enable = lib.mkEnableOption "Actual Server";
    hostname = lib.mkOption {
      type = lib.types.str;
      default = "localhost";
      description = "Hostname for the Actual Server.";
    };
    port = lib.mkOption {
      type = lib.types.int;
      default = 25448;
      description = "Port on which the Actual Server should listen.";
    };
    stateDirName = lib.mkOption {
      type = lib.types.str;
      default = "actual-server";
      description = "Name of the directory under /var/lib holding the server's data.";
    };
    upload = {
      fileSizeSyncLimitMB = lib.mkOption {
        type = lib.types.nullOr lib.types.int;
        default = null;
        description = "File size limit in MB for synchronized files.";
      };
      syncEncryptedFileSizeLimitMB = lib.mkOption {
        type = lib.types.nullOr lib.types.int;
        default = null;
        description = "File size limit in MB for synchronized encrypted files.";
      };
      fileSizeLimitMB = lib.mkOption {
        type = lib.types.nullOr lib.types.int;
        default = null;
        description = "File size limit in MB for file uploads.";
      };
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services.actual-server = {
      description = "Actual Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.actual-server}/bin/actual-server";
        Restart = "always";
        StateDirectory = cfg.stateDirName;
        WorkingDirectory = stateDir;
        DynamicUser = true;
        UMask = "0007";
      };
      environment = {
        NODE_ENV = "production";
        ACTUAL_PORT = toString cfg.port;
        # Actual is actually very bad at configuring it's own paths despite that information being readily available
        ACTUAL_USER_FILES = "${stateDir}/user-files";
        ACTUAL_SERVER_FILES = "${stateDir}/server-files";
        ACTUAL_DATA_DIR = stateDir;
        ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeSyncLimitMB or "");
        ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SIZE_LIMIT_MB = toString (cfg.upload.syncEncryptedFileSizeLimitMB or "");
        ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeLimitMB or "");
      };
    };
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://localhost:${toString cfg.port}";
    };
  };
 }
--- a/common/server/archivebox/composition.nix
+++ b/common/server/archivebox/composition.nix
@@ -1,17 +0,0 @@
 # This file has been generated by node2nix 1.9.0. Do not edit!
 {pkgs ? import <nixpkgs> {
    inherit system;
  }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
 let
  nodeEnv = import ./node-env.nix {
    inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
    inherit pkgs nodejs;
    libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
  };
 in
 import ./node-packages.nix {
  inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
  inherit nodeEnv;
 }
--- a/common/server/archivebox/default.nix
+++ b/common/server/archivebox/default.nix
@@ -1,456 +0,0 @@
 { pkgs, lib, config, ... }:
 # TODO pocket integration (POCKET_CONSUMER_KEY, POCKET_ACCESS_TOKENS)
 # TODO fix http timeout?
 let
  cfg = config.services.archivebox;
  archiveboxPkgs = import ./composition.nix { inherit pkgs; };
  mercury-parser = archiveboxPkgs."@postlight/mercury-parser";
  readability-extractor = archiveboxPkgs."readability-extractor-git+https://github.com/ArchiveBox/readability-extractor.git";
  single-file = archiveboxPkgs."single-file-git+https://github.com/gildas-lormeau/SingleFile.git";
 in {
  options.services.archivebox = {
    enable = lib.mkEnableOption "Enable ArchiveBox";
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/archivebox";
      description = ''
        Path to the archivebox data directory
      '';
    };
    listenAddress = lib.mkOption {
      type = lib.types.str;
      default = "localhost";
      example = "127.0.0.1";
      description = ''
        The address archivebox should listen to
      '';
    };
    listenPort = lib.mkOption {
      type = lib.types.int;
      default = 37226;
      example = 1357;
      description = ''
        The port archivebox should listen on
      '';
    };
    hostname = lib.mkOption {
      type = lib.types.str;
      example = "example.com";
    };
    enableACME = lib.mkEnableOption "Enable ACME + SSL";
    user = lib.mkOption {
      type = lib.types.str;
      default = "archivebox";
      description = ''
        The user archivebox should run as
      '';
    };
    group = lib.mkOption {
      type = lib.types.str;
      default = "archivebox";
      description = ''
        The group archivebox should run as
      '';
    };
    timeout = lib.mkOption {
      type = lib.types.int;
      default = 60;
      example = 120;
      description = ''
        Maximum allowed download time per archive method for each link in seconds
      '';
    };
    snapshotsPerPage = lib.mkOption {
      type = lib.types.int;
      default = 40;
      example = 100;
      description = ''
        Maximum number of Snapshots to show per page on Snapshot list pages
      '';
    };
    footerInfo = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "Content is hosted for personal archiving purposes only. Contact server owner for any takedown requests.";
      description = ''
        Some text to display in the footer of the archive index.
        Useful for providing server admin contact info to respond to takedown requests.
      '';
    };
    urlBlacklist = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "\\.(css|js|otf|ttf|woff|woff2|gstatic\\.com|googleapis\\.com/css)(\\?.*)?$";
      description = ''
        A regex expression used to exclude certain URLs from archiving.
      '';
    };
    urlWhitelist = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "^http(s)?:\\/\\/(.+)?example\\.com\\/?.*$";
      description = ''
        A regex expression used to exclude all URLs that don't match the given pattern from archiving
      '';
    };
    saveTitle = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save the title of the webpage
      '';
    };
    saveFavicon = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save the favicon of the webpage
      '';
    };
    saveWget = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save the webpage with wget
      '';
    };
    saveWgetRequisites = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch images/css/js with wget. (True is highly recommended, otherwise your won't download many critical assets to render the page, like images, js, css, etc.)
      '';
    };
    wgetUserAgent = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        This is the user agent to use during wget archiving.
      '';
    };
    wgetCookiesFile = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        Cookies file to pass to wget. To capture sites that require a user to be logged in,
        you can specify a path to a netscape-format cookies.txt file for wget to use.
      '';
    };
    saveWARC = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save a timestamped WARC archive of all the page requests and responses during the wget archive process.
      '';
    };
    savePDF = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Print page as PDF. (Uses chromium)
      '';
    };
    saveScreenshot = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch a screenshot of the page. (Uses chromium)
      '';
    };
    screenshotResolution = lib.mkOption {
      type = lib.types.str;
      default = "1440,2000";
      example = "1024,768";
      description = ''
        Screenshot resolution in pixels width,height.
      '';
    };
    saveDOM = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch a DOM dump of the page. (Uses chromium)
      '';
    };
    saveHeaders = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save the webpage's response headers
      '';
    };
    saveSingleFile = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch an HTML file with all assets embedded using Single File. (Uses chromium) https://github.com/gildas-lormeau/SingleFile
      '';
    };
    saveReadability = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Extract article text, summary, and byline using Mozilla's Readability library. https://github.com/mozilla/readability
        Unlike the other methods, this does not download any additional files, so it's practically free from a disk usage perspective.
      '';
    };
    saveMercury = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Extract article text, summary, and byline using the Mercury library. https://github.com/postlight/mercury-parser
        Unlike the other methods, this does not download any additional files, so it's practically free from a disk usage perspective.
      '';
    };
    saveGit = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch any git repositories on the page.
      '';
    };
    gitDomains = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "git.example.com";
      description = ''
        Domains to attempt download of git repositories on using `git clone`
      '';
    };
    saveMedia = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch all audio, video, annotations, and media metadata on the page using `yt-dlp`.
        Warning, this can use up a lot of storage very quickly.
      '';
    };
    mediaTimeout = lib.mkOption {
      type = lib.types.int;
      default = 3600;
      example = 120;
      description = ''
        Maximum allowed download time for fetching media
      '';
    };
    mediaMaxSize = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "750m";
      description = ''
        Maxium size of media to download
      '';
    };
    saveArchiveDotOrg = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Submit the page's URL to be archived on Archive.org. (The Internet Archive)
      '';
    };
    checkSSLCert = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to enforce HTTPS certificate and HSTS chain of trust when archiving sites. 
        Set this to False if you want to archive pages even if they have expired or invalid certificates. 
        Be aware that when False you cannot guarantee that you have not been man-in-the-middle'd while archiving content.
      '';
    };
    curlUserAgent = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        This is the user agent to use during curl archiving.
      '';
    };
    chromiumUserAgent = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        This is the user agent to use during Chromium headless archiving.
      '';
    };
    chromiumUserDataDir = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        Path to a Chrome user profile directory.
      '';
    };
    publicCreateSnapshots = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Anon users can add URLs to be archived
      '';
    };
    publicViewSnapshots = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Anon users can view archived pages
      '';
    };
    publicViewIndex = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Anon users can view the archive index
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = cfg.enableACME;
      forceSSL = cfg.enableACME;
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.listenPort}";
      };
    };
    users.users.${cfg.user} =
    if cfg.user == "archivebox" then {
      isSystemUser = true;
      group = cfg.group;
      home = cfg.dataDir;
      createHome = true;
    }
    else {};
    users.groups.${cfg.group} = {};
    systemd.services.archivebox = {
      enable = true;
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig.ExecStart = "${pkgs.archivebox}/bin/archivebox server";
      serviceConfig.PrivateTmp="yes";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
      environment = let
        boolToStr = bool: if bool then "true" else "false";
        useCurl = cfg.saveArchiveDotOrg || cfg.saveFavicon || cfg.saveHeaders || cfg.saveTitle;
        useGit = cfg.saveGit;
        useWget = cfg.saveWget;
        useSinglefile = cfg.saveSingleFile;
        useReadability = cfg.saveReadability;
        useMercury = cfg.saveMercury;
        useYtdlp = cfg.saveMedia;
        useChromium = cfg.saveDOM || cfg.savePDF || cfg.saveScreenshot || cfg.saveSingleFile;
      in {
        SAVE_TITLE = boolToStr cfg.saveTitle;
        SAVE_FAVICON = boolToStr cfg.saveFavicon;
        SAVE_WGET = boolToStr cfg.saveWget;
        SAVE_WGET_REQUISITES = boolToStr cfg.saveWgetRequisites;
        SAVE_SINGLEFILE = boolToStr cfg.saveSingleFile;
        SAVE_READABILITY = boolToStr cfg.saveReadability;
        SAVE_MERCURY = boolToStr cfg.saveMercury;
        SAVE_PDF = boolToStr cfg.savePDF;
        SAVE_SCREENSHOT = boolToStr cfg.saveScreenshot;
        SAVE_DOM = boolToStr cfg.saveDOM;
        SAVE_HEADERS = boolToStr cfg.saveHeaders;
        SAVE_WARC = boolToStr cfg.saveWARC;
        SAVE_GIT = boolToStr cfg.saveGit;
        SAVE_MEDIA = boolToStr cfg.saveMedia;
        SAVE_ARCHIVE_DOT_ORG = boolToStr cfg.saveArchiveDotOrg;
        TIMEOUT = toString cfg.timeout;
        MEDIA_TIMEOUT = toString cfg.mediaTimeout;
        URL_BLACKLIST = cfg.urlBlacklist;
        URL_WHITELIST = cfg.urlWhitelist;
        BIND_ADDR = "${cfg.listenAddress}:${toString cfg.listenPort}";
        PUBLIC_INDEX = boolToStr cfg.publicViewIndex;
        PUBLIC_SNAPSHOTS = boolToStr cfg.publicViewSnapshots;
        PUBLIC_ADD_VIEW = boolToStr cfg.publicCreateSnapshots;
        FOOTER_INFO = cfg.footerInfo;
        SNAPSHOTS_PER_PAGE = toString cfg.snapshotsPerPage;
        RESOLUTION = cfg.screenshotResolution;
        GIT_DOMAINS = cfg.gitDomains;
        CHECK_SSL_VALIDITY = boolToStr cfg.checkSSLCert;
        MEDIA_MAX_SIZE = cfg.mediaMaxSize;
        CURL_USER_AGENT = cfg.curlUserAgent;
        WGET_USER_AGENT = cfg.wgetUserAgent;
        CHROME_USER_AGENT = cfg.chromiumUserAgent;
        COOKIES_FILE = cfg.wgetCookiesFile;
        CHROME_USER_DATA_DIR = cfg.chromiumUserDataDir;
        CURL_BINARY = if useCurl then "${pkgs.curl}/bin/curl" else null;
        GIT_BINARY = if useGit then "${pkgs.git}/bin/git" else null;
        WGET_BINARY = if useWget then "${pkgs.wget}/bin/wget" else null;
        SINGLEFILE_BINARY = if useSinglefile then "${single-file}/bin/single-file" else null;
        READABILITY_BINARY = if useReadability then "${readability-extractor}/bin/readability-extractor" else null;
        MERCURY_BINARY = if useMercury then "${mercury-parser}/bin/mercury-parser" else null;
        YOUTUBEDL_BINARY = if useYtdlp then "${pkgs.yt-dlp}/bin/yt-dlp" else null;
        NODE_BINARY = "${pkgs.nodejs}/bin/nodejs"; # is this really needed? Nix already includes nodejs inside packages where needed
        RIPGREP_BINARY = "${pkgs.ripgrep}/bin/rg";
        CHROME_BINARY = if useChromium then "${pkgs.chromium}/bin/chromium-browser" else null;
        USE_CURL = boolToStr useCurl;
        USE_WGET = boolToStr useWget;
        USE_SINGLEFILE = boolToStr useSinglefile;
        USE_READABILITY = boolToStr useReadability;
        USE_MERCURY = boolToStr useMercury;
        USE_GIT = boolToStr useGit;
        USE_CHROME = boolToStr useChromium;
        USE_YOUTUBEDL = boolToStr useYtdlp;
        USE_RIPGREP = boolToStr true;
        OUTPUT_DIR = cfg.dataDir;
      };
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
        # initalize/migrate data directory
        cd ${cfg.dataDir}
        ${pkgs.archivebox}/bin/archivebox init
      '';
    };
  };
 }
--- a/common/server/archivebox/generate.sh
+++ b/common/server/archivebox/generate.sh
@@ -1,3 +0,0 @@
 #!/usr/bin/env bash
 rm -f ./node-env.nix
 nix run nixpkgs#nodePackages.node2nix -- -i node-packages.json -o node-packages.nix -c composition.nix --no-out-link
--- a/common/server/archivebox/node-env.nix
+++ b/common/server/archivebox/node-env.nix
@@ -1,588 +0,0 @@
 # This file originates from node2nix
 {lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}:
 let
  # Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
  utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux;
  python = if nodejs ? python then nodejs.python else python2;
  # Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
  tarWrapper = runCommand "tarWrapper" {} ''
    mkdir -p $out/bin
    cat > $out/bin/tar <<EOF
    #! ${stdenv.shell} -e
    $(type -p tar) "\$@" --warning=no-unknown-keyword --delay-directory-restore
    EOF
    chmod +x $out/bin/tar
  '';
  # Function that generates a TGZ file from a NPM project
  buildNodeSourceDist =
    { name, version, src, ... }:
    stdenv.mkDerivation {
      name = "node-tarball-${name}-${version}";
      inherit src;
      buildInputs = [ nodejs ];
      buildPhase = ''
        export HOME=$TMPDIR
        tgzFile=$(npm pack | tail -n 1) # Hooks to the pack command will add output (https://docs.npmjs.com/misc/scripts)
      '';
      installPhase = ''
        mkdir -p $out/tarballs
        mv $tgzFile $out/tarballs
        mkdir -p $out/nix-support
        echo "file source-dist $out/tarballs/$tgzFile" >> $out/nix-support/hydra-build-products
      '';
    };
  # Common shell logic
  installPackage = writeShellScript "install-package" ''
    installPackage() {
      local packageName=$1 src=$2
      local strippedName
      local DIR=$PWD
      cd $TMPDIR
      unpackFile $src
      # Make the base dir in which the target dependency resides first
      mkdir -p "$(dirname "$DIR/$packageName")"
      if [ -f "$src" ]
      then
          # Figure out what directory has been unpacked
          packageDir="$(find . -maxdepth 1 -type d | tail -1)"
          # Restore write permissions to make building work
          find "$packageDir" -type d -exec chmod u+x {} \;
          chmod -R u+w "$packageDir"
          # Move the extracted tarball into the output folder
          mv "$packageDir" "$DIR/$packageName"
      elif [ -d "$src" ]
      then
          # Get a stripped name (without hash) of the source directory.
          # On old nixpkgs it's already set internally.
          if [ -z "$strippedName" ]
          then
              strippedName="$(stripHash $src)"
          fi
          # Restore write permissions to make building work
          chmod -R u+w "$strippedName"
          # Move the extracted directory into the output folder
          mv "$strippedName" "$DIR/$packageName"
      fi
      # Change to the package directory to install dependencies
      cd "$DIR/$packageName"
    }
  '';
  # Bundle the dependencies of the package
  #
  # Only include dependencies if they don't exist. They may also be bundled in the package.
  includeDependencies = {dependencies}:
    lib.optionalString (dependencies != []) (
      ''
        mkdir -p node_modules
        cd node_modules
      ''
      + (lib.concatMapStrings (dependency:
        ''
          if [ ! -e "${dependency.name}" ]; then
              ${composePackage dependency}
          fi
        ''
      ) dependencies)
      + ''
        cd ..
      ''
    );
  # Recursively composes the dependencies of a package
  composePackage = { name, packageName, src, dependencies ? [], ... }@args:
    builtins.addErrorContext "while evaluating node package '${packageName}'" ''
      installPackage "${packageName}" "${src}"
      ${includeDependencies { inherit dependencies; }}
      cd ..
      ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
    '';
  pinpointDependencies = {dependencies, production}:
    let
      pinpointDependenciesFromPackageJSON = writeTextFile {
        name = "pinpointDependencies.js";
        text = ''
          var fs = require('fs');
          var path = require('path');
          function resolveDependencyVersion(location, name) {
              if(location == process.env['NIX_STORE']) {
                  return null;
              } else {
                  var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
                  if(fs.existsSync(dependencyPackageJSON)) {
                      var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
                      if(dependencyPackageObj.name == name) {
                          return dependencyPackageObj.version;
                      }
                  } else {
                      return resolveDependencyVersion(path.resolve(location, ".."), name);
                  }
              }
          }
          function replaceDependencies(dependencies) {
              if(typeof dependencies == "object" && dependencies !== null) {
                  for(var dependency in dependencies) {
                      var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
                      if(resolvedVersion === null) {
                          process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
                      } else {
                          dependencies[dependency] = resolvedVersion;
                      }
                  }
              }
          }
          /* Read the package.json configuration */
          var packageObj = JSON.parse(fs.readFileSync('./package.json'));
          /* Pinpoint all dependencies */
          replaceDependencies(packageObj.dependencies);
          if(process.argv[2] == "development") {
              replaceDependencies(packageObj.devDependencies);
          }
          replaceDependencies(packageObj.optionalDependencies);
          /* Write the fixed package.json file */
          fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
        '';
      };
    in
    ''
      node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
      ${lib.optionalString (dependencies != [])
        ''
          if [ -d node_modules ]
          then
              cd node_modules
              ${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
              cd ..
          fi
        ''}
    '';
  # Recursively traverses all dependencies of a package and pinpoints all
  # dependencies in the package.json file to the versions that are actually
  # being used.
  pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
    ''
      if [ -d "${packageName}" ]
      then
          cd "${packageName}"
          ${pinpointDependencies { inherit dependencies production; }}
          cd ..
          ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
      fi
    '';
  # Extract the Node.js source code which is used to compile packages with
  # native bindings
  nodeSources = runCommand "node-sources" {} ''
    tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
    mv node-* $out
  '';
  # Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
  addIntegrityFieldsScript = writeTextFile {
    name = "addintegrityfields.js";
    text = ''
      var fs = require('fs');
      var path = require('path');
      function augmentDependencies(baseDir, dependencies) {
          for(var dependencyName in dependencies) {
              var dependency = dependencies[dependencyName];
              // Open package.json and augment metadata fields
              var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
              var packageJSONPath = path.join(packageJSONDir, "package.json");
              if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
                  console.log("Adding metadata fields to: "+packageJSONPath);
                  var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
                  if(dependency.integrity) {
                      packageObj["_integrity"] = dependency.integrity;
                  } else {
                      packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
                  }
                  if(dependency.resolved) {
                      packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
                  } else {
                      packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
                  }
                  if(dependency.from !== undefined) { // Adopt from property if one has been provided
                      packageObj["_from"] = dependency.from;
                  }
                  fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
              }
              // Augment transitive dependencies
              if(dependency.dependencies !== undefined) {
                  augmentDependencies(packageJSONDir, dependency.dependencies);
              }
          }
      }
      if(fs.existsSync("./package-lock.json")) {
          var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
          if(![1, 2].includes(packageLock.lockfileVersion)) {
             process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
             process.exit(1);
          }
          if(packageLock.dependencies !== undefined) {
              augmentDependencies(".", packageLock.dependencies);
          }
      }
    '';
  };
  # Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
  reconstructPackageLock = writeTextFile {
    name = "addintegrityfields.js";
    text = ''
      var fs = require('fs');
      var path = require('path');
      var packageObj = JSON.parse(fs.readFileSync("package.json"));
      var lockObj = {
          name: packageObj.name,
          version: packageObj.version,
          lockfileVersion: 1,
          requires: true,
          dependencies: {}
      };
      function augmentPackageJSON(filePath, dependencies) {
          var packageJSON = path.join(filePath, "package.json");
          if(fs.existsSync(packageJSON)) {
              var packageObj = JSON.parse(fs.readFileSync(packageJSON));
              dependencies[packageObj.name] = {
                  version: packageObj.version,
                  integrity: "sha1-000000000000000000000000000=",
                  dependencies: {}
              };
              processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies);
          }
      }
      function processDependencies(dir, dependencies) {
          if(fs.existsSync(dir)) {
              var files = fs.readdirSync(dir);
              files.forEach(function(entry) {
                  var filePath = path.join(dir, entry);
                  var stats = fs.statSync(filePath);
                  if(stats.isDirectory()) {
                      if(entry.substr(0, 1) == "@") {
                          // When we encounter a namespace folder, augment all packages belonging to the scope
                          var pkgFiles = fs.readdirSync(filePath);
                          pkgFiles.forEach(function(entry) {
                              if(stats.isDirectory()) {
                                  var pkgFilePath = path.join(filePath, entry);
                                  augmentPackageJSON(pkgFilePath, dependencies);
                              }
                          });
                      } else {
                          augmentPackageJSON(filePath, dependencies);
                      }
                  }
              });
          }
      }
      processDependencies("node_modules", lockObj.dependencies);
      fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
    '';
  };
  prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
    let
      forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
    in
    ''
        # Pinpoint the versions of all dependencies to the ones that are actually being used
        echo "pinpointing versions of dependencies..."
        source $pinpointDependenciesScriptPath
        # Patch the shebangs of the bundled modules to prevent them from
        # calling executables outside the Nix store as much as possible
        patchShebangs .
        # Deploy the Node.js package by running npm install. Since the
        # dependencies have been provided already by ourselves, it should not
        # attempt to install them again, which is good, because we want to make
        # it Nix's responsibility. If it needs to install any dependencies
        # anyway (e.g. because the dependency parameters are
        # incomplete/incorrect), it fails.
        #
        # The other responsibilities of NPM are kept -- version checks, build
        # steps, postprocessing etc.
        export HOME=$TMPDIR
        cd "${packageName}"
        runHook preRebuild
        ${lib.optionalString bypassCache ''
          ${lib.optionalString reconstructLock ''
            if [ -f package-lock.json ]
            then
                echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
                echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
                rm package-lock.json
            else
                echo "No package-lock.json file found, reconstructing..."
            fi
            node ${reconstructPackageLock}
          ''}
          node ${addIntegrityFieldsScript}
        ''}
        npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
        if [ "''${dontNpmInstall-}" != "1" ]
        then
            # NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
            rm -f npm-shrinkwrap.json
            npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
        fi
    '';
  # Builds and composes an NPM package including all its dependencies
  buildNodePackage =
    { name
    , packageName
    , version
    , dependencies ? []
    , buildInputs ? []
    , production ? true
    , npmFlags ? ""
    , dontNpmInstall ? false
    , bypassCache ? false
    , reconstructLock ? false
    , preRebuild ? ""
    , dontStrip ? true
    , unpackPhase ? "true"
    , buildPhase ? "true"
    , meta ? {}
    , ... }@args:
    let
      extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
    in
    stdenv.mkDerivation ({
      name = "${name}-${version}";
      buildInputs = [ tarWrapper python nodejs ]
        ++ lib.optional (stdenv.isLinux) utillinux
        ++ lib.optional (stdenv.isDarwin) libtool
        ++ buildInputs;
      inherit nodejs;
      inherit dontStrip; # Stripping may fail a build for some package deployments
      inherit dontNpmInstall preRebuild unpackPhase buildPhase;
      compositionScript = composePackage args;
      pinpointDependenciesScript = pinpointDependenciesOfPackage args;
      passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
      installPhase = ''
        source ${installPackage}
        # Create and enter a root node_modules/ folder
        mkdir -p $out/lib/node_modules
        cd $out/lib/node_modules
        # Compose the package and all its dependencies
        source $compositionScriptPath
        ${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
        # Create symlink to the deployed executable folder, if applicable
        if [ -d "$out/lib/node_modules/.bin" ]
        then
            ln -s $out/lib/node_modules/.bin $out/bin
        fi
        # Create symlinks to the deployed manual page folders, if applicable
        if [ -d "$out/lib/node_modules/${packageName}/man" ]
        then
            mkdir -p $out/share
            for dir in "$out/lib/node_modules/${packageName}/man/"*
            do
                mkdir -p $out/share/man/$(basename "$dir")
                for page in "$dir"/*
                do
                    ln -s $page $out/share/man/$(basename "$dir")
                done
            done
        fi
        # Run post install hook, if provided
        runHook postInstall
      '';
      meta = {
        # default to Node.js' platforms
        platforms = nodejs.meta.platforms;
      } // meta;
    } // extraArgs);
  # Builds a node environment (a node_modules folder and a set of binaries)
  buildNodeDependencies =
    { name
    , packageName
    , version
    , src
    , dependencies ? []
    , buildInputs ? []
    , production ? true
    , npmFlags ? ""
    , dontNpmInstall ? false
    , bypassCache ? false
    , reconstructLock ? false
    , dontStrip ? true
    , unpackPhase ? "true"
    , buildPhase ? "true"
    , ... }@args:
    let
      extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
    in
      stdenv.mkDerivation ({
        name = "node-dependencies-${name}-${version}";
        buildInputs = [ tarWrapper python nodejs ]
          ++ lib.optional (stdenv.isLinux) utillinux
          ++ lib.optional (stdenv.isDarwin) libtool
          ++ buildInputs;
        inherit dontStrip; # Stripping may fail a build for some package deployments
        inherit dontNpmInstall unpackPhase buildPhase;
        includeScript = includeDependencies { inherit dependencies; };
        pinpointDependenciesScript = pinpointDependenciesOfPackage args;
        passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
        installPhase = ''
          source ${installPackage}
          mkdir -p $out/${packageName}
          cd $out/${packageName}
          source $includeScriptPath
          # Create fake package.json to make the npm commands work properly
          cp ${src}/package.json .
          chmod 644 package.json
          ${lib.optionalString bypassCache ''
            if [ -f ${src}/package-lock.json ]
            then
                cp ${src}/package-lock.json .
            fi
          ''}
          # Go to the parent folder to make sure that all packages are pinpointed
          cd ..
          ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
          ${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
          # Expose the executables that were installed
          cd ..
          ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
          mv ${packageName} lib
          ln -s $out/lib/node_modules/.bin $out/bin
        '';
      } // extraArgs);
  # Builds a development shell
  buildNodeShell =
    { name
    , packageName
    , version
    , src
    , dependencies ? []
    , buildInputs ? []
    , production ? true
    , npmFlags ? ""
    , dontNpmInstall ? false
    , bypassCache ? false
    , reconstructLock ? false
    , dontStrip ? true
    , unpackPhase ? "true"
    , buildPhase ? "true"
    , ... }@args:
    let
      nodeDependencies = buildNodeDependencies args;
    in
    stdenv.mkDerivation {
      name = "node-shell-${name}-${version}";
      buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
      buildCommand = ''
        mkdir -p $out/bin
        cat > $out/bin/shell <<EOF
        #! ${stdenv.shell} -e
        $shellHook
        exec ${stdenv.shell}
        EOF
        chmod +x $out/bin/shell
      '';
      # Provide the dependencies in a development shell through the NODE_PATH environment variable
      inherit nodeDependencies;
      shellHook = lib.optionalString (dependencies != []) ''
        export NODE_PATH=${nodeDependencies}/lib/node_modules
        export PATH="${nodeDependencies}/bin:$PATH"
      '';
    };
 in
 {
  buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
  buildNodePackage = lib.makeOverridable buildNodePackage;
  buildNodeDependencies = lib.makeOverridable buildNodeDependencies;
  buildNodeShell = lib.makeOverridable buildNodeShell;
 }
--- a/common/server/archivebox/node-packages.json
+++ b/common/server/archivebox/node-packages.json
@@ -1,5 +0,0 @@
 [
  "@postlight/mercury-parser"
 , { "readability-extractor": "git+https://github.com/ArchiveBox/readability-extractor.git" }
 , { "single-file": "git+https://github.com/gildas-lormeau/SingleFile.git" }
 ]
--- a/common/server/archivebox/node-packages.nix
+++ b/common/server/archivebox/node-packages.nix
--- a/common/server/atticd.nix
+++ b/common/server/atticd.nix
@@ -0,0 +1,40 @@
 { config, lib, ... }:
 let
  cfg = config.services.atticd;
 in
 {
  config = lib.mkIf cfg.enable {
    services.atticd = {
      credentialsFile = "/run/agenix/atticd-credentials";
      settings = {
        listen = "[::]:28338";
        # Speed things up
        require-proof-of-possession = false;
        chunking = {
          # Disable chunking for performance (I have plenty of space)
          nar-size-threshold = 0;
          # Chunking is disabled due to poor performance so these values don't matter but are required anyway.
          # One day, when I move away from ZFS maybe this will perform well enough.
          # nar-size-threshold = 64 * 1024; # 64 KiB
          min-size = 16 * 1024; # 16 KiB
          avg-size = 64 * 1024; # 64 KiB
          max-size = 256 * 1024; # 256 KiB
        };
        # Disable compression for performance (I have plenty of space)
        compression.type = "none";
        garbage-collection = {
          default-retention-period = "6 months";
        };
      };
    };
    age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
  };
 }
--- a/common/server/ceph.nix
+++ b/common/server/ceph.nix
@@ -3,9 +3,9 @@
 with lib;
 let
  cfg = config.ceph;
-in {
+in
-  options.ceph = {
+{
-  };
+  options.ceph = { };
  config = mkIf cfg.enable {
    # ceph.enable = true;
--- a/common/server/dashy.nix
+++ b/common/server/dashy.nix
@@ -0,0 +1,53 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.dashy;
 in
 {
  options.services.dashy = {
    enable = mkEnableOption "dashy";
    imageTag = mkOption {
      type = types.str;
      default = "latest";
    };
    port = mkOption {
      type = types.int;
      default = 56815;
    };
    configFile = lib.mkOption {
      type = lib.types.path;
      description = "Path to the YAML configuration file";
    };
  };
  config = mkIf cfg.enable {
    virtualisation.oci-containers.containers = {
      dashy = {
        image = "lissy93/dashy:${cfg.imageTag}";
        environment = {
          TZ = "${config.time.timeZone}";
        };
        ports = [
          "127.0.0.1:${toString cfg.port}:80"
        ];
        volumes = [
          "${cfg.configFile}:/app/public/conf.yml"
        ];
      };
    };
    services.nginx.enable = true;
    services.nginx.virtualHosts."s0.koi-bebop.ts.net" = {
      default = true;
      addSSL = true;
      serverAliases = [ "s0" ];
      sslCertificate = "/secret/ssl/s0.koi-bebop.ts.net.crt";
      sslCertificateKey = "/secret/ssl/s0.koi-bebop.ts.net.key";
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.port}";
      };
    };
  };
 }
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -2,7 +2,6 @@
 {
  imports = [
    ./archivebox
    ./nginx.nix
    ./thelounge.nix
    ./mumble.nix
@@ -12,7 +11,17 @@
    ./zerobin.nix
    ./gitea.nix
    ./privatebin/privatebin.nix
    ./drastikbot.nix
    ./radio.nix
    ./samba.nix
    ./owncast.nix
    ./mailserver.nix
    ./nextcloud.nix
    ./iodine.nix
    ./searx.nix
    ./gitea-actions-runner.nix
    ./dashy.nix
    ./librechat.nix
    ./actualbudget.nix
    ./atticd.nix
  ];
 }
--- a/common/server/drastikbot.nix
+++ b/common/server/drastikbot.nix
@@ -1,80 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.drastikbot;
  drastikbot = pkgs.python3Packages.buildPythonApplication rec {
    pname = "drastikbot";
    version = "v2.1";
    format = "other";
    srcs = [
      config.inputs.drastikbot
      config.inputs.drastikbot_modules
      config.inputs.dailybuild_modules
    ];
    nativeBuildInputs = [ pkgs.makeWrapper ];
    phases = [ "installPhase" ]; # Removes all phases except installPhase
    installPhase = ''
      arr=($srcs)
      mkdir -p $out/irc/modules
      cp -r ''${arr[0]}/src/* $out/
      cp -r ''${arr[1]}/* $out/irc/modules
      cp -r ''${arr[2]}/* $out/irc/modules
      makeWrapper ${pkgs.python3}/bin/python3 $out/drastikbot \
        --prefix PYTHONPATH : ${with pkgs.python3Packages; makePythonPath [requests beautifulsoup4]} \
        --add-flags "$out/drastikbot.py"
    '';
  };
 in {
  options.services.drastikbot = {
    enable = lib.mkEnableOption "enable drastikbot";
    user = lib.mkOption {
      type = lib.types.str;
      default = "drastikbot";
      description = ''
        The user drastikbot should run as
      '';
    };
    group = lib.mkOption {
      type = lib.types.str;
      default = "drastikbot";
      description = ''
        The group drastikbot should run as
      '';
    };
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/drastikbot";
      description = ''
        Path to the drastikbot data directory
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    users.users.${cfg.user} = {
        isSystemUser = true;
        group = cfg.group;
        home = cfg.dataDir;
        createHome = true;
    };
    users.groups.${cfg.group} = {};
    systemd.services.drastikbot = {
      enable = true;
      after = ["network.target"];
      wantedBy = ["multi-user.target"];
      serviceConfig.ExecStart = "${drastikbot}/drastikbot -c ${cfg.dataDir}";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user} ${cfg.dataDir}
      '';
    };
  };
 }
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@@ -0,0 +1,137 @@
 { config, pkgs, lib, allModules, ... }:
 # Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
 # This is useful for providing a real Nix/OS builder to gitea.
 # Warning, NixOS containers are not secure. For example, the container shares the /nix/store
 # Therefore, this should not be used to run untrusted code.
 # To enable, assign a machine the 'gitea-actions-runner' system role
 # TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
 let
  runnerRole = "gitea-actions-runner";
  runners = config.machines.roles.${runnerRole};
  thisMachineIsARunner = builtins.elem config.networking.hostName runners;
  containerName = "gitea-runner";
 in
 {
  config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
    # containers.${containerName} = {
    #   ephemeral = true;
    #   autoStart = true;
    #   # for podman
    #   enableTun = true;
    #   # privateNetwork = true;
    #   # hostAddress = "172.16.101.1";
    #   # localAddress = "172.16.101.2";
    #   bindMounts =
    #     {
    #       "/run/agenix/gitea-actions-runner-token" = {
    #         hostPath = "/run/agenix/gitea-actions-runner-token";
    #         isReadOnly = true;
    #       };
    #       "/var/lib/gitea-runner" = {
    #         hostPath = "/var/lib/gitea-runner";
    #         isReadOnly = false;
    #       };
    #     };
    #   extraFlags = [
    #     # Allow podman
    #     ''--system-call-filter=thisystemcalldoesnotexistforsure''
    #   ];
    #   additionalCapabilities = [
    #     "CAP_SYS_ADMIN"
    #   ];
    #   config = {
    #     imports = allModules;
    #     # speeds up evaluation
    #     nixpkgs.pkgs = pkgs;
    #     networking.hostName = lib.mkForce containerName;
    #     # don't use remote builders
    #     nix.distributedBuilds = lib.mkForce false;
    #     environment.systemPackages = with pkgs; [
    #       git
    #       # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
    #       nodejs
    #     ];
    #     services.gitea-actions-runner.instances.inst = {
    #       enable = true;
    #       name = config.networking.hostName;
    #       url = "https://git.neet.dev/";
    #       tokenFile = "/run/agenix/gitea-actions-runner-token";
    #       labels = [
    #         "ubuntu-latest:docker://node:18-bullseye"
    #         "nixos:host"
    #       ];
    #     };
    #     # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
    #     systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
    #     users.users.gitea-runner = {
    #       home = "/var/lib/gitea-runner";
    #       group = "gitea-runner";
    #       isSystemUser = true;
    #       createHome = true;
    #     };
    #     users.groups.gitea-runner = { };
    #     virtualisation.podman.enable = true;
    #     boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    #   };
    # };
    # networking.nat.enable = true;
    # networking.nat.internalInterfaces = [
    #   "ve-${containerName}"
    # ];
    # networking.ip_forward = true;
    # don't use remote builders
    nix.distributedBuilds = lib.mkForce false;
    services.gitea-actions-runner.instances.inst = {
      enable = true;
      name = config.networking.hostName;
      url = "https://git.neet.dev/";
      tokenFile = "/run/agenix/gitea-actions-runner-token";
      labels = [
        "ubuntu-latest:docker://node:18-bullseye"
        "nixos:host"
      ];
    };
    environment.systemPackages = with pkgs; [
      git
      # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
      nodejs
      attic
    ];
    # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
    systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
    users.users.gitea-runner = {
      home = "/var/lib/gitea-runner";
      group = "gitea-runner";
      isSystemUser = true;
      createHome = true;
    };
    users.groups.gitea-runner = { };
    virtualisation.podman.enable = true;
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
  };
 }
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@@ -1,8 +1,9 @@
-{ lib, config, ... }:
+{ lib, pkgs, config, ... }:
 let
  cfg = config.services.gitea;
-in {
+in
 {
  options.services.gitea = {
    hostname = lib.mkOption {
      type = lib.types.str;
@@ -11,29 +12,63 @@ in {
  };
  config = lib.mkIf cfg.enable {
    services.gitea = {
      domain = cfg.hostname;
      rootUrl = "https://${cfg.hostname}/";
      appName = cfg.hostname;
-      ssh.enable = true;
+      lfs.enable = true;
-      # lfs.enable = true;
+      # dump.enable = true;
      dump.enable = true;
      cookieSecure = true;
      disableRegistration = true;
      settings = {
        server = {
          ROOT_URL = "https://${cfg.hostname}/";
          DOMAIN = cfg.hostname;
        };
        other = {
          SHOW_FOOTER_VERSION = false;
        };
        ui = {
          DEFAULT_THEME = "arc-green";
        };
        service = {
          DISABLE_REGISTRATION = true;
        };
        session = {
          COOKIE_SECURE = true;
          PROVIDER = "db";
          SESSION_LIFE_TIME = 259200; # 3 days
          GC_INTERVAL_TIME = 259200; # 3 days
        };
        mailer = {
          ENABLED = true;
          MAILER_TYPE = "smtp";
          SMTP_ADDR = "mail.neet.dev";
          SMTP_PORT = "465";
          IS_TLS_ENABLED = true;
          USER = "robot@runyan.org";
          FROM = "no-reply@neet.dev";
        };
        actions = {
          ENABLED = true;
        };
        indexer = {
          REPO_INDEXER_ENABLED = true;
        };
      };
      mailerPasswordFile = "/run/agenix/robots-email-pw";
    };
    age.secrets.robots-email-pw = {
      file = ../../secrets/robots-email-pw.age;
      owner = config.services.gitea.user;
    };
    # backups
    backup.group."gitea".paths = [
      config.services.gitea.stateDir
    ];
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
-        proxyPass = "http://localhost:${toString cfg.httpPort}";
+        proxyPass = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
      };
    };
  };
--- a/common/server/icecast.nix
+++ b/common/server/icecast.nix
@@ -7,7 +7,8 @@
 let
  cfg = config.services.icecast;
-in {
+in
 {
  options.services.icecast = {
    mount = lib.mkOption {
      type = lib.types.str;
--- a/common/server/iodine.nix
+++ b/common/server/iodine.nix
@@ -0,0 +1,21 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.iodine.server;
 in
 {
  config = lib.mkIf cfg.enable {
    # iodine DNS-based vpn
    services.iodine.server = {
      ip = "192.168.99.1";
      domain = "tun.neet.dev";
      passwordFile = "/run/agenix/iodine";
    };
    age.secrets.iodine.file = ../../secrets/iodine.age;
    networking.firewall.allowedUDPPorts = [ 53 ];
    networking.nat.internalInterfaces = [
      "dns0" # iodine
    ];
  };
 }
--- a/common/server/librechat.nix
+++ b/common/server/librechat.nix
@@ -0,0 +1,62 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.librechat;
 in
 {
  options.services.librechat = {
    enable = mkEnableOption "librechat";
    port = mkOption {
      type = types.int;
      default = 3080;
    };
    host = lib.mkOption {
      type = lib.types.str;
      example = "example.com";
    };
  };
  config = mkIf cfg.enable {
    virtualisation.oci-containers.containers = {
      librechat = {
        image = "ghcr.io/danny-avila/librechat:v0.6.6";
        environment = {
          HOST = "0.0.0.0";
          MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
          ENDPOINTS = "openAI,google,bingAI,gptPlugins";
        };
        environmentFiles = [
          "/run/agenix/librechat-env-file"
        ];
        ports = [
          "${toString cfg.port}:3080"
        ];
      };
    };
    age.secrets.librechat-env-file.file = ../../secrets/librechat-env-file.age;
    services.mongodb.enable = true;
    services.mongodb.bind_ip = "0.0.0.0";
    # easier podman maintenance
    virtualisation.oci-containers.backend = "podman";
    virtualisation.podman.dockerSocket.enable = true;
    virtualisation.podman.dockerCompat = true;
    # For mongodb access
    networking.firewall.trustedInterfaces = [
      "podman0" # for librechat
    ];
    services.nginx.virtualHosts.${cfg.host} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.port}";
        proxyWebsockets = true;
      };
    };
  };
 }
--- a/common/server/mailserver.nix
+++ b/common/server/mailserver.nix
@@ -0,0 +1,112 @@
 { config, pkgs, lib, ... }:
 with builtins;
 let
  cfg = config.mailserver;
  domains = [
    "neet.space"
    "neet.dev"
    "neet.cloud"
    "runyan.org"
    "runyan.rocks"
    "thunderhex.com"
    "tar.ninja"
    "bsd.ninja"
    "bsd.rocks"
  ];
 in
 {
  config = lib.mkIf cfg.enable {
    # kresd doesn't work with tailscale MagicDNS
    mailserver.localDnsResolver = false;
    services.resolved.enable = true;
    mailserver = {
      fqdn = "mail.neet.dev";
      dkimKeyBits = 2048;
      indexDir = "/var/lib/mailindex";
      enableManageSieve = true;
      fullTextSearch.enable = true;
      fullTextSearch.indexAttachments = true;
      fullTextSearch.memoryLimit = 500;
      inherit domains;
      loginAccounts = {
        "jeremy@runyan.org" = {
          hashedPasswordFile = "/run/agenix/hashed-email-pw";
          # catchall for all domains
          aliases = map (domain: "@${domain}") domains;
        };
        "cris@runyan.org" = {
          hashedPasswordFile = "/run/agenix/cris-hashed-email-pw";
          aliases = [ "chris@runyan.org" ];
        };
        "robot@runyan.org" = {
          aliases = [
            "no-reply@neet.dev"
            "robot@neet.dev"
          ];
          sendOnly = true;
          hashedPasswordFile = "/run/agenix/hashed-robots-email-pw";
        };
      };
      rejectRecipients = [
        "george@runyan.org"
        "joslyn@runyan.org"
        "damon@runyan.org"
        "jonas@runyan.org"
        "simon@neet.dev"
      ];
      forwards = {
        "amazon@runyan.org" = [
          "jeremy@runyan.org"
          "cris@runyan.org"
        ];
      };
      certificateScheme = "acme-nginx"; # use let's encrypt for certs
    };
    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
    age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
    # sendmail to use xxx@domain instead of xxx@mail.domain
    services.postfix.origin = "$mydomain";
    # relay sent mail through mailgun
    # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
    services.postfix.config = {
      smtp_sasl_auth_enable = "yes";
      smtp_sasl_security_options = "noanonymous";
      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
      smtp_use_tls = "yes";
      sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
      smtp_sender_dependent_authentication = "yes";
    };
    services.postfix.mapFiles.sender_relay =
      let
        relayHost = "[smtp.mailgun.org]:587";
      in
      pkgs.writeText "sender_relay"
        (concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
    services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
    age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
    # webmail
    services.nginx.enable = true;
    services.roundcube = {
      enable = true;
      hostName = config.mailserver.fqdn;
      extraConfig = ''
        # starttls needed for authentication, so the fqdn required to match the certificate
        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
      '';
    };
    # backups
    backup.group."email".paths = [
      config.mailserver.mailDirectory
    ];
  };
 }
--- a/common/server/matrix.nix
+++ b/common/server/matrix.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.matrix;
  certs = config.security.acme.certs;
-in {
+in
 {
  options.services.matrix = {
    enable = lib.mkEnableOption "enable matrix";
    element-web = {
@@ -59,10 +60,11 @@ in {
  config = lib.mkIf cfg.enable {
    services.matrix-synapse = {
      enable = true;
      settings = {
        server_name = cfg.host;
        enable_registration = cfg.enable_registration;
        listeners = [{
-        bind_address = "127.0.0.1";
+          bind_addresses = [ "127.0.0.1" ];
          port = cfg.port;
          tls = false;
          resources = [{
@@ -77,6 +79,7 @@ in {
        turn_shared_secret = cfg.turn.secret;
        turn_user_lifetime = "1h";
      };
    };
    services.coturn = {
      enable = true;
@@ -135,7 +138,8 @@ in {
        ];
        locations."/".proxyPass = "http://localhost:${toString cfg.port}";
      };
-      virtualHosts.${cfg.turn.host} =  { # get TLS cert for TURN server
+      virtualHosts.${cfg.turn.host} = {
        # get TLS cert for TURN server
        enableACME = true;
        forceSSL = true;
      };
--- a/common/server/mumble.nix
+++ b/common/server/mumble.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.murmur;
  certs = config.security.acme.certs;
-in {
+in
 {
  options.services.murmur.domain = lib.mkOption {
    type = lib.types.str;
  };
--- a/common/server/nextcloud.nix
+++ b/common/server/nextcloud.nix
@@ -0,0 +1,33 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.nextcloud;
 in
 {
  config = lib.mkIf cfg.enable {
    services.nextcloud = {
      https = true;
      package = pkgs.nextcloud29;
      hostName = "neet.cloud";
      config.dbtype = "sqlite";
      config.adminuser = "jeremy";
      config.adminpassFile = "/run/agenix/nextcloud-pw";
      autoUpdateApps.enable = true;
    };
    age.secrets.nextcloud-pw = {
      file = ../../secrets/nextcloud-pw.age;
      owner = "nextcloud";
    };
    # backups
    backup.group."nextcloud".paths = [
      config.services.nextcloud.home
    ];
    services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
      enableACME = true;
      forceSSL = true;
    };
  };
 }
--- a/common/server/nginx-stream.nix
+++ b/common/server/nginx-stream.nix
@@ -5,7 +5,8 @@ let
  nginxWithRTMP = pkgs.nginx.override {
    modules = [ pkgs.nginxModules.rtmp ];
  };
-in {
+in
 {
  options.services.nginx.stream = {
    enable = lib.mkEnableOption "enable nginx rtmp/hls/dash video streaming";
    port = lib.mkOption {
--- a/common/server/nginx.nix
+++ b/common/server/nginx.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.nginx;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    services.nginx = {
      recommendedGzipSettings = true;
--- a/common/server/owncast.nix
+++ b/common/server/owncast.nix
@@ -0,0 +1,32 @@
 { lib, config, ... }:
 with lib;
 let
  cfg = config.services.owncast;
 in
 {
  options.services.owncast = {
    hostname = lib.mkOption {
      type = types.str;
      example = "example.com";
    };
  };
  config = mkIf cfg.enable {
    services.owncast.listen = "127.0.0.1";
    services.owncast.port = 62419; # random port
    networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.port}";
        proxyWebsockets = true;
      };
    };
  };
 }
--- a/common/server/privatebin/privatebin.nix
+++ b/common/server/privatebin/privatebin.nix
@@ -14,7 +14,8 @@ let
      cp -ar $src $out
    '';
  };
-in {
+in
 {
  options.services.privatebin = {
    enable = lib.mkEnableOption "enable privatebin";
    host = lib.mkOption {
--- a/common/server/radio.nix
+++ b/common/server/radio.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.radio;
  radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
-in {
+in
 {
  options.services.radio = {
    enable = lib.mkEnableOption "enable radio";
    user = lib.mkOption {
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@@ -0,0 +1,120 @@
 { config, lib, pkgs, ... }:
 {
  config = lib.mkIf config.services.samba.enable {
    services.samba = {
      openFirewall = true;
      package = pkgs.sambaFull; # printer sharing
      securityType = "user";
      # should this be on?
      nsswins = true;
      extraConfig = ''
        workgroup = HOME
        server string = smbnix
        netbios name = smbnix
        security = user 
        use sendfile = yes
        min protocol = smb2
        guest account = nobody
        map to guest = bad user
        # printing
        load printers = yes
        printing = cups
        printcap name = cups
        hide files = /.nobackup/.DS_Store/._.DS_Store/
      '';
      shares = {
        public = {
          path = "/data/samba/Public";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "public_data";
          "force group" = "public_data";
        };
        googlebot = {
          path = "/data/samba/googlebot";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "valid users" = "googlebot";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "googlebot";
          "force group" = "users";
        };
        cris = {
          path = "/data/samba/cris";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "valid users" = "cris";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "root";
          "force group" = "users";
        };
        printers = {
          comment = "All Printers";
          path = "/var/spool/samba";
          public = "yes";
          browseable = "yes";
          # to allow user 'guest account' to print.
          "guest ok" = "yes";
          writable = "no";
          printable = "yes";
          "create mode" = 0700;
        };
      };
    };
    # backups
    backup.group."samba".paths = [
      config.services.samba.shares.googlebot.path
      config.services.samba.shares.cris.path
      config.services.samba.shares.public.path
    ];
    # Windows discovery of samba server
    services.samba-wsdd = {
      enable = true;
      # are these needed?
      workgroup = "HOME";
      hoplimit = 3;
      discovery = true;
    };
    networking.firewall.allowedTCPPorts = [ 5357 ];
    networking.firewall.allowedUDPPorts = [ 3702 ];
    # Printer discovery
    # (is this needed?)
    services.avahi.enable = true;
    services.avahi.nssmdns4 = true;
    # printer sharing
    systemd.tmpfiles.rules = [
      "d /var/spool/samba 1777 root root -"
    ];
    users.groups.public_data.gid = 994;
    users.users.public_data = {
      isSystemUser = true;
      group = "public_data";
      uid = 994;
    };
    users.users.googlebot.extraGroups = [ "public_data" ];
    # samba user for share
    users.users.cris.isSystemUser = true;
    users.users.cris.group = "cris";
    users.groups.cris = { };
  };
 }
--- a/common/server/searx.nix
+++ b/common/server/searx.nix
@@ -0,0 +1,30 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.searx;
 in
 {
  config = lib.mkIf cfg.enable {
    services.searx = {
      environmentFile = "/run/agenix/searx";
      settings = {
        server.port = 43254;
        server.secret_key = "@SEARX_SECRET_KEY@";
        engines = [{
          name = "wolframalpha";
          shortcut = "wa";
          api_key = "@WOLFRAM_API_KEY@";
          engine = "wolframalpha_api";
        }];
      };
    };
    services.nginx.virtualHosts."search.neet.space" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
      };
    };
    age.secrets.searx.file = ../../secrets/searx.age;
  };
 }
--- a/common/server/thelounge.nix
+++ b/common/server/thelounge.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.thelounge;
-in {
+in
 {
  options.services.thelounge = {
    fileUploadBaseUrl = lib.mkOption {
      type = lib.types.str;
@@ -23,7 +24,7 @@ in {
  config = lib.mkIf cfg.enable {
    services.thelounge = {
-      private = true;
+      public = false;
      extraConfig = {
        reverseProxy = true;
        maxHistory = -1;
@@ -42,6 +43,10 @@ in {
      };
    };
    backup.group."thelounge".paths = [
      "/var/lib/thelounge/"
    ];
    # the lounge client
    services.nginx.virtualHosts.${cfg.host} = {
      enableACME = true;
--- a/common/server/video-stream.nix
+++ b/common/server/video-stream.nix
@@ -79,8 +79,11 @@ in
          "${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}:${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}/udp"
        ];
        cmd = [
-          "lightspeed-webrtc" "--addr=0.0.0.0" "--ip=${domain}"
+          "lightspeed-webrtc"
-          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}" "run"
+          "--addr=0.0.0.0"
          "--ip=${domain}"
          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}"
          "run"
        ];
        #        imageFile = pkgs.dockerTools.pullImage {
        #          imageName = "projectlightspeed/webrtc";
--- a/common/server/zerobin.nix
+++ b/common/server/zerobin.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.zerobin;
-in {
+in
 {
  options.services.zerobin = {
    host = lib.mkOption {
      type = lib.types.str;
--- a/common/shell.nix
+++ b/common/shell.nix
@@ -0,0 +1,54 @@
 { config, lib, pkgs, ... }:
 # Improvements to the default shell
 # - use nix-index for command-not-found
 # - disable fish's annoying greeting message
 # - add some handy shell commands
 {
  environment.systemPackages = with pkgs; [
    comma
  ];
  # nix-index
  programs.nix-index.enable = true;
  programs.nix-index.enableFishIntegration = true;
  programs.command-not-found.enable = false;
  programs.fish = {
    enable = true;
    shellInit = ''
      # disable annoying fish shell greeting
      set fish_greeting
      alias sudo="doas"
    '';
  };
  environment.shellAliases = {
    myip = "dig +short myip.opendns.com @resolver1.opendns.com";
    # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
    io_seq_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
    io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
    io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
    io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
    llsblk = "lsblk -o +uuid,fsType";
  };
  nixpkgs.overlays = [
    (final: prev: {
      # comma uses the "nix-index" package built into nixpkgs by default.
      # That package doesn't use the prebuilt nix-index database so it needs to be changed.
      comma = prev.comma.overrideAttrs (old: {
        postInstall = ''
          wrapProgram $out/bin/comma \
            --prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}
          ln -s $out/bin/comma $out/bin/,
        '';
      });
    })
  ];
 }
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -1,61 +1,38 @@
-rec {
+{ config, lib, pkgs, ... }:
-  users = [
+
 {
  programs.ssh.knownHosts = lib.filterAttrs (n: v: v != null) (lib.concatMapAttrs
    (host: cfg: {
      ${host} = {
        hostNames = cfg.hostNames;
        publicKey = cfg.hostKey;
      };
      "${host}-remote-unlock" =
        if cfg.remoteUnlock != null then {
          hostNames = builtins.filter (h: h != null) [ cfg.remoteUnlock.clearnetHost cfg.remoteUnlock.onionHost ];
          publicKey = cfg.remoteUnlock.hostKey;
        } else null;
    })
    config.machines.hosts);
  # prebuilt cmds for easy ssh LUKS unlock
  environment.shellAliases =
    let
      unlockHosts = unlockType: lib.concatMapAttrs
        (host: cfg:
          if cfg.remoteUnlock != null && cfg.remoteUnlock.${unlockType} != null then {
            ${host} = cfg.remoteUnlock.${unlockType};
          } else { })
        config.machines.hosts;
    in
    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) (unlockHosts "onionHost")
    //
    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) (unlockHosts "clearnetHost");
  # TODO: Old ssh keys I will remove some day...
  machines.ssh.userKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
  ];
  system = {
    liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
    ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4xi9PqTvcA/XB+gTwjFXk+f3sycGSFoioO3e8yDy7H";
    n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
    n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
    n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
    n4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYm2ROIfCeGz6QtDwqAmcj2DX9tq2CZn0eLhskdvB4Z";
    n5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Qhvwq3PiHEKf+2/4w5ZJkSMNzFLhIRrPOR98m7wW4";
    n6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/P/pa9+qhKAPfvvd8xSO2komJqDW0M1nCK7ZrP6PO7";
    n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL";
  };
  # groups
  systems = with system; [
    liza
    ray
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  personal = with system; [
    ray
  ];
  servers = with system; [
    liza
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  compute = with system; [
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  storage = with system; [
    s0
  ];
 }
--- a/common/zerotier.nix
+++ b/common/zerotier.nix
@@ -1,14 +0,0 @@
 { lib, config, ... }:
 let
  cfg = config.services.zerotierone;
 in {
  config = lib.mkIf cfg.enable {
    services.zerotierone.joinNetworks = [
      "565799d8f6d654c0"
    ];
    networking.firewall.allowedUDPPorts = [
      9993
    ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@@ -2,14 +2,21 @@
  "nodes": {
    "agenix": {
      "inputs": {
-        "nixpkgs": "nixpkgs"
+        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs"
        ],
        "systems": [
          "systems"
        ]
      },
      "locked": {
-        "lastModified": 1646845404,
+        "lastModified": 1716561646,
-        "narHash": "sha256-JENXFCI2HVqi0whBzt7MAW9PX3ziEaYqBhMux+4g+VM=",
+        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "764c975e74bce2f89a5106b68ec48e2b586f893c",
+        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
        "type": "github"
      },
      "original": {
@@ -18,6 +25,36 @@
        "type": "github"
      }
    },
    "attic": {
      "inputs": {
        "crane": "crane",
        "flake-compat": [
          "flake-compat"
        ],
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1717279440,
        "narHash": "sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk=",
        "owner": "zhaofengli",
        "repo": "attic",
        "rev": "717cc95983cdc357bc347d70be20ced21f935843",
        "type": "github"
      },
      "original": {
        "owner": "zhaofengli",
        "repo": "attic",
        "type": "github"
      }
    },
    "blobs": {
      "flake": false,
      "locked": {
@@ -34,63 +71,126 @@
        "type": "gitlab"
      }
    },
    "crane": {
      "inputs": {
        "nixpkgs": [
          "attic",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1717025063,
        "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "dailybuild_modules": {
-      "flake": false,
+      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1633210754,
+        "lastModified": 1651719222,
-        "narHash": "sha256-jBIE07mLsF+qHoa/CQLSRipvfNSivgbuWUatI6Wwy0s=",
+        "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
        "ref": "refs/heads/master",
        "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
        "revCount": 19,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybot.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybot.git"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1700795494,
        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
-        "rev": "e6a1c8686dad46b7847a5c690107a48fc20a6a29",
+        "repo": "nix-darwin",
        "revCount": 9,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      }
    },
    "drastikbot": {
      "flake": false,
      "locked": {
        "lastModified": 1596211584,
        "narHash": "sha256-1L8vTE1YEhFWzY5RYb+s5Hb4LrVJNN2leKlZEugEyRU=",
        "owner": "olagood",
        "repo": "drastikbot",
        "rev": "ef72e3afe7602d95c8b014202e220f04796900ab",
        "type": "github"
      },
      "original": {
        "owner": "olagood",
        "ref": "v2.1",
        "repo": "drastikbot",
        "type": "github"
      }
    },
-    "drastikbot_modules": {
+    "deploy-rs": {
-      "flake": false,
+      "inputs": {
        "flake-compat": [
          "flake-compat"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": [
          "flake-utils"
        ]
      },
      "locked": {
-        "lastModified": 1619214744,
+        "lastModified": 1718194053,
-        "narHash": "sha256-w1164FkRkeyWnx6a95WDbwEUvNkNwFWa/6mhKtgVw0c=",
+        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
-        "owner": "olagood",
+        "owner": "serokell",
-        "repo": "drastikbot_modules",
+        "repo": "deploy-rs",
-        "rev": "3af549a8c3f6e55b63758a61a751bebb1b2db3a3",
+        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
        "type": "github"
      },
      "original": {
-        "owner": "olagood",
+        "owner": "serokell",
-        "ref": "v2.1",
+        "repo": "deploy-rs",
-        "repo": "drastikbot_modules",
+        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": [
          "systems"
        ]
      },
      "locked": {
-        "lastModified": 1620759905,
+        "lastModified": 1710146030,
-        "narHash": "sha256-WiyWawrgmyN0EdmiHyG2V+fqReiVi8bM9cRdMaKQOFg=",
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b543720b25df6ffdfcf9227afafc5b8c1fabfae8",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
@@ -99,113 +199,116 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1703113217,
        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1716772633,
        "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
        "owner": "Mic92",
        "repo": "nix-index-database",
        "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "nix-index-database",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1717248095,
        "narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1638587357,
+        "lastModified": 1717144377,
-        "narHash": "sha256-2ySMW3QARG8BsRPmwe7clTbdCuaObromOKewykP+UJc=",
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
-        "owner": "nixos",
+        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e34c5379866833f41e2a36f309912fa675d687c7",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
-        "ref": "nixos-21.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs-21_05": {
+    "nixpkgs-frigate": {
      "locked": {
-        "lastModified": 1625692408,
+        "lastModified": 1695825837,
-        "narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=",
+        "narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c06613c25df3fe1dd26243847a3c105cf6770627",
+        "rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-21.05",
        "type": "indirect"
      }
    },
    "nixpkgs-21_11": {
      "locked": {
        "lastModified": 1638371214,
        "narHash": "sha256-0kE6KhgH7n0vyuX4aUoGsGIQOqjIx2fJavpCWtn73rc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a640d8394f34714578f3e6335fc767d0755d78f9",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-21.11",
        "type": "indirect"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1646675913,
        "narHash": "sha256-ZvGf51XpXM7JojKLZ5yI0XLUq8UOFX6AwZ3bhtdcpIo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "9b1c7ba323732ddc85a51850a7f10ecc5269b8e9",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-21.11",
        "repo": "nixpkgs",
        "rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1621784194,
        "narHash": "sha256-CQWN/QvVHG8qCn7UhGGwoT3jAPvnJHQUvzBlIt48FGs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c5265c01a944b1cecfcfab392d5204d73d65d4ec",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1626852498,
        "narHash": "sha256-lOXUJvi0FJUXHTVSiC5qsMRtEUgqM4mGZpMESLuGhmo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "16105403bdd843540cbef9c63fc0f16c1c6eaa70",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-unstable",
        "type": "indirect"
      }
    },
    "radio": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": [
-        "nixpkgs": "nixpkgs_3"
+          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1633288285,
+        "lastModified": 1631585589,
-        "narHash": "sha256-pL8oEB1AoghvFTsSLLKA1zhV8Z8TM8vcAkeodS6/IZs=",
+        "narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
        "ref": "main",
-        "rev": "eb95b31089f5a107cb7efe0c55d45beb1399ebbb",
+        "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
-        "revCount": 51,
+        "revCount": 38,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio.git"
      },
      "original": {
        "ref": "main",
        "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio.git"
      }
@@ -213,11 +316,11 @@
    "radio-web": {
      "flake": false,
      "locked": {
-        "lastModified": 1629918655,
+        "lastModified": 1652121792,
-        "narHash": "sha256-sDVM1K1r2y4T37tvdu3mtjiswJ7/PrVGsDQrHzrNfac=",
+        "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
-        "ref": "master",
+        "ref": "refs/heads/master",
-        "rev": "585ce4e3d09d1618d61358902a4231e91e15e1de",
+        "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
-        "revCount": 4,
+        "revCount": 5,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio-web.git"
      },
@@ -229,50 +332,64 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "attic": "attic",
        "dailybuild_modules": "dailybuild_modules",
-        "drastikbot": "drastikbot",
+        "deploy-rs": "deploy-rs",
-        "drastikbot_modules": "drastikbot_modules",
+        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs_2",
+        "flake-utils": "flake-utils",
        "nix-index-database": "nix-index-database",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixpkgs-frigate": "nixpkgs-frigate",
        "radio": "radio",
        "radio-web": "radio-web",
-        "simple-nixos-mailserver": "simple-nixos-mailserver"
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
        "systems": "systems"
      }
    },
    "simple-nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
-        "nixpkgs": "nixpkgs_4",
+        "flake-compat": [
-        "nixpkgs-21_05": "nixpkgs-21_05",
+          "flake-compat"
-        "nixpkgs-21_11": "nixpkgs-21_11",
+        ],
-        "utils": "utils"
+        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-24_05": [
          "nixpkgs"
        ],
        "utils": [
          "flake-utils"
        ]
      },
      "locked": {
-        "lastModified": 1638911354,
+        "lastModified": 1718084203,
-        "narHash": "sha256-hNhzLOp+dApEY15vwLAQZu+sjEQbJcOXCaSfAT6lpsQ=",
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "6e3a7b2ea6f0d68b82027b988aa25d3423787303",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-21.11",
+        "ref": "master",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
-    "utils": {
+    "systems": {
      "locked": {
-        "lastModified": 1605370193,
+        "lastModified": 1681028828,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "flake-utils",
+        "repo": "default",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "flake-utils",
+        "repo": "default",
        "type": "github"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@@ -1,61 +1,199 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
+    # nixpkgs
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
-    agenix.url = "github:ryantm/agenix";
+    nixpkgs-frigate.url = "github:NixOS/nixpkgs/5cfafa12d57374f48bcc36fda3274ada276cf69e";
-    # radio
+    # Common Utils Among flake inputs
-    radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main";
+    systems.url = "github:nix-systems/default";
-    radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
+    flake-utils = {
-    radio-web.flake = false;
+      url = "github:numtide/flake-utils";
-
+      inputs.systems.follows = "systems";
-    # drastikbot
+    };
-    drastikbot.url = "github:olagood/drastikbot/v2.1";
+    flake-compat = {
-    drastikbot.flake = false;
+      url = "github:edolstra/flake-compat";
-    drastikbot_modules.url = "github:olagood/drastikbot_modules/v2.1";
+      flake = false;
    drastikbot_modules.flake = false;
    dailybuild_modules.url = "git+https://git.neet.dev/zuckerberg/dailybuild_modules.git";
    dailybuild_modules.flake = false;
    };
-  outputs = inputs: {
+    # NixOS hardware
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    # Mail Server
    simple-nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-24_05.follows = "nixpkgs";
        flake-compat.follows = "flake-compat";
        utils.follows = "flake-utils";
      };
    };
    # Agenix
    agenix = {
      url = "github:ryantm/agenix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        systems.follows = "systems";
      };
    };
    # Radio
    radio = {
      url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-utils.follows = "flake-utils";
      };
    };
    radio-web = {
      url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
      flake = false;
    };
    # Dailybot
    dailybuild_modules = {
      url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-utils.follows = "flake-utils";
      };
    };
    # NixOS deployment
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-compat.follows = "flake-compat";
        utils.follows = "flake-utils";
      };
    };
    # Prebuilt nix-index database
    nix-index-database = {
      url = "github:Mic92/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Attic
    attic = {
      url = "github:zhaofengli/attic";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-stable.follows = "nixpkgs";
        flake-utils.follows = "flake-utils";
        flake-compat.follows = "flake-compat";
      };
    };
  };
  outputs = { self, nixpkgs, ... }@inputs:
    let
      machines = (import ./common/machine-info/moduleless.nix
        {
          inherit nixpkgs;
          assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
        }).machines.hosts;
    in
    {
      nixosConfigurations =
        let
-      nixpkgs = inputs.nixpkgs;
+          modules = system: hostname: with inputs; [
      mkSystem = system: nixpkgs: path:
        nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [
            path
            ./common
-            inputs.simple-nixos-mailserver.nixosModule
+            simple-nixos-mailserver.nixosModule
-            inputs.agenix.nixosModules.age
+            agenix.nixosModules.default
            dailybuild_modules.nixosModule
            nix-index-database.nixosModules.nix-index
            attic.nixosModules.atticd
            self.nixosModules.kernel-modules
            ({ lib, ... }: {
-              config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
+              config = {
                nixpkgs.overlays = [ self.overlays.default ];
                environment.systemPackages = [
                  agenix.packages.${system}.agenix
                ];
                networking.hostName = hostname;
              };
              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
              options.inputs = lib.mkOption { default = inputs; };
              options.currentSystem = lib.mkOption { default = system; };
            })
          ];
-          # specialArgs = {};
+
          mkSystem = system: nixpkgs: path: hostname:
            let
              allModules = modules system hostname;
              # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
              patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
                name = "nixpkgs-patched";
                src = nixpkgs;
                patches = [
                  ./patches/gamepadui.patch
                ];
              };
              patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
            in
            patchedNixpkgs.lib.nixosSystem {
              inherit system;
              modules = allModules ++ [ path ];
              specialArgs = {
                inherit allModules;
                lib = self.lib;
                nixos-hardware = inputs.nixos-hardware;
              };
            };
        in
        nixpkgs.lib.mapAttrs
          (hostname: cfg:
            mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
          machines;
      packages =
        let
          mkKexec = system:
            (nixpkgs.lib.nixosSystem {
              inherit system;
              modules = [ ./machines/ephemeral/kexec.nix ];
            }).config.system.build.kexec_tarball;
          mkIso = system:
            (nixpkgs.lib.nixosSystem {
              inherit system;
              modules = [ ./machines/ephemeral/iso.nix ];
            }).config.system.build.isoImage;
        in
        {
-      "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
+          "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
-      "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
+          "x86_64-linux"."iso" = mkIso "x86_64-linux";
-      "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
+          "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
-      "neetdev" = mkSystem "x86_64-linux" nixpkgs ./machines/neet.dev/configuration.nix;
+          "aarch64-linux"."iso" = mkIso "aarch64-linux";
      "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
      "s0" = mkSystem "aarch64-linux" nixpkgs ./machines/storage/s0/configuration.nix;
      "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
      "n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
      "n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;
      "n4" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n4/configuration.nix;
      "n5" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n5/configuration.nix;
      "n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
      "n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
        };
      overlays.default = import ./overlays { inherit inputs; };
      nixosModules.kernel-modules = import ./overlays/kernel-modules;
      deploy.nodes =
        let
          mkDeploy = configName: arch: hostname: {
            inherit hostname;
            magicRollback = false;
            sshUser = "root";
            profiles.system.path = inputs.deploy-rs.lib.${arch}.activate.nixos self.nixosConfigurations.${configName};
          };
        in
        nixpkgs.lib.mapAttrs
          (hostname: cfg:
            mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
          machines;
      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
      lib = nixpkgs.lib.extend (final: prev: import ./lib { lib = nixpkgs.lib; });
    };
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -0,0 +1,56 @@
 { lib, ... }:
 with lib;
 {
  # Passthrough trace for debugging
  pTrace = v: traceSeq v v;
  # find the total sum of a int list
  sum = foldr (x: y: x + y) 0;
  # splits a list of length two into two params then they're passed to a func
  splitPair = f: pair: f (head pair) (last pair);
  # Finds the max value in a list
  maxList = foldr max 0;
  # Sorts a int list. Greatest value first
  sortList = sort (x: y: x > y);
  # Cuts a list in half and returns the two parts in a list
  cutInHalf = l: [ (take (length l / 2) l) (drop (length l / 2) l) ];
  # Splits a list into a list of lists with length cnt
  chunksOf = cnt: l:
    if length l > 0 then
      [ (take cnt l) ] ++ chunksOf cnt (drop cnt l)
    else [ ];
  # same as intersectLists but takes an array of lists to intersect instead of just two
  intersectManyLists = ll: foldr intersectLists (head ll) ll;
  # converts a boolean to a int (c style)
  boolToInt = b: if b then 1 else 0;
  # drops the last element of a list
  dropLast = l: take (length l - 1) l;
  # transposes a matrix
  transpose = ll:
    let
      outerSize = length ll;
      innerSize = length (elemAt ll 0);
    in
    genList (i: genList (j: elemAt (elemAt ll j) i) outerSize) innerSize;
  # attriset recursiveUpdate but for a list of attrisets
  combineAttrs = foldl recursiveUpdate { };
  # visits every single attriset element of an attriset recursively
  # and accumulates the result of every visit in a flat list
  recurisveVisitAttrs = f: set:
    let
      visitor = n: v:
        if isAttrs v then [ (f n v) ] ++ recurisveVisitAttrs f v
        else [ (f n v) ];
    in
    concatLists (map (name: visitor name set.${name}) (attrNames set));
  # merges two lists of the same size (similar to map but both lists are inputs per iteration)
  mergeLists = f: a: imap0 (i: f (elemAt a i));
  map2D = f: ll:
    let
      outerSize = length ll;
      innerSize = length (elemAt ll 0);
      getElem = x: y: elemAt (elemAt ll y) x;
    in
    genList (y: genList (x: f x y (getElem x y)) innerSize) outerSize;
 }
--- a/lockfile-update.sh
+++ b/lockfile-update.sh
@@ -1,4 +0,0 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i bash -p bash
 nix flake update --commit-lock-file
--- a/machines/compute/common.nix
+++ b/machines/compute/common.nix
@@ -1,26 +0,0 @@
 { config, ... }:
 {
  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };
  nix.flakes.enable = true;
  system.autoUpgrade.enable = true;
  networking.interfaces.eth0.useDHCP = true;
  hardware.deviceTree.enable = true;
  hardware.deviceTree.overlays = [
    ./sopine-baseboard-ethernet.dtbo # fix pine64 clusterboard ethernet
  ];
 }
--- a/machines/compute/n1/configuration.nix
+++ b/machines/compute/n1/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n1";
 }
--- a/machines/compute/n2/configuration.nix
+++ b/machines/compute/n2/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n2";
 }
--- a/machines/compute/n3/configuration.nix
+++ b/machines/compute/n3/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n3";
 }
--- a/machines/compute/n4/configuration.nix
+++ b/machines/compute/n4/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n4";
 }
--- a/machines/compute/n5/configuration.nix
+++ b/machines/compute/n5/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n5";
 }
--- a/machines/compute/n6/configuration.nix
+++ b/machines/compute/n6/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n6";
 }
--- a/machines/compute/n7/configuration.nix
+++ b/machines/compute/n7/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n7";
 }
--- a/machines/compute/sopine-baseboard-ethernet.dtbo
+++ b/machines/compute/sopine-baseboard-ethernet.dtbo
--- a/machines/compute/sopine-baseboard-ethernet.dts
+++ b/machines/compute/sopine-baseboard-ethernet.dts
@@ -1,15 +0,0 @@
 /dts-v1/;
 / {
 	model = "SoPine with baseboard";
 	compatible = "pine64,sopine-baseboard\0pine64,sopine\0allwinner,sun50i-a64";
 	fragment@0 {
 /*		target = <&ethernet@1c30000>; */
 		target-path = "/soc/ethernet@1c30000";
 		__overlay__ {
 			allwinner,tx-delay-ps = <500>;
 		};
 	};
 };
--- a/machines/ephemeral/iso.nix
+++ b/machines/ephemeral/iso.nix
@@ -0,0 +1,12 @@
 { modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/iso-image.nix")
    ./minimal.nix
  ];
  isoImage.makeUsbBootable = true;
  networking.hostName = "iso";
 }
--- a/machines/ephemeral/kexec.nix
+++ b/machines/ephemeral/kexec.nix
@@ -0,0 +1,48 @@
 # From https://mdleom.com/blog/2021/03/09/nixos-oracle/#Build-a-kexec-tarball
 # Builds a kexec img
 { config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/netboot/netboot.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./minimal.nix
  ];
  networking.hostName = "kexec";
  # stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
  system.build = rec {
    image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
      mkdir $out
      if [ -f ${config.system.build.kernel}/bzImage ]; then
        cp ${config.system.build.kernel}/bzImage $out/kernel
      else
        cp ${config.system.build.kernel}/Image $out/kernel
      fi
      cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
      nuke-refs $out/kernel
    '';
    kexec_script = pkgs.writeTextFile {
      executable = true;
      name = "kexec-nixos";
      text = ''
        #!${pkgs.stdenv.shell}
        set -e
        ${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
        sync
        echo "executing kernel, filesystems will be improperly umounted"
        ${pkgs.kexectools}/bin/kexec -e
      '';
    };
    kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
      storeContents = [
        {
          object = config.system.build.kexec_script;
          symlink = "/kexec_nixos";
        }
      ];
      contents = [ ];
    };
  };
 }
--- a/machines/ephemeral/minimal.nix
+++ b/machines/ephemeral/minimal.nix
@@ -0,0 +1,53 @@
 { config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/channel.nix")
    ../../common/machine-info
    ../../common/ssh.nix
  ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
  boot.kernelParams = [
    "panic=30"
    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0,115200" # enable serial console
    "console=tty1"
  ];
  boot.kernel.sysctl."vm.overcommit_memory" = "1";
  boot.kernelPackages = pkgs.linuxPackages_latest;
  system.stateVersion = "21.11";
  # hardware.enableAllFirmware = true;
  # nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    cryptsetup
    btrfs-progs
    git
    git-lfs
    wget
    htop
    dnsutils
    pciutils
    usbutils
    lm_sensors
  ];
  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
  networking.useDHCP = true;
  services.openssh = {
    enable = true;
    settings = {
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
    };
  };
  services.getty.autologinUser = "root";
  users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
 }
--- a/machines/ephemeral/sdimg.nix
+++ b/machines/ephemeral/sdimg.nix
@@ -0,0 +1,57 @@
 { config, modulesPath, pkgs, lib, ... }:
 let
  pinecube-uboot = pkgs.buildUBoot {
    defconfig = "pinecube_defconfig";
    extraMeta.platforms = [ "armv7l-linux" ];
    filesToInstall = [ "u-boot-sunxi-with-spl.bin" ];
  };
 in
 {
  imports = [
    (modulesPath + "/installer/sd-card/sd-image.nix")
    ./minimal.nix
  ];
  sdImage.populateFirmwareCommands = "";
  sdImage.populateRootCommands = ''
    mkdir -p ./files/boot
    ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
  '';
  sdImage.postBuildCommands = ''
    dd if=${pinecube-uboot}/u-boot-sunxi-with-spl.bin of=$img bs=1024 seek=8 conv=notrunc
  '';
  ###
  networking.hostName = "pinecube";
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.consoleLogLevel = 7;
  # cma is 64M by default which is waay too much and we can't even unpack initrd
  boot.kernelParams = [ "console=ttyS0,115200n8" "cma=32M" ];
  boot.kernelModules = [ "spi-nor" ]; # Not sure why this doesn't autoload. Provides SPI NOR at /dev/mtd0
  boot.extraModulePackages = [ config.boot.kernelPackages.rtl8189es ];
  zramSwap.enable = true; # 128MB is not much to work with
  sound.enable = true;
  environment.systemPackages = with pkgs; [
    ffmpeg
    (v4l_utils.override { withGUI = false; })
    usbutils
  ];
  services.getty.autologinUser = lib.mkForce "googlebot";
  users.users.googlebot = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" "video" ];
    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
  };
  networking.wireless.enable = true;
 }
--- a/Show More
+++ b/Show More