prototype

Move s0 to systemd-boot
Automatically set machine hostname
2023-04-26 14:46:55 -06:00 · 2023-04-25 23:41:08 -06:00 · 2023-04-24 20:52:17 -06:00 · 2023-04-23 10:29:18 -06:00 · 2023-04-23 10:28:55 -06:00 · 2023-04-23 10:16:54 -06:00
161 changed files with 4622 additions and 6558 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
 result
--- a/README.md
+++ b/README.md
@@ -0,0 +1,11 @@
 # My NixOS configurations
 ### Source Layout
 - `/common` - common configuration imported into all `/machines`
    - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
    - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
 - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
 - `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1,84 @@
 # A place for brain dump ideas maybe to be taken off of the shelve one day
 ### NixOS webtools
 - Better options search https://mynixos.com/options/services 
 ### Interesting ideas for restructuring nixos config
 - https://github.com/gytis-ivaskevicius/flake-utils-plus
 - https://github.com/divnix/digga/tree/main/examples/devos
 - https://digga.divnix.com/
 - https://nixos.wiki/wiki/Comparison_of_NixOS_setups
 ### Housekeeping
 - Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
 - remove `options.currentSystem`
 - allow `hostname` option for webservices to be null to disable configuring nginx
 ### NAS
 - safely turn off NAS on power disconnect
 ### Shell Comands
 - tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
 ### Services
 - setup archivebox
 - radio https://tildegit.org/tilderadio/site
 - music
    - mopidy
        - use the jellyfin plugin?
    - navidrome
        - spotify secrets for navidrome
    - picard for music tagging
    - alternative music software
        - https://www.smarthomebeginner.com/best-music-server-software-options/
        - https://funkwhale.audio/
        - https://github.com/epoupon/lms
        - https://github.com/benkaiser/stretto
        - https://github.com/blackcandy-org/black_candy
        - https://github.com/koel/koel
        - https://airsonic.github.io/
        - https://ampache.org/
 - replace nextcloud with seafile
 ### Archive
 - email
    - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
    - http://kb.unixservertech.com/software/dovecot/archiveserver
 ### Paranoia
 - https://christine.website/blog/paranoid-nixos-2021-07-18
 - https://nixos.wiki/wiki/Impermanence
 # Setup CI
 - CI
    - hydra
    - https://docs.cachix.org/continuous-integration-setup/
 - Binary Cache
    - Maybe use cachix https://gvolpe.com/blog/nixos-binary-cache-ci/
    - Self hosted binary cache? https://www.tweag.io/blog/2019-11-21-untrusted-ci/
    - https://github.com/edolstra/nix-serve
    - https://nixos.wiki/wiki/Binary_Cache
    - https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
 - Both
    - https://garnix.io/
    - https://nixbuild.net
 # Secrets
 - consider using headscale
 - Replace luks over tor for remote unlock with luks over tailscale using ephemeral keys
 - Rollover luks FDE passwords
 - /secrets on personal computers should only be readable using a trusted ssh key, preferably requiring a yubikey
 - Rollover shared yubikey secrets
 - offsite backup yubikey, pw db, and ssh key with /secrets access
 ### Misc
 - for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
  - https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper
 ### Future Interests (upon merge into nixpkgs)
 - nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
 - glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356
--- a/common/auto-update.nix
+++ b/common/auto-update.nix
@@ -1,14 +1,25 @@
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:
 # Modify auto-update so that it pulls a flake
 let
  cfg = config.system.autoUpgrade;
-in {
+in
-  config = lib.mkIf cfg.enable {
+{
-    system.autoUpgrade = {
+  config = lib.mkIf cfg.enable (lib.mkMerge [
-      flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
+    {
-      flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
+      system.autoUpgrade = {
-    };
+        flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
-  };
+        flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
        # dates = "03:40";
        # kexecWindow = lib.mkDefault { lower = "01:00"; upper = "05:00"; };
        # randomizedDelaySec = "45min";
      };
      system.autoUpgrade.allowKexec = lib.mkDefault true;
      luks.enableKexec = cfg.allowKexec && builtins.length config.luks.devices > 0;
    }
  ]);
 }
--- a/common/backups.nix
+++ b/common/backups.nix
@@ -0,0 +1,78 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.backup;
  hostname = config.networking.hostName;
  mkRespository = group: "s3:s3.us-west-004.backblazeb2.com/D22TgIt0-main-backup/${group}";
  mkBackup = group: paths: {
    repository = mkRespository group;
    inherit paths;
    initialize = true;
    timerConfig = {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
    extraBackupArgs = [
      ''--exclude-if-present ".nobackup"''
    ];
    pruneOpts = [
      "--keep-daily 7" # one backup for each of the last n days
      "--keep-weekly 5" # one backup for each of the last n weeks
      "--keep-monthly 12" # one backup for each of the last n months
      "--keep-yearly 75" # one backup for each of the last n years
    ];
    environmentFile = "/run/agenix/backblaze-s3-backups";
    passwordFile = "/run/agenix/restic-password";
  };
  # example usage: "sudo restic_samba unlock" (removes lockfile)
  mkResticGroupCmd = group: pkgs.writeShellScriptBin "restic_${group}" ''
    if [ "$EUID" -ne 0 ]
      then echo "Run as root"
      exit
    fi
    . /run/agenix/backblaze-s3-backups
    export AWS_SECRET_ACCESS_KEY
    export AWS_ACCESS_KEY_ID
    export RESTIC_PASSWORD_FILE=/run/agenix/restic-password
    export RESTIC_REPOSITORY="${mkRespository group}"
    exec ${pkgs.restic}/bin/restic "$@"
  '';
 in
 {
  options.backup = {
    group = lib.mkOption {
      default = null;
      type = lib.types.nullOr (lib.types.attrsOf (lib.types.submodule {
        options = {
          paths = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            description = ''
              Paths to backup
            '';
          };
        };
      }));
    };
  };
  config = lib.mkIf (cfg.group != null) {
    services.restic.backups = lib.concatMapAttrs
      (group: groupCfg: {
        ${group} = mkBackup group groupCfg.paths;
      })
      cfg.group;
    age.secrets.backblaze-s3-backups.file = ../secrets/backblaze-s3-backups.age;
    age.secrets.restic-password.file = ../secrets/restic-password.age;
    environment.systemPackages = map mkResticGroupCmd (builtins.attrNames cfg.group);
  };
 }
--- a/common/boot/bios.nix
+++ b/common/boot/bios.nix
@@ -3,7 +3,8 @@
 with lib;
 let
  cfg = config.bios;
-in {
+in
 {
  options.bios = {
    enable = mkEnableOption "enable bios boot";
    device = mkOption {
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@@ -5,6 +5,8 @@
    ./firmware.nix
    ./efi.nix
    ./bios.nix
    ./kexec-luks.nix
    ./luks.nix
    ./remote-luks-unlock.nix
  ];
 }
--- a/common/boot/efi.nix
+++ b/common/boot/efi.nix
@@ -3,7 +3,8 @@
 with lib;
 let
  cfg = config.efi;
-in {
+in
 {
  options.efi = {
    enable = mkEnableOption "enable efi boot";
  };
@@ -19,7 +20,7 @@ in {
        version = 2;
        efiSupport = true;
        useOSProber = true;
-#       memtest86.enable = true;
+        #       memtest86.enable = true;
        configurationLimit = 20;
        theme = pkgs.nixos-grub2-theme;
      };
--- a/common/boot/firmware.nix
+++ b/common/boot/firmware.nix
@@ -3,7 +3,8 @@
 with lib;
 let
  cfg = config.firmware;
-in {
+in
 {
  options.firmware.x86_64 = {
    enable = mkEnableOption "enable x86_64 firmware";
  };
--- a/common/boot/kexec-luks.nix
+++ b/common/boot/kexec-luks.nix
@@ -0,0 +1,121 @@
 # Allows kexec'ing as an alternative to rebooting for machines that
 # have luks encrypted partitions that need to be mounted at boot.
 # These luks partitions will be automatically unlocked, no password,
 # or any interaction needed whatsoever.
 # This is accomplished by fetching the luks key(s) while the system is running,
 # then building a temporary initrd that contains the luks key(s), and kexec'ing.
 { config, lib, pkgs, ... }:
 {
  options.luks = {
    enableKexec = lib.mkEnableOption "Enable support for transparent passwordless kexec while using luks";
  };
  config = lib.mkIf config.luks.enableKexec {
    luks.fallbackToPassword = true;
    luks.disableKeyring = true;
    boot.initrd.luks.devices = lib.listToAttrs
      (builtins.map
        (item:
          {
            name = item;
            value = {
              masterKeyFile = "/etc/${item}.key";
            };
          })
        config.luks.deviceNames);
    systemd.services.prepare-luks-kexec-image = {
      description = "Prepare kexec automatic LUKS unlock on kexec reboot without a password";
      wantedBy = [ "kexec.target" ];
      unitConfig.DefaultDependencies = false;
      serviceConfig.Type = "oneshot";
      path = with pkgs; [ file kexec-tools coreutils-full cpio findutils gzip xz zstd lvm2 xxd gawk ];
      # based on https://github.com/flowztul/keyexec
      script = ''
        system=/nix/var/nix/profiles/system
        old_initrd=$(readlink -f "$system/initrd")
        umask 0077
        CRYPTROOT_TMPDIR="$(mktemp -d --tmpdir=/dev/shm)"
        cleanup() {
          shred -fu "$CRYPTROOT_TMPDIR/initrd_contents/etc/"*.key || true
          shred -fu "$CRYPTROOT_TMPDIR/new_initrd" || true
          shred -fu "$CRYPTROOT_TMPDIR/secret/"* || true
          rm -rf "$CRYPTROOT_TMPDIR"
        }
        # trap cleanup INT TERM EXIT
        mkdir -p "$CRYPTROOT_TMPDIR"
        cd "$CRYPTROOT_TMPDIR"
        # Determine the compression type of the initrd image
        compression=$(file -b --mime-type "$old_initrd" | awk -F'/' '{print $2}')
        # Decompress the initrd image based on its compression type
        case "$compression" in
          gzip)
            gunzip -c "$old_initrd" > initrd.cpio
            ;;
          xz)
            unxz -c "$old_initrd" > initrd.cpio
            ;;
          zstd)
            zstd -d -c "$old_initrd" > initrd.cpio
            ;;
          *)
            echo "Unsupported compression type: $compression"
            exit 1
            ;;
        esac
        # Extract the contents of the cpio archive
        mkdir -p initrd_contents
        cd initrd_contents
        cpio -idv < ../initrd.cpio
        # Generate keys and add them to the extracted initrd filesystem
        luksDeviceNames=(${builtins.concatStringsSep " " config.luks.deviceNames})
        for item in "''${luksDeviceNames[@]}"; do
          dmsetup --showkeys table "$item" | cut -d ' ' -f5 | xxd -ps -g1 -r > "./etc/$item.key"
        done
        # Add normal initrd secrets too
        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (dest: source:
            let source' = if source == null then dest else builtins.toString source; in
              ''
                mkdir -p $(dirname "./${dest}")
                cp -a ${source'} "./${dest}"
              ''
          ) config.boot.initrd.secrets)
        }
        # Create a new cpio archive with the modified contents
        find . | cpio -o -H newc -v > ../new_initrd.cpio
        # Compress the new cpio archive using the original compression type
        cd ..
        case "$compression" in
          gzip)
            gunzip -c new_initrd.cpio > new_initrd
            ;;
          xz)
            unxz -c new_initrd.cpio > new_initrd
            ;;
          zstd)
            zstd -c new_initrd.cpio > new_initrd
            ;;
        esac
        kexec --load "$system/kernel" --append "init=$system/init ${builtins.concatStringsSep " " config.boot.kernelParams}" --initrd "$CRYPTROOT_TMPDIR/new_initrd"
      '';
    };
  };
 }
--- a/common/boot/luks.nix
+++ b/common/boot/luks.nix
@@ -1,101 +1,74 @@
-{ config, pkgs, lib, ... }:
+# Makes it a little easier to configure luks partitions for boot
 # Additionally, this solves a circular dependency between kexec luks
 # and NixOS's luks module.
 { config, lib, ... }:
 let
  cfg = config.luks;
-in {
+
  deviceCount = builtins.length cfg.devices;
  deviceMap = lib.imap
    (i: item: {
      device = item;
      name =
        if deviceCount == 1 then "enc-pv"
        else "enc-pv${builtins.toString (i + 1)}";
    })
    cfg.devices;
 in
 {
  options.luks = {
-    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
+    devices = lib.mkOption {
-    device = {
+      type = lib.types.listOf lib.types.str;
-      name = lib.mkOption {
+      default = [ ];
        type = lib.types.str;
        default = "enc-pv";
      };
      path = lib.mkOption {
        type = lib.types.either lib.types.str lib.types.path;
      };
      allowDiscards = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
    };
-    sshHostKeys = lib.mkOption {
+
-      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
+    allowDiscards = lib.mkOption {
-      default = [
+      type = lib.types.bool;
-        "/secret/ssh_host_rsa_key"
+      default = true;
-        "/secret/ssh_host_ed25519_key"
+    };
    fallbackToPassword = lib.mkEnableOption
      "Fallback to interactive passphrase prompt if the cannot be found.";
    disableKeyring = lib.mkEnableOption
      "When opening LUKS2 devices, don't use the kernel keyring";
    # set automatically, don't touch
    deviceNames = lib.mkOption {
      type = lib.types.listOf lib.types.str;
    };
  };
  config = lib.mkMerge [
    {
      assertions = [
        {
          assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
          message = ''
            All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
          '';
        }
      ];
-    };
+    }
-    sshAuthorizedKeys = lib.mkOption {
+    (lib.mkIf (deviceCount != 0) {
-      type = lib.types.listOf lib.types.str;
+      luks.deviceNames = builtins.map (device: device.name) deviceMap;
      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
    };
    onionConfig = lib.mkOption {
      type = lib.types.path;
      default = /secret/onion;
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
    };
  };
-  config = lib.mkIf cfg.enable {
+      boot.initrd.luks.devices = lib.listToAttrs (
-    boot.initrd.luks.devices.${cfg.device.name} = {
+        builtins.map
-      device = cfg.device.path;
+          (item:
-      allowDiscards = cfg.device.allowDiscards;
+            {
-    };
+              name = item.name;
-
+              value = {
-    # Unlock LUKS disk over ssh
+                device = item.device;
-    boot.initrd.network.enable = true;
+                allowDiscards = cfg.allowDiscards;
-    boot.initrd.kernelModules = cfg.kernelModules;
+                fallbackToPassword = cfg.fallbackToPassword;
-    boot.initrd.network.ssh = {
+                disableKeyring = cfg.disableKeyring;
-      enable = true;
+              };
-      port = 22;
+            })
-      hostKeys = cfg.sshHostKeys;
+          deviceMap);
-      authorizedKeys = cfg.sshAuthorizedKeys;
+    })
-    };
+  ];
    boot.initrd.postDeviceCommands = ''
      echo 'waiting for root device to be opened...'
      mkfifo /crypt-ramfs/passphrase
      echo /crypt-ramfs/passphrase >> /dev/null
    '';
    # Make machine accessable over tor for boot unlock
    boot.initrd.secrets = {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
    # start tor during boot process
    boot.initrd.network.postCommands = let
      torRc = (pkgs.writeText "tor.rc" ''
        DataDirectory /etc/tor
        SOCKSPort 127.0.0.1:9050 IsolateDestAddr
        SOCKSPort 127.0.0.1:9063
        HiddenServiceDir /etc/tor/onion/bootup
        HiddenServicePort 22 127.0.0.1:22
      '');
    in ''
      # Add nice prompt for giving LUKS passphrase over ssh
      echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
      echo "tor: preparing onion folder"
      # have to do this otherwise tor does not want to start
      chmod -R 700 /etc/tor
      echo "make sure localhost is up"
      ip a a 127.0.0.1/8 dev lo
      ip link set lo up
      echo "haveged: starting haveged"
      haveged -F &
      echo "tor: starting tor"
      tor -f ${torRc} --verify-config
      tor -f ${torRc} &
    '';
  };
 }
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@@ -0,0 +1,94 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.remoteLuksUnlock;
 in
 {
  options.remoteLuksUnlock = {
    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
    enableTorUnlock = lib.mkOption {
      type = lib.types.bool;
      default = cfg.enable;
      description = "Make machine accessable over tor for ssh boot unlock";
    };
    sshHostKeys = lib.mkOption {
      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
      default = [
        "/secret/ssh_host_rsa_key"
        "/secret/ssh_host_ed25519_key"
      ];
    };
    sshAuthorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
    };
    onionConfig = lib.mkOption {
      type = lib.types.path;
      default = /secret/onion;
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
    };
  };
  config = lib.mkIf cfg.enable {
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;
    boot.initrd.network.ssh = {
      enable = true;
      port = 22;
      hostKeys = cfg.sshHostKeys;
      authorizedKeys = cfg.sshAuthorizedKeys;
    };
    boot.initrd.postDeviceCommands = ''
      echo 'waiting for root device to be opened...'
      mkfifo /crypt-ramfs/passphrase
      echo /crypt-ramfs/passphrase >> /dev/null
    '';
    boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
    boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
    boot.initrd.network.postCommands = lib.mkMerge [
      (
        ''
          # Add nice prompt for giving LUKS passphrase over ssh
          echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
        ''
      )
      (
        let torRc = (pkgs.writeText "tor.rc" ''
          DataDirectory /etc/tor
          SOCKSPort 127.0.0.1:9050 IsolateDestAddr
          SOCKSPort 127.0.0.1:9063
          HiddenServiceDir /etc/tor/onion/bootup
          HiddenServicePort 22 127.0.0.1:22
        ''); in
        lib.mkIf cfg.enableTorUnlock ''
          echo "tor: preparing onion folder"
          # have to do this otherwise tor does not want to start
          chmod -R 700 /etc/tor
          echo "make sure localhost is up"
          ip a a 127.0.0.1/8 dev lo
          ip link set lo up
          echo "haveged: starting haveged"
          haveged -F &
          echo "tor: starting tor"
          tor -f ${torRc} --verify-config
          tor -f ${torRc} &
        ''
      )
    ];
  };
 }
--- a/common/default.nix
+++ b/common/default.nix
@@ -2,30 +2,44 @@
 {
  imports = [
    ./backups.nix
    ./flakes.nix
    ./pia.nix
    ./zerotier.nix
    ./auto-update.nix
    ./shell.nix
    ./network
    ./boot
    ./server
    ./pc
    ./machine-info
    ./ssh.nix
  ];
-  system.stateVersion = "20.09";
+  nix.flakes.enable = true;
  system.stateVersion = "21.11";
  networking.useDHCP = false;
-  time.timeZone = "America/New_York";
+  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
  time.timeZone = "America/Denver";
  i18n.defaultLocale = "en_US.UTF-8";
-  services.openssh.enable = true;
+  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
    };
  };
  programs.mosh.enable = true;
  environment.systemPackages = with pkgs; [
    wget
    kakoune
    htop
-    git git-lfs
+    git
    git-lfs
    dnsutils
    tmux
    nethogs
@@ -33,6 +47,12 @@
    pciutils
    usbutils
    killall
    screen
    micro
    helix
    lm_sensors
    picocom
    lf
  ];
  nixpkgs.config.allowUnfree = true;
@@ -40,11 +60,32 @@
  users.mutableUsers = false;
  users.users.googlebot = {
    isNormalUser = true;
-    extraGroups = [ "wheel" ];
+    extraGroups = [
-    openssh.authorizedKeys.keys = (import ./ssh.nix).users;
+      "wheel"
      "dialout" # serial
    ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
    uid = 1000;
  };
-  nix.trustedUsers = [ "root" "googlebot" ];
+  users.users.root = {
    openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
  };
  nix.settings = {
    trusted-users = [ "root" "googlebot" ];
  };
  # don't use sudo
  security.doas.enable = true;
  security.sudo.enable = false;
  security.doas.extraRules = [
    # don't ask for password every time
    { groups = [ "wheel" ]; persist = true; }
  ];
  nix.gc.automatic = true;
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "zuckerberg@neet.dev";
 }
--- a/common/flakes.nix
+++ b/common/flakes.nix
@@ -2,7 +2,8 @@
 with lib;
 let
  cfg = config.nix.flakes;
-in {
+in
 {
  options.nix.flakes = {
    enable = mkEnableOption "use nix flakes";
  };
@@ -16,6 +17,9 @@ in {
      # pin nixpkgs for system commands such as "nix shell"
      registry.nixpkgs.flake = config.inputs.nixpkgs;
      # pin system nixpkgs to the same version as the flake input
      nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
    };
  };
 }
--- a/common/machine-info/default.nix
+++ b/common/machine-info/default.nix
@@ -0,0 +1,200 @@
 # Gathers info about each machine to constuct overall configuration
 # Ex: Each machine already trusts each others SSH fingerprint already
 { config, lib, pkgs, ... }:
 let
  machines = config.machines.hosts;
 in
 {
  imports = [
    ./ssh.nix
    ./roles.nix
  ];
  options.machines = {
    hosts = lib.mkOption {
      type = lib.types.attrsOf
        (lib.types.submodule {
          options = {
            hostNames = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              description = ''
                List of hostnames for this machine. The first one is the default so it is the target of deployments.
                Used for automatically trusting hosts for ssh connections.
              '';
            };
            arch = lib.mkOption {
              type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
              description = ''
                The architecture of this machine.
              '';
            };
            systemRoles = lib.mkOption {
              type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
              description = ''
                The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
              '';
            };
            hostKey = lib.mkOption {
              type = lib.types.str;
              description = ''
                The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
                and for decrypting secrets with agenix.
              '';
            };
            remoteUnlock = lib.mkOption {
              default = null;
              type = lib.types.nullOr (lib.types.submodule {
                options = {
                  hostKey = lib.mkOption {
                    type = lib.types.str;
                    description = ''
                      The system ssh host key of this machine used for luks boot unlocking only.
                    '';
                  };
                  clearnetHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over clearnet used to luks boot unlock this machine
                    '';
                  };
                  onionHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over tor used to luks boot unlock this machine
                    '';
                  };
                };
              });
            };
            userKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
                TODO: consider auto populating other programs that use ssh keys such as gitea
              '';
            };
            deployKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of deployment keys. Each key here can be used to log into all other systems as `root`.
              '';
            };
            configurationPath = lib.mkOption {
              type = lib.types.path;
              description = ''
                The path to this machine's configuration directory.
              '';
            };
          };
        });
    };
  };
  config = {
    assertions = (lib.concatLists (lib.mapAttrsToList
      (
        name: cfg: [
          {
            assertion = builtins.length cfg.hostNames > 0;
            message = ''
              Error with config for ${name}
              There must be at least one hostname.
            '';
          }
          {
            assertion = builtins.length cfg.systemRoles > 0;
            message = ''
              Error with config for ${name}
              There must be at least one system role.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.hostKey != cfg.hostKey;
            message = ''
              Error with config for ${name}
              Unlock hostkey and hostkey cannot be the same because unlock hostkey is in /boot, unencrypted.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || (cfg.remoteUnlock.clearnetHost != null || cfg.remoteUnlock.onionHost != null);
            message = ''
              Error with config for ${name}
              At least one of clearnet host or onion host must be defined.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.clearnetHost == null || builtins.elem cfg.remoteUnlock.clearnetHost cfg.hostNames == false;
            message = ''
              Error with config for ${name}
              Clearnet unlock hostname cannot be in the list of hostnames for security reasons.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.onionHost == null || lib.strings.hasSuffix ".onion" cfg.remoteUnlock.onionHost;
            message = ''
              Error with config for ${name}
              Tor unlock hostname must be an onion address.
            '';
          }
          {
            assertion = builtins.elem "personal" cfg.systemRoles || builtins.length cfg.userKeys == 0;
            message = ''
              Error with config for ${name}
              There must be at least one userkey defined for personal machines.
            '';
          }
          {
            assertion = builtins.elem "deploy" cfg.systemRoles || builtins.length cfg.deployKeys == 0;
            message = ''
              Error with config for ${name}
              Only deploy machines are allowed to have deploy keys for security reasons.
            '';
          }
        ]
      )
      machines));
    # Set per machine properties automatically using each of their `properties.nix` files respectively
    machines.hosts =
      let
        properties = dir: lib.concatMapAttrs
          (name: path: {
            ${name} =
              import path
              //
              { configurationPath = builtins.dirOf path; };
          })
          (propertiesFiles dir);
        propertiesFiles = dir:
          lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
        propertiesFiles' = dir:
          let
            propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
            dirName = path: builtins.baseNameOf (builtins.dirOf path);
          in
          builtins.map (p: { "${dirName p}" = p; }) propFiles;
      in
      properties ../../machines;
  };
 }
--- a/common/machine-info/moduleless.nix
+++ b/common/machine-info/moduleless.nix
@@ -0,0 +1,15 @@
 # Allows getting machine-info outside the scope of nixos configuration
 { nixpkgs ? import <nixpkgs> { }
 , assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
 }:
 {
  machines =
    (nixpkgs.lib.evalModules {
      modules = [
        ./default.nix
        assertionsModule
      ];
    }).config.machines;
 }
--- a/common/machine-info/roles.nix
+++ b/common/machine-info/roles.nix
@@ -0,0 +1,19 @@
 { config, lib, ... }:
 # Maps roles to their hosts
 {
  options.machines.roles = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
  };
  config = {
    machines.roles = lib.zipAttrs
      (lib.mapAttrsToList
        (host: cfg:
          lib.foldl (lib.mergeAttrs) { }
            (builtins.map (role: { ${role} = host; })
              cfg.systemRoles))
        config.machines.hosts);
  };
 }
--- a/common/machine-info/ssh.nix
+++ b/common/machine-info/ssh.nix
@@ -0,0 +1,44 @@
 { config, lib, ... }:
 let
  machines = config.machines;
  sshkeys = keyType: lib.foldl (l: cfg: l ++ cfg.${keyType}) [ ] (builtins.attrValues machines.hosts);
 in
 {
  options.machines.ssh = {
    userKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        List of user keys aggregated from all machines.
      '';
    };
    deployKeys = lib.mkOption {
      default = [ ];
      type = lib.types.listOf lib.types.str;
      description = ''
        List of deploy keys aggregated from all machines.
      '';
    };
    hostKeysByRole = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      description = ''
        Machine host keys divided into their roles.
      '';
    };
  };
  config = {
    machines.ssh.userKeys = sshkeys "userKeys";
    machines.ssh.deployKeys = sshkeys "deployKeys";
    machines.ssh.hostKeysByRole = lib.mapAttrs
      (role: hosts:
        builtins.map
          (host: machines.hosts.${host}.hostKey)
          hosts)
      machines.roles;
  };
 }
--- a/common/network/ca.rsa.4096.crt
+++ b/common/network/ca.rsa.4096.crt
@@ -0,0 +1,43 @@
 -----BEGIN CERTIFICATE-----
 MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
 VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
 BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
 dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
 IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
 FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
 MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
 EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
 QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
 AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
 ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
 bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
 hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
 De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
 V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
 25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
 fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
 p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
 Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
 tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
 jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
 meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
 1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
 HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
 yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
 EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
 cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
 HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
 ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
 aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
 hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
 pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
 Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
 tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
 LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
 6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
 5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
 JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
 iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
 8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
 +no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
 -----END CERTIFICATE-----
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -0,0 +1,23 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.networking;
 in
 {
  imports = [
    ./pia-openvpn.nix
    ./pia-wireguard.nix
    ./ping.nix
    ./tailscale.nix
    ./vpn.nix
  ];
  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
  config = mkIf cfg.ip_forward {
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  };
 }
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@@ -0,0 +1,113 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.pia.openvpn;
  vpnfailsafe = pkgs.stdenv.mkDerivation {
    pname = "vpnfailsafe";
    version = "0.0.1";
    src = ./.;
    installPhase = ''
      mkdir -p $out
      cp vpnfailsafe.sh $out/vpnfailsafe.sh
      sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
    '';
  };
 in
 {
  options.pia.openvpn = {
    enable = lib.mkEnableOption "Enable private internet access";
    server = lib.mkOption {
      type = lib.types.str;
      default = "us-washingtondc.privacy.network";
      example = "swiss.privacy.network";
    };
  };
  config = lib.mkIf cfg.enable {
    services.openvpn = {
      servers = {
        pia = {
          config = ''
            client
            dev tun
            proto udp
            remote ${cfg.server} 1198
            resolv-retry infinite
            nobind
            persist-key
            persist-tun
            cipher aes-128-cbc
            auth sha1
            tls-client
            remote-cert-tls server
            auth-user-pass
            compress
            verb 1
            reneg-sec 0
            <crl-verify>
            -----BEGIN X509 CRL-----
            MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
            EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
            cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
            HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
            ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
            aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
            MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
            9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
            jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
            B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
            ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
            5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
            MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
            -----END X509 CRL-----
            </crl-verify>
            <ca>
            -----BEGIN CERTIFICATE-----
            MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
            VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
            BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
            dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
            IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
            FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
            MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
            EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
            QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
            AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
            ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
            bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
            L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
            lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
            cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
            8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
            /5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
            OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
            y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
            sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
            b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
            A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
            SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
            czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
            b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
            a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
            ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
            7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
            GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
            1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
            YDQ8z9v+DMO6iwyIDRiU
            -----END CERTIFICATE-----
            </ca>
            disable-occ
            auth-user-pass /run/agenix/pia-login.conf
          '';
          autoStart = true;
          up = "${vpnfailsafe}/vpnfailsafe.sh";
          down = "${vpnfailsafe}/vpnfailsafe.sh";
        };
      };
    };
    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -0,0 +1,357 @@
 { config, lib, pkgs, ... }:
 # Server list:
 #   https://serverlist.piaservers.net/vpninfo/servers/v6
 # Reference materials:
 #   https://github.com/pia-foss/manual-connections
 #   https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
 # TODO handle potential errors (or at least print status, success, and failures to the console)
 # TODO parameterize names of systemd services so that multiple wg VPNs could coexist in theory easier
 # TODO implement this module such that the wireguard VPN doesn't have to live in a container
 # TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
 # TODO verify signatures of PIA responses
 with builtins;
 with lib;
 let
  cfg = config.pia.wireguard;
  getPIAToken = ''
    PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
    PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
    # PIA_TOKEN only lasts 24hrs
    PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
  '';
  chooseWireguardServer = ''
    servers=$(mktemp)
    servers_json=$(mktemp)
    curl -s "https://serverlist.piaservers.net/vpninfo/servers/v6" > "$servers"
    # extract json part only
    head -n 1 "$servers" | tr -d '\n' > "$servers_json"
    echo "Available location ids:" && jq '.regions | .[] | {name, id, port_forward}' "$servers_json"
    # Some locations have multiple servers available. Pick a random one.
    totalservers=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | length' "$servers_json")
    if ! [[ "$totalservers" =~ ^[0-9]+$ ]] || [ "$totalservers" -eq 0 ] 2>/dev/null; then
      echo "Location \"${cfg.serverLocation}\" not found."
      exit 1
    fi
    serverindex=$(( RANDOM % totalservers))
    WG_HOSTNAME=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].cn' "$servers_json")
    WG_SERVER_IP=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].ip' "$servers_json")
    WG_SERVER_PORT=$(jq -r '.groups.wg | .[0] | .ports | .[0]' "$servers_json")
    # write chosen server
    rm -f /tmp/${cfg.interfaceName}-server.conf
    touch /tmp/${cfg.interfaceName}-server.conf
    chmod 700 /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_HOSTNAME" >> /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_SERVER_IP" >> /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_SERVER_PORT" >> /tmp/${cfg.interfaceName}-server.conf
    rm $servers_json $servers
  '';
  getChosenWireguardServer = ''
    WG_HOSTNAME=`sed '1q;d' /tmp/${cfg.interfaceName}-server.conf`
    WG_SERVER_IP=`sed '2q;d' /tmp/${cfg.interfaceName}-server.conf`
    WG_SERVER_PORT=`sed '3q;d' /tmp/${cfg.interfaceName}-server.conf`
  '';
  refreshPIAPort = ''
    ${getChosenWireguardServer}
    signature=`sed '1q;d' /tmp/${cfg.interfaceName}-port-renewal`
    payload=`sed '2q;d' /tmp/${cfg.interfaceName}-port-renewal`
    bind_port_response=`curl -Gs -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "payload=$payload" --data-urlencode "signature=$signature" "https://$WG_HOSTNAME:19999/bindPort"`
  '';
  portForwarding = cfg.forwardPortForTransmission || cfg.forwardedPort != null;
  containerServiceName = "container@${config.vpn-container.containerName}.service";
 in
 {
  options.pia.wireguard = {
    enable = mkEnableOption "Enable private internet access";
    badPortForwardPorts = mkOption {
      type = types.listOf types.port;
      description = ''
        Ports that will not be accepted from PIA.
        If PIA assigns a port from this list, the connection is aborted since we cannot ask for a different port.
        This is used to guarantee we are not assigned a port that is used by a service we do not want exposed.
      '';
    };
    wireguardListenPort = mkOption {
      type = types.port;
      description = "The port wireguard listens on for this VPN connection";
      default = 51820;
    };
    serverLocation = mkOption {
      type = types.str;
      default = "swiss";
    };
    interfaceName = mkOption {
      type = types.str;
      default = "piaw";
    };
    forwardedPort = mkOption {
      type = types.nullOr types.port;
      description = "The port to redirect port forwarded TCP VPN traffic too";
      default = null;
    };
    forwardPortForTransmission = mkEnableOption "PIA port forwarding for transmission should be performed.";
  };
  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.forwardPortForTransmission != (cfg.forwardedPort != null);
        message = ''
          The PIA forwarded port cannot simultaneously be used by transmission and redirected to another port.
        '';
      }
    ];
    # mounts used to pass the connection parameters to the container
    # the container doesn't have internet until it uses these parameters so it cannot fetch them itself
    vpn-container.mounts = [
      "/tmp/${cfg.interfaceName}.conf"
      "/tmp/${cfg.interfaceName}-server.conf"
      "/tmp/${cfg.interfaceName}-address.conf"
    ];
    # The container takes ownership of the wireguard interface on its startup
    containers.vpn.interfaces = [ cfg.interfaceName ];
    # TODO: while this is much better than "loose" networking, it seems to have issues with firewall restarts
    # allow traffic for wireguard interface to pass since wireguard trips up rpfilter
    # networking.firewall = {
    #   extraCommands = ''
    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN
    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN
    #   '';
    #   extraStopCommands = ''
    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN || true
    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN || true
    #   '';
    # };
    networking.firewall.checkReversePath = "loose";
    systemd.services.pia-vpn-wireguard-init = {
      description = "Creates PIA VPN Wireguard Interface";
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      before = [ containerServiceName ];
      requiredBy = [ containerServiceName ];
      partOf = [ containerServiceName ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ wireguard-tools jq curl iproute ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # restart once a month; PIA forwarded port expires after two months
        # because the container is "PartOf" this unit, it gets restarted too
        RuntimeMaxSec = "30d";
      };
      script = ''
        # Prepare to connect by generating wg secrets and auth'ing with PIA since the container
        # cannot do without internet to start with. NAT'ing the host's internet would address this
        # issue but is not ideal because then leaking network outside of the VPN is more likely.
        ${chooseWireguardServer}
        ${getPIAToken}
        # generate wireguard keys
        privKey=$(wg genkey)
        pubKey=$(echo "$privKey" | wg pubkey)
        # authorize our WG keys with the PIA server we are about to connect to
        wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:$WG_SERVER_PORT/addKey`
        # create wg-quick config file
        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        touch /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        chmod 700 /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        echo "
        [Interface]
        # Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
        PrivateKey = $privKey
        ListenPort = ${toString cfg.wireguardListenPort}
        [Peer]
        PersistentKeepalive = 25
        PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
        AllowedIPs = 0.0.0.0/0
        Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
        " >> /tmp/${cfg.interfaceName}.conf
        # create file storing the VPN ip address PIA assigned to us
        echo "$wireguard_json" | jq -r '.peer_ip' >> /tmp/${cfg.interfaceName}-address.conf
        # Create wg interface now so it inherits from the namespace with internet access
        # the container will handle actually connecting the interface since that info is
        # not preserved upon moving into the container's networking namespace
        # Roughly following this guide https://www.wireguard.com/netns/#ordinary-containerization
        [[ -z $(ip link show dev ${cfg.interfaceName} 2>/dev/null) ]] || exit
        ip link add ${cfg.interfaceName} type wireguard
      '';
      preStop = ''
        # cleanup wireguard interface
        ip link del ${cfg.interfaceName}
        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
      '';
    };
    vpn-container.config.systemd.services.pia-vpn-wireguard = {
      description = "Initializes the PIA VPN WireGuard Tunnel";
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ wireguard-tools iproute curl jq iptables ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        # pseudo calls wg-quick
        # Near equivalent of "wg-quick up /tmp/${cfg.interfaceName}.conf"
        # cannot actually call wg-quick because the interface has to be already
        # created before the container taken ownership of the interface
        # Thus, assumes wg interface was already created:
        #   ip link add ${cfg.interfaceName} type wireguard
        ${getChosenWireguardServer}
        myaddress=`cat /tmp/${cfg.interfaceName}-address.conf`
        wg setconf ${cfg.interfaceName} /tmp/${cfg.interfaceName}.conf
        ip -4 address add $myaddress dev ${cfg.interfaceName}
        ip link set mtu 1420 up dev ${cfg.interfaceName}
        wg set ${cfg.interfaceName} fwmark ${toString cfg.wireguardListenPort}
        ip -4 route add 0.0.0.0/0 dev ${cfg.interfaceName} table ${toString cfg.wireguardListenPort}
        # TODO is this needed?
        ip -4 rule add not fwmark ${toString cfg.wireguardListenPort} table ${toString cfg.wireguardListenPort}
        ip -4 rule add table main suppress_prefixlength 0
        # The rest of the script is only for only for port forwarding skip if not needed
        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
        # Reserve port
        ${getPIAToken}
        payload_and_signature=`curl -s -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" -G --data-urlencode "token=$PIA_TOKEN" "https://$WG_HOSTNAME:19999/getSignature"`
        signature=$(echo "$payload_and_signature" | jq -r '.signature')
        payload=$(echo "$payload_and_signature" | jq -r '.payload')
        port=$(echo "$payload" | base64 -d | jq -r '.port')
        # Check if the port is acceptable
        notallowed=(${concatStringsSep " " (map toString cfg.badPortForwardPorts)})
        if [[ " ''${notallowed[*]} " =~ " $port " ]]; then
          # the port PIA assigned is not allowed, kill the connection
          wg-quick down /tmp/${cfg.interfaceName}.conf
          exit 1
        fi
        # write reserved port to file readable for all users
        echo $port > /tmp/${cfg.interfaceName}-port
        chmod 644 /tmp/${cfg.interfaceName}-port
        # write payload and signature info needed to allow refreshing allocated forwarded port
        rm -f /tmp/${cfg.interfaceName}-port-renewal
        touch /tmp/${cfg.interfaceName}-port-renewal
        chmod 700 /tmp/${cfg.interfaceName}-port-renewal
        echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
        echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
        # Block all traffic from VPN interface except for traffic that is from the forwarded port
        iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
        iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
        # The first port refresh triggers the port to be actually allocated
        ${refreshPIAPort}
        ${optionalString (cfg.forwardedPort != null) ''
          # redirect the fowarded port
          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
        ''}
        ${optionalString cfg.forwardPortForTransmission ''
          # assumes no auth needed for transmission
          curlout=$(curl localhost:9091/transmission/rpc 2>/dev/null)
          regex='X-Transmission-Session-Id\: (\w*)'
          if [[ $curlout =~ $regex ]]; then
              sessionId=''${BASH_REMATCH[1]}
          else
              exit 1
          fi
          # set the port in transmission
          data='{"method": "session-set", "arguments": { "peer-port" :'$port' } }'
          curl http://localhost:9091/transmission/rpc -d "$data" -H "X-Transmission-Session-Id: $sessionId"
        ''}
      '';
      preStop = ''
        wg-quick down /tmp/${cfg.interfaceName}.conf
        # The rest of the script is only for only for port forwarding skip if not needed
        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
        ${optionalString (cfg.forwardedPort != null) ''
          # stop redirecting the forwarded port
          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
        ''}
      '';
    };
    vpn-container.config.systemd.services.pia-vpn-wireguard-forward-port = {
      enable = portForwarding;
      description = "PIA VPN WireGuard Tunnel Port Forwarding";
      after = [ "pia-vpn-wireguard.service" ];
      requires = [ "pia-vpn-wireguard.service" ];
      path = with pkgs; [ curl ];
      serviceConfig = {
        Type = "oneshot";
      };
      script = refreshPIAPort;
    };
    vpn-container.config.systemd.timers.pia-vpn-wireguard-forward-port = {
      enable = portForwarding;
      partOf = [ "pia-vpn-wireguard-forward-port.service" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "*:0/10"; # 10 minutes
        RandomizedDelaySec = "1m"; # vary by 1 min to give PIA servers some relief
      };
    };
    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/ping.nix
+++ b/common/network/ping.nix
@@ -0,0 +1,59 @@
 { config, pkgs, lib, ... }:
 # keeps peer to peer connections alive with a periodic ping
 with lib;
 with builtins;
 # todo auto restart
 let
  cfg = config.keepalive-ping;
  serviceTemplate = host:
    {
      "keepalive-ping@${host}" = {
        description = "Periodic ping keep alive for ${host} connection";
        requires = [ "network-online.target" ];
        after = [ "network.target" "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig.Restart = "always";
        path = with pkgs; [ iputils ];
        script = ''
          ping -i ${cfg.delay} ${host} &>/dev/null
        '';
      };
    };
  combineAttrs = foldl recursiveUpdate { };
  serviceList = map serviceTemplate cfg.hosts;
  services = combineAttrs serviceList;
 in
 {
  options.keepalive-ping = {
    enable = mkEnableOption "Enable keep alive ping task";
    hosts = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Hosts to ping periodically
      '';
    };
    delay = mkOption {
      type = types.str;
      default = "60";
      description = ''
        Ping interval in seconds of periodic ping per host being pinged
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services = services;
  };
 }
--- a/common/network/tailscale.nix
+++ b/common/network/tailscale.nix
@@ -0,0 +1,20 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.services.tailscale;
 in
 {
  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
  config.services.tailscale.enable = mkDefault (!config.boot.isContainer);
  # MagicDNS
  config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ];
  config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
  # exit node
  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
  config.networking.ip_forward = mkIf cfg.exitNode true;
 }
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@@ -0,0 +1,109 @@
 { config, pkgs, lib, allModules, ... }:
 with lib;
 let
  cfg = config.vpn-container;
 in
 {
  options.vpn-container = {
    enable = mkEnableOption "Enable VPN container";
    containerName = mkOption {
      type = types.str;
      default = "vpn";
      description = ''
        Name of the VPN container.
      '';
    };
    mounts = mkOption {
      type = types.listOf types.str;
      default = [ "/var/lib" ];
      example = "/home/example";
      description = ''
        List of mounts on the host to bind to the vpn container.
      '';
    };
    useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
    config = mkOption {
      type = types.anything;
      default = { };
      example = ''
        {
          services.nginx.enable = true;
        }
      '';
      description = ''
        NixOS config for the vpn container.
      '';
    };
  };
  config = mkIf cfg.enable {
    pia.wireguard.enable = !cfg.useOpenVPN;
    pia.wireguard.forwardPortForTransmission = !cfg.useOpenVPN;
    containers.${cfg.containerName} = {
      ephemeral = true;
      autoStart = true;
      bindMounts = mkMerge ([{
        "/run/agenix" = {
          hostPath = "/run/agenix";
          isReadOnly = true;
        };
      }] ++ (lists.forEach cfg.mounts (mount:
        {
          "${mount}" = {
            hostPath = mount;
            isReadOnly = false;
          };
        }
      )));
      enableTun = cfg.useOpenVPN;
      privateNetwork = true;
      hostAddress = "172.16.100.1";
      localAddress = "172.16.100.2";
      config = {
        imports = allModules ++ [ cfg.config ];
        # speeds up evaluation
        nixpkgs.pkgs = pkgs;
        # networking.firewall.enable = mkForce false;
        networking.firewall.trustedInterfaces = [
          # completely trust internal interface to host
          "eth0"
        ];
        pia.openvpn.enable = cfg.useOpenVPN;
        pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
        # TODO fix so it does run it's own resolver again
        # run it's own DNS resolver
        networking.useHostResolvConf = false;
        # services.resolved.enable = true;
        networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
      };
    };
    # load secrets the container needs
    age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
    # forwarding for vpn container (only for OpenVPN)
    networking.nat.enable = mkIf cfg.useOpenVPN true;
    networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [
      "ve-${cfg.containerName}"
    ];
    networking.ip_forward = mkIf cfg.useOpenVPN true;
    # assumes only one potential interface
    networking.usePredictableInterfaceNames = false;
    networking.nat.externalInterface = "eth0";
  };
 }
--- a/common/network/vpnfailsafe.sh
+++ b/common/network/vpnfailsafe.sh
@@ -0,0 +1,187 @@
 #!/usr/bin/env bash
 set -eEo pipefail
 # $@ := ""
 set_route_vars() {
    local network_var
    local -a network_vars; read -ra network_vars <<<"${!route_network_*}"
    for network_var in "${network_vars[@]}"; do
        local -i i="${network_var#route_network_}"
        local -a vars=("route_network_$i" "route_netmask_$i" "route_gateway_$i" "route_metric_$i")
        route_networks[i]="${!vars[0]}"
        route_netmasks[i]="${!vars[1]:-255.255.255.255}"
        route_gateways[i]="${!vars[2]:-$route_vpn_gateway}"
        route_metrics[i]="${!vars[3]:-0}"
    done
 }
 # Configuration.
 readonly prog="$(basename "$0")"
 readonly private_nets="127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
 declare -a remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
 read -ra remotes <<<"$(env|grep -oP '^remote_[0-9]+=.*'|sort -n|cut -d= -f2|tr '\n' '\t')"
 read -ra cnf_remote_domains <<<"$(printf '%s\n' "${remotes[@]%%*[0-9]}"|sort -u|tr '\n' '\t')"
 read -ra cnf_remote_ips <<<"$(printf '%s\n' "${remotes[@]##*[!0-9.]*}"|sort -u|tr '\n' '\t')"
 set_route_vars
 read -ra numbered_vars <<<"${!foreign_option_*} ${!proto_*} ${!remote_*} ${!remote_port_*} \
                           ${!route_network_*} ${!route_netmask_*} ${!route_gateway_*} ${!route_metric_*}"
 readonly numbered_vars "${numbered_vars[@]}" dev ifconfig_local ifconfig_netmask ifconfig_remote \
         route_net_gateway route_vpn_gateway script_type trusted_ip trusted_port untrusted_ip untrusted_port \
         remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
 readonly cur_remote_ip="${trusted_ip:-$untrusted_ip}"
 readonly cur_port="${trusted_port:-$untrusted_port}"
 # $@ := ""
 update_hosts() {
    if remote_entries="$(getent -s dns hosts "${cnf_remote_domains[@]}"|grep -v :)"; then
        local -r beg="# VPNFAILSAFE BEGIN" end="# VPNFAILSAFE END"
        {
            sed -e "/^$beg/,/^$end/d" /etc/hosts
            echo -e "$beg\\n$remote_entries\\n$end"
        } >/etc/hosts.vpnfailsafe
        chmod --reference=/etc/hosts /etc/hosts.vpnfailsafe
        mv /etc/hosts.vpnfailsafe /etc/hosts
    fi
 }
 # $@ := "up" | "down"
 update_routes() {
    local -a resolved_ips
    read -ra resolved_ips <<<"$(getent -s files hosts "${cnf_remote_domains[@]:-ENOENT}"|cut -d' ' -f1|tr '\n' '\t' || true)"
    local -ar remote_ips=("$cur_remote_ip" "${resolved_ips[@]}" "${cnf_remote_ips[@]}")
    if [[ "$*" == up ]]; then
        for remote_ip in "${remote_ips[@]}"; do
            if [[ -n "$remote_ip" && -z "$(ip route show "$remote_ip")" ]]; then
                ip route add "$remote_ip" via "$route_net_gateway"
            fi
        done
        for net in 0.0.0.0/1 128.0.0.0/1; do
            if [[ -z "$(ip route show "$net")" ]]; then
                ip route add "$net" via "$route_vpn_gateway"
            fi
        done
        for i in $(seq 1 "${#route_networks[@]}"); do
            if [[ -z "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
                ip route add "${route_networks[i]}/${route_netmasks[i]}" \
                  via "${route_gateways[i]}" metric "${route_metrics[i]}" dev "$dev"
            fi
        done
    elif [[ "$*" == down ]]; then
        for route in "${remote_ips[@]}" 0.0.0.0/1 128.0.0.0/1; do
            if [[ -n "$route" && -n "$(ip route show "$route")" ]]; then
                ip route del "$route"
            fi
        done
        for i in $(seq 1 "${#route_networks[@]}"); do
            if [[ -n "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
                ip route del "${route_networks[i]}/${route_netmasks[i]}"
            fi
        done
    fi
 }
 # $@ := ""
 update_firewall() {
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    insert_chain() {
        if iptables -C "$*" -j "VPNFAILSAFE_$*" 2>/dev/null; then
            iptables -D "$*" -j "VPNFAILSAFE_$*"
            for opt in F X; do
                iptables -"$opt" "VPNFAILSAFE_$*"
            done
        fi
        iptables -N "VPNFAILSAFE_$*"
        iptables -I "$*" -j "VPNFAILSAFE_$*"
    }
    # $@ := "INPUT" | "OUTPUT"
    accept_remotes() {
        case "$@" in
            INPUT)  local -r icmp_type=reply   io=i sd=s states="";;
            OUTPUT) local -r icmp_type=request io=o sd=d states=NEW,;;
        esac
        local -r public_nic="$(ip route show "$cur_remote_ip"|cut -d' ' -f5)"
        local -ar suf=(-m conntrack --ctstate "$states"RELATED,ESTABLISHED -"$io" "${public_nic:?}" -j ACCEPT)
        icmp_rule() {
            iptables "$1" "$2" -p icmp --icmp-type "echo-$icmp_type" -"$sd" "$3" "${suf[@]/%ACCEPT/RETURN}"
        }
        for ((i=1; i <= ${#remotes[*]}; ++i)); do
            local port="remote_port_$i"
            local proto="proto_$i"
            iptables -A "VPNFAILSAFE_$*" -p "${!proto%-client}" -"$sd" "${remotes[i-1]}" --"$sd"port "${!port}" "${suf[@]}"
            if ! icmp_rule -C "VPNFAILSAFE_$*" "${remotes[i-1]}" 2>/dev/null; then
                icmp_rule -A "VPNFAILSAFE_$*" "${remotes[i-1]}"
            fi
        done
        if ! iptables -S|grep -q "^-A VPNFAILSAFE_$* .*-$sd $cur_remote_ip/32 .*-j ACCEPT$"; then
            for p in tcp udp; do
                iptables -A "VPNFAILSAFE_$*" -p "$p" -"$sd" "$cur_remote_ip" --"$sd"port "${cur_port}" "${suf[@]}"
            done
            icmp_rule -A "VPNFAILSAFE_$*" "$cur_remote_ip"
        fi
    }
    # $@ := "OUTPUT" | "FORWARD"
    reject_dns() {
        for proto in udp tcp; do
            iptables -A "VPNFAILSAFE_$*" -p "$proto" --dport 53 ! -o "$dev" -j REJECT
        done
    }
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    pass_private_nets() { 
        case "$@" in
            INPUT) local -r io=i sd=s;;&
            OUTPUT|FORWARD) local -r io=o sd=d;;&
            INPUT) local -r vpn="${ifconfig_remote:-$ifconfig_local}/${ifconfig_netmask:-32}"
               iptables -A "VPNFAILSAFE_$*" -"$sd" "$vpn" -"$io" "$dev" -j RETURN
               for i in $(seq 1 "${#route_networks[@]}"); do
                   iptables -A "VPNFAILSAFE_$*" -"$sd" "${route_networks[i]}/${route_netmasks[i]}" -"$io" "$dev" -j RETURN
               done;;&
            *) iptables -A "VPNFAILSAFE_$*" -"$sd" "$private_nets" ! -"$io" "$dev" -j RETURN;;&
            INPUT) iptables -A "VPNFAILSAFE_$*" -s "$private_nets" -i "$dev" -j DROP;;&
            *) for iface in "$dev" lo+; do
                   iptables -A "VPNFAILSAFE_$*" -"$io" "$iface" -j RETURN
               done;;
        esac
    }
    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
    drop_other() {
        iptables -A "VPNFAILSAFE_$*" -j DROP
    }
    for chain in INPUT OUTPUT FORWARD; do
        insert_chain "$chain"
        [[ $chain == FORWARD ]] || accept_remotes "$chain"
        [[ $chain == INPUT ]] || reject_dns "$chain"
        pass_private_nets "$chain"
        drop_other "$chain"
    done
 }
 # $@ := ""
 cleanup() {
    update_resolv down
    update_routes down
 }
 trap cleanup INT TERM
 # $@ := line_number exit_code
 err_msg() {
    echo "$0:$1: \`$(sed -n "$1,+0{s/^\\s*//;p}" "$0")' returned $2" >&2
    cleanup
 }
 trap 'err_msg "$LINENO" "$?"' ERR
 # $@ := ""
 main() {
    case "${script_type:-down}" in
        up) for f in hosts routes firewall; do "update_$f" up; done;;
        down) update_routes down
              update_resolv down;;
    esac
 }
 main
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # enable pulseaudio support for packages
    nixpkgs.config.pulseaudio = true;
@@ -16,45 +17,6 @@ in {
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
      # use the example session manager (no others are packaged yet so this is enabled by default,
      # no need to redefine it in your config for now)
      #media-session.enable = true;
      config.pipewire = {
        "context.objects" = [
          {
            # A default dummy driver. This handles nodes marked with the "node.always-driver"
            # properyty when no other driver is currently active. JACK clients need this.
            factory = "spa-node-factory";
            args = {
              "factory.name"     = "support.node.driver";
              "node.name"        = "Dummy-Driver";
              "priority.driver"  = 8000;
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Microphone-Proxy";
              "node.description" = "Microphone";
              "media.class"      = "Audio/Source/Virtual";
              "audio.position"   = "MONO";
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Main-Output-Proxy";
              "node.description" = "Main Output";
              "media.class"      = "Audio/Sink";
              "audio.position"   = "FL,FR";
            };
          }
        ];
      };
    };
    users.users.googlebot.extraGroups = [ "audio" ];
--- a/common/pc/chromium.nix
+++ b/common/pc/chromium.nix
@@ -49,7 +49,8 @@ let
    ];
  };
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # chromium with specific extensions + settings
    programs.chromium = {
@@ -60,8 +61,9 @@ in {
        "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
        "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
        "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
        "fihnjjcciajhdojfnbdddfaoknhalnja" # I don't care about cookies
        "mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
        "dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
        # "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
      ];
      extraOpts = {
        "BrowserSignin" = 0;
@@ -78,10 +80,11 @@ in {
    nixpkgs.config.packageOverrides = pkgs: {
      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
      chromium = pkgs.chromium.override {
        gnomeKeyringSupport = true;
        enableWideVine = true;
        # ungoogled = true;
-        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video --enable-native-gpu-memory-buffers --enable-gpu-rasterization";
+        # --enable-native-gpu-memory-buffers # fails on AMD APU
        # --enable-webrtc-vp9-support
        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video  --enable-gpu-rasterization";
      };
    };
    # todo vulkan in chrome
@@ -90,7 +93,7 @@ in {
      enable = true;
      extraPackages = with pkgs; [
        intel-media-driver # LIBVA_DRIVER_NAME=iHD
-        vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
        # vaapiVdpau
        libvdpau-va-gl
        nvidia-vaapi-driver
--- a/common/pc/default.nix
+++ b/common/pc/default.nix
@@ -2,21 +2,23 @@
 let
  cfg = config.de;
-in {
+in
 {
  imports = [
    ./kde.nix
    ./xfce.nix
    ./yubikey.nix
    ./chromium.nix
-#    ./firefox.nix
+    #    ./firefox.nix
    ./audio.nix
-#    ./torbrowser.nix
+    #    ./torbrowser.nix
    ./pithos.nix
    ./spotify.nix
    ./vscodium.nix
    ./discord.nix
    ./steam.nix
    ./touchpad.nix
    ./mount-samba.nix
  ];
  options.de = {
@@ -41,11 +43,20 @@ in {
      nextcloud-client
      signal-desktop
      minecraft
      sauerbraten
      gnome.file-roller
      gparted
      lm_sensors
      libreoffice-fresh
      thunderbird
      spotifyd
      spotify-qt
      arduino
      yt-dlp
      jellyfin-media-player
      joplin-desktop
      config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
      # For Nix IDE
      nixpkgs-fmt
      rnix-lsp
    ];
    # Networking
@@ -54,6 +65,14 @@ in {
    # Printing
    services.printing.enable = true;
    services.printing.drivers = with pkgs; [
      gutenprint
    ];
    # Printer discovery
    services.avahi.enable = true;
    services.avahi.nssmdns = true;
    programs.file-roller.enable = true;
    # Security
    services.gnome.gnome-keyring.enable = true;
--- a/common/pc/discord.nix
+++ b/common/pc/discord.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    users.users.googlebot.packages = [
      pkgs.discord
--- a/common/pc/firefox.nix
+++ b/common/pc/firefox.nix
@@ -20,7 +20,7 @@ let
  };
  firefox = pkgs.wrapFirefox somewhatPrivateFF {
-   desktopName = "Sneed Browser";
+    desktopName = "Sneed Browser";
    nixExtensions = [
      (pkgs.fetchFirefoxAddon {
@@ -71,8 +71,8 @@ let
        TopSites = false;
      };
      UserMessaging = {
-         ExtensionRecommendations = false;
+        ExtensionRecommendations = false;
-         SkipOnboarding = true;
+        SkipOnboarding = true;
      };
      WebsiteFilter = {
        Block = [
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # kde plasma
    services.xserver = {
@@ -14,7 +15,10 @@ in {
    # kde apps
    nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true;
    users.users.googlebot.packages = with pkgs; [
-      akonadi kmail plasma5Packages.kmail-account-wizard
+      # akonadi
      # kmail
      # plasma5Packages.kmail-account-wizard
      kate
    ];
  };
 }
--- a/common/pc/mount-samba.nix
+++ b/common/pc/mount-samba.nix
@@ -0,0 +1,48 @@
 # mounts the samba share on s0 over tailscale
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.mount-samba;
  # prevents hanging on network split and other similar niceties to ensure a stable connection
  network_opts = "nostrictsync,cache=strict,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend,fsc";
  systemd_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
  user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
  auth_opts = "sec=ntlmv2i,credentials=/run/agenix/smb-secrets";
  version_opts = "vers=3.1.1";
  opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}";
 in
 {
  options.services.mount-samba = {
    enable = lib.mkEnableOption "enable mounting samba shares";
  };
  config = lib.mkIf (cfg.enable && config.services.tailscale.enable) {
    fileSystems."/mnt/public" = {
      device = "//s0.koi-bebop.ts.net/public";
      fsType = "cifs";
      options = [ opts ];
    };
    fileSystems."/mnt/private" = {
      device = "//s0.koi-bebop.ts.net/googlebot";
      fsType = "cifs";
      options = [ opts ];
    };
    age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
    environment.shellAliases = {
      # remount storage
      remount_public = "sudo systemctl restart mnt-public.mount";
      remount_private = "sudo systemctl restart mnt-private.mount";
      # Encrypted Vault
      vault_unlock = "${pkgs.gocryptfs}/bin/gocryptfs /mnt/private/.vault/ /mnt/vault/";
      vault_lock = "umount /mnt/vault/";
    };
  };
 }
--- a/common/pc/pithos.nix
+++ b/common/pc/pithos.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
@@ -11,7 +12,7 @@ in {
          version = "1.5.1";
          src = super.fetchFromGitHub {
            owner = pname;
-            repo  = pname;
+            repo = pname;
            rev = version;
            sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
          };
--- a/common/pc/spotify.nix
+++ b/common/pc/spotify.nix
@@ -4,7 +4,7 @@ with lib;
 let
  cfg = config.services.spotifyd;
-  toml = pkgs.formats.toml {};
+  toml = pkgs.formats.toml { };
  spotifydConf = toml.generate "spotify.conf" cfg.settings;
 in
 {
@@ -17,7 +17,7 @@ in
      enable = mkEnableOption "spotifyd, a Spotify playing daemon";
      settings = mkOption {
-        default = {};
+        default = { };
        type = toml.type;
        example = { global.bitrate = 320; };
        description = ''
@@ -28,7 +28,7 @@ in
      users = mkOption {
        type = with types; listOf str;
-        default = [];
+        default = [ ];
        description = ''
          Usernames to be added to the "spotifyd" group, so that they
          can start and interact with the userspace daemon.
--- a/common/pc/steam.nix
+++ b/common/pc/steam.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    programs.steam.enable = true;
    hardware.steam-hardware.enable = true; # steam controller
--- a/common/pc/torbrowser.nix
+++ b/common/pc/torbrowser.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
--- a/common/pc/touchpad.nix
+++ b/common/pc/touchpad.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de.touchpad;
-in {
+in
 {
  options.de.touchpad = {
    enable = lib.mkEnableOption "enable touchpad";
  };
--- a/common/pc/vscodium.nix
+++ b/common/pc/vscodium.nix
@@ -4,8 +4,8 @@ let
  cfg = config.de;
  extensions = with pkgs.vscode-extensions; [
-#    bbenoist.Nix # nix syntax support
+    #    bbenoist.Nix # nix syntax support
-#    arrterian.nix-env-selector  # nix dev envs
+    #    arrterian.nix-env-selector  # nix dev envs
  ];
  vscodium-with-extensions = pkgs.vscode-with-extensions.override {
--- a/common/pc/xfce.nix
+++ b/common/pc/xfce.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    services.xserver = {
      enable = true;
--- a/common/pc/yubikey.nix
+++ b/common/pc/yubikey.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # yubikey
    services.pcscd.enable = true;
--- a/common/pia.nix
+++ b/common/pia.nix
@@ -1,98 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.pia;
 in
 {
  options.pia = {
    enable = lib.mkEnableOption "Enable private internet access";
  };
  config = lib.mkIf cfg.enable {
    services.openvpn = {
      servers = {
        us-east = {
          config = ''
 client
 dev tun
 proto udp
 remote us-washingtondc.privacy.network 1198
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 cipher aes-128-cbc
 auth sha1
 tls-client
 remote-cert-tls server
 auth-user-pass
 compress
 verb 1
 reneg-sec 0
 <crl-verify>
 -----BEGIN X509 CRL-----
 MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
 EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
 cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
 HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
 ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
 aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
 MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
 9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
 jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
 B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
 ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
 5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
 MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
 -----END X509 CRL-----
 </crl-verify>
 <ca>
 -----BEGIN CERTIFICATE-----
 MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
 VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
 BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
 dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
 IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
 FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
 MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
 EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
 QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
 AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
 ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
 bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
 L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
 lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
 cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
 8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
 /5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
 OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
 y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
 sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
 b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
 A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
 SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
 czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
 b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
 a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
 ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
 7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
 GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
 1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
 YDQ8z9v+DMO6iwyIDRiU
 -----END CERTIFICATE-----
 </ca>
 disable-occ
 auth-user-pass /run/secrets/pia-login.conf
          '';
          autoStart = true;
 #          up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
 #          down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
        };
      };
    };
    age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
  };
 }
--- a/common/server/archivebox/composition.nix
+++ b/common/server/archivebox/composition.nix
@@ -1,17 +0,0 @@
 # This file has been generated by node2nix 1.9.0. Do not edit!
 {pkgs ? import <nixpkgs> {
    inherit system;
  }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
 let
  nodeEnv = import ./node-env.nix {
    inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
    inherit pkgs nodejs;
    libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
  };
 in
 import ./node-packages.nix {
  inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
  inherit nodeEnv;
 }
--- a/common/server/archivebox/default.nix
+++ b/common/server/archivebox/default.nix
@@ -1,456 +0,0 @@
 { pkgs, lib, config, ... }:
 # TODO pocket integration (POCKET_CONSUMER_KEY, POCKET_ACCESS_TOKENS)
 # TODO fix http timeout?
 let
  cfg = config.services.archivebox;
  archiveboxPkgs = import ./composition.nix { inherit pkgs; };
  mercury-parser = archiveboxPkgs."@postlight/mercury-parser";
  readability-extractor = archiveboxPkgs."readability-extractor-git+https://github.com/ArchiveBox/readability-extractor.git";
  single-file = archiveboxPkgs."single-file-git+https://github.com/gildas-lormeau/SingleFile.git";
 in {
  options.services.archivebox = {
    enable = lib.mkEnableOption "Enable ArchiveBox";
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/archivebox";
      description = ''
        Path to the archivebox data directory
      '';
    };
    listenAddress = lib.mkOption {
      type = lib.types.str;
      default = "localhost";
      example = "127.0.0.1";
      description = ''
        The address archivebox should listen to
      '';
    };
    listenPort = lib.mkOption {
      type = lib.types.int;
      default = 37226;
      example = 1357;
      description = ''
        The port archivebox should listen on
      '';
    };
    hostname = lib.mkOption {
      type = lib.types.str;
      example = "example.com";
    };
    enableACME = lib.mkEnableOption "Enable ACME + SSL";
    user = lib.mkOption {
      type = lib.types.str;
      default = "archivebox";
      description = ''
        The user archivebox should run as
      '';
    };
    group = lib.mkOption {
      type = lib.types.str;
      default = "archivebox";
      description = ''
        The group archivebox should run as
      '';
    };
    timeout = lib.mkOption {
      type = lib.types.int;
      default = 60;
      example = 120;
      description = ''
        Maximum allowed download time per archive method for each link in seconds
      '';
    };
    snapshotsPerPage = lib.mkOption {
      type = lib.types.int;
      default = 40;
      example = 100;
      description = ''
        Maximum number of Snapshots to show per page on Snapshot list pages
      '';
    };
    footerInfo = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "Content is hosted for personal archiving purposes only. Contact server owner for any takedown requests.";
      description = ''
        Some text to display in the footer of the archive index.
        Useful for providing server admin contact info to respond to takedown requests.
      '';
    };
    urlBlacklist = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "\\.(css|js|otf|ttf|woff|woff2|gstatic\\.com|googleapis\\.com/css)(\\?.*)?$";
      description = ''
        A regex expression used to exclude certain URLs from archiving.
      '';
    };
    urlWhitelist = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "^http(s)?:\\/\\/(.+)?example\\.com\\/?.*$";
      description = ''
        A regex expression used to exclude all URLs that don't match the given pattern from archiving
      '';
    };
    saveTitle = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save the title of the webpage
      '';
    };
    saveFavicon = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save the favicon of the webpage
      '';
    };
    saveWget = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save the webpage with wget
      '';
    };
    saveWgetRequisites = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch images/css/js with wget. (True is highly recommended, otherwise your won't download many critical assets to render the page, like images, js, css, etc.)
      '';
    };
    wgetUserAgent = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        This is the user agent to use during wget archiving.
      '';
    };
    wgetCookiesFile = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        Cookies file to pass to wget. To capture sites that require a user to be logged in,
        you can specify a path to a netscape-format cookies.txt file for wget to use.
      '';
    };
    saveWARC = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save a timestamped WARC archive of all the page requests and responses during the wget archive process.
      '';
    };
    savePDF = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Print page as PDF. (Uses chromium)
      '';
    };
    saveScreenshot = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch a screenshot of the page. (Uses chromium)
      '';
    };
    screenshotResolution = lib.mkOption {
      type = lib.types.str;
      default = "1440,2000";
      example = "1024,768";
      description = ''
        Screenshot resolution in pixels width,height.
      '';
    };
    saveDOM = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch a DOM dump of the page. (Uses chromium)
      '';
    };
    saveHeaders = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Save the webpage's response headers
      '';
    };
    saveSingleFile = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch an HTML file with all assets embedded using Single File. (Uses chromium) https://github.com/gildas-lormeau/SingleFile
      '';
    };
    saveReadability = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Extract article text, summary, and byline using Mozilla's Readability library. https://github.com/mozilla/readability
        Unlike the other methods, this does not download any additional files, so it's practically free from a disk usage perspective.
      '';
    };
    saveMercury = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Extract article text, summary, and byline using the Mercury library. https://github.com/postlight/mercury-parser
        Unlike the other methods, this does not download any additional files, so it's practically free from a disk usage perspective.
      '';
    };
    saveGit = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch any git repositories on the page.
      '';
    };
    gitDomains = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "git.example.com";
      description = ''
        Domains to attempt download of git repositories on using `git clone`
      '';
    };
    saveMedia = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Fetch all audio, video, annotations, and media metadata on the page using `yt-dlp`.
        Warning, this can use up a lot of storage very quickly.
      '';
    };
    mediaTimeout = lib.mkOption {
      type = lib.types.int;
      default = 3600;
      example = 120;
      description = ''
        Maximum allowed download time for fetching media
      '';
    };
    mediaMaxSize = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "750m";
      description = ''
        Maxium size of media to download
      '';
    };
    saveArchiveDotOrg = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Submit the page's URL to be archived on Archive.org. (The Internet Archive)
      '';
    };
    checkSSLCert = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to enforce HTTPS certificate and HSTS chain of trust when archiving sites. 
        Set this to False if you want to archive pages even if they have expired or invalid certificates. 
        Be aware that when False you cannot guarantee that you have not been man-in-the-middle'd while archiving content.
      '';
    };
    curlUserAgent = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        This is the user agent to use during curl archiving.
      '';
    };
    chromiumUserAgent = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        This is the user agent to use during Chromium headless archiving.
      '';
    };
    chromiumUserDataDir = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        Path to a Chrome user profile directory.
      '';
    };
    publicCreateSnapshots = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Anon users can add URLs to be archived
      '';
    };
    publicViewSnapshots = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Anon users can view archived pages
      '';
    };
    publicViewIndex = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Anon users can view the archive index
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = cfg.enableACME;
      forceSSL = cfg.enableACME;
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.listenPort}";
      };
    };
    users.users.${cfg.user} =
    if cfg.user == "archivebox" then {
      isSystemUser = true;
      group = cfg.group;
      home = cfg.dataDir;
      createHome = true;
    }
    else {};
    users.groups.${cfg.group} = {};
    systemd.services.archivebox = {
      enable = true;
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig.ExecStart = "${pkgs.archivebox}/bin/archivebox server";
      serviceConfig.PrivateTmp="yes";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
      environment = let
        boolToStr = bool: if bool then "true" else "false";
        useCurl = cfg.saveArchiveDotOrg || cfg.saveFavicon || cfg.saveHeaders || cfg.saveTitle;
        useGit = cfg.saveGit;
        useWget = cfg.saveWget;
        useSinglefile = cfg.saveSingleFile;
        useReadability = cfg.saveReadability;
        useMercury = cfg.saveMercury;
        useYtdlp = cfg.saveMedia;
        useChromium = cfg.saveDOM || cfg.savePDF || cfg.saveScreenshot || cfg.saveSingleFile;
      in {
        SAVE_TITLE = boolToStr cfg.saveTitle;
        SAVE_FAVICON = boolToStr cfg.saveFavicon;
        SAVE_WGET = boolToStr cfg.saveWget;
        SAVE_WGET_REQUISITES = boolToStr cfg.saveWgetRequisites;
        SAVE_SINGLEFILE = boolToStr cfg.saveSingleFile;
        SAVE_READABILITY = boolToStr cfg.saveReadability;
        SAVE_MERCURY = boolToStr cfg.saveMercury;
        SAVE_PDF = boolToStr cfg.savePDF;
        SAVE_SCREENSHOT = boolToStr cfg.saveScreenshot;
        SAVE_DOM = boolToStr cfg.saveDOM;
        SAVE_HEADERS = boolToStr cfg.saveHeaders;
        SAVE_WARC = boolToStr cfg.saveWARC;
        SAVE_GIT = boolToStr cfg.saveGit;
        SAVE_MEDIA = boolToStr cfg.saveMedia;
        SAVE_ARCHIVE_DOT_ORG = boolToStr cfg.saveArchiveDotOrg;
        TIMEOUT = toString cfg.timeout;
        MEDIA_TIMEOUT = toString cfg.mediaTimeout;
        URL_BLACKLIST = cfg.urlBlacklist;
        URL_WHITELIST = cfg.urlWhitelist;
        BIND_ADDR = "${cfg.listenAddress}:${toString cfg.listenPort}";
        PUBLIC_INDEX = boolToStr cfg.publicViewIndex;
        PUBLIC_SNAPSHOTS = boolToStr cfg.publicViewSnapshots;
        PUBLIC_ADD_VIEW = boolToStr cfg.publicCreateSnapshots;
        FOOTER_INFO = cfg.footerInfo;
        SNAPSHOTS_PER_PAGE = toString cfg.snapshotsPerPage;
        RESOLUTION = cfg.screenshotResolution;
        GIT_DOMAINS = cfg.gitDomains;
        CHECK_SSL_VALIDITY = boolToStr cfg.checkSSLCert;
        MEDIA_MAX_SIZE = cfg.mediaMaxSize;
        CURL_USER_AGENT = cfg.curlUserAgent;
        WGET_USER_AGENT = cfg.wgetUserAgent;
        CHROME_USER_AGENT = cfg.chromiumUserAgent;
        COOKIES_FILE = cfg.wgetCookiesFile;
        CHROME_USER_DATA_DIR = cfg.chromiumUserDataDir;
        CURL_BINARY = if useCurl then "${pkgs.curl}/bin/curl" else null;
        GIT_BINARY = if useGit then "${pkgs.git}/bin/git" else null;
        WGET_BINARY = if useWget then "${pkgs.wget}/bin/wget" else null;
        SINGLEFILE_BINARY = if useSinglefile then "${single-file}/bin/single-file" else null;
        READABILITY_BINARY = if useReadability then "${readability-extractor}/bin/readability-extractor" else null;
        MERCURY_BINARY = if useMercury then "${mercury-parser}/bin/mercury-parser" else null;
        YOUTUBEDL_BINARY = if useYtdlp then "${pkgs.yt-dlp}/bin/yt-dlp" else null;
        NODE_BINARY = "${pkgs.nodejs}/bin/nodejs"; # is this really needed? Nix already includes nodejs inside packages where needed
        RIPGREP_BINARY = "${pkgs.ripgrep}/bin/rg";
        CHROME_BINARY = if useChromium then "${pkgs.chromium}/bin/chromium-browser" else null;
        USE_CURL = boolToStr useCurl;
        USE_WGET = boolToStr useWget;
        USE_SINGLEFILE = boolToStr useSinglefile;
        USE_READABILITY = boolToStr useReadability;
        USE_MERCURY = boolToStr useMercury;
        USE_GIT = boolToStr useGit;
        USE_CHROME = boolToStr useChromium;
        USE_YOUTUBEDL = boolToStr useYtdlp;
        USE_RIPGREP = boolToStr true;
        OUTPUT_DIR = cfg.dataDir;
      };
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
        # initalize/migrate data directory
        cd ${cfg.dataDir}
        ${pkgs.archivebox}/bin/archivebox init
      '';
    };
  };
 }
--- a/common/server/archivebox/generate.sh
+++ b/common/server/archivebox/generate.sh
@@ -1,3 +0,0 @@
 #!/usr/bin/env bash
 rm -f ./node-env.nix
 nix run nixpkgs#nodePackages.node2nix -- -i node-packages.json -o node-packages.nix -c composition.nix --no-out-link
--- a/common/server/archivebox/node-env.nix
+++ b/common/server/archivebox/node-env.nix
@@ -1,588 +0,0 @@
 # This file originates from node2nix
 {lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}:
 let
  # Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
  utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux;
  python = if nodejs ? python then nodejs.python else python2;
  # Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
  tarWrapper = runCommand "tarWrapper" {} ''
    mkdir -p $out/bin
    cat > $out/bin/tar <<EOF
    #! ${stdenv.shell} -e
    $(type -p tar) "\$@" --warning=no-unknown-keyword --delay-directory-restore
    EOF
    chmod +x $out/bin/tar
  '';
  # Function that generates a TGZ file from a NPM project
  buildNodeSourceDist =
    { name, version, src, ... }:
    stdenv.mkDerivation {
      name = "node-tarball-${name}-${version}";
      inherit src;
      buildInputs = [ nodejs ];
      buildPhase = ''
        export HOME=$TMPDIR
        tgzFile=$(npm pack | tail -n 1) # Hooks to the pack command will add output (https://docs.npmjs.com/misc/scripts)
      '';
      installPhase = ''
        mkdir -p $out/tarballs
        mv $tgzFile $out/tarballs
        mkdir -p $out/nix-support
        echo "file source-dist $out/tarballs/$tgzFile" >> $out/nix-support/hydra-build-products
      '';
    };
  # Common shell logic
  installPackage = writeShellScript "install-package" ''
    installPackage() {
      local packageName=$1 src=$2
      local strippedName
      local DIR=$PWD
      cd $TMPDIR
      unpackFile $src
      # Make the base dir in which the target dependency resides first
      mkdir -p "$(dirname "$DIR/$packageName")"
      if [ -f "$src" ]
      then
          # Figure out what directory has been unpacked
          packageDir="$(find . -maxdepth 1 -type d | tail -1)"
          # Restore write permissions to make building work
          find "$packageDir" -type d -exec chmod u+x {} \;
          chmod -R u+w "$packageDir"
          # Move the extracted tarball into the output folder
          mv "$packageDir" "$DIR/$packageName"
      elif [ -d "$src" ]
      then
          # Get a stripped name (without hash) of the source directory.
          # On old nixpkgs it's already set internally.
          if [ -z "$strippedName" ]
          then
              strippedName="$(stripHash $src)"
          fi
          # Restore write permissions to make building work
          chmod -R u+w "$strippedName"
          # Move the extracted directory into the output folder
          mv "$strippedName" "$DIR/$packageName"
      fi
      # Change to the package directory to install dependencies
      cd "$DIR/$packageName"
    }
  '';
  # Bundle the dependencies of the package
  #
  # Only include dependencies if they don't exist. They may also be bundled in the package.
  includeDependencies = {dependencies}:
    lib.optionalString (dependencies != []) (
      ''
        mkdir -p node_modules
        cd node_modules
      ''
      + (lib.concatMapStrings (dependency:
        ''
          if [ ! -e "${dependency.name}" ]; then
              ${composePackage dependency}
          fi
        ''
      ) dependencies)
      + ''
        cd ..
      ''
    );
  # Recursively composes the dependencies of a package
  composePackage = { name, packageName, src, dependencies ? [], ... }@args:
    builtins.addErrorContext "while evaluating node package '${packageName}'" ''
      installPackage "${packageName}" "${src}"
      ${includeDependencies { inherit dependencies; }}
      cd ..
      ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
    '';
  pinpointDependencies = {dependencies, production}:
    let
      pinpointDependenciesFromPackageJSON = writeTextFile {
        name = "pinpointDependencies.js";
        text = ''
          var fs = require('fs');
          var path = require('path');
          function resolveDependencyVersion(location, name) {
              if(location == process.env['NIX_STORE']) {
                  return null;
              } else {
                  var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
                  if(fs.existsSync(dependencyPackageJSON)) {
                      var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
                      if(dependencyPackageObj.name == name) {
                          return dependencyPackageObj.version;
                      }
                  } else {
                      return resolveDependencyVersion(path.resolve(location, ".."), name);
                  }
              }
          }
          function replaceDependencies(dependencies) {
              if(typeof dependencies == "object" && dependencies !== null) {
                  for(var dependency in dependencies) {
                      var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
                      if(resolvedVersion === null) {
                          process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
                      } else {
                          dependencies[dependency] = resolvedVersion;
                      }
                  }
              }
          }
          /* Read the package.json configuration */
          var packageObj = JSON.parse(fs.readFileSync('./package.json'));
          /* Pinpoint all dependencies */
          replaceDependencies(packageObj.dependencies);
          if(process.argv[2] == "development") {
              replaceDependencies(packageObj.devDependencies);
          }
          replaceDependencies(packageObj.optionalDependencies);
          /* Write the fixed package.json file */
          fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
        '';
      };
    in
    ''
      node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
      ${lib.optionalString (dependencies != [])
        ''
          if [ -d node_modules ]
          then
              cd node_modules
              ${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
              cd ..
          fi
        ''}
    '';
  # Recursively traverses all dependencies of a package and pinpoints all
  # dependencies in the package.json file to the versions that are actually
  # being used.
  pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
    ''
      if [ -d "${packageName}" ]
      then
          cd "${packageName}"
          ${pinpointDependencies { inherit dependencies production; }}
          cd ..
          ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
      fi
    '';
  # Extract the Node.js source code which is used to compile packages with
  # native bindings
  nodeSources = runCommand "node-sources" {} ''
    tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
    mv node-* $out
  '';
  # Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
  addIntegrityFieldsScript = writeTextFile {
    name = "addintegrityfields.js";
    text = ''
      var fs = require('fs');
      var path = require('path');
      function augmentDependencies(baseDir, dependencies) {
          for(var dependencyName in dependencies) {
              var dependency = dependencies[dependencyName];
              // Open package.json and augment metadata fields
              var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
              var packageJSONPath = path.join(packageJSONDir, "package.json");
              if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
                  console.log("Adding metadata fields to: "+packageJSONPath);
                  var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
                  if(dependency.integrity) {
                      packageObj["_integrity"] = dependency.integrity;
                  } else {
                      packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
                  }
                  if(dependency.resolved) {
                      packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
                  } else {
                      packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
                  }
                  if(dependency.from !== undefined) { // Adopt from property if one has been provided
                      packageObj["_from"] = dependency.from;
                  }
                  fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
              }
              // Augment transitive dependencies
              if(dependency.dependencies !== undefined) {
                  augmentDependencies(packageJSONDir, dependency.dependencies);
              }
          }
      }
      if(fs.existsSync("./package-lock.json")) {
          var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
          if(![1, 2].includes(packageLock.lockfileVersion)) {
             process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
             process.exit(1);
          }
          if(packageLock.dependencies !== undefined) {
              augmentDependencies(".", packageLock.dependencies);
          }
      }
    '';
  };
  # Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
  reconstructPackageLock = writeTextFile {
    name = "addintegrityfields.js";
    text = ''
      var fs = require('fs');
      var path = require('path');
      var packageObj = JSON.parse(fs.readFileSync("package.json"));
      var lockObj = {
          name: packageObj.name,
          version: packageObj.version,
          lockfileVersion: 1,
          requires: true,
          dependencies: {}
      };
      function augmentPackageJSON(filePath, dependencies) {
          var packageJSON = path.join(filePath, "package.json");
          if(fs.existsSync(packageJSON)) {
              var packageObj = JSON.parse(fs.readFileSync(packageJSON));
              dependencies[packageObj.name] = {
                  version: packageObj.version,
                  integrity: "sha1-000000000000000000000000000=",
                  dependencies: {}
              };
              processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies);
          }
      }
      function processDependencies(dir, dependencies) {
          if(fs.existsSync(dir)) {
              var files = fs.readdirSync(dir);
              files.forEach(function(entry) {
                  var filePath = path.join(dir, entry);
                  var stats = fs.statSync(filePath);
                  if(stats.isDirectory()) {
                      if(entry.substr(0, 1) == "@") {
                          // When we encounter a namespace folder, augment all packages belonging to the scope
                          var pkgFiles = fs.readdirSync(filePath);
                          pkgFiles.forEach(function(entry) {
                              if(stats.isDirectory()) {
                                  var pkgFilePath = path.join(filePath, entry);
                                  augmentPackageJSON(pkgFilePath, dependencies);
                              }
                          });
                      } else {
                          augmentPackageJSON(filePath, dependencies);
                      }
                  }
              });
          }
      }
      processDependencies("node_modules", lockObj.dependencies);
      fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
    '';
  };
  prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
    let
      forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
    in
    ''
        # Pinpoint the versions of all dependencies to the ones that are actually being used
        echo "pinpointing versions of dependencies..."
        source $pinpointDependenciesScriptPath
        # Patch the shebangs of the bundled modules to prevent them from
        # calling executables outside the Nix store as much as possible
        patchShebangs .
        # Deploy the Node.js package by running npm install. Since the
        # dependencies have been provided already by ourselves, it should not
        # attempt to install them again, which is good, because we want to make
        # it Nix's responsibility. If it needs to install any dependencies
        # anyway (e.g. because the dependency parameters are
        # incomplete/incorrect), it fails.
        #
        # The other responsibilities of NPM are kept -- version checks, build
        # steps, postprocessing etc.
        export HOME=$TMPDIR
        cd "${packageName}"
        runHook preRebuild
        ${lib.optionalString bypassCache ''
          ${lib.optionalString reconstructLock ''
            if [ -f package-lock.json ]
            then
                echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
                echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
                rm package-lock.json
            else
                echo "No package-lock.json file found, reconstructing..."
            fi
            node ${reconstructPackageLock}
          ''}
          node ${addIntegrityFieldsScript}
        ''}
        npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
        if [ "''${dontNpmInstall-}" != "1" ]
        then
            # NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
            rm -f npm-shrinkwrap.json
            npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
        fi
    '';
  # Builds and composes an NPM package including all its dependencies
  buildNodePackage =
    { name
    , packageName
    , version
    , dependencies ? []
    , buildInputs ? []
    , production ? true
    , npmFlags ? ""
    , dontNpmInstall ? false
    , bypassCache ? false
    , reconstructLock ? false
    , preRebuild ? ""
    , dontStrip ? true
    , unpackPhase ? "true"
    , buildPhase ? "true"
    , meta ? {}
    , ... }@args:
    let
      extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
    in
    stdenv.mkDerivation ({
      name = "${name}-${version}";
      buildInputs = [ tarWrapper python nodejs ]
        ++ lib.optional (stdenv.isLinux) utillinux
        ++ lib.optional (stdenv.isDarwin) libtool
        ++ buildInputs;
      inherit nodejs;
      inherit dontStrip; # Stripping may fail a build for some package deployments
      inherit dontNpmInstall preRebuild unpackPhase buildPhase;
      compositionScript = composePackage args;
      pinpointDependenciesScript = pinpointDependenciesOfPackage args;
      passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
      installPhase = ''
        source ${installPackage}
        # Create and enter a root node_modules/ folder
        mkdir -p $out/lib/node_modules
        cd $out/lib/node_modules
        # Compose the package and all its dependencies
        source $compositionScriptPath
        ${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
        # Create symlink to the deployed executable folder, if applicable
        if [ -d "$out/lib/node_modules/.bin" ]
        then
            ln -s $out/lib/node_modules/.bin $out/bin
        fi
        # Create symlinks to the deployed manual page folders, if applicable
        if [ -d "$out/lib/node_modules/${packageName}/man" ]
        then
            mkdir -p $out/share
            for dir in "$out/lib/node_modules/${packageName}/man/"*
            do
                mkdir -p $out/share/man/$(basename "$dir")
                for page in "$dir"/*
                do
                    ln -s $page $out/share/man/$(basename "$dir")
                done
            done
        fi
        # Run post install hook, if provided
        runHook postInstall
      '';
      meta = {
        # default to Node.js' platforms
        platforms = nodejs.meta.platforms;
      } // meta;
    } // extraArgs);
  # Builds a node environment (a node_modules folder and a set of binaries)
  buildNodeDependencies =
    { name
    , packageName
    , version
    , src
    , dependencies ? []
    , buildInputs ? []
    , production ? true
    , npmFlags ? ""
    , dontNpmInstall ? false
    , bypassCache ? false
    , reconstructLock ? false
    , dontStrip ? true
    , unpackPhase ? "true"
    , buildPhase ? "true"
    , ... }@args:
    let
      extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
    in
      stdenv.mkDerivation ({
        name = "node-dependencies-${name}-${version}";
        buildInputs = [ tarWrapper python nodejs ]
          ++ lib.optional (stdenv.isLinux) utillinux
          ++ lib.optional (stdenv.isDarwin) libtool
          ++ buildInputs;
        inherit dontStrip; # Stripping may fail a build for some package deployments
        inherit dontNpmInstall unpackPhase buildPhase;
        includeScript = includeDependencies { inherit dependencies; };
        pinpointDependenciesScript = pinpointDependenciesOfPackage args;
        passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
        installPhase = ''
          source ${installPackage}
          mkdir -p $out/${packageName}
          cd $out/${packageName}
          source $includeScriptPath
          # Create fake package.json to make the npm commands work properly
          cp ${src}/package.json .
          chmod 644 package.json
          ${lib.optionalString bypassCache ''
            if [ -f ${src}/package-lock.json ]
            then
                cp ${src}/package-lock.json .
            fi
          ''}
          # Go to the parent folder to make sure that all packages are pinpointed
          cd ..
          ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
          ${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
          # Expose the executables that were installed
          cd ..
          ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
          mv ${packageName} lib
          ln -s $out/lib/node_modules/.bin $out/bin
        '';
      } // extraArgs);
  # Builds a development shell
  buildNodeShell =
    { name
    , packageName
    , version
    , src
    , dependencies ? []
    , buildInputs ? []
    , production ? true
    , npmFlags ? ""
    , dontNpmInstall ? false
    , bypassCache ? false
    , reconstructLock ? false
    , dontStrip ? true
    , unpackPhase ? "true"
    , buildPhase ? "true"
    , ... }@args:
    let
      nodeDependencies = buildNodeDependencies args;
    in
    stdenv.mkDerivation {
      name = "node-shell-${name}-${version}";
      buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
      buildCommand = ''
        mkdir -p $out/bin
        cat > $out/bin/shell <<EOF
        #! ${stdenv.shell} -e
        $shellHook
        exec ${stdenv.shell}
        EOF
        chmod +x $out/bin/shell
      '';
      # Provide the dependencies in a development shell through the NODE_PATH environment variable
      inherit nodeDependencies;
      shellHook = lib.optionalString (dependencies != []) ''
        export NODE_PATH=${nodeDependencies}/lib/node_modules
        export PATH="${nodeDependencies}/bin:$PATH"
      '';
    };
 in
 {
  buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
  buildNodePackage = lib.makeOverridable buildNodePackage;
  buildNodeDependencies = lib.makeOverridable buildNodeDependencies;
  buildNodeShell = lib.makeOverridable buildNodeShell;
 }
--- a/common/server/archivebox/node-packages.json
+++ b/common/server/archivebox/node-packages.json
@@ -1,5 +0,0 @@
 [
  "@postlight/mercury-parser"
 , { "readability-extractor": "git+https://github.com/ArchiveBox/readability-extractor.git" }
 , { "single-file": "git+https://github.com/gildas-lormeau/SingleFile.git" }
 ]
--- a/common/server/archivebox/node-packages.nix
+++ b/common/server/archivebox/node-packages.nix
--- a/common/server/ceph.nix
+++ b/common/server/ceph.nix
@@ -3,9 +3,9 @@
 with lib;
 let
  cfg = config.ceph;
-in {
+in
-  options.ceph = {
+{
-  };
+  options.ceph = { };
  config = mkIf cfg.enable {
    # ceph.enable = true;
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -2,7 +2,6 @@
 {
  imports = [
    ./archivebox
    ./nginx.nix
    ./thelounge.nix
    ./mumble.nix
@@ -11,8 +10,14 @@
    ./matrix.nix
    ./zerobin.nix
    ./gitea.nix
    ./gitea-runner.nix
    ./privatebin/privatebin.nix
    ./drastikbot.nix
    ./radio.nix
    ./samba.nix
    ./owncast.nix
    ./mailserver.nix
    ./nextcloud.nix
    ./iodine.nix
    ./searx.nix
  ];
 }
--- a/common/server/drastikbot.nix
+++ b/common/server/drastikbot.nix
@@ -1,80 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.drastikbot;
  drastikbot = pkgs.python3Packages.buildPythonApplication rec {
    pname = "drastikbot";
    version = "v2.1";
    format = "other";
    srcs = [
      config.inputs.drastikbot
      config.inputs.drastikbot_modules
      config.inputs.dailybuild_modules
    ];
    nativeBuildInputs = [ pkgs.makeWrapper ];
    phases = [ "installPhase" ]; # Removes all phases except installPhase
    installPhase = ''
      arr=($srcs)
      mkdir -p $out/irc/modules
      cp -r ''${arr[0]}/src/* $out/
      cp -r ''${arr[1]}/* $out/irc/modules
      cp -r ''${arr[2]}/* $out/irc/modules
      makeWrapper ${pkgs.python3}/bin/python3 $out/drastikbot \
        --prefix PYTHONPATH : ${with pkgs.python3Packages; makePythonPath [requests beautifulsoup4]} \
        --add-flags "$out/drastikbot.py"
    '';
  };
 in {
  options.services.drastikbot = {
    enable = lib.mkEnableOption "enable drastikbot";
    user = lib.mkOption {
      type = lib.types.str;
      default = "drastikbot";
      description = ''
        The user drastikbot should run as
      '';
    };
    group = lib.mkOption {
      type = lib.types.str;
      default = "drastikbot";
      description = ''
        The group drastikbot should run as
      '';
    };
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/drastikbot";
      description = ''
        Path to the drastikbot data directory
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    users.users.${cfg.user} = {
        isSystemUser = true;
        group = cfg.group;
        home = cfg.dataDir;
        createHome = true;
    };
    users.groups.${cfg.group} = {};
    systemd.services.drastikbot = {
      enable = true;
      after = ["network.target"];
      wantedBy = ["multi-user.target"];
      serviceConfig.ExecStart = "${drastikbot}/drastikbot -c ${cfg.dataDir}";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user} ${cfg.dataDir}
      '';
    };
  };
 }
--- a/common/server/gitea-runner.nix
+++ b/common/server/gitea-runner.nix
@@ -0,0 +1,98 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.gitea-runner;
 in
 {
  options.services.gitea-runner = {
    enable = lib.mkEnableOption "Enables gitea runner";
    dataDir = lib.mkOption {
      default = "/var/lib/gitea-runner";
      type = lib.types.str;
      description = lib.mdDoc "gitea runner data directory.";
    };
    instanceUrl = lib.mkOption {
      type = lib.types.str;
    };
    registrationTokenFile = lib.mkOption {
      type = lib.types.path;
    };
  };
  config = lib.mkIf cfg.enable {
    virtualisation.docker.enable = true;
    users.users.gitea-runner = {
      description = "Gitea Runner Service";
      home = cfg.dataDir;
      useDefaultShell = true;
      group = "gitea-runner";
      isSystemUser = true;
      createHome = true;
      extraGroups = [
        "docker" # allow creating docker containers
      ];
    };
    users.groups.gitea-runner = { };
    # registration token
    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
    age.secrets.gitea-runner-registration-token = {
      file = ../../secrets/gitea-runner-registration-token.age;
      owner = "gitea-runner";
    };
    systemd.services.gitea-runner = {
      description = "Gitea Runner";
      serviceConfig = {
        WorkingDirectory = cfg.dataDir;
        User = "gitea-runner";
        Group = "gitea-runner";
      };
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ gitea-actions-runner ];
      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
      script = ''
        . ${cfg.registrationTokenFile}
        if [[ ! -s .runner ]]; then
          try=$((try + 1))
          success=0
          LOGFILE="$(mktemp)"
          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
          # the context of a single docker-compose, something similar could be done via healthchecks, but
          # this is more flexible.
          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
            act_runner register \
              --instance "${cfg.instanceUrl}" \
              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
              --name     "${config.networking.hostName}" \
              --no-interactive > $LOGFILE 2>&1
            cat $LOGFILE
            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
            if [[ $? -eq 0 ]]; then
              echo "SUCCESS"
              success=1
            else
              echo "Waiting to retry ..."
              sleep 5
            fi
          done
        fi
        exec act_runner daemon
      '';
    };
  };
 }
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@@ -1,8 +1,9 @@
-{ lib, config, ... }:
+{ lib, pkgs, config, ... }:
 let
  cfg = config.services.gitea;
-in {
+in
 {
  options.services.gitea = {
    hostname = lib.mkOption {
      type = lib.types.str;
@@ -14,11 +15,8 @@ in {
      domain = cfg.hostname;
      rootUrl = "https://${cfg.hostname}/";
      appName = cfg.hostname;
      ssh.enable = true;
      # lfs.enable = true;
-      dump.enable = true;
+      # dump.enable = true;
      cookieSecure = true;
      disableRegistration = true;
      settings = {
        other = {
          SHOW_FOOTER_VERSION = false;
@@ -26,8 +24,37 @@ in {
        ui = {
          DEFAULT_THEME = "arc-green";
        };
        service = {
          DISABLE_REGISTRATION = true;
        };
        session = {
          COOKIE_SECURE = true;
        };
        mailer = {
          ENABLED = true;
          MAILER_TYPE = "smtp";
          SMTP_ADDR = "mail.neet.dev";
          SMTP_PORT = "465";
          IS_TLS_ENABLED = true;
          USER = "robot@runyan.org";
          FROM = "no-reply@neet.dev";
        };
        actions = {
          ENABLED = true;
        };
      };
      mailerPasswordFile = "/run/agenix/robots-email-pw";
    };
    age.secrets.robots-email-pw = {
      file = ../../secrets/robots-email-pw.age;
      owner = config.services.gitea.user;
    };
    # backups
    backup.group."gitea".paths = [
      config.services.gitea.stateDir
    ];
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
--- a/common/server/hydra.nix
+++ b/common/server/hydra.nix
@@ -20,6 +20,6 @@ in
    hydraURL = "https://${domain}";
    useSubstitutes = true;
    notificationSender = notifyEmail;
-    buildMachinesFiles = [];
+    buildMachinesFiles = [ ];
  };
 }
--- a/common/server/icecast.nix
+++ b/common/server/icecast.nix
@@ -7,7 +7,8 @@
 let
  cfg = config.services.icecast;
-in {
+in
 {
  options.services.icecast = {
    mount = lib.mkOption {
      type = lib.types.str;
--- a/common/server/iodine.nix
+++ b/common/server/iodine.nix
@@ -0,0 +1,21 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.iodine.server;
 in
 {
  config = lib.mkIf cfg.enable {
    # iodine DNS-based vpn
    services.iodine.server = {
      ip = "192.168.99.1";
      domain = "tun.neet.dev";
      passwordFile = "/run/agenix/iodine";
    };
    age.secrets.iodine.file = ../../secrets/iodine.age;
    networking.firewall.allowedUDPPorts = [ 53 ];
    networking.nat.internalInterfaces = [
      "dns0" # iodine
    ];
  };
 }
--- a/common/server/mailserver.nix
+++ b/common/server/mailserver.nix
@@ -0,0 +1,100 @@
 { config, pkgs, lib, ... }:
 with builtins;
 let
  cfg = config.mailserver;
  domains = [
    "neet.space"
    "neet.dev"
    "neet.cloud"
    "runyan.org"
    "runyan.rocks"
    "thunderhex.com"
    "tar.ninja"
    "bsd.ninja"
    "bsd.rocks"
  ];
 in
 {
  config = lib.mkIf cfg.enable {
    # kresd doesn't work with tailscale MagicDNS
    mailserver.localDnsResolver = false;
    services.resolved.enable = true;
    mailserver = {
      fqdn = "mail.neet.dev";
      dkimKeyBits = 2048;
      indexDir = "/var/lib/mailindex";
      enableManageSieve = true;
      fullTextSearch.enable = true;
      fullTextSearch.indexAttachments = true;
      fullTextSearch.memoryLimit = 500;
      inherit domains;
      loginAccounts = {
        "jeremy@runyan.org" = {
          hashedPasswordFile = "/run/agenix/hashed-email-pw";
          # catchall for all domains
          aliases = map (domain: "@${domain}") domains;
        };
        "robot@runyan.org" = {
          aliases = [
            "no-reply@neet.dev"
            "robot@neet.dev"
          ];
          sendOnly = true;
          hashedPasswordFile = "/run/agenix/hashed-robots-email-pw";
        };
      };
      rejectRecipients = [
        "george@runyan.org"
        "joslyn@runyan.org"
        "damon@runyan.org"
        "jonas@runyan.org"
      ];
      certificateScheme = 3; # use let's encrypt for certs
    };
    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
    # sendmail to use xxx@domain instead of xxx@mail.domain
    services.postfix.origin = "$mydomain";
    # relay sent mail through mailgun
    # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
    services.postfix.config = {
      smtp_sasl_auth_enable = "yes";
      smtp_sasl_security_options = "noanonymous";
      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
      smtp_use_tls = "yes";
      sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
      smtp_sender_dependent_authentication = "yes";
    };
    services.postfix.mapFiles.sender_relay =
      let
        relayHost = "[smtp.mailgun.org]:587";
      in
      pkgs.writeText "sender_relay"
        (concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
    services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
    age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
    # webmail
    services.nginx.enable = true;
    services.roundcube = {
      enable = true;
      hostName = config.mailserver.fqdn;
      extraConfig = ''
        # starttls needed for authentication, so the fqdn required to match the certificate
        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
      '';
    };
    # backups
    backup.group."email".paths = [
      config.mailserver.mailDirectory
    ];
  };
 }
--- a/common/server/matrix.nix
+++ b/common/server/matrix.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.matrix;
  certs = config.security.acme.certs;
-in {
+in
 {
  options.services.matrix = {
    enable = lib.mkEnableOption "enable matrix";
    element-web = {
@@ -59,23 +60,25 @@ in {
  config = lib.mkIf cfg.enable {
    services.matrix-synapse = {
      enable = true;
-      server_name = cfg.host;
+      settings = {
-      enable_registration = cfg.enable_registration;
+        server_name = cfg.host;
-      listeners = [ {
+        enable_registration = cfg.enable_registration;
-        bind_address = "127.0.0.1";
+        listeners = [{
-        port = cfg.port;
+          bind_addresses = [ "127.0.0.1" ];
-        tls = false;
+          port = cfg.port;
-        resources = [ {
+          tls = false;
-          compress = true;
+          resources = [{
-          names = [ "client" "federation" ];
+            compress = true;
-        } ];
+            names = [ "client" "federation" ];
-      } ];
+          }];
-      turn_uris = [
+        }];
-        "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
+        turn_uris = [
-        "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
+          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
-      ];
+          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
-      turn_shared_secret = cfg.turn.secret;
+        ];
-      turn_user_lifetime = "1h";
+        turn_shared_secret = cfg.turn.secret;
        turn_user_lifetime = "1h";
      };
    };
    services.coturn = {
@@ -118,7 +121,7 @@ in {
    services.nginx = {
      enable = true;
-      virtualHosts.${cfg.host} =  {
+      virtualHosts.${cfg.host} = {
        enableACME = true;
        forceSSL = true;
        listen = [
@@ -135,7 +138,8 @@ in {
        ];
        locations."/".proxyPass = "http://localhost:${toString cfg.port}";
      };
-      virtualHosts.${cfg.turn.host} =  { # get TLS cert for TURN server
+      virtualHosts.${cfg.turn.host} = {
        # get TLS cert for TURN server
        enableACME = true;
        forceSSL = true;
      };
--- a/common/server/mumble.nix
+++ b/common/server/mumble.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.murmur;
  certs = config.security.acme.certs;
-in {
+in
 {
  options.services.murmur.domain = lib.mkOption {
    type = lib.types.str;
  };
--- a/common/server/nextcloud.nix
+++ b/common/server/nextcloud.nix
@@ -0,0 +1,34 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.nextcloud;
 in
 {
  config = lib.mkIf cfg.enable {
    services.nextcloud = {
      https = true;
      package = pkgs.nextcloud25;
      hostName = "neet.cloud";
      config.dbtype = "sqlite";
      config.adminuser = "jeremy";
      config.adminpassFile = "/run/agenix/nextcloud-pw";
      autoUpdateApps.enable = true;
      enableBrokenCiphersForSSE = false;
    };
    age.secrets.nextcloud-pw = {
      file = ../../secrets/nextcloud-pw.age;
      owner = "nextcloud";
    };
    # backups
    backup.group."nextcloud".paths = [
      config.services.nextcloud.home
    ];
    services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
      enableACME = true;
      forceSSL = true;
    };
  };
 }
--- a/common/server/nginx-stream.nix
+++ b/common/server/nginx-stream.nix
@@ -5,7 +5,8 @@ let
  nginxWithRTMP = pkgs.nginx.override {
    modules = [ pkgs.nginxModules.rtmp ];
  };
-in {
+in
 {
  options.services.nginx.stream = {
    enable = lib.mkEnableOption "enable nginx rtmp/hls/dash video streaming";
    port = lib.mkOption {
--- a/common/server/nginx.nix
+++ b/common/server/nginx.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.nginx;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    services.nginx = {
      recommendedGzipSettings = true;
--- a/common/server/owncast.nix
+++ b/common/server/owncast.nix
@@ -0,0 +1,32 @@
 { lib, config, ... }:
 with lib;
 let
  cfg = config.services.owncast;
 in
 {
  options.services.owncast = {
    hostname = lib.mkOption {
      type = types.str;
      example = "example.com";
    };
  };
  config = mkIf cfg.enable {
    services.owncast.listen = "127.0.0.1";
    services.owncast.port = 62419; # random port
    networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.port}";
        proxyWebsockets = true;
      };
    };
  };
 }
--- a/common/server/privatebin/privatebin.nix
+++ b/common/server/privatebin/privatebin.nix
@@ -14,7 +14,8 @@ let
      cp -ar $src $out
    '';
  };
-in {
+in
 {
  options.services.privatebin = {
    enable = lib.mkEnableOption "enable privatebin";
    host = lib.mkOption {
@@ -30,7 +31,7 @@ in {
      group = "privatebin";
      isSystemUser = true;
    };
-    users.groups.privatebin = {};
+    users.groups.privatebin = { };
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.host} = {
--- a/common/server/radio.nix
+++ b/common/server/radio.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.radio;
  radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
-in {
+in
 {
  options.services.radio = {
    enable = lib.mkEnableOption "enable radio";
    user = lib.mkOption {
@@ -56,11 +57,11 @@ in {
      home = cfg.dataDir;
      createHome = true;
    };
-    users.groups.${cfg.group} = {};
+    users.groups.${cfg.group} = { };
    systemd.services.radio = {
      enable = true;
-      after = ["network.target"];
+      after = [ "network.target" ];
-      wantedBy = ["multi-user.target"];
+      wantedBy = [ "multi-user.target" ];
      serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@@ -0,0 +1,120 @@
 { config, lib, pkgs, ... }:
 {
  config = lib.mkIf config.services.samba.enable {
    services.samba = {
      openFirewall = true;
      package = pkgs.sambaFull; # printer sharing
      securityType = "user";
      # should this be on?
      nsswins = true;
      extraConfig = ''
        workgroup = HOME
        server string = smbnix
        netbios name = smbnix
        security = user 
        use sendfile = yes
        min protocol = smb2
        guest account = nobody
        map to guest = bad user
        # printing
        load printers = yes
        printing = cups
        printcap name = cups
        hide files = /.nobackup/.DS_Store/._.DS_Store/
      '';
      shares = {
        public = {
          path = "/data/samba/Public";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "public_data";
          "force group" = "public_data";
        };
        googlebot = {
          path = "/data/samba/googlebot";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "valid users" = "googlebot";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "googlebot";
          "force group" = "users";
        };
        cris = {
          path = "/data/samba/cris";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "valid users" = "cris";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "root";
          "force group" = "users";
        };
        printers = {
          comment = "All Printers";
          path = "/var/spool/samba";
          public = "yes";
          browseable = "yes";
          # to allow user 'guest account' to print.
          "guest ok" = "yes";
          writable = "no";
          printable = "yes";
          "create mode" = 0700;
        };
      };
    };
    # backups
    backup.group."samba".paths = [
      config.services.samba.shares.googlebot.path
      config.services.samba.shares.cris.path
      config.services.samba.shares.public.path
    ];
    # Windows discovery of samba server
    services.samba-wsdd = {
      enable = true;
      # are these needed?
      workgroup = "HOME";
      hoplimit = 3;
      discovery = true;
    };
    networking.firewall.allowedTCPPorts = [ 5357 ];
    networking.firewall.allowedUDPPorts = [ 3702 ];
    # Printer discovery
    # (is this needed?)
    services.avahi.enable = true;
    services.avahi.nssmdns = true;
    # printer sharing
    systemd.tmpfiles.rules = [
      "d /var/spool/samba 1777 root root -"
    ];
    users.groups.public_data.gid = 994;
    users.users.public_data = {
      isSystemUser = true;
      group = "public_data";
      uid = 994;
    };
    users.users.googlebot.extraGroups = [ "public_data" ];
    # samba user for share
    users.users.cris.isSystemUser = true;
    users.users.cris.group = "cris";
    users.groups.cris = { };
  };
 }
--- a/common/server/searx.nix
+++ b/common/server/searx.nix
@@ -0,0 +1,30 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.searx;
 in
 {
  config = lib.mkIf cfg.enable {
    services.searx = {
      environmentFile = "/run/agenix/searx";
      settings = {
        server.port = 43254;
        server.secret_key = "@SEARX_SECRET_KEY@";
        engines = [{
          name = "wolframalpha";
          shortcut = "wa";
          api_key = "@WOLFRAM_API_KEY@";
          engine = "wolframalpha_api";
        }];
      };
    };
    services.nginx.virtualHosts."search.neet.space" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
      };
    };
    age.secrets.searx.file = ../../secrets/searx.age;
  };
 }
--- a/common/server/thelounge.nix
+++ b/common/server/thelounge.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.thelounge;
-in {
+in
 {
  options.services.thelounge = {
    fileUploadBaseUrl = lib.mkOption {
      type = lib.types.str;
@@ -23,12 +24,12 @@ in {
  config = lib.mkIf cfg.enable {
    services.thelounge = {
-      private = true;
+      public = false;
      extraConfig = {
        reverseProxy = true;
        maxHistory = -1;
        https.enable = false;
-  #      theme = "thelounge-theme-solarized";
+        #      theme = "thelounge-theme-solarized";
        prefetch = false;
        prefetchStorage = false;
        fileUpload = {
@@ -42,6 +43,10 @@ in {
      };
    };
    backup.group."thelounge".paths = [
      "/var/lib/thelounge/"
    ];
    # the lounge client
    services.nginx.virtualHosts.${cfg.host} = {
      enableACME = true;
--- a/common/server/video-stream.nix
+++ b/common/server/video-stream.nix
@@ -15,14 +15,14 @@ let
 in
 {
  networking.firewall.allowedUDPPorts = [ rtp-port ];
-  networking.firewall.allowedTCPPortRanges = [ {
+  networking.firewall.allowedTCPPortRanges = [{
    from = webrtc-peer-lower-port;
    to = webrtc-peer-upper-port;
-  } ];
+  }];
-  networking.firewall.allowedUDPPortRanges = [ { 
+  networking.firewall.allowedUDPPortRanges = [{
    from = webrtc-peer-lower-port;
    to = webrtc-peer-upper-port;
-  } ];
+  }];
  virtualisation.docker.enable = true;
@@ -49,12 +49,12 @@ in
        ports = [
          "${toStr ingest-port}:8084"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/ingest";
+        #          imageName = "projectlightspeed/ingest";
-#          finalImageTag = "version-0.1.4";
+        #          finalImageTag = "version-0.1.4";
-#          imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
+        #          imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
-#          sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
+        #          sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
-#        };
+        #        };
      };
      "lightspeed-react" = {
        workdir = "/var/lib/lightspeed-react";
@@ -62,12 +62,12 @@ in
        ports = [
          "${toStr web-port}:80"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/react";
+        #          imageName = "projectlightspeed/react";
-#          finalImageTag = "version-0.1.3";
+        #          finalImageTag = "version-0.1.3";
-#          imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
+        #          imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
-#          sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
+        #          sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
-#        };
+        #        };
      };
      "lightspeed-webrtc" = {
        workdir = "/var/lib/lightspeed-webrtc";
@@ -79,15 +79,18 @@ in
          "${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}:${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}/udp"
        ];
        cmd = [
-          "lightspeed-webrtc" "--addr=0.0.0.0" "--ip=${domain}"
+          "lightspeed-webrtc"
-          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}" "run"
+          "--addr=0.0.0.0"
          "--ip=${domain}"
          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}"
          "run"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/webrtc";
+        #          imageName = "projectlightspeed/webrtc";
-#          finalImageTag = "version-0.1.2";
+        #          finalImageTag = "version-0.1.2";
-#          imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
+        #          imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
-#          sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
+        #          sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
-#        };
+        #        };
      };
    };
  };
--- a/common/server/vscode/modules/vscode-server/default.nix
+++ b/common/server/vscode/modules/vscode-server/default.nix
@@ -1,8 +1,8 @@
 import ./module.nix ({ name, description, serviceConfig }:
-{
+  {
-  systemd.user.services.${name} = {
+    systemd.user.services.${name} = {
-    inherit description serviceConfig;
+      inherit description serviceConfig;
-    wantedBy = [ "default.target" ];
+      wantedBy = [ "default.target" ];
-  };
+    };
-})
+  })
--- a/common/server/vscode/modules/vscode-server/home.nix
+++ b/common/server/vscode/modules/vscode-server/home.nix
@@ -1,15 +1,15 @@
 import ./module.nix ({ name, description, serviceConfig }:
-{
+  {
-  systemd.user.services.${name} = {
+    systemd.user.services.${name} = {
-    Unit = {
+      Unit = {
-      Description = description;
+        Description = description;
-    };
+      };
-    Service = serviceConfig;
+      Service = serviceConfig;
-    Install = {
+      Install = {
-      WantedBy = [ "default.target" ];
+        WantedBy = [ "default.target" ];
      };
    };
-  };
+  })
 })
--- a/common/server/zerobin.nix
+++ b/common/server/zerobin.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.zerobin;
-in {
+in
 {
  options.services.zerobin = {
    host = lib.mkOption {
      type = lib.types.str;
--- a/common/shell.nix
+++ b/common/shell.nix
@@ -0,0 +1,52 @@
 { config, lib, pkgs, ... }:
 # Improvements to the default shell
 # - use nix-index for command-not-found
 # - disable fish's annoying greeting message
 # - add some handy shell commands
 {
  environment.systemPackages = with pkgs; [
    comma
  ];
  # nix-index
  programs.nix-index.enable = true;
  programs.nix-index.enableFishIntegration = true;
  programs.command-not-found.enable = false;
  programs.fish = {
    enable = true;
    shellInit = ''
      # disable annoying fish shell greeting
      set fish_greeting
      alias sudo="doas"
    '';
  };
  environment.shellAliases = {
    myip = "dig +short myip.opendns.com @resolver1.opendns.com";
    # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
    io_seq_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
    io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
    io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
    io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
  };
  nixpkgs.overlays = [
    (final: prev: {
      # comma uses the "nix-index" package built into nixpkgs by default.
      # That package doesn't use the prebuilt nix-index database so it needs to be changed.
      comma = prev.comma.overrideAttrs (old: {
        postInstall = ''
          wrapProgram $out/bin/comma \
            --prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}
          ln -s $out/bin/comma $out/bin/,
        '';
      });
    })
  ];
 }
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -1,61 +1,38 @@
-rec {
+{ config, lib, pkgs, ... }:
-  users = [
+
 {
  programs.ssh.knownHosts = lib.filterAttrs (n: v: v != null) (lib.concatMapAttrs
    (host: cfg: {
      ${host} = {
        hostNames = cfg.hostNames;
        publicKey = cfg.hostKey;
      };
      "${host}-remote-unlock" =
        if cfg.remoteUnlock != null then {
          hostNames = builtins.filter (h: h != null) [ cfg.remoteUnlock.clearnetHost cfg.remoteUnlock.onionHost ];
          publicKey = cfg.remoteUnlock.hostKey;
        } else null;
    })
    config.machines.hosts);
  # prebuilt cmds for easy ssh LUKS unlock
  environment.shellAliases =
    let
      unlockHosts = unlockType: lib.concatMapAttrs
        (host: cfg:
          if cfg.remoteUnlock != null && cfg.remoteUnlock.${unlockType} != null then {
            ${host} = cfg.remoteUnlock.${unlockType};
          } else { })
        config.machines.hosts;
    in
    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) (unlockHosts "onionHost")
    //
    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) (unlockHosts "clearnetHost");
  # TODO: Old ssh keys I will remove some day...
  machines.ssh.userKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
  ];
  system = {
    liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
    ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4xi9PqTvcA/XB+gTwjFXk+f3sycGSFoioO3e8yDy7H";
    n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
    n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
    n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
    n4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYm2ROIfCeGz6QtDwqAmcj2DX9tq2CZn0eLhskdvB4Z";
    n5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Qhvwq3PiHEKf+2/4w5ZJkSMNzFLhIRrPOR98m7wW4";
    n6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/P/pa9+qhKAPfvvd8xSO2komJqDW0M1nCK7ZrP6PO7";
    n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL";
  };
  # groups
  systems = with system; [
    liza
    ray
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  personal = with system; [
    ray
  ];
  servers = with system; [
    liza
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  compute = with system; [
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  storage = with system; [
    s0
  ];
 }
--- a/common/zerotier.nix
+++ b/common/zerotier.nix
@@ -1,14 +0,0 @@
 { lib, config, ... }:
 let
  cfg = config.services.zerotierone;
 in {
  config = lib.mkIf cfg.enable {
    services.zerotierone.joinNetworks = [
      "565799d8f6d654c0"
    ];
    networking.firewall.allowedUDPPorts = [
      9993
    ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@@ -2,16 +2,17 @@
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1646845404,
+        "lastModified": 1682101079,
-        "narHash": "sha256-JENXFCI2HVqi0whBzt7MAW9PX3ziEaYqBhMux+4g+VM=",
+        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "764c975e74bce2f89a5106b68ec48e2b586f893c",
+        "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
        "type": "github"
      },
      "original": {
@@ -20,6 +21,29 @@
        "type": "github"
      }
    },
    "archivebox": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1648612759,
        "narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
        "ref": "refs/heads/master",
        "rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
        "revCount": 2,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/archivebox.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/archivebox.git"
      }
    },
    "blobs": {
      "flake": false,
      "locked": {
@@ -37,119 +61,193 @@
      }
    },
    "dailybuild_modules": {
      "flake": false,
      "locked": {
        "lastModified": 1633210754,
        "narHash": "sha256-jBIE07mLsF+qHoa/CQLSRipvfNSivgbuWUatI6Wwy0s=",
        "ref": "master",
        "rev": "e6a1c8686dad46b7847a5c690107a48fc20a6a29",
        "revCount": 9,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      }
    },
    "drastikbot": {
      "flake": false,
      "locked": {
        "lastModified": 1596211584,
        "narHash": "sha256-1L8vTE1YEhFWzY5RYb+s5Hb4LrVJNN2leKlZEugEyRU=",
        "owner": "olagood",
        "repo": "drastikbot",
        "rev": "ef72e3afe7602d95c8b014202e220f04796900ab",
        "type": "github"
      },
      "original": {
        "owner": "olagood",
        "ref": "v2.1",
        "repo": "drastikbot",
        "type": "github"
      }
    },
    "drastikbot_modules": {
      "flake": false,
      "locked": {
        "lastModified": 1619214744,
        "narHash": "sha256-w1164FkRkeyWnx6a95WDbwEUvNkNwFWa/6mhKtgVw0c=",
        "owner": "olagood",
        "repo": "drastikbot_modules",
        "rev": "3af549a8c3f6e55b63758a61a751bebb1b2db3a3",
        "type": "github"
      },
      "original": {
        "owner": "olagood",
        "ref": "v2.1",
        "repo": "drastikbot_modules",
        "type": "github"
      }
    },
    "flake-utils": {
      "locked": {
        "lastModified": 1620759905,
        "narHash": "sha256-WiyWawrgmyN0EdmiHyG2V+fqReiVi8bM9cRdMaKQOFg=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b543720b25df6ffdfcf9227afafc5b8c1fabfae8",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1646675913,
        "narHash": "sha256-ZvGf51XpXM7JojKLZ5yI0XLUq8UOFX6AwZ3bhtdcpIo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "9b1c7ba323732ddc85a51850a7f10ecc5269b8e9",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-21.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-21_05": {
      "locked": {
        "lastModified": 1625692408,
        "narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c06613c25df3fe1dd26243847a3c105cf6770627",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-21.05",
        "type": "indirect"
      }
    },
    "radio": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1633288285,
+        "lastModified": 1651719222,
-        "narHash": "sha256-pL8oEB1AoghvFTsSLLKA1zhV8Z8TM8vcAkeodS6/IZs=",
+        "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
        "ref": "refs/heads/master",
        "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
        "revCount": 19,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1673295039,
        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": [
          "simple-nixos-mailserver",
          "utils"
        ]
      },
      "locked": {
        "lastModified": 1682063650,
        "narHash": "sha256-VaDHh2z6xlnTHaONlNVHP7qEMcK5rZ8Js3sT6mKb2XY=",
        "owner": "serokell",
        "repo": "deploy-rs",
        "rev": "c2ea4e642dc50fd44b537e9860ec95867af30d39",
        "type": "github"
      },
      "original": {
        "owner": "serokell",
        "repo": "deploy-rs",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1668681692,
        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1681202837,
        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1681591833,
        "narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
        "owner": "Mic92",
        "repo": "nix-index-database",
        "rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "nix-index-database",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1682133240,
        "narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-22_05": {
      "locked": {
        "lastModified": 1654936503,
        "narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "dab6df51387c3878cdea09f43589a15729cae9f4",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-22.05",
        "type": "indirect"
      }
    },
    "nixpkgs-hostapd-pr": {
      "flake": false,
      "locked": {
        "narHash": "sha256-1rGQKcB1jeRPc1n021ulyOVkA6L6xmNYKmeqQ94+iRc=",
        "type": "file",
        "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
      },
      "original": {
        "type": "file",
        "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
      }
    },
    "radio": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1631585589,
        "narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
        "ref": "main",
-        "rev": "eb95b31089f5a107cb7efe0c55d45beb1399ebbb",
+        "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
-        "revCount": 51,
+        "revCount": 38,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio.git"
      },
      "original": {
        "ref": "main",
        "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio.git"
      }
@@ -157,11 +255,11 @@
    "radio-web": {
      "flake": false,
      "locked": {
-        "lastModified": 1629918655,
+        "lastModified": 1652121792,
-        "narHash": "sha256-sDVM1K1r2y4T37tvdu3mtjiswJ7/PrVGsDQrHzrNfac=",
+        "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
-        "ref": "master",
+        "ref": "refs/heads/master",
-        "rev": "585ce4e3d09d1618d61358902a4231e91e15e1de",
+        "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
-        "revCount": 4,
+        "revCount": 5,
        "type": "git",
        "url": "https://git.neet.dev/zuckerberg/radio-web.git"
      },
@@ -173,10 +271,13 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "archivebox": "archivebox",
        "dailybuild_modules": "dailybuild_modules",
-        "drastikbot": "drastikbot",
+        "deploy-rs": "deploy-rs",
-        "drastikbot_modules": "drastikbot_modules",
+        "flake-utils": "flake-utils",
        "nix-index-database": "nix-index-database",
        "nixpkgs": "nixpkgs",
        "nixpkgs-hostapd-pr": "nixpkgs-hostapd-pr",
        "radio": "radio",
        "radio-web": "radio-web",
        "simple-nixos-mailserver": "simple-nixos-mailserver"
@@ -188,27 +289,39 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-21_05": "nixpkgs-21_05",
+        "nixpkgs-22_05": "nixpkgs-22_05",
        "nixpkgs-21_11": [
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1638911354,
+        "lastModified": 1655930346,
-        "narHash": "sha256-hNhzLOp+dApEY15vwLAQZu+sjEQbJcOXCaSfAT6lpsQ=",
+        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "6e3a7b2ea6f0d68b82027b988aa25d3423787303",
+        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-21.11",
+        "ref": "nixos-22.05",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1605370193,
--- a/flake.nix
+++ b/flake.nix
@@ -1,69 +1,146 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/master";
    # nixpkgs-patch-howdy.url = "https://github.com/NixOS/nixpkgs/pull/216245.diff";
    # nixpkgs-patch-howdy.flake = false;
    flake-utils.url = "github:numtide/flake-utils";
    # mail server
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.11";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
    simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
    simple-nixos-mailserver.inputs.nixpkgs-21_11.follows = "nixpkgs";
    # agenix
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    # radio
-    radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main";
+    radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
    radio.inputs.nixpkgs.follows = "nixpkgs";
    radio.inputs.flake-utils.follows = "flake-utils";
    radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
    radio-web.flake = false;
    # drastikbot
    drastikbot.url = "github:olagood/drastikbot/v2.1";
    drastikbot.flake = false;
    drastikbot_modules.url = "github:olagood/drastikbot_modules/v2.1";
    drastikbot_modules.flake = false;
    dailybuild_modules.url = "git+https://git.neet.dev/zuckerberg/dailybuild_modules.git";
-    dailybuild_modules.flake = false;
+    dailybuild_modules.inputs.nixpkgs.follows = "nixpkgs";
    dailybuild_modules.inputs.flake-utils.follows = "flake-utils";
    # archivebox
    archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git";
    archivebox.inputs.nixpkgs.follows = "nixpkgs";
    archivebox.inputs.flake-utils.follows = "flake-utils";
    # nixos config deployment
    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
    deploy-rs.inputs.utils.follows = "simple-nixos-mailserver/utils";
    # prebuilt nix-index database
    nix-index-database.url = "github:Mic92/nix-index-database";
    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
    nixpkgs-hostapd-pr.url = "https://github.com/NixOS/nixpkgs/pull/222536.patch";
    nixpkgs-hostapd-pr.flake = false;
  };
-  outputs = inputs: {
+  outputs = { self, nixpkgs, ... }@inputs:
    nixosConfigurations =
    let
-      nixpkgs = inputs.nixpkgs;
+      machines = (import ./common/machine-info/moduleless.nix
-      mkSystem = system: nixpkgs: path:
+        {
-        nixpkgs.lib.nixosSystem {
+          inherit nixpkgs;
-          inherit system;
+          assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
-          modules = [
+        }).machines.hosts;
-            path
+    in
    {
      nixosConfigurations =
        let
          modules = system: hostname: with inputs; [
            ./common
-            inputs.simple-nixos-mailserver.nixosModule
+            simple-nixos-mailserver.nixosModule
-            inputs.agenix.nixosModules.age
+            agenix.nixosModules.default
            dailybuild_modules.nixosModule
            archivebox.nixosModule
            nix-index-database.nixosModules.nix-index
            ({ lib, ... }: {
-              config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
+              config = {
                environment.systemPackages = [
                  agenix.packages.${system}.agenix
                ];
                networking.hostName = hostname;
              };
              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
              options.inputs = lib.mkOption { default = inputs; };
              options.currentSystem = lib.mkOption { default = system; };
            })
          ];
-          # specialArgs = {};
+
          mkSystem = system: nixpkgs: path: hostname:
            let
              allModules = modules system hostname;
              # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
              patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
                name = "nixpkgs-patched";
                src = nixpkgs;
                patches = [
                  inputs.nixpkgs-hostapd-pr
                  ./patches/kexec-luks.patch
                ];
              };
              patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
            in
            patchedNixpkgs.lib.nixosSystem {
              inherit system;
              modules = allModules ++ [ path ];
              specialArgs = {
                inherit allModules;
              };
            };
        in
        nixpkgs.lib.mapAttrs
          (hostname: cfg:
            mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
          machines;
      packages =
        let
          mkKexec = system:
            (nixpkgs.lib.nixosSystem {
              inherit system;
              modules = [ ./machines/ephemeral/kexec.nix ];
            }).config.system.build.kexec_tarball;
          mkIso = system:
            (nixpkgs.lib.nixosSystem {
              inherit system;
              modules = [ ./machines/ephemeral/iso.nix ];
            }).config.system.build.isoImage;
        in
        {
          "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
          "x86_64-linux"."iso" = mkIso "x86_64-linux";
          "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
          "aarch64-linux"."iso" = mkIso "aarch64-linux";
        };
-    in
+
-    {
+      deploy.nodes =
-      "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
+        let
-      "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
+          mkDeploy = configName: arch: hostname: {
-      "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
+            inherit hostname;
-      "neetdev" = mkSystem "x86_64-linux" nixpkgs ./machines/neet.dev/configuration.nix;
+            magicRollback = false;
-      "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
+            sshUser = "root";
-      "s0" = mkSystem "aarch64-linux" nixpkgs ./machines/storage/s0/configuration.nix;
+            profiles.system.path = inputs.deploy-rs.lib.${arch}.activate.nixos self.nixosConfigurations.${configName};
-      "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
+          };
-      "n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
+        in
-      "n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;
+        nixpkgs.lib.mapAttrs
-      "n4" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n4/configuration.nix;
+          (hostname: cfg:
-      "n5" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n5/configuration.nix;
+            mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
-      "n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
+          machines;
-      "n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
+
      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
    };
  };
 }
--- a/machines/compute/common.nix
+++ b/machines/compute/common.nix
@@ -1,26 +0,0 @@
 { config, ... }:
 {
  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };
  nix.flakes.enable = true;
  system.autoUpgrade.enable = true;
  networking.interfaces.eth0.useDHCP = true;
  hardware.deviceTree.enable = true;
  hardware.deviceTree.overlays = [
    ./sopine-baseboard-ethernet.dtbo # fix pine64 clusterboard ethernet
  ];
 }
--- a/machines/compute/n1/configuration.nix
+++ b/machines/compute/n1/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n1";
 }
--- a/machines/compute/n2/configuration.nix
+++ b/machines/compute/n2/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n2";
 }
--- a/machines/compute/n3/configuration.nix
+++ b/machines/compute/n3/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n3";
 }
--- a/machines/compute/n4/configuration.nix
+++ b/machines/compute/n4/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n4";
 }
--- a/machines/compute/n5/configuration.nix
+++ b/machines/compute/n5/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n5";
 }
--- a/machines/compute/n6/configuration.nix
+++ b/machines/compute/n6/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n6";
 }
--- a/machines/compute/n7/configuration.nix
+++ b/machines/compute/n7/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n7";
 }
--- a/machines/compute/sopine-baseboard-ethernet.dtbo
+++ b/machines/compute/sopine-baseboard-ethernet.dtbo
--- a/machines/compute/sopine-baseboard-ethernet.dts
+++ b/machines/compute/sopine-baseboard-ethernet.dts
@@ -1,15 +0,0 @@
 /dts-v1/;
 / {
 	model = "SoPine with baseboard";
 	compatible = "pine64,sopine-baseboard\0pine64,sopine\0allwinner,sun50i-a64";
 	fragment@0 {
 /*		target = <&ethernet@1c30000>; */
 		target-path = "/soc/ethernet@1c30000";
 		__overlay__ {
 			allwinner,tx-delay-ps = <500>;
 		};
 	};
 };
--- a/machines/ephemeral/iso.nix
+++ b/machines/ephemeral/iso.nix
@@ -0,0 +1,12 @@
 { modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/iso-image.nix")
    ./minimal.nix
  ];
  isoImage.makeUsbBootable = true;
  networking.hostName = "iso";
 }
--- a/machines/ephemeral/kexec.nix
+++ b/machines/ephemeral/kexec.nix
@@ -0,0 +1,48 @@
 # From https://mdleom.com/blog/2021/03/09/nixos-oracle/#Build-a-kexec-tarball
 # Builds a kexec img
 { config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/netboot/netboot.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./minimal.nix
  ];
  networking.hostName = "kexec";
  # stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
  system.build = rec {
    image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
      mkdir $out
      if [ -f ${config.system.build.kernel}/bzImage ]; then
        cp ${config.system.build.kernel}/bzImage $out/kernel
      else
        cp ${config.system.build.kernel}/Image $out/kernel
      fi
      cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
      nuke-refs $out/kernel
    '';
    kexec_script = pkgs.writeTextFile {
      executable = true;
      name = "kexec-nixos";
      text = ''
        #!${pkgs.stdenv.shell}
        set -e
        ${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
        sync
        echo "executing kernel, filesystems will be improperly umounted"
        ${pkgs.kexectools}/bin/kexec -e
      '';
    };
    kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
      storeContents = [
        {
          object = config.system.build.kexec_script;
          symlink = "/kexec_nixos";
        }
      ];
      contents = [ ];
    };
  };
 }
--- a/machines/ephemeral/minimal.nix
+++ b/machines/ephemeral/minimal.nix
@@ -0,0 +1,53 @@
 { config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/channel.nix")
    ../../common/machine-info
    ../../common/ssh.nix
  ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
  boot.kernelParams = [
    "panic=30"
    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0,115200" # enable serial console
    "console=tty1"
  ];
  boot.kernel.sysctl."vm.overcommit_memory" = "1";
  boot.kernelPackages = pkgs.linuxPackages_latest;
  system.stateVersion = "21.11";
  # hardware.enableAllFirmware = true;
  # nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    cryptsetup
    btrfs-progs
    git
    git-lfs
    wget
    htop
    dnsutils
    pciutils
    usbutils
    lm_sensors
  ];
  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
  networking.useDHCP = true;
  services.openssh = {
    enable = true;
    settings = {
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
    };
  };
  services.getty.autologinUser = "root";
  users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
 }
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@@ -1,310 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  mta-sts-web = {
    enableACME = true;
    forceSSL = true;
    locations."=/.well-known/mta-sts.txt".alias = pkgs.writeText "mta-sts.txt" ''
      version: STSv1
      mode: none
      mx: mail.neet.dev
      max_age: 86400
    '';
  };
 in {
  imports =[
    ./hardware-configuration.nix
  ];
  # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
  nix.flakes.enable = true;
  firmware.x86_64.enable = true;
  bios = {
    enable = true;
    device = "/dev/sda";
  };
  luks = {
    enable = true;
    device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
  };
  system.autoUpgrade.enable = true;
  networking.hostName = "liza";
  networking.interfaces.enp1s0.useDHCP = true;
  services.gitea = {
    enable = true;
    hostname = "git.neet.dev";
    disableRegistration = true;
  };
  services.peertube = {
    enable = true;
    localDomain = "tube.neet.space";
    listenHttp = 9000;
    listenWeb = 443;
    enableWebHttps = true;
    # dataDirs
    serviceEnvironmentFile = "/run/secrets/peertube-init";
    # settings
    database = {
      createLocally = true;
      passwordFile = "/run/secrets/peertube-db-pw";
    };
    redis = {
      createLocally = true;
      passwordFile = "/run/secrets/peertube-redis-pw";
    };
    smtp = {
      createLocally = false;
      passwordFile = "/run/secrets/peertube-smtp";
    };
  };
  services.nginx.virtualHosts."tube.neet.space" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.peertube.listenHttp}";
      proxyWebsockets = true;
    };
  };
  age.secrets.peertube-init.file = ../../secrets/peertube-init.age;
  age.secrets.peertube-db-pw.file = ../../secrets/peertube-db-pw.age;
  age.secrets.peertube-redis-pw.file = ../../secrets/peertube-redis-pw.age;
  age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age;
  networking.firewall.allowedTCPPorts = [ 1935 ];
  services.searx = {
    enable = true;
    environmentFile = "/run/secrets/searx";
    settings = {
      server.port = 43254;
      server.secret_key = "@SEARX_SECRET_KEY@";
      engines = [ {
        name = "wolframalpha";
        shortcut = "wa";
        api_key = "@WOLFRAM_API_KEY@";
        engine = "wolframalpha_api";
      } ];
    };
  };
  services.nginx.virtualHosts."search.neet.space" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
    };
  };
  age.secrets.searx.file = ../../secrets/searx.age;
  services.minecraft-server = {
    enable = true;
    jvmOpts = "-Xms2048M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
    eula = true;
    declarative = true;
    serverProperties = {
      motd = "Welcome :)";
      server-port = 38358;
      white-list = false;
    };
    openFirewall = true;
    package = pkgs.minecraft-server.overrideAttrs (old: {
      version = "1.17";
      src = pkgs.fetchurl {
        url = "https://launcher.mojang.com/v1/objects/0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e/server.jar";
        sha1 = "0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e";
      };
    });
  };
  # wrap radio and drastikbot in a VPN
  containers.vpn-continer = {
    ephemeral = true;
    autoStart = true;
    bindMounts = {
      "/var/lib" = {
        hostPath = "/var/lib/";
        isReadOnly = false;
      };
      "/run/secrets" = {
        hostPath = "/run/secrets";
        isReadOnly = true;
      };
      "/dev/fuse" = {
        hostPath = "/dev/fuse";
        isReadOnly = false;
      };
    };
    enableTun = true;
    privateNetwork = true;
    hostAddress = "172.16.100.1";
    localAddress = "172.16.100.2";
    config = {
      imports = [
        ../../common
        config.inputs.agenix.nixosModules.age
      ];
      # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
      options.inputs = lib.mkOption { default = config.inputs; };
      options.currentSystem = lib.mkOption { default = config.currentSystem; };
      config = {
        pia.enable = true;
        nixpkgs.pkgs = pkgs;
        networking.firewall.enable = false;
        # run it's own DNS resolver
        networking.useHostResolvConf = false;
        services.resolved.enable = true;
        services.radio = {
          enable = true;
          host = "radio.neet.space";
        };
      };
    };
  };
  # load the secret on behalf of the container
  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
  services.drastikbot.enable = true;
  # icecast endpoint + website
  services.nginx.virtualHosts."radio.neet.space" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/stream.mp3" = {
        proxyPass = "http://172.16.100.2:8001/stream.mp3";
        extraConfig = ''
          add_header Access-Control-Allow-Origin *;
        '';
      };
      "/".root = config.inputs.radio-web;
    };
  };
  services.nginx.virtualHosts."paradigminteractive.agency" = {
    enableACME = true;
    forceSSL = true;
    locations."/".root = builtins.fetchTarball {
      url = "https://git.neet.dev/zuckerberg/paradigminteractive.agency/archive/b91f3ea2884ddd902461a8acb47f20ae04bc28ee.tar.gz";
      sha256 = "1x1fpsd1qr0004hfcxk6j4c4n3wwxykzhnv47gmrdnx5hq1nbzq4";
    };
  };
  services.matrix = {
    enable = true;
    host = "neet.space";
    enable_registration = false;
    element-web = {
      enable = true;
      host = "chat.neet.space";
    };
    jitsi-meet = {
      enable = true;
      host = "meet.neet.space";
    };
    turn = {
      host = "turn.neet.space";
      secret = "a8369a0e96922abf72494bb888c85831b";
    };
  };
  services.nginx.virtualHosts."tmp.neet.dev" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/tmp";
  };
  mailserver = {
    enable = true;
    fqdn = "mail.neet.dev";
    dkimKeyBits = 2048;
    indexDir = "/var/lib/mailindex";
    enableManageSieve = true;
    fullTextSearch.enable = true;
    fullTextSearch.indexAttachments = true;
    fullTextSearch.memoryLimit = 500;
    domains = [
      "neet.space" "neet.dev" "neet.cloud"
      "runyan.org" "runyan.rocks"
      "thunderhex.com" "tar.ninja"
      "bsd.ninja" "bsd.rocks"
      "paradigminteractive.agency"
    ];
    loginAccounts = {
      "jeremy@runyan.org" = {
        hashedPasswordFile = "/run/secrets/email-pw";
        aliases = [
          "@neet.space" "@neet.cloud" "@neet.dev"
          "@runyan.org" "@runyan.rocks"
          "@thunderhex.com" "@tar.ninja"
          "@bsd.ninja" "@bsd.rocks"
          "@paradigminteractive.agency"
        ];
      };
    };
    rejectRecipients = [
      "george@runyan.org"
      "joslyn@runyan.org"
      "damon@runyan.org"
    ];
    certificateScheme = 3; # use let's encrypt for certs
  };
  age.secrets.email-pw.file = ../../secrets/email-pw.age;
  services.nginx.virtualHosts."mta-sts.runyan.org" = mta-sts-web;
  services.nginx.virtualHosts."mta-sts.runyan.rocks" = mta-sts-web;
  services.nginx.virtualHosts."mta-sts.thunderhex.com" = mta-sts-web;
  services.nginx.virtualHosts."mta-sts.tar.ninja" = mta-sts-web;
  services.nginx.virtualHosts."mta-sts.bsd.ninja" = mta-sts-web;
  services.nginx.virtualHosts."mta-sts.bsd.rocks" = mta-sts-web;
  services.nextcloud = {
    enable = true;
    https = true;
    package = pkgs.nextcloud22;
    hostName = "neet.cloud";
    config.dbtype = "sqlite";
    config.adminuser = "jeremy";
    config.adminpassFile = "/run/secrets/nextcloud-pw";
    autoUpdateApps.enable = true;
  };
  age.secrets.nextcloud-pw = {
    file = ../../secrets/nextcloud-pw.age;
    owner = "nextcloud";
  };
  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    enableACME = true;
    forceSSL = true;
  };
  # iodine DNS-based vpn
  services.iodine.server = {
    enable = true;
    ip = "192.168.99.1";
    domain = "tun.neet.dev";
    passwordFile = "/run/secrets/iodine";
  };
  age.secrets.iodine.file = ../../secrets/iodine.age;
  networking.firewall.allowedUDPPorts = [ 53 ];
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [
    "dns0" # iodine
    "ve-vpn-continer" # vpn container
  ];
  networking.nat.externalInterface = "enp1s0";
  security.acme.acceptTerms = true;
  security.acme.email = "zuckerberg@neet.dev";
 }
--- a/machines/liza/hardware-configuration.nix
+++ b/machines/liza/hardware-configuration.nix
@@ -1,36 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
      fsType = "btrfs";
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/2b8f6f6d-9358-4d30-8341-7426574e0819";
      fsType = "ext3";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/ef7a83db-4b33-41d1-85fc-cff69e480352"; }
    ];
 }
--- a/machines/nat/configuration.nix
+++ b/machines/nat/configuration.nix
@@ -5,15 +5,11 @@
    ./hardware-configuration.nix
  ];
  nix.flakes.enable = true;
  efi.enable = true;
  networking.hostName = "nat";
  networking.interfaces.ens160.useDHCP = true;
  services.zerotierone.enable = true;
  de.enable = true;
  de.touchpad.enable = true;
 }
--- a/machines/nat/hardware-configuration.nix
+++ b/machines/nat/hardware-configuration.nix
@@ -12,12 +12,14 @@
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779";
+    {
      device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/0C95-1290";
+    {
      device = "/dev/disk/by-uuid/0C95-1290";
      fsType = "vfat";
    };
--- a/machines/neet.dev/configuration.nix
+++ b/machines/neet.dev/configuration.nix
@@ -1,49 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports =[
    ./hardware-configuration.nix
  ];
  # wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
  nix.flakes.enable = true;
  firmware.x86_64.enable = true;
  bios = {
    enable = true;
    device = "/dev/sda";
  };
  luks = {
    enable = true;
    device.path = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
  };
  networking.hostName = "neetdev";
  system.autoUpgrade.enable = true;
  networking.interfaces.eno1.useDHCP = true;
  services.nginx.enable = true;
  security.acme.acceptTerms = true;
  security.acme.email = "letsencrypt+5@tar.ninja";
  services.thelounge = {
    enable = true;
    port = 9000;
    fileUploadBaseUrl = "https://files.neet.cloud/irc/";
    host = "irc.neet.dev";
    fileHost = {
      host = "files.neet.cloud";
      path = "/irc";
    };
  };
  services.murmur = {
    enable = true;
    port = 23563;
    domain = "voice.neet.space";
  };
 }
--- a/machines/neet.dev/hardware-configuration.nix
+++ b/machines/neet.dev/hardware-configuration.nix
@@ -1,38 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ahci" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/d1d3cc19-980f-42ea-9784-a223ea71f435";
      fsType = "ext4";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/86fdcded-3f0e-4ee0-81bc-c1c92cb96ab1"; }
    ];
  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
 }
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@@ -0,0 +1,14 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  services.gitea-runner = {
    enable = true;
    instanceUrl = "https://git.neet.dev";
  };
  system.autoUpgrade.enable = true;
 }
--- a/machines/phil/hardware-configuration.nix
+++ b/machines/phil/hardware-configuration.nix
@@ -0,0 +1,43 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/profiles/qemu-guest.nix")
    ];
  # because grub just doesn't work for some reason
  boot.loader.systemd-boot.enable = true;
  remoteLuksUnlock.enable = true;
  remoteLuksUnlock.enableTorUnlock = false;
  boot.initrd.availableKernelModules = [ "xhci_pci" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  luks.devices = [ "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194" ];
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/F185-C4E5";
      fsType = "vfat";
    };
  swapDevices =
    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
  networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
@@ -0,0 +1,20 @@
 {
  hostNames = [
    "phil"
    "phil.neet.dev"
  ];
  arch = "aarch64-linux";
  systemRoles = [
    "server"
    "gitea-runner"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
    clearnetHost = "unlock.phil.neet.dev";
  };
 }
--- a/machines/ponyo/default.nix
+++ b/machines/ponyo/default.nix
@@ -0,0 +1,142 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  system.autoUpgrade.enable = true;
  # I want to manually trigger kexec updates for now on ponyo
  system.autoUpgrade.allowKexec = false;
  luks.enableKexec = true;
  # p2p mesh network
  services.tailscale.exitNode = true;
  # email server
  mailserver.enable = true;
  # nextcloud
  services.nextcloud.enable = true;
  # git
  services.gitea = {
    enable = true;
    hostname = "git.neet.dev";
  };
  # IRC
  services.thelounge = {
    enable = true;
    port = 9000;
    fileUploadBaseUrl = "https://files.neet.cloud/irc/";
    host = "irc.neet.dev";
    fileHost = {
      host = "files.neet.cloud";
      path = "/irc";
    };
  };
  # mumble
  services.murmur = {
    enable = true;
    port = 23563;
    domain = "voice.neet.space";
  };
  # IRC bot
  services.drastikbot = {
    enable = true;
    wolframAppIdFile = "/run/agenix/wolframalpha";
  };
  age.secrets.wolframalpha = {
    file = ../../secrets/wolframalpha.age;
    owner = config.services.drastikbot.user;
  };
  backup.group."dailybot".paths = [
    config.services.drastikbot.dataDir
  ];
  # music radio
  vpn-container.enable = true;
  vpn-container.config = {
    services.radio = {
      enable = true;
      host = "radio.runyan.org";
    };
  };
  pia.wireguard.badPortForwardPorts = [ ];
  services.nginx.virtualHosts."radio.runyan.org" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/stream.mp3" = {
        proxyPass = "http://vpn.containers:8001/stream.mp3";
        extraConfig = ''
          add_header Access-Control-Allow-Origin *;
        '';
      };
      "/".root = config.inputs.radio-web;
    };
  };
  # matrix home server
  services.matrix = {
    enable = true;
    host = "neet.space";
    enable_registration = false;
    element-web = {
      enable = true;
      host = "chat.neet.space";
    };
    jitsi-meet = {
      enable = true;
      host = "meet.neet.space";
    };
    turn = {
      host = "turn.neet.space";
      secret = "a8369a0e96922abf72494bb888c85831b";
    };
  };
  # pin postgresql for matrix (will need to migrate eventually)
  services.postgresql.package = pkgs.postgresql_11;
  # iodine DNS-based vpn
  services.iodine.server.enable = true;
  # proxied web services
  services.nginx.enable = true;
  services.nginx.virtualHosts."jellyfin.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://s0.koi-bebop.ts.net";
      proxyWebsockets = true;
    };
  };
  services.nginx.virtualHosts."navidrome.neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://s0.koi-bebop.ts.net:4533";
  };
  # TODO replace with a proper file hosting service
  services.nginx.virtualHosts."tmp.neet.dev" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/tmp";
  };
  # redirect runyan.org to github
  services.nginx.virtualHosts."runyan.org" = {
    enableACME = true;
    forceSSL = true;
    extraConfig = ''
      rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
    '';
  };
  # owncast live streaming
  services.owncast.enable = true;
  services.owncast.hostname = "live.neet.dev";
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Zuckerberg	b7549e63f5	prototype	2023-04-26 14:46:55 -06:00
Zuckerberg	306ce8bc3f	Move s0 to systemd-boot	2023-04-25 23:41:08 -06:00
Zuckerberg	b5dd983ba3	Automatically set machine hostname	2023-04-24 20:52:17 -06:00
Zuckerberg	832894edfc	Gitea runner	2023-04-23 10:29:18 -06:00
Zuckerberg	feb6270952	Update options for newer nixpkgs	2023-04-23 10:28:55 -06:00
Zuckerberg	b4dd2d4a92	update TODOs	2023-04-23 10:16:54 -06:00
Zuckerberg	38c2e5aece	Fix properties.nix path loading	2023-04-21 23:24:05 -06:00
Zuckerberg	0ef689b750	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31) → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21) • Updated input 'deploy-rs': 'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19) → 'github:serokell/deploy-rs/c2ea4e642dc50fd44b537e9860ec95867af30d39' (2023-04-21) • Updated input 'flake-utils': 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) → 'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11) • Added input 'flake-utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/4306fa7c12e098360439faac1a2e6b8e509ec97c' (2023-02-26) → 'github:Mic92/nix-index-database/68ec961c51f48768f72d2bbdb396ce65a316677e' (2023-04-15) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/78c4d33c16092e535bc4ba1284ba49e3e138483a' (2023-03-03) → 'github:NixOS/nixpkgs/8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8' (2023-04-22)	2023-04-21 21:22:00 -06:00
Zuckerberg	e72e19b7e8	Fix auto upgrade	2023-04-21 18:58:54 -06:00
Zuckerberg	03603119e5	Fix invalid import issue.	2023-04-21 18:57:06 -06:00
Zuckerberg	71baa09bd2	Refactor imports and secrets. Add per system properties and role based secret access. Highlights - No need to update flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets automatically are grouped and show up in agenix secrets.nix - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now competely isolated into each machine's directory. - Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.	2023-04-21 12:58:11 -06:00
Zuckerberg	a02775a234	Update install steps	2023-04-19 21:17:45 -06:00
Zuckerberg	5800359214	Update install steps	2023-04-19 21:17:03 -06:00
Zuckerberg	0bd42f1850	Update install steps	2023-04-19 21:15:58 -06:00
Zuckerberg	40f0e5d2ac	Add Phil	2023-04-19 18:12:42 -06:00
Zuckerberg	f90b9f85fd	try out appvm	2023-04-18 23:15:21 -06:00
Zuckerberg	5b084fffcc	moonlander	2023-04-18 23:15:03 -06:00
Zuckerberg	4dd6401f8c	update TODOs	2023-04-18 23:14:49 -06:00
Zuckerberg	260bbc1ffd	Use doas instead of sudo	2023-04-10 22:03:57 -06:00
Zuckerberg	c8132a67d0	Use lf as terminal file explorer	2023-04-10 22:03:29 -06:00
Zuckerberg	3412d5caf9	Use hashed passwordfile just to be safe	2023-04-09 23:00:10 -06:00
Zuckerberg	1065cc4b59	Enable gitea email notifications	2023-04-09 22:05:23 -06:00
Zuckerberg	154b37879b	Cross off finished TODOs	2023-04-09 22:04:51 -06:00
Zuckerberg	a34238b3a9	Easily run restic commands on a backup group	2023-04-09 13:06:15 -06:00
Zuckerberg	42e2ebd294	Allow marking folders as omitted from backup	2023-04-09 12:35:20 -06:00
Zuckerberg	378cf47683	restic backups	2023-04-08 21:25:55 -06:00
Zuckerberg	f68a4f4431	nixpkgs-fmt everything	2023-04-04 23:30:28 -06:00
Zuckerberg	3c683e7b9e	NixOS router is now in active use :)	2023-04-04 20:53:38 -06:00
Zuckerberg	68bd70b525	Basic router working using the wip hostapd module from upstream	2023-04-04 12:57:16 -06:00
Zuckerberg	2189ab9a1b	Improve cifs mounts. Newer protocol version, helpful commands, better network connection resiliency.	2023-03-31 11:43:12 -06:00
Zuckerberg	acbbb8a37a	encrypted samba vault with gocryptfs	2023-03-25 15:49:07 -06:00
Zuckerberg	d1e6d21d66	iperf server	2023-03-25 15:48:39 -06:00
Zuckerberg	1a98e039fe	Cleanup fio tests	2023-03-25 15:48:24 -06:00
Zuckerberg	3459ce5058	Add joplin	2023-03-18 22:04:31 -06:00
Zuckerberg	c48b1995f8	Remove zerotier	2023-03-18 20:41:09 -06:00
Zuckerberg	53c0e7ba1f	Add Webmail	2023-03-14 23:28:07 -06:00
Zuckerberg	820cd392f1	Choose random PIA server in a specified region instead of hardcoded. And more TODOs addressed.	2023-03-12 22:55:46 -06:00
Zuckerberg	759fe04185	with lib;	2023-03-12 21:50:46 -06:00
Zuckerberg	db441fcf98	Add ability to refuse PIA ports	2023-03-12 21:46:36 -06:00
Zuckerberg	83e9280bb4	Use the NixOS firewall instead to block unwanted PIA VPN traffic	2023-03-12 20:49:39 -06:00
Zuckerberg	478235fe32	Enable firewall for PIA VPN wireguard interface	2023-03-12 20:29:20 -06:00
Zuckerberg	440401a391	Add ponyo to deploy-rs config	2023-03-12 19:50:55 -06:00
Zuckerberg	42c0dcae2d	Port forwarding for transmission	2023-03-12 19:50:29 -06:00
Zuckerberg	7159868b57	update todo's	2023-03-12 19:46:51 -06:00
Zuckerberg	ab2cc0cc0a	Cleanup services	2023-03-12 17:51:10 -06:00
Zuckerberg	aaa1800d0c	Cleanup mail domains	2023-03-12 13:29:12 -06:00
Zuckerberg	a795c65c32	Cleanup mail domains	2023-03-12 13:25:34 -06:00
Zuckerberg	5ed02e924d	Remove liza	2023-03-12 00:15:06 -07:00
Zuckerberg	1d620372b8	Remove leftovers of removed compute nodes	2023-03-12 00:14:49 -07:00
Zuckerberg	9684a975e2	Migrate nextcloud to ponyo	2023-03-12 00:10:14 -07:00
Zuckerberg	c3c3a9e77f	disable searx for now	2023-03-12 00:09:40 -07:00
Zuckerberg	ecb6d1ef63	Migrate mailserver to ponyo	2023-03-11 23:40:36 -07:00
Zuckerberg	a5f7bb8a22	Fix vpn systemd service restart issues	2023-03-09 13:07:20 -07:00
Zuckerberg	cea9b9452b	Initial prototype for Wireguard based PIA VPN - not quite 'ready' yet	2023-03-08 23:49:02 -07:00
Zuckerberg	8fb45a7ee5	Turn off howdy	2023-03-08 23:47:11 -07:00
Zuckerberg	b53f03bb7d	Fix typo	2023-03-08 23:45:49 -07:00
Zuckerberg	dee0243268	Peer to peer connection keepalive task	2023-03-07 22:55:37 -07:00
Zuckerberg	8b6bc354bd	Peer to peer connection keepalive task	2023-03-07 22:54:26 -07:00
Zuckerberg	aff5611cdb	Update renamed nixos options	2023-03-07 22:52:31 -07:00
Zuckerberg	c5e7d8b2fe	Allow easy patching of nixpkgs	2023-03-03 23:24:33 -07:00
Zuckerberg	90a3549237	use comma and pregenerated nix-index	2023-03-03 00:18:20 -07:00
Zuckerberg	63f2a82ad1	ignore lid close for NAS	2023-03-03 00:16:57 -07:00
Zuckerberg	0cc39bfbe0	deploy-rs initial PoC	2023-03-03 00:16:23 -07:00
Zuckerberg	ec54b27d67	fix router serial	2023-03-03 00:14:22 -07:00
Zuckerberg	bba4f27465	add picocom for serial	2023-03-03 00:12:35 -07:00
Zuckerberg	b5c77611d7	remove unused compute nodes	2023-03-03 00:12:16 -07:00
Zuckerberg	987919417d	allow root login over ssh using trusted key	2023-02-11 23:07:48 -07:00
Zuckerberg	d8dbb12959	grow disk for ponyo	2023-02-11 19:01:42 -07:00
Zuckerberg	3e0cde40b8	Cleanup remote LUKS unlock	2023-02-11 18:40:08 -07:00
Zuckerberg	2c8576a295	Hardware accelerated encoding for jellyfin	2023-02-11 16:10:19 -07:00
Zuckerberg	8aecc04d01	config cleanup	2023-02-11 16:10:10 -07:00
Zuckerberg	9bcf7cc50d	VPN using its own DNS resolver is unstable	2023-02-11 16:09:02 -07:00
Zuckerberg	cb2ac1c1ba	Use x86 machine for NAS	2023-02-11 16:08:48 -07:00
Zuckerberg	7f1e304012	Remove stale secrets	2023-02-11 15:19:35 -07:00
Zuckerberg	9e3dae4b16	Rekey secrets	2023-02-11 15:07:08 -07:00
Zuckerberg	c649b04bdd	Update ssh keys and allow easy ssh LUKS unlocking	2023-02-11 15:05:20 -07:00
Zuckerberg	6fce2e1116	Allow unlocking over tor	2023-02-11 13:38:54 -07:00
Zuckerberg	3e192b3321	Hardware config should be in hardware config	2023-02-11 13:35:46 -07:00
Zuckerberg	bc863de165	Hardware config should be in hardware config	2023-02-11 09:48:25 -07:00
Zuckerberg	cfa5c9428e	Remove reg	2023-02-11 09:46:05 -07:00
Zuckerberg	abddc5a680	Razer keyboard	2023-02-11 00:32:36 -07:00
Zuckerberg	577dc4faaa	Add initial configuration for APU2E4 router	2023-02-10 20:51:10 -07:00
Zuckerberg	a8b0385c6d	more ephemeral options	2023-02-08 22:27:54 -07:00
Zuckerberg	fc85627bd6	use unstable for ephemeral os config	2023-02-08 22:26:04 -07:00
Zuckerberg	f9cadba3eb	improve ephemeral os config	2023-02-08 22:25:09 -07:00
Zuckerberg	c192c2d52f	enable spotify	2023-02-08 18:48:08 -07:00
Zuckerberg	04c7a9ea51	Update tz	2023-02-08 18:47:58 -07:00
Zuckerberg	6f9edd8870	Add ISO build	2023-02-08 01:36:23 -05:00
Zuckerberg	076bdb3ab4	Use upstream nvidia reverse prime support	2023-02-08 01:35:25 -05:00
Zuckerberg	fcbd877d06	flake.lock: Update Flake lock file updates: • Updated input 'nix-locate': 'github:googlebot42/nix-index/a28bb3175d370c6cb9569e6d4b5570e9ca016a3e' (2022-05-17) → 'github:bennofs/nix-index/5f98881b1ed27ab6656e6d71b534f88430f6823a' (2023-01-17) • Updated input 'nix-locate/flake-compat': 'github:edolstra/flake-compat/b7547d3eed6f32d06102ead8991ec52ab0a4f1a7' (2022-01-03) → 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08) → 'github:NixOS/nixpkgs/32f914af34f126f54b45e482fb2da4ae78f3095f' (2023-02-08)	2023-02-08 00:59:29 -05:00
Zuckerberg	27f4b5af78	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15) → 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31) • Added input 'agenix/darwin': 'github:lnl7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09) • Added input 'agenix/darwin/nixpkgs': follows 'agenix/nixpkgs' • Updated input 'archivebox': 'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=master&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30) → 'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=refs%2fheads%2fmaster&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30) • Updated input 'dailybuild_modules': 'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=master&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05) → 'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=refs%2fheads%2fmaster&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05) • Updated input 'flake-utils': 'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07) → 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22) → 'github:NixOS/nixpkgs/0874168639713f547c05947c76124f78441ea46c' (2023-01-01) • Removed input 'nixpkgs-nvidia' • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21) → 'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08) • Updated input 'radio-web': 'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=master&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09) → 'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=refs%2fheads%2fmaster&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09)	2023-02-08 00:33:47 -05:00
Zuckerberg	7238d6e6c5	latest kernel not needed for wifi anymore	2023-02-06 22:45:34 -05:00
Zuckerberg	094905a727	virt-manager	2023-02-06 22:44:22 -05:00
Zuckerberg	cf3fa0ff12	depthai udev	2023-02-06 22:44:09 -05:00
Zuckerberg	7c7b356aab	Remove 'I don't care about cookies'. It is under new management	2023-02-06 22:43:43 -05:00
Zuckerberg	c57e4f022f	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/7e5e58b98c3dcbf497543ff6f22591552ebfe65b' (2022-05-16) → 'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15) • Updated input 'flake-utils': 'github:numtide/flake-utils/1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1' (2022-05-30) → 'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d17a56d90ecbd1b8fc908d49598fb854ef188461' (2022-06-17) → 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/42948b300670223ca8286aaf916bc381f66a5313' (2022-04-08) → 'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/a48082c79cff8f3b314ba4f95f4ae87ca7d4d068' (2022-06-14) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/f535d8123c4761b2ed8138f3d202ea710a334a1d' (2022-06-22)	2022-10-23 10:43:19 -04:00
zuckerberg	f5a9f04cf2	Rekey secrets	2022-08-25 23:16:22 -04:00
zuckerberg	50fd928cda	Change key	2022-08-25 23:16:09 -04:00
Zuckerberg	11072c374b	Owncast	2022-07-24 15:18:29 -04:00
Zuckerberg	60f1235848	Add shell aliases	2022-07-24 13:23:03 -04:00
Zuckerberg	55ea5aebc4	Add README and TODO files	2022-07-24 12:57:05 -04:00
Zuckerberg	2738f6b794	WIP wireguard vpn	2022-07-24 12:13:17 -04:00
Zuckerberg	ec2b248ed8	Don't use tailscale in containers	2022-06-23 22:37:14 -04:00
Zuckerberg	aa7bbc5932	Use Tailscale	2022-06-23 22:30:07 -04:00
Zuckerberg	eef574c9f7	Pin nixpkgs to a version that works for bcachefs	2022-06-20 11:51:45 -04:00
Zuckerberg	25fb7a1645	Jellyfin Client only on desktop	2022-06-20 00:04:54 -04:00
Zuckerberg	301fd8462b	Update to NixOS 22.05	2022-06-20 00:00:49 -04:00
Zuckerberg	a92800cbcc	Update to NixOS 22.05	2022-06-19 23:59:52 -04:00
Zuckerberg	5e361b2fc8	Update to NixOS 22.05	2022-06-19 23:44:01 -04:00
Zuckerberg	b41e4dc375	add jellyfin media player	2022-06-19 23:29:54 -04:00
Zuckerberg	7e615f814d	Rewrite VPN container	2022-05-28 18:54:41 -04:00
Zuckerberg	c560a63182	More vpn options	2022-05-27 16:43:25 -04:00
Zuckerberg	2f14d07f82	Proxy jellyfin correctly	2022-05-20 19:30:14 -04:00
Zuckerberg	a89fde8aa5	Don't export bazarr	2022-05-20 19:15:33 -04:00
Zuckerberg	1856fe00d6	Jellyfin open port	2022-05-20 18:58:13 -04:00
Zuckerberg	388599e08c	Use aarch64-linux friendly nix-locate	2022-05-20 16:42:38 -04:00
Zuckerberg	75a33a0b5e	Add .gitignore	2022-05-20 16:37:33 -04:00
Zuckerberg	918b53e383	Move jellyfin to container	2022-05-20 16:37:05 -04:00
Zuckerberg	c643244dab	set sendmail send domain	2022-05-16 17:46:11 -04:00
Zuckerberg	9fc6f816fb	Use nix-locate for command-not-found	2022-05-16 15:01:15 -04:00
Zuckerberg	63902fcb46	Require auth for public samba share	2022-05-16 13:22:00 -04:00
Zuckerberg	8a1e0b76f1	Remove sauerbraten	2022-05-16 13:07:32 -04:00
Zuckerberg	f144bda9e6	Minimal kexec image builder	2022-05-16 13:04:31 -04:00
Zuckerberg	b8c9278f37	Use runyan.org	2022-05-09 14:46:18 -04:00
Zuckerberg	9f45df7903	Update dailybot	2022-05-04 22:55:53 -04:00
Zuckerberg	a894a5429e	Eanble sender dependent authentication	2022-05-03 19:21:10 -04:00
Zuckerberg	dfec18e904	Send mail through mailgun	2022-05-03 18:33:48 -04:00
Zuckerberg	91e38f5866	Remove pi.agency	2022-05-03 14:54:09 -04:00
Zuckerberg	fed1aecd64	Update dailybot	2022-05-03 14:53:58 -04:00
Zuckerberg	ec3056f8c1	Don't store awful files	2022-05-03 14:53:42 -04:00
Zuckerberg	339eed1f55	Move services to ponyo	2022-05-02 18:01:03 -04:00
Zuckerberg	5ac5b4551b	Rekey secrets	2022-05-02 11:56:25 -04:00
Zuckerberg	d378a287fa	Add ponyo system	2022-05-02 11:56:14 -04:00
Zuckerberg	d71af55727	Better samba mount options	2022-05-02 02:54:41 -04:00
Zuckerberg	de05a535ea	Prune services	2022-05-02 02:54:22 -04:00
Zuckerberg	910af494b5	Retire neetdev	2022-05-02 02:50:54 -04:00
Zuckerberg	3d1c078a44	Revert radio to previous version	2022-04-30 22:15:27 -04:00
Zuckerberg	c85beff7ed	SSDs for NAS	2022-04-26 00:57:11 -04:00
Zuckerberg	7ab4906710	Use '*.containers' instead of ips	2022-04-25 00:46:40 -04:00
Zuckerberg	af3af7b2ae	Add samba share user	2022-04-25 00:30:57 -04:00
Zuckerberg	f627abc649	More hosts	2022-04-25 00:20:14 -04:00
Zuckerberg	e37878c544	Automount samba shares	2022-04-24 21:56:28 -04:00
Zuckerberg	73bbd39c64	Create samba users	2022-04-24 21:55:24 -04:00
Zuckerberg	acbf162ffe	Use latest pykms	2022-04-24 21:54:04 -04:00
Zuckerberg	516121b26c	Revert broken samba config for now...	2022-04-24 21:53:41 -04:00
Zuckerberg	8742352ea9	Disable scroll jacking extension works poorly	2022-04-24 21:26:29 -04:00
Zuckerberg	61391cc180	Improve samba speed	2022-04-23 04:32:33 -04:00
Zuckerberg	60771ea56e	Access transmission files over samba	2022-04-23 04:32:19 -04:00
Zuckerberg	2f19903a45	Remove pi.agency	2022-04-21 15:17:59 -04:00
Zuckerberg	8102981a01	Update dailybot	2022-04-21 15:17:32 -04:00
Zuckerberg	d975477c05	Update dailybot	2022-04-21 14:50:11 -04:00
Zuckerberg	af9333feff	Ponyo as media proxy	2022-04-21 02:24:45 -04:00
Zuckerberg	5945310dd4	Ponyo keys	2022-04-21 01:27:47 -04:00
Zuckerberg	d5d986dd88	Rekey secrets	2022-04-21 01:26:53 -04:00
Zuckerberg	ffad65d902	OVH is annoying...	2022-04-21 01:15:51 -04:00
Zuckerberg	2cd7f12a75	Install as efi removable	2022-04-20 22:51:14 -04:00
Zuckerberg	fe48d7b009	New ponyo	2022-04-20 16:06:24 -04:00
Zuckerberg	448c3b280a	New ponyo	2022-04-20 16:00:29 -04:00
Zuckerberg	ef2ad011cc	Add ponyo	2022-04-20 00:04:25 -04:00
Zuckerberg	8267954e3d	Improve file-roller	2022-04-19 16:33:12 -04:00
Zuckerberg	609f1d416a	Stop scroll jacking	2022-04-19 16:32:03 -04:00
Zuckerberg	b4dce62d36	Fix permissions	2022-04-19 16:31:26 -04:00
Zuckerberg	e15b612b3c	Shared group/user for consistent permissions+access	2022-04-17 23:43:42 -04:00
Zuckerberg	6233ce6c0d	navidrome over cloudflared	2022-04-17 20:36:04 -04:00
Zuckerberg	1a4bdc4a8a	Enable zerotier	2022-04-17 19:06:56 -04:00
Zuckerberg	73da58f6bf	Bigger HDD	2022-04-13 21:15:35 -04:00
Zuckerberg	10f054a9d9	Bigger HDD	2022-04-12 17:25:08 -04:00
Zuckerberg	3f389e233f	lm_sensors on everything	2022-04-12 17:24:56 -04:00
Zuckerberg	bece0911b3	don't bump `system.stateVersion` so carelessly...	2022-04-11 01:58:22 -04:00
Zuckerberg	5cf1dff4e0	ssh hosts	2022-04-09 22:41:21 -04:00
Zuckerberg	8d9c80d5b7	Use nixos unstable for NAS	2022-04-09 19:24:00 -04:00
Zuckerberg	0b99df46b7	Use nixos unstable for NAS	2022-04-09 19:22:38 -04:00
Zuckerberg	fdedd6fe4d	Basic NAS services	2022-04-09 19:20:15 -04:00
Zuckerberg	e8ebcfc2be	VPN failsafe working	2022-04-09 19:04:11 -04:00
Zuckerberg	11600ef4d7	vpnleak protection doesn't work correctly	2022-04-09 02:49:52 -04:00
Zuckerberg	285c4d3d58	Prevent VPN leaks	2022-04-09 01:02:20 -04:00
Zuckerberg	b2bd980947	rekey script	2022-04-09 01:01:45 -04:00
Zuckerberg	3158f8c3af	Easy nixos vpn containers	2022-04-09 01:01:14 -04:00
Zuckerberg	809dd0b5eb	s0 new key	2022-04-09 01:00:52 -04:00
Zuckerberg	b347656b6a	Rekey secrets	2022-04-07 13:11:16 -04:00
Zuckerberg	1bb464f966	NAS Samba+Plex	2022-04-07 12:27:49 -04:00
Zuckerberg	ba570ec51a	Swap for NAS	2022-04-07 12:26:56 -04:00
Zuckerberg	c5efc2db4d	Cleanup	2022-04-07 12:23:21 -04:00
Zuckerberg	74c7f696d8	Remove annoying greeting	2022-04-06 20:13:12 -04:00
Zuckerberg	dfc66651ab	Update inputs, clean up inputs	2022-04-06 19:53:27 -04:00
Zuckerberg	f386bc8871	bcachefs rootfs on helios64	2022-04-06 19:45:36 -04:00
Zuckerberg	c8bf265f83	Small changes	2022-04-06 19:43:40 -04:00
Zuckerberg	4d4b0b8240	Bump nixos baseline option	2022-04-06 19:34:30 -04:00
Zuckerberg	598c1d275b	Archivebox as a flake	2022-04-06 19:33:15 -04:00
Zuckerberg	ca6a2c1bef	drastikbot as a flake	2022-03-28 19:20:32 -04:00
Zuckerberg	43e31a8d2d	WolframAlpha For drastikbot	2022-03-27 19:23:07 -04:00
Zuckerberg	49eb594429	Improve NVIDIA	2022-03-27 19:21:03 -04:00
Zuckerberg	a30b584fd9	Printer working	2022-03-27 19:19:32 -04:00
Zuckerberg	7445624273	New applications	2022-03-27 19:19:13 -04:00
Zuckerberg	7d01f0ab41	Chromium on AMD	2022-03-27 19:16:52 -04:00
Zuckerberg	49f1821bf2	tampermonkey in chromium	2022-03-27 19:16:08 -04:00
Zuckerberg	8984524ff1	Make using serial easier...	2022-03-27 19:15:36 -04:00
Zuckerberg	4d80638ab8	Enable bcachefs	2022-03-16 01:44:00 -04:00
Zuckerberg	0e9d3f53e7	typo	2022-03-16 01:38:17 -04:00
Zuckerberg	6673463214	Helios64 use upstream kernel + bcachefs	2022-03-16 01:31:24 -04:00