4 changed files with 7 additions and 215 deletions
--- a/README.md
+++ b/README.md
@ -1,12 +0,0 @@
 # My NixOS configurations
 ### Source Layout
 - `/common` - common configuration imported into all `/machines`
    - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
    - `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
    - `/ssh.nix` - all ssh public host and user keys for all `/machines`
 - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
 - `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
--- a/TODO.md
+++ b/TODO.md
@ -1,92 +0,0 @@
 # A place for brain dump ideas maybe to be taken off of the shelve one day
 ### NixOS webtools
 - Better options search https://mynixos.com/options/services 
 ### Interesting ideas for restructuring nixos config
 - https://github.com/gytis-ivaskevicius/flake-utils-plus
 - https://github.com/divnix/digga/tree/main/examples/devos
 - https://digga.divnix.com/
 - https://nixos.wiki/wiki/Comparison_of_NixOS_setups
 ### Housekeeping
 - Format everything here using nixfmt
 - Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
 - CI https://gvolpe.com/blog/nixos-binary-cache-ci/
 ### NAS
 - helios64 extra led lights
 - safely turn off NAS on power disconnect
 - hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
 - tor unlock
 ### bcachefs
 - bcachefs health alerts via email
 - bcachefs periodic snapshotting
 - use mount.bcachefs command for mounting
 - bcachefs native encryption
    - just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
 ### Shell Comands
 - myip = dig +short myip.opendns.com @resolver1.opendns.com
 #### https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
 - seq read = `fio --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting`
 - seq write = `fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting`
 - random read = `fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting`
 - random write = `fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting`
 - tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
 ### Services
 - setup archivebox
 - radio https://tildegit.org/tilderadio/site
 - music
    - mopidy
        - use the jellyfin plugin?
    - navidrome
        - spotify secrets for navidrome
    - picard for music tagging
    - alternative music software
        - https://www.smarthomebeginner.com/best-music-server-software-options/
        - https://funkwhale.audio/
        - https://github.com/epoupon/lms
        - https://github.com/benkaiser/stretto
        - https://github.com/blackcandy-org/black_candy
        - https://github.com/koel/koel
        - https://airsonic.github.io/
        - https://ampache.org/
 - replace nextcloud with seafile
 ### VPN container
 - use wireguard for vpn
    - https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
    - https://github.com/pia-foss/manual-connections
    - port forwarding for vpn
        - transmission using forwarded port
    - https://www.wireguard.com/netns/
    - one way firewall for vpn container
 ### Networking
 - tailscale for p2p connections
    - remove all use of zerotier
 ### Archive
 - https://www.backblaze.com/b2/cloud-storage.html
 - email
    - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
    - http://kb.unixservertech.com/software/dovecot/archiveserver
 ### Paranoia
 - https://christine.website/blog/paranoid-nixos-2021-07-18
 - https://nixos.wiki/wiki/Impermanence
 ### Misc
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper
 ### Future Interests (upon merge into nixpkgs)
 - nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
 - glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356
--- a/machines/ray/ca.rsa.4096.crt
+++ b/machines/ray/ca.rsa.4096.crt
@ -1,43 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
 VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
 BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
 dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
 IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
 FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
 MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
 EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
 QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
 AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
 ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
 bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
 hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
 De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
 V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
 25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
 fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
 p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
 Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
 tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
 jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
 meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
 1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
 HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
 yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
 EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
 cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
 HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
 ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
 aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
 hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
 pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
 Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
 tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
 LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
 6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
 5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
 JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
 iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
 8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
 +no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
 -----END CERTIFICATE-----
--- a/machines/ray/configuration.nix
+++ b/machines/ray/configuration.nix
@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }:
 {
-   disabledModules = [
+  disabledModules = [
    "hardware/video/nvidia.nix"
-   ];
+  ];
  imports = [
    ./hardware-configuration.nix
    ./nvidia.nix
@ -32,81 +32,20 @@
  hardware.nvidia = {
    modesetting.enable = true; # for nvidia-vaapi-driver
    prime = {
-      sync.enable = true;
+      #reverse_sync.enable = true;
      offload.enable = true;
      offload.enableOffloadCmd = true;
      #sync.enable = true;
      nvidiaBusId = "PCI:1:0:0";
      amdgpuBusId = "PCI:4:0:0";
    };
    powerManagement = {
 #      enable = true;
 #      finegrained = true;
-#      coarsegrained = true;
+      coarsegrained = true;
    };
  };
  # vpn-container.enable = true;
  # containers.vpn.interfaces = [ "piaw" ];
  # allow traffic for wireguard interface to pass
  # networking.firewall = {
  #   # wireguard trips rpfilter up
  #   extraCommands = ''
  #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
  #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
  #   '';
  #   extraStopCommands = ''
  #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
  #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
  #   '';
  # };
  # systemd.services.pia-vpn-wireguard = {
  #   enable = true;
  #   description = "PIA VPN WireGuard Tunnel";
  #   requires = [ "network-online.target" ];
  #   after = [ "network.target" "network-online.target" ];
  #   wantedBy = [ "multi-user.target" ];
  #   environment.DEVICE = "piaw";
  #   path = with pkgs; [ kmod wireguard-tools jq curl ];
  #   serviceConfig = {
  #     Type = "oneshot";
  #     RemainAfterExit = true;
  #   };
  #   script = ''
  #     WG_HOSTNAME=zurich406
  #     WG_SERVER_IP=156.146.62.153
  #     PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
  #     PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
  #     PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
  #     privKey=$(wg genkey)
  #     pubKey=$(echo "$privKey" | wg pubkey)
  #     wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
  #     echo "               
  #     [Interface]
  #     Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
  #     PrivateKey = $privKey
  #     ListenPort = 51820
  #     [Peer]
  #     PersistentKeepalive = 25
  #     PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
  #     AllowedIPs = 0.0.0.0/0
  #     Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
  #     " > /tmp/piaw.conf
  #     # TODO make /tmp/piaw.conf ro to root
  #     ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
  #     wg-quick up /tmp/piaw.conf
  #   '';
  #   preStop = ''
  #     wg-quick down /tmp/piaw.conf
  #   '';
  # };
  # age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
  virtualisation.docker.enable = true;