Unfinished attempt at packaging pia client

Flake lock file updates:

• Updated input 'nix-locate':
    'github:googlebot42/nix-index/a28bb3175d370c6cb9569e6d4b5570e9ca016a3e' (2022-05-17)
  → 'github:bennofs/nix-index/5f98881b1ed27ab6656e6d71b534f88430f6823a' (2023-01-17)
• Updated input 'nix-locate/flake-compat':
    'github:edolstra/flake-compat/b7547d3eed6f32d06102ead8991ec52ab0a4f1a7' (2022-01-03)
  → 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08)
  → 'github:NixOS/nixpkgs/32f914af34f126f54b45e482fb2da4ae78f3095f' (2023-02-08)

common/pc/chromium.nix

@@ -60,7 +60,6 @@ in {
         "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
         "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
         "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
-        "fihnjjcciajhdojfnbdddfaoknhalnja" # I don't care about cookies
         "mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
         "dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
         # "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking

common/pc/pia/default.nix

@@ -0,0 +1,76 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.pia;
+in {
+  imports = [
+    ./pia.nix
+  ];
+
+  options.services.pia = {
+    enable = lib.mkEnableOption "Enable PIA Client";
+
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/pia";
+      description = ''
+        Path to the pia data directory
+      '';
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "root";
+      description = ''
+        The user pia should run as
+      '';
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "piagrp";
+      description = ''
+        The group pia should run as
+      '';
+    };
+
+    users = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = ''
+        Usernames to be added to the "spotifyd" group, so that they
+        can start and interact with the userspace daemon.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    # users.users.${cfg.user} =
+    # if cfg.user == "pia" then {
+    #   isSystemUser = true;
+    #   group = cfg.group;
+    #   home = cfg.dataDir;
+    #   createHome = true;
+    # }
+    # else {};
+    users.groups.${cfg.group}.members = cfg.users;
+
+    systemd.services.pia-daemon = {
+      enable = true;
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
+      serviceConfig.PrivateTmp="yes";
+      serviceConfig.User = cfg.user;
+      serviceConfig.Group = cfg.group;
+      preStart = ''
+        mkdir -p ${cfg.dataDir}
+        chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
+      '';
+    };
+
+  };
+}

common/pc/pia/fix-pia.patch

@@ -0,0 +1,147 @@
+diff --git a/Rakefile b/Rakefile
+index fa6d771..bcd6fb1 100644
+--- a/Rakefile
++++ b/Rakefile
+@@ -151,41 +151,6 @@ end
+ # Install LICENSE.txt
+ stage.install('LICENSE.txt', :res)
+ 
+-# Download server lists to ship preloaded copies with the app.  These tasks
+-# depend on version.txt so they're refreshed periodically (whenver a new commit
+-# is made), but not for every build.
+-#
+-# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
+-# this is primarily intended for reproducing a build.
+-#
+-# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
+-serverDataProbe = Probe.new('serverdata')
+-serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
+-# JSON resource build directory
+-jsonFetched = Build.new('json-fetched')
+-# These are the assets we need to fetch and the URIs we get them from
+-{
+-    'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
+-    'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
+-    'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
+-}.each do |k, v|
+-    fetchedFile = jsonFetched.artifact(k.to_s)
+-    serverDataDir = ENV['SERVER_DATA_DIR']
+-    file fetchedFile => [version.artifact('version.txt'),
+-                         serverDataProbe.artifact('serverdata.txt'),
+-                         jsonFetched.componentDir] do |t|
+-        if(serverDataDir)
+-            # Use the copy provided instead of fetching (for reproducing a build)
+-            File.copy(File.join(serverDataDir, k), fetchedFile)
+-        else
+-            # Fetch from the web API (write with "binary" mode so LF is not
+-            # converted to CRLF on Windows)
+-            File.binwrite(t.name, Net::HTTP.get(URI(v)))
+-        end
+-    end
+-    stage.install(fetchedFile, :res)
+-end
+-
+ # Install version/brand/arch info in case an upgrade needs to know what is
+ # currently installed
+ stage.install(version.artifact('version.txt'), :res)
+diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
+index f820a6d..e1b6c33 100644
+--- a/common/src/posix/unixsignalhandler.cpp
++++ b/common/src/posix/unixsignalhandler.cpp
+@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
+     // we checked it, we can't even log because the logger is not reentrant.
+     auto pThis = instance();
+     if(pThis)
+-        ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
++        auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
+ }
+ template<int Signal>
+ void UnixSignalHandler::setAbortAction()
+diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
+index fd3aced..2367a5e 100644
+--- a/daemon/src/linux/linux_nl.cpp
++++ b/daemon/src/linux/linux_nl.cpp
+@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
+     unsigned char term = 0;
+     PosixFd killSocket = _workerKillSocket.get();
+     if(killSocket)
+-        ::write(killSocket.get(), &term, sizeof(term));
++        auto _ = ::write(killSocket.get(), &term, sizeof(term));
+     _workerThread.join();
+ }
+diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
+index 3f63ac2..420d54d 100644
+--- a/extras/support-tool/launcher/linux-launcher.cpp
++++ b/extras/support-tool/launcher/linux-launcher.cpp
+@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
+     if(forkResult == 0)
+     {
+         // Apply gid as both real and effective
+-        setregid(gid, gid);
++        auto _ = setregid(gid, gid);
+ 
+         int execErr = execv(filename, argv);
+         std::cerr << "exec err: " << execErr << " / " << errno << " - "
+diff --git a/rake/model/qt.rb b/rake/model/qt.rb
+index c8cd362..a6abe59 100644
+--- a/rake/model/qt.rb
++++ b/rake/model/qt.rb
+@@ -171,12 +171,7 @@ class Qt
+     end
+ 
+     def getQtRoot(qtVersion, arch)
+-        qtToolchainPtns = getQtToolchainPatterns(arch)
+-        qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
+-        # Explicitly filter for existing paths - if the pattern has wildcards
+-        # we only get existing directories, but if the patterns are just
+-        # alternates with no wildcards, we can get directories that don't exist
+-        qtRoots.find_all { |r| File.exist?(r) }.max
++        ENV['QTROOT']
+     end
+ 
+     def getQtVersionScore(minor, patch)
+@@ -192,12 +187,7 @@ class Qt
+     end
+ 
+     def getQtPathVersion(path)
+-        verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
+-        if(verMatch == nil)
+-            nil
+-        else
+-            [verMatch[1].to_i, verMatch[2].to_i]
+-        end
++        [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
+     end
+ 
+     # Build a component definition with the defaults.  The "Core" component will
+diff --git a/rake/product/linux.rb b/rake/product/linux.rb
+index f43fb3e..83505af 100644
+--- a/rake/product/linux.rb
++++ b/rake/product/linux.rb
+@@ -18,8 +18,7 @@ module PiaLinux
+     QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
+ 
+     # Version of libicu (needed to determine lib*.so.## file names in deployment)
+-    ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
+-        .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
++    ICU_VERSION = ENV['ICU_MAJOR'].to_i;
+ 
+     # Copy a directory recursively, excluding *.debug files (debugging symbols)
+     def self.copyWithoutDebug(sourceDir, destDir)
+@@ -220,16 +219,5 @@ module PiaLinux
+     # Since these are just development workflow tools, they can be skipped if
+     # specific dependencies are not available.
+     def self.defineTools(toolsStage)
+-        # Test if we have libthai-dev, for the Thai word breaking utility
+-        if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
+-            Executable.new('thaibreak')
+-                .source('tools/thaibreak')
+-                .lib('thai')
+-                .install(toolsStage, :bin)
+-            toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
+-            toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
+-        else
+-            puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
+-        end
+     end
+ end

common/pc/pia/pia.nix

@@ -0,0 +1,139 @@
+{ pkgs, lib, config, ... }:
+
+{
+  nixpkgs.overlays = [
+    (self: super:
+
+    with self;
+
+    let
+      # arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
+      arch = "x86_64";
+
+      pia-desktop = clangStdenv.mkDerivation rec {
+        pname = "pia-desktop";
+        version = "3.3.0";
+
+        src = fetchgit {
+          url = "https://github.com/pia-foss/desktop";
+          rev = version;
+          fetchLFS = true;
+          sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
+        };
+
+        patches = [
+          ./fix-pia.patch
+        ];
+
+        nativeBuildInputs = [
+          cmake
+          rake
+        ];
+
+        prePatch = ''
+          sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
+        '';
+
+        installPhase = ''
+          mkdir -p $out/bin $out/lib $out/share
+          cp -r ../out/pia_release_${arch}/stage/bin $out
+          cp -r ../out/pia_release_${arch}/stage/lib $out
+          cp -r ../out/pia_release_${arch}/stage/share $out
+        '';
+
+        cmakeFlags = [
+          "-DCMAKE_BUILD_TYPE=Release"
+        ];
+
+        QTROOT = "${qt5.full}";
+        QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
+        QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
+        ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
+
+        buildInputs = [
+          mesa
+          libsForQt5.qt5.qtquickcontrols
+          libsForQt5.qt5.qtquickcontrols2
+          icu
+          libnl
+        ];
+        
+        dontWrapQtApps = true;
+      };
+    in rec {
+      openvpn-updown = buildFHSUserEnv {
+        name = "openvpn-updown";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "openvpn-updown.sh";
+      };
+
+      pia-client = buildFHSUserEnv {
+        name = "pia-client";
+        targetPkgs = pkgs: (with pkgs; [
+          pia-desktop
+          xorg.libXau
+          xorg.libXdmcp
+        ]);
+        runScript = "pia-client";
+      };
+
+      piactl = buildFHSUserEnv {
+        name = "piactl";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "piactl";
+      };
+
+      pia-daemon = buildFHSUserEnv {
+        name = "pia-daemon";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-daemon";
+      };
+
+      pia-hnsd = buildFHSUserEnv {
+        name = "pia-hnsd";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-hnsd";
+      };
+
+      pia-openvpn = buildFHSUserEnv {
+        name = "pia-openvpn";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-openvpn";
+      };
+
+      pia-ss-local = buildFHSUserEnv {
+        name = "pia-ss-local";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-ss-local";
+      };
+
+      pia-support-tool = buildFHSUserEnv {
+        name = "pia-support-tool";
+        targetPkgs = pkgs: (with pkgs; [
+          pia-desktop
+          xorg.libXau
+          xorg.libXdmcp
+        ]);
+        runScript = "pia-support-tool";
+      };
+
+      pia-unbound = buildFHSUserEnv {
+        name = "pia-unbound";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-unbound";
+      };
+
+      pia-wireguard-go = buildFHSUserEnv {
+        name = "pia-wireguard-go";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-wireguard-go";
+      };
+
+      support-tool-launcher = buildFHSUserEnv {
+        name = "support-tool-launcher";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "support-tool-launcher";
+      };
+    })
+  ];
+}

common/server/cloudflared.nix

@@ -1,58 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.cloudflared;
-  settingsFormat = pkgs.formats.yaml { };
-in
-{
-  meta.maintainers = with maintainers; [ pmc ];
-
-  options = {
-    services.cloudflared = {
-      enable = mkEnableOption "cloudflared";
-      package = mkOption {
-        type = types.package;
-        default = pkgs.cloudflared;
-        description = "The cloudflared package to use";
-        example = literalExpression ''pkgs.cloudflared'';
-      };
-      config = mkOption {
-        type = settingsFormat.type;
-        description = "Contents of the config.yaml as an attrset; see https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file for documentation on the contents";
-        example = literalExpression ''
-          {
-            url = "http://localhost:3000";
-            tunnel = "505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf";
-            credentials-file = "/var/lib/cloudflared/505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf.json";
-          }
-        '';
-      };
-
-      configFile = mkOption {
-        type = types.path;
-        description = "Path to cloudflared config.yaml.";
-        example = literalExpression ''"/etc/cloudflared/config.yaml"'';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable ({
-    # Prefer the config file over settings if both are set.
-    services.cloudflared.configFile = mkDefault (settingsFormat.generate "cloudflared.yaml" cfg.config);
-
-    systemd.services.cloudflared = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      description = "Cloudflare Argo Tunnel";
-      serviceConfig = {
-        TimeoutStartSec = 0;
-        Type = "notify";
-        ExecStart = "${cfg.package}/bin/cloudflared --config ${cfg.configFile} --no-autoupdate tunnel run";
-        Restart = "on-failure";
-        RestartSec = "5s";
-      };
-    };
-  });
-}

common/server/default.nix

@@ -13,7 +13,6 @@
     ./privatebin/privatebin.nix
     ./radio.nix
     ./samba.nix
-    ./cloudflared.nix
     ./owncast.nix
   ];
 }

common/shell.nix

@@ -6,7 +6,7 @@
 # - add some handy shell commands
 
 let
-  nix-locate = config.inputs.nix-locate.defaultPackage.${config.currentSystem};
+  nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default;
 in {
   programs.command-not-found.enable = false;
 

flake.lock

@@ -2,16 +2,17 @@
   "nodes": {
     "agenix": {
       "inputs": {
+        "darwin": "darwin",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1652712410,
-        "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
+        "lastModified": 1675176355,
+        "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+        "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
         "type": "github"
       },
       "original": {
@@ -32,7 +33,7 @@
       "locked": {
         "lastModified": 1648612759,
         "narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
-        "ref": "master",
+        "ref": "refs/heads/master",
         "rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
         "revCount": 2,
         "type": "git",
@@ -71,7 +72,7 @@
       "locked": {
         "lastModified": 1651719222,
         "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
-        "ref": "master",
+        "ref": "refs/heads/master",
         "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
         "revCount": 19,
         "type": "git",
@@ -82,14 +83,36 @@
         "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1641205782,
-        "narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=",
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
         "type": "github"
       },
       "original": {
@@ -100,11 +123,11 @@
     },
     "flake-utils": {
       "locked": {
-        "lastModified": 1653893745,
-        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
         "type": "github"
       },
       "original": {
@@ -121,26 +144,26 @@
         ]
       },
       "locked": {
-        "lastModified": 1652819416,
-        "narHash": "sha256-OzYSb66kQUVP1FM0E7Z0ij13mm14DkJi79FAMprAavo=",
-        "owner": "googlebot42",
+        "lastModified": 1673969751,
+        "narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=",
+        "owner": "bennofs",
         "repo": "nix-index",
-        "rev": "a28bb3175d370c6cb9569e6d4b5570e9ca016a3e",
+        "rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a",
         "type": "github"
       },
       "original": {
-        "owner": "googlebot42",
+        "owner": "bennofs",
         "repo": "nix-index",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1655456688,
-        "narHash": "sha256-j2trI5gv2fnHdfUQFBy957avCPxxzCqE8R+TOYHPSRE=",
+        "lastModified": 1672580127,
+        "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d17a56d90ecbd1b8fc908d49598fb854ef188461",
+        "rev": "0874168639713f547c05947c76124f78441ea46c",
         "type": "github"
       },
       "original": {
@@ -167,16 +190,16 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1649408932,
-        "narHash": "sha256-JhTW1OtS5fACcRXLqcTTQyYO5vLkO+bceCqeRms13SY=",
+        "lastModified": 1675835843,
+        "narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "42948b300670223ca8286aaf916bc381f66a5313",
+        "rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "master",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -211,7 +234,7 @@
       "locked": {
         "lastModified": 1652121792,
         "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
-        "ref": "master",
+        "ref": "refs/heads/master",
         "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
         "revCount": 5,
         "type": "git",
@@ -246,11 +269,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1655214255,
-        "narHash": "sha256-hgFF2X9mxFieekDh2VoVAtgwuM6XeAwzvb53yakmjTg=",
+        "lastModified": 1655930346,
+        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "a48082c79cff8f3b314ba4f95f4ae87ca7d4d068",
+        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
         "type": "gitlab"
       },
       "original": {

flake.nix

@@ -1,17 +1,16 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
 
     flake-utils.url = "github:numtide/flake-utils";
 
-    nix-locate.url = "github:googlebot42/nix-index";
+    nix-locate.url = "github:bennofs/nix-index";
     nix-locate.inputs.nixpkgs.follows = "nixpkgs";
 
     # mail server
     simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
     simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
-    simple-nixos-mailserver.inputs.nixpkgs-21_11.follows = "nixpkgs";
 
     # agenix
     agenix.url = "github:ryantm/agenix";
@@ -42,12 +41,12 @@
       modules = system: [
         ./common
         inputs.simple-nixos-mailserver.nixosModule
-        inputs.agenix.nixosModule
+        inputs.agenix.nixosModules.default
         inputs.dailybuild_modules.nixosModule
         inputs.archivebox.nixosModule
         ({ lib, ... }: {
           config.environment.systemPackages = [
-            inputs.agenix.defaultPackage.${system}
+            inputs.agenix.packages.${system}.agenix
           ];
 
           # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@@ -70,7 +69,7 @@
     in
     {
       "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
-      "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
+      "ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix;
       "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
       "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
       "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
@@ -88,11 +87,18 @@
       mkKexec = system:
         (nixpkgs.lib.nixosSystem {
           inherit system;
-          modules = [ ./machines/kexec.nix ];
+          modules = [ ./machines/ephemeral/kexec.nix ];
         }).config.system.build.kexec_tarball;
+      mkIso = system:
+        (nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [ ./machines/ephemeral/iso.nix ];
+        }).config.system.build.isoImage;
     in {
       "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
+      "x86_64-linux"."iso" = mkIso "x86_64-linux";
       "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
+      "aarch64-linux"."iso" = mkIso "aarch64-linux";
     };
   };
 }

machines/ephemeral/iso.nix

@@ -0,0 +1,12 @@
+{ modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    ./minimal.nix
+  ];
+
+  isoImage.makeUsbBootable = true;
+
+  networking.hostName = "iso";
+}

machines/ephemeral/kexec.nix

@@ -6,8 +6,11 @@
   imports = [
     (modulesPath + "/installer/netboot/netboot.nix")
     (modulesPath + "/profiles/qemu-guest.nix")
+    ./minimal.nix
   ];
 
+  networking.hostName = "kexec";
+
   # stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
   system.build = rec {
     image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
@@ -42,31 +45,4 @@
       contents = [ ];
     };
   };
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
-  boot.kernelParams = [
-    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
-    "console=ttyS0" # enable serial console
-    "console=tty1"
-  ];
-  boot.kernel.sysctl."vm.overcommit_memory" = "1";
-
-  environment.systemPackages = with pkgs; [
-    cryptsetup
-    btrfs-progs
-  ];
-  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
-
-  networking.useDHCP = true;
-
-  networking.hostName = "kexec";
-
-  services.openssh = {
-    enable = true;
-    challengeResponseAuthentication = false;
-    passwordAuthentication = false;
-  };
-
-  services.getty.autologinUser = "root";
-  users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
 }

machines/ephemeral/minimal.nix

@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+
+{
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
+  boot.kernelParams = [
+    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+    "console=ttyS0" # enable serial console
+    "console=tty1"
+  ];
+  boot.kernel.sysctl."vm.overcommit_memory" = "1";
+
+  environment.systemPackages = with pkgs; [
+    cryptsetup
+    btrfs-progs
+  ];
+  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
+
+  networking.useDHCP = true;
+
+  services.openssh = {
+    enable = true;
+    challengeResponseAuthentication = false;
+    passwordAuthentication = false;
+  };
+
+  services.getty.autologinUser = "root";
+  users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
+}

machines/ray/configuration.nix

@@ -1,12 +1,8 @@
 { config, pkgs, lib, ... }:
 
 {
-   disabledModules = [
-    "hardware/video/nvidia.nix"
-   ];
   imports = [
     ./hardware-configuration.nix
-    ./nvidia.nix
   ];
 
   firmware.x86_64.enable = true;
@@ -23,26 +19,30 @@
 
   hardware.enableAllFirmware = true;
 
-  # newer kernel for wifi
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  # depthai
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
+  '';
 
   # gpu
   services.xserver.videoDrivers = [ "nvidia" ];
-  services.xserver.logFile = "/var/log/Xorg.0.log";
   hardware.nvidia = {
     modesetting.enable = true; # for nvidia-vaapi-driver
     prime = {
-      sync.enable = true;
+      reverseSync.enable = true;
+      offload.enableOffloadCmd = true;
       nvidiaBusId = "PCI:1:0:0";
       amdgpuBusId = "PCI:4:0:0";
     };
-    powerManagement = {
-#      enable = true;
-#      finegrained = true;
-#      coarsegrained = true;
-    };
   };
 
+  # virt-manager
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+  virtualisation.spiceUSBRedirection.enable = true;
+  environment.systemPackages = with pkgs; [ virt-manager ];
+  users.users.googlebot.extraGroups = [ "libvirtd" ];
+
   # vpn-container.enable = true;
   # containers.vpn.interfaces = [ "piaw" ];
 

machines/ray/nvidia.nix

@@ -1,485 +0,0 @@
-# This module provides the proprietary NVIDIA X11 / OpenGL drivers.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  nvidia_x11 = let
-    drivers = config.services.xserver.videoDrivers;
-    isDeprecated = str: (hasPrefix "nvidia" str) && (str != "nvidia");
-    hasDeprecated = drivers: any isDeprecated drivers;
-  in if (hasDeprecated drivers) then
-    throw ''
-      Selecting an nvidia driver has been modified for NixOS 19.03. The version is now set using `hardware.nvidia.package`.
-    ''
-  else if (elem "nvidia" drivers) then cfg.package else null;
-
-  enabled = nvidia_x11 != null;
-  cfg = config.hardware.nvidia;
-
-  pCfg = cfg.prime;
-  syncCfg = pCfg.sync;
-  offloadCfg = pCfg.offload;
-  reverseSyncCfg = pCfg.reverse_sync;
-  primeEnabled = syncCfg.enable || reverseSyncCfg.enable || offloadCfg.enable;
-  nvidiaPersistencedEnabled =  cfg.nvidiaPersistenced;
-  nvidiaSettings = cfg.nvidiaSettings;
-in
-
-{
-  imports =
-    [
-      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "enable" ] [ "hardware" "nvidia" "prime" "sync" "enable" ])
-      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
-      (mkRenamedOptionModule [ "hardware" "nvidia" "prime" "sync" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
-      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "nvidiaBusId" ] [ "hardware" "nvidia" "prime" "nvidiaBusId" ])
-      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "intelBusId" ] [ "hardware" "nvidia" "prime" "intelBusId" ])
-    ];
-
-  options = {
-    hardware.nvidia.powerManagement.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Experimental power management through systemd. For more information, see
-        the NVIDIA docs, on Chapter 21. Configuring Power Management Support.
-      '';
-    };
-
-    hardware.nvidia.powerManagement.finegrained = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Experimental power management of PRIME offload. For more information, see
-        the NVIDIA docs, chapter 22. PCI-Express runtime power management.
-      '';
-    };
-
-    hardware.nvidia.powerManagement.coarsegrained = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Experimental power management of PRIME offload. For more information, see
-        the NVIDIA docs, chapter 22. PCI-Express runtime power management.
-      '';
-    };
-
-    hardware.nvidia.modesetting.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Enable kernel modesetting when using the NVIDIA proprietary driver.
-
-        Enabling this fixes screen tearing when using Optimus via PRIME (see
-        <option>hardware.nvidia.prime.sync.enable</option>. This is not enabled
-        by default because it is not officially supported by NVIDIA and would not
-        work with SLI.
-      '';
-    };
-
-    hardware.nvidia.prime.nvidiaBusId = mkOption {
-      type = types.str;
-      default = "";
-      example = "PCI:1:0:0";
-      description = ''
-        Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci
-        shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
-      '';
-    };
-
-    hardware.nvidia.prime.intelBusId = mkOption {
-      type = types.str;
-      default = "";
-      example = "PCI:0:2:0";
-      description = ''
-        Bus ID of the Intel GPU. You can find it using lspci; for example if lspci
-        shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
-      '';
-    };
-
-    hardware.nvidia.prime.amdgpuBusId = mkOption {
-      type = types.str;
-      default = "";
-      example = "PCI:4:0:0";
-      description = ''
-        Bus ID of the AMD APU. You can find it using lspci; for example if lspci
-        shows the AMD APU at "04:00.0", set this option to "PCI:4:0:0".
-      '';
-    };
-
-    hardware.nvidia.prime.sync.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME.
-        If enabled, the NVIDIA GPU will be always on and used for all rendering,
-        while enabling output to displays attached only to the integrated Intel/AMD
-        GPU without a multiplexer.
-
-        Note that this option only has any effect if the "nvidia" driver is specified
-        in <option>services.xserver.videoDrivers</option>, and it should preferably
-        be the only driver there.
-
-        If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
-        be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
-        <option>hardware.nvidia.prime.intelBusId</option> or 
-        <option>hardware.nvidia.prime.amdgpuBusId</option>).
-
-        If you enable this, you may want to also enable kernel modesetting for the
-        NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
-        to prevent tearing.
-
-        Note that this configuration will only be successful when a display manager
-        for which the <option>services.xserver.displayManager.setupCommands</option>
-        option is supported is used.
-      '';
-    };
-
-    hardware.nvidia.prime.allowExternalGpu = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Configure X to allow external NVIDIA GPUs when using Prime [Reverse] Sync.
-      '';
-    };
-
-    hardware.nvidia.prime.offload.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Enable render offload support using the NVIDIA proprietary driver via PRIME.
-
-        If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
-        be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
-        <option>hardware.nvidia.prime.intelBusId</option> or 
-        <option>hardware.nvidia.prime.amdgpuBusId</option>).
-      '';
-    };
-
-    hardware.nvidia.prime.offload.enableOffloadCmd = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Adds a `nvidia-offload` convenience script to <option>environment.systemPackages</option>
-        for offloading programs to an nvidia device. To work, should have also enabled
-        <option>hardware.nvidia.prime.offload.enable</option> or <option>hardware.nvidia.prime.reverse_sync.enable</option>
-
-        Example usage `nvidia-offload sauerbraten_client`
-      '';
-    };
-
-    hardware.nvidia.prime.reverse_sync.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Warning: This feature is relatively new, depending on your system this might
-        work poorly. AMD support, especially so.
-        See: https://forums.developer.nvidia.com/t/the-all-new-outputsink-feature-aka-reverse-prime/129828
-
-        Enable NVIDIA Optimus support using the NVIDIA proprietary driver via reverse
-        PRIME. If enabled, the Intel/AMD GPU will be used for all rendering, while
-        enabling output to displays attached only to the NVIDIA GPU without a
-        multiplexer.
-
-        Note that this option only has any effect if the "nvidia" driver is specified
-        in <option>services.xserver.videoDrivers</option>, and it should preferably
-        be the only driver there.
-
-        If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
-        be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
-        <option>hardware.nvidia.prime.intelBusId</option> or 
-        <option>hardware.nvidia.prime.amdgpuBusId</option>).
-
-        If you enable this, you may want to also enable kernel modesetting for the
-        NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
-        to prevent tearing.
-
-        Note that this configuration will only be successful when a display manager
-        for which the <option>services.xserver.displayManager.setupCommands</option>
-        option is supported is used.
-      '';
-    };
-
-    hardware.nvidia.nvidiaSettings = mkOption {
-      default = true;
-      type = types.bool;
-      description = ''
-        Whether to add nvidia-settings, NVIDIA's GUI configuration tool, to
-        systemPackages.
-      '';
-    };
-
-    hardware.nvidia.nvidiaPersistenced = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Update for NVIDA GPU headless mode, i.e. nvidia-persistenced. It ensures all
-        GPUs stay awake even during headless mode.
-      '';
-    };
-
-    hardware.nvidia.package = lib.mkOption {
-      type = lib.types.package;
-      default = config.boot.kernelPackages.nvidiaPackages.stable;
-      defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable";
-      description = ''
-        The NVIDIA X11 derivation to use.
-      '';
-      example = literalExpression "config.boot.kernelPackages.nvidiaPackages.legacy_340";
-    };
-  };
-
-  config = let
-      igpuDriver = if pCfg.intelBusId != "" then "modesetting" else "amdgpu";
-      igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
-  in mkIf enabled {
-    assertions = [
-      {
-        assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
-        message = ''
-          You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.
-        '';
-      }
-
-      {
-        assertion = offloadCfg.enableOffloadCmd -> offloadCfg.enable || reverseSyncCfg.enable;
-        message = ''
-          Offload command requires offloading or reverse prime sync to be enabled.
-        '';
-      }
-
-      {
-        assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
-        message = ''
-          When NVIDIA PRIME is enabled, the GPU bus IDs must configured.
-        '';
-      }
-
-      {
-        assertion = offloadCfg.enable -> versionAtLeast nvidia_x11.version "435.21";
-        message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
-      }
-
-      {
-        assertion = (reverseSyncCfg.enable && pCfg.amdgpuBusId != "") -> versionAtLeast nvidia_x11.version "470.0";
-        message = "NVIDIA PRIME render offload for AMD APUs is currently only supported on versions >= 470 beta.";
-      }
-
-      {
-        assertion = !(syncCfg.enable && offloadCfg.enable);
-        message = "PRIME Sync and Offload cannot be both enabled";
-      }
-
-      {
-        assertion = !(syncCfg.enable && reverseSyncCfg.enable);
-        message = "PRIME Sync and PRIME Reverse Sync cannot be both enabled";
-      }
-
-      {
-        assertion = !(syncCfg.enable && cfg.powerManagement.finegrained && cfg.powerManagement.coarsegrained);
-        message = "Sync precludes powering down the NVIDIA GPU.";
-      }
-
-      {
-        assertion = cfg.powerManagement.finegrained -> offloadCfg.enable;
-        message = "Fine-grained power management requires offload to be enabled.";
-      }
-
-      {
-        assertion = cfg.powerManagement.coarsegrained -> offloadCfg.enable;
-        message = "Coarse-grained power management requires offload to be enabled.";
-      }
-
-      {
-        assertion = cfg.powerManagement.enable -> (
-          builtins.pathExists (cfg.package.out + "/bin/nvidia-sleep.sh") &&
-          builtins.pathExists (cfg.package.out + "/lib/systemd/system-sleep/nvidia")
-        );
-        message = "Required files for driver based power management don't exist.";
-      }
-    ];
-
-    # If Optimus/PRIME is enabled, we:
-    # - Specify the configured NVIDIA GPU bus ID in the Device section for the
-    #   "nvidia" driver.
-    # - Add the AllowEmptyInitialConfiguration option to the Screen section for the
-    #   "nvidia" driver, in order to allow the X server to start without any outputs.
-    # - Add a separate Device section for the Intel GPU, using the "modesetting"
-    #   driver and with the configured BusID.
-    # - OR add a separate Device section for the AMD APU, using the "amdgpu"
-    #   driver and with the configures BusID.
-    # - Reference that Device section from the ServerLayout section as an inactive
-    #   device.
-    # - Configure the display manager to run specific `xrandr` commands which will
-    #   configure/enable displays connected to the Intel iGPU / AMD APU.
-
-    services.xserver.useGlamor = mkDefault offloadCfg.enable;
-
-    # reverse sync implies offloading
-    hardware.nvidia.prime.offload.enable = mkDefault reverseSyncCfg.enable;
-
-    services.xserver.drivers = optional primeEnabled {
-      name = igpuDriver;
-      display = !syncCfg.enable;
-      modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
-      deviceSection = ''
-        BusID "${igpuBusId}"
-        ${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}
-      '';
-    } ++ singleton {
-      name = "nvidia";
-      modules = [ nvidia_x11.bin ];
-      display = syncCfg.enable;
-      deviceSection = optionalString primeEnabled ''
-        BusID "${pCfg.nvidiaBusId}"
-        ${optionalString pCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
-      '';
-    };
-
-    services.xserver.serverLayoutSection = optionalString syncCfg.enable ''
-      Inactive "Device-${igpuDriver}[0]"
-    '' + optionalString reverseSyncCfg.enable ''
-      Inactive "Device-nvidia[0]"
-    '' + optionalString offloadCfg.enable ''
-      Option "AllowNVIDIAGPUScreens"
-    '';
-
-    services.xserver.displayManager.setupCommands = let
-      gpuProviderName = if igpuDriver == "amdgpu" then
-        # find the name of the provider if amdgpu
-        "`${pkgs.xorg.xrandr}/bin/xrandr --listproviders | ${pkgs.gnugrep}/bin/grep -i AMD | ${pkgs.gnused}/bin/sed -n 's/^.*name://p'`"
-      else
-        igpuDriver;
-      providerCmdParams = if syncCfg.enable then "\"${gpuProviderName}\" NVIDIA-0" else "NVIDIA-G0 \"${gpuProviderName}\"";
-    in optionalString (syncCfg.enable || reverseSyncCfg.enable) ''
-      # Added by nvidia configuration module for Optimus/PRIME.
-      ${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource ${providerCmdParams}
-      ${pkgs.xorg.xrandr}/bin/xrandr --auto
-    '';
-
-    environment.etc."nvidia/nvidia-application-profiles-rc" = mkIf nvidia_x11.useProfiles {
-      source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
-    };
-
-    # 'nvidia_x11' installs it's files to /run/opengl-driver/...
-    environment.etc."egl/egl_external_platform.d".source =
-      "/run/opengl-driver/share/egl/egl_external_platform.d/";
-
-    hardware.opengl.extraPackages = [
-      nvidia_x11.out
-      # pkgs.nvidia-vaapi-driver
-    ];
-    hardware.opengl.extraPackages32 = [
-      nvidia_x11.lib32
-      # pkgs.pkgsi686Linux.nvidia-vaapi-driver
-    ];
-
-    environment.systemPackages = [ nvidia_x11.bin ]
-      ++ optionals cfg.nvidiaSettings [ nvidia_x11.settings ]
-      ++ optionals nvidiaPersistencedEnabled [ nvidia_x11.persistenced ]
-      ++ optionals offloadCfg.enableOffloadCmd [ 
-        (pkgs.writeShellScriptBin "nvidia-offload" ''
-          export __NV_PRIME_RENDER_OFFLOAD=1
-          export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
-          export __GLX_VENDOR_LIBRARY_NAME=nvidia
-          export __VK_LAYER_NV_optimus=NVIDIA_only
-          exec -a "$0" "$@"
-        '') 
-      ];
-
-    systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out;
-
-    systemd.services = let
-      baseNvidiaService = state: {
-        description = "NVIDIA system ${state} actions";
-
-        path = with pkgs; [ kbd ];
-        serviceConfig = {
-          Type = "oneshot";
-          ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
-        };
-      };
-
-      nvidiaService = sleepState: (baseNvidiaService sleepState) // {
-        before = [ "systemd-${sleepState}.service" ];
-        requiredBy = [ "systemd-${sleepState}.service" ];
-      };
-
-      services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"]))
-        // {
-          nvidia-resume = (baseNvidiaService "resume") // {
-            after = [ "systemd-suspend.service" "systemd-hibernate.service" ];
-            requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ];
-          };
-        };
-    in optionalAttrs cfg.powerManagement.enable services
-      // optionalAttrs nvidiaPersistencedEnabled {
-        "nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
-          description = "NVIDIA Persistence Daemon";
-          wantedBy = [ "multi-user.target" ];
-          serviceConfig = {
-            Type = "forking";
-            Restart = "always";
-            PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
-            ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose";
-            ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
-          };
-        };
-      };
-
-    systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
-        "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
-      ++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
-        "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
-
-    boot.extraModulePackages = [ nvidia_x11.bin ];
-
-    # nvidia-uvm is required by CUDA applications.
-    boot.kernelModules = [ "nvidia-uvm" ] ++
-      optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
-
-    # If requested enable modesetting via kernel parameter.
-    boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
-      ++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1";
-
-    services.udev.extraRules =
-      ''
-        # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
-        KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \  -f 1) 255'"
-        KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \  -f 1) 254'"
-        KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \  -f 1) %n'"
-        KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 0'"
-        KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 0'"
-      '' + optionalString (cfg.powerManagement.finegrained || cfg.powerManagement.coarsegrained) ''
-        # Remove NVIDIA USB xHCI Host Controller devices, if present
-        ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
-
-        # Remove NVIDIA USB Type-C UCSI devices, if present
-        ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
-
-        # Remove NVIDIA Audio devices, if present
-        ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
-
-        # Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
-        ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
-        ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
-
-        # Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
-        ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
-        ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
-      '';
-
-    boot.extraModprobeConfig = optionalString cfg.powerManagement.finegrained ''
-      options nvidia "NVreg_DynamicPowerManagement=0x02"
-    '' + optionalString cfg.powerManagement.coarsegrained ''
-      options nvidia "NVreg_DynamicPowerManagement=0x01"
-    '';
-
-    boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
-
-    services.acpid.enable = true;
-
-  };
-
-}