prototype

Move s0 to systemd-boot
Automatically set machine hostname
2023-04-26 14:46:55 -06:00 · 2023-04-25 23:41:08 -06:00 · 2023-04-24 20:52:17 -06:00 · 2023-04-23 10:29:18 -06:00 · 2023-04-23 10:28:55 -06:00 · 2023-04-23 10:16:54 -06:00
159 changed files with 3436 additions and 4109 deletions
--- a/README.md
+++ b/README.md
@@ -3,10 +3,9 @@
 ### Source Layout
 - `/common` - common configuration imported into all `/machines`
    - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
-    - `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
+    - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
    - `/ssh.nix` - all ssh public host and user keys for all `/machines`
 - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
 - `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
--- a/TODO.md
+++ b/TODO.md
@@ -10,24 +10,12 @@
 - https://nixos.wiki/wiki/Comparison_of_NixOS_setups
 ### Housekeeping
 - Format everything here using nixfmt
 - Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
 - CI https://gvolpe.com/blog/nixos-binary-cache-ci/
 - remove `options.currentSystem`
 - allow `hostname` option for webservices to be null to disable configuring nginx
 ### NAS
 - helios64 extra led lights
 - safely turn off NAS on power disconnect
 - hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
 - tor unlock
 ### bcachefs
 - bcachefs health alerts via email
 - bcachefs periodic snapshotting
 - use mount.bcachefs command for mounting
 - bcachefs native encryption
    - just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
 ### Shell Comands
 - tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
@@ -52,21 +40,7 @@
        - https://ampache.org/
 - replace nextcloud with seafile
 ### VPN container
 - use wireguard for vpn
    - https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
    - https://github.com/pia-foss/manual-connections
    - port forwarding for vpn
        - transmission using forwarded port
    - https://www.wireguard.com/netns/
    - one way firewall for vpn container
 ### Networking
 - tailscale for p2p connections
    - remove all use of zerotier
 ### Archive
 - https://www.backblaze.com/b2/cloud-storage.html
 - email
    - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
    - http://kb.unixservertech.com/software/dovecot/archiveserver
@@ -75,7 +49,32 @@
 - https://christine.website/blog/paranoid-nixos-2021-07-18
 - https://nixos.wiki/wiki/Impermanence
 # Setup CI
 - CI
    - hydra
    - https://docs.cachix.org/continuous-integration-setup/
 - Binary Cache
    - Maybe use cachix https://gvolpe.com/blog/nixos-binary-cache-ci/
    - Self hosted binary cache? https://www.tweag.io/blog/2019-11-21-untrusted-ci/
    - https://github.com/edolstra/nix-serve
    - https://nixos.wiki/wiki/Binary_Cache
    - https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
 - Both
    - https://garnix.io/
    - https://nixbuild.net
 # Secrets
 - consider using headscale
 - Replace luks over tor for remote unlock with luks over tailscale using ephemeral keys
 - Rollover luks FDE passwords
 - /secrets on personal computers should only be readable using a trusted ssh key, preferably requiring a yubikey
 - Rollover shared yubikey secrets
 - offsite backup yubikey, pw db, and ssh key with /secrets access
 ### Misc
 - for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
  - https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper
--- a/common/auto-update.nix
+++ b/common/auto-update.nix
@@ -1,14 +1,25 @@
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:
 # Modify auto-update so that it pulls a flake
 let
  cfg = config.system.autoUpgrade;
-in {
+in
-  config = lib.mkIf cfg.enable {
+{
-    system.autoUpgrade = {
+  config = lib.mkIf cfg.enable (lib.mkMerge [
-      flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
+    {
-      flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
+      system.autoUpgrade = {
-    };
+        flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
-  };
+        flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
-}
+
        # dates = "03:40";
        # kexecWindow = lib.mkDefault { lower = "01:00"; upper = "05:00"; };
        # randomizedDelaySec = "45min";
      };
      system.autoUpgrade.allowKexec = lib.mkDefault true;
      luks.enableKexec = cfg.allowKexec && builtins.length config.luks.devices > 0;
    }
  ]);
 }
--- a/common/backups.nix
+++ b/common/backups.nix
@@ -0,0 +1,78 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.backup;
  hostname = config.networking.hostName;
  mkRespository = group: "s3:s3.us-west-004.backblazeb2.com/D22TgIt0-main-backup/${group}";
  mkBackup = group: paths: {
    repository = mkRespository group;
    inherit paths;
    initialize = true;
    timerConfig = {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
    extraBackupArgs = [
      ''--exclude-if-present ".nobackup"''
    ];
    pruneOpts = [
      "--keep-daily 7" # one backup for each of the last n days
      "--keep-weekly 5" # one backup for each of the last n weeks
      "--keep-monthly 12" # one backup for each of the last n months
      "--keep-yearly 75" # one backup for each of the last n years
    ];
    environmentFile = "/run/agenix/backblaze-s3-backups";
    passwordFile = "/run/agenix/restic-password";
  };
  # example usage: "sudo restic_samba unlock" (removes lockfile)
  mkResticGroupCmd = group: pkgs.writeShellScriptBin "restic_${group}" ''
    if [ "$EUID" -ne 0 ]
      then echo "Run as root"
      exit
    fi
    . /run/agenix/backblaze-s3-backups
    export AWS_SECRET_ACCESS_KEY
    export AWS_ACCESS_KEY_ID
    export RESTIC_PASSWORD_FILE=/run/agenix/restic-password
    export RESTIC_REPOSITORY="${mkRespository group}"
    exec ${pkgs.restic}/bin/restic "$@"
  '';
 in
 {
  options.backup = {
    group = lib.mkOption {
      default = null;
      type = lib.types.nullOr (lib.types.attrsOf (lib.types.submodule {
        options = {
          paths = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            description = ''
              Paths to backup
            '';
          };
        };
      }));
    };
  };
  config = lib.mkIf (cfg.group != null) {
    services.restic.backups = lib.concatMapAttrs
      (group: groupCfg: {
        ${group} = mkBackup group groupCfg.paths;
      })
      cfg.group;
    age.secrets.backblaze-s3-backups.file = ../secrets/backblaze-s3-backups.age;
    age.secrets.restic-password.file = ../secrets/restic-password.age;
    environment.systemPackages = map mkResticGroupCmd (builtins.attrNames cfg.group);
  };
 }
--- a/common/boot/bios.nix
+++ b/common/boot/bios.nix
@@ -3,7 +3,8 @@
 with lib;
 let
  cfg = config.bios;
-in {
+in
 {
  options.bios = {
    enable = mkEnableOption "enable bios boot";
    device = mkOption {
@@ -25,4 +26,4 @@ in {
      };
    };
  };
-}
+}
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@@ -5,6 +5,8 @@
    ./firmware.nix
    ./efi.nix
    ./bios.nix
    ./kexec-luks.nix
    ./luks.nix
    ./remote-luks-unlock.nix
  ];
-}
+}
--- a/common/boot/efi.nix
+++ b/common/boot/efi.nix
@@ -3,7 +3,8 @@
 with lib;
 let
  cfg = config.efi;
-in {
+in
 {
  options.efi = {
    enable = mkEnableOption "enable efi boot";
  };
@@ -19,7 +20,7 @@ in {
        version = 2;
        efiSupport = true;
        useOSProber = true;
-#       memtest86.enable = true;
+        #       memtest86.enable = true;
        configurationLimit = 20;
        theme = pkgs.nixos-grub2-theme;
      };
--- a/common/boot/firmware.nix
+++ b/common/boot/firmware.nix
@@ -3,7 +3,8 @@
 with lib;
 let
  cfg = config.firmware;
-in {
+in
 {
  options.firmware.x86_64 = {
    enable = mkEnableOption "enable x86_64 firmware";
  };
@@ -14,4 +15,4 @@ in {
  };
  # services.fwupd.enable = true;
-}
+}
--- a/common/boot/kexec-luks.nix
+++ b/common/boot/kexec-luks.nix
@@ -0,0 +1,121 @@
 # Allows kexec'ing as an alternative to rebooting for machines that
 # have luks encrypted partitions that need to be mounted at boot.
 # These luks partitions will be automatically unlocked, no password,
 # or any interaction needed whatsoever.
 # This is accomplished by fetching the luks key(s) while the system is running,
 # then building a temporary initrd that contains the luks key(s), and kexec'ing.
 { config, lib, pkgs, ... }:
 {
  options.luks = {
    enableKexec = lib.mkEnableOption "Enable support for transparent passwordless kexec while using luks";
  };
  config = lib.mkIf config.luks.enableKexec {
    luks.fallbackToPassword = true;
    luks.disableKeyring = true;
    boot.initrd.luks.devices = lib.listToAttrs
      (builtins.map
        (item:
          {
            name = item;
            value = {
              masterKeyFile = "/etc/${item}.key";
            };
          })
        config.luks.deviceNames);
    systemd.services.prepare-luks-kexec-image = {
      description = "Prepare kexec automatic LUKS unlock on kexec reboot without a password";
      wantedBy = [ "kexec.target" ];
      unitConfig.DefaultDependencies = false;
      serviceConfig.Type = "oneshot";
      path = with pkgs; [ file kexec-tools coreutils-full cpio findutils gzip xz zstd lvm2 xxd gawk ];
      # based on https://github.com/flowztul/keyexec
      script = ''
        system=/nix/var/nix/profiles/system
        old_initrd=$(readlink -f "$system/initrd")
        umask 0077
        CRYPTROOT_TMPDIR="$(mktemp -d --tmpdir=/dev/shm)"
        cleanup() {
          shred -fu "$CRYPTROOT_TMPDIR/initrd_contents/etc/"*.key || true
          shred -fu "$CRYPTROOT_TMPDIR/new_initrd" || true
          shred -fu "$CRYPTROOT_TMPDIR/secret/"* || true
          rm -rf "$CRYPTROOT_TMPDIR"
        }
        # trap cleanup INT TERM EXIT
        mkdir -p "$CRYPTROOT_TMPDIR"
        cd "$CRYPTROOT_TMPDIR"
        # Determine the compression type of the initrd image
        compression=$(file -b --mime-type "$old_initrd" | awk -F'/' '{print $2}')
        # Decompress the initrd image based on its compression type
        case "$compression" in
          gzip)
            gunzip -c "$old_initrd" > initrd.cpio
            ;;
          xz)
            unxz -c "$old_initrd" > initrd.cpio
            ;;
          zstd)
            zstd -d -c "$old_initrd" > initrd.cpio
            ;;
          *)
            echo "Unsupported compression type: $compression"
            exit 1
            ;;
        esac
        # Extract the contents of the cpio archive
        mkdir -p initrd_contents
        cd initrd_contents
        cpio -idv < ../initrd.cpio
        # Generate keys and add them to the extracted initrd filesystem
        luksDeviceNames=(${builtins.concatStringsSep " " config.luks.deviceNames})
        for item in "''${luksDeviceNames[@]}"; do
          dmsetup --showkeys table "$item" | cut -d ' ' -f5 | xxd -ps -g1 -r > "./etc/$item.key"
        done
        # Add normal initrd secrets too
        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (dest: source:
            let source' = if source == null then dest else builtins.toString source; in
              ''
                mkdir -p $(dirname "./${dest}")
                cp -a ${source'} "./${dest}"
              ''
          ) config.boot.initrd.secrets)
        }
        # Create a new cpio archive with the modified contents
        find . | cpio -o -H newc -v > ../new_initrd.cpio
        # Compress the new cpio archive using the original compression type
        cd ..
        case "$compression" in
          gzip)
            gunzip -c new_initrd.cpio > new_initrd
            ;;
          xz)
            unxz -c new_initrd.cpio > new_initrd
            ;;
          zstd)
            zstd -c new_initrd.cpio > new_initrd
            ;;
        esac
        kexec --load "$system/kernel" --append "init=$system/init ${builtins.concatStringsSep " " config.boot.kernelParams}" --initrd "$CRYPTROOT_TMPDIR/new_initrd"
      '';
    };
  };
 }
--- a/common/boot/luks.nix
+++ b/common/boot/luks.nix
@@ -1,101 +1,74 @@
-{ config, pkgs, lib, ... }:
+# Makes it a little easier to configure luks partitions for boot
 # Additionally, this solves a circular dependency between kexec luks
 # and NixOS's luks module.
 { config, lib, ... }:
 let
  cfg = config.luks;
-in {
+
  deviceCount = builtins.length cfg.devices;
  deviceMap = lib.imap
    (i: item: {
      device = item;
      name =
        if deviceCount == 1 then "enc-pv"
        else "enc-pv${builtins.toString (i + 1)}";
    })
    cfg.devices;
 in
 {
  options.luks = {
-    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
+    devices = lib.mkOption {
-    device = {
+      type = lib.types.listOf lib.types.str;
-      name = lib.mkOption {
+      default = [ ];
        type = lib.types.str;
        default = "enc-pv";
      };
      path = lib.mkOption {
        type = lib.types.either lib.types.str lib.types.path;
      };
      allowDiscards = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
    };
-    sshHostKeys = lib.mkOption {
+
-      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
+    allowDiscards = lib.mkOption {
-      default = [
+      type = lib.types.bool;
-        "/secret/ssh_host_rsa_key"
+      default = true;
-        "/secret/ssh_host_ed25519_key"
+    };
    fallbackToPassword = lib.mkEnableOption
      "Fallback to interactive passphrase prompt if the cannot be found.";
    disableKeyring = lib.mkEnableOption
      "When opening LUKS2 devices, don't use the kernel keyring";
    # set automatically, don't touch
    deviceNames = lib.mkOption {
      type = lib.types.listOf lib.types.str;
    };
  };
  config = lib.mkMerge [
    {
      assertions = [
        {
          assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
          message = ''
            All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
          '';
        }
      ];
-    };
+    }
-    sshAuthorizedKeys = lib.mkOption {
+    (lib.mkIf (deviceCount != 0) {
-      type = lib.types.listOf lib.types.str;
+      luks.deviceNames = builtins.map (device: device.name) deviceMap;
      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
    };
    onionConfig = lib.mkOption {
      type = lib.types.path;
      default = /secret/onion;
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
    };
  };
-  config = lib.mkIf cfg.enable {
+      boot.initrd.luks.devices = lib.listToAttrs (
-    boot.initrd.luks.devices.${cfg.device.name} = {
+        builtins.map
-      device = cfg.device.path;
+          (item:
-      allowDiscards = cfg.device.allowDiscards;
+            {
-    };
+              name = item.name;
-
+              value = {
-    # Unlock LUKS disk over ssh
+                device = item.device;
-    boot.initrd.network.enable = true;
+                allowDiscards = cfg.allowDiscards;
-    boot.initrd.kernelModules = cfg.kernelModules;
+                fallbackToPassword = cfg.fallbackToPassword;
-    boot.initrd.network.ssh = {
+                disableKeyring = cfg.disableKeyring;
-      enable = true;
+              };
-      port = 22;
+            })
-      hostKeys = cfg.sshHostKeys;
+          deviceMap);
-      authorizedKeys = cfg.sshAuthorizedKeys;
+    })
-    };
+  ];
    boot.initrd.postDeviceCommands = ''
      echo 'waiting for root device to be opened...'
      mkfifo /crypt-ramfs/passphrase
      echo /crypt-ramfs/passphrase >> /dev/null
    '';
    # Make machine accessable over tor for boot unlock
    boot.initrd.secrets = {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
    # start tor during boot process
    boot.initrd.network.postCommands = let
      torRc = (pkgs.writeText "tor.rc" ''
        DataDirectory /etc/tor
        SOCKSPort 127.0.0.1:9050 IsolateDestAddr
        SOCKSPort 127.0.0.1:9063
        HiddenServiceDir /etc/tor/onion/bootup
        HiddenServicePort 22 127.0.0.1:22
      '');
    in ''
      # Add nice prompt for giving LUKS passphrase over ssh
      echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
      echo "tor: preparing onion folder"
      # have to do this otherwise tor does not want to start
      chmod -R 700 /etc/tor
      echo "make sure localhost is up"
      ip a a 127.0.0.1/8 dev lo
      ip link set lo up
      echo "haveged: starting haveged"
      haveged -F &
      echo "tor: starting tor"
      tor -f ${torRc} --verify-config
      tor -f ${torRc} &
    '';
  };
 }
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@@ -0,0 +1,94 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.remoteLuksUnlock;
 in
 {
  options.remoteLuksUnlock = {
    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
    enableTorUnlock = lib.mkOption {
      type = lib.types.bool;
      default = cfg.enable;
      description = "Make machine accessable over tor for ssh boot unlock";
    };
    sshHostKeys = lib.mkOption {
      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
      default = [
        "/secret/ssh_host_rsa_key"
        "/secret/ssh_host_ed25519_key"
      ];
    };
    sshAuthorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
    };
    onionConfig = lib.mkOption {
      type = lib.types.path;
      default = /secret/onion;
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
    };
  };
  config = lib.mkIf cfg.enable {
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;
    boot.initrd.network.ssh = {
      enable = true;
      port = 22;
      hostKeys = cfg.sshHostKeys;
      authorizedKeys = cfg.sshAuthorizedKeys;
    };
    boot.initrd.postDeviceCommands = ''
      echo 'waiting for root device to be opened...'
      mkfifo /crypt-ramfs/passphrase
      echo /crypt-ramfs/passphrase >> /dev/null
    '';
    boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
    boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
    boot.initrd.network.postCommands = lib.mkMerge [
      (
        ''
          # Add nice prompt for giving LUKS passphrase over ssh
          echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
        ''
      )
      (
        let torRc = (pkgs.writeText "tor.rc" ''
          DataDirectory /etc/tor
          SOCKSPort 127.0.0.1:9050 IsolateDestAddr
          SOCKSPort 127.0.0.1:9063
          HiddenServiceDir /etc/tor/onion/bootup
          HiddenServicePort 22 127.0.0.1:22
        ''); in
        lib.mkIf cfg.enableTorUnlock ''
          echo "tor: preparing onion folder"
          # have to do this otherwise tor does not want to start
          chmod -R 700 /etc/tor
          echo "make sure localhost is up"
          ip a a 127.0.0.1/8 dev lo
          ip link set lo up
          echo "haveged: starting haveged"
          haveged -F &
          echo "tor: starting tor"
          tor -f ${torRc} --verify-config
          tor -f ${torRc} &
        ''
      )
    ];
  };
 }
--- a/common/default.nix
+++ b/common/default.nix
@@ -2,6 +2,7 @@
 {
  imports = [
    ./backups.nix
    ./flakes.nix
    ./auto-update.nix
    ./shell.nix
@@ -9,6 +10,8 @@
    ./boot
    ./server
    ./pc
    ./machine-info
    ./ssh.nix
  ];
  nix.flakes.enable = true;
@@ -20,17 +23,23 @@
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
-  time.timeZone = "America/New_York";
+  time.timeZone = "America/Denver";
  i18n.defaultLocale = "en_US.UTF-8";
-  services.openssh.enable = true;
+  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
    };
  };
  programs.mosh.enable = true;
  environment.systemPackages = with pkgs; [
    wget
    kakoune
    htop
-    git git-lfs
+    git
    git-lfs
    dnsutils
    tmux
    nethogs
@@ -42,6 +51,8 @@
    micro
    helix
    lm_sensors
    picocom
    lf
  ];
  nixpkgs.config.allowUnfree = true;
@@ -54,11 +65,24 @@
      "dialout" # serial
    ];
    shell = pkgs.fish;
-    openssh.authorizedKeys.keys = (import ./ssh.nix).users;
+    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
    uid = 1000;
  };
-  nix.trustedUsers = [ "root" "googlebot" ];
+  users.users.root = {
    openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
  };
  nix.settings = {
    trusted-users = [ "root" "googlebot" ];
  };
  # don't use sudo
  security.doas.enable = true;
  security.sudo.enable = false;
  security.doas.extraRules = [
    # don't ask for password every time
    { groups = [ "wheel" ]; persist = true; }
  ];
  nix.gc.automatic = true;
--- a/common/flakes.nix
+++ b/common/flakes.nix
@@ -2,7 +2,8 @@
 with lib;
 let
  cfg = config.nix.flakes;
-in {
+in
 {
  options.nix.flakes = {
    enable = mkEnableOption "use nix flakes";
  };
--- a/common/machine-info/default.nix
+++ b/common/machine-info/default.nix
@@ -0,0 +1,200 @@
 # Gathers info about each machine to constuct overall configuration
 # Ex: Each machine already trusts each others SSH fingerprint already
 { config, lib, pkgs, ... }:
 let
  machines = config.machines.hosts;
 in
 {
  imports = [
    ./ssh.nix
    ./roles.nix
  ];
  options.machines = {
    hosts = lib.mkOption {
      type = lib.types.attrsOf
        (lib.types.submodule {
          options = {
            hostNames = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              description = ''
                List of hostnames for this machine. The first one is the default so it is the target of deployments.
                Used for automatically trusting hosts for ssh connections.
              '';
            };
            arch = lib.mkOption {
              type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
              description = ''
                The architecture of this machine.
              '';
            };
            systemRoles = lib.mkOption {
              type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
              description = ''
                The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
              '';
            };
            hostKey = lib.mkOption {
              type = lib.types.str;
              description = ''
                The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
                and for decrypting secrets with agenix.
              '';
            };
            remoteUnlock = lib.mkOption {
              default = null;
              type = lib.types.nullOr (lib.types.submodule {
                options = {
                  hostKey = lib.mkOption {
                    type = lib.types.str;
                    description = ''
                      The system ssh host key of this machine used for luks boot unlocking only.
                    '';
                  };
                  clearnetHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over clearnet used to luks boot unlock this machine
                    '';
                  };
                  onionHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over tor used to luks boot unlock this machine
                    '';
                  };
                };
              });
            };
            userKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
                TODO: consider auto populating other programs that use ssh keys such as gitea
              '';
            };
            deployKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of deployment keys. Each key here can be used to log into all other systems as `root`.
              '';
            };
            configurationPath = lib.mkOption {
              type = lib.types.path;
              description = ''
                The path to this machine's configuration directory.
              '';
            };
          };
        });
    };
  };
  config = {
    assertions = (lib.concatLists (lib.mapAttrsToList
      (
        name: cfg: [
          {
            assertion = builtins.length cfg.hostNames > 0;
            message = ''
              Error with config for ${name}
              There must be at least one hostname.
            '';
          }
          {
            assertion = builtins.length cfg.systemRoles > 0;
            message = ''
              Error with config for ${name}
              There must be at least one system role.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.hostKey != cfg.hostKey;
            message = ''
              Error with config for ${name}
              Unlock hostkey and hostkey cannot be the same because unlock hostkey is in /boot, unencrypted.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || (cfg.remoteUnlock.clearnetHost != null || cfg.remoteUnlock.onionHost != null);
            message = ''
              Error with config for ${name}
              At least one of clearnet host or onion host must be defined.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.clearnetHost == null || builtins.elem cfg.remoteUnlock.clearnetHost cfg.hostNames == false;
            message = ''
              Error with config for ${name}
              Clearnet unlock hostname cannot be in the list of hostnames for security reasons.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.onionHost == null || lib.strings.hasSuffix ".onion" cfg.remoteUnlock.onionHost;
            message = ''
              Error with config for ${name}
              Tor unlock hostname must be an onion address.
            '';
          }
          {
            assertion = builtins.elem "personal" cfg.systemRoles || builtins.length cfg.userKeys == 0;
            message = ''
              Error with config for ${name}
              There must be at least one userkey defined for personal machines.
            '';
          }
          {
            assertion = builtins.elem "deploy" cfg.systemRoles || builtins.length cfg.deployKeys == 0;
            message = ''
              Error with config for ${name}
              Only deploy machines are allowed to have deploy keys for security reasons.
            '';
          }
        ]
      )
      machines));
    # Set per machine properties automatically using each of their `properties.nix` files respectively
    machines.hosts =
      let
        properties = dir: lib.concatMapAttrs
          (name: path: {
            ${name} =
              import path
              //
              { configurationPath = builtins.dirOf path; };
          })
          (propertiesFiles dir);
        propertiesFiles = dir:
          lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
        propertiesFiles' = dir:
          let
            propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
            dirName = path: builtins.baseNameOf (builtins.dirOf path);
          in
          builtins.map (p: { "${dirName p}" = p; }) propFiles;
      in
      properties ../../machines;
  };
 }
--- a/common/machine-info/moduleless.nix
+++ b/common/machine-info/moduleless.nix
@@ -0,0 +1,15 @@
 # Allows getting machine-info outside the scope of nixos configuration
 { nixpkgs ? import <nixpkgs> { }
 , assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
 }:
 {
  machines =
    (nixpkgs.lib.evalModules {
      modules = [
        ./default.nix
        assertionsModule
      ];
    }).config.machines;
 }
--- a/common/machine-info/roles.nix
+++ b/common/machine-info/roles.nix
@@ -0,0 +1,19 @@
 { config, lib, ... }:
 # Maps roles to their hosts
 {
  options.machines.roles = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
  };
  config = {
    machines.roles = lib.zipAttrs
      (lib.mapAttrsToList
        (host: cfg:
          lib.foldl (lib.mergeAttrs) { }
            (builtins.map (role: { ${role} = host; })
              cfg.systemRoles))
        config.machines.hosts);
  };
 }
--- a/common/machine-info/ssh.nix
+++ b/common/machine-info/ssh.nix
@@ -0,0 +1,44 @@
 { config, lib, ... }:
 let
  machines = config.machines;
  sshkeys = keyType: lib.foldl (l: cfg: l ++ cfg.${keyType}) [ ] (builtins.attrValues machines.hosts);
 in
 {
  options.machines.ssh = {
    userKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        List of user keys aggregated from all machines.
      '';
    };
    deployKeys = lib.mkOption {
      default = [ ];
      type = lib.types.listOf lib.types.str;
      description = ''
        List of deploy keys aggregated from all machines.
      '';
    };
    hostKeysByRole = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      description = ''
        Machine host keys divided into their roles.
      '';
    };
  };
  config = {
    machines.ssh.userKeys = sshkeys "userKeys";
    machines.ssh.deployKeys = sshkeys "deployKeys";
    machines.ssh.hostKeysByRole = lib.mapAttrs
      (role: hosts:
        builtins.map
          (host: machines.hosts.${host}.hostKey)
          hosts)
      machines.roles;
  };
 }
--- a/common/network/ca.rsa.4096.crt
+++ b/common/network/ca.rsa.4096.crt
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -7,11 +7,11 @@ let
 in
 {
  imports = [
    ./hosts.nix
    ./pia-openvpn.nix
    ./pia-wireguard.nix
    ./ping.nix
    ./tailscale.nix
    ./vpn.nix
    ./zerotier.nix
  ];
  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
@@ -20,4 +20,4 @@ in
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  };
-}
+}
--- a/common/network/hosts.nix
+++ b/common/network/hosts.nix
@@ -1,63 +0,0 @@
 { config, lib, ... }:
 let
  system = (import ../ssh.nix).system;
 in {
  networking.hosts = {
    # some DNS providers filter local ip results from DNS request
    "172.30.145.180" = [ "s0.zt.neet.dev" ];
    "172.30.109.9" = [ "ponyo.zt.neet.dev" ];
    "172.30.189.212" = [ "ray.zt.neet.dev" ];
  };
  programs.ssh.knownHosts = {
    liza = {
      hostNames = [ "liza" "liza.neet.dev" ];
      publicKey = system.liza;
    };
    ponyo = {
      hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
      publicKey = system.ponyo;
    };
    ponyo-unlock = {
      hostNames = [ "unlock.ponyo.neet.dev" "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion" ];
      publicKey = system.ponyo-unlock;
    };
    ray = {
      hostNames = [ "ray" "ray.zt.neet.dev" ];
      publicKey = system.ray;
    };
    s0 = {
      hostNames = [ "s0" "s0.zt.neet.dev" ];
      publicKey = system.s0;
    };
    n1 = {
      hostNames = [ "n1" ];
      publicKey = system.n1;
    };
    n2 = {
      hostNames = [ "n2" ];
      publicKey = system.n2;
    };
    n3 = {
      hostNames = [ "n3" ];
      publicKey = system.n3;
    };
    n4 = {
      hostNames = [ "n4" ];
      publicKey = system.n4;
    };
    n5 = {
      hostNames = [ "n5" ];
      publicKey = system.n5;
    };
    n6 = {
      hostNames = [ "n6" ];
      publicKey = system.n6;
    };
    n7 = {
      hostNames = [ "n7" ];
      publicKey = system.n7;
    };
  };
 }
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 let
-  cfg = config.pia;
+  cfg = config.pia.openvpn;
  vpnfailsafe = pkgs.stdenv.mkDerivation {
    pname = "vpnfailsafe";
    version = "0.0.1";
@@ -14,7 +14,7 @@ let
  };
 in
 {
-  options.pia = {
+  options.pia.openvpn = {
    enable = lib.mkEnableOption "Enable private internet access";
    server = lib.mkOption {
      type = lib.types.str;
@@ -108,6 +108,6 @@ in
        };
      };
    };
-    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
-}
+}
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -0,0 +1,357 @@
 { config, lib, pkgs, ... }:
 # Server list:
 #   https://serverlist.piaservers.net/vpninfo/servers/v6
 # Reference materials:
 #   https://github.com/pia-foss/manual-connections
 #   https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
 # TODO handle potential errors (or at least print status, success, and failures to the console)
 # TODO parameterize names of systemd services so that multiple wg VPNs could coexist in theory easier
 # TODO implement this module such that the wireguard VPN doesn't have to live in a container
 # TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
 # TODO verify signatures of PIA responses
 with builtins;
 with lib;
 let
  cfg = config.pia.wireguard;
  getPIAToken = ''
    PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
    PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
    # PIA_TOKEN only lasts 24hrs
    PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
  '';
  chooseWireguardServer = ''
    servers=$(mktemp)
    servers_json=$(mktemp)
    curl -s "https://serverlist.piaservers.net/vpninfo/servers/v6" > "$servers"
    # extract json part only
    head -n 1 "$servers" | tr -d '\n' > "$servers_json"
    echo "Available location ids:" && jq '.regions | .[] | {name, id, port_forward}' "$servers_json"
    # Some locations have multiple servers available. Pick a random one.
    totalservers=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | length' "$servers_json")
    if ! [[ "$totalservers" =~ ^[0-9]+$ ]] || [ "$totalservers" -eq 0 ] 2>/dev/null; then
      echo "Location \"${cfg.serverLocation}\" not found."
      exit 1
    fi
    serverindex=$(( RANDOM % totalservers))
    WG_HOSTNAME=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].cn' "$servers_json")
    WG_SERVER_IP=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].ip' "$servers_json")
    WG_SERVER_PORT=$(jq -r '.groups.wg | .[0] | .ports | .[0]' "$servers_json")
    # write chosen server
    rm -f /tmp/${cfg.interfaceName}-server.conf
    touch /tmp/${cfg.interfaceName}-server.conf
    chmod 700 /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_HOSTNAME" >> /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_SERVER_IP" >> /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_SERVER_PORT" >> /tmp/${cfg.interfaceName}-server.conf
    rm $servers_json $servers
  '';
  getChosenWireguardServer = ''
    WG_HOSTNAME=`sed '1q;d' /tmp/${cfg.interfaceName}-server.conf`
    WG_SERVER_IP=`sed '2q;d' /tmp/${cfg.interfaceName}-server.conf`
    WG_SERVER_PORT=`sed '3q;d' /tmp/${cfg.interfaceName}-server.conf`
  '';
  refreshPIAPort = ''
    ${getChosenWireguardServer}
    signature=`sed '1q;d' /tmp/${cfg.interfaceName}-port-renewal`
    payload=`sed '2q;d' /tmp/${cfg.interfaceName}-port-renewal`
    bind_port_response=`curl -Gs -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "payload=$payload" --data-urlencode "signature=$signature" "https://$WG_HOSTNAME:19999/bindPort"`
  '';
  portForwarding = cfg.forwardPortForTransmission || cfg.forwardedPort != null;
  containerServiceName = "container@${config.vpn-container.containerName}.service";
 in
 {
  options.pia.wireguard = {
    enable = mkEnableOption "Enable private internet access";
    badPortForwardPorts = mkOption {
      type = types.listOf types.port;
      description = ''
        Ports that will not be accepted from PIA.
        If PIA assigns a port from this list, the connection is aborted since we cannot ask for a different port.
        This is used to guarantee we are not assigned a port that is used by a service we do not want exposed.
      '';
    };
    wireguardListenPort = mkOption {
      type = types.port;
      description = "The port wireguard listens on for this VPN connection";
      default = 51820;
    };
    serverLocation = mkOption {
      type = types.str;
      default = "swiss";
    };
    interfaceName = mkOption {
      type = types.str;
      default = "piaw";
    };
    forwardedPort = mkOption {
      type = types.nullOr types.port;
      description = "The port to redirect port forwarded TCP VPN traffic too";
      default = null;
    };
    forwardPortForTransmission = mkEnableOption "PIA port forwarding for transmission should be performed.";
  };
  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.forwardPortForTransmission != (cfg.forwardedPort != null);
        message = ''
          The PIA forwarded port cannot simultaneously be used by transmission and redirected to another port.
        '';
      }
    ];
    # mounts used to pass the connection parameters to the container
    # the container doesn't have internet until it uses these parameters so it cannot fetch them itself
    vpn-container.mounts = [
      "/tmp/${cfg.interfaceName}.conf"
      "/tmp/${cfg.interfaceName}-server.conf"
      "/tmp/${cfg.interfaceName}-address.conf"
    ];
    # The container takes ownership of the wireguard interface on its startup
    containers.vpn.interfaces = [ cfg.interfaceName ];
    # TODO: while this is much better than "loose" networking, it seems to have issues with firewall restarts
    # allow traffic for wireguard interface to pass since wireguard trips up rpfilter
    # networking.firewall = {
    #   extraCommands = ''
    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN
    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN
    #   '';
    #   extraStopCommands = ''
    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN || true
    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN || true
    #   '';
    # };
    networking.firewall.checkReversePath = "loose";
    systemd.services.pia-vpn-wireguard-init = {
      description = "Creates PIA VPN Wireguard Interface";
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      before = [ containerServiceName ];
      requiredBy = [ containerServiceName ];
      partOf = [ containerServiceName ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ wireguard-tools jq curl iproute ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # restart once a month; PIA forwarded port expires after two months
        # because the container is "PartOf" this unit, it gets restarted too
        RuntimeMaxSec = "30d";
      };
      script = ''
        # Prepare to connect by generating wg secrets and auth'ing with PIA since the container
        # cannot do without internet to start with. NAT'ing the host's internet would address this
        # issue but is not ideal because then leaking network outside of the VPN is more likely.
        ${chooseWireguardServer}
        ${getPIAToken}
        # generate wireguard keys
        privKey=$(wg genkey)
        pubKey=$(echo "$privKey" | wg pubkey)
        # authorize our WG keys with the PIA server we are about to connect to
        wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:$WG_SERVER_PORT/addKey`
        # create wg-quick config file
        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        touch /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        chmod 700 /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        echo "
        [Interface]
        # Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
        PrivateKey = $privKey
        ListenPort = ${toString cfg.wireguardListenPort}
        [Peer]
        PersistentKeepalive = 25
        PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
        AllowedIPs = 0.0.0.0/0
        Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
        " >> /tmp/${cfg.interfaceName}.conf
        # create file storing the VPN ip address PIA assigned to us
        echo "$wireguard_json" | jq -r '.peer_ip' >> /tmp/${cfg.interfaceName}-address.conf
        # Create wg interface now so it inherits from the namespace with internet access
        # the container will handle actually connecting the interface since that info is
        # not preserved upon moving into the container's networking namespace
        # Roughly following this guide https://www.wireguard.com/netns/#ordinary-containerization
        [[ -z $(ip link show dev ${cfg.interfaceName} 2>/dev/null) ]] || exit
        ip link add ${cfg.interfaceName} type wireguard
      '';
      preStop = ''
        # cleanup wireguard interface
        ip link del ${cfg.interfaceName}
        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
      '';
    };
    vpn-container.config.systemd.services.pia-vpn-wireguard = {
      description = "Initializes the PIA VPN WireGuard Tunnel";
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ wireguard-tools iproute curl jq iptables ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        # pseudo calls wg-quick
        # Near equivalent of "wg-quick up /tmp/${cfg.interfaceName}.conf"
        # cannot actually call wg-quick because the interface has to be already
        # created before the container taken ownership of the interface
        # Thus, assumes wg interface was already created:
        #   ip link add ${cfg.interfaceName} type wireguard
        ${getChosenWireguardServer}
        myaddress=`cat /tmp/${cfg.interfaceName}-address.conf`
        wg setconf ${cfg.interfaceName} /tmp/${cfg.interfaceName}.conf
        ip -4 address add $myaddress dev ${cfg.interfaceName}
        ip link set mtu 1420 up dev ${cfg.interfaceName}
        wg set ${cfg.interfaceName} fwmark ${toString cfg.wireguardListenPort}
        ip -4 route add 0.0.0.0/0 dev ${cfg.interfaceName} table ${toString cfg.wireguardListenPort}
        # TODO is this needed?
        ip -4 rule add not fwmark ${toString cfg.wireguardListenPort} table ${toString cfg.wireguardListenPort}
        ip -4 rule add table main suppress_prefixlength 0
        # The rest of the script is only for only for port forwarding skip if not needed
        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
        # Reserve port
        ${getPIAToken}
        payload_and_signature=`curl -s -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" -G --data-urlencode "token=$PIA_TOKEN" "https://$WG_HOSTNAME:19999/getSignature"`
        signature=$(echo "$payload_and_signature" | jq -r '.signature')
        payload=$(echo "$payload_and_signature" | jq -r '.payload')
        port=$(echo "$payload" | base64 -d | jq -r '.port')
        # Check if the port is acceptable
        notallowed=(${concatStringsSep " " (map toString cfg.badPortForwardPorts)})
        if [[ " ''${notallowed[*]} " =~ " $port " ]]; then
          # the port PIA assigned is not allowed, kill the connection
          wg-quick down /tmp/${cfg.interfaceName}.conf
          exit 1
        fi
        # write reserved port to file readable for all users
        echo $port > /tmp/${cfg.interfaceName}-port
        chmod 644 /tmp/${cfg.interfaceName}-port
        # write payload and signature info needed to allow refreshing allocated forwarded port
        rm -f /tmp/${cfg.interfaceName}-port-renewal
        touch /tmp/${cfg.interfaceName}-port-renewal
        chmod 700 /tmp/${cfg.interfaceName}-port-renewal
        echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
        echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
        # Block all traffic from VPN interface except for traffic that is from the forwarded port
        iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
        iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
        # The first port refresh triggers the port to be actually allocated
        ${refreshPIAPort}
        ${optionalString (cfg.forwardedPort != null) ''
          # redirect the fowarded port
          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
        ''}
        ${optionalString cfg.forwardPortForTransmission ''
          # assumes no auth needed for transmission
          curlout=$(curl localhost:9091/transmission/rpc 2>/dev/null)
          regex='X-Transmission-Session-Id\: (\w*)'
          if [[ $curlout =~ $regex ]]; then
              sessionId=''${BASH_REMATCH[1]}
          else
              exit 1
          fi
          # set the port in transmission
          data='{"method": "session-set", "arguments": { "peer-port" :'$port' } }'
          curl http://localhost:9091/transmission/rpc -d "$data" -H "X-Transmission-Session-Id: $sessionId"
        ''}
      '';
      preStop = ''
        wg-quick down /tmp/${cfg.interfaceName}.conf
        # The rest of the script is only for only for port forwarding skip if not needed
        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
        ${optionalString (cfg.forwardedPort != null) ''
          # stop redirecting the forwarded port
          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
        ''}
      '';
    };
    vpn-container.config.systemd.services.pia-vpn-wireguard-forward-port = {
      enable = portForwarding;
      description = "PIA VPN WireGuard Tunnel Port Forwarding";
      after = [ "pia-vpn-wireguard.service" ];
      requires = [ "pia-vpn-wireguard.service" ];
      path = with pkgs; [ curl ];
      serviceConfig = {
        Type = "oneshot";
      };
      script = refreshPIAPort;
    };
    vpn-container.config.systemd.timers.pia-vpn-wireguard-forward-port = {
      enable = portForwarding;
      partOf = [ "pia-vpn-wireguard-forward-port.service" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "*:0/10"; # 10 minutes
        RandomizedDelaySec = "1m"; # vary by 1 min to give PIA servers some relief
      };
    };
    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/ping.nix
+++ b/common/network/ping.nix
@@ -0,0 +1,59 @@
 { config, pkgs, lib, ... }:
 # keeps peer to peer connections alive with a periodic ping
 with lib;
 with builtins;
 # todo auto restart
 let
  cfg = config.keepalive-ping;
  serviceTemplate = host:
    {
      "keepalive-ping@${host}" = {
        description = "Periodic ping keep alive for ${host} connection";
        requires = [ "network-online.target" ];
        after = [ "network.target" "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig.Restart = "always";
        path = with pkgs; [ iputils ];
        script = ''
          ping -i ${cfg.delay} ${host} &>/dev/null
        '';
      };
    };
  combineAttrs = foldl recursiveUpdate { };
  serviceList = map serviceTemplate cfg.hosts;
  services = combineAttrs serviceList;
 in
 {
  options.keepalive-ping = {
    enable = mkEnableOption "Enable keep alive ping task";
    hosts = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Hosts to ping periodically
      '';
    };
    delay = mkOption {
      type = types.str;
      default = "60";
      description = ''
        Ping interval in seconds of periodic ping per host being pinged
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services = services;
  };
 }
--- a/common/network/tailscale.nix
+++ b/common/network/tailscale.nix
@@ -8,9 +8,13 @@ in
 {
  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
-  config.services.tailscale.enable = !config.boot.isContainer;
+  config.services.tailscale.enable = mkDefault (!config.boot.isContainer);
  # MagicDNS
  config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ];
  config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
  # exit node
  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
  config.networking.ip_forward = mkIf cfg.exitNode true;
-}
+}
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@@ -26,9 +26,11 @@ in
      '';
    };
    useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
    config = mkOption {
      type = types.anything;
-      default = {};
+      default = { };
      example = ''
        {
          services.nginx.enable = true;
@@ -41,6 +43,9 @@ in
  };
  config = mkIf cfg.enable {
    pia.wireguard.enable = !cfg.useOpenVPN;
    pia.wireguard.forwardPortForTransmission = !cfg.useOpenVPN;
    containers.${cfg.containerName} = {
      ephemeral = true;
      autoStart = true;
@@ -59,39 +64,46 @@ in
        }
      )));
-      enableTun = true;
+      enableTun = cfg.useOpenVPN;
      privateNetwork = true;
      hostAddress = "172.16.100.1";
      localAddress = "172.16.100.2";
      config = {
-        imports = allModules ++ [cfg.config];
+        imports = allModules ++ [ cfg.config ];
        # speeds up evaluation
        nixpkgs.pkgs = pkgs;
-        networking.firewall.enable = mkForce false;
+        # networking.firewall.enable = mkForce false;
        networking.firewall.trustedInterfaces = [
          # completely trust internal interface to host
          "eth0"
        ];
-        pia.enable = true;
+        pia.openvpn.enable = cfg.useOpenVPN;
-        pia.server = "swiss.privacy.network"; # swiss vpn
+        pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
        # TODO fix so it does run it's own resolver again
        # run it's own DNS resolver
        networking.useHostResolvConf = false;
-        services.resolved.enable = true;
+        # services.resolved.enable = true;
        networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
      };
    };
    # load secrets the container needs
    age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
-    # forwarding for vpn container
+    # forwarding for vpn container (only for OpenVPN)
-    networking.nat.enable = true;
+    networking.nat.enable = mkIf cfg.useOpenVPN true;
-    networking.nat.internalInterfaces = [
+    networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [
      "ve-${cfg.containerName}"
    ];
-    networking.ip_forward = true;
+    networking.ip_forward = mkIf cfg.useOpenVPN true;
    # assumes only one potential interface
    networking.usePredictableInterfaceNames = false;
    networking.nat.externalInterface = "eth0";
  };
-}
+}
--- a/common/network/zerotier.nix
+++ b/common/network/zerotier.nix
@@ -1,14 +0,0 @@
 { lib, config, ... }:
 let
  cfg = config.services.zerotierone;
 in {
  config = lib.mkIf cfg.enable {
    services.zerotierone.joinNetworks = [
      "565799d8f6d654c0"
    ];
    networking.firewall.allowedUDPPorts = [
      9993
    ];
  };
 }
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # enable pulseaudio support for packages
    nixpkgs.config.pulseaudio = true;
@@ -16,45 +17,6 @@ in {
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
      # use the example session manager (no others are packaged yet so this is enabled by default,
      # no need to redefine it in your config for now)
      #media-session.enable = true;
      config.pipewire = {
        "context.objects" = [
          {
            # A default dummy driver. This handles nodes marked with the "node.always-driver"
            # properyty when no other driver is currently active. JACK clients need this.
            factory = "spa-node-factory";
            args = {
              "factory.name"     = "support.node.driver";
              "node.name"        = "Dummy-Driver";
              "priority.driver"  = 8000;
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Microphone-Proxy";
              "node.description" = "Microphone";
              "media.class"      = "Audio/Source/Virtual";
              "audio.position"   = "MONO";
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Main-Output-Proxy";
              "node.description" = "Main Output";
              "media.class"      = "Audio/Sink";
              "audio.position"   = "FL,FR";
            };
          }
        ];
      };
    };
    users.users.googlebot.extraGroups = [ "audio" ];
--- a/common/pc/chromium.nix
+++ b/common/pc/chromium.nix
@@ -49,7 +49,8 @@ let
    ];
  };
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # chromium with specific extensions + settings
    programs.chromium = {
@@ -60,7 +61,6 @@ in {
        "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
        "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
        "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
        "fihnjjcciajhdojfnbdddfaoknhalnja" # I don't care about cookies
        "mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
        "dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
        # "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
@@ -80,6 +80,7 @@ in {
    nixpkgs.config.packageOverrides = pkgs: {
      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
      chromium = pkgs.chromium.override {
        enableWideVine = true;
        # ungoogled = true;
        # --enable-native-gpu-memory-buffers # fails on AMD APU
        # --enable-webrtc-vp9-support
@@ -89,10 +90,10 @@ in {
    # todo vulkan in chrome
    # todo video encoding in chrome
    hardware.opengl = {
-      enable = de.enableAcceleration;
+      enable = true;
      extraPackages = with pkgs; [
        intel-media-driver # LIBVA_DRIVER_NAME=iHD
-        vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
        # vaapiVdpau
        libvdpau-va-gl
        nvidia-vaapi-driver
--- a/common/pc/default.nix
+++ b/common/pc/default.nix
@@ -2,37 +2,33 @@
 let
  cfg = config.de;
-in {
+in
 {
  imports = [
    ./kde.nix
    ./xfce.nix
    ./yubikey.nix
    ./chromium.nix
-#    ./firefox.nix
+    #    ./firefox.nix
    ./audio.nix
-#    ./torbrowser.nix
+    #    ./torbrowser.nix
    ./pithos.nix
    ./spotify.nix
    ./vscodium.nix
-    # FIXME make optional
+    ./discord.nix
-#    ./discord.nix
+    ./steam.nix
 #    ./steam.nix
    ./touchpad.nix
    ./mount-samba.nix
  ];
  options.de = {
    enable = lib.mkEnableOption "enable desktop environment";
    enableAcceleration = lib.mkOption {
      type = lib.types.bool;
      default = true;
    };
  };
  config = lib.mkIf cfg.enable {
    # vulkan
-   hardware.opengl.driSupport = de.enableAcceleration;
+    hardware.opengl.driSupport = true;
-   hardware.opengl.driSupport32Bit = de.enableAcceleration;
+    hardware.opengl.driSupport32Bit = true;
    # Applications
    users.users.googlebot.packages = with pkgs; [
@@ -45,7 +41,8 @@ in {
      element-desktop
      mpv
      nextcloud-client
-#      signal-desktop # FIXME
+      signal-desktop
      minecraft
      gparted
      libreoffice-fresh
      thunderbird
@@ -54,6 +51,12 @@ in {
      arduino
      yt-dlp
      jellyfin-media-player
      joplin-desktop
      config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
      # For Nix IDE
      nixpkgs-fmt
      rnix-lsp
    ];
    # Networking
--- a/common/pc/discord.nix
+++ b/common/pc/discord.nix
@@ -2,10 +2,11 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    users.users.googlebot.packages = [
      pkgs.discord
    ];
  };
-}
+}
--- a/common/pc/firefox.nix
+++ b/common/pc/firefox.nix
@@ -20,7 +20,7 @@ let
  };
  firefox = pkgs.wrapFirefox somewhatPrivateFF {
-   desktopName = "Sneed Browser";
+    desktopName = "Sneed Browser";
    nixExtensions = [
      (pkgs.fetchFirefoxAddon {
@@ -71,8 +71,8 @@ let
        TopSites = false;
      };
      UserMessaging = {
-         ExtensionRecommendations = false;
+        ExtensionRecommendations = false;
-         SkipOnboarding = true;
+        SkipOnboarding = true;
      };
      WebsiteFilter = {
        Block = [
@@ -92,4 +92,4 @@ in
  config = lib.mkIf cfg.enable {
    users.users.googlebot.packages = [ firefox ];
  };
-}
+}
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # kde plasma
    services.xserver = {
@@ -19,5 +20,5 @@ in {
      # plasma5Packages.kmail-account-wizard
      kate
    ];
-  };  
+  };
 }
--- a/common/pc/mount-samba.nix
+++ b/common/pc/mount-samba.nix
@@ -1,36 +1,48 @@
-# mounts the samba share on s0 over zeroteir
+# mounts the samba share on s0 over tailscale
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  cfg = config.services.mount-samba;
-  # prevents hanging on network split
+  # prevents hanging on network split and other similar niceties to ensure a stable connection
-  network_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,nostrictsync,cache=loose,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend";
+  network_opts = "nostrictsync,cache=strict,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend,fsc";
  systemd_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
  user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
-  auth_opts = "credentials=/run/agenix/smb-secrets";
+  auth_opts = "sec=ntlmv2i,credentials=/run/agenix/smb-secrets";
-  version_opts = "vers=2.1";
+  version_opts = "vers=3.1.1";
-  opts = "${network_opts},${user_opts},${version_opts},${auth_opts}";
+  opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}";
-in {
+in
 {
  options.services.mount-samba = {
    enable = lib.mkEnableOption "enable mounting samba shares";
  };
-  config = lib.mkIf (cfg.enable && config.services.zerotierone.enable) {
+  config = lib.mkIf (cfg.enable && config.services.tailscale.enable) {
    fileSystems."/mnt/public" = {
-        device = "//s0.zt.neet.dev/public";
+      device = "//s0.koi-bebop.ts.net/public";
-        fsType = "cifs";
+      fsType = "cifs";
-        options = [ opts ];
+      options = [ opts ];
    };
    fileSystems."/mnt/private" = {
-        device = "//s0.zt.neet.dev/googlebot";
+      device = "//s0.koi-bebop.ts.net/googlebot";
-        fsType = "cifs";
+      fsType = "cifs";
-        options = [ opts ];
+      options = [ opts ];
    };
    age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
    environment.shellAliases = {
      # remount storage
      remount_public = "sudo systemctl restart mnt-public.mount";
      remount_private = "sudo systemctl restart mnt-private.mount";
      # Encrypted Vault
      vault_unlock = "${pkgs.gocryptfs}/bin/gocryptfs /mnt/private/.vault/ /mnt/vault/";
      vault_lock = "umount /mnt/vault/";
    };
  };
-}
+}
--- a/common/pc/pithos.nix
+++ b/common/pc/pithos.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
@@ -11,7 +12,7 @@ in {
          version = "1.5.1";
          src = super.fetchFromGitHub {
            owner = pname;
-            repo  = pname;
+            repo = pname;
            rev = version;
            sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
          };
--- a/common/pc/spotify.nix
+++ b/common/pc/spotify.nix
@@ -4,7 +4,7 @@ with lib;
 let
  cfg = config.services.spotifyd;
-  toml = pkgs.formats.toml {};
+  toml = pkgs.formats.toml { };
  spotifydConf = toml.generate "spotify.conf" cfg.settings;
 in
 {
@@ -17,7 +17,7 @@ in
      enable = mkEnableOption "spotifyd, a Spotify playing daemon";
      settings = mkOption {
-        default = {};
+        default = { };
        type = toml.type;
        example = { global.bitrate = 320; };
        description = ''
@@ -28,7 +28,7 @@ in
      users = mkOption {
        type = with types; listOf str;
-        default = [];
+        default = [ ];
        description = ''
          Usernames to be added to the "spotifyd" group, so that they
          can start and interact with the userspace daemon.
@@ -83,4 +83,4 @@ in
      };
    };
  };
-}
+}
--- a/common/pc/steam.nix
+++ b/common/pc/steam.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    programs.steam.enable = true;
    hardware.steam-hardware.enable = true; # steam controller
@@ -11,4 +12,4 @@ in {
      pkgs.steam
    ];
  };
-}
+}
--- a/common/pc/torbrowser.nix
+++ b/common/pc/torbrowser.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
--- a/common/pc/touchpad.nix
+++ b/common/pc/touchpad.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de.touchpad;
-in {
+in
 {
  options.de.touchpad = {
    enable = lib.mkEnableOption "enable touchpad";
  };
--- a/common/pc/vscodium.nix
+++ b/common/pc/vscodium.nix
@@ -4,8 +4,8 @@ let
  cfg = config.de;
  extensions = with pkgs.vscode-extensions; [
-#    bbenoist.Nix # nix syntax support
+    #    bbenoist.Nix # nix syntax support
-#    arrterian.nix-env-selector  # nix dev envs
+    #    arrterian.nix-env-selector  # nix dev envs
  ];
  vscodium-with-extensions = pkgs.vscode-with-extensions.override {
--- a/common/pc/xfce.nix
+++ b/common/pc/xfce.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    services.xserver = {
      enable = true;
--- a/common/pc/yubikey.nix
+++ b/common/pc/yubikey.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # yubikey
    services.pcscd.enable = true;
--- a/common/server/ceph.nix
+++ b/common/server/ceph.nix
@@ -3,13 +3,13 @@
 with lib;
 let
  cfg = config.ceph;
-in {
+in
-  options.ceph = {
+{
-  };
+  options.ceph = { };
  config = mkIf cfg.enable {
    # ceph.enable = true;
-    
+
    ## S3 Object gateway
    #ceph.rgw.enable = true;
    #ceph.rgw.daemons = [
@@ -40,4 +40,4 @@ in {
    ceph.global.fsid = "925773DC-D95F-476C-BBCD-08E01BF0865F";
  };
-}
+}
--- a/common/server/cloudflared.nix
+++ b/common/server/cloudflared.nix
@@ -1,58 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.cloudflared;
  settingsFormat = pkgs.formats.yaml { };
 in
 {
  meta.maintainers = with maintainers; [ pmc ];
  options = {
    services.cloudflared = {
      enable = mkEnableOption "cloudflared";
      package = mkOption {
        type = types.package;
        default = pkgs.cloudflared;
        description = "The cloudflared package to use";
        example = literalExpression ''pkgs.cloudflared'';
      };
      config = mkOption {
        type = settingsFormat.type;
        description = "Contents of the config.yaml as an attrset; see https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file for documentation on the contents";
        example = literalExpression ''
          {
            url = "http://localhost:3000";
            tunnel = "505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf";
            credentials-file = "/var/lib/cloudflared/505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf.json";
          }
        '';
      };
      configFile = mkOption {
        type = types.path;
        description = "Path to cloudflared config.yaml.";
        example = literalExpression ''"/etc/cloudflared/config.yaml"'';
      };
    };
  };
  config = mkIf cfg.enable ({
    # Prefer the config file over settings if both are set.
    services.cloudflared.configFile = mkDefault (settingsFormat.generate "cloudflared.yaml" cfg.config);
    systemd.services.cloudflared = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      description = "Cloudflare Argo Tunnel";
      serviceConfig = {
        TimeoutStartSec = 0;
        Type = "notify";
        ExecStart = "${cfg.package}/bin/cloudflared --config ${cfg.configFile} --no-autoupdate tunnel run";
        Restart = "on-failure";
        RestartSec = "5s";
      };
    };
  });
 }
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -10,10 +10,14 @@
    ./matrix.nix
    ./zerobin.nix
    ./gitea.nix
    ./gitea-runner.nix
    ./privatebin/privatebin.nix
    ./radio.nix
    ./samba.nix
    ./cloudflared.nix
    ./owncast.nix
    ./mailserver.nix
    ./nextcloud.nix
    ./iodine.nix
    ./searx.nix
  ];
-}
+}
--- a/common/server/gitea-runner.nix
+++ b/common/server/gitea-runner.nix
@@ -0,0 +1,98 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.gitea-runner;
 in
 {
  options.services.gitea-runner = {
    enable = lib.mkEnableOption "Enables gitea runner";
    dataDir = lib.mkOption {
      default = "/var/lib/gitea-runner";
      type = lib.types.str;
      description = lib.mdDoc "gitea runner data directory.";
    };
    instanceUrl = lib.mkOption {
      type = lib.types.str;
    };
    registrationTokenFile = lib.mkOption {
      type = lib.types.path;
    };
  };
  config = lib.mkIf cfg.enable {
    virtualisation.docker.enable = true;
    users.users.gitea-runner = {
      description = "Gitea Runner Service";
      home = cfg.dataDir;
      useDefaultShell = true;
      group = "gitea-runner";
      isSystemUser = true;
      createHome = true;
      extraGroups = [
        "docker" # allow creating docker containers
      ];
    };
    users.groups.gitea-runner = { };
    # registration token
    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
    age.secrets.gitea-runner-registration-token = {
      file = ../../secrets/gitea-runner-registration-token.age;
      owner = "gitea-runner";
    };
    systemd.services.gitea-runner = {
      description = "Gitea Runner";
      serviceConfig = {
        WorkingDirectory = cfg.dataDir;
        User = "gitea-runner";
        Group = "gitea-runner";
      };
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ gitea-actions-runner ];
      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
      script = ''
        . ${cfg.registrationTokenFile}
        if [[ ! -s .runner ]]; then
          try=$((try + 1))
          success=0
          LOGFILE="$(mktemp)"
          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
          # the context of a single docker-compose, something similar could be done via healthchecks, but
          # this is more flexible.
          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
            act_runner register \
              --instance "${cfg.instanceUrl}" \
              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
              --name     "${config.networking.hostName}" \
              --no-interactive > $LOGFILE 2>&1
            cat $LOGFILE
            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
            if [[ $? -eq 0 ]]; then
              echo "SUCCESS"
              success=1
            else
              echo "Waiting to retry ..."
              sleep 5
            fi
          done
        fi
        exec act_runner daemon
      '';
    };
  };
 }
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@@ -1,8 +1,9 @@
-{ lib, config, ... }:
+{ lib, pkgs, config, ... }:
 let
  cfg = config.services.gitea;
-in {
+in
 {
  options.services.gitea = {
    hostname = lib.mkOption {
      type = lib.types.str;
@@ -14,11 +15,8 @@ in {
      domain = cfg.hostname;
      rootUrl = "https://${cfg.hostname}/";
      appName = cfg.hostname;
      ssh.enable = true;
      # lfs.enable = true;
-      dump.enable = true;
+      # dump.enable = true;
      cookieSecure = true;
      disableRegistration = true;
      settings = {
        other = {
          SHOW_FOOTER_VERSION = false;
@@ -26,8 +24,37 @@ in {
        ui = {
          DEFAULT_THEME = "arc-green";
        };
        service = {
          DISABLE_REGISTRATION = true;
        };
        session = {
          COOKIE_SECURE = true;
        };
        mailer = {
          ENABLED = true;
          MAILER_TYPE = "smtp";
          SMTP_ADDR = "mail.neet.dev";
          SMTP_PORT = "465";
          IS_TLS_ENABLED = true;
          USER = "robot@runyan.org";
          FROM = "no-reply@neet.dev";
        };
        actions = {
          ENABLED = true;
        };
      };
      mailerPasswordFile = "/run/agenix/robots-email-pw";
    };
    age.secrets.robots-email-pw = {
      file = ../../secrets/robots-email-pw.age;
      owner = config.services.gitea.user;
    };
    # backups
    backup.group."gitea".paths = [
      config.services.gitea.stateDir
    ];
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
@@ -37,4 +64,4 @@ in {
      };
    };
  };
-}
+}
--- a/common/server/hydra.nix
+++ b/common/server/hydra.nix
@@ -20,6 +20,6 @@ in
    hydraURL = "https://${domain}";
    useSubstitutes = true;
    notificationSender = notifyEmail;
-    buildMachinesFiles = [];
+    buildMachinesFiles = [ ];
  };
-}
+}
--- a/common/server/icecast.nix
+++ b/common/server/icecast.nix
@@ -7,7 +7,8 @@
 let
  cfg = config.services.icecast;
-in {
+in
 {
  options.services.icecast = {
    mount = lib.mkOption {
      type = lib.types.str;
--- a/common/server/iodine.nix
+++ b/common/server/iodine.nix
@@ -0,0 +1,21 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.iodine.server;
 in
 {
  config = lib.mkIf cfg.enable {
    # iodine DNS-based vpn
    services.iodine.server = {
      ip = "192.168.99.1";
      domain = "tun.neet.dev";
      passwordFile = "/run/agenix/iodine";
    };
    age.secrets.iodine.file = ../../secrets/iodine.age;
    networking.firewall.allowedUDPPorts = [ 53 ];
    networking.nat.internalInterfaces = [
      "dns0" # iodine
    ];
  };
 }
--- a/common/server/mailserver.nix
+++ b/common/server/mailserver.nix
@@ -0,0 +1,100 @@
 { config, pkgs, lib, ... }:
 with builtins;
 let
  cfg = config.mailserver;
  domains = [
    "neet.space"
    "neet.dev"
    "neet.cloud"
    "runyan.org"
    "runyan.rocks"
    "thunderhex.com"
    "tar.ninja"
    "bsd.ninja"
    "bsd.rocks"
  ];
 in
 {
  config = lib.mkIf cfg.enable {
    # kresd doesn't work with tailscale MagicDNS
    mailserver.localDnsResolver = false;
    services.resolved.enable = true;
    mailserver = {
      fqdn = "mail.neet.dev";
      dkimKeyBits = 2048;
      indexDir = "/var/lib/mailindex";
      enableManageSieve = true;
      fullTextSearch.enable = true;
      fullTextSearch.indexAttachments = true;
      fullTextSearch.memoryLimit = 500;
      inherit domains;
      loginAccounts = {
        "jeremy@runyan.org" = {
          hashedPasswordFile = "/run/agenix/hashed-email-pw";
          # catchall for all domains
          aliases = map (domain: "@${domain}") domains;
        };
        "robot@runyan.org" = {
          aliases = [
            "no-reply@neet.dev"
            "robot@neet.dev"
          ];
          sendOnly = true;
          hashedPasswordFile = "/run/agenix/hashed-robots-email-pw";
        };
      };
      rejectRecipients = [
        "george@runyan.org"
        "joslyn@runyan.org"
        "damon@runyan.org"
        "jonas@runyan.org"
      ];
      certificateScheme = 3; # use let's encrypt for certs
    };
    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
    # sendmail to use xxx@domain instead of xxx@mail.domain
    services.postfix.origin = "$mydomain";
    # relay sent mail through mailgun
    # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
    services.postfix.config = {
      smtp_sasl_auth_enable = "yes";
      smtp_sasl_security_options = "noanonymous";
      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
      smtp_use_tls = "yes";
      sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
      smtp_sender_dependent_authentication = "yes";
    };
    services.postfix.mapFiles.sender_relay =
      let
        relayHost = "[smtp.mailgun.org]:587";
      in
      pkgs.writeText "sender_relay"
        (concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
    services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
    age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
    # webmail
    services.nginx.enable = true;
    services.roundcube = {
      enable = true;
      hostName = config.mailserver.fqdn;
      extraConfig = ''
        # starttls needed for authentication, so the fqdn required to match the certificate
        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
      '';
    };
    # backups
    backup.group."email".paths = [
      config.mailserver.mailDirectory
    ];
  };
 }
--- a/common/server/matrix.nix
+++ b/common/server/matrix.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.matrix;
  certs = config.security.acme.certs;
-in {
+in
 {
  options.services.matrix = {
    enable = lib.mkEnableOption "enable matrix";
    element-web = {
@@ -62,15 +63,15 @@ in {
      settings = {
        server_name = cfg.host;
        enable_registration = cfg.enable_registration;
-        listeners = [ {
+        listeners = [{
-          bind_addresses = ["127.0.0.1"];
+          bind_addresses = [ "127.0.0.1" ];
          port = cfg.port;
          tls = false;
-          resources = [ {
+          resources = [{
            compress = true;
            names = [ "client" "federation" ];
-          } ];
+          }];
-        } ];
+        }];
        turn_uris = [
          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
@@ -120,7 +121,7 @@ in {
    services.nginx = {
      enable = true;
-      virtualHosts.${cfg.host} =  {
+      virtualHosts.${cfg.host} = {
        enableACME = true;
        forceSSL = true;
        listen = [
@@ -137,7 +138,8 @@ in {
        ];
        locations."/".proxyPass = "http://localhost:${toString cfg.port}";
      };
-      virtualHosts.${cfg.turn.host} =  { # get TLS cert for TURN server
+      virtualHosts.${cfg.turn.host} = {
        # get TLS cert for TURN server
        enableACME = true;
        forceSSL = true;
      };
@@ -214,4 +216,4 @@ in {
      openFirewall = true;
    };
  };
-}
+}
--- a/common/server/mumble.nix
+++ b/common/server/mumble.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.murmur;
  certs = config.security.acme.certs;
-in {
+in
 {
  options.services.murmur.domain = lib.mkOption {
    type = lib.types.str;
  };
--- a/common/server/nextcloud.nix
+++ b/common/server/nextcloud.nix
@@ -0,0 +1,34 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.nextcloud;
 in
 {
  config = lib.mkIf cfg.enable {
    services.nextcloud = {
      https = true;
      package = pkgs.nextcloud25;
      hostName = "neet.cloud";
      config.dbtype = "sqlite";
      config.adminuser = "jeremy";
      config.adminpassFile = "/run/agenix/nextcloud-pw";
      autoUpdateApps.enable = true;
      enableBrokenCiphersForSSE = false;
    };
    age.secrets.nextcloud-pw = {
      file = ../../secrets/nextcloud-pw.age;
      owner = "nextcloud";
    };
    # backups
    backup.group."nextcloud".paths = [
      config.services.nextcloud.home
    ];
    services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
      enableACME = true;
      forceSSL = true;
    };
  };
 }
--- a/common/server/nginx-stream.nix
+++ b/common/server/nginx-stream.nix
@@ -5,7 +5,8 @@ let
  nginxWithRTMP = pkgs.nginx.override {
    modules = [ pkgs.nginxModules.rtmp ];
  };
-in {
+in
 {
  options.services.nginx.stream = {
    enable = lib.mkEnableOption "enable nginx rtmp/hls/dash video streaming";
    port = lib.mkOption {
@@ -72,4 +73,4 @@ in {
      cfg.port
    ];
  };
-}
+}
--- a/common/server/nginx.nix
+++ b/common/server/nginx.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.nginx;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    services.nginx = {
      recommendedGzipSettings = true;
@@ -13,4 +14,4 @@ in {
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
-}
+}
--- a/common/server/owncast.nix
+++ b/common/server/owncast.nix
@@ -4,7 +4,8 @@ with lib;
 let
  cfg = config.services.owncast;
-in {
+in
 {
  options.services.owncast = {
    hostname = lib.mkOption {
      type = types.str;
@@ -28,4 +29,4 @@ in {
      };
    };
  };
-}
+}
--- a/common/server/privatebin/privatebin.nix
+++ b/common/server/privatebin/privatebin.nix
@@ -14,7 +14,8 @@ let
      cp -ar $src $out
    '';
  };
-in {
+in
 {
  options.services.privatebin = {
    enable = lib.mkEnableOption "enable privatebin";
    host = lib.mkOption {
@@ -30,7 +31,7 @@ in {
      group = "privatebin";
      isSystemUser = true;
    };
-    users.groups.privatebin = {};
+    users.groups.privatebin = { };
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.host} = {
@@ -53,7 +54,7 @@ in {
      "d '/var/lib/privatebin' 0750 privatebin privatebin - -"
    ];
-    services.phpfpm.pools.privatebin = {                                                                                                                                                                                                             
+    services.phpfpm.pools.privatebin = {
      user = "privatebin";
      group = "privatebin";
      phpEnv = {
--- a/common/server/radio.nix
+++ b/common/server/radio.nix
@@ -3,7 +3,8 @@
 let
  cfg = config.services.radio;
  radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
-in {
+in
 {
  options.services.radio = {
    enable = lib.mkEnableOption "enable radio";
    user = lib.mkOption {
@@ -56,11 +57,11 @@ in {
      home = cfg.dataDir;
      createHome = true;
    };
-    users.groups.${cfg.group} = {};
+    users.groups.${cfg.group} = { };
    systemd.services.radio = {
      enable = true;
-      after = ["network.target"];
+      after = [ "network.target" ];
-      wantedBy = ["multi-user.target"];
+      wantedBy = [ "multi-user.target" ];
      serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
@@ -71,4 +72,4 @@ in {
      '';
    };
  };
-}
+}
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@@ -25,9 +25,7 @@
        printing = cups
        printcap name = cups
-        # horrible files
+        hide files = /.nobackup/.DS_Store/._.DS_Store/
        veto files = /._*/.DS_Store/ /._*/._.DS_Store/
        delete veto files = yes
      '';
      shares = {
@@ -77,6 +75,13 @@
      };
    };
    # backups
    backup.group."samba".paths = [
      config.services.samba.shares.googlebot.path
      config.services.samba.shares.cris.path
      config.services.samba.shares.public.path
    ];
    # Windows discovery of samba server
    services.samba-wsdd = {
      enable = true;
@@ -110,6 +115,6 @@
    # samba user for share
    users.users.cris.isSystemUser = true;
    users.users.cris.group = "cris";
-    users.groups.cris = {};
+    users.groups.cris = { };
  };
-}
+}
--- a/common/server/searx.nix
+++ b/common/server/searx.nix
@@ -0,0 +1,30 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.searx;
 in
 {
  config = lib.mkIf cfg.enable {
    services.searx = {
      environmentFile = "/run/agenix/searx";
      settings = {
        server.port = 43254;
        server.secret_key = "@SEARX_SECRET_KEY@";
        engines = [{
          name = "wolframalpha";
          shortcut = "wa";
          api_key = "@WOLFRAM_API_KEY@";
          engine = "wolframalpha_api";
        }];
      };
    };
    services.nginx.virtualHosts."search.neet.space" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
      };
    };
    age.secrets.searx.file = ../../secrets/searx.age;
  };
 }
--- a/common/server/thelounge.nix
+++ b/common/server/thelounge.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.thelounge;
-in {
+in
 {
  options.services.thelounge = {
    fileUploadBaseUrl = lib.mkOption {
      type = lib.types.str;
@@ -28,7 +29,7 @@ in {
        reverseProxy = true;
        maxHistory = -1;
        https.enable = false;
-  #      theme = "thelounge-theme-solarized";
+        #      theme = "thelounge-theme-solarized";
        prefetch = false;
        prefetchStorage = false;
        fileUpload = {
@@ -42,6 +43,10 @@ in {
      };
    };
    backup.group."thelounge".paths = [
      "/var/lib/thelounge/"
    ];
    # the lounge client
    services.nginx.virtualHosts.${cfg.host} = {
      enableACME = true;
--- a/common/server/video-stream.nix
+++ b/common/server/video-stream.nix
@@ -15,14 +15,14 @@ let
 in
 {
  networking.firewall.allowedUDPPorts = [ rtp-port ];
-  networking.firewall.allowedTCPPortRanges = [ {
+  networking.firewall.allowedTCPPortRanges = [{
    from = webrtc-peer-lower-port;
    to = webrtc-peer-upper-port;
-  } ];
+  }];
-  networking.firewall.allowedUDPPortRanges = [ { 
+  networking.firewall.allowedUDPPortRanges = [{
    from = webrtc-peer-lower-port;
    to = webrtc-peer-upper-port;
-  } ];
+  }];
  virtualisation.docker.enable = true;
@@ -49,12 +49,12 @@ in
        ports = [
          "${toStr ingest-port}:8084"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/ingest";
+        #          imageName = "projectlightspeed/ingest";
-#          finalImageTag = "version-0.1.4";
+        #          finalImageTag = "version-0.1.4";
-#          imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
+        #          imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
-#          sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
+        #          sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
-#        };
+        #        };
      };
      "lightspeed-react" = {
        workdir = "/var/lib/lightspeed-react";
@@ -62,12 +62,12 @@ in
        ports = [
          "${toStr web-port}:80"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/react";
+        #          imageName = "projectlightspeed/react";
-#          finalImageTag = "version-0.1.3";
+        #          finalImageTag = "version-0.1.3";
-#          imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
+        #          imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
-#          sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
+        #          sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
-#        };
+        #        };
      };
      "lightspeed-webrtc" = {
        workdir = "/var/lib/lightspeed-webrtc";
@@ -79,15 +79,18 @@ in
          "${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}:${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}/udp"
        ];
        cmd = [
-          "lightspeed-webrtc" "--addr=0.0.0.0" "--ip=${domain}"
+          "lightspeed-webrtc"
-          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}" "run"
+          "--addr=0.0.0.0"
          "--ip=${domain}"
          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}"
          "run"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/webrtc";
+        #          imageName = "projectlightspeed/webrtc";
-#          finalImageTag = "version-0.1.2";
+        #          finalImageTag = "version-0.1.2";
-#          imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
+        #          imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
-#          sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
+        #          sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
-#        };
+        #        };
      };
    };
  };
--- a/common/server/vscode/modules/vscode-server/default.nix
+++ b/common/server/vscode/modules/vscode-server/default.nix
@@ -1,8 +1,8 @@
 import ./module.nix ({ name, description, serviceConfig }:
-{
+  {
-  systemd.user.services.${name} = {
+    systemd.user.services.${name} = {
-    inherit description serviceConfig;
+      inherit description serviceConfig;
-    wantedBy = [ "default.target" ];
+      wantedBy = [ "default.target" ];
-  };
+    };
-})
+  })
--- a/common/server/vscode/modules/vscode-server/home.nix
+++ b/common/server/vscode/modules/vscode-server/home.nix
@@ -1,15 +1,15 @@
 import ./module.nix ({ name, description, serviceConfig }:
-{
+  {
-  systemd.user.services.${name} = {
+    systemd.user.services.${name} = {
-    Unit = {
+      Unit = {
-      Description = description;
+        Description = description;
-    };
+      };
-    Service = serviceConfig;
+      Service = serviceConfig;
-    Install = {
+      Install = {
-      WantedBy = [ "default.target" ];
+        WantedBy = [ "default.target" ];
      };
    };
-  };
+  })
 })
--- a/common/server/zerobin.nix
+++ b/common/server/zerobin.nix
@@ -2,7 +2,8 @@
 let
  cfg = config.services.zerobin;
-in {
+in
 {
  options.services.zerobin = {
    host = lib.mkOption {
      type = lib.types.str;
--- a/common/shell.nix
+++ b/common/shell.nix
@@ -1,36 +1,28 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 # Improvements to the default shell
-# - use nix-locate for command-not-found
+# - use nix-index for command-not-found
 # - disable fish's annoying greeting message
 # - add some handy shell commands
-let
+{
-  nix-locate = config.inputs.nix-locate.defaultPackage.${config.currentSystem};
+  environment.systemPackages = with pkgs; [
-in {
+    comma
  programs.command-not-found.enable = false;
  environment.systemPackages = [
    nix-locate
  ];
  # nix-index
  programs.nix-index.enable = true;
  programs.nix-index.enableFishIntegration = true;
  programs.command-not-found.enable = false;
  programs.fish = {
    enable = true;
-    shellInit = let
+    shellInit = ''
      wrapper = pkgs.writeScript "command-not-found" ''
        #!${pkgs.bash}/bin/bash
        source ${nix-locate}/etc/profile.d/command-not-found.sh
        command_not_found_handle "$@"
      '';
    in ''
      # use nix-locate for command-not-found functionality
      function __fish_command_not_found_handler --on-event fish_command_not_found
          ${wrapper} $argv
      end
      # disable annoying fish shell greeting
      set fish_greeting
      alias sudo="doas"
    '';
  };
@@ -38,9 +30,23 @@ in {
    myip = "dig +short myip.opendns.com @resolver1.opendns.com";
    # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
-    io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_seq_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
-    io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
-    io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
+    io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
-    io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
  };
-}
+
  nixpkgs.overlays = [
    (final: prev: {
      # comma uses the "nix-index" package built into nixpkgs by default.
      # That package doesn't use the prebuilt nix-index database so it needs to be changed.
      comma = prev.comma.overrideAttrs (old: {
        postInstall = ''
          wrapProgram $out/bin/comma \
            --prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}
          ln -s $out/bin/comma $out/bin/,
        '';
      });
    })
  ];
 }
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -1,69 +1,38 @@
-rec {
+{ config, lib, pkgs, ... }:
-  users = [
+
 {
  programs.ssh.knownHosts = lib.filterAttrs (n: v: v != null) (lib.concatMapAttrs
    (host: cfg: {
      ${host} = {
        hostNames = cfg.hostNames;
        publicKey = cfg.hostKey;
      };
      "${host}-remote-unlock" =
        if cfg.remoteUnlock != null then {
          hostNames = builtins.filter (h: h != null) [ cfg.remoteUnlock.clearnetHost cfg.remoteUnlock.onionHost ];
          publicKey = cfg.remoteUnlock.hostKey;
        } else null;
    })
    config.machines.hosts);
  # prebuilt cmds for easy ssh LUKS unlock
  environment.shellAliases =
    let
      unlockHosts = unlockType: lib.concatMapAttrs
        (host: cfg:
          if cfg.remoteUnlock != null && cfg.remoteUnlock.${unlockType} != null then {
            ${host} = cfg.remoteUnlock.${unlockType};
          } else { })
        config.machines.hosts;
    in
    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) (unlockHosts "onionHost")
    //
    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) (unlockHosts "clearnetHost");
  # TODO: Old ssh keys I will remove some day...
  machines.ssh.userKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXc9PX3uTYVrgvKdztk+LBh5WMNBUzbXlAo50SCAeNw" # nat 2
  ];
-  system = {
+}
    liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
    ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
    ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
    ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
    nat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVgZc5Z2Oh426z7lEftcFUwCFcrZy8bvqS09Tj49GWE";
    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkTQNPzrIhsKk3OpTHq8b7slIp9LktB49r1w/DKb/5b";
    n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
    n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
    n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
    n4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYm2ROIfCeGz6QtDwqAmcj2DX9tq2CZn0eLhskdvB4Z";
    n5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Qhvwq3PiHEKf+2/4w5ZJkSMNzFLhIRrPOR98m7wW4";
    n6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/P/pa9+qhKAPfvvd8xSO2komJqDW0M1nCK7ZrP6PO7";
    n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL";
  };
  # groups
  systems = with system; [
    liza
    ponyo
    ray
    nat
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  personal = with system; [
    ray
    nat
  ];
  servers = with system; [
    liza
    ponyo
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  compute = with system; [
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  storage = with system; [
    s0
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -2,16 +2,17 @@
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1652712410,
+        "lastModified": 1682101079,
-        "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
+        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+        "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
        "type": "github"
      },
      "original": {
@@ -32,7 +33,7 @@
      "locked": {
        "lastModified": 1648612759,
        "narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
-        "ref": "master",
+        "ref": "refs/heads/master",
        "rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
        "revCount": 2,
        "type": "git",
@@ -71,7 +72,7 @@
      "locked": {
        "lastModified": 1651719222,
        "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
-        "ref": "master",
+        "ref": "refs/heads/master",
        "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
        "revCount": 19,
        "type": "git",
@@ -82,14 +83,61 @@
        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1673295039,
        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": [
          "simple-nixos-mailserver",
          "utils"
        ]
      },
      "locked": {
        "lastModified": 1682063650,
        "narHash": "sha256-VaDHh2z6xlnTHaONlNVHP7qEMcK5rZ8Js3sT6mKb2XY=",
        "owner": "serokell",
        "repo": "deploy-rs",
        "rev": "c2ea4e642dc50fd44b537e9860ec95867af30d39",
        "type": "github"
      },
      "original": {
        "owner": "serokell",
        "repo": "deploy-rs",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1641205782,
+        "lastModified": 1668681692,
-        "narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=",
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
        "type": "github"
      },
      "original": {
@@ -99,12 +147,15 @@
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1653893745,
+        "lastModified": 1681202837,
-        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
@@ -113,39 +164,38 @@
        "type": "github"
      }
    },
-    "nix-locate": {
+    "nix-index-database": {
      "inputs": {
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1652819416,
+        "lastModified": 1681591833,
-        "narHash": "sha256-OzYSb66kQUVP1FM0E7Z0ij13mm14DkJi79FAMprAavo=",
+        "narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
-        "owner": "googlebot42",
+        "owner": "Mic92",
-        "repo": "nix-index",
+        "repo": "nix-index-database",
-        "rev": "a28bb3175d370c6cb9569e6d4b5570e9ca016a3e",
+        "rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
        "type": "github"
      },
      "original": {
-        "owner": "googlebot42",
+        "owner": "Mic92",
-        "repo": "nix-index",
+        "repo": "nix-index-database",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1655456688,
+        "lastModified": 1682133240,
-        "narHash": "sha256-j2trI5gv2fnHdfUQFBy957avCPxxzCqE8R+TOYHPSRE=",
+        "narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d17a56d90ecbd1b8fc908d49598fb854ef188461",
+        "rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-22.05",
+        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -165,20 +215,16 @@
        "type": "indirect"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-hostapd-pr": {
      "flake": false,
      "locked": {
-        "lastModified": 1649408932,
+        "narHash": "sha256-1rGQKcB1jeRPc1n021ulyOVkA6L6xmNYKmeqQ94+iRc=",
-        "narHash": "sha256-JhTW1OtS5fACcRXLqcTTQyYO5vLkO+bceCqeRms13SY=",
+        "type": "file",
-        "owner": "NixOS",
+        "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
        "repo": "nixpkgs",
        "rev": "42948b300670223ca8286aaf916bc381f66a5313",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "type": "file",
-        "ref": "nixos-unstable",
+        "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "radio": {
@@ -211,7 +257,7 @@
      "locked": {
        "lastModified": 1652121792,
        "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
-        "ref": "master",
+        "ref": "refs/heads/master",
        "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
        "revCount": 5,
        "type": "git",
@@ -227,10 +273,11 @@
        "agenix": "agenix",
        "archivebox": "archivebox",
        "dailybuild_modules": "dailybuild_modules",
        "deploy-rs": "deploy-rs",
        "flake-utils": "flake-utils",
-        "nix-locate": "nix-locate",
+        "nix-index-database": "nix-index-database",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixpkgs-hostapd-pr": "nixpkgs-hostapd-pr",
        "radio": "radio",
        "radio-web": "radio-web",
        "simple-nixos-mailserver": "simple-nixos-mailserver"
@@ -246,11 +293,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1655214255,
+        "lastModified": 1655930346,
-        "narHash": "sha256-hgFF2X9mxFieekDh2VoVAtgwuM6XeAwzvb53yakmjTg=",
+        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "a48082c79cff8f3b314ba4f95f4ae87ca7d4d068",
+        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
        "type": "gitlab"
      },
      "original": {
@@ -260,6 +307,21 @@
        "type": "gitlab"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1605370193,
--- a/flake.nix
+++ b/flake.nix
@@ -1,17 +1,14 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/master";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # nixpkgs-patch-howdy.url = "https://github.com/NixOS/nixpkgs/pull/216245.diff";
    # nixpkgs-patch-howdy.flake = false;
    flake-utils.url = "github:numtide/flake-utils";
    nix-locate.url = "github:googlebot42/nix-index";
    nix-locate.inputs.nixpkgs.follows = "nixpkgs";
    # mail server
    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
    simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
    simple-nixos-mailserver.inputs.nixpkgs-21_11.follows = "nixpkgs";
    # agenix
    agenix.url = "github:ryantm/agenix";
@@ -33,66 +30,117 @@
    archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git";
    archivebox.inputs.nixpkgs.follows = "nixpkgs";
    archivebox.inputs.flake-utils.follows = "flake-utils";
    # nixos config deployment
    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
    deploy-rs.inputs.utils.follows = "simple-nixos-mailserver/utils";
    # prebuilt nix-index database
    nix-index-database.url = "github:Mic92/nix-index-database";
    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
    nixpkgs-hostapd-pr.url = "https://github.com/NixOS/nixpkgs/pull/222536.patch";
    nixpkgs-hostapd-pr.flake = false;
  };
-  outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
+  outputs = { self, nixpkgs, ... }@inputs:
    nixosConfigurations =
    let
-      modules = system: [
+      machines = (import ./common/machine-info/moduleless.nix
-        ./common
+        {
-        inputs.simple-nixos-mailserver.nixosModule
+          inherit nixpkgs;
-        inputs.agenix.nixosModule
+          assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
-        inputs.dailybuild_modules.nixosModule
+        }).machines.hosts;
        inputs.archivebox.nixosModule
        ({ lib, ... }: {
          config.environment.systemPackages = [
            inputs.agenix.defaultPackage.${system}
          ];
          # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
          options.inputs = lib.mkOption { default = inputs; };
          options.currentSystem = lib.mkOption { default = system; };
        })
      ];
      mkSystem = system: nixpkgs: path:
        let
          allModules = modules system;
        in nixpkgs.lib.nixosSystem {
          inherit system;
          modules = allModules ++ [path];
          specialArgs = {
            inherit allModules;
          };
        };
    in
    {
-      "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
+      nixosConfigurations =
-      "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
+        let
-      "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
+          modules = system: hostname: with inputs; [
-      "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
+            ./common
-      "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
+            simple-nixos-mailserver.nixosModule
-      "s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
+            agenix.nixosModules.default
-      "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
+            dailybuild_modules.nixosModule
-      "n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
+            archivebox.nixosModule
-      "n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;
+            nix-index-database.nixosModules.nix-index
-      "n4" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n4/configuration.nix;
+            ({ lib, ... }: {
-      "n5" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n5/configuration.nix;
+              config = {
-      "n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
+                environment.systemPackages = [
-      "n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
+                  agenix.packages.${system}.agenix
-    };
+                ];
-    packages = let
+                networking.hostName = hostname;
-      mkKexec = system:
+              };
-        (nixpkgs.lib.nixosSystem {
+
-          inherit system;
+              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
-          modules = [ ./machines/kexec.nix ];
+              options.inputs = lib.mkOption { default = inputs; };
-        }).config.system.build.kexec_tarball;
+              options.currentSystem = lib.mkOption { default = system; };
-    in {
+            })
-      "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
+          ];
-      "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
+
          mkSystem = system: nixpkgs: path: hostname:
            let
              allModules = modules system hostname;
              # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
              patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
                name = "nixpkgs-patched";
                src = nixpkgs;
                patches = [
                  inputs.nixpkgs-hostapd-pr
                  ./patches/kexec-luks.patch
                ];
              };
              patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
            in
            patchedNixpkgs.lib.nixosSystem {
              inherit system;
              modules = allModules ++ [ path ];
              specialArgs = {
                inherit allModules;
              };
            };
        in
        nixpkgs.lib.mapAttrs
          (hostname: cfg:
            mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
          machines;
      packages =
        let
          mkKexec = system:
            (nixpkgs.lib.nixosSystem {
              inherit system;
              modules = [ ./machines/ephemeral/kexec.nix ];
            }).config.system.build.kexec_tarball;
          mkIso = system:
            (nixpkgs.lib.nixosSystem {
              inherit system;
              modules = [ ./machines/ephemeral/iso.nix ];
            }).config.system.build.isoImage;
        in
        {
          "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
          "x86_64-linux"."iso" = mkIso "x86_64-linux";
          "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
          "aarch64-linux"."iso" = mkIso "aarch64-linux";
        };
      deploy.nodes =
        let
          mkDeploy = configName: arch: hostname: {
            inherit hostname;
            magicRollback = false;
            sshUser = "root";
            profiles.system.path = inputs.deploy-rs.lib.${arch}.activate.nixos self.nixosConfigurations.${configName};
          };
        in
        nixpkgs.lib.mapAttrs
          (hostname: cfg:
            mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
          machines;
      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
    };
  };
 }
--- a/machines/compute/common.nix
+++ b/machines/compute/common.nix
@@ -1,24 +0,0 @@
 { config, ... }:
 {
  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };
  system.autoUpgrade.enable = true;
  networking.interfaces.eth0.useDHCP = true;
  hardware.deviceTree.enable = true;
  hardware.deviceTree.overlays = [
    ./sopine-baseboard-ethernet.dtbo # fix pine64 clusterboard ethernet
  ];
 }
--- a/machines/compute/n1/configuration.nix
+++ b/machines/compute/n1/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n1";
 }
--- a/machines/compute/n2/configuration.nix
+++ b/machines/compute/n2/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n2";
 }
--- a/machines/compute/n3/configuration.nix
+++ b/machines/compute/n3/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n3";
 }
--- a/machines/compute/n4/configuration.nix
+++ b/machines/compute/n4/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n4";
 }
--- a/machines/compute/n5/configuration.nix
+++ b/machines/compute/n5/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n5";
 }
--- a/machines/compute/n6/configuration.nix
+++ b/machines/compute/n6/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n6";
 }
--- a/machines/compute/n7/configuration.nix
+++ b/machines/compute/n7/configuration.nix
@@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n7";
 }
--- a/machines/compute/sopine-baseboard-ethernet.dtbo
+++ b/machines/compute/sopine-baseboard-ethernet.dtbo
--- a/machines/compute/sopine-baseboard-ethernet.dts
+++ b/machines/compute/sopine-baseboard-ethernet.dts
@@ -1,15 +0,0 @@
 /dts-v1/;
 / {
 	model = "SoPine with baseboard";
 	compatible = "pine64,sopine-baseboard\0pine64,sopine\0allwinner,sun50i-a64";
 	fragment@0 {
 /*		target = <&ethernet@1c30000>; */
 		target-path = "/soc/ethernet@1c30000";
 		__overlay__ {
 			allwinner,tx-delay-ps = <500>;
 		};
 	};
 };
--- a/machines/ephemeral/iso.nix
+++ b/machines/ephemeral/iso.nix
@@ -0,0 +1,12 @@
 { modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/iso-image.nix")
    ./minimal.nix
  ];
  isoImage.makeUsbBootable = true;
  networking.hostName = "iso";
 }
--- a/machines/ephemeral/kexec.nix
+++ b/machines/ephemeral/kexec.nix
@@ -6,8 +6,11 @@
  imports = [
    (modulesPath + "/installer/netboot/netboot.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./minimal.nix
  ];
  networking.hostName = "kexec";
  # stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
  system.build = rec {
    image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
@@ -42,31 +45,4 @@
      contents = [ ];
    };
  };
-
+}
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
  boot.kernelParams = [
    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0" # enable serial console
    "console=tty1"
  ];
  boot.kernel.sysctl."vm.overcommit_memory" = "1";
  environment.systemPackages = with pkgs; [
    cryptsetup
    btrfs-progs
  ];
  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
  networking.useDHCP = true;
  networking.hostName = "kexec";
  services.openssh = {
    enable = true;
    challengeResponseAuthentication = false;
    passwordAuthentication = false;
  };
  services.getty.autologinUser = "root";
  users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
 }
--- a/machines/ephemeral/minimal.nix
+++ b/machines/ephemeral/minimal.nix
@@ -0,0 +1,53 @@
 { config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/channel.nix")
    ../../common/machine-info
    ../../common/ssh.nix
  ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
  boot.kernelParams = [
    "panic=30"
    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0,115200" # enable serial console
    "console=tty1"
  ];
  boot.kernel.sysctl."vm.overcommit_memory" = "1";
  boot.kernelPackages = pkgs.linuxPackages_latest;
  system.stateVersion = "21.11";
  # hardware.enableAllFirmware = true;
  # nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    cryptsetup
    btrfs-progs
    git
    git-lfs
    wget
    htop
    dnsutils
    pciutils
    usbutils
    lm_sensors
  ];
  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
  networking.useDHCP = true;
  services.openssh = {
    enable = true;
    settings = {
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
    };
  };
  services.getty.autologinUser = "root";
  users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
 }
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@@ -1,110 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports =[
    ./hardware-configuration.nix
  ];
  # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
  firmware.x86_64.enable = true;
  bios = {
    enable = true;
    device = "/dev/sda";
  };
  luks = {
    enable = true;
    device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
  };
  system.autoUpgrade.enable = true;
  networking.hostName = "liza";
  networking.interfaces.enp1s0.useDHCP = true;
  mailserver = {
    enable = true;
    fqdn = "mail.neet.dev";
    dkimKeyBits = 2048;
    indexDir = "/var/lib/mailindex";
    enableManageSieve = true;
    fullTextSearch.enable = true;
    fullTextSearch.indexAttachments = true;
    fullTextSearch.memoryLimit = 500;
    domains = [
      "neet.space" "neet.dev" "neet.cloud"
      "runyan.org" "runyan.rocks"
      "thunderhex.com" "tar.ninja"
      "bsd.ninja" "bsd.rocks"
    ];
    loginAccounts = {
      "jeremy@runyan.org" = {
        hashedPasswordFile = "/run/agenix/email-pw";
        aliases = [
          "@neet.space" "@neet.cloud" "@neet.dev"
          "@runyan.org" "@runyan.rocks"
          "@thunderhex.com" "@tar.ninja"
          "@bsd.ninja" "@bsd.rocks"
        ];
      };
    };
    rejectRecipients = [
      "george@runyan.org"
      "joslyn@runyan.org"
      "damon@runyan.org"
      "jonas@runyan.org"
    ];
    certificateScheme = 3; # use let's encrypt for certs
  };
  age.secrets.email-pw.file = ../../secrets/email-pw.age;
  # sendmail to use xxx@domain instead of xxx@mail.domain
  services.postfix.origin = "$mydomain";
  # relay sent mail through mailgun
  # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
  services.postfix.config = {
    smtp_sasl_auth_enable = "yes";
    smtp_sasl_security_options = "noanonymous";
    smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
    smtp_use_tls = "yes";
    sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
    smtp_sender_dependent_authentication = "yes";
  };
  services.postfix.mapFiles.sender_relay = let
    relayHost = "[smtp.mailgun.org]:587";
  in pkgs.writeText "sender_relay" ''
    @neet.space ${relayHost}
    @neet.cloud ${relayHost}
    @neet.dev ${relayHost}
    @runyan.org ${relayHost}
    @runyan.rocks ${relayHost}
    @thunderhex.com ${relayHost}
    @tar.ninja ${relayHost}
    @bsd.ninja ${relayHost}
    @bsd.rocks ${relayHost}
  '';
  services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
  age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
  services.nextcloud = {
    enable = true;
    https = true;
    package = pkgs.nextcloud22;
    hostName = "neet.cloud";
    config.dbtype = "sqlite";
    config.adminuser = "jeremy";
    config.adminpassFile = "/run/agenix/nextcloud-pw";
    autoUpdateApps.enable = true;
  };
  age.secrets.nextcloud-pw = {
    file = ../../secrets/nextcloud-pw.age;
    owner = "nextcloud";
  };
  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    enableACME = true;
    forceSSL = true;
  };
 }
--- a/machines/liza/hardware-configuration.nix
+++ b/machines/liza/hardware-configuration.nix
@@ -1,36 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
      fsType = "btrfs";
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/2b8f6f6d-9358-4d30-8341-7426574e0819";
      fsType = "ext3";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/ef7a83db-4b33-41d1-85fc-cff69e480352"; }
    ];
 }
--- a/machines/nat/configuration.nix
+++ b/machines/nat/configuration.nix
@@ -1,51 +1,15 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, fetchurl, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./m1-support
  ];
  efi.enable = true;
  networking.hostName = "nat";
  networking.interfaces.ens160.useDHCP = true;
  de.enable = true;
  de.touchpad.enable = true;
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     signal-desktop = prev.signal-desktop.overrideAttrs (old: {
  #       version = "5.50.1";
  #       src = final.fetchurl {
  #         url = "https://github.com/0mniteck/Signal-Desktop-Builder/raw/2610eaded94b3c717a63fdff3cb872dbbaf16383/builds/release/signal-desktop_5.50.1_arm64.deb";
  #         sha256 = "sha256-++xG3fCMvU+nwlkBwjZ0d0wfWiNDSUhyCfzTirsY2xs=";
  #       };
  #       #buildInputs = old.buildInputs ++ [ final.openssl_3_0 ];
  #       preFixup = ''
  #         gappsWrapperArgs+=(
  #           --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ final.stdenv.cc.cc ] }"
  #           --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform --ozone-platform=wayland}}"
  #           --suffix PATH : ${lib.makeBinPath [ final.xdg-utils ]}
  #         )
  #         # Fix the desktop link
  #         substituteInPlace $out/share/applications/signal-desktop.desktop \
  #           --replace /opt/Signal/signal-desktop $out/bin/signal-desktop
  #         autoPatchelf --no-recurse -- $out/lib/Signal/
  #         patchelf --add-needed ${final.libpulseaudio}/lib/libpulse.so $out/lib/Signal/resources/app.asar.unpacked/node_modules/ringrtc/build/linux/libringrtc-arm64.node
  #         patchelf --add-needed ${final.openssl_3_0}/lib/libcrypto.so.3 $out/lib/Signal/resources/app.asar.unpacked/node_modules/ringrtc/build/linux/libringrtc-arm64.node
  #       '';
  #       meta.platforms = [ "aarch64-linux" ];
  #     });
  #   })
  # ];
  nixpkgs.overlays = [
    (final: prev: {
      jellyfin-media-player = prev.jellyfin-media-player.overrideAttrs (old: {
        meta.platforms = [ "aarch64-linux" ];
      });
    })
  ];
 }
--- a/machines/nat/hardware-configuration.nix
+++ b/machines/nat/hardware-configuration.nix
@@ -4,61 +4,24 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
-  imports =
+  imports = [ ];
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  efi.enable = true;
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "nvme" "usbhid" ];
-
+  boot.initrd.kernelModules = [ ];
  # 4k kernel for m1
  boot.kernelBuildIs16K = false;
  boot.initrd.availableKernelModules = [ "usb_storage" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  boot.initrd.luks.devices."enc-pv" = {
    device = "/dev/nvme0n1p5";
    allowDiscards = true;
  };
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/f3021c34-2034-4bf0-bf3f-64d6d02c0eff";
+    {
      device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779";
      fsType = "btrfs";
      options = [ "subvol=root" ];
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/f3021c34-2034-4bf0-bf3f-64d6d02c0eff";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/f3021c34-2034-4bf0-bf3f-64d6d02c0eff";
      fsType = "btrfs";
      options = [ "subvol=nix" ];
    };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/D33C-18EE";
+    {
      device = "/dev/disk/by-uuid/0C95-1290";
      fsType = "vfat";
    };
-  swapDevices =
+  swapDevices = [ ];
    [ { device = "/dev/disk/by-uuid/98e875e4-4c34-42e9-8c71-404dfe137ba7"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp1s0f0.useDHCP = lib.mkDefault true;
  #nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
  # high-resolution display
  hardware.video.hidpi.enable = lib.mkDefault true;
 }
--- a/machines/nat/m1-support/asahi-fwextract/add_entry_point.patch
+++ b/machines/nat/m1-support/asahi-fwextract/add_entry_point.patch
@@ -1,31 +0,0 @@
 diff --git a/asahi_firmware/update.py b/asahi_firmware/update.py
 index 8d4c480..7d89353 100644
 --- a/asahi_firmware/update.py
 +++ b/asahi_firmware/update.py
@@ -30,7 +30,7 @@ def update_firmware(source, dest, manifest):
     pkg.save_manifest(manifest)
 -if __name__ == "__main__":
 +def main():
     import argparse
     import logging
     logging.basicConfig()
@@ -46,3 +46,7 @@ if __name__ == "__main__":
     args = parser.parse_args()
     update_firmware(args.source, args.dest, args.manifest)
 +
 +if __name__ == "__main__":
 +   main()
 +
 diff --git a/setup.py b/setup.py
 index 45ada19..1b371ba 100644
 --- a/setup.py
 +++ b/setup.py
@@ -9,4 +9,5 @@ setup(name='asahi_firmware',
       author_email='marcan@marcan.st',
       url='https://github.com/AsahiLinux/asahi-installer/',
       packages=['asahi_firmware'],
 +      entry_points={"console_scripts": ["asahi-fwextract = asahi_firmware.update:main"]}
      )
--- a/machines/nat/m1-support/asahi-fwextract/default.nix
+++ b/machines/nat/m1-support/asahi-fwextract/default.nix
@@ -1,24 +0,0 @@
 { lib
 , python3
 , fetchFromGitHub
 , makeBinaryWrapper
 }:
 python3.pkgs.buildPythonApplication rec {
  pname = "asahi-fwextract";
  version = "0.4pre2";
  # tracking version: https://github.com/AsahiLinux/PKGBUILDs/blob/main/asahi-fwextract/PKGBUILD
  src = fetchFromGitHub {
    owner = "AsahiLinux";
    repo = "asahi-installer";
    rev = "v${version}";
    hash = "sha256-RqvD2hNjKMlUg+oY1woUN5zpN+1Y/TrBQbokNgdeCW4=";
  };
  patches = [
    ./add_entry_point.patch
  ];
  nativeBuildInputs = [ python3.pkgs.setuptools makeBinaryWrapper ];
 }
--- a/machines/nat/m1-support/boot-m1n1/default.nix
+++ b/machines/nat/m1-support/boot-m1n1/default.nix
@@ -1,56 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  buildPkgs = if config.boot.kernelBuildIsCross then
    import (pkgs.path) {
      system = "x86_64-linux";
      crossSystem.system = "aarch64-linux";
    }
  else pkgs;
  bootM1n1 = buildPkgs.callPackage ../m1n1 {
    isRelease = true;
    withTools = false;
  };
  bootUBoot = buildPkgs.callPackage ../u-boot {
    m1n1 = bootM1n1;
  };
  bootFiles = {
    "m1n1/boot.bin" = pkgs.runCommand "boot.bin" {} ''
      cat ${bootM1n1}/build/m1n1.bin > $out
      cat ${config.boot.kernelPackages.kernel}/dtbs/apple/*.dtb >> $out
      cat ${bootUBoot}/u-boot-nodtb.bin.gz >> $out
      if [ -n "${config.boot.m1n1ExtraOptions}" ]; then
        echo '${config.boot.m1n1ExtraOptions}' >> $out
      fi
    '';
  };
 in {
  config = {
    # install m1n1 with the boot loader
    boot.loader.grub.extraFiles = bootFiles;
    boot.loader.systemd-boot.extraFiles = bootFiles;
    # ensure the installer has m1n1 in the image
    system.extraDependencies = lib.mkForce [ bootM1n1 bootUBoot ];
    # give the user the utilities to re-extract the firmware if necessary
    environment.systemPackages = [
      (buildPkgs.callPackage ../asahi-fwextract {})
    ];
    # system.extraDependencies = [ boot ];
    # system.extraDependencies = lib.mkForce [ boot ];
  };
  options.boot.m1n1ExtraOptions = lib.mkOption {
    type = lib.types.str;
    default = "";
    description = ''
      Append extra options to the m1n1 boot binary. Might be useful for fixing
      display problems on Mac minis.
      https://github.com/AsahiLinux/m1n1/issues/159
    '';
  };
 }
--- a/machines/nat/m1-support/default.nix
+++ b/machines/nat/m1-support/default.nix
@@ -1,8 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./kernel
    ./firmware
    ./boot-m1n1
  ];
 }
--- a/machines/nat/m1-support/firmware/default.nix
+++ b/machines/nat/m1-support/firmware/default.nix
@@ -1,18 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  hardware.firmware = [
    (pkgs.stdenvNoCC.mkDerivation {
      name = "firmware";
      buildCommand = ''
        mkdir -p $out/lib/firmware
        FIRMWARE=`echo ${./.}/*firmware*.tar`
        if [ -e "$FIRMWARE" ]; then
          tar xf "$FIRMWARE" -C $out/lib/firmware
        else
          # stop nixos infra from breaking when it doesn't have any firmware
          touch $out/lib/firmware/.dummy
        fi
      '';
    })
  ];
 }
--- a/machines/nat/m1-support/firmware/firmware.tar
+++ b/machines/nat/m1-support/firmware/firmware.tar
--- a/machines/nat/m1-support/kernel/config
+++ b/machines/nat/m1-support/kernel/config
@@ -1,691 +0,0 @@
 # from https://github.com/jannau/AsahiLinux-PKGBUILD/blob/main/linux-apple/config
 CONFIG_SWAP=y
 CONFIG_DM_SNAPSHOT=m
 CONFIG_WERROR=y
 CONFIG_DEFAULT_HOSTNAME="m1"
 CONFIG_SYSVIPC=y
 CONFIG_POSIX_MQUEUE=y
 CONFIG_AUDIT=y
 CONFIG_NO_HZ_IDLE=y
 CONFIG_HIGH_RES_TIMERS=y
 CONFIG_BPF_JIT=y
 CONFIG_PREEMPT=y
 CONFIG_IRQ_TIME_ACCOUNTING=y
 CONFIG_BSD_PROCESS_ACCT=y
 CONFIG_BSD_PROCESS_ACCT_V3=y
 CONFIG_TASKSTATS=y
 CONFIG_TASK_DELAY_ACCT=y
 CONFIG_TASK_XACCT=y
 CONFIG_TASK_IO_ACCOUNTING=y
 CONFIG_IKCONFIG=y
 CONFIG_IKCONFIG_PROC=y
 CONFIG_NUMA_BALANCING=y
 CONFIG_MEMCG=y
 CONFIG_BLK_CGROUP=y
 CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_HUGETLB=y
 CONFIG_CPUSETS=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
 CONFIG_CGROUP_PERF=y
 CONFIG_USER_NS=y
 CONFIG_SCHED_AUTOGROUP=y
 CONFIG_BLK_DEV_INITRD=y
 CONFIG_KALLSYMS_ALL=y
 # CONFIG_COMPAT_BRK is not set
 CONFIG_PROFILING=y
 CONFIG_ARCH_APPLE=y
 # CONFIG_ARM64_ERRATUM_2054223 is not set
 # CONFIG_ARM64_ERRATUM_2067961 is not set
 # CONFIG_NVIDIA_CARMEL_CNP_ERRATUM is not set
 CONFIG_ARM64_VA_BITS_48=y
 CONFIG_SCHED_MC=y
 CONFIG_SCHED_CLUSTER=y
 CONFIG_NR_CPUS=64
 CONFIG_NUMA=y
 CONFIG_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_CRASH_DUMP=y
 CONFIG_XEN=y
 # CONFIG_ARM64_PTR_AUTH_KERNEL is not set
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_HIBERNATION=y
 CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y
 CONFIG_ENERGY_MODEL=y
 CONFIG_ARM_CPUIDLE=y
 CONFIG_ARM_PSCI_CPUIDLE=y
 CONFIG_CPU_FREQ=y
 CONFIG_CPU_FREQ_STAT=y
 CONFIG_CPU_FREQ_GOV_POWERSAVE=m
 CONFIG_CPU_FREQ_GOV_USERSPACE=y
 CONFIG_CPU_FREQ_GOV_ONDEMAND=y
 CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m
 CONFIG_CPUFREQ_DT=y
 CONFIG_ACPI=y
 CONFIG_ACPI_APEI=y
 CONFIG_ACPI_APEI_GHES=y
 CONFIG_ACPI_APEI_MEMORY_FAILURE=y
 CONFIG_ACPI_APEI_EINJ=y
 CONFIG_VIRTUALIZATION=y
 CONFIG_KVM=y
 CONFIG_CRYPTO_SHA1_ARM64_CE=y
 CONFIG_CRYPTO_SHA2_ARM64_CE=y
 CONFIG_CRYPTO_SHA512_ARM64_CE=m
 CONFIG_CRYPTO_SHA3_ARM64=m
 CONFIG_CRYPTO_SM3_ARM64_CE=m
 CONFIG_CRYPTO_GHASH_ARM64_CE=y
 CONFIG_CRYPTO_AES_ARM64=y
 CONFIG_CRYPTO_AES_ARM64_CE_CCM=y
 CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
 CONFIG_CRYPTO_AES_ARM64_BS=m
 CONFIG_JUMP_LABEL=y
 CONFIG_MODULES=y
 CONFIG_MODULE_UNLOAD=y
 # CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
 CONFIG_KSM=y
 CONFIG_MEMORY_FAILURE=y
 CONFIG_TRANSPARENT_HUGEPAGE=y
 CONFIG_CMA=y
 CONFIG_NET=y
 CONFIG_PACKET=y
 CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_IP_MULTICAST=y
 CONFIG_IP_PNP=y
 CONFIG_IP_PNP_DHCP=y
 CONFIG_IP_PNP_BOOTP=y
 CONFIG_IPV6=m
 CONFIG_IP_NF_IPTABLES=m
 CONFIG_IP_NF_FILTER=m
 CONFIG_IP_NF_TARGET_REJECT=m
 CONFIG_IP_NF_NAT=m
 CONFIG_IP_NF_TARGET_MASQUERADE=m
 CONFIG_IP_NF_MANGLE=m
 CONFIG_IP6_NF_IPTABLES=m
 CONFIG_IP6_NF_FILTER=m
 CONFIG_IP6_NF_TARGET_REJECT=m
 CONFIG_IP6_NF_MANGLE=m
 CONFIG_IP6_NF_NAT=m
 CONFIG_IP6_NF_TARGET_MASQUERADE=m
 CONFIG_BRIDGE=m
 CONFIG_BRIDGE_VLAN_FILTERING=y
 CONFIG_NET_DSA=m
 CONFIG_VLAN_8021Q=m
 CONFIG_VLAN_8021Q_GVRP=y
 CONFIG_VLAN_8021Q_MVRP=y
 CONFIG_NET_SCHED=y
 CONFIG_NET_SCH_CBS=m
 CONFIG_NET_SCH_ETF=m
 CONFIG_NET_SCH_TAPRIO=m
 CONFIG_NET_SCH_MQPRIO=m
 CONFIG_NET_SCH_INGRESS=m
 CONFIG_NET_CLS_BASIC=m
 CONFIG_NET_CLS_FLOWER=m
 CONFIG_NET_CLS_ACT=y
 CONFIG_NET_ACT_GACT=m
 CONFIG_NET_ACT_MIRRED=m
 CONFIG_NET_ACT_GATE=m
 CONFIG_QRTR=m
 CONFIG_QRTR_TUN=m
 CONFIG_CAN=m
 CONFIG_CAN_FLEXCAN=m
 CONFIG_BT=m
 CONFIG_BT_HIDP=m
 # CONFIG_BT_LE is not set
 # CONFIG_BT_DEBUGFS is not set
 CONFIG_BT_HCIBTUSB=m
 CONFIG_BT_HCIUART=m
 CONFIG_BT_HCIUART_LL=y
 CONFIG_BT_HCIUART_BCM=y
 CONFIG_BT_HCIUART_QCA=y
 CONFIG_CFG80211=m
 CONFIG_MAC80211=m
 CONFIG_RFKILL=m
 CONFIG_RFKILL_GPIO=m
 # CONFIG_NET_9P=y
 # CONFIG_NET_9P_VIRTIO=y
 CONFIG_NFC=m
 CONFIG_NFC_NCI=m
 CONFIG_NFC_S3FWRN5_I2C=m
 CONFIG_PCI=y
 CONFIG_PCIEPORTBUS=y
 CONFIG_PCI_IOV=y
 CONFIG_PCI_PASID=y
 CONFIG_HOTPLUG_PCI=y
 CONFIG_HOTPLUG_PCI_ACPI=y
 CONFIG_PCI_HOST_GENERIC=y
 CONFIG_PCIE_APPLE=y
 CONFIG_PCIE_DW_PLAT_HOST=y
 CONFIG_PCI_ENDPOINT=y
 CONFIG_PCI_ENDPOINT_CONFIGFS=y
 CONFIG_PCI_EPF_TEST=m
 CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
 CONFIG_EFI_BOOTLOADER_CONTROL=y
 CONFIG_EFI_CAPSULE_LOADER=y
 CONFIG_BLK_DEV_LOOP=y
 CONFIG_BLK_DEV_NBD=m
 CONFIG_VIRTIO_BLK=y
 CONFIG_BLK_DEV_NVME=m
 CONFIG_SRAM=y
 CONFIG_DW_XDATA_PCIE=y
 CONFIG_PCI_ENDPOINT_TEST=m
 CONFIG_EEPROM_AT24=m
 CONFIG_SCSI=y
 # CONFIG_SCSI_PROC_FS is not set
 CONFIG_BLK_DEV_SD=y
 CONFIG_MD=y
 CONFIG_BLK_DEV_MD=m
 CONFIG_BLK_DEV_DM=m
 CONFIG_DM_MIRROR=m
 CONFIG_DM_ZERO=m
 CONFIG_DM_CRYPT=m
 CONFIG_NETDEVICES=y
 CONFIG_WIREGUARD=m
 CONFIG_MACVLAN=m
 CONFIG_MACVTAP=m
 CONFIG_IPVLAN=m
 CONFIG_IPVTAP=m
 CONFIG_TUN=y
 CONFIG_VETH=m
 CONFIG_VIRTIO_NET=y
 # CONFIG_NET_VENDOR_3COM is not set
 # CONFIG_NET_VENDOR_ADAPTEC is not set
 # CONFIG_NET_VENDOR_AGERE is not set
 # CONFIG_NET_VENDOR_ALACRITECH is not set
 # CONFIG_NET_VENDOR_ALTEON is not set
 # CONFIG_NET_VENDOR_AMAZON is not set
 # CONFIG_NET_VENDOR_AMD is not set
 CONFIG_AQTION=y
 # CONFIG_NET_VENDOR_ARC is not set
 # CONFIG_NET_VENDOR_ATHEROS is not set
 CONFIG_TIGON3=y
 # CONFIG_NET_VENDOR_BROCADE is not set
 # CONFIG_NET_VENDOR_CADENCE is not set
 # CONFIG_NET_VENDOR_CAVIUM is not set
 # CONFIG_NET_VENDOR_CHELSIO is not set
 # CONFIG_NET_VENDOR_CISCO is not set
 # CONFIG_NET_VENDOR_CORTINA is not set
 # CONFIG_NET_VENDOR_DEC is not set
 # CONFIG_NET_VENDOR_DLINK is not set
 # CONFIG_NET_VENDOR_EMULEX is not set
 # CONFIG_NET_VENDOR_EZCHIP is not set
 # CONFIG_NET_VENDOR_GOOGLE is not set
 # CONFIG_NET_VENDOR_HISILICON is not set
 # CONFIG_NET_VENDOR_HUAWEI is not set
 # CONFIG_NET_VENDOR_INTEL is not set
 # CONFIG_NET_VENDOR_MICROSOFT is not set
 # CONFIG_NET_VENDOR_LITEX is not set
 # CONFIG_NET_VENDOR_MARVELL is not set
 # CONFIG_NET_VENDOR_MELLANOX is not set
 # CONFIG_NET_VENDOR_MICREL is not set
 # CONFIG_NET_VENDOR_MICROCHIP is not set
 # CONFIG_NET_VENDOR_MICROSEMI is not set
 # CONFIG_NET_VENDOR_MYRI is not set
 # CONFIG_NET_VENDOR_NATSEMI is not set
 # CONFIG_NET_VENDOR_NETERION is not set
 # CONFIG_NET_VENDOR_NETRONOME is not set
 # CONFIG_NET_VENDOR_NI is not set
 # CONFIG_NET_VENDOR_NVIDIA is not set
 # CONFIG_NET_VENDOR_OKI is not set
 # CONFIG_NET_VENDOR_PACKET_ENGINES is not set
 # CONFIG_NET_VENDOR_PENSANDO is not set
 # CONFIG_NET_VENDOR_QLOGIC is not set
 # CONFIG_NET_VENDOR_QUALCOMM is not set
 # CONFIG_NET_VENDOR_RDC is not set
 # CONFIG_NET_VENDOR_REALTEK is not set
 # CONFIG_NET_VENDOR_RENESAS is not set
 # CONFIG_NET_VENDOR_ROCKER is not set
 # CONFIG_NET_VENDOR_SAMSUNG is not set
 # CONFIG_NET_VENDOR_SEEQ is not set
 # CONFIG_NET_VENDOR_SOLARFLARE is not set
 # CONFIG_NET_VENDOR_SILAN is not set
 # CONFIG_NET_VENDOR_SIS is not set
 # CONFIG_NET_VENDOR_SMSC is not set
 # CONFIG_NET_VENDOR_SOCIONEXT is not set
 # CONFIG_NET_VENDOR_STMICRO is not set
 # CONFIG_NET_VENDOR_SUN is not set
 # CONFIG_NET_VENDOR_SYNOPSYS is not set
 # CONFIG_NET_VENDOR_TEHUTI is not set
 # CONFIG_NET_VENDOR_TI is not set
 # CONFIG_NET_VENDOR_VIA is not set
 # CONFIG_NET_VENDOR_WIZNET is not set
 # CONFIG_NET_VENDOR_XILINX is not set
 CONFIG_USB_RTL8150=y
 CONFIG_USB_RTL8152=y
 CONFIG_USB_LAN78XX=y
 CONFIG_USB_USBNET=y
 CONFIG_USB_NET_SMSC75XX=y
 CONFIG_USB_NET_SMSC95XX=y
 # CONFIG_USB_NET_NET1080 is not set
 # CONFIG_USB_NET_ZAURUS is not set
 CONFIG_USB_IPHETH=y
 # CONFIG_WLAN_VENDOR_ADMTEK is not set
 # CONFIG_WLAN_VENDOR_ATH is not set
 # CONFIG_WLAN_VENDOR_ATMEL is not set
 # CONFIG_WLAN_VENDOR_CISCO is not set
 # CONFIG_WLAN_VENDOR_INTEL is not set
 # CONFIG_WLAN_VENDOR_INTERSIL is not set
 # CONFIG_WLAN_VENDOR_MARVELL is not set
 # CONFIG_WLAN_VENDOR_MEDIATEK is not set
 # CONFIG_WLAN_VENDOR_MICROCHIP is not set
 # CONFIG_WLAN_VENDOR_RALINK is not set
 # CONFIG_WLAN_VENDOR_REALTEK is not set
 # CONFIG_WLAN_VENDOR_RSI is not set
 # CONFIG_WLAN_VENDOR_ST is not set
 # CONFIG_WLAN_VENDOR_TI is not set
 # CONFIG_WLAN_VENDOR_ZYDAS is not set
 # CONFIG_WLAN_VENDOR_QUANTENNA is not set
 # CONFIG_XEN_NETDEV_FRONTEND is not set
 CONFIG_INPUT_EVDEV=y
 CONFIG_KEYBOARD_APPLESPI=y
 CONFIG_INPUT_TOUCHSCREEN=y
 CONFIG_TOUCHSCREEN_ATMEL_MXT=m
 CONFIG_TOUCHSCREEN_EDT_FT5X06=m
 CONFIG_INPUT_MISC=y
 # CONFIG_SERIO_SERPORT is not set
 CONFIG_SERIO_AMBAKMI=y
 CONFIG_LEGACY_PTY_COUNT=16
 CONFIG_SERIAL_8250=y
 CONFIG_SERIAL_8250_CONSOLE=y
 CONFIG_SERIAL_8250_EXTENDED=y
 CONFIG_SERIAL_8250_SHARE_IRQ=y
 CONFIG_SERIAL_8250_DW=y
 CONFIG_SERIAL_OF_PLATFORM=y
 CONFIG_SERIAL_AMBA_PL011=y
 CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
 CONFIG_SERIAL_SAMSUNG=y
 CONFIG_SERIAL_SAMSUNG_CONSOLE=y
 CONFIG_SERIAL_DEV_BUS=y
 CONFIG_VIRTIO_CONSOLE=y
 CONFIG_I2C_CHARDEV=y
 CONFIG_I2C_MUX=y
 # CONFIG_I2C_HELPER_AUTO is not set
 CONFIG_I2C_SMBUS=y
 CONFIG_SPI=y
 CONFIG_SPI_DEBUG=y
 CONFIG_SPI_APPLE=y
 # CONFIG_PTP_1588_CLOCK is not set
 CONFIG_PINCTRL=y
 CONFIG_PINCTRL_APPLE_GPIO=y
 # CONFIG_HWMON is not set
 CONFIG_THERMAL_WRITABLE_TRIPS=y
 CONFIG_THERMAL_GOV_USER_SPACE=y
 CONFIG_WATCHDOG=y
 CONFIG_APPLE_WATCHDOG=y
 CONFIG_MFD_SYSCON=y
 CONFIG_MEDIA_SUPPORT=m
 CONFIG_MEDIA_CAMERA_SUPPORT=y
 CONFIG_MEDIA_ANALOG_TV_SUPPORT=y
 CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y
 CONFIG_MEDIA_SDR_SUPPORT=y
 CONFIG_MEDIA_PLATFORM_SUPPORT=y
 CONFIG_VIDEO_V4L2_SUBDEV_API=y
 CONFIG_MEDIA_USB_SUPPORT=y
 CONFIG_USB_VIDEO_CLASS=m
 CONFIG_USB_GSPCA=m
 CONFIG_V4L_PLATFORM_DRIVERS=y
 CONFIG_V4L_MEM2MEM_DRIVERS=y
 CONFIG_DRM=y
 CONFIG_DRM_SIMPLEDRM=y
 CONFIG_FB=y
 CONFIG_FB_MODE_HELPERS=y
 CONFIG_FB_TILEBLITTING=y
 CONFIG_FB_EFI=y
 # CONFIG_XEN_FBDEV_FRONTEND is not set
 CONFIG_LOGO=y
 # CONFIG_LOGO_LINUX_MONO is not set
 # CONFIG_LOGO_LINUX_VGA16 is not set
 CONFIG_SOUND=y
 CONFIG_SND=y
 CONFIG_USB_ULPI_BUS=y
 CONFIG_USB_CONN_GPIO=y
 CONFIG_USB=y
 CONFIG_USB_OTG=y
 CONFIG_USB_MON=m
 CONFIG_USB_XHCI_HCD=y
 CONFIG_USB_EHCI_HCD=y
 CONFIG_USB_EHCI_HCD_PLATFORM=y
 CONFIG_USB_ACM=m
 CONFIG_USB_STORAGE=y
 CONFIG_USB_UAS=y
 CONFIG_USB_DWC3=y
 CONFIG_USB_DWC3_ULPI=y
 CONFIG_USB_DWC2=y
 CONFIG_USB_DWC2_HOST=y
 CONFIG_USB_DWC2_PCI=y
 CONFIG_USB_SERIAL=m
 CONFIG_USB_SERIAL_CP210X=m
 CONFIG_USB_SERIAL_FTDI_SIO=m
 CONFIG_USB_SERIAL_OPTION=m
 CONFIG_USB_GPIO_VBUS=y
 CONFIG_USB_ULPI=y
 CONFIG_USB_GADGET=y
 CONFIG_U_SERIAL_CONSOLE=y
 CONFIG_USB_SNP_UDC_PLAT=y
 CONFIG_USB_CONFIGFS=m
 CONFIG_USB_CONFIGFS_SERIAL=y
 CONFIG_USB_CONFIGFS_ACM=y
 CONFIG_USB_CONFIGFS_OBEX=y
 CONFIG_USB_CONFIGFS_NCM=y
 CONFIG_USB_CONFIGFS_ECM=y
 CONFIG_USB_CONFIGFS_ECM_SUBSET=y
 CONFIG_USB_CONFIGFS_RNDIS=y
 CONFIG_USB_CONFIGFS_EEM=y
 CONFIG_USB_CONFIGFS_MASS_STORAGE=y
 CONFIG_USB_CONFIGFS_F_FS=y
 CONFIG_USB_G_SERIAL=y
 CONFIG_USB_CDC_COMPOSITE=y
 CONFIG_TYPEC=y
 CONFIG_TYPEC_TCPM=y
 CONFIG_TYPEC_TPS6598X=y
 CONFIG_TYPEC_DP_ALTMODE=m
 CONFIG_NEW_LEDS=y
 CONFIG_LEDS_CLASS=y
 CONFIG_LEDS_CLASS_FLASH=y
 CONFIG_LEDS_CLASS_MULTICOLOR=y
 CONFIG_LEDS_BRIGHTNESS_HW_CHANGED=y
 CONFIG_UDMABUF=y
 CONFIG_DMABUF_HEAPS=y
 CONFIG_DMABUF_SYSFS_STATS=y
 CONFIG_DMABUF_HEAPS_SYSTEM=y
 CONFIG_DMABUF_HEAPS_CMA=y
 # CONFIG_VIRTIO_MENU is not set
 # CONFIG_VHOST_MENU is not set
 # CONFIG_XEN_PCIDEV_STUB is not set
 CONFIG_MAILBOX=y
 CONFIG_GENERIC_PHY=y
 CONFIG_VALIDATE_FS_PARSER=y
 CONFIG_EXT3_FS=y
 CONFIG_EXT4_FS_POSIX_ACL=y
 CONFIG_BTRFS_FS=m
 CONFIG_BTRFS_FS_POSIX_ACL=y
 CONFIG_FANOTIFY=y
 CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
 CONFIG_QUOTA=y
 CONFIG_AUTOFS4_FS=y
 CONFIG_FUSE_FS=m
 CONFIG_CUSE=m
 CONFIG_OVERLAY_FS=m
 CONFIG_VFAT_FS=y
 CONFIG_EXFAT_FS=y
 CONFIG_TMPFS=y
 CONFIG_TMPFS_POSIX_ACL=y
 CONFIG_HUGETLBFS=y
 CONFIG_EFIVAR_FS=y
 CONFIG_SQUASHFS=y
 CONFIG_NFS_FS=y
 CONFIG_NFS_V4=y
 CONFIG_NFS_V4_1=y
 CONFIG_NFS_V4_2=y
 CONFIG_ROOT_NFS=y
 CONFIG_9P_FS=y
 CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_SECURITY=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_ECHAINIV=y
 CONFIG_CRYPTO_ANSI_CPRNG=y
 CONFIG_CRYPTO_USER_API_RNG=m
 CONFIG_CRYPTO_DEV_CCREE=m
 CONFIG_CRYPTO_DEV_HISI_SEC2=m
 CONFIG_CRYPTO_DEV_HISI_ZIP=m
 CONFIG_CRYPTO_DEV_HISI_HPRE=m
 CONFIG_CRYPTO_DEV_HISI_TRNG=m
 CONFIG_DMA_CMA=y
 CONFIG_CMA_SIZE_MBYTES=128
 CONFIG_PRINTK_TIME=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_INFO_REDUCED=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_DEBUG_FS=y
 CONFIG_DEBUG_KERNEL=y
 # CONFIG_SCHED_DEBUG is not set
 CONFIG_FUNCTION_TRACER=y
 CONFIG_MEMTEST=y
 # additional nixos mandatory kernel configs
 CONFIG_CGROUPS=y
 CONFIG_INOTIFY_USER=y
 CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EPOLL=y
 CONFIG_SYSFS=y
 CONFIG_PROC_FS=y
 CONFIG_FHANDLE=y
 CONFIG_CRYPTO_USER_API_HASH=y
 CONFIG_CRYPTO_HMAC=y
 CONFIG_CRYPTO_SHA256=y
 CONFIG_ISO9660_FS=y
 CONFIG_ZISOFS=n
 CONFIG_JOLIET=y
 CONFIG_SQUASHFS_XZ=y
 CONFIG_SQUASHFS_ZSTD=y
 CONFIG_DMIID=y
 CONFIG_TMPFS_XATTR=y
 CONFIG_SECCOMP=y
 CONFIG_BINFMT_ELF=y
 CONFIG_BINFMT_MISC=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER=y
 CONFIG_FW_LOADER_COMPRESS=y
 # stuff for the keyboard?
 CONFIG_SPI_HID_APPLE=y
 CONFIG_HID_APPLE=y
 CONFIG_HID_MAGICMOUSE=y
 CONFIG_APPLE_SART=y
 CONFIG_APPLE_RTKIT=y
 CONFIG_NVME_APPLE=y
 # stuff for sound?
 CONFIG_SND_SOC=y
 CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y
 CONFIG_SND_SIMPLE_CARD=y
 CONFIG_SND_SIMPLE_CARD_UTILS=y
 CONFIG_SND_SOC_CS42L42=y
 CONFIG_SND_SOC_TAS2770=y
 CONFIG_DMADEVICES=y
 CONFIG_APPLE_ADMAC=y
 CONFIG_SND_SOC_APPLE_MCA=y
 # stuff for wifi
 CONFIG_WLAN=y
 CONFIG_WLAN_VENDOR_BROADCOM=y
 CONFIG_BRCMUTIL=m
 CONFIG_BRCMFMAC=m
 CONFIG_BRCMFMAC_PROTO_MSGBUF=y
 CONFIG_BRCMFMAC_PCIE=y
 # new stuff for 5.17
 CONFIG_SPMI=y
 CONFIG_SPMI_APPLE=y
 CONFIG_CHARGER_MACSMC=y
 CONFIG_GPIOLIB=y
 CONFIG_GPIOLIB_IRQCHIP=y
 CONFIG_GPIO_MACSMC=y
 CONFIG_BACKLIGHT_GPIO=y
 # nftables related config
 CONFIG_NETFILTER=y
 CONFIG_NETFILTER_ADVANCED=y
 CONFIG_BRIDGE_NETFILTER=m
 #
 # Core Netfilter Configuration
 #
 CONFIG_NETFILTER_INGRESS=y
 CONFIG_NETFILTER_EGRESS=y
 CONFIG_NETFILTER_SKIP_EGRESS=y
 CONFIG_NETFILTER_NETLINK=m
 CONFIG_NETFILTER_FAMILY_BRIDGE=y
 CONFIG_NETFILTER_FAMILY_ARP=y
 CONFIG_NETFILTER_NETLINK_HOOK=m
 CONFIG_NETFILTER_NETLINK_ACCT=m
 CONFIG_NETFILTER_NETLINK_QUEUE=m
 CONFIG_NETFILTER_NETLINK_LOG=m
 CONFIG_NETFILTER_NETLINK_OSF=m
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_LOG_SYSLOG=m
 CONFIG_NETFILTER_CONNCOUNT=m
 CONFIG_NF_CONNTRACK_MARK=y
 CONFIG_NF_CONNTRACK_ZONES=y
 CONFIG_NF_CONNTRACK_PROCFS=y
 CONFIG_NF_CONNTRACK_EVENTS=y
 CONFIG_NF_CONNTRACK_TIMEOUT=y
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_LABELS=y
 CONFIG_NF_CT_PROTO_DCCP=y
 CONFIG_NF_CT_PROTO_GRE=y
 CONFIG_NF_CT_PROTO_SCTP=y
 CONFIG_NF_CT_PROTO_UDPLITE=y
 CONFIG_NF_CONNTRACK_AMANDA=m
 CONFIG_NF_CONNTRACK_FTP=m
 CONFIG_NF_CONNTRACK_H323=m
 CONFIG_NF_CONNTRACK_IRC=m
 CONFIG_NF_CONNTRACK_BROADCAST=m
 CONFIG_NF_CONNTRACK_NETBIOS_NS=m
 CONFIG_NF_CONNTRACK_SNMP=m
 CONFIG_NF_CONNTRACK_PPTP=m
 CONFIG_NF_CONNTRACK_SANE=m
 CONFIG_NF_CONNTRACK_SIP=m
 CONFIG_NF_CONNTRACK_TFTP=m
 CONFIG_NF_CT_NETLINK=m
 CONFIG_NF_CT_NETLINK_TIMEOUT=m
 CONFIG_NF_CT_NETLINK_HELPER=m
 CONFIG_NETFILTER_NETLINK_GLUE_CT=y
 CONFIG_NF_NAT=m
 CONFIG_NF_NAT_AMANDA=m
 CONFIG_NF_NAT_FTP=m
 CONFIG_NF_NAT_IRC=m
 CONFIG_NF_NAT_SIP=m
 CONFIG_NF_NAT_TFTP=m
 CONFIG_NF_NAT_REDIRECT=y
 CONFIG_NF_NAT_MASQUERADE=y
 CONFIG_NETFILTER_SYNPROXY=m
 CONFIG_NF_TABLES=m
 CONFIG_NF_TABLES_INET=y
 CONFIG_NF_TABLES_NETDEV=y
 CONFIG_NFT_NUMGEN=m
 CONFIG_NFT_CT=m
 CONFIG_NFT_FLOW_OFFLOAD=m
 CONFIG_NFT_CONNLIMIT=m
 CONFIG_NFT_LOG=m
 CONFIG_NFT_LIMIT=m
 CONFIG_NFT_MASQ=m
 CONFIG_NFT_REDIR=m
 CONFIG_NFT_NAT=m
 CONFIG_NFT_TUNNEL=m
 CONFIG_NFT_OBJREF=m
 CONFIG_NFT_QUEUE=m
 CONFIG_NFT_QUOTA=m
 CONFIG_NFT_REJECT=m
 CONFIG_NFT_REJECT_INET=m
 CONFIG_NFT_COMPAT=m
 CONFIG_NFT_HASH=m
 CONFIG_NFT_FIB=m
 CONFIG_NFT_FIB_INET=m
 CONFIG_NFT_XFRM=m
 CONFIG_NFT_SOCKET=m
 CONFIG_NFT_OSF=m
 CONFIG_NFT_TPROXY=m
 CONFIG_NFT_SYNPROXY=m
 CONFIG_NF_DUP_NETDEV=m
 CONFIG_NFT_DUP_NETDEV=m
 CONFIG_NFT_FWD_NETDEV=m
 CONFIG_NFT_FIB_NETDEV=m
 CONFIG_NFT_REJECT_NETDEV=m
 CONFIG_NF_FLOW_TABLE_INET=m
 CONFIG_NF_FLOW_TABLE=m
 CONFIG_NETFILTER_XTABLES=y
 #
 # Xtables combined modules
 #
 CONFIG_NETFILTER_XT_MARK=m
 CONFIG_NETFILTER_XT_CONNMARK=m
 CONFIG_NETFILTER_XT_SET=m
 #
 # Xtables targets
 #
 CONFIG_NETFILTER_XT_TARGET_AUDIT=m
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
 CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
 CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
 CONFIG_NETFILTER_XT_TARGET_CT=m
 CONFIG_NETFILTER_XT_TARGET_DSCP=m
 CONFIG_NETFILTER_XT_TARGET_HL=m
 CONFIG_NETFILTER_XT_TARGET_HMARK=m
 CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
 CONFIG_NETFILTER_XT_TARGET_LED=m
 CONFIG_NETFILTER_XT_TARGET_LOG=m
 CONFIG_NETFILTER_XT_TARGET_MARK=m
 CONFIG_NETFILTER_XT_NAT=m
 CONFIG_NETFILTER_XT_TARGET_NETMAP=m
 CONFIG_NETFILTER_XT_TARGET_NFLOG=m
 CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
 # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
 CONFIG_NETFILTER_XT_TARGET_RATEEST=m
 CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
 CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
 CONFIG_NETFILTER_XT_TARGET_TEE=m
 CONFIG_NETFILTER_XT_TARGET_TPROXY=m
 CONFIG_NETFILTER_XT_TARGET_TRACE=m
 CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
 CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
 #
 # Xtables matches
 #
 CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
 CONFIG_NETFILTER_XT_MATCH_BPF=m
 CONFIG_NETFILTER_XT_MATCH_CGROUP=m
 CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
 CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
 CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
 CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
 CONFIG_NETFILTER_XT_MATCH_CPU=m
 CONFIG_NETFILTER_XT_MATCH_DCCP=m
 CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
 CONFIG_NETFILTER_XT_MATCH_DSCP=m
 CONFIG_NETFILTER_XT_MATCH_ECN=m
 CONFIG_NETFILTER_XT_MATCH_ESP=m
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
 CONFIG_NETFILTER_XT_MATCH_HELPER=m
 CONFIG_NETFILTER_XT_MATCH_HL=m
 CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
 CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
 CONFIG_NETFILTER_XT_MATCH_IPVS=m
 CONFIG_NETFILTER_XT_MATCH_L2TP=m
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NETFILTER_XT_MATCH_LIMIT=m
 CONFIG_NETFILTER_XT_MATCH_MAC=m
 CONFIG_NETFILTER_XT_MATCH_MARK=m
 CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
 CONFIG_NETFILTER_XT_MATCH_NFACCT=m
 CONFIG_NETFILTER_XT_MATCH_OSF=m
 CONFIG_NETFILTER_XT_MATCH_OWNER=m
 CONFIG_NETFILTER_XT_MATCH_POLICY=m
 CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
 CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
 CONFIG_NETFILTER_XT_MATCH_QUOTA=m
 CONFIG_NETFILTER_XT_MATCH_RATEEST=m
 CONFIG_NETFILTER_XT_MATCH_REALM=m
 CONFIG_NETFILTER_XT_MATCH_RECENT=m
 CONFIG_NETFILTER_XT_MATCH_SCTP=m
 CONFIG_NETFILTER_XT_MATCH_SOCKET=m
 CONFIG_NETFILTER_XT_MATCH_STATE=m
 CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
 CONFIG_NETFILTER_XT_MATCH_STRING=m
 CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
 CONFIG_NETFILTER_XT_MATCH_TIME=m
 CONFIG_NETFILTER_XT_MATCH_U32=m
 # end of Core Netfilter Configuration
--- a/machines/nat/m1-support/kernel/default-pagesize-16k.patch
+++ b/machines/nat/m1-support/kernel/default-pagesize-16k.patch
@@ -1,13 +0,0 @@
 diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
 index a1eb6572ecd2..b94fbd9b3d70 100644
 --- a/arch/arm64/Kconfig
 +++ b/arch/arm64/Kconfig
@@ -1036,7 +1036,7 @@ endmenu
 choice
 	prompt "Page size"
 -	default ARM64_4K_PAGES
 +	default ARM64_16K_PAGES
 	help
 	  Page size (translation granule) configuration.
--- a/machines/nat/m1-support/kernel/default.nix
+++ b/machines/nat/m1-support/kernel/default.nix
@@ -1,62 +0,0 @@
 # the Asahi Linux kernel and options that must go along with it
 { config, pkgs, lib, ... }:
 {
  config = {
    boot.kernelPackages = pkgs.callPackage ./package.nix {
      crossBuild = config.boot.kernelBuildIsCross;
      _16KBuild = config.boot.kernelBuildIs16K;
    };
    # we definitely want to use CONFIG_ENERGY_MODEL, and
    # schedutil is a prerequisite for using it
    # source: https://www.kernel.org/doc/html/latest/scheduler/sched-energy.html
    powerManagement.cpuFreqGovernor = lib.mkOverride 800 "schedutil";
    # our kernel config is weird and doesn't really have any modules
    # remove?
    # boot.initrd.availableKernelModules = lib.mkForce [];
    boot.initrd.availableKernelModules = lib.mkForce [ "dm_crypt" ];
    boot.kernelParams = [
      "earlycon"
      "console=ttySAC0,1500000"
      "console=tty0"
      "boot.shell_on_fail"
      # Apple's SSDs are slow (~dozens of ms) at processing flush requests which
      # slows down programs that make a lot of fsync calls. This parameter sets
      # a delay in ms before actually flushing so that such requests can be
      # coalesced. Be warned that increasing this parameter above zero (default
      # is 1000) has the potential, though admittedly unlikely, risk of
      # UNBOUNDED data corruption in case of power loss!!!! Don't even think
      # about it on desktops!!
      "nvme_apple.flush_interval=1000"
    ];
    # U-Boot does not support EFI variables
    boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
    # GRUB has to be installed as removable if the user chooses to use it
    boot.loader.grub = lib.mkDefault {
      version = 2;
      efiSupport = true;
      efiInstallAsRemovable = true;
      device = "nodev";
    };
  };
  options.boot.kernelBuildIsCross = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Set that the Asahi Linux kernel should be cross-compiled.";
  };
  options.boot.kernelBuildIs16K = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = ''
      Set that the Asahi Linux kernel should be built with 16K pages and various
      software patched to be compatible. Some software may still be broken.
    '';
  };
 }
--- a/machines/nat/m1-support/kernel/package.nix
+++ b/machines/nat/m1-support/kernel/package.nix
@@ -1,67 +0,0 @@
 { pkgs, crossBuild ? false, _16KBuild ? false }: let
  buildPkgs = if crossBuild then
    import (pkgs.path) {
      system = "x86_64-linux";
      crossSystem.system = "aarch64-linux";
    }
  else pkgs;
  # we do this so the config can be read on any system and not affect
  # the output hash
  localPkgs = import (pkgs.path) { system = "aarch64-linux"; };
  readConfig = configfile: import (localPkgs.runCommand "config.nix" {} ''
    echo "{" > "$out"
    while IFS='=' read key val; do
      [ "x''${key#CONFIG_}" != "x$key" ] || continue
      no_firstquote="''${val#\"}";
      echo '  "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out"
    done < "${configfile}"
    echo "}" >> $out
  '').outPath;
  linux_asahi_pkg = { stdenv, lib, fetchFromGitHub, fetchpatch, linuxKernel, ... } @ args:
    linuxKernel.manualConfig rec {
      inherit stdenv lib;
      version = "5.19.0-rc7-asahi";
      modDirVersion = version;
      src = fetchFromGitHub {
        # tracking branch: https://github.com/AsahiLinux/linux/tree/asahi
        owner = "AsahiLinux";
        repo = "linux";
        rev = "c7d02d6615a5fb4afefd3084fce93d86e5fb184d";
        hash = "sha256-sed405+6L5U7S+Na2DNLGPNTNf3tv96LjK3CimeRjNU=";
      };
      kernelPatches = [
      ] ++ lib.optionals (!_16KBuild) [
        # thanks to Sven Peter
        # https://lore.kernel.org/linux-iommu/20211019163737.46269-1-sven@svenpeter.dev/
        { name = "sven-iommu-4k";
          patch = ./sven-iommu-4k.patch;
        }
      ] ++ lib.optionals _16KBuild [
        # patch the kernel to set the default size to 16k so we don't need to
        # convert our config to the nixos infrastructure or patch it and thus
        # introduce a dependency on the host system architecture
        { name = "default-pagesize-16k";
          patch = ./default-pagesize-16k.patch;
        }
      ];
      configfile = ./config;
      config = readConfig configfile;
      extraMeta.branch = "5.19";
    } // (args.argsOverride or {});
  linux_asahi = (buildPkgs.callPackage linux_asahi_pkg { }).overrideAttrs (o: {
    # use 5.19 suitable randstruct seed patch
    # to be removed when https://github.com/NixOS/nixpkgs/pull/180750 is
    # accepted and percolates through
    patches = (builtins.filter
      (v: (pkgs.lib.hasInfix "randstruct" (builtins.path { path = v; })) != true)
      o.patches) ++ [ ./randstruct-provide-seed-5.19.patch ];
  });
 in buildPkgs.recurseIntoAttrs (buildPkgs.linuxPackagesFor linux_asahi)
--- a/machines/nat/m1-support/kernel/randstruct-provide-seed-5.19.patch
+++ b/machines/nat/m1-support/kernel/randstruct-provide-seed-5.19.patch
@@ -1,13 +0,0 @@
 diff --git a/scripts/gen-randstruct-seed.sh b/scripts/gen-randstruct-seed.sh
 index 61017b36c464..7bb494dd2e18 100755
 --- a/scripts/gen-randstruct-seed.sh
 +++ b/scripts/gen-randstruct-seed.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0
 -SEED=$(od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n')
 +SEED="NIXOS_RANDSTRUCT_SEED"
 echo "$SEED" > "$1"
 HASH=$(echo -n "$SEED" | sha256sum | cut -d" " -f1)
 echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"
--- a/machines/nat/m1-support/kernel/sven-iommu-4k.patch
+++ b/machines/nat/m1-support/kernel/sven-iommu-4k.patch
@@ -1,449 +0,0 @@
 diff --git a/drivers/iommu/apple-dart.c b/drivers/iommu/apple-dart.c
 index 4f1a37bdd42d..c8c3ea81d818 100644
 --- a/drivers/iommu/apple-dart.c
 +++ b/drivers/iommu/apple-dart.c
@@ -97,7 +97,6 @@ struct apple_dart_hw {
  * @lock: lock for hardware operations involving this dart
  * @pgsize: pagesize supported by this DART
  * @supports_bypass: indicates if this DART supports bypass mode
 - * @force_bypass: force bypass mode due to pagesize mismatch?
  * @sid2group: maps stream ids to iommu_groups
  * @iommu: iommu core device
  */
@@ -115,7 +114,6 @@ struct apple_dart {
 	u32 pgsize;
 	u32 supports_bypass : 1;
 -	u32 force_bypass : 1;
 	struct iommu_group *sid2group[DART_MAX_STREAMS];
 	struct iommu_device iommu;
@@ -499,9 +497,6 @@ static int apple_dart_attach_dev(struct iommu_domain *domain,
 	struct apple_dart_master_cfg *cfg = dev_iommu_priv_get(dev);
 	struct apple_dart_domain *dart_domain = to_dart_domain(domain);
 -	if (cfg->stream_maps[0].dart->force_bypass &&
 -	    domain->type != IOMMU_DOMAIN_IDENTITY)
 -		return -EINVAL;
 	if (!cfg->stream_maps[0].dart->supports_bypass &&
 	    domain->type == IOMMU_DOMAIN_IDENTITY)
 		return -EINVAL;
@@ -630,8 +625,6 @@ static int apple_dart_of_xlate(struct device *dev, struct of_phandle_args *args)
 	if (cfg_dart) {
 		if (cfg_dart->supports_bypass != dart->supports_bypass)
 			return -EINVAL;
 -		if (cfg_dart->force_bypass != dart->force_bypass)
 -			return -EINVAL;
 		if (cfg_dart->pgsize != dart->pgsize)
 			return -EINVAL;
 	}
@@ -736,8 +729,6 @@ static int apple_dart_def_domain_type(struct device *dev)
 {
 	struct apple_dart_master_cfg *cfg = dev_iommu_priv_get(dev);
 -	if (cfg->stream_maps[0].dart->force_bypass)
 -		return IOMMU_DOMAIN_IDENTITY;
 	if (!cfg->stream_maps[0].dart->supports_bypass)
 		return IOMMU_DOMAIN_DMA;
@@ -1121,8 +1121,6 @@ static int apple_dart_probe(struct platform_device *pdev)
 		goto err_clk_disable;
 	}
 -	dart->force_bypass = dart->pgsize > PAGE_SIZE;
 -
 	ret = apple_dart_hw_reset(dart);
 	if (ret)
 		goto err_clk_disable;
@@ -1149,8 +1147,8 @@ static int apple_dart_probe(struct platform_device *pdev)
 	dev_info(
 		&pdev->dev,
 -		"DART [pagesize %x, %d streams, bypass support: %d, bypass forced: %d] initialized\n",
 -		dart->pgsize, dart->num_streams, dart->supports_bypass, dart->force_bypass);
 +		"DART [pagesize %x, %d streams, bypass support: %d] initialized\n",
 +		dart->pgsize, dart->num_streams, dart->supports_bypass);
 	return 0;
 err_sysfs_remove:
 diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
 index 09f6e1c0f9c0..094592751cfa 100644
 --- a/drivers/iommu/dma-iommu.c
 +++ b/drivers/iommu/dma-iommu.c
@@ -20,9 +20,11 @@
 #include <linux/iommu.h>
 #include <linux/iova.h>
 #include <linux/irq.h>
 +#include <linux/kernel.h>
 #include <linux/list_sort.h>
 #include <linux/mm.h>
 #include <linux/mutex.h>
 +#include <linux/pfn.h>
 #include <linux/pci.h>
 #include <linux/scatterlist.h>
 #include <linux/spinlock.h>
@@ -710,6 +712,9 @@ static struct page **__iommu_dma_alloc_pages(struct device *dev,
 {
 	struct page **pages;
 	unsigned int i = 0, nid = dev_to_node(dev);
 +	unsigned int j;
 +	unsigned long min_order = __fls(order_mask);
 +	unsigned int min_order_size = 1U << min_order;
 	order_mask &= (2U << MAX_ORDER) - 1;
 	if (!order_mask)
@@ -749,15 +754,37 @@ static struct page **__iommu_dma_alloc_pages(struct device *dev,
 				split_page(page, order);
 			break;
 		}
 -		if (!page) {
 -			__iommu_dma_free_pages(pages, i);
 -			return NULL;
 +
 +		/*
 +		 * If we have no valid page here we might be trying to allocate
 +		 * the last block consisting of 1<<order pages (to guarantee
 +		 * alignment) but actually need less pages than that.
 +		 * In that case we just try to allocate the entire block and
 +		 * directly free the spillover pages again.
 +		 */
 +		if (!page && !order_mask && count < min_order_size) {
 +			page = alloc_pages_node(nid, gfp, min_order);
 +			if (!page)
 +				goto free_pages;
 +			split_page(page, min_order);
 +
 +			for (j = count; j < min_order_size; ++j)
 +				__free_page(page + j);
 +
 +			order_size = count;
 		}
 +
 +		if (!page)
 +			goto free_pages;
 		count -= order_size;
 		while (order_size--)
 			pages[i++] = page++;
 	}
 	return pages;
 +
 +free_pages:
 +	__iommu_dma_free_pages(pages, i);
 +	return NULL;
 }
 /*
@@ -785,16 +787,28 @@ static struct page **__iommu_dma_alloc_noncontiguous(struct device *dev,
 	bool coherent = dev_is_dma_coherent(dev);
 	int ioprot = dma_info_to_prot(DMA_BIDIRECTIONAL, coherent, attrs);
 	unsigned int count, min_size, alloc_sizes = domain->pgsize_bitmap;
 +	struct sg_append_table sgt_append = {};
 +	struct scatterlist *last_sg;
 	struct page **pages;
 	dma_addr_t iova;
 	ssize_t ret;
 +	phys_addr_t orig_s_phys;
 +	size_t orig_s_len, orig_s_off, s_iova_off, iova_size;
 	if (static_branch_unlikely(&iommu_deferred_attach_enabled) &&
 	    iommu_deferred_attach(dev, domain))
 		return NULL;
 	min_size = alloc_sizes & -alloc_sizes;
 -	if (min_size < PAGE_SIZE) {
 +	if (iovad->granule > PAGE_SIZE) {
 +		if (size < iovad->granule) {
 +			/* ensure a single contiguous allocation */
 +			min_size = ALIGN(size, PAGE_SIZE*(1U<<get_order(size)));
 +			alloc_sizes = min_size;
 +		}
 +
 +		size = PAGE_ALIGN(size);
 +	} else if (min_size < PAGE_SIZE) {
 		min_size = PAGE_SIZE;
 		alloc_sizes |= PAGE_SIZE;
 	} else {
@@ -797,13 +836,17 @@ static struct page **__iommu_dma_alloc_noncontiguous(struct device *dev,
 	if (!pages)
 		return NULL;
 -	size = iova_align(iovad, size);
 -	iova = iommu_dma_alloc_iova(domain, size, dev->coherent_dma_mask, dev);
 +	iova_size = iova_align(iovad, size);
 +	iova = iommu_dma_alloc_iova(domain, iova_size, dev->coherent_dma_mask, dev);
 	if (!iova)
 		goto out_free_pages;
 -	if (sg_alloc_table_from_pages(sgt, pages, count, 0, size, GFP_KERNEL))
 +	/* append_table is only used to get a pointer to the last entry */
 +	if (sg_alloc_append_table_from_pages(&sgt_append, pages, count, 0,
 +					iova_size, UINT_MAX, 0, GFP_KERNEL))
 		goto out_free_iova;
 +	memcpy(sgt, &sgt_append.sgt, sizeof(*sgt));
 +	last_sg = sgt_append.prv;
 	if (!(ioprot & IOMMU_CACHE)) {
 		struct scatterlist *sg;
@@ -825,18 +839,59 @@ static struct page **__iommu_dma_alloc_noncontiguous(struct device *dev,
 			arch_dma_prep_coherent(sg_page(sg), sg->length);
 	}
 +	if (iovad->granule > PAGE_SIZE) {
 +		if (size < iovad->granule) {
 +			/*
 +			 * we only have a single sg list entry here that is
 +			 * likely not aligned to iovad->granule. adjust the
 +			 * entry to represent the encapsulating IOMMU page
 +			 * and then later restore everything to its original
 +			 * values, similar to the impedance matching done in
 +			 * iommu_dma_map_sg.
 +			 */
 +			orig_s_phys = sg_phys(sgt->sgl);
 +			orig_s_len = sgt->sgl->length;
 +			orig_s_off = sgt->sgl->offset;
 +			s_iova_off = iova_offset(iovad, orig_s_phys);
 +
 +			sg_set_page(sgt->sgl,
 +				pfn_to_page(PHYS_PFN(orig_s_phys - s_iova_off)),
 +				iova_align(iovad, orig_s_len + s_iova_off),
 +				sgt->sgl->offset & ~s_iova_off);
 +		} else {
 +			/*
 +			 * convince iommu_map_sg_atomic to map the last block
 +			 * even though it may be too small.
 +			 */
 +			orig_s_len = last_sg->length;
 +			last_sg->length = iova_align(iovad, last_sg->length);
 +		}
 +	}
 +
 	ret = iommu_map_sg_atomic(domain, iova, sgt->sgl, sgt->orig_nents, ioprot);
 -	if (ret < 0 || ret < size)
 +	if (ret < 0 || ret < iova_size)
 		goto out_free_sg;
 +	if (iovad->granule > PAGE_SIZE) {
 +		if (size < iovad->granule) {
 +			sg_set_page(sgt->sgl,
 +				pfn_to_page(PHYS_PFN(orig_s_phys)),
 +				orig_s_len, orig_s_off);
 +
 +			iova += s_iova_off;
 +		} else {
 +			last_sg->length = orig_s_len;
 +		}
 +	}
 +
 	sgt->sgl->dma_address = iova;
 -	sgt->sgl->dma_length = size;
 +	sgt->sgl->dma_length = iova_size;
 	return pages;
 out_free_sg:
 	sg_free_table(sgt);
 out_free_iova:
 -	iommu_dma_free_iova(cookie, iova, size, NULL);
 +	iommu_dma_free_iova(cookie, iova, iova_size, NULL);
 out_free_pages:
 	__iommu_dma_free_pages(pages, count);
 	return NULL;
@@ -1040,8 +1124,9 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents,
 		unsigned int s_length = sg_dma_len(s);
 		unsigned int s_iova_len = s->length;
 -		s->offset += s_iova_off;
 -		s->length = s_length;
 +		sg_set_page(s,
 +			    pfn_to_page(PHYS_PFN(sg_phys(s) + s_iova_off)),
 +			    s_length, s_iova_off & ~PAGE_MASK);
 		sg_dma_address(s) = DMA_MAPPING_ERROR;
 		sg_dma_len(s) = 0;
@@ -1082,13 +1167,17 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents,
 static void __invalidate_sg(struct scatterlist *sg, int nents)
 {
 	struct scatterlist *s;
 +	phys_addr_t orig_paddr;
 	int i;
 	for_each_sg(sg, s, nents, i) {
 -		if (sg_dma_address(s) != DMA_MAPPING_ERROR)
 -			s->offset += sg_dma_address(s);
 -		if (sg_dma_len(s))
 -			s->length = sg_dma_len(s);
 +		if (sg_dma_len(s)) {
 +			orig_paddr = sg_phys(s) + sg_dma_address(s);
 +			sg_set_page(s,
 +				    pfn_to_page(PHYS_PFN(orig_paddr)),
 +				    sg_dma_len(s),
 +				    sg_dma_address(s) & ~PAGE_MASK);
 +		}
 		sg_dma_address(s) = DMA_MAPPING_ERROR;
 		sg_dma_len(s) = 0;
 	}
@@ -1166,15 +1255,16 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg,
 	 * stashing the unaligned parts in the as-yet-unused DMA fields.
 	 */
 	for_each_sg(sg, s, nents, i) {
 -		size_t s_iova_off = iova_offset(iovad, s->offset);
 +		phys_addr_t s_phys = sg_phys(s);
 +		size_t s_iova_off = iova_offset(iovad, s_phys);
 		size_t s_length = s->length;
 		size_t pad_len = (mask - iova_len + 1) & mask;
 		sg_dma_address(s) = s_iova_off;
 		sg_dma_len(s) = s_length;
 -		s->offset -= s_iova_off;
 		s_length = iova_align(iovad, s_length + s_iova_off);
 -		s->length = s_length;
 +		sg_set_page(s, pfn_to_page(PHYS_PFN(s_phys - s_iova_off)),
 +			    s_length, s->offset & ~s_iova_off);
 		/*
 		 * Due to the alignment of our single IOVA allocation, we can
@@ -1412,9 +1502,15 @@ static int iommu_dma_get_sgtable(struct device *dev, struct sg_table *sgt,
 		void *cpu_addr, dma_addr_t dma_addr, size_t size,
 		unsigned long attrs)
 {
 +	struct iommu_domain *domain = iommu_get_dma_domain(dev);
 +	struct iommu_dma_cookie *cookie = domain->iova_cookie;
 +	struct iova_domain *iovad = &cookie->iovad;
 	struct page *page;
 	int ret;
 +	if (iovad->granule > PAGE_SIZE)
 +		return -ENXIO;
 +
 	if (is_vmalloc_addr(cpu_addr)) {
 		struct page **pages = dma_common_find_pages(cpu_addr);
 diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
 index f2c45b85b9fc..0c370e486d6e 100644
 --- a/drivers/iommu/iommu.c
 +++ b/drivers/iommu/iommu.c
@@ -80,6 +80,8 @@ static struct iommu_domain *__iommu_domain_alloc(struct bus_type *bus,
 						 unsigned type);
 static int __iommu_attach_device(struct iommu_domain *domain,
 				 struct device *dev);
 +static void __iommu_detach_device(struct iommu_domain *domain,
 +				  struct device *dev);
 static int __iommu_attach_group(struct iommu_domain *domain,
 				struct iommu_group *group);
 static void __iommu_detach_group(struct iommu_domain *domain,
@@ -1976,6 +1978,24 @@ void iommu_domain_free(struct iommu_domain *domain)
 }
 EXPORT_SYMBOL_GPL(iommu_domain_free);
 +static int iommu_check_page_size(struct iommu_domain *domain,
 +				struct device *dev)
 +{
 +	bool trusted = !(dev_is_pci(dev) && to_pci_dev(dev)->untrusted);
 +
 +	if (!iommu_is_paging_domain(domain))
 +		return 0;
 +	if (iommu_is_large_pages_domain(domain) && trusted)
 +		return 0;
 +
 +	if (!(domain->pgsize_bitmap & (PAGE_SIZE | (PAGE_SIZE - 1)))) {
 +		pr_warn("IOMMU pages cannot exactly represent CPU pages.\n");
 +		return -EFAULT;
 +	}
 +
 +	return 0;
 +}
 +
 static int __iommu_attach_device(struct iommu_domain *domain,
 				 struct device *dev)
 {
@@ -1985,9 +2005,23 @@ static int __iommu_attach_device(struct iommu_domain *domain,
 		return -ENODEV;
 	ret = domain->ops->attach_dev(domain, dev);
 -	if (!ret)
 -		trace_attach_device_to_domain(dev);
 -	return ret;
 +	if (ret)
 +		return ret;
 +
 +	/*
 +	 * Check that CPU pages can be represented by the IOVA granularity.
 +	 * This has to be done after ops->attach_dev since many IOMMU drivers
 +	 * only limit domain->pgsize_bitmap after having attached the first
 +	 * device.
 +	 */
 +	ret = iommu_check_page_size(domain, dev);
 +	if (ret) {
 +		__iommu_detach_device(domain, dev);
 +		return ret;
 +	}
 +
 +	trace_attach_device_to_domain(dev);
 +	return 0;
 }
 int iommu_attach_device(struct iommu_domain *domain, struct device *dev)
 diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
 index db77aa675145..180ce65a6789 100644
 --- a/drivers/iommu/iova.c
 +++ b/drivers/iommu/iova.c
@@ -49,10 +49,11 @@ init_iova_domain(struct iova_domain *iovad, unsigned long granule,
 {
 	/*
 	 * IOVA granularity will normally be equal to the smallest
 -	 * supported IOMMU page size; both *must* be capable of
 -	 * representing individual CPU pages exactly.
 +	 * supported IOMMU page size; while both usually are capable of
 +	 * representing individual CPU pages exactly the IOVA allocator
 +	 * supports any granularities that are an exact power of two.
 	 */
 -	BUG_ON((granule > PAGE_SIZE) || !is_power_of_2(granule));
 +	BUG_ON(!is_power_of_2(granule));
 	spin_lock_init(&iovad->iova_rbtree_lock);
 	iovad->rbroot = RB_ROOT;
 diff --git a/include/linux/iommu.h b/include/linux/iommu.h
 index 9208eca4b0d1..dec2dd70a876 100644
 --- a/include/linux/iommu.h
 +++ b/include/linux/iommu.h
@@ -63,6 +63,8 @@ struct iommu_domain_geometry {
 					      implementation              */
 #define __IOMMU_DOMAIN_PT	(1U << 2)  /* Domain is identity mapped   */
 #define __IOMMU_DOMAIN_DMA_FQ	(1U << 3)  /* DMA-API uses flush queue    */
 +#define __IOMMU_DOMAIN_LP	(1U << 4)  /* Support for PAGE_SIZE smaller
 +					      than IOMMU page size        */
 /*
  * This are the possible domain-types
@@ -82,10 +84,12 @@ struct iommu_domain_geometry {
 #define IOMMU_DOMAIN_IDENTITY	(__IOMMU_DOMAIN_PT)
 #define IOMMU_DOMAIN_UNMANAGED	(__IOMMU_DOMAIN_PAGING)
 #define IOMMU_DOMAIN_DMA	(__IOMMU_DOMAIN_PAGING |	\
 -				 __IOMMU_DOMAIN_DMA_API)
 +				 __IOMMU_DOMAIN_DMA_API |       \
 +				 __IOMMU_DOMAIN_LP)
 #define IOMMU_DOMAIN_DMA_FQ	(__IOMMU_DOMAIN_PAGING |	\
 				 __IOMMU_DOMAIN_DMA_API |	\
 -				 __IOMMU_DOMAIN_DMA_FQ)
 +				 __IOMMU_DOMAIN_DMA_FQ |        \
 +				 __IOMMU_DOMAIN_LP)
 struct iommu_domain {
 	unsigned type;
@@ -102,6 +106,16 @@ static inline bool iommu_is_dma_domain(struct iommu_domain *domain)
 	return domain->type & __IOMMU_DOMAIN_DMA_API;
 }
 +static inline bool iommu_is_paging_domain(struct iommu_domain *domain)
 +{
 +	return domain->type & __IOMMU_DOMAIN_PAGING;
 +}
 +
 +static inline bool iommu_is_large_pages_domain(struct iommu_domain *domain)
 +{
 +	return domain->type & __IOMMU_DOMAIN_LP;
 +}
 +
 enum iommu_cap {
 	IOMMU_CAP_CACHE_COHERENCY,	/* IOMMU can enforce cache coherent DMA
 					   transactions */
--- a/machines/nat/m1-support/m1n1/default.nix
+++ b/machines/nat/m1-support/m1n1/default.nix
@@ -1,85 +0,0 @@
 { stdenv
 , lib
 , fetchFromGitHub
 , pkgsCross
 , python3
 , dtc
 , isRelease ? false
 , withTools ? true
 , withChainloading ? false
 , rust-bin ? null
 }:
 assert withChainloading -> rust-bin != null;
 let
  pyenv = python3.withPackages (p: with p; [
    construct
    pyserial
  ]);
  rustenv = rust-bin.selectLatestNightlyWith (toolchain: toolchain.minimal.override {
    targets = [ "aarch64-unknown-none-softfloat" ];
  });
 in stdenv.mkDerivation rec {
  pname = "m1n1";
  version = "1.1.3";
  src = fetchFromGitHub {
    # tracking branch: https://github.com/AsahiLinux/m1n1/tree/main
    owner = "AsahiLinux";
    repo = "m1n1";
    rev = "v${version}";
    hash = "sha256-S2HLBLmgER0ZZJ5Q4EX2f1KDxnol0yCDrloDMJaLwBE=";
    fetchSubmodules = true;
  };
  makeFlags = [ "ARCH=aarch64-unknown-linux-gnu-" ]
    ++ lib.optional isRelease "RELEASE=1"
    ++ lib.optional withChainloading "CHAINLOADING=1";
  nativeBuildInputs = [
    dtc
    pkgsCross.aarch64-multiplatform.buildPackages.gcc
  ] ++ lib.optional withChainloading rustenv;
  postPatch = ''
    substituteInPlace proxyclient/m1n1/asm.py \
      --replace 'aarch64-linux-gnu-' 'aarch64-unknown-linux-gnu-' \
      --replace 'TOOLCHAIN = ""' 'TOOLCHAIN = "'$out'/toolchain-bin/"'
  '';
  installPhase = ''
    runHook preInstall
    mkdir -p $out/build
    cp build/m1n1.macho $out/build
    cp build/m1n1.bin $out/build
  '' + (lib.optionalString withTools ''
    mkdir -p $out/{bin,script,toolchain-bin}
    cp -r proxyclient $out/script
    cp -r tools $out/script
    for toolpath in $out/script/proxyclient/tools/*.py; do
      tool=$(basename $toolpath .py)
      script=$out/bin/m1n1-$tool
      cat > $script <<EOF
 #!/bin/sh
 ${pyenv}/bin/python $toolpath "\$@"
 EOF
      chmod +x $script
    done
    GCC=${pkgsCross.aarch64-multiplatform.buildPackages.gcc}
    BINUTILS=${pkgsCross.aarch64-multiplatform.buildPackages.binutils}
    REAL_BINUTILS=$(grep -o '/nix/store/[^ ]*binutils[^ ]*' $BINUTILS/nix-support/propagated-user-env-packages)
    ln -s $GCC/bin/*-gcc $out/toolchain-bin/
    ln -s $GCC/bin/*-ld $out/toolchain-bin/
    ln -s $REAL_BINUTILS/bin/*-objcopy $out/toolchain-bin/
    ln -s $REAL_BINUTILS/bin/*-objdump $out/toolchain-bin/
    ln -s $REAL_BINUTILS/bin/*-nm $out/toolchain-bin/
  '') + ''
    runHook postInstall
  '';
 }
--- a/machines/nat/m1-support/u-boot/default.nix
+++ b/machines/nat/m1-support/u-boot/default.nix
@@ -1,35 +0,0 @@
 { lib
 , fetchFromGitHub
 , pkgsCross
 , m1n1
 }: (pkgsCross.aarch64-multiplatform.buildUBoot rec {
  src = fetchFromGitHub {
    # tracking branch: https://github.com/AsahiLinux/u-boot/tree/releng/installer-release
    owner = "AsahiLinux";
    repo = "u-boot";
    rev = "300817d324f73c30c998a10435d5d830b58df894";
    hash = "sha256-6q4l1gHAlaGM7ktlCBmehb/ZNvmpt1eah6tTdsQJfxM=";
  };
  version = "unstable-2022-07-11";
  defconfig = "apple_m1_defconfig";
  extraMeta.platforms = [ "aarch64-linux" ];
  filesToInstall = [
    "u-boot-nodtb.bin.gz"
    "m1n1-u-boot.macho"
    "m1n1-u-boot.bin"
  ];
  extraConfig = ''
    CONFIG_IDENT_STRING=" ${version}"
  '';
 }).overrideAttrs (o: {
  # nixos's downstream patches are not applicable
  patches = [ ];
  preInstall = ''
    # compress so that m1n1 knows U-Boot's size and can find things after it
    gzip -n u-boot-nodtb.bin
    cat ${m1n1}/build/m1n1.macho arch/arm/dts/t[68]*.dtb u-boot-nodtb.bin.gz > m1n1-u-boot.macho
    cat ${m1n1}/build/m1n1.bin arch/arm/dts/t[68]*.dtb u-boot-nodtb.bin.gz > m1n1-u-boot.bin
  '';
 })
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Zuckerberg	b7549e63f5	prototype	2023-04-26 14:46:55 -06:00
Zuckerberg	306ce8bc3f	Move s0 to systemd-boot	2023-04-25 23:41:08 -06:00
Zuckerberg	b5dd983ba3	Automatically set machine hostname	2023-04-24 20:52:17 -06:00
Zuckerberg	832894edfc	Gitea runner	2023-04-23 10:29:18 -06:00
Zuckerberg	feb6270952	Update options for newer nixpkgs	2023-04-23 10:28:55 -06:00
Zuckerberg	b4dd2d4a92	update TODOs	2023-04-23 10:16:54 -06:00
Zuckerberg	38c2e5aece	Fix properties.nix path loading	2023-04-21 23:24:05 -06:00
Zuckerberg	0ef689b750	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31) → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21) • Updated input 'deploy-rs': 'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19) → 'github:serokell/deploy-rs/c2ea4e642dc50fd44b537e9860ec95867af30d39' (2023-04-21) • Updated input 'flake-utils': 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) → 'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11) • Added input 'flake-utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/4306fa7c12e098360439faac1a2e6b8e509ec97c' (2023-02-26) → 'github:Mic92/nix-index-database/68ec961c51f48768f72d2bbdb396ce65a316677e' (2023-04-15) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/78c4d33c16092e535bc4ba1284ba49e3e138483a' (2023-03-03) → 'github:NixOS/nixpkgs/8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8' (2023-04-22)	2023-04-21 21:22:00 -06:00
Zuckerberg	e72e19b7e8	Fix auto upgrade	2023-04-21 18:58:54 -06:00
Zuckerberg	03603119e5	Fix invalid import issue.	2023-04-21 18:57:06 -06:00
Zuckerberg	71baa09bd2	Refactor imports and secrets. Add per system properties and role based secret access. Highlights - No need to update flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets automatically are grouped and show up in agenix secrets.nix - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now competely isolated into each machine's directory. - Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.	2023-04-21 12:58:11 -06:00
Zuckerberg	a02775a234	Update install steps	2023-04-19 21:17:45 -06:00
Zuckerberg	5800359214	Update install steps	2023-04-19 21:17:03 -06:00
Zuckerberg	0bd42f1850	Update install steps	2023-04-19 21:15:58 -06:00
Zuckerberg	40f0e5d2ac	Add Phil	2023-04-19 18:12:42 -06:00
Zuckerberg	f90b9f85fd	try out appvm	2023-04-18 23:15:21 -06:00
Zuckerberg	5b084fffcc	moonlander	2023-04-18 23:15:03 -06:00
Zuckerberg	4dd6401f8c	update TODOs	2023-04-18 23:14:49 -06:00
Zuckerberg	260bbc1ffd	Use doas instead of sudo	2023-04-10 22:03:57 -06:00
Zuckerberg	c8132a67d0	Use lf as terminal file explorer	2023-04-10 22:03:29 -06:00
Zuckerberg	3412d5caf9	Use hashed passwordfile just to be safe	2023-04-09 23:00:10 -06:00
Zuckerberg	1065cc4b59	Enable gitea email notifications	2023-04-09 22:05:23 -06:00
Zuckerberg	154b37879b	Cross off finished TODOs	2023-04-09 22:04:51 -06:00
Zuckerberg	a34238b3a9	Easily run restic commands on a backup group	2023-04-09 13:06:15 -06:00
Zuckerberg	42e2ebd294	Allow marking folders as omitted from backup	2023-04-09 12:35:20 -06:00
Zuckerberg	378cf47683	restic backups	2023-04-08 21:25:55 -06:00
Zuckerberg	f68a4f4431	nixpkgs-fmt everything	2023-04-04 23:30:28 -06:00
Zuckerberg	3c683e7b9e	NixOS router is now in active use :)	2023-04-04 20:53:38 -06:00
Zuckerberg	68bd70b525	Basic router working using the wip hostapd module from upstream	2023-04-04 12:57:16 -06:00
Zuckerberg	2189ab9a1b	Improve cifs mounts. Newer protocol version, helpful commands, better network connection resiliency.	2023-03-31 11:43:12 -06:00
Zuckerberg	acbbb8a37a	encrypted samba vault with gocryptfs	2023-03-25 15:49:07 -06:00
Zuckerberg	d1e6d21d66	iperf server	2023-03-25 15:48:39 -06:00
Zuckerberg	1a98e039fe	Cleanup fio tests	2023-03-25 15:48:24 -06:00
Zuckerberg	3459ce5058	Add joplin	2023-03-18 22:04:31 -06:00
Zuckerberg	c48b1995f8	Remove zerotier	2023-03-18 20:41:09 -06:00
Zuckerberg	53c0e7ba1f	Add Webmail	2023-03-14 23:28:07 -06:00
Zuckerberg	820cd392f1	Choose random PIA server in a specified region instead of hardcoded. And more TODOs addressed.	2023-03-12 22:55:46 -06:00
Zuckerberg	759fe04185	with lib;	2023-03-12 21:50:46 -06:00
Zuckerberg	db441fcf98	Add ability to refuse PIA ports	2023-03-12 21:46:36 -06:00
Zuckerberg	83e9280bb4	Use the NixOS firewall instead to block unwanted PIA VPN traffic	2023-03-12 20:49:39 -06:00
Zuckerberg	478235fe32	Enable firewall for PIA VPN wireguard interface	2023-03-12 20:29:20 -06:00
Zuckerberg	440401a391	Add ponyo to deploy-rs config	2023-03-12 19:50:55 -06:00
Zuckerberg	42c0dcae2d	Port forwarding for transmission	2023-03-12 19:50:29 -06:00
Zuckerberg	7159868b57	update todo's	2023-03-12 19:46:51 -06:00
Zuckerberg	ab2cc0cc0a	Cleanup services	2023-03-12 17:51:10 -06:00
Zuckerberg	aaa1800d0c	Cleanup mail domains	2023-03-12 13:29:12 -06:00
Zuckerberg	a795c65c32	Cleanup mail domains	2023-03-12 13:25:34 -06:00
Zuckerberg	5ed02e924d	Remove liza	2023-03-12 00:15:06 -07:00
Zuckerberg	1d620372b8	Remove leftovers of removed compute nodes	2023-03-12 00:14:49 -07:00
Zuckerberg	9684a975e2	Migrate nextcloud to ponyo	2023-03-12 00:10:14 -07:00
Zuckerberg	c3c3a9e77f	disable searx for now	2023-03-12 00:09:40 -07:00
Zuckerberg	ecb6d1ef63	Migrate mailserver to ponyo	2023-03-11 23:40:36 -07:00
Zuckerberg	a5f7bb8a22	Fix vpn systemd service restart issues	2023-03-09 13:07:20 -07:00
Zuckerberg	cea9b9452b	Initial prototype for Wireguard based PIA VPN - not quite 'ready' yet	2023-03-08 23:49:02 -07:00
Zuckerberg	8fb45a7ee5	Turn off howdy	2023-03-08 23:47:11 -07:00
Zuckerberg	b53f03bb7d	Fix typo	2023-03-08 23:45:49 -07:00
Zuckerberg	dee0243268	Peer to peer connection keepalive task	2023-03-07 22:55:37 -07:00
Zuckerberg	8b6bc354bd	Peer to peer connection keepalive task	2023-03-07 22:54:26 -07:00
Zuckerberg	aff5611cdb	Update renamed nixos options	2023-03-07 22:52:31 -07:00
Zuckerberg	c5e7d8b2fe	Allow easy patching of nixpkgs	2023-03-03 23:24:33 -07:00
Zuckerberg	90a3549237	use comma and pregenerated nix-index	2023-03-03 00:18:20 -07:00
Zuckerberg	63f2a82ad1	ignore lid close for NAS	2023-03-03 00:16:57 -07:00
Zuckerberg	0cc39bfbe0	deploy-rs initial PoC	2023-03-03 00:16:23 -07:00
Zuckerberg	ec54b27d67	fix router serial	2023-03-03 00:14:22 -07:00
Zuckerberg	bba4f27465	add picocom for serial	2023-03-03 00:12:35 -07:00
Zuckerberg	b5c77611d7	remove unused compute nodes	2023-03-03 00:12:16 -07:00
Zuckerberg	987919417d	allow root login over ssh using trusted key	2023-02-11 23:07:48 -07:00
Zuckerberg	d8dbb12959	grow disk for ponyo	2023-02-11 19:01:42 -07:00
Zuckerberg	3e0cde40b8	Cleanup remote LUKS unlock	2023-02-11 18:40:08 -07:00
Zuckerberg	2c8576a295	Hardware accelerated encoding for jellyfin	2023-02-11 16:10:19 -07:00
Zuckerberg	8aecc04d01	config cleanup	2023-02-11 16:10:10 -07:00
Zuckerberg	9bcf7cc50d	VPN using its own DNS resolver is unstable	2023-02-11 16:09:02 -07:00
Zuckerberg	cb2ac1c1ba	Use x86 machine for NAS	2023-02-11 16:08:48 -07:00
Zuckerberg	7f1e304012	Remove stale secrets	2023-02-11 15:19:35 -07:00
Zuckerberg	9e3dae4b16	Rekey secrets	2023-02-11 15:07:08 -07:00
Zuckerberg	c649b04bdd	Update ssh keys and allow easy ssh LUKS unlocking	2023-02-11 15:05:20 -07:00
Zuckerberg	6fce2e1116	Allow unlocking over tor	2023-02-11 13:38:54 -07:00
Zuckerberg	3e192b3321	Hardware config should be in hardware config	2023-02-11 13:35:46 -07:00
Zuckerberg	bc863de165	Hardware config should be in hardware config	2023-02-11 09:48:25 -07:00
Zuckerberg	cfa5c9428e	Remove reg	2023-02-11 09:46:05 -07:00
Zuckerberg	abddc5a680	Razer keyboard	2023-02-11 00:32:36 -07:00
Zuckerberg	577dc4faaa	Add initial configuration for APU2E4 router	2023-02-10 20:51:10 -07:00
Zuckerberg	a8b0385c6d	more ephemeral options	2023-02-08 22:27:54 -07:00
Zuckerberg	fc85627bd6	use unstable for ephemeral os config	2023-02-08 22:26:04 -07:00
Zuckerberg	f9cadba3eb	improve ephemeral os config	2023-02-08 22:25:09 -07:00
Zuckerberg	c192c2d52f	enable spotify	2023-02-08 18:48:08 -07:00
Zuckerberg	04c7a9ea51	Update tz	2023-02-08 18:47:58 -07:00
Zuckerberg	6f9edd8870	Add ISO build	2023-02-08 01:36:23 -05:00
Zuckerberg	076bdb3ab4	Use upstream nvidia reverse prime support	2023-02-08 01:35:25 -05:00
Zuckerberg	fcbd877d06	flake.lock: Update Flake lock file updates: • Updated input 'nix-locate': 'github:googlebot42/nix-index/a28bb3175d370c6cb9569e6d4b5570e9ca016a3e' (2022-05-17) → 'github:bennofs/nix-index/5f98881b1ed27ab6656e6d71b534f88430f6823a' (2023-01-17) • Updated input 'nix-locate/flake-compat': 'github:edolstra/flake-compat/b7547d3eed6f32d06102ead8991ec52ab0a4f1a7' (2022-01-03) → 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08) → 'github:NixOS/nixpkgs/32f914af34f126f54b45e482fb2da4ae78f3095f' (2023-02-08)	2023-02-08 00:59:29 -05:00
Zuckerberg	27f4b5af78	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15) → 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31) • Added input 'agenix/darwin': 'github:lnl7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09) • Added input 'agenix/darwin/nixpkgs': follows 'agenix/nixpkgs' • Updated input 'archivebox': 'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=master&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30) → 'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=refs%2fheads%2fmaster&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30) • Updated input 'dailybuild_modules': 'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=master&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05) → 'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=refs%2fheads%2fmaster&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05) • Updated input 'flake-utils': 'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07) → 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22) → 'github:NixOS/nixpkgs/0874168639713f547c05947c76124f78441ea46c' (2023-01-01) • Removed input 'nixpkgs-nvidia' • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21) → 'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08) • Updated input 'radio-web': 'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=master&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09) → 'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=refs%2fheads%2fmaster&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09)	2023-02-08 00:33:47 -05:00
Zuckerberg	7238d6e6c5	latest kernel not needed for wifi anymore	2023-02-06 22:45:34 -05:00
Zuckerberg	094905a727	virt-manager	2023-02-06 22:44:22 -05:00
Zuckerberg	cf3fa0ff12	depthai udev	2023-02-06 22:44:09 -05:00
Zuckerberg	7c7b356aab	Remove 'I don't care about cookies'. It is under new management	2023-02-06 22:43:43 -05:00
Zuckerberg	c57e4f022f	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/7e5e58b98c3dcbf497543ff6f22591552ebfe65b' (2022-05-16) → 'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15) • Updated input 'flake-utils': 'github:numtide/flake-utils/1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1' (2022-05-30) → 'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d17a56d90ecbd1b8fc908d49598fb854ef188461' (2022-06-17) → 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/42948b300670223ca8286aaf916bc381f66a5313' (2022-04-08) → 'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/a48082c79cff8f3b314ba4f95f4ae87ca7d4d068' (2022-06-14) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/f535d8123c4761b2ed8138f3d202ea710a334a1d' (2022-06-22)	2022-10-23 10:43:19 -04:00
zuckerberg	f5a9f04cf2	Rekey secrets	2022-08-25 23:16:22 -04:00
zuckerberg	50fd928cda	Change key	2022-08-25 23:16:09 -04:00