Pinning system nixpkgs is not needed anymore. nixpkgs already does this automatically for flakes.

Update nixpkgs. Move to new dashy service
Add Home Manager
2025-03-28 21:45:46 -07:00 · 2025-03-28 21:05:37 -07:00 · 2025-03-28 20:27:14 -07:00 · 2025-03-28 20:24:33 -07:00 · 2025-03-28 20:23:07 -07:00 · 2025-03-28 20:22:14 -07:00
186 changed files with 14165 additions and 2958 deletions
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@ -0,0 +1,19 @@
 name: Check Flake
 on: [push]
 env:
  DEBIAN_FRONTEND: noninteractive
  PATH: /run/current-system/sw/bin/
 jobs:
  check-flake:
    runs-on: nixos
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Check Flake
        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
--- a/27
+++ b/27
@ -0,0 +1,27 @@
 # Lockfile utils
 .PHONY: update-lockfile
 update-lockfile:
 	nix flake update --commit-lock-file
 .PHONY: update-lockfile-without-commit
 update-lockfile-without-commit:
 	nix flake update
 # Agenix utils
 .PHONY: edit-secret
 edit-secret:
 	cd secrets && agenix -e $(filter-out $@,$(MAKECMDGOALS))
 .PHONY: rekey-secrets
 rekey-secrets:
 	cd secrets && agenix -r
 # NixOS utils
 .PHONY: clean-old-nixos-profiles
 clean-old-nixos-profiles:
 	doas nix-collect-garbage -d
 # Garbage Collect
 .PHONY: gc
 gc:
 	nix store gc
--- a/README.md
+++ b/README.md
@ -3,10 +3,9 @@
 ### Source Layout
 - `/common` - common configuration imported into all `/machines`
    - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
-    - `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
+    - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
-    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
+    - `/pc` - config that a graphical PC should have. Have the `personal` role set in the machine's `properties.nix` to enable everthing.
    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
    - `/ssh.nix` - all ssh public host and user keys for all `/machines`
 - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
 - `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
--- a/TODO.md
+++ b/TODO.md
@ -10,24 +10,12 @@
 - https://nixos.wiki/wiki/Comparison_of_NixOS_setups
 ### Housekeeping
 - Format everything here using nixfmt
 - Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
 - CI https://gvolpe.com/blog/nixos-binary-cache-ci/
 - remove `options.currentSystem`
 - allow `hostname` option for webservices to be null to disable configuring nginx
 ### NAS
 - helios64 extra led lights
 - safely turn off NAS on power disconnect
 - hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
 - tor unlock
 ### bcachefs
 - bcachefs health alerts via email
 - bcachefs periodic snapshotting
 - use mount.bcachefs command for mounting
 - bcachefs native encryption
    - just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
 ### Shell Comands
 - tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
@ -52,21 +40,7 @@
        - https://ampache.org/
 - replace nextcloud with seafile
 ### VPN container
 - use wireguard for vpn
    - https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
    - https://github.com/pia-foss/manual-connections
    - port forwarding for vpn
        - transmission using forwarded port
    - https://www.wireguard.com/netns/
    - one way firewall for vpn container
 ### Networking
 - tailscale for p2p connections
    - remove all use of zerotier
 ### Archive
 - https://www.backblaze.com/b2/cloud-storage.html
 - email
    - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
    - http://kb.unixservertech.com/software/dovecot/archiveserver
@ -75,7 +49,32 @@
 - https://christine.website/blog/paranoid-nixos-2021-07-18
 - https://nixos.wiki/wiki/Impermanence
 # Setup CI
 - CI
    - hydra
    - https://docs.cachix.org/continuous-integration-setup/
 - Binary Cache
    - Maybe use cachix https://gvolpe.com/blog/nixos-binary-cache-ci/
    - Self hosted binary cache? https://www.tweag.io/blog/2019-11-21-untrusted-ci/
    - https://github.com/edolstra/nix-serve
    - https://nixos.wiki/wiki/Binary_Cache
    - https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
 - Both
    - https://garnix.io/
    - https://nixbuild.net
 # Secrets
 - consider using headscale
 - Replace luks over tor for remote unlock with luks over tailscale using ephemeral keys
 - Rollover luks FDE passwords
 - /secrets on personal computers should only be readable using a trusted ssh key, preferably requiring a yubikey
 - Rollover shared yubikey secrets
 - offsite backup yubikey, pw db, and ssh key with /secrets access
 ### Misc
 - for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
  - https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper
--- a/common/auto-update.nix
+++ b/common/auto-update.nix
@ -4,11 +4,12 @@
 let
  cfg = config.system.autoUpgrade;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    system.autoUpgrade = {
      flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
-      flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
+      flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
    };
  };
 }
--- a/common/backups.nix
+++ b/common/backups.nix
@ -0,0 +1,78 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.backup;
  hostname = config.networking.hostName;
  mkRespository = group: "s3:s3.us-west-004.backblazeb2.com/D22TgIt0-main-backup/${group}";
  mkBackup = group: paths: {
    repository = mkRespository group;
    inherit paths;
    initialize = true;
    timerConfig = {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
    extraBackupArgs = [
      ''--exclude-if-present ".nobackup"''
    ];
    pruneOpts = [
      "--keep-daily 7" # one backup for each of the last n days
      "--keep-weekly 5" # one backup for each of the last n weeks
      "--keep-monthly 12" # one backup for each of the last n months
      "--keep-yearly 75" # one backup for each of the last n years
    ];
    environmentFile = "/run/agenix/backblaze-s3-backups";
    passwordFile = "/run/agenix/restic-password";
  };
  # example usage: "sudo restic_samba unlock" (removes lockfile)
  mkResticGroupCmd = group: pkgs.writeShellScriptBin "restic_${group}" ''
    if [ "$EUID" -ne 0 ]
      then echo "Run as root"
      exit
    fi
    . /run/agenix/backblaze-s3-backups
    export AWS_SECRET_ACCESS_KEY
    export AWS_ACCESS_KEY_ID
    export RESTIC_PASSWORD_FILE=/run/agenix/restic-password
    export RESTIC_REPOSITORY="${mkRespository group}"
    exec ${pkgs.restic}/bin/restic "$@"
  '';
 in
 {
  options.backup = {
    group = lib.mkOption {
      default = null;
      type = lib.types.nullOr (lib.types.attrsOf (lib.types.submodule {
        options = {
          paths = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            description = ''
              Paths to backup
            '';
          };
        };
      }));
    };
  };
  config = lib.mkIf (cfg.group != null) {
    services.restic.backups = lib.concatMapAttrs
      (group: groupCfg: {
        ${group} = mkBackup group groupCfg.paths;
      })
      cfg.group;
    age.secrets.backblaze-s3-backups.file = ../secrets/backblaze-s3-backups.age;
    age.secrets.restic-password.file = ../secrets/restic-password.age;
    environment.systemPackages = map mkResticGroupCmd (builtins.attrNames cfg.group);
  };
 }
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
@ -0,0 +1,17 @@
 { config, lib, ... }:
 {
  nix = {
    settings = {
      substituters = [
        "https://cache.nixos.org/"
        "https://nix-community.cachix.org"
        "http://s0.koi-bebop.ts.net:5000"
      ];
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
      ];
    };
  };
 }
--- a/common/boot/bios.nix
+++ b/common/boot/bios.nix
@ -3,24 +3,27 @@
 with lib;
 let
  cfg = config.bios;
-in {
+in
 {
  options.bios = {
    enable = mkEnableOption "enable bios boot";
    device = mkOption {
      type = types.str;
    };
    configurationLimit = mkOption {
      default = 20;
      type = types.int;
    };
  };
  config = mkIf cfg.enable {
    # Use GRUB 2 for BIOS
    boot.loader = {
      timeout = 2;
      grub = {
        enable = true;
        device = cfg.device;
        version = 2;
        useOSProber = true;
-        configurationLimit = 20;
+        configurationLimit = cfg.configurationLimit;
        theme = pkgs.nixos-grub2-theme;
      };
    };
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@ -5,6 +5,6 @@
    ./firmware.nix
    ./efi.nix
    ./bios.nix
-    ./luks.nix
+    ./remote-luks-unlock.nix
  ];
 }
--- a/common/boot/efi.nix
+++ b/common/boot/efi.nix
@ -3,24 +3,27 @@
 with lib;
 let
  cfg = config.efi;
-in {
+in
 {
  options.efi = {
    enable = mkEnableOption "enable efi boot";
    configurationLimit = mkOption {
      default = 20;
      type = types.int;
    };
  };
  config = mkIf cfg.enable {
    # Use GRUB2 for EFI
    boot.loader = {
      efi.canTouchEfiVariables = true;
      timeout = 2;
      grub = {
        enable = true;
        device = "nodev";
        version = 2;
        efiSupport = true;
        useOSProber = true;
-#       memtest86.enable = true;
+        #       memtest86.enable = true;
-        configurationLimit = 20;
+        configurationLimit = cfg.configurationLimit;
        theme = pkgs.nixos-grub2-theme;
      };
    };
--- a/common/boot/firmware.nix
+++ b/common/boot/firmware.nix
@ -3,7 +3,8 @@
 with lib;
 let
  cfg = config.firmware;
-in {
+in
 {
  options.firmware.x86_64 = {
    enable = mkEnableOption "enable x86_64 firmware";
  };
--- a/common/boot/luks.nix
+++ b/common/boot/luks.nix
@ -1,101 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.luks;
 in {
  options.luks = {
    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
    device = {
      name = lib.mkOption {
        type = lib.types.str;
        default = "enc-pv";
      };
      path = lib.mkOption {
        type = lib.types.either lib.types.str lib.types.path;
      };
      allowDiscards = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
    };
    sshHostKeys = lib.mkOption {
      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
      default = [
        "/secret/ssh_host_rsa_key"
        "/secret/ssh_host_ed25519_key"
      ];
    };
    sshAuthorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
    };
    onionConfig = lib.mkOption {
      type = lib.types.path;
      default = /secret/onion;
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
    };
  };
  config = lib.mkIf cfg.enable {
    boot.initrd.luks.devices.${cfg.device.name} = {
      device = cfg.device.path;
      allowDiscards = cfg.device.allowDiscards;
    };
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;
    boot.initrd.network.ssh = {
      enable = true;
      port = 22;
      hostKeys = cfg.sshHostKeys;
      authorizedKeys = cfg.sshAuthorizedKeys;
    };
    boot.initrd.postDeviceCommands = ''
      echo 'waiting for root device to be opened...'
      mkfifo /crypt-ramfs/passphrase
      echo /crypt-ramfs/passphrase >> /dev/null
    '';
    # Make machine accessable over tor for boot unlock
    boot.initrd.secrets = {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
    # start tor during boot process
    boot.initrd.network.postCommands = let
      torRc = (pkgs.writeText "tor.rc" ''
        DataDirectory /etc/tor
        SOCKSPort 127.0.0.1:9050 IsolateDestAddr
        SOCKSPort 127.0.0.1:9063
        HiddenServiceDir /etc/tor/onion/bootup
        HiddenServicePort 22 127.0.0.1:22
      '');
    in ''
      # Add nice prompt for giving LUKS passphrase over ssh
      echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
      echo "tor: preparing onion folder"
      # have to do this otherwise tor does not want to start
      chmod -R 700 /etc/tor
      echo "make sure localhost is up"
      ip a a 127.0.0.1/8 dev lo
      ip link set lo up
      echo "haveged: starting haveged"
      haveged -F &
      echo "tor: starting tor"
      tor -f ${torRc} --verify-config
      tor -f ${torRc} &
    '';
  };
 }
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@ -0,0 +1,96 @@
 { config, pkgs, lib, ... }:
 # TODO: use tailscale instead of tor https://gist.github.com/antifuchs/e30d58a64988907f282c82231dde2cbc
 let
  cfg = config.remoteLuksUnlock;
 in
 {
  options.remoteLuksUnlock = {
    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
    enableTorUnlock = lib.mkOption {
      type = lib.types.bool;
      default = cfg.enable;
      description = "Make machine accessable over tor for ssh boot unlock";
    };
    sshHostKeys = lib.mkOption {
      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
      default = [
        "/secret/ssh_host_rsa_key"
        "/secret/ssh_host_ed25519_key"
      ];
    };
    sshAuthorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
    };
    onionConfig = lib.mkOption {
      type = lib.types.path;
      default = /secret/onion;
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
    };
  };
  config = lib.mkIf cfg.enable {
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;
    boot.initrd.network.ssh = {
      enable = true;
      port = 22;
      hostKeys = cfg.sshHostKeys;
      authorizedKeys = cfg.sshAuthorizedKeys;
    };
    boot.initrd.postDeviceCommands = ''
      echo 'waiting for root device to be opened...'
      mkfifo /crypt-ramfs/passphrase
      echo /crypt-ramfs/passphrase >> /dev/null
    '';
    boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
    boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
    boot.initrd.network.postCommands = lib.mkMerge [
      (
        ''
          # Add nice prompt for giving LUKS passphrase over ssh
          echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
        ''
      )
      (
        let torRc = (pkgs.writeText "tor.rc" ''
          DataDirectory /etc/tor
          SOCKSPort 127.0.0.1:9050 IsolateDestAddr
          SOCKSPort 127.0.0.1:9063
          HiddenServiceDir /etc/tor/onion/bootup
          HiddenServicePort 22 127.0.0.1:22
        ''); in
        lib.mkIf cfg.enableTorUnlock ''
          echo "tor: preparing onion folder"
          # have to do this otherwise tor does not want to start
          chmod -R 700 /etc/tor
          echo "make sure localhost is up"
          ip a a 127.0.0.1/8 dev lo
          ip link set lo up
          echo "haveged: starting haveged"
          haveged -F &
          echo "tor: starting tor"
          tor -f ${torRc} --verify-config
          tor -f ${torRc} &
        ''
      )
    ];
  };
 }
--- a/common/default.nix
+++ b/common/default.nix
@ -1,7 +1,9 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
  imports = [
    ./backups.nix
    ./binary-cache.nix
    ./flakes.nix
    ./auto-update.nix
    ./shell.nix
@ -9,28 +11,43 @@
    ./boot
    ./server
    ./pc
    ./machine-info
    ./nix-builder.nix
    ./ssh.nix
  ];
  nix.flakes.enable = true;
-  system.stateVersion = "21.11";
+  system.stateVersion = "23.11";
-  networking.useDHCP = false;
+  networking.useDHCP = lib.mkDefault true;
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
-  time.timeZone = "America/New_York";
+  time.timeZone = "America/Los_Angeles";
-  i18n.defaultLocale = "en_US.UTF-8";
+  i18n = {
    defaultLocale = "en_US.UTF-8";
    extraLocaleSettings = {
      LANGUAGE = "en_US.UTF-8";
      LC_ALL = "en_US.UTF-8";
    };
  };
-  services.openssh.enable = true;
+  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
    };
  };
  programs.mosh.enable = true;
  environment.systemPackages = with pkgs; [
    wget
    kakoune
    htop
-    git git-lfs
+    git
    git-lfs
    dnsutils
    tmux
    nethogs
@ -42,6 +59,10 @@
    micro
    helix
    lm_sensors
    picocom
    lf
    gnumake
    tree
  ];
  nixpkgs.config.allowUnfree = true;
@ -54,14 +75,32 @@
      "dialout" # serial
    ];
    shell = pkgs.fish;
-    openssh.authorizedKeys.keys = (import ./ssh.nix).users;
+    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
    uid = 1000;
  };
-  nix.trustedUsers = [ "root" "googlebot" ];
+  users.users.root = {
    openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
  };
  nix.settings = {
    trusted-users = [ "root" "googlebot" ];
  };
  # don't use sudo
  security.doas.enable = true;
  security.sudo.enable = false;
  security.doas.extraRules = [
    # don't ask for password every time
    { groups = [ "wheel" ]; persist = true; }
  ];
  nix.gc.automatic = true;
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "zuckerberg@neet.dev";
  # Enable Desktop Environment if this is a PC (machine role is "personal")
  de.enable = (
    builtins.elem config.networking.hostName config.machines.roles.personal
  );
 }
--- a/common/flakes.nix
+++ b/common/flakes.nix
@ -2,23 +2,17 @@
 with lib;
 let
  cfg = config.nix.flakes;
-in {
+in
 {
  options.nix.flakes = {
    enable = mkEnableOption "use nix flakes";
  };
  config = mkIf cfg.enable {
    nix = {
      package = pkgs.nixFlakes;
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
      # pin nixpkgs for system commands such as "nix shell"
      registry.nixpkgs.flake = config.inputs.nixpkgs;
      # pin system nixpkgs to the same version as the flake input
      nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
    };
  };
 }
--- a/common/machine-info/default.nix
+++ b/common/machine-info/default.nix
@ -0,0 +1,200 @@
 # Gathers info about each machine to constuct overall configuration
 # Ex: Each machine already trusts each others SSH fingerprint already
 { config, lib, pkgs, ... }:
 let
  machines = config.machines.hosts;
 in
 {
  imports = [
    ./ssh.nix
    ./roles.nix
  ];
  options.machines = {
    hosts = lib.mkOption {
      type = lib.types.attrsOf
        (lib.types.submodule {
          options = {
            hostNames = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              description = ''
                List of hostnames for this machine. The first one is the default so it is the target of deployments.
                Used for automatically trusting hosts for ssh connections.
              '';
            };
            arch = lib.mkOption {
              type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
              description = ''
                The architecture of this machine.
              '';
            };
            systemRoles = lib.mkOption {
              type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
              description = ''
                The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
              '';
            };
            hostKey = lib.mkOption {
              type = lib.types.str;
              description = ''
                The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
                and for decrypting secrets with agenix.
              '';
            };
            remoteUnlock = lib.mkOption {
              default = null;
              type = lib.types.nullOr (lib.types.submodule {
                options = {
                  hostKey = lib.mkOption {
                    type = lib.types.str;
                    description = ''
                      The system ssh host key of this machine used for luks boot unlocking only.
                    '';
                  };
                  clearnetHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over clearnet used to luks boot unlock this machine
                    '';
                  };
                  onionHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over tor used to luks boot unlock this machine
                    '';
                  };
                };
              });
            };
            userKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
                TODO: consider auto populating other programs that use ssh keys such as gitea
              '';
            };
            deployKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of deployment keys. Each key here can be used to log into all other systems as `root`.
              '';
            };
            configurationPath = lib.mkOption {
              type = lib.types.path;
              description = ''
                The path to this machine's configuration directory.
              '';
            };
          };
        });
    };
  };
  config = {
    assertions = (lib.concatLists (lib.mapAttrsToList
      (
        name: cfg: [
          {
            assertion = builtins.length cfg.hostNames > 0;
            message = ''
              Error with config for ${name}
              There must be at least one hostname.
            '';
          }
          {
            assertion = builtins.length cfg.systemRoles > 0;
            message = ''
              Error with config for ${name}
              There must be at least one system role.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.hostKey != cfg.hostKey;
            message = ''
              Error with config for ${name}
              Unlock hostkey and hostkey cannot be the same because unlock hostkey is in /boot, unencrypted.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || (cfg.remoteUnlock.clearnetHost != null || cfg.remoteUnlock.onionHost != null);
            message = ''
              Error with config for ${name}
              At least one of clearnet host or onion host must be defined.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.clearnetHost == null || builtins.elem cfg.remoteUnlock.clearnetHost cfg.hostNames == false;
            message = ''
              Error with config for ${name}
              Clearnet unlock hostname cannot be in the list of hostnames for security reasons.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.onionHost == null || lib.strings.hasSuffix ".onion" cfg.remoteUnlock.onionHost;
            message = ''
              Error with config for ${name}
              Tor unlock hostname must be an onion address.
            '';
          }
          {
            assertion = builtins.elem "personal" cfg.systemRoles || builtins.length cfg.userKeys == 0;
            message = ''
              Error with config for ${name}
              There must be at least one userkey defined for personal machines.
            '';
          }
          {
            assertion = builtins.elem "deploy" cfg.systemRoles || builtins.length cfg.deployKeys == 0;
            message = ''
              Error with config for ${name}
              Only deploy machines are allowed to have deploy keys for security reasons.
            '';
          }
        ]
      )
      machines));
    # Set per machine properties automatically using each of their `properties.nix` files respectively
    machines.hosts =
      let
        properties = dir: lib.concatMapAttrs
          (name: path: {
            ${name} =
              import path
              //
              { configurationPath = builtins.dirOf path; };
          })
          (propertiesFiles dir);
        propertiesFiles = dir:
          lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
        propertiesFiles' = dir:
          let
            propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
            dirName = path: builtins.baseNameOf (builtins.dirOf path);
          in
          builtins.map (p: { "${dirName p}" = p; }) propFiles;
      in
      properties ../../machines;
  };
 }
--- a/common/machine-info/moduleless.nix
+++ b/common/machine-info/moduleless.nix
@ -0,0 +1,15 @@
 # Allows getting machine-info outside the scope of nixos configuration
 { nixpkgs ? import <nixpkgs> { }
 , assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
 }:
 {
  machines =
    (nixpkgs.lib.evalModules {
      modules = [
        ./default.nix
        assertionsModule
      ];
    }).config.machines;
 }
--- a/common/machine-info/roles.nix
+++ b/common/machine-info/roles.nix
@ -0,0 +1,19 @@
 { config, lib, ... }:
 # Maps roles to their hosts
 {
  options.machines.roles = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
  };
  config = {
    machines.roles = lib.zipAttrs
      (lib.mapAttrsToList
        (host: cfg:
          lib.foldl (lib.mergeAttrs) { }
            (builtins.map (role: { ${role} = host; })
              cfg.systemRoles))
        config.machines.hosts);
  };
 }
--- a/common/machine-info/ssh.nix
+++ b/common/machine-info/ssh.nix
@ -0,0 +1,44 @@
 { config, lib, ... }:
 let
  machines = config.machines;
  sshkeys = keyType: lib.foldl (l: cfg: l ++ cfg.${keyType}) [ ] (builtins.attrValues machines.hosts);
 in
 {
  options.machines.ssh = {
    userKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        List of user keys aggregated from all machines.
      '';
    };
    deployKeys = lib.mkOption {
      default = [ ];
      type = lib.types.listOf lib.types.str;
      description = ''
        List of deploy keys aggregated from all machines.
      '';
    };
    hostKeysByRole = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      description = ''
        Machine host keys divided into their roles.
      '';
    };
  };
  config = {
    machines.ssh.userKeys = sshkeys "userKeys";
    machines.ssh.deployKeys = sshkeys "deployKeys";
    machines.ssh.hostKeysByRole = lib.mapAttrs
      (role: hosts:
        builtins.map
          (host: machines.hosts.${host}.hostKey)
          hosts)
      machines.roles;
  };
 }
--- a/common/network/ca.rsa.4096.crt
+++ b/common/network/ca.rsa.4096.crt
--- a/common/network/default.nix
+++ b/common/network/default.nix
@ -7,11 +7,11 @@ let
 in
 {
  imports = [
    ./hosts.nix
    ./pia-openvpn.nix
    ./pia-wireguard.nix
    ./ping.nix
    ./tailscale.nix
    ./vpn.nix
    ./zerotier.nix
  ];
  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
--- a/common/network/hosts.nix
+++ b/common/network/hosts.nix
@ -1,63 +0,0 @@
 { config, lib, ... }:
 let
  system = (import ../ssh.nix).system;
 in {
  networking.hosts = {
    # some DNS providers filter local ip results from DNS request
    "172.30.145.180" = [ "s0.zt.neet.dev" ];
    "172.30.109.9" = [ "ponyo.zt.neet.dev" ];
    "172.30.189.212" = [ "ray.zt.neet.dev" ];
  };
  programs.ssh.knownHosts = {
    liza = {
      hostNames = [ "liza" "liza.neet.dev" ];
      publicKey = system.liza;
    };
    ponyo = {
      hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
      publicKey = system.ponyo;
    };
    ponyo-unlock = {
      hostNames = [ "unlock.ponyo.neet.dev" "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion" ];
      publicKey = system.ponyo-unlock;
    };
    ray = {
      hostNames = [ "ray" "ray.zt.neet.dev" ];
      publicKey = system.ray;
    };
    s0 = {
      hostNames = [ "s0" "s0.zt.neet.dev" ];
      publicKey = system.s0;
    };
    n1 = {
      hostNames = [ "n1" ];
      publicKey = system.n1;
    };
    n2 = {
      hostNames = [ "n2" ];
      publicKey = system.n2;
    };
    n3 = {
      hostNames = [ "n3" ];
      publicKey = system.n3;
    };
    n4 = {
      hostNames = [ "n4" ];
      publicKey = system.n4;
    };
    n5 = {
      hostNames = [ "n5" ];
      publicKey = system.n5;
    };
    n6 = {
      hostNames = [ "n6" ];
      publicKey = system.n6;
    };
    n7 = {
      hostNames = [ "n7" ];
      publicKey = system.n7;
    };
  };
 }
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 let
-  cfg = config.pia;
+  cfg = config.pia.openvpn;
  vpnfailsafe = pkgs.stdenv.mkDerivation {
    pname = "vpnfailsafe";
    version = "0.0.1";
@ -14,7 +14,7 @@ let
  };
 in
 {
-  options.pia = {
+  options.pia.openvpn = {
    enable = lib.mkEnableOption "Enable private internet access";
    server = lib.mkOption {
      type = lib.types.str;
@ -108,6 +108,6 @@ in
        };
      };
    };
-    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@ -0,0 +1,363 @@
 { config, lib, pkgs, ... }:
 # Server list:
 #   https://serverlist.piaservers.net/vpninfo/servers/v6
 # Reference materials:
 #   https://github.com/pia-foss/manual-connections
 #   https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
 # TODO handle potential errors (or at least print status, success, and failures to the console)
 # TODO parameterize names of systemd services so that multiple wg VPNs could coexist in theory easier
 # TODO implement this module such that the wireguard VPN doesn't have to live in a container
 # TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
 # TODO verify signatures of PIA responses
 # TODO `RuntimeMaxSec = "30d";` for pia-vpn-wireguard-init isn't allowed per the systemd logs. Find alternative.
 with builtins;
 with lib;
 let
  cfg = config.pia.wireguard;
  getPIAToken = ''
    PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
    PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
    # PIA_TOKEN only lasts 24hrs
    PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
  '';
  chooseWireguardServer = ''
    servers=$(mktemp)
    servers_json=$(mktemp)
    curl -s "https://serverlist.piaservers.net/vpninfo/servers/v6" > "$servers"
    # extract json part only
    head -n 1 "$servers" | tr -d '\n' > "$servers_json"
    echo "Available location ids:" && jq '.regions | .[] | {name, id, port_forward}' "$servers_json"
    # Some locations have multiple servers available. Pick a random one.
    totalservers=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | length' "$servers_json")
    if ! [[ "$totalservers" =~ ^[0-9]+$ ]] || [ "$totalservers" -eq 0 ] 2>/dev/null; then
      echo "Location \"${cfg.serverLocation}\" not found."
      exit 1
    fi
    serverindex=$(( RANDOM % totalservers))
    WG_HOSTNAME=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].cn' "$servers_json")
    WG_SERVER_IP=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].ip' "$servers_json")
    WG_SERVER_PORT=$(jq -r '.groups.wg | .[0] | .ports | .[0]' "$servers_json")
    # write chosen server
    rm -f /tmp/${cfg.interfaceName}-server.conf
    touch /tmp/${cfg.interfaceName}-server.conf
    chmod 700 /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_HOSTNAME" >> /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_SERVER_IP" >> /tmp/${cfg.interfaceName}-server.conf
    echo "$WG_SERVER_PORT" >> /tmp/${cfg.interfaceName}-server.conf
    rm $servers_json $servers
  '';
  getChosenWireguardServer = ''
    WG_HOSTNAME=`sed '1q;d' /tmp/${cfg.interfaceName}-server.conf`
    WG_SERVER_IP=`sed '2q;d' /tmp/${cfg.interfaceName}-server.conf`
    WG_SERVER_PORT=`sed '3q;d' /tmp/${cfg.interfaceName}-server.conf`
  '';
  refreshPIAPort = ''
    ${getChosenWireguardServer}
    signature=`sed '1q;d' /tmp/${cfg.interfaceName}-port-renewal`
    payload=`sed '2q;d' /tmp/${cfg.interfaceName}-port-renewal`
    bind_port_response=`curl -Gs -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "payload=$payload" --data-urlencode "signature=$signature" "https://$WG_HOSTNAME:19999/bindPort"`
  '';
  portForwarding = cfg.forwardPortForTransmission || cfg.forwardedPort != null;
  containerServiceName = "container@${config.vpn-container.containerName}.service";
 in
 {
  options.pia.wireguard = {
    enable = mkEnableOption "Enable private internet access";
    badPortForwardPorts = mkOption {
      type = types.listOf types.port;
      description = ''
        Ports that will not be accepted from PIA.
        If PIA assigns a port from this list, the connection is aborted since we cannot ask for a different port.
        This is used to guarantee we are not assigned a port that is used by a service we do not want exposed.
      '';
    };
    wireguardListenPort = mkOption {
      type = types.port;
      description = "The port wireguard listens on for this VPN connection";
      default = 51820;
    };
    serverLocation = mkOption {
      type = types.str;
      default = "swiss";
    };
    interfaceName = mkOption {
      type = types.str;
      default = "piaw";
    };
    forwardedPort = mkOption {
      type = types.nullOr types.port;
      description = "The port to redirect port forwarded TCP VPN traffic too";
      default = null;
    };
    forwardPortForTransmission = mkEnableOption "PIA port forwarding for transmission should be performed.";
  };
  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.forwardPortForTransmission != (cfg.forwardedPort != null);
        message = ''
          The PIA forwarded port cannot simultaneously be used by transmission and redirected to another port.
        '';
      }
    ];
    # mounts used to pass the connection parameters to the container
    # the container doesn't have internet until it uses these parameters so it cannot fetch them itself
    vpn-container.mounts = [
      "/tmp/${cfg.interfaceName}.conf"
      "/tmp/${cfg.interfaceName}-server.conf"
      "/tmp/${cfg.interfaceName}-address.conf"
    ];
    # The container takes ownership of the wireguard interface on its startup
    containers.vpn.interfaces = [ cfg.interfaceName ];
    # TODO: while this is much better than "loose" networking, it seems to have issues with firewall restarts
    # allow traffic for wireguard interface to pass since wireguard trips up rpfilter
    # networking.firewall = {
    #   extraCommands = ''
    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN
    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN
    #   '';
    #   extraStopCommands = ''
    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN || true
    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN || true
    #   '';
    # };
    networking.firewall.checkReversePath = "loose";
    systemd.services.pia-vpn-wireguard-init = {
      description = "Creates PIA VPN Wireguard Interface";
      wants = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      before = [ containerServiceName ];
      requiredBy = [ containerServiceName ];
      partOf = [ containerServiceName ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ wireguard-tools jq curl iproute2 iputils ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # restart once a month; PIA forwarded port expires after two months
        # because the container is "PartOf" this unit, it gets restarted too
        RuntimeMaxSec = "30d";
      };
      script = ''
        echo Waiting for internet...
        while ! ping -c 1 -W 1 1.1.1.1; do
            sleep 1
        done
        # Prepare to connect by generating wg secrets and auth'ing with PIA since the container
        # cannot do without internet to start with. NAT'ing the host's internet would address this
        # issue but is not ideal because then leaking network outside of the VPN is more likely.
        ${chooseWireguardServer}
        ${getPIAToken}
        # generate wireguard keys
        privKey=$(wg genkey)
        pubKey=$(echo "$privKey" | wg pubkey)
        # authorize our WG keys with the PIA server we are about to connect to
        wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:$WG_SERVER_PORT/addKey`
        # create wg-quick config file
        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        touch /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        chmod 700 /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
        echo "
        [Interface]
        # Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
        PrivateKey = $privKey
        ListenPort = ${toString cfg.wireguardListenPort}
        [Peer]
        PersistentKeepalive = 25
        PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
        AllowedIPs = 0.0.0.0/0
        Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
        " >> /tmp/${cfg.interfaceName}.conf
        # create file storing the VPN ip address PIA assigned to us
        echo "$wireguard_json" | jq -r '.peer_ip' >> /tmp/${cfg.interfaceName}-address.conf
        # Create wg interface now so it inherits from the namespace with internet access
        # the container will handle actually connecting the interface since that info is
        # not preserved upon moving into the container's networking namespace
        # Roughly following this guide https://www.wireguard.com/netns/#ordinary-containerization
        [[ -z $(ip link show dev ${cfg.interfaceName} 2>/dev/null) ]] || exit
        ip link add ${cfg.interfaceName} type wireguard
      '';
      preStop = ''
        # cleanup wireguard interface
        ip link del ${cfg.interfaceName}
        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
      '';
    };
    vpn-container.config.systemd.services.pia-vpn-wireguard = {
      description = "Initializes the PIA VPN WireGuard Tunnel";
      wants = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ wireguard-tools iproute2 curl jq iptables ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        # pseudo calls wg-quick
        # Near equivalent of "wg-quick up /tmp/${cfg.interfaceName}.conf"
        # cannot actually call wg-quick because the interface has to be already
        # created before the container taken ownership of the interface
        # Thus, assumes wg interface was already created:
        #   ip link add ${cfg.interfaceName} type wireguard
        ${getChosenWireguardServer}
        myaddress=`cat /tmp/${cfg.interfaceName}-address.conf`
        wg setconf ${cfg.interfaceName} /tmp/${cfg.interfaceName}.conf
        ip -4 address add $myaddress dev ${cfg.interfaceName}
        ip link set mtu 1420 up dev ${cfg.interfaceName}
        wg set ${cfg.interfaceName} fwmark ${toString cfg.wireguardListenPort}
        ip -4 route add 0.0.0.0/0 dev ${cfg.interfaceName} table ${toString cfg.wireguardListenPort}
        # TODO is this needed?
        ip -4 rule add not fwmark ${toString cfg.wireguardListenPort} table ${toString cfg.wireguardListenPort}
        ip -4 rule add table main suppress_prefixlength 0
        # The rest of the script is only for only for port forwarding skip if not needed
        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
        # Reserve port
        ${getPIAToken}
        payload_and_signature=`curl -s -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" -G --data-urlencode "token=$PIA_TOKEN" "https://$WG_HOSTNAME:19999/getSignature"`
        signature=$(echo "$payload_and_signature" | jq -r '.signature')
        payload=$(echo "$payload_and_signature" | jq -r '.payload')
        port=$(echo "$payload" | base64 -d | jq -r '.port')
        # Check if the port is acceptable
        notallowed=(${concatStringsSep " " (map toString cfg.badPortForwardPorts)})
        if [[ " ''${notallowed[*]} " =~ " $port " ]]; then
          # the port PIA assigned is not allowed, kill the connection
          wg-quick down /tmp/${cfg.interfaceName}.conf
          exit 1
        fi
        # write reserved port to file readable for all users
        echo $port > /tmp/${cfg.interfaceName}-port
        chmod 644 /tmp/${cfg.interfaceName}-port
        # write payload and signature info needed to allow refreshing allocated forwarded port
        rm -f /tmp/${cfg.interfaceName}-port-renewal
        touch /tmp/${cfg.interfaceName}-port-renewal
        chmod 700 /tmp/${cfg.interfaceName}-port-renewal
        echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
        echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
        # Block all traffic from VPN interface except for traffic that is from the forwarded port
        iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
        iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
        # The first port refresh triggers the port to be actually allocated
        ${refreshPIAPort}
        ${optionalString (cfg.forwardedPort != null) ''
          # redirect the fowarded port
          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
        ''}
        ${optionalString cfg.forwardPortForTransmission ''
          # assumes no auth needed for transmission
          curlout=$(curl localhost:9091/transmission/rpc 2>/dev/null)
          regex='X-Transmission-Session-Id\: (\w*)'
          if [[ $curlout =~ $regex ]]; then
              sessionId=''${BASH_REMATCH[1]}
          else
              exit 1
          fi
          # set the port in transmission
          data='{"method": "session-set", "arguments": { "peer-port" :'$port' } }'
          curl http://localhost:9091/transmission/rpc -d "$data" -H "X-Transmission-Session-Id: $sessionId"
        ''}
      '';
      preStop = ''
        wg-quick down /tmp/${cfg.interfaceName}.conf
        # The rest of the script is only for only for port forwarding skip if not needed
        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
        ${optionalString (cfg.forwardedPort != null) ''
          # stop redirecting the forwarded port
          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
        ''}
      '';
    };
    vpn-container.config.systemd.services.pia-vpn-wireguard-forward-port = {
      enable = portForwarding;
      description = "PIA VPN WireGuard Tunnel Port Forwarding";
      after = [ "pia-vpn-wireguard.service" ];
      requires = [ "pia-vpn-wireguard.service" ];
      path = with pkgs; [ curl ];
      serviceConfig = {
        Type = "oneshot";
      };
      script = refreshPIAPort;
    };
    vpn-container.config.systemd.timers.pia-vpn-wireguard-forward-port = {
      enable = portForwarding;
      partOf = [ "pia-vpn-wireguard-forward-port.service" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "*:0/10"; # 10 minutes
        RandomizedDelaySec = "1m"; # vary by 1 min to give PIA servers some relief
      };
    };
    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/ping.nix
+++ b/common/network/ping.nix
@ -0,0 +1,59 @@
 { config, pkgs, lib, ... }:
 # keeps peer to peer connections alive with a periodic ping
 with lib;
 with builtins;
 # todo auto restart
 let
  cfg = config.keepalive-ping;
  serviceTemplate = host:
    {
      "keepalive-ping@${host}" = {
        description = "Periodic ping keep alive for ${host} connection";
        requires = [ "network-online.target" ];
        after = [ "network.target" "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig.Restart = "always";
        path = with pkgs; [ iputils ];
        script = ''
          ping -i ${cfg.delay} ${host} &>/dev/null
        '';
      };
    };
  combineAttrs = foldl recursiveUpdate { };
  serviceList = map serviceTemplate cfg.hosts;
  services = combineAttrs serviceList;
 in
 {
  options.keepalive-ping = {
    enable = mkEnableOption "Enable keep alive ping task";
    hosts = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Hosts to ping periodically
      '';
    };
    delay = mkOption {
      type = types.str;
      default = "60";
      description = ''
        Ping interval in seconds of periodic ping per host being pinged
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services = services;
  };
 }
--- a/common/network/tailscale.nix
+++ b/common/network/tailscale.nix
@ -8,7 +8,11 @@ in
 {
  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
-  config.services.tailscale.enable = !config.boot.isContainer;
+  config.services.tailscale.enable = mkDefault (!config.boot.isContainer);
  # MagicDNS
  config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ];
  config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
  # exit node
  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@ -26,9 +26,11 @@ in
      '';
    };
    useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
    config = mkOption {
      type = types.anything;
-      default = {};
+      default = { };
      example = ''
        {
          services.nginx.enable = true;
@ -41,6 +43,9 @@ in
  };
  config = mkIf cfg.enable {
    pia.wireguard.enable = !cfg.useOpenVPN;
    pia.wireguard.forwardPortForTransmission = !cfg.useOpenVPN;
    containers.${cfg.containerName} = {
      ephemeral = true;
      autoStart = true;
@ -59,36 +64,40 @@ in
        }
      )));
-      enableTun = true;
+      enableTun = cfg.useOpenVPN;
      privateNetwork = true;
      hostAddress = "172.16.100.1";
      localAddress = "172.16.100.2";
      config = {
-        imports = allModules ++ [cfg.config];
+        imports = allModules ++ [ cfg.config ];
-        nixpkgs.pkgs = pkgs;
+        # networking.firewall.enable = mkForce false;
        networking.firewall.trustedInterfaces = [
          # completely trust internal interface to host
          "eth0"
        ];
-        networking.firewall.enable = mkForce false;
+        pia.openvpn.enable = cfg.useOpenVPN;
-
+        pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
        pia.enable = true;
        pia.server = "swiss.privacy.network"; # swiss vpn
        # TODO fix so it does run it's own resolver again
        # run it's own DNS resolver
        networking.useHostResolvConf = false;
-        services.resolved.enable = true;
+        # services.resolved.enable = true;
        networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
      };
    };
    # load secrets the container needs
    age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
-    # forwarding for vpn container
+    # forwarding for vpn container (only for OpenVPN)
-    networking.nat.enable = true;
+    networking.nat.enable = mkIf cfg.useOpenVPN true;
-    networking.nat.internalInterfaces = [
+    networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [
      "ve-${cfg.containerName}"
    ];
-    networking.ip_forward = true;
+    networking.ip_forward = mkIf cfg.useOpenVPN true;
    # assumes only one potential interface
    networking.usePredictableInterfaceNames = false;
--- a/common/network/zerotier.nix
+++ b/common/network/zerotier.nix
@ -1,14 +0,0 @@
 { lib, config, ... }:
 let
  cfg = config.services.zerotierone;
 in {
  config = lib.mkIf cfg.enable {
    services.zerotierone.joinNetworks = [
      "565799d8f6d654c0"
    ];
    networking.firewall.allowedUDPPorts = [
      9993
    ];
  };
 }
--- a/common/nix-builder.nix
+++ b/common/nix-builder.nix
@ -0,0 +1,60 @@
 { config, lib, ... }:
 let
  builderRole = "nix-builder";
  builderUserName = "nix-builder";
  machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
  otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
  thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
  builders = machinesByRole builderRole;
  thisMachineIsABuilder = thisMachineHasRole builderRole;
  # builders don't include themselves as a remote builder
  otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
 in
 lib.mkMerge [
  # configure builder
  (lib.mkIf thisMachineIsABuilder {
    users.users.${builderUserName} = {
      description = "Distributed Nix Build User";
      group = builderUserName;
      isSystemUser = true;
      createHome = true;
      home = "/var/lib/nix-builder";
      useDefaultShell = true;
      openssh.authorizedKeys.keys = builtins.map
        (builderCfg: builderCfg.hostKey)
        (builtins.attrValues config.machines.hosts);
    };
    users.groups.${builderUserName} = { };
    nix.settings.trusted-users = [
      builderUserName
    ];
  })
  # use each builder
  {
    nix.distributedBuilds = true;
    nix.buildMachines = builtins.map
      (builderCfg: {
        hostName = builtins.elemAt builderCfg.hostNames 0;
        system = builderCfg.arch;
        protocol = "ssh-ng";
        sshUser = builderUserName;
        sshKey = "/etc/ssh/ssh_host_ed25519_key";
        maxJobs = 3;
        speedFactor = 10;
        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
      })
      (builtins.attrValues otherBuilders);
    # It is very likely that the builder's internet is faster or just as fast
    nix.extraOptions = ''
      builders-use-substitutes = true
    '';
  }
 ]
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # enable pulseaudio support for packages
    nixpkgs.config.pulseaudio = true;
@ -16,44 +17,14 @@ in {
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };
-      # use the example session manager (no others are packaged yet so this is enabled by default,
+    services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
-      # no need to redefine it in your config for now)
+      context.properties = {
-      #media-session.enable = true;
+        default.clock.rate = 48000;
-
+        default.clock.quantum = 256;
-      config.pipewire = {
+        default.clock.min-quantum = 256;
-        "context.objects" = [
+        default.clock.max-quantum = 2048;
          {
            # A default dummy driver. This handles nodes marked with the "node.always-driver"
            # properyty when no other driver is currently active. JACK clients need this.
            factory = "spa-node-factory";
            args = {
              "factory.name"     = "support.node.driver";
              "node.name"        = "Dummy-Driver";
              "priority.driver"  = 8000;
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Microphone-Proxy";
              "node.description" = "Microphone";
              "media.class"      = "Audio/Source/Virtual";
              "audio.position"   = "MONO";
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name"     = "support.null-audio-sink";
              "node.name"        = "Main-Output-Proxy";
              "node.description" = "Main Output";
              "media.class"      = "Audio/Sink";
              "audio.position"   = "FL,FR";
            };
          }
        ];
      };
    };
--- a/common/pc/chromium.nix
+++ b/common/pc/chromium.nix
@ -17,39 +17,8 @@ let
      "PREFIX=$(out)"
    ];
  };
-
+in
-  nvidia-vaapi-driver = pkgs.stdenv.mkDerivation rec {
+{
    pname = "nvidia-vaapi-driver";
    version = "0.0.5";
    src = pkgs.fetchFromGitHub {
      owner = "elFarto";
      repo = pname;
      rev = "v${version}";
      sha256 = "2bycqKolVoaHK64XYcReteuaON9TjzrFhaG5kty28YY=";
    };
    patches = [
      ./use-meson-v57.patch
    ];
    nativeBuildInputs = with pkgs; [
      meson
      cmake
      ninja
      pkg-config
    ];
    buildInputs = with pkgs; [
      nv-codec-headers-11-1-5-1
      libva
      gst_all_1.gstreamer
      gst_all_1.gst-plugins-bad
      libglvnd
    ];
  };
 in {
  config = lib.mkIf cfg.enable {
    # chromium with specific extensions + settings
    programs.chromium = {
@ -72,7 +41,7 @@ in {
        "SpellcheckLanguage" = [ "en-US" ];
      };
      defaultSearchProviderSuggestURL = null;
-      defaultSearchProviderSearchURL = " https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";
+      defaultSearchProviderSearchURL = "https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";
    };
    # hardware accelerated video playback (on intel)
@ -83,12 +52,12 @@ in {
        # ungoogled = true;
        # --enable-native-gpu-memory-buffers # fails on AMD APU
        # --enable-webrtc-vp9-support
-        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video  --enable-gpu-rasterization";
+        commandLineArgs = "--use-vulkan";
      };
    };
    # todo vulkan in chrome
    # todo video encoding in chrome
-    hardware.opengl = {
+    hardware.graphics = {
      enable = true;
      extraPackages = with pkgs; [
        intel-media-driver # LIBVA_DRIVER_NAME=iHD
--- a/common/pc/default.nix
+++ b/common/pc/default.nix
@ -2,22 +2,22 @@
 let
  cfg = config.de;
-in {
+in
 {
  imports = [
    ./kde.nix
    ./xfce.nix
    ./yubikey.nix
    ./chromium.nix
-#    ./firefox.nix
+    ./firefox.nix
    ./audio.nix
 #    ./torbrowser.nix
    ./pithos.nix
    ./spotify.nix
    ./vscodium.nix
    ./discord.nix
    ./steam.nix
    ./touchpad.nix
    ./mount-samba.nix
    ./udev.nix
    ./virtualisation.nix
  ];
  options.de = {
@ -25,9 +25,10 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    # vulkan
+    environment.systemPackages = with pkgs; [
-    hardware.opengl.driSupport = true;
+      # https://github.com/NixOS/nixpkgs/pull/328086#issuecomment-2235384618
-    hardware.opengl.driSupport32Bit = true;
+      gparted
    ];
    # Applications
    users.users.googlebot.packages = with pkgs; [
@ -36,20 +37,25 @@ in {
      mumble
      tigervnc
      bluez-tools
      vscodium
      element-desktop
      mpv
      nextcloud-client
      signal-desktop
      minecraft
      gparted
      libreoffice-fresh
      thunderbird
-      spotifyd
+      spotify
      spotify-qt
      arduino
      yt-dlp
      jellyfin-media-player
      joplin-desktop
      config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
      lxqt.pavucontrol-qt
      barrier
      # For Nix IDE
      nixpkgs-fmt
      nixd
      nil
    ];
    # Networking
@ -63,12 +69,28 @@ in {
    ];
    # Printer discovery
    services.avahi.enable = true;
-    services.avahi.nssmdns = true;
+    services.avahi.nssmdns4 = true;
    programs.file-roller.enable = true;
    # Security
    services.gnome.gnome-keyring.enable = true;
    security.pam.services.googlebot.enableGnomeKeyring = true;
    # Android dev
    programs.adb.enable = true;
    # Mount personal SMB stores
    services.mount-samba.enable = true;
    # allow building ARM derivations
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    # for luks onlock over tor
    services.tor.enable = true;
    services.tor.client.enable = true;
    # Enable wayland support in various chromium based applications
    environment.sessionVariables.NIXOS_OZONE_WL = "1";
  };
 }
--- a/common/pc/discord.nix
+++ b/common/pc/discord.nix
@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    users.users.googlebot.packages = [
      pkgs.discord
--- a/common/pc/firefox.nix
+++ b/common/pc/firefox.nix
@ -20,31 +20,6 @@ let
  };
  firefox = pkgs.wrapFirefox somewhatPrivateFF {
   desktopName = "Sneed Browser";
    nixExtensions = [
      (pkgs.fetchFirefoxAddon {
        name = "ublock-origin";
        url = "https://addons.mozilla.org/firefox/downloads/file/3719054/ublock_origin-1.33.2-an+fx.xpi";
        sha256 = "XDpe9vW1R1iVBTI4AmNgAg1nk7BVQdIAMuqd0cnK5FE=";
      })
      (pkgs.fetchFirefoxAddon {
        name = "sponsorblock";
        url = "https://addons.mozilla.org/firefox/downloads/file/3720594/sponsorblock_skip_sponsorships_on_youtube-2.0.12.3-an+fx.xpi";
        sha256 = "HRtnmZWyXN3MKo4AvSYgNJGkBEsa2RaMamFbkz+YzQg=";
      })
      (pkgs.fetchFirefoxAddon {
        name = "KeePassXC-Browser";
        url = "https://addons.mozilla.org/firefox/downloads/file/3720664/keepassxc_browser-1.7.6-fx.xpi";
        sha256 = "3K404/eq3amHhIT0WhzQtC892he5I0kp2SvbzE9dbZg=";
      })
      (pkgs.fetchFirefoxAddon {
        name = "https-everywhere";
        url = "https://addons.mozilla.org/firefox/downloads/file/3716461/https_everywhere-2021.1.27-an+fx.xpi";
        sha256 = "2gSXSLunKCwPjAq4Wsj0lOeV551r3G+fcm1oeqjMKh8=";
      })
    ];
    extraPolicies = {
      CaptivePortal = false;
      DisableFirefoxStudies = true;
@ -74,12 +49,6 @@ let
        ExtensionRecommendations = false;
        SkipOnboarding = true;
      };
      WebsiteFilter = {
        Block = [
          "http://paradigminteractive.io/"
          "https://paradigminteractive.io/"
        ];
      };
    };
    extraPrefs = ''
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
@ -2,22 +2,19 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
-    # kde plasma
+    services.displayManager.sddm.enable = true;
-    services.xserver = {
+    services.displayManager.sddm.wayland.enable = true;
-      enable = true;
+    services.desktopManager.plasma6.enable = true;
      desktopManager.plasma5.enable = true;
      displayManager.sddm.enable = true;
    };
    # kde apps
    nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true;
    users.users.googlebot.packages = with pkgs; [
      # akonadi
      # kmail
      # plasma5Packages.kmail-account-wizard
-      kate
+      kdePackages.kate
    ];
  };
 }
--- a/common/pc/mount-samba.nix
+++ b/common/pc/mount-samba.nix
@ -1,36 +1,50 @@
-# mounts the samba share on s0 over zeroteir
+# mounts the samba share on s0 over tailscale
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  cfg = config.services.mount-samba;
-  # prevents hanging on network split
+  # prevents hanging on network split and other similar niceties to ensure a stable connection
-  network_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,nostrictsync,cache=loose,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend";
+  network_opts = "nostrictsync,cache=strict,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend,fsc";
  systemd_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
  user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
-  auth_opts = "credentials=/run/agenix/smb-secrets";
+  auth_opts = "sec=ntlmv2i,credentials=/run/agenix/smb-secrets";
-  version_opts = "vers=2.1";
+  version_opts = "vers=3.1.1";
-  opts = "${network_opts},${user_opts},${version_opts},${auth_opts}";
+  public_user_opts = "gid=${toString config.users.groups.users.gid}";
-in {
+
  opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}";
 in
 {
  options.services.mount-samba = {
    enable = lib.mkEnableOption "enable mounting samba shares";
  };
-  config = lib.mkIf (cfg.enable && config.services.zerotierone.enable) {
+  config = lib.mkIf (cfg.enable && config.services.tailscale.enable) {
    fileSystems."/mnt/public" = {
-        device = "//s0.zt.neet.dev/public";
+      device = "//s0.koi-bebop.ts.net/public";
      fsType = "cifs";
-        options = [ opts ];
+      options = [ "${opts},${public_user_opts}" ];
    };
    fileSystems."/mnt/private" = {
-        device = "//s0.zt.neet.dev/googlebot";
+      device = "//s0.koi-bebop.ts.net/googlebot";
      fsType = "cifs";
      options = [ opts ];
    };
    age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
    environment.shellAliases = {
      # remount storage
      remount_public = "sudo systemctl restart mnt-public.mount";
      remount_private = "sudo systemctl restart mnt-private.mount";
      # Encrypted Vault
      vault_unlock = "${pkgs.gocryptfs}/bin/gocryptfs /mnt/private/.vault/ /mnt/vault/";
      vault_lock = "umount /mnt/vault/";
    };
  };
 }
--- a/common/pc/pia/default.nix
+++ b/common/pc/pia/default.nix
@ -1,76 +0,0 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.pia;
 in {
  imports = [
    ./pia.nix
  ];
  options.services.pia = {
    enable = lib.mkEnableOption "Enable PIA Client";
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/pia";
      description = ''
        Path to the pia data directory
      '';
    };
    user = lib.mkOption {
      type = lib.types.str;
      default = "root";
      description = ''
        The user pia should run as
      '';
    };
    group = lib.mkOption {
      type = lib.types.str;
      default = "piagrp";
      description = ''
        The group pia should run as
      '';
    };
    users = mkOption {
      type = with types; listOf str;
      default = [];
      description = ''
        Usernames to be added to the "spotifyd" group, so that they
        can start and interact with the userspace daemon.
      '';
    };
  };
  config = mkIf cfg.enable {
    # users.users.${cfg.user} =
    # if cfg.user == "pia" then {
    #   isSystemUser = true;
    #   group = cfg.group;
    #   home = cfg.dataDir;
    #   createHome = true;
    # }
    # else {};
    users.groups.${cfg.group}.members = cfg.users;
    systemd.services.pia-daemon = {
      enable = true;
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
      serviceConfig.PrivateTmp="yes";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
      '';
    };
  };
 }
--- a/common/pc/pia/fix-pia.patch
+++ b/common/pc/pia/fix-pia.patch
@ -1,147 +0,0 @@
 diff --git a/Rakefile b/Rakefile
 index fa6d771..bcd6fb1 100644
 --- a/Rakefile
 +++ b/Rakefile
@@ -151,41 +151,6 @@ end
 # Install LICENSE.txt
 stage.install('LICENSE.txt', :res)
 -# Download server lists to ship preloaded copies with the app.  These tasks
 -# depend on version.txt so they're refreshed periodically (whenver a new commit
 -# is made), but not for every build.
 -#
 -# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
 -# this is primarily intended for reproducing a build.
 -#
 -# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
 -serverDataProbe = Probe.new('serverdata')
 -serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
 -# JSON resource build directory
 -jsonFetched = Build.new('json-fetched')
 -# These are the assets we need to fetch and the URIs we get them from
 -{
 -    'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
 -    'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
 -    'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
 -}.each do |k, v|
 -    fetchedFile = jsonFetched.artifact(k.to_s)
 -    serverDataDir = ENV['SERVER_DATA_DIR']
 -    file fetchedFile => [version.artifact('version.txt'),
 -                         serverDataProbe.artifact('serverdata.txt'),
 -                         jsonFetched.componentDir] do |t|
 -        if(serverDataDir)
 -            # Use the copy provided instead of fetching (for reproducing a build)
 -            File.copy(File.join(serverDataDir, k), fetchedFile)
 -        else
 -            # Fetch from the web API (write with "binary" mode so LF is not
 -            # converted to CRLF on Windows)
 -            File.binwrite(t.name, Net::HTTP.get(URI(v)))
 -        end
 -    end
 -    stage.install(fetchedFile, :res)
 -end
 -
 # Install version/brand/arch info in case an upgrade needs to know what is
 # currently installed
 stage.install(version.artifact('version.txt'), :res)
 diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
 index f820a6d..e1b6c33 100644
 --- a/common/src/posix/unixsignalhandler.cpp
 +++ b/common/src/posix/unixsignalhandler.cpp
@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
     // we checked it, we can't even log because the logger is not reentrant.
     auto pThis = instance();
     if(pThis)
 -        ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
 +        auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
 }
 template<int Signal>
 void UnixSignalHandler::setAbortAction()
 diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
 index fd3aced..2367a5e 100644
 --- a/daemon/src/linux/linux_nl.cpp
 +++ b/daemon/src/linux/linux_nl.cpp
@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
     unsigned char term = 0;
     PosixFd killSocket = _workerKillSocket.get();
     if(killSocket)
 -        ::write(killSocket.get(), &term, sizeof(term));
 +        auto _ = ::write(killSocket.get(), &term, sizeof(term));
     _workerThread.join();
 }
 diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
 index 3f63ac2..420d54d 100644
 --- a/extras/support-tool/launcher/linux-launcher.cpp
 +++ b/extras/support-tool/launcher/linux-launcher.cpp
@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
     if(forkResult == 0)
     {
         // Apply gid as both real and effective
 -        setregid(gid, gid);
 +        auto _ = setregid(gid, gid);
         int execErr = execv(filename, argv);
         std::cerr << "exec err: " << execErr << " / " << errno << " - "
 diff --git a/rake/model/qt.rb b/rake/model/qt.rb
 index c8cd362..a6abe59 100644
 --- a/rake/model/qt.rb
 +++ b/rake/model/qt.rb
@@ -171,12 +171,7 @@ class Qt
     end
     def getQtRoot(qtVersion, arch)
 -        qtToolchainPtns = getQtToolchainPatterns(arch)
 -        qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
 -        # Explicitly filter for existing paths - if the pattern has wildcards
 -        # we only get existing directories, but if the patterns are just
 -        # alternates with no wildcards, we can get directories that don't exist
 -        qtRoots.find_all { |r| File.exist?(r) }.max
 +        ENV['QTROOT']
     end
     def getQtVersionScore(minor, patch)
@@ -192,12 +187,7 @@ class Qt
     end
     def getQtPathVersion(path)
 -        verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
 -        if(verMatch == nil)
 -            nil
 -        else
 -            [verMatch[1].to_i, verMatch[2].to_i]
 -        end
 +        [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
     end
     # Build a component definition with the defaults.  The "Core" component will
 diff --git a/rake/product/linux.rb b/rake/product/linux.rb
 index f43fb3e..83505af 100644
 --- a/rake/product/linux.rb
 +++ b/rake/product/linux.rb
@@ -18,8 +18,7 @@ module PiaLinux
     QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
     # Version of libicu (needed to determine lib*.so.## file names in deployment)
 -    ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
 -        .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
 +    ICU_VERSION = ENV['ICU_MAJOR'].to_i;
     # Copy a directory recursively, excluding *.debug files (debugging symbols)
     def self.copyWithoutDebug(sourceDir, destDir)
@@ -220,16 +219,5 @@ module PiaLinux
     # Since these are just development workflow tools, they can be skipped if
     # specific dependencies are not available.
     def self.defineTools(toolsStage)
 -        # Test if we have libthai-dev, for the Thai word breaking utility
 -        if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
 -            Executable.new('thaibreak')
 -                .source('tools/thaibreak')
 -                .lib('thai')
 -                .install(toolsStage, :bin)
 -            toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
 -            toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
 -        else
 -            puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
 -        end
     end
 end
--- a/common/pc/pia/pia.nix
+++ b/common/pc/pia/pia.nix
@ -1,139 +0,0 @@
 { pkgs, lib, config, ... }:
 {
  nixpkgs.overlays = [
    (self: super:
    with self;
    let
      # arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
      arch = "x86_64";
      pia-desktop = clangStdenv.mkDerivation rec {
        pname = "pia-desktop";
        version = "3.3.0";
        src = fetchgit {
          url = "https://github.com/pia-foss/desktop";
          rev = version;
          fetchLFS = true;
          sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
        };
        patches = [
          ./fix-pia.patch
        ];
        nativeBuildInputs = [
          cmake
          rake
        ];
        prePatch = ''
          sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
        '';
        installPhase = ''
          mkdir -p $out/bin $out/lib $out/share
          cp -r ../out/pia_release_${arch}/stage/bin $out
          cp -r ../out/pia_release_${arch}/stage/lib $out
          cp -r ../out/pia_release_${arch}/stage/share $out
        '';
        cmakeFlags = [
          "-DCMAKE_BUILD_TYPE=Release"
        ];
        QTROOT = "${qt5.full}";
        QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
        QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
        ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
        buildInputs = [
          mesa
          libsForQt5.qt5.qtquickcontrols
          libsForQt5.qt5.qtquickcontrols2
          icu
          libnl
        ];
        dontWrapQtApps = true;
      };
    in rec {
      openvpn-updown = buildFHSUserEnv {
        name = "openvpn-updown";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "openvpn-updown.sh";
      };
      pia-client = buildFHSUserEnv {
        name = "pia-client";
        targetPkgs = pkgs: (with pkgs; [
          pia-desktop
          xorg.libXau
          xorg.libXdmcp
        ]);
        runScript = "pia-client";
      };
      piactl = buildFHSUserEnv {
        name = "piactl";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "piactl";
      };
      pia-daemon = buildFHSUserEnv {
        name = "pia-daemon";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-daemon";
      };
      pia-hnsd = buildFHSUserEnv {
        name = "pia-hnsd";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-hnsd";
      };
      pia-openvpn = buildFHSUserEnv {
        name = "pia-openvpn";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-openvpn";
      };
      pia-ss-local = buildFHSUserEnv {
        name = "pia-ss-local";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-ss-local";
      };
      pia-support-tool = buildFHSUserEnv {
        name = "pia-support-tool";
        targetPkgs = pkgs: (with pkgs; [
          pia-desktop
          xorg.libXau
          xorg.libXdmcp
        ]);
        runScript = "pia-support-tool";
      };
      pia-unbound = buildFHSUserEnv {
        name = "pia-unbound";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-unbound";
      };
      pia-wireguard-go = buildFHSUserEnv {
        name = "pia-wireguard-go";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "pia-wireguard-go";
      };
      support-tool-launcher = buildFHSUserEnv {
        name = "support-tool-launcher";
        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
        runScript = "support-tool-launcher";
      };
    })
  ];
 }
--- a/common/pc/pithos.nix
+++ b/common/pc/pithos.nix
@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
--- a/common/pc/spotify.nix
+++ b/common/pc/spotify.nix
@ -1,86 +0,0 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.spotifyd;
  toml = pkgs.formats.toml {};
  spotifydConf = toml.generate "spotify.conf" cfg.settings;
 in
 {
  disabledModules = [
    "services/audio/spotifyd.nix"
  ];
  options = {
    services.spotifyd = {
      enable = mkEnableOption "spotifyd, a Spotify playing daemon";
      settings = mkOption {
        default = {};
        type = toml.type;
        example = { global.bitrate = 320; };
        description = ''
          Configuration for Spotifyd. For syntax and directives, see
          <link xlink:href="https://github.com/Spotifyd/spotifyd#Configuration"/>.
        '';
      };
      users = mkOption {
        type = with types; listOf str;
        default = [];
        description = ''
          Usernames to be added to the "spotifyd" group, so that they
          can start and interact with the userspace daemon.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    # username specific stuff because i'm lazy...
    services.spotifyd.users = [ "googlebot" ];
    users.users.googlebot.packages = with pkgs; [
      spotify
      spotify-tui
    ];
    users.groups.spotifyd = {
      members = cfg.users;
    };
    age.secrets.spotifyd = {
      file = ../../secrets/spotifyd.age;
      group = "spotifyd";
      mode = "0440"; # group can read
    };
    # spotifyd to read secrets and run as user service
    services.spotifyd = {
      settings.global = {
        username_cmd = "sed '1q;d' /run/agenix/spotifyd";
        password_cmd = "sed '2q;d' /run/agenix/spotifyd";
        bitrate = 320;
        backend = "pulseaudio";
        device_name = config.networking.hostName;
        device_type = "computer";
        # on_song_change_hook = "command_to_run_on_playback_events"
        autoplay = true;
      };
    };
    systemd.user.services.spotifyd-daemon = {
      enable = true;
      wantedBy = [ "graphical-session.target" ];
      partOf = [ "graphical-session.target" ];
      description = "spotifyd, a Spotify playing daemon";
      environment.SHELL = "/bin/sh";
      serviceConfig = {
        ExecStart = "${pkgs.spotifyd}/bin/spotifyd --no-daemon --config-path ${spotifydConf}";
        Restart = "always";
        CacheDirectory = "spotifyd";
      };
    };
  };
 }
--- a/common/pc/steam.nix
+++ b/common/pc/steam.nix
@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    programs.steam.enable = true;
    hardware.steam-hardware.enable = true; # steam controller
--- a/common/pc/torbrowser.nix
+++ b/common/pc/torbrowser.nix
@ -1,24 +0,0 @@
 { lib, config, pkgs, ... }:
 let
  cfg = config.de;
 in {
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
        tor-browser-bundle-bin = super.tor-browser-bundle-bin.overrideAttrs (old: rec {
          version = "10.0.10";
          lang = "en-US";
          src = pkgs.fetchurl {
            url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz";
            sha256 = "vYWZ+NsGN8YH5O61+zrUjlFv3rieaBqjBQ+a18sQcZg=";
          };
        });
      })
    ];
    users.users.googlebot.packages = with pkgs; [
      tor-browser-bundle-bin
    ];
  };
 }
--- a/common/pc/touchpad.nix
+++ b/common/pc/touchpad.nix
@ -1,14 +1,11 @@
 { lib, config, pkgs, ... }:
 let
-  cfg = config.de.touchpad;
+  cfg = config.de;
-in {
+in
-  options.de.touchpad = {
+{
    enable = lib.mkEnableOption "enable touchpad";
  };
  config = lib.mkIf cfg.enable {
-    services.xserver.libinput.enable = true;
+    services.libinput.enable = true;
-    services.xserver.libinput.touchpad.naturalScrolling = true;
+    services.libinput.touchpad.naturalScrolling = true;
  };
 }
--- a/common/pc/udev.nix
+++ b/common/pc/udev.nix
@ -0,0 +1,25 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.de;
 in
 {
  config = lib.mkIf cfg.enable {
    services.udev.extraRules = ''
      # depthai
      SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
      # Moonlander
      # Rules for Oryx web flashing and live training
      KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
      KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
      # Wally Flashing rules for the Moonlander and Planck EZ
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
    '';
    services.udev.packages = [ pkgs.platformio ];
    users.groups.plugdev = {
      members = [ "googlebot" ];
    };
  };
 }
--- a/common/pc/use-meson-v57.patch
+++ b/common/pc/use-meson-v57.patch
@ -1,22 +0,0 @@
 diff --git a/meson.build b/meson.build
 index dace367..8c0e290 100644
 --- a/meson.build
 +++ b/meson.build
@@ -8,7 +8,7 @@ project(
         'warning_level=0',
     ],
     license: 'MIT',
 -    meson_version: '>= 0.58.0',
 +    meson_version: '>= 0.57.0',
 )
 cc = meson.get_compiler('c')
@@ -47,8 +47,3 @@ shared_library(
     gnu_symbol_visibility: 'hidden',
 )
 -meson.add_devenv(environment({
 -    'NVD_LOG': '1',
 -    'LIBVA_DRIVER_NAME': 'nvidia',
 -    'LIBVA_DRIVERS_PATH': meson.project_build_root(),
 -}))
--- a/common/pc/virtualisation.nix
+++ b/common/pc/virtualisation.nix
@ -0,0 +1,23 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.de;
 in
 {
  config = lib.mkIf cfg.enable {
    # AppVMs
    virtualisation.appvm.enable = true;
    virtualisation.appvm.user = "googlebot";
    # Use podman instead of docker
    virtualisation.podman.enable = true;
    virtualisation.podman.dockerCompat = true;
    # virt-manager
    virtualisation.libvirtd.enable = true;
    programs.dconf.enable = true;
    virtualisation.spiceUSBRedirection.enable = true;
    environment.systemPackages = with pkgs; [ virt-manager ];
    users.users.googlebot.extraGroups = [ "libvirtd" "adbusers" ];
  };
 }
--- a/common/pc/vscodium.nix
+++ b/common/pc/vscodium.nix
@ -4,8 +4,35 @@ let
  cfg = config.de;
  extensions = with pkgs.vscode-extensions; [
-#    bbenoist.Nix # nix syntax support
+    bbenoist.nix # nix syntax support
-#    arrterian.nix-env-selector  # nix dev envs
+    arrterian.nix-env-selector # nix dev envs
    dart-code.dart-code
    dart-code.flutter
    golang.go
    jnoortheen.nix-ide
    ms-vscode.cpptools
    rust-lang.rust-analyzer
    vadimcn.vscode-lldb
    tauri-apps.tauri-vscode
  ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
    {
      name = "platformio-ide";
      publisher = "platformio";
      version = "3.1.1";
      sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
    }
    {
      name = "wgsl-analyzer";
      publisher = "wgsl-analyzer";
      version = "0.8.1";
      sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
    }
    {
      name = "volar";
      publisher = "Vue";
      version = "2.2.4";
      sha256 = "FHS/LNjSUVfCb4SVF9naR4W0JqycWzSWiK54jfbRagA=";
    }
  ];
  vscodium-with-extensions = pkgs.vscode-with-extensions.override {
--- a/common/pc/xfce.nix
+++ b/common/pc/xfce.nix
@ -1,22 +0,0 @@
 { lib, config, pkgs, ... }:
 let
  cfg = config.de;
 in {
  config = lib.mkIf cfg.enable {
    services.xserver = {
      enable = true;
      desktopManager = {
        xterm.enable = false;
        xfce.enable = true;
      };
      displayManager.sddm.enable = true;
    };
    # xfce apps
    # TODO for some reason whiskermenu needs to be global for it to work
    environment.systemPackages = with pkgs; [
      xfce.xfce4-whiskermenu-plugin
    ];
  };
 }
--- a/common/pc/yubikey.nix
+++ b/common/pc/yubikey.nix
@ -2,7 +2,8 @@
 let
  cfg = config.de;
-in {
+in
 {
  config = lib.mkIf cfg.enable {
    # yubikey
    services.pcscd.enable = true;
--- a/common/server/actualbudget.nix
+++ b/common/server/actualbudget.nix
@ -0,0 +1,87 @@
 # Starting point:
 # https://github.com/aldoborrero/mynixpkgs/commit/c501c1e32dba8f4462dcecb57eee4b9e52038e27
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.actual-server;
  stateDir = "/var/lib/${cfg.stateDirName}";
 in
 {
  options.services.actual-server = {
    enable = lib.mkEnableOption "Actual Server";
    hostname = lib.mkOption {
      type = lib.types.str;
      default = "localhost";
      description = "Hostname for the Actual Server.";
    };
    port = lib.mkOption {
      type = lib.types.int;
      default = 25448;
      description = "Port on which the Actual Server should listen.";
    };
    stateDirName = lib.mkOption {
      type = lib.types.str;
      default = "actual-server";
      description = "Name of the directory under /var/lib holding the server's data.";
    };
    upload = {
      fileSizeSyncLimitMB = lib.mkOption {
        type = lib.types.nullOr lib.types.int;
        default = null;
        description = "File size limit in MB for synchronized files.";
      };
      syncEncryptedFileSizeLimitMB = lib.mkOption {
        type = lib.types.nullOr lib.types.int;
        default = null;
        description = "File size limit in MB for synchronized encrypted files.";
      };
      fileSizeLimitMB = lib.mkOption {
        type = lib.types.nullOr lib.types.int;
        default = null;
        description = "File size limit in MB for file uploads.";
      };
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services.actual-server = {
      description = "Actual Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.actual-server}/bin/actual-server";
        Restart = "always";
        StateDirectory = cfg.stateDirName;
        WorkingDirectory = stateDir;
        DynamicUser = true;
        UMask = "0007";
      };
      environment = {
        NODE_ENV = "production";
        ACTUAL_PORT = toString cfg.port;
        # Actual is actually very bad at configuring it's own paths despite that information being readily available
        ACTUAL_USER_FILES = "${stateDir}/user-files";
        ACTUAL_SERVER_FILES = "${stateDir}/server-files";
        ACTUAL_DATA_DIR = stateDir;
        ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeSyncLimitMB or "");
        ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SIZE_LIMIT_MB = toString (cfg.upload.syncEncryptedFileSizeLimitMB or "");
        ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeLimitMB or "");
      };
    };
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://localhost:${toString cfg.port}";
    };
  };
 }
--- a/common/server/ceph.nix
+++ b/common/server/ceph.nix
@ -3,9 +3,9 @@
 with lib;
 let
  cfg = config.ceph;
-in {
+in
-  options.ceph = {
+{
-  };
+  options.ceph = { };
  config = mkIf cfg.enable {
    # ceph.enable = true;
--- a/common/server/default.nix
+++ b/common/server/default.nix
@ -10,9 +10,16 @@
    ./matrix.nix
    ./zerobin.nix
    ./gitea.nix
    ./privatebin/privatebin.nix
    ./radio.nix
    ./samba.nix
    ./owncast.nix
    ./mailserver.nix
    ./nextcloud.nix
    ./iodine.nix
    ./searx.nix
    ./gitea-actions-runner.nix
    ./librechat.nix
    ./actualbudget.nix
    ./unifi.nix
  ];
 }
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@ -0,0 +1,136 @@
 { config, pkgs, lib, allModules, ... }:
 # Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
 # This is useful for providing a real Nix/OS builder to gitea.
 # Warning, NixOS containers are not secure. For example, the container shares the /nix/store
 # Therefore, this should not be used to run untrusted code.
 # To enable, assign a machine the 'gitea-actions-runner' system role
 # TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
 let
  runnerRole = "gitea-actions-runner";
  runners = config.machines.roles.${runnerRole};
  thisMachineIsARunner = builtins.elem config.networking.hostName runners;
  containerName = "gitea-runner";
 in
 {
  config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
    # containers.${containerName} = {
    #   ephemeral = true;
    #   autoStart = true;
    #   # for podman
    #   enableTun = true;
    #   # privateNetwork = true;
    #   # hostAddress = "172.16.101.1";
    #   # localAddress = "172.16.101.2";
    #   bindMounts =
    #     {
    #       "/run/agenix/gitea-actions-runner-token" = {
    #         hostPath = "/run/agenix/gitea-actions-runner-token";
    #         isReadOnly = true;
    #       };
    #       "/var/lib/gitea-runner" = {
    #         hostPath = "/var/lib/gitea-runner";
    #         isReadOnly = false;
    #       };
    #     };
    #   extraFlags = [
    #     # Allow podman
    #     ''--system-call-filter=thisystemcalldoesnotexistforsure''
    #   ];
    #   additionalCapabilities = [
    #     "CAP_SYS_ADMIN"
    #   ];
    #   config = {
    #     imports = allModules;
    #     # speeds up evaluation
    #     nixpkgs.pkgs = pkgs;
    #     networking.hostName = lib.mkForce containerName;
    #     # don't use remote builders
    #     nix.distributedBuilds = lib.mkForce false;
    #     environment.systemPackages = with pkgs; [
    #       git
    #       # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
    #       nodejs
    #     ];
    #     services.gitea-actions-runner.instances.inst = {
    #       enable = true;
    #       name = config.networking.hostName;
    #       url = "https://git.neet.dev/";
    #       tokenFile = "/run/agenix/gitea-actions-runner-token";
    #       labels = [
    #         "ubuntu-latest:docker://node:18-bullseye"
    #         "nixos:host"
    #       ];
    #     };
    #     # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
    #     systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
    #     users.users.gitea-runner = {
    #       home = "/var/lib/gitea-runner";
    #       group = "gitea-runner";
    #       isSystemUser = true;
    #       createHome = true;
    #     };
    #     users.groups.gitea-runner = { };
    #     virtualisation.podman.enable = true;
    #     boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    #   };
    # };
    # networking.nat.enable = true;
    # networking.nat.internalInterfaces = [
    #   "ve-${containerName}"
    # ];
    # networking.ip_forward = true;
    # don't use remote builders
    nix.distributedBuilds = lib.mkForce false;
    services.gitea-actions-runner.instances.inst = {
      enable = true;
      name = config.networking.hostName;
      url = "https://git.neet.dev/";
      tokenFile = "/run/agenix/gitea-actions-runner-token";
      labels = [
        "ubuntu-latest:docker://node:18-bullseye"
        "nixos:host"
      ];
    };
    environment.systemPackages = with pkgs; [
      git
      # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
      nodejs
    ];
    # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
    systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
    users.users.gitea-runner = {
      home = "/var/lib/gitea-runner";
      group = "gitea-runner";
      isSystemUser = true;
      createHome = true;
    };
    users.groups.gitea-runner = { };
    virtualisation.podman.enable = true;
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
  };
 }
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@ -1,8 +1,9 @@
-{ lib, config, ... }:
+{ lib, pkgs, config, ... }:
 let
  cfg = config.services.gitea;
-in {
+in
 {
  options.services.gitea = {
    hostname = lib.mkOption {
      type = lib.types.str;
@ -11,29 +12,63 @@ in {
  };
  config = lib.mkIf cfg.enable {
    services.gitea = {
      domain = cfg.hostname;
      rootUrl = "https://${cfg.hostname}/";
      appName = cfg.hostname;
-      ssh.enable = true;
+      lfs.enable = true;
-      # lfs.enable = true;
+      # dump.enable = true;
      dump.enable = true;
      cookieSecure = true;
      disableRegistration = true;
      settings = {
        server = {
          ROOT_URL = "https://${cfg.hostname}/";
          DOMAIN = cfg.hostname;
        };
        other = {
          SHOW_FOOTER_VERSION = false;
        };
        ui = {
-          DEFAULT_THEME = "arc-green";
+          DEFAULT_THEME = "gitea-dark";
        };
        service = {
          DISABLE_REGISTRATION = true;
        };
        session = {
          COOKIE_SECURE = true;
          PROVIDER = "db";
          SESSION_LIFE_TIME = 259200; # 3 days
          GC_INTERVAL_TIME = 259200; # 3 days
        };
        mailer = {
          ENABLED = true;
          MAILER_TYPE = "smtp";
          SMTP_ADDR = "mail.neet.dev";
          SMTP_PORT = "465";
          IS_TLS_ENABLED = true;
          USER = "robot@runyan.org";
          FROM = "no-reply@neet.dev";
        };
        actions = {
          ENABLED = true;
        };
        indexer = {
          REPO_INDEXER_ENABLED = true;
        };
      };
      mailerPasswordFile = "/run/agenix/robots-email-pw";
    };
    age.secrets.robots-email-pw = {
      file = ../../secrets/robots-email-pw.age;
      owner = config.services.gitea.user;
    };
    # backups
    backup.group."gitea".paths = [
      config.services.gitea.stateDir
    ];
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.hostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
-        proxyPass = "http://localhost:${toString cfg.httpPort}";
+        proxyPass = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
      };
    };
  };
--- a/common/server/hydra.nix
+++ b/common/server/hydra.nix
@ -20,6 +20,6 @@ in
    hydraURL = "https://${domain}";
    useSubstitutes = true;
    notificationSender = notifyEmail;
-    buildMachinesFiles = [];
+    buildMachinesFiles = [ ];
  };
 }
--- a/common/server/icecast.nix
+++ b/common/server/icecast.nix
@ -7,7 +7,8 @@
 let
  cfg = config.services.icecast;
-in {
+in
 {
  options.services.icecast = {
    mount = lib.mkOption {
      type = lib.types.str;
--- a/common/server/iodine.nix
+++ b/common/server/iodine.nix
@ -0,0 +1,21 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.iodine.server;
 in
 {
  config = lib.mkIf cfg.enable {
    # iodine DNS-based vpn
    services.iodine.server = {
      ip = "192.168.99.1";
      domain = "tun.neet.dev";
      passwordFile = "/run/agenix/iodine";
    };
    age.secrets.iodine.file = ../../secrets/iodine.age;
    networking.firewall.allowedUDPPorts = [ 53 ];
    networking.nat.internalInterfaces = [
      "dns0" # iodine
    ];
  };
 }
--- a/common/server/librechat.nix
+++ b/common/server/librechat.nix
@ -0,0 +1,69 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.librechat;
 in
 {
  options.services.librechat = {
    enable = mkEnableOption "librechat";
    port = mkOption {
      type = types.int;
      default = 3080;
    };
    host = lib.mkOption {
      type = lib.types.str;
      example = "example.com";
    };
  };
  config = mkIf cfg.enable {
    virtualisation.oci-containers.containers = {
      librechat = {
        image = "ghcr.io/danny-avila/librechat:v0.7.7";
        environment = {
          HOST = "0.0.0.0";
          MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
          ENDPOINTS = "openAI,google,bingAI,gptPlugins";
          OPENAI_MODELS = lib.concatStringsSep "," [
            "gpt-4o-mini"
            "o3-mini"
            "gpt-4o"
            "o1"
          ];
          REFRESH_TOKEN_EXPIRY = toString (1000 * 60 * 60 * 24 * 30); # 30 days
        };
        environmentFiles = [
          "/run/agenix/librechat-env-file"
        ];
        ports = [
          "${toString cfg.port}:3080"
        ];
      };
    };
    age.secrets.librechat-env-file.file = ../../secrets/librechat-env-file.age;
    services.mongodb.enable = true;
    services.mongodb.bind_ip = "0.0.0.0";
    # easier podman maintenance
    virtualisation.oci-containers.backend = "podman";
    virtualisation.podman.dockerSocket.enable = true;
    virtualisation.podman.dockerCompat = true;
    # For mongodb access
    networking.firewall.trustedInterfaces = [
      "podman0" # for librechat
    ];
    services.nginx.virtualHosts.${cfg.host} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.port}";
        proxyWebsockets = true;
      };
    };
  };
 }
--- a/common/server/mailserver.nix
+++ b/common/server/mailserver.nix
@ -0,0 +1,113 @@
 { config, pkgs, lib, ... }:
 with builtins;
 let
  cfg = config.mailserver;
  domains = [
    "neet.space"
    "neet.dev"
    "neet.cloud"
    "runyan.org"
    "runyan.rocks"
    "thunderhex.com"
    "tar.ninja"
    "bsd.ninja"
    "bsd.rocks"
  ];
 in
 {
  config = lib.mkIf cfg.enable {
    # kresd doesn't work with tailscale MagicDNS
    mailserver.localDnsResolver = false;
    services.resolved.enable = true;
    mailserver = {
      fqdn = "mail.neet.dev";
      dkimKeyBits = 2048;
      indexDir = "/var/lib/mailindex";
      enableManageSieve = true;
      fullTextSearch.enable = true;
      fullTextSearch.indexAttachments = true;
      fullTextSearch.memoryLimit = 500;
      inherit domains;
      loginAccounts = {
        "jeremy@runyan.org" = {
          hashedPasswordFile = "/run/agenix/hashed-email-pw";
          # catchall for all domains
          aliases = map (domain: "@${domain}") domains;
        };
        "cris@runyan.org" = {
          hashedPasswordFile = "/run/agenix/cris-hashed-email-pw";
          aliases = [ "chris@runyan.org" ];
        };
        "robot@runyan.org" = {
          aliases = [
            "no-reply@neet.dev"
            "robot@neet.dev"
          ];
          sendOnly = true;
          hashedPasswordFile = "/run/agenix/hashed-robots-email-pw";
        };
      };
      rejectRecipients = [
        "george@runyan.org"
        "joslyn@runyan.org"
        "damon@runyan.org"
        "jonas@runyan.org"
        "simon@neet.dev"
        "ellen@runyan.org"
      ];
      forwards = {
        "amazon@runyan.org" = [
          "jeremy@runyan.org"
          "cris@runyan.org"
        ];
      };
      certificateScheme = "acme-nginx"; # use let's encrypt for certs
    };
    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
    age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
    # sendmail to use xxx@domain instead of xxx@mail.domain
    services.postfix.origin = "$mydomain";
    # relay sent mail through mailgun
    # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
    services.postfix.config = {
      smtp_sasl_auth_enable = "yes";
      smtp_sasl_security_options = "noanonymous";
      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
      smtp_use_tls = "yes";
      sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
      smtp_sender_dependent_authentication = "yes";
    };
    services.postfix.mapFiles.sender_relay =
      let
        relayHost = "[smtp.mailgun.org]:587";
      in
      pkgs.writeText "sender_relay"
        (concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
    services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
    age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
    # webmail
    services.nginx.enable = true;
    services.roundcube = {
      enable = true;
      hostName = config.mailserver.fqdn;
      extraConfig = ''
        # starttls needed for authentication, so the fqdn required to match the certificate
        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
      '';
    };
    # backups
    backup.group."email".paths = [
      config.mailserver.mailDirectory
    ];
  };
 }
--- a/common/server/matrix.nix
+++ b/common/server/matrix.nix
@ -3,7 +3,8 @@
 let
  cfg = config.services.matrix;
  certs = config.security.acme.certs;
-in {
+in
 {
  options.services.matrix = {
    enable = lib.mkEnableOption "enable matrix";
    element-web = {
@ -62,15 +63,15 @@ in {
      settings = {
        server_name = cfg.host;
        enable_registration = cfg.enable_registration;
-        listeners = [ {
+        listeners = [{
-          bind_addresses = ["127.0.0.1"];
+          bind_addresses = [ "127.0.0.1" ];
          port = cfg.port;
          tls = false;
-          resources = [ {
+          resources = [{
            compress = true;
            names = [ "client" "federation" ];
-          } ];
+          }];
-        } ];
+        }];
        turn_uris = [
          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
@ -137,7 +138,8 @@ in {
        ];
        locations."/".proxyPass = "http://localhost:${toString cfg.port}";
      };
-      virtualHosts.${cfg.turn.host} =  { # get TLS cert for TURN server
+      virtualHosts.${cfg.turn.host} = {
        # get TLS cert for TURN server
        enableACME = true;
        forceSSL = true;
      };
--- a/common/server/mumble.nix
+++ b/common/server/mumble.nix
@ -3,7 +3,8 @@
 let
  cfg = config.services.murmur;
  certs = config.security.acme.certs;
-in {
+in
 {
  options.services.murmur.domain = lib.mkOption {
    type = lib.types.str;
  };
--- a/common/server/nextcloud.nix
+++ b/common/server/nextcloud.nix
@ -0,0 +1,44 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.nextcloud;
 in
 {
  config = lib.mkIf cfg.enable {
    services.nextcloud = {
      https = true;
      package = pkgs.nextcloud30;
      hostName = "neet.cloud";
      config.dbtype = "sqlite";
      config.adminuser = "jeremy";
      config.adminpassFile = "/run/agenix/nextcloud-pw";
      autoUpdateApps.enable = true;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        # Want
        inherit end_to_end_encryption mail spreed;
        # Might use
        inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi;
        # Try out
        # inherit maps music news notes phonetrack polls forms;
      };
      extraAppsEnable = true;
    };
    age.secrets.nextcloud-pw = {
      file = ../../secrets/nextcloud-pw.age;
      owner = "nextcloud";
    };
    # backups
    backup.group."nextcloud".paths = [
      config.services.nextcloud.home
    ];
    services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
      enableACME = true;
      forceSSL = true;
    };
  };
 }
--- a/common/server/nginx-stream.nix
+++ b/common/server/nginx-stream.nix
@ -5,7 +5,8 @@ let
  nginxWithRTMP = pkgs.nginx.override {
    modules = [ pkgs.nginxModules.rtmp ];
  };
-in {
+in
 {
  options.services.nginx.stream = {
    enable = lib.mkEnableOption "enable nginx rtmp/hls/dash video streaming";
    port = lib.mkOption {
--- a/common/server/nginx.nix
+++ b/common/server/nginx.nix
@ -2,7 +2,12 @@
 let
  cfg = config.services.nginx;
-in {
+in
 {
  options.services.nginx = {
    openFirewall = lib.mkEnableOption "Open firewall ports 80 and 443";
  };
  config = lib.mkIf cfg.enable {
    services.nginx = {
      recommendedGzipSettings = true;
@ -11,6 +16,8 @@ in {
      recommendedTlsSettings = true;
    };
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    services.nginx.openFirewall = lib.mkDefault true;
    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 80 443 ];
  };
 }
--- a/common/server/owncast.nix
+++ b/common/server/owncast.nix
@ -4,7 +4,8 @@ with lib;
 let
  cfg = config.services.owncast;
-in {
+in
 {
  options.services.owncast = {
    hostname = lib.mkOption {
      type = types.str;
--- a/common/server/privatebin/conf.php
+++ b/common/server/privatebin/conf.php
@ -1,42 +0,0 @@
 ;<?php http_response_code(403); /*
 [main]
 name = "Kode Paste"
 discussion = false
 opendiscussion = false
 password = true
 fileupload = false
 burnafterreadingselected = false
 defaultformatter = "plaintext"
 sizelimit = 10485760
 template = "bootstrap"
 languageselection = false
 [expire]
 default = "1week"
 [expire_options]
 5min = 300
 10min = 600
 1hour = 3600
 1day = 86400
 1week = 604800
 [formatter_options]
 plaintext = "Plain Text"
 syntaxhighlighting = "Source Code"
 markdown = "Markdown"
 [traffic]
 limit = 10
 dir = "/var/lib/privatebin"
 [purge]
 limit = 300
 batchsize = 10
 dir = "/var/lib/privatebin"
 [model]
 class = Filesystem
 [model_options]
 dir = "/var/lib/privatebin"
--- a/common/server/privatebin/privatebin.nix
+++ b/common/server/privatebin/privatebin.nix
@ -1,73 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.privatebin;
  privateBinSrc = pkgs.stdenv.mkDerivation {
    name = "privatebin";
    src = pkgs.fetchFromGitHub {
      owner = "privatebin";
      repo = "privatebin";
      rev = "d65bf02d7819a530c3c2a88f6f9947651fe5258d";
      sha256 = "7ttAvEDL1ab0cUZcqZzXFkXwB2rF2t4eNpPxt48ap94=";
    };
    installPhase = ''
      cp -ar $src $out
    '';
  };
 in {
  options.services.privatebin = {
    enable = lib.mkEnableOption "enable privatebin";
    host = lib.mkOption {
      type = lib.types.str;
      example = "example.com";
    };
  };
  config = lib.mkIf cfg.enable {
    users.users.privatebin = {
      description = "privatebin service user";
      group = "privatebin";
      isSystemUser = true;
    };
    users.groups.privatebin = {};
    services.nginx.enable = true;
    services.nginx.virtualHosts.${cfg.host} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        root = privateBinSrc;
        index = "index.php";
      };
      locations."~ \.php$" = {
        root = privateBinSrc;
        extraConfig = ''
          fastcgi_pass  unix:${config.services.phpfpm.pools.privatebin.socket};
          fastcgi_index index.php;
        '';
      };
    };
    systemd.tmpfiles.rules = [
      "d '/var/lib/privatebin' 0750 privatebin privatebin - -"
    ];
    services.phpfpm.pools.privatebin = {                                                                                                                                                                                                             
      user = "privatebin";
      group = "privatebin";
      phpEnv = {
        CONFIG_PATH = "${./conf.php}";
      };
      settings = {
        pm = "dynamic";
        "listen.owner" = config.services.nginx.user;
        "pm.max_children" = 5;
        "pm.start_servers" = 2;
        "pm.min_spare_servers" = 1;
        "pm.max_spare_servers" = 3;
        "pm.max_requests" = 500;
      };
    };
  };
 }
--- a/common/server/radio.nix
+++ b/common/server/radio.nix
@ -3,7 +3,8 @@
 let
  cfg = config.services.radio;
  radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
-in {
+in
 {
  options.services.radio = {
    enable = lib.mkEnableOption "enable radio";
    user = lib.mkOption {
@ -56,11 +57,11 @@ in {
      home = cfg.dataDir;
      createHome = true;
    };
-    users.groups.${cfg.group} = {};
+    users.groups.${cfg.group} = { };
    systemd.services.radio = {
      enable = true;
-      after = ["network.target"];
+      after = [ "network.target" ];
-      wantedBy = ["multi-user.target"];
+      wantedBy = [ "multi-user.target" ];
      serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
      serviceConfig.User = cfg.user;
      serviceConfig.Group = cfg.group;
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@ -5,32 +5,28 @@
    services.samba = {
      openFirewall = true;
      package = pkgs.sambaFull; # printer sharing
      securityType = "user";
      # should this be on?
      nsswins = true;
-      extraConfig = ''
+      settings = {
-        workgroup = HOME
+        global = {
-        server string = smbnix
+          security = "user";
-        netbios name = smbnix
+          workgroup = "HOME";
-        security = user 
+          "server string" = "smbnix";
-        use sendfile = yes
+          "netbios name" = "smbnix";
-        min protocol = smb2
+          "use sendfile" = "yes";
-        guest account = nobody
+          "min protocol" = "smb2";
-        map to guest = bad user
+          "guest account" = "nobody";
          "map to guest" = "bad user";
          # printing
-        load printers = yes
+          "load printers" = "yes";
-        printing = cups
+          printing = "cups";
-        printcap name = cups
+          "printcap name" = "cups";
-        # horrible files
+          "hide files" = "/.nobackup/.DS_Store/._.DS_Store/";
-        veto files = /._*/.DS_Store/ /._*/._.DS_Store/
+        };
        delete veto files = yes
      '';
      shares = {
        public = {
          path = "/data/samba/Public";
          browseable = "yes";
@ -77,6 +73,13 @@
      };
    };
    # backups
    backup.group."samba".paths = [
      config.services.samba.settings.googlebot.path
      config.services.samba.settings.cris.path
      config.services.samba.settings.public.path
    ];
    # Windows discovery of samba server
    services.samba-wsdd = {
      enable = true;
@ -92,7 +95,7 @@
    # Printer discovery
    # (is this needed?)
    services.avahi.enable = true;
-    services.avahi.nssmdns = true;
+    services.avahi.nssmdns4 = true;
    # printer sharing
    systemd.tmpfiles.rules = [
@ -110,6 +113,6 @@
    # samba user for share
    users.users.cris.isSystemUser = true;
    users.users.cris.group = "cris";
-    users.groups.cris = {};
+    users.groups.cris = { };
  };
 }
--- a/common/server/searx.nix
+++ b/common/server/searx.nix
@ -0,0 +1,30 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.searx;
 in
 {
  config = lib.mkIf cfg.enable {
    services.searx = {
      environmentFile = "/run/agenix/searx";
      settings = {
        server.port = 43254;
        server.secret_key = "@SEARX_SECRET_KEY@";
        engines = [{
          name = "wolframalpha";
          shortcut = "wa";
          api_key = "@WOLFRAM_API_KEY@";
          engine = "wolframalpha_api";
        }];
      };
    };
    services.nginx.virtualHosts."search.neet.space" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
      };
    };
    age.secrets.searx.file = ../../secrets/searx.age;
  };
 }
--- a/common/server/thelounge.nix
+++ b/common/server/thelounge.nix
@ -2,7 +2,8 @@
 let
  cfg = config.services.thelounge;
-in {
+in
 {
  options.services.thelounge = {
    fileUploadBaseUrl = lib.mkOption {
      type = lib.types.str;
@ -42,6 +43,10 @@ in {
      };
    };
    backup.group."thelounge".paths = [
      "/var/lib/thelounge/"
    ];
    # the lounge client
    services.nginx.virtualHosts.${cfg.host} = {
      enableACME = true;
--- a/common/server/unifi.nix
+++ b/common/server/unifi.nix
@ -0,0 +1,26 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.unifi;
 in
 {
  options.services.unifi = {
    # Open select Unifi ports instead of using openFirewall to avoid opening access to unifi's control panel
    openMinimalFirewall = lib.mkEnableOption "Open bare minimum firewall ports";
  };
  config = lib.mkIf cfg.enable {
    services.unifi.unifiPackage = pkgs.unifi;
    services.unifi.mongodbPackage = pkgs.mongodb-7_0;
    networking.firewall = lib.mkIf cfg.openMinimalFirewall {
      allowedUDPPorts = [
        3478 # STUN
        10001 # used for device discovery.
      ];
      allowedTCPPorts = [
        8080 # Used for device and application communication.
      ];
    };
  };
 }
--- a/common/server/video-stream.nix
+++ b/common/server/video-stream.nix
@ -15,14 +15,14 @@ let
 in
 {
  networking.firewall.allowedUDPPorts = [ rtp-port ];
-  networking.firewall.allowedTCPPortRanges = [ {
+  networking.firewall.allowedTCPPortRanges = [{
    from = webrtc-peer-lower-port;
    to = webrtc-peer-upper-port;
-  } ];
+  }];
-  networking.firewall.allowedUDPPortRanges = [ { 
+  networking.firewall.allowedUDPPortRanges = [{
    from = webrtc-peer-lower-port;
    to = webrtc-peer-upper-port;
-  } ];
+  }];
  virtualisation.docker.enable = true;
@ -49,12 +49,12 @@ in
        ports = [
          "${toStr ingest-port}:8084"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/ingest";
+        #          imageName = "projectlightspeed/ingest";
-#          finalImageTag = "version-0.1.4";
+        #          finalImageTag = "version-0.1.4";
-#          imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
+        #          imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
-#          sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
+        #          sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
-#        };
+        #        };
      };
      "lightspeed-react" = {
        workdir = "/var/lib/lightspeed-react";
@ -62,12 +62,12 @@ in
        ports = [
          "${toStr web-port}:80"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/react";
+        #          imageName = "projectlightspeed/react";
-#          finalImageTag = "version-0.1.3";
+        #          finalImageTag = "version-0.1.3";
-#          imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
+        #          imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
-#          sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
+        #          sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
-#        };
+        #        };
      };
      "lightspeed-webrtc" = {
        workdir = "/var/lib/lightspeed-webrtc";
@ -79,15 +79,18 @@ in
          "${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}:${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}/udp"
        ];
        cmd = [
-          "lightspeed-webrtc" "--addr=0.0.0.0" "--ip=${domain}"
+          "lightspeed-webrtc"
-          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}" "run"
+          "--addr=0.0.0.0"
          "--ip=${domain}"
          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}"
          "run"
        ];
-#        imageFile = pkgs.dockerTools.pullImage {
+        #        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/webrtc";
+        #          imageName = "projectlightspeed/webrtc";
-#          finalImageTag = "version-0.1.2";
+        #          finalImageTag = "version-0.1.2";
-#          imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
+        #          imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
-#          sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
+        #          sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
-#        };
+        #        };
      };
    };
  };
--- a/common/server/vscode/modules/vscode-server/default.nix
+++ b/common/server/vscode/modules/vscode-server/default.nix
@ -1,8 +1,8 @@
 import ./module.nix ({ name, description, serviceConfig }:
-{
+  {
    systemd.user.services.${name} = {
      inherit description serviceConfig;
      wantedBy = [ "default.target" ];
    };
-})
+  })
--- a/common/server/vscode/modules/vscode-server/home.nix
+++ b/common/server/vscode/modules/vscode-server/home.nix
@ -1,6 +1,6 @@
 import ./module.nix ({ name, description, serviceConfig }:
-{
+  {
    systemd.user.services.${name} = {
      Unit = {
        Description = description;
@ -12,4 +12,4 @@ import ./module.nix ({ name, description, serviceConfig }:
        WantedBy = [ "default.target" ];
      };
    };
-})
+  })
--- a/common/server/zerobin.nix
+++ b/common/server/zerobin.nix
@ -2,7 +2,8 @@
 let
  cfg = config.services.zerobin;
-in {
+in
 {
  options.services.zerobin = {
    host = lib.mkOption {
      type = lib.types.str;
--- a/common/shell.nix
+++ b/common/shell.nix
@ -1,36 +1,28 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 # Improvements to the default shell
-# - use nix-locate for command-not-found
+# - use nix-index for command-not-found
 # - disable fish's annoying greeting message
 # - add some handy shell commands
-let
+{
-  nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default;
+  environment.systemPackages = with pkgs; [
-in {
+    comma
  programs.command-not-found.enable = false;
  environment.systemPackages = [
    nix-locate
  ];
  # nix-index
  programs.nix-index.enable = true;
  programs.nix-index.enableFishIntegration = true;
  programs.command-not-found.enable = false;
  programs.fish = {
    enable = true;
-    shellInit = let
+    shellInit = ''
      wrapper = pkgs.writeScript "command-not-found" ''
        #!${pkgs.bash}/bin/bash
        source ${nix-locate}/etc/profile.d/command-not-found.sh
        command_not_found_handle "$@"
      '';
    in ''
      # use nix-locate for command-not-found functionality
      function __fish_command_not_found_handler --on-event fish_command_not_found
          ${wrapper} $argv
      end
      # disable annoying fish shell greeting
      set fish_greeting
      alias sudo="doas"
    '';
  };
@ -38,9 +30,25 @@ in {
    myip = "dig +short myip.opendns.com @resolver1.opendns.com";
    # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
-    io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_seq_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
-    io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
-    io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
+    io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
-    io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
    llsblk = "lsblk -o +uuid,fsType";
  };
  nixpkgs.overlays = [
    (final: prev: {
      # comma uses the "nix-index" package built into nixpkgs by default.
      # That package doesn't use the prebuilt nix-index database so it needs to be changed.
      comma = prev.comma.overrideAttrs (old: {
        postInstall = ''
          wrapProgram $out/bin/comma \
            --prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}
          ln -s $out/bin/comma $out/bin/,
        '';
      });
    })
  ];
 }
--- a/common/ssh.nix
+++ b/common/ssh.nix
@ -1,65 +1,38 @@
-rec {
+{ config, lib, pkgs, ... }:
-  users = [
+
 {
  programs.ssh.knownHosts = lib.filterAttrs (n: v: v != null) (lib.concatMapAttrs
    (host: cfg: {
      ${host} = {
        hostNames = cfg.hostNames;
        publicKey = cfg.hostKey;
      };
      "${host}-remote-unlock" =
        if cfg.remoteUnlock != null then {
          hostNames = builtins.filter (h: h != null) [ cfg.remoteUnlock.clearnetHost cfg.remoteUnlock.onionHost ];
          publicKey = cfg.remoteUnlock.hostKey;
        } else null;
    })
    config.machines.hosts);
  # prebuilt cmds for easy ssh LUKS unlock
  environment.shellAliases =
    let
      unlockHosts = unlockType: lib.concatMapAttrs
        (host: cfg:
          if cfg.remoteUnlock != null && cfg.remoteUnlock.${unlockType} != null then {
            ${host} = cfg.remoteUnlock.${unlockType};
          } else { })
        config.machines.hosts;
    in
    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) (unlockHosts "onionHost")
    //
    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) (unlockHosts "clearnetHost");
  # TODO: Old ssh keys I will remove some day...
  machines.ssh.userKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
  ];
  system = {
    liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
    ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
    ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
    ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
    n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
    n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
    n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
    n4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYm2ROIfCeGz6QtDwqAmcj2DX9tq2CZn0eLhskdvB4Z";
    n5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Qhvwq3PiHEKf+2/4w5ZJkSMNzFLhIRrPOR98m7wW4";
    n6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/P/pa9+qhKAPfvvd8xSO2komJqDW0M1nCK7ZrP6PO7";
    n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL";
  };
  # groups
  systems = with system; [
    liza
    ponyo
    ray
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  personal = with system; [
    ray
  ];
  servers = with system; [
    liza
    ponyo
    s0
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  compute = with system; [
    n1
    n2
    n3
    n4
    n5
    n6
    n7
  ];
  storage = with system; [
    s0
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@ -3,45 +3,28 @@
    "agenix": {
      "inputs": {
        "darwin": "darwin",
-        "nixpkgs": [
+        "home-manager": [
-          "nixpkgs"
+          "home-manager"
        ]
      },
      "locked": {
        "lastModified": 1675176355,
        "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "archivebox": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "systems": [
          "systems"
        ]
      },
      "locked": {
-        "lastModified": 1648612759,
+        "lastModified": 1723293904,
-        "narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
-        "ref": "refs/heads/master",
+        "owner": "ryantm",
-        "rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
+        "repo": "agenix",
-        "revCount": 2,
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
-        "type": "git",
+        "type": "github"
        "url": "https://git.neet.dev/zuckerberg/archivebox.git"
      },
      "original": {
-        "type": "git",
+        "owner": "ryantm",
-        "url": "https://git.neet.dev/zuckerberg/archivebox.git"
+        "repo": "agenix",
        "type": "github"
      }
    },
    "blobs": {
@ -70,17 +53,17 @@
        ]
      },
      "locked": {
-        "lastModified": 1651719222,
+        "lastModified": 1739947126,
-        "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
+        "narHash": "sha256-JoiddH5H9up8jC/VKU8M7wDlk/bstKoJ3rHj+TkW4Zo=",
        "ref": "refs/heads/master",
-        "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
+        "rev": "ea1ad60f1c6662103ef4a3705d8e15aa01219529",
-        "revCount": 19,
+        "revCount": 20,
        "type": "git",
-        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
+        "url": "https://git.neet.dev/zuckerberg/dailybot.git"
      },
      "original": {
        "type": "git",
-        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
+        "url": "https://git.neet.dev/zuckerberg/dailybot.git"
      }
    },
    "darwin": {
@ -91,11 +74,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1673295039,
+        "lastModified": 1700795494,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
@ -105,14 +88,40 @@
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": [
          "flake-compat"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": [
          "flake-utils"
        ]
      },
      "locked": {
        "lastModified": 1727447169,
        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
        "owner": "serokell",
        "repo": "deploy-rs",
        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
        "type": "github"
      },
      "original": {
        "owner": "serokell",
        "repo": "deploy-rs",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1668681692,
+        "lastModified": 1696426674,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@ -122,12 +131,17 @@
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": [
          "systems"
        ]
      },
      "locked": {
-        "lastModified": 1667395993,
+        "lastModified": 1726560853,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
@ -136,65 +150,69 @@
        "type": "github"
      }
    },
-    "nix-locate": {
+    "home-manager": {
      "inputs": {
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1673969751,
+        "lastModified": 1740845322,
-        "narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=",
+        "narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
-        "owner": "bennofs",
+        "owner": "nix-community",
-        "repo": "nix-index",
+        "repo": "home-manager",
-        "rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a",
+        "rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
        "type": "github"
      },
      "original": {
-        "owner": "bennofs",
+        "owner": "nix-community",
-        "repo": "nix-index",
+        "repo": "home-manager",
        "type": "github"
      }
    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1728263287,
        "narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=",
        "owner": "Mic92",
        "repo": "nix-index-database",
        "rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "nix-index-database",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1728056216,
        "narHash": "sha256-IrO06gFUDTrTlIP3Sz+mRB6WUoO2YsgMtOD3zi0VEt0=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "rev": "b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1672580127,
+        "lastModified": 1740374225,
-        "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
+        "narHash": "sha256-Dnmzy5YWUVj3BNaZo5jRpZslXexbNKEk3ADGGcz9RpY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0874168639713f547c05947c76124f78441ea46c",
+        "rev": "3349acd765bdffe454f7c8bbc450855577c1a6cf",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-22.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-22_05": {
      "locked": {
        "lastModified": 1654936503,
        "narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "dab6df51387c3878cdea09f43589a15729cae9f4",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-22.05",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1675835843,
        "narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
        "type": "github"
      },
      "original": {
@ -248,53 +266,60 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "archivebox": "archivebox",
        "dailybuild_modules": "dailybuild_modules",
        "deploy-rs": "deploy-rs",
        "flake-compat": "flake-compat",
        "flake-utils": "flake-utils",
-        "nix-locate": "nix-locate",
+        "home-manager": "home-manager",
        "nix-index-database": "nix-index-database",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "radio": "radio",
        "radio-web": "radio-web",
-        "simple-nixos-mailserver": "simple-nixos-mailserver"
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
        "systems": "systems"
      }
    },
    "simple-nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
        "flake-compat": [
          "flake-compat"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-22_05": "nixpkgs-22_05",
+        "nixpkgs-24_05": [
-        "utils": "utils"
+          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1655930346,
+        "lastModified": 1722877200,
-        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
+        "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
+        "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-22.05",
+        "ref": "master",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
-    "utils": {
+    "systems": {
      "locked": {
-        "lastModified": 1605370193,
+        "lastModified": 1681028828,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "flake-utils",
+        "repo": "default",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "flake-utils",
+        "repo": "default",
        "type": "github"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -1,89 +1,166 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+    # nixpkgs
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
+    nixpkgs.url = "github:NixOS/nixpkgs/master";
-    flake-utils.url = "github:numtide/flake-utils";
+    # Common Utils Among flake inputs
-
+    systems.url = "github:nix-systems/default";
-    nix-locate.url = "github:bennofs/nix-index";
+    flake-utils = {
-    nix-locate.inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:numtide/flake-utils";
-
+      inputs.systems.follows = "systems";
-    # mail server
+    };
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
+    flake-compat = {
-    simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:edolstra/flake-compat";
-
+      flake = false;
    # agenix
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    # radio
    radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
    radio.inputs.nixpkgs.follows = "nixpkgs";
    radio.inputs.flake-utils.follows = "flake-utils";
    radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
    radio-web.flake = false;
    # drastikbot
    dailybuild_modules.url = "git+https://git.neet.dev/zuckerberg/dailybuild_modules.git";
    dailybuild_modules.inputs.nixpkgs.follows = "nixpkgs";
    dailybuild_modules.inputs.flake-utils.follows = "flake-utils";
    # archivebox
    archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git";
    archivebox.inputs.nixpkgs.follows = "nixpkgs";
    archivebox.inputs.flake-utils.follows = "flake-utils";
    };
-  outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
+    # NixOS hardware
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    # Home Manager
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Mail Server
    simple-nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-24_05.follows = "nixpkgs";
        flake-compat.follows = "flake-compat";
      };
    };
    # Agenix
    agenix = {
      url = "github:ryantm/agenix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        systems.follows = "systems";
        home-manager.follows = "home-manager";
      };
    };
    # Radio
    radio = {
      url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-utils.follows = "flake-utils";
      };
    };
    radio-web = {
      url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
      flake = false;
    };
    # Dailybot
    dailybuild_modules = {
      url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-utils.follows = "flake-utils";
      };
    };
    # NixOS deployment
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-compat.follows = "flake-compat";
        utils.follows = "flake-utils";
      };
    };
    # Prebuilt nix-index database
    nix-index-database = {
      url = "github:Mic92/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, ... }@inputs:
    let
      machines = (import ./common/machine-info/moduleless.nix
        {
          inherit nixpkgs;
          assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
        }).machines;
      machineHosts = machines.hosts;
      machineRoles = machines.roles;
    in
    {
      nixosConfigurations =
        let
-      modules = system: [
+          modules = system: hostname: with inputs; [
            ./common
-        inputs.simple-nixos-mailserver.nixosModule
+            simple-nixos-mailserver.nixosModule
-        inputs.agenix.nixosModules.default
+            agenix.nixosModules.default
-        inputs.dailybuild_modules.nixosModule
+            dailybuild_modules.nixosModule
-        inputs.archivebox.nixosModule
+            nix-index-database.nixosModules.nix-index
            home-manager.nixosModules.home-manager
            self.nixosModules.kernel-modules
            ({ lib, ... }: {
-          config.environment.systemPackages = [
+              config = {
-            inputs.agenix.packages.${system}.agenix
+                nixpkgs.overlays = [ self.overlays.default ];
                environment.systemPackages = [
                  agenix.packages.${system}.agenix
                ];
                networking.hostName = hostname;
                home-manager.useGlobalPkgs = true;
                home-manager.useUserPackages = true;
                home-manager.users.googlebot = import ./home/googlebot.nix {
                  inherit hostname;
                  inherit machineRoles;
                };
              };
              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
              options.inputs = lib.mkOption { default = inputs; };
              options.currentSystem = lib.mkOption { default = system; };
            })
          ];
-      mkSystem = system: nixpkgs: path:
+          mkSystem = system: nixpkgs: path: hostname:
            let
-          allModules = modules system;
+              allModules = modules system hostname;
-        in nixpkgs.lib.nixosSystem {
+
              # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
              patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
                name = "nixpkgs-patched";
                src = nixpkgs;
                patches = [
                  ./patches/gamepadui.patch
                  ./patches/dont-break-nix-serve.patch
                ];
              };
              patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
            in
            patchedNixpkgs.lib.nixosSystem {
              inherit system;
-          modules = allModules ++ [path];
+              modules = allModules ++ [ path ];
              specialArgs = {
                inherit allModules;
                lib = self.lib;
                nixos-hardware = inputs.nixos-hardware;
              };
            };
        in
-    {
+        nixpkgs.lib.mapAttrs
-      "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
+          (hostname: cfg:
-      "ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix;
+            mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
-      "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
+          machineHosts;
      "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
      "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
      "s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
      "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
      "n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
      "n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;
      "n4" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n4/configuration.nix;
      "n5" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n5/configuration.nix;
      "n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
      "n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
    };
-    packages = let
+      packages =
        let
          mkKexec = system:
            (nixpkgs.lib.nixosSystem {
              inherit system;
@ -94,11 +171,33 @@
              inherit system;
              modules = [ ./machines/ephemeral/iso.nix ];
            }).config.system.build.isoImage;
-    in {
+        in
        {
          "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
          "x86_64-linux"."iso" = mkIso "x86_64-linux";
          "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
          "aarch64-linux"."iso" = mkIso "aarch64-linux";
        };
      overlays.default = import ./overlays { inherit inputs; };
      nixosModules.kernel-modules = import ./overlays/kernel-modules;
      deploy.nodes =
        let
          mkDeploy = configName: arch: hostname: {
            inherit hostname;
            magicRollback = false;
            sshUser = "root";
            profiles.system.path = inputs.deploy-rs.lib.${arch}.activate.nixos self.nixosConfigurations.${configName};
          };
        in
        nixpkgs.lib.mapAttrs
          (hostname: cfg:
            mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
          machineHosts;
      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
      lib = nixpkgs.lib.extend (final: prev: import ./lib { lib = nixpkgs.lib; });
    };
 }
--- a/home/googlebot.nix
+++ b/home/googlebot.nix
@ -0,0 +1,83 @@
 { hostname, machineRoles }:
 { config, lib, pkgs, ... }:
 let
  # Check if the current machine has the role "personal"
  thisMachineIsPersonal = builtins.elem hostname machineRoles.personal;
 in
 {
  home.username = "googlebot";
  home.homeDirectory = "/home/googlebot";
  home.stateVersion = "24.11";
  programs.home-manager.enable = true;
  programs.zed-editor = {
    enable = thisMachineIsPersonal;
    extensions = [
      "nix"
      "toml"
      "html"
      "make"
      "git-firefly"
      "vue"
      "scss"
    ];
    userSettings = {
      assistant = {
        enabled = true;
        version = "2";
        default_model = {
          provider = "openai";
          model = "gpt-4-turbo";
        };
      };
      features = {
        edit_prediction_provider = "zed";
      };
      node = {
        path = lib.getExe pkgs.nodejs;
        npm_path = lib.getExe' pkgs.nodejs "npm";
      };
      auto_update = false;
      terminal = {
        blinking = "off";
        copy_on_select = false;
      };
      lsp = {
        rust-analyzer = {
          # binary = {
          #   path = lib.getExe pkgs.rust-analyzer;
          # };
          binary = {
            path = "/run/current-system/sw/bin/nix";
            arguments = [ "develop" "--command" "rust-analyzer" ];
          };
          initialization_options = {
            cargo = {
              features = "all";
            };
          };
        };
      };
      # tell zed to use direnv and direnv can use a flake.nix enviroment.
      load_direnv = "shell_hook";
      base_keymap = "VSCode";
      theme = {
        mode = "system";
        light = "One Light";
        dark = "Andrometa";
      };
      ui_font_size = 12;
      buffer_font_size = 12;
    };
  };
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@ -0,0 +1,56 @@
 { lib, ... }:
 with lib;
 {
  # Passthrough trace for debugging
  pTrace = v: traceSeq v v;
  # find the total sum of a int list
  sum = foldr (x: y: x + y) 0;
  # splits a list of length two into two params then they're passed to a func
  splitPair = f: pair: f (head pair) (last pair);
  # Finds the max value in a list
  maxList = foldr max 0;
  # Sorts a int list. Greatest value first
  sortList = sort (x: y: x > y);
  # Cuts a list in half and returns the two parts in a list
  cutInHalf = l: [ (take (length l / 2) l) (drop (length l / 2) l) ];
  # Splits a list into a list of lists with length cnt
  chunksOf = cnt: l:
    if length l > 0 then
      [ (take cnt l) ] ++ chunksOf cnt (drop cnt l)
    else [ ];
  # same as intersectLists but takes an array of lists to intersect instead of just two
  intersectManyLists = ll: foldr intersectLists (head ll) ll;
  # converts a boolean to a int (c style)
  boolToInt = b: if b then 1 else 0;
  # drops the last element of a list
  dropLast = l: take (length l - 1) l;
  # transposes a matrix
  transpose = ll:
    let
      outerSize = length ll;
      innerSize = length (elemAt ll 0);
    in
    genList (i: genList (j: elemAt (elemAt ll j) i) outerSize) innerSize;
  # attriset recursiveUpdate but for a list of attrisets
  combineAttrs = foldl recursiveUpdate { };
  # visits every single attriset element of an attriset recursively
  # and accumulates the result of every visit in a flat list
  recurisveVisitAttrs = f: set:
    let
      visitor = n: v:
        if isAttrs v then [ (f n v) ] ++ recurisveVisitAttrs f v
        else [ (f n v) ];
    in
    concatLists (map (name: visitor name set.${name}) (attrNames set));
  # merges two lists of the same size (similar to map but both lists are inputs per iteration)
  mergeLists = f: a: imap0 (i: f (elemAt a i));
  map2D = f: ll:
    let
      outerSize = length ll;
      innerSize = length (elemAt ll 0);
      getElem = x: y: elemAt (elemAt ll y) x;
    in
    genList (y: genList (x: f x y (getElem x y)) innerSize) outerSize;
 }
--- a/lockfile-update.sh
+++ b/lockfile-update.sh
@ -1,4 +0,0 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i bash -p bash
 nix flake update --commit-lock-file
--- a/machines/compute/common.nix
+++ b/machines/compute/common.nix
@ -1,24 +0,0 @@
 { config, ... }:
 {
  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };
  system.autoUpgrade.enable = true;
  networking.interfaces.eth0.useDHCP = true;
  hardware.deviceTree.enable = true;
  hardware.deviceTree.overlays = [
    ./sopine-baseboard-ethernet.dtbo # fix pine64 clusterboard ethernet
  ];
 }
--- a/machines/compute/n1/configuration.nix
+++ b/machines/compute/n1/configuration.nix
@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n1";
 }
--- a/machines/compute/n2/configuration.nix
+++ b/machines/compute/n2/configuration.nix
@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n2";
 }
--- a/machines/compute/n3/configuration.nix
+++ b/machines/compute/n3/configuration.nix
@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n3";
 }
--- a/machines/compute/n4/configuration.nix
+++ b/machines/compute/n4/configuration.nix
@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n4";
 }
--- a/machines/compute/n5/configuration.nix
+++ b/machines/compute/n5/configuration.nix
@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n5";
 }
--- a/machines/compute/n6/configuration.nix
+++ b/machines/compute/n6/configuration.nix
@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n6";
 }
--- a/machines/compute/n7/configuration.nix
+++ b/machines/compute/n7/configuration.nix
@ -1,9 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../common.nix
  ];
  networking.hostName = "n7";
 }
--- a/machines/compute/sopine-baseboard-ethernet.dtbo
+++ b/machines/compute/sopine-baseboard-ethernet.dtbo
--- a/machines/compute/sopine-baseboard-ethernet.dts
+++ b/machines/compute/sopine-baseboard-ethernet.dts
@ -1,15 +0,0 @@
 /dts-v1/;
 / {
 	model = "SoPine with baseboard";
 	compatible = "pine64,sopine-baseboard\0pine64,sopine\0allwinner,sun50i-a64";
 	fragment@0 {
 /*		target = <&ethernet@1c30000>; */
 		target-path = "/soc/ethernet@1c30000";
 		__overlay__ {
 			allwinner,tx-delay-ps = <500>;
 		};
 	};
 };
--- a/machines/ephemeral/kexec.nix
+++ b/machines/ephemeral/kexec.nix
@ -29,10 +29,10 @@
      text = ''
        #!${pkgs.stdenv.shell}
        set -e
-        ${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
+        ${pkgs.kexec-tools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
        sync
        echo "executing kernel, filesystems will be improperly umounted"
-        ${pkgs.kexectools}/bin/kexec -e
+        ${pkgs.kexec-tools}/bin/kexec -e
      '';
    };
    kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
--- a/machines/ephemeral/minimal.nix
+++ b/machines/ephemeral/minimal.nix
@ -1,28 +1,53 @@
-{ pkgs, ... }:
+{ config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/channel.nix")
    ../../common/machine-info
    ../../common/ssh.nix
  ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
  boot.kernelParams = [
-    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+    "panic=30"
-    "console=ttyS0" # enable serial console
+    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0,115200" # enable serial console
    "console=tty1"
  ];
  boot.kernel.sysctl."vm.overcommit_memory" = "1";
  boot.kernelPackages = pkgs.linuxPackages_latest;
  system.stateVersion = "21.11";
  # hardware.enableAllFirmware = true;
  # nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    cryptsetup
    btrfs-progs
    git
    git-lfs
    wget
    htop
    dnsutils
    pciutils
    usbutils
    lm_sensors
  ];
  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
  networking.useDHCP = true;
  services.openssh = {
    enable = true;
-    challengeResponseAuthentication = false;
+    settings = {
-    passwordAuthentication = false;
+      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
    };
  };
  services.getty.autologinUser = "root";
-  users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
+  users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
 }
--- a/machines/ephemeral/sdimg.nix
+++ b/machines/ephemeral/sdimg.nix
@ -0,0 +1,57 @@
 { config, modulesPath, pkgs, lib, ... }:
 let
  pinecube-uboot = pkgs.buildUBoot {
    defconfig = "pinecube_defconfig";
    extraMeta.platforms = [ "armv7l-linux" ];
    filesToInstall = [ "u-boot-sunxi-with-spl.bin" ];
  };
 in
 {
  imports = [
    (modulesPath + "/installer/sd-card/sd-image.nix")
    ./minimal.nix
  ];
  sdImage.populateFirmwareCommands = "";
  sdImage.populateRootCommands = ''
    mkdir -p ./files/boot
    ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
  '';
  sdImage.postBuildCommands = ''
    dd if=${pinecube-uboot}/u-boot-sunxi-with-spl.bin of=$img bs=1024 seek=8 conv=notrunc
  '';
  ###
  networking.hostName = "pinecube";
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.consoleLogLevel = 7;
  # cma is 64M by default which is waay too much and we can't even unpack initrd
  boot.kernelParams = [ "console=ttyS0,115200n8" "cma=32M" ];
  boot.kernelModules = [ "spi-nor" ]; # Not sure why this doesn't autoload. Provides SPI NOR at /dev/mtd0
  boot.extraModulePackages = [ config.boot.kernelPackages.rtl8189es ];
  zramSwap.enable = true; # 128MB is not much to work with
  sound.enable = true;
  environment.systemPackages = with pkgs; [
    ffmpeg
    (v4l_utils.override { withGUI = false; })
    usbutils
  ];
  services.getty.autologinUser = lib.mkForce "googlebot";
  users.users.googlebot = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" "video" ];
    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
  };
  networking.wireless.enable = true;
 }
--- a/machines/howl/default.nix
+++ b/machines/howl/default.nix
@ -0,0 +1,12 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  # don't use remote builders
  nix.distributedBuilds = lib.mkForce false;
  nix.gc.automatic = lib.mkForce false;
 }
--- a/machines/howl/hardware-configuration.nix
+++ b/machines/howl/hardware-configuration.nix
@ -0,0 +1,58 @@
 { config, lib, pkgs, modulesPath, nixos-hardware, ... }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    nixos-hardware.nixosModules.framework-13-7040-amd
  ];
  boot.kernelPackages = pkgs.linuxPackages_latest;
  hardware.framework.amd-7040.preventWakeOnAC = true;
  services.fwupd.enable = true;
  # fingerprint reader has initially shown to be more of a nuisance than a help
  # it makes sddm log in fail most of the time and take several minutes to finish
  services.fprintd.enable = false;
  # boot
  boot.loader.systemd-boot.enable = true;
  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  # thunderbolt
  services.hardware.bolt.enable = true;
  # firmware
  firmware.x86_64.enable = true;
  # disks
  remoteLuksUnlock.enable = true;
  boot.initrd.luks.devices."enc-pv" = {
    device = "/dev/disk/by-uuid/2e4a6960-a6b1-40ee-9c2c-2766eb718d52";
    allowDiscards = true;
  };
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/1f62386c-3243-49f5-b72f-df8fc8f39db8";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/F4D9-C5E8";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [{ device = "/dev/disk/by-uuid/5f65cb11-2649-48fe-9c78-3e325b857c53"; }];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/machines/howl/properties.nix
+++ b/machines/howl/properties.nix
@ -0,0 +1,26 @@
 {
  hostNames = [
    "howl"
  ];
  arch = "x86_64-linux";
  systemRoles = [
    "personal"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQi3q8jU6vRruExAL60J7GFO1gS8HsmXVJuKRT4ljrG";
  userKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv"
  ];
  deployKeys = [
    # TODO
  ];
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o";
    onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion";
  };
 }
--- a/Show More
+++ b/Show More