move python extension to manual build.

Reviewed-on: #44

.archive/flake.nix

@@ -0,0 +1,36 @@
+{
+  "durincore" = mkNixosConfig {
+    # T470 Thinkpad Intel i7-6600U
+    # Backup Nix dev laptop
+    hostname = "durincore";
+    system = "x86_64-linux";
+    hardwareModules = [
+      ./nixos/profiles/hw-thinkpad-t470.nix
+      inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
+    ];
+    profileModules = [
+      ./nixos/profiles/role-workstation.nix
+      ./nixos/profiles/role-dev.nix
+      { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
+    ];
+  };
+
+  "legiondary" = mkNixosConfig {
+    # Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
+    # Nix dev/gaming laptop
+    hostname = "legiondary";
+    system = "x86_64-linux";
+    hardwareModules = [
+      inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
+      ./nixos/profiles/hw-legion-15arh05h.nix
+      disko.nixosModules.disko
+      (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
+    ];
+    profileModules = [
+      ./nixos/profiles/role-dev.nix
+      ./nixos/profiles/role-gaming.nix
+      ./nixos/profiles/role-workstation.nix
+      { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
+    ];
+  };
+}

.envrc

@@ -1,2 +1,3 @@
 use nix
 export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
+export VAULT_ADDR="http://10.1.1.61:8200"

.forgejo/workflows/build.yaml

@@ -28,6 +28,8 @@ jobs:
             os: native-x86_64
           - system: telperion
             os: native-x86_64
+          - system: shadowfax
+            os: native-x86_64
     runs-on: ${{ matrix.os }}
     env:
       PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
@@ -46,55 +48,8 @@ jobs:
       - name: Garbage collect build dependencies
         run: nix-collect-garbage
 
-      - name: Build previous ${{ matrix.system }} system
-        shell: bash
-        run: |
-          nix build git+https://git.hsn.dev/jahanson/mochi#top.${{ matrix.system }} \
-            -v --log-format raw --profile ./profile
       - name: Build new ${{ matrix.system }} system
         shell: bash
         run: |
           nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \
             > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
-      - name: Check for build failure
-        if: failure()
-        run: |
-          drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
-          if [ -n $drv ]; then
-            nix log $drv
-            echo $drv
-          fi
-          exit 1
-      - name: Diff profile
-        id: diff
-        run: |
-          nix profile diff-closures --profile ./profile
-          delimiter="$(openssl rand -hex 16)"
-          echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
-          nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
-          echo "${delimiter}" >> "${GITHUB_OUTPUT}"
-      # - name: Comment report in pr
-      #   uses: https://github.com/marocchino/sticky-pull-request-comment@v2
-      #   with:
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      #     header: ".#top.${{ matrix.system }}"
-      #     message: |
-      #       ### Report for `${{ matrix.system }}`
-
-      #       <summary> Version changes </summary> <br>
-      #       <pre> ${{ steps.diff.outputs.diff }} </pre>
-      # - name: Push to Cachix
-      #   if: success()
-      #   env:
-      #     CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-      #   run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
-  nix-build-success:
-    if: ${{ always() }}
-    needs:
-      - nix-build
-    name: Nix Build Successful
-    runs-on: docker
-    steps:
-      - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
-        name: Check matrix status
-        run: exit 1

.gitignore

@@ -6,3 +6,6 @@ result*
 .kube
 .github
 .profile
+.idea
+.secrets
+.op

.pre-commit-config.yaml

@@ -36,3 +36,4 @@ repos:
       - id: sops-encryption
         # Uncomment to exclude all markdown files from encryption
         # exclude: *.\.md
+        files: .*secrets.*

.prettierrc

@@ -0,0 +1,4 @@
+{
+  "quoteProps": "preserve",
+  "trailingComma": "none"
+}

.sops.yaml

@@ -15,9 +15,10 @@ keys:
     - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
     - &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
     - &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+    - &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
+    - &telchar age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
     - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
     - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
-    - &telchar age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
 
 
 creation_rules:
@@ -28,6 +29,7 @@ creation_rules:
         - *gandalf
         - *jahanson
         - *legiondary
+        - *shadowfax
         - *telchar
         - *telperion
         - *varda

.vscode/nixmodule.code-snippets

@@ -0,0 +1,46 @@
+{
+  // If scope is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
+  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
+  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
+  // Placeholders with the same ids are connected.
+  "Nix Module with Enable Option": {
+    "scope": "nix",
+    "prefix": "nixmodule",
+    "body": [
+      "{ config, lib, pkgs, ... }:",
+      "let",
+      "  cfg = config.mySystem.${1:moduleName};",
+      "in",
+      "{",
+      "  options.mySystem.${1:moduleName} = {",
+      "    enable = lib.mkEnableOption \"${2:Description of the module}\";",
+      "  };",
+      "",
+      "  config = lib.mkIf cfg.enable {",
+      "    $0",
+      "  };",
+      "}"
+    ],
+    "description": "Creates a blank Nix module with an enable option"
+  },
+  "Nix Home Manager Module with Enable Option": {
+    "scope": "nix",
+    "prefix": "nixmodule-homemanager",
+    "body": [
+      "{ config, lib, pkgs, ... }:",
+      "let",
+      "  cfg = config.myHome.programs.${1:moduleName};",
+      "in",
+      "{",
+      "  options.myHome.programs.${1:moduleName} = {",
+      "    enable = lib.mkEnableOption \"${2:Description of the module}\";",
+      "  };",
+      "",
+      "  config = lib.mkIf cfg.enable {",
+      "    $0",
+      "  };",
+      "}"
+    ],
+    "description": "Creates a blank Nix module with an enable option"
+  }
+}

flake.lock

@@ -24,11 +24,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722821805,
-        "narHash": "sha256-FGrUPUD+LMDwJsYyNSxNIzFMldtCm8wXiQuyL2PHSrM=",
+        "lastModified": 1726590912,
+        "narHash": "sha256-5bxY85siOIqOcQ8TOMAWLkMUZvLUADS2i5TsZhzUIZY=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "0257e44f4ad472b54f19a6dd1615aee7fa48ed49",
+        "rev": "d32d1504c77d7f6ba7e033357dcf638baceab9b7",
         "type": "github"
       },
       "original": {
@@ -77,32 +77,16 @@
         "type": "github"
       }
     },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1719994518,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+        "lastModified": 1722555600,
+        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
         "type": "github"
       },
       "original": {
@@ -116,11 +100,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -152,11 +136,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -170,29 +154,11 @@
         "systems": "systems_4"
       },
       "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_5": {
-      "inputs": {
-        "systems": "systems_5"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
         "type": "github"
       },
       "original": {
@@ -216,49 +182,6 @@
         "type": "github"
       }
     },
-    "ghostty": {
-      "inputs": {
-        "nixpkgs-stable": "nixpkgs-stable",
-        "nixpkgs-unstable": "nixpkgs-unstable",
-        "zig": "zig",
-        "zls": "zls"
-      },
-      "locked": {
-        "lastModified": 1723168569,
-        "narHash": "sha256-VTo/HNmYQ1ctAzdCOvtInQf9grhSuRLGA8FGP/4pVew=",
-        "ref": "refs/heads/main",
-        "rev": "33d9c043ef828b062865f42db551d6ddc48e2def",
-        "revCount": 6848,
-        "type": "git",
-        "url": "ssh://git@github.com/ghostty-org/ghostty"
-      },
-      "original": {
-        "type": "git",
-        "url": "ssh://git@github.com/ghostty-org/ghostty"
-      }
-    },
-    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "ghostty",
-          "zls",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -266,11 +189,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720042825,
-        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
+        "lastModified": 1726592409,
+        "narHash": "sha256-2Y6CDvD/BD43WLS77PHu6dUHbdUfFhuzkY8oJAecD/U=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
+        "rev": "2ab00f89dd3ecf8012f5090e6d7ca1a7ea30f594",
         "type": "github"
       },
       "original": {
@@ -282,11 +205,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1719091691,
-        "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
+        "lastModified": 1725690722,
+        "narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
+        "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
         "type": "github"
       },
       "original": {
@@ -295,16 +218,26 @@
         "type": "github"
       }
     },
-    "langref": {
-      "flake": false,
+    "krewfile": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "narHash": "sha256-O6p2tiKD8ZMhSX+DeA/o5hhAvcPkU2J9lFys/r11peY=",
-        "type": "file",
-        "url": "https://raw.githubusercontent.com/ziglang/zig/0fb2015fd3422fc1df364995f9782dfe7255eccd/doc/langref.html.in"
+        "lastModified": 1726074731,
+        "narHash": "sha256-FsJQbSW9MGndQr7xz49SHjculvRaJGeqBSOgQjHguBc=",
+        "owner": "ajgon",
+        "repo": "krewfile",
+        "rev": "05183df6874c2ce479987872083017d7c1ddb546",
+        "type": "github"
       },
       "original": {
-        "type": "file",
-        "url": "https://raw.githubusercontent.com/ziglang/zig/0fb2015fd3422fc1df364995f9782dfe7255eccd/doc/langref.html.in"
+        "owner": "ajgon",
+        "ref": "feat/indexes",
+        "repo": "krewfile",
+        "type": "github"
       }
     },
     "lix": {
@@ -323,7 +256,7 @@
     },
     "lix-module": {
       "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_2",
         "flakey-profile": "flakey-profile",
         "lix": "lix",
         "nixpkgs": [
@@ -392,11 +325,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722740924,
-        "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
+        "lastModified": 1726449931,
+        "narHash": "sha256-1AX7MyYzP7sNgZiGF8jwehCCI75y2kBGwACeryJs+yE=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
+        "rev": "c1b0fa0bec5478185eae2fd3f39b9e906fc83995",
         "type": "github"
       },
       "original": {
@@ -429,18 +362,18 @@
     },
     "nix-vscode-extensions": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils_5",
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils_3",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1723828248,
-        "narHash": "sha256-Y1zPsSg5t5FWibjooojhJ231u5stC9nYcpeOPrb5F+0=",
+        "lastModified": 1726623336,
+        "narHash": "sha256-mslZtr0SPdHDLUM5VRV0ipQQ4G0Piv2Kk15490w4JXM=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "b3f6cf134b9485eeb7fd509670c13c98944b02a3",
+        "rev": "b23683fef09032c85bb8b20f8ec72fb2f70075ff",
         "type": "github"
       },
       "original": {
@@ -451,11 +384,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1722332872,
-        "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=",
+        "lastModified": 1726650330,
+        "narHash": "sha256-UbHzmaOQ18O/kCizipU70N0UQVFIfv8AiFKXw07oZ9Y=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "14c333162ba53c02853add87a0000cbd7aa230c2",
+        "rev": "abb448608a56a60075468e90d8acec2a7cb689b1",
         "type": "github"
       },
       "original": {
@@ -467,11 +400,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1724098845,
-        "narHash": "sha256-D5HwjQw/02fuXbR4LCTo64koglP2j99hkDR79/3yLOE=",
+        "lastModified": 1726447378,
+        "narHash": "sha256-2yV8nmYE1p9lfmLHhOCbYwQC/W8WYfGQABoGzJOb1JQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f1bad50880bae73ff2d82fafc22010b4fc097a9c",
+        "rev": "086b448a5d54fd117f4dc2dee55c9f0ff461bdc1",
         "type": "github"
       },
       "original": {
@@ -483,14 +416,14 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1719876945,
-        "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=",
+        "lastModified": 1722555339,
+        "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
       }
     },
     "nixpkgs-ovmf": {
@@ -511,27 +444,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1705957679,
-        "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "release-23.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable_2": {
-      "locked": {
-        "lastModified": 1721524707,
-        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
+        "lastModified": 1725762081,
+        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
+        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
         "type": "github"
       },
       "original": {
@@ -543,27 +460,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1719082008,
-        "narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=",
+        "lastModified": 1726463316,
+        "narHash": "sha256-gI9kkaH0ZjakJOKrdjaI/VbaMEo9qBbSUl93DnU7f4c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9693852a2070b398ee123a329e68f0dab5526681",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unstable_2": {
-      "locked": {
-        "lastModified": 1723991338,
-        "narHash": "sha256-Grh5PF0+gootJfOJFenTTxDTYPidA3V28dqJ/WV7iis=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "8a3354191c0d7144db9756a74755672387b702ba",
+        "rev": "99dc8785f6a0adac95f5e2ab05cc2e1bf666d172",
         "type": "github"
       },
       "original": {
@@ -573,6 +474,20 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1682134069,
+        "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
     "nixvirt-git": {
       "inputs": {
         "nixpkgs": [
@@ -597,11 +512,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1722976219,
-        "narHash": "sha256-ggIGbaqOP3N/+aezX3y4K0kbmrsYaJl/8ThC0Jq1it4=",
+        "lastModified": 1726664693,
+        "narHash": "sha256-wKhz9vk5SweftZ3qIDj87tjCoiso5dBg3exVxdxCYtU=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "315c48e6c9acb95b4af6492015d36ef1b7b99dfc",
+        "rev": "cac0bf9ab741e9cc76042fe00284bd692ac80a8f",
         "type": "github"
       },
       "original": {
@@ -697,20 +612,21 @@
     "root": {
       "inputs": {
         "disko": "disko",
-        "ghostty": "ghostty",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
+        "krewfile": "krewfile",
         "lix-module": "lix-module",
         "nix-index-database": "nix-index-database",
         "nix-inspect": "nix-inspect",
         "nix-vscode-extensions": "nix-vscode-extensions",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable_2",
+        "nixpkgs-unstable": "nixpkgs-unstable",
         "nixvirt-git": "nixvirt-git",
         "nur": "nur",
         "sops-nix": "sops-nix",
-        "talhelper": "talhelper"
+        "talhelper": "talhelper",
+        "vscode-server": "vscode-server"
       }
     },
     "rust-overlay": {
@@ -758,14 +674,14 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1722897572,
-        "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
+        "lastModified": 1726524647,
+        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
+        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
         "type": "github"
       },
       "original": {
@@ -834,21 +750,6 @@
         "type": "github"
       }
     },
-    "systems_5": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "talhelper": {
       "inputs": {
         "flake-parts": "flake-parts",
@@ -857,11 +758,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722917349,
-        "narHash": "sha256-7ZFfvJJM0HTom12kQ60sLCTkmOt1Z2qqty4ddiqdP/I=",
+        "lastModified": 1726631991,
+        "narHash": "sha256-Cz4mOWAPNA2hiBJCM89cJ/RIhnr9NZp+N0W0itPGoR0=",
         "owner": "budimanjojo",
         "repo": "talhelper",
-        "rev": "66d4ea8a347ef1e12fef466bbaf33a287ab5810d",
+        "rev": "305526ae002573b481ec4e02146472f707bd824d",
         "type": "github"
       },
       "original": {
@@ -892,78 +793,22 @@
         "type": "github"
       }
     },
-    "zig": {
+    "vscode-server": {
       "inputs": {
-        "flake-compat": [
-          "ghostty"
-        ],
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "ghostty",
-          "nixpkgs-stable"
-        ]
+        "flake-utils": "flake-utils_4",
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1717848532,
-        "narHash": "sha256-d+xIUvSTreHl8pAmU1fnmkfDTGQYCn2Rb/zOwByxS2M=",
-        "owner": "mitchellh",
-        "repo": "zig-overlay",
-        "rev": "02fc5cc555fc14fda40c42d7c3250efa43812b43",
+        "lastModified": 1713958148,
+        "narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
         "type": "github"
       },
       "original": {
-        "owner": "mitchellh",
-        "repo": "zig-overlay",
-        "type": "github"
-      }
-    },
-    "zig-overlay": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils_3",
-        "nixpkgs": [
-          "ghostty",
-          "zls",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1718539737,
-        "narHash": "sha256-hvQ900gSqzGnJWMRQwv65TixciIbC44iX0Nh5ENRwCU=",
-        "owner": "mitchellh",
-        "repo": "zig-overlay",
-        "rev": "6eb42ce6f85d247b1aecf854c45d80902821d0ad",
-        "type": "github"
-      },
-      "original": {
-        "owner": "mitchellh",
-        "repo": "zig-overlay",
-        "type": "github"
-      }
-    },
-    "zls": {
-      "inputs": {
-        "flake-utils": "flake-utils_2",
-        "gitignore": "gitignore",
-        "langref": "langref",
-        "nixpkgs": [
-          "ghostty",
-          "nixpkgs-stable"
-        ],
-        "zig-overlay": "zig-overlay"
-      },
-      "locked": {
-        "lastModified": 1718930611,
-        "narHash": "sha256-FtfVhs6XHNfSQRQorrrz03nD0LCNp2FCnGllRntHBts=",
-        "owner": "zigtools",
-        "repo": "zls",
-        "rev": "0b9746b60c2020ab948f6556f1c729858b82a0f0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "zigtools",
-        "ref": "master",
-        "repo": "zls",
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
         "type": "github"
       }
     }

flake.nix

@@ -80,13 +80,25 @@
     };
 
     # ghostty - 👻
-    ghostty = {
-      url = "git+ssh://git@github.com/ghostty-org/ghostty";
+    # ghostty = {
+    #   url = "git+ssh://git@github.com/ghostty-org/ghostty";
+    # };
+    # just manually installing it, private repo gives me a lot of headaches.disko
+    # nix profile install git+ssh://git@github.com/ghostty-org/ghostty
+
+    vscode-server.url = "github:nix-community/nixos-vscode-server";
+
+    # krewfile - Declarative krew plugin management
+    krewfile = {
+      # url = "github:brumhard/krewfile";
+      url = "github:ajgon/krewfile?ref=feat/indexes";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
+
   };
 
   outputs =
-    { self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, ghostty, ... } @ inputs:
+    { self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, vscode-server, krewfile, ... } @ inputs:
     let
       forAllSystems = nixpkgs.lib.genAttrs [
         "aarch64-linux"
@@ -156,41 +168,6 @@
             };
         in
         {
-          "durincore" = mkNixosConfig {
-            # T470 Thinkpad Intel i7-6600U
-            # Nix dev laptop
-            hostname = "durincore";
-            system = "x86_64-linux";
-            hardwareModules = [
-              ./nixos/profiles/hw-thinkpad-t470.nix
-              inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
-            ];
-            profileModules = [
-              ./nixos/profiles/role-workstation.nix
-              ./nixos/profiles/role-dev.nix
-              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
-            ];
-          };
-
-          "legiondary" = mkNixosConfig {
-            # Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
-            # Nix dev/gaming laptop
-            hostname = "legiondary";
-            system = "x86_64-linux";
-            hardwareModules = [
-              inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
-              ./nixos/profiles/hw-legion-15arh05h.nix
-              disko.nixosModules.disko
-              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
-            ];
-            profileModules = [
-              ./nixos/profiles/role-dev.nix
-              ./nixos/profiles/role-gaming.nix
-              ./nixos/profiles/role-workstation.nix
-              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
-            ];
-          };
-
           "telchar" = mkNixosConfig {
             # Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
             # Nix dev laptop
@@ -200,7 +177,7 @@
               inputs.nixos-hardware.nixosModules.framework-16-7040-amd
               ./nixos/profiles/hw-framework-16-7840hs.nix
               disko.nixosModules.disko
-              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
+              (import ./nixos/profiles/disko-telchar.nix)
               lix-module.nixosModules.default
             ];
             profileModules = [
@@ -251,6 +228,25 @@
               ./nixos/profiles/hw-supermicro.nix
             ];
             profileModules = [
+              vscode-server.nixosModules.default
+              ./nixos/profiles/role-dev.nix
+              ./nixos/profiles/role-server.nix
+              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
+            ];
+          };
+
+          "shadowfax" = mkNixosConfig {
+            # Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
+            # Workloads server
+            hostname = "shadowfax";
+            system = "x86_64-linux";
+            hardwareModules = [
+              lix-module.nixosModules.default
+              ./nixos/profiles/hw-threadripperpro.nix
+            ];
+            profileModules = [
+              vscode-server.nixosModules.default
+              ./nixos/profiles/role-dev.nix
               ./nixos/profiles/role-server.nix
               { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
             ];

nixos/home/jahanson/global.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, config, inputs, ... }:
 with config;
 {
   imports = [
@@ -21,6 +21,7 @@ with config;
     };
 
     home = {
+
       # Install these packages for my user
       packages = with pkgs; [
         # misc
@@ -68,9 +69,14 @@ with config;
         # system tools
         sysstat
         lm_sensors # for `sensors` command
-        ethtool
+        ethtool # modify network interface settings or firmware
         pciutils # lspci
         usbutils # lsusb
+        lshw # lshw
+
+        # filesystem tools
+        gptfdisk # sgdisk
+
 
         # system call monitoring
         strace # system call monitoring
@@ -87,6 +93,7 @@ with config;
 
         # nix tools
         nvd
+
       ];
     };
   };

nixos/home/jahanson/workstation.nix

@@ -1,10 +1,25 @@
-{ pkgs, config, ... }:
+{ pkgs, config, inputs, ... }:
 with config;
 {
   imports = [
     ./global.nix
+    inputs.krewfile.homeManagerModules.krewfile
   ];
 
+  # Krewfile management
+  programs.krewfile = {
+    enable = true;
+    krewPackage = pkgs.krew;
+    indexes = {
+      "netshoot" = "https://github.com/nilic/kubectl-netshoot.git";
+    };
+    plugins = [
+      "netshoot/netshoot"
+      "resource-capacity"
+      "rook-ceph"
+    ];
+  };
+
   myHome = {
     programs.firefox.enable = true;
     programs.thunderbird.enable = true;
@@ -24,34 +39,38 @@ with config;
     # Install these packages for my user
     packages = with pkgs;
       [
-        #apps
-        discord
-        flameshot
-        jetbrains.datagrip
+        # apps
         obsidian
         parsec-bin
-        solaar
-        talosctl
-        termius
+        solaar # open source manager for logitech unifying receivers
         unstable.bruno
         unstable.fractal
         unstable.httpie
-        unstable.mods
+        unstable.jetbrains.datagrip
+        unstable.jetbrains.rust-rover
         unstable.peazip
+        unstable.seabird
+        unstable.talosctl
         unstable.telegram-desktop
         unstable.tidal-hifi
+        unstable.vault
+        unstable.vesktop
         vlc
+        yt-dlp
 
         # cli
         brightnessctl
 
         # dev utils
+        kubectl
         minio-client # S3 management
         pre-commit # Pre-commit tasks for git
         shellcheck # shell script linting
         unstable.act # run GitHub actions locally
         unstable.nodePackages_latest.prettier # code formatter
         unstable.tailspin # logfile highlighter
+        coder
+
       ];
   };
 }

nixos/home/modules/programs/de/gnome/default.nix

@@ -26,7 +26,7 @@ with lib.hm.gvariant; {
       "org/gnome/shell" = {
         disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
         enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
-        favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "discord.desktop" ];
+        favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "vesktop.desktop" ];
       };
       "org/gnome/nautilus/preferences" = {
         default-folder-viewer = "list-view";
@@ -44,6 +44,9 @@ with lib.hm.gvariant; {
         clock-format = "12h";
         show-battery-percentage = true;
       };
+      "org/gnome/settings-daemon/plugins/power" = {
+        ambient-enabled = false;
+      };
     };
   };
 }

nixos/home/modules/shell/fish/default.nix

@@ -47,10 +47,12 @@ in
             end
           end
 
+          # Krew
+          set -q KREW_ROOT; and set -gx PATH $PATH $KREW_ROOT/.krew/bin; or set -gx PATH $PATH $HOME/.krew/bin
+
           # Paths are in reverse priority order
           update_path /opt/homebrew/opt/postgresql@16/bin
           update_path /opt/homebrew/bin
-          update_path ${homeDirectory}/.krew/bin
           update_path /nix/var/nix/profiles/default/bin
           update_path /run/current-system/sw/bin
           update_path /etc/profiles/per-user/${username}/bin

nixos/hosts/gandalf/config/disks.nix

@@ -0,0 +1,16 @@
+[
+  "/dev/disk/by-id/ata-Seagate_IronWolfPro_ZA240NX10001-2ZH100_7TF002RA"
+  "/dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J"
+  "/dev/disk/by-id/scsi-350000c0f01da4b40"
+  "/dev/disk/by-id/scsi-350000c0f01e7d190"
+  "/dev/disk/by-id/scsi-350000c0f01ea443c"
+  "/dev/disk/by-id/scsi-350000c0f01f8230c"
+  "/dev/disk/by-id/scsi-35000c500586e5057"
+  "/dev/disk/by-id/scsi-35000c500624a0ddb"
+  "/dev/disk/by-id/scsi-35000c500624a1a8b"
+  "/dev/disk/by-id/scsi-35000cca046135ad8"
+  "/dev/disk/by-id/scsi-35000cca04613722c"
+  "/dev/disk/by-id/scsi-35000cca0461810f8"
+  "/dev/disk/by-id/scsi-35000cca04618b930"
+  "/dev/disk/by-id/scsi-35000cca04618cec4"
+]

nixos/hosts/gandalf/config/incus-preseed.nix

@@ -0,0 +1,49 @@
+{ ... }:
+{
+  config = {
+    "core.https_address" = "10.1.1.15:8445"; # Need quotes around key
+  };
+  networks = [
+    {
+      config = {
+        "ipv4.address" = "auto"; # Need quotes around key
+        "ipv6.address" = "auto"; # Need quotes around key
+      };
+      description = "";
+      name = "incusbr0";
+      type = "";
+      project = "default";
+    }
+  ];
+  storage_pools = [
+    {
+      config = {
+        source = "eru/incus";
+      };
+      description = "";
+      name = "default";
+      driver = "zfs";
+    }
+  ];
+  profiles = [
+    {
+      config = { };
+      description = "";
+      devices = {
+        eth0 = {
+          name = "eth0";
+          network = "incusbr0";
+          type = "nic";
+        };
+        root = {
+          path = "/";
+          pool = "default";
+          type = "disk";
+        };
+      };
+      name = "default";
+    }
+  ];
+  projects = [ ];
+  cluster = null;
+}

nixos/hosts/gandalf/default.nix

@@ -1,9 +1,12 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, modulesPath, inputs, ... }:
 let
   sanoidConfig = import ./config/sanoid.nix { };
+  disks = import ./config/disks.nix;
+  smartdDevices = map (device: { inherit device; }) disks;
+
 in
 {
   imports =
@@ -27,10 +30,33 @@ in
 
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
   ];
 
+  # VSCode Compatibility Settings
+  programs.nix-ld.enable = true;
+  services.vscode-server = {
+    enable = true;
+  };
+
+  # Home Manager
+  home-manager.users.jahanson = {
+    # Git settings
+    # TODO: Move to config module.
+    programs.git = {
+      enable = true;
+      userName = "Joseph Hanson";
+      userEmail = "joe@veri.dev";
+
+      extraConfig = {
+        core.autocrlf = "input";
+        init.defaultBranch = "main";
+        pull.rebase = true;
+        rebase.autoStash = true;
+      };
+    };
+  };
+
   # Network settings
   networking = {
     hostName = "gandalf";
@@ -39,17 +65,11 @@ in
     networkmanager.enable = true;
     # TODO: Add ports specifically.
     firewall.enable = false;
+    nftables.enable = false;
     interfaces = {
       "enp130s0f0".useDHCP = true;
       "enp130s0f1".useDHCP = true;
     };
-
-    # For VMs
-    bridges = {
-      "br0" = {
-        interfaces = [ "enp130s0f1" ];
-      };
-    };
   };
 
   swapDevices = [ ];
@@ -68,12 +88,11 @@ in
     };
   };
 
-  # no de
   services = {
-    xserver = {
-      enable = false;
-      displayManager.gdm.enable = false;
-      desktopManager.gnome.enable = false;
+    smartd = {
+      devices = smartdDevices;
+      # Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
+      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
     };
   };
 
@@ -82,6 +101,12 @@ in
     purpose = "Production";
     system = {
       motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
+      # Incus
+      incus = {
+        enable = true;
+        preseed = import ./config/incus-preseed.nix { };
+        webuiport = 8445;
+      };
       # ZFS
       zfs.enable = true;
       zfs.mountPoolsAtBoot = [ "eru" ];
@@ -99,18 +124,19 @@ in
         local.noWarning = true;
         remote.noWarning = true;
       };
-      # Borg
-      borgbackup = {
-        enable = true;
-        paths = [ "/eru/containers/volumes/unifi/" ];
-        exclude = [ ];
-        repo = "ssh://t3zvn0dd@t3zvn0dd.repo.borgbase.com/./repo";
-        repoKeyPath = config.sops.secrets."borg/repository/passphrase".path;
-      };
     };
     services = {
-      podman.enable = true;
       libvirt-qemu.enable = true;
+      podman.enable = true;
+
+      # Scrutiny
+      scrutiny = {
+        enable = true;
+        devices = disks;
+        extraCapabilities = [ "SYS_RAWIO" ];
+        containerVolumeLocation = "/eru/containers/volumes/scrutiny";
+        port = 8585;
+      };
 
       # Sanoid
       sanoid = {
@@ -118,8 +144,7 @@ in
         inherit (sanoidConfig.outputs) templates datasets;
       };
 
-      # Unifi & Lego-Auto
-      unifi.enable = true;
+      # Lego-Auto for SSL Certificates
       lego-auto = {
         enable = true;
         dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";

nixos/hosts/gandalf/secrets.sops.yaml

@@ -1,9 +1,9 @@
 lego:
     dnsimple:
-        token: ENC[AES256_GCM,data:CfRFhGE8AyZfO9RzoXXTfm8kstvx+Fuy53o9ulYNZiufzzSQ4KzwYIoCRw==,iv:HEC8hRpmk7YDI7RHj29ZAeFKyPgsWTHw1sxjdZuhcrw=,tag:7RhEhZ9GkyBE9PJRe+gD+Q==,type:str]
+        token: ENC[AES256_GCM,data:jtPQzX0FTN1KIVAwDXkakyQY6UJyaDhT2VaalYQv+ghbGfNwAK9hO6aOBw==,iv:+x04TmDryTrxkXRSAXlC7MtwQkUYV3rF45SlXiP0zZA=,tag:579m99+Zwm7/2phDmQM/1w==,type:str]
 borg:
     repository:
-        passphrase: ENC[AES256_GCM,data:lt0Rq269GoBuLNw9fxwuMAmtYjE=,iv:57IFde6EX7myLSCvYXkkbSulr8S7JPYoThWBsPLH0Yw=,tag:NwlpouurYF+2qmw2T3De8A==,type:str]
+        passphrase: ENC[AES256_GCM,data:BCf4ywpje/eU18drsG9GLVFUCZs=,iv:nCE+7oj0dlnUMzAUtaJmwuhrbZeJKGj1JHoAof8dGfY=,tag:+/aMlnkezV/HYWL9cPVioA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -13,68 +13,77 @@ sops:
         - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZVhNdGh2c3dpYWU2TDNJ
-            M2Vyb29jQ2xHMXBKVk10dkhWVUFmVkpmV2tnCjF5ZnBBcGtkZjFYbU0zQXNNRCti
-            QzVKOGR2OUQvRXVvOXZlb1I0V00rcWsKLS0tIElHeHhkSmt5UkZhTjk1dkFSbUp0
-            M1BiUzZkU0pDbHVQNC9yQ3pzSU5INm8KcRB4uY0PHnDfc4bJZwqkK/S7FbEXuxEu
-            ot9oVR4sZBs7Uhi5Ixz7Kmk9dBJ+E9dWPxDeYhYo3V0Tq77h1vVOyg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUlBQRUxXbW5yd0NOV0Vu
+            T2loVENJekhiU0xzK25BSVhGTVZ6RSs0VlJFCkRzenI0MHc5dGNLMm81aUxlS0xN
+            cDh2dk9EOThqZG5oeXBiZ2FJSzdwMVkKLS0tIE5UL3VIQ0F6MDRCRHVPOGZNRG10
+            YjY3ZlpCbXFzaGlEVU80emt6L25CWTQK7LNGhKdtgaZ691XkB9cBd7HzbSaRVucv
+            YNpWEQqTHMOvrXfZoj/iS8BO6AV21zkgPRUJUeH71Rompp8KZf0VfQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNalVRWXVGN0hqZDdYUDVZ
-            TVRwVHJsTEJoTVIzenFuY0dnTWs1bnRHZnhzCnNPTnJ1Uk92aVRaMlA4VTRYbXNh
-            MW5ycEUzUVk0RW1Iby9kWjQ1cTVXWDgKLS0tIDdVaTcvNm9Ca2hTMzBlSGZVUnZN
-            a2U1ZjIwRWx1bWp6TktablBqMUduUmMKCFT9vPMu/fob5SQG1004925OB1KNhsUm
-            obph/984DUTQxk6IvnJ7fPrnFwL5yY1azdybjPlwGw6o5SmwKpxWBQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZjhDb3VQV0FrMVBpaXU0
+            MnE2UW9vRWlLUVZ4OEN2MCtSWkVLUGZmbXhrCnFMTFJ6ZmJSTVFuby9tdXdvMUkv
+            YUZxU2d3NVliOVc4ZkJNcjF0NUpMR3MKLS0tIFZaTXlBN2RXRDlSMXJ2c0cvNjhS
+            T09yeURTMVl1Y3dxalhyT0pnRWowRjQKZ4e0r5VJvlNU3OhqN2uVbJRvJ0794Smq
+            D3EYz+0Xh7k7L0UGwWgG7OxDsxJwlusDcBFJqgrCiXzd6bBP1scgqw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RjUvSFJqNGxieVZiVE9q
-            NjB4RHcraXk5TnJtN1RSNXZSMlEwbjgxaUZVCjRxUGUwTjBFSU9nTHpRbWpmVkRQ
-            cllyei9URXYyRGgrTGdjWXRSZmpRYnMKLS0tIHNQOXpkZnI5b200d0JiSVI2N1BU
-            MS9MRW5ocGRMWXdBL0E5N00zbGZzVFEKxeMB0/opzFTnlSBK1vEsLqQ0qIDhOuw5
-            S+g8eYTVXSIs/3TMUnOJxDezAG2l00vyWryPw2sGOnqgZCnF9VB/mw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiR3NPWFUrbnFPNW5qMlFF
+            L3pvOGVUWnVWN0Rjd1hRY3QyQy9uRENLVFJvCko2Ui9IMFpxQXl2c250RTRnT2Ex
+            dWQ0REQvMnRFQVBkZlUxNi8vRHZ0dWsKLS0tIHZVSlM0b2RXR1VxVFZCUld2bEIw
+            NkJmcTB4S2NNNWJpR0VneHBqMkhxbUEK2bEVSifh6NE8zCjssoBZ9FWevQ7GxgQp
+            ClLKBk8d3DDskkJSsL7sVV/KYUyRXQ8pUAyc4nbbO1n3JJeYPDc1xw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzJDWHhIT2tSekxpWmFR
-            cVFocEl6N0VWM2FYVC9FeE9zeG0wYUhnazJRCllsdlFVZXR0YTA2T2h0ZUVienpQ
-            MmhJVTkwd1Q4VjNVaWxkL0lVTEVLemsKLS0tIHVqMHhQaW55MHBsVmc5TjJjT1Jy
-            RXdOeXk0NFJuL1ZKTUt3dXdkdlpLenMKmlQ0k9CmSWQ7MqueMbmd/TqYyQiDFZ0G
-            FPtUIFWxxPY79vsEHq3kxyz4CGMUv7tYx00OK6niLgLZUStd/3Bxmw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQUNrZW9BUURPT09hc1lS
+            ZW1Sa3BqSG15SUJPa0Y2NXFQanJxenAvTVEwCmdLUTRQZkJzUHlBSVdRbW5TVThF
+            WDhlbGRld1FsWEhwTk5NU1V5RG12RUkKLS0tIEpFcnBxdVd3YlcvelhJZlByei9W
+            NE1WL2F1eHQ2VDBYSkEvdWFkWTloRTAKwLzbJqwk1+u5xEPFHO59QpU+DCoDO4R2
+            c9jFmfC/SGyDvtgH/r0inue0paUbssS/EuNbcPUJbgspPgOzXT38LQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWTk5S2VkQmNnNjIwQ05y
-            TkR2MjdnY1pGMVZpT2dadE5icjIvRWtnT2pVClRCcTVHa3BaMGRDWTgzNE5zQzBq
-            MWRWWi83b0k3OUo5WXhHTVRZSmovMWMKLS0tIFF4UlNtNVFkd3phTzd6R2FuY0Js
-            VWpzZTdXSWpiV2tRbnc5VlVWM3FCak0KQGy+ZWdvEh09y9z1Dj3GTVyeAJ5notCH
-            ujbOfaly8e9E2g4uOxISxyFe39xlOZd6zEInZ5qiKPrZz37ASChBkA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNDNkdThheEh6QUJXYzVr
+            NTJpTGxWelRYc3F3QS9JNXFYNHRJK2JOeEM0CmlFOWZ1MVMxSWs0UkM4anVCbVlP
+            L2pncEwwaThYNW8xTzVPUCtlRk1xZUkKLS0tIER5UGtPZnJ5OGF2eTUvK3pQSjgr
+            THNmdDdmT0VSdnVmdlZlRlJTZEdUSDAKhnE1wEbTWa7ufQlo8M7DBPKjMXA88S1D
+            amtSDhDQBltoEJQiQ5tY8e++uxG0O931b9ygdSs4Mhz3ctcrR17OgQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWW9QVElmdDJOSGt3Snl0
+            RFZJSktrQlpYREkyUEl6Mk5JN3YvaU96MlVJCitURmRlU0QzY0FQcXhibkJxVjdz
+            MmJZWXpoZ1ZkNTd4MTlsWTdCN1pqVGcKLS0tIFRuenBTa0tqd20wVGtWa1MxeU82
+            RVhiMjlaV0hqZ2JtN3RUb1FINDU1czQKECXZ3iUVwOMUmmiiJP8Ke6D0yKJ5iJ3t
+            5rLYa/p8JnEKLM7g4WFnJSl4Yks8vc1GE6wvFxVGad+K9d3HFnstFQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZDNFa0U4MWs0dmVkZXhi
-            V3JjdXIrTTdkamkzRW1jU0wzNnluQ0lJbmpNCkcxNUNwc3ZxMXJreXBxNUlaR0xN
-            RmFDZ3RIaVU5aCttS3Q5dWo0QUovVDgKLS0tIEVJQm1xWE80OVRyWUxkMzFXRHBp
-            RlJTZjgzQ3pDVHRPQ2dFbHBqdzA3N0EKGBFnnJMqUrbaIviqpX4CP4Ps45Lk/Yyn
-            fpVxSlwjOHNDwQ4ojUjv11FRo9WHUTGACFniUtvYc0oaLNygNgf8+Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZkZFYVFGMUpLckloMm1w
+            NTdaa2kzU0x6ZzBRQnU4OFBtaE9UNU44WXhNCmUrUmlUWGgzcGU3eUdVOTJ2MllG
+            Rkt0eUVQYWtsamJldzN6cXlTOWNWRlUKLS0tIDFvOFo0YXZzTWJ1by9FakRkUHVn
+            QThtZkpaL1pLaHRVRzQ4OHBQaEc4Z2sK3QcdxD0eC4BMqTJs949EQu+LOMzlQ9d9
+            710uGiOb0fTnDJhbYQo5TfU0YMmsjYz7pfKS33x/hcYKz0yhdYaqYA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodERMdDN4cVRiS0tVck5h
-            N3RySnRtSXJHZEthRWZNcENrNXY4bHNHa0R3Cm1HL0lzWnpocWhXNDV3RFRxL1ZG
-            dWlCQWtzMEZlRnNML2NrOUVPSVRTcHMKLS0tIEsrbk5VOUZhbDFRRHRuWW56TjE1
-            V1d0d1lKb3hyYVQ4elBIZ0hnU3FTbnMKiWERjAwlJRPK+PILCBV03uyNVnNgolA8
-            PS0vbIDVNiX0pIrRlM2sVivZwqajjTB3XROXMmbIKpQxDMjvpHgqJA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U1BMc3dkcFUyVkczYWMv
+            a3NVSHIyS011K3RXcFdpb3NPTDJsNnQyYnh3Ci8yTlZDM2ZVWDliSTJMMTRIZ2NW
+            VkpBMCt1ZnNQZU9IakF6QWdxY1l2blEKLS0tIGljeHVGbW04UTV3bkU3a2ZQSzFS
+            RWh3akgwdG5FNmtYZWN2NGFQTlRnSlEK4JDDt681LDq/lxnVEvHzhNeCCtmOQCU1
+            m2OW8L053ZweC4t4urqRz33b6VNVyeQG2wejfDtkbzOrbZnOsId8WA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-27T04:50:25Z"
-    mac: ENC[AES256_GCM,data:IKLC9N4FvfV+eWFoVZa5ijyBdiQuNdXAE4Z/pQNhns+qTuMpuz9QLeQGysow8zCqg9z5WHPa+U10uBIJg0P6Bq2CkBTJ2/75axsQgqc+BPuY4cUfppbYqQaSzB831b3XMHei9m/IPXNoh277jk0E9A0mOzHu4YsBEEzyf5nESn4=,iv:dOIgrQD0eDB1lqTWoDoLXnDZTWJLf5m9a948Wabfc6I=,tag:MWoIe5UpTqZCDDJMcg0swA==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:etf0bt71hn7uY03VfGucBr9RQVcAyqswTxYjfka4pmGHqMR4zpkYloiPiaPvDEHTNbg8QI4sI7HHkyWO/S/pIsoIosD+jnzxNhvW4HYCVIVn1dr+vzPrdguz2I2cVq3LvkErB2xCjNCfxSNQtTFkNog9yMV25CeT71Yk/hEexRs=,iv:c+FWtxvEZ19SGsgxA1iKib68bndtbxZ7VqLpmFfFfrg=,tag:Jrbi5SRLvzgzuztip63KVQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

nixos/hosts/shadowfax/config/disks.nix

@@ -0,0 +1,14 @@
+[
+  "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
+  "/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314200DT2P0C"
+  "/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH3142017H2P0C"
+  "/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201AD2P0C"
+  "/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201E72P0C"
+  "/dev/disk/by-id/scsi-35000cca23bc8a504"
+  "/dev/disk/by-id/scsi-35000cca23bd29918"
+  "/dev/disk/by-id/scsi-35000cca23bd29970"
+  "/dev/disk/by-id/scsi-35000cca2524cc70c"
+  "/dev/disk/by-id/scsi-35000cca2524e03f4"
+  "/dev/disk/by-id/scsi-35000cca2525680dc"
+  "/dev/disk/by-id/scsi-35000cca25256b484"
+]

nixos/hosts/shadowfax/config/incus-preseed.nix

@@ -0,0 +1,49 @@
+{ ... }:
+{
+  config = {
+    "core.https_address" = "10.1.1.61:8443"; # Need quotes around key
+  };
+  networks = [
+    {
+      config = {
+        "ipv4.address" = "auto"; # Need quotes around key
+        "ipv6.address" = "auto"; # Need quotes around key
+      };
+      description = "";
+      name = "incusbr0";
+      type = "";
+      project = "default";
+    }
+  ];
+  storage_pools = [
+    {
+      config = {
+        source = "nahar/incus";
+      };
+      description = "";
+      name = "default";
+      driver = "zfs";
+    }
+  ];
+  profiles = [
+    {
+      config = { };
+      description = "";
+      devices = {
+        eth0 = {
+          name = "eth0";
+          network = "incusbr0";
+          type = "nic";
+        };
+        root = {
+          path = "/";
+          pool = "default";
+          type = "disk";
+        };
+      };
+      name = "default";
+    }
+  ];
+  projects = [ ];
+  cluster = null;
+}

nixos/hosts/shadowfax/config/sanoid.nix

@@ -0,0 +1,17 @@
+{ ... }:
+{
+  outputs = {
+    # ZFS automated snapshots
+    templates = {
+      "production" = {
+        recursive = true;
+        autoprune = true;
+        autosnap = true;
+        hourly = 24;
+        daily = 7;
+        monthly = 12;
+      };
+    };
+    datasets = { };
+  };
+}

nixos/hosts/shadowfax/config/soft-serve.nix

@@ -0,0 +1,46 @@
+{ ... }:
+{
+  name = "Soft Serve";
+  log = {
+    format = "text";
+    time_format = "2006-01-02 15:04:05";
+  };
+  ssh = {
+    listen_addr = ":23231";
+    public_url = "ssh://10.1.1.61:23231";
+    key_path = "ssh/soft_serve_host_ed25519";
+    client_key_path = "ssh/soft_serve_client_ed25519";
+    max_timeout = 0;
+    idle_timeout = 600;
+  };
+  git = {
+    listen_addr = ":9418";
+    public_url = "git://10.1.1.61";
+    max_timeout = 0;
+    idle_timeout = 3;
+    max_connections = 32;
+  };
+  http = {
+    listen_addr = ":23232";
+    tls_key_path = null;
+    tls_cert_path = null;
+    public_url = "http://10.1.1.61:23232";
+  };
+  stats = {
+    listen_addr = "10.1.1.61:23233";
+  };
+  db = {
+    driver = "sqlite";
+    data_source = "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)";
+  };
+  lfs = {
+    enabled = true;
+    ssh_enabled = false;
+  };
+  jobs = {
+    mirror_pull = "@every 10m";
+  };
+  initial_admin_keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
+  ];
+}

nixos/hosts/shadowfax/default.nix

@@ -0,0 +1,149 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, inputs, ... }:
+let
+  sanoidConfig = import ./config/sanoid.nix { };
+  disks = import ./config/disks.nix;
+  smartdDevices = map (device: { inherit device; }) disks;
+in
+{
+  imports =
+    [
+      inputs.disko.nixosModules.disko
+      (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ]; })
+    ];
+
+  # Debug
+  # boot.zfs.forceImportRoot = lib.mkForce true;
+
+  boot = {
+    initrd = {
+      kernelModules = [ "nfs" ];
+      supportedFilesystems = [ "nfs" ];
+    };
+
+    kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+    extraModulePackages = [ ];
+    kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
+  ];
+
+  programs = {
+    _1password.enable = true;
+    # VSCode Compatibility Settings
+    nix-ld.enable = true;
+  };
+
+  services = {
+    # Soft Serve
+    soft-serve = {
+      enable = true;
+      settings = import ./config/soft-serve.nix { };
+    };
+
+    # VSCode Compatibility Settings
+    vscode-server = {
+      enable = true;
+    };
+  };
+
+  # Home Manager
+  home-manager.users.jahanson = {
+    # Git settings
+    # TODO: Move to config module.
+    programs.git = {
+      enable = true;
+      userName = "Joseph Hanson";
+      userEmail = "joe@veri.dev";
+
+      extraConfig = {
+        core.autocrlf = "input";
+        init.defaultBranch = "main";
+        pull.rebase = true;
+        rebase.autoStash = true;
+      };
+    };
+  };
+
+  # Network settings
+  networking = {
+    hostName = "shadowfax";
+    hostId = "a885fabe";
+    useDHCP = false; # needed for bridge
+    networkmanager.enable = true;
+    firewall.enable = false;
+    interfaces = {
+      "enp36s0f0".useDHCP = true;
+      "enp36s0f1".useDHCP = true;
+    };
+  };
+
+  swapDevices = [ ];
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  sops = {
+    secrets = { };
+  };
+
+  services = {
+    smartd = {
+      devices = smartdDevices;
+    };
+  };
+
+  # System settings and services.
+  mySystem = {
+    purpose = "Production";
+    system = {
+      motd.networkInterfaces = [ "enp36s0f0" ];
+      # Incus
+      incus = {
+        enable = true;
+        preseed = import ./config/incus-preseed.nix { };
+      };
+
+      # ZFS
+      zfs.enable = true;
+      zfs.mountPoolsAtBoot = [
+        "nahar"
+        "moria"
+      ];
+
+      # NFS
+      nfs.enable = true;
+
+      resticBackup = {
+        local.enable = false;
+        remote.enable = false;
+        local.noWarning = true;
+        remote.noWarning = true;
+      };
+    };
+
+    services = {
+      podman.enable = true;
+      libvirt-qemu.enable = true;
+
+      # Scrutiny
+      scrutiny = {
+        enable = true;
+        devices = disks;
+        extraCapabilities = [ "SYS_RAWIO" ];
+        containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
+        port = 8585;
+      };
+
+      # Sanoid
+      sanoid = {
+        enable = true;
+        inherit (sanoidConfig.outputs) templates datasets;
+      };
+    };
+  };
+}

nixos/hosts/telchar/default.nix

@@ -13,46 +13,29 @@
   networking.hostName = "telchar";
   boot = {
     initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
-    initrd.kernelModules = [ ];
+    initrd.kernelModules = [ "amdgpu" ];
     kernelModules = [ "kvm-amd" ];
     extraModulePackages = [ ];
   };
 
-  fileSystems = {
-    "/" = {
-      device = "zroot/root";
-      fsType = "zfs";
-    };
-
-    "/nix" = {
-      device = "zroot/nix";
-      fsType = "zfs";
-    };
-
-    "/var" = {
-      device = "zroot/var";
-      fsType = "zfs";
-    };
-
-    "/home" = {
-      device = "zroot/home";
-      fsType = "zfs";
-    };
-  };
-
   swapDevices = [ ];
   virtualisation.docker.enable = true;
 
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  services.flatpak.enable = true;
   # System settings and services.
   mySystem = {
     purpose = "Development";
+
+    # System config
     system = {
       motd.networkInterfaces = [ "wlp1s0" ];
       fingerprint-reader-on-laptop-lid.enable = true;
       borg.pika-backup.enable = true;
     };
-    security._1password.enable = true;
+
     framework_wifi_swap.enable = true;
+    security._1password.enable = true;
   };
 }

nixos/hosts/telperion/config/haproxy.nix

@@ -27,11 +27,11 @@ frontend k8s_homelab_apiserver
   option tcplog
   default_backend k8s_homelab_controlplane
 
-frontend k8s_erebor_apiserver
+frontend k8s_theshire_apiserver
   bind *:6444
   mode tcp
   option tcplog
-  default_backend k8s_erebor_controlplane
+  default_backend k8s_theshire_controlplane
 
 backend k8s_homelab_controlplane
   option httpchk GET /healthz
@@ -41,13 +41,13 @@ backend k8s_homelab_controlplane
   balance roundrobin
   server shadowfax 10.1.1.61:6443 check
 
-backend k8s_erebor_controlplane
+backend k8s_theshire_controlplane
   option httpchk GET /healthz
   http-check expect status 200
   mode tcp
   option ssl-hello-chk
   balance roundrobin
-  server nenya 10.1.1.81:6443 check
-  server vilya 10.1.1.82:6443 check
-  server narya 10.1.1.83:6443 check
-''
+  server bilbo 10.1.1.62:6443 check
+  server frodo 10.1.1.63:6443 check
+  server sam 10.1.1.64:6443 check
+''

nixos/hosts/telperion/default.nix

@@ -42,6 +42,8 @@
   swapDevices = [ ];
 
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # Until I can figure out why the tftp port is not opening, disable the firewall.
+  networking.firewall.enable = false;
 
   sops = {
     # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
@@ -97,13 +99,15 @@
 
       matchbox = {
         enable = true;
-        dataPath = "/var/lib/matchbox";
-        assetPath = "/nas/matchbox/assets";
+        # /var/lib/matchbox/{profiles,groups,ignition,cloud,generic}
+        dataPath = "/opt/talbox/data";
+        # /var/lib/matchbox/assets
+        assetPath = "/opt/talbox/assets";
       };
 
       dnsmasq = {
         enable = true;
-        tftpRoot = "/srv/tftp";
+        tftpRoot = "/opt/talbox";
         bootAsset = "http://10.1.1.57:8086/boot.ipxe";
       };
     };

nixos/hosts/telperion/secrets.sops.yaml

@@ -1,10 +1,10 @@
-1password-credentials.json: ENC[AES256_GCM,data:odK6x2TscY1WNCOaPBSfo2ln7hsa5UopakUpOgB4ci64p4LGIwTTDnSiq8+UXkrDndQ7tSqtr9RUvB+AwwYOuh1KBAwWmlZN7agtxUYc1wvMdQv8WPDfhqe9m0FNP5gyTaohcjBdBddZlv7izScVePUQUdG04dGYqUg6mQ/gmPtJy27hil8GivvxRN6FnFtkgoyfE+ZLfkTuMdeL4cxai4j+UeGc5XgmsrBLrW5udeDw2hktGXEBp2vMC6t+D7uzZ7DeLBDiHRbBZBeo+krnVdPsLxU3yFF/hC8vWVbkT7Wt/UhB0+X8SWvhYOvc3KW+NfyHcU0SONhQCM4iOkk/1qvcaDHy7idqexKxOtfQaZtuHW0vB3icgbxTO9usFxOxUPe63yXHUg+UDKSN4UGCF10eLoZKaV7zO76BkTFXQLl2Q+dytaxEKathhW4fS5lUBpuxXNDXuIxMiUIclXwVWVDpL7qchTJCopWwwDRaeHrUPev+pQptEsDLYpZeuf27hPjCMiOWkxt2kg2eKPjJ8AUtI8N3OlFPCyAurLgLSrFj0Wzm24LJLKsjs1if2y2jb/pR4MPdgnHgNnHS8VQ9JVprVyuw9C/wDhVV7yW+D4tlJ/d7AXaJq/dkO8XnwCEVPyFr9bUMB076z+tleYgvv9rHkdQMaqHr5HCHAtuYfM4f0Zpfr9alJ4wxCsj+MAn/PLGxjNd/hQQY+oYRpzBne2mUoxhRt3ZjnGH8LUBFSlz+e0+PB0anS3oV3XZUt0XuwGpNIxp4LsRFgmDC2qoMKZ2X7/DfTdmb3te0YbYNUUeHxlQ5AImzU6Lj1qw/clD7ViS82Rjc/WCavg9J7U7CdDbzhtv6xCxbyd3j1r8Wi4XLAXy4ZdcdvCEyYDHwJeExY8pp/jvS3CqSrlC/PyBUemloIQ+jSQiRYDv26XpRKbJ9Yd8fJ4ANPCMuvXU21iXtxHIRwopTo87hWqqSaORFcyVOmCxJJpa/TXL5fdd4ISy6CSqZXZCCIfiVxq4fBkqSoya4XMXQQq9Ki5xwLf1bDhaT3v7okP87A9d/j9Vru2RIZtRT71jVKvwDvJhLAfYuXyIUfQh5cvIw4/HlAZzP5vi1w5KlIJGf1uVVhvTl7p23/Gi9LAX3/P75dbK+x4VYOyqjMowER3jxk9m6GyFDl7iuceNh1bIpgPN1s4QOba7N2Tex5oa/aJJKOLYE4GYDtom5auDP6Xqa/Nd4NaDyd5oVuXcP7Lp7tDu9sIW5rhGaVYKU7jhzALN9HjfmAen+cZ50oy8L3IYKlS/91qzGughYDOjK4qeQ2XrMxySnCPja7ElV4gxmB3X73nxN+N0ZLEDhAGIS1FOaOammDjK2Pj/3vA5+S2hO3GYLh9glNgRnIGlNUVtw3My9H1mYIc4eP+LGGXz1KPnQMQWRtXZHH4d4fsOyhk+CE8as7WtyO7M=,iv:RkYdMs72Nq7dwHScKZeXMNSJ53ztTXCb3lkhrr9K2oE=,tag:XDdPfd+Be9nSAbvate52AQ==,type:str]
+1password-credentials.json: ENC[AES256_GCM,data:AgjrQRlLUHozHTsn2iAf+DoQKmhQfSH6ktISxUZeEjs56k6idjbndkK/kwQXNNrAwmmpT+3OG7cOv0bAPU8AzwZYVyOlpFwp/eXvPJI6YcXlmsCn9lEANpdIbpc28npWTxuYvwZTSavJt5qo/Q9Gf5YQ2qiW6ER3vA1bej7Q6/WRNqcRWKfcMOfNg5YAms/o+nUDKgp2TG4cypyw7tXUoFk9drhCrybNSdlWxWf1t+VdiGLIFk1HvYWkelpxJujRZbKJxNi+4kPT1xQyU8IJbOZx1wXsIfz5I7QPtfoMxbAhRB5ikAwZpNLO1DpnAqBcLES+yqHm0V/hyI48mHz9gSH7fCUvGqj2OqdaKAl0lEpkTMA8PkfRNKGumwHsq2IEh5PP0kj50WlEFFoZszM5QKr9FK7tcvMP0mTL88hlCqnH7rzvNQtpC76BcoReOfKO0ZPtfEAJVGzsQ4F0hkeYzlfyoylqOzldju1QPadQ8Pq3dZFUXg5mZrF2N2kx8gqHqNHqK0BY7KFRrqTIJWebHiLYWe+WWqK3aUSLx3j8iqjuf+HtEBnxAkVIuAYBS6KwHQeXycdD/d1aMm8T46mJzW5FHlUed++GsU5HGQOF2gDZ2gfimdZ7taH0Wlf2wYmuH3BJKFGROefv0SuhuqKMxG1ownFIO0CbCS61ErRTER1P1L44CmaPyIgRNPMmz4nLlKt6+P7Ci4QGpevBkY1wHEn3dT/fNrBBW5EBsrWKRA88guZZHAwB3HLAVNqDno+nWlXlB5RxzaYzya6MYrlXKQxYluU73UQRzH7ikAcL4dJpjVPNIZPkzNRAI75U/IOQX+XspwM+yeIC38TAnNIcARXk2u2FJPaJLQSLqQJYgN9DO5Rg3cIVD/RsSU8TMEq/5jHaoMjZZ4iaYjUHzXbTOvk9WuGBJB1uBm3WUVDwLy6sVp7kHv4PvECcDByNxvhd7Krpbgt9sMi3jsfloo8zOzyoUOkbCEJNr6KCTOvd1/gzRVBxKyTajBkp3P/K7sqGSYpqqmE9qQSeHH6hVMgpicPsn29rzBRW5z0Oep+E6mmDoFuzJ1PJCdLguOIOkVDGiaT+ETtSrg6By3+lhcknElquTd0McoIO2nst80VA3tGUFwPcRJ+GmCtNLBDQgsxz0FtLMzIp5rWi630gnDHBjCf/qXWxyb1YXTpWGmsfWlF3xf8TrH313cnYkKVJAxMBFQVB9GCZMbFcgWg2A9T6b53tVHhmTWIZ5fHGOVBsruo/zU3mhxjoOqsbgrmj6Vi/1sEHvkN0hQq13QGT0bRv4L8BdeIanCMItEP09WZ3lDlDaXY/5xgfwr82oCxrMM7uk/j7COF5C1OjtbsqrGUUB4bphgiVsTT0m7KUw/VdJlPDUNAm3Qu5YUgeypmcNJoNFwsa0deDdg3GllaePP+8BDRbNrGSWUoNB7iNcW/fVaw=,iv:FUiB54c70FVSSkeXZ4stCdKGwihjpSZfsKqKoiDynTA=,tag:aNTbQb2/FUx2NrjQUVMIsA==,type:str]
 bind:
     rndc-keys:
-        main: ENC[AES256_GCM,data:X0HTyNmqH1epIVNkXMyFlavqAodDw92Gs2sK54USNv0mWIwmk8NEb69x/Od8TAwDZw63k0lEAymyj/hBfkpav9yKT1M1hGxr09xjWsR/DTAM9tFv140cvnMEon0ZbXVXp4ou24jP,iv:7AsoCrxf8CyPiyWYfHZsGE0Qw/wutCVvCEiRdUdmIHA=,tag:oJi4BTDrD3FLEQuYeDR3dA==,type:str]
-        externaldns: ENC[AES256_GCM,data:WhH4vAR4Q4iTXq2fT+Z8kOXkwnneNV4bXWYytov62DFDSnYwsvWIbol5MvYIwXM+gEbQ/k/uk62MSFx26T34881EGJmH7KXWr7ji273D8oKAp0Fw6jOt2NZT6XkBwhWEIathUOwNdN6E,iv:SepdyBzYga7s03ppSppiBB/wTbTrL/y70aa/B/m02r4=,tag:vWqlZLx+FvstJjgRj4mjWg==,type:str]
+        main: ENC[AES256_GCM,data:JVFfmWawvoQZNA/phLZAH/ZfDFkuDBAzQsvavFMT/8v8JKi4oJ/V2UjVv4Xhh730SP74Z41UBUA+N1iW+1HsIqCm+UGcjelLWiKoMGQMmuzVSbt4oN0lVtVIZyke+hzlNPm5qTt1,iv:Q5t9beYjCoTiYOm8K3ktqLbkaWWWzPPljcxmdrXdczA=,tag:gZaOrxZ9ou/+ZxukaZ9FDg==,type:str]
+        externaldns: ENC[AES256_GCM,data:eCtagoXcjAqKfvD8AuxUhtL2Rvn1iUxbS3qDv1x1KVUzdg1jGAELgCivgPLv8UaLCZ7dqqtr1XiMgsd8RPKgSZO/AS9TTQx8eGnWUnaorUXdhYfhrGfeUa7LoEPYPNx4jwrN45j3OKsE,iv:ffUDa51TqFMqOBItiezwfiNkf4aajdfIXo6+cR48rAE=,tag:E2jMpk1/hpJGjLfIFuTpqw==,type:str]
     zones:
-        jahanson.tech: ENC[AES256_GCM,data:XqOX6lbCubPEi1pXgIEXW0qyD2+iJXNugTPdQOB/yCm4AX1mMiANAV51FBDb9f+QQ+q1EDqGz/83VKggoIvHSZCOW3dkNWR2uy82uO8C59sbsLrR5AzTTnZN2zlaIjW2q42I838mKfO7MfYXutwQbTpepr/Brtbldm+HRjxugJJMDFvBqSlylSnFA+jeWq7RNRP1+ZxGULO8I2BTPqdRVyRHcIWjyQABTctDcDgDLMpPxrMBTtmC2/CFH5pIT3w6gbrYRwYFZh7fNprOYRRPOkGHMZK6ccMCpm2uRR4b5daB1MidqJUsX999ma2TEmsUJSQZr6mS2r/QvwZ2R9QziIkBxh91vCg6HMaHl8/ISlryZVlkWNY1P2jgCMw0jJ58NxeBVAjVWw3iL+i9JU/q51r8J3nZHi5ql90JMaVdYWw8I2GLYWDHQnES9srEXtJwJNLzE69lQuL8ARmey4gt8Q9snen0v3RJVFb466nPKvH51TjIAr3FB2L8NY3RumD4eYl05L5JdNcFVuqmsYdoWQSQdZz23BxRM/QKT2qKjrhxfZuQW1naNDg3qbx5+bLGHlG6m8wRdtkR5SXWQc5a7LG2eURY9T7vy8yxMWzjd5LPMFLd7JlUSjwXw9YBhYTafGuc2TUESs8DCO/hU2zjAn1KM+rmc2T4aF3HexJwt7b7HBmMrDWObdtj09ycV10tp1Z57ZMz18aJdIbaZKopERN25FzIKiTlytiZiWsesLo6mUbsgb7bmjGGjBEDbp9P7ozgZv5H+aR5Y7POl9EG3gfERPsa1nF1qlloOrYT/GX8pUNhXAxH6QfX7WF+ANiMB/L/X4L0/XufV7shCWfQwogZ3t7ARGHr3dIOyx1ABus+M2QUZyI94jHTn+/J6aaxL8qsDGDZ6383Gk/CHa57BklRUrZZYVs9jzDe7+12gDfID/eP+nnKuohwCY1KcHL5QCRUg8KN1ZIyH1FYz489l/qKFG1nO33iJv/l6opWjIv98EM88ckA7zxU1+UgjxNiBo0EGJPw1erwTwUzehTnj303HuTGbtGjgE/vK8M+rCCpL9L0YAFQyXqeuqQs6yM3PHCyKfvThCAnwnTIGn2mZcyu/GGGOO9Hse/islh4cYldxC8psKNfNlf6qT43MOf+gDJ2GKU2kzU5tivlNqXbgAs=,iv:8SWNl65v24W504eG64L65rDmvqrkF5VJhufN3u/wRG4=,tag:oapDfnOAPyPDiJrxGHtiJA==,type:str]
+        jahanson.tech: ENC[AES256_GCM,data:V2g44YwCpvZoug0Ck/qnoT9PdKWK/qIl2LLZ6PUfIKFAzrvsggjmRFRfFvKJ3lydvzGWYKXPwNK1q+AfG3E1PffqoOR5cb4Dol1fxCoytGVAzF5GiIJ46wcZa7oko2aa8A4Ki+dwo+koWGCGbyCIqvQpQNjlz/J7SzQL0qpW/bgSSKP4lh0JJpkGwdYwqe3+MU5bvw/UcswBoU4A9szNOUyF2amRKloZPr6dMJAPb51D0CJc69EoQD7Zc2me1C6ML8aDDRaAZ601Woh52kQ9chriXuiGW25UmNzLi56PxWrkxe/JDJbw1Lm25k3JQDil8hmkrE/WTiMQG93oB3vHvUx7Icvvtu1w2bWGt1h+ndhKLXJLE5X4HxNdVKuPxemOt5tATsa6SCYedgbsvoZDX347IJq1NzEcn89aeq2+/ij2OvmrjPi1lk46OEtWN+WKbHuGBpmmW1Y9bf2sRE6huJjOOW6AH6g8IsUmC4LQr7h99etwqyOLxoefmxDFeEmO4L75h++JAB2805I9fTSxegz2Pa+HblEiYsE4T4aF5AHhIGXdDcUg2mDwROBowLpglnj74rsSmNbsH46Zr2O5iiu0hIjmmh78JZ5Q9nIVx4+5GBHyr05I04wMtk1Avy3i9b5YqWZAfeqJO7J7sMbrfoGdM7R4Kjn2dBlKSKaxUPNdrYXxi4dT2g+6D2skET7yUMRz45ivGOnt9nYTzhTyOn47VssFtF5lXPJ79rGeNfF6e7TVVi4OZi1F16M3t60p0+svBsogdxBo0FJ18aUvlos/0XMtup2UEMQeywKTnNE9pzfgZ7BQYGZWexRI06vkX9IysI40ylUCU+MYaApAiVYFGQO87qGT7929O0BaS2dqB/wbYPVoAY4uohiq2cUpsZUE1NhRqaU+668jMPaVRJCil/ccrwACJ7Y6tdGGvpyZbZ8XIVYd1YM1F6PJKtBeFpPJuYxWmDute/sx993coUKdjKIhpGq77Gh5Om/TrM9k0cc6DRkoi+Ht+wLGTAiwd2aWJ0C5fbX2erk6kpnkRQaOr1tNkpO1DgtAy1aF5Bk/Y1aQ0YE1AM95QL/JYxLWOMREC71YlKQaDST2QSv4KrAZ2MsceS2tWl/d49CIBUDtMrUATjNQp8ZUmS+sKm8XUwA8E5u5FFKmI3uEDl2kF+o=,iv:Arg1bFBxKjCTRSJ+E5lbemuAcDuvinds1f/P1TKwzhQ=,tag:n48FnS8Y0TpbRkdsFHR9KQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,68 +14,77 @@ sops:
         - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSS9JWTZPak52ZFloYTZq
-            N3Ewa2hrbUZmZ0Y2aVpzaTZjN1hzWTlqRmg0CkdIZk9IMDdWQ2xsYmdHcGM3WmVk
-            cnVXVkprbXlQeDdzSkEvbW9SSE1aU3cKLS0tIHpuQUY1TmdKbGpZQ3N5Vk5LdzBC
-            VVp6Q1ZNR3gycSsxU3Q3SGtNUDN4cEUKDXO3QyNQfXqn587meoAZqraGMl4ASeOf
-            rVJDGWkNhne1YFdAfvbiY6pD7RDxscwiRFqDofH/t0EfN4vwrzIx3Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V1ZQcTBNeFF6NjdXMThQ
+            QnMxVFZHZlBwTk5CU1pSNFBPTUt6MmR2NVNrCnFjd0Q5d0pwZGdJbDlDdS8wNG5Q
+            aHdqekpmREhlbEVMUjZNc1BscU5xbjgKLS0tIFdLUC9wNGlyOFd3WjRnc0IwZU85
+            alhDYk1DelpINjYvVmlCa1pKY3hjV3cKF7aIzA9U1bPVP6bQbYCTjXKptE9Rovyi
+            CVBUzWWrb2Z12rvjDzIKc/L1iMqLn0PjPsYHL+CHW8z5A6R3m3FDMw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEZKOUJTTjE4YTRQUnFW
-            bzhMcjlSVTRNRWNkSmZSbU5ITFFTbURFbGpJCnpndFR1OVJvWnBOMVovdVVGWkZ4
-            Wk9xa29kekgxRnlqbFg4YzN0OE9ZYUUKLS0tIGsxeUhWdU5NaTE3cHpYNXF2OUlK
-            eGNyTXdqWFNvZ0NVOCsvaG55dUdaMEkKW9SxqP6Jpn72VAwPhn3laO1OE+gYzLvb
-            10NfaR+2P0EJZ3nwc0sLKmPmSzcRiE9etGtNGFiLgoUNkQ3lnwXj6A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUFlDK1duT010Nll2cmV3
+            ZVRKM0tFNGVHQXM0Q001ZGtIZVV4bVByTVRZClZVclFEMVlSYnp2ZElNZm1DOGpR
+            bzNCUkQrNXF4UlU5WHloaEtzMW5wMUEKLS0tIFpwQ0pLRjFJOUR0dEhhTVBhT3hJ
+            c09wdG1jVlREUk5QUThKRFpsSlRUM1EKjxe9zkAp8t3gwMFOipPZeVdIyEnOTm77
+            0EnaO+oPJNTE+WefHKEEnqkUP0JY6vkDSkymgLtlPnY9VkAWP7ymbw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTF2TjJ0WGJaTUFIWE9s
-            S1NHQmRiQUVjSGJLQXZ2VUUrclorT3dIOXprCnQwOUorNXFzNG1DbG8wRW83QTdC
-            a2ZpZnM5Vit6bk1SaXRSZnZZT1g4ZzQKLS0tIFd4RVR2LzdvVG5nVzBiKzBPL1p2
-            eFJWOGx3Z240clRQN3dNa0Ztb2hrUk0KunfKdWPTZD32KagC+VXmAQDxJAoElHAp
-            mo8a0GGdeVuJiUneJlZ2KYuLkseCyn0HC5qQMUIT8HZJ2bb+RH0vDg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTlZoVGgwSFNOZ214WlBC
+            dFdBb2tSTjJLU1M2WmZXcS9jU2d4WThab0JFClNQekNJM1dmVjJUeEN3d1F3dVFF
+            R0c2bFlFNkowZjl5eEJXMllXSzZLSUEKLS0tIG1CUWRZeXE3SksxTUxrQjBTaGpS
+            VTZqOHB3eFlHZmNlSU9QOGprdWh3bm8KfvR852TCR0nfmXkDgF3FSOR9agJ8GUPt
+            1iK2aDZHLZKcK4mcuPc/qzfCXvTHlIvTDbSD0PbgCyG7gwgX2Qd8mA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZHAxMVNsK3U1ZlJnaEJj
-            eTNhZzRidW9HQ3Jrck0zNmxPYXcvVUtJRTJFClFiMGNuYnEzbVNJNExVSkZ3dVJy
-            MHlRdG1uNHhZb3daNW03bVJrOGZmNmsKLS0tIER3RUg0TDRQT09jdy9xNzF6OUtq
-            VHR4NjUxZGpRYzNKaHhlVTdJQXBmTlkKHgqnACFlEusz0/W+I/O2smr/SV2Oiw9Y
-            wCqCyVfB+kGrfgq08e8ki8NXv3PDT637BU3kXFaOTQhzSE0aCpD8qw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NXpCcmY2T3Zmejd2TUlX
+            TDZYMSt6OFdIZC9ibHJid3JxVjlHK0pCWXpnCmF4dTJWNzQ1a0FZdWxJUWZVZEhk
+            Tk44YWQ5U2dWc2orcTExMjIwT3ZOVmcKLS0tIDJpbkEyNmJmQU1PemhpYzBycjV6
+            V0pHbjhRcERyb042L0ZMUnZSdVpOOEUKICA6kYzVpAwMaoKrZIkj7GIjv4mGRzu5
+            3sm2D/yeE68TXH6PvHPRZpkLAqrn2HvQuviIgHXH3Flgeuu+DGl8cQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTXJWQThMaDZNajBFOVRT
-            NEpJK3RvbzRKUXE0NWpRQVA0aWJSYVNxWkhNCk1nWHVaYmZNQkdQZFJIOTZKTWxC
-            RXpOaHc4dzNBZ0txcFhtbjVVSjhDbXMKLS0tIDkwSnFTTjBZZE5hZTdXeTI1Q2F6
-            Skw3OUt4SVlrQ0M0d0h3KzNubjZ6SDgKiEvuO+RqygeSSzeUlQJSPuzNY4tbzKso
-            bt/fSCV4ulFTvjybD9lfA9dclHGM/IRA9obCQd8RsCBQuXo9cuWnjA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMLzdsOHpDUW9Vb3c5cVFZ
+            a0VOMEdjS2kzbTVtcU0zeXdOclJxbU5FSFE0CkwrdGN5VTNxT2Y0VUdOT0ZnMWlz
+            VGxwNGFSSUttZjdIVDlRL1JQekhSdkUKLS0tIE9JbUJWeFRVbXVyNkJIVTQ0bS81
+            Zk14MEtrR2pRSWVPUEJONVNKNUl4VXMKJ93XAmrAH25gUTbtY4HQjSKCJqH8yK7t
+            5WGip1wjuP/jab8ycHaM8MK6hH7qKJGLKF0Q+agvQok7RKqZl5+ikA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYUhubnhKcnFDZml5Qjl6
+            MzgvVFk4QzNwOWdSWDh6RlBDdTVzRWMrTmdBCktBZVdKWW9JdGxEVlRtVCtMYXpB
+            YTV4TmNlRnFzMTcwWGZSeWtzN3hxRFkKLS0tIHpsMTNLckhMRkM5V0xqbmFjOUpK
+            ZFl0QlZCUmcvQXBvcFpoZHJNZ0xUQTgKTnAjik5QM++wy3+y8N5zHk+nY1+bMfr8
+            5IQBIQuoJUhvj8GPniyYRHEhzttfYNuYJaENQcuYOaIpbGb3jTmBJA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZkQ0NzVGMWJ4Tk9vYnZC
-            dmo5U2FJa0pOUmt1K09MWFdRamNnaUgwbEM0CnhKRmMyN0RYMG5Uc3ArQVZhVFZX
-            RHQ3SU1TUnQ1SlhvZGp6emFOV1FuVE0KLS0tIE1oQjQ1dUhTMVBaTnZIeVpVNmxp
-            cnk3ckEyWkdhWkpkQlhJTHlsaGFTNDAK79D2C2RZql38hBJOBnqhOOdb7Z7EJNgj
-            aWfivACOM//hsPCZK+9YFpXJ08Nb6iBlNKzYsTW7qJ+Ue9M9i9JShA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQW1McmZlNVhDR1VRMUM5
+            UVk4aGd1RDZxQ3RlSG1UUEd0R1gyUU1VUkg4Clo0eFgxVlcvNnNtWVZZajRGYUZJ
+            K3d0ZzNSSG16dGVONjU2cDMzbkNvazAKLS0tIE1jcU9ERXZhbW4zM0E3Z3RJWTRm
+            anA4RmxVOWplWlo0QkFLQ2xFQ3YrRWsK0Z1iH93d8sMj8PbFaLBBO7xqz04f6ytV
+            m6bFiMoTp+hdnFdGZkl3S+4wQBG44uLJ9z6I/SL3H90ZBrVfE0XV0Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdHRRVEY1dmR2WjM3YVhk
-            dFZ6UmUxUTJKR3RKMUM0UXVaMUJwMzJRTmpnCjJtdjgwNnphOU5EdUxkSUp6UkQy
-            cS92MGdlTExVbWJIWGlGVVFla001MGcKLS0tIHF6c3MxR1V3N2szeXlNdWhUaGpW
-            WWRlTHl1MWFmU293NGJyRVNRTE1RWWMKu5nK98591T0Z4rHIHxCY7mqBW/CF6abl
-            3/ygImXkb15Ws4b4mcN67vk3omg9CB6s0SHfFk1GAu6CiN7MufHQ+Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTSsvbFEvc0ZjQUl5WWhl
+            Q0tWVndqbGlMcnpYMzUxdnlWVGxubldaWVZFCnpBdHRaa052aUJWZENBR1QvTXgx
+            Nld6UHpPR05yQ0g4ZEVKVVhQUUdNVWcKLS0tIE1aMm1XOWRxWXhiOGk0Y0IzbEdN
+            b0VpUGdsdjNpV2ZJYzBNeUZtTFg0NTgKJ9dSsLlgbxotxWyLrY6XWVyg3I3zugG0
+            pvd/gQmiYFxptVmBPw+GkOZJBugHpURQznXq6DEo0hVaYLoxoaFBNQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:pmZjxv+vcznnamHNvOL7sr8wrejmcqo6D/NpizVo7TPo6cs59vTQ2fXmM0zlfJs81wZVe8cMcv2LXITSmjpZOsrhYuzMpPsc9HGzdwfOXVTfdVDYWVwNd4LsXMW40rqUbZyVtp8zAOW4eF5iY0H+acPxMcBbogoQKOU94a0NqzU=,iv:vFcpIrA9KRMawLCbMqWbKcGFPBcMp3mQRIgje5dV5S8=,tag:iuEaP9jjhhvjMjChvaoBCQ==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:jFVRdgtgZrte6eKFuD5QSuFrOgyFxpqEaSrAZslNa6eSoMFPZcf3q9hrw12WTbfXBqy3eHwCcJ6atjZ8V7hMD4r/lVW236RJPU5ZxQT1zrDStF7nT0S1ZI9HrWywIcJuQ9brwUJkdXlA4Da7SHv/NVvA/b5x333K5bJzSGLEU0E=,iv:nusWEAgWpc0XUKE7rXtKnz9lmnqCmf+UM/RezVZcRwE=,tag:6/wCzaukgp1ZdP7TwBpzUQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

nixos/hosts/varda/default.nix

@@ -1,4 +1,4 @@
-{ ... }: {
+{ pkgs, ... }: {
   imports = [ ];
 
   networking.hostId = "cdab8473";
@@ -28,7 +28,10 @@
     system.motd.networkInterfaces = [ "enp1s0" ];
     security.acme.enable = true;
     services = {
-      forgejo.enable = true;
+      forgejo = {
+        enable = true;
+        package = pkgs.unstable.forgejo;
+      };
       nginx.enable = true;
     };
   };

nixos/modules/nixos/containers/default.nix

@@ -3,5 +3,6 @@
     ./backrest
     ./lego-auto
     ./unifi
+    ./scrutiny
   ];
 }

nixos/modules/nixos/containers/scrutiny/default.nix

@@ -0,0 +1,92 @@
+{ lib, config, ... }:
+with lib;
+let
+  app = "scrutiny";
+  # renovate: depName=AnalogJ/scrutiny datasource=github-releases
+  version = "v0.8.1";
+  cfg = config.mySystem.services.${app};
+in
+{
+  options.mySystem.services.${app} = {
+    enable = mkEnableOption "${app}";
+
+    # Port to expose the web ui on.
+    port = mkOption {
+      type = types.int;
+      default = 8080;
+      description = ''
+        Port to expose the web ui on.
+      '';
+      example = 8080;
+    };
+    # Location where the container will store its data.
+    containerVolumeLocation = mkOption {
+      type = types.str;
+      default = "/mnt/data/containers/${app}";
+      description = ''
+        The location where the container will store its data.
+      '';
+      example = "/mnt/data/containers/${app}";
+    };
+
+    # podman equivalent:
+    # --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    devices = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = ''
+        Devices to monitor on Scrutiny.
+      '';
+      example = [
+        "/dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+      ];
+    };
+
+    # podman equivalent:
+    # --cap-add SYS_RAWIO
+    extraCapabilities = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "SYS_RAWIO"
+      ];
+      description = ''
+        Extra capabilities to add to the container.
+      '';
+      example = [
+        "SYS_RAWIO"
+      ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # TODO: Add automatic restarting of the container when disks.nix changes.
+    # - https://github.com/nix-community/home-manager/issues/3865#issuecomment-1631998032
+    # - https://github.com/NixOS/nixpkgs/blob/6f6c45b5134a8ee2e465164811e451dcb5ad86e3/nixos/modules/virtualisation/oci-containers.nix
+    virtualisation.oci-containers.containers.${app} = {
+      image = "ghcr.io/analogj/scrutiny:${version}-omnibus";
+      autoStart = true;
+
+      ports = [
+        "${toString cfg.port}:8080" # web ui
+        "8086:8086" # influxdb2
+      ];
+
+      environment = {
+        TZ = "America/Chicago";
+      };
+
+      volumes = [
+        "${cfg.containerVolumeLocation}:/opt/scrutiny/config"
+        "${cfg.containerVolumeLocation}/influxdb2:/opt/scrutiny/influxdb"
+        "/run/udev:/run/udev:ro"
+      ];
+
+      # Merge the devices and extraCapabilities into the extraOptions property
+      # using the --device and --cap-add flags
+      extraOptions =
+        (map (disk: "--device=${toString disk}") cfg.devices)
+        ++
+        (map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
+    };
+  };
+}

nixos/modules/nixos/containers/unifi/default.nix

@@ -3,7 +3,7 @@ with lib;
 let
   app = "unifi";
   # renovate: depName=goofball222/unifi datasource=github-releases
-  version = "8.3.32";
+  version = "8.4.62";
   cfg = config.mySystem.services.${app};
   appFolder = "/eru/containers/volumes/${app}";
   # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
@@ -14,9 +14,14 @@ in
   };
 
   config = mkIf cfg.enable {
-    networking.firewall.interfaces.podman0 = {
-      allowedTCPPorts = [ 8080 8443 8880 8843 ];
-      allowedUDPPorts = [ 3478 ];
+    networking.firewall.interfaces = {
+      enp130s0f0 = {
+        allowedTCPPorts = [ 8443 ];
+      };
+      podman0 = {
+        allowedTCPPorts = [ 8080 8443 8880 8843 ];
+        allowedUDPPorts = [ 3478 ];
+      };
     };
     virtualisation.oci-containers.containers.${app} = {
       image = "ghcr.io/goofball222/unifi:${version}";

nixos/modules/nixos/editor/vscode.nix

@@ -4,29 +4,35 @@ let
   cfg = config.mySystem.editor.vscode;
   # VSCode Community Extensions. These are updated daily.
   vscodeCommunityExtensions = [
+    "ahmadalli.vscode-nginx-conf"
+    "astro-build.astro-vscode"
+    "bmalehorn.vscode-fish"
+    "coder.coder-remote"
     "dracula-theme.theme-dracula"
     "editorconfig.editorconfig"
     "esbenp.prettier-vscode"
+    "foxundermoon.shell-format"
     "github.copilot"
-    # "github.copilot-chat"
+    "hashicorp.hcl"
     "jnoortheen.nix-ide"
     "mikestead.dotenv"
     "mrmlnc.vscode-json5"
     "ms-azuretools.vscode-docker"
-    # Python extensions *required* for redhat.ansible/vscode-yaml
-    "ms-python.python"
+    # "ms-python.python" # Python extensions *required* for redhat.ansible/vscode-yaml
     "ms-python.vscode-pylance"
-    "ms-vscode-remote.remote-ssh"
     "ms-vscode-remote.remote-ssh-edit"
     "pkief.material-icon-theme"
     "redhat.ansible"
     "redhat.vscode-yaml"
     "signageos.signageos-vscode-sops"
     "tamasfe.even-better-toml"
+    "task.vscode-task"
     "tyriar.sort-lines"
     "yzhang.markdown-all-in-one"
-    "foxundermoon.shell-format"
-    "ahmadalli.vscode-nginx-conf"
+    "fill-labs.dependi"
+    "rust-lang.rust-analyzer"
+    "dustypomerleau.rust-syntax"
+    # "github.copilot-chat"
   ];
   # Nixpkgs Extensions. These are updated whenver they get around to it.
   vscodeNixpkgsExtensions = [
@@ -41,12 +47,27 @@ let
     #   version = "1.219.0";
     #   sha256 = "Y/l59JsmAKtENhBBf965brSwSkTjSOEuxc3tlWI88sY=";
     # }
-    { # Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
+    {
+      # Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
       # The latest generally targets insiders build of vs code right now and it won't load on stable.
       name = "copilot-chat";
       publisher = "github";
-      version = "0.18.1";
-      sha256 = "BrcrfhkX2VGF9wznTSlPSdPPv126ScbHb1ngBRGtr4E=";
+      version = "0.20.1";
+      sha256 = "sha256-HCPUufTZdukDmvP4/90K1x6bPq281Y02RpRds0vDL3U=";
+    }
+    {
+      name = "remote-ssh";
+      publisher = "ms-vscode-remote";
+      version = "0.113.1";
+      sha256 = "sha256-/tyyjf3fquUmjdEX7Gyt3MChzn1qMbijyej8Lskt6So=";
+
+    }
+    {
+      # Same issue as the above -- auto pulling nightly builds not compatible with vscode stable.
+      name = "python";
+      publisher = "ms-python";
+      version = "2024.14.1";
+      sha256 = "sha256-NhE3xATR4D6aAqIT/hToZ/qzMvZxjTmpTyDoIrdvuTE=";
     }
   ];
   # Extract extension strings and coerce them to a list of valid attribute paths.

nixos/modules/nixos/hardware/default.nix

@@ -1,5 +1,5 @@
 {
   imports = [
-    ./nvidia
+    # ./nvidia
   ];
 }

nixos/modules/nixos/security/acme/secrets.sops.yaml

@@ -1,6 +1,6 @@
 security:
     acme:
-        env: ENC[AES256_GCM,data:JP+Syy9927T9ePL4Ly9FxlJ8F4/g/xejRn9nw2mqpl2ZUTwudp+R+ZI//h14Nej5S07oJt2L3LD/ol7ugdXHFG8=,iv:NJdqDIA0FZzyKRvDgjWmHA17q0FOCqjCk0WdkFMtd5w=,tag:KG8dgCcEOdroFpljNawdGA==,type:str]
+        env: ENC[AES256_GCM,data:rYeJqYF11Ccw/zDTpfB2ewXIy4cqzHF/d+ar6NUdOGxesiBdJXVbGQtGOOLHTUJ6yKNhdBJ2mpBpCpIdQEdT9+4=,iv:XpjxG0RypUQ0Ub0dKAa8/c4F8TVuRNFXJM5UAfrlMV4=,tag:zCaLPPTp9KHs/AwYNq28gg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -10,68 +10,77 @@ sops:
         - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFJTREJxZ3NlNGtkSmhG
-            YTcwVmt1OUNmdTRaVDI5N3JNemszNklHV1dNCmVYczBEQ3BHT3ZhbjUySFNJVjhQ
-            dWh6c2ZHRUZTOTJEOTBrS3NuNDNzZW8KLS0tIHp3ckNvdmNYdkh3Znc0OVk5Yk53
-            ZW5jQmxLMHR6MC8yVFpFdFhsTVBub0kKRdYFNppcSFZ/5gm2WvydESeJOTVYd0Yk
-            0HQd6o8bAX8dcRhMHyyveWXz94/mcINkqz2mlXoL1N0HRPXcuUu5tQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOHNGVG5DWVArcngxYXlv
+            dlFmd1RPenFwSm9TSjhTR3F3cHB6R2lTTGo4Ck1BTVFSd21Xc0hiZlBUdjFrbWFp
+            Q2VoVzQrTEpZbE1yTHpBUVIyNWFiVEUKLS0tIDZLM3gzbUZUajZQaVRtT0dsQlpY
+            VExPSVBLb0R3ekpNTE1jNG9QME5OTkkKPivk0v0xDOzHJSPVJYO6/5wdF1PChXtl
+            xj6JrycRyQPahncXndTZoQL7EbdXnR2tfMtEE5Ua7l4mK11pE3K8cg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RnNVZFowV2NYakYvOEFr
-            c2pFaDVqekVFeEdPWklkVWxoMjNEMEZrbWtFClFmcGNZYkJqUVF3MlRDcmpqWFZI
-            aU11eElxd2c4YTEzNEQ4RFgraFIxS0UKLS0tIEY5Yi9IUGxjYnpyL2I0eVFNNk83
-            Q3VaYjdiYVd0TFVuSld6M25wWHRZMncKaqb2kQvlLGZMaI72npCBuroWK/Fqr9jg
-            oaBz3rpvYJEox2Naismb2D4fNCtI7Z1hLhPqq/jGAiczNaU039N9Bg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQc0p0TXdtcVZNcngrQXM4
+            bzBJcERRWVhxLy9QVHBCSnJEMzJTekF4RlU0CmFDWmtMdEdiOFVrRmhRbXc0R3ZE
+            RC9mQUF4ZjFkbWlYZHkyZ25NV01hREUKLS0tIEVQWHR5YTJ0KytQYi83MmpWL0tO
+            Q0ZKN2JSMGVsU2h5eW5OTk1Kd3hoS0EKNbVvQ3VwkWloO15CV8v3SP8pD4zc2h04
+            uM4/VlXTsVxVBqRxycdTKdWhmIChb8w98ljQC+iqatCCUiC9vHYIsg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdC9BM21iMldoUkIwdnpr
-            a0hXbUNzNFJFTDF3ZS9CSFBENHdNTTZDU1RzCm9QbVdLMnRyTDRQNFE2U2w3cXpW
-            WkdKRFdocnRNaUxLejExSE5STjdCTkEKLS0tIHZvKzVtWnV4WWxRZXFMVWpobHJt
-            WlVNd2xNb2c0YVB5WlJtbTVreFhadFUK32KcIdcbt1rAk2+GWe5slpAdHcTBWoKs
-            wGOEayXeMi9EGYtx7v1oJ8+xlo2wRW/i1pKdCRK4vi4FtaXT65zglw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNTVwbGNWRHNaRkd4N0Z3
+            U3ZrYWRMNGJSMTI4UjljQkozTHAvdXpIaVZjCmJMNmdoVjBZZHRqcHBkcEpiL2dC
+            ak5xNGVRV0NoV2c5TCsvbkhWM2JqeXMKLS0tIG9uMmpJUzdMTUhVWWsxSWFaSTVy
+            VHhxQ1U3L042VGpNdjI4RVNiRFlqU00KPuDqqR7EeclGGOs0R/3PsB+dnNo20Lh+
+            GiCWjFy9MVEsrlZV7pd9cb0ggYTm09H0ZD5kb+++Er9WJqb7Ss+iOQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxb2wzMW1EUUx5VFp0Ykor
-            UWJEeFlZQTVJTFZIVFExZ1NkcVBCT09XVkU0CmFvWCtsaStjSDR6OVQwTW9iV3Vu
-            cVo3MHhVOTAxQnU3ZWdDcllKaXhnK3cKLS0tIENyYlFtVWtqS05MVVFOWFpZK1Zp
-            cTFkQlpkZFgvOERSdlFMSHFxR1pTZmcKSRYr/tIskcm4mwiF74Qnd5d0zRRDSzC1
-            QXidtsl505oGOgT/ujVtPwSJwvJewZT7NJKVRYktS3xY0v/flr1ieQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRGdRRWUybHNiZzZaM1hv
+            bW5Kb3NIbW1WNFl6aUdLWDA4WWI3RDdZQ0VFCjBXajVsY3BNMWs2QldjZDZWQnZ3
+            VjBvZ1AwZkVGNTB2RGF5aGp4ckFYYTQKLS0tIFd6L1lyblZ6ZEVXTHJGanhna0JQ
+            S25RbHI4TENLUzRtM2NGOFNQQUdENm8K3upUW3cVF6fBrii/pEXua5sLwFcU/as3
+            RNDLpyvvA/CCZCuneNS27/nYUcc2rJVDU71OsDA6A6SUivYLTriRbQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQjdka1hwejFZR25xbXcr
-            Vzc4MVd3eXJOdmxqZVFDVVMvTVhLT0lZdVVFCmFtQkZjSm0wUHdMczM5ckFBaEdQ
-            Y0JMYnR0dGRLYTF1d3NHSyt6MWcrYXcKLS0tIElaT0FjVEdaeExnMUF4OE93Z1Ny
-            cnQ0Kzd0aWdrSlN5Y3NIN1kyOVh1WTQKG825r7fM2BXak4Q4GNPwZgmigmPxZXh4
-            DTdp3xBgHWpw8eQsi+gBzzf+4boLDTDDi+acLshj+SpIhjPdMZ1BwA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaE9UczNPNk0zbWV6Zjdv
+            VXNEVmVibG1xejVObnlBa0JOOVBoQTZvQ0ZVClRSOXBrKzdjVkdGNVc2VmtidE8v
+            Wjlob1Q4cDZRYjB5ejMwWXZzL2NFbUkKLS0tIHdLWjZtcjRjbjNGYjIzeWhqV0t5
+            NFBwOUJZYUlicXRqWWtucnJIM2ZXMXcK9UTQ7NxoE5vozWvaDWT285BpZG/VdBh7
+            3VrNKMWJLt/OuA0ucJAkK8NJ4mBYviytUk0kRR39nUok5+kM1iJJpA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5MjVaRjQ3VTdsUzNHSkxE
+            ZGFiWWZmTzN5N0t3YjBtNGtiWDhNVmduQVM0ClZFMHp6UE5aUjdYaXU3YTk5RDk3
+            Q0ZBcnJLYzVtN3h2UEVSbmtsa1hTbEkKLS0tIEIwL3dkQVRCRm1TaGlUNVpWTUFT
+            MHFjd0ovcXN5S3ZhdXpzU3ZXUnorTjAKPdgr51ho0B2rDKld/UHHC4j1RwRy0fGy
+            6Pl/Qes4Gjvrb4dlDHS4HTEwBs0TbA62DEDI/jquypwxRW55eDMB6g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUmVpUHh0QzNLMVhsMHN5
-            bituWE9Ic2tXTm95cWlUMG9QVWhEcE1sejNBCmw5Q0lTYjExRjdkaCtYMWdkQnZZ
-            dXNrQWhZaERBK1hVK0pkbFlvQkc1RHcKLS0tIGcwK0dzUVZFMFh2b0dmWDMyMjdS
-            d09MQlZST2ZJY28vRWtkRzRjd3JFKzQKH2pjr7P1mG1m/8L/VLaTVrAQem8rcNGN
-            tBWqg9XT3aSc+7NqUDkPVvH8STFGVlEhIskKTJA2TuY6CXfqwS3D5A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMmNINWttMHBndGM0eVJI
+            OFlGUEpQRGthS2xuWnNtcjRaWEY0L0JKZzJvCkYzWCtVdE1VNnh1c2lGaUZoN1J4
+            SnN1M25qempwZXBLV0ZPRjJreklnbEkKLS0tIGJYRk5xaFhuK2FwdUtKMHFaTGJZ
+            QlRmcFpPazh3ZkgzWTh0Y01yTWxMbkEKK525n37sRSRirQQPzVluIwAiYFIbeta+
+            0/baUvErrjD9xofBZOm7kenLw/pPtcGXsUFqp9aCM7KGLjgRQTuK6g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRW80Q2x5bllHVDNzTGsr
-            a29PRHJHcHR2Mng2M2lpb1ZXMkV3UlZkQVRvCk01ciszVDlqeUdpa01FbjRtU3hq
-            V2hPS1NTSEdPL01ZZkxVdmI4ZHRRVFkKLS0tIHpjck5OaGl2dGgyUjZlNmlVWkZB
-            RHZ2TlJOanR6L2tQRm0rc3NVVSs1R1EKdSheY8qXv+ylwqjlpbWsSYD55X4SUT7c
-            W2czHg0Ezbjk8W7vyDuxdS1LjKSMinfRPUG+oyUwxwrjBN3aAwVDIQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNXhtSE50Yk9BdnRIOUEx
+            UW0rRGNHTFJjWWI0R0xqVGVTUkFvSFZyUVcwCmp6b2I2aStEdlNzcGNtcTVML2dz
+            TWRRUWVpd0doWFBYTWZZRXFjZ0wxR1kKLS0tIFhSU094RFdXVXFrT2FqbVEwc2FB
+            WE93RjBHS1NreWhqTmtEckVWMSt6clEKE24mtrJll0lsXEJktPjCFRpf8DLdxIW4
+            4JjOWY6zgBWxtuvg5rdb5rz7Sp2UaI1LavvhkCdjmpFckdEUDMOOyA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:YEm+/mTkdLblxqrQAkCW8QUoQVkK1drgdHCt463aBUl9r04TJdRbij0p3QuLzVIvXJosdBQ0dN0Y/huuFOkP2bixH1q1WtBaqt98iYuR+Gessj7+kDekTNHCNQoZJjbFfqOwIEFNw/if2kY4aHcUoyQQj//yoGTA0vGbqrWzcX0=,iv:KWIo36gl7hOrEDZulqwRwr6eCfc6Hat5f17hpLLDMW8=,tag:3IBrvYXxN4j9I72lwiKq/A==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:nBRzGlhrgKchrfnidh/SUNiT04UVeeuck7wWL8M6Jfi0zJItankJaCAHlFzHku5+HYCM+6B1TN5bBKzyrizMAAtZ7fwmUjMt1TgXDSmG4CQXrUSmTkItlHnA1W8MvdFbJY5+cS3aJNx7rnvGp5H5OroedL88L+uuIHqxEx/qxRI=,iv:E4MmeS+xBPIvd2QNxpOHGx2Vpj16s9PZzp6kjkbItqA=,tag:FqVEO7iEjvAuJE4EJ35Yww==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

nixos/modules/nixos/services/default.nix

@@ -4,6 +4,7 @@
     ./cockpit
     ./dnsmasq
     ./forgejo
+    ./glances
     ./haproxy
     ./libvirt-qemu
     ./matchbox
@@ -15,5 +16,6 @@
     ./reboot-required-check.nix
     ./restic
     ./sanoid
+    ./vault
   ];
 }

nixos/modules/nixos/services/dnsmasq/default.nix

@@ -24,8 +24,8 @@ in
     ];
 
     networking.firewall = {
-      # dhcp ports
-      allowedUDPPorts = [ 67 68 ]; # server/client
+      # dhcp ports | tftp port
+      allowedUDPPorts = [ 67 68 69 ]; # server/client/tftp
     };
 
     # Proxy DHCP for PXE booting. This leaves DHCP address allocation alone and dhcp clients

nixos/modules/nixos/services/forgejo/default.nix

@@ -9,6 +9,10 @@ in
 {
   options.mySystem.services.forgejo = {
     enable = mkEnableOption "Forgejo";
+    package = mkOption {
+      type = types.package;
+      default = pkgs.forgejo;
+    };
   };
 
   config = mkIf cfg.enable {
@@ -25,6 +29,7 @@ in
 
     services.forgejo = {
       enable = true;
+      package = cfg.package;
       # enable sql db dumps daily
       dump.enable = true;
       database.type = "postgres";

nixos/modules/nixos/services/forgejo/secrets.sops.yaml

@@ -1,7 +1,7 @@
 services:
     forgejo:
         smtp:
-            password: ENC[AES256_GCM,data:kkKrSGJER21Q3efHuJ6YJVcmqILMYMME+e1GRdNDOX+sDgKwapY+lJrlELgD5RFVJN4=,iv:/nxRa6Tn1pGGYQ0mds70p3+a9ZYHv6UidngHvI5GTIY=,tag:4rScz6znMhgtQB9V4iDqWg==,type:str]
+            password: ENC[AES256_GCM,data:sq+vLUV35+sclAszVQRU4up1s1y6K6BNbzSW8hKBN4kavJOZLX6o86xTgNjjScQop1c=,iv:5zbzggdTT59ali0LzmPtaP/jAnGCYoJFcIEZkFNFmJw=,tag:z9s3NQptPwKOC+m/EUVeWA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -11,68 +11,77 @@ sops:
         - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpM0tHclk4K3ZTZ2VyTk1i
-            MXliVmtmUXBMWlFlTjZHeEdEbHArUjJwMVRrClViKzZJNXkwMHF3bW5FQUxROVRF
-            UTdadFdseVkzaUpvMnNKaTZkVWNJSVUKLS0tIGxkUmk5ZmFZOWtlUndJdjFSL056
-            dXh2bG04QXR4THB4WFVSamY0SWpUSGcKwYArSMUjLm7j4+0vdPw8x8WrfIMEvJz1
-            K8Tqc2IJ1KfH4GGcOveYt9UcgUrzuvXsSnPydKWnc86RuFA+X6Qixg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUXYxY2hGci9ZZ3BId0xE
+            TFJJVzdJQ2h2TlhNQk8vZFYyajZyUVpiY0E4CjFJR0lGdG1jYk1EejBNTFVwekJD
+            bE0xR01SNWNib3VyRE52TG1hbFYydXcKLS0tIEtkaW9RN2lqYkhwR29JZm9QcHFM
+            U0hqelgyTWJGUW83emttS1pVYzlNOWcKWp+wQH8iZH6ox+unG6Qx/2vbG8GeMpCa
+            k3lUrtyqEKxw3V08FA1gWvLF8XWVgYGVS1jlZFypOVLbl5Ig9l+VDg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNTVGdjJ0dGE4aHBDbjRx
-            VWlJeXEzVkF5MXNmN2VNUnZrZTFuam94ZmdZCjZiSXpNZTk0VFVuck9ac3hDenZv
-            djZrbndYTjREUG5RSTNFNnhLTkRWSzQKLS0tIHR3L3BDditLcm1BMmlLcWdGNFFt
-            MGRBaFVjTzRNaXlOaGtvUzlmanZTb00Kb/RJFiSQ9XlRAfjrrncoJlDnQAJw9LI3
-            lXX0+BKL4fz8VUFY1dqcuDBSuvssADkDxU4X6yaebt/touhXJ66A8w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcWsvN2w3MGp3M21xc3BT
+            UkVueCtwSmdRNjNXNFdYY1NBTUF4Y2czVFVjCmhzcnpKUkVvZGRzSm1KTGs2SldW
+            cEZ1djNGUWpaek9lRGFkWVlqSHJDWmcKLS0tIHY1TU1FNm52clhZNVBDOWtrOXI2
+            b0RWamMvdWMvS2tSMnRTcTFlV2hBdUUK2RMSSn4WBhBiv5k0NNoXdwjPJkueOoXu
+            OXEeslquRSkZ+f/BpbhzFTXRzlQdLA9keMTcM20SK1IBuKICkJ5eyQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWUVxVGFobUxZV2M0ZUx4
-            NkpWTTVYZkM0cmFYNFJXYkE5SHJaaVpvdlVNCkV6UTN4c09ZT1RkVE1EYjlVZkhm
-            Y1ltSWpuSW95SXVkb3pyUVQ1ZGJ2Q28KLS0tIC82WnVsQ3RxSmxaL3czRlI0cTJV
-            OFd6VXJZUnZkT204Y2locHVvb3VpRHMKg9AMO4e5qGgSno/8FWEseUW9bQmfxVS1
-            UOYzIvtmAZVuL0uxrz6b9TwOv0CooP0+JhNOjcuFzcbMCcM1CQgwvg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbDlZMlcvbkk2WnJmZU1I
+            djR2UEtqbUlsaVVQZjk1R2RjbVpTT3VQVVNBCmV4aWVLOFdkdnhEaWgwU2FzbVRL
+            ZVVLVjN5WVdNMWtxbDcrUGYzZ2xNWDgKLS0tIHpTdExXbXF4V1pnSzBMcnFoSWF4
+            eU83ZVVnblV0eE5ia3QrMndDNG11MXMKF+iGOD0KKJV7YgxmI4ucHjvyGu+0EcIQ
+            smjK+ENxzkfk3yFICjkiIQSVBygvNiV97oPVpYeYGnhyiH3xefgyWQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVFJDbGtEeksrN3lKeXJF
-            dFIzd280SXRwZmVycHl2YlZ2VEo5dHhQVTE4ClBHS0lKd0FaMkNZT0xlVUF0eURO
-            TDZ6ZWJBRmtNMUZFN0FqbEVtdUxjYVEKLS0tIHZOTUZwUVdXenlDb2JxUXE3TVgy
-            UDZMb2xQVGIraDNxTy8yZDV2cEtHc1kKyjdLT8YcpB0yhXugPcN0scRiiTvpaF06
-            AoBdKBnxWHn1EVuypo75gOvKHwUMDdiQY/WUndQdlNOihDjzCSYGUg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUWx5YWhHbWFZeGEvV0VL
+            TnU1akp0WHhlczQwbW9LZ3BTYlhFSUVlaWpvCnFsZFFIdXNubGRyQkFnNm1nSUVQ
+            d3Z2WUwyVjYraXRxV3NoZVZYbVhyQWcKLS0tIG5LV1hDRng4aDd5eDUzY0k1TXQv
+            SWNzRXgwRTRvL3hEc3ZvVGFiRTQ0UEkK/9vK8sXbEqxQ4KCxzMeFHmqoTSLd/kx3
+            JBt18+XISrPYptEekZTV6obp2GKxpHDj0LEsNpUIjPWmIbT6gInHBQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArM3BsTUhJWTlXSitXN2NG
-            cG1LTWs5MFZYV09Ga3JqREdmZ2NDYVRHa25JCm4vNFZXS3JQdTEzUmxmbld5R1BD
-            dFFWM1Ivd1M5dTNJbExLZThNYmdCbE0KLS0tICsyWmh3bjZLVC9ZSUxBVlpkWksv
-            WXpaZDkyOFFnTkYvVDJjdjJGeXVSZGsKjJEb7JlXb8n/l0j32ixReFR+UJm59CYy
-            QyGCeBuAWOpeDw5d4jA+WikFrRRAJyiTcvsVi+PAzzqlOAlT0+/KrA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZmFZUE43L1FzTFltamdX
+            Uk4zNUtjMmlwcFVEeVB6UmFjWHM2OEpMaGxVCi9HYmFOVjl4MDl1MFAzc3pTbWtO
+            WHIwV0labHpmYUFFcWZwNWdrN1dhVk0KLS0tIHM1VENSWWtUN2hFa1hLcUJjU1VJ
+            amJ2K2xHL1FwMlErZitrSXRwek05TEEK/KDJHIOzuMCp1xON6ZYsgMKbYIQ5MAm8
+            W5U9PDE93js7j8lR4dTq2AASB+U5nk3I0MPPrcqhHkVcsSwMuKYSUg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWHUzSTYvaWRQc1dhWEN2
+            d2JwdjFldkRzbi95Q2JpRlZFaUVGWFU0MUFFCmpaaHdQbmw0Q2FVS1JvMkNYSzR6
+            aDRCRVI1NU9jRXkwMndyUzFwL3BDOUkKLS0tIDFvclN5eXJTWEg4VGhDVFpFSHdV
+            V1FlN0JOVFBXZ1A2SmxZaGkvU0MrU3MKuK+c/lbMvzdREphCn46IvL8X1iOw4BwB
+            9FdstXHyEX8OW0hFl35ZCNvPyd9pwO5fK/sObDrZ5+aCfFE0MbFbyg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSXg3NUVia1hkK08raHRI
-            VmlMRENkMHB4bkFJNGNiRGlLUitSQzVrWFZnCkZPWTI4QjhiWUpaYkh2NHZwR1dG
-            Z0Zub0JSdWwvM1ptazhUdWpxL3htR1kKLS0tIE91bWZObHVRSmZNNlBJK2FZK2RF
-            UnBtNmlJbnRYRmVyQ2hMcWNxSjVkVzQKZ9+hpZk/VnMKaVEUoajfBfMjkqz1PbVl
-            Fy6cOfjXzGCtx8vsU3TNILy+23M6e3G7K6ghHnhO5kL4StAY1PTR/w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnK1N0S3pDa2tCdjhiMGJJ
+            T0lDNU9YQXN1bkJuM1NUUnFzeGJBN01WTEVFClVVNmNTekpOOHp6N202L0NzSno3
+            MEwvMUx0c1ZmTFpscFlTM3FDR1VhOE0KLS0tIGM5TjBiQjByWkMwY3lhQm5CVTZJ
+            K1pPUER4aVlmN0FKTElEOXdzbVlRMVUKaqTcad+P1DfUqEhD7YUdsGaIx2H4IMco
+            Kh7lk0/ppXFmcRAKWF3luwdLkaebkFzx56MZjJGroNmMvkR0fMUv9Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZ3JDSGZ5WTRybGpVdG1Q
-            Y2crbWlQMnAyQjIzbzY4RHcwV3pXdGVzY2s0CnE2MTRLZnRQakU1RzVlQ1NDeXRk
-            U21mM0ExVzQ2QllOdTltQlpNOE5EU1kKLS0tIEtOa1BJdnRVY3FuZ2Zlb3g2ajhN
-            eTRFakI4MlRBbEJKbXBHSXlBWlZJMmcKaeSAhUZHIlXOaKqnRcARJITwQdJLFbpt
-            Hs5sshvnv+EZjvir9L0EgRtgpUmnpkl+mGnQxaBW4YVf/iiQYTyHsA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5T0syRFJiekFaeDRsY0FT
+            NE1DQUgwK3NQS3lQRGRTTXFQVEVkK1pYYkJnCkNWQ3J0b0V1eXF3OVF3R2JjNEpy
+            U3libG9INjl4K2VEMHpMMHdRYVViUkEKLS0tIEliSUFLWlhmblFZWCtRdDRGNlNa
+            VXhhd1BLcmh5TnVsaEJaOUJURG9VYlEKeFta+e5e2EiJCSL7CMrIoYwyAnCeybEq
+            vYfgMETwNaAh/AfGS1mdEABpK1tWi1H6Uu44g8OWTiszjQ09shb76A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:61nap2R6vs3XTFECmq5F1rqPE6eWZyM50dsYtNMfAAWQU9D9cyaDEx6bKkwMyBpxSQNHlGJWoglwRvZH2wQsLB46sdR9UNosqJZD7RRRh/RzkY3SWW6vHeP/YgnfsGgPpMWleBI7jnH/4EMoB8a1PECZiR7L/8BIFDlmdklbJ/I=,iv:G5xTBn3oFBLJHIEqGsghAXrZc115eGwWBbMLBOHET6Y=,tag:bnZodcvP+6nbc/yFcQVogw==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:DrSjFv1jbSuMO2QL6h8h8ln0Y5VBDBSrqC8rvaLZHkd8MOF4IPsjQORN2coZJNNvOpGhZsTiZ2prBBCQfqGRI+QWNlGTezOfWCZpFa7Fkp7g8TXZQmAkvrpnkFYgcL2JyvN5PrvL1j6gK4+zP7ohjLk1+v1VbYOPSab+N9ftYRI=,iv:VDGLfHXC0/vIue1kIKTGxK5x0CskAyG0CcNUOmHEXfc=,tag:CWXtliE0nCSiiW5O630A1A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

nixos/modules/nixos/services/glances/default.nix

@@ -0,0 +1,52 @@
+{ pkgs, config, lib, ... }:
+let
+  cfg = config.mySystem.services.glances;
+in
+with lib;
+{
+  options.mySystem.services.glances =
+    {
+      enable = mkEnableOption "Glances system monitor";
+    };
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = with pkgs;
+      [ glances python310Packages.psutil hddtemp ];
+
+    # port 61208
+    systemd.services.glances = {
+      script = ''
+        ${pkgs.glances}/bin/glances --enable-plugin smart --webserver --bind 0.0.0.0
+      '';
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    networking = {
+      firewall.allowedTCPPorts = [ 61208 ];
+    };
+
+    environment.etc."glances/glances.conf" = {
+      text = ''
+        [global]
+        check_update=False
+
+        [network]
+        hide=lo,docker.*
+
+        [diskio]
+        hide=loop.*
+
+        [containers]
+        disable=False
+        podman_sock=unix:///var/run/podman/podman.sock
+
+        [connections]
+        disable=True
+
+        [irq]
+        disable=True
+      '';
+    };
+  };
+}

nixos/modules/nixos/services/radicale/secrets.sops.yaml

@@ -1,6 +1,6 @@
 services:
     radicale:
-        htpasswd: ENC[AES256_GCM,data:5ddA5KQfwz19///HzOsWfQ==,iv:RF0x0m+ODyDjQhn7eSBEXu5Leg0EvpMvuLVErDZihAo=,tag:HhHzXcroFshr1H/ditMARA==,type:str]
+        htpasswd: ENC[AES256_GCM,data:O/bI1CUdpal/aJSiLaWtDQ==,iv:iJ4WrQ2vbjRlICcY21R6NGmtOZwO68zANQv52uwm74k=,tag:c2sMcVCUWOjSALNITdx1dg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -10,68 +10,77 @@ sops:
         - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UjFGTkNCaHVEK3ROTVBO
-            OUxrcmhjR21YempEZWVIOUlLYVNuMm9XOURNClJkbVZ5MEFmL0dhTWgzNWtYTHUy
-            SUlyZmtYTXZmWUx0V3BGZFRjOTcyWVUKLS0tIDNVSW5ZcU1IdW1jRTJucUxIdm5x
-            TmIvZmRRaFh1clkydDVlcWxvVGJkOGcKFpeAAdv1pi5AixsBKn/0Zo4QRTNBrKdm
-            8Qy6MVZg8HTf/CezK/XjkAoiB5K96fATXTpdZqZ7jfcuYLdpfEU2jA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUxOSWd5TnFlazlXcjUv
+            RVBjM01WRjZ4R2d3WGhQWHNheEZWRkdWcWx3CitOekFGZ1RXL1M3QndrWHUzUFNH
+            QkY2dnYyZlhFMGVvTzBQb05oTjFFZ1UKLS0tIDFYN0pQTHBEMUZTU3QvOEJQS0Rh
+            Z2p1ZFVvVVBBZXVwTkhVZ05nNVBOQUkK7qFuomZfRvwFXTUc6LWWT10Ws8xIDcCj
+            AD/HSc9K+lEXHoTNmpHZyUYGnxJljnDNB3d3FS4pKbHujvhvMXwfPQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDQlRJNlhhdkNLcjRjaFZT
-            YVZJdDJLeFYwMzJUZlllaElPazhPaE14YWlRClNBWDVkTWx0Qm8xTExyT2dmSjRP
-            VHdNM3pwQkNXUW5xVTZlVC9YTFFodjQKLS0tIEkyQTVHd0pqelppSXJ5SGpHSVF1
-            aUd6ZGhaU3BsdnFVV3NqMDkwbDdVUjgK1BnXUPCCo7M/sdpGfLOOJ5AAjyI9isSx
-            9WJ5+WmNxygzBDczPjJITBrvZMGduAxWqQP/FrLe9rQ/RA3DGJjThA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdnRKZUk5Um5HYUwzbmhL
+            K1A0ZW1YN0d3WllNb28zeDhzS1ppWXhleDBVCmMrRk41WlM1RXN5TkVnVVRYQ3Ev
+            c2RTeVJ1ays1bzg1ZGozMWI5ZWZ1ZHcKLS0tIFRKRlhFT1VwY2lwbUhRd3A4SEds
+            Y3BFY2lpQkExL2V4SjJvU3pTSW5WYzAKO8GMLDaoDrxdZzM8unYvq3/OteDGIwra
+            dRd8c6b5LSoC63Y59WftmmasXFRNrZHZX24vwgwReKapnWmqtQTgrQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdWdJandiNXJhMUxwSm5p
-            eHh5bmM2MmF6d2MvdjBXYmhyZUgvS1V4L2pnCmxDYm1VUi82byt5SFJ6aHdrNmp6
-            dENPTmgvVWZPYmZtN0s2VG8xNHplT00KLS0tIExYcSs1bENBK1NFZUluSjFCOFVp
-            R3lmaUNyT0lyaWlhdGJySWtLWVNqLzAK28Nd/WUDXXW2BXhLvZpzbOU7kSoMRPaX
-            jqx6VRHBcgXvPJcYh1KK0nnxo6+DlLeTXI/ai3H6WI3TbQHNmoLEGQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVFJQM3BnU2hlTVJvT0RQ
+            WHRVWkJEd3JacnlVSStQYVU3c2QwOThPOVhvCjZOeEFDdXFzeWNoS3JTbktFMDJV
+            ZDJKV2RlMDRiTW0vRHRBUUhCUGlPUlEKLS0tIGxWT0VmaUNGMXk0a1NYTDI0WDQw
+            b2hjeEFPVGdhek8yVEcwN1BzVnFQbFEKNgwnchYNz/afrg6FeFlCikMIaCfsEMYK
+            PHmfIiM64XReGZGsKL+gxIw33yszbyeOu0vr26tqV3HU/QUE7f19gw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGc2lUelNyV3BGNjl0STJw
-            clpiSUZUSTUwbEtZYjcvbzVaVi9EQ1d1WlFFCnhQbC9Lelk0V1RmQTJ0K2ZZazdo
-            NTZCREhNUE5KbVR0ek1Hd09UbkN2bkEKLS0tIFVyd2YvZ3g2R2dOaEJOcWVWVG9D
-            b3REQnhvOENGbWxtdER2T05wS2RINTQKRhMiqLnu2Ww098A24fNtfDFSMC/t7A2D
-            qcLdhazNwKvzCSOW0i+EYsG4beWcqLyDFA5dNpGWyfRYSh3QJWTdmA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTEpra1haektoVFNpMkV6
+            eGVkQnRpblV5amdMaGZJVVJiMUV1VEYwYkVvCmJZZ1ZvWTRUOVpYRnZkSEcvbzk2
+            MDZ0MVl5NmNBQnJ5ZkhqejI5Nm5URDgKLS0tIDZPRURpVHp4Q1NsRG9ZeGVqRU9X
+            WnJ2ejZrZ0hOdDhxZUNnaDhOWVpzVFEKoYnqypCuLKT8OUbtRk6yN9UfWBqbznzE
+            DgCHiOj590zXsfRpaei/UYx0qdEmtymh7FivkxSRNYylfcngjYiadA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdWNXSks3MEF4eGVHREpp
-            VllDczcxbThRYUsxZGhHR0J5TVoyTmFtdWpNCmJHbG5UMExLSHh5ZkwyRDMzc2N6
-            UG1WTnNyTTdldHFDa3VKOG45Q1RmU0UKLS0tIFFXKzZHTm0wTVpheEw5RE12bWlo
-            NHFWWlRBdmRRWU1DL25CRmlVdDhhRjgKutzYioPd1LJvQdo/FQ+hQznRqsIhSGfn
-            c2ZwmE3QgPRhfh1CoeoK+iK/STVlrb8DEPi5VPEOz74+kbr18v+K5g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QkpxRHJYTEo5cE9ielZl
+            a1NYUllWYmp2NzZZejJtby9MRkF4ejNPWmtNCmNDMWk3cGg3eVlYUXBCTjg0TmdG
+            akRwVFZxMUZMNXAvYzRSYkZlamthVlUKLS0tIHEzYmg3eTFveWppbzk3c3FHM0pn
+            bTZ4K2xhN2xRU2VDK040cGpDbjVmVUUKuAsZczZzTWKKxISxWOaxjzxM6wLnsbpT
+            dxCkcqbjL8tWs1hACsWhJ4cNGNP7gkF+9RELZvvAHgSMrlpMv7Y80w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZVhZeVdXVXRSWi9tMjRv
+            dlJFRE5NNDZZdStsOUdmMFZBdC9wL2o1S0hRCkpPNE5ic2t2UHdvanJ5bTdheDk2
+            SUhsOTlXZnkrTkRvUXRaZE9SbW9EMGsKLS0tIHRZK3ZBQ1UrMlFGWEdIblk1YURV
+            VUJaWXhJMy9NUC81SjhGR0t0QnZPSDAKnQe+zUSRWvfjwr/c5wIkw/alXelnIK+u
+            BmvB/bps060r8GWIGYsN5mVzBpLAYwqqB4ylpjoLTfhAx3J3A+fRCw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdERIZTlEN3NRK2R1WUJL
-            T0ZScVpraUdaQWE2WU4zdUp2Rk96T0xzcGhnClNWSGlKODYrSVBlM0V5RkVaMUt6
-            YUJIa1NnZTZhM1ZXOGp4ZHZidTR6V2cKLS0tIG54RU91dkZEeFB4WGdaSFpQTjlX
-            NVF3WGdGZmxxMllBQVlYQy9zTE03VW8KE9LaWyGBs7vRBjayY+8XiFDq0uFQIFfy
-            AqeVIQIAlt6EKXzUwCD/otHgCAJmI1T/2QNc7x34HjgQi1NcjZzxJw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaa2hQWlNhdmpZNHkyQmJI
+            WGwwZitJaUx5U0xzdURjdlFpN01jMWFvRUZZCndMcHpNclhoR1NXZzVNOWtlY0JD
+            c1RSNGVzY1RUa0JLYng2a0w0bFozNXcKLS0tIC9Sb0k4MmpaWUVqMkxUbHlEdlgx
+            M0hoN29oY1FVNVFGZFVyZVJTM2owYjAKsnVoccpgW7RPuJL66Q9iCOG5GZ41K65e
+            7J8lGbHkalzX63VGIOgtvSViIXIeQxw9+Tmf70GQUqcM6czwX8fu5Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdXNFbGNLb0RqZXpQcXda
-            RDd5ODk1QXk5N1o4Z2N2dytIWlMvVVVSa1VBCkNLSzZWZG5rc1N1d1hQQnladVJ6
-            VGwwSmFkVU9GYmZyQjhiK1ZSNWRrVG8KLS0tIFkyM0FDNUhVK291eGl4cjNTSnRk
-            bUs1eUZkcWJYM0NVU3FDMDFKNTNIWUEKbfdIAAfRNO5OXmvxA4az2be6O+aSIzfL
-            lHfQwH+07owhw6K17vJaKlOVGlpTLVpW88497ILCoUrcH9QbVnGAcg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZWxZWk53cHd1bzhjVmZF
+            TUk4RmhENGMvNzZnREdKYU9TTDZzS0Jha1I0CnY3NXZzVlJhTGpVNi8yWlZ5SXN1
+            Z3I4b3BOcGtpek4vK3JzV1JUVWVMZUkKLS0tIHJMOEZraFB2WXdBVUFDUisrMzBM
+            TUUzcW1GR1JOcG4yMm9EY3R6WFdTeEUKzJerRRS/5eCDOhOxHEB78qiVOx++z4M/
+            XOEN6X0iDUBDfFJIqtMngMjU9E9DlRIYetMOYLxTpxmdKiv3Njyh/A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:mgsfpMzhJ0vaoxNTbfXcVZ395e79wFGTK7YmYZY1nUOrTFP5NO8xUB+A9RlnUVrgKEV6eJBLYah6LX29fjwcllgT3aJnk9oFf32PxBPaYxg93m/L5a1+8cHbYn9JqQcPzaqmCCqT1uK5DphO2ztxKqlBhzEhx4UIfh5hBkyu3cI=,iv:n1oVTFkQriDMdRqmcUNApqzfaCX/rGNhzjGPAgPTK7c=,tag:E3uoBzPxhBk0lBF5GMhNoQ==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:f2p4VkJ7RLGPBbkkesqFKNIVow+/7MobH+AqnELAguGxlMAt1XZaU1cLfyMy1RQIrT0UmUV2xjRf/PGXBVNOTK+A2M0zoI90N8daTvk2xrEX5JVNWycgKVnQfztIgUAf5LA+tcvyWQ/Z/sIN1aGNfbl1tCSq+U+3xjIxZ74qmuw=,iv:wcyjoKWNFLb/jGclNWbHP7wwnkz29iINSfKblqhP+bI=,tag:3RrZXX9pAWQG05ZPI5A35Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

nixos/modules/nixos/services/restic/secrets.sops.yaml

@@ -1,8 +1,8 @@
 services:
     restic:
-        password: ENC[AES256_GCM,data:PMY=,iv:GzQOdFF+rDY/WN3uZK7FV2++o2Mh4fnhzHhNnzyiJ4c=,tag:GhnZYmvoaDb3wSbHA50DkQ==,type:str]
-        repository: ENC[AES256_GCM,data:1Ui21g==,iv:qC8f3+nYS9HTF5WqFfiKjAFY0tSQhL1XU6sAgIK7vCs=,tag:ykOm3Tv8XWbqDofPChvHuA==,type:str]
-        env: ENC[AES256_GCM,data:tfXFwJZkdFrhwN90u1tT3Q==,iv:ShVllR4+CNOURMwCIF5ionQZEs6Zv+GCQOwpZ3cNlIU=,tag:udAASv7SH635dqNtNf4z7g==,type:str]
+        password: ENC[AES256_GCM,data:QPU=,iv:6FYmdgpKLplg1uIkXNvyA+DW493xdMLsBLnbenabz+M=,tag:SVY2mEhoPP/exDOENzVRGg==,type:str]
+        repository: ENC[AES256_GCM,data:VGtSJA==,iv:K4FnYzTrfVhjMWf4R7qgPUCdgWFlQAG8JJccfRYlEWM=,tag:43onghqVr44slin0rlIUgQ==,type:str]
+        env: ENC[AES256_GCM,data:TWUJ/GE84CTiLo1Gud+XsA==,iv:gKC1VcWnGqEwn5+e5jIqsIfipi3X2oHGvrG0rgqQl9E=,tag:QIBfXblvSDxAVYbZGAN3Mg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -12,68 +12,77 @@ sops:
         - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QStpWFFiTDF0dkMva28w
-            WGM0TFdOY2VhUGVCTjh6ZzFycmZkci81MWtNCldGZksxNHR5MnFmQ1ZnMVpXK2xo
-            OWltSjQ1OEN3WnNqK2xTN3haYWJWYkEKLS0tIFJBSHhSNWtxSkFYcFZrL1o5dGxX
-            RVFWMVJXMnRQdWhFSEwvOVVicG50ek0KMJYN1Xo4Y1QgPGkGcglXa7wip9u8gOeG
-            E4e4s9upSyjZTKOe+6OOnYXjVl3uc0SJLmdjvQyqqMR7SnOTqjqbfw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRUJEU25EaUhacWFBOVg5
+            TWI3NmtkWFpONHRVZ1BVSVRsQzMraVdmblFBCmd2NzcwMGRTMTR6ck9lcGZSQmVi
+            dHlFeS9RNENKcDEvS2FiRTVrYjVlUGcKLS0tIG1VSW9sejVWZmJHQXlIOVpLMjds
+            SHV6U2ZhUnVpQVNROGNjNEtZZXI1bEUKXjSwBNA8ylfo4CWlefFfajm2JdYtjUVK
+            bqXlIH/nG+nQ+I4Rj1XHo7hAuxCatuN0bGVBkSlzqIZk58/JladwFg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWlNFbXlONEI2L1NhOSs5
-            TXA0dERBV0xmUDlHN2FDeXBKZ3FROEE2d2cwCjF2aWZSbGloYStEemozTkJlelZS
-            TC9tMnNDL05YS01lYWFlSjBDMjBNVmcKLS0tIDFYVSszTGVpTWlQc2JFNE5HTGQx
-            allaTGsycThSKzJPT1R0TjhlZ21tYkEK5eFfulRlIjh0j/n55uCtkgTe9Y25Li1k
-            TaMfOiS56aeDBVJx0x/glR2gvxR4yd0si1fPijsbP2179JqE7zFNSg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWis3TWZ0djY4YnJNek9N
+            T2VXK0IzaStkMisyaUs5MTVHeXY4bytoUWdnCmlmTmRXRlRwOUZVQm5aWkxSKzFB
+            UzhtbWd2Q09sbTJPeDRWeTFESkcwWUUKLS0tIDVaN0d4UGlTZUhIaXVKaXJRNThS
+            algwTTZsVzNTQngzVUwyU2lpNll0bU0Kjz+34mvPPAfGUQKMH6LXawGou9HjBTjJ
+            p9vxncB+7ykvT4e4Z0PpPE/Zo5yvi9rt1T8bZ6dG7GA5vuE/4BarCA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YnZoaWIyajVLYjFHT3NR
-            UTNNY2llYW5mWjJIejhCZ08vSGQvWDZiZ1VRCmNMeWdGelRod2x5NmdhS2RVWGhl
-            RmxhOGo4OXFINDgxbjQvQkNpakVkZzgKLS0tIDNNVFRmNGQwWmJKYUlFN3hNbVFw
-            MXZoMXFkaXhCaHhCclZrb2R1WEVjSjAK2InKsgvBb6tI8gUZYwfGAYOly0pa1mFK
-            kuQyj0VMYFI3O7c35ZpwNmHCtFzxt2rza7E0DGrYpVUlJgOte6Gicg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK2FNS0tJaTdRQzA0VVky
+            aERMTVdqRzBwWFV1WFJJcVRKSTFIUlh3U0E0CmFKZm9jUHBpRjJCZk9PVkNWVEFU
+            RURReEhGNTRmWWpLa1ZNdVFHK3FQQWMKLS0tIHcrMTBiMGhlcFc3RzlmVEp2OEpX
+            ZHZLdXV4a05NaGRmR2Z1SkZCV25kNUEKHU1v1OK0d2ud7QL+gEoA8R4Z5YgVSP42
+            IvnEQxjjXZjC4p+OjFErKcWrVb+3DGzqF1vngJVrXmIgOx/SZKTa/Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZnZKemIveDRTZGhoN3lB
-            bHlNOVNFUnAzdVBjRk5HR3lxdGI4UWdDTFdFCkUzMUdEMXk1dVppdTJhMmgxRjBG
-            UDl3UzlhUi9nOS9WZW5naWhyMlN4NWMKLS0tIGJVZndlOTBQMjM3dEROUTdlQzEw
-            NXRkOUhDaTU1am0wbjNXWkVOMUZsZ2sK5uOwOezrleA+zwYcDYjBdGQXRI+27ZLr
-            850yLNtKO248aFX128JTk5+J1OV5Dv4QYRbzGfpb0/mK0U1uTXLm1g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MytrUFpsMUVpT3pTNWlq
+            NjMrRjI5a3NqNzlNV2JlczJRNXNicVZaWVdNCjNnRHM2RGV1SEh6M0U3T0NvdlNQ
+            a1JIZFp5bHJwMXlNd29DQ2MwckRrczAKLS0tIHdmd2lFZ1FWTFFMUExPeWRXd2U3
+            RU9UYXJESnAyYXFITTN0cm5QelR2T1UK3XUlIGQED91sUPc1ITq1rXLj/xhkGM9s
+            R4bsTK5RqpXE+RmGfxeAMP7Om424vjM76l6DU2JkoZietDwR35UA8w==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdU93TEgwVHJSeWJmbGNv
-            bDlQZVd5SjQ2eGJ0ZjVYVE9MYnRRZmp6czFzClZvVnFjd213MlU3b01jNHJGWm43
-            cDkxWVh5MTEzY05lVlg0TGJWbWdvYkUKLS0tIEtqc2c3R1JuOTlmazYrSDdlZXJs
-            L21nOU5oZjVySGdJUGpGUy94U3Ixc2sKeHKCmx5yxHprbCq+76K5MNWVZJjOs+ck
-            QiTxxYKvdI7w2cCfyn9l9+dLcMqlqxdRLnoX99oi2ztIDHZEVEmqsg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjc0haNU95V3JRUlpuUjha
+            SHpOWThJWVMwbElRaFcrL21jYXA2SFBHeFR3CnV1MkRxbG9QV1dWdjJxWENtQk5L
+            M1g0cDJXRjN0VFhiRXZKbG1yS3hXaG8KLS0tIEtScWorRENpbFZWMjVXNnIxTTdi
+            djdBdThNMzFZdlI4TVBJSjdxeXg0VE0Kcwsa/et9gMSlm46rt0vZ/dFy3ZCZQ5Oi
+            WLJ492+srIeE47Gpye2jN2XAmM4exCijYkZeQvPpLIFvBFmQCK30hQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTDI0QXZaMlZLUW9ST0lW
+            Q1M1ZmlpTHpvM0NHejFSNEx0UUFnTVJIN0U4CllRcnVpUjFqOUZRRk5CWXZqT0V0
+            YWwweld0TE9zZGFmUTVDVVl6eDNETzAKLS0tIGtEanVWTHgxSk9Ld3NRYndOL3dZ
+            WXJrUWtncDZjVE50dmw2MHRCelpzZ2cKfLIQbrTsVGXY+UZCC5p/7+bXKHhv8nxt
+            dvvr+VGnH57jmELqSUoWOgefJ6GFNcCoGSYHZ9cn0UgvhZgx1Wpoow==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQlNCSytZdTJQbGN3Y2U4
-            NlIxSWsyeTIvU0ZrVjhqVTl2K1pMVHN2UXdnClhCU2djUkZGQzRzYUhNNnc2TmlS
-            RVVrdkdqNUxQdGhCYWwyc3NLQ2l5bFUKLS0tIGVxWm01eU5zb2pma2pUU3VPbmxW
-            cW94Y0dBZVMzbW9icUtyWDV2c1N0ZU0K77jXENggGEHpoe6qQl5O0sBbycrmlPoo
-            fnIMedUGzXpzYRV8cyKnY1sFGwyU2ymGsUff7cIBablwP1/MAKRJmw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRN2M0VmVCQ0JaNVhnRzBj
+            Z2Vqbk9GZUtaZlExYTRPQ3ZJWHIvU283cFRBCjExQnJvZy9SMndJd0VqdUpCSDFJ
+            ZmJpVFJ1em9iNnNOcnFTQUExeGZESm8KLS0tIGdnWXNtNEg2SHpjRW1mR28vVDRv
+            VFVRcDh0TlVXR3pYRk1Ybkx3MjhOaVEKsViUc14dePdnukQa3ud/EesnvZL7OCM1
+            HWJYP81C9O4mU1kwRYtC0lGxMQX6aWiFZ5e2ImSi3w+mBP+KihfmBw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrdm9ZNmdvVnhROFZvVVhu
-            QkJGQ2J5MkI4VjVLNXNSL2svbnBKZUJ2Y1MwClFsQ1JQSEhlK0JJbTRHNzBNU2tI
-            aDl4eFhMMlhib1QzZldUcnVJdVZMSFkKLS0tIHBoYXVYazk4S1VpOE0vV2tqL2hC
-            N3JDRm1OMFFobjloaXBNNENrQ29BeVkK/aAtqd93BGI5q3bZHydLxmVp6iBgfNUE
-            nf+dZioVWVdoK9LSpoREFuOQu4upZ3MjxkClO0hjBJwaACElPrUF2w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUlZ1TER2anNCRHBKQm1v
+            QjhybHFCc1dod1djeWxkRmhBSC9YTW5IV0NJCkM5c3hkYWtLZnJHNVpPYUh4TzBR
+            U3ZaMEdSTVNsenV0RVorTTZMUXdYT3MKLS0tIDV1dWxjbXNtekZaUk9xaVdOYU93
+            UUpVako2MGVobTcvNWRsTWMwZm5ZSVEK1uI5dVSI4vY5hw0oxj21mJYoZB2Jq52z
+            e+RDvcyBFRsS+238UCVi5qDdA8DcnQ2uRiBxKDGC2P3RoVU5TeCfTQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:Eht9Vth1XVzeTCTyS18neiLthQF2c1DZkUkrYv01v1nC6tRPnWPd6+7zPQsQbdUuImwEthFpGDtNY0DLqwuZ9NWWhtEhWspUK2QKxNDKdP/aDT5rnjcf5tvyDK1EGnvTfp/fbw5I+z1mQYfrrUrQNVn6eiZXO+71mF9zoQLu/C0=,iv:TMnbBm1d5BSC6ywdwR4Mmn39qyCEyjSr5ndwtcwQk/k=,tag:qcAjLJl995bSmJtzGX7VbQ==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:88ZnGTkV1xxZO7UuVm5clZrHUMeiqAG++4X4DbCJGwqL+VDagYVhsui1+PzN62h6TgXtARecHON8TXd8z/NF4ekiY+LAcMC3m9x5AzmGYa7Qd5FKht1O6RfRORBDrojj251cqCifDxeGPq3C/X4Zi8Jg4KTSk1lAJoXMsqJQ3+c=,iv:8NnKOlzXD1jRVQ/tgoChEb0YY18Y7VpEiq85YhupTws=,tag:eUbLR66sNqQ2VIQW0/CBwA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

nixos/modules/nixos/services/vault/default.nix

@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.mySystem.services.vault;
+in
+{
+  options.mySystem.services.vault = {
+    enable = lib.mkEnableOption "vault";
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = "127.0.0.1:8200";
+      description = "Address of the Vault server";
+      example = "127.0.0.1:8200";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vault = {
+      enable = true;
+      package = pkgs.unstable.vault;
+      address = cfg.address;
+      dev = false;
+      storageBackend = "raft";
+      extraConfig = ''
+        api_addr = "http://127.0.0.1:8200"
+        cluster_addr = "http://127.0.0.1:8201"
+        ui = true
+      '';
+    };
+  };
+}

nixos/modules/nixos/services/vault/resources/vault-config.hcl

@@ -0,0 +1,14 @@
+listener "tcp" {
+    address = "0.0.0.0:8200"
+    tls_disable = true
+}
+
+storage "raft" {
+    path = "/var/lib/vault/data"
+    node_id = "node1"
+}
+
+disable_mlock = true
+api_addr = "http://localhost:8200"
+cluster_addr = "http://localhost:8201"
+ui = true

nixos/modules/nixos/system/default.nix

@@ -1,8 +1,9 @@
 {
   imports = [
     ./borg
-    ./fingerprint-laptop-lid.nix
+    ./fingerprint-reader-on-laptop-lid
     ./impermanence.nix
+    ./incus
     ./motd
     ./nfs
     ./nix.nix

nixos/modules/nixos/system/fingerprint-reader-on-laptop-lid/default.nix

@@ -1,3 +1,4 @@
+# Pertially from: https://github.com/fzakaria/nix-home/blob/framework-laptop/modules/nixos/fprint-laptop-lid.nix
 # Originally this file was based on
 # https://unix.stackexchange.com/questions/678609/how-to-disable-fingerprint-authentication-when-laptop-lid-is-closed
 # However I found this not to work as the fprintd is started via dbus and masking it doesn't seem to do anything.
@@ -8,22 +9,25 @@
 # On framework 13 the USB is:
 # Port 004: Dev 003, If 0, Class=Vendor Specific Class, Driver=[none], 12M
 # ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd
+# On Framework 16 the USB is:
+# Bus 005 Device 007: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd
+# Use `findfp.sh` to find the correct USB device.
 { config, lib, pkgs, ... }:
 let
   cfg = config.mySystem.system.fingerprint-reader-on-laptop-lid;
   laptop-lid = pkgs.writeShellScript "laptop-lid" ''
-    lock=$HOME/fingerprint-reader-disabled
+    lock=/var/lock/fingerprint-reader-disabled
 
     # match for either display port or hdmi port
     if grep -Fq closed /proc/acpi/button/lid/LID0/state &&
-       (grep -Fxq connected /sys/class/drm/card1-DP-*/status ||
-        grep -Fxq connected /sys/class/drm/card1-HDMI-*/status)
+       (grep -Fxq connected /sys/class/drm/card*-DP-*/status ||
+        grep -Fxq connected /sys/class/drm/card*-HDMI-*/status)
     then
       touch "$lock"
-      echo 0 > /sys/bus/usb/devices/1-4/authorized
+      echo 0 > /dev/fingerprint_sensor/authorized
     elif [ -f "$lock" ]
     then
-      echo 1 > /sys/bus/usb/devices/1-4/authorized
+      echo 1 > /dev/fingerprint_sensor/authorized
       rm "$lock"
     fi
   '';
@@ -34,9 +38,19 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    services.acpid = {
-      enable = true;
-      lidEventCommands = "${laptop-lid}";
+    services = {
+      acpid = {
+        enable = true;
+        lidEventCommands = "${laptop-lid}";
+      };
+      # Add udev rule to create symlink for fingerprint sensor
+      # when usb device 27c6:609c is connected or disconnected.
+      # Reason: hubs like caldigit re-orient the device number on each boot.
+      # May requires a reboot to take effect.
+      # or sudo udevadm control --reload-rules && sudo udevadm trigger
+      udev.extraRules = ''
+        SUBSYSTEM=="usb", ATTRS{idVendor}=="27c6", ATTRS{idProduct}=="609c", RUN+="/bin/sh -c 'ln -sf /sys$devpath /dev/fingerprint_sensor'"
+      '';
     };
 
     # Disable fingerprint reader at login since you can't put in a password when fprintd is running.

nixos/modules/nixos/system/fingerprint-reader-on-laptop-lid/findfp.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+find_usb_device() {
+    local idVendor=$1
+    local idProduct=$2
+    local device_id="${idVendor}:${idProduct}"
+
+    for device in /sys/bus/usb/devices/*; do
+        if [ -f "$device/idVendor" ] && [ -f "$device/idProduct" ]; then
+            vendor=$(cat "$device/idVendor")
+            product=$(cat "$device/idProduct")
+            if [ "${vendor}:${product}" = "$device_id" ]; then
+                echo "$device"
+                return 0
+            fi
+        fi
+    done
+
+    return 1
+}
+
+# Example usage
+idVendor="27c6"
+idProduct="609c"
+
+device_path=$(find_usb_device "$idVendor" "$idProduct")
+
+if [ -n "$device_path" ]; then
+    echo "Device found at: $device_path"
+
+    # Print additional information
+    manufacturer=$(cat "$device_path/manufacturer" 2>/dev/null)
+    product=$(cat "$device_path/product" 2>/dev/null)
+
+    echo "Manufacturer: ${manufacturer:-N/A}"
+    echo "Product: ${product:-N/A}"
+else
+    echo "Device not found"
+fi

nixos/modules/nixos/system/incus/default.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.mySystem.system.incus;
+  user = "jahanson";
+in
+{
+  # sops.secrets.secret-domain-0 = {
+  #   sopsFile = ./secret.sops.yaml;
+  # };
+  options.mySystem.system.incus = {
+    enable = lib.mkEnableOption "incus";
+    preseed = lib.mkOption {
+      type = lib.types.unspecified;
+      default = "";
+      description = "Incus preseed configuration. Generate with `incus admin init`.";
+    };
+    webuiport = lib.mkOption {
+      type = lib.types.int;
+      default = 8443;
+      description = "Port for the Incus Web UI";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    virtualisation.incus = {
+      inherit (cfg) preseed;
+      enable = true;
+      ui.enable = true;
+    };
+
+    users.users.${user}.extraGroups = [ "incus-admin" ];
+
+    # systemd.services.incus-preseed.postStart = "${oidcSetup}";
+
+    networking = {
+      # nftables.enable = true;
+      firewall = {
+        allowedTCPPorts = [
+          cfg.webuiport
+          53
+          67
+        ];
+        allowedUDPPorts = [
+          53
+          67
+        ];
+      };
+    };
+  };
+}

nixos/overlays/charm-mods/default.nix

@@ -0,0 +1,70 @@
+{
+  lib,
+  buildGoModule,
+  installShellFiles,
+  fetchFromGitHub,
+  gitUpdater,
+  testers,
+  mods,
+}:
+
+buildGoModule rec {
+  pname = "mods";
+  version = "1.5.0";
+  commitHash = "820b22023653d1066f49b3b817dbfb3bcefbe2a1";
+
+  src = fetchFromGitHub {
+    owner = "charmbracelet";
+    repo = "mods";
+    rev = commitHash;
+    # hash = "sha256-Niap2qsIJwlDRITkPD2Z7NCiJubkyy8/pvagj5Beq84=";
+    hash = "sha256-VYe6qEDcsgr1E/Gtt+4lad2qtPeMKGINmhEk5Ed98Pw=";
+  };
+
+  vendorHash = "sha256-sLpFOoZq/xE0co5XegScUIOt8Ax/N3ROwQJIPvu8jts=";
+  # vendorHash = "sha256-DaSbmu1P/umOAhG901aC+TKa3xXSvUbpYsaiYTr2RJs=";
+
+  nativeBuildInputs = [
+    installShellFiles
+  ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X=main.Version=${version}-${commitHash}"
+  ];
+
+  # These tests require internet access.
+  checkFlags = [ "-skip=^TestLoad/http_url$|^TestLoad/https_url$" ];
+
+  passthru = {
+    updateScript = gitUpdater {
+      rev-prefix = "v";
+      ignoredVersions = ".(rc|beta).*";
+    };
+
+    tests.version = testers.testVersion {
+      package = mods;
+      command = "HOME=$(mktemp -d) mods -v";
+    };
+  };
+
+  postInstall = ''
+    export HOME=$(mktemp -d)
+    $out/bin/mods man > mods.1
+    $out/bin/mods completion bash > mods.bash
+    $out/bin/mods completion fish > mods.fish
+    $out/bin/mods completion zsh > mods.zsh
+
+    installManPage mods.1
+    installShellCompletion mods.{bash,fish,zsh}
+  '';
+
+  meta = with lib; {
+    description = "AI on the command line";
+    homepage = "https://github.com/charmbracelet/mods";
+    license = licenses.mit;
+    maintainers = with maintainers; [ dit7ya caarlos0 ];
+    mainProgram = "mods";
+  };
+}

nixos/overlays/coder/default.nix

@@ -0,0 +1,108 @@
+{ lib
+, channel ? "mainline"
+, fetchurl
+, installShellFiles
+, makeBinaryWrapper
+, terraform
+, stdenvNoCC
+, unzip
+, nixosTests
+}:
+
+let
+  inherit (stdenvNoCC.hostPlatform) system;
+
+  channels = {
+    stable = {
+      version = "2.14.3";
+      hash = {
+        x86_64-linux = "sha256-CDQmixywYDLj3ABqTEnaUftITSFGA/wGAfe0IFoU64g=";
+        x86_64-darwin = "sha256-TDpoby2lBw8W6zJrHgF/AQFQL+j9dv3d21VLsiSd1sk=";
+        aarch64-linux = "sha256-L+2YOMgH1cCl4o1VFZk1dC258/XStgiH9lr9PEQOPSo=";
+        aarch64-darwin = "sha256-hG3HsJ+DIjwB5ehT+Hd3EZduvjNXYTZLYbAYCRWWiQ8=";
+      };
+    };
+    mainline = {
+      version = "2.15.0";
+      hash = {
+        x86_64-linux = "sha256-zM5l3vkLKuDdZHTgVTYfvfYTGLCpDnA2GZDh5PLQ9rs=";
+        x86_64-darwin = "sha256-AbW92RMaPfusve5DxRaT3npeN2zVzrBOBL3XGN8235I=";
+        aarch64-linux = "sha256-13FZc1zMmaxfDp0bXBFzf2gcO6wkiA932C5m9oon2GQ=";
+        aarch64-darwin = "sha256-UP08DncRvM1NjtMOfanDnXGySK1RrCUta5lbIvJ7vto=";
+      };
+    };
+  };
+in
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "coder";
+  version = channels.${channel}.version;
+  src = fetchurl {
+    hash = (channels.${channel}.hash).${system};
+
+    url =
+      let
+        systemName = {
+          x86_64-linux = "linux_amd64";
+          aarch64-linux = "linux_arm64";
+          x86_64-darwin = "darwin_amd64";
+          aarch64-darwin = "darwin_arm64";
+        }.${system};
+
+        ext = {
+          x86_64-linux = "tar.gz";
+          aarch64-linux = "tar.gz";
+          x86_64-darwin = "zip";
+          aarch64-darwin = "zip";
+        }.${system};
+      in
+      "https://github.com/coder/coder/releases/download/v${finalAttrs.version}/coder_${finalAttrs.version}_${systemName}.${ext}";
+  };
+
+  nativeBuildInputs = [
+    installShellFiles
+    makeBinaryWrapper
+    unzip
+  ];
+
+  unpackPhase = ''
+    runHook preUnpack
+
+    case $src in
+        *.tar.gz) tar -xz -f "$src" ;;
+        *.zip)    unzip      "$src" ;;
+    esac
+
+    runHook postUnpack
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D -m755 coder $out/bin/coder
+
+    runHook postInstall
+  '';
+
+  postInstall = ''
+    wrapProgram $out/bin/coder \
+      --prefix PATH : ${lib.makeBinPath [ terraform ]}
+  '';
+
+  # integration tests require network access
+  doCheck = false;
+
+  meta = {
+    description = "Provision remote development environments via Terraform";
+    homepage = "https://coder.com";
+    license = lib.licenses.agpl3Only;
+    mainProgram = "coder";
+    maintainers = with lib.maintainers; [ ghuntley kylecarbs urandom ];
+  };
+
+  passthru = {
+    updateScript = ./update.sh;
+    tests = {
+      inherit (nixosTests) coder;
+    };
+  };
+})

nixos/overlays/default.nix

@@ -1,23 +1,33 @@
 { inputs, ... }:
 let
-  warpTerminalOverlay = import ./warp-terminal {
-    inherit (inputs.nixpkgs) lib;
+  inherit (inputs.nixpkgs) lib;
+
+  vivaldiOverlay = self: super: {
+    vivaldi = super.callPackage ./vivaldi { };
   };
-  termiusOverlay = import ./termius { };
-  # Partial overlay
-  # talosctlOverlay = import ./talosctl { };
-  # Full overlay
-  talosctlOverlay = self: super: {
-    talosctl = super.callPackage ./talosctl/talosctl-custom.nix { };
+
+  termiusOverlay = self: super: {
+    termius = super.callPackage ./termius { };
   };
-  goOverlay = import ./go { };
+
+  modsOverlay = self: super: {
+    mods = super.callPackage ./charm-mods { };
+  };
+
+  coderOverlay = self: super: {
+    coder = super.callPackage ./coder { };
+  };
+
+  smartmontoolsOverlay = import ./smartmontools { };
 in
 {
+  coder = coderOverlay;
+  comm-packages = inputs.nix-vscode-extensions.overlays.default;
+  mods = modsOverlay;
   nur = inputs.nur.overlay;
-  # warp-terminal = warpTerminalOverlay;
+  smartmontools = smartmontoolsOverlay;
   termius = termiusOverlay;
-  talosctl = talosctlOverlay;
-  # go = goOverlay;
+  # vivaldi = vivaldiOverlay;
 
   # The unstable nixpkgs set (declared in the flake inputs) will
   # be accessible through 'pkgs.unstable'
@@ -28,6 +38,4 @@ in
     };
   };
 
-  # VSCode Community Packages
-  comm-packages = inputs.nix-vscode-extensions.overlays.default;
 }

nixos/overlays/smartmontools/default.nix

@@ -0,0 +1,15 @@
+{ ... }:
+let
+  dbrev = "5613";
+  drivedbBranch = "RELEASE_7_4";
+in
+final: prev: {
+  smartmontools = prev.smartmontools.overrideAttrs (oldAttrs: {
+    inherit dbrev drivedbBranch;
+    driverdb = builtins.fetchurl {
+      url = "https://sourceforge.net/p/smartmontools/code/${dbrev}/tree/trunk/smartmontools/drivedb.h?format=raw";
+      sha256 = "sha256-6r7Pd298Ea55AXOLijUEQoJq+Km5cE+Ygti65yacdoM=";
+      name = "smartmontools-drivedb.h";
+    };
+  });
+}

nixos/overlays/smartmontools/getsmartdbhash.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -I nixpkgs=/etc/nix/inputs/nixpkgs/ -i bash -p nix
+set -euo pipefail
+
+dbrev="5613"
+drivedbBranch="RELEASE_7_4"
+url="https://sourceforge.net/p/smartmontools/code/${dbrev}/tree/trunk/smartmontools/drivedb.h?format=raw";
+
+echo "Fetching hash for URL: $url"
+
+hash=$(nix-prefetch-url "$url")
+sri=$(nix-hash --type sha256 --flat --base32 --to-sri "$hash")
+
+echo "Hash: $hash"
+echo "Sri: $sri"

nixos/overlays/termius/default.nix

@@ -1,8 +1,96 @@
-{ ... }:
-(final: prev: {
-  termius = prev.termius.overrideAttrs (oldAttrs: {
-    postInstall = ''
-      install -Dm644 meta/gui/icon.png $out/share/icons/hicolor/128x128/apps/termius-app.png
-    '';
-  });
-})
+{ autoPatchelfHook
+, squashfsTools
+, alsa-lib
+, fetchurl
+, makeDesktopItem
+, makeWrapper
+, stdenv
+, lib
+, libsecret
+, mesa
+, udev
+, wrapGAppsHook3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "termius";
+  version = "9.5.0";
+
+  src = fetchurl {
+    # find the latest version with
+    # curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.version'
+    # and the url with
+    # curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_url' -r
+    # and the sha512 with
+    # curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_sha512' -r
+    # nix-hash --type sha512 --to-sri <output of curl>
+    url = "https://api.snapcraft.io/api/v1/snaps/download/WkTBXwoX81rBe3s3OTt3EiiLKBx2QhuS_203.snap";
+    hash = "sha512-BouIQvJZbi350l30gl9fnXKYRHhi5q1oOvyEIVEmd4DjXvJLQisV4cK4OZIJ/bPOCI5DTxNOY7PwEduVQd3SYA==";
+    #
+  };
+
+  desktopItem = makeDesktopItem {
+    categories = [ "Network" ];
+    comment = "The SSH client that works on Desktop and Mobile";
+    desktopName = "Termius";
+    exec = "termius-app";
+    genericName = "Cross-platform SSH client";
+    icon = "termius-app";
+    name = "termius-app";
+  };
+
+  dontBuild = true;
+  dontConfigure = true;
+  dontPatchELF = true;
+  dontWrapGApps = true;
+
+  # TODO: migrate off autoPatchelfHook and use nixpkgs' electron
+  nativeBuildInputs = [ autoPatchelfHook squashfsTools makeWrapper wrapGAppsHook3 ];
+
+  buildInputs = [
+    alsa-lib
+    libsecret
+    mesa
+  ];
+
+  unpackPhase = ''
+    runHook preUnpack
+    unsquashfs "$src"
+    runHook postUnpack
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    cd squashfs-root
+    mkdir -p $out/opt/termius
+    cp -r ./ $out/opt/termius
+
+    mkdir -p "$out/share/applications" "$out/share/pixmaps/termius-app.png"
+    cp "${desktopItem}/share/applications/"* "$out/share/applications"
+    cp meta/gui/icon.png $out/share/pixmaps/termius-app.png
+
+    runHook postInstall
+  '';
+
+  postInstall = ''
+    install -Dm644 meta/gui/icon.png $out/share/icons/hicolor/128x128/apps/termius-app.png
+  '';
+
+  runtimeDependencies = [ (lib.getLib udev) ];
+
+  postFixup = ''
+    makeWrapper $out/opt/termius/termius-app $out/bin/termius-app \
+      "''${gappsWrapperArgs[@]}"
+  '';
+
+  meta = with lib; {
+    description = "A cross-platform SSH client with cloud data sync and more";
+    homepage = "https://termius.com/";
+    downloadPage = "https://termius.com/linux/";
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    license = licenses.unfree;
+    maintainers = with maintainers; [ Br1ght0ne th0rgal ];
+    platforms = [ "x86_64-linux" ];
+    mainProgram = "termius-app";
+  };
+}

nixos/overlays/termius/retrive-latest-sri.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl jq nix
+
+VERSION=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.version')
+DOWNLOAD_URL=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_url' -r)
+SHASUM=$(curl -H 'X-Ubuntu-Series: 16' https://api.snapcraft.io/api/v1/snaps/details/termius-app | jq '.download_sha512' -r)
+SRI512SUM=$(nix-hash --type sha512 --to-sri $SHASUM)
+
+echo "The latest SRI for version $VERSION is "
+echo "$SRI512SUM"

nixos/overlays/vivaldi/default.nix

@@ -0,0 +1,135 @@
+{ lib, stdenv, fetchurl, zlib, libX11, libXext, libSM, libICE, libxkbcommon, libxshmfence
+, libXfixes, libXt, libXi, libXcursor, libXScrnSaver, libXcomposite, libXdamage, libXtst, libXrandr
+, alsa-lib, dbus, cups, libexif, ffmpeg, systemd, libva, libGL
+, freetype, fontconfig, libXft, libXrender, libxcb, expat
+, libuuid
+, libxml2
+, glib, gtk3, pango, gdk-pixbuf, cairo, atk, at-spi2-atk, at-spi2-core
+, qt5
+, libdrm, mesa
+, vulkan-loader
+, nss, nspr
+, patchelf, makeWrapper
+, wayland, pipewire
+, isSnapshot ? false
+, proprietaryCodecs ? false, vivaldi-ffmpeg-codecs ? null
+, enableWidevine ? false, widevine-cdm ? null
+, commandLineArgs ? ""
+, pulseSupport ? stdenv.isLinux, libpulseaudio
+, kerberosSupport ? true, libkrb5
+}:
+
+let
+  branch = if isSnapshot then "snapshot" else "stable";
+  vivaldiName = if isSnapshot then "vivaldi-snapshot" else "vivaldi";
+in stdenv.mkDerivation rec {
+  pname = "vivaldi";
+  version = "6.9.3447.37";
+
+  suffix = {
+    aarch64-linux = "arm64";
+    x86_64-linux = "amd64";
+  }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+  src = fetchurl {
+    url = "https://downloads.vivaldi.com/${branch}/vivaldi-${branch}_${version}-1_${suffix}.deb";
+    hash = {
+      aarch64-linux = "sha256-kYTnWad/jrJt9z+AhjXzHYxVSIwIIO3RKD7szuPEg2s=";
+      x86_64-linux = "sha256-+h7SHci8gZ+epKFHD0PiXyME2xT+loD2KXpJGFCfIFg=";
+    }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+  };
+
+  unpackPhase = ''
+    ar vx $src
+    tar -xvf data.tar.xz
+  '';
+
+  nativeBuildInputs = [ patchelf makeWrapper ];
+
+  dontWrapQtApps = true;
+
+  buildInputs = [
+    stdenv.cc.cc stdenv.cc.libc zlib libX11 libXt libXext libSM libICE libxcb libxkbcommon libxshmfence
+    libXi libXft libXcursor libXfixes libXScrnSaver libXcomposite libXdamage libXtst libXrandr
+    atk at-spi2-atk at-spi2-core alsa-lib dbus cups gtk3 gdk-pixbuf libexif ffmpeg systemd libva
+    qt5.qtbase
+    freetype fontconfig libXrender libuuid expat glib nss nspr libGL
+    libxml2 pango cairo
+    libdrm mesa vulkan-loader
+    wayland pipewire
+  ] ++ lib.optional proprietaryCodecs vivaldi-ffmpeg-codecs
+    ++ lib.optional pulseSupport libpulseaudio
+    ++ lib.optional kerberosSupport libkrb5;
+
+  libPath = lib.makeLibraryPath buildInputs
+    + lib.optionalString (stdenv.is64bit)
+      (":" + lib.makeSearchPathOutput "lib" "lib64" buildInputs)
+    + ":$out/opt/${vivaldiName}/lib";
+
+  buildPhase = ''
+    runHook preBuild
+    echo "Patching Vivaldi binaries"
+    for f in chrome_crashpad_handler vivaldi-bin vivaldi-sandbox ; do
+      patchelf \
+        --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+        --set-rpath "${libPath}" \
+        opt/${vivaldiName}/$f
+    done
+
+    for f in libGLESv2.so libqt5_shim.so ; do
+      patchelf --set-rpath "${libPath}" opt/${vivaldiName}/$f
+    done
+  '' + lib.optionalString proprietaryCodecs ''
+    ln -s ${vivaldi-ffmpeg-codecs}/lib/libffmpeg.so opt/${vivaldiName}/libffmpeg.so.''${version%\.*\.*}
+  '' + ''
+    echo "Finished patching Vivaldi binaries"
+    runHook postBuild
+  '';
+
+  dontPatchELF = true;
+  dontStrip    = true;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p "$out"
+    cp -r opt "$out"
+    mkdir "$out/bin"
+    ln -s "$out/opt/${vivaldiName}/${vivaldiName}" "$out/bin/vivaldi"
+    mkdir -p "$out/share"
+    cp -r usr/share/{applications,xfce4} "$out"/share
+    substituteInPlace "$out"/share/applications/*.desktop \
+      --replace /usr/bin/${vivaldiName} "$out"/bin/vivaldi
+    substituteInPlace "$out"/share/applications/*.desktop \
+      --replace vivaldi-stable vivaldi
+    local d
+    for d in 16 22 24 32 48 64 128 256; do
+      mkdir -p "$out"/share/icons/hicolor/''${d}x''${d}/apps
+      ln -s \
+        "$out"/opt/${vivaldiName}/product_logo_''${d}.png \
+        "$out"/share/icons/hicolor/''${d}x''${d}/apps/vivaldi.png
+    done
+    wrapProgram "$out/bin/vivaldi" \
+      --add-flags ${lib.escapeShellArg commandLineArgs} \
+      --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
+      --set-default FONTCONFIG_FILE "${fontconfig.out}/etc/fonts/fonts.conf" \
+      --set-default FONTCONFIG_PATH "${fontconfig.out}/etc/fonts" \
+      --suffix XDG_DATA_DIRS : ${gtk3}/share/gsettings-schemas/${gtk3.name}/ \
+      ${lib.optionalString enableWidevine "--suffix LD_LIBRARY_PATH : ${libPath}"}
+  '' + lib.optionalString enableWidevine ''
+    ln -sf ${widevine-cdm}/share/google/chrome/WidevineCdm $out/opt/${vivaldiName}/WidevineCdm
+  '' + ''
+    runHook postInstall
+  '';
+
+  passthru.updateScript = ./update-vivaldi.sh;
+
+  meta = with lib; {
+    description = "Browser for our Friends, powerful and personal";
+    homepage    = "https://vivaldi.com";
+    license     = licenses.unfree;
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    mainProgram = "vivaldi";
+    maintainers = with maintainers; [ otwieracz badmutex ];
+    platforms   = [ "x86_64-linux" "aarch64-linux" ];
+  };
+}

nixos/overlays/vivaldi/ffmpeg-codecs.nix

@@ -0,0 +1,32 @@
+{ squashfsTools, fetchurl, lib, stdenv }:
+
+# This derivation roughly follows the update-ffmpeg script that ships with the official Vivaldi
+# downloads at https://vivaldi.com/download/
+stdenv.mkDerivation rec {
+  pname = "chromium-codecs-ffmpeg-extra";
+  version = "115541";
+
+  src = fetchurl {
+    url = "https://api.snapcraft.io/api/v1/snaps/download/XXzVIXswXKHqlUATPqGCj2w2l7BxosS8_41.snap";
+    hash = "sha256-a1peHhku+OaGvPyChvLdh6/7zT+v8OHNwt60QUq7VvU=";
+  };
+
+  buildInputs = [ squashfsTools ];
+
+  unpackPhase = ''
+    unsquashfs -dest . $src
+  '';
+
+  installPhase = ''
+    install -vD chromium-ffmpeg-${version}/chromium-ffmpeg/libffmpeg.so $out/lib/libffmpeg.so
+  '';
+
+  meta = with lib; {
+    description = "Additional support for proprietary codecs for Vivaldi";
+    homepage    = "https://ffmpeg.org/";
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    license     = licenses.lgpl21;
+    maintainers = with maintainers; [ betaboon cawilliamson fptje ];
+    platforms   = [ "x86_64-linux" ];
+  };
+}

nixos/overlays/vivaldi/update-vivaldi.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl common-updater-scripts
+
+set -eu -o pipefail
+
+version=$(curl -sS https://vivaldi.com/download/ | sed -rne 's/.*vivaldi-stable_([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)-1_amd64\.deb.*/\1/p')
+
+update_hash() {
+    url="https://downloads.vivaldi.com/stable/vivaldi-stable_$version-1_$2.deb"
+    hash=$(nix hash to-sri --type sha256 $(nix-prefetch-url --type sha256 "$url"))
+    update-source-version vivaldi "$version" "$hash" --system=$1 --ignore-same-version
+}
+
+update_hash aarch64-linux arm64
+update_hash x86_64-linux amd64

nixos/overlays/vivaldi/update.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p libarchive curl common-updater-scripts
+
+set -eu -o pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+root=../../../../..
+export NIXPKGS_ALLOW_UNFREE=1
+
+version() {
+  (cd "$root" && nix-instantiate --eval --strict -A "$1.version" | tr -d '"')
+}
+
+vivaldi_version_old=$(version vivaldi)
+vivaldi_version=$(curl -sS https://vivaldi.com/download/ | sed -rne 's/.*vivaldi-stable_([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)-1_amd64\.deb.*/\1/p')
+
+if [[ ! "$vivaldi_version" = "$vivaldi_version_old" ]]; then
+  echo "vivaldi is not up-to-date, not updating codecs"
+  (cd "$root" && nix-shell maintainers/scripts/update.nix --argstr package vivaldi)
+  exit
+fi
+
+echo "vivaldi is up-to-date, updating codecs"
+
+# Download vivaldi and save file path.
+url="https://downloads.vivaldi.com/stable/vivaldi-stable_${vivaldi_version}-1_amd64.deb"
+mapfile -t prefetch < <(nix-prefetch-url --print-path "$url")
+path=${prefetch[1]}
+
+nixpkgs="$(git rev-parse --show-toplevel)"
+default_nix="$nixpkgs/pkgs/applications/networking/browsers/vivaldi/default.nix"
+ffmpeg_nix="$nixpkgs/pkgs/applications/networking/browsers/vivaldi/ffmpeg-codecs.nix"
+
+# Check vivaldi-ffmpeg-codecs version.
+chromium_version_old=$(version vivaldi-ffmpeg-codecs)
+ffmpeg_update_script=$(bsdtar xOf "$path" data.tar.xz | bsdtar xOf - ./opt/vivaldi/update-ffmpeg)
+chromium_version=$(sed -rne 's/^FFMPEG_VERSION_DEB\=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/p' <<< $ffmpeg_update_script)
+download_subdir=$(sed -rne 's/.*FFMPEG_URL_DEB\=https:\/\/launchpadlibrarian\.net\/([0-9]+)\/.*_amd64\.deb/\1/p' <<< $ffmpeg_update_script)
+
+if [[ "$chromium_version" != "$chromium_version_old" ]]; then
+  # replace the download prefix
+  sed -i $ffmpeg_nix -e "s/\(https:\/\/launchpadlibrarian\.net\/\)[0-9]\+/\1$download_subdir/g"
+  (cd "$root" && update-source-version vivaldi-ffmpeg-codecs "$chromium_version")
+
+  git add "${ffmpeg_nix}"
+  git commit -m "vivaldi-ffmpeg-codecs: $chromium_version_old -> $chromium_version"
+fi

nixos/overlays/zed-editor/default.nix

@@ -0,0 +1,16 @@
+{ ... }:
+let
+  finalVersion = "0.149.3";
+in
+final: prev: {
+  zed-editor = prev.zed-editor.overrideAttrs
+    (oldAttrs: {
+      version = finalVersion;
+      src = prev.fetchFromGithub {
+        hash = "sha256-ed6/QQObmclSA36g+civhii1aFKTBSjqB+LOyp2LUPg=";
+      };
+      cargoLock = prev.outputHashes {
+        "blade-graphics-0.4.0" = "sha256-sGXhXmgtd7Wx/Gf7HCWro4RsQOGS4pQt8+S3T+2wMfY=";
+      };
+    });
+}

nixos/profiles/disko-telchar.nix

@@ -0,0 +1,56 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-diskseq/1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "128M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                # Subvolumes must set a mountpoint in order to be mounted,
+                # unless their parent is mounted
+                subvolumes = {
+                  # Subvolume name is different from mountpoint
+                  "/rootfs" = {
+                    mountpoint = "/";
+                  };
+                  # Subvolume name is the same as the mountpoint
+                  "/home" = {
+                    mountOptions = [ "compress=zstd" ];
+                    mountpoint = "/home";
+                  };
+                  # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
+                  "/home/user" = { };
+                  # Parent is not mounted so the mountpoint must be set
+                  "/nix" = {
+                    mountOptions = [ "compress=zstd" "noatime" ];
+                    mountpoint = "/nix";
+                  };
+                };
+
+                mountpoint = "/partition-root";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixos/profiles/global.nix

@@ -36,6 +36,8 @@ with lib;
       dnsutils
       jq
       yq
+      nvme-cli
+      smartmontools
     ];
 
     networking.useDHCP = lib.mkDefault true;

nixos/profiles/global/secrets.sops.yaml

@@ -1,9 +1,9 @@
 services:
     pushover:
-        env: ENC[AES256_GCM,data:Z138qrnqNDIlhZiuEPmTekY9oq3KGH7HIr4MrXyYoMqjZRsgj3scpeFFrO1CCyfaq9gCugStEQvkmeinJ+1FkoOs3qMRbIgxinUfj366cuOas2mo4OSw0+v559Acgpxr,iv:jq+IPXYTC7RI3YkbD/avMI+cXtXlWPQwizzkdjPzlXE=,tag:KI5ye2yMu5JAl5KodWpwaA==,type:str]
-pushover-user-key: ENC[AES256_GCM,data:WbhwKcEaR3AuAv2HUZ/A8kGjsHj2OB8hBwSTHOKk,iv:q8HVHg5dHKPSdTzfgJr95JxxEY2X1u0wPEvLlu9UfAI=,tag:H91O575QWfR3z12OunZwew==,type:str]
-pushover-api-key: ENC[AES256_GCM,data:uhm/Jbuo5pFkE6H98L3KUboiYOBh7f5QgRRnzewo,iv:Ai/EKu6+8gVnmDND0e4W30ExPU7GioSJ6kEYbbpLVWI=,tag:sOzg+tSNwwP4WAUXiQ/NPw==,type:str]
-jahanson-password: ENC[AES256_GCM,data:lfTo0YLbENWKUZa7eqQ=,iv:pA9xFU5wRvpX6NSvOfHCNu1A7f/wsyuHQftLjWdXoys=,tag:AxWfhgOZdVHVac8thB3bgg==,type:str]
+        env: ENC[AES256_GCM,data:oqU6JIwsFaxuO3Lc7EeRJCWrR1bDzs70LKqNtO/wZ4ZC56EuAS7dei9TKXqYdQ34svXeVDnbwkHLNIWVJtA6xUoKWbrhc3VMscuChRtijzONW9Ln72veAVraV5cEUCr0,iv:sZjoAc7WKPTHskSIKnfLmI2/W7Jwi7kzTaAFE3pomus=,tag:KO7tTxpT+LF3JXCx/LS0CQ==,type:str]
+pushover-user-key: ENC[AES256_GCM,data:S/zpO5t/Ze/Nu6nMNkHmQdDcDNwpxpoueC1te6bX,iv:VGwuQDg34VqBzUEQTDdHUCMJV655pQBrBke2kerv9lU=,tag:MQvKbGQeMxMLFsKnTxuVUg==,type:str]
+pushover-api-key: ENC[AES256_GCM,data:rinJsuixNfCSQbAHixSQyn08MDLZ9hLMVr8XNIDZ,iv:r0uP0A4K0FUL3KQAcEQub+o8R4BKIgNckSnof8TIZzs=,tag:23KlBJl6r4zwqayPYbtjyA==,type:str]
+jahanson-password: ENC[AES256_GCM,data:XGTQabc+LYpQ6WbVm6Q=,iv:4DlJJ5yl4aaAWKp/go286ioqk4HRc94VhUwLUIb6lXo=,tag:kK1qY7vMZRVirS/ymI3D4A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -13,68 +13,77 @@ sops:
         - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGYW5xM2pwbmM0MmNqZlE5
-            SHdlcnE0SXcvSHpkS1F6WDdWNUxyenRrTUJFCjlPbTY4L252S3IwN1c4QitIbGR2
-            SDBwMXdCdGVjeExkRTJQNnd0a1NSVGMKLS0tIGE4T0pXTEMwQ2FyRVpNS1ZyVDdO
-            QUVxOXFZTVFMZHJyZFFaS3loU1ZiQkUKQJYLPv8Acl9eeDOuWFP3HoUPH2jYGweK
-            Hky9FVS0LhOVxlVhKEX/pH/EsR1O7Id//5zq437KZA6v6sZqVdfx+w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbEhtZFFibXRYRHN1WHB3
+            ZHlMMSt1MWhZRVhFTnFyaG50Rm04NDlmRjNFClRITU9VbXNxMERxWnpqc2U1MzYv
+            cVEwdXhTTyswbVA5alU1cXpoYnFUOVkKLS0tIHQ2SC9JQWNObzZ5Z2ZRb1J0Nkh6
+            NUFvbGJnQVFIZm5SUDV0SitWZ05lYjgKEH/RAEebaa8Ccbs5j7G6xOhkSNnOFGas
+            +ntPSvzEzgJAR4Jho4Pz95id686DZPWmCVakRyZxdtZSzS5+PBKFTA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMStjc2diVUE3OU55MVRo
-            UGFrSDZBbXVDTG9icHJjTEh6UHlPRSt3emlnCk9pQ3dVWi92ck5oZitMUFp1Y2tk
-            Tk4xbSt0OTBJMUhWRmtTd0kwVXo5aXMKLS0tIDFOQi80QWNoZEVGeExyeUJqeUV5
-            UWZUSGo2UmsxOWRYdFowSmJoT1FjeEEK7eb3XYm6/Q/hXXBNfHX1zDypq5SG74dy
-            keMjZI7XlYDpWij/juZl6oYRUaOxUzz4T9QE5jUjJsv9pXRCcoSPdA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMU5ieG5EMzBUT2RLYkV5
+            aHNreXhBTFNSUlJMazBpRG8rYUEwM29mRWhjCmkwVFA2OVg3Qmltc2p0NUpXaUQr
+            V0FhbkNsOWJsUnRLbTdYS2xVaTJlWWMKLS0tIG5JUzU3dDJrak02L1NDbytsdk5y
+            b1FhVktpVFZCQWowRitUcnRDdDI1WGMK+OBrJmrpiZZWOov+jag2UyOI6Tg1RJqI
+            pgnHv0Ju+cn8Pg4VvAE/zN+hYMzD2aMMpQk5I1BhuH8IS56NpMzcFg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYklSam94VU1wYlRDRkZO
-            QWhqYWxZNFBnaVBhZWtvbkxhZzlFUVlESEF3ClpQVFFJTUs5YUlxK1U2cUpoWDlz
-            a2RqVFBjNzdidnZYcGcrb2ZDMXM2ZWMKLS0tIHZsNU9IRlllUW9nKzIzMlA1cm1E
-            RHdsZ0h6Q0hhRmFNMUFYNUcxNXA5YnMKa9YXvrQlHIW9X94IrnVbJq9WDuQahdoC
-            Uimav/J0XgN1/Eu4i+bFhOvIoZcV8t0L1uZbWU6Fn3yhDl4BXGPPUg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNnBxVGZFSTBzMmdiTElp
+            RkpVbndYcS9NVlFuK0ZQb2M2cU0zVDJ3MTFzCmV5Y25WWGVkNk91dWUzTm1UdURT
+            d29RRGZNK2J2ZjdNN2hHMUd1MEFqM2sKLS0tIGtXNU1jQStmWE5kQldrQW9seVoz
+            Q001QkZVb282cW5RY2Nlc0ZRTy9vYXcKFXO2d0dZVoFTdw5M4bJH3C3mi6e56Bvp
+            ubyGesXow1S0JytyveWhpTJVh/6gfXAGGSGJyVbM3xoguBtdhazzAQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSUlwdjJIUWdTWVlZcGM5
-            dndnc1lFb0hjdW5vbzdJR3dJN3c0Z29FemlZCjBCVGxUS1dGVkZWc2hmTStYcDF3
-            bTR1WDFUN0pOa2wxYmZNVnhsQ1dhQVUKLS0tIEJmdzlJN1AvTkZqRHRGQTcrbG4y
-            NEJtV0FJU3RMbGNBMCtyWnIzYWwwSUEK/kt62lblp5wMYC8uWWRV09rWwQBOxxXw
-            K2gzMoIIy44u2PMKZSX8vp2socQfMxNtBqMm4PH6Tl5oyd9cNMX9rA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZytiVDQyTlQxU1MrYUdV
+            WGVBNVN0UUVlYXkyOVA3MHBkakpYOXA1QWxJCjBCYUJXamFpYkJDaVNCWGdnRGk3
+            MDJtM2k1aVdxaGRxQWREeUg2TDNpbEkKLS0tIHMrSlFDcGs0N2JGOVZYdXlSRk9I
+            OGNEMlRad28zT3FmeUxSWjkrNGJTZDQKuP3lfQ0hwdK5DzrL4Qn5VkRCtvHi50Yr
+            PoIVrF+1gJA2COrytD81rPH/OsWMAUdEKtRO1EOGOTEag21e0UpSnA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRXd0bUhzeTlvYmRsalVK
-            Sjk1YWxzdTdNSVNTai85WndIUmZabW81SGpvClFFTytkRHc3a3R1Rk9PVmtKR2tB
-            cWlzUk1Qb2dMWlBva1Boa0dGOGhPY2sKLS0tIGhDVmZHWUlsL1RrREdIWWdBSmw2
-            U080Z2FTcCt5OWUvYmNVUlVzNnRvcjgKeKVY57El+zPFwS0scrp8qHXodmKn8qcn
-            qqF3804LfavB27BnYjHLcGb52HrgrmtpY3TpjfM3i7uuYjJZbh9xCw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNDJNWjIzenptWlhOUzJm
+            U2c4UjlnTEFvTWw4U041ZVNqa0FPMi8zZ1VVCmZCYXE0L2pVdjRQajl6YlRLdnpr
+            Uk0yL2c3cmt4ZUZjK0RHMis5YWZPblUKLS0tIEIvTzZuczZlWitLVW1kY1pWUFhr
+            a25iRHBJMFZJYVNSQVgwanBIS2RnZ0EKuKzaVJHkZj2kB4O8z9XMWmoRGbFaDEOl
+            JuU7jOfR+0r9zBwSAzrYnLL5xBh6IH5L3UWB4vfi6X271KJa1g7d3A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2c2xJeHNDZUo3SUlpd3N5
+            bzJFVzRkMFY3UnljcGNKWWJYWlVVZGxVUUZNCll5ekRzampIYS9JUHdOYXZBNWp2
+            UU5kREpCNFpYK2l5M0x0Qjg4V2pESFEKLS0tIHhyNmh3SVJLZVRXY29hN2ZRTmZV
+            U1RMTGpCblE5RzJzeWdYUm4xYnZ2b0UK/oQ44kjpwdOwF4rr+M0mxmJipuBAvPTV
+            dQJqFu6xs664uDosd8rWT7sEeEWJLvs5s/QZKD73EiCg7i9819pMrQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbXZVSVMyZ09YYW13aEFW
-            TlJ3TlYxbyttVGs0VVFHVmNTT3oxalVYc0NvCnF2WW53MHhxSHgwTnNGVkZyd3Zo
-            UzZ4NHVQOTlkMlVVYTdFWXdoVVM0bUUKLS0tIG05M2hmWjhGaWZrb2RBRGV3U2xD
-            WnI1c1VLZDJ5aW9aMFN0YnBiN0wyRUEKxZJCCI6jO5nbwwIm4lUo7WrqKKRvyQbY
-            CYCJfZhCIYwXgrvFp1CLnY81ayZjnkVUKGMvOoQD2tJ9FZmBBFolxg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RmhTK29yaGVCbmJmWkdC
+            VU1nczRwWWV6RG5sY3ZCeWVyUFlQTS91aVJnClNlMjRPdEN0L1NaOXZGdFlJdW41
+            TlRpdTYveXdRSW1UaGNCbXk3UWtQdDAKLS0tIDV5ZkNWVTNGRnJtcGxJQmZ2NDBh
+            V1h3WVZzRk5pV2JSMlhmOFpaQXNIWmsKy0VbeGo9FchDTZ3327/9/8WEQce1RLSj
+            sWW952ZDkS/tkcYwcKa2FZYNpv71wwW6RWwZEtfGKmYttYNOovwzBw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNlFjbWduR0IyUnhhaVZW
-            NW9mbXBVUC9PSXdVR3ozRmNBQ1lHSkJCUFN3CnJvb0pBak9KczZTM3F0SktTc0Rl
-            QjZOVWJlUGRxeWIrUUVWdGVjbk5IanMKLS0tIHRlaFUxejBybzl0bFJqUmlab25O
-            cTdUU1EyY3BmdlhUMVhZWE1SekdUNzQKg8KI+jRz6d3ugvx8FNMkpC3kfj4flMY7
-            gRI9Ej777+Vl9Zowo1I4qF4t/6kAfvA8JUiuQnl7Ns7Mou0EyMVv5Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU0hPVDZrVWp1dUdlUGJH
+            V2hDK2QwQ291Zi9iTXBEUmNjTDhwOHRabjFNCkllbThlMmRZSGFyb3QyQjN3UEFF
+            ZHNteXFRM01Vb3Q3bit4M0ZJaWtTVGsKLS0tIEFrTDVGN0V5UnZiTWROT1FxQzFN
+            QWR3TU1mWmNUZmdpUkhyQzBTUm1OaXcKnJ1W9n8gIBCyjuIGca6B2Z2EwCnfrrJJ
+            bm9RMO3ZmA5ffc+nTyKfy9QtYY6i9ksUxNsUp5sWCxiKKb759voURQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:M09iYBGnRluGoGRQTOT9/oTHlg692Lm4LXrz0u5V8DleWRg1zIyjYxtupadpKMbGQ1DVuhB3oNejuvmjKJ+eX2Z8m4LMDhVFJZEfjd5/g+fUuwoyEzI1nU4ttvQ1j6NnO9F0F/VxvOp9fb78zpgzhxDEMjVrhHcnM0qyZtnSx7Y=,iv:V21v29Xx1QWGb1/Lap6dRJ6OuwcsdDCW0QrDeitqtYw=,tag:3PEgDPAzCD01XLCR+JJqQA==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:+emFGGQB1nrYdbGQE4/zqhMz+CtXlDhBCFCgimW4UddTqbtggqSy1J+w3Y4/vih6fQmBgGQHjuSNO84ZPtnvxSf1DOOWknic/8ozU5hPyhNksYl0D68EthUuqdsuIHzY6vEZMYPjIRaig/dAii/ov6pmLTlhKFjt7FpQTIuKmdY=,iv:MCaltKhV2CV0w31cpf1GQzAYlQphaHh/PGMbtN3EPOo=,tag:LGpbDiRarAOnORill/aE9w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

nixos/profiles/global/users.nix

@@ -10,27 +10,45 @@ in
     };
   };
 
-  users.users.jahanson = {
-    isNormalUser = true;
-    shell = pkgs.fish;
-    hashedPasswordFile = config.sops.secrets.jahanson-password.path;
-    extraGroups =
-      [
-        "wheel"
-      ]
-      ++ ifTheyExist [
-        "network"
-        "samba-users"
-        "docker"
-        "podman"
-        "audio" # pulseaudio
-        "libvirtd"
-      ];
+  users = {
+    groups = {
+      kah = {
+        gid = 568;
+      };
+    };
+    users = {
+      kah = {
+        isSystemUser = true;
+        group = "kah";
+        uid = 568;
+      };
 
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDJtqzSFK3MN12Lo3Y4DnzJV5NiygIPkR+gun5oEb2q jahanson@legiondary"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@durincore"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
-    ];
+      jahanson = {
+        isNormalUser = true;
+        shell = pkgs.fish;
+        hashedPasswordFile = config.sops.secrets.jahanson-password.path;
+        extraGroups =
+          [
+            "wheel"
+            "kah"
+          ]
+          ++ ifTheyExist [
+            "network"
+            "samba-users"
+            "docker"
+            "podman"
+            "audio" # pulseaudio
+            "libvirtd"
+          ];
+
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDJtqzSFK3MN12Lo3Y4DnzJV5NiygIPkR+gun5oEb2q jahanson@legiondary"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@durincore"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHwUOBEd0z2Jh6qJi4JeJbWdbU665E8/cP44iaUjW1DA jahanson@shadowfax"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPHzVi4xC6aLYsC4iiIX9rBfEh/FkWZilukLxmfjU9DE jahanson@gandalf"
+        ];
+      };
+    };
   };
 }

nixos/profiles/hw-threadripperpro.nix

@@ -0,0 +1,29 @@
+{ lib, ... }: {
+  imports = [ ];
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  mySystem = {
+    services.openssh.enable = true;
+    security.wheelNeedsSudoPassword = false;
+
+    # Restic backups disabled.
+    # TODO: configure storagebox for hetzner backups
+    system.resticBackup = {
+      local.enable = false;
+      local.noWarning = true;
+      remote.enable = false;
+      remote.noWarning = true;
+    };
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nixos/profiles/role-dev.nix

@@ -9,22 +9,30 @@ with config;
     btop
     dnsutils
     fira-code-nerdfont
+    jo
     jq
     nix
+    unstable.ncdu
     yq
 
-    # TODO Move
+    # dev
     gh
     go
     nil
     nixpkgs-fmt
     shfmt
     statix
+    unstable.helix
 
-    # bind # for dns utils like named-checkconf
+    # flake imports
     inputs.nix-inspect.packages.${pkgs.system}.default
     inputs.talhelper.packages.${pkgs.system}.default
-    inputs.ghostty.packages.${pkgs.system}.default
+
+    # charmbracelet tools
+    gum
+    vhs
+    mods
+    soft-serve
   ];
 
   programs.direnv = {

nixos/profiles/role-workstation.nix

@@ -50,6 +50,7 @@ with config;
     cpupower-gui
     vivaldi
     gparted
+    termius
   ];
 
   i18n = {

renovate.json5

@@ -1,8 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base"
-  ],
+  "extends": ["config:base"],
   "nix": {
     "enabled": true
   },
@@ -16,16 +14,14 @@
     {
       "customType": "regex",
       "description": "Process various dependencies in nix files",
-      "fileMatch": [
-        "\\.nix$"
-      ],
+      "fileMatch": ["\\.nix$"],
       "matchStrings": [
         // Newline
         "(?m:^[ \\t]*?# ?renovate: depName=(?<depName>\\S+)( datasource=(?<datasource>\\S+))?( versioning=(?<versioning>\\S+))?( extractVersion=(?<extractVersion>\\S+))?\\n[ \\t ]*?\\S+ = \"?(?<currentValue>[^\" ]+?)\";?$)"
       ],
       "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
       "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
-      "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}",
-    },
-  ],
+      "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}"
+    }
+  ]
 }