desktop-2025-02-01-10-55-26

.sops.yaml

@@ -8,6 +8,7 @@ keys:
     - &mini age1hdv2nz7r5fv6glq7jac27uf864t2668a97ptx52q57yfg4jd7ypqkag7wd
     - &nixos-virtualbox age1zs6k39g6kz740z3p9f0r2tc8dwn677zn3v5963g42p6lsljh7y0qzfn9ql
     - &nixos-vm age120fg86wv7vrcw6aeuunkzr7nerpwg8w0vu08xp8v8feqawtzqquq4763cw
+    - &thinkpad age1dmkhlzvxemlufsydaed7vajm4cdpjwmqj3pmpvlljkjzlck8t4rswwph4j
 creation_rules:
   - path_regex: secrets.yaml$
     key_groups:
@@ -19,7 +20,8 @@ creation_rules:
       - *mini
       - *nixos-virtualbox
       - *nixos-vm
-  - path_regex: secrets-desktop.y`aml$
+      - *thinkpad
+  - path_regex: secrets-desktop.yaml$
     key_groups:
     - age:
       - *alex

README.md

@@ -6,7 +6,7 @@
 
 
 ```
-nix flake update .
+nix flake update
 
 sudo mergerfs -o cache.files=partial,dropcacheonclose=true,category.create=mfs /run/media/alex/disk1:/run/media/alex/disk2:/run/media/alex/disk3 /home/alex/shared/raid
 

configs/common-linux.nix

@@ -31,44 +31,44 @@
     supportedFilesystems = ["ntfs" "btrfs"];
 
     initrd = {
-      # postDeviceCommands = pkgs.lib.mkBefore ''
+      postDeviceCommands = pkgs.lib.mkBefore ''
-      #   mkdir -p /mnt
+        mkdir -p /mnt
 
-      #   # We first mount the btrfs root to /mnt
+        # We first mount the btrfs root to /mnt
-      #   # so we can manipulate btrfs subvolumes.
+        # so we can manipulate btrfs subvolumes.
-      #   mount -o subvol=/ /dev/mapper/lvm-root /mnt
+        mount -o subvol=/ /dev/mapper/lvm-root /mnt
 
-      #   # While we're tempted to just delete /root and create
+        # While we're tempted to just delete /root and create
-      #   # a new snapshot from /root-blank, /root is already
+        # a new snapshot from /root-blank, /root is already
-      #   # populated at this point with a number of subvolumes,
+        # populated at this point with a number of subvolumes,
-      #   # which makes `btrfs subvolume delete` fail.
+        # which makes `btrfs subvolume delete` fail.
-      #   # So, we remove them first.
+        # So, we remove them first.
-      #   #
+        #
-      #   # /root contains subvolumes:
+        # /root contains subvolumes:
-      #   # - /root/var/lib/portables
+        # - /root/var/lib/portables
-      #   # - /root/var/lib/machines
+        # - /root/var/lib/machines
-      #   #
+        #
-      #   # I suspect these are related to systemd-nspawn, but
+        # I suspect these are related to systemd-nspawn, but
-      #   # since I don't use it I'm not 100% sure.
+        # since I don't use it I'm not 100% sure.
-      #   # Anyhow, deleting these subvolumes hasn't resulted
+        # Anyhow, deleting these subvolumes hasn't resulted
-      #   # in any issues so far, except for fairly
+        # in any issues so far, except for fairly
-      #   # benign-looking errors from systemd-tmpfiles.
+        # benign-looking errors from systemd-tmpfiles.
-      #   btrfs subvolume list -o /mnt/root |
+        btrfs subvolume list -o /mnt/root |
-      #   cut -f9 -d' ' |
+        cut -f9 -d' ' |
-      #   while read subvolume; do
+        while read subvolume; do
-      #     echo "deleting /$subvolume subvolume..."
+          echo "deleting /$subvolume subvolume..."
-      #     btrfs subvolume delete "/mnt/$subvolume"
+          btrfs subvolume delete "/mnt/$subvolume"
-      #   done &&
+        done &&
-      #   echo "deleting /root subvolume..." &&
+        echo "deleting /root subvolume..." &&
-      #   btrfs subvolume delete /mnt/root
+        btrfs subvolume delete /mnt/root
 
-      #   echo "restoring blank /root subvolume..."
+        echo "restoring blank /root subvolume..."
-      #   btrfs subvolume snapshot /mnt/root-blank /mnt/root
+        btrfs subvolume snapshot /mnt/root-blank /mnt/root
 
-      #   # Once we're done rolling back to a blank snapshot,
+        # Once we're done rolling back to a blank snapshot,
-      #   # we can unmount /mnt and continue on the boot process.
+        # we can unmount /mnt and continue on the boot process.
-      #   umount /mnt
+        umount /mnt
-      # '';
+      '';
     };
   };
 

configs/filesystem.nix

@@ -0,0 +1,65 @@
+{
+  fileSystems = {
+    "/" = {
+      fsType = "btrfs";
+      options = [
+        "subvol=root"
+        "discard=async"
+        "compress=zstd"
+        "nodiratime"
+        "noatime"
+      ];
+    };
+
+    "/home" = {
+      fsType = "btrfs";
+      options = [
+        "subvol=home"
+        "discard=async"
+        "compress=zstd"
+        "nodiratime"
+        "noatime"
+      ];
+    };
+
+    "/nix" = {
+      fsType = "btrfs";
+      options = [
+        "subvol=nix"
+        "discard=async"
+        "compress=zstd"
+        "nodiratime"
+        "noatime"
+      ];
+    };
+
+    "/persist" = {
+      fsType = "btrfs";
+      options = [
+        "subvol=persist"
+        "discard=async"
+        "compress=zstd"
+        "nodiratime"
+        "noatime"
+      ];
+      neededForBoot = true;
+    };
+
+    "/var/log" = {
+      fsType = "btrfs";
+      options = [
+        "subvol=log"
+        "discard=async"
+        "compress=zstd"
+        "nodiratime"
+        "noatime"
+      ];
+      neededForBoot = true;
+    };
+
+    "/boot" = {
+      fsType = "vfat";
+      options = ["fmask=0022" "dmask=0022"];
+    };
+  };
+}

configs/libvirtd.nix

@@ -0,0 +1,25 @@
+{pkgs, ...}: {
+  users.extraGroups.libvirtd.members = ["alex"];
+
+  virtualisation = {
+    libvirtd = {
+      enable = true;
+      # Used for UEFI boot of Home Assistant OS guest image
+      qemu.ovmf.enable = true;
+    };
+  };
+
+  environment = {
+    systemPackages = with pkgs; [
+      # For virt-install
+      virt-manager
+      # For lsusb
+      usbutils
+    ];
+    persistence."/persist" = {
+      directories = [
+        "/var/lib/libvirt"
+      ];
+    };
+  };
+}

configs/pantheon.nix

@@ -0,0 +1,76 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  programs = {
+    # pantheon-tweaks.enable = true;
+    evolution.enable = true;
+  };
+
+  services = {
+    xserver = {
+      enable = true;
+      excludePackages = [pkgs.xterm];
+
+      xkb.layout = "us";
+
+      updateDbusEnvironment = true;
+
+      displayManager = {
+        lightdm = {
+          enable = true;
+          greeters.pantheon.enable = true;
+        };
+      };
+
+      desktopManager.pantheon = {
+        enable = true;
+        extraWingpanelIndicators = with pkgs; [
+          monitor
+          wingpanel-indicator-ayatana
+        ];
+      };
+    };
+
+    # Enable touchpad support.
+    libinput.enable = true;
+  };
+
+  systemd.user.services = {
+    # monitor = {
+    #   description = "indicator-monitor";
+    #   wantedBy = [ "graphical-session.target" ];
+    #   partOf = [ "graphical-session.target" ];
+    #   serviceConfig = {
+    #     ExecStart = "${pkgs.monitor}/bin/com.github.stsdc.monitor";
+    #   };
+    # };
+
+    indicatorapp = {
+      description = "indicator-application-gtk3";
+      wantedBy = ["graphical-session.target"];
+      partOf = ["graphical-session.target"];
+      serviceConfig = {
+        ExecStart = "${pkgs.indicator-application-gtk3}/libexec/indicator-application/indicator-application-service";
+      };
+    };
+  };
+
+  # App indicator
+  environment.pathsToLink = ["/libexec"];
+  environment.systemPackages = with pkgs; [
+    gnome-online-accounts
+    gnome-control-center
+    gnome-system-monitor
+    indicator-application-gtk3
+    monitor
+    pantheon-tweaks
+    eog
+  ];
+
+  environment.pantheon.excludePackages = with pkgs.pantheon; [
+    elementary-code
+  ];
+}

configs/plasma.nix

@@ -5,6 +5,10 @@
   lib,
   ...
 }: {
+  nixpkgs.config.permittedInsecurePackages = [
+    "deskflow-1.18.0"
+  ];
+
   programs = {
     dconf.enable = true;
     kdeconnect.enable = true;
@@ -69,7 +73,7 @@
         enable = true;
         wayland.enable = true;
       };
-      # defaultSession = "plasmax11";
+      defaultSession = "plasma";
     };
 
     # xserver = {

configs/services/grafana.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services = {
+    nginx = {
+      virtualHosts = {
+        "grafana.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {
+            "/" = {
+              proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
+              proxyWebsockets = true;
+              recommendedProxySettings = true;
+            };
+          };
+        };
+      };
+    };
+
+    grafana = {
+      enable = true;
+      settings = {
+        server = {
+          # Listening Address
+          http_addr = "127.0.0.1";
+          # and Port
+          http_port = 3005;
+          # Grafana needs to know on which domain and URL it's running
+          domain = "grafana.szczepan.ski";
+          # root_url = "https://grafana.szczepan.ski/"; # Not needed if it is `https://your.domain/`
+          # serve_from_sub_path = true;
+        };
+      };
+    };
+  };
+}

configs/user-gui.nix

@@ -54,13 +54,15 @@
       keepassxc
       nextcloud-client
       pinta
-      # rustdesk-flutter
+      rustdesk-flutter
       simple-scan
 
       # discord
       # kdenlive
       # shotcut
 
+      telegram-desktop
+
       vorta
       kitty
 

configs/user.nix

@@ -90,13 +90,15 @@ in {
         serverAliveInterval = 60;
         forwardAgent = true;
 
-        matchBlocks."szczepan.ski" = {hostname = "szczepan.ski";};
+        matchBlocks = {
-        matchBlocks."mini" = {hostname = "mini";};
+          "szczepan.ski" = {hostname = "szczepan.ski";};
-        matchBlocks."desktop" = {hostname = "desktop";};
+          "mini" = {hostname = "mini";};
-        matchBlocks."framework" = {hostname = "framework";};
+          "desktop" = {hostname = "desktop";};
-        matchBlocks."nixos-vm" = {
+          "framework" = {hostname = "framework";};
-          hostname = "127.0.0.1";
+          "nixos-vm" = {
-          port = 1337;
+            hostname = "127.0.0.1";
+            port = 1337;
+          };
         };
       };
 

flake.lock

@@ -2,18 +2,18 @@
   "nodes": {
     "chaotic": {
       "inputs": {
+        "fenix": "fenix",
         "flake-schemas": "flake-schemas",
         "home-manager": "home-manager",
         "jovian": "jovian",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs"
-        "nixpkgs-small": "nixpkgs-small"
       },
       "locked": {
-        "lastModified": 1734346739,
+        "lastModified": 1738328739,
-        "narHash": "sha256-Um5yY36idRodddotyBaI9sQjw/xw5SV6tt3jPRgL330=",
+        "narHash": "sha256-LHxIpDEsQ1MoIeAJSuUznJWLzFhceUPcCb8x1mRe/Fk=",
         "owner": "chaotic-cx",
         "repo": "nyx",
-        "rev": "7228d7032f0316dbc69b69584ec07707efbd38c9",
+        "rev": "61b2c985f6b4e07a7f2c44928a0e45fe6315ed96",
         "type": "github"
       },
       "original": {
@@ -23,6 +23,28 @@
         "type": "github"
       }
     },
+    "fenix": {
+      "inputs": {
+        "nixpkgs": [
+          "chaotic",
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
+      "locked": {
+        "lastModified": 1738132439,
+        "narHash": "sha256-7q5vsyPQf6/aQEKAOgZ4ggv++Z2ppPSuPCGKlbPcM88=",
+        "owner": "nix-community",
+        "repo": "fenix",
+        "rev": "f94e521c1922784c377a2cace90aa89a6b8a1011",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -83,11 +105,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734093295,
+        "lastModified": 1738197605,
-        "narHash": "sha256-hSwgGpcZtdDsk1dnzA0xj5cNaHgN9A99hRF/mxMtwS4=",
+        "narHash": "sha256-yiLnWStN5yi/BuZDKBwkxNrtejD51h5eB1eC8jAauiw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "66c5d8b62818ec4c1edb3e941f55ef78df8141a8",
+        "rev": "7636b248675e00d887ec0e6932c316d87f36dbf3",
         "type": "github"
       },
       "original": {
@@ -103,11 +125,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734344598,
+        "lastModified": 1738378034,
-        "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=",
+        "narHash": "sha256-mldSa2NhDlnjqeSSFTNnkXIDrCLltpJfhrHUMBBKEiY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "83ecd50915a09dca928971139d3a102377a8d242",
+        "rev": "801ddd8693481866c2cfb1efd44ddbae778ea572",
         "type": "github"
       },
       "original": {
@@ -119,11 +141,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1734200366,
+        "lastModified": 1737831083,
-        "narHash": "sha256-0NursoP4BUdnc+wy+Mq3icHkXu/RgP1Sjo0MJxV2+Dw=",
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "c6323585fa0035d780e3d8906eb1b24b65d19a48",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
         "type": "github"
       },
       "original": {
@@ -141,11 +163,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734162608,
+        "lastModified": 1737617533,
-        "narHash": "sha256-m2AX+3eiVqIK6uO7GbGY7SFnkkYOlR5fQiNI0eRvWOQ=",
+        "narHash": "sha256-9hHaUxeRDZ5PTk7TqBbHPAjgKuBl67asaMdyehYLqFs=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "31bdf4c7c91204d65afbde01146deee0259a8fb7",
+        "rev": "2dd65c3c92a4b8b1bf653657ae8648b883a4d427",
         "type": "github"
       },
       "original": {
@@ -162,11 +184,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1734735212,
+        "lastModified": 1738064867,
-        "narHash": "sha256-9EJ/XadUCvlKWkLV/YGFFMbjMwi5XZWhW6pbxF/Ytm4=",
+        "narHash": "sha256-vaBgjmBHdkoTDPEy4YnTDvUvrbEXYftTnCtCZmw4EDo=",
         "owner": "taj-ny",
         "repo": "kwin-effects-forceblur",
-        "rev": "9a385496e5662f4caca5be463d9c6d5d2ff0fa8e",
+        "rev": "d7e46df232327f3d506c69f99177f2311ea4cd75",
         "type": "github"
       },
       "original": {
@@ -182,11 +204,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733570843,
+        "lastModified": 1738277753,
-        "narHash": "sha256-sQJAxY1TYWD1UyibN/FnN97paTFuwBw3Vp3DNCyKsMk=",
+        "narHash": "sha256-iyFcCOk0mmDiv4ut9mBEuMxMZIym3++0qN1rQBg8FW0=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "a35b08d09efda83625bef267eb24347b446c80b8",
+        "rev": "49b807fa7c37568d7fbe2aeaafb9255c185412f9",
         "type": "github"
       },
       "original": {
@@ -220,11 +242,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1734352517,
+        "lastModified": 1738391520,
-        "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=",
+        "narHash": "sha256-6HI58PKjddsC0RA0gBQlt6ox47oH//jLUHwx05RO8g0=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd",
+        "rev": "34b64e4e1ddb14e3ffc7db8d4a781396dbbab773",
         "type": "github"
       },
       "original": {
@@ -236,11 +258,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1734119587,
+        "lastModified": 1738142207,
-        "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
+        "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
+        "rev": "9d3ae807ebd2981d593cddd0080856873139aa40",
         "type": "github"
       },
       "original": {
@@ -250,34 +272,18 @@
         "type": "github"
       }
     },
-    "nixpkgs-small": {
-      "locked": {
-        "lastModified": 1734838250,
-        "narHash": "sha256-Xi8ST/QiyuYXc3ujnMYOBuRUaMh6p16XWH6BKARa7xQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "da8a31d09dd004be34b5c54eda83f9a27b357726",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1734119587,
+        "lastModified": 1738310300,
-        "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
+        "narHash": "sha256-bRvUuk8A0O5jm/3fRN9Y5eFqLmO2b6bCC0YtPMxmWCI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
+        "rev": "e2807b247ea4704655f71a36403a68ee04b634db",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -295,6 +301,23 @@
         "sops-nix": "sops-nix"
       }
     },
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1738082745,
+        "narHash": "sha256-wuHCbF+e608ly6jwqtRK0kQOrGPNfF5HPM+k/9m3SJQ=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "bc10a4479821188597be042b332e2ed9b3769376",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
@@ -302,11 +325,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733965552,
+        "lastModified": 1738291974,
-        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
         "owner": "mic92",
         "repo": "sops-nix",
-        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,7 @@
   description = "Your new nix config";
 
   inputs = {
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
 
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
     chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
@@ -105,6 +105,18 @@
         ];
       };
 
+      thinkpad = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = {inherit inputs outputs;};
+        modules = [
+          impermanence.nixosModules.impermanence
+          chaotic.nixosModules.default
+          inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-extreme
+          inputs.sops-nix.nixosModules.sops
+          ./machine/thinkpad/configuration.nix
+        ];
+      };
+
       mini = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {inherit inputs outputs;};
@@ -125,12 +137,22 @@
           ./machine/nixos-vm/configuration.nix
         ];
       };
+
+      nixos-virtualbox = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = {inherit inputs outputs;};
+        modules = [
+          inputs.sops-nix.nixosModules.sops
+          impermanence.nixosModules.impermanence
+          ./machine/nixos-virtualbox/configuration.nix
+        ];
+      };
     };
 
     darwinConfigurations."MacBook" = nix-darwin.lib.darwinSystem {
       system = "aarch64-darwin";
       modules = [
-          ./machine/macbook/configuration.nix
+        ./machine/macbook/configuration.nix
         # home-manager.darwinModules.home-manager
         # {
         #   home-manager.useGlobalPkgs = true;

machine/desktop/configuration.nix

@@ -15,7 +15,7 @@ in {
     ../../configs/games.nix
     ../../configs/develop.nix
     ../../configs/hardware.nix
-    ../../configs/virtualization.nix
+    ../../configs/virtualbox.nix
     ../../configs/plasma.nix
     ../../configs/user-gui.nix
     ../../configs/user.nix
@@ -36,10 +36,6 @@ in {
         owner = config.users.users.alex.name;
         group = config.users.users.alex.group;
       };
-
-      hashedPassword = {
-        neededForUsers = true;
-      };
     };
   };
 
@@ -50,7 +46,6 @@ in {
       "big-parallel"
       "kvm"
       "gccarch-znver3"
-      # "gccarch-x86-64-v3"
     ];
     max-jobs = 4;
 
@@ -69,6 +64,9 @@ in {
     kernelPackages = pkgs.linuxPackages_cachyos;
     kernelParams = ["clearcpuid=514" "ip=dhcp"];
     kernelModules = ["nct6775"];
+    kernel.sysctl = {
+      "vm.nr_hugepages" = 1280;
+    };
     extraModulePackages = with pkgs.linuxPackages_cachyos; [ryzen-smu];
     initrd = {
       availableKernelModules = ["r8169"];
@@ -160,20 +158,20 @@ in {
     graphics = {
       enable = true;
       enable32Bit = true;
-      extraPackages = with pkgs; [rocmPackages.clr.icd];
+      # doesnt build atm
+      extraPackages = with pkgs; [
+        clinfo
+        rocmPackages.clr.icd
+        rocmPackages.rocminfo
+        rocmPackages.rocm-runtime
+      ];
     };
-
-    # cpu.x86.msr = {
-    #   enable = true;
-    # };
-
-    pulseaudio.enable = false;
   };
 
-  # powerManagement = {
+  powerManagement = {
-  #   enable = true;
+    enable = true;
-  #   powertop.enable = true;
+    powertop.enable = true;
-  # };
+  };
 
   services = {
     power-profiles-daemon.enable = true;
@@ -187,11 +185,17 @@ in {
       pulse.enable = true;
     };
 
-    sunshine = {
+    ollama = {
       enable = true;
-      capSysAdmin = true;
+      acceleration = "rocm";
+      environmentVariables = {
+        HCC_AMDGPU_TARGET = "gfx1100"; # used to be necessary, but doesn't seem to anymore
+      };
+      rocmOverrideGfx = "11.0.0";
     };
 
+    open-webui.enable = true;
+
     samba = {
       enable = true;
       settings = {
@@ -220,17 +224,6 @@ in {
       };
     };
 
-    duplicati = {
-      enable = true;
-      user = "alex";
-    };
-
-    # jellyfin = {
-    #   enable = true;
-    #   user = "alex";
-    #   group = "users";
-    # };
-
     borgbackup.jobs = {
       home = rec {
         compression = "auto,zstd";

machine/desktop/hardware-configuration.nix

@@ -7,75 +7,32 @@
 }: {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
+    ../../configs/filesystem.nix
   ];
 
   fileSystems = {
     "/" = {
       device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
-      fsType = "btrfs";
-      options = [
-        "subvol=root"
-        "discard=async"
-        "compress=zstd"
-        "nodiratime"
-        "noatime"
-      ];
     };
 
     "/home" = {
       device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
-      fsType = "btrfs";
-      options = [
-        "subvol=home"
-        "discard=async"
-        "compress=zstd"
-        "nodiratime"
-        "noatime"
-      ];
     };
 
     "/nix" = {
       device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
-      fsType = "btrfs";
-      options = [
-        "subvol=nix"
-        "discard=async"
-        "compress=zstd"
-        "nodiratime"
-        "noatime"
-      ];
     };
 
     "/persist" = {
       device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
-      fsType = "btrfs";
-      options = [
-        "subvol=persist"
-        "discard=async"
-        "compress=zstd"
-        "nodiratime"
-        "noatime"
-      ];
-      neededForBoot = true;
     };
 
     "/var/log" = {
       device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
-      fsType = "btrfs";
-      options = [
-        "subvol=log"
-        "discard=async"
-        "compress=zstd"
-        "nodiratime"
-        "noatime"
-      ];
-      neededForBoot = true;
     };
 
     "/boot" = {
       device = "/dev/disk/by-uuid/4339-5A4C";
-      fsType = "vfat";
-      options = ["fmask=0022" "dmask=0022"];
     };
   };
 

machine/framework/configuration.nix

@@ -15,7 +15,7 @@ in {
     ../../configs/docker.nix
     ../../configs/games.nix
     ../../configs/hardware.nix
-    ../../configs/virtualization.nix
+    ../../configs/virtualbox.nix
     ../../configs/plasma.nix
     ../../configs/user-gui.nix
     ../../configs/user.nix

machine/framework/hardware-configuration.nix

@@ -18,21 +18,16 @@
   ];
 
   fileSystems = {
-    # "/" = {
-    #   device = "/dev/disk/by-uuid/20780bfe-5714-4c2f-bf53-7296b76cfbdc";
-    #   fsType = "btrfs";
-    #   options = [
-    #     "subvol=root"
-    #     "discard=async"
-    #     "compress=zstd"
-    #     "nodiratime"
-    #     "noatime"
-    #   ];
-    # };
     "/" = {
-      device = "none";
+      device = "/dev/disk/by-uuid/20780bfe-5714-4c2f-bf53-7296b76cfbdc";
-      fsType = "tmpfs";
+      fsType = "btrfs";
-      options = ["defaults" "size=16G" "mode=755"];
+      options = [
+        "subvol=root"
+        "discard=async"
+        "compress=zstd"
+        "nodiratime"
+        "noatime"
+      ];
     };
     "/home" = {
       device = "/dev/disk/by-uuid/20780bfe-5714-4c2f-bf53-7296b76cfbdc";

machine/mini/configuration.nix

@@ -8,8 +8,9 @@
   imports = [
     ./hardware-configuration.nix
     ../../configs/borg.nix
-    ../../configs/docker.nix
     ../../configs/common-linux.nix
+    ../../configs/docker.nix
+    ../../configs/libvirtd.nix
     ../../configs/user.nix
   ];
 
@@ -51,9 +52,13 @@
     useDHCP = false;
     firewall = {enable = false;};
     interfaces = {
-      enp3s0.useDHCP = true;
+      br0 = {
+        useDHCP = true;
+      };
     };
 
+    bridges.br0.interfaces = ["enp3s0"];
+
     nftables.enable = true;
   };
 
@@ -96,7 +101,7 @@
     };
 
     locate = {
-      prunePaths = [ "/mnt" "/nix" ];
+      prunePaths = ["/mnt" "/nix"];
     };
   };
 

machine/mini/hardware-configuration.nix

@@ -1,10 +1,5 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
-  config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }: {
@@ -12,10 +7,14 @@
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
+  boot = {
-  boot.initrd.kernelModules = ["dm-snapshot"];
+    initrd = {
-  boot.kernelModules = ["kvm-intel"];
+      availableKernelModules = ["ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
-  boot.extraModulePackages = [];
+      kernelModules = ["dm-snapshot"];
+    };
+
+    kernelModules = ["kvm-intel"];
+  };
 
   fileSystems = {
     "/" = {

machine/nixos-virtualbox/configuration.nix

@@ -17,15 +17,8 @@
     validateSopsFiles = true;
     age = {
       sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
-      keyFile = "/var/lib/sops-nix/key.txt";
       generateKey = true;
     };
-
-    secrets = {
-      hashedPassword = {
-        neededForUsers = true;
-      };
-    };
   };
 
   time.timeZone = "Europe/Berlin";
@@ -33,7 +26,43 @@
   boot = {
     initrd = {
       enable = true;
-      supportedFilesystems = ["btrfs"];
+      postResumeCommands = lib.mkAfter ''
+        mkdir -p /mnt
+        # We first mount the btrfs root to /mnt
+        # so we can manipulate btrfs subvolumes.
+        mount -o subvol=/ /dev/sda2 /mnt
+
+        # While we're tempted to just delete /root and create
+        # a new snapshot from /root-blank, /root is already
+        # populated at this point with a number of subvolumes,
+        # which makes `btrfs subvolume delete` fail.
+        # So, we remove them first.
+        #
+        # /root contains subvolumes:
+        # - /root/var/lib/portables
+        # - /root/var/lib/machines
+        #
+        # I suspect these are related to systemd-nspawn, but
+        # since I don't use it I'm not 100% sure.
+        # Anyhow, deleting these subvolumes hasn't resulted
+        # in any issues so far, except for fairly
+        # benign-looking errors from systemd-tmpfiles.
+        btrfs subvolume list -o /mnt/root |
+        cut -f9 -d' ' |
+        while read subvolume; do
+          echo "deleting /$subvolume subvolume..."
+          btrfs subvolume delete "/mnt/$subvolume"
+        done &&
+        echo "deleting /root subvolume..." &&
+        btrfs subvolume delete /mnt/root
+
+        echo "restoring blank /root subvolume..."
+        btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+        # Once we're done rolling back to a blank snapshot,
+        # we can unmount /mnt and continue on the boot process.
+        umount /mnt
+      '';
     };
   };
 
@@ -42,14 +71,31 @@
     hostName = "nixos-virtualbox"; # Define your hostname.
   };
 
+  nix.settings = {
+    system-features = [
+      "nixos-test"
+      "benchmark"
+      "big-parallel"
+      "gccarch-znver3"
+    ];
+    trusted-substituters = ["https://ai.cachix.org"];
+    trusted-public-keys = ["ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc="];
+  };
+
+  # nixpkgs.localSystem = {
+  #   gcc.arch = "znver3";
+  #   gcc.tune = "znver3";
+  #   system = "x86_64-linux";
+  # };
+
   programs.nix-ld.enable = true;
 
-  # services = {
+  services = {
-  #   k3s = {
+    # k3s = {
-  #     enable = true;
+    #   enable = true;
-  #     role = "server";
+    #   role = "server";
-  #   };
+    # };
-  # };
+  };
 
   system.stateVersion = "24.11";
 }

machine/nixos-virtualbox/hardware-configuration.nix

@@ -1,56 +1,48 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
-  config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }: {
-  imports = [];
-
   boot.initrd.availableKernelModules = ["ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = [];
-  boot.extraModulePackages = [];
 
-  fileSystems."/" = {
+  fileSystems = {
-    device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
+    "/" = {
-    fsType = "btrfs";
+      device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
-    options = ["subvol=root" "compress=zstd" "noatime"];
+      fsType = "btrfs";
-  };
+      options = ["subvol=root" "compress=zstd" "noatime"];
+    };
 
-  fileSystems."/home" = {
+    "/home" = {
-    device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
+      device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
-    fsType = "btrfs";
+      fsType = "btrfs";
-    options = ["subvol=home" "compress=zstd" "noatime"];
+      options = ["subvol=home" "compress=zstd" "noatime"];
-  };
+    };
 
-  fileSystems."/nix" = {
+    "/nix" = {
-    device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
+      device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
-    fsType = "btrfs";
+      fsType = "btrfs";
-    options = ["subvol=nix" "compress=zstd" "noatime"];
+      options = ["subvol=nix" "compress=zstd" "noatime"];
-  };
+    };
 
-  fileSystems."/persist" = {
+    "/persist" = {
-    device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
+      device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
-    fsType = "btrfs";
+      fsType = "btrfs";
-    options = ["subvol=persist" "compress=zstd" "noatime"];
+      options = ["subvol=persist" "compress=zstd" "noatime"];
-    neededForBoot = true;
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/var/log" = {
+    "/var/log" = {
-    device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
+      device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
-    fsType = "btrfs";
+      fsType = "btrfs";
-    options = ["subvol=log" "compress=zstd" "noatime"];
+      options = ["subvol=log" "compress=zstd" "noatime"];
-    neededForBoot = true;
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/boot" = {
+    "/boot" = {
-    device = "/dev/disk/by-uuid/6F47-35E9";
+      device = "/dev/disk/by-uuid/6F47-35E9";
-    fsType = "vfat";
+      fsType = "vfat";
-    options = ["fmask=0022" "dmask=0022"];
+      options = ["fmask=0022" "dmask=0022"];
+    };
   };
 
   swapDevices = [];
@@ -62,6 +54,6 @@
   networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp0s3.useDHCP = lib.mkDefault true;
 
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  # nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   virtualisation.virtualbox.guest.enable = true;
 }

machine/thinkpad/configuration.nix

@@ -0,0 +1,87 @@
+{
+  config,
+  pkgs,
+  inputs,
+  outputs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    # ../../configs/borg.nix
+    ../../configs/common-linux.nix
+    ../../configs/docker.nix
+    ../../configs/libvirtd.nix
+    ../../configs/user.nix
+  ];
+
+  sops = {
+    defaultSopsFile = ../../secrets/secrets-mini.yaml;
+  };
+
+  boot = {
+    initrd = {
+      luks.devices = {
+        root = {
+          device = "/dev/disk/by-uuid/7f2eb00d-49d8-416f-a742-5af5ce871483";
+          preLVM = true;
+        };
+      };
+    };
+    kernelPackages = pkgs.linuxPackages_latest;
+    # extraModulePackages = with pkgs.linuxPackages_latest; [rtl88x2bu];
+  };
+
+  time.timeZone = "Europe/Berlin";
+  networking = {
+    hostName = "thinkpad";
+    useDHCP = true;
+    firewall = {enable = false;};
+    # interfaces = {
+    #   br0 = {
+    #     useDHCP = true;
+    #   };
+    # };
+
+    # bridges.br0.interfaces = ["enp3s0"];
+
+    nftables.enable = true;
+
+    wireless = {
+      enable = true;
+      networks.Skynet-mobil.psk = "***";
+      interfaces = [ "wlp0s20f3" ];
+    };
+  };
+
+  environment = {
+    # systemPackages = with pkgs; [
+    #   nyx
+    #   snapraid
+    #   mergerfs
+    # ];
+    # persistence."/persist" = {
+    #   directories = [
+    #     # "/var/lib/docker"
+    #     "/var/lib/tor"
+    #   ];
+    # };
+  };
+
+  hardware = {
+    enableAllFirmware = true;
+  };
+
+  services = {
+    locate = {
+      prunePaths = ["/mnt" "/nix"];
+    };
+  };
+
+  powerManagement = {
+    enable = true;
+    powertop.enable = true;
+    # cpuFreqGovernor = "powersave";
+  };
+
+  system.stateVersion = "24.11";
+}

machine/thinkpad/hardware-configuration.nix

@@ -0,0 +1,71 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-intel"];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/6de51510-623b-4ae4-b0ba-a319057eb6ea";
+    fsType = "btrfs";
+    options = ["subvol=root"];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/6de51510-623b-4ae4-b0ba-a319057eb6ea";
+    fsType = "btrfs";
+    options = ["subvol=home"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/6de51510-623b-4ae4-b0ba-a319057eb6ea";
+    fsType = "btrfs";
+    options = ["subvol=nix"];
+  };
+
+  fileSystems."/persist" = {
+    device = "/dev/disk/by-uuid/6de51510-623b-4ae4-b0ba-a319057eb6ea";
+    fsType = "btrfs";
+    options = ["subvol=persist"];
+    neededForBoot = true;
+  };
+
+  fileSystems."/var/log" = {
+    device = "/dev/disk/by-uuid/6de51510-623b-4ae4-b0ba-a319057eb6ea";
+    fsType = "btrfs";
+    options = ["subvol=log"];
+    neededForBoot = true;
+  };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/7785-083C";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/ded22b9d-440d-46d8-8246-b52deca7a49c";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machine/vps-arm/configuration.nix

@@ -11,7 +11,7 @@
     ../../configs/common-linux.nix
     ../../configs/docker.nix
     ../../configs/user.nix
-    # ../../configs/borg.nix
+    ../../configs/borg.nix
 
     ../../configs/services/adguardhome.nix
     ../../configs/services/atuin.nix
@@ -19,6 +19,7 @@
     ../../configs/services/frigate.nix
     ../../configs/services/gitea.nix
     ../../configs/services/goaccess.nix
+    ../../configs/services/grafana.nix
     ../../configs/services/headscale.nix
     ../../configs/services/immich.nix
     ../../configs/services/nextcloud.nix
@@ -103,6 +104,7 @@
           tor -f ${torRc} &
         '';
       };
+
       luks.devices = {
         root = {
           device = "/dev/disk/by-uuid/cad303e1-16d8-4c15-b6c6-1f5bfc498419";
@@ -209,6 +211,7 @@
           enableACME = true;
           globalRedirect = "alexander.szczepan.ski";
         };
+
         "alexander.szczepan.ski" = {
           forceSSL = true;
           enableACME = true;
@@ -225,7 +228,7 @@
           enableACME = true;
           locations = {
             "/" = {
-              proxyPass = "http://mini.main.szczepan.ski:8123/";
+              proxyPass = "http://192.168.178.45:8123/";
               proxyWebsockets = true;
             };
           };
@@ -255,39 +258,14 @@
       };
     };
 
-    # borgbackup.jobs.home = rec {
+    borgbackup.jobs.all = rec {
-    #   compression = "auto,zstd";
+      repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg";
-    #   encryption = {
+      exclude = [
-    #     mode = "repokey-blake2";
+        "/home/alex/mounted"
-    #     passCommand = "cat ${config.sops.secrets.borg-key.path}";
+        "/home/alex/.cache"
-    #   };
+        "/persist/borg"
-    #   extraCreateArgs = "--stats --verbose --checkpoint-interval=600 --exclude-caches";
+      ];
-    #   extraPruneArgs = [
+    };
-    #     "--save-space"
-    #     "--stats"
-    #   ];
-    #   extraCompactArgs = [
-    #     "--cleanup-commits"
-    #   ];
-    #   environment = {
-    #     BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
-    #     BORG_BASE_DIR = "/persist/borg";
-    #   };
-    #   readWritePaths = ["/persist/borg"];
-    #   paths = ["/home/alex" "/persist"];
-    #   repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg-arm";
-    #   startAt = "daily";
-    #   prune.keep = {
-    #     daily = 7;
-    #     weekly = 4;
-    #     monthly = 6;
-    #   };
-    #   exclude = [
-    #     "/home/alex/mounted"
-    #     "/home/alex/.cache"
-    #     "/persist/borg"
-    #   ];
-    # };
 
     journald = {extraConfig = "SystemMaxUse=10G";};
   };

machine/vps-arm/hardware-configuration.nix

@@ -1,8 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
-  config,
   lib,
   pkgs,
   modulesPath,
@@ -12,57 +8,54 @@
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
 
-  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
+  boot.initrd = {
-  boot.initrd.kernelModules = ["dm-snapshot"];
+    availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
-  boot.kernelModules = [];
+    kernelModules = ["dm-snapshot"];
-  boot.extraModulePackages = [];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
-    fsType = "btrfs";
-    options = ["subvol=root"];
   };
 
-  fileSystems."/home" = {
+  fileSystems = {
-    device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
+    "/" = {
-    fsType = "btrfs";
+      device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
-    options = ["subvol=home"];
+      fsType = "btrfs";
-  };
+      options = ["subvol=root"];
+    };
 
-  fileSystems."/nix" = {
+    "/home" = {
-    device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
+      device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
-    fsType = "btrfs";
+      fsType = "btrfs";
-    options = ["subvol=nix"];
+      options = ["subvol=home"];
-  };
+    };
 
-  fileSystems."/persist" = {
+    "/nix" = {
-    device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
+      device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
-    fsType = "btrfs";
+      fsType = "btrfs";
-    options = ["subvol=persist"];
+      options = ["subvol=nix"];
-    neededForBoot = true;
+    };
-  };
 
-  fileSystems."/var/log" = {
+    "/persist" = {
-    device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
+      device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
-    fsType = "btrfs";
+      fsType = "btrfs";
-    options = ["subvol=log"];
+      options = ["subvol=persist"];
-    neededForBoot = true;
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/boot" = {
+    "/var/log" = {
-    device = "/dev/disk/by-uuid/DE94-E9C1";
+      device = "/dev/disk/by-uuid/224bc309-572c-4771-b66e-25d5e13c4917";
-    fsType = "vfat";
+      fsType = "btrfs";
-    options = ["fmask=0022" "dmask=0022"];
+      options = ["subvol=log"];
-  };
+      neededForBoot = true;
+    };
 
+    "/boot" = {
+      device = "/dev/disk/by-uuid/DE94-E9C1";
+      fsType = "vfat";
+      options = ["fmask=0022" "dmask=0022"];
+    };
+  };
   swapDevices = [
     {device = "/dev/disk/by-uuid/3c63b075-76ca-403f-bf75-53269b6bf4fa";}
   ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
 

secrets/secrets.yaml

@@ -8,65 +8,74 @@ sops:
         - recipient: age1gjhlw6vkfers3f76yug3alwupe4jckjhg8ncr8kll5gj5g6wlqtqacqa73
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxaVdQQXdOV1ZVSDVUdDBy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ek9ZNkl2cHlsWDJkbkdE
-            ODAzN3RYRi9Sd0pHUlh6bVVwclkwM0daQzNrClZEdU1CYktMQVZ2enBMbFdsTmZ2
+            Q2d6a1diWnBHZlNPcmsyYnhnWkhPczJDMDNZCktFclNCVm42MjJDTWE0enI2UzUv
-            SHVRekpwWjlJdm9XNnVrUWZGdncxK2cKLS0tIFhRalByNG1GUy9kTVRqaHBpSUJu
+            Mi9LYTFqVmhqQ2Vmc1BPRGZMMm9wQ0kKLS0tIHlnSGtNbGxhL1pDK0U2YnNWSWJp
-            N3hmdFhLU1V1UUJ2SzBYOGk2LzVwb3MKBDHXy9Y5sSlDhmHUoiDdWhStxCiNq0fX
+            aFUwWDRTS3U1TnU0TVpJaExQNmM1ZlUKDF3TuqTmdWJvlnElL0nHu4/cRx4LAqRA
-            ef6GNTfFWWMT1eigq2av8u/xzUJ0kkUARkcWe14O7EGDga0Lij0ixg==
+            0/VuwZHdSW1P/Pm06K+OE3Q2hzVYEux/NNduI4gxJLXtL7s3Ux0IsA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m873zl0umr6huvs7ft98t7dg3wqx7skzgdrd6vjzeh8h6kkgdghsy5atvx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZitER241elRYZHZnRmhY
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUjhuWXk1aTZMdW5rQUVh
-            WUZYN3VCSmlUbHgvMzFXYXpJTCtJOEg3Nm5VCktXOGVsSitsUktkSmZaOWxHcWdx
+            aFFsZFJNRFZKcnh6L2pVUjZ4Zy95bGlvdWc4Cng3bmNYbmkzTzc3QlJYRjAwT3Bl
-            NEV0dndsRmIxUVZFTUEwS1RIWXdMMmsKLS0tIEo1WnhrR0dCRVVWc3VTVndueEFY
+            MXV6NjkvY3BteXdacHl6SDIvSU40OTgKLS0tIGp6MGFnNHd1VXdVVDJnVlJnVzZx
-            eUFPbEdZa0tnYnYra3dUdE14SHZLdGsKny/grhc64lPMDdJLvHPCHn7ZMPtNksI7
+            b1VpWWd3NlFUR0dLVTVBa3VQaXJXT0EKLjEPsu9vYGEzKq0A9zD4WfMUUFXJ5a2G
-            dvRALhDGEgbTfJR4wEZJumx56wZbak+vI3sNYo/RXDggRrKmJCUrDA==
+            KmTdOMS+mE3QMbUSWOujBMw7dmfevfhNtknjfKHJzOBfzRIlmGXqBA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hcnyvwydfrhl9sz0dv4j5dsv2jzwmxvvhq6w7ejy0y5yxuj034es08gz9s
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUUROaDkwTVdhellISUQ4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKM0d4bktNdTYzRkxscTQ5
-            OVNpNUtKUm9OMk1HVVp3TmZlYVRtYTZoQUJJCnhuMG12djd1OXF2RzZjaDFCM1R2
+            RGtHZzN6Vmg2ditjQzU5ZkJIbnl4aGFkZXhzClF4SlRCcTk2a0szblBoMVJMS0tU
-            TDNTQU11OFRjdXl5eTlKc1FmUUpJeDAKLS0tIGxQQVlKRTQ4c0xkOTlaUXVIT2Va
+            bmJPa0ppUUVmTW54NVpob3hMbzA4dDQKLS0tIGY3YzRkcVEwcXFYbEFRNGdoaHdi
-            bGkrS0lQWE1FdEhnc0x0K0lKKzAzbjgKkOcHJJBS1XfoL2TzseFZTmeJXYXeSK7r
+            Yjl5d0hFcmVaaStIbFRGeHRld09WcU0KdbvLVxfhkcIDpiAz2rnmmEYOTUzeKV0R
-            LiBegZy714nyf/AS+b2sNC9uu3oLsjF/Ro4uyLP3Ti81E+pJeU/ImA==
+            VyOfNBDXAQ6xfay6MOBTgCPOz7cbElL2MFDOv/JdTEqqu3vfHTP/XA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1w3nq2g9ctm43f43lyzfrznywqpqlrk6x9de2qy3sr05mm4yk4u3s05slw4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Y2RqVmZUcUhkUTRKaDZw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMVhTaXVCb3dqNTVsTUhJ
-            RUhBR2dSdVZjdW9MdGNPSXFFclV0UlVzMFUwClpqZzd5Ymh3eVRFcUVBYlVDR2Nu
+            dlhMbUlZbXYwcVBiczJaQXRqOEI4UDJqc3hNCk5CWWRIcWg5dmE3QjB4aitHc3pQ
-            ZTNsWHBmZTZlekdweVFGdmJjMXJwVWsKLS0tIDBkWDBuZG9vUkhxNlVRYlk3Y3cy
+            NDJVdmhvTU0vc2dnWmFmU1Rob3J1alUKLS0tIFlmOUhDVUJjbmw5dUFKZ3NTVTJX
-            eG9wTHduTFlLQ3ZqK0tSbGtNQ25BVFkKjGrZjEfaViijBm6AQVPOv/fz7cJBxO0J
+            a09yd2JQR3ZiM1dreVZJbmpwVlJrcjAKbW4JCzpNg+jhlMAYoldv0l0oJtR+EyI5
-            J5G83XNFeU0zn78iuc9K/EwuSBbTPhjczOu1s7HNJOm26DrP/NrbXg==
+            RzAc73V9zcyKIqUHOXKW0oUzoly2EEOUUiSAgOZ1jzglyxGfL2zWjw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hdv2nz7r5fv6glq7jac27uf864t2668a97ptx52q57yfg4jd7ypqkag7wd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcSthSmxOTjREWEZ5QzYy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZ2VScHUzVDFYYlhKWVlj
-            N0ZZTVlvTjZqamZIb21Rbk05SEIwU0E4MnpvCkRDVXg0clBEWTQ3TXJOSnpZYVM1
+            RFc1WGJiKzhUK0x6QW51Yko0QVh0cVBWbTM4Cjdyam0yRG01OTREYlVMVTdTRjZh
-            R3dwc3J4SmJBenNiT2dIK1J2WTY3eWcKLS0tIFVNQm5zYjB4dFIxMG8wKzlOaStG
+            RzMxaG9EdVFCUjFRdXM3VE5Qa0d4RWcKLS0tIDFzUzRya21naUhVcklmak0vanBV
-            MS9Pc2JmUHVFRU1hVjkvM0lZeEU3ajQKhNRTwMgTg3clHKxDQswcpkkkcGNMe3fD
+            bmcvbnpHLzloR0I0Z01jcFpTaVRNWncK0LQfKxfltvCpGWvmPMtmqu+wid30qfL4
-            W+Qvp+x9rOSUPgMdB2o5+8rsnzN1u+Pl+SYQ+UiMgKzSPCqJbsKqGg==
+            NqZhAMNHmCmnzSX0ViQQU0e4Hrd8/2FhJNap5k88ZenyzLWd7ToBuA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zs6k39g6kz740z3p9f0r2tc8dwn677zn3v5963g42p6lsljh7y0qzfn9ql
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0aFVKenl6YnFqVmpuQ0hs
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0czcrYWFiRklXTFA1aXQ3
-            SHlEYUVFSm5xTUNxNjhhV3d0NnBrMTB6OEhNCmtZa3o5dzluNTNQL1lXdVlIREJJ
+            WE9BejdSeEdLYXZESXloZWw2ZzV6cDZUNmljCk94eS9TYVB4RlFPTi96eG95bWVL
-            b3FCMGE2NnJMcThzREVkYUVQVnVBWlEKLS0tIDBzemwxdWJwSFhwcUg1YmtCT0Z3
+            L21jcGxJUDN1RUMzTVo5RTMvV0NkYWcKLS0tIHRlRkt1bjBGMmo5azFzNk41REZm
-            aVlHRXQ4Z3RFd2dUUFNMeUdwV3FFOE0K9HrCceBsDw4KhG9yL2rT/nX6Lyb2Th1K
+            MlQzZlNPUitVVG5hb3FBMGdZcHFSVE0K4fcnPvCWFrl6QilgK6dtoeDhznRguoUk
-            CUUUF0GGxMNMfwPatooEaM2Nx9izmo7jFDbKgDfWlrp8CLH6W+nlyQ==
+            cZbIbDJ3d1WE6ITl7MRCNuixtNTd+UCnCkamF1FKtboP5EvniQ7/zw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age120fg86wv7vrcw6aeuunkzr7nerpwg8w0vu08xp8v8feqawtzqquq4763cw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbFIzaWdPZmd5eTdDN1hG
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMXcvL2swcFcwZDRxRmtx
-            YXBnakprdGU2WlBrY21Rd0NOb3UyQjArcWc4CjhFRUxueWppRkRacmUvbERlbzkz
+            SzV4TjhyZ05UWmRaZG1QZm9WY2ZHODdVT2c4CkdxT2ltZnl3Ujk4M3Y2eHJ5VTVz
-            dDZSSmFFOU9KUmVTQmU2c2J3dnBET2sKLS0tIDNOTmZ0bjNGc1VoNTd0OGFvZU5O
+            c1U3QmptTERxQ1pBY1RLL1NRWjhlOFkKLS0tIG5RbTZCL0JrN1dKekFFeXJBN1RR
-            bTA1M3RzclpGOFZHNEJtUmx1NE9ockkK0MnfyVCDLUl7LkgWM1qxbtrl+LL9PuD3
+            b2t4V2FuL1lBM3k3Q1Z0M08rTkk1dlEKnm6tg/qKVjzHCQJCcJFuOqKqWYnk78WD
-            2h5w1gLAKJumHJFbqYcxIo2haTQMgYb6APek0OvEkNlqp+piBo/tGQ==
+            1H2FYyCR4AB/H9W+qgPYsND5sGj3rmqXXaWPWKxO/DeT+i8Ur2btdQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dmkhlzvxemlufsydaed7vajm4cdpjwmqj3pmpvlljkjzlck8t4rswwph4j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTM2lnTEFUaFZBczJWOTAx
+            QlNReGFkWWpKT0Q1Q2R4MG8vVkU0OFBCUEdNCkRmNVhyVmtWOVBCdkU2WVVpRkhF
+            NmZTVHhieVBIYTRVUUZkM2lYeWx1ME0KLS0tIFJiNzR2QVF4ek9lU0hWWnJyRHF5
+            Z01OdDdUelFLeUNTSVZ4bUNQNDNIZHcKCBRiWCxASpO7tgCIBYOU7DqOxpT6krH7
+            u66QWXJ2gT0MeVloBv/qrqHv0p2JmECpG393XnHHBC83yNg3SawriA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-08-31T15:55:06Z"
     mac: ENC[AES256_GCM,data:KQraWMxoXkcrEHCG6R+M31qRCGMwXekA9hIgyULXLaCjkHHJ1JRovgMD0ujTgZVseLipXBCXzH2RJvErNDhozXyrSEpzU0hBb50c0BCD3yaSPojTFCHDGIt/9qi4YHVnOHBP7jVxrFSGk84TNgMqO16dUNsMu6faEYX8CpkHoZM=,iv:ci/kWQCWuV98YdCtgKqQCOgsfAup/pG4smoWvFXRWX4=,tag:2ivvnVo0+ft3BIts3axMGw==,type:str]