I don't know if i like this

nixosConfigurations/gerg-desktop/1_mon.conf

@@ -0,0 +1,30 @@
+Section "ServerLayout"
+	Identifier     "X.org Configured"
+	Screen      0  "Screen0" 0 0
+EndSection
+
+Section "Module"
+	Load  "glx"
+EndSection
+
+Section "Monitor"
+	Identifier   "Monitor0"
+	VendorName   "Monitor Vendor"
+	ModelName    "Monitor Model"
+  Option      "Primary" "true"
+  Modeline "1920x1080_144" 332.75 1920 1952 2016 2080 1080 1084 1089 1111 +HSync +VSync
+  Option "PreferredMode" "1920x1080_144"
+EndSection
+
+Section "Device"
+	Identifier  "Card0"
+	Driver      "amdgpu"
+	BusID       "PCI:15:0:0"
+EndSection
+
+Section "Screen"
+	Identifier "Screen0"
+	Device     "Card0"
+	Monitor    "Monitor0"
+  Option "TearFree" "true"
+EndSection

nixosConfigurations/gerg-desktop/2_mon.conf

@@ -0,0 +1,34 @@
+Section "ServerLayout"
+  Identifier "layout"
+  Screen 0 "nvidia"
+  Inactive "amdgpu"
+EndSection
+
+Section "Monitor"
+  Identifier "Monitor"
+EndSection
+
+Section "Device"
+  Identifier "nvidia"
+  Driver "nvidia"
+  BusID "PCI:1:0:0"
+  Option "SidebandSocketPath" "/run/nvidia-xdriver/"
+EndSection
+
+Section "Screen"
+  Identifier "nvidia"
+  Device "nvidia"
+  Option "AllowEmptyInitialConfiguration"
+EndSection
+
+Section "Device"
+  Identifier "amdgpu"
+  Driver "amdgpu"
+  BusID "PCI:15:0:0"
+EndSection
+
+Section "Screen"
+  Identifier "amdgpu"
+  Device "amdgpu"
+EndSection
+

nixosConfigurations/gerg-desktop/Windows.xml

@@ -0,0 +1,218 @@
+<domain type='kvm'>
+  <name>Windows</name>
+  <uuid>035e02d8-04d3-05e5-4706-900700080009</uuid>
+  <memory unit='KiB'>16777216</memory>
+  <currentMemory unit='KiB'>16777216</currentMemory>
+  <vcpu placement='static' cpuset='0-7,16-23'>16</vcpu>
+  <cputune>
+    <vcpupin vcpu='0' cpuset='0'/>
+    <vcpupin vcpu='1' cpuset='16'/>
+    <vcpupin vcpu='2' cpuset='1'/>
+    <vcpupin vcpu='3' cpuset='17'/>
+    <vcpupin vcpu='4' cpuset='2'/>
+    <vcpupin vcpu='5' cpuset='18'/>
+    <vcpupin vcpu='6' cpuset='3'/>
+    <vcpupin vcpu='7' cpuset='19'/>
+    <vcpupin vcpu='8' cpuset='4'/>
+    <vcpupin vcpu='9' cpuset='20'/>
+    <vcpupin vcpu='10' cpuset='5'/>
+    <vcpupin vcpu='11' cpuset='21'/>
+    <vcpupin vcpu='12' cpuset='6'/>
+    <vcpupin vcpu='13' cpuset='22'/>
+    <vcpupin vcpu='14' cpuset='7'/>
+    <vcpupin vcpu='15' cpuset='23'/>
+    <emulatorpin cpuset='8-15,24-31'/>
+  </cputune>
+  <os>
+    <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
+    <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
+    <nvram template='/run/libvirt/nix-ovmf/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/Windows_VARS.fd</nvram>
+    <boot dev='hd'/>
+    <bootmenu enable='no'/>
+    <smbios mode='host'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <hyperv mode='passthrough'>
+      <relaxed state='on'/>
+      <vapic state='on'/>
+      <spinlocks state='on' retries='8191'/>
+      <vpindex state='on'/>
+      <runtime state='on'/>
+      <synic state='on'/>
+      <stimer state='on'/>
+      <reset state='off'/>
+      <vendor_id state='on' value='AuthenticAMD'/>
+      <frequencies state='on'/>
+      <reenlightenment state='off'/>
+      <tlbflush state='on'/>
+      <ipi state='on'/>
+      <evmcs state='off'/>
+    </hyperv>
+    <kvm>
+      <hidden state='on'/>
+    </kvm>
+    <vmport state='off'/>
+    <ioapic driver='kvm'/>
+  </features>
+  <cpu mode='host-passthrough' check='none' migratable='off'>
+    <topology sockets='1' dies='1' cores='8' threads='2'/>
+    <cache mode='passthrough'/>
+    <feature policy='require' name='topoext'/>
+  </cpu>
+  <clock offset='localtime'>
+    <timer name='rtc' present='no' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+    <timer name='hypervclock' present='yes'/>
+    <timer name='tsc' present='yes' mode='native'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw' cache='none' io='native' discard='unmap'/>
+      <source dev='/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S6PXNM0T402828A'/>
+      <target dev='sda' bus='sata'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw' cache='none' io='native' discard='unmap'/>
+      <source dev='/dev/disk/by-id/ata-WDC_WD10EZEX-75WN4A0_WD-WCC6Y7FCSH2U'/>
+      <target dev='sdb' bus='sata'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
+    </disk>
+    <controller type='pci' index='0' model='pcie-root'/>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x8'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x9'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0xa'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0xb'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0xc'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0xd'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
+    </controller>
+    <controller type='pci' index='7' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='7' port='0xe'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
+    </controller>
+    <controller type='pci' index='8' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='8' port='0xf'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x7'/>
+    </controller>
+    <controller type='pci' index='9' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='9' port='0x10'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='10' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='10' port='0x11'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+    </controller>
+    <controller type='pci' index='11' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='11' port='0x12'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+    </controller>
+    <controller type='pci' index='12' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='12' port='0x13'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+    </controller>
+    <controller type='pci' index='13' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='13' port='0x14'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+    </controller>
+    <controller type='pci' index='14' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='14' port='0x15'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='usb' index='0' model='qemu-xhci'>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </controller>
+    <interface type='bridge'>
+      <mac address='52:54:00:05:03:2d'/>
+      <source bridge='br0'/>
+      <model type='virtio'/>
+      <link state='up'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </interface>
+    <input type='evdev'>
+      <source dev='/dev/input/by-id/usb-Logitech_G502_HERO_Gaming_Mouse_1974396F3638-event-mouse'/>
+    </input>
+    <input type='evdev'>
+      <source dev='/dev/input/by-id/usb-Logitech_G502_HERO_Gaming_Mouse_1974396F3638-if01-event-kbd'/>
+    </input>
+    <input type='evdev'>
+      <source dev='/dev/input/by-id/usb-Keychron_Keychron_V6-event-kbd'/>
+    </input>
+    <input type='evdev'>
+      <source dev='/dev/input/by-id/usb-Keychron_Keychron_V6-event-if02'/>
+    </input>
+    <input type='evdev'>
+      <source dev='/dev/input/by-id/usb-Keychron_Keychron_V6-if02-event-mouse'/>
+    </input>
+    <input type='evdev'>
+      <source dev='/dev/input/by-id/usb-Keychron_Keychron_V6-if02-event-kbd' grab='all' repeat='on'/>
+    </input>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <sound model='ich9'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
+    </sound>
+    <audio id='1' type='pipewire' runtimeDir='/run/user/1000'>
+      <input name='@DEFAULT_SINK@' streamName='win10-in'/>
+      <output name='@DEFAULT_SOURCE@' streamName='win10-out'/>
+    </audio>
+    <hostdev mode='subsystem' type='pci' managed='yes'>
+      <source>
+        <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+      </source>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </hostdev>
+    <hostdev mode='subsystem' type='pci' managed='yes'>
+      <source>
+        <address domain='0x0000' bus='0x01' slot='0x00' function='0x1'/>
+      </source>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </hostdev>
+    <watchdog model='itco' action='reset'/>
+    <memballoon model='none'/>
+  </devices>
+</domain>

nixosConfigurations/gerg-desktop/_vfio.nix

@@ -0,0 +1,204 @@
+{
+  _dir,
+  pkgs,
+  lib,
+}:
+/*
+  This section is just me bullying
+  the xserver module to do what I want when I want it to
+*/
+let
+  cfg_monitors = pkgs.writeShellApplication {
+    name = "cfg_monitors";
+    runtimeInputs = [
+      pkgs.xorg.xrandr
+      pkgs.gawk
+      pkgs.gnugrep
+    ];
+    text = ''
+      xrandr --setprovideroutputsource \
+        "$(xrandr --listproviders | grep -i AMD | sed -n 's/^.*name://p')" NVIDIA-0 \
+        --output DP-0 \
+        --mode 3440x1440 --rate 120 --primary --pos 0x0 \
+        --output "$(xrandr | grep -e 'HDMI.* connected.*'| awk '{ print$1 }')" \
+        --mode 1920x1080 --rate 144 --set TearFree on --pos 3440x360
+    '';
+  };
+in
+{
+  #hardware.amdgpu = {
+  #  amdvlk = {
+  #    enable = true;
+  #    support32Bit.enable = true;
+  #  };
+  #  initrd.enable = true;
+  #  opencl.enable = true;
+  #};
+  environment.etc = {
+    "Xorg/1_mon.conf".source = "${_dir}/1_mon.conf";
+    "Xorg/2_mon.conf".source = "${_dir}/2_mon.conf";
+  };
+
+  services.xserver = {
+
+    videoDrivers = [ "amdgpu" ];
+
+    displayManager.setupCommands = lib.mkBefore ''
+      if ! [ -e "/etc/Xorg/ONE_MONITOR" ] ; then
+        ${lib.getExe cfg_monitors}
+      fi
+    '';
+
+    config = lib.mkForce (builtins.readFile "${_dir}/shared.conf");
+  };
+
+  systemd.tmpfiles.rules = [
+    "L  /etc/X11/xorg.conf.d/99-custom.conf  - - - - /etc/Xorg/2_mon.conf"
+
+    # Everything from here down is almost sane
+    "L+ /var/lib/libvirt/qemu/Windows.xml - - - - ${_dir}/Windows.xml"
+  ];
+
+  boot = {
+    kernelParams = [
+      "iommu=pt"
+      "amd_iommu=on"
+      /*
+        Switch to this if for a Intel cpu
+        "intel_iommu=on"
+      */
+      "vfio_iommu_type1.allow_unsafe_interrupts=1"
+      "kvm.ignore_msrs=1"
+    ];
+  };
+
+  environment = {
+    systemPackages = [
+      pkgs.dmidecode
+      cfg_monitors
+    ];
+    shellAliases = {
+      vm-start = "virsh start Windows";
+      vm-stop = "virsh shutdown Windows";
+      fix_monitors = "xset dpms force off && xset dpms force on";
+    };
+  };
+
+  programs.virt-manager.enable = true;
+
+  programs.dconf.profiles.user.databases = [
+    {
+      lockAll = true;
+      settings = {
+        "org/virt-manager/virt-manager/connections" = {
+          autoconnect = [ "qemu:///system" ];
+          uris = [ "qemu:///system" ];
+        };
+      };
+    }
+  ];
+
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu = {
+      # Patch to disable hooking the mouse via evdev at VM startup
+      package = pkgs.qemu_kvm.overrideAttrs (old: {
+        patches = old.patches ++ [
+          (builtins.toFile "qemu.diff" ''
+            diff --git a/ui/input-linux.c b/ui/input-linux.c
+            index e572a2e..a9d76ba 100644
+            --- a/ui/input-linux.c
+            +++ b/ui/input-linux.c
+            @@ -397,12 +397,6 @@ static void input_linux_complete(UserCreatable *uc, Error **errp)
+                 }
+
+                 qemu_set_fd_handler(il->fd, input_linux_event, NULL, il);
+            -    if (il->keycount) {
+            -        /* delay grab until all keys are released */
+            -        il->grab_request = true;
+            -    } else {
+            -        input_linux_toggle_grab(il);
+            -    }
+                 QTAILQ_INSERT_TAIL(&inputs, il, next);
+                 il->initialized = true;
+                 return;
+          '')
+        ];
+      });
+      runAsRoot = true;
+      ovmf.enable = true;
+      verbatimConfig = ''
+        user = "gerg"
+        group = "users"
+        namespaces = []
+      '';
+    };
+    hooks.qemu = {
+      # Ordering is based on the name
+      "AAA" = lib.getExe (
+        pkgs.writeShellApplication {
+          name = "qemu-hook";
+
+          runtimeInputs = [
+            pkgs.libvirt
+            pkgs.systemd
+            pkgs.kmod
+          ];
+
+          text = ''
+            GUEST_NAME="$1"
+            OPERATION="$2"
+
+            if [ "$GUEST_NAME" != "Windows" ]; then
+              exit 0
+            elif [ "$OPERATION" == "prepare" ]; then
+              # Stop display-manager
+              systemctl stop display-manager.service
+
+              # Un-bind driver
+              modprobe -r -a nvidia_uvm nvidia_drm nvidia nvidia_modeset
+
+              # Detach GPU
+              virsh nodedev-detach pci_0000_01_00_0
+              virsh nodedev-detach pci_0000_01_00_1
+
+              # Set allowed CPUs
+              systemctl set-property --runtime -- user.slice AllowedCPUs=8-15,24-31
+              systemctl set-property --runtime -- system.slice AllowedCPUs=8-15,24-31
+              systemctl set-property --runtime -- init.scope AllowedCPUs=8-15,24-31
+
+              # Dual gpu/monitor stuff
+              ln -fs /etc/Xorg/1_mon.conf /etc/X11/xorg.conf.d/99-custom.conf
+              touch /etc/Xorg/ONE_MONITOR
+              systemctl start display-manager.service
+            elif [ "$OPERATION" == "release" ]; then
+              # Dual gpu/monitor stuff
+              systemctl stop display-manager.service
+
+              # Allow all CPUs
+              systemctl set-property --runtime -- user.slice AllowedCPUs=0-31
+              systemctl set-property --runtime -- system.slice AllowedCPUs=0-31
+              systemctl set-property --runtime -- init.scope AllowedCPUs=0-31
+
+              # Re-attach GPU
+              virsh nodedev-reattach pci_0000_01_00_0
+              virsh nodedev-reattach pci_0000_01_00_1
+
+              # Re-bind Driver
+              modprobe -a nvidia_uvm nvidia_drm nvidia nvidia_modeset
+
+              # Dual gpu/monitor stuff
+              ln -fs /etc/Xorg/2_mon.conf /etc/X11/xorg.conf.d/99-custom.conf
+              rm /etc/Xorg/ONE_MONITOR
+
+              # Restart display-manager
+              systemctl start display-manager.service
+            else
+             exit 0
+            fi
+          '';
+        }
+      );
+    };
+  };
+}

nixosConfigurations/gerg-desktop/boot.nix

@@ -0,0 +1,131 @@
+{
+  lanzaboote,
+  config,
+  lib,
+  pkgs,
+}:
+let
+  windowsConf = ''
+    title  Windows
+    efi     /shellx64.efi
+    options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
+
+  '';
+in
+{
+  imports = [ lanzaboote.nixosModules.lanzaboote ];
+
+  environment.systemPackages = [
+    pkgs.sbctl
+    (pkgs.writeShellScriptBin "windows" ''
+      bootctl set-oneshot windows.conf
+      bootctl set-timeout-oneshot 1
+      reboot
+    '')
+  ];
+  systemd.tmpfiles.rules = [
+    "L+ /var/lib/sbctl  - - - - /persist/secureboot"
+  ];
+
+  boot = {
+    initrd = {
+      kernelModules = [ "igc" ];
+      network = {
+        enable = true;
+        ssh = {
+          enable = true;
+          port = 22;
+          hostKeys = [ "/persist/initrd-keys/ssh_host_ed5519_key" ];
+          authorizedKeys = [ config.local.keys.gerg_gerg-phone ];
+        };
+      };
+      systemd = {
+        network = {
+          enable = true;
+          networks.enp11s0 = {
+            name = "enp11s0";
+            address = [ "192.168.1.4/24" ];
+            gateway = [ "192.168.1.1" ];
+            dns = [ "192.168.1.1" ];
+            DHCP = "no";
+            linkConfig = {
+              MACAddress = "D8:5E:D3:E5:47:90";
+              RequiredForOnline = "routable";
+            };
+          };
+          wait-online.enable = false;
+        };
+        users.root.shell = "/bin/systemd-tty-ask-password-agent";
+      };
+    };
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+      configurationLimit = 10;
+      package = lib.mkForce (
+        pkgs.writeShellApplication {
+          name = "lzbt";
+          runtimeInputs = [
+            lanzaboote.packages.tool
+            pkgs.coreutils
+            pkgs.sbctl
+          ];
+          text = ''
+            lzbt "$@"
+            MP='${config.boot.loader.efi.efiSysMountPoint}'
+            cp -f '${pkgs.edk2-uefi-shell.efi}' "$MP/shellx64.efi"
+            mkdir -p "$MP/loader/entries"
+            sbctl sign -s "$MP/shellx64.efi"
+            cat << EOF > "$MP/loader/entries/windows.conf"
+            ${windowsConf}
+            EOF
+          '';
+        }
+      );
+    };
+
+    loader = {
+      systemd-boot = {
+        enable = lib.mkForce false;
+        extraFiles."shellx64.efi" = pkgs.edk2-uefi-shell.efi;
+        extraEntries."windows.conf" = windowsConf;
+      };
+      grub.enable = lib.mkForce false;
+      timeout = lib.mkForce 5;
+      efi.efiSysMountPoint = "/efi22";
+    };
+
+    kernelPackages = pkgs.linuxPackagesFor (
+      let
+        version = "6.10.11";
+        src = pkgs.fetchurl {
+          url = "mirror://kernel/linux/kernel/v${builtins.head (lib.splitVersion version)}.x/linux-${version}.tar.xz";
+          hash = "sha256-+02gRvjBhRWfRTfe2IejCsxp2RxVWg/3+rxFIPWaMJY=";
+        };
+      in
+      (pkgs.linuxManualConfig {
+        inherit src;
+        inherit (config.boot) kernelPatches;
+        version = "${version}-gerg";
+        config = {
+          CONFIG_RUST = "y";
+          CONFIG_MODULES = "y";
+        };
+        configfile = ./kernelConfig;
+      }).overrideAttrs
+        (old: {
+          passthru = old.passthru or { } // {
+            features = lib.foldr (x: y: x.features or { } // y) {
+              efiBootStub = true;
+              netfilterRPFilter = true;
+              ia32Emulation = true;
+            } config.boot.kernelPatches;
+          };
+          meta = old.meta or { } // {
+            broken = false;
+          };
+        })
+    );
+  };
+}

nixosConfigurations/gerg-desktop/git.nix

@@ -0,0 +1,31 @@
+{ pkgs, config }:
+{
+  programs.git = {
+    enable = true;
+    config = {
+      user = {
+        name = "Gerg-L";
+        email = "GregLeyda@proton.me";
+      };
+      init = {
+        defaultBranch = "master";
+      };
+      push = {
+        autoSetupRemote = true;
+      };
+      advice.addIgnoredFile = false;
+      core.hooksPath = ".githooks";
+      gpg = {
+        format = "ssh";
+        ssh.defaultKeyCommand = pkgs.writeShellScript "git_key" ''
+          if ssh-add -L | grep -vq '${config.local.keys.gerg_gerg-desktop}'; then
+            ssh-add -t 1m ~/.ssh/id_ed25519
+          fi
+          echo 'key::${config.local.keys.gerg_gerg-desktop}'
+        '';
+      };
+      push.gpgsign = "if-asked";
+      commit.gpgsign = true;
+    };
+  };
+}

nixosConfigurations/gerg-desktop/main.nix

@@ -0,0 +1,218 @@
+{
+  lib,
+  nix-index-database,
+  nvim-flake,
+  self',
+  pkgs,
+  config,
+}:
+{
+  local = {
+    DE.dwm.enable = true;
+    DM = {
+      lightdm.enable = true;
+      autoLogin = true;
+      loginUser = "gerg";
+    };
+    theming = {
+      enable = true;
+      kmscon.enable = true;
+    };
+    allowedUnfree = [
+      "nvidia-x11"
+      "nvidia-settings"
+      "steam"
+      "steam-unwrapped"
+      "steam-run"
+    ];
+    packages = {
+      inherit (pkgs)
+        bitwarden-desktop # store stuff
+        qbittorrent # steal stuff
+        pavucontrol # gui volume control
+        pcmanfm # file manager
+        vlc # play stuff
+        ripgrep
+        fd
+        jq
+        wget
+        xautoclick
+        prismlauncher
+        deadnix
+        statix
+        #element-desktop
+        vesktop
+        gh
+        nixfmt-rfc-style
+        prusa-slicer # 3D printer slicer
+        # QMK configuration
+        #via
+        #qmk
+
+        ;
+      inherit (nvim-flake.packages) neovim;
+      inherit (self'.packages) lint;
+
+      librewolf = pkgs.librewolf.override { cfg.speechSynthesisSupport = false; };
+      nixpkgs-review = pkgs.nixpkgs-review.override { nix = config.nix.package; };
+    };
+  };
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  hardware.nvidia = {
+    package = config.boot.kernelPackages.nvidiaPackages.beta;
+    nvidiaPersistenced = false;
+    nvidiaSettings = true;
+    modesetting.enable = true;
+    open = true;
+    powerManagement = {
+      enable = lib.mkForce false;
+      finegrained = lib.mkForce false;
+    };
+    prime = {
+      nvidiaBusId = "PCI:1:0:0";
+      amdgpuBusId = "PCI:15:0:0";
+      #sync.enable = true;
+    };
+  };
+  services.xserver = {
+    videoDrivers = [
+      "nvidia"
+    ];
+    displayManager.setupCommands = lib.mkBefore ''
+      ${lib.getExe pkgs.xorg.xrandr} \
+        --output DP-0 \
+        --mode 3440x1440 \
+        --rate 120 \
+        --primary \
+        --pos 0x0 \
+        --output HDMI-0 \
+        --mode 1920x1080 \
+        --rate 120 \
+        --pos 3440x360
+    '';
+    serverFlagsSection = ''
+      Option "StandbyTime" "0"
+      Option "SuspendTime" "0"
+      Option "OffTime" "0"
+      Option "BlankTime" "0"
+    '';
+  };
+
+  services.libinput.mouse.accelProfile = "flat";
+
+  programs = {
+    steam.enable = true;
+
+    direnv = {
+      enable = true;
+      loadInNixShell = false;
+      silent = true;
+    };
+
+    nix-index = {
+      enable = true;
+      package = nix-index-database.packages.nix-index-with-db;
+    };
+
+    adb.enable = true;
+  };
+
+  nix = {
+    settings.system-features = [
+      "kvm"
+      "big-parallel"
+      "nixos-test"
+      "benchmark"
+    ];
+    extraOptions = ''
+      !include ${config.sops.secrets.github_token.path}
+    '';
+  };
+  sops.secrets.github_token = { };
+
+  environment.etc = {
+    "jdks/17".source = "${pkgs.openjdk17}/bin";
+    "jdks/8".source = "${pkgs.openjdk8}/bin";
+  };
+
+  services.udev.packages = [
+    pkgs.android-udev-rules
+    # pkgs.via
+    # pkgs.qmk-udev-rules
+  ];
+
+  networking = {
+    useNetworkd = false;
+    useDHCP = false;
+    hostId = "288b56db";
+    firewall.enable = true;
+  };
+
+  systemd.network = {
+    enable = true;
+    netdevs."br0" = {
+      netdevConfig = {
+        Kind = "bridge";
+        Name = "br0";
+      };
+    };
+    networks = {
+      "enp11s0" = {
+        name = "enp11s0";
+        bridge = [ "br0" ];
+        linkConfig.RequiredForOnline = "enslaved";
+      };
+      "br0" = {
+        name = "br0";
+        address = [ "192.168.1.4/24" ];
+        gateway = [ "192.168.1.1" ];
+        dns = [ "192.168.1.1" ];
+        DHCP = "no";
+        bridgeConfig = { };
+        linkConfig = {
+          MACAddress = "D8:5E:D3:E5:47:90";
+          RequiredForOnline = "routable";
+        };
+      };
+    };
+  };
+
+  #user managment
+  sops.secrets.gerg.neededForUsers = true;
+
+  users = {
+    mutableUsers = false;
+    users = {
+      gerg = {
+        useDefaultShell = true;
+        uid = 1000;
+        isNormalUser = true;
+        extraGroups = [
+          "wheel"
+          "adbusers"
+          "plugdev"
+        ];
+        openssh.authorizedKeys.keys = builtins.attrValues {
+          inherit (config.local.keys) gerg_gerg-phone gerg_gerg-windows;
+        };
+        hashedPasswordFile = config.sops.secrets.gerg.path;
+      };
+      root.hashedPassword = "!";
+    };
+  };
+  boot.initrd = {
+    availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "ahci"
+      "usbhid"
+      "sd_mod"
+    ];
+    includeDefaultModules = false;
+  };
+
+  system.stateVersion = "24.11";
+  networking.hostName = "gerg-desktop";
+  nixpkgs.hostPlatform = "x86_64-linux";
+}

nixosConfigurations/gerg-desktop/secrets.yaml

@@ -0,0 +1,30 @@
+cloudflare: ENC[AES256_GCM,data:RZ+Smjn1nvnkxYAF56fEcBsFvO3YY+FWJ8wb0c72sxQleRjy9tVp7yDr9gRfUg3G,iv:mGaFxKFLrIouNhyqq/nBKaKub1WfekcCeHVLASQpBCs=,tag:xKl5EHR9g7d4pJkt49BLyw==,type:str]
+discordenv: ENC[AES256_GCM,data:GQVGLVlIutSEyCZYiGfc2ON4yOfCtKEApRYLHn98xKaflEQtgbhF62vwzKCc9hYEoqHH8L5wF1shqD0qJqVjJSwpVqiMJnWg7UMhxJ+sf+6QKkcrcy9W3oZx3YPd2PrbjaZTBpM1fq+Ccs/6zrs3WIZhR6At7qwnuSm+XjOFHsFwamqgrikhzgWzdrPXysiYMYglQ4IxjuJbgMbW+v/9qvfzf1DUIVpbFYHpUgOko1pR362YBe8yxv1arWJzejzxX/6TG3TLoyaa3H0lA+ch9LMp0cy9x2A2E1WufuC+tbXITNiHVWPlUUf233g=,iv:HWY/PXuVOyMNAiPdv1G0ysGcbdbk3YgCVp3eNkkdTl4=,tag:RhSH0KsppNCX0TcjZFttLQ==,type:str]
+reboot_token: ENC[AES256_GCM,data:/3QP30OUZsFaagj9Ljde1jz5nxZA6jp6/B6pmlponepRy3uZJ2jlaYQ3EBDiv5L413ecfWePAeWlX07eZ08JIRdoO5Ky52LM1+nPHMJFXzQ0h2onz4RVQAM=,iv:qiRk93LM7+3QmW27ItoWYGo7PLlu/hpprcPdnOaCBdw=,tag:X9kEov2FOrsIqkkStLegPw==,type:str]
+searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str]
+minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str]
+gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
+store_key: ENC[AES256_GCM,data:2XioKwoH0V5QuedXl4w2IFrT2qOQWF0kbchYTMhyL9BaUqYHhXQi4buvKUVbBQ8AnzD1GJT3ZRy1S13CxEkdQvXE0IY0iX5nkTJtI3VgpiF64wfvZqcLQGaaNTCg+AEDP304KtIZZiao,iv:PV0bORWHoRDM8HvFwOI2sl7QjfD9G0VXSZ9RrPBUsyM=,tag:caVnOow466eBT/5bqYU0Iw==,type:str]
+github_token: ENC[AES256_GCM,data:nIWnOvoO8jcoPvKIF4TDdMZxO5H+mAEjLOfQpPmIh0gUSHjadFCwdI0FpMN3D/+8zUXVuAWd2FfCdzKIxGApGqlXAn3aajkUeBK8rYF554COuxa4B43SjRlfvanCZyfsbxzFxoO1RDlzHUMUSzYgFE8wdvj804luIA==,iv:OcRPCZP3KIKv+OuS28jIEp5zQyFw/41gMMdPBVj5N9w=,tag:t+oJDxqwyFU92kDh0ot+6w==,type:str]
+gerg_ssl_key: ENC[AES256_GCM,data:pFcpNaMidtLjmVopk6hkDQy4RB8m1Wg0lJpBE04vBlXsCEQ0kP3ZHVN5gT+meu+8DVh0MXag7CNArjWOBQQme+br2J2cCfayHSPiOo2aZP1ZEhmm/aLD3PCK/Goo4Qnp38ypyqrRp7H1I5wzFeiE97oI3jk3CbSgBCjAiD4N7FOKWbXurhBsU3Qulbeyup8eQS7NYdF0aY4a10nLiRrhyefIXpTMhiKBA5dwSfa0VGNOnPvjri4hvA3+nGqDkQBav2t3zb+K3bonx7hYbzW4kzNYPviMTirKPBSad4V4E/+GtZ6N1dpZhE0ADrGsN1ycFnbXG5sic0311cM1xiOZLlSpWC5uLHq257MxwG+pTS22Gc43qhUupTbygPiBihoQFo1BQKSSELwUBymf6iZ1MmEp3b/CDZoZ4eHCFMKsrvdn9gA9Di/tz1wBRZmFPczBmUYxOBMR2QRtct+RhRYPs3+J4GKO9doZ/2uxlMUlo8logD/3KnbvhYQDcpdO0vsOoecVlDRl73RDkNR1NUwuSHubRQKU+ucp6ZCW+uL/1fcXs5PrdjhLsgh2t/vNjZT9Lr3upnkITxQiA5BIx8lNbe2SHYOKnW78KdVJTyJhcNXtu4uS+34me+x4iVNqmW6QbpmImbQHetUAdJMqzT2wE3ha8WV2jyjpYSkRWCjbYBJtT4ScBRPVYXZZJiE0iBBxgRZ4x1tFtl0nGhITQZxWo9Wlkp+5TcLfL5rX/NSSXAkYvBVZQoftgi3/aO73sS8hGm61o2DbD4Q2MLm1fe9nP8oNtzIdtT79xMEj1Dow7Hz/xRwIVHynVKfclVusx4aI3gZs4tWLJIGTUFK5zlFn1aLg2lOOhN5wXU1VaQ9vClO8wEINcw4zLWzjfoDq6NkK6o1se3TzjmC+aYaEGt+vYxiTI14nAtRx8IBB7iyBNp0SgMcgIHl3UuzNGMz4suVDne28G4BOmY6+FkA/wgaYbr5ShY8d+FyaHecX+ohfPBvPDm4wZwRNfaIdFcrvJ3JpqGEGgDEY3mE6eUeRe4VvfMEkkJeCpstHObC9wmkQ/gMOUsk8Q4A1nrZ/BHQxeltn6pYaZT0escjO7IITE4vT0y8/Q2nwMRKp+cDLTyO5yl/4SanPN3N6cYs6ze6jp2zo/9ue9t6YoX0TfpOr99sHinwFmlxSbXeisevZhGYFiVHQjNMaN8w/5/8t/FKrbcwmMQ3LgtGXCfP+5rwvIHVFq4+ItkGoWzw2sDio5vOa5cbYDmV4nq/OJzVbjaIdNGpagHMKK/Lbe/Xr/+GuZxJ7wS5x4ViZtCUDUCtqmFb3foxANM3REZTn+TIYjkKCXklEjVsbcOKRH6dKGQqYQKkeDZyOSiA6DsNwMvqM92oDmnpsSAFTTSxUGic1mnKBEZDqMDA7gfYZLDZM2SL4e9yyj27jv/PDGTL2UEfLfRTkiLcUL3THU3ak9HHymROwp8yWtJ3divDawyghZJEUY/m+WW0wP+SI0ckKEl3sB8fCK6DCAPASK2WVfJ9VzZKDIr7caFHnP+hXndLg40r4IQmClwYcCyO7EZRu4W4GLtCR5tdt2ef9ys0S98/d+Wh3ZQnDOJWQk7AL9FgEDxpXvbN4rOVCWG5HpGIM7RdgCXSluvdfiqv9uL69DsjMbJIFU9OXPm0CPRifKybQNCWbCrwxgGmp7dlSbk7Y7vyz7QAwiBzjiBAPUUipbssq4bJlyT2KJdjKpd4HYVHv0yMWOlmIGxV55XbS/ieItUxjSG+JNODZhclerlR/axaWxZJ1aKleFKbnAZ0F4ugzv05p+HSlRg9h8KHbaXfaFkyO7NLyyk47YMCcTGLXVmIFsPMUcECBqZV/l5vcswcRqwSygT7TR9lewchn1Csido5+ndrr/42kzdFccTfBdt75/WJAdkrS2+vhRH7X8PR1KLD6InSvFFYxDBgTuaJGwwiF2tMvKypyp0Zk2nPp+h1vIWxQQKTe6SVoLzPejMQToqDfiq0g0JK8CiIVne3mOTXQTHT8n+7YgQp73XAJaR2HmTQNa8XcmdCtJ6tCqNGygMSicK1siBcTN/xB2JGLNC4zviK4aFgmeODNdE99nCccU799IbSQrhyMEwmjP2+hSwz9fumwhJfLMge/eG7BqKuaA03402+JVNuAphmSTPXGpu/nf2YHdZ2mMqoqzoAtAmuQ+EcUipvjkSLfEWPp0FczubIVGT5jvnndLCzpIIRio9y/HpRJszdEDfGcDHM1pftxI08q8oVxW1R7SGjibVia38G6ZCJaMX4FdHZlIQ3dsC+A5T4rgxozOfzUTPczGdiMf1+6AqXrVYFvsvn/IwTG8mbTlFmYSWjyr34YfCoHEteeqgGzXd+eTOX46OgbBcOx/6dXe7enoN2fq3Obsp6sSDroRm4SwIve1umO8uAgU6dsqIjGwz+BtvdWs09KyJyvujmx62egpZH54yztnhLSX4Tz9M9CECZiLDm1zMXIFIAyb7LkuajAxeM0mkuYf64BTQXbxB5NjxvXO/DGPGfpGn94YNRzBE2qtBJVN+0j5UnA86tJqFKb9oa1bwALzH2sGmjKXg5aLbbbzvx+10Vz1gqx9OaZU6eG/3zUDnhKcUaWjWjEAFZpFNigadPpOMOK4NViE65zbfkfiabDzIlNaR6sRNDL+7MNZC5a1092Y00FSm2oUlRiKmRlEAHypCzcRNuCZfJ5cYXKkOZAcQT0p2unM72BtpNlQq35xG4QE+q6JA7gfi1Xx/g3kki7YwuNMbdyh61stikqC68RhN6ICtmKfGQiycVJwn78CL1AsGtcAFHhYqmv8mRTuan7fA7DnmLKDewghHA01CKczakhhr8p5PcLLtzzO41Au/lV34qlqUPU5DBCg5EnvZaZh2toxA6W3TfKwkPsb/B4QYW8CPRHSBUq3SjkHbgjR+P6HLOGsmuG4Kpg2RlNfFSdhTyhc3yP92lC5ZFZuY73C+TkD5RQ6dvytQfBtlhF7MXbgK5qpnypDAMAOCwT8t+aITNOwDads8XoiZRfZ5d3g669d2auZKmjfoEXvlqvaUhou97xFNOrMXmToDQk0GTjWPhClbEoPISZA30mEnWbRtyZS83igBruZ9OP/5xoanmp36rUMMr2MYxHw3vkOeUtnFHJNARTBFAsRV/jZxgEE64yP0IXc/VJgHUGpHaKsy29tf+TvhEwQ3f4BxVr6ltkZiv1r4PSxdTrA74dz88MJWUDYI8Q4mjBthWDwyi0bZ4+tXuEzX6bHBZHOJLA/23b0cKePLk3YpF0QnnPBzU61W8piv+7/4Xa50z9puEK5240EqhjQaLpyPSV3ee1wh2t9B3bV3z/p0zmYxFLhpMTLAVpEWGfcu8c/nX1ErlTh1peTzzxXZZm6uf9leB9zCiP5d9AS0vmhOR7EB82Lj3TtEJzZ31We+ntUgYynjbjtaYMvKB73WeFWzVRYqMKqNgPYj8C214gJZXtiLYKdw188nSTp8BprDd1mdiT0Gb0nKc7sgZLatJ3AGtky3pSYH8chQMEO1sAzob1U5DDLvFI5JGZwBosKqJicOGn/Gy8Dd8UqDc75+xHkYY21K7/XZP3rwaIQatCk2N+7lbPY1DoFwua+1q7ySIJiRRl/0z+emrN+wCtyCeNarpTbEjpf0sRLFa/OX0NjyMrpFE2QZyv179E2oyShIeLRVHQlxCJZiBt+1YCx0QIz//mCU5TAg7fDVZShr6viAMzY8vh4YaSmgf6QomNIB6NDmS2+Boyusvz6eL1g0/RER+nb1Riiel1FzL7olII/RlhCNt+5zBdnDyAhzWE90QsYJWW/s9HK0EITcp7zpr4ukJvzCo2Sj9rIfohnLjc9fvDNpI7YuUEfAPY23kMApF4Uvfsd7uM/hit5kNVxlkJrZYSojOelK1535ClKiVtlIPed/N/jbz8CztUWIryck16KCT+oZGYTodw1OZlQnmgHF6SOo/5EG+85rwIpSwNqyLsf45RiLpVfAWqF6AdFH0Yhy5ht1p/vO5xXUGyNp0qgZG6tT2/BfTUB5Q5WhW0COfzelL5X92orWJKM8PeeAQtJ9tteLTwgJWk1Ld3wjKkY1lKzclyY/u/XUurjXaWflFXUKc77q7yRxwucsiIVRcJYcHxbCeB/5yj3+zL4hK6QsY1cwbbSPSeBibvOW2Aj9bKCrCm6DDf18rhXFlrRhlt5tOIjHveVBBy2qjTZWjcypuFZE2Yhhltb2BSf7mes+D9CO62wDBF6K9EcbwWWcvWjS20BbvCFkxKkmDfsP/lmU+c6j5hvAdWA4/SK5eXzMN/VVQ5S9oc1Ahc15PKGs9mjncNBm20ddicB2kNKGPqF4MMLJUeHDE=,iv:fq1npi+bC2O1OqsizTAgK6qRf8MG98ACyydnGGNptwQ=,tag:kBR6cPmS7uvWlRo1CLQG3Q==,type:str]
+gerg_ssl_cert: ENC[AES256_GCM,data:55drf/NNtx1cTvGLGeISskau3dzXIFl0+KdyNWoy1078bHqiwni/0rQrtpZ8xCCnNs/xRBREWMcgPfMHbGScANaSQofhelleH7OVB6r5LXQdQQ/UA8mLhIasiifaCLzjsG/Y9Ab5vQV1NPJpJ5eI7//tsyeuBhR8AsZQpLxtA3DMzhT3imAzqLVMy0Gc5i/SsnxOeK1NfZf5qiC11ThXahvbp0RLxSsehCVnwZtjLka7/BaFqVqN8R4FkpPvyD7ONYLbIDpPjoKM452NOGsonGYIO9qyoqh0TLXfNnYNlm67TpvRxXZ6WdUSLfpiekdFUhL+/Rv6f/abTcmSqtRb8kEsCA7/CYPL7e0iIuMnwFuM44mks8M9pbXZmm51eaoB6jLSD/fuHv1xIlv25vYlmbfxaXMkNN6L9SLUJ2buFjufvTFjcf4rxZqvHdCBP3gblaUJw1a8MNhlD+naEff4up5eYkdvzxdoBAZRcsstUNEUlKS0HdOmUGv7M6iGBz3rimW9KXXhF2tTzTaL2H5k4WlGID55pswKG4X3Xcr6V/r4dNzOp3LSh5MB3oxqx8aHGqFO53PUzeXFX8m08sHA8cXiC/y9nEhpGzVYbSbmjSqPgA1M4tqwOqEDNdXYzAOE/UM0Fnvsxi5DjOc4XM+GJzRP+VIWBh2vxJl8ro5Bb9llnA9gZCQJ40fwPfUupX+ZZcO9gdPoa6sd9zrPtpFiR960FyIw6AdY8nKAxippm5cG2ALYqPfOUfWUOPxGBH3sdRhkuP1wG5zo/P7bXSMVKf/OH7RUF1PyH2EnhLn5+nxvP0IWZj+GO+qvBAaqZa6rXGtB/FAPky+leSLlamfq6eL9C+dWEVGDwX9KYRsgAT+XnvaZ3IsOJoDdp3ZUNVuT61OdQniXArrpDUf57AmhddkqaNu1sedmerMc0Ikm1kVEmqiSmZ70bZQtG9qbZ8bVqvTwjRs93W+HE6BpLHtysK5x+XPqcmK5OjF+8ABPGjOck8LdWgpHERcxPgcNAyf8c23fnaQuTqPbsJ6w++Mb6llHjt82tdL65BTWuqS9MFQxkkOI3ic6eYHOL0AalkLlBHS64e8KWhtVwxJMLVaO8Azhs09aRsDrnLz52YtvUI0sGxT3rqV8GWgKARqIQf3X5LvP2Q/50ov35zufnMCYG0o0d9wp4PB0wBTTXn2Rqw3uF8ANRZ4slcmUzxS3LGTPfF0Le+X4aPvziYehFSTGiKieH7MO3rV1fPvkpn1S89k6F4eR3KjhkMZ528NGD48kgXeFkSedDOuPkVv+5j7jkFPVAMW3v2eXVHf9i69rxvb9+7S52UuRZhOPVeB2Pj6CLCYGc5gguIctqN2uCW2F1mwZN7FdlDov3BrqHEGUn5Au4r20x7/oKdSHicLmmf5AiVuHJanQQ4Nt3EBSaZwFBbJAr4UMYoXJN9p8EuuZ+88Xdm+X9gyIMcrLEEf95EB5zFCxDhbd02A+R4Ou/dhxK1r0Ma2s74FJX8/joo+ybx2yrpVGztnH22mSAgzQ8ZTTrbHItdM7X7vUKDWeqpglzZpEIfiXRvZtQzj1U1/wAvcyzJyfMtWfj00jSkw0BABbKSf/sdutowmmEvKrxeihDwY4X8Z4Y237ipZDaDKS3+YRS3DfKyXBcQT/7UGAqanJaEzQrNWr1WXucVrsimxMcbhUgcvrughXWGk+bQ9ZtZUwuUE1rblFRG7vDQ2GzDaVq+dtYUHMiwJasrdnLT0Bf2CM9ShsH9/e9XeWOL96vlCSG0Ao4icq09D+0Flx4yjRGDsrSCMsecjuirRmvICsdo9eDVrSwvE35ijcBenTQje8Pjhl2bwoobt6qkGlc2sOu21wnq2JHXMvE5sPIRKLvDGbb6mhjt5fywIlHrxWAVl9vmzK4w0qciyjyvRTdXc1hk+toANC2WrcG95QIytK4ODSLB21+37HWi4/EA4PtCL4Bk4DpnvqutxN5eZLJd6aTAOy1kN2Uz68QNbzQ9ZoW4pmWA0uG4G2zis3IQSG2JJp+VPkm+8C6A122XfN7S8yr4HrKA/ZW/6W6HHH13IGqxQyrjkJm7eGNBebA02eXkG+b4mjTRhpZxPRFR6ggj1umouwQPffc4qFrIsXci+1qN35FfkiZaM6s5Jg952h2tj/y7YUJ+uVEIvJblvHpv9yWxVwtcX6hYPPNzJWIZcLrMLaIzKJS3S3b0t4fBpJAyM/u00izJ79fiyCnUQ4beLLhAiGg0S0Zihpcjqdr9+5DiBGAmE3GRNsGHWVtr54z4EeGlT8vPfc4yUK021K6dj7YtysP9OxtW6rKRGv3GF3l2tCn3i+9EbdUTtY9cu8aQ5Nuvr6luLAWwJJWGcWECE17I9DJ2HYWnbuZm3uKFBjNAE4cM2mMeEvFrgIT5j0k0CQB5PmjsOZsTI9NLEynn733UE+d7ycKx8Eq8zdqFbcE1vfGVNy/j9lHfRtgJtNKAlSmNBHBXn9qHDSGqqU4oc8J4yugpnWOhoJoVyTTnI1bfWNgEDVk+DIz98SYY2uh3JGI6lw5TNrO5g+WFjVCcS3w2mJ82KOQCo5BHgHafuuy8QGdNBReoKhuH553g9/7bD/qS6NIguDfSiLtFybpItsthRbx3qFX3w6iRBA2EjlpZPuSkgxgZua19Eefgz/UrcQAjGRCI2pXIDeeqsPhMHfNGmw3PpxK+K1,iv:VHH48PmpIsrWOtTqHmmT+q7CE+HmsEX9+DaXmGXreFE=,tag:s+zhy9blkNBUZDD8cJJnyg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age180y8kdtdlqelayyz9mq2c7xv248rh4gdfr3amjzvdcjrz6wdaqmsj762pp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NWRPckFGSDlWZHpFSFFo
+            bHMxbHNhRmdEVUJjdnpjeEIwYXFJWUtuYVdBCm13bHVudzBKaXFwVW0xRzErYW9J
+            ZUN2QnhjZndVQUUxSTFJZWF6KzFzNkEKLS0tIDVmcnd0WGtLK2dFR3lqWktDd1hG
+            dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
+            MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-12T23:25:07Z"
+    mac: ENC[AES256_GCM,data:5qyOCYaKi42Yeqgoiu/csmWbDN4KlQHgtuz9GoW1UNoUNMPgBfIXSE5gtOjMT4j7qQ4JC7zIfIG8UZ7S/HgrnDemjlr5z5U2Ub+eVoV38Ve+i2V0O91RPQZ5lyRdCKTNSlLvob4W8uMJAtUeI3Zemv2DB/P7RMtMuz2kZmPwpD8=,iv:wZfTu3Ss7nb60fok5CbB99NXpcqPRSfAUhuliK5bTnY=,tag:pj3fYSSHFhdY9oXK4CUh0Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

nixosConfigurations/gerg-desktop/services/ddns.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  pkgs,
+  _dir,
+}:
+{
+  sops.secrets.cloudflare = { };
+
+  systemd.services.ddns = {
+    reloadIfChanged = false;
+    restartIfChanged = false;
+    stopIfChanged = false;
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    startAt = "hourly";
+
+    serviceConfig = {
+      EnvironmentFile = config.sops.secrets.cloudflare.path;
+      DynamicUser = true;
+    };
+
+    path = [
+      pkgs.netcat
+      pkgs.jq
+      pkgs.curl
+    ];
+
+    script = builtins.readFile "${_dir}/ddns_script.sh";
+  };
+}

nixosConfigurations/gerg-desktop/services/ddns_script.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+if ! nc -zw1 api.cloudflare.com 443 &>/dev/null; then
+  echo No Internet access... bailing early
+  exit 0
+fi
+
+IP=$(grep -oP '^((?!fe80).).{22}ffee.{5}' /proc/net/if_inet6 | sed -E 's/(.{4})/\1:/g; s/.$//')
+
+func () {
+  RECORD="$1"
+  ZONE="$2"
+  PROXY="${3:-"true"}"
+
+
+  REQ=$(curl --silent \
+    --request GET \
+    --url "https://api.cloudflare.com/client/v4/zones/$ZONE/dns_records" \
+    --header 'Content-Type: application/json' \
+    --header "Authorization: Bearer $AUTH"
+  )
+
+  readarray -t AR < <(jq -r '.result[].name' <<< "$REQ")
+
+  for i in "${!AR[@]}"; do
+    if [ "${AR[i]}" == "$RECORD" ]; then
+      ID=$(jq -r ".result[$i].id" <<< "$REQ")
+      if [ "$(jq -r ".result[$i].content" <<< "$REQ")" == "$IP" ]; then
+        echo "IP was the same, returing early"
+        return 0
+      fi
+      break
+    fi
+  done
+
+
+  curl --silent \
+    --request PATCH \
+    --url "https://api.cloudflare.com/client/v4/zones/$ZONE/dns_records/$ID" \
+    --header "Authorization: Bearer $AUTH" \
+    --header "Content-Type: application/json" \
+    --data '{
+    "content": "'"$IP"'",
+    "name": "'"$RECORD"'",
+    "proxied": '"$PROXY"',
+    "type": "AAAA",
+    "comment": "",
+    "tags": [],
+    "ttl":  1
+  }'
+}
+
+func "*.gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8"
+func "gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8" "false"
+func "ipv6.gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8" "false"
+

nixosConfigurations/gerg-desktop/services/forgejo.nix

@@ -0,0 +1,40 @@
+{ config }:
+{
+  users = {
+    groups.${config.services.forgejo.group} = { };
+    users = {
+      ${config.services.forgejo.user} = {
+        isSystemUser = true;
+        inherit (config.services.forgejo) group;
+        extraGroups = [ "postgres" ];
+        openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
+      };
+
+      ${config.services.nginx.user}.extraGroups = [ config.services.forgejo.group ];
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    stateDir = "/persist/services/forgejo";
+    settings = {
+      DEFAULT.APP_NAME = "Powered by NixOS";
+      server = {
+        DOMAIN = "git.gerg-l.com";
+        ROOT_URL = "https://git.gerg-l.com/";
+        LANDING_PAGE = "/explore/repos";
+        HTTP_ADDR = "/run/forgejo/forgejo.sock";
+        PROTOCOL = "http+unix";
+        UNIX_SOCKET_PERMISSION = "660";
+      };
+      ui.DEFAULT_THEME = "forgejo-dark";
+      service.DISABLE_REGISTRATION = true;
+    };
+    database = {
+      type = "postgres";
+      createDatabase = true;
+    };
+  };
+
+  local.nginx.proxyVhosts."git.gerg-l.com" =
+    "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
+}

nixosConfigurations/gerg-desktop/services/immich.nix

@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+  users.users.${config.services.immich.user}.extraGroups = [ "postgres" ];
+  services.immich = {
+    enable = true;
+    openFirewall = true;
+    database = {
+      enable = true;
+      createDB = true;
+    };
+    mediaLocation = "/persist/services/immich";
+    machine-learning.enable = true;
+    settings = null;
+    port = 2283;
+    host = "0.0.0.0";
+  };
+
+  local.nginx.proxyVhosts."photos.gerg-l.com" =
+    "http://localhost:${toString config.services.immich.port}";
+}

nixosConfigurations/gerg-desktop/services/minecraft.nix

@@ -0,0 +1,94 @@
+{ lib, self' }:
+{
+  # I manually switch this sometimes
+  config = lib.mkIf false {
+    networking.firewall = {
+      allowedUDPPorts = [ 24454 ];
+      allowedTCPPorts = [
+        25565
+        25575
+      ];
+    };
+
+    users = {
+      users.minecraft = {
+        home = "/persist/minecraft2";
+        createHome = true;
+        isSystemUser = true;
+        group = "minecraft";
+      };
+      groups.minecraft = { };
+    };
+
+    systemd.services.minecraft-server = {
+      description = "Minecraft";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      script = ''
+        ${lib.getExe self'.packages.fabric} \
+        -Xms12G \
+        -Xmx12G \
+        -XX:+UnlockExperimentalVMOptions \
+        -XX:+UnlockDiagnosticVMOptions \
+        -XX:+AlwaysActAsServerClassMachine \
+        -XX:+AlwaysPreTouch \
+        -XX:+DisableExplicitGC \
+        -XX:+UseNUMA \
+        -XX:NmethodSweepActivity=1 \
+        -XX:ReservedCodeCacheSize=400M \
+        -XX:NonNMethodCodeHeapSize=12M \
+        -XX:ProfiledCodeHeapSize=194M \
+        -XX:NonProfiledCodeHeapSize=194M \
+        -XX:-DontCompileHugeMethods \
+        -XX:MaxNodeLimit=240000 \
+        -XX:NodeLimitFudgeFactor=8000 \
+        -XX:+UseVectorCmov \
+        -XX:+PerfDisableSharedMem \
+        -XX:+UseFastUnorderedTimeStamps \
+        -XX:+UseCriticalJavaThreadPriority \
+        -XX:ThreadPriorityPolicy=1 \
+        -XX:AllocatePrefetchStyle=3
+      '';
+
+      serviceConfig = {
+        Restart = "always";
+        User = "minecraft";
+        WorkingDirectory = "/persist/minecraft2";
+
+        StandardInput = "journal";
+        StandardOutput = "journal";
+        StandardError = "journal";
+
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "" ];
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+      };
+      preStart = ''
+        if [ ! -e "eula.txt" ]; then
+          echo "eula=true" > eula.txt
+        fi
+      '';
+    };
+  };
+}

nixosConfigurations/gerg-desktop/services/miniflux.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+}:
+{
+  sops.secrets.minifluxenv = { };
+
+  services.miniflux = {
+    enable = true;
+    config = {
+      BASE_URL = "https://flux.gerg-l.com";
+      LISTEN_ADDR = "/run/miniflux/miniflux.sock";
+    };
+    adminCredentialsFile = config.sops.secrets.minifluxenv.path;
+    createDatabaseLocally = true;
+  };
+
+  users = {
+    groups.miniflux.gid = 377;
+    users = {
+      miniflux = {
+        group = "miniflux";
+        extraGroups = [ "postgres" ];
+        isSystemUser = true;
+        uid = 377;
+      };
+      ${config.services.nginx.user}.extraGroups = [ "miniflux" ];
+    };
+  };
+
+  systemd.services.miniflux.serviceConfig = {
+    RuntimeDirectoryMode = lib.mkForce "0770";
+    DynamicUser = lib.mkForce false;
+  };
+
+  local.nginx.proxyVhosts."flux.gerg-l.com" =
+    "http://unix:${config.services.miniflux.config.LISTEN_ADDR}";
+}

nixosConfigurations/gerg-desktop/services/nginx.nix

@@ -0,0 +1,70 @@
+{ config, lib }:
+{
+  options.local.nginx = {
+    proxyVhosts = lib.mkOption {
+      type = lib.types.attrsOf lib.types.str;
+    };
+    defaultVhosts = lib.mkOption {
+      type = lib.types.attrs;
+    };
+  };
+
+  config = {
+    local.nginx.defaultVhosts = builtins.mapAttrs (_: v: {
+      locations."/".proxyPass = v;
+    }) config.local.nginx.proxyVhosts;
+
+    sops.secrets = {
+      gerg_ssl_key.owner = config.services.nginx.user;
+      gerg_ssl_cert.owner = config.services.nginx.user;
+    };
+
+    security.acme = {
+      acceptTerms = true;
+      certs."gerg-l.com" = {
+        email = "GregLeyda@proton.me";
+        webroot = "/var/lib/acme/acme-challenge";
+        extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts;
+      };
+    };
+
+    systemd.tmpfiles.rules = [ "L+ /var/lib/acme - - - - /persist/services/acme" ];
+
+    users.users.${config.services.nginx.user}.extraGroups = [ "acme" ];
+
+    services.nginx = {
+      enable = true;
+      recommendedZstdSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      # For immich
+      clientMaxBodySize = "50000M";
+      proxyTimeout = "600s";
+      virtualHosts =
+        builtins.mapAttrs
+          (
+            _: v:
+            {
+              forceSSL = true;
+              useACMEHost = "gerg-l.com";
+            }
+            // v
+          )
+          (
+            config.local.nginx.defaultVhosts
+            // {
+              "_" = {
+                default = true;
+                locations."/".return = "404";
+              };
+            }
+          );
+    };
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+}

nixosConfigurations/gerg-desktop/services/nix-serve.nix

@@ -0,0 +1,77 @@
+{ config, pkgs }:
+{
+  sops.secrets.store_key.owner = "nix-serve";
+
+  users = {
+    groups = {
+      builder = { };
+      nix-serve = { };
+    };
+    users = {
+      ${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
+      builder = {
+        isSystemUser = true;
+        openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
+        group = "builder";
+        shell = pkgs.bashInteractive;
+      };
+      nix-serve = {
+        isSystemUser = true;
+        group = "nix-serve";
+      };
+    };
+  };
+
+  services.openssh.extraConfig = ''
+    Match User builder
+      AllowAgentForwarding no
+      AllowTcpForwarding no
+      PermitTTY no
+      PermitTunnel no
+      X11Forwarding no
+    Match All
+  '';
+
+  nix.settings = {
+    trusted-users = [ "builder" ];
+    allowed-users = [ "nix-serve" ];
+    keep-outputs = true;
+    keep-derivations = true;
+    secret-key-files = config.sops.secrets.store_key.path;
+  };
+
+  systemd.services.nix-serve = {
+    description = "nix-serve binary cache server";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    path = [
+      config.nix.package
+      pkgs.bzip2
+      pkgs.nix-serve-ng
+    ];
+
+    environment = {
+      NIX_REMOTE = "daemon";
+      NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
+    };
+
+    script = ''
+      nix-serve --socket /run/nix-serve/nix-serve.sock &
+      PID=$!
+      sleep 1
+      chmod 660 /run/nix-serve/nix-serve.sock
+      wait "$PID"
+    '';
+
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = "5s";
+      User = "nix-serve";
+      Group = "nix-serve";
+    };
+  };
+  systemd.tmpfiles.rules = [ "d /run/nix-serve - nix-serve nix-serve - -" ];
+
+  local.nginx.proxyVhosts."cache.gerg-l.com" = "http://unix:/run/nix-serve/nix-serve.sock";
+}

nixosConfigurations/gerg-desktop/services/parrot.nix

@@ -0,0 +1,23 @@
+{
+  pkgs,
+  config,
+  lib,
+}:
+{
+  sops.secrets.discordenv = { };
+
+  systemd.services.parrot = {
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+
+    environment.SETTINGS_PATH = "/persist/services/parrot";
+
+    serviceConfig = {
+      ExecStart = lib.getExe pkgs.parrot;
+      EnvironmentFile = config.sops.secrets.discordenv.path;
+      Restart = "on-failure";
+      RestartSec = "30s";
+    };
+  };
+}

nixosConfigurations/gerg-desktop/services/postgresql.nix

@@ -0,0 +1,9 @@
+{ pkgs }:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_16;
+    dataDir = "/persist/services/postgresql";
+    settings.unix_socket_permissions = "0770";
+  };
+}

nixosConfigurations/gerg-desktop/services/reboot-bot.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  reboot-bot,
+}:
+{
+  sops.secrets.reboot_token = { };
+
+  systemd.services.reboot_bot = {
+    enable = false;
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+
+    serviceConfig = {
+      ExecStart = lib.getExe reboot-bot.packages.default;
+      EnvironmentFile = config.sops.secrets.reboot_token.path;
+      Restart = "on-failure";
+      RestartSec = "30s";
+    };
+  };
+}

nixosConfigurations/gerg-desktop/services/searxng.nix

@@ -0,0 +1,43 @@
+{ config, pkgs }:
+{
+  sops.secrets.searxngenv = { };
+  users.users.${config.services.nginx.user}.extraGroups = [ "searx" ];
+  services.searx = {
+    enable = true;
+    package = pkgs.searxng;
+    runInUwsgi = true;
+    uwsgiConfig = {
+      socket = "/run/searx/searx.sock";
+      chmod-socket = "660";
+      disable-logging = true;
+    };
+    environmentFile = config.sops.secrets.searxngenv.path;
+    settings = {
+      general.instance_name = "Gerg search";
+      server = {
+        secret_key = "@SEARXNG_SECRET@";
+        base_url = "https://search.gerg-l.com";
+      };
+      search.formats = [
+        "html"
+        "json"
+      ];
+      engines = [
+        {
+          name = "bing";
+          disabled = true;
+        }
+        {
+          name = "brave";
+          disabled = true;
+        }
+      ];
+      ui.theme_args.simple_style = "dark";
+    };
+  };
+
+  local.nginx.defaultVhosts."search.gerg-l.com" = {
+    locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
+    extraConfig = "access_log off;";
+  };
+}

nixosConfigurations/gerg-desktop/shared.conf

@@ -0,0 +1,16 @@
+Section "ServerFlags"
+  Option "AllowMouseOpenFail" "on"
+  Option "DontZap" "on"
+  Option "StandbyTime" "0"
+  Option "SuspendTime" "0"
+  Option "OffTime" "0"
+  Option "BlankTime" "0"
+EndSection
+
+Section "InputClass"
+  Identifier "libinput pointer catchall"
+  MatchIsPointer "on"
+  MatchDevicePath "/dev/input/event*"
+  Driver "libinput"
+  Option "AccelProfile" "flat"
+EndSection

nixosConfigurations/gerg-desktop/spicetify.nix

@@ -0,0 +1,40 @@
+{ spicetify-nix }:
+let
+  spicePkgs = spicetify-nix.legacyPackages;
+in
+{
+  imports = [ spicetify-nix.nixosModules.default ];
+  local.allowedUnfree = [ "spotify" ];
+  programs.spicetify = {
+    enable = true;
+    enabledCustomApps = builtins.attrValues { inherit (spicePkgs.apps) lyricsPlus ncsVisualizer; };
+    enabledExtensions = builtins.attrValues {
+      inherit (spicePkgs.extensions)
+        adblockify
+        hidePodcasts
+        shuffle
+        betterGenres
+        ;
+    };
+    theme = spicePkgs.themes.dribbblish;
+    colorScheme = "custom";
+    customColorScheme = {
+      text = "f8f8f8";
+      subtext = "f8f8f8";
+      sidebar-text = "79dac8";
+      main = "000000";
+      sidebar = "323437";
+      player = "000000";
+      card = "000000";
+      shadow = "000000";
+      selected-row = "7c8f8f";
+      button = "74b2ff";
+      button-active = "74b2ff";
+      button-disabled = "555169";
+      tab-active = "80a0ff";
+      notification = "80a0ff";
+      notification-error = "e2637f";
+      misc = "282a36";
+    };
+  };
+}

nixosConfigurations/gerg-desktop/zfs.nix

@@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  pkgs,
+}:
+{
+  #link some stuff
+  systemd.tmpfiles.rules = [
+    "L+ /etc/zfs/zpool.cache - - - - /persist/zfs/zpool.cache"
+    "L+ /etc/ssh/ssh_host_ed25519_key  - - - - /persist/ssh/ssh_host_ed25519_key"
+    "L+ /etc/ssh/ssh_host_ed25519_key.pub  - - - - /persist/ssh/ssh_host_ed25519_key.pub"
+    "L  /etc/nixos/flake.nix  - - - - /home/gerg/Projects/nixos/flake.nix"
+  ];
+  #create machine-id for spotify
+  environment.etc."machine-id" = {
+    text = "b6431c2851094770b614a9cfa78fb6ea";
+    mode = "0644";
+  };
+  #make sure the sopskey is found
+  sops.age.sshKeyPaths = lib.mkForce [ "/persist/ssh/ssh_host_ed25519_key" ];
+  fileSystems."/persist".neededForBoot = true;
+  boot = {
+    supportedFilesystems.ntfs = true;
+
+    zfs = {
+      package = pkgs.zfs_unstable;
+      devNodes = "/dev/disk/by-id/";
+      forceImportAll = true;
+    };
+
+    #set ARC max
+    kernelParams = [ "zfs.zfs_arc_max=17179869184" ];
+
+    initrd = {
+      kernelModules = [
+        #module for multiple swap devices
+        "dm_mod"
+        #keyboard module for zfs password
+        "hid_generic"
+      ];
+
+      systemd.services.rollback = {
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+        unitConfig.DefaultDependencies = "no";
+        wantedBy = [ "initrd.target" ];
+        after = [ "zfs-import.target" ];
+        before = [ "sysroot.mount" ];
+        path = [ config.boot.zfs.package ];
+        script = ''
+          zfs rollback -r rpool/root@empty
+          zfs rollback -r rpool/var@empty
+        '';
+      };
+    };
+  };
+}