systems -> hosts

moved functions to /lib

inputs over imports

turned each module file into a nixosModule

moved registry and $NIX_PATH pinning to /modules/pinning.nix

hosts/game-laptop/default.nix

@@ -0,0 +1,88 @@
+_: {
+  pkgs,
+  config,
+  ...
+}: {
+  localModules = {
+    remoteBuild.enable = true;
+    DE.gnome.enable = true;
+    DM = {
+      lightdm.enable = true;
+      autoLogin = true;
+      loginUser = "games";
+    };
+    theming = {
+      enable = true;
+      kmscon.enable = true;
+    };
+  };
+  nixpkgs.allowedUnfree = [
+    "nvidia-x11"
+    "nvidia-persistenced"
+    "steam"
+    "steam-original"
+  ];
+  environment = {
+    systemPackages = builtins.attrValues {
+      inherit
+        (pkgs)
+        neovim
+        heroic
+        legendary-gl
+        prismlauncher
+        pcmanfm #file manager
+        librewolf #best browser
+        obs-studio
+        vlc
+        webcord
+        ;
+    };
+    etc = {
+      "jdks/17".source = pkgs.openjdk17 + /bin;
+      "jdks/8".source = pkgs.openjdk8 + /bin;
+    };
+  };
+  networking = {
+    hostName = "game-laptop";
+    networkmanager.enable = true;
+  };
+  #user managment
+  sops.secrets.root.neededForUsers = true;
+  users = {
+    mutableUsers = false;
+    users = {
+      games = {
+        useDefaultShell = true;
+        uid = 1000;
+        isNormalUser = true;
+        extraGroups = ["audio"];
+        initialHashedPassword = "";
+      };
+      "root" = {
+        uid = 0;
+        home = "/root";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuO/3IF+AjH8QjW4DAUV7mjlp2Mryd+1UnpAUofS2yA gerg@gerg-phone"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpYY2uw0OH1Re+3BkYFlxn0O/D8ryqByJB/ljefooNc gerg@gerg-windows"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWbwkFJmRBgyWyWU+w3ksZ+KuFw9uXJN3PwqqE7Z/i8 gerg@gerg-desktop"
+        ];
+        passwordFile = config.sops.secrets.root.path;
+      };
+    };
+  };
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true;
+  boot = {
+    initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci"];
+    kernelModules = ["kvm-amd"];
+    kernelPackages = pkgs.linuxPackages_latest;
+  };
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 16 * 1024;
+    }
+  ];
+
+  system.stateVersion = "23.05";
+}

hosts/game-laptop/disko.nix

@@ -0,0 +1,39 @@
+{disko, ...}: {disks ? [], ...}: {
+  dummyvalue = {inherit disks;};
+  imports = [disko.nixosModules.disko];
+  disko.devices = {
+    disk.nvme0n1 = {
+      device = "/dev/disk/by-id/nvme-WDC_PC_SN530_SDBPNPZ-512G-1006_21311N802456";
+      type = "disk";
+      content = {
+        type = "table";
+        format = "gpt";
+        partitions = [
+          {
+            name = "ESP";
+            start = "1MiB";
+            end = "1GiB";
+            bootable = true;
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          }
+          {
+            name = "root";
+            start = "1GiB";
+            end = "100%";
+            part-type = "primary";
+            bootable = true;
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          }
+        ];
+      };
+    };
+  };
+}

hosts/game-laptop/prime.nix

@@ -0,0 +1,27 @@
+_: {config, ...}: {
+  hardware.nvidia = {
+    package = config.boot.kernelPackages.nvidiaPackages.latest;
+    prime = {
+      sync.enable = true;
+      amdgpuBusId = "PCI:5:0:0";
+      nvidiaBusId = "PCI:1:0:0";
+    };
+    nvidiaPersistenced = true;
+    nvidiaSettings = false;
+    modesetting.enable = true;
+  };
+  services.xserver = {
+    videoDrivers = ["nvidia"];
+    #disable DPMS
+    monitorSection = ''
+      Option "DPMS" "false"
+    '';
+    #disable screen blanking in total
+    serverFlagsSection = ''
+      Option "StandbyTime" "0"
+      Option "SuspendTime" "0"
+      Option "OffTime" "0"
+      Option "BlankTime" "0"
+    '';
+  };
+}

hosts/game-laptop/secrets.yaml

@@ -0,0 +1,30 @@
+root: ENC[AES256_GCM,data:ZHWgqJt4zMWuN/8rkmOQngBvw85MRCXsbLpgKj4Hzd8cDvvr6HIwsECiZZHh8Yp5FDL5t2IokIEf4KT8mqvm1bhakvWyMtP3tw==,iv:RTNPLxCDm+bsu70EbasUfxCtgp1+86aW+aFQECZTAPU=,tag:uDbUE3vw0kc30WsKLOtVbw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1egxes320renph0uevtmnsz4d5aw0z794c5nwrk2z6249wv2yevgqx9cf90
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpU2NMRHVkRDV1ekpvZUJz
+            WDlFWjh5SU1EY3FOSFpNUmhLd3Z2N0VtdjM4Ck1RMWFkenZvV3NESnhSNnF4MnBL
+            dmwvdU4rbmRxTnI3R1lRWUw4NkFTZFEKLS0tIHBLWVMzTmhsbU5ORkVld2VBR0hD
+            SlZBR1ZmRENXRVVaVXlEVnNvOEN1YkUKrIvpZHRRxYBj83kchgGWVNPsrGnmnWEh
+            80avkBy/6iCYmGEJ7PA4qxAea6jTOfaX+WbVm/jbmXpBEmE/NjPL5w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age180y8kdtdlqelayyz9mq2c7xv248rh4gdfr3amjzvdcjrz6wdaqmsj762pp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRXMySTF5VGRkK0N6NTZt
+            Sml4N3hjNXVLcXpmME1KSm1yTDZNVzdscEZNClk0TlZEUmNLN09PM0tMOHc1ZkJH
+            OTdzdVBSVkVpeHN5UVZvMTV1MW80RXMKLS0tIDR6SVcwWmtnWkV2UTRnb2lmZEdU
+            OHNBcUxydUJpMVdON21rMHBiNFRRRk0KokksVnVDldZvC7tqjjDVsU7z3Uh0ytQ3
+            tLdO8k+HxRYfFqhgfq2z7vTzHOVcZRvgiihYV4kLR9lnivpL6uOB+A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-03-11T20:03:05Z"
+    mac: ENC[AES256_GCM,data:buZBqAIO8IAHUu2tXzvUcMcvBL0r/Y5cCSrVvFHlAaUyNCkXktW0ZvW6n3mdEhKx8GzVYlvW5p9iDEkeyrD6YwcFVqXyW2tI0at1TevJwFc17AFXOPYRF7V2QrPX6lvLoZtxBcKeqXfn8mO+2QSyhYIheuln99YilHVYtLzujfk=,iv:v+E18iYaExTx66OGyJUCn5ygVNCDx54PekgrQo98V8U=,tag:+Ktm/mAHwq8h+IZ8eMnIhA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

hosts/gerg-desktop/containers/minecraft.nix_

@@ -0,0 +1,100 @@
+_:{
+  containers."minecraft" = {
+    ephemeral = true;
+    autoStart = true;
+    privateNetwork = true;
+    hostBridge = "bridge0";
+    localAddress = "192.168.1.10/24";
+    bindMounts."/minecraft" = {
+      hostPath = "/persist/minecraft";
+      isReadOnly = false;
+    };
+    config = {pkgs, ...}: {
+      nixpkgs.config.allowUnfree = true;
+      environment.systemPackages = [pkgs.neovim];
+      networking = {
+        defaultGateway = "192.168.1.1";
+        nameservers = ["192.168.1.1"];
+        firewall = {
+          allowedUDPPorts = [25565];
+          allowedTCPPorts = [25565];
+        };
+      };
+      systemd.services.setmacaddr = {
+        script = ''
+          /run/current-system/sw/bin/ip link set dev eth0 address 00:00:00:00:00:10
+        '';
+        wantedBy = ["basic.target"];
+        after = ["dhcpcd.service"];
+      };
+      boot.initrd.postDeviceCommands = "mkdir -p /minecraft";
+
+      system.stateVersion = "unstable";
+      users.users.minecraft = {
+        description = "Minecraft server service user";
+        home = "/minecraft";
+        createHome = true;
+        isSystemUser = true;
+        group = "minecraft";
+      };
+      users.groups.minecraft = {};
+
+      systemd.sockets.minecraft-server = {
+        bindsTo = ["minecraft-server.service"];
+        socketConfig = {
+          ListenFIFO = "/run/minecraft-server.stdin";
+          SocketMode = "0660";
+          SocketUser = "minecraft";
+          SocketGroup = "minecraft";
+          RemoveOnStop = true;
+          FlushPending = true;
+        };
+      };
+
+      systemd.services.minecraft-server = {
+        enable = true;
+        description = "Minecraft Server Service";
+        wantedBy = ["multi-user.target"];
+        requires = ["minecraft-server.socket"];
+        after = ["network.target" "minecraft-server.socket"];
+
+        serviceConfig = {
+          ExecStart = "${pkgs.papermc}/bin/minecraft-server -Xms8G -Xmx8G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
+          Restart = "always";
+          User = "minecraft";
+          WorkingDirectory = "/minecraft";
+
+          StandardInput = "socket";
+          StandardOutput = "journal";
+          StandardError = "journal";
+
+          # Hardening
+          CapabilityBoundingSet = [""];
+          DeviceAllow = [""];
+          LockPersonality = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          UMask = "0077";
+        };
+        preStart = ''
+          echo "eula=true" > eula.txt
+
+        '';
+      };
+    };
+  };
+}

hosts/gerg-desktop/containers/website.nix_

@@ -0,0 +1,155 @@
+_:{
+  sops.secrets = {
+    "website/sql_gitea" = {
+      mode = "0444";
+    };
+    "website/sql_nextcloud" = {
+      mode = "0444";
+    };
+    "website/nextcloud" = {
+      mode = "0444";
+    };
+
+    "website/ssl_key" = {
+      mode = "0444";
+    };
+
+    "website/ssl_cert" = {
+      mode = "0444";
+    };
+  };
+  containers."website" = {
+    ephemeral = true;
+    autoStart = true;
+    privateNetwork = true;
+    hostBridge = "bridge0";
+    localAddress = "192.168.1.11/24";
+    bindMounts = {
+      "/var" = {
+        hostPath = "/persist/website/var";
+        isReadOnly = false;
+      };
+      "/etc/ssh" = {
+        hostPath = "/persist/website/etc/ssh/";
+        isReadOnly = false;
+      };
+      "/secrets".hostPath = "/run/secrets/website";
+    };
+    config = {
+      pkgs,
+      config,
+      ...
+    }: let
+      giteaPort = 3000;
+    in {
+      nixpkgs.config.allowUnfree = true;
+      environment.systemPackages = [pkgs.neovim];
+      networking = {
+        defaultGateway = "192.168.1.1";
+        nameservers = ["1.1.1.1" "1.0.0.1"];
+        firewall = {
+          allowedTCPPorts = [giteaPort 80 443 22];
+        };
+      };
+      systemd.services.setmacaddr = {
+        script = ''
+          /run/current-system/sw/bin/ip link set dev eth0 address 00:00:00:00:00:11
+        '';
+        wantedBy = ["basic.target"];
+        after = ["dhcpcd.service"];
+      };
+      system.stateVersion = "unstable";
+      services = {
+        gitea = {
+          enable = true;
+          appName = "Powered by NixOS";
+          domain = "git.gerg-l.com";
+          rootUrl = "https://git.gerg-l.com/";
+          httpPort = giteaPort;
+          settings = {
+            server = {
+              LANDING_PAGE = "/explore/repos";
+            };
+            ui = {
+              DEFAULT_THEME = "arc-green";
+            };
+            service = {
+              DISABLE_REGISTRATION = true;
+            };
+          };
+          database = {
+            type = "postgres";
+            passwordFile = "/secrets/sql_gitea";
+          };
+        };
+        nextcloud = {
+          enable = true;
+          package = pkgs.nextcloud26;
+          hostName = "next.gerg-l.com";
+          autoUpdateApps.enable = true;
+          enableBrokenCiphersForSSE = false;
+          config = {
+            dbtype = "pgsql";
+            dbhost = "/run/postgresql";
+            dbpassFile = "/secrets/sql_nextcloud";
+            adminpassFile = "/secrets/nextcloud";
+            adminuser = "admin-root";
+            defaultPhoneRegion = "IL";
+          };
+        };
+        postgresql = {
+          enable = true;
+          package = pkgs.postgresql_13;
+          ensureDatabases = [config.services.nextcloud.config.dbname];
+          ensureUsers = [
+            {
+              name = config.services.nextcloud.config.dbuser;
+              ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES";
+            }
+          ];
+          authentication = ''
+            local gitea all ident map=gitea-users
+          '';
+          identMap = ''
+            gitea-users gitea gitea
+          '';
+        };
+        nginx = {
+          enable = true;
+          recommendedGzipSettings = true;
+          recommendedOptimisation = true;
+          recommendedProxySettings = true;
+          recommendedTlsSettings = true;
+          virtualHosts = let
+            template = {
+              forceSSL = true;
+              sslCertificate = "/secrets/ssl_cert";
+              sslCertificateKey = "/secrets/ssl_key";
+            };
+          in {
+            "git.gerg-l.com" =
+              template
+              // {
+                locations."/" = {
+                  proxyPass = "http://localhost:${toString giteaPort}";
+                };
+              };
+            "next.gerg-l.com" = template;
+          };
+        };
+        openssh = {
+          enable = true;
+          settings = {
+            PermitRootLogin = "no";
+            PasswordAuthentication = false;
+            KbdInteractiveAuthentication = false;
+          };
+        };
+      };
+      systemd.services."nextcloud-setup" = {
+        requires = ["postgresql.service"];
+        after = ["postgresql.service"];
+      };
+    };
+  };
+}

hosts/gerg-desktop/default.nix

@@ -0,0 +1,125 @@
+{nvim-flake, ...}: {
+  pkgs,
+  config,
+  ...
+}: {
+  localModules = {
+    remoteBuild.isBuilder = true;
+    X11Programs = {
+      sxhkd.enable = true;
+    };
+    DE.dwm.enable = true;
+    DM = {
+      lightdm.enable = true;
+      autoLogin = true;
+      loginUser = "gerg";
+    };
+    theming = {
+      enable = true;
+      kmscon.enable = true;
+    };
+  };
+  hardware.nvidia = {
+    package = config.boot.kernelPackages.nvidiaPackages.beta;
+    nvidiaPersistenced = false;
+    nvidiaSettings = false;
+    modesetting.enable = true;
+    open = false;
+  };
+  services.xserver = {
+    videoDrivers = ["nvidia" "amdgpu"];
+  };
+
+  nixpkgs.allowedUnfree = [
+    "nvidia-x11"
+    "steam"
+    "steam-original"
+  ];
+
+  nix.settings.system-features = ["kvm" "big-parallel" "nixos-test" "benchmark"];
+
+  environment = {
+    systemPackages = builtins.attrValues {
+      inherit
+        (pkgs)
+        bitwarden #store stuff
+        qbittorrent #steal stuff
+        pavucontrol #gui volume control
+        pcmanfm #file manager
+        librewolf #best browser
+        vlc #play stuff
+        ripgrep
+        xautoclick
+        webcord
+        prismlauncher
+        ;
+      inherit (nvim-flake.packages.${pkgs.system}) neovim;
+    };
+    etc = {
+      "jdks/17".source = pkgs.openjdk17 + /bin;
+      "jdks/8".source = pkgs.openjdk8 + /bin;
+    };
+  };
+
+  networking = {
+    useDHCP = false;
+    hostName = "gerg-desktop";
+    hostId = "288b56db";
+    nameservers = [
+      "192.168.1.1"
+      "2605:59c8:252e:500::1"
+    ];
+    defaultGateway = "192.168.1.1";
+    interfaces = {
+      "enp11s0" = {
+        name = "eth0";
+      };
+      "bridge0" = {
+        name = "bridge0";
+        macAddress = "D8:5E:D3:E5:47:90";
+        ipv4.addresses = [
+          {
+            address = "192.168.1.4";
+            prefixLength = 24;
+          }
+        ];
+      };
+    };
+    bridges."bridge0".interfaces = ["eth0"];
+    firewall.enable = true;
+  };
+  #user managment
+  sops.secrets = {
+    gerg.neededForUsers = true;
+  };
+  users = {
+    mutableUsers = false;
+    users = {
+      gerg = {
+        useDefaultShell = true;
+        uid = 1000;
+        isNormalUser = true;
+        extraGroups = ["wheel" "audio"];
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuO/3IF+AjH8QjW4DAUV7mjlp2Mryd+1UnpAUofS2yA gerg@gerg-phone"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpYY2uw0OH1Re+3BkYFlxn0O/D8ryqByJB/ljefooNc gerg@gerg-windows"
+        ];
+        passwordFile = config.sops.secrets.gerg.path;
+      };
+      "root" = {
+        uid = 0;
+        home = "/root";
+        hashedPassword = "!";
+      };
+    };
+  };
+  boot = {
+    kernelModules = ["amdgpu"];
+    initrd = {
+      availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"];
+      includeDefaultModules = false;
+    };
+  };
+
+  system.stateVersion = "23.05";
+}

hosts/gerg-desktop/disko.nix

@@ -0,0 +1,193 @@
+{disko, ...}: {disks ? [], ...}: {
+  dummyvalue = {inherit disks;};
+  imports = [disko.nixosModules.disko];
+  disko.devices = {
+    disk = {
+      nvme0 = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-SHPP41-500GM_SSB4N6719101A4N22";
+        content = {
+          type = "table";
+          format = "gpt";
+          partitions = [
+            {
+              name = "boot";
+              start = "0";
+              end = "1M";
+              part-type = "primary";
+              flags = ["bios_grub"];
+            }
+            {
+              name = "ESP";
+              start = "1M";
+              end = "1G";
+              bootable = true;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot/efis/nvme-SHPP41-500GM_SSB4N6719101A4N22";
+              };
+            }
+            {
+              name = "zfsboot";
+              start = "1G";
+              end = "5G";
+              content = {
+                type = "zfs";
+                pool = "bpool";
+              };
+            }
+            {
+              name = "swap";
+              start = "5G";
+              end = "21G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            }
+            {
+              name = "zfsroot";
+              start = "21G";
+              end = "100%";
+              content = {
+                type = "zfs";
+                pool = "rpool";
+              };
+            }
+          ];
+        };
+      };
+      nvme1 = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-SHPP41-500GM_SSB4N6719101A4N0E";
+        content = {
+          type = "table";
+          format = "gpt";
+          partitions = [
+            {
+              name = "BIOS";
+              start = "0";
+              end = "1M";
+              part-type = "primary";
+              flags = ["bios_grub"];
+            }
+            {
+              name = "ESP";
+              start = "1M";
+              end = "1G";
+              bootable = true;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot/efis/nvme-SHPP41-500GM_SSB4N6719101A4N0E";
+              };
+            }
+            {
+              name = "zfsboot";
+              start = "1G";
+              end = "5G";
+              content = {
+                type = "zfs";
+                pool = "bpool";
+              };
+            }
+            {
+              name = "swap";
+              start = "5G";
+              end = "21G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            }
+            {
+              name = "zfsroot";
+              start = "21G";
+              end = "100%";
+              content = {
+                type = "zfs";
+                pool = "rpool";
+              };
+            }
+          ];
+        };
+      };
+    };
+    zpool = {
+      rpool = {
+        type = "zpool";
+        mode = "mirror";
+        rootFsOptions = {
+          acltype = "posixacl";
+          compression = "zstd";
+          dnodesize = "auto";
+          normalization = "formD";
+          relatime = "on";
+          xattr = "sa";
+          encryption = "on";
+          keyformat = "passphrase";
+          keylocation = "prompt";
+        };
+        options = {
+          ashift = "12";
+          autotrim = "on";
+        };
+
+        datasets = {
+          "root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+          };
+          "nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+          };
+          "var" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/var";
+          };
+          "persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+          };
+          "home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+          };
+        };
+      };
+      bpool = {
+        type = "zpool";
+        mode = "mirror";
+        rootFsOptions = {
+          acltype = "posixacl";
+          compression = "lz4";
+          devices = "off";
+          normalization = "formD";
+          relatime = "on";
+          xattr = "sa";
+          canmount = "off";
+        };
+
+        options = {
+          compatibility = "grub2";
+          ashift = "12";
+          autotrim = "on";
+        };
+        datasets = {
+          "boot" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/boot";
+          };
+        };
+      };
+    };
+  };
+}

hosts/gerg-desktop/parrot.nix

@@ -0,0 +1,21 @@
+{self, ...}: {
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  #discord bot stuff
+  systemd.services.parrot = {
+    enable = true;
+    wantedBy = ["multi-user.target"];
+    wants = ["network-online.target"];
+    after = ["network-online.target"];
+    script = lib.getExe self.packages.${pkgs.system}.parrot;
+    serviceConfig = {
+      EnvironmentFile = config.sops.secrets.discordenv.path;
+      Restart = "on-failure";
+      RestartSec = "30s";
+    };
+  };
+  sops.secrets.discordenv = {};
+}

hosts/gerg-desktop/secrets.yaml

@@ -0,0 +1,28 @@
+discordenv: ENC[AES256_GCM,data:/A46urPOiqH2ejKmmzCIpR/g2hU6n/AUTNQPikAxvp1PikWgX8JX+NPrGSGgxpn82B70JlwGK9T+9Fe9gaFgswhMrUj19TQ1kERW8HWLJ1LptvJTOsX57rKihJZUwD0v7g/Xof75U68dKPzdSlH7z16r0iOVA6ET4/w=,iv:0HK+0eBMf3awgQrbwXAEsBniTsxqj+izmftoB/UEp64=,tag:EajyB09aJPnHpss3Jv5SaQ==,type:str]
+gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
+website:
+    nextcloud: ENC[AES256_GCM,data:JoxSXYzBhXV+h4Ar,iv:jKlAwWfX58DpgGbGOqWBIwcnx8EdIxhFKOUzsDccr7w=,tag:L6UBHh1HU8Je+OczQCypXg==,type:str]
+    sql_gitea: ENC[AES256_GCM,data:Usfd0QDm/4ntj7kzXXYa3O7H7/E=,iv:3xUD2KuQvJUQtai6C+qAnQ2RbkpN5VLK8BUJFiMpQkY=,tag:E6KNzFIZekgecJCBPlw4YA==,type:str]
+    sql_nextcloud: ENC[AES256_GCM,data:xkJioAZCCd8aIxS283UhZ2yfLgQ=,iv:7SQ2iSJShX6dDP3qD0KPaJP49CQ6RMHQ6uY5J/WODtI=,tag:HNXYa1L88mGB5uOrmTuFDg==,type:str]
+    ssl_key: ENC[AES256_GCM,data:EBs5NZ5nHvC687N+YxY62MtJMK2Mi8FfhVrhrmOtmHLnZJlHEzljYBvImypvLEMA2v1++PEN+j7d/utv2kdHrSxBETKiE6ckk8DpjK6MWcjS2fVanYT/XRScJCLOx0PI6E2AR6L8snQ/Wp/3Ado+hLr6Ze7MI3DZd/gwJyrTZtdcSVzBGAJhmzgrF9/Hwb8qtFnJxj7z5kJ3FrXYdaobgSthsdjRpElGNJw0xgz3MVN67LVAMgkmkOXB6NF8FS5rsrvF2nYsqF0bkySCRSSjCjvlxRNAu3kUJQR+o4dA/Zu353z3mbh0driKAO2iih3rfRr+eVrTVjImoGVxpVcjEyCRI0vL8PBLgdC1L5uvE+KgodfaoBiCHTaQt++QbXsa29U4iO5U8hykt0JJW9yZSCaMAspZu/mb1EhChd5lj0q1WLgeGLAtzBN2QCIQ79yRs+nSK0Jgd9k/M4GC4+QufBAM1KZ9FrjZD5RgFuoGpvE69sR4MiekuNXTnFKwBp1WQo7MzWjutXN/x30k2JfaH/s9GoM0DZNPovg16Cgf7SLMCPUo9ynBbeFLOp/Pb+AhIQuNtjX8IpwJDYSJQAKrhUrV/NyI9OKjXVfIWO2yN5wIO2b2u72cIJrOgsMpYO1mGkyEbPtntew4EXPsgw8gdF7bfT6WPpJivvxNhGHSYuNDDoXvh+/t72yFXDuXu28/R6DIg+HmknYNu1On1sHZPrg9BnLny/4tD8OSYr4lKT/0FvQmspM6JPu5ZnxseJf3qjClQbcnwX4deqZX4JHhPXolDJ+LLycl4i62C7dTcO4/B/HLJ5J/+3WP9YvHd+FW3KlrRw/YVGcY+Mjn43/s0vgufH/VxFJ6+CIZZ8CiNt0MtMtajg5Xz8eFHbJRuKJlzzC5JQ1rJ2j0ZnZX19qmvC2nuowdZG7yDX9Htbgv0Elg7cNyO3T3NEKjbU2EjPj9NEah0zWzdymRVoVCv0E9EJIX73K/OSDNrjxJr5P8gNC4p/qD6Ufl3j9MTq1uujIQxFYEYQmSymQiaVbIbY2dmp5ISS6mioGJ4clQluuVsNNFQyFM0fM82Bsmk6MKlHaVk3pyvSLQ6j3R/YFtN9cwGKTdbcHmZIsTUF0XysU7LHM9JmHE9BXPsku01ONszHFlPz/GEgHGxB3bTthE2BHrTR9K6gZZy3j9/cpp6rZe711gnjyfWXpVOL2oPFL+nZZ17WDPOjD/w9KNB3Av4XSAHOJj8F6BcS7f6c69F9vTUlVeG7a6lTQ+4n5o/FQ+mPFyXgCJaMR88T+vYEG+tNbvZrGjyEYaDkfDOXfnqWL/ITDL/lD2YEdB/Vvi8cZtFqQ5fP91T/wOn9Gae0QG4zG6f1aKKW03WJKIvSMh0sUZ1QKVf/8KYUMBho1ZdXcjnxFpn0dpW8bCxIe3juhayyyGrLrMN1+Kr8aHYLTUcB4FU6DppD1esjJN05Y9Im9OqdLCK7UsldUb16j0Xk+2xYKqyQ8JniSL8XQaqeVIJnLaw0Vx1mvnrpe0GHPZVWxFjHzkFzx2H9+M5RuBqZnuWQtfAlCnQ631VvOG1BF+oY89CXG9d/SN6IY3kJ01LzG5XXbBnqeUjcNAIGwkHaVVn4w74Sko5hASWLX60Fo0Cq/BLuUw4qeZ/x0zPtICrl7JXcu4Ei+LO4aZVaDX/ZLw6nkN/GFf5Lc8FZ3COW9I39Dzo3VfK6wfMMnjNgk0cIQZqYC8oIhyexwE047+nwGw10h0jAerHqZmTsaWy+NCBweXWy2lHvQBGnXr8L0db0vrPr+XkrPmoDckSp2J0+/GPTQdWUWijPWLnd3K3hAU7jwkPwfAQNVpVPBbhTea51TcGej5CiphnEElIiuAvUO60kAxyRsbFYDESnJPCj5G+biiKVvN0rzrjU4KpS5wDgyJC8tq8SNv6tGUrqTsNKZXmKQ1wpEadQVam+hpC81HJOr8He51ZZm9OQLkfzN4U8dJx6ax27GOW/1OSzqEycZ3gNJE3MJmFyeRL9cY9+78L5ZB5UrpOJtFPm09fxKKY4A2/E/u70rnbWDkip8aKjflun3Skdr8meC1JiMW/awe8ausTy4cZzkkJWUqBogjTJCfH8UvOo1zwFRubOQLFeFrK3pSD74ALfG8OlT1mTnjSHc4xD6I11LTrGEetyfngNcRQElP44ipslaGno7390J6Tbv8i/8J1SPTvVzqSdHBIzjsMp0/HzyL4LuxRRn2mfrEuGaz0INeeYfATCJf/XsIrPX2uvnimJOLOKD4,iv:plv5vk1K1MvSvG4qfCgktRLaONHKYlJpKz89c9miGO4=,tag:FIOgCYD7X/G0I0+4XrtuQw==,type:str]
+    ssl_cert: ENC[AES256_GCM,data:+MVjz7j3LAjWNmNOw2tIWdyXGnNukLI9iQM+xoca0t4mZgU8TQcx71sanxD4SpnIOMy/vVNAUHJS3wAM7XMIbTy2S8qSG1bbk6EVC8TB7zfgSVY6BqD4H1lCiVe43AjWwc/qkdxGHO/nX8e7KkxFY4H7RnROdhqH1MYnXUvMXZgHrY/Bv/pNkJ/fC9UapQWKciw26uORk6Ji+ihmhp6h9qLUPIt4UBTljruUhr34UhwxQ1tib6j1GFdPcSpXmbnQ8dQ5s64DShs7aMcS87vwY5r2bZowaX+FdpWokDXCF3wXwS+vhS/pMvzcN0cKogT4uXC3FatIByuLpvb35JD0k2f8OYi1zdKNRyffFkveWySXzVUojq56zhyY6d0rFpW14s5m4WdBpQUDHLe1kO8B4EUv3ZmOQz+SgbPL9EQVzpwoQt2yNkFENJbu2Jvs3LVwoclLM81hOomSThPRMgbixRcttf1MbmU8ED1EoNwF04VgDbNDOOyZFsSkz2rOVTlv/gIWTnBgngh3nU+8VWU6PPbNvYliXvU2XRPhGnXeKH2yCyilQ7aLsWjjvco257p4XvS8g7uuFpyau1UkO81kc3R1qrBjyPdxZylDvxI7JCDQZqWxtNiRRRWTWd+4oHTt8REp7aZlGP9FLDW10LWnOtCe56dbuVvFQd/3mjF1YDEkqE7Q3ZotiV6JzbkouV1rue8jpReREDp7Dsm7ZPdBn58Z0c3NaI8OTffOhQ2oDEJn2I/lUuvGhrEU41SxLvDDmpNVi2ISI/c6PfdKlATKZUDVWP7L6nu2M1bb1HvVXaYoKxldZmLGSdVGk3rhY6HUVSM3BgsgkLiFO0AHui0ETQnkfuhy1T8IMPb3WaAQmHHzR9YipZ03xlUoOSeICgDohMw/bLaP4zNAs+gMgLssWJd8Jm9iK5K/OKN6gG0V7YFdUwNyeX7guEADND0hlT0mFkKlLKywBEGwiSdzrqIvrnE7tzUdD/SlL+WOYKBCByksHwmC51ImFe3/GapAPEoMlxtwy4o/E8nExL/WAMEoNT9wxV4/Mk5l5CT1sUDGG8ifzMVcq4LxPxvQDFYLyKf5Apg4f0MkB4kOvS5hFRF9Ewx3hEjHgKJL4HTWFPut7ktbGvYvfJTSvpyJv9s+uk+b69Y+YhwxFgCLc6oTkHoGaekGaQN8rbPGiomepDK/ZdYr/720zDZuC9Z1WMdRsR7E4GX1Ko31pQEk2tUWmjQk76hp299Sly7tjrh7mRtZXNNVhAzh3DEdqmTZPKNObXI/sf7KM4e0SzSbdJd4DdbV+S8vwbqBYdmEtBwSZNp0YnApBoEC/R7iPp7T98sdt2Y8cWcFITMyHTOQ0Qk9/hFzrdYi+rrOQ33AP/rjzOFp11t99nZKNZGuMucSTRUKgTuRLumjD5dS6PWuTm6k94HUNT8p8BSgGOBSIPqBdvZvKe7titvtfoH7iqoafHfePJ8sUd5dKZdpvDBl5bW2aiTB9v/qP/vlmThAG6t1ukmqbo3rS/6QC2N8X2X4GKqcPrVLKk1vtlnI4qWzLLieePxruJoWhctdp14CjKotVAzgYXtAvuKm1MI5gNWKRqwykeNS5w3C/CQT0KpyqUNLAkEa5+Fg4PUxeLCitpgnz6jq8+1WCltwdWAAkp8RwdMncbG2Jk6AA0iC6lu0kog9U7gsclRc16+jVFYPA+h3trbt8DnFLQTrCEaeOeRwli+WBibO31+0efk4D4e/IUz3c3PkNVwLV3RPFF7FeAo9w7HYOaHrmvbFevnbyUb+aI8i/EiDkoCzgaIcG9nOWSjBjNjZPrK5JZR+hXvTZ163k2eFj7uwfuQkUUakXfFJxLjHzko87oEiOsUkieEamp0yZ4n8eMq/BgNSPMYmnpmxaotdDB/czN5qM0myLKsDgHZso0sLMmPs1YfoDGjsZsMNaQh3C92XyzR4psSwy81wXFLahvt3E/DczOFaBoJ0VtmqFcGuYep/r3Ft6YCXf0y0Yruj5kZRSBvSSu6bfOwppA7gJKChlKKyRiKROMbt9Oh843tWuGKgKajOZZCY/mQH5D1VyxQ8YqxotgbCpEUu/gLPuqf2upCMxA+Vhw8plwrPUOmgnsjybdYoNayfzo28X8ek8ryWKHAcOrIAcCO9e6RHeuZFmstcJsDz7gjpolbufWu7oZkF9NoqksI46+1isb7iZ58U777RSLJWcGlrYdvzJA==,iv:QvDjeJf7D1eqdhDPO472F4MsM5DTcs+4aGgJfhI9J9k=,tag:jVGgIZqzaEqjRAGJxy/zCw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age180y8kdtdlqelayyz9mq2c7xv248rh4gdfr3amjzvdcjrz6wdaqmsj762pp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NWRPckFGSDlWZHpFSFFo
+            bHMxbHNhRmdEVUJjdnpjeEIwYXFJWUtuYVdBCm13bHVudzBKaXFwVW0xRzErYW9J
+            ZUN2QnhjZndVQUUxSTFJZWF6KzFzNkEKLS0tIDVmcnd0WGtLK2dFR3lqWktDd1hG
+            dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
+            MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-05-19T00:33:35Z"
+    mac: ENC[AES256_GCM,data:YWGS3fxhEh6Xz/OohJkQdvGzfe9Do7IRN7MiuHo8URbidq6DLsuvN086QNlMQEnopR5BDJ2V+4inKS1xOM+G66e4Ta/uYH7VweamGSk/dGGqAnG5uylljIupSS9WDvI0tpv2PMWrbGV6oEps0SPC2HN7CvhI8EaSQdz3CvEYKgo=,iv:YDKgb90IvwEkfRFMwoy/Y1LREHe2Dzf3Dt97BT/wJuo=,tag:HSmmPdyhF5dr+5IvM+Xo6Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

hosts/gerg-desktop/spicetify.nix

@@ -0,0 +1,37 @@
+{spicetify-nix, ...}: {pkgs, ...}: let
+  spicePkgs = spicetify-nix.legacyPackages.${pkgs.system};
+  ex = spicePkgs.extensions;
+in {
+  imports = [spicetify-nix.nixosModule];
+  nixpkgs.allowedUnfree = ["spotify"];
+  programs.spicetify = {
+    enable = true;
+    spotifyPackage = spicePkgs.spotify;
+    spicetifyPackage = spicePkgs.spicetify-cli;
+    enabledExtensions = [
+      ex.adblock
+      ex.hidePodcasts
+      ex.shuffle
+    ];
+    theme = spicePkgs.themes.Dribbblish;
+    colorScheme = "custom";
+    customColorScheme = {
+      text = "f8f8f8";
+      subtext = "f8f8f8";
+      sidebar-text = "79dac8";
+      main = "000000";
+      sidebar = "323437";
+      player = "000000";
+      card = "000000";
+      shadow = "000000";
+      selected-row = "7c8f8f";
+      button = "74b2ff";
+      button-active = "74b2ff";
+      button-disabled = "555169";
+      tab-active = "80a0ff";
+      notification = "80a0ff";
+      notification-error = "e2637f";
+      misc = "282a36";
+    };
+  };
+}

hosts/gerg-desktop/vfio.nix

@@ -0,0 +1,156 @@
+{
+  self,
+  pipewire_fix,
+  ...
+}: {
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+###TAKEN FROM HERE:https://github.com/NixOS/nixpkgs/blob/4787ebf7ae2ab071389be7ff86cf38edeee7e9f8/nixos/modules/services/x11/xserver.nix#L106-L136
+let
+  xcfg = config.services.xserver;
+  xserverbase = let
+    fontsForXServer =
+      config.fonts.fonts
+      ++ [
+        pkgs.xorg.fontadobe100dpi
+        pkgs.xorg.fontadobe75dpi
+      ];
+  in
+    pkgs.runCommand "xserverbase"
+    {
+      fontpath =
+        lib.optionalString (xcfg.fontPath != null)
+        ''FontPath "${xcfg.fontPath}"'';
+      inherit (xcfg) config;
+      preferLocalBuild = true;
+    }
+    ''
+      echo 'Section "Files"' >> $out
+      echo $fontpath >> $out
+      for i in ${toString fontsForXServer}; do
+        if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then
+          for j in $(find $i -name fonts.dir); do
+            echo "  FontPath \"$(dirname $j)\"" >> $out
+          done
+        fi
+      done
+      for i in $(find ${toString xcfg.modules} -type d); do
+        if test $(echo $i/*.so* | wc -w) -ne 0; then
+          echo "  ModulePath \"$i\"" >> $out
+        fi
+      done
+      echo '${xcfg.filesSection}' >> $out
+      echo 'EndSection' >> $out
+      echo >> $out
+    '';
+  oneMonitor = pkgs.writeText "1-monitor.conf" (lib.concatStrings [(builtins.readFile xserverbase) (builtins.readFile (self + /misc/1-monitor.conf))]);
+  twoMonitor = pkgs.writeText "2-monitor.conf" (lib.concatStrings [(builtins.readFile xserverbase) (builtins.readFile (self + /misc/2-monitor.conf))]);
+in {
+  ####VM SOUND BORKED
+  services.pipewire.package = pipewire_fix.legacyPackages.${pkgs.system}.pipewire;
+  boot = {
+    kernelParams = ["amd_iommu=on" "iommu=pt" "vfio_iommu_type1.allow_unsafe_interrupts=1" "kvm.ignore_msrs=1"];
+  };
+  virtualisation = {
+    libvirtd = {
+      enable = true;
+      qemu = {
+        #don't hook evdev at vm start
+        package = pkgs.qemu.overrideAttrs (old: {
+          patches =
+            old.patches
+            ++ [
+              (pkgs.writeText "qemu.diff" ''
+                diff --git a/ui/input-linux.c b/ui/input-linux.c
+                index e572a2e..a9d76ba 100644
+                --- a/ui/input-linux.c
+                +++ b/ui/input-linux.c
+                @@ -397,12 +397,6 @@ static void input_linux_complete(UserCreatable *uc, Error **errp)
+                     }
+
+                     qemu_set_fd_handler(il->fd, input_linux_event, NULL, il);
+                -    if (il->keycount) {
+                -        /* delay grab until all keys are released */
+                -        il->grab_request = true;
+                -    } else {
+                -        input_linux_toggle_grab(il);
+                -    }
+                     QTAILQ_INSERT_TAIL(&inputs, il, next);
+                     il->initialized = true;
+                     return;
+              '')
+            ];
+        });
+        runAsRoot = true;
+        ovmf.enable = true;
+        verbatimConfig = ''
+          user = "gerg"
+          group = "kvm"
+          namespaces = []
+        '';
+      };
+    };
+  };
+  environment = {
+    systemPackages = [
+      pkgs.virt-manager
+    ];
+    shellAliases = {
+      vm-start = "virsh start Windows";
+      vm-stop = "virsh shutdown Windows";
+    };
+  };
+
+  users.users.gerg.extraGroups = ["kvm" "libvirtd"];
+
+  services.xserver.displayManager.xserverArgs = lib.mkAfter ["-config /tmp/xorg.conf"];
+  services.xserver.displayManager.sessionCommands = lib.mkBefore ''
+    if ! (test -e "/tmp/ONE_MONITOR"); then
+          xrandr --output DP-0 --auto --mode 3440x1440 --rate 120 --primary --pos 0x0
+          xrandr --output HDMI-A-1-0 --auto --mode 1920x1080 --rate 144 --set TearFree on --pos 3440x360
+          xset -dpms
+    fi
+  '';
+
+  systemd.tmpfiles.rules = let
+    qemuHook = pkgs.writeShellScript "qemu-hook" ''
+      GUEST_NAME="$1"
+      OPERATION="$2"
+      SUB_OPERATION="$3"
+
+      if [ "$GUEST_NAME" == "Windows" ]; then
+        if [ "$OPERATION" == "prepare" ]; then
+            systemctl stop display-manager.service
+            modprobe -r -a nvidia_uvm nvidia_drm nvidia nvidia_modeset
+            ${pkgs.libvirt}/bin/virsh nodedev-detach pci_0000_01_00_0
+            ${pkgs.libvirt}/bin/virsh nodedev-detach pci_0000_01_00_1
+            systemctl set-property --runtime -- user.slice AllowedCPUs=8-15,24-31
+            systemctl set-property --runtime -- system.slice AllowedCPUs=8-15,24-31
+            systemctl set-property --runtime -- init.scope AllowedCPUs=8-15,24-31
+            ln -fs ${oneMonitor} /tmp/xorg.conf
+            touch /tmp/ONE_MONITOR
+            systemctl start display-manager.service
+        fi
+        if [ "$OPERATION" == "release" ]; then
+          systemctl stop display-manager.service
+          systemctl set-property --runtime -- user.slice AllowedCPUs=0-31
+          systemctl set-property --runtime -- system.slice AllowedCPUs=0-31
+          systemctl set-property --runtime -- init.scope AllowedCPUs=0-31
+          ${pkgs.libvirt}/bin/virsh nodedev-reattach pci_0000_01_00_0
+          ${pkgs.libvirt}/bin/virsh nodedev-reattach pci_0000_01_00_1
+          modprobe -a nvidia_uvm nvidia_drm nvidia nvidia_modeset
+          ln -fs ${twoMonitor} /tmp/xorg.conf
+          rm /tmp/ONE_MONITOR
+          systemctl start display-manager.service
+        fi
+      fi
+    '';
+  in [
+    "L  /tmp/xorg.conf - - - - ${twoMonitor}"
+    "L+ /var/lib/libvirt/hooks/qemu - - - - ${qemuHook}"
+    "L+ /var/lib/libvirt/qemu/Windows.xml - - - - ${self + /misc/Windows.xml}"
+  ];
+}

hosts/gerg-desktop/zfs.nix

@@ -0,0 +1,75 @@
+_: {
+  config,
+  lib,
+  ...
+}: {
+  #link some stuff
+  systemd.tmpfiles.rules = [
+    "L+ /etc/ssh/ssh_host_ed25519_key  - - - - /persist/ssh/ssh_host_ed25519_key"
+    "L+ /etc/ssh/ssh_host_ed25519_key.pub  - - - - /persist/ssh/ssh_host_ed25519_key.pub"
+  ];
+  #create machine-id for spotify
+  environment.etc = {
+    "machine-id".text = "b6431c2851094770b614a9cfa78fb6ea";
+  };
+  #make sure the sopskey is found
+  sops.age.sshKeyPaths = lib.mkForce ["/persist/ssh/ssh_host_ed25519_key"];
+  fileSystems."/persist".neededForBoot = true;
+
+  boot = {
+    zfs = {
+      devNodes = "/dev/disk/by-id/";
+      forceImportAll = true;
+    };
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+    #disable hibernate and set cache max
+    kernelParams = ["nohibernate" "zfs.zfs_arc_max=17179869184"];
+    supportedFilesystems = ["zfs" "vfat"];
+    initrd = {
+      #module for multiple swap devices
+      kernelModules = ["dm_mod"];
+      #keyboard module for zfs password
+      availableKernelModules = ["hid_generic"];
+      #wipe / and /var on boot
+      postDeviceCommands = lib.mkAfter ''
+        zfs rollback -r rpool/root@empty
+        zfs rollback -r rpool/var@empty
+      '';
+    };
+    plymouth.enable = false;
+    loader = {
+      generationsDir.copyKernels = true;
+
+      #override defaults
+      systemd-boot.enable = false;
+      efi.canTouchEfiVariables = false;
+
+      grub = {
+        enable = true;
+        efiInstallAsRemovable = true;
+        copyKernels = true;
+        efiSupport = true;
+        zfsSupport = true;
+        mirroredBoots = [
+          {
+            path = "/boot/efis/nvme-SHPP41-500GM_SSB4N6719101A4N0E";
+            devices = ["/dev/disk/by-id/nvme-SHPP41-500GM_SSB4N6719101A4N0E"];
+          }
+          {
+            path = "/boot/efis/nvme-SHPP41-500GM_SSB4N6719101A4N22";
+            devices = ["/dev/disk/by-id/nvme-SHPP41-500GM_SSB4N6719101A4N22"];
+          }
+        ];
+        splashImage = null;
+        extraConfig = ''
+          GRUB_TIMEOUT_STYLE=hidden
+        '';
+      };
+    };
+  };
+  systemd.services.zfs-mount.enable = false;
+  services.zfs = {
+    autoScrub.enable = true;
+    trim.enable = true;
+  };
+}

hosts/moms-laptop/default.nix

@@ -0,0 +1,84 @@
+_: {
+  pkgs,
+  config,
+  ...
+}: {
+  localModules = {
+    remoteBuild.enable = true;
+    DM = {
+      lightdm.enable = true;
+      autoLogin = true;
+      loginUser = "jo";
+    };
+    DE.xfce.enable = true;
+    theming = {
+      enable = true;
+      kmscon.enable = true;
+    };
+  };
+
+  environment.systemPackages = builtins.attrValues {
+    inherit
+      (pkgs)
+      neovim
+      vlc
+      nomacs
+      rsync
+      pavucontrol #gui volume control
+      librewolf #best browser
+      ;
+  };
+  services.xserver.videoDrivers = ["intel"];
+  networking = {
+    hostName = "moms-laptop";
+    networkmanager.enable = true;
+  };
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  sops.secrets.root.neededForUsers = true;
+  users = {
+    mutableUsers = false;
+    users = {
+      jo = {
+        useDefaultShell = true;
+        uid = 1000;
+        isNormalUser = true;
+        extraGroups = ["networkmanager" "audio"];
+        initialHashedPassword = "";
+      };
+      "root" = {
+        uid = 0;
+        home = "/root";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuO/3IF+AjH8QjW4DAUV7mjlp2Mryd+1UnpAUofS2yA gerg@gerg-phone"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpYY2uw0OH1Re+3BkYFlxn0O/D8ryqByJB/ljefooNc gerg@gerg-windows"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWbwkFJmRBgyWyWU+w3ksZ+KuFw9uXJN3PwqqE7Z/i8 gerg@gerg-desktop"
+        ];
+        passwordFile = config.sops.secrets.root.path;
+      };
+    };
+  };
+  boot = {
+    initrd.availableKernelModules = ["xhci-pci" "ehci-pci" "ahci" "usbhid" "sd_mod" "sr_mod" "rtsx_usb_sdmmc"];
+    kernelModules = ["kvm-intel"];
+  };
+  systemd.tmpfiles.rules = [
+    "L+ /home/jo/Desktop/gimp.desktop - - - - ${pkgs.gimp}/share/applications/gimp.desktop"
+    "L+ /home/jo/Desktop/org.gnome.Calculator.desktop - - - - ${pkgs.gnome.gnome-calculator}/share/applications/org.gnome.Calculator.desktop"
+    "L+ /home/jo/Desktop/org.nomacs.ImageLounge.desktop - - - - ${pkgs.nomacs}/share/applications/org.nomacs.ImageLounge.desktop"
+    "L+ /home/jo/Desktop/thunar.desktop - - - - ${pkgs.xfce.thunar}/share/applications/thunar.desktop"
+    "L+ /home/jo/Desktop/librewolf.desktop - - - - ${pkgs.librewolf}/share/applications/librewolf.desktop"
+    "L+ /home/jo/Desktop/vlc.desktop - - - - ${pkgs.vlc}/share/applications/vlc.desktop"
+    "L /home/jo/Desktop/Downloads - - - - /home/jo/Downloads"
+    "L /home/jo/Desktop/Documents - - - - /home/jo/Documents"
+    "L /home/jo/Desktop/Pictures - - - - /home/jo/Pictures"
+  ];
+
+  system.stateVersion = "23.05";
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 8 * 1024;
+    }
+  ];
+}

hosts/moms-laptop/disko.nix

@@ -0,0 +1,39 @@
+{disko, ...}: {disks ? [], ...}: {
+  dummyvalue = {inherit disks;};
+  imports = [disko.nixosModules.disko];
+  disko.devices = {
+    disk.sda = {
+      device = "/dev/disk/by-id/ata-WDC_WDS240G2G0A-00JH30_180936803144";
+      type = "disk";
+      content = {
+        type = "table";
+        format = "gpt";
+        partitions = [
+          {
+            name = "ESP";
+            start = "1MiB";
+            end = "1GiB";
+            bootable = true;
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          }
+          {
+            name = "root";
+            start = "1GiB";
+            end = "100%";
+            part-type = "primary";
+            bootable = true;
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          }
+        ];
+      };
+    };
+  };
+}

hosts/moms-laptop/printing.nix

@@ -0,0 +1,20 @@
+_: {pkgs, ...}: {
+  nixpkgs.allowedUnfree = ["hplip"];
+  environment.systemPackages = [
+    pkgs.gimp
+    (pkgs.xsane.override {gimpSupport = true;})
+    pkgs.libreoffice
+  ];
+  users.users.jo.extraGroups = ["scanner" "lp" "cups"];
+  hardware.sane = {
+    enable = true;
+    extraBackends = [pkgs.hplipWithPlugin];
+  };
+  systemd.tmpfiles.rules = ["L /home/jo/.config/GIMP/2.10/plug-ins/xsane - - - - /run/current-system/sw/bin/xsane"];
+  services = {
+    printing = {
+      enable = true;
+      drivers = [pkgs.hplipWithPlugin];
+    };
+  };
+}

hosts/moms-laptop/secrets.yaml

@@ -0,0 +1,30 @@
+root: ENC[AES256_GCM,data:tQMtWAjqHcuny+6R3M0BFyEaFiaAr0eU04xhLiMdZ9KuqeQoV2aasJ9I6yVWNeaNE/K2DEWEXIv3fhLVp11/CMBjd9Yi1An9Jg==,iv:cx1jHEioCRaL7u2zwp8NfDxnHr5zzWTOh8/gJgUKN+0=,tag:JVex88fYnSmfwhortUi0Xw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vxx3qdsucv2v2slag67c4f0kwd8jtta4tue6m8d9xfl4ryrqvyusxgwl68
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwU3doYWlIdWEwTmVOUGRY
+            aGJPMy9ac1RoUS9LdUcvbkxSU1N2MVpIeFRjCmV6QTlhMUhoVmdUOGdFdmVMNW5h
+            cVI4YlBwaEZFbC8xZWYrMFZQOFVaQzgKLS0tIHMzN081UmowTXYzc1hhNk5FOWdu
+            Vmh5WGFXT2M0dUttQjMxMXA5TUJFTkEKvI3cbR9A9vK6oiEc6Qaj9j84FxVekQvl
+            ZfQhT6nLrh7IjR+uJ1ZqwJioSsGKLCDmBropjTWei469fJkma7p8BQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age180y8kdtdlqelayyz9mq2c7xv248rh4gdfr3amjzvdcjrz6wdaqmsj762pp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZk1ScGpmT1Fjd1p3MFFw
+            dE1mRjUyQkN4N05VMThUZnNHL2pQbjVQem5nCjVsejY0L0piTHMzOVo4d2xHL2Fq
+            aVp0WXpMbUlEMGFoS080N1BITXhDa1EKLS0tIHRTSTAybUFUZFFNL1NOWHduWmE3
+            SVJpZmRIcjJZWjNGZFllTGU4L0NLZG8K/J87ETorELtOxABopOvEcRPiY8qubzou
+            Ogs1d+4CqPx/PC4tW06tkp8Fp8DWcr8/XxxsPJ9DBfVT7wCRb/RqCw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-03-11T20:02:40Z"
+    mac: ENC[AES256_GCM,data:XK10hpfe5zKQvP4Lf0lXTgmSULsqC446CYR7B57R6G99BJgpkdYOK9Zi1IHF3g1mwjplxY3LSi8mW+ETV7DgnhOhpTiGJQzFKmLVQCogImM63aWR6/SYRAoI3wvgb4TMv/cZvaqRHmU+HzjTN5ZCGWDfKyQvFVjOWps8FvK4kNM=,iv:cK5ARa1+Qtw/LHHNUZVFa1k79LuDIW40jhS9AyEBUCQ=,tag:b621ftO1UVE1/4G3KVsIOQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3