wip commands

Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff
2024-06-22 17:03:25 -07:00 · 2024-06-22 17:00:44 -07:00 · 2024-06-22 16:50:31 -07:00 · 2024-06-22 16:49:44 -07:00
80 changed files with 1321 additions and 4651 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,15 +1,8 @@
 shel_keys: &shel_keys
-  - &a age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
+  - &pixel-termux age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
-  - &b age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
+  - &t460s age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
-  - &c age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
+  - &pixel-nix age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
-  - &d age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
+  - &compute-deck-user age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
  - &e age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
  - &f age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
  - &g age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
  - &h age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
  - &i age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
  - &j age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
  - &k age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
 machine_host_keys:
  - &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
  - &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
@@ -22,17 +15,10 @@ creation_rules:
  - path_regex: ^secrets/liam/
    key_groups:
    - age:
-      - *a
+      - *pixel-termux
-      - *b
+      - *t460s
-      - *c
+      - *pixel-nix
-      - *d
+      - *compute-deck-user
      - *e
      - *f
      - *g
      - *h
      - *i
      - *j
      - *k
      - *liam
  - path_regex: ^tests/test_secrets/
    key_groups:
--- a/README.md
+++ b/README.md
@@ -1,31 +1,13 @@
 more just notes for now
 ---
 deploy:
 ```sh
 nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
 ```
 ---
 build flake on remote machine, including eval:
 ```sh
 git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
-```
+```
 ---
 search for string in closure
 ```sh
 rg search_str $(nix path-info --recursive ./result)
 ```
 or
 ```sh
 rg search_str $(nix path-info --recursive .#qb.trip)
 ```
--- a/common/common-but-not.nix
+++ b/common/common-but-not.nix
@@ -1,9 +0,0 @@
 # todo: rename this module
 # stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
 { inputs, ... }:
 {
  nix.registry.vacu.to = {
    type = "path";
    path = inputs.self.outPath;
  };
 }
--- a/common/defaultPackages.nix
+++ b/common/defaultPackages.nix
@@ -1,83 +0,0 @@
 {
  pkgs,
  config,
  inputs,
  lib,
  ...
 }: lib.mkMerge [
  (lib.mkIf (!config.vacu.minimal) {
    vacu.packages = 
      (with pkgs; [
        home-manager
        nix-index
        rclone
        termscp
        man
        neovim
        nmap
        ruby
      ])
      ++ [
        inputs.nix-search-cli.packages.${pkgs.system}.default
        inputs.nix-inspect.packages.${pkgs.system}.default
      ];
  }) (
    lib.mkIf (config.vacu.minimal) { 
      environment.defaultPackages = [];
    }
  ) {
    vacu.packages =
      with pkgs; [
        nixos-rebuild
        which
        nano
        vim
        wget
        screen
        tmux
        lsof
        htop
        mosh
        dnsutils
        iperf3
        rsync
        ethtool
        sshfs
        ddrescue
        pciutils
        ncdu
        pv
        unzip
        file
        ripgrep
        jq
        units
        tree
        iputils
        ssh-to-age
        sops
        inetutils
        diffutils
        findutils
        utillinux
        tzdata
        hostname
        gnugrep
        gnused
        gnutar
        bzip2
        gzip
        xz
        zip
        unzip
        openssh
        dig
        bash
        usbutils
        psutils
        killall
        git
        curl
      ];
    }
 ]
--- a/common/home.nix
+++ b/common/home.nix
@@ -1,7 +0,0 @@
 { ... }:
 let
 in
 {
  imports = [ ./common-but-not.nix ];
 }
--- a/common/minimal.nix
+++ b/common/minimal.nix
@@ -1,49 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit (lib) mkDefault mkIf mkEnableOption;
 in
 {
  options.vacu.minimal = mkEnableOption "minimal system";
  config = mkIf config.vacu.minimal {
    programs.git.lfs.enable = false;
    programs.git.package = pkgs.gitMinimal;
    # mostly copied from nixos's /profiles/minimal.nix
    environment.noXlibs = mkDefault true;
    documentation.enable = mkDefault false;
    documentation.doc.enable = mkDefault false;
    documentation.info.enable = mkDefault false;
    documentation.man.enable = mkDefault false;
    documentation.nixos.enable = mkDefault false;
    # Perl is a default package.
    environment.defaultPackages = mkDefault [ ];
    environment.stub-ld.enable = false;
    # The lessopen package pulls in Perl.
    programs.less.lessopen = mkDefault null;
    # This pulls in nixos-containers which depends on Perl.
    boot.enableContainers = mkDefault false;
    programs.command-not-found.enable = mkDefault false;
    services.logrotate.enable = mkDefault false;
    services.udisks2.enable = mkDefault false;
    xdg.autostart.enable = mkDefault false;
    xdg.icons.enable = mkDefault false;
    xdg.mime.enable = mkDefault false;
    xdg.sounds.enable = mkDefault false;
  };
 }
--- a/common/module.nix
+++ b/common/module.nix
@@ -1,216 +0,0 @@
 {
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 let
  inherit (lib) mkOption types;
  inherit (inputs) self;
 in
 {
  imports = [
    ./package-set.nix
    ./shell
    ./nixvim.nix
    ./ssh.nix
    ./nix.nix
    ./verify-system
    ./defaultPackages.nix
    ./minimal.nix
  ];
  options = {
    vacu.rootCAs = mkOption { type = types.listOf types.str; };
    vacu.versionId = mkOption {
      type = types.str;
      readOnly = true;
    };
    vacu.versionInfo = mkOption { readOnly = true; };
    vacu.hostName = mkOption { type = types.str; };
    vacu.shortHostName = mkOption {
      type = types.str;
      default = config.vacu.hostName;
    };
    vacu.nixvimPkg = mkOption { readOnly = true; };
  };
  config = {
    vacu.versionId = toString (self.shortRev or self.dirtyShortRev);
    vacu.versionInfo = {
      id = self.rev or self.dirtyRev;
      flakePath = self.outPath;
      nixpkgs = config.nixpkgs.flake.source;
      inherit inputs;
    };
    vacu.nix.caches.nixcache-shelvacu = {
      url = "https://nixcache.shelvacu.com/";
      keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
    };
    vacu.nix.caches.nix-community = {
      url = "https://nix-community.cachix.org/";
      keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
    };
    vacu.nix.caches.nix-on-droid = {
      url = "https://nix-on-droid.cachix.org/";
      keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
    };
    vacu.nix.caches.nixos = {
      url = "https://cache.nixos.org/";
      keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
    };
    vacu.rootCAs = [
      ''
        -----BEGIN CERTIFICATE-----
        MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
        A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
        MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
        hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
        AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
        MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
        BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
        CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
        AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
        -----END CERTIFICATE-----
      ''
    ];
    vacu.ssh.authorizedKeys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC" # pixel9pro nix-on-droid
    ];
    vacu.ssh.config = ''
      Host deckvacu
        User deck
      Host rsb
        User user
        HostName finaltask.xyz
        Port 2222
      Host awoo
        HostName 45.142.157.71
      Host trip
        HostName trip.shelvacu.com
        Port 6922
      Host liam
        HostName 178.128.79.152
      Host pluto
        HostName pluto.somevideogam.es
      Host *
        User shelvacu
        GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
    '';
    vacu.ssh.knownHosts = {
      #public hosts
      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
      "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
      #colin's stuff
      "uninsane.org" = {
        extraHostNames = [ "git.uninsane.org" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
      };
      "desko" = {
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
      };
      #daymocker's stuff
      "pluto" = {
        extraHostNames = [ "74.208.184.137" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
      };
      #powerhouse hosts
      "ostiary" = {
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
      };
      "habitat" = {
        # previously known as zigbee-hub
        extraHostNames = [ "10.78.79.114" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
      };
      "vnopn" = {
        extraHostNames = [
          "10.78.79.1"
          "vnopn.t2d.lan"
        ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
      };
      #work laptop
      "tebbs-MBP" = {
        extraHostNames = [ "10.244.10.3" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
      };
      #personal hosts
      trip = {
        extraHostNames = [
          "triple-dezert"
          "trip.shelvacu.com"
          "[trip.shelvacu.com]:6922"
        ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
      };
      servacu = {
        extraHostNames = [
          "mail.dis8.net"
          "servacu.shelvacu.com"
        ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
      };
      finaltask = {
        extraHostNames = [
          "rsb"
          "finaltask.xyz"
          "[finaltask.xyz]:2222"
        ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
      };
      compute-deck = {
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
      };
      "2esrever" = {
        extraHostNames = [
          "10.4.5.218"
          "10.244.46.71"
        ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
      };
      awoo = {
        extraHostNames = [ "45.142.157.71" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
      };
      deckvacu = {
        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
      };
      liam = {
        extraHostNames = [
          "liam.dis8.net"
          "178.128.79.152"
        ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
      };
      fw = {
        extraHostNames = [ "fw.t2d.lan" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
      };
    };
  };
 }
--- a/common/nix-on-droid.nix
+++ b/common/nix-on-droid.nix
@@ -1,21 +0,0 @@
 { config, lib, ... }:
 let
  inherit (lib) mkDefault;
 in
 {
  imports = [
    ./module.nix
    ./common-but-not.nix
  ];
  environment.packages = config.vacu.packageList;
  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
  nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
  nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
  vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
  environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
  environment.etc.profile.text = config.vacu.shell.interactiveLines;
  environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
  vacu.hostName = mkDefault "nix-on-droid";
  vacu.shortHostName = mkDefault "nod";
 }
--- a/common/nix.nix
+++ b/common/nix.nix
@@ -1,36 +0,0 @@
 { lib, config, ... }:
 let
  inherit (lib) mkOption types;
  caches = builtins.attrValues config.vacu.nix.caches;
  enabledCaches = builtins.filter (c: c.enable) caches;
 in
 {
  options = {
    vacu.nix.caches = mkOption {
      type = types.attrsOf (
        types.submodule (
          { name, ... }:
          {
            options = {
              url = mkOption { type = types.str; };
              keys = mkOption {
                type = types.listOf types.str;
                default = [ ];
              };
              enable = mkOption {
                default = true;
                type = types.bool;
              };
            };
          }
        )
      );
    };
    vacu.nix.substituterUrls = mkOption { readOnly = true; };
    vacu.nix.trustedKeys = mkOption { readOnly = true; };
    vacu.nix.plainOptions = mkOption { };
  };
  config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
  config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
  config.vacu.nix.plainOptions.allowUnfree = true;
 }
--- a/common/nixos-rebuild.nix
+++ b/common/nixos-rebuild.nix
@@ -1,33 +0,0 @@
 {
  pkgs,
  config,
  lib,
  ...
 }:
 let
  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
 in
 {
  options.vacu.alwaysUseRemoteSudo =
    (lib.mkEnableOption "always deploy to this machine with --use-remote-sudo")
    // {
      default = true;
    };
  config = lib.mkIf config.vacu.alwaysUseRemoteSudo {
    system.build.nixos-rebuild = lib.mkForce (
      pkgs.runCommandLocal "nixos-rebuild-wrapped"
        {
          nativeBuildInputs = [ pkgs.makeShellWrapper ];
          meta.mainProgram = "nixos-rebuild";
        }
        ''
          runHook preInstall
          mkdir -p $out/bin
          makeShellWrapper ${lib.getExe nixos-rebuild} $out/bin/nixos-rebuild --add-flags "--use-remote-sudo"
          runHook postInstall
        ''
    );
  };
 }
--- a/common/nixos.nix
+++ b/common/nixos.nix
@@ -1,115 +0,0 @@
 {
  lib,
  pkgs,
  config,
  utils,
  ...
 }:
 {
  imports = [
    ./module.nix
    ./common-but-not.nix
    ./verify-system/nixos.nix
    ./nixos-rebuild.nix
  ];
  options.vacu.underTest = lib.mkOption {
    default = false;
    type = lib.types.bool;
  };
  options.vacu.acmeCertDependencies = lib.mkOption {
    default = { };
    example = ''
      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
    '';
    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
  };
  config =
    let
      for-systemd-services = lib.concatMapAttrs (cert: units: {
        "acme-selfsigned-${cert}" = {
          wantedBy = units;
          before = units;
        };
      }) config.vacu.acmeCertDependencies;
      for-security-acme-certs = lib.concatMapAttrs (cert: units: {
        ${cert}.reloadServices = units;
      }) config.vacu.acmeCertDependencies;
    in
    {
      console = {
        keyMap = lib.mkDefault "us";
      };
      networking.hostName = config.vacu.hostName;
      vacu.packages."xorg-xev" = {
        enable = config.services.xserver.enable;
        package = pkgs.xorg.xev;
      };
      environment.systemPackages = config.vacu.packageList;
      programs.git = lib.mkDefault {
        enable = true;
        lfs.enable = true;
      };
      programs.nix-ld.enable = true;
      system.nixos.tags = [
        "vacu${config.vacu.versionId}"
        config.vacu.hostName
      ];
      environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
      i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
      time.timeZone = "America/Los_Angeles";
      users.users.shelvacu = {
        openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
        isNormalUser = true;
        extraGroups = [ "wheel" ];
      };
      systemd.services = for-systemd-services;
      security.acme.certs = for-security-acme-certs;
      services.openssh = {
        # require public key authentication for better security
        settings.PasswordAuthentication = false;
        settings.KbdInteractiveAuthentication = false;
        settings.PermitRootLogin = "prohibit-password";
      };
      nix.settings.trusted-users = [ "shelvacu" ];
      security.sudo.wheelNeedsPassword = lib.mkDefault false;
      programs.screen = {
        screenrc = ''
                  defscrollback 10000
                  termcapinfo xterm* ti@:te@
          	maptimeout 5
        '';
      } // (if config.system.nixos.release == "23.11" then { } else { enable = true; });
      programs.tmux.enable = true;
      programs.tmux.extraConfig = "setw mouse";
      programs.tmux.clock24 = true;
      nix.settings = {
        experimental-features = [
          "nix-command"
          "flakes"
        ];
        substituters = lib.mkForce config.vacu.nix.substituterUrls;
        extra-substituters = lib.mkForce [ ];
        trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
        extra-trusted-public-keys = lib.mkForce [ ];
      };
      nixpkgs.config.allowUnfree = lib.mkDefault true;
      programs.mosh.enable = lib.mkDefault true;
      programs.ssh.extraConfig = config.vacu.ssh.config;
      security.pki.certificates = config.vacu.rootCAs;
      # commands.nix
      environment.pathsToLink = [ "/share/vacufuncs" ];
      vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
      programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
      programs.bash.promptInit = lib.mkForce "";
    };
 }
--- a/common/nixvim.nix
+++ b/common/nixvim.nix
@@ -1,15 +0,0 @@
 {
  pkgs,
  config,
  inputs,
  lib,
  ...
 }:
 {
  vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.nixvim;
  vacu.shell.functions = lib.mkIf (!config.vacu.minimal) {
    nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
    nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
    nvim = ''nvim-nixvim "$@"'';
  };
 }
--- a/common/package-set.nix
+++ b/common/package-set.nix
@@ -1,74 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (lib) mkOption types;
  pkgOptions = builtins.attrValues config.vacu.packages;
  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
  enabledPkgs = builtins.map (o: o.package) enabledOptions;
  packagesSetType = types.attrsOf (
    types.submodule (
      {
        name,
        ...
      }:
      {
        options = {
          enable = mkOption {
            type = types.bool;
            description = "Will this package be installed (included in environment.systemPackages)";
          };
          package = mkOption {
            type = types.package;
            default = pkgs.${name};
            defaultText = "pkgs.${name}";
          };
        };
      }
    )
  );
  packageListToSet = (
    from:
    let
      keyvals = map (
        val:
        if builtins.isString val then
          {
            name = val;
            value = {
              package = pkgs."${val}";
              enable = lib.mkDefault true;
            };
          }
        else
          {
            name = val.pname or val.name;
            value = {
              package = lib.mkDefault val;
              enable = lib.mkDefault true;
            };
          }
      ) from;
    in
    builtins.listToAttrs keyvals
  );
 in
 {
  options = {
    vacu.packages = mkOption {
      default = { };
      type = types.coercedTo (types.listOf (
        types.either types.str types.package
      )) packageListToSet packagesSetType;
    };
    vacu.packageList = mkOption {
      type = types.listOf types.package;
      readOnly = true;
    };
  };
  config.vacu.packageList = enabledPkgs;
 }
--- a/common/shell/default.nix
+++ b/common/shell/default.nix
@@ -1,95 +0,0 @@
 {
  config,
  lib,
  pkgs,
  vaculib,
  ...
 }:
 let
  inherit (lib) mkOption types;
  cfg = config.vacu.shell;
  writeShellFunction =
    name: text:
    pkgs.writeTextFile {
      inherit name;
      executable = false;
      destination = "/share/vacufuncs/${name}";
      text = ''
        ${text}
      '';
      checkPhase = ''
        ${pkgs.stdenv.shellDryRun} "$target"
      '';
    };
  functionPackages = lib.mapAttrsToList writeShellFunction cfg.functions;
 in
 {
  imports = [
    ./not-aliases.nix
    ./ps1.nix
  ];
  options = {
    vacu.shell.functionsDir = mkOption { type = types.path; };
    vacu.shell.interactiveLines = mkOption {
      type = types.lines;
      default = "";
    };
    vacu.shell.idempotentShellLines = mkOption {
      type = types.lines;
      default = "";
    };
    vacu.shell.color = mkOption { type = types.enum (builtins.attrNames vaculib.shellColors); };
    vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
  };
  config = {
    _module.args.vaculib = {
      # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
      shellColors = {
        black = 30;
        red = 31;
        green = 32;
        yellow = 33;
        blue = 34;
        magenta = 35;
        cyan = 36;
        white = 37;
      };
    };
    vacu.shell.interactiveLines = ''
      if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
        function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
        __vacushell_load
        unset __vacushell_load
      fi
    '';
    vacu.shell.functions."vacureload" = ''
      declare -gA vacuShellFunctionsLoaded
      if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
        echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
        for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
          unset -f $funcname
        done
        return
      fi
      for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
        if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
          unset -f $funcname
        fi
      done
      for fullPath in ${cfg.functionsDir}/*; do
        local funcname="$(basename "$fullPath")"
        local followedPath="$(readlink -f "$fullPath")"
        if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
          unset -f $funcname
          eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
          vacuShellFunctionsLoaded[$funcname]=$followedPath
        fi
        unset followedPath
        unset funcname
      done
      __set_idempotents
    '';
    vacu.shell.functions."__set_idempotents" = cfg.idempotentShellLines;
    vacu.packages = functionPackages;
  };
 }
--- a/common/shell/not-aliases.nix
+++ b/common/shell/not-aliases.nix
@@ -1,45 +0,0 @@
 # These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
 { pkgs, ... }:
 let
  inherit (pkgs) writeScriptBin;
 in
 {
  vacu.packages = [
    (writeScriptBin "ms" ''
      set -e
      if [[ $# != 1 ]]; then
        echo "wrong number of args" 1>&2
        exit 1
      fi
      set -x
      mosh -- $1 screen -Rd
    '')
    (writeScriptBin "mss" ''
      set -e
      if [[ $# != 1 ]]; then
        echo "wrong number of args" 1>&2
        exit 1
      fi
      set -x
      mosh -- $1 sudo screen -Rd
    '')
    (writeScriptBin "rmln" ''
      set -eo pipefail
      for arg in "$@"; do
        if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
          echo "$0: $arg is not a symlink" 1>&2
          exit 1
        fi
      done
      rm "$@"
    '')
  ];
  vacu.shell.functions = {
    nd = ''
      declare -a args
      args=("$@")
      mkdir "''${args[@]}" && cd "''${args[-1]}"
    '';
    td = ''pushd $(mktemp "$@")'';
  };
 }
--- a/common/shell/ps1.nix
+++ b/common/shell/ps1.nix
@@ -1,36 +0,0 @@
 {
  config,
  lib,
  vaculib,
  ...
 }:
 let
  cfg = config.vacu.shell;
  # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
  colors = vaculib.shellColors;
  # https://man.archlinux.org/man/bash.1#PROMPTING
  # \[ and \] begins and ends "a sequence of non-printing characters"
  set_color = colornum: ''\[\e[1;${toString colornum}m\]'';
  set_inverted_color = colornum: ''\[\e[1;37;${toString (colornum + 10)}m\]'';
  reset_color = ''\[\e[0m\]'';
  colornum = colors.${cfg.color};
  root_text = root: lib.optionalString root "ROOT@";
  final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
  default_ps1 =
    root:
    ''\n''
    + (set_color colornum)
    + ''${root_text root}${config.vacu.shortHostName}:\w''
    + (final root)
    + reset_color
    + " ";
 in
 {
  vacu.shell.idempotentShellLines = ''
    if [ $UID = 0 ]; then
      export PS1=${lib.escapeShellArg (default_ps1 true)}
    else
      export PS1=${lib.escapeShellArg (default_ps1 false)}
    fi
  '';
 }
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -1,147 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 let
  inherit (lib)
    mkOption
    types
    flip
    concatMapStringsSep
    optionalString
    concatStringsSep
    readFile
    mapAttrsToList
    literalExpression
    ;
  inherit (builtins) attrValues;
  cfg = config.vacu;
  knownHosts = attrValues cfg.ssh.knownHosts;
  knownHostsText =
    (flip (concatMapStringsSep "\n") knownHosts (
      h:
      assert h.hostNames != [ ];
      optionalString h.certAuthority "@cert-authority "
      + concatStringsSep "," h.hostNames
      + " "
      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
    ))
    + "\n";
 in
 {
  options = {
    vacu.ssh.knownHostsText = mkOption {
      type = types.str;
      readOnly = true;
      default = knownHostsText;
    };
    vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
    vacu.ssh.config = mkOption { type = types.lines; };
    # Straight copied from nixpkgs 
    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
    vacu.ssh.knownHosts = mkOption {
      default = { };
      type = types.attrsOf (
        types.submodule (
          {
            name,
            config,
            options,
            ...
          }:
          {
            options = {
              certAuthority = mkOption {
                type = types.bool;
                default = false;
                description = ''
                  This public key is an SSH certificate authority, rather than an
                  individual host's key.
                '';
              };
              hostNames = mkOption {
                type = types.listOf types.str;
                default = [ name ] ++ config.extraHostNames;
                defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
                description = ''
                  A list of host names and/or IP numbers used for accessing
                  the host's ssh service. This list includes the name of the
                  containing `knownHosts` attribute by default
                  for convenience. If you wish to configure multiple host keys
                  for the same host use multiple `knownHosts`
                  entries with different attribute names and the same
                  `hostNames` list.
                '';
              };
              extraHostNames = mkOption {
                type = types.listOf types.str;
                default = [ ];
                description = ''
                  A list of additional host names and/or IP numbers used for
                  accessing the host's ssh service. This list is ignored if
                  `hostNames` is set explicitly.
                '';
              };
              publicKey = mkOption {
                default = null;
                type = types.nullOr types.str;
                example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
                description = ''
                  The public key data for the host. You can fetch a public key
                  from a running SSH server with the {command}`ssh-keyscan`
                  command. The public key should not include any host names, only
                  the key type and the key itself.
                '';
              };
              publicKeyFile = mkOption {
                default = null;
                type = types.nullOr types.path;
                description = ''
                  The path to the public key file for the host. The public
                  key file is read at build time and saved in the Nix store.
                  You can fetch a public key file from a running SSH server
                  with the {command}`ssh-keyscan` command. The content
                  of the file should follow the same format as described for
                  the `publicKey` option. Only a single key
                  is supported. If a host has multiple keys, use
                  {option}`programs.ssh.knownHostsFiles` instead.
                '';
              };
            };
          }
        )
      );
      description = ''
        The set of system-wide known SSH hosts. To make simple setups more
        convenient the name of an attribute in this set is used as a host name
        for the entry. This behaviour can be disabled by setting
        `hostNames` explicitly. You can use
        `extraHostNames` to add additional host names without
        disabling this default.
      '';
      example = literalExpression ''
        {
          myhost = {
            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
          };
          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
          "myhost2.net/dsa" = {
            hostNames = [ "myhost2.net" ];
            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
          };
        }
      '';
    };
    config.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
      name: data: {
        assertion =
          (data.publicKey == null && data.publicKeyFile != null)
          || (data.publicKey != null && data.publicKeyFile == null);
        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
      }
    );
  };
 }
--- a/common/verify-system/default.nix
+++ b/common/verify-system/default.nix
@@ -1,60 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 let
  inherit (lib) mkOption mkEnableOption types;
  cfg = config.vacu.verifySystem;
 in
 {
  options.vacu.verifySystem = {
    enable = (mkEnableOption "verify system is what is expected") // {
      default = true;
    };
    verifiers = mkOption {
      default = { };
      type = types.attrsOf (
        types.submodule (
          { name, config, ... }:
          {
            options = {
              enable = mkEnableOption "Enable system ident check ${name}";
              name = mkOption {
                type = types.str;
                default = name;
              };
              script = mkOption {
                type = types.lines;
                default = "## system ident check ${config.name}";
              };
            };
          }
        )
      );
    };
    verifyAllScript =
      let
        verifiers = (builtins.attrValues cfg.verifiers);
        enabled = builtins.filter (s: s.enable) verifiers;
        files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
        script = ''
                  ## vacu verify-system
          	for f in ${lib.concatStringsSep " " files}; do
          	  echo "verifying system with $f"
          	  if ! source $f; then
          	    echo "ERR: $f failed" >&2
          	    return 1
          	  fi
          	done
        '';
        scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
      in
      mkOption {
        readOnly = true;
        default = scriptFile;
      };
  };
 }
--- a/common/verify-system/nixos.nix
+++ b/common/verify-system/nixos.nix
@@ -1,65 +0,0 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 let
  inherit (lib) mkOption types;
 in
 {
  options.vacu.verifySystem.expectedMac = mkOption {
    type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}");
    default = null;
  };
  config = lib.mkIf config.vacu.verifySystem.enable {
    # system.activationScripts."00-verify-system" = {
    #   text = "if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit $?; fi";
    #   supportsDryActivation = true;
    # };
    system.extraSystemBuilderCmds = ''
      mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
      cat <<EOF > $out/bin/switch-to-configuration
      #!${pkgs.bash}/bin/bash
      oldpath="$PATH"
      export PATH="${pkgs.coreutils}/bin"
      if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
      export PATH="$oldpath"
      exec $out/bin/.switch-to-configuration-unverified "\$@"
      EOF
      ${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
    '';
    vacu.verifySystem.verifiers = {
      hostname = {
        enable = lib.mkDefault true;
        script = ''
          expected=${config.networking.hostName}
          actual=$(cat /proc/sys/kernel/hostname)
          if [[ "$expected" != "$actual" ]]; then
            echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
            return 1
          fi
        '';
      };
      expectedMac = {
        enable = config.vacu.verifySystem.expectedMac != null;
        script = ''
          	   expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
          	   declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten | join("\n")' -r))
          	   for ifMac in "''${actual[@]}"; do
                       if [[ "$ifMac" == "$expected" ]]; then
          	       # all is well
          	       return 0
          	      fi
          	   done
          	   echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
          	   echo "     Found MAC addresses: ''${actual[*]}" >&2
          	   return 1
          	 '';
      };
    };
  };
 }
--- a/compute-deck/bluetooth.nix
+++ b/compute-deck/bluetooth.nix
@@ -1,7 +1,6 @@
-{ ... }:
+{ ... }: {
-{
+hardware.bluetooth.enable = true;
-  hardware.bluetooth.enable = true;
+hardware.bluetooth.powerOnBoot = true;
  hardware.bluetooth.powerOnBoot = true;
-  services.blueman.enable = true;
+services.blueman.enable = true;
 }
--- a/compute-deck/default.nix
+++ b/compute-deck/default.nix
@@ -1,24 +1,18 @@
-{
+{ config, pkgs, lib, jovian, inputs, ... }:
  config,
  pkgs,
  lib,
  jovian,
  inputs,
  ...
 }:
 {
  imports = [
    inputs.jovian.nixosModules.jovian
-    # inputs.disko.nixosModules.default
+    inputs.disko.nixosModules.default
-    inputs.home-manager.nixosModules.default
+    inputs.homeManager.nixosModules.default
    ./hardware.nix
    ./partitioning.nix
    ./home.nix
    ./bluetooth.nix
    ./partitioning.nix
    ./padtype.nix
-    ../common/nixos.nix
+    ../common-nixos-config.nix
  ];
  system.nixos.tags = [ "host-${config.networking.hostName}" ];
  boot.loader.systemd-boot.enable = false;
  boot.loader.efi.efiSysMountPoint = "/boot/EFI";
@@ -29,9 +23,7 @@
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-  vacu.hostName = "compute-deck";
+  networking.hostName = "compute-deck";
  vacu.shortHostName = "cd";
  vacu.shell.color = "blue";
  networking.hostId = "e595d9b0";
  boot.supportedFilesystems = [ "zfs" ];
@@ -63,22 +55,22 @@
    rustup
  ];
-  # boot.kernelPatches = [
+  boot.kernelPatches = [
-  #   {
+    {
-  #     name = "gadget";
+      name = "gadget";
-  #     patch = null;
+      patch = null;
-  #     extraStructuredConfig = with lib.kernel; {
+      extraStructuredConfig = with lib.kernel; {
-  #       USB_ETH=module;
+        USB_ETH=module;
-  #       USB_GADGET=yes;
+        USB_GADGET=yes;
-  #       USB_LIBCOMPOSITE=yes;
+        USB_LIBCOMPOSITE=yes;
-  #       USB_CONFIGFS=yes;
+        USB_CONFIGFS=yes;
-  #       USB_DWC3=module;
+        USB_DWC3=module;
-  #       USB_DWC3_PCI=module;
+        USB_DWC3_PCI=module;
-  #       USB_DWC3_DUAL_ROLE=yes;
+        USB_DWC3_DUAL_ROLE=yes;
-  #       USB_DWC3_HOST=no;
+        USB_DWC3_HOST=no;
-  #       USB_DWC3_GADGET=no;
+        USB_DWC3_GADGET=no;
-  #       USB_ROLE_SWITCH=yes;
+        USB_ROLE_SWITCH=yes;
-  #     };
+      };
-  #   }
+    }
-  # ];
+  ];
 }
--- a/compute-deck/hardware.nix
+++ b/compute-deck/hardware.nix
@@ -1,60 +1,51 @@
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ];
    "nvme"
    "xhci_pci"
    "usbhid"
    "sdhci_pci"
    "dwc3_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
-  /*
+/*
-    fileSystems."/" =
+  fileSystems."/" =
-      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-        fsType = "btrfs";
+      fsType = "btrfs";
-        options = [ "subvol=root" ];
+      options = [ "subvol=root" ];
-      };
+    };
-    fileSystems."/home" =
+  fileSystems."/home" =
-      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-        fsType = "btrfs";
+      fsType = "btrfs";
-        options = [ "subvol=home" ];
+      options = [ "subvol=home" ];
-      };
+    };
-    fileSystems."/nix" =
+  fileSystems."/nix" =
-      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-        fsType = "btrfs";
+      fsType = "btrfs";
-        options = [ "subvol=nix" ];
+      options = [ "subvol=nix" ];
-      };
+    };
-    fileSystems."/boot" =
+  fileSystems."/boot" =
-      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-        fsType = "btrfs";
+      fsType = "btrfs";
-        options = [ "subvol=boot" ];
+      options = [ "subvol=boot" ];
-      };
+    };
-  */
+*/
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
    fsType = "ext4";
  };
-  fileSystems."/boot/EFI" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/C268-79C8";
+    { device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
-    fsType = "vfat";
+      fsType = "ext4";
-  };
+    };
  fileSystems."/boot/EFI" =
    { device = "/dev/disk/by-uuid/C268-79C8";
      fsType = "vfat";
    };
  swapDevices = [ ];
--- a/compute-deck/home.nix
+++ b/compute-deck/home.nix
@@ -2,7 +2,9 @@
 {
  home-manager.users.shelvacu = {
    # these make vscode-remote work
-    imports = [ inputs.vscode-server.homeModules.default ];
+    imports = [
      inputs.vscode-server.homeModules.default
    ];
    services.vscode-server.enable = true;
    home.stateVersion = "23.11";
--- a/compute-deck/padtype.nix
+++ b/compute-deck/padtype.nix
@@ -1,10 +1,8 @@
-{ inputs, ... }:
+{ inputs, ... }: let
 let
  padtype-pkg = inputs.padtype.packages."x86_64-linux".default;
-in
+in {
 {
  environment.systemPackages = [ padtype-pkg ];
-
+  
  systemd.services."padtype" = {
    wantedBy = [ "multi-user.target" ];
    script = "${padtype-pkg}/bin/padtype";
--- a/compute-deck/partitioning.nix
+++ b/compute-deck/partitioning.nix
@@ -1,6 +1,5 @@
-{ inputs, ... }:
+{ ... }:
 {
  imports = [ inputs.disko.nixosModules.default ];
  disko.devices.disk.blarg = {
    device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
    content = {
@@ -14,29 +13,20 @@
        subvolumes = {
          "/root" = {
            mountpoint = "/";
-            mountOptions = [
+            mountOptions = [ "compress=zstd" "noatime" ];
              "compress=zstd"
              "noatime"
            ];
          };
          "/home" = {
            mountpoint = "/home";
-            mountOptions = [
+            mountOptions = [ "compress=zstd" "noatime" ];
              "compress=zstd"
              "noatime"
            ];
          };
          "/nix" = {
            mountpoint = "/nix";
-            mountOptions = [
+            mountOptions = [ "compress=zstd" "noatime" ];
              "compress=zstd"
              "noatime"
            ];
          };
-          #           "/swap" = {
+#           "/swap" = {
-          #             mountpoint = "/.swapvol";
+#             mountpoint = "/.swapvol";
-          #             swap.swapfile.size = "20M";
+#             swap.swapfile.size = "20M";
-          #           };
+#           };
        };
      };
    };
--- a/coopdx.nix
+++ b/coopdx.nix
@@ -1,103 +0,0 @@
 {
  callPackage,
  fetchFromGitHub,
  autoPatchelfHook,
  zlib,
  curl,
  libcxx,
  stdenvNoCC,
  nixpkgs ? <nixpkgs>,
  writeTextFile,
  lib,
  bash,
  enableTextureFix ? true,
  enableDiscord ? false,
 }:
 let
  libc_hack = writeTextFile {
    name = "libc-hack";
    # https://stackoverflow.com/questions/21768542/libc-h-no-such-file-or-directory-when-compiling-nanomsg-pipeline-sample
    text = ''
      #include <unistd.h>
      #include <string.h>
      #include <pthread.h>
    '';
    destination = "/include/libc.h";
  };
  target = stdenvNoCC.targetPlatform;
  bits =
    if target.is64bit then
      "64"
    else if target.is32bit then
      "32"
    else
      throw "unspported bits";
  pname = "sm64coopdx";
  version = "1.0.3";
  region = "us"; # dx removed support for other regions
 in
 (callPackage "${nixpkgs}/pkgs/games/sm64ex/generic.nix" {
  inherit pname version region;
  src = fetchFromGitHub {
    owner = "coop-deluxe";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-cIH3escLFMcHgtFxeSKIo5nZXvaknti+EVt72uB4XXc=";
  };
  extraNativeBuildInputs = [ autoPatchelfHook ];
  extraBuildInputs = [
    zlib
    curl
    libcxx
    libc_hack
  ];
  # Normally there's no need to set TARGET_ARCH, but if we don't it adds -march=native which is impure
  compileFlags = [
    "BREW_PREFIX=/not-exist"
    "TARGET_ARCH=generic"
    "TARGET_BITS=${bits}"
    "DISCORD_SDK=${if enableDiscord then "1" else "0"}"
    "TEXTURE_FIX=${if enableTextureFix then "1" else "0"}"
  ];
  extraMeta = {
    mainProgram = pname;
    homepage = "https://sm64coopdx.com/";
    description = "Super Mario 64 online co-op mod, forked from sm64ex";
  };
 }).overrideAttrs
  {
    installPhase =
      let
        sharedLib = target.extensions.sharedLibrary;
      in
      ''
              runHook preInstall
              local built=$PWD/build/${region}_pc
              mkdir -p $out/share/${pname}
              cp $built/${pname} $out/share/${pname}/${pname}-unwrapped
              cp -r $built/{dynos,lang,mods,palettes} $out/share/${pname}
              cp ./baserom.*.z64 $out/share/
              ${lib.optionalString enableDiscord ''
                cp $built/libdiscord_game_sdk${sharedLib} $out/share/${pname}
              ''}
              mkdir -p $out/bin
              (
                echo '#!${bash}/bin/bash'
        	echo "cd $out/share/${pname}"
        	echo 'exec ./${pname}-unwrapped "$@"'
              ) > $out/bin/${pname}
              chmod a+x $out/bin/${pname}
              runHook postInstall
      '';
  }
--- a/deterministic-certs.nix
+++ b/deterministic-certs.nix
@@ -1,93 +0,0 @@
 {
  nixpkgs ? import <nixpkgs>,
 }:
 let
  pkgs = nixpkgs;
  lib = nixpkgs.lib;
  defaultCertTemplate = {
    serial = 1;
    activation_date = "1970-01-01 00:00:00 UTC";
    expiration_date = "2500-01-01 00:00:00 UTC";
  };
  keyValToConfigLines = (
    key: value:
    if (builtins.isString value) || (builtins.isPath value) then
      "${key} = \"${value}\""
    else if builtins.isInt value then
      "${key} = ${builtins.toString value}"
    else if builtins.isList value then
      map (innerValue: keyValToConfigLines key innerValue)
    else if builtins.isBool value then
      (if value then "${key}" else "# no ${key}")
    else
      throw "don't know how to handle ${builtins.typeOf value}"
  );
  mkTemplateConfig =
    config:
    lib.concatStringsSep "\n" (
      lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config)
    );
  certCfg = pkgs.writeText "deterministic-cert.cfg" ''
    serial = 1
    activation_date = "1970-01-01 00:00:00 UTC"
    expiration_date = "2500-01-01 00:00:00 UTC"
  '';
  privKeyFile =
    name:
    let
      keySizeBits = 256;
      keySizeHex = builtins.toString (keySizeBits / 4);
    in
    pkgs.runCommand "deterministic-privkey-${name}.pem" { } ''
      seed=$(echo ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
      ${pkgs.gnutls}/bin/certtool --generate-privkey --outfile=$out --key-type=rsa --sec-param=high --seed=$seed
    '';
  generateCert =
    {
      name,
      config,
      args,
      preCommands ? "",
    }:
    let
      deriv = pkgs.runCommand "deterministic-cert-${name}" { } ''
        mkdir -p $out
        cd $out
        ln -s ${privKeyFile name} privkey.pem
        ln -s ${
          pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))
        } template.cfg
        ${preCommands}
        ${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
      '';
    in
    deriv
    // {
      privateKeyPath = "${deriv}/privkey.pem";
      certificatePath = "${deriv}/cert.pem";
    };
 in
 {
  inherit privKeyFile;
  selfSigned =
    name: config:
    generateCert {
      inherit name config;
      args = [ "--generate-self-signed" ];
    };
  caSigned =
    name: ca: config:
    generateCert {
      inherit name config;
      preCommands = ''
        ln -s ${ca.privateKeyPath} ca-privkey.pem
        ln -s ${ca.certificatePath} ca-cert.pem
      '';
      args = [
        "--generate-certificate"
        "--load-ca-certificate=ca-cert.pem"
        "--load-ca-privkey=ca-privkey.pem"
      ];
    };
 }
--- a/devver/default.nix
+++ b/devver/default.nix
@@ -0,0 +1,57 @@
 { config, pkgs, lib, inputs, modulesPath, ... }:
 {
  imports = [
    inputs.homeManager.nixosModules.default
    ../common-nixos-config.nix
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
  boot.extraModulePackages = [ ];
  system.nixos.tags = [ "host-${config.networking.hostName}" ];
  networking.hostName = "devver";
  boot.loader.external.enable = true;
  boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
    PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
    set -xev
    mkdir -p /boot
    cp $1/kernel /boot/kernel
    cp $1/initrd /boot/initrd
    cp $1/kernel-params /boot/kernel-params
    sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
  '';
  users.users.root.shell = pkgs.bashInteractive;
  fileSystems."/boot" = {
    fsType = "9p";
    device = "boot";
    options = [
      "trans=virtio"
      "access=any"
      "version=9p2000.L"
      "posixacl"
      "cache=mmap"
      "nofail"
      "noauto"
    ];
  };
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
    fsType = "ext4";
  };
  #boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  services.openssh.enable = true;
  vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
  system.stateVersion = "23.11";
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@@ -2,334 +2,140 @@
  description = "Config for triple-dezert server";
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
-    # nixpkgs.url = "github:nixos/nixpkgs/be0ec1a45fe1a6f6534c451b935724ab48405f26";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
    flake-utils.url = "github:numtide/flake-utils";
    nixvim = {
      url = "github:nix-community/nixvim/nixos-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixvim-unstable = {
      url = "github:nix-community/nixvim";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    nix-inspect = {
      url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs";
+      #inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-inspect-unstable = {
      url = "github:bluskript/nix-inspect";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    vscode-server-unstable = {
      url = "github:nix-community/nixos-vscode-server";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
      inputs.flake-utils.follows = "flake-utils";
    };
    vscode-server = {
      url = "github:nix-community/nixos-vscode-server";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    nix-on-droid = {
-      url = "github:nix-community/nix-on-droid";
+      url = "github:nix-community/nix-on-droid/release-23.05";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
-    jovian-unstable = {
+    jovian = {
      # there is no stable jovian :cry:
      url = "github:Jovian-Experiments/Jovian-NixOS";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
-    disko-unstable = {
+    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
-    home-manager = {
+    homeManager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager-unstable = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    nix-search-cli-unstable = {
      url = "github:peterldowns/nix-search-cli";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
      inputs.flake-utils.follows = "flake-utils";
    };
    nix-search-cli = {
      url = "github:peterldowns/nix-search-cli";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
-    padtype-unstable = {
+    padtype = {
      url = "gitlab:shelvacu/padtype";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nixos-hardware.url = "github:nixos/nixos-hardware";
+    microvm = {
-    most-winningest = {
+      url = "github:astro/microvm.nix";
      url = "github:captain-jean-luc/most-winningest";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
  };
-  outputs =
+  outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
-    {
+    debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
-      self,
+    nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
-      nixpkgs,
+      system =  "x86_64-linux";
-      nix-on-droid,
+      modules = [ ./triple-dezert ];
-      home-manager,
+      specialArgs = { inherit inputs; };
-      ...
+    };
    }@inputs:
    let
      lib = import "${nixpkgs}/lib";
      pkgs = import nixpkgs {
        system = "x86_64-linux";
        config.allowUnfree = true;
      };
      defaultInputs = {
        inherit (inputs)
          self
          nix-search-cli
          nix-inspect
          nixvim
          ;
      };
      defaultArgs = {
        inputs = defaultInputs;
      };
    in
    {
      debug.isoDeriv = (
        import "${inputs.nixpkgs}/nixos/release-small.nix" {
          nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
        }
      );
      nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [ ./triple-dezert ];
        specialArgs = {
          inputs = defaultInputs // {
            inherit (inputs) most-winningest;
          };
        };
      };
-      nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
+    nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
-        system = "x86_64-linux";
+      system = "x86_64-linux";
-        modules = [ ./compute-deck ];
+      modules = [ ./compute-deck ];
-        specialArgs = {
+      specialArgs = { inherit inputs; };
-          inputs = {
+    };
            jovian = inputs.jovian-unstable;
            home-manager = inputs.home-manager-unstable;
            vscode-server = inputs.vscode-server-unstable;
            disko = inputs.disko-unstable;
            padtype = inputs.padtype-unstable;
            nix-search-cli = inputs.nix-search-cli-unstable;
            nix-inspect = inputs.nix-inspect-unstable;
            nixvim = inputs.nixvim-unstable;
            self = inputs.self;
          };
        };
      };
-      nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
+      system =  "x86_64-linux";
-        modules = [ ./liam ];
+      modules = [ ./liam ];
-        specialArgs = {
+      specialArgs = { inherit inputs; };
-          inputs = defaultInputs // {
+    };
            inherit (inputs) sops-nix;
          };
        };
      };
-      nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
+      system = "x86_64-linux";
-        modules = [ ./lp0 ];
+      modules = [ ./lp0 ];
-        specialArgs = defaultArgs;
+      specialArgs = { inherit inputs; };
-      };
+    };
    nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [ ./installer.nix ];
      specialArgs = { inherit inputs; };
    };
-      nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
+      system =  "x86_64-linux";
-        modules = [ ./installer.nix ];
+      modules = [ ./devver ];
-        specialArgs = defaultArgs;
+      specialArgs = { inherit inputs; };
-      };
+    };
-      nixosConfigurations.fw = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
-        system = "x86_64-linux";
+      system = "x86_64-linux";
-        modules = [ ./fw ];
+      modules = [ ./fw ];
-        specialArgs = {
+      specialArgs = { inherit inputs; };
-          inputs = defaultInputs // {
+    };
            inherit (inputs) nixos-hardware;
          };
        };
      };
-      nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
+    nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
-        modules = [ ./nix-on-droid ];
+      modules = [ ./nix-on-droid.nix ];
-        extraSpecialArgs = {
+      extraSpecialArgs = { inherit inputs; };
-          inputs = defaultInputs // {
+    };
            inherit (inputs) nixpkgs;
          };
        };
        pkgs = import nixpkgs { system = "aarch64-linux"; };
      };
-      homeConfigurations."nix-on-droid" = home-manager.lib.homeManagerConfiguration {
+    diskoConfigurations.compute-deck = import ./compute-deck/partitioning.nix;
        modules = [
          ./home/nix-on-droid.nix
          { _module.args.inputs = defaultInputs; }
        ];
        pkgs = import nixpkgs { system = "aarch64-linux"; };
      };
-      checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (
+    checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
        system:
        let
          pkgs = import nixpkgs { inherit system; };
          config = {
            node.pkgs = pkgs;
            node.pkgsReadOnly = false;
            node.specialArgs.selfPackages = self.packages.${system};
          };
        in
        {
          liam = nixpkgs.lib.nixos.runTest {
            hostPkgs = pkgs;
            imports = [
              config
              ./tests/liam.nix
              { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
            ];
          };
          trip = nixpkgs.lib.nixos.runTest {
            hostPkgs = pkgs;
            imports = [
              config
              ./tests/triple-dezert.nix
              { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
            ];
          };
        }
      );
      nixosModules.common = import ./common/module.nix;
      qb = # qb is "quick build"
        let
          toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
          deterministicCerts = import ./deterministic-certs.nix { nixpkgs = pkgs; };
          renamedAarchPackages = lib.mapAttrs' (
            name: value: lib.nameValuePair (name + "-aarch64") value
          ) self.packages.aarch64-linux;
          packages = self.packages.x86_64-linux // renamedAarchPackages;
        in
        rec {
          fw = toplevelOf "fw";
          triple-dezert = toplevelOf "triple-dezert";
          trip = triple-dezert;
          compute-deck = toplevelOf "compute-deck";
          cd = compute-deck;
          liam = toplevelOf "liam";
          lp0 = toplevelOf "lp0";
          shel-installer = toplevelOf "shel-installer";
          iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
          check-triple-dezert = self.checks.x86_64-linux.trip.driver;
          check-trip = check-triple-dezert;
          check-liam = self.checks.x86_64-linux.liam.driver;
          nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
          nod = nix-on-droid;
          nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
          nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
          dc-priv = deterministicCerts.privKeyFile "test";
          dc-cert = deterministicCerts.selfSigned "test" { };
          sm64 = packages.sm64coopdx;
          ak = packages.authorizedKeys;
        }
        // packages;
      brokenBuilds = [ "sm64coopdx-aarch64" ];
      all =
        pkgs.runCommand "nix-stuff-all"
          {
            __structuredAttrs = true;
            links = removeAttrs self.qb self.brokenBuilds;
          }
          ''
            mkdir $out
            cd $out
            eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
          '';
      allPure = self.all.overrideAttrs (prev: {
        links = removeAttrs prev.links [
          "nix-on-droid"
          "nod"
          "nod-bootstrap-x86_64"
          "nod-bootstrap-aarch64"
        ];
      });
      archive =
        let
          # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
          allButImgs = self.all.overrideAttrs (prev: {
            links = removeAttrs prev.links [ "iso" ];
          });
          isoContents = lib.concatStringsSep "\n" (
            map (
              c: "${c.source} => ${c.target}"
            ) self.nixosConfigurations.shel-installer.config.isoImage.contents
          );
          isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
          info = pkgs.closureInfo { rootPaths = [ allButImgs.drvPath ]; };
        in
        allButImgs.overrideAttrs (prev: {
          links = prev.links // {
            iso-contents = isoContentsPkg;
            build-deps = info;
          };
        });
    }
    // (inputs.flake-utils.lib.eachDefaultSystem (
      system:
      let
-        pkgs = import nixpkgs {
+        pkgs = nixpkgs.legacyPackages.${system};
-          inherit system;
+        config = {
-          config.allowUnfree = true;
+          node.pkgs = pkgs;
          node.pkgsReadOnly = false;
          node.specialArgs.selfPackages = self.packages.${system};
          node.specialArgs.inputs = inputs;
        };
      in
      {
-        formatter = pkgs.nixfmt-rfc-style;
+        liam = nixpkgs.lib.nixos.runTest {
-        packages = {
+          hostPkgs = pkgs;
-          sm64coopdx = pkgs.callPackage ./coopdx.nix { inherit nixpkgs; };
+          imports = [ config ./tests/liam.nix ];
          # snmpb = pkgs.libsForQt5.callPackage ./packages/snmpb/package.nix { };
          # snmp-mibs-downloader = pkgs.callPackage ./packages/snmp-mibs-downloader.nix { };
          authorizedKeys = pkgs.writeText "authorizedKeys" (
            lib.concatStringsSep "\n" self.nixosConfigurations.fw.config.vacu.ssh.authorizedKeys
          );
          nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
            extraSpecialArgs = {
              inputs = { };
            };
            module = {
              imports = [ ./nixvim ];
            };
          };
        };
        trip = nixpkgs.lib.nixos.runTest {
          hostPkgs = pkgs;
          imports = [ config ./tests/triple-dezert.nix ];
        };
        # trip_haproxy_config = let
        #   hacfg = self.nixosConfigurations.triple-dezert.config.containers.frontproxy.config.services.haproxy;
        # in pkgs.stdenvNoCC.mkDerivation {
        #   name = "trip-haproxy-config-check";
        #   script = ''
        #     mkdir -p certs/shelvacu.com/
        #     touch certs/shelvacu.com/full.pem
        #     ${hacfg.package}/bin/haproxy \
        #       -f ${pkgs.writeText "haproxy-config" hacfg.config} \
        #       -c \
        #       -dW \
        #       -dD \
        #       -C $PWD
        #   '';
        # };
      }
-    ));
+    );
    nixosModules.common = import ./common-config.nix;
    packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
  };
 }
--- a/fw/android.nix
+++ b/fw/android.nix
@@ -1,5 +0,0 @@
 { pkgs, ... }:
 {
  vacu.packages = pkgs.androidStudioPackages.stable.all;
  users.users.shelvacu.extraGroups = [ "kvm" ];
 }
--- a/fw/apex.nix
+++ b/fw/apex.nix
@@ -1,69 +0,0 @@
 # everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
 { pkgs, config, ... }:
 let
  # to match package used in config.services.pcscd, unfortunately not exposed like usual
  pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
 in
 {
  # apparently this is already enabled??
  # nixpkgs.overlays = [ ( final: prev: {
  #   libfido2 = prev.libfido2.override { withPcsclite = true; };
  # } ) ];
  vacu.packages =
    (with pkgs; [
      libfido2
      pcsc-tools
      scmccid
      opensc
    ])
    ++ [ pcsclite-pkg ];
  services.pcscd.enable = true;
  # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
  boot.blacklistedKernelModules = [
    "pn533_usb"
    "pn533"
    "nfc"
  ];
  # bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
  # (PIN1 for authentication/decryption, PIN2 for signing).
  # environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
  #   module: ${pkgs.opensc}/lib/opensc-pkcs11.so
  # '';
  # environment.etc."opensc.conf".text = ''
  #   app default {
  #     reader_driver pcsc {
  #       enable_pinpad = false;
  #     }
  #   }
  # '';
  environment.systemPackages = [
    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
    # security devices, so they can be used for TLS client auth.
    # Each user needs to run this themselves, it does not work on a system level
    # due to a bug in Chromium:
    #
    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
    (pkgs.writeShellScriptBin "setup-browser-eid" ''
      NSSDB="''${HOME}/.pki/nssdb"
      mkdir -p ''${NSSDB}
      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
    '')
  ];
  programs.firefox.enable = true;
  #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
  # trying CTAP-bridge
  services.udev.extraRules = ''
    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
  '';
 }
--- a/fw/default.nix
+++ b/fw/default.nix
@@ -1,70 +1,24 @@
-{
+{ config, inputs, pkgs, lib, ... }: {
-  config,
+  imports = [ 
-  inputs,
+    ../common-nixos-config.nix
  pkgs,
  ...
 }:
 {
  imports = [
    ../common/nixos.nix
    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
    ./apex.nix
    ./android.nix
    ./thunderbolt.nix
    ./fwupd.nix
    ./zfs.nix
    #./experiment.nix
  ];
-
+  system.nixos.tags = [ "host-${config.networking.hostName}" ];
  vacu.hostName = "fw"; # Define your hostname.
  vacu.shell.color = "magenta";
  vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  networking.networkmanager.enable = true;
  # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
-  services.fprintd.enable = false; # kinda broken
+  vacu.packages.bitwarden-desktop.enable = true;
-
+  vacu.packages.nheko.enable = true;
-  vacu.packages =
+  vacu.packages.librewolf.enable = true;
-    (with pkgs; [
+  vacu.packages.brave.enable = true;
-      bitwarden-desktop
+  vacu.packages.thunderbird.enable = true;
-      nheko
+  vacu.packages.wl-clipboard.enable = true;
-      librewolf
+  vacu.packages.nextcloud-client.enable = true;
-      brave
+  vacu.packages.signal-desktop.enable = true;
-      thunderbird
+  vacu.packages.fw-ectool.enable = true;
-      wl-clipboard
+  vacu.packages.framework-tool.enable = true;
-      nextcloud-client
+  vacu.packages.iio-sensor-proxy.enable = true;
-      signal-desktop
+  vacu.packages.power-profiles-daemon.enable = true;
-      fw-ectool
+  vacu.packages.acpi.enable = true;
      framework-tool
      iio-sensor-proxy
      power-profiles-daemon
      acpi
      jellyfin-media-player
      vlc
      dmidecode
      prismlauncher
      ffmpeg_7-full
      wireshark
      obsidian
      dino
      aircrack-ng
      libreoffice-qt6-fresh
      gimp
      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
      (inkscape-with-extensions.override { inkscapeExtensions = null; })
      libsmi
      net-snmp
      android-tools
    ])
    ++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ];
  # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
  # presumably needed by nheko
  nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
  networking.firewall.enable = false;
  services.xserver.enable = true;
  services.displayManager.sddm.enable = true;
@@ -86,54 +40,41 @@
    }
  ];
  networking.hostName = "fw"; # Define your hostname.
  networking.hostId = "c6e309d5";
  boot.zfs.extraPools = [ "fw" ];
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  systemd.services.zfs-mount.enable = false;
  services.openssh.enable = true;
  system.stateVersion = "23.11"; # Did you read the comment?
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
-    "nvme"
+  boot.initrd.kernelModules = [ ];
    "xhci_pci"
    "thunderbolt"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  #boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
-  #boot.extraModulePackages = [ ];
+  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "fw/root";
+    { device = "fw/root";
-    fsType = "zfs";
+      fsType = "zfs";
-  };
+    };
-  fileSystems."/boot0" = {
+  fileSystems."/boot0" =
-    device = "/dev/disk/by-label/BOOT0";
+    { device = "/dev/disk/by-label/BOOT0";
-    fsType = "vfat";
+      fsType = "vfat";
-    options = [
+      options = [ "fmask=0022" "dmask=0022" ];
-      "fmask=0022"
+    };
      "dmask=0022"
    ];
  };
-  fileSystems."/boot1" = {
+  fileSystems."/boot1" =
-    device = "/dev/disk/by-label/BOOT1";
+    { device = "/dev/disk/by-label/BOOT1";
-    fsType = "vfat";
+      fsType = "vfat";
-    options = [
+      options = [ "fmask=0022" "dmask=0022" ];
-      "fmask=0022"
+    };
      "dmask=0022"
    ];
  };
  hardware.cpu.amd.updateMicrocode = true;
  hardware.enableAllFirmware = true;
  hardware.opengl = {
    driSupport = true;
    driSupport32Bit = true;
    extraPackages = [
      pkgs.rocmPackages.clr.icd
      pkgs.amdvlk
    ];
  };
  programs.nix-ld.enable = true;
  programs.steam = {
@@ -150,8 +91,4 @@
  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = true;
  services.blueman.enable = true;
  services.postgresql.enable = true; # for development
  virtualisation.waydroid.enable = true;
 }
--- a/fw/experiment.nix
+++ b/fw/experiment.nix
@@ -1,38 +0,0 @@
 {
  pkgs,
  config,
  lib,
  ...
 }: let
  version = "6.10.4";
  hash = "sha256:1y2m2pqrvsgr9ng72nnh4yvsprkvkznhnmn4p8g78350bzyrvip2";
  customKernel = pkgs.linux_6_10.override {
    inherit version;
    src = pkgs.fetchurl {
      url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
      inherit hash;
    };
    modDirVersion = lib.versions.pad 3 version;
  };
  customKernelPackages = pkgs.linuxPackagesFor customKernel;
 in {
  system.nixos.tags = ["EXPERIMENT" "kernel-${config.boot.kernelPackages.kernel.version}"];
  boot.kernelPackages = lib.mkForce customKernelPackages;
  # boot.zfs.extraPools = lib.mkForce [];
  # fileSystems."/".fsType = lib.mkForce "ext4";
  vacu.packages.sm64coopdx.enable = false;
  vacu.verifySystem.expectedMac = lib.mkForce null;
 }
 # good: 
 #  Linux fw 6.6.50 #1-NixOS SMP PREEMPT_DYNAMIC Sun Sep  8 05:54:49 UTC 2024 x86_64 GNU/Linux
 #  Linux fw 6.8.12 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:49:53 UTC 2024 x86_64 GNU/Linux
 #  linux-6.9.12
 #  6.10.4 (maybe?? sus)
 # Linux fw 6.10.10 #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024 x86_64 GNU/Linux (but this was supposed to be 6.10.4....)
 # bad:
 # Linux fw 6.10.10-gnu #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan  1 00:00:00 UTC 1980 x86_64 GNU/Linux
 #  linux linux-6.10.10
--- a/fw/fwupd.nix
+++ b/fw/fwupd.nix
@@ -1,8 +0,0 @@
 { config, lib, ... }:
 {
  vacu.packages = [ config.services.fwupd.package ];
  services.fwupd.enable = true;
  #fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
  #update: it didn't work, I dunno why. Leaving this here anyways
  services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
 }
--- a/fw/thunderbolt.nix
+++ b/fw/thunderbolt.nix
@@ -1,10 +0,0 @@
 { pkgs, config, ... }:
 {
  services.hardware.bolt.enable = true;
  vacu.packages = [
    pkgs.thunderbolt
    config.services.hardware.bolt.package
    pkgs.kdePackages.plasma-thunderbolt
  ];
 }
--- a/fw/zfs.nix
+++ b/fw/zfs.nix
@@ -1,21 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
 # latestCompatibleLinuxPackages = lib.pipe pkgs.linuxKernel.packages [
 #   builtins.attrValues
 #   (builtins.filter (kPkgs: (builtins.tryEval kPkgs).success && kPkgs ? kernel && kPkgs.kernel.pname == "linux" && kernelCompatible kPkgs.kernel))
 #   (builtins.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)))
 #   lib.last
 # ];
 in
 {
  boot.zfs.extraPools = [ "fw" ];
  # config.boot.zfs.package.latestCompatibleLinuxPackages is fucked, if there are multiple compatible linuxes of the same version, it picks effectively an arbitrary one
  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_10;
  systemd.services.zfs-mount.enable = false;
  # see also fileSystems."/"
 }
--- a/generic-digitalocean-nixos.nix
+++ b/generic-digitalocean-nixos.nix
@@ -0,0 +1,10 @@
 { inputs, system ? "x86_64-linux" }:
 let
 pkgs = inputs.nixpkgs.legacyPackages.${system};
 config = { config, ... }: {
  imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ];
  system.stateVersion = config.system.nixos.release;
 };
 in
 (pkgs.nixos config).digitalOceanImage
--- a/home/nix-on-droid.nix
+++ b/home/nix-on-droid.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  imports = [ ../common/home.nix ];
  home.stateVersion = "24.05";
  home.homeDirectory = "/data/data/com.termux.nix/files/home";
  home.username = "nix-on-droid";
 }
--- a/installer.nix
+++ b/installer.nix
@@ -1,21 +1,12 @@
-{
+{ config, inputs, modulesPath, lib, ... }: {
  config,
  inputs,
  modulesPath,
  lib,
  ...
 }:
 {
  imports = [
    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
-    ./common/nixos.nix
+    ./common-nixos-config.nix
  ];
  # this is an installer image, created anew every time. There's no state we need to worry about messing up
-  system.stateVersion = config.system.nixos.version;
+  system.stateVersion = config.system.nixos.version; 
  isoImage.isoBaseName = "nixos-shel-installer";
  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
  vacu.hostName = "vacuInstaller";
  vacu.shell.color = "red";
  # boot.kernelPatches = [{
  #   name = "foo";
  #   patch = null;
--- a/liam/default.nix
+++ b/liam/default.nix
@@ -1,74 +1,57 @@
-{
+{ modulesPath, config, lib, ... }: {
  modulesPath,
  config,
  lib,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/virtualisation/digital-ocean-config.nix")
-    ../common/nixos.nix
+    ../common-nixos-config.nix
    ./nginx.nix
    ./sops.nix
    ./dovecot.nix
    ./mail.nix
    ./dkim.nix
    ./sieve.nix
    ./network.nix
  ];
-  options =
+  options = let
-    let
+    mkReadOnly = val: lib.options.mkOption { default = val; readOnly = true; };
-      mkReadOnly =
+  in {
-        val:
+    vacu.liam = {
-        lib.options.mkOption {
+      shel_domains = mkReadOnly [
-          default = val;
+        "shelvacu.com"
-          readOnly = true;
+        "dis8.net"
-        };
+        "mail.dis8.net"
-    in
+        "jean-luc.org"
-    {
+        "in.jean-luc.org"
-      vacu.liam = {
+        "vacu.store"
-        shel_domains = mkReadOnly [
+      ];
-          "shelvacu.com"
+      julie_domains = mkReadOnly [
-          "dis8.net"
+        "violingifts.com"
-          "mail.dis8.net"
+        "theviolincase.com"
-          "jean-luc.org"
+        "shop.theviolincase.com"
-          "in.jean-luc.org"
+      ];
-          "vacu.store"
+      domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
-        ];
+      reservedIpLocal = mkReadOnly "10.46.0.7";
        julie_domains = mkReadOnly [
          "violingifts.com"
          "theviolincase.com"
          "shop.theviolincase.com"
        ];
        domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
        relayhost = lib.options.mkOption {
          type = lib.types.str;
          # mailhop is duocircle
          default = "[outbound.mailhop.org]:587 [relay.dynu.com]:587";
        };
        reservedIpLocal = mkReadOnly "10.46.0.7";
      };
    };
  };
  config = {
-    vacu.hostName = "liam";
+    system.nixos.tags = [ "host-${config.networking.hostName}" ];
-    vacu.shell.color = "cyan";
+    networking.hostName = "liam";
    networking.domain = "dis8.net";
    vacu.minimal = true;
    hardware.enableAllFirmware = false;
    hardware.enableRedistributableFirmware = false;
    # networking.interfaces."ens3".useDHCP = false;
    # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
    # {
    #   "ip_address": "10.46.0.7",
    #   "netmask": "255.255.0.0",
    #   "gateway": "10.46.0.1"
    # }
    services.openssh.enable = true;
    virtualisation.digitalOcean.setSshKeys = false;
-    users.users.root.openssh.authorizedKeys.keys =
+    users.users.root.openssh.authorizedKeys.keys = config.users.users.shelvacu.openssh.authorizedKeys.keys;
      config.users.users.shelvacu.openssh.authorizedKeys.keys;
    system.stateVersion = "23.11";
  };
-}
+}
--- a/liam/dkim.nix
+++ b/liam/dkim.nix
@@ -1,13 +1,7 @@
-{
+{ config, pkgs, lib, ... }: 
  config,
  pkgs,
  lib,
  ...
 }:
 let
-  inherit (config.vacu.liam) domains;
+inherit (config.vacu.liam) domains;
-in
+in {
 {
  services.opendkim = {
    enable = true;
    keyPath = "/run/secrets/dkimkeys";
@@ -21,4 +15,4 @@ in
  systemd.services.postfix.after = [ "opendkim.service" ];
 }
 # 2024-03-liam._domainkey
-# v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==
+# v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==
--- a/liam/dovecot.nix
+++ b/liam/dovecot.nix
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 {
  networking.firewall.allowedTCPPorts = [ 993 ];
  systemd.tmpfiles.settings.whatever."/var/lib/mail".d = {
@@ -22,11 +17,7 @@
    sslServerKey = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
    sslServerCert = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
    enablePAM = false;
-    protocols = lib.mkForce [
+    protocols = lib.mkForce [ "imap" "lmtp" "sieve" ];
      "imap"
      "lmtp"
      "sieve"
    ];
    modules = [ pkgs.dovecot_pigeonhole ];
    mailUser = "vmail";
    mailGroup = "vmail";
@@ -84,13 +75,13 @@
      userdb {
        driver = passwd-file
-        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
+        args = username_format=%n /run/secrets/dovecot-passwd
        override_fields = uid=${config.services.dovecot2.mailUser} gid=${config.services.dovecot2.mailGroup} user=%n
      }
      passdb {
        driver = passwd-file
-        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
+        args = username_format=%n /run/secrets/dovecot-passwd
        override_fields = user=%n
      }
@@ -102,4 +93,4 @@
      # mail_debug = yes
    '';
  };
-}
+}
--- a/liam/mail.nix
+++ b/liam/mail.nix
@@ -1,25 +1,10 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 let
-  inherit (config.vacu.liam)
+inherit (config.vacu.liam) shel_domains julie_domains domains;
-    shel_domains
+fqdn = config.networking.fqdn;
-    julie_domains
+dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
-    domains
+in {
-    relayhost
+  networking.firewall.allowedTCPPorts = [ 25 465 ];
    ;
  debug = false;
  fqdn = config.networking.fqdn;
  dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
 in
 {
  networking.firewall.allowedTCPPorts = [
    25
    465
  ];
  vacu.acmeCertDependencies."liam.dis8.net" = [ "postfix.service" ];
  services.postfix = {
@@ -28,15 +13,12 @@ in
    # this goes into virtual_alias_maps
    # "Note: for historical reasons, virtual_alias_maps apply to recipients in all domain classes, not only the virtual alias domain class."
-    virtual =
+    virtual = ''
-      ''
+      julie@shelvacu.com julie
-        julie@shelvacu.com julie
+      mom@shelvacu.com julie
-        mom@shelvacu.com julie
+      psv@shelvacu.com psv
-        psv@shelvacu.com psv
+    '' + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains) + "\n"
-      ''
+    + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
      + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains)
      + "\n"
      + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
    transport = ''
      shelvacu@${fqdn} ${dovecot_transport}
@@ -51,34 +33,19 @@ in
    rootAlias = "shelvacu";
    enableSubmission = false;
    enableSubmissions = true;
-    mapFiles.header_checks = pkgs.writeText "header-checks" (
+    mapFiles.header_checks = pkgs.writeText "header-checks" ("/./ INFO checker headers\n" + (lib.concatMapStringsSep "\n" (d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT") domains));
-      "/./ INFO checker headers\n"
+    mapFiles.sender_access = pkgs.writeText "sender-access" (lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains);
      + (lib.concatMapStringsSep "\n" (
        d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
      ) domains)
    );
    mapFiles.sender_access = pkgs.writeText "sender-access" (
      lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains
    );
    # hack to get postfix to add a X-Original-To header
    mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
    mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
    mapFiles.sender_relay = pkgs.writeText "sender-relay" "@shelvacu.com ${relayhost}";
    # verbatim appended to main.cf
    extraConfig = ''
      smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
      inet_protocols = ipv4
      virtual_alias_domains =
        ${lib.concatStringsSep ",\n  " domains}
      sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
      sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
      header_checks = pcre:/etc/postfix/header_checks
      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
      recipient_delimiter = +
      #we should never use these transport methods unless thru transport map
      # RFC3463:
@@ -99,38 +66,13 @@ in
      smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
      # smtp_bind_address = 10.46.0.7
-      # inet_interfaces = all
+
-      # inet_protocols = ipv4
+      ${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
-      ${lib.optionalString config.services.opendkim.enable (
+        smtpd_milters = unix:/run/opendkim/opendkim.sock
-        assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock");
+        non_smtpd_milters = unix:/run/opendkim/opendkim.sock
-        ''
+      '')}
          smtpd_milters = unix:/run/opendkim/opendkim.sock
          non_smtpd_milters = unix:/run/opendkim/opendkim.sock
        ''
      )}
    '';
    masterConfig."relayservice" = {
      command = "smtp";
      type = "unix";
      args = [
        "-o"
        "smtp_sasl_auth_enable=yes"
        "-o"
        "smtp_sasl_security_options=noanonymous"
        "-o"
        "smtp_tls_security_level=secure"
        "-o"
        "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
        "-o"
        "smtp_tls_wrappermode=no"
        #"-o" "relayhost=${relayhost}"
      ] ++ (if debug then [ "-v" ] else [ ]);
    };
    masterConfig.qmgr = lib.mkIf debug { args = [ "-v" ]; };
    masterConfig.cleanup = lib.mkIf debug { args = [ "-v" ]; };
    masterConfig.smtpd = lib.mkIf debug { args = [ "-v" ]; };
    submissionsOptions = {
      smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
      smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
@@ -157,5 +99,6 @@ in
      tls_preempt_cipherlist = "no";
    };
  };
-}
+}
--- a/liam/network.nix
+++ b/liam/network.nix
@@ -1,32 +0,0 @@
 { lib, config, ... }:
 let
  # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
  # {
  #   "ip_address": "10.46.0.7",
  #   "netmask": "255.255.0.0",
  #   "gateway": "10.46.0.1"
  # }
  interface_conf = {
    useDHCP = true;
    ipv4.addresses = [
      {
        address = "10.46.0.7";
        prefixLength = 24;
      }
    ];
    ipv4.routes = [
      {
        address = "0.0.0.0";
        prefixLength = 0;
        via = "10.46.0.1";
        options.scope = "global";
        options.src = "10.46.0.7";
        options.metric = "1200";
      }
    ];
  };
 in
 {
  networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
  networking.interfaces."eth0" = lib.mkIf (config.vacu.underTest) interface_conf;
 }
--- a/liam/nginx.nix
+++ b/liam/nginx.nix
@@ -1,19 +1,16 @@
 { config, ... }:
 let
-  domains = [
+domains = [
-    "smtp.shelvacu.com"
+  "smtp.shelvacu.com"
-    "imap.shelvacu.com"
+  "imap.shelvacu.com"
-    "mail.shelvacu.com"
+  "mail.shelvacu.com"
-    "autoconfig.shelvacu.com"
+  "autoconfig.shelvacu.com"
-    "mail.dis8.net"
+  "mail.dis8.net"
-    "liam.dis8.net"
+  "liam.dis8.net"
-  ];
+];
 in
 {
-  networking.firewall.allowedTCPPorts = [
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
    80
    443
  ];
  security.acme.acceptTerms = true;
  security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
  security.acme.defaults.email = "shelvacu@gmail.com";
@@ -34,4 +31,4 @@ in
      default = true;
    };
  };
-}
+}
--- a/liam/sieve.nix
+++ b/liam/sieve.nix
@@ -1,12 +1,4 @@
-{
+{ config, pkgs, lib, ... }: with lib.strings; with lib.lists; let
  config,
  pkgs,
  lib,
  ...
 }:
 with lib.strings;
 with lib.lists;
 let
  email_folders = [
    "24nm-domain@shelvacu.com"
    "agora@shelvacu.com"
@@ -26,7 +18,7 @@ let
    "jean-luc@jean-luc.org"
    "mariceayukawa@jean-luc.org"
    "snow@jean-luc.org"
-
+  
    "capt@in.jean-luc.org"
  ];
  domain_folders = [
@@ -40,70 +32,42 @@ let
    "xn--tulp-yoa.info"
  ];
  valid_ish_domain = domain: match "[a-z0-9][a-z0-9-]*(\\.[a-z0-9][a-z0-9-]*)+" domain != null;
-  mk_domain_folder_name =
+  mk_domain_folder_name = domain: assert valid_ish_domain domain; concatStringsSep "." (reverseList (splitString "." domain));
-    domain:
+  mk_email_folder_name = email: let
-    assert valid_ish_domain domain;
+    parts = splitString "@" email;
-    concatStringsSep "." (reverseList (splitString "." domain));
+    domain_part = assert (length parts) == 2; elemAt parts 1;
-  mk_email_folder_name =
+    user_part = assert (length parts) == 2; elemAt parts 0;
-    email:
+    domain_folder = mk_domain_folder_name domain_part;
-    let
+    folder_name = domain_folder + ".@" + user_part;
-      parts = splitString "@" email;
+  in folder_name;
      domain_part =
        assert (length parts) == 2;
        elemAt parts 1;
      user_part =
        assert (length parts) == 2;
        elemAt parts 0;
      domain_folder = mk_domain_folder_name domain_part;
      folder_name = domain_folder + ".@" + user_part;
    in
    folder_name;
  is_quoteable = s: match "[ -~]*" s != null;
-  sieve_quote_string =
+  sieve_quote_string = s: assert is_quoteable s; "\"" + (replaceStrings ["\"" "\\"] ["\\\"" "\\\\"] s) + "\"";
-    s:
+  email_filters = map (e: 
-    assert is_quoteable s;
+    ''
-    "\""
+      elsif header :is "X-Envelope-To" ${sieve_quote_string e} {
-    + (replaceStrings
+        fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
-      [
+      }
-        "\""
+    ''
-        "\\"
+  ) email_folders;
-      ]
+  domain_filters = map (d:
-      [
+    ''
-        "\\\""
+      elsif header :matches "X-Envelope-To" ${sieve_quote_string ("*@" + d)} {
-        "\\\\"
+        fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
-      ]
+      }
-      s
+    ''
-    )
+  ) domain_folders;
    + "\"";
  email_filters = map (e: ''
    elsif header :is "X-Envelope-To" ${sieve_quote_string e} {
      fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
    }
  '') email_folders;
  domain_filters = map (d: ''
    elsif header :matches "X-Envelope-To" ${sieve_quote_string ("*@" + d)} {
      fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
    }
  '') domain_folders;
  sieve_text = ''
    require ["fileinto", "mailbox"];
-    if header :is "Delivered-To" "shelvacu@liam.dis8.net" {
+    if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
-      if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
+      discard;
        discard;
      }
      elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
        fileinto :create "gmail";
      }
      ${concatStrings email_filters}
      ${concatStrings domain_filters}
    }
    elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
      fileinto :create "gmail";
    }
    ${concatStrings email_filters}
    ${concatStrings domain_filters}
  '';
-in
+in {
-{
+  services.dovecot2.sieveScripts.before = pkgs.writeText "blargsieve" sieve_text;
-  services.dovecot2.sieve.extensions = [
+}
    "fileinto"
    "mailbox"
  ];
  services.dovecot2.sieve.scripts.before = pkgs.writeText "blargsieve" sieve_text;
 }
--- a/liam/sops.nix
+++ b/liam/sops.nix
@@ -1,11 +1,8 @@
 { inputs, lib, config, ... }:
 {
-  inputs,
+  imports = [
-  lib,
+    inputs.sops-nix.nixosModules.sops
-  config,
+  ];
  ...
 }:
 {
  imports = [ inputs.sops-nix.nixosModules.sops ];
  options.vacu.secretsFolder = lib.mkOption {
    type = lib.types.path;
@@ -23,9 +20,5 @@
      restartUnits = [ "opendkim.service" ];
      owner = config.services.opendkim.user;
    };
    sops.secrets.relay_creds = {
      restartUnits = [ "postfix.service" ];
      owner = config.services.postfix.user;
    };
  };
-}
+}
--- a/lp0/default.nix
+++ b/lp0/default.nix
@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 {
  imports = [
-    ../common/nixos.nix
+    ../common-nixos-config.nix
    ./hardware-config.nix
  ];
@@ -9,9 +9,7 @@
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
-  vacu.hostName = "lp0onfire"; # Define your hostname.
+  networking.hostName = "lp0onfire"; # Define your hostname.
  vacu.shortHostName = "lp0";
  vacu.shell.color = "green";
  # Set your time zone.
  time.timeZone = "America/Los_Angeles";
@@ -55,7 +53,7 @@
  # system.autoUpgrade.enable = true;
  # system.autoUpgrade.allowReboot = true;
  # system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
-
+  
  nixpkgs.config.allowUnfree = true;
  services.zerotierone = {
    enable = true;
@@ -75,3 +73,4 @@
  #   internalInterfaces = [ "ztrf26rjvk" ];
  # };
 }
--- a/lp0/hardware-config.nix
+++ b/lp0/hardware-config.nix
@@ -1,37 +1,27 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
    "xhci_pci"
    "ahci"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
+    { device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
-    fsType = "ext4";
+      fsType = "ext4";
-  };
+    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/36B4-78A2";
+    { device = "/dev/disk/by-uuid/36B4-78A2";
-    fsType = "vfat";
+      fsType = "vfat";
-  };
+    };
  swapDevices = [ ];
--- a/nix-on-droid/default.nix
+++ b/nix-on-droid/default.nix
@@ -1,27 +1,19 @@
-{
+{ config, lib, pkgs, inputs, ... }:
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
 {
-  imports = [
+  imports = [ ./common-config.nix ];
-    ../common/nix-on-droid.nix
+  environment.packages = config.vacu.packageList;
    ./flake-registry.nix
  ];
  vacu.shell.color = "white";
  environment.etc."resolv.conf".text = lib.mkForce ''
-    # nameserver 10.78.79.1
+    nameserver 10.78.79.1
    nameserver 9.9.9.10
    nameserver 149.112.112.10
    options timeout:1 attempts:5
  '';
  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
  # Backup etc files instead of failing to activate generation if a file already exists in /etc
  environment.etcBackupExtension = ".bak";
@@ -32,8 +24,10 @@
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  nix.substituters = config.vacu.nix.extraSubstituters;
  nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
-  #environment.sessionVariables."PS1" = "\\w $ ";
+  environment.sessionVariables."PS1" = "\\w $ ";
  # Set your time zone
  time.timeZone = "America/Los_Angeles";
--- a/nix-on-droid/flake-registry.nix
+++ b/nix-on-droid/flake-registry.nix
@@ -1,9 +0,0 @@
 # To make `nix run nixpkgs#hello` and such use the same nixpkgs used to build this, so that it doesn't take forever
 { inputs, ... }:
 {
  nix.registry.nixpkgs.to = {
    type = "path";
    path = inputs.nixpkgs.outPath;
  };
  nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
 }
--- a/nixvim/default.nix
+++ b/nixvim/default.nix
@@ -1,35 +0,0 @@
 { ... }:
 let
 in
 {
  opts = {
    smartindent = true;
    expandtab = true;
    shiftwidth = 2;
    softtabstop = -1;
  };
  plugins.comment.enable = true;
  plugins.surround.enable = true;
  plugins.lsp = {
    enable = true;
    onAttach = builtins.readFile ./nixd-init.lua;
    servers = {
      bashls.enable = true;
      jsonls.enable = true;
      # nil-ls.enable = true;
      nixd = {
        enable = true;
      };
      pyright.enable = true;
      tsserver.enable = true;
      lua-ls.enable = true;
      rust-analyzer = {
        enable = true;
        installCargo = false;
        installRustc = false;
      };
      html.enable = true;
      yamlls.enable = true;
    };
  };
 }
--- a/nixvim/nixd-init.lua
+++ b/nixvim/nixd-init.lua
@@ -1,22 +0,0 @@
 --@param client vim.lsp.Client
 local function init_per_dir_nixd(client)
  if client.workspace_folders == nil then
    return
  end
  local path = client.workspace_folders[1].name
  local command = client.config.cmd[1]
  local name = string.gsub(command, "(.*/)(.*)", "%2")
  local is_nixd = name == "nixd"
  local is_nix_stuff = (path == '/home/shelvacu/dev/nix-stuff' or path == '/home/shelvacu/nix-stuff' or path == '/data/data/com.termux.nix/files/home/nix-stuff')
  if is_nixd and is_nix_stuff then
    local get_flake = "(builtins.getFlake \"" .. path .. "\")"
    client.config.settings["nixd"].options = {
      nixos = { expr = get_flake .. ".nixosConfigurations.fw.options", },
      ["home-manager"] = { expr = get_flake .. ".homeConfigurations.\"nix-on-droid\".options", },
      ["nix-on-droid"] = { expr = get_flake .. ".nixOnDroidConfigurations.default.options", },
    }
    client.notify("workspace/didChangeConfiguration", { settings = client.config.settings, })
  end
 end
 init_per_dir_nixd(client)
--- a/package-set.nix
+++ b/package-set.nix
@@ -0,0 +1,32 @@
 { config, pkgs, lib, ... }: let
  inherit (lib) mkOption types;
  pkgOptions = builtins.attrValues config.vacu.packages;
  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
  enabledPkgs = builtins.map (o: o.package) enabledOptions;
 in {
  options = {
    vacu.packages = mkOption {
      default = {};
      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
        options = {
 	  enable = mkOption {
 	    type = types.bool;
 	    default = true;
 	    description = "Will this package be installed (included in environment.systemPackages)";
 	  };
 	  package = mkOption {
 	    type = types.package;
 	    default = pkgs.${name};
 	    defaultText = "pkgs.${name}";
 	  };
 	};
      }));
    };
    vacu.packageList = mkOption {
      type = types.listOf types.package;
      readOnly = true;
    };
  };
  config.vacu.packageList = enabledPkgs;
 }
--- a/packages/snmp-mibs-downloader.nix
+++ b/packages/snmp-mibs-downloader.nix
@@ -1,124 +0,0 @@
 {
  bash,
  coreutils,
  gzip,
  gnutar,
  unzip,
  wget,
  gnupatch,
  fetchFromGitLab,
  fetchurl,
  #libsmi,
  #resholve,
  stdenv,
  writeText,
  lib,
 }@args:
 stdenv.mkDerivation (
  self:
  let
    # this script depends on an old version of libsmi's smistrip
    libsmi = stdenv.mkDerivation rec {
      pname = "libsmi";
      version = "0.4.8";
      src = fetchurl {
        url = "https://www.ibr.cs.tu-bs.de/projects/libsmi/download/${pname}-${version}.tar.gz";
        hash = "sha256-8EilJw9BvIiww7Co/nDKTXFqRrUxoOyqqHxGL0nXSEk=";
      };
      env.NIX_CFLAGS_COMPILE = "-std=gnu90";
      #env.CFLAGS="-Wno-error";
      #env.NIX_DEBUG="7";
      hardeningDisable = [ "format" ];
      meta = with lib; {
        description = "A Library to Access SMI MIB Information";
        homepage = "https://www.ibr.cs.tu-bs.de/projects/libsmi/index.html";
        license = licenses.free;
        platforms = lib.platforms.linux ++ lib.platforms.darwin;
      };
    };
  in
  rec {
    pname = "snmp-mibs-downloader";
    version = "1.6";
    src = fetchFromGitLab {
      domain = "salsa.debian.org";
      owner = "debian";
      repo = "${pname}";
      rev = "debian/${version}";
      hash = "sha256-W2VW3EJWmHwlqMoL12dFcfkYmAADLOtUWCydcL5qUKc=";
    };
    # installPhase = ''
    #   install -Dm755 download-mibs $out/bin
    #   install -Dm644 *.conf *list $out/etc/snmp-mips-downloader
    #   cp mibrfcs/* $out/share/snmp/mibs-downloader/mibrfcs
    #   cp mibiana/* $out/share/snmp/mibs-downloader/mibiana
    #   gzip -9 $out/share/snmp/mibs-downloader/*/*
    # '';
    postPatch = ''
      substituteInPlace download-mibs \
        --replace-fail SMISTRIP=/usr/bin/smistrip "" \
        --replace-fail CONFDIR=/etc/snmp-mibs-downloader "BASEDIR=/var/lib/mibs; AUTOLOAD='rfc ianarfc iana'" \
        --replace-fail '. $CONFDIR/snmp-mibs-downloader.conf' ""
    '';
    preInstall = ''
      mkdir -p $out/usr/bin $out/etc/snmp-mibs-downloader $out/usr/share/snmp/mibs-downloader/mib{rfcs,iana} $out/usr/share/snmp/mibs
    '';
    installFlags = [
      "INSTALL=install"
      "DESTDIR=$(out)"
    ];
    postInstall = ''
      mv $out/usr/* $out
      rmdir $out/usr
      substituteInPlace $out/etc/snmp-mibs-downloader/* \
        --replace-quiet 'DIR=/usr/share/snmp/mibs-downloader' 'DIR='$out'/share/snmp/mibs-downloader'
      mv $out/bin/download-mibs $out/bin/.download-mibs-unwrapped
      cat <<EOF > $out/bin/download-mibs
        #!${bash}/bin/bash
        PATH=${
          lib.escapeShellArg (
            lib.concatStringsSep ":" (
              lib.flip map [
                coreutils
                gzip
                gnutar
                unzip
                wget
                gnupatch
              ] (p: "${p}/bin")
            )
          )
        }
        SMISTRIP=${libsmi}/bin/smistrip
        CONFDIR=$out/etc/snmp-mibs-downloader
        source $out/bin/.download-mibs-unwrapped
      EOF
      chmod u+x $out/bin/download-mibs
    '';
    env.NIX_DEBUG = "7";
    # solutions.default = {
    #   scripts = [ "bin/download-mibs" ];
    #   interpreter = "${bash}/bin/bash";
    #   inputs = [ coreutils gzip gnutar unzip wget gnupatch ]; 
    #   keep = {
    #     "$archive_fetcher" = true;
    #     source = [ "$CONFDIR/$i.conf" ];
    #     "${wget}/bin/wget" = true;
    #   };
    #   fix = { "$SMISTRIP" = [ "${libsmi}/bin/smistrip" ]; };
    # };
    meta = {
      mainProgram = "download-mibs";
    };
  }
 )
--- a/packages/snmpb/package.nix
+++ b/packages/snmpb/package.nix
@@ -1,133 +0,0 @@
 {
  fetchgit,
  lib,
  libsmi,
  libtomcrypt,
  qmake,
  qtbase,
  qwt,
  stdenv,
  wrapQtAppsHook,
  breakpointHook,
 }@args:
 stdenv.mkDerivation (
  finalAttrs:
  let
    # ./configure --disable-shared --disable-yang --with-pathseparator=';' --with-dirseparator='/' --with-smipath=${INSTALL_PREFIX}'/${SHARE}/snmpb/mibs;'${INSTALL_PREFIX}'/${SHARE}/snmpb/pibs'
    libsmi = finalAttrs.passthru.libsmi;
    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/iana/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
  in
  {
    pname = "snmpb";
    version = "0.9pre1";
    # __structuredAttrs = true;
    passthru = {
      proFile = "${finalAttrs.pname}.pro";
      makeFile = "makefile.${finalAttrs.pname}";
      smipath = "${finalAttrs.passthru.libsmi-data}/share/snmpb/mibs;${finalAttrs.passthru.libsmi-data}/share/snmpb/pibs";
      libsmi = args.libsmi.overrideAttrs (
        final: prev: {
          #preConfigure = (prev.preConfigure or "") + "\n" + ''
          #  appendToVar configureFlags --prefix=$out/ --disable-yang --with-pathseparator=';' --with-dirseparator='/'
          #'';
          configureFlags = (prev.configureFlags or [ ]) ++ [
            "--with-pathseparator=;"
            "--with-smipath=${finalAttrs.passthru.smipath}"
          ];
          env.NIX_DEBUG = "2";
          pname = prev.pname + "-for-snmpb";
        }
      );
      libsmi-data = stdenv.mkDerivation {
        name = "libsmi-snmpb-data";
        phases = "unpackPhase installPhase";
        src = libsmi.src;
        installPhase = ''
                  mkdir -p $out/share/snmpb/{mibs,pibs}
          	shopt -s globstar
          	for foo in mibs pibs; do
          	  for node in $foo/**/*; do
          	    [[ -f $node ]] && install -m444 $node $out/share/snmpb/$foo/
          	  done
          	done
          	rm $out/share/snmpb/*/Makefile*
        '';
      };
    };
    src = fetchgit {
      url = "https://git.code.sf.net/p/snmpb/code";
      rev = "a092855bfd201778f87be578b91aeb062726e329";
      hash = "sha256-nlS1pqv2ERZGkk0SJ8ByXqBHHho1GTSq/oxrXL2tytM=";
    };
    patches = [ ./unvendor.patch ];
    buildInputs = [
      qwt
      qtbase
      libtomcrypt
      libsmi
    ];
    nativeBuildInputs = [
      wrapQtAppsHook
      qmake
      breakpointHook
    ];
    #setSourceRoot = "sourceRoot=$(echo */app)";
    #NIX_DEBUG="7";
    #installFlags = "INSTALL_PREFIX=$(out) NO_ROOT=1";
    installPhase = ''
      popd
      install -Dm 555 -s app/snmpb $out/bin/snmpb
      #mkdir -p $out/share/snmpb/{mibs,pibs}
      #for foo in mibs pibs; do
      #  for file in ${libsmi}/share/$foo/*; do
      #    ln -s $file $out/share/snmpb/$foo/
      #  done
      #done
      install -Dm 444 app/snmpb.desktop $out/share/applications
      install -Dm 444 app/snmpb.xml $out/share/mime/packages
      install -Dm 444 app/images/snmpb.png $out/share/icons/hicolor/128x128/apps
      install -Dm 444 app/images/snmpb.png $out/share/pixmaps
      install -Dm 444 app/images/snmpb.svg $out/share/icons/hicolor/scalable/apps
    '';
    postPatch = ''
      rm -rf libsmi libtomcrypt qwt #ensures un-vendoring worked correctly
      #smipath_parts=(${libsmi}/share/{mibs,pibs}/*)
      #smipath=$(IFS=";" ; echo "''${smipath_parts[*]}")
      substituteInPlace app/preferences.cpp --subst-var smipath
      substituteInPlace app/*.pro \
        --subst-var libs \
        --subst-var include
      pushd app
    '';
    env = {
      include = "${qwt.dev}/include ${libsmi}/include ${libtomcrypt}/include";
      libs = "${qwt}/lib/libqwt.so ${libsmi}/lib/libsmi.so ${libtomcrypt}/lib/libtomcrypt.so -lqwt -lsmi -ltomcrypt";
      inherit (finalAttrs.passthru) smipath;
    };
    preConfigure = ''
      qmakeFlags+=( "${finalAttrs.passthru.proFile}" "-o" "${finalAttrs.passthru.makeFile}" )
    '';
    makefile = finalAttrs.passthru.makeFile;
    meta = {
      description = "GUI SNMP browser and MIB editor wrtten with Qt";
    };
  }
 )
--- a/packages/snmpb/unvendor.patch
+++ b/packages/snmpb/unvendor.patch
@@ -1,61 +0,0 @@
 diff --git a/app/preferences.cpp b/app/preferences.cpp
 index 29fa8c8..98e842f 100644
 --- a/app/preferences.cpp
 +++ b/app/preferences.cpp
@@ -22,13 +22,6 @@
 #include <qfileinfo.h>
 #include <qtextstream.h>
 -// For DEFAULT_SMIPATH
 -#ifdef WIN32
 -#include "../libsmi/win/config.h"
 -#else
 -#include "../libsmi/config.h"
 -#endif
 -
 #include "mibmodule.h"
 #include "preferences.h"
@@ -288,7 +281,7 @@ void Preferences::MibPathRefresh()
 void Preferences::MibPathReset()
 {
     // "Reset to default" for MIB paths
 -    QStringList defaultpaths = QString(DEFAULT_SMIPATH).split(SMI_PATH_SEPARATOR);
 +    QStringList defaultpaths = QString("@smipath@").split(SMI_PATH_SEPARATOR);
     QSettings settings;
     settings.beginWriteArray("mibpaths");
 diff --git a/app/snmpb.h b/app/snmpb.h
 index 63f0d6e..c1da1b8 100644
 --- a/app/snmpb.h
 +++ b/app/snmpb.h
@@ -20,6 +20,7 @@
 #ifndef SNMPB_H
 #define SNMPB_H
 +#include <qwt_text.h>
 #include "ui_mainw.h"
 #define SNMPB_VERSION_STRING "1.0"
 diff --git a/app/snmpb.pro b/app/snmpb.pro
 index b6ee631..a5ff14a 100644
 --- a/app/snmpb.pro
 +++ b/app/snmpb.pro
@@ -83,14 +83,9 @@ FORMS += \
 INCLUDEPATH += \
 	../snmp++/include \
 	../snmp++/ \
 -	../libtomcrypt/src/headers \
 -	../libsmi/lib \
 -	../qwt/src
 -LIBS	+= \
 -	-L../libtomcrypt \
 -	-L../libsmi/lib/.libs \
 -	-L../qwt/lib \
 -	-lsmi -ltomcrypt -lqwt
 +        @include@
 +
 +LIBS	+= @libs@
 RESOURCES	= snmpb.qrc
--- a/secrets/liam/main.yaml
+++ b/secrets/liam/main.yaml
@@ -1,7 +1,6 @@
-dovecot-passwd: ENC[AES256_GCM,data:pcj7T1AKqZfMBGiHiihW0WxVKzAiy6xsGGlOhOV4IeHPEn+SXNoQjTQQVhZoNxYsENptH54SgWwlMETCcQrQzq6prrktlT3iZCnwlwvzaNRXrMe1mk/WT+OiTpaQ0PWGfrhVkQXj4bxWKCRc2i3NJxm1AtYfE0nNL/1dUk9rzwYTH6zjiQFYmZHbwzjtxiE3YbZCwYnpNR3Ql08S4kNf5TtsecFtTY1VOPFRycjEfIIIUbVLUM06DZ5savKVNRdgaVMUuXyPoOxy65YbkwZ9vkoBleRShY0v6FOgG1YLmQmr7f8QtiHlFbA0NJ0vUkg8bgSTsw27jC/JQU0qTSNVrMHgzfApw6GUQgGTYZK24tFCVNBJ3sxvTbuVOcShy01yJA==,iv:5gTo8ySgq//ZaY88F7AcAa2CEe2hXR415EqqSsYIbF8=,tag:DOf4yEXW5kzYAL89KQOAdQ==,type:str]
+dovecot-passwd: ENC[AES256_GCM,data:cZt43pgPNbORpqX6KyXvzVt1Q8tNz1cMF9YVUyL7saZyFqA5XA+uywU5yVerjdsTXfx4QeoYbA+bDE7qwdjTQBpEoEMm99WBb77rac652VGXXCas4nrbwMmZbUY2Z57PKd4GPN/i57VAD6eHiTV8HCd5OwiX7AlpmHXImgL9jr4P9skyTPIEnLF3NUVxktmAjn+X7IwmBH1mtn5Gesc5Q+6hoTQMwLn7ilYWfcOvaf5UOsHS6zvuTlGPuISaLPEvx2CLBccu7I38kKafCLTc1FOhdrFRu2n9/6gD1yIxUnbCkDWpcIV1e/3FlU5aQM7c7duQFVuIW9KpY2U0R2Y5Miv0ciU2D1GaJWMud7S/HCxPrQo=,iv:Arppozvg9+bjNCIJl7kRwbwGm2fuf7CjBfEfDT45+MQ=,tag:+PeAznYRW9S0Ok5uEn/qpQ==,type:str]
 dkim_key: ENC[AES256_GCM,data:CZC/1U1cJUIyNhXAWp+YFJd0pZZKvZClJxOh3uZ3YyfEQBiK9nEQryAJHirpFXAmZTcGhsuotkAuJvVQtoh/pM9YGkrncCKlw+P96hiafHGoSOnqd77DazcVERwGEGYBPK7fIZfhpAaYiIvjwq6FbMzkkZ4vLcYRNRj+LCtrXu4K5cy5ZJaRFkLCiaIVHhrOfjyhDFCkFBd3pZ/oCGH57teisjFl+LWFqGOQFyGs3Vkv0bY1fUTUtFvpYcTdrRe6A7yI3OGveX3Q9JnDKD+PBqHhd/a/OjBF0Xme6BeipRnv6/Md2F5LNDfUWugOtDy0xigtWAp/mbVel8GYgTXEQYv+sxVu0kFM7bX8fa/A/BHNx98HFoScwLCt8VmCc26asfGvGFfADrJMBIk2IbmqjQ2NV7/ejB6Zym7tjLLpYI24LBAyZDH/Rtw7CqGPmpHXCQ9xILFxLMdqMSmgPPJtF/75qFICCQH2p3CHj7b/TmTpu8RLIVu2pxG48u4VnUgJE1zPBeaY5EY1uS7L5sF37CI+vMy1mY/3m5ZsWeOu9YigZouYy/Y6OrdtOzaEVaipQ2cYirD00MOYqO57izmjuUdw47OJ5zK7XInR4MHoLX0PfdJiw5Oq8OVir6KJf9UWPSXBbSZlj6PMkqbvQ+7VWJmDT0jKTbRg2M1eZCbcRrJAnE/YenMqYFXiVY1dOGjcrrxUn0zcnJ51UJmfDU2+UQc7urBVtqm7jfegudQ+Em735ynclMfYRWvRXQGQUm2YCUFXTwd6RhY4hHb32j6x00hi6iLjt1gjlMx8pHAcVbqcOdHFoLvNe1DlBsl/7jmL7otyY5m1VF3+H0tksDTSYfil5oudMEECTPypsZfp8iLU4xgjuh/+fXjZf4hQJMiA6OaGMw7R2cwvfiuSaHL/iz57ZtlHFW6TMWK77UBU2xZACVfylnqEaaIgzhYX0/wAsVQI+gqt03EsUx/AqlCFOCrOSwjov06k2bTDzSDcITayLkf9UjwOo/lmRz+7fCfvCaw26wZCEsEtRBfLrZc+Ibwq9uvNDsrV1hthi0qh1ngZonQOA1Y2NURDom3VMKkfu++nFIV+CGrAI5n0CVlVLkJn4RbPCDcmNGd9Kr8pYv7rU4MnMmD2n2M1OzAJbScrbb+f4Z8hEOIUk0dMVxOr/clrg+7F3vqceZC8VTzBbBAH4QuBAf67VwmZTpDB5bobFv/UwEC8pJ4HWmKcBN+s1QihtD7x+WYz+8pSNucr+oN56fiY8xAyvFFyTE7/zNWlXVi94E0is30q3/ZB/Gog5eOQT21tOI4Ak0N4y+ElfNIXSqtEUGhck2DIjfegygpvwiuu8ktEZwje9Q4SAYK8/0THT8ANyzDunwSocMdztL1zF6/ZhDub8hmOuaRJWotXzmL/zCXSGR0nEPXVSmyXKwHt/4MMGkasXOXetrENKIwDqYdm1eZBMCl8EGnyAbAo21LAfVTI0GLrNoFWNTPkpBIo3dKoBofmdRei/jHtQmBtvaILUv6UsIAyjJ+x2cpARW+yMIrv/0g8MnDMj4cCiIFk+AIXI279BvMrkVP1cOA7ESJkLe1hsL6+b7lmrhAWK1cpDnIWTXJG+v9aKlc0jz9D47gr7kD/ePC8sMaI95aQBbA93ftzYhKzsU9hINsU/IKGmT0rXS4j/BPZ0o8uC1HRaMjdE5Z0KHsebS9tn8lXfHFgX5wTDMaES9h+usUJrjc6F1lj2zYP5oTOjM8YmN6YQedo3wmi/PnA/8YMXz0tRFAZvg8VAYYtsfdV/2GLtjfD2YRK3iHsg5+GSEwqFafmWGgr+uhsl4JmKiASWJvx0Ron8RwdEzK2MC6WD1JERLU4UojOfx2xy5v15eveNnEufb7o1MJSAbjuRbVYiABqNFjIwe9hquIyTYVsiqiXi6fLeIV4fsTtiI5LLKx/6dOw31nFg/WfFWzvzLiLJ6b0NZowECP+Rsvzl3U0Qo/LbePyY/o8UYOo7u1zLpzxIOPyTqdKh64WqGYnqXmWy1ga57vnyl9mWhzr9ZlEuhM+0U8bVelIXmLTZp1Nredrs8E5ERdVnKmThbrLr8GvJAl4B7g5BIrGhSBB841wMm9h/SheKdq8SN9gUDRNgW0QNFkflBhX5ZsAHlPiJxddePbbAxfChv+ClG0oDuFDoSwSElCRR9GRayLRiws6CCDhviU8ub5JApSPTI9p/UjSJePSj+GqyqljTge0J/wgxRL2pAHk1HDQyOnv4kFZ5UhMFjU6GvbuPl2W2lqICJOcK9UuKdvivGsYkSSrOfke3mZMh52/f+03ciZ4xlwjDGV91kGONq5GME8dFEPD093xg0KbScfWanRWSoV3fOxitPWpcJ+xuNnDDOHjzLOYgt07u1QQs62rg/6BII+1XKBowLwG9Z5aWexZ3yCzrOR70pLRWPbOJNCAggEIaTkIa0ukOlaPbGzSZ6LuIyup7ex0Uabd2cOuvmAdMqGwnIB7fhtkdR7G4iDbnUqu7hbFurJn/3IZalJvbyZUuvC5X4oGU/CTWzDtdSgv5jQQ9qnr9ehCNCWjdg9T05v65XsW/OwHnRUN8A+1vxBIZ884lvFoOhJYeKXMufdAg4bCzUE/kdctRPwAVt3OjLnykXYcJV/3Ch+YIwv2vNA4pXqsMw8wgxX7DCvrCrVpkZAC1JIE32aKCXrN4tRUMrc0mnqUXa9M1rc6HCGa/vFCMj5ZW8xP9mOG+HEJFiJaV6ydxvhI7NMyXW2YDSxVh5RMMjXHUBq/bKMHPrLN57qmzvtcKUNcmS+VTvjS64wZlUsA1PEVwaJ/EQVAaY6ZeZi0CJ2A3YpklXYJpNqYhv8ICtFK2Uf6STfNYGaLTW2bgfZpWhic1y/V4wAWKa5A/XALXec+ioFr0foQR2ADiUycQYhMLZPSKPnWhcmwUPY+KPrjP11raVSM4ehtKdDlrbL3vmw6SlwowveyC3aqiceYzISWAw9o+ccvLs/bedEBeC2af2V53/vIuN4XYWjtZArRyqpzeeqlnTOb7vhpI84plXJdGHlmw0bml0yV3r3ucgB50wbAMRvQtJQ6ePPfOLOYLpDYFLPZJci8Vc3vRInskPOF39m9tSTT1noUSRZ3IxGi4LiUT76nAgI8BeTp3bqNuA6Of6I4yYS4Jmmby5C5eel0Ozl3gkMk1xuM5UTwcE7EDkr9rnzxs6rbx3CpQB3y6QB3tAe00zPpMm5YKJq1AKqvSzPco58g1vVu06e3l+tcGyt85t5wQTco3OX2kgBBxsiA629yAWcSIqKFZ+o7nTpA+zZmQrjVganWflbOhVNkvRSkLpThkYVlnkqBU9ixzQa79xVOF3WmNYBhdWfnO9VxFwE4MqgpOyL7sz0PsV5/ZsOy8m7DadM3GCS2mFtWZiM1RnGCayZvyY2KFNj3I8qM1HGMMfeF+3KXjyCBSyBkD25in85M0QaPlMzBxFZupSoleJLLwqd4BfsLk+POiZjLQQseSDVSqrjqWyE6d+baiy+m6d+z6sx4ojRf+q9wlMjZ2oRa+wsLnhbCrdHsZi6Q9eZawU6Vlsy3/KjarJABnapJsMbHYTlwPHlPYU6Du9T3lO2aJuTewOzA42Aoqm2Tlm4xh0GRV6Rx7najkMjc3cex1DAu0PNaFzWVBD7yPuv9FS+DzdEneEj9Tx81v245I9U8Oc6yacu72Ry2CG03ONld70oEU2BHrIgswoyMNg72hnhot9jfDutjJrB10b65pP5WZOAUGtwDh2a2KrdnYG/TGId+ehnkkwS2Sd87/CM4aaSYlsVneId6bXYpUcxSLroXUAHsigA3rjMpNpvR8XRiQZUfLWRQ+d8gyL5PVLp1H7R6LEDO4sZP8IuDJfxDzlP0Rh6GOQgu+dlkcxWGVHQxcexBThMURJYVMhTDoYopEfUqo3j+q7Fla4Q3HdypKg17VyVfEA/J7Nie+eDZvTEuvX0jWQmGAFdC9GbkVuT7hlzYx4kZ6/B81kVyQi8e3L3ZBAYHQXbHeK4GhSWQDwHG6ZBU16KrD6dhjIvn4HlXaGYaPMvv0Rp+yjeiur/n0NOWyvx0R1RrksbsyeaLIEDhOS19wXP4kiDrTR2qJN4LHcWu3m/hYuB4Fj72qyr2K7osXvbC/up2bSpY0IOcei8Nc/hIhqoe7uM4Jg3cpXt0hTpcDZ74HNIsd/6f592BqpoXIy5Cr1ZOxmnpkHdgZIyJ3KqwZEhYa7pSkOIIEAY9EnTPm3ViBHQdqjUpghYNzntO8EomNNw0sXUFFrwlGAY+ntLYUty0kREWt4l8Iot+XblCc8FX1gKYSqhnJOGjHHjOHO22Cr6NPJdcHfgkIBCknwwFWWMRPwZOomE=,iv:7LF3l52m6YRKGd/8rxDady3AbSEcXuVRsIaLlgNfKOs=,tag:UCjMRgFZFHQyXY5NfbZRcg==,type:str]
 dkim_pub: ENC[AES256_GCM,data:XLYRTAviK+r6DnRU4+lc58elI3FJ+FPsB1A5sQOk+pb+fNu7zFCiZdz/MwTVkE9izDP1Onv+VhV8sRgmxacTv4nW5GcukCrm3FmCp2jm6QF1/40/WRv6Lkbek0tV1bMOQPy9Zj8wdO9M05XCXUVXk4x17rj+lw8ApwJS2pJMoultMFx34tx2pNEnmO3MFtuBOxzeU2yP+NhF2sJNA62to78AiH5EblkoF0a6sUYk553U+sv3Ob0lo1nSv6c8zwl7y1WSNQnLK+/3WxSVGfePHVsVM8Zze1KFTVLQQggIzWTdcr7AgcTGbk3kaYCeucfQ60pVlqOyPnkJoUJ8HR1RSajFk6Ylzw0xBpY85qAXNT2YIRiq0HTUc1s5lD0luXLQEP+g+XUwZfzFRZgt1nWBlPmpbj2Ylj1FfrA7EXsIK9nyo+rf0qRn/4HusJATr9ddYmZdxwazl1FXkOKLHPyu1NlzwoTNSQQgMHlzxzUvrrv7+mI2nQvXRx82TSRytqrMvoBTF1NFX+pRjhNg9fcq0oPJ2ORqOVQsxzhLhB+tw7Cg+UHGWlnKnkqaKH1JDmOFyJDB96aPUnSQT2J8qkyb+hMBXz9mme8rZopkHrA4WyDXv3zpEi0P5Sj0DDwdRxKMdDdZ4hw79YQIrd63cIorN8XG6Icevb25LfekLEq/C2FS8+kADagyOM0uzCw2p/qacNz37ZNGqPK6gYkjnyoAfSm14zbgoLX/5dnf7eCuMatevTm4AcE53RawQfzz0YNJuEv5uqD/WUy+UIKHIwxPYY9FWBBPmH+8eaPC1mMPh54I444b39FwpnPU8GwxEPsjRg8TSnohawNmmhEWEpmlawEKw+C+BE6A2DmVJzyeBvVRwe/W6CPgyYxgSGWUuvfZFm1GrzwZDjCOEMRn7qMwMBxh1nr2BOAiNxA38UtsymaZO5ZOknClWlKIkIFl8NJdVITNNsI48KMuSY20o1puzkxMaAUH3OrGEhtoHrEOeIq+KCFzH2gZo6L5hbv9CHM7QgCYsbtVIMwL+cRZZaSNubS3K48OmWJnHNuqkcrSI4lqfjLhz1DbnQ==,iv:/cNMmlpq9LSOk0MwVq8NaWvp47q68lKWTx4s5nkwF5c=,tag:ZNX+yZsSxdhFsavDpX380g==,type:str]
 relay_creds: ENC[AES256_GCM,data:yWG53NaiA2s5aUudZWecDS1+fOURTHd0D0rNxZ9Tud9TsTO2F/6+5i3vRz/4qP4FoBexEVoW5Xhkqo8o8OaGOpZHh/Nla7TJTnaSCgJw9QPfFoRNiE9f46LytXYThiCGBdy3Z3gtNmSX5BQk1zNI1TiHBFG4IYfauq7e6jJ4Bp/9z3LRknDITdlLjzAPjIO5kUG95IrQQCl3SeAjS+LwxPFRuV1+zWNdOXJLmSeWv1JcAcyhkwutMhQYRGMaS09bbXp29N8DX3lsAK9pYZLr5F3gXwOrZN7nG4+K0KOqfMI4UcLpIOlCPdj9XjgAYcWC+LL5bA0W53e7je3IDVebevDheKPowKK/A6le2TfqXKfhOVi4qXaEsjOBIJzLylOqXoAb1ZCM3nTHCC3M/r3/il+6RnFgISOCHezTiEYM,iv:0kAJzoV/HEIRuEAxzWAaQqwlzWlBSwklipWquF9WeoY=,tag:SCQOQCXm6kmLSYhkT6dubQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -11,113 +10,50 @@ sops:
        - recipient: age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZREpDaXVwSjBPZEtaUFU1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3S0FqZWxDYmxHYU5FZVQz
-            d1FTYnV1STlUdW5oeis4RStVckcvUFhPcndRCnNUdndTenhxN1M1STNlZmtqcWtI
+            V2FZMFFSVXJubVRaNDZORDJPSXhHMnludmpRCjJrendscEdqU0p6K1R6eE9FUGtj
-            amkxZitGZ2p1ZlNTRFVaYkNvWWdnRkUKLS0tIExLYm5PYVI4aFViaER2L1dUOGMy
+            RVB4Z3dlNHlBSHRhZ0ZMODdDRkN6ZFEKLS0tIFlzUStVWmhlYWExV1JscHE0KzhG
-            d05BTDlqanFMQ1hjazRLUUVlaXpHL2cK+kXvv9khiwYlBK+lmqgYmHNNjMXHU5FZ
+            Vm1uUmhQRzAvL1YzTWVVbllRUlE2Z0EKwg6SBat+CG8E7/j7K0sakqGSyJYNzXqt
-            x5dpXndIiTRJ0cGtEgK78efbQmVNsHAae2X0E0IxbvrSe26S5PIbMQ==
+            b0DMsGq9GnHE1Ph6gGVVWO+pos/FGuunSDyL0lcXk9xJE02FErnw+w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONXlpMm5KTmZuKysybU0z
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNVl3ZTNGWGdMT280MnhQ
-            OUJCMmdrZ0V4amI4NTNtOEFqSXVtbW92cjFVCmlCZGF4bXMycXhJS3h6OWVpV000
+            R2RHTGRWVFpjMWltMDVIWk1YSUc2eEhjbWwwCnNiTjA4dUZuOU1tNTZtd240VXpU
-            SjZuQUFxelVpT3BXOVh5eU1vYnNKMjAKLS0tIG1KYjZJU1dMd1Y3bmxWaDhOSEJn
+            c0FKY3VoR1dYUVo1MDZjMEJ5MmhjeEEKLS0tIGhuT3k2VlFpTWpJdFJYM0JhZWtS
-            SUp1akQ2bUU0VmQvVkhheXZ4Zk5jWVkKqJ12/g0H8l6WwpiHxA0K3g3Ry4dpPb/h
+            dzNFb0FDcERGTFVUOTgxN3czTmRUME0KihoqiXkph3sNWTwn6tFi29z9jnht6JRT
-            2m84IYzpQA28BRCSHeIEeH1hQ1jU33/625XlNE1iJncPqu9YH5mXug==
+            zOMNiaWjMHQ7GiR+Yv1JMWrEvKRrEjNaFXt89z0Ebx4llTtyH8W2fw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLM3NCcGVPTS9hWHQvMCsv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWE91QUFmTzdEUjJ3TTFX
-            RlJ5M0tVQWZIUm1tWSt2NlFVRGtHaTN1Rmd3CndVUHpEcU15S2lmbHpIY0h6WW1B
+            Y2o0Yy9BZjdkc2VVcis4a3FlcDVScDF5eGwwCkZocDFIN3B5dHdNTDNaVXI2WHBF
-            aEpRZVgzN0puRmlMNWNQNW94TXh6UUkKLS0tIEVXSVVVL2JaMGRFcldoVnZ1TFZz
+            dDVXMDdvOXVBM3V1NW01YngzclJ1RXMKLS0tIDV5M2JURHkvWWFlbGtUNEhxZ2ZE
-            bzJ3UGl1aGpsa0FGSVkzeGRHZDJWdmMKZgg4UtokzNDBuVZYoyYirTI1NEC3QGmm
+            RVlDMDgvNVFOamlFR1BZMUtrMzJ4N1UK6r7QbX3nEBu+S8e7oqCk3ys6hqXHkyW4
-            ilOukMvpTZFYtKbwWVOuB8kyeudlkupavzlnHYAGBbpMVccpPeZHAw==
+            z4hWz1rr/23JpGR2ENRS+DpHRCRo4KKRhUx2hLc6C2XijNgD4YsUCA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZ0tyczJoVzZxUmhIZG14
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqelVSdDFFcVZxODBiVkEv
-            WDZjSlM0Q2F6VE9Yb1hRV0d5dGVoVmErVkJFCi9HbXdxZE9NZ0pLaFo1Nlk5QjRV
+            QUhYUzM5SDZLVWQ4YlB2UGorZWlidUhIa1N3Ck96TXFGTXBtSVFLdFY1b3BKK3g5
-            TSsrMlFqV2Z0OVlWVjRnYXpyTlNWdUUKLS0tIGZ5M2ZEWFR0NDNQUFQxMW1tTXlP
+            ejZFTkZOTDdqdHFsWmRKNEcyaUZZWW8KLS0tIDJtL2JaRE5XaHNvYW9HMFYrbTFP
-            dDRaYnFZajR2S3ZoZ1FFWURYVFVpSFkK8YuczSfs+j3dL1OT4sr2/kfdAxPRstJj
+            NUFlUTVvQVdiTlBZOVZqSjA1ODNhUHcK8hnqUuHjUgjF8nbZgY4BTkk58BbRCYWV
-            SeDlvg4C0e2wKrqj0QwjN5oz8t21ELerXska7yZ3cod5gaQcFxB44w==
+            NOPw/jUdEZBRoTJqoEdOLAtW/x1h7Xo+mpVuDW0K7h07LiaU7FL8xQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBNWlKeHh6UjNIRTAycEJ1
            UVhJMi9CUVBsVld3YlBEYjVwaWE0T2V0cFJzCnpEb2ZxNkNwMDBDQ3JsQXVjY1lS
            eFhqSkcvenkvOHNOclI3dkc5NytmQjAKLS0tIHkrc3ZEQjhJVVZlZWVJMVE0b0x5
            QkxVMkhOK2hUS0lQVGlXYXUrVm1LVFkKyFIvkGHeykZBib8gNln1mEHtU5+Xr9rC
            RpphkvAU9AA4J5/LXQs3To/WzTg9gt2fSxtrwk9TLheheRfUcHDuRQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aENxNUpXUUxTcEZobkpW
            SFo1UWlUSXRWbzF2bWp6WU9Idi93OWQvdGl3Ck1rdlNYZFR5dThKa3NaVFU4NWY4
            dTdUNUdEQ1hkWkRsT0dNbVVqMytnTXcKLS0tIExXZlgydnhXTktyeDNrZmg0RFlt
            QXAzNGk3MmRCSng2SlN5bGdiSTlJRTQKXy5hTxS47WVjw1ILaaNfMaW7YMIS3FGP
            hvYeGGL2WHstUapyYb/Rgn46KJgk1gfDchYyHq+06SkpZRaUzCBDUw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYWl1NUQzMElhbFBrbVBu
            eURzOGFJSW85dFMzLzR4M3UvOVhQUGYvS0ZRCm1qYXJTUnpUcUVWUTFtRWQ2OHBO
            UVg2UC9OSDJkL21vV3VNV0l1Z3ZHcHcKLS0tIDhVaGpFZ1djSnFaRnVKckxtQU0z
            YlAyNGxsYno2U1NIMDVtVXJwcFA0ZWsKdNW5iANSWOGdSRYeBf/+/gtk7b+IN/ir
            lo1HtaIT1a5tA28JfAo6ixIKdF5nnSIunM6Z0JlF9zKuJbBOmdVbHw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWDd5Yk1pNGZ0UHRrc3lu
            WWlPZTd5bFIvNVBqTWplR3NzdS8rQ0gyZVdVCkUvMEg5eWxCWHNyYTcvMFd6ek9y
            Z0RudTRHanlTTVhYZDBuMkpsYTcwWjAKLS0tIGtDemJabDRVakJxMUdVUWQ2VjIv
            NTBabFVLNENzWlNoUmZSUXU2eEJtdEEKuOXBlsIBsgjQvRZ4fKdoLfs1gqZYa4og
            9o/mo+ciXYU3xPPOhnd/OTar/8pBpCBBCO0Ag+1Me/dVYbA0s8Jvvw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUnNZSEtpb0JVOTVjazFB
            NHdXSnVxRm4vaXN6VE5leGU1Z1JGOHFEUUNVCnNwdUxweTVlanR2ODdvTzlDWkZR
            NWVsY0k3WmFOWktsUVJGT1p6QUlKbGsKLS0tIEtnRVdxeWVYd29XZHVQWmZCNnhE
            OElkbHNtUG1ncXdQWEpOcDNMeUg1d0EKF9OjITJDrkfZA2wI6Gm+0+MTDw4OPkQt
            SDbNe5Gllo8BC1jTRM3H+uxsQ5L0TRrwnrSxNYjNdDIRHMrIxi3qcg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVk12WUxKdWdDVWRCU1dk
            VkhNZWhNeWJ6OWJJaWdXNFZwRlZMT0lOTFdJClRyYkQvank0cGlZSzJGaE1LVVpO
            VURjMnBIY3VvMkVnbzlJVGF0dU1FR2MKLS0tIHZlV0U4azN4aEVRU1YzWDN6U3Nz
            YlIzbFBDd1pqMTVQa0diYnZjRmRRa2MKcPAvAB0B/zNj+mcavMkJdksWl8o1j8oQ
            gGG8xdIEPT9wjfbL75IvHOy/7TKJR0uVomD8IB4QuVi1MxJh6jNJQw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbmxpNlZvV2JWYmRJS3lq
            Um5GVDQ0ampMTDdzZHB1RFFqZ012bFZMd3g4CjdoMzdOUXhtSEF4Tjk1UTJlNGNG
            TzAwSDAvK3VCL3ZheW1HOHFCclU0OEkKLS0tIDY5anhYeTQ5RGxNUlZNRXg5Rm1o
            QVk5dm5RaWpocUZrWk02Slg3N2lONjAKxWKAmAHt9x2T/9bh2mnQIF03ufffO9wF
            79jffMh/3GyX5Pk0IbjMWwOn7ahQWOEgD58C1Lja2wpixLdwb0wgfA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcUJUTFRrZmxiN1MrZkZB
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UDNVSG9Fb01YSWJTdXRD
-            V2FjSlM5ZUxyUFZMKzRoYzY1M0plcmhjckJ3CjBhY0VRT2VMRUR2N01YZWZVRkJk
+            UFB1dWhpRUFhWmMwTzdHeTNRdlg2YXd1ZnlnCndBRXBpMTJWdFRsMVNYeDBBY2g2
-            VEdqSTNvLzNBOElZVVUxZ0VBekx6RnMKLS0tIHNtVlA4V1R2bkFBaVJMYkk3eUNm
+            ZEZKTEw4dHpHSlFNT1BsSXQvaCs4MDQKLS0tIDg3YUlJYU1nUjRTTGtIeTJBVEhR
-            TjhQY0VoNU91Zi96VzZGaitsWHptT0UKZ3Vx/iqilkHrFkAbaSeJZNmSOzXvMDX6
+            SjZLWG4xNmxoSmtaTFZweEd3TDJ2QUkKcI4MdgglGFJT58ugHebiE6YQUehEomnH
-            HhcXrrq+sVjnq0XhOqWVY72h8Hp3d0JWA9VOxNQRyM9hdVENXur8YA==
+            qPZdH0SZAtJxBPqt78wJqvndR5INt5HBmLtXMDLLEk8o43lqfIkK5Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-10T20:44:49Z"
+    lastmodified: "2024-03-21T22:00:22Z"
-    mac: ENC[AES256_GCM,data:tSTKCP7HUUCSCrbeiLutPghjfbL9TsxuCmbARUqwQBH8pyeOsyFHyPCqmqjCDSu2ha0QTldNGM9baiIQa/05DV5KNmFfVuoWy6dd4/3L5yNd3FPkzR2SvBua1g09YZpC1G2IaGrOcqBEOY9baILeBGgXfxRtcpMVAR2C3bOqJyQ=,iv:4phBdZ/4u5DAbUn4Z7pdrJym+iG9oxZSsIPZqoDEqco=,tag:RJn0416yl+0FV9bTu5tA5w==,type:str]
+    mac: ENC[AES256_GCM,data:wnRif4PVGh1P29ZXv1XPF4GdFFhrsRkYmdlun4WsLDFs0Y3xIjPQRScAbDzPnhY6vaiGKZfx0+RZHHMMFyVCz4bmo85MzGuF9H2QECBfWBNgCNCKXqz7pLQHA4c0u9jiatuc9PVc42RokJ+rITn1cWV9tLGot98ealpYkJbN91w=,iv:EL2Y5WZtWB6IRwnrGmWV5QO3XiPOB8IJkATbZTY1/oY=,tag:/z3ULuFshOw/ed+G3W8OmQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/tests/liam.nix
+++ b/tests/liam.nix
@@ -1,210 +1,75 @@
-{
+{ pkgs, nodes, ... }: {
  pkgs,
  nodes,
  lib,
  ...
 }:
 let
  certs = import ../deterministic-certs.nix { nixpkgs = pkgs; };
  relayDomain = "relay.test.example.com";
  rootCA = certs.selfSigned "liam-test" {
    ca = true;
    cert_signing_key = true;
    cn = "Liam test CA";
  };
  relayCert = certs.caSigned "liam-relay" rootCA {
    ca = false;
    signing_key = true;
    encryption_key = true;
    data_encipherment = true;
    tls_www_client = true;
    tls_www_server = true;
    cn = relayDomain;
    dns_name = relayDomain;
  };
  relayUser = "foobar@shelvacu.com";
  relayPass = "asdfghjkl";
  relayPassFile = pkgs.writeText "relay-password-file" "${relayUser}:${relayPass}";
  testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
  testAgeSecretFile = pkgs.writeText "test-age-key" testAgeSecret;
  sopsTestSecrets = {
    "dovecot-passwd" =
      (lib.concatStringsSep "\n" (
        map (name: "${name}:{plain}${name}::::::") [
          "shelvacu"
          "julie"
        ]
      ))
      + "\nbackup:::::::";
    dkim_key = ''
      -----BEGIN PRIVATE KEY-----
      MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANn62hMdcFw4znAB
      CKth6N4JD8XrNezCYbvyrUcVpGkkMX3TC9sEyZgGV6Y2Cs/J2Q6jKakC47nXebzV
      Edk/kWsApj4J7PQl4t/G3vf1rdfICQx1pIspsmqQKsYugUG18EugEZzelai3+n4U
      wqsed4551aRtwaws8dJQePOEEq1BAgMBAAECgYEAummKgXpVkqiJ8sMPlPEgYnHB
      aXLjJNx/FGpOwVHCzp/DK2WG6ADKHhaecmgZCuYFmDz07bKo6U9arqBQqUdxpUor
      JT2SS9RFP5MTsTB6R+eRqX8oMRQhcXB/+MczoSV/087vIZsL3L//6XoGyvjuHKW/
      bvUR/F8PhB84uPU6RLkCQQDzXXj80iRhY6jHDwqoGf3BXd4O4cIAzPbBXN0W41fV
      L5ZBm0K0KAgLnyjVygbsSn6lXsZXzAa/wAbSstMeCn7PAkEA5Uv88nfZSLU99XvF
      WB9GD7lKXsAnWlf09F8hH4a1TH/zfGUCxrDdYNmdBdG6t0XuIVjay3TZcpW68Z2Q
      lLeW7wJACj7KJCKYo3z1kwPAGBmYBDb2bTv11eDLFpLZP+hsPy5UrghiQ4FX7V1S
      88Ugi3wLXtzhjrqpIhNsdhxPJPmeIwJAVpx8YE4a+hbT340v/thZS4ku6Vllw/9j
      XIcuaM0mYE4Yd81j3g9in7mzUUZmY+H7UAdTJfTuShT6t1dQDIzIawJBAIJ+azsj
      H5M2KsE3Nuxe3RODM/D4I5M5dngTkgNZQvUAywAyj9U39ZeFPEyXJyGkKNoR2CXB
      hCvgabgr0wsi1y0=
      -----END PRIVATE KEY-----
    '';
    relay_creds = "[${relayDomain}]:587 ${relayUser}:${relayPass}";
  };
  sopsTestSecretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" (
    builtins.toJSON sopsTestSecrets
  );
  sopsTestSecretsFolder = pkgs.runCommand "test-secrets-encrypted" { } ''
    mkdir -p $out/liam
    SOPS_AGE_KEY="${testAgeSecret}" ${pkgs.sops}/bin/sops --verbose  -e --age "$(echo "${testAgeSecret}" | ${pkgs.age}/bin/age-keygen -y)" ${sopsTestSecretsYaml} --output-type yaml > $out/liam/main.yaml
  '';
 in
 {
  name = "liam-receives-mail";
-  nodes.ns =
+  nodes.ns = { lib, nodes, ... }: let
-    { lib, nodes, ... }:
+    liam_config = nodes.liam;
-    let
+  in {
-      liam_config = nodes.liam;
+    networking.firewall.allowedUDPPorts = [ 53 ];
-    in
+    services.bind.enable = true;
-    {
+    services.bind.extraOptions = "empty-zones-enable no;";
-      networking.firewall.allowedUDPPorts = [ 53 ];
+    services.bind.zones = [{
-      services.bind.enable = true;
+      name = ".";
-      services.bind.extraOptions = "empty-zones-enable no;";
+      master = true;
-      services.bind.zones = [
+      file = pkgs.writeText "root.zone" ''
-        {
+        $TTL 3600
-          name = ".";
+        . IN SOA ns. ns. ( 1 8 2 4 1 )
-          master = true;
+        . IN NS ns.
-          file = pkgs.writeText "root.zone" ''
+        ${lib.concatMapStringsSep "\n"
-            $TTL 3600
+          (node: "${node.networking.hostName}. IN A ${node.networking.primaryIPAddress}")
-            . IN SOA ns. fake-hostmaster.example.com. ( 1 1 1 1 1 )
+          (builtins.attrValues nodes)
            . IN NS ns.
            ${relayDomain}. IN A ${nodes.relay.networking.primaryIPAddress}
            ${lib.concatMapStringsSep "\n" (
              node: "${node.networking.hostName}. IN A ${node.networking.primaryIPAddress}"
            ) (builtins.attrValues nodes)}
            ${lib.concatMapStringsSep "\n" (d: ''
              ${d}. IN  A ${nodes.liam.networking.primaryIPAddress}
              ${d}. IN  MX 0 ${d}.
              ${d}. IN  TXT  ( "v=spf1 mx -all" ) ;
              ${liam_config.services.opendkim.selector}._domainkey.${d}.  IN      TXT     ( "v=DKIM1; k=rsa; "
                "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ+toTHXBcOM5wAQirYejeCQ/F6zXswmG78q1HFaRpJDF90wvbBMmYBlemNgrPydkOoympAuO513m81RHZP5FrAKY+Cez0JeLfxt739a3XyAkMdaSLKbJqkCrGLoFBtfBLoBGc3pWot/p+FMKrHneOedWkbcGsLPHSUHjzhBKtQQIDAQAB" )
            '') liam_config.vacu.liam.domains}
          '';
        }
-      ];
+        ${lib.concatMapStringsSep "\n"
-    };
+          (d: ''
                ${d}. IN  A ${nodes.liam.networking.primaryIPAddress}
                ${d}. IN  MX  ${nodes.liam.networking.primaryIPAddress} 0
                ${d}. IN  TXT  ( "v=spf1 mx -all" ) ;
                ${liam_config.services.opendkim.selector}._domainkey.${d}.  IN      TXT     ( "v=DKIM1; k=rsa; "
                  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ+toTHXBcOM5wAQirYejeCQ/F6zXswmG78q1HFaRpJDF90wvbBMmYBlemNgrPydkOoympAuO513m81RHZP5FrAKY+Cez
 0JeLfxt739a3XyAkMdaSLKbJqkCrGLoFBtfBLoBGc3pWot/p+FMKrHneOedWkbcGsLPHSUHjzhBKtQQIDAQAB" ) '')
          liam_config.vacu.liam.domains
        }
      '';
    }];
  };
-  nodes.relay =
+  nodes.liam = { lib, ... }: {
-    {
+    imports = [ ../liam ];
-      lib,
+    systemd.services."acme-liam.dis8.net".enable = lib.mkForce false;
-      pkgs,
+    systemd.timers."acme-liam.dis8.net".enable = lib.mkForce false;
-      config,
+    systemd.services."acme-selfsigned-liam.dis8.net".wantedBy = [ "postfix.service" "dovecot2.service" ];
-      ...
+    systemd.services."acme-selfsigned-liam.dis8.net".before = [ "postfix.service" "dovecot2.service" ];
-    }:
+    # sops = lib.mkForce {};
-    let
+    vacu.secretsFolder = ./test_secrets;
-      mailpit = pkgs.mailpit;
+    sops.age.sshKeyPaths = [ ./test_key ];
-      dir = "/var/lib/mailpit";
+    services.do-agent.enable = false;
-    in
+    virtualisation.digitalOcean = {
-    {
+      seedEntropy = false;
-      networking.firewall.enable = false;
+      setSshKeys = false;
-      users.groups.mailpit = { };
+      rebuildFromUserData = false;
-      users.users.mailpit = {
+      setRootPassword = false;
        isSystemUser = true;
        home = dir;
        createHome = true;
        group = config.users.groups.mailpit.name;
      };
      systemd.services.mailpit = {
        environment = {
          MP_DATABASE = "${dir}/mailpit.db";
          MP_SMTP_TLS_CERT = relayCert.certificatePath;
          MP_SMTP_TLS_KEY = relayCert.privateKeyPath;
          MP_SMTP_REQUIRE_STARTTLS = "true";
          MP_SMTP_BIND_ADDR = "0.0.0.0:587";
          MP_SMTP_AUTH_FILE = "${relayPassFile}";
          MP_UI_BIND_ADDR = "0.0.0.0:8025";
        };
        serviceConfig.ExecStart = "${mailpit}/bin/mailpit";
        # serviceConfig.Restart = "always";
        serviceConfig.User = config.users.users.mailpit.name;
        serviceConfig.Group = config.users.groups.mailpit.name;
        serviceConfig.AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        wantedBy = [ "multi-user.target" ];
      };
    };
    # uncomment to significantly speed up the test
    services.dovecot2.enableDHE = lib.mkForce false;
    security.acme.defaults.email = lib.mkForce "me@example.org";
    security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only
    networking.nameservers = lib.mkForce (lib.singleton nodes.ns.networking.primaryIPAddress);
  };
-  nodes.liam =
+  nodes.checker = { pkgs, lib, ... }: {
-    { lib, ... }:
+    environment.systemPackages = [
-    {
+      pkgs.wget
-      imports = [ ../liam ];
+      pkgs.python311Packages.imap-tools
-      vacu.underTest = true;
+      pkgs.python311
-      #systemd.tmpfiles.settings."69-whatever"."/run/secretKey".L.argument = "${testAgeSecretFile}";
+      (pkgs.writeScriptBin "mailtest" ''
-      systemd.services."acme-liam.dis8.net".enable = lib.mkForce false;
+      #!${pkgs.python311}/bin/python
-      systemd.timers."acme-liam.dis8.net".enable = lib.mkForce false;
+      import sys
-      systemd.services."acme-selfsigned-liam.dis8.net".wantedBy = [
+      sys.argv.insert(1, "${nodes.liam.networking.primaryIPAddress}")
-        "postfix.service"
+      sys.path.append("${pkgs.python311Packages.imap-tools}/lib/python3.11/site-packages")
-        "dovecot2.service"
+      ${builtins.readFile ./mailtest.py}
-      ];
+      '')
-      systemd.services."acme-selfsigned-liam.dis8.net".before = [
+    ];
-        "postfix.service"
+    networking.nameservers = lib.mkForce (lib.singleton nodes.ns.networking.primaryIPAddress);
-        "dovecot2.service"
+  };
      ];
      vacu.secretsFolder = "${sopsTestSecretsFolder}";
      vacu.liam.relayhost = "[badhost.blarg]:587 [${relayDomain}]:587";
      system.activationScripts.sopsHack.text = "ln -s ${testAgeSecretFile} /run/secretKey";
      system.activationScripts.setupSecrets.deps = [ "sopsHack" ];
      sops.age.keyFile = "/run/secretKey";
      services.do-agent.enable = false;
      virtualisation.digitalOcean = {
        seedEntropy = false;
        setSshKeys = false;
        rebuildFromUserData = false;
        setRootPassword = false;
      };
      # uncomment to significantly speed up the test
      services.dovecot2.enableDHE = lib.mkForce false;
      security.acme.defaults.email = lib.mkForce "me@example.org";
      security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only
      networking.nameservers = lib.mkForce [ nodes.ns.networking.primaryIPAddress ];
      security.pki.certificateFiles = [ rootCA.certificatePath ];
    };
  nodes.checker =
    { pkgs, lib, ... }:
    {
      environment.systemPackages = [
        pkgs.wget
        pkgs.python311Packages.imap-tools
        pkgs.python311
        (pkgs.writers.writePython3Bin "mailtest"
          {
            libraries = with pkgs.python3Packages; [
              imap-tools
              requests
            ];
          }
          ''
            # flake8: noqa
            # #!${pkgs.python311}/bin/python
            import sys
            sys.argv.insert(1, "${nodes.liam.networking.primaryIPAddress}")
            #sys.path.append("${pkgs.python311Packages.imap-tools}/lib/python3.11/site-packages")
            #sys.path.append("${pkgs.python311Packages.urllib3}/lib/python3.11/site-packages")
            #sys.path.append("${pkgs.python311Packages.requests}/lib/python3.11/site-packages")
            ${builtins.readFile ./mailtest.py}
          ''
        )
      ];
      networking.nameservers = lib.mkForce (lib.singleton nodes.ns.networking.primaryIPAddress);
    };
  testScript = ''
    start_all()
@@ -213,23 +78,13 @@ in
    liam.wait_for_unit("nginx.service")
    liam.wait_for_open_port(80)
-    liam.copy_from_host("${pkgs.writeText "acme-test" "test"}", "${
+    liam.copy_from_host("${pkgs.writeText "acme-test" "test"}", "${nodes.liam.security.acme.defaults.webroot + "/.well-known/acme-challenge/test"}")
      nodes.liam.security.acme.defaults.webroot + "/.well-known/acme-challenge/test"
    }")
    checker.succeed("wget http://liam.dis8.net/.well-known/acme-challenge/test")
    liam.wait_for_unit("postfix.service")
    liam.wait_for_unit("dovecot2.service")
    relay.wait_for_unit("mailpit.service")
    checks = """
      --submission --mailfrom me@shelvacu.com --rcptto foo@example.com --username shelvacu --expect-mailpit-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025
      --submission --mailfrom me@dis8.net     --rcptto foo@example.com --username shelvacu --expect-mailpit-not-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025
      # julie's emails should NOT get sieve'd like mine
      --rcptto julie@shelvacu.com --username julie --imap-dir INBOX
      --rcptto julie+stuff@shelvacu.com --username julie --imap-dir INBOX
      # test the sieve script is working
      --mailfrom whoever@example.com --rcptto sievetest@shelvacu.com --username shelvacu --imap-dir com.shelvacu
@@ -247,7 +102,6 @@ in
      --mailfrom julie@shelvacu.com --expect-recipient-refused
      --mailfrom @vacu.store --expect-recipient-refused
      --submission --expect-recipient-refused --mailfrom julie@shelvacu.com --username shelvacu
      --submission --expect-recipient-refused --mailfrom fubar@theviolincase.com --username shelvacu
      --submission --expect-recipient-refused --mailfrom fubar@vacu.store --username julie
@@ -258,7 +112,6 @@ in
      --submission --mailfrom foo@vacu.store --rcptto foo@example.com --username shelvacu@shelvacu.com --password shelvacu --expect-sent
      --submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie --password julie --expect-sent
      --submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie@shelvacu.com --password julie --expect-sent
    """
    for check in checks.split("\n"):
      check = check.strip()
@@ -267,4 +120,4 @@ in
      res = checker.succeed("mailtest " + check.strip())
      print(res)
  '';
-}
+}
--- a/tests/mailtest.py
+++ b/tests/mailtest.py
@@ -5,7 +5,6 @@ import time
 import ssl
 import argparse
 import uuid
 import requests
 parser = argparse.ArgumentParser()
 parser.add_argument('host', type = str)
@@ -25,9 +24,6 @@ parser.add_argument('--expect-recipient-refused',
 )
 parser.add_argument('--expect-sent', dest = 'expect', action = 'store_const', const = 'sent')
 parser.add_argument('--expect-imap-error', dest = 'expect', action = 'store_const', const = 'imap_error')
 parser.add_argument('--expect-mailpit-received', dest = 'expect', action = 'store_const', const = 'mailpit_received')
 parser.add_argument('--expect-mailpit-not-received', dest = 'expect', action = 'store_const', const = 'mailpit_not_received')
 parser.add_argument('--mailpit-url')
 args = parser.parse_args()
@@ -45,9 +41,6 @@ if password is None:
 if (username is None or password is None) and (args.submission or args.expect == 'received'):
    assert False, "Bad args"
 if args.expect.startswith("mailpit_") and args.mailpit_url is None:
    assert False, "Bad args"
 msg_magic = str(uuid.uuid4())
 def mk_ctx():
@@ -75,19 +68,6 @@ except smtplib.SMTPRecipientsRefused:
 else:
    assert (not args.expect == 'recipient_refused'), "Server was supposed to reject this message, but it didn't"
 if args.mailpit_url is not None:
    time.sleep(3)
    mails = requests.get(args.mailpit_url + "/api/v1/messages").json()
    found_message = False
    for message_data in mails["messages"]:
        if msg_magic in message_data["Snippet"]:
            found_message = True
            break
    if args.expect == 'mailpit_received':
        assert found_message, "Message not received by mailpit server"
    else:
        assert not found_message, "Message was received by the mailpit server when it wasn't supposed to be"
 if args.expect == 'received' or args.expect == 'imap_error':
    time.sleep(3)
    try:
@@ -113,4 +93,4 @@ if args.expect == 'received' or args.expect == 'imap_error':
    except imaplib.IMAP4.error as e:
        assert args.expect == 'imap_error', f"IMAP error: {e}"
    else:
-        assert not args.expect == 'imap_error', "Expected an IMAP error, but didn't get one"
+        assert not args.expect == 'imap_error', "Expected an IMAP error, but didn't get one"
--- a/tests/test_secrets/liam/main.yaml
+++ b/tests/test_secrets/liam/main.yaml
@@ -1,4 +1,4 @@
-dovecot-passwd: ENC[AES256_GCM,data:Ji41+n/7D90/O/LVM+3FDNACZ6jJPT6QYVIGWLujCheIY8m6vaRmMXzPCTgbK+njDOfIv7O2Sko15U4CYqWXAi3P43Np8GKRcv5+4NE=,iv:o6+tYBHSB3reRIqvFGB39wHk3G1L5VKmkj9Fiinnvnw=,tag:wggoNMvAYyJzkh73C3bMHw==,type:str]
+dovecot-passwd: ENC[AES256_GCM,data:OPlQGFnkklEQvFpQM3jrdHB1p1zM+n76TCCaLmM/DOYlJ6W3+8bGt4i1JJq+FbA05RiX0Yhpv5s=,iv:R47TNT306RVrAPSRpK5TjUoWJF4nXnBvpDpIhwpdxWg=,tag:iKTUIoano0Bcxjkb2VQeuA==,type:str]
 dkim_key: ENC[AES256_GCM,data:nzujLrGttOL38d8mxglUcAQ9EO+sL2Gh75E4Wyt6siviFEpx5ZIpXkaC9XXmD2f6Ax4BHF8FTOB1cX0dLrRYp9gNOV007CsVUWpYf34H/J5bOUo1j+urYtbtA5Idu8FoUC3ENg5Ap4CId7jTtxQ9PlS9vTKQ2T2tIqmvXGE0t0aowUdJJdPfJLN1lMENY+/m9NxwArF06K/75BAX9LaxhNDzUHNwV9PK+htD9M1g0r7McbLtZpPut8tdkzOWGiUHIisPpXSTUk8LjrFY36DNngcXAyiRZtp6WrhINVABRKMVf92dYUQixpf6r7BkCkyRT60rAHz5UbWHI/saYHgXlH2OGK5hyZZ4JueAHU2Y7Hpvbw3UIG9jumdDcRda5W0WycJyGS4a5YZST907eDP4PuZayHOmp288Cuyc+kXOxvuCGjqiuZswokj4Ba4hIUUNJU1Ys4THYrf+j+iX0nKclGS+LXvqQI1cKUE3gBecxE2SW3BNzIOGh/ywO1kg2uZlUPpfGBr+Aupke/nULcGi2HVwX5EV47jpDyoqIEiVCy3OYSeQ2gkocIQ/y74fNMoud4kWmye8bAhprxVUHHes2TBjBb6QxQdmazjhAiCvgSI3p43QlSG2fqtQMcXMiANra1heRHHsOS8GKWk/ti9/k3/0YWycXcawYE8lpg/efpBPWkgWQ+NDUxcJBbWCKbkvA2DEfoSluwcGuxUjWGa27SKaCVX/LNAUDvXcw82F61XsTpoK2i0pme7pIZeF1bfbKyPxDnpWKoLoL2i2HchD1B5AEemr+eKh3kPGqpY3SNfqPFyUYN34Fea/gg/eM1Jw/ORWGNxMwg882a/NQLRzjjseQsPEI0r0o8Xba1KqGP1mMhursrOFVRz9xXG7l5oXhx0+GsscKDnP40CXJBMf6r2tEZobrR8NagV4/Mh4r2+zYw12KwwYZ5drmS1b0ftrLZLSugJopgLaQqYC3OAnmdW1MOkNoQSWv9Y5NaPERpMQ9BJcPcGM3W3+AyEz3zRSlFQFnjZO6kk37dFz1KVbbXkrFTXhDpGw/Z/RCMdzv6eyhPqcSSccisaOxDtlLQXy95G6tOcpJV7u7qu1LzQDehyZnBjasqMQVpCJw1Q9GRxnSBjpVKzN07dEkzXqcZHh67kPR/aoH8jzbfNq5YDQ6nxK0INcSyCzJe4w18JbY5Wq0F5U0OeYwYAwHoIV/nbMdptyyw==,iv:ol3dz4SomkwyN2s4tPWDCJEYdnMuZTvHppUA95Nz3+8=,tag:IlZBYvM8e3COjxZ/dxJT7Q==,type:str]
 dkim_pub: ENC[AES256_GCM,data:tigMKTZ5XiDViSez2WKfUPBkw9OtLKrEBrbp/I3tUk+mu7RR2YIaQEWfTH0EOzPMpDEIJ32pwlqicGQZdTf7WdpELcJZgbxKpWPWgTzjwHasgs38aJh2JIIoIuFwa1YgEuRGtSl7YT47WDhTTGbFFdvaKBlIe7vipgkFSxNX1NKGNgdkkcVczvlVgWKqbp05zzUlav1XEwBhd+3eTgPQFptYyvQbIFasiunrHBT8cbm+CQ/O8q90lUkoVrmQUu3XG6njDMa4pNULUJqsUogCyYgm/aDMdx7AN29daCbgj99g/hjnQrBFajJCzNyG36XrzQdZJGiG0AgG1oWAq98boNFxC5ux4eBDmT946FyxXFNwyZpu1p2naHkBlE01duCBS4PUuQFlw9tsCYOuL+xGR3paBafTcL6X67w=,iv:lXFMxiePwivoyQxuQu+hEHeuU0z85fJk9y7296oJNl8=,tag:0QknKaFPpNHo2v0feR+jAQ==,type:str]
 sops:
@@ -16,8 +16,8 @@ sops:
            T3dqdEJxRmkvSStuK1NmRWJkN1psWWsKuNdc6DHXXEcn63CZv/5lE30MAagPfHO0
            GDOLTLCLDzNvKmd5i9dNuYBrD1JeyotNId6E4w/3oYxCFJ56SsH32Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-28T22:08:15Z"
+    lastmodified: "2024-03-21T22:00:58Z"
-    mac: ENC[AES256_GCM,data:G7ceHgkxOv1xinx2Oc5kWCDs5njnf/uUyHlOddzM8RBZTcBp4RVB6NJb3ERFpHlEBXtO5EXnXm2ggK9cfxH9BKL/4tZeFQDqT9QcwFvtynQbCcOmBi3ffrkt4uXKwOIpVZyT8bz8GYueLq/fu2fIHwjZ7Ll43Gn2Sp6gQuvFSuo=,iv:wg88Qpn5cIIr9tXUkc/WxfMDt/SHbA09CRCCv/FwUVU=,tag:QiG5ERsym5kl2g11LK0onw==,type:str]
+    mac: ENC[AES256_GCM,data:147XZroz5psp5Q5zGz19FZNPFr01wPGM0ivxbNVu9IcuUPw5dhnSaFQTvdYKfZPLSW2dwMJ2sPA5NAxxW0zQTh3d4vjirJ7GVj07Fn+ipL/X+wZKM42HjNSEw9IdAD5OIArZ8XjZcC+AGu7C4wHHf43uOEu7ZbWYx9Kbq+cJGbk=,iv:V9GHCN0NPWaRZOmoWhKA5fHwfKfrdays3ODfiTBrbo8=,tag:JwiHjHEjTDc6XRqtn0Aqwg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/tests/triple-dezert.nix
+++ b/tests/triple-dezert.nix
@@ -1,53 +1,41 @@
-{ pkgs, nodes, ... }:
+{ pkgs, nodes, ... }: {
 {
  name = "trip-megatest";
-  nodes.triple-dezert =
+  nodes.triple-dezert = { lib, config, ... }: let
-    { lib, config, ... }:
+    domains = builtins.attrNames config.security.acme.certs;
-    let
+    disableAcmes = builtins.listToAttrs (
-      domains = builtins.attrNames config.security.acme.certs;
+      map (d: {
-      disableAcmes = builtins.listToAttrs (
+        name = "acme-${d}";
-        map (d: {
+        value = { enable = lib.mkForce false; };
-          name = "acme-${d}";
+      }) domains
-          value = {
+    );
-            enable = lib.mkForce false;
+    reEnableSelfsigned = builtins.listToAttrs (
-          };
+      map (d: {
-        }) domains
+        name = "acme-selfsigned-${d}";
-      );
+        value = { wantedBy = [ "container@frontproxy.service" ]; before = [ "container@frontproxy.service" ]; };
-      reEnableSelfsigned = builtins.listToAttrs (
+      }) domains
-        map (d: {
+    );
-          name = "acme-selfsigned-${d}";
+    unitsToDisable = [
-          value = {
+      "container@vacustore.service"
-            wantedBy = [ "container@frontproxy.service" ];
+      "container@nix-cache-nginx.service"
-            before = [ "container@frontproxy.service" ];
+      "openvpn-awootrip.service"
-          };
+    ];
-        }) domains
+    disableUnits = builtins.listToAttrs (
-      );
+      map (u: {
-      unitsToDisable = [
+        name = u;
-        "container@vacustore.service"
+        value = { enable = lib.mkForce false; };
-        "container@nix-cache-nginx.service"
+      }) unitsToDisable
-        "openvpn-awootrip.service"
+    );
-      ];
+  in {
-      disableUnits = builtins.listToAttrs (
+    imports = [ ../triple-dezert ];
-        map (u: {
+    systemd.services = disableAcmes // reEnableSelfsigned;
-          name = u;
+    systemd.units = disableUnits;
-          value = {
+    #vacu.secretsFolder = ./test_secrets;
-            enable = lib.mkForce false;
+    #sops.age.sshKeyPaths = [ ./test_key ];
-          };
+    boot.zfs.extraPools = lib.mkForce [];
-        }) unitsToDisable
+    security.acme.defaults.email = lib.mkForce "me@example.org";
-      );
+    security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only
-    in
+  };
    {
      imports = [ ../triple-dezert ];
      vacu.underTest = true;
      systemd.services = disableAcmes // reEnableSelfsigned;
      systemd.units = disableUnits;
      #vacu.secretsFolder = ./test_secrets;
      #sops.age.sshKeyPaths = [ ./test_key ];
      boot.zfs.extraPools = lib.mkForce [ ];
      security.acme.defaults.email = lib.mkForce "me@example.org";
      security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only
    };
  # nodes.checker = { pkgs, lib, ... }: {
  #   environment.systemPackages = [
@@ -105,4 +93,4 @@
    triple_dezert.wait_for_open_port(80)
    triple_dezert.succeed("curl -vv http://shelvacu.com/ --resolve shelvacu.com:80:127.0.0.1")
  '';
-}
+}
--- a/triple-dezert/awootrip.nix
+++ b/triple-dezert/awootrip.nix
@@ -1,23 +1,13 @@
-{
+{ config, pkgs, inputs, lib, ... }: 
  config,
  pkgs,
  inputs,
  lib,
  ...
 }:
 let
  prefix = "10.16.237.";
  tripAddr = prefix + "2";
  awooAddr = prefix + "1";
  devName = "at4"; # It was my fourth attempt before it worked...
  tunnelName = "awootrip";
-in
+in {
 {
  systemd.network.netdevs.${devName} = {
-    netdevConfig = {
+    netdevConfig = { Kind = "tun"; Name = devName; };
      Kind = "tun";
      Name = devName;
    };
    enable = true;
  };
--- a/triple-dezert/database.nix
+++ b/triple-dezert/database.nix
@@ -1,62 +1,47 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 with lib;
-let
+let 
  cfg = config.vacu;
  databases = attrValues cfg.databases;
-  authText = flip (concatMapStringsSep "\n") databases (
+  authText = flip (concatMapStringsSep "\n") databases
-    d:
+    (d:
-    if d.authByIp != null then
+      if d.authByIp != null then
-      # host  database  user  address     auth-method  [auth-options]
+        # host  database  user  address     auth-method  [auth-options]
-      ''host "${d.name}" "${d.user}" ${d.authByIp}/32 trust''
+        ''host "${d.name}" "${d.user}" ${d.authByIp}/32 trust''
-    else
+      else
-      # local   database  user  auth-method [auth-options]
+        # local   database  user  auth-method [auth-options]
-      ''local "${d.name}" "${d.user}" peer''
+        ''local "${d.name}" "${d.user}" peer'')
-  );
+  ;
 in
 {
  options.vacu.databases = mkOption {
-    default = { };
+    default = {};
    description = "Databases that should be created and how they should be accessed";
-    type = types.attrsOf (
+    type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
-      types.submodule (
+      options = {
-        {
+        name = mkOption {
-          name,
+          type = types.str;
-          config,
+          default = name;
-          options,
+          description = "name of the database to create";
-          ...
+        };
-        }:
+        user = mkOption {
-        {
+          type = types.str;
-          options = {
+          default = name;
-            name = mkOption {
+          description = "username of the user created to access/own the database";
-              type = types.str;
+        };
-              default = name;
+        authByIp = mkOption {
-              description = "name of the database to create";
+          type = types.nullOr types.str;
-            };
+          default = null;
-            user = mkOption {
+          description = "If set, user is authenticated based on connecting from the given ip address";
-              type = types.str;
+        };
-              default = name;
+        authByUser = mkOption {
-              description = "username of the user created to access/own the database";
+          type = types.bool;
-            };
+          default = false;
-            authByIp = mkOption {
+          description = "If true, user is authenticated based on connecting to the unix socket from a process running as the user";
-              type = types.nullOr types.str;
+        };
-              default = null;
+      };
-              description = "If set, user is authenticated based on connecting from the given ip address";
+    }));
            };
            authByUser = mkOption {
              type = types.bool;
              default = false;
              description = "If true, user is authenticated based on connecting to the unix socket from a process running as the user";
            };
          };
        }
      )
    );
  };
  config = {
@@ -68,9 +53,11 @@ in
    services.postgresql = rec {
      enable = true;
      package = pkgs.postgresql_16;
-      dataDir = "/var/postgres/data/${package.psqlSchema}";
+      dataDir = "/trip/pg/data/${package.psqlSchema}";
      enableJIT = true;
-      initdbArgs = [ "--waldir=/var/postgres/wal/${package.psqlSchema}" ];
+      initdbArgs = [
        "--waldir=/trip/pg/wal/${package.psqlSchema}"
      ];
      ensureUsers = [
        {
          name = "root";
@@ -87,11 +74,6 @@ in
      '';
    };
-    systemd.services.postgresql.postStart =
+    systemd.services.postgresql.postStart = "\n#START stuff from database.nix\n" + (concatMapStringsSep "\n" (d: ''$PSQL -tAc 'ALTER DATABASE "${d.name}" OWNER TO "${d.user}";' '') databases) + "\n#END stuff from database.nix\n";
      "\n#START stuff from database.nix\n"
      + (concatMapStringsSep "\n" (
        d: ''$PSQL -tAc 'ALTER DATABASE "${d.name}" OWNER TO "${d.user}";' ''
      ) databases)
      + "\n#END stuff from database.nix\n";
  };
-}
+}
--- a/triple-dezert/default.nix
+++ b/triple-dezert/default.nix
@@ -1,27 +1,26 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, lib, ... }: {
-{
+  imports =
-  imports = [
+    [
-    ../common/nixos.nix
+      ../common-nixos-config.nix
-    ./hardware-configuration.nix
+      ./hardware-configuration.nix
-    ./awootrip.nix
+      ./awootrip.nix
-    ./frontproxy.nix
+      ./frontproxy.nix
-    # ./kanidm.nix
+      # ./kanidm.nix
-    # ./keycloak.nix
+      # ./keycloak.nix
-    ./database.nix
+      ./database.nix
-    ./vacustore.nix
+      ./vacustore.nix
-    ./nix-cache-nginx.nix
+      ./nix-cache-nginx.nix
-    ./jl-stats.nix
+      ./jl-stats.nix
-    ./static-stuff.nix
+      ./static-stuff.nix
-    #./vms.nix
+      #./vms.nix
-    ./networking.nix
+      ./networking.nix
-    ./emily.nix
+      ./devver-host.nix
-    ./jellyfin.nix
+    ];
-  ];
+
  system.nixos.tags = [ "host-${config.networking.hostName}" ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  #todo: increase boot partition size
  boot.loader.systemd-boot.configurationLimit = 10;
  # The first thing to complain was redis in the vacustore container:
  #
  #   WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
@@ -31,35 +30,17 @@
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-  vacu.hostName = "triple-dezert";
+  networking.hostName = "triple-dezert";
  vacu.shortHostName = "trip";
  vacu.shell.color = "yellow";
  vacu.verifySystem.expectedMac = "b8:ca:3a:68:15:c8";
  services.xserver.enable = false;
-  vacu.packages =
+  environment.systemPackages = with pkgs; [
-    (with pkgs; [
+    zfs
-      zfs
+    smartmontools
-      smartmontools
+    openvpn
-      openvpn
+    nvme-cli
-      nvme-cli
+    tshark
-      tshark
+    postgresql_16
    ])
    ++ [
      config.services.postgresql.package
      (pkgs.writeScriptBin "into-nix-cache" ''
              if [[ $UID -ne 0 ]]; then exec sudo $0 "$@";fi
              ${pkgs.nix}/bin/nix copy \
                --no-update-lock-file \
        	--no-write-lock-file \
                --to 'file:///trip/nix-binary-cache?parallel-compression=true&secret-key=/root/cache-priv-key.pem&want-mass-query=true&write-nar-listing=true' \
        	"$@"
      '')
    ];
  hardware.opengl.extraPackages = [
    pkgs.intel-compute-runtime
    pkgs.ocl-icd
  ];
  services.openssh = {
@@ -68,6 +49,14 @@
    ports = [ 6922 ];
  };
  system.copySystemConfiguration = false;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
@@ -79,3 +68,4 @@
  networking.hostId = "c871875e";
  hardware.enableAllFirmware = true;
 }
--- a/triple-dezert/devver-host.nix
+++ b/triple-dezert/devver-host.nix
@@ -0,0 +1,140 @@
 { pkgs, lib, config, inputs, ... }: let
  qemu-pkg = pkgs.qemu_kvm;
  #rootPath = "/trip/devver-vm/root";
  bootPath = "/trip/devver-vm/boot";
  installer = inputs.self.nixosConfigurations.shel-installer;
  installerIsoDeriv = installer.config.system.build.isoImage;
  installerIsoPath = "${installerIsoDeriv}/iso/${installerIsoDeriv.name}";
  bootInstaller = false;
  tapdev = "qemu-devver";
  tapdev-int = "qemu-devver-int";
  commonArgs = [
    "${qemu-pkg}/bin/qemu-kvm"
    "-name" "devver"
    # https://www.qemu.org/docs/master/system/i386/microvm.html
    # "microvm" is basically no-batteries-included, and should allow including only the things we need
    "-machine" "microvm,accel=kvm,dump-guest-core=off,mem-merge=off,acpi=on,pcie=on,pic=off,pit=off,usb=off"
    "-m" "8G"
    "-smp" "12"
    "-nodefaults"
    "-no-user-config"
    "-chardev" "stdio,id=stdio,signal=off"
    "-serial" "chardev:stdio"
    "-monitor" "none"
    "-device" "virtio-rng-pci"
    "-enable-kvm"
    "-cpu" "host,-sgx"
    "-usb"
    "-device" "usb-kbd"
    "-nographic"
    # do I need/want QMP here?
    "-device" "virtio-balloon"
    "-object" "memory-backend-memfd,id=mem,size=8G,share=off"
    "-numa" "node,memdev=mem"
    # I don't understand, the docs for "-drive" says it's a shortcut for -blockdev and -device, but all the real-world code has -drive and -device
    #"-drive" "file=/trip/devver-vm/disk-image/root.img,discard=unmap,if=none,format=raw,cache=none,id=root-disk"
    "-blockdev" "driver=raw,node-name=root-disk,file.driver=file,file.filename=/trip/devver-vm/disk-image/root.img,discard=unmap,cache.direct=on"
    "-device" "virtio-blk-device,drive=root-disk,write-cache=off"
    "-fsdev" "local,id=fs0,path=${bootPath},security_model=mapped-xattr,fmode=0600,dmode=0700"
    "-device" "virtio-9p-pci,fsdev=fs0,mount_tag=boot"
    "-netdev" "tap,id=vm-devver,ifname=${tapdev},script=no,downscript=no"
    #Why 34? No idea! Best hint I could find is in the mailing list about the serial driver: https://lists.nongnu.org/archive/html/qemu-devel/2013-01/msg05952.html
    "-device" "virtio-net-pci,netdev=vm-devver,mac=02:19:07:A2:15:72,romfile=,mq=on,vectors=34"
    "-netdev" "tap,id=vm-devver2,ifname=${tapdev-int},script=no,downscript=no"
    "-device" "virtio-net-pci,netdev=vm-devver2,romfile=,mq=on,vectors=34"
  ];
  installerArgs = [
    # "-boot" "once=d"
    # "-cdrom" "${installerIsoPath}"
    "-drive" "if=virtio,media=cdrom,driver=raw,node-name=disk,file.driver=file,file.filename=${installerIsoPath},file.locking=off,read-only=on"
    "-kernel" "${installer.config.system.build.kernel}/${installer.config.system.boot.loader.kernelFile}"
    "-initrd" "${installer.config.system.build.initialRamdisk}/${installer.config.system.boot.loader.initrdFile}"
    "-append" "${lib.concatStringsSep " " installer.config.boot.kernelParams} init=${installer.config.system.build.toplevel}/init earlyprintk=ttyS0 console=ttyS0 debug"
  ];
  mainArgs = [
    "-kernel" "${bootPath}/kernel"
    "-initrd" "${bootPath}/initrd"
    "-append" "earlyprintk=ttyS0 console=ttyS0"
  ];
  runScript = ''
    set -ev
    declare -a args
    if [ "x$1" == "x--installer" ]; then
      args=(${lib.escapeShellArgs (commonArgs ++ installerArgs)})
    else
      args=(${lib.escapeShellArgs (commonArgs ++ mainArgs)}" $(cat ${bootPath}/kernel-params)")
    fi
    d=`mktemp -d --tmpdir qemu-devver-XXXXXXXXX`
    cd $d
    "''${args[@]}"
  '';
 in {
  users.groups.devver = {};
  users.users.devver = {
    isSystemUser = true;
    group = config.users.groups.devver.name;
  };
  environment.systemPackages = [(pkgs.writeScriptBin "run-devver" runScript) qemu-pkg];
  systemd.network.netdevs.${tapdev} = {
    netdevConfig = {
      Kind = "tap";
      Name = tapdev;
    };
    tapConfig = {
      User = config.users.users.devver.name;
      Group = config.users.groups.devver.name;
      PacketInfo = true;
      # KeepCarrier = true;
    };
  };
  systemd.network.netdevs.${tapdev-int} = {
    netdevConfig = {
      Kind = "tap";
      Name = tapdev-int;
    };
    tapConfig = {
      User = config.users.users.devver.name;
      Group = config.users.groups.devver.name;
      PacketInfo = true;
      # KeepCarrier = true;
    };
  };
  systemd.network.networks."02-vm-devver".extraConfig = ''
    Bridge = ${config.vacu.network.lan_bridge}
    [Match]
    Name = ${tapdev}
    [Link]
    RequiredForOnline = no
  '';
  systemd.network.networks."02-vm-devver-int".extraConfig = ''
    Address = 10.110.171.204/31
    DHCP = no
    DNS = no
    LLDP = no
    [Match]
    Name = ${tapdev-int}
    [Link]
    RequiredForOnline = no
  '';
  # networking.firewall.extraCommands = ''
  #   if ! (iptables -t nat -n --list devver-prerouting > /dev/null 2>&1); then
  #     iptables -t nat -N devver-prerouting
  #   fi
  #   iptables -t nat -F devver-prerouting
  #   iptables -t nat -A devver-prerouting -p tcp -m tcp --dport 5022 -j DNAT --to-destination 10.78.79.10
  #   iptables -t nat -I PREROUTING 1 -j devver-prerouting
  # '';
  # networking.firewall.extraStopCommands = ''
  #   iptables -t nat -D PREROUTING -j devver-prerouting || true
  # '';
 }
--- a/triple-dezert/emily.nix
+++ b/triple-dezert/emily.nix
@@ -1,49 +0,0 @@
 { config, ... }:
 let
  sshPort = 32767;
  container = config.containers.emily;
 in
 {
  networking.firewall.allowedTCPPorts = [ sshPort ];
  networking.nat.forwardPorts = [
    {
      destination = container.localAddress;
      proto = "tcp";
      sourcePort = sshPort;
    }
  ];
  containers.emily = {
    privateNetwork = true;
    hostAddress = "192.168.100.20";
    localAddress = "192.168.100.21";
    autoStart = true;
    ephemeral = false;
    bindMounts."/emdata" = {
      hostPath = "/trip/ncdata/data/melamona/files";
      isReadOnly = false;
    };
    config =
      { config, ... }:
      {
        system.stateVersion = "24.05";
        services.openssh.enable = true;
        services.openssh.ports = [ sshPort ];
        services.openssh.openFirewall = true;
        users.groups.emily.gid = 999;
        users.users.emily = {
          isNormalUser = true;
          isSystemUser = false;
          hashedPassword = "$y$j9T$gP2phgJ9iSH.tWROn/T2C1$dwifP4R4SY4Fyd6W4vZ7tMDFhZB7Cfji9QvporeKUXB";
          group = "emily";
        };
        users.mutableUsers = false;
        users.allowNoPasswordLogin = true;
      };
  };
 }
--- a/triple-dezert/frontproxy.nix
+++ b/triple-dezert/frontproxy.nix
@@ -1,10 +1,4 @@
-{
+{ config, pkgs, inputs, lib, ... }:
  config,
  pkgs,
  inputs,
  lib,
  ...
 }:
 let
  # How to register a new domain in acme-dns before deploying the nix config:
  # From trip:
@@ -16,10 +10,8 @@ let
    "vacu.store"
    "jean-luc.org"
    "pwrhs.win"
    "jf.finaltask.xyz"
  ];
-in
+in {
 {
  security.acme.acceptTerms = true;
  security.acme.defaults = {
    email = "nix-acme@shelvacu.com";
@@ -31,14 +23,7 @@ in
    postRun = "${pkgs.nixos-container}/bin/nixos-container run frontproxy -- systemctl reload haproxy";
  };
-  security.acme.certs = builtins.listToAttrs (
+  security.acme.certs = builtins.listToAttrs (map (d: { name = d; value = { extraDomainNames = ["*.${d}"]; }; }) domains);
    map (d: {
      name = d;
      value = {
        extraDomainNames = [ "*.${d}" ];
      };
    }) domains
  );
  users.groups.acme.gid = 993;
@@ -47,61 +32,46 @@ in
    after = [ "network-online.target" ];
  };
-  networking.firewall.allowedTCPPorts = [
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
    80
    443
  ];
  networking.firewall.allowedUDPPorts = [ 443 ]; # quic!
-
+    
-  containers.frontproxy =
+  containers.frontproxy = let outer_config = config; in {
    autoStart = true;
    restartIfChanged = true;
    ephemeral = true;
    bindMounts = builtins.listToAttrs (map (d: { name = "/certs/${d}"; value = {
      hostPath = outer_config.security.acme.certs.${d}.directory;
      isReadOnly = true;
    }; }) domains);
    config = { config, pkgs, ... }:
    let
-      outer_config = config;
+      haproxySrc = pkgs.runCommand "extract-haproxy" {} ''
-    in
+        cd `mktemp -d`
-    {
+        tar -xf ${config.services.haproxy.package.src}
-      autoStart = true;
+        mv * $out
-      restartIfChanged = true;
+      '';
-      ephemeral = true;
+    in {
-      bindMounts = builtins.listToAttrs (
+      system.stateVersion = "23.11";
-        map (d: {
+      users.groups.acme.gid = outer_config.users.groups.acme.gid;
-          name = "/certs/${d}";
+      users.users.haproxy.extraGroups = [ config.users.groups.acme.name ];
-          value = {
+      services.haproxy.enable = true;
-            hostPath = outer_config.security.acme.certs.${d}.directory;
+      services.haproxy.config = ''
-            isReadOnly = true;
+        # # ssl keylogging
-          };
+        # global
-        }) domains
+        #   tune.ssl.keylog on
-      );
+        #   lua-load ${ pkgs.writeText "sslkeylog.lua" (builtins.readFile ./sslkeylog.lua) }
      config =
        { config, pkgs, ... }:
        let
          haproxySrc = pkgs.runCommand "extract-haproxy" { } ''
            cd `mktemp -d`
            tar -xf ${config.services.haproxy.package.src}
            mv * $out
          '';
        in
        {
          system.stateVersion = "23.11";
          users.groups.acme.gid = outer_config.users.groups.acme.gid;
          users.users.haproxy.extraGroups = [ config.users.groups.acme.name ];
          services.haproxy.enable = true;
          services.haproxy.config = ''
            # # ssl keylogging
            # global
            #   tune.ssl.keylog on
            #   lua-load ${pkgs.writeText "sslkeylog.lua" (builtins.readFile ./sslkeylog.lua)}
-            # haproxy-config.cfg
+        # haproxy-config.cfg
-            ${builtins.readFile ./haproxy-config.cfg}
+        ${builtins.readFile ./haproxy-config.cfg}
-          '';
+      '';
-          networking.hosts = {
+      networking.hosts = {
-            "${outer_config.containers.vacustore.localAddress}" = [ "vacustore" ];
+        "${outer_config.containers.vacustore.localAddress}" = [ "vacustore" ];
-            "127.4.20.165" = [ "kani" ];
+        "127.4.20.165" = [ "kani" ];
-            # "${outer_config.containers.keycloak.localAddress}" = [ "keycloak" ];
+        # "${outer_config.containers.keycloak.localAddress}" = [ "keycloak" ];
-            "${outer_config.containers.nix-cache-nginx.localAddress}" = [ "nix-cache" ];
+        "${outer_config.containers.nix-cache-nginx.localAddress}" = [ "nix-cache" ];
-            "${outer_config.containers.jl-stats.localAddress}" = [ "jl_stats" ];
+        "${outer_config.containers.jl-stats.localAddress}" = [ "jl_stats" ];
-            "${outer_config.containers.static-stuff.localAddress}" = [ "static_stuff" ];
+        "${outer_config.containers.static-stuff.localAddress}" = [ "static_stuff" ];
-            "${outer_config.containers.jellyfin.localAddress}" = [ "jellyfin" ];
+      };
          };
        };
    };
  };
 }
--- a/triple-dezert/haproxy-config.cfg
+++ b/triple-dezert/haproxy-config.cfg
@@ -13,8 +13,8 @@ global
 defaults
  # https://world.hey.com/goekesmi/haproxy-chrome-tcp-preconnect-and-error-408-a-post-preserved-from-the-past-2497d1f7
-  timeout server 3s
+  timeout server 302s
-  timeout client 3s
+  timeout client 302s
  timeout connect 10s
  option http-ignore-probes
@@ -25,7 +25,7 @@ defaults
 frontend main
  bind :80
-  bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem crt /certs/jf.finaltask.xyz/full.pem
+  bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem
  mode http
@@ -36,13 +36,12 @@ frontend main
  # Check whether the client is attempting domain fronting.
  acl ssl_sni_http_host_match ssl_fc_sni,strcmp(req.host) eq 0
  acl host_vacustore var(req.host) -m str "vacu.store"
  # acl host_auth var(req.host) -m str "auth.shelvacu.com"
-  acl host_vacustore       var(req.host) -m str "vacu.store"
+  acl host_cache var(req.host) -m str "nixcache.shelvacu.com"
-  acl host_cache           var(req.host) -m str "nixcache.shelvacu.com"
+  acl host_stats_jl var(req.host) -m str "stats.jean-luc.org"
-  acl host_stats_jl        var(req.host) -m str "stats.jean-luc.org"
+  acl host_tulpaudcast_jl var(req.host) -m str "tulpaudcast.jean-luc.org"
-  acl host_tulpaudcast_jl  var(req.host) -m str "tulpaudcast.jean-luc.org"
+  acl host_habitat_pwrhs var(req.host) -m str "habitat.pwrhs.win"
  acl host_habitat_pwrhs   var(req.host) -m str "habitat.pwrhs.win"
  acl host_jellyfin        var(req.host) -m str "jf.finaltask.xyz"
  http-after-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }
@@ -65,7 +64,6 @@ frontend main
  http-request allow if host_stats_jl
  http-request allow if host_tulpaudcast_jl
  http-request allow if host_habitat_pwrhs
  http-request allow if host_jellyfin
  http-request return status 404 string "not found" content-type text/plain
  use_backend vacustore if host_vacustore
@@ -74,7 +72,6 @@ frontend main
  use_backend jl_stats if host_stats_jl
  use_backend static_stuff if host_tulpaudcast_jl
  use_backend habitat if host_habitat_pwrhs
  use_backend jellyfin if host_jellyfin
 backend vacustore
  mode http
@@ -86,11 +83,6 @@ backend kani
  option forwardfor
  server main kani:8443 check maxconn 500 ssl verify none ssl-reuse
 backend jellyfin
  mode http
  option forwardfor
  server main jellyfin:8096 check maxconn 100 proto h1
 # backend keycloak
 #   mode http
 #   option forwardfor
--- a/triple-dezert/hardware-configuration.nix
+++ b/triple-dezert/hardware-configuration.nix
@@ -1,36 +1,24 @@
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "nvme" "usb_storage" "usbhid" "sd_mod" ];
    "ehci_pci"
    "ahci"
    "mpt3sas"
    "nvme"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/a4d6a30b-a8b1-460c-9f90-554e61b112fe";
+    { device = "/dev/disk/by-uuid/a4d6a30b-a8b1-460c-9f90-554e61b112fe";
-    fsType = "f2fs";
+      fsType = "f2fs";
-  };
+    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/4F4C-7557";
+    { device = "/dev/disk/by-uuid/4F4C-7557";
-    fsType = "vfat";
+      fsType = "vfat";
-  };
+    };
  swapDevices = [ ];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
--- a/triple-dezert/jellyfin.nix
+++ b/triple-dezert/jellyfin.nix
@@ -1,46 +0,0 @@
 { config, pkgs, ... }:
 let
  name = "jellyfin";
  contain = config.containers.${name};
 in
 {
  systemd.tmpfiles.settings.${name}."/trip/${name}".d = {
    mode = "0755";
  };
  containers.${name} = {
    privateNetwork = true;
    hostAddress = "192.168.100.22";
    localAddress = "192.168.100.23";
    autoStart = true;
    ephemeral = true;
    restartIfChanged = true;
    bindMounts."/${name}" = {
      hostPath = "/trip/${name}";
      isReadOnly = false;
    };
    config =
      { pkgs, ... }:
      {
        system.stateVersion = "24.05";
        networking.useHostResolvConf = false;
        networking.nameservers = [ "10.78.79.1" ];
        networking.firewall.enable = false;
        services.jellyfin = {
          enable = true;
          dataDir = "/${name}";
        };
        environment.systemPackages = with pkgs; [
          jellyfin
          jellyfin-web
          jellyfin-ffmpeg
        ];
      };
  };
 }
--- a/triple-dezert/jl-stats.nix
+++ b/triple-dezert/jl-stats.nix
@@ -1,19 +1,31 @@
-{
+{ config, pkgs, inputs, lib, ... }: 
  config,
  pkgs,
  inputs,
  lib,
  ...
 }:
 let
-  name = "jl-stats";
+name = "jl-stats";
-  contain = config.containers.${name};
+contain = config.containers.${name}; 
-  pg = config.services.postgresql.package;
+most-winningest = pkgs.callPackage ({
-  most-winningest = inputs.most-winningest.packages."${config.nixpkgs.system}".default.override {
+  rustPlatform,
-    postgresql = pg;
+  fetchFromGitHub,
  pkg-config,
  openssl,
  postgresql,
 }: rustPlatform.buildRustPackage rec {
  pname = "most-winningest";
  version = "69.420";
  nativeBuildInputs = [ pkg-config ];
  buildInputs = [ openssl postgresql ];
  src = fetchFromGitHub {
    owner = "captain-jean-luc";
    repo = pname;
    rev = "d203ae1b8dd450b281bc1b4bb2ae7518a5665352";
    hash = "sha256-RDVIu4zU4BvsJ1Ek7SwlpvA7H48TlPTzTCvUk+9hZ74=";
  };
-in
+
-{
+  cargoHash = "sha256-5Wbx/RBqtDmJUKdLXttryMuJfpkUJwRGTFYP3UFEPT0=";
 }) {};
 in {
  vacu.databases.${name}.authByIp = contain.localAddress;
  networking.firewall.extraCommands = ''
@@ -40,51 +52,40 @@ in
      isReadOnly = false;
    };
-    config =
+    config = { pkgs, ... }: {
-      { pkgs, ... }:
+      system.stateVersion = "23.11";
      {
        system.stateVersion = "23.11";
-        networking.useHostResolvConf = false;
+      networking.useHostResolvConf = false;
-        networking.nameservers = [ "10.78.79.1" ];
+      networking.nameservers = [ "10.78.79.1" ];
-        networking.firewall.enable = false;
+      networking.firewall.enable = false;
-        systemd.tmpfiles.settings.${name}."/${name}/generated".d = {
+      systemd.tmpfiles.settings.${name}."/${name}/generated".d = {
-          mode = "0755";
+        mode = "0755";
        };
        services.nginx.enable = true;
        services.nginx.virtualHosts."stats.jean-luc.org" = {
          default = true;
          root = "/${name}/generated";
        };
        systemd.services.most-winningest = {
          environment = {
            DATABASE_URL = "postgres://${name}@${contain.hostAddress}/${name}";
          };
          script = ''
            cd ${most-winningest.src}
            ${
              pkgs.diesel-cli.override {
                sqliteSupport = false;
                mysqlSupport = false;
              }
            }/bin/diesel migration run --locked-schema
            cd /${name}
            ${most-winningest}/bin/${most-winningest.pname}
          '';
        };
        systemd.timers.most-winningest = {
          wantedBy = [ "multi-user.target" ];
          timerConfig.OnBootSec = "5m";
          timerConfig.OnUnitInactiveSec = "1h";
        };
        environment.systemPackages = [
          pg # provides psql binary, helpful for debugging
        ];
      };
      services.nginx.enable = true;
      services.nginx.virtualHosts."stats.jean-luc.org" = {
        default = true;
        root = "/${name}/generated";
      };
      systemd.services.most-winningest = {
        environment = {
          DATABASE_URL = "postgres://${name}@${contain.hostAddress}/${name}"; 
        };
        script = ''
          cd ${most-winningest.src}
          ${pkgs.diesel-cli.override { sqliteSupport = false; mysqlSupport = false; }}/bin/diesel migration run --locked-schema
          cd /${name}
          ${most-winningest}/bin/${most-winningest.pname}
        '';
      };
      systemd.timers.most-winningest = {
        wantedBy = [ "multi-user.target" ];
        timerConfig.OnBootSec = "5m";
        timerConfig.OnUnitInactiveSec = "1h";
      };
    };
  };
-}
+}
--- a/triple-dezert/kanidm.nix
+++ b/triple-dezert/kanidm.nix
@@ -1,60 +1,51 @@
-{
+{ config, pkgs, inputs, lib, ... }: {
-  config,
+  networking.firewall.allowedTCPPorts = [ 636 ];
-  pkgs,
+
-  inputs,
+  services.postgresql = {
-  lib,
+    ensureUsers = [
-  ...
+      {
-}:
+        name = "kanidm";
-{
+        ensureDBOwnership = true;
-  networking.firewall.allowedTCPPorts = [ 636 ];
+      }
-
+    ];
-  services.postgresql = {
+    ensureDatabases = [
-    ensureUsers = [
+      "kanidm"
-      {
+    ];
-        name = "kanidm";
+  };
-        ensureDBOwnership = true;
+
-      }
+  environment.systemPackages = [ config.services.kanidm.package ]; # adds the binary to the PATH
-    ];
+
-    ensureDatabases = [ "kanidm" ];
+  systemd.mounts = [
-  };
+    {
-
+      what = "/trip/sqlites/kani";
-  environment.systemPackages = [ config.services.kanidm.package ]; # adds the binary to the PATH
+      where = builtins.dirOf config.services.kanidm.serverSettings.db_path;
-
+      type = "none";
-  systemd.mounts = [
+      options = "bind";
-    {
+    }
-      what = "/trip/sqlites/kani";
+  ];
-      where = builtins.dirOf config.services.kanidm.serverSettings.db_path;
+
-      type = "none";
+  users.users.kanidm.extraGroups = [ "acme" ];
-      options = "bind";
+
-    }
+  services.kanidm = let tls_dir = config.security.acme.certs."shelvacu.com".directory; in rec {
-  ];
+    package = inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.kanidm;
-
+    enableServer = true;
-  users.users.kanidm.extraGroups = [ "acme" ];
+    serverSettings = {
-
+      domain = "id.shelvacu.com";
-  services.kanidm =
+      origin = "https://id.shelvacu.com";
-    let
+      # db_path = "/trip/sqlites/kani/kani.sqlite";
-      tls_dir = config.security.acme.certs."shelvacu.com".directory;
+      db_fs_type = "zfs";
-    in
+      bindaddress = "127.4.20.165:8443";
-    rec {
+      ldapbindaddress = "[::]:636";
-      package = inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.kanidm;
+      trust_x_forward_for = true;
-      enableServer = true;
+      tls_chain = tls_dir + "/fullchain.pem";
-      serverSettings = {
+      tls_key = tls_dir + "/key.pem";
-        domain = "id.shelvacu.com";
+    };
-        origin = "https://id.shelvacu.com";
+
-        # db_path = "/trip/sqlites/kani/kani.sqlite";
+    enableClient = true;
-        db_fs_type = "zfs";
+    clientSettings = {
-        bindaddress = "127.4.20.165:8443";
+      uri = serverSettings.origin;
-        ldapbindaddress = "[::]:636";
+      verify_ca = true;
-        trust_x_forward_for = true;
+      verify_hostnames = true;
-        tls_chain = tls_dir + "/fullchain.pem";
+    };
-        tls_key = tls_dir + "/key.pem";
+  };
-      };
+}
      enableClient = true;
      clientSettings = {
        uri = serverSettings.origin;
        verify_ca = true;
        verify_hostnames = true;
      };
    };
 }
--- a/triple-dezert/keycloak.nix
+++ b/triple-dezert/keycloak.nix
@@ -1,13 +1,5 @@
-{
+{ config, pkgs, inputs, lib, ... }: 
-  config,
+let contain = config.containers.keycloak; in
  pkgs,
  inputs,
  lib,
  ...
 }:
 let
  contain = config.containers.keycloak;
 in
 {
  vacu.databases.keycloak.authByIp = contain.localAddress;
@@ -27,43 +19,33 @@ in
    ephemeral = false;
    restartIfChanged = true;
-    config =
+    config = let outer_config = config; in { config, pkgs, lib, ... }: {
-      let
+      system.stateVersion = "23.11";
-        outer_config = config;
+      networking.firewall.enable = false;
      in
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        system.stateVersion = "23.11";
        networking.firewall.enable = false;
-        #debugging
+      #debugging
-        environment.systemPackages = [ pkgs.inetutils ];
+      environment.systemPackages = [ pkgs.inetutils ];
-        services.keycloak = {
+      services.keycloak = {
-          enable = true;
+        enable = true;
-          database.type = "postgresql";
+        database.type = "postgresql";
-          # most people would call this setting "bind address", keycloak is just dumb
+        # most people would call this setting "bind address", keycloak is just dumb
-          settings.http-host = contain.localAddress;
+        settings.http-host = contain.localAddress;
-          settings.http-port = 80;
+        settings.http-port = 80;
-          settings.proxy = "edge";
+        settings.proxy = "edge";
-          #todo: investigate any plugins i might want
+        #todo: investigate any plugins i might want
-          settings.hostname-strict-backchannel = false;
+        settings.hostname-strict-backchannel = false;
-          settings.hostname = "auth.shelvacu.com";
+        settings.hostname = "auth.shelvacu.com";
-
+        
-          database.username = "keycloak";
+        database.username = "keycloak";
-          database.passwordFile = "/dev/null";
+        database.passwordFile = "/dev/null";
-          database.name = "keycloak";
+        database.name = "keycloak";
-          database.host = contain.hostAddress;
+        database.host = contain.hostAddress;
-          database.useSSL = false;
+        database.useSSL = false;
-          database.createLocally = false;
+        database.createLocally = false;
-          # database.createLocally = true;
+        # database.createLocally = true;
        };
      };
    };
  };
 }
--- a/triple-dezert/networking.nix
+++ b/triple-dezert/networking.nix
@@ -1,10 +1,8 @@
 # Partially based on https://astro.github.io/microvm.nix/simple-network.html
-{ config, lib, ... }:
+{ config, lib, ... }: let
 let
  bridge = config.vacu.network.lan_bridge;
  lan_port = "eno1";
-in
+in {
 {
  options = {
    vacu.network.lan_bridge = lib.mkOption {
      type = lib.types.str;
@@ -54,9 +52,9 @@ in
    networking.nat = {
      enable = true;
-      internalInterfaces = [ "ve-+" ];
+      internalInterfaces = ["ve-+"];
      externalInterface = bridge;
      enableIPv6 = false;
    };
  };
-}
+}
--- a/triple-dezert/nix-cache-nginx.nix
+++ b/triple-dezert/nix-cache-nginx.nix
@@ -2,8 +2,7 @@
 #
 # to build&copy to binary cache:
 #   nix copy --to 'file:///trip/nix-binary-cache?parallel-compression=true&secret-key=/root/cache-priv-key.pem&want-mass-query=true&write-nar-listing=true' .#nixosConfigurations."compute-deck".config.system.build.toplevel
-{ config, lib, ... }:
+{ config, ... }: {
 {
  containers.nix-cache-nginx = {
    privateNetwork = true;
    hostAddress = "192.168.100.12";
@@ -16,27 +15,16 @@
      hostPath = "/trip/nix-binary-cache";
      isReadOnly = true;
    };
-
+    
-    config =
+    config = let outer_config = config; in { config, pkgs, lib, ... }: {
-      let
+      system.stateVersion = "23.11";
-        outer_config = config;
+      networking.firewall.enable = false;
-      in
+      services.nginx.enable = true;
-      {
+      services.nginx.virtualHosts.binary-cache = {
-        config,
+        root = "/www/";
-        pkgs,
+        listenAddresses = [ outer_config.containers.nix-cache-nginx.localAddress ];
-        lib,
+        default = true;
        ...
      }:
      {
        system.stateVersion = "23.11";
        networking.firewall.enable = false;
        services.nginx.enable = true;
        services.nginx.virtualHosts.binary-cache = {
          root = "/www/";
          listenAddresses = [ outer_config.containers.nix-cache-nginx.localAddress ];
          default = true;
        };
      };
    };
  };
-  vacu.nix.caches.nixcache-shelvacu.url = lib.mkForce "file:///trip/nix-binary-cache";
+}
 }
--- a/triple-dezert/static-stuff.nix
+++ b/triple-dezert/static-stuff.nix
@@ -1,14 +1,7 @@
-{
+{ config, pkgs, inputs, lib, ... }: 
  config,
  pkgs,
  inputs,
  lib,
  ...
 }:
 let
-  contain = config.containers.keycloak;
+contain = config.containers.keycloak; 
-in
+in {
 {
  systemd.tmpfiles.settings.asdf."/trip/static-stuff".d = {
    mode = "0744";
  };
@@ -26,14 +19,12 @@ in
      isReadOnly = true;
    };
-    config =
+    config = { pkgs, ... }: {
-      { pkgs, ... }:
+      system.stateVersion = "23.11";
-      {
+      networking.firewall.enable = false;
        system.stateVersion = "23.11";
        networking.firewall.enable = false;
-        services.nginx.enable = true;
+      services.nginx.enable = true;
-        services.nginx.virtualHosts."tulpaudcast.jean-luc.org".root = "/static-stuff/tulpaudcast.jean-luc.org";
+      services.nginx.virtualHosts."tulpaudcast.jean-luc.org".root = "/static-stuff/tulpaudcast.jean-luc.org";
-      };
+    };
  };
-}
+}
--- a/triple-dezert/vacustore.nix
+++ b/triple-dezert/vacustore.nix
@@ -1,5 +1,4 @@
-{ config, ... }:
+{ config, ... }: {
 {
  vacu.databases.nextcloud = {
    user = "ncadmin";
    authByIp = config.containers.vacustore.localAddress;
@@ -25,113 +24,100 @@
      isReadOnly = false;
    };
-    config =
+    config = let outer_config = config; in { config, pkgs, lib, ... }: {
-      let
+      system.stateVersion = "22.05";
        outer_config = config;
      in
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        system.stateVersion = "22.05";
-        networking.firewall.enable = false;
+      networking.firewall.enable = false;
-        networking.useHostResolvConf = lib.mkForce false;
+      networking.useHostResolvConf = lib.mkForce false;
-        services.resolved.enable = true;
+      services.resolved.enable = true;
-        services.nginx.virtualHosts."vacu.store".extraConfig = ''
+      systemd.services.nextcloud-setup.after = [ "network-online.target" ];
          client_body_timeout 5m;
        '';
-        environment.systemPackages = [ config.services.nextcloud.package ]; # make occ command available without having to dig for it
+      services.nginx.virtualHosts."vacu.store".extraConfig = ''
        client_body_timeout 5m;
      '';
-        services.nextcloud = {
+      environment.systemPackages = [ config.services.nextcloud.package ]; # make occ command available without having to dig for it
          enable = true;
          package = pkgs.nextcloud29;
          configureRedis = true;
          hostName = "vacu.store";
          datadir = "/ncdata";
          https = true;
          maxUploadSize = "1000G";
          database.createLocally = false;
-          extraApps = {
+      services.nextcloud = {
-            inherit (config.services.nextcloud.package.packages.apps)
+        enable = true;
-              calendar
+        package = pkgs.nextcloud28;
-              notes
+        configureRedis = true;
-              tasks
+        hostName = "vacu.store";
-              contacts
+        datadir = "/ncdata";
-              ;
+        logLevel = 1;
-            # appointments = pkgs.fetchNextcloudApp {
+        https = true;
-            #   appName = "appointments";
+        maxUploadSize = "1000G";
-            #   url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
+        database.createLocally = false;
-            #   sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
+
-            #   appVersion = "2.1.4";
+        extraApps = {
-            #   license = "gpl3";
+          inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts;
-            # };
+	  appointments = pkgs.fetchNextcloudApp {
-            gpoddersync = pkgs.fetchNextcloudApp {
+            appName = "appointments";
-              appName = "gpoddersync";
+	    url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
-              url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.9.0/gpoddersync.tar.gz";
+	    sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
-              sha256 = "sha256-wLiM8kv+HinOoAebarQ9MwuxqUpVeF0zS2RVYpAoYMI=";
+	    appVersion = "2.1.4";
-              appVersion = "3.9.0";
+	    license = "agpl3";
-              license = "gpl3";
+	  };
-            };
+          gpoddersync = pkgs.fetchNextcloudApp {
-            webapppassword = pkgs.fetchNextcloudApp {
+            appName = "gpoddersync";
-              appName = "webapppassword";
+            url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.8.2/gpoddersync.tar.gz";
-              url = "https://github.com/digital-blueprint/webapppassword/releases/download/v24.6.0/webapppassword.tar.gz";
+            sha256 = "sha256-eeBvRZUDVIaym0ngfPD2d7aY3SI/7lPWkrYPnqSh5Kw=";
-              sha256 = "sha256-x9uARo/VtkFLabif2/GZhs4cG6qmhAJs93dzhFFmhB0=";
+            appVersion = "3.8.2";
-              appVersion = "24.6.0";
+            license = "agpl3";
              license = "gpl3";
            };
            # oidc_login = pkgs.fetchNextcloudApp {
            #   appName = "oidc_login";
            #   url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz";
            #   sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI=";
            #   appVersion = "3.0.2";
            #   license = "gpl3";
            # };
            # sociallogin = pkgs.fetchNextcloudApp {
            #   appName = "sociallogin";
            #   url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.6.3/release.tar.gz";
            #   sha256 = "sha256-XHHD87InU9P5uq9zCJnFliHhWh5tpSpSnMMOfNgJKRw=";
            #   appVersion = "5.6.3";
            #   license = "gpl3";
            # };
          };
-
+          webapppassword = pkgs.fetchNextcloudApp {
-          phpOptions."opcache.interned_strings_buffer" = "32";
+            appName = "webapppassword";
-
+            url = "https://github.com/digital-blueprint/webapppassword/releases/download/v23.12.0/webapppassword.tar.gz";
-          config = {
+            sha256 = "sha256-nQUHEm+cvTmRS2ECZK4lk7YAd+2gUYTFcu44A967kY4=";
-            adminpassFile = "/etc/admin_password";
+            appVersion = "23.12.0";
-            dbtype = "pgsql";
+            license = "agpl3";
            dbuser = "ncadmin";
            dbhost = outer_config.containers.vacustore.hostAddress;
            dbname = "nextcloud";
            dbtableprefix = "oc_";
          };
-
+          # oidc_login = pkgs.fetchNextcloudApp {
-          settings = {
+          #   appName = "oidc_login";
-            loglevel = 1;
+          #   url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz";
-            default_phone_region = "US";
+          #   sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI=";
-            overwriteprotocol = "https";
+          #   appVersion = "3.0.2";
-            trusted_proxies = [ outer_config.containers.vacustore.hostAddress ];
+          #   license = "agpl3";
-            allow_user_to_change_display_name = false;
+          # };
-            lost_password_link = "disabled";
+          sociallogin = pkgs.fetchNextcloudApp {
-            oidc_login_provider_url = "https://id.shelvacu.com/oauth2/openid/vacustore/";
+            appName = "sociallogin";
-            oidc_login_client_id = "vacustore";
+            url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.6.3/release.tar.gz";
-            # client_secret can't go here...
+            sha256 = "sha256-XHHD87InU9P5uq9zCJnFliHhWh5tpSpSnMMOfNgJKRw=";
-            # oidc_login_auto_redirect = true;
+            appVersion = "5.6.3";
-            oidc_login_button_text = "Yo Do Da Login Thangg";
+            license = "agpl3";
            oidc_login_scope = "email profile";
            oidc_login_disable_registration = false;
            oidc_login_code_challenge_method = "S256";
          };
          secretFile = "/etc/nc-secrets.json";
        };
        phpOptions."opcache.interned_strings_buffer" = "32";
        config = {
          trustedProxies = [ outer_config.containers.vacustore.hostAddress ];
          adminpassFile = "/etc/admin_password";
          dbtype = "pgsql";
          dbuser = "ncadmin";
          dbhost = outer_config.containers.vacustore.hostAddress;
          dbname = "nextcloud";
          dbtableprefix = "oc_";
          overwriteProtocol = "https";
          defaultPhoneRegion = "US";
        };
        extraOptions = {
          allow_user_to_change_display_name = false;
          lost_password_link = "disabled";
          oidc_login_provider_url = "https://id.shelvacu.com/oauth2/openid/vacustore/";
          oidc_login_client_id = "vacustore";
          # client_secret can't go here...
          # oidc_login_auto_redirect = true;
          oidc_login_button_text = "Yo Do Da Login Thangg";
          oidc_login_scope = "email profile";
          oidc_login_disable_registration = false;
          oidc_login_code_challenge_method = "S256";
        };
        secretFile = "/etc/nc-secrets.json";
      };
    };
  };
 }
--- a/triple-dezert/vms.nix
+++ b/triple-dezert/vms.nix
@@ -0,0 +1,26 @@
 # https://astro.github.io/microvm.nix/host.html
 { pkgs, inputs, config, self, ... }: {
  imports = [
    inputs.microvm.nixosModules.host
  ];
  microvm.host.enable = true;
  # https://gitlab.com/virtio-fs/virtiofsd/-/issues/121
  microvm.virtiofsd.inodeFileHandles = "mandatory";
  assertions = [{
    assertion = config.networking.useNetworkd;
    message = "microvm setup requires networkd";
  }];
  microvm.vms.devver2 = {
    autostart = true;
    flake = inputs.self;
    updateFlake = "git+file:///etc/nixos#devver";
  };
  # systemd.network.networks."20-devver" = {
  #   matchConfig.name = "vm-devver";
  #   networkConfig.Bridge = config.vacu.network.lan_bridge;
  # };
 }
Author	SHA1	Message	Date
Shelvacu	3d478c8d37	wip commands	2024-06-22 17:03:25 -07:00
Shelvacu	e052a165ec	wip commands	2024-06-22 17:00:44 -07:00
Shelvacu	5a9e975723	Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff	2024-06-22 16:50:31 -07:00
Shelvacu	91d9098ae2	remove (unnecssary) common-packages	2024-06-22 16:49:44 -07:00