wip commands

common-config.nix

@@ -1,275 +0,0 @@
-{ config, pkgs, lib, inputs, ... }: let
-  inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
-  inherit (builtins) attrValues;
-  cfg = config.vacu;
-  knownHosts = attrValues cfg.ssh.knownHosts;
-  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
-  (h: assert h.hostNames != [];
-    optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
-    + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-  )) + "\n";
-  packageNames = lib.splitString "\n" ''
-    nixos-rebuild
-    nano
-    vim
-    wget
-    screen
-    tmux
-    lsof
-    htop
-    mosh
-    dnsutils
-    iperf3
-    nmap
-    rsync
-    ethtool
-    sshfs
-    ddrescue
-    pciutils
-    ncdu
-    nix-index
-    git
-    pv
-    unzip
-    file
-    ripgrep
-    jq
-    units
-    tree
-    rclone
-    iputils
-    ssh-to-age
-    sops
-    inetutils
-    neovim
-    diffutils
-    findutils
-    utillinux
-    tzdata
-    hostname
-    man
-    gnugrep
-    gnused
-    gnutar
-    bzip2
-    gzip
-    xz
-    zip
-    unzip
-    openssh
-    git'';
-  plainPackageOpts = map (name: { name = name; value = { enable = lib.mkDefault true; }; }) packageNames;
-  packageOpts = lib.recursiveUpdate (builtins.listToAttrs plainPackageOpts) {
-    nix-search-cli.package = inputs.nix-search-cli.packages.${pkgs.system}.default;
-    nix-search-cli.enable = lib.mkDefault true;
-    nix-inspect.package = inputs.nix-inspect.packages.${pkgs.system}.default;
-    nix-inspect.enable = lib.mkDefault true;
-  };
-in {
-  imports = [ ./package-set.nix ];
-  options = {
-    vacu.ssh.authorizedKeys = mkOption {
-      type = types.listOf types.str;
-    };
-    vacu.ssh.config = mkOption {
-      type = types.lines;
-    };
-    # Straight copied from nixpkgs 
-    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
-    vacu.ssh.knownHosts = mkOption {
-      default = {};
-      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
-        options = {
-          certAuthority = mkOption {
-            type = types.bool;
-            default = false;
-            description = ''
-              This public key is an SSH certificate authority, rather than an
-              individual host's key.
-            '';
-          };
-          hostNames = mkOption {
-            type = types.listOf types.str;
-            default = [ name ] ++ config.extraHostNames;
-            defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
-            description = ''
-              A list of host names and/or IP numbers used for accessing
-              the host's ssh service. This list includes the name of the
-              containing `knownHosts` attribute by default
-              for convenience. If you wish to configure multiple host keys
-              for the same host use multiple `knownHosts`
-              entries with different attribute names and the same
-              `hostNames` list.
-            '';
-          };
-          extraHostNames = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            description = ''
-              A list of additional host names and/or IP numbers used for
-              accessing the host's ssh service. This list is ignored if
-              `hostNames` is set explicitly.
-            '';
-          };
-          publicKey = mkOption {
-            default = null;
-            type = types.nullOr types.str;
-            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-            description = ''
-              The public key data for the host. You can fetch a public key
-              from a running SSH server with the {command}`ssh-keyscan`
-              command. The public key should not include any host names, only
-              the key type and the key itself.
-            '';
-          };
-          publicKeyFile = mkOption {
-            default = null;
-            type = types.nullOr types.path;
-            description = ''
-              The path to the public key file for the host. The public
-              key file is read at build time and saved in the Nix store.
-              You can fetch a public key file from a running SSH server
-              with the {command}`ssh-keyscan` command. The content
-              of the file should follow the same format as described for
-              the `publicKey` option. Only a single key
-              is supported. If a host has multiple keys, use
-              {option}`programs.ssh.knownHostsFiles` instead.
-            '';
-          };
-        };
-      }));
-      description = ''
-        The set of system-wide known SSH hosts. To make simple setups more
-        convenient the name of an attribute in this set is used as a host name
-        for the entry. This behaviour can be disabled by setting
-        `hostNames` explicitly. You can use
-        `extraHostNames` to add additional host names without
-        disabling this default.
-      '';
-      example = literalExpression ''
-        {
-          myhost = {
-            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
-          };
-          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
-          "myhost2.net/dsa" = {
-            hostNames = [ "myhost2.net" ];
-            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
-          };
-        }
-      '';
-    };
-    vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
-    vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
-  };
-  config = {
-    vacu.packages = packageOpts;
-    vacu.nix.extraSubstituters = [
-      "https://nixcache.shelvacu.com/"
-      "https://nix-community.cachix.org/"
-    ];
-    vacu.nix.extraTrustedKeys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
-    ];
-    assertions = flip mapAttrsToList cfg.ssh.knownHosts (name: data: {
-      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
-                  (data.publicKey != null && data.publicKeyFile == null);
-      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-    });
-    vacu.ssh.authorizedKeys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
-    ];
-    vacu.ssh.config = ''
-      Host deckvacu
-        User deck
-      
-      Host rsb
-        User user
-        HostName finaltask.xyz
-        Port 2222
-      
-      Host awoo
-        HostName 45.142.157.71
-
-      Host trip
-        HostName trip.shelvacu.com
-        Port 6922
-      
-      Host liam
-        HostName 178.128.79.152
-
-      Host pluto
-        HostName pluto.somevideogam.es
-
-      Host *
-        User shelvacu
-        GlobalKnownHostsFile ${pkgs.writeText "known_hosts" knownHostsText}
-    '';
-
-    vacu.ssh.knownHosts = {
-      #public hosts
-      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-
-      #colin's stuff
-      "uninsane.org" = {
-        extraHostNames = [ "git.uninsane.org" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-      };
-      "desko" = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-      };
-
-      #daymocker's stuff
-      "pluto" = {
-        extraHostNames = [ "74.208.184.137" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
-      };
-
-      #personal hosts
-      "zigbee-hub" = {
-        extraHostNames = [ "10.78.79.114" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN root@zigbee-hub";
-      };
-      trip = {
-        extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
-      };
-      servacu = {
-        extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
-      };
-      finaltask = {
-        extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
-      };
-      compute-deck = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
-      };
-      "2esrever" = {
-        extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
-      };
-      awoo = {
-        extraHostNames = [ "45.142.157.71" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
-      };
-      deckvacu = {
-        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
-      };
-      liam = {
-        extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
-      };
-    };
-  };
-}

common-nixos-config.nix

@@ -1,81 +0,0 @@
-{ lib, pkgs, config, inputs, utils, ... }:
-{
-  imports = [ ./common-config.nix ];
-  options.vacu.acmeCertDependencies = lib.mkOption {
-    default = {};
-    example = ''
-      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
-    '';
-    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
-  };
-  config = let
-    for-systemd-services = lib.concatMapAttrs
-      (cert: units:
-        {
-          "acme-selfsigned-${cert}" = {
-            wantedBy = units;
-            before = units;
-          };
-        }
-      )
-      config.vacu.acmeCertDependencies;
-    for-security-acme-certs = lib.concatMapAttrs
-      (cert: units:
-        {
-          ${cert}.reloadServices = units;
-        }
-      )
-      config.vacu.acmeCertDependencies;
-  in {
-    console = {
-      keyMap = lib.mkDefault "us";
-    };
-    vacu.packages."xorg-xev" = {
-      enable = config.services.xserver.enable;
-      package = pkgs.xorg.xev;
-    };
-    environment.systemPackages = config.vacu.packageList;
-
-    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
-    time.timeZone = "America/Los_Angeles";
-
-    users.users.shelvacu = {
-      openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-    };
-    systemd.services = for-systemd-services;
-    security.acme.certs = for-security-acme-certs;
-    services.openssh = {
-      # require public key authentication for better security
-      settings.PasswordAuthentication = false;
-      settings.KbdInteractiveAuthentication = false;
-      settings.PermitRootLogin = "prohibit-password";
-    };
-
-    nix.settings.trusted-users = [ "shelvacu" ];
-    security.sudo.wheelNeedsPassword = lib.mkDefault false;
-
-    programs.screen = {
-      screenrc = ''
-        defscrollback 10000
-        termcapinfo xterm* ti@:te@
-      '';
-    } // (if config.system.nixos.release == "23.11" then {} else { enable = true; });
-
-    programs.tmux.enable = true;
-    programs.tmux.extraConfig = "setw mouse";
-    programs.tmux.clock24 = true;
-
-    nix.settings = {
-      experimental-features = [ "nix-command" "flakes" ];
-      substituters = config.vacu.nix.extraSubstituters;
-      trusted-public-keys = config.vacu.nix.extraTrustedKeys;
-    };
-    nixpkgs.config.allowUnfree = lib.mkDefault true;
-
-    programs.mosh.enable = lib.mkDefault true;
-
-    programs.ssh.extraConfig = config.vacu.ssh.config;
-  };
-}

common-packages.nix

@@ -1,37 +0,0 @@
-{ pkgs, inputs }: (with pkgs; [
-  inputs.nix-search-cli.packages.${pkgs.system}.default
-  inputs.nix-inspect.packages.${pkgs.system}.default
-  nixos-rebuild
-  nano
-  vim
-  wget
-  screen
-  tmux
-  lsof
-  htop
-  mosh
-  dnsutils
-  iperf3
-  nmap
-  rsync
-  ethtool
-  sshfs
-  ddrescue
-  pciutils
-  ncdu
-  nix-index
-  git
-  pv
-  unzip
-  file
-  ripgrep
-  jq
-  units
-  tree
-  rclone
-  iputils
-  ssh-to-age
-  sops
-  inetutils
-  neovim
-])

devver/default.nix

@@ -1,36 +1,57 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, modulesPath, ... }:
 
 {
   imports = [
     inputs.homeManager.nixosModules.default
-    # inputs.microvm.nixosModules.microvm
     ../common-nixos-config.nix
+    (modulesPath + "/profiles/qemu-guest.nix")
   ];
+
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
+  boot.extraModulePackages = [ ];
+
   system.nixos.tags = [ "host-${config.networking.hostName}" ];
   networking.hostName = "devver";
   boot.loader.external.enable = true;
-  boot.loader.external.installHook = pkgs.writeScript "vacuDirectBootInstaller" ''
-    #TODO: probably copy kernel/initrd to root
-    (echo "vacuDirectBootInstaller"; for a in "$@";do echo "$a";done) 1>&2
-    exit 0
+  boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
+    PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
+    set -xev
+    mkdir -p /boot
+    cp $1/kernel /boot/kernel
+    cp $1/initrd /boot/initrd
+    cp $1/kernel-params /boot/kernel-params
+    sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
   '';
 
-  fileSystems."/" = {
+  users.users.root.shell = pkgs.bashInteractive;
+
+  fileSystems."/boot" = {
     fsType = "9p";
-    device = "root";
+    device = "boot";
     options = [
       "trans=virtio"
-      "msize=104857600"
       "access=any"
       "version=9p2000.L"
       "posixacl"
       "cache=mmap"
+      "nofail"
+      "noauto"
     ];
   };
 
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
+    fsType = "ext4";
+  };
+
+  #boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   services.openssh.enable = true;
 
+  vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
+
   system.stateVersion = "23.11";
 }

flake.lock

@@ -458,6 +458,21 @@
         "type": "indirect"
       }
     },
+    "nixpkgs2405": {
+      "locked": {
+        "lastModified": 1718810994,
+        "narHash": "sha256-qrHSG34MeJdbK7WO3+NCehOf2p8ptW50UiMTAcs9wHU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "79f152a46bd42ba3a9fe96513e0fd9ac88190079",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.05-small",
+        "type": "indirect"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1717861563,
@@ -636,6 +651,7 @@
         "nix-search-cli": "nix-search-cli",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixpkgs2405": "nixpkgs2405",
         "padtype": "padtype",
         "sops-nix": "sops-nix",
         "vscode-server": "vscode-server"

flake.nix

@@ -4,6 +4,7 @@
   inputs = {
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
     nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
     nix-inspect = {
       url = "github:bluskript/nix-inspect";
       #inputs.nixpkgs.follows = "nixpkgs";
@@ -84,6 +85,12 @@
       specialArgs = { inherit inputs; };
     };
 
+    nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./fw ];
+      specialArgs = { inherit inputs; };
+    };
+
     nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
       modules = [ ./nix-on-droid.nix ];
       extraSpecialArgs = { inherit inputs; };

fw/default.nix

@@ -0,0 +1,94 @@
+{ config, inputs, pkgs, lib, ... }: {
+  imports = [ 
+    ../common-nixos-config.nix
+  ];
+  system.nixos.tags = [ "host-${config.networking.hostName}" ];
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  networking.networkmanager.enable = true;
+
+  vacu.packages.bitwarden-desktop.enable = true;
+  vacu.packages.nheko.enable = true;
+  vacu.packages.librewolf.enable = true;
+  vacu.packages.brave.enable = true;
+  vacu.packages.thunderbird.enable = true;
+  vacu.packages.wl-clipboard.enable = true;
+  vacu.packages.nextcloud-client.enable = true;
+  vacu.packages.signal-desktop.enable = true;
+  vacu.packages.fw-ectool.enable = true;
+  vacu.packages.framework-tool.enable = true;
+  vacu.packages.iio-sensor-proxy.enable = true;
+  vacu.packages.power-profiles-daemon.enable = true;
+  vacu.packages.acpi.enable = true;
+
+  services.xserver.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.desktopManager.plasma6.enable = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.grub.memtest86.enable = true;
+
+  boot.loader.grub.mirroredBoots = [
+    {
+      devices = [ "nodev" ];
+      path = "/boot0";
+    }
+    {
+      devices = [ "nodev" ];
+      path = "/boot1";
+    }
+  ];
+
+  networking.hostName = "fw"; # Define your hostname.
+  networking.hostId = "c6e309d5";
+  boot.zfs.extraPools = [ "fw" ];
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  systemd.services.zfs-mount.enable = false;
+
+  services.openssh.enable = true;
+  system.stateVersion = "23.11"; # Did you read the comment?
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "fw/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot0" =
+    { device = "/dev/disk/by-label/BOOT0";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/boot1" =
+    { device = "/dev/disk/by-label/BOOT1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  hardware.cpu.amd.updateMicrocode = true;
+  hardware.enableAllFirmware = true;
+  hardware.opengl = {
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+  programs.nix-ld.enable = true;
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true;
+  };
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+  services.blueman.enable = true;
+}

triple-dezert/devver-host.nix

@@ -1,12 +1,14 @@
 { pkgs, lib, config, inputs, ... }: let
   qemu-pkg = pkgs.qemu_kvm;
-  rootPath = "/trip/devver-vm/root";
+  #rootPath = "/trip/devver-vm/root";
+  bootPath = "/trip/devver-vm/boot";
   installer = inputs.self.nixosConfigurations.shel-installer;
   installerIsoDeriv = installer.config.system.build.isoImage;
   installerIsoPath = "${installerIsoDeriv}/iso/${installerIsoDeriv.name}";
-  bootInstaller = true;
+  bootInstaller = false;
   tapdev = "qemu-devver";
-  runArgs = [
+  tapdev-int = "qemu-devver-int";
+  commonArgs = [
     "${qemu-pkg}/bin/qemu-kvm"
     "-name" "devver"
     # https://www.qemu.org/docs/master/system/i386/microvm.html
@@ -30,32 +32,46 @@
     "-device" "virtio-balloon"
     "-object" "memory-backend-memfd,id=mem,size=8G,share=off"
     "-numa" "node,memdev=mem"
+
+    # I don't understand, the docs for "-drive" says it's a shortcut for -blockdev and -device, but all the real-world code has -drive and -device
+    #"-drive" "file=/trip/devver-vm/disk-image/root.img,discard=unmap,if=none,format=raw,cache=none,id=root-disk"
+    "-blockdev" "driver=raw,node-name=root-disk,file.driver=file,file.filename=/trip/devver-vm/disk-image/root.img,discard=unmap,cache.direct=on"
+    "-device" "virtio-blk-device,drive=root-disk,write-cache=off"
     
-    "-fsdev" "local,id=fs0,path=${rootPath},security_model=mapped"
-    "-device" "virtio-9p-pci,fsdev=fs0,mount_tag=root"
+    "-fsdev" "local,id=fs0,path=${bootPath},security_model=mapped-xattr,fmode=0600,dmode=0700"
+    "-device" "virtio-9p-pci,fsdev=fs0,mount_tag=boot"
 
     "-netdev" "tap,id=vm-devver,ifname=${tapdev},script=no,downscript=no"
-    #"-netdev" "bridge,id=vm-devver,br=${config.vacu.network.lan_bridge},helper=/run/wrappers/bin/qemu-bridge-helper"
     #Why 34? No idea! Best hint I could find is in the mailing list about the serial driver: https://lists.nongnu.org/archive/html/qemu-devel/2013-01/msg05952.html
     "-device" "virtio-net-pci,netdev=vm-devver,mac=02:19:07:A2:15:72,romfile=,mq=on,vectors=34"
-
-  ] ++ (if bootInstaller then [
+    "-netdev" "tap,id=vm-devver2,ifname=${tapdev-int},script=no,downscript=no"
+    "-device" "virtio-net-pci,netdev=vm-devver2,romfile=,mq=on,vectors=34"
+  ];
+  installerArgs = [
     # "-boot" "once=d"
     # "-cdrom" "${installerIsoPath}"
     "-drive" "if=virtio,media=cdrom,driver=raw,node-name=disk,file.driver=file,file.filename=${installerIsoPath},file.locking=off,read-only=on"
     "-kernel" "${installer.config.system.build.kernel}/${installer.config.system.boot.loader.kernelFile}"
     "-initrd" "${installer.config.system.build.initialRamdisk}/${installer.config.system.boot.loader.initrdFile}"
     "-append" "${lib.concatStringsSep " " installer.config.boot.kernelParams} init=${installer.config.system.build.toplevel}/init earlyprintk=ttyS0 console=ttyS0 debug"
-  ] else [
-    "-kernel" "${rootPath}/boot/kernel"
-    "-initrd" "${rootPath}/boot/initrd"
-    "-append" "earlyprintk=ttyS0 console=ttyS0 init=/init"
-  ]);
+  ];
+  mainArgs = [
+    "-kernel" "${bootPath}/kernel"
+    "-initrd" "${bootPath}/initrd"
+    "-append" "earlyprintk=ttyS0 console=ttyS0"
+  ];
 
   runScript = ''
+    set -ev
+    declare -a args
+    if [ "x$1" == "x--installer" ]; then
+      args=(${lib.escapeShellArgs (commonArgs ++ installerArgs)})
+    else
+      args=(${lib.escapeShellArgs (commonArgs ++ mainArgs)}" $(cat ${bootPath}/kernel-params)")
+    fi
     d=`mktemp -d --tmpdir qemu-devver-XXXXXXXXX`
     cd $d
-    ${lib.escapeShellArgs runArgs} -D ./log.txt
+    "''${args[@]}"
   '';
 in {
   users.groups.devver = {};
@@ -76,6 +92,18 @@ in {
       # KeepCarrier = true;
     };
   };
+  systemd.network.netdevs.${tapdev-int} = {
+    netdevConfig = {
+      Kind = "tap";
+      Name = tapdev-int;
+    };
+    tapConfig = {
+      User = config.users.users.devver.name;
+      Group = config.users.groups.devver.name;
+      PacketInfo = true;
+      # KeepCarrier = true;
+    };
+  };
   systemd.network.networks."02-vm-devver".extraConfig = ''
     Bridge = ${config.vacu.network.lan_bridge}
 
@@ -85,4 +113,28 @@ in {
     [Link]
     RequiredForOnline = no
   '';
+  systemd.network.networks."02-vm-devver-int".extraConfig = ''
+    Address = 10.110.171.204/31
+    DHCP = no
+    DNS = no
+    LLDP = no
+
+    [Match]
+    Name = ${tapdev-int}
+
+    [Link]
+    RequiredForOnline = no
+  '';
+
+  # networking.firewall.extraCommands = ''
+  #   if ! (iptables -t nat -n --list devver-prerouting > /dev/null 2>&1); then
+  #     iptables -t nat -N devver-prerouting
+  #   fi
+  #   iptables -t nat -F devver-prerouting
+  #   iptables -t nat -A devver-prerouting -p tcp -m tcp --dport 5022 -j DNAT --to-destination 10.78.79.10
+  #   iptables -t nat -I PREROUTING 1 -j devver-prerouting
+  # '';
+  # networking.firewall.extraStopCommands = ''
+  #   iptables -t nat -D PREROUTING -j devver-prerouting || true
+  # '';
 }

triple-dezert/vacustore.nix

@@ -37,6 +37,8 @@
         client_body_timeout 5m;
       '';
 
+      environment.systemPackages = [ config.services.nextcloud.package ]; # make occ command available without having to dig for it
+
       services.nextcloud = {
         enable = true;
         package = pkgs.nextcloud28;
@@ -50,6 +52,13 @@
 
         extraApps = {
           inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts;
+	  appointments = pkgs.fetchNextcloudApp {
+            appName = "appointments";
+	    url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
+	    sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
+	    appVersion = "2.1.4";
+	    license = "agpl3";
+	  };
           gpoddersync = pkgs.fetchNextcloudApp {
             appName = "gpoddersync";
             url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.8.2/gpoddersync.tar.gz";
@@ -111,4 +120,4 @@
       };
     };
   };
-}
+}