stuff

common-packages.nix

@@ -1,37 +0,0 @@
-{ pkgs, inputs }: (with pkgs; [
-  inputs.nix-search-cli.packages.${pkgs.system}.default
-  inputs.nix-inspect.packages.${pkgs.system}.default
-  nixos-rebuild
-  nano
-  vim
-  wget
-  screen
-  tmux
-  lsof
-  htop
-  mosh
-  dnsutils
-  iperf3
-  nmap
-  rsync
-  ethtool
-  sshfs
-  ddrescue
-  pciutils
-  ncdu
-  nix-index
-  git
-  pv
-  unzip
-  file
-  ripgrep
-  jq
-  units
-  tree
-  rclone
-  iputils
-  ssh-to-age
-  sops
-  inetutils
-  neovim
-])

common/commands.nix

@@ -0,0 +1,29 @@
+{ config, lib, ... }: let
+  inherit (lib) mkOption types;
+in {
+  options = {
+    vacu.commands = mkOption {
+      default = {};
+      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+        options = {
+          content = mkOption {
+	    type = types.str;
+	    default = "";
+	  };
+	  enable = mkOption {
+            type = types.bool;
+	    default = config.content != "";
+	    defaultText = ''${name}.content != ""'';
+	  };
+	  kind = mkOption {
+	    type = types.enum [ "alias" "function" ];
+	    default = "alias";
+	  };
+	};
+      }));
+    };
+  };
+  config = {
+    #todo
+  };
+}

common/generic.nix

@@ -2,13 +2,8 @@
   inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
   inherit (builtins) attrValues;
   cfg = config.vacu;
-  knownHosts = attrValues cfg.ssh.knownHosts;
-  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
-  (h: assert h.hostNames != [];
-    optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
-    + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-  )) + "\n";
   packageNames = lib.splitString "\n" ''
+    ruby_3_3
     nixos-rebuild
     nano
     vim
@@ -57,6 +52,8 @@
     zip
     unzip
     openssh
+    dig
+    bash
     git'';
   plainPackageOpts = map (name: { name = name; value = { enable = lib.mkDefault true; }; }) packageNames;
   packageOpts = lib.recursiveUpdate (builtins.listToAttrs plainPackageOpts) {
@@ -66,100 +63,8 @@
     nix-inspect.enable = lib.mkDefault true;
   };
 in {
-  imports = [ ./package-set.nix ];
+  imports = [ ./package-set.nix ./ssh.nix ./commands.nix ];
   options = {
-    vacu.ssh.authorizedKeys = mkOption {
-      type = types.listOf types.str;
-    };
-    vacu.ssh.config = mkOption {
-      type = types.lines;
-    };
-    # Straight copied from nixpkgs 
-    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
-    vacu.ssh.knownHosts = mkOption {
-      default = {};
-      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
-        options = {
-          certAuthority = mkOption {
-            type = types.bool;
-            default = false;
-            description = ''
-              This public key is an SSH certificate authority, rather than an
-              individual host's key.
-            '';
-          };
-          hostNames = mkOption {
-            type = types.listOf types.str;
-            default = [ name ] ++ config.extraHostNames;
-            defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
-            description = ''
-              A list of host names and/or IP numbers used for accessing
-              the host's ssh service. This list includes the name of the
-              containing `knownHosts` attribute by default
-              for convenience. If you wish to configure multiple host keys
-              for the same host use multiple `knownHosts`
-              entries with different attribute names and the same
-              `hostNames` list.
-            '';
-          };
-          extraHostNames = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            description = ''
-              A list of additional host names and/or IP numbers used for
-              accessing the host's ssh service. This list is ignored if
-              `hostNames` is set explicitly.
-            '';
-          };
-          publicKey = mkOption {
-            default = null;
-            type = types.nullOr types.str;
-            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-            description = ''
-              The public key data for the host. You can fetch a public key
-              from a running SSH server with the {command}`ssh-keyscan`
-              command. The public key should not include any host names, only
-              the key type and the key itself.
-            '';
-          };
-          publicKeyFile = mkOption {
-            default = null;
-            type = types.nullOr types.path;
-            description = ''
-              The path to the public key file for the host. The public
-              key file is read at build time and saved in the Nix store.
-              You can fetch a public key file from a running SSH server
-              with the {command}`ssh-keyscan` command. The content
-              of the file should follow the same format as described for
-              the `publicKey` option. Only a single key
-              is supported. If a host has multiple keys, use
-              {option}`programs.ssh.knownHostsFiles` instead.
-            '';
-          };
-        };
-      }));
-      description = ''
-        The set of system-wide known SSH hosts. To make simple setups more
-        convenient the name of an attribute in this set is used as a host name
-        for the entry. This behaviour can be disabled by setting
-        `hostNames` explicitly. You can use
-        `extraHostNames` to add additional host names without
-        disabling this default.
-      '';
-      example = literalExpression ''
-        {
-          myhost = {
-            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
-          };
-          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
-          "myhost2.net/dsa" = {
-            hostNames = [ "myhost2.net" ];
-            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
-          };
-        }
-      '';
-    };
     vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
     vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
   };
@@ -173,11 +78,6 @@ in {
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
     ];
-    assertions = flip mapAttrsToList cfg.ssh.knownHosts (name: data: {
-      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
-                  (data.publicKey != null && data.publicKeyFile == null);
-      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-    });
     vacu.ssh.authorizedKeys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
@@ -187,6 +87,9 @@ in {
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
+	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
+	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
     ];
     vacu.ssh.config = ''
       Host deckvacu
@@ -270,6 +173,14 @@ in {
         extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
         publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
       };
+      devver = {
+        extraHostNames = [ "devver.t2d.lan" "10.78.79.10" ];
+	publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
+      };
+      fw = {
+        extraHostNames = [ "fw.t2d.lan" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
+      };
     };
   };
 }

common/nixos.nix

@@ -1,6 +1,6 @@
 { lib, pkgs, config, inputs, utils, ... }:
 {
-  imports = [ ./common-config.nix ];
+  imports = [ ./generic.nix ];
   options.vacu.acmeCertDependencies = lib.mkOption {
     default = {};
     example = ''

common/ssh.nix

@@ -0,0 +1,113 @@
+{ config, pkgs, lib, inputs, ... }: let
+  inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
+  inherit (builtins) attrValues;
+  cfg = config.vacu;
+  knownHosts = attrValues cfg.ssh.knownHosts;
+  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
+  (h: assert h.hostNames != [];
+    optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
+    + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+  )) + "\n";
+in {
+  options = {
+    vacu.ssh.authorizedKeys = mkOption {
+      type = types.listOf types.str;
+    };
+    vacu.ssh.config = mkOption {
+      type = types.lines;
+    };
+    # Straight copied from nixpkgs 
+    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
+    vacu.ssh.knownHosts = mkOption {
+      default = {};
+      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+        options = {
+          certAuthority = mkOption {
+            type = types.bool;
+            default = false;
+            description = ''
+              This public key is an SSH certificate authority, rather than an
+              individual host's key.
+            '';
+          };
+          hostNames = mkOption {
+            type = types.listOf types.str;
+            default = [ name ] ++ config.extraHostNames;
+            defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
+            description = ''
+              A list of host names and/or IP numbers used for accessing
+              the host's ssh service. This list includes the name of the
+              containing `knownHosts` attribute by default
+              for convenience. If you wish to configure multiple host keys
+              for the same host use multiple `knownHosts`
+              entries with different attribute names and the same
+              `hostNames` list.
+            '';
+          };
+          extraHostNames = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = ''
+              A list of additional host names and/or IP numbers used for
+              accessing the host's ssh service. This list is ignored if
+              `hostNames` is set explicitly.
+            '';
+          };
+          publicKey = mkOption {
+            default = null;
+            type = types.nullOr types.str;
+            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
+            description = ''
+              The public key data for the host. You can fetch a public key
+              from a running SSH server with the {command}`ssh-keyscan`
+              command. The public key should not include any host names, only
+              the key type and the key itself.
+            '';
+          };
+          publicKeyFile = mkOption {
+            default = null;
+            type = types.nullOr types.path;
+            description = ''
+              The path to the public key file for the host. The public
+              key file is read at build time and saved in the Nix store.
+              You can fetch a public key file from a running SSH server
+              with the {command}`ssh-keyscan` command. The content
+              of the file should follow the same format as described for
+              the `publicKey` option. Only a single key
+              is supported. If a host has multiple keys, use
+              {option}`programs.ssh.knownHostsFiles` instead.
+            '';
+          };
+        };
+      }));
+      description = ''
+        The set of system-wide known SSH hosts. To make simple setups more
+        convenient the name of an attribute in this set is used as a host name
+        for the entry. This behaviour can be disabled by setting
+        `hostNames` explicitly. You can use
+        `extraHostNames` to add additional host names without
+        disabling this default.
+      '';
+      example = literalExpression ''
+        {
+          myhost = {
+            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
+            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
+          };
+          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
+          "myhost2.net/dsa" = {
+            hostNames = [ "myhost2.net" ];
+            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
+          };
+        }
+      '';
+    };
+  };
+  config = {
+    assertions = flip mapAttrsToList cfg.ssh.knownHosts (name: data: {
+      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                  (data.publicKey != null && data.publicKeyFile == null);
+      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+    });
+  };
+};

devver/default.nix

@@ -1,36 +1,57 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, modulesPath, ... }:
 
 {
   imports = [
     inputs.homeManager.nixosModules.default
-    # inputs.microvm.nixosModules.microvm
     ../common-nixos-config.nix
+    (modulesPath + "/profiles/qemu-guest.nix")
   ];
+
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
+  boot.extraModulePackages = [ ];
+
   system.nixos.tags = [ "host-${config.networking.hostName}" ];
   networking.hostName = "devver";
   boot.loader.external.enable = true;
-  boot.loader.external.installHook = pkgs.writeScript "vacuDirectBootInstaller" ''
+  boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
-    #TODO: probably copy kernel/initrd to root
+    PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
-    (echo "vacuDirectBootInstaller"; for a in "$@";do echo "$a";done) 1>&2
+    set -xev
-    exit 0
+    mkdir -p /boot
+    cp $1/kernel /boot/kernel
+    cp $1/initrd /boot/initrd
+    cp $1/kernel-params /boot/kernel-params
+    sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
   '';
 
-  fileSystems."/" = {
+  users.users.root.shell = pkgs.bashInteractive;
+
+  fileSystems."/boot" = {
     fsType = "9p";
-    device = "root";
+    device = "boot";
     options = [
       "trans=virtio"
-      "msize=104857600"
       "access=any"
       "version=9p2000.L"
       "posixacl"
       "cache=mmap"
+      "nofail"
+      "noauto"
     ];
   };
 
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
+    fsType = "ext4";
+  };
+
+  #boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   services.openssh.enable = true;
 
+  vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
+
   system.stateVersion = "23.11";
 }

flake.lock

@@ -458,6 +458,21 @@
         "type": "indirect"
       }
     },
+    "nixpkgs2405": {
+      "locked": {
+        "lastModified": 1718810994,
+        "narHash": "sha256-qrHSG34MeJdbK7WO3+NCehOf2p8ptW50UiMTAcs9wHU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "79f152a46bd42ba3a9fe96513e0fd9ac88190079",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.05-small",
+        "type": "indirect"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1717861563,
@@ -636,6 +651,7 @@
         "nix-search-cli": "nix-search-cli",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixpkgs2405": "nixpkgs2405",
         "padtype": "padtype",
         "sops-nix": "sops-nix",
         "vscode-server": "vscode-server"

flake.nix

@@ -4,6 +4,7 @@
   inputs = {
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
     nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
     nix-inspect = {
       url = "github:bluskript/nix-inspect";
       #inputs.nixpkgs.follows = "nixpkgs";
@@ -84,6 +85,12 @@
       specialArgs = { inherit inputs; };
     };
 
+    nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./fw ];
+      specialArgs = { inherit inputs; };
+    };
+
     nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
       modules = [ ./nix-on-droid.nix ];
       extraSpecialArgs = { inherit inputs; };

fw/default.nix

@@ -0,0 +1,94 @@
+{ config, inputs, pkgs, lib, ... }: {
+  imports = [ 
+    ../common-nixos-config.nix
+  ];
+  system.nixos.tags = [ "host-${config.networking.hostName}" ];
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  networking.networkmanager.enable = true;
+
+  vacu.packages.bitwarden-desktop.enable = true;
+  vacu.packages.nheko.enable = true;
+  vacu.packages.librewolf.enable = true;
+  vacu.packages.brave.enable = true;
+  vacu.packages.thunderbird.enable = true;
+  vacu.packages.wl-clipboard.enable = true;
+  vacu.packages.nextcloud-client.enable = true;
+  vacu.packages.signal-desktop.enable = true;
+  vacu.packages.fw-ectool.enable = true;
+  vacu.packages.framework-tool.enable = true;
+  vacu.packages.iio-sensor-proxy.enable = true;
+  vacu.packages.power-profiles-daemon.enable = true;
+  vacu.packages.acpi.enable = true;
+
+  services.xserver.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.desktopManager.plasma6.enable = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.grub.memtest86.enable = true;
+
+  boot.loader.grub.mirroredBoots = [
+    {
+      devices = [ "nodev" ];
+      path = "/boot0";
+    }
+    {
+      devices = [ "nodev" ];
+      path = "/boot1";
+    }
+  ];
+
+  networking.hostName = "fw"; # Define your hostname.
+  networking.hostId = "c6e309d5";
+  boot.zfs.extraPools = [ "fw" ];
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  systemd.services.zfs-mount.enable = false;
+
+  services.openssh.enable = true;
+  system.stateVersion = "23.11"; # Did you read the comment?
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "fw/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot0" =
+    { device = "/dev/disk/by-label/BOOT0";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/boot1" =
+    { device = "/dev/disk/by-label/BOOT1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  hardware.cpu.amd.updateMicrocode = true;
+  hardware.enableAllFirmware = true;
+  hardware.opengl = {
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+  programs.nix-ld.enable = true;
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true;
+  };
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+  services.blueman.enable = true;
+}

triple-dezert/devver-host.nix

@@ -1,12 +1,14 @@
 { pkgs, lib, config, inputs, ... }: let
   qemu-pkg = pkgs.qemu_kvm;
-  rootPath = "/trip/devver-vm/root";
+  #rootPath = "/trip/devver-vm/root";
+  bootPath = "/trip/devver-vm/boot";
   installer = inputs.self.nixosConfigurations.shel-installer;
   installerIsoDeriv = installer.config.system.build.isoImage;
   installerIsoPath = "${installerIsoDeriv}/iso/${installerIsoDeriv.name}";
-  bootInstaller = true;
+  bootInstaller = false;
   tapdev = "qemu-devver";
-  runArgs = [
+  tapdev-int = "qemu-devver-int";
+  commonArgs = [
     "${qemu-pkg}/bin/qemu-kvm"
     "-name" "devver"
     # https://www.qemu.org/docs/master/system/i386/microvm.html
@@ -30,32 +32,46 @@
     "-device" "virtio-balloon"
     "-object" "memory-backend-memfd,id=mem,size=8G,share=off"
     "-numa" "node,memdev=mem"
+
+    # I don't understand, the docs for "-drive" says it's a shortcut for -blockdev and -device, but all the real-world code has -drive and -device
+    #"-drive" "file=/trip/devver-vm/disk-image/root.img,discard=unmap,if=none,format=raw,cache=none,id=root-disk"
+    "-blockdev" "driver=raw,node-name=root-disk,file.driver=file,file.filename=/trip/devver-vm/disk-image/root.img,discard=unmap,cache.direct=on"
+    "-device" "virtio-blk-device,drive=root-disk,write-cache=off"
     
-    "-fsdev" "local,id=fs0,path=${rootPath},security_model=mapped"
+    "-fsdev" "local,id=fs0,path=${bootPath},security_model=mapped-xattr,fmode=0600,dmode=0700"
-    "-device" "virtio-9p-pci,fsdev=fs0,mount_tag=root"
+    "-device" "virtio-9p-pci,fsdev=fs0,mount_tag=boot"
 
     "-netdev" "tap,id=vm-devver,ifname=${tapdev},script=no,downscript=no"
-    #"-netdev" "bridge,id=vm-devver,br=${config.vacu.network.lan_bridge},helper=/run/wrappers/bin/qemu-bridge-helper"
     #Why 34? No idea! Best hint I could find is in the mailing list about the serial driver: https://lists.nongnu.org/archive/html/qemu-devel/2013-01/msg05952.html
     "-device" "virtio-net-pci,netdev=vm-devver,mac=02:19:07:A2:15:72,romfile=,mq=on,vectors=34"
-
+    "-netdev" "tap,id=vm-devver2,ifname=${tapdev-int},script=no,downscript=no"
-  ] ++ (if bootInstaller then [
+    "-device" "virtio-net-pci,netdev=vm-devver2,romfile=,mq=on,vectors=34"
+  ];
+  installerArgs = [
     # "-boot" "once=d"
     # "-cdrom" "${installerIsoPath}"
     "-drive" "if=virtio,media=cdrom,driver=raw,node-name=disk,file.driver=file,file.filename=${installerIsoPath},file.locking=off,read-only=on"
     "-kernel" "${installer.config.system.build.kernel}/${installer.config.system.boot.loader.kernelFile}"
     "-initrd" "${installer.config.system.build.initialRamdisk}/${installer.config.system.boot.loader.initrdFile}"
     "-append" "${lib.concatStringsSep " " installer.config.boot.kernelParams} init=${installer.config.system.build.toplevel}/init earlyprintk=ttyS0 console=ttyS0 debug"
-  ] else [
+  ];
-    "-kernel" "${rootPath}/boot/kernel"
+  mainArgs = [
-    "-initrd" "${rootPath}/boot/initrd"
+    "-kernel" "${bootPath}/kernel"
-    "-append" "earlyprintk=ttyS0 console=ttyS0 init=/init"
+    "-initrd" "${bootPath}/initrd"
-  ]);
+    "-append" "earlyprintk=ttyS0 console=ttyS0"
+  ];
 
   runScript = ''
+    set -ev
+    declare -a args
+    if [ "x$1" == "x--installer" ]; then
+      args=(${lib.escapeShellArgs (commonArgs ++ installerArgs)})
+    else
+      args=(${lib.escapeShellArgs (commonArgs ++ mainArgs)}" $(cat ${bootPath}/kernel-params)")
+    fi
     d=`mktemp -d --tmpdir qemu-devver-XXXXXXXXX`
     cd $d
-    ${lib.escapeShellArgs runArgs} -D ./log.txt
+    "''${args[@]}"
   '';
 in {
   users.groups.devver = {};
@@ -76,6 +92,18 @@ in {
       # KeepCarrier = true;
     };
   };
+  systemd.network.netdevs.${tapdev-int} = {
+    netdevConfig = {
+      Kind = "tap";
+      Name = tapdev-int;
+    };
+    tapConfig = {
+      User = config.users.users.devver.name;
+      Group = config.users.groups.devver.name;
+      PacketInfo = true;
+      # KeepCarrier = true;
+    };
+  };
   systemd.network.networks."02-vm-devver".extraConfig = ''
     Bridge = ${config.vacu.network.lan_bridge}
 
@@ -85,4 +113,28 @@ in {
     [Link]
     RequiredForOnline = no
   '';
+  systemd.network.networks."02-vm-devver-int".extraConfig = ''
+    Address = 10.110.171.204/31
+    DHCP = no
+    DNS = no
+    LLDP = no
+
+    [Match]
+    Name = ${tapdev-int}
+
+    [Link]
+    RequiredForOnline = no
+  '';
+
+  # networking.firewall.extraCommands = ''
+  #   if ! (iptables -t nat -n --list devver-prerouting > /dev/null 2>&1); then
+  #     iptables -t nat -N devver-prerouting
+  #   fi
+  #   iptables -t nat -F devver-prerouting
+  #   iptables -t nat -A devver-prerouting -p tcp -m tcp --dport 5022 -j DNAT --to-destination 10.78.79.10
+  #   iptables -t nat -I PREROUTING 1 -j devver-prerouting
+  # '';
+  # networking.firewall.extraStopCommands = ''
+  #   iptables -t nat -D PREROUTING -j devver-prerouting || true
+  # '';
 }

triple-dezert/vacustore.nix

@@ -37,6 +37,8 @@
         client_body_timeout 5m;
       '';
 
+      environment.systemPackages = [ config.services.nextcloud.package ]; # make occ command available without having to dig for it
+
       services.nextcloud = {
         enable = true;
         package = pkgs.nextcloud28;
@@ -50,6 +52,13 @@
 
         extraApps = {
           inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts;
+	  appointments = pkgs.fetchNextcloudApp {
+            appName = "appointments";
+	    url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
+	    sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
+	    appVersion = "2.1.4";
+	    license = "agpl3";
+	  };
           gpoddersync = pkgs.fetchNextcloudApp {
             appName = "gpoddersync";
             url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.8.2/gpoddersync.tar.gz";
@@ -111,4 +120,4 @@
       };
     };
   };
-}
+}