wip commands

common-config.nix

@@ -1,214 +0,0 @@
-{ config, pkgs, lib, ... }: with lib; let
-  cfg = config.vacu;
-  knownHosts = attrValues cfg.ssh.knownHosts;
-  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
-  (h: assert h.hostNames != [];
-    optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
-    + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-  )) + "\n";
-in {
-  options = {
-    vacu.ssh.authorizedKeys = mkOption {
-      type = types.listOf types.str;
-    };
-    vacu.ssh.config = mkOption {
-      type = types.lines;
-    };
-    # Straight copied from nixpkgs 
-    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
-    vacu.ssh.knownHosts = mkOption {
-      default = {};
-      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
-        options = {
-          certAuthority = mkOption {
-            type = types.bool;
-            default = false;
-            description = mdDoc ''
-              This public key is an SSH certificate authority, rather than an
-              individual host's key.
-            '';
-          };
-          hostNames = mkOption {
-            type = types.listOf types.str;
-            default = [ name ] ++ config.extraHostNames;
-            defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
-            description = mdDoc ''
-              A list of host names and/or IP numbers used for accessing
-              the host's ssh service. This list includes the name of the
-              containing `knownHosts` attribute by default
-              for convenience. If you wish to configure multiple host keys
-              for the same host use multiple `knownHosts`
-              entries with different attribute names and the same
-              `hostNames` list.
-            '';
-          };
-          extraHostNames = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            description = mdDoc ''
-              A list of additional host names and/or IP numbers used for
-              accessing the host's ssh service. This list is ignored if
-              `hostNames` is set explicitly.
-            '';
-          };
-          publicKey = mkOption {
-            default = null;
-            type = types.nullOr types.str;
-            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-            description = mdDoc ''
-              The public key data for the host. You can fetch a public key
-              from a running SSH server with the {command}`ssh-keyscan`
-              command. The public key should not include any host names, only
-              the key type and the key itself.
-            '';
-          };
-          publicKeyFile = mkOption {
-            default = null;
-            type = types.nullOr types.path;
-            description = mdDoc ''
-              The path to the public key file for the host. The public
-              key file is read at build time and saved in the Nix store.
-              You can fetch a public key file from a running SSH server
-              with the {command}`ssh-keyscan` command. The content
-              of the file should follow the same format as described for
-              the `publicKey` option. Only a single key
-              is supported. If a host has multiple keys, use
-              {option}`programs.ssh.knownHostsFiles` instead.
-            '';
-          };
-        };
-      }));
-      description = mdDoc ''
-        The set of system-wide known SSH hosts. To make simple setups more
-        convenient the name of an attribute in this set is used as a host name
-        for the entry. This behaviour can be disabled by setting
-        `hostNames` explicitly. You can use
-        `extraHostNames` to add additional host names without
-        disabling this default.
-      '';
-      example = literalExpression ''
-        {
-          myhost = {
-            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
-          };
-          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
-          "myhost2.net/dsa" = {
-            hostNames = [ "myhost2.net" ];
-            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
-          };
-        }
-      '';
-    };
-    vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
-    vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
-  };
-  config = {
-    vacu.nix.extraSubstituters = [
-      "https://nixcache.shelvacu.com/"
-      "https://nix-community.cachix.org/"
-    ];
-    vacu.nix.extraTrustedKeys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
-    ];
-    assertions = flip mapAttrsToList cfg.ssh.knownHosts (name: data: {
-      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
-                  (data.publicKey != null && data.publicKeyFile == null);
-      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-    });
-    vacu.ssh.authorizedKeys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
-    ];
-    vacu.ssh.config = ''
-      Host deckvacu
-        User deck
-      
-      Host rsb
-        User user
-        HostName finaltask.xyz
-        Port 2222
-      
-      Host awoo
-        HostName 45.142.157.71
-
-      Host trip
-        HostName trip.shelvacu.com
-        Port 6922
-      
-      Host liam
-        HostName 178.128.79.152
-
-      Host pluto
-        HostName pluto.somevideogam.es
-
-      Host *
-        User shelvacu
-        GlobalKnownHostsFile ${pkgs.writeText "known_hosts" knownHostsText}
-    '';
-
-    vacu.ssh.knownHosts = {
-      #public hosts
-      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-
-      #colin's stuff
-      "uninsane.org" = {
-        extraHostNames = [ "git.uninsane.org" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-      };
-      "desko" = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-      };
-
-      #daymocker's stuff
-      "pluto" = {
-        extraHostNames = [ "74.208.184.137" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
-      };
-
-      #personal hosts
-      "zigbee-hub" = {
-        extraHostNames = [ "10.78.79.114" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN root@zigbee-hub";
-      };
-      trip = {
-        extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
-      };
-      servacu = {
-        extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
-      };
-      finaltask = {
-        extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
-      };
-      compute-deck = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
-      };
-      "2esrever" = {
-        extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
-      };
-      awoo = {
-        extraHostNames = [ "45.142.157.71" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
-      };
-      deckvacu = {
-        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
-      };
-      liam = {
-        extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
-      };
-    };
-  };
-}

common-nixos-config.nix

@@ -1,78 +0,0 @@
-{ lib, pkgs, config, inputs, utils, ... }:
-{
-  imports = [ ./common-config.nix ];
-  options.vacu.acmeCertDependencies = lib.mkOption {
-    default = {};
-    example = ''
-      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
-    '';
-    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
-  };
-  config = let
-    for-systemd-services = lib.concatMapAttrs
-      (cert: units:
-        {
-          "acme-selfsigned-${cert}" = {
-            wantedBy = units;
-            before = units;
-          };
-        }
-      )
-      config.vacu.acmeCertDependencies;
-    for-security-acme-certs = lib.concatMapAttrs
-      (cert: units:
-        {
-          ${cert}.reloadServices = units;
-        }
-      )
-      config.vacu.acmeCertDependencies;
-  in {
-    console = {
-      font = lib.mkDefault "Lat2-Terminus16";
-      keyMap = lib.mkDefault "us";
-    };
-    environment.systemPackages = (import ./common-packages.nix { inherit pkgs inputs; }) ++ [
-      
-    ] ++ (if config.services.xserver.enable then [ pkgs.xorg.xev ] else []);
-
-    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
-    time.timeZone = "America/Los_Angeles";
-
-    users.users.shelvacu = {
-      openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-    };
-    systemd.services = for-systemd-services;
-    security.acme.certs = for-security-acme-certs;
-    services.openssh = {
-      # require public key authentication for better security
-      settings.PasswordAuthentication = false;
-      settings.KbdInteractiveAuthentication = false;
-      settings.PermitRootLogin = "prohibit-password";
-    };
-
-    nix.settings.trusted-users = [ "shelvacu" ];
-    security.sudo.wheelNeedsPassword = lib.mkDefault false;
-
-    programs.screen.screenrc = ''
-      defscrollback 10000
-      termcapinfo xterm* ti@:te@
-    '';
-
-    programs.tmux.enable = true;
-    programs.tmux.extraConfig = "setw mouse";
-    programs.tmux.clock24 = true;
-
-    nix.settings = {
-      experimental-features = [ "nix-command" "flakes" ];
-      substituters = config.vacu.nix.extraSubstituters;
-      trusted-public-keys = config.vacu.nix.extraTrustedKeys;
-    };
-    nixpkgs.config.allowUnfree = lib.mkDefault true;
-
-    programs.mosh.enable = lib.mkDefault true;
-
-    programs.ssh.extraConfig = config.vacu.ssh.config;
-  };
-}

common-packages.nix

@@ -1,37 +0,0 @@
-{ pkgs, inputs }: (with pkgs; [
-  inputs.nix-search-cli.packages.${pkgs.system}.default
-  inputs.nix-inspect.packages.${pkgs.system}.default
-  nixos-rebuild
-  nano
-  vim
-  wget
-  screen
-  tmux
-  lsof
-  htop
-  mosh
-  dnsutils
-  iperf3
-  nmap
-  rsync
-  ethtool
-  sshfs
-  ddrescue
-  pciutils
-  ncdu
-  nix-index
-  git
-  pv
-  unzip
-  file
-  ripgrep
-  jq
-  units
-  tree
-  rclone
-  iputils
-  ssh-to-age
-  sops
-  inetutils
-  neovim
-])

devver/default.nix

@@ -1,53 +1,57 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, modulesPath, ... }:
 
 {
   imports = [
     inputs.homeManager.nixosModules.default
-    # inputs.microvm.nixosModules.microvm
     ../common-nixos-config.nix
+    (modulesPath + "/profiles/qemu-guest.nix")
   ];
+
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
+  boot.extraModulePackages = [ ];
+
   system.nixos.tags = [ "host-${config.networking.hostName}" ];
   networking.hostName = "devver";
-
-  # # blegghh, this should all be in triple-dezert config
-  # microvm.hypervisor = "qemu";
-  # microvm.vcpu = 16;
-  # microvm.mem = 1000;
-  # microvm.balloonMem = 7000;
-  # microvm.interfaces = [{
-  #   type = "bridge";
-  #   bridge = inputs.self.nixosConfigurations.triple-dezert.config.vacu.network.lan_bridge;
-  #   id = "vm-devver";
-  #   mac = "02:19:07:A2:15:72";
-  # }];
-  # microvm.shares = [{
-  #   tag = "root";
-  #   source = "/trip/devver-vm/root";
-  #   mountPoint = "/";
-  #   securityModel = "mapped";
-  #   proto = "9p";
-  # } {
-  #   source = "/trip/devver-vm/nix-store";
-  #   mountPoint = "/nix/store";
-  #   securityModel = "mapped";
-  #   proto = "9p";
-  # }];
-  # microvm.storeOnDisk = true;
   boot.loader.external.enable = true;
-  boot.loader.external.installHook = pkgs.writeScript "vacuDirectBootInstaller" ''
+  boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
-    #TODO: probably copy kernel/initrd to root
+    PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
-    exit 0
+    set -xev
+    mkdir -p /boot
+    cp $1/kernel /boot/kernel
+    cp $1/initrd /boot/initrd
+    cp $1/kernel-params /boot/kernel-params
+    sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
   '';
 
-  fileSystems.root = {
+  users.users.root.shell = pkgs.bashInteractive;
+
+  fileSystems."/boot" = {
     fsType = "9p";
-    device = "root";
+    device = "boot";
-    options = [ "trans=virtio" "msize=104857600" "access=any" "version=9p2000.L" ];
+    options = [
+      "trans=virtio"
+      "access=any"
+      "version=9p2000.L"
+      "posixacl"
+      "cache=mmap"
+      "nofail"
+      "noauto"
+    ];
   };
 
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
+    fsType = "ext4";
+  };
+
+  #boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   services.openssh.enable = true;
 
+  vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
+
   system.stateVersion = "23.11";
 }

flake.lock

@@ -24,11 +24,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713406758,
+        "lastModified": 1717915259,
-        "narHash": "sha256-kwZvhmx+hSZvjzemKxsAqzEqWmXZS47VVwQhNrINORQ=",
+        "narHash": "sha256-VsGPboaleIlPELHY5cNTrXK4jHVmgUra8uC6h7KVC5c=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "1efd500e9805a9efbce401ed5999006d397b9f11",
+        "rev": "1bbdb06f14e2621290b250e631cf3d8948e4d19b",
         "type": "github"
       },
       "original": {
@@ -182,11 +182,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713566308,
+        "lastModified": 1717931644,
-        "narHash": "sha256-7Y91t8pheIzjJveUMAPyeh5NOq5F49Nq4Hl2532QpJs=",
+        "narHash": "sha256-Sz8Wh9cAiD5FhL8UWvZxBfnvxETSCVZlqWSYWaCPyu0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "057117a401a34259c9615ce62218aea7afdee4d3",
+        "rev": "3d65009effd77cb0d6e7520b68b039836a7606cf",
         "type": "github"
       },
       "original": {
@@ -204,11 +204,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713606448,
+        "lastModified": 1717685136,
-        "narHash": "sha256-JMKo6uoAcUip9N10a3r1T2IoLz+pUStwIFrsVW/R4MA=",
+        "narHash": "sha256-S+C/DX5HOhlhJAmcGxbB+Tv6oqZOkr3z/WzPuydXI14=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "96cbbcd3712a0cb7f128c54b21ec2af0950d88d0",
+        "rev": "fd13986ede9b94c50e84aecb2c88863e297bbb52",
         "type": "github"
       },
       "original": {
@@ -226,11 +226,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1715787097,
+        "lastModified": 1717441449,
-        "narHash": "sha256-TPp2j0ttvBvkk4oXidvo8Y071zEab0BtcNsC3ZEkluI=",
+        "narHash": "sha256-juxjgmLnFbl+/hhIO2cVtIa6caCO4pLKlZWUMwAOznM=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "fa673bf8656fe6f28253b83971a36999bc9995d2",
+        "rev": "e3a4dd5b381fb580804105594cc9c71dc45abdb5",
         "type": "github"
       },
       "original": {
@@ -334,11 +334,11 @@
         "parts": "parts_2"
       },
       "locked": {
-        "lastModified": 1713493270,
+        "lastModified": 1717293583,
-        "narHash": "sha256-G5Md4ghux4LBRkPE8vzLTUWxzlQ7s1xKxZ8i3ICWZU8=",
+        "narHash": "sha256-Upz+fnWJjzt5WokjO/iaiPbqiwSrqpWjrpcFOqQ4p0E=",
         "owner": "bluskript",
         "repo": "nix-inspect",
-        "rev": "86f636b1e01579b3a63b2c778c21a818b00c3d1e",
+        "rev": "c55921e1d1cf980ff6351273fde6cedd5d8fa320",
         "type": "github"
       },
       "original": {
@@ -397,11 +397,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709961763,
+        "lastModified": 1717786204,
-        "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
+        "narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
+        "rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
         "type": "github"
       },
       "original": {
@@ -429,11 +429,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1713434076,
+        "lastModified": 1717880976,
-        "narHash": "sha256-+/p5edwlkqKZc6GDAQl+92Hoe1f3NNbUF9uj+X9H3pU=",
+        "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8494ae076b7878d61a7d2d25e89a847fe8f8364c",
+        "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
         "type": "github"
       },
       "original": {
@@ -445,11 +445,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1713537308,
+        "lastModified": 1717786204,
-        "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
+        "narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
+        "rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
         "type": "github"
       },
       "original": {
@@ -458,13 +458,28 @@
         "type": "indirect"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs2405": {
       "locked": {
-        "lastModified": 1713615491,
+        "lastModified": 1718810994,
-        "narHash": "sha256-anw33U3VMlJnFcTs64khnyZHOGPH5dTYZFixpvpuxBI=",
+        "narHash": "sha256-qrHSG34MeJdbK7WO3+NCehOf2p8ptW50UiMTAcs9wHU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0ca25f1cd948ac52e6c0b51bf1b48327728e8328",
+        "rev": "79f152a46bd42ba3a9fe96513e0fd9ac88190079",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.05-small",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1717861563,
+        "narHash": "sha256-qekkLNkKoTJkk9IUJ1wizquB1d1FHWaZP3NQTLorFdI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a6c3bf2daa3bf17c0e76597c36e221ed7dcb2413",
         "type": "github"
       },
       "original": {
@@ -636,6 +651,7 @@
         "nix-search-cli": "nix-search-cli",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixpkgs2405": "nixpkgs2405",
         "padtype": "padtype",
         "sops-nix": "sops-nix",
         "vscode-server": "vscode-server"
@@ -689,11 +705,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1713532771,
+        "lastModified": 1717902109,
-        "narHash": "sha256-vfKxhYVMzG2tg48/1rewBoSLCrKIjQsG1j7Nm/Y2gf4=",
+        "narHash": "sha256-OQTjaEZcByyVmHwJlKp/8SE9ikC4w+mFd3X0jJs6wiA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "a929a011a09db735abc45a8a45d1ff7fdee62755",
+        "rev": "f0922ad001829b400f0160ba85b47d252fa3d925",
         "type": "github"
       },
       "original": {
@@ -793,11 +809,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709622318,
+        "lastModified": 1713958148,
-        "narHash": "sha256-bTscF0366xtoIXgH7Zq+Mn0mpX3w4h/2xKpHiYMyLNc=",
+        "narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
         "owner": "nix-community",
         "repo": "nixos-vscode-server",
-        "rev": "d0ed9b8cf1f0a71f110df9119489ab047e0726bd",
+        "rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
         "type": "github"
       },
       "original": {

flake.nix

@@ -4,7 +4,7 @@
   inputs = {
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
     nixpkgs.url = "nixpkgs/nixos-23.11-small";
-    # nix run github:bluskript/nix-inspect -- --expr 'builtins.getFlake "path:'$PWD'"'
+    nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
     nix-inspect = {
       url = "github:bluskript/nix-inspect";
       #inputs.nixpkgs.follows = "nixpkgs";
@@ -48,6 +48,7 @@
   };
 
   outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
+    debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
     nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
       system =  "x86_64-linux";
       modules = [ ./triple-dezert ];
@@ -56,9 +57,7 @@
 
     nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
       system = "x86_64-linux";
-      modules = [
+      modules = [ ./compute-deck ];
-        ./compute-deck
-      ];
       specialArgs = { inherit inputs; };
     };
 
@@ -68,13 +67,29 @@
       specialArgs = { inherit inputs; };
     };
 
-    # nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
-    #   system =  "x86_64-linux";
+      system = "x86_64-linux";
-    #   modules = [ ./devver ];
+      modules = [ ./lp0 ];
-    #   specialArgs = { inherit inputs; };
+      specialArgs = { inherit inputs; };
-    # };
+    };
     
-    # nixosConfigurations.devver2 = self.nixosConfigurations.devver;
+    nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./installer.nix ];
+      specialArgs = { inherit inputs; };
+    };
+
+    nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
+      system =  "x86_64-linux";
+      modules = [ ./devver ];
+      specialArgs = { inherit inputs; };
+    };
+
+    nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./fw ];
+      specialArgs = { inherit inputs; };
+    };
 
     nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
       modules = [ ./nix-on-droid.nix ];
@@ -120,6 +135,7 @@
       }
     );
 
+    nixosModules.common = import ./common-config.nix;
     packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
   };
 }

fw/default.nix

@@ -0,0 +1,94 @@
+{ config, inputs, pkgs, lib, ... }: {
+  imports = [ 
+    ../common-nixos-config.nix
+  ];
+  system.nixos.tags = [ "host-${config.networking.hostName}" ];
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  networking.networkmanager.enable = true;
+
+  vacu.packages.bitwarden-desktop.enable = true;
+  vacu.packages.nheko.enable = true;
+  vacu.packages.librewolf.enable = true;
+  vacu.packages.brave.enable = true;
+  vacu.packages.thunderbird.enable = true;
+  vacu.packages.wl-clipboard.enable = true;
+  vacu.packages.nextcloud-client.enable = true;
+  vacu.packages.signal-desktop.enable = true;
+  vacu.packages.fw-ectool.enable = true;
+  vacu.packages.framework-tool.enable = true;
+  vacu.packages.iio-sensor-proxy.enable = true;
+  vacu.packages.power-profiles-daemon.enable = true;
+  vacu.packages.acpi.enable = true;
+
+  services.xserver.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.desktopManager.plasma6.enable = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.grub.memtest86.enable = true;
+
+  boot.loader.grub.mirroredBoots = [
+    {
+      devices = [ "nodev" ];
+      path = "/boot0";
+    }
+    {
+      devices = [ "nodev" ];
+      path = "/boot1";
+    }
+  ];
+
+  networking.hostName = "fw"; # Define your hostname.
+  networking.hostId = "c6e309d5";
+  boot.zfs.extraPools = [ "fw" ];
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  systemd.services.zfs-mount.enable = false;
+
+  services.openssh.enable = true;
+  system.stateVersion = "23.11"; # Did you read the comment?
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "fw/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot0" =
+    { device = "/dev/disk/by-label/BOOT0";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/boot1" =
+    { device = "/dev/disk/by-label/BOOT1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  hardware.cpu.amd.updateMicrocode = true;
+  hardware.enableAllFirmware = true;
+  hardware.opengl = {
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+  programs.nix-ld.enable = true;
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true;
+  };
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+  services.blueman.enable = true;
+}

installer.nix

@@ -0,0 +1,18 @@
+{ config, inputs, modulesPath, lib, ... }: {
+  imports = [
+    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+    ./common-nixos-config.nix
+  ];
+  # this is an installer image, created anew every time. There's no state we need to worry about messing up
+  system.stateVersion = config.system.nixos.version; 
+  isoImage.isoBaseName = "nixos-shel-installer";
+  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+  # boot.kernelPatches = [{
+  #   name = "foo";
+  #   patch = null;
+  #   extraStructuredConfig = {
+  #     VIRTIO = lib.kernel.yes;
+  #     VIRTIO_BLK = lib.kernel.yes;
+  #   };
+  # }];
+}

lp0/default.nix

@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ../common-nixos-config.nix
+    ./hardware-config.nix
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "lp0onfire"; # Define your hostname.
+
+  # Set your time zone.
+  time.timeZone = "America/Los_Angeles";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    nano
+    vim
+    wget
+    screen
+    lsof
+    htop
+    mosh
+    dnsutils
+    iperf3
+    nmap
+    rsync
+    ethtool
+    sshfs
+    ddrescue
+    pciutils
+    ncdu
+    nix-index
+    git
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.05"; # Did you read the comment?
+
+  services.openssh.enable = true;
+
+  # system.autoUpgrade.enable = true;
+  # system.autoUpgrade.allowReboot = true;
+  # system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
+  
+  nixpkgs.config.allowUnfree = true;
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [ "1d719394047b32ae" ];
+  };
+
+  #opens udp ports for mosh
+  programs.mosh.enable = true;
+
+  # Disable wifi card; This is sitting directly under a router and I don't want to cause interference.
+  boot.blacklistedKernelModules = [ "iwlwifi" ];
+
+  # networking.nat = {
+  #   enable = true;
+  #   externalInterface = "enp2s0";
+  #   internalIPs = [ "192.168.192.0/24" ];
+  #   internalInterfaces = [ "ztrf26rjvk" ];
+  # };
+}
+

lp0/hardware-config.nix

@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/36B4-78A2";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = true;
+}

nix-on-droid.nix

@@ -2,30 +2,7 @@
 
 {
   imports = [ ./common-config.nix ];
-  # Simply install just the packages
+  environment.packages = config.vacu.packageList;
-  environment.packages = with pkgs; [
-    # User-facing stuff that you really really want to have
-    vim # or some other editor, e.g. nano or neovim
-    nano
-    # Some common stuff that people expect to have
-    diffutils
-    findutils
-    utillinux
-    tzdata
-    hostname
-    man
-    gnugrep
-    #gnupg
-    gnused
-    gnutar
-    bzip2
-    gzip
-    xz
-    zip
-    unzip
-    openssh
-    git
-  ] ++ (import ./common-packages.nix { inherit pkgs inputs; });
 
   environment.etc."resolv.conf".text = lib.mkForce ''
     nameserver 10.78.79.1

package-set.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, lib, ... }: let
+  inherit (lib) mkOption types;
+  pkgOptions = builtins.attrValues config.vacu.packages;
+  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
+  enabledPkgs = builtins.map (o: o.package) enabledOptions;
+in {
+  options = {
+    vacu.packages = mkOption {
+      default = {};
+      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+        options = {
+	  enable = mkOption {
+	    type = types.bool;
+	    default = true;
+	    description = "Will this package be installed (included in environment.systemPackages)";
+	  };
+	  package = mkOption {
+	    type = types.package;
+	    default = pkgs.${name};
+	    defaultText = "pkgs.${name}";
+	  };
+	};
+      }));
+    };
+    vacu.packageList = mkOption {
+      type = types.listOf types.package;
+      readOnly = true;
+    };
+  };
+
+  config.vacu.packageList = enabledPkgs;
+}

triple-dezert/awootrip.nix

@@ -52,6 +52,8 @@ in {
   services.openvpn.servers.${tunnelName} = {
     config = ''
       remote 45.142.157.71
+      # HACK this relies on the static ip being assigned by the router
+      local 10.78.79.237
       dev ${devName}
       dev-type tun
       ifconfig ${tripAddr} ${awooAddr}

triple-dezert/default.nix

@@ -6,7 +6,7 @@
       ./awootrip.nix
       ./frontproxy.nix
       # ./kanidm.nix
-      ./keycloak.nix
+      # ./keycloak.nix
       ./database.nix
       ./vacustore.nix
       ./nix-cache-nginx.nix
@@ -14,7 +14,7 @@
       ./static-stuff.nix
       #./vms.nix
       ./networking.nix
-      #./devver-host.nix
+      ./devver-host.nix
     ];
 
   system.nixos.tags = [ "host-${config.networking.hostName}" ];

triple-dezert/devver-host.nix

@@ -1,23 +1,31 @@
-{ pkgs, lib, config, ... }: let
+{ pkgs, lib, config, inputs, ... }: let
   qemu-pkg = pkgs.qemu_kvm;
-  rootPath = "/trip/devver-vm/root";
+  #rootPath = "/trip/devver-vm/root";
-  runArgs = [
+  bootPath = "/trip/devver-vm/boot";
-    (lib.qemu-common.qemuBinary qemu-pkg)
+  installer = inputs.self.nixosConfigurations.shel-installer;
+  installerIsoDeriv = installer.config.system.build.isoImage;
+  installerIsoPath = "${installerIsoDeriv}/iso/${installerIsoDeriv.name}";
+  bootInstaller = false;
+  tapdev = "qemu-devver";
+  tapdev-int = "qemu-devver-int";
+  commonArgs = [
+    "${qemu-pkg}/bin/qemu-kvm"
     "-name" "devver"
     # https://www.qemu.org/docs/master/system/i386/microvm.html
     # "microvm" is basically no-batteries-included, and should allow including only the things we need
-    "-machine" "microvm,accel=kvm,vmport=off,dump-guest-core=off,mem-merge=off,acpi=on,pcie=on,pic=off,pit=off,usb=off"
+    "-machine" "microvm,accel=kvm,dump-guest-core=off,mem-merge=off,acpi=on,pcie=on,pic=off,pit=off,usb=off"
     "-m" "8G"
     "-smp" "12"
     "-nodefaults"
     "-no-user-config"
     "-chardev" "stdio,id=stdio,signal=off"
     "-serial" "chardev:stdio"
+    "-monitor" "none"
     "-device" "virtio-rng-pci"
     "-enable-kvm"
     "-cpu" "host,-sgx"
     "-usb"
-    "-device usb-kbd"
+    "-device" "usb-kbd"
     "-nographic"
     # do I need/want QMP here?
 
@@ -25,21 +33,108 @@
     "-object" "memory-backend-memfd,id=mem,size=8G,share=off"
     "-numa" "node,memdev=mem"
 
-    "-fsdev" "local,id=fs0,path=${rootPath},security_model=mapped"
+    # I don't understand, the docs for "-drive" says it's a shortcut for -blockdev and -device, but all the real-world code has -drive and -device
-    "-device" "virtio-9p-pci,fsdev=fs0,mount_tag=root"
+    #"-drive" "file=/trip/devver-vm/disk-image/root.img,discard=unmap,if=none,format=raw,cache=none,id=root-disk"
+    "-blockdev" "driver=raw,node-name=root-disk,file.driver=file,file.filename=/trip/devver-vm/disk-image/root.img,discard=unmap,cache.direct=on"
+    "-device" "virtio-blk-device,drive=root-disk,write-cache=off"
     
-    "-netdev" "bridge,id=vm-devver,br=${config.vacu.network.lan_bridge},helper=/run/wrappers/bin/qemu-bridge-helper,queues=12"
+    "-fsdev" "local,id=fs0,path=${bootPath},security_model=mapped-xattr,fmode=0600,dmode=0700"
+    "-device" "virtio-9p-pci,fsdev=fs0,mount_tag=boot"
+
+    "-netdev" "tap,id=vm-devver,ifname=${tapdev},script=no,downscript=no"
     #Why 34? No idea! Best hint I could find is in the mailing list about the serial driver: https://lists.nongnu.org/archive/html/qemu-devel/2013-01/msg05952.html
     "-device" "virtio-net-pci,netdev=vm-devver,mac=02:19:07:A2:15:72,romfile=,mq=on,vectors=34"
-
+    "-netdev" "tap,id=vm-devver2,ifname=${tapdev-int},script=no,downscript=no"
-    "-append" "earlyprintk=ttyS0 console=ttyS0 init=/init"
+    "-device" "virtio-net-pci,netdev=vm-devver2,romfile=,mq=on,vectors=34"
-    "-kernel" "${rootPath}/boot/kernel"
-    "-initrd" "${rootPath}/boot/initrd"
   ];
+  installerArgs = [
+    # "-boot" "once=d"
+    # "-cdrom" "${installerIsoPath}"
+    "-drive" "if=virtio,media=cdrom,driver=raw,node-name=disk,file.driver=file,file.filename=${installerIsoPath},file.locking=off,read-only=on"
+    "-kernel" "${installer.config.system.build.kernel}/${installer.config.system.boot.loader.kernelFile}"
+    "-initrd" "${installer.config.system.build.initialRamdisk}/${installer.config.system.boot.loader.initrdFile}"
+    "-append" "${lib.concatStringsSep " " installer.config.boot.kernelParams} init=${installer.config.system.build.toplevel}/init earlyprintk=ttyS0 console=ttyS0 debug"
+  ];
+  mainArgs = [
+    "-kernel" "${bootPath}/kernel"
+    "-initrd" "${bootPath}/initrd"
+    "-append" "earlyprintk=ttyS0 console=ttyS0"
+  ];
+
   runScript = ''
-    #!${pkgs.sh}
+    set -ev
-    ${lib.escapeShellArgs runArgs}
+    declare -a args
+    if [ "x$1" == "x--installer" ]; then
+      args=(${lib.escapeShellArgs (commonArgs ++ installerArgs)})
+    else
+      args=(${lib.escapeShellArgs (commonArgs ++ mainArgs)}" $(cat ${bootPath}/kernel-params)")
+    fi
+    d=`mktemp -d --tmpdir qemu-devver-XXXXXXXXX`
+    cd $d
+    "''${args[@]}"
   '';
 in {
+  users.groups.devver = {};
+  users.users.devver = {
+    isSystemUser = true;
+    group = config.users.groups.devver.name;
+  };
+  environment.systemPackages = [(pkgs.writeScriptBin "run-devver" runScript) qemu-pkg];
+  systemd.network.netdevs.${tapdev} = {
+    netdevConfig = {
+      Kind = "tap";
+      Name = tapdev;
+    };
+    tapConfig = {
+      User = config.users.users.devver.name;
+      Group = config.users.groups.devver.name;
+      PacketInfo = true;
+      # KeepCarrier = true;
+    };
+  };
+  systemd.network.netdevs.${tapdev-int} = {
+    netdevConfig = {
+      Kind = "tap";
+      Name = tapdev-int;
+    };
+    tapConfig = {
+      User = config.users.users.devver.name;
+      Group = config.users.groups.devver.name;
+      PacketInfo = true;
+      # KeepCarrier = true;
+    };
+  };
+  systemd.network.networks."02-vm-devver".extraConfig = ''
+    Bridge = ${config.vacu.network.lan_bridge}
 
+    [Match]
+    Name = ${tapdev}
+
+    [Link]
+    RequiredForOnline = no
+  '';
+  systemd.network.networks."02-vm-devver-int".extraConfig = ''
+    Address = 10.110.171.204/31
+    DHCP = no
+    DNS = no
+    LLDP = no
+
+    [Match]
+    Name = ${tapdev-int}
+
+    [Link]
+    RequiredForOnline = no
+  '';
+
+  # networking.firewall.extraCommands = ''
+  #   if ! (iptables -t nat -n --list devver-prerouting > /dev/null 2>&1); then
+  #     iptables -t nat -N devver-prerouting
+  #   fi
+  #   iptables -t nat -F devver-prerouting
+  #   iptables -t nat -A devver-prerouting -p tcp -m tcp --dport 5022 -j DNAT --to-destination 10.78.79.10
+  #   iptables -t nat -I PREROUTING 1 -j devver-prerouting
+  # '';
+  # networking.firewall.extraStopCommands = ''
+  #   iptables -t nat -D PREROUTING -j devver-prerouting || true
+  # '';
 }

triple-dezert/frontproxy.nix

@@ -67,7 +67,7 @@ in {
       networking.hosts = {
         "${outer_config.containers.vacustore.localAddress}" = [ "vacustore" ];
         "127.4.20.165" = [ "kani" ];
-        "${outer_config.containers.keycloak.localAddress}" = [ "keycloak" ];
+        # "${outer_config.containers.keycloak.localAddress}" = [ "keycloak" ];
         "${outer_config.containers.nix-cache-nginx.localAddress}" = [ "nix-cache" ];
         "${outer_config.containers.jl-stats.localAddress}" = [ "jl_stats" ];
         "${outer_config.containers.static-stuff.localAddress}" = [ "static_stuff" ];

triple-dezert/haproxy-config.cfg

@@ -37,7 +37,7 @@ frontend main
   acl ssl_sni_http_host_match ssl_fc_sni,strcmp(req.host) eq 0
 
   acl host_vacustore var(req.host) -m str "vacu.store"
-  acl host_auth var(req.host) -m str "auth.shelvacu.com"
+  # acl host_auth var(req.host) -m str "auth.shelvacu.com"
   acl host_cache var(req.host) -m str "nixcache.shelvacu.com"
   acl host_stats_jl var(req.host) -m str "stats.jean-luc.org"
   acl host_tulpaudcast_jl var(req.host) -m str "tulpaudcast.jean-luc.org"
@@ -59,7 +59,7 @@ frontend main
   http-request return string "Shelvacu is awesome" content-type text/plain if { path / } { var(req.host) -m str "shelvacu.com" }
   http-request return string "Jean-luc is awesome" content-type text/plain if { path / } { var(req.host) -m str "jean-luc.org" }
   http-request allow if host_vacustore
-  http-request allow if host_auth
+  # http-request allow if host_auth
   http-request allow if host_cache
   http-request allow if host_stats_jl
   http-request allow if host_tulpaudcast_jl
@@ -67,7 +67,7 @@ frontend main
   http-request return status 404 string "not found" content-type text/plain
 
   use_backend vacustore if host_vacustore
-  use_backend keycloak if host_auth
+  # use_backend keycloak if host_auth
   use_backend nix-cache if host_cache
   use_backend jl_stats if host_stats_jl
   use_backend static_stuff if host_tulpaudcast_jl
@@ -83,11 +83,11 @@ backend kani
   option forwardfor
   server main kani:8443 check maxconn 500 ssl verify none ssl-reuse
 
-backend keycloak
+# backend keycloak
-  mode http
+#   mode http
-  option forwardfor
+#   option forwardfor
-  option forwarded proto host for
+#   option forwarded proto host for
-  server main keycloak:80 check maxconn 500 proto h1
+#   server main keycloak:80 check maxconn 500 proto h1
 
 backend nix-cache
   mode http

triple-dezert/vacustore.nix

@@ -37,6 +37,8 @@
         client_body_timeout 5m;
       '';
 
+      environment.systemPackages = [ config.services.nextcloud.package ]; # make occ command available without having to dig for it
+
       services.nextcloud = {
         enable = true;
         package = pkgs.nextcloud28;
@@ -50,6 +52,13 @@
 
         extraApps = {
           inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts;
+	  appointments = pkgs.fetchNextcloudApp {
+            appName = "appointments";
+	    url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
+	    sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
+	    appVersion = "2.1.4";
+	    license = "agpl3";
+	  };
           gpoddersync = pkgs.fetchNextcloudApp {
             appName = "gpoddersync";
             url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.8.2/gpoddersync.tar.gz";