Add a build for the yubikey management raspberry pi image.

Move ansible-sshjail and zsh-histdb into my config instead of living as separate flakes.
Support running arm code on x86.
2025-10-08 21:24:44 -04:00 · 2025-10-05 21:37:57 -04:00 · 2025-10-05 20:43:04 -04:00 · 2025-10-05 20:04:03 -04:00 · 2025-10-05 15:17:34 -04:00 · 2025-10-05 14:55:42 -04:00
258 changed files with 40566 additions and 1278 deletions
--- a/ansible/roles/base/files/gitconfig_home
+++ b/ansible/roles/base/files/gitconfig_home
@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
 	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
--- a/ansible/roles/base/files/gitconfig_work
+++ b/ansible/roles/base/files/gitconfig_work
@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
 	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
--- a/ansible/roles/sftp/tasks/common.yaml
+++ b/ansible/roles/sftp/tasks/common.yaml
@@ -64,6 +64,23 @@
 #     force: true
 #   diff: false
 - name: Create directories
  file:
    name: "{{ item }}"
    state: directory
    mode: 0700
    owner: nochainstounlock
    group: nochainstounlock
  loop:
    - /home/nochainstounlock/.ssh
 - name: Set authorized keys
  authorized_key:
    user: nochainstounlock
    key: |
      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrjXsXjtxEm47XnRZfo67kJULoc0NBLrB0lPYFiS2Ar kodi@neelix
    exclusive: true
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
--- a/ansible/roles/sshd/files/keys/yubikey.pub
+++ b/ansible/roles/sshd/files/keys/yubikey.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8
--- a/nix/configuration/.gitignore
+++ b/nix/configuration/.gitignore
@@ -0,0 +1 @@
 result
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -2,49 +2,88 @@
  config,
  lib,
  pkgs,
  pkgs-unstable,
  home-manager,
  ...
 }:
 {
  imports = [
-    ./roles/reset
+    ./roles/2ship2harkinian
    ./util/unfree_polyfill
    ./roles/iso
    ./hosts/odo
    "${
      builtins.fetchTarball {
        url = "https://github.com/nix-community/disko/archive/refs/tags/v1.9.0.tar.gz";
        sha256 = "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388";
      }
    }/module.nix"
    ./roles/boot
    ./roles/zfs
    ./roles/network
    ./roles/firewall
    ./roles/zsh
    ./roles/graphics
    ./roles/sound
    ./roles/sway
    ./roles/alacritty
-    ./roles/firefox
+    ./roles/amd_s2idle
-    ./roles/chromium
+    ./roles/ansible
    ./roles/emacs
    ./roles/git
    ./roles/fonts
    ./roles/gpg
    ./roles/waybar
    ./roles/qemu
    ./roles/wireguard
    ./roles/ares
-    ./roles/ssh
+    ./roles/bluetooth
-    ./roles/python
+    ./roles/boot
    ./roles/chromecast
    ./roles/chromium
    ./roles/d2
    ./roles/direnv
    ./roles/distributed_build
    ./roles/docker
    ./roles/ecc
    ./roles/emacs
    ./roles/emulate_isa
    ./roles/firefox
    ./roles/firewall
    ./roles/flux
    ./roles/fonts
    ./roles/gcloud
    ./roles/git
    ./roles/global_options
    ./roles/gnuplot
    ./roles/gpg
    ./roles/graphics
    ./roles/hydra
    ./roles/iso
    ./roles/iso_mount
    ./roles/kanshi
    ./roles/kodi
    ./roles/kubernetes
-    ./roles/rust
+    ./roles/latex
    ./roles/launch_keyboard
    ./roles/lvfs
    ./roles/media
    ./roles/memtest86
    ./roles/network
    ./roles/nix_index
    ./roles/nix_worker
    ./roles/nvme
    ./roles/openpgp_card_tools
    ./roles/optimized_build
    ./roles/pcsx2
    ./roles/podman
    ./roles/python
    ./roles/qemu
    ./roles/reset
    ./roles/rpcs3
    ./roles/rust
    ./roles/sequoia
    ./roles/shadps4
    ./roles/shikane
    ./roles/shipwright
    ./roles/sm64ex
    ./roles/sops
    ./roles/sound
    ./roles/spaghettikart
    ./roles/ssh
    ./roles/steam
    ./roles/steam_run_free
    ./roles/sway
    ./roles/tekton
    ./roles/terraform
    ./roles/thunderbolt
    ./roles/uutils
    ./roles/vnc_client
    ./roles/vscode
    ./roles/wasm
    ./roles/waybar
    ./roles/wireguard
    ./roles/yubikey
    ./roles/zfs
    ./roles/zrepl
    ./roles/zsh
    ./util/install_files
    ./util/unfree_polyfill
  ];
  nix.settings.experimental-features = [
@@ -56,6 +95,20 @@
  # boot.kernelPackages = pkgs.linuxPackages_6_11;
  hardware.enableRedistributableFirmware = true;
  # Use nixos-rebuild-ng
  # system.rebuild.enableNg = true;
  # Keep outputs so we can build offline.
  nix.extraOptions = ''
    keep-outputs = true
    keep-derivations = true
    substitute = false
  '';
  # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
  boot.supportedFilesystems.zfs = true;
  # TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ?
  services.getty = {
    autologinUser = "talexander"; # I use full disk encryption so the user password is irrelevant.
    autologinOnce = true;
@@ -73,33 +126,24 @@
    # Generate with `mkpasswd -m scrypt`
    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
    ];
  };
  users.groups.talexander.gid = 11235;
  home-manager.users.talexander =
    { pkgs, ... }:
    {
      home.packages = [
        pkgs.atool
        pkgs.httpie
      ];
      programs.bash.enable = true;
      # The state version is required and should stay at the version you
      # originally installed.
      home.stateVersion = "24.11";
    };
  # Automatic garbage collection
-  nix.gc = {
+  nix.gc = lib.mkIf (!config.me.buildingIso) {
    # Runs nix-collect-garbage --delete-older-than 5d
    automatic = true;
-    randomizedDelaySec = "14m";
+    persistent = true;
    dates = "monthly";
    # randomizedDelaySec = "14m";
    options = "--delete-older-than 30d";
  };
  nix.settings.auto-optimise-store = !config.me.buildingIso;
  nix.settings.substituters = lib.mkForce [ ];
  # Use doas instead of sudo
  security.doas.enable = true;
@@ -113,9 +157,6 @@
    }
  ];
  # Do not use default packages (nixos includes some defaults like nano)
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [
    wget
    mg
@@ -126,15 +167,23 @@
    file
    usbutils # for lsusb
    pciutils # for lspci
    mesa-demos # for glxgears TODO move to better role
    vulkan-tools # for vkcube TODO move to better role
    xorg.xeyes # to test which windows are using x11 TODO move to better role
    ripgrep
    strace
    # ltrace # Disabled because it uses more than 48GB of /tmp space during test phase.
    trace-cmd # ftrace
    tcpdump
    git-crypt
    nix-index-unwrapped
    gnumake
    ncdu
    nix-tree
    libarchive # bsdtar
    lsof
    doas-sudo-shim # To support --sudo for remote builds
    dmidecode # Read SMBIOS information.
    ipcalc
    gptfdisk # for cgdisk
    nix-output-monitor # For better view into nixos-rebuild
    nix-serve-ng # Serve nix store over http
  ];
  services.openssh = {
@@ -163,7 +212,6 @@
      "/var/lib/nixos" # Contains user information (uids/gids)
      "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
      "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
      "/etc/zfs/zpool.cache" # Which zpools to import, the root zpool is already imported and does not need this cache file but this captures additional pools. TODO consider setting cachefile=none on main pool.
    ];
    files = [
      "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
@@ -172,10 +220,16 @@
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
-    # users.talexander = {
+    users.talexander = {
-    #   directories = [];
+      directories = [
-    #   files = [];
+        {
-    # };
+          directory = "persist";
          user = "talexander";
          group = "talexander";
          mode = "0700";
        }
      ];
    };
  };
  # Write a list of the currently installed packages to /etc/current-system-packages
@@ -187,12 +241,24 @@
    in
    formatted;
  # environment.etc."system-packages-with-source".text = builtins.concatStringsSep "\n\n" (
  #   builtins.map (
  #     x: x.file + "\n" + builtins.concatStringsSep "\n" (builtins.map (s: "  " + s) x.value)
  #   ) config.environment.systemPackages.definitionsWithLocations
  # );
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     nix = pkgs-unstable.nix;
  #   })
  # ];
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     foot = throw "foo";
  #   })
  # ];
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
--- a/nix/configuration/flake.lock
+++ b/nix/configuration/flake.lock
@@ -1,18 +1,12 @@
 {
  "nodes": {
    "crane": {
      "inputs": {
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1717535930,
+        "lastModified": 1731098351,
-        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
        "type": "github"
      },
      "original": {
@@ -21,6 +15,26 @@
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1758287904,
        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "disko",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
@@ -45,11 +59,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717285511,
+        "lastModified": 1730504689,
-        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
@@ -58,42 +72,6 @@
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@@ -116,34 +94,13 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1736373539,
        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-24.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1734945620,
+        "lastModified": 1737831083,
-        "narHash": "sha256-olIfsfJK4/GFmPH8mXMmBDAkzVQ1TWJmeGT3wBGfQPY=",
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "d000479f4f41390ff7cf9204979660ad5dd16176",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
        "type": "github"
      },
      "original": {
@@ -157,7 +114,6 @@
        "crane": "crane",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
@@ -165,75 +121,75 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1718178907,
+        "lastModified": 1737639419,
-        "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "v0.4.1",
+        "ref": "v0.4.2",
        "repo": "lanzaboote",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1736200483,
+        "lastModified": 1759381078,
-        "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=",
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs-b93b4e9b5": {
+    "nixpkgs-dda3dcd3f": {
      "locked": {
-        "lastModified": 1713721570,
+        "lastModified": 1746663147,
-        "narHash": "sha256-R0s+O5UjTePQRb72XPgtkTmEiOOW8n+1q9Gxt/OJnKU=",
+        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b93b4e9b527904aadf52dba6ca35efde2067cbd4",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b93b4e9b527904aadf52dba6ca35efde2067cbd4",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1710695816,
+        "lastModified": 1730741070,
-        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-unoptimized": {
      "locked": {
-        "lastModified": 1736012469,
+        "lastModified": 1759381078,
-        "narHash": "sha256-/qlNWm/IEVVH7GfgAIyP6EsVZI6zjAx1cV5zNyrs+rI=",
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8f3e1f807051e32d8c95cd12b9b421623850a34d",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
@@ -257,11 +213,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1717664902,
+        "lastModified": 1731363552,
-        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
        "type": "github"
      },
      "original": {
@@ -272,32 +228,27 @@
    },
    "root": {
      "inputs": {
-        "home-manager": "home-manager",
+        "disko": "disko",
        "impermanence": "impermanence",
        "lanzaboote": "lanzaboote",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-b93b4e9b5": "nixpkgs-b93b4e9b5",
+        "nixpkgs-dda3dcd3f": "nixpkgs-dda3dcd3f",
-        "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixpkgs-unoptimized": "nixpkgs-unoptimized"
        "zsh-histdb": "zsh-histdb"
      }
    },
    "rust-overlay": {
      "inputs": {
        "flake-utils": [
          "lanzaboote",
          "flake-utils"
        ],
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1717813066,
+        "lastModified": 1731897198,
-        "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
        "type": "github"
      },
      "original": {
@@ -305,54 +256,6 @@
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "zsh-histdb": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1,
        "narHash": "sha256-TFks1dvPwAXKQeePh9jmxj06ZfXArH1pN9yXVQWeL6w=",
        "path": "flakes/zsh-histdb",
        "type": "path"
      },
      "original": {
        "path": "flakes/zsh-histdb",
        "type": "path"
      }
    }
  },
  "root": "root",
--- a/nix/configuration/flake.nix
+++ b/nix/configuration/flake.nix
@@ -3,7 +3,7 @@
 #   output: result/iso/nixos.iso
 # Run the ISO image
-#   "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
+#   doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
 #        -accel kvm \
 #        -cpu host \
 #        -smp cores=8 \
@@ -12,11 +12,11 @@
 #        -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" \
 #        -nic user,hostfwd=tcp::60022-:22 \
 #        -boot order=d \
-#        -cdrom "$(readlink -f ./result/iso/nixos.iso)" \
+#        -cdrom "$(readlink -f ./result/iso/nixos*.iso)" \
 #        -display vnc=127.0.0.1:0
 #
 # doas cp "$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF_VARS.fd" /tmp/OVMF_VARS.fd
-# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" -accel kvm -cpu host -smp cores=8 -m 32768 -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" -nic user,hostfwd=tcp::60022-:22 -boot order=d -cdrom /persist/machine_setup/nix/configuration/result/iso/nixos.iso -display vnc=127.0.0.1:0
+# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" -accel kvm -cpu host -smp cores=8 -m 32768 -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" -nic user,hostfwd=tcp::60022-:22 -boot order=d -cdrom /persist/machine_setup/nix/configuration/result/iso/nixos*.iso -display vnc=127.0.0.1:0
 # Get a repl for this flake
 #   nix repl --expr "builtins.getFlake \"$PWD\""
@@ -25,26 +25,32 @@
 # iso.odo.isoName == "nixos.iso"
 # full path = <outPath> / iso / <isoName>
 #
 # Install on a new machine:
 #
 #
 # doas nix --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/odo/disk-config.nix
 # for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 # nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#vm_ionlybootzfs"
 #
 {
  description = "My system configuration";
  inputs = {
    impermanence.url = "github:nix-community/impermanence";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-dda3dcd3f.url = "github:NixOS/nixpkgs/dda3dcd3fe03e991015e9a74b22d35950f264a54";
-    nixpkgs-b93b4e9b5.url = "github:NixOS/nixpkgs/b93b4e9b527904aadf52dba6ca35efde2067cbd4";
+    nixpkgs-unoptimized.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager/release-24.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.1";
+      url = "github:nix-community/lanzaboote/v0.4.2";
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    zsh-histdb = {
+    disko = {
-      url = "path:flakes/zsh-histdb";
+      url = "github:nix-community/disko";
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
@@ -53,59 +59,184 @@
    {
      self,
      nixpkgs,
-      nixpkgs-unstable,
+      nixpkgs-unoptimized,
-      nixpkgs-b93b4e9b5,
+      nixpkgs-dda3dcd3f,
      impermanence,
      home-manager,
      lanzaboote,
      zsh-histdb,
      ...
    }@inputs:
    let
      base_x86_64_linux = rec {
        system = "x86_64-linux";
        specialArgs = {
-          pkgs-b93b4e9b5 = import nixpkgs-b93b4e9b5 {
+          pkgs-dda3dcd3f = import nixpkgs-dda3dcd3f {
            inherit system;
          };
-          pkgs-unstable = import nixpkgs-unstable {
+          pkgs-unoptimized = import nixpkgs-unoptimized {
            inherit system;
            hostPlatform.gcc.arch = "default";
            hostPlatform.gcc.tune = "default";
          };
        };
        modules = [
          impermanence.nixosModules.impermanence
          home-manager.nixosModules.home-manager
          lanzaboote.nixosModules.lanzaboote
-          {
+          inputs.disko.nixosModules.disko
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
          }
          { nixpkgs.overlays = [ zsh-histdb.overlays.default ]; }
          ./configuration.nix
        ];
      };
-      systems = {
+      systems =
-        odo = {
+        let
-          main = nixpkgs.lib.nixosSystem (base_x86_64_linux // { });
+          additional_iso_modules = [
-          iso = nixpkgs.lib.nixosSystem (
+            (nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix")
-            base_x86_64_linux
+            # TODO: Figure out how to do image based appliances
-            // {
+            # (nixpkgs + "/nixos/modules/profiles/image-based-appliance.nix")
            {
              isoImage.makeEfiBootable = true;
              isoImage.makeUsbBootable = true;
              me.buildingIso = true;
              me.optimizations.enable = nixpkgs.lib.mkForce false;
            }
            {
              # These are big space hogs. The chance that I need them on an ISO is slim.
              me.steam.enable = nixpkgs.lib.mkForce false;
              me.pcsx2.enable = nixpkgs.lib.mkForce false;
            }
          ];
          additional_vm_modules = [
            (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
            {
              networking.dhcpcd.enable = true;
              networking.useDHCP = true;
              me.optimizations.enable = nixpkgs.lib.mkForce false;
            }
            {
              # I don't need games on a virtual machine.
              me.steam.enable = nixpkgs.lib.mkForce false;
              me.pcsx2.enable = nixpkgs.lib.mkForce false;
              me.sm64ex.enable = nixpkgs.lib.mkForce false;
              me.shipwright.enable = nixpkgs.lib.mkForce false;
              me.ship2harkinian.enable = nixpkgs.lib.mkForce false;
            }
          ];
        in
        {
          odo = rec {
            main = base_x86_64_linux // {
              modules = base_x86_64_linux.modules ++ [
-                (nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix")
+                ./hosts/odo
-                # TODO: maybe?  imports = [ "${modulesPath}/profiles/image-based-appliance.nix" ];
+              ];
            };
            iso = main // {
              modules = main.modules ++ additional_iso_modules;
            };
            vm = main // {
              modules = main.modules ++ additional_vm_modules;
            };
            vm_iso = main // {
              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
            };
          };
          quark = rec {
            main = base_x86_64_linux // {
              modules = base_x86_64_linux.modules ++ [
                ./hosts/quark
              ];
            };
            iso = main // {
              modules = main.modules ++ additional_iso_modules;
            };
            vm = main // {
              modules = main.modules ++ additional_vm_modules;
            };
            vm_iso = main // {
              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
            };
          };
          neelix = rec {
            main = base_x86_64_linux // {
              modules = base_x86_64_linux.modules ++ [
                ./hosts/neelix
              ];
            };
            iso = main // {
              modules = main.modules ++ additional_iso_modules;
            };
            vm = main // {
              modules = main.modules ++ additional_vm_modules;
            };
            vm_iso = main // {
              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
            };
          };
          hydra =
            let
              hydra_additional_iso_modules = additional_iso_modules ++ [
                {
-                  isoImage.makeEfiBootable = true;
+                  me.optimizations.enable = true;
                  isoImage.makeUsbBootable = true;
                  me.buildingIso = true;
                }
              ];
-            }
+            in
-          );
+            rec {
              main = base_x86_64_linux // {
                modules = base_x86_64_linux.modules ++ [
                  ./hosts/hydra
                ];
              };
              iso = main // {
                modules = main.modules ++ hydra_additional_iso_modules;
              };
              vm = main // {
                modules = main.modules ++ additional_vm_modules;
              };
              vm_iso = main // {
                modules = main.modules ++ additional_vm_modules ++ hydra_additional_iso_modules;
              };
            };
          ionlybootzfs = rec {
            main = base_x86_64_linux // {
              modules = base_x86_64_linux.modules ++ [
                ./hosts/ionlybootzfs
              ];
            };
            iso = main // {
              modules = main.modules ++ additional_iso_modules;
            };
            vm = main // {
              modules = main.modules ++ additional_vm_modules;
            };
            vm_iso = main // {
              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
            };
          };
        };
      };
    in
    {
-      nixosConfigurations.odo = systems.odo.main;
+      nixosConfigurations.odo = nixpkgs.lib.nixosSystem systems.odo.main;
-      iso.odo = systems.odo.iso.config.system.build.isoImage;
+      iso.odo = (nixpkgs.lib.nixosSystem systems.odo.iso).config.system.build.isoImage;
      nixosConfigurations.vm_odo = nixpkgs.lib.nixosSystem systems.odo.vm;
      vm_iso.odo = (nixpkgs.lib.nixosSystem systems.odo.vm_iso).config.system.build.isoImage;
      nixosConfigurations.quark = nixpkgs.lib.nixosSystem systems.quark.main;
      iso.quark = (nixpkgs.lib.nixosSystem systems.quark.iso).config.system.build.isoImage;
      nixosConfigurations.vm_quark = nixpkgs.lib.nixosSystem systems.quark.vm;
      vm_iso.quark = (nixpkgs.lib.nixosSystem systems.quark.vm_iso).config.system.build.isoImage;
      nixosConfigurations.neelix = nixpkgs.lib.nixosSystem systems.neelix.main;
      iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.iso).config.system.build.isoImage;
      nixosConfigurations.vm_neelix = nixpkgs.lib.nixosSystem systems.neelix.vm;
      vm_iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.vm_iso).config.system.build.isoImage;
      nixosConfigurations.hydra = nixpkgs.lib.nixosSystem systems.hydra.main;
      iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.iso).config.system.build.isoImage;
      nixosConfigurations.vm_hydra = nixpkgs.lib.nixosSystem systems.hydra.vm;
      vm_iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.vm_iso).config.system.build.isoImage;
      nixosConfigurations.ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.main;
      iso.ionlybootzfs = (nixpkgs.lib.nixosSystem systems.ionlybootzfs.iso).config.system.build.isoImage;
      nixosConfigurations.vm_ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm;
      vm_iso.ionlybootzfs =
        (nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm_iso).config.system.build.isoImage;
    };
 }
--- a/nix/configuration/flakes/zsh-histdb/flake.lock
+++ b/nix/configuration/flakes/zsh-histdb/flake.lock
@@ -1,61 +0,0 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1735141468,
        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/configuration/flakes/zsh-histdb/flake.nix
+++ b/nix/configuration/flakes/zsh-histdb/flake.nix
@@ -1,34 +0,0 @@
 {
  description = "A slightly better history for zsh";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
  inputs.flake-utils.url = "github:numtide/flake-utils";
  outputs =
    {
      self,
      nixpkgs,
      flake-utils,
      ...
    }:
    let
      out =
        system:
        let
          pkgs = nixpkgs.legacyPackages.${system};
          # Maybe pkgs = import nixpkgs { inherit system; }; ?
          appliedOverlay = self.overlays.default pkgs pkgs;
        in
        {
          packages = rec {
            default = zsh-histdb;
            zsh-histdb = appliedOverlay.zsh-histdb;
          };
        };
    in
    flake-utils.lib.eachDefaultSystem out
    // {
      overlays.default = final: prev: {
        zsh-histdb = final.callPackage ./package.nix { };
      };
    };
 }
--- a/nix/configuration/hosts/hydra/DEPLOY_BOOT
+++ b/nix/configuration/hosts/hydra/DEPLOY_BOOT
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=hydra
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#hydra'
--- a/nix/configuration/hosts/hydra/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/hydra/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=hydra
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#hydra'
--- a/nix/configuration/hosts/hydra/ISO
+++ b/nix/configuration/hosts/hydra/ISO
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/VM_ISO
+++ b/nix/configuration/hosts/hydra/VM_ISO
@@ -0,0 +1,13 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#vm_iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 install -m 0644 result/iso/nixos-*-x86_64-linux.iso ~/hydra.iso
 unlink ./result
--- a/nix/configuration/hosts/hydra/default.nix
+++ b/nix/configuration/hosts/hydra/default.nix
@@ -0,0 +1,67 @@
 #
 # Testing:
 # doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
 #      -accel kvm \
 #      -cpu host \
 #      -smp cores=8 \
 #      -m 32768 \
 #      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
 #      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
 #      -device nvme,serial=deadbeef,drive=nvm \
 #      -nic user,hostfwd=tcp::60022-:22 \
 #      -boot order=d \
 #      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
 #      -display vnc=127.0.0.1:0
 #
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./disk-config.nix
    ./hardware-configuration.nix
    ./vm_disk.nix
  ];
  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
  networking.hostId = "fbd233d8";
  networking.hostName = "hydra"; # Define your hostname.
  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";
  me.secureBoot.enable = false;
  me.optimizations = {
    enable = true;
    arch = "znver4";
    system_features = [
      "gccarch-znver4"
      "gccarch-skylake"
      # "gccarch-alderlake" missing WAITPKG
      "gccarch-x86-64-v3"
      "gccarch-x86-64-v4"
      "benchmark"
      "big-parallel"
      "kvm"
      "nixos-test"
    ];
  };
  # Mount tmpfs at /tmp
  boot.tmp.useTmpfs = true;
  me.emacs_flavor = "plainmacs";
  me.graphical = false;
  me.hydra.enable = false;
  me.nix_worker.enable = true;
  me.vm_disk.enable = true;
  me.wireguard.activated = [ ];
  me.wireguard.deactivated = [ ];
  me.zsh.enable = true;
 }
--- a/nix/configuration/hosts/hydra/disk-config.nix
+++ b/nix/configuration/hosts/hydra/disk-config.nix
@@ -0,0 +1,140 @@
 # Manual Step:
 #   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
 #   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "umask=0077"
                  "noatime"
                  "discard"
                ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # mode = "mirror";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        options = {
          ashift = "12";
          compatibility = "openzfs-2.2-freebsd";
          autotrim = "on";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "off";
          relatime = "off";
          xattr = "sa";
          mountpoint = "none";
          compression = "lz4";
          canmount = "off";
          utf8only = "on";
          dnodesize = "auto";
          normalization = "formD";
        };
        datasets = {
          "linux/nix" = {
            type = "zfs_fs";
            options.mountpoint = "none";
          };
          "linux/nix/root" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
          };
          "linux/nix/nix" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/nix";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
            options = {
              recordsize = "1MiB";
              compression = "lz4";
            };
          };
          "linux/nix/home" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/home";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
          };
          "linux/nix/persist" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/persist";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
          };
          "linux/nix/state" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/state";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
          };
        };
      };
    };
  };
  # Make sure all persistent volumes are marked as neededForBoot
  #
  # Also mounts /home so it is mounted before the user home directories are created.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
 }
--- a/nix/configuration/hosts/hydra/hardware-configuration.nix
+++ b/nix/configuration/hosts/hydra/hardware-configuration.nix
@@ -0,0 +1,39 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "nvme"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.dhcpcd.enable = lib.mkForce true;
  networking.useDHCP = lib.mkForce true;
  networking.interfaces.enp0s2.useDHCP = lib.mkForce true;
  # systemd.network.enable = true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/nix/configuration/hosts/hydra/vm_disk.nix
+++ b/nix/configuration/hosts/hydra/vm_disk.nix
@@ -0,0 +1,77 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    vm_disk.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to mount the local disk for persistent storage.";
    };
  };
  config = lib.mkIf config.me.vm_disk.enable (
    lib.mkMerge [
      {
        # Mount the local disk
        fileSystems = {
          "/.disk" = lib.mkForce {
            device = "/dev/nvme0n1p1";
            fsType = "ext4";
            options = [
              "noatime"
              "discard"
            ];
            neededForBoot = true;
          };
          "/persist" = {
            fsType = "none";
            device = "/.disk/persist";
            options = [
              "bind"
              "rw"
            ];
            depends = [
              "/.disk/persist"
            ];
          };
          "/state" = {
            fsType = "none";
            device = "/.disk/state";
            options = [
              "bind"
              "rw"
            ];
            depends = [
              "/.disk/state"
            ];
          };
          "/nix/store" = lib.mkForce {
            fsType = "overlay";
            device = "overlay";
            options = [
              "lowerdir=/nix/.ro-store"
              "upperdir=/.disk/persist/store"
              "workdir=/.disk/state/work"
            ];
            depends = [
              "/nix/.ro-store"
              "/.disk/persist/store"
              "/.disk/state/work"
            ];
          };
        };
      }
    ]
  );
 }
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
+++ b/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET="ionlybootzfs"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs'
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=ionlybootzfs
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs'
--- a/nix/configuration/hosts/ionlybootzfs/ISO
+++ b/nix/configuration/hosts/ionlybootzfs/ISO
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/ionlybootzfs/default.nix
+++ b/nix/configuration/hosts/ionlybootzfs/default.nix
@@ -0,0 +1,63 @@
 #
 # Testing:
 # doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
 #      -accel kvm \
 #      -cpu host \
 #      -smp cores=8 \
 #      -m 32768 \
 #      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
 #      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
 #      -device nvme,serial=deadbeef,drive=nvm \
 #      -nic user,hostfwd=tcp::60022-:22 \
 #      -boot order=d \
 #      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
 #      -display vnc=127.0.0.1:0
 #
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./wrapped-disk-config.nix
    ./hardware-configuration.nix
  ];
  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
  networking.hostId = "fbd233d8";
  networking.hostName = "ionlybootzfs"; # Define your hostname.
  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";
  me.secureBoot.enable = true;
  me.optimizations = {
    enable = false;
    arch = "znver4";
    system_features = [
      "gccarch-znver4"
      "gccarch-skylake"
      # "gccarch-alderlake" missing WAITPKG
      "gccarch-x86-64-v3"
      "gccarch-x86-64-v4"
      "benchmark"
      "big-parallel"
      "kvm"
      "nixos-test"
    ];
  };
  # Mount tmpfs at /tmp
  boot.tmp.useTmpfs = true;
  me.emacs_flavor = "plainmacs";
  me.graphical = false;
  me.wireguard.activated = [ ];
  me.wireguard.deactivated = [ ];
  me.zsh.enable = true;
 }
--- a/nix/configuration/hosts/ionlybootzfs/disk-config.nix
+++ b/nix/configuration/hosts/ionlybootzfs/disk-config.nix
@@ -0,0 +1,142 @@
 # Manual Step:
 #   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
 #   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "umask=0077"
                  "noatime"
                  "discard"
                ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # mode = "mirror";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        options = {
          ashift = "12";
          compatibility = "openzfs-2.2-freebsd";
          autotrim = "on";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "off";
          relatime = "off";
          xattr = "sa";
          mountpoint = "none";
          compression = "lz4";
          canmount = "off";
          utf8only = "on";
          dnodesize = "auto";
          normalization = "formD";
        };
        datasets = {
          "linux/nix" = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options = {
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              # keylocation = "file:///tmp/secret.key";
            };
          };
          "linux/nix/root" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
          };
          "linux/nix/nix" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/nix";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
            options = {
              recordsize = "16MiB";
              compression = "zstd-19";
            };
          };
          "linux/nix/home" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/home";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
          };
          "linux/nix/persist" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/persist";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
          };
          "linux/nix/state" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/state";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
          };
        };
      };
    };
  };
  # Make sure all persistent volumes are marked as neededForBoot
  #
  # Also mounts /home so it is mounted before the user home directories are created.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
 }
--- a/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
+++ b/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
@@ -0,0 +1,38 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "nvme"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.dhcpcd.enable = lib.mkForce true;
  networking.useDHCP = lib.mkForce true;
  # systemd.network.enable = true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/nix/configuration/hosts/ionlybootzfs/optimized_build.nix
+++ b/nix/configuration/hosts/ionlybootzfs/optimized_build.nix
@@ -0,0 +1,131 @@
 {
  config,
  lib,
  pkgs,
  pkgs-unoptimized,
  ...
 }:
 {
  imports = [ ];
  config = lib.mkMerge [
    { }
    (lib.mkIf (!config.me.optimizations.enable) {
      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_14;
    })
    (lib.mkIf (config.me.optimizations.enable) {
      nixpkgs.hostPlatform = {
        gcc.arch = "znver4";
        gcc.tune = "znver4";
        system = "x86_64-linux";
      };
      nixpkgs.overlays = [
        (
          final: prev:
          let
            addConfig =
              additionalConfig: pkg:
              pkg.override (oldconfig: {
                structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
              });
          in
          {
            linux_me = addConfig {
              # Full preemption
              PREEMPT = lib.mkOverride 60 lib.kernel.yes;
              PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
              # Google's BBRv3 TCP congestion Control
              TCP_CONG_BBR = lib.kernel.yes;
              DEFAULT_BBR = lib.kernel.yes;
              # Preemptive Full Tickless Kernel at 300Hz
              HZ = lib.kernel.freeform "300";
              HZ_300 = lib.kernel.yes;
              HZ_1000 = lib.kernel.no;
            } prev.linux_6_14;
            # gsl = prev.gsl.overrideAttrs (old: {
            #   # gsl tests fails when optimizations are enabled.
            #   # > FAIL: cholesky_invert unscaled hilbert (  4,  4)[0,2]: 2.55795384873636067e-13                        0
            #   # >  (2.55795384873636067e-13 observed vs 0 expected) [28259614]
            #   doCheck = false;
            # });
          }
        )
        (final: prev: {
          haskellPackages = prev.haskellPackages.extend (
            final': prev': {
              inherit (pkgs-unoptimized.haskellPackages)
                crypton
                crypton-connection
                crypton-x509
                crypton-x509-store
                crypton-x509-system
                crypton-x509-validation
                hspec-wai
                http-client-tls
                http2
                pandoc
                pandoc-cli
                pandoc-lua-engine
                pandoc-server
                servant-server
                tls
                wai-app-static
                wai-extra
                warp
                ;
            }
          );
        })
        (final: prev: {
          inherit (pkgs-unoptimized)
            gsl
            redis
            valkey
            ;
        })
      ];
      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
    })
    (lib.mkIf (!config.me.buildingIso) {
      nix.settings.system-features = lib.mkForce [
        "gccarch-znver4"
        "gccarch-skylake"
        # "gccarch-alderlake" missing WAITPKG
        "gccarch-x86-64-v3"
        "gccarch-x86-64-v4"
        "benchmark"
        "big-parallel"
        "kvm"
        "nixos-test"
      ];
      # Keep ALL dependencies so we can rebuild offline. This DRASTICALLY increase disk usage, but disk space is cheap.
      # system.includeBuildDependencies = true;
      # This also should enable building offline? TODO: test.
      nix.extraOptions = ''
        keep-outputs = true
        keep-derivations = true
      '';
      # # building ON
      # nixpkgs.localSystem = { system = "aarch64-linux"; };
      # # building FOR
      # nixpkgs.crossSystem = { system = "aarch64-linux"; };
      # nixpkgs.config = {
      #   replaceStdenv = ({ pkgs }: pkgs.clangStdenv);
      # };
      # or maybe an overlay
      # stdenv = prev.clangStdenv;
    })
    (lib.mkIf (config.me.buildingIso) {
      boot.supportedFilesystems.zfs = true;
    })
  ];
 }
--- a/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
@@ -0,0 +1,8 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)
--- a/nix/configuration/hosts/neelix/DEPLOY_BOOT
+++ b/nix/configuration/hosts/neelix/DEPLOY_BOOT
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=neelix
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/neelix/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=neelix
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/default.nix
+++ b/nix/configuration/hosts/neelix/default.nix
@@ -0,0 +1,51 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    ./power_management.nix
  ];
  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
  networking.hostId = "bca9d0a5";
  networking.hostName = "neelix"; # Define your hostname.
  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";
  me.secureBoot.enable = false;
  me.optimizations = {
    enable = false;
    arch = "alderlake";
    system_features = [
      "gccarch-alderlake"
      "gccarch-x86-64-v3"
      "gccarch-x86-64-v4"
      "benchmark"
      "big-parallel"
      "kvm"
      "nixos-test"
    ];
  };
  # Early KMS
  boot.initrd.kernelModules = [ "i915" ];
  # Mount tmpfs at /tmp
  # boot.tmp.useTmpfs = true;
  me.bluetooth.enable = true;
  me.emacs_flavor = "plainmacs";
  me.graphical = true;
  me.graphics_card_type = "intel";
  me.kodi.enable = true;
  me.lvfs.enable = true;
  me.sound.enable = true;
  me.wireguard.activated = [ "wgh" ];
  me.wireguard.deactivated = [ "wgf" ];
  me.zrepl.enable = true;
  me.zsh.enable = true;
 }
--- a/nix/configuration/hosts/neelix/disk-config.nix
+++ b/nix/configuration/hosts/neelix/disk-config.nix
@@ -0,0 +1,140 @@
 # Manual Step:
 #   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
 #   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "umask=0077"
                  "noatime"
                  "discard"
                ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # mode = "mirror";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        options = {
          ashift = "12";
          compatibility = "openzfs-2.2-freebsd";
          autotrim = "on";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "off";
          relatime = "off";
          xattr = "sa";
          mountpoint = "none";
          compression = "lz4";
          canmount = "off";
          utf8only = "on";
          dnodesize = "auto";
          normalization = "formD";
        };
        datasets = {
          "linux/nix" = {
            type = "zfs_fs";
            options.mountpoint = "none";
          };
          "linux/nix/root" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
          };
          "linux/nix/nix" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/nix";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
            options = {
              recordsize = "1MiB";
              compression = "lz4";
            };
          };
          "linux/nix/home" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/home";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
          };
          "linux/nix/persist" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/persist";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
          };
          "linux/nix/state" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/state";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
          };
        };
      };
    };
  };
  # Make sure all persistent volumes are marked as neededForBoot
  #
  # Also mounts /home so it is mounted before the user home directories are created.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
 }
--- a/nix/configuration/hosts/neelix/hardware-configuration.nix
+++ b/nix/configuration/hosts/neelix/hardware-configuration.nix
@@ -0,0 +1,39 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "nvme"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  # networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nix/configuration/hosts/neelix/power_management.nix
+++ b/nix/configuration/hosts/neelix/power_management.nix
@@ -0,0 +1,35 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  environment.systemPackages = with pkgs; [
    powertop
  ];
  # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
  # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
  boot.kernelParams = [
    "pcie_aspm=force"
    # "pcie_aspm.policy=powersupersave"
    "nowatchdog"
  ];
  # default performance balance_performance balance_power power
  # defaults to balance_performance
  # systemd.tmpfiles.rules = [
  #   "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
  #   "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
  #   "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
  #   "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
  # ];
  boot.extraModprobeConfig = ''
    options snd_hda_intel power_save=1
  '';
 }
--- a/nix/configuration/hosts/odo/DEPLOY_BOOT
+++ b/nix/configuration/hosts/odo/DEPLOY_BOOT
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 # TARGET=10.216.1.15
 # TARGET=192.168.211.250
 TARGET=odo
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#odo'
--- a/nix/configuration/hosts/odo/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/odo/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=odo
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#odo'
--- a/nix/configuration/hosts/odo/ISO
+++ b/nix/configuration/hosts/odo/ISO
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.odo" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BOOT
+++ b/nix/configuration/hosts/odo/SELF_BOOT
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BUILD
+++ b/nix/configuration/hosts/odo/SELF_BUILD
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_SWITCH
+++ b/nix/configuration/hosts/odo/SELF_SWITCH
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/default.nix
+++ b/nix/configuration/hosts/odo/default.nix
@@ -1,33 +1,129 @@
-{ config, pkgs, ... }:
+{
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
-    ./disk-config.nix
+    ./wrapped-disk-config.nix
-    ./optimized_build.nix
+    ./distributed_build.nix
    ./power_management.nix
    ./screen_brightness.nix
    ./wifi.nix
    ./framework_module.nix
  ];
-  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  config = {
-  networking.hostId = "908cbf04";
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
    networking.hostId = "908cbf04";
-  networking.hostName = "odo"; # Define your hostname.
+    networking.hostName = "odo"; # Define your hostname.
-  time.timeZone = "America/New_York";
+    time.timeZone = "America/New_York";
-  i18n.defaultLocale = "en_US.UTF-8";
+    i18n.defaultLocale = "en_US.UTF-8";
-  me.secureBoot.enable = true;
+    me.secureBoot.enable = true;
-  # Early KMS
+    me.optimizations = {
-  boot.initrd.kernelModules = [ "amdgpu" ];
+      enable = true;
      arch = "znver4";
      system_features = [
        "gccarch-znver4"
        "gccarch-skylake"
        # "gccarch-alderlake" missing WAITPKG
        "gccarch-x86-64-v3"
        "gccarch-x86-64-v4"
        "benchmark"
        "big-parallel"
        "kvm"
        "nixos-test"
      ];
    };
-  # Mount tmpfs at /tmp
+    # Early KMS
-  boot.tmp.useTmpfs = true;
+    boot.initrd.kernelModules = [ "amdgpu" ];
-  environment.systemPackages = with pkgs; [
+    # Mount tmpfs at /tmp
-    fw-ectool
+    boot.tmp.useTmpfs = true;
  ];
-  me.graphical = true;
+    environment.systemPackages = with pkgs; [
-  me.graphicsCardType = "amd";
+      fw-ectool
      framework-tool
    ];
    # Enable light sensor
    # hardware.sensor.iio.enable = lib.mkDefault true;
    # Enable TRIM
    # services.fstrim.enable = lib.mkDefault true;
    me.alacritty.enable = true;
    me.amd_s2idle.enable = true;
    me.ansible.enable = true;
    me.ares.enable = true;
    me.bluetooth.enable = true;
    me.chromecast.enable = true;
    me.chromium.enable = true;
    me.d2.enable = true;
    me.direnv.enable = true;
    me.docker.enable = false;
    me.ecc.enable = false;
    me.emacs_flavor = "full";
    me.emulate_isa.enable = true;
    me.firefox.enable = true;
    me.flux.enable = true;
    me.gcloud.enable = true;
    me.git.config = ../../roles/git/files/gitconfig_home;
    me.gnuplot.enable = true;
    me.gpg.enable = true;
    me.graphical = true;
    me.graphics_card_type = "amd";
    me.iso_mount.enable = true;
    me.kanshi.enable = false;
    me.kubernetes.enable = true;
    me.latex.enable = true;
    me.launch_keyboard.enable = true;
    me.lvfs.enable = true;
    me.media.enable = true;
    me.nix_index.enable = true;
    me.openpgp_card_tools.enable = true;
    me.pcsx2.enable = true;
    me.podman.enable = true;
    me.python.enable = true;
    me.qemu.enable = true;
    me.rpcs3.enable = true;
    me.rust.enable = true;
    me.sequoia.enable = true;
    me.shadps4.enable = true;
    me.shikane.enable = true;
    me.sops.enable = true;
    me.sound.enable = true;
    me.spaghettikart.enable = true;
    me.steam.enable = true;
    me.steam_run_free.enable = true;
    me.sway.enable = true;
    me.tekton.enable = true;
    me.terraform.enable = true;
    me.thunderbolt.enable = true;
    me.uutils.enable = false;
    me.vnc_client.enable = true;
    me.vscode.enable = true;
    me.wasm.enable = true;
    me.waybar.enable = true;
    me.wireguard.activated = [
      "drmario"
      "wgh"
      "colo"
    ];
    me.wireguard.deactivated = [ "wgf" ];
    me.yubikey.enable = true;
    me.zrepl.enable = true;
    me.zsh.enable = true;
    me.sm64ex.enable = true;
    me.shipwright.enable = true;
    me.ship2harkinian.enable = true;
  };
 }
--- a/nix/configuration/hosts/odo/disk-config.nix
+++ b/nix/configuration/hosts/odo/disk-config.nix
@@ -1,11 +1,8 @@
-{
+# Manual Step:
-  config,
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
-  lib,
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
  pkgs,
  ...
 }:
-lib.mkIf (!config.me.buildingIso) {
+{
  disko.devices = {
    disk = {
      main = {
--- a/nix/configuration/hosts/odo/distributed_build.nix
+++ b/nix/configuration/hosts/odo/distributed_build.nix
@@ -0,0 +1,27 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = lib.mkMerge [
    {
      me.distributed_build.enable = true;
      me.distributed_build.machines.hydra = {
        enable = true;
        additional_config = {
          speedFactor = 2;
        };
      };
      me.distributed_build.machines.quark = {
        enable = true;
        additional_config = {
          speedFactor = 2;
        };
      };
    }
  ];
 }
--- a/nix/configuration/hosts/odo/framework_module.nix
+++ b/nix/configuration/hosts/odo/framework_module.nix
@@ -0,0 +1,23 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = lib.mkMerge [
    {
      boot.extraModulePackages = with config.boot.kernelPackages; [
        framework-laptop-kmod
      ];
      # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage
      boot.kernelModules = [
        "cros_ec"
        "cros_ec_lpcs"
      ];
    }
  ];
 }
--- a/nix/configuration/hosts/odo/hardware-configuration.nix
+++ b/nix/configuration/hosts/odo/hardware-configuration.nix
@@ -20,14 +20,14 @@
    "thunderbolt"
  ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
+  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
+  # networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
--- a/nix/configuration/hosts/odo/optimized_build.nix
+++ b/nix/configuration/hosts/odo/optimized_build.nix
@@ -1,51 +0,0 @@
 {
  config,
  lib,
  pkgs,
  pkgs-unstable,
  ...
 }:
 {
  imports = [ ];
  nix.settings.system-features = lib.mkForce [
    "gccarch-znver4"
    "gccarch-skylake"
    # "gccarch-alderlake" missing pkgwait
    "gccarch-x86-64-v3"
    "benchmark"
    "big-parallel"
    "kvm"
    "nixos-test"
  ];
  # nixpkgs.hostPlatform = {
  #   gcc.arch = "znver4";
  #   gcc.tune = "znver4";
  #   system = "x86_64-linux";
  # };
  nixpkgs.overlays = [
    (
      self: super:
      let
        optimizeWithFlags =
          pkg: flags:
          pkg.overrideAttrs (old: {
            NIX_CFLAGS_COMPILE = [ (old.NIX_CFLAGS_COMPILE or "") ] ++ flags;
          });
      in
      {
        linux_znver4 = optimizeWithFlags super.linux_zen [
          "-march=znver4"
          "-mtune=znver4"
        ];
      }
    )
    (final: prev: {
      linux-firmware = pkgs-unstable.linux-firmware;
    })
  ];
  boot.kernelPackages = lib.mkIf (!config.me.buildingIso) (pkgs.linuxPackagesFor pkgs.linux_znver4);
 }
--- a/nix/configuration/hosts/odo/power_management.nix
+++ b/nix/configuration/hosts/odo/power_management.nix
@@ -20,9 +20,9 @@
  # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
  # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
  boot.kernelParams = [
-    "amdgpu.abmlevel=3"
+    "amdgpu.abmlevel=2"
    "pcie_aspm=force"
-    "pcie_aspm.policy=powersupersave"
+    # "pcie_aspm.policy=powersupersave"
    "nowatchdog"
    # I don't see a measurable benefit from these two:
    # "cpufreq.default_governor=powersave"
@@ -47,5 +47,29 @@
    "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
    "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
    "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
    "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
  ];
  boot.extraModprobeConfig = ''
    # Disable the hardware watchdog inside AMD 700 chipset series for power savings.
    blacklist sp5100_tco
    # Sound power-saving was causing chat notifications to be inaudible.
    # options snd_hda_intel power_save=1
  '';
 }
--- a/nix/configuration/hosts/odo/screen_brightness.nix
+++ b/nix/configuration/hosts/odo/screen_brightness.nix
@@ -9,6 +9,6 @@
  imports = [ ];
  systemd.tmpfiles.rules = [
-    "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 85"
+    "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 21845"
  ];
 }
--- a/nix/configuration/hosts/odo/wifi.nix
+++ b/nix/configuration/hosts/odo/wifi.nix
@@ -0,0 +1,22 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = {
    # Doesn't seem necessary starting with 6.13
    # environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
    #   doas iw dev wlan0 set power_save off
    # '';
    # Enable debug logging for ath12k wifi card.
    boot.kernelParams = [
      "ath12k.debug_mask=0xffffffff"
    ];
  };
 }
--- a/nix/configuration/hosts/odo/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/odo/wrapped-disk-config.nix
@@ -0,0 +1,8 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)
--- a/nix/configuration/hosts/quark/DEPLOY_BOOT
+++ b/nix/configuration/hosts/quark/DEPLOY_BOOT
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.15
 # TARGET=192.168.211.250
 TARGET=quark
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#quark'
--- a/nix/configuration/hosts/quark/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/quark/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=quark
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#quark'
--- a/nix/configuration/hosts/quark/ISO
+++ b/nix/configuration/hosts/quark/ISO
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.quark" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BOOT
+++ b/nix/configuration/hosts/quark/SELF_BOOT
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BUILD
+++ b/nix/configuration/hosts/quark/SELF_BUILD
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_SWITCH
+++ b/nix/configuration/hosts/quark/SELF_SWITCH
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/default.nix
+++ b/nix/configuration/hosts/quark/default.nix
@@ -0,0 +1,123 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./disk-config.nix
    ./distributed_build.nix
    ./hardware-configuration.nix
    ./power_management.nix
  ];
  config = {
    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
    networking.hostId = "47ee7d7c";
    networking.hostName = "quark"; # Define your hostname.
    time.timeZone = "America/New_York";
    i18n.defaultLocale = "en_US.UTF-8";
    me.secureBoot.enable = true;
    me.optimizations = {
      enable = true;
      arch = "znver4";
      system_features = [
        "gccarch-znver4"
        "gccarch-znver5"
        "gccarch-skylake"
        # "gccarch-alderlake" missing WAITPKG
        "gccarch-x86-64-v3"
        "gccarch-x86-64-v4"
        "benchmark"
        "big-parallel"
        "kvm"
        "nixos-test"
      ];
    };
    # Early KMS
    boot.initrd.kernelModules = [ "amdgpu" ];
    # Mount tmpfs at /tmp
    boot.tmp.useTmpfs = true;
    # Enable TRIM
    # services.fstrim.enable = lib.mkDefault true;
    # RPCS3 has difficulty with znver5
    me.rpcs3.config.Core."Use LLVM CPU" = "znver4";
    me.alacritty.enable = true;
    me.amd_s2idle.enable = true;
    me.ansible.enable = true;
    me.ares.enable = true;
    me.bluetooth.enable = true;
    me.chromecast.enable = true;
    me.chromium.enable = true;
    me.d2.enable = true;
    me.direnv.enable = true;
    me.docker.enable = false;
    me.ecc.enable = true;
    me.emacs_flavor = "full";
    me.emulate_isa.enable = true;
    me.firefox.enable = true;
    me.flux.enable = true;
    me.gcloud.enable = true;
    me.git.config = ../../roles/git/files/gitconfig_home;
    me.gnuplot.enable = true;
    me.gpg.enable = true;
    me.graphical = true;
    me.graphics_card_type = "amd";
    me.iso_mount.enable = true;
    me.kanshi.enable = false;
    me.kubernetes.enable = true;
    me.latex.enable = true;
    me.launch_keyboard.enable = true;
    me.lvfs.enable = true;
    me.media.enable = true;
    me.nix_index.enable = true;
    me.nix_worker.enable = true;
    me.openpgp_card_tools.enable = true;
    me.pcsx2.enable = true;
    me.podman.enable = true;
    me.python.enable = true;
    me.qemu.enable = true;
    me.rpcs3.enable = true;
    me.rust.enable = true;
    me.sequoia.enable = true;
    me.shadps4.enable = true;
    me.shikane.enable = true;
    me.sops.enable = true;
    me.sound.enable = true;
    me.spaghettikart.enable = true;
    me.steam.enable = true;
    me.steam_run_free.enable = true;
    me.sway.enable = true;
    me.tekton.enable = true;
    me.terraform.enable = true;
    me.thunderbolt.enable = true;
    me.uutils.enable = false;
    me.vnc_client.enable = true;
    me.vscode.enable = true;
    me.wasm.enable = true;
    me.waybar.enable = true;
    me.wireguard.activated = [
      "drmario"
      "wgh"
      "colo"
    ];
    me.wireguard.deactivated = [ "wgf" ];
    me.yubikey.enable = true;
    me.zrepl.enable = true;
    me.zsh.enable = true;
    me.sm64ex.enable = true;
    me.shipwright.enable = true;
    me.ship2harkinian.enable = true;
  };
 }
--- a/nix/configuration/hosts/quark/disk-config.nix
+++ b/nix/configuration/hosts/quark/disk-config.nix
@@ -0,0 +1,148 @@
 # Manual Step:
 #   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
 #   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "umask=0077"
                  "noatime"
                  "discard"
                ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # mode = "mirror";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        options = {
          ashift = "12";
          compatibility = "openzfs-2.2-freebsd";
          autotrim = "on";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "off";
          relatime = "off";
          xattr = "sa";
          mountpoint = "none";
          compression = "lz4";
          canmount = "off";
          utf8only = "on";
          dnodesize = "auto";
          normalization = "formD";
        };
        datasets = {
          "linux/nix" = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options = {
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              # keylocation = "file:///tmp/secret.key";
            };
          };
          "linux/nix/root" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
          };
          "linux/nix/nix" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/nix";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
            options = {
              recordsize = "16MiB";
              compression = "zstd-19";
            };
          };
          "linux/nix/home" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/home";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
          };
          "linux/nix/persist" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/persist";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
          };
          "linux/nix/state" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/state";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
          };
        };
      };
    };
  };
  # Make sure all persistent volumes are marked as neededForBoot
  #
  # Also mounts /home so it is mounted before the user home directories are created.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
 }
--- a/nix/configuration/hosts/quark/distributed_build.nix
+++ b/nix/configuration/hosts/quark/distributed_build.nix
@@ -0,0 +1,21 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = lib.mkMerge [
    {
      me.distributed_build.enable = true;
      me.distributed_build.machines.hydra = {
        enable = true;
        additional_config = {
          speedFactor = 2;
        };
      };
    }
  ];
 }
--- a/nix/configuration/hosts/quark/hardware-configuration.nix
+++ b/nix/configuration/hosts/quark/hardware-configuration.nix
@@ -0,0 +1,35 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "thunderbolt"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  # networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nix/configuration/hosts/quark/power_management.nix
+++ b/nix/configuration/hosts/quark/power_management.nix
@@ -0,0 +1,48 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  environment.systemPackages = with pkgs; [
    powertop
  ];
  boot.kernelParams = [
    # Enable undervolting GPU.
    # "amdgpu.ppfeaturemask=0xfff7ffff"
  ];
  systemd.tmpfiles.rules = [
    # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
  ];
  # services.udev.packages = [
  #   (pkgs.writeTextFile {
  #     name = "amdgpu-low-power";
  #     text = ''
  #       ACTION=="add", SUBSYSTEM=="drm", DRIVERS=="amdgpu", ATTR{device/power_dpm_force_performance_level}="low"
  #     '';
  #     destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules";
  #   })
  # ];
 }
--- a/nix/configuration/roles/2ship2harkinian/default.nix
+++ b/nix/configuration/roles/2ship2harkinian/default.nix
@@ -0,0 +1,48 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    ship2harkinian.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install 2ship2harkinian.";
    };
  };
  config = lib.mkIf config.me.ship2harkinian.enable (
    lib.mkMerge [
      {
        allowedUnfree = [ "2ship2harkinian" ];
      }
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          _2ship2harkinian
        ];
        # TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                directory = ".local/share/2ship";
                user = "talexander";
                group = "talexander";
                mode = "0755";
              }
            ];
          };
        };
      })
    ]
  );
 }
--- a/nix/configuration/roles/alacritty/default.nix
+++ b/nix/configuration/roles/alacritty/default.nix
@@ -7,18 +7,30 @@
 {
  imports = [ ];
-
+  options.me = {
-  environment.systemPackages = with pkgs; [
+    alacritty.enable = lib.mkOption {
-    alacritty
+      type = lib.types.bool;
-    xdg-utils # for xdg-open
+      default = false;
-  ];
+      example = true;
-
+      description = "Whether we want to install alacritty.";
  home-manager.users.talexander =
    { pkgs, ... }:
    {
      home.file.".config/alacritty/alacritty.toml" = {
        source = ./files/alacritty.toml;
      };
    };
  };
  config = lib.mkIf config.me.alacritty.enable (
    lib.mkMerge [
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          alacritty
          xdg-utils # for xdg-open
        ];
        me.install.user.talexander.file = {
          ".config/alacritty/alacritty.toml" = {
            source = ./files/alacritty.toml;
          };
        };
      })
    ]
  );
 }
--- a/nix/configuration/roles/amd_s2idle/cysystemd.nix
+++ b/nix/configuration/roles/amd_s2idle/cysystemd.nix
@@ -0,0 +1,48 @@
 {
  lib,
  pkgs,
  buildPythonPackage,
  fetchFromGitHub,
  pythonOlder,
  cython,
  pkg-config,
  setuptools,
 }:
 let
  version = "1.6.3";
 in
 buildPythonPackage {
  pname = "cysystemd";
  inherit version;
  pyproject = true;
  src = fetchFromGitHub {
    owner = "mosquito";
    repo = "cysystemd";
    tag = version;
    hash = "sha256-xumrQgoKfFeKdRQUIYXXiXEcNd76i4wo/EIDm8BN7oU=";
  };
  disabled = pythonOlder "3.6";
  build-system = [
    setuptools
    cython
  ];
  nativeBuildInputs = [
    pkg-config
  ];
  buildInputs = [ pkgs.systemd ];
  pythonImportsCheck = [ "cysystemd" ];
  meta = {
    description = "systemd wrapper on Cython";
    homepage = "https://github.com/mosquito/cysystemd";
    license = lib.licenses.asl20;
    platforms = lib.platforms.linux;
  };
 }
--- a/nix/configuration/roles/amd_s2idle/default.nix
+++ b/nix/configuration/roles/amd_s2idle/default.nix
@@ -0,0 +1,47 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    amd_s2idle.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install amd_s2idle.";
    };
  };
  config = lib.mkIf config.me.amd_s2idle.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          amd-debug-tools
        ];
        nixpkgs.overlays = [
          (
            final: prev:
            let
              innerPackage = (final.callPackage ./package.nix { });
            in
            {
              amd-debug-tools = innerPackage;
            }
          )
          (final: prev: {
            pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
              (python-final: python-prev: {
                cysystemd = (python-final.callPackage ./cysystemd.nix { });
              })
            ];
          })
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/amd_s2idle/package.nix
+++ b/nix/configuration/roles/amd_s2idle/package.nix
@@ -0,0 +1,60 @@
 {
  lib,
  fetchgit,
  python3Packages,
  acpica-tools,
  ethtool,
  libdisplay-info,
 }:
 let
  version = "0.2.8";
 in
 python3Packages.buildPythonApplication {
  pname = "amd-debug-tools";
  inherit version;
  pyproject = true;
  build-system = with python3Packages; [
    pyudev
    setuptools
    setuptools-git
    setuptools-git-versioning
  ];
  dependencies = with python3Packages; [
    acpica-tools
    cysystemd
    dbus-fast
    ethtool
    jinja2
    libdisplay-info
    matplotlib
    pandas
    pyudev
    seaborn
    tabulate
  ];
  src = fetchgit {
    url = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git";
    tag = version;
    hash = "sha256-EmXsW7Q5WMFL32LWr29W3GnGpw5aj53wlp9KbFV1r0Q=";
    leaveDotGit = true;
  };
  disabled = python3Packages.pythonOlder "3.7";
  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace-fail ', "setuptools-git-versioning>=2.0,<3"' ""
  '';
  pythonImportsCheck = [ "amd_debug" ];
  meta = {
    description = "Debug tools for AMD zen systems";
    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git/";
    changelog = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git/tag/?h=${version}";
    license = lib.licenses.mit;
    platforms = lib.platforms.linux;
  };
 }
--- a/nix/configuration/roles/ansible/default.nix
+++ b/nix/configuration/roles/ansible/default.nix
@@ -0,0 +1,89 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    ansible.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install ansible.";
    };
  };
  config = lib.mkIf config.me.ansible.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          ansible
        ];
        nixpkgs.overlays = [
          (final: prev: {
            ansible-sshjail = (final.callPackage ./package/ansible-sshjail/package.nix { });
          })
          (final: prev: {
            ansible = pkgs.symlinkJoin {
              name = "ansible";
              paths = [
                (prev.ansible.overridePythonAttrs {
                  propagatedBuildInputs = prev.ansible.propagatedBuildInputs ++ [ prev.python3Packages.jmespath ];
                })
                pkgs.ansible-sshjail
              ];
              buildInputs = [ pkgs.makeWrapper ];
              postBuild = ''
                ${lib.concatMapStringsSep "\n"
                  (
                    prog:
                    (
                      "wrapProgram $out/bin/${prog} ${
                        lib.concatMapStringsSep " "
                          (
                            plugin_type:
                            "--set ANSIBLE_${lib.toUpper plugin_type}_PLUGINS $out/share/ansible/plugins/${lib.toLower plugin_type}_plugins"
                          )
                          [
                            "action"
                            "cache"
                            "callback"
                            "connection"
                            "filter"
                            "inventory"
                            "lookup"
                            "shell"
                            "strategy"
                            "test"
                            "vars"
                          ]
                      } --prefix PATH : ${lib.makeBinPath [ ]}"
                    )
                  )
                  [
                    "ansible"
                    "ansible-config"
                    "ansible-console"
                    "ansible-doc"
                    "ansible-galaxy"
                    "ansible-inventory"
                    "ansible-playbook"
                    "ansible-pull"
                    "ansible-test"
                    "ansible-vault"
                  ]
                }
              '';
            };
          })
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/ansible/package/ansible-sshjail/package.nix
+++ b/nix/configuration/roles/ansible/package/ansible-sshjail/package.nix
@@ -0,0 +1,33 @@
 # unpackPhase
 # patchPhase
 # configurePhase
 # buildPhase
 # checkPhase
 # installPhase
 # fixupPhase
 # installCheckPhase
 # distPhase
 {
  stdenv,
  fetchgit,
  ...
 }:
 stdenv.mkDerivation {
  name = "ansible-sshjail";
  src = fetchgit {
    url = "https://github.com/austinhyde/ansible-sshjail.git";
    rev = "a7b0076fdb680b915d35efafd1382919100532b6";
    sha256 = "sha256-4QX/017fDRzb363NexgvHZ/VFKXOjRgGPDKKygyUylM=";
  };
  phases = [
    "installPhase"
  ];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/share/ansible/plugins/connection_plugins
    cp $src/sshjail.py $out/share/ansible/plugins/connection_plugins/
    runHook postInstall
  '';
 }
--- a/nix/configuration/roles/ares/default.nix
+++ b/nix/configuration/roles/ares/default.nix
@@ -8,7 +8,37 @@
 {
  imports = [ ];
-  environment.systemPackages = with pkgs; [
+  options.me = {
-    ares
+    ares.enable = lib.mkOption {
-  ];
+      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install ares.";
    };
  };
  config = lib.mkIf config.me.ares.enable (
    lib.mkMerge [
      { }
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          ares
        ];
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                directory = ".local/share/ares";
                user = "talexander";
                group = "talexander";
                mode = "0755";
              }
            ];
          };
        };
      })
    ]
  );
 }
--- a/nix/configuration/roles/blank/default.nix
+++ b/nix/configuration/roles/blank/default.nix
@@ -8,4 +8,23 @@
 {
  imports = [ ];
  options.me = {
    blank.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install blank.";
    };
  };
  config = lib.mkIf config.me.blank.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
        ];
      }
      (lib.mkIf config.me.graphical {
      })
    ]
  );
 }
--- a/nix/configuration/roles/bluetooth/default.nix
+++ b/nix/configuration/roles/bluetooth/default.nix
@@ -0,0 +1,46 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    bluetooth.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install bluetooth.";
    };
  };
  config = lib.mkIf config.me.bluetooth.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
        ];
        hardware.bluetooth = {
          enable = true;
          powerOnBoot = true;
          settings = {
            General = {
              # Enable support for showing battery charge level.
              Experimental = true;
            };
          };
        };
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          directories = [
            "/var/lib/bluetooth" # Bluetooth pairing information.
          ];
        };
      }
    ]
  );
 }
--- a/nix/configuration/roles/boot/default.nix
+++ b/nix/configuration/roles/boot/default.nix
@@ -22,6 +22,14 @@
  };
  config = lib.mkMerge [
    {
      environment.systemPackages = with pkgs; [
        tpm2-tools # For tpm2_eventlog to check for OptionRoms
        # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
        # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
        sbctl # For debugging and troubleshooting Secure Boot.
      ];
    }
    (lib.mkIf (!config.me.buildingIso) {
      boot.loader.grub.enable = false;
@@ -33,6 +41,8 @@
      # Automatically delete old generations
      boot.loader.systemd-boot.configurationLimit = 3;
      boot.loader.systemd-boot.memtest86.enable = true;
      # Check what will be lost with `zfs diff zroot/linux/root@blank`
      boot.initrd.systemd.enable = lib.mkDefault true;
      boot.initrd.systemd.services.zfs-rollback = {
@@ -65,26 +75,21 @@
      #     options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa
      #   '';
      # };
      environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
        hideMounts = true;
        directories = [
          "/var/lib/sbctl" # Secure Boot Keys
        ];
      };
    })
    (lib.mkIf (config.me.secureBoot.enable) {
      # For debugging and troubleshooting Secure Boot.
      environment.systemPackages = with pkgs; [
        sbctl
      ];
      boot.loader.systemd-boot.enable = lib.mkForce false;
      boot.lanzaboote = {
        enable = true;
-        pkiBundle = "/etc/secureboot";
+        pkiBundle = "/var/lib/sbctl";
        # TODO:
        #     pkiBundle = "/var/lib/sbctl";
      };
      environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
        hideMounts = true;
        directories = [
          "/etc/secureboot" # Old Secure Boot Keys location
          # TODO: run `doas sbctl setup --migrate` to move keys
          "/var/lib/sbctl" # Secure Boot Keys
        ];
      };
    })
  ];
--- a/nix/configuration/roles/chromecast/default.nix
+++ b/nix/configuration/roles/chromecast/default.nix
@@ -0,0 +1,31 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    chromecast.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install chromecast.";
    };
  };
  config = lib.mkIf config.me.chromecast.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          catt
        ];
      }
      (lib.mkIf config.me.graphical {
      })
    ]
  );
 }
--- a/nix/configuration/roles/chromium/default.nix
+++ b/nix/configuration/roles/chromium/default.nix
@@ -8,45 +8,68 @@
 {
  imports = [ ];
-  # TODO: Read https://bbs.archlinux.org/viewtopic.php?pid=2209507#p2209507 and apply desired settings.
+  options.me = {
-
+    chromium.enable = lib.mkOption {
-  environment.systemPackages = with pkgs; [
+      type = lib.types.bool;
-    (chromium.override { enableWideVine = true; })
+      default = false;
-  ];
+      example = true;
-
+      description = "Whether we want to install chromium.";
  allowedUnfree = [
    "chromium"
    "chromium-unwrapped"
    "widevine-cdm"
  ];
  environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
    hideMounts = true;
    users.talexander = {
      directories = [
        {
          directory = ".config/chromium";
          user = "talexander";
          group = "talexander";
          mode = "0700";
        }
      ];
    };
  };
  environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
    hideMounts = true;
    users.talexander = {
      directories = [
        {
          directory = ".cache/chromium";
          user = "talexander";
          group = "talexander";
          mode = "0700";
        }
      ];
    };
  };
-  # Enabling vulkan causes video to render as white
+  config = lib.mkIf config.me.chromium.enable (
-  # nixpkgs.config.chromium.commandLineArgs = "--enable-features=Vulkan";
+    lib.mkMerge [
      { }
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          chromium
        ];
        allowedUnfree = [
          "chromium"
          "chromium-unwrapped"
          "widevine-cdm"
        ];
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                directory = ".config/chromium";
                user = "talexander";
                group = "talexander";
                mode = "0700";
              }
            ];
          };
        };
        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                directory = ".cache/chromium";
                user = "talexander";
                group = "talexander";
                mode = "0700";
              }
            ];
          };
        };
        nixpkgs.overlays = [
          (final: prev: {
            chromium = prev.chromium.override {
              enableWideVine = true;
              commandLineArgs = [
                "--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder"
                # Enabling vulkan causes video to render as white
                # "--enable-features=Vulkan";
              ];
            };
          })
        ];
      })
    ]
  );
 }
--- a/nix/configuration/roles/d2/default.nix
+++ b/nix/configuration/roles/d2/default.nix
@@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    d2.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install d2.";
    };
  };
  config = lib.mkIf config.me.d2.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          d2
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/direnv/default.nix
+++ b/nix/configuration/roles/direnv/default.nix
@@ -0,0 +1,55 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  direnv_zsh_hook = pkgs.writeTextFile {
    name = "direnv_zsh_hook.zsh";
    text = ''
      eval "$(direnv hook zsh)"
    '';
  };
 in
 {
  imports = [ ];
  options.me = {
    direnv.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install direnv.";
    };
  };
  config = lib.mkIf config.me.direnv.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          direnv
          nix-direnv
        ];
        me.zsh.includes = [ direnv_zsh_hook ];
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                # List of allowed directories from `direnv allow`.
                directory = ".local/share/direnv";
                user = "talexander";
                group = "talexander";
                mode = "0755";
              }
            ];
          };
        };
      }
    ]
  );
 }
--- a/nix/configuration/roles/distributed_build/default.nix
+++ b/nix/configuration/roles/distributed_build/default.nix
@@ -0,0 +1,110 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  make_machine_config = name: {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to use the ${name} machine during distributed builds.";
    };
    additional_config = lib.mkOption {
      type = lib.types.attrs;
      default = { };
      example = lib.literalExpression {
        speedFactor = 2;
      };
      description = "Additional config values for the buildMachines entry. For example, speedFactor.";
    };
  };
 in
 {
  imports = [ ];
  options.me = {
    distributed_build.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to use multiple machines to perform a nixos-rebuild.";
    };
    distributed_build.machines.hydra = make_machine_config "hydra";
    distributed_build.machines.quark = make_machine_config "quark";
  };
  config = lib.mkIf config.me.distributed_build.enable (
    lib.mkMerge [
      {
        nix.distributedBuilds = true;
      }
      (lib.mkIf config.me.distributed_build.machines.hydra.enable {
        nix.buildMachines = [
          (
            {
              hostName = "hydra";
              sshUser = "nixworker";
              # sshKey = "";
              # publicHostKey = "";
              systems = [
                "x86_64-linux"
                # "aarch64-linux"
              ];
              maxJobs = 1;
              supportedFeatures = [
                "nixos-test"
                "benchmark"
                "big-parallel"
                # "kvm"
                "gccarch-x86-64-v3"
                "gccarch-x86-64-v4"
                "gccarch-skylake"
                "gccarch-znver4"
              ];
            }
            // config.me.distributed_build.machines.hydra.additional_config
          )
        ];
      })
      (lib.mkIf config.me.distributed_build.machines.quark.enable {
        nix.buildMachines = [
          (
            {
              hostName = "quark";
              sshUser = "nixworker";
              sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
              # From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
              publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUx0alplYlVYTkRkU3Y1enVGbjM3eFNMZUN3S2hPKzFMdWovM2FYNFJRTEEgcm9vdEBxdWFyawo=";
              systems = [
                "x86_64-linux"
                # "aarch64-linux"
              ];
              maxJobs = 1;
              supportedFeatures = [
                "gccarch-armv6"
                "gccarch-aarch64"
                "gccarch-riscv64"
                "nixos-test"
                "benchmark"
                "big-parallel"
                "kvm"
                "gccarch-x86-64-v3"
                "gccarch-x86-64-v4"
                "gccarch-skylake"
                "gccarch-znver4"
                "gccarch-znver5"
              ];
            }
            // config.me.distributed_build.machines.quark.additional_config
          )
        ];
      })
    ]
  );
 }
--- a/nix/configuration/roles/docker/default.nix
+++ b/nix/configuration/roles/docker/default.nix
@@ -8,42 +8,91 @@
 {
  imports = [ ];
-  virtualisation.docker.enable = true;
+  options.me = {
-  # Use docker activation
+    docker.enable = lib.mkOption {
-  virtualisation.docker.enableOnBoot = false;
+      type = lib.types.bool;
-  # Rootless docker breaks access to ssh for buildkit.
+      default = false;
-  # virtualisation.docker.rootless = {
+      example = true;
-  #   enable = true;
+      description = "Whether we want to install docker.";
-  #   setSocketVariable = true;
+    };
  # };
  # Give docker access to ssh for fetching repos with buildkit.
  virtualisation.docker.extraPackages = [ pkgs.openssh ];
  environment.systemPackages = with pkgs; [
    docker-buildx
  ];
  environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
    hideMounts = true;
    directories = [
      {
        directory = "/var/lib/docker";
        user = "root";
        group = "root";
        mode = "0740";
      }
    ];
    # users.talexander = {
    #   directories = [
    #     {
    #       directory = ".local/share/docker";
    #       user = "talexander";
    #       group = "talexander";
    #       mode = "0740";
    #     }
    #   ];
    # };
  };
-  # Needed for non-rootless docker
+  config = lib.mkIf config.me.docker.enable (
-  users.users.talexander.extraGroups = [ "docker" ];
+    lib.mkMerge [
      {
        assertions = [
          {
            assertion = !config.me.podman.enable;
            message = "docker conflicts with podman";
          }
        ];
      }
      {
        virtualisation.docker.enable = true;
        # Use docker activation
        virtualisation.docker.enableOnBoot = false;
        # Rootless docker breaks access to ssh for buildkit.
        # virtualisation.docker.rootless = {
        #   enable = true;
        #   setSocketVariable = true;
        # };
        # Give docker access to ssh for fetching repos with buildkit.
        virtualisation.docker.extraPackages = [ pkgs.openssh ];
        environment.systemPackages = with pkgs; [
          docker-buildx
        ];
        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          directories = [
            {
              directory = "/var/lib/docker";
              user = "root";
              group = "root";
              mode = "0740";
            }
          ];
          # users.talexander = {
          #   directories = [
          #     {
          #       directory = ".local/share/docker";
          #       user = "talexander";
          #       group = "talexander";
          #       mode = "0740";
          #     }
          #   ];
          # };
        };
        systemd.services.link-docker-creds = {
          # Contains credentials so it cannot be added to the nix store
          enable = true;
          description = "link-docker-creds";
          wantedBy = [ "multi-user.target" ];
          wants = [ "multi-user.target" ];
          after = [ "multi-user.target" ];
          # path = with pkgs; [
          #   zfs
          # ];
          unitConfig.DefaultDependencies = "no";
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = "yes";
          };
          script = ''
            if [ -e /persist/manual/docker/config.json ]; then
              install --directory --owner talexander --group talexander --mode 0700 /home/talexander/.docker
              ln -s /persist/manual/docker/config.json /home/talexander/.docker/config.json
            fi
          '';
          preStop = ''
            rm -f /home/talexander/.docker/config.json
          '';
        };
        # Needed for non-rootless docker
        users.users.talexander.extraGroups = [ "docker" ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/ecc/default.nix
+++ b/nix/configuration/roles/ecc/default.nix
@@ -0,0 +1,28 @@
 # Check memory errors with: ras-mc-ctl --error-count
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    ecc.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install ecc.";
    };
  };
  config = lib.mkIf config.me.ecc.enable (
    lib.mkMerge [
      {
        hardware.rasdaemon.enable = true;
      }
    ]
  );
 }
--- a/nix/configuration/roles/emacs/default.nix
+++ b/nix/configuration/roles/emacs/default.nix
@@ -6,76 +6,166 @@
 }:
 let
-  plainmacs = pkgs.writeShellScriptBin "plainmacs" ''
+  plainmacs =
-    INIT_SCRIPT=$(cat <<EOF
+    emacs_package:
-    (progn
+    pkgs.writeShellScriptBin "plainmacs" ''
-      (setq make-backup-files nil auto-save-default nil create-lockfiles nil)
+      INIT_SCRIPT=$(cat <<EOF
-      (load-theme 'tango-dark t)
+      (progn
-      (set-face-attribute 'default nil :background "black")
+        (setq make-backup-files nil auto-save-default nil create-lockfiles nil)
-      ;; Bright yellow highlighting for selected region
+        (load-theme 'tango-dark t)
-      (set-face-attribute 'region nil :background "#ffff50" :foreground "black")
+        (set-face-attribute 'default nil :background "black")
-      ;; Bright green cursor to distinguish from yellow region
+        ;; Bright yellow highlighting for selected region
-      (set-cursor-color "#ccff66")
+        (set-face-attribute 'region nil :background "#ffff50" :foreground "black")
-      ;; Hightlight the current line
+        ;; Bright green cursor to distinguish from yellow region
-      (set-face-attribute 'line-number-current-line nil :foreground "white")
+        (set-cursor-color "#ccff66")
-      ;; Set default font
+        ;; Hightlight the current line
-      (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
+        (set-face-attribute 'line-number-current-line nil :foreground "white")
-      ;; Set fallback font for unicode glyphs
+        ;; Set default font
-      (when (display-graphic-p)
+        (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
-        (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
+        ;; Set fallback font for unicode glyphs
-      (menu-bar-mode -1)
+        (when (display-graphic-p)
-      (when (fboundp 'tool-bar-mode)
+          (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
-        (tool-bar-mode -1))
+        (menu-bar-mode -1)
-      (when (  fboundp 'scroll-bar-mode)
+        (when (fboundp 'tool-bar-mode)
-        (scroll-bar-mode -1))
+          (tool-bar-mode -1))
-      (pixel-scroll-precision-mode)
+        (when (  fboundp 'scroll-bar-mode)
-      (setq frame-resize-pixelwise t)
+          (scroll-bar-mode -1))
        (pixel-scroll-precision-mode)
        (setq frame-resize-pixelwise t)
        )
      EOF
      )
    EOF
    )
-    exec ${pkgs.emacs29-pgtk}/bin/emacs -q --eval "$INIT_SCRIPT" "''${@}"
+      exec ${emacs_package}/bin/emacs -q --eval "$INIT_SCRIPT" "''${@}"
-  '';
+    '';
-  e_shorthand = pkgs.writeShellScriptBin "e" ''
+  e_shorthand =
-    exec ${pkgs.emacs29-pgtk}/bin/emacs "''${@}"
+    emacs_package:
-  '';
+    pkgs.writeShellScriptBin "e" ''
      exec ${emacs_package}/bin/emacs "''${@}"
    '';
 in
 {
  imports = [ ];
-  environment.systemPackages = with pkgs; [
+  options.me.emacs_flavor = lib.mkOption {
-    plainmacs
+    type = lib.types.nullOr (
-    e_shorthand
+      lib.types.enum [
-    emacs29-pgtk
+        "full"
-    clang # To compile tree-sitter grammars
+        "plainmacs"
-    nixd # nix language server
+      ]
-    nixfmt-rfc-style # auto-formatting nix files through nixd
+    );
-  ];
+    default = null;
-
+    example = "full";
-  home-manager.users.talexander =
+    description = "What flavor of emacs to set up.";
    { pkgs, ... }:
    {
      home.file.".config/emacs" = {
        source = ./files/emacs;
        recursive = true;
      };
    };
  environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
    hideMounts = true;
    users.talexander = {
      directories = [
        ".config/emacs/eln-cache" # Installed packages
        ".config/emacs/elpa" # Installed packages
        ".config/emacs/private" # For recentf
        ".config/emacs/tree-sitter" # Compiled tree-sitter grammars
      ];
      files = [
        ".config/emacs/history" # For savehist
        ".config/emacs/.last-package-update-day" # For use-package
      ];
    };
  };
-  environment.variables.EDITOR = "${plainmacs}/bin/plainmacs";
+  config = lib.mkIf (config.me.emacs_flavor != null) (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          my_emacs
          (plainmacs my_emacs)
          (e_shorthand my_emacs)
        ];
        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              ".config/emacs/eln-cache" # Installed packages
              ".config/emacs/elpa" # Installed packages
              ".config/emacs/private" # For recentf
              ".config/emacs/tree-sitter" # Compiled tree-sitter grammars
            ];
            files = [
              ".config/emacs/history" # For savehist
              ".config/emacs/.last-package-update-day" # For use-package
            ];
          };
        };
        environment.variables.EDITOR = "plainmacs";
      }
      (lib.mkIf (config.me.graphical) {
        nixpkgs.overlays = [
          (final: prev: {
            my_emacs = final.emacs-pgtk;
          })
        ];
      })
      (lib.mkIf (!config.me.graphical) {
        nixpkgs.overlays = [
          (final: prev: {
            my_emacs = final.emacs-nox;
          })
        ];
      })
      (lib.mkIf (config.me.emacs_flavor == "full") {
        nixpkgs.overlays = [
          (final: prev: {
            my_emacs = pkgs.buildEnv {
              name = prev.my_emacs.name;
              paths = with prev; [
                my_emacs
              ];
              extraOutputsToInstall = [
                "man"
                "doc"
                "info"
              ];
              nativeBuildInputs = [ final.makeWrapper ];
              postBuild = ''
                wrapProgram $out/bin/emacs --prefix PATH : ${
                  lib.makeBinPath [
                    (final.aspellWithDicts (
                      dicts: with dicts; [
                        en
                        en-computers
                        # en-science # TODO: Why is en-science non-free?
                      ]
                    ))
                    final.nixd # nix language server
                    final.nixfmt-rfc-style # auto-formatting nix files through nixd
                    final.clang # To compile tree-sitter grammars
                    final.shellcheck
                    final.cmake-language-server
                    final.cmake # Used by cmake-language-server
                    final.rust-analyzer
                    final.prettier # Format yaml, json, and JS
                    final.terraform-ls
                    final.typescript-language-server
                    final.tex
                  ]
                }
              '';
            };
          })
        ];
        me.install.user.talexander.file = {
          ".config/emacs" = {
            source = ./files/emacs;
            recursive = true;
          };
        };
      })
      (lib.mkIf (config.me.emacs_flavor == "plainmacs") {
        nixpkgs.overlays = [
          (final: prev: {
            my_emacs = pkgs.buildEnv {
              name = prev.my_emacs.name;
              paths = with prev; [
                my_emacs
              ];
              extraOutputsToInstall = [
                "man"
                "doc"
                "info"
              ];
            };
          })
        ];
      })
    ]
  );
 }
--- a/nix/configuration/roles/emacs/files/emacs/elisp/base-extensions.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/base-extensions.el
@@ -14,17 +14,6 @@
 ;; Other packages
 (use-package emacs
  :config
  (setq enable-recursive-minibuffers t)
  ;; Filter the M-x list base on the current mode
  (setq read-extended-command-predicate #'command-completion-default-include-p)
  ;; Enable triggering completion with the tab key.
  (setq tab-always-indent 'complete)
  )
 (use-package dashboard
  :config
  (dashboard-setup-startup-hook))
@@ -51,17 +40,27 @@
 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
  ;; This is an emacs built-in but we're pulling the latest version
  :pin gnu
  :config
  (savehist-mode))
 (use-package which-key
  :pin gnu
  :diminish
  :config
  (which-key-mode))
 (use-package windmove
-  :config
+  ;; This is an emacs built-in but we're pulling the latest version
-  (windmove-default-keybindings))
+  :pin gnu
  :bind
  (
   ("S-<up>" . windmove-up)
   ("S-<right>" . windmove-right)
   ("S-<down>" . windmove-down)
   ("S-<left>" . windmove-left)
   )
  )
 (setq tramp-default-method "ssh")
--- a/nix/configuration/roles/emacs/files/emacs/elisp/base.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/base.el
@@ -6,11 +6,13 @@
             )
 (use-package auto-package-update
-   :ensure t
+  :ensure t
-   :config
+  :custom
-   (setq auto-package-update-delete-old-versions t
+  (auto-package-update-interval 14)
-         auto-package-update-interval 14)
+  (auto-package-update-delete-old-versions t)
-   (auto-package-update-maybe))
+  :config
  (auto-package-update-maybe)
  )
 (defun assert-directory (p)
  (unless (file-exists-p p) (make-directory p t))
@@ -24,11 +26,51 @@
 (setq autoload-directory (concat user-emacs-directory (file-name-as-directory "elisp") (file-name-as-directory "autoload")))
 (add-to-list 'load-path (assert-directory autoload-directory))
 (use-package emacs
  :ensure nil
  :bind
  (("C-z" . nil)
   ("C-x C-z" . nil)
   ("RET" . newline-and-indent)
   )
  :custom
  ;; Replace highlighted text if you start typing.
  (delete-selection-mode 1)
  (history-length 300)
  ;; Enable auto-revert for buffers like dired
  (global-auto-revert-non-file-buffers t)
  ;; If the underlying file changes, reload it automatically. This is useful for moving around in git without confusing language servers.
  (auto-revert-avoid-polling t)
  (auto-revert-interval 5)
  (auto-revert-check-vc-info t)
  (global-auto-revert-mode t)
  ;; Disable backup files and lockfiles
  (create-lockfiles nil)
  (make-backup-files nil)
  (backup-inhibited t)
  ;; Do not auto-save files
  (auto-save-default nil)
  (pixel-scroll-precision-mode t)
  (pixel-scroll-precision-use-momentum nil)
  :config
  (setq enable-recursive-minibuffers t)
  ;; Filter the M-x list base on the current mode
  (setq read-extended-command-predicate #'command-completion-default-include-p)
  ;; Enable triggering completion with the tab key.
  (setq tab-always-indent 'complete)
  )
 (setq-default
 ;; Disable backup files and lockfiles
 make-backup-files nil
 auto-save-default nil
 create-lockfiles nil
 ;; Unless otherwise specified, always install packages if they are absent.
 use-package-always-ensure t
 ;; Point custom-file at /dev/null so emacs does not write any settings to my dotfiles.
@@ -63,13 +105,13 @@
 show-trailing-whitespace t
 ;; Remove the line when killing it with ctrl-k
 kill-whole-line t
 ;; Show the current project in the mode line
 project-mode-line t
 )
 ;; (setq-default fringes-outside-margins t)
 ;; Per-pixel scrolling instead of per-line
 (pixel-scroll-precision-mode)
 ;; Typed text replaces selection
 (delete-selection-mode)
@@ -77,12 +119,6 @@
 ;; Delete trailing whitespace before save
 (add-hook 'before-save-hook 'delete-trailing-whitespace)
 ;; If the underlying file changes, reload it automatically. This is useful for moving around in git without confusing language servers.
 (setopt auto-revert-avoid-polling t)
 (setopt auto-revert-interval 5)
 (setopt auto-revert-check-vc-info t)
 (global-auto-revert-mode)
 ;;;;; Performance
 ;; Run garbage collect when emacs is idle
 (run-with-idle-timer 5 t (lambda () (garbage-collect)))
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-cmake.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-cmake.el
@@ -0,0 +1,18 @@
 (require 'common-lsp)
 (use-package cmake-mode
  :commands cmake-mode
  :hook (
         (cmake-mode . (lambda ()
                         (eglot-ensure)
                         (defclass my/eglot-cmake (eglot-lsp-server) ()
                           :documentation
                           "Own eglot server class.")
                         (add-to-list 'eglot-server-programs
                                      '(cmake-mode . (my/eglot-cmake "cmake-language-server")))
                         ))
         )
  )
 (provide 'lang-cmake)
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-d2.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-d2.el
@@ -0,0 +1,16 @@
 (defun d2-format-buffer ()
  "Run prettier."
  (interactive)
  (run-command-on-buffer "d2" "fmt" "-")
  )
 (use-package d2-mode
  :commands (d2-mode)
  :hook (
         (d2-mode . (lambda ()
                      ;; (add-hook 'before-save-hook 'd2-format-buffer nil 'local)
                      ))
         )
  )
 (provide 'lang-d2)
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-javascript.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-javascript.el
@@ -1,6 +1,12 @@
 (require 'common-lsp)
 (require 'util-tree-sitter)
 (defun js-format-buffer ()
  "Run prettier."
  (interactive)
  (run-command-on-buffer "prettier" "--stdin-filepath" buffer-file-name)
  )
 (use-package json-ts-mode
  :ensure nil
  :pin manual
@@ -113,10 +119,14 @@
         ("\\.js\\'" . js-ts-mode)
         )
  :commands (js-ts-mode)
  :custom (
           (js-indent-level 2)
           )
  :hook (
         (js-ts-mode . (lambda ()
                                 (when-linux
                                   (eglot-ensure)
                                   (add-hook 'before-save-hook 'js-format-buffer nil 'local)
                                   )
                                 ))
         )
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-org.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-org.el
@@ -1,16 +1,23 @@
 (use-package org
  :ensure nil
  :commands org-mode
-  :bind (
+  :bind (:map org-mode-map
         ("C-c l" . org-store-link)
         ("C-c a" . org-agenda)
-         ("C--" . org-timestamp-down)
+         ("S-<up>" . org-shiftup)
-         ("C-=" . org-timestamp-up)
+         ("S-<right>" . org-shiftright)
         ("S-<down>" . org-shiftdown)
         ("S-<left>" . org-shiftleft)
         )
  :hook (
         (org-mode . (lambda ()
                       (org-indent-mode +1)
-                        ))
+                       ))
         ;; Make windmove work in Org mode:
         (org-shiftup-final . windmove-up)
         (org-shiftleft-final . windmove-left)
         (org-shiftdown-final . windmove-down)
         (org-shiftright-final . windmove-right)
         )
  :config
  (require 'org-tempo)
@@ -38,6 +45,8 @@
  ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
  ;; (setq org-latex-compiler "lualatex")
  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
  ;; (setq org-preview-latex-default-process 'dvisvgm)
  (setq org-latex-pdf-process
        '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
          "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
@@ -78,4 +87,8 @@
 (use-package gnuplot)
 (use-package graphviz-dot-mode)
 (use-package htmlize
  ;; For syntax highlighting when exporting to HTML.
  )
 (provide 'lang-org)
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-rust.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-rust.el
@@ -46,7 +46,7 @@
                             (when rust-analyzer-command
                               ;; (add-to-list 'eglot-server-programs `(rust-ts-mode . (,rust-analyzer-command)))
                               (add-to-list 'eglot-server-programs `(rust-ts-mode . (,rust-analyzer-command :initializationOptions (:imports (:granularity (:enforce t :group "item")
-                                                                                                                                                           :merge (:glob nil)
+                                                                                                                                                           :merge (:glob :json-false)
                                                                                                                                                           :prefix "self")
                                                                                                                                             ))))
                               )
@@ -60,8 +60,8 @@
  (unless (treesit-ready-p 'rust) (treesit-install-language-grammar 'rust))
  :config
  ;; Add keybindings for interacting with Cargo
-  (use-package cargo
+  ;; (use-package cargo
-    :hook (rust-ts-mode . cargo-minor-mode))
+  ;;   :hook (rust-ts-mode . cargo-minor-mode))
  )
 (use-package toml-ts-mode
--- a/nix/configuration/roles/emacs/files/emacs/init.el
+++ b/nix/configuration/roles/emacs/files/emacs/init.el
@@ -38,4 +38,8 @@
 (require 'lang-nix)
 (require 'lang-cmake)
 (require 'lang-d2)
 (load-directory autoload-directory)
--- a/nix/configuration/roles/emulate_isa/default.nix
+++ b/nix/configuration/roles/emulate_isa/default.nix
@@ -0,0 +1,41 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    emulate_isa.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to enable emulating other CPU architectures.";
    };
  };
  config = lib.mkIf config.me.emulate_isa.enable (
    lib.mkMerge [
      {
        boot.binfmt.emulatedSystems = [
          "aarch64-linux" # Raspberry Pi gen 3
          "riscv64-linux"
          # TODO: Should "x86_64-linux" be in this list or should this list be dependent on the host CPU?
          "armv6l-linux" # Raspberry Pi gen 1
        ];
        me.optimizations = {
          system_features = [
            "gccarch-armv6"
            "gccarch-aarch64"
            "gccarch-riscv64"
          ];
        };
      }
    ]
  );
 }
 # NOTE: build nixosConfigurations.<name>.config.system.build.sdImage
--- a/nix/configuration/roles/firefox/default.nix
+++ b/nix/configuration/roles/firefox/default.nix
@@ -8,106 +8,132 @@
 {
  imports = [ ];
-  programs.firefox = {
+  options.me = {
-    enable = true;
+    firefox.enable = lib.mkOption {
-    package = (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true; }) { });
+      type = lib.types.bool;
-    languagePacks = [ "en-US" ];
+      default = false;
-    preferences = {
+      example = true;
-      # "identity.sync.tokenserver.uri": "https://ffsync.fizz.buzz/token/1.0/sync/1.5";
+      description = "Whether we want to install firefox.";
      "media.hardware-video-decoding.force-enabled" = true;
      "media.ffmpeg.vaapi.enabled" = true;
      "doh-rollout.doorhanger-decision" = "UIDisabled";
      "dom.security.https_only_mode" = true;
      "dom.security.https_only_mode_ever_enabled" = true;
      "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
      # Disable ads
      "extensions.pocket.enabled" = false;
      "browser.newtabpage.activity-stream.showSponsored" = false;
      "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
      "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
      "browser.newtabpage.pinned" = "[]";
      "browser.newtabpage.activity-stream.section.highlights.includePocket" = false;
      "browser.topsites.contile.enabled" = false;
      # Disable cache when devtools are open.
      "devtools.cache.disabled" = true;
      # Do not track header.
      "privacy.donottrackheader.enabled" = true;
      # Tell websites not to share or sell my data.
      "privacy.globalprivacycontrol.enabled" = true;
      # Disable "studies" (slice testing)
      "app.shield.optoutstudies.enabled" = false;
      # Disable attribution which is used by advertisers to track you.
      "dom.private-attribution.submission.enabled" = false;
      # Disable battery status, used to track users.
      "dom.battery.enabled" = false;
      # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
      #
      # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
      # dom.event.clipboardevents.enabled: false
      # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
      "privacy.firstparty.isolate" = true;
      # Do not preload URLs that auto-complete in the address bar.
      "browser.urlbar.speculativeConnect.enabled" = false;
      # Do not resist fingerprinting because that tells websites to use light mode.
      # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114
      "privacy.resistFingerprinting" = false; # (default false)
      # Instead, enable fingerprinting protection, which allows configuring an override.
      "privacy.fingerprintingProtection" = true;
      # Allow sending dark mode preference to websites.
      # Allow sending timezone to websites.
      "privacy.fingerprintingProtection.overrides" =
        "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked";
      # Disable weather on new tab page
      "browser.newtabpage.activity-stream.showWeather" = false;
    };
-    # Check about:policies#documentation and https://mozilla.github.io/policy-templates/ for options.
+  };
    policies = {
      DisableTelemetry = true;
      DisplayBookmarksToolbar = "newtab";
-      # Check about:support for extension/add-on ID strings.
+  config = lib.mkIf config.me.firefox.enable (
-      # Valid strings for installation_mode are "allowed", "blocked",
+    lib.mkMerge [
-      # "force_installed" and "normal_installed".
+      (lib.mkIf config.me.graphical {
-      ExtensionSettings = {
+        programs.firefox = {
-        # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+          enable = true;
-        "uBlock0@raymondhill.net" = {
+          package = (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true; }) { });
-          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+          languagePacks = [ "en-US" ];
-          installation_mode = "force_installed";
+          preferences = {
            # "identity.sync.tokenserver.uri": "https://ffsync.fizz.buzz/token/1.0/sync/1.5";
            "media.hardware-video-decoding.force-enabled" = true;
            "media.ffmpeg.vaapi.enabled" = true;
            "doh-rollout.doorhanger-decision" = "UIDisabled";
            "dom.security.https_only_mode" = true;
            "dom.security.https_only_mode_ever_enabled" = true;
            "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
            # Disable ads
            "extensions.pocket.enabled" = false;
            "browser.newtabpage.activity-stream.showSponsored" = false;
            "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
            "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
            "browser.newtabpage.pinned" = "[]";
            "browser.newtabpage.activity-stream.section.highlights.includePocket" = false;
            "browser.topsites.contile.enabled" = false;
            # Disable cache when devtools are open.
            "devtools.cache.disabled" = true;
            # Do not track header.
            "privacy.donottrackheader.enabled" = true;
            # Tell websites not to share or sell my data.
            "privacy.globalprivacycontrol.enabled" = true;
            # Disable "studies" (slice testing)
            "app.shield.optoutstudies.enabled" = false;
            # Disable attribution which is used by advertisers to track you.
            "dom.private-attribution.submission.enabled" = false;
            # Disable battery status, used to track users.
            "dom.battery.enabled" = false;
            # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
            #
            # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
            # dom.event.clipboardevents.enabled: false
            # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
            "privacy.firstparty.isolate" = true;
            # Do not preload URLs that auto-complete in the address bar.
            "browser.urlbar.speculativeConnect.enabled" = false;
            # Do not resist fingerprinting because that tells websites to use light mode.
            # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114
            "privacy.resistFingerprinting" = false; # (default false)
            # Instead, enable fingerprinting protection, which allows configuring an override.
            "privacy.fingerprintingProtection" = true;
            # Allow sending dark mode preference to websites.
            # Allow sending timezone to websites.
            "privacy.fingerprintingProtection.overrides" =
              "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt";
            # Disable weather on new tab page
            "browser.newtabpage.activity-stream.showWeather" = false;
            # Disable AI stuff that wastes battery life
            "browser.ml.chat.enabled" = false;
            "browser.ml.enabled" = false;
          };
          # Check about:policies#documentation and https://mozilla.github.io/policy-templates/ for options.
          policies = {
            DisableTelemetry = true;
            DisplayBookmarksToolbar = "newtab";
            # Check about:support for extension/add-on ID strings.
            # Valid strings for installation_mode are "allowed", "blocked",
            # "force_installed" and "normal_installed".
            ExtensionSettings = {
              # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
              "uBlock0@raymondhill.net" = {
                install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
                installation_mode = "force_installed";
              };
              # "firefox@teleparty.com" = {
              #   install_url = "https://addons.mozilla.org/firefox/downloads/latest/netflix-party-is-now-teleparty/latest.xpi";
              #   installation_mode = "normal_installed";
              # };
              "@ublacklist" = {
                install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublacklist/latest.xpi";
                installation_mode = "normal_installed";
              };
              "@react-devtools" = {
                install_url = "https://addons.mozilla.org/firefox/downloads/latest/react-devtools/latest.xpi";
                installation_mode = "normal_installed";
              };
            };
          };
        };
        "firefox@teleparty.com" = {
          install_url = "https://addons.mozilla.org/firefox/downloads/latest/netflix-party-is-now-teleparty/latest.xpi";
          installation_mode = "normal_installed";
        };
      };
    };
  };
-  environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
-    hideMounts = true;
+          hideMounts = true;
-    users.talexander = {
+          users.talexander = {
-      directories = [
+            directories = [
-        {
+              {
-          directory = ".mozilla";
+                directory = ".mozilla";
-          user = "talexander";
+                user = "talexander";
-          group = "talexander";
+                group = "talexander";
-          mode = "0700";
+                mode = "0700";
-        }
+              }
-      ];
+            ];
-    };
+          };
-  };
+        };
-  environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
+        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
-    hideMounts = true;
+          hideMounts = true;
-    users.talexander = {
+          users.talexander = {
-      directories = [
+            directories = [
-        {
+              {
-          directory = ".cache/mozilla";
+                directory = ".cache/mozilla";
-          user = "talexander";
+                user = "talexander";
-          group = "talexander";
+                group = "talexander";
-          mode = "0700";
+                mode = "0700";
-        }
+              }
-      ];
+            ];
-    };
+          };
-  };
+        };
      })
    ]
  );
 }
--- a/nix/configuration/roles/flux/default.nix
+++ b/nix/configuration/roles/flux/default.nix
@@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    flux.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install flux.";
    };
  };
  config = lib.mkIf config.me.flux.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          fluxcd
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/fonts/default.nix
+++ b/nix/configuration/roles/fonts/default.nix
@@ -8,20 +8,23 @@
 {
  imports = [ ];
-  fonts = {
+  config = lib.mkIf config.me.graphical {
-    enableDefaultPackages = false;
+    fonts = {
-    packages = with pkgs; [
+      enableDefaultPackages = false;
-      cascadia-code
+      packages = with pkgs; [
-      source-sans-pro
+        cascadia-code
-      source-serif-pro
+        source-sans-pro
-      noto-fonts-cjk-sans
+        source-serif-pro
-      noto-fonts-cjk-serif
+        noto-fonts
-      noto-fonts-color-emoji
+        noto-fonts-cjk-sans
-    ];
+        noto-fonts-cjk-serif
        noto-fonts-color-emoji
      ];
-    fontconfig = {
+      fontconfig = {
-      localConf = (builtins.readFile ./files/fonts.conf);
+        localConf = (builtins.readFile ./files/fonts.conf);
-      useEmbeddedBitmaps = true;
+        useEmbeddedBitmaps = true;
      };
    };
  };
 }
--- a/nix/configuration/roles/fonts/files/fonts.conf
+++ b/nix/configuration/roles/fonts/files/fonts.conf
@@ -47,17 +47,17 @@
  </alias>
-  <!-- Screw it. Force Liberation Mono to be source code pro. -->
+  <!-- Screw it. Force Liberation Mono to be cascadia mono. -->
-  <match target="pattern">
+  <!-- <match target="pattern"> -->
-    <test qual="any" name="family"><string>Liberation Mono</string></test>
+  <!--   <test qual="any" name="family"><string>Liberation Mono</string></test> -->
-    <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit>
+  <!--   <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit> -->
-  </match>
+  <!-- </match> -->
  <!-- Dejavu Sans Mono keeps coming back when I query "monospace". Doesn't happen when I'm using Souce Code Pro but does happen with cascadia... force it to cascadia -->
-  <match target="pattern">
+  <!-- <match target="pattern"> -->
-    <test qual="any" name="family"><string>monospace</string></test>
+  <!--   <test qual="any" name="family"><string>monospace</string></test> -->
-    <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit>
+  <!--   <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit> -->
-  </match>
+  <!-- </match> -->
  <!-- Disable ligatures in monospace fonts. -->
  <match target="font">
--- a/nix/configuration/roles/gcloud/default.nix
+++ b/nix/configuration/roles/gcloud/default.nix
@@ -0,0 +1,43 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    gcloud.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install gcloud.";
    };
  };
  config = lib.mkIf config.me.gcloud.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          (google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ])
        ];
        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                directory = ".config/gcloud";
                user = "talexander";
                group = "talexander";
                mode = "0700";
              }
            ];
          };
        };
      }
    ]
  );
 }
--- a/nix/configuration/roles/git/default.nix
+++ b/nix/configuration/roles/git/default.nix
@@ -5,18 +5,75 @@
  ...
 }:
 let
  git_wrapped =
    package: prog:
    pkgs.writeShellScriptBin "${prog}" ''
      export PATH="${
        lib.makeBinPath [
          pkgs.meld
        ]
      }:$PATH"
      exec ${package}/bin/${prog} "''${@}"
    '';
 in
 {
  imports = [ ];
-  environment.systemPackages = with pkgs; [
+  options.me = {
-    git
+    git.config = lib.mkOption {
-  ];
+      type = lib.types.nullOr lib.types.path;
-
+      default = null;
-  home-manager.users.talexander =
+      example = ./files/gitconfig_home;
-    { pkgs, ... }:
+      description = "A git config file.";
    {
      home.file.".gitconfig" = {
        source = ./files/gitconfig_home;
      };
    };
  };
  config = lib.mkMerge [
    {
      environment.systemPackages = with pkgs; [
        my_git
      ];
    }
    (lib.mkIf (config.me.git.config != null) {
      me.install.user.talexander.file = {
        ".gitconfig" = {
          source = config.me.git.config;
        };
      };
    })
    (lib.mkIf (config.me.graphical) {
      nixpkgs.overlays = [
        (final: prev: {
          my_git = (
            pkgs.buildEnv {
              name = prev.git.name;
              version = prev.git.version;
              paths =
                (builtins.map (git_wrapped prev.git) [
                  "git"
                ])
                ++ [
                  prev.git
                ];
              extraOutputsToInstall = [
                "man"
                "doc"
                "info"
              ];
              nativeBuildInputs = [ final.makeWrapper ];
              ignoreCollisions = true;
            }
          );
        })
      ];
    })
    (lib.mkIf (!config.me.graphical) {
      nixpkgs.overlays = [
        (final: prev: {
          my_git = prev.git;
        })
      ];
    })
  ];
 }
--- a/nix/configuration/roles/git/files/gitconfig_home
+++ b/nix/configuration/roles/git/files/gitconfig_home
@@ -1,35 +1,58 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = D3A179C9A53C0EDE
+	signingkey = 36C99E8B3C39D85F
 [push]
-	default = simple
+	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
 	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
 # Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld
+	tool = meld # Use meld for `git difftool` and `git mergetool`
 	algorithm = histogram
 	colorMoved = plain
 	mnemonicPrefix = true
 	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
 	conflictStyle = zdiff3
 [mergetool "meld"]
        # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
        # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [column]
 	ui = auto
 [branch]
 	sort = -committerdate
 [tag]
 	sort = version:refname
 [fetch]
 	prune = true
 	pruneTags = true
 	all = true
 [rebase]
 	autoSquash = true
 	autoStash = true
        # updateRefs was annoying when you want to split a branch in two by rebasing away from commits from one branch and rebasing away some commits from another branch.
 	updateRefs = false
 # Disabled because ephemeral pin storage is not yet ready in openpgp-card-state
 # [gpg]
 # 	program = oct-git
--- a/nix/configuration/roles/global_options/default.nix
+++ b/nix/configuration/roles/global_options/default.nix
@@ -0,0 +1,30 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  # options.me.graphics_card_type = lib.mkOption {
  #   type = lib.types.nullOr (
  #     lib.types.enum [
  #       "amd"
  #       "intel"
  #       "nvidia"
  #     ]
  #   );
  #   default = null;
  #   example = "amd";
  #   description = "What graphics card type is in the computer.";
  # };
  # options.me.graphical = lib.mkOption {
  #   type = lib.types.bool;
  #   default = false;
  #   example = true;
  #   description = "Whether we want to install graphical programs.";
  # };
 }
--- a/nix/configuration/roles/gnuplot/default.nix
+++ b/nix/configuration/roles/gnuplot/default.nix
@@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    gnuplot.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install gnuplot.";
    };
  };
  config = lib.mkIf config.me.gnuplot.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          gnuplot
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/gpg/default.nix
+++ b/nix/configuration/roles/gpg/default.nix
@@ -2,7 +2,6 @@
  config,
  lib,
  pkgs,
  pkgs-unstable,
  ...
 }:
@@ -17,158 +16,118 @@ in
 {
  imports = [ ];
-  # Fetch public keys:
+  options.me = {
-  # gpg --locate-keys tom@fizz.buzz
+    gpg.enable = lib.mkOption {
-  #
+      type = lib.types.bool;
-  # gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
+      default = false;
-
+      example = true;
-  hardware.gpgSmartcards.enable = true;
+      description = "Whether we want to install gpg.";
  services.udev.packages = [
    pkgs.yubikey-personalization
    pkgs.libfido2
    (pkgs.writeTextFile {
      name = "my-rules";
      text = ''
        ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
        KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
      '';
      destination = "/etc/udev/rules.d/50-yubikey.rules";
    })
  ];
  services.pcscd.enable = true;
  # services.gnome.gnome-keyring.enable = true;
  # services.dbus.packages = [ pkgs.gcr ];
  # services.pcscd.plugins = lib.mkForce [ ];
  #   programs.gpg.scdaemonSettings = {
  #   disable-ccid = true;
  # };
  # .gnupg/scdaemon.conf
  home-manager.users.talexander =
    { pkgs, ... }:
    {
      home.file.".gnupg/scdaemon.conf" = {
        source = ./files/scdaemon.conf;
      };
    };
  # programs.gnupg.dirmngr.enable = true;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = pkgs.pinentry-qt;
    # settings = {
    #   disable-ccid = true;
    # };
  };
  environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
    hideMounts = true;
    users.talexander = {
      directories = [
        {
          directory = ".gnupg";
          user = "talexander";
          group = "talexander";
          mode = "0700";
        } # Local keyring
      ];
    };
  };
-  nixpkgs.overlays = [
+  config = lib.mkIf config.me.gpg.enable (
-    (final: prev: {
+    lib.mkMerge [
-      # pcsclite = prev.pcsclite.overrideAttrs (old: {
+      {
-      #   postPatch = ''
+        # Fetch public keys:
-      #     substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
+        # gpg --locate-external-keys tom@fizz.buzz
      #       --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #   '';
      # });
-      # pcsclite = prev.pcsclite.overrideAttrs (old: {
+        hardware.gpgSmartcards.enable = true;
-      #   postPatch =
+        services.udev.packages = [
-      #     old.postPatch
+          pkgs.yubikey-personalization
-      #     + (lib.optionalString
+          pkgs.libfido2
-      #       (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
+          (pkgs.writeTextFile {
-      #       ''
+            name = "my-rules";
-      #         substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
+            text = ''
-      #           --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
+              ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
-      #       ''
+              KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
-      #     );
+            '';
-      # });
+            destination = "/etc/udev/rules.d/50-yubikey.rules";
          })
        ];
        services.pcscd.enable = true;
-      # pcsclite = prev.pcsclite.overrideAttrs (old: {
+        me.install.user.talexander.file = {
-      #   postPatch =
+          ".gnupg/scdaemon.conf" = {
-      #     old.postPatch
+            source = ./files/scdaemon.conf;
-      #     + ''
+          };
-      #       substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
+        };
      #         --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #     '';
      # });
-      # gnupg = prev.gnupg.override {
+        programs.gnupg.agent = {
-      #   pcsclite = pkgs.pcsclite.overrideAttrs (old: {
+          enable = true;
-      #     postPatch =
+          enableSSHSupport = true;
-      #       old.postPatch
+          pinentryPackage = pkgs.pinentry-qt;
-      #       + (lib.optionalString
+          # Settings block populates /etc/gnupg/gpg-agent.conf
-      #         (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
+          # settings = {
-      #         ''
+          # };
-      #           substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
+        };
      #             --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #         ''
      #       );
      #   });
      # };
    })
  ];
-  # security.polkit.extraConfig = ''
+        # Disabled because it breaks signing git commits because gpg wants to copy pubring.kbx. Unfortunately, this makes the install of scdaemon.conf do nothing since this mount of the full .gnupg directory goes over it.
-  #   polkit.addRule(function(action, subject) {
+        #
-  #     if (action.id == "org.debian.pcsc-lite.access_card") {
+        # environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
-  #       return polkit.Result.YES;
+        #   hideMounts = true;
-  #     }
+        #   users.talexander = {
-  #   });
+        #     files = [
        #       {
        #         file = ".gnupg/trustdb.gpg";
        #         parentDirectory = {
        #           mode = "u=rwx,g=,o=";
        #         };
        #       }
        #       {
        #         file = ".gnupg/pubring.kbx";
        #         parentDirectory = {
        #           mode = "u=rwx,g=,o=";
        #         };
        #       }
        #       {
        #         file = ".gnupg/tofu.db";
        #         parentDirectory = {
        #           mode = "u=rwx,g=,o=";
        #         };
        #       }
        #     ];
        #     directories = [
        #       {
        #         directory = ".gnupg/crls.d";
        #         user = "talexander";
        #         group = "talexander";
        #         mode = "0700";
        #       }
        #       {
        #         directory = ".gnupg/private-keys-v1.d";
        #         user = "talexander";
        #         group = "talexander";
        #         mode = "0700";
        #       }
        #     ];
        #   };
        # };
-  #   polkit.addRule(function(action, subject) {
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
-  #     if (action.id == "org.debian.pcsc-lite.access_pcsc") {
+          hideMounts = true;
-  #       return polkit.Result.YES;
+          users.talexander = {
-  #     }
+            directories = [
-  #   });
+              {
-  # '';
+                directory = ".gnupg";
                user = "talexander";
                group = "talexander";
                mode = "0700";
              }
            ];
          };
        };
-  environment.systemPackages = with pkgs; [
+        environment.systemPackages = with pkgs; [
-    pcsclite
+          pcsclite
-    pcsctools
+          pcsctools
-    yubikey-personalization
+          glibcLocales
-    yubikey-manager
+          ccid
-    glibcLocales
+          libusb-compat-0_1
-    ccid
+          gpg_test_wkd
-    libusb-compat-0_1
+        ];
    gpg_test_wkd
  ];
-  # nixpkgs.overlays = [
+        programs.gnupg.agent.enableExtraSocket = true;
-  #   (final: prev: {
+      }
-  #     gnupg = pkgs-unstable.gnupg;
+    ]
-  #     scdaemon = pkgs-unstable.scdaemon;
+  );
  #     libgcrypt = pkgs-unstable.libgcrypt;
  #   })
  # ];
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     gnupg = prev.gnupg.overrideAttrs (old: rec {
  #       version = "2.4.7";
  #       src = prev.fetchurl {
  #         url = "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-${version}.tar.bz2";
  #         hash = "sha256-eyRwbk2n4OOwbKBoIxAnQB8jgQLEHJCWMTSdzDuF60Y=";
  #       };
  #     });
  #   })
  # ];
  programs.gnupg.agent.enableExtraSocket = true;
 }
--- a/nix/configuration/roles/gpg/files/gpg_test_wkd.bash
+++ b/nix/configuration/roles/gpg/files/gpg_test_wkd.bash
@@ -6,3 +6,6 @@ IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 gpg --no-default-keyring --keyring /tmp/gpg-$$ --auto-key-locate clear,wkd --locate-keys "${@}"
 # To generate files for the WKD:
 # gpg-wks-client --directory ./pgp/.well-known/openpgpkey --install-key <keyid> <email>
--- a/nix/configuration/roles/gpg/files/scdaemon.conf
+++ b/nix/configuration/roles/gpg/files/scdaemon.conf
@@ -1,7 +1,10 @@
-reader-port Yubico Yubi
+#reader-port Yubico Yubi
 disable-ccid
-log-file /home/talexander/scd.log
+# This setting enables other backends like oct to access the pgp card simultaneously but it also means that gpg will ask for the pin for EVERY ssh session which is annoying in scripts.
-verbose
+#pcsc-shared
-debug cardio
+
-debug-level 5
+#log-file /home/talexander/scd.log
 #verbose
 #debug cardio
 #debug-level 5
--- a/nix/configuration/roles/graphics/default.nix
+++ b/nix/configuration/roles/graphics/default.nix
@@ -8,5 +8,56 @@
 {
  imports = [ ];
-  hardware.graphics.enable = true;
+  options.me.graphics_card_type = lib.mkOption {
    type = lib.types.nullOr (
      lib.types.enum [
        "amd"
        "intel"
        "nvidia"
      ]
    );
    default = null;
    example = "amd";
    description = "What graphics card type is in the computer.";
  };
  options.me.graphical = lib.mkOption {
    type = lib.types.bool;
    default = false;
    example = true;
    description = "Whether we want to install graphical programs.";
  };
  config = (
    lib.mkMerge [
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          mesa-demos # for glxgears
          vulkan-tools # for vkcube
          xorg.xeyes # to test which windows are using x11
        ];
        hardware.graphics.enable = true;
        # hardware.graphics.enable32Bit = true;
        # Vulkan Support (64-bit is enabled by default, 32-bit is disabled by default)
        # hardware.opengl.driSupport = true; # This is already enabled by default
        # hardware.opengl.driSupport32Bit = true; # For 32 bit applications
      })
      (lib.mkIf (config.me.graphics_card_type == "amd") {
        environment.systemPackages = with pkgs; [
          nvtopPackages.amd
        ];
      })
      (lib.mkIf (config.me.graphics_card_type == "intel") {
        environment.systemPackages = with pkgs; [
          nvtopPackages.intel
        ];
      })
      (lib.mkIf (config.me.graphics_card_type == "nvidia") {
        environment.systemPackages = with pkgs; [
          nvtopPackages.nvidia
        ];
      })
    ]
  );
 }
--- a/Show More
+++ b/Show More
`@@ -1 +1 @@`
	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908`	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8`