Disable optimizations for quick iteration.

Switch to using my fork of nixpkgs.
Pull in improvements from nixpkgs PR.
2025-09-19 19:08:31 -04:00 · 2025-09-19 19:08:30 -04:00 · 2025-09-06 20:32:25 -04:00 · 2025-09-06 17:39:04 -04:00 · 2025-09-04 18:51:14 -04:00 · 2025-09-04 18:51:14 -04:00
213 changed files with 37855 additions and 1072 deletions
--- a/ansible/roles/base/files/gitconfig_home
+++ b/ansible/roles/base/files/gitconfig_home
@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
 	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
--- a/ansible/roles/base/files/gitconfig_work
+++ b/ansible/roles/base/files/gitconfig_work
@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
 	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
--- a/ansible/roles/sftp/tasks/common.yaml
+++ b/ansible/roles/sftp/tasks/common.yaml
@@ -64,6 +64,23 @@
 #     force: true
 #   diff: false
 - name: Create directories
  file:
    name: "{{ item }}"
    state: directory
    mode: 0700
    owner: nochainstounlock
    group: nochainstounlock
  loop:
    - /home/nochainstounlock/.ssh
 - name: Set authorized keys
  authorized_key:
    user: nochainstounlock
    key: |
      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrjXsXjtxEm47XnRZfo67kJULoc0NBLrB0lPYFiS2Ar kodi@neelix
    exclusive: true
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'
--- a/nix/configuration/.gitignore
+++ b/nix/configuration/.gitignore
@@ -0,0 +1 @@
 result
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -2,46 +2,81 @@
  config,
  lib,
  pkgs,
  pkgs-unstable,
  home-manager,
  ...
 }:
 {
  imports = [
-    ./roles/reset
+    ./roles/2ship2harkinian
    ./roles/iso
    ./hosts/odo
    "${
      builtins.fetchTarball {
        url = "https://github.com/nix-community/disko/archive/refs/tags/v1.9.0.tar.gz";
        sha256 = "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388";
      }
    }/module.nix"
    ./roles/boot
    ./roles/zfs
    ./roles/network
    ./roles/firewall
    ./roles/zsh
    ./roles/graphics
    ./roles/sound
    ./roles/sway
    ./roles/alacritty
-    ./roles/firefox
+    ./roles/amd_s2idle
    ./roles/ansible
    ./roles/ares
    ./roles/bluetooth
    ./roles/boot
    ./roles/chromecast
    ./roles/chromium
-    ./roles/emacs
+    ./roles/d2
-    ./roles/git
+    ./roles/direnv
-    ./roles/fonts
+    ./roles/distributed_build
    ./roles/gpg
    ./roles/waybar
    ./roles/qemu
    ./roles/wireguard
    ./roles/bsnes
    ./roles/ssh
    ./roles/python
    ./roles/docker
    ./roles/ecc
    ./roles/emacs
    ./roles/firefox
    ./roles/firewall
    ./roles/flux
    ./roles/fonts
    ./roles/gcloud
    ./roles/git
    ./roles/global_options
    ./roles/gnuplot
    ./roles/gpg
    ./roles/graphics
    ./roles/hydra
    ./roles/iso
    ./roles/iso_mount
    ./roles/kanshi
    ./roles/kodi
    ./roles/kubernetes
    ./roles/latex
    ./roles/launch_keyboard
    ./roles/lvfs
    ./roles/media
    ./roles/memtest86
    ./roles/network
    ./roles/nix_index
    ./roles/nix_worker
    ./roles/nvme
    ./roles/optimized_build
    ./roles/pcsx2
    ./roles/python
    ./roles/qemu
    ./roles/reset
    ./roles/rpcs3
    ./roles/rust
    ./roles/shadps4
    ./roles/shikane
    ./roles/shipwright
    ./roles/sm64ex
    ./roles/sops
    ./roles/sound
    ./roles/ssh
    ./roles/steam
    ./roles/steam_run_free
    ./roles/sway
    ./roles/tekton
    ./roles/terraform
    ./roles/thunderbolt
    ./roles/vnc_client
    ./roles/vscode
    ./roles/wasm
    ./roles/waybar
    ./roles/wireguard
    ./roles/zfs
    ./roles/zrepl
    ./roles/zsh
    ./util/install_files
    ./util/unfree_polyfill
  ];
  nix.settings.experimental-features = [
@@ -53,6 +88,19 @@
  # boot.kernelPackages = pkgs.linuxPackages_6_11;
  hardware.enableRedistributableFirmware = true;
  # Use nixos-rebuild-ng
  # system.rebuild.enableNg = true;
  # Keep outputs so we can build offline.
  nix.extraOptions = ''
    keep-outputs = true
    keep-derivations = true
  '';
  # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
  boot.supportedFilesystems.zfs = true;
  # TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ?
  services.getty = {
    autologinUser = "talexander"; # I use full disk encryption so the user password is irrelevant.
    autologinOnce = true;
@@ -76,27 +124,17 @@
    ];
  };
  users.groups.talexander.gid = 11235;
  home-manager.users.talexander =
    { pkgs, ... }:
    {
      home.packages = [
        pkgs.atool
        pkgs.httpie
      ];
      programs.bash.enable = true;
      # The state version is required and should stay at the version you
      # originally installed.
      home.stateVersion = "24.11";
    };
  # Automatic garbage collection
-  nix.gc = {
+  nix.gc = lib.mkIf (!config.me.buildingIso) {
    # Runs nix-collect-garbage --delete-older-than 5d
    automatic = true;
-    randomizedDelaySec = "14m";
+    persistent = true;
    dates = "monthly";
    # randomizedDelaySec = "14m";
    options = "--delete-older-than 30d";
  };
  nix.settings.auto-optimise-store = !config.me.buildingIso;
  # Use doas instead of sudo
  security.doas.enable = true;
@@ -110,9 +148,6 @@
    }
  ];
  # Do not use default packages (nixos includes some defaults like nano)
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [
    wget
    mg
@@ -123,14 +158,23 @@
    file
    usbutils # for lsusb
    pciutils # for lspci
    mesa-demos # for glxgears TODO move to better role
    vulkan-tools # for vkcube TODO move to better role
    xorg.xeyes # to test which windows are using x11 TODO move to better role
    ripgrep
    strace
    # ltrace # Disabled because it uses more than 48GB of /tmp space during test phase.
    trace-cmd # ftrace
    tcpdump
    git-crypt
-    nix-index-unwrapped
+    gnumake
    ncdu
    nix-tree
    libarchive # bsdtar
    lsof
    doas-sudo-shim # To support --use-remote-sudo for remote builds
    dmidecode # Read SMBIOS information.
    ipcalc
    gptfdisk # for cgdisk
    nix-output-monitor # For better view into nixos-rebuild
    nix-serve-ng # Serve nix store over http
  ];
  services.openssh = {
@@ -159,7 +203,6 @@
      "/var/lib/nixos" # Contains user information (uids/gids)
      "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
      "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
      "/etc/zfs/zpool.cache" # Which zpools to import, the root zpool is already imported and does not need this cache file but this captures additional pools. TODO consider setting cachefile=none on main pool.
    ];
    files = [
      "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
@@ -168,10 +211,16 @@
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
-    # users.talexander = {
+    users.talexander = {
-    #   directories = [];
+      directories = [
-    #   files = [];
+        {
-    # };
+          directory = "persist";
          user = "talexander";
          group = "talexander";
          mode = "0700";
        }
      ];
    };
  };
  # Write a list of the currently installed packages to /etc/current-system-packages
@@ -183,12 +232,24 @@
    in
    formatted;
  # environment.etc."system-packages-with-source".text = builtins.concatStringsSep "\n\n" (
  #   builtins.map (
  #     x: x.file + "\n" + builtins.concatStringsSep "\n" (builtins.map (s: "  " + s) x.value)
  #   ) config.environment.systemPackages.definitionsWithLocations
  # );
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     nix = pkgs-unstable.nix;
  #   })
  # ];
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     foot = throw "foo";
  #   })
  # ];
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
--- a/nix/configuration/flake.lock
+++ b/nix/configuration/flake.lock
@@ -1,18 +1,29 @@
 {
  "nodes": {
-    "crane": {
+    "ansible-sshjail": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1717535930,
+        "path": "flakes/ansible-sshjail",
-        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
+        "type": "path"
      },
      "original": {
        "path": "flakes/ansible-sshjail",
        "type": "path"
      },
      "parent": []
    },
    "crane": {
      "locked": {
        "lastModified": 1731098351,
        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
        "type": "github"
      },
      "original": {
@@ -21,6 +32,26 @@
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1758160037,
        "narHash": "sha256-fXelTdjdILspZ1IUU9aICB1+PXwSFiF8j+7ujwo1VpQ=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "4f554162fff88e77655073d352eec0cea71103a2",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "disko",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
@@ -45,11 +76,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717285511,
+        "lastModified": 1730504689,
-        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
@@ -63,11 +94,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -116,34 +147,13 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1736373539,
        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-24.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1734945620,
+        "lastModified": 1737831083,
-        "narHash": "sha256-olIfsfJK4/GFmPH8mXMmBDAkzVQ1TWJmeGT3wBGfQPY=",
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "d000479f4f41390ff7cf9204979660ad5dd16176",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
        "type": "github"
      },
      "original": {
@@ -157,7 +167,6 @@
        "crane": "crane",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
@@ -165,82 +174,82 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1718178907,
+        "lastModified": 1737639419,
-        "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "v0.4.1",
+        "ref": "v0.4.2",
        "repo": "lanzaboote",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1736200483,
+        "lastModified": 1758242085,
-        "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=",
+        "narHash": "sha256-hnrtEiy8qLMskZr0FBp0vbtMJ9xA4HvDdzuFRLxRiFg=",
-        "owner": "NixOS",
+        "ref": "og-amd-debug-tools",
-        "repo": "nixpkgs",
+        "rev": "7b0f433195e299008850d16e85a862177419cef6",
-        "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751",
+        "revCount": 862645,
-        "type": "github"
+        "type": "git",
        "url": "https://github.com/tomalexander/nixpkgs.git"
      },
      "original": {
-        "owner": "NixOS",
+        "ref": "og-amd-debug-tools",
-        "ref": "nixos-24.11",
+        "type": "git",
-        "repo": "nixpkgs",
+        "url": "https://github.com/tomalexander/nixpkgs.git"
        "type": "github"
      }
    },
-    "nixpkgs-b93b4e9b5": {
+    "nixpkgs-dda3dcd3f": {
      "locked": {
-        "lastModified": 1713721570,
+        "lastModified": 1746663147,
-        "narHash": "sha256-R0s+O5UjTePQRb72XPgtkTmEiOOW8n+1q9Gxt/OJnKU=",
+        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b93b4e9b527904aadf52dba6ca35efde2067cbd4",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b93b4e9b527904aadf52dba6ca35efde2067cbd4",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1710695816,
+        "lastModified": 1730741070,
-        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-unoptimized": {
      "locked": {
-        "lastModified": 1736012469,
+        "lastModified": 1758242085,
-        "narHash": "sha256-/qlNWm/IEVVH7GfgAIyP6EsVZI6zjAx1cV5zNyrs+rI=",
+        "narHash": "sha256-hnrtEiy8qLMskZr0FBp0vbtMJ9xA4HvDdzuFRLxRiFg=",
-        "owner": "NixOS",
+        "ref": "og-amd-debug-tools",
-        "repo": "nixpkgs",
+        "rev": "7b0f433195e299008850d16e85a862177419cef6",
-        "rev": "8f3e1f807051e32d8c95cd12b9b421623850a34d",
+        "revCount": 862645,
-        "type": "github"
+        "type": "git",
        "url": "https://github.com/tomalexander/nixpkgs.git"
      },
      "original": {
-        "owner": "NixOS",
+        "ref": "og-amd-debug-tools",
-        "ref": "nixos-unstable",
+        "type": "git",
-        "repo": "nixpkgs",
+        "url": "https://github.com/tomalexander/nixpkgs.git"
        "type": "github"
      }
    },
    "pre-commit-hooks-nix": {
@@ -257,11 +266,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1717664902,
+        "lastModified": 1731363552,
-        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
        "type": "github"
      },
      "original": {
@@ -272,32 +281,29 @@
    },
    "root": {
      "inputs": {
-        "home-manager": "home-manager",
+        "ansible-sshjail": "ansible-sshjail",
        "disko": "disko",
        "impermanence": "impermanence",
        "lanzaboote": "lanzaboote",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-b93b4e9b5": "nixpkgs-b93b4e9b5",
+        "nixpkgs-dda3dcd3f": "nixpkgs-dda3dcd3f",
-        "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixpkgs-unoptimized": "nixpkgs-unoptimized",
        "zsh-histdb": "zsh-histdb"
      }
    },
    "rust-overlay": {
      "inputs": {
        "flake-utils": [
          "lanzaboote",
          "flake-utils"
        ],
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1717813066,
+        "lastModified": 1731897198,
-        "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
        "type": "github"
      },
      "original": {
@@ -344,15 +350,14 @@
        ]
      },
      "locked": {
        "lastModified": 1,
        "narHash": "sha256-TFks1dvPwAXKQeePh9jmxj06ZfXArH1pN9yXVQWeL6w=",
        "path": "flakes/zsh-histdb",
        "type": "path"
      },
      "original": {
        "path": "flakes/zsh-histdb",
        "type": "path"
-      }
+      },
      "parent": []
    }
  },
  "root": "root",
--- a/nix/configuration/flake.nix
+++ b/nix/configuration/flake.nix
@@ -3,7 +3,7 @@
 #   output: result/iso/nixos.iso
 # Run the ISO image
-#   "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
+#   doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
 #        -accel kvm \
 #        -cpu host \
 #        -smp cores=8 \
@@ -12,11 +12,11 @@
 #        -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" \
 #        -nic user,hostfwd=tcp::60022-:22 \
 #        -boot order=d \
-#        -cdrom "$(readlink -f ./result/iso/nixos.iso)" \
+#        -cdrom "$(readlink -f ./result/iso/nixos*.iso)" \
 #        -display vnc=127.0.0.1:0
 #
 # doas cp "$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF_VARS.fd" /tmp/OVMF_VARS.fd
-# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" -accel kvm -cpu host -smp cores=8 -m 32768 -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" -nic user,hostfwd=tcp::60022-:22 -boot order=d -cdrom /persist/machine_setup/nix/configuration/result/iso/nixos.iso -display vnc=127.0.0.1:0
+# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" -accel kvm -cpu host -smp cores=8 -m 32768 -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" -nic user,hostfwd=tcp::60022-:22 -boot order=d -cdrom /persist/machine_setup/nix/configuration/result/iso/nixos*.iso -display vnc=127.0.0.1:0
 # Get a repl for this flake
 #   nix repl --expr "builtins.getFlake \"$PWD\""
@@ -25,18 +25,30 @@
 # iso.odo.isoName == "nixos.iso"
 # full path = <outPath> / iso / <isoName>
 #
 # Install on a new machine:
 #
 #
 # doas nix --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/odo/disk-config.nix
 # nix flake update zsh-histdb --flake .
 # nix flake update ansible-sshjail --flake .
 # for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 # nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#vm_ionlybootzfs"
 #
 {
  description = "My system configuration";
  inputs = {
    impermanence.url = "github:nix-community/impermanence";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    # nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # nixpkgs.url = "github:tomalexander/nixpkgs/amd-debug-tools";
-    nixpkgs-b93b4e9b5.url = "github:NixOS/nixpkgs/b93b4e9b527904aadf52dba6ca35efde2067cbd4";
+    nixpkgs.url = "git+https://github.com/tomalexander/nixpkgs.git?ref=og-amd-debug-tools";
-    home-manager.url = "github:nix-community/home-manager/release-24.11";
+    nixpkgs-dda3dcd3f.url = "github:NixOS/nixpkgs/dda3dcd3fe03e991015e9a74b22d35950f264a54";
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    nixpkgs-unoptimized.url = "git+https://github.com/tomalexander/nixpkgs.git?ref=og-amd-debug-tools";
    lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.1";
+      url = "github:nix-community/lanzaboote/v0.4.2";
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
@@ -47,65 +59,208 @@
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ansible-sshjail = {
      url = "path:flakes/ansible-sshjail";
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
    {
      self,
      nixpkgs,
-      nixpkgs-unstable,
+      nixpkgs-unoptimized,
-      nixpkgs-b93b4e9b5,
+      nixpkgs-dda3dcd3f,
      impermanence,
      home-manager,
      lanzaboote,
      zsh-histdb,
      ansible-sshjail,
      ...
    }@inputs:
    let
      base_x86_64_linux = rec {
        system = "x86_64-linux";
        specialArgs = {
-          pkgs-b93b4e9b5 = import nixpkgs-b93b4e9b5 {
+          pkgs-dda3dcd3f = import nixpkgs-dda3dcd3f {
            inherit system;
          };
-          pkgs-unstable = import nixpkgs-unstable {
+          pkgs-unoptimized = import nixpkgs-unoptimized {
            inherit system;
            hostPlatform.gcc.arch = "default";
            hostPlatform.gcc.tune = "default";
          };
        };
        modules = [
          impermanence.nixosModules.impermanence
          home-manager.nixosModules.home-manager
          lanzaboote.nixosModules.lanzaboote
          inputs.disko.nixosModules.disko
          {
-            home-manager.useGlobalPkgs = true;
+            nixpkgs.overlays = [
-            home-manager.useUserPackages = true;
+              zsh-histdb.overlays.default
              ansible-sshjail.overlays.default
            ];
          }
          { nixpkgs.overlays = [ zsh-histdb.overlays.default ]; }
          ./configuration.nix
        ];
      };
-      systems = {
+      systems =
-        odo = {
+        let
-          main = nixpkgs.lib.nixosSystem (base_x86_64_linux // { });
+          additional_iso_modules = [
          iso = nixpkgs.lib.nixosSystem (
            base_x86_64_linux
            // {
              modules = base_x86_64_linux.modules ++ [
            (nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix")
-                # TODO: maybe?  imports = [ "${modulesPath}/profiles/image-based-appliance.nix" ];
+            # TODO: Figure out how to do image based appliances
            # (nixpkgs + "/nixos/modules/profiles/image-based-appliance.nix")
            {
              isoImage.makeEfiBootable = true;
              isoImage.makeUsbBootable = true;
              me.buildingIso = true;
              me.optimizations.enable = nixpkgs.lib.mkForce false;
            }
            {
              # These are big space hogs. The chance that I need them on an ISO is slim.
              me.steam.enable = nixpkgs.lib.mkForce false;
              me.pcsx2.enable = nixpkgs.lib.mkForce false;
            }
          ];
          additional_vm_modules = [
            (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
            {
              networking.dhcpcd.enable = true;
              networking.useDHCP = true;
              me.optimizations.enable = nixpkgs.lib.mkForce false;
            }
-          );
+            {
              # I don't need games on a virtual machine.
              me.steam.enable = nixpkgs.lib.mkForce false;
              me.pcsx2.enable = nixpkgs.lib.mkForce false;
              me.sm64ex.enable = nixpkgs.lib.mkForce false;
              me.shipwright.enable = nixpkgs.lib.mkForce false;
              me.ship2harkinian.enable = nixpkgs.lib.mkForce false;
            }
          ];
        in
        {
          odo = rec {
            main = base_x86_64_linux // {
              modules = base_x86_64_linux.modules ++ [
                ./hosts/odo
              ];
            };
            iso = main // {
              modules = main.modules ++ additional_iso_modules;
            };
            vm = main // {
              modules = main.modules ++ additional_vm_modules;
            };
            vm_iso = main // {
              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
            };
          };
          quark = rec {
            main = base_x86_64_linux // {
              modules = base_x86_64_linux.modules ++ [
                ./hosts/quark
              ];
            };
            iso = main // {
              modules = main.modules ++ additional_iso_modules;
            };
            vm = main // {
              modules = main.modules ++ additional_vm_modules;
            };
            vm_iso = main // {
              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
            };
          };
          neelix = rec {
            main = base_x86_64_linux // {
              modules = base_x86_64_linux.modules ++ [
                ./hosts/neelix
              ];
            };
            iso = main // {
              modules = main.modules ++ additional_iso_modules;
            };
            vm = main // {
              modules = main.modules ++ additional_vm_modules;
            };
            vm_iso = main // {
              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
            };
          };
          hydra =
            let
              additional_iso_modules = additional_iso_modules ++ [
                {
                  me.optimizations.enable = true;
                }
              ];
            in
            rec {
              main = base_x86_64_linux // {
                modules = base_x86_64_linux.modules ++ [
                  ./hosts/hydra
                ];
              };
              iso = main // {
                modules = main.modules ++ additional_iso_modules;
              };
              vm = main // {
                modules = main.modules ++ additional_vm_modules;
              };
              vm_iso = main // {
                modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
              };
            };
          ionlybootzfs = rec {
            main = base_x86_64_linux // {
              modules = base_x86_64_linux.modules ++ [
                ./hosts/ionlybootzfs
              ];
            };
            iso = main // {
              modules = main.modules ++ additional_iso_modules;
            };
            vm = main // {
              modules = main.modules ++ additional_vm_modules;
            };
            vm_iso = main // {
              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
            };
          };
        };
    in
    {
-      nixosConfigurations.odo = systems.odo.main;
+      nixosConfigurations.odo = nixpkgs.lib.nixosSystem systems.odo.main;
-      iso.odo = systems.odo.iso.config.system.build.isoImage;
+      iso.odo = (nixpkgs.lib.nixosSystem systems.odo.iso).config.system.build.isoImage;
      nixosConfigurations.vm_odo = nixpkgs.lib.nixosSystem systems.odo.vm;
      vm_iso.odo = (nixpkgs.lib.nixosSystem systems.odo.vm_iso).config.system.build.isoImage;
      nixosConfigurations.quark = nixpkgs.lib.nixosSystem systems.quark.main;
      iso.quark = (nixpkgs.lib.nixosSystem systems.quark.iso).config.system.build.isoImage;
      nixosConfigurations.vm_quark = nixpkgs.lib.nixosSystem systems.quark.vm;
      vm_iso.quark = (nixpkgs.lib.nixosSystem systems.quark.vm_iso).config.system.build.isoImage;
      nixosConfigurations.neelix = nixpkgs.lib.nixosSystem systems.neelix.main;
      iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.iso).config.system.build.isoImage;
      nixosConfigurations.vm_neelix = nixpkgs.lib.nixosSystem systems.neelix.vm;
      vm_iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.vm_iso).config.system.build.isoImage;
      nixosConfigurations.hydra = nixpkgs.lib.nixosSystem systems.hydra.main;
      iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.iso).config.system.build.isoImage;
      nixosConfigurations.vm_hydra = nixpkgs.lib.nixosSystem systems.hydra.vm;
      vm_iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.vm_iso).config.system.build.isoImage;
      nixosConfigurations.ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.main;
      iso.ionlybootzfs = (nixpkgs.lib.nixosSystem systems.ionlybootzfs.iso).config.system.build.isoImage;
      nixosConfigurations.vm_ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm;
      vm_iso.ionlybootzfs =
        (nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm_iso).config.system.build.isoImage;
    };
 }
--- a/nix/configuration/flakes/ansible-sshjail/flake.lock
+++ b/nix/configuration/flakes/ansible-sshjail/flake.lock
@@ -0,0 +1,61 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1735141468,
        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/configuration/flakes/ansible-sshjail/flake.nix
+++ b/nix/configuration/flakes/ansible-sshjail/flake.nix
@@ -0,0 +1,34 @@
 {
  description = "A slightly better history for zsh";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
  inputs.flake-utils.url = "github:numtide/flake-utils";
  outputs =
    {
      self,
      nixpkgs,
      flake-utils,
      ...
    }:
    let
      out =
        system:
        let
          pkgs = nixpkgs.legacyPackages.${system};
          # Maybe pkgs = import nixpkgs { inherit system; }; ?
          appliedOverlay = self.overlays.default pkgs pkgs;
        in
        {
          packages = rec {
            default = ansible-sshjail;
            ansible-sshjail = appliedOverlay.ansible-sshjail;
          };
        };
    in
    flake-utils.lib.eachDefaultSystem out
    // {
      overlays.default = final: prev: {
        ansible-sshjail = final.callPackage ./package.nix { };
      };
    };
 }
--- a/nix/configuration/flakes/ansible-sshjail/package.nix
+++ b/nix/configuration/flakes/ansible-sshjail/package.nix
@@ -0,0 +1,33 @@
 # unpackPhase
 # patchPhase
 # configurePhase
 # buildPhase
 # checkPhase
 # installPhase
 # fixupPhase
 # installCheckPhase
 # distPhase
 {
  stdenv,
  fetchgit,
  ...
 }:
 stdenv.mkDerivation {
  name = "ansible-sshjail";
  src = fetchgit {
    url = "https://github.com/austinhyde/ansible-sshjail.git";
    rev = "a7b0076fdb680b915d35efafd1382919100532b6";
    sha256 = "sha256-4QX/017fDRzb363NexgvHZ/VFKXOjRgGPDKKygyUylM=";
  };
  phases = [
    "installPhase"
  ];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/share/ansible/plugins/connection_plugins
    cp $src/sshjail.py $out/share/ansible/plugins/connection_plugins/
    runHook postInstall
  '';
 }
--- a/nix/configuration/flakes/zsh-histdb/package.nix
+++ b/nix/configuration/flakes/zsh-histdb/package.nix
@@ -21,9 +21,16 @@ stdenv.mkDerivation {
    sha256 = "sha256-vtG1poaRVbfb/wKPChk1WpPgDq+7udLqLfYfLqap4Vg=";
  };
  buildInputs = [ sqlite ];
-  phases = [ "installPhase" ];
+  phases = [
    "installPhase"
  ];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/share/zsh/plugins/zsh-histdb
    cp -r $src/histdb-* $src/*.zsh $src/db_migrations $out/share/zsh/plugins/zsh-histdb/
    runHook postInstall
  '';
  postInstall = ''
    substituteInPlace $out/share/zsh/plugins/zsh-histdb/sqlite-history.zsh $out/share/zsh/plugins/zsh-histdb/histdb-merge $out/share/zsh/plugins/zsh-histdb/histdb-migrate --replace-fail "sqlite3" "${sqlite}/bin/sqlite3"
  '';
 }
--- a/nix/configuration/hosts/hydra/DEPLOY_BOOT
+++ b/nix/configuration/hosts/hydra/DEPLOY_BOOT
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=hydra
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#hydra'
--- a/nix/configuration/hosts/hydra/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/hydra/DEPLOY_SWITCH
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=hydra
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#hydra'
--- a/nix/configuration/hosts/hydra/ISO
+++ b/nix/configuration/hosts/hydra/ISO
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/default.nix
+++ b/nix/configuration/hosts/hydra/default.nix
@@ -0,0 +1,68 @@
 #
 # Testing:
 # doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
 #      -accel kvm \
 #      -cpu host \
 #      -smp cores=8 \
 #      -m 32768 \
 #      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
 #      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
 #      -device nvme,serial=deadbeef,drive=nvm \
 #      -nic user,hostfwd=tcp::60022-:22 \
 #      -boot order=d \
 #      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
 #      -display vnc=127.0.0.1:0
 #
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./disk-config.nix
    ./hardware-configuration.nix
    ./optimized_build.nix
    ./vm_disk.nix
  ];
  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
  networking.hostId = "fbd233d8";
  networking.hostName = "hydra"; # Define your hostname.
  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";
  me.secureBoot.enable = false;
  me.optimizations = {
    enable = true;
    arch = "znver4";
    system_features = [
      "gccarch-znver4"
      "gccarch-skylake"
      # "gccarch-alderlake" missing WAITPKG
      "gccarch-x86-64-v3"
      "gccarch-x86-64-v4"
      "benchmark"
      "big-parallel"
      "kvm"
      "nixos-test"
    ];
  };
  # Mount tmpfs at /tmp
  boot.tmp.useTmpfs = true;
  me.emacs_flavor = "plainmacs";
  me.graphical = false;
  me.hydra.enable = false;
  me.nix_worker.enable = true;
  me.vm_disk.enable = true;
  me.wireguard.activated = [ ];
  me.wireguard.deactivated = [ ];
  me.zsh.enable = true;
 }
--- a/nix/configuration/hosts/hydra/disk-config.nix
+++ b/nix/configuration/hosts/hydra/disk-config.nix
@@ -0,0 +1,140 @@
 # Manual Step:
 #   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
 #   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "umask=0077"
                  "noatime"
                  "discard"
                ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # mode = "mirror";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        options = {
          ashift = "12";
          compatibility = "openzfs-2.2-freebsd";
          autotrim = "on";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "off";
          relatime = "off";
          xattr = "sa";
          mountpoint = "none";
          compression = "lz4";
          canmount = "off";
          utf8only = "on";
          dnodesize = "auto";
          normalization = "formD";
        };
        datasets = {
          "linux/nix" = {
            type = "zfs_fs";
            options.mountpoint = "none";
          };
          "linux/nix/root" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
          };
          "linux/nix/nix" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/nix";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
            options = {
              recordsize = "1MiB";
              compression = "lz4";
            };
          };
          "linux/nix/home" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/home";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
          };
          "linux/nix/persist" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/persist";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
          };
          "linux/nix/state" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/state";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
          };
        };
      };
    };
  };
  # Make sure all persistent volumes are marked as neededForBoot
  #
  # Also mounts /home so it is mounted before the user home directories are created.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
 }
--- a/nix/configuration/hosts/hydra/hardware-configuration.nix
+++ b/nix/configuration/hosts/hydra/hardware-configuration.nix
@@ -0,0 +1,39 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "nvme"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.dhcpcd.enable = lib.mkForce true;
  networking.useDHCP = lib.mkForce true;
  networking.interfaces.enp0s2.useDHCP = lib.mkForce true;
  # systemd.network.enable = true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/nix/configuration/hosts/hydra/vm_disk.nix
+++ b/nix/configuration/hosts/hydra/vm_disk.nix
@@ -0,0 +1,77 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    vm_disk.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to mount the local disk for persistent storage.";
    };
  };
  config = lib.mkIf config.me.vm_disk.enable (
    lib.mkMerge [
      {
        # Mount the local disk
        fileSystems = {
          "/.disk" = lib.mkForce {
            device = "/dev/nvme0n1p1";
            fsType = "ext4";
            options = [
              "noatime"
              "discard"
            ];
            neededForBoot = true;
          };
          "/persist" = {
            fsType = "none";
            device = "/.disk/persist";
            options = [
              "bind"
              "rw"
            ];
            depends = [
              "/.disk/persist"
            ];
          };
          "/state" = {
            fsType = "none";
            device = "/.disk/state";
            options = [
              "bind"
              "rw"
            ];
            depends = [
              "/.disk/state"
            ];
          };
          "/nix/store" = lib.mkForce {
            fsType = "overlay";
            device = "overlay";
            options = [
              "lowerdir=/nix/.ro-store"
              "upperdir=/.disk/persist/store"
              "workdir=/.disk/state/work"
            ];
            depends = [
              "/nix/.ro-store"
              "/.disk/persist/store"
              "/.disk/state/work"
            ];
          };
        };
      }
    ]
  );
 }
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
+++ b/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET="ionlybootzfs"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs'
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=ionlybootzfs
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs'
--- a/nix/configuration/hosts/ionlybootzfs/ISO
+++ b/nix/configuration/hosts/ionlybootzfs/ISO
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/ionlybootzfs/default.nix
+++ b/nix/configuration/hosts/ionlybootzfs/default.nix
@@ -0,0 +1,63 @@
 #
 # Testing:
 # doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
 #      -accel kvm \
 #      -cpu host \
 #      -smp cores=8 \
 #      -m 32768 \
 #      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
 #      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
 #      -device nvme,serial=deadbeef,drive=nvm \
 #      -nic user,hostfwd=tcp::60022-:22 \
 #      -boot order=d \
 #      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
 #      -display vnc=127.0.0.1:0
 #
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./wrapped-disk-config.nix
    ./hardware-configuration.nix
  ];
  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
  networking.hostId = "fbd233d8";
  networking.hostName = "ionlybootzfs"; # Define your hostname.
  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";
  me.secureBoot.enable = true;
  me.optimizations = {
    enable = false;
    arch = "znver4";
    system_features = [
      "gccarch-znver4"
      "gccarch-skylake"
      # "gccarch-alderlake" missing WAITPKG
      "gccarch-x86-64-v3"
      "gccarch-x86-64-v4"
      "benchmark"
      "big-parallel"
      "kvm"
      "nixos-test"
    ];
  };
  # Mount tmpfs at /tmp
  boot.tmp.useTmpfs = true;
  me.emacs_flavor = "plainmacs";
  me.graphical = false;
  me.wireguard.activated = [ ];
  me.wireguard.deactivated = [ ];
  me.zsh.enable = true;
 }
--- a/nix/configuration/hosts/ionlybootzfs/disk-config.nix
+++ b/nix/configuration/hosts/ionlybootzfs/disk-config.nix
@@ -0,0 +1,142 @@
 # Manual Step:
 #   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
 #   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "umask=0077"
                  "noatime"
                  "discard"
                ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # mode = "mirror";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        options = {
          ashift = "12";
          compatibility = "openzfs-2.2-freebsd";
          autotrim = "on";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "off";
          relatime = "off";
          xattr = "sa";
          mountpoint = "none";
          compression = "lz4";
          canmount = "off";
          utf8only = "on";
          dnodesize = "auto";
          normalization = "formD";
        };
        datasets = {
          "linux/nix" = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options = {
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              # keylocation = "file:///tmp/secret.key";
            };
          };
          "linux/nix/root" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
          };
          "linux/nix/nix" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/nix";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
            options = {
              recordsize = "16MiB";
              compression = "zstd-19";
            };
          };
          "linux/nix/home" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/home";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
          };
          "linux/nix/persist" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/persist";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
          };
          "linux/nix/state" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/state";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
          };
        };
      };
    };
  };
  # Make sure all persistent volumes are marked as neededForBoot
  #
  # Also mounts /home so it is mounted before the user home directories are created.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
 }
--- a/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
+++ b/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
@@ -0,0 +1,38 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "nvme"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.dhcpcd.enable = lib.mkForce true;
  networking.useDHCP = lib.mkForce true;
  # systemd.network.enable = true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/nix/configuration/hosts/ionlybootzfs/optimized_build.nix
+++ b/nix/configuration/hosts/ionlybootzfs/optimized_build.nix
@@ -0,0 +1,131 @@
 {
  config,
  lib,
  pkgs,
  pkgs-unoptimized,
  ...
 }:
 {
  imports = [ ];
  config = lib.mkMerge [
    { }
    (lib.mkIf (!config.me.optimizations.enable) {
      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_14;
    })
    (lib.mkIf (config.me.optimizations.enable) {
      nixpkgs.hostPlatform = {
        gcc.arch = "znver4";
        gcc.tune = "znver4";
        system = "x86_64-linux";
      };
      nixpkgs.overlays = [
        (
          final: prev:
          let
            addConfig =
              additionalConfig: pkg:
              pkg.override (oldconfig: {
                structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
              });
          in
          {
            linux_me = addConfig {
              # Full preemption
              PREEMPT = lib.mkOverride 60 lib.kernel.yes;
              PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
              # Google's BBRv3 TCP congestion Control
              TCP_CONG_BBR = lib.kernel.yes;
              DEFAULT_BBR = lib.kernel.yes;
              # Preemptive Full Tickless Kernel at 300Hz
              HZ = lib.kernel.freeform "300";
              HZ_300 = lib.kernel.yes;
              HZ_1000 = lib.kernel.no;
            } prev.linux_6_14;
            # gsl = prev.gsl.overrideAttrs (old: {
            #   # gsl tests fails when optimizations are enabled.
            #   # > FAIL: cholesky_invert unscaled hilbert (  4,  4)[0,2]: 2.55795384873636067e-13                        0
            #   # >  (2.55795384873636067e-13 observed vs 0 expected) [28259614]
            #   doCheck = false;
            # });
          }
        )
        (final: prev: {
          haskellPackages = prev.haskellPackages.extend (
            final': prev': {
              inherit (pkgs-unoptimized.haskellPackages)
                crypton
                crypton-connection
                crypton-x509
                crypton-x509-store
                crypton-x509-system
                crypton-x509-validation
                hspec-wai
                http-client-tls
                http2
                pandoc
                pandoc-cli
                pandoc-lua-engine
                pandoc-server
                servant-server
                tls
                wai-app-static
                wai-extra
                warp
                ;
            }
          );
        })
        (final: prev: {
          inherit (pkgs-unoptimized)
            gsl
            redis
            valkey
            ;
        })
      ];
      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
    })
    (lib.mkIf (!config.me.buildingIso) {
      nix.settings.system-features = lib.mkForce [
        "gccarch-znver4"
        "gccarch-skylake"
        # "gccarch-alderlake" missing WAITPKG
        "gccarch-x86-64-v3"
        "gccarch-x86-64-v4"
        "benchmark"
        "big-parallel"
        "kvm"
        "nixos-test"
      ];
      # Keep ALL dependencies so we can rebuild offline. This DRASTICALLY increase disk usage, but disk space is cheap.
      # system.includeBuildDependencies = true;
      # This also should enable building offline? TODO: test.
      nix.extraOptions = ''
        keep-outputs = true
        keep-derivations = true
      '';
      # # building ON
      # nixpkgs.localSystem = { system = "aarch64-linux"; };
      # # building FOR
      # nixpkgs.crossSystem = { system = "aarch64-linux"; };
      # nixpkgs.config = {
      #   replaceStdenv = ({ pkgs }: pkgs.clangStdenv);
      # };
      # or maybe an overlay
      # stdenv = prev.clangStdenv;
    })
    (lib.mkIf (config.me.buildingIso) {
      boot.supportedFilesystems.zfs = true;
    })
  ];
 }
--- a/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
@@ -0,0 +1,8 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)
--- a/nix/configuration/hosts/neelix/DEPLOY_BOOT
+++ b/nix/configuration/hosts/neelix/DEPLOY_BOOT
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=neelix
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/neelix/DEPLOY_SWITCH
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=neelix
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/default.nix
+++ b/nix/configuration/hosts/neelix/default.nix
@@ -0,0 +1,51 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    ./power_management.nix
  ];
  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
  networking.hostId = "bca9d0a5";
  networking.hostName = "neelix"; # Define your hostname.
  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";
  me.secureBoot.enable = false;
  me.optimizations = {
    enable = false;
    arch = "alderlake";
    system_features = [
      "gccarch-alderlake"
      "gccarch-x86-64-v3"
      "gccarch-x86-64-v4"
      "benchmark"
      "big-parallel"
      "kvm"
      "nixos-test"
    ];
  };
  # Early KMS
  boot.initrd.kernelModules = [ "i915" ];
  # Mount tmpfs at /tmp
  # boot.tmp.useTmpfs = true;
  me.bluetooth.enable = true;
  me.emacs_flavor = "plainmacs";
  me.graphical = true;
  me.graphics_card_type = "intel";
  me.kodi.enable = true;
  me.lvfs.enable = true;
  me.sound.enable = true;
  me.wireguard.activated = [ "wgh" ];
  me.wireguard.deactivated = [ "wgf" ];
  me.zrepl.enable = true;
  me.zsh.enable = true;
 }
--- a/nix/configuration/hosts/neelix/disk-config.nix
+++ b/nix/configuration/hosts/neelix/disk-config.nix
@@ -0,0 +1,140 @@
 # Manual Step:
 #   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
 #   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "umask=0077"
                  "noatime"
                  "discard"
                ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # mode = "mirror";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        options = {
          ashift = "12";
          compatibility = "openzfs-2.2-freebsd";
          autotrim = "on";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "off";
          relatime = "off";
          xattr = "sa";
          mountpoint = "none";
          compression = "lz4";
          canmount = "off";
          utf8only = "on";
          dnodesize = "auto";
          normalization = "formD";
        };
        datasets = {
          "linux/nix" = {
            type = "zfs_fs";
            options.mountpoint = "none";
          };
          "linux/nix/root" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
          };
          "linux/nix/nix" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/nix";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
            options = {
              recordsize = "1MiB";
              compression = "lz4";
            };
          };
          "linux/nix/home" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/home";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
          };
          "linux/nix/persist" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/persist";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
          };
          "linux/nix/state" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/state";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
          };
        };
      };
    };
  };
  # Make sure all persistent volumes are marked as neededForBoot
  #
  # Also mounts /home so it is mounted before the user home directories are created.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
 }
--- a/nix/configuration/hosts/neelix/hardware-configuration.nix
+++ b/nix/configuration/hosts/neelix/hardware-configuration.nix
@@ -0,0 +1,39 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "nvme"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  # networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nix/configuration/hosts/neelix/power_management.nix
+++ b/nix/configuration/hosts/neelix/power_management.nix
@@ -0,0 +1,35 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  environment.systemPackages = with pkgs; [
    powertop
  ];
  # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
  # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
  boot.kernelParams = [
    "pcie_aspm=force"
    # "pcie_aspm.policy=powersupersave"
    "nowatchdog"
  ];
  # default performance balance_performance balance_power power
  # defaults to balance_performance
  # systemd.tmpfiles.rules = [
  #   "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
  #   "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
  #   "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
  #   "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
  # ];
  boot.extraModprobeConfig = ''
    options snd_hda_intel power_save=1
  '';
 }
--- a/nix/configuration/hosts/odo/DEPLOY_BOOT
+++ b/nix/configuration/hosts/odo/DEPLOY_BOOT
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 # TARGET=10.216.1.15
 # TARGET=192.168.211.250
 TARGET=odo
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#odo'
--- a/nix/configuration/hosts/odo/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/odo/DEPLOY_SWITCH
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=odo
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#odo'
--- a/nix/configuration/hosts/odo/ISO
+++ b/nix/configuration/hosts/odo/ISO
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.odo" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BOOT
+++ b/nix/configuration/hosts/odo/SELF_BOOT
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BUILD
+++ b/nix/configuration/hosts/odo/SELF_BUILD
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild build --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_SWITCH
+++ b/nix/configuration/hosts/odo/SELF_SWITCH
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/default.nix
+++ b/nix/configuration/hosts/odo/default.nix
@@ -1,11 +1,18 @@
-{ config, pkgs, ... }:
+{
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
-    ./disk-config.nix
+    ./wrapped-disk-config.nix
-    ./optimized_build.nix
+    ./distributed_build.nix
    ./power_management.nix
    ./screen_brightness.nix
    ./wifi.nix
    ./framework_module.nix
  ];
  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
@@ -18,6 +25,22 @@
  me.secureBoot.enable = true;
  me.optimizations = {
    enable = false;
    arch = "znver4";
    system_features = [
      "gccarch-znver4"
      "gccarch-skylake"
      # "gccarch-alderlake" missing WAITPKG
      "gccarch-x86-64-v3"
      "gccarch-x86-64-v4"
      "benchmark"
      "big-parallel"
      "kvm"
      "nixos-test"
    ];
  };
  # Early KMS
  boot.initrd.kernelModules = [ "amdgpu" ];
@@ -26,5 +49,72 @@
  environment.systemPackages = with pkgs; [
    fw-ectool
    framework-tool
  ];
  # Enable light sensor
  # hardware.sensor.iio.enable = lib.mkDefault true;
  # Enable TRIM
  # services.fstrim.enable = lib.mkDefault true;
  me.alacritty.enable = true;
  me.amd_s2idle.enable = true;
  me.ansible.enable = true;
  me.ares.enable = true;
  me.bluetooth.enable = true;
  me.chromecast.enable = true;
  me.chromium.enable = true;
  me.d2.enable = true;
  me.direnv.enable = true;
  me.docker.enable = true;
  me.ecc.enable = false;
  me.emacs_flavor = "full";
  me.firefox.enable = true;
  me.flux.enable = true;
  me.gcloud.enable = true;
  me.git.config = ../../roles/git/files/gitconfig_home;
  me.gnuplot.enable = true;
  me.gpg.enable = true;
  me.graphical = true;
  me.graphics_card_type = "amd";
  me.iso_mount.enable = true;
  me.kanshi.enable = false;
  me.kubernetes.enable = true;
  me.latex.enable = true;
  me.launch_keyboard.enable = true;
  me.lvfs.enable = true;
  me.media.enable = true;
  me.nix_index.enable = true;
  me.pcsx2.enable = true;
  me.python.enable = true;
  me.qemu.enable = true;
  me.rpcs3.enable = true;
  me.rust.enable = true;
  me.shadps4.enable = true;
  me.shikane.enable = true;
  me.sops.enable = true;
  me.sound.enable = true;
  me.steam.enable = true;
  me.steam_run_free.enable = true;
  me.sway.enable = true;
  me.tekton.enable = true;
  me.terraform.enable = true;
  me.thunderbolt.enable = true;
  me.vnc_client.enable = true;
  me.vscode.enable = true;
  me.wasm.enable = true;
  me.waybar.enable = true;
  me.wireguard.activated = [
    "drmario"
    "wgh"
    "colo"
  ];
  me.wireguard.deactivated = [ "wgf" ];
  me.zrepl.enable = true;
  me.zsh.enable = true;
  me.sm64ex.enable = true;
  me.shipwright.enable = true;
  me.ship2harkinian.enable = true;
 }
--- a/nix/configuration/hosts/odo/disk-config.nix
+++ b/nix/configuration/hosts/odo/disk-config.nix
@@ -1,11 +1,8 @@
-{
+# Manual Step:
-  config,
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
-  lib,
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
  pkgs,
  ...
 }:
-lib.mkIf (!config.me.buildingIso) {
+{
  disko.devices = {
    disk = {
      main = {
@@ -119,6 +116,27 @@ lib.mkIf (!config.me.buildingIso) {
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
 }
--- a/nix/configuration/hosts/odo/distributed_build.nix
+++ b/nix/configuration/hosts/odo/distributed_build.nix
@@ -0,0 +1,27 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = lib.mkMerge [
    {
      me.distributed_build.enable = true;
      me.distributed_build.machines.hydra = {
        enable = true;
        additional_config = {
          speedFactor = 2;
        };
      };
      me.distributed_build.machines.quark = {
        enable = true;
        additional_config = {
          speedFactor = 2;
        };
      };
    }
  ];
 }
--- a/nix/configuration/hosts/odo/framework_module.nix
+++ b/nix/configuration/hosts/odo/framework_module.nix
@@ -0,0 +1,23 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = lib.mkMerge [
    {
      boot.extraModulePackages = with config.boot.kernelPackages; [
        framework-laptop-kmod
      ];
      # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage
      boot.kernelModules = [
        "cros_ec"
        "cros_ec_lpcs"
      ];
    }
  ];
 }
--- a/nix/configuration/hosts/odo/hardware-configuration.nix
+++ b/nix/configuration/hosts/odo/hardware-configuration.nix
@@ -20,14 +20,14 @@
    "thunderbolt"
  ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
+  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
+  # networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
--- a/nix/configuration/hosts/odo/optimized_build.nix
+++ b/nix/configuration/hosts/odo/optimized_build.nix
@@ -1,51 +0,0 @@
 {
  config,
  lib,
  pkgs,
  pkgs-unstable,
  ...
 }:
 {
  imports = [ ];
  nix.settings.system-features = lib.mkForce [
    "gccarch-znver4"
    "gccarch-skylake"
    # "gccarch-alderlake" missing pkgwait
    "gccarch-x86-64-v3"
    "benchmark"
    "big-parallel"
    "kvm"
    "nixos-test"
  ];
  # nixpkgs.hostPlatform = {
  #   gcc.arch = "znver4";
  #   gcc.tune = "znver4";
  #   system = "x86_64-linux";
  # };
  nixpkgs.overlays = [
    (
      self: super:
      let
        optimizeWithFlags =
          pkg: flags:
          pkg.overrideAttrs (old: {
            NIX_CFLAGS_COMPILE = [ (old.NIX_CFLAGS_COMPILE or "") ] ++ flags;
          });
      in
      {
        linux_znver4 = optimizeWithFlags super.linux_zen [
          "-march=znver4"
          "-mtune=znver4"
        ];
      }
    )
    (final: prev: {
      linux-firmware = pkgs-unstable.linux-firmware;
    })
  ];
  boot.kernelPackages = lib.mkIf (!config.me.buildingIso) (pkgs.linuxPackagesFor pkgs.linux_znver4);
 }
--- a/nix/configuration/hosts/odo/power_management.nix
+++ b/nix/configuration/hosts/odo/power_management.nix
@@ -20,9 +20,9 @@
  # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
  # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
  boot.kernelParams = [
-    "amdgpu.abmlevel=3"
+    "amdgpu.abmlevel=2"
    "pcie_aspm=force"
-    "pcie_aspm.policy=powersupersave"
+    # "pcie_aspm.policy=powersupersave"
    "nowatchdog"
    # I don't see a measurable benefit from these two:
    # "cpufreq.default_governor=powersave"
@@ -47,5 +47,29 @@
    "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
    "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
    "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
    "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
    "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
  ];
  boot.extraModprobeConfig = ''
    # Disable the hardware watchdog inside AMD 700 chipset series for power savings.
    blacklist sp5100_tco
    # Sound power-saving was causing chat notifications to be inaudible.
    # options snd_hda_intel power_save=1
  '';
 }
--- a/nix/configuration/hosts/odo/screen_brightness.nix
+++ b/nix/configuration/hosts/odo/screen_brightness.nix
@@ -9,6 +9,6 @@
  imports = [ ];
  systemd.tmpfiles.rules = [
-    "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 85"
+    "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 21845"
  ];
 }
--- a/nix/configuration/hosts/odo/wifi.nix
+++ b/nix/configuration/hosts/odo/wifi.nix
@@ -0,0 +1,22 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = {
    # Doesn't seem necessary starting with 6.13
    # environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
    #   doas iw dev wlan0 set power_save off
    # '';
    # Enable debug logging for ath12k wifi card.
    boot.kernelParams = [
      "ath12k.debug_mask=0xffffffff"
    ];
  };
 }
--- a/nix/configuration/hosts/odo/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/odo/wrapped-disk-config.nix
@@ -0,0 +1,8 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)
--- a/nix/configuration/hosts/quark/DEPLOY_BOOT
+++ b/nix/configuration/hosts/quark/DEPLOY_BOOT
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.15
 # TARGET=192.168.211.250
 TARGET=quark
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#quark'
--- a/nix/configuration/hosts/quark/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/quark/DEPLOY_SWITCH
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 #TARGET=10.216.1.14
 # TARGET=192.168.211.250
 TARGET=quark
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#quark'
--- a/nix/configuration/hosts/quark/ISO
+++ b/nix/configuration/hosts/quark/ISO
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.quark" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BOOT
+++ b/nix/configuration/hosts/quark/SELF_BOOT
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild boot --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BUILD
+++ b/nix/configuration/hosts/quark/SELF_BUILD
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild build --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_SWITCH
+++ b/nix/configuration/hosts/quark/SELF_SWITCH
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nixos-rebuild switch --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/default.nix
+++ b/nix/configuration/hosts/quark/default.nix
@@ -0,0 +1,117 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./disk-config.nix
    ./distributed_build.nix
    ./hardware-configuration.nix
    ./power_management.nix
    ./wifi.nix
  ];
  config = {
    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
    networking.hostId = "47ee7d7c";
    networking.hostName = "quark"; # Define your hostname.
    time.timeZone = "America/New_York";
    i18n.defaultLocale = "en_US.UTF-8";
    me.secureBoot.enable = true;
    me.optimizations = {
      enable = true;
      arch = "znver5";
      system_features = [
        "gccarch-znver4"
        "gccarch-znver5"
        "gccarch-skylake"
        # "gccarch-alderlake" missing WAITPKG
        "gccarch-x86-64-v3"
        "gccarch-x86-64-v4"
        "benchmark"
        "big-parallel"
        "kvm"
        "nixos-test"
      ];
    };
    # Early KMS
    boot.initrd.kernelModules = [ "amdgpu" ];
    # Mount tmpfs at /tmp
    boot.tmp.useTmpfs = true;
    # Enable TRIM
    # services.fstrim.enable = lib.mkDefault true;
    # RPCS3 has difficulty with znver5
    me.rpcs3.config.Core."Use LLVM CPU" = "znver4";
    me.alacritty.enable = true;
    me.amd_s2idle.enable = true;
    me.ansible.enable = true;
    me.ares.enable = true;
    me.bluetooth.enable = true;
    me.chromecast.enable = true;
    me.chromium.enable = true;
    me.d2.enable = true;
    me.direnv.enable = true;
    me.docker.enable = true;
    me.ecc.enable = true;
    me.emacs_flavor = "full";
    me.firefox.enable = true;
    me.flux.enable = true;
    me.gcloud.enable = true;
    me.git.config = ../../roles/git/files/gitconfig_home;
    me.gnuplot.enable = true;
    me.gpg.enable = true;
    me.graphical = true;
    me.graphics_card_type = "amd";
    me.iso_mount.enable = true;
    me.kanshi.enable = false;
    me.kubernetes.enable = true;
    me.latex.enable = true;
    me.launch_keyboard.enable = true;
    me.lvfs.enable = true;
    me.media.enable = true;
    me.nix_index.enable = true;
    me.nix_worker.enable = true;
    me.pcsx2.enable = true;
    me.python.enable = true;
    me.qemu.enable = true;
    me.rpcs3.enable = true;
    me.rust.enable = true;
    me.shadps4.enable = true;
    me.shikane.enable = true;
    me.sops.enable = true;
    me.sound.enable = true;
    me.steam.enable = true;
    me.steam_run_free.enable = true;
    me.sway.enable = true;
    me.tekton.enable = true;
    me.terraform.enable = true;
    me.thunderbolt.enable = true;
    me.vnc_client.enable = true;
    me.vscode.enable = true;
    me.wasm.enable = true;
    me.waybar.enable = true;
    me.wireguard.activated = [
      "drmario"
      "wgh"
      "colo"
    ];
    me.wireguard.deactivated = [ "wgf" ];
    me.zrepl.enable = true;
    me.zsh.enable = true;
    me.sm64ex.enable = true;
    me.shipwright.enable = true;
    me.ship2harkinian.enable = true;
  };
 }
--- a/nix/configuration/hosts/quark/disk-config.nix
+++ b/nix/configuration/hosts/quark/disk-config.nix
@@ -0,0 +1,148 @@
 # Manual Step:
 #   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
 #   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkIf (!config.me.buildingIso) {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "umask=0077"
                  "noatime"
                  "discard"
                ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # mode = "mirror";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        options = {
          ashift = "12";
          compatibility = "openzfs-2.2-freebsd";
          autotrim = "on";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "off";
          relatime = "off";
          xattr = "sa";
          mountpoint = "none";
          compression = "lz4";
          canmount = "off";
          utf8only = "on";
          dnodesize = "auto";
          normalization = "formD";
        };
        datasets = {
          "linux/nix" = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options = {
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              # keylocation = "file:///tmp/secret.key";
            };
          };
          "linux/nix/root" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
          };
          "linux/nix/nix" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/nix";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
            options = {
              recordsize = "16MiB";
              compression = "zstd-19";
            };
          };
          "linux/nix/home" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/home";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
          };
          "linux/nix/persist" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/persist";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
          };
          "linux/nix/state" = {
            type = "zfs_fs";
            options.mountpoint = "legacy";
            mountpoint = "/state";
            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
          };
        };
      };
    };
  };
  # Make sure all persistent volumes are marked as neededForBoot
  #
  # Also mounts /home so it is mounted before the user home directories are created.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/state".neededForBoot = true;
  fileSystems."/home".neededForBoot = true;
  fileSystems."/".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/nix".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/persist".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/state".options = [
    "noatime"
    "norelatime"
  ];
  fileSystems."/home".options = [
    "noatime"
    "norelatime"
  ];
  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
 }
--- a/nix/configuration/hosts/quark/distributed_build.nix
+++ b/nix/configuration/hosts/quark/distributed_build.nix
@@ -0,0 +1,21 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = lib.mkMerge [
    {
      me.distributed_build.enable = true;
      me.distributed_build.machines.hydra = {
        enable = true;
        additional_config = {
          speedFactor = 2;
        };
      };
    }
  ];
 }
--- a/nix/configuration/hosts/quark/hardware-configuration.nix
+++ b/nix/configuration/hosts/quark/hardware-configuration.nix
@@ -0,0 +1,35 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "thunderbolt"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  # networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nix/configuration/hosts/quark/power_management.nix
+++ b/nix/configuration/hosts/quark/power_management.nix
@@ -0,0 +1,48 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  environment.systemPackages = with pkgs; [
    powertop
  ];
  boot.kernelParams = [
    # Enable undervolting GPU.
    # "amdgpu.ppfeaturemask=0xfff7ffff"
  ];
  systemd.tmpfiles.rules = [
    # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
    # "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
  ];
  # services.udev.packages = [
  #   (pkgs.writeTextFile {
  #     name = "amdgpu-low-power";
  #     text = ''
  #       ACTION=="add", SUBSYSTEM=="drm", DRIVERS=="amdgpu", ATTR{device/power_dpm_force_performance_level}="low"
  #     '';
  #     destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules";
  #   })
  # ];
 }
--- a/nix/configuration/hosts/quark/wifi.nix
+++ b/nix/configuration/hosts/quark/wifi.nix
@@ -0,0 +1,16 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = {
    environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
      doas iw dev wlan0 set power_save off
    '';
  };
 }
--- a/nix/configuration/roles/2ship2harkinian/default.nix
+++ b/nix/configuration/roles/2ship2harkinian/default.nix
@@ -0,0 +1,48 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    ship2harkinian.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install 2ship2harkinian.";
    };
  };
  config = lib.mkIf config.me.ship2harkinian.enable (
    lib.mkMerge [
      {
        allowedUnfree = [ "2ship2harkinian" ];
      }
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          _2ship2harkinian
        ];
        # TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                directory = ".local/share/2ship";
                user = "talexander";
                group = "talexander";
                mode = "0755";
              }
            ];
          };
        };
      })
    ]
  );
 }
--- a/nix/configuration/roles/alacritty/default.nix
+++ b/nix/configuration/roles/alacritty/default.nix
@@ -7,18 +7,30 @@
 {
  imports = [ ];
  options.me = {
    alacritty.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install alacritty.";
    };
  };
  config = lib.mkIf config.me.alacritty.enable (
    lib.mkMerge [
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          alacritty
          xdg-utils # for xdg-open
        ];
-  home-manager.users.talexander =
+        me.install.user.talexander.file = {
-    { pkgs, ... }:
+          ".config/alacritty/alacritty.toml" = {
    {
      home.file.".config/alacritty/alacritty.toml" = {
            source = ./files/alacritty.toml;
          };
        };
      })
    ]
  );
 }
--- a/nix/configuration/roles/amd_s2idle/default.nix
+++ b/nix/configuration/roles/amd_s2idle/default.nix
@@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    amd_s2idle.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install amd_s2idle.";
    };
  };
  config = lib.mkIf config.me.amd_s2idle.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          amd-debug-tools
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/ansible/default.nix
+++ b/nix/configuration/roles/ansible/default.nix
@@ -0,0 +1,86 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    ansible.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install ansible.";
    };
  };
  config = lib.mkIf config.me.ansible.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          ansible
        ];
        nixpkgs.overlays = [
          (final: prev: {
            ansible = pkgs.symlinkJoin {
              name = "ansible";
              paths = [
                (prev.ansible.overridePythonAttrs {
                  propagatedBuildInputs = prev.ansible.propagatedBuildInputs ++ [ prev.python3Packages.jmespath ];
                })
                pkgs.ansible-sshjail
              ];
              buildInputs = [ pkgs.makeWrapper ];
              postBuild = ''
                ${lib.concatMapStringsSep "\n"
                  (
                    prog:
                    (
                      "wrapProgram $out/bin/${prog} ${
                        lib.concatMapStringsSep " "
                          (
                            plugin_type:
                            "--set ANSIBLE_${lib.toUpper plugin_type}_PLUGINS $out/share/ansible/plugins/${lib.toLower plugin_type}_plugins"
                          )
                          [
                            "action"
                            "cache"
                            "callback"
                            "connection"
                            "filter"
                            "inventory"
                            "lookup"
                            "shell"
                            "strategy"
                            "test"
                            "vars"
                          ]
                      } --prefix PATH : ${lib.makeBinPath [ ]}"
                    )
                  )
                  [
                    "ansible"
                    "ansible-config"
                    "ansible-console"
                    "ansible-doc"
                    "ansible-galaxy"
                    "ansible-inventory"
                    "ansible-playbook"
                    "ansible-pull"
                    "ansible-test"
                    "ansible-vault"
                  ]
                }
              '';
            };
          })
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/ares/default.nix
+++ b/nix/configuration/roles/ares/default.nix
@@ -0,0 +1,44 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    ares.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install ares.";
    };
  };
  config = lib.mkIf config.me.ares.enable (
    lib.mkMerge [
      { }
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          ares
        ];
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                directory = ".local/share/ares";
                user = "talexander";
                group = "talexander";
                mode = "0755";
              }
            ];
          };
        };
      })
    ]
  );
 }
--- a/nix/configuration/roles/blank/default.nix
+++ b/nix/configuration/roles/blank/default.nix
@@ -8,4 +8,23 @@
 {
  imports = [ ];
  options.me = {
    blank.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install blank.";
    };
  };
  config = lib.mkIf config.me.blank.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
        ];
      }
      (lib.mkIf config.me.graphical {
      })
    ]
  );
 }
--- a/nix/configuration/roles/bluetooth/default.nix
+++ b/nix/configuration/roles/bluetooth/default.nix
@@ -0,0 +1,46 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    bluetooth.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install bluetooth.";
    };
  };
  config = lib.mkIf config.me.bluetooth.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
        ];
        hardware.bluetooth = {
          enable = true;
          powerOnBoot = true;
          settings = {
            General = {
              # Enable support for showing battery charge level.
              Experimental = true;
            };
          };
        };
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          directories = [
            "/var/lib/bluetooth" # Bluetooth pairing information.
          ];
        };
      }
    ]
  );
 }
--- a/nix/configuration/roles/boot/default.nix
+++ b/nix/configuration/roles/boot/default.nix
@@ -22,6 +22,14 @@
  };
  config = lib.mkMerge [
    {
      environment.systemPackages = with pkgs; [
        tpm2-tools # For tpm2_eventlog to check for OptionRoms
        # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
        # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
        sbctl # For debugging and troubleshooting Secure Boot.
      ];
    }
    (lib.mkIf (!config.me.buildingIso) {
      boot.loader.grub.enable = false;
@@ -33,6 +41,8 @@
      # Automatically delete old generations
      boot.loader.systemd-boot.configurationLimit = 3;
      boot.loader.systemd-boot.memtest86.enable = true;
      # Check what will be lost with `zfs diff zroot/linux/root@blank`
      boot.initrd.systemd.enable = lib.mkDefault true;
      boot.initrd.systemd.services.zfs-rollback = {
@@ -65,22 +75,21 @@
      #     options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa
      #   '';
      # };
      environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
        hideMounts = true;
        directories = [
          "/var/lib/sbctl" # Secure Boot Keys
        ];
      };
    })
    (lib.mkIf (config.me.secureBoot.enable) {
      # For debugging and troubleshooting Secure Boot.
      environment.systemPackages = with pkgs; [
        sbctl
      ];
      boot.loader.systemd-boot.enable = lib.mkForce false;
      boot.lanzaboote = {
        enable = true;
-        pkiBundle = "/etc/secureboot";
+        pkiBundle = "/var/lib/sbctl";
      };
      environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
        hideMounts = true;
        directories = [
          "/etc/secureboot" # Secure Boot Keys
        ];
      };
    })
  ];
--- a/nix/configuration/roles/chromecast/default.nix
+++ b/nix/configuration/roles/chromecast/default.nix
@@ -0,0 +1,31 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    chromecast.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install chromecast.";
    };
  };
  config = lib.mkIf config.me.chromecast.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          catt
        ];
      }
      (lib.mkIf config.me.graphical {
      })
    ]
  );
 }
--- a/nix/configuration/roles/chromium/default.nix
+++ b/nix/configuration/roles/chromium/default.nix
@@ -8,15 +8,23 @@
 {
  imports = [ ];
-  # TODO: Read https://bbs.archlinux.org/viewtopic.php?pid=2209507#p2209507 and apply desired settings.
+  options.me = {
    chromium.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install chromium.";
    };
  };
  config = lib.mkIf config.me.chromium.enable (
    lib.mkMerge [
      { }
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
-    (chromium.override { enableWideVine = true; })
+          chromium
        ];
-
+        allowedUnfree = [
  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
          "chromium"
          "chromium-unwrapped"
          "widevine-cdm"
@@ -49,6 +57,19 @@
          };
        };
        nixpkgs.overlays = [
          (final: prev: {
            chromium = prev.chromium.override {
              enableWideVine = true;
              commandLineArgs = [
                "--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder"
                # Enabling vulkan causes video to render as white
-  # nixpkgs.config.chromium.commandLineArgs = "--enable-features=Vulkan";
+                # "--enable-features=Vulkan";
              ];
            };
          })
        ];
      })
    ]
  );
 }
--- a/nix/configuration/roles/d2/default.nix
+++ b/nix/configuration/roles/d2/default.nix
@@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    d2.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install d2.";
    };
  };
  config = lib.mkIf config.me.d2.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          d2
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/direnv/default.nix
+++ b/nix/configuration/roles/direnv/default.nix
@@ -0,0 +1,55 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  direnv_zsh_hook = pkgs.writeTextFile {
    name = "direnv_zsh_hook.zsh";
    text = ''
      eval "$(direnv hook zsh)"
    '';
  };
 in
 {
  imports = [ ];
  options.me = {
    direnv.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install direnv.";
    };
  };
  config = lib.mkIf config.me.direnv.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          direnv
          nix-direnv
        ];
        me.zsh.includes = [ direnv_zsh_hook ];
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                # List of allowed directories from `direnv allow`.
                directory = ".local/share/direnv";
                user = "talexander";
                group = "talexander";
                mode = "0755";
              }
            ];
          };
        };
      }
    ]
  );
 }
--- a/nix/configuration/roles/distributed_build/default.nix
+++ b/nix/configuration/roles/distributed_build/default.nix
@@ -0,0 +1,105 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  make_machine_config = name: {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to use the ${name} machine during distributed builds.";
    };
    additional_config = lib.mkOption {
      type = lib.types.attrs;
      default = { };
      example = lib.literalExpression {
        speedFactor = 2;
      };
      description = "Additional config values for the buildMachines entry. For example, speedFactor.";
    };
  };
 in
 {
  imports = [ ];
  options.me = {
    distributed_build.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to use multiple machines to perform a nixos-rebuild.";
    };
    distributed_build.machines.hydra = make_machine_config "hydra";
    distributed_build.machines.quark = make_machine_config "quark";
  };
  config = lib.mkIf config.me.distributed_build.enable (
    lib.mkMerge [
      {
        nix.distributedBuilds = true;
      }
      (lib.mkIf config.me.distributed_build.machines.hydra.enable {
        nix.buildMachines = [
          (
            {
              hostName = "hydra";
              sshUser = "nixworker";
              # sshKey = "";
              # publicHostKey = "";
              systems = [
                "x86_64-linux"
                # "aarch64-linux"
              ];
              maxJobs = 1;
              supportedFeatures = [
                # "nixos-test"
                "benchmark"
                "big-parallel"
                # "kvm"
                "gccarch-x86-64-v3"
                "gccarch-x86-64-v4"
                "gccarch-znver4"
              ];
            }
            // config.me.distributed_build.machines.hydra.additional_config
          )
        ];
      })
      (lib.mkIf config.me.distributed_build.machines.quark.enable {
        nix.buildMachines = [
          (
            {
              hostName = "quark";
              sshUser = "nixworker";
              sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
              # From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
              publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUx0alplYlVYTkRkU3Y1enVGbjM3eFNMZUN3S2hPKzFMdWovM2FYNFJRTEEgcm9vdEBxdWFyawo=";
              systems = [
                "x86_64-linux"
                # "aarch64-linux"
              ];
              maxJobs = 1;
              supportedFeatures = [
                # "nixos-test"
                "benchmark"
                "big-parallel"
                # "kvm"
                "gccarch-x86-64-v3"
                "gccarch-x86-64-v4"
                "gccarch-znver4"
                "gccarch-znver5"
              ];
            }
            // config.me.distributed_build.machines.quark.additional_config
          )
        ];
      })
    ]
  );
 }
--- a/nix/configuration/roles/docker/default.nix
+++ b/nix/configuration/roles/docker/default.nix
@@ -8,11 +8,31 @@
 {
  imports = [ ];
-  virtualisation.docker.enable = true;
+  options.me = {
-  virtualisation.docker.rootless = {
+    docker.enable = lib.mkOption {
-    enable = true;
+      type = lib.types.bool;
-    setSocketVariable = true;
+      default = false;
      example = true;
      description = "Whether we want to install docker.";
    };
  };
  config = lib.mkIf config.me.docker.enable (
    lib.mkMerge [
      {
        virtualisation.docker.enable = true;
        # Use docker activation
        virtualisation.docker.enableOnBoot = false;
        # Rootless docker breaks access to ssh for buildkit.
        # virtualisation.docker.rootless = {
        #   enable = true;
        #   setSocketVariable = true;
        # };
        # Give docker access to ssh for fetching repos with buildkit.
        virtualisation.docker.extraPackages = [ pkgs.openssh ];
        environment.systemPackages = with pkgs; [
          docker-buildx
        ];
        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
@@ -24,16 +44,47 @@
              mode = "0740";
            }
          ];
-    users.talexander = {
+          # users.talexander = {
-      directories = [
+          #   directories = [
-        {
+          #     {
-          directory = ".local/share/docker";
+          #       directory = ".local/share/docker";
-          user = "talexander";
+          #       user = "talexander";
-          group = "talexander";
+          #       group = "talexander";
-          mode = "0740";
+          #       mode = "0740";
-        }
+          #     }
-      ];
+          #   ];
-    };
+          # };
        };
        systemd.services.link-docker-creds = {
          # Contains credentials so it cannot be added to the nix store
          enable = true;
          description = "link-docker-creds";
          wantedBy = [ "multi-user.target" ];
          wants = [ "multi-user.target" ];
          after = [ "multi-user.target" ];
          # path = with pkgs; [
          #   zfs
          # ];
          unitConfig.DefaultDependencies = "no";
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = "yes";
          };
          script = ''
            if [ -e /persist/manual/docker/config.json ]; then
              install --directory --owner talexander --group talexander --mode 0700 /home/talexander/.docker
              ln -s /persist/manual/docker/config.json /home/talexander/.docker/config.json
            fi
          '';
          preStop = ''
            rm -f /home/talexander/.docker/config.json
          '';
        };
        # Needed for non-rootless docker
        users.users.talexander.extraGroups = [ "docker" ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/ecc/default.nix
+++ b/nix/configuration/roles/ecc/default.nix
@@ -0,0 +1,28 @@
 # Check memory errors with: ras-mc-ctl --error-count
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    ecc.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install ecc.";
    };
  };
  config = lib.mkIf config.me.ecc.enable (
    lib.mkMerge [
      {
        hardware.rasdaemon.enable = true;
      }
    ]
  );
 }
--- a/nix/configuration/roles/emacs/default.nix
+++ b/nix/configuration/roles/emacs/default.nix
@@ -6,7 +6,9 @@
 }:
 let
-  plainmacs = pkgs.writeShellScriptBin "plainmacs" ''
+  plainmacs =
    emacs_package:
    pkgs.writeShellScriptBin "plainmacs" ''
      INIT_SCRIPT=$(cat <<EOF
      (progn
        (setq make-backup-files nil auto-save-default nil create-lockfiles nil)
@@ -34,32 +36,37 @@ let
      EOF
      )
-    exec ${pkgs.emacs29-pgtk}/bin/emacs -q --eval "$INIT_SCRIPT" "''${@}"
+      exec ${emacs_package}/bin/emacs -q --eval "$INIT_SCRIPT" "''${@}"
    '';
-  e_shorthand = pkgs.writeShellScriptBin "e" ''
+  e_shorthand =
-    exec ${pkgs.emacs29-pgtk}/bin/emacs "''${@}"
+    emacs_package:
    pkgs.writeShellScriptBin "e" ''
      exec ${emacs_package}/bin/emacs "''${@}"
    '';
 in
 {
  imports = [ ];
-  environment.systemPackages = with pkgs; [
+  options.me.emacs_flavor = lib.mkOption {
-    plainmacs
+    type = lib.types.nullOr (
-    e_shorthand
+      lib.types.enum [
-    emacs29-pgtk
+        "full"
-    clang # To compile tree-sitter grammars
+        "plainmacs"
-    nixd # nix language server
+      ]
-    nixfmt-rfc-style # auto-formatting nix files through nixd
+    );
-  ];
+    default = null;
    example = "full";
    description = "What flavor of emacs to set up.";
  };
-  home-manager.users.talexander =
+  config = lib.mkIf (config.me.emacs_flavor != null) (
-    { pkgs, ... }:
+    lib.mkMerge [
      {
-      home.file.".config/emacs" = {
+        environment.systemPackages = with pkgs; [
-        source = ./files/emacs;
+          my_emacs
-        recursive = true;
+          (plainmacs my_emacs)
-      };
+          (e_shorthand my_emacs)
-    };
+        ];
        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
@@ -77,5 +84,88 @@ in
          };
        };
-  environment.variables.EDITOR = "${plainmacs}/bin/plainmacs";
+        environment.variables.EDITOR = "plainmacs";
      }
      (lib.mkIf (config.me.graphical) {
        nixpkgs.overlays = [
          (final: prev: {
            my_emacs = final.emacs-pgtk;
          })
        ];
      })
      (lib.mkIf (!config.me.graphical) {
        nixpkgs.overlays = [
          (final: prev: {
            my_emacs = final.emacs-nox;
          })
        ];
      })
      (lib.mkIf (config.me.emacs_flavor == "full") {
        nixpkgs.overlays = [
          (final: prev: {
            my_emacs = pkgs.buildEnv {
              name = prev.my_emacs.name;
              paths = with prev; [
                my_emacs
              ];
              extraOutputsToInstall = [
                "man"
                "doc"
                "info"
              ];
              nativeBuildInputs = [ final.makeWrapper ];
              postBuild = ''
                wrapProgram $out/bin/emacs --prefix PATH : ${
                  lib.makeBinPath [
                    (final.aspellWithDicts (
                      dicts: with dicts; [
                        en
                        en-computers
                        # en-science # TODO: Why is en-science non-free?
                      ]
                    ))
                    final.nixd # nix language server
                    final.nixfmt-rfc-style # auto-formatting nix files through nixd
                    final.clang # To compile tree-sitter grammars
                    final.shellcheck
                    final.cmake-language-server
                    final.cmake # Used by cmake-language-server
                    final.rust-analyzer
                    final.prettier # Format yaml, json, and JS
                    final.terraform-ls
                    final.typescript-language-server
                    final.tex
                  ]
                }
              '';
            };
          })
        ];
        me.install.user.talexander.file = {
          ".config/emacs" = {
            source = ./files/emacs;
            recursive = true;
          };
        };
      })
      (lib.mkIf (config.me.emacs_flavor == "plainmacs") {
        nixpkgs.overlays = [
          (final: prev: {
            my_emacs = pkgs.buildEnv {
              name = prev.my_emacs.name;
              paths = with prev; [
                my_emacs
              ];
              extraOutputsToInstall = [
                "man"
                "doc"
                "info"
              ];
            };
          })
        ];
      })
    ]
  );
 }
--- a/nix/configuration/roles/emacs/files/emacs/elisp/base-extensions.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/base-extensions.el
@@ -14,17 +14,6 @@
 ;; Other packages
 (use-package emacs
  :config
  (setq enable-recursive-minibuffers t)
  ;; Filter the M-x list base on the current mode
  (setq read-extended-command-predicate #'command-completion-default-include-p)
  ;; Enable triggering completion with the tab key.
  (setq tab-always-indent 'complete)
  )
 (use-package dashboard
  :config
  (dashboard-setup-startup-hook))
@@ -51,17 +40,27 @@
 ;; Persist history over Emacs restarts. Vertico sorts by history position.
 (use-package savehist
  ;; This is an emacs built-in but we're pulling the latest version
  :pin gnu
  :config
  (savehist-mode))
 (use-package which-key
  :pin gnu
  :diminish
  :config
  (which-key-mode))
 (use-package windmove
-  :config
+  ;; This is an emacs built-in but we're pulling the latest version
-  (windmove-default-keybindings))
+  :pin gnu
  :bind
  (
   ("S-<up>" . windmove-up)
   ("S-<right>" . windmove-right)
   ("S-<down>" . windmove-down)
   ("S-<left>" . windmove-left)
   )
  )
 (setq tramp-default-method "ssh")
--- a/nix/configuration/roles/emacs/files/emacs/elisp/base.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/base.el
@@ -24,11 +24,51 @@
 (setq autoload-directory (concat user-emacs-directory (file-name-as-directory "elisp") (file-name-as-directory "autoload")))
 (add-to-list 'load-path (assert-directory autoload-directory))
-(setq-default
+(use-package emacs
  :ensure nil
  :bind
  (("C-z" . nil)
   ("C-x C-z" . nil)
   ("RET" . newline-and-indent)
   )
  :custom
  ;; Replace highlighted text if you start typing.
  (delete-selection-mode 1)
  (history-length 300)
  ;; Enable auto-revert for buffers like dired
  (global-auto-revert-non-file-buffers t)
  ;; If the underlying file changes, reload it automatically. This is useful for moving around in git without confusing language servers.
  (auto-revert-avoid-polling t)
  (auto-revert-interval 5)
  (auto-revert-check-vc-info t)
  (global-auto-revert-mode t)
  ;; Disable backup files and lockfiles
- make-backup-files nil
+  (create-lockfiles nil)
- auto-save-default nil
+  (make-backup-files nil)
- create-lockfiles nil
+  (backup-inhibited t)
  ;; Do not auto-save files
  (auto-save-default nil)
  (pixel-scroll-precision-mode t)
  (pixel-scroll-precision-use-momentum nil)
  :config
  (setq enable-recursive-minibuffers t)
  ;; Filter the M-x list base on the current mode
  (setq read-extended-command-predicate #'command-completion-default-include-p)
  ;; Enable triggering completion with the tab key.
  (setq tab-always-indent 'complete)
  )
 (setq-default
 ;; Unless otherwise specified, always install packages if they are absent.
 use-package-always-ensure t
 ;; Point custom-file at /dev/null so emacs does not write any settings to my dotfiles.
@@ -63,6 +103,9 @@
 show-trailing-whitespace t
 ;; Remove the line when killing it with ctrl-k
 kill-whole-line t
 ;; Show the current project in the mode line
 project-mode-line t
 )
 ;; (setq-default fringes-outside-margins t)
@@ -77,12 +120,6 @@
 ;; Delete trailing whitespace before save
 (add-hook 'before-save-hook 'delete-trailing-whitespace)
 ;; If the underlying file changes, reload it automatically. This is useful for moving around in git without confusing language servers.
 (setopt auto-revert-avoid-polling t)
 (setopt auto-revert-interval 5)
 (setopt auto-revert-check-vc-info t)
 (global-auto-revert-mode)
 ;;;;; Performance
 ;; Run garbage collect when emacs is idle
 (run-with-idle-timer 5 t (lambda () (garbage-collect)))
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-cmake.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-cmake.el
@@ -0,0 +1,18 @@
 (require 'common-lsp)
 (use-package cmake-mode
  :commands cmake-mode
  :hook (
         (cmake-mode . (lambda ()
                         (eglot-ensure)
                         (defclass my/eglot-cmake (eglot-lsp-server) ()
                           :documentation
                           "Own eglot server class.")
                         (add-to-list 'eglot-server-programs
                                      '(cmake-mode . (my/eglot-cmake "cmake-language-server")))
                         ))
         )
  )
 (provide 'lang-cmake)
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-d2.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-d2.el
@@ -0,0 +1,16 @@
 (defun d2-format-buffer ()
  "Run prettier."
  (interactive)
  (run-command-on-buffer "d2" "fmt" "-")
  )
 (use-package d2-mode
  :commands (d2-mode)
  :hook (
         (d2-mode . (lambda ()
                      ;; (add-hook 'before-save-hook 'd2-format-buffer nil 'local)
                      ))
         )
  )
 (provide 'lang-d2)
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-javascript.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-javascript.el
@@ -1,6 +1,12 @@
 (require 'common-lsp)
 (require 'util-tree-sitter)
 (defun js-format-buffer ()
  "Run prettier."
  (interactive)
  (run-command-on-buffer "prettier" "--stdin-filepath" buffer-file-name)
  )
 (use-package json-ts-mode
  :ensure nil
  :pin manual
@@ -113,10 +119,14 @@
         ("\\.js\\'" . js-ts-mode)
         )
  :commands (js-ts-mode)
  :custom (
           (js-indent-level 2)
           )
  :hook (
         (js-ts-mode . (lambda ()
                                 (when-linux
                                   (eglot-ensure)
                                   (add-hook 'before-save-hook 'js-format-buffer nil 'local)
                                   )
                                 ))
         )
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-org.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-org.el
@@ -1,16 +1,23 @@
 (use-package org
  :ensure nil
  :commands org-mode
-  :bind (
+  :bind (:map org-mode-map
         ("C-c l" . org-store-link)
         ("C-c a" . org-agenda)
-         ("C--" . org-timestamp-down)
+         ("S-<up>" . org-shiftup)
-         ("C-=" . org-timestamp-up)
+         ("S-<right>" . org-shiftright)
         ("S-<down>" . org-shiftdown)
         ("S-<left>" . org-shiftleft)
         )
  :hook (
         (org-mode . (lambda ()
                       (org-indent-mode +1)
                       ))
         ;; Make windmove work in Org mode:
         (org-shiftup-final . windmove-up)
         (org-shiftleft-final . windmove-left)
         (org-shiftdown-final . windmove-down)
         (org-shiftright-final . windmove-right)
         )
  :config
  (require 'org-tempo)
@@ -38,6 +45,8 @@
  ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
  ;; (setq org-latex-compiler "lualatex")
  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
  ;; (setq org-preview-latex-default-process 'dvisvgm)
  (setq org-latex-pdf-process
        '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
          "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
@@ -78,4 +87,8 @@
 (use-package gnuplot)
 (use-package graphviz-dot-mode)
 (use-package htmlize
  ;; For syntax highlighting when exporting to HTML.
  )
 (provide 'lang-org)
--- a/nix/configuration/roles/emacs/files/emacs/elisp/lang-rust.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/lang-rust.el
@@ -46,7 +46,7 @@
                             (when rust-analyzer-command
                               ;; (add-to-list 'eglot-server-programs `(rust-ts-mode . (,rust-analyzer-command)))
                               (add-to-list 'eglot-server-programs `(rust-ts-mode . (,rust-analyzer-command :initializationOptions (:imports (:granularity (:enforce t :group "item")
-                                                                                                                                                           :merge (:glob nil)
+                                                                                                                                                           :merge (:glob :json-false)
                                                                                                                                                           :prefix "self")
                                                                                                                                             ))))
                               )
@@ -60,8 +60,8 @@
  (unless (treesit-ready-p 'rust) (treesit-install-language-grammar 'rust))
  :config
  ;; Add keybindings for interacting with Cargo
-  (use-package cargo
+  ;; (use-package cargo
-    :hook (rust-ts-mode . cargo-minor-mode))
+  ;;   :hook (rust-ts-mode . cargo-minor-mode))
  )
 (use-package toml-ts-mode
--- a/nix/configuration/roles/emacs/files/emacs/init.el
+++ b/nix/configuration/roles/emacs/files/emacs/init.el
@@ -38,4 +38,8 @@
 (require 'lang-nix)
 (require 'lang-cmake)
 (require 'lang-d2)
 (load-directory autoload-directory)
--- a/nix/configuration/roles/firefox/default.nix
+++ b/nix/configuration/roles/firefox/default.nix
@@ -8,6 +8,18 @@
 {
  imports = [ ];
  options.me = {
    firefox.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install firefox.";
    };
  };
  config = lib.mkIf config.me.firefox.enable (
    lib.mkMerge [
      (lib.mkIf config.me.graphical {
        programs.firefox = {
          enable = true;
          package = (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true; }) { });
@@ -61,6 +73,9 @@
              "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked";
            # Disable weather on new tab page
            "browser.newtabpage.activity-stream.showWeather" = false;
            # Disable AI stuff that wastes battery life
            "browser.ml.chat.enabled" = false;
            "browser.ml.enabled" = false;
          };
          # Check about:policies#documentation and https://mozilla.github.io/policy-templates/ for options.
          policies = {
@@ -76,8 +91,16 @@
                install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
                installation_mode = "force_installed";
              };
-        "firefox@teleparty.com" = {
+              # "firefox@teleparty.com" = {
-          install_url = "https://addons.mozilla.org/firefox/downloads/latest/netflix-party-is-now-teleparty/latest.xpi";
+              #   install_url = "https://addons.mozilla.org/firefox/downloads/latest/netflix-party-is-now-teleparty/latest.xpi";
              #   installation_mode = "normal_installed";
              # };
              "@ublacklist" = {
                install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublacklist/latest.xpi";
                installation_mode = "normal_installed";
              };
              "@react-devtools" = {
                install_url = "https://addons.mozilla.org/firefox/downloads/latest/react-devtools/latest.xpi";
                installation_mode = "normal_installed";
              };
            };
@@ -110,4 +133,7 @@
            ];
          };
        };
      })
    ]
  );
 }
--- a/nix/configuration/roles/flux/default.nix
+++ b/nix/configuration/roles/flux/default.nix
@@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    flux.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install flux.";
    };
  };
  config = lib.mkIf config.me.flux.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          fluxcd
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/fonts/default.nix
+++ b/nix/configuration/roles/fonts/default.nix
@@ -8,12 +8,15 @@
 {
  imports = [ ];
  config = lib.mkIf config.me.graphical {
    fonts = {
      enableDefaultPackages = false;
      packages = with pkgs; [
        cascadia-code
        source-sans-pro
        source-serif-pro
        noto-fonts-cjk-sans
        noto-fonts-cjk-serif
        noto-fonts-color-emoji
      ];
@@ -22,4 +25,5 @@
        useEmbeddedBitmaps = true;
      };
    };
  };
 }
--- a/nix/configuration/roles/fonts/files/fonts.conf
+++ b/nix/configuration/roles/fonts/files/fonts.conf
@@ -47,17 +47,17 @@
  </alias>
-  <!-- Screw it. Force Liberation Mono to be source code pro. -->
+  <!-- Screw it. Force Liberation Mono to be cascadia mono. -->
-  <match target="pattern">
+  <!-- <match target="pattern"> -->
-    <test qual="any" name="family"><string>Liberation Mono</string></test>
+  <!--   <test qual="any" name="family"><string>Liberation Mono</string></test> -->
-    <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit>
+  <!--   <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit> -->
-  </match>
+  <!-- </match> -->
  <!-- Dejavu Sans Mono keeps coming back when I query "monospace". Doesn't happen when I'm using Souce Code Pro but does happen with cascadia... force it to cascadia -->
-  <match target="pattern">
+  <!-- <match target="pattern"> -->
-    <test qual="any" name="family"><string>monospace</string></test>
+  <!--   <test qual="any" name="family"><string>monospace</string></test> -->
-    <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit>
+  <!--   <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit> -->
-  </match>
+  <!-- </match> -->
  <!-- Disable ligatures in monospace fonts. -->
  <match target="font">
--- a/nix/configuration/roles/gcloud/default.nix
+++ b/nix/configuration/roles/gcloud/default.nix
@@ -0,0 +1,43 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    gcloud.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install gcloud.";
    };
  };
  config = lib.mkIf config.me.gcloud.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          (google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ])
        ];
        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
            directories = [
              {
                directory = ".config/gcloud";
                user = "talexander";
                group = "talexander";
                mode = "0700";
              }
            ];
          };
        };
      }
    ]
  );
 }
--- a/nix/configuration/roles/git/default.nix
+++ b/nix/configuration/roles/git/default.nix
@@ -5,18 +5,75 @@
  ...
 }:
 let
  git_wrapped =
    package: prog:
    pkgs.writeShellScriptBin "${prog}" ''
      export PATH="${
        lib.makeBinPath [
          pkgs.meld
        ]
      }:$PATH"
      exec ${package}/bin/${prog} "''${@}"
    '';
 in
 {
  imports = [ ];
-  environment.systemPackages = with pkgs; [
+  options.me = {
-    git
+    git.config = lib.mkOption {
-  ];
+      type = lib.types.nullOr lib.types.path;
      default = null;
      example = ./files/gitconfig_home;
      description = "A git config file.";
    };
  };
-  home-manager.users.talexander =
+  config = lib.mkMerge [
    { pkgs, ... }:
    {
-      home.file.".gitconfig" = {
+      environment.systemPackages = with pkgs; [
-        source = ./files/gitconfig_home;
+        my_git
-      };
+      ];
-    };
+    }
    (lib.mkIf (config.me.git.config != null) {
      me.install.user.talexander.file = {
        ".gitconfig" = {
          source = config.me.git.config;
        };
      };
    })
    (lib.mkIf (config.me.graphical) {
      nixpkgs.overlays = [
        (final: prev: {
          my_git = (
            pkgs.buildEnv {
              name = prev.git.name;
              version = prev.git.version;
              paths =
                (builtins.map (git_wrapped prev.git) [
                  "git"
                ])
                ++ [
                  prev.git
                ];
              extraOutputsToInstall = [
                "man"
                "doc"
                "info"
              ];
              nativeBuildInputs = [ final.makeWrapper ];
              ignoreCollisions = true;
            }
          );
        })
      ];
    })
    (lib.mkIf (!config.me.graphical) {
      nixpkgs.overlays = [
        (final: prev: {
          my_git = prev.git;
        })
      ];
    })
  ];
 }
--- a/nix/configuration/roles/git/files/gitconfig_home
+++ b/nix/configuration/roles/git/files/gitconfig_home
@@ -3,33 +3,53 @@
 	name = Tom Alexander
 	signingkey = D3A179C9A53C0EDE
 [push]
-	default = simple
+	default = simple # (default since 2.0)
 [alias]
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
        authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
 	gpgsign = true
 	verbose = true
 [pull]
 	rebase = true
 [log]
 	date = local
 [init]
 	defaultBranch = main
 # Use meld for `git difftool` and `git mergetool`
 [diff]
-	tool = meld
+	tool = meld # Use meld for `git difftool` and `git mergetool`
 	algorithm = histogram
 	colorMoved = plain
 	mnemonicPrefix = true
 	renames = true
 [difftool]
 	prompt = false
 [difftool "meld"]
 	cmd = meld "$LOCAL" "$REMOTE"
 [merge]
 	tool = meld
 	conflictStyle = zdiff3
 [mergetool "meld"]
        # Make the middle pane start with partially-merged contents:
 	cmd = meld "$LOCAL" "$MERGED" "$REMOTE" --output "$MERGED"
        # Make the middle pane start without any merge progress:
 	# cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
 [column]
 	ui = auto
 [branch]
 	sort = -committerdate
 [tag]
 	sort = version:refname
 [fetch]
 	prune = true
 	pruneTags = true
 	all = true
 [rebase]
 	autoSquash = true
 	autoStash = true
        # updateRefs was annoying when you want to split a branch in two by rebasing away from commits from one branch and rebasing away some commits from another branch.
 	updateRefs = false
--- a/nix/configuration/roles/global_options/default.nix
+++ b/nix/configuration/roles/global_options/default.nix
@@ -0,0 +1,30 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  # options.me.graphics_card_type = lib.mkOption {
  #   type = lib.types.nullOr (
  #     lib.types.enum [
  #       "amd"
  #       "intel"
  #       "nvidia"
  #     ]
  #   );
  #   default = null;
  #   example = "amd";
  #   description = "What graphics card type is in the computer.";
  # };
  # options.me.graphical = lib.mkOption {
  #   type = lib.types.bool;
  #   default = false;
  #   example = true;
  #   description = "Whether we want to install graphical programs.";
  # };
 }
--- a/nix/configuration/roles/gnuplot/default.nix
+++ b/nix/configuration/roles/gnuplot/default.nix
@@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    gnuplot.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install gnuplot.";
    };
  };
  config = lib.mkIf config.me.gnuplot.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          gnuplot
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/gpg/default.nix
+++ b/nix/configuration/roles/gpg/default.nix
@@ -2,13 +2,32 @@
  config,
  lib,
  pkgs,
  pkgs-unstable,
  ...
 }:
 let
  gpg_test_wkd =
    (pkgs.writeScriptBin "gpg_test_wkd" (builtins.readFile ./files/gpg_test_wkd.bash)).overrideAttrs
      (old: {
        buildCommand = "${old.buildCommand}\n patchShebangs $out";
      });
 in
 {
  imports = [ ];
  options.me = {
    gpg.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install gpg.";
    };
  };
  config = lib.mkIf config.me.gpg.enable (
    lib.mkMerge [
      {
        # Fetch public keys:
        # gpg --locate-keys tom@fizz.buzz
        #
@@ -38,11 +57,8 @@
        #   disable-ccid = true;
        # };
-  # .gnupg/scdaemon.conf
+        me.install.user.talexander.file = {
-  home-manager.users.talexander =
+          ".gnupg/scdaemon.conf" = {
    { pkgs, ... }:
    {
      home.file.".gnupg/scdaemon.conf" = {
            source = ./files/scdaemon.conf;
          };
        };
@@ -71,66 +87,6 @@
          };
        };
  nixpkgs.overlays = [
    (final: prev: {
      # pcsclite = prev.pcsclite.overrideAttrs (old: {
      #   postPatch = ''
      #     substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
      #       --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #   '';
      # });
      # pcsclite = prev.pcsclite.overrideAttrs (old: {
      #   postPatch =
      #     old.postPatch
      #     + (lib.optionalString
      #       (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
      #       ''
      #         substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
      #           --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #       ''
      #     );
      # });
      # pcsclite = prev.pcsclite.overrideAttrs (old: {
      #   postPatch =
      #     old.postPatch
      #     + ''
      #       substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
      #         --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #     '';
      # });
      # gnupg = prev.gnupg.override {
      #   pcsclite = pkgs.pcsclite.overrideAttrs (old: {
      #     postPatch =
      #       old.postPatch
      #       + (lib.optionalString
      #         (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
      #         ''
      #           substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
      #             --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #         ''
      #       );
      #   });
      # };
    })
  ];
  # security.polkit.extraConfig = ''
  #   polkit.addRule(function(action, subject) {
  #     if (action.id == "org.debian.pcsc-lite.access_card") {
  #       return polkit.Result.YES;
  #     }
  #   });
  #   polkit.addRule(function(action, subject) {
  #     if (action.id == "org.debian.pcsc-lite.access_pcsc") {
  #       return polkit.Result.YES;
  #     }
  #   });
  # '';
        environment.systemPackages = with pkgs; [
          pcsclite
          pcsctools
@@ -139,27 +95,11 @@
          glibcLocales
          ccid
          libusb-compat-0_1
          gpg_test_wkd
        ];
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     gnupg = pkgs-unstable.gnupg;
  #     scdaemon = pkgs-unstable.scdaemon;
  #     libgcrypt = pkgs-unstable.libgcrypt;
  #   })
  # ];
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     gnupg = prev.gnupg.overrideAttrs (old: rec {
  #       version = "2.4.7";
  #       src = prev.fetchurl {
  #         url = "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-${version}.tar.bz2";
  #         hash = "sha256-eyRwbk2n4OOwbKBoIxAnQB8jgQLEHJCWMTSdzDuF60Y=";
  #       };
  #     });
  #   })
  # ];
        programs.gnupg.agent.enableExtraSocket = true;
      }
    ]
  );
 }
--- a/nix/configuration/roles/gpg/files/gpg_test_wkd.bash
+++ b/nix/configuration/roles/gpg/files/gpg_test_wkd.bash
@@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 #
 # Test that we can retrieve a PGP key using Web Key Directory (WKD)
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 gpg --no-default-keyring --keyring /tmp/gpg-$$ --auto-key-locate clear,wkd --locate-keys "${@}"
--- a/nix/configuration/roles/gpg/files/scdaemon.conf
+++ b/nix/configuration/roles/gpg/files/scdaemon.conf
@@ -1,7 +1,7 @@
-reader-port Yubico Yubi
+#reader-port Yubico Yubi
 disable-ccid
-log-file /home/talexander/scd.log
+#log-file /home/talexander/scd.log
-verbose
+#verbose
-debug cardio
+#debug cardio
-debug-level 5
+#debug-level 5
--- a/nix/configuration/roles/graphics/default.nix
+++ b/nix/configuration/roles/graphics/default.nix
@@ -8,5 +8,56 @@
 {
  imports = [ ];
  options.me.graphics_card_type = lib.mkOption {
    type = lib.types.nullOr (
      lib.types.enum [
        "amd"
        "intel"
        "nvidia"
      ]
    );
    default = null;
    example = "amd";
    description = "What graphics card type is in the computer.";
  };
  options.me.graphical = lib.mkOption {
    type = lib.types.bool;
    default = false;
    example = true;
    description = "Whether we want to install graphical programs.";
  };
  config = (
    lib.mkMerge [
      (lib.mkIf config.me.graphical {
        environment.systemPackages = with pkgs; [
          mesa-demos # for glxgears
          vulkan-tools # for vkcube
          xorg.xeyes # to test which windows are using x11
        ];
        hardware.graphics.enable = true;
        # hardware.graphics.enable32Bit = true;
        # Vulkan Support (64-bit is enabled by default, 32-bit is disabled by default)
        # hardware.opengl.driSupport = true; # This is already enabled by default
        # hardware.opengl.driSupport32Bit = true; # For 32 bit applications
      })
      (lib.mkIf (config.me.graphics_card_type == "amd") {
        environment.systemPackages = with pkgs; [
          nvtopPackages.amd
        ];
      })
      (lib.mkIf (config.me.graphics_card_type == "intel") {
        environment.systemPackages = with pkgs; [
          nvtopPackages.intel
        ];
      })
      (lib.mkIf (config.me.graphics_card_type == "nvidia") {
        environment.systemPackages = with pkgs; [
          nvtopPackages.nvidia
        ];
      })
    ]
  );
 }
--- a/nix/configuration/roles/hydra/default.nix
+++ b/nix/configuration/roles/hydra/default.nix
@@ -0,0 +1,49 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    hydra.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install hydra.";
    };
  };
  config = lib.mkIf config.me.hydra.enable (
    lib.mkMerge [
      {
        services.hydra = {
          enable = true;
          hydraURL = "http://localhost:3000"; # Externally visible URL
          notificationSender = "hydra@localhost"; # "From" address for hydra emails.
          # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
          buildMachinesFiles = [ ];
          useSubstitutes = true;
        };
        # nix.buildMachines = [
        #   {
        #     hostName = "localhost";
        #     protocol = null;
        #     system = "x86_64-linux";
        #     supportedFeatures = [
        #       "kvm"
        #       "nixos-test"
        #       "big-parallel"
        #       "benchmark"
        #     ];
        #     maxJobs = 8;
        #   }
        # ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/iso_mount/default.nix
+++ b/nix/configuration/roles/iso_mount/default.nix
@@ -0,0 +1,45 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  iso_mount =
    (pkgs.writeScriptBin "iso_mount" (builtins.readFile ./files/iso_mount.bash)).overrideAttrs
      (old: {
        buildCommand = "${old.buildCommand}\n patchShebangs $out";
      });
  iso_unmount =
    (pkgs.writeScriptBin "iso_unmount" (builtins.readFile ./files/iso_unmount.bash)).overrideAttrs
      (old: {
        buildCommand = "${old.buildCommand}\n patchShebangs $out";
      });
 in
 {
  imports = [ ];
  options.me = {
    iso_mount.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install iso_mount.";
    };
  };
  config = lib.mkIf config.me.iso_mount.enable (
    lib.mkMerge [
      {
        environment.systemPackages = [
          iso_mount
          iso_unmount
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/iso_mount/files/iso_mount.bash
+++ b/nix/configuration/roles/iso_mount/files/iso_mount.bash
@@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 #
 # Mount a full-disk image as a loopback device so you can mount individual partitions from inside of it.
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 exec udisksctl loop-setup -r -f "${@}"
--- a/Show More
+++ b/Show More