Enable the thunderbolt service.

The latest vscode is storing data in ~/.vscode-shared that contains the "Open Recent" entries and the settings on which folders are trusted.

nix/configuration/configuration.nix

@@ -1,14 +1,22 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 
+let
+  alias_nix_pin_revision = pkgs.writeShellScriptBin "nix-pin-revision" ''
+    # Usage: nix-pin-revision nixpkgs 'github:NixOS/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2'
+    exec nix flake lock --override-input "''${@}"
+  '';
+in
 {
   imports = [
     ./roles/2ship2harkinian
     ./roles/alacritty
     ./roles/amd_s2idle
+    ./roles/android
     ./roles/ansible
     ./roles/ares
     ./roles/base
@@ -27,6 +35,7 @@
     ./roles/ecc
     ./roles/emacs
     ./roles/emulate_isa
+    ./roles/esim
     ./roles/firefox
     ./roles/firewall
     ./roles/flux
@@ -38,12 +47,14 @@
     ./roles/gnuplot
     ./roles/gpg
     ./roles/graphics
+    ./roles/graphviz
     ./roles/hydra
     ./roles/image_based_appliance
     ./roles/iso
     ./roles/iso_mount
     ./roles/jujutsu
     ./roles/kanshi
+    ./roles/kernel
     ./roles/kodi
     ./roles/kubernetes
     ./roles/latex
@@ -91,6 +102,7 @@
     ./roles/vscode
     ./roles/wasm
     ./roles/waybar
+    ./roles/webcam
     ./roles/wine
     ./roles/wireguard
     ./roles/yubikey
@@ -110,6 +122,14 @@
       # "git-hashing"
     ];
     nix.settings.trusted-users = [ "@wheel" ];
+    nix.settings.connect-timeout = 5;
+    nix.settings.min-free = 128000000;
+    nix.settings.max-free = 1000000000;
+    nix.settings.fallback = true;
+    nix.settings.warn-dirty = false;
+    nix.settings.fsync-metadata = true;
+    # Ensure store paths are durably written to disk before registering the paths so a crash mid-build does not leave us in a corrupted state.
+    nix.settings.fsync-store-paths = true;
 
     hardware.enableRedistributableFirmware = true;
 
@@ -120,7 +140,8 @@
     # Automatic garbage collection
     nix.gc = lib.mkIf (!config.me.buildingPortable) {
       # Runs nix-collect-garbage --delete-older-than 5d
-      automatic = true;
+      # automatic = true;
+      automatic = false;
       persistent = true;
       dates = "monthly";
       # randomizedDelaySec = "14m";
@@ -128,6 +149,10 @@
     };
     nix.settings.auto-optimise-store = !config.me.buildingPortable;
 
+    environment.systemPackages = [
+      alias_nix_pin_revision
+    ];
+
     environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
       hideMounts = true;
       directories = [
@@ -158,6 +183,7 @@
     nixpkgs.overlays =
       let
         disableTests = (
+          # Example: (disableTests "coreutils")
           package_name:
           (final: prev: {
             "${package_name}" = prev."${package_name}".overrideAttrs (old: {
@@ -166,23 +192,82 @@
             });
           })
         );
+        disableTestsPython = (
+          # Example: (disableTestsPython "scipy")
+          package_name:
+          (final: prev: {
+            pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+              (python-final: python-prev: {
+                "${package_name}" = python-prev."${package_name}".overridePythonAttrs (oldAttrs: {
+                  doCheck = false;
+                });
+              })
+            ];
+          })
+        );
+        disableOptimizations = (
+          # Example: (disableOptimizations "coreutils")
+          package_name:
+          (final: prev: {
+            "${package_name}" = final.unoptimized."${package_name}";
+          })
+        );
+        disableOptimizationsScope = (
+          # Example: (disableOptimizationsScope "kdePackages" "qtbase")
+          scope: package_name:
+          (final: prev: {
+            "${scope}" = prev."${scope}".overrideScope (
+              scopeFinal: scopePrev: {
+                "${package_name}" = final.unoptimized."${scope}"."${package_name}";
+              }
+            );
+          })
+        );
+        disableOptimizationsPython3 = (
+          # Example: (disableOptimizationsPython3 "scipy")
+          package_name:
+          (final: prev: {
+            python3Packages = prev.python3Packages.override {
+              overrides = python-final: python-prev: {
+                "${package_name}" = final.unoptimized.python3.pkgs."${package_name}";
+              };
+            };
+          })
+        );
       in
       [
-        # (final: prev: {
-        #   imagemagick = prev.imagemagick.overrideAttrs (old: rec {
-        #     # 7.1.2-6 seems to no longer exist, so use 7.1.2-7
-        #     version = "7.1.2-7";
+        (disableTests "deno") # Tests use too much disk space
+        (disableOptimizations "libtpms")
+        (disableOptimizationsPython3 "scipy")
+        (disableOptimizations "assimp")
+        (disableOptimizations "gsl")
+        (final: prev: {
+          rpcs3 = prev.rpcs3.override {
+            glew = (final.glew.override { enableEGL = false; });
+          };
+        })
+        (final: prev: {
+          fwupd = prev.fwupd.overrideAttrs (
+            finalAttrs: prevAttrs: {
+              version = "2.1.5";
+              src = final.fetchFromGitHub {
+                owner = "fwupd";
+                repo = "fwupd";
+                tag = finalAttrs.version;
+                hash = "sha256-DzQ+N99ZmFRqZc2rN6PSqmoIMXUyrE8Kkn+KnT/AWPc=";
+              };
+            }
+          );
+        })
 
-        #     src = final.fetchFromGitHub {
-        #       owner = "ImageMagick";
-        #       repo = "ImageMagick";
-        #       tag = version;
-        #       hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
-        #     };
-        #   });
-        # })
+        # Works but probably sets python2's scipy to be python3:
+        #
         # (final: prev: {
-        #   grub2 = (final.callPackage ./package/grub { });
+        #   pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+        #     (python-final: python-prev: {
+        #       scipy = final.unoptimized.python3Packages.scipy;
+        #     })
+        #   ];
         # })
       ];
 

nix/configuration/flake.lock

@@ -22,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764110879,
-        "narHash": "sha256-xanUzIb0tf3kJ+PoOFmXEXV1jM3PjkDT/TQ5DYeNYRc=",
+        "lastModified": 1780894562,
+        "narHash": "sha256-c3430xwxwhHipl3jigUGMMBfpaMylDqytW/kdmB3ZGs=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "aecba248f9a7d68c5d1ed15de2d1c8a4c994a3c5",
+        "rev": "24fed06cac83bcc44ac8efbb57cab1a82fa0bedc",
         "type": "github"
       },
       "original": {
@@ -94,13 +94,40 @@
         "type": "github"
       }
     },
-    "impermanence": {
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "impermanence",
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1737831083,
-        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "lastModified": 1768598210,
+        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769548169,
+        "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
         "type": "github"
       },
       "original": {
@@ -137,11 +164,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763966396,
-        "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
+        "lastModified": 1780749050,
+        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
+        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
         "type": "github"
       },
       "original": {
@@ -151,6 +178,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-google": {
+      "locked": {
+        "lastModified": 1779893571,
+        "narHash": "sha256-wiwMyVCtmjRjlFCe2zaumCE6LRV9GzzN0ZH25NQkbAU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1730741070,
@@ -199,7 +242,8 @@
         "disko": "disko",
         "impermanence": "impermanence",
         "lanzaboote": "lanzaboote",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-google": "nixpkgs-google"
       }
     },
     "rust-overlay": {

nix/configuration/flake.nix

@@ -15,8 +15,12 @@
   description = "My system configuration";
 
   inputs = {
-    impermanence.url = "github:nix-community/impermanence";
+    impermanence = {
+      url = "github:nix-community/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-google.url = "github:NixOS/nixpkgs/45f6cfaa4605b706c870e75bd74bdb5e97eee11e";
     lanzaboote = {
       url = "github:nix-community/lanzaboote/v0.4.2";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -31,6 +35,7 @@
     {
       self,
       nixpkgs,
+      nixpkgs-google,
       disko,
       impermanence,
       lanzaboote,
@@ -57,6 +62,9 @@
         hydra = {
           system = "x86_64-linux";
         };
+        family_disks = {
+          system = "x86_64-linux";
+        };
       };
       nixosConfigs = builtins.mapAttrs (
         hostname: nodeConfig: format:
@@ -86,6 +94,9 @@
                       hostPlatform.gcc.arch = "default";
                       hostPlatform.gcc.tune = "default";
                     };
+                    google = import nixpkgs-google {
+                      system = prev.stdenv.hostPlatform.system;
+                    };
                   })
                 ];
               };

nix/configuration/formats/installer.nix

@@ -37,7 +37,8 @@ in
     (modulesPath + "/profiles/all-hardware.nix")
   ];
 
-  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_17;
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_18;
+  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
   boot.zfs.package = pkgs.zfs_unstable;
   boot.kernelParams = [
     "quiet"

nix/configuration/hosts/family_disks/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=family_disks
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=family_disks
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#family_disks.iso" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/SELF_BUILD

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+: "${NOM:="true"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/family_disks/default.nix

@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "908cbf04";
+
+    networking.hostName = "family_disks"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+    boot.loader.generic-extlinux-compatible.enable = true;
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    me.rollback.dataset = [
+      "zroot/linux/nix/root@blank"
+      "zroot/linux/nix/home@blank"
+    ];
+
+    me.optimizations = {
+      enable = true;
+      arch = "skylake";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    # boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable light sensor
+    # hardware.sensor.iio.enable = lib.mkDefault true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
+    nix.daemonCPUSchedPolicy = "idle";
+
+    me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+    me.recovery.enable = true;
+  };
+}

nix/configuration/hosts/family_disks/disk-config.nix

@@ -0,0 +1,155 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/efi";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              # encryption = "aes-256-gcm";
+              # keyformat = "passphrase";
+              # # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/boot" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "legacy";
+              "org.zfsbootmenu:active" = "on";
+            };
+            mountpoint = "/boot";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              # recordsize = "16MiB";
+              # compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/boot".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}

nix/configuration/hosts/family_disks/distributed_build.nix

@@ -0,0 +1,19 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.quark = {
+      enable = false;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+    me.distributed_build.machines.hydra = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}

nix/configuration/hosts/family_disks/hardware-configuration.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}

nix/configuration/hosts/family_disks/power_management.nix

@@ -0,0 +1,75 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    # amd_pstate=passive :: Fully automated hardware pstate control.
+    # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
+    # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
+    # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+    boot.kernelParams = [
+      "amdgpu.abmlevel=2"
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+      # I don't see a measurable benefit from these two:
+      # "cpufreq.default_governor=powersave"
+      # "initcall_blacklist=cpufreq_gov_userspace_init"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+      "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+    ];
+
+    boot.extraModprobeConfig = ''
+      # Disable the hardware watchdog inside AMD 700 chipset series for power savings.
+      blacklist sp5100_tco
+
+      # Sound power-saving was causing chat notifications to be inaudible.
+      # options snd_hda_intel power_save=1
+    '';
+  };
+}

nix/configuration/hosts/family_disks/wrapped-disk-config.nix

@@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

nix/configuration/hosts/hydra/DEPLOY_BOOT

@@ -10,4 +10,4 @@ TARGET=hydra
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/DEPLOY_SWITCH

@@ -10,4 +10,4 @@ TARGET=hydra
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/ISO

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/SELF_BOOT

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/SELF_BUILD

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/SELF_SWITCH

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/VM_ISO

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.vm_iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/default.nix

@@ -18,10 +18,43 @@
   ];
 
   config = {
-    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
-    networking.hostId = "6fbf418b";
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "6fbf418b";
 
-    networking.hostName = "hydra"; # Define your hostname.
+        hostName = "hydra"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.219";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01db";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
 
     time.timeZone = "America/New_York";
     i18n.defaultLocale = "en_US.UTF-8";
@@ -63,13 +96,42 @@
 
     environment.systemPackages = with pkgs; [
       htop
+      git # for building on hydra
+      tmux # for building on hydra
+      nix-output-monitor # for building on hydra
     ];
 
     # nix.sshServe.enable = true;
     # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
 
+    # Override garbage collection to keep things longer
+    # Automatic garbage collection
+    nix.gc = lib.mkForce {
+      automatic = true;
+      persistent = true;
+      dates = "weekly";
+      # randomizedDelaySec = "14m";
+      options = "--delete-older-than 60d";
+    };
+
+    # The default limit of files is 1024 which is too low for some nix builds.
+    #
+    # Check with `ulimit -n`
+    security.pam.loginLimits = [
+      {
+        domain = "*";
+        item = "nofile";
+        type = "-";
+        value = "8192";
+      }
+    ];
+
+    # systemd.user.extraConfig = "DefaultLimitNOFILE=8192";
+    # systemd.services."user@11400".serviceConfig.LimitNOFILE = "8192";
+
     me.build_in_ram.enable = true;
     me.dont_use_substituters.enable = true;
+    me.hydra.enable = true;
     me.minimal_base.enable = true;
     me.nix_worker.enable = true;
   };

nix/configuration/hosts/hydra/vm_disk.nix

@@ -26,7 +26,7 @@
         neededForBoot = true;
       };
 
-      # "/.disk" = lib.mkForce {
+      # "/.persist" = lib.mkForce {
       #   device = "bind9p";
       #   fsType = "9p";
       #   options = [
@@ -35,6 +35,10 @@
       #     "version=9p2000.L"
       #     "cache=mmap"
       #     "msize=512000"
+      #     "uname=root"
+      #     "dfltuid=0"
+      #     "dfltgid=0"
+      #     "nodevmap"
       #     # "noauto"
       #     # "x-systemd.automount"
       #   ];
@@ -67,25 +71,25 @@
         neededForBoot = true;
       };
 
-      "/nix/store" = lib.mkForce {
-        overlay = {
-          lowerdir = [ "/nix/.ro-store" ];
-          upperdir = "/.disk/persist/store";
-          workdir = "/.disk/state/work";
-        };
-        # fsType = "overlay";
-        # device = "overlay";
-        # options = [
-        #   "lowerdir=/nix/.ro-store"
-        #   "upperdir=/.disk/persist/store"
-        #   "workdir=/.disk/state/work"
-        # ];
-        depends = [
-          "/nix/.ro-store"
-          "/.disk/persist/store"
-          "/.disk/state/work"
-        ];
-      };
+      # "/nix/store" = lib.mkForce {
+      #   overlay = {
+      #     lowerdir = [ "/nix/.ro-store" ];
+      #     upperdir = "/.disk/persist/store";
+      #     workdir = "/.disk/state/work";
+      #   };
+      #   # fsType = "overlay";
+      #   # device = "overlay";
+      #   # options = [
+      #   #   "lowerdir=/nix/.ro-store"
+      #   #   "upperdir=/.disk/persist/store"
+      #   #   "workdir=/.disk/state/work"
+      #   # ];
+      #   depends = [
+      #     "/nix/.ro-store"
+      #     "/.disk/persist/store"
+      #     "/.disk/state/work"
+      #   ];
+      # };
     };
   };
 }

nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT

@@ -10,4 +10,4 @@ TARGET=i_only_boot_zfs
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH

@@ -10,4 +10,4 @@ TARGET=i_only_boot_zfs
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/ISO

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/neelix/DEPLOY_BOOT

@@ -12,6 +12,6 @@ TARGET=neelix
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'

nix/configuration/hosts/neelix/DEPLOY_SWITCH

@@ -12,6 +12,6 @@ TARGET=neelix
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'

nix/configuration/hosts/odo/DEPLOY_BOOT

@@ -10,4 +10,4 @@ TARGET=odo
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/DEPLOY_SWITCH

@@ -10,4 +10,4 @@ TARGET=odo
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/ISO

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/SELF_BOOT

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/SELF_BUILD

@@ -7,4 +7,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/SELF_SWITCH

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/default.nix

@@ -77,6 +77,7 @@
 
     me.alacritty.enable = true;
     me.amd_s2idle.enable = true;
+    me.android.enable = true;
     me.ansible.enable = true;
     me.ares.enable = true;
     me.base.enable = true;
@@ -92,6 +93,7 @@
     me.ecc.enable = false;
     me.emacs_flavor = "full";
     me.emulate_isa.enable = true;
+    me.esim.enable = true;
     me.firefox.enable = true;
     me.firewall.enable = true;
     me.flux.enable = true;
@@ -103,9 +105,12 @@
     me.gpg.enable = true;
     me.graphical = true;
     me.graphics_card_type = "amd";
+    me.graphviz.enable = true;
     me.iso_mount.enable = true;
+    me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
     me.kanshi.enable = false;
+    me.kernel.enable = true;
     me.kubernetes.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;
@@ -146,6 +151,7 @@
     me.vscode.enable = true;
     me.wasm.enable = true;
     me.waybar.enable = true;
+    me.webcam.enable = true;
     me.wine.enable = false;
     me.wireguard.activated = [
       "drmario"
@@ -159,7 +165,7 @@
     me.zsh.enable = true;
 
     me.sm64ex.enable = true;
-    me.shipwright.enable = true;
+    me.shipwright.enable = false;
     me.ship2harkinian.enable = true;
   };
 }

nix/configuration/hosts/odo/distributed_build.nix

@@ -4,6 +4,12 @@
   config = {
     me.distributed_build.enable = true;
     me.distributed_build.machines.quark = {
+      enable = false;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+    me.distributed_build.machines.hydra = {
       enable = true;
       additional_config = {
         speedFactor = 2;

nix/configuration/hosts/odowork/DEPLOY_BOOT

@@ -8,4 +8,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TARGET=odowork
 
-nixos-rebuild boot --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odowork/DEPLOY_SWITCH

@@ -8,4 +8,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TARGET=odowork
 
-nixos-rebuild switch --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odowork/INSTALLER

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.installer" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.installer" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odowork/ISO

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odowork/SELF_BOOT

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odowork/SELF_BUILD

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odowork/SELF_SWITCH

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odowork/default.nix

@@ -84,6 +84,7 @@
 
     me.alacritty.enable = true;
     me.amd_s2idle.enable = true;
+    me.android.enable = true;
     me.ansible.enable = true;
     me.base.enable = true;
     me.bluetooth.enable = true;
@@ -106,8 +107,11 @@
     me.gpg.enable = true;
     me.graphical = true;
     me.graphics_card_type = "amd";
+    me.graphviz.enable = true;
     me.iso_mount.enable = true;
+    me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
+    me.kernel.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;
     me.lvfs.enable = true;
@@ -137,6 +141,7 @@
     me.vscode.enable = true;
     me.vscode.enable_work_profile = true;
     me.waybar.enable = true;
+    me.webcam.enable = true;
     me.wireguard.activated = [
       "wgh"
     ];

nix/configuration/hosts/odowork/distributed_build.nix

@@ -4,6 +4,12 @@
   config = {
     me.distributed_build.enable = true;
     me.distributed_build.machines.quark = {
+      enable = false;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+    me.distributed_build.machines.hydra = {
       enable = true;
       additional_config = {
         speedFactor = 2;

nix/configuration/hosts/quark/DEPLOY_BOOT

@@ -10,4 +10,4 @@ TARGET=quark
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/DEPLOY_SWITCH

@@ -10,4 +10,4 @@ TARGET=quark
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/ISO

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/SELF_BOOT

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/SELF_BUILD

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/SELF_SWITCH

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/default.nix

@@ -72,6 +72,7 @@
     me.alacritty.enable = true;
     me.amd_s2idle.enable = true;
     me.ansible.enable = true;
+    me.android.enable = true;
     me.ares.enable = true;
     me.base.enable = true;
     me.bluetooth.enable = true;
@@ -86,6 +87,7 @@
     me.ecc.enable = true;
     me.emacs_flavor = "full";
     me.emulate_isa.enable = true;
+    me.esim.enable = true;
     me.firefox.enable = true;
     me.firewall.enable = true;
     me.flux.enable = true;
@@ -97,9 +99,12 @@
     me.gpg.enable = true;
     me.graphical = true;
     me.graphics_card_type = "amd";
+    me.graphviz.enable = true;
     me.iso_mount.enable = true;
+    me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
     me.kanshi.enable = false;
+    me.kernel.enable = true;
     me.kubernetes.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;
@@ -141,6 +146,7 @@
     me.vscode.enable = true;
     me.wasm.enable = true;
     me.waybar.enable = true;
+    me.webcam.enable = true;
     me.wine.enable = false;
     me.wireguard.activated = [
       "drmario"
@@ -154,7 +160,7 @@
     me.zsh.enable = true;
 
     me.sm64ex.enable = true;
-    me.shipwright.enable = true;
+    me.shipwright.enable = false;
     me.ship2harkinian.enable = true;
   };
 }

nix/configuration/hosts/quark/distributed_build.nix

@@ -3,5 +3,11 @@
 
   config = {
     me.distributed_build.enable = true;
+    me.distributed_build.machines.hydra = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
   };
 }

nix/configuration/hosts/recovery/DEPLOY_BOOT

@@ -10,4 +10,4 @@ TARGET=recovery
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/recovery/DEPLOY_SWITCH

@@ -10,4 +10,4 @@ TARGET=recovery
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/recovery/ISO

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/recovery/SELF_BOOT

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/recovery/SELF_BUILD

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/recovery/SELF_SWITCH

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

nix/configuration/roles/android/default.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    android.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install android.";
+    };
+  };
+
+  config = lib.mkIf config.me.android.enable {
+    environment.systemPackages = with pkgs; [
+      android-tools
+    ];
+    users.users.talexander.extraGroups = [ "adbusers" ];
+  };
+}

nix/configuration/roles/base/default.nix

@@ -14,7 +14,13 @@ let
   cleanup_temporary_files = (
     patchScriptBin "cleanup_temporary_files" (builtins.readFile ./files/cleanup_temporary_files.bash)
   );
-  alias_rga = pkgs.writeShellScriptBin "ks" ''
+  decode_jwt = (patchScriptBin "decode_jwt" (builtins.readFile ./files/decode_jwt.bash));
+  git_find_merged_branches = (
+    patchScriptBin "git_find_merged_branches" (builtins.readFile ./files/git_find_merged_branches.bash)
+  );
+  git_fix_author = (patchScriptBin "git_fix_author" (builtins.readFile ./files/git_fix_author.bash));
+  rsync_clone = (patchScriptBin "rsync_clone" (builtins.readFile ./files/rsync_clone.bash));
+  alias_rga = pkgs.writeShellScriptBin "rga" ''
     exec ${pkgs.ripgrep}/bin/rg -uuu "''${@}"
   '';
 in
@@ -57,10 +63,14 @@ in
       ipcalc
       gptfdisk # for cgdisk
       nix-output-monitor # For better view into nixos-rebuild
-      nix-serve-ng # Serve nix store over http
+      # nix-serve-ng # Serve nix store over http
       cleanup_temporary_files
+      decode_jwt
       jq
       inetutils # For whois
+      git_find_merged_branches
+      git_fix_author
+      rsync_clone
     ];
   };
 }

nix/configuration/roles/base/files/cleanup_temporary_files.bash

@@ -1,4 +1,7 @@
 #!/usr/bin/env bash
 #
 # Delete temporary files on entire disk
-find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null
+set -euo pipefail
+IFS=$'\n\t'
+
+exec find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null

nix/configuration/roles/base/files/decode_jwt.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Decode the contents of a JWT
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'

nix/configuration/roles/base/files/git_find_merged_branches.bash

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+# Find local branches that have been merged
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: ${MAIN_BRANCH:="main"}
+
+git checkout -q ${MAIN_BRANCH} && git for-each-ref refs/heads/ "--format=%(refname:short)" | while read branch; do mergeBase=$(git merge-base ${MAIN_BRANCH} $branch) && [[ $(git cherry ${MAIN_BRANCH} $(git commit-tree $(git rev-parse "$branch^{tree}") -p $mergeBase -m _)) == "-"* ]] && echo "$branch"; done

nix/configuration/roles/base/files/git_fix_author.bash

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+git filter-branch --env-filter '
+WRONG_EMAIL="old@email.foo"
+NEW_NAME="New Name"
+NEW_EMAIL="new@email.bar"
+
+if [ "$GIT_COMMITTER_EMAIL" = "$WRONG_EMAIL" ]
+then
+    export GIT_COMMITTER_NAME="$NEW_NAME"
+    export GIT_COMMITTER_EMAIL="$NEW_EMAIL"
+fi
+if [ "$GIT_AUTHOR_EMAIL" = "$WRONG_EMAIL" ]
+then
+    export GIT_AUTHOR_NAME="$NEW_NAME"
+    export GIT_AUTHOR_EMAIL="$NEW_EMAIL"
+fi
+' --tag-name-filter cat --commit-filter 'git commit-tree -S "$@";' -- --branches --tags

nix/configuration/roles/base/files/rsync_clone.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Wrapper to set rsync flags for cloning a folder preserving attributes
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec rsync -aHAXS "$@"

nix/configuration/roles/disko/default.nix

@@ -85,9 +85,9 @@
             set -xeuo pipefail
             IFS=$'\n\t'
 
-            #${this_nixos_config.config.system.build.destroyScript}
+            ${this_nixos_config.config.system.build.destroyScript}
 
-            #${this_nixos_config.config.system.build.formatScript}
+            ${this_nixos_config.config.system.build.formatScript}
 
             ${this_nixos_config.config.system.build.mountScript}
 

nix/configuration/roles/distributed_build/default.nix

@@ -25,6 +25,13 @@ let
       };
       description = "Additional config values for the buildMachines entry. For example, speedFactor.";
     };
+
+    substituter_url = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      example = "ssh-ng://remote-host";
+      description = "URL to use as a substituter.";
+    };
   };
 
   static_host_configs = {
@@ -37,7 +44,40 @@ let
         # "aarch64-linux"
       ];
     };
+    hydra = {
+      # Does not work, so we have to use root's authorized keys. Not sure why. My best guess is it is related to overriding the ssh target via the ssh config.
+      #
+      # From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
+      # publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUNJRk9tU0NWV25xVVFFL2RKd2R0STdRQ29LTHhBNHRmWnRSYStFSG9XV0wgcm9vdEBoeWRyYQo=";
+      # publicHostKey = "c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFDQVFDNk1nNytKMys1d2c5QkJmLzkweWJhbnhJK3ZiSXRzY1ZoTzRRVFNMT1FJM1QxbWMrNUxTK2oxdDY4a20zVmx1c2k5WWh0UmNOVk1NbmZQT3Q3ejFyZ0Q4Y05iY3UzU0xCOTNGR2hvb1ZtUktyVEMyaVE4bkxZYVoyV1lrdnZ3UjJ6b24zTjRlTlFJdWUwR0EzTEtNKy82RDN5V3didjRYV2pFeWtpa1NoVFJUVUtMTjU4aUVVOVRmcnEzeE1Ib0EvYmJZMGIxK1QzUDRkQ05wb3BFcFczaVJaYkV0NUpvNS92VFBsVjc4L3I3bnV2eHlaVjU3dWhzYjhFQlFzYUdCYTIraEt6SUhFblBHWXlPUDVRRWVCZ1ZBUzh6bFg4aktaZnZuaDA0NmdFdFoyMWJWdHNBZHNXcnVYdXNEUVQyanJ2VjJOVTYvc2cyMzZPbFZvWVU4Z1JYRHZiTXhoclVSVWNsajM1RGlzTi9wMEd2clZOckVjSktZK245MS9UMG9qU0gvVTVlRzVPclhZRXQwVzIra0NsVDk0T2kxM2JjQkVDYmVUUXJKMjJRc1hKSnVEVkVzOWhsU2RLemZkMDVaaVc3MllHaHRCRWptL015UG1nSHhxYzNTKzEwc0VvT2FIazdtRjQ0M0o1MzZoWEVHZDhGWjROMnQ3MlF3V3RuUGoyNENYOG8wbmNJN2ZIYTRHTWsybi9EWU84MlNUTEJHeVBMTkxnK040NUcyYUhaSk1NWGprWlplMUVZS0dQQm5tcTFlVUdFMVd0ZkVRSEhCTHd3Y0dDdm15aWI1NTliQ0p5NWExS2pnSGNBYlk0WVRKOTlwMWtPT2lIcVlvTnArczlhSklPZU93aE5xbkkrOUxrWnYrbEhCdXRoM3A1anRRNzA3bEJMMmVBd1E9PSByb290QGh5ZHJhCg==";
+      systems = [
+        "i686-linux"
+        "x86_64-linux"
+        # "aarch64-linux"
+      ];
+
+      hostName = lib.mkForce "hydra?remote-store=local?root=/.disk/root";
+    };
   };
+  joined_configs =
+    lib.genAttrs
+      (builtins.filter (hostname: config.me.distributed_build.machines."${hostname}".enable) (
+        builtins.attrNames all_nixos_configs
+      ))
+      (
+        hostname:
+        (lib.mkMerge [
+          {
+            hostName = hostname;
+            sshUser = "nixworker";
+            sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
+            maxJobs = 1;
+            supportedFeatures = all_nixos_configs."${hostname}".config.me.optimizations.system_features;
+          }
+          static_host_configs."${hostname}"
+          config.me.distributed_build.machines."${hostname}".additional_config
+        ])
+      );
 in
 {
   imports = [ ];
@@ -58,9 +98,13 @@ in
       {
         nix.distributedBuilds = true;
 
-        # https://nix.dev/manual/nix/2.32/store/types/ssh-store.html
-        # nix.settings.substituters = lib.mkForce [ "ssh://hydra?compress=true&log-fd=2&max-connections=4" ];
+        # Using an ssh-based substituter slows down the build because querying the remote store for paths takes ages.
+        #
+        # nix.settings.substituters = lib.mkForce [
+        #   "ssh-ng://nixworker@ns1.fizz.buzz:65122?compress=true&ssh-key=/persist/manual/ssh/root/keys/id_ed25519&remote-store=/.disk/root"
+        # ];
         # nix.settings.substitute = lib.mkForce true;
+
         # nix.settings.post-build-hook = pkgs.writeShellScript "post-build-hook" ''
         #   set -euo pipefail
         #   IFS=$'\n\t'
@@ -87,6 +131,7 @@ in
                   sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
                   maxJobs = 1;
                   supportedFeatures = all_nixos_configs."${hostname}".config.me.optimizations.system_features;
+                  protocol = "ssh-ng";
                 }
                 static_host_configs."${hostname}"
                 config.me.distributed_build.machines."${hostname}".additional_config
@@ -95,6 +140,12 @@ in
           ) (builtins.attrNames all_nixos_configs)
         );
       }
+      # {
+      #   nix.settings.substitute = lib.mkForce true;
+      #   nix.settings.substituters = lib.mkForce (
+      #     lib.mapAttrsToList (hostname: joined_config: "ssh-ng://${joined_config.hostName}") joined_configs
+      #   );
+      # }
     ]
   );
 }

nix/configuration/roles/dont_use_substituters/default.nix

@@ -20,6 +20,6 @@
   config = lib.mkIf config.me.dont_use_substituters.enable {
     # Disable substituters to avoid risk of cache poisoning.
     nix.settings.substitute = false;
-    nix.settings.substituters = lib.mkForce [ ];
+    nix.settings.substituters = lib.mkOverride 99 [ ];
   };
 }

nix/configuration/roles/emacs/default.nix

@@ -125,7 +125,7 @@ in
                       ]
                     ))
                     final.nixd # nix language server
-                    final.nixfmt-rfc-style # auto-formatting nix files through nixd
+                    final.nixfmt # auto-formatting nix files through nixd
                     final.clang # To compile tree-sitter grammars
                     final.shellcheck
                     final.cmake-language-server

nix/configuration/roles/emacs/files/emacs/elisp/base-functions.el

@@ -27,6 +27,29 @@
     )
   )
 
+(defun run-command-on-buffer-require-output (cmd &rest args)
+  "Run a command using the current buffer as stdin and replacing its contents if the command succeeds with the stdout from the command. This is useful for code formatters. This version only replaces the buffer contents if the command output some text."
+  (let (
+        (stdout-buffer (generate-new-buffer "tmp-stdout" t))
+        (full-cmd (append '(call-process-region nil nil cmd nil stdout-buffer nil) args))
+        )
+    (unwind-protect
+        (let ((exit-status (eval full-cmd)))
+          (if (eq exit-status 0)
+              (if (> (buffer-size stdout-buffer) 0)
+                  (save-excursion
+                    (replace-buffer-contents stdout-buffer)
+                    )
+                (message "No output from command on buffer %s" (append (list cmd) args))
+                )
+            (message "FAILED running command on buffer %s" (append (list cmd) args))
+            )
+          )
+      (kill-buffer stdout-buffer)
+      )
+    )
+  )
+
 (defun run-command-in-directory (dir cmd &rest args)
   "Run a command in the specified directory. If the directory is nil, the directory of the file is used. The stdout result is trimmed of whitespace and returned."
   (let (

nix/configuration/roles/emacs/files/emacs/elisp/base.el

@@ -1,9 +1,19 @@
 (package-initialize)
-(use-package use-package)
+(use-package use-package
+  :custom
+  ;; Unless otherwise specified, always install packages if they are absent.
+  (use-package-always-ensure t)
+  ;; Allow updating built-in packages like eglot
+  ;; For some reason, built-in packages are still not updating so I'm just going to comment this out.
+  ;; (package-install-upgrade-built-in t)
+  ;; Natively compile packages
+  (package-native-compile t)
+  :config
+  (add-to-list 'package-archives
+               '("melpa" . "https://melpa.org/packages/")
+               )
+  )
 
-(add-to-list 'package-archives
-             '("melpa" . "https://melpa.org/packages/")
-             )
 
 (use-package auto-package-update
   :ensure t
@@ -71,10 +81,11 @@
   )
 
 (setq-default
- ;; Unless otherwise specified, always install packages if they are absent.
- use-package-always-ensure t
  ;; Point custom-file at /dev/null so emacs does not write any settings to my dotfiles.
- custom-file "/dev/null"
+ ;; custom-file "/dev/null"
+ ;;
+ ;; list-package breaks on newer versions of emacs if custom-file is set to /dev/null
+ custom-file (expand-file-name "custom.el" user-emacs-directory)
  ;; Don't pop up a small window at the bottom of emacs at launch.
  inhibit-startup-screen t
  inhibit-startup-message t
@@ -95,8 +106,6 @@
                                                       "%b")))
  ;; Use 'y' or 'n' instead of 'yes' or 'no'
  use-short-answers t
- ;; Natively compile packages
- package-native-compile t
  ;; Confirm when opening a file that does not exist
  confirm-nonexistent-file-or-buffer t
  ;; Do not require double space to end a sentence.

nix/configuration/roles/emacs/files/emacs/elisp/common-lsp.el

@@ -1,4 +1,5 @@
 (use-package eglot
+  ;; This is an emacs built-in but we're pulling the latest version
   :pin gnu
   :commands (eglot eglot-ensure)
   :bind (:map eglot-mode-map

nix/configuration/roles/emacs/files/emacs/elisp/lang-d2.el

@@ -1,14 +1,14 @@
 (defun d2-format-buffer ()
   "Run prettier."
   (interactive)
-  (run-command-on-buffer "d2" "fmt" "-")
+  (run-command-on-buffer-require-output "d2" "fmt" "-")
   )
 
 (use-package d2-mode
   :commands (d2-mode)
   :hook (
          (d2-mode . (lambda ()
-                      ;; (add-hook 'before-save-hook 'd2-format-buffer nil 'local)
+                      (add-hook 'before-save-hook 'd2-format-buffer nil 'local)
                       ))
          )
   )

nix/configuration/roles/emacs/files/emacs/elisp/lang-nft.el

@@ -0,0 +1,5 @@
+(use-package nftables-mode
+  :commands nftables-mode
+  )
+
+(provide 'lang-nft)

nix/configuration/roles/emacs/files/emacs/elisp/lang-org.el

@@ -1,81 +1,79 @@
-(use-package org
-  :ensure nil
-  :commands org-mode
-  :bind (:map org-mode-map
-         ("C-c l" . org-store-link)
-         ("C-c a" . org-agenda)
-         ("S-<up>" . org-shiftup)
-         ("S-<right>" . org-shiftright)
-         ("S-<down>" . org-shiftdown)
-         ("S-<left>" . org-shiftleft)
-         )
-  :hook (
-         (org-mode . (lambda ()
-                       (org-indent-mode +1)
-                       ))
-         ;; Make windmove work in Org mode:
-         (org-shiftup-final . windmove-up)
-         (org-shiftleft-final . windmove-left)
-         (org-shiftdown-final . windmove-down)
-         (org-shiftright-final . windmove-right)
-         )
-  :config
-  (require 'org-tempo)
-  (setq org-export-latex-listings t)
-  (setq org-startup-truncated nil)
-  (setq org-startup-folded nil)
-  (setq org-src-fontify-natively t
-        org-src-tab-acts-natively t
-        org-confirm-babel-evaluate nil
-        )
+(require 'color)
+(let ((bg (face-attribute 'default :background)))
+  (use-package org
+    :ensure nil
+    :commands org-mode
+    :bind (:map org-mode-map
+                ("C-c l" . org-store-link)
+                ("C-c a" . org-agenda)
+                ("S-<up>" . org-shiftup)
+                ("S-<right>" . org-shiftright)
+                ("S-<down>" . org-shiftdown)
+                ("S-<left>" . org-shiftleft)
+                )
+    :hook (
+           (org-mode . (lambda ()
+                         (org-indent-mode +1)
+                         ))
+           ;; Make windmove work in Org mode:
+           (org-shiftup-final . windmove-up)
+           (org-shiftleft-final . windmove-left)
+           (org-shiftdown-final . windmove-down)
+           (org-shiftright-final . windmove-right)
+           )
+    :custom-face
+    (org-block ((t (:inherit default :background ,(color-lighten-name bg 15) :extend ,t))))
+    (org-block-begin-line ((t (:inherit default :background ,"#472300" :extend ,t))))
+    (org-block-end-line ((t (:inherit default :background ,"#472300" :extend ,t))))
+    :config
+    (require 'org-tempo)
+    (setq org-export-latex-listings t)
+    (setq org-startup-truncated nil)
+    (setq org-startup-folded nil)
+    (setq org-src-fontify-natively t
+          org-src-tab-acts-natively t
+          org-confirm-babel-evaluate nil
+          )
 
-  ;; Show the full source of org-mode links instead of condensing them. I.E. render "[[foo]]" instead of "foo"
-  (setq org-descriptive-links nil)
+    ;; Show the full source of org-mode links instead of condensing them. I.E. render "[[foo]]" instead of "foo"
+    (setq org-descriptive-links nil)
 
-  ;; Only interpret _ and ^ and sub and superscripts if they're of the form _{subscript} and ^{superscript}
-  (setq org-export-with-sub-superscripts '{})
-  ;; Don't include a "validate" link at the bottom of html export
-  (setq org-html-validation-link nil)
+    ;; Only interpret _ and ^ and sub and superscripts if they're of the form _{subscript} and ^{superscript}
+    (setq org-export-with-sub-superscripts '{})
+    ;; Don't include a "validate" link at the bottom of html export
+    (setq org-html-validation-link nil)
 
 
-  (setq org-latex-listings 'minted)
-  (setq org-latex-minted-options '(("breaklines" "true")
-                                   ("breakanywhere" "true")
-                                   ("bgcolor" "mintedbg") ("frame" "single") ("framesep" "6pt") ("fontsize" "\\footnotesize")))
+    (setq org-latex-listings 'minted)
+    (setq org-latex-minted-options '(("breaklines" "true")
+                                     ("breakanywhere" "true")
+                                     ("bgcolor" "mintedbg") ("frame" "single") ("framesep" "6pt") ("fontsize" "\\footnotesize")))
 
-  ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
-  ;; (setq org-latex-compiler "lualatex")
-  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
-  ;; (setq org-preview-latex-default-process 'dvisvgm)
-  (setq org-latex-pdf-process
-        '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
-          "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
-          "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"))
-  (add-to-list 'org-latex-packages-alist '("cache=false" "minted"))
-  (add-to-list 'org-latex-packages-alist '("" "svg"))
-  (add-to-list 'org-latex-packages-alist '("margin=2cm" "geometry" nil))
+    ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
+    ;; (setq org-latex-compiler "lualatex")
+    ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
+    ;; (setq org-preview-latex-default-process 'dvisvgm)
+    (setq org-latex-pdf-process
+          '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
+            "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
+            "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"))
+    (add-to-list 'org-latex-packages-alist '("cache=false" "minted"))
+    (add-to-list 'org-latex-packages-alist '("" "svg"))
+    (add-to-list 'org-latex-packages-alist '("margin=2cm" "geometry" nil))
 
-  (add-to-list 'org-src-lang-modes '("dot" . "graphviz-dot"))
+    (add-to-list 'org-src-lang-modes '("dot" . "graphviz-dot"))
 
-  (org-babel-do-load-languages 'org-babel-load-languages
-                               '((shell      . t)
-                                 (js         . t)
-                                 (emacs-lisp . t)
-                                 (python     . t)
-                                 (dot        . t)
-                                 (css        . t)
-                                 (gnuplot    . t)
-                                 (sqlite     . t)
-                                 ))
-
-  (require 'color)
-
-  (let ((bg (face-attribute 'default :background)))
-    (custom-set-faces
-     `(org-block ((t (:inherit default :background ,(color-lighten-name bg 15) :extend ,t))))
-     `(org-block-begin-line ((t (:inherit default :background ,"#472300" :extend ,t))))
-     `(org-block-end-line ((t (:inherit default :background ,"#472300" :extend ,t))))
-     ))
+    (org-babel-do-load-languages 'org-babel-load-languages
+                                 '((shell      . t)
+                                   (js         . t)
+                                   (emacs-lisp . t)
+                                   (python     . t)
+                                   (dot        . t)
+                                   (css        . t)
+                                   (gnuplot    . t)
+                                   (sqlite     . t)
+                                   ))
+    )
   )
 
 (use-package org-bullets

nix/configuration/roles/emacs/files/emacs/init.el

@@ -42,4 +42,6 @@
 
 (require 'lang-d2)
 
+(require 'lang-nft)
+
 (load-directory autoload-directory)

nix/configuration/roles/esim/default.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    esim.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install esim.";
+    };
+  };
+
+  config = lib.mkIf (config.me.esim.enable && config.me.graphical) {
+    environment.systemPackages = with pkgs; [
+      easylpac
+      zbar # To decode qrcodes via `zbarimg <file>`
+    ];
+
+    nixpkgs.overlays = [
+      (final: prev: {
+        easylpac = (final.callPackage ./package/easylpac/package.nix { });
+      })
+    ];
+
+  };
+}

nix/configuration/roles/esim/package/easylpac/CONTRIB

@@ -0,0 +1 @@
+Package from https://github.com/nix-community/nur-combined/blob/main/repos/linyinfeng/pkgs/easylpac/default.nix

nix/configuration/roles/esim/package/easylpac/ci-registry.json

@@ -0,0 +1,120 @@
+[
+  {
+    "key-id": "81370f",
+    "name": "GSM Association - RSP2 Root CI1",
+    "crls": ["http://gsma-crl.symauth.com/offlineca/gsma-rsp2-root-ci1.crl"]
+  },
+  {
+    "key-id": "d7a7d0",
+    "name": "GSM Association - M2M31 Root CI2"
+  },
+  {
+    "key-id": "4c2796",
+    "name": "OISITE GSMA CI G1",
+    "crls": ["http://public.wisekey.com/crl/ogsmacig1.crl"]
+  },
+  {
+    "key-id": "665a14",
+    "name": "Symantec RSP Test Root CA",
+    "crls": ["http://pki-crl.symauth.com/ca_a3dc2e3fea7708a11c889386d9d3a76f/LatestCRL.crl"]
+  },
+  {
+    "key-id": "f54172",
+    "name": "GSMA Test CI (SGP.26 v1)"
+  },
+  {
+    "key-id": "c0bc70",
+    "name": "GSMA Test CI (SGP.26 v1, BRP P256r1)"
+  },
+  {
+    "key-id": "34eecf",
+    "name": "Test CI (SGP.26 v3)"
+  },
+  {
+    "key-id": "2209f6",
+    "name": "Test CI (SGP.26 v3, BRP P256r1)"
+  },
+  {
+    "key-id": "148030",
+    "country": "CN",
+    "name": "Taier eSIM Root CA",
+    "crls": ["http://111.204.176.254:18889/download/n1.crl", "http://111.204.176.254:18889/download/n2.crl"]
+  },
+  {
+    "key-id": "16b5d1",
+    "country": "CN",
+    "name": "MNO: China Unicom"
+  },
+  {
+    "key-id": "7c0e54",
+    "country": "CN",
+    "name": "MNO: China Unicom"
+  },
+  {
+    "key-id": "3bd3f5",
+    "country": "CN",
+    "name": "MNO: China Unicom"
+  },
+  {
+    "key-id": "cdf6d1",
+    "country": "CN",
+    "name": "MNO: China Mobile"
+  },
+  {
+    "key-id": "d3ef83",
+    "country": "CN",
+    "name": "MNO: China Telecom",
+    "crls": ["http://crl.cnca.net/esim/ccs/a.crl", "http://crl.cnca.net/esim/ccs/b.crl"]
+  },
+  {
+    "key-id": "4eb94e",
+    "country": "CN",
+    "name": "MNO: China Telecom"
+  },
+  {
+    "key-id": "b70ba4",
+    "country": "GB",
+    "name": "Truphone SAS-UP CA"
+  },
+  {
+    "key-id": "73fca0",
+    "country": "CN",
+    "name": "Redtea Mobile CI"
+  },
+  {
+    "key-id": "ea53ad",
+    "country": "DE",
+    "name": "SubMan V4.2 CI"
+  },
+  {
+    "key-id": "96524c",
+    "country": "DE",
+    "name": "SubMan V4.2 CI"
+  },
+  {
+    "key-id": "b60f0b",
+    "country": "DE",
+    "name": "SubMan V4.2 CI Google Pixel"
+  },
+  {
+    "key-id": "cd6e60",
+    "country": "FR",
+    "name": "MC4 OT ROOT CI v1"
+  },
+  {
+    "key-id": "066d48",
+    "country": "FR",
+    "name": "MC4 CI TEST v2"
+  },
+  {
+    "key-id": "16704b",
+    "country": "US",
+    "name": "Entrust eSIM CA",
+    "crls": ["http://crl.entrust.net/entesimca.crl"]
+  },
+  {
+    "key-id": "77f0bd",
+    "country": "FR",
+    "name": "Gemalto CE CI"
+  }
+]

nix/configuration/roles/esim/package/easylpac/eum-registry.json

@@ -0,0 +1,88 @@
+[
+  {
+    "eum": "35060000",
+    "country": "CN",
+    "manufacturer": "HED"
+  },
+  {
+    "eum": "35840574",
+    "country": "CN",
+    "manufacturer": "Beijing Watchdata",
+    "accreditations": ["WD-BG"]
+  },
+  {
+    "eum": "89033023",
+    "country": "FR",
+    "manufacturer": "Thales",
+    "accreditations": ["GO-CA", "GO-PA", "GO-SI", "TS-CA", "TS-ME", "TS-NA", "TS-PA", "TS-SI"]
+  },
+  {
+    "eum": "89033024",
+    "country": "FR",
+    "manufacturer": "IDEMIA",
+    "accreditations": ["IA-FK", "IA-VE", "ID-NA", "ID-SN", "OR-SN"]
+  },
+  {
+    "eum": "89034011",
+    "country": "ES",
+    "manufacturer": "Valid",
+    "accreditations": ["VD-MD", "VD-SU"]
+  },
+  {
+    "eum": "89041030",
+    "country": "CH",
+    "manufacturer": "STM",
+    "accreditations": ["SM-CA", "SM-CT"]
+  },
+  {
+    "eum": "89043051",
+    "country": "AT",
+    "manufacturer": "NXP",
+    "accreditations": ["NP-HG", "NP-KG", "NP-TN"]
+  },
+  {
+    "eum": "89043052",
+    "country": "AT",
+    "manufacturer": "NXP"
+  },
+  {
+    "eum": "89044045",
+    "country": "GB",
+    "manufacturer": "Kigen",
+    "accreditations": ["KN-DN", "KN-NA"]
+  },
+  {
+    "eum": "89044047",
+    "country": "GB",
+    "manufacturer": "Truphone"
+  },
+  {
+    "eum": "89049032",
+    "country": "DE",
+    "manufacturer": "G+D",
+    "accreditations": ["GD-BA", "GD-CI", "GD-MM", "GD-NG"]
+  },
+  {
+    "eum": "89049038",
+    "country": "DE",
+    "manufacturer": "G+D"
+  },
+  {
+    "eum": "89086001",
+    "country": "CN",
+    "manufacturer": "Hengbao",
+    "accreditations": ["HO-DG"]
+  },
+  {
+    "eum": "89086029",
+    "country": "CN",
+    "manufacturer": "Wuhan Tianyu",
+    "accreditations": ["WN-HI"]
+  },
+  {
+    "eum": "89086030",
+    "country": "CN",
+    "manufacturer": "Eastcompeace",
+    "accreditations": ["ED-ZI"]
+  }
+]

nix/configuration/roles/esim/package/easylpac/package.nix

@@ -0,0 +1,68 @@
+{
+  callPackage,
+  go,
+  buildGoModule,
+  fetchFromGitHub,
+  pkg-config,
+  gtk3,
+  libXxf86vm,
+  libglvnd,
+  glfw,
+  wrapGAppsHook3,
+  fontconfig,
+  lpac,
+  lib,
+}:
+
+buildGoModule rec {
+  pname = "easylpac";
+  version = "0.7.9.2";
+  src = fetchFromGitHub {
+    owner = "creamlike1024";
+    repo = "EasyLPAC";
+    rev = version;
+    sha256 = "sha256-8VVR8QJR6SZEvdGls3kDU9l8SdFdUVnHm2qxUzgGJuU=";
+  };
+  proxyVendor = true;
+  vendorHash = "sha256-tX7abWGn1f4p+7vx2gDa5/NKg5SbWqMfHT8kbPwHK14=";
+
+  postConfigure = ''
+    cp --verbose "${./eum-registry.json}" eum-registry.json
+    cp --verbose "${./ci-registry.json}"  ci-registry.json
+  '';
+
+  env.FONTCONFIG_FILE = "${fontconfig.out}/etc/fonts/fonts.conf";
+
+  nativeBuildInputs = [
+    pkg-config
+    wrapGAppsHook3
+  ];
+  buildInputs = [
+    gtk3
+    libglvnd
+    libXxf86vm
+  ]
+  ++ glfw.buildInputs;
+
+  postInstall = ''
+    ln -s "${lpac}/bin/lpac" "$out/bin/lpac"
+  '';
+
+  passthru = {
+    updateScriptEnabled = true;
+    updateScript =
+      let
+        script = callPackage ./update.nix { };
+      in
+      [ "${script}/bin/update-easylpac" ];
+  };
+
+  meta = with lib; {
+    description = "lpac GUI Frontend";
+    homepage = "https://github.com/creamlike1024/EasyLPAC";
+    mainProgram = "EasyLPAC";
+    license = licenses.mit;
+    maintainers = with maintainers; [ yinfeng ];
+    broken = !(lib.versionAtLeast go.version "1.24");
+  };
+}

nix/configuration/roles/firefox/default.nix

@@ -66,8 +66,18 @@
         "privacy.fingerprintingProtection" = true;
         # Allow sending dark mode preference to websites.
         # Allow sending timezone to websites.
-        "privacy.fingerprintingProtection.overrides" =
-          "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt,-CanvasExtractionFromThirdPartiesIsBlocked";
+        "privacy.fingerprintingProtection.overrides" = (
+          builtins.concatStringsSep "," [
+            "+AllTargets" # Enable all protections
+            "-CSSPrefersColorScheme" # Don't hide light/dark preference
+            "-JSDateTimeUTC" # Allow sending timezone to websites.
+            "-CanvasExtractionBeforeUserInputIsBlocked" # Canvas image extraction needed by google maps to avoid names looking like barcodes.
+            # Google meet's auto-framing results in random flashing colored bars unless the following two are allowed:
+            "-CanvasImageExtractionPrompt"
+            "-CanvasExtractionFromThirdPartiesIsBlocked"
+            "-WebGLRenderCapability" # Needed for smooth zooming on google maps
+          ]
+        );
         # Disable weather on new tab page
         "browser.newtabpage.activity-stream.showWeather" = false;
         # Disable AI stuff that wastes battery life
@@ -79,6 +89,20 @@
       policies = {
         DisableTelemetry = true;
         DisplayBookmarksToolbar = "newtab";
+        DisableFirefoxStudies = true;
+        FirefoxHome = {
+          SponsoredStories = false;
+          SponsoredTopSites = false;
+          Stories = false;
+        };
+        GenerativeAI = {
+          Enabled = false;
+        };
+        SearchEngines = {
+          Remove = [
+            "Perplexity"
+          ];
+        };
 
         # Check about:support for extension/add-on ID strings.
         # Valid strings for installation_mode are "allowed", "blocked",

nix/configuration/roles/firewall/default.nix

@@ -24,7 +24,16 @@
     networking.firewall.allowedUDPPorts = [
       5353 # mDNS
     ];
+
+    # networking.firewall.enable = true;
+    # networking.nftables.enable = true;
+
     # Or disable the firewall altogether.
-    # networking.firewall.enable = false;
+    networking.firewall.enable = false;
+
+    # Debugging
+    # networking.firewall.logRefusedConnections = true;
+    # networking.firewall.logRefusedPackets = true;
+    # networking.firewall.logReversePathDrops = true;
   };
 }

nix/configuration/roles/gcloud/default.nix

@@ -18,7 +18,7 @@
   };
 
   config = lib.mkIf config.me.gcloud.enable {
-    environment.systemPackages = with pkgs; [
+    environment.systemPackages = with pkgs.google; [
       (google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ])
     ];
 

nix/configuration/roles/git/default.nix

@@ -16,6 +16,14 @@ let
       }:$PATH"
       exec ${package}/bin/${prog} "''${@}"
     '';
+  git_hide = pkgs.writeShellScriptBin "git-hide" ''
+    git add --intent-to-add "''${@}"
+    git update-index --skip-worktree --assume-unchange "''${@}"
+  '';
+  git_unhide = pkgs.writeShellScriptBin "git-unhide" ''
+    git update-index --no-skip-worktree --no-assume-unchange "''${@}"
+    git reset "''${@}"
+  '';
 in
 {
   imports = [ ];
@@ -41,6 +49,8 @@ in
       {
         environment.systemPackages = with pkgs; [
           my_git
+          git_hide
+          git_unhide
         ];
       }
       (lib.mkIf (config.me.git.config != null) {

nix/configuration/roles/gpg/default.nix

@@ -44,11 +44,11 @@ in
     ];
     services.pcscd.enable = true;
 
-    me.install.user.talexander.file = {
-      ".gnupg/scdaemon.conf" = {
-        source = ./files/scdaemon.conf;
-      };
-    };
+    # me.install.user.talexander.file = {
+    #   ".gnupg/scdaemon.conf" = {
+    #     source = ./files/scdaemon.conf;
+    #   };
+    # };
 
     programs.gnupg.agent = {
       enable = true;

nix/configuration/roles/graphics/default.nix

@@ -34,7 +34,7 @@
         environment.systemPackages = with pkgs; [
           mesa-demos # for glxgears
           vulkan-tools # for vkcube
-          xorg.xeyes # to test which windows are using x11
+          xeyes # to test which windows are using x11
         ];
         hardware.graphics.enable = true;
         # hardware.graphics.enable32Bit = true;

nix/configuration/roles/graphviz/default.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    graphviz.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install graphviz.";
+    };
+  };
+
+  config = lib.mkIf config.me.graphviz.enable {
+    environment.systemPackages = with pkgs; [
+      graphviz
+    ];
+  };
+}

nix/configuration/roles/hydra/default.nix

@@ -1,9 +1,57 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 
+let
+  # patchScriptBin =
+  #   {
+  #     filename,
+  #     contents,
+  #     path ? [ ],
+  #   }:
+  #   ((pkgs.writeScriptBin filename contents).overrideAttrs (old: {
+  #     buildInputs = [ pkgs.makeWrapper ];
+  #     buildCommand = "${old.buildCommand}\n patchShebangs $out\nwrapProgram $out/bin/${filename} --prefix PATH : ${lib.makeBinPath path}";
+  #   }));
+  nix_builder = pkgs.rustPlatform.buildRustPackage rec {
+    pname = "nix_builder";
+    version = "0.0.0";
+
+    src = pkgs.fetchgit {
+      url = "https://code.fizz.buzz/talexander/nix_builder.git";
+      # tag = version;
+      rev = "606832f505a1ccc9702cd12c236c3188f9282e82";
+      hash = "sha256-WHvnkCIPDBw0BnrQMnBpmwmYuhlxR4FfkoNWw2DY6XE=";
+      leaveDotGit = false;
+    };
+
+    cargoLock = {
+      lockFile = "${src}/Cargo.lock";
+    };
+
+    meta = with lib; {
+      description = "A builder of nix configs for a build server.";
+      homepage = "https://code.fizz.buzz/talexander/nix_builder";
+      license = licenses.bsd0;
+      maintainers = [ ];
+    };
+
+    nativeBuildInputs = [ pkgs.makeWrapper ];
+
+    postInstall = ''
+      wrapProgram $out/bin/nix-builder --prefix PATH : ${
+        lib.makeBinPath [
+          pkgs.git
+          pkgs.nix
+          pkgs.nixos-rebuild
+        ]
+      }
+    '';
+  };
+in
 {
   imports = [ ];
 
@@ -17,28 +65,92 @@
   };
 
   config = lib.mkIf config.me.hydra.enable {
-    services.hydra = {
-      enable = true;
-      hydraURL = "http://localhost:3000"; # Externally visible URL
-      notificationSender = "hydra@localhost"; # "From" address for hydra emails.
-      # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
-      buildMachinesFiles = [ ];
-      useSubstitutes = true;
+    environment.systemPackages = with pkgs; [
+      nix_builder
+      sqlite # For manually inspecting the database.
+    ];
+
+    environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+      hideMounts = true;
+      users.nixworker = {
+        directories = [
+          {
+            directory = "persist";
+            user = "nixworker";
+            group = "nixworker";
+            mode = "0700";
+          }
+        ];
+      };
     };
 
-    # nix.buildMachines = [
-    #   {
-    #     hostName = "localhost";
-    #     protocol = null;
-    #     system = "x86_64-linux";
-    #     supportedFeatures = [
-    #       "kvm"
-    #       "nixos-test"
-    #       "big-parallel"
-    #       "benchmark"
-    #     ];
-    #     maxJobs = 8;
-    #   }
-    # ];
+    # Nix 2.30.0 (2025-07-07) changed the build directory from /tmp to /nix/var/nix/builds which broke a number of builds because my ZFS datasets were utf8only.
+    fileSystems."/.disk/root/nix/var/nix/builds" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = [
+        "size=50G" # adjust for your situation and needs
+        "mode=700"
+        "uid=11400"
+        "gid=11400"
+      ];
+    };
+
+    systemd.timers."build-cache" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*-*-* 03:00:00 America/New_York";
+        Unit = "build-cache.service";
+      };
+    };
+
+    systemd.services."build-cache" = {
+      script = ''
+        set -euo pipefail
+        IFS=$'\n\t'
+        DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
+
+        NIX_REMOTE='local?root=/.disk/root' RUST_BACKTRACE=1 RUST_LOG=nix_builder=DEBUG ${nix_builder}/bin/nix-builder build --config ${./files/nix_builder.toml} --target odo --target odo_update --target odowork --target odowork_update --target quark --target quark_update --target hydra --target hydra_update --target controller0 --target controller0_update --target controller1 --target controller1_update --target controller2 --target controller2_update --target worker0 --target worker0_update --target worker1 --target worker1_update --target worker2 --target worker2_update --target family_disks --target family_disks_update --target nixbsd
+      '';
+      restartIfChanged = false;
+      serviceConfig = {
+        Type = "simple";
+        User = "nixworker";
+        # restartIfChanged = false;
+        # RemainAfterExit = true; # Prevents the service from automatically starting on rebuild. See https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
+        LimitNOFILE = 8192;
+      };
+    };
+
+    # TODO: This should move into nix-builder so we can only run clean when builds are passing. Otherwise partial builds will lose progress.
+    # TODO: In nix-builder maybe include setting to auto delete to make room during builds if we run out of space, just in case builds are failing for a long time and prevent cleanup from running.
+    systemd.timers."clean-cache" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*-*-01 02:00:00 America/New_York";
+        Unit = "clean-cache.service";
+      };
+    };
+
+    systemd.services."clean-cache" = {
+      script = ''
+        set -euo pipefail
+        IFS=$'\n\t'
+        DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
+
+        NIX_REMOTE='local?root=/.disk/root' nix-collect-garbage -d
+      '';
+      path = with pkgs; [
+        pkgs.nix
+      ];
+      restartIfChanged = false;
+      serviceConfig = {
+        Type = "simple";
+        User = "nixworker";
+        # restartIfChanged = false;
+        # RemainAfterExit = true; # Prevents the service from automatically starting on rebuild. See https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
+        LimitNOFILE = 8192;
+      };
+    };
   };
 }

nix/configuration/roles/hydra/files/nix_builder.toml

@@ -0,0 +1,186 @@
+output_directory = "/home/nixworker/persist/nix_builder"
+
+[[targets]]
+  name = "odo"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "nix"
+  path = "nix/configuration"
+  attr = "nixosConfigurations.odo.config.system.build.toplevel"
+
+[[targets]]
+  name = "odo_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "nix"
+  path = "nix/configuration"
+  attr = "nixosConfigurations.odo.config.system.build.toplevel"
+  update = true
+  update_branch = "nix_update"
+
+[[targets]]
+  name = "odowork"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "nix"
+  path = "nix/configuration"
+  attr = "nixosConfigurations.odowork.config.system.build.toplevel"
+
+[[targets]]
+  name = "odowork_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "nix"
+  path = "nix/configuration"
+  attr = "nixosConfigurations.odowork.config.system.build.toplevel"
+  update = true
+  update_branch = "nix_update"
+
+[[targets]]
+  name = "quark"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "nix"
+  path = "nix/configuration"
+  attr = "nixosConfigurations.quark.config.system.build.toplevel"
+
+[[targets]]
+  name = "quark_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "nix"
+  path = "nix/configuration"
+  attr = "nixosConfigurations.quark.config.system.build.toplevel"
+  update = true
+  update_branch = "nix_update"
+
+[[targets]]
+  name = "hydra"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "nix"
+  path = "nix/configuration"
+  attr = "hydra.vm_iso"
+
+[[targets]]
+  name = "hydra_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "nix"
+  path = "nix/configuration"
+  attr = "hydra.vm_iso"
+  update = true
+  update_branch = "nix_update"
+
+[[targets]]
+  name = "controller0"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "controller0.vm_iso"
+
+[[targets]]
+  name = "controller0_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "controller0.vm_iso"
+  update = true
+  update_branch = "kubernetes_update"
+
+[[targets]]
+  name = "controller1"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "controller1.vm_iso"
+
+[[targets]]
+  name = "controller1_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "controller1.vm_iso"
+  update = true
+  update_branch = "kubernetes_update"
+
+[[targets]]
+  name = "controller2"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "controller2.vm_iso"
+
+[[targets]]
+  name = "controller2_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "controller2.vm_iso"
+  update = true
+  update_branch = "kubernetes_update"
+
+[[targets]]
+  name = "worker0"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "worker0.vm_iso"
+
+[[targets]]
+  name = "worker0_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "worker0.vm_iso"
+  update = true
+  update_branch = "kubernetes_update"
+
+[[targets]]
+  name = "worker1"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "worker1.vm_iso"
+
+[[targets]]
+  name = "worker1_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "worker1.vm_iso"
+  update = true
+  update_branch = "kubernetes_update"
+
+[[targets]]
+  name = "worker2"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "worker2.vm_iso"
+
+[[targets]]
+  name = "worker2_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "kubernetes"
+  path = "nix/kubernetes"
+  attr = "worker2.vm_iso"
+  update = true
+  update_branch = "kubernetes_update"
+
+# TODO: Add steam deck
+
+[[targets]]
+  name = "family_disks"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "family_disks"
+  path = "nix/configuration"
+  attr = "nixosConfigurations.family_disks.config.system.build.toplevel"
+
+[[targets]]
+  name = "family_disks_update"
+  repo = "https://code.fizz.buzz/talexander/machine_setup.git"
+  branch = "family_disks"
+  path = "nix/configuration"
+  attr = "nixosConfigurations.family_disks.config.system.build.toplevel"
+  update = true
+  update_branch = "nix_update"
+
+[[targets]]
+  name = "nixbsd"
+  repo = "https://github.com/nixos-bsd/nixbsd.git"
+  revision = "828ff7a3c4ee91f548de65a963fca40eaedb171c"
+  path = "."
+  attr = "base.vmClosureInfo"

nix/configuration/roles/jujutsu/default.nix

@@ -15,11 +15,29 @@
       example = true;
       description = "Whether we want to install jujutsu.";
     };
+
+    jujutsu.config = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      example = ./files/jujutsu_config_home.toml;
+      description = "A jujutsu config file.";
+    };
   };
 
-  config = lib.mkIf config.me.jujutsu.enable {
-    environment.systemPackages = with pkgs; [
-      jujutsu
-    ];
-  };
+  config = lib.mkIf config.me.jujutsu.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          jujutsu
+        ];
+      }
+      (lib.mkIf (config.me.jujutsu.config != null) {
+        me.install.user.talexander.file = {
+          ".config/jj/config.toml" = {
+            source = config.me.jujutsu.config;
+          };
+        };
+      })
+    ]
+  );
 }

nix/configuration/roles/jujutsu/files/jujutsu_config_home.toml

@@ -0,0 +1,17 @@
+#:schema https://docs.jj-vcs.dev/latest/config-schema.json
+
+[ui]
+default-command = "log"
+paginate = "never"
+
+[user]
+name = "Tom Alexander"
+email = "tom@fizz.buzz"
+
+[signing]
+behavior = "own"
+backend = "gpg"
+key = "D272C8D6167F26859467666F4278299FB84F6875"
+
+# [git]
+# sign-on-push = true

nix/configuration/roles/kernel/default.nix

@@ -0,0 +1,194 @@
+# Check current config:
+#   nix build '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile'
+#   cat $(nix eval --raw '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile') | less
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  preemption_type = with lib.kernel; {
+    full = {
+      PREEMPT_DYNAMIC = yes;
+      PREEMPT = yes;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = no;
+    };
+    lazy = {
+      PREEMPT_DYNAMIC = yes;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = yes;
+      PREEMPT_NONE = no;
+    };
+    voluntary = {
+      PREEMPT_DYNAMIC = no;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = yes;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = no;
+    };
+    none = {
+      PREEMPT_DYNAMIC = no;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = yes;
+    };
+  };
+  tick_hz =
+    with lib.kernel;
+    {
+      "1000" = {
+        HZ_1000 = yes;
+        HZ = freeform "1000";
+      };
+    }
+    // lib.genAttrs [ "100" "250" "300" "500" "600" "750" ] (hz: {
+      HZ_1000 = no;
+      "HZ_${hz}" = yes;
+      HZ = freeform hz;
+    });
+  performance_governor = with lib.kernel; {
+    default = {
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
+    };
+    performance = {
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = no;
+      CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
+    };
+  };
+  tick_rate = with lib.kernel; {
+    # Always tick at the hz frequency.
+    periodic = {
+      NO_HZ_IDLE = no;
+      NO_HZ_FULL = no;
+      NO_HZ = no;
+      NO_HZ_COMMON = no;
+      HZ_PERIODIC = yes;
+    };
+    # Idle - Do not disturb the CPU when idle. This can save power but increase latency.
+    idle = {
+      HZ_PERIODIC = no;
+      NO_HZ_FULL = no;
+      NO_HZ_IDLE = yes;
+      NO_HZ = yes;
+      NO_HZ_COMMON = yes;
+    };
+    # Full dyntick system (tickless) - The kernel tries to shut down the tick whenever possible.
+    tickless = {
+      HZ_PERIODIC = no;
+      NO_HZ_IDLE = no;
+      NO_HZ_FULL = yes;
+      NO_HZ = yes;
+      NO_HZ_COMMON = yes;
+      CONTEXT_TRACKING = yes;
+    };
+  };
+  huge_page = with lib.kernel; {
+    always = {
+      TRANSPARENT_HUGEPAGE_MADVISE = no;
+      TRANSPARENT_HUGEPAGE_ALWAYS = yes;
+    };
+    madvise = {
+      TRANSPARENT_HUGEPAGE_ALWAYS = no;
+      TRANSPARENT_HUGEPAGE_MADVISE = yes;
+    };
+  };
+  common_config =
+    with lib.kernel;
+    {
+      # Google's BBRv3 TCP congestion Control
+      TCP_CONG_BBR = yes;
+      DEFAULT_BBR = yes;
+    };
+  flavors = {
+    server = lib.mkMerge [
+      preemption_type.none
+      tick_hz."300"
+      performance_governor.default
+      tick_rate.tickless
+      huge_page.madvise
+    ];
+    interactive =
+      with lib.kernel;
+      lib.mkMerge [
+        {
+          # Enable RCU Lazy - Reduces power consumption when idle or lightly loaded. Useful for battery-powered devices like laptops.
+          RCU_LAZY = yes;
+        }
+        preemption_type.lazy
+        tick_hz."300"
+        performance_governor.default
+        tick_rate.tickless
+        huge_page.madvise
+      ];
+  };
+in
+{
+  imports = [ ];
+
+  options.me = {
+    kernel.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install kernel.";
+    };
+
+    kernel.version = lib.mkOption {
+      type = lib.types.str;
+      default = "linux"; # LTS
+      example = "linux_6_18";
+      description = "What version of the kernl should we use.";
+    };
+
+    kernel.flavor = lib.mkOption {
+      type = lib.types.str;
+      default = "interactive";
+      example = "server";
+      description = "What type of kernel should be built.";
+    };
+  };
+
+  config = lib.mkIf config.me.kernel.enable (
+    lib.mkMerge [
+      {
+        boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
+      }
+      (lib.mkIf (!config.me.optimizations.enable) {
+        nixpkgs.overlays = [
+          (final: prev: {
+            linux_me = final."${config.me.kernel.version}";
+          })
+        ];
+      })
+      (lib.mkIf (config.me.optimizations.enable) {
+        nixpkgs.overlays = [
+          (
+            final: prev:
+            let
+              addConfig =
+                additionalConfig: pkg:
+                pkg.override (oldconfig: {
+                  structuredExtraConfig = lib.mkMerge ([ pkg.structuredExtraConfig ] ++ additionalConfig);
+                  # stdenv = pkgs.llvmPackages_latest.stdenv;
+                  # stdenv = pkgs.clangStdenv;
+                });
+            in
+            {
+              linux_me = addConfig ([
+                common_config
+                flavors."${config.me.kernel.flavor}"
+              ]) final."${config.me.kernel.version}";
+            }
+          )
+        ];
+      })
+    ]
+  );
+}

nix/configuration/roles/latex/default.nix

@@ -43,6 +43,7 @@
               minted # emacs org-mode pdf export code block highlighting
               upquote # emacs org-mode pdf export
               lineno # emacs org-mode pdf export
+              beamer # emacs org-mode presentation pdf export
               ;
           }
         );