Add a build for the yubikey management raspberry pi image.

Move ansible-sshjail and zsh-histdb into my config instead of living as separate flakes.
Support running arm code on x86.
2025-10-08 21:24:44 -04:00 · 2025-10-05 21:37:57 -04:00 · 2025-10-05 20:43:04 -04:00 · 2025-10-05 20:04:03 -04:00 · 2025-10-05 15:17:34 -04:00 · 2025-10-05 14:55:42 -04:00
320 changed files with 45157 additions and 283 deletions
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -88,6 +88,6 @@ linfi:
  enabled: true
  zfs_dataset: zmass/unencrypted/vm/linfi
  zfs_mountpoint: /vm/linfi
-  driver_blocklist: "ath if_ath if_ath_pci ath_hal"
+  driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
  pci_blocklist: "6/0/0"
  amd: false
--- a/ansible/roles/base/files/gitconfig_home
+++ b/ansible/roles/base/files/gitconfig_home
@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
--- a/ansible/roles/base/files/gitconfig_work
+++ b/ansible/roles/base/files/gitconfig_work
@@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
--- a/ansible/roles/devfs/files/homeserver_devfs.rules
+++ b/ansible/roles/devfs/files/homeserver_devfs.rules
@@ -17,3 +17,9 @@ add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
+
+[tajailrand=15]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path urandom unhide
--- a/ansible/roles/emacs/files/elisp/lang-nix.el
+++ b/ansible/roles/emacs/files/elisp/lang-nix.el
@@ -0,0 +1,22 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package nix-mode
+  :mode (("\\.nix\\'" . nix-mode)
+         )
+  :commands nix-mode
+  :hook (
+         (nix-mode . (lambda ()
+                             ;; (eglot-ensure)
+                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
+                             ;;   :documentation
+                             ;;   "Own eglot server class.")
+
+                             ;; (add-to-list 'eglot-server-programs
+                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ))
+         )
+  )
+
+(provide 'lang-nix)
--- a/ansible/roles/emacs/files/init.el
+++ b/ansible/roles/emacs/files/init.el
@@ -36,4 +36,6 @@

 (require 'lang-xml)

+(require 'lang-nix)
+
 (load-directory autoload-directory)
--- a/ansible/roles/emacs/meta/main.yaml
+++ b/ansible/roles/emacs/meta/main.yaml
@@ -7,3 +7,5 @@ dependencies:
    when: 'emacs_flavor == "full"'
  - role: terraform
    when: 'emacs_flavor == "full"'
+  - role: nix
+    when: 'emacs_flavor == "full"'
--- a/ansible/roles/firefox/defaults/main.yaml
+++ b/ansible/roles/firefox/defaults/main.yaml
@@ -28,7 +28,7 @@ firefox_config:
  # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
  #
  # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
-  dom.event.clipboardevents.enabled: false
+  # dom.event.clipboardevents.enabled: false
  # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
  privacy.firstparty.isolate: true
  # Do not preload URLs that auto-complete in the address bar.
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -42,6 +42,10 @@ nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 p
 rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1

+# cloak -> dagger old
+rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
+nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
+
 # -> sftp
 # TODO: Limit bandwidth for sftp
 rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
--- a/ansible/roles/framework_laptop/tasks/linux.yaml
+++ b/ansible/roles/framework_laptop/tasks/linux.yaml
@@ -96,4 +96,5 @@
  package:
    name:
      - fw-ectool-git
+      - wireless-regdb
    state: present
--- a/ansible/roles/jail/files/jails/dagger.conf
+++ b/ansible/roles/jail/files/jails/dagger.conf
@@ -6,6 +6,8 @@ dagger {
    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
    exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";

+    devfs_ruleset = 15;
+    mount.devfs;
    mount.fstab = "/etc/fstab.${name}";

    exec.start += "/bin/sh /etc/rc";
--- a/ansible/roles/media/files/cast_file_vaapi
+++ b/ansible/roles/media/files/cast_file_vaapi
@@ -4,7 +4,23 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

+: ${VIDEO_BITRATE:="1M"} # Only for encoding modes targeting bitrate
+: ${AUDIO_BITRATE:="192k"}

+############## Setup #########################
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################

 function main {
    local cmd
@@ -12,28 +28,10 @@ function main {
    shift
    if [ "$cmd" = "copy" ]; then
        copy "${@}"
-    elif [ "$cmd" = "av1" ]; then
-        av1 "${@}"
-    elif [ "$cmd" = "stream_software_h264" ]; then
-        stream_software_h264 "${@}"
-    elif [ "$cmd" = "stream_hardware_h264" ]; then
-        stream_hardware_h264 "${@}"
-    elif [ "$cmd" = "preprocess_software_h264" ]; then
-        preprocess_software_h264 "${@}"
-    elif [ "$cmd" = "preprocess_hardware_h264" ]; then
-        preprocess_hardware_h264 "${@}"
-    elif [ "$cmd" = "vp9" ]; then
-        vp9 "${@}"
-    elif [ "$cmd" = "preprocess_hardware_vp9" ]; then
-        preprocess_hardware_vp9 "${@}"
-    elif [ "$cmd" = "vp8" ]; then
-        vp8 "${@}"
-    elif [ "$cmd" = "software_vp8" ]; then
-        software_vp8 "${@}"
-    elif [ "$cmd" = "preprocess_h264" ]; then
-        preprocess_h264 "${@}"
-    elif [ "$cmd" = "preprocess_vp8" ]; then
-        preprocess_vp8 "${@}"
+    elif [ "$cmd" = "convert" ]; then
+        convert "${@}"
+    elif [ "$cmd" = "stream" ]; then
+        stream "${@}"
    elif [ "$cmd" = "webcam" ]; then
        webcam "${@}"
    elif [ "$cmd" = "encode_webcam" ]; then
@@ -64,286 +62,106 @@ function copy {
        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
 }

-
-
-function av1 {
-    # local additional_flags=()
-    # additional_flags+=(--profile "$PROFILE")
-    # (cd "$DIR/../" && cargo build --no-default-features "${additional_flags[@]}")
-
-    local destination_type="$1" # "stream" or "preprocess"
-    local acceleration_type="$2" # "software" or "hardware"
-    # shift 2
-
+function convert {
    local args=()
+    local acceleration_type="$1" # "software" or "hardware"
+    local codec="$2" # "h264" or "av1"
+    local file_to_cast="$3"
+    local file_to_save="$4"

-    if [ "$destination_type" == "stream" ]; then
-        args+=(-re -stream_loop -1)
-    elif [ "$destination_type" == "preproces" ]; then
+
+
+    # Verify parameters
+
+
+    if [ "$acceleration_type" == "software" ]; then
+        true
+    elif [ "$acceleration_type" == "hardware" ]; then
        true
    else
-        (>&2 echo "Unknown destination type: $destination_type")
-        exit 1
+        die 1 "Unknown acceleration type: $acceleration_type"
    fi

+    if [ "$codec" == "h264" ]; then
+        true
+    elif [ "$codec" == "av1" ]; then
+        true
+    else
+        die 1 "Unknown codec: $codec"
+    fi
+
+
+
+    # Build command
+
+
+
    if [ "$acceleration_type" == "software" ]; then
        true
    elif [ "$acceleration_type" == "hardware" ]; then
        args+=(-vaapi_device /dev/dri/renderD128)
-    else
-        (>&2 echo "Unknown acceleration type: $acceleration_type")
-        exit 1
    fi

    args+=(-i "$file_to_cast")

-    if [ "$acceleration_type" == "software" ]; then
-        args+=(-c:v h264)
-    elif [ "$acceleration_type" == "hardware" ]; then
-        args+=(-vf 'format=nv12|vaapi,hwupload')
-        args+=(-c:v h264_vaapi)
-    else
-        (>&2 echo "Unknown acceleration type: $acceleration_type")
-        exit 1
+    if [ "$codec" == "h264" ]; then
+        if [ "$acceleration_type" == "software" ]; then
+            args+=(-c:v h264)
+            args+=(-profile:v high)
+            args+=(-b:v "$VIDEO_BITRATE")
+        elif [ "$acceleration_type" == "hardware" ]; then
+            args+=(-vf 'format=nv12|vaapi,hwupload')
+            args+=(-c:v h264_vaapi)
+            args+=(-profile:v high)
+            args+=(-b:v "$VIDEO_BITRATE")
+        fi
+    elif [ "$codec" == "av1" ]; then
+        if [ "$acceleration_type" == "software" ]; then
+            args+=(-c:v libsvtav1)
+            args+=(-preset 4) # [0-13] default 10, lower = higher quality / slower encode
+            args+=(-crf 20) # [0-63] default 35, lower = higher quality / larger file
+            # Parameters: https://gitlab.com/AOMediaCodec/SVT-AV1/-/blob/master/Docs/Parameters.md
+            # fast-decode [0-2] default 0 (off), higher = faster decode
+            # tune [0-2] default 1, Specifies whether to use PSNR or VQ as the tuning metric [0 = VQ, 1 = PSNR, 2 = SSIM]
+            # film-grain-denoise, setting to 0 uses the original frames instead of denoising the film grain
+            args+=(-svtav1-params "fast-decode=1:film-grain-denoise=0")
+        elif [ "$acceleration_type" == "hardware" ]; then
+            # -c:v av1_amf -quality quality
+            args+=(-vf 'format=nv12|vaapi,hwupload')
+            args+=(-c:v av1_vaapi)
+            args+=(-b:v "$VIDEO_BITRATE")
+        fi
    fi

-    args+=(-b:v 2M)
-    args+=(-profile:v high)
+
+
+    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
    args+=(-bf 0)
    args+=(-strict -2)
    args+=(-c:a opus)
    args+=(-ac 2)
-    args+=(-b:a 320k)
+    args+=(-b:a "$AUDIO_BITRATE")
    args+=(-ar 48000)
-
-    if [ "$destination_type" == "stream" ]; then
-        args+=(-f rtsp)
-        args+=(-rtsp_transport tcp)
-        args+=("rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch")
-    elif [ "$destination_type" == "preproces" ]; then
-        args+=("$file_to_save")
-    else
-        (>&2 echo "Unknown destination type: $destination_type")
-        exit 1
-    fi
+    args+=("$file_to_save")
+    set -x
+    </dev/null exec ffmpeg "${args[@]}"
 }

-function stream_software_h264 {
-    local file_to_cast
-    file_to_cast="$3"
+function stream {
+    local args=()
+    local acceleration_type="$1" # "software" or "hardware"
+    local codec="$2" # "h264" or "av1"

-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
+    local USERNAME="$3"
+    local PASSWORD="$4"
+    local file_to_cast="$5"

-    set -x

-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-               -re \
-               -stream_loop -1 \
-               -i "$file_to_cast" \
-               -c:v h264 \
-               -b:v 2M \
-               -profile:v high \
-               -bf 0 \
-               -strict -2 \
-               -c:a opus \
-               -ac 2 \
-               -b:a 320k \
-               -ar 48000 \
-               -f rtsp \
-               -rtsp_transport tcp \
-               "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
+    args+=(-re -stream_loop -1)

-function stream_hardware_h264 {
-    local file_to_cast
-    file_to_cast="$3"
-
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-               -re \
-               -stream_loop -1 \
-               -vaapi_device /dev/dri/renderD128 \
-               -i "$file_to_cast" \
-               -vf 'format=nv12|vaapi,hwupload' \
-               -c:v h264_vaapi \
-               -b:v 2M \
-               -profile:v high \
-               -bf 0 \
-               -strict -2 \
-               -c:a opus \
-               -ac 2 \
-               -b:a 320k \
-               -ar 48000 \
-               -f rtsp \
-               -rtsp_transport tcp \
-               "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function preprocess_software_h264 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-               -i "$file_to_cast" \
-               -c:v h264 \
-               -b:v 2M \
-               -profile:v high \
-               -bf 0 \
-               -strict -2 \
-               -c:a opus \
-               -ac 2 \
-               -b:a 320k \
-               -ar 48000 \
-               "$file_to_save"
-}
-
-function preprocess_hardware_h264 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-               -vaapi_device /dev/dri/renderD128 \
-               -i "$file_to_cast" \
-               -vf 'format=nv12,hwupload' \
-               -c:v h264_vaapi \
-               -b:v 2M \
-               -profile:v high \
-               -bf 0 \
-               -strict -2 \
-               -c:a opus \
-               -ac 2 \
-               -b:a 320k \
-               -ar 48000 \
-               "$file_to_save"
-}
-
-function vp9 {
-    local file_to_cast
-    file_to_cast="$3"
-
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -init_hw_device vaapi=foo:/dev/dri/renderD128 \
-        -hwaccel vaapi \
-        -hwaccel_output_format vaapi \
-        -hwaccel_device foo \
-        -i "$file_to_cast" \
-        -filter_hw_device foo \
-        -vf 'format=nv12|vaapi,hwupload' \
-        -c:v vp9_vaapi \
-        -bf 0 \
-        -strict -2 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -f rtsp \
-        -rtsp_transport tcp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function preprocess_hardware_vp9 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    </dev/null exec ffmpeg \
-        -init_hw_device vaapi=foo:/dev/dri/renderD128 \
-        -hwaccel vaapi \
-        -hwaccel_output_format vaapi \
-        -hwaccel_device foo \
-        -i "$file_to_cast" \
-        -filter_hw_device foo \
-        -vf 'format=nv12|vaapi,hwupload' \
-        -c:v vp9_vaapi \
-        -bf 0 \
-        -strict -2 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        "$file_to_save"
-}
-
-function software_vp8 {
-    local USERNAME PASSWORD
-    USERNAME="$1"
-    PASSWORD="$2"
-
-    local file_to_cast
-    file_to_cast="$3"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    # -strict -2 :: Enable support for experimental codecs like opus.
-    # -b:v 2M :: Target 2 megabit/s
-    # -crf 10 :: Target a quality level and adjust bitrate accordingly. This should be preferred, but ideally both should be used.
-    </dev/null exec ffmpeg \
-        -re \
-        -stream_loop -1 \
-        -i "$file_to_cast" \
-        -c:v vp8 \
-        -b:v 2M \
-        -crf 10 \
-        -bf 0 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -strict -2 \
-        -f rtsp \
-        -rtsp_transport tcp \
-        "rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch"
-}
-
-function preprocess_vp8 {
-    local file_to_cast file_to_save
-    file_to_cast="$1"
-    file_to_save="$2"
-
-    set -x
-
-    # -bf 0 :: Disable b-frames because webrtc doesn't support h264 streams with b-frames.
-    # -strict -2 :: Enable support for experimental codecs like opus.
-    # -b:v 2M :: Target 2 megabit/s
-    # -crf 10 :: Target a quality level and adjust bitrate accordingly. This should be preferred, but ideally both should be used.
-    </dev/null exec ffmpeg \
-        -i "$file_to_cast" \
-        -c:v vp8 \
-        -b:v 2M \
-        -crf 10 \
-        -bf 0 \
-        -c:a opus \
-        -b:a 320k \
-        -ar 48000 \
-        -strict -2 \
-        "$file_to_save"
+    args+=(-f rtsp)
+    args+=(-rtsp_transport tcp)
+    args+=("rtsp://$USERNAME:$PASSWORD@172.16.16.251:8554/fetch")
 }

 function webcam {
--- a/ansible/roles/media/tasks/linux.yaml
+++ b/ansible/roles/media/tasks/linux.yaml
@@ -1,3 +1,5 @@
+# Maybe install https://github.com/alexheretic/ab-av1 to find good crf values for encoding
+
 - name: Build aur packages
  register: buildaur
  become_user: "{{ build_user.name }}"
--- a/ansible/roles/network/files/main.conf
+++ b/ansible/roles/network/files/main.conf
@@ -1,3 +1,6 @@
 [General]
 EnableNetworkConfiguration=true
 # AddressRandomization=network
+
+# Needed for Qualcomm WCN785x
+ControlPortOverNL80211=false
--- a/ansible/roles/nix/tasks/common.yaml
+++ b/ansible/roles/nix/tasks/common.yaml
@@ -0,0 +1,55 @@
+# - name: Create directories
+#   file:
+#     name: "{{ item }}"
+#     state: directory
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - /foo/bar
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0600
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.conf
+#       dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user
--- a/ansible/roles/nix/tasks/freebsd.yaml
+++ b/ansible/roles/nix/tasks/freebsd.yaml
@@ -0,0 +1,5 @@
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
--- a/ansible/roles/nix/tasks/linux.yaml
+++ b/ansible/roles/nix/tasks/linux.yaml
@@ -0,0 +1,21 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - nixd
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - nixd
+#     state: present
--- a/ansible/roles/nix/tasks/main.yaml
+++ b/ansible/roles/nix/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  # when: foo is defined
--- a/ansible/roles/nix/tasks/peruser.yaml
+++ b/ansible/roles/nix/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'
--- a/ansible/roles/nix/tasks/peruser_freebsd.yaml
+++ b/ansible/roles/nix/tasks/peruser_freebsd.yaml
--- a/ansible/roles/nix/tasks/peruser_linux.yaml
+++ b/ansible/roles/nix/tasks/peruser_linux.yaml
--- a/ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-make.conf
+++ b/ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-make.conf
@@ -33,6 +33,7 @@ OPTIONS_SET+=STATIC LTO

 .if ${.CURDIR:M*/editors/emacs*}
 OPTIONS_SET+=NATIVECOMP PGTK
+OPTIONS_UNSET+=XPM
 .endif

 .if ${.CURDIR:M*/www/firefox*}
--- a/ansible/roles/sftp/tasks/common.yaml
+++ b/ansible/roles/sftp/tasks/common.yaml
@@ -64,6 +64,23 @@
 #     force: true
 #   diff: false

+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0700
+    owner: nochainstounlock
+    group: nochainstounlock
+  loop:
+    - /home/nochainstounlock/.ssh
+
+- name: Set authorized keys
+  authorized_key:
+    user: nochainstounlock
+    key: |
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrjXsXjtxEm47XnRZfo67kJULoc0NBLrB0lPYFiS2Ar kodi@neelix
+    exclusive: true
+
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'

--- a/ansible/roles/sshd/files/keys/yubikey.pub
+++ b/ansible/roles/sshd/files/keys/yubikey.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8
--- a/ansible/roles/sway/files/config
+++ b/ansible/roles/sway/files/config
@@ -21,6 +21,9 @@ set $term alacritty
 # set $menu dmenu_path | dmenu | xargs swaymsg exec
 set $menu wofi --show drun --gtk-dark

+# Do not show a title bar on windows
+default_border pixel 2
+
 bindsym $mod+grave exec $term

 include ~/.config/sway/config.d/*.conf
--- a/ansible/roles/waybar/files/style.css
+++ b/ansible/roles/waybar/files/style.css
@@ -149,6 +149,11 @@ tooltip {
  padding-bottom: 2px;
 }

+#window {
+  padding-left: 10px;
+  padding-right: 10px;
+}
+
 #network {
  /* No styles */
 }
--- a/ansible/roles/waybar/files/waybar_config.json
+++ b/ansible/roles/waybar/files/waybar_config.json
@@ -1,6 +1,7 @@
 {
  // "height": 10, // Waybar height (to be removed for auto height)
  "modules-left": ["sway/workspaces", "sway/mode"],
+  "modules-center": ["sway/window"],
  "modules-right": ["custom/night_mode", "custom/temperature", "custom/sound", "custom/available_memory", "custom/battery", "idle_inhibitor", "custom/clock", "tray"],
  "sway/workspaces": {
    "disable-scroll": true
@@ -8,6 +9,9 @@
  "sway/mode": {
    "format": "<span style=\"italic\">{}</span>"
  },
+  "sway/window": {
+    "format": "{title}"
+  },
  "idle_inhibitor": {
    "format": "{icon}",
    "format-icons": {
--- a/ansible/roles/waybar/files/waybar_scripts/waybar_night_mode.bash
+++ b/ansible/roles/waybar/files/waybar_scripts/waybar_night_mode.bash
@@ -8,7 +8,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 SLEEP_INTERVAL=${SLEEP_INTERVAL:-30}

 # ◓◒●◌◎
-# 🟠🟡🟢🟣🟤
+# 🔴🔵🟠🟡🟢🟣🟤
 # 🟥🟦🟧🟨🟩🟪🟫
 # ☀☯⭐🌝🌞⏾
 # 🌑🌓🌗🌕
@@ -42,7 +42,7 @@ function main {
    local night_mode_icon night_mode_text night_mode_class
    night_mode_mode="auto"
    night_mode_class=""
-    wlsunset -l 40.7 -L -74.0 &
+    wlsunset -S 07:00 -s 22:00 &
    wlsunset_pid=$!

    while true; do
--- a/ansible/roles/zfs/tasks/linux.yaml
+++ b/ansible/roles/zfs/tasks/linux.yaml
@@ -1,7 +1,8 @@
 - name: Install packages
  package:
    name:
-      - linux-lts-headers
+      # - linux-lts-headers
+      - linux-headers
    state: present

 - name: Check trusted gpg keys
@@ -26,7 +27,7 @@
  args:
    creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
  loop:
-    - zfs-dkms
+    - zfs-dkms-git
    - zfs-utils

 - name: Update cache
@@ -39,7 +40,7 @@
 - name: Install packages
  package:
    name:
-      - zfs-dkms
+      - zfs-dkms-git
      - zfs-utils
    state: present

--- a/nix/configuration/.gitignore
+++ b/nix/configuration/.gitignore
@@ -0,0 +1 @@
+result
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -0,0 +1,286 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./roles/2ship2harkinian
+    ./roles/alacritty
+    ./roles/amd_s2idle
+    ./roles/ansible
+    ./roles/ares
+    ./roles/bluetooth
+    ./roles/boot
+    ./roles/chromecast
+    ./roles/chromium
+    ./roles/d2
+    ./roles/direnv
+    ./roles/distributed_build
+    ./roles/docker
+    ./roles/ecc
+    ./roles/emacs
+    ./roles/emulate_isa
+    ./roles/firefox
+    ./roles/firewall
+    ./roles/flux
+    ./roles/fonts
+    ./roles/gcloud
+    ./roles/git
+    ./roles/global_options
+    ./roles/gnuplot
+    ./roles/gpg
+    ./roles/graphics
+    ./roles/hydra
+    ./roles/iso
+    ./roles/iso_mount
+    ./roles/kanshi
+    ./roles/kodi
+    ./roles/kubernetes
+    ./roles/latex
+    ./roles/launch_keyboard
+    ./roles/lvfs
+    ./roles/media
+    ./roles/memtest86
+    ./roles/network
+    ./roles/nix_index
+    ./roles/nix_worker
+    ./roles/nvme
+    ./roles/openpgp_card_tools
+    ./roles/optimized_build
+    ./roles/pcsx2
+    ./roles/podman
+    ./roles/python
+    ./roles/qemu
+    ./roles/reset
+    ./roles/rpcs3
+    ./roles/rust
+    ./roles/sequoia
+    ./roles/shadps4
+    ./roles/shikane
+    ./roles/shipwright
+    ./roles/sm64ex
+    ./roles/sops
+    ./roles/sound
+    ./roles/spaghettikart
+    ./roles/ssh
+    ./roles/steam
+    ./roles/steam_run_free
+    ./roles/sway
+    ./roles/tekton
+    ./roles/terraform
+    ./roles/thunderbolt
+    ./roles/uutils
+    ./roles/vnc_client
+    ./roles/vscode
+    ./roles/wasm
+    ./roles/waybar
+    ./roles/wireguard
+    ./roles/yubikey
+    ./roles/zfs
+    ./roles/zrepl
+    ./roles/zsh
+    ./util/install_files
+    ./util/unfree_polyfill
+  ];
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.trusted-users = [ "@wheel" ];
+
+  # boot.kernelPackages = pkgs.linuxPackages_6_11;
+  hardware.enableRedistributableFirmware = true;
+
+  # Use nixos-rebuild-ng
+  # system.rebuild.enableNg = true;
+
+  # Keep outputs so we can build offline.
+  nix.extraOptions = ''
+    keep-outputs = true
+    keep-derivations = true
+    substitute = false
+  '';
+
+  # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
+  boot.supportedFilesystems.zfs = true;
+  # TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ?
+
+  services.getty = {
+    autologinUser = "talexander"; # I use full disk encryption so the user password is irrelevant.
+    autologinOnce = true;
+  };
+  users.mutableUsers = false;
+  users.users.talexander = {
+    isNormalUser = true;
+    createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
+    group = "talexander";
+    extraGroups = [ "wheel" ];
+    uid = 11235;
+    packages = with pkgs; [
+      tree
+    ];
+    # Generate with `mkpasswd -m scrypt`
+    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
+    ];
+  };
+  users.groups.talexander.gid = 11235;
+
+  # Automatic garbage collection
+  nix.gc = lib.mkIf (!config.me.buildingIso) {
+    # Runs nix-collect-garbage --delete-older-than 5d
+    automatic = true;
+    persistent = true;
+    dates = "monthly";
+    # randomizedDelaySec = "14m";
+    options = "--delete-older-than 30d";
+  };
+  nix.settings.auto-optimise-store = !config.me.buildingIso;
+  nix.settings.substituters = lib.mkForce [ ];
+
+  # Use doas instead of sudo
+  security.doas.enable = true;
+  security.doas.wheelNeedsPassword = false;
+  security.sudo.enable = false;
+  security.doas.extraRules = [
+    {
+      # Retain environment (for example NIX_PATH)
+      keepEnv = true;
+      persist = true; # Only ask for a password the first time.
+    }
+  ];
+
+  environment.systemPackages = with pkgs; [
+    wget
+    mg
+    rsync
+    libinput
+    htop
+    tmux
+    file
+    usbutils # for lsusb
+    pciutils # for lspci
+    ripgrep
+    strace
+    # ltrace # Disabled because it uses more than 48GB of /tmp space during test phase.
+    trace-cmd # ftrace
+    tcpdump
+    git-crypt
+    gnumake
+    ncdu
+    nix-tree
+    libarchive # bsdtar
+    lsof
+    doas-sudo-shim # To support --sudo for remote builds
+    dmidecode # Read SMBIOS information.
+    ipcalc
+    gptfdisk # for cgdisk
+    nix-output-monitor # For better view into nixos-rebuild
+    nix-serve-ng # Serve nix store over http
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+    hostKeys = [
+      {
+        path = "/persist/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
+  environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+    hideMounts = true;
+    directories = [
+      "/var/lib/iwd" # Wifi settings
+      "/var/lib/nixos" # Contains user information (uids/gids)
+      "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
+      "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
+    ];
+    files = [
+      "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+    users.talexander = {
+      directories = [
+        {
+          directory = "persist";
+          user = "talexander";
+          group = "talexander";
+          mode = "0700";
+        }
+      ];
+    };
+  };
+
+  # Write a list of the currently installed packages to /etc/current-system-packages
+  environment.etc."current-system-packages".text =
+    let
+      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
+      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+      formatted = builtins.concatStringsSep "\n" sortedUnique;
+    in
+    formatted;
+
+  # environment.etc."system-packages-with-source".text = builtins.concatStringsSep "\n\n" (
+  #   builtins.map (
+  #     x: x.file + "\n" + builtins.concatStringsSep "\n" (builtins.map (s: "  " + s) x.value)
+  #   ) config.environment.systemPackages.definitionsWithLocations
+  # );
+
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     nix = pkgs-unstable.nix;
+  #   })
+  # ];
+
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     foot = throw "foo";
+  #   })
+  # ];
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}
--- a/nix/configuration/flake.lock
+++ b/nix/configuration/flake.lock
@@ -0,0 +1,263 @@
+{
+  "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1758287904,
+        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1759381078,
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-dda3dcd3f": {
+      "locked": {
+        "lastModified": 1746663147,
+        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unoptimized": {
+      "locked": {
+        "lastModified": 1759381078,
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "impermanence": "impermanence",
+        "lanzaboote": "lanzaboote",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-dda3dcd3f": "nixpkgs-dda3dcd3f",
+        "nixpkgs-unoptimized": "nixpkgs-unoptimized"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/nix/configuration/flake.nix
+++ b/nix/configuration/flake.nix
@@ -0,0 +1,242 @@
+# Build ISO image
+#   nix build --extra-experimental-features nix-command --extra-experimental-features flakes .#iso.odo
+#   output: result/iso/nixos.iso
+
+# Run the ISO image
+#   doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
+#        -accel kvm \
+#        -cpu host \
+#        -smp cores=8 \
+#        -m 32768 \
+#        -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
+#        -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" \
+#        -nic user,hostfwd=tcp::60022-:22 \
+#        -boot order=d \
+#        -cdrom "$(readlink -f ./result/iso/nixos*.iso)" \
+#        -display vnc=127.0.0.1:0
+#
+# doas cp "$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF_VARS.fd" /tmp/OVMF_VARS.fd
+# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" -accel kvm -cpu host -smp cores=8 -m 32768 -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" -nic user,hostfwd=tcp::60022-:22 -boot order=d -cdrom /persist/machine_setup/nix/configuration/result/iso/nixos*.iso -display vnc=127.0.0.1:0
+
+# Get a repl for this flake
+#   nix repl --expr "builtins.getFlake \"$PWD\""
+
+# TODO maybe use `nix eval --raw .#iso.odo.outPath`
+# iso.odo.isoName == "nixos.iso"
+# full path = <outPath> / iso / <isoName>
+
+#
+# Install on a new machine:
+#
+#
+# doas nix --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/odo/disk-config.nix
+
+# for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+# nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#vm_ionlybootzfs"
+#
+
+{
+  description = "My system configuration";
+
+  inputs = {
+    impermanence.url = "github:nix-community/impermanence";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-dda3dcd3f.url = "github:NixOS/nixpkgs/dda3dcd3fe03e991015e9a74b22d35950f264a54";
+    nixpkgs-unoptimized.url = "github:NixOS/nixpkgs/nixos-unstable";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
+
+      # Optional but recommended to limit the size of your system closure.
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nixpkgs-unoptimized,
+      nixpkgs-dda3dcd3f,
+      impermanence,
+      lanzaboote,
+      ...
+    }@inputs:
+    let
+      base_x86_64_linux = rec {
+        system = "x86_64-linux";
+        specialArgs = {
+          pkgs-dda3dcd3f = import nixpkgs-dda3dcd3f {
+            inherit system;
+          };
+          pkgs-unoptimized = import nixpkgs-unoptimized {
+            inherit system;
+            hostPlatform.gcc.arch = "default";
+            hostPlatform.gcc.tune = "default";
+          };
+        };
+        modules = [
+          impermanence.nixosModules.impermanence
+          lanzaboote.nixosModules.lanzaboote
+          inputs.disko.nixosModules.disko
+          ./configuration.nix
+        ];
+      };
+      systems =
+        let
+          additional_iso_modules = [
+            (nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix")
+            # TODO: Figure out how to do image based appliances
+            # (nixpkgs + "/nixos/modules/profiles/image-based-appliance.nix")
+            {
+              isoImage.makeEfiBootable = true;
+              isoImage.makeUsbBootable = true;
+              me.buildingIso = true;
+              me.optimizations.enable = nixpkgs.lib.mkForce false;
+            }
+            {
+              # These are big space hogs. The chance that I need them on an ISO is slim.
+              me.steam.enable = nixpkgs.lib.mkForce false;
+              me.pcsx2.enable = nixpkgs.lib.mkForce false;
+            }
+          ];
+          additional_vm_modules = [
+            (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
+            {
+              networking.dhcpcd.enable = true;
+              networking.useDHCP = true;
+              me.optimizations.enable = nixpkgs.lib.mkForce false;
+            }
+            {
+              # I don't need games on a virtual machine.
+              me.steam.enable = nixpkgs.lib.mkForce false;
+              me.pcsx2.enable = nixpkgs.lib.mkForce false;
+              me.sm64ex.enable = nixpkgs.lib.mkForce false;
+              me.shipwright.enable = nixpkgs.lib.mkForce false;
+              me.ship2harkinian.enable = nixpkgs.lib.mkForce false;
+            }
+          ];
+        in
+        {
+          odo = rec {
+            main = base_x86_64_linux // {
+              modules = base_x86_64_linux.modules ++ [
+                ./hosts/odo
+              ];
+            };
+            iso = main // {
+              modules = main.modules ++ additional_iso_modules;
+            };
+            vm = main // {
+              modules = main.modules ++ additional_vm_modules;
+            };
+            vm_iso = main // {
+              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+            };
+          };
+          quark = rec {
+            main = base_x86_64_linux // {
+              modules = base_x86_64_linux.modules ++ [
+                ./hosts/quark
+              ];
+            };
+            iso = main // {
+              modules = main.modules ++ additional_iso_modules;
+            };
+            vm = main // {
+              modules = main.modules ++ additional_vm_modules;
+            };
+            vm_iso = main // {
+              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+            };
+          };
+          neelix = rec {
+            main = base_x86_64_linux // {
+              modules = base_x86_64_linux.modules ++ [
+                ./hosts/neelix
+              ];
+            };
+            iso = main // {
+              modules = main.modules ++ additional_iso_modules;
+            };
+            vm = main // {
+              modules = main.modules ++ additional_vm_modules;
+            };
+            vm_iso = main // {
+              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+            };
+          };
+          hydra =
+            let
+              hydra_additional_iso_modules = additional_iso_modules ++ [
+                {
+                  me.optimizations.enable = true;
+                }
+              ];
+            in
+            rec {
+              main = base_x86_64_linux // {
+                modules = base_x86_64_linux.modules ++ [
+                  ./hosts/hydra
+                ];
+              };
+              iso = main // {
+                modules = main.modules ++ hydra_additional_iso_modules;
+              };
+              vm = main // {
+                modules = main.modules ++ additional_vm_modules;
+              };
+              vm_iso = main // {
+                modules = main.modules ++ additional_vm_modules ++ hydra_additional_iso_modules;
+              };
+            };
+          ionlybootzfs = rec {
+            main = base_x86_64_linux // {
+              modules = base_x86_64_linux.modules ++ [
+                ./hosts/ionlybootzfs
+              ];
+            };
+            iso = main // {
+              modules = main.modules ++ additional_iso_modules;
+            };
+            vm = main // {
+              modules = main.modules ++ additional_vm_modules;
+            };
+            vm_iso = main // {
+              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+            };
+          };
+
+        };
+    in
+    {
+      nixosConfigurations.odo = nixpkgs.lib.nixosSystem systems.odo.main;
+      iso.odo = (nixpkgs.lib.nixosSystem systems.odo.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_odo = nixpkgs.lib.nixosSystem systems.odo.vm;
+      vm_iso.odo = (nixpkgs.lib.nixosSystem systems.odo.vm_iso).config.system.build.isoImage;
+
+      nixosConfigurations.quark = nixpkgs.lib.nixosSystem systems.quark.main;
+      iso.quark = (nixpkgs.lib.nixosSystem systems.quark.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_quark = nixpkgs.lib.nixosSystem systems.quark.vm;
+      vm_iso.quark = (nixpkgs.lib.nixosSystem systems.quark.vm_iso).config.system.build.isoImage;
+
+      nixosConfigurations.neelix = nixpkgs.lib.nixosSystem systems.neelix.main;
+      iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_neelix = nixpkgs.lib.nixosSystem systems.neelix.vm;
+      vm_iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.vm_iso).config.system.build.isoImage;
+
+      nixosConfigurations.hydra = nixpkgs.lib.nixosSystem systems.hydra.main;
+      iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_hydra = nixpkgs.lib.nixosSystem systems.hydra.vm;
+      vm_iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.vm_iso).config.system.build.isoImage;
+
+      nixosConfigurations.ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.main;
+      iso.ionlybootzfs = (nixpkgs.lib.nixosSystem systems.ionlybootzfs.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm;
+      vm_iso.ionlybootzfs =
+        (nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm_iso).config.system.build.isoImage;
+    };
+}
--- a/nix/configuration/hosts/hydra/DEPLOY_BOOT
+++ b/nix/configuration/hosts/hydra/DEPLOY_BOOT
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=hydra
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#hydra'
--- a/nix/configuration/hosts/hydra/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/hydra/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=hydra
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#hydra'
--- a/nix/configuration/hosts/hydra/ISO
+++ b/nix/configuration/hosts/hydra/ISO
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/VM_ISO
+++ b/nix/configuration/hosts/hydra/VM_ISO
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#vm_iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+install -m 0644 result/iso/nixos-*-x86_64-linux.iso ~/hydra.iso
+unlink ./result
--- a/nix/configuration/hosts/hydra/default.nix
+++ b/nix/configuration/hosts/hydra/default.nix
@@ -0,0 +1,67 @@
+#
+# Testing:
+# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
+#      -accel kvm \
+#      -cpu host \
+#      -smp cores=8 \
+#      -m 32768 \
+#      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
+#      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
+#      -device nvme,serial=deadbeef,drive=nvm \
+#      -nic user,hostfwd=tcp::60022-:22 \
+#      -boot order=d \
+#      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
+#      -display vnc=127.0.0.1:0
+#
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./disk-config.nix
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  networking.hostId = "fbd233d8";
+
+  networking.hostName = "hydra"; # Define your hostname.
+
+  time.timeZone = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  me.secureBoot.enable = false;
+
+  me.optimizations = {
+    enable = true;
+    arch = "znver4";
+    system_features = [
+      "gccarch-znver4"
+      "gccarch-skylake"
+      # "gccarch-alderlake" missing WAITPKG
+      "gccarch-x86-64-v3"
+      "gccarch-x86-64-v4"
+      "benchmark"
+      "big-parallel"
+      "kvm"
+      "nixos-test"
+    ];
+  };
+
+  # Mount tmpfs at /tmp
+  boot.tmp.useTmpfs = true;
+
+  me.emacs_flavor = "plainmacs";
+  me.graphical = false;
+  me.hydra.enable = false;
+  me.nix_worker.enable = true;
+  me.vm_disk.enable = true;
+  me.wireguard.activated = [ ];
+  me.wireguard.deactivated = [ ];
+  me.zsh.enable = true;
+}
--- a/nix/configuration/hosts/hydra/disk-config.nix
+++ b/nix/configuration/hosts/hydra/disk-config.nix
@@ -0,0 +1,140 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "1MiB";
+              compression = "lz4";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+}
--- a/nix/configuration/hosts/hydra/hardware-configuration.nix
+++ b/nix/configuration/hosts/hydra/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.dhcpcd.enable = lib.mkForce true;
+  networking.useDHCP = lib.mkForce true;
+  networking.interfaces.enp0s2.useDHCP = lib.mkForce true;
+  # systemd.network.enable = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/nix/configuration/hosts/hydra/vm_disk.nix
+++ b/nix/configuration/hosts/hydra/vm_disk.nix
@@ -0,0 +1,77 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    vm_disk.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to mount the local disk for persistent storage.";
+    };
+  };
+
+  config = lib.mkIf config.me.vm_disk.enable (
+    lib.mkMerge [
+      {
+        # Mount the local disk
+        fileSystems = {
+          "/.disk" = lib.mkForce {
+            device = "/dev/nvme0n1p1";
+            fsType = "ext4";
+            options = [
+              "noatime"
+              "discard"
+            ];
+            neededForBoot = true;
+          };
+
+          "/persist" = {
+            fsType = "none";
+            device = "/.disk/persist";
+            options = [
+              "bind"
+              "rw"
+            ];
+            depends = [
+              "/.disk/persist"
+            ];
+          };
+
+          "/state" = {
+            fsType = "none";
+            device = "/.disk/state";
+            options = [
+              "bind"
+              "rw"
+            ];
+            depends = [
+              "/.disk/state"
+            ];
+          };
+
+          "/nix/store" = lib.mkForce {
+            fsType = "overlay";
+            device = "overlay";
+            options = [
+              "lowerdir=/nix/.ro-store"
+              "upperdir=/.disk/persist/store"
+              "workdir=/.disk/state/work"
+            ];
+            depends = [
+              "/nix/.ro-store"
+              "/.disk/persist/store"
+              "/.disk/state/work"
+            ];
+          };
+        };
+      }
+    ]
+  );
+}
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
+++ b/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET="ionlybootzfs"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs'
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=ionlybootzfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs'
--- a/nix/configuration/hosts/ionlybootzfs/ISO
+++ b/nix/configuration/hosts/ionlybootzfs/ISO
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/ionlybootzfs/default.nix
+++ b/nix/configuration/hosts/ionlybootzfs/default.nix
@@ -0,0 +1,63 @@
+#
+# Testing:
+# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
+#      -accel kvm \
+#      -cpu host \
+#      -smp cores=8 \
+#      -m 32768 \
+#      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
+#      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
+#      -device nvme,serial=deadbeef,drive=nvm \
+#      -nic user,hostfwd=tcp::60022-:22 \
+#      -boot order=d \
+#      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
+#      -display vnc=127.0.0.1:0
+#
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./wrapped-disk-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  networking.hostId = "fbd233d8";
+
+  networking.hostName = "ionlybootzfs"; # Define your hostname.
+
+  time.timeZone = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  me.secureBoot.enable = true;
+
+  me.optimizations = {
+    enable = false;
+    arch = "znver4";
+    system_features = [
+      "gccarch-znver4"
+      "gccarch-skylake"
+      # "gccarch-alderlake" missing WAITPKG
+      "gccarch-x86-64-v3"
+      "gccarch-x86-64-v4"
+      "benchmark"
+      "big-parallel"
+      "kvm"
+      "nixos-test"
+    ];
+  };
+
+  # Mount tmpfs at /tmp
+  boot.tmp.useTmpfs = true;
+
+  me.emacs_flavor = "plainmacs";
+  me.graphical = false;
+  me.wireguard.activated = [ ];
+  me.wireguard.deactivated = [ ];
+  me.zsh.enable = true;
+}
--- a/nix/configuration/hosts/ionlybootzfs/disk-config.nix
+++ b/nix/configuration/hosts/ionlybootzfs/disk-config.nix
@@ -0,0 +1,142 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}
--- a/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
+++ b/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.dhcpcd.enable = lib.mkForce true;
+  networking.useDHCP = lib.mkForce true;
+  # systemd.network.enable = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/nix/configuration/hosts/ionlybootzfs/optimized_build.nix
+++ b/nix/configuration/hosts/ionlybootzfs/optimized_build.nix
@@ -0,0 +1,131 @@
+{
+  config,
+  lib,
+  pkgs,
+  pkgs-unoptimized,
+  ...
+}:
+{
+  imports = [ ];
+
+  config = lib.mkMerge [
+    { }
+    (lib.mkIf (!config.me.optimizations.enable) {
+      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_14;
+    })
+    (lib.mkIf (config.me.optimizations.enable) {
+      nixpkgs.hostPlatform = {
+        gcc.arch = "znver4";
+        gcc.tune = "znver4";
+        system = "x86_64-linux";
+      };
+
+      nixpkgs.overlays = [
+        (
+          final: prev:
+          let
+            addConfig =
+              additionalConfig: pkg:
+              pkg.override (oldconfig: {
+                structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
+              });
+          in
+          {
+            linux_me = addConfig {
+              # Full preemption
+              PREEMPT = lib.mkOverride 60 lib.kernel.yes;
+              PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
+
+              # Google's BBRv3 TCP congestion Control
+              TCP_CONG_BBR = lib.kernel.yes;
+              DEFAULT_BBR = lib.kernel.yes;
+
+              # Preemptive Full Tickless Kernel at 300Hz
+              HZ = lib.kernel.freeform "300";
+              HZ_300 = lib.kernel.yes;
+              HZ_1000 = lib.kernel.no;
+            } prev.linux_6_14;
+            # gsl = prev.gsl.overrideAttrs (old: {
+            #   # gsl tests fails when optimizations are enabled.
+            #   # > FAIL: cholesky_invert unscaled hilbert (  4,  4)[0,2]: 2.55795384873636067e-13                        0
+            #   # >  (2.55795384873636067e-13 observed vs 0 expected) [28259614]
+            #   doCheck = false;
+            # });
+          }
+        )
+        (final: prev: {
+          haskellPackages = prev.haskellPackages.extend (
+            final': prev': {
+              inherit (pkgs-unoptimized.haskellPackages)
+                crypton
+                crypton-connection
+                crypton-x509
+                crypton-x509-store
+                crypton-x509-system
+                crypton-x509-validation
+                hspec-wai
+                http-client-tls
+                http2
+                pandoc
+                pandoc-cli
+                pandoc-lua-engine
+                pandoc-server
+                servant-server
+                tls
+                wai-app-static
+                wai-extra
+                warp
+                ;
+            }
+          );
+        })
+        (final: prev: {
+          inherit (pkgs-unoptimized)
+            gsl
+            redis
+            valkey
+            ;
+        })
+      ];
+
+      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
+    })
+    (lib.mkIf (!config.me.buildingIso) {
+      nix.settings.system-features = lib.mkForce [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+
+      # Keep ALL dependencies so we can rebuild offline. This DRASTICALLY increase disk usage, but disk space is cheap.
+      # system.includeBuildDependencies = true;
+
+      # This also should enable building offline? TODO: test.
+      nix.extraOptions = ''
+        keep-outputs = true
+        keep-derivations = true
+      '';
+
+      # # building ON
+      # nixpkgs.localSystem = { system = "aarch64-linux"; };
+      # # building FOR
+      # nixpkgs.crossSystem = { system = "aarch64-linux"; };
+
+      # nixpkgs.config = {
+      #   replaceStdenv = ({ pkgs }: pkgs.clangStdenv);
+      # };
+      # or maybe an overlay
+      # stdenv = prev.clangStdenv;
+
+    })
+    (lib.mkIf (config.me.buildingIso) {
+      boot.supportedFilesystems.zfs = true;
+    })
+  ];
+}
--- a/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
@@ -0,0 +1,8 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)
--- a/nix/configuration/hosts/neelix/DEPLOY_BOOT
+++ b/nix/configuration/hosts/neelix/DEPLOY_BOOT
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=neelix
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/neelix/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=neelix
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/default.nix
+++ b/nix/configuration/hosts/neelix/default.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    ./power_management.nix
+  ];
+
+  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  networking.hostId = "bca9d0a5";
+
+  networking.hostName = "neelix"; # Define your hostname.
+
+  time.timeZone = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  me.secureBoot.enable = false;
+
+  me.optimizations = {
+    enable = false;
+    arch = "alderlake";
+    system_features = [
+      "gccarch-alderlake"
+      "gccarch-x86-64-v3"
+      "gccarch-x86-64-v4"
+      "benchmark"
+      "big-parallel"
+      "kvm"
+      "nixos-test"
+    ];
+  };
+
+  # Early KMS
+  boot.initrd.kernelModules = [ "i915" ];
+
+  # Mount tmpfs at /tmp
+  # boot.tmp.useTmpfs = true;
+
+  me.bluetooth.enable = true;
+  me.emacs_flavor = "plainmacs";
+  me.graphical = true;
+  me.graphics_card_type = "intel";
+  me.kodi.enable = true;
+  me.lvfs.enable = true;
+  me.sound.enable = true;
+  me.wireguard.activated = [ "wgh" ];
+  me.wireguard.deactivated = [ "wgf" ];
+  me.zrepl.enable = true;
+  me.zsh.enable = true;
+
+}
--- a/nix/configuration/hosts/neelix/disk-config.nix
+++ b/nix/configuration/hosts/neelix/disk-config.nix
@@ -0,0 +1,140 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "1MiB";
+              compression = "lz4";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+}
--- a/nix/configuration/hosts/neelix/hardware-configuration.nix
+++ b/nix/configuration/hosts/neelix/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/nix/configuration/hosts/neelix/power_management.nix
+++ b/nix/configuration/hosts/neelix/power_management.nix
@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  environment.systemPackages = with pkgs; [
+    powertop
+  ];
+
+  # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+  # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+  boot.kernelParams = [
+    "pcie_aspm=force"
+    # "pcie_aspm.policy=powersupersave"
+    "nowatchdog"
+  ];
+
+  # default performance balance_performance balance_power power
+  # defaults to balance_performance
+  # systemd.tmpfiles.rules = [
+  #   "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+  #   "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+  #   "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+  #   "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+  # ];
+
+  boot.extraModprobeConfig = ''
+    options snd_hda_intel power_save=1
+  '';
+}
--- a/nix/configuration/hosts/odo/DEPLOY_BOOT
+++ b/nix/configuration/hosts/odo/DEPLOY_BOOT
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+# TARGET=10.216.1.15
+# TARGET=192.168.211.250
+TARGET=odo
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#odo'
--- a/nix/configuration/hosts/odo/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/odo/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=odo
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#odo'
--- a/nix/configuration/hosts/odo/ISO
+++ b/nix/configuration/hosts/odo/ISO
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.odo" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BOOT
+++ b/nix/configuration/hosts/odo/SELF_BOOT
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BUILD
+++ b/nix/configuration/hosts/odo/SELF_BUILD
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_SWITCH
+++ b/nix/configuration/hosts/odo/SELF_SWITCH
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/default.nix
+++ b/nix/configuration/hosts/odo/default.nix
@@ -0,0 +1,129 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+    ./screen_brightness.nix
+    ./wifi.nix
+    ./framework_module.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "908cbf04";
+
+    networking.hostName = "odo"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.secureBoot.enable = true;
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    environment.systemPackages = with pkgs; [
+      fw-ectool
+      framework-tool
+    ];
+
+    # Enable light sensor
+    # hardware.sensor.iio.enable = lib.mkDefault true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    me.alacritty.enable = true;
+    me.amd_s2idle.enable = true;
+    me.ansible.enable = true;
+    me.ares.enable = true;
+    me.bluetooth.enable = true;
+    me.chromecast.enable = true;
+    me.chromium.enable = true;
+    me.d2.enable = true;
+    me.direnv.enable = true;
+    me.docker.enable = false;
+    me.ecc.enable = false;
+    me.emacs_flavor = "full";
+    me.emulate_isa.enable = true;
+    me.firefox.enable = true;
+    me.flux.enable = true;
+    me.gcloud.enable = true;
+    me.git.config = ../../roles/git/files/gitconfig_home;
+    me.gnuplot.enable = true;
+    me.gpg.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "amd";
+    me.iso_mount.enable = true;
+    me.kanshi.enable = false;
+    me.kubernetes.enable = true;
+    me.latex.enable = true;
+    me.launch_keyboard.enable = true;
+    me.lvfs.enable = true;
+    me.media.enable = true;
+    me.nix_index.enable = true;
+    me.openpgp_card_tools.enable = true;
+    me.pcsx2.enable = true;
+    me.podman.enable = true;
+    me.python.enable = true;
+    me.qemu.enable = true;
+    me.rpcs3.enable = true;
+    me.rust.enable = true;
+    me.sequoia.enable = true;
+    me.shadps4.enable = true;
+    me.shikane.enable = true;
+    me.sops.enable = true;
+    me.sound.enable = true;
+    me.spaghettikart.enable = true;
+    me.steam.enable = true;
+    me.steam_run_free.enable = true;
+    me.sway.enable = true;
+    me.tekton.enable = true;
+    me.terraform.enable = true;
+    me.thunderbolt.enable = true;
+    me.uutils.enable = false;
+    me.vnc_client.enable = true;
+    me.vscode.enable = true;
+    me.wasm.enable = true;
+    me.waybar.enable = true;
+    me.wireguard.activated = [
+      "drmario"
+      "wgh"
+      "colo"
+    ];
+    me.wireguard.deactivated = [ "wgf" ];
+    me.yubikey.enable = true;
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+
+    me.sm64ex.enable = true;
+    me.shipwright.enable = true;
+    me.ship2harkinian.enable = true;
+  };
+}
--- a/nix/configuration/hosts/odo/disk-config.nix
+++ b/nix/configuration/hosts/odo/disk-config.nix
@@ -0,0 +1,142 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}
--- a/nix/configuration/hosts/odo/distributed_build.nix
+++ b/nix/configuration/hosts/odo/distributed_build.nix
@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [ ];
+
+  config = lib.mkMerge [
+    {
+      me.distributed_build.enable = true;
+      me.distributed_build.machines.hydra = {
+        enable = true;
+        additional_config = {
+          speedFactor = 2;
+        };
+      };
+      me.distributed_build.machines.quark = {
+        enable = true;
+        additional_config = {
+          speedFactor = 2;
+        };
+      };
+    }
+  ];
+}
--- a/nix/configuration/hosts/odo/framework_module.nix
+++ b/nix/configuration/hosts/odo/framework_module.nix
@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = lib.mkMerge [
+    {
+      boot.extraModulePackages = with config.boot.kernelPackages; [
+        framework-laptop-kmod
+      ];
+      # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage
+      boot.kernelModules = [
+        "cros_ec"
+        "cros_ec_lpcs"
+      ];
+    }
+  ];
+}
--- a/nix/configuration/hosts/odo/hardware-configuration.nix
+++ b/nix/configuration/hosts/odo/hardware-configuration.nix
@@ -0,0 +1,36 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/nix/configuration/hosts/odo/power_management.nix
+++ b/nix/configuration/hosts/odo/power_management.nix
@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  environment.systemPackages = with pkgs; [
+    powertop
+  ];
+
+  # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
+  # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+  # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+  # amd_pstate=passive :: Fully automated hardware pstate control.
+  # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
+  # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
+  # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+  boot.kernelParams = [
+    "amdgpu.abmlevel=2"
+    "pcie_aspm=force"
+    # "pcie_aspm.policy=powersupersave"
+    "nowatchdog"
+    # I don't see a measurable benefit from these two:
+    # "cpufreq.default_governor=powersave"
+    # "initcall_blacklist=cpufreq_gov_userspace_init"
+  ];
+
+  systemd.tmpfiles.rules = [
+    "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+    "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+    "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+  ];
+
+  boot.extraModprobeConfig = ''
+    # Disable the hardware watchdog inside AMD 700 chipset series for power savings.
+    blacklist sp5100_tco
+
+    # Sound power-saving was causing chat notifications to be inaudible.
+    # options snd_hda_intel power_save=1
+  '';
+}
--- a/nix/configuration/hosts/odo/screen_brightness.nix
+++ b/nix/configuration/hosts/odo/screen_brightness.nix
@@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  systemd.tmpfiles.rules = [
+    "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 21845"
+  ];
+}
--- a/nix/configuration/hosts/odo/wifi.nix
+++ b/nix/configuration/hosts/odo/wifi.nix
@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # Doesn't seem necessary starting with 6.13
+    # environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
+    #   doas iw dev wlan0 set power_save off
+    # '';
+
+    # Enable debug logging for ath12k wifi card.
+    boot.kernelParams = [
+      "ath12k.debug_mask=0xffffffff"
+    ];
+  };
+}
--- a/nix/configuration/hosts/odo/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/odo/wrapped-disk-config.nix
@@ -0,0 +1,8 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)
--- a/nix/configuration/hosts/quark/DEPLOY_BOOT
+++ b/nix/configuration/hosts/quark/DEPLOY_BOOT
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.15
+# TARGET=192.168.211.250
+TARGET=quark
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#quark'
--- a/nix/configuration/hosts/quark/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/quark/DEPLOY_SWITCH
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=quark
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#quark'
--- a/nix/configuration/hosts/quark/ISO
+++ b/nix/configuration/hosts/quark/ISO
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.quark" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BOOT
+++ b/nix/configuration/hosts/quark/SELF_BOOT
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BUILD
+++ b/nix/configuration/hosts/quark/SELF_BUILD
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_SWITCH
+++ b/nix/configuration/hosts/quark/SELF_SWITCH
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/default.nix
+++ b/nix/configuration/hosts/quark/default.nix
@@ -0,0 +1,123 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./disk-config.nix
+    ./distributed_build.nix
+    ./hardware-configuration.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "47ee7d7c";
+
+    networking.hostName = "quark"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.secureBoot.enable = true;
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-znver5"
+        "gccarch-skylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # RPCS3 has difficulty with znver5
+    me.rpcs3.config.Core."Use LLVM CPU" = "znver4";
+
+    me.alacritty.enable = true;
+    me.amd_s2idle.enable = true;
+    me.ansible.enable = true;
+    me.ares.enable = true;
+    me.bluetooth.enable = true;
+    me.chromecast.enable = true;
+    me.chromium.enable = true;
+    me.d2.enable = true;
+    me.direnv.enable = true;
+    me.docker.enable = false;
+    me.ecc.enable = true;
+    me.emacs_flavor = "full";
+    me.emulate_isa.enable = true;
+    me.firefox.enable = true;
+    me.flux.enable = true;
+    me.gcloud.enable = true;
+    me.git.config = ../../roles/git/files/gitconfig_home;
+    me.gnuplot.enable = true;
+    me.gpg.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "amd";
+    me.iso_mount.enable = true;
+    me.kanshi.enable = false;
+    me.kubernetes.enable = true;
+    me.latex.enable = true;
+    me.launch_keyboard.enable = true;
+    me.lvfs.enable = true;
+    me.media.enable = true;
+    me.nix_index.enable = true;
+    me.nix_worker.enable = true;
+    me.openpgp_card_tools.enable = true;
+    me.pcsx2.enable = true;
+    me.podman.enable = true;
+    me.python.enable = true;
+    me.qemu.enable = true;
+    me.rpcs3.enable = true;
+    me.rust.enable = true;
+    me.sequoia.enable = true;
+    me.shadps4.enable = true;
+    me.shikane.enable = true;
+    me.sops.enable = true;
+    me.sound.enable = true;
+    me.spaghettikart.enable = true;
+    me.steam.enable = true;
+    me.steam_run_free.enable = true;
+    me.sway.enable = true;
+    me.tekton.enable = true;
+    me.terraform.enable = true;
+    me.thunderbolt.enable = true;
+    me.uutils.enable = false;
+    me.vnc_client.enable = true;
+    me.vscode.enable = true;
+    me.wasm.enable = true;
+    me.waybar.enable = true;
+    me.wireguard.activated = [
+      "drmario"
+      "wgh"
+      "colo"
+    ];
+    me.wireguard.deactivated = [ "wgf" ];
+    me.yubikey.enable = true;
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+
+    me.sm64ex.enable = true;
+    me.shipwright.enable = true;
+    me.ship2harkinian.enable = true;
+  };
+}
--- a/nix/configuration/hosts/quark/disk-config.nix
+++ b/nix/configuration/hosts/quark/disk-config.nix
@@ -0,0 +1,148 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}
--- a/nix/configuration/hosts/quark/distributed_build.nix
+++ b/nix/configuration/hosts/quark/distributed_build.nix
@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [ ];
+
+  config = lib.mkMerge [
+    {
+      me.distributed_build.enable = true;
+      me.distributed_build.machines.hydra = {
+        enable = true;
+        additional_config = {
+          speedFactor = 2;
+        };
+      };
+    }
+  ];
+}
--- a/nix/configuration/hosts/quark/hardware-configuration.nix
+++ b/nix/configuration/hosts/quark/hardware-configuration.nix
@@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/nix/configuration/hosts/quark/power_management.nix
+++ b/nix/configuration/hosts/quark/power_management.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  environment.systemPackages = with pkgs; [
+    powertop
+  ];
+
+  boot.kernelParams = [
+    # Enable undervolting GPU.
+    # "amdgpu.ppfeaturemask=0xfff7ffff"
+  ];
+
+  systemd.tmpfiles.rules = [
+    # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+  ];
+
+  # services.udev.packages = [
+  #   (pkgs.writeTextFile {
+  #     name = "amdgpu-low-power";
+  #     text = ''
+  #       ACTION=="add", SUBSYSTEM=="drm", DRIVERS=="amdgpu", ATTR{device/power_dpm_force_performance_level}="low"
+  #     '';
+  #     destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules";
+  #   })
+  # ];
+}
--- a/nix/configuration/roles/2ship2harkinian/default.nix
+++ b/nix/configuration/roles/2ship2harkinian/default.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ship2harkinian.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install 2ship2harkinian.";
+    };
+  };
+
+  config = lib.mkIf config.me.ship2harkinian.enable (
+    lib.mkMerge [
+      {
+        allowedUnfree = [ "2ship2harkinian" ];
+      }
+      (lib.mkIf config.me.graphical {
+        environment.systemPackages = with pkgs; [
+          _2ship2harkinian
+        ];
+
+        # TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".local/share/2ship";
+                user = "talexander";
+                group = "talexander";
+                mode = "0755";
+              }
+            ];
+          };
+        };
+      })
+    ]
+  );
+}
--- a/nix/configuration/roles/alacritty/default.nix
+++ b/nix/configuration/roles/alacritty/default.nix
@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+  options.me = {
+    alacritty.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install alacritty.";
+    };
+  };
+
+  config = lib.mkIf config.me.alacritty.enable (
+    lib.mkMerge [
+      (lib.mkIf config.me.graphical {
+        environment.systemPackages = with pkgs; [
+          alacritty
+          xdg-utils # for xdg-open
+        ];
+
+        me.install.user.talexander.file = {
+          ".config/alacritty/alacritty.toml" = {
+            source = ./files/alacritty.toml;
+          };
+        };
+      })
+    ]
+  );
+
+}
--- a/nix/configuration/roles/alacritty/files/alacritty.toml
+++ b/nix/configuration/roles/alacritty/files/alacritty.toml
@@ -0,0 +1,44 @@
+[colors]
+draw_bold_text_with_bright_colors = true
+indexed_colors = []
+
+[colors.bright]
+black = "0x666666"
+blue = "0x7aa6da"
+cyan = "0x54ced6"
+green = "0x9ec400"
+magenta = "0xb77ee0"
+red = "0xff3334"
+white = "0xffffff"
+yellow = "0xe7c547"
+
+[colors.normal]
+black = "0x000000"
+blue = "0x7aa6da"
+cyan = "0x70c0ba"
+green = "0xb9ca4a"
+magenta = "0xc397d8"
+red = "0xd54e53"
+white = "0xeaeaea"
+yellow = "0xe6c547"
+
+[colors.primary]
+background = "0x000000"
+foreground = "0xeaeaea"
+
+[font]
+size = 11.0
+
+[[hints.enabled]]
+command = "xdg-open"
+post_processing = true
+regex = "(ipfs:|ipns:|magnet:|mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)[^\u0000-\u001F\u007F-<>\"\\s{-}\\^⟨⟩`]+"
+
+[hints.enabled.mouse]
+enabled = false
+mods = "None"
+
+[scrolling]
+history = 10000
+# Lines moved per scroll.
+multiplier = 3
--- a/nix/configuration/roles/amd_s2idle/cysystemd.nix
+++ b/nix/configuration/roles/amd_s2idle/cysystemd.nix
@@ -0,0 +1,48 @@
+{
+  lib,
+  pkgs,
+  buildPythonPackage,
+  fetchFromGitHub,
+  pythonOlder,
+  cython,
+  pkg-config,
+  setuptools,
+}:
+
+let
+  version = "1.6.3";
+in
+buildPythonPackage {
+  pname = "cysystemd";
+  inherit version;
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "mosquito";
+    repo = "cysystemd";
+    tag = version;
+    hash = "sha256-xumrQgoKfFeKdRQUIYXXiXEcNd76i4wo/EIDm8BN7oU=";
+  };
+
+  disabled = pythonOlder "3.6";
+
+  build-system = [
+    setuptools
+    cython
+  ];
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [ pkgs.systemd ];
+
+  pythonImportsCheck = [ "cysystemd" ];
+
+  meta = {
+    description = "systemd wrapper on Cython";
+    homepage = "https://github.com/mosquito/cysystemd";
+    license = lib.licenses.asl20;
+    platforms = lib.platforms.linux;
+  };
+}
--- a/nix/configuration/roles/amd_s2idle/default.nix
+++ b/nix/configuration/roles/amd_s2idle/default.nix
@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    amd_s2idle.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install amd_s2idle.";
+    };
+  };
+
+  config = lib.mkIf config.me.amd_s2idle.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          amd-debug-tools
+        ];
+        nixpkgs.overlays = [
+          (
+            final: prev:
+            let
+              innerPackage = (final.callPackage ./package.nix { });
+            in
+            {
+              amd-debug-tools = innerPackage;
+            }
+          )
+          (final: prev: {
+            pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+              (python-final: python-prev: {
+                cysystemd = (python-final.callPackage ./cysystemd.nix { });
+              })
+            ];
+          })
+        ];
+      }
+    ]
+  );
+}
--- a/nix/configuration/roles/amd_s2idle/package.nix
+++ b/nix/configuration/roles/amd_s2idle/package.nix
@@ -0,0 +1,60 @@
+{
+  lib,
+  fetchgit,
+  python3Packages,
+  acpica-tools,
+  ethtool,
+  libdisplay-info,
+}:
+
+let
+  version = "0.2.8";
+in
+python3Packages.buildPythonApplication {
+  pname = "amd-debug-tools";
+  inherit version;
+  pyproject = true;
+
+  build-system = with python3Packages; [
+    pyudev
+    setuptools
+    setuptools-git
+    setuptools-git-versioning
+  ];
+  dependencies = with python3Packages; [
+    acpica-tools
+    cysystemd
+    dbus-fast
+    ethtool
+    jinja2
+    libdisplay-info
+    matplotlib
+    pandas
+    pyudev
+    seaborn
+    tabulate
+  ];
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git";
+    tag = version;
+    hash = "sha256-EmXsW7Q5WMFL32LWr29W3GnGpw5aj53wlp9KbFV1r0Q=";
+    leaveDotGit = true;
+  };
+
+  disabled = python3Packages.pythonOlder "3.7";
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace-fail ', "setuptools-git-versioning>=2.0,<3"' ""
+  '';
+
+  pythonImportsCheck = [ "amd_debug" ];
+
+  meta = {
+    description = "Debug tools for AMD zen systems";
+    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git/";
+    changelog = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git/tag/?h=${version}";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.linux;
+  };
+}
--- a/nix/configuration/roles/ansible/default.nix
+++ b/nix/configuration/roles/ansible/default.nix
@@ -0,0 +1,89 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ansible.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install ansible.";
+    };
+  };
+
+  config = lib.mkIf config.me.ansible.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          ansible
+        ];
+
+        nixpkgs.overlays = [
+          (final: prev: {
+            ansible-sshjail = (final.callPackage ./package/ansible-sshjail/package.nix { });
+          })
+          (final: prev: {
+            ansible = pkgs.symlinkJoin {
+              name = "ansible";
+              paths = [
+                (prev.ansible.overridePythonAttrs {
+                  propagatedBuildInputs = prev.ansible.propagatedBuildInputs ++ [ prev.python3Packages.jmespath ];
+                })
+                pkgs.ansible-sshjail
+              ];
+              buildInputs = [ pkgs.makeWrapper ];
+
+              postBuild = ''
+                ${lib.concatMapStringsSep "\n"
+                  (
+                    prog:
+                    (
+                      "wrapProgram $out/bin/${prog} ${
+                        lib.concatMapStringsSep " "
+                          (
+                            plugin_type:
+                            "--set ANSIBLE_${lib.toUpper plugin_type}_PLUGINS $out/share/ansible/plugins/${lib.toLower plugin_type}_plugins"
+                          )
+                          [
+                            "action"
+                            "cache"
+                            "callback"
+                            "connection"
+                            "filter"
+                            "inventory"
+                            "lookup"
+                            "shell"
+                            "strategy"
+                            "test"
+                            "vars"
+                          ]
+                      } --prefix PATH : ${lib.makeBinPath [ ]}"
+                    )
+                  )
+                  [
+                    "ansible"
+                    "ansible-config"
+                    "ansible-console"
+                    "ansible-doc"
+                    "ansible-galaxy"
+                    "ansible-inventory"
+                    "ansible-playbook"
+                    "ansible-pull"
+                    "ansible-test"
+                    "ansible-vault"
+                  ]
+                }
+              '';
+            };
+          })
+        ];
+      }
+    ]
+  );
+}
--- a/nix/configuration/roles/ansible/package/ansible-sshjail/package.nix
+++ b/nix/configuration/roles/ansible/package/ansible-sshjail/package.nix
@@ -0,0 +1,33 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  stdenv,
+  fetchgit,
+  ...
+}:
+stdenv.mkDerivation {
+  name = "ansible-sshjail";
+  src = fetchgit {
+    url = "https://github.com/austinhyde/ansible-sshjail.git";
+    rev = "a7b0076fdb680b915d35efafd1382919100532b6";
+    sha256 = "sha256-4QX/017fDRzb363NexgvHZ/VFKXOjRgGPDKKygyUylM=";
+  };
+  phases = [
+    "installPhase"
+  ];
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share/ansible/plugins/connection_plugins
+    cp $src/sshjail.py $out/share/ansible/plugins/connection_plugins/
+
+    runHook postInstall
+  '';
+}
--- a/nix/configuration/roles/ares/default.nix
+++ b/nix/configuration/roles/ares/default.nix
@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ares.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install ares.";
+    };
+  };
+
+  config = lib.mkIf config.me.ares.enable (
+    lib.mkMerge [
+      { }
+      (lib.mkIf config.me.graphical {
+        environment.systemPackages = with pkgs; [
+          ares
+        ];
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".local/share/ares";
+                user = "talexander";
+                group = "talexander";
+                mode = "0755";
+              }
+            ];
+          };
+        };
+      })
+    ]
+  );
+}
--- a/nix/configuration/roles/blank/default.nix
+++ b/nix/configuration/roles/blank/default.nix
@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    blank.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install blank.";
+    };
+  };
+
+  config = lib.mkIf config.me.blank.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+        ];
+      }
+      (lib.mkIf config.me.graphical {
+      })
+    ]
+  );
+}
--- a/nix/configuration/roles/bluetooth/default.nix
+++ b/nix/configuration/roles/bluetooth/default.nix
@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    bluetooth.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install bluetooth.";
+    };
+  };
+
+  config = lib.mkIf config.me.bluetooth.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+        ];
+
+        hardware.bluetooth = {
+          enable = true;
+          powerOnBoot = true;
+          settings = {
+            General = {
+              # Enable support for showing battery charge level.
+              Experimental = true;
+            };
+          };
+        };
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          directories = [
+            "/var/lib/bluetooth" # Bluetooth pairing information.
+          ];
+        };
+      }
+    ]
+  );
+}
--- a/nix/configuration/roles/boot/default.nix
+++ b/nix/configuration/roles/boot/default.nix
@@ -0,0 +1,104 @@
+# ISO does not work with systemd initrd yet https://github.com/NixOS/nixpkgs/pull/291750
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options = {
+    me.secureBoot = {
+      enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Enable to use secure boot.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      environment.systemPackages = with pkgs; [
+        tpm2-tools # For tpm2_eventlog to check for OptionRoms
+        # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
+        # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
+        sbctl # For debugging and troubleshooting Secure Boot.
+      ];
+    }
+    (lib.mkIf (!config.me.buildingIso) {
+
+      boot.loader.grub.enable = false;
+      # Use the systemd-boot EFI boot loader.
+      boot.loader.systemd-boot.enable = true;
+      # TODO: make not write bootx64.efi
+      boot.loader.efi.canTouchEfiVariables = false;
+
+      # Automatically delete old generations
+      boot.loader.systemd-boot.configurationLimit = 3;
+
+      boot.loader.systemd-boot.memtest86.enable = true;
+
+      # Check what will be lost with `zfs diff zroot/linux/root@blank`
+      boot.initrd.systemd.enable = lib.mkDefault true;
+      boot.initrd.systemd.services.zfs-rollback = {
+        description = "Rollback ZFS root dataset to blank snapshot";
+        wantedBy = [
+          "initrd.target"
+        ];
+        after = [
+          "zfs-import-zroot.service"
+        ];
+        before = [
+          "sysroot.mount"
+        ];
+        path = with pkgs; [
+          zfs
+        ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig.Type = "oneshot";
+        script = ''
+          zfs rollback -r zroot/linux/nix/root@blank
+          zfs rollback -r zroot/linux/nix/home@blank
+          echo "rollback complete"
+        '';
+      };
+
+      # boot.loader.systemd-boot.extraEntries = {
+      #   "windows.conf" = ''
+      #     title Windows
+      #     efi /EFI/Microsoft/Boot/bootmgfw.efi
+      #     options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa
+      #   '';
+      # };
+      environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+        hideMounts = true;
+        directories = [
+          "/var/lib/sbctl" # Secure Boot Keys
+        ];
+      };
+    })
+    (lib.mkIf (config.me.secureBoot.enable) {
+      environment.systemPackages = with pkgs; [
+        sbctl
+      ];
+      boot.loader.systemd-boot.enable = lib.mkForce false;
+      boot.lanzaboote = {
+        enable = true;
+        pkiBundle = "/var/lib/sbctl";
+      };
+    })
+  ];
+}
+# efibootmgr -c -d /dev/sda -p 1 -L NixOS-boot -l '\EFI\NixOS-boot\grubx64.efi'
+
+# Text-only:
+# sudo cp "$(nix-build '<nixpkgs>' --no-out-link -A 'refind')/share/refind/refind_x64.efi" /boot/EFI/boot/bootx64.efi
+
+# Full graphics:
+# $ sudo nix-shell -p refind efibootmgr
+# $ refind-install
--- a/nix/configuration/roles/chromecast/default.nix
+++ b/nix/configuration/roles/chromecast/default.nix
@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    chromecast.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install chromecast.";
+    };
+  };
+
+  config = lib.mkIf config.me.chromecast.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          catt
+        ];
+      }
+      (lib.mkIf config.me.graphical {
+      })
+    ]
+  );
+}
--- a/nix/configuration/roles/chromium/default.nix
+++ b/nix/configuration/roles/chromium/default.nix
@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    chromium.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install chromium.";
+    };
+  };
+
+  config = lib.mkIf config.me.chromium.enable (
+    lib.mkMerge [
+      { }
+      (lib.mkIf config.me.graphical {
+        environment.systemPackages = with pkgs; [
+          chromium
+        ];
+        allowedUnfree = [
+          "chromium"
+          "chromium-unwrapped"
+          "widevine-cdm"
+        ];
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".config/chromium";
+                user = "talexander";
+                group = "talexander";
+                mode = "0700";
+              }
+            ];
+          };
+        };
+        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".cache/chromium";
+                user = "talexander";
+                group = "talexander";
+                mode = "0700";
+              }
+            ];
+          };
+        };
+
+        nixpkgs.overlays = [
+          (final: prev: {
+            chromium = prev.chromium.override {
+              enableWideVine = true;
+              commandLineArgs = [
+                "--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder"
+                # Enabling vulkan causes video to render as white
+                # "--enable-features=Vulkan";
+              ];
+            };
+          })
+        ];
+      })
+    ]
+  );
+}
--- a/nix/configuration/roles/d2/default.nix
+++ b/nix/configuration/roles/d2/default.nix
@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    d2.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install d2.";
+    };
+  };
+
+  config = lib.mkIf config.me.d2.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          d2
+        ];
+      }
+    ]
+  );
+}
--- a/nix/configuration/roles/direnv/default.nix
+++ b/nix/configuration/roles/direnv/default.nix
@@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  direnv_zsh_hook = pkgs.writeTextFile {
+    name = "direnv_zsh_hook.zsh";
+    text = ''
+      eval "$(direnv hook zsh)"
+    '';
+  };
+in
+{
+  imports = [ ];
+
+  options.me = {
+    direnv.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install direnv.";
+    };
+  };
+
+  config = lib.mkIf config.me.direnv.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          direnv
+          nix-direnv
+        ];
+
+        me.zsh.includes = [ direnv_zsh_hook ];
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                # List of allowed directories from `direnv allow`.
+                directory = ".local/share/direnv";
+                user = "talexander";
+                group = "talexander";
+                mode = "0755";
+              }
+            ];
+          };
+        };
+      }
+    ]
+  );
+}
--- a/nix/configuration/roles/distributed_build/default.nix
+++ b/nix/configuration/roles/distributed_build/default.nix
@@ -0,0 +1,110 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  make_machine_config = name: {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to use the ${name} machine during distributed builds.";
+    };
+
+    additional_config = lib.mkOption {
+      type = lib.types.attrs;
+      default = { };
+      example = lib.literalExpression {
+        speedFactor = 2;
+      };
+      description = "Additional config values for the buildMachines entry. For example, speedFactor.";
+    };
+  };
+in
+{
+  imports = [ ];
+
+  options.me = {
+    distributed_build.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to use multiple machines to perform a nixos-rebuild.";
+    };
+
+    distributed_build.machines.hydra = make_machine_config "hydra";
+    distributed_build.machines.quark = make_machine_config "quark";
+  };
+
+  config = lib.mkIf config.me.distributed_build.enable (
+    lib.mkMerge [
+      {
+        nix.distributedBuilds = true;
+      }
+      (lib.mkIf config.me.distributed_build.machines.hydra.enable {
+        nix.buildMachines = [
+          (
+            {
+              hostName = "hydra";
+              sshUser = "nixworker";
+              # sshKey = "";
+              # publicHostKey = "";
+              systems = [
+                "x86_64-linux"
+                # "aarch64-linux"
+              ];
+              maxJobs = 1;
+              supportedFeatures = [
+                "nixos-test"
+                "benchmark"
+                "big-parallel"
+                # "kvm"
+                "gccarch-x86-64-v3"
+                "gccarch-x86-64-v4"
+                "gccarch-skylake"
+                "gccarch-znver4"
+              ];
+            }
+            // config.me.distributed_build.machines.hydra.additional_config
+          )
+        ];
+      })
+      (lib.mkIf config.me.distributed_build.machines.quark.enable {
+        nix.buildMachines = [
+          (
+            {
+              hostName = "quark";
+              sshUser = "nixworker";
+              sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
+              # From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
+              publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUx0alplYlVYTkRkU3Y1enVGbjM3eFNMZUN3S2hPKzFMdWovM2FYNFJRTEEgcm9vdEBxdWFyawo=";
+              systems = [
+                "x86_64-linux"
+                # "aarch64-linux"
+              ];
+              maxJobs = 1;
+              supportedFeatures = [
+                "gccarch-armv6"
+                "gccarch-aarch64"
+                "gccarch-riscv64"
+                "nixos-test"
+                "benchmark"
+                "big-parallel"
+                "kvm"
+                "gccarch-x86-64-v3"
+                "gccarch-x86-64-v4"
+                "gccarch-skylake"
+                "gccarch-znver4"
+                "gccarch-znver5"
+              ];
+            }
+            // config.me.distributed_build.machines.quark.additional_config
+          )
+        ];
+      })
+    ]
+  );
+}
--- a/nix/configuration/roles/docker/default.nix
+++ b/nix/configuration/roles/docker/default.nix
@@ -0,0 +1,98 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    docker.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install docker.";
+    };
+  };
+
+  config = lib.mkIf config.me.docker.enable (
+    lib.mkMerge [
+      {
+        assertions = [
+          {
+            assertion = !config.me.podman.enable;
+            message = "docker conflicts with podman";
+          }
+        ];
+      }
+      {
+        virtualisation.docker.enable = true;
+        # Use docker activation
+        virtualisation.docker.enableOnBoot = false;
+        # Rootless docker breaks access to ssh for buildkit.
+        # virtualisation.docker.rootless = {
+        #   enable = true;
+        #   setSocketVariable = true;
+        # };
+        # Give docker access to ssh for fetching repos with buildkit.
+        virtualisation.docker.extraPackages = [ pkgs.openssh ];
+        environment.systemPackages = with pkgs; [
+          docker-buildx
+        ];
+
+        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          directories = [
+            {
+              directory = "/var/lib/docker";
+              user = "root";
+              group = "root";
+              mode = "0740";
+            }
+          ];
+          # users.talexander = {
+          #   directories = [
+          #     {
+          #       directory = ".local/share/docker";
+          #       user = "talexander";
+          #       group = "talexander";
+          #       mode = "0740";
+          #     }
+          #   ];
+          # };
+        };
+
+        systemd.services.link-docker-creds = {
+          # Contains credentials so it cannot be added to the nix store
+          enable = true;
+          description = "link-docker-creds";
+          wantedBy = [ "multi-user.target" ];
+          wants = [ "multi-user.target" ];
+          after = [ "multi-user.target" ];
+          # path = with pkgs; [
+          #   zfs
+          # ];
+          unitConfig.DefaultDependencies = "no";
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = "yes";
+          };
+          script = ''
+            if [ -e /persist/manual/docker/config.json ]; then
+              install --directory --owner talexander --group talexander --mode 0700 /home/talexander/.docker
+              ln -s /persist/manual/docker/config.json /home/talexander/.docker/config.json
+            fi
+          '';
+          preStop = ''
+            rm -f /home/talexander/.docker/config.json
+          '';
+        };
+
+        # Needed for non-rootless docker
+        users.users.talexander.extraGroups = [ "docker" ];
+      }
+    ]
+  );
+}
--- a/nix/configuration/roles/ecc/default.nix
+++ b/nix/configuration/roles/ecc/default.nix
@@ -0,0 +1,28 @@
+# Check memory errors with: ras-mc-ctl --error-count
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ecc.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install ecc.";
+    };
+  };
+
+  config = lib.mkIf config.me.ecc.enable (
+    lib.mkMerge [
+      {
+        hardware.rasdaemon.enable = true;
+      }
+    ]
+  );
+}
--- a/Show More
+++ b/Show More