Add a build for the yubikey management raspberry pi image.

Move ansible-sshjail and zsh-histdb into my config instead of living as separate flakes.
Support running arm code on x86.
2025-10-08 21:24:44 -04:00 · 2025-10-05 21:37:57 -04:00 · 2025-10-05 20:43:04 -04:00 · 2025-10-05 20:04:03 -04:00 · 2025-10-05 15:17:34 -04:00 · 2025-10-05 14:55:42 -04:00
79 changed files with 2050 additions and 598 deletions
--- a/ansible/roles/sshd/files/keys/yubikey.pub
+++ b/ansible/roles/sshd/files/keys/yubikey.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -22,6 +22,7 @@
    ./roles/docker
    ./roles/ecc
    ./roles/emacs
    ./roles/emulate_isa
    ./roles/firefox
    ./roles/firewall
    ./roles/flux
@@ -47,6 +48,7 @@
    ./roles/nix_index
    ./roles/nix_worker
    ./roles/nvme
    ./roles/openpgp_card_tools
    ./roles/optimized_build
    ./roles/pcsx2
    ./roles/podman
@@ -55,6 +57,7 @@
    ./roles/reset
    ./roles/rpcs3
    ./roles/rust
    ./roles/sequoia
    ./roles/shadps4
    ./roles/shikane
    ./roles/shipwright
@@ -69,11 +72,13 @@
    ./roles/tekton
    ./roles/terraform
    ./roles/thunderbolt
    ./roles/uutils
    ./roles/vnc_client
    ./roles/vscode
    ./roles/wasm
    ./roles/waybar
    ./roles/wireguard
    ./roles/yubikey
    ./roles/zfs
    ./roles/zrepl
    ./roles/zsh
@@ -97,6 +102,7 @@
  nix.extraOptions = ''
    keep-outputs = true
    keep-derivations = true
    substitute = false
  '';
  # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
@@ -120,7 +126,7 @@
    # Generate with `mkpasswd -m scrypt`
    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
    ];
@@ -137,6 +143,7 @@
    options = "--delete-older-than 30d";
  };
  nix.settings.auto-optimise-store = !config.me.buildingIso;
  nix.settings.substituters = lib.mkForce [ ];
  # Use doas instead of sudo
  security.doas.enable = true;
@@ -171,7 +178,7 @@
    nix-tree
    libarchive # bsdtar
    lsof
-    doas-sudo-shim # To support --use-remote-sudo for remote builds
+    doas-sudo-shim # To support --sudo for remote builds
    dmidecode # Read SMBIOS information.
    ipcalc
    gptfdisk # for cgdisk
--- a/nix/configuration/flake.lock
+++ b/nix/configuration/flake.lock
@@ -1,22 +1,5 @@
 {
  "nodes": {
    "ansible-sshjail": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "path": "flakes/ansible-sshjail",
        "type": "path"
      },
      "original": {
        "path": "flakes/ansible-sshjail",
        "type": "path"
      },
      "parent": []
    },
    "crane": {
      "locked": {
        "lastModified": 1731098351,
@@ -39,11 +22,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756733629,
+        "lastModified": 1758287904,
-        "narHash": "sha256-dwWGlDhcO5SMIvMSTB4mjQ5Pvo2vtxvpIknhVnSz2I8=",
+        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "a5c4f2ab72e3d1ab43e3e65aa421c6f2bd2e12a1",
+        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
        "type": "github"
      },
      "original": {
@@ -89,42 +72,6 @@
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@@ -190,11 +137,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1756787288,
+        "lastModified": 1759381078,
-        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
@@ -238,11 +185,11 @@
    },
    "nixpkgs-unoptimized": {
      "locked": {
-        "lastModified": 1756787288,
+        "lastModified": 1759381078,
-        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
@@ -281,14 +228,12 @@
    },
    "root": {
      "inputs": {
        "ansible-sshjail": "ansible-sshjail",
        "disko": "disko",
        "impermanence": "impermanence",
        "lanzaboote": "lanzaboote",
        "nixpkgs": "nixpkgs",
        "nixpkgs-dda3dcd3f": "nixpkgs-dda3dcd3f",
-        "nixpkgs-unoptimized": "nixpkgs-unoptimized",
+        "nixpkgs-unoptimized": "nixpkgs-unoptimized"
        "zsh-histdb": "zsh-histdb"
      }
    },
    "rust-overlay": {
@@ -311,53 +256,6 @@
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "zsh-histdb": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "path": "flakes/zsh-histdb",
        "type": "path"
      },
      "original": {
        "path": "flakes/zsh-histdb",
        "type": "path"
      },
      "parent": []
    }
  },
  "root": "root",
--- a/nix/configuration/flake.nix
+++ b/nix/configuration/flake.nix
@@ -31,8 +31,6 @@
 #
 # doas nix --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/odo/disk-config.nix
 # nix flake update zsh-histdb --flake .
 # nix flake update ansible-sshjail --flake .
 # for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 # nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#vm_ionlybootzfs"
 #
@@ -51,18 +49,6 @@
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    zsh-histdb = {
      url = "path:flakes/zsh-histdb";
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ansible-sshjail = {
      url = "path:flakes/ansible-sshjail";
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -77,8 +63,6 @@
      nixpkgs-dda3dcd3f,
      impermanence,
      lanzaboote,
      zsh-histdb,
      ansible-sshjail,
      ...
    }@inputs:
    let
@@ -98,12 +82,6 @@
          impermanence.nixosModules.impermanence
          lanzaboote.nixosModules.lanzaboote
          inputs.disko.nixosModules.disko
          {
            nixpkgs.overlays = [
              zsh-histdb.overlays.default
              ansible-sshjail.overlays.default
            ];
          }
          ./configuration.nix
        ];
      };
@@ -193,7 +171,7 @@
          };
          hydra =
            let
-              additional_iso_modules = additional_iso_modules ++ [
+              hydra_additional_iso_modules = additional_iso_modules ++ [
                {
                  me.optimizations.enable = true;
                }
@@ -206,13 +184,13 @@
                ];
              };
              iso = main // {
-                modules = main.modules ++ additional_iso_modules;
+                modules = main.modules ++ hydra_additional_iso_modules;
              };
              vm = main // {
                modules = main.modules ++ additional_vm_modules;
              };
              vm_iso = main // {
-                modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+                modules = main.modules ++ additional_vm_modules ++ hydra_additional_iso_modules;
              };
            };
          ionlybootzfs = rec {
--- a/nix/configuration/flakes/ansible-sshjail/flake.lock
+++ b/nix/configuration/flakes/ansible-sshjail/flake.lock
@@ -1,61 +0,0 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1735141468,
        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/configuration/flakes/ansible-sshjail/flake.nix
+++ b/nix/configuration/flakes/ansible-sshjail/flake.nix
@@ -1,34 +0,0 @@
 {
  description = "A slightly better history for zsh";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
  inputs.flake-utils.url = "github:numtide/flake-utils";
  outputs =
    {
      self,
      nixpkgs,
      flake-utils,
      ...
    }:
    let
      out =
        system:
        let
          pkgs = nixpkgs.legacyPackages.${system};
          # Maybe pkgs = import nixpkgs { inherit system; }; ?
          appliedOverlay = self.overlays.default pkgs pkgs;
        in
        {
          packages = rec {
            default = ansible-sshjail;
            ansible-sshjail = appliedOverlay.ansible-sshjail;
          };
        };
    in
    flake-utils.lib.eachDefaultSystem out
    // {
      overlays.default = final: prev: {
        ansible-sshjail = final.callPackage ./package.nix { };
      };
    };
 }
--- a/nix/configuration/flakes/zsh-histdb/flake.lock
+++ b/nix/configuration/flakes/zsh-histdb/flake.lock
@@ -1,61 +0,0 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1735141468,
        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/configuration/flakes/zsh-histdb/flake.nix
+++ b/nix/configuration/flakes/zsh-histdb/flake.nix
@@ -1,34 +0,0 @@
 {
  description = "A slightly better history for zsh";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
  inputs.flake-utils.url = "github:numtide/flake-utils";
  outputs =
    {
      self,
      nixpkgs,
      flake-utils,
      ...
    }:
    let
      out =
        system:
        let
          pkgs = nixpkgs.legacyPackages.${system};
          # Maybe pkgs = import nixpkgs { inherit system; }; ?
          appliedOverlay = self.overlays.default pkgs pkgs;
        in
        {
          packages = rec {
            default = zsh-histdb;
            zsh-histdb = appliedOverlay.zsh-histdb;
          };
        };
    in
    flake-utils.lib.eachDefaultSystem out
    // {
      overlays.default = final: prev: {
        zsh-histdb = final.callPackage ./package.nix { };
      };
    };
 }
--- a/nix/configuration/hosts/hydra/DEPLOY_BOOT
+++ b/nix/configuration/hosts/hydra/DEPLOY_BOOT
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=hydra
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#hydra'
--- a/nix/configuration/hosts/hydra/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/hydra/DEPLOY_SWITCH
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=hydra
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#hydra'
--- a/nix/configuration/hosts/hydra/ISO
+++ b/nix/configuration/hosts/hydra/ISO
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/VM_ISO
+++ b/nix/configuration/hosts/hydra/VM_ISO
@@ -0,0 +1,13 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#vm_iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 install -m 0644 result/iso/nixos-*-x86_64-linux.iso ~/hydra.iso
 unlink ./result
--- a/nix/configuration/hosts/hydra/default.nix
+++ b/nix/configuration/hosts/hydra/default.nix
@@ -24,7 +24,6 @@
  imports = [
    ./disk-config.nix
    ./hardware-configuration.nix
    ./optimized_build.nix
    ./vm_disk.nix
  ];
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
+++ b/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET="ionlybootzfs"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs'
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=ionlybootzfs
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs'
--- a/nix/configuration/hosts/ionlybootzfs/ISO
+++ b/nix/configuration/hosts/ionlybootzfs/ISO
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/neelix/DEPLOY_BOOT
+++ b/nix/configuration/hosts/neelix/DEPLOY_BOOT
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=neelix
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/neelix/DEPLOY_SWITCH
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=neelix
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/odo/DEPLOY_BOOT
+++ b/nix/configuration/hosts/odo/DEPLOY_BOOT
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=odo
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#odo'
--- a/nix/configuration/hosts/odo/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/odo/DEPLOY_SWITCH
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=odo
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#odo'
--- a/nix/configuration/hosts/odo/ISO
+++ b/nix/configuration/hosts/odo/ISO
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.odo" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BOOT
+++ b/nix/configuration/hosts/odo/SELF_BOOT
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BUILD
+++ b/nix/configuration/hosts/odo/SELF_BUILD
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_SWITCH
+++ b/nix/configuration/hosts/odo/SELF_SWITCH
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/default.nix
+++ b/nix/configuration/hosts/odo/default.nix
@@ -15,6 +15,7 @@
    ./framework_module.nix
  ];
  config = {
    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
    networking.hostId = "908cbf04";
@@ -70,6 +71,7 @@
    me.docker.enable = false;
    me.ecc.enable = false;
    me.emacs_flavor = "full";
    me.emulate_isa.enable = true;
    me.firefox.enable = true;
    me.flux.enable = true;
    me.gcloud.enable = true;
@@ -86,12 +88,14 @@
    me.lvfs.enable = true;
    me.media.enable = true;
    me.nix_index.enable = true;
    me.openpgp_card_tools.enable = true;
    me.pcsx2.enable = true;
    me.podman.enable = true;
    me.python.enable = true;
    me.qemu.enable = true;
    me.rpcs3.enable = true;
    me.rust.enable = true;
    me.sequoia.enable = true;
    me.shadps4.enable = true;
    me.shikane.enable = true;
    me.sops.enable = true;
@@ -103,6 +107,7 @@
    me.tekton.enable = true;
    me.terraform.enable = true;
    me.thunderbolt.enable = true;
    me.uutils.enable = false;
    me.vnc_client.enable = true;
    me.vscode.enable = true;
    me.wasm.enable = true;
@@ -113,10 +118,12 @@
      "colo"
    ];
    me.wireguard.deactivated = [ "wgf" ];
    me.yubikey.enable = true;
    me.zrepl.enable = true;
    me.zsh.enable = true;
    me.sm64ex.enable = true;
    me.shipwright.enable = true;
    me.ship2harkinian.enable = true;
  };
 }
--- a/nix/configuration/hosts/quark/DEPLOY_BOOT
+++ b/nix/configuration/hosts/quark/DEPLOY_BOOT
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=quark
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#quark'
--- a/nix/configuration/hosts/quark/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/quark/DEPLOY_SWITCH
@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=quark
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#quark'
--- a/nix/configuration/hosts/quark/ISO
+++ b/nix/configuration/hosts/quark/ISO
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.quark" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BOOT
+++ b/nix/configuration/hosts/quark/SELF_BOOT
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BUILD
+++ b/nix/configuration/hosts/quark/SELF_BUILD
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_SWITCH
+++ b/nix/configuration/hosts/quark/SELF_SWITCH
@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix flake update zsh-histdb --flake "$DIR/../../"
 nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/default.nix
+++ b/nix/configuration/hosts/quark/default.nix
@@ -10,7 +10,6 @@
    ./distributed_build.nix
    ./hardware-configuration.nix
    ./power_management.nix
    ./wifi.nix
  ];
  config = {
@@ -26,7 +25,7 @@
    me.optimizations = {
      enable = true;
-      arch = "znver5";
+      arch = "znver4";
      system_features = [
        "gccarch-znver4"
        "gccarch-znver5"
@@ -65,6 +64,7 @@
    me.docker.enable = false;
    me.ecc.enable = true;
    me.emacs_flavor = "full";
    me.emulate_isa.enable = true;
    me.firefox.enable = true;
    me.flux.enable = true;
    me.gcloud.enable = true;
@@ -82,12 +82,14 @@
    me.media.enable = true;
    me.nix_index.enable = true;
    me.nix_worker.enable = true;
    me.openpgp_card_tools.enable = true;
    me.pcsx2.enable = true;
    me.podman.enable = true;
    me.python.enable = true;
    me.qemu.enable = true;
    me.rpcs3.enable = true;
    me.rust.enable = true;
    me.sequoia.enable = true;
    me.shadps4.enable = true;
    me.shikane.enable = true;
    me.sops.enable = true;
@@ -99,6 +101,7 @@
    me.tekton.enable = true;
    me.terraform.enable = true;
    me.thunderbolt.enable = true;
    me.uutils.enable = false;
    me.vnc_client.enable = true;
    me.vscode.enable = true;
    me.wasm.enable = true;
@@ -109,6 +112,7 @@
      "colo"
    ];
    me.wireguard.deactivated = [ "wgf" ];
    me.yubikey.enable = true;
    me.zrepl.enable = true;
    me.zsh.enable = true;
--- a/nix/configuration/hosts/quark/wifi.nix
+++ b/nix/configuration/hosts/quark/wifi.nix
@@ -1,16 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  config = {
    environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
      doas iw dev wlan0 set power_save off
    '';
  };
 }
--- a/nix/configuration/roles/amd_s2idle/package.nix
+++ b/nix/configuration/roles/amd_s2idle/package.nix
@@ -8,7 +8,7 @@
 }:
 let
-  version = "0.2.7";
+  version = "0.2.8";
 in
 python3Packages.buildPythonApplication {
  pname = "amd-debug-tools";
@@ -16,27 +16,28 @@ python3Packages.buildPythonApplication {
  pyproject = true;
  build-system = with python3Packages; [
    setuptools
    setuptools-git-versioning
    setuptools-git
    pyudev
    setuptools
    setuptools-git
    setuptools-git-versioning
  ];
  dependencies = with python3Packages; [
    acpica-tools
    cysystemd
    dbus-fast
    ethtool
    jinja2
    libdisplay-info
    matplotlib
    pandas
    pyudev
    seaborn
    tabulate
    acpica-tools
    ethtool
    libdisplay-info
  ];
  src = fetchgit {
    url = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git";
    tag = version;
-    hash = "sha256-6X9cUKN0BkkKcYGU+YJYCGT+l5iUZDN+D8Fqq/ns98Q=";
+    hash = "sha256-EmXsW7Q5WMFL32LWr29W3GnGpw5aj53wlp9KbFV1r0Q=";
    leaveDotGit = true;
  };
@@ -52,6 +53,7 @@ python3Packages.buildPythonApplication {
  meta = {
    description = "Debug tools for AMD zen systems";
    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git/";
    changelog = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git/tag/?h=${version}";
    license = lib.licenses.mit;
    platforms = lib.platforms.linux;
  };
--- a/nix/configuration/roles/ansible/default.nix
+++ b/nix/configuration/roles/ansible/default.nix
@@ -25,6 +25,9 @@
        ];
        nixpkgs.overlays = [
          (final: prev: {
            ansible-sshjail = (final.callPackage ./package/ansible-sshjail/package.nix { });
          })
          (final: prev: {
            ansible = pkgs.symlinkJoin {
              name = "ansible";
--- a/nix/configuration/roles/ansible/package/ansible-sshjail/package.nix
+++ b/nix/configuration/roles/ansible/package/ansible-sshjail/package.nix
--- a/nix/configuration/roles/distributed_build/default.nix
+++ b/nix/configuration/roles/distributed_build/default.nix
@@ -58,12 +58,13 @@ in
              ];
              maxJobs = 1;
              supportedFeatures = [
-                # "nixos-test"
+                "nixos-test"
                "benchmark"
                "big-parallel"
                # "kvm"
                "gccarch-x86-64-v3"
                "gccarch-x86-64-v4"
                "gccarch-skylake"
                "gccarch-znver4"
              ];
            }
@@ -86,12 +87,16 @@ in
              ];
              maxJobs = 1;
              supportedFeatures = [
-                # "nixos-test"
+                "gccarch-armv6"
                "gccarch-aarch64"
                "gccarch-riscv64"
                "nixos-test"
                "benchmark"
                "big-parallel"
-                # "kvm"
+                "kvm"
                "gccarch-x86-64-v3"
                "gccarch-x86-64-v4"
                "gccarch-skylake"
                "gccarch-znver4"
                "gccarch-znver5"
              ];
--- a/nix/configuration/roles/emacs/files/emacs/elisp/base.el
+++ b/nix/configuration/roles/emacs/files/emacs/elisp/base.el
@@ -7,10 +7,12 @@
 (use-package auto-package-update
  :ensure t
  :custom
  (auto-package-update-interval 14)
  (auto-package-update-delete-old-versions t)
  :config
-   (setq auto-package-update-delete-old-versions t
+  (auto-package-update-maybe)
-         auto-package-update-interval 14)
+  )
   (auto-package-update-maybe))
 (defun assert-directory (p)
  (unless (file-exists-p p) (make-directory p t))
@@ -110,9 +112,6 @@
 ;; (setq-default fringes-outside-margins t)
 ;; Per-pixel scrolling instead of per-line
 (pixel-scroll-precision-mode)
 ;; Typed text replaces selection
 (delete-selection-mode)
--- a/nix/configuration/roles/emulate_isa/default.nix
+++ b/nix/configuration/roles/emulate_isa/default.nix
@@ -0,0 +1,41 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    emulate_isa.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to enable emulating other CPU architectures.";
    };
  };
  config = lib.mkIf config.me.emulate_isa.enable (
    lib.mkMerge [
      {
        boot.binfmt.emulatedSystems = [
          "aarch64-linux" # Raspberry Pi gen 3
          "riscv64-linux"
          # TODO: Should "x86_64-linux" be in this list or should this list be dependent on the host CPU?
          "armv6l-linux" # Raspberry Pi gen 1
        ];
        me.optimizations = {
          system_features = [
            "gccarch-armv6"
            "gccarch-aarch64"
            "gccarch-riscv64"
          ];
        };
      }
    ]
  );
 }
 # NOTE: build nixosConfigurations.<name>.config.system.build.sdImage
--- a/nix/configuration/roles/fonts/default.nix
+++ b/nix/configuration/roles/fonts/default.nix
@@ -15,6 +15,7 @@
        cascadia-code
        source-sans-pro
        source-serif-pro
        noto-fonts
        noto-fonts-cjk-sans
        noto-fonts-cjk-serif
        noto-fonts-color-emoji
--- a/nix/configuration/roles/git/files/gitconfig_home
+++ b/nix/configuration/roles/git/files/gitconfig_home
@@ -1,7 +1,7 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = D3A179C9A53C0EDE
+	signingkey = 36C99E8B3C39D85F
 [push]
 	default = simple # (default since 2.0)
 [alias]
@@ -53,3 +53,6 @@
 	autoStash = true
        # updateRefs was annoying when you want to split a branch in two by rebasing away from commits from one branch and rebasing away some commits from another branch.
 	updateRefs = false
 # Disabled because ephemeral pin storage is not yet ready in openpgp-card-state
 # [gpg]
 # 	program = oct-git
--- a/nix/configuration/roles/gpg/default.nix
+++ b/nix/configuration/roles/gpg/default.nix
@@ -29,9 +29,7 @@ in
    lib.mkMerge [
      {
        # Fetch public keys:
-        # gpg --locate-keys tom@fizz.buzz
+        # gpg --locate-external-keys tom@fizz.buzz
        #
        # gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
        hardware.gpgSmartcards.enable = true;
        services.udev.packages = [
@@ -47,15 +45,6 @@ in
          })
        ];
        services.pcscd.enable = true;
        # services.gnome.gnome-keyring.enable = true;
        # services.dbus.packages = [ pkgs.gcr ];
        # services.pcscd.plugins = lib.mkForce [ ];
        #   programs.gpg.scdaemonSettings = {
        #   disable-ccid = true;
        # };
        me.install.user.talexander.file = {
          ".gnupg/scdaemon.conf" = {
@@ -63,16 +52,57 @@ in
          };
        };
        # programs.gnupg.dirmngr.enable = true;
        programs.gnupg.agent = {
          enable = true;
          enableSSHSupport = true;
          pinentryPackage = pkgs.pinentry-qt;
          # Settings block populates /etc/gnupg/gpg-agent.conf
          # settings = {
          #   disable-ccid = true;
          # };
        };
        # Disabled because it breaks signing git commits because gpg wants to copy pubring.kbx. Unfortunately, this makes the install of scdaemon.conf do nothing since this mount of the full .gnupg directory goes over it.
        #
        # environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
        #   hideMounts = true;
        #   users.talexander = {
        #     files = [
        #       {
        #         file = ".gnupg/trustdb.gpg";
        #         parentDirectory = {
        #           mode = "u=rwx,g=,o=";
        #         };
        #       }
        #       {
        #         file = ".gnupg/pubring.kbx";
        #         parentDirectory = {
        #           mode = "u=rwx,g=,o=";
        #         };
        #       }
        #       {
        #         file = ".gnupg/tofu.db";
        #         parentDirectory = {
        #           mode = "u=rwx,g=,o=";
        #         };
        #       }
        #     ];
        #     directories = [
        #       {
        #         directory = ".gnupg/crls.d";
        #         user = "talexander";
        #         group = "talexander";
        #         mode = "0700";
        #       }
        #       {
        #         directory = ".gnupg/private-keys-v1.d";
        #         user = "talexander";
        #         group = "talexander";
        #         mode = "0700";
        #       }
        #     ];
        #   };
        # };
        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
          hideMounts = true;
          users.talexander = {
@@ -82,7 +112,7 @@ in
                user = "talexander";
                group = "talexander";
                mode = "0700";
-              } # Local keyring
+              }
            ];
          };
        };
@@ -90,8 +120,6 @@ in
        environment.systemPackages = with pkgs; [
          pcsclite
          pcsctools
          yubikey-personalization
          yubikey-manager
          glibcLocales
          ccid
          libusb-compat-0_1
--- a/nix/configuration/roles/gpg/files/gpg_test_wkd.bash
+++ b/nix/configuration/roles/gpg/files/gpg_test_wkd.bash
@@ -6,3 +6,6 @@ IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 gpg --no-default-keyring --keyring /tmp/gpg-$$ --auto-key-locate clear,wkd --locate-keys "${@}"
 # To generate files for the WKD:
 # gpg-wks-client --directory ./pgp/.well-known/openpgpkey --install-key <keyid> <email>
--- a/nix/configuration/roles/gpg/files/scdaemon.conf
+++ b/nix/configuration/roles/gpg/files/scdaemon.conf
@@ -1,6 +1,9 @@
 #reader-port Yubico Yubi
 disable-ccid
 # This setting enables other backends like oct to access the pgp card simultaneously but it also means that gpg will ask for the pin for EVERY ssh session which is annoying in scripts.
 #pcsc-shared
 #log-file /home/talexander/scd.log
 #verbose
 #debug cardio
--- a/nix/configuration/roles/kodi/default.nix
+++ b/nix/configuration/roles/kodi/default.nix
@@ -51,7 +51,7 @@
          # Generate with `mkpasswd -m scrypt`
          hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
          openssh.authorizedKeys.keys = [
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
          ];
--- a/nix/configuration/roles/media/files/cast_file_vaapi
+++ b/nix/configuration/roles/media/files/cast_file_vaapi
@@ -123,11 +123,13 @@ function convert {
        if [ "$acceleration_type" == "software" ]; then
            args+=(-c:v h264)
            args+=(-profile:v high)
            args+=(-vf format=yuv420p)
            args+=(-b:v "$VIDEO_BITRATE")
        elif [ "$acceleration_type" == "hardware" ]; then
            args+=(-vf 'format=nv12|vaapi,hwupload')
            args+=(-c:v h264_vulkan)
            args+=(-profile:v high)
            args+=(-vf format=yuv420p)
            args+=(-b:v "$VIDEO_BITRATE")
        fi
    elif [ "$codec" == "av1" ]; then
--- a/nix/configuration/roles/network/default.nix
+++ b/nix/configuration/roles/network/default.nix
@@ -55,8 +55,20 @@
      General = {
        EnableNetworkConfiguration = true;
        AddressRandomization = "network";
        ControlPortOverNL80211 = false;
      };
      # Rank = {
      #   BandModifier2_4GHz = 1.0;
      #   BandModifier5GHz = 1.0;
      #   BandModifier6GHz = 1.0;
      # };
      DriverQuirks = {
        PowerSaveDisable = "*";
        # ath12k_pci
      };
      # Scan = {
      #   DisablePeriodicScan = true;
      #   DisableRoamingScan = true;
      # };
    };
  };
  environment.systemPackages = with pkgs; [
@@ -102,4 +114,19 @@
  #   })
  # ];
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     linux-firmware = prev.linux-firwmare.overrideAttrs (old: rec {
  #       version = "20250917";
  #       src = final.fetchFromGitLab {
  #         owner = "kernel-firmware";
  #         repo = "linux-firmware";
  #         tag = version;
  #         hash = "sha256-tecFB6WYEfBK9FB7Rv8nHLdefIoaFnHrpzXBl+iSd08=";
  #       };
  #     });
  #   })
  # ];
 }
--- a/nix/configuration/roles/nix_worker/default.nix
+++ b/nix/configuration/roles/nix_worker/default.nix
@@ -43,7 +43,7 @@
          hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
          openssh.authorizedKeys.keys = [
            # Normal keys:
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
            # Key for nix to connect:
--- a/nix/configuration/roles/openpgp_card_tools/default.nix
+++ b/nix/configuration/roles/openpgp_card_tools/default.nix
@@ -0,0 +1,49 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./openpgp-card-ssh-agent.nix
  ];
  options.me = {
    openpgp_card_tools.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install openpgp-card-tools.";
    };
  };
  config = lib.mkIf config.me.openpgp_card_tools.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          openpgp-card-tools
          openpgp-card-tool-git
          openpgp-card-ssh-agent
        ];
        nixpkgs.overlays = [
          (final: prev: {
            openpgp-card-tool-git = (final.callPackage ./package/openpgp-card-tool-git/package.nix { });
            openpgp-card-ssh-agent = (final.callPackage ./package/openpgp-card-ssh-agent/package.nix { });
          })
        ];
        me.install.user.talexander.file = {
          ".config/openpgp-card-state/config.toml" = {
            source = ./files/openpgp-card-state.toml;
          };
        };
        # The current openpgp-card-ssh-agent has an outdated dependency on openpgp-card-state which makes it not handle my current openpgp-card-state.toml
        # services.openpgp-card-ssh-agent.enable = true;
      }
    ]
  );
 }
--- a/nix/configuration/roles/openpgp_card_tools/files/openpgp-card-state.toml
+++ b/nix/configuration/roles/openpgp_card_tools/files/openpgp-card-state.toml
@@ -0,0 +1 @@
 default_pin_storage = "Pinentry"
--- a/nix/configuration/roles/openpgp_card_tools/openpgp-card-ssh-agent.nix
+++ b/nix/configuration/roles/openpgp_card_tools/openpgp-card-ssh-agent.nix
@@ -0,0 +1,94 @@
 # Upstream to nixpkgs/nixos/modules/services/networking/ssh/openpgp-card-ssh-agent.nix
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib)
    mkIf
    mkOption
    mkEnableOption
    mkPackageOption
    mkDefault
    types
    concatMapStringsSep
    generators
    ;
  cfg = config.services.openpgp-card-ssh-agent;
 in
 {
  options.services.openpgp-card-ssh-agent = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to start openpgp-card-ssh-agent when you log in.
        Also sets SSH_AUTH_SOCK to point at openpgp-card-ssh-agent.
      '';
    };
    package = mkPackageOption pkgs "openpgp-card-ssh-agent" { };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];
    systemd.user.sockets.openpgp-card-ssh-agent = {
      wantedBy = [ "sockets.target" ];
      description = "A simple ssh-agent backed by OpenPGP card authentication keys";
      documentation = [
        "https://codeberg.org/openpgp-card/ssh-agent"
        "man:ssh-add(1)"
        "man:ssh-agent(1)"
        "man:ssh(1)"
      ];
      socketConfig = {
        ListenStream = "%t/openpgp-card/ssh-agent.sock";
        SocketMode = "0600";
        DirectoryMode = "0700";
      };
    };
    systemd.user.services.openpgp-card-ssh-agent = {
      description = "A simple ssh-agent backed by OpenPGP card authentication keys";
      documentation = [
        "https://codeberg.org/openpgp-card/ssh-agent"
        "man:ssh-add(1)"
        "man:ssh-agent(1)"
        "man:ssh(1)"
      ];
      after = [ "local-fs.target" ];
      requires = [
        "openpgp-card-ssh-agent.socket"
        # "gnome-keyring-daemon.service"
      ];
      serviceConfig = {
        ExecStart = ''
          ${cfg.package}/bin/openpgp-card-ssh-agent -H fd://
        '';
      };
    };
    environment.extraInit = ''
      if [ -z "$SSH_AUTH_SOCK" ] && [ -n "$XDG_RUNTIME_DIR" ]; then
        export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/openpgp-card/ssh-agent.sock"
      fi
    '';
    assertions = [
      {
        assertion = cfg.enable -> !config.programs.ssh.startAgent;
        message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
      }
      {
        assertion = cfg.enable -> !config.programs.gnupg.agent.enableSSHSupport;
        message = "You can't use GnuPG agent with SSH support enabled and openpgp-card-ssh-agent at the same time!";
      }
    ];
  };
 }
--- a/nix/configuration/roles/openpgp_card_tools/package/openpgp-card-ssh-agent/package.nix
+++ b/nix/configuration/roles/openpgp_card_tools/package/openpgp-card-ssh-agent/package.nix
@@ -0,0 +1,52 @@
 {
  lib,
  rustPlatform,
  fetchFromGitea,
  pkg-config,
  pcsclite,
  dbus,
  openssl,
  testers,
  openpgp-card-ssh-agent,
 }:
 rustPlatform.buildRustPackage rec {
  pname = "openpgp-card-ssh-agent";
  version = "0.3.4";
  src = fetchFromGitea {
    domain = "codeberg.org";
    owner = "openpgp-card";
    repo = "ssh-agent";
    rev = "v${version}";
    hash = "sha256-nWbvEsVa7YJsBtVZfLQDB4CiaHP3GEYeYS32+WZv8PE=";
  };
  cargoHash = "sha256-nG7xebypXv7UAfu7sWbcp4DIhLv4lfzMrQUY6m2iDmw=";
  nativeBuildInputs = [
    pkg-config
  ];
  buildInputs = [
    openssl
    pcsclite
    dbus
  ];
  passthru = {
    tests.version = testers.testVersion {
      package = openpgp-card-ssh-agent;
    };
  };
  meta = with lib; {
    description = "An ssh agent that uses OpenPGP cards for your key";
    homepage = "https://codeberg.org/openpgp-card/ssh-agent";
    license = with licenses; [
      asl20 # OR
      mit
    ];
    mainProgram = "openpgp-card-ssh-agent";
  };
 }
--- a/nix/configuration/roles/openpgp_card_tools/package/openpgp-card-tool-git/package.nix
+++ b/nix/configuration/roles/openpgp_card_tools/package/openpgp-card-tool-git/package.nix
@@ -0,0 +1,54 @@
 {
  lib,
  rustPlatform,
  fetchFromGitea,
  pkg-config,
  pcsclite,
  dbus,
  openssl,
  sqlite,
  testers,
  openpgp-card-tool-git,
 }:
 rustPlatform.buildRustPackage rec {
  pname = "openpgp-card-tool-git";
  version = "0.1.6";
  src = fetchFromGitea {
    domain = "codeberg.org";
    owner = "openpgp-card";
    repo = "oct-git";
    rev = "v${version}";
    hash = "sha256-38/JHzCkL3+0IbOacH54A5Hj03oDe9jDzcwp672a8LE=";
  };
  cargoHash = "sha256-j1Osj2rjLxrSKh82ym6PiIHVO1wLE7Ax2/5+pdRcv+E=";
  nativeBuildInputs = [
    pkg-config
  ];
  buildInputs = [
    openssl
    pcsclite
    dbus
    sqlite
  ];
  passthru = {
    tests.version = testers.testVersion {
      package = openpgp-card-tool-git;
    };
  };
  meta = with lib; {
    description = "Tool for using OpenPGP cards with git";
    homepage = "https://codeberg.org/openpgp-card/oct-git";
    license = with licenses; [
      asl20 # OR
      mit
    ];
    mainProgram = "oct-git";
  };
 }
--- a/nix/configuration/roles/optimized_build/default.nix
+++ b/nix/configuration/roles/optimized_build/default.nix
@@ -97,64 +97,9 @@
                } prev.linux_6_16;
              }
            )
            (final: prev: {
              haskellPackages = prev.haskellPackages.extend (
                final': prev': {
                  inherit (pkgs-unoptimized.haskellPackages)
                    crypto-token
                    crypton
                    crypton-connection
                    crypton-x509
                    crypton-x509-store
                    crypton-x509-system
                    crypton-x509-validation
                    hspec-wai
                    http-client-tls
                    http2
                    pandoc
                    pandoc-cli
                    pandoc-lua-engine
                    pandoc-server
                    servant-server
                    tls
                    tls-session-manager
                    wai-app-static
                    wai-extra
                    warp
                    warp-tls
                    ;
                }
              );
            })
            # (final: prev: {
            #   python = prev.python.override {
            #     packageOverrides = python-final: python-prev: {
            #       inherit (pkgs-unoptimized.pythonPackages) coverage;
            #     };
            #   };
            # })
            # (final: prev: {
            #   pythonPackagesOverlays = prev.pythonPackagesOverlays.extend (
            #     final': prev': {
            #       inherit (pkgs-unoptimized.pythonPackagesOverlays)
            #         coverage
            #         ;
            #     }
            #   );
            # })
            # (final: prev: {
            #   pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
            #     (python-final: python-prev: {
            #       inherit (pkgs-unoptimized.pythonPackages) coverage;
            #     })
            #   ];
            # })
            (final: prev: {
              inherit (pkgs-unoptimized)
                gsl
                redis
                valkey
                nix-serve-ng
                rapidjson
                assimp
                ;
--- a/nix/configuration/roles/python/default.nix
+++ b/nix/configuration/roles/python/default.nix
@@ -31,6 +31,7 @@
          pyright
          isort
          black
          uv
        ];
        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
--- a/nix/configuration/roles/qemu/default.nix
+++ b/nix/configuration/roles/qemu/default.nix
@@ -5,6 +5,41 @@
  ...
 }:
 let
  qemurc =
    (pkgs.writeScriptBin "qemurc" (
      builtins.readFile (
        pkgs.replaceVars ./files/qemurc.bash {
          "OVMFfd" = "${pkgs.OVMF.fd}";
          mount_root = "/vm";
          zfs_root = "zroot/linux/nix/vm";
        }
      )
    )).overrideAttrs
      (old: {
        buildCommand = ''
          ${old.buildCommand}
          patchShebangs $out
        '';
      });
  qemurc_wrapped =
    (pkgs.writeScriptBin "qemurc" ''
      #!/usr/bin/env bash
      export "PATH=${
        lib.makeBinPath [
          pkgs.swtpm
          pkgs.tmux
        ]
      }:''${PATH}"
      exec ${qemurc}/bin/qemurc "''${@}"
    '').overrideAttrs
      (old: {
        buildCommand = ''
          ${old.buildCommand}
          patchShebangs $out
        '';
      });
 in
 {
  imports = [ ];
@@ -22,6 +57,7 @@
      {
        environment.systemPackages = with pkgs; [
          qemu
          qemurc_wrapped
        ];
      }
    ]
--- a/nix/configuration/roles/qemu/files/qemurc.bash
+++ b/nix/configuration/roles/qemu/files/qemurc.bash
@@ -0,0 +1,375 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # Share a host directory to the guest via 9pfs.
 #
 # Inside the VM run:
 #   mount -t virtfs -o trans=virtio sharename /some/vm/path
 #   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
 #   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
 # Example usage:
 #
 #   doas qemurc create-disk mint 10
 #   doas env CD=/vm/iso/linuxmint-22.2-cinnamon-64bit.iso qemurc start mint
 #   doas qemurc start mint
 #   doas env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/0 qemurc start mint
 : ${VERBOSE:="NO"} # or YES
 if [ "$VERBOSE" = "YES" ]; then
    set -x
 fi
 : ${CPU_CORES:="1"}
 : ${MEMORY:="1G"}
 : ${GTK_ENABLE:="NO"} # Only enable one, either GTK or VNC
 : ${VNC_ENABLE:="NO"} # Only enable one, either GTK or VNC
 : ${VNC_LISTEN:="127.0.0.1:0"}
 : ${VNC_WIDTH:="1920"}
 : ${VNC_HEIGHT:="1080"}
 : ${AUDIO_ENABLE:="NO"}
 : ${TPM_ENABLE:="NO"}
 : ${BIND9P:=""}
 : "${CD:=}"
 : ${SHUTDOWN_TIMEOUT:="600"}
 : ${MOUNT_ROOT:="@mount_root@"}
 : ${ZFS_ROOT:="@zfs_root@"}
 ############## Setup #########################
 function cleanup {
    sync
    for p in "${pids[@]}"; do
        log "Killing $p"
        kill "$p"
        log "Killed $p"
    done
    for vm in "${vms[@]}"; do
        log "Stopping $vm"
        stop_one "$vm"
        log "Stopped $vm"
    done
 }
 pids=()
 vms=()
 trap "set +e; cleanup" EXIT
 function die {
    local status_code="$1"
    shift
    (>&2 echo "${@}")
    exit "$status_code"
 }
 function log {
    (>&2 echo "${@}")
 }
 ############## Program #########################
 function main {
    local cmd
    cmd=$1
    shift
    if [ "$cmd" = "start" ]; then
        init
        start "${@}"
    elif [ "$cmd" = "stop" ]; then
        init
        stop "${@}"
    elif [ "$cmd" = "status" ]; then
        init
        status "${@}"
    elif [ "$cmd" = "console" ]; then
        init
        console "${@}"
    elif [ "$cmd" = "_start_body" ]; then
        init
        start_body "${@}"
    elif [ "$cmd" = "create-disk" ]; then
        create_disk "${@}"
    else
        (>&2 echo "Unknown command: $cmd")
        exit 1
    fi
 }
 function start {
    local num_vms="$#"
    if [ "$num_vms" -eq 0 ]; then
        log "No VMs specified."
        return 0
    fi
    while [ "$#" -gt 0 ]; do
        local name="$1"
        shift 1
        log "Starting VM $name."
        start_one "$name"
        [ "$#" -eq 0 ] || sleep 5
    done
 }
 function start_one {
    local name="$1"
    local tmux_name="$name"
    tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
 }
 function launch_pidfile {
    local pidfile="$1"
    shift 1
    mkdir -p "$(dirname "$pidfile")"
    cat > "${pidfile}" <<< "$$"
    set -x
    exec "${@}"
 }
 export -f launch_pidfile
 function stop {
    local num_vms="$#"
    if [ "$num_vms" -eq 0 ]; then
        log "No VMs specified."
        return 0
    fi
    while [ "$#" -gt 0 ]; do
        local name="$1"
        shift 1
        log "Stopping VM $name."
        stop_one "$name"
        [ "$#" -eq 0 ] || sleep 5
    done
 }
 function stop_one {
    local name="$1"
    local pidfile="/run/qemurc/${name}/pid"
    if [ ! -e "$pidfile" ]; then
        log "Pid file $pidfile does not exist."
        return 0
    fi
    local qemu_pid
    qemu_pid=$(cat "$pidfile")
    if ps -p "$qemu_pid" >/dev/null; then
        # We cannot send a graceful shutdown command externally to qemu: https://gitlab.com/qemu-project/qemu/-/issues/148
        log "Killing ${name}:${qemu_pid}."
        kill -SIGTERM "$qemu_pid"
    fi
    local timeout_start timeout_end
    timeout_start=$(date +%s)
    while ps -p "$qemu_pid" >/dev/null; do
        timeout_end=$(date +%s)
        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
            log "${name}:${qemu_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
            break
        fi
        log "Waiting for ${name}:${qemu_pid} to exit."
        sleep 2
    done
    kill -9 "$qemu_pid"
    local timeout_start timeout_end
    timeout_start=$(date +%s)
    while ps -p "$qemu_pid" >/dev/null; do
        timeout_end=$(date +%s)
        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
            log "${name}:${qemu_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
            break
        fi
        log "Waiting for ${name}:${qemu_pid} to hard power down."
        sleep 2
    done
    rm -f "$pidfile"
    log "Finished stopping $name."
 }
 function status {
    local num_vms="$#"
    if [ "$num_vms" -gt 0 ]; then
        for name in "$@"; do
            status_one "$name"
        done
    else
        log "No VMs specified."
    fi
 }
 function status_one {
    local name="$1"
    local pidfile="/run/qemurc/${name}/pid"
    if [ ! -e "$pidfile" ]; then
        log "$name is not running."
        return 0
    fi
    local qemu_pid
    qemu_pid=$(cat "$pidfile")
    if ! ps -p "$qemu_pid" >/dev/null; then
        log "$name is not running."
        return 0
    fi
    log "$name is running as pid $qemu_pid."
 }
 function console {
    local num_vms="$#"
    if [ "$num_vms" -gt 0 ]; then
        for name in "$@"; do
            log "Attaching to console of VM $name."
            console_one "$name"
        done
    else
        log "No VMs specified."
    fi
 }
 function console_one {
    local name="$1"
    local tmux_name="$name"
    exec tmux a -t "$tmux_name"
 }
 function init {
    mkdir -p /run/qemurc
 }
 ############## qemu ############################
 function create_disk {
    local name="$1"
    local gigabytes="$2"
    local zfs_path="${ZFS_ROOT}/${name}"
    local mount_path="${MOUNT_ROOT}/${name}"
    zfs create -o mountpoint=none -o canmount=off "$zfs_path"
    zfs create -o "mountpoint=$mount_path" -o canmount=on "$zfs_path/settings"
    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
    zfs snapshot -r "$zfs_path@empty"
    install -m0600 "@OVMFfd@/FV/OVMF_VARS.fd" "${mount_path}/"
    tee "${mount_path}/settings" <<EOF
 CPU_CORES="$CPU_CORES"
 MEMORY="$MEMORY"
 GTK_ENABLE="$GTK_ENABLE"
 VNC_ENABLE="$VNC_ENABLE"
 VNC_LISTEN="$VNC_LISTEN"
 VNC_WIDTH="$VNC_WIDTH"
 VNC_HEIGHT="$VNC_HEIGHT"
 AUDIO_ENABLE="$AUDIO_ENABLE"
 TPM_ENABLE="$TPM_ENABLE"
 BIND9P="$BIND9P"
 EOF
 }
 function start_body {
    local name="$1"
    local zfs_path="${ZFS_ROOT}/${name}"
    local mount_path="${MOUNT_ROOT}/${name}"
    local run_path="/run/qemurc/${name}"
    local mount_cd="$CD"
    local swtpm_sock="${run_path}/swtpm.sock"
    local swtpm_path="${MOUNT_ROOT}/${name}/swtpm"
    install -d -m 0700 "$run_path"
    if [ -e "${mount_path}/settings" ]; then
        source "${mount_path}/settings"
    fi
    local additional_args=()
    if [ -n "$BIND9P" ]; then
        additional_args+=(-device "virtio-9p-type,fsdev=${BIND9P},mount_tag=bind9p")
    fi
    if [ -n "$mount_cd" ]; then
        additional_args+=(-cdrom "$mount_cd")
    fi
    if [ "$VNC_ENABLE" = "YES" ]; then
        additional_args+=(-vnc "${VNC_LISTEN},power-control=on")
    fi
    if [ "$AUDIO_ENABLE" = "YES" ]; then
        additional_args+=(-audio "driver=pa,model=virtio,server=/run/user/11235/pulse/native")
    fi
    if [ "$TPM_ENABLE" = "YES" ]; then
        install -d -m 0700 "$swtpm_path"
        swtpm socket --tpm2 --tpmstate dir="$swtpm_path" --ctrl type=unixio,path="$swtpm_sock" &
        local tpm_pid=$!
        pids+=("$tpm_pid")
        additional_args+=(-chardev "socket,id=chrtpm,path=$swtpm_sock"
                          -tpmdev "emulator,id=tpm0,chardev=chrtpm"
                          -device "tpm-tis,tpmdev=tpm0")
    fi
    if [ "$GTK_ENABLE" = "YES" ]; then
        additional_args+=(
            -device 'virtio-gpu-gl,hostmem=8G,blob=true,venus=true'
            -display 'gtk,gl=on'
            -vga virtio
        )
    fi
    vms+=("$name")
    local pidfile="/run/qemurc/${name}/pid"
    local launch_cmd=()
    launch_cmd+=(
        launch_pidfile "$pidfile"
        qemu-system-x86_64
        -accel kvm
        -cpu host
        -smp cores="$CPU_CORES"
        -m "$MEMORY"
        -rtc base=localtime
        -drive "file=\"@OVMFfd@/FV/OVMF_CODE.fd\",if=pflash,format=raw,readonly=on"
        -drive "if=pflash,format=raw,file=\"$(readlink -f "${mount_path}/OVMF_VARS.fd")\""
        -drive "if=none,file=/dev/zvol/${zfs_path}/disk0,format=raw,id=hd0"
        -device 'nvme,serial=deadbeef,drive=hd0'
        -nic 'user,hostfwd=tcp::60022-:22'
        -boot order=d
        "${additional_args[@]}"
    )
    set +e
    rm -f "$pidfile"
    (
        IFS=$' \n\t'
        set -ex
        bash -c "${launch_cmd[*]}"
    )
    local exit_code=$?
    log "Exit code ${exit_code}"
    set -e
 }
 main "${@}"
--- a/nix/configuration/roles/sequoia/default.nix
+++ b/nix/configuration/roles/sequoia/default.nix
@@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    sequoia.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install sequoia.";
    };
  };
  config = lib.mkIf config.me.sequoia.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          sequoia-sq
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/uutils/default.nix
+++ b/nix/configuration/roles/uutils/default.nix
@@ -0,0 +1,33 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    uutils.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to replace GNU coreutils with uutils (a rust drop-in replacement).";
    };
  };
  config = lib.mkIf config.me.uutils.enable (
    lib.mkMerge [
      {
        # environment.corePackages automatically installes coreutils-full, so merely installing uutils-coreutils-noprefix is insufficient for replacing GNU coreutils.
        nixpkgs.overlays = [
          (final: prev: {
            coreutils = final.uutils-coreutils-noprefix;
            coreutils-full = final.uutils-coreutils-noprefix;
          })
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/yubikey/default.nix
+++ b/nix/configuration/roles/yubikey/default.nix
@@ -0,0 +1,30 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    yubikey.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install yubikey.";
    };
  };
  config = lib.mkIf config.me.yubikey.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
          yubikey-personalization
          yubikey-manager
        ];
      }
    ]
  );
 }
--- a/nix/configuration/roles/zsh/default.nix
+++ b/nix/configuration/roles/zsh/default.nix
@@ -109,6 +109,12 @@ in
            ];
          };
        };
        nixpkgs.overlays = [
          (final: prev: {
            zsh-histdb = (final.callPackage ./package/zsh-histdb/package.nix { });
          })
        ];
      }
    ]
  );
--- a/nix/configuration/roles/zsh/package/zsh-histdb/package.nix
+++ b/nix/configuration/roles/zsh/package/zsh-histdb/package.nix
--- a/nix/yubipi/.gitignore
+++ b/nix/yubipi/.gitignore
@@ -0,0 +1 @@
 result
--- a/nix/yubipi/configuration.nix
+++ b/nix/yubipi/configuration.nix
@@ -0,0 +1,177 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    "${modulesPath}/installer/sd-card/sd-image.nix"
    ./roles/image_based_appliance
    ./roles/optimized_build
    ./roles/raspberry_pi_sd_image
    ./roles/reset
    # ./util/install_files
    ./util/unfree_polyfill
  ];
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nix.settings.trusted-users = [ "@wheel" ];
  hardware.enableRedistributableFirmware = true;
  # Keep outputs so we can build offline.
  nix.extraOptions = ''
    keep-outputs = true
    keep-derivations = true
    substitute = false
  '';
  # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
  boot.supportedFilesystems.zfs = true;
  # TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ?
  services.getty = {
    autologinUser = "talexander";
    autologinOnce = true;
  };
  users.mutableUsers = false;
  users.users.talexander = {
    isNormalUser = true;
    createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
    group = "talexander";
    extraGroups = [ "wheel" ];
    uid = 11235;
    packages = with pkgs; [
      tree
    ];
    # Generate with `mkpasswd -m scrypt`
    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
    ];
  };
  users.groups.talexander.gid = 11235;
  # Automatic garbage collection
  nix.gc = lib.mkIf (!config.me.image_based_appliance.enable) {
    # Runs nix-collect-garbage --delete-older-than 5d
    automatic = true;
    persistent = true;
    dates = "monthly";
    # randomizedDelaySec = "14m";
    options = "--delete-older-than 30d";
  };
  nix.settings.auto-optimise-store = true;
  nix.settings.substituters = lib.mkForce [ ];
  # Use doas instead of sudo
  security.doas.enable = true;
  security.doas.wheelNeedsPassword = false;
  security.sudo.enable = false;
  security.doas.extraRules = [
    {
      # Retain environment (for example NIX_PATH)
      keepEnv = true;
      persist = true; # Only ask for a password the first time.
    }
  ];
  environment.systemPackages = with pkgs; [
    # wget
    # mg
    # rsync
    # libinput
    # htop
    # tmux
    # file
    # usbutils # for lsusb
    # pciutils # for lspci
    # ripgrep
    # strace
    # # ltrace # Disabled because it uses more than 48GB of /tmp space during test phase.
    # trace-cmd # ftrace
    # tcpdump
    # git-crypt
    # gnumake
    # ncdu
    # nix-tree
    # libarchive # bsdtar
    # lsof
    # doas-sudo-shim # To support --sudo for remote builds
    # dmidecode # Read SMBIOS information.
    # ipcalc
    # gptfdisk # for cgdisk
    # nix-output-monitor # For better view into nixos-rebuild
    # nix-serve-ng # Serve nix store over http
  ];
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
    hostKeys = [
      {
        path = "/persist/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/persist/ssh/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };
  boot.initrd.kernelModules = [
    # "vc4"
    # "bcm2835_dma"
    # "i2c_bcm2835"
  ];
  # Compressing through emulation is slow and we're just going to decompress the image anyway.
  sdImage.compressImage = false;
  # Write a list of the currently installed packages to /etc/current-system-packages
  environment.etc."current-system-packages".text =
    let
      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
      formatted = builtins.concatStringsSep "\n" sortedUnique;
    in
    formatted;
  nixpkgs.overlays = [
    (final: prev: {
      efivar = throw "foo";
    })
  ];
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "25.11"; # Did you read the comment?
 }
--- a/nix/yubipi/flake.lock
+++ b/nix/yubipi/flake.lock
@@ -0,0 +1,44 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1759381078,
        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unoptimized": {
      "locked": {
        "lastModified": 1759381078,
        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs",
        "nixpkgs-unoptimized": "nixpkgs-unoptimized"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/yubipi/flake.nix
+++ b/nix/yubipi/flake.nix
@@ -0,0 +1,43 @@
 {
  description = "My system configuration";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nixpkgs-unoptimized.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs =
    {
      self,
      nixpkgs,
      nixpkgs-unoptimized,
      ...
    }@inputs:
    let
      base_armv6l_linux = rec {
        system = "armv6l-linux-linux";
        specialArgs = {
          pkgs-unoptimized = import nixpkgs-unoptimized {
            inherit system;
            hostPlatform.gcc.arch = "default";
            hostPlatform.gcc.tune = "default";
          };
        };
        modules = [
          ./configuration.nix
        ];
      };
      systems = {
        yubipi = rec {
          main = base_armv6l_linux // {
            modules = base_armv6l_linux.modules ++ [
              ./hosts/yubipi
            ];
          };
        };
      };
    in
    {
      nixosConfigurations.yubipi = nixpkgs.lib.nixosSystem systems.yubipi.main;
    };
 }
--- a/nix/yubipi/hosts/yubipi/ISO
+++ b/nix/yubipi/hosts/yubipi/ISO
@@ -0,0 +1,9 @@
 #!/usr/bin/env bash
 #
 set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#nixosConfigurations.yubipi.config.system.build.sdImage" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/yubipi/hosts/yubipi/default.nix
+++ b/nix/yubipi/hosts/yubipi/default.nix
@@ -0,0 +1,46 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
    ./wrapped-disk-config.nix
  ];
  config = {
    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
    networking.hostId = "61f81c12";
    networking.hostName = "yubipi"; # Define your hostname.
    time.timeZone = "America/New_York";
    i18n.defaultLocale = "en_US.UTF-8";
    me.optimizations = {
      enable = true;
      arch = "armv6";
      system_features = [
        "gccarch-armv6l"
        "benchmark"
        "big-parallel"
        "kvm"
        "nixos-test"
      ];
    };
    # Early KMS
    boot.initrd.kernelModules = [ ];
    # Mount tmpfs at /tmp
    boot.tmp.useTmpfs = true;
    # Enable TRIM
    services.fstrim.enable = lib.mkDefault true;
    me.image_based_appliance.enable = true;
    me.raspberry_pi_sd_image.enable = true;
  };
 }
--- a/nix/yubipi/hosts/yubipi/disk-config.nix
+++ b/nix/yubipi/hosts/yubipi/disk-config.nix
@@ -0,0 +1,12 @@
 {
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [
        "noatime"
        "norelatime"
      ];
    };
  };
 }
--- a/nix/yubipi/hosts/yubipi/hardware-configuration.nix
+++ b/nix/yubipi/hosts/yubipi/hardware-configuration.nix
@@ -0,0 +1,28 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "thunderbolt"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "armv6l-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nix/yubipi/hosts/yubipi/wrapped-disk-config.nix
+++ b/nix/yubipi/hosts/yubipi/wrapped-disk-config.nix
@@ -0,0 +1,8 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 (import ./disk-config.nix)
--- a/nix/yubipi/roles/blank/default.nix
+++ b/nix/yubipi/roles/blank/default.nix
@@ -0,0 +1,30 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    blank.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install blank.";
    };
  };
  config = lib.mkIf config.me.blank.enable (
    lib.mkMerge [
      {
        environment.systemPackages = with pkgs; [
        ];
      }
      (lib.mkIf config.me.graphical {
      })
    ]
  );
 }
--- a/nix/yubipi/roles/image_based_appliance/default.nix
+++ b/nix/yubipi/roles/image_based_appliance/default.nix
@@ -0,0 +1,30 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    image_based_appliance.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install image_based_appliance.";
    };
  };
  config = lib.mkIf config.me.image_based_appliance.enable (
    lib.mkMerge [
      {
        # Do not install nix. A full new image must be built to update
        # the machine.
        nix.enable = false;
        system.switch.enable = false;
      }
    ]
  );
 }
--- a/nix/yubipi/roles/optimized_build/default.nix
+++ b/nix/yubipi/roles/optimized_build/default.nix
@@ -0,0 +1,78 @@
 {
  config,
  lib,
  pkgs,
  pkgs-unoptimized,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    optimizations.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to enable CPU optimizations (will trigger a rebuild from source).";
    };
    optimizations.arch = lib.mkOption {
      type = lib.types.str;
      default = null;
      example = "znver4";
      description = "The CPU arch for which programs should be optimized.";
    };
    optimizations.system_features = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [
        "gccarch-armv6l"
        "benchmark"
        "big-parallel"
        "kvm"
        "nixos-test"
      ];
      description = "The list of CPU features that should be enabled on this machine.";
    };
  };
  config = lib.mkMerge [
    (lib.mkIf (!config.me.optimizations.enable) (
      lib.mkMerge [
        {
        }
      ]
    ))
    (lib.mkIf config.me.optimizations.enable (
      lib.mkMerge [
        {
          nixpkgs.config.allowUnsupportedSystem = true;
          nixpkgs.hostPlatform = {
            gcc.arch = config.me.optimizations.arch;
            gcc.tune = config.me.optimizations.arch;
            system = "armv6l-linux";
          };
          # Uncomment on of these to enable cross compiling:
          # nixpkgs.buildPlatform = builtins.currentSystem;
          # nixpkgs.buildPlatform = {
          #   gcc.arch = "znver4";
          #   gcc.tune = "znver4";
          #   system = "x86_64-linux";
          # };
        }
      ]
    ))
    (lib.mkIf (config.me.optimizations.system_features != [ ]) (
      lib.mkMerge [
        {
          nix.settings.system-features = lib.mkForce config.me.optimizations.system_features;
        }
      ]
    ))
  ];
 }
--- a/nix/yubipi/roles/raspberry_pi_sd_image/default.nix
+++ b/nix/yubipi/roles/raspberry_pi_sd_image/default.nix
@@ -0,0 +1,62 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  options.me = {
    raspberry_pi_sd_image.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install raspberry_pi_sd_image.";
    };
  };
  config = lib.mkIf config.me.raspberry_pi_sd_image.enable (
    lib.mkMerge [
      {
        boot.loader.grub.enable = false;
        boot.loader.generic-extlinux-compatible.enable = true;
        boot.consoleLogLevel = lib.mkDefault 7;
        boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi1;
        sdImage = {
          populateFirmwareCommands =
            let
              configTxt = pkgs.writeText "config.txt" ''
                # u-boot refuses to start (gets stuck at rainbow polygon) without this,
                # at least on Raspberry Pi 0.
                enable_uart=1
                # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
                # when attempting to show low-voltage or overtemperature warnings.
                avoid_warnings=1
                [pi0]
                kernel=u-boot-rpi0.bin
                [pi1]
                kernel=u-boot-rpi1.bin
              '';
            in
            ''
              (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf *.dtb $NIX_BUILD_TOP/firmware/)
              cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin firmware/u-boot-rpi0.bin
              cp ${pkgs.ubootRaspberryPi}/u-boot.bin firmware/u-boot-rpi1.bin
              cp ${configTxt} firmware/config.txt
            '';
          populateRootCommands = ''
            mkdir -p ./files/boot
            ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
          '';
        };
      }
    ]
  );
 }
--- a/nix/yubipi/roles/reset/default.nix
+++ b/nix/yubipi/roles/reset/default.nix
@@ -0,0 +1,16 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [ ];
  # Reset some defaults to start from a minimal more-arch-linux-like state. Think of this like a CSS reset sheet.
  config = {
    # Do not use default packages (nixos includes some defaults like nano)
    environment.defaultPackages = lib.mkForce [ ];
  };
 }
--- a/nix/yubipi/util/install_files/default.nix
+++ b/nix/yubipi/util/install_files/default.nix
@@ -0,0 +1,333 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.me.install;
  inherit (lib)
    filter
    attrNames
    ;
  get_shell_values =
    target:
    let
      homedir = config.users.users."${target.username}".home;
      group = config.users.users."${target.username}".group;
    in
    {
      source = lib.strings.escapeShellArg "${target.source}";
      destination = lib.strings.escapeShellArg "${homedir}/${target.target}";
      mode = lib.strings.escapeShellArg "${target.mode}";
      dir_mode = lib.strings.escapeShellArg "${target.dir_mode}";
      username = lib.strings.escapeShellArg "${target.username}";
      group = lib.strings.escapeShellArg "${group}";
    };
  install_user_file =
    let
      constructors = {
        "overwrite" = install_user_file_overwrite;
        "symlink" = install_user_file_symlink;
      };
    in
    stage: target: (constructors."${target.method}"."${stage}" target);
  install_user_file_overwrite = {
    "check" = (target: "");
    "install" = (
      target:
      let
        inherit (get_shell_values target)
          source
          destination
          mode
          dir_mode
          username
          group
          ;
        flags = lib.strings.concatStringsSep " " [
          (if mode != "" then "-m ${mode}" else "")
          (if username != "" then "-o ${username}" else "")
          (if group != "" then "-g ${group}" else "")
        ];
        dir_flags = lib.strings.concatStringsSep " " [
          (if dir_mode != "" then "-m ${dir_mode}" else "")
          (if username != "" then "-o ${username}" else "")
          (if group != "" then "-g ${group}" else "")
        ];
      in
      if target.recursive then
        [
          ''
            find ${source} -type f -print0 | while read -r -d "" file; do
                relative_path=$(realpath -s --relative-to ${source} "$file")
                full_dest=${destination}/"$relative_path"
                create_containing_directories "$full_dest" ${dir_flags}
                $DRY_RUN_CMD install $VERBOSE_ARG --compare ${flags} "$file" "$full_dest"
            done
          ''
        ]
      else
        [
          ''
            create_containing_directories ${destination} ${dir_flags}
            $DRY_RUN_CMD install $VERBOSE_ARG --compare ${flags} ${source} ${destination}
          ''
        ]
    );
    "uninstall" = (
      target:
      let
        inherit (get_shell_values target)
          source
          destination
          ;
      in
      if target.recursive then
        [
          ''
            find ${source} -type f -print0 | while read -r -d "" file; do
                relative_path=$(realpath -s --relative-to ${source} "$file")
                full_dest=${destination}/"$relative_path"
                $DRY_RUN_CMD echo rm -f "$full_dest"
            done
          ''
        ]
      else
        [
          ''
            $DRY_RUN_CMD echo rm -f ${destination}
          ''
        ]
    );
  };
  install_user_file_symlink = {
    "check" = (target: "");
    "install" = (
      target:
      let
        inherit (get_shell_values target)
          source
          destination
          mode
          dir_mode
          username
          group
          ;
        owner = lib.strings.concatStringsSep ":" (
          filter (val: val != "") [
            username
            group
          ]
        );
        dir_flags = lib.strings.concatStringsSep " " [
          (if dir_mode != "" then "-m ${dir_mode}" else "")
          (if username != "" then "-o ${username}" else "")
          (if group != "" then "-g ${group}" else "")
        ];
      in
      if target.recursive then
        [
          ''
            find ${source} -type f -print0 | while read -r -d "" file; do
                relative_path=$(realpath -s --relative-to ${source} "$file")
                full_dest=${destination}/"$relative_path"
                create_containing_directories "$full_dest" ${dir_flags}
                $DRY_RUN_CMD ln $VERBOSE_ARG -s "$file" "$full_dest"
                $DRY_RUN_CMD chown $VERBOSE_ARG -h ${owner} "$full_dest"
            done
          ''
        ]
      else
        [
          ''
            create_containing_directories ${destination} ${dir_flags}
            $DRY_RUN_CMD ln $VERBOSE_ARG -s ${source} ${destination}
            $DRY_RUN_CMD chown $VERBOSE_ARG -h ${owner} ${destination}
          ''
        ]
    );
    "uninstall" = (
      target:
      let
        inherit (get_shell_values target)
          source
          destination
          ;
      in
      if target.recursive then
        [
          ''
            find ${source} -type f -print0 | while read -r -d "" file; do
                relative_path=$(realpath -s --relative-to ${source} "$file")
                full_dest=${destination}/"$relative_path"
                $DRY_RUN_CMD echo rm -f "$full_dest"
            done
          ''
        ]
      else
        [
          ''
            $DRY_RUN_CMD echo rm -f ${destination}
          ''
        ]
    );
  };
 in
 {
  imports = [ ];
  options.me.install = {
    user = lib.mkOption {
      type = lib.types.attrsOf (
        lib.types.submodule (
          { name, config, ... }:
          let
            username = name;
          in
          {
            options = {
              enable = lib.mkOption {
                type = lib.types.bool;
                default = true;
                defaultText = "enable";
                example = lib.literalExpression false;
                description = "Whether we want to install files in this user's home directory.";
              };
              file = lib.mkOption {
                type = lib.types.attrsOf (
                  lib.types.submodule (
                    { name, config, ... }:
                    let
                      path = name;
                    in
                    {
                      options = {
                        enable = lib.mkOption {
                          type = lib.types.bool;
                          default = true;
                          defaultText = "enable";
                          example = lib.literalExpression false;
                          description = "Whether we want to install this file in this user's home directory.";
                        };
                        username = lib.mkOption {
                          type = lib.types.str;
                          defaultText = "username";
                          example = "root";
                          description = "The username for the user whose home directory will contain the file.";
                        };
                        target = lib.mkOption {
                          type = lib.types.str;
                          defaultText = "target";
                          example = ".local/share/foo/bar.txt";
                          description = "The path where the file should be written.";
                        };
                        method = lib.mkOption {
                          type = lib.types.enum [
                            "symlink"
                            "overwrite"
                            # "bind_mount" TODO: for directories?
                          ];
                          default = "symlink";
                          defaultText = "me.install.file.‹path›.method";
                          example = "overwrite";
                          description = "The way in which the file should be installed.";
                        };
                        mode = lib.mkOption {
                          type = lib.types.str;
                          default = "0444";
                          defaultText = "me.install.file.‹path›.mode";
                          example = "0750";
                          description = "The read, write, execute permission flags.";
                        };
                        dir_mode = lib.mkOption {
                          type = lib.types.str;
                          default = "0755";
                          defaultText = "dir_mode";
                          example = "0755";
                          description = "The read, write, execute permission flags for any parent directories that need to be created.";
                        };
                        source = lib.mkOption {
                          type = lib.types.path;
                          defaultText = "me.install.file.‹path›.source";
                          example = ./files/foo.txt;
                          description = "The source file to install into the destination.";
                        };
                        recursive = lib.mkOption {
                          type = lib.types.bool;
                          default = false;
                          defaultText = "recursive";
                          example = lib.literalExpression false;
                          description = "Whether we want to recurse through the directory doing individual installs for each file.";
                        };
                      };
                      config = {
                        username = lib.mkDefault username;
                        target = lib.mkDefault path;
                      };
                    }
                  )
                );
              };
            };
          }
        )
      );
    };
  };
  config =
    let
      all_users = builtins.map (username: cfg.user."${username}") (attrNames cfg.user);
      enabled_users = filter (user: user.enable) all_users;
      all_file_targets = lib.flatten (
        builtins.map (user: (builtins.map (path: user.file."${path}") (attrNames user.file))) enabled_users
      );
      enabled_file_targets = filter (target: target.enable) all_file_targets;
      check_commands = lib.flatten (builtins.map (install_user_file "check") enabled_file_targets);
      install_commands = lib.flatten (builtins.map (install_user_file "install") enabled_file_targets);
      uninstall_commands = lib.flatten (
        builtins.map (install_user_file "uninstall") enabled_file_targets
      );
    in
    {
      systemd.services.me-install-file = {
        enable = true;
        description = "me-install-file";
        wantedBy = [ "multi-user.target" ];
        wants = [ "multi-user.target" ];
        before = [ "multi-user.target" ];
        # path = with pkgs; [
        #   zfs
        # ];
        unitConfig.DefaultDependencies = "no";
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = "yes";
        };
        script =
          ''
            set -o pipefail
            IFS=$'\n\t'
            source ${./files/lib.bash}
          ''
          + (lib.strings.concatStringsSep "\n" (
            [
            ]
            ++ check_commands
            ++ install_commands
          ));
        preStop =
          ''
            set -o pipefail
            IFS=$'\n\t'
            source ${./files/lib.bash}
          ''
          + (lib.strings.concatStringsSep "\n" uninstall_commands);
      };
    };
 }
--- a/nix/yubipi/util/install_files/files/lib.bash
+++ b/nix/yubipi/util/install_files/files/lib.bash
@@ -0,0 +1,38 @@
 #!/usr/bin/env bash
 #
 ############## Setup #########################
 function die {
    local status_code="$1"
    shift
    (>&2 echo "${@}")
    exit "$status_code"
 }
 function log {
    (>&2 echo "${@}")
 }
 ############## Program #########################
 function create_containing_directories {
    local full_dest="$1"
    shift 1
    local dirs_to_create=()
    local containing_directory="$full_dest"
    while true; do
        containing_directory=$(dirname "$containing_directory")
        if [ -e "$containing_directory" ] || [ "$containing_directory" = "/" ]; then
            break
        fi
        dirs_to_create+=($containing_directory)
    done
    for (( idx=${#dirs_to_create[@]}-1 ; idx>=0 ; idx-- )) ; do
        local containing_directory="${dirs_to_create[idx]}"
        log "Creating $containing_directory"
        $DRY_RUN_CMD install $VERBOSE_ARG -d "${@}" "$containing_directory"
    done
 }
--- a/nix/yubipi/util/unfree_polyfill/default.nix
+++ b/nix/yubipi/util/unfree_polyfill/default.nix
@@ -0,0 +1,15 @@
 { config, lib, ... }:
 let
  inherit (builtins) elem;
  inherit (lib) getName mkOption;
  inherit (lib.types) listOf str;
 in
 {
  # Pending https://github.com/NixOS/nixpkgs/issues/55674
  options.allowedUnfree = mkOption {
    type = listOf str;
    default = [ ];
  };
  config.nixpkgs.config.allowUnfreePredicate = p: elem (getName p) config.allowedUnfree;
 }
Author	SHA1	Message	Date
Tom Alexander	3733e76d18	Add a build for the yubikey management raspberry pi image.	2025-10-08 21:24:44 -04:00
Tom Alexander	3d9513f2c5	Move ansible-sshjail and zsh-histdb into my config instead of living as separate flakes.	2025-10-05 21:37:57 -04:00
Tom Alexander	ae6cce96a2	Support running arm code on x86.	2025-10-05 20:43:04 -04:00
Tom Alexander	3274d1903f	Replace GNU coreutils with uutils.	2025-10-05 20:04:03 -04:00
Tom Alexander	a01b58f6ac	use-remote-sudo has been replaced with sudo.	2025-10-05 15:17:34 -04:00
Tom Alexander	fb7b1322da	Remove hack for turning off wifi power saving from quark shell init.	2025-10-05 14:55:42 -04:00
Tom Alexander	69b6a81b8b	Update packages.	2025-10-05 14:07:04 -04:00
Tom Alexander	f5c30860ab	Install uv.	2025-10-05 14:04:01 -04:00
Tom Alexander	255b39df0a	Disable the nix binary cache. It is technically a risk and since I build most of my software anyway, I'm not getting much benefit.	2025-10-05 14:04:01 -04:00
Tom Alexander	da66a6917b	Update amd-debug-tools to 0.2.8.	2025-09-29 21:17:30 -04:00
Tom Alexander	ad2c4809d7	Fix building the hydra vm ISO.	2025-09-28 11:38:18 -04:00
Tom Alexander	fe49204e3f	Enable optimizations on some packages that are no longer broken.	2025-09-28 11:38:17 -04:00
Tom Alexander	fa44003fad	Disable wifi powersaving.	2025-09-26 22:35:04 -04:00
Tom Alexander	bc0a64fb8b	Update packages.	2025-09-26 22:34:43 -04:00
Tom Alexander	3048b62834	ControlPortOverNL80211 no longer needs to be disabled for the QCNCM865 in my laptop.	2025-09-26 20:22:22 -04:00
Tom Alexander	08b424e1f3	Minor cleanups for emacs.	2025-09-25 20:15:52 -04:00
Tom Alexander	185c43761c	Add sequoia.	2025-09-25 20:13:56 -04:00
Tom Alexander	37abf58271	Add a qemu port of my bhyverc script for running virtual machines on Linux.	2025-09-19 21:04:58 -04:00
Tom Alexander	3b007f8bc5	Support transcoding from 10bit to 8bit video.	2025-09-17 19:50:07 -04:00
Tom Alexander	d358e9383e	Add noto fonts for ⏵ in nix output monitor.	2025-09-14 12:42:21 -04:00
`@@ -1 +1 @@`
	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908`	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8`