Add a build for the yubikey management raspberry pi image.

It is technically a risk and since I build most of my software anyway, I'm not getting much benefit.

ansible/roles/sshd/files/keys/yubikey.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8

nix/configuration/configuration.nix

@@ -22,6 +22,7 @@
     ./roles/docker
     ./roles/ecc
     ./roles/emacs
+    ./roles/emulate_isa
     ./roles/firefox
     ./roles/firewall
     ./roles/flux
@@ -47,6 +48,7 @@
     ./roles/nix_index
     ./roles/nix_worker
     ./roles/nvme
+    ./roles/openpgp_card_tools
     ./roles/optimized_build
     ./roles/pcsx2
     ./roles/podman
@@ -55,6 +57,7 @@
     ./roles/reset
     ./roles/rpcs3
     ./roles/rust
+    ./roles/sequoia
     ./roles/shadps4
     ./roles/shikane
     ./roles/shipwright
@@ -69,11 +72,13 @@
     ./roles/tekton
     ./roles/terraform
     ./roles/thunderbolt
+    ./roles/uutils
     ./roles/vnc_client
     ./roles/vscode
     ./roles/wasm
     ./roles/waybar
     ./roles/wireguard
+    ./roles/yubikey
     ./roles/zfs
     ./roles/zrepl
     ./roles/zsh
@@ -97,6 +102,7 @@
   nix.extraOptions = ''
     keep-outputs = true
     keep-derivations = true
+    substitute = false
   '';
 
   # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
@@ -120,7 +126,7 @@
     # Generate with `mkpasswd -m scrypt`
     hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
       "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
       "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
     ];
@@ -137,6 +143,7 @@
     options = "--delete-older-than 30d";
   };
   nix.settings.auto-optimise-store = !config.me.buildingIso;
+  nix.settings.substituters = lib.mkForce [ ];
 
   # Use doas instead of sudo
   security.doas.enable = true;
@@ -171,7 +178,7 @@
     nix-tree
     libarchive # bsdtar
     lsof
-    doas-sudo-shim # To support --use-remote-sudo for remote builds
+    doas-sudo-shim # To support --sudo for remote builds
     dmidecode # Read SMBIOS information.
     ipcalc
     gptfdisk # for cgdisk

nix/configuration/flake.lock

@@ -1,22 +1,5 @@
 {
   "nodes": {
-    "ansible-sshjail": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "path": "flakes/ansible-sshjail",
-        "type": "path"
-      },
-      "original": {
-        "path": "flakes/ansible-sshjail",
-        "type": "path"
-      },
-      "parent": []
-    },
     "crane": {
       "locked": {
         "lastModified": 1731098351,
@@ -39,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756733629,
+        "lastModified": 1758287904,
-        "narHash": "sha256-dwWGlDhcO5SMIvMSTB4mjQ5Pvo2vtxvpIknhVnSz2I8=",
+        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "a5c4f2ab72e3d1ab43e3e65aa421c6f2bd2e12a1",
+        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
         "type": "github"
       },
       "original": {
@@ -89,42 +72,6 @@
         "type": "github"
       }
     },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_2"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
@@ -190,11 +137,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1756787288,
+        "lastModified": 1759381078,
-        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
         "type": "github"
       },
       "original": {
@@ -238,11 +185,11 @@
     },
     "nixpkgs-unoptimized": {
       "locked": {
-        "lastModified": 1756787288,
+        "lastModified": 1759381078,
-        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
         "type": "github"
       },
       "original": {
@@ -281,14 +228,12 @@
     },
     "root": {
       "inputs": {
-        "ansible-sshjail": "ansible-sshjail",
         "disko": "disko",
         "impermanence": "impermanence",
         "lanzaboote": "lanzaboote",
         "nixpkgs": "nixpkgs",
         "nixpkgs-dda3dcd3f": "nixpkgs-dda3dcd3f",
-        "nixpkgs-unoptimized": "nixpkgs-unoptimized",
+        "nixpkgs-unoptimized": "nixpkgs-unoptimized"
-        "zsh-histdb": "zsh-histdb"
       }
     },
     "rust-overlay": {
@@ -311,53 +256,6 @@
         "repo": "rust-overlay",
         "type": "github"
       }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "zsh-histdb": {
-      "inputs": {
-        "flake-utils": "flake-utils_2",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "path": "flakes/zsh-histdb",
-        "type": "path"
-      },
-      "original": {
-        "path": "flakes/zsh-histdb",
-        "type": "path"
-      },
-      "parent": []
     }
   },
   "root": "root",

nix/configuration/flake.nix

@@ -31,8 +31,6 @@
 #
 # doas nix --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/odo/disk-config.nix
 
-# nix flake update zsh-histdb --flake .
-# nix flake update ansible-sshjail --flake .
 # for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 # nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#vm_ionlybootzfs"
 #
@@ -51,18 +49,6 @@
       # Optional but recommended to limit the size of your system closure.
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    zsh-histdb = {
-      url = "path:flakes/zsh-histdb";
-
-      # Optional but recommended to limit the size of your system closure.
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    ansible-sshjail = {
-      url = "path:flakes/ansible-sshjail";
-
-      # Optional but recommended to limit the size of your system closure.
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     disko = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -77,8 +63,6 @@
       nixpkgs-dda3dcd3f,
       impermanence,
       lanzaboote,
-      zsh-histdb,
-      ansible-sshjail,
       ...
     }@inputs:
     let
@@ -98,12 +82,6 @@
           impermanence.nixosModules.impermanence
           lanzaboote.nixosModules.lanzaboote
           inputs.disko.nixosModules.disko
-          {
-            nixpkgs.overlays = [
-              zsh-histdb.overlays.default
-              ansible-sshjail.overlays.default
-            ];
-          }
           ./configuration.nix
         ];
       };
@@ -193,7 +171,7 @@
           };
           hydra =
             let
-              additional_iso_modules = additional_iso_modules ++ [
+              hydra_additional_iso_modules = additional_iso_modules ++ [
                 {
                   me.optimizations.enable = true;
                 }
@@ -206,13 +184,13 @@
                 ];
               };
               iso = main // {
-                modules = main.modules ++ additional_iso_modules;
+                modules = main.modules ++ hydra_additional_iso_modules;
               };
               vm = main // {
                 modules = main.modules ++ additional_vm_modules;
               };
               vm_iso = main // {
-                modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+                modules = main.modules ++ additional_vm_modules ++ hydra_additional_iso_modules;
               };
             };
           ionlybootzfs = rec {

nix/configuration/flakes/ansible-sshjail/flake.lock

@@ -1,61 +0,0 @@
-{
-  "nodes": {
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1735141468,
-        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}

nix/configuration/flakes/ansible-sshjail/flake.nix

@@ -1,34 +0,0 @@
-{
-  description = "A slightly better history for zsh";
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
-  inputs.flake-utils.url = "github:numtide/flake-utils";
-
-  outputs =
-    {
-      self,
-      nixpkgs,
-      flake-utils,
-      ...
-    }:
-    let
-      out =
-        system:
-        let
-          pkgs = nixpkgs.legacyPackages.${system};
-          # Maybe pkgs = import nixpkgs { inherit system; }; ?
-          appliedOverlay = self.overlays.default pkgs pkgs;
-        in
-        {
-          packages = rec {
-            default = ansible-sshjail;
-            ansible-sshjail = appliedOverlay.ansible-sshjail;
-          };
-        };
-    in
-    flake-utils.lib.eachDefaultSystem out
-    // {
-      overlays.default = final: prev: {
-        ansible-sshjail = final.callPackage ./package.nix { };
-      };
-    };
-}

nix/configuration/flakes/zsh-histdb/flake.lock

@@ -1,61 +0,0 @@
-{
-  "nodes": {
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1735141468,
-        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}

nix/configuration/flakes/zsh-histdb/flake.nix

@@ -1,34 +0,0 @@
-{
-  description = "A slightly better history for zsh";
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
-  inputs.flake-utils.url = "github:numtide/flake-utils";
-
-  outputs =
-    {
-      self,
-      nixpkgs,
-      flake-utils,
-      ...
-    }:
-    let
-      out =
-        system:
-        let
-          pkgs = nixpkgs.legacyPackages.${system};
-          # Maybe pkgs = import nixpkgs { inherit system; }; ?
-          appliedOverlay = self.overlays.default pkgs pkgs;
-        in
-        {
-          packages = rec {
-            default = zsh-histdb;
-            zsh-histdb = appliedOverlay.zsh-histdb;
-          };
-        };
-    in
-    flake-utils.lib.eachDefaultSystem out
-    // {
-      overlays.default = final: prev: {
-        zsh-histdb = final.callPackage ./package.nix { };
-      };
-    };
-}

nix/configuration/hosts/hydra/DEPLOY_BOOT

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=hydra
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#hydra'

nix/configuration/hosts/hydra/DEPLOY_SWITCH

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=hydra
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#hydra'

nix/configuration/hosts/hydra/ISO

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/hydra/VM_ISO

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#vm_iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+install -m 0644 result/iso/nixos-*-x86_64-linux.iso ~/hydra.iso
+unlink ./result

nix/configuration/hosts/hydra/default.nix

@@ -24,7 +24,6 @@
   imports = [
     ./disk-config.nix
     ./hardware-configuration.nix
-    ./optimized_build.nix
     ./vm_disk.nix
   ];
 

nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET="ionlybootzfs"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs'

nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=ionlybootzfs
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs'

nix/configuration/hosts/ionlybootzfs/ISO

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/neelix/DEPLOY_BOOT

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=neelix
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'

nix/configuration/hosts/neelix/DEPLOY_SWITCH

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=neelix
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'

nix/configuration/hosts/odo/DEPLOY_BOOT

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=odo
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#odo'

nix/configuration/hosts/odo/DEPLOY_SWITCH

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=odo
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#odo'

nix/configuration/hosts/odo/ISO

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.odo" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/SELF_BOOT

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/SELF_BUILD

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/SELF_SWITCH

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/odo/default.nix

@@ -15,108 +15,115 @@
     ./framework_module.nix
   ];
 
-  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  config = {
-  networking.hostId = "908cbf04";
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "908cbf04";
 
-  networking.hostName = "odo"; # Define your hostname.
+    networking.hostName = "odo"; # Define your hostname.
 
-  time.timeZone = "America/New_York";
+    time.timeZone = "America/New_York";
-  i18n.defaultLocale = "en_US.UTF-8";
+    i18n.defaultLocale = "en_US.UTF-8";
 
-  me.secureBoot.enable = true;
+    me.secureBoot.enable = true;
 
-  me.optimizations = {
+    me.optimizations = {
-    enable = true;
+      enable = true;
-    arch = "znver4";
+      arch = "znver4";
-    system_features = [
+      system_features = [
-      "gccarch-znver4"
+        "gccarch-znver4"
-      "gccarch-skylake"
+        "gccarch-skylake"
-      # "gccarch-alderlake" missing WAITPKG
+        # "gccarch-alderlake" missing WAITPKG
-      "gccarch-x86-64-v3"
+        "gccarch-x86-64-v3"
-      "gccarch-x86-64-v4"
+        "gccarch-x86-64-v4"
-      "benchmark"
+        "benchmark"
-      "big-parallel"
+        "big-parallel"
-      "kvm"
+        "kvm"
-      "nixos-test"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    environment.systemPackages = with pkgs; [
+      fw-ectool
+      framework-tool
     ];
+
+    # Enable light sensor
+    # hardware.sensor.iio.enable = lib.mkDefault true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    me.alacritty.enable = true;
+    me.amd_s2idle.enable = true;
+    me.ansible.enable = true;
+    me.ares.enable = true;
+    me.bluetooth.enable = true;
+    me.chromecast.enable = true;
+    me.chromium.enable = true;
+    me.d2.enable = true;
+    me.direnv.enable = true;
+    me.docker.enable = false;
+    me.ecc.enable = false;
+    me.emacs_flavor = "full";
+    me.emulate_isa.enable = true;
+    me.firefox.enable = true;
+    me.flux.enable = true;
+    me.gcloud.enable = true;
+    me.git.config = ../../roles/git/files/gitconfig_home;
+    me.gnuplot.enable = true;
+    me.gpg.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "amd";
+    me.iso_mount.enable = true;
+    me.kanshi.enable = false;
+    me.kubernetes.enable = true;
+    me.latex.enable = true;
+    me.launch_keyboard.enable = true;
+    me.lvfs.enable = true;
+    me.media.enable = true;
+    me.nix_index.enable = true;
+    me.openpgp_card_tools.enable = true;
+    me.pcsx2.enable = true;
+    me.podman.enable = true;
+    me.python.enable = true;
+    me.qemu.enable = true;
+    me.rpcs3.enable = true;
+    me.rust.enable = true;
+    me.sequoia.enable = true;
+    me.shadps4.enable = true;
+    me.shikane.enable = true;
+    me.sops.enable = true;
+    me.sound.enable = true;
+    me.spaghettikart.enable = true;
+    me.steam.enable = true;
+    me.steam_run_free.enable = true;
+    me.sway.enable = true;
+    me.tekton.enable = true;
+    me.terraform.enable = true;
+    me.thunderbolt.enable = true;
+    me.uutils.enable = false;
+    me.vnc_client.enable = true;
+    me.vscode.enable = true;
+    me.wasm.enable = true;
+    me.waybar.enable = true;
+    me.wireguard.activated = [
+      "drmario"
+      "wgh"
+      "colo"
+    ];
+    me.wireguard.deactivated = [ "wgf" ];
+    me.yubikey.enable = true;
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+
+    me.sm64ex.enable = true;
+    me.shipwright.enable = true;
+    me.ship2harkinian.enable = true;
   };
-
-  # Early KMS
-  boot.initrd.kernelModules = [ "amdgpu" ];
-
-  # Mount tmpfs at /tmp
-  boot.tmp.useTmpfs = true;
-
-  environment.systemPackages = with pkgs; [
-    fw-ectool
-    framework-tool
-  ];
-
-  # Enable light sensor
-  # hardware.sensor.iio.enable = lib.mkDefault true;
-
-  # Enable TRIM
-  # services.fstrim.enable = lib.mkDefault true;
-
-  me.alacritty.enable = true;
-  me.amd_s2idle.enable = true;
-  me.ansible.enable = true;
-  me.ares.enable = true;
-  me.bluetooth.enable = true;
-  me.chromecast.enable = true;
-  me.chromium.enable = true;
-  me.d2.enable = true;
-  me.direnv.enable = true;
-  me.docker.enable = false;
-  me.ecc.enable = false;
-  me.emacs_flavor = "full";
-  me.firefox.enable = true;
-  me.flux.enable = true;
-  me.gcloud.enable = true;
-  me.git.config = ../../roles/git/files/gitconfig_home;
-  me.gnuplot.enable = true;
-  me.gpg.enable = true;
-  me.graphical = true;
-  me.graphics_card_type = "amd";
-  me.iso_mount.enable = true;
-  me.kanshi.enable = false;
-  me.kubernetes.enable = true;
-  me.latex.enable = true;
-  me.launch_keyboard.enable = true;
-  me.lvfs.enable = true;
-  me.media.enable = true;
-  me.nix_index.enable = true;
-  me.pcsx2.enable = true;
-  me.podman.enable = true;
-  me.python.enable = true;
-  me.qemu.enable = true;
-  me.rpcs3.enable = true;
-  me.rust.enable = true;
-  me.shadps4.enable = true;
-  me.shikane.enable = true;
-  me.sops.enable = true;
-  me.sound.enable = true;
-  me.spaghettikart.enable = true;
-  me.steam.enable = true;
-  me.steam_run_free.enable = true;
-  me.sway.enable = true;
-  me.tekton.enable = true;
-  me.terraform.enable = true;
-  me.thunderbolt.enable = true;
-  me.vnc_client.enable = true;
-  me.vscode.enable = true;
-  me.wasm.enable = true;
-  me.waybar.enable = true;
-  me.wireguard.activated = [
-    "drmario"
-    "wgh"
-    "colo"
-  ];
-  me.wireguard.deactivated = [ "wgf" ];
-  me.zrepl.enable = true;
-  me.zsh.enable = true;
-
-  me.sm64ex.enable = true;
-  me.shipwright.enable = true;
-  me.ship2harkinian.enable = true;
 }

nix/configuration/hosts/quark/DEPLOY_BOOT

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=quark
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#quark'

nix/configuration/hosts/quark/DEPLOY_SWITCH

@@ -10,10 +10,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # TARGET=192.168.211.250
 TARGET=quark
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 
-nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
 
 # rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#quark'

nix/configuration/hosts/quark/ISO

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.quark" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/SELF_BOOT

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild boot --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/SELF_BUILD

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild build --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/SELF_SWITCH

@@ -6,7 +6,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
 
-nix flake update zsh-histdb --flake "$DIR/../../"
-nix flake update ansible-sshjail --flake "$DIR/../../"
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nixos-rebuild switch --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/quark/default.nix

@@ -10,7 +10,6 @@
     ./distributed_build.nix
     ./hardware-configuration.nix
     ./power_management.nix
-    ./wifi.nix
   ];
 
   config = {
@@ -26,7 +25,7 @@
 
     me.optimizations = {
       enable = true;
-      arch = "znver5";
+      arch = "znver4";
       system_features = [
         "gccarch-znver4"
         "gccarch-znver5"
@@ -65,6 +64,7 @@
     me.docker.enable = false;
     me.ecc.enable = true;
     me.emacs_flavor = "full";
+    me.emulate_isa.enable = true;
     me.firefox.enable = true;
     me.flux.enable = true;
     me.gcloud.enable = true;
@@ -82,12 +82,14 @@
     me.media.enable = true;
     me.nix_index.enable = true;
     me.nix_worker.enable = true;
+    me.openpgp_card_tools.enable = true;
     me.pcsx2.enable = true;
     me.podman.enable = true;
     me.python.enable = true;
     me.qemu.enable = true;
     me.rpcs3.enable = true;
     me.rust.enable = true;
+    me.sequoia.enable = true;
     me.shadps4.enable = true;
     me.shikane.enable = true;
     me.sops.enable = true;
@@ -99,6 +101,7 @@
     me.tekton.enable = true;
     me.terraform.enable = true;
     me.thunderbolt.enable = true;
+    me.uutils.enable = false;
     me.vnc_client.enable = true;
     me.vscode.enable = true;
     me.wasm.enable = true;
@@ -109,6 +112,7 @@
       "colo"
     ];
     me.wireguard.deactivated = [ "wgf" ];
+    me.yubikey.enable = true;
     me.zrepl.enable = true;
     me.zsh.enable = true;
 

nix/configuration/hosts/quark/wifi.nix

@@ -1,16 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  imports = [ ];
-
-  config = {
-    environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
-      doas iw dev wlan0 set power_save off
-    '';
-  };
-}

nix/configuration/roles/amd_s2idle/package.nix

@@ -8,7 +8,7 @@
 }:
 
 let
-  version = "0.2.7";
+  version = "0.2.8";
 in
 python3Packages.buildPythonApplication {
   pname = "amd-debug-tools";
@@ -16,27 +16,28 @@ python3Packages.buildPythonApplication {
   pyproject = true;
 
   build-system = with python3Packages; [
-    setuptools
-    setuptools-git-versioning
-    setuptools-git
     pyudev
+    setuptools
+    setuptools-git
+    setuptools-git-versioning
   ];
   dependencies = with python3Packages; [
+    acpica-tools
     cysystemd
+    dbus-fast
+    ethtool
     jinja2
+    libdisplay-info
     matplotlib
     pandas
     pyudev
     seaborn
     tabulate
-    acpica-tools
-    ethtool
-    libdisplay-info
   ];
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git";
     tag = version;
-    hash = "sha256-6X9cUKN0BkkKcYGU+YJYCGT+l5iUZDN+D8Fqq/ns98Q=";
+    hash = "sha256-EmXsW7Q5WMFL32LWr29W3GnGpw5aj53wlp9KbFV1r0Q=";
     leaveDotGit = true;
   };
 
@@ -52,6 +53,7 @@ python3Packages.buildPythonApplication {
   meta = {
     description = "Debug tools for AMD zen systems";
     homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git/";
+    changelog = "https://git.kernel.org/pub/scm/linux/kernel/git/superm1/amd-debug-tools.git/tag/?h=${version}";
     license = lib.licenses.mit;
     platforms = lib.platforms.linux;
   };

nix/configuration/roles/ansible/default.nix

@@ -25,6 +25,9 @@
         ];
 
         nixpkgs.overlays = [
+          (final: prev: {
+            ansible-sshjail = (final.callPackage ./package/ansible-sshjail/package.nix { });
+          })
           (final: prev: {
             ansible = pkgs.symlinkJoin {
               name = "ansible";

nix/configuration/roles/distributed_build/default.nix

@@ -58,12 +58,13 @@ in
               ];
               maxJobs = 1;
               supportedFeatures = [
-                # "nixos-test"
+                "nixos-test"
                 "benchmark"
                 "big-parallel"
                 # "kvm"
                 "gccarch-x86-64-v3"
                 "gccarch-x86-64-v4"
+                "gccarch-skylake"
                 "gccarch-znver4"
               ];
             }
@@ -86,12 +87,16 @@ in
               ];
               maxJobs = 1;
               supportedFeatures = [
-                # "nixos-test"
+                "gccarch-armv6"
+                "gccarch-aarch64"
+                "gccarch-riscv64"
+                "nixos-test"
                 "benchmark"
                 "big-parallel"
-                # "kvm"
+                "kvm"
                 "gccarch-x86-64-v3"
                 "gccarch-x86-64-v4"
+                "gccarch-skylake"
                 "gccarch-znver4"
                 "gccarch-znver5"
               ];

nix/configuration/roles/emacs/files/emacs/elisp/base.el

@@ -6,11 +6,13 @@
              )
 
 (use-package auto-package-update
-   :ensure t
+  :ensure t
-   :config
+  :custom
-   (setq auto-package-update-delete-old-versions t
+  (auto-package-update-interval 14)
-         auto-package-update-interval 14)
+  (auto-package-update-delete-old-versions t)
-   (auto-package-update-maybe))
+  :config
+  (auto-package-update-maybe)
+  )
 
 (defun assert-directory (p)
   (unless (file-exists-p p) (make-directory p t))
@@ -110,9 +112,6 @@
 
 ;; (setq-default fringes-outside-margins t)
 
-;; Per-pixel scrolling instead of per-line
-(pixel-scroll-precision-mode)
-
 ;; Typed text replaces selection
 (delete-selection-mode)
 

nix/configuration/roles/emulate_isa/default.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    emulate_isa.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to enable emulating other CPU architectures.";
+    };
+  };
+
+  config = lib.mkIf config.me.emulate_isa.enable (
+    lib.mkMerge [
+      {
+        boot.binfmt.emulatedSystems = [
+          "aarch64-linux" # Raspberry Pi gen 3
+          "riscv64-linux"
+          # TODO: Should "x86_64-linux" be in this list or should this list be dependent on the host CPU?
+          "armv6l-linux" # Raspberry Pi gen 1
+        ];
+
+        me.optimizations = {
+          system_features = [
+            "gccarch-armv6"
+            "gccarch-aarch64"
+            "gccarch-riscv64"
+          ];
+        };
+      }
+    ]
+  );
+}
+# NOTE: build nixosConfigurations.<name>.config.system.build.sdImage

nix/configuration/roles/fonts/default.nix

@@ -15,6 +15,7 @@
         cascadia-code
         source-sans-pro
         source-serif-pro
+        noto-fonts
         noto-fonts-cjk-sans
         noto-fonts-cjk-serif
         noto-fonts-color-emoji

nix/configuration/roles/git/files/gitconfig_home

@@ -1,7 +1,7 @@
 [user]
 	email = tom@fizz.buzz
 	name = Tom Alexander
-	signingkey = D3A179C9A53C0EDE
+	signingkey = 36C99E8B3C39D85F
 [push]
 	default = simple # (default since 2.0)
 [alias]
@@ -53,3 +53,6 @@
 	autoStash = true
         # updateRefs was annoying when you want to split a branch in two by rebasing away from commits from one branch and rebasing away some commits from another branch.
 	updateRefs = false
+# Disabled because ephemeral pin storage is not yet ready in openpgp-card-state
+# [gpg]
+# 	program = oct-git

nix/configuration/roles/gpg/default.nix

@@ -29,9 +29,7 @@ in
     lib.mkMerge [
       {
         # Fetch public keys:
-        # gpg --locate-keys tom@fizz.buzz
+        # gpg --locate-external-keys tom@fizz.buzz
-        #
-        # gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
 
         hardware.gpgSmartcards.enable = true;
         services.udev.packages = [
@@ -47,15 +45,6 @@ in
           })
         ];
         services.pcscd.enable = true;
-        # services.gnome.gnome-keyring.enable = true;
-
-        # services.dbus.packages = [ pkgs.gcr ];
-
-        # services.pcscd.plugins = lib.mkForce [ ];
-
-        #   programs.gpg.scdaemonSettings = {
-        #   disable-ccid = true;
-        # };
 
         me.install.user.talexander.file = {
           ".gnupg/scdaemon.conf" = {
@@ -63,16 +52,57 @@ in
           };
         };
 
-        # programs.gnupg.dirmngr.enable = true;
         programs.gnupg.agent = {
           enable = true;
           enableSSHSupport = true;
           pinentryPackage = pkgs.pinentry-qt;
+          # Settings block populates /etc/gnupg/gpg-agent.conf
           # settings = {
-          #   disable-ccid = true;
           # };
         };
 
+        # Disabled because it breaks signing git commits because gpg wants to copy pubring.kbx. Unfortunately, this makes the install of scdaemon.conf do nothing since this mount of the full .gnupg directory goes over it.
+        #
+        # environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+        #   hideMounts = true;
+        #   users.talexander = {
+        #     files = [
+        #       {
+        #         file = ".gnupg/trustdb.gpg";
+        #         parentDirectory = {
+        #           mode = "u=rwx,g=,o=";
+        #         };
+        #       }
+        #       {
+        #         file = ".gnupg/pubring.kbx";
+        #         parentDirectory = {
+        #           mode = "u=rwx,g=,o=";
+        #         };
+        #       }
+        #       {
+        #         file = ".gnupg/tofu.db";
+        #         parentDirectory = {
+        #           mode = "u=rwx,g=,o=";
+        #         };
+        #       }
+        #     ];
+        #     directories = [
+        #       {
+        #         directory = ".gnupg/crls.d";
+        #         user = "talexander";
+        #         group = "talexander";
+        #         mode = "0700";
+        #       }
+        #       {
+        #         directory = ".gnupg/private-keys-v1.d";
+        #         user = "talexander";
+        #         group = "talexander";
+        #         mode = "0700";
+        #       }
+        #     ];
+        #   };
+        # };
+
         environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
           hideMounts = true;
           users.talexander = {
@@ -82,7 +112,7 @@ in
                 user = "talexander";
                 group = "talexander";
                 mode = "0700";
-              } # Local keyring
+              }
             ];
           };
         };
@@ -90,8 +120,6 @@ in
         environment.systemPackages = with pkgs; [
           pcsclite
           pcsctools
-          yubikey-personalization
-          yubikey-manager
           glibcLocales
           ccid
           libusb-compat-0_1

nix/configuration/roles/gpg/files/gpg_test_wkd.bash

@@ -6,3 +6,6 @@ IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 gpg --no-default-keyring --keyring /tmp/gpg-$$ --auto-key-locate clear,wkd --locate-keys "${@}"
+
+# To generate files for the WKD:
+# gpg-wks-client --directory ./pgp/.well-known/openpgpkey --install-key <keyid> <email>

nix/configuration/roles/gpg/files/scdaemon.conf

@@ -1,6 +1,9 @@
 #reader-port Yubico Yubi
 disable-ccid
 
+# This setting enables other backends like oct to access the pgp card simultaneously but it also means that gpg will ask for the pin for EVERY ssh session which is annoying in scripts.
+#pcsc-shared
+
 #log-file /home/talexander/scd.log
 #verbose
 #debug cardio

nix/configuration/roles/kodi/default.nix

@@ -51,7 +51,7 @@
           # Generate with `mkpasswd -m scrypt`
           hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
           openssh.authorizedKeys.keys = [
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
             "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
             "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
           ];

nix/configuration/roles/media/files/cast_file_vaapi

@@ -123,11 +123,13 @@ function convert {
         if [ "$acceleration_type" == "software" ]; then
             args+=(-c:v h264)
             args+=(-profile:v high)
+            args+=(-vf format=yuv420p)
             args+=(-b:v "$VIDEO_BITRATE")
         elif [ "$acceleration_type" == "hardware" ]; then
             args+=(-vf 'format=nv12|vaapi,hwupload')
             args+=(-c:v h264_vulkan)
             args+=(-profile:v high)
+            args+=(-vf format=yuv420p)
             args+=(-b:v "$VIDEO_BITRATE")
         fi
     elif [ "$codec" == "av1" ]; then

nix/configuration/roles/network/default.nix

@@ -55,8 +55,20 @@
       General = {
         EnableNetworkConfiguration = true;
         AddressRandomization = "network";
-        ControlPortOverNL80211 = false;
       };
+      # Rank = {
+      #   BandModifier2_4GHz = 1.0;
+      #   BandModifier5GHz = 1.0;
+      #   BandModifier6GHz = 1.0;
+      # };
+      DriverQuirks = {
+        PowerSaveDisable = "*";
+        # ath12k_pci
+      };
+      # Scan = {
+      #   DisablePeriodicScan = true;
+      #   DisableRoamingScan = true;
+      # };
     };
   };
   environment.systemPackages = with pkgs; [
@@ -102,4 +114,19 @@
   #   })
   # ];
 
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     linux-firmware = prev.linux-firwmare.overrideAttrs (old: rec {
+  #       version = "20250917";
+
+  #       src = final.fetchFromGitLab {
+  #         owner = "kernel-firmware";
+  #         repo = "linux-firmware";
+  #         tag = version;
+  #         hash = "sha256-tecFB6WYEfBK9FB7Rv8nHLdefIoaFnHrpzXBl+iSd08=";
+  #       };
+  #     });
+  #   })
+  # ];
+
 }

nix/configuration/roles/nix_worker/default.nix

@@ -43,7 +43,7 @@
           hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
           openssh.authorizedKeys.keys = [
             # Normal keys:
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
             "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
             "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
             # Key for nix to connect:

nix/configuration/roles/openpgp_card_tools/default.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./openpgp-card-ssh-agent.nix
+  ];
+
+  options.me = {
+    openpgp_card_tools.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install openpgp-card-tools.";
+    };
+  };
+
+  config = lib.mkIf config.me.openpgp_card_tools.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          openpgp-card-tools
+          openpgp-card-tool-git
+          openpgp-card-ssh-agent
+        ];
+
+        nixpkgs.overlays = [
+          (final: prev: {
+            openpgp-card-tool-git = (final.callPackage ./package/openpgp-card-tool-git/package.nix { });
+            openpgp-card-ssh-agent = (final.callPackage ./package/openpgp-card-ssh-agent/package.nix { });
+          })
+        ];
+
+        me.install.user.talexander.file = {
+          ".config/openpgp-card-state/config.toml" = {
+            source = ./files/openpgp-card-state.toml;
+          };
+        };
+
+        # The current openpgp-card-ssh-agent has an outdated dependency on openpgp-card-state which makes it not handle my current openpgp-card-state.toml
+        # services.openpgp-card-ssh-agent.enable = true;
+      }
+    ]
+  );
+}

nix/configuration/roles/openpgp_card_tools/files/openpgp-card-state.toml

@@ -0,0 +1 @@
+default_pin_storage = "Pinentry"

nix/configuration/roles/openpgp_card_tools/openpgp-card-ssh-agent.nix

@@ -0,0 +1,94 @@
+# Upstream to nixpkgs/nixos/modules/services/networking/ssh/openpgp-card-ssh-agent.nix
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib)
+    mkIf
+    mkOption
+    mkEnableOption
+    mkPackageOption
+    mkDefault
+    types
+    concatMapStringsSep
+    generators
+    ;
+  cfg = config.services.openpgp-card-ssh-agent;
+in
+{
+  options.services.openpgp-card-ssh-agent = {
+
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to start openpgp-card-ssh-agent when you log in.
+        Also sets SSH_AUTH_SOCK to point at openpgp-card-ssh-agent.
+      '';
+    };
+
+    package = mkPackageOption pkgs "openpgp-card-ssh-agent" { };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.user.sockets.openpgp-card-ssh-agent = {
+      wantedBy = [ "sockets.target" ];
+      description = "A simple ssh-agent backed by OpenPGP card authentication keys";
+      documentation = [
+        "https://codeberg.org/openpgp-card/ssh-agent"
+        "man:ssh-add(1)"
+        "man:ssh-agent(1)"
+        "man:ssh(1)"
+      ];
+      socketConfig = {
+        ListenStream = "%t/openpgp-card/ssh-agent.sock";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
+    };
+
+    systemd.user.services.openpgp-card-ssh-agent = {
+      description = "A simple ssh-agent backed by OpenPGP card authentication keys";
+      documentation = [
+        "https://codeberg.org/openpgp-card/ssh-agent"
+        "man:ssh-add(1)"
+        "man:ssh-agent(1)"
+        "man:ssh(1)"
+      ];
+      after = [ "local-fs.target" ];
+      requires = [
+        "openpgp-card-ssh-agent.socket"
+        # "gnome-keyring-daemon.service"
+      ];
+
+      serviceConfig = {
+        ExecStart = ''
+          ${cfg.package}/bin/openpgp-card-ssh-agent -H fd://
+        '';
+      };
+    };
+
+    environment.extraInit = ''
+      if [ -z "$SSH_AUTH_SOCK" ] && [ -n "$XDG_RUNTIME_DIR" ]; then
+        export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/openpgp-card/ssh-agent.sock"
+      fi
+    '';
+
+    assertions = [
+      {
+        assertion = cfg.enable -> !config.programs.ssh.startAgent;
+        message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
+      }
+      {
+        assertion = cfg.enable -> !config.programs.gnupg.agent.enableSSHSupport;
+        message = "You can't use GnuPG agent with SSH support enabled and openpgp-card-ssh-agent at the same time!";
+      }
+    ];
+  };
+}

nix/configuration/roles/openpgp_card_tools/package/openpgp-card-ssh-agent/package.nix

@@ -0,0 +1,52 @@
+{
+  lib,
+  rustPlatform,
+  fetchFromGitea,
+  pkg-config,
+  pcsclite,
+  dbus,
+  openssl,
+  testers,
+  openpgp-card-ssh-agent,
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "openpgp-card-ssh-agent";
+  version = "0.3.4";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "openpgp-card";
+    repo = "ssh-agent";
+    rev = "v${version}";
+    hash = "sha256-nWbvEsVa7YJsBtVZfLQDB4CiaHP3GEYeYS32+WZv8PE=";
+  };
+
+  cargoHash = "sha256-nG7xebypXv7UAfu7sWbcp4DIhLv4lfzMrQUY6m2iDmw=";
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    openssl
+    pcsclite
+    dbus
+  ];
+
+  passthru = {
+    tests.version = testers.testVersion {
+      package = openpgp-card-ssh-agent;
+    };
+  };
+
+  meta = with lib; {
+    description = "An ssh agent that uses OpenPGP cards for your key";
+    homepage = "https://codeberg.org/openpgp-card/ssh-agent";
+    license = with licenses; [
+      asl20 # OR
+      mit
+    ];
+    mainProgram = "openpgp-card-ssh-agent";
+  };
+}

nix/configuration/roles/openpgp_card_tools/package/openpgp-card-tool-git/package.nix

@@ -0,0 +1,54 @@
+{
+  lib,
+  rustPlatform,
+  fetchFromGitea,
+  pkg-config,
+  pcsclite,
+  dbus,
+  openssl,
+  sqlite,
+  testers,
+  openpgp-card-tool-git,
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "openpgp-card-tool-git";
+  version = "0.1.6";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "openpgp-card";
+    repo = "oct-git";
+    rev = "v${version}";
+    hash = "sha256-38/JHzCkL3+0IbOacH54A5Hj03oDe9jDzcwp672a8LE=";
+  };
+
+  cargoHash = "sha256-j1Osj2rjLxrSKh82ym6PiIHVO1wLE7Ax2/5+pdRcv+E=";
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    openssl
+    pcsclite
+    dbus
+    sqlite
+  ];
+
+  passthru = {
+    tests.version = testers.testVersion {
+      package = openpgp-card-tool-git;
+    };
+  };
+
+  meta = with lib; {
+    description = "Tool for using OpenPGP cards with git";
+    homepage = "https://codeberg.org/openpgp-card/oct-git";
+    license = with licenses; [
+      asl20 # OR
+      mit
+    ];
+    mainProgram = "oct-git";
+  };
+}

nix/configuration/roles/optimized_build/default.nix

@@ -97,64 +97,9 @@
                 } prev.linux_6_16;
               }
             )
-            (final: prev: {
-              haskellPackages = prev.haskellPackages.extend (
-                final': prev': {
-                  inherit (pkgs-unoptimized.haskellPackages)
-                    crypto-token
-                    crypton
-                    crypton-connection
-                    crypton-x509
-                    crypton-x509-store
-                    crypton-x509-system
-                    crypton-x509-validation
-                    hspec-wai
-                    http-client-tls
-                    http2
-                    pandoc
-                    pandoc-cli
-                    pandoc-lua-engine
-                    pandoc-server
-                    servant-server
-                    tls
-                    tls-session-manager
-                    wai-app-static
-                    wai-extra
-                    warp
-                    warp-tls
-                    ;
-                }
-              );
-            })
-            # (final: prev: {
-            #   python = prev.python.override {
-            #     packageOverrides = python-final: python-prev: {
-            #       inherit (pkgs-unoptimized.pythonPackages) coverage;
-            #     };
-            #   };
-            # })
-            # (final: prev: {
-            #   pythonPackagesOverlays = prev.pythonPackagesOverlays.extend (
-            #     final': prev': {
-            #       inherit (pkgs-unoptimized.pythonPackagesOverlays)
-            #         coverage
-            #         ;
-            #     }
-            #   );
-            # })
-            # (final: prev: {
-            #   pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
-            #     (python-final: python-prev: {
-            #       inherit (pkgs-unoptimized.pythonPackages) coverage;
-            #     })
-            #   ];
-            # })
             (final: prev: {
               inherit (pkgs-unoptimized)
                 gsl
-                redis
-                valkey
-                nix-serve-ng
                 rapidjson
                 assimp
                 ;

nix/configuration/roles/python/default.nix

@@ -31,6 +31,7 @@
           pyright
           isort
           black
+          uv
         ];
 
         environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {

nix/configuration/roles/qemu/default.nix

@@ -5,6 +5,41 @@
   ...
 }:
 
+let
+  qemurc =
+    (pkgs.writeScriptBin "qemurc" (
+      builtins.readFile (
+        pkgs.replaceVars ./files/qemurc.bash {
+          "OVMFfd" = "${pkgs.OVMF.fd}";
+          mount_root = "/vm";
+          zfs_root = "zroot/linux/nix/vm";
+        }
+      )
+    )).overrideAttrs
+      (old: {
+        buildCommand = ''
+          ${old.buildCommand}
+          patchShebangs $out
+        '';
+      });
+  qemurc_wrapped =
+    (pkgs.writeScriptBin "qemurc" ''
+      #!/usr/bin/env bash
+      export "PATH=${
+        lib.makeBinPath [
+          pkgs.swtpm
+          pkgs.tmux
+        ]
+      }:''${PATH}"
+      exec ${qemurc}/bin/qemurc "''${@}"
+    '').overrideAttrs
+      (old: {
+        buildCommand = ''
+          ${old.buildCommand}
+          patchShebangs $out
+        '';
+      });
+in
 {
   imports = [ ];
 
@@ -22,6 +57,7 @@
       {
         environment.systemPackages = with pkgs; [
           qemu
+          qemurc_wrapped
         ];
       }
     ]

nix/configuration/roles/qemu/files/qemurc.bash

@@ -0,0 +1,375 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+#   mount -t virtfs -o trans=virtio sharename /some/vm/path
+#   mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+#   mount -t 9p -o trans=virtio,cache=mmap,msize=512000 bind9p /path/to/mountpoint
+
+# Example usage:
+#
+#   doas qemurc create-disk mint 10
+#   doas env CD=/vm/iso/linuxmint-22.2-cinnamon-64bit.iso qemurc start mint
+#   doas qemurc start mint
+#   doas env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/0 qemurc start mint
+
+
+: ${VERBOSE:="NO"} # or YES
+if [ "$VERBOSE" = "YES" ]; then
+    set -x
+fi
+
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${GTK_ENABLE:="NO"} # Only enable one, either GTK or VNC
+: ${VNC_ENABLE:="NO"} # Only enable one, either GTK or VNC
+: ${VNC_LISTEN:="127.0.0.1:0"}
+: ${VNC_WIDTH:="1920"}
+: ${VNC_HEIGHT:="1080"}
+: ${AUDIO_ENABLE:="NO"}
+: ${TPM_ENABLE:="NO"}
+: ${BIND9P:=""}
+: "${CD:=}"
+
+: ${SHUTDOWN_TIMEOUT:="600"}
+: ${MOUNT_ROOT:="@mount_root@"}
+: ${ZFS_ROOT:="@zfs_root@"}
+
+
+
+############## Setup #########################
+
+
+function cleanup {
+    sync
+
+    for p in "${pids[@]}"; do
+        log "Killing $p"
+        kill "$p"
+        log "Killed $p"
+    done
+
+    for vm in "${vms[@]}"; do
+        log "Stopping $vm"
+        stop_one "$vm"
+        log "Stopped $vm"
+    done
+}
+pids=()
+vms=()
+trap "set +e; cleanup" EXIT
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function main {
+    local cmd
+    cmd=$1
+    shift
+    if [ "$cmd" = "start" ]; then
+        init
+        start "${@}"
+    elif [ "$cmd" = "stop" ]; then
+        init
+        stop "${@}"
+    elif [ "$cmd" = "status" ]; then
+        init
+        status "${@}"
+    elif [ "$cmd" = "console" ]; then
+        init
+        console "${@}"
+    elif [ "$cmd" = "_start_body" ]; then
+        init
+        start_body "${@}"
+    elif [ "$cmd" = "create-disk" ]; then
+        create_disk "${@}"
+    else
+        (>&2 echo "Unknown command: $cmd")
+        exit 1
+    fi
+}
+
+function start {
+    local num_vms="$#"
+    if [ "$num_vms" -eq 0 ]; then
+        log "No VMs specified."
+        return 0
+    fi
+
+    while [ "$#" -gt 0 ]; do
+        local name="$1"
+        shift 1
+        log "Starting VM $name."
+        start_one "$name"
+        [ "$#" -eq 0 ] || sleep 5
+    done
+}
+
+function start_one {
+    local name="$1"
+    local tmux_name="$name"
+    tmux new-session -d -s "$tmux_name" "$0" "_start_body" "$name"
+}
+
+function launch_pidfile {
+    local pidfile="$1"
+    shift 1
+    mkdir -p "$(dirname "$pidfile")"
+    cat > "${pidfile}" <<< "$$"
+    set -x
+    exec "${@}"
+}
+export -f launch_pidfile
+
+function stop {
+    local num_vms="$#"
+    if [ "$num_vms" -eq 0 ]; then
+        log "No VMs specified."
+        return 0
+    fi
+
+    while [ "$#" -gt 0 ]; do
+        local name="$1"
+        shift 1
+        log "Stopping VM $name."
+        stop_one "$name"
+        [ "$#" -eq 0 ] || sleep 5
+    done
+}
+
+function stop_one {
+    local name="$1"
+    local pidfile="/run/qemurc/${name}/pid"
+
+    if [ ! -e "$pidfile" ]; then
+        log "Pid file $pidfile does not exist."
+        return 0
+    fi
+
+    local qemu_pid
+    qemu_pid=$(cat "$pidfile")
+
+    if ps -p "$qemu_pid" >/dev/null; then
+        # We cannot send a graceful shutdown command externally to qemu: https://gitlab.com/qemu-project/qemu/-/issues/148
+        log "Killing ${name}:${qemu_pid}."
+        kill -SIGTERM "$qemu_pid"
+    fi
+
+    local timeout_start timeout_end
+    timeout_start=$(date +%s)
+    while ps -p "$qemu_pid" >/dev/null; do
+        timeout_end=$(date +%s)
+        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
+            log "${name}:${qemu_pid} took more than $SHUTDOWN_TIMEOUT seconds to shut down. Hard powering down."
+            break
+        fi
+
+        log "Waiting for ${name}:${qemu_pid} to exit."
+        sleep 2
+    done
+
+    kill -9 "$qemu_pid"
+
+    local timeout_start timeout_end
+    timeout_start=$(date +%s)
+    while ps -p "$qemu_pid" >/dev/null; do
+        timeout_end=$(date +%s)
+        if [ $((timeout_end-timeout_start)) -ge "$SHUTDOWN_TIMEOUT" ]; then
+            log "${name}:${qemu_pid} took more than $SHUTDOWN_TIMEOUT seconds to hard power down. Giving up."
+            break
+        fi
+
+        log "Waiting for ${name}:${qemu_pid} to hard power down."
+        sleep 2
+    done
+
+    rm -f "$pidfile"
+
+    log "Finished stopping $name."
+}
+
+function status {
+    local num_vms="$#"
+
+    if [ "$num_vms" -gt 0 ]; then
+        for name in "$@"; do
+            status_one "$name"
+        done
+    else
+        log "No VMs specified."
+    fi
+}
+
+function status_one {
+    local name="$1"
+    local pidfile="/run/qemurc/${name}/pid"
+
+    if [ ! -e "$pidfile" ]; then
+        log "$name is not running."
+        return 0
+    fi
+
+    local qemu_pid
+    qemu_pid=$(cat "$pidfile")
+
+    if ! ps -p "$qemu_pid" >/dev/null; then
+        log "$name is not running."
+        return 0
+    fi
+
+    log "$name is running as pid $qemu_pid."
+}
+
+function console {
+    local num_vms="$#"
+
+    if [ "$num_vms" -gt 0 ]; then
+        for name in "$@"; do
+            log "Attaching to console of VM $name."
+            console_one "$name"
+        done
+    else
+        log "No VMs specified."
+    fi
+}
+
+function console_one {
+    local name="$1"
+    local tmux_name="$name"
+    exec tmux a -t "$tmux_name"
+}
+
+function init {
+    mkdir -p /run/qemurc
+}
+
+############## qemu ############################
+
+function create_disk {
+    local name="$1"
+    local gigabytes="$2"
+
+    local zfs_path="${ZFS_ROOT}/${name}"
+    local mount_path="${MOUNT_ROOT}/${name}"
+
+    zfs create -o mountpoint=none -o canmount=off "$zfs_path"
+    zfs create -o "mountpoint=$mount_path" -o canmount=on "$zfs_path/settings"
+    zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
+    zfs snapshot -r "$zfs_path@empty"
+
+    install -m0600 "@OVMFfd@/FV/OVMF_VARS.fd" "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+GTK_ENABLE="$GTK_ENABLE"
+VNC_ENABLE="$VNC_ENABLE"
+VNC_LISTEN="$VNC_LISTEN"
+VNC_WIDTH="$VNC_WIDTH"
+VNC_HEIGHT="$VNC_HEIGHT"
+AUDIO_ENABLE="$AUDIO_ENABLE"
+TPM_ENABLE="$TPM_ENABLE"
+BIND9P="$BIND9P"
+EOF
+
+}
+
+function start_body {
+    local name="$1"
+    local zfs_path="${ZFS_ROOT}/${name}"
+    local mount_path="${MOUNT_ROOT}/${name}"
+    local run_path="/run/qemurc/${name}"
+    local mount_cd="$CD"
+    local swtpm_sock="${run_path}/swtpm.sock"
+    local swtpm_path="${MOUNT_ROOT}/${name}/swtpm"
+
+    install -d -m 0700 "$run_path"
+
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
+
+    local additional_args=()
+
+    if [ -n "$BIND9P" ]; then
+        additional_args+=(-device "virtio-9p-type,fsdev=${BIND9P},mount_tag=bind9p")
+    fi
+
+    if [ -n "$mount_cd" ]; then
+        additional_args+=(-cdrom "$mount_cd")
+    fi
+    if [ "$VNC_ENABLE" = "YES" ]; then
+        additional_args+=(-vnc "${VNC_LISTEN},power-control=on")
+    fi
+
+    if [ "$AUDIO_ENABLE" = "YES" ]; then
+        additional_args+=(-audio "driver=pa,model=virtio,server=/run/user/11235/pulse/native")
+    fi
+
+    if [ "$TPM_ENABLE" = "YES" ]; then
+        install -d -m 0700 "$swtpm_path"
+        swtpm socket --tpm2 --tpmstate dir="$swtpm_path" --ctrl type=unixio,path="$swtpm_sock" &
+        local tpm_pid=$!
+        pids+=("$tpm_pid")
+        additional_args+=(-chardev "socket,id=chrtpm,path=$swtpm_sock"
+                          -tpmdev "emulator,id=tpm0,chardev=chrtpm"
+                          -device "tpm-tis,tpmdev=tpm0")
+    fi
+
+    if [ "$GTK_ENABLE" = "YES" ]; then
+        additional_args+=(
+            -device 'virtio-gpu-gl,hostmem=8G,blob=true,venus=true'
+            -display 'gtk,gl=on'
+            -vga virtio
+        )
+    fi
+
+
+    vms+=("$name")
+
+    local pidfile="/run/qemurc/${name}/pid"
+
+    local launch_cmd=()
+    launch_cmd+=(
+        launch_pidfile "$pidfile"
+        qemu-system-x86_64
+        -accel kvm
+        -cpu host
+        -smp cores="$CPU_CORES"
+        -m "$MEMORY"
+        -rtc base=localtime
+        -drive "file=\"@OVMFfd@/FV/OVMF_CODE.fd\",if=pflash,format=raw,readonly=on"
+        -drive "if=pflash,format=raw,file=\"$(readlink -f "${mount_path}/OVMF_VARS.fd")\""
+        -drive "if=none,file=/dev/zvol/${zfs_path}/disk0,format=raw,id=hd0"
+        -device 'nvme,serial=deadbeef,drive=hd0'
+        -nic 'user,hostfwd=tcp::60022-:22'
+        -boot order=d
+        "${additional_args[@]}"
+    )
+    set +e
+    rm -f "$pidfile"
+    (
+        IFS=$' \n\t'
+        set -ex
+        bash -c "${launch_cmd[*]}"
+    )
+    local exit_code=$?
+    log "Exit code ${exit_code}"
+    set -e
+}
+
+main "${@}"

nix/configuration/roles/sequoia/default.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    sequoia.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install sequoia.";
+    };
+  };
+
+  config = lib.mkIf config.me.sequoia.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          sequoia-sq
+        ];
+      }
+    ]
+  );
+}

nix/configuration/roles/uutils/default.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    uutils.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to replace GNU coreutils with uutils (a rust drop-in replacement).";
+    };
+  };
+
+  config = lib.mkIf config.me.uutils.enable (
+    lib.mkMerge [
+      {
+        # environment.corePackages automatically installes coreutils-full, so merely installing uutils-coreutils-noprefix is insufficient for replacing GNU coreutils.
+        nixpkgs.overlays = [
+          (final: prev: {
+            coreutils = final.uutils-coreutils-noprefix;
+            coreutils-full = final.uutils-coreutils-noprefix;
+          })
+        ];
+      }
+    ]
+  );
+}

nix/configuration/roles/yubikey/default.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    yubikey.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install yubikey.";
+    };
+  };
+
+  config = lib.mkIf config.me.yubikey.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          yubikey-personalization
+          yubikey-manager
+        ];
+      }
+    ]
+  );
+}

nix/configuration/roles/zsh/default.nix

@@ -109,6 +109,12 @@ in
             ];
           };
         };
+
+        nixpkgs.overlays = [
+          (final: prev: {
+            zsh-histdb = (final.callPackage ./package/zsh-histdb/package.nix { });
+          })
+        ];
       }
     ]
   );

nix/yubipi/.gitignore

@@ -0,0 +1 @@
+result

nix/yubipi/configuration.nix

@@ -0,0 +1,177 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    "${modulesPath}/installer/sd-card/sd-image.nix"
+    ./roles/image_based_appliance
+    ./roles/optimized_build
+    ./roles/raspberry_pi_sd_image
+    ./roles/reset
+    # ./util/install_files
+    ./util/unfree_polyfill
+  ];
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.trusted-users = [ "@wheel" ];
+
+  hardware.enableRedistributableFirmware = true;
+
+  # Keep outputs so we can build offline.
+  nix.extraOptions = ''
+    keep-outputs = true
+    keep-derivations = true
+    substitute = false
+  '';
+
+  # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
+  boot.supportedFilesystems.zfs = true;
+  # TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ?
+
+  services.getty = {
+    autologinUser = "talexander";
+    autologinOnce = true;
+  };
+  users.mutableUsers = false;
+  users.users.talexander = {
+    isNormalUser = true;
+    createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
+    group = "talexander";
+    extraGroups = [ "wheel" ];
+    uid = 11235;
+    packages = with pkgs; [
+      tree
+    ];
+    # Generate with `mkpasswd -m scrypt`
+    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
+    ];
+  };
+  users.groups.talexander.gid = 11235;
+
+  # Automatic garbage collection
+  nix.gc = lib.mkIf (!config.me.image_based_appliance.enable) {
+    # Runs nix-collect-garbage --delete-older-than 5d
+    automatic = true;
+    persistent = true;
+    dates = "monthly";
+    # randomizedDelaySec = "14m";
+    options = "--delete-older-than 30d";
+  };
+  nix.settings.auto-optimise-store = true;
+  nix.settings.substituters = lib.mkForce [ ];
+
+  # Use doas instead of sudo
+  security.doas.enable = true;
+  security.doas.wheelNeedsPassword = false;
+  security.sudo.enable = false;
+  security.doas.extraRules = [
+    {
+      # Retain environment (for example NIX_PATH)
+      keepEnv = true;
+      persist = true; # Only ask for a password the first time.
+    }
+  ];
+
+  environment.systemPackages = with pkgs; [
+    # wget
+    # mg
+    # rsync
+    # libinput
+    # htop
+    # tmux
+    # file
+    # usbutils # for lsusb
+    # pciutils # for lspci
+    # ripgrep
+    # strace
+    # # ltrace # Disabled because it uses more than 48GB of /tmp space during test phase.
+    # trace-cmd # ftrace
+    # tcpdump
+    # git-crypt
+    # gnumake
+    # ncdu
+    # nix-tree
+    # libarchive # bsdtar
+    # lsof
+    # doas-sudo-shim # To support --sudo for remote builds
+    # dmidecode # Read SMBIOS information.
+    # ipcalc
+    # gptfdisk # for cgdisk
+    # nix-output-monitor # For better view into nixos-rebuild
+    # nix-serve-ng # Serve nix store over http
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+    hostKeys = [
+      {
+        path = "/persist/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
+  boot.initrd.kernelModules = [
+    # "vc4"
+    # "bcm2835_dma"
+    # "i2c_bcm2835"
+  ];
+  # Compressing through emulation is slow and we're just going to decompress the image anyway.
+  sdImage.compressImage = false;
+
+  # Write a list of the currently installed packages to /etc/current-system-packages
+  environment.etc."current-system-packages".text =
+    let
+      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
+      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+      formatted = builtins.concatStringsSep "\n" sortedUnique;
+    in
+    formatted;
+
+  nixpkgs.overlays = [
+    (final: prev: {
+      efivar = throw "foo";
+    })
+  ];
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.11"; # Did you read the comment?
+
+}

nix/yubipi/flake.lock

@@ -0,0 +1,44 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1759381078,
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unoptimized": {
+      "locked": {
+        "lastModified": 1759381078,
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-unoptimized": "nixpkgs-unoptimized"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/yubipi/flake.nix

@@ -0,0 +1,43 @@
+{
+  description = "My system configuration";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-unoptimized.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nixpkgs-unoptimized,
+      ...
+    }@inputs:
+    let
+      base_armv6l_linux = rec {
+        system = "armv6l-linux-linux";
+        specialArgs = {
+          pkgs-unoptimized = import nixpkgs-unoptimized {
+            inherit system;
+            hostPlatform.gcc.arch = "default";
+            hostPlatform.gcc.tune = "default";
+          };
+        };
+        modules = [
+          ./configuration.nix
+        ];
+      };
+      systems = {
+        yubipi = rec {
+          main = base_armv6l_linux // {
+            modules = base_armv6l_linux.modules ++ [
+              ./hosts/yubipi
+            ];
+          };
+        };
+      };
+    in
+    {
+      nixosConfigurations.yubipi = nixpkgs.lib.nixosSystem systems.yubipi.main;
+    };
+}

nix/yubipi/hosts/yubipi/ISO

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#nixosConfigurations.yubipi.config.system.build.sdImage" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/yubipi/hosts/yubipi/default.nix

@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "61f81c12";
+
+    networking.hostName = "yubipi"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.optimizations = {
+      enable = true;
+      arch = "armv6";
+      system_features = [
+        "gccarch-armv6l"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    services.fstrim.enable = lib.mkDefault true;
+
+    me.image_based_appliance.enable = true;
+    me.raspberry_pi_sd_image.enable = true;
+  };
+}

nix/yubipi/hosts/yubipi/disk-config.nix

@@ -0,0 +1,12 @@
+{
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "norelatime"
+      ];
+    };
+  };
+}

nix/yubipi/hosts/yubipi/hardware-configuration.nix

@@ -0,0 +1,28 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "armv6l-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nix/yubipi/hosts/yubipi/wrapped-disk-config.nix

@@ -0,0 +1,8 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+(import ./disk-config.nix)

nix/yubipi/roles/blank/default.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    blank.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install blank.";
+    };
+  };
+
+  config = lib.mkIf config.me.blank.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+        ];
+      }
+      (lib.mkIf config.me.graphical {
+      })
+    ]
+  );
+}

nix/yubipi/roles/image_based_appliance/default.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    image_based_appliance.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install image_based_appliance.";
+    };
+  };
+
+  config = lib.mkIf config.me.image_based_appliance.enable (
+    lib.mkMerge [
+      {
+        # Do not install nix. A full new image must be built to update
+        # the machine.
+        nix.enable = false;
+        system.switch.enable = false;
+      }
+    ]
+  );
+}

nix/yubipi/roles/optimized_build/default.nix

@@ -0,0 +1,78 @@
+{
+  config,
+  lib,
+  pkgs,
+  pkgs-unoptimized,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    optimizations.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to enable CPU optimizations (will trigger a rebuild from source).";
+    };
+
+    optimizations.arch = lib.mkOption {
+      type = lib.types.str;
+      default = null;
+      example = "znver4";
+      description = "The CPU arch for which programs should be optimized.";
+    };
+
+    optimizations.system_features = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      example = [
+        "gccarch-armv6l"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+      description = "The list of CPU features that should be enabled on this machine.";
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf (!config.me.optimizations.enable) (
+      lib.mkMerge [
+        {
+        }
+      ]
+    ))
+    (lib.mkIf config.me.optimizations.enable (
+      lib.mkMerge [
+        {
+          nixpkgs.config.allowUnsupportedSystem = true;
+
+          nixpkgs.hostPlatform = {
+            gcc.arch = config.me.optimizations.arch;
+            gcc.tune = config.me.optimizations.arch;
+            system = "armv6l-linux";
+          };
+
+          # Uncomment on of these to enable cross compiling:
+          # nixpkgs.buildPlatform = builtins.currentSystem;
+          # nixpkgs.buildPlatform = {
+          #   gcc.arch = "znver4";
+          #   gcc.tune = "znver4";
+          #   system = "x86_64-linux";
+          # };
+        }
+      ]
+    ))
+    (lib.mkIf (config.me.optimizations.system_features != [ ]) (
+      lib.mkMerge [
+        {
+          nix.settings.system-features = lib.mkForce config.me.optimizations.system_features;
+        }
+      ]
+    ))
+
+  ];
+}

nix/yubipi/roles/raspberry_pi_sd_image/default.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    raspberry_pi_sd_image.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install raspberry_pi_sd_image.";
+    };
+  };
+
+  config = lib.mkIf config.me.raspberry_pi_sd_image.enable (
+    lib.mkMerge [
+      {
+        boot.loader.grub.enable = false;
+        boot.loader.generic-extlinux-compatible.enable = true;
+
+        boot.consoleLogLevel = lib.mkDefault 7;
+        boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi1;
+
+        sdImage = {
+          populateFirmwareCommands =
+            let
+              configTxt = pkgs.writeText "config.txt" ''
+                # u-boot refuses to start (gets stuck at rainbow polygon) without this,
+                # at least on Raspberry Pi 0.
+                enable_uart=1
+
+                # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
+                # when attempting to show low-voltage or overtemperature warnings.
+                avoid_warnings=1
+
+                [pi0]
+                kernel=u-boot-rpi0.bin
+
+                [pi1]
+                kernel=u-boot-rpi1.bin
+              '';
+            in
+            ''
+              (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf *.dtb $NIX_BUILD_TOP/firmware/)
+              cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin firmware/u-boot-rpi0.bin
+              cp ${pkgs.ubootRaspberryPi}/u-boot.bin firmware/u-boot-rpi1.bin
+              cp ${configTxt} firmware/config.txt
+            '';
+          populateRootCommands = ''
+            mkdir -p ./files/boot
+            ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
+          '';
+        };
+      }
+    ]
+  );
+}

nix/yubipi/roles/reset/default.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  # Reset some defaults to start from a minimal more-arch-linux-like state. Think of this like a CSS reset sheet.
+  config = {
+    # Do not use default packages (nixos includes some defaults like nano)
+    environment.defaultPackages = lib.mkForce [ ];
+  };
+}

nix/yubipi/util/install_files/default.nix

@@ -0,0 +1,333 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.me.install;
+  inherit (lib)
+    filter
+    attrNames
+    ;
+
+  get_shell_values =
+    target:
+    let
+      homedir = config.users.users."${target.username}".home;
+      group = config.users.users."${target.username}".group;
+    in
+    {
+      source = lib.strings.escapeShellArg "${target.source}";
+      destination = lib.strings.escapeShellArg "${homedir}/${target.target}";
+      mode = lib.strings.escapeShellArg "${target.mode}";
+      dir_mode = lib.strings.escapeShellArg "${target.dir_mode}";
+      username = lib.strings.escapeShellArg "${target.username}";
+      group = lib.strings.escapeShellArg "${group}";
+    };
+  install_user_file =
+    let
+      constructors = {
+        "overwrite" = install_user_file_overwrite;
+        "symlink" = install_user_file_symlink;
+      };
+    in
+    stage: target: (constructors."${target.method}"."${stage}" target);
+  install_user_file_overwrite = {
+    "check" = (target: "");
+    "install" = (
+      target:
+      let
+        inherit (get_shell_values target)
+          source
+          destination
+          mode
+          dir_mode
+          username
+          group
+          ;
+        flags = lib.strings.concatStringsSep " " [
+          (if mode != "" then "-m ${mode}" else "")
+          (if username != "" then "-o ${username}" else "")
+          (if group != "" then "-g ${group}" else "")
+        ];
+        dir_flags = lib.strings.concatStringsSep " " [
+          (if dir_mode != "" then "-m ${dir_mode}" else "")
+          (if username != "" then "-o ${username}" else "")
+          (if group != "" then "-g ${group}" else "")
+        ];
+      in
+      if target.recursive then
+        [
+          ''
+            find ${source} -type f -print0 | while read -r -d "" file; do
+                relative_path=$(realpath -s --relative-to ${source} "$file")
+                full_dest=${destination}/"$relative_path"
+                create_containing_directories "$full_dest" ${dir_flags}
+                $DRY_RUN_CMD install $VERBOSE_ARG --compare ${flags} "$file" "$full_dest"
+            done
+          ''
+        ]
+      else
+        [
+          ''
+            create_containing_directories ${destination} ${dir_flags}
+            $DRY_RUN_CMD install $VERBOSE_ARG --compare ${flags} ${source} ${destination}
+          ''
+        ]
+    );
+    "uninstall" = (
+      target:
+      let
+        inherit (get_shell_values target)
+          source
+          destination
+          ;
+      in
+      if target.recursive then
+        [
+          ''
+            find ${source} -type f -print0 | while read -r -d "" file; do
+                relative_path=$(realpath -s --relative-to ${source} "$file")
+                full_dest=${destination}/"$relative_path"
+                $DRY_RUN_CMD echo rm -f "$full_dest"
+            done
+          ''
+        ]
+      else
+        [
+          ''
+            $DRY_RUN_CMD echo rm -f ${destination}
+          ''
+        ]
+    );
+  };
+  install_user_file_symlink = {
+    "check" = (target: "");
+    "install" = (
+      target:
+      let
+        inherit (get_shell_values target)
+          source
+          destination
+          mode
+          dir_mode
+          username
+          group
+          ;
+        owner = lib.strings.concatStringsSep ":" (
+          filter (val: val != "") [
+            username
+            group
+          ]
+        );
+        dir_flags = lib.strings.concatStringsSep " " [
+          (if dir_mode != "" then "-m ${dir_mode}" else "")
+          (if username != "" then "-o ${username}" else "")
+          (if group != "" then "-g ${group}" else "")
+        ];
+      in
+      if target.recursive then
+        [
+          ''
+            find ${source} -type f -print0 | while read -r -d "" file; do
+                relative_path=$(realpath -s --relative-to ${source} "$file")
+                full_dest=${destination}/"$relative_path"
+                create_containing_directories "$full_dest" ${dir_flags}
+                $DRY_RUN_CMD ln $VERBOSE_ARG -s "$file" "$full_dest"
+                $DRY_RUN_CMD chown $VERBOSE_ARG -h ${owner} "$full_dest"
+            done
+          ''
+        ]
+      else
+        [
+          ''
+            create_containing_directories ${destination} ${dir_flags}
+            $DRY_RUN_CMD ln $VERBOSE_ARG -s ${source} ${destination}
+            $DRY_RUN_CMD chown $VERBOSE_ARG -h ${owner} ${destination}
+          ''
+        ]
+    );
+    "uninstall" = (
+      target:
+      let
+        inherit (get_shell_values target)
+          source
+          destination
+          ;
+      in
+      if target.recursive then
+        [
+          ''
+            find ${source} -type f -print0 | while read -r -d "" file; do
+                relative_path=$(realpath -s --relative-to ${source} "$file")
+                full_dest=${destination}/"$relative_path"
+                $DRY_RUN_CMD echo rm -f "$full_dest"
+            done
+          ''
+        ]
+      else
+        [
+          ''
+            $DRY_RUN_CMD echo rm -f ${destination}
+          ''
+        ]
+    );
+  };
+in
+{
+  imports = [ ];
+
+  options.me.install = {
+    user = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.submodule (
+          { name, config, ... }:
+          let
+            username = name;
+          in
+          {
+            options = {
+              enable = lib.mkOption {
+                type = lib.types.bool;
+                default = true;
+                defaultText = "enable";
+                example = lib.literalExpression false;
+                description = "Whether we want to install files in this user's home directory.";
+              };
+
+              file = lib.mkOption {
+                type = lib.types.attrsOf (
+                  lib.types.submodule (
+                    { name, config, ... }:
+                    let
+                      path = name;
+                    in
+                    {
+                      options = {
+                        enable = lib.mkOption {
+                          type = lib.types.bool;
+                          default = true;
+                          defaultText = "enable";
+                          example = lib.literalExpression false;
+                          description = "Whether we want to install this file in this user's home directory.";
+                        };
+                        username = lib.mkOption {
+                          type = lib.types.str;
+                          defaultText = "username";
+                          example = "root";
+                          description = "The username for the user whose home directory will contain the file.";
+                        };
+                        target = lib.mkOption {
+                          type = lib.types.str;
+                          defaultText = "target";
+                          example = ".local/share/foo/bar.txt";
+                          description = "The path where the file should be written.";
+                        };
+                        method = lib.mkOption {
+                          type = lib.types.enum [
+                            "symlink"
+                            "overwrite"
+                            # "bind_mount" TODO: for directories?
+                          ];
+                          default = "symlink";
+                          defaultText = "me.install.file.‹path›.method";
+                          example = "overwrite";
+                          description = "The way in which the file should be installed.";
+                        };
+                        mode = lib.mkOption {
+                          type = lib.types.str;
+                          default = "0444";
+                          defaultText = "me.install.file.‹path›.mode";
+                          example = "0750";
+                          description = "The read, write, execute permission flags.";
+                        };
+                        dir_mode = lib.mkOption {
+                          type = lib.types.str;
+                          default = "0755";
+                          defaultText = "dir_mode";
+                          example = "0755";
+                          description = "The read, write, execute permission flags for any parent directories that need to be created.";
+                        };
+                        source = lib.mkOption {
+                          type = lib.types.path;
+                          defaultText = "me.install.file.‹path›.source";
+                          example = ./files/foo.txt;
+                          description = "The source file to install into the destination.";
+                        };
+                        recursive = lib.mkOption {
+                          type = lib.types.bool;
+                          default = false;
+                          defaultText = "recursive";
+                          example = lib.literalExpression false;
+                          description = "Whether we want to recurse through the directory doing individual installs for each file.";
+                        };
+                      };
+
+                      config = {
+                        username = lib.mkDefault username;
+                        target = lib.mkDefault path;
+                      };
+                    }
+                  )
+                );
+              };
+            };
+          }
+        )
+      );
+    };
+  };
+
+  config =
+    let
+      all_users = builtins.map (username: cfg.user."${username}") (attrNames cfg.user);
+      enabled_users = filter (user: user.enable) all_users;
+      all_file_targets = lib.flatten (
+        builtins.map (user: (builtins.map (path: user.file."${path}") (attrNames user.file))) enabled_users
+      );
+      enabled_file_targets = filter (target: target.enable) all_file_targets;
+      check_commands = lib.flatten (builtins.map (install_user_file "check") enabled_file_targets);
+      install_commands = lib.flatten (builtins.map (install_user_file "install") enabled_file_targets);
+      uninstall_commands = lib.flatten (
+        builtins.map (install_user_file "uninstall") enabled_file_targets
+      );
+    in
+    {
+      systemd.services.me-install-file = {
+        enable = true;
+        description = "me-install-file";
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "multi-user.target" ];
+        before = [ "multi-user.target" ];
+        # path = with pkgs; [
+        #   zfs
+        # ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = "yes";
+        };
+        script =
+          ''
+            set -o pipefail
+            IFS=$'\n\t'
+            source ${./files/lib.bash}
+          ''
+          + (lib.strings.concatStringsSep "\n" (
+            [
+            ]
+            ++ check_commands
+            ++ install_commands
+          ));
+        preStop =
+          ''
+            set -o pipefail
+            IFS=$'\n\t'
+            source ${./files/lib.bash}
+          ''
+          + (lib.strings.concatStringsSep "\n" uninstall_commands);
+      };
+    };
+}

nix/yubipi/util/install_files/files/lib.bash

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+#
+
+############## Setup #########################
+
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
+function log {
+    (>&2 echo "${@}")
+}
+
+############## Program #########################
+
+function create_containing_directories {
+    local full_dest="$1"
+    shift 1
+    local dirs_to_create=()
+    local containing_directory="$full_dest"
+    while true; do
+        containing_directory=$(dirname "$containing_directory")
+        if [ -e "$containing_directory" ] || [ "$containing_directory" = "/" ]; then
+            break
+        fi
+        dirs_to_create+=($containing_directory)
+    done
+
+    for (( idx=${#dirs_to_create[@]}-1 ; idx>=0 ; idx-- )) ; do
+        local containing_directory="${dirs_to_create[idx]}"
+        log "Creating $containing_directory"
+        $DRY_RUN_CMD install $VERBOSE_ARG -d "${@}" "$containing_directory"
+    done
+
+}

nix/yubipi/util/unfree_polyfill/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+
+let
+  inherit (builtins) elem;
+  inherit (lib) getName mkOption;
+  inherit (lib.types) listOf str;
+in
+{
+  # Pending https://github.com/NixOS/nixpkgs/issues/55674
+  options.allowedUnfree = mkOption {
+    type = listOf str;
+    default = [ ];
+  };
+  config.nixpkgs.config.allowUnfreePredicate = p: elem (getName p) config.allowedUnfree;
+}