Add support for setting the group owning the file.

This is remove duplication between the individual hosts folders.

ansible/roles/sftp/tasks/common.yaml

@@ -64,6 +64,23 @@
 #     force: true
 #   diff: false
 
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0700
+    owner: nochainstounlock
+    group: nochainstounlock
+  loop:
+    - /home/nochainstounlock/.ssh
+
+- name: Set authorized keys
+  authorized_key:
+    user: nochainstounlock
+    key: |
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrjXsXjtxEm47XnRZfo67kJULoc0NBLrB0lPYFiS2Ar kodi@neelix
+    exclusive: true
+
 - import_tasks: tasks/freebsd.yaml
   when: 'os_flavor == "freebsd"'
 

nix/configuration/.gitignore

@@ -0,0 +1 @@
+result

nix/configuration/configuration.nix

@@ -0,0 +1,291 @@
+{
+  config,
+  lib,
+  pkgs,
+  home-manager,
+  ...
+}:
+
+{
+  imports = [
+    ./roles/2ship2harkinian
+    ./roles/alacritty
+    ./roles/ansible
+    ./roles/ares
+    ./roles/bluetooth
+    ./roles/boot
+    ./roles/chromecast
+    ./roles/chromium
+    ./roles/distributed_build
+    ./roles/docker
+    ./roles/ecc
+    ./roles/emacs
+    ./roles/firefox
+    ./roles/firewall
+    ./roles/flux
+    ./roles/fonts
+    ./roles/gcloud
+    ./roles/git
+    ./roles/global_options
+    ./roles/gnuplot
+    ./roles/gpg
+    ./roles/graphics
+    ./roles/hydra
+    ./roles/iso
+    ./roles/iso_mount
+    ./roles/kanshi
+    ./roles/kodi
+    ./roles/kubernetes
+    ./roles/latex
+    ./roles/launch_keyboard
+    ./roles/lvfs
+    ./roles/media
+    ./roles/memtest86
+    ./roles/network
+    ./roles/nix_index
+    ./roles/nix_worker
+    ./roles/nvme
+    ./roles/optimized_build
+    ./roles/pcsx2
+    ./roles/python
+    ./roles/qemu
+    ./roles/reset
+    ./roles/rpcs3
+    ./roles/rust
+    ./roles/shikane
+    ./roles/shipwright
+    ./roles/sm64ex
+    ./roles/sops
+    ./roles/sound
+    ./roles/ssh
+    ./roles/steam
+    ./roles/steam_run_free
+    ./roles/sway
+    ./roles/tekton
+    ./roles/terraform
+    ./roles/thunderbolt
+    ./roles/vnc_client
+    ./roles/vscode
+    ./roles/wasm
+    ./roles/waybar
+    ./roles/wireguard
+    ./roles/zfs
+    ./roles/zrepl
+    ./roles/zsh
+    ./util/install_files
+    ./util/unfree_polyfill
+  ];
+
+  me.install.user.talexander.file."/home/talexander/flake.nix" = {
+    source = ./flake.nix;
+  };
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.trusted-users = [ "@wheel" ];
+
+  # boot.kernelPackages = pkgs.linuxPackages_6_11;
+  hardware.enableRedistributableFirmware = true;
+
+  # Use nixos-rebuild-ng
+  # system.rebuild.enableNg = true;
+
+  # Keep outputs so we can build offline.
+  nix.extraOptions = ''
+    keep-outputs = true
+    keep-derivations = true
+  '';
+
+  # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
+  boot.supportedFilesystems.zfs = true;
+  # TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ?
+
+  services.getty = {
+    autologinUser = "talexander"; # I use full disk encryption so the user password is irrelevant.
+    autologinOnce = true;
+  };
+  users.mutableUsers = false;
+  users.users.talexander = {
+    isNormalUser = true;
+    createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
+    group = "talexander";
+    extraGroups = [ "wheel" ];
+    uid = 11235;
+    packages = with pkgs; [
+      tree
+    ];
+    # Generate with `mkpasswd -m scrypt`
+    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
+    ];
+  };
+  users.groups.talexander.gid = 11235;
+  home-manager.users.talexander =
+    { pkgs, ... }:
+    {
+      # The state version is required and should stay at the version you
+      # originally installed.
+      home.stateVersion = "24.11";
+    };
+
+  home-manager.users.root =
+    { pkgs, ... }:
+    {
+      # The state version is required and should stay at the version you
+      # originally installed.
+      home.stateVersion = "24.11";
+    };
+
+  # Automatic garbage collection
+  nix.gc = lib.mkIf (!config.me.buildingIso) {
+    # Runs nix-collect-garbage --delete-older-than 5d
+    automatic = true;
+    randomizedDelaySec = "14m";
+    options = "--delete-older-than 30d";
+  };
+  nix.settings.auto-optimise-store = !config.me.buildingIso;
+
+  # Use doas instead of sudo
+  security.doas.enable = true;
+  security.doas.wheelNeedsPassword = false;
+  security.sudo.enable = false;
+  security.doas.extraRules = [
+    {
+      # Retain environment (for example NIX_PATH)
+      keepEnv = true;
+      persist = true; # Only ask for a password the first time.
+    }
+  ];
+
+  environment.systemPackages = with pkgs; [
+    wget
+    mg
+    rsync
+    libinput
+    htop
+    tmux
+    file
+    usbutils # for lsusb
+    pciutils # for lspci
+    ripgrep
+    strace
+    ltrace
+    trace-cmd # ftrace
+    tcpdump
+    git-crypt
+    gnumake
+    ncdu
+    nix-tree
+    libarchive # bsdtar
+    lsof
+    doas-sudo-shim # To support --use-remote-sudo for remote builds
+    dmidecode # Read SMBIOS information.
+    ipcalc
+    gptfdisk # for cgdisk
+    nix-output-monitor # For better view into nixos-rebuild
+    nix-serve-ng # Serve nix store over http
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+    hostKeys = [
+      {
+        path = "/persist/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
+  environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+    hideMounts = true;
+    directories = [
+      "/var/lib/iwd" # Wifi settings
+      "/var/lib/nixos" # Contains user information (uids/gids)
+      "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
+      "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
+    ];
+    files = [
+      "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+    users.talexander = {
+      directories = [
+        {
+          directory = "persist";
+          user = "talexander";
+          group = "talexander";
+          mode = "0700";
+        }
+      ];
+    };
+  };
+
+  # Write a list of the currently installed packages to /etc/current-system-packages
+  environment.etc."current-system-packages".text =
+    let
+      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
+      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+      formatted = builtins.concatStringsSep "\n" sortedUnique;
+    in
+    formatted;
+
+  # environment.etc."system-packages-with-source".text = builtins.concatStringsSep "\n\n" (
+  #   builtins.map (
+  #     x: x.file + "\n" + builtins.concatStringsSep "\n" (builtins.map (s: "  " + s) x.value)
+  #   ) config.environment.systemPackages.definitionsWithLocations
+  # );
+
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     nix = pkgs-unstable.nix;
+  #   })
+  # ];
+
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     foot = throw "foo";
+  #   })
+  # ];
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}

nix/configuration/flake.lock

@@ -0,0 +1,386 @@
+{
+  "nodes": {
+    "ansible-sshjail": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "path": "flakes/ansible-sshjail",
+        "type": "path"
+      },
+      "original": {
+        "path": "flakes/ansible-sshjail",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746729224,
+        "narHash": "sha256-9R4sOLAK1w3Bq54H3XOJogdc7a6C2bLLmatOQ+5pf5w=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "85555d27ded84604ad6657ecca255a03fd878607",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746981801,
+        "narHash": "sha256-+Bfr0KqZV6gZdA7e2kupeoawozaLIHLuiPtC54uxbFc=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "ff915842e4a2e63c4c8c5c08c6870b9d5b3c3ee9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1746663147,
+        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-b93b4e9b5": {
+      "locked": {
+        "lastModified": 1713721570,
+        "narHash": "sha256-R0s+O5UjTePQRb72XPgtkTmEiOOW8n+1q9Gxt/OJnKU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b93b4e9b527904aadf52dba6ca35efde2067cbd4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b93b4e9b527904aadf52dba6ca35efde2067cbd4",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unoptimized": {
+      "locked": {
+        "lastModified": 1746663147,
+        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "ansible-sshjail": "ansible-sshjail",
+        "disko": "disko",
+        "home-manager": "home-manager",
+        "impermanence": "impermanence",
+        "lanzaboote": "lanzaboote",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-b93b4e9b5": "nixpkgs-b93b4e9b5",
+        "nixpkgs-unoptimized": "nixpkgs-unoptimized",
+        "zsh-histdb": "zsh-histdb"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "zsh-histdb": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "path": "flakes/zsh-histdb",
+        "type": "path"
+      },
+      "original": {
+        "path": "flakes/zsh-histdb",
+        "type": "path"
+      },
+      "parent": []
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/configuration/flake.nix

@@ -0,0 +1,272 @@
+# Build ISO image
+#   nix build --extra-experimental-features nix-command --extra-experimental-features flakes .#iso.odo
+#   output: result/iso/nixos.iso
+
+# Run the ISO image
+#   doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
+#        -accel kvm \
+#        -cpu host \
+#        -smp cores=8 \
+#        -m 32768 \
+#        -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
+#        -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" \
+#        -nic user,hostfwd=tcp::60022-:22 \
+#        -boot order=d \
+#        -cdrom "$(readlink -f ./result/iso/nixos*.iso)" \
+#        -display vnc=127.0.0.1:0
+#
+# doas cp "$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF_VARS.fd" /tmp/OVMF_VARS.fd
+# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" -accel kvm -cpu host -smp cores=8 -m 32768 -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" -nic user,hostfwd=tcp::60022-:22 -boot order=d -cdrom /persist/machine_setup/nix/configuration/result/iso/nixos*.iso -display vnc=127.0.0.1:0
+
+# Get a repl for this flake
+#   nix repl --expr "builtins.getFlake \"$PWD\""
+
+# TODO maybe use `nix eval --raw .#iso.odo.outPath`
+# iso.odo.isoName == "nixos.iso"
+# full path = <outPath> / iso / <isoName>
+
+#
+# Install on a new machine:
+#
+#
+# doas nix --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/odo/disk-config.nix
+
+# nix flake update zsh-histdb --flake .
+# nix flake update ansible-sshjail --flake .
+# for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+# nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#vm_ionlybootzfs"
+#
+
+{
+  description = "My system configuration";
+
+  inputs = {
+    impermanence.url = "github:nix-community/impermanence";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-b93b4e9b5.url = "github:NixOS/nixpkgs/b93b4e9b527904aadf52dba6ca35efde2067cbd4";
+    nixpkgs-unoptimized.url = "github:NixOS/nixpkgs/nixos-unstable";
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
+
+      # Optional but recommended to limit the size of your system closure.
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    zsh-histdb = {
+      url = "path:flakes/zsh-histdb";
+
+      # Optional but recommended to limit the size of your system closure.
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    ansible-sshjail = {
+      url = "path:flakes/ansible-sshjail";
+
+      # Optional but recommended to limit the size of your system closure.
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nixpkgs-unoptimized,
+      nixpkgs-b93b4e9b5,
+      impermanence,
+      home-manager,
+      lanzaboote,
+      zsh-histdb,
+      ansible-sshjail,
+      ...
+    }@inputs:
+    let
+      base_x86_64_linux = rec {
+        system = "x86_64-linux";
+        specialArgs = {
+          pkgs-b93b4e9b5 = import nixpkgs-b93b4e9b5 {
+            inherit system;
+          };
+          pkgs-unoptimized = import nixpkgs-unoptimized {
+            inherit system;
+            hostPlatform.gcc.arch = "default";
+            hostPlatform.gcc.tune = "default";
+          };
+        };
+        modules = [
+          impermanence.nixosModules.impermanence
+          home-manager.nixosModules.home-manager
+          lanzaboote.nixosModules.lanzaboote
+          inputs.disko.nixosModules.disko
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+          }
+          {
+            nixpkgs.overlays = [
+              zsh-histdb.overlays.default
+              ansible-sshjail.overlays.default
+            ];
+          }
+          ./configuration.nix
+        ];
+      };
+      systems =
+        let
+          additional_iso_modules = [
+            (nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix")
+            # TODO: Figure out how to do image based appliances
+            # (nixpkgs + "/nixos/modules/profiles/image-based-appliance.nix")
+            {
+              isoImage.makeEfiBootable = true;
+              isoImage.makeUsbBootable = true;
+              me.buildingIso = true;
+              me.optimizations.enable = nixpkgs.lib.mkForce false;
+            }
+            {
+              # These are big space hogs. The chance that I need them on an ISO is slim.
+              me.steam.enable = nixpkgs.lib.mkForce false;
+              me.pcsx2.enable = nixpkgs.lib.mkForce false;
+            }
+          ];
+          additional_vm_modules = [
+            (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
+            {
+              networking.dhcpcd.enable = true;
+              networking.useDHCP = true;
+              me.optimizations.enable = nixpkgs.lib.mkForce false;
+            }
+            {
+              # I don't need games on a virtual machine.
+              me.steam.enable = nixpkgs.lib.mkForce false;
+              me.pcsx2.enable = nixpkgs.lib.mkForce false;
+              me.sm64ex.enable = nixpkgs.lib.mkForce false;
+              me.shipwright.enable = nixpkgs.lib.mkForce false;
+              me.ship2harkinian.enable = nixpkgs.lib.mkForce false;
+            }
+          ];
+        in
+        {
+          odo = rec {
+            main = base_x86_64_linux // {
+              modules = base_x86_64_linux.modules ++ [
+                ./hosts/odo
+              ];
+            };
+            iso = main // {
+              modules = main.modules ++ additional_iso_modules;
+            };
+            vm = main // {
+              modules = main.modules ++ additional_vm_modules;
+            };
+            vm_iso = main // {
+              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+            };
+          };
+          quark = rec {
+            main = base_x86_64_linux // {
+              modules = base_x86_64_linux.modules ++ [
+                ./hosts/quark
+              ];
+            };
+            iso = main // {
+              modules = main.modules ++ additional_iso_modules;
+            };
+            vm = main // {
+              modules = main.modules ++ additional_vm_modules;
+            };
+            vm_iso = main // {
+              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+            };
+          };
+          neelix = rec {
+            main = base_x86_64_linux // {
+              modules = base_x86_64_linux.modules ++ [
+                ./hosts/neelix
+              ];
+            };
+            iso = main // {
+              modules = main.modules ++ additional_iso_modules;
+            };
+            vm = main // {
+              modules = main.modules ++ additional_vm_modules;
+            };
+            vm_iso = main // {
+              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+            };
+          };
+          hydra =
+            let
+              additional_iso_modules = additional_iso_modules ++ [
+                {
+                  me.optimizations.enable = true;
+                }
+              ];
+            in
+            rec {
+              main = base_x86_64_linux // {
+                modules = base_x86_64_linux.modules ++ [
+                  ./hosts/hydra
+                ];
+              };
+              iso = main // {
+                modules = main.modules ++ additional_iso_modules;
+              };
+              vm = main // {
+                modules = main.modules ++ additional_vm_modules;
+              };
+              vm_iso = main // {
+                modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+              };
+            };
+          ionlybootzfs = rec {
+            main = base_x86_64_linux // {
+              modules = base_x86_64_linux.modules ++ [
+                ./hosts/ionlybootzfs
+              ];
+            };
+            iso = main // {
+              modules = main.modules ++ additional_iso_modules;
+            };
+            vm = main // {
+              modules = main.modules ++ additional_vm_modules;
+            };
+            vm_iso = main // {
+              modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
+            };
+          };
+
+        };
+    in
+    {
+      nixosConfigurations.odo = nixpkgs.lib.nixosSystem systems.odo.main;
+      iso.odo = (nixpkgs.lib.nixosSystem systems.odo.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_odo = nixpkgs.lib.nixosSystem systems.odo.vm;
+      vm_iso.odo = (nixpkgs.lib.nixosSystem systems.odo.vm_iso).config.system.build.isoImage;
+
+      nixosConfigurations.quark = nixpkgs.lib.nixosSystem systems.quark.main;
+      iso.quark = (nixpkgs.lib.nixosSystem systems.quark.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_quark = nixpkgs.lib.nixosSystem systems.quark.vm;
+      vm_iso.quark = (nixpkgs.lib.nixosSystem systems.quark.vm_iso).config.system.build.isoImage;
+
+      nixosConfigurations.neelix = nixpkgs.lib.nixosSystem systems.neelix.main;
+      iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_neelix = nixpkgs.lib.nixosSystem systems.neelix.vm;
+      vm_iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.vm_iso).config.system.build.isoImage;
+
+      nixosConfigurations.hydra = nixpkgs.lib.nixosSystem systems.hydra.main;
+      iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_hydra = nixpkgs.lib.nixosSystem systems.hydra.vm;
+      vm_iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.vm_iso).config.system.build.isoImage;
+
+      nixosConfigurations.ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.main;
+      iso.ionlybootzfs = (nixpkgs.lib.nixosSystem systems.ionlybootzfs.iso).config.system.build.isoImage;
+      nixosConfigurations.vm_ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm;
+      vm_iso.ionlybootzfs =
+        (nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm_iso).config.system.build.isoImage;
+    };
+}

nix/configuration/flakes/ansible-sshjail/flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1735141468,
+        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/configuration/flakes/ansible-sshjail/flake.nix

@@ -0,0 +1,34 @@
+{
+  description = "A slightly better history for zsh";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      flake-utils,
+      ...
+    }:
+    let
+      out =
+        system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+          # Maybe pkgs = import nixpkgs { inherit system; }; ?
+          appliedOverlay = self.overlays.default pkgs pkgs;
+        in
+        {
+          packages = rec {
+            default = ansible-sshjail;
+            ansible-sshjail = appliedOverlay.ansible-sshjail;
+          };
+        };
+    in
+    flake-utils.lib.eachDefaultSystem out
+    // {
+      overlays.default = final: prev: {
+        ansible-sshjail = final.callPackage ./package.nix { };
+      };
+    };
+}

nix/configuration/flakes/ansible-sshjail/package.nix

@@ -0,0 +1,33 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  stdenv,
+  fetchgit,
+  ...
+}:
+stdenv.mkDerivation {
+  name = "ansible-sshjail";
+  src = fetchgit {
+    url = "https://github.com/austinhyde/ansible-sshjail.git";
+    rev = "a7b0076fdb680b915d35efafd1382919100532b6";
+    sha256 = "sha256-4QX/017fDRzb363NexgvHZ/VFKXOjRgGPDKKygyUylM=";
+  };
+  phases = [
+    "installPhase"
+  ];
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share/ansible/plugins/connection_plugins
+    cp $src/sshjail.py $out/share/ansible/plugins/connection_plugins/
+
+    runHook postInstall
+  '';
+}

nix/configuration/flakes/zsh-histdb/flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1735141468,
+        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/configuration/flakes/zsh-histdb/flake.nix

@@ -0,0 +1,34 @@
+{
+  description = "A slightly better history for zsh";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      flake-utils,
+      ...
+    }:
+    let
+      out =
+        system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+          # Maybe pkgs = import nixpkgs { inherit system; }; ?
+          appliedOverlay = self.overlays.default pkgs pkgs;
+        in
+        {
+          packages = rec {
+            default = zsh-histdb;
+            zsh-histdb = appliedOverlay.zsh-histdb;
+          };
+        };
+    in
+    flake-utils.lib.eachDefaultSystem out
+    // {
+      overlays.default = final: prev: {
+        zsh-histdb = final.callPackage ./package.nix { };
+      };
+    };
+}

nix/configuration/flakes/zsh-histdb/package.nix

@@ -0,0 +1,36 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  stdenv,
+  pkgs,
+  sqlite,
+  ...
+}:
+stdenv.mkDerivation {
+  name = "zsh-histdb";
+  src = pkgs.fetchgit {
+    url = "https://github.com/larkery/zsh-histdb.git";
+    rev = "90a6c104d0fcc0410d665e148fa7da28c49684eb";
+    sha256 = "sha256-vtG1poaRVbfb/wKPChk1WpPgDq+7udLqLfYfLqap4Vg=";
+  };
+  buildInputs = [ sqlite ];
+  phases = [
+    "installPhase"
+  ];
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/share/zsh/plugins/zsh-histdb
+    cp -r $src/histdb-* $src/*.zsh $src/db_migrations $out/share/zsh/plugins/zsh-histdb/
+    runHook postInstall
+  '';
+  postInstall = ''
+    substituteInPlace $out/share/zsh/plugins/zsh-histdb/sqlite-history.zsh $out/share/zsh/plugins/zsh-histdb/histdb-merge $out/share/zsh/plugins/zsh-histdb/histdb-migrate --replace-fail "sqlite3" "${sqlite}/bin/sqlite3"
+  '';
+}

nix/configuration/hosts/hydra/DEPLOY_BOOT

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=hydra
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#hydra'

nix/configuration/hosts/hydra/DEPLOY_SWITCH

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=hydra
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#hydra'

nix/configuration/hosts/hydra/ISO

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.hydra" --max-jobs "$JOBS" "${@}" |& nom

nix/configuration/hosts/hydra/default.nix

@@ -0,0 +1,68 @@
+#
+# Testing:
+# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
+#      -accel kvm \
+#      -cpu host \
+#      -smp cores=8 \
+#      -m 32768 \
+#      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
+#      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
+#      -device nvme,serial=deadbeef,drive=nvm \
+#      -nic user,hostfwd=tcp::60022-:22 \
+#      -boot order=d \
+#      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
+#      -display vnc=127.0.0.1:0
+#
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./disk-config.nix
+    ./hardware-configuration.nix
+    ./optimized_build.nix
+    ./vm_disk.nix
+  ];
+
+  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  networking.hostId = "fbd233d8";
+
+  networking.hostName = "hydra"; # Define your hostname.
+
+  time.timeZone = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  me.secureBoot.enable = false;
+
+  me.optimizations = {
+    enable = true;
+    arch = "znver4";
+    system_features = [
+      "gccarch-znver4"
+      "gccarch-skylake"
+      # "gccarch-alderlake" missing WAITPKG
+      "gccarch-x86-64-v3"
+      "gccarch-x86-64-v4"
+      "benchmark"
+      "big-parallel"
+      "kvm"
+      "nixos-test"
+    ];
+  };
+
+  # Mount tmpfs at /tmp
+  boot.tmp.useTmpfs = true;
+
+  me.emacs_flavor = "plainmacs";
+  me.graphical = false;
+  me.hydra.enable = false;
+  me.nix_worker.enable = true;
+  me.vm_disk.enable = true;
+  me.wireguard.activated = [ ];
+  me.wireguard.deactivated = [ ];
+  me.zsh.enable = true;
+}

nix/configuration/hosts/hydra/disk-config.nix

@@ -0,0 +1,140 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "1MiB";
+              compression = "lz4";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+}

nix/configuration/hosts/hydra/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.dhcpcd.enable = lib.mkForce true;
+  networking.useDHCP = lib.mkForce true;
+  networking.interfaces.enp0s2.useDHCP = lib.mkForce true;
+  # systemd.network.enable = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nix/configuration/hosts/hydra/vm_disk.nix

@@ -0,0 +1,77 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    vm_disk.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to mount the local disk for persistent storage.";
+    };
+  };
+
+  config = lib.mkIf config.me.vm_disk.enable (
+    lib.mkMerge [
+      {
+        # Mount the local disk
+        fileSystems = {
+          "/.disk" = lib.mkForce {
+            device = "/dev/nvme0n1p1";
+            fsType = "ext4";
+            options = [
+              "noatime"
+              "discard"
+            ];
+            neededForBoot = true;
+          };
+
+          "/persist" = {
+            fsType = "none";
+            device = "/.disk/persist";
+            options = [
+              "bind"
+              "rw"
+            ];
+            depends = [
+              "/.disk/persist"
+            ];
+          };
+
+          "/state" = {
+            fsType = "none";
+            device = "/.disk/state";
+            options = [
+              "bind"
+              "rw"
+            ];
+            depends = [
+              "/.disk/state"
+            ];
+          };
+
+          "/nix/store" = lib.mkForce {
+            fsType = "overlay";
+            device = "overlay";
+            options = [
+              "lowerdir=/nix/.ro-store"
+              "upperdir=/.disk/persist/store"
+              "workdir=/.disk/state/work"
+            ];
+            depends = [
+              "/nix/.ro-store"
+              "/.disk/persist/store"
+              "/.disk/state/work"
+            ];
+          };
+        };
+      }
+    ]
+  );
+}

nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET="ionlybootzfs"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs'

nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=ionlybootzfs
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs'

nix/configuration/hosts/ionlybootzfs/ISO

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" "${@}" |& nom

nix/configuration/hosts/ionlybootzfs/default.nix

@@ -0,0 +1,63 @@
+#
+# Testing:
+# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
+#      -accel kvm \
+#      -cpu host \
+#      -smp cores=8 \
+#      -m 32768 \
+#      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
+#      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
+#      -device nvme,serial=deadbeef,drive=nvm \
+#      -nic user,hostfwd=tcp::60022-:22 \
+#      -boot order=d \
+#      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
+#      -display vnc=127.0.0.1:0
+#
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./wrapped-disk-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  networking.hostId = "fbd233d8";
+
+  networking.hostName = "ionlybootzfs"; # Define your hostname.
+
+  time.timeZone = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  me.secureBoot.enable = true;
+
+  me.optimizations = {
+    enable = false;
+    arch = "znver4";
+    system_features = [
+      "gccarch-znver4"
+      "gccarch-skylake"
+      # "gccarch-alderlake" missing WAITPKG
+      "gccarch-x86-64-v3"
+      "gccarch-x86-64-v4"
+      "benchmark"
+      "big-parallel"
+      "kvm"
+      "nixos-test"
+    ];
+  };
+
+  # Mount tmpfs at /tmp
+  boot.tmp.useTmpfs = true;
+
+  me.emacs_flavor = "plainmacs";
+  me.graphical = false;
+  me.wireguard.activated = [ ];
+  me.wireguard.deactivated = [ ];
+  me.zsh.enable = true;
+}

nix/configuration/hosts/ionlybootzfs/disk-config.nix

@@ -0,0 +1,142 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}

nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix

@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.dhcpcd.enable = lib.mkForce true;
+  networking.useDHCP = lib.mkForce true;
+  # systemd.network.enable = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nix/configuration/hosts/ionlybootzfs/optimized_build.nix

@@ -0,0 +1,131 @@
+{
+  config,
+  lib,
+  pkgs,
+  pkgs-unoptimized,
+  ...
+}:
+{
+  imports = [ ];
+
+  config = lib.mkMerge [
+    { }
+    (lib.mkIf (!config.me.optimizations.enable) {
+      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_14;
+    })
+    (lib.mkIf (config.me.optimizations.enable) {
+      nixpkgs.hostPlatform = {
+        gcc.arch = "znver4";
+        gcc.tune = "znver4";
+        system = "x86_64-linux";
+      };
+
+      nixpkgs.overlays = [
+        (
+          final: prev:
+          let
+            addConfig =
+              additionalConfig: pkg:
+              pkg.override (oldconfig: {
+                structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
+              });
+          in
+          {
+            linux_me = addConfig {
+              # Full preemption
+              PREEMPT = lib.mkOverride 60 lib.kernel.yes;
+              PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
+
+              # Google's BBRv3 TCP congestion Control
+              TCP_CONG_BBR = lib.kernel.yes;
+              DEFAULT_BBR = lib.kernel.yes;
+
+              # Preemptive Full Tickless Kernel at 300Hz
+              HZ = lib.kernel.freeform "300";
+              HZ_300 = lib.kernel.yes;
+              HZ_1000 = lib.kernel.no;
+            } prev.linux_6_14;
+            # gsl = prev.gsl.overrideAttrs (old: {
+            #   # gsl tests fails when optimizations are enabled.
+            #   # > FAIL: cholesky_invert unscaled hilbert (  4,  4)[0,2]: 2.55795384873636067e-13                        0
+            #   # >  (2.55795384873636067e-13 observed vs 0 expected) [28259614]
+            #   doCheck = false;
+            # });
+          }
+        )
+        (final: prev: {
+          haskellPackages = prev.haskellPackages.extend (
+            final': prev': {
+              inherit (pkgs-unoptimized.haskellPackages)
+                crypton
+                crypton-connection
+                crypton-x509
+                crypton-x509-store
+                crypton-x509-system
+                crypton-x509-validation
+                hspec-wai
+                http-client-tls
+                http2
+                pandoc
+                pandoc-cli
+                pandoc-lua-engine
+                pandoc-server
+                servant-server
+                tls
+                wai-app-static
+                wai-extra
+                warp
+                ;
+            }
+          );
+        })
+        (final: prev: {
+          inherit (pkgs-unoptimized)
+            gsl
+            redis
+            valkey
+            ;
+        })
+      ];
+
+      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
+    })
+    (lib.mkIf (!config.me.buildingIso) {
+      nix.settings.system-features = lib.mkForce [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+
+      # Keep ALL dependencies so we can rebuild offline. This DRASTICALLY increase disk usage, but disk space is cheap.
+      # system.includeBuildDependencies = true;
+
+      # This also should enable building offline? TODO: test.
+      nix.extraOptions = ''
+        keep-outputs = true
+        keep-derivations = true
+      '';
+
+      # # building ON
+      # nixpkgs.localSystem = { system = "aarch64-linux"; };
+      # # building FOR
+      # nixpkgs.crossSystem = { system = "aarch64-linux"; };
+
+      # nixpkgs.config = {
+      #   replaceStdenv = ({ pkgs }: pkgs.clangStdenv);
+      # };
+      # or maybe an overlay
+      # stdenv = prev.clangStdenv;
+
+    })
+    (lib.mkIf (config.me.buildingIso) {
+      boot.supportedFilesystems.zfs = true;
+    })
+  ];
+}

nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix

@@ -0,0 +1,8 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)

nix/configuration/hosts/neelix/DEPLOY_BOOT

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=neelix
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'

nix/configuration/hosts/neelix/DEPLOY_SWITCH

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=neelix
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'

nix/configuration/hosts/neelix/default.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    ./power_management.nix
+  ];
+
+  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  networking.hostId = "bca9d0a5";
+
+  networking.hostName = "neelix"; # Define your hostname.
+
+  time.timeZone = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  me.secureBoot.enable = false;
+
+  me.optimizations = {
+    enable = false;
+    arch = "alderlake";
+    system_features = [
+      "gccarch-alderlake"
+      "gccarch-x86-64-v3"
+      "gccarch-x86-64-v4"
+      "benchmark"
+      "big-parallel"
+      "kvm"
+      "nixos-test"
+    ];
+  };
+
+  # Early KMS
+  boot.initrd.kernelModules = [ "i915" ];
+
+  # Mount tmpfs at /tmp
+  # boot.tmp.useTmpfs = true;
+
+  me.bluetooth.enable = true;
+  me.emacs_flavor = "plainmacs";
+  me.graphical = true;
+  me.graphics_card_type = "intel";
+  me.kodi.enable = true;
+  me.lvfs.enable = true;
+  me.sound.enable = true;
+  me.wireguard.activated = [ "wgh" ];
+  me.wireguard.deactivated = [ "wgf" ];
+  me.zrepl.enable = true;
+  me.zsh.enable = true;
+
+}

nix/configuration/hosts/neelix/disk-config.nix

@@ -0,0 +1,140 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "1MiB";
+              compression = "lz4";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+}

nix/configuration/hosts/neelix/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nix/configuration/hosts/neelix/power_management.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  environment.systemPackages = with pkgs; [
+    powertop
+  ];
+
+  # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+  # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+  boot.kernelParams = [
+    "pcie_aspm=force"
+    # "pcie_aspm.policy=powersupersave"
+    "nowatchdog"
+  ];
+
+  # default performance balance_performance balance_power power
+  # defaults to balance_performance
+  # systemd.tmpfiles.rules = [
+  #   "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+  #   "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+  #   "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+  #   "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+  # ];
+
+  boot.extraModprobeConfig = ''
+    options snd_hda_intel power_save=1
+  '';
+}

nix/configuration/hosts/odo/DEPLOY_BOOT

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+# TARGET=10.216.1.15
+# TARGET=192.168.211.250
+TARGET=odo
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#odo'

nix/configuration/hosts/odo/DEPLOY_SWITCH

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=odo
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#odo'

nix/configuration/hosts/odo/ISO

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.odo" --max-jobs "$JOBS" "${@}" |& nom

nix/configuration/hosts/odo/SELF_BOOT

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" "${@}" |& nom

nix/configuration/hosts/odo/SELF_BUILD

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" "${@}" |& nom

nix/configuration/hosts/odo/SELF_SWITCH

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" "${@}" |& nom

nix/configuration/hosts/odo/default.nix

@@ -0,0 +1,116 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+    ./screen_brightness.nix
+    ./wifi.nix
+    ./framework_module.nix
+  ];
+
+  # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+  networking.hostId = "908cbf04";
+
+  networking.hostName = "odo"; # Define your hostname.
+
+  time.timeZone = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  me.secureBoot.enable = true;
+
+  me.optimizations = {
+    enable = true;
+    arch = "znver4";
+    system_features = [
+      "gccarch-znver4"
+      "gccarch-skylake"
+      # "gccarch-alderlake" missing WAITPKG
+      "gccarch-x86-64-v3"
+      "gccarch-x86-64-v4"
+      "benchmark"
+      "big-parallel"
+      "kvm"
+      "nixos-test"
+    ];
+  };
+
+  # Early KMS
+  boot.initrd.kernelModules = [ "amdgpu" ];
+
+  # Mount tmpfs at /tmp
+  boot.tmp.useTmpfs = true;
+
+  environment.systemPackages = with pkgs; [
+    fw-ectool
+    framework-tool
+  ];
+
+  # Enable light sensor
+  # hardware.sensor.iio.enable = lib.mkDefault true;
+
+  # Enable TRIM
+  # services.fstrim.enable = lib.mkDefault true;
+
+  me.alacritty.enable = true;
+  me.ansible.enable = true;
+  me.ares.enable = true;
+  me.bluetooth.enable = true;
+  me.chromecast.enable = true;
+  me.chromium.enable = true;
+  me.docker.enable = true;
+  me.ecc.enable = true;
+  me.emacs_flavor = "full";
+  me.firefox.enable = true;
+  me.flux.enable = true;
+  me.gcloud.enable = true;
+  me.git.config = ../../roles/git/files/gitconfig_home;
+  me.gnuplot.enable = true;
+  me.gpg.enable = true;
+  me.graphical = true;
+  me.graphics_card_type = "amd";
+  me.iso_mount.enable = true;
+  me.kanshi.enable = false;
+  me.kubernetes.enable = true;
+  me.latex.enable = true;
+  me.launch_keyboard.enable = true;
+  me.lvfs.enable = true;
+  me.media.enable = true;
+  me.nix_index.enable = true;
+  me.pcsx2.enable = true;
+  me.python.enable = true;
+  me.qemu.enable = true;
+  me.rpcs3.enable = true;
+  me.rust.enable = true;
+  me.shikane.enable = true;
+  me.sops.enable = true;
+  me.sound.enable = true;
+  me.steam.enable = true;
+  me.steam_run_free.enable = true;
+  me.sway.enable = true;
+  me.tekton.enable = true;
+  me.terraform.enable = true;
+  me.thunderbolt.enable = true;
+  me.vnc_client.enable = true;
+  me.vscode.enable = true;
+  me.wasm.enable = true;
+  me.waybar.enable = true;
+  me.wireguard.activated = [
+    "drmario"
+    "wgh"
+    "colo"
+  ];
+  me.wireguard.deactivated = [ "wgf" ];
+  me.zrepl.enable = true;
+  me.zsh.enable = true;
+
+  me.sm64ex.enable = true;
+  me.shipwright.enable = true;
+  me.ship2harkinian.enable = true;
+}

nix/configuration/hosts/odo/disk-config.nix

@@ -0,0 +1,142 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}

nix/configuration/hosts/odo/distributed_build.nix

@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [ ];
+
+  config = lib.mkMerge [
+    {
+      me.distributed_build.enable = true;
+      me.distributed_build.machines.hydra = {
+        enable = true;
+        additional_config = {
+          speedFactor = 2;
+        };
+      };
+      me.distributed_build.machines.quark = {
+        enable = true;
+        additional_config = {
+          speedFactor = 2;
+        };
+      };
+    }
+  ];
+}

nix/configuration/hosts/odo/framework_module.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = lib.mkMerge [
+    {
+      boot.extraModulePackages = with config.boot.kernelPackages; [
+        framework-laptop-kmod
+      ];
+      # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage
+      boot.kernelModules = [
+        "cros_ec"
+        "cros_ec_lpcs"
+      ];
+    }
+  ];
+}

nix/configuration/hosts/odo/hardware-configuration.nix

@@ -0,0 +1,36 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nix/configuration/hosts/odo/power_management.nix

@@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  environment.systemPackages = with pkgs; [
+    powertop
+  ];
+
+  # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
+  # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+  # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+  # amd_pstate=passive :: Fully automated hardware pstate control.
+  # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
+  # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
+  # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+  boot.kernelParams = [
+    "amdgpu.abmlevel=3"
+    "pcie_aspm=force"
+    # "pcie_aspm.policy=powersupersave"
+    "nowatchdog"
+    # I don't see a measurable benefit from these two:
+    # "cpufreq.default_governor=powersave"
+    # "initcall_blacklist=cpufreq_gov_userspace_init"
+  ];
+
+  systemd.tmpfiles.rules = [
+    "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+    "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+    "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+  ];
+
+  boot.extraModprobeConfig = ''
+    # Disable the hardware watchdog inside AMD 700 chipset series for power savings.
+    blacklist sp5100_tco
+
+    # Sound power-saving was causing chat notifications to be inaudible.
+    # options snd_hda_intel power_save=1
+  '';
+}

nix/configuration/hosts/odo/screen_brightness.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  systemd.tmpfiles.rules = [
+    "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 85"
+  ];
+}

nix/configuration/hosts/odo/wifi.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # Doesn't seem necessary starting with 6.13
+    # environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
+    #   doas iw dev wlan0 set power_save off
+    # '';
+
+    # Enable debug logging for ath12k wifi card.
+    boot.kernelParams = [
+      "ath12k.debug_mask=0xffffffff"
+    ];
+  };
+}

nix/configuration/hosts/odo/wrapped-disk-config.nix

@@ -0,0 +1,8 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)

nix/configuration/hosts/quark/DEPLOY_BOOT

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.15
+# TARGET=192.168.211.250
+TARGET=quark
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#quark'

nix/configuration/hosts/quark/DEPLOY_SWITCH

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=quark
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --use-remote-sudo --max-jobs "$JOBS" "${@}" |& nom
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#quark'

nix/configuration/hosts/quark/ISO

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.quark" --max-jobs "$JOBS" "${@}" |& nom

nix/configuration/hosts/quark/SELF_BOOT

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" "${@}" |& nom

nix/configuration/hosts/quark/SELF_BUILD

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" "${@}" |& nom

nix/configuration/hosts/quark/SELF_SWITCH

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix flake update zsh-histdb --flake "$DIR/../../"
+nix flake update ansible-sshjail --flake "$DIR/../../"
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --use-remote-sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" "${@}" |& nom

nix/configuration/hosts/quark/default.nix

@@ -0,0 +1,113 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./disk-config.nix
+    ./distributed_build.nix
+    ./hardware-configuration.nix
+    ./power_management.nix
+    ./wifi.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "47ee7d7c";
+
+    networking.hostName = "quark"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.secureBoot.enable = true;
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver5";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-znver5"
+        "gccarch-skylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # RPCS3 has difficulty with znver5
+    me.rpcs3.config.Core."Use LLVM CPU" = "znver4";
+
+    me.alacritty.enable = true;
+    me.ansible.enable = true;
+    me.ares.enable = true;
+    me.bluetooth.enable = true;
+    me.chromecast.enable = true;
+    me.chromium.enable = true;
+    me.docker.enable = true;
+    me.ecc.enable = true;
+    me.emacs_flavor = "full";
+    me.firefox.enable = true;
+    me.flux.enable = true;
+    me.gcloud.enable = true;
+    me.git.config = ../../roles/git/files/gitconfig_home;
+    me.gnuplot.enable = true;
+    me.gpg.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "amd";
+    me.iso_mount.enable = true;
+    me.kanshi.enable = false;
+    me.kubernetes.enable = true;
+    me.latex.enable = true;
+    me.launch_keyboard.enable = true;
+    me.lvfs.enable = true;
+    me.media.enable = true;
+    me.nix_index.enable = true;
+    me.nix_worker.enable = true;
+    me.pcsx2.enable = true;
+    me.python.enable = true;
+    me.qemu.enable = true;
+    me.rpcs3.enable = true;
+    me.rust.enable = true;
+    me.shikane.enable = true;
+    me.sops.enable = true;
+    me.sound.enable = true;
+    me.steam.enable = true;
+    me.steam_run_free.enable = true;
+    me.sway.enable = true;
+    me.tekton.enable = true;
+    me.terraform.enable = true;
+    me.thunderbolt.enable = true;
+    me.vnc_client.enable = true;
+    me.vscode.enable = true;
+    me.wasm.enable = true;
+    me.waybar.enable = true;
+    me.wireguard.activated = [
+      "drmario"
+      "wgh"
+      "colo"
+    ];
+    me.wireguard.deactivated = [ "wgf" ];
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+
+    me.sm64ex.enable = true;
+    me.shipwright.enable = true;
+    me.ship2harkinian.enable = true;
+  };
+}

nix/configuration/hosts/quark/disk-config.nix

@@ -0,0 +1,148 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}

nix/configuration/hosts/quark/distributed_build.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [ ];
+
+  config = lib.mkMerge [
+    {
+      me.distributed_build.enable = true;
+      me.distributed_build.machines.hydra = {
+        enable = true;
+        additional_config = {
+          speedFactor = 2;
+        };
+      };
+    }
+  ];
+}

nix/configuration/hosts/quark/hardware-configuration.nix

@@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nix/configuration/hosts/quark/power_management.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  environment.systemPackages = with pkgs; [
+    powertop
+  ];
+
+  boot.kernelParams = [
+    # Enable undervolting GPU.
+    # "amdgpu.ppfeaturemask=0xfff7ffff"
+  ];
+
+  systemd.tmpfiles.rules = [
+    # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+    # "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+  ];
+
+  # services.udev.packages = [
+  #   (pkgs.writeTextFile {
+  #     name = "amdgpu-low-power";
+  #     text = ''
+  #       ACTION=="add", SUBSYSTEM=="drm", DRIVERS=="amdgpu", ATTR{device/power_dpm_force_performance_level}="low"
+  #     '';
+  #     destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules";
+  #   })
+  # ];
+}

nix/configuration/hosts/quark/wifi.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
+      doas iw dev wlan0 set power_save off
+    '';
+  };
+}

nix/configuration/roles/2ship2harkinian/default.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ship2harkinian.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install 2ship2harkinian.";
+    };
+  };
+
+  config = lib.mkIf config.me.ship2harkinian.enable (
+    lib.mkMerge [
+      {
+        allowedUnfree = [ "2ship2harkinian" ];
+      }
+      (lib.mkIf config.me.graphical {
+        environment.systemPackages = with pkgs; [
+          _2ship2harkinian
+        ];
+
+        # TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".local/share/2ship";
+                user = "talexander";
+                group = "talexander";
+                mode = "0755";
+              }
+            ];
+          };
+        };
+      })
+    ]
+  );
+}

nix/configuration/roles/alacritty/default.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+  options.me = {
+    alacritty.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install alacritty.";
+    };
+  };
+
+  config = lib.mkIf config.me.alacritty.enable (
+    lib.mkMerge [
+      (lib.mkIf config.me.graphical {
+        environment.systemPackages = with pkgs; [
+          alacritty
+          xdg-utils # for xdg-open
+        ];
+
+        home-manager.users.talexander =
+          { pkgs, ... }:
+          {
+            home.file.".config/alacritty/alacritty.toml" = {
+              source = ./files/alacritty.toml;
+            };
+          };
+      })
+    ]
+  );
+
+}

nix/configuration/roles/alacritty/files/alacritty.toml

@@ -0,0 +1,44 @@
+[colors]
+draw_bold_text_with_bright_colors = true
+indexed_colors = []
+
+[colors.bright]
+black = "0x666666"
+blue = "0x7aa6da"
+cyan = "0x54ced6"
+green = "0x9ec400"
+magenta = "0xb77ee0"
+red = "0xff3334"
+white = "0xffffff"
+yellow = "0xe7c547"
+
+[colors.normal]
+black = "0x000000"
+blue = "0x7aa6da"
+cyan = "0x70c0ba"
+green = "0xb9ca4a"
+magenta = "0xc397d8"
+red = "0xd54e53"
+white = "0xeaeaea"
+yellow = "0xe6c547"
+
+[colors.primary]
+background = "0x000000"
+foreground = "0xeaeaea"
+
+[font]
+size = 11.0
+
+[[hints.enabled]]
+command = "xdg-open"
+post_processing = true
+regex = "(ipfs:|ipns:|magnet:|mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)[^\u0000-\u001F\u007F-<>\"\\s{-}\\^⟨⟩`]+"
+
+[hints.enabled.mouse]
+enabled = false
+mods = "None"
+
+[scrolling]
+history = 10000
+# Lines moved per scroll.
+multiplier = 3

nix/configuration/roles/ansible/default.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ansible.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install ansible.";
+    };
+  };
+
+  config = lib.mkIf config.me.ansible.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          ansible
+        ];
+
+        nixpkgs.overlays = [
+          (final: prev: {
+            ansible = pkgs.symlinkJoin {
+              name = "ansible";
+              paths = [
+                (prev.ansible.overridePythonAttrs {
+                  propagatedBuildInputs = prev.ansible.propagatedBuildInputs ++ [ prev.python3Packages.jmespath ];
+                })
+                pkgs.ansible-sshjail
+              ];
+              buildInputs = [ pkgs.makeWrapper ];
+
+              postBuild = ''
+                ${lib.concatMapStringsSep "\n"
+                  (
+                    prog:
+                    (
+                      "wrapProgram $out/bin/${prog} ${
+                        lib.concatMapStringsSep " "
+                          (
+                            plugin_type:
+                            "--set ANSIBLE_${lib.toUpper plugin_type}_PLUGINS $out/share/ansible/plugins/${lib.toLower plugin_type}_plugins"
+                          )
+                          [
+                            "action"
+                            "cache"
+                            "callback"
+                            "connection"
+                            "filter"
+                            "inventory"
+                            "lookup"
+                            "shell"
+                            "strategy"
+                            "test"
+                            "vars"
+                          ]
+                      } --prefix PATH : ${lib.makeBinPath [ ]}"
+                    )
+                  )
+                  [
+                    "ansible"
+                    "ansible-config"
+                    "ansible-console"
+                    "ansible-doc"
+                    "ansible-galaxy"
+                    "ansible-inventory"
+                    "ansible-playbook"
+                    "ansible-pull"
+                    "ansible-test"
+                    "ansible-vault"
+                  ]
+                }
+              '';
+            };
+          })
+        ];
+      }
+    ]
+  );
+}

nix/configuration/roles/ares/default.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ares.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install ares.";
+    };
+  };
+
+  config = lib.mkIf config.me.ares.enable (
+    lib.mkMerge [
+      { }
+      (lib.mkIf config.me.graphical {
+        environment.systemPackages = with pkgs; [
+          ares
+        ];
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".local/share/ares";
+                user = "talexander";
+                group = "talexander";
+                mode = "0755";
+              }
+            ];
+          };
+        };
+      })
+    ]
+  );
+}

nix/configuration/roles/blank/default.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    blank.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install blank.";
+    };
+  };
+
+  config = lib.mkIf config.me.blank.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+        ];
+      }
+      (lib.mkIf config.me.graphical {
+      })
+    ]
+  );
+}

nix/configuration/roles/bluetooth/default.nix

@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    bluetooth.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install bluetooth.";
+    };
+  };
+
+  config = lib.mkIf config.me.bluetooth.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+        ];
+
+        hardware.bluetooth = {
+          enable = true;
+          powerOnBoot = true;
+          settings = {
+            General = {
+              # Enable support for showing battery charge level.
+              Experimental = true;
+            };
+          };
+        };
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          directories = [
+            "/var/lib/bluetooth" # Bluetooth pairing information.
+          ];
+        };
+      }
+    ]
+  );
+}

nix/configuration/roles/boot/default.nix

@@ -0,0 +1,104 @@
+# ISO does not work with systemd initrd yet https://github.com/NixOS/nixpkgs/pull/291750
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options = {
+    me.secureBoot = {
+      enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Enable to use secure boot.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      environment.systemPackages = with pkgs; [
+        tpm2-tools # For tpm2_eventlog to check for OptionRoms
+        # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
+        # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
+        sbctl # For debugging and troubleshooting Secure Boot.
+      ];
+    }
+    (lib.mkIf (!config.me.buildingIso) {
+
+      boot.loader.grub.enable = false;
+      # Use the systemd-boot EFI boot loader.
+      boot.loader.systemd-boot.enable = true;
+      # TODO: make not write bootx64.efi
+      boot.loader.efi.canTouchEfiVariables = false;
+
+      # Automatically delete old generations
+      boot.loader.systemd-boot.configurationLimit = 3;
+
+      boot.loader.systemd-boot.memtest86.enable = true;
+
+      # Check what will be lost with `zfs diff zroot/linux/root@blank`
+      boot.initrd.systemd.enable = lib.mkDefault true;
+      boot.initrd.systemd.services.zfs-rollback = {
+        description = "Rollback ZFS root dataset to blank snapshot";
+        wantedBy = [
+          "initrd.target"
+        ];
+        after = [
+          "zfs-import-zroot.service"
+        ];
+        before = [
+          "sysroot.mount"
+        ];
+        path = with pkgs; [
+          zfs
+        ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig.Type = "oneshot";
+        script = ''
+          zfs rollback -r zroot/linux/nix/root@blank
+          zfs rollback -r zroot/linux/nix/home@blank
+          echo "rollback complete"
+        '';
+      };
+
+      # boot.loader.systemd-boot.extraEntries = {
+      #   "windows.conf" = ''
+      #     title Windows
+      #     efi /EFI/Microsoft/Boot/bootmgfw.efi
+      #     options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa
+      #   '';
+      # };
+      environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+        hideMounts = true;
+        directories = [
+          "/var/lib/sbctl" # Secure Boot Keys
+        ];
+      };
+    })
+    (lib.mkIf (config.me.secureBoot.enable) {
+      environment.systemPackages = with pkgs; [
+        sbctl
+      ];
+      boot.loader.systemd-boot.enable = lib.mkForce false;
+      boot.lanzaboote = {
+        enable = true;
+        pkiBundle = "/var/lib/sbctl";
+      };
+    })
+  ];
+}
+# efibootmgr -c -d /dev/sda -p 1 -L NixOS-boot -l '\EFI\NixOS-boot\grubx64.efi'
+
+# Text-only:
+# sudo cp "$(nix-build '<nixpkgs>' --no-out-link -A 'refind')/share/refind/refind_x64.efi" /boot/EFI/boot/bootx64.efi
+
+# Full graphics:
+# $ sudo nix-shell -p refind efibootmgr
+# $ refind-install

nix/configuration/roles/chromecast/default.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    chromecast.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install chromecast.";
+    };
+  };
+
+  config = lib.mkIf config.me.chromecast.enable (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          catt
+        ];
+      }
+      (lib.mkIf config.me.graphical {
+      })
+    ]
+  );
+}

nix/configuration/roles/chromium/default.nix

@@ -0,0 +1,65 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    chromium.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install chromium.";
+    };
+  };
+
+  config = lib.mkIf config.me.chromium.enable (
+    lib.mkMerge [
+      { }
+      (lib.mkIf config.me.graphical {
+        environment.systemPackages = with pkgs; [
+          (chromium.override { enableWideVine = true; })
+        ];
+        allowedUnfree = [
+          "chromium"
+          "chromium-unwrapped"
+          "widevine-cdm"
+        ];
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".config/chromium";
+                user = "talexander";
+                group = "talexander";
+                mode = "0700";
+              }
+            ];
+          };
+        };
+        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".cache/chromium";
+                user = "talexander";
+                group = "talexander";
+                mode = "0700";
+              }
+            ];
+          };
+        };
+
+        # Enabling vulkan causes video to render as white
+        # nixpkgs.config.chromium.commandLineArgs = "--enable-features=Vulkan";
+      })
+    ]
+  );
+}

nix/configuration/roles/distributed_build/default.nix

@@ -0,0 +1,105 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  make_machine_config = name: {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to use the ${name} machine during distributed builds.";
+    };
+
+    additional_config = lib.mkOption {
+      type = lib.types.attrs;
+      default = { };
+      example = lib.literalExpression {
+        speedFactor = 2;
+      };
+      description = "Additional config values for the buildMachines entry. For example, speedFactor.";
+    };
+  };
+in
+{
+  imports = [ ];
+
+  options.me = {
+    distributed_build.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to use multiple machines to perform a nixos-rebuild.";
+    };
+
+    distributed_build.machines.hydra = make_machine_config "hydra";
+    distributed_build.machines.quark = make_machine_config "quark";
+  };
+
+  config = lib.mkIf config.me.distributed_build.enable (
+    lib.mkMerge [
+      {
+        nix.distributedBuilds = true;
+      }
+      (lib.mkIf config.me.distributed_build.machines.hydra.enable {
+        nix.buildMachines = [
+          (
+            {
+              hostName = "hydra";
+              sshUser = "nixworker";
+              # sshKey = "";
+              # publicHostKey = "";
+              systems = [
+                "x86_64-linux"
+                # "aarch64-linux"
+              ];
+              maxJobs = 1;
+              supportedFeatures = [
+                # "nixos-test"
+                "benchmark"
+                "big-parallel"
+                # "kvm"
+                "gccarch-x86-64-v3"
+                "gccarch-x86-64-v4"
+                "gccarch-znver4"
+              ];
+            }
+            // config.me.distributed_build.machines.hydra.additional_config
+          )
+        ];
+      })
+      (lib.mkIf config.me.distributed_build.machines.quark.enable {
+        nix.buildMachines = [
+          (
+            {
+              hostName = "quark";
+              sshUser = "nixworker";
+              sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
+              # From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
+              publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUx0alplYlVYTkRkU3Y1enVGbjM3eFNMZUN3S2hPKzFMdWovM2FYNFJRTEEgcm9vdEBxdWFyawo=";
+              systems = [
+                "x86_64-linux"
+                # "aarch64-linux"
+              ];
+              maxJobs = 1;
+              supportedFeatures = [
+                # "nixos-test"
+                "benchmark"
+                "big-parallel"
+                # "kvm"
+                "gccarch-x86-64-v3"
+                "gccarch-x86-64-v4"
+                "gccarch-znver4"
+                "gccarch-znver5"
+              ];
+            }
+            // config.me.distributed_build.machines.quark.additional_config
+          )
+        ];
+      })
+    ]
+  );
+}

nix/configuration/roles/docker/default.nix

@@ -0,0 +1,90 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    docker.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install docker.";
+    };
+  };
+
+  config = lib.mkIf config.me.docker.enable (
+    lib.mkMerge [
+      {
+        virtualisation.docker.enable = true;
+        # Use docker activation
+        virtualisation.docker.enableOnBoot = false;
+        # Rootless docker breaks access to ssh for buildkit.
+        # virtualisation.docker.rootless = {
+        #   enable = true;
+        #   setSocketVariable = true;
+        # };
+        # Give docker access to ssh for fetching repos with buildkit.
+        virtualisation.docker.extraPackages = [ pkgs.openssh ];
+        environment.systemPackages = with pkgs; [
+          docker-buildx
+        ];
+
+        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          directories = [
+            {
+              directory = "/var/lib/docker";
+              user = "root";
+              group = "root";
+              mode = "0740";
+            }
+          ];
+          # users.talexander = {
+          #   directories = [
+          #     {
+          #       directory = ".local/share/docker";
+          #       user = "talexander";
+          #       group = "talexander";
+          #       mode = "0740";
+          #     }
+          #   ];
+          # };
+        };
+
+        systemd.services.link-docker-creds = {
+          # Contains credentials so it cannot be added to the nix store
+          enable = true;
+          description = "link-docker-creds";
+          wantedBy = [ "multi-user.target" ];
+          wants = [ "multi-user.target" ];
+          after = [ "multi-user.target" ];
+          # path = with pkgs; [
+          #   zfs
+          # ];
+          unitConfig.DefaultDependencies = "no";
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = "yes";
+          };
+          script = ''
+            if [ -e /persist/manual/docker/config.json ]; then
+              install --directory --owner talexander --group talexander --mode 0700 /home/talexander/.docker
+              ln -s /persist/manual/docker/config.json /home/talexander/.docker/config.json
+            fi
+          '';
+          preStop = ''
+            rm -f /home/talexander/.docker/config.json
+          '';
+        };
+
+        # Needed for non-rootless docker
+        users.users.talexander.extraGroups = [ "docker" ];
+      }
+    ]
+  );
+}

nix/configuration/roles/ecc/default.nix

@@ -0,0 +1,28 @@
+# Check memory errors with: ras-mc-ctl --error-count
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ecc.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install ecc.";
+    };
+  };
+
+  config = lib.mkIf config.me.ecc.enable (
+    lib.mkMerge [
+      {
+        hardware.rasdaemon.enable = true;
+      }
+    ]
+  );
+}

nix/configuration/roles/emacs/default.nix

@@ -0,0 +1,171 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  plainmacs =
+    emacs_package:
+    pkgs.writeShellScriptBin "plainmacs" ''
+      INIT_SCRIPT=$(cat <<EOF
+      (progn
+        (setq make-backup-files nil auto-save-default nil create-lockfiles nil)
+        (load-theme 'tango-dark t)
+        (set-face-attribute 'default nil :background "black")
+        ;; Bright yellow highlighting for selected region
+        (set-face-attribute 'region nil :background "#ffff50" :foreground "black")
+        ;; Bright green cursor to distinguish from yellow region
+        (set-cursor-color "#ccff66")
+        ;; Hightlight the current line
+        (set-face-attribute 'line-number-current-line nil :foreground "white")
+        ;; Set default font
+        (set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
+        ;; Set fallback font for unicode glyphs
+        (when (display-graphic-p)
+          (set-fontset-font "fontset-default" nil (font-spec :name "Noto Color Emoji")))
+        (menu-bar-mode -1)
+        (when (fboundp 'tool-bar-mode)
+          (tool-bar-mode -1))
+        (when (  fboundp 'scroll-bar-mode)
+          (scroll-bar-mode -1))
+        (pixel-scroll-precision-mode)
+        (setq frame-resize-pixelwise t)
+        )
+      EOF
+      )
+
+      exec ${emacs_package}/bin/emacs -q --eval "$INIT_SCRIPT" "''${@}"
+    '';
+  e_shorthand =
+    emacs_package:
+    pkgs.writeShellScriptBin "e" ''
+      exec ${emacs_package}/bin/emacs "''${@}"
+    '';
+in
+{
+  imports = [ ];
+
+  options.me.emacs_flavor = lib.mkOption {
+    type = lib.types.nullOr (
+      lib.types.enum [
+        "full"
+        "plainmacs"
+      ]
+    );
+    default = null;
+    example = "full";
+    description = "What flavor of emacs to set up.";
+  };
+
+  config = lib.mkIf (config.me.emacs_flavor != null) (
+    lib.mkMerge [
+      {
+        environment.systemPackages = with pkgs; [
+          my_emacs
+          (plainmacs my_emacs)
+          (e_shorthand my_emacs)
+        ];
+
+        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              ".config/emacs/eln-cache" # Installed packages
+              ".config/emacs/elpa" # Installed packages
+              ".config/emacs/private" # For recentf
+              ".config/emacs/tree-sitter" # Compiled tree-sitter grammars
+            ];
+            files = [
+              ".config/emacs/history" # For savehist
+              ".config/emacs/.last-package-update-day" # For use-package
+            ];
+          };
+        };
+
+        environment.variables.EDITOR = "plainmacs";
+      }
+      (lib.mkIf (config.me.graphical) {
+        nixpkgs.overlays = [
+          (final: prev: {
+            my_emacs = final.emacs-pgtk;
+          })
+        ];
+      })
+      (lib.mkIf (!config.me.graphical) {
+        nixpkgs.overlays = [
+          (final: prev: {
+            my_emacs = final.emacs-nox;
+          })
+        ];
+      })
+      (lib.mkIf (config.me.emacs_flavor == "full") {
+        nixpkgs.overlays = [
+          (final: prev: {
+            my_emacs = pkgs.buildEnv {
+              name = prev.my_emacs.name;
+              paths = with prev; [
+                my_emacs
+              ];
+              extraOutputsToInstall = [
+                "man"
+                "doc"
+                "info"
+              ];
+              nativeBuildInputs = [ final.makeWrapper ];
+              postBuild = ''
+                wrapProgram $out/bin/emacs --prefix PATH : ${
+                  lib.makeBinPath [
+                    (final.aspellWithDicts (
+                      dicts: with dicts; [
+                        en
+                        en-computers
+                        # en-science # TODO: Why is en-science non-free?
+                      ]
+                    ))
+                    final.nixd # nix language server
+                    final.nixfmt-rfc-style # auto-formatting nix files through nixd
+                    final.clang # To compile tree-sitter grammars
+                    final.shellcheck
+                    final.cmake-language-server
+                    final.cmake # Used by cmake-language-server
+                    final.rust-analyzer
+                    final.nodePackages_latest.prettier # Format yaml, json, and JS
+                    final.terraform-ls
+                  ]
+                }
+              '';
+            };
+          })
+        ];
+
+        home-manager.users.talexander =
+          { pkgs, ... }:
+          {
+            home.file.".config/emacs" = {
+              source = ./files/emacs;
+              recursive = true;
+            };
+          };
+      })
+      (lib.mkIf (config.me.emacs_flavor == "plainmacs") {
+        nixpkgs.overlays = [
+          (final: prev: {
+            my_emacs = pkgs.buildEnv {
+              name = prev.my_emacs.name;
+              paths = with prev; [
+                my_emacs
+              ];
+              extraOutputsToInstall = [
+                "man"
+                "doc"
+                "info"
+              ];
+            };
+          })
+        ];
+      })
+    ]
+  );
+}

nix/configuration/roles/emacs/files/emacs/early-init.el

@@ -0,0 +1,25 @@
+(setq gc-cons-threshold (* 128 1024 1024)) ;; 128MiB Increase garbage collection threshold for performance (default 800000)
+;; Increase amount of data read from processes, default 4k
+(when (version<= "27.0" emacs-version)
+  (setq read-process-output-max (* 10 1024 1024)) ;; 10MiB
+  )
+
+;; Suppress warnings
+(setq byte-compile-warnings '(not obsolete))
+(setq warning-suppress-log-types '((comp) (bytecomp)))
+(setq native-comp-async-report-warnings-errors 'silent)
+
+;; Set up default visual settings
+(setq frame-resize-pixelwise t)
+;; Disable toolbar & menubar
+(menu-bar-mode -1)
+(when (fboundp 'tool-bar-mode)
+  (tool-bar-mode -1))
+(when (display-graphic-p)
+  (context-menu-mode +1))
+
+(setq default-frame-alist '((fullscreen . maximized)
+                            (vertical-scroll-bars . nil)
+                            (horizontal-scroll-bars . nil)
+                            ;; Set dark colors in early-init to prevent flashes of white.
+                            (background-color . "#000000")))

nix/configuration/roles/emacs/files/emacs/elisp/base-extensions.el

@@ -0,0 +1,85 @@
+(use-package diminish)
+
+;; Eglot recommends pulling the latest of the standard libraries it
+;; uses from ELPA if you're not tracking the current.config/emacsevelopment
+;; branch.
+(use-package xref
+  :pin gnu
+  )
+
+(use-package eldoc
+  :pin gnu
+  :diminish
+  )
+
+;; Other packages
+
+(use-package dashboard
+  :config
+  (dashboard-setup-startup-hook))
+
+(when (version<= "26.0.50" emacs-version )
+  (add-hook 'prog-mode-hook 'display-line-numbers-mode)
+  (add-hook 'prog-mode-hook 'column-number-mode)
+  )
+
+;; Display a horizontal line instead of ^L for page break characters
+(use-package page-break-lines
+  :diminish
+  :config
+  (global-page-break-lines-mode +1)
+  )
+
+(use-package recentf
+  ;; This is an emacs built-in but we're pulling the latest version
+  :config
+  (setq recentf-max-saved-items 100)
+  (setq recentf-save-file (recentf-expand-file-name "~/.config/emacs/private/cache/recentf"))
+  (recentf-mode 1))
+
+;; Persist history over Emacs restarts. Vertico sorts by history position.
+(use-package savehist
+  ;; This is an emacs built-in but we're pulling the latest version
+  :pin gnu
+  :config
+  (savehist-mode))
+
+(use-package which-key
+  :pin gnu
+  :diminish
+  :config
+  (which-key-mode))
+
+(use-package windmove
+  ;; This is an emacs built-in but we're pulling the latest version
+  :pin gnu
+  :bind
+  (
+   ("S-<up>" . windmove-up)
+   ("S-<right>" . windmove-right)
+   ("S-<down>" . windmove-down)
+   ("S-<left>" . windmove-left)
+   )
+  )
+
+(setq tramp-default-method "ssh")
+
+(use-package nginx-mode
+  :mode (
+         ("headers\\.include\\'" . nginx-mode)
+         )
+  :config
+  (setq nginx-indent-level 4))
+
+(use-package systemd
+  :mode
+  (("\\.service\\'" . systemd-mode)
+   ("\\.timer\\'" . systemd-mode))
+  )
+
+(use-package pkgbuild-mode
+  :mode
+  (("PKGBUILD\\'" . pkgbuild-mode))
+  )
+
+(provide 'base-extensions)

nix/configuration/roles/emacs/files/emacs/elisp/base-functions.el

@@ -0,0 +1,127 @@
+;; ========== Function to reload current file =================
+
+(defun reload-file ()
+    "Revert buffer without confirmation."
+    (interactive)
+    (revert-buffer :ignore-auto :noconfirm))
+
+;; ===========================================================
+;; ============= Run commands ================================
+(defun run-command-on-buffer (cmd &rest args)
+  "Run a command using the current buffer as stdin and replacing its contents if the command succeeds with the stdout from the command. This is useful for code formatters."
+  (let (
+        (stdout-buffer (generate-new-buffer "tmp-stdout" t))
+        (full-cmd (append '(call-process-region nil nil cmd nil stdout-buffer nil) args))
+        )
+    (unwind-protect
+        (let ((exit-status (eval full-cmd)))
+          (if (eq exit-status 0)
+              (save-excursion
+                (replace-buffer-contents stdout-buffer)
+                )
+            (message "FAILED running command on buffer %s" (append (list cmd) args))
+            )
+          )
+      (kill-buffer stdout-buffer)
+      )
+    )
+  )
+
+(defun run-command-in-directory (dir cmd &rest args)
+  "Run a command in the specified directory. If the directory is nil, the directory of the file is used. The stdout result is trimmed of whitespace and returned."
+  (let (
+        (default-directory (or dir default-directory))
+        (stdout-buffer (generate-new-buffer "tmp-stdout" t))
+        (full-cmd (append '(call-process cmd nil (list stdout-buffer nil) nil) args))
+        )
+    (unwind-protect
+        (let ((exit-status (condition-case nil (eval full-cmd) (file-missing nil))))
+          (if (eq exit-status 0)
+              (progn
+                (with-current-buffer stdout-buffer
+                  (string-trim (buffer-string))
+                  )
+                )
+            )
+          )
+      (kill-buffer stdout-buffer)
+      )
+    )
+  )
+
+(defun load-directory (dir)
+  (let ((load-it (lambda (f)
+                   (load-file (concat (file-name-as-directory dir) f)))
+                 ))
+    (mapc load-it (directory-files dir nil "\\.el$"))))
+
+(defun generate-vc-link ()
+  (interactive)
+  (or
+   (generate-github-link)
+   (generate-source-hut-link)
+   )
+  )
+
+(defun generate-github-link ()
+  "Generate a permalink to the current line."
+  (interactive)
+  (let (
+        (current-rev (vc-working-revision buffer-file-name))
+        (line-number (line-number-at-pos))
+        (repository-url (vc-git-repository-url buffer-file-name))
+        (relative-path (file-relative-name buffer-file-name (vc-root-dir)))
+        )
+    (save-match-data
+      (and (string-match "\\(git@github\.com:\\|https://github\.com/\\)\\([^/]+\\)/\\([^.]+\\).git" repository-url)
+           (let* (
+                 (gh-org (match-string 2 repository-url))
+                 (gh-repo (match-string 3 repository-url))
+                 (full-url (format "https://github.com/%s/%s/blob/%s/%s?plain=1#L%s" gh-org gh-repo current-rev relative-path line-number))
+                 )
+             (message "%s" full-url)
+             (kill-new full-url)
+             t
+             )
+           )
+      )
+    )
+  )
+
+(defun generate-source-hut-link ()
+  "Generate a permalink to the current line."
+  (interactive)
+  (let (
+        (current-rev (vc-working-revision buffer-file-name))
+        (line-number (line-number-at-pos))
+        (repository-url (vc-git-repository-url buffer-file-name))
+        (relative-path (file-relative-name buffer-file-name (vc-root-dir)))
+        )
+    (message "Using repo url %s" repository-url)
+    (save-match-data
+      (and (string-match "https://git.sr.ht/\\([^/]+\\)/\\([^/]+\\)" repository-url)
+           (let* (
+                 (sh-org (match-string 1 repository-url))
+                 (sh-repo (match-string 2 repository-url))
+                 (full-url (format "https://git.sr.ht/%s/%s/tree/%s/%s#L%s" sh-org sh-repo current-rev relative-path line-number))
+                 )
+             (message "%s" full-url)
+             (kill-new full-url)
+             t
+             )
+           )
+      )
+    )
+  )
+
+(defmacro when-linux (&rest body)
+  "Execute only when on Linux."
+  (declare (indent defun))
+  `(when (eq system-type 'gnu/linux) ,@body))
+
+(defmacro when-freebsd (&rest body)
+  "Execute only when on FreeBSD."
+  (declare (indent defun))
+  `(when (eq system-type 'berkeley-unix) ,@body))
+
+(provide 'base-functions)

nix/configuration/roles/emacs/files/emacs/elisp/base-global-keys.el

@@ -0,0 +1,12 @@
+;; Add your keys here, as such
+
+;; Disable the suspend frame hotkeys
+(global-unset-key (kbd "C-z"))
+(global-unset-key (kbd "C-x C-z"))
+
+;; dabbrev-expand. Seems to be some sort of dumb-expand. Accidentally hitting it when trying to use M-?
+(global-unset-key (kbd "M-/"))
+
+(global-set-key (kbd "C-x g l") 'generate-vc-link)
+
+(provide 'base-global-keys)

nix/configuration/roles/emacs/files/emacs/elisp/base-theme.el

@@ -0,0 +1,15 @@
+;; Set theme
+(load-theme 'tango-dark t)
+(set-face-attribute 'default nil :background "black")
+;; Bright yellow highlighting for selected region
+(set-face-attribute 'region nil :background "#ffff50" :foreground "black")
+;; Bright green cursor to distinguish from yellow region
+(set-face-attribute 'cursor nil :background "#ccff66")
+;; Hightlight the current line
+(set-face-attribute 'line-number-current-line nil :foreground "white")
+;; Set default font
+(set-face-attribute 'default nil :height 100 :width 'regular :weight 'regular :family "Cascadia Mono")
+;; Set fallback font for unicode glyphs
+(set-fontset-font t 'emoji (font-spec :name "Noto Color Emoji") nil 'prepend)
+
+(provide 'base-theme)

nix/configuration/roles/emacs/files/emacs/elisp/base.el

@@ -0,0 +1,131 @@
+(package-initialize)
+(use-package use-package)
+
+(add-to-list 'package-archives
+             '("melpa" . "https://melpa.org/packages/")
+             )
+
+(use-package auto-package-update
+   :ensure t
+   :config
+   (setq auto-package-update-delete-old-versions t
+         auto-package-update-interval 14)
+   (auto-package-update-maybe))
+
+(defun assert-directory (p)
+  (unless (file-exists-p p) (make-directory p t))
+  p
+  )
+
+(defconst private-dir  (expand-file-name "private" user-emacs-directory))
+(defconst temp-dir (format "%s/cache" private-dir)
+  "Hostname-based elisp temp directories")
+(assert-directory (concat temp-dir "/auto-save-list/"))
+(setq autoload-directory (concat user-emacs-directory (file-name-as-directory "elisp") (file-name-as-directory "autoload")))
+(add-to-list 'load-path (assert-directory autoload-directory))
+
+(use-package emacs
+  :ensure nil
+  :bind
+  (("C-z" . nil)
+   ("C-x C-z" . nil)
+   ("RET" . newline-and-indent)
+   )
+  :custom
+  ;; Replace highlighted text if you start typing.
+  (delete-selection-mode 1)
+
+  (history-length 300)
+
+  ;; Enable auto-revert for buffers like dired
+  (global-auto-revert-non-file-buffers t)
+
+  ;; If the underlying file changes, reload it automatically. This is useful for moving around in git without confusing language servers.
+  (auto-revert-avoid-polling t)
+  (auto-revert-interval 5)
+  (auto-revert-check-vc-info t)
+  (global-auto-revert-mode t)
+
+  ;; Disable backup files and lockfiles
+  (create-lockfiles nil)
+  (make-backup-files nil)
+  (backup-inhibited t)
+
+  ;; Do not auto-save files
+  (auto-save-default nil)
+
+  (pixel-scroll-precision-mode t)
+  (pixel-scroll-precision-use-momentum nil)
+
+  :config
+  (setq enable-recursive-minibuffers t)
+
+  ;; Filter the M-x list base on the current mode
+  (setq read-extended-command-predicate #'command-completion-default-include-p)
+
+  ;; Enable triggering completion with the tab key.
+  (setq tab-always-indent 'complete)
+
+  )
+
+(setq-default
+ ;; Unless otherwise specified, always install packages if they are absent.
+ use-package-always-ensure t
+ ;; Point custom-file at /dev/null so emacs does not write any settings to my dotfiles.
+ custom-file "/dev/null"
+ ;; Don't pop up a small window at the bottom of emacs at launch.
+ inhibit-startup-screen t
+ inhibit-startup-message t
+ ;; Don't show the list of buffers when opening many files.
+ inhibit-startup-buffer-menu t
+ ;; Give the scratch buffer a clean slate.
+ initial-major-mode 'fundamental-mode
+ initial-scratch-message nil
+ ;; Send prompts to mini-buffer not the GUI
+ use-dialog-box nil
+ ;; End files with line break
+ require-final-newline t
+ ;; Use spaces, not tabs
+ indent-tabs-mode nil
+ ;; Use a better frame title
+ frame-title-format '("" invocation-name ": "(:eval (if (buffer-file-name)
+                                                        (abbreviate-file-name (buffer-file-name))
+                                                      "%b")))
+ ;; Use 'y' or 'n' instead of 'yes' or 'no'
+ use-short-answers t
+ ;; Natively compile packages
+ package-native-compile t
+ ;; Confirm when opening a file that does not exist
+ confirm-nonexistent-file-or-buffer t
+ ;; Do not require double space to end a sentence.
+ sentence-end-double-space nil
+ ;; Show trailing whitespace
+ show-trailing-whitespace t
+ ;; Remove the line when killing it with ctrl-k
+ kill-whole-line t
+
+ ;; Show the current project in the mode line
+ project-mode-line t
+ )
+
+;; (setq-default fringes-outside-margins t)
+
+;; Per-pixel scrolling instead of per-line
+(pixel-scroll-precision-mode)
+
+;; Typed text replaces selection
+(delete-selection-mode)
+
+
+;; Delete trailing whitespace before save
+(add-hook 'before-save-hook 'delete-trailing-whitespace)
+
+;;;;; Performance
+;; Run garbage collect when emacs is idle
+(run-with-idle-timer 5 t (lambda () (garbage-collect)))
+(add-function :after after-focus-change-function
+              (lambda ()
+                (unless (frame-focus-state)
+                  (garbage-collect))))
+
+(provide 'base)

nix/configuration/roles/emacs/files/emacs/elisp/common-lsp.el

@@ -0,0 +1,47 @@
+(use-package eglot
+  :pin gnu
+  :commands (eglot eglot-ensure)
+  :bind (:map eglot-mode-map
+              ;; M-.
+              ;; ([remap xref-find-definitions] . lsp-ui-peek-find-definitions)
+              ;; M-?
+              ;; ([remap xref-find-references] . lsp-ui-peek-find-references)
+              ("C-c C-a" . eglot-code-actions)
+              ;; C-M-.
+              ([remap xref-find-apropos] . #'consult-eglot-symbols)
+              )
+  ;; :hook (
+  ;;        (eglot-managed-mode . (lambda ()
+  ;;                                (when (eglot-managed-p)
+  ;;                                  (corfu-mode +1)
+  ;;                                  )
+  ;;                                ))
+  ;;        )
+  :config
+  (fset #'jsonrpc--log-event #'ignore) ;; Disable logging LSP traffic for performance boost
+  (set-face-attribute 'eglot-highlight-symbol-face nil :background "#0291a1" :foreground "black")
+  (set-face-attribute 'eglot-mode-line nil :inherit 'mode-line :bold nil)
+
+
+  :custom
+  (eglot-autoshutdown t "Shut down server when last buffer is killed.")
+  (eglot-sync-connect 0 "Don't block on language server starting.")
+  (eglot-send-changes-idle-time 0.1)
+  )
+
+(use-package consult-eglot
+  :commands (consult-eglot-symbols)
+  )
+
+(use-package company
+  :after eglot
+  :hook (eglot-managed-mode . company-mode)
+  :config
+  (setq company-backends '((company-capf)))
+  (setq company-idle-delay 0) ;; Default 0.2
+  )
+
+;; (use-package company-box
+;;   :hook (company-mode . company-box-mode))
+
+(provide 'common-lsp)

nix/configuration/roles/emacs/files/emacs/elisp/lang-bash.el

@@ -0,0 +1,16 @@
+(require 'util-tree-sitter)
+
+(use-package bash-ts-mode
+  :ensure nil
+  :commands (bash-ts-mode)
+  :hook (
+         (bash-ts-mode . (lambda ()
+                           (flymake-mode +1)
+                           )))
+  :init
+  (add-to-list 'major-mode-remap-alist '(sh-mode . bash-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(bash "https://github.com/tree-sitter/tree-sitter-bash"))
+  (unless (treesit-ready-p 'bash) (treesit-install-language-grammar 'bash))
+  )
+
+(provide 'lang-bash)

nix/configuration/roles/emacs/files/emacs/elisp/lang-c.el

@@ -0,0 +1,49 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(defun locate-compile-commands-file ()
+  "See if compile_commands.json exists."
+  ;; This can be generated by prefixing the make command with `intercept-build15 --append`
+  (let ((compile-commands-file (locate-dominating-file (buffer-file-name) "compile_commands.json")))
+    compile-commands-file
+    )
+  )
+
+(defun activate-c-eglot ()
+  "Activate eglot for the c family of languages."
+  (when (locate-compile-commands-file)
+    (eglot-ensure)
+    (defclass my/eglot-c (eglot-lsp-server) ()
+      :documentation
+      "Own eglot server class.")
+
+    (add-to-list 'eglot-server-programs
+                 '(c-ts-mode . (my/eglot-c "/usr/local/bin/clangd15")))
+    (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+    )
+  )
+
+(use-package c-mode
+  :mode (
+         ("\\.c\\'" . c-ts-mode)
+         ("\\.h\\'" . c-or-c++-ts-mode)
+         )
+  :commands (c-mode c-ts-mode)
+  :pin manual
+  :ensure nil
+  :hook (
+         (c-ts-mode . (lambda ()
+                        (activate-c-eglot)
+                        ))
+         )
+  :init
+  (add-to-list 'major-mode-remap-alist '(c-mode . c-ts-mode))
+  (add-to-list 'major-mode-remap-alist '(c++-mode . c++-ts-mode))
+  (add-to-list 'major-mode-remap-alist '(c-or-c++-mode . c-or-c++-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(c "https://github.com/tree-sitter/tree-sitter-c"))
+  (add-to-list 'treesit-language-source-alist '(cpp "https://github.com/tree-sitter/tree-sitter-cpp"))
+  (unless (treesit-ready-p 'c) (treesit-install-language-grammar 'c))
+  (unless (treesit-ready-p 'cpp) (treesit-install-language-grammar 'cpp))
+  )
+
+(provide 'lang-c)

nix/configuration/roles/emacs/files/emacs/elisp/lang-cmake.el

@@ -0,0 +1,18 @@
+(require 'common-lsp)
+
+(use-package cmake-mode
+  :commands cmake-mode
+  :hook (
+         (cmake-mode . (lambda ()
+                         (eglot-ensure)
+                         (defclass my/eglot-cmake (eglot-lsp-server) ()
+                           :documentation
+                           "Own eglot server class.")
+
+                         (add-to-list 'eglot-server-programs
+                                      '(cmake-mode . (my/eglot-cmake "cmake-language-server")))
+                         ))
+         )
+  )
+
+(provide 'lang-cmake)

nix/configuration/roles/emacs/files/emacs/elisp/lang-dockerfile.el

@@ -0,0 +1,13 @@
+(use-package dockerfile-ts-mode
+  :pin manual
+  :mode (
+         ("Dockerfile\\'" . dockerfile-ts-mode)
+         )
+  :commands (dockerfile-mode dockerfile-ts-mode)
+  :init
+  (add-to-list 'major-mode-remap-alist '(dockerfile-mode . dockerfile-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(dockerfile "https://github.com/camdencheek/tree-sitter-dockerfile"))
+  (unless (treesit-ready-p 'dockerfile) (treesit-install-language-grammar 'dockerfile))
+  )
+
+(provide 'lang-dockerfile)

nix/configuration/roles/emacs/files/emacs/elisp/lang-go.el

@@ -0,0 +1,33 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package go-ts-mode
+  :pin manual
+  :mode (
+         ("\\.go\\'" . go-ts-mode)
+         ("/go\\.mod\\'" . go-mod-ts-mode)
+         )
+  :commands (go-ts-mode go-mod-ts-mode)
+  :hook (
+         (go-ts-mode . (lambda ()
+                         (when-linux
+                           (eglot-ensure)
+                           )
+                         ))
+
+         (go-mod-ts-mode . (lambda ()
+                         (when-linux
+                           (eglot-ensure)
+                           )
+                         ))
+
+         ;; (before-save . lsp-format-buffer)
+         )
+  :init
+  (add-to-list 'treesit-language-source-alist '(go "https://github.com/tree-sitter/tree-sitter-go"))
+  (add-to-list 'treesit-language-source-alist '(gomod "https://github.com/camdencheek/tree-sitter-go-mod"))
+  (unless (treesit-ready-p 'go) (treesit-install-language-grammar 'go))
+  (unless (treesit-ready-p 'gomod) (treesit-install-language-grammar 'gomod))
+  )
+
+(provide 'lang-go)

nix/configuration/roles/emacs/files/emacs/elisp/lang-javascript.el

@@ -0,0 +1,177 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package json-ts-mode
+  :ensure nil
+  :pin manual
+  :mode (
+         ("\\.json\\'" . json-ts-mode)
+         )
+  :commands (json-ts-mode)
+  :hook (
+         (json-ts-mode . (lambda ()
+                           (add-hook 'before-save-hook 'json-fmt-jq nil 'local)
+                           ))
+         )
+  :init
+  (add-to-list 'treesit-language-source-alist '(json "https://github.com/tree-sitter/tree-sitter-json"))
+  (unless (treesit-ready-p 'json) (treesit-install-language-grammar 'json))
+  )
+
+(defun json-fmt-jq ()
+  "Run jq."
+  (run-command-on-buffer "jq" "--monochrome-output" ".")
+  )
+
+(defun configure-typescript-language-server ()
+  "Configures the typescript language server."
+  (when-linux
+    ;; Either initializationOptions or workspace/didChangeConfiguration works.
+    (setq eglot-workspace-configuration
+          (list (cons ':typescript '(:inlayHints (:includeInlayParameterNameHints
+                                                  "all"
+                                                  :includeInlayParameterNameHintsWhenArgumentMatchesName
+                                                  t
+                                                  :includeInlayFunctionParameterTypeHints
+                                                  t
+                                                  :includeInlayVariableTypeHints
+                                                  t
+                                                  :includeInlayVariableTypeHintsWhenTypeMatchesName
+                                                  t
+                                                  :includeInlayPRopertyDeclarationTypeHints
+                                                  t
+                                                  :includeInlayFunctionLikeReturnTypeHints
+                                                  t
+                                                  :includeInlayEnumMemberValueHints
+                                                  t)))))
+    (eglot-ensure)
+    ;; (defclass my/eglot-typescript (eglot-lsp-server) ()
+    ;;   :documentation
+    ;;   "Own eglot server class.")
+
+    ;; (add-to-list 'eglot-server-programs
+    ;;              '((js-mode js-ts-mode tsx-ts-mode typescript-ts-mode typescript-mode) . (my/eglot-typescript "typescript-language-server" "--stdio" :initializationOptions (:preferences (:includeInlayParameterNameHints
+    ;;                                                                                                                                                                                        "all"
+    ;;                                                                                                                                                                                        :includeInlayParameterNameHintsWhenArgumentMatchesName
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayFunctionParameterTypeHints
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayVariableTypeHints
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayVariableTypeHintsWhenTypeMatchesName
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayPRopertyDeclarationTypeHints
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayFunctionLikeReturnTypeHints
+    ;;                                                                                                                                                                                        t
+    ;;                                                                                                                                                                                        :includeInlayEnumMemberValueHints
+    ;;                                                                                                                                                                                        t)))))
+    )
+  )
+
+(use-package tsx-ts-mode
+  :ensure nil
+  :pin manual
+  :mode (
+         ("\\.tsx\\'" . tsx-ts-mode)
+         )
+  :commands (tsx-ts-mode)
+  :hook (
+         (tsx-ts-mode . (lambda ()
+                          (when-linux
+                            (configure-typescript-language-server)
+                            )
+                          ))
+         )
+  :init
+  (add-to-list 'treesit-language-source-alist '(tsx . ("https://github.com/tree-sitter/tree-sitter-typescript" "master" "tsx/src")))
+  (unless (treesit-ready-p 'tsx) (treesit-install-language-grammar 'tsx))
+  )
+
+
+(use-package typescript-ts-mode
+  :ensure nil
+  :pin manual
+  :mode (
+         ("\\.ts\\'" . typescript-ts-mode)
+         )
+  :commands (typescript-ts-mode)
+  :hook (
+         (typescript-ts-mode . (lambda ()
+                                 (configure-typescript-language-server)
+                                 ))
+         )
+  :init
+  (add-to-list 'treesit-language-source-alist '(typescript . ("https://github.com/tree-sitter/tree-sitter-typescript" "master" "typescript/src")))
+  (unless (treesit-ready-p 'typescript) (treesit-install-language-grammar 'typescript))
+  )
+
+(use-package js-ts-mode
+  :ensure nil
+  :pin manual
+  :mode (
+         ("\\.js\\'" . js-ts-mode)
+         )
+  :commands (js-ts-mode)
+  :hook (
+         (js-ts-mode . (lambda ()
+                                 (when-linux
+                                   (eglot-ensure)
+                                   )
+                                 ))
+         )
+  :init
+  (add-to-list 'treesit-language-source-alist '(javascript . ("https://github.com/tree-sitter/tree-sitter-javascript" "master" "src")))
+  (unless (treesit-ready-p 'javascript) (treesit-install-language-grammar 'javascript))
+  )
+
+(defun prettier-fmt ()
+  "Run prettier."
+  (run-command-on-buffer "prettier" "--stdin-filepath" buffer-file-name)
+  )
+
+
+(use-package css-ts-mode
+  :ensure nil
+  :pin manual
+  :mode (
+         ("\\.css\\'" . css-ts-mode)
+         )
+  :commands (css-ts-mode)
+  :custom (css-indent-offset 2)
+  :init
+  (add-to-list 'treesit-language-source-alist '(css "https://github.com/tree-sitter/tree-sitter-css"))
+  (unless (treesit-ready-p 'css) (treesit-install-language-grammar 'css))
+  :hook (
+         (css-ts-mode . (lambda ()
+                             (eglot-ensure)
+                             (defclass my/eglot-css (eglot-lsp-server) ()
+                               :documentation
+                               "Own eglot server class.")
+
+                             (add-to-list 'eglot-server-programs
+                                          '(css-ts-mode . (my/eglot-css "vscode-css-language-server" "--stdio")))
+                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             (add-hook 'before-save-hook 'prettier-fmt nil 'local)
+                             ))
+         )
+  )
+
+
+(use-package web-mode
+  :mode (("\\.dust\\'" . dust-mode)
+         )
+  :config
+  (setq web-mode-markup-indent-offset 2)
+  (setq web-mode-enable-current-element-highlight t)
+  )
+
+;; Define a custom mode for dust so that org-mode handle #+BEGIN_SRC dust blocks
+(define-derived-mode dust-mode web-mode "WebDust"
+  "Major mode for editing dust templates in web-mode."
+  (web-mode)
+  (web-mode-set-engine "dust")
+  ;; (setq web-mode-content-type "html")
+  )
+
+(provide 'lang-javascript)

nix/configuration/roles/emacs/files/emacs/elisp/lang-lua.el

@@ -0,0 +1,21 @@
+(defun lua-format-buffer ()
+  "Run stylua."
+  (interactive)
+  (run-command-on-buffer "stylua" "--search-parent-directories" "--stdin-filepath" buffer-file-name "-")
+  )
+
+(use-package lua-mode
+  :mode
+  (("\\.lua\\'" . lua-mode)
+   ("\\.rockspec\\'" . lua-mode))
+  :commands lua-mode
+  :hook (
+         (lua-mode . (lambda ()
+                        (add-hook 'before-save-hook 'lua-format-buffer nil 'local)
+                        ))
+         )
+  :custom
+  (lua-indent-level 4)
+  )
+
+(provide 'lang-lua)

nix/configuration/roles/emacs/files/emacs/elisp/lang-markdown.el

@@ -0,0 +1,14 @@
+(use-package markdown-mode
+  :ensure t
+  :commands (markdown-mode gfm-mode)
+  :mode (("README\\.md\\'" . gfm-mode)
+         ("\\.md\\'" . markdown-mode)
+         ("\\.markdown\\'" . markdown-mode))
+  :init (setq markdown-command "multimarkdown"))
+
+;; For code block editing
+(use-package edit-indirect
+  :commands (edit-indirect-region edit-indirect-save edit-indirect-abort edit-indirect-commit edit-indirect-display-active-buffer)
+  )
+
+(provide 'lang-markdown)

nix/configuration/roles/emacs/files/emacs/elisp/lang-nix.el

@@ -0,0 +1,22 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(use-package nix-mode
+  :mode (("\\.nix\\'" . nix-mode)
+         )
+  :commands nix-mode
+  :hook (
+         (nix-mode . (lambda ()
+                       (eglot-ensure)
+                       (defclass my/eglot-nix (eglot-lsp-server) ()
+                         :documentation
+                         "Own eglot server class.")
+
+                       (add-to-list 'eglot-server-programs
+                                    '(nix-mode . (my/eglot-nix "nixd")))
+                       (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                       ))
+         )
+  )
+
+(provide 'lang-nix)

nix/configuration/roles/emacs/files/emacs/elisp/lang-org.el

@@ -0,0 +1,90 @@
+(use-package org
+  :ensure nil
+  :commands org-mode
+  :bind (:map org-mode-map
+         ("C-c l" . org-store-link)
+         ("C-c a" . org-agenda)
+         ("S-<up>" . org-shiftup)
+         ("S-<right>" . org-shiftright)
+         ("S-<down>" . org-shiftdown)
+         ("S-<left>" . org-shiftleft)
+         )
+  :hook (
+         (org-mode . (lambda ()
+                       (org-indent-mode +1)
+                       ))
+         ;; Make windmove work in Org mode:
+         (org-shiftup-final . windmove-up)
+         (org-shiftleft-final . windmove-left)
+         (org-shiftdown-final . windmove-down)
+         (org-shiftright-final . windmove-right)
+         )
+  :config
+  (require 'org-tempo)
+  (setq org-export-latex-listings t)
+  (setq org-startup-truncated nil)
+  (setq org-startup-folded nil)
+  (setq org-src-fontify-natively t
+        org-src-tab-acts-natively t
+        org-confirm-babel-evaluate nil
+        )
+
+  ;; Show the full source of org-mode links instead of condensing them. I.E. render "[[foo]]" instead of "foo"
+  (setq org-descriptive-links nil)
+
+  ;; Only interpret _ and ^ and sub and superscripts if they're of the form _{subscript} and ^{superscript}
+  (setq org-export-with-sub-superscripts '{})
+  ;; Don't include a "validate" link at the bottom of html export
+  (setq org-html-validation-link nil)
+
+
+  (setq org-latex-listings 'minted)
+  (setq org-latex-minted-options '(("breaklines" "true")
+                                   ("breakanywhere" "true")
+                                   ("bgcolor" "mintedbg") ("frame" "single") ("framesep" "6pt") ("fontsize" "\\footnotesize")))
+
+  ;; TODO: There is an option to set the compiler, could be better than manually doing this here https://orgmode.org/manual/LaTeX_002fPDF-export-commands.html
+  ;; (setq org-latex-compiler "lualatex")
+  ;; TODO: nixos latex page recommends this line, figure out what it does / why its needed:
+  ;; (setq org-preview-latex-default-process 'dvisvgm)
+  (setq org-latex-pdf-process
+        '("lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
+          "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"
+          "lualatex -shell-escape -interaction nonstopmode -output-directory %o %f"))
+  (add-to-list 'org-latex-packages-alist '("cache=false" "minted"))
+  (add-to-list 'org-latex-packages-alist '("" "svg"))
+  (add-to-list 'org-latex-packages-alist '("margin=2cm" "geometry" nil))
+
+  (add-to-list 'org-src-lang-modes '("dot" . "graphviz-dot"))
+
+  (org-babel-do-load-languages 'org-babel-load-languages
+                               '((shell      . t)
+                                 (js         . t)
+                                 (emacs-lisp . t)
+                                 (python     . t)
+                                 (dot        . t)
+                                 (css        . t)
+                                 (gnuplot    . t)
+                                 (sqlite     . t)
+                                 ))
+
+  (require 'color)
+
+  (let ((bg (face-attribute 'default :background)))
+    (custom-set-faces
+     `(org-block ((t (:inherit default :background ,(color-lighten-name bg 15) :extend ,t))))
+     `(org-block-begin-line ((t (:inherit default :background ,"#472300" :extend ,t))))
+     `(org-block-end-line ((t (:inherit default :background ,"#472300" :extend ,t))))
+     ))
+  )
+
+(use-package org-bullets
+  :commands org-bullets-mode
+  :hook (org-mode . org-bullets-mode)
+  )
+
+(use-package gnuplot-mode)
+(use-package gnuplot)
+(use-package graphviz-dot-mode)
+
+(provide 'lang-org)

nix/configuration/roles/emacs/files/emacs/elisp/lang-python.el

@@ -0,0 +1,92 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(defun python-backspace (arg)
+  "Special handling of python backspace."
+  (interactive "*p")
+  (if mark-active
+      (backward-delete-char-untabify arg)
+    (python-indent-dedent-line-backspace arg)
+    )
+  )
+
+(defun locate-venv-poetry ()
+  "Find a poetry venv."
+  (run-command-in-directory nil "poetry" "env" "info" "-p")
+  )
+
+(defun locate-pyproject-directory ()
+  "Adapt lsp-python-ms for poetry."
+  (let ((pypoetry-file (locate-dominating-file (buffer-file-name) "pyproject.toml")))
+    pypoetry-file
+    )
+  )
+
+
+(defun python-fmt ()
+  "format python."
+  (python-fmt-black)
+  (python-fmt-isort)
+  )
+
+(defun python-fmt-black ()
+  "Run black."
+  (run-command-on-buffer "black" "--quiet" "--fast" "-")
+  )
+
+(defun python-fmt-isort ()
+  "Run isort."
+  (run-command-on-buffer "isort" "-")
+  )
+
+(defun add-poetry-venv-to-path ()
+  "Add the bin folder in the poetry venv to exec-path."
+  (let (
+        (venv-path (locate-venv-poetry))
+        )
+    (when venv-path
+      (make-local-variable 'exec-path)
+      (add-to-list 'exec-path (concat venv-path "/bin"))
+      )
+    )
+  )
+
+(use-package python
+  :mode ("\\.py\\'" . python-ts-mode)
+  :commands (python-mode python-ts-mode)
+  :pin manual
+  :hook (
+         (python-ts-mode . (lambda ()
+                             (when-linux
+                               (when (executable-find "poetry")
+                                 (add-poetry-venv-to-path)
+                                 (let ((venv (locate-venv-poetry))) (when venv
+                                                                      (setq eglot-workspace-configuration
+                                                                            (list (cons ':python (list ':venvPath venv ':pythonPath (concat venv "/bin/python")))))
+                                                                      ))
+                                 )
+                               (eglot-ensure)
+                               )
+
+                             ;; (when-freebsd
+                             ;;   (eglot-ensure)
+                             ;;   (defclass my/eglot-pylyzer (eglot-lsp-server) ()
+                             ;;     :documentation
+                             ;;     "Own eglot server class.")
+
+                             ;;   (add-to-list 'eglot-server-programs
+                             ;;                '(python-ts-mode . (my/eglot-pylyzer "pylyzer" "--server")))
+                             ;;   )
+
+                             (add-hook 'before-save-hook 'python-fmt nil 'local)
+                             ))
+         )
+  :bind ((:map python-ts-mode-map ([backspace] . python-backspace))
+         )
+  :init
+  (add-to-list 'major-mode-remap-alist '(python-mode . python-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(python "https://github.com/tree-sitter/tree-sitter-python"))
+  (unless (treesit-ready-p 'python) (treesit-install-language-grammar 'python))
+  )
+
+(provide 'lang-python)

nix/configuration/roles/emacs/files/emacs/elisp/lang-rust.el

@@ -0,0 +1,92 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(defun locate-rust-analyzer ()
+  "Find rust-analyzer."
+  (let ((rust-analyzer-paths (list (locate-rust-analyzer-rustup) (locate-rust-analyzer-ansible-built) (locate-rust-analyzer-in-path))))
+    (let ((first-non-nil-path (seq-find (lambda (elt) elt) rust-analyzer-paths)))
+      first-non-nil-path
+      )
+    )
+  )
+
+(defun locate-rust-analyzer-rustup ()
+  "Find rust-analyzer through rustup."
+  (run-command-in-directory nil "rustup" "which" "rust-analyzer")
+  )
+
+(defun locate-rust-analyzer-ansible-built ()
+  "Find rust-analyzer where the ansible playbook built it."
+  (let ((rust-analyzer-path "/opt/rust-analyzer/target/release/rust-analyzer"))
+    (when (file-exists-p rust-analyzer-path)
+      rust-analyzer-path
+      )
+    )
+  )
+
+(defun locate-rust-analyzer-in-path ()
+  "Find rust-analyzer in $PATH."
+  (executable-find "rust-analyzer")
+  )
+
+(use-package rust-ts-mode
+  :pin manual
+  :mode (
+         ("\\.rs\\'" . rust-ts-mode)
+         )
+  :commands (rust-ts-mode)
+  :hook (
+         (rust-ts-mode . (lambda ()
+                           (eglot-ensure)
+                           ;; Disable on-type formatting which was incorrectly injecting parenthesis into my code.
+                           (make-local-variable 'eglot-ignored-server-capabilities)
+                           (add-to-list 'eglot-ignored-server-capabilities :documentOnTypeFormattingProvider)
+                           ;; Configure initialization options
+                           (let ((rust-analyzer-command (locate-rust-analyzer)))
+                             (when rust-analyzer-command
+                               ;; (add-to-list 'eglot-server-programs `(rust-ts-mode . (,rust-analyzer-command)))
+                               (add-to-list 'eglot-server-programs `(rust-ts-mode . (,rust-analyzer-command :initializationOptions (:imports (:granularity (:enforce t :group "item")
+                                                                                                                                                           :merge (:glob nil)
+                                                                                                                                                           :prefix "self")
+                                                                                                                                             ))))
+                               )
+                             )
+                           (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                           ))
+         )
+  :init
+  (add-to-list 'major-mode-remap-alist '(rust-mode . rust-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(rust "https://github.com/tree-sitter/tree-sitter-rust"))
+  (unless (treesit-ready-p 'rust) (treesit-install-language-grammar 'rust))
+  :config
+  ;; Add keybindings for interacting with Cargo
+  ;; (use-package cargo
+  ;;   :hook (rust-ts-mode . cargo-minor-mode))
+  )
+
+(use-package toml-ts-mode
+  :ensure nil
+  :pin manual
+  :mode (
+         ("\\.toml\\'" . toml-ts-mode)
+         )
+  :commands (toml-ts-mode)
+  :init
+  (add-to-list 'treesit-language-source-alist '(toml "https://github.com/tree-sitter/tree-sitter-toml"))
+  (unless (treesit-ready-p 'toml) (treesit-install-language-grammar 'toml))
+  )
+
+;; Set additional rust-analyzer settings:
+;;
+;; (add-to-list 'eglot-server-programs `(rust-ts-mode . (,rust-analyzer-command :initializationOptions (:cargo (:features "all")))))
+;;
+;; In addition to the above, directory-specific settings can be written to a .dir-locals.el with the contents:
+;;
+;; (
+;;  (rust-ts-mode . ((eglot-workspace-configuration
+;;                    . (:rust-analyzer (:cargo (:noDefaultFeatures t :features ["compare" "tracing"]))))
+;;                   ))
+;;  )
+
+
+(provide 'lang-rust)

nix/configuration/roles/emacs/files/emacs/elisp/lang-terraform.el

@@ -0,0 +1,38 @@
+(require 'common-lsp)
+(require 'util-tree-sitter)
+
+(defun terraform-fmt ()
+  "Run terraform fmt."
+  (run-command-on-buffer "terraform" "fmt" "-")
+  )
+
+
+(use-package hcl-mode
+  :mode (("\\.hcl\\'" . hcl-mode))
+  :commands hcl-mode
+  :custom (hcl-indent-level 2)
+  :hook (
+         (hcl-mode . (lambda () (unless (derived-mode-p 'terraform-mode) (add-hook 'before-save-hook 'terraform-fmt nil 'local))))
+         )
+  )
+
+(use-package terraform-mode
+  :mode (("\\.tf\\'" . terraform-mode)
+         ("\\.tfvars\\'" . terraform-mode))
+  :commands terraform-mode
+  :custom (terraform-indent-level 2)
+  :hook (
+         (terraform-mode . (lambda ()
+                             (eglot-ensure)
+                             (defclass my/eglot-terraform (eglot-lsp-server) ()
+                               :documentation
+                               "Own eglot server class.")
+
+                             (add-to-list 'eglot-server-programs
+                                          '(terraform-mode . (my/eglot-terraform "terraform-ls" "serve")))
+                             (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                             ))
+         )
+  )
+
+(provide 'lang-terraform)

nix/configuration/roles/emacs/files/emacs/elisp/lang-xml.el

@@ -0,0 +1,17 @@
+(defun xml-fmt ()
+  "Run xmllint --format."
+  (run-command-on-buffer "xmllint" "--format" "-")
+  )
+
+(use-package nxml-mode
+  :commands (nxml-mode)
+  :pin manual
+  :ensure nil
+  :hook (
+         (nxml-mode . (lambda ()
+                        (add-hook 'before-save-hook 'xml-fmt nil 'local)
+                        ))
+         )
+  )
+
+(provide 'lang-xml)

nix/configuration/roles/emacs/files/emacs/elisp/lang-yaml.el

@@ -0,0 +1,27 @@
+(defun yaml-format-buffer ()
+  "Run prettier."
+  (interactive)
+  (run-command-on-buffer "prettier" "--stdin-filepath" buffer-file-name)
+  )
+
+(use-package yaml-ts-mode
+  :mode
+  (
+   ("\\.y[a]?ml\\'" . yaml-ts-mode)
+   ("playbook\\.tmp\\'" . yaml-ts-mode)
+   ("environments/[^/]*/group_vars/[^/]*\\'" . yaml-ts-mode)
+   ("environments/[^/]*/host_vars/[^/]*\\'" . yaml-ts-mode)
+   )
+  :commands (yaml-ts-mode)
+  :hook (
+         (yaml-ts-mode . (lambda ()
+                        (add-hook 'before-save-hook 'yaml-format-buffer nil 'local)
+                        ))
+         )
+  :init
+  (add-to-list 'major-mode-remap-alist '(yaml-mode . yaml-ts-mode))
+  (add-to-list 'treesit-language-source-alist '(yaml "https://github.com/ikatyang/tree-sitter-yaml"))
+  (unless (treesit-ready-p 'yaml) (treesit-install-language-grammar 'yaml))
+  )
+
+(provide 'lang-yaml)

nix/configuration/roles/emacs/files/emacs/elisp/util-flymake.el

@@ -0,0 +1,10 @@
+(use-package flymake
+  :pin manual
+  :ensure nil
+  :commands (flymake-mode)
+  :config
+  ;; Set the text before the brackets for flymake's modeline output to an empty string to make it less verbose.
+  (setq flymake-mode-line-lighter "")
+  )
+
+(provide 'util-flymake)

nix/configuration/roles/emacs/files/emacs/elisp/util-tree-sitter.el

@@ -0,0 +1,16 @@
+(use-package treesit
+  :pin manual
+  :ensure nil
+  :commands (treesit-install-language-grammar treesit-ready-p)
+  :init
+  (setq treesit-language-source-alist '())
+  :config
+  ;; Default to the max level of detail in treesitter highlighting. This
+  ;; can be overridden in each language's use-package call with:
+  ;;
+  ;;   :custom
+  ;;   (treesit-font-lock-level 3)
+  (setq treesit-font-lock-level 4)
+  )
+
+(provide 'util-tree-sitter)

nix/configuration/roles/emacs/files/emacs/elisp/util-vertico.el

@@ -0,0 +1,61 @@
+(defun my/minibuffer-delete (arg)
+  "When looking for files, go up an entire directory with the backspace button if theres no text after the directory."
+  (interactive "p")
+  (if minibuffer-completing-file-name
+      (if (string-match-p ".*/$" (minibuffer-contents))
+          (vertico-directory-delete-word arg)
+        (vertico-directory-delete-char arg))
+      (delete-backward-char arg)))
+
+(use-package vertico
+  :config
+  (vertico-mode)
+  (vertico-mouse-mode)
+
+  ;; Remove prefix when switching to tilde or root ("/")
+  (setq file-name-shadow-properties '(invisible t intangible t))
+  (file-name-shadow-mode +1)
+
+  (set-face-attribute 'vertico-current nil :inherit nil :background "#383b01")
+  :custom
+  (vertico-count 20)
+  )
+
+;; Create an ido/ivy-like experience when selecting files.
+(use-package vertico-directory
+  :after vertico
+  :ensure nil
+  :bind ( :map vertico-map
+          ("RET" . vertico-directory-enter)
+          :map minibuffer-local-map
+          ("DEL" . my/minibuffer-delete)
+          )
+  )
+
+(use-package consult
+  :custom
+  (completion-in-region-function #'consult-completion-in-region)
+  (xref-show-xrefs-function #'consult-xref)
+  (xref-show-definitions-function #'consult-xref)
+  (consult-project-root-function #'deadgrep--project-root)
+  :bind (
+         ("C-. s" . consult-ripgrep)
+         ("C-s" . consult-line)
+         ("M-g g" . consult-goto-line)
+         ("C-. e" . consult-flymake)
+         )
+  )
+
+;; (use-package corfu
+;;   :commands (corfu-mode global-corfu-mode)
+;;   :custom
+;;   (corfu-auto t)
+;;   )
+
+(use-package marginalia
+  :config (marginalia-mode))
+
+(use-package orderless
+  :custom (completion-styles '(orderless)))
+
+(provide 'util-vertico)

nix/configuration/roles/emacs/files/emacs/init.el

@@ -0,0 +1,43 @@
+(add-to-list 'load-path (concat user-emacs-directory "elisp"))
+
+(require 'base)
+(require 'base-theme)
+(require 'base-extensions)
+(require 'base-functions)
+(require 'base-global-keys)
+
+(require 'util-vertico)
+
+(require 'util-flymake)
+
+(require 'lang-python)
+
+(require 'lang-javascript)
+
+(require 'lang-rust)
+
+(require 'lang-yaml)
+
+(require 'lang-org)
+
+(require 'lang-bash)
+
+(require 'lang-markdown)
+
+(require 'lang-lua)
+
+(require 'lang-terraform)
+
+(require 'lang-go)
+
+(require 'lang-dockerfile)
+
+(require 'lang-c)
+
+(require 'lang-xml)
+
+(require 'lang-nix)
+
+(require 'lang-cmake)
+
+(load-directory autoload-directory)

nix/configuration/roles/firefox/default.nix

@@ -0,0 +1,136 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    firefox.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install firefox.";
+    };
+  };
+
+  config = lib.mkIf config.me.firefox.enable (
+    lib.mkMerge [
+      (lib.mkIf config.me.graphical {
+        programs.firefox = {
+          enable = true;
+          package = (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true; }) { });
+          languagePacks = [ "en-US" ];
+          preferences = {
+            # "identity.sync.tokenserver.uri": "https://ffsync.fizz.buzz/token/1.0/sync/1.5";
+            "media.hardware-video-decoding.force-enabled" = true;
+            "media.ffmpeg.vaapi.enabled" = true;
+            "doh-rollout.doorhanger-decision" = "UIDisabled";
+            "dom.security.https_only_mode" = true;
+            "dom.security.https_only_mode_ever_enabled" = true;
+            "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
+            # Disable ads
+            "extensions.pocket.enabled" = false;
+            "browser.newtabpage.activity-stream.showSponsored" = false;
+            "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+            "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
+            "browser.newtabpage.pinned" = "[]";
+            "browser.newtabpage.activity-stream.section.highlights.includePocket" = false;
+            "browser.topsites.contile.enabled" = false;
+            # Disable cache when devtools are open.
+            "devtools.cache.disabled" = true;
+            # Do not track header.
+            "privacy.donottrackheader.enabled" = true;
+            # Tell websites not to share or sell my data.
+            "privacy.globalprivacycontrol.enabled" = true;
+            # Disable "studies" (slice testing)
+            "app.shield.optoutstudies.enabled" = false;
+            # Disable attribution which is used by advertisers to track you.
+            "dom.private-attribution.submission.enabled" = false;
+            # Disable battery status, used to track users.
+            "dom.battery.enabled" = false;
+
+            # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
+            #
+            # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
+            # dom.event.clipboardevents.enabled: false
+
+            # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
+            "privacy.firstparty.isolate" = true;
+            # Do not preload URLs that auto-complete in the address bar.
+            "browser.urlbar.speculativeConnect.enabled" = false;
+            # Do not resist fingerprinting because that tells websites to use light mode.
+            # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114
+            "privacy.resistFingerprinting" = false; # (default false)
+            # Instead, enable fingerprinting protection, which allows configuring an override.
+            "privacy.fingerprintingProtection" = true;
+            # Allow sending dark mode preference to websites.
+            # Allow sending timezone to websites.
+            "privacy.fingerprintingProtection.overrides" =
+              "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked";
+            # Disable weather on new tab page
+            "browser.newtabpage.activity-stream.showWeather" = false;
+          };
+          # Check about:policies#documentation and https://mozilla.github.io/policy-templates/ for options.
+          policies = {
+            DisableTelemetry = true;
+            DisplayBookmarksToolbar = "newtab";
+
+            # Check about:support for extension/add-on ID strings.
+            # Valid strings for installation_mode are "allowed", "blocked",
+            # "force_installed" and "normal_installed".
+            ExtensionSettings = {
+              # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+              "uBlock0@raymondhill.net" = {
+                install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+                installation_mode = "force_installed";
+              };
+              # "firefox@teleparty.com" = {
+              #   install_url = "https://addons.mozilla.org/firefox/downloads/latest/netflix-party-is-now-teleparty/latest.xpi";
+              #   installation_mode = "normal_installed";
+              # };
+              "@ublacklist" = {
+                install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublacklist/latest.xpi";
+                installation_mode = "normal_installed";
+              };
+              "@react-devtools" = {
+                install_url = "https://addons.mozilla.org/firefox/downloads/latest/react-devtools/latest.xpi";
+                installation_mode = "normal_installed";
+              };
+            };
+          };
+        };
+
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".mozilla";
+                user = "talexander";
+                group = "talexander";
+                mode = "0700";
+              }
+            ];
+          };
+        };
+        environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) {
+          hideMounts = true;
+          users.talexander = {
+            directories = [
+              {
+                directory = ".cache/mozilla";
+                user = "talexander";
+                group = "talexander";
+                mode = "0700";
+              }
+            ];
+          };
+        };
+      })
+    ]
+  );
+}