Remove home manager from the steam deck.

Clean up steam deck config.
Update packages on steam deck.
2026-02-08 01:22:56 -05:00 · 2026-02-08 01:22:56 -05:00 · 2026-02-08 01:22:56 -05:00 · 2026-02-08 01:22:55 -05:00 · 2026-02-06 11:28:45 -05:00 · 2026-02-06 11:28:45 -05:00
489 changed files with 55582 additions and 1 deletions
--- a/ansible/roles/base/files/gitconfig_home
+++ b/ansible/roles/base/files/gitconfig_home
@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
--- a/ansible/roles/base/files/gitconfig_work
+++ b/ansible/roles/base/files/gitconfig_work
@ -8,6 +8,7 @@
 	lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
 	bh = log --oneline --branches=* --remotes=* --graph --decorate
 	amend = commit --amend --no-edit
+	authorcount = shortlog --summary --numbered --all --no-merges
 [core]
 	excludesfile = ~/.gitignore_global
 [commit]
--- a/ansible/roles/sftp/tasks/common.yaml
+++ b/ansible/roles/sftp/tasks/common.yaml
@ -64,6 +64,23 @@
 #     force: true
 #   diff: false

+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0700
+    owner: nochainstounlock
+    group: nochainstounlock
+  loop:
+    - /home/nochainstounlock/.ssh
+
+- name: Set authorized keys
+  authorized_key:
+    user: nochainstounlock
+    key: |
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrjXsXjtxEm47XnRZfo67kJULoc0NBLrB0lPYFiS2Ar kodi@neelix
+    exclusive: true
+
 - import_tasks: tasks/freebsd.yaml
  when: 'os_flavor == "freebsd"'

--- a/ansible/roles/sshd/files/keys/yubikey.pub
+++ b/ansible/roles/sshd/files/keys/yubikey.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky cardno:000611194908
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8
--- a/nix/configuration/.gitignore
+++ b/nix/configuration/.gitignore
@ -0,0 +1 @@
+result
--- a/nix/configuration/README.org
+++ b/nix/configuration/README.org
@ -0,0 +1,12 @@
+* To-do
+** Perhaps use overlay for /etc for speedup
+#+begin_src nix
+  system.etc.overlay.enable = true;
+#+end_src
+** read https://nixos.org/manual/nixos/stable/
+** Performance for mini pc
+#+begin_src nix
+  security.pam.loginLimits = [
+    { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
+  ];
+#+end_src
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@ -0,0 +1,271 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+{
+  imports = [
+    ./roles/2ship2harkinian
+    ./roles/alacritty
+    ./roles/amd_s2idle
+    ./roles/ansible
+    ./roles/ares
+    ./roles/base
+    ./roles/bluetooth
+    ./roles/boot
+    ./roles/build_in_ram
+    ./roles/chromecast
+    ./roles/chromium
+    ./roles/d2
+    ./roles/direnv
+    ./roles/disko
+    ./roles/distributed_build
+    ./roles/doas
+    ./roles/docker
+    ./roles/dont_use_substituters
+    ./roles/ecc
+    ./roles/emacs
+    ./roles/emulate_isa
+    ./roles/firefox
+    ./roles/firewall
+    ./roles/flux
+    ./roles/fonts
+    ./roles/gcloud
+    ./roles/git
+    ./roles/global_options
+    ./roles/gnome_keyring
+    ./roles/gnuplot
+    ./roles/gpg
+    ./roles/graphics
+    ./roles/hydra
+    ./roles/image_based_appliance
+    ./roles/iso
+    ./roles/iso_mount
+    ./roles/jujutsu
+    ./roles/kanshi
+    ./roles/kodi
+    ./roles/kubernetes
+    ./roles/latex
+    ./roles/launch_keyboard
+    ./roles/lvfs
+    ./roles/media
+    ./roles/memtest86
+    ./roles/minimal_base
+    ./roles/network
+    ./roles/nix_index
+    ./roles/nix_repl
+    ./roles/nix_worker
+    ./roles/nixdev
+    ./roles/nvme
+    ./roles/openpgp_card_tools
+    ./roles/optimized_build
+    ./roles/pcsx2
+    ./roles/podman
+    ./roles/postgresql_client
+    ./roles/python
+    ./roles/qemu
+    ./roles/recovery
+    ./roles/reset
+    ./roles/rpcs3
+    ./roles/rust
+    ./roles/sequoia
+    ./roles/shadps4
+    ./roles/shikane
+    ./roles/shipwright
+    ./roles/sm64ex
+    ./roles/sops
+    ./roles/sound
+    ./roles/spaghettikart
+    ./roles/ssh
+    ./roles/sshd
+    ./roles/steam
+    ./roles/steam_run_free
+    ./roles/sway
+    ./roles/tekton
+    ./roles/terraform
+    ./roles/thunderbolt
+    ./roles/user
+    ./roles/uutils
+    ./roles/vnc_client
+    ./roles/vscode
+    ./roles/wasm
+    ./roles/waybar
+    ./roles/wine
+    ./roles/wireguard
+    ./roles/yubikey
+    ./roles/zfs
+    ./roles/zrepl
+    ./roles/zsh
+    ./util/install_files
+    ./util/unfree_polyfill
+  ];
+
+  config = {
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "ca-derivations"
+      # "blake3-hashes"
+      # "git-hashing"
+    ];
+    nix.settings.trusted-users = [ "@wheel" ];
+    nix.settings.connect-timeout = 5;
+    nix.settings.min-free = 128000000;
+    nix.settings.max-free = 1000000000;
+    nix.settings.fallback = true;
+    nix.settings.warn-dirty = false;
+
+    hardware.enableRedistributableFirmware = true;
+
+    # Keep outputs so we can build offline.
+    nix.settings.keep-outputs = true;
+    nix.settings.keep-derivations = true;
+
+    # Automatic garbage collection
+    nix.gc = lib.mkIf (!config.me.buildingPortable) {
+      # Runs nix-collect-garbage --delete-older-than 5d
+      automatic = true;
+      persistent = true;
+      dates = "monthly";
+      # randomizedDelaySec = "14m";
+      options = "--delete-older-than 30d";
+    };
+    nix.settings.auto-optimise-store = !config.me.buildingPortable;
+
+    environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+      hideMounts = true;
+      directories = [
+        "/var/lib/nixos" # Contains user information (uids/gids)
+        "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
+        "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
+      ];
+      files = [
+        "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
+      ];
+    };
+
+    # Write a list of the currently installed packages to /etc/current-system-packages
+    # environment.etc."current-system-packages".text =
+    #   let
+    #     packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
+    #     sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+    #     formatted = builtins.concatStringsSep "\n" sortedUnique;
+    #   in
+    #   formatted;
+
+    # nixpkgs.overlays = [
+    #   (final: prev: {
+    #     foot = throw "foo";
+    #   })
+    # ];
+
+    nixpkgs.overlays =
+      let
+        disableTests = (
+          package_name:
+          (final: prev: {
+            "${package_name}" = prev."${package_name}".overrideAttrs (old: {
+              doCheck = false;
+              doInstallCheck = false;
+            });
+          })
+        );
+        disablePythonTests = (
+          package_name:
+          (final: prev: {
+            pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+              (python-final: python-prev: {
+                "${package_name}" = python-prev."${package_name}".overridePythonAttrs (oldAttrs: {
+                  doCheck = false;
+                });
+              })
+            ];
+          })
+        );
+      in
+      [
+        # (final: prev: {
+        #   imagemagick = prev.imagemagick.overrideAttrs (old: rec {
+        #     # 7.1.2-6 seems to no longer exist, so use 7.1.2-7
+        #     version = "7.1.2-7";
+
+        #     src = final.fetchFromGitHub {
+        #       owner = "ImageMagick";
+        #       repo = "ImageMagick";
+        #       tag = version;
+        #       hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
+        #     };
+        #   });
+        # })
+        # (final: prev: {
+        #   grub2 = (final.callPackage ./package/grub { });
+        # })
+        (disableTests "coreutils")
+        (disableTests "coreutils-full")
+        (disableTests "libuv")
+        (final: prev: {
+          inherit (final.unoptimized) libtpms libjxl;
+        })
+        (final: prev: {
+          slurp = prev.slurp.overrideAttrs (old: {
+            version = "1.5.0";
+            src = final.fetchFromGitHub {
+              owner = "emersion";
+              repo = "slurp";
+              rev = "v1.5.0";
+              hash = "sha256-2M8f3kN6tihwKlUCp2Qowv5xD6Ufb71AURXqwQShlXI=";
+            };
+          });
+        })
+        # Works but probably sets python2's scipy to be python3:
+        #
+        # (final: prev: {
+        #   pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+        #     (python-final: python-prev: {
+        #       scipy = final.unoptimized.python3Packages.scipy;
+        #     })
+        #   ];
+        # })
+
+        # Does not work:
+        #
+        # (final: prev: {
+        #   python3 = prev.python3.override {
+        #     packageOverrides = python-final: python-prev: {
+        #       scipy = final.unoptimized.python3.pkgs.scipy;
+        #     };
+        #   };
+        # })
+
+        # Maybe works?:
+        #
+        (final: prev: {
+          python3Packages = prev.python3Packages.override {
+            overrides = python-final: python-prev: {
+              scipy = final.unoptimized.python3.pkgs.scipy;
+            };
+          };
+        })
+      ];
+
+    # This option defines the first version of NixOS you have installed on this particular machine,
+    # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+    #
+    # Most users should NEVER change this value after the initial install, for any reason,
+    # even if you've upgraded your system to a new NixOS release.
+    #
+    # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+    # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+    # to actually do that.
+    #
+    # This value being lower than the current NixOS release does NOT mean your system is
+    # out of date, out of support, or vulnerable.
+    #
+    # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+    # and migrated your data accordingly.
+    #
+    # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+    system.stateVersion = "24.11"; # Did you read the comment?
+  };
+}
--- a/nix/configuration/flake.lock
+++ b/nix/configuration/flake.lock
@ -0,0 +1,256 @@
+{
+  "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769524058,
+        "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "impermanence",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768598210,
+        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769548169,
+        "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1770197578,
+        "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "impermanence": "impermanence",
+        "lanzaboote": "lanzaboote",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/nix/configuration/flake.nix
+++ b/nix/configuration/flake.nix
@ -0,0 +1,127 @@
+# TODO maybe use `nix eval --raw .#odo.iso.outPath`
+
+#
+# Install on a new machine:
+#
+# Set
+#   me.disko.enable = true;
+#   me.disko.offline.enable = true;
+#
+# Run
+#   doas disko --mode destroy,format,mount hosts/recovery/disk-config.nix
+#   doas nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#recovery"
+
+{
+  description = "My system configuration";
+
+  inputs = {
+    impermanence = {
+      url = "github:nix-community/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      disko,
+      impermanence,
+      lanzaboote,
+      ...
+    }:
+    let
+      forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
+      nodes = {
+        odo = {
+          system = "x86_64-linux";
+        };
+        odowork = {
+          system = "x86_64-linux";
+        };
+        quark = {
+          system = "x86_64-linux";
+        };
+        recovery = {
+          system = "x86_64-linux";
+        };
+        i_only_boot_zfs = {
+          system = "x86_64-linux";
+        };
+        hydra = {
+          system = "x86_64-linux";
+        };
+      };
+      nixosConfigs = builtins.mapAttrs (
+        hostname: nodeConfig: format:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            inherit self;
+
+            this_nixos_config = self.nixosConfigurations."${hostname}";
+
+            all_nixos_configs = self.nixosConfigurations;
+          };
+          modules = [
+            impermanence.nixosModules.impermanence
+            lanzaboote.nixosModules.lanzaboote
+            disko.nixosModules.disko
+            ./configuration.nix
+            (./. + "/hosts/${hostname}")
+            (./. + "/formats/${format}.nix")
+            {
+              config = {
+                nixpkgs.hostPlatform.system = nodeConfig.system;
+                nixpkgs.overlays = [
+                  (final: prev: {
+                    # stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+                    unoptimized = import nixpkgs {
+                      system = prev.stdenv.hostPlatform.system;
+                      hostPlatform.gcc.arch = "default";
+                      hostPlatform.gcc.tune = "default";
+                    };
+                  })
+                ];
+              };
+            }
+          ];
+        }
+      ) nodes;
+      installerConfig =
+        hostname: nodeConfig:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            targetSystem = self.nixosConfigurations."${hostname}";
+          };
+          modules = [
+            ./formats/installer.nix
+            ({ nixpkgs.hostPlatform.system = nodeConfig.system; })
+          ];
+        };
+    in
+    {
+      nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs);
+    }
+    // {
+      packages = (
+        forAllSystems (
+          system:
+          (builtins.mapAttrs (hostname: nodeConfig: {
+            iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage;
+            vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage;
+            sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage;
+            installer = (installerConfig hostname nodes."${hostname}").config.system.build.isoImage;
+          }) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes))
+        )
+      );
+    };
+}
--- a/nix/configuration/formats/installer.nix
+++ b/nix/configuration/formats/installer.nix
@ -0,0 +1,74 @@
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  targetSystem,
+  ...
+}:
+let
+  installer = pkgs.writeShellApplication {
+    name = "installer";
+    runtimeInputs = with pkgs; [
+      # clevis
+      dosfstools
+      e2fsprogs
+      gawk
+      nixos-install-tools
+      util-linux
+      config.nix.package
+    ];
+    text = ''
+      set -euo pipefail
+
+      ${targetSystem.config.system.build.diskoScript}
+
+      nixos-install --no-channel-copy --no-root-password --option substituters "" --system ${targetSystem.config.system.build.toplevel}
+    '';
+  };
+  installerFailsafe = pkgs.writeShellScript "failsafe" ''
+    ${lib.getExe installer} || echo "ERROR: Installation failure!"
+    sleep 3600
+  '';
+in
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    (modulesPath + "/profiles/all-hardware.nix")
+  ];
+
+  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_17;
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
+  boot.zfs.package = pkgs.zfs_unstable;
+  boot.kernelParams = [
+    "quiet"
+    "systemd.unit=getty.target"
+  ];
+  boot.supportedFilesystems.zfs = true;
+  boot.initrd.systemd.enable = true;
+
+  networking.hostId = "04581ecf";
+
+  isoImage.makeEfiBootable = true;
+  isoImage.makeUsbBootable = true;
+  isoImage.squashfsCompression = "zstd -Xcompression-level 15";
+
+  environment.systemPackages = [
+    installer
+  ];
+
+  systemd.services."getty@tty1" = {
+    overrideStrategy = "asDropin";
+    serviceConfig = {
+      ExecStart = [
+        ""
+        installerFailsafe
+      ];
+      Restart = "no";
+      StandardInput = "null";
+    };
+  };
+
+  # system.stateVersion = lib.mkDefault lib.trivial.release;
+  system.stateVersion = "24.11";
+}
--- a/nix/configuration/formats/iso.nix
+++ b/nix/configuration/formats/iso.nix
@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  modulesPath,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.buildingPortable = true;
+    me.disko.enable = true;
+    me.disko.offline.enable = true;
+    me.mountPersistence = lib.mkForce false;
+    # me.optimizations.enable = lib.mkForce false;
+
+    # Not doing image_based_appliance because this might be an install ISO, in which case we'd need nix to do the install.
+    # me.image_based_appliance.enable = true;
+
+    # TODO: Should I use this instead of doing a mkIf for the disk config?
+    # disko.enableConfig = false;
+
+    # Faster image generation for testing/development.
+    isoImage.squashfsCompression = "zstd -Xcompression-level 15";
+  };
+}
--- a/nix/configuration/formats/sd.nix
+++ b/nix/configuration/formats/sd.nix
@ -0,0 +1,32 @@
+{
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image.nix")
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    boot.loader.grub.enable = false;
+    boot.loader.generic-extlinux-compatible.enable = true;
+
+    # TODO: image based appliance?
+
+    # TODO: Maybe this?
+    # fileSystems = {
+    #   "/" = {
+    #     device = "/dev/disk/by-label/NIXOS_SD";
+    #     fsType = "ext4";
+    #     options = [
+    #       "noatime"
+    #       "norelatime"
+    #     ];
+    #   };
+    # };
+  };
+}
--- a/nix/configuration/formats/toplevel.nix
+++ b/nix/configuration/formats/toplevel.nix
@ -0,0 +1 @@
+{ }
--- a/nix/configuration/formats/vm_iso.nix
+++ b/nix/configuration/formats/vm_iso.nix
@ -0,0 +1,22 @@
+{
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    (modulesPath + "/profiles/qemu-guest.nix") # VirtIO kernel modules
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.image_based_appliance.enable = true;
+  };
+}
--- a/nix/configuration/hosts/hydra/DEPLOY_BOOT
+++ b/nix/configuration/hosts/hydra/DEPLOY_BOOT
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=hydra
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/hydra/DEPLOY_SWITCH
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=hydra
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/ISO
+++ b/nix/configuration/hosts/hydra/ISO
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/SELF_BOOT
+++ b/nix/configuration/hosts/hydra/SELF_BOOT
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/SELF_BUILD
+++ b/nix/configuration/hosts/hydra/SELF_BUILD
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/SELF_SWITCH
+++ b/nix/configuration/hosts/hydra/SELF_SWITCH
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/VM_ISO
+++ b/nix/configuration/hosts/hydra/VM_ISO
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/hydra/default.nix
+++ b/nix/configuration/hosts/hydra/default.nix
@ -0,0 +1,138 @@
+# MANUAL: On client machines generate signing keys:
+#   nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
+#
+# Trust other machines and add the substituters:
+#   nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
+#   nix.binaryCaches = [ "https://test.example/nix-cache" ];
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  config = {
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "6fbf418b";
+
+        hostName = "hydra"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.219";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01db";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+    boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # nix.optimise.automatic = true;
+    # nix.optimise.dates = [ "03:45" ];
+    # nix.optimise.persistent = true;
+
+    me.image_based_appliance.enable = lib.mkForce false;
+
+    environment.systemPackages = with pkgs; [
+      htop
+      git # for building on hydra
+      tmux # for building on hydra
+      nix-output-monitor # for building on hydra
+    ];
+
+    # nix.sshServe.enable = true;
+    # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+    # Override garbage collection to keep things longer
+    # Automatic garbage collection
+    nix.gc = lib.mkForce {
+      automatic = true;
+      persistent = true;
+      dates = "weekly";
+      # randomizedDelaySec = "14m";
+      options = "--delete-older-than 60d";
+    };
+
+    # The default limit of files is 1024 which is too low for some nix builds.
+    #
+    # Check with `ulimit -n`
+    security.pam.loginLimits = [
+      {
+        domain = "*";
+        item = "nofile";
+        type = "-";
+        value = "8192";
+      }
+    ];
+
+    # systemd.user.extraConfig = "DefaultLimitNOFILE=8192";
+    # systemd.services."user@11400".serviceConfig.LimitNOFILE = "8192";
+
+    me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.hydra.enable = true;
+    me.minimal_base.enable = true;
+    me.nix_worker.enable = true;
+  };
+}
--- a/nix/configuration/hosts/hydra/hardware-configuration.nix
+++ b/nix/configuration/hosts/hydra/hardware-configuration.nix
@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+  };
+}
--- a/nix/configuration/hosts/hydra/vm_disk.nix
+++ b/nix/configuration/hosts/hydra/vm_disk.nix
@ -0,0 +1,95 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # environment.systemPackages = with pkgs; [
+    #   e2fsprogs # mkfs.ext4
+    #   gptfdisk # cgdisk
+    # ];
+
+    # Mount the local disk
+    fileSystems = lib.mkIf config.me.mountPersistence {
+      "/.disk" = lib.mkForce {
+        device = "/dev/nvme0n1p1";
+        fsType = "ext4";
+        options = [
+          "noatime"
+          "discard"
+        ];
+        neededForBoot = true;
+      };
+
+      # "/.persist" = lib.mkForce {
+      #   device = "bind9p";
+      #   fsType = "9p";
+      #   options = [
+      #     "noatime"
+      #     "trans=virtio"
+      #     "version=9p2000.L"
+      #     "cache=mmap"
+      #     "msize=512000"
+      #     "uname=root"
+      #     "dfltuid=0"
+      #     "dfltgid=0"
+      #     "nodevmap"
+      #     # "noauto"
+      #     # "x-systemd.automount"
+      #   ];
+      #   neededForBoot = true;
+      # };
+
+      "/persist" = {
+        fsType = "none";
+        device = "/.disk/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/persist"
+        ];
+        neededForBoot = true;
+      };
+
+      "/state" = {
+        fsType = "none";
+        device = "/.disk/state";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/state"
+        ];
+        neededForBoot = true;
+      };
+
+      # "/nix/store" = lib.mkForce {
+      #   overlay = {
+      #     lowerdir = [ "/nix/.ro-store" ];
+      #     upperdir = "/.disk/persist/store";
+      #     workdir = "/.disk/state/work";
+      #   };
+      #   # fsType = "overlay";
+      #   # device = "overlay";
+      #   # options = [
+      #   #   "lowerdir=/nix/.ro-store"
+      #   #   "upperdir=/.disk/persist/store"
+      #   #   "workdir=/.disk/state/work"
+      #   # ];
+      #   depends = [
+      #     "/nix/.ro-store"
+      #     "/.disk/persist/store"
+      #     "/.disk/state/work"
+      #   ];
+      # };
+    };
+  };
+}
--- a/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT
+++ b/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=i_only_boot_zfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=i_only_boot_zfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/i_only_boot_zfs/ISO
+++ b/nix/configuration/hosts/i_only_boot_zfs/ISO
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT
+++ b/nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD
+++ b/nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH
+++ b/nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/i_only_boot_zfs/default.nix
+++ b/nix/configuration/hosts/i_only_boot_zfs/default.nix
@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "6a05d86e";
+
+    networking.hostName = "i_only_boot_zfs"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+    # boot.loader.generic-extlinux-compatible.enable = true;
+    # boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    me.optimizations = {
+      # enable = true;
+      # arch = "kabylake";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        # "gccarch-kabylake"
+        "gccarch-x86-64-v3"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    # boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # Even when installed, we want to dhcp because this is for a VM.
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+  };
+}
--- a/nix/configuration/hosts/i_only_boot_zfs/disk-config.nix
+++ b/nix/configuration/hosts/i_only_boot_zfs/disk-config.nix
@ -0,0 +1,155 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/efi";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              # encryption = "aes-256-gcm";
+              # keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/boot" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "legacy";
+              "org.zfsbootmenu:active" = "on";
+            };
+            mountpoint = "/boot";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/boot".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  # boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}
--- a/nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix
+++ b/nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix
@ -0,0 +1,13 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.quark = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}
--- a/nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix
+++ b/nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}
--- a/nix/configuration/hosts/i_only_boot_zfs/power_management.nix
+++ b/nix/configuration/hosts/i_only_boot_zfs/power_management.nix
@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    boot.kernelParams = [
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+      "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+    ];
+
+    boot.extraModprobeConfig = ''
+      # Sound power-saving was causing chat notifications to be inaudible.
+      # options snd_hda_intel power_save=1
+    '';
+  };
+}
--- a/nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix
@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)
--- a/nix/configuration/hosts/neelix/DEPLOY_BOOT
+++ b/nix/configuration/hosts/neelix/DEPLOY_BOOT
@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=neelix
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/neelix/DEPLOY_SWITCH
@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+#TARGET=10.216.1.14
+# TARGET=192.168.211.250
+TARGET=neelix
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+
+# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'
--- a/nix/configuration/hosts/neelix/default.nix
+++ b/nix/configuration/hosts/neelix/default.nix
@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "bca9d0a5";
+
+    networking.hostName = "neelix"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    me.optimizations = {
+      enable = false;
+      arch = "alderlake";
+      system_features = [
+        "gccarch-alderlake"
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "i915" ];
+
+    # Mount tmpfs at /tmp
+    # boot.tmp.useTmpfs = true;
+
+    me.base.enable = true;
+    me.bluetooth.enable = true;
+    me.boot.enable = true;
+    me.doas.enable = true;
+    me.emacs_flavor = "plainmacs";
+    me.firewall.enable = true;
+    me.font.enable = true;
+    me.git.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "intel";
+    me.kodi.enable = true;
+    me.lvfs.enable = true;
+    me.memtest.enable = true;
+    me.network.enable = true;
+    me.nvme.enable = true;
+    me.sound.enable = true;
+    me.ssh.enable = true;
+    me.sshd.enable = true;
+    me.user.enable = true;
+    me.wireguard.activated = [ "wgh" ];
+    me.wireguard.deactivated = [ "wgf" ];
+    me.zfs.enable = true;
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+  };
+}
--- a/nix/configuration/hosts/neelix/disk-config.nix
+++ b/nix/configuration/hosts/neelix/disk-config.nix
@ -0,0 +1,140 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingIso) {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "1MiB";
+              compression = "lz4";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+}
--- a/nix/configuration/hosts/neelix/hardware-configuration.nix
+++ b/nix/configuration/hosts/neelix/hardware-configuration.nix
@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "xhci_pci"
+      "nvme"
+      "usbhid"
+      "usb_storage"
+      "sd_mod"
+      "sdhci_pci"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}
--- a/nix/configuration/hosts/neelix/power_management.nix
+++ b/nix/configuration/hosts/neelix/power_management.nix
@ -0,0 +1,35 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    boot.kernelParams = [
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+    ];
+
+    # default performance balance_performance balance_power power
+    # defaults to balance_performance
+    # systemd.tmpfiles.rules = [
+    #   "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+    #   "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+    #   "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+    #   "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+    # ];
+
+    boot.extraModprobeConfig = ''
+      options snd_hda_intel power_save=1
+    '';
+  };
+}
--- a/nix/configuration/hosts/odo/DEPLOY_BOOT
+++ b/nix/configuration/hosts/odo/DEPLOY_BOOT
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=odo
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/odo/DEPLOY_SWITCH
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=odo
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/ISO
+++ b/nix/configuration/hosts/odo/ISO
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BOOT
+++ b/nix/configuration/hosts/odo/SELF_BOOT
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/SELF_BUILD
+++ b/nix/configuration/hosts/odo/SELF_BUILD
@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+: "${NOM:="true"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+if [ "$NOM" = "true" ]; then
+    nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
+else
+    nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" -v "${@}"
+fi
--- a/nix/configuration/hosts/odo/SELF_SWITCH
+++ b/nix/configuration/hosts/odo/SELF_SWITCH
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odo/default.nix
+++ b/nix/configuration/hosts/odo/default.nix
@ -0,0 +1,165 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+    ./screen_brightness.nix
+    ./wifi.nix
+    ./framework_module.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "908cbf04";
+
+    networking.hostName = "odo"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+    boot.loader.generic-extlinux-compatible.enable = true;
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    me.rollback.dataset = [
+      "zroot/linux/nix/root@blank"
+      "zroot/linux/nix/home@blank"
+    ];
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    environment.systemPackages = with pkgs; [
+      fw-ectool
+      framework-tool
+    ];
+
+    # Enable light sensor
+    # hardware.sensor.iio.enable = lib.mkDefault true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
+    nix.daemonCPUSchedPolicy = "idle";
+
+    me.alacritty.enable = true;
+    me.amd_s2idle.enable = true;
+    me.ansible.enable = true;
+    me.ares.enable = true;
+    me.base.enable = true;
+    me.bluetooth.enable = true;
+    me.build_in_ram.enable = true;
+    me.chromecast.enable = true;
+    me.chromium.enable = true;
+    me.d2.enable = true;
+    me.direnv.enable = true;
+    me.doas.enable = true;
+    me.docker.enable = false;
+    me.dont_use_substituters.enable = true;
+    me.ecc.enable = false;
+    me.emacs_flavor = "full";
+    me.emulate_isa.enable = true;
+    me.firefox.enable = true;
+    me.firewall.enable = true;
+    me.flux.enable = true;
+    me.font.enable = true;
+    me.gcloud.enable = true;
+    me.git.config = ../../roles/git/files/gitconfig_home;
+    me.git.enable = true;
+    me.gnuplot.enable = true;
+    me.gpg.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "amd";
+    me.iso_mount.enable = true;
+    me.jujutsu.enable = true;
+    me.kanshi.enable = false;
+    me.kubernetes.enable = true;
+    me.latex.enable = true;
+    me.launch_keyboard.enable = true;
+    me.lvfs.enable = true;
+    me.media.enable = true;
+    me.memtest.enable = true;
+    me.network.enable = true;
+    me.nix_index.enable = true;
+    me.nix_repl.enable = true;
+    me.nixdev.enable = true;
+    me.nvme.enable = true;
+    me.openpgp_card_tools.enable = true;
+    me.pcsx2.enable = true;
+    me.podman.enable = true;
+    me.postgresql_client.enable = true;
+    me.python.enable = true;
+    me.qemu.enable = true;
+    me.recovery.enable = true;
+    me.rpcs3.enable = true;
+    me.rust.enable = true;
+    me.sequoia.enable = true;
+    me.shadps4.enable = false;
+    me.shikane.enable = true;
+    me.sops.enable = true;
+    me.sound.enable = true;
+    me.spaghettikart.enable = true;
+    me.ssh.enable = true;
+    me.sshd.enable = true;
+    me.steam.enable = true;
+    me.steam_run_free.enable = true;
+    me.sway.enable = true;
+    me.tekton.enable = true;
+    me.terraform.enable = true;
+    me.thunderbolt.enable = true;
+    me.user.enable = true;
+    me.uutils.enable = false;
+    me.vnc_client.enable = true;
+    me.vscode.enable = true;
+    me.wasm.enable = true;
+    me.waybar.enable = true;
+    me.wine.enable = false;
+    me.wireguard.activated = [
+      "drmario"
+      "wgh"
+      "colo"
+    ];
+    me.wireguard.deactivated = [ "wgf" ];
+    me.yubikey.enable = true;
+    me.zfs.enable = true;
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+
+    me.sm64ex.enable = true;
+    me.shipwright.enable = true;
+    me.ship2harkinian.enable = true;
+  };
+}
--- a/nix/configuration/hosts/odo/disk-config.nix
+++ b/nix/configuration/hosts/odo/disk-config.nix
@ -0,0 +1,155 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/efi";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/boot" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "legacy";
+              "org.zfsbootmenu:active" = "on";
+            };
+            mountpoint = "/boot";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/boot".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}
--- a/nix/configuration/hosts/odo/distributed_build.nix
+++ b/nix/configuration/hosts/odo/distributed_build.nix
@ -0,0 +1,19 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.quark = {
+      enable = false;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+    me.distributed_build.machines.hydra = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}
--- a/nix/configuration/hosts/odo/framework_module.nix
+++ b/nix/configuration/hosts/odo/framework_module.nix
@ -0,0 +1,19 @@
+{
+  config,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    boot.extraModulePackages = with config.boot.kernelPackages; [
+      framework-laptop-kmod
+    ];
+    # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage
+    boot.kernelModules = [
+      "cros_ec"
+      "cros_ec_lpcs"
+    ];
+  };
+}
--- a/nix/configuration/hosts/odo/hardware-configuration.nix
+++ b/nix/configuration/hosts/odo/hardware-configuration.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}
--- a/nix/configuration/hosts/odo/power_management.nix
+++ b/nix/configuration/hosts/odo/power_management.nix
@ -0,0 +1,75 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    # amd_pstate=passive :: Fully automated hardware pstate control.
+    # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
+    # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
+    # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+    boot.kernelParams = [
+      "amdgpu.abmlevel=2"
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+      # I don't see a measurable benefit from these two:
+      # "cpufreq.default_governor=powersave"
+      # "initcall_blacklist=cpufreq_gov_userspace_init"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+      "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+    ];
+
+    boot.extraModprobeConfig = ''
+      # Disable the hardware watchdog inside AMD 700 chipset series for power savings.
+      blacklist sp5100_tco
+
+      # Sound power-saving was causing chat notifications to be inaudible.
+      # options snd_hda_intel power_save=1
+    '';
+  };
+}
--- a/nix/configuration/hosts/odo/screen_brightness.nix
+++ b/nix/configuration/hosts/odo/screen_brightness.nix
@ -0,0 +1,9 @@
+{
+  imports = [ ];
+
+  config = {
+    systemd.tmpfiles.rules = [
+      "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 32767"
+    ];
+  };
+}
--- a/nix/configuration/hosts/odo/wifi.nix
+++ b/nix/configuration/hosts/odo/wifi.nix
@ -0,0 +1,10 @@
+{
+  imports = [ ];
+
+  config = {
+    # Enable debug logging for ath12k wifi card.
+    boot.kernelParams = [
+      "ath12k.debug_mask=0xffffffff"
+    ];
+  };
+}
--- a/nix/configuration/hosts/odo/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/odo/wrapped-disk-config.nix
@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)
--- a/nix/configuration/hosts/odowork/DEPLOY_BOOT
+++ b/nix/configuration/hosts/odowork/DEPLOY_BOOT
@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=odowork
+
+nixos-rebuild boot --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odowork/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/odowork/DEPLOY_SWITCH
@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=odowork
+
+nixos-rebuild switch --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odowork/INSTALLER
+++ b/nix/configuration/hosts/odowork/INSTALLER
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.installer" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odowork/ISO
+++ b/nix/configuration/hosts/odowork/ISO
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odowork/SELF_BOOT
+++ b/nix/configuration/hosts/odowork/SELF_BOOT
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odowork/SELF_BUILD
+++ b/nix/configuration/hosts/odowork/SELF_BUILD
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odowork/SELF_SWITCH
+++ b/nix/configuration/hosts/odowork/SELF_SWITCH
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/odowork/default.nix
+++ b/nix/configuration/hosts/odowork/default.nix
@ -0,0 +1,152 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+    ./screen_brightness.nix
+    ./wifi.nix
+    ./framework_module.nix
+    ./ssh_config.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "133cb66e";
+
+    networking.hostName = "odowork"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+    boot.loader.generic-extlinux-compatible.enable = true;
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    me.rollback.dataset = [
+      "zroot/linux/nixwork/root@blank"
+      "zroot/linux/nixwork/home@blank"
+    ];
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    environment.systemPackages = with pkgs; [
+      fw-ectool
+      framework-tool
+    ];
+
+    # Enable light sensor
+    # hardware.sensor.iio.enable = lib.mkDefault true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
+    nix.daemonCPUSchedPolicy = "idle";
+
+    fonts.enableDefaultPackages = lib.mkForce true;
+    fonts.packages = with pkgs; [
+      corefonts
+    ];
+    allowedUnfree = [ "corefonts" ];
+
+    me.alacritty.enable = true;
+    me.amd_s2idle.enable = true;
+    me.ansible.enable = true;
+    me.base.enable = true;
+    me.bluetooth.enable = true;
+    me.build_in_ram.enable = true;
+    me.chromium.enable = true;
+    me.d2.enable = true;
+    me.direnv.enable = true;
+    me.doas.enable = true;
+    me.docker.enable = false;
+    me.dont_use_substituters.enable = true;
+    me.emacs_flavor = "full";
+    me.firefox.enable = true;
+    me.firewall.enable = true;
+    me.font.enable = true;
+    me.gcloud.enable = true;
+    me.git.config = ../../roles/git/files/gitconfig_work;
+    me.git.enable = true;
+    me.gnome_keyring.enable = true;
+    me.gnuplot.enable = true;
+    me.gpg.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "amd";
+    me.iso_mount.enable = true;
+    me.jujutsu.enable = true;
+    me.latex.enable = true;
+    me.launch_keyboard.enable = true;
+    me.lvfs.enable = true;
+    me.media.enable = true;
+    me.memtest.enable = true;
+    me.network.enable = true;
+    me.nix_index.enable = true;
+    me.nix_repl.enable = true;
+    me.nixdev.enable = true;
+    me.nvme.enable = true;
+    me.openpgp_card_tools.enable = true;
+    me.podman.enable = true;
+    me.postgresql_client.enable = true;
+    me.python.enable = true;
+    me.rust.enable = true;
+    me.sequoia.enable = true;
+    me.shikane.enable = true;
+    me.sops.enable = true;
+    me.sound.enable = true;
+    me.ssh.enable = true;
+    me.sshd.enable = true;
+    me.steam_run_free.enable = true;
+    me.sway.enable = true;
+    me.terraform.enable = true;
+    me.thunderbolt.enable = true;
+    me.user.enable = true;
+    me.vscode.enable = true;
+    me.vscode.enable_work_profile = true;
+    me.waybar.enable = true;
+    me.wireguard.activated = [
+      "wgh"
+    ];
+    me.wireguard.deactivated = [
+      "wgf"
+      "colo"
+    ];
+    me.yubikey.enable = true;
+    me.zfs.enable = true;
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+  };
+}
--- a/nix/configuration/hosts/odowork/disk-config.nix
+++ b/nix/configuration/hosts/odowork/disk-config.nix
@ -0,0 +1,155 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/efi";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nixwork" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nixwork/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/root@blank$' || zfs snapshot zroot/linux/nixwork/root@blank";
+          };
+          "linux/nixwork/boot" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "legacy";
+              "org.zfsbootmenu:active" = "on";
+            };
+            mountpoint = "/boot";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/boot@blank$' || zfs snapshot zroot/linux/nixwork/boot@blank";
+          };
+          "linux/nixwork/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/nix@blank$' || zfs snapshot zroot/linux/nixwork/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nixwork/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/home@blank$' || zfs snapshot zroot/linux/nixwork/home@blank";
+          };
+          "linux/nixwork/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/persist@blank$' || zfs snapshot zroot/linux/nixwork/persist@blank";
+          };
+          "linux/nixwork/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/state@blank$' || zfs snapshot zroot/linux/nixwork/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/boot".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nixwork" ];
+}
--- a/nix/configuration/hosts/odowork/distributed_build.nix
+++ b/nix/configuration/hosts/odowork/distributed_build.nix
@ -0,0 +1,19 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.quark = {
+      enable = false;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+    me.distributed_build.machines.hydra = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}
--- a/nix/configuration/hosts/odowork/framework_module.nix
+++ b/nix/configuration/hosts/odowork/framework_module.nix
@ -0,0 +1,19 @@
+{
+  config,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    boot.extraModulePackages = with config.boot.kernelPackages; [
+      framework-laptop-kmod
+    ];
+    # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage
+    boot.kernelModules = [
+      "cros_ec"
+      "cros_ec_lpcs"
+    ];
+  };
+}
--- a/nix/configuration/hosts/odowork/hardware-configuration.nix
+++ b/nix/configuration/hosts/odowork/hardware-configuration.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}
--- a/nix/configuration/hosts/odowork/power_management.nix
+++ b/nix/configuration/hosts/odowork/power_management.nix
@ -0,0 +1,75 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    # amd_pstate=passive :: Fully automated hardware pstate control.
+    # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
+    # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
+    # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
+    boot.kernelParams = [
+      "amdgpu.abmlevel=2"
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+      # I don't see a measurable benefit from these two:
+      # "cpufreq.default_governor=powersave"
+      # "initcall_blacklist=cpufreq_gov_userspace_init"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+      "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+    ];
+
+    boot.extraModprobeConfig = ''
+      # Disable the hardware watchdog inside AMD 700 chipset series for power savings.
+      blacklist sp5100_tco
+
+      # Sound power-saving was causing chat notifications to be inaudible.
+      # options snd_hda_intel power_save=1
+    '';
+  };
+}
--- a/nix/configuration/hosts/odowork/screen_brightness.nix
+++ b/nix/configuration/hosts/odowork/screen_brightness.nix
@ -0,0 +1,9 @@
+{
+  imports = [ ];
+
+  config = {
+    systemd.tmpfiles.rules = [
+      "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 32767"
+    ];
+  };
+}
--- a/nix/configuration/hosts/odowork/ssh_config.nix
+++ b/nix/configuration/hosts/odowork/ssh_config.nix
@ -0,0 +1,15 @@
+{
+  lib,
+  ...
+}:
+{
+  imports = [ ];
+
+  config = {
+    me.install.user.talexander.file = {
+      ".ssh/config" = {
+        source = lib.mkForce "/persist/manual/ssh/talexander/config";
+      };
+    };
+  };
+}
--- a/nix/configuration/hosts/odowork/wifi.nix
+++ b/nix/configuration/hosts/odowork/wifi.nix
@ -0,0 +1,10 @@
+{
+  imports = [ ];
+
+  config = {
+    # Enable debug logging for ath12k wifi card.
+    boot.kernelParams = [
+      "ath12k.debug_mask=0xffffffff"
+    ];
+  };
+}
--- a/nix/configuration/hosts/odowork/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/odowork/wrapped-disk-config.nix
@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)
--- a/nix/configuration/hosts/quark/DEPLOY_BOOT
+++ b/nix/configuration/hosts/quark/DEPLOY_BOOT
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=quark
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/quark/DEPLOY_SWITCH
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=quark
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/ISO
+++ b/nix/configuration/hosts/quark/ISO
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BOOT
+++ b/nix/configuration/hosts/quark/SELF_BOOT
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_BUILD
+++ b/nix/configuration/hosts/quark/SELF_BUILD
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/SELF_SWITCH
+++ b/nix/configuration/hosts/quark/SELF_SWITCH
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/quark/default.nix
+++ b/nix/configuration/hosts/quark/default.nix
@ -0,0 +1,160 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./hardware-configuration.nix
+    ./power_management.nix
+    ./waybar.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "47ee7d7c";
+
+    networking.hostName = "quark"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+    boot.loader.generic-extlinux-compatible.enable = true;
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    me.rollback.dataset = [
+      "zroot/linux/nix/root@blank"
+      "zroot/linux/nix/home@blank"
+    ];
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-znver5"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
+    nix.daemonCPUSchedPolicy = "idle";
+
+    # RPCS3 has difficulty with znver5
+    me.rpcs3.config.Core."Use LLVM CPU" = "znver4";
+
+    me.alacritty.enable = true;
+    me.amd_s2idle.enable = true;
+    me.ansible.enable = true;
+    me.ares.enable = true;
+    me.base.enable = true;
+    me.bluetooth.enable = true;
+    me.build_in_ram.enable = true;
+    me.chromecast.enable = true;
+    me.chromium.enable = true;
+    me.d2.enable = true;
+    me.direnv.enable = true;
+    me.doas.enable = true;
+    me.docker.enable = false;
+    me.dont_use_substituters.enable = true;
+    me.ecc.enable = true;
+    me.emacs_flavor = "full";
+    me.emulate_isa.enable = true;
+    me.firefox.enable = true;
+    me.firewall.enable = true;
+    me.flux.enable = true;
+    me.font.enable = true;
+    me.gcloud.enable = true;
+    me.git.config = ../../roles/git/files/gitconfig_home;
+    me.git.enable = true;
+    me.gnuplot.enable = true;
+    me.gpg.enable = true;
+    me.graphical = true;
+    me.graphics_card_type = "amd";
+    me.iso_mount.enable = true;
+    me.jujutsu.enable = true;
+    me.kanshi.enable = false;
+    me.kubernetes.enable = true;
+    me.latex.enable = true;
+    me.launch_keyboard.enable = true;
+    me.lvfs.enable = true;
+    me.media.enable = true;
+    me.memtest.enable = true;
+    me.network.enable = true;
+    me.nix_index.enable = true;
+    me.nix_repl.enable = true;
+    me.nix_worker.enable = true;
+    me.nixdev.enable = true;
+    me.nvme.enable = true;
+    me.openpgp_card_tools.enable = true;
+    me.pcsx2.enable = true;
+    me.podman.enable = true;
+    me.postgresql_client.enable = true;
+    me.python.enable = true;
+    me.qemu.enable = true;
+    me.recovery.enable = true;
+    me.rpcs3.enable = true;
+    me.rust.enable = true;
+    me.sequoia.enable = true;
+    me.shadps4.enable = false;
+    me.shikane.enable = true;
+    me.sops.enable = true;
+    me.sound.enable = true;
+    me.spaghettikart.enable = true;
+    me.ssh.enable = true;
+    me.sshd.enable = true;
+    me.steam.enable = true;
+    me.steam_run_free.enable = true;
+    me.sway.enable = true;
+    me.tekton.enable = true;
+    me.terraform.enable = true;
+    me.thunderbolt.enable = true;
+    me.user.enable = true;
+    me.uutils.enable = false;
+    me.vnc_client.enable = true;
+    me.vscode.enable = true;
+    me.wasm.enable = true;
+    me.waybar.enable = true;
+    me.wine.enable = false;
+    me.wireguard.activated = [
+      "drmario"
+      "wgh"
+      "colo"
+    ];
+    me.wireguard.deactivated = [ "wgf" ];
+    me.yubikey.enable = true;
+    me.zfs.enable = true;
+    me.zrepl.enable = true;
+    me.zsh.enable = true;
+
+    me.sm64ex.enable = true;
+    me.shipwright.enable = true;
+    me.ship2harkinian.enable = true;
+  };
+}
--- a/nix/configuration/hosts/quark/disk-config.nix
+++ b/nix/configuration/hosts/quark/disk-config.nix
@ -0,0 +1,150 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/efi";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/boot" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "legacy";
+              "org.zfsbootmenu:active" = "on";
+            };
+            mountpoint = "/boot";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}
--- a/nix/configuration/hosts/quark/distributed_build.nix
+++ b/nix/configuration/hosts/quark/distributed_build.nix
@ -0,0 +1,13 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.hydra = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}
--- a/nix/configuration/hosts/quark/hardware-configuration.nix
+++ b/nix/configuration/hosts/quark/hardware-configuration.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}
--- a/nix/configuration/hosts/quark/power_management.nix
+++ b/nix/configuration/hosts/quark/power_management.nix
@ -0,0 +1,50 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    boot.kernelParams = [
+      # Enable undervolting GPU.
+      # "amdgpu.ppfeaturemask=0xfff7ffff"
+    ];
+
+    systemd.tmpfiles.rules = [
+      # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      # "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+    ];
+
+    # services.udev.packages = [
+    #   (pkgs.writeTextFile {
+    #     name = "amdgpu-low-power";
+    #     text = ''
+    #       ACTION=="add", SUBSYSTEM=="drm", DRIVERS=="amdgpu", ATTR{device/power_dpm_force_performance_level}="low"
+    #     '';
+    #     destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules";
+    #   })
+    # ];
+  };
+}
--- a/nix/configuration/hosts/quark/waybar.nix
+++ b/nix/configuration/hosts/quark/waybar.nix
@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [ ];
+
+  config = {
+    me.waybar.config = lib.mkForce {
+      # "height": 10, # Waybar height (to be removed for auto height)
+      "modules-left" = [
+        "sway/workspaces"
+        "sway/mode"
+      ];
+      "modules-center" = [ "sway/window" ];
+      "modules-right" = [
+        "custom/night_mode"
+        # "custom/temperature" # /sys/class/thermal/thermal_zone* does not currently exist on quark
+        "custom/sound"
+        "custom/available_memory"
+        "idle_inhibitor"
+        "custom/clock"
+        "tray"
+      ];
+      "sway/workspaces" = {
+        "disable-scroll" = true;
+      };
+      "sway/mode" = {
+        "format" = "<span style=\"italic\">{}</span>";
+      };
+      "sway/window" = {
+        "format" = "{title}";
+      };
+      "idle_inhibitor" = {
+        "format" = "{icon}";
+        "format-icons" = {
+          "activated" = "☕"; # ☕
+          "deactivated" = "💤"; # ☾☁⛾⛔⏾⌛⏳💤
+        };
+      };
+      "tray" = {
+        # "icon-size" = 21;
+        "spacing" = 10;
+      };
+      "custom/clock" = {
+        "exec" = "waybar_custom_clock";
+        "return-type" = "json";
+        "restart-interval" = 30;
+      };
+      "custom/available_memory" = {
+        "exec" = "waybar_custom_available_memory";
+        "return-type" = "json";
+        "restart-interval" = 30;
+      };
+      "custom/sound" = {
+        "exec" = "waybar_custom_sound";
+        "return-type" = "json";
+        "restart-interval" = 30;
+      };
+      # "custom/temperature" = {
+      #   "exec" = "waybar_custom_temperature";
+      #   "return-type" = "json";
+      #   "restart-interval" = 30;
+      # };
+      "custom/night_mode" = {
+        "exec" = "waybar_night_mode";
+        "return-type" = "json";
+        "restart-interval" = 30;
+        "on-click" = "pkill -USR1 -f waybar_night_mode";
+      };
+    };
+  };
+}
--- a/nix/configuration/hosts/quark/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/quark/wrapped-disk-config.nix
@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)
--- a/nix/configuration/hosts/recovery/DEPLOY_BOOT
+++ b/nix/configuration/hosts/recovery/DEPLOY_BOOT
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=recovery
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/recovery/DEPLOY_SWITCH
+++ b/nix/configuration/hosts/recovery/DEPLOY_SWITCH
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=recovery
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/recovery/ISO
+++ b/nix/configuration/hosts/recovery/ISO
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/recovery/SELF_BOOT
+++ b/nix/configuration/hosts/recovery/SELF_BOOT
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/recovery/SELF_BUILD
+++ b/nix/configuration/hosts/recovery/SELF_BUILD
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/recovery/SELF_SWITCH
+++ b/nix/configuration/hosts/recovery/SELF_SWITCH
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
--- a/nix/configuration/hosts/recovery/default.nix
+++ b/nix/configuration/hosts/recovery/default.nix
@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "46b62d92";
+
+    networking.hostName = "recovery"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = true;
+    me.mountPersistence = true;
+
+    me.optimizations = {
+      # enable = true;
+      arch = "kabylake";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-kabylake"
+        "gccarch-x86-64-v3"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    # boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+    me.recovery.enable = true;
+  };
+}
--- a/nix/configuration/hosts/recovery/disk-config.nix
+++ b/nix/configuration/hosts/recovery/disk-config.nix
@ -0,0 +1,142 @@
+# Manual Step:
+#   Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
+#   Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
+
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"
+                  "noatime"
+                  "discard"
+                ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        # mode = "mirror";
+        # Workaround: cannot import 'zroot': I/O error in disko tests
+        options.cachefile = "none";
+        options = {
+          ashift = "12";
+          compatibility = "openzfs-2.2-freebsd";
+          autotrim = "on";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "off";
+          relatime = "off";
+          xattr = "sa";
+          mountpoint = "none";
+          compression = "lz4";
+          canmount = "off";
+          utf8only = "on";
+          dnodesize = "auto";
+          normalization = "formD";
+        };
+
+        datasets = {
+          "linux/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              # encryption = "aes-256-gcm";
+              # keyformat = "passphrase";
+              # keylocation = "file:///tmp/secret.key";
+            };
+          };
+          "linux/nix/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
+          };
+          "linux/nix/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
+            options = {
+              recordsize = "16MiB";
+              compression = "zstd-19";
+            };
+          };
+          "linux/nix/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
+          };
+          "linux/nix/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
+          };
+          "linux/nix/state" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/state";
+            postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
+          };
+        };
+      };
+    };
+  };
+
+  # Make sure all persistent volumes are marked as neededForBoot
+  #
+  # Also mounts /home so it is mounted before the user home directories are created.
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/home".neededForBoot = true;
+
+  fileSystems."/".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/nix".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/persist".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/state".options = [
+    "noatime"
+    "norelatime"
+  ];
+  fileSystems."/home".options = [
+    "noatime"
+    "norelatime"
+  ];
+
+  # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
+  # boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+}
--- a/nix/configuration/hosts/recovery/distributed_build.nix
+++ b/nix/configuration/hosts/recovery/distributed_build.nix
@ -0,0 +1,13 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.quark = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}
--- a/nix/configuration/hosts/recovery/hardware-configuration.nix
+++ b/nix/configuration/hosts/recovery/hardware-configuration.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+
+    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  };
+}
--- a/nix/configuration/hosts/recovery/power_management.nix
+++ b/nix/configuration/hosts/recovery/power_management.nix
@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    boot.kernelParams = [
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+      "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+    ];
+
+    boot.extraModprobeConfig = ''
+      # Sound power-saving was causing chat notifications to be inaudible.
+      # options snd_hda_intel power_save=1
+    '';
+  };
+}
--- a/nix/configuration/hosts/recovery/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/recovery/wrapped-disk-config.nix
@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)
--- a/nix/configuration/roles/2ship2harkinian/default.nix
+++ b/nix/configuration/roles/2ship2harkinian/default.nix
@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    ship2harkinian.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install 2ship2harkinian.";
+    };
+  };
+
+  config = lib.mkIf (config.me.ship2harkinian.enable && config.me.graphical) {
+    allowedUnfree = [ "2ship2harkinian" ];
+
+    environment.systemPackages = with pkgs; [
+      _2ship2harkinian
+    ];
+
+    # TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json
+
+    environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+      hideMounts = true;
+      users.talexander = {
+        directories = [
+          {
+            directory = ".local/share/2ship";
+            user = "talexander";
+            group = "talexander";
+            mode = "0755";
+          }
+        ];
+      };
+    };
+  };
+}
--- a/Show More
+++ b/Show More