n/zorigami: nextcloud update

colmena: use nixpkgs version, so we don't need to rebuild lix for it
tokodon: pull in kde6 version instead of kde5

.ci.sdImages.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -a
+source /run/agenix/ci-secrets
+set +a
+
+cat ci-secrets.nix | envsubst > ci-secrets.nix.tmp
+mv ci-secrets.nix.tmp ci-secrets.nix
+
+set -eou pipefail
+
+set -x
+
+while read hostOutput; do
+  echo "${hostOutput}"
+  nix build --no-link ".#nixosConfigurations.${hostOutput}.config.system.build.sdImage"
+done < <(nix eval -I nixpkgs=$(nix flake metadata nixpkgs --json | jq -r .path) --raw --impure --expr '
+    with import <nixpkgs> { };
+    (lib.strings.concatStringsSep "\n"
+    (lib.mapAttrsToList (n: v: n)
+      (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system && v.pkgs.system == "aarch64-linux" && n != builtins.getEnv "HOSTNAME")
+        (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations)))
+')

.ci.sh

@@ -1,18 +1,23 @@
 #!/usr/bin/env bash
 
+set -a
+source /run/agenix/ci-secrets
+set +a
+
+cat ci-secrets.nix | envsubst > ci-secrets.nix.tmp
+mv ci-secrets.nix.tmp ci-secrets.nix
+
 set -eou pipefail
 
-export NIX_CONFIG="use-xdg-base-directories = true"
+set -x
 
-nix profile install nixpkgs#nixos-rebuild
-
-~/.local/state/nix/profile/bin/nixos-rebuild build --flake ".#ciTest"
-
-# for hostOutput in $(nix eval --raw --impure --expr '
-#     with import <nixpkgs> { };
-#     (lib.mapAttrsToList (name: value: value)
-#         (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations)[0]'
-# ); do
-#     ~/.local/state/nix/profile/bin/nixos-rebuild build --flake ".#${hostOutput}"
-# done
-# 
+while read hostOutput; do
+  echo "${hostOutput}"
+  nixos-rebuild build --verbose --flake ".#${hostOutput}"
+done < <(nix eval -I nixpkgs=$(nix flake metadata nixpkgs --json | jq -r .path) --raw --impure --expr '
+    with import <nixpkgs> { };
+    (lib.strings.concatStringsSep "\n"
+    (lib.mapAttrsToList (n: v: n)
+      (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system)
+        (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations)))
+'; echo "")

.forgejo/workflows/ci.yml

@@ -0,0 +1,28 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  x86_64-linux:
+    if: |
+      !contains(github.event.head_commit.message, '[skip-ci arm64]')
+      && !contains(github.event.head_commit.message, '[skip-ci]')
+    runs-on: self-hosted-x86_64-linux
+    steps:
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - name: build hosts configuration
+        run: ./.ci.sh
+
+  aarch64-linux:
+    if: |
+      !contains(github.event.head_commit.message, '[skip-ci arm64]')
+      && !contains(github.event.head_commit.message, '[skip-ci]')
+    runs-on: self-hosted-aarch64-linux
+    steps:
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - name: build hosts configuration
+        run: ./.ci.sh

.github/workflows/ci.yml

@@ -1,21 +1,59 @@
 name: CI
 
 on:
-  pull_request:
   push:
     branches: [main]
 
 jobs:
-  run-x86_64-linux:
-    name: Run x86_64 Linux
-    runs-on: ubuntu-22.04
+  get-hosts:
+    if: "!contains(github.event.head_commit.message, '[skip-ci]')"
+    runs-on: self-hosted-x86_64-linux
+    outputs:
+      matrix: ${{ steps.hosts_out.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v3
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
-        with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - run: ./.ci.sh
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - id: hosts_out
+        name: set hosts var
+        run: |
+          {
+            echo -n "matrix="
+            nix eval --raw --impure --expr '
+                let
+                    f = configs: builtins.groupBy (n: configs.${n}.pkgs.system) (builtins.attrNames configs);
+                in
+                    builtins.toJSON (f (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations)'
+            echo ""
+          }  >> "$GITHUB_OUTPUT"
+
+  x86_64-linux:
+    if: |
+      !contains(github.event.head_commit.message, '[skip-ci x64]')
+      && !contains(github.event.head_commit.message, '[skip-ci]')
+    runs-on: self-hosted-x86_64-linux
+    needs: [get-hosts]
+    strategy:
+      fail-fast: false
+      matrix:
+        host: ${{ fromJson(needs.get-hosts.outputs.matrix).x86_64-linux }}
+    steps:
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - name: build host configuration ${{ matrix.host }}
+        run: nixos-rebuild build --verbose --flake ".#${{ matrix.host }}"
+
+  aarch64-linux:
+    if: |
+      !contains(github.event.head_commit.message, '[skip-ci arm64]')
+      && !contains(github.event.head_commit.message, '[skip-ci]')
+    runs-on: self-hosted-aarch64-linux
+    needs: [get-hosts]
+    strategy:
+      fail-fast: false
+      matrix:
+        host: ${{ fromJson(needs.get-hosts.outputs.matrix).aarch64-linux }}
+    steps:
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - name: build host configuration ${{ matrix.host }}
+        run: nixos-rebuild build --verbose --flake ".#${{ matrix.host }}"

README.md

@@ -0,0 +1,73 @@
+# My personal NixOS infrastructure configurations
+
+This repository contains configurations for Most™ of my NixOS machines.
+
+All of the host configurations are deployable using
+[deploy-rs](https://github.com/serokell/deploy-rs),
+[colmena](https://colmena.cli.rs/), and plain old `nixos-rebuild`. See
+`deploy.nodes` and `colmena` crimes in flake outputs for details how. Initial
+host deploment, sadly, needs to happen manually (for now at least). Secrets are
+managed using [agenix](https://github.com/ryantm/agenix), instead of any
+deployment-tool-native secret manager.
+
+## General usage
+### Adding new module
+```
+$ echo -e "{ config, lib, pkgs, inputs, ... }:\n\n{\n}" > modules/new-module.nix
+```
+
+### Adding new host
+```
+$ mkdir nixos/newhost
+$ echo -e "{ config, lib, pkgs, inputs, ... }:\n\n{\n}" > nixos/newhost/default.nix
+$ echo '{"publicKey": "…", "targetHost": "…", "system": "aarch64-linux"}' | jq -rM > nixos/newhost/meta.json
+```
+
+### Exploring generated configurations
+Colmena has a nice feature here called `colmena repl`. Go out there and explore
+`nodes` and its attributes.
+
+### Before you commit
+To keep things clean, uniform, and working at least on some basic level,
+remember to:
+```
+$ nix flake check --no-build
+$ nix fmt
+```
+Small bit of warning: `nix fmt`, with formatters as configured (`deadnix`
+specifically) *will* remove unused variables and such. Might be annoying when
+things are work-in-progress.
+
+### Deploying new configurations
+There are multiple options here. You can use `nixos-rebuild` either locally:
+```
+$ sudo nixos-rebuild switch --flake .#microlith
+```
+remotely:
+```
+$ nixos-rebuild switch --target-host root@zorigami --build-host root@zorigami --flake .#zorigami
+```
+remotely using `deploy-rs`:
+```
+$ deploy .#scylla
+```
+or using `colmena`:
+```
+$ colmena apply --on khas
+```
+All of these *should* generally work, though I prefer to use `deploy-rs` on my
+router (because of magic rollback) when deploying bigger changes, and `colmena`
+in most cases, because it's faster. And if the changes you're about to deploy
+had a chance to be built by "CI", most stuff shouldn't need to be built locally.
+
+Warnings about `colmena` and `deploy` being unknown flake outputs are known, and
+will stay here at least until
+[schemas](https://determinate.systems/posts/flake-schemas) get implemented for
+these.
+
+## General notes
+Feel free to use this as a basis for your own configuration flakes, but while I
+keep things here working for me, the general state might not reflect best
+practices. Use caution, and if you feel like you don't really understand
+something (and there are some code crimes commited here), don't feel obliged to
+use it just because it's already here.

ci-secrets.nix

@@ -0,0 +1 @@
+{ wifi = "$__SECRET_wifi_secrets"; }

flake.lock

@@ -4,14 +4,15 @@
       "inputs": {
         "darwin": [],
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1696775529,
-        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+        "lastModified": 1716561646,
+        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
+        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
         "type": "github"
       },
       "original": {
@@ -23,11 +24,11 @@
     "base16-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1689473676,
-        "narHash": "sha256-L0RhUr9+W5EPWBpLcmkKpUeCEWRs/kLzVMF3Vao2ZU0=",
+        "lastModified": 1696158499,
+        "narHash": "sha256-5yIHgDTPjoX/3oDEfLSQ0eJZdFL1SaCfb9d6M0RmOTM=",
         "owner": "tinted-theming",
         "repo": "base16-schemes",
-        "rev": "d95123ca6377cd849cfdce92c0a24406b0c6a789",
+        "rev": "a9112eaae86d9dd8ee6bb9445b664fba2f94037a",
         "type": "github"
       },
       "original": {
@@ -36,31 +37,59 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
+    "colmena": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "stable": "stable"
+      },
+      "locked": {
+        "lastModified": 1711386353,
+        "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
+        "owner": "zhaofengli",
+        "repo": "colmena",
+        "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "ref": "main",
+        "repo": "colmena",
+        "type": "github"
+      }
+    },
     "crane": {
       "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
         "nixpkgs": [
           "lanzaboote",
           "nixpkgs"
-        ],
-        "rust-overlay": [
-          "lanzaboote",
-          "rust-overlay"
         ]
       },
       "locked": {
-        "lastModified": 1688772518,
-        "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=",
+        "lastModified": 1711299236,
+        "narHash": "sha256-6/JsyozOMKN8LUGqWMopKTSiK8N79T8Q+hcxu2KkTXg=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e",
+        "rev": "880573f80d09e18a11713f402b9e6172a085449f",
         "type": "github"
       },
       "original": {
@@ -71,16 +100,16 @@
     },
     "deploy-rs": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "nixpkgs": "nixpkgs_2",
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1695052866,
-        "narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
+        "lastModified": 1715699772,
+        "narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
+        "rev": "b3ea6f333f9057b77efd9091119ba67089399ced",
         "type": "github"
       },
       "original": {
@@ -92,11 +121,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1668681692,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
         "type": "github"
       },
       "original": {
@@ -108,11 +137,43 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_4": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -129,11 +190,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688466019,
-        "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
+        "lastModified": 1709336216,
+        "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
+        "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
         "type": "github"
       },
       "original": {
@@ -143,15 +204,12 @@
       }
     },
     "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
       "locked": {
-        "lastModified": 1689068808,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
         "type": "github"
       },
       "original": {
@@ -162,14 +220,14 @@
     },
     "flake-utils_2": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1694529238,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -178,6 +236,57 @@
         "type": "github"
       }
     },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flakey-profile": {
+      "locked": {
+        "lastModified": 1712898590,
+        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "type": "github"
+      }
+    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
@@ -187,11 +296,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
@@ -208,11 +317,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682203081,
-        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
         "type": "github"
       },
       "original": {
@@ -223,14 +332,16 @@
     },
     "home-manager_2": {
       "inputs": {
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1696940889,
-        "narHash": "sha256-p2Wic74A1tZpFcld1wSEbFQQbrZ/tPDuLieCnspamQo=",
+        "lastModified": 1717052710,
+        "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6bba64781e4b7c1f91a733583defbd3e46b49408",
+        "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae",
         "type": "github"
       },
       "original": {
@@ -239,12 +350,48 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1708968331,
+        "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "jovian-nixos": {
+      "inputs": {
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717012808,
+        "narHash": "sha256-Wn0fbjqmpIiuPUWnvxu85a9sPYtSd/2tcPDhAYW54RM=",
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "rev": "a8e6557f29fa0cbcc2c54d15f9664c14ae2a3e98",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "type": "github"
+      }
+    },
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_3",
         "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -252,11 +399,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1696410458,
-        "narHash": "sha256-ohrrFywK7WIHEGWosBVRFZF5D2q2AeIGFGp9mMZRc40=",
+        "lastModified": 1716805126,
+        "narHash": "sha256-yqJWx74e16Gk4pwW5DWfI4orTKeWezKFNbW7eaojpLw=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "ac43ac3024f814fcf3a3bab41873019109521442",
+        "rev": "2eb19b872bc0a5f336b9b934ba96ea029e4da8c2",
         "type": "github"
       },
       "original": {
@@ -265,17 +412,62 @@
         "type": "github"
       }
     },
-    "microvm": {
+    "lix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1714955862,
+        "narHash": "sha256-REWlo2RYHfJkxnmZTEJu3Cd/2VM+wjjpPy7Xi4BdDTQ=",
+        "ref": "refs/tags/2.90-beta.1",
+        "rev": "b6799ab0374a8e1907a48915d3187e07da41d88c",
+        "revCount": 15501,
+        "type": "git",
+        "url": "https://git@git.lix.systems/lix-project/lix"
+      },
+      "original": {
+        "ref": "refs/tags/2.90-beta.1",
+        "type": "git",
+        "url": "https://git@git.lix.systems/lix-project/lix"
+      }
+    },
+    "lix-module": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs_4"
+        "flake-utils": "flake-utils_3",
+        "flakey-profile": "flakey-profile",
+        "lix": [
+          "lix"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1696981517,
-        "narHash": "sha256-1VQt+o9hRdjiWBaN73HKchfltAHzszoIGt35ZT9JStE=",
+        "lastModified": 1717036776,
+        "narHash": "sha256-joKTxvywYlKspGGKOIXho6oRbggOPyayEqAyuZCavO0=",
+        "ref": "refs/heads/main",
+        "rev": "b4b38e6b5fe18da9464f291ae5fbf2ea9acb9ccb",
+        "revCount": 86,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module"
+      }
+    },
+    "microvm": {
+      "inputs": {
+        "flake-utils": "flake-utils_4",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "spectrum": "spectrum"
+      },
+      "locked": {
+        "lastModified": 1716754174,
+        "narHash": "sha256-L2Vni6dGDFWXWwY0rqkQWtZXt+qYQKUZr+Fj+EpI97Q=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "2c28afc481d47c551ab71d96130d938cdde59933",
+        "rev": "fa4262c3c9197e7d62185858907f2e5acff3258d",
         "type": "github"
       },
       "original": {
@@ -290,11 +482,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1695388192,
-        "narHash": "sha256-2jelpE7xK+4M7jZNyWL7QYOYegQLYBDQS5bvdo8XRUQ=",
+        "lastModified": 1707825078,
+        "narHash": "sha256-hTfge2J2W+42SZ7VHXkf4kjU+qzFqPeC9k66jAUBMHk=",
         "owner": "misterio77",
         "repo": "nix-colors",
-        "rev": "37227f274b34a3b51649166deb94ce7fec2c6a4c",
+        "rev": "b01f024090d2c4fc3152cd0cf12027a7b8453ba1",
         "type": "github"
       },
       "original": {
@@ -305,16 +497,16 @@
     },
     "nix-formatter-pack": {
       "inputs": {
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_3",
         "nmd": "nmd",
         "nmt": "nmt"
       },
       "locked": {
-        "lastModified": 1694984852,
-        "narHash": "sha256-A1x55uLb2LT9evsTWYc1U9+iki1AmE5ROxOuCKPf3JE=",
+        "lastModified": 1715807870,
+        "narHash": "sha256-lutvG1LFGSpXsGA7U4TWfdfq6p71WdSlhw3vM4W/Opk=",
         "owner": "Gerschtli",
         "repo": "nix-formatter-pack",
-        "rev": "23795a4daf29ce784b3edc13b9776c7b445c453b",
+        "rev": "ab5feb867e5d074918852de6134500a82a09dc48",
         "type": "github"
       },
       "original": {
@@ -323,16 +515,40 @@
         "type": "github"
       }
     },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "jovian-nixos",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1690328911,
+        "narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=",
+        "owner": "zhaofengli",
+        "repo": "nix-github-actions",
+        "rev": "96df4a39c52f53cb7098b923224d8ce941b64747",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "ref": "matrix-name",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nix-index-database": {
       "inputs": {
-        "nixpkgs": "nixpkgs_6"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1696736548,
-        "narHash": "sha256-Dg0gJ9xVXud55sAbXspMapFYZOpVAldQQo7MFp91Vb0=",
+        "lastModified": 1716772633,
+        "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "2902dc66f64f733bfb45754e984e958e9fe7faf9",
+        "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
         "type": "github"
       },
       "original": {
@@ -341,13 +557,29 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1716987116,
+        "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "8251761f93d6f5b91cee45ac09edb6e382641009",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1677676435,
-        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
         "type": "github"
       },
       "original": {
@@ -359,11 +591,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1694911725,
-        "narHash": "sha256-8YqI+YU1DGclEjHsnrrGfqsQg3Wyga1DfTbJrN3Ud0c=",
+        "lastModified": 1697935651,
+        "narHash": "sha256-qOfWjQ2JQSQL15KLh6D7xQhx0qgZlYZTYlcEiRuAMMw=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "819180647f428a3826bfc917a54449da1e532ce0",
+        "rev": "e1e11fdbb01113d85c7f41cada9d2847660e3902",
         "type": "github"
       },
       "original": {
@@ -374,27 +606,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1685801374,
-        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1671417167,
-        "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
+        "lastModified": 1702272962,
+        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
+        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
         "type": "github"
       },
       "original": {
@@ -405,38 +637,6 @@
       }
     },
     "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1696604326,
-        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1696019113,
-        "narHash": "sha256-X3+DKYWJm93DRSdC5M6K5hLqzSya9BjibtBsuARoPco=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "f5892ddac112a1e9b3612c39af1b72987ee5783a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_5": {
       "locked": {
         "lastModified": 1669933672,
         "narHash": "sha256-9nzaATSTmEMpTrx+7j3vVwQkcpu9JMkQ1M08iPtu7m4=",
@@ -452,34 +652,18 @@
         "type": "github"
       }
     },
-    "nixpkgs_6": {
+    "nixpkgs_4": {
       "locked": {
-        "lastModified": 1696604326,
-        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
-        "owner": "nixos",
+        "lastModified": 1716991893,
+        "narHash": "sha256-Eoyi4cFspfDadhSs4d0eSsLkL9kZYiM2Tg17bFSm750=",
+        "owner": "arachnist",
         "repo": "nixpkgs",
-        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
+        "rev": "7869e74e5aa899302d2d36b23b62550c6a29c54c",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_7": {
-      "locked": {
-        "lastModified": 1696879762,
-        "narHash": "sha256-Ud6bH4DMcYHUDKavNMxAhcIpDGgHMyL/yaDEAVSImQY=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "f99e5f03cc0aa231ab5950a15ed02afec45ed51a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "owner": "arachnist",
+        "ref": "ar-patchset-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -534,11 +718,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1689668210,
-        "narHash": "sha256-XAATwDkaUxH958yXLs1lcEOmU6pSEIkatY3qjqk8X0E=",
+        "lastModified": 1710923068,
+        "narHash": "sha256-6hOpUiuxuwpXXc/xfJsBUJeqqgGI+JMJuLo45aG3cKc=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "eb433bff05b285258be76513add6f6c57b441775",
+        "rev": "e611897ddfdde3ed3eaac4758635d7177ff78673",
         "type": "github"
       },
       "original": {
@@ -550,14 +734,21 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "colmena": "colmena",
         "deploy-rs": "deploy-rs",
         "home-manager": "home-manager_2",
+        "impermanence": "impermanence",
+        "jovian-nixos": "jovian-nixos",
         "lanzaboote": "lanzaboote",
+        "lix": "lix",
+        "lix-module": "lix-module",
         "microvm": "microvm",
         "nix-colors": "nix-colors",
         "nix-formatter-pack": "nix-formatter-pack",
         "nix-index-database": "nix-index-database",
-        "nixpkgs": "nixpkgs_7"
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs_4",
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
       }
     },
     "rust-overlay": {
@@ -572,11 +763,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1694657451,
-        "narHash": "sha256-cRZa9ZmUi0EFKcmzpsOXLVhiMQD8XLrku8v+U1YiGm8=",
+        "lastModified": 1711246447,
+        "narHash": "sha256-g9TOluObcOEKewFo2fR4cn51Y/jSKhRRo4QZckHLop0=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "7c4f46f0b3597e3c4663285e6794194e55574879",
+        "rev": "dcc802a6ec4e9cc6a1c8c393327f0c42666f22e4",
         "type": "github"
       },
       "original": {
@@ -585,6 +776,61 @@
         "type": "github"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat_4",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils_2"
+      },
+      "locked": {
+        "lastModified": 1714720456,
+        "narHash": "sha256-e0WFe1BHqX23ADpGBc4ZRu38Mg+GICCZCqyS6EWCbHc=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "41059fc548088e49e3ddb3a2b4faeb5de018e60f",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
+    "spectrum": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1708358594,
+        "narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=",
+        "ref": "refs/heads/main",
+        "rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c",
+        "revCount": 614,
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      }
+    },
+    "stable": {
+      "locked": {
+        "lastModified": 1696039360,
+        "narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -615,13 +861,94 @@
         "type": "github"
       }
     },
-    "utils": {
+    "systems_3": {
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_6": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "utils_2": {
+      "inputs": {
+        "systems": "systems_6"
+      },
+      "locked": {
+        "lastModified": 1709126324,
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,13 +2,21 @@
   description = "Nibylandia configurations";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:arachnist/nixpkgs/ar-patchset-unstable";
     home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
     nix-colors.url = "github:misterio77/nix-colors";
     nix-formatter-pack.url = "github:Gerschtli/nix-formatter-pack";
     nix-index-database.url = "github:Mic92/nix-index-database";
+    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
     deploy-rs.url = "github:serokell/deploy-rs";
     microvm.url = "github:astro/microvm.nix";
+    microvm.inputs.nixpkgs.follows = "nixpkgs";
+    impermanence.url = "github:nix-community/impermanence";
+    colmena = {
+      url = "github:zhaofengli/colmena/main";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     agenix = {
       url = "github:ryantm/agenix";
       inputs.darwin.follows = "";
@@ -17,12 +25,31 @@
       url = "github:nix-community/lanzaboote";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    simple-nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    jovian-nixos = {
+      url = "github:Jovian-Experiments/Jovian-NixOS";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    lix = {
+      url =
+        "git+https://git@git.lix.systems/lix-project/lix?ref=refs/tags/2.90-beta.1";
+      flake = false;
+    };
+    lix-module = {
+      url = "git+https://git.lix.systems/lix-project/nixos-module";
+      inputs.lix.follows = "lix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, nix-formatter-pack, nix-index-database, deploy-rs
-    , agenix, lanzaboote, microvm, ... }:
+  outputs = { self, nixpkgs, deploy-rs, ... }@inputs:
     let
-      forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
+      systems = [ "x86_64-linux" "aarch64-linux" ];
+      forAllSystems = nixpkgs.lib.genAttrs systems;
       pkgsForDeploy =
         forAllSystems (system: import nixpkgs { inherit system; });
       deployPkgs = forAllSystems (system:
@@ -39,9 +66,11 @@
             })
           ];
         });
+      inherit (nixpkgs) lib;
+      meta = import ./meta.nix;
     in {
       formatter = forAllSystems (system:
-        nix-formatter-pack.lib.mkFormatter {
+        inputs.nix-formatter-pack.lib.mkFormatter {
           inherit nixpkgs system;
 
           config = {
@@ -57,140 +86,49 @@
           };
         });
 
-      nixosModules = with self.nixosModules; {
-        nibylandia-boot.imports = [ ./modules/boot.nix ];
+      overlays = import ./overlays;
 
-        nibylandia-secureboot.imports = [
-          lanzaboote.nixosModules.lanzaboote
+      nixosModules = lib.mapAttrs' (name: value:
+        lib.nameValuePair (builtins.replaceStrings [ ".nix" ] [ "" ] name) {
+          imports = [ (./modules/. + "/${name}") ];
+        }) (builtins.readDir ./modules);
 
-          ({ config, lib, ... }: {
-            age.secrets = {
-              secureboot-cert.file = ./secrets/secureboot-cert.age;
-              secureboot-key.file = ./secrets/secureboot-key.age;
-            };
-
-            boot.lanzaboote = {
-              enable = true;
-              publicKeyFile = config.age.secrets.secureboot-cert.path;
-              privateKeyFile = config.age.secrets.secureboot-key.path;
-            };
-
-            nibylandia-boot.uefi.enable = lib.mkForce false;
-          })
-        ];
-
-        nibylandia-common.imports = [
-          nix-index-database.nixosModules.nix-index
-          agenix.nixosModules.default
-
-          microvm.nixosModules.host
-
-          nibylandia-boot
-
-          ({ pkgs, ... }: {
-            environment.systemPackages =
-              [ agenix.packages.${pkgs.system}.default ];
-          })
-
-          ./modules/common.nix
-        ];
-
-        nibylandia-graphical.imports = [
-          nibylandia-common
-
-          ./modules/graphical.nix
-        ];
-
-        nibylandia-laptop.imports = [ ./modules/laptop.nix ];
-
-        nibylandia-gaming.imports = [ ./modules/gaming.nix ];
-      };
-
-      nixosConfigurations = with self.nixosModules; {
-        ciTest = nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
+      nixosConfigurations = builtins.mapAttrs (name: value:
+        nixpkgs.lib.nixosSystem {
+          inherit (value) system;
           modules = [
-            nibylandia-common
-
+            (./nixos/. + "/${name}")
+            inputs.lix-module.nixosModules.default
             {
-              nibylandia-boot.uefi.enable = true;
-              fileSystems."/" = {
-                device = "none";
-                fsType = "tmpfs";
-                options = [ "defaults" "size=8G" "mode=755" ];
-              };
-            }
+              nixpkgs.system = value.system;
+            } # need to set this explicitly for colmena
           ];
-        };
+          extraModules = [ inputs.colmena.nixosModules.deploymentOptions ];
+          specialArgs = { inherit inputs; };
+        }) meta.hosts;
 
-        scylla = nixpkgs.lib.nixosSystem {
-          system = "aarch64-linux";
-          modules = [
-            nibylandia-common
-
-            ./nixos/scylla
-          ];
-        };
-
-        khas = nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          modules = [
-            nibylandia-graphical
-            nibylandia-laptop
-            nibylandia-secureboot
-            nibylandia-gaming
-
-            ./nixos/khas
-          ];
-        };
-
-        microlith = nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          modules = [
-            nibylandia-graphical
-            nibylandia-gaming
-            nibylandia-secureboot
-
-            ./nixos/microlith
-          ];
-        };
-      };
-
-      deploy.nodes.scylla = {
+      deploy.nodes = builtins.mapAttrs (name: value: {
         fastConnection = false;
         remoteBuild = true;
-        hostname = "i.am-a.cat";
+        hostname = value.config.deployment.targetHost;
         profiles.system = {
           user = "root";
           sshUser = "root";
-          path = deployPkgs.aarch64-linux.deploy-rs.lib.activate.nixos
-            self.nixosConfigurations.scylla;
+          path =
+            deployPkgs.${value.config.nixpkgs.system}.deploy-rs.lib.activate.nixos
+            value;
         };
-      };
+      }) self.nixosConfigurations;
 
-      deploy.nodes.khas = {
-        fastConnection = false;
-        remoteBuild = true;
-        hostname = "khas";
-        profiles.system = {
-          user = "root";
-          sshUser = "root";
-          path = deployPkgs.x86_64-linux.deploy-rs.lib.activate.nixos
-            self.nixosConfigurations.khas;
+      colmena = {
+        meta = {
+          nixpkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
+          nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs)
+            self.nixosConfigurations;
+          specialArgs.lib = lib;
         };
-      };
-
-      deploy.nodes.microlith = {
-        fastConnection = false;
-        remoteBuild = true;
-        hostname = "microlith.nibylandia.lan";
-        profiles.system = {
-          user = "root";
-          sshUser = "root";
-          path = deployPkgs.x86_64-linux.deploy-rs.lib.activate.nixos
-            self.nixosConfigurations.microlith;
-        };
-      };
+      } // builtins.mapAttrs (_: v: { imports = v._module.args.modules; })
+        self.nixosConfigurations;
 
       checks = builtins.mapAttrs
         (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;

meta.nix

@@ -0,0 +1,16 @@
+let
+  ar_khas =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas";
+  ar_microlith =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6rEwERSm/Fj4KO4SxFIo0BUvi9YNyf8PSL1FteMcMt ar@microlith";
+  defaultDomain = "tail412c1.ts.net";
+in {
+  hosts = builtins.mapAttrs (name: value:
+    {
+      targetHost = name + "." + defaultDomain;
+    }
+    // builtins.fromJSON (builtins.readFile (./nixos/. + "/${name}/meta.json")))
+    (builtins.readDir ./nixos);
+
+  users.ar = [ ar_khas ar_microlith ];
+}

modules/boot.nix

@@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 
-let cfg = config.nibylandia-boot;
+let cfg = config.boot;
 in {
-  options.nibylandia-boot = {
+  options.boot = {
     uefi.enable = lib.mkEnableOption "Boot via UEFI";
     ryzen.enable = lib.mkEnableOption "Enable AMD Ryzen-specific options";
   };

modules/ci-runners.nix

@@ -0,0 +1,74 @@
+{ config, pkgs, ... }:
+
+let
+  gitea-runner-directory = "/var/lib/gitea-runner";
+  meta = import ../meta.nix;
+  ci-packages = with pkgs; [
+    bash
+    coreutils
+    curl
+    gawk
+    git-lfs
+    nixFlakes
+    gitFull
+    gnused
+    nodejs
+    wget
+    jq
+    nixos-rebuild
+    envsubst
+  ];
+  ci-labels = [
+    "nixos-${pkgs.system}:host"
+    "nixos:host"
+    "self-hosted-${pkgs.system}"
+    "self-hosted"
+  ];
+in {
+  age.secrets = {
+    gitea-runner-token.file =
+      ../secrets/gitea-runner-token-${config.networking.hostName}.age;
+    github-runner-token.file =
+      ../secrets/github-runner-token-${config.networking.hostName}.age;
+    ci-secrets = { # for printer host sd images
+      file = ../secrets/ci-secrets.age;
+      mode = "444";
+    };
+  };
+
+  services.github-runners."nix-${config.networking.hostName}" = {
+    enable = true;
+    extraLabels = ci-labels;
+    tokenFile = config.age.secrets.github-runner-token.path;
+    url = "https://github.com/arachnist/nibylandia";
+
+    extraPackages = ci-packages;
+  };
+
+  services.gitea-actions-runner.instances.nix = {
+    enable = true;
+    name = config.networking.hostName;
+    tokenFile = config.age.secrets.gitea-runner-token.path;
+    labels = ci-labels;
+    url = "https://code.hackerspace.pl";
+    settings = {
+      cache.enabled = true;
+      host.workdir_parent = "${gitea-runner-directory}/action-cache-dir";
+    };
+
+    hostPackages = ci-packages;
+  };
+
+  systemd.services.gitea-runner-nix.environment = {
+    XDG_CONFIG_HOME = gitea-runner-directory;
+    XDG_CACHE_HOME = "${gitea-runner-directory}/.cache";
+  };
+
+  nix.sshServe = {
+    enable = true;
+    protocol = "ssh";
+    keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeC/Nr7STpYEZ50p7X+XrFdeaIfib60tt2QN4Kvxscr"
+    ] ++ meta.users.ar;
+  };
+}

modules/common.nix

@@ -1,7 +1,25 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
 
-let secrets = import ../secrets.nix;
+let meta = import ../meta.nix;
 in {
+  imports = with inputs; [
+    nix-index-database.nixosModules.nix-index
+    agenix.nixosModules.default
+
+    microvm.nixosModules.host
+
+    self.nixosModules.boot
+  ];
+
+  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+
+  deployment = {
+    allowLocalDeployment = true;
+    buildOnTarget = true;
+  };
+
+  age.secrets.nix-store.file = ../secrets/nix-store.age;
+
   boot.binfmt.emulatedSystems =
     lib.lists.remove pkgs.system [ "x86_64-linux" "aarch64-linux" ];
   programs.command-not-found.enable = false;
@@ -31,52 +49,75 @@ in {
       terminal = "screen256-color";
       clock24 = true;
     };
+    ssh.knownHosts = builtins.mapAttrs (name: value: {
+      inherit (value) publicKey;
+      extraHostNames = [ value.targetHost ];
+    }) meta.hosts;
     bash.enableCompletion = true;
     mosh.enable = true;
   };
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    useRoutingFeatures = lib.mkDefault "client";
+    permitCertUid = "ar";
+  };
+
+  deployment.targetHost =
+    lib.mkDefault meta.hosts.${config.networking.hostName}.targetHost;
 
   nix = {
-    package = pkgs.nixUnstable;
     extraOptions = ''
       experimental-features = nix-command flakes
     '';
+    settings = {
+      trusted-users = [ "ar" "root" ];
+      substituters = (if config.networking.hostName != "scylla" then
+        [
+          "ssh://nix-ssh@scylla.tail412c1.ts.net?trusted=1&ssh-key=${config.age.secrets.nix-store.path}"
+        ]
+      else
+        [ ]) ++ (if config.networking.hostName != "zorigami" then
+          [
+            "ssh://nix-ssh@zorigami.tail412c1.ts.net?trusted=1&ssh-key=${config.age.secrets.nix-store.path}"
+          ]
+        else
+          [ ]);
+      trusted-substituters = config.nix.settings.substituters;
+      extra-substituters = [ "https://cache.lix.systems" ];
+      trusted-public-keys =
+        [ "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" ];
+    };
   };
-
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.allowBroken = true;
+  nixpkgs.overlays = [ inputs.self.overlays.nibylandia ];
 
   environment.systemPackages = with pkgs; [
-    deploy-rs
     file
     git
-    go
     libarchive
     lm_sensors
     lshw
     lsof
     pciutils
-    pry
     pv
     strace
     usbutils
     wget
     zip
-    config.boot.kernelPackages.perf
+    # config.boot.kernelPackages.perf
     age
-    sshfs
-    dig
     dstat
     htop
     iperf
-    whois
     xxd
     tcpdump
     traceroute
-    age
-    cfssl
-    gomuks
-    bind
-    nmap
+    jq
+    dnsutils
+    tailscale
+    nix-top
   ];
 
   documentation = {
@@ -87,7 +128,7 @@ in {
     nixos.enable = true;
   };
 
-  users.users.root.openssh.authorizedKeys.keys = secrets.ar;
+  users.users.root.openssh.authorizedKeys.keys = meta.users.ar;
 
   users.mutableUsers = false;
 
@@ -114,7 +155,7 @@ in {
       "networkmanager"
     ];
     hashedPassword = lib.mkDefault null;
-    openssh.authorizedKeys.keys = secrets.ar;
+    openssh.authorizedKeys.keys = meta.users.ar;
   };
 
   console.keyMap = "us";
@@ -128,4 +169,33 @@ in {
     ];
   };
   time.timeZone = "Europe/Warsaw";
+
+  systemd.network = {
+    enable = true;
+    netdevs.virbr0.netdevConfig = {
+      Kind = "bridge";
+      Name = "virbr0";
+    };
+    networks.virbr0 = {
+      matchConfig.Name = "virbr0";
+      # Hand out IP addresses to MicroVMs.
+      # Use `networkctl status virbr0` to see leases.
+      networkConfig = {
+        DHCPServer = true;
+        IPv6SendRA = true;
+      };
+      addresses = [
+        { addressConfig.Address = "10.0.0.1/24"; }
+        { addressConfig.Address = "fd12:3456:789a::1/64"; }
+      ];
+      ipv6Prefixes = [{ ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64"; }];
+    };
+    networks.microvm-eth0 = {
+      matchConfig.Name = "vm-*";
+      networkConfig.Bridge = "virbr0";
+    };
+  };
+
+  services.chrony.enable = true;
+  services.timesyncd.enable = false;
 }

modules/gaming.nix

@@ -4,5 +4,5 @@
     remotePlay.openFirewall = true;
   };
 
-  environment.systemPackages = with pkgs; [ yuzu-early-access ryujinx ];
+  # environment.systemPackages = with pkgs; [ ryujinx ];
 }

modules/graphical.nix

@@ -1,6 +1,34 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
+
+let
+  flakes = lib.filterAttrs (name: value: value ? outputs) inputs;
+  nixRegistry = builtins.mapAttrs (name: v: { flake = v; }) flakes;
+  # rfkill block 0; rmmod btusb btintel; systemctl restart bluetooth.service; modprobe btintel; modprobe btusb; systemctl restart bluetooth.service; rfkill unblock 0
+  bt-unfuck = with pkgs;
+    writeScriptBin "bt-unfuck" ''
+      #!${runtimeShell}
+      ${util-linux}/bin/rfkill block 0
+      ${kmod}/bin/rmmod btusb btintel
+      ${systemd}/bin/systemctl restart bluetooth.service
+      for mod in btintel btusb; do
+        ${kmod}/bin/modprobe $mod
+      done
+      ${systemd}/bin/systemctl restart bluetooth.service
+      ${util-linux}/bin/rfkill unblock 0
+    '';
+in {
+  imports = [ inputs.self.nixosModules.common inputs.home-manager.nixosModule ];
+
+  nix.registry = nixRegistry;
+
+  home-manager.users.ar = {
+    home.username = "ar";
+    home.homeDirectory = "/home/ar";
+    home.stateVersion = config.system.stateVersion;
+  };
+  home-manager.useGlobalPkgs = true;
+  home-manager.useUserPackages = true;
 
-{
   boot = {
     extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
     extraModprobeConfig = ''
@@ -23,8 +51,14 @@
     pulse.enable = true;
   };
 
+  home-manager.users.ar.services.easyeffects.enable = true;
+
   networking.networkmanager.enable = true;
   networking.networkmanager.wifi.backend = "wpa_supplicant";
+  systemd.network.wait-online.enable = false;
+  systemd.services.NetworkManager-wait-online.serviceConfig.ExecStart =
+    lib.mkForce [ "" "${pkgs.networkmanager}/bin/nm-online" ];
+
   hardware.glasgow.enable = true;
   hardware.nitrokey.enable = true;
   hardware.steam-hardware.enable = true;
@@ -37,27 +71,47 @@
     driSupport32Bit = true;
   };
 
+  security.wrappers.bt-unfuck = {
+    setuid = true;
+    owner = "root";
+    group = "root";
+    source = "${bt-unfuck}/bin/bt-unfuck";
+  };
+
+  services.desktopManager.plasma6.enable = true;
+
   services.xserver = {
     enable = true;
-    desktopManager.plasma5 = {
-      enable = true;
-      runUsingSystemd = true;
-    };
-    displayManager = {
-      sddm = {
-        enable = true;
-        # sadly, not working correctly on khas?
-        # wayland.enable = true;
-        settings.Wayland.SessionDir =
-          "/run/current-system/sw/share/wayland-sessions";
-        settings.X11.SessionDir = lib.mkForce "";
-      };
-      defaultSession = "plasmawayland";
-    };
+    xkb.layout = "pl";
+    xkb.options = "ctrl:nocaps";
+  };
 
-    layout = "pl";
-    xkbOptions = "ctrl:nocaps";
-    libinput.enable = true;
+  services.libinput.enable = true;
+  services.displayManager = {
+    sddm = {
+      enable = lib.mkDefault true;
+      wayland.enable = true;
+      settings.Wayland.SessionDir =
+        "/run/current-system/sw/share/wayland-sessions";
+      settings.X11.SessionDir = lib.mkForce "";
+    };
+    defaultSession = "plasma";
+  };
+
+  boot = {
+    loader.timeout = 0;
+    consoleLogLevel = 0;
+    initrd.verbose = false;
+    initrd.systemd.enable = true;
+    plymouth.enable = true;
+    plymouth.theme = "breeze";
+    kernelParams = [
+      "quiet"
+      "splash"
+      "rd.systemd.show_status=false"
+      "rd.udev.log_level=3"
+      "udev.log_priority=3"
+    ];
   };
 
   fonts = {
@@ -79,7 +133,7 @@
   };
 
   i18n.inputMethod = {
-    enabled = "ibus";
+    enabled = lib.mkDefault "ibus";
     ibus.engines = with pkgs.ibus-engines; [ uniemoji ];
   };
 
@@ -90,7 +144,7 @@
 
   services.avahi = {
     enable = true;
-    nssmdns = true;
+    nssmdns4 = true;
   };
 
   services.flatpak.enable = true;
@@ -99,6 +153,7 @@
     gnupg.agent = {
       enable = true;
       enableSSHSupport = true;
+      pinentryPackage = pkgs.pinentry-qt;
     };
     adb.enable = true;
     fuse.userAllowOther = true;
@@ -107,19 +162,26 @@
     kdeconnect.enable = true;
     sway.enable = true;
     hyprland.enable = true;
-  };
-
-  nixpkgs.config = {
     firefox = {
-      enablePlasmaBrowserIntegration = true;
-      enableBrowserpass = true;
+      enable = true;
+      #nativeMessagingHosts.packages = with pkgs; [
+      #  browserpass
+      #  plasma-browser-integration
+      #];
     };
-    joypixels.acceptLicense = true;
   };
 
-  environment.systemPackages = with pkgs; [
+  nixpkgs.config = { joypixels.acceptLicense = true; };
+
+  environment.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; };
+
+  environment.systemPackages = [
+    inputs.agenix.packages.${pkgs.system}.default
+    inputs.nixpkgs.legacyPackages.${pkgs.system}.colmena
+  ] ++ (with pkgs; [
+    krfb # for kdeconnect virtual display
     chromium
-    electrum
+    # electrum
     ffmpeg-full
     firefox
     imagemagick
@@ -127,14 +189,10 @@
     kate
     keybase-gui
     kolourpaint
-    nixfmt
+    nixfmt-classic
     okular
     paprefs
     pavucontrol
-    (signal-desktop.overrideAttrs (old: {
-      preFixup = (old.preFixup or "")
-        + "  gappsWrapperArgs+=(\n    --add-flags --use-tray-icon\n  )\n";
-    }))
     solvespace
     spotify
     youtube-dl
@@ -154,6 +212,7 @@
     element-desktop
     oneko
     cinny-desktop
+    neochat
     vagrant
     vokoscreen-ng
     appimage-run
@@ -161,13 +220,28 @@
     scrcpy
     krita
     vlc
-    # mastodon-update-script
     libreoffice-qt
-    tokodon
+    kdePackages.tokodon
 
     glasgow
     freecad
 
+    easyeffects
+
+    nixd
+    clang-tools
+    python3Packages.python-lsp-server
+    yaml-language-server
+
+    (signal-desktop.overrideAttrs (old: {
+      preFixup = ''
+        gappsWrapperArgs+=(
+          --add-flags "--enable-features=UseOzonePlatform"
+          --add-flags "--ozone-platform=wayland"
+        )
+      '' + old.preFixup;
+    }))
+
     (vscode-with-extensions.override {
       vscodeExtensions = with vscode-extensions; [
         bbenoist.nix
@@ -191,5 +265,20 @@
     })
 
     prusa-slicer
-  ];
+    # TODO: investigate later
+    # orca-slicer
+    # super-slicer-beta
+
+    deploy-rs
+    go
+    pry
+    sshfs
+    dig
+    whois
+    cfssl
+    gomuks
+    bind
+    nmap
+    waypipe
+  ]);
 }

modules/laptop.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+_:
 
 {
   services.power-profiles-daemon.enable = true;

modules/monitoring.nix

@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.nibylandia.monitoring-server;
+  grafana = config.services.grafana.settings.server;
+  filterValidPrometheus =
+    filterAttrsListRecursive (n: v: !(n == "_module" || v == null));
+  filterAttrsListRecursive = pred: x:
+    if lib.isAttrs x then
+      lib.listToAttrs (lib.concatMap (name:
+        let v = x.${name};
+        in if pred name v then
+          [ (lib.nameValuePair name (filterAttrsListRecursive pred v)) ]
+        else
+          [ ]) (lib.attrNames x))
+    else if lib.isList x then
+      map (filterAttrsListRecursive pred) x
+    else
+      x;
+  writePrettyJSON = name: x:
+    pkgs.runCommandLocal name { } ''
+      echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out
+    '';
+  vmConfig = {
+    scrape_configs =
+      filterValidPrometheus config.services.prometheus.scrapeConfigs;
+  };
+  generatedPrometheusYml = writePrettyJSON "prometheus.yml" vmConfig;
+  getEnabled = x:
+    lib.concatMap (name:
+      let v = x.${name};
+      in if builtins.typeOf v == "set" && v.enable then [ v ] else [ ])
+    (lib.attrNames x);
+  # TODO: add some magic to configure endpoints for all the other exporters
+  localExporterEndpoints =
+    map (x: x.listenAddress + ":" + builtins.toString x.port)
+    (getEnabled config.services.prometheus.exporters);
+in {
+  options = {
+    nibylandia.monitoring-server = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+        description = "External domain for monitoring services";
+      };
+    };
+  };
+
+  config = {
+    services.victoriametrics = {
+      enable = true;
+      retentionPeriod = 12;
+      listenAddress = "127.0.0.1:8428";
+      extraOptions = [
+        "-selfScrapeInterval=10s"
+        "-promscrape.config=${generatedPrometheusYml}"
+      ];
+    };
+
+    services.grafana.enable = true;
+
+    services.grafana.settings = {
+      server = {
+        http_addr = "127.0.0.1";
+        inherit (cfg) domain;
+      };
+      database = {
+        user = "grafana";
+        type = "postgres";
+        host = "/run/postgresql";
+      };
+    };
+
+    services.postgresql.ensureDatabases = [ "grafana" ];
+    services.postgresql.ensureUsers = [{
+      name = "grafana";
+      ensureDBOwnership = true;
+    }];
+
+    services.prometheus.exporters = {
+      node = {
+        enable = true;
+        listenAddress = "127.0.0.1";
+        enabledCollectors = [ "systemd" ];
+      };
+    };
+
+    services.prometheus.scrapeConfigs = [{
+      job_name = "local_exporters";
+      scrape_interval = "10s";
+      static_configs = [{ targets = localExporterEndpoints; }];
+    }];
+    services.nginx.virtualHosts.${cfg.domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass =
+          "http://${grafana.http_addr}:${builtins.toString grafana.http_port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

modules/secureboot.nix

@@ -0,0 +1,17 @@
+{ config, lib, inputs, ... }:
+
+{
+  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+  age.secrets = {
+    secureboot-cert.file = ../secrets/secureboot-cert.age;
+    secureboot-key.file = ../secrets/secureboot-key.age;
+  };
+
+  boot.lanzaboote = {
+    enable = true;
+    publicKeyFile = config.age.secrets.secureboot-cert.path;
+    privateKeyFile = config.age.secrets.secureboot-key.path;
+  };
+
+  boot.uefi.enable = lib.mkForce false;
+}

nixos/akamanto/default.nix

@@ -0,0 +1,587 @@
+{ config, pkgs, lib, inputs, ... }:
+
+let
+  ci-secrets = import ../../ci-secrets.nix;
+  klipperScreenConfig = builtins.toFile "KlipperConfig.conf" ''
+    [printer Kodak]
+    moonraker_host: localhost
+    moonraker_port: 7125
+  '';
+  cageScript = pkgs.writeScriptBin "klipperCageScript" ''
+    #!${pkgs.runtimeShell}
+    ${pkgs.wlr-randr}/bin/wlr-randr --output Unknown-1 --transform 180
+    sounds=( /home/ar/startup-sounds/* )
+    ${pkgs.mpv}/bin/mpv ''${sounds[ $RANDOM % ''${#sounds[@]}]} &
+    ${pkgs.klipperscreen}/bin/KlipperScreen --configfile ${klipperScreenConfig}
+  '';
+  klipperHostMcu = "${
+      pkgs.klipper-firmware.override {
+        firmwareConfig = ./klipper-rpi.cfg;
+        klipper = klipperOld;
+      }
+    }/klipper.elf";
+  klipperOld = pkgs.klipper.overrideAttrs (old: {
+    version = "unstable-dc6182f3";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "KevinOConnor";
+      repo = "klipper";
+      rev =
+        "dc6182f3b339b990c8a68940f02a210e332be269"; # 266e96621c0133e1192bbaec5addb6bcf443a203 broke shit in weird ways
+      sha256 = "sha256-0uoq5bvL/4L9oa/JY54qHMRw5vE7V//HxLFMOEqGUjA=";
+    };
+  });
+in {
+  # https://en.wikipedia.org/wiki/Aka_Manto
+  networking.hostName = "akamanto";
+  deployment.buildOnTarget = lib.mkForce false;
+  deployment.tags = [ "reachable-hs" ];
+
+  imports = [ "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image.nix" ]
+    ++ (with inputs.self.nixosModules; [ common ]);
+
+  nixpkgs.overlays = [ inputs.self.overlays.rpi5 ];
+
+  sdImage = {
+    compressImage = false;
+    firmwareSize = 1024;
+    imageName =
+      "${config.sdImage.imageBaseName}-${pkgs.stdenv.hostPlatform.system}-${config.networking.hostName}.img";
+    populateFirmwareCommands = ''
+      storePath() {
+        local path="$1"
+        echo ''${path/\/nix\/store\/}
+      }
+
+      cp -v ${pkgs.rpi5-uefi}/* firmware
+      cp -v ${pkgs.rpi5-dtb}/* firmware
+
+      mkdir -p firmware/kernels
+      touch firmware/nixos-sd-system-image
+
+      kernelFile=$(storePath ${config.boot.kernelPackages.kernel})-${config.system.boot.loader.kernelFile}
+      initrdFile=$(storePath ${config.system.build.initialRamdisk})-${config.system.boot.loader.initrdFile}
+
+      cp ${
+        config.boot.kernelPackages.kernel + "/"
+        + config.system.boot.loader.kernelFile
+      } \
+        firmware/kernels/$kernelFile
+
+      cp ${
+        config.system.build.initialRamdisk + "/"
+        + config.system.boot.loader.initrdFile
+      } \
+        firmware/kernels/$initrdFile
+
+      mkdir -p firmware/EFI/boot
+
+      # making our own efi program; grub-install tries to probe for things
+      MODULES=( fat part_gpt part_msdos normal boot linux configfile efifwsetup
+        ls search search_label search_fs_uuid search_fs_file echo serial test
+        loadenv ext2 reboot help cat )
+      ${pkgs.grub2_efi}/bin/grub-mkimage --directory=${pkgs.grub2_efi}/lib/grub/arm64-efi \
+        -o firmware/EFI/boot/bootaa64.efi \
+        -p /EFI/boot -O arm64-efi ''${MODULES[@]}
+
+      cat <<EOF > firmware/EFI/boot/grub.cfg
+      search --set=drive1 --file /nixos-sd-system-image
+
+      set timeout=10
+      set default="0"
+
+      menuentry '${config.system.nixos.distroName} ${config.system.nixos.label}' {
+        linux (\$drive1)/kernels/$kernelFile init=${config.system.build.toplevel}/init ${
+          toString config.boot.kernelParams
+        }
+        initrd (\$drive1)/kernels/$initrdFile
+      }
+      EOF
+    '';
+    populateRootCommands = ''
+      mkdir -p ./files/boot
+    '';
+  };
+
+  hardware.enableRedistributableFirmware = lib.mkForce false;
+  hardware.firmware = with pkgs; [ raspberrypiWirelessFirmware wireless-regdb ];
+
+  boot = {
+    kernelPackages = lib.mkForce pkgs.linuxPackages_rpi5;
+    supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];
+    kernelParams = [
+      "fbcon=rotate:2"
+      "8250.nr_uarts=11"
+      "console=ttyAMA10,115200"
+      "console=tty0"
+    ];
+    initrd.availableKernelModules = lib.mkForce [
+      "usbhid"
+      "usb_storage"
+      "vc4"
+      "pcie_brcmstb" # required for the pcie bus to work
+      "reset-raspberrypi" # required for vl805 firmware to load
+    ];
+    loader.grub = {
+      enable = true;
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+    };
+  };
+
+  fileSystems = lib.mkForce {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      options = [ "x-initrd.mount" ];
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-label/FIRMWARE";
+      fsType = "vfat";
+    };
+  };
+
+  environment.etc."wifi-secrets".text = ci-secrets.wifi;
+
+  microvm.host.enable = false;
+
+  systemd.network.enable = lib.mkForce false;
+  networking = {
+    useDHCP = true;
+    wireless = {
+      enable = true;
+      environmentFile = "/etc/wifi-secrets";
+      networks."hackerspace.pl-guests".psk = "@HSWAW_WIFI@";
+      networks."hackerspace.pl-guests-5G".psk = "@HSWAW_WIFI@";
+    };
+  };
+  networking.firewall.enable = false;
+
+  services.avahi = {
+    enable = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = true;
+      userServices = true;
+    };
+  };
+
+  users.users.root.hashedPassword =
+    "$y$j9T$.1ogQkT5J95hEFkgp9esc0$rneVdOpPwPDsgAckJsXJmzgVEENPkFWHWKgca2mVz6D";
+  users.mutableUsers = false;
+  users.users.ar = {
+    extraGroups = [ "video" "dialout" "plugdev" "pipewire" ];
+  };
+
+  documentation = {
+    enable = lib.mkForce false;
+  } // builtins.listToAttrs (map (x: {
+    name = x;
+    value = { enable = lib.mkForce false; };
+  }) [ "man" "info" "nixos" "doc" "dev" ]);
+
+  services.openssh.settings.PasswordAuthentication = lib.mkForce true;
+  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+
+  hardware.opengl.enable = true;
+
+  # strictly for shits and giggles
+  sound.enable = true;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    systemWide = true;
+    alsa.enable = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+  hardware.bluetooth = {
+    enable = true;
+    package = pkgs.bluez;
+  };
+  services.udisks2 = { enable = true; };
+
+  # diet
+  boot.binfmt.emulatedSystems = lib.mkForce [ ];
+  environment.systemPackages = [
+    # avoid warnings
+    (pkgs.glibcLocales.override {
+      allLocales = false;
+      locales = [ "en_US.UTF-8/UTF-8" "en_CA.UTF-8/UTF-8" "en_DK.UTF-8/UTF-8" ];
+    })
+
+    # strictly unnecessary
+    (pkgs.v4l-utils.override { withGUI = false; })
+  ] ++ (with pkgs;
+  # lib.mkForce
+    [
+      # strictly required
+      coreutils
+      nix
+      systemd
+
+      # shell's required and not automatically pulled in
+      zsh
+      bashInteractive
+
+      # avoid warnings
+      gnugrep
+
+      # nice-to-haves
+      procps
+      openssh
+      findutils
+      iproute2
+      util-linux
+      usbutils
+      neovim
+      tmux
+      uhubctl
+      libraspberrypi
+      raspberrypi-eeprom
+
+      # strictly unnecessary
+      mpv
+      alsa-utils
+      bluez
+      pipewire
+    ]);
+  programs.nix-index.enable = lib.mkForce false;
+  services.journald.extraConfig = ''
+    Storage=volatile
+  '';
+  systemd.coredump.enable = false;
+  services.lvm.enable = lib.mkForce false;
+  # strictly printer stuff below
+
+  systemd.services.klipper-mcu-rpi = {
+    description = "Klipper 3D host mcu";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "klipper.service" ];
+    serviceConfig = {
+      DynamicUser = true;
+      User = "klipper";
+      RuntimeDirectory = "klipper-mcu";
+      StateDirectory = "klipper";
+      SupplementaryGroups = [ "dialout" "pipewire" ];
+      OOMScoreAdjust = "-999";
+      CPUSchedulingPolicy = "rr";
+      CPUSchedulingPriority = 99;
+      IOSchedulingClass = "realtime";
+      IOSchedulingPriority = 0;
+      ExecStart = "${klipperHostMcu} -I /run/klipper-mcu/mcu-rpi";
+      ReadWritePaths = "/dev/gpiochip0";
+    };
+  };
+  systemd.services.klipper.serviceConfig = {
+    SupplementaryGroups = [ "dialout" "pipewire" ];
+    ReadWritePaths = "/var/lib/moonraker/config";
+  };
+  ## uncomment if you need manual config changes
+  #systemd.services.klipper.serviceConfig = {
+  #  ExecStart = lib.mkForce [
+  #    ""
+  #    "${pkgs.klipper}/bin/klippy --input-tty=/run/klipper/tty --api-server=/run/klipper/api /var/lib/moonraker/config/klipper.cfg"
+  #  ];
+  #  ReadWritePaths = "/var/lib/moonraker/config/";
+  #};
+  services.klipper = {
+    enable = true;
+    mutableConfig = true;
+    mutableConfigFolder = "/var/lib/moonraker/config";
+    firmwares = {
+      mcu = {
+        enableKlipperFlash = false;
+        enable = true;
+        configFile = ./klipper-octopus.cfg;
+        serial =
+          "/dev/serial/by-id/usb-Klipper_stm32f429xx_400048000251313133383438-if00";
+        package = pkgs.klipper-firmware.override {
+          gcc-arm-embedded = pkgs.gcc-arm-embedded-11;
+          klipper = klipperOld;
+        };
+      };
+    };
+    # imported using:
+    # sed -r -e 's/^([^:]*):/\1=/' -e 's/=(.{1,})$/="\1"/' -e '/^\[.*[ ]/s/\[(.*)\]/["\1"]/' klipper-printer.cfg > klipper-printer.toml
+    # + some small fixes
+    # + nix repl :p fromTOML (builtins.readFile ( ./. + "/klipper-printer.toml"))
+    settings = {
+      printer = {
+        kinematics = "corexy";
+        max_accel = "2000";
+        max_velocity = "300";
+        max_z_accel = "100";
+        max_z_velocity = "5";
+      };
+      mcu = {
+        serial =
+          "/dev/serial/by-id/usb-Klipper_stm32f429xx_400048000251313133383438-if00";
+      };
+      "mcu rpi" = { serial = "/run/klipper-mcu/mcu-rpi"; };
+      virtual_sdcard = { path = "/var/lib/moonraker/gcodes"; };
+
+      pause_resume = { };
+      display_status = { };
+      exclude_object = { };
+      force_move = { enable_force_move = "true"; };
+
+      idle_timeout = {
+        timeout = 1800;
+        gcode = [ "TURN_OFF_HEATERS" ];
+      };
+
+      save_variables = {
+        filename = "/var/lib/moonraker/config/variables.cfg";
+      };
+
+      bed_mesh = {
+        horizontal_move_z = "5";
+        mesh_max = "210, 200";
+        mesh_min = "5, 5";
+        probe_count = "5, 5";
+        speed = "120";
+      };
+
+      "bed_mesh default" = {
+        version = 1;
+        x_count = 5;
+        y_count = 5;
+        mesh_x_pps = 2;
+        mesh_y_pps = 2;
+        algo = "lagrange";
+        tension = 0.2;
+        min_x = 5.0;
+        max_x = 210.0;
+        min_y = 5.0;
+        max_y = 200.0;
+        # klippy is, apparently, very specific about bed mesh formatting
+        points = "\n" + lib.concatStringsSep "\n" (map (s: "  " + s)
+          (map (l: lib.concatStringsSep ", " l) [
+            [ "-0.747500" "-0.752500" "-0.776250" "-0.851250" "-0.990625" ]
+            [ "-0.590000" "-0.582500" "-0.588750" "-0.688750" "-0.839375" ]
+            [ "-0.376875" "-0.362500" "-0.388750" "-0.464375" "-0.623750" ]
+            [ "-0.184375" "-0.220000" "-0.208750" "-0.221250" "-0.361875" ]
+            [ "0.128125" "0.078750" "0.065000" "0.038750" "-0.075625" ]
+          ]));
+      };
+
+      probe = {
+        pin = "P1.25";
+        z_offset = "-0.300";
+      };
+      safe_z_home = { home_xy_position = "110, 110"; };
+
+      "temperature_sensor ambient" = {
+        sensor_pin = "P0.26";
+        sensor_type = "ATC Semitec 104GT-2";
+      };
+
+      "temperature_sensor rpi" = { sensor_type = "temperature_host"; };
+
+      fan = { pin = "P2.4"; };
+      "fan_generic exhaust" = { pin = "P2.6"; };
+
+      firmware_retraction = {
+        retract_length = "5.5";
+        retract_speed = "45";
+      };
+
+      heater_bed = {
+        control = "watermark";
+        heater_pin = "P2.5";
+        max_temp = "130";
+        min_temp = "0";
+        sensor_pin = "P0.25";
+        sensor_type = "Honeywell 100K 135-104LAG-J01";
+      };
+
+      extruder = {
+        control = "pid";
+        dir_pin = "!P0.5";
+        enable_pin = "!P0.4";
+        filament_diameter = "1.750";
+        heater_pin = "P2.7";
+        max_temp = "295";
+        microsteps = "32";
+        min_temp = "0";
+        nozzle_diameter = "0.400";
+        max_extrude_cross_section = "2.56";
+        pid_Kd = "160";
+        pid_Ki = "2.318";
+        pid_Kp = "38.5";
+        rotation_distance = "8.07";
+        sensor_pin = "P0.23";
+        sensor_type = "ATC Semitec 104GT-2";
+        step_pin = "P2.0";
+      };
+      extruder1 = {
+        control = "pid";
+        dir_pin = "P0.11";
+        enable_pin = "!P0.10";
+        filament_diameter = "1.750";
+        heater_pin = "P1.23";
+        max_temp = "265";
+        microsteps = "32";
+        min_temp = "0";
+        nozzle_diameter = "0.400";
+        max_extrude_cross_section = "2.56";
+        pid_Kd = "160";
+        pid_Ki = "2.318";
+        pid_Kp = "38.5";
+        rotation_distance = "8.07";
+        sensor_pin = "P0.24";
+        sensor_type = "ATC Semitec 104GT-2";
+        step_pin = "P2.1";
+      };
+
+      stepper_x = {
+        dir_pin = "!P0.22";
+        enable_pin = "!P0.21";
+        endstop_pin = "^P1.24";
+        homing_positive_dir = "true";
+        homing_speed = "80";
+        microsteps = "32";
+        position_endstop = "220";
+        position_max = "220";
+        position_min = "-15";
+        rotation_distance = "40";
+        step_pin = "P2.3";
+      };
+      stepper_y = {
+        dir_pin = "!P0.20";
+        enable_pin = "!P0.19";
+        endstop_pin = "^P1.26";
+        homing_positive_dir = "true";
+        homing_speed = "80";
+        microsteps = "32";
+        position_endstop = "215";
+        position_max = "215";
+        rotation_distance = "40";
+        step_pin = "P2.2";
+      };
+      stepper_z = {
+        dir_pin = "P2.13";
+        enable_pin = "!P4.29";
+        endstop_pin = "^P1.29";
+        homing_positive_dir = "true";
+        homing_speed = "50";
+        microsteps = "32";
+        position_endstop = "235";
+        position_max = "240";
+        position_min = "-5";
+        rotation_distance = "4";
+        step_pin = "P2.8";
+      };
+
+      "led caselight" = {
+        red_pin = "rpi:gpio17";
+        green_pin = "rpi:gpio27";
+        blue_pin = "rpi:gpio22";
+        hardware_pwm = false;
+        cycle_time = "0.005";
+
+        initial_RED = "1.0";
+        initial_GREEN = "0.0";
+        initial_BLUE = "0.455";
+      };
+
+      "gcode_macro CANCEL_PRINT" = {
+        description = "Cancel the actual running print";
+        gcode = [ "TURN_OFF_HEATERS" "CANCEL_PRINT_BASE" ];
+        rename_existing = "CANCEL_PRINT_BASE";
+      };
+      "delayed_gcode bed_mesh_init" = {
+        gcode = [ "BED_MESH_PROFILE LOAD=default" ];
+        initial_duration = ".01";
+      };
+      "delayed_gcode t0_offset" = {
+        gcode = [ "SET_GCODE_OFFSET X=0 Y=0 Z=-0.0" ];
+        initial_duration = ".02";
+      };
+    } // lib.mapAttrs' (name: value:
+      lib.nameValuePair
+      ("gcode_macro " + (builtins.replaceStrings [ ".gcode" ] [ "" ] name)) {
+        gcode = lib.remove "" (lib.splitString "\n"
+          (builtins.readFile (./klipper-macros/. + "/${name}")));
+      }) (lib.attrsets.filterAttrs (n: v: n != ".gitkeep")
+        (builtins.readDir ./klipper-macros/.));
+  };
+
+  services.moonraker = {
+    user = "root";
+    enable = true;
+    address = "0.0.0.0";
+    allowSystemControl = true;
+    settings = {
+      octoprint_compat = { };
+      history = { };
+      authorization = {
+        force_logins = false;
+        cors_domains = [ "*.local" "*.waw.hackerspace.pl" ];
+        trusted_clients = [
+          "127.0.0.1/32"
+          "10.8.0.0/23"
+          "100.64.0.0/10"
+          "2a0d:eb00:4242:0000:0000:0000:0000:0000/64"
+        ];
+      };
+      # causes issues for some reason
+      # zeroconf = { mdns_hostname = "barbie-girl"; };
+      machine = { provider = "systemd_cli"; };
+      "webcam rpi" = {
+        enabled = "True";
+        service = "mjpegstreamer-adaptive";
+        stream_url = "/webcam/stream";
+        snapshot_url = "/webcam/snapshot";
+        target_fps = "30";
+        target_fps_idle = "30";
+        aspect_ratio = "4:3";
+      };
+    };
+  };
+
+  services.fluidd = {
+    enable = false;
+    nginx.locations."/webcam/".proxyPass = "http://127.0.0.1:8080/";
+  };
+
+  services.mainsail = {
+    enable = true;
+    nginx.locations."/webcam/".proxyPass = "http://127.0.0.1:8080/";
+  };
+
+  services.nginx.clientMaxBodySize = "1000m";
+  services.nginx.recommendedProxySettings = true;
+
+  systemd.services.ustreamer = {
+    wantedBy = [ "multi-user.target" ];
+    description = "uStreamer for video0";
+    serviceConfig = {
+      Type = "simple";
+      ExecStart =
+        "${pkgs.ustreamer}/bin/ustreamer --encoder=HW --persistent --rotate 180 --resolution 1296x972 --desired-fps 30";
+    };
+  };
+
+  # the proper way to do this, supposedly, would be to tie the touchscreen input to display output, eg. with:
+  # ENV{WL_OUTPUT}="HDMI-A-1"
+  # sadly, this doesn't work for us here, for some unbeknownst reason
+  services.udev.extraRules = ''
+    KERNEL=="gpiochip0", GROUP="dialout", MODE="0660"
+    SUBSYSTEM=="input", ATTRS{idVendor}=="0eef", ENV{LIBINPUT_CALIBRATION_MATRIX}="-1 0 1 0 -1 1"
+  '';
+  services.cage = {
+    enable = true;
+    user = "ar";
+    program = "${cageScript}/bin/klipperCageScript";
+    environment = {
+      GDK_BACKEND = "wayland";
+      QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    };
+    extraArguments = [ "-d" ];
+  };
+  systemd.services."cage-tty1".serviceConfig.Restart = "always";
+}

nixos/akamanto/klipper-macros/LOAD_FILAMENT.gcode

@@ -0,0 +1,13 @@
+M83                   ; Put the extruder into relative mode
+G92 E0.0              ; Reset the extruder so that it thinks it is at position zero
+; 60cm total, really
+; faster
+{% for n in range(10) %}
+  G1 E50 F700
+{% endfor %}
+; slower
+{% for n in range(2) %}
+  G1 E50 F350
+{% endfor %}
+G92 E0.0
+M82                   ; Put the extruder back into absolute mode.

nixos/akamanto/klipper-macros/PRIME_LINE.gcode

@@ -0,0 +1,15 @@
+G92 E0
+{% if (printer.toolhead.extruder) == "extruder" %}
+  {% set prime_x = 3 %}
+{% else %}
+  {% set prime_x = 4 %}
+{% endif %}
+M117 priming first line
+G1 X{ prime_x } Y3 Z0.3 F5000.0
+G1 E3 F3000
+G1 X{ prime_x } Y143.0 Z0.3 F3000.0 E20
+M117 priming second line
+G1 X{ prime_x + 2 } Y143.0 Z0.3 F5000.0
+G1 X{ prime_x + 2 } Y3 Z0.3 F3000 E40
+G92 E0
+G1 Z2.0 F3000

nixos/akamanto/klipper-macros/SWAP_EXTRUDER.gcode

@@ -0,0 +1,5 @@
+{% if (printer.toolhead.extruder) == "extruder" %}
+  T1
+{% else %}
+  T0
+{% endif %}

nixos/akamanto/klipper-macros/T0.gcode

@@ -0,0 +1,12 @@
+SET_GCODE_OFFSET X=0 Y=0 Z=0
+SAVE_GCODE_STATE
+{% if printer.toolhead.position.z + 6 < printer.toolhead.axis_minimum.z %}
+G91
+G1 Z5
+G90
+{% endif %}
+G1 X220 F10000
+RESTORE_GCODE_STATE MOVE=1 MOVE_SPEED=100
+SET_GCODE_OFFSET X=0 Y=0 Z=0
+ACTIVATE_EXTRUDER EXTRUDER=extruder
+M117 T0 active

nixos/akamanto/klipper-macros/T1.gcode

@@ -0,0 +1,12 @@
+SET_GCODE_OFFSET X=27.45 Y=-0.15 Z=1.6
+SAVE_GCODE_STATE
+{% if printer.toolhead.position.z + 6 < printer.toolhead.axis_minimum.z %}
+G91
+G1 Z5
+G90
+{% endif %}
+G1 X-37.45 F10000
+RESTORE_GCODE_STATE MOVE=1 MOVE_SPEED=100
+SET_GCODE_OFFSET X=27.45 Y=-0.15 Z=1.6
+ACTIVATE_EXTRUDER EXTRUDER=extruder1
+M117 T1 active

nixos/akamanto/klipper-macros/TC_DEMO.gcode

@@ -0,0 +1,14 @@
+G90
+G1 X100 Y100 Z20 F6000
+T1
+T0
+T1
+T0
+T1
+T0
+T1
+T0
+T1
+T0
+T1
+T0

nixos/akamanto/klipper-macros/UNLOAD_FILAMENT.gcode

@@ -0,0 +1,13 @@
+M83                   ; Put the extruder into relative mode
+G92 E0.0              ; Reset the extruder so that it thinks it is at position zero
+; 60cm total, really
+; slower
+{% for n in range(2) %}
+  G1 E-50 F350
+{% endfor %}
+; faster
+{% for n in range(10) %}
+  G1 E-50 F700
+{% endfor %}
+G92 E0.0
+M82                   ; Put the extruder back into absolute mode.

nixos/akamanto/klipper-macros/ZZ_T0_PRE_CALI.gcode

@@ -0,0 +1,4 @@
+G91
+G1 Z5
+G90
+G1 X220 Y15 F10000

nixos/akamanto/klipper-macros/ZZ_T1_PRE_CALI.gcode

@@ -0,0 +1,3 @@
+G91
+G1 Z5
+G90

nixos/akamanto/klipper-octopus.cfg

@@ -0,0 +1,113 @@
+CONFIG_LOW_LEVEL_OPTIONS=y
+# CONFIG_MACH_AVR is not set
+# CONFIG_MACH_ATSAM is not set
+# CONFIG_MACH_ATSAMD is not set
+# CONFIG_MACH_LPC176X is not set
+CONFIG_MACH_STM32=y
+# CONFIG_MACH_HC32F460 is not set
+# CONFIG_MACH_RP2040 is not set
+# CONFIG_MACH_PRU is not set
+# CONFIG_MACH_AR100 is not set
+# CONFIG_MACH_LINUX is not set
+# CONFIG_MACH_SIMU is not set
+CONFIG_BOARD_DIRECTORY="stm32"
+CONFIG_MCU="stm32f429xx"
+CONFIG_CLOCK_FREQ=168000000
+CONFIG_USBSERIAL=y
+CONFIG_FLASH_SIZE=0x80000
+CONFIG_FLASH_BOOT_ADDRESS=0x8000000
+CONFIG_RAM_START=0x20000000
+CONFIG_RAM_SIZE=0x20000
+CONFIG_STACK_SIZE=512
+CONFIG_FLASH_APPLICATION_ADDRESS=0x8008000
+CONFIG_STM32_SELECT=y
+# CONFIG_MACH_STM32F103 is not set
+# CONFIG_MACH_STM32F207 is not set
+# CONFIG_MACH_STM32F401 is not set
+# CONFIG_MACH_STM32F405 is not set
+# CONFIG_MACH_STM32F407 is not set
+CONFIG_MACH_STM32F429=y
+# CONFIG_MACH_STM32F446 is not set
+# CONFIG_MACH_STM32F765 is not set
+# CONFIG_MACH_STM32F031 is not set
+# CONFIG_MACH_STM32F042 is not set
+# CONFIG_MACH_STM32F070 is not set
+# CONFIG_MACH_STM32F072 is not set
+# CONFIG_MACH_STM32G070 is not set
+# CONFIG_MACH_STM32G071 is not set
+# CONFIG_MACH_STM32G0B0 is not set
+# CONFIG_MACH_STM32G0B1 is not set
+# CONFIG_MACH_STM32G431 is not set
+# CONFIG_MACH_STM32H723 is not set
+# CONFIG_MACH_STM32H743 is not set
+# CONFIG_MACH_STM32H750 is not set
+# CONFIG_MACH_STM32L412 is not set
+# CONFIG_MACH_N32G452 is not set
+# CONFIG_MACH_N32G455 is not set
+CONFIG_MACH_STM32F4=y
+CONFIG_MACH_STM32F4x5=y
+CONFIG_HAVE_STM32_USBOTG=y
+CONFIG_HAVE_STM32_CANBUS=y
+CONFIG_HAVE_STM32_USBCANBUS=y
+CONFIG_STM32_DFU_ROM_ADDRESS=0x1fff0000
+CONFIG_STM32_FLASH_START_8000=y
+# CONFIG_STM32_FLASH_START_20200 is not set
+# CONFIG_STM32_FLASH_START_C000 is not set
+# CONFIG_STM32_FLASH_START_10000 is not set
+# CONFIG_STM32_FLASH_START_4000 is not set
+# CONFIG_STM32_FLASH_START_0000 is not set
+CONFIG_STM32_CLOCK_REF_8M=y
+# CONFIG_STM32_CLOCK_REF_12M is not set
+# CONFIG_STM32_CLOCK_REF_16M is not set
+# CONFIG_STM32_CLOCK_REF_20M is not set
+# CONFIG_STM32_CLOCK_REF_24M is not set
+# CONFIG_STM32_CLOCK_REF_25M is not set
+# CONFIG_STM32_CLOCK_REF_INTERNAL is not set
+CONFIG_CLOCK_REF_FREQ=8000000
+CONFIG_STM32F0_TRIM=16
+CONFIG_STM32_USB_PA11_PA12=y
+# CONFIG_STM32_SERIAL_USART1 is not set
+# CONFIG_STM32_SERIAL_USART1_ALT_PB7_PB6 is not set
+# CONFIG_STM32_SERIAL_USART2 is not set
+# CONFIG_STM32_SERIAL_USART2_ALT_PD6_PD5 is not set
+# CONFIG_STM32_SERIAL_USART3 is not set
+# CONFIG_STM32_SERIAL_USART3_ALT_PD9_PD8 is not set
+# CONFIG_STM32_CANBUS_PA11_PA12 is not set
+# CONFIG_STM32_CANBUS_PA11_PB9 is not set
+# CONFIG_STM32_MMENU_CANBUS_PB8_PB9 is not set
+# CONFIG_STM32_MMENU_CANBUS_PI9_PH13 is not set
+# CONFIG_STM32_MMENU_CANBUS_PB5_PB6 is not set
+# CONFIG_STM32_MMENU_CANBUS_PB12_PB13 is not set
+# CONFIG_STM32_MMENU_CANBUS_PD0_PD1 is not set
+# CONFIG_STM32_USBCANBUS_PA11_PA12 is not set
+CONFIG_USB=y
+CONFIG_USB_VENDOR_ID=0x1d50
+CONFIG_USB_DEVICE_ID=0x614e
+CONFIG_USB_SERIAL_NUMBER_CHIPID=y
+CONFIG_USB_SERIAL_NUMBER="12345"
+
+#
+# USB ids
+#
+# end of USB ids
+
+CONFIG_WANT_GPIO_BITBANGING=y
+CONFIG_WANT_DISPLAYS=y
+CONFIG_WANT_SENSORS=y
+CONFIG_WANT_LIS2DW=y
+CONFIG_WANT_SOFTWARE_I2C=y
+CONFIG_WANT_SOFTWARE_SPI=y
+CONFIG_NEED_SENSOR_BULK=y
+CONFIG_CANBUS_FREQUENCY=1000000
+CONFIG_INITIAL_PINS=""
+CONFIG_HAVE_GPIO=y
+CONFIG_HAVE_GPIO_ADC=y
+CONFIG_HAVE_GPIO_SPI=y
+CONFIG_HAVE_GPIO_SDIO=y
+CONFIG_HAVE_GPIO_I2C=y
+CONFIG_HAVE_GPIO_HARD_PWM=y
+CONFIG_HAVE_STRICT_TIMING=y
+CONFIG_HAVE_CHIPID=y
+CONFIG_HAVE_STEPPER_BOTH_EDGE=y
+CONFIG_HAVE_BOOTLOADER_REQUEST=y
+CONFIG_INLINE_STEPPER_HACK=y

nixos/akamanto/klipper-rpi.cfg

@@ -0,0 +1,31 @@
+# CONFIG_LOW_LEVEL_OPTIONS is not set
+# CONFIG_MACH_AVR is not set
+# CONFIG_MACH_ATSAM is not set
+# CONFIG_MACH_ATSAMD is not set
+# CONFIG_MACH_LPC176X is not set
+# CONFIG_MACH_STM32 is not set
+# CONFIG_MACH_HC32F460 is not set
+# CONFIG_MACH_RP2040 is not set
+# CONFIG_MACH_PRU is not set
+# CONFIG_MACH_AR100 is not set
+CONFIG_MACH_LINUX=y
+# CONFIG_MACH_SIMU is not set
+CONFIG_BOARD_DIRECTORY="linux"
+CONFIG_CLOCK_FREQ=50000000
+CONFIG_LINUX_SELECT=y
+CONFIG_USB_VENDOR_ID=0x1d50
+CONFIG_USB_DEVICE_ID=0x614e
+CONFIG_USB_SERIAL_NUMBER="12345"
+CONFIG_WANT_GPIO_BITBANGING=y
+CONFIG_WANT_DISPLAYS=y
+CONFIG_WANT_SENSORS=y
+CONFIG_WANT_LIS2DW=y
+CONFIG_WANT_SOFTWARE_I2C=y
+CONFIG_WANT_SOFTWARE_SPI=y
+CONFIG_CANBUS_FREQUENCY=1000000
+CONFIG_HAVE_GPIO=y
+CONFIG_HAVE_GPIO_ADC=y
+CONFIG_HAVE_GPIO_SPI=y
+CONFIG_HAVE_GPIO_I2C=y
+CONFIG_HAVE_GPIO_HARD_PWM=y
+CONFIG_INLINE_STEPPER_HACK=y

nixos/akamanto/klipper-smoothie.cfg

@@ -0,0 +1,51 @@
+# CONFIG_LOW_LEVEL_OPTIONS is not set
+# CONFIG_MACH_AVR is not set
+# CONFIG_MACH_ATSAM is not set
+# CONFIG_MACH_ATSAMD is not set
+CONFIG_MACH_LPC176X=y
+# CONFIG_MACH_STM32 is not set
+# CONFIG_MACH_HC32F460 is not set
+# CONFIG_MACH_RP2040 is not set
+# CONFIG_MACH_PRU is not set
+# CONFIG_MACH_AR100 is not set
+# CONFIG_MACH_LINUX is not set
+# CONFIG_MACH_SIMU is not set
+CONFIG_BOARD_DIRECTORY="lpc176x"
+CONFIG_MCU="lpc1769"
+CONFIG_CLOCK_FREQ=120000000
+CONFIG_USBSERIAL=y
+CONFIG_FLASH_SIZE=0x80000
+CONFIG_FLASH_BOOT_ADDRESS=0x0
+CONFIG_RAM_START=0x10000000
+CONFIG_RAM_SIZE=0x7fe0
+CONFIG_STACK_SIZE=512
+CONFIG_FLASH_APPLICATION_ADDRESS=0x4000
+CONFIG_LPC_SELECT=y
+# CONFIG_MACH_LPC1768 is not set
+CONFIG_MACH_LPC1769=y
+CONFIG_LPC_FLASH_START_4000=y
+# CONFIG_LPC_FLASH_START_0000 is not set
+CONFIG_LPC_USB=y
+# CONFIG_LPC_SERIAL_UART0_P03_P02 is not set
+CONFIG_USB=y
+CONFIG_USB_VENDOR_ID=0x1d50
+CONFIG_USB_DEVICE_ID=0x614e
+CONFIG_USB_SERIAL_NUMBER_CHIPID=y
+CONFIG_USB_SERIAL_NUMBER="12345"
+CONFIG_WANT_GPIO_BITBANGING=y
+CONFIG_WANT_DISPLAYS=y
+CONFIG_WANT_SENSORS=y
+CONFIG_WANT_LIS2DW=y
+CONFIG_WANT_SOFTWARE_I2C=y
+CONFIG_WANT_SOFTWARE_SPI=y
+CONFIG_CANBUS_FREQUENCY=1000000
+CONFIG_HAVE_GPIO=y
+CONFIG_HAVE_GPIO_ADC=y
+CONFIG_HAVE_GPIO_SPI=y
+CONFIG_HAVE_GPIO_I2C=y
+CONFIG_HAVE_GPIO_HARD_PWM=y
+CONFIG_HAVE_STRICT_TIMING=y
+CONFIG_HAVE_CHIPID=y
+CONFIG_HAVE_STEPPER_BOTH_EDGE=y
+CONFIG_HAVE_BOOTLOADER_REQUEST=y
+CONFIG_INLINE_STEPPER_HACK=y

nixos/akamanto/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKb4i+BmIb2wiT4y5uWsCOmSo1dRp6Ql36toUsRHN6pC",
+  "system": "aarch64-linux"
+}

nixos/akamanto/moonraker-remove-config-path-warning.patch

@@ -0,0 +1,14 @@
+diff --git a/moonraker/components/file_manager/file_manager.py b/moonraker/components/file_manager/file_manager.py
+index 731547d..bc5c14b 100644
+--- a/moonraker/components/file_manager/file_manager.py
++++ b/moonraker/components/file_manager/file_manager.py
+@@ -202,7 +202,8 @@ class FileManager:
+             par_path = pathlib.Path(cfg_parent)
+             if (
+                 par_path in cfg_path.parents or
+-                par_path.resolve() in cfg_path.resolve().parents
++                par_path.resolve() in cfg_path.resolve().parents or
++                cfg_path.samefile("/etc/klipper.cfg")
+             ):
+                 self.server.remove_warning("klipper_config")
+             else:

nixos/amanojaku/default.nix

@@ -0,0 +1,53 @@
+{ config, pkgs, lib, inputs, ... }:
+
+{
+  networking.hostName = "amanojaku";
+  deployment.tags = [ "reachable-home" ];
+
+  imports = with inputs.self.nixosModules; [
+    graphical
+    laptop
+
+    inputs.jovian-nixos.nixosModules.default
+  ];
+
+  boot.uefi.enable = true;
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_jovian;
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/3ccaa83b-c3a3-478e-aa79-5310cf344c93";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/9C71-46C1";
+    fsType = "vfat";
+  };
+
+  services.displayManager.sddm.enable = lib.mkForce false;
+
+  hardware.pulseaudio.enable = lib.mkForce false;
+  jovian.devices.steamdeck.enable = true;
+
+  environment.systemPackages = with pkgs; [ maliit-keyboard maliit-framework ];
+  i18n.inputMethod.enabled = lib.mkForce "fcitx5";
+  i18n.inputMethod.fcitx5 = {
+    addons = with pkgs; [
+      fcitx5-chinese-addons
+      fcitx5-gtk
+      libsForQt5.fcitx5-qt
+    ];
+  };
+
+  jovian.steam = {
+    enable = true;
+    autoStart = true;
+    desktopSession = "plasma";
+    user = "ar";
+  };
+
+  jovian.decky-loader.user = "ar";
+
+  age.secrets.ar-password.file = ../../secrets/amanojaku-ar.age;
+  users.users.ar.hashedPasswordFile = config.age.secrets.ar-password.path;
+}

nixos/amanojaku/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4rFVYs5t4uBpZK9kmDQkr9ONLDE41jOCP/tMmM+SMb",
+  "system": "x86_64-linux"
+}

nixos/kamaitachi/default.nix

@@ -0,0 +1,431 @@
+{ config, pkgs, lib, inputs, ... }:
+
+let
+  ci-secrets = import ../../ci-secrets.nix;
+  klipperScreenConfig = builtins.toFile "KlipperConfig.conf" ''
+    [printer Kodak]
+    moonraker_host: localhost
+    moonraker_port: 7125
+  '';
+  cageScript = pkgs.writeScriptBin "klipperCageScript" ''
+    #!${pkgs.runtimeShell}
+    ${pkgs.wlr-randr}/bin/wlr-randr --output HDMI-A-1 --transform 180
+    sounds=( /home/ar/startup-sounds/* )
+    ${pkgs.mpv}/bin/mpv ''${sounds[ $RANDOM % ''${#sounds[@]}]} &
+    ${pkgs.klipperscreen}/bin/KlipperScreen --configfile ${klipperScreenConfig}
+  '';
+  klipperHostMcu = "${
+      pkgs.klipper-firmware.override {
+        firmwareConfig = ./klipper-rpi.cfg;
+        klipper = klipperOld;
+      }
+    }/klipper.elf";
+  klipperOld = pkgs.klipper.overrideAttrs (old: {
+    version = "unstable-dc6182f3";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "KevinOConnor";
+      repo = "klipper";
+      rev =
+        "dc6182f3b339b990c8a68940f02a210e332be269"; # 266e96621c0133e1192bbaec5addb6bcf443a203 broke shit in weird ways
+      sha256 = "sha256-0uoq5bvL/4L9oa/JY54qHMRw5vE7V//HxLFMOEqGUjA=";
+    };
+  });
+in {
+  # https://en.wikipedia.org/wiki/Kamaitachi
+  networking.hostName = "kamaitachi";
+  deployment.buildOnTarget = lib.mkForce false;
+  deployment.tags = [ "reachable-home" ];
+
+  imports = with inputs.self.nixosModules; [
+    "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image.nix"
+    common
+  ];
+
+  # don't want to pull in all of installer stuff, so we need to copy some things from sd-image-aarch64.nix:
+  sdImage = {
+    compressImage = false;
+    imageName =
+      "${config.sdImage.imageBaseName}-${pkgs.stdenv.hostPlatform.system}-${config.networking.hostName}.img";
+    populateFirmwareCommands = let
+      configTxt = pkgs.writeText "config.txt" ''
+        [pi3]
+        kernel=u-boot-rpi3.bin
+
+        [pi4]
+        kernel=u-boot-rpi4.bin
+        enable_gic=1
+        armstub=armstub8-gic.bin
+
+        # Otherwise the resolution will be weird in most cases, compared to
+        # what the pi3 firmware does by default.
+        disable_overscan=1
+
+        # Supported in newer board revisions
+        arm_boost=1
+
+        [all]
+        # Boot in 64-bit mode.
+        arm_64bit=1
+
+        # U-Boot needs this to work, regardless of whether UART is actually used or not.
+        # Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still
+        # a requirement in the future.
+        enable_uart=1
+
+        # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
+        # when attempting to show low-voltage or overtemperature warnings.
+        avoid_warnings=1
+      '';
+    in ''
+      (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
+
+      # Add the config
+      cp ${configTxt} firmware/config.txt
+
+      # Add pi3 specific files
+      cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin
+
+      # Add pi4 specific files
+      cp ${pkgs.ubootRaspberryPi4_64bit}/u-boot.bin firmware/u-boot-rpi4.bin
+      cp ${pkgs.raspberrypi-armstubs}/armstub8-gic.bin firmware/armstub8-gic.bin
+      cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-4-b.dtb firmware/
+      cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-400.dtb firmware/
+      cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-cm4.dtb firmware/
+      cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-cm4s.dtb firmware/
+    '';
+    populateRootCommands = ''
+      mkdir -p ./files/boot
+      ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
+    '';
+  };
+
+  hardware.enableRedistributableFirmware = lib.mkForce false;
+  hardware.firmware = with pkgs; [ raspberrypiWirelessFirmware wireless-regdb ];
+  boot = {
+    # avoid building zfs
+    supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];
+    kernelParams = [ "console=ttyS1,115200n8" "fbcon=rotate:2" ];
+    loader.grub.enable = false;
+    loader.generic-extlinux-compatible.enable = true;
+  };
+
+  environment.etc."wifi-secrets".text = ci-secrets.wifi;
+
+  microvm.host.enable = false;
+
+  systemd.network.enable = lib.mkForce false;
+  networking = {
+    useDHCP = true;
+    wireless = {
+      enable = true;
+      environmentFile = "/etc/wifi-secrets";
+      networks."hackerspace.pl-guests".psk = "@HSWAW_WIFI@";
+      networks."hackerspace.pl-guests-5G".psk = "@HSWAW_WIFI@";
+      networks."Nibylandia-5G".psk = "@NIBYLANDIA_WIFI@";
+      networks."Nibylandia".psk = "@NIBYLANDIA_WIFI@";
+    };
+  };
+  networking.firewall.enable = false;
+
+  services.avahi = {
+    enable = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = true;
+      userServices = true;
+    };
+  };
+
+  users.users.root.hashedPassword =
+    "$y$j9T$.1ogQkT5J95hEFkgp9esc0$rneVdOpPwPDsgAckJsXJmzgVEENPkFWHWKgca2mVz6D";
+  users.mutableUsers = false;
+  users.users.ar = {
+    extraGroups = [ "video" "dialout" "plugdev" "pipewire" ];
+  };
+
+  documentation = {
+    enable = lib.mkForce false;
+  } // builtins.listToAttrs (map (x: {
+    name = x;
+    value = { enable = lib.mkForce false; };
+  }) [ "man" "info" "nixos" "doc" "dev" ]);
+
+  services.openssh.settings.PasswordAuthentication = lib.mkForce true;
+  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+
+  hardware.opengl.enable = true;
+
+  # strictly for shits and giggles
+  sound.enable = true;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    systemWide = true;
+    alsa.enable = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+  hardware.bluetooth = {
+    enable = true;
+    package = pkgs.bluez;
+  };
+  services.udisks2 = { enable = true; };
+
+  # diet
+  boot.binfmt.emulatedSystems = lib.mkForce [ ];
+  environment.systemPackages = with pkgs; [
+    # strictly required
+    coreutils
+    nix
+    systemd
+
+    # shell's required and not automatically pulled in
+    zsh
+    bashInteractive
+
+    # avoid warnings
+    gnugrep
+    (glibcLocales.override {
+      allLocales = false;
+      locales = [ "en_US.UTF-8/UTF-8" "en_CA.UTF-8/UTF-8" "en_DK.UTF-8/UTF-8" ];
+    })
+
+    # nice-to-haves
+    procps
+    openssh
+    findutils
+    iproute2
+    util-linux
+    usbutils
+    neovim
+    tmux
+    uhubctl
+
+    # strictly unnecessary
+    mpv
+    alsa-utils
+    bluez
+    pipewire
+    (v4l-utils.override { withGUI = false; })
+  ];
+  programs.nix-index.enable = lib.mkForce false;
+  services.journald.extraConfig = ''
+    Storage=volatile
+  '';
+  systemd.coredump.enable = false;
+  services.lvm.enable = lib.mkForce false;
+
+  # strictly plotter stuff below
+
+  systemd.services.klipper-mcu-rpi = {
+    description = "Klipper 3D host mcu";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "klipper.service" ];
+    serviceConfig = {
+      DynamicUser = true;
+      User = "klipper";
+      RuntimeDirectory = "klipper-mcu";
+      StateDirectory = "klipper";
+      SupplementaryGroups = [ "dialout" "pipewire" ];
+      OOMScoreAdjust = "-999";
+      CPUSchedulingPolicy = "rr";
+      CPUSchedulingPriority = 99;
+      IOSchedulingClass = "realtime";
+      IOSchedulingPriority = 0;
+      ExecStart = "${klipperHostMcu} -I /run/klipper-mcu/mcu-rpi";
+      ReadWritePaths = "/dev/gpiochip0";
+    };
+  };
+  systemd.services.klipper.serviceConfig = {
+    SupplementaryGroups = [ "dialout" "pipewire" ];
+    ReadWritePaths = "/var/lib/moonraker/config";
+  };
+  services.klipper = {
+    enable = true;
+    mutableConfig = false;
+    firmwares = {
+      mcu = {
+        enableKlipperFlash = false;
+        enable = true;
+        configFile = ./klipper-skr-pico.cfg;
+        serial = "/dev/ttyAMA0";
+        package = pkgs.klipper-firmware.override {
+          gcc-arm-embedded = pkgs.gcc-arm-embedded-11;
+          klipper = klipperOld;
+        };
+      };
+    };
+    settings = {
+      printer = {
+        kinematics = "corexy";
+        max_accel = "1000";
+        max_velocity = "100";
+        max_z_accel = "30";
+        max_z_velocity = "5";
+      };
+      mcu = { serial = "/dev/ttyAMA0"; };
+      "mcu rpi" = { serial = "/run/klipper-mcu/mcu-rpi"; };
+      virtual_sdcard = { path = "/var/lib/moonraker/gcodes"; };
+
+      pause_resume = { };
+      display_status = { };
+      exclude_object = { };
+      force_move = { enable_force_move = "true"; };
+
+      save_variables = {
+        filename = "/var/lib/moonraker/config/variables.cfg";
+      };
+
+      "temperature_sensor rpi" = { sensor_type = "temperature_host"; };
+
+      "stepper_x" = {
+        step_pin = "gpio11";
+        dir_pin = "!gpio10";
+        enable_pin = "!gpio12";
+        microsteps = "16";
+        rotation_distance = "40";
+        endstop_pin = "^gpio4";
+        position_endstop = "0";
+        position_max = "235";
+        homing_speed = "50";
+      };
+      "tmc2209 stepper_x" = {
+        uart_pin = "gpio9";
+        tx_pin = "gpio8";
+        uart_address = "0";
+        run_current = "0.580";
+        stealthchop_threshold = "999999";
+      };
+      "stepper_y" = {
+        step_pin = "gpio6";
+        dir_pin = "!gpio5";
+        enable_pin = "!gpio7";
+        microsteps = "16";
+        rotation_distance = "40";
+        endstop_pin = "^gpio3";
+        position_endstop = "0";
+        position_max = "235";
+        homing_speed = "50";
+      };
+      "tmc2209 stepper_y" = {
+        uart_pin = "gpio9";
+        tx_pin = "gpio8";
+        uart_address = "2";
+        run_current = "0.580";
+        stealthchop_threshold = "999999";
+      };
+      "stepper_z" = {
+        step_pin = "gpio19";
+        dir_pin = "gpio28";
+        enable_pin = "!gpio2";
+        microsteps = "16";
+        rotation_distance = "8";
+        endstop_pin = "^gpio25";
+        position_endstop = "0.0";
+        position_max = "250";
+      };
+      "tmc2209 stepper_z" = {
+        uart_pin = "gpio9";
+        tx_pin = "gpio8";
+        uart_address = "1";
+        run_current = "0.580";
+        stealthchop_threshold = "999999";
+      };
+      "neopixel board_neopixel" = {
+        pin = "gpio24";
+        chain_count = "1";
+        color_order = "GRB";
+        initial_RED = "0.3";
+        initial_GREEN = "0.3";
+        initial_BLUE = "0.3";
+      };
+      "delayed_gcode t0_offset" = {
+        gcode = [ "SET_GCODE_OFFSET X=0 Y=0 Z=0" ];
+        initial_duration = ".02";
+      };
+    } // lib.mapAttrs' (name: value:
+      lib.nameValuePair
+      ("gcode_macro " + (builtins.replaceStrings [ ".gcode" ] [ "" ] name)) {
+        gcode = lib.remove "" (lib.splitString "\n"
+          (builtins.readFile (./klipper-macros/. + "/${name}")));
+      }) (lib.attrsets.filterAttrs (n: v: n != ".gitkeep")
+        (builtins.readDir ./klipper-macros/.));
+  };
+
+  services.moonraker = {
+    user = "root";
+    enable = true;
+    address = "0.0.0.0";
+    allowSystemControl = true;
+    settings = {
+      octoprint_compat = { };
+      history = { };
+      authorization = {
+        force_logins = false;
+        cors_domains = [
+          "*.local"
+          "*.waw.hackerspace.pl"
+          "*.nibylandia.lan"
+          "*.tail412c1.ts.net"
+        ];
+        trusted_clients = [
+          "127.0.0.1/32"
+          "10.8.0.0/23"
+          "100.64.0.0/10"
+          "2a0d:eb00:4242:0000:0000:0000:0000:0000/64"
+          "192.168.24.0/24"
+          "192.168.20.0/24"
+        ];
+      };
+      # causes issues for some reason
+      # zeroconf = { mdns_hostname = "barbie-girl"; };
+      machine = { provider = "systemd_cli"; };
+      "webcam rpi" = {
+        enabled = "True";
+        service = "mjpegstreamer-adaptive";
+        stream_url = "/webcam/stream";
+        snapshot_url = "/webcam/snapshot";
+        target_fps = "30";
+        target_fps_idle = "30";
+        aspect_ratio = "4:3";
+      };
+    };
+  };
+
+  services.fluidd = {
+    enable = false;
+    nginx.locations."/webcam/".proxyPass = "http://127.0.0.1:8080/";
+  };
+
+  services.mainsail = {
+    enable = true;
+    nginx.locations."/webcam/".proxyPass = "http://127.0.0.1:8080/";
+  };
+
+  services.nginx.clientMaxBodySize = "1000m";
+  services.nginx.recommendedProxySettings = true;
+
+  systemd.services.ustreamer = {
+    wantedBy = [ "multi-user.target" ];
+    description = "uStreamer for video0";
+    serviceConfig = {
+      Type = "simple";
+      ExecStart =
+        "${pkgs.ustreamer}/bin/ustreamer --encoder=HW --persistent --rotate 90 --slowdown --resolution 1296x972 --desired-fps 30";
+    };
+  };
+
+  services.cage = {
+    enable = true;
+    user = "ar";
+    program = "${cageScript}/bin/klipperCageScript";
+    environment = {
+      GDK_BACKEND = "wayland";
+      QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    };
+    extraArguments = [ "-d" ];
+  };
+  systemd.services."cage-tty1".serviceConfig.Restart = "always";
+}

nixos/kamaitachi/klipper-rpi.cfg

@@ -0,0 +1,31 @@
+# CONFIG_LOW_LEVEL_OPTIONS is not set
+# CONFIG_MACH_AVR is not set
+# CONFIG_MACH_ATSAM is not set
+# CONFIG_MACH_ATSAMD is not set
+# CONFIG_MACH_LPC176X is not set
+# CONFIG_MACH_STM32 is not set
+# CONFIG_MACH_HC32F460 is not set
+# CONFIG_MACH_RP2040 is not set
+# CONFIG_MACH_PRU is not set
+# CONFIG_MACH_AR100 is not set
+CONFIG_MACH_LINUX=y
+# CONFIG_MACH_SIMU is not set
+CONFIG_BOARD_DIRECTORY="linux"
+CONFIG_CLOCK_FREQ=50000000
+CONFIG_LINUX_SELECT=y
+CONFIG_USB_VENDOR_ID=0x1d50
+CONFIG_USB_DEVICE_ID=0x614e
+CONFIG_USB_SERIAL_NUMBER="12345"
+CONFIG_WANT_GPIO_BITBANGING=y
+CONFIG_WANT_DISPLAYS=y
+CONFIG_WANT_SENSORS=y
+CONFIG_WANT_LIS2DW=y
+CONFIG_WANT_SOFTWARE_I2C=y
+CONFIG_WANT_SOFTWARE_SPI=y
+CONFIG_CANBUS_FREQUENCY=1000000
+CONFIG_HAVE_GPIO=y
+CONFIG_HAVE_GPIO_ADC=y
+CONFIG_HAVE_GPIO_SPI=y
+CONFIG_HAVE_GPIO_I2C=y
+CONFIG_HAVE_GPIO_HARD_PWM=y
+CONFIG_INLINE_STEPPER_HACK=y

nixos/kamaitachi/klipper-skr-pico.cfg

@@ -0,0 +1,56 @@
+# CONFIG_LOW_LEVEL_OPTIONS is not set
+# CONFIG_MACH_AVR is not set
+# CONFIG_MACH_ATSAM is not set
+# CONFIG_MACH_ATSAMD is not set
+# CONFIG_MACH_LPC176X is not set
+# CONFIG_MACH_STM32 is not set
+# CONFIG_MACH_HC32F460 is not set
+CONFIG_MACH_RP2040=y
+# CONFIG_MACH_PRU is not set
+# CONFIG_MACH_AR100 is not set
+# CONFIG_MACH_LINUX is not set
+# CONFIG_MACH_SIMU is not set
+CONFIG_BOARD_DIRECTORY="rp2040"
+CONFIG_MCU="rp2040"
+CONFIG_CLOCK_FREQ=12000000
+CONFIG_SERIAL=y
+CONFIG_FLASH_SIZE=0x200000
+CONFIG_FLASH_BOOT_ADDRESS=0x10000100
+CONFIG_RAM_START=0x20000000
+CONFIG_RAM_SIZE=0x42000
+CONFIG_STACK_SIZE=512
+CONFIG_FLASH_APPLICATION_ADDRESS=0x10000100
+CONFIG_RP2040_SELECT=y
+CONFIG_RP2040_HAVE_STAGE2=y
+CONFIG_RP2040_FLASH_START_0100=y
+# CONFIG_RP2040_FLASH_START_4000 is not set
+CONFIG_RP2040_STAGE2_FILE="boot2_w25q080.S"
+CONFIG_RP2040_STAGE2_CLKDIV=2
+# CONFIG_RP2040_USB is not set
+CONFIG_RP2040_SERIAL_UART0=y
+# CONFIG_RP2040_CANBUS is not set
+# CONFIG_RP2040_USBCANBUS is not set
+CONFIG_RP2040_CANBUS_GPIO_RX=4
+CONFIG_RP2040_CANBUS_GPIO_TX=5
+CONFIG_SERIAL_BAUD=250000
+CONFIG_USB_VENDOR_ID=0x1d50
+CONFIG_USB_DEVICE_ID=0x614e
+CONFIG_USB_SERIAL_NUMBER="12345"
+CONFIG_WANT_GPIO_BITBANGING=y
+CONFIG_WANT_DISPLAYS=y
+CONFIG_WANT_SENSORS=y
+CONFIG_WANT_LIS2DW=y
+CONFIG_WANT_SOFTWARE_I2C=y
+CONFIG_WANT_SOFTWARE_SPI=y
+CONFIG_NEED_SENSOR_BULK=y
+CONFIG_CANBUS_FREQUENCY=1000000
+CONFIG_HAVE_GPIO=y
+CONFIG_HAVE_GPIO_ADC=y
+CONFIG_HAVE_GPIO_SPI=y
+CONFIG_HAVE_GPIO_I2C=y
+CONFIG_HAVE_GPIO_HARD_PWM=y
+CONFIG_HAVE_STRICT_TIMING=y
+CONFIG_HAVE_CHIPID=y
+CONFIG_HAVE_STEPPER_BOTH_EDGE=y
+CONFIG_HAVE_BOOTLOADER_REQUEST=y
+CONFIG_INLINE_STEPPER_HACK=y

nixos/kamaitachi/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKb4i+BmIb2wiT4y5uWsCOmSo1dRp6Ql36toUsRHN6pC",
+  "system": "aarch64-linux"
+}

nixos/khas/default.nix

@@ -1,8 +1,20 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, inputs, ... }:
 
 {
   networking.hostName = "khas";
-  imports = [ ./hardware-configuration.nix ];
+  deployment.tags = [ "reachable-everywhere" ];
+
+  imports = with inputs.self.nixosModules; [
+    ./hardware-configuration.nix
+
+    graphical
+    laptop
+    secureboot
+    gaming
+  ];
+
+  # boot.kernelParams = [ "nohz_full=1-15" ];
+
   age.secrets.ar-password.file = ../../secrets/khas-ar.age;
 
   users.users.ar.hashedPasswordFile = config.age.secrets.ar-password.path;

nixos/khas/hardware-configuration.nix

@@ -2,7 +2,7 @@
 
 {
   hardware.enableAllFirmware = true;
-  nibylandia-boot.ryzen.enable = true;
+  boot.ryzen.enable = true;
 
   boot.initrd.availableKernelModules =
     [ "nvme" "ehci_pci" "xhci_pci" "rtsx_pci_sdmmc" ];
@@ -87,4 +87,10 @@
     fsType = "btrfs";
     options = [ "subvol=var_lib_tpm" ];
   };
+
+  fileSystems."/var/lib/tailscale" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=var_lib_tailscale" ];
+  };
 }

nixos/khas/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAs/jPJBvAVB+BgkywNDSUqcuqzFaWTmBn5hTnKm1wjF",
+  "system": "x86_64-linux"
+}

nixos/microlith/default.nix

@@ -1,8 +1,16 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, inputs, ... }:
 
 {
   networking.hostName = "microlith";
-  imports = [ ./hardware-configuration.nix ];
+  deployment.tags = [ "reachable-home" ];
+
+  imports = with inputs.self.nixosModules; [
+    ./hardware-configuration.nix
+
+    graphical
+    gaming
+    secureboot
+  ];
   age.secrets.ar-password.file = ../../secrets/microlith-ar.age;
 
   users.users.ar.hashedPasswordFile = config.age.secrets.ar-password.path;

nixos/microlith/hardware-configuration.nix

@@ -13,6 +13,11 @@
     fsType = "xfs";
   };
 
+  fileSystems."/steam" = {
+    device = "/dev/disk/by-uuid/a2b3af5e-b15b-4023-8f8f-ea828b8df241";
+    fsType = "xfs";
+  };
+
   boot.initrd.luks.devices."microlith".device =
     "/dev/disk/by-uuid/3b53f78f-4d3f-4b3b-b7c8-640fe450f122";
 

nixos/microlith/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDghNuH/3G+0BXwrBZWZXX0V3K0tfu/Q/AKokLXY5zTD",
+  "system": "x86_64-linux"
+}

nixos/scylla/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, inputs, ... }:
 
 let
   keaJsonWithIncludes = name: value:
@@ -20,9 +20,16 @@ let
     ${pkgs.bird2}/bin/birdc reload in all
   '';
 in {
-  imports = [ ./hardware-configuration.nix ];
+  deployment.tags = [ "reachable-everywhere" ];
 
-  nibylandia-boot.uefi.enable = true;
+  imports = with inputs.self.nixosModules; [
+    ./hardware-configuration.nix
+
+    common
+    ci-runners
+  ];
+
+  boot.uefi.enable = true;
 
   boot = {
     kernelPackages = pkgs.linuxPackages_latest;
@@ -67,6 +74,7 @@ in {
   };
 
   networking.hostName = "scylla";
+
   networking.wireless.enable = false;
 
   time.timeZone = "Europe/Warsaw";
@@ -424,6 +432,15 @@ in {
     before = [ "bird.service" ];
   };
 
+  services.tailscale = {
+    useRoutingFeatures = "both";
+    extraUpFlags = [
+      "--advertise-exit-node"
+      "--advertise-routes=172.20.0.0/14"
+      "--advertise-routes=fd00::/8"
+    ];
+  };
+
   systemd.services = {
     dn42-roa = {
       after = [ "network.target" ];
@@ -435,6 +452,11 @@ in {
 
   security.polkit.enable = true;
   virtualisation.libvirtd.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    dockerSocket.enable = true;
+  };
 
   services.avahi = {
     enable = true;

nixos/scylla/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1X7EaPNfLhWH32IAyaZj2dhJz+QLnyGuXPCZUYRTjg",
+  "system": "aarch64-linux"
+}

nixos/stereolith/default.nix

@@ -0,0 +1,282 @@
+{ config, inputs, lib, pkgs, ... }:
+
+{
+  networking.hostName = "stereolith";
+  networking.hostId = "adcad022";
+
+  deployment.tags = [ "reachable-home" ];
+
+  imports = with inputs.self.nixosModules; [ common ];
+
+  boot.uefi.enable = true;
+
+  boot.initrd.availableKernelModules =
+    [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.kernelPackages = pkgs.linuxPackages;
+  boot.zfs.package = pkgs.zfs_2_1;
+  boot.extraModulePackages = with config.boot.kernelPackages; [ zfs_2_1 ];
+
+  boot.enableContainers = true;
+  boot.zfs.extraPools = [ config.networking.hostName ];
+  boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = "1"; };
+
+  system.stateVersion = lib.mkForce "22.11";
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/34409a0d-48ac-4dcb-8fe2-ac553b5b27f1";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3906-F639";
+    fsType = "vfat";
+  };
+
+  nix.settings.max-jobs = 16;
+
+  hardware.enableRedistributableFirmware = true;
+
+  environment.systemPackages = with pkgs; [
+    git
+    wget
+    tmux
+    tcpdump
+    sysstat
+    samba
+  ];
+
+  programs = {
+    neovim = {
+      enable = true;
+      withRuby = true;
+      vimAlias = true;
+      viAlias = true;
+      defaultEditor = true;
+    };
+    mosh.enable = true;
+  };
+
+  networking.useDHCP = false;
+  networking.wireless.enable = false;
+  networking.nameservers = [ "192.168.20.1" ];
+  networking.interfaces.enp9s0.ipv4 = {
+    addresses = [{
+      address = "192.168.20.31";
+      prefixLength = 24;
+    }];
+    routes = [{
+      address = "0.0.0.0";
+      prefixLength = 0;
+      via = "192.168.20.1";
+    }];
+  };
+  systemd.network.wait-online.enable = false;
+
+  networking.firewall.allowedTCPPorts = [ 22 80 443 1688 2005 2582 3000 ]
+    ++ (map (x: 9091 + x) (lib.range (0 - 2) 10))
+    ++ (map (x: 51413 + x) (lib.range (0 - 2) 10)) ++ [ 137 139 445 631 ]
+    ++ [ 1143 1025 8080 ] ++ [ 5201 ] ++ [ 4000 4001 4002 ] ++ [ 5001 5050 ];
+  networking.firewall.allowedUDPPorts = [ 69 2005 51820 ]
+    ++ (map (x: 51413 + x) (lib.range (0 - 2) 10)) ++ [ 4000 4001 4002 ];
+
+  users.users.minecraft = {
+    isNormalUser = true;
+    openssh.authorizedKeys = {
+      keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOHWPbzvwXTftY1r0dXcYZxT9QBnQkwepdMn8PCAPlYvYwUObEj3rgYrYRFrtCRWZVrKAdqBxnH9/6S9w631Zs7tgqEeDHJsotZNZV3qip7qGjn9IqUHXqF95MUDJV21AeBAqQ1xalefwCkwf/vYLFn8dSnsnlfO+mtlHZOuBED+SB2U1eNrWY2e45v8m7PqSyTCbCu0F3wVcHGwRFsxWA598wf85UBRVcSWVcUydE9F+PCS9sGETkXiRUDcHWnup8uygs4xLa9RADubhdGkUbQE6m6yOjvHJWZ4ov59zJh+hmpszCwfmUw/k39T2TM7tbwUWxgc68qDyaMGQr/Wzd x10a94@Celestia"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJ+LSo3YXE6Jk6pGKL5om/VOi7XE5OvHA2U73V0pJXHa1bA4ityICeNqec2w8TSWSwTihJ4oAM7YLShkERNTcd1NWNHgUYova9nJ/nItFxrxDpTQsqK315u4d7nE+go09c85cyomHbDDcNVg9kJeCUjF+dr82N7JZfYVdQystOslOROYtl94GHuFHVOQyBRGeSztmakYvK1+3WV8dby6TfYG1l6uf6qLCg7q64zR4xDDP0KgfcrsusBQ6qYnKhop1fUTaW9NtEOQP/MhFLDp2YQmTsNJDiKAQpwwYLexWq4UcziXbnRfD56CHFHbW7Hu6Ltu35cHFKR2r9y4TBwTV crendgrim@gmx.de"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6rEwERSm/Fj4KO4SxFIo0BUvi9YNyf8PSL1FteMcMt arachnist@monolith"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7WvV+4zRYrDoxXxLttLvIJkuzB3ZsHIUUmyc5Jp81F minecraft@orochi"
+      ];
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    commonHttpConfig = ''
+      add_header X-Clacks-Overhead "GNU Terry Pratchett";
+    '';
+
+    virtualHosts = {
+      "default" = {
+        forceSSL = false;
+        enableACME = false;
+        serverName = "_";
+        locations."/".return = "410";
+        locations."/tftp/" = { alias = "/stereolith/crap/tftp/"; };
+      };
+      "i.am-a.cat" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/transmission/Downloads/" = {
+          alias = "/stereolith/crap/transmission/Downloads/";
+          extraConfig = ''
+            autoindex on;
+            satisfy any;
+
+            allow 192.168.20.0/24;
+            allow 192.168.24.0/24;
+            allow 10.255.255.0/24;
+            deny all;
+
+            auth_basic "crap";
+            auth_basic_user_file "/etc/nginx/auth/crap";
+          '';
+        };
+      };
+
+      "drukarke.zajeba.li" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5001";
+          proxyWebsockets = true;
+          extraConfig = ''
+            satisfy any;
+
+            allow 192.168.20.0/24;
+            allow 192.168.24.0/24;
+            allow 10.255.255.0/24;
+            deny all;
+
+            auth_basic "octoprint";
+            auth_basic_user_file "/etc/nginx/auth/octoprint";
+
+            client_max_body_size 0;
+          '';
+        };
+      };
+
+      "185.102.189.133" = {
+        forceSSL = false;
+        locations."/.well-known/pki-validation/" = {
+          alias = "/stereolith/crap/pki-validation/";
+        };
+      };
+
+      "picture.cat" = {
+        locations."/" = { root = "/stereolith/photo/_build"; };
+      };
+
+    };
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "ar@is-a.cat";
+  };
+
+  services.printing = {
+    enable = true;
+    startWhenNeeded = false;
+    browsing = true;
+    listenAddresses = [ "*:631" ];
+    defaultShared = true;
+    drivers = with pkgs; [ cups-dymo ];
+  };
+  services.samba = {
+    enable = true;
+    package = pkgs.samba4Full;
+    shares = {
+      scan = {
+        browseable = "yes";
+        comment = "Scanner";
+        "guest ok" = "yes";
+        path = "/stereolith/scan";
+        "read only" = false;
+      };
+      transmission = {
+        browseable = "yes";
+        comment = "Scanner";
+        "guest ok" = "yes";
+        path = "/stereolith/crap/transmission/Downloads";
+        "read only" = false;
+        "force user" = "transmission";
+        "force group" = "transmission";
+      };
+      annscratch = {
+        browseable = "yes";
+        comment = "scratch";
+        "guest ok" = "yes";
+        path = "/stereolith/scratch/anna";
+        "read only" = false;
+      };
+      photo = {
+        browseable = "yes";
+        comment = "photo";
+        "guest ok" = "yes";
+        path = "/stereolith/photo";
+        "read only" = false;
+        "force user" = "arachnist";
+        "force group" = "users";
+      };
+      labelprinter = {
+        path = "/var/spool/samba";
+        printer = "labelprinter";
+        browseable = "yes";
+        comment = "Label Printer";
+        "guest ok" = "yes";
+        writable = "no";
+        printable = "yes";
+        public = "yes";
+        "create mode" = 700;
+      };
+    };
+    extraConfig = ''
+      load printers = yes
+      printing = cups
+      printcap name = cups
+    '';
+  };
+  systemd.tmpfiles.rules = [ "d /var/spool/samba 1777 root root -" ];
+  sound.enable = false;
+  hardware.pulseaudio.enable = false;
+  services.xserver.enable = false;
+  systemd.services.mdmonitor.enable = false;
+
+  services.transmission = {
+    enable = true;
+    downloadDirPermissions = "775";
+    settings = {
+      rpc-port = 9091;
+      peer-port = 51413;
+      rpc-bind-address = "0.0.0.0";
+      rpc-whitelist-enabled = false;
+      rpc-host-whitelist-enabled = false;
+      download-dir = "/stereolith/crap/transmission/Downloads";
+      incomplete-dir = "/stereolith/crap/transmission/Downloads";
+      dht-enabled = false;
+      pex-enabled = false;
+    };
+    webHome = pkgs.flood-for-transmission;
+  };
+
+  virtualisation.oci-containers.containers = {
+    octoprint = {
+      image = "octoprint/octoprint";
+      volumes = [ "octoprint:/octoprint" ];
+      ports = [ "5001:80" ];
+      extraOptions = [
+        "--device=/dev/ttyACM0:/dev/ttyACM0"
+        "--device=/dev/video0:/dev/video0"
+        "--device=/dev/video1:/dev/video1"
+      ];
+      environment = {
+        ENABLE_MJPG_STREAMER = "true";
+        MJPG_STREAMER_INPUT = "-r 1920x1080 -f 30";
+      };
+    };
+  };
+
+  security.polkit.enable = true;
+  virtualisation.libvirtd.enable = true;
+
+  services.pykms.enable = true;
+}

nixos/stereolith/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVuDOcKE8ANKGjd6kfFH1qLLzLwg91o0exJ0isIEw4O",
+  "system": "x86_64-linux"
+}

nixos/tsukumogami/default.nix

@@ -0,0 +1,266 @@
+{ config, pkgs, lib, inputs, ... }:
+
+let
+  ci-secrets = import ../../ci-secrets.nix;
+  cageScript = pkgs.writeScriptBin "inventoryChromium" ''
+    #!${pkgs.runtimeShell}
+    ${pkgs.wlr-randr}/bin/wlr-randr --output HDMI-A-1 --transform 90
+    ${pkgs.chromium}/bin/chromium --kiosk https://inventory.hackerspace.pl
+  '';
+in {
+  # https://en.wikipedia.org/wiki/Tsukumogami
+  networking.hostName = "tsukumogami";
+  deployment.buildOnTarget = lib.mkForce false;
+  deployment.tags = [ "reachable-hs" ];
+
+  imports = with inputs.self.nixosModules; [
+    "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image.nix"
+    common
+  ];
+
+  # don't want to pull in all of installer stuff, so we need to copy some things from sd-image-aarch64.nix:
+  sdImage = {
+    compressImage = false;
+    imageName =
+      "${config.sdImage.imageBaseName}-${pkgs.stdenv.hostPlatform.system}-${config.networking.hostName}.img";
+    populateFirmwareCommands = let
+      # contents of these are used *only* for generating a microsd card image!
+      configTxt = pkgs.writeText "config.txt" ''
+        [pi3]
+        kernel=u-boot-rpi3.bin
+
+        [pi02]
+        kernel=u-boot-rpi3.bin
+
+        [pi4]
+        kernel=u-boot-rpi4.bin
+        enable_gic=1
+        armstub=armstub8-gic.bin
+
+        # Otherwise the resolution will be weird in most cases, compared to
+        # what the pi3 firmware does by default.
+        disable_overscan=1
+
+        # Supported in newer board revisions
+        arm_boost=1
+
+        [cm4]
+        # Enable host mode on the 2711 built-in XHCI USB controller.
+        # This line should be removed if the legacy DWC2 controller is required
+        # (e.g. for USB device mode) or if USB support is not required.
+        otg_mode=1
+
+        [all]
+        # Boot in 64-bit mode.
+        arm_64bit=1
+
+        # U-Boot needs this to work, regardless of whether UART is actually used or not.
+        # Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still
+        # a requirement in the future.
+        enable_uart=1
+
+        # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
+        # when attempting to show low-voltage or overtemperature warnings.
+        avoid_warnings=1
+
+        hdmi_enable_4kp60=1
+
+        # avoid display issues
+        hdmi_cvt=1920 1080 60 3 0 0 0
+        hdmi_force_hotplug=1
+        hdmi_group=2
+        hdmi_mode=87
+
+        hdmi_drive=1
+        hdmi_boost=7
+      '';
+    in ''
+      (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
+
+      # Add the config
+      cp ${configTxt} firmware/config.txt
+
+      # Add pi3 specific files
+      cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin
+
+      # Add pi4 specific files
+      cp ${pkgs.ubootRaspberryPi4_64bit}/u-boot.bin firmware/u-boot-rpi4.bin
+      cp ${pkgs.raspberrypi-armstubs}/armstub8-gic.bin firmware/armstub8-gic.bin
+      cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-4-b.dtb firmware/
+      cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-400.dtb firmware/
+      cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-cm4.dtb firmware/
+      cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-cm4s.dtb firmware/
+    '';
+    populateRootCommands = ''
+      mkdir -p ./files/boot
+      ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
+    '';
+  };
+
+  hardware.enableRedistributableFirmware = lib.mkForce false;
+  hardware.firmware = with pkgs; [ raspberrypiWirelessFirmware wireless-regdb ];
+  boot = {
+    # camera, kernel side
+    # kernelModules = [ "bcm2835-v4l2" ];
+    # avoid building zfs
+    supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];
+    kernelParams = [ "verbose" "loglevel=7" "cma=256M" "fbcon=rotate:1" ];
+    loader.grub.enable = false;
+    loader.generic-extlinux-compatible.enable = true;
+  };
+
+  environment.etc."wifi-secrets".text = ci-secrets.wifi;
+
+  microvm.host.enable = false;
+
+  systemd.network.enable = lib.mkForce false;
+  networking = {
+    useDHCP = true;
+    wireless = {
+      enable = true;
+      environmentFile = "/etc/wifi-secrets";
+      networks."hackerspace.pl-guests".psk = "@HSWAW_WIFI@";
+      networks."hackerspace.pl-guests-5G".psk = "@HSWAW_WIFI@";
+    };
+  };
+  networking.firewall.enable = false;
+
+  services.avahi = {
+    enable = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = true;
+      userServices = true;
+    };
+  };
+
+  # dupa.8
+  users.users.root.hashedPassword =
+    "$y$j9T$yzZnq2/mg6OawoGAbzb0f0$yOyJmpjmFWfm7GF7eRriCO5wwjCWaJWZOH.6f9gVZ3/";
+  users.mutableUsers = false;
+  users.users.inventory = {
+    group = "inventory";
+    extraGroups = [ "video" "dialout" "plugdev" "pipewire" "users" "wheel" ];
+    isNormalUser = true;
+    openssh.authorizedKeys.keys =
+      config.users.users.root.openssh.authorizedKeys.keys;
+  };
+  users.groups.inventory = { };
+
+  documentation = {
+    enable = lib.mkForce false;
+  } // builtins.listToAttrs (map (x: {
+    name = x;
+    value = { enable = lib.mkForce false; };
+  }) [ "man" "info" "nixos" "doc" "dev" ]);
+
+  services.openssh.settings.PasswordAuthentication = lib.mkForce true;
+  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+
+  hardware.opengl.enable = true;
+
+  # strictly for shits and giggles
+  sound.enable = true;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    systemWide = true;
+    alsa.enable = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+  services.udisks2 = { enable = true; };
+
+  # diet
+  boot.binfmt.emulatedSystems = lib.mkForce [ ];
+  environment.systemPackages = with pkgs;
+    lib.mkForce [
+      # strictly required
+      coreutils
+      nix
+      systemd
+
+      # shell's required and not automatically pulled in
+      zsh
+      bashInteractive
+
+      # reaaaaally useful (on-screen keyboard)
+      maliit-keyboard
+      maliit-framework
+      squeekboard
+
+      # we include these anyway
+      wlr-randr
+      chromium
+
+      # avoid warnings
+      gnugrep
+      (glibcLocales.override {
+        allLocales = false;
+        locales = [
+          "en_US.UTF-8/UTF-8"
+          "en_CA.UTF-8/UTF-8"
+          "en_DK.UTF-8/UTF-8"
+          "pl_PL.UTF-8/UTF-8"
+        ];
+      })
+
+      # nice-to-haves
+      procps
+      openssh
+      findutils
+      iproute2
+      util-linux
+      usbutils
+      neovim
+      tmux
+
+      # strictly unnecessary
+      mpv
+      alsa-utils
+      pipewire
+      (v4l-utils.override { withGUI = false; })
+    ];
+  programs.nix-index.enable = lib.mkForce false;
+  services.journald.extraConfig = ''
+    Storage=volatile
+  '';
+  systemd.coredump.enable = false;
+  services.lvm.enable = lib.mkForce false;
+
+  # systemd.services.ustreamer = {
+  #   wantedBy = [ "multi-user.target" ];
+  #   description = "uStreamer for video0";
+  #   serviceConfig = {
+  #     Type = "simple";
+  #     ExecStart =
+  #       "${pkgs.ustreamer}/bin/ustreamer --encoder=HW --persistent --rotate 90 --slowdown --resolution 1296x972 --desired-fps 30";
+  #   };
+  # };
+
+  # the proper way to do this, supposedly, would be to tie the touchscreen input to display output, eg. with:
+  # ENV{WL_OUTPUT}="HDMI-A-1"
+  # sadly, this doesn't work for us here, for some unbeknownst reason
+  # ENV{LIBINPUT_CALIBRATION_MATRIX}=“1 0 0 0 1 0” # default
+  # ENV{LIBINPUT_CALIBRATION_MATRIX}=“0 -1 1 1 0 0” # 90 degree clockwise
+  # ENV{LIBINPUT_CALIBRATION_MATRIX}="-1 0 1 0 -1 1" # 180 degree clockwise
+  # ENV{LIBINPUT_CALIBRATION_MATRIX}=“0 1 0 -1 0 1” # 270 degree clockwise
+  # ENV{LIBINPUT_CALIBRATION_MATRIX}="-1 0 1 1 0 0" # reflect along y axis
+  # ENV{LIBINPUT_CALIBRATION_MATRIX}="-1 0 1 0 1 0" # reflect along xgi axis
+  services.udev.extraRules = ''
+    SUBSYSTEM=="input", ATTRS{idVendor}=="0408", ENV{LIBINPUT_CALIBRATION_MATRIX}=“0 -1 1 1 0 0”
+  '';
+  services.cage = {
+    enable = true;
+    user = "inventory";
+    program = "${cageScript}/bin/inventoryChromium";
+    environment = {
+      GDK_BACKEND = "wayland";
+      QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+      WLR_LIBINPUT_NO_DEVICES = "1";
+    };
+    extraArguments = [ "-d" ];
+  };
+  systemd.services."cage-tty1".serviceConfig.Restart = "always";
+}

nixos/tsukumogami/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/Cl0F5WUxDTaQAlb+bYpQ0sCRuFQlf3MHJ4+3/KfYi",
+  "system": "aarch64-linux"
+}

nixos/zorigami/default.nix

@@ -0,0 +1,663 @@
+{ config, pkgs, lib, inputs, ... }:
+
+{
+  deployment.tags = [ "reachable-everywhere" ];
+
+  imports = [ inputs.simple-nixos-mailserver.nixosModule ]
+    ++ (with inputs.self.nixosModules; [
+      common
+      secureboot
+      monitoring
+      ci-runners
+
+      ./hardware.nix
+    ]);
+
+  boot.kernelPackages = pkgs.linuxPackages;
+
+  age.secrets.cassAuth = {
+    file = ../../secrets/cassAuth.age;
+    group = "nginx";
+    mode = "440";
+  };
+  age.secrets.minecraftRestic.file = ../../secrets/norkclubMinecraftRestic.age;
+  age.secrets.nextCloudAdmin = {
+    file = ../../secrets/nextCloudAdmin.age;
+    group = "nextcloud";
+    mode = "440";
+  };
+  age.secrets.wgNibylandia.file = ../../secrets/wg/nibylandia_zorigami.age;
+
+  age.secrets.arMail.file = ../../secrets/mail/ar.age;
+  age.secrets.apoMail.file = ../../secrets/mail/apo.age;
+  age.secrets.madargonMail.file = ../../secrets/mail/madargon.age;
+  age.secrets.enkiMail.file = ../../secrets/mail/enki.age;
+  age.secrets.matrixMail.file = ../../secrets/mail/matrix.age;
+  age.secrets.mastodonMail.file = ../../secrets/mail/mastodon.age;
+  age.secrets.mastodonPlainMail = {
+    group = "mastodon";
+    mode = "440";
+    file = ../../secrets/mail/mastodonPlain.age;
+  };
+  age.secrets.vaultwardenMail.file = ../../secrets/mail/vaultwarden.age;
+  age.secrets.vaultwardenPlainMail = {
+    group = "vaultwarden";
+    mode = "440";
+    file = ../../secrets/mail/vaultwardenPlain.age;
+  };
+
+  age.secrets.minifluxCredentials.file = ../../secrets/miniflux.age;
+  age.secrets.keycloakDatabase = {
+    file = ../../secrets/keycloakDatabase.age;
+    mode = "440";
+  };
+  age.secrets.keycloak.file = ../../secrets/mail/keycloak.age;
+  age.secrets.mastodonActiveRecordSecrets.file =
+    ../../secrets/mastodon-activerecord.age;
+
+  age.secrets.notbotEnvironment.file = ../../secrets/notbotEnvironment.age;
+
+  age.secrets.synapseExtraConfig = {
+    group = "matrix-synapse";
+    mode = "440";
+    file = ../../secrets/synapseExtraConfig.age;
+  };
+  age.secrets.acmeZorigamiZajebaLi.file =
+    ../../secrets/acme-zorigami-zajeba.li.age;
+  age.secrets.automataDendritePrivateKey.file =
+    ../../secrets/automata.of-a.cat-matrix_key.pem.age;
+  age.secrets.automataDendriteEnv.file =
+    ../../secrets/automata.of-a.cat-matrix_env.age;
+
+  nibylandia.monitoring-server = { domain = "monitoring.is-a.cat"; };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "4096m";
+    appendHttpConfig = ''
+      disable_symlinks off;
+    '';
+  };
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "ar@is-a.cat";
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ] ++ [ 25565 25566 ]
+    ++ [ 113 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 ]
+    ++ [ 19132 19133 25565 25566 ] ++ [ 51315 ];
+
+  nix.settings.max-jobs = 1;
+  nix.settings.cores = 24;
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+  };
+  services.prometheus.exporters.postgres = {
+    enable = true;
+    runAsLocalSuperUser = true;
+    listenAddress = "127.0.0.1";
+  };
+
+  systemd.services.notbot = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    description = "Notbot irc bot service";
+    serviceConfig = {
+      Type = "simple";
+      User = "bot";
+      EnvironmentFile = config.age.secrets.notbotEnvironment.path;
+      ExecStart = ''
+        ${pkgs.notbot}/bin/notbot -nickname "notbot" -name "notbot" -user "bot" \
+          -server "irc.libera.chat:6667" -password $NICKSERV_PASSWORD \
+          -channels $CHANNELS -jitsi.channels $JITSI_CHANNELS -spaceapi.channels $SPACEAPI_CHANNELS
+      '';
+    };
+  };
+  users.users.bot = {
+    isSystemUser = true;
+    group = "bot";
+  };
+  users.groups.bot = { };
+
+  systemd.services.cass = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    description = "cass";
+    serviceConfig = {
+      Type = "simple";
+      User = "ar";
+      ExecStart = ''
+        ${pkgs.cass}/bin/cass -listen "127.0.0.1:8000" -file-store "/srv/www/arachnist.is-a.cat/c" -url-base "https://ar.is-a.cat/c/"'';
+    };
+  };
+
+  systemd.services.minecraft-overviewer = {
+    script = ''
+      ${pkgs.python3Packages.minecraft-overviewer}/bin/overviewer.py -p 12 -c "/srv/minecraft-overviewer/survival/config.py"
+      ${pkgs.python3Packages.minecraft-overviewer}/bin/overviewer.py -p 12 -c "/srv/minecraft-overviewer/survival/config.py" --genpoi
+    '';
+    serviceConfig = {
+      User = "minecraft";
+      Group = "users";
+      ProtectHome = "no";
+    };
+  };
+
+  systemd.timers.minecraft-overviewer = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig = { OnCalendar = "hourly"; };
+  };
+
+  systemd.timers.minecraft-backup = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig = { OnCalendar = "*:0/15"; };
+  };
+
+  users.users.minecraft = {
+    isNormalUser = true;
+    group = "users";
+    openssh.authorizedKeys.keys =
+      config.users.users.ar.openssh.authorizedKeys.keys ++ [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOHWPbzvwXTftY1r0dXcYZxT9QBnQkwepdMn8PCAPlYvYwUObEj3rgYrYRFrtCRWZVrKAdqBxnH9/6S9w631Zs7tgqEeDHJsotZNZV3qip7qGjn9IqUHXqF95MUDJV21AeBAqQ1xalefwCkwf/vYLFn8dSnsnlfO+mtlHZOuBED+SB2U1eNrWY2e45v8m7PqSyTCbCu0F3wVcHGwRFsxWA598wf85UBRVcSWVcUydE9F+PCS9sGETkXiRUDcHWnup8uygs4xLa9RADubhdGkUbQE6m6yOjvHJWZ4ov59zJh+hmpszCwfmUw/k39T2TM7tbwUWxgc68qDyaMGQr/Wzd x10a94@Celestia"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJ+LSo3YXE6Jk6pGKL5om/VOi7XE5OvHA2U73V0pJXHa1bA4ityICeNqec2w8TSWSwTihJ4oAM7YLShkERNTcd1NWNHgUYova9nJ/nItFxrxDpTQsqK315u4d7nE+go09c85cyomHbDDcNVg9kJeCUjF+dr82N7JZfYVdQystOslOROYtl94GHuFHVOQyBRGeSztmakYvK1+3WV8dby6TfYG1l6uf6qLCg7q64zR4xDDP0KgfcrsusBQ6qYnKhop1fUTaW9NtEOQP/MhFLDp2YQmTsNJDiKAQpwwYLexWq4UcziXbnRfD56CHFHbW7Hu6Ltu35cHFKR2r9y4TBwTV crendgrim@gmx.de"
+      ];
+  };
+
+  systemd.services.minecraft-backup = {
+    script = ''
+      export PATH="/run/current-system/sw/bin"
+      /home/minecraft/minecraft-backup/backup.sh -w rcon -i /home/minecraft/survival/world -r $BACKUP_DESTINATION -s $RCON_AUTH -m -1
+    '';
+    serviceConfig = {
+      User = "minecraft";
+      Group = "users";
+      ProtectHome = "no";
+      EnvironmentFile = config.age.secrets.minecraftRestic.path;
+    };
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud29;
+    hostName = "cloud.is-a.cat";
+    autoUpdateApps.enable = true;
+    autoUpdateApps.startAt = "05:00:00";
+
+    settings.overwriteprotocol = "https";
+
+    config = {
+      adminuser = "admin";
+      adminpassFile = config.age.secrets.nextCloudAdmin.path;
+
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbname = "nextcloud";
+      dbhost = "/run/postgresql";
+    };
+  };
+
+  services.postgresql.ensureDatabases =
+    [ "nextcloud" "matrix-synapse" "mastodon" "dendrite" ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "nextcloud";
+      ensureDBOwnership = true;
+    }
+    {
+      name = "matrix-synapse";
+      ensureDBOwnership = true;
+    }
+    {
+      name = "mastodon";
+      ensureDBOwnership = true;
+    }
+    {
+      name = "dendrite";
+      ensureDBOwnership = true;
+    }
+  ];
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "is-a.cat";
+    domains = [ "is-a.cat" "i.am-a.cat" "rsg.enterprises" ];
+    certificateScheme = "acme-nginx";
+    enableManageSieve = true;
+    fullTextSearch = {
+      enable = true;
+      memoryLimit = 2000;
+    };
+    localDnsResolver = false;
+    monitoring.enable = false;
+    borgbackup.enable = false;
+    backup.enable = false;
+    messageSizeLimit = 41943040;
+    loginAccounts = {
+      "ar@is-a.cat" = {
+        aliases = [
+          "arachnist@is-a.cat"
+          "letsencrypt@is-a.cat"
+          "gustaw.weldon@is-a.cat"
+          "@rsg.enterprises"
+          "@i.am-a.cat"
+          "ari@is-a.cat"
+        ];
+
+        hashedPasswordFile = config.age.secrets.arMail.path;
+      };
+      "apo@is-a.cat".hashedPasswordFile = config.age.secrets.apoMail.path;
+      "madargon@is-a.cat".hashedPasswordFile =
+        config.age.secrets.madargonMail.path;
+      "enkiusz@is-a.cat".hashedPasswordFile = config.age.secrets.enkiMail.path;
+      "mastodon@is-a.cat".hashedPasswordFile =
+        config.age.secrets.mastodonMail.path;
+      "matrix@is-a.cat".hashedPasswordFile = config.age.secrets.matrixMail.path;
+      "vaultwarden@is-a.cat".hashedPasswordFile =
+        config.age.secrets.vaultwardenMail.path;
+    };
+  };
+  services.dovecot2.sieve.extensions = [ "fileinto" ];
+
+  # automata.of-a.cat
+  services.dendrite = {
+    enable = true;
+    httpPort = 8108;
+    loadCredential = [
+      "matrix-server-key:${config.age.secrets.automataDendritePrivateKey.path}"
+    ];
+    environmentFile = config.age.secrets.automataDendriteEnv.path;
+
+    settings = let
+      database_config = {
+        connection_string = "postgresql:///dendrite?host=/run/postgresql";
+        max_open_conns = 10;
+        max_idle_conns = 5;
+      };
+    in {
+      global = {
+        server_name = "automata.of-a.cat";
+        private_key = "$CREDENTIALS_DIRECTORY/matrix-server-key";
+        jetstream.storage_path = "/var/lib/dendrite/";
+      };
+
+      client_api = {
+        registration_disabled = true;
+        rate_limiting.enabled = false;
+        registration_shared_secret = "\${REGISTRATION_SHARED_SECRET}";
+      };
+
+      app_service_api.database = database_config;
+      federation_api.database = database_config;
+      key_server.database = database_config;
+      media_api.database = database_config;
+      mscs.database = database_config;
+      room_server.database = database_config;
+      sync_api.database = database_config;
+      user_api.account_database = database_config;
+      user_api.device_database = database_config;
+      relay_api.device_database = database_config;
+    };
+  };
+
+  # is-a.cat
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "is-a.cat";
+
+      registrations_require_3pid = [ "email" ];
+      allowed_local_3pids = [{
+        medium = "email";
+        pattern = "^[^@]+@is-a.cat$";
+      }];
+      enable_registration = true;
+      registration_requires_token = true;
+      withJemalloc = true;
+    };
+    extraConfigFiles = [ config.age.secrets.synapseExtraConfig.path ];
+  };
+
+  services.mastodon = {
+    enable = true;
+    webProcesses = 4;
+    streamingProcesses = 4;
+    localDomain = "is-a.cat";
+    configureNginx = true;
+    smtp = {
+      user = "mastodon@is-a.cat";
+      passwordFile = config.age.secrets.mastodonPlainMail.path;
+      fromAddress = "mastodon@is-a.cat";
+      host = "is-a.cat";
+      createLocally = false;
+      authenticate = true;
+    };
+    extraConfig = {
+      EMAIL_DOMAIN_ALLOWLIST = "is-a.cat";
+      MAX_TOOT_CHARS = "20000";
+      MAX_PINNED_TOOTS = "10";
+      MAX_BIO_CHARS = "2000";
+      MAX_PROFILE_FIELDS = "8";
+      MAX_POLL_OPTIONS = "10";
+      MAX_IMAGE_SIZE = "33554432";
+      MAX_VIDEO_SIZE = "167772160";
+      ALLOWED_PRIVATE_ADDRESSES = "127.1.33.7";
+      GITHUB_REPOSITORY = "arachnist/mastodon/tree/meow";
+    };
+    extraEnvFiles = [ config.age.secrets.mastodonActiveRecordSecrets.path ];
+    package = pkgs.glitch-soc;
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    config = {
+      DOMAIN = "https://vaultwarden.is-a.cat";
+      ROCKET_PORT = "8222";
+      ROCKET_ADDRESS = "127.0.0.1";
+      databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
+
+      smtpHost = "is-a.cat";
+      smtpFrom = "vaultwarden@is-a.cat";
+      smtpUsername = "vaultwarden@is-a.cat";
+      smtpSecurity = "force_tls";
+
+      signupsDomainsWhitelist = "is-a.cat";
+    };
+    environmentFile = config.age.secrets.vaultwardenPlainMail.path;
+  };
+  services.nginx.virtualHosts."vaultwarden.is-a.cat" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${
+          toString config.services.vaultwarden.config.ROCKET_PORT
+        }";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub" = {
+      proxyPass = "http://localhost:3012";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub/negotiate" = {
+      proxyPass = "http://localhost:8812";
+      proxyWebsockets = true;
+    };
+  };
+
+  # need to figure out something fancy about network configuration
+  networking.hostName = "zorigami";
+
+  systemd.network.wait-online.enable = false;
+  networking.useDHCP = false;
+  networking.tempAddresses = "disabled";
+  networking.interfaces = {
+    enp38s0.useDHCP = false;
+    enp42s0f3u5u3c2.useDHCP = false;
+    enp36s0f0 = {
+      useDHCP = false;
+      ipv4 = {
+        addresses = [{
+          address = "185.236.240.137";
+          prefixLength = 31;
+        }];
+        routes = [{
+          address = "0.0.0.0";
+          prefixLength = 0;
+          via = "185.236.240.136";
+        }];
+      };
+      ipv6 = {
+        addresses = [{
+          address = "2a0d:eb00:8007::10";
+          prefixLength = 64;
+        }];
+        routes = [{
+          address = "::";
+          prefixLength = 0;
+          via = "2a0d:eb00:8007::1";
+        }];
+      };
+    };
+    # funky crossconnects
+    enp36s0f1 = {
+      useDHCP = false;
+      ipv4.addresses = [{
+        address = "10.21.37.1";
+        prefixLength = 27;
+      }];
+    };
+    enp39s0 = {
+      useDHCP = false;
+      ipv4.addresses = [{
+        address = "10.21.37.33";
+        prefixLength = 27;
+      }];
+    };
+  };
+
+  networking.nameservers = [
+    "8.8.8.8"
+    "8.8.4.4"
+    "1.1.1.1"
+    "2606:4700:4700::1111"
+    "2606:4700:4700::1001"
+    "2001:4860:4860::8888"
+  ];
+  boot.kernel.sysctl = {
+    "net.ipv6.conf.all.accept_ra" = false;
+    "net.ipv6.conf.default.accept_ra" = false;
+    "net.ipv4.conf.all.forwarding" = true;
+  };
+  networking.wireguard.interfaces = {
+    wg-nibylandia = {
+      ips = [ "10.255.255.1/24" ];
+      privateKeyFile = config.age.secrets.wgNibylandia.path;
+      listenPort = 51315;
+
+      peers = [
+        {
+          publicKey = "g/XhdVYsegn7Pp58Y1HFNxp4jhmA8YjRDg8W8J6swCw=";
+          endpoint = "i.am-a.cat:51315";
+          allowedIPs =
+            [ "10.255.255.2/32" "192.168.20.0/24" "192.168.24.0/24" ];
+          persistentKeepalive = 15;
+        }
+        {
+          publicKey = "ubxtr3zW9F/ofjaQFnj6XpYcrOvTdOSW5wv06+VEehU=";
+          allowedIPs = [ "10.255.255.3/32" ];
+          persistentKeepalive = 15;
+        }
+        {
+          publicKey = "tVH3q1AJZKsitYmASdaogMCBwhMCd8oSuDY2POpiUiY=";
+          allowedIPs = [ "10.255.255.4/32" ];
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      interfaces-config = {
+        interfaces = [ "enp36s0f1/10.21.37.1" "enp39s0/10.21.37.33" ];
+      };
+
+      subnet4 = [
+        {
+          subnet = "10.21.37.0/27";
+          pools = [{ pool = "10.21.37.5 - 10.21.37.25"; }];
+          reservations-out-of-pool = true;
+          reservations-in-subnet = true;
+        }
+        {
+          subnet = "10.21.37.32/27";
+          pools = [{ pool = "10.21.37.37 - 10.21.37.57"; }];
+          reservations-out-of-pool = true;
+          reservations-in-subnet = true;
+        }
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "s.nork.club" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/srv/www/s.nork.club";
+    };
+    "ar.is-a.cat" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = { root = "/srv/www/arachnist.is-a.cat"; };
+      locations."/up" = {
+        proxyPass = "http://127.0.0.1:8000";
+        basicAuthFile = config.age.secrets.cassAuth.path;
+        extraConfig = ''
+          proxy_request_buffering off;
+          proxy_send_timeout "9000s";
+          proxy_read_timeout "9000s";
+        '';
+      };
+      locations."/down" = {
+        proxyPass = "http://127.0.0.1:8000";
+        basicAuthFile = config.age.secrets.cassAuth.path;
+        extraConfig = ''
+          proxy_request_buffering off;
+          proxy_send_timeout "9000s";
+          proxy_read_timeout "9000s";
+        '';
+      };
+    };
+    "arachnist.is-a.cat" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = { root = "/srv/www/arachnist.is-a.cat"; };
+    };
+    "brata.zajeba.li" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = { root = "/srv/www/brata.zajeba.li"; };
+    };
+    "irc.is-a.cat" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."^~ /weechat" = {
+        proxyPass = "http://127.0.0.1:9001";
+        proxyWebsockets = true;
+      };
+      locations."/" = { root = pkgs.glowing-bear; };
+    };
+    "cloud.is-a.cat" = {
+      forceSSL = true;
+      enableACME = true;
+    };
+    "${config.services.matrix-synapse.settings.server_name}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/_matrix" = { proxyPass = "http://127.0.0.1:8008"; };
+
+      locations."/.well-known/matrix/server" = {
+        return = ''
+          200 "{\"m.server\":\"${config.services.matrix-synapse.settings.server_name}:443\",\"m.homeserver\":{\"base_url\":\"https://${config.services.matrix-synapse.settings.server_name}\"}}"'';
+      };
+    };
+    "matrix.${config.services.matrix-synapse.settings.server_name}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        root = pkgs.cinny.override {
+          conf = {
+            homeserverList = [
+              config.services.matrix-synapse.settings.server_name
+              "matrix.hackerspace.pl"
+            ];
+            allowCustomHomeservers = false;
+            defaultHomeserver = 0;
+          };
+        };
+      };
+    };
+    ${config.services.dendrite.settings.global.server_name} = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/.well-known/matrix/server".return = ''
+          200 "{\"m.server\":\"matrix.${config.services.dendrite.settings.global.server_name}:443\",\"m.homeserver\":{\"base_url\":\"https://matrix.${config.services.dendrite.settings.global.server_name}\"}}"
+        '';
+        "/.well-known/matrix/client".return = ''
+          200 "{\"m.homeserver\":{\"base_url\":\"https://matrix.${config.services.dendrite.settings.global.server_name}\"}}"
+        '';
+      };
+    };
+    "matrix.${config.services.dendrite.settings.global.server_name}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/_matrix".proxyPass =
+          "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+        "/_dendrite".proxyPass =
+          "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+        "/_synapse".proxyPass =
+          "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+      };
+    };
+    "rower.zajeba.li" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        return = "301 https://pl.wikipedia.org/wiki/Praga-Po%C5%82udnie";
+      };
+    };
+    "wildcard.zajeba.li" = {
+      enableACME = true;
+      forceSSL = true;
+
+      serverAliases = [ "~^(.*).zajeba.li$" ];
+      root = "/srv/www/wildcard_zajeba.li/$1";
+    };
+  };
+  security.acme.certs."wildcard.zajeba.li" = {
+    extraDomainNames = lib.mkForce [ ];
+    domain = "*.zajeba.li";
+    dnsProvider = "cloudflare";
+    webroot = lib.mkForce null;
+    credentialFiles = {
+      CLOUDFLARE_DNS_API_TOKEN_FILE =
+        config.age.secrets.acmeZorigamiZajebaLi.path;
+    };
+  };
+
+  services.oidentd.enable = true;
+
+  programs.java = {
+    enable = true;
+    package = pkgs.openjdk21;
+  };
+
+  environment.systemPackages = with pkgs; [ john restic weechat ];
+  users.groups.domi = { gid = 1004; };
+  users.users.domi = {
+    isNormalUser = true;
+    uid = 1004;
+    group = "domi";
+    extraGroups = [ "users" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFHcfS3YKXUX4N8cD2IEF3GxHvb+IlynSSudDF1/e3U domi@kita"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPkJRQYGIVC//ofxYrIxF3nP3D8gTDSSSMyEzG6JVQii domi@sakamoto"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImhJ+2pw5c1Tzx/g+S04on5bUXhwzloqRaiXti5UC7A domi@zork"
+    ];
+  };
+}

nixos/zorigami/hardware.nix

@@ -0,0 +1,35 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules =
+    [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.zfs.extraPools = [ "tank" ];
+  boot.zfs.package = pkgs.zfs_unstable;
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.ryzen.enable = true;
+
+  networking.hostId = "7999af7c";
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/2c034d00-d937-498c-85af-088616b8449c";
+    fsType = "xfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/C1BA-34FE";
+    fsType = "vfat";
+  };
+
+  fileSystems."/home/minecraft/survival/world" = {
+    device = "survivalworld";
+    fsType = "tmpfs";
+    options = [ "mode=755" "uid=1001" "gid=100" "size=40G" ];
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/86fee886-bdba-4f0b-8fe6-31c32e8232fa"; }];
+
+}

nixos/zorigami/meta.json

@@ -0,0 +1,4 @@
+{
+  "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/7CsIWlJH2F0VQpgsGgZOQeAd7Zh98WpCvmTyXCTty",
+  "system": "x86_64-linux"
+}

overlays/default.nix

@@ -0,0 +1,4 @@
+{
+  nibylandia = final: prev: (import ./nibylandia.nix) final prev;
+  rpi5 = final: prev: (import ./rpi5.nix) final prev;
+}

overlays/nibylandia.nix

@@ -0,0 +1,32 @@
+self: super:
+let inherit (self) lib;
+in {
+  cass = super.callPackage ../pkgs/cass.nix { };
+  notbot = super.callPackage ../pkgs/notbot.nix { };
+  glitch-soc = let
+    emoji-reactions = import ../pkgs/glitch-soc/emoji.nix {
+      inherit (super) fetchpatch fetchurl;
+    };
+    file-post-patch = lib.concatMapStringsSep "\n" (f: ''
+      mkdir -p "$(dirname "${f.name}")"
+      cp -f "${f.src}" "${f.name}"
+    '') emoji-reactions.files;
+    tl-replacer = super.callPackage ../pkgs/glitch-soc/tl-replacer { };
+  in self.callPackage ../pkgs/glitch-soc {
+    srcPostPatch = ''
+      ${file-post-patch}
+            ${tl-replacer}/tl-replacer ${tl-replacer}/tl-replacer.yaml
+    '';
+    inherit (emoji-reactions) patches;
+  };
+
+  python3 = super.python3.override {
+    packageOverrides = self: super: {
+      pillow_with_headers =
+        self.callPackage ../pkgs/pillow-with-headers.nix { };
+      minecraft-overviewer =
+        self.callPackage ../pkgs/minecraft-overviewer.nix { };
+    };
+  };
+  python3Packages = self.python3.pkgs;
+}

overlays/rpi5.nix

@@ -0,0 +1,17 @@
+self: super: rec {
+  linux_rpi5 = self.callPackage ../pkgs/linux_rpi/linux-rpi.nix {
+    kernelPatches = with self.kernelPatches; [
+      bridge_stp_helper
+      request_key_helper
+    ];
+    rpiVersion = 5;
+  };
+
+  linuxPackages_rpi5 = self.linuxPackagesFor linux_rpi5;
+
+  rpi5-arm-tf = self.callPackage ../pkgs/rpi5-arm-tf.nix { };
+  rpi5-edk2-tools = self.callPackage ../pkgs/rpi5-edk2-tools.nix { };
+  rpi5-uefi = self.callPackage ../pkgs/rpi5-uefi.nix { };
+  rpi5-uefi-bin = self.callPackage ../pkgs/rpi5-uefi-bin.nix { };
+  rpi5-dtb = self.callPackage ../pkgs/rpi5-dtb.nix { };
+}

pkgs/cass.nix

@@ -0,0 +1,16 @@
+{ fetchFromGitea, buildGoPackage, ... }:
+
+buildGoPackage rec {
+  pname = "cass";
+  version = "0.0.1";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "arachnist";
+    repo = pname;
+    rev = "00b3536c5b546bb5b929b2562c86fee2869885a4";
+    sha256 = "+ZGO/ZoGN+LdcPGWHjjZ/wpayFxnfKvxiVMaS0iNYr0=";
+  };
+
+  goPackagePath = "github.com/arachnist/cass";
+}

pkgs/glitch-soc/default.nix

@@ -0,0 +1,26 @@
+{ callPackage, patches ? [ ], srcPostPatch ? "", mastodon, }:
+let
+  src = callPackage ./source.nix {
+    inherit patches;
+    postPatch = srcPostPatch;
+  };
+
+  # the upstream nix package doesn't support yarn berry yet so here we fucking go
+  # see https://github.com/NixOS/nixpkgs/issues/254369 and https://github.com/NixOS/nixpkgs/issues/277697
+  yarn-deps = callPackage ./yarn.nix {
+    inherit src;
+    hash = src.yarnHash;
+  };
+
+  # this is mastodon built from the glitch source
+  # modules are unpatched though
+  glitch-1 = mastodon.override {
+    pname = "glitch";
+    srcOverride = src;
+    gemset = ./. + "/gemset.nix";
+  };
+
+  modules = callPackage ./modules.nix { inherit glitch-1 yarn-deps; };
+
+  glitch-2 = glitch-1.overrideAttrs (old: { mastodonModules = modules; });
+in glitch-2

pkgs/glitch-soc/emoji.nix

@@ -0,0 +1,138 @@
+# autogenerated file
+{fetchpatch, fetchurl}: {
+  patches = [
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/4dc414453dfecd6b9a45ceccdace92812814212b.patch";
+      hash = "sha256-i0zXqVW43ZQuCrGNxgVSf5/OV4AdeJDykTIgo9FHLeA=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/b1f2ef4f95eb1dc982561514cf96a6b4913d9083.patch";
+      hash = "sha256-mPTn1tSFX16H3qw6tTMoY8ZEpSFw0WwMoAlwdMdN5o8=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/b63636b0a68efb1d228d2e2d095ac3856c7e4972.patch";
+      hash = "sha256-W54/zXblx89YfWqkkeHYpYArDPzI63S+XgPw5kbtVIQ=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/c6ef1a902cddaab21987fae31a80321794a10573.patch";
+      hash = "sha256-ShXE7LykbImUByMjpKpMrB+mvjV9Y+txwNWBQwlHYX0=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/638ea3bf2df621a43b58df03453a1015c4fab139.patch";
+      hash = "sha256-EYNjYGTtpvMA2rX959RjD7buPeC2zRYXcqO92jUszss=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/e60b2ef24541ef626f24da577bd1ccbb29d015ce.patch";
+      hash = "sha256-HpYr5hSVw39kCQd6RUUAgZvbDpZ77lwmKXhuQ6//UGk=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/323a50c9a9a4867d2bb0003929f241c6bd102ae4.patch";
+      hash = "sha256-Q8gQwOlakdulWBKT4RQ8HLq8MUuw2gBum3mHygsu1OE=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/3150cd5ebaa7b2106e74284b9bd0ebb72a881e7f.patch";
+      hash = "sha256-//d36ZolRH5Z9/2tBGWAUjlbIbaXb2MQGrDUVrlPHGI=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/0fa071703cdd29387b02b7585ea7708907a0b47f.patch";
+      hash = "sha256-F73oi+m6905u9N/iE+0kG8a/raSPW7znDeoNSjzrWJc=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/7691ac0053b51df419014cd84e2c5646e70b71e0.patch";
+      hash = "sha256-WgWtfn2UJXUz1elSPlM6PfIOG9xRgP0KVOtJ/35tY44=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/a624ba5621d5c26715954592cb76ab26dc4a30d4.patch";
+      hash = "sha256-Vj2vaxJf6Fyuew4yTZ8T8rH7sVmey3zkmlYX++L4DzQ=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/b9723c99cf7397b124c207367208e571f0a56972.patch";
+      hash = "sha256-QWrAHRSAUG5swVxV19Y1yg5tupnEafHzJf6j7se95A8=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/16b08f1d6bcc9ffd1e3316a11dc8c2def1926245.patch";
+      hash = "sha256-zWDnO/KLpl0aBaxS2DTt0W7WCeR29gU4N//5gZvJcwg=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/49e3973158dcb33257a12dd15d86b685b8435728.patch";
+      hash = "sha256-ygSdBo/9UKp9LAHNvpjvqcRF5uFpRWaqOH86gLnxYwU=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/bec0e6dd37df9799edb14b4d8d0e63692b66cf31.patch";
+      hash = "sha256-haFsOBTGWWbhEvbWWVf9Sawdw/CCUa3ZVRCz3AHNlF4=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/23f608619f1c8392dae995982c7595972147a9c8.patch";
+      hash = "sha256-+oUPXiHicgK1/r1lovl4IH6jZ7rDUWwBuVCDywzCPCk=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/3c66a42d0ad7f3416c8c130cf90364ac3acbb86d.patch";
+      hash = "sha256-N4yijNnCfeBb8CVsVK8L/ncRyWcvDZD9gkHaUMR1WaA=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/d37eb7f3eb4c38d00c8c4040bbba764036fb8019.patch";
+      hash = "sha256-SUOgcCBXlfsyMHKYvkkvgiOkW1uzLruI+jy5uf9f5kA=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/21e5b2ac22cff0b84549cb357b73186cc33a4872.patch";
+      hash = "sha256-mweLZ82np2r/kbbDJscwOomHgruULHxxlu9zhR51PNQ=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/89273da276cd987c01d0be3c4a0d598497167fd6.patch";
+      hash = "sha256-6aLwW6uJu1dXHenCnpta3nta6vZ+ZWH5pxhMGM0nLr8=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/af4cbbbc185c432c6a18c1efb84222e48c44356c.patch";
+      hash = "sha256-zBWsmMawNT1/1Kh4uZ7RpbIL03Gri7wsRMec/EYb/3Q=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/277428127e505120acbe3299d41b27c68fe78c83.patch";
+      hash = "sha256-srvagWbsqZQbOtk2Wfyk5LoBhoqeW0fSZXgDm0q6UEg=";
+    })
+    (fetchpatch {
+      url =
+        "https://github.com/glitch-soc/mastodon/pull/2462/commits/e48512b008f406a1f19336e71c44d33362df2606.patch";
+      hash = "sha256-wPPZkkeieMbO0jeO9VXqQyW+F+D7WmcFoXSVHGY03bM=";
+    })
+  ];
+  files = [
+    {
+      src = fetchurl {
+        url =
+          "https://github.com/glitch-soc/mastodon/raw/e48512b008f406a1f19336e71c44d33362df2606/app%2Fjavascript%2Fimages%2Fmailer-new%2Fheading%2Freaction.png";
+        hash = "sha256-6QLPNTSigxXryjO0IbvZFOQjWrnwrQHr5Mb0ZJllMLk=";
+      };
+      name = "app/javascript/images/mailer-new/heading/reaction.png";
+    }
+    {
+      src = fetchurl {
+        url =
+          "https://github.com/glitch-soc/mastodon/raw/e48512b008f406a1f19336e71c44d33362df2606/app%2Fjavascript%2Fimages%2Fmailer%2Ficon_add.png";
+        hash = "sha256-UYDdj5GKsg1cfVTx04hwsEURk6iKZfQCMAA2UFT0SJA=";
+      };
+      name = "app/javascript/images/mailer/icon_add.png";
+    }
+  ];
+}

pkgs/glitch-soc/modules.nix

@@ -0,0 +1,69 @@
+# this is mostly copied from upstream mastodon packaging, but modified for yarn-berry deps
+{ stdenv, nodejs-slim, yarn-berry, brotli,
+# previous inputs
+glitch-1, yarn-deps, }:
+stdenv.mkDerivation {
+  pname = "glitch-modules";
+  inherit (glitch-1) src version;
+
+  yarnOfflineCache = yarn-deps;
+
+  nativeBuildInputs =
+    [ glitch-1.mastodonGems glitch-1.mastodonGems.wrappedRuby ]
+    ++ [ nodejs-slim yarn-berry brotli ];
+
+  RAILS_ENV = "production";
+  NODE_ENV = "production";
+
+  buildPhase = ''
+    runHook preBuild
+
+    export HOME=$PWD
+    # This option is needed for openssl-3 compatibility
+    # Otherwise we encounter this upstream issue: https://github.com/mastodon/mastodon/issues/17924
+    export NODE_OPTIONS=--openssl-legacy-provider
+
+    export YARN_ENABLE_TELEMETRY=0
+    mkdir -p ~/.yarn/berry
+    ln -sf $yarnOfflineCache ~/.yarn/berry/cache
+
+    yarn install --immutable --immutable-cache
+
+    patchShebangs ~/bin
+    patchShebangs ~/node_modules
+
+    # skip running yarn install
+    rm -rf ~/bin/yarn
+
+    OTP_SECRET=precompile_placeholder \
+    SECRET_KEY_BASE=precompile_placeholder \
+    ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
+    ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
+    ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
+      rails assets:precompile
+    yarn cache clean
+    rm -rf ~/node_modules/.cache
+
+    # Create missing static gzip and brotli files
+    gzip --best --keep ~/public/assets/500.html
+    gzip --best --keep ~/public/packs/report.html
+    find ~/public/assets -maxdepth 1 -type f -name '.*.json' \
+      -exec gzip --best --keep --force {} ';'
+    brotli --best --keep ~/public/packs/report.html
+    find ~/public/assets -type f -regextype posix-extended -iregex '.*\.(css|js|json|html)' \
+      -exec brotli --best --keep {} ';'
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/public
+    cp -r node_modules $out/node_modules
+    cp -r public/assets $out/public
+    cp -r public/packs $out/public
+
+    runHook postInstall
+  '';
+}

pkgs/glitch-soc/source.nix

@@ -0,0 +1,23 @@
+{ lib, applyPatches, fetchFromGitHub, patches ? [ ], postPatch ? "", yarn-berry
+, gawk, gnused, }:
+(applyPatches {
+  src = fetchFromGitHub {
+    owner = "glitch-soc";
+    repo = "mastodon";
+    rev = "a8e6f5e656a9f46377b05d288654c1ba86bb858f";
+    hash = "sha256-EP+43scB5+cpmL3yM8TLAWSb7PbZQpdhOwewXae+FnI=";
+  };
+  inherit patches;
+  nativeBuildInputs = [ gawk gnused ];
+  postPatch = postPatch
+    + lib.optionalString (lib.versionAtLeast yarn-berry.version "4.1.0") ''
+      # this is for yarn starting with 4.1.0 because fuck everything amirite
+      # see also https://github.com/yarnpkg/berry/pull/6083
+      echo "patching cachekey in yarn.lock"
+      cacheKey="$(awk -e '/cacheKey:/ {print $2}' yarn.lock)"
+      sed -i -Ee 's|^  checksum: ([^/]*)$|  checksum: '$cacheKey'/\1|g;' yarn.lock
+    '';
+}) // {
+  version = "unstable-2024-05-30";
+  yarnHash = "sha256-BNk6xMx11QYQQ8occYU1HJ6z/AuF2UeDRzJwgAFb0XQ=";
+}

pkgs/glitch-soc/tl-replacer/default.nix

@@ -0,0 +1,13 @@
+{ stdenv, ruby }:
+
+stdenv.mkDerivation {
+  pname = "tl-replacer";
+  version = "0.2";
+  src = ./.;
+
+  buildInputs = [ ruby ];
+  installPhase = ''
+    mkdir -p $out
+    cp -r $src/tl-replacer* $out
+  '';
+}

pkgs/glitch-soc/tl-replacer/tl-replacer

@@ -0,0 +1,57 @@
+#!/usr/bin/ruby
+require 'json'
+require 'yaml'
+require 'pp'
+
+config = YAML.load_file(ARGV[0])
+def update_translations(hash, replacements)
+    hash.reduce({}) do |acc, (key,value)|
+        if value.is_a?(Hash)
+            acc[key] = update_translations(value, replacements)
+        elsif value.is_a?(String)
+            replacements.to_a.sort_by do |x| 0-x[0].length end.each do |from, to|
+                if value.match?(from) then
+                    value.gsub!(from, to)
+                end
+            end
+            acc[key] = value
+        end
+        acc
+    end
+end
+
+config["paths"].each do |dir|
+    Dir.entries(dir).each do |fname|
+        config["replacements"].each do |lang, conf|
+            conf["filename-patterns"].each do |pattern|
+                if File.fnmatch?(pattern, fname) then
+                    config["types"]["yaml"].each do |type_ext|
+                        if File.extname(fname) == type_ext then
+                            fpath = File.join(dir, fname)
+                            puts " .... updating #{fpath}"
+                            tl = YAML.load_file(fpath)
+                            tl = update_translations(tl, conf["strings"])
+
+                            File.open(fpath, 'w') do |file|
+                                file.write(tl.to_yaml(options = {:line_width => -1}))
+                            end
+                        end
+                    end
+
+                    config["types"]["json"].each do |type_ext|
+                        if File.extname(fname) == type_ext then
+                            fpath = File.join(dir, fname)
+                            puts " .... updating #{fpath}"
+                            tl = JSON.load_file(fpath)
+                            tl = update_translations(tl, conf["strings"])
+
+                            File.open(fpath, 'w') do |file|
+                                file.write(JSON.pretty_generate(tl))
+                            end
+                        end
+                    end
+                end
+            end
+        end
+    end
+end

pkgs/glitch-soc/tl-replacer/tl-replacer.yaml

@@ -0,0 +1,50 @@
+paths:
+  - "app/javascript/flavours/glitch/locales"
+  - "app/javascript/mastodon/locales"
+  - "config/locales-glitch"
+  - "config/locales"
+types:
+  "yaml":
+    - ".yml"
+    - ".yaml"
+  "json":
+    - ".json"
+replacements:
+  en:
+    filename-patterns:
+      - "en*.*"
+      - "*.en*.*"
+    strings:
+      "posts": "meows"
+      "post": "meow"
+      "Posts": "Meows"
+      "Post": "Meow"
+  pl:
+    filename-patterns:
+      - "pl.*"
+      - "*.pl.*"
+    strings:
+      "Ostatni post": "Ostatnie miauknięcie"
+      "Ten wpis nie będzie widoczny pod podanymi hasztagami, ponieważ jest oznaczony jako niepubliczny.": "To miauknięcie nie będzie widoczne pod podanymi hasztagami, ponieważ jest oznaczone jako niepubliczne."
+      "ten wpis": "to miauknięcie"
+      "Ten wpis": "To miauknięcie"
+      "Twój wpis": "Twoje miauknięcie"
+      "Twój post został podbity": "Twoje miauknięcie zostało podbite"
+      "nowy wpis": "nowe miauknięcie"
+      "swój pierwszy post": "swoje pierwsze miauknięcie"
+      "Ten wpis nie może zostać podbity": "To miauknięcie nie może zostać podbite"
+      "Post": "Miauknięcie"
+      "post": "miauknięcie"
+      "Posty": "Miauknięcia"
+      "posty": "miauknięcia"
+      "postów": "miauknięć"
+      "Wpis": "Miauknięcie"
+      "Wpisy": "Miauknięcia"
+      "wpis": "miauknięcie"
+      "wpisy": "miauknięcia"
+      "wpisach": "miauknięciach"
+      "wpisów": "miauknięć"
+      "wpisu": "miauknięcia"
+      "wpisie": "miauknięciu"
+      "Opublikuj": "Miauknij"
+      "wzmianki": "miauknięcia"

pkgs/glitch-soc/update-emoji-patch.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl jq nix-prefetch
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+# kinda hacky? seems to work fine though :3
+echo -e "# autogenerated file\n{fetchpatch, fetchurl}: {\n  patches = [" > emoji.nix
+curl 'https://api.github.com/repos/glitch-soc/mastodon/pulls/2462/commits' | jq -r 'map(.sha) | .[]' | while read sha; do
+	url="https://github.com/glitch-soc/mastodon/pull/2462/commits/$sha.patch"
+	hash="$(nix-prefetch fetchpatch --url "$url")"
+	echo -e '    (fetchpatch {\n      url =\n        "'$url'";\n      hash = "'$hash'";\n    })' >> emoji.nix
+done
+echo -e '  ];\n  files = [' >> emoji.nix
+curl 'https://api.github.com/repos/glitch-soc/mastodon/pulls/2462/files?per_page=100' | jq -c 'map(select(has("patch")|not) | {name:.filename,url:.raw_url}) | .[]' | while read json; do
+	name="$(jq -r '.name' <<<"$json")"
+	url="$(jq -r '.url' <<<"$json")"
+	hash="$(nix-prefetch fetchurl --url "$url")"
+	echo -e '    {\n      src = fetchurl {\n        url =\n          "'$url'";\n        hash = "'$hash'";\n      };\n      name = "'$name'";\n    }' >> emoji.nix
+done
+echo -e '  ];\n}' >> emoji.nix

pkgs/glitch-soc/update.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p curl jq coreutils nix-prefetch-github gnused bundix prefetch-yarn-deps
+
+set -e
+
+cd "$(dirname "$0")"
+
+commit="$(curl -SsL "$1")"
+rev="$(jq -r '.commit.sha' <<<"$commit")"
+date="$(jq -r '.commit.commit.committer.date' <<<"$commit")"
+date="$(date --date="$date" --iso-8601=date)"
+echo "current commit is $rev, prefetching..."
+
+hash="$(nix-prefetch-github glitch-soc mastodon --rev "$rev" | jq -r '.hash')"
+
+sed -i -Ee "s|^( *rev = )\".*\";|\\1\"$rev\";|g;" ./source.nix
+sed -i -Ee "s|^( *hash = )\".*\";|\\1\"$hash\";|g;" ./source.nix
+sed -i -Ee "s|^( *version = )\".*\";|\\1\"unstable-$date\";|g;" ./source.nix
+
+echo "building source"
+srcdir="$(nix-build --no-out-link -E '(import <nixpkgs> {}).callPackage ./source.nix {}')"
+
+echo "creating gemset"
+rm -f gemset.nix
+bundix --lockfile $srcdir/Gemfile.lock --gemfile $srcdir/Gemfile
+echo "" >> gemset.nix
+
+# TODO: find a way to automate this
+sed -i -Ee "s|^( *yarnHash = )\".*\";|\\1\"\";|g;" ./source.nix
+# echo "creating yarn hash"
+# hash="$(prefetch-yarn-deps $srcdir/yarn.lock)"
+# hash="$(nix hash --to-sri --type sha256 "$hash")"
+# sed -i -Ee "s|^( *yarnHash = )\".*\";|\\1\"$hash\";|g;' ./source.nix
+
+./update-emoji-patch.sh

pkgs/glitch-soc/yarn.nix

@@ -0,0 +1,35 @@
+{ stdenvNoCC, yarn-berry, cacert, src, hash, }:
+stdenvNoCC.mkDerivation {
+  name = "yarn-deps";
+  nativeBuildInputs = [ yarn-berry cacert ];
+  inherit src;
+
+  dontInstall = true;
+
+  NODE_EXTRA_CA_CERTS = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+
+  buildPhase = ''
+    mkdir -p $out
+
+    export HOME=$(mktemp -d)
+    echo $HOME
+
+    export YARN_ENABLE_TELEMETRY=0
+    export YARN_COMPRESSION_LEVEL=0
+
+    cache="$(yarn config get cacheFolder)"
+    if ! yarn install --immutable --mode skip-build; then
+      cp yarn.lock yarn.lock.bak
+      yarn install --mode skip-build
+      diff -u yarn.lock.bak yarn.lock > yarn.lock.diff
+      echo "yarn build failed! diff generated as yarn.lock.diff"
+      exit 1
+    fi
+
+    cp -r $cache/* $out/
+  '';
+
+  outputHashAlgo = "sha256";
+  outputHash = hash;
+  outputHashMode = "recursive";
+}

pkgs/linux_rpi/linux-rpi.nix

@@ -0,0 +1,77 @@
+{ stdenv, lib, buildPackages, fetchFromGitHub, perl, buildLinux, rpiVersion, ...
+}@args:
+
+let
+  # NOTE: raspberrypifw & raspberryPiWirelessFirmware should be updated with this
+  modDirVersion = "6.1.73";
+  tag = "stable_20240124";
+in lib.overrideDerivation (buildLinux (args // {
+  version = "${modDirVersion}-${tag}";
+  inherit modDirVersion;
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "linux";
+    rev = tag;
+    hash = "sha256-P4ExzxWqZj+9FZr9U2tmh7rfs/3+iHEv0m74PCoXVuM=";
+  };
+
+  defconfig = {
+    "1" = "bcmrpi_defconfig";
+    "2" = "bcm2709_defconfig";
+    "3" = if stdenv.hostPlatform.isAarch64 then
+      "bcmrpi3_defconfig"
+    else
+      "bcm2709_defconfig";
+    "4" = "bcm2711_defconfig";
+    "5" = "bcm2712_defconfig";
+  }.${toString rpiVersion};
+
+  features = { efiBootStub = false; } // (args.features or { });
+
+  extraMeta = if (rpiVersion < 3) then {
+    platforms = with lib.platforms; arm;
+    hydraPlatforms = [ ];
+  } else {
+    platforms = with lib.platforms; arm ++ aarch64;
+    hydraPlatforms = [ "aarch64-linux" ];
+  };
+} // (args.argsOverride or { }))) (oldAttrs: {
+  postConfigure = ''
+    # The v7 defconfig has this set to '-v7' which screws up our modDirVersion.
+    sed -i $buildRoot/.config -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
+    sed -i $buildRoot/include/config/auto.conf -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
+  '';
+
+  # Make copies of the DTBs named after the upstream names so that U-Boot finds them.
+  # This is ugly as heck, but I don't know a better solution so far.
+  postFixup = ''
+    dtbDir=${if stdenv.isAarch64 then "$out/dtbs/broadcom" else "$out/dtbs"}
+    rm $dtbDir/bcm283*.dtb
+    copyDTB() {
+      cp -v "$dtbDir/$1" "$dtbDir/$2"
+    }
+  '' + lib.optionalString
+    (lib.elem stdenv.hostPlatform.system [ "armv6l-linux" ]) ''
+      copyDTB bcm2708-rpi-zero-w.dtb bcm2835-rpi-zero.dtb
+      copyDTB bcm2708-rpi-zero-w.dtb bcm2835-rpi-zero-w.dtb
+      copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-a.dtb
+      copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-b.dtb
+      copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-b-rev2.dtb
+      copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-a-plus.dtb
+      copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-b-plus.dtb
+      copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-zero.dtb
+      copyDTB bcm2708-rpi-cm.dtb bcm2835-rpi-cm.dtb
+    '' + lib.optionalString
+    (lib.elem stdenv.hostPlatform.system [ "armv7l-linux" ]) ''
+      copyDTB bcm2709-rpi-2-b.dtb bcm2836-rpi-2-b.dtb
+    '' + lib.optionalString
+    (lib.elem stdenv.hostPlatform.system [ "armv7l-linux" "aarch64-linux" ]) ''
+      copyDTB bcm2710-rpi-zero-2.dtb bcm2837-rpi-zero-2.dtb
+      copyDTB bcm2710-rpi-3-b.dtb bcm2837-rpi-3-b.dtb
+      copyDTB bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-a-plus.dtb
+      copyDTB bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-b-plus.dtb
+      copyDTB bcm2710-rpi-cm3.dtb bcm2837-rpi-cm3.dtb
+      copyDTB bcm2711-rpi-4-b.dtb bcm2838-rpi-4-b.dtb
+    '';
+})

pkgs/mastodonUpdate.nix

@@ -0,0 +1,13 @@
+{ runtimeShell, writeScriptBin, mastodon, symlinkJoin }:
+
+let
+  name = "mastodon-update.sh";
+  script = writeScriptBin name ''
+    #!${runtimeShell}
+    exec ${mastodon.updateScript} "$@"
+  '';
+
+in symlinkJoin {
+  inherit name;
+  paths = [ script ];
+}

pkgs/minecraft-overviewer.nix

@@ -0,0 +1,44 @@
+{ fetchFromGitHub, pkgs, buildPythonPackage, python3Packages, python3, ... }:
+
+buildPythonPackage rec {
+  pname = "Minecraft-Overviewer";
+  version = "2024-03-15";
+  format = "other";
+
+  propagatedBuildInputs = with pkgs;
+    [ pipreqs ] ++ (with python3Packages; [
+      pillow_with_headers
+      altgraph
+      certifi
+      charset-normalizer
+      docopt
+      idna
+      importlib-metadata
+      nbtlib
+      numpy
+      packaging
+      pefile
+      requests
+      urllib3
+      yarg
+      zipp
+    ]);
+
+  buildInputs = with python3Packages; [ setuptools ];
+
+  buildPhase = ''
+    export CFLAGS="-I${python3Packages.pillow_with_headers}/include/libImaging"
+    ${python3.interpreter} setup.py build
+  '';
+
+  installPhase = ''
+    ${python3.interpreter} setup.py install --prefix=$out --install-lib=$out/${python3.sitePackages}
+  '';
+
+  src = fetchFromGitHub {
+    owner = "GregoryAM-SP";
+    repo = "The-Minecraft-Overviewer";
+    rev = "4deb15d2cfbaaff7327a39b1e24d03eb4f7878ec";
+    sha256 = "sha256-8YCZ7pk0Rj7wAT5DqGZmNsSI5qQWx5By+1G73yUsAQw=";
+  };
+}

pkgs/notbot.nix

@@ -0,0 +1,17 @@
+{ fetchFromGitea, buildGoModule, ... }:
+
+buildGoModule rec {
+  pname = "notbot";
+  version = "0.0.3";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "arachnist";
+    repo = pname;
+    rev = "195b12bdba2d579533e00de9c9dce52ece0bc562";
+    sha256 = "cHy1TSUI2KfZyaZMXJibT4G/HwcBhPKQF6ftJpilRCQ=";
+  };
+
+  vendorHash = "sha256-gi6mrJW65tfWYScwRlPSvBartqfvVlGbR9GWfj9G4xE=";
+  proxyVendor = true;
+}

pkgs/pillow-with-headers.nix

@@ -0,0 +1,8 @@
+{ python3Packages, ... }:
+
+python3Packages.pillow.overrideAttrs (_: {
+  postInstall = ''
+    mkdir -p $out/include/libImaging
+    cp src/libImaging/*.h $out/include/libImaging
+  '';
+})

pkgs/raspberrypi-wireless/default.nix

@@ -0,0 +1,60 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation {
+  pname = "raspberrypi-wireless-firmware";
+  version = "unstable-2023-11-15";
+
+  srcs = [
+    (fetchFromGitHub {
+      name = "bluez-firmware";
+      owner = "RPi-Distro";
+      repo = "bluez-firmware";
+      rev = "d9d4741caba7314d6500f588b1eaa5ab387a4ff5";
+      hash = "sha256-CjbZ3t3TW/iJ3+t9QKEtM9NdQU7SwcUCDYuTmFEwvhU=";
+    })
+    (fetchFromGitHub {
+      name = "firmware-nonfree";
+      owner = "RPi-Distro";
+      repo = "firmware-nonfree";
+      rev = "3db4164cfd89e6d9afb7ebc87607b792651512df";
+      hash = "sha256-Yynww79LPPkau4YDSLI6IMOjH64nMpHUdGjnCfIR2+M=";
+    })
+  ];
+
+  sourceRoot = ".";
+
+  dontBuild = true;
+  # Firmware blobs do not need fixing and should not be modified
+  dontFixup = true;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p "$out/lib/firmware/brcm"
+
+    # Wifi firmware
+    cp -rv "$NIX_BUILD_TOP/firmware-nonfree/debian/config/brcm80211/." "$out/lib/firmware/"
+
+    # Bluetooth firmware
+    cp -rv "$NIX_BUILD_TOP/bluez-firmware/debian/firmware/broadcom/." "$out/lib/firmware/brcm"
+
+    # brcmfmac43455-sdio.bin is a symlink to the non-existent path: ../cypress/cyfmac43455-sdio.bin.
+    # See https://github.com/RPi-Distro/firmware-nonfree/issues/26
+    ln -s "./cyfmac43455-sdio-standard.bin" "$out/lib/firmware/cypress/cyfmac43455-sdio.bin"
+
+    pushd $out/lib/firmware/brcm &>/dev/null
+    # Symlinks for Zero 2W
+    ln -s "./brcmfmac43436-sdio.clm_blob" "$out/lib/firmware/brcm/brcmfmac43430b0-sdio.clm_blob"
+    popd &>/dev/null
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description =
+      "Firmware for builtin Wifi/Bluetooth devices in the Raspberry Pi 3+ and Zero W";
+    homepage = "https://github.com/RPi-Distro/firmware-nonfree";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lopsided98 ];
+  };
+}

pkgs/raspberrypi/armstubs.nix

@@ -0,0 +1,52 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+let inherit (lib) optionals;
+in stdenv.mkDerivation {
+  pname = "raspberrypi-armstubs";
+  version = "unstable-2022-07-11";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "tools";
+    rev = "439b6198a9b340de5998dd14a26a0d9d38a6bcac";
+    hash =
+      "sha512-KMHgj73eXHT++IE8DbCsFeJ87ngc9R3XxMUJy4Z3s4/MtMeB9zblADHkyJqz9oyeugeJTrDtuVETPBRo7M4Y8A==";
+  };
+
+  env.NIX_CFLAGS_COMPILE = toString [ "-march=armv8-a+crc" ];
+
+  preConfigure = ''
+    cd armstubs
+  '';
+
+  makeFlags = [
+    "CC8=${stdenv.cc.targetPrefix}cc"
+    "LD8=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY8=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP8=${stdenv.cc.targetPrefix}objdump"
+    "CC7=${stdenv.cc.targetPrefix}cc"
+    "LD7=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY7=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP7=${stdenv.cc.targetPrefix}objdump"
+  ] ++ optionals stdenv.isAarch64 [ "armstub8.bin" "armstub8-gic.bin" ]
+    ++ optionals stdenv.isAarch32 [
+      "armstub7.bin"
+      "armstub8-32.bin"
+      "armstub8-32-gic.bin"
+    ];
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -vp $out/
+    cp -v *.bin $out/
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware related ARM stubs for the Raspberry Pi";
+    homepage = "https://github.com/raspberrypi/tools";
+    license = licenses.bsd3;
+    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ samueldr ];
+  };
+}

pkgs/raspberrypi/default.nix

@@ -0,0 +1,37 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation rec {
+  # NOTE: this should be updated with linux_rpi
+  pname = "raspberrypi-firmware";
+  # raspberrypi/firmware no longers tag the releases. However, since each commit
+  # on the stable branch corresponds to a tag in raspberrypi/linux repo, we
+  # assume they are cut together.
+  version = "stable_20240124";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "firmware";
+    rev = "4649b6d52005b52b1d23f553b5e466941bc862dc";
+    hash = "";
+  };
+
+  installPhase = ''
+    mkdir -p $out/share/raspberrypi/
+    mv boot "$out/share/raspberrypi/"
+  '';
+
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  meta = with lib; {
+    description = "Firmware for the Raspberry Pi board";
+    homepage = "https://github.com/raspberrypi/firmware";
+    license =
+      licenses.unfreeRedistributableFirmware; # See https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
+    maintainers = with maintainers; [ dezgeg ];
+    # Hash mismatch on source, mystery.
+    # Maybe due to https://github.com/NixOS/nix/issues/847
+    broken = stdenvNoCC.isDarwin;
+  };
+}

pkgs/rpi5-arm-tf.nix

@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchFromGitHub, runCommand, buildPackages, pkgsCross, openssl }:
+
+stdenv.mkDerivation rec {
+  name = "arm-trusted-firmware-rpi5";
+  version = "20240316";
+
+  src = fetchFromGitHub {
+    owner = "worproject";
+    repo = "arm-trusted-firmware";
+    rev = "682607fbd775e37fb5631508434dab9e60220c9a";
+    hash = "sha256-Kdn9xJtHhwxvqpzC6osW2xWdZrlOmowaxBLPYGmtHYQ=";
+  };
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ pkgsCross.arm-embedded.stdenv.cc ];
+
+  makeFlags = [
+    "HOSTCC=$(CC_FOR_BUILD)"
+    "AS=$(CC_FOR_BUILD)"
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+    # binutils 2.39 regression
+    # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
+    # See also: https://developer.trustedfirmware.org/T996
+    "LDFLAGS=-no-warn-rwx-segments"
+
+    "PLAT=rpi5"
+    "PRELOADED_BL33_BASE=0x20000"
+    "RPI3_PRELOADED_DTB_BASE=0x1F0000"
+    "SUPPORT_VFP=1"
+    "SMC_PCI_SUPPORT=1"
+  ];
+
+  filesToInstall = [ "build/rpi5/release/*" ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp -r ${lib.concatStringsSep " " filesToInstall} $out
+
+    runHook postInstall
+  '';
+
+  hardeningDisable = [ "all" ];
+  dontStrip = true;
+}

pkgs/rpi5-dtb.nix

@@ -0,0 +1,26 @@
+{ stdenv, fetchurl, ... }:
+
+let
+  dtbVersion = "1e403e23baab5673f0494a200f57cd01287d5b1a";
+  fileName = "bcm2712-rpi-5-b.dtb";
+in stdenv.mkDerivation {
+  pname = "rpi5-dtb";
+  version = "20240316";
+
+  src = fetchurl {
+    url =
+      "https://github.com/raspberrypi/firmware/raw/${dtbVersion}/boot/${fileName}";
+    hash = "sha256-xUMqzINz+mMR4UciG4ulyGhblXcwr6x1ksXerCsn5zI=";
+  };
+
+  phases = [ "installPhase" ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/
+    cp $src $out/${fileName}
+
+    runHook postInstall
+  '';
+}

pkgs/rpi5-edk2-tools.nix

@@ -0,0 +1,58 @@
+{ lib, stdenv, fetchFromGitHub, openssl, buildPackages, runCommand, clangStdenv
+, fetchpatch, libuuid, python3 }:
+
+let
+  srcWithVendoring = fetchFromGitHub {
+    owner = "worproject";
+    repo = "rpi5-uefi";
+    rev = "c1ca184c608dca75a346cc56b8eaf42648d83e86";
+    fetchSubmodules = true;
+    hash = "sha256-mGMqgJXsEFq79aHes8HUGcKrfbGjeAHTA/xzbq5qURs=";
+  };
+  pythonEnv = buildPackages.python3.withPackages (ps: [ ps.tkinter ]);
+in stdenv.mkDerivation {
+  name = "rpi5-edk2-tools";
+  version = "20240316";
+
+  # We don't want EDK2 to keep track of OpenSSL,
+  # they're frankly bad at it.
+  src = runCommand "edk2-unvendored-src" { } ''
+    cp --no-preserve=mode -r ${srcWithVendoring} $out
+    rm -rf $out/edk2/CryptoPkg/Library/OpensslLib/openssl
+    mkdir -p $out/edk2/CryptoPkg/Library/OpensslLib/openssl
+    tar --strip-components=1 -xf ${buildPackages.openssl.src} -C $out/edk2/CryptoPkg/Library/OpensslLib/openssl
+    chmod -R +w $out/
+
+    # Fix missing INT64_MAX include that edk2 explicitly does not provide
+    # via it's own <stdint.h>. Let's pull in openssl's definition instead:
+    sed -i $out/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/property/property_parse.c \
+        -e '1i #include "internal/numbers.h"'
+  '';
+
+  nativeBuildInputs = [ pythonEnv ];
+  depsBuildBuild = [ buildPackages.stdenv.cc buildPackages.bash ];
+  depsHostHost = [ libuuid ];
+  strictDeps = true;
+
+  # trick taken from https://src.fedoraproject.org/rpms/edk2/blob/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/edk2.spec#_319
+  GCC5_AARCH64_PREFIX = stdenv.cc.targetPrefix;
+
+  makeFlags = [ "-C edk2/BaseTools" "-j 14" ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-return-type"
+    + lib.optionalString stdenv.cc.isGNU " -Wno-error=stringop-truncation"
+    + lib.optionalString stdenv.isDarwin " -Wno-error=macro-redefined";
+
+  hardeningDisable = [ "format" "fortify" ];
+
+  installPhase = ''
+    mkdir -vp $out
+    mv -v edk2/BaseTools $out
+    mv -v edk2/edksetup.sh $out
+    # patchShebangs fails to see these when cross compiling
+    for i in $out/BaseTools/BinWrappers/PosixLike/*; do
+      substituteInPlace $i --replace '/usr/bin/env bash' ${buildPackages.bash}/bin/bash
+      chmod +x "$i"
+    done
+  '';
+}

pkgs/rpi5-uefi-bin.nix

@@ -0,0 +1,25 @@
+{ stdenv, lib, fetchzip }:
+
+let version = "v0.3";
+in stdenv.mkDerivation {
+  pname = "rpi5-uefi-bin";
+  inherit version;
+
+  src = fetchzip {
+    url =
+      "https://github.com/worproject/rpi5-uefi/releases/download/${version}/RPi5_UEFI_Release_${version}.zip";
+    sha256 = "sha256-bjEvq7KlEFANnFVL0LyexXEeoXj7rHGnwQpq09PhIb0=";
+    stripRoot = false;
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/boot
+    mv ./* $out/boot
+
+    runHook postInstall
+  '';
+
+  meta = with lib; { description = "EDK2 port for raspberry pi 5"; };
+}

pkgs/rpi5-uefi.nix

@@ -0,0 +1,60 @@
+{ lib, stdenv, openssl, pkgsCross, buildPackages, runCommand, rpi5-arm-tf
+, rpi5-edk2-tools, libuuid, python3, bc, util-linux, nasm, acpica-tools }:
+
+let pythonEnv = buildPackages.python3.withPackages (ps: [ ps.tkinter ]);
+in stdenv.mkDerivation rec {
+  pname = "rpi5-uefi";
+
+  inherit (rpi5-edk2-tools) src version;
+
+  nativeBuildInputs = [ bc pythonEnv util-linux nasm acpica-tools ];
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  strictDeps = true;
+
+  # trick taken from https://src.fedoraproject.org/rpms/edk2/blob/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/edk2.spec#_319
+  GCC5_AARCH64_PREFIX = stdenv.cc.targetPrefix;
+
+  env.NIX_CFLAGS_COMPILE = toString [ "-Wformat" ];
+
+  prePatch = ''
+    rm -rf edk2/BaseTools
+    ln -sv ${rpi5-edk2-tools}/BaseTools edk2/BaseTools
+
+    sed -i -e '/ACPI_SD_LIMIT_UHS_DEFAULT/s/TRUE/FALSE/' edk2-platforms/Platform/RaspberryPi/RPi5/Drivers/RpiPlatformDxe/ConfigTable.h
+    sed -i -e '/default\s*= SYSTEM_TABLE_MODE_ACPI/s/SYSTEM_TABLE_MODE_ACPI/SYSTEM_TABLE_MODE_BOTH/' edk2-platforms/Platform/RaspberryPi/RPi5/Drivers/RpiPlatformDxe/RpiPlatformDxeHii.vfr
+    sed -i -e '/"SystemTableMode"/s/0$/1/' edk2-platforms/Platform/RaspberryPi/RPi5/RPi5.dsc
+  '';
+
+  configurePhase = ''
+    runHook preConfigure
+    export WORKSPACE="$PWD"
+    export PACKAGES_PATH=$WORKSPACE/edk2:$WORKSPACE/edk2-platforms:$WORKSPACE/edk2-non-osi
+
+    . $WORKSPACE/edk2/edksetup.sh BaseTools
+    runHook postConfigure
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    build -a AARCH64 \
+      -b RELEASE \
+      -t GCC \
+      -p edk2-platforms/Platform/RaspberryPi/RPi5/RPi5.dsc \
+      -D TFA_BUILD_ARTIFACTS=${rpi5-arm-tf} \
+      --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVersionString=L"${version}" \
+      -n $NIX_BUILD_CORES $buildFlags
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    mv -v Build/RPi5/RELEASE_GCC/FV/RPI_EFI.fd $out/
+    mv -v config.txt $out/
+
+    runHook postInstall
+  '';
+}

secrets.nix

@@ -1,49 +1,103 @@
-let
-  ar_khas =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas";
-  ar_microlith =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6rEwERSm/Fj4KO4SxFIo0BUvi9YNyf8PSL1FteMcMt ar@microlith";
-  ar = [ ar_khas ar_microlith ];
-
-  scylla =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1X7EaPNfLhWH32IAyaZj2dhJz+QLnyGuXPCZUYRTjg";
-  khas =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6VxPqJHYKmVB5d7bd6vuRqBNKXV1fo2R/WvdSF77xa";
-  zorigami =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/7CsIWlJH2F0VQpgsGgZOQeAd7Zh98WpCvmTyXCTty";
-  stereolith =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVuDOcKE8ANKGjd6kfFH1qLLzLwg91o0exJ0isIEw4O";
-  microlith =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDghNuH/3G+0BXwrBZWZXX0V3K0tfu/Q/AKokLXY5zTD";
+let meta = import ./meta.nix;
 in {
 
-  "secrets/secureboot-key.age".publicKeys = ar ++ [ khas microlith ];
-  "secrets/secureboot-cert.age".publicKeys = ar ++ [ khas microlith ];
-  "secrets/khas-ar.age".publicKeys = ar ++ [ khas ];
-  "secrets/microlith-ar.age".publicKeys = ar ++ [ microlith ];
-  "secrets/wg/nibylandia_scylla.age".publicKeys = ar ++ [ scylla ];
-  "secrets/wg/dn42_w1kl4s_scylla.age".publicKeys = ar ++ [ scylla ];
-  "secrets/lan/nibylandia-ddns-kea.age".publicKeys = ar ++ [ scylla ];
-  "secrets/lan/nibylandia-ddns-bind.age".publicKeys = ar ++ [ scylla ];
-  "secrets/nextCloudAdmin.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/nextCloudExporter.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/norkclubMinecraftRestic.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/cassAuth.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/miniflux.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/stuffAuth.age".publicKeys = ar ++ [ stereolith ];
-  "secrets/wg/nibylandia_zorigami.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/ar.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/apo.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/mastodon.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/mastodonPlain.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/madargon.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/enki.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/matrix.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/vaultwarden.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/vaultwardenPlain.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/keycloak.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/keycloakPlain.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/keycloakDatabase.age".publicKeys = ar ++ [ zorigami ];
-
-  inherit ar;
+  "secrets/secureboot-key.age".publicKeys = meta.users.ar ++ (with meta.hosts; [
+    khas.publicKey
+    microlith.publicKey
+    zorigami.publicKey
+    scylla.publicKey
+  ]);
+  "secrets/secureboot-cert.age".publicKeys = meta.users.ar
+    ++ (with meta.hosts; [
+      khas.publicKey
+      microlith.publicKey
+      zorigami.publicKey
+      scylla.publicKey
+    ]);
+  "secrets/khas-ar.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.khas.publicKey ];
+  "secrets/microlith-ar.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.microlith.publicKey ];
+  "secrets/amanojaku-ar.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.amanojaku.publicKey ];
+  "secrets/nix-store.age".publicKeys = meta.users.ar ++ (with meta.hosts; [
+    zorigami.publicKey
+    scylla.publicKey
+    stereolith.publicKey
+    khas.publicKey
+    microlith.publicKey
+    akamanto.publicKey
+    amanojaku.publicKey
+    tsukumogami.publicKey
+  ]);
+  "secrets/wg/nibylandia_scylla.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.scylla.publicKey ];
+  "secrets/wg/dn42_w1kl4s_scylla.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.scylla.publicKey ];
+  "secrets/lan/nibylandia-ddns-kea.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.scylla.publicKey ];
+  "secrets/lan/nibylandia-ddns-bind.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.scylla.publicKey ];
+  "secrets/notbotEnvironment.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/nextCloudAdmin.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/nextCloudExporter.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/norkclubMinecraftRestic.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/cassAuth.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/miniflux.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/stuffAuth.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.stereolith.publicKey ];
+  "secrets/wg/nibylandia_zorigami.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/ar.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/apo.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/mastodon.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/mastodonPlain.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/madargon.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/enki.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/matrix.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/vaultwarden.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/vaultwardenPlain.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/keycloak.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mail/keycloakPlain.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/keycloakDatabase.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/synapseExtraConfig.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/mastodon-activerecord.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/gitea-runner-token-zorigami.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/gitea-runner-token-scylla.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.scylla.publicKey ];
+  "secrets/github-runner-token-zorigami.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/github-runner-token-scylla.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.scylla.publicKey ];
+  "secrets/ci-secrets.age".publicKeys = meta.users.ar ++ (with meta.hosts; [
+    scylla.publicKey
+    zorigami.publicKey
+  ]); # TODO: we're not getting ssh keys for the generated disk image, so we need to embed it at disk image build time
+  "secrets/acme-zorigami-zajeba.li.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/automata.of-a.cat-matrix_key.pem.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
+  "secrets/automata.of-a.cat-matrix_env.age".publicKeys = meta.users.ar
+    ++ [ meta.hosts.zorigami.publicKey ];
 }

secrets/acme-zorigami-zajeba.li.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg qZRPbk9d9AHVVQfrsee+nPmCPfTc3cYMkIBy2lmbRBg
+KzBbIvpyFjQUYe7dtX1t0XV5wG5uwlEriXg+YrCvQ0w
+-> ssh-ed25519 grc4Uw bQii+4HNWJCp61FotQgZmGJm0slw/qmdk58+5ZmSXBU
+PE+2xj+WXqpf6ii5ePFX7gzomyEC/4VN5TKs2oJay+8
+-> ssh-ed25519 DLT88w 1TKVTSJ+CRKLG7GtcH9PXoQzXiNsINvkkzMN7cd0tkM
+SKmAoLbKZIsfkM0XmpERUKJd2J3eeT2gk98lA5QwxdI
+--- pR/aFqnbRFfJQ186q78Ep89Cx6uSDkuKnrAgaX21CKY
+¶5—Al%¤E‘JZ|t©¸ˆ†ãRÒ 	óG9—…tÇmɤNêB
…¤ôðË`¨ƒÚNeøvPC… 5
F³ÅÍÁ<C38D>.ö‰vö

secrets/amanojaku-ar.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg 3BLa5nyoJ/NDHVV8qId8zHZ9IcsYh9aMVWY1RFz+Ogo
+r+KUlNBmE9U1vh9VakJt1LeagcBsmTzPCRKKfwp43bs
+-> ssh-ed25519 grc4Uw pcT3wOLIvf/nshtHz1ZZTN4fME9SaupbY6v+IqlmhUo
+BEA2AH/USvWyeghI5BFfyHY0NSRoaHUyzC+DlTvF/GM
+-> ssh-ed25519 IPKcYQ wm4RkXqcXbHtawYx78yxos2X8mtwR7gsvEqR24YZI2g
+gnSGAI77WrGxjI79hH3BsEzBqYCFwIV2oxwPiYXDIc8
+--- teX5jt7yekDMwim5HmU2Us6N7PzlMOKisxdST701o3M
+Læ—]˜M6Wˆ–àÚ<C3A0>Ó×êDä,;Í{U?eŨkPêît¨â(ÌÓbóÚ¦¼ß“‹Ž
Ñ¿wQ<0E>ÅyÜ2åê›ëhŸì©æ;Î’•Œ÷wkœNo3ºnäAêöÈ*¡·

secrets/automata.of-a.cat-matrix_env.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg anzcoH0kLJb2Azom1hBIT1eVbzv1yctL3l6c8gfjwzk
+DDhgP/3+hIROP4d8xQ2apBDB6WTmXb3Q9AcEYdIeUIM
+-> ssh-ed25519 grc4Uw La7w09KGxP8xifVbikW83CJdhMA5ufgZLX6e0kQ6Gl0
+fxyMY6lq+OpU6HmUxr9SgZ4JDbWgWN9LAjSbFklU5o4
+-> ssh-ed25519 DLT88w v4qUHpFJK918iuY3IyRxIOZpWbpaL6OpRKBVU7pEET4
+/nRHMyt5B3wfnqWhk+116qBvXlQlRZ4MDuzBscKQ3Xg
+--- DKfwaXi8Uhc6mWjkIR1drR8QrsnjG7Z1233qyOker2g
+C™;$y”J
+ý‹-©QÛØý1<C3BD>ùs}ÔÖ
žà½5Ç<35>ÂXÎCÉ<43>¤DG)ãY…O×g=&ô¥
+ÌP‘}RwÞ‡
+ëd*Ÿ¤Y–‰Ãìs“˜jN¡®š„sL0Û<30>kV•MPeé‹

secrets/automata.of-a.cat-matrix_key.pem.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg Gf4ZeBJ6c6YqrBXiaL26rwKfnHklKQgjobQ0PcrB0m4
+EFj/+2bzZa/3HDv4kRBKmc9A79lljtxvH8eHOBbarYg
+-> ssh-ed25519 grc4Uw 65LBccbQNOiDt/ItwGAG4Zrwv9yhWIgDJisGA22sbmU
+38LT/tEb7hWBlcDSV8yY3Wozg3w5wc0Gc69Uf1SSTvw
+-> ssh-ed25519 DLT88w xkiPn6h1P5X0el8S1mxvdGzbzqkzMeX1EugI5jhyB00
+/jn34J6c1NLerwVcCySZ6u4O0LKsCtnAlItCvKx9ziM
+--- WwJnBwgvC3tYkIWTQqUHjuzXAGblCw3Lvldic9Rp9K8
+7R)<29>!í+•ãÎUQê˜ÕGÐZÌf&è€ÞÿÚß•²DfŠPâ¿·)ñ…¯-.pìðòv_¯dáQçÅ+ÒG~|t1ÞÀ¢®}M…-êþ!s©hEL{Ú˜†ioØß<Ó–É,mI3«ÀD*Cw²O©÷uîTу:·VÖÅÑÄÉϱî_[(ñPy­$¥xX;ÂñS<C3B1>‚G–Ûߺ“ge
+üÙ{îA

secrets/cassAuth.age

@@ -1,14 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 kY4Rgg 1T37a0MucAEFYMGcdyS+Nxcbkp027j3JxXy2teCwHRg
-3khC9F+CVUToHWx22Cs0b+1dm0/nUwG7/nu4nFqRijY
--> ssh-ed25519 grc4Uw NW49Rzlxh92jldZPNq3mkeJHi460dIA80B3bGqhVrm0
-9j3PAPk/C1DsGUMTHq1PzQMYId2rNoHRtwYBTViJ/A4
--> ssh-ed25519 DLT88w b/3j37sDUOtFD0TbPl0Gvyd/73MNlmKT4EhXn48ANQI
-eHqL7WDztCzYyvb+K+bkZI0514Z2QyWDwvotmpFHI6M
--> ,se-grease U<o] ~4 Yci -R
-R3H3gWM+BWWFB5qvnpwT0ZHZjihotvCUjaC98pTmtxcqHdHm6bmqNXSBUIIKaOD0
-79M
---- NdVSXnmGsA82Wmu9fVBnsKRn5g6qFhzGLO2v1NE8FXc
-.½<>„upÅÎün|zÖÂÃ>z¬ËY‹Ò[u)e5u‘sC'Ÿ‡®‘\ÏeЂt']°44Ýh/\›¡-0Ÿ n©ðX÷ëTÚ
-]³ÒwÏ
-¾6ú÷Ø{U`o<>ï‚J\C£`ð+Ynס©ÎqdïÓµ¸˜«›ßŽWÞ
+-> ssh-ed25519 kY4Rgg InhjCAhags7BG+tAighqgEvy5e61t0iYCc3npNrtqRE
+1/TGuVt+RcOMC2t0/Z4VwljQ9si8KwofWHEMDUnISk4
+-> ssh-ed25519 grc4Uw m4EP0Qms2l18Wf/DSXrmO4Av06Ye2csnMS1QdYuZcxg
+O28Fxcv0w13CO+4mwqcOvtC4ignNquh0+R/Z+5i2Pn8
+-> ssh-ed25519 DLT88w r3Ue500Ih1ahtOH0ThHnw46vIt3FzL3HBlOgaDidtEo
+m1kMy5aEDd88WaiauiJ7bCmZpZcgy8QtUvE2XxBstA8
+--- cynhWP7VYn6yJBVF1eKY/vKyD5dhYspHwtSXSaG5Hi0
+[ Ã5;
NµI«èVí‰\
©IW
C¹™çjîÿï5ÐIË©±—£JâkNÀÛü½³Ú¬Ä9¸Oy6Çf*Þ¦,H<>Ê+¬:_úõ¨?:ÿnÀRŽõ4*
+dõ<EFBFBD>
ðµ~RÒ›èWÆ™»JË­¬©Z¹a›HVu‰"å7

secrets/ci-secrets.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg RSEMYQyKt568d2bftr2T+LMqHcZRv8IEzYPbexqWlT4
+xRt1a1AKPIjWx+yuEEdJ5Vbl2CM5TNog7MhiWHvSpyg
+-> ssh-ed25519 grc4Uw DXix9IU7eWbeXOSSpuzS7gCWUJJJ5b0ZG41hb7tVkko
+Hgm84ICn5/MGoSLt7q1KCsySzxds0kpa6YsBqhFqBnw
+-> ssh-ed25519 CJl5MQ b2ErL0vpRtZLxfdAfl3xRUkaR4lcUmybBs1qlb8aTWk
+bYUHLN77u4PTEmoE4fJFxiK7HJQWgld4Ttb0vGuz/bI
+-> ssh-ed25519 DLT88w y8H8YO0uLPNpBVPUzHx9nSzoHsw8U8OLTVLngNdyFG0
+8seG+OwsVljtBJZ7IIWLocKWShJuJsAxNTygzXlyHro
+--- G3EfipJ+ZkxczM3fnwhdJtpQlBkX+k28asTPZ0aMihw
+¥B{f‘~™¼¼Ðj¦$úﰷ—eãëI"–T÷g¥Ÿªgñ^6˜ÏÝV˜Ò3¡<žSüO¿‡ê
+V?<3F>/êÉè»bÄüŽ±]†X¤@M

secrets/gitea-runner-token-scylla.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg WVJ/QupKCd22ktKgjsYoXRYnd06Wdg8mx4wXObhYvA0
+sTsybHw/9txSgUEiZI71grdAVI+SvWrVHxoaovlHuCA
+-> ssh-ed25519 grc4Uw HOIZRDy6UHgH/UviX80b+Ai9gtta4fOBdis8KK78nVM
+gZTxRmA1c6ZUuRNLi21x5oyHmAriL2NG/JZEloYypss
+-> ssh-ed25519 CJl5MQ ni17wBb+H2pmQe2pCL8gmx6zs0N4JEcetQ/vURhyElg
+bXObAXvfQ10e+hc1uYThj8lk53gJ6QPg1pl68EmV+qg
+--- GhB9BBp+A/7ZH5qp2iQu4N/KhN+EHD19lS8ZJhUlze8
+ËIs R«²,§¬¨Rš»°¹jýÞë{Ö0Æ Yþœvpìë1抙‰#Ø¤EÂzÌ߉°p%åÆV7á»kúƒ…`÷°›V+À

secrets/gitea-runner-token-zorigami.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg 5ILYbJRJi+u/YgzdzlPX9TBfCMZ514e9NzBUSc/tX0w
+UZV1WVw3JUw02+mou2bUJpelLosWQ6pIiKyQ4pSWqck
+-> ssh-ed25519 grc4Uw 5amLs+JClxaoIY9ePZS0tf7TblCSK2+tQvhA9mTQzm8
+FFdBHGQ78gT4mV0Y3TLvIj75RW8vr9SUjB8dOmaGSlg
+-> ssh-ed25519 DLT88w e/fG8ot68fDxIRnaR7PfCgyiysQk20iGODfW4s1+tBo
+K/eM8mznVgggxpbO+hCxAJEKSXT9uw2VEdQgAVpqXYI
+--- XR21VH4kwISBPe8oJ4cf6yc6DCwEB8yio3oNS64H1Hk
+0ﾃvｵi<EFBFBD><EFBFBD>%Jｳ彑&<26>ﾐｰ^WUｴyb潔V<E6BD94>}TﾁnB~/uvE-<2D>曖卅t王ﾔ{.ﾆ咲4)ﾚ房ﾒ葢<EFBE92>g>｢T4析ﾐ

secrets/github-runner-token-scylla.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg K+kBDCSLH89MJ4U6U5OYz1Xul2sxqlgb3WPhrSdbYE0
++F0llBblCnaMiBOpEo7JMp4TDHExQ7k47jI/CFQ+CNA
+-> ssh-ed25519 grc4Uw IUpfU9mTb13hBzqV+73U+2lhMpn4M32gzkZ5Ppq6tgM
++t/qv8IQoKr+Rn6nS6tIIzWSu4GB2/sI/IXQynr4JzE
+-> ssh-ed25519 CJl5MQ pEuMoIa3ItlQDVv7kkuHpPtAFb1sAZYNFBTjcazQW30
+lXuq3r267mP4e4yA2fOfLrgxlzhpUlHeChYKiipOQmw
+--- 3nODl2Oegpunu2YL2tPxp2VKbHIm3vFJV18Y+4qifG0
+ŽÃ$P<>"ÍÖÌ8ûê­z…).Úĸ 1Ò¨Qá×ScxÒ
ÒÃËèìÓã<C393>F²ýQp»k<13>:¡<>Óå

secrets/keycloakDatabase.age

@@ -1,11 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 kY4Rgg kesf+SaZD83McqpA9DixWtFIrEmRPxXkJ0GwzlUxWmE
-fget0ABRpLa1ILPy+j8qB60R2XOBZUkADYHIqShetLM
--> ssh-ed25519 grc4Uw M6nvJkxP3YiZ9HQegvcReYpkLcyhpF2YiAV0Pr6FuiQ
-gPV7IhypqI8C655+ef69PbvTBcCEK3ChpVKcckU2hQk
--> ssh-ed25519 DLT88w 8Cvg6k8zYawUgvMf8RQdA3pxxywIhCn7nPNGrMK4Q0o
-Kc58s9qkYHVS9pf+MYghheQXLxtImbny+W0zQ6j9eKE
--> $mU5]|V-grease 3;xw\jc
-+Fl1I+CYc0AGj429YbhVaz3i/HvkLrHX0Jt2OIhN4xqp/oJNqw
---- IfmaR6Z1bL8wgwgv1A+kuvxTq+xqKb6VD4iKdi0K8mk
-:‚Imià[Äo|Ú/ÄøR27?ãK"Êæfí¼&{å
Î[7ˆÌe&1¡“¹9…I)uù\Zæ >UÔ_yß
+-> ssh-ed25519 kY4Rgg /YJw6sGHCMvD3VlfPTpnMq4lzBb0Bg7sw0KQe19z5Dk
+NaIdnbSQbWUbzpxKAzqvDn3Nyowc3oAoNw4OaWF4VCg
+-> ssh-ed25519 grc4Uw X23KiCQv1N7ZkWO9PMyJFaCF7RNV1nL0fcmgADLqNAw
+5RfQnMWfoFGhCZb8o2MXT2TpjcXDP+jR57yG7gOenWA
+-> ssh-ed25519 DLT88w DqbKtk9Smb/J5/4VkZV5F1wXRvHjXg5eOOEgiviYhk4
+JTYFDrH0WGrKgQ9fVZjjajCuYfyBk4hUaMmbvLxsI7Y
+--- JDu9LS6IeQ30uDJjuMCQS8oeOG4/TIT79wZBKZE37Sc
+öõŠ/=”‘‹”VfB—!æ±5ð™²ÌI»^¹ù(ý°<C3BD>"2d‚ÅEH%ï‚œÛ*šD‰€TaÁ-“”㥈<C2A5>øa<C3B8>

secrets/khas-ar.age

@@ -1,11 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 kY4Rgg GE43afqnZA6nX8QEPznXxMEZoRu/oJ+fT9OBtFx/QxM
-mEr1DxBMFoEDQDQXQjBSLy3vVgOyCPJ2H/OcpZJWqXg
--> ssh-ed25519 grc4Uw 8MDCgHOj1lEMQJtH9ILRwoHxFYkR+c0LNuIzaJVR2SY
-MMUYVYkAR2hMm2S0m/05JM68W4rAYTjir/qyW0Q/TXM
--> ssh-ed25519 q4t0Rw dkSEYpIGzwkBCQUdaYRUL83Dx5OVVl1wkRaPrUI9RDc
-va06hkaOquxhQITBnTLyibSoM3jxQzBLmQcDhq+8dIk
--> VwB1p2M-grease "x FC pC\
-HBrm27hDe0KHabipPX7VkNrXdBx+xg
---- 2Sa4Ce1K7UZ1pVa1ZSjCC0hNLb3zCgztX/yzNf0kgHg
-¬ö¥2r7í&„@
³›àÞïì)Z<><5A>s’L>½rÕ®öʯ<C38A>Ó-³ç8C
{Fć^ÃÑÑÈüÎÖ$-}°£+n+:ú<>mšQîN¶”o§ýansjH1÷æ~ÑTDõ%Â]-¬Äòö±ñ<C2B1>8à@ÎíÅYuÈ™ÎùzŽ¤›Ì7<líñ3YˆÞ°4
+-> ssh-ed25519 kY4Rgg WE/puP2JwPNv9wTZi2ENRjxojAuxQfc+BlsZPZYrSms
++aaOyeInrsJzFd938+XVN2Mbr+VNQQkBli0/kYZjiHI
+-> ssh-ed25519 grc4Uw 95m4RIdplQE0MT7K9r87e0ox9wSmDCqK9otLoFSxiB4
+y4H0JJsu/5mn9zV8hD0l9Sc68yWBYZtG4Oq/XQzFcXE
+-> ssh-ed25519 1p3EMA PwCPdgOSEqLuu1Vz8XTc+Eirh32Pj93Se8WTvSXwQBo
+B32bF6UiDdpcE+tqSM3GBg5oPf++fvWNMYac6aDC8HE
+--- ulpXvqhHY/PD33jhsLoS3/YTEvmiMbS088zZ9ncK6Ak
+U›%÷+H0Âl([ÛißÕžfJšå£~A’¤Ðe
+
…°/cX¾Ñ¹v–G(Í:žØO
<01>[±Ý1Ž#­P`íJ£	:ê$
+àÅ„jE¢Z™Â<EFBFBD>t€u„2/¾<12>RPÓ¤Žï{!wš‡ê»° "TþÄ:2ü3E-Õk	áP›ð³–¹ÕÝäøwÀS

secrets/lan/nibylandia-ddns-kea.age

@@ -1,11 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 kY4Rgg zF0Gy00g+A652+c4MKe5GFlewtlUMjpLLzODkT1HNBw
-KoG7CzBBLuTYaPc42+cx/IwDe0WHEwdW7BZD950qx9k
--> ssh-ed25519 grc4Uw oi34sgBlxzAvBNvRnPoNys03fYlQPtGaN521dHQKlyA
-AEclTFw+LElZMNng0+ezmB06vmqlIxrhZ5Ug7lO0K2Y
--> ssh-ed25519 CJl5MQ IGMoyGOVqyoczmGdDUrHcQF3zqbKQXESlrg2HkJklls
-iH0PiadiTgwEtjf2L1Ry2MCFFxhvb9LFr/eFKJA+M+4
--> YCy8T-grease 2K|TYGy| ?++k:
-jzDT2sSDmnozZA0Prkr6cYgVou+09UwXc9H4KBNOlQ
---- SjezupwORSDfiv2pPCKzoNGfolICCAd7eLNOmCRuuq4
-øß.3~M%4`©7?ùjòdzÁ¹–ç­l†f˜y¡%byÉŽ&Øž…[–—ûÅãa[¶˜wØ<77>dž¿òV;,‚»Ç´5[SM¬wëQ™âu…¸:VÖÓg—Œ
بozýs‘b_[–Ø;UÚ…$´}¥´‚%
+-> ssh-ed25519 kY4Rgg iY+bhTcJ5EASg6bwUdmPdf+h3+paMJ1RgY95hi+ZRh0
+IFC13K0t6hwf6CmKdSC7qktkKt4R79qdgkjfvMfqWCg
+-> ssh-ed25519 grc4Uw AlPqBM26wtwpHX/B86Me9uBF28ZIg94eqQef6i1C/kA
+JbaKnFkl6PlXJ1IgWHMEo1DziqoC3VyebvoUmCiIBb8
+-> ssh-ed25519 CJl5MQ vrXURTIr5xUvFIUEZ3Rb3J1DyqLYhX1sRXlhdkTo/Eg
+1j1gK8i2wTopBG6BOg0mJ7wzpWWxU0jmgIPUQGRbkvE
+--- RVcB3UgXIOyFNcBeeJbOClOOxJ3pSWLE9mbnfFE/InI
+<EFBFBD>Í0ûŸ/ˆrâïèÜÛÍâ„à“—˜1ÈÄÁãeû>R+åX—¸G´Hðκ?ª>€g¹Ž=ÿ‹¼Xçt]š?•:k$hU’¸¯¥<C2AF>ò6:ó<>$-–À<E28093>“<EFBFBD>¹Íb³Äºˆ(jžë¦Ó(YÊ<59>@<40>Ì°ÍòÙrÛ

secrets/mail/apo.age

@@ -1,13 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 kY4Rgg N+m6p/zttdGnIbdBfTRIEBuQvAquREmfs8RwDTnROAY
-Q5ROKDJmForW63J5UVu4Qf2TagKisGX4PcMaIVx1K7w
--> ssh-ed25519 grc4Uw aSbKCbiCwnipGPVt5dcbCNNBeILtEnAB6Vkfq9LvdEY
-biHvwNpy7waPMuOQ4TE2mI+iOzROupSqkZINBi7l5/w
--> ssh-ed25519 DLT88w Qa4VLSyBQRboqa68kVtqnGb7wEH9oyulEheaYXzl2ws
-jyDSxSQbzNVJIWsoJIoO3zVpPHy6RWNzPC5IhB5z0tk
--> z-TKn-grease DO*%z p1C
-LUYpx4GSo0pNIT9gW8id1xBZWsJ3iJxhwHxSLg/kQS3KBAJO5uqgd8jnTg4TwGeM
-NSP31qORZHU
---- AbYdv5y7vwe3ONItmV9Fb73/NeTpZd2kBxpu/msW+50
-X3ó€ÍMť;Á6h·ŠµQŢŽ<C5A2>ńĐ=´;<3B>ú#šŰ‘u3WÍPÜw§Ľ˘Ś
-?–gYÍ4⯨uu<75>`[ťHű8ś°˝—ű7ĘZţ$Ť>ĘĽx»Očre‹
+-> ssh-ed25519 kY4Rgg furr0wKuF3UVBY2KVGESBQxxJImHSCacWkKNgMinWAs
+3lej3Fyut846w60agk0L6CpPrcRhCDwtvlIVSU1Z4IE
+-> ssh-ed25519 grc4Uw i8TZQwo/zDMVurig2E8P0FmarBCSTVp2isbM9nz3YVM
+C02+oAEOT3Z3qmC5qEo5ckb3GtQP1q3880PJq/ji2+o
+-> ssh-ed25519 DLT88w MnTixAlxgk2uAoH6qNpIJGLkc17J/iuaCMhP1rkwmQ8
+T9wTnw2HO0iTN3b+UFeEI35o82oeW4n5BRMClidNDB4
+--- 0xkWGxrvK/bhpSTNCPU6JimpIZ2bz8ptl5tWdUErBK4
+Î݉›Ě{™˘ÎÔ|MĆ%Ď=D4$¬/îŻjŢob»„ K@6Ý™Â÷.µ?saWB(śV·¸vúĎXľ×Ą"^3ÉŞEL>ŕçµZ6[Šš‘W2k…¦wę*–#ü