added firewall rule for tang

Im testing this to allow jeeves to be stable and desktops stay on the latest kernel

.gitignore

@@ -160,3 +160,6 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+test.*
+secrets.*

.vscode/settings.json

@@ -1,27 +1,44 @@
 {
   "cSpell.words": [
     "aboutwelcome",
+    "acltype",
+    "addstr",
+    "advplyr",
     "ahci",
+    "aioesphomeapi",
     "alsa",
+    "archlinux",
+    "ashift",
     "asrouter",
+    "attroff",
+    "attron",
+    "audiobooks",
+    "audiobookshelf",
     "auditd",
     "autofetch",
     "autopull",
+    "autotrim",
     "azuretools",
     "bantime",
+    "bazarr",
+    "binhex",
     "bitwarden",
+    "blkdiscard",
     "breakpad",
     "btop",
     "cachix",
+    "canmount",
     "captivedetect",
     "cgroupdriver",
     "charliermarsh",
+    "cloudflared",
     "codezombiech",
     "compactmode",
     "Compat",
     "contentblocking",
     "cookiebanners",
     "crlite",
+    "cryptsetup",
     "darkreader",
     "datareporting",
     "davidanson",
@@ -32,44 +49,66 @@
     "diffie",
     "direnv",
     "dmask",
+    "dnodesize",
     "dotfiles",
     "drawio",
     "eamodio",
     "endlessh",
     "errorlens",
     "esbenp",
+    "esphome",
     "extest",
     "fastforwardteam",
     "FASTFOX",
+    "ffmpegthumbnailer",
+    "filebot",
+    "filebrowser",
     "fileroller",
     "findbar",
+    "Fira",
     "fmask",
+    "fontconfig",
     "formfill",
     "foxundermoon",
     "FULLSCREEN",
     "fxaccounts",
     "gamemode",
     "gamescope",
+    "getch",
+    "getmaxyx",
     "ghdeploy",
     "globalprivacycontrol",
     "gparted",
+    "gtts",
     "healthreport",
     "Heatsink",
     "hediet",
     "hexeditor",
     "hicolor",
     "hmac",
+    "homeassistant",
     "HPKP",
     "htmlaboutaddons",
+    "hurlenko",
     "hwloc",
+    "INITDB",
+    "iocharset",
+    "ioit",
     "iperf",
+    "isal",
     "jnoortheen",
     "jsbc",
+    "kagi",
+    "kuma",
+    "levelname",
     "libglvnd",
     "libmysqlclient",
     "libsodium",
     "libssh",
     "libvirtd",
+    "localtime",
+    "louislam",
+    "lsnew",
     "luks",
     "lynis",
     "mangohud",
@@ -78,46 +117,80 @@
     "maxtime",
     "mechatroner",
     "mediainfo",
+    "mklabel",
+    "mkpart",
     "modesetting",
+    "mountpoint",
+    "mountpoints",
     "mousewheel",
     "mtxr",
+    "muninn",
     "ncdu",
     "nemo",
     "neofetch",
+    "nerdfonts",
+    "netdev",
+    "netdevs",
+    "Networkd",
     "networkmanager",
     "newtabpage",
     "nixos",
     "nixpkgs",
     "nmap",
+    "noauto",
+    "noecho",
     "nonsponsored",
+    "Noto",
     "nvme",
     "OCSP",
     "oderwat",
+    "oneshot",
     "optimise",
     "optoutstudies",
     "overalljails",
     "overscroll",
+    "overseerr",
     "pbmode",
     "pciutils",
+    "pcscd",
     "pdfjs",
     "peerconnection",
     "PESKYFOX",
+    "PGID",
+    "photoprism",
     "pipewire",
     "pkgs",
     "plugdev",
+    "poppler",
+    "posixacl",
+    "primarycache",
+    "prismlauncher",
     "privatebrowsing",
+    "PRIVOXY",
+    "prowlarr",
     "proxychains",
     "prusa",
+    "psycopg",
+    "PUID",
     "pulseaudio",
     "punycode",
     "pylance",
+    "pymetno",
+    "qbit",
+    "qbittorrent",
+    "qbittorrentvpn",
+    "qbitvpn",
     "quicksuggest",
+    "radarr",
     "readahead",
     "Redistributable",
     "referer",
     "REFERERS",
+    "relatime",
     "Rhosts",
     "ripgrep",
+    "routable",
+    "rspace",
     "rtkit",
     "rycee",
     "safebrowsing",
@@ -129,25 +202,33 @@
     "signon",
     "Signons",
     "skia",
+    "smartd",
     "smartmontools",
     "SMOOTHFOX",
     "socialtracking",
+    "sonarr",
     "sponsorblock",
     "sqltools",
+    "ssdp",
     "stdenv",
     "subresource",
     "substituters",
     "supermaven",
+    "sysstat",
     "tabmanager",
     "tamasfe",
     "tiktok",
     "timonwong",
+    "tmmworkshop",
+    "Tmpfs",
     "topsites",
     "topstories",
+    "torrenting",
     "twimg",
     "uaccess",
     "ublock",
     "uitour",
+    "unrar",
     "unsubmitted",
     "urlbar",
     "urlclassifier",
@@ -161,12 +242,20 @@
     "vpnpromourl",
     "webchannel",
     "WEBRTC",
+    "WEBUI",
     "wireshark",
+    "Workqueues",
+    "xattr",
     "xhci",
+    "yazi",
+    "yubikey",
+    "yubioath",
     "yzhang",
+    "zeroconf",
     "zerotier",
     "zerotierone",
     "zoxide",
+    "zram",
     "zstd"
   ]
 }

common/global/default.nix

@@ -1,7 +1,6 @@
 {
-  config,
-  lib,
   inputs,
+  lib,
   outputs,
   ...
 }:
@@ -10,24 +9,19 @@
     inputs.home-manager.nixosModules.home-manager
     ./docker.nix
     ./fail2ban.nix
+    ./fonts.nix
     ./libs.nix
     ./locale.nix
     ./nh.nix
     ./nix.nix
     ./programs.nix
     ./ssh.nix
+    ./snapshot_manager.nix
   ];
 
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.tmp.useTmpfs = true;
 
-  security.auditd.enable = lib.mkDefault true;
+  hardware.enableRedistributableFirmware = true;
-
-  programs = {
-    zsh.enable = true;
-    fish.enable = true;
-  };
-
-  users.mutableUsers = lib.mkDefault true;
 
   home-manager = {
     useGlobalPkgs = true;
@@ -35,7 +29,24 @@
     extraSpecialArgs = {inherit inputs outputs;};
   };
 
-  nixpkgs.config.allowUnfree = true;
+  nixpkgs = {
+    overlays = builtins.attrValues outputs.overlays;
+    config = {
+      allowUnfree = true;
+    };
+  };
 
-  hardware.enableRedistributableFirmware = true;
+  programs = {
+    zsh.enable = true;
+    fish.enable = true;
+  };
+
+  security.auditd.enable = lib.mkDefault true;
+
+  users.mutableUsers = lib.mkDefault true;
+
+  zramSwap = {
+    enable = lib.mkDefault true;
+    priority = 1000;
+  };
 }

common/global/fonts.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  fonts = {
+    fontconfig.enable = true;
+    enableDefaultPackages = true;
+    packages = with pkgs; [
+      nerdfonts
+    ];
+  };
+}

common/global/snapshot_config.toml

@@ -0,0 +1,29 @@
+["default"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/home"]
+15_min = 8
+hourly = 24
+daily = 14
+monthly = 0
+
+["root_pool/root"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/nix"]
+15_min = 4
+hourly = 0
+daily = 0
+monthly = 0
+
+["root_pool/var"]
+15_min = 8
+hourly = 24
+daily = 30
+monthly = 6

common/global/snapshot_manager.nix

@@ -0,0 +1,44 @@
+{ inputs, pkgs, lib, config, ... }:
+let
+  cfg = config.services.snapshot_manager;
+in
+{
+  options = {
+    services.snapshot_manager = {
+      enable = lib.mkOption {
+        default = true;
+        example = true;
+        description = "Whether to enable k3s-net.";
+        type = lib.types.bool;
+      };
+      path = lib.mkOption {
+        type = lib.types.path;
+        description = "Path that needs to be updated via git pull";
+        default = ./snapshot_config.toml;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd = {
+      services."snapshot_manager" = {
+        description = "ZFS Snapshot Manager";
+        requires = [ "zfs-import.target" ];
+        after = [ "zfs-import.target" ];
+        path = [ pkgs.zfs ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/snapshot_manager --config-file='${cfg.path}'";
+        };
+      };
+      timers."snapshot_manager" = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "15m";
+          OnUnitActiveSec = "15m";
+          Unit = "snapshot_manager.service";
+        };
+      };
+    };
+  };
+}

common/optional/desktop.nix

@@ -1,4 +1,9 @@
+{ lib, pkgs, ... }:
 {
+  boot = {
+    kernelPackages = lib.mkDefault pkgs.master.linuxPackages_zen;
+    zfs.package = pkgs.master.zfs_unstable;
+  };
   services = {
     desktopManager.plasma6.enable = true;
     xserver = {

common/optional/scanner.nix

@@ -0,0 +1,6 @@
+{
+  hardware.sane = {
+    enable = true;
+    drivers.scanSnap.enable = true;
+  };
+}

common/optional/syncthing_base.nix

@@ -9,9 +9,10 @@
     settings = {
       devices = {
         phone.id = "LTGPLAE-M4ZDJTM-TZ3DJGY-SLLAVWF-CQDVEVS-RGCS75T-GAPZYK3-KUM6LA5"; # cspell:disable-line
-        jeeves.id = "RCDU465-AIQRBEJ-VWC4EZF-2AMXABC-F3S4NFW-QA4ZUAQ-OVNUBLI-BUJJTA2"; # cspell:disable-line
+        jeeves.id = "ICRHXZW-ECYJCUZ-I4CZ64R-3XRK7CG-LL2HAAK-FGOHD22-BQA4AI6-5OAL6AG"; # cspell:disable-line
         ipad.id = "KI76T3X-SFUGV2L-VSNYTKR-TSIUV5L-SHWD3HE-GQRGRCN-GY4UFMD-CW6Z6AX"; # cspell:disable-line
         bob.id = "CJIAPEJ-VO74RR4-F75VU6M-QNZAMYG-FYUJG7Y-6AT62HJ-355PRPL-PJFETAZ"; # cspell:disable-line
+        rhapsody-in-green.id = "ASL3KC4-3XEN6PA-7BQBRKE-A7JXLI6-DJT43BY-Q4WPOER-7UALUAZ-VTPQ6Q4"; # cspell:disable-line
       };
     };
   };

common/optional/yubikey.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  services.pcscd.enable = true;
+
+  environment.systemPackages = [ pkgs.yubioath-flutter ];
+}

flake.lock

@@ -9,11 +9,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1725940994,
+        "lastModified": 1730520198,
-        "narHash": "sha256-PCj5WMvCMg2g8gBNf3izt4rPu5b5Mi/7zxmXHit3N3U=",
+        "narHash": "sha256-0G4QIsCmQyfwdWUws7UDZQYcCn5l9m42AE9c3Ak0+DY=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "93857a3619db67e72f5012ce3cb001e402b86dbe",
+        "rev": "ca0f5e3fd8a37605a6960fee549f6b79d3f83c28",
         "type": "gitlab"
       },
       "original": {
@@ -39,28 +39,6 @@
         "type": "github"
       }
     },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixos-cosmic",
-          "nix-update",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1719994518,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "locked": {
         "lastModified": 1629284811,
@@ -101,11 +79,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1725948275,
+        "lastModified": 1730490306,
-        "narHash": "sha256-4QOPemDQ9VRLQaAdWuvdDBhh+lEUOAnSMHhdr4nS1mk=",
+        "narHash": "sha256-AvCVDswOUM9D368HxYD25RsSKp+5o0L0/JHADjLoD38=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e5fa72bad0c6f533e8d558182529ee2acc9454fe",
+        "rev": "1743615b61c7285976f85b303a36cdf88a556503",
         "type": "github"
       },
       "original": {
@@ -136,33 +114,9 @@
         "type": "github"
       }
     },
-    "nix-update": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "nixpkgs": [
-          "nixos-cosmic",
-          "nixpkgs"
-        ],
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1725635983,
-        "narHash": "sha256-haSfwdurfltqQ/7YEmDcmWLnWwvAgelIHnXsHG34P1k=",
-        "owner": "lilyinstarlight",
-        "repo": "nix-update",
-        "rev": "ed54a7546affb3f8c9c3e10a6fa6fdb21756ec8f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lilyinstarlight",
-        "repo": "nix-update",
-        "type": "github"
-      }
-    },
     "nixos-cosmic": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "nix-update": "nix-update",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -170,11 +124,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1725932078,
+        "lastModified": 1730511796,
-        "narHash": "sha256-IATccCX01KHY3QDYmpCMu70WRWxJH4V7z9vp71RlSAs=",
+        "narHash": "sha256-+ZBaUiJWig7LumIKi1fOExUke8XubkKJUlcrEa+UN+M=",
         "owner": "lilyinstarlight",
         "repo": "nixos-cosmic",
-        "rev": "0452cc841e9b30160ae48db636164fb7a6d6bb72",
+        "rev": "1d5a818e3b5188f6aa106eed5f66e454787c5d70",
         "type": "github"
       },
       "original": {
@@ -185,11 +139,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1725885300,
+        "lastModified": 1730537918,
-        "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
+        "narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
+        "rev": "f6e0cd5c47d150c4718199084e5764f968f1b560",
         "type": "github"
       },
       "original": {
@@ -201,11 +155,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1725634671,
+        "lastModified": 1730200266,
-        "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
+        "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
+        "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
         "type": "github"
       },
       "original": {
@@ -215,13 +169,29 @@
         "type": "github"
       }
     },
+    "nixpkgs-master": {
+      "locked": {
+        "lastModified": 1730587346,
+        "narHash": "sha256-YAzfNPNFtztrOYe1Nhi6cTiT7kedRwmlfpijA9T2uuk=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "a8ffc2295c358629bc1bda569bf8b3bbb21aa1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1725826545,
+        "lastModified": 1730327045,
-        "narHash": "sha256-L64N1rpLlXdc94H+F6scnrbuEu+utC03cDDVvvJGOME=",
+        "narHash": "sha256-xKel5kd1AbExymxoIfQ7pgcX6hjw9jCgbiBjiUfSVJ8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f4c846aee8e1e29062aa8514d5e0ab270f4ec2f9",
+        "rev": "080166c15633801df010977d9d7474b4a6c549d7",
         "type": "github"
       },
       "original": {
@@ -233,11 +203,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1725826545,
+        "lastModified": 1730327045,
-        "narHash": "sha256-L64N1rpLlXdc94H+F6scnrbuEu+utC03cDDVvvJGOME=",
+        "narHash": "sha256-xKel5kd1AbExymxoIfQ7pgcX6hjw9jCgbiBjiUfSVJ8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f4c846aee8e1e29062aa8514d5e0ab270f4ec2f9",
+        "rev": "080166c15633801df010977d9d7474b4a6c549d7",
         "type": "github"
       },
       "original": {
@@ -259,7 +229,7 @@
           "nixpkgs"
         ],
         "systems": "systems_2",
-        "treefmt-nix": "treefmt-nix_2"
+        "treefmt-nix": "treefmt-nix"
       },
       "locked": {
         "lastModified": 1723343306,
@@ -282,6 +252,7 @@
         "nixos-cosmic": "nixos-cosmic",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-stable": "nixpkgs-stable_2",
         "system_tools": "system_tools",
         "systems": "systems_3"
@@ -295,11 +266,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1725848835,
+        "lastModified": 1730428392,
-        "narHash": "sha256-u4lCr+tOEWhsFiww5G04U5jUNzaQJi0/ZMIDGiLeT14=",
+        "narHash": "sha256-2aRfq1P0usr+TlW9LUCoefqqpPum873ac0TgZzXYHKI=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "2ef910a6276a2f34513d18f2f826a8dea72c3b3f",
+        "rev": "17eda17f5596a84e92ba94160139eb70f3c3e734",
         "type": "github"
       },
       "original": {
@@ -317,11 +288,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1725312414,
+        "lastModified": 1729617389,
-        "narHash": "sha256-IWztoUBuZjqw5Mti/CJvvPvAHNpCfnZVS/gGNMdQUhQ=",
+        "narHash": "sha256-Q05Nhw84FprGiuQHd1ahOhKKIbxzp1rpeCqddjXUSVM=",
         "owner": "RichieCahill",
         "repo": "system_tools",
-        "rev": "632a465087f5b9ab7d6efc125bebfe6af57c1d58",
+        "rev": "2a2aa711fcf67ed5e4db484e507a4a511b9b4230",
         "type": "github"
       },
       "original": {
@@ -375,28 +346,6 @@
       }
     },
     "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixos-cosmic",
-          "nix-update",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1719887753,
-        "narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "treefmt-nix_2": {
       "inputs": {
         "nixpkgs": [
           "system_tools",

flake.nix

@@ -4,10 +4,12 @@
   nixConfig = {
     extra-substituters = [
       "https://cache.nixos.org/?priority=1&want-mass-query=true"
+      "https://cache.tmmworkshop.com/?priority=1&want-mass-query=true"
       "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
     ];
     extra-trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
     ];
@@ -16,6 +18,7 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs-master.url = "github:nixos/nixpkgs/master";
     systems.url = "github:nix-systems/default-linux";
 
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
@@ -75,6 +78,14 @@
         modules = [./systems/jeeves];
         specialArgs = {inherit inputs outputs;};
       };
+      rhapsody-in-green = lib.nixosSystem {
+        modules = [./systems/rhapsody-in-green];
+        specialArgs = {inherit inputs outputs;};
+      };
+      muninn = lib.nixosSystem {
+        modules = [./systems/muninn];
+        specialArgs = {inherit inputs outputs;};
+      };
     };
   };
 }

overlays/default.nix

@@ -6,4 +6,11 @@
       config.allowUnfree = true;
     };
   };
+  # When applied, the master nixpkgs set (declared in the flake inputs) will be accessible through 'pkgs.master'
+  master = final: _prev: {
+    master = import inputs.nixpkgs-master {
+      system = final.system;
+      config.allowUnfree = true;
+    };
+  };
 }

systems/bob/default.nix

@@ -1,25 +1,24 @@
-{
-  inputs,
-  ...
-}:
 {
   imports = [
-    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
     ../../users/richie
-    ../common/global
+    ../../common/global
-    ../common/optional/desktop.nix
+    ../../common/optional/desktop.nix
-    ../common/optional/steam.nix
+    ../../common/optional/scanner.nix
-    ../common/optional/syncthing_base.nix
+    ../../common/optional/steam.nix
-    ../common/optional/systemd-boot.nix
+    ../../common/optional/syncthing_base.nix
-    ../common/optional/zerotier.nix
+    ../../common/optional/systemd-boot.nix
+    ../../common/optional/zerotier.nix
+    ../../common/optional/yubikey.nix
     ./hardware.nix
     ./nvidia.nix
+    ./syncthing.nix
   ];
 
   networking = {
     hostName = "bob";
-    networkmanager.enable = true;
     hostId = "7c678a41";
+    firewall.enable = true;
+    networkmanager.enable = true;
   };
 
   hardware = {
@@ -47,52 +46,7 @@
       pulse.enable = true;
     };
 
-    syncthing.settings.folders = {
+    snapshot_manager.enable = true;
-      "notes" = {
-        id = "l62ul-lpweo"; # cspell:disable-line
-        path = "/home/richie/notes";
-        devices = [
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "books" = {
-        id = "6uppx-vadmy"; # cspell:disable-line
-        path = "/home/richie/books";
-        devices = [
-          "phone"
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "important" = {
-        id = "4ckma-gtshs"; # cspell:disable-line
-        path = "/home/richie/important";
-        devices = [
-          "phone"
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "music" = {
-        id = "vprc5-3azqc"; # cspell:disable-line
-        path = "/home/richie/music";
-        devices = [
-          "ipad"
-          "phone"
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "projects" = {
-        id = "vyma6-lqqrz"; # cspell:disable-line
-        path = "/home/richie/projects";
-        devices = [
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-    };
 
     zfs = {
       trim.enable = true;

systems/bob/hardware.nix

@@ -22,8 +22,10 @@
         "sd_mod"
       ];
       kernelModules = [ ];
-      luks.devices = {
+      luks.devices."luks-root-pool-nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2" = {
-        "luks-root-pool-nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
+        device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
+        bypassWorkqueues = true;
+        allowDiscards = true;
       };
     };
     kernelModules = [ "kvm-amd" ];

systems/bob/syncthing.nix

@@ -0,0 +1,58 @@
+{    
+  services.syncthing.settings.folders = {
+    "notes" = {
+      id = "l62ul-lpweo"; # cspell:disable-line
+      path = "/home/richie/notes";
+      devices = [
+        "jeeves"
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "important" = {
+      id = "4ckma-gtshs"; # cspell:disable-line
+      path = "/home/richie/important";
+      devices = [
+        "phone"
+        "jeeves"
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "music" = {
+      id = "vprc5-3azqc"; # cspell:disable-line
+      path = "/home/richie/music";
+      devices = [
+        "ipad"
+        "phone"
+        "jeeves"
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "projects" = {
+      id = "vyma6-lqqrz"; # cspell:disable-line
+      path = "/home/richie/projects";
+      devices = [
+        "jeeves"
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "temp" = {
+      id = "bob_temp";
+      path = "/home/richie/temp";
+      devices = [
+        "jeeves"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "vault" = {
+      path = "/home/richie/vault";
+      devices = [
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+  };
+}

systems/jeeves/arch_mirror.nix

@@ -3,10 +3,18 @@ let
   vars = import ./vars.nix;
 in
 {
+  users = {
+    users.arch-mirror = {
+      isSystemUser = true;
+      group = "arch-mirror";
+    };
+    groups.arch-mirror = {};
+  };
+
   virtualisation.oci-containers.containers.arch_mirror = {
     image = "ubuntu/apache2:latest";
     volumes = [
-      "${../common/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
+      "${../../common/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
       "${vars.media_mirror}:/data"
     ];
     ports = [ "800:80" ];
@@ -23,6 +31,8 @@ in
     serviceConfig = {
       Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
       Type = "simple";
+      User = "arch-mirror";
+      Group = "arch-mirror";
       ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
     };
   };

systems/jeeves/default.nix

@@ -1,21 +1,21 @@
-{ config, pkgs, ... }:
 let
   vars = import ./vars.nix;
 in
 {
   imports = [
     ../../users/richie
-    ../common/global
+    ../../common/global
-    ../common/optional/ssh_decrypt.nix
+    ../../common/optional/ssh_decrypt.nix
-    ../common/optional/syncthing_base.nix
+    ../../common/optional/syncthing_base.nix
-    ../common/optional/systemd-boot.nix
+    ../../common/optional/zerotier.nix
-    ../common/optional/zerotier.nix
     ./arch_mirror.nix
     ./docker
     ./hardware.nix
+    ./home_assistant.nix
     ./networking.nix
     ./programs.nix
     ./services.nix
+    ./syncthing.nix
   ];
 
   boot.zfs.extraPools = [
@@ -24,92 +24,45 @@ in
     "torrenting"
   ];
 
+  networking.firewall.allowedTCPPorts = [ 7654 ];
+
   services = {
     openssh.ports = [ 629 ];
 
+    nix-serve = {
+      enable = true;
+      secretKeyFile = "${vars.storage_secrets}/services/nix-cache/cache-priv-key.pem";
+      openFirewall = true;
+    };
+
     plex = {
       enable = true;
       dataDir = vars.media_plex;
+      openFirewall = true;
+    };
+
+    tang = {
+      enable = true;
+      ipAddressAllow = [
+        "192.168.98.1/24"
+        "192.168.95.1/24"
+      ];
     };
 
     smartd.enable = true;
 
-    sysstat.enable = true;
+    snapshot_manager = {
+      enable = true;
+      path = ./snapshot_config.toml;
+    };
 
-    syncthing.guiAddress = "192.168.90.40:8384";
+    sysstat.enable = true;
-    syncthing.settings.folders = {
-      "notes" = {
-        id = "l62ul-lpweo"; # cspell:disable-line
-        path = vars.media_notes;
-        devices = [
-          "bob"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "books" = {
-        id = "6uppx-vadmy"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/books";
-        devices = [
-          "bob"
-          "phone"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "important" = {
-        id = "4ckma-gtshs"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/important";
-        devices = [
-          "bob"
-          "phone"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "music" = {
-        id = "vprc5-3azqc"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/music";
-        devices = [
-          "bob"
-          "ipad"
-          "phone"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "projects" = {
-        id = "vyma6-lqqrz"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/projects";
-        devices = [
-          "bob"
-        ];
-        fsWatcherEnabled = true;
-      };
-    };
 
     zfs = {
       trim.enable = true;
       autoScrub.enable = true;
     };
   };
-  systemd = {
-    services."snapshot_manager" = {
-      description = "ZFS Snapshot Manager";
-      requires = [ "zfs-import.target" ];
-      after = [ "zfs-import.target" ];
-      serviceConfig = {
-        Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
-        Type = "oneshot";
-        ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
-      };
-    };
-    timers."snapshot_manager" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnBootSec = "15m";
-        OnUnitActiveSec = "15m";
-        Unit = "snapshot_manager.service";
-      };
-    };
-  };
-
 
   system.stateVersion = "24.05";
 }

systems/jeeves/docker/audiobookshelf.nix

@@ -0,0 +1,19 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers.audiobookshelf = {
+    image = "ghcr.io/advplyr/audiobookshelf:latest";
+    volumes = [
+      "${vars.media_docker_configs}/audiobookshelf:/config"
+      "${vars.media_docker_configs}/audiobookshelf:/metadata"
+      "${vars.storage_library}/audiobooks:/audiobooks"
+      "${vars.storage_library}/books:/books"
+    ];
+    environment = {
+      TZ = "America/New_York";
+    };
+    extraOptions = [ "--network=web" ];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/grafana.nix

@@ -0,0 +1,12 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers.grafana = {
+    image = "grafana/grafana-enterprise:latest";
+    volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
+    user = "600:600";
+    extraOptions = [ "--network=web" ];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/haproxy.cfg

@@ -25,44 +25,47 @@ frontend ContentSwitching
   bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
   mode  http
   # tmmworkshop.com
-  acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
+  acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
-  acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
+  acl host_cache  hdr(host) -i cache.tmmworkshop.com
-  acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
   acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
+  acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
+  acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
+  acl host_photoprism  hdr(host) -i photoprism.tmmworkshop.com
   acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
-  acl host_overseerr  hdr(host) -i overseerr.tmmworkshop.com
 
-  use_backend mirror_nodes   if host_mirror
+  use_backend audiobookshelf_nodes if host_audiobookshelf
-  use_backend dndrules_nodes if host_dndrules
+  use_backend cache_nodes  if host_cache
-  use_backend grafana_nodes  if host_grafana
   use_backend filebrowser_nodes  if host_filebrowser
+  use_backend grafana_nodes  if host_grafana
+  use_backend mirror_nodes   if host_mirror
+  use_backend photoprism_nodes  if host_photoprism
   use_backend uptime_kuma_nodes  if host_uptime_kuma
-  use_backend overseerr_nodes  if host_overseerr
 
-backend mirror_nodes
+backend audiobookshelf_nodes
   mode http
-  server server arch_mirror:80
+  server server audiobookshelf:80
 
-backend mirror_rsync
+backend cache_nodes
   mode http
-  server server arch_mirror:873
+  server server 192.168.90.40:5000
 
 backend grafana_nodes
   mode http
   server server grafana:3000
 
-backend dndrules_nodes
-  mode http
-  server server dnd_file_server:80
-
 backend filebrowser_nodes
   mode http
   server server filebrowser:8080
 
+backend mirror_nodes
+  mode http
+  server server arch_mirror:80
+
+backend photoprism_nodes
+  mode http
+  server server photoprism:2342
+
 backend uptime_kuma_nodes
   mode http
   server server uptime_kuma:3001
 
-backend overseerr_nodes
-  mode http
-  server server overseerr:5055

systems/jeeves/docker/internal.nix

@@ -1,144 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    qbit = {
-      image = "ghcr.io/linuxserver/qbittorrent:latest";
-      ports = [
-        "6881:6881"
-        "6881:6881/udp"
-        "8082:8082"
-        "29432:29432"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbit:/config"
-        "${vars.torrenting_qbit}:/data"
-      ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-        WEBUI_PORT = "8082";
-      };
-      autoStart = true;
-    };
-    qbitvpn = {
-      image = "binhex/arch-qbittorrentvpn:latest";
-      extraOptions = [ "--cap-add=NET_ADMIN" ];
-      ports = [
-        "6882:6881"
-        "6882:6881/udp"
-        "8081:8081"
-        "8118:8118"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbitvpn:/config"
-        "${vars.torrenting_qbitvpn}:/data"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-      environment = {
-        WEBUI_PORT = "8081";
-        PUID = "600";
-        PGID = "100";
-        VPN_ENABLED = "yes";
-        VPN_CLIENT = "openvpn";
-        STRICT_PORT_FORWARD = "yes";
-        ENABLE_PRIVOXY = "yes";
-        LAN_NETWORK = "192.168.90.0/24";
-        NAME_SERVERS = "1.1.1.1,1.0.0.1";
-        UMASK = "000";
-        DEBUG = "false";
-        DELUGE_DAEMON_LOG_LEVEL = "debug";
-        DELUGE_WEB_LOG_LEVEL = "debug";
-      };
-      environmentFiles = [/root/secrets/docker/qbitvpn];
-      autoStart = true;
-    };
-    bazarr = {
-      image = "ghcr.io/linuxserver/bazarr:latest";
-      ports = [ "6767:6767" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/bazarr:/config"
-        "${vars.storage_plex}/movies:/movies"
-        "${vars.storage_plex}/tv:/tv"
-      ];
-      autoStart = true;
-    };
-    prowlarr = {
-      image = "ghcr.io/linuxserver/prowlarr:latest";
-      ports = [ "9696:9696" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
-      autoStart = true;
-    };
-    radarr = {
-      image = "ghcr.io/linuxserver/radarr:latest";
-      ports = [ "7878:7878" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/radarr:/config"
-        "${vars.storage_plex}/movies:/movies"
-        "${vars.torrenting_qbitvpn}:/data"
-      ];
-      autoStart = true;
-    };
-    sonarr = {
-      image = "ghcr.io/linuxserver/sonarr:latest";
-      ports = [ "8989:8989" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/sonarr:/config"
-        "${vars.storage_plex}/tv:/tv"
-        "${vars.torrenting_qbitvpn}:/data"
-      ];
-      autoStart = true;
-    };
-    overseerr = {
-      image = "ghcr.io/linuxserver/overseerr";
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.media_docker_configs}/overseerr:/config" ];
-      dependsOn = [
-        "radarr"
-        "sonarr"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    whisper = {
-      image = "ghcr.io/linuxserver/faster-whisper:latest";
-      ports = [ "10300:10300" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-        WHISPER_MODEL = "tiny-int8";
-        WHISPER_LANG = "en";
-        WHISPER_BEAM = "1";
-      };
-      volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
-      autoStart = true;
-    };
-  };
-}

systems/jeeves/docker/photoprism.nix

@@ -0,0 +1,53 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers.photoprism = {
+    image = "photoprism/photoprism:latest";
+    volumes = [ 
+      "${vars.media_docker_configs}/photoprism:/photoprism/storage"
+      "${vars.storage_photos}/originals:/photoprism/originals"
+      "${vars.storage_photos}/import:/photoprism/import"
+    ];
+    environment = {
+      PHOTOPRISM_ADMIN_USER="admin";
+      PHOTOPRISM_AUTH_MODE="password";
+      PHOTOPRISM_DISABLE_TLS="false";
+      PHOTOPRISM_DEFAULT_TLS="true";
+      PHOTOPRISM_ORIGINALS_LIMIT="30000";
+      PHOTOPRISM_HTTP_COMPRESSION="gzip";
+      PHOTOPRISM_LOG_LEVEL="info";
+      PHOTOPRISM_READONLY="false";
+      PHOTOPRISM_EXPERIMENTAL="false";
+      PHOTOPRISM_DISABLE_CHOWN="false";
+      PHOTOPRISM_DISABLE_WEBDAV="false";
+      PHOTOPRISM_DISABLE_SETTINGS="false";
+      PHOTOPRISM_DISABLE_TENSORFLOW="false";
+      PHOTOPRISM_DISABLE_FACES="false";
+      PHOTOPRISM_DISABLE_CLASSIFICATION="false";
+      PHOTOPRISM_DISABLE_VECTORS="false";
+      PHOTOPRISM_DISABLE_RAW="false";
+      PHOTOPRISM_RAW_PRESETS="false";
+      PHOTOPRISM_SIDECAR_YAML="true";
+      PHOTOPRISM_BACKUP_ALBUMS="true";
+      PHOTOPRISM_BACKUP_DATABASE="true";
+      PHOTOPRISM_BACKUP_SCHEDULE="daily";
+      PHOTOPRISM_INDEX_SCHEDULE="";
+      PHOTOPRISM_AUTO_INDEX="300";
+      PHOTOPRISM_AUTO_IMPORT= "-1";
+      PHOTOPRISM_DETECT_NSFW="false";
+      PHOTOPRISM_UPLOAD_NSFW="true";
+      PHOTOPRISM_DATABASE_DRIVER="sqlite";
+      PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
+      PHOTOPRISM_SITE_DESCRIPTION="";
+      PHOTOPRISM_SITE_AUTHOR="";
+      PHOTOPRISM_UID="600";
+      PHOTOPRISM_GID="600";
+      # PHOTOPRISM_UMASK: 0000
+    };
+    environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
+    autoStart = true;
+    extraOptions = [ "--network=web" ];
+  };
+}
+

systems/jeeves/docker/postgresql.nix

@@ -13,20 +13,20 @@ in
     };
   };
 
-  virtualisation.oci-containers.containers = {
+  # virtualisation.oci-containers.containers = {
-    postgres = {
+  #   postgres = {
-      image = "postgres:16";
+  #     image = "postgres:16";
-      ports = [ "5432:5432" ];
+  #     ports = [ "5432:5432" ];
-      volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
+  #     volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
-      environment = {
+  #     environment = {
-        POSTGRES_USER = "admin";
+  #       POSTGRES_USER = "admin";
-        POSTGRES_DB = "archive";
+  #       POSTGRES_DB = "archive";
-        POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
+  #       POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
-      };
+  #     };
-      environmentFiles = [/root/secrets/docker/postgres];
+  #     environmentFiles = [/root/secrets/docker/postgres];
-      autoStart = true;
+  #     autoStart = true;
-      user = "postgres:postgres";
+  #     user = "postgres:postgres";
-    };
+  #   };
-  };
+  # };
 
 }

systems/jeeves/docker/prowlarr.nix

@@ -0,0 +1,17 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 9696 ];
+  virtualisation.oci-containers.containers.prowlarr = {
+    image = "ghcr.io/linuxserver/prowlarr:latest";
+    ports = [ "9696:9696" ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+    };
+    volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/qbit.nix

@@ -0,0 +1,29 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 6881 8082 29432 ]; 
+    allowedUDPPorts = [ 6881 ];
+  };
+  virtualisation.oci-containers.containers.qbit = {
+    image = "ghcr.io/linuxserver/qbittorrent:latest";
+    ports = [
+      "6881:6881"
+      "6881:6881/udp"
+      "8082:8082"
+      "29432:29432"
+    ];
+    volumes = [
+      "${vars.media_docker_configs}/qbit:/config"
+      "${vars.torrenting_qbit}:/data"
+    ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+      WEBUI_PORT = "8082";
+    };
+    autoStart = true;
+  };
+}

systems/jeeves/docker/qbitvpn.nix

@@ -0,0 +1,41 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 6882 8081 8118 ];
+    allowedUDPPorts = [ 6882 ];
+  };
+  virtualisation.oci-containers.containers.qbitvpn = {
+    image = "binhex/arch-qbittorrentvpn:latest";
+    extraOptions = [ "--cap-add=NET_ADMIN" ];
+    ports = [
+      "6882:6881"
+      "6882:6881/udp"
+      "8081:8081"
+      "8118:8118"
+    ];
+    volumes = [
+      "${vars.media_docker_configs}/qbitvpn:/config"
+      "${vars.torrenting_qbitvpn}:/data"
+      "/etc/localtime:/etc/localtime:ro"
+    ];
+    environment = {
+      WEBUI_PORT = "8081";
+      PUID = "600";
+      PGID = "100";
+      VPN_ENABLED = "yes";
+      VPN_CLIENT = "openvpn";
+      STRICT_PORT_FORWARD = "yes";
+      ENABLE_PRIVOXY = "yes";
+      LAN_NETWORK = "192.168.90.0/24";
+      NAME_SERVERS = "1.1.1.1,1.0.0.1";
+      UMASK = "000";
+      DEBUG = "false";
+      DELUGE_DAEMON_LOG_LEVEL = "debug";
+      DELUGE_WEB_LOG_LEVEL = "debug";
+    };
+    environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/reverse_proxy.nix

@@ -3,22 +3,6 @@ let
 in
 {
   virtualisation.oci-containers.containers = {
-    grafana = {
-      image = "grafana/grafana-enterprise:latest";
-      volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
-      user = "600:600";
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    dnd_file_server = {
-      image = "ubuntu/apache2:latest";
-      volumes = [
-        "${../../common/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
-        "${vars.storage_main}/Table_Top/:/data"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
     haproxy = {
       image = "haproxy:latest";
       user = "600:600";
@@ -26,15 +10,15 @@ in
         TZ = "Etc/EST";
       };
       volumes = [
-        "/root/secrets/docker/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
+        "${vars.storage_secrets}/docker/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
         "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
       ];
       dependsOn = [
         "arch_mirror"
-        "dnd_file_server"
+        "audiobookshelf"
         "filebrowser"
         "grafana"
-        "overseerr"
+        "photoprism"
         "uptime_kuma"
       ];
       extraOptions = [ "--network=web" ];
@@ -47,7 +31,7 @@ in
         "tunnel"
         "run"
       ];
-      environmentFiles = [/root/secrets/docker/cloud_flare_tunnel];
+      environmentFiles = ["${vars.storage_secrets}/docker/cloud_flare_tunnel"];
       dependsOn = [ "haproxy" ];
       extraOptions = [ "--network=web" ];
       autoStart = true;

systems/jeeves/docker/sonarr.nix

@@ -0,0 +1,21 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 9696 8989 ];
+  virtualisation.oci-containers.containers.sonarr = {
+    image = "ghcr.io/linuxserver/sonarr:latest";
+    ports = [ "8989:8989" ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+    };
+    volumes = [
+      "${vars.media_docker_configs}/sonarr:/config"
+      "${vars.storage_plex}/tv:/tv"
+      "${vars.torrenting_qbitvpn}:/data"
+    ];
+    autoStart = true;
+  };
+}

systems/jeeves/hardware.nix

@@ -1,9 +1,26 @@
 { config, lib, modulesPath, ... }:
-
 {
   imports =[ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot = {
+    loader = {
+      grub = {
+        enable = true;
+        zfsSupport = true;
+        efiSupport = true;
+        mirroredBoots = [
+          {
+            devices = [ "nodev" ];
+            path = "/boot0";
+          }
+          {
+            devices = [ "nodev" ];
+            path = "/boot1";
+          }
+        ];
+      };
+      efi.canTouchEfiVariables = true;
+    };
     initrd = {
       availableKernelModules = [
         "ahci"
@@ -17,8 +34,77 @@
       ];
       kernelModules = [ ];
       luks.devices = {
-        "luks-root-pool-wwn-0x500a0751e6c3c01e-part2".device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part2";
+        # cspell:disable
-        "luks-root-pool-wwn-0x500a0751e6c3c01c-part2".device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01c-part2";
+        # Root pool
+        "luks-root-pool-wwn-0x55cd2e4150f01519-part2" = {
+          device = "/dev/disk/by-id/wwn-0x55cd2e4150f01519-part2";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-root-pool-wwn-0x55cd2e4150f01556-part2" = {
+          device = "/dev/disk/by-id/wwn-0x55cd2e4150f01556-part2";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        # Media pool
+        "luks-media_pool-nvme-INTEL_SSDPEK1A118GA_BTOC14120V2J118B-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_SSDPEK1A118GA_BTOC14120V2J118B-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-media_pool-nvme-INTEL_SSDPEK1A118GA_BTOC14120WAG118B-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_SSDPEK1A118GA_BTOC14120WAG118B-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-media_pool-nvme-INTEL_SSDPE2ME012T4_CVMD5130000G1P2HGN-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_SSDPE2ME012T4_CVMD5130000G1P2HGN-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-media_pool-nvme-INTEL_SSDPE2ME012T4_CVMD5130000U1P2HGN-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_SSDPE2ME012T4_CVMD5130000U1P2HGN-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        # Storage pool
+        "luks-storage_pool-nvme-Samsung_SSD_970_EVO_Plus_2TB_S6S2NS0T834822N-part1" = {
+          device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6S2NS0T834822N-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-storage_pool-nvme-Samsung_SSD_970_EVO_Plus_2TB_S6S2NS0T834817F-part1" = {
+          device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6S2NS0T834817F-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-storage_pool-nvme-INTEL_MEMPEK1W016GA_PHBT828104DF016D-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_MEMPEK1W016GA_PHBT828104DF016D-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-storage_pool-nvme-INTEL_MEMPEK1W016GA_PHBT828105A8016D-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_MEMPEK1W016GA_PHBT828105A8016D-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-storage_pool-wwn-0x5000cca23bc438dd-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bc438dd-part1";
+        "luks-storage_pool-wwn-0x5000cca23bd035f5-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bd035f5-part1";
+        "luks-storage_pool-wwn-0x5000cca23bd00ad6-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bd00ad6-part1";
+        "luks-storage_pool-wwn-0x5000cca23bcf313e-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bcf313e-part1";
+        "luks-storage_pool-wwn-0x5000cca23bcdf3b8-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bcdf3b8-part1";
+        "luks-storage_pool-wwn-0x5000cca23bd02746-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bd02746-part1";
+        "luks-storage_pool-wwn-0x5000cca23bcf9f89-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bcf9f89-part1";
+        "luks-storage_pool-wwn-0x5000cca23bd00ae9-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bd00ae9-part1";
+        # Torrenting pool
+        "luks-torrenting_pool-wwn-0x500a0751e6c3c01e-part1" = {
+          device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-torrenting_pool-wwn-0x5000cca264f080a3-part1".device = "/dev/disk/by-id/wwn-0x5000cca264f080a3-part1";
+        "luks-torrenting_pool-wwn-0x5000cca298c33ae5-part1".device = "/dev/disk/by-id/wwn-0x5000cca298c33ae5-part1";
+        # cspell:enable
       };
     };
     kernelModules = [ "kvm-amd" ];
@@ -36,13 +122,26 @@
       fsType = "zfs";
     };
 
+    "/nix" =
+    { device = "root_pool/nix";
+      fsType = "zfs";
+    };
+
     "/var" = {
       device = "root_pool/var";
       fsType = "zfs";
     };
 
-    "/boot" = {
+    "/boot0" = {
-      device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part1";
+      device = "/dev/disk/by-id/wwn-0x55cd2e4150f01556-part1";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+    "/boot1" = {
+      device = "/dev/disk/by-id/wwn-0x55cd2e4150f01519-part1";
       fsType = "vfat";
       options = [
         "fmask=0077"

systems/jeeves/home_assistant.nix

@@ -0,0 +1,49 @@
+{
+  services.home-assistant = {
+    enable = true;
+    openFirewall = true;
+    config = {
+      http = {
+        server_port = 8123;
+        server_host = [
+          "192.168.95.14"
+          "192.168.90.40"
+          "192.168.98.4"
+        ];
+        use_x_forwarded_for = true;
+        trusted_proxies = "172.100.0.4";
+      };
+      homeassistant = {
+        time_zone = "America/New_York";
+        unit_system = "imperial";
+        temperature_unit = "F";
+      };
+      assist_pipeline = { };
+      backup = { };
+      bluetooth = { };
+      config = { };
+      dhcp = { };
+      energy = { };
+      history = { };
+      homeassistant_alerts = { };
+      image_upload = { };
+      logbook = { };
+      media_source = { };
+      mobile_app = { };
+      ssdp = { };
+      sun = { };
+      webhook = { };
+      zeroconf = { };
+    };
+    extraPackages =
+      python3Packages: with python3Packages; [
+        psycopg2
+        gtts
+        aioesphomeapi
+        esphome-dashboard-api
+        bleak-esphome
+        pymetno
+      ];
+    extraComponents = [ "isal" ];
+  };
+}

systems/jeeves/networking.nix

@@ -2,36 +2,48 @@
   networking = {
     hostName = "jeeves";
     hostId = "0e15ce35";
-    firewall.enable = false;
+    firewall.enable = true;
     useNetworkd = true;
   };
 
   systemd.network = {
+
     enable = true;
+
+    netdevs = {
+      "20-ioit-vlan" = {
+        netdevConfig = {
+          Kind = "vlan";
+          Name = "ioit-vlan";
+        };
+        vlanConfig.Id = 20;
+      };
+    };
+
     networks = {
       "10-1GB_Primary" = {
         matchConfig.Name = "enp98s0f0";
         DHCP = "yes";
+        vlan = [ "ioit-vlan" ];
+        linkConfig.RequiredForOnline = "routable";
       };
-    };
-    networks = {
       "10-1GB_Secondary" = {
         matchConfig.Name = "enp98s0f1";
         DHCP = "yes";
       };
-    };
-    networks = {
       "10-10GB_Primary" = {
         matchConfig.Name = "enp97s0f0np0";
         DHCP = "yes";
         linkConfig.RequiredForOnline = "routable";
       };
-    };
-    networks = {
       "10-10GB_Secondary" = {
         matchConfig.Name = "enp97s0f1np1";
         DHCP = "yes";
       };
+      "40-ioit-vlan" = {
+        matchConfig.Name = "ioit-vlan";
+        DHCP = "yes";
+      };
     };
   };
 

systems/jeeves/scripts/zfs.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# zpools
+
+# media
+sudo zpool create -o ashift=12 -O acltype=posixacl -O atime=off -O dnodesize=auto -O xattr=sa -O compression=zstd -m /zfs/media media mirror
+sudo zpool add media -o ashift=12 special mirror
+
+# storage
+sudo zpool create -o ashift=12 -O acltype=posixacl -O atime=off -O dnodesize=auto -O xattr=sa -O compression=zstd -m /zfs/storage storage
+sudo zpool add storage -o ashift=12 special mirror
+sudo zpool add storage -o ashift=12 logs mirror
+
+# torrenting
+sudo zpool create -o ashift=12 -O acltype=posixacl -O atime=off -O dnodesize=auto -O xattr=sa -O compression=zstd -m /zfs/torrenting torrenting
+sudo zpool add torrenting -o ashift=12 special
+
+# media datasets
+sudo zfs create -o compression=zstd-9 media/docker
+sudo zfs create -o recordsize=1M -o compression=zstd-19 media/library
+sudo zfs create -o exec=off media/minio
+sudo zfs create -o exec=off media/mirror
+sudo zfs create -o copies=3 media/notes
+sudo zfs create -o recordsize=16k -o primarycache=metadata -o mountpoint=/zfs/media/database/photoprism_mariadb media/photoprism_mariadb
+sudo zfs create -o compression=zstd-9 media/plex
+sudo zfs create -o recordsize=16k -o primarycache=metadata -o mountpoint=/zfs/media/database/postgres media/postgres
+
+# storage datasets
+sudo zfs create -o recordsize=1M -o compression=zstd-19 storage/archive
+sudo zfs create -o compression=zstd-19 storage/main
+sudo zfs create -o recordsize=16K -o compression=zstd-19 -o copies=2 storage/photos
+sudo zfs create -o recordsize=1M -o compression=zstd-19 storage/plex
+sudo zfs create -o compression=zstd-19 -o copies=3 storage/secrets
+sudo zfs create -o compression=zstd-19 storage/syncthing
+
+# torrenting datasets
+sudo zfs create -o recordsize=16K -o exec=off -o sync=disabled torrenting/qbit
+sudo zfs create -o recordsize=16K -o exec=off -o sync=disabled torrenting/qbitvpn

systems/jeeves/services.nix

@@ -3,6 +3,9 @@
   pkgs,
   ...
 }:
+let
+  vars = import ./vars.nix;
+in
 {
   systemd = {
     services = {
@@ -20,7 +23,7 @@
         description = "validates startup";
         path = [ pkgs.zfs ];
         serviceConfig = {
-          EnvironmentFile = "/root/secrets/services/server-validation";
+          EnvironmentFile = "${vars.storage_secrets}/services/server-validation";
           Type = "oneshot";
           ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
         };

systems/jeeves/snapshot_config.toml

@@ -1,8 +1,32 @@
-["media/Notes"]
+["default"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/home"]
+15_min = 8
+hourly = 24
+daily = 14
+monthly = 0
+
+["root_pool/root"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/nix"]
+15_min = 4
+hourly = 0
+daily = 0
+monthly = 0
+
+["root_pool/var"]
 15_min = 8
 hourly = 24
 daily = 30
-monthly = 12
+monthly = 6
 
 ["storage/plex"]
 15_min = 6

systems/jeeves/syncthing.nix

@@ -0,0 +1,63 @@
+let
+  vars = import ./vars.nix;
+in
+{
+  services.syncthing = {
+    guiAddress = "192.168.90.40:8384";
+    settings.folders = {
+      "bob_temp" = {
+        path = "${vars.storage_syncthing}/bob_temp";
+        devices = [
+          "jeeves"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "notes" = {
+        id = "l62ul-lpweo"; # cspell:disable-line
+        path = vars.media_notes;
+        devices = [
+          "bob"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "important" = {
+        id = "4ckma-gtshs"; # cspell:disable-line
+        path = "${vars.storage_syncthing}/important";
+        devices = [
+          "bob"
+          "rhapsody-in-green"
+          "phone"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "music" = {
+        id = "vprc5-3azqc"; # cspell:disable-line
+        path = "${vars.storage_syncthing}/music";
+        devices = [
+          "bob"
+          "rhapsody-in-green"
+          "ipad"
+          "phone"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "projects" = {
+        id = "vyma6-lqqrz"; # cspell:disable-line
+        path = "${vars.storage_syncthing}/projects";
+        devices = [
+          "bob"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "rhapsody-in-green_temp" = {
+        path = "${vars.storage_syncthing}/rhapsody-in-green_temp";
+        devices = [
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+    };
+  };
+}

systems/jeeves/vars.nix

@@ -6,17 +6,19 @@ in
 {
   inherit zfs_media zfs_storage zfs_torrenting;
   # media
-  media_database = "${zfs_media}/syncthing/database";
+  media_database = "${zfs_media}/database";
   media_docker = "${zfs_media}/docker";
   media_docker_configs = "${zfs_media}/docker/configs";
   media_mirror = "${zfs_media}/mirror";
   media_notes = "${zfs_media}/notes";
-  media_plex = "${zfs_media}/plex/";
+  media_plex = "${zfs_media}/plex";
-  media_scripts = "${zfs_media}/scripts";
   # storage
   storage_main = "${zfs_storage}/main";
+  storage_photos = "${zfs_storage}/photos";
   storage_plex = "${zfs_storage}/plex";
+  storage_secrets = "${zfs_storage}/secrets";
   storage_syncthing = "${zfs_storage}/syncthing";
+  storage_library = "${zfs_storage}/library";
   # torrenting
   torrenting_qbit = "${zfs_torrenting}/qbit";
   torrenting_qbitvpn = "${zfs_torrenting}/qbitvpn";

systems/muninn/default.nix

@@ -0,0 +1,52 @@
+{
+  imports = [
+    ../../users/richie
+    ../../common/global
+    ../../common/optional/desktop.nix
+    ../../common/optional/steam.nix
+    ../../common/optional/systemd-boot.nix
+    ./hardware.nix
+  ];
+
+  networking = {
+    hostName = "muninn";
+    hostId = "a43179c5";
+    firewall.enable = true;
+    networkmanager.enable = true;
+  };
+
+  hardware = {
+    pulseaudio.enable = false;
+    bluetooth = {
+      enable = true;
+      powerOnBoot = true;
+    };
+  };
+
+  security.rtkit.enable = true;
+
+  services = {
+
+    displayManager.sddm.enable = true;
+
+    openssh.ports = [ 262 ];
+
+    printing.enable = true;
+
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+    };
+
+    snapshot_manager.enable = true;
+
+    zfs = {
+      trim.enable = true;
+      autoScrub.enable = true;
+    };
+  };
+
+  system.stateVersion = "24.05";
+}

systems/muninn/hardware.nix

@@ -0,0 +1,61 @@
+{ config, lib, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "thunderbolt"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+      luks.devices."luks-root-pool-nvme-INTEL_SSDPEKKW256G7_BTPY63820XBH256D-part2" = {
+        device = "/dev/disk/by-id/nvme-INTEL_SSDPEKKW256G7_BTPY63820XBH256D-part2";
+        bypassWorkqueues = true;
+        allowDiscards = true;
+      };
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = lib.mkDefault {
+      device = "root_pool/root";
+      fsType = "zfs";
+    };
+
+    "/home" = {
+      device = "root_pool/home";
+      fsType = "zfs";
+    };
+
+    "/nix" = {
+      device = "root_pool/nix";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "root_pool/var";
+      fsType = "zfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/12CE-A600";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

systems/rhapsody-in-green/default.nix

@@ -0,0 +1,57 @@
+{ inputs, ... }:
+{
+  imports = [
+    ../../users/richie
+    ../../common/global
+    ../../common/optional/desktop.nix
+    ../../common/optional/syncthing_base.nix
+    ../../common/optional/systemd-boot.nix
+    ../../common/optional/yubikey.nix
+    ../../common/optional/zerotier.nix
+    ./hardware.nix
+    ./syncthing.nix
+    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
+  ];
+
+  networking = {
+    hostName = "rhapsody-in-green";
+    hostId = "6404140d";
+    firewall.enable = true;
+    networkmanager.enable = true;
+  };
+
+  hardware = {
+    pulseaudio.enable = false;
+    bluetooth = {
+      enable = true;
+      powerOnBoot = true;
+    };
+  };
+
+  security.rtkit.enable = true;
+
+  services = {
+
+    displayManager.sddm.enable = true;
+
+    openssh.ports = [ 922 ];
+
+    printing.enable = true;
+
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+    };
+
+    snapshot_manager.enable = true;
+
+    zfs = {
+      trim.enable = true;
+      autoScrub.enable = true;
+    };
+  };
+
+  system.stateVersion = "24.05";
+}

systems/rhapsody-in-green/hardware.nix

@@ -0,0 +1,56 @@
+{ config, lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "thunderbolt"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+      luks.devices = {
+        "luks-root-pool-nvme-Samsung_SSD_980_PRO_1TB_S5P2NU0X403203E-part2" = {
+          device = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_1TB_S5P2NU0X403203E-part2";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+      };
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = lib.mkDefault {
+      device = "root_pool/root";
+      fsType = "zfs";
+    };
+    "/home" = {
+      device = "root_pool/home";
+      fsType = "zfs";
+    };
+    "/var" = {
+      device = "root_pool/var";
+      fsType = "zfs";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/12CE-A600";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

systems/rhapsody-in-green/syncthing.nix

@@ -0,0 +1,58 @@
+{    
+  services.syncthing.settings.folders = {
+    "notes" = {
+      id = "l62ul-lpweo"; # cspell:disable-line
+      path = "/home/richie/notes";
+      devices = [
+        "bob"
+        "jeeves"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "important" = {
+      id = "4ckma-gtshs"; # cspell:disable-line
+      path = "/home/richie/important";
+      devices = [
+        "bob"
+        "jeeves"
+        "phone"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "music" = {
+      id = "vprc5-3azqc"; # cspell:disable-line
+      path = "/home/richie/music";
+      devices = [
+        "bob"
+        "ipad"
+        "jeeves"
+        "phone"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "projects" = {
+      id = "vyma6-lqqrz"; # cspell:disable-line
+      path = "/home/richie/projects";
+      devices = [
+        "bob"
+        "jeeves"
+      ];
+      fsWatcherEnabled = true;
+    };
+    rhapsody-in-temp = {
+      id = "rhapsody-in-green_temp";
+      path = "/home/richie/temp";
+      devices = [
+        "jeeves"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "vault" = {
+      path = "/home/richie/vault";
+      devices = [
+        "bob"
+      ];
+      fsWatcherEnabled = true;
+    };
+  };
+}

tools/installer.py

@@ -0,0 +1,229 @@
+"""Install NixOS on a ZFS pool."""
+
+from __future__ import annotations
+
+import logging
+import sys
+from os import getenv
+from pathlib import Path
+from random import getrandbits
+from subprocess import PIPE, Popen, run
+from time import sleep
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from collections.abc import Sequence
+
+
+def configure_logger(level: str = "INFO") -> None:
+    """Configure the logger.
+    Args:
+        level (str, optional): The logging level. Defaults to "INFO".
+    """
+    logging.basicConfig(
+        level=level,
+        datefmt="%Y-%m-%dT%H:%M:%S%z",
+        format="%(asctime)s %(levelname)s %(filename)s:%(lineno)d - %(message)s",
+        handlers=[logging.StreamHandler(sys.stdout)],
+    )
+
+
+def bash_wrapper(command: str) -> str:
+    """Execute a bash command and capture the output.
+    Args:
+        command (str): The bash command to be executed.
+    Returns:
+        Tuple[str, int]: A tuple containing the output of the command (stdout) as a string,
+        the error output (stderr) as a string (optional), and the return code as an integer.
+    """
+    logging.debug(f"running {command=}")
+    # This is a acceptable risk
+    process = Popen(command.split(), stdout=PIPE, stderr=PIPE)  # noqa: S603
+    output, _ = process.communicate()
+    if process.returncode != 0:
+        error = f"Failed to run command {command=} return code {process.returncode=}"
+        raise RuntimeError(error)
+
+    return output.decode()
+
+
+def partition_disk(disk: str, swap_size: int, reserve: int = 0) -> None:
+    """Partition a disk.
+    Args:
+        disk (str): The disk to partition.
+        swap_size (int): The size of the swap partition in GB.
+            minimum value is 1.
+        reserve (int, optional): The size of the reserve partition in GB. Defaults to 0.
+            minimum value is 0.
+    """
+    logging.info(f"partitioning {disk=}")
+    swap_size = max(swap_size, 1)
+    reserve = max(reserve, 0)
+
+    bash_wrapper(f"blkdiscard -f {disk}")
+
+    if reserve > 0:
+        msg = f"Creating swap partition on {disk=} with size {swap_size=}GiB and reserve {reserve=}GiB"
+        logging.info(msg)
+
+        swap_start = swap_size + reserve
+        swap_partition = f"mkpart swap -{swap_start}GiB -{reserve}GiB "
+    else:
+        logging.info(f"Creating swap partition on {disk=} with size {swap_size=}GiB")
+        swap_start = swap_size
+        swap_partition = f"mkpart swap -{swap_start}GiB 100% "
+
+    logging.debug(f"{swap_partition=}")
+
+    create_partitions = (
+        f"parted --script --align=optimal {disk} -- "
+        "mklabel gpt "
+        "mkpart EFI 1MiB 4GiB "
+        f"mkpart root_pool 4GiB -{swap_start}GiB "
+        f"{swap_partition}"
+        "set 1 esp on"
+    )
+    bash_wrapper(create_partitions)
+
+    logging.info(f"{disk=} successfully partitioned")
+
+
+def create_zfs_pool(pool_disks: Sequence[str], mnt_dir: str) -> None:
+    """Create a ZFS pool.
+    Args:
+        disks (Sequence[str]): A tuple of disks to use for the pool.
+        mnt_dir (str): The mount directory.
+    """
+    if len(pool_disks) <= 0:
+        error = "disks must be a tuple of at least length 1"
+        raise ValueError(error)
+
+    zpool_create = (
+        "zpool create "
+        "-o ashift=12 "
+        "-o autotrim=on "
+        f"-R {mnt_dir} "
+        "-O acltype=posixacl "
+        "-O canmount=off "
+        "-O dnodesize=auto "
+        "-O normalization=formD "
+        "-O relatime=on "
+        "-O xattr=sa "
+        "-O mountpoint=none "
+        "root_pool "
+    )
+    if len(pool_disks) == 1:
+        zpool_create += pool_disks[0]
+    else:
+        zpool_create += "mirror "
+        zpool_create += " ".join(pool_disks)
+
+    bash_wrapper(zpool_create)
+    zpools = bash_wrapper("zpool list -o name")
+    if "root_pool" not in zpools.splitlines():
+        logging.critical("Failed to create root_pool")
+        sys.exit(1)
+
+
+def create_zfs_datasets() -> None:
+    """Create ZFS datasets."""
+    default_options = "-o compression=zstd -o atime=off -o mountpoint=legacy"
+
+    bash_wrapper(f"zfs create {default_options} -o canmount=noauto root_pool/root")
+    for dataset in ("home", "var"):
+        bash_wrapper(f"zfs create {default_options} root_pool/{dataset}")
+
+    datasets = bash_wrapper("zfs list -o name")
+
+    expected_datasets = {"root_pool/root", "root_pool/home", "root_pool/var"}
+    missing_datasets = expected_datasets.difference(datasets.splitlines())
+    if missing_datasets:
+        logging.critical(f"Failed to create pools {missing_datasets}")
+        sys.exit(1)
+
+
+def install_nixos(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
+    """Install NixOS."""
+    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/root {mnt_dir}")
+    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/home {mnt_dir}/home")
+    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/var {mnt_dir}/var")
+
+    for disk in disks:
+        bash_wrapper(f"mkfs.vfat -n EFI {disk}-part1")
+
+    # set up mirroring afterwards if more than one disk
+    boot_partition = f"mount -t vfat -o fmask=0077,dmask=0077,iocharset=iso8859-1,X-mount.mkdir {disks[0]}-part1 {mnt_dir}/boot"
+    bash_wrapper(boot_partition)
+
+    bash_wrapper(f"nixos-generate-config --root {mnt_dir}")
+
+    host_id = format(getrandbits(32), "08x")
+
+    nix_hardware = Path(f"{mnt_dir}/etc/nixos/hardware-configuration.nix").read_text()
+    nix_hardware = nix_hardware.replace(
+        ";\n}", f';\n  networking.hostId = "{host_id}";' "\n}"
+    )
+
+    if encrypt:
+        test = [
+            f'    "luks-root-pool-{disk.split("/")[-1]}-part2".device = "{disk}-part2";\n'
+            for disk in disks
+        ]
+
+        encrypted_disks = (
+            ";\n  boot.initrd.luks.devices = {\n" f"{''.join(test)}" "  };\n" "}"
+        )
+        nix_hardware = nix_hardware.replace(";\n}", encrypted_disks)
+
+    Path(f"{mnt_dir}/etc/nixos/hardware-configuration.nix").write_text(nix_hardware)
+
+    run(("nixos-install", "--root", mnt_dir), check=True)  # noqa: S603
+
+
+def main() -> None:
+    """Main."""
+    configure_logger("DEBUG")
+
+    logging.info("Starting installation")
+
+    disks = ("/dev/disk/by-id/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",)
+
+    # Set swap size in GB, set to 1 if you don't want swap to take up too much space
+    swap_size = 1
+    reserve = 0
+
+    encrypt_key = getenv("ENCRYPT_KEY")
+
+    for disk in disks:
+        partition_disk(disk, swap_size, reserve)
+
+        if encrypt_key:
+            sleep(1)
+            for command in (
+                f'printf "{encrypt_key}" | cryptsetup luksFormat --type luks2 {disk}-part2 -',
+                f'printf "{encrypt_key}" | cryptsetup luksOpen {disk}-part2 luks-root-pool-{disk.split("/")[-1]}-part2 -',
+            ):
+                run(command, shell=True, check=True)
+
+    mnt_dir = "/tmp/nix_install"  # noqa: S108
+
+    Path(mnt_dir).mkdir(parents=True, exist_ok=True)
+
+    if encrypt_key:
+        pool_disks = [
+            f'/dev/mapper/luks-root-pool-{disk.split("/")[-1]}-part2' for disk in disks
+        ]
+    else:
+        pool_disks = [f"{disk}-part2" for disk in disks]
+
+    create_zfs_pool(pool_disks, mnt_dir)
+
+    create_zfs_datasets()
+
+    install_nixos(mnt_dir, disks, encrypt_key)
+
+    logging.info("Installation complete")
+
+
+if __name__ == "__main__":
+    main()

users/richie/default.nix

@@ -8,14 +8,17 @@ in {
   users.users.richie = {
     isNormalUser = true;
     shell = pkgs.zsh;
+    group = "richie";
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPtuYhiJHRTYhNaDmTcJOqJASk7D8mIn6u3F1IN5AFJ bob" # cspell:disable-line
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYZFsc9CSH03ZUP7y81AHwSyjLwFmcshVFCyxDcYhBT rhapsody-in-green" # cspell:disable-line
     ];
     extraGroups =
     [
       "audio"
       "video"
       "wheel"
+      "users"
     ]
     ++ ifTheyExist [
       "dialout"
@@ -23,9 +26,15 @@ in {
       "libvirtd"
       "networkmanager"
       "plugdev"
+      "scanner"
       "uaccess"
       "wireshark"
     ];
+    uid = 1000;
+  };
+
+  users.groups.richie = {
+    gid = 1000;
   };
 
   home-manager.users.richie = import ./systems/${config.networking.hostName}.nix; 

users/richie/home/cli/default.nix

@@ -1,8 +1,8 @@
 {
   imports = [
+    ./direnv.nix
     ./git.nix
     ./zsh.nix
-    ./direnv.nix
   ];
 
   programs.starship.enable = true;

users/richie/home/gui/default.nix

@@ -1,26 +1,27 @@
 { pkgs, ... }:
 {
   imports = [
-    ./firefox.nix
+    ./firefox
     ./vscode
   ];
 
   home.packages = with pkgs; [
-    beeper
     candy-icons
-    nemo
-    nemo-fileroller
     discord-canary
     gimp
     gparted
     mediainfo
+    nemo
+    nemo-fileroller
     obs-studio
     obsidian
+    prismlauncher
     proxychains
+    prusa-slicer
+    signal-desktop
     sweet-nova
     util-linux
     vlc
     zoom-us
-    prusa-slicer
   ];
 }

users/richie/home/gui/firefox/default.nix

@@ -1,9 +1,7 @@
+{ inputs, ... }:
 {
-  pkgs,
+  imports = [ ./search_engines.nix ];
-  inputs,
+
-  ...
-}:
-{
   programs.firefox = {
     enable = true;
     profiles.richie = {
@@ -16,55 +14,11 @@
         sponsorblock
         ublock-origin
       ];
-      search.engines = {
+      search = {
-        "Nix Options" = {
+        force = true;
-          urls = [
+        default = "kagi";
-            {
+        order = [ "kagi" "DuckDuckGo" "Google" ];
-              template = "https://search.nixos.org/options";
-              params = [
-                {
-                  name = "type";
-                  value = "packages";
-                }
-                {
-                  name = "channel";
-                  value = "unstable";
-                }
-                {
-                  name = "query";
-                  value = "{searchTerms}";
-                }
-              ];
-            }
-          ];
-          icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
-          definedAliases = [ "@o" ];
       };
-        "Nix Packages" = {
-          urls = [
-            {
-              template = "https://search.nixos.org/packages";
-              params = [
-                {
-                  name = "type";
-                  value = "packages";
-                }
-                {
-                  name = "channel";
-                  value = "unstable";
-                }
-                {
-                  name = "query";
-                  value = "{searchTerms}";
-                }
-              ];
-            }
-          ];
-          icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
-          definedAliases = [ "@n" ];
-        };
-      };
-      search.force = true;
       settings = {
         # SECTION: FASTFOX
         # GENERAL

users/richie/home/gui/firefox/search_engines.nix

@@ -0,0 +1,65 @@
+{ pkgs, ... }:
+{
+  programs.firefox.profiles.richie.search.engines = {
+    "Nix Options" = {
+      urls = [
+        {
+          template = "https://search.nixos.org/options";
+          params = [
+            {
+              name = "type";
+              value = "packages";
+            }
+            {
+              name = "channel";
+              value = "unstable";
+            }
+            {
+              name = "query";
+              value = "{searchTerms}";
+            }
+          ];
+        }
+      ];
+      icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
+      definedAliases = [ "@o" ];
+    };
+    "Nix Packages" = {
+      urls = [
+        {
+          template = "https://search.nixos.org/packages";
+          params = [
+            {
+              name = "type";
+              value = "packages";
+            }
+            {
+              name = "channel";
+              value = "unstable";
+            }
+            {
+              name = "query";
+              value = "{searchTerms}";
+            }
+          ];
+        }
+      ];
+      icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
+      definedAliases = [ "@n" ];
+    };
+    "kagi" = {
+      urls = [
+        {
+          template = "https://kagi.com/search?";
+          params = [
+            {
+              name = "q";
+              value = "{searchTerms}";
+            }
+          ];
+        }
+      ];
+      icon = ./kagi.png;
+    };
+  };
+}

users/richie/home/programs.nix

@@ -5,14 +5,23 @@
     bat
     btop
     eza
+    fd
+    ffmpegthumbnailer
+    fzf
     git
     gnupg
+    imagemagick
+    jq
     ncdu
     neofetch
+    p7zip
+    poppler
     rar
     ripgrep
     starship
     tmux
+    unzip
+    yazi
     zoxide
     # system info
     hwloc

users/richie/systems/muninn.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ../home/global.nix
+    ../home/gui
+  ];
+}

users/richie/systems/rhapsody-in-green.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ../home/global.nix
+    ../home/gui
+  ];
+}