add vuescan definition

2023-12-28 16:34:26 +01:00
125 changed files with 1083 additions and 30606 deletions
--- a/.envrc
+++ b/.envrc
@ -1 +1 @@
-use flake
+PATH_add .
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,2 @@
 result
 .direnv
 .pre-commit-config.yaml
 .gcroots
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,88 +0,0 @@
 # Public keys are combination of host + user
 keys:
  - &sue_root age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
  - &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
  - &gamepc_root age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
  - &gamepc_pim age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
  - &warwick_root age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
  - &niels age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
  - &atlas_root age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
  - &jefke_root age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
  - &lewis_root age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
 creation_rules:
  - path_regex: secrets/sue/colmena.yaml
    key_groups:
      - age:
        - *sue_root
  - path_regex: secrets/sue/nixos.yaml
    key_groups:
      - age:
        - *sue_root
  - path_regex: secrets/sue/pim.yaml
    key_groups:
      - age:
        - *sue_pim
        - *sue_root
  - path_regex: secrets/gamepc/colmena.yaml
    key_groups:
      - age:
        - *sue_pim
        - *sue_root
  - path_regex: secrets/gamepc/pim.yaml
    key_groups:
      - age:
        - *sue_pim
        - *sue_root
        - *gamepc_root
        - *gamepc_pim
  - path_regex: secrets/warwick/colmena.yaml
    key_groups:
      - age:
        - *sue_pim
        - *sue_root
        - *niels
  - path_regex: secrets/servers.yaml
    key_groups:
      - age:
        - *warwick_root
        - *atlas_root
        - *jefke_root
        - *lewis_root
        - *sue_pim
        - *sue_root
        - *niels
  - path_regex: secrets/atlas/colmena.yaml
    key_groups:
      - age:
        - *sue_pim
        - *sue_root
        - *niels
  - path_regex: secrets/kubernetes.yaml
    key_groups:
      - age:
        - *atlas_root
        - *jefke_root
        - *lewis_root
        - *sue_pim
        - *sue_root
        - *niels
  - path_regex: secrets/jefke/colmena.yaml
    key_groups:
      - age:
        - *sue_pim
        - *sue_root
        - *niels
  - path_regex: secrets/lewis/colmena.yaml
    key_groups:
      - age:
        - *sue_pim
        - *sue_root
        - *niels
  - path_regex: secrets/lewis/nixos.yaml
    key_groups:
      - age:
        - *lewis_root
        - *sue_pim
        - *sue_root
        - *niels
--- a/README.md
+++ b/README.md
@ -1,35 +1,20 @@
-# nixos-configs
+# nixos-laptop
-NixOS configurations for the machines I manage.
+NixOS configuration for my laptop.
 My configuration is simple: I have one personal laptop with one user.
-Currently managed systems:
+## Features
 - **sue**: My current laptop, a Dell XPS 9315. It has two flavours:
    - Default running GNOME
    - Specialisation running Cosmic
 - **gamepc**: My gaming PC running Cinnamon
 - **warwick**: A Raspberry Pi 4 Model B, which mostly does some monitoring
 - **atlas**: A Gigabyte Brix, one of my Kubernetes nodes
 - **jefke**: A Gigabyte Brix, one of my Kubernetes nodes
 - **lewis**: A Gigabyte Brix, one of my Kubernetes nodes. Additionally, contains my media collection and does backups.
-## Deployment
+- Nixpkgs 23.11
-
+- Flakes!
-I use [Colmena](https://colmena.cli.rs) for deploying my machines.
+- [Nix User Repository (NUR)](https://github.com/nix-community/NUR)
-
+    - Currently only used for Firefox Plugins
-Create garbage collection roots like so:
+- [Home Manager](https://github.com/nix-community/home-manager)
-```
+    - For managing my configuration for my user
-colmena build --keep-result --experimental-flake-eval
+- [Agenix](https://github.com/ryantm/agenix)
-```
+    - To deploy global system secrets, like:
-
+        - Wireguard private key and shared secret
-To apply to the local machine:
+- [Homeage](https://github.com/jordanisaacs/homeage)
-```
+    - To deploy secrets in my home directory, like:
-sudo colmena apply-local --sudo --experimental-flake-eval
+        - SSH keys
-```
+        - Syncthing private key
 To apply to all remotely managed systems:
 ```
 colmena apply --experimental-flake-eval
 ```
 > [!NOTE]
 > Currently the `--experimental-flake-eval` flag is necessary to properly use Colmena with flakes. See [this PR](https://github.com/zhaofengli/colmena/pull/228).
--- a/checks.nix
+++ b/checks.nix
@ -1,15 +0,0 @@
 {
  self,
  flake-utils,
  git-hooks,
  ...
 }:
 flake-utils.lib.eachDefaultSystem (system: {
  checks.pre-commit-check = git-hooks.lib.${system}.run {
    src = self;
    hooks.treefmt = {
      enable = true;
      package = self.packages.${system}.formatter;
    };
  };
 })
--- a/colmena.nix
+++ b/colmena.nix
@ -1,62 +0,0 @@
 inputs @ {
  self,
  nixpkgs,
  colmena,
  ...
 }: {
  colmena = {
    meta = {
      nixpkgs = import nixpkgs {
        system = "x86_64-linux";
      };
      specialArgs = {
        inherit inputs self;
      };
    };
    sue = {
      imports = [
        (import ./machines).sue.nixosModule
        ./nixos
      ];
    };
    gamepc = {
      imports = [
        (import ./machines).gamepc.nixosModule
        ./nixos
      ];
    };
    warwick = {
      imports = [
        (import ./machines).warwick.nixosModule
        ./nixos
      ];
    };
    atlas = {
      imports = [
        (import ./machines).atlas.nixosModule
        ./nixos
      ];
    };
    jefke = {
      imports = [
        (import ./machines).jefke.nixosModule
        ./nixos
      ];
    };
    lewis = {
      imports = [
        (import ./machines).lewis.nixosModule
        ./nixos
      ];
    };
  };
  colmenaHive = colmena.lib.makeHive self.outputs.colmena;
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -2,92 +2,63 @@
  description = "My NixOS configuration";
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    nur.url = "github:nix-community/NUR";
    stylix.url = "github:pizzapim/stylix/master";
    treefmt-nix.url = "github:numtide/treefmt-nix";
    nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
    flake-utils.url = "github:numtide/flake-utils";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    colmena.url = "github:zhaofengli/colmena";
    git-hooks = {
      url = "github:cachix/git-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    nix-index-database = {
      url = "github:nix-community/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager = {
-      url = "github:nix-community/home-manager?ref=release-24.11";
+      url = "github:nix-community/home-manager?ref=release-23.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-
+    homeage = {
-    lanzaboote = {
+      url = "github:jordanisaacs/homeage";
      url = "github:nix-community/lanzaboote/v0.3.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-
+    agenix = {
-    disko = {
+      url = "github:ryantm/agenix";
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-artwork = {
      type = "git";
      url = "https://github.com/NixOS/nixos-artwork.git";
      flake = false;
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-cosmic = {
      url = "github:lilyinstarlight/nixos-cosmic";
      inputs.nixpkgs-stable.follows = "nixpkgs-unstable";
    };
    nix-snapshotter = {
      url = "github:pdtpartners/nix-snapshotter";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    kubenix = {
      url = "github:pizzapim/kubenix";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    nixng = {
      url = "github:pizzapim/NixNG/dnsmasq";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
  };
-  outputs = inputs @ {
+  outputs =
-    self,
+    { nixpkgs
-    nixpkgs,
+    , nixpkgs-unstable
-    flake-utils,
+    , home-manager
-    colmena,
+    , homeage
-    ...
+    , agenix
-  }:
+    , nur
-    (flake-utils.lib.meld inputs [
+    , nixos-hardware
-      ./packages.nix
+    , ...
-      ./formatter.nix
+    }: {
-      ./nixos-configurations.nix
+      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
-      ./checks.nix
+
-      ./colmena.nix
+      nixosConfigurations.pim = nixpkgs.lib.nixosSystem rec {
-    ])
+        system = "x86_64-linux";
-    // flake-utils.lib.eachDefaultSystem (system: {
+        modules = [
-      devShells.default = nixpkgs.legacyPackages.${system}.mkShell {
+          {
-        inherit (self.checks.${system}.pre-commit-check) shellHook;
+            nixpkgs.overlays = [
-        buildInputs =
+              nur.overlay
-          self.checks.${system}.pre-commit-check.enabledPackages ++ [colmena.defaultPackage.${system}];
+              (final: _prev: {
                unstable = import nixpkgs-unstable {
                  inherit system;
                  config.allowUnfree = true;
                };
              })
            ];
          }
          ./nixos
          agenix.nixosModules.default
          nixos-hardware.nixosModules.lenovo-thinkpad-x260
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.users.pim = {
              imports = [ ./home-manager homeage.homeManagerModules.homeage ];
            };
          }
        ];
      };
-    });
+    };
 }
--- a/formatter.nix
+++ b/formatter.nix
@ -1,8 +0,0 @@
 {
  self,
  flake-utils,
  ...
 }:
 flake-utils.lib.eachDefaultSystem (system: {
  formatter = self.packages.${system}.formatter;
 })
--- a/home-manager/bash/default.nix
+++ b/home-manager/bash/default.nix
@ -0,0 +1,20 @@
 {
  config = {
    programs.bash = {
      enable = true;
      shellAliases = {
        htop = "btop";
        gp = "git push";
        gco = "git checkout";
        gd = "git diff";
        gc = "git commit";
        gpl = "git pull";
        gb = "git branch";
        ga = "git add";
        gl = "git log";
        gs = "git status";
        tf = "tofu";
      };
    };
  };
 }
--- a/home-manager/bat/default.nix
+++ b/home-manager/bat/default.nix
@ -0,0 +1,8 @@
 {
  config = {
    programs.bat = {
      enable = true;
      config.theme = "gruvbox-dark";
    };
  };
 }
--- a/home-manager/default.nix
+++ b/home-manager/default.nix
@ -1,247 +1,135 @@
-{
+{ pkgs, lib, config, ... }: {
  lib,
  config,
  inputs,
  ...
 }: {
  imports = [
    ./bash
    ./neovim
    ./firefox
-    ./tidal.nix
+    ./ssh
-    ./gnome
+    ./syncthing
-    ./syncthing.nix
+    ./keepassxc
-    ./vscode.nix
+    ./git
-    inputs.nix-index-database.hmModules.nix-index
+    ./direnv
-    inputs.sops-nix.homeManagerModules.sops
+    ./thunderbird
    ./fzf
    ./bat
  ];
-  xsession.enable = true;
+  home = {
    username = "pim";
    homeDirectory = "/home/pim";
    stateVersion = "23.05";
-  xdg = {
+    packages = with pkgs; [
-    userDirs.enable = true;
+      moonlight-qt
      vlc
      nicotine-plus
      logseq
      signal-desktop
      telegram-desktop
      strawberry
      gimp
      libreoffice
      (pkgs.nerdfonts.override { fonts = [ "Hack" ]; })
      virt-manager
      gnome.gnome-tweaks
      impression
      poppler_utils # For pdfunite
      silicon
    ];
-    mimeApps = {
+    file.k3s-pim-privkey = {
-      enable = true;
+      target = ".kube/config";
-
+      source = ./kubeconfig.yml;
      defaultApplications = let
        applications = {
          telegram = {
            mimeApp = "org.telegram.desktop.desktop";
            mimeTypes = ["x-scheme-handler/tg"];
          };
          librewolf = {
            mimeApp = "librewolf.desktop";
            mimeTypes = [
              "x-scheme-handler/http"
              "text/html"
              "application/xhtml+xml"
              "x-scheme-handler/https"
              "application/pdf"
            ];
          };
          gnomeTextEditor = {
            mimeApp = "org.gnome.TextEditor.desktop";
            mimeTypes = ["text/plain"];
          };
          loupe = {
            mimeApp = "org.gnome.Loupe.desktop";
            mimeTypes = [
              "image/jpeg"
              "image/png"
              "image/gif"
              "image/webp"
              "image/tiff"
              "image/x-tga"
              "image/vnd-ms.dds"
              "image/x-dds"
              "image/bmp"
              "image/vnd.microsoft.icon"
              "image/vnd.radiance"
              "image/x-exr"
              "image/x-portable-bitmap"
              "image/x-portable-graymap"
              "image/x-portable-pixmap"
              "image/x-portable-anymap"
              "image/x-qoi"
              "image/svg+xml"
              "image/svg+xml-compressed"
              "image/avif"
              "image/heic"
              "image/jxl"
            ];
          };
        };
        mimeTypesForApp = {
          mimeApp,
          mimeTypes,
        }:
          map
          (
            mimeType: {"${mimeType}" = mimeApp;}
          )
          mimeTypes;
      in
        lib.zipAttrs (lib.flatten (map mimeTypesForApp (builtins.attrValues applications)));
    };
  };
  programs = {
    home-manager.enable = true;
-    bat.enable = true;
+    chromium.enable = true;
-    git.delta = {
+    terminator = {
      enable = true;
-      options.syntax-theme = "gruvbox-dark";
+      config = {
-    };
+        profiles.default = {
          # Gruvbox theme: https://github.com/egel/terminator-gruvbox
          background_color = "#282828";
          cursor_color = "#7c6f64";
          foreground_color = "#ebdbb2";
          palette =
            "#181818:#cc241d:#98971a:#d79921:#458588:#b16286:#689d6a:#a89984:#928374:#fb4934:#b8bb26:#fabd2f:#83a598:#d3869b:#8ec07c:#ebdbb2";
        };
-    fzf = {
+        keybindings = {
-      enable = true;
+          zoom_in = "<Ctrl>plus";
-      enableZshIntegration = true;
+          zoom_out = "<Ctrl>minus";
-    };
+          new_tab = "<Ctrl><Shift>T";
          cycle_next = "<Ctrl>Tab";
          cycle_prev = "<Ctrl><Shift>Tab";
          split_horiz = "<Alt>C";
          split_vert = "<Alt>V";
-    alacritty = {
+          go_left = "<Alt>H";
-      enable = true;
+          go_right = "<Alt>L";
          go_up = "<Alt>K";
          go_down = "<Alt>J";
-      settings.terminal.shell = {
+          copy = "<Ctrl><Shift>C";
-        program = lib.getExe config.programs.tmux.package;
+          paste = "<Ctrl><Shift>V";
        args = ["attach"];
      };
    };
-    direnv = {
+          layout_launcher = ""; # Default <Alt>L
-      enable = true;
+        };
      enableBashIntegration = true;
      nix-direnv.enable = true;
    };
    atuin = {
      enable = true;
      flags = ["--disable-up-arrow"];
      enableFishIntegration = true;
      settings = {
        auto_sync = true;
        sync_frequency = "5m";
        sync_address = "https://atuin.kun.is";
      };
    };
    fish = {
      enable = true;
      interactiveShellInit = ''
        set -U fish_greeting
      '';
      shellAbbrs = {
        htop = "btop";
        gp = "git push";
        gpf = "git push --force";
        gco = "git checkout";
        gd = "git diff";
        gc = "git commit";
        gca = "git commit --amend";
        gpl = "git pull";
        gb = "git branch";
        ga = "git add";
        gl = "git log";
        gs = "git status";
        tf = "tofu";
      };
    };
    starship = {
      enable = true;
      enableFishIntegration = true;
      enableTransience = true;
      settings.nix_shell.heuristic = true;
    };
    nix-index = {
      enable = true;
      enableFishIntegration = true;
    };
    tmux = {
      enable = true;
      shell = lib.getExe config.programs.fish.package;
      shortcut = "a";
      clock24 = true;
      newSession = true;
      mouse = true;
      escapeTime = 10;
      terminal = "screen-256color";
      extraConfig = ''
        unbind _
        bind _ split-window -h
        unbind -
        bind - split-window -v
        unbind h
        bind h select-pane -L
        unbind j
        bind j select-pane -D
        unbind k
        bind k select-pane -U
        unbind l
        bind l select-pane -R
      '';
    };
    ssh = {
      enable = true;
      extraConfig = "User root";
      matchBlocks.github = lib.hm.dag.entryBefore ["*"] {
        hostname = "github.com";
        user = "pizzapim";
        identitiesOnly = true;
      };
    };
    git = {
      enable = true;
      userName = "Pim Kunis";
      userEmail = "pim@kunis.nl";
      extraConfig = {
        push.autoSetupRemote = true;
        commit.verbose = true;
        pull.rebase = true;
        init.defaultBranch = "master";
      };
    };
    # Currently, it is not possible to have Home Manager manage Librewolf extensions.
    # There is a draft PR which addresses this:
    # https://github.com/nix-community/home-manager/pull/3339
    # The extensions I currently use are:
    # - ublock-origin (already installed by librewolf)
    # - cookie-autodelete
    # - clearurls
    # - istilldontcareaboutcookies
    # - keepassxc-browser
    # - redirector
    # - violentmonkey
    # - boring-rss
    # - kagi-search
    # - refined-github
    librewolf = {
      enable = true;
      settings = {
        "identity.fxaccounts.enabled" = true;
        "privacy.clearOnShutdown.history" = false;
        "privacy.clearOnShutdown.downloads" = false;
        "browser.translations.automaticallyPopup" = false;
        "browser.aboutConfig.showWarning" = false;
        "privacy.clearOnShutdown.cookies" = false;
      };
    };
  };
  # Let home-manager manage the X session
  xsession = { enable = true; };
  xdg = {
    userDirs.enable = true;
    configFile."home/postgresql_server.crt".source = ./postgresql_server.crt;
    configFile."home/postgresql_client.crt".source = ./postgresql_client.crt;
  };
  homeage = {
    identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
    installationType = "systemd";
    file."common-pg-tfbackend" = {
      source = ../secrets/common-pg-tfbackend.age;
      symlinks = [ "${config.xdg.configHome}/home/common.pg.tfbackend" ];
    };
    file."ansible-vault-secret" = {
      source = ../secrets/ansible-vault-secret.age;
      symlinks = [ "${config.xdg.configHome}/home/ansible-vault-secret" ];
    };
    file."powerdns-api-key" = {
      source = ../secrets/powerdns-api-key.json.age;
      symlinks = [ "${config.xdg.configHome}/home/powerdns-api-key.json" ];
    };
    file."postgresql_client.key" = {
      source = ../secrets/postgresql_client.key.age;
      symlinks = [ "${config.xdg.configHome}/home/postgresql_client.key" ];
    };
    file."k3s-pim-privkey" = {
      source = ../secrets/k3s-pim-privkey.age;
      symlinks = [ "${config.home.homeDirectory}/.kube/k3s-pim-privkey" ];
    };
  };
  fonts.fontconfig.enable = true;
  dconf.settings = with lib.hm.gvariant; {
    "org/gnome/desktop/input-sources" = {
      sources = [ (mkTuple [ "xkb" "us" ]) ];
      xkb-options = [ "terminate:ctrl_alt_bksp" "caps:escape" ];
    };
    "org/gnome/desktop/interface" = {
      monospace-font-name = "Hack Nerd Font Mono 10";
    };
  };
 }
--- a/home-manager/direnv/default.nix
+++ b/home-manager/direnv/default.nix
@ -0,0 +1,9 @@
 {
  config = {
    programs.direnv = {
      enable = true;
      enableBashIntegration = true;
      nix-direnv.enable = true;
    };
  };
 }
--- a/home-manager/firefox/addons.nix
+++ b/home-manager/firefox/addons.nix
@ -1,10 +1,28 @@
-pkgs: lib: let
+pkgs: lib:
 let
  rycee-addons = pkgs.nur.repos.rycee.firefox-addons;
  custom-addons = import ./custom-addons.nix pkgs lib;
-in
+in {
-  with rycee-addons; [
+  default = lib.concatLists [
    (with rycee-addons; [
      ublock-origin
      clearurls
      cookie-autodelete
      istilldontcareaboutcookies
      keepassxc-browser
      redirector
      ublacklist
      umatrix
      violentmonkey
      boring-rss
      # rycee.bypass-paywalls-clean
    ])
    (with custom-addons; [ http-version-indicator indicatetls sixindicator ])
  ];
  sue = with rycee-addons; [
    ublock-origin
    istilldontcareaboutcookies
    keepassxc-browser
    custom-addons.simple-style-fox-2
-  ]
+  ];
 }
--- a/home-manager/firefox/custom-addons.nix
+++ b/home-manager/firefox/custom-addons.nix
@ -1,22 +1,15 @@
-pkgs: lib: let
+pkgs: lib:
 let
  # Stolen from: https://github.com/nix-community/nur-combined/blob/master/repos/rycee/pkgs/firefox-addons/default.nix
-  buildFirefoxXpiAddon = lib.makeOverridable ({
+  buildFirefoxXpiAddon = lib.makeOverridable ({ stdenv ? pkgs.stdenv
-    stdenv ? pkgs.stdenv,
+    , fetchurl ? pkgs.fetchurl, pname, version, addonId, url, sha256, meta, ...
-    fetchurl ? pkgs.fetchurl,
+    }:
    pname,
    version,
    addonId,
    url,
    sha256,
    meta,
    ...
  }:
    stdenv.mkDerivation {
      name = "${pname}-${version}";
      inherit meta;
-      src = fetchurl {inherit url sha256;};
+      src = fetchurl { inherit url sha256; };
      preferLocalBuild = true;
      allowSubstitutes = true;
@ -32,12 +25,14 @@ in {
    pname = "http-version-indicator";
    version = "3.2.1";
    addonId = "spdyindicator@chengsun.github.com";
-    url = "https://addons.mozilla.org/firefox/downloads/file/3767224/http2_indicator-3.2.1.xpi";
+    url =
      "https://addons.mozilla.org/firefox/downloads/file/3767224/http2_indicator-3.2.1.xpi";
    sha256 = "be9518017334ce502a1da514542c2ca4f974217d0c8e6c7c31d518aba57c09a8";
    meta = with lib; {
      homepage = "https://github.com/bsiegel/http-version-indicator";
-      description = "An indicator showing the HTTP version used to load the page in the address bar.";
+      description =
-      mozPermissions = ["<all_urls>" "tabs" "webNavigation" "webRequest"];
+        "An indicator showing the HTTP version used to load the page in the address bar.";
      mozPermissions = [ "<all_urls>" "tabs" "webNavigation" "webRequest" ];
      platforms = platforms.all;
    };
  };
@ -45,11 +40,13 @@ in {
    pname = "indicatetls";
    version = "0.3.0";
    addonId = "{252ee273-8c8d-4609-b54d-62ae345be0a1}";
-    url = "https://addons.mozilla.org/firefox/downloads/file/3608595/indicatetls-0.3.0.xpi";
+    url =
      "https://addons.mozilla.org/firefox/downloads/file/3608595/indicatetls-0.3.0.xpi";
    sha256 = "7a3b7edb1085f7b15d279c1013fac1d68f5247cfd6312d5275cb053e24a79465";
    meta = with lib; {
      homepage = "https://github.com/jannispinter/indicatetls";
-      description = "Displays negotiated SSL/TLS protocol version and additional security information in the address bar";
+      description =
        "Displays negotiated SSL/TLS protocol version and additional security information in the address bar";
      license = licenses.mpl20;
      mozPermissions = [
        "tabs"
@ -66,13 +63,15 @@ in {
    pname = "sixindicator";
    version = "1.3.0";
    addonId = "{8c9cad02-c069-4e93-909d-d874da819c49}";
-    url = "https://addons.mozilla.org/firefox/downloads/file/3493442/sixindicator-1.3.0.xpi";
+    url =
      "https://addons.mozilla.org/firefox/downloads/file/3493442/sixindicator-1.3.0.xpi";
    sha256 = "415ab83ed4ac94d1efe114752a09df29536d1bd54cc9b7e5ce5d9ee55a84226d";
    meta = with lib; {
      homepage = "https://github.com/HostedDinner/SixIndicator";
-      description = "Shows a simple icon, if IPv6 or IPv4 was used for the request of the site. When clicking on the icon, more information is shown, like the number of requests per domain and if these requests were made via IPv6 or IPv4.";
+      description =
        "Shows a simple icon, if IPv6 or IPv4 was used for the request of the site. When clicking on the icon, more information is shown, like the number of requests per domain and if these requests were made via IPv6 or IPv4.";
      license = licenses.mit;
-      mozPermissions = ["tabs" "webRequest" "<all_urls>"];
+      mozPermissions = [ "tabs" "webRequest" "<all_urls>" ];
      platforms = platforms.all;
    };
  };
@ -80,12 +79,13 @@ in {
    pname = "simple-style-fox-2";
    version = "10.0";
    addonId = "{317526c6-ff2b-49c9-822e-d77b4a3da1d1}";
-    url = "https://addons.mozilla.org/firefox/downloads/file/3934220/simple_style_fox_2-10.0.xpi";
+    url =
      "https://addons.mozilla.org/firefox/downloads/file/3934220/simple_style_fox_2-10.0.xpi";
    sha256 = "1aaac3ba08d21086d7087015f92a27661940df45a97bf5680588c883f799a97d";
    meta = with lib; {
      description = "Simple style fox 2";
      license = licenses.cc-by-30;
-      mozPermissions = [];
+      mozPermissions = [ ];
      platforms = platforms.all;
    };
  };
--- a/home-manager/firefox/default.nix
+++ b/home-manager/firefox/default.nix
@ -1,9 +1,5 @@
-{
+{ pkgs, lib, ... }:
-  pkgs,
+let
  lib,
  config,
  ...
 }: let
  firefoxAddons = import ./addons.nix pkgs lib;
  firefoxSettings = {
    "browser.aboutConfig.showWarning" = false;
@ -15,14 +11,9 @@
    "media.webspeech.synth.dont_notify_on_error" = true;
    "browser.gesture.swipe.left" = false;
    "browser.gesture.swipe.right" = false;
    "browser.newtabpage.activity-stream.showSponsored" = false;
    "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
  };
  cfg = config.pim.firefox;
 in {
-  options.pim.firefox.enable = lib.mkEnableOption "firefox";
+  config = {
  config = lib.mkIf cfg.enable {
    programs.firefox = {
      enable = true;
      profiles = {
@ -30,9 +21,52 @@ in {
          id = 0;
          isDefault = true;
          settings = firefoxSettings;
-          extensions = firefoxAddons;
+          extensions = firefoxAddons.default;
        };
        sue = {
          id = 1;
          settings = firefoxSettings;
          extensions = firefoxAddons.sue;
        };
      };
    };
    xdg.desktopEntries.firefox-sue = {
      categories = [ "Network" "WebBrowser" ];
      exec = "firefox -P sue --name firefox %U";
      genericName = "Web Browser";
      icon = "firefox";
      mimeType = [
        "text/html"
        "text/xml"
        "application/xhtml+xml"
        "application/vnd.mozilla.xul+xml"
        "x-scheme-handler/http"
        "x-scheme-handler/https"
      ];
      name = "Firefox | Sue";
      startupNotify = true;
      terminal = false;
      type = "Application";
    };
    xdg.desktopEntries.firefox = lib.mkForce {
      categories = [ "Network" "WebBrowser" ];
      exec = "firefox --new-window --name firefox %U";
      genericName = "Web Browser";
      icon = "firefox";
      mimeType = [
        "text/html"
        "text/xml"
        "application/xhtml+xml"
        "application/vnd.mozilla.xul+xml"
        "x-scheme-handler/http"
        "x-scheme-handler/https"
      ];
      name = "Firefox";
      startupNotify = true;
      terminal = false;
      type = "Application";
    };
  };
 }
--- a/home-manager/fzf/default.nix
+++ b/home-manager/fzf/default.nix
@ -0,0 +1,8 @@
 {
  config = {
    programs.fzf = {
      enable = true;
      enableBashIntegration = true;
    };
  };
 }
--- a/home-manager/git/default.nix
+++ b/home-manager/git/default.nix
@ -0,0 +1,18 @@
 {
  config = {
    programs.git = {
      enable = true;
      userName = "Pim Kunis";
      userEmail = "pim@kunis.nl";
      extraConfig = {
        push.autoSetupRemote = true;
        commit.verbose = true;
        pull.rebase = true;
      };
      includes = [{
        path = "~/git/suecode/.gitconfig";
        condition = "gitdir:~/git/suecode/**";
      }];
    };
  };
 }
--- a/home-manager/gnome/default.nix
+++ b/home-manager/gnome/default.nix
@ -1,94 +0,0 @@
 {
  pkgs,
  lib,
  self,
  config,
  ...
 }: let
  cfg = config.pim.gnome;
 in {
  options.pim.gnome.enable = lib.mkEnableOption "gnome";
  config = lib.mkIf cfg.enable {
    home.packages = [pkgs.gnome-tweaks];
    dconf.settings = with lib.hm.gvariant; {
      "org/gnome/desktop/sound".allow-volume-above-100-percent = true;
      "org/gnome/desktop/wm/preferences".num-workspaces = 4;
      "org/gnome/mutter".edge-tiling = true;
      "org/gnome/shell" = {
        disable-extension-version-validation = true;
        enabled-extensions = [
          "workspaces-by-open-apps@favo02.github.com"
          "pop-shell@system76.com"
          "windowIsReady_Remover@nunofarruca@gmail.com"
          "randomwallpaper@iflow.space"
          "Vitals@CoreCoding.com"
          "tailscale-status@maxgallup.github.com"
        ];
      };
      "org/gnome/desktop/input-sources" = {
        sources = [(mkTuple ["xkb" "us"])];
        xkb-options = ["terminate:ctrl_alt_bksp" "caps:escape"];
      };
      "org/gnome/shell/extensions/pop-shell" = {
        active-hint = true;
        fullscreen-launcher = false;
        mouse-cursor-focus-location = mkUint32 4;
        mouse-cursor-follows-active-window = true;
        show-skip-taskbar = false;
        show-title = true;
        smart-gaps = false;
        snap-to-grid = false;
        stacking-with-mouse = true;
        tile-by-default = true;
      };
      "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
        binding = "<Super>t";
        command = lib.getExe config.programs.alacritty.package;
        name = "Terminal";
      };
      "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1" = {
        binding = "<Super>e";
        command = "${lib.getExe config.programs.librewolf.package} --browser";
        name = "Browser";
      };
      "org/gnome/desktop/wm/keybindings" = {
        close = ["<Shift><Super>q"];
        minimize = mkEmptyArray type.string;
        move-to-workspace-1 = ["<Shift><Super>1"];
        move-to-workspace-2 = ["<Shift><Super>2"];
        move-to-workspace-3 = ["<Shift><Super>3"];
        move-to-workspace-4 = ["<Shift><Super>4"];
        switch-applications = mkEmptyArray type.string;
        switch-applications-backward = mkEmptyArray type.string;
        switch-to-workspace-1 = ["<Super>1"];
        switch-to-workspace-2 = ["<Super>2"];
        switch-to-workspace-3 = ["<Super>3"];
        switch-to-workspace-4 = ["<Super>4"];
        toggle-fullscreen = ["<Super>f"];
      };
      "org/gnome/shell/extensions/space-iflow-randomwallpaper" = {
        auto-fetch = true;
        change-type = 2;
        hide-panel-icon = true;
        history-length = 1;
        hours = 0;
        minutes = 30;
        sources = ["42"];
        fetch-on-startup = true;
      };
      "org/gnome/shell/extensions/space-iflow-randomwallpaper/sources/general/42".type = 4;
      "org/gnome/shell/extensions/space-iflow-randomwallpaper/sources/localFolder/42".folder = builtins.toString ./wallpapers;
    };
  };
 }
--- a/Capital/Decorations_for_Season-opening_Kabuki_Performances_at_Saruwakamachi_LACMA_M.2007.152.22.jpg
+++ b/Capital/Decorations_for_Season-opening_Kabuki_Performances_at_Saruwakamachi_LACMA_M.2007.152.22.jpg
--- a/Capital/Hiroshige,_A_bridge_in_the_rain.jpg
+++ b/Capital/Hiroshige,_A_bridge_in_the_rain.jpg
--- a/Capital/Hiroshige,_Evening_Cherry_Blossoms,_Yoshiwara_Nakanochô_(Yoshiwara_nakanochô_yozakura)_From_the_series_Famous_Views.jpg
+++ b/Capital/Hiroshige,_Evening_Cherry_Blossoms,_Yoshiwara_Nakanochô_(Yoshiwara_nakanochô_yozakura)_From_the_series_Famous_Views.jpg
--- a/Capital/Kameido_umeyashiki_no_zu_LCCN2008660840.jpg
+++ b/Capital/Kameido_umeyashiki_no_zu_LCCN2008660840.jpg
--- a/Capital/NDL-DC_1301973-Utagawa_Hiroshige-東都名所-crd.jpg
+++ b/Capital/NDL-DC_1301973-Utagawa_Hiroshige-東都名所-crd.jpg
--- a/Capital/NDL-DC_1303508-Utagawa_Hiroshige-東都名所_永代橋深川新地-crd.jpg
+++ b/Capital/NDL-DC_1303508-Utagawa_Hiroshige-東都名所_永代橋深川新地-crd.jpg
--- a/Capital/NDL-DC_1303509-Utagawa_Hiroshige-東都名所_王子滝の川-crd.jpg
+++ b/Capital/NDL-DC_1303509-Utagawa_Hiroshige-東都名所_王子滝の川-crd.jpg
--- a/Capital/NDL-DC_1303510-Utagawa_Hiroshige-東都名所_神田明神-crd.jpg
+++ b/Capital/NDL-DC_1303510-Utagawa_Hiroshige-東都名所_神田明神-crd.jpg
--- a/Capital/NDL-DC_1303511-Utagawa_Hiroshige-東都名所_真土山之図-crd.jpg
+++ b/Capital/NDL-DC_1303511-Utagawa_Hiroshige-東都名所_真土山之図-crd.jpg
--- a/Capital/NDL-DC_1303513-Utagawa_Hiroshige-東都名所_道潅山虫聞之図-crd.jpg
+++ b/Capital/NDL-DC_1303513-Utagawa_Hiroshige-東都名所_道潅山虫聞之図-crd.jpg
--- a/Capital/NDL-DC_1303514-Utagawa_Hiroshige-東都名所_深川三拾三間堂-crd.jpg
+++ b/Capital/NDL-DC_1303514-Utagawa_Hiroshige-東都名所_深川三拾三間堂-crd.jpg
--- a/Capital/NDL-DC_1303515-Utagawa_Hiroshige-東都名所_五百羅漢さゞゐ堂-crd.jpg
+++ b/Capital/NDL-DC_1303515-Utagawa_Hiroshige-東都名所_五百羅漢さゞゐ堂-crd.jpg
--- a/Capital/NDL-DC_1303516-Utagawa_Hiroshige-東都名所_芝増上寺山内図-crd.jpg
+++ b/Capital/NDL-DC_1303516-Utagawa_Hiroshige-東都名所_芝増上寺山内図-crd.jpg
--- a/Capital/NDL-DC_1308372-Utagawa_Hiroshige-東都名所_日暮里-crd.jpg
+++ b/Capital/NDL-DC_1308372-Utagawa_Hiroshige-東都名所_日暮里-crd.jpg
--- a/Capital/NDL-DC_1308374-Utagawa_Hiroshige-東都名所_芝赤羽橋之図-crd.jpg
+++ b/Capital/NDL-DC_1308374-Utagawa_Hiroshige-東都名所_芝赤羽橋之図-crd.jpg
--- a/Capital/NDL-DC_1308375-Utagawa_Hiroshige-東都名所_芝増上寺-crd.jpg
+++ b/Capital/NDL-DC_1308375-Utagawa_Hiroshige-東都名所_芝増上寺-crd.jpg
--- a/Capital/NDL-DC_1308376-Utagawa_Hiroshige-東都名所_芝愛宕山之図-crd.jpg
+++ b/Capital/NDL-DC_1308376-Utagawa_Hiroshige-東都名所_芝愛宕山之図-crd.jpg
--- a/Capital/NDL-DC_1308381-Utagawa_Hiroshige-東都名所_駿河町之図-crd.jpg
+++ b/Capital/NDL-DC_1308381-Utagawa_Hiroshige-東都名所_駿河町之図-crd.jpg
--- a/Capital/NDL-DC_1308382-Utagawa_Hiroshige-東都名所_浅草金竜山年之市群集-crd.jpg
+++ b/Capital/NDL-DC_1308382-Utagawa_Hiroshige-東都名所_浅草金竜山年之市群集-crd.jpg
--- a/Capital/東都名所_二丁町芝居の図-View_of_the_Kabuki_Theaters_at_Sakai-cho_on_Opening_Day_of_the_New_Season_(Sakai-cho_Shibai_no_Zu),_from_the_series,_
+++ b/Capital/東都名所_二丁町芝居の図-View_of_the_Kabuki_Theaters_at_Sakai-cho_on_Opening_Day_of_the_New_Season_(Sakai-cho_Shibai_no_Zu),_from_the_series,_
--- a/Capital/東都名所_真崎雪晴ノ図-Clearing_Weather_after_Snow_at_Massaki_MET_DP123291.jpg
+++ b/Capital/東都名所_真崎雪晴ノ図-Clearing_Weather_after_Snow_at_Massaki_MET_DP123291.jpg
--- a/Capital/東都名所_芝愛宕山上の図-Shiba_Atago_Sanjo_no_Zu_MET_DP123284.jpg
+++ b/Capital/東都名所_芝愛宕山上の図-Shiba_Atago_Sanjo_no_Zu_MET_DP123284.jpg
--- a/home-manager/keepassxc/default.nix
+++ b/home-manager/keepassxc/default.nix
@ -0,0 +1,9 @@
 { pkgs, config, ... }: {
  config = {
    home.packages = [ pkgs.keepassxc ];
    homeage.file."keepassxc.ini" = {
      source = ../../secrets/keepassxc.ini.age;
      symlinks = [ "${config.xdg.configHome}/keepassxc/keepassxc.ini" ];
    };
  };
 }
--- a/home-manager/kubeconfig.yml
+++ b/home-manager/kubeconfig.yml
@ -0,0 +1,19 @@
 apiVersion: v1
 clusters:
 - cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTURJMU56UXlOVGt3SGhjTk1qTXhNakUwTVRjeE56TTVXaGNOTXpNeE1qRXhNVGN4TnpNNQpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTURJMU56UXlOVGt3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFUMzdYdlBzUG9DeTk3Nm1zWm9qTHBlUklieVB5NWFPV0NJWXpyZVpUcVYKUlo4cDVyME1RdVViV0crNTJqQ1ZjNCtrZGN3WVkwRXRDaUpkZ21LSU5RcTRvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWx1ZGcvZWd0bUMvWkNiaTZMRkNnClhIaXFtL2t3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUlTbHJ2TmVTc3RtVlFLVWp2STF3UlZPb0RMWEJjWDEKelpZOURUNW9WM214QWlBT2JKRThOaldOSUdSZE1FcWpXZXhUd1M5RUlGbGs2eUEwOXNjS0FmRUNXUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://jefke.hyp:6443
  name: default
 contexts:
 - context:
    cluster: default
    user: pim
  name: default
 current-context: default
 kind: Config
 preferences: {}
 users:
 - name: pim
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJWVENCL0tBREFnRUNBaEFWemhyQ3QwZzFQMWJXZW1IUGx2SUZNQW9HQ0NxR1NNNDlCQU1DTUNNeElUQWYKQmdOVkJBTU1HR3N6Y3kxamJHbGxiblF0WTJGQU1UY3dNalUzTkRJMU9UQWVGdzB5TXpFeU1UUXhPVEl3TURCYQpGdzB5TkRFeU1UTXhPVEl3TURCYU1BNHhEREFLQmdOVkJBTVRBM0JwYlRBcU1BVUdBeXRsY0FNaEFDYWxxaUdFCjdvcVo0SFNvLy95RGhqZXJrVVA5WWg4QXdFbHFnMXI4NGpvbG8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXcKRXdZRFZSMGxCQXd3Q2dZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JTZQpkenA2TzVhajU4NGtML2FJM0pvTHhkOUtQakFLQmdncWhrak9QUVFEQWdOSUFEQkZBaUF3eDJISGNOcVd4bkhyCmkvRVg2SmJRVlRZYThmTzhpYTdMOXRYWS84OXlQQUloQVBSanlmMU0waWtCZU95VUVUODVLS1dNaDFhbWRNZVUKSUFBZTM2WDVUSVRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key: k3s-pim-privkey
--- a/home-manager/neovim/default.nix
+++ b/home-manager/neovim/default.nix
@ -1,18 +1,5 @@
-{
+{ pkgs, ... }: {
-  pkgs,
+  config = {
  config,
  lib,
  ...
 }: let
  cfg = config.pim.neovim;
 in {
  options.pim.neovim.enable = lib.mkEnableOption "neovim";
  config = lib.mkIf cfg.enable {
    # Disable Stylix styling of Neovim,
    # because we have a plugin for that.
    stylix.targets.neovim.enable = false;
    programs.neovim = {
      enable = true;
      viAlias = true;
@ -23,10 +10,11 @@ in {
      extraPackages = with pkgs; [
        nil
-        pyright
+        nodePackages.pyright
        neofetch
        gopls
        terraform-ls
-        nixfmt-classic
+        nixfmt
        stylua
        black
        nixpkgs-fmt
@ -83,7 +71,7 @@ in {
        nvim-web-devicons
        lsp-format-nvim
        {
-          plugin = pkgs.vimPlugins.none-ls-nvim;
+          plugin = pkgs.unstable.vimPlugins.none-ls-nvim;
          type = "lua";
          config = builtins.readFile ./none-ls.lua;
        }
--- a/home-manager/neovim/lspconfig.lua
+++ b/home-manager/neovim/lspconfig.lua
@ -45,21 +45,14 @@ require("lspconfig").terraformls.setup({
 	capabilities = capabilities,
 })
-local function has_treefmt()
+-- require'lspconfig'.efm.setup {
-    local git_root = vim.fn.systemlist("git rev-parse --show-toplevel")[1]
+--     on_attach = require("lsp-format").on_attach,
-    if vim.v.shell_error ~= 0 then
+--     init_options = {documentFormatting = true},
-        return false
+--     settings = {
-    end
+--         languages = {
-    local treefmt_path = git_root .. "/treefmt.nix"
+--             lua = {{formatCommand = "lua-format -i", formatStdin = true}},
-    return vim.fn.filereadable(treefmt_path) == 1
+--             nix = {{formatCommand = "nixfmt", formatStdin = true}}
-end
+--         }
-
+--     },
-vim.api.nvim_create_autocmd("BufWritePost", {
+--     filetypes = {"lua", "nix"}
-    pattern = "*",
+-- }
    callback = function()
 	if vim.fn.expand("%:p") ~= vim.fn.getcwd() .. "/.git/COMMIT_EDITMSG" and has_treefmt() then
 		vim.cmd("silent !treefmt > /dev/null 2>&1")
        end
    end,
    group = vim.api.nvim_create_augroup("TreefmtAutoformat", { clear = true }),
 })
--- a/home-manager/neovim/none-ls.lua
+++ b/home-manager/neovim/none-ls.lua
@ -20,24 +20,24 @@ require("null-ls").setup({
 	},
 	-- configure format on save
-	-- on_attach = function(current_client, bufnr)
+	on_attach = function(current_client, bufnr)
-	-- 	if current_client.supports_method("textDocument/formatting") then
+		if current_client.supports_method("textDocument/formatting") then
-	-- 		vim.api.nvim_clear_autocmds({ group = augroup, buffer = bufnr })
+			vim.api.nvim_clear_autocmds({ group = augroup, buffer = bufnr })
-	-- 		vim.api.nvim_create_autocmd("BufWritePre", {
+			vim.api.nvim_create_autocmd("BufWritePre", {
-	-- 			group = augroup,
+				group = augroup,
-	-- 			buffer = bufnr,
+				buffer = bufnr,
-	-- 			callback = function()
+				callback = function()
-	-- 				vim.lsp.buf.format({
+					vim.lsp.buf.format({
-	-- 					filter = function(client)
+						filter = function(client)
-	-- 						--  only use null-ls for formatting instead of lsp server
+							--  only use null-ls for formatting instead of lsp server
-	-- 						return client.name == "null-ls"
+							return client.name == "null-ls"
-	-- 					end,
+						end,
-	-- 					bufnr = bufnr,
+						bufnr = bufnr,
-	-- 				})
+					})
-	-- 			end,
+				end,
-	-- 		})
+			})
-	-- 	end
+		end
-	-- end,
+	end,
 })
 -- formatting command
--- a/home-manager/postgresql_client.crt
+++ b/home-manager/postgresql_client.crt
@ -0,0 +1,17 @@
 -----BEGIN CERTIFICATE-----
 MIICrzCCAZcCFApupXAa2tPytpi3av47+az0Ggb4MA0GCSqGSIb3DQEBCwUAMBQx
 EjAQBgNVBAMMCWplZmtlLmh5cDAeFw0yMzExMjQyMjAzMjhaFw0yNDExMjMyMjAz
 MjhaMBQxEjAQBgNVBAMMCXRlcnJhZm9ybTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALeJ/fYUCmwislUw4XcCxivCUuWuUWI+t/nke9/hWEWTmDG4Z7/a
 IAKqsGk0zNATQViAXmYZwdYK70AKQhxat3OJcuZarsurOXVjVJdT4Wr5SxHGHjd0
 bwd8JzFZPIfgYCILCISFjCIfpD58kBq2bkvI4rpn4tb2iPunXp0+S8iHDMB5wAOb
 FgT0muuz9ua4R76nq79O9wLbAVf38CDR9bMGcPcKknz0sl37jr7A/pDvQzpFWO33
 eJb64b7Qe4CHslWFj1tdEkXaMpMNWHhc2TmtLtlt6a+RY1R9KdX5x0lQTyJnEwJZ
 8YTKnlMoNvkfBznuARFmNNmUYPoHE6WgonMCAwEAATANBgkqhkiG9w0BAQsFAAOC
 AQEAaH1HVPThhAkrXE4Zmh49D1zvq5uy6moV326/ovnPQfco2jYBYO5mYxBF32mx
 ShEanbJJKkFjWkQHmsWt7nrkeloz6q8sD19nLyyWmMj0Pd6wcLv017Zdo902fh27
 Rl8qZS44vEc+N/5gc2eINMfXm/JOdXYntOVpFO/I+6b9Q2iWFX3YUAXiIDiEYBvS
 BBqyXC2nVg6Lp1KVg+EaYW27sj8b5HHXnpEGdXduVmOWttdaQVjYslqmH7mUKi9f
 2U9FicMvw6KvkRki+SLKeZr2yIP1QQOnWg0BPbeCpMfdMSu/AtLkAtugZeT8p1Ko
 3hMMyKKzyyhiwpzvk21QFNZ5LA==
 -----END CERTIFICATE-----
--- a/home-manager/postgresql_server.crt
+++ b/home-manager/postgresql_server.crt
@ -0,0 +1,67 @@
 Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ef:2f:4d:d4:26:7e:33:1b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=jefke.hyp
        Validity
            Not Before: Nov 22 19:12:03 2023 GMT
            Not After : Oct 29 19:12:03 2123 GMT
        Subject: CN=jefke.hyp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c7:ab:eb:9c:d0:7f:4f:f1:ba:65:0a:8b:07:7b:
                    2e:5b:f0:26:82:33:c9:73:e6:91:cc:11:94:05:1c:
                    8d:67:29:cb:5e:67:35:02:80:54:af:99:4b:aa:ce:
                    e8:56:62:be:63:cb:b2:4a:b0:a9:28:12:e2:77:50:
                    7d:d5:d2:3b:48:d8:32:59:25:26:ff:a6:5c:f6:eb:
                    ae:5b:3d:7a:14:10:ba:90:9c:6f:1f:b9:d8:99:0e:
                    b7:09:5e:62:69:c4:c0:c6:27:b0:d3:60:0d:47:4c:
                    a5:11:53:f2:f1:4a:f9:a6:bc:d6:a3:35:a2:e8:e5:
                    a9:d1:60:e8:e5:18:ce:d2:60:80:4e:dc:48:ae:7f:
                    b7:ea:76:51:28:39:a4:b0:95:82:95:93:98:b2:9f:
                    23:c9:81:69:59:a3:e4:f7:5a:1c:01:31:96:c1:4b:
                    59:21:f8:a2:e6:9e:21:78:0e:6b:c1:68:c7:5c:16:
                    9a:06:54:df:b6:77:1d:2d:89:d0:c8:9e:db:b5:d4:
                    8c:fb:b9:4f:b7:6e:39:5f:39:8e:48:73:76:7d:46:
                    6e:1f:8d:14:cb:40:b5:ff:c6:f0:c0:44:3c:ed:52:
                    3f:4f:7b:69:63:93:c6:41:e6:5e:ed:33:50:20:46:
                    db:93:bf:e8:52:51:95:f1:81:73:58:da:67:21:7b:
                    12:bd
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         aa:5c:89:41:a6:b7:3d:65:87:ca:50:c4:f3:58:aa:d3:b4:55:
         b1:a7:8d:18:26:17:e5:8a:21:24:a1:49:53:77:31:5b:55:63:
         be:01:d8:fe:b7:06:7c:da:07:1f:94:6a:de:96:ad:ca:3b:20:
         2a:e1:35:90:19:83:6d:37:d1:15:12:de:3c:0e:46:be:66:a1:
         6a:1d:ec:72:dc:46:79:69:e4:af:77:c8:ff:cd:d6:7d:16:88:
         ab:44:fd:70:fc:40:47:ff:43:95:11:5a:9a:56:0c:d2:dd:7c:
         3b:87:aa:10:26:fa:25:a3:a0:43:8a:1b:ec:54:11:7e:65:67:
         d2:06:e1:3e:3b:e1:0e:b0:80:ef:4b:35:3f:fc:34:1d:95:2e:
         ee:c1:67:38:da:b3:74:86:4b:95:8c:0c:1d:51:28:c1:42:e9:
         77:68:d7:ec:3b:66:30:c6:e5:2a:62:ea:15:fb:24:56:cf:02:
         d0:25:54:a7:58:15:b5:2a:71:93:56:c0:69:7a:36:18:6c:31:
         b1:8e:3c:77:d7:77:ac:fc:e1:94:c5:08:bb:35:ac:48:5f:6b:
         8b:c8:c8:78:f4:a9:ca:4f:9d:51:54:89:97:c9:af:a1:fa:71:
         df:58:f6:ff:04:7c:c8:1c:95:6b:1a:e3:a7:f6:43:1c:27:94:
         10:03:ce:ec
 -----BEGIN CERTIFICATE-----
 MIICpjCCAY4CCQDvL03UJn4zGzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlq
 ZWZrZS5oeXAwIBcNMjMxMTIyMTkxMjAzWhgPMjEyMzEwMjkxOTEyMDNaMBQxEjAQ
 BgNVBAMMCWplZmtlLmh5cDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 AMer65zQf0/xumUKiwd7LlvwJoIzyXPmkcwRlAUcjWcpy15nNQKAVK+ZS6rO6FZi
 vmPLskqwqSgS4ndQfdXSO0jYMlklJv+mXPbrrls9ehQQupCcbx+52JkOtwleYmnE
 wMYnsNNgDUdMpRFT8vFK+aa81qM1oujlqdFg6OUYztJggE7cSK5/t+p2USg5pLCV
 gpWTmLKfI8mBaVmj5PdaHAExlsFLWSH4ouaeIXgOa8Fox1wWmgZU37Z3HS2J0Mie
 27XUjPu5T7duOV85jkhzdn1Gbh+NFMtAtf/G8MBEPO1SP097aWOTxkHmXu0zUCBG
 25O/6FJRlfGBc1jaZyF7Er0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAqlyJQaa3
 PWWHylDE81iq07RVsaeNGCYX5YohJKFJU3cxW1VjvgHY/rcGfNoHH5Rq3patyjsg
 KuE1kBmDbTfRFRLePA5Gvmahah3sctxGeWnkr3fI/83WfRaIq0T9cPxAR/9DlRFa
 mlYM0t18O4eqECb6JaOgQ4ob7FQRfmVn0gbhPjvhDrCA70s1P/w0HZUu7sFnONqz
 dIZLlYwMHVEowULpd2jX7DtmMMblKmLqFfskVs8C0CVUp1gVtSpxk1bAaXo2GGwx
 sY48d9d3rPzhlMUIuzWsSF9ri8jIePSpyk+dUVSJl8mvofpx31j2/wR8yByVaxrj
 p/ZDHCeUEAPO7A==
 -----END CERTIFICATE-----
--- a/home-manager/ssh/default.nix
+++ b/home-manager/ssh/default.nix
@ -0,0 +1,35 @@
 { config, lib, ... }: {
  config = {
    programs.ssh = {
      enable = true;
      extraConfig = "User root";
      matchBlocks = {
        github = lib.hm.dag.entryBefore [ "*" ] {
          hostname = "github.com";
          user = "pizzapim";
          identitiesOnly = true;
        };
        lewis = lib.hm.dag.entryBefore [ "*" ] { hostname = "lewis.hyp"; };
        atlas = lib.hm.dag.entryBefore [ "*" ] { hostname = "atlas.hyp"; };
        jefke = lib.hm.dag.entryBefore [ "*" ] { hostname = "jefke.hyp"; };
        hermes = lib.hm.dag.entryBefore [ "*" ] { hostname = "hermes.dmz"; };
        maestro = lib.hm.dag.entryBefore [ "*" ] { hostname = "maestro.dmz"; };
        bancomart =
          lib.hm.dag.entryBefore [ "*" ] { hostname = "bancomart.dmz"; };
        handjecontantje =
          lib.hm.dag.entryBefore [ "*" ] { hostname = "handjecontantje.dmz"; };
      };
    };
    homeage.file."sue_ed25519" = {
      source = ../../secrets/sue_ed25519.age;
      symlinks = [ "${config.home.homeDirectory}/.ssh/sue_ed25519" ];
    };
    homeage.file."sue_azure_rsa" = {
      source = ../../secrets/sue_azure_rsa.age;
      symlinks = [ "${config.home.homeDirectory}/.ssh/sue_azure_rsa" ];
    };
  };
 }
--- a/home-manager/syncthing.nix
+++ b/home-manager/syncthing.nix
@ -1,18 +0,0 @@
 {
  config,
  lib,
  ...
 }: let
  cfg = config.pim.syncthing;
 in {
  options.pim.syncthing.enable = lib.mkEnableOption "syncthing";
  config = lib.mkIf cfg.enable {
    services.syncthing.enable = true;
    sops.secrets = {
      "syncthing/key".path = "${config.xdg.configHome}/syncthing/key.pem";
      "syncthing/cert".path = "${config.xdg.configHome}/syncthing/cert.pem";
    };
  };
 }
--- a/home-manager/syncthing/default.nix
+++ b/home-manager/syncthing/default.nix
@ -0,0 +1,17 @@
 { config, ... }: {
  config = {
    services.syncthing.enable = true;
    xdg.configFile."syncthing/config.xml".source = ./syncthing.xml;
    xdg.userDirs.music = "${config.home.homeDirectory}/sync/Music";
    homeage.file."syncthing-key.pem" = {
      source = ../../secrets/syncthing-key.pem.age;
      symlinks = [ "${config.xdg.configHome}/syncthing/key.pem" ];
    };
    homeage.file."syncthing-cert.pem" = {
      source = ../../secrets/syncthing-cert.pem.age;
      symlinks = [ "${config.xdg.configHome}/syncthing/cert.pem" ];
    };
  };
 }
--- a/home-manager/syncthing/syncthing.xml
+++ b/home-manager/syncthing/syncthing.xml
@ -0,0 +1,175 @@
 <configuration version="37">
    <folder id="nncij-isaoe" label="Nextcloud" path="/home/pim/sync" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
        <filesystemType>basic</filesystemType>
        <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" introducedBy="">
            <encryptionPassword></encryptionPassword>
        </device>
        <device id="LX5I2N3-WXPGTGV-ZMYTG3X-SZXJGKQ-KDGUBIA-KVFXMXX-2U2I3BX-M3H53Q2" introducedBy="">
            <encryptionPassword></encryptionPassword>
        </device>
        <minDiskFree unit="%">1</minDiskFree>
        <versioning>
            <cleanupIntervalS>3600</cleanupIntervalS>
            <fsPath></fsPath>
            <fsType>basic</fsType>
        </versioning>
        <copiers>0</copiers>
        <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
        <hashers>0</hashers>
        <order>random</order>
        <ignoreDelete>false</ignoreDelete>
        <scanProgressIntervalS>0</scanProgressIntervalS>
        <pullerPauseS>0</pullerPauseS>
        <maxConflicts>10</maxConflicts>
        <disableSparseFiles>false</disableSparseFiles>
        <disableTempIndexes>false</disableTempIndexes>
        <paused>false</paused>
        <weakHashThresholdPct>25</weakHashThresholdPct>
        <markerName>.stfolder</markerName>
        <copyOwnershipFromParent>false</copyOwnershipFromParent>
        <modTimeWindowS>0</modTimeWindowS>
        <maxConcurrentWrites>2</maxConcurrentWrites>
        <disableFsync>false</disableFsync>
        <blockPullOrder>standard</blockPullOrder>
        <copyRangeMethod>standard</copyRangeMethod>
        <caseSensitiveFS>false</caseSensitiveFS>
        <junctionsAsDirs>false</junctionsAsDirs>
        <syncOwnership>false</syncOwnership>
        <sendOwnership>false</sendOwnership>
        <syncXattrs>false</syncXattrs>
        <sendXattrs>false</sendXattrs>
        <xattrFilter>
            <maxSingleEntrySize>1024</maxSingleEntrySize>
            <maxTotalSize>4096</maxTotalSize>
        </xattrFilter>
    </folder>
    <device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" name="Home" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
        <address>dynamic</address>
        <paused>false</paused>
        <autoAcceptFolders>false</autoAcceptFolders>
        <maxSendKbps>0</maxSendKbps>
        <maxRecvKbps>0</maxRecvKbps>
        <maxRequestKiB>0</maxRequestKiB>
        <untrusted>false</untrusted>
        <remoteGUIPort>0</remoteGUIPort>
    </device>
    <device id="LX5I2N3-WXPGTGV-ZMYTG3X-SZXJGKQ-KDGUBIA-KVFXMXX-2U2I3BX-M3H53Q2" name="x260" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
        <address>dynamic</address>
        <paused>false</paused>
        <autoAcceptFolders>false</autoAcceptFolders>
        <maxSendKbps>0</maxSendKbps>
        <maxRecvKbps>0</maxRecvKbps>
        <maxRequestKiB>0</maxRequestKiB>
        <untrusted>false</untrusted>
        <remoteGUIPort>0</remoteGUIPort>
    </device>
    <gui enabled="true" tls="false" debugging="false">
        <address>127.0.0.1:8384</address>
        <apikey></apikey>
        <theme>default</theme>
    </gui>
    <ldap></ldap>
    <options>
        <listenAddress>default</listenAddress>
        <globalAnnounceServer>default</globalAnnounceServer>
        <globalAnnounceEnabled>true</globalAnnounceEnabled>
        <localAnnounceEnabled>true</localAnnounceEnabled>
        <localAnnouncePort>21027</localAnnouncePort>
        <localAnnounceMCAddr>[ff12::8384]:21027</localAnnounceMCAddr>
        <maxSendKbps>0</maxSendKbps>
        <maxRecvKbps>0</maxRecvKbps>
        <reconnectionIntervalS>60</reconnectionIntervalS>
        <relaysEnabled>true</relaysEnabled>
        <relayReconnectIntervalM>10</relayReconnectIntervalM>
        <startBrowser>true</startBrowser>
        <natEnabled>true</natEnabled>
        <natLeaseMinutes>60</natLeaseMinutes>
        <natRenewalMinutes>30</natRenewalMinutes>
        <natTimeoutSeconds>10</natTimeoutSeconds>
        <urAccepted>-1</urAccepted>
        <urSeen>3</urSeen>
        <urUniqueID></urUniqueID>
        <urURL>https://data.syncthing.net/newdata</urURL>
        <urPostInsecurely>false</urPostInsecurely>
        <urInitialDelayS>1800</urInitialDelayS>
        <autoUpgradeIntervalH>12</autoUpgradeIntervalH>
        <upgradeToPreReleases>false</upgradeToPreReleases>
        <keepTemporariesH>24</keepTemporariesH>
        <cacheIgnoredFiles>false</cacheIgnoredFiles>
        <progressUpdateIntervalS>5</progressUpdateIntervalS>
        <limitBandwidthInLan>false</limitBandwidthInLan>
        <minHomeDiskFree unit="%">1</minHomeDiskFree>
        <releasesURL>https://upgrades.syncthing.net/meta.json</releasesURL>
        <overwriteRemoteDeviceNamesOnConnect>false</overwriteRemoteDeviceNamesOnConnect>
        <tempIndexMinBlocks>10</tempIndexMinBlocks>
        <trafficClass>0</trafficClass>
        <setLowPriority>true</setLowPriority>
        <maxFolderConcurrency>0</maxFolderConcurrency>
        <crashReportingURL>https://crash.syncthing.net/newcrash</crashReportingURL>
        <crashReportingEnabled>true</crashReportingEnabled>
        <stunKeepaliveStartS>180</stunKeepaliveStartS>
        <stunKeepaliveMinS>20</stunKeepaliveMinS>
        <stunServer>default</stunServer>
        <databaseTuning>auto</databaseTuning>
        <maxConcurrentIncomingRequestKiB>0</maxConcurrentIncomingRequestKiB>
        <announceLANAddresses>true</announceLANAddresses>
        <sendFullIndexOnUpgrade>false</sendFullIndexOnUpgrade>
        <connectionLimitEnough>0</connectionLimitEnough>
        <connectionLimitMax>0</connectionLimitMax>
        <insecureAllowOldTLSVersions>false</insecureAllowOldTLSVersions>
    </options>
    <defaults>
        <folder id="" label="" path="~" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
            <filesystemType>basic</filesystemType>
            <device id="LX5I2N3-WXPGTGV-ZMYTG3X-SZXJGKQ-KDGUBIA-KVFXMXX-2U2I3BX-M3H53Q2" introducedBy="">
                <encryptionPassword></encryptionPassword>
            </device>
            <minDiskFree unit="%">1</minDiskFree>
            <versioning>
                <cleanupIntervalS>3600</cleanupIntervalS>
                <fsPath></fsPath>
                <fsType>basic</fsType>
            </versioning>
            <copiers>0</copiers>
            <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
            <hashers>0</hashers>
            <order>random</order>
            <ignoreDelete>false</ignoreDelete>
            <scanProgressIntervalS>0</scanProgressIntervalS>
            <pullerPauseS>0</pullerPauseS>
            <maxConflicts>10</maxConflicts>
            <disableSparseFiles>false</disableSparseFiles>
            <disableTempIndexes>false</disableTempIndexes>
            <paused>false</paused>
            <weakHashThresholdPct>25</weakHashThresholdPct>
            <markerName>.stfolder</markerName>
            <copyOwnershipFromParent>false</copyOwnershipFromParent>
            <modTimeWindowS>0</modTimeWindowS>
            <maxConcurrentWrites>2</maxConcurrentWrites>
            <disableFsync>false</disableFsync>
            <blockPullOrder>standard</blockPullOrder>
            <copyRangeMethod>standard</copyRangeMethod>
            <caseSensitiveFS>false</caseSensitiveFS>
            <junctionsAsDirs>false</junctionsAsDirs>
            <syncOwnership>false</syncOwnership>
            <sendOwnership>false</sendOwnership>
            <syncXattrs>false</syncXattrs>
            <sendXattrs>false</sendXattrs>
            <xattrFilter>
                <maxSingleEntrySize>1024</maxSingleEntrySize>
                <maxTotalSize>4096</maxTotalSize>
            </xattrFilter>
        </folder>
        <device id="" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
            <address>dynamic</address>
            <paused>false</paused>
            <autoAcceptFolders>false</autoAcceptFolders>
            <maxSendKbps>0</maxSendKbps>
            <maxRecvKbps>0</maxRecvKbps>
            <maxRequestKiB>0</maxRequestKiB>
            <untrusted>false</untrusted>
            <remoteGUIPort>0</remoteGUIPort>
        </device>
        <ignores></ignores>
    </defaults>
 </configuration>
--- a/home-manager/thunderbird/default.nix
+++ b/home-manager/thunderbird/default.nix
@ -0,0 +1,8 @@
 {
  config = {
    programs.thunderbird = {
      enable = true;
      profiles.default = { isDefault = true; };
    };
  };
 }
--- a/home-manager/tidal.nix
+++ b/home-manager/tidal.nix
@ -1,16 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  cfg = config.pim.tidal;
 in {
  options.pim.tidal.enable = lib.mkEnableOption "tidal";
  config = lib.mkIf cfg.enable {
    home.packages = with pkgs; [
      supercollider-with-sc3-plugins
    ];
  };
 }
--- a/home-manager/vscode.nix
+++ b/home-manager/vscode.nix
@ -1,32 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }: let
  cfg = config.pim.vscode;
 in {
  options.pim.vscode.enable = lib.mkEnableOption "vscode";
  config = lib.mkIf cfg.enable {
    programs.vscode = {
      enable = true;
      package = pkgs.vscodium;
      extensions = with pkgs.vscode-extensions; [
        vscodevim.vim
        marp-team.marp-vscode
        jnoortheen.nix-ide
        mkhl.direnv
      ];
      userSettings = {
        "nix.enableLanguageServer" = true;
        "nix.serverPath" = lib.getExe pkgs.nil;
        "terminal.integrated.defaultProfile.linux" = "fish";
        "explorer.confirmDragAndDrop" = false;
        "explorer.confirmPasteNative" = false;
        "explorer.confirmDelete" = false;
      };
    };
  };
 }
--- a/machines/atlas/configuration.nix
+++ b/machines/atlas/configuration.nix
@ -1,14 +0,0 @@
 {config, ...}: {
  config = {
    facter.reportPath = ./facter.json;
    system.stateVersion = "23.05";
    users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
    pim.k3s.serverAddr = "https://jefke.dmz:6443";
    deployment = {
      targetHost = "atlas";
      targetUser = "root";
      tags = ["server" "kubernetes"];
    };
  };
 }
--- a/machines/atlas/facter.json
+++ b/machines/atlas/facter.json
--- a/machines/default.nix
+++ b/machines/default.nix
@ -1,31 +0,0 @@
 {
  sue = {
    system = "x86_64-linux";
    nixosModule = import ./sue/configuration.nix;
  };
  gamepc = {
    system = "x86_64-linux";
    nixosModule = import ./gamepc/configuration.nix;
  };
  warwick = {
    system = "aarch64-linux";
    nixosModule = import ./warwick/configuration.nix;
  };
  atlas = {
    system = "x86_64-linux";
    nixosModule = import ./atlas/configuration.nix;
  };
  jefke = {
    system = "x86_64-linux";
    nixosModule = import ./jefke/configuration.nix;
  };
  lewis = {
    system = "x86_64-linux";
    nixosModule = import ./lewis/configuration.nix;
  };
 }
--- a/machines/gamepc/configuration.nix
+++ b/machines/gamepc/configuration.nix
@ -1,123 +0,0 @@
 {
  config,
  lib,
  ...
 }: {
  config = {
    pim = {
      cinnamon.enable = true;
      sops-nix.usersWithSopsKeys = ["pim"];
    };
    facter.reportPath = ./facter.json;
    home-manager.users.pim.imports = [./pim.home.nix];
    programs.steam.enable = true;
    system.stateVersion = "24.05";
    users.users = {
      root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim;
      pim = {
        isNormalUser = true;
        extraGroups = ["autologin"];
        openssh.authorizedKeys.keys = config.pim.ssh.keys.pim;
      };
    };
    deployment = {
      targetHost = "gamepc";
      targetUser = "root";
      tags = ["desktop"];
    };
    services = {
      openssh.enable = true;
      xserver.displayManager.lightdm.extraSeatDefaults = ''
        autologin-user=pim
      '';
      sunshine = {
        enable = true;
        openFirewall = true;
        settings = {
          sunshine_name = config.networking.hostName;
          origin_web_ui_allowed = "wan";
          credentials_file = "/home/pim/.config/sunshine/sunshine_credentials.json";
        };
      };
    };
    boot.loader.grub = {
      enable = true;
      efiSupport = true;
      efiInstallAsRemovable = true;
    };
    disko.devices.disk = lib.genAttrs ["0" "1"] (name: {
      type = "disk";
      device = "/dev/nvme${name}n1";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            size = "1M";
            type = "EF02"; # for grub MBR
          };
          ESP = {
            size = "500M";
            type = "EF00";
            content = {
              type = "mdraid";
              name = "boot";
            };
          };
          mdadm = {
            size = "100%";
            content = {
              type = "mdraid";
              name = "raid0";
            };
          };
        };
      };
    });
    disko.devices.mdadm = {
      boot = {
        type = "mdadm";
        level = 1;
        metadata = "1.0";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/boot";
        };
      };
      raid0 = {
        type = "mdadm";
        level = 0;
        content = {
          type = "gpt";
          partitions = {
            primary = {
              end = "-4G";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
            swap = {
              size = "100%";
              content = {
                type = "swap";
              };
            };
          };
        };
      };
    };
  };
 }
--- a/machines/gamepc/facter.json
+++ b/machines/gamepc/facter.json
--- a/machines/gamepc/pim.home.nix
+++ b/machines/gamepc/pim.home.nix
@ -1,26 +0,0 @@
 {
  self,
  pkgs,
  config,
  ...
 }: {
  home = {
    username = "pim";
    homeDirectory = "/home/pim";
    stateVersion = "24.05";
    packages = with pkgs.unstable; [
      devenv
      vlc
      handbrake
      lutris
    ];
  };
  sops = {
    defaultSopsFile = "${self}/secrets/gamepc/pim.yaml";
    # TODO: should be set automatically?
    age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
    secrets."sunshine_credentials".path = "${config.xdg.configHome}/sunshine/sunshine_credentials.json";
  };
 }
--- a/machines/jefke/configuration.nix
+++ b/machines/jefke/configuration.nix
@ -1,14 +0,0 @@
 {config, ...}: {
  config = {
    pim.k3s.clusterInit = true;
    facter.reportPath = ./facter.json;
    system.stateVersion = "23.05";
    users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
    deployment = {
      targetHost = "jefke";
      targetUser = "root";
      tags = ["server" "kubernetes"];
    };
  };
 }
--- a/machines/jefke/facter.json
+++ b/machines/jefke/facter.json
--- a/machines/lewis/configuration.nix
+++ b/machines/lewis/configuration.nix
@ -1,26 +0,0 @@
 {
  self,
  config,
  pkgs,
  ...
 }: {
  config = {
    facter.reportPath = ./facter.json;
    system.stateVersion = "23.05";
    users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
    sops.defaultSopsFile = "${self}/secrets/lewis/nixos.yaml";
    environment.systemPackages = [pkgs.beets];
    deployment = {
      targetHost = "lewis";
      targetUser = "root";
      tags = ["server" "kubernetes"];
    };
    pim = {
      k3s.serverAddr = "https://jefke.dmz:6443";
      data-sharing.enable = true;
      backups.enable = true;
    };
  };
 }
--- a/machines/lewis/facter.json
+++ b/machines/lewis/facter.json
--- a/machines/sue/configuration.nix
+++ b/machines/sue/configuration.nix
@ -1,98 +0,0 @@
 {
  self,
  pkgs,
  lib,
  inputs,
  config,
  ...
 }: {
  options = {
    pim.cosmic.enable = lib.mkEnableOption "cosmic";
  };
  config = {
    pim = {
      lanzaboote.enable = true;
      tidal.enable = true;
      gnome.enable = true;
      stylix.enable = true;
      wireguard.enable = true;
      compliance.enable = true;
      sops-nix.usersWithSopsKeys = ["pim"];
    };
    users.users.pim = {
      isNormalUser = true;
      extraGroups = ["wheel" "docker" "input" "wireshark" "dialout"];
    };
    deployment = {
      allowLocalDeployment = true;
      targetHost = null;
      tags = ["desktop"];
    };
    facter.reportPath = ./facter.json;
    home-manager.users.pim.imports = [./pim.home.nix];
    nix.settings.trusted-users = ["pim"];
    system.stateVersion = "23.05";
    sops.defaultSopsFile = "${self}/secrets/sue/nixos.yaml";
    boot.kernelPackages = pkgs.unstable.linuxKernel.packages.linux_6_12;
    environment.systemPackages = with pkgs; [
      borgbackup
      kubectl
      nmap
      poppler_utils # For pdfunite
      silicon
      units
    ];
    virtualisation = {
      libvirtd.enable = true;
      docker = {
        enable = true;
        rootless = {
          enable = true;
          setSocketVariable = true;
        };
      };
    };
    swapDevices = [{device = "/dev/disk/by-uuid/96a43c35-0174-4e92-81f0-168a5f601f0b";}];
    fileSystems = {
      "/" = {
        device = "/dev/disk/by-uuid/31638735-5cc4-4013-8037-17e30edcbb0a";
        fsType = "ext4";
      };
      "/boot" = {
        device = "/dev/disk/by-uuid/560E-F8A2";
        fsType = "vfat";
        options = ["fmask=0022" "dmask=0022"];
      };
    };
    nix.settings = {
      substituters = ["https://cosmic.cachix.org/"];
      trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
    };
    boot.initrd.luks.devices."luks-8ffd3129-4908-4209-98c4-4eb68a35c494".device = "/dev/disk/by-uuid/8ffd3129-4908-4209-98c4-4eb68a35c494";
    specialisation.cosmic = lib.mkIf config.pim.cosmic.enable {
      configuration = {
        imports = [
          inputs.nixos-cosmic.nixosModules.default
        ];
        services = {
          desktopManager.cosmic.enable = true;
          displayManager.cosmic-greeter.enable = true;
        };
      };
    };
  };
 }
--- a/machines/sue/facter.json
+++ b/machines/sue/facter.json
--- a/machines/sue/pim.home.nix
+++ b/machines/sue/pim.home.nix
@ -1,64 +0,0 @@
 {
  self,
  pkgs,
  config,
  ...
 }: {
  config = {
    pim = {
      tidal.enable = true;
      gnome.enable = true;
      vscode.enable = true;
      syncthing.enable = true;
      neovim.enable = true;
      firefox.enable = true;
    };
    programs.chromium.enable = true;
    home = {
      username = "pim";
      homeDirectory = "/home/pim";
      stateVersion = "23.05";
    };
    sops = {
      defaultSopsFile = "${self}/secrets/sue/pim.yaml";
      age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
      secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
    };
    home.packages =
      (with pkgs; [
        jellyfin-media-player
        virt-manager
        bottles-unwrapped
        feishin
      ])
      ++ (with pkgs.unstable; [
        attic-client
        dbeaver-bin
        devenv
        gimp
        hexchat
        impression
        insomnia
        keepassxc
        krita
        libreoffice
        # logseq # Has insecure electron dependency
        moonlight-qt
        nicotine-plus
        qFlipper
        signal-desktop
        strawberry
        telegram-desktop
        vlc
        vorta
        wireshark
        # nheko # Has insecure olm dependency
        handbrake
        redfishtool
      ]);
  };
 }
--- a/machines/warwick/configuration.nix
+++ b/machines/warwick/configuration.nix
@ -1,39 +0,0 @@
 {
  lib,
  config,
  inputs,
  ...
 }: {
  imports = [inputs.nixos-hardware.nixosModules.raspberry-pi-4];
  config = {
    pim = {
      tailscale.advertiseExitNode = true;
      prometheus.enable = true;
    };
    facter.reportPath = ./facter.json;
    system.stateVersion = "23.05";
    systemd.network.networks."30-main-nic" = {
      matchConfig.Name = lib.mkForce "end*";
      networkConfig.IPv6AcceptRA = true;
    };
    deployment = {
      targetHost = "warwick";
      targetUser = "root";
      tags = ["server"];
      buildOnTarget = true;
    };
    boot.loader.systemd-boot.enable = lib.mkForce false;
    users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
    fileSystems."/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = ["noatime"];
    };
  };
 }
--- a/machines/warwick/facter.json
+++ b/machines/warwick/facter.json
--- a/nixos-configurations.nix
+++ b/nixos-configurations.nix
@ -1,18 +0,0 @@
 inputs @ {
  nixpkgs,
  self,
  ...
 }: {
  nixosConfigurations = nixpkgs.lib.mapAttrs (name: {
    system,
    nixosModule,
  }:
    nixpkgs.lib.nixosSystem {
      inherit system;
      modules = [./nixos nixosModule];
      specialArgs = {
        inherit inputs system self;
      };
    }) (import ./machines);
 }
--- a/nixos/backups.nix
+++ b/nixos/backups.nix
@ -1,94 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }: let
  cfg = config.pim.backups;
  borgmaticConfig = pkgs.writeTextFile {
    name = "borgmatic-config.yaml";
    text = lib.generators.toYAML {} {
      source_directories = ["/mnt/longhorn/persistent/longhorn-backup"];
      repositories = [
        {
          path = cfg.repoLocation;
          label = "nfs";
        }
        {
          path = "ssh://s6969ym3@s6969ym3.repo.borgbase.com/./repo";
          label = "borgbase";
        }
      ];
      ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
      keep_daily = 7;
      keep_weekly = 4;
      keep_monthly = 12;
      keep_yearly = -1;
      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/borgPassphrase".path}";
    };
  };
 in {
  options.pim.backups = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether to enable backups of persistent data on this machine.
      '';
    };
    repoLocation = lib.mkOption {
      default = "/mnt/longhorn/persistent/nfs.borg";
      type = lib.types.str;
      description = ''
        Location of the Borg repository to back up to.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [borgbackup];
    # Converted from:
    # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
    systemd.services.borgmatic = {
      description = "borgmatic backup";
      wants = ["network-online.target"];
      after = ["network-online.target"];
      unitConfig.ConditionACPower = true;
      preStart = "${pkgs.coreutils}/bin/sleep 10s";
      serviceConfig = {
        Type = "oneshot";
        Nice = 19;
        CPUSchedulingPolicy = "batch";
        IOSchedulingClass = "best-effort";
        IOSchedulingPriority = 7;
        IOWeight = 100;
        Restart = "no";
        LogRateLimitIntervalSec = 0;
        Environment = "BORG_PASSPHRASE_FILE=${config.sops.secrets."borg/borgPassphrase".path}";
      };
      script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
    };
    systemd.timers.borgmatic = {
      description = "Run borgmatic backup";
      wantedBy = ["timers.target"];
      timerConfig = {
        OnCalendar = "*-*-* 3:00:00";
        Persistent = true;
        RandomizedDelaySec = "1h";
      };
    };
    sops.secrets = {
      "borg/borgPassphrase" = {};
      "borg/borgbasePrivateKey" = {};
    };
  };
 }
--- a/nixos/cinnamon.nix
+++ b/nixos/cinnamon.nix
@ -1,24 +0,0 @@
 {
  pkgs,
  config,
  lib,
  ...
 }: let
  cfg = config.pim.cinnamon;
 in {
  options.pim.cinnamon.enable = lib.mkEnableOption "cinnamon";
  config = lib.mkIf cfg.enable {
    services = {
      displayManager.defaultSession = "cinnamon";
      libinput.enable = true;
      xserver = {
        desktopManager.cinnamon.enable = true;
        displayManager.lightdm.enable = true;
      };
    };
    environment.cinnamon.excludePackages = [
      pkgs.gnome-terminal
    ];
  };
 }
--- a/nixos/compliance.nix
+++ b/nixos/compliance.nix
@ -1,14 +0,0 @@
 {
  config,
  lib,
  ...
 }: let
  cfg = config.pim.compliance;
 in {
  options.pim.compliance.enable = lib.mkEnableOption "compliance";
  config = lib.mkIf cfg.enable {
    services.clamav = {
      daemon.enable = true;
    };
  };
 }
--- a/nixos/data-sharing.nix
+++ b/nixos/data-sharing.nix
@ -1,47 +0,0 @@
 {
  lib,
  config,
  ...
 }: let
  cfg = config.pim.data-sharing;
  nfsShares = [
    "/mnt/longhorn/persistent/media"
    "/mnt/longhorn/persistent/media/books"
    "/mnt/longhorn/persistent/media/movies"
    "/mnt/longhorn/persistent/media/music"
    "/mnt/longhorn/persistent/media/shows"
    "/mnt/longhorn/persistent/longhorn-backup"
  ];
  nfsExports = lib.strings.concatLines (
    builtins.map
    (
      share: "${share} 192.168.30.0/16(rw,sync,no_subtree_check,no_root_squash) 127.0.0.1/8(rw,sync,no_subtree_check,no_root_squash) 10.0.0.0/8(rw,sync,no_subtree_check,no_root_squash)"
    )
    nfsShares
  );
 in {
  options.pim.data-sharing = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Configure this server to serve our data using NFS.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [
      2049 # NFS
      111 # NFS
      20048 # NFS
    ];
    services.nfs.server = {
      enable = true;
      exports = nfsExports;
    };
  };
 }
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -1,209 +1,155 @@
 { pkgs, config, lib, ... }:
 let
  vuescan = pkgs.callPackage ./vuescan.nix { };
 in
 {
-  pkgs,
+  imports = [ ./hardware-configuration.nix ];
  config,
  lib,
  inputs,
  self,
  name,
  ...
 }: {
  imports = [
    inputs.home-manager.nixosModules.home-manager
    inputs.nixos-facter-modules.nixosModules.facter
    inputs.disko.nixosModules.disko
    inputs.sops-nix.nixosModules.sops
    inputs.nix-snapshotter.nixosModules.nix-snapshotter
    ./lanzaboote.nix
    ./tidal.nix
    ./stylix.nix
    ./wireguard.nix
    ./gnome.nix
    ./compliance.nix
    ./cinnamon.nix
    ./ssh.nix
    ./desktop.nix
    ./server.nix
    ./prometheus.nix
    ./kubernetes
    ./data-sharing.nix
    ./backups.nix
  ];
-  options = {
+  boot = { loader.systemd-boot.enable = true; };
    pim.sops-nix = {
      colmenaSopsFile = lib.mkOption {
        type = lib.types.path;
        default = "${self}/secrets/${name}/colmena.yaml";
      };
-      usersWithSopsKeys = lib.mkOption {
+  time.timeZone = "Europe/Amsterdam";
-        type = lib.types.listOf lib.types.str;
+  i18n.defaultLocale = "en_US.UTF-8";
-        default = lib.optional (! config.deployment.allowLocalDeployment) "root";
+
  services = {
    udev.packages = [ vuescan ];
    gnome.gnome-keyring.enable = lib.mkForce false;
    xserver = {
      enable = true;
      displayManager.gdm = { enable = true; };
      desktopManager.gnome.enable = true;
      excludePackages = with pkgs; [ xterm ];
    };
    printing = {
      enable = true;
      drivers = [ pkgs.hplip pkgs.gutenprint ];
    };
    fprintd = {
      enable = true;
      tod = {
        enable = true;
        driver = pkgs.libfprint-2-tod1-vfs0090;
      };
    };
  };
-  config = {
+  users = {
-    time.timeZone = "Europe/Amsterdam";
+    users.pim = {
-    hardware.pulseaudio.enable = false;
+      isNormalUser = true;
-    sops.age.keyFile = "/root/.config/sops/age/keys.txt";
+      extraGroups = [ "wheel" "docker" "input" ];
    i18n = {
      defaultLocale = "en_US.UTF-8";
      extraLocaleSettings = let
        extraLocale = "nl_NL.UTF-8";
      in {
        LC_ADDRESS = extraLocale;
        LC_IDENTIFICATION = extraLocale;
        LC_MEASUREMENT = extraLocale;
        LC_MONETARY = extraLocale;
        LC_NAME = extraLocale;
        LC_NUMERIC = extraLocale;
        LC_PAPER = extraLocale;
        LC_TELEPHONE = extraLocale;
        LC_TIME = extraLocale;
      };
    };
  };
-    deployment.keys = lib.pipe config.pim.sops-nix.usersWithSopsKeys [
+  environment = {
-      (lib.map (
+    systemPackages = with pkgs; [
-        user: let
+      wget
-          homeDirectory =
+      curl
-            if user == "root"
+      git
-            then "/root"
+      btop
-            else "/home/${user}";
+      ripgrep
-          sopsFile = config.pim.sops-nix.colmenaSopsFile;
+      vim
-        in {
+      dogdns
-          name = "${user}-sops-age";
+      tree
-          value = {
+      dig
-            keyCommand = ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_nix_keys\"][\"${user}\"]" "-d" (builtins.toString sopsFile)];
+      vuescan
            name = "keys.txt";
            destDir = "${homeDirectory}/.config/sops/age";
            inherit user;
            group = "users";
          };
        }
      ))
      builtins.listToAttrs
    ];
    gnome.excludePackages = with pkgs; [
      gnome.totem
      gnome-tour
      gnome.epiphany
      gnome.geary
      gnome-console
      gnome.gnome-music
    ];
  };
-    systemd = {
+  system = {
-      services.NetworkManager-wait-online.enable = lib.mkForce false;
+    stateVersion = "23.05";
      network.wait-online.enable = lib.mkForce false;
    };
-    services = {
+    activationScripts.diff = ''
      xserver.excludePackages = [pkgs.xterm];
      printing.drivers = [pkgs.hplip pkgs.gutenprint];
      tailscale.enable = true;
      pipewire = {
        alsa.enable = true;
        alsa.support32Bit = true;
        pulse.enable = true;
        jack.enable = true;
      };
    };
    environment = {
      systemPackages = with pkgs; [
        age
        btop
        btrfs-progs
        curl
        dig
        exfat
        f3
        fastfetch
        file
        git
        jq
        ripgrep
        sbctl
        tree
        vim
        wget
        yq
        ncdu
        lshw
        sops
      ];
    };
    system.activationScripts.diff = ''
      if [[ -e  /run/current-system ]]; then
        ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
      fi
    '';
  };
-    security = {
+  programs.ssh = {
-      rtkit.enable = true;
+    startAgent = true;
-      sudo.extraConfig = ''
+    knownHosts = {
-        Defaults        timestamp_timeout=30
+      dmz = {
-      '';
+        hostNames = [ "*.dmz" ];
-    };
+        publicKey =
-
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
-    nix = {
+        certAuthority = true;
      package = pkgs.nixVersions.stable;
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
      gc = {
        automatic = true;
        persistent = true;
        dates = "weekly";
        options = "--delete-older-than 7d";
      };
    };
    networking = {
      hostName = name;
      useDHCP = lib.mkDefault true;
      networkmanager.unmanaged = lib.mkIf config.services.tailscale.enable ["tailscale0"];
      wireless.extraConfig = ''
        p2p_disabled=1
      '';
    };
    nixpkgs = {
      # hostPlatform = lib.mkDefault "x86_64-linux";
      config = {
        allowUnfreePredicate = pkg:
          builtins.elem (lib.getName pkg) [
            "libfprint-2-tod1-goodix"
            "steam"
            "steam-original"
            "steam-run"
            "steam-unwrapped"
          ];
      };
-      overlays = [
+      hypervisors = {
-        inputs.nur.overlay
+        hostNames = [ "*.hyp" ];
-        (final: _prev: {
+        publicKey =
-          unstable = import inputs.nixpkgs-unstable {
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
-            inherit (pkgs) system;
+        certAuthority = true;
-            config.allowUnfree = true;
+      };
          };
        })
      ];
    };
    boot.kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };
    home-manager = {
      useGlobalPkgs = true;
      useUserPackages = true;
      extraSpecialArgs = {inherit self inputs;};
      sharedModules = ["${self}/home-manager"];
    };
  };
  security.sudo.extraConfig = ''
    Defaults        timestamp_timeout=30
  '';
  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    gc = {
      automatic = true;
      persistent = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
  };
  age = {
    identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
    secrets = {
      wg-quick-home-privkey.file = ../secrets/wg-quick-home-privkey.age;
      wg-quick-home-preshared-key.file =
        ../secrets/wg-quick-home-preshared-key.age;
    };
  };
  networking = {
    hostName = "x260";
    wg-quick.interfaces.home = {
      privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
      address = [ "10.225.191.4/24" ];
      dns = [ "192.168.30.8" ];
      peers = [{
        presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
        endpoint = "wg.geokunis2.nl:51820";
        publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
        allowedIPs = [ "0.0.0.0/0" "::0/0" ];
      }];
    };
  };
  virtualisation.docker = {
    enable = true;
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
  };
  nixpkgs.config.permittedInsecurePackages = [
    "electron-25.9.0"
  ];
 }
--- a/nixos/desktop.nix
+++ b/nixos/desktop.nix
@ -1,20 +0,0 @@
 {
  lib,
  config,
  ...
 }: {
  config = lib.mkIf (builtins.elem "desktop" config.deployment.tags) {
    programs.ssh.startAgent = true;
    services = {
      xserver.enable = true;
      printing.enable = true;
      pipewire.enable = true;
      tailscale = {
        useRoutingFeatures = "client";
        extraSetFlags = ["--accept-routes"];
      };
    };
  };
 }
--- a/nixos/gnome.nix
+++ b/nixos/gnome.nix
@ -1,54 +0,0 @@
 {
  pkgs,
  config,
  lib,
  ...
 }: let
  cfg = config.pim.gnome;
 in {
  options.pim.gnome.enable = lib.mkEnableOption "gnome";
  config = lib.mkIf cfg.enable {
    services = {
      gnome.gnome-keyring.enable = lib.mkForce false;
      xserver = {
        desktopManager.gnome.enable = true;
        displayManager.gdm.enable = true;
      };
    };
    environment = {
      systemPackages =
        [
          pkgs.gnome-shell-extensions
        ]
        ++ (with pkgs.gnomeExtensions; [
          pop-shell
          window-is-ready-remover
          random-wallpaper
          workspaces-indicator-by-open-apps
        ])
        ++ lib.optional config.services.tailscale.enable pkgs.gnomeExtensions.tailscale-status;
      gnome.excludePackages = with pkgs; [
        epiphany
        gnome-connections
        gnome-console
        gnome-tour
        geary
        gnome-calendar
        gnome-clocks
        gnome-contacts
        gnome-font-viewer
        gnome-logs
        gnome-maps
        gnome-music
        seahorse
        totem
        yelp
        gnome-weather
      ];
    };
  };
 }
--- a/nixos/hardware-configuration.nix
+++ b/nixos/hardware-configuration.nix
@ -0,0 +1,41 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }: {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot.initrd.availableKernelModules =
    [ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/33e4587b-fba3-4a9d-82d2-a9e49a8e75fa";
    fsType = "ext4";
  };
  boot.initrd.luks.devices."luks-cd1139a7-0c1b-4459-b586-29b577825ee9".device =
    "/dev/disk/by-uuid/cd1139a7-0c1b-4459-b586-29b577825ee9";
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/87DA-B083";
    fsType = "vfat";
  };
  swapDevices =
    [{ device = "/dev/disk/by-uuid/908399cd-2f4f-4555-8805-80c9faf190aa"; }];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nixos/kubernetes/default.nix
+++ b/nixos/kubernetes/default.nix
@ -1,17 +0,0 @@
 {
  lib,
  config,
  ...
 }: {
  imports = [
    ./k3s
    ./storage.nix
  ];
  config = lib.mkIf (builtins.elem "kubernetes" config.deployment.tags) {
    pim = {
      k3s.enable = true;
      hasK8sStorageSetup = true;
    };
  };
 }
--- a/nixos/kubernetes/k3s/bootstrap.nix
+++ b/nixos/kubernetes/k3s/bootstrap.nix
@ -1,20 +0,0 @@
 {kubenix, ...}: {
  imports = [kubenix.modules.k8s];
  kubernetes.resources.clusterRoleBindings.cluster-admins = {
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io";
      kind = "ClusterRole";
      name = "cluster-admin";
    };
    subjects = [
      {
        kind = "User";
        name = "pim";
      }
      {
        kind = "User";
        name = "niels";
      }
    ];
  };
 }
--- a/nixos/kubernetes/k3s/ca/client-ca.crt
+++ b/nixos/kubernetes/k3s/ca/client-ca.crt
@ -1,81 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDZjCCAU6gAwIBAgIIK1UyUU0zJ3cwDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE
 AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy
 MFoXDTQ0MDEyNTEyMzAyMFowIzEhMB8GA1UEAwwYazNzLWNsaWVudC1jYUAxNzE1
 MjU3ODEzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBB8Y6sNAW10pxocoKo71
 BTJXo7gwFSxotKxht5rinAmpvVEZnRlIDcjtdRZ0mqTT3I8SXrhGtWjdTP37cmM1
 /KNjMGEwHQYDVR0OBBYEFA0aYftOY6QKQhCiWi2U3JEkGfqJMB8GA1UdIwQYMBaA
 FPr9VQZaChg8JC0u+mpfJyqQvjdiMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
 BAQDAgKkMA0GCSqGSIb3DQEBCwUAA4ICAQDDGSh4gVbI5zjCrHn4yFt/XdGq1MML
 8wJf2UvRCddQULwhuWae21P5i6cGks3v3Yqd9h+uZJ2JKl6heChuq1/vZBQ9Y31G
 LuRvaGdJnzgu2S1UQMUbkc39lgJf8j20XMK4NsIOP1N3rU5i5htEzjMsi9MtiabO
 yjC9fzYXVW0j5uTi14swYG9ESKPJ7WQ1nETWWRiBrs4IlPRq3jIVOJTBAHxWjMtg
 96zfvqK+jgH+rx3QolwiwV7ai0D1RbCvGoOhkoQcy506SztdlNRXfGpAbcXFJ+uP
 esw9xLilIjF4o42Ga9uizBGjbk/gyN4r4lZ6ojSXGKDczcQxM6i2bGRvn96KbK/R
 o0gbsb56niVt1ZQDCuYdOs3B9JlrQeZaeCUypx/UbAoYnVy1FECj0OcPDI69Es60
 wHjyp3EAOTJ/gSiUhdvDjwUYT2klP0d+GvsXWbPAcqJJJS8SuVhXIZZfZW5e7Cbn
 +TwO3omtxg6b7Wh7QWTUajWtmLjFSoP0MlOp56u9U5R0rfNDG5mrV4gCh0QTNyzt
 +CEIC8fHDUUDAphJnirYLZszzmg14vNQUR2gm3T9/j7XYHtmzrWA7eT2pk6h1HQz
 yJwoW2EsGyT6GELjztXQN+lWlBqW05cedkMsGnfym2A4Y06MaUwjNmTA3kiAoUUr
 Z6PMef1lNVlmUA==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE
 AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx
 MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1
 NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP
 ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk
 uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4
 yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS
 TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW
 aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A
 vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm
 3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE
 HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0
 N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb
 ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5
 IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY
 PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP
 BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC
 AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5
 VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy
 P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx
 KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx
 W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6
 36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR
 dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY
 i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC
 1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY
 JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E
 XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL
 BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx
 MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3
 MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP
 tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot
 RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ
 OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd
 6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw
 qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T
 1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9
 bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc
 zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB
 ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ
 8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/
 TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD
 5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy
 htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL
 BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ
 PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf
 MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx
 kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY
 j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE
 H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0
 jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R
 G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0
 RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+
 09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm
 KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq
 -----END CERTIFICATE-----
--- a/nixos/kubernetes/k3s/ca/etcd/peer-ca.crt
+++ b/nixos/kubernetes/k3s/ca/etcd/peer-ca.crt
@ -1,81 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDaTCCAVGgAwIBAgIIK1UyUU0zJ3owDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE
 AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy
 MFoXDTQ0MDEyNTEyMzAyMFowJjEkMCIGA1UEAwwbazNzLWV0Y2QtcGVlci1jYUAx
 NzE1MjU3ODEzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnl/F0abKbhtunsAE
 gFB/NapdHORdwEku2AlLLFZuBTWTm7bDPV6aL/QrSlqKOscrh0WqCJMAy+OrC3Uz
 MgKgQKNjMGEwHQYDVR0OBBYEFH8weUS7ylk6JshWGj/UTH3vt/L6MB8GA1UdIwQY
 MBaAFPr9VQZaChg8JC0u+mpfJyqQvjdiMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
 AQH/BAQDAgKkMA0GCSqGSIb3DQEBCwUAA4ICAQASumDCrfrfm9AAjCou3V1YEbZA
 bM20GyWfFHIWzZOtCyKJQt0oOr2tXXv8RwsG0qWeVU7C0CeGUEhF8IFe/O01idWT
 wv8Fiatugen6gx2ufawyEv4ATW3tPAizt+r4eZz0euYntGevPx2iM1R5xEcaNj01
 kRiydyeP/m1C+uEXTCemIcP0vC67UE5OFBntjub7+K5h+iFApt/3MpdAW51GSDZn
 t+EgaMa98ozHhTRWpA0QlmbDzQLX8hIALvFvzqyJcUHSoVeJEo0J25IXi7mJKQP3
 kTG/1WjEXlZ2LUfWtBRlhfgxjdupLTULdOpHY3E0Zl5K7gBvDayMcrdcGNIgJ0iJ
 qMRfB30Qwa1Hypgio5GOi4aOEyE3dNQke+M8UtI1oMXCyPeLTBMoc7rzZii0AnwD
 5IuT4Uwx8SMHBuBPlU6TVe4UsChaw+k7kPDAWJ9yULW4x4o/zHQB/opjWMSpQqc0
 nrBfFEhgFyUbwYnGutfEczwhxPlDhdICKPK2bO5dh6LEPohvmoXVks6Dp98Ha371
 61/1ZLsMqO8spMrzlkONdSjZmoyFSIWiUivzXcnGVyiuSqYEbRokgoKg1mv61c3x
 lcw7ChGafWws1odaHV0A6nXf7G5+K3I6wnKW5601GwrAiQVgEba8x290WWun4k8d
 USo2/Dqkd9+wVScQHw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE
 AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx
 MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1
 NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP
 ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk
 uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4
 yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS
 TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW
 aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A
 vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm
 3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE
 HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0
 N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb
 ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5
 IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY
 PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP
 BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC
 AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5
 VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy
 P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx
 KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx
 W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6
 36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR
 dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY
 i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC
 1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY
 JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E
 XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL
 BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx
 MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3
 MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP
 tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot
 RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ
 OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd
 6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw
 qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T
 1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9
 bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc
 zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB
 ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ
 8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/
 TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD
 5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy
 htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL
 BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ
 PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf
 MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx
 kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY
 j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE
 H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0
 jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R
 G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0
 RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+
 09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm
 KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq
 -----END CERTIFICATE-----
--- a/nixos/kubernetes/k3s/ca/etcd/server-ca.crt
+++ b/nixos/kubernetes/k3s/ca/etcd/server-ca.crt
@ -1,81 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAVOgAwIBAgIIK1UyUU0zJ3swDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE
 AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy
 MFoXDTQ0MDEyNTEyMzAyMFowKDEmMCQGA1UEAwwdazNzLWV0Y2Qtc2VydmVyLWNh
 QDE3MTUyNTc4MTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjDMY4U81p+y3C
 k+g4MloNceEQ0+TKbnGc0xlGmJBXXKqB6zrolIdv/J9GABZ9eIUGEs8Xw0E4VEPM
 l2iFGyoOo2MwYTAdBgNVHQ4EFgQUm/3f0yXxqbgLmU4a+H2QMavLUX0wHwYDVR0j
 BBgwFoAU+v1VBloKGDwkLS76al8nKpC+N2IwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
 HQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQELBQADggIBADcxOaGyetgWEqo5BqNZd9X6
 6Lj3rJZTYBmAJeISscG/Dwnv0MmRWw911zmRhikEu8jmLiGMQZUwFD1KoJ6Z/D2M
 0Iqk87Ur4aS+mw2Yc60QatkZ2D1XBhrzk3gMaCtWMQBRiexA4qvaw8qlDkDR2eW9
 wyks+WsD6Am1Vb/9k7fIfDR1KkScpl07fAMil73URy+KNDZ6r8hW3xZulvZd5IWp
 g2px4A+i4eUbevBU1xljpXjP5lrEqoApk5YQDlHHKARszWlQC9PbvyiRRn8dH69m
 mC0cdt5tSWWT49bCRtfigoejeFr8SaYzDuvR4Wb31CgbH+qVZADfgggE1N6pQCsY
 w+b8xvoZGAcKEWAlX3J159Rc1mV9HRCEzaGEt5kgJuPFyJUXCjQzrKTADOawFxGb
 IYeKcmUJuJG0yDkYb5lNa5fv02PAqXVM+Wz+YpFryHRphKt/gGLlhg1HyqnLVowi
 UhlRyPLj9XG8PH1ZRVF6/havkg9H78voMXdFMcotIF34wSP5k/wsDjmgsvuLUIek
 ryImLiMuJT5sTM/xVdLT2B9cJrFz4XIAFV209PvIldDDp1ySsh7Tz8fWHdCjvd5o
 8FTAcyBW72mpS5WP+FUnq0mgpHp9HrLCC3q4AQ7juJszD1PExGNW710rjMHlnrrF
 w4VKyOziEAxsiuA390Ds
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE
 AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx
 MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1
 NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP
 ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk
 uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4
 yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS
 TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW
 aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A
 vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm
 3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE
 HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0
 N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb
 ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5
 IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY
 PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP
 BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC
 AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5
 VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy
 P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx
 KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx
 W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6
 36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR
 dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY
 i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC
 1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY
 JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E
 XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL
 BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx
 MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3
 MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP
 tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot
 RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ
 OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd
 6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw
 qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T
 1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9
 bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc
 zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB
 ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ
 8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/
 TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD
 5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy
 htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL
 BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ
 PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf
 MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx
 kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY
 j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE
 H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0
 jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R
 G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0
 RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+
 09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm
 KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq
 -----END CERTIFICATE-----
--- a/nixos/kubernetes/k3s/ca/request-header-ca.crt
+++ b/nixos/kubernetes/k3s/ca/request-header-ca.crt
@ -1,81 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDbjCCAVagAwIBAgIIK1UyUU0zJ3kwDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE
 AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy
 MFoXDTQ0MDEyNTEyMzAyMFowKzEpMCcGA1UEAwwgazNzLXJlcXVlc3QtaGVhZGVy
 LWNhQDE3MTUyNTc4MTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARAACYmLLW4
 6vaF9q1cqBefK/FQebhkwoDcuYuG597sjxQPEz8sO/yYVaNnNcVZZPqDsiF4OCOz
 i9ge02pJJVXJo2MwYTAdBgNVHQ4EFgQUrVPDbR8zlHplrCIASYmcn8IrbDEwHwYD
 VR0jBBgwFoAU+v1VBloKGDwkLS76al8nKpC+N2IwDwYDVR0TAQH/BAUwAwEB/zAO
 BgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQELBQADggIBABlvTQJx7B0LI95sOKjM
 zul35QpHoMTJOM4IrtDVUQfRutsRVaJ8z2M/2PXY0OiP8ZURaUTR63fL1lklQOMq
 xDM59mcyWTEB50+yTYZNCi0qUrxI7kiOGmsCWJ1JDcRRnXonF2htPdMUr8wIOrzR
 CL/HIYObEqasmTZeBlaHMc7clLB+yROveCRG91MeC8iftu/ORoqUIMVhXuR2PEQn
 mupksalzL71RdOPLdL7UQzhVaABDRD0JrWsb6F198PLWiGpslwqFumyxucgd4+Xq
 lb9AB/Sac/2KJH2GEGUoUMac7tJ+BNNc1T6VQUeyKDCacNRemjKxOa58ilFGvGPK
 xKuuPhaN/mdZNBI1EX1m8JbCTByP5naGB7DDsP8ekMg1jvfszU+BDZSZoBgDhMmu
 7Hsu/CpS8LWDzZ0KRuBsCLTYwlA1H0rp3C2ZYc/cbBexo8oyHMisMvpzM/5NMkuT
 aKCQFt3HOncNG6rTltTrFaJaH9sZJxaaR6Q+pKzTtRGpx3SabZnNQkmu2MoFTKoE
 vApW1wYptjOm7k5+o0a7IcWWK8FbqGOwfTAiI+mNYkiwo+qunALY0q/MiX0c7beI
 qDzvjAHEt/xuWLCVqXhCy7bsgAmiukICMVflWd1Bg5OlXHa9H6sXqE1hP74Wv2bo
 kBKEUETfs+HldaQgT5ontb+T
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE
 AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx
 MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1
 NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP
 ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk
 uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4
 yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS
 TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW
 aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A
 vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm
 3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE
 HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0
 N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb
 ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5
 IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY
 PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP
 BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC
 AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5
 VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy
 P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx
 KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx
 W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6
 36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR
 dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY
 i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC
 1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY
 JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E
 XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL
 BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx
 MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3
 MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP
 tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot
 RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ
 OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd
 6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw
 qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T
 1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9
 bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc
 zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB
 ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ
 8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/
 TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD
 5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy
 htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL
 BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ
 PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf
 MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx
 kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY
 j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE
 H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0
 jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R
 G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0
 RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+
 09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm
 KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq
 -----END CERTIFICATE-----
--- a/nixos/kubernetes/k3s/ca/server-ca.crt
+++ b/nixos/kubernetes/k3s/ca/server-ca.crt
@ -1,81 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDZjCCAU6gAwIBAgIIK1UyUU0zJ3gwDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE
 AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy
 MFoXDTQ0MDEyNTEyMzAyMFowIzEhMB8GA1UEAwwYazNzLXNlcnZlci1jYUAxNzE1
 MjU3ODEzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDhZobdYwh9+5PmK68/Pi
 CETLWdTMftlpf4Kws1c1pu9diaQ2p2uAhgsdMxe8k5Su22HUG9soOsLpMfGn1fwS
 dqNjMGEwHQYDVR0OBBYEFH4kXKFZ+MJI3cnwRtm2URRJk4ghMB8GA1UdIwQYMBaA
 FPr9VQZaChg8JC0u+mpfJyqQvjdiMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
 BAQDAgKkMA0GCSqGSIb3DQEBCwUAA4ICAQCWi/YtfU0RFX8vZenOolcbrtSiZDYO
 yYuUUI3h7U1AW7Hmn3Gk0SYdNxUbJLB2sFt8s8TX+N80M5483prUi8O3CL/DTXxD
 Ae4uag2MFGh0710JY0I/7paB9H9GU6T+BAKrjdru2mwlNC+DcUIY7UX5/PrmnG9z
 HMt6tSdy6RuKTBu69tr/Mpdb3VZIjrEuJ/d1LrkbxEXXW+12AvBMociBXUW+7ooO
 LlKji2LGFJUYvh7yjOXykjB5U75/9oBrRpASFkGqwcXk7c89UEL9RiPDLqAm6u1U
 YoE8U9mZtgTV2E4DKUbamdeVRFalJMw1Pp6WrSLsK1wBgWxydEz8djUg8WLf01ml
 mRtLH7AKgFy3u5s+fxMQMGSfSmSjzsV3HCKb8bssk8bm0Q4wLznqW1ClKTbBRdDb
 lE0BkI0cJqaTkjBkcuPUd9yCEUT3mCFRPIqpiYAqzPwudZ9PynZVd4NfrItpEw1V
 7hVFjN2q524LK3moPFd/adfEenZEXbkaUimUloADmnR/fuTjvqkUh0OVCta3SMTd
 GjhMBidfBaDPs+b/wpI4oo3JzKL9U0AqDH9/KOsJk2W38VE8z+exgY0eU2E6HOaz
 O18nrHF+eMY65Zxird7xLmu+I0h1aF0qp37ejBZnWMxawQwb0km0IcVE4xzixQ9F
 NBWX9TfSjd17Tg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE
 AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx
 MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1
 NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP
 ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk
 uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4
 yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS
 TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW
 aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A
 vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm
 3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE
 HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0
 N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb
 ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5
 IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY
 PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP
 BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC
 AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5
 VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy
 P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx
 KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx
 W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6
 36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR
 dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY
 i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC
 1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY
 JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E
 XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL
 BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx
 MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3
 MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP
 tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot
 RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ
 OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd
 6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw
 qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T
 1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9
 bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc
 zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB
 ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ
 8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/
 TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD
 5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy
 htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL
 BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ
 PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf
 MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx
 kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY
 j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE
 H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0
 jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R
 G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0
 RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+
 09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm
 KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq
 -----END CERTIFICATE-----
--- a/nixos/kubernetes/k3s/default.nix
+++ b/nixos/kubernetes/k3s/default.nix
@ -1,213 +0,0 @@
 {
  self,
  inputs,
  pkgs,
  lib,
  config,
  ...
 }: let
  cfg = config.pim.k3s;
 in {
  options.pim.k3s = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether to run k3s on this server.
      '';
    };
    role = lib.mkOption {
      default = "server";
      type = lib.types.str;
      description = ''
        Whether to run k3s as a server or an agent.
      '';
    };
    clusterInit = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether this node should initialize the K8s cluster.
      '';
    };
    serverAddr = lib.mkOption {
      default = null;
      type = with lib.types; nullOr str;
      description = ''
        Address of the server whose cluster this server should join.
        Leaving this empty will make the server initialize the cluster.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      k3s
      openiscsi # Required for Longhorn
      nfs-utils # Required for Longhorn
    ];
    # TODO!!!!!
    networking = {
      nftables.enable = lib.mkForce false;
      firewall.enable = lib.mkForce false;
    };
    virtualisation.containerd = {
      enable = true;
      settings = {
        version = 2;
        proxy_plugins.nix = {
          type = "snapshot";
          address = "/run/nix-snapshotter/nix-snapshotter.sock";
        };
        plugins = let
          k3s-cni-plugins = pkgs.buildEnv {
            name = "k3s-cni-plugins";
            paths = with pkgs; [
              cni-plugins
              cni-plugin-flannel
            ];
          };
        in {
          "io.containerd.grpc.v1.cri" = {
            stream_server_address = "127.0.0.1";
            stream_server_port = "10010";
            enable_selinux = false;
            enable_unprivileged_ports = true;
            enable_unprivileged_icmp = true;
            disable_apparmor = true;
            disable_cgroup = true;
            restrict_oom_score_adj = true;
            sandbox_image = "rancher/mirrored-pause:3.6";
            containerd.snapshotter = "nix";
            cni = {
              conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/";
              bin_dir = "${k3s-cni-plugins}/bin";
            };
          };
          "io.containerd.transfer.v1.local".unpack_config = [
            {
              platform = "linux/amd64";
              snapshotter = "nix";
            }
          ];
        };
      };
    };
    services = {
      nix-snapshotter.enable = true;
      k3s = let
        serverFlagList = [
          "--image-service-endpoint=unix:///run/nix-snapshotter/nix-snapshotter.sock"
          "--snapshotter=overlayfs"
          "--container-runtime-endpoint=unix:///run/containerd/containerd.sock"
          "--tls-san=${config.networking.fqdn}"
          "--disable=servicelb"
          "--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56"
          "--service-cidr=10.43.0.0/16,2001:cafe:43::/112"
        ];
        serverFlags = builtins.concatStringsSep " " serverFlagList;
      in {
        enable = true;
        role = cfg.role;
        tokenFile = config.sops.secrets."k3s/serverToken".path;
        extraFlags = lib.mkIf (cfg.role == "server") (lib.mkForce serverFlags);
        clusterInit = cfg.clusterInit;
        serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr;
      };
      # Required for Longhorn
      openiscsi = {
        enable = true;
        name = "iqn.2016-04.com.open-iscsi:${config.networking.fqdn}";
      };
    };
    # HACK: Symlink binaries to /usr/local/bin such that Longhorn can find them
    # when they use nsenter.
    # https://github.com/longhorn/longhorn/issues/2166#issuecomment-1740179416
    systemd.tmpfiles.rules = [
      "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
    ];
    system.activationScripts = {
      k3s-bootstrap = lib.mkIf (cfg.role == "server") {
        text = (
          let
            k3sBootstrapFile =
              (inputs.kubenix.evalModules.x86_64-linux {
                module = import ./bootstrap.nix;
              })
              .config
              .kubernetes
              .result;
          in ''
            mkdir -p /var/lib/rancher/k3s/server/manifests
            ln -sf ${k3sBootstrapFile} /var/lib/rancher/k3s/server/manifests/k3s-bootstrap.json
          ''
        );
      };
      k3s-certs = lib.mkIf (cfg.role == "server") {
        text = ''
          mkdir -p /var/lib/rancher/k3s/server/tls/etcd
          cp -f ${./ca/server-ca.crt} /var/lib/rancher/k3s/server/tls/server-ca.crt
          cp -f ${./ca/client-ca.crt} /var/lib/rancher/k3s/server/tls/client-ca.crt
          cp -f ${./ca/request-header-ca.crt} /var/lib/rancher/k3s/server/tls/request-header-ca.crt
          cp -f ${./ca/etcd/peer-ca.crt} /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt
          cp -f ${./ca/etcd/server-ca.crt} /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt
        '';
      };
    };
    sops.secrets = let
      keyPathBase = "/var/lib/rancher/k3s/server/tls";
    in {
      "k3s/serverToken" = {
        sopsFile = "${self}/secrets/kubernetes.yaml";
      };
      "k3s/keys/clientCAKey" = {
        sopsFile = "${self}/secrets/kubernetes.yaml";
        path = "${keyPathBase}/client-ca.key";
      };
      "k3s/keys/requestHeaderCAKey" = {
        sopsFile = "${self}/secrets/kubernetes.yaml";
        path = "${keyPathBase}/request-header-ca.key";
      };
      "k3s/keys/serverCAKey" = {
        sopsFile = "${self}/secrets/kubernetes.yaml";
        path = "${keyPathBase}/server-ca.key";
      };
      "k3s/keys/serviceKey" = {
        sopsFile = "${self}/secrets/kubernetes.yaml";
        path = "${keyPathBase}/service.key";
      };
      "k3s/keys/etcd/peerCAKey" = {
        sopsFile = "${self}/secrets/kubernetes.yaml";
        path = "${keyPathBase}/etcd/peer-ca.key";
      };
      "k3s/keys/etcd/serverCAKey" = {
        sopsFile = "${self}/secrets/kubernetes.yaml";
        path = "${keyPathBase}/etcd/server-ca.key";
      };
    };
  };
 }
--- a/nixos/kubernetes/storage.nix
+++ b/nixos/kubernetes/storage.nix
@ -1,112 +0,0 @@
 {
  lib,
  config,
  ...
 }: {
  options.pim.hasK8sStorageSetup = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };
  config = lib.mkIf config.pim.hasK8sStorageSetup {
    disko.devices = {
      disk = {
        nvme = {
          device = "/dev/nvme0n1";
          type = "disk";
          content = {
            type = "gpt";
            partitions = {
              boot = {
                type = "EF00";
                size = "500M";
                content = {
                  type = "filesystem";
                  format = "vfat";
                  mountpoint = "/boot";
                };
              };
              pv_os = {
                size = "79G";
                content = {
                  type = "lvm_pv";
                  vg = "vg_os";
                };
              };
              pv_nvme_extra = {
                size = "100%";
                content = {
                  type = "lvm_pv";
                  vg = "vg_data";
                };
              };
            };
          };
        };
        sata = {
          device = "/dev/sda";
          type = "disk";
          content = {
            type = "gpt";
            partitions.pv_sata = {
              size = "100%";
              content = {
                type = "lvm_pv";
                vg = "vg_data";
              };
            };
          };
        };
      };
      lvm_vg = {
        vg_os = {
          type = "lvm_vg";
          lvs = {
            root = {
              size = "75G";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
                mountOptions = ["defaults"];
              };
            };
            swap = {
              size = "100%FREE";
              content.type = "swap";
            };
          };
        };
        vg_data = {
          type = "lvm_vg";
          lvs.longhorn = {
            size = "100%FREE";
            content = {
              type = "filesystem";
              format = "xfs";
              mountpoint = "/mnt/longhorn";
            };
          };
        };
      };
    };
  };
 }
--- a/nixos/lanzaboote.nix
+++ b/nixos/lanzaboote.nix
@ -1,41 +0,0 @@
 {
  config,
  lib,
  inputs,
  ...
 }: {
  imports = [
    inputs.lanzaboote.nixosModules.lanzaboote
  ];
  options = {
    pim.lanzaboote.enable = lib.mkEnableOption {
      description = ''
        Whether to enable lanzaboote
      '';
    };
  };
  config = lib.mkIf config.pim.lanzaboote.enable {
    boot = {
      # generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
      # switch from lzb to bootspec by adding following line to the system configuration:
      # bootspec.enable = true;
      loader = {
        systemd-boot.enable = lib.mkForce false;
        # Use lanzaboote instead see below, default is:
        # systemd-boot.enable = true;
        efi = {
          canTouchEfiVariables = true;
        };
      };
      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
    };
  };
 }
--- a/nixos/prometheus.nix
+++ b/nixos/prometheus.nix
@ -1,64 +0,0 @@
 {
  lib,
  config,
  nodes,
  ...
 }: {
  options.pim.prometheus.enable = lib.mkEnableOption "prometheus";
  config = lib.mkIf config.pim.prometheus.enable {
    networking.firewall.allowedTCPPorts = [80];
    services.prometheus = {
      enable = true;
      scrapeConfigs = (
        let
          generated = lib.pipe nodes [
            (lib.filterAttrs (name: node: node.config.services.prometheus.exporters.node.enable))
            (lib.attrsets.mapAttrsToList
              (name: node: {
                job_name = name;
                static_configs = [
                  {
                    targets = ["${node.config.networking.fqdn}:${toString node.config.services.prometheus.exporters.node.port}"];
                  }
                ];
              }))
          ];
          pikvm = {
            job_name = "pikvm";
            metrics_path = "/api/export/prometheus/metrics";
            scheme = "https";
            tls_config.insecure_skip_verify = true;
            # We don't care about security here, it's behind a VPN.
            basic_auth = {
              username = "admin";
              password = "admin";
            };
            static_configs = [
              {
                targets = ["pikvm.dmz"];
              }
            ];
          };
        in
          generated ++ [pikvm]
      );
    };
    services.nginx = {
      enable = true;
      virtualHosts."${config.networking.fqdn}" = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
          recommendedProxySettings = true;
        };
      };
    };
  };
 }
--- a/nixos/server.nix
+++ b/nixos/server.nix
@ -1,67 +0,0 @@
 {
  lib,
  config,
  self,
  ...
 }: {
  options.pim.tailscale.advertiseExitNode = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };
  config = lib.mkIf (builtins.elem "server" config.deployment.tags) {
    networking = {
      firewall.allowedTCPPorts = [config.services.prometheus.exporters.node.port];
      domain = "dmz";
      useDHCP = false;
      nftables.enable = lib.mkDefault true;
      firewall.enable = lib.mkDefault true;
    };
    systemd.network = {
      enable = true;
      networks = {
        "30-main-nic" = {
          matchConfig.Name = "en*";
          networkConfig.DHCP = "yes";
        };
      };
    };
    boot = {
      # Increase this from 128.
      # It seems containerization solutions use this a lot.
      # Then, if exhausted, deployment of sops keys fail.
      kernel.sysctl."fs.inotify.max_user_instances" = 256;
      loader = {
        systemd-boot.enable = true;
        efi.canTouchEfiVariables = true;
      };
    };
    services = {
      openssh.enable = true;
      prometheus.exporters.node.enable = true;
      tailscale = {
        authKeyFile = config.sops.secrets."tailscale/authKey".path;
        useRoutingFeatures = "server";
        openFirewall = true;
        extraUpFlags =
          [
            "--accept-dns=false"
            "--hostname=${config.networking.hostName}"
          ]
          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-exit-node"
          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-routes=192.168.30.0/24";
      };
    };
    sops.secrets."tailscale/authKey" = {
      sopsFile = "${self}/secrets/servers.yaml";
    };
  };
 }
--- a/nixos/ssh.nix
+++ b/nixos/ssh.nix
@ -1,27 +0,0 @@
 {lib, ...}: {
  options = {
    pim.ssh.keys = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
    };
  };
  config = {
    pim.ssh.keys = {
      pim = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"];
      niels = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"];
    };
    services = {
      openssh = {
        openFirewall = true;
        settings = {
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          GSSAPIAuthentication = false;
          UseDns = false;
        };
      };
    };
  };
 }
--- a/nixos/stylix.nix
+++ b/nixos/stylix.nix
@ -1,47 +0,0 @@
 {
  pkgs,
  inputs,
  config,
  lib,
  ...
 }: let
  cfg = config.pim.stylix;
 in {
  imports = [inputs.stylix.nixosModules.stylix];
  options.pim.stylix.enable = lib.mkEnableOption "stylix";
  config = {
    stylix = lib.mkMerge [
      {
        image = "${inputs.nixos-artwork}/wallpapers/nix-wallpaper-binary-blue.png";
      }
      (lib.mkIf cfg.enable {
        enable = true;
        base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark-medium.yaml";
        cursor = {
          package = pkgs.bibata-cursors;
          name = "Bibata-Modern-Classic";
          size = 28;
        };
        fonts = {
          monospace = {
            package = pkgs.nerdfonts.override {fonts = ["JetBrainsMono"];};
            name = "JetBrainsMono Nerd Font Mono";
          };
          sansSerif = {
            package = pkgs.dejavu_fonts;
            name = "DejaVu Sans";
          };
          serif = {
            package = pkgs.dejavu_fonts;
            name = "DejaVu Serif";
          };
        };
      })
    ];
  };
 }
--- a/nixos/tidal.nix
+++ b/nixos/tidal.nix
@ -1,13 +0,0 @@
 {
  lib,
  config,
  ...
 }: let
  cfg = config.pim.tidal;
 in {
  options.pim.tidal.enable = lib.mkEnableOption "tidal";
  config = lib.mkIf cfg.enable {
    users.users.pim.extraGroups = ["audio"];
  };
 }
--- a/nixos/vuescan.nix
+++ b/nixos/vuescan.nix
@ -0,0 +1,60 @@
 { stdenv
 , fetchurl
 , gnutar
 , autoPatchelfHook
 , glibc
 , gtk2
 , xorg
 , libgudev
 , makeDesktopItem
 }:
 let
  pname = "vuescan";
  version = "9.8";
  desktopItem = makeDesktopItem {
    name = "VueScan";
    desktopName = "VueScan";
    genericName = "Scanning Program";
    comment = "Scanning Program";
    icon = "vuescan";
    terminal = false;
    type = "Application";
    startupNotify = true;
    categories = [ "Graphics" "Utility" ];
    keywords = [ "scan" "scanner" ];
    exec = "vuescan";
  };
 in
 stdenv.mkDerivation {
  name = "${pname}-${version}";
  src = fetchurl {
    url = "https://www.hamrick.com/files/vuex6498.tgz";
    hash = "sha256-qTSZuNPCi+G4e7PfnJEDj8rBMYV/Tw/ye3nDspqIPlE=";
  };
  # Stripping breaks the program
  dontStrip = true;
  nativeBuildInputs = [ gnutar autoPatchelfHook ];
  buildInputs = [ glibc gtk2 xorg.libSM libgudev ];
  unpackPhase = ''
    tar xfz $src
  '';
  installPhase = ''
    install -m755 -D VueScan/vuescan $out/bin/vuescan
    mkdir -p $out/share/icons/hicolor/scalable/apps/
    cp VueScan/vuescan.svg $out/share/icons/hicolor/scalable/apps/vuescan.svg
    mkdir -p $out/lib/udev/rules.d/
    cp VueScan/vuescan.rul $out/lib/udev/rules.d/60-vuescan.rules
    mkdir -p $out/share/applications/
    ln -s ${desktopItem}/share/applications/* $out/share/applications
  '';
 }
--- a/nixos/wireguard.nix
+++ b/nixos/wireguard.nix
@ -1,55 +0,0 @@
 {
  lib,
  config,
  ...
 }: let
  cfg = config.pim.wireguard;
 in {
  options.pim.wireguard.enable = lib.mkEnableOption "wireguard";
  config = lib.mkIf cfg.enable {
    networking = {
      useDHCP = lib.mkDefault true;
      networkmanager.unmanaged = ["tailscale0"];
      wg-quick.interfaces = {
        home = {
          privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
          address = ["10.225.191.4/24"];
          dns = ["192.168.30.131"];
          autostart = false;
          mtu = 1412;
          peers = [
            {
              presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
              endpoint = "wg.kun.is:51820";
              publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
              allowedIPs = ["0.0.0.0/0"];
            }
          ];
        };
        home-no-pihole = {
          privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
          address = ["10.225.191.4/24"];
          dns = ["192.168.10.1"];
          autostart = false;
          mtu = 1412;
          peers = [
            {
              presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
              endpoint = "wg.kun.is:51820";
              publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
              allowedIPs = ["0.0.0.0/0"];
            }
          ];
        };
      };
    };
    sops.secrets = {
      "wireguard/home/presharedKey" = {};
      "wireguard/home/privateKey" = {};
    };
  };
 }
--- a/packages.nix
+++ b/packages.nix
@ -1,13 +0,0 @@
 {
  nixpkgs,
  flake-utils,
  treefmt-nix,
  ...
 }:
 flake-utils.lib.eachDefaultSystem (system: let
  pkgs = nixpkgs.legacyPackages.${system};
  treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
  treefmtWrapper = treefmtEval.config.build.wrapper;
 in {
  packages.formatter = treefmtWrapper;
 })
--- a/secrets/README.md
+++ b/secrets/README.md
@ -0,0 +1,3 @@
 ```bash
 nix run github:ryantm/agenix# -- -e secret1.age
 ```
--- a/secrets/ansible-vault-secret.age
+++ b/secrets/ansible-vault-secret.age
--- a/secrets/atlas/colmena.yaml
+++ b/secrets/atlas/colmena.yaml
@ -1,40 +0,0 @@
 sops_nix_keys:
    root: ENC[AES256_GCM,data:T0s44DmC+XgBcXaZ3czEzR3vyjSaYq3k+1NWiVOVqC6GCKIYh5v29R0L7MSStnxfAl3SoDM9rGX4J9aQdzNK0TqEHRgMQxcNsOI=,iv:gbz0I6H7g4VQhto/nIANxRtBNdJ/N0a21i0g99tNoDQ=,tag:0R3FnkiWMc8r7yXGj/yVMg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRc2pvdVk2c0tucStYWUxk
            eWdqSnFHeGcwQ2hTak45THRWbDZFMGZxNnlzCmNkS3RzYkxOWkcrYWlpTWwvQS9w
            QUFNTFJhS29oS091ZTZvcHV2V1BBVVUKLS0tIE5vN1VXNkxtK1J6U1VqazdLWGxB
            WXlHWXlXMUpLTllReUhRaVVNYStHejQK3iUKACJn64LjNnUtfUzdrrOP2cF4Z/O5
            FMVesOAcZObReuEDf7IcdPHxYsG9dQFfwMvodDO0vpqOlMNcNAvYJA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaME5TeDJWLzJOay83THdV
            VTRKRXNiNUYvTndqc1F4NnJXSGV5Zmh6UGdnCldMbmtMbFNvNnhSR3dYUkNQRGZ4
            b1ZTM0h3a1BNMkhoUkdKeEo0ZzBxdXMKLS0tIFJscjFsWWNoMnNXTk1oNitGNE85
            SENiM256UmpTeHBzc2pIcDZvSC9KM2cKPq/kcoypuM9KbeRlIL+C1qmrZWrvjk6j
            UeeKdAnD4ONjaOm2x+u9ZFS7frL20KSdHgixMCSEUvE0Pyi/vdlkeQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByY2lqbXdwV2tDcGg2R0Ji
            NlJFSFl6LzZEWWhERW1xSm1STGJUWFRlZENVCnRBNTNaR0JmaWhZMkVvK204d0pl
            aXpFdUlTZitjVHZCbUhYeDlYN01hdHMKLS0tIHl6SFNUUXArUDV6UzBub09ISGZK
            U09hRXd6cTBDUVcxNDVtYUFINU5Rd2MKO0w21gJKxwBsbKmzt6O/gAgp/Ocz6Hzg
            YADNi3gwdcWQGr36GVhKiZwf8UyYTIui3v1eQLAX5gOh48KKVSJMow==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-01T11:22:03Z"
    mac: ENC[AES256_GCM,data:XvARePc6FEmp+rY39fuBHfWsezUd6zyQdfHzWPBmBb7dRf/A6tr0J7XyUL+Ex+rFnFg+JRbBFIy+fqByDZn8aQyVqOnyCgGKuSNDXcyZ1/KGwxS5PW7N95x0Vo4TJI9JxmedCfxIdQH6Tat1VlyKRgTG2viZ3WFnWwe/UBaX+Ok=,iv:gdAOTRTQPfjDTYDsQJnkIs8maa1D98nFp7gn9QKgQGg=,tag:9Uw9PoOknp8cxsrNZiO/RQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/Show more
+++ b/Show more