Initial release

2025-03-03 23:07:58 -06:00 · 2025-03-03 23:07:58 -06:00 · 8fbb25bbac
commit 8fbb25bbac
53 changed files with 1648 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+result
+*.swp
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
+[submodule "users/lauren_lagarde/home-manager"]
+	path = users/lauren_lagarde/home-manager
+	url = https://git.mlaga97.space/mlaga97/home-manager.git
--- a/apply.sh
+++ b/apply.sh
@ -0,0 +1 @@
+nix build -L .?submodules=1#$HOSTNAME
--- a/build_iso.sh
+++ b/build_iso.sh
@ -0,0 +1 @@
+nix build -L .?submodules=1#packages.x86_64-linux.$1
--- a/clear_secrets.sh
+++ b/clear_secrets.sh
@ -0,0 +1 @@
+rm -rf ./secrets
--- a/example_flake.nix
+++ b/example_flake.nix
@ -0,0 +1,78 @@
+{
+  description = "Lauren's Example Stub Flake";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    home-manager.url = "github:nix-community/home-manager/release-24.05";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixos-generators.url = "github:nix-community/nixos-generators";
+    nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
+
+    # Extras
+    waveforms.url = "github:liff/waveforms-flake";
+  };
+
+  outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, nixos-generators, waveforms, ... }@inputs: let
+    system = "x86_64-linux";
+    timezone = "America/Chicago";
+    locale = "en_US.UTF-8";
+
+    unstable = nixpkgs-unstable.legacyPackages.${system};
+
+    iso_modules = [
+      "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
+      { isoImage.squashfsCompression = "zstd"; }
+    ];
+
+    # Look into: https://git.sr.ht/~magic_rb/dotfiles/tree/master/item/nixos/systems/gooseberry
+    pi_modules = [{ 
+      # Disabling the whole `profiles/base.nix` module, which is responsible
+      # for adding ZFS and a bunch of other unnecessary programs:
+      disabledModules = [
+        "profiles/base.nix"
+      ];
+    }];
+
+    # TODO: Surely a better way, no?
+    inherited_modules = [
+      { time.timeZone = timezone; }
+      home-manager.nixosModules.home-manager
+      waveforms.nixosModule
+    ];
+  in {
+    nixosConfigurations = {
+      ll-nixos-headless = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          ./nixos/systems/ll-nixos-headless.nix
+        ] ++ inherited_modules;
+        specialArgs = { unstable = unstable; };
+      };
+    };
+
+    packages.aarch64-linux = {
+      ll-nixos-headless-pi-sdcard = nixos-generators.nixosGenerate {
+        system = "aarch64-linux";
+        format = "sd-aarch64";
+        modules = pi_modules ++ [
+          ./nixos/systems/ll-nixos-headless.nix
+        ] ++ inherited_modules;
+        specialArgs = { unstable = unstable; };
+      };
+    };
+
+    packages.x86_64-linux = {
+      ll-nixos-headless-iso = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          ./nixos/systems/ll-nixos-headless.nix
+        ] ++ inherited_modules;
+        format = "install-iso";
+        specialArgs = { unstable = unstable; };
+      };
+    };
+  };
+}
--- a/features/base.nix
+++ b/features/base.nix
@ -0,0 +1,45 @@
+{ pkgs, ... }: {
+  users.mutableUsers = false;
+  nixpkgs.config.allowUnfree = true;
+
+  services.smartd.enable = true;
+
+  boot.supportedFilesystems = [ "zfs" "ntfs" ];
+
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  nix.channel.enable = false;
+
+  # TODO: ????
+  networking.wireless.enable = false;
+
+  # Basic Services
+  services.uptimed.enable = true;
+
+  services.openssh.enable = true;
+  services.openssh.settings.PermitRootLogin = "no";
+
+  # Basic Utilities
+  environment.systemPackages = with pkgs; [
+    # Basic Utilities
+    bc pv killall unzip unrar-wrapper unar
+
+    # System Monitoring / TUI QoL Tools
+    btop iotop tmux byobu
+
+    # Security / Cryptography
+    ssss gnupg pwgen qrencode diceware
+
+    # Applications
+    vim_configurable
+
+    # asdf
+    git ffmpeg restic rclone nixos-generators
+    # samba libvirt tinc_pre
+
+    # File Systems
+    nfs-utils cifs-utils exfatprogs
+  ];
+}
--- a/features/br0.nix
+++ b/features/br0.nix
@ -0,0 +1,23 @@
+{ ... }: {
+  networking.useNetworkd = true;
+  systemd.network = {
+    enable = true;
+    netdevs."20-br0".netdevConfig = {
+      Kind = "bridge";
+      Name = "br0";
+    };
+    networks = {
+      "40-br0" = {
+        matchConfig.Name = "br0";
+        bridgeConfig = {};
+        linkConfig = {
+          RequiredForOnline = "routable";
+        };
+        networkConfig = {
+          DHCP = "ipv4";
+          IPv6AcceptRA = true;
+        };
+      };
+    };
+  };
+}
--- a/features/docker.nix
+++ b/features/docker.nix
@ -0,0 +1,3 @@
+{ ... }: {
+  virtualisation.docker.enable = true;
+}
--- a/features/dockge.nix
+++ b/features/dockge.nix
@ -0,0 +1,21 @@
+{ ... }: {
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.oci-containers.containers = {
+    dockge = {
+      image = "louislam/dockge";
+      ports = [
+        "5001:5001"
+      ];
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/opt/stacks/dockge/data:/app/data"
+        "/root/.docker/:/root/.docker"
+        "/opt/stacks:/opt/stacks"
+      ];
+      environment = {
+        DOCKGE_STACKS_DIR = "/opt/stacks";
+      };
+    };
+  };
+
+}
--- a/features/embedded.nix
+++ b/features/embedded.nix
@ -0,0 +1,44 @@
+{ pkgs, unstable, ... }: {
+  nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.segger-jlink.acceptLicense = true;
+
+  # TODO: whygodwhy.jpg
+  nixpkgs.config.permittedInsecurePackages = [ "segger-jlink-qt4-796s" ];
+
+  environment.systemPackages = with pkgs; [
+    unstable.platformio # https://github.com/NixOS/nixpkgs/commit/0ba947ba44fc17c7cc94be2374dbfb939900cecd
+    segger-jlink
+
+    arduino-ide
+    stm32cubemx
+
+    avrdude
+    esptool
+    stlink
+    stlink-gui
+    (kicad-small.override { addons=[kicadAddons.kikit kicadAddons.kikit-library]; })
+    kikit
+    screen
+    prusa-slicer
+    esphome
+    librecad
+    pulseview
+    sigrok-cli
+  ];
+
+  services.udev.packages = with pkgs; [
+    platformio
+    platformio-core
+
+    openocd
+    stlink
+    esptool
+    avrdude
+  ];
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", ATTR{idVendor}="1a86", ATTR{idProduct}=="8010", MODE="0666"
+    SUBSYSTEM=="usb", ATTR{idVendor}="4348", ATTR{idProduct}=="55e0", MODE="0666"
+    SUBSYSTEM=="usb", ATTR{idVendor}="1a86", ATTR{idProduct}=="8012", MODE="0666"
+  '';
+}
--- a/features/factorio.nix
+++ b/features/factorio.nix
@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    (factorio.override {
+      username = "";
+      token = "";
+
+      releaseType = "alpha";
+      version = "1.1.107";
+
+      # nix-prefetch-url "file:///run/media/lauren_lagarde/Lauren%20USB/Applications/factorio/factorio_alpha_x64_1.1.107.tar.xz" --name factorio_alpha_x64-1.1.107.tar.xz
+    })
+  ];
+}
--- a/features/headless.nix
+++ b/features/headless.nix
@ -0,0 +1,67 @@
+{ config, lib, pkgs, callPackage, ... }: {
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Packages
+
+  environment.systemPackages = with pkgs; [
+    # Basic Utilities
+    bc pv killall unzip unrar-wrapper unar
+
+    # System Monitoring / TUI QoL Tools
+    btop iotop tmux byobu
+
+    # Backup Tools
+    restic rclone
+
+    # Networking Utilities
+    dig tinc_pre traceroute wireguard-tools iperf3
+
+    # Security / Cryptography
+    (pass.withExtensions (ext: with ext; [ pass-otp pass-update ]))
+    ssss gnupg pwgen qrencode diceware
+
+    # NixOS Helpers
+    nixos-generators nix-index nix-search-cli
+
+    # Applications
+    vim_configurable
+
+    # File Systems
+    nfs-utils cifs-utils exfatprogs
+
+    # Multimedia Utilities
+    ffmpeg imagemagick
+
+    # Services
+    podman-compose
+
+    units usbutils pciutils
+  ];
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Services
+  # TODO: Split this out further
+
+  services.uptimed.enable = true;
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = lib.mkForce "no";
+      PasswordAuthentication = false;
+    };
+  };
+
+  # TODO: Attempt to use podman
+  virtualisation.docker.enable = true;
+  virtualisation.containers.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = false;
+    defaultNetwork.settings.dns_enabled = true;
+  };
+}
--- a/features/i3.nix
+++ b/features/i3.nix
@ -0,0 +1,71 @@
+{ pkgs, lib, unstable, ... }: {
+
+  hardware.graphics.enable32Bit = true;
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Display Server Config
+
+  services.xserver = {
+    enable = true;
+
+    desktopManager = {
+      xterm.enable = false;
+      gnome.enable = true;
+    };
+
+    windowManager.i3.enable = true;
+  };
+
+  services.displayManager = {
+    defaultSession = "none+i3";
+  };
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Packages
+
+  programs.virt-manager.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    # Polybar
+    siji
+    polybar
+    font-awesome
+    font-awesome_5
+    networkmanagerapplet
+
+    # Apps
+    gnome-terminal
+    chromium
+    qtpass
+    unstable.yt-dlp
+
+    rofi
+    i3status
+    i3lock
+    i3blocks
+    nemo-with-extensions
+    dunst
+    pinentry-qt
+    brightnessctl
+    openscad-unstable
+    shutter
+    pavucontrol
+    arandr
+    blueman
+    sublime-merge
+    libreoffice
+    gparted
+    loupe
+    gthumb
+    vlc
+    mpv
+
+    ledger
+    xorg.xkill
+    sound-juicer
+  ];
+}
--- a/features/intelgpu.nix
+++ b/features/intelgpu.nix
@ -0,0 +1,16 @@
+{ pkgs, ... }: {
+  nixpkgs.config.packageOverrides = pkgs: {
+    intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
+  };
+
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-vaapi-driver
+      libvdpau-va-gl
+    ];
+  };
+
+  environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; };
+}
--- a/features/libvirt.nix
+++ b/features/libvirt.nix
@ -0,0 +1,3 @@
+{ ... }: {
+  virtualisation.libvirtd.enable = true;
+}
--- a/features/nvidia.nix
+++ b/features/nvidia.nix
@ -0,0 +1,36 @@
+# https://community.frame.work/t/egpu-gtx-1060-6gb-working-great-on-nixos-on-the-12th-gen-framework/40919
+{ config, ... }: {
+  # Enable OpenGL
+  hardware.graphics.enable = true;
+
+  # Load nvidia driver for Xorg and Wayland
+  services.xserver.videoDrivers = ["nvidia"];
+
+  hardware.nvidia = {
+    # Modesetting is required.
+    modesetting.enable = true;
+
+    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+    powerManagement.enable = true;
+
+    # Fine-grained power management. Turns off GPU when not in use.
+    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+    powerManagement.finegrained = false;
+
+    # Use the NVidia open source kernel module (not to be confused with the
+    # independent third-party "nouveau" open source driver).
+    # Support is limited to the Turing and later architectures. Full list of
+    # supported GPUs is at:
+    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+    # Only available from driver 515.43.04+
+    # Currently alpha-quality/buggy, so false is currently the recommended setting.
+    open = false;
+
+    # Enable the Nvidia settings menu,
+    # accessible via `nvidia-settings`.
+    nvidiaSettings = true;
+
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+}
--- a/features/persistent_docker.nix
+++ b/features/persistent_docker.nix
@ -0,0 +1,40 @@
+{ pkgs, lib, ... }: {
+  systemd.mounts = [
+    {
+      type = "ext4";
+      options = "rw";
+      what = "/dev/vda";
+      where = "/persistent";
+    }
+  ];
+
+  systemd.automounts = [
+    {
+      wantedBy = [ "multi-user.target" ];
+      where = "/persistent";
+    }
+  ];
+
+  virtualisation.docker.daemon.settings = {
+    data-root = "/persistent/docker-root";
+  };
+
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.oci-containers.containers = {
+    dockge = {
+      image = "louislam/dockge";
+      ports = [
+        "5001:5001"
+      ];
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/persistent/stacks/dockge/data:/app/data"
+        "/root/.docker/:/root/.docker"
+        "/persistent/stacks:/persistent/stacks"
+      ];
+      environment = {
+        DOCKGE_STACKS_DIR = "/persistent/stacks";
+      };
+    };
+  };
+}
--- a/features/printing.nix
+++ b/features/printing.nix
@ -0,0 +1,10 @@
+{ pkgs, ... }: {
+  services.printing.enable = true;
+  services.printing.drivers = with pkgs; [ brlaser hplipWithPlugin ];
+
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    openFirewall = true;
+  };
+}
--- a/features/rtl-sdr.nix
+++ b/features/rtl-sdr.nix
@ -0,0 +1,12 @@
+{ pkgs, unstable, ... }: {
+  hardware.rtl-sdr.enable = true;
+  users.users.lauren_lagarde.extraGroups = [ "plugdev" ];
+
+  services.udev.packages = [ pkgs.rtl-sdr ];
+
+  environment.systemPackages = with pkgs; [
+    gnuradio
+    soapyrtlsdr
+    gqrx
+  ];
+}
--- a/features/stronghold-binary-cache.nix
+++ b/features/stronghold-binary-cache.nix
@ -0,0 +1,13 @@
+{ ... }: {
+  nix.settings = {
+    substituters = [
+      "http://nix-cache.stronghold.mlaga97.space"
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+    ];
+    trusted-public-keys = [
+      "nix-cache.stronghold.mlaga97.space:RR2S/XWXGjACgAeN30qWCgG1wySOyTGtup8Os3yrdQw="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+}
--- a/features/virtualbox.nix
+++ b/features/virtualbox.nix
@ -0,0 +1,10 @@
+{ ... }: {
+  virtualisation.libvirtd.enable = false;
+
+  virtualisation.virtualbox = {
+    host = {
+      enable = true;
+      enableExtensionPack = true;
+    };
+  };
+}
--- a/features/yubikey.nix
+++ b/features/yubikey.nix
@ -0,0 +1,17 @@
+{ pkgs, lib, ... }: {
+  environment.systemPackages = with pkgs; [
+		yubikey-personalization
+  ];
+
+	services.udev.packages = with pkgs; [
+		yubikey-personalization
+  ];
+
+	services.pcscd.enable = true;
+  programs.ssh.startAgent = false;
+
+	programs.gnupg.agent = {
+		enable = true;
+		enableSSHSupport = true;
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,255 @@
+{
+  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v1.11.0",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flakey-profile": {
+      "locked": {
+        "lastModified": 1712898590,
+        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735344290,
+        "narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "613691f285dad87694c2ba1c9e6298d04736292d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-24.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "lix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1729298361,
+        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
+        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
+      }
+    },
+    "lix-module": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "flakey-profile": "flakey-profile",
+        "lix": "lix",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732605668,
+        "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
+        "rev": "f19bd752910bbe3a861c9cad269bd078689d50fe",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/f19bd752910bbe3a861c9cad269bd078689d50fe.tar.gz?rev=f19bd752910bbe3a861c9cad269bd078689d50fe"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"
+      }
+    },
+    "nixlib": {
+      "locked": {
+        "lastModified": 1711241261,
+        "narHash": "sha256-knrTvpl81yGFHIpm1SsLDApe0thFkw1cl3ISAMPmP/0=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "b2a1eeef8c185f6bd27432b053ff09d773244cbc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729472750,
+        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1736241350,
+        "narHash": "sha256-CHd7yhaDigUuJyDeX0SADbTM9FXfiWaeNyY34FL1wQU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8c9fd3e564728e90829ee7dbac6edc972971cd0f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1723175592,
+        "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1735531152,
+        "narHash": "sha256-As8I+ebItDKtboWgDXYZSIjGlKeqiLBvjxsQHUmAf1Q=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3ffbbdbac0566a0977da3d2657b89cbcfe9a173b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1,
+        "narHash": "sha256-QJFvxzBCZHVjWApIe4KaxC3gRd5d1QgDT3xJNetMwVE=",
+        "path": "/nix/store/n9acswl48815yv56dqwszbm2s80rlf7r-nixos-24.05.20240531.805a384/nixos",
+        "type": "path"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "home-manager": "home-manager",
+        "lix-module": "lix-module",
+        "nixos-generators": "nixos-generators",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "waveforms": "waveforms"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "waveforms": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1722915115,
+        "narHash": "sha256-kkH01G1ViT7N/0gNQVcsPMxyrhn+rPFGeGHK3w2Xryo=",
+        "owner": "liff",
+        "repo": "waveforms-flake",
+        "rev": "49ef7864932c4428b628791cd7cfccc694717ee8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "liff",
+        "repo": "waveforms-flake",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,271 @@
+# https://nix.dev/
+# https://github.com/barrucadu/nixfiles/tree/master
+# https://bitbucket.org/bzz/nixos/src/master/configuration.nix
+# https://grahamc.com/blog/erase-your-darlings/
+# https://github.com/Misterio77/nix-starter-configs
+
+## Build System
+# sudo rm -rf /etc/nixos/ && sudo cp ./ /etc/nixos/ && sudo nixos-rebuild switch
+
+## Build Iso
+# nix build -L .#packages.x86_64-linux.ll-nixos-full-iso
+
+## Update Packages
+# nix flake update
+
+## Clean up nix-store
+# nix-store --delete ...
+
+## Encrypted Home Directory
+# https://github.com/nix-community/home-manager/issues/3415
+
+## Declarative Disk Partioning
+# https://github.com/nix-community/disko
+# https://github.com/nix-community/nixos-anywhere-examples/blob/main/configuration.nix
+
+{
+  description = "Lauren's System Flake";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    home-manager.url = "github:nix-community/home-manager/release-24.11";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixos-generators.url = "github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565";
+    nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
+
+    lix-module.url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";
+    lix-module.inputs.nixpkgs.follows = "nixpkgs";
+
+    # Extras
+    waveforms.url = "github:liff/waveforms-flake";
+    disko.url = "github:nix-community/disko/v1.11.0";
+  };
+
+  outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, nixos-generators, disko, waveforms, lix-module, ... }@inputs: let
+    system = "x86_64-linux";
+    timezone = "America/Chicago";
+    locale = "en_US.UTF-8";
+    stateVersion = "24.11";
+
+    unstable = nixpkgs-unstable.legacyPackages.${system};
+
+    iso_modules = [
+      "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
+      { isoImage.squashfsCompression = "zstd"; }
+    ];
+
+    # Look into: https://git.sr.ht/~magic_rb/dotfiles/tree/master/item/nixos/systems/gooseberry
+    pi_modules = [{ 
+      # Disabling the whole `profiles/base.nix` module, which is responsible
+      # for adding ZFS and a bunch of other unnecessary programs:
+      disabledModules = [
+        "profiles/base.nix"
+      ];
+
+      # Allows for remote deployment via
+      # nixos-rebuild -L switch --flake .?submodules=1#HOSTNAME --target-host USER@HOSTNAME
+      nix.settings.require-sigs = false;
+    }];
+
+    # TODO: Surely a better way, no?
+    inherited_modules = [
+      {
+        time.timeZone = timezone;
+        system.stateVersion = stateVersion;
+      }
+      lix-module.nixosModules.default
+      home-manager.nixosModules.home-manager
+      waveforms.nixosModule
+      disko.nixosModules.default
+    ];
+  in {
+    nixosConfigurations = {
+      ll-nixos-headless = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = "ll-nixos-headless"; }
+          ./systems/ll-nixos-headless.nix
+        ] ++ inherited_modules;
+        specialArgs = { unstable = unstable; };
+      };
+
+      ll-nixos = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = "ll-nixos"; }
+          ./systems/ll-nixos-full.nix
+        ] ++ inherited_modules;
+        specialArgs = { unstable = unstable; };
+      };
+
+      ll-latitude-e5591 = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          {
+            networking.hostName = "ll-latitude-e5591";
+            networking.hostId = "f55542ee";
+          }
+          ./systems/ll-latitude-e5591.nix
+        ] ++ inherited_modules;
+        specialArgs = { unstable = unstable; };
+      };
+
+      ll-nixos-headless-pi = nixpkgs.lib.nixosSystem {
+        system = "aarch64-linux";
+        modules = pi_modules ++ [
+          {
+            networking.hostName = "ll-nixos-headless-pi";
+
+            boot.loader.grub.enable = false;
+            boot.loader.generic-extlinux-compatible.enable = true;
+
+            fileSystems = {
+              "/" = {
+                device = "/dev/disk/by-label/NIXOS_SD";
+                fsType = "ext4";
+              };
+
+              "/boot/firmware" = {
+                device = "/dev/disk/by-label/FIRMWARE";
+                fsType = "vfat";
+              };
+            };
+          }
+          ./systems/ll-nixos-headless.nix
+        ] ++ inherited_modules;
+        specialArgs = { unstable = unstable; };
+      };
+
+      # Real Systems
+      bastion-in-training = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [ ./systems/bastion/bastion-in-training.nix ] ++ inherited_modules;
+      };
+      bastion = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [ ./systems/bastion/bastion-actual.nix ] ++ inherited_modules;
+      };
+
+      stronghold = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          {
+            networking.hostName = "stronghold";
+            networking.hostId = "c581a1cd";
+          }
+          ./systems/vm-docker-base.nix
+        ] ++ inherited_modules;
+      };
+    };
+
+    packages.aarch64-linux = {
+      ll-nixos-headless-pi-sdcard = nixos-generators.nixosGenerate {
+        system = "aarch64-linux";
+        format = "sd-aarch64";
+        modules = pi_modules ++ [
+          { networking.hostName = "ll-nixos-headless-pi"; }
+          ./systems/ll-nixos-headless.nix
+        ] ++ inherited_modules;
+        specialArgs = { unstable = unstable; };
+      };
+
+      token-pi-sdcard = nixos-generators.nixosGenerate {
+        system = "aarch64-linux";
+        format = "sd-aarch64";
+        modules = pi_modules ++ [
+          { networking.hostName = "token-pi"; }
+          ./systems/ll-nixos-headless.nix
+        ] ++ inherited_modules;
+        specialArgs = { unstable = unstable; };
+      };
+    };
+
+    packages.x86_64-linux = {
+
+      ##########################################################################
+      ##########################################################################
+      ##########################################################################
+      # Personal Live Disks
+
+      ll-nixos-headless-iso = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = "ll-nixos-headless"; }
+          ./systems/ll-nixos-headless.nix
+        ] ++ inherited_modules;
+        format = "install-iso";
+        specialArgs = { unstable = unstable; };
+      };
+
+      ll-nixos-base-iso = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = "ll-nixos-base"; }
+          ./systems/ll-nixos-base.nix
+        ] ++ inherited_modules;
+        format = "install-iso";
+        specialArgs = { unstable = unstable; };
+      };
+
+      ll-nixos-full-iso = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = "ll-nixos"; }
+          ./systems/ll-nixos-full.nix
+        ] ++ inherited_modules;
+        format = "install-iso";
+        specialArgs = { unstable = unstable; };
+      };
+
+      ll-latitude-e5591-iso = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = "ll-latitude-e5591"; }
+          ./systems/ll-latitude-e5591.nix
+        ] ++ inherited_modules;
+        format = "install-iso";
+        specialArgs = { unstable = unstable; };
+      };
+
+      ##########################################################################
+      ##########################################################################
+      ##########################################################################
+      # Systems
+
+      ll-nixos-factorio-iso = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = "ll-nixos-factorio"; }
+          ./systems/ll-nixos-factorio.nix
+        ] ++ inherited_modules;
+        format = "install-iso";
+        specialArgs = { unstable = unstable; };
+      };
+
+      vm-docker-dhcp-iso = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = ""; }
+          ./systems/vm-docker-dhcp.nix
+        ] ++ inherited_modules;
+        format = "install-iso";
+        specialArgs = { unstable = unstable; };
+      };
+
+      living-room-nixos-iso = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = iso_modules ++ [
+          { networking.hostName = "living-room-nixos-iso"; }
+          ./systems/ll-nixos-full.nix
+        ] ++ inherited_modules;
+        format = "install-iso";
+        specialArgs = { unstable = unstable; };
+      };
+
+      default = self.packages.x86_64-linux.ll-nixos-full-iso;
+    };
+  };
+}
--- a/pop_secrets.sh
+++ b/pop_secrets.sh
@ -0,0 +1 @@
+cat secrets.tar.zst.gpg | gpg -d | tar --zstd -xv
--- a/push_secrets.sh
+++ b/push_secrets.sh
@ -0,0 +1 @@
+tar -c secrets/ | zstd | gpg --encrypt --compress-algo none --recipient mlaga97@gmail.com > secrets.tar.zst.gpg
--- a/secrets.tar.zst.gpg
+++ b/secrets.tar.zst.gpg
--- a/systems/bastion/bastion-actual.nix
+++ b/systems/bastion/bastion-actual.nix
@ -0,0 +1,117 @@
+{ pkgs, ... }: {
+  networking.hostName = "bastion";
+  networking.hostId = "0d13f99b";
+
+  # WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
+  # https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
+  # https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network
+
+  imports = [
+    ./bastion_base.nix
+
+    ../../features/intelgpu.nix
+    ../../tweaks/powersave.nix
+  ];
+
+  boot.loader.grub.mirroredBoots = [
+    {
+      devices = [ "nodev" ];
+      path = "/boot0";
+    }
+    {
+      devices = [ "nodev" ];
+      path = "/boot1";
+    }
+  ];
+
+  fileSystems = {
+    "/boot0" = {
+      device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
+      fsType = "vfat";
+      options = [ "nofail" ];
+    };
+    "/boot1" = {
+      device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
+      fsType = "vfat";
+      options = [ "nofail" ];
+    };
+
+    "/exports/Frigate" = {
+      device = "bastion-frigate";
+      fsType = "zfs";
+    };
+    "/exports/MyBook" = {
+      device = "MyBook/root";
+      fsType = "zfs";
+      options = [ "nofail" ];
+    };
+  };
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Networking
+
+  systemd.network.networks = {
+    "30-eno1" = {
+      matchConfig.Name = "eno1";
+      networkConfig.Bridge = "br0";
+      linkConfig.RequiredForOnline = "enslaved";
+    };
+    "30-enp0s20f0u8" = {
+      matchConfig.Name = "enp0s20f0u8";
+      networkConfig.Bridge = "br0";
+      linkConfig.RequiredForOnline = "enslaved";
+    };
+
+    "90-tinc" = {
+      matchConfig.Name = "tinc.mlaga97spa";
+      address = [ "10.86.84.105/32" ];
+      routes = [ { Destination = "10.86.84.0/24"; } ];
+    };
+  };
+
+  services.tinc.networks.mlaga97space = {
+    name = "bastion";
+    ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
+
+    chroot = false;
+    settings.ConnectTo = [ "fortress" "citadel" ];
+  };
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Services
+
+  hardware.coral.pcie.enable = true;
+
+  services.apcupsd = {
+    enable = true;
+    configText = ''
+      UPSTYPE usb
+      NISIP 0.0.0.0
+      BATTERYLEVEL 5
+      MINUTES 3
+    '';
+  };
+
+  # TODO: Put scripts into version control
+  services.cron = {
+    enable = true;
+    mailto = "";
+    systemCronJobs = [
+
+      # Sync Restic from Archive to MyBook daily at 0600
+      "0 6 * * *  root  /home/lauren_lagarde/bin/SyncRestic > /dev/null"
+
+      # Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
+      "*/10 * * * *  root  /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"
+
+      # Grab a still photo from all cameras once per minute
+      "* * * * *  root  /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"
+
+      # TODO: Automatically Collate Camera Images Monthly
+    ];
+  };
+}
--- a/systems/bastion/bastion-in-training.nix
+++ b/systems/bastion/bastion-in-training.nix
@ -0,0 +1,43 @@
+{ ... }: {
+  networking.hostName = "bastion-in-training";
+  networking.hostId = "c3e44236";
+
+  imports = [
+    ./bastion_base.nix
+  ];
+
+  boot.zfs.devNodes = "/dev/vda2";
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+
+  boot.loader.grub.mirroredBoots = [
+    {
+      devices = [ "nodev" ];
+      path = "/boot0";
+    }
+    {
+      devices = [ "nodev" ];
+      path = "/boot1";
+    }
+  ];
+
+  fileSystems = {
+    "/boot0" = {
+      device = "/dev/vda1";
+      fsType = "vfat";
+      options = [ "nofail" ];
+    };
+    "/boot1" = {
+      device = "/dev/vdb1";
+      fsType = "vfat";
+      options = [ "nofail" ];
+    };
+  };
+
+  systemd.network.networks = {
+    "30-enp1s0" = {
+      matchConfig.Name = "enp1s0";
+      networkConfig.Bridge = "br0";
+      linkConfig.RequiredForOnline = "enslaved";
+    };
+  };
+}
--- a/systems/bastion/bastion_base.nix
+++ b/systems/bastion/bastion_base.nix
@ -0,0 +1,127 @@
+{ pkgs, ... }: {
+  imports = [
+    # Base Config
+    ../../features/base.nix
+    ../../features/headless.nix
+
+    # Features
+    ../../features/br0.nix
+    ../../features/dockge.nix
+    ../../features/docker.nix
+    ../../features/libvirt.nix
+
+    # Tweaks
+    ../../tweaks/zfs.nix
+    ../../tweaks/zram.nix
+    ../../tweaks/disable_firewall.nix
+    ../../tweaks/systemd-resolved_nonsense.nix
+
+    # Dotspace
+    ../../secrets/dotspace.nix
+
+    # Users
+    ../../users/lauren_lagarde/lauren_lagarde.nix
+    ../../users/ashley_funkhouser/ashley_funkhouser.nix
+  ];
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Bootloader / Kernel
+
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub = {
+    enable = true;
+    zfsSupport = true;
+    efiSupport = true;
+  };
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Local Filesystems
+
+  fileSystems = {
+    "/" = {
+      device = "bastion-root/root";
+      fsType = "zfs";
+    };
+  };
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Services
+
+  services.cron = {
+    enable = true;
+    mailto = "";
+    systemCronJobs = [
+      "* * * * *	lauren_lagarde		/home/lauren_lagarde/bin/PublishStats > /dev/null"
+    ];
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      Frigate = {
+        path = "/exports/Frigate";
+        comment = "NVR Local Storage";
+        writable = "yes";
+        browseable = "yes";
+
+        "force user" = "nobody";
+        "force group" = "users";
+
+        "create mask" = "775";
+        "force create mode" = "775";
+        "security mask" = "775";
+        "force security mode" = "775";
+
+        "directory mask" = "2775";
+        "force directory mode" = "2775";
+        "directory security mask" = "2775";
+        "force directory security mode" = "2775";
+      };
+
+      MyBook = {
+        path = "/exports/MyBook";
+        comment = "External Storage";
+        writable = "yes";
+        browseable = "yes";
+
+        "force user" = "nobody";
+        "force group" = "users";
+
+        "create mask" = "775";
+        "force create mode" = "775";
+        "security mask" = "775";
+        "force security mode" = "775";
+
+        "directory mask" = "2775";
+        "force directory mode" = "2775";
+        "directory security mask" = "2775";
+        "force directory security mode" = "2775";
+      };
+    };
+  };
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # System Users
+
+  users.users = {
+    bastion = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      initialHashedPassword = "$y$j9T$WThHVbTQdHbv4mI0m4EjK/$LA.4Uf95jD/rJpLVf0kbfH0wFBj4FHCimV6xiDfLOD/";
+    };
+    dotspace = {
+      isNormalUser = true;
+      shell = pkgs.shadow;
+      initialHashedPassword = "$y$j9T$cH1b/0aafCTaHyWigarb70$bS6WFrbYV4xUZwVtqDCepydOhEol1DqmokBfkGmvRcA";
+    };
+  };
+}
--- a/systems/living-room-nixos.nix
+++ b/systems/living-room-nixos.nix
@ -0,0 +1,14 @@
+{ ... }: {
+  imports = [
+    ../ll-nixos-full.nix
+  ];
+
+  # Fix issue with HDMI passthrough
+  home-manager.users.lauren_lagarde = {
+    xsession.windowManager.i3 = {
+      config.startup = [
+        { command = "xrandr --output HDMI-1 --mode 1920x1080 --rate 60 --primary"; }
+      ];
+    };
+  };
+}
--- a/systems/ll-latitude-e5591.nix
+++ b/systems/ll-latitude-e5591.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }: {
+  imports = [
+    ./ll-nixos-full.nix
+    ../features/intelgpu.nix
+  ];
+
+  hardware.enableRedistributableFirmware = true;
+
+  boot.kernelParams = [
+    "i915.enable_guc=2"
+  ];
+}
--- a/systems/ll-nixos-base.nix
+++ b/systems/ll-nixos-base.nix
@ -0,0 +1,22 @@
+{ ... }: {
+  imports = [
+    ./ll-nixos-headless.nix
+
+    # i3wm
+    ../features/i3.nix
+    ../features/yubikey.nix
+    ../tweaks/bluetooth.nix
+    ../tweaks/intel_igpu_screen_tearing.nix
+
+    # Lauren
+    ../users/lauren_lagarde/i3.nix
+    ../users/lauren_lagarde/autologin.nix
+  ];
+
+  home-manager.users.lauren_lagarde = {
+    imports = [
+      ../users/lauren_lagarde/home-manager/monitor_configs.nix
+      ../users/lauren_lagarde/home-manager/secrets/dotspace_gui.nix
+    ];
+  };
+}
--- a/systems/ll-nixos-factorio.nix
+++ b/systems/ll-nixos-factorio.nix
@ -0,0 +1,8 @@
+{ ... }: {
+  imports = [
+    ./ll-nixos-base.nix
+
+    # Additional Features
+    ../features/factorio.nix
+  ];
+}
--- a/systems/ll-nixos-full.nix
+++ b/systems/ll-nixos-full.nix
@ -0,0 +1,11 @@
+{ ... }: {
+  imports = [
+    ./ll-nixos-base.nix
+
+    # Additional Features
+    ../features/rtl-sdr.nix
+    ../features/printing.nix
+    ../features/embedded.nix
+    ../features/virtualbox.nix
+  ];
+}
--- a/systems/ll-nixos-headless.nix
+++ b/systems/ll-nixos-headless.nix
@ -0,0 +1,28 @@
+{ ... }: {
+  imports = [
+    # Core
+    ../features/base.nix
+    ../tweaks/zram.nix
+    ../tweaks/disable_nixos_user.nix
+    ../tweaks/systemd-resolved_nonsense.nix
+
+    # Headless
+    ../features/headless.nix
+    ../tweaks/zfs.nix
+
+    # Lauren
+    ../users/lauren_lagarde/lauren_lagarde.nix
+    {
+      home-manager.users.lauren_lagarde = {
+        imports = [
+          ../users/lauren_lagarde/home-manager/lauren_lagarde.nix
+        ];
+      };
+    }
+
+    # Dotspace
+    ../features/stronghold-binary-cache.nix
+    ../secrets/dotspace.nix
+    ../users/lauren_lagarde/dotspace.nix
+  ];
+}
--- a/systems/vm-docker-base.nix
+++ b/systems/vm-docker-base.nix
@ -0,0 +1,78 @@
+# cd; rm nixos-config; tar -xvf /Parlor/Lauren/nixos-config.tar.zst; cd nixos-config/nixos/; sudo nix run 'github:nix-community/disko/latest#disko-install' -- --flake .#TARGET_HOSTNAME --disk vda /dev/vda
+{ ... }: {
+  imports = [
+    ./ll-nixos-headless.nix
+
+    ../features/docker.nix
+    ../features/dockge.nix
+
+    ../tweaks/disable_firewall.nix
+  ];
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Bootloader / Kernel
+
+  # UEFI Boot
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot.enable = true;
+
+  # Libvirt Guest Kernel Modules
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Disk Layout
+
+  # https://github.com/nix-community/disko/issues/528
+  disko.devices = {
+    disk = {
+      vda = {
+        type = "disk";
+        device = "/dev/vda";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            primary = {
+              size = "100%";
+              content = {
+                type = "lvm_pv";
+                vg = "pool";
+              };
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/systems/vm-docker-dhcp.nix
+++ b/systems/vm-docker-dhcp.nix
@ -0,0 +1,9 @@
+{ ... }: {
+  imports = [
+    ./ll-nixos-headless.nix
+
+    # Additional Features
+    ../features/persistent_docker.nix
+    ../tweaks/disable-firewall.nix
+  ];
+}
--- a/tweaks/bluetooth.nix
+++ b/tweaks/bluetooth.nix
@ -0,0 +1,25 @@
+{ pkgs, lib, ... }: {
+  hardware.enableRedistributableFirmware = true;
+
+  services.blueman.enable = true;
+
+  hardware.bluetooth = {
+    enable = true;
+    settings.General = {
+      Enable = "Source,Sink,Media,Socket";
+      Experimental = true;
+    };
+  };
+
+  # PipeWire appears to have marginally less shitty bluetooth support
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    audio.enable = true;
+    pulse.enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    jack.enable = true;
+  };
+}
--- a/tweaks/disable_firewall.nix
+++ b/tweaks/disable_firewall.nix
@ -0,0 +1,3 @@
+{ ... }: {
+  networking.firewall.enable = false;
+}
--- a/tweaks/disable_nixos_user.nix
+++ b/tweaks/disable_nixos_user.nix
@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }: {
+  services.getty.autologinUser = lib.mkForce null;
+
+  users.groups.nixos = {};
+  users.users.nixos.group = "nixos";
+  users.users.nixos.isSystemUser = lib.mkForce true;
+  users.users.nixos.isNormalUser = lib.mkForce false;
+  users.users.nixos.initialHashedPassword = lib.mkForce "!";
+
+  # Disable root as well
+  users.users.root.initialHashedPassword = lib.mkForce "!";
+}
--- a/tweaks/intel_igpu_screen_tearing.nix
+++ b/tweaks/intel_igpu_screen_tearing.nix
@ -0,0 +1,6 @@
+{ ... }: {
+  # Fix screen tearing on Intel iGPU
+  # TODO: I think this is still broken
+  services.picom.enable = true;
+  services.picom.vSync = true;
+}
--- a/tweaks/powersave.nix
+++ b/tweaks/powersave.nix
@ -0,0 +1,3 @@
+{ ... }: {
+  powerManagement.cpuFreqGovernor = "powersave";
+}
--- a/tweaks/systemd-resolved_nonsense.nix
+++ b/tweaks/systemd-resolved_nonsense.nix
@ -0,0 +1,4 @@
+{ ... }: {
+  # I...this is dumb...
+  services.resolved.extraConfig = "ResolveUnicastSingleLabel=yes";
+}
--- a/tweaks/zfs.nix
+++ b/tweaks/zfs.nix
@ -0,0 +1,16 @@
+{ config, ... }: {
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.devNodes = "/dev/disk/by-id/";
+
+  services.zfs.autoScrub.enable = true;
+  services.zfs.autoScrub.interval = "weekly";
+
+  boot.extraModprobeConfig = ''
+    # Under low-write conditions, wait up to 30 seconds before committing data to disk
+    options zfs zfs_txg_timeout=30
+
+    # Stupid silent data corruption bug (https://github.com/openzfs/zfs/issues/15933)
+    options zfs zfs_bclone_enabled=0
+    options zfs zfs_dmu_offset_next_sync=0
+  '';
+}
--- a/tweaks/zram.nix
+++ b/tweaks/zram.nix
@ -0,0 +1,7 @@
+{ ... }: {
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    memoryPercent = 200;
+  };
+}
--- a/users/ashley_funkhouser/ashley_funkhouser.nix
+++ b/users/ashley_funkhouser/ashley_funkhouser.nix
@ -0,0 +1,11 @@
+{ ... }: {
+  users.users.ashley_funkhouser = {
+    isNormalUser = true;
+    description = "Ashley Funkhouser";
+    extraGroups = [ "wheel" "libvirtd" ];
+    initialHashedPassword = "$y$j9T$b.JgT15KeFXOjWQ0gJ7Ae0$n1KSyoAa8E.zI.4WZ6ze.Sk0RqXayZRrZK2319C77W/";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwgQE831tqVEbb5bhLH9XkhmiIxTJ4YlL0Yjha2MJ0uoXfC7y+twp2fJB0FjmXvrU5li2mAes5DVakq0RqG5MtkbGSFN9/lJPuis+k6OzTTihe3PGTkRqaC6JWAs5Db7yHlaq0a+qLpniXPH/9/W/IqjRB67EPvfPkZ7VefjeEkJ1aPSoobws8DJUGum5PAg1oLTGwgirGMSlpWNOCxt8h3dynjrRLbUG4afU/FvbQDy27J0ODIN5CPDj8ZiTgz1s0KsA702dXz8UiioDp8ES9gOOfLqye50lga3UuK47jNJXelwmIAvCdPj1LKpy4HvmdIH8F4CsCqwkzbF1/s55quWvf/olhcWofayKcjP6Vbs8k3M6cshjcXPKBbr2FnpznHZCPSDq0Htk6a/YfFGh3Jy96x5PJW29deKJ9pjEvTufWDBhU6Uqd/80QGpGg/VBNiMot5qPrcdKM3kN7aPxU1mlbF9ICG/T0E7mSGEQHYqKd2LGfbielvobE/pdPbErjTRzl9KeqYiN9NA8Um5r8KDj8w/E9oF6DMpqulFA9fdMYtMTeEVPXxt6c7S1+VzOkfSbRt/p5Ql5FF294f6lvN01gbbJrGrfAstXmyPKGmJ/OSYrTEX7hhpaDJytW9KgzAebdkP2C5CQnwyJHaTDr1dEDSieoB0JgRFMWuvBNUQ== ajfunk27@gmail.com"
+    ];
+  };
+}
--- a/users/lauren_lagarde/autologin.nix
+++ b/users/lauren_lagarde/autologin.nix
@ -0,0 +1,6 @@
+{ ... }: {
+  services.displayManager = {
+    autoLogin.enable = true;
+    autoLogin.user = "lauren_lagarde";
+  };
+}
--- a/users/lauren_lagarde/dotspace.nix
+++ b/users/lauren_lagarde/dotspace.nix
@ -0,0 +1,7 @@
+{ pkgs, unstable, ... }: {
+  home-manager.users.lauren_lagarde = {
+    imports = [
+      ./home-manager/secrets/dotspace.nix
+    ];
+  };
+}
--- a/users/lauren_lagarde/home-manager
+++ b/users/lauren_lagarde/home-manager
@ -0,0 +1 @@
+Subproject commit 97cde8a8e73f1623a390397b060e5e4b7ffa61ba
--- a/users/lauren_lagarde/i3.nix
+++ b/users/lauren_lagarde/i3.nix
@ -0,0 +1,9 @@
+{ home-manager, unstable, ... }: {
+  home-manager.extraSpecialArgs = {
+    inherit unstable;
+  };
+
+  home-manager.users.lauren_lagarde.imports = [
+    ./home-manager/i3.nix
+  ];
+}
--- a/users/lauren_lagarde/lauren_lagarde.nix
+++ b/users/lauren_lagarde/lauren_lagarde.nix
@ -0,0 +1,11 @@
+{ pkgs, ... }: {
+  users.users.lauren_lagarde = {
+    isNormalUser = true;
+    description = "Lauren Lagarde";
+    extraGroups = [ "docker" "wheel" "libvirtd" "disks" ];
+    initialHashedPassword = "$y$j9T$KqTFvSj9TYmRXugVbiSgj.$RbvxcGlY/DbLFioa64ntY5RO4Ym0CMswhegeQj5qHyD";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCl881A1gvgCx+4ECrmJnO2QCTiqjaOLfAegKAAkvWNFKL0rDfsj8tZULUcyn87HYsRrdmqCOQ62GOjQyK803azq7QTxwY4vjczkJxico4LnIToTobcz+JkgF6Rf/h74bs9dHk4ZU853FRBz3wi/14rI10Iwckt37B1ayJacpELuzFobKYip2FjiL1vNH3tiAFR131z+YBByvNX+uJYEhpsI0xry9zbsSUWUq5/YFpmjezblzYRokfsReYiKJeQBeROSeRC/xFBSnikECSylNI4sw5VIpGXFIxL5xhss+s+3dnb+LFQ+zInOYxkVRydYc/In9Wz6Tu7v07K8bjvE7nQwHenoGtRW590Xu0rJApS+k8Cu16sCO2QFj/aI+gCrhU0ymM0aicr0hFAME6Y7j9HcR6PxYxnXZjI7cfqhO5TG8jot25SPzJcvH3EV5oPKtAkw9XA+8+nAI9czFlUgHnuMJAqw1IGOD3qozwqZ5yn1+kG7FZJRpvaPc5pK2HtqaAKJmnRuVaWcFuNALh86gr7Qn8IEp8Q+YyKmDqrMZ4KLJUMnVqn4y0HVS1eB5nVujaJZUGJWA4q3og0FE/2kH74WEp2ZtuJAoEPcgfZ6Ns7BmmXIZU7qu4kQoQ73b3mn6hCi5xlQ/sClzwHYkRPo4tST64ED/UIRPCYe1byNUWSww== lauren@lagarde.dev"
+    ];
+  };
+}
				`@ -0,0 +1 @@`
				`nix build -L .?submodules=1#packages.x86_64-linux.$1`
				`@ -0,0 +1 @@`
				`cat secrets.tar.zst.gpg \| gpg -d \| tar --zstd -xv`
				`@ -0,0 +1 @@`
				`tar -c secrets/ \| zstd \| gpg --encrypt --compress-algo none --recipient mlaga97@gmail.com > secrets.tar.zst.gpg`
				`@ -0,0 +1 @@`
				`Subproject commit 97cde8a8e73f1623a390397b060e5e4b7ffa61ba`