more more fixes

aa
disable zfsFix
2021-06-28 14:11:15 +07:00 · 2021-06-28 13:45:07 +07:00 · 2021-06-28 13:31:18 +07:00 · 2021-06-28 11:05:28 +07:00 · 2021-06-28 10:53:51 +07:00 · 2021-06-28 09:36:05 +07:00
217 changed files with 14236 additions and 6799 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -1,4 +0,0 @@
-# Do not edit this file.  To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
-*.gpg binary
--- a/.git-crypt/keys/default/0/059F098EBF0E9A13E10A46BF6500251E087653C9.gpg
+++ b/.git-crypt/keys/default/0/059F098EBF0E9A13E10A46BF6500251E087653C9.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -1 +0,0 @@
-secrets.gcrypt/** filter=git-crypt diff=git-crypt
--- a/.github/screenshots/desktop.png
+++ b/.github/screenshots/desktop.png
--- a/.github/screenshots/neovim.png
+++ b/.github/screenshots/neovim.png
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@ -1,50 +0,0 @@
-name: Auto update
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * *"
-
-jobs:
-  update:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.PAT_TOKEN }}
-
-      - name: Check for updates
-        id: check
-        run: |
-          local=$(cat flake.lock | jq ".nodes.nixpkgs.locked.rev")
-          remote=$(curl "https://api.github.com/repos/NixOS/nixpkgs/branches/nixos-unstable/commits?per_page=1" | jq ".commit.sha")
-          if [[ $local == $remote ]]; then
-            echo "skip=1" >> "$GITHUB_OUTPUT"
-          else
-            echo "skip=0" >> "$GITHUB_OUTPUT"
-            branch=$(TZ='Australia/Melbourne' date '+staging_auto/%Y%m%d')
-            echo "branch_name=${branch}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Install nix
-        if: steps.check.outputs.skip == 0
-        uses: cachix/install-nix-action@v31
-
-      - name: Configure git
-        if: steps.check.outputs.skip == 0
-        run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-
-      - name: Update
-        if: steps.check.outputs.skip == 0
-        run: ./update.sh
-
-      - name: Push
-        if: steps.check.outputs.skip == 0
-        uses: ad-m/github-push-action@master
-        with:
-          github_token: ${{ secrets.PAT_TOKEN }}
-          branch: ${{ steps.check.outputs.branch_name }}
--- a/.github/workflows/cachix.yml
+++ b/.github/workflows/cachix.yml
@ -1,28 +1,58 @@
-name: CI
+name: Cachix build

 on:
  push:
  workflow_dispatch:

 jobs:
-  build:
-    name: Build linux-lava for x86_64-linux
+  linux:
+    name: Build Linux
    runs-on: ubuntu-latest
    steps:
-      # credits to https://github.com/easimon/maximize-build-space/issues/45
-      - name: Remove unneeded packages to maximise build space
-        shell: bash
-        run: |
-            df -h
-            sudo rm -rf /usr/share/dotnet
-            sudo rm -rf /usr/local/lib/android
-            df -h
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v2.3.4
+      - uses: cachix/install-nix-action@v13
        with:
-          fetch-depth: 0
-      - uses: cachix/install-nix-action@v31
-      - uses: cachix/cachix-action@v16
+          install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-3.0pre20201007_5257a25/install
+          extra_nix_config: experimental-features = nix-command flakes
+      - uses: cachix/cachix-action@v10
        with:
          name: lava
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - run: nix build -L .#linux-lava
+      - run: nix build -L .#linux_lava
+
+  linux_tkg:
+    name: Build Linux-tkg
+    runs-on: ubuntu-latest
+    strategy:
+        matrix:
+            kernelVersion: ["54", "510", "512"]
+            sched: [bmq, cfs, cacule, muqss, pds]
+            include:
+              - kernelVersion: "510"
+                sched: upds
+    steps:
+      - uses: actions/checkout@v2.3.4
+      - uses: cachix/install-nix-action@v13
+        with:
+          install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-3.0pre20201007_5257a25/install
+          extra_nix_config: experimental-features = nix-command flakes
+      - uses: cachix/cachix-action@v10
+        with:
+          name: lava
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - run: nix build -L .#linux_tkg-${{ matrix.sched }}-${{ matrix.kernelVersion }}
+
+  wine:
+    name: Build Wine
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.4
+      - uses: cachix/install-nix-action@v13
+        with:
+          install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-3.0pre20201007_5257a25/install
+          extra_nix_config: experimental-features = nix-command flakes
+      - uses: cachix/cachix-action@v10
+        with:
+          name: lava
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - run: nix build -L .#wine-osu
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@ -1,31 +0,0 @@
-name: Build images
-
-on:
-  workflow_dispatch:
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    name: Build caramel-img
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - uses: dbhi/qus/action@main
-        with:
-          targets: arm aarch64
-      - uses: cachix/install-nix-action@v17
-        with:
-          install_url: https://github.com/numtide/nix-unstable-installer/releases/download/nix-2.12.0pre20220930_89ca75c/install
-          extra_nix_config: |
-            extra-platforms = aarch64-linux arm-linux
-            experimental-features = nix-command flakes
-      - uses: cachix/cachix-action@v10
-        with:
-          name: lava
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - run: nix build -L .#packages.aarch64-linux.caramel-img
-      - uses: actions/upload-artifact@v3
-        with:
-          name: caramel-sd-image
-          path: result/sd-image/*
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
-result
--- a/README.md
+++ b/README.md
@ -1,31 +0,0 @@
-# flakes
-My NixOS config!
-
-![Desktop](.github/screenshots/desktop.png?raw=true)
-![Neovim](.github/screenshots/neovim.png?raw=true)
-
-## Usage
-I recommend more that you only simply look at the modules as inspiration for your own config. Some of them
-may or may not work on your machine if copied directly (but theoretically they should).
-
-But if you insist, just copy-paste one of the hosts in `hosts/`, one of the users in `users/`, and modify them
-to your liking. Open up `flake.nix`, add your new host config at the bottom, and then build it!
-
-## Hosts
-| Name      | Description |
-| -------   | ----------- |
-| hyacinth  | Main Desktop PC |
-| anemone   | Main Laptop |
-| caramel   | Raspberry Pi 400, stateless |
-| dandelion | ARM OCI VPS, stateless |
-
-## Users
-| Name | Description |
-| ---- | ----------- |
-| rin  | Main user for general usage |
-| hana | Lightweight user intended for inspecting stateless hosts |
-
-## License
-Licensed under CC0
-
-Credit is appreciated but not necessary
--- a/containers/amethyst/configuration.nix
+++ b/containers/amethyst/configuration.nix
@ -1,47 +0,0 @@
-{ lib, pkgs, ... }: {
-  system.stateVersion = "23.11";
-  systemd.tmpfiles.rules = [
-    "d /persist/transmission 755 transmission transmission"
-    "d /persist/transmission/.config/transmission-daemon 750 transmission transmission"
-    "d /persist/transmission/.incomplete 750 transmission transmission"
-    "d /persist/transmission/Downloads 755 transmission transmission"
-    "d /persist/transmission/watchdir 755 transmission transmission"
-  ];
-  networking.wg-quick.interfaces.wg0 = {
-    configFile = "/persist/vpn.conf";
-    preUp = ''
-          # Try to access the DNS for up to 300s
-          for i in {1..60}; do
-            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
-            echo "Attempt $i: DNS still not available"
-            sleep 5s
-          done
-    '';
-  };
-
-  # https://github.com/NixOS/nixpkgs/issues/258793
-  systemd.services.transmission.serviceConfig = {
-    BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
-    RootDirectoryStartOnly = lib.mkForce false;
-    RootDirectory = lib.mkForce "";
-    PrivateMounts = lib.mkForce false;
-    PrivateUsers = lib.mkForce false;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 9091 ];
-  services.transmission = {
-    enable = true;
-    package = pkgs.transmission_4;
-    downloadDirPermissions = "775";
-    openFirewall = true;
-    home = "/persist/transmission";
-    settings = {
-      ratio-limit-enabled = true;
-      rpc-bind-address = "0.0.0.0";
-      rpc-enabled = true;
-      rpc-port = 9091;
-      rpc-host-whitelist-enabled = false;
-      rpc-whitelist-enabled = false;
-    };
-  };
-}
--- a/containers/amethyst/flake.lock
+++ b/containers/amethyst/flake.lock
@ -1,27 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1773282481,
-        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@ -1,51 +0,0 @@
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-  };
-  outputs = { nixpkgs, ... }: {
-    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
-      modules = [ ./configuration.nix ];
-    };
-    nixosModule = { ... }:
-    let
-      name = "amethyst";
-      fqdn = "amethyst.lava.moe";
-      subnet = "1";
-    in {
-      networking.nat = {
-        enable = true;
-        enableIPv6 = true;
-        internalInterfaces = [ "ve-${name}" ];
-      };
-
-      services.nginx.virtualHosts."${fqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
-        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
-      };
-
-      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
-      containers.${name} = {
-        autoStart = true;
-        privateNetwork = true;
-        hostAddress = "10.30.${subnet}.1";
-        localAddress = "10.30.${subnet}.2";
-        hostAddress6 = "fd0d:1::${subnet}:1";
-        localAddress6 = "fd0d:1::${subnet}:2";
-        # privateUsers = "pick";
-        nixpkgs = nixpkgs;
-        ephemeral = true;
-        config = { imports = [ ./configuration.nix ]; };
-
-        bindMounts."persist" = {
-          hostPath = "/persist/containers/${name}";
-          mountPoint = "/persist";
-          isReadOnly = false;
-        };
-        # flake = "path:" + ./.;
-      };
-    };
-  };
-}
--- a/containers/beryllium/configuration.nix
+++ b/containers/beryllium/configuration.nix
@ -1,23 +0,0 @@
-{ ... }: {
-  system.stateVersion = "25.11";
-  fileSystems."/var/lib/private" = {
-    device = "/persist";
-    fsType = "none";
-    options = [ "bind" ];
-  };
-  networking.firewall.allowedTCPPorts = [ 6167 ];
-  networking.firewall.allowedUDPPorts = [ 6167 ];
-  # TODO: this should be generically set
-  networking.useHostResolvConf = false;
-  networking.nameservers = [ "8.8.8.8" ];
-
-  services.matrix-continuwuity = {
-    enable = true;
-    settings.global = {
-      # TODO: link this with outer container's address
-      address = [ "10.30.2.2" ];
-      server_name = "lava.moe";
-      rocksdb_recovery_mode = 2;
-    };
-  };
-}
--- a/containers/beryllium/flake.lock
+++ b/containers/beryllium/flake.lock
@ -1,27 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1773282481,
-        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/containers/beryllium/flake.nix
+++ b/containers/beryllium/flake.nix
@ -1,69 +0,0 @@
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-  };
-  outputs = { nixpkgs, ... }: {
-    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
-      modules = [ ./configuration.nix ];
-    };
-    nixosModule = { ... }:
-    let
-      name = "beryllium";
-      fqdn = "beryllium.lava.moe";
-      subnet = "2";
-    in {
-      networking.nat = {
-        enable = true;
-        enableIPv6 = true;
-        internalInterfaces = [ "ve-${name}" ];
-      };
-
-      services.nginx.virtualHosts."${fqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/".extraConfig = "return 302 'https://lava.moe';";
-        locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
-        locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
-        locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
-      };
-
-      services.nginx.virtualHosts."lava.moe" = {
-        locations."= /.well-known/matrix/server".extraConfig =
-          let
-            server = { "m.server" = "${fqdn}:443"; };
-          in ''
-            add_header Content-Type application/json;
-            return 200 '${builtins.toJSON server}';
-          '';
-        locations."= /.well-known/matrix/client".extraConfig =
-          let
-            client = {
-              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
-              # "m.identity_server" = { "base_url" = "https://vector.im"; };
-            };
-          in ''
-            add_header Content-Type application/json;
-            add_header Access-Control-Allow-Origin *;
-            return 200 '${builtins.toJSON client}';
-          '';
-      };
-
-      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
-      containers.${name} = {
-        autoStart = true;
-        privateNetwork = true;
-        hostAddress = "10.30.${subnet}.1";
-        localAddress = "10.30.${subnet}.2";
-        nixpkgs = nixpkgs;
-        ephemeral = true;
-        config = { imports = [ ./configuration.nix ]; };
-
-        bindMounts."persist" = {
-          hostPath = "/persist/containers/${name}";
-          mountPoint = "/persist";
-          isReadOnly = false;
-        };
-      };
-    };
-  };
-}
--- a/containers/citrine/configuration.nix
+++ b/containers/citrine/configuration.nix
@ -1,53 +0,0 @@
-{ config, fqdn, lib, ... }: {
-  system.stateVersion = "25.11";
-  networking.firewall.allowedTCPPorts = [ 22 3000 ];
-  networking.firewall.allowedUDPPorts = [ 22 3000 ];
-
-  systemd.tmpfiles.rules = [
-    "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
-  ];
-
-  services.forgejo = {
-    enable = true;
-    lfs.enable = true;
-    settings = {
-      DEFAULT.APP_NAME = "cilly's botanical laboratory";
-      server = {
-        DOMAIN = fqdn;
-        ROOT_URL = "https://${fqdn}/";
-        HTTP_PORT = 3000;
-        START_SSH_SERVER = true;
-        BUILTIN_SSH_SERVER_USER = "git";
-        SSH_DOMAIN = "git.lava.moe";
-        SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
-      };
-      ui = lib.mkForce {
-        DEFAULT_THEME = "catppuccin-maroon-auto";
-        THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
-          "catppuccin-pink"
-          "catppuccin-maroon"
-          "catppuccin-flamingo"
-          "catppuccin-rosewater"
-          "forgejo"
-          "gitea"
-        ];
-      };
-      api.ENABLE_SWAGGER = false;
-      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
-      repository.ENABLE_PUSH_CREATE_USER = true;
-      repository.ENABLE_PUSH_CREATE_ORG = true;
-      service.DISABLE_REGISTRATION = true;
-    };
-    stateDir = "/persist/forgejo";
-  };
-
-  systemd.services.forgejo.serviceConfig = {
-    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-    PrivateUsers = lib.mkForce false;
-  };
-
-  catppuccin.forgejo.enable = true;
-
-  environment.systemPackages = [ config.services.forgejo.package ];
-}
--- a/containers/citrine/flake.lock
+++ b/containers/citrine/flake.lock
@ -1,62 +0,0 @@
-{
-  "nodes": {
-    "catppuccin": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      },
-      "locked": {
-        "lastModified": 1773403535,
-        "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
-        "owner": "catppuccin",
-        "repo": "nix",
-        "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
-        "type": "github"
-      },
-      "original": {
-        "owner": "catppuccin",
-        "repo": "nix",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1773122722,
-        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1773282481,
-        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "catppuccin": "catppuccin",
-        "nixpkgs": "nixpkgs_2"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
@ -1,68 +0,0 @@
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    catppuccin.url = "github:catppuccin/nix";
-  };
-  outputs = { nixpkgs, catppuccin, ... }:
-  let
-    name = "citrine";
-    fqdn = "lab.lava.moe";
-    subnetId = "3";
-
-    subnet = x: "fd0d:1::${subnetId}:${toString x}";
-    host = subnet 1;
-    client = subnet 2;
-
-    subnet4 = x: "10.30.${subnetId}.${toString x}";
-    host4 = subnet4 1;
-    client4 = subnet4 2;
-
-    modules = [
-      ./configuration.nix
-      catppuccin.nixosModules.catppuccin
-      {
-        networking.useHostResolvConf = false;
-        networking.nameservers = [ host ];
-      }
-    ];
-  in {
-    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
-      inherit modules;
-    };
-    nixosModule = { ... }: {
-      networking.nat = {
-        enable = true;
-        enableIPv6 = true;
-        internalInterfaces = [ "ve-${name}" ];
-      };
-
-      services.nginx.virtualHosts."${fqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/".proxyPass = "http://[${client}]:3000";
-      };
-
-      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
-      containers.${name} = {
-        autoStart = true;
-        privateNetwork = true;
-        hostAddress = host4;
-        localAddress = client4;
-        hostAddress6 = host;
-        localAddress6 = client;
-        # privateUsers = "pick";
-        nixpkgs = nixpkgs;
-        ephemeral = true;
-        config = { imports = modules; };
-        specialArgs = { inherit fqdn; };
-
-        bindMounts."persist" = {
-          hostPath = "/persist/containers/${name}";
-          mountPoint = "/persist";
-          isReadOnly = false;
-        };
-        # flake = "path:" + ./.;
-      };
-    };
-  };
-}
--- a/containers/citrine/templates/base/footer_content.tmpl
+++ b/containers/citrine/templates/base/footer_content.tmpl
@ -1,31 +0,0 @@
-<footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
-    <div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
-        {{if ShowFooterPoweredBy}}
-            <a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
-        {{end}}
-        {{if (or .ShowFooterVersion .PageIsAdmin)}}
-            {{if .IsAdmin}}
-                <a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
-            {{else}}
-                {{AppVerNoMetadata}}
-            {{end}}
-        {{end}}
-        {{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
-            {{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
-            {{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
-        {{end}}
-    </div>
-    <div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
-        <div class="ui dropdown upward language">
-            <span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
-            <div class="menu language-menu">
-                {{range .AllLangs}}
-                    <a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
-                {{end}}
-            </div>
-        </div>
-        <a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
-        {{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
-        {{template "custom/extra_links_footer" .}}
-    </div>
-</footer>
--- a/containers/citrine/templates/home.tmpl
+++ b/containers/citrine/templates/home.tmpl
@ -1,19 +0,0 @@
-{{template "base/head" .}}
-{{if not .IsSigned}}
-    <script>window.location.href = "/explore/repos";</script>
-{{end}}
-<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
-    <div class="tw-mb-8 tw-px-8">
-        <div class="center">
-            <img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
-            <div class="hero">
-                <h1 class="ui icon header title">
-                    {{AppDisplayName}}
-                </h1>
-                <h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
-            </div>
-        </div>
-    </div>
-    {{template "home_forgejo" .}}
-</div>
-{{template "base/footer" .}}
--- a/containers/diamond/configuration.nix
+++ b/containers/diamond/configuration.nix
@ -1,22 +0,0 @@
-{ fqdn, ... }: {
-  system.stateVersion = "25.11";
-  systemd.tmpfiles.rules = [
-    "d /persist/vaultwarden 755 vaultwarden vaultwarden"
-  ];
-  fileSystems."/var/lib/vaultwarden" = {
-    device = "/persist/vaultwarden";
-    fsType = "none";
-    options = [ "bind" ];
-  };
-  networking.firewall.allowedTCPPorts = [ 8000 ];
-  networking.firewall.allowedUDPPorts = [ 8000 ];
-
-  services.vaultwarden = {
-    enable = true;
-    domain = fqdn;
-    config = {
-      DOMAIN = "https://${fqdn}";
-      ROCKET_ADDRESS = "::";
-    };
-  };
-}
--- a/containers/diamond/flake.lock
+++ b/containers/diamond/flake.lock
@ -1,27 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1773282481,
-        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/containers/diamond/flake.nix
+++ b/containers/diamond/flake.nix
@ -1,51 +0,0 @@
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-  };
-  outputs = { nixpkgs, ... }:
-  let
-    name = "diamond";
-    fqdn = "astransia.lava.moe";
-    subnetId = "4";
-
-    subnet = x: "fd0d:1::${subnetId}:${toString x}";
-    host = subnet 1;
-    client = subnet 2;
-
-    modules = [
-      ./configuration.nix
-    ];
-  in {
-    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
-      inherit modules;
-    };
-    nixosModule = { ... }: {
-      services.nginx.virtualHosts."${fqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/".proxyPass = "http://[${client}]:8000";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
-      };
-
-      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
-      containers.${name} = {
-        autoStart = true;
-        privateNetwork = true;
-        hostAddress6 = host;
-        localAddress6 = client;
-        # privateUsers = "pick";
-        nixpkgs = nixpkgs;
-        ephemeral = true;
-        config = { imports = modules; };
-        specialArgs = { inherit fqdn; };
-
-        bindMounts."persist" = {
-          hostPath = "/persist/containers/${name}";
-          mountPoint = "/persist";
-          isReadOnly = false;
-        };
-        # flake = "path:" + ./.;
-      };
-    };
-  };
-}
--- a/containers/emerald/configuration.nix
+++ b/containers/emerald/configuration.nix
@ -1,23 +0,0 @@
-{ fqdn, shareFqdn, ... }: {
-  system.stateVersion = "25.11";
-  systemd.tmpfiles.rules = [
-    "d /persist/navidrome 755 navidrome navidrome"
-  ];
-  networking.firewall.allowedTCPPorts = [ 4533 ];
-  networking.firewall.allowedUDPPorts = [ 4533 ];
-
-  services.navidrome = {
-    enable = true;
-    environmentFile = "/binds/navidrome_env";
-    settings = {
-      Port = 4533;
-      Address = "[::]";
-      BaseUrl = "https://${fqdn}/";
-      ShareURL = "https://${shareFqdn}";
-      EnableSharing = true;
-      DataFolder = "/persist/navidrome";
-      MusicFolder = "/binds/music/main";
-    };
-  };
-  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
-}
--- a/containers/emerald/flake.lock
+++ b/containers/emerald/flake.lock
@ -1,27 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1773282481,
-        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@ -1,78 +0,0 @@
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-  };
-  outputs = { nixpkgs, ... }:
-  let
-    name = "emerald";
-    fqdn = "navia.lava.moe";
-    shareFqdn = "muse.lava.moe";
-    subnetId = "5";
-
-    subnet = x: "fd0d:2::${subnetId}:${toString x}";
-    host = subnet 1;
-    client = subnet 2;
-
-    subnet4 = x: "10.32.${subnetId}.${toString x}";
-    host4 = subnet4 1;
-    client4 = subnet4 2;
-
-    modules = [
-      ./configuration.nix
-      {
-        networking.useHostResolvConf = false;
-        networking.nameservers = [ host ];
-      }
-    ];
-  in {
-    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
-      inherit modules;
-    };
-    nixosModule = { config, ... }: {
-      networking.nat = {
-        enable = true;
-        enableIPv6 = true;
-        internalInterfaces = [ "ve-${name}" ];
-      };
-
-      services.nginx.virtualHosts."${fqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/".proxyPass = "http://[${client}]:4533";
-        listenAddresses = [ "100.67.2.1" ];
-      };
-
-      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
-      containers.${name} = {
-        autoStart = true;
-        privateNetwork = true;
-        hostAddress = host4;
-        localAddress = client4;
-        hostAddress6 = host;
-        localAddress6 = client;
-        # privateUsers = "pick";
-        nixpkgs = nixpkgs;
-        ephemeral = true;
-        config = { imports = modules; };
-        specialArgs = { inherit fqdn shareFqdn; };
-
-        bindMounts."persist" = {
-          hostPath = "/persist/containers/${name}";
-          mountPoint = "/persist";
-          isReadOnly = false;
-        };
-        bindMounts."music" = {
-          hostPath = "/flower/media/music";
-          mountPoint = "/binds/music";
-          isReadOnly = true;
-        };
-        bindMounts."navidrome_env" = {
-          hostPath = config.age.secrets.navidrome_env.path;
-          mountPoint = "/binds/navidrome_env";
-          isReadOnly = true;
-        };
-        # flake = "path:" + ./.;
-      };
-    };
-  };
-}
--- a/containers/fluorite/configuration.nix
+++ b/containers/fluorite/configuration.nix
@ -1,22 +0,0 @@
-{ ... }: {
-  system.stateVersion = "25.11";
-  systemd.tmpfiles.rules = [
-    "d /persist/slskd/Downloads 755 slskd slskd"
-  ];
-  fileSystems."/var/lib/slskd" = {
-    device = "/persist/slskd";
-    fsType = "none";
-    options = [ "bind" ];
-  };
-  networking.firewall.allowedTCPPorts = [ 5030 50300 ];
-  networking.firewall.allowedUDPPorts = [ 5030 50300 ];
-
-  services.slskd = {
-    enable = true;
-    domain = null;
-    environmentFile = "/binds/slskd_env";
-    settings = {
-      shares.directories = [ "/binds/music/" ];
-    };
-  };
-}
--- a/containers/fluorite/flake.lock
+++ b/containers/fluorite/flake.lock
@ -1,27 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1773282481,
-        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/containers/fluorite/flake.nix
+++ b/containers/fluorite/flake.nix
@ -1,89 +0,0 @@
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-  };
-  outputs = { nixpkgs, ... }:
-  let
-    name = "fluorite";
-    fqdn = "fluorite.lava.moe";
-    subnetId = "6";
-
-    subnet = x: "fd0d:1::${subnetId}:${toString x}";
-    host = subnet 1;
-    client = subnet 2;
-
-    subnet4 = x: "10.30.${subnetId}.${toString x}";
-    host4 = subnet4 1;
-    client4 = subnet4 2;
-
-    modules = [
-      ./configuration.nix
-      {
-        networking.useHostResolvConf = false;
-        networking.nameservers = [ host ];
-      }
-    ];
-  in {
-    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
-      inherit modules;
-    };
-    nixosModule = { config, ... }: {
-      networking.nat = {
-        enable = true;
-        enableIPv6 = true;
-        internalInterfaces = [ "ve-${name}" ];
-      };
-      networking.firewall.allowedTCPPorts = [ 50300 ];
-
-      services.nginx.virtualHosts."${fqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/".proxyPass = "http://[${client}]:5030";
-        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
-      };
-
-      systemd.tmpfiles.rules = [
-        "d /persist/containers/${name} 755 root users"
-        "d /persist/media/music 075 nobody users"
-      ];
-      containers.${name} = {
-        autoStart = true;
-        privateNetwork = true;
-        hostAddress = host4;
-        localAddress = client4;
-        hostAddress6 = host;
-        localAddress6 = client;
-        # privateUsers = "pick";
-        nixpkgs = nixpkgs;
-        ephemeral = true;
-        config = { imports = modules; };
-        specialArgs = { inherit fqdn; };
-
-        forwardPorts = [
-          {
-            containerPort = 50300;
-            hostPort = 50300;
-            protocol = "tcp";
-          }
-        ];
-
-        bindMounts."persist" = {
-          hostPath = "/persist/containers/${name}";
-          mountPoint = "/persist";
-          isReadOnly = false;
-        };
-        bindMounts."music" = {
-          hostPath = "/persist/media/music";
-          mountPoint = "/binds/music";
-          isReadOnly = true;
-        };
-        bindMounts."slskd_env" = {
-          hostPath = config.age.secrets.slskd_env.path;
-          mountPoint = "/binds/slskd_env";
-          isReadOnly = true;
-        };
-        # flake = "path:" + ./.;
-      };
-    };
-  };
-}
--- a/containers/garnet/configuration.nix
+++ b/containers/garnet/configuration.nix
@ -1,36 +0,0 @@
-{ ... }: {
-  system.stateVersion = "25.11";
-  fileSystems."/var/lib/opencloud" = {
-    device = "/flower/data";
-    fsType = "none";
-    options = [ "bind" ];
-  };
-  fileSystems."/etc/opencloud" = {
-    device = "/persist/cfg";
-    fsType = "none";
-    options = [ "bind" ];
-  };
-  # TODO: hardcoded address
-  networking.extraHosts = ''
-    100.67.2.1 cloud.lava.moe
-  '';
-
-  networking.firewall.allowedTCPPorts = [ 9200 ];
-  networking.firewall.allowedUDPPorts = [ 9200 ];
-
-  environment.etc."opencloud-admin-pass".text = ''
-    IDM_ADMIN_PASSWORD=supersillysecure
-  '';
-  services.opencloud = {
-    enable = true;
-    url = "https://cloud.lava.moe";
-    address = "10.30.7.2";
-    port = 9200;
-    environment = {
-      PROXY_TLS = "false";
-      IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
-      IDP_ID_TOKEN_EXPIRATION = "2592000";
-    };
-    environmentFile = "/etc/opencloud-admin-pass";
-  };
-}
--- a/containers/garnet/flake.lock
+++ b/containers/garnet/flake.lock
@ -1,27 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1779560665,
-        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/containers/garnet/flake.nix
+++ b/containers/garnet/flake.nix
@ -1,84 +0,0 @@
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-  };
-  outputs = { nixpkgs, ... }:
-  let
-    name = "garnet";
-    fqdn = "cloud.lava.moe";
-    subnetId = "7";
-
-    subnet = x: "fd0d:1::${subnetId}:${toString x}";
-    host = subnet 1;
-    client = subnet 2;
-
-    subnet4 = x: "10.30.${subnetId}.${toString x}";
-    host4 = subnet4 1;
-    client4 = subnet4 2;
-
-    modules = [
-      ./configuration.nix
-      {
-        networking.useHostResolvConf = false;
-        networking.nameservers = [ host ];
-      }
-    ];
-  in {
-    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
-      inherit modules;
-    };
-    nixosModule = { config, ... }: {
-      networking.nat = {
-        enable = true;
-        enableIPv6 = true;
-        internalInterfaces = [ "ve-${name}" ];
-      };
-
-      services.nginx.virtualHosts."${fqdn}" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://${client4}:9200";
-          proxyWebsockets = true;
-        };
-        extraConfig = ''
-          proxy_read_timeout 3600s;
-          proxy_send_timeout 3600s;
-          keepalive_requests 100000;
-          keepalive_timeout 5m;
-          http2_max_concurrent_streams 512;
-        '';
-        # TODO: hardcoded address
-        listenAddresses = [ "100.67.2.1" ];
-      };
-
-      systemd.tmpfiles.rules = [
-        "d /persist/containers/${name} 755 root users"
-      ];
-      containers.${name} = {
-        autoStart = true;
-        privateNetwork = true;
-        hostAddress = host4;
-        localAddress = client4;
-        hostAddress6 = host;
-        localAddress6 = client;
-        # privateUsers = "pick";
-        nixpkgs = nixpkgs;
-        ephemeral = true;
-        config = { imports = modules; };
-        specialArgs = { inherit fqdn; };
-
-        bindMounts."persist" = {
-          hostPath = "/persist/containers/${name}";
-          mountPoint = "/persist";
-          isReadOnly = false;
-        };
-        bindMounts."content" = {
-          hostPath = "/flower/opencloud";
-          mountPoint = "/flower";
-          isReadOnly = false;
-        };
-      };
-    };
-  };
-}
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -1,101 +1,95 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    home-manager.url = "github:nix-community/home-manager";
+    nixpkgs = { url = "github:NixOS/nixpkgs/nixos-unstable"; };
+    home-manager = { url = "github:LavaDesu/home-manager/aa"; };
+    secrets = { url = "github:LavaDesu/flakes-secrets"; };
+
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
-    agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
-    aagl.url = "github:ezKEa/aagl-gtk-on-nix";
-    catppuccin.url = "github:catppuccin/nix/8eada392fd6571a747e1c5fc358dd61c14c8704e";
-    catppuccin.inputs.nixpkgs.follows = "nixpkgs";
-    catppuccin-palette = { url = "github:catppuccin/palette"; flake = false; };
-    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
-    neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
-
-    nix-gaming.url = "github:fufexan/nix-gaming";
-    nix-index-database.url = "github:nix-community/nix-index-database";
-    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
-    spicetify-nix.url = "github:Gerg-L/spicetify-nix";
-    spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
-
-    # services
-    pastel.url = "github:cillynder/pastel";
-    stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; };
-    website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; };
-
-    # zsh plugins
-    zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; };
-    zsh-history-substring-search = { url = "github:zsh-users/zsh-history-substring-search"; flake = false; };
-    fast-syntax-highlighting = { url = "github:zdharma-continuum/fast-syntax-highlighting"; flake = false; };
-    pure = { url = "github:sindresorhus/pure"; flake = false; };
-
-    # overlays
-    linux-tkg = { url = "github:Frogging-Family/linux-tkg"; flake = false; };
-    nvim-treesitter = { url = "github:nvim-treesitter/nvim-treesitter"; flake = false; };
-    spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; };
-    tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; };
-    wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; };
-
-    # containers
-    c-amethyst.url = "path:./containers/amethyst";
-    c-beryllium.url = "path:./containers/beryllium";
-    c-citrine.url = "path:./containers/citrine";
-    c-diamond.url = "path:./containers/diamond";
-    c-emerald.url = "path:./containers/emerald";
-    c-fluorite.url = "path:./containers/fluorite";
-    c-garnet.url = "path:./containers/garnet";
  };

-  outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
+  outputs = inputs: with inputs;
    let
-      overlays = (import ./overlays)
-        ++ [(final: prev: {
-          me = prev.callPackage ./packages { inherit inputs; } // { inherit inputs; };
-        })];
+      getPaths = root: builtins.map
+        (path: root + ("/" + path)) # Prepends root path
+        (builtins.attrNames (builtins.readDir root)); # Reads root path

-        patchOverlaysWithLinuxLava = nixpkgs: arch: ([(self: super: {
-          linuxLavaNixpkgs = import nixpkgs {
-            overlays = [ (import ./overlays/linux-lava.nix) ] ++ overlays;
-            system = arch;
+      customPackages = pkgs:
+        let
+          callPackage = pkgs.callPackage;
+        in rec {
+          linux_lava = callPackage ./packages/linux-lava {};
+          linux_tkg = callPackage ./packages/linux-tkg {
+            kernelPatches = with pkgs.kernelPatches; [
+              bridge_stp_helper
+              request_key_helper
+            ];
          };
-        })] ++ overlays);
-
-      mkSystem =
-        if !(self ? rev) then throw "Dirty git tree detected." else
-        nixpkgs: name: arch: extraModules: nixpkgs.lib.nixosSystem {
-          system = arch;
-          modules = [
-            ({
-              nixpkgs.overlays = patchOverlaysWithLinuxLava nixpkgs arch;
-            })
-            agenix.nixosModules.age
-            catppuccin.nixosModules.catppuccin
-            (./hosts + "/${name}")
-          ] ++ extraModules;
-          specialArgs = {
-            inherit inputs;
-            modules = import ./modules { lib = nixpkgs.lib; };
-            gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
+          linuxPackages_tkg = args: pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor (linux_tkg.override args));
+          wine-osu = callPackage ./packages/wine-osu { inherit getPaths; };
+        }
+        # For github workflow tests
+        // builtins.listToAttrs (builtins.map (e: {
+          name = "linux_tkg-${e.scheduler}-${pkgs.lib.stringAsChars (x: if x == "." then "" else x) e.version}";
+          value = callPackage ./packages/linux-tkg {
+            inherit (e) scheduler version;
+            kernelPatches = with pkgs.kernelPatches; [
+              bridge_stp_helper
+              request_key_helper
+            ];
+          };
+        }) (pkgs.lib.cartesianProductOfSets {
+          scheduler = ["bmq" "cfs" "cacule" "muqss" "pds"];
+          version = ["5.4" "5.10" "5.12"];
+        })) // {
+          "linux_tkg-upds-510" = callPackage ./packages/linux-tkg {
+            version = "5.10";
+            scheduler = "upds";
+            kernelPatches = with pkgs.kernelPatches; [
+              bridge_stp_helper
+              request_key_helper
+            ];
          };
        };
+
+      overlays = (builtins.map
+        (path: import path) # Imports path
+        (builtins.filter
+          (path: nixpkgs.lib.hasSuffix ".nix" path) # Checks file extension
+          (getPaths ./overlays)
+        )
+      ) ++ [(self: super: customPackages super)];
+
+      revCount = "297098";
+      base = { config, ... }: {
+        system = {
+          configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
+          nixos = rec {
+            version = config.system.nixos.release + versionSuffix;
+            versionSuffix = ".${nixpkgs.lib.substring 0 8 (nixpkgs.lastModifiedDate or nixpkgs.lastModified or "19700101")}.r${revCount}-${nixpkgs.lib.substring 0 11 (nixpkgs.rev or "dirty")}";
+          };
+        };
+        nix.registry.nixpkgs.flake = nixpkgs;
+        nixpkgs.overlays = overlays;
+      };
+
+      hm-base = {
+        home-manager = {
+          useGlobalPkgs = true;
+          useUserPackages = true;
+        };
+      };
    in
    {
-      nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
-      nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
-      nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
-      nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
-
-      packages."x86_64-linux" =
-        let
-          pkgs = import nixpkgs rec {
-            overlays = patchOverlaysWithLinuxLava nixpkgs system;
-            system = "x86_64-linux";
-          };
-        in
-        {
-          inherit (pkgs.me) linux-lava spotify-adblock;
-          linux-lava-ccache = pkgs.me.linux-lava.override { useCcache = true; };
-        };
+      nixosConfigurations."winter" = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          base
+          home-manager.nixosModules.home-manager
+          hm-base
+          ./hosts/winter
+          secrets.nixosModules.winter
+        ];
+      };
+      packages.x86_64-linux = customPackages nixpkgs.legacyPackages.x86_64-linux;
    };
 }
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -1,45 +0,0 @@
-{ inputs, lib, modules, modulesPath, ... }: {
-  networking.hostName = "alyssum";
-  system.stateVersion = "25.11";
-  time.timeZone = "Australia/Melbourne";
-
-  age.secrets = {
-    acme_dns.file = ../../secrets/acme_dns.age;
-    passwd.file = ../../secrets/passwd.age;
-    navidrome_env.file = ../../secrets/navidrome_env.age;
-    wpa_conf = {
-      file = ../../secrets/wpa_conf.age;
-      path = "/etc/wpa_supplicant/imperative.conf";
-      symlink = false;
-    };
-  };
-
-  imports = with modules.system; [
-    (modulesPath + "/profiles/qemu-guest.nix")
-    home-manager
-
-    base
-    kernel
-    nix-stable
-    packages
-    security
-    tailscale
-
-    modules.services.nginx
-    modules.services.syncthing
-
-    inputs.c-emerald.nixosModule
-    inputs.c-garnet.nixosModule
-
-    ./filesystem.nix
-    ./kernel.nix
-    ./networking.nix
-    ./home.syncthing.nix
-    ./samba.nix
-
-    ../../users/hana
-  ];
-
-  me.environment = "headless";
-  services.syncthing.user = lib.mkForce "hana";
-}
--- a/hosts/alyssum/filesystem.nix
+++ b/hosts/alyssum/filesystem.nix
@ -1,35 +0,0 @@
-{ ... }:
-let
-  bind = src: {
-    depends = [ "/nix" ];
-    device = src;
-    fsType = "none";
-    neededForBoot = true;
-    options = [ "bind" ];
-  };
-
-  mkLabelMount = label: type: {
-    device = "/dev/disk/by-label/${label}";
-    fsType = type;
-    options = [ "defaults" "relatime" ];
-  };
-  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
-    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
-  };
-  submount = mkBtrfsMount "alyssum";
-in {
-  fileSystems = {
-    "/" = {
-      device = "rootfs";
-      fsType = "tmpfs";
-      options = [ "defaults" "size=8G" "mode=755" ];
-    };
-    "/boot" = mkLabelMount "stem" "vfat";
-
-    "/flower" = mkBtrfsMount "myosotis" "/@" true;
-    "/nix" = submount "/@/nix" false;
-    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
-    "/persist/.snapshots" = submount "/snap/persist" false;
-    "/var/log/journal" = bind "/persist/journal";
-  };
-}
--- a/hosts/alyssum/home.syncthing.nix
+++ b/hosts/alyssum/home.syncthing.nix
@ -1,39 +0,0 @@
-{ config, lib, ... }:
-let
-  configOn = user: port: {
-    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
-    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
-
-    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
-
-    users.users.${user} = {
-      hashedPasswordFile = config.age.secrets.passwd.path;
-      isNormalUser = true;
-      linger = true;
-    };
-    home-manager.users.${user} = { ... }: {
-      home = {
-        username = "${user}";
-        homeDirectory = "/home/${user}";
-        stateVersion = "26.05";
-      };
-      services.syncthing = {
-        enable = true;
-        guiAddress = "[::]:${toString port}";
-        overrideDevices = false;
-        overrideFolders = false;
-        settings = {
-          options.listenAddresses = [
-            "tcp://0.0.0.0:2${toString port}"
-            "quic://0.0.0.0:2${toString port}"
-            "dynamic+https://relays.syncthing.net/endpoint"
-          ];
-          defaults.folder.path = "/flower/syncthing/${user}";
-        };
-      };
-    };
-  };
-in lib.mkMerge [
-  (configOn "kujira" 8385)
-  (configOn "cilly" 8386)
-]
--- a/hosts/alyssum/kernel.nix
+++ b/hosts/alyssum/kernel.nix
@ -1,12 +0,0 @@
-{ config, lib, ... }: {
-  boot = {
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot.enable = true;
-    };
-    initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
-    initrd.kernelModules = [ ];
-    kernelModules = [ "kvm-amd" ];
-  };
-  hardware.cpu.amd.updateMicrocode = true;
-}
--- a/hosts/alyssum/networking.nix
+++ b/hosts/alyssum/networking.nix
@ -1,15 +0,0 @@
-{ config, ... }: {
-  networking = {
-    useDHCP = true;
-    wireless.enable = true;
-
-    interfaces.wlp1s0.useDHCP = false;
-    interfaces.wlp1s0.ipv4.addresses = [{
-      address = "192.168.1.167";
-      prefixLength = 24;
-    }];
-
-    defaultGateway = "192.168.1.1";
-    nameservers = [ "8.8.8.8" "8.8.4.4" ];
-  };
-}
--- a/hosts/alyssum/packages.nix
+++ b/hosts/alyssum/packages.nix
@ -1,14 +0,0 @@
-{ pkgs, ... }: {
-  environment.systemPackages = with pkgs; [
-    git
-    htop
-    jq
-    neovim
-    rsync
-    sshfs
-    wget
-
-    kitty.terminfo
-  ];
-  environment.variables.EDITOR = "nvim";
-}
--- a/hosts/alyssum/samba.nix
+++ b/hosts/alyssum/samba.nix
@ -1,84 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  configOn = user: let
-    passwd_fname = "passwd_smb${user}";
-  in {
-    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
-    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
-    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
-
-    users.users.${user} = {
-      hashedPasswordFile = config.age.secrets.passwd.path;
-      isNormalUser = true;
-    };
-
-    system.activationScripts = {
-      init_smbpasswd.text = let
-        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
-      in ''
-        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
-      '';
-    };
-    services.samba.settings."${user}" = {
-      "path" = "/flower/smb/${user}";
-      "browseable" = "yes";
-      "read only" = "no";
-      "guest ok" = "no";
-      "create mask" = "0644";
-      "directory mask" = "0755";
-      "force user" = user;
-      "force group" = "users";
-      "valid users" = user;
-    };
-  };
-in lib.mkMerge [
-  (configOn "cilly")
-  (configOn "kujira")
-  {
-    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
-
-    networking.firewall.allowPing = true;
-
-    services.samba = {
-      enable = true;
-      package = pkgs.samba4Full;
-      openFirewall = true;
-      settings = {
-        global = {
-          "server smb encrypt" = "required";
-          "workgroup" = "WORKGROUP";
-          "server string" = "smbnix";
-          "netbios name" = "smbnix";
-          "security" = "user";
-          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
-          "hosts deny" = "0.0.0.0/0";
-          "guest account" = "nobody";
-          "map to guest" = "bad user";
-        };
-        "public" = {
-          "path" = "/flower/smb/public";
-          "browseable" = "yes";
-          "read only" = "no";
-          "guest ok" = "yes";
-          "create mask" = "0644";
-          "directory mask" = "0755";
-          "force user" = "hana";
-          "force group" = "users";
-        };
-      };
-    };
-
-    services.samba-wsdd = {
-      enable = true;
-      openFirewall = true;
-    };
-
-    services.avahi = {
-      enable = true;
-      openFirewall = true;
-      nssmdns4 = true;
-      publish.enable = true;
-      publish.userServices = true;
-    };
-  }
-]
--- a/hosts/anemone/default.nix
+++ b/hosts/anemone/default.nix
@ -1,60 +0,0 @@
-{ config, inputs, modules, overlays, pkgs, ... }: {
-  networking.hostName = "anemone";
-  system.stateVersion = "23.11";
-  time.timeZone = "Australia/Melbourne";
-
-  nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
-  age.secrets = {
-    wg_anemone.file = ../../secrets/wg_anemone.age;
-    passwd.file = ../../secrets/passwd.age;
-  };
-
-  imports = with modules.system; [
-    home-manager
-
-    audio
-    base
-    bluetooth
-    ccache
-    corectrl
-    docker
-    flatpak
-    greetd
-    gui
-    input
-    kernel
-    nix
-    packages
-    printing
-    security
-    snapper
-    tailscale
-    wireguard
-
-    ./filesystem.nix
-    ./kernel.nix
-    ./networking.nix
-
-    ../../users/rin
-
-    modules.services.syncthing
-  ];
-
-  me = {
-    environment = "laptop";
-    batteryDevice = "BATT";
-    kbBacklightDevice = "asus::kbd_backlight";
-    hasFingerprint = true;
-    hidpi = true;
-  };
-
-  programs.wireshark = {
-    enable = true;
-    package = pkgs.wireshark;
-  };
-
-  services.fprintd.enable = true;
-  services.tlp.enable = true;
-
-  programs.kdeconnect.enable = true;
-}
--- a/hosts/anemone/filesystem.nix
+++ b/hosts/anemone/filesystem.nix
@ -1,36 +0,0 @@
-{ config, lib, ... }:
-let
-  mkLabelMount = label: type: lazy: {
-    device = "/dev/disk/by-label/${label}";
-    fsType = type;
-    options = [ "defaults" "relatime" ] ++ lib.optionals lazy [ "nofail" ];
-  };
-  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" false // {
-    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
-  };
-  submount = mkBtrfsMount "Anemone";
-in
-{
-  fileSystems = {
-    "/" = {
-      device = "rootfs";
-      fsType = "tmpfs";
-      options = [ "defaults" "size=8G" "mode=755" ];
-    };
-    "/boot" = mkLabelMount "SYSTEM" "vfat" true;
-
-    "/mnt/butter" = submount "/" true;
-    "/nix" = submount "/current/snow" false;
-    "/home" = submount "/current/home" true;
-    "/home/.snapshots" = submount "/snapshot/home" false;
-    "/root" = submount "/current/root" false;
-    "/var" = submount "/current/var" false;
-    "/persist" = {
-      depends = [ "/var" ];
-      device = "/var/persist";
-      fsType = "none";
-      options = [ "bind" ];
-      neededForBoot = true;
-    };
-  };
-}
--- a/hosts/anemone/kernel.nix
+++ b/hosts/anemone/kernel.nix
@ -1,62 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  boot = {
-    consoleLogLevel = 0;
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot.enable = true;
-    };
-    initrd = {
-      availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-      systemd.enable = true;
-      verbose = false;
-    };
-    kernelModules = [ "kvm-amd" ];
-    kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
-    kernelParams = [
-      "quiet"
-      "console=tty2"
-      "systemd.show_status=0"
-      "rd.systemd.show_status=0"
-      "rd.udev.log_level=3"
-      "udev.log_level=3"
-      "udev.log_priority=3"
-    ];
-  };
-
-  # swapDevices = [{
-  #   device = "/persist/swapfile";
-  #   size = 16 * 1024;
-  # }];
-  #
-  # systemd.sleep.extraConfig = ''
-  #   HibernateMode=shutdown
-  # '';
-  /*
-  services.logind.lidSwitch = "suspend-then-hibernate";
-  systemd.sleep.extraConfig = ''
-    HibernateDelaySec=14400
-    SuspendEstimationSec=3600
-    HibernateOnACPower=true
-  '';
-  */
-
-  powerManagement.cpufreq.min = 400000;
-
-  hardware.cpu.amd.updateMicrocode = true;
-
-  hardware.firmware = let
-    fw = "${pkgs.linux-firmware}/lib/firmware/cirrus/";
-   in [(
-    pkgs.runCommandNoCC "cs35l41-10431683" { } ''
-      mkdir -p $out/lib/firmware/cirrus
-      cd $out/lib/firmware/cirrus
-
-      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid0-l0.bin
-      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid0-r0.bin
-      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid1-l0.bin
-      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid1-r0.bin
-
-      cp ${fw}/cs35l41-dsp1-spk-prot-10431e12.wmfw cs35l41-dsp1-spk-prot-10431683.wmfw
-    ''
-  )];
-}
--- a/hosts/anemone/networking.nix
+++ b/hosts/anemone/networking.nix
@ -1,4 +0,0 @@
-{ config, ... }: {
-  networking.wireless.iwd.enable = true;
-  environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
-}
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -1,44 +0,0 @@
-{ inputs, modules, modulesPath, ... }: {
-  networking.hostName = "dandelion";
-  system.stateVersion = "23.11";
-  time.timeZone = "Australia/Melbourne";
-
-  age.secrets = {
-    acme_dns.file = ../../secrets/acme_dns.age;
-    slskd_env.file = ../../secrets/slskd_env.age;
-    wg_dandelion.file = ../../secrets/wg_dandelion.age;
-  };
-
-  imports = with modules.system; [
-    (modulesPath + "/profiles/qemu-guest.nix")
-    home-manager
-
-    base
-    kernel
-    nix-stable
-    packages
-    security
-    tailscale
-    wireguard
-
-    modules.services.banksia
-    modules.services.nginx
-    modules.services.unbound
-    modules.services.website
-
-    inputs.c-amethyst.nixosModule
-    inputs.c-beryllium.nixosModule
-    inputs.c-citrine.nixosModule
-    inputs.c-diamond.nixosModule
-    inputs.c-fluorite.nixosModule
-
-    ./filesystem.nix
-    ./kernel.nix
-    ./networking.nix
-    ./nginx.nix
-
-    ../../users/hana
-  ];
-
-  me.environment = "headless";
-}
--- a/hosts/dandelion/filesystem.nix
+++ b/hosts/dandelion/filesystem.nix
@ -1,34 +0,0 @@
-{ ... }:
-let
-  bind = src: {
-    depends = [ "/nix" ];
-    device = src;
-    fsType = "none";
-    neededForBoot = true;
-    options = [ "bind" ];
-  };
-
-  mkLabelMount = label: type: {
-    device = "/dev/disk/by-label/${label}";
-    fsType = type;
-    options = [ "defaults" "relatime" ];
-  };
-  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
-    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
-  };
-  submount = mkBtrfsMount "DANDELION";
-in {
-  fileSystems = {
-    "/" = {
-      device = "rootfs";
-      fsType = "tmpfs";
-      options = [ "defaults" "size=6G" "mode=755" ];
-    };
-    "/boot" = mkLabelMount "UEFI" "vfat";
-
-    "/nix" = submount "/@/nix" false;
-    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
-    "/persist/.snapshots" = submount "/snap/persist" false;
-    "/var/log/journal" = bind "/persist/journal";
-  };
-}
--- a/hosts/dandelion/kernel.nix
+++ b/hosts/dandelion/kernel.nix
@ -1,10 +0,0 @@
-{ ... }: {
-  boot = {
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot.enable = true;
-    };
-    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
-    initrd.kernelModules = [ "nvme" ];
-  };
-}
--- a/hosts/dandelion/networking.nix
+++ b/hosts/dandelion/networking.nix
@ -1,4 +0,0 @@
-{ ... }: {
-  networking.useDHCP = true;
-  networking.interfaces.enp2s0.useDHCP = false;
-}
--- a/hosts/dandelion/nginx.nix
+++ b/hosts/dandelion/nginx.nix
@ -1,8 +0,0 @@
-{ ... }: {
-  services.nginx.virtualHosts."muse.lava.moe" = {
-    useACMEHost = "lava.moe";
-    forceSSL = true;
-    locations."/".return = "404";
-    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
-  };
-}
--- a/hosts/dandelion/packages.nix
+++ b/hosts/dandelion/packages.nix
@ -1,14 +0,0 @@
-{ pkgs, ... }: {
-  environment.systemPackages = with pkgs; [
-    git
-    htop
-    jq
-    neovim
-    rsync
-    sshfs
-    wget
-
-    kitty.terminfo
-  ];
-  environment.variables.EDITOR = "nvim";
-}
--- a/hosts/hyacinth/default.nix
+++ b/hosts/hyacinth/default.nix
@ -1,47 +0,0 @@
-{ config, inputs, modules, overlays, pkgs, ... }: {
-  networking.hostName = "hyacinth";
-  system.stateVersion = "21.11";
-  time.timeZone = "Australia/Melbourne";
-
-  nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
-  age.secrets = {
-    passwd.file = ../../secrets/passwd.age;
-    wg_hyacinth.file = ../../secrets/wg_hyacinth.age;
-    wpa_conf.file = ../../secrets/wpa_conf.age;
-  };
-  imports = with modules.system; [
-    home-manager
-
-    aagl
-    audio
-    base
-    bluetooth
-    ccache
-    corectrl
-    docker
-    flatpak
-    greetd
-    gui
-    input
-    kernel
-    nix
-    packages
-    printing
-    security
-    snapper
-    tailscale
-    wireguard
-
-    modules.services.syncthing
-
-    ./filesystem.nix
-    ./kernel.nix
-    ./networking.nix
-    ./packages.nix
-
-    ../../users/rin
-  ];
-  systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
-
-  me.hasBluetooth = true;
-}
--- a/hosts/hyacinth/filesystem.nix
+++ b/hosts/hyacinth/filesystem.nix
@ -1,50 +0,0 @@
-{ config, lib, ... }:
-let
-  mkLabelMount = label: type: {
-    device = "/dev/disk/by-label/${label}";
-    fsType = type;
-    options = [ "defaults" "relatime" ];
-  };
-  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
-    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
-  };
-  mkCakeMount = mkBtrfsMount "CAKE";
-in
-{
-  fileSystems = {
-    "/" = {
-      device = "rootfs";
-      fsType = "tmpfs";
-      options = [ "defaults" "size=24G" "mode=755" ];
-    };
-    "/boot" = mkLabelMount "CUP" "vfat";
-
-    "/mnt/butter" = mkCakeMount "/" true;
-    "/mnt/cream" = mkBtrfsMount "CREAM" "/" true;
-    "/mnt/cream/permanence/.snapshots" = mkBtrfsMount "CREAM" "/snapshot/permanence" false;
-    "/nix" = mkCakeMount "/current/snow" false;
-    "/home" = mkCakeMount "/current/home" true;
-    "/home/.snapshots" = mkCakeMount "/snapshot/home" false;
-    "/root" = mkCakeMount "/current/root" false;
-    "/var" = mkCakeMount "/current/var" false;
-    "/persist" = {
-      depends = [ "/var" ];
-      device = "/var/persist";
-      fsType = "none";
-      options = [ "bind" ];
-      neededForBoot = true;
-    };
-  };
-  services.snapper.configs.cream = {
-      FSTYPE = "btrfs";
-      SUBVOLUME = "/mnt/cream/permanence";
-      TIMELINE_CLEANUP = true;
-      TIMELINE_CREATE = true;
-      TIMELINE_MIN_AGE = "1800";
-      TIMELINE_LIMIT_HOURLY = "5";
-      TIMELINE_LIMIT_DAILY = "7";
-      TIMELINE_LIMIT_WEEKLY = "0";
-      TIMELINE_LIMIT_MONTHLY = "0";
-      TIMELINE_LIMIT_YEARLY = "0";
-    };
-}
--- a/hosts/hyacinth/kernel.nix
+++ b/hosts/hyacinth/kernel.nix
@ -1,20 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  boot = {
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot.enable = true;
-    };
-    initrd.availableKernelModules = [ "xhci_pci" "nvme" ];
-    initrd.kernelModules = [ "amdgpu" ];
-    kernelParams = [
-      "amdgpu.gpu_recovery=1"
-      "intel_pstate=passive"
-      "split_lock_detect=off"
-    ];
-    kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
-  };
-  hardware.amdgpu.overdrive = {
-    enable = true;
-    ppfeaturemask = "0xffffffff";
-  };
-}
--- a/hosts/hyacinth/networking.nix
+++ b/hosts/hyacinth/networking.nix
@ -1,19 +0,0 @@
-{ config, ... }: {
-  environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
-  networking = {
-    useDHCP = true;
-    interfaces.enp5s0.useDHCP = false;
-    interfaces.enp5s0.wakeOnLan.enable = true;
-
-    interfaces.enp5s0.ipv4.addresses = [{
-      address = "192.168.1.201";
-      prefixLength = 24;
-    }];
-    defaultGateway = "192.168.1.1";
-    nameservers = [ "8.8.8.8" "8.8.4.4" ];
-
-    extraHosts = ''
-      10.100.0.1     sugarcane
-    '';
-  };
-}
--- a/hosts/hyacinth/packages.nix
+++ b/hosts/hyacinth/packages.nix
@ -1,7 +0,0 @@
-{ pkgs, ... }: {
-  environment.systemPackages = with pkgs; [
-    discord
-    jetbrains.idea
-    texliveFull
-  ];
-}
--- a/hosts/winter/audio.nix
+++ b/hosts/winter/audio.nix
@ -0,0 +1,107 @@
+{ config, ... }:
+let
+  int = {
+    quantum = {
+      min = 512;
+      def = 1024;
+      max = 2048;
+    };
+    rate = 48000;
+  };
+  str = {
+    quantum = {
+      min = toString int.quantum.min;
+      def = toString int.quantum.def;
+      max = toString int.quantum.max;
+    };
+    rate = toString int.rate;
+  };
+in {
+  sound.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+
+    config.pipewire = {
+      "context.properties" = {
+        "link.max-buffers" = 16;
+        "default.clock.rate" = int.rate;
+        "default.clock.quantum" = int.quantum.def;
+        "default.clock.min-quantum" = int.quantum.min;
+        "default.clock.max-quantum" = int.quantum.max;
+        "core.daemon" = true;
+        "core.name" = "pipewire-0";
+      };
+
+      "context.modules" = [
+        {
+          name = "libpipewire-module-rtkit";
+          args = {
+            "nice.level" = -15;
+            "rt.prio" = 88;
+            "rt.time.soft" = 200000;
+            "rt.time.hard" = 200000;
+          };
+          flags = [ "ifexists" "nofail" ];
+        }
+        { name = "libpipewire-module-protocol-native"; }
+        { name = "libpipewire-module-profiler"; }
+        { name = "libpipewire-module-metadata"; }
+        { name = "libpipewire-module-spa-device-factory"; }
+        { name = "libpipewire-module-spa-node-factory"; }
+        { name = "libpipewire-module-client-node"; }
+        { name = "libpipewire-module-client-device"; }
+        {
+          name = "libpipewire-module-portal";
+          flags = [ "ifexists" "nofail" ];
+        }
+        { name = "libpipewire-module-access"; args = {}; }
+        { name = "libpipewire-module-adapter"; }
+        { name = "libpipewire-module-link-factory"; }
+        { name = "libpipewire-module-session-manager"; }
+      ];
+      "stream.properties" = {
+        "node.latency" = "${str.quantum.min}/${str.rate}";
+        "resample.quality" = 1;
+      };
+    };
+    config.pipewire-pulse = {
+      "context.modules" = [
+        {
+          name = "libpipewire-module-rtkit";
+          args = {
+            "nice.level" = -15;
+            "rt.prio" = 88;
+            "rt.time.soft" = 200000;
+            "rt.time.hard" = 200000;
+          };
+          flags = [ "ifexists" "nofail" ];
+        }
+        { name = "libpipewire-module-protocol-native"; }
+        { name = "libpipewire-module-client-node"; }
+        { name = "libpipewire-module-adapter"; }
+        { name = "libpipewire-module-metadata"; }
+        {
+          name = "libpipewire-module-protocol-pulse";
+          args = {
+            "pulse.min.req" = "${str.quantum.min}/${str.rate}";
+            "pulse.default.req" = "${str.quantum.def}/${str.rate}";
+            "pulse.max.req" = "${str.quantum.max}/${str.rate}";
+            "pulse.min.quantum" = "${str.quantum.min}/${str.rate}";
+            "pulse.max.quantum" = "${str.quantum.max}/${str.rate}";
+            "server.address" = [ "unix:native" ];
+          };
+        }
+      ];
+      "stream.properties" = {
+        "node.latency" = "${str.quantum.min}/${str.rate}";
+        "resample.quality" = 1;
+      };
+    };
+  };
+}
+
--- a/hosts/winter/default.nix
+++ b/hosts/winter/default.nix
@ -0,0 +1,47 @@
+{ config, overlays, pkgs, ... }: {
+  networking.hostName = "winter";
+  system.stateVersion = "20.09";
+
+  environment.etc = {
+    "machine-id".source = "/var/persist/machine-id";
+    "ssh/ssh_host_rsa_key".source = "/var/persist/ssh_host_rsa_key";
+    "ssh/ssh_host_rsa_key.pub".source = "/var/persist/ssh_host_rsa_key.pub";
+    "ssh/ssh_host_ed25519_key".source = "/var/persist/ssh_host_ed25519_key";
+    "ssh/ssh_host_ed25519_key.pub".source = "/var/persist/ssh_host_ed25519_key.pub";
+  };
+  environment.pathsToLink = [ "/share/zsh" ];
+  users.mutableUsers = false;
+
+  imports = [
+    ./audio.nix
+    ./gui.nix
+    ./hardware-configuration.nix
+    ./kernel.nix
+    ./networking.nix
+    ./packages.nix
+    ./security.nix
+
+    ../../users/rin
+  ];
+  nix = rec {
+    package = pkgs.nixUnstable;
+    binaryCaches = [
+      "https://cache.nixos.org?priority=10"
+      "https://lava.cachix.org"
+    ];
+    binaryCachePublicKeys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "lava.cachix.org-1:8lTWI/3IKWHByzzYHZySunMPYs2eAJw2duL+uLZkSy0="
+    ];
+    trustedBinaryCaches = binaryCaches;
+
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+  nixpkgs.config.allowUnfree = true;
+
+  i18n.defaultLocale = "en_GB.UTF-8";
+  console.useXkbConfig = true;
+}
+
--- a/hosts/winter/gui.nix
+++ b/hosts/winter/gui.nix
@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }: {
+  fonts = {
+    enableDefaultFonts = true;
+    fontconfig = {
+      defaultFonts = {
+        serif = ["NotoSerif"];
+        sansSerif = ["NotoSans"];
+        monospace = ["CascadiaCode"];
+      };
+    };
+    fonts = with pkgs; [
+      cascadia-code
+      font-awesome-ttf
+      font-awesome_4
+      hanazono
+      material-icons
+      noto-fonts
+      noto-fonts-cjk
+      noto-fonts-extra
+      open-sans
+      twemoji-color-font
+      unifont
+    ];
+  };
+  services.xserver = {
+    enable = true;
+    autorun = false;
+    displayManager = {
+      lightdm.enable = lib.mkForce false;
+      startx.enable = true;
+      xserverArgs = [
+        "-ardelay 250"
+        "-arinterval 15"
+      ];
+    };
+    desktopManager.xterm.enable = false;
+    libinput = {
+      enable = true;
+      mouse = {
+        accelSpeed = "0";
+        accelProfile = "flat";
+      };
+    };
+    xkbOptions = "caps:escape";
+    windowManager.i3 = {
+      enable = true;
+      package = pkgs.i3-gaps;
+      extraPackages = with pkgs; [
+        dunst
+        feh
+        lxappearance
+        maim
+        picom
+        polybar
+        rofi
+        xclip
+      ];
+    };
+  };
+}
--- a/hosts/winter/hardware-configuration.nix
+++ b/hosts/winter/hardware-configuration.nix
@ -0,0 +1,63 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=4G" "mode=755" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/E8E8-E570";
+      fsType = "vfat";
+    };
+
+  fileSystems."/mnt/butter" =
+    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
+      fsType = "btrfs";
+      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=5" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
+      fsType = "btrfs";
+      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=258" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
+      fsType = "btrfs";
+      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=260" ];
+    };
+
+  fileSystems."/root" =
+    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
+      fsType = "btrfs";
+      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=261" ];
+    };
+
+  fileSystems."/var" =
+    { device = "/dev/disk/by-uuid/8f0ba28e-5dff-4a4e-8db0-aa72cc90cb5d";
+      fsType = "btrfs";
+      options = [ "autodefrag" "compress=zstd:3" "nossd" "nossd_spread" "relatime" "subvolid=259" ];
+    };
+
+  fileSystems."/mnt/hdd" =
+    { device = "/dev/disk/by-uuid/d5e3cfe5-c73a-4695-b81b-fc0215d4cefe";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+}
--- a/hosts/winter/kernel.nix
+++ b/hosts/winter/kernel.nix
@ -0,0 +1,44 @@
+{ config, pkgs, ... }: {
+  powerManagement.cpuFreqGovernor = "ondemand";
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+      grub = {
+        enable = true;
+        efiSupport = true;
+        device = "nodev";
+      };
+    };
+    blacklistedKernelModules = ["uvcvideo"];
+    initrd = {
+      includeDefaultModules = false;
+      kernelModules = [ "i915" ];
+    };
+    kernel.sysctl = {
+      "kernel.core_pattern" = "|/bin/false";
+      "kernel.sysrq" = 1;
+    };
+    kernelParams = [
+      "amdgpu.gpu_recovery=1"
+      "amdgpu.si_support=1"
+      "radeon.si_support=0"
+      "intel_pstate=passive"
+      "msr.allow_writes=on"
+    ];
+    kernelPackages = pkgs.linuxPackages_tkg {
+      debug = false;
+      scheduler = "cacule";
+      timerFreq = 2000;
+      numa = false;
+      tickless = 1;
+      localVersion = "Lava";
+    };
+    kernelPatches = [{
+      name = "si-clocking";
+      patch = ../../packages/linux-lava/si-manual-clocking.patch;
+    }];
+    #kernelPackages = pkgs.lib.mkForce (pkgs.linuxPackagesFor pkgs.linux-lava);
+  };
+  zramSwap.enable = true;
+}
--- a/hosts/winter/networking.nix
+++ b/hosts/winter/networking.nix
@ -0,0 +1,21 @@
+{ config, ... }: {
+  networking.wireless = {
+    enable = true;
+    interfaces = [ "wlp3s0" ];
+  };
+
+  networking.useDHCP = false;
+  networking.interfaces.eno1.useDHCP = false;
+  networking.interfaces.wlp3s0.useDHCP = false;
+
+  networking.interfaces.eno1.ipv4.addresses = [{
+    address = "10.0.0.2";
+    prefixLength = 24;
+  }];
+  networking.interfaces.wlp3s0.ipv4.addresses = [{
+    address = "192.168.100.13";
+    prefixLength = 24;
+  }];
+  networking.defaultGateway = "192.168.100.1";
+  networking.nameservers = ["192.168.100.11"];
+}
--- a/hosts/winter/packages.nix
+++ b/hosts/winter/packages.nix
@ -0,0 +1,33 @@
+{ config, pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    efibootmgr
+    git
+    gparted
+    htop
+    libarchive
+    lf
+    msr-tools
+    ncdu
+    neovim
+    rsync
+    wget
+
+    gnome3.nautilus
+  ];
+  environment.variables.EDITOR = "nvim";
+
+  hardware.opengl.extraPackages = with pkgs; [
+     vaapiIntel
+     vaapiVdpau
+     libvdpau-va-gl
+     intel-ocl
+     rocm-opencl-icd
+     rocm-opencl-runtime
+  ];
+  programs.light.enable = true;
+  hardware.opentabletdriver.enable = true;
+  programs.steam.enable = true;
+  services.dbus.packages = [ pkgs.gnome3.dconf pkgs.gcr ];
+  services.gnome.sushi.enable = true;
+  # services.ipfs.enable = true;
+}
--- a/hosts/winter/security.nix
+++ b/hosts/winter/security.nix
@ -0,0 +1,19 @@
+{ config, pkgs, ... }: {
+  networking.firewall.enable = false;
+  services.openssh.enable = true;
+
+  security = {
+    polkit.enable = true;
+    sudo.enable = false;
+    doas = {
+      enable = true;
+      extraRules = [
+        {
+          groups = ["wheel"];
+          keepEnv = true;
+          persist = true;
+        }
+      ];
+    };
+  };
+}
--- a/modules/binds.nix
+++ b/modules/binds.nix
@ -1,13 +0,0 @@
-{ config, lib, ...}: {
-  imports = [ ./options.nix ];
-  fileSystems = lib.mapAttrs (dest: key: let
-    target = if (lib.strings.hasPrefix "/" key)
-      then key
-      else "/persist/binds/${key}";
-  in {
-    depends = [ "/persist" ];
-    device = target;
-    fsType = "none";
-    options = [ "bind" ];
-  }) config.me.binds;
-}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,80 +0,0 @@
-{ lib }:
-let
-  getName = path: lib.removeSuffix ".nix" ( # Strip extension
-    lib.last (                              # Gets the last part (filename)
-      lib.splitString "/" (                 # Splits the path into components
-        builtins.toString path              # Converts the path into a string
-      )
-    )
-  );
-  mkAttrsFromPaths = paths: builtins.listToAttrs (
-    builtins.map (path: {
-      name = getName path;
-      value = path;
-    }) paths
-  );
-in {
-  binds = ./binds.nix;
-  options = ./options.nix;
-  services = mkAttrsFromPaths [
-    ./services/banksia.nix
-    ./services/jellyfin.nix
-    ./services/nginx.nix
-    ./services/postgres.nix
-    ./services/sonarr.nix
-    ./services/synapse.nix
-    ./services/syncthing.nix
-    ./services/tmptsync.nix
-    ./services/transmission.nix
-    ./services/unbound.nix
-    ./services/vaultwarden.nix
-    ./services/website.nix
-  ];
-  system = mkAttrsFromPaths [
-    ./system/aagl.nix
-    ./system/audio.nix
-    ./system/base.nix
-    ./system/bluetooth.nix
-    ./system/ccache.nix
-    ./system/corectrl.nix
-    ./system/docker.nix
-    ./system/flatpak.nix
-    ./system/greetd.nix
-    ./system/gui.nix
-    ./system/home-manager.nix
-    ./system/input.nix
-    ./system/kernel.nix
-    ./system/nix.nix
-    ./system/nix-stable.nix
-    ./system/packages.nix
-    ./system/printing.nix
-    ./system/security.nix
-    ./system/snapper.nix
-    ./system/tailscale.nix
-    ./system/virtualisation.nix
-    ./system/wireguard.nix
-  ];
-  user = mkAttrsFromPaths [
-    ./user/catppuccin.nix
-    ./user/comma.nix
-    ./user/direnv.nix
-    ./user/dunst.nix
-    ./user/eww.nix
-    ./user/git.nix
-    ./user/gpg.nix
-    ./user/hypridle.nix
-    ./user/hyprlock.nix
-    ./user/kitty.nix
-    ./user/mpv.nix
-    ./user/neovim.nix
-    ./user/neovim-minimal.nix
-    ./user/npm.nix
-    ./user/obs.nix
-    ./user/rofi.nix
-    ./user/sessionVariables.nix
-    ./user/spicetify.nix
-    ./user/theming.nix
-    ./user/xdg.nix
-    ./user/zsh.nix
-  ];
-}
--- a/modules/options.nix
+++ b/modules/options.nix
@ -1,53 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib)
-    mkOption
-    types;
-in {
-  options.me = {
-    environment = mkOption {
-      type = types.enum [ "desktop" "laptop" "headless" ];
-      default = "desktop";
-    };
-
-    hasFingerprint = mkOption {
-      type = types.bool;
-      default = false;
-    };
-
-    gui = mkOption {
-      type = types.bool;
-      default = config.me.environment != "headless";
-    };
-
-    batteryDevice = mkOption {
-      type = with types; nullOr (uniq str);
-      default = null;
-    };
-
-    kbBacklightDevice = mkOption {
-      type = with types; nullOr (uniq str);
-      default = null;
-    };
-
-    hasBluetooth = mkOption {
-      type = types.bool;
-      default = config.me.environment == "laptop";
-    };
-
-    hasWifi = mkOption {
-      type = types.bool;
-      default = config.me.environment == "laptop";
-    };
-
-    hidpi = mkOption {
-      type = types.bool;
-      default = false;
-    };
-
-    binds = lib.mkOption {
-      type = with lib.types; attrsOf str;
-      default = {};
-    };
-  };
-}
--- a/modules/services/banksia.nix
+++ b/modules/services/banksia.nix
@ -1,11 +0,0 @@
-# TODO ^^
-{ ... }: {
-  services.nginx.virtualHosts = {
-    "banksia.lava.moe" = {
-      useACMEHost = "lava.moe";
-      forceSSL = true;
-      locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
-      locations."/api".proxyPass = "http://localhost:8080/";
-    };
-  };
-}
--- a/modules/services/jellyfin.nix
+++ b/modules/services/jellyfin.nix
@ -1,28 +0,0 @@
-{ ... }:
-let
-  dir = "/persist/jellyfin";
-in
-{
-  fileSystems."/var/lib/jellyfin" = {
-    depends = [ "/persist" ];
-    device = dir;
-    fsType = "none";
-    options = [ "bind" ];
-  };
-  system.activationScripts."jellyfin-create-bind-mount" = {
-    deps = [ "users" "groups" ];
-    text = ''
-      mkdir -p ${dir}
-      chown jellyfin:jellyfin ${dir}
-      chmod 700 ${dir}
-    '';
-  };
-  systemd.tmpfiles.rules = [
-    "d /tmp/jelly-transcodes 700 jellyfin jellyfin"
-    "L+ /var/lib/jellyfin/transcodes - - - - /tmp/jelly-transcodes"
-  ];
-  services.jellyfin = {
-    enable = true;
-    openFirewall = true;
-  };
-}
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -1,28 +0,0 @@
-{ config, ... }: {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "me@lava.moe";
-      group = "nginx";
-      dnsProvider = "cloudflare";
-      environmentFile = config.age.secrets."acme_dns".path;
-    };
-    certs."lava.moe" = {
-      extraDomainNames = [
-        "*.lava.moe"
-        "*.local.lava.moe"
-      ];
-    };
-    certs."cilly.moe" = {};
-    certs."cilly.dev" = {};
-  };
-
-  services.nginx = {
-    enable = true;
-    recommendedTlsSettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-  };
-}
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
@ -1,20 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  dir = "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
-  uid = toString config.ids.uids.postgres;
-  gid = toString config.ids.gids.postgres;
-in {
-  systemd.tmpfiles.rules = [ "d ${dir} 700 ${uid} ${gid}" ];
-  services.postgresql = {
-    enable = true;
-    dataDir = dir;
-    # TODO: broken :3
-    package = pkgs.postgresql_13;
-    authentication = lib.mkOverride 10 ''
-      #type  database  DBuser  origin-address      auth-method
-      local  all       all                         trust
-      host   all       all     127.0.0.1/32        trust
-      host   all       all     ::1/128             trust
-    '';
-  };
-}
--- a/modules/services/sonarr.nix
+++ b/modules/services/sonarr.nix
@ -1,11 +0,0 @@
-{ ... }:
-let
-  dir = "/persist/sonarr";
-in
-{
-  services.sonarr = {
-    enable = true;
-    dataDir = dir;
-    openFirewall = true;
-  };
-}
--- a/modules/services/synapse.nix
+++ b/modules/services/synapse.nix
@ -1,89 +0,0 @@
-{ config, lib, options, pkgs, ... }:
-let
-  dom = "lava.moe";
-  sub = "matrix.lava.moe";
-  dir = "/persist/matrix-synapse";
-  uid = toString config.ids.uids.matrix-synapse;
-  gid = toString config.ids.gids.matrix-synapse;
-in {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  systemd.tmpfiles.rules = [ "d ${dir} 700 ${uid} ${gid}" ];
-
-  /*services.postgresql = {
-    ensureDatabases = [ "matrix-synapse" ];
-    ensureUsers = [{
-      name = "matrix-synapse";
-      ensurePermissions = {
-        "DATABASE matrix-synapse" = "ALL PRIVILEGES";
-      };
-    }];
-  };*/
-  # TODO this would be bad if we use postgres for other things too
-  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
-    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-      TEMPLATE template0
-      LC_COLLATE = "C"
-      LC_CTYPE = "C";
-  '';
-
-  services.nginx = {
-    virtualHosts = {
-      ${dom} = {
-        locations."= /.well-known/matrix/server".extraConfig =
-          let
-            server = { "m.server" = "${sub}:443"; };
-          in ''
-            add_header Content-Type application/json;
-            return 200 '${builtins.toJSON server}';
-          '';
-        locations."= /.well-known/matrix/client".extraConfig =
-          let
-            client = {
-              "m.homeserver" =  { "base_url" = "https://${sub}"; };
-              "m.identity_server" =  { "base_url" = "https://vector.im"; };
-            };
-          in ''
-            add_header Content-Type application/json;
-            add_header Access-Control-Allow-Origin *;
-            return 200 '${builtins.toJSON client}';
-          '';
-      };
-
-      ${sub} = {
-        forceSSL = true;
-        useACMEHost = dom;
-
-        locations."/".extraConfig = ''
-          return 302 'https://${dom}';
-        '';
-
-        locations."/_matrix" = {
-          proxyPass = "http://[::1]:8008";
-        };
-      };
-    };
-  };
-
-  services.matrix-synapse = {
-    enable = true;
-    dataDir = dir;
-    server_name = dom;
-    logConfig = builtins.replaceStrings [ "INFO" ] [ "WARNING" ] options.services.matrix-synapse.logConfig.default;
-    listeners = [
-      {
-        port = 8008;
-        bind_address = "::1";
-        type = "http";
-        tls = false;
-        x_forwarded = true;
-        resources = [
-          {
-            names = [ "client" "federation" ];
-            compress = false;
-          }
-        ];
-      }
-    ];
-  };
-}
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@ -1,23 +0,0 @@
-{ config, ... }:
-let
-  dir = "/persist/shared/.syncthing";
-  user = if config.me.gui then "rin" else "hana";
-  uid = toString config.users.users."${user}".uid;
-  gid = toString config.users.groups.users.gid;
-in
-{
-  systemd.tmpfiles.rules = [
-    "d ${dir}/config 700 ${uid} ${gid}"
-    "d ${dir}/data 700 ${uid} ${gid}"
-  ];
-  systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
-  services.syncthing = {
-    enable = true;
-    openDefaultPorts = true;
-    user = user;
-    group = "users";
-    dataDir = "/persist/shared/.syncthing/data";
-    configDir = "/persist/shared/.syncthing/config";
-    guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
-  };
-}
--- a/modules/services/tmptsync.nix
+++ b/modules/services/tmptsync.nix
@ -1,32 +0,0 @@
-{ ... }:
-let
-  dir = "/persist/tmptsync";
-in
-{
-  systemd = {
-    services = {
-      tmptsync-load = {
-        before = [ "basic.target" ];
-        after = [ "local-fs.target" "sysinit.target" ];
-        unitConfig.DefaultDependencies = false;
-
-        environment.FILE = dir;
-        script = "${../../scripts/tmptsync.sh} load";
-        wantedBy = [ "basic.target" ];
-      };
-
-      tmptsync-save = {
-        environment.FILE = dir;
-        script = "${../../scripts/tmptsync.sh} save";
-        wantedBy = [ "basic.target" ];
-      };
-    };
-    timers.tmptsync-save = {
-      timerConfig = {
-        Unit = "tmptsync-save.service";
-        OnBootSec = "30min";
-        OnUnitActiveSec = "2h";
-      };
-    };
-  };
-}
--- a/modules/services/transmission.nix
+++ b/modules/services/transmission.nix
@ -1,18 +0,0 @@
-{ config, ... }: {
-  networking.firewall.allowedTCPPorts = [ 9091 ];
-  services.transmission = {
-    enable = true;
-    downloadDirPermissions = "775";
-    openFirewall = true;
-    settings = {
-      download-dir = "/persist/transmission/Downloads";
-      incomplete-dir = "/persist/transmission/.incomplete";
-      ratio-limit-enabled = true;
-      rpc-bind-address = "0.0.0.0";
-      rpc-enabled = true;
-      rpc-port = 9091;
-      rpc-host-whitelist = "${config.networking.hostName}";
-      rpc-whitelist = "10.100.0.*,10.0.0.*,192.168.100.*";
-    };
-  };
-}
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@ -1,62 +0,0 @@
-{ inputs, pkgs, gcSecrets, ... }:
-let
-  dir = "/persist/unbound";
-
-  converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
-    echo "server:" > "$out"
-    grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
-  '';
-in {
-  networking.firewall.interfaces."ve-+" = {
-    allowedUDPPorts = [ 53 853 ];
-    allowedTCPPorts = [ 53 853 ];
-  };
-  networking.firewall.interfaces.wg0 = {
-    allowedUDPPorts = [ 53 853 ];
-    allowedTCPPorts = [ 53 853 ];
-  };
-  systemd.tmpfiles.rules = [ "d ${dir} 700 unbound unbound" ];
-
-  services.unbound = {
-    enable = true;
-    stateDir = dir;
-    settings = {
-      forward-zone = [{
-        name = ".";
-        forward-tls-upstream = true;
-        forward-addr = [
-          "2606:4700:4700::1111@853#cloudflare-dns.com"
-          "2606:4700:4700::1001@853#cloudflare-dns.com"
-          "2001:4860:4860::8888@853#dns.google"
-          "2001:4860:4860::8844@853#dns.google"
-          "1.1.1.1@853#cloudflare-dns.com"
-          "1.0.0.1@853#cloudflare-dns.com"
-          "8.8.8.8@853#dns.google"
-          "8.8.4.4@853#dns.google"
-        ];
-      }];
-
-      server = {
-        interface = [ "0.0.0.0" "::0" ];
-        access-control = [
-          "127.0.0.1/8      allow"
-          "10.0.0.0/8       allow"
-          "100.64.0.0/10    allow"
-          "192.168.100.0/24 allow"
-          "fd0d::/16        allow"
-          "fd7a:115c:a1e0::/48 allow"
-          "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
-        ];
-        domain-insecure = [ "\"local.lava.moe\"" ];
-        local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
-        local-data = [
-          "\"warden.local.lava.moe. IN A 10.100.0.2\""
-        ];
-      };
-
-      include = "${converted}";
-    };
-  };
-
-  systemd.services.unbound.serviceConfig.ReadWritePaths = [ dir ];
-}
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@ -1,32 +0,0 @@
-{ config, lib, ... }:
-let
-  dir = "/persist/vaultwarden";
-  user = config.users.users.vaultwarden.name;
-  group = config.users.groups.vaultwarden.name;
-in {
-  systemd.tmpfiles.rules = [
-    "d ${dir} 700 ${user} ${group}"
-    "d ${dir}_backup 700 ${user} ${group}"
-  ];
-  services.vaultwarden = {
-    enable = true;
-    backupDir = "${dir}_backup";
-    config = {
-      dataFolder = dir;
-      signupsAllowed = false;
-      domain = "https://warden.local.lava.moe";
-      rocketPort = 8002;
-    };
-    environmentFile = config.age.secrets.warden_admin.path;
-  };
-
-  services.nginx.virtualHosts."warden.local.lava.moe" = {
-    forceSSL = true;
-    useACMEHost = "lava.moe";
-
-    locations."/".proxyPass = "http://localhost:8002";
-  };
-
-  systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ dir ];
-  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce dir;
-}
--- a/modules/services/website.nix
+++ b/modules/services/website.nix
@ -1,43 +0,0 @@
-{ inputs, pkgs, ... }: let
-  pastel = inputs.pastel.packages.${pkgs.system}.default;
-in {
-  services.nginx.virtualHosts = {
-    "cilly.moe" = {
-      useACMEHost = "cilly.moe";
-      forceSSL = true;
-      root = pastel.outPath;
-    };
-    "cilly.dev" = {
-      useACMEHost = "cilly.dev";
-      forceSSL = true;
-      root = pastel.outPath;
-    };
-    "lava.moe" = {
-      useACMEHost = "lava.moe";
-      forceSSL = true;
-      root = inputs.website.outPath;
-    };
-    "cdn.lava.moe" = {
-      useACMEHost = "lava.moe";
-      forceSSL = true;
-      extraConfig = ''
-        return 301 https://sh.lava.moe$request_uri;
-      '';
-    };
-    "sh.lava.moe" = {
-      useACMEHost = "lava.moe";
-      forceSSL = true;
-      root = "/persist/cdn";
-    };
-    "_" = {
-      default = true;
-      addSSL = true;
-      # TODO generate this somewhere
-      sslCertificate = "/persist/fakeCerts/fake.crt";
-      sslCertificateKey = "/persist/fakeCerts/fake.key";
-      extraConfig = ''
-        return 444;
-      '';
-    };
-  };
-}
--- a/modules/system/aagl.nix
+++ b/modules/system/aagl.nix
@ -1,6 +0,0 @@
-{ inputs, ... }: {
-  imports = [ inputs.aagl.nixosModules.default ];
-  nix.settings = inputs.aagl.nixConfig;
-  programs.anime-game-launcher.enable = true;
-  programs.sleepy-launcher.enable = true;
-}
--- a/modules/system/audio.nix
+++ b/modules/system/audio.nix
@ -1,88 +0,0 @@
-{ config, ... }:
-let
-  int = {
-    quantum = {
-      min = 64;
-      def = 1024;
-      max = 2048;
-    };
-    rate = 48000;
-  };
-  str = {
-    quantum = {
-      min = toString int.quantum.min;
-      def = toString int.quantum.def;
-      max = toString int.quantum.max;
-    };
-    rate = toString int.rate;
-  };
-in {
-  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-    jack.enable = true;
-  };
-  services.pipewire.extraConfig.pipewire = {
-    "context.properties" = {
-      "default.clock.rate" = int.rate;
-      "default.clock.quantum" = int.quantum.def;
-      "default.clock.min-quantum" = int.quantum.min;
-      "default.clock.max-quantum" = int.quantum.max;
-    };
-
-    "context.modules" = [
-      {
-        name = "libpipewire-module-rtkit";
-        args = {
-          "nice.level" = -15;
-          "rt.prio" = 88;
-          "rt.time.soft" = 200000;
-          "rt.time.hard" = 200000;
-        };
-      }
-    ];
-    "stream.properties" = {
-      "node.latency" = "${str.quantum.min}/${str.rate}";
-      "resample.quality" = 1;
-    };
-  };
-  services.pipewire.extraConfig.pipewire-pulse = {
-      "context.modules" = [
-        {
-          name = "libpipewire-module-rtkit";
-          args = {
-            "nice.level" = -15;
-            "rt.prio" = 88;
-            "rt.time.soft" = 200000;
-            "rt.time.hard" = 200000;
-          };
-        }
-      ];
-      "pulse.properties" = {
-         "pulse.min.req" = "${str.quantum.min}/${str.rate}";
-         "pulse.default.req" = "${str.quantum.def}/${str.rate}";
-         "pulse.max.req" = "${str.quantum.max}/${str.rate}";
-         "pulse.min.quantum" = "${str.quantum.min}/${str.rate}";
-         "pulse.max.quantum" = "${str.quantum.max}/${str.rate}";
-      };
-      "pulse.rules" = [
-        {
-          # Discord notification sounds fix
-          matches = [ { "application.process.binary" = ".DiscordCanary-wrapped"; } ];
-          actions = {
-              update-props = {
-                  "pulse.min.quantum" = "1024/48000";
-              };
-          };
-        }
-      ];
-      "stream.properties" = {
-        "node.latency" = "${str.quantum.min}/${str.rate}";
-        "resample.quality" = 1;
-      };
-  };
-}
-
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@ -1,27 +0,0 @@
-{ config, inputs, modules, ... }: {
-  imports = [ modules.binds modules.options ];
-
-  environment.etc = {
-    "machine-id".source = "/persist/machine-id";
-    "ssh/ssh_host_rsa_key".source = "/persist/ssh_host_rsa_key";
-    "ssh/ssh_host_rsa_key.pub".source = "/persist/ssh_host_rsa_key.pub";
-    "ssh/ssh_host_ed25519_key".source = "/persist/ssh_host_ed25519_key";
-    "ssh/ssh_host_ed25519_key.pub".source = "/persist/ssh_host_ed25519_key.pub";
-  };
-  environment.pathsToLink = [ "/share/zsh" ];
-
-  i18n.defaultLocale = "en_AU.UTF-8";
-  i18n.extraLocales = [ "en_GB.UTF-8/UTF-8" ];
-
-  users.mutableUsers = false;
-
-  system = {
-    configurationRevision = inputs.self.rev;
-    nixos = rec {
-      version = config.system.nixos.release + versionSuffix;
-      versionSuffix = "-${config.system.name}.r${builtins.toString inputs.self.revCount}.${inputs.self.shortRev}";
-    };
-  };
-  nix.registry.config.flake = inputs.self;
-  nix.registry.shells.flake = inputs.self;
-}
--- a/modules/system/bluetooth.nix
+++ b/modules/system/bluetooth.nix
@ -1,6 +0,0 @@
-{ ... }: {
-  hardware.bluetooth = {
-    enable = true;
-    powerOnBoot = true;
-  };
-}
--- a/modules/system/ccache.nix
+++ b/modules/system/ccache.nix
@ -1,3 +0,0 @@
-{ config, ... }: {
-  programs.ccache.enable = true;
-}
--- a/modules/system/corectrl.nix
+++ b/modules/system/corectrl.nix
@ -1,5 +0,0 @@
-{ ... }: {
-  programs.corectrl = {
-    enable = true;
-  };
-}
--- a/modules/system/docker.nix
+++ b/modules/system/docker.nix
@ -1,13 +0,0 @@
-{ pkgs, ... }: {
-  virtualisation.docker = {
-    enable = true;
-    storageDriver = "btrfs";
-    # rootless = {
-    #   enable = true;
-    #   setSocketVariable = true;
-    # };
-  };
-  environment.systemPackages = [
-    pkgs.docker-compose
-  ];
-}
--- a/modules/system/flatpak.nix
+++ b/modules/system/flatpak.nix
@ -1,8 +0,0 @@
-{ pkgs, ... }: {
-  services.flatpak.enable = true;
-  xdg.portal = {
-    enable = true;
-    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
-    config.common.default = "*";
-  };
-}
--- a/modules/system/greetd.nix
+++ b/modules/system/greetd.nix
@ -1,18 +0,0 @@
-{ pkgs, ... }: {
-  services.greetd = {
-    enable = true;
-    settings = {
-      default_session = {
-        command = "${pkgs.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
-        user = "greeter";
-      };
-
-      initial_session = {
-        command = "${pkgs.writeShellScript "launch.sh" ''
-          zsh -c "source $HOME/.config/zsh/.zshrc && Hyprland > \"$XDG_RUNTIME_DIR/Hyprland.out\""
-        ''}";
-        user = "rin";
-      };
-    };
-  };
-}
--- a/modules/system/gui.nix
+++ b/modules/system/gui.nix
@ -1,31 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  fonts = {
-    enableDefaultPackages = true;
-    fontconfig = {
-      defaultFonts = {
-        serif = [ "NotoSerif" ];
-        sansSerif = [ "NotoSans" ];
-        monospace = [ "CascadiaCode" ];
-      };
-    };
-    packages = with pkgs; [
-      material-symbols
-      material-icons
-      cascadia-code
-      hanazono
-      noto-fonts
-      noto-fonts-cjk-sans
-      open-sans
-      twemoji-color-font
-      unifont
-    ];
-  };
-  services.xserver = {
-    enable = true;
-    displayManager.lightdm.enable = lib.mkForce false;
-    desktopManager.xterm.enable = false;
-  };
-
-  programs.hyprland.enable = true;
-  security.pam.services.hyprlock = {};
-}
--- a/modules/system/home-manager.nix
+++ b/modules/system/home-manager.nix
@ -1,19 +0,0 @@
-{ config, inputs, modules, ... }: {
-  imports = [
-    inputs.home-manager.nixosModules.home-manager
-  ];
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    extraSpecialArgs = {
-      inherit inputs modules;
-      sysConfig = config;
-    };
-    sharedModules = [
-      {
-        imports = [ modules.options ];
-        config.me = config.me;
-      }
-    ];
-  };
-}
--- a/modules/system/input.nix
+++ b/modules/system/input.nix
@ -1,24 +0,0 @@
-{ ... }: {
-  services.xserver = {
-    displayManager = {
-      xserverArgs = [
-        "-ardelay 150"
-        "-arinterval 15"
-      ];
-    };
-  };
-  services.keyd = {
-    enable = true;
-    keyboards = {
-      default = {
-        ids = [ "*" ];
-        settings = {
-          main = {
-            capslock = "esc";
-            esc = "capslock";
-          };
-        };
-      };
-    };
-  };
-}
--- a/modules/system/kernel.nix
+++ b/modules/system/kernel.nix
@ -1,18 +0,0 @@
-{ config, pkgs, ... }: {
-  boot = {
-    blacklistedKernelModules = [ "uvcvideo" ];
-    initrd = {
-      includeDefaultModules = false;
-      availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
-    };
-    kernel.sysctl = {
-      "kernel.core_pattern" = "|/bin/false";
-      "kernel.sysrq" = 1;
-    };
-  };
-  hardware.enableRedistributableFirmware = true;
-  zramSwap = {
-    enable = true;
-    priority = 100;
-  };
-}
--- a/modules/system/nix-stable.nix
+++ b/modules/system/nix-stable.nix
@ -1,23 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  nix = {
-    package = pkgs.nixVersions.latest;
-
-    settings = rec {
-      substituters = [
-        "https://cache.nixos.org?priority=10"
-        "https://lava.cachix.org"
-      ];
-      trusted-public-keys = [
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-        "lava.cachix.org-1:8lTWI/3IKWHByzzYHZySunMPYs2eAJw2duL+uLZkSy0="
-      ];
-      trusted-substituters = substituters;
-    };
-
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-  nixpkgs.config.allowUnfree = true;
-  programs.nh.enable = true;
-}
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@ -1,28 +0,0 @@
-{ config, inputs, pkgs, ... }: {
-  nix = {
-    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-    package = pkgs.nixVersions.latest;
-
-    settings = rec {
-      extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
-      substituters = [
-        "https://cache.nixos.org?priority=10"
-        "https://lava.cachix.org"
-        "https://nix-gaming.cachix.org"
-      ];
-      trusted-public-keys = [
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-        "lava.cachix.org-1:8lTWI/3IKWHByzzYHZySunMPYs2eAJw2duL+uLZkSy0="
-        "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
-      ];
-      trusted-substituters = substituters;
-      trusted-users = [ "root" "rin" ];
-    };
-
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-  nixpkgs.config.allowUnfree = true;
-  programs.nh.enable = true;
-}
--- a/modules/system/packages-gui.nix
+++ b/modules/system/packages-gui.nix
@ -1,26 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  config = lib.mkIf config.me.gui {
-    environment.systemPackages = with pkgs; [
-      android-tools
-      gparted
-      nautilus
-    ];
-    hardware.graphics.extraPackages = with pkgs; [
-      intel-vaapi-driver
-      libva-vdpau-driver
-      libvdpau-va-gl
-    ];
-    hardware.opentabletdriver.enable = true;
-    hardware.keyboard.qmk.enable = true;
-    programs.steam = {
-      enable = true;
-      package = pkgs.steam.override {
-        extraPkgs = pkgs: with pkgs; [
-          gsettings-desktop-schemas
-        ];
-      };
-    };
-    services.dbus.packages = [ pkgs.dconf pkgs.gcr ];
-    services.gnome.sushi.enable = true;
-  };
-}
--- a/modules/system/packages.nix
+++ b/modules/system/packages.nix
@ -1,25 +0,0 @@
-{ pkgs, ... }: {
-  imports = [ ./packages-gui.nix ];
-  environment.systemPackages = with pkgs; [
-    # ecryptfs
-    efibootmgr
-    fd
-    git
-    git-crypt
-    htop
-    jq
-    kitty.terminfo
-    libarchive
-    lf
-    msr-tools
-    ncdu
-    neovim
-    nfs-utils
-    ntfs3g
-    ripgrep
-    rsync
-    sshfs
-    wget
-  ];
-  environment.variables.EDITOR = "nvim";
-}
--- a/modules/system/printing.nix
+++ b/modules/system/printing.nix
@ -1,9 +0,0 @@
-{ pkgs, ... }: {
-  services.printing = {
-    enable = true;
-    drivers = with pkgs; [
-      epson-escpr
-      #me.epson-201112j
-    ];
-  };
-}
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@ -1,85 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  networking.firewall =
-  let
-    iptables = "${pkgs.iptables}/bin/iptables";
-    genCmds = type: ''
-      ${iptables} -${type} nixos-fw -p tcp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
-      ${iptables} -${type} nixos-fw -p udp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
-    '';
-  in {
-    enable = true;
-    allowedUDPPortRanges = [ { from = 20000; to = 20100; } ];
-    allowedTCPPortRanges = [ { from = 20000; to = 20100; } ];
-    trustedInterfaces = [ "wg0" ];
-    logRefusedConnections = false;
-
-    extraCommands = genCmds "I";
-    extraStopCommands = genCmds "D";
-  };
-
-  services.openssh = {
-    enable = true;
-    settings = {
-      PermitRootLogin = "no";
-      PasswordAuthentication = false;
-      X11Forwarding = true;
-    };
-
-    hostKeys = [
-      {
-        bits = 4096;
-        path = "/persist/ssh_host_rsa_key";
-        rounds = 100;
-        type = "rsa";
-      }
-      {
-        path = "/persist/ssh_host_ed25519_key";
-        rounds = 100;
-        type = "ed25519";
-      }
-    ];
-  };
-
-  security = {
-    polkit.enable = true;
-    sudo.enable = false;
-    doas = {
-      enable = true;
-      extraRules = [
-        {
-          groups = [ "wheel" ];
-          keepEnv = true;
-          persist = true;
-        }
-      ];
-    };
-    pam = lib.mkIf (config.me.environment != "headless") {
-      u2f = {
-        enable = true;
-        settings = {
-          cue = true;
-          pinverification = 1;
-        };
-      };
-      services.doas.rules.auth = {
-        u2f.settings.pinverification = lib.mkForce 0;
-        u2f_int = lib.mkMerge [
-          {
-            enable = true;
-            order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
-            control = "sufficient";
-            modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
-            inherit (config.security.pam.u2f) settings;
-          }
-          {
-            settings = lib.mkForce {
-              interactive = true;
-              pinverification = 0;
-              userpresence = 0;
-            };
-          }
-        ];
-      };
-    };
-  };
-}
--- a/modules/system/snapper.nix
+++ b/modules/system/snapper.nix
@ -1,17 +0,0 @@
-{ config, lib, ... }: {
-  services.snapper = {
-    cleanupInterval = "1h";
-    configs.home = {
-      FSTYPE = "btrfs";
-      SUBVOLUME = "/home";
-      TIMELINE_CLEANUP = true;
-      TIMELINE_CREATE = true;
-      TIMELINE_MIN_AGE = "1800";
-      TIMELINE_LIMIT_HOURLY = "5";
-      TIMELINE_LIMIT_DAILY = "7";
-      TIMELINE_LIMIT_WEEKLY = "0";
-      TIMELINE_LIMIT_MONTHLY = "0";
-      TIMELINE_LIMIT_YEARLY = "0";
-    };
-  };
-}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
LavaDesu	49eec3c149	more more fixes	2021-06-28 14:11:15 +07:00
LavaDesu	fdae40c7ef	aa	2021-06-28 13:45:07 +07:00
LavaDesu	06ec8c63c0	disable zfsFix	2021-06-28 13:31:18 +07:00
LavaDesu	bd0c58c121	more fix	2021-06-28 11:05:28 +07:00
LavaDesu	264b62ca6a	use pre-patched kernel source instead of patching ourselves nix strips FHS before patching, causing the patch for some versions to fail	2021-06-28 10:53:51 +07:00
LavaDesu	df5bfd14d6	fix	2021-06-28 09:36:05 +07:00
LavaDesu	dfc2cdbd89	move sources into its own file also a bunch of misc changes	2021-06-28 09:32:32 +07:00
LavaDesu	c37ff41ca3	a	2021-06-28 08:57:18 +07:00
LavaDesu	287352e41a	yaml is dumb	2021-06-28 08:53:25 +07:00
LavaDesu	b0cb801b46	oops - fix workflow	2021-06-28 08:52:16 +07:00
LavaDesu	82705a2887	Add linux-tkg	2021-06-28 08:48:28 +07:00
				`@ -1 +0,0 @@`
				`secrets.gcrypt/** filter=git-crypt diff=git-crypt`