Compare commits


278 Commits

Author SHA1 Message Date
11418b33b9 ⬆️ version bump 2025-10-19 20:15:33 -04:00
3ebc43b540 🚑 fix raspberry pi build 2025-10-15 12:27:35 -04:00
8fbf192735 ⬆️ version bump 2025-10-12 11:02:54 -04:00
262b1a1f30 ⬆️ version bump 2025-10-11 21:11:58 -04:00
919da33fb5 ⬆️ version bump 2025-10-07 13:21:55 -04:00
c3fd894a76 💄 squircle icon for emacs 2025-09-25 14:35:27 -04:00
a3604071d5 📦 more package tweaks 2025-09-08 17:30:42 -04:00
b7a0807165 📦 more package tweaks 2025-09-02 17:12:25 -04:00
55ae30f066 🔧 fresh borgbase repo 2025-09-01 13:14:06 -04:00
861a12bc60 📦 what's one more browser? 2025-09-01 13:11:02 -04:00
9fa98cb111 🔒️ plato: broadcom driver marked insecure
NOTE: maybe just remove it?
2025-08-18 15:16:10 -04:00
9fbe64a194 🚨 formatting tweaks 2025-08-18 10:31:48 -04:00
ac03db4f87 ⬆️ version bump 2025-07-20 14:07:20 -04:00
7cec56a95e 🔧 cleanup matrix config 2025-07-01 15:14:13 -04:00
a507412e0e 🚚 homebrew app renames 2025-06-23 12:30:06 -04:00
3ecac708c3 🚚 pre-commit-hooks rename 2025-06-02 16:54:44 -04:00
7b8c02a19e ♻️ refactor flake-utils usage 2025-06-01 14:21:00 -04:00
38aff239a0 🔥remove deploy-rs (no longer in use) 2025-05-26 17:03:14 -04:00
f58a14541f 👽️ nix-darwin: primaryUser 2025-05-17 16:40:50 -04:00
6183c17722 ⬆️ version bump 2025-05-01 17:35:01 -04:00
ac43ae77cc 📦️ experimenting with podman 2025-04-20 16:07:45 -04:00
ccfcb5ec7f 🐛 mas 2.0 works again 2025-04-13 11:55:48 -04:00
30db860308 🐛 btop is not a cask 2025-04-08 19:57:03 -04:00
35b24b54fd 🔧 nixfmt-tree 2025-04-08 19:50:13 -04:00
5aaeb78e9c 📦️ I don't remember why I removed btop 2025-04-08 19:49:43 -04:00
f4307bd301 🔧 plato: docker dns 2025-04-07 11:28:45 -04:00
1ff4017cd6 🐛 homebrew masApps aren't working
See: https://github.com/nix-darwin/nix-darwin/issues/1323
2025-04-02 21:20:36 -04:00
e31b3a36d7 ⬆️ version bump 2025-04-01 12:46:50 -04:00
765d3d3919 🔥 ipfs-cluster service is now upstream 2025-03-31 17:02:04 -04:00
4503ca8cc8 🚚 nix-darwin has a new home 2025-03-28 13:28:23 -04:00
22abedaf52 📦️ more package updates 2025-03-23 16:52:23 -07:00
cdadeee69a 📦️ package updates 2025-03-17 10:22:51 -04:00
dafa424d2d add k3s 2025-03-10 23:22:23 -04:00
005b0bb5e4 🔥 remove traefik 2025-03-09 20:54:32 -04:00
a4b746fd9c 🔧 set k3s server address 2025-03-08 18:02:27 -05:00
defc49c48a add k3s 2025-03-08 17:50:32 -05:00
72198292ab 📦 add bruno 2025-03-05 22:50:05 -05:00
e066118d2b ⬆️ version bump 2025-03-03 13:20:22 -05:00
d14137fedd 📦️ emacs-plus now v30 2025-02-26 22:27:28 -05:00
c9d5a5a966 📦 dev tools 2025-02-20 14:24:27 -08:00
5c46a41206 ⬆️ version bump 2025-02-17 15:15:32 -05:00
bbe4fe6f76 🔧 tailscale webclient for metrics 2025-02-15 17:54:31 -05:00
87a362c9c7 👽️ darwin: update nix daemon config 2025-02-13 22:42:52 -05:00
6b1e91b0f5 ⬆️ version bump 2025-02-08 08:14:10 -05:00
86371ba451 ⬆️ version bump 2025-02-06 10:32:19 -05:00
3d945eb6af 🔥 remove old homebrew casks 2025-01-31 13:04:33 -05:00
df43e5550b 🔥 no terraform from homebrew 2025-01-27 10:54:59 -05:00
04ad800a88 📦 heraclitus: adding some packages 2025-01-24 11:10:11 -05:00
afafcb92ad ⬆️ version bump 2025-01-22 23:43:15 -05:00
f5b8d4fde5 🛂 add minecraft user 2025-01-17 18:22:23 -05:00
7ae9292871 ⬆️ bump version 2025-01-17 15:20:14 -05:00
4b0c646ef3 📦 epicurus: standalone tailscale / update IP 2025-01-12 17:20:30 -05:00
c2ffa8c929 📦 switch to tailscale standalone
(I didn't realize it's the recommended macOS install method)
2025-01-08 22:32:54 -05:00
a5238adc25 📦 loving ghostty 2025-01-07 21:39:57 -05:00
c9f76587b3 📦 asdf from homebrew 2025-01-03 21:58:47 -05:00
8fc9873beb 📦 cursor bandwagon? 2024-12-20 20:12:13 -05:00
6b0c1057eb ⬆️ version bump 2024-12-09 21:06:16 -05:00
a53ad5a5ae 🎨 move to nixfmt-rfc-style 2024-12-07 20:46:15 -05:00
9ea7912596 🐛 fix TLS error in chezmoi update 2024-11-30 19:30:57 -05:00
39a6c16cea ⬆️ version bump 2024-11-27 16:50:04 -05:00
1b059d60a2 ⬆️ version bump 2024-11-24 14:44:53 -05:00
2f90fe4b5e 🔧 chezmoi update 2024-11-21 18:48:25 -05:00
be94d1a35a 📦 package updates 2024-11-15 16:57:44 -05:00
365872d879 ⬆️ version bump 2024-11-10 17:30:41 -05:00
56a6133b36 ⬆️ version bump 2024-11-04 22:29:44 -06:00
9ef3beccb8 📦 add watchman 2024-11-02 17:43:01 -04:00
a23f972a35 ⬆️ version bump 2024-11-01 17:47:57 -04:00
4012f8229c 🔥 matrix-sliding-sync is no more 2024-10-23 14:57:45 -04:00
adf5861cf9 ⬆️ version bump 2024-10-22 22:09:49 -04:00
ea5496e870 ♻️ move terraform code start adding dns 2024-10-17 11:24:13 -04:00
73a52e35d0 ⬆️ version bump 2024-10-17 00:14:42 -04:00
1ce8c86b0d 🚀 reinstate system.autoUpgrade 2024-10-14 14:27:09 -04:00
578d029c1a 🔥 remove linux-builder (for now) 2024-10-04 16:53:06 -04:00
732720117d 🐛 don't always init chezmoi 2024-10-03 21:46:45 -04:00
d9b0c54edc 🐛 aristotle: fix kernel build 2024-10-01 13:34:13 -04:00
5c489491ad 🔧 move tofu configs 2024-09-26 15:30:46 -04:00
398b1e7470 📦 package shuffling 2024-09-25 13:29:05 -04:00
46685f03d7 aristotle: fan configs 2024-09-24 10:50:32 -04:00
49d2768cfe 📦 moving to brews for macOS 2024-09-18 21:29:09 -04:00
d3bd7ef416 🔧 aristotle: rebuild agent 2024-09-15 21:28:49 -04:00
6d38e964e3 🔧 aristotle: move to raspberry-pi-nix
also re-deployed form, matter and purpose
2024-09-15 20:35:46 -04:00
8b57a7580a 🐛 fix chezmoi deploy 2024-09-15 13:06:52 -04:00
d9173abb79 ♻️ refactor home-manager / dotfiles to use chezmoi 2024-09-14 18:12:01 -04:00
6321f08230 ⬆️ version bump 2024-09-11 12:41:33 -04:00
06ddc96680 ♻️ consolidate nix configs 2024-09-02 10:47:02 -04:00
49884d40e5 ⬆️ version bump 2024-08-31 12:24:46 -04:00
70cd5624a5 🔧 ups config change 2024-08-27 17:58:52 -04:00
12a0213098 🔥 remove homestar 2024-08-25 13:42:38 -04:00
e49bed2b6d 🚚 logi-options rename 2024-08-24 16:01:27 -04:00
6e31fa5c55 ⬆️ version bump 2024-08-21 20:18:40 -04:00
68f137dd4f 📦 adding packages 2024-08-20 10:47:48 -04:00
965f8de5db 🔥 no more lorri 2024-08-19 20:04:21 -04:00
e747d2f5be 📦️ package tweaks 2024-08-08 19:26:46 -04:00
61e13e4932 ⬆️ version bump 2024-08-05 15:00:42 -04:00
9dd174a224 🔧 switch from nil to nixd 2024-08-02 13:27:23 -04:00
37713225ba ⬆️ version bump 2024-07-29 11:50:26 -04:00
5448135da4 ⬆️ version bump 2024-07-21 16:31:00 -04:00
1e39527f5e add badbits deny for ipfs gateway 2024-07-19 14:26:53 -04:00
ac19b5ab7b ⬆️ version bump 2024-07-18 17:23:47 -04:00
8be7f73e87 🐛 switch to homebrew doppler 2024-07-14 13:04:44 -04:00
fed866990c 🚑 minecraft: fix nat forwarding 2024-07-12 15:09:14 -04:00
fe3911ab2c 📦 k8s tools 2024-07-04 10:38:59 -04:00
e58507d809 🚚 firefox developer edition cask moved 2024-07-02 10:02:41 -04:00
0ede09f95c ⬆ version bump 2024-06-24 15:57:26 -04:00
cc4d60cbac ⬆️ version bump 2024-06-21 10:52:48 -04:00
a836a0a66b 📦 add some dev tools 2024-06-18 21:50:22 -04:00
aabadd52f0 ⬆️ version bump 2024-06-14 14:39:26 -04:00
07a489b471 🔥 more app cleanup 2024-06-10 12:29:42 -04:00
2a4cb54402 🔥 remove bartender 2024-06-06 15:44:31 -04:00
6f104b10da ⬆️ version bump 2024-06-03 22:39:04 -04:00
6ea9e35c72 ⬆️ version bump 2024-05-25 22:53:28 -04:00
e5f6ff3f12 ⬆️ version bump 2024-05-21 21:49:56 -04:00
3fc2cae03f ⬆️ version bump 2024-05-18 18:26:57 -04:00
e22164ab91 ⬆️ version bump 2024-05-13 17:10:30 -04:00
177f4c6393 🔥 not using ipfs desktop anymore 2024-05-06 17:29:22 -04:00
f641c69942 📦 package updates 2024-04-25 16:45:05 -04:00
c1d0e6a267 ⬆️ version bump 2024-04-22 13:14:35 -04:00
558d182465 ⬆️ version bump 2024-04-11 11:54:11 -04:00
d451d34500 ⬆️ version bump 2024-04-09 13:00:57 -04:00
b31ec0d4f7 ⬆️ version bump 2024-04-08 13:46:54 -04:00
0055ce56a4 ⬆️ version bump 2024-04-06 15:00:59 -04:00
b994cb6c73 ⬆️ version bump 2024-04-04 21:25:02 -04:00
c5e8d3896b 👽️ deploy-rs overlay update 2024-03-30 13:43:43 -04:00
a07a205143 ⬆️ bump versions 2024-03-28 15:49:32 -04:00
1a7a9fce77 🔧 plato: update homestar peerID 2024-03-18 22:05:23 -04:00
c3e9fd6714 ⬆️version bump 2024-03-16 11:14:56 -04:00
68614a06e6 🔒️ plato: fixed homestar key 2024-03-15 10:45:46 -04:00
d5fea83d5f 🗑️ plato: clean up deprecated option 2024-03-10 11:15:59 -04:00
5aa4b923f1 ⬆ version bump 2024-03-05 23:18:14 -05:00
e05ac089ed ⬆ version bump 2024-03-02 13:56:38 -05:00
765df12592 🔧 homestar node 2024-02-29 19:01:40 -05:00
074e771c3a 🔧 give linux-builder more resources 2024-02-29 16:09:02 -05:00
4ed771304c 🔥 aristotle: remove homestar
the aarch64-linux build is really slow :(
2024-02-29 16:08:01 -05:00
b574218035 📦️ add some dev tools 2024-02-27 18:28:22 -05:00
79c2cdd6b0 🐛 whoops 2024-02-23 15:29:42 -05:00
ae1760ffd8 aristotle: add homestar 2024-02-23 15:04:24 -05:00
4026caccae ⬆️ bump versions 2024-02-18 12:17:17 -05:00
f7e0ac3cbb ♻️ refactor some monitoring configs 2024-02-17 22:12:24 -05:00
15d95e6208 🔥 clean up duplicate rpi configs 2024-02-17 13:25:00 -05:00
c9692d70eb add homestar 2024-02-16 11:50:50 -05:00
d8f19c487a ⬆️ version bump 2024-02-11 17:39:01 -05:00
b38511486c ⬆️ version bump 2024-01-28 12:24:32 -05:00
d87221ed37 ️ use deploy-rs from nixpkgs 2024-01-26 17:00:00 -05:00
aa4ed46e50 ⬆️ version bump 2024-01-19 13:28:06 -05:00
8ada774d89 📦️ use emacs-macport 2024-01-17 22:34:11 -05:00
23a5e21b71 ⬆️ version bump 2024-01-10 11:11:25 -05:00
f59ff2b383 ⬆️ version bump 2024-01-08 18:46:00 -05:00
a3de6659c1 🔧 matrix-sliding-sync settings update 2024-01-01 17:22:30 -05:00
954abfd1f2 ⬆️ version bump 2023-12-26 09:54:53 -05:00
7b21bc7e91 ⬆️ version bump 2023-12-22 11:45:07 -05:00
a44af04160 🔧 aristotle: set timeZone 2023-12-20 11:10:46 -05:00
74fbd0a385 ⬆️ version bump 2023-12-19 14:09:56 -05:00
ef401a4e4c use system.autoUpgrade for nixos machines
also add garnix.io cache

Closes #18
2023-12-15 22:28:14 -05:00
f85ef16b42 📦️ rework some base packages 2023-12-12 18:59:06 -05:00
94d559c4f4 🔨 pg upgrade script 2023-12-11 16:59:00 -05:00
a38118b191 new power.ups configs 2023-12-10 14:53:55 -05:00
4c3c44f052 🔧 update postgres permissions 2023-11-27 12:14:54 -05:00
c39bbfd5fc ⬆️ bump versions 2023-11-04 13:25:46 -04:00
3659087618 📦 package updates 2023-10-20 16:27:29 -04:00
63399e4f36 🔥 stick with emacs-nox 2023-10-13 21:40:18 -04:00
2b6d30de6e 🏗️ switch to opentofu 2023-10-10 19:27:29 -04:00
e7766c9b8d 🔧 tweak borgbase repo 2023-09-30 13:29:52 -04:00
e8d834dff2 📦 opal now in homebrew 2023-09-22 10:51:42 -04:00
98f3460c5f 🔧 mount samba as user 2023-09-15 22:20:24 -04:00
01ee84e69e 📦 package cleanup 2023-09-15 22:20:05 -04:00
9ec3ddde1f ⚰️ remove old darwin-local script 2023-09-12 17:01:59 -04:00
ba4eaf1d2e 🏗️ no more nfs (smb for parthenon) 2023-09-10 16:16:14 -04:00
4066c2b6a9 🚨 statix updates 2023-09-10 14:27:05 -04:00
ccdea6b752 ⬆️ bump versions 2023-09-09 14:34:13 -04:00
00b0360e0c ⬆️ bump versions 2023-09-02 12:39:29 -04:00
e66a4b9a37 playing with terraform 2023-08-20 13:06:05 -04:00
6198ed9d59 📦 fewer global tools - more shells 2023-08-20 13:05:50 -04:00
475792286d 🔧 ipfs config tweaks 2023-07-27 16:24:11 -04:00
19a01e278e ♻️ config refactor cleanup 2023-07-27 15:51:15 -04:00
d4b4ba1d1e ♻️ refactor layout, simplify flake.nix 2023-07-27 15:22:16 -04:00
74296f8b9b ⚰️ remove pulumi 2023-07-26 15:01:14 -04:00
e1871a2030 📦️ package updates - emacs29, nil, etc 2023-07-25 12:26:13 -04:00
5f668bee6d 🐛 darwin.linux-builder is fixed 2023-07-25 12:24:03 -04:00
71395424ee 🗑️ remove deprecated homebrew tap 2023-07-21 12:48:59 -04:00
17a779f5f9 matrix-sliding-sync - new module upstream 2023-07-21 12:48:23 -04:00
402bddec5d 🐛 aristotle: enable poe-hat support 2023-07-17 17:01:34 -04:00
883e1e634d 🐛 darwin.linux-builder is broken :( 2023-07-17 14:41:12 -04:00
9f80c55ace add pre-commit-hooks 2023-07-14 18:53:25 -04:00
4decbc5f3c add matrix-sliding-sync
Close #17
2023-07-09 19:58:59 -04:00
74e75de168 🐛 aristotle: fix bootloader config 2023-07-09 19:58:27 -04:00
7c92880612 🗑️ boot.loader.raspberryPi deprecated 2023-07-09 13:56:52 -04:00
aee94aef3a nix-darwin now includes linux-builder 2023-07-09 13:56:26 -04:00
4f1f81e425 🔨 builder: no emulation 2023-07-01 16:27:52 -04:00
11d76e31c0 📦 herclitus: package updates 2023-06-29 18:18:36 -04:00
abfcf1ebd2 🔧 builder config updates 2023-06-27 11:04:56 -04:00
5a80cf0597 🗑️ flake cleanup 2023-06-23 18:16:24 -04:00
effe379b80 🚀 epicurus: deploy-rs config 2023-06-20 23:35:34 -04:00
9a6f773f68 🔧 nix gc delete older than 30 days 2023-06-19 16:36:44 -04:00
22e576d8e9 🗑 nix-darwin now includes an IPFS service 2023-06-19 16:15:17 -04:00
51fff43d2a 🕹️ add minecraft user 2023-06-12 15:59:46 -04:00
b3df0ce73b 🔐 epicurus: authorizedKeys 2023-06-08 21:52:58 -04:00
5a855b7eaa 👷 use macos-builder 2023-06-07 15:17:07 -04:00
baad77a1ab 🔧 update traefik config 2023-06-05 22:56:53 -04:00
673f62f6d5 📦 package updates 2023-06-05 22:56:41 -04:00
81a7b69c9d 📦️ package updates 2023-05-25 14:52:23 -07:00
3d3213be05 ⬆️ version bumps 2023-05-22 12:59:10 -04:00
8fe6194fc2 📦 package cleanup 2023-05-11 17:59:38 -04:00
f05e74bba5 🧱 dont auto-opmtimise store on darwin 2023-05-08 13:04:45 -04:00
6a72a85ac2 📦 re-add devenv tool 2023-05-08 13:04:20 -04:00
d09e98f04d 🔧 aristotle: vanilla kubo 2023-05-05 12:08:30 -04:00
cb82a5558a 📦 big package cleanup 2023-05-03 20:29:40 -04:00
420c80b4a1 🔥 remove devenv (issues with deploy-rs) 2023-05-03 17:51:28 -04:00
1f17d5e669 👽️ update deprecated config 2023-04-27 11:05:10 -04:00
60c29113b2 🔧 plato: tailscale exit node 2023-04-19 04:54:37 -04:00
3e52123b80 📦️ aristotle: run carmirror 2023-04-08 15:50:20 -04:00
2f83341de0 🔧 akkoma postgres config update 2023-04-08 15:49:43 -04:00
506cbdc761 🔥 remove old pleroma configs 2023-03-27 22:49:37 -04:00
9c133feed0 ♻️ refactor programs.zsh 2023-03-25 15:17:55 -04:00
0e31565644 🏗️ migrate to akkoma 2023-03-18 23:40:44 -04:00
07130a5a41 📦 add fission overlay 2023-03-15 15:56:51 -04:00
7bb0ca2d52 ⬆️ bump versions 2023-03-06 19:48:30 -05:00
d43da3f34e 🎮 whitelist raf 2023-03-01 12:08:58 -05:00
fe48142b8d 🔧 epicurus: add dev tools 2023-02-27 11:32:48 -05:00
513eaaecd2 🐛 nix flake check currently segfaults on darwin 2023-02-24 11:29:19 -05:00
19a4053a8c 📌 bump postgres to v14 2023-02-20 20:01:39 -05:00
0c4ba0a464 ♻️ refactor system.stateVersion usage 2023-02-20 13:28:35 -05:00
bf6b57c236 🐛 fix home-manager deploy 2023-02-20 13:24:25 -05:00
f8eac0c248 ♻️ back to standalone home-manager 2023-02-18 14:32:30 -05:00
fb0689b904 📦 moved packages from dotfiles 2023-02-15 12:13:26 -05:00
3a34ae013f 🔧 update nix.gc to run weekly 2023-02-13 17:31:23 -05:00
d87d9a76d6 ⬆️ version bump 2023-02-13 11:04:22 -05:00
9d0f12de10 playing with nixos-generators 2023-02-09 22:38:20 -05:00
ba09a67ec9 🧱 scorates: actual droplet config 2023-02-09 22:37:21 -05:00
01089c5725 messing around with pulumi 2023-02-07 22:08:49 -05:00
c158229f40 📦️ add synadm for matrix admin 2023-02-03 18:58:29 -05:00
c8ee9cb4e1 ⬆️ version bumps 2023-02-01 18:41:32 -05:00
2faeb46c59 ♻️ refactor base config 2023-01-31 22:01:21 -05:00
d0ffe9eb60 🔧 cachix config 2023-01-30 22:06:36 -05:00
e51d179082 🔥 plato: no more code-server 2023-01-27 10:01:51 -05:00
abf5b40554 🔧 gitea proxy config update 2023-01-21 17:39:39 -05:00
2860139d82 📦️ package updates 2023-01-20 20:58:47 -05:00
871232da33 ⬆️ bump versions 2023-01-07 11:24:04 -05:00
dfaabb7f92 🔧 epicurus: home-manager config sync 2023-01-04 15:14:17 -05:00
b48348dacc 🐛 niv broken in aarch64-darwin unstable again 2023-01-01 13:37:25 -05:00
08158fd335 🔧 more devenv tinkering 2022-12-28 19:03:43 -05:00
1dd6bb52a0 🚨 statix/deadnix fixes 2022-12-27 10:10:53 -05:00
6abad2d5a6 🔧 add devenv 2022-12-27 10:06:18 -05:00
07fe82964b 📦️ experimenting with devenv 2022-12-26 21:33:53 -05:00
78ce9c76e0 ⬆️ bump versions 2022-12-24 19:58:09 -05:00
b4b879ef77 🔧 more ipfs-cluster config 2022-12-21 23:37:56 -05:00
c47ae5d2ce 🔥 *sigh* ipfs-cluster + nginx doesn't work 2022-12-18 21:29:57 -05:00
b527d5c790 socrates: gateway for cluster restapi 2022-12-17 22:44:49 -05:00
aa73269bee 🔧 aristotle: ipfs cluster api config 2022-12-16 18:44:26 -05:00
8ca1a40ef0 🔧 socrates: new IP for home assistant 2022-12-14 16:26:24 -05:00
12ab2eadb2 ⬆️ version bumps 2022-12-09 21:03:41 -05:00
e238460f76 📦️ heraclitus: add calibre 2022-12-05 22:40:46 -05:00
db869ea59c 🔧 plato: clean up traefik config 2022-12-03 23:14:48 -05:00
ca1fab4f9f 📦️ heraclitus: add signal app 2022-11-25 22:51:48 -05:00
1f87bb4a5e 🔧 darwin: automatic nix gc 2022-11-25 22:50:34 -05:00
e8fe20ffcb 🔧 traefik settings 2022-11-17 22:40:13 -05:00
fe5e3da48d 🐛 fix up ipfs-darwin service 2022-11-17 22:39:47 -05:00
d845616f35 add ipfs service for darwin machines 2022-11-13 17:39:35 -05:00
da846292a6 add base module w/ automatic gc 2022-11-09 23:24:40 -05:00
16d29169e0 🔐 add sudoers on darwin 2022-11-08 23:18:44 -05:00
ff75a042b8 ⬆️ version bump 2022-11-08 22:07:09 -05:00
0dbdc3f548 🔧 pleroma config 2022-11-07 22:10:30 -05:00
1f9d616463 ⬆️ version bump 2022-11-06 23:22:12 -05:00
82e731c314 add nix fmt config 2022-10-31 17:41:19 -04:00
26d57a6eec 🚚 kubo settings rename 2022-10-30 23:04:36 -04:00
449c104dc8 📦️ add overlay + workon 2022-10-27 22:34:08 -04:00
f72e15afa7 🚨 cleanup grafana config changes 2022-10-24 16:23:09 -04:00
1b79e8f003 🐛 nix-darwin fixed 2022-10-23 11:02:55 -04:00
e0ac751438 📦️ add descript 2022-10-21 22:26:49 -04:00
846f886c26 🐛 temporary nix-darwin fix 2022-10-20 22:28:21 -04:00
7deda40119 🚚 moved home-assistant to my new yellow 2022-10-17 20:25:42 -04:00
8ba5e30ed3 ⬆️ version bump 2022-10-14 22:31:26 -04:00
12ca785599 📦️ heraclitus: add diffusionbee 2022-10-13 22:44:19 -04:00
73c6d731e1 ⬆️ version bump 2022-10-12 21:09:56 -04:00
84244a77d9 🔧 socrates: port forward for minecraft 2022-10-10 21:54:45 -04:00
d4df0f75b5 🚚 ipfs -> kubo 2022-10-07 06:19:56 -04:00
687672a62b ⬆️ bump versions again 2022-10-07 06:16:40 -04:00
cfd07e3169 ⬆️ version bump 2022-10-06 14:57:12 +01:00
b99248b210 add traefik for internal tls 2022-10-06 14:56:18 +01:00
88 changed files with 915306 additions and 1500 deletions

7
.gitignore vendored

@@ -1,2 +1,7 @@
/.direnv /.direnv
/result /result
/.pre-commit-config.yaml
/node_modules/
.terraform
*.tfvars
*.tfstate*


@@ -1,17 +1,19 @@
keys: keys:
- &walkah age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j - &walkah age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j
- &plato age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh - &plato age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh
- &agent age1vc8svd5277rjkgzg7frf04uaa45w3crhfvg628rqyrqmxul3q9nsjz6yxk - &agent age1pn2hnqvgt7rvfglxddlj3jwrm79rvmutmexkpxv4frdnznlel33qvfy6u5
- &form age1ulmzprdmcd8r0w47a0nrrlg8melkjk6evl2rc54yh6lxkcfas36q6wrsv9 - &form age1mnrl9u8vpdjncge33pg7quakl0qdf5dlfgch87jhrs0wrvup4s0s5xh7ly
- &matter age1lfjkch3pqaq3uwmjxyucpm2tws6llxqqjglj4yn49jkwkf50xvmqrl974e - &matter age1tt0gwcm03zmpelerpph49knn8f6t8z7aq9una2qys76kf4rwxpnquxkvz3
- &purpose age1jnf94uq5ap96vk7nfk3qkr38ylhletc6pskj0ypc470d7gmt0qeqskdy5z - &purpose age1px55dk5n3whfdyshzyxqmyjvqdmv9au6myx6w67jw3cqp9sdx9rsa6xep9
- &socrates age12wakcnv487c5rkgv7z6umzywrqwcy6dgguq0dug6lxp64scjsq6sspkmgz
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *walkah - *walkah
- *plato - *plato
- *agent - *agent
- *form - *form
- *matter - *matter
- *purpose - *purpose
- *socrates


@@ -10,4 +10,5 @@
) )
{ {
src = ./.; src = ./.;
}).defaultNix }
).defaultNix

421
flake.lock generated

@@ -7,64 +7,28 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1664143588, "lastModified": 1760721282,
"narHash": "sha256-I1qaa8VMISprKulco2bxiIJUaz1NGiKmlsQuM996yzM=", "narHash": "sha256-aAHphQbU9t/b2RRy2Eb8oMv+I08isXv2KUGFAFn7nCo=",
"owner": "lnl7", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "95ba7e548d55e74c36369dbd6a4bfe99a543c835", "rev": "c3211fcd0c56c11ff110d346d4487b18f7365168",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "lnl7", "owner": "nix-darwin",
"ref": "master", "ref": "master",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
}, },
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"utils": "utils"
},
"locked": {
"lastModified": 1659725433,
"narHash": "sha256-1ZxuK67TL29YLw88vQ18Y2Y6iYg8Jb7I6/HVzmNB6nM=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "41f15759dd8b638e7b4f299730d94d5aa46ab7eb",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"dotfiles": {
"flake": false,
"locked": {
"lastModified": 1663967156,
"narHash": "sha256-jWQjcsLCO4HmDSF/Ib5Lo56Z4v5E9eAXewwI6Qb0Sx0=",
"owner": "walkah",
"repo": "dotfiles",
"rev": "4d05de816af0fc3732dcd01999f77f5d9f46afcb",
"type": "github"
},
"original": {
"owner": "walkah",
"repo": "dotfiles",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1648199409, "lastModified": 1747046372,
"narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "64a525ee38886ab9028e6f61790de0832aa3ef03", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -76,11 +40,11 @@
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1650374568, "lastModified": 1747046372,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -89,32 +53,39 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": { "gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1659877975, "lastModified": 1709087332,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "numtide", "owner": "hercules-ci",
"repo": "flake-utils", "repo": "gitignore.nix",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "numtide", "owner": "hercules-ci",
"repo": "flake-utils", "repo": "gitignore.nix",
"type": "github" "type": "github"
} }
}, },
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_2", "nixpkgs": [
"utils": "utils_2" "nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1664146938, "lastModified": 1760887455,
"narHash": "sha256-fIvsJ3qWiD6o3qH9iU66OsL8uG5C1FGXcuaNEctJv8M=", "narHash": "sha256-/xU8iYZjolWbMUNBQF6af5zgGs73Qw21WMgz1tLs3Yw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "9e7394523eb4f298528d457e316fc752bdf07151", "rev": "aeabc1ac63e6ebb8ba4714c4abdfe0556f2de765",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -123,29 +94,83 @@
"type": "github" "type": "github"
} }
}, },
"nixos-hardware": { "libcamera-src": {
"flake": false,
"locked": { "locked": {
"lastModified": 1663229557, "lastModified": 1725630279,
"narHash": "sha256-1uU4nsDLXKG0AHc/VCsNBAEPkTA/07juYhcEWRb1O1E=", "narHash": "sha256-KH30jmHfxXq4j2CL7kv18DYECJRp9ECuWNPnqPZajPA=",
"owner": "NixOS", "owner": "raspberrypi",
"repo": "nixos-hardware", "repo": "libcamera",
"rev": "a0df6cd6e199df4a78c833c273781ea92fa62cfb", "rev": "69a894c4adad524d3063dd027f5c4774485cf9db",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "raspberrypi",
"ref": "master", "repo": "libcamera",
"repo": "nixos-hardware", "rev": "69a894c4adad524d3063dd027f5c4774485cf9db",
"type": "github"
}
},
"libpisp-src": {
"flake": false,
"locked": {
"lastModified": 1724944683,
"narHash": "sha256-Fo2UJmQHS855YSSKKmGrsQnJzXog1cdpkIOO72yYAM4=",
"owner": "raspberrypi",
"repo": "libpisp",
"rev": "28196ed6edcfeda88d23cc5f213d51aa6fa17bb3",
"type": "github"
},
"original": {
"owner": "raspberrypi",
"ref": "v1.0.7",
"repo": "libpisp",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1736643958,
"narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751903740,
"narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "032decf9db65efed428afd2fa39d80f7089085eb",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1648219316, "lastModified": 1760872779,
"narHash": "sha256-Ctij+dOi0ZZIfX5eMhgwugfvB+WZSrvVNAyAuANOsnQ=", "narHash": "sha256-c5C907Raf9eY8f1NUXYeju9aUDlm227s/V0OptEbypA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "30d3d79b7d3607d56546dd2a6b49e156ba0ec634", "rev": "63bdb5d90fa2fa11c42f9716ad1e23565613b07c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -155,80 +180,215 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-22_05": {
"locked": {
"lastModified": 1664201777,
"narHash": "sha256-cUW9DqELUNi1jNMwVSbfq4yl5YGyOfeu+UHUUImbby0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "00f877f4927b6f7d7b75731b5a1e2ae7324eaf14",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1662996720, "lastModified": 1736061677,
"narHash": "sha256-XvLQ3SuXnDMJMpM1sv1ifPjBuRytiDYhB12H/BNTjgY=", "narHash": "sha256-DjkQPnkAfd7eB522PwnkGhOMuT9QVCZspDpJJYyOj60=",
"owner": "nixos", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5f326e2a403e1cebaec378e72ceaf5725983376d", "rev": "cbd8ec4de4469333c82ff40d057350c30e9f7d36",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-24.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1664177230, "lastModified": 1760663237,
"narHash": "sha256-eyo88ffm16I0K9cdcePbOsQg4MDjf1EgIdkGTLB/7iA=", "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
"owner": "NixOS", "owner": "cachix",
"repo": "nixpkgs", "repo": "git-hooks.nix",
"rev": "ff9793cfd1a25145a7e591af604675b3d6f68987", "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "cachix",
"ref": "nixpkgs-unstable", "repo": "git-hooks.nix",
"repo": "nixpkgs", "type": "github"
}
},
"raspberry-pi-nix": {
"inputs": {
"libcamera-src": "libcamera-src",
"libpisp-src": "libpisp-src",
"nixpkgs": "nixpkgs_2",
"rpi-bluez-firmware-src": "rpi-bluez-firmware-src",
"rpi-firmware-nonfree-src": "rpi-firmware-nonfree-src",
"rpi-firmware-src": "rpi-firmware-src",
"rpi-linux-6_12_17-src": "rpi-linux-6_12_17-src",
"rpi-linux-6_6_78-src": "rpi-linux-6_6_78-src",
"rpi-linux-stable-src": "rpi-linux-stable-src",
"rpicam-apps-src": "rpicam-apps-src"
},
"locked": {
"lastModified": 1742223591,
"narHash": "sha256-ZNTz8r5jlJ1jvpqf5+aUYgpnYJSVX0iP14doOc1Hm0E=",
"owner": "nix-community",
"repo": "raspberry-pi-nix",
"rev": "3e8100d5e976a6a2be363015cb33463af9ef441a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "raspberry-pi-nix",
"type": "github" "type": "github"
} }
}, },
"root": { "root": {
"inputs": { "inputs": {
"darwin": "darwin", "darwin": "darwin",
"deploy-rs": "deploy-rs", "flake-compat": "flake-compat",
"dotfiles": "dotfiles",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-hardware": "nixos-hardware", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix" "pre-commit-hooks": "pre-commit-hooks",
"raspberry-pi-nix": "raspberry-pi-nix",
"sops-nix": "sops-nix",
"systems": "systems"
}
},
"rpi-bluez-firmware-src": {
"flake": false,
"locked": {
"lastModified": 1708969706,
"narHash": "sha256-KakKnOBeWxh0exu44beZ7cbr5ni4RA9vkWYb9sGMb8Q=",
"owner": "RPi-Distro",
"repo": "bluez-firmware",
"rev": "78d6a07730e2d20c035899521ab67726dc028e1c",
"type": "github"
},
"original": {
"owner": "RPi-Distro",
"ref": "bookworm",
"repo": "bluez-firmware",
"type": "github"
}
},
"rpi-firmware-nonfree-src": {
"flake": false,
"locked": {
"lastModified": 1723266537,
"narHash": "sha256-T7eTKXqY9cxEMdab8Snda4CEOrEihy5uOhA6Fy+Mhnw=",
"owner": "RPi-Distro",
"repo": "firmware-nonfree",
"rev": "4b356e134e8333d073bd3802d767a825adec3807",
"type": "github"
},
"original": {
"owner": "RPi-Distro",
"ref": "bookworm",
"repo": "firmware-nonfree",
"type": "github"
}
},
"rpi-firmware-src": {
"flake": false,
"locked": {
"lastModified": 1728405098,
"narHash": "sha256-4gnK0KbqFnjBmWia9Jt2gveVWftmHrprpwBqYVqE/k0=",
"owner": "raspberrypi",
"repo": "firmware",
"rev": "7bbb5f80d20a2335066a8781459c9f33e5eebc64",
"type": "github"
},
"original": {
"owner": "raspberrypi",
"ref": "1.20241008",
"repo": "firmware",
"type": "github"
}
},
"rpi-linux-6_12_17-src": {
"flake": false,
"locked": {
"lastModified": 1740765145,
"narHash": "sha256-hoCsGc4+RC/2LmxDtswLBL5ZhWlw4vSiL4Vkl39r2MU=",
"owner": "raspberrypi",
"repo": "linux",
"rev": "5985ce32e511f4e8279a841a1b06a8c7d972b386",
"type": "github"
},
"original": {
"owner": "raspberrypi",
"ref": "rpi-6.12.y",
"repo": "linux",
"type": "github"
}
},
"rpi-linux-6_6_78-src": {
"flake": false,
"locked": {
"lastModified": 1740503700,
"narHash": "sha256-Y8+ot4Yi3UKwlZK3ap15rZZ16VZDvmeFkD46+6Ku7bE=",
"owner": "raspberrypi",
"repo": "linux",
"rev": "2e071057fded90e789c0101498e45a1778be93fe",
"type": "github"
},
"original": {
"owner": "raspberrypi",
"ref": "rpi-6.6.y",
"repo": "linux",
"type": "github"
}
},
"rpi-linux-stable-src": {
"flake": false,
"locked": {
"lastModified": 1728403745,
"narHash": "sha256-phCxkuO+jUGZkfzSrBq6yErQeO2Td+inIGHxctXbD5U=",
"owner": "raspberrypi",
"repo": "linux",
"rev": "5aeecea9f4a45248bcf564dec924965e066a7bfd",
"type": "github"
},
"original": {
"owner": "raspberrypi",
"ref": "stable_20241008",
"repo": "linux",
"type": "github"
}
},
"rpicam-apps-src": {
"flake": false,
"locked": {
"lastModified": 1727515047,
"narHash": "sha256-qCYGrcibOeGztxf+sd44lD6VAOGoUNwRqZDdAmcTa/U=",
"owner": "raspberrypi",
"repo": "rpicam-apps",
"rev": "a8ccf9f3cd9df49875dfb834a2b490d41d226031",
"type": "github"
},
"original": {
"owner": "raspberrypi",
"ref": "v1.5.2",
"repo": "rpicam-apps",
"type": "github"
} }
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"nixpkgs-22_05": "nixpkgs-22_05"
}, },
"locked": { "locked": {
"lastModified": 1664204020, "lastModified": 1760845571,
"narHash": "sha256-LAey3hr8b9EAt3n304Wt9Vm4uQFd8pSRtLX8leuYFDs=", "narHash": "sha256-PwGzU3EOU65Ef1VvuNnVLie+l+P0g/fzf/PGUG82KbM=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "912f9ff41fd9353dec1f783170793699789fe9aa", "rev": "9c9a9798be331ed3f4b2902933d7677d0659ee61",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -237,33 +397,18 @@
"type": "github" "type": "github"
} }
}, },
"utils": { "systems": {
"locked": { "locked": {
"lastModified": 1648297722, "lastModified": 1681028828,
"narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "numtide", "owner": "nix-systems",
"repo": "flake-utils", "repo": "default",
"rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "numtide", "owner": "nix-systems",
"repo": "flake-utils", "repo": "default",
"type": "github"
}
},
"utils_2": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github" "type": "github"
} }
} }

189
flake.nix

@@ -3,13 +3,16 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; systems.url = "github:nix-systems/default";
home-manager.url = "github:nix-community/home-manager"; raspberry-pi-nix.url = "github:nix-community/raspberry-pi-nix";
flake-utils.url = "github:numtide/flake-utils";
deploy-rs.url = "github:serokell/deploy-rs";
darwin = { darwin = {
url = "github:lnl7/nix-darwin/master"; url = "github:nix-darwin/nix-darwin/master";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
@@ -18,147 +21,65 @@
flake = false; flake = false;
}; };
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# My stuff
dotfiles = {
url = "github:walkah/dotfiles";
flake = false;
};
}; };
outputs = outputs =
{ self {
, nixpkgs self,
, nixos-hardware nixpkgs,
, deploy-rs pre-commit-hooks,
, darwin systems,
, flake-utils ...
, home-manager
, sops-nix
, dotfiles
, ...
}@inputs: }@inputs:
let let
mkSystem = hostName: system: modules: forAllSystems =
nixpkgs.lib.nixosSystem { fn: nixpkgs.lib.genAttrs (import systems) (system: fn system nixpkgs.legacyPackages.${system});
system = system;
modules = [
home-manager.nixosModules.home-manager
({ config, ... }: {
networking.hostName = hostName;
})
] ++ modules;
specialArgs = inputs;
};
mkDarwin = hostName: system: modules:
darwin.lib.darwinSystem {
system = system;
modules = [
home-manager.darwinModules.home-manager
({ config, ... }: {
networking.hostName = hostName;
})
] ++ modules;
specialArgs = inputs;
};
in in
flake-utils.lib.eachDefaultSystem {
(system: checks = forAllSystems (
let system: pkgs:
pkgs = nixpkgs.legacyPackages.${system}; import ./nix/checks.nix {
darwin-local = pkgs.writeScriptBin "darwin-local" '' inherit
#!${pkgs.stdenv.shell} self
nix build .#darwinConfigurations.$(hostname -s).system pkgs
./result/sw/bin/darwin-rebuild switch --flake . pre-commit-hooks
''; system
in ;
{ }
devShells.default = pkgs.mkShell { );
name = "athens"; devShells = forAllSystems (system: pkgs: import ./nix/shells.nix { inherit self pkgs system; });
buildInputs = [ darwin-local deploy-rs.packages.${system}.deploy-rs pkgs.nixpkgs-fmt pkgs.rnix-lsp pkgs.sops ]; formatter = forAllSystems (_: pkgs: pkgs.nixfmt-tree);
}; }
}) // { // {
nixosConfigurations = { hosts = import ./nix/hosts.nix;
# Aristotle overlays.default = nixpkgs.lib.composeManyExtensions [ ];
agent = mkSystem "agent" "aarch64-linux" [ ./hosts/aristotle/configuration.nix ];
form = mkSystem "form" "aarch64-linux" [ ./hosts/aristotle/configuration.nix ];
matter = mkSystem "matter" "aarch64-linux" [ ./hosts/aristotle/configuration.nix ];
purpose = mkSystem "purpose" "aarch64-linux" [ ./hosts/aristotle/configuration.nix ];
plato = mkSystem "plato" "x86_64-linux" [ ./hosts/plato/configuration.nix ]; darwinConfigurations = import ./nix/darwin.nix inputs;
socrates = mkSystem "socrates" "x86_64-linux" [ ./hosts/socrates/configuration.nix ]; nixosConfigurations = import ./nix/nixos.nix inputs;
};
darwinConfigurations = {
epicurus = mkDarwin "epicurus" "aarch64-darwin" [ ./hosts/epicurus/darwin-configuration.nix ];
heraclitus = mkDarwin "heraclitus" "aarch64-darwin" [ ./hosts/heraclitus/darwin-configuration.nix ];
};
deploy.nodes = { nixConfig = {
agent = { extra-substituters = [
hostname = "agent"; "https://walkah.cachix.org"
sshUser = "root"; "https://nix-community.cachix.org"
profiles.system = { ];
user = "root"; extra-trusted-public-keys = [
path = deploy-rs.lib.aarch64-linux.activate.nixos "walkah.cachix.org-1:D8cO78JoJC6UPV1ZMgd1V5znpk3jNUERGIeAKN15hxo="
self.nixosConfigurations.agent; "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
}; ];
};
form = {
hostname = "form";
sshUser = "root";
profiles.system = {
user = "root";
path = deploy-rs.lib.aarch64-linux.activate.nixos
self.nixosConfigurations.form;
};
};
matter = {
hostname = "matter";
sshUser = "root";
profiles.system = {
user = "root";
path = deploy-rs.lib.aarch64-linux.activate.nixos
self.nixosConfigurations.matter;
};
};
purpose = {
hostname = "purpose";
sshUser = "root";
profiles.system = {
user = "root";
path = deploy-rs.lib.aarch64-linux.activate.nixos
self.nixosConfigurations.purpose;
};
};
plato = {
hostname = "plato";
profiles = {
system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.plato;
};
};
};
socrates = {
hostname = "socrates";
profiles = {
system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.socrates;
};
};
};
}; };
}; };
} }
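Review bot: The new `nixConfig` block appears to sit inside the attrset merged into `outputs` (it follows `nixosConfigurations = import ./nix/nixos.nix inputs;` and closes before the final `};`), but Nix reads `nixConfig` only as a top-level flake attribute beside `inputs` and `outputs`. Indentation is lost in this rendering, so the nesting is inferred from brace order; if it holds, the two substituters are never offered and the attribute is just an unused output. When it is moved, it deserves a comment such as `# paths signed by these keys are accepted into the store without a local build`, because `extra-trusted-public-keys` extends store trust to whoever holds the signing keys for `walkah.cachix.org` and `nix-community.cachix.org`.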


@@ -1,68 +0,0 @@
{ config, pkgs, nixos-hardware, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
nixos-hardware.nixosModules.raspberry-pi-4
../../modules/ipfs/cluster.nix
../../modules/sops
];
nixpkgs.overlays = [ (import ../../overlays) ];
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
boot.loader.grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = false;
boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.loader.raspberryPi = {
enable = true;
version = 4;
};
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = true;
networking.firewall.enable = false;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
];
environment.systemPackages = with pkgs; [ libraspberrypi ];
services = {
prometheus = {
enable = true;
port = 9090;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
openFirewall = true;
port = 9100;
};
};
};
tailscale = { enable = true; };
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}


@@ -1,50 +0,0 @@
{ config, lib, pkgs, dotfiles, ... }:
{
imports = [
./homebrew.nix
../../modules/base/darwin.nix
../../modules/builder
];
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
environment.systemPackages = with pkgs; [ emacs-nox vim ghc go gopls niv rustup stack ];
# Use a custom configuration.nix location.
# $ darwin-rebuild switch -I darwin-config=$HOME/.config/nixpkgs/darwin/configuration.nix
# environment.darwinConfig = "$HOME/.config/nixpkgs/darwin/configuration.nix";
# Auto upgrade nix package and the daemon service.
services.nix-daemon.enable = true;
users.users.walkah = {
home = "/Users/walkah";
shell = pkgs.zsh;
};
home-manager.users.walkah = import "${dotfiles}/home.nix";
nixpkgs.config.packageOverrides = pkgs: {
haskellPackages = pkgs.haskellPackages.override {
overrides = self: super: {
niv = pkgs.haskell.lib.overrideCabal super.niv (drv: {
enableSeparateBinOutput = false;
});
};
};
};
services.lorri.enable = true;
programs = {
zsh = {
enable = true;
promptInit = "";
};
};
# Used for backwards compatibility, please read the changelog before changing.
# $ darwin-rebuild changelog
system.stateVersion = 4;
}


@@ -1,50 +0,0 @@
{ config, lib, pkgs, dotfiles, ... }:
{
imports = [
./homebrew.nix
../../modules/base/darwin.nix
../../modules/dev
../../modules/builder
];
nixpkgs.config.allowBroken = true;
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
environment.systemPackages = with pkgs; [ emacs ];
# Auto upgrade nix package and the daemon service.
services.nix-daemon.enable = true;
users.users.walkah = {
home = "/Users/walkah";
shell = pkgs.zsh;
};
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.walkah = import "${dotfiles}/home.nix";
services.lorri.enable = true;
programs = {
zsh = {
enable = true;
promptInit = "";
};
};
system = {
defaults = {
dock = {
autohide = true;
orientation = "left";
};
};
};
# Used for backwards compatibility, please read the changelog before changing.
# $ darwin-rebuild changelog
system.stateVersion = 4;
}


@@ -1,68 +0,0 @@
{ config, lib, pkgs, ... }:
{
homebrew = {
taps = [
"homebrew/cask"
"homebrew/cask-drivers"
"homebrew/cask-fonts"
"homebrew/cask-versions"
"homebrew/services"
];
brews = [ "coreutils" ];
casks = [
"1password"
"bartender"
"brave-browser"
"bunch"
"discord"
"docker"
"element"
"fantastical"
"figma"
"firefox"
"firefox-developer-edition"
"font-jetbrains-mono"
"font-jetbrains-mono-nerd-font"
"gather"
"google-chrome"
"gpg-suite"
"hazel"
"ipfs"
"iterm2"
"keybase"
"logi-options-plus"
"logseq"
"minecraft"
"obsidian"
"plexamp"
"raycast"
"slack"
"sonos"
"soundsource"
"spotify"
"stats"
"steam"
"syncthing"
"synology-drive"
"todoist"
"visual-studio-code"
"whalebird"
"zoom"
];
masApps = {
OnePasswordSafari = 1569813296;
Bumpr = 1166066070;
DayOne = 1055511498;
Drafts = 1435957248;
HomeAssistant = 1099568401;
Reeder = 1529448980;
Tailscale = 1475387142;
UlyssesMac = 1225570693;
Xcode = 497799835;
};
};
}


@@ -1,183 +0,0 @@
{ config, pkgs, home-manager, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../users
../../modules/coredns
../../modules/code-server
../../modules/drone
../../modules/drone/runner-docker.nix
../../modules/gitea
../../modules/home-assistant
../../modules/matrix
../../modules/minecraft
../../modules/pleroma
../../modules/postgresql
../../modules/sops
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
boot.cleanTmpDir = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays = [ (import ../../overlays) ];
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
# Set your time zone.
time.timeZone = "America/Toronto";
networking.hostName = "plato"; # Define your hostname.
networking.useDHCP = false;
networking.interfaces.enp10s0.useDHCP = true;
networking.interfaces.enp9s0.useDHCP = true;
security.sudo.wheelNeedsPassword = false;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5spf4diguK+w7iYLFr565++6DjHukWfvpN2ru9dCRk nixbuild"
];
system.autoUpgrade.enable = false;
environment.systemPackages = with pkgs; [ pinentry weechat ];
fileSystems."/mnt/downloads" = {
device = "192.168.6.100:/volume1/Downloads";
fsType = "nfs";
};
fileSystems."/mnt/music" = {
device = "192.168.6.100:/volume1/Music";
fsType = "nfs";
};
fileSystems."/mnt/video" = {
device = "192.168.6.100:/volume1/Video";
fsType = "nfs";
};
power.ups = {
enable = true;
mode = "standalone";
ups."cyberpower" = {
description = "Cyberpower EC650LCD";
driver = "usbhid-ups";
port = "auto";
};
};
programs.mosh.enable = true;
programs.zsh = {
enable = true;
promptInit = "";
};
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = "curses";
};
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.tailscale.enable = true;
services.keybase.enable = true;
virtualisation.docker = {
enable = true;
# Clean docker images periodically
autoPrune = {
enable = true;
flags = [ "--all" ];
};
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
walkah.coredns = { enable = true; };
services = {
borgbackup.jobs."borgbase" = {
paths = [
"/var/lib"
"/var/backup"
];
exclude = [
# very large paths
"/var/lib/docker"
"/var/lib/postgresql"
"/var/lib/systemd"
];
repo = "qxflzs92@qxflzs92.repo.borgbase.com:repo";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /root/borgbackup/passphrase";
};
environment.BORG_RSH = "ssh -i /root/borgbackup/ssh_key";
compression = "auto,lzma";
startAt = "daily";
};
grafana = {
enable = true;
domain = "plato.walkah.lab";
port = 2342;
addr = "0.0.0.0";
};
prometheus = {
enable = true;
port = 9090;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9100;
};
};
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [
"plato:9100"
"agent:9100"
"form:9100"
"matter:9100"
"purpose:9100"
"socrates:9100"
];
}];
}
{
job_name = "coredns";
static_configs = [{ targets = [ "plato:9153" ]; }];
}
{
job_name = "ipfs";
metrics_path = "/debug/metrics/prometheus";
static_configs = [{
targets = [ "agent:5001" "form:5001" "matter:5001" "purpose:5001" ];
}];
}
];
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
}


@@ -1,37 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"xhci_pci"
"firewire_ohci"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "wl" ];
boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/ea3c68ac-e822-4b71-a8f5-65d9e452a3c2";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/FB06-AB48";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/3a812874-3def-4e46-b20d-cd55fa7bdd5f"; }];
}


@@ -1,81 +0,0 @@
{ pkgs, ... }: {
imports = [
./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect
../../users
../../modules/coredns
../../modules/code-server/nginx.nix
../../modules/drone/nginx.nix
../../modules/gitea/nginx.nix
../../modules/home-assistant/nginx.nix
../../modules/ipfs/gateway.nix
../../modules/matrix/nginx.nix
../../modules/pleroma/nginx.nix
];
nixpkgs.overlays = [ (import ../../overlays) ];
boot.cleanTmpDir = true;
# Set your time zone.
time.timeZone = "America/Toronto";
networking.hostName = "socrates";
networking.firewall.allowPing = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.trustedInterfaces = [ "tailscale0" ];
networking.firewall.checkReversePath = "loose";
nix = {
settings.trusted-users = [ "@wheel" "root" ];
};
security.sudo.wheelNeedsPassword = false;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
];
system.autoUpgrade.enable = false;
environment.systemPackages = with pkgs; [ ipfs-migrator ];
programs.mosh.enable = true;
programs.zsh.enable = true;
security.acme.acceptTerms = true;
security.acme.defaults.email = "walkah@walkah.net";
walkah.coredns = {
enable = true;
addr = "100.103.57.96";
};
services = {
nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
openssh = { enable = true; };
prometheus = {
enable = true;
port = 9090;
listenAddress = "100.103.57.96";
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
openFirewall = true;
port = 9100;
listenAddress = "100.103.57.96";
};
};
};
tailscale = { enable = true; };
};
system.stateVersion = "22.05";
}


@@ -1,29 +0,0 @@
{ pkgs, config, ... }: {
nix = {
configureBuildUsers = true;
extraOptions = ''
extra-platforms = x86_64-darwin aarch64-darwin
experimental-features = nix-command flakes
'';
settings = {
trusted-users = [ "root" "@admin" ];
};
};
homebrew = {
enable = true;
brewPrefix = "/opt/homebrew/bin";
global = {
brewfile = true;
lockfiles = false;
};
onActivation = {
autoUpdate = true;
cleanup = "zap";
upgrade = true;
};
};
}


@@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
{
nix.distributedBuilds = true;
nix.buildMachines = [{
hostName = "plato";
systems = [ "x86_64-linux" "aarch64-linux" ];
maxJobs = 12;
speedFactor = 2;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}];
}


@@ -1,24 +0,0 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
emacs
# Elixir
elixir
elixir_ls
# Golang
go
gopls
# Node/JS
deno
nodejs
yarn
# Rust
rustup
rust-analyzer
];
}


@@ -1,44 +0,0 @@
{ config, lib, pkgs, ... }:
let cfg = config.services.gitea;
in
{
users.users.git = {
description = "Gitea Service";
home = cfg.stateDir;
useDefaultShell = true;
group = "git";
isSystemUser = true;
};
users.groups.git = { };
services = {
gitea = {
enable = true;
user = "git";
domain = "walkah.dev";
appName = "walkah forge";
rootUrl = "https://walkah.dev/";
httpAddress = "0.0.0.0";
httpPort = 8003;
lfs.enable = true;
settings = {
log.LEVEL = "Error";
other.SHOW_FOOTER_VERSION = false;
repository.DEFAULT_BRANCH = "main";
server.SSH_DOMAIN = "git.walkah.dev";
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
dump.enable = false;
database = {
type = "postgres";
user = "git";
};
};
postgresqlBackup.databases = [ "gitea" ];
};
}


@@ -1,15 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Use the docker container because it's officially supported.
virtualisation.oci-containers = {
containers = {
home-assistant = {
image = "ghcr.io/home-assistant/home-assistant:2022.9.7";
volumes =
[ "/var/lib/hass:/config" "/etc/localtime:/etc/localtime:ro" ];
extraOptions = [ "--privileged" "--network=host" ];
};
};
};
}


@@ -1,14 +0,0 @@
{ config, lib, pkgs, ... }:
{
services = {
postgresql = {
ensureDatabases = [ "hass" ];
ensureUsers = [{
name = "hass";
ensurePermissions = { "DATABASE hass" = "ALL PRIVILEGES"; };
}];
};
postgresqlBackup.databases = [ "hass" ];
};
}


@@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ ipfs-migrator ];
services = {
ipfs = {
enable = true;
apiAddress = "/ip4/0.0.0.0/tcp/5001";
gatewayAddress = "/ip4/0.0.0.0/tcp/8080";
swarmAddress = [
"/ip4/0.0.0.0/tcp/4001"
"/ip6/::/tcp/4001"
"/ip4/0.0.0.0/udp/4001/quic"
"/ip6/::/udp/4001/quic"
];
extraConfig = {
Addresses = {
Announce = [ ];
NoAnnounce = [ ];
};
API = { HTTPHeaders = { Access-Control-Allow-Origin = [ "*" ]; }; };
Discovery = { MDNS = { Enabled = true; }; };
Routing = { Type = "dht"; };
};
};
};
}


@@ -1,55 +0,0 @@
{ config, lib, pkgs, ... }:
let
peers = [
{
ID = "12D3KooWMQSgdfa4tUrDhkFx4zP3ZpgT1ryj9KH5RGUae62Vsc7y";
Addrs = [ "/ip4/100.95.167.126/tcp/4001" ];
}
{
ID = "12D3KooWMqSiDukubKNKrK7J4PaF3mfNnZFVAd3Lh7qj3Y3e5bcN";
Addrs = [ "/ip4/100.87.220.71/tcp/4001" ];
}
{
ID = "12D3KooWGmNRyqP969QbyP8NLVRZNK2i6yCcP6N6N2r2DCG4H34v";
Addrs = [ "/ip4/100.126.255.109/tcp/4001" ];
}
{
ID = "12D3KooWFkR8nsG5pzffoAfMzmwBcSakXxnogVa6inRxUbpfN5ua";
Addrs = [ "/ip4/100.74.59.80/tcp/4001" ];
}
];
in
{
imports = [ ./default.nix ];
environment.systemPackages = with pkgs; [ ipfs-migrator ];
networking.firewall = {
allowedTCPPorts = [ 4001 ];
allowedUDPPorts = [ 4001 ];
};
services = {
ipfs = {
enable = true;
extraConfig = {
Peering = { Peers = peers; };
Swarm = { AddrFilters = null; };
};
};
nginx = {
virtualHosts."walkah.cloud" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
serverAliases = [
"walkah.net"
"www.walkah.net"
];
};
};
};
}


@@ -1,39 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"matrix.walkah.chat" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://100.111.208.75:8008"; };
};
"walkah.chat" = {
forceSSL = true;
enableACME = true;
locations."= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "matrix.walkah.chat:443"; };
in
''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://matrix.walkah.chat"; };
};
in
''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."/" = { root = pkgs.element-web; };
};
};
};
}


@@ -1,61 +0,0 @@
import Config
config :pleroma, Pleroma.Web.Endpoint,
url: [host: "walkah.social", scheme: "https", port: 443],
http: [ip: {0, 0, 0, 0}, port: 4000]
config :pleroma, :instance,
name: "walkah.social",
email: "walkah@walkah.net",
notify_email: "walkah@walkah.net",
limit: 5000,
registrations_open: false
config :pleroma, :media_proxy,
enabled: false,
redirect_on_failure: true
config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres,
username: "pleroma",
database: "pleroma",
hostname: "localhost"
# Configure web push notifications
config :web_push_encryption, :vapid_details, subject: "mailto:walkah@walkah.net"
config :pleroma, :database, rum_enabled: false
config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
config :pleroma, configurable_from_database: false
config :pleroma, :frontend_configurations,
pleroma_fe: %{
alwaysShowSubjectInput: true,
background: "",
collapseMessageWithSubject: false,
disableChat: false,
greentext: false,
hideFilteredStatuses: false,
hideMutedPosts: false,
hidePostStats: false,
hideSitename: false,
hideUserStats: false,
loginMethod: "password",
logo: "/static/logo.svg",
logoMargin: ".1em",
logoMask: true,
minimalScopesMode: false,
noAttachmentLinks: false,
nsfwCensorImage: "",
postContentType: "text/plain",
redirectRootLogin: "/main/friends",
redirectRootNoLogin: "/walkah",
scopeCopy: true,
sidebarRight: true,
showFeaturesPanel: false,
showInstanceSpecificPanel: false,
subjectLineBehavior: "email",
theme: "pleroma-dark",
webPushNotifications: false
}


@@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
{
services = {
pleroma = {
enable = true;
secretConfigFile = "/var/lib/pleroma/secrets.exs";
configs = [
(builtins.readFile ./config.exs)
];
};
postgresql = {
ensureDatabases = [ "pleroma" ];
ensureUsers = [{
name = "pleroma";
ensurePermissions = { "DATABASE pleroma" = "ALL PRIVILEGES"; };
}];
};
postgresqlBackup.databases = [ "pleroma" ];
};
}


@@ -1,39 +0,0 @@
{ pkgs, config, ... }: {
services = {
postgresql = {
enable = true;
package = pkgs.postgresql_12;
};
postgresqlBackup = {
enable = true;
};
};
# Postgres upgrades: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading
environment.systemPackages = [
(pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
# XXX replace `<new version>` with the psqlSchema here
export NEWDATA="/var/lib/postgresql/12"
# XXX specify the postgresql package you'd like to upgrade to
export NEWBIN="${pkgs.postgresql_12}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
}

15
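--- a/nix/checks.nix
+++ b/nix/checks.nix
@@ -0,0 +1,15 @@
+{
+system,
+pre-commit-hooks,
+...
+}:
+{
+pre-commit-check = pre-commit-hooks.lib.${system}.run {
+src = ./.;
+hooks = {
+deadnix.enable = true;
+nixfmt-rfc-style.enable = true;
+statix.enable = true;
+};
+};
+}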
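Review bot: `src = ./.;` resolves relative to this file, so the hooks run over `nix/` only. `flake.nix` imports this file as `./nix/checks.nix`, which puts `flake.nix` and `flake.lock` one level up and outside the checked tree. If the intent is to lint the whole repository, point it at the root with `src = ../.;`. Either way, a one-line comment saying which tree the check covers would make the scope explicit.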

29
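--- a/nix/darwin.nix
+++ b/nix/darwin.nix
@@ -0,0 +1,29 @@
+{
+self,
+darwin,
+home-manager,
+...
+}:
+let
+mkDarwin =
+hostName: modules:
+let
+hostSystem = self.hosts.${hostName}.system;
+in
+darwin.lib.darwinSystem {
+system = hostSystem;
+modules = [
+home-manager.darwinModules.home-manager
+(_: {
+networking.hostName = hostName;
+nixpkgs.overlays = [ self.overlays.default ];
+})
+]
+++ modules;
+specialArgs = { inherit home-manager; };
+};
+in
+{
+epicurus = mkDarwin "epicurus" [ ./hosts/epicurus/darwin-configuration.nix ];
+heraclitus = mkDarwin "heraclitus" [ ./hosts/heraclitus/darwin-configuration.nix ];
+}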

49
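--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@@ -0,0 +1,49 @@
+{
+socrates = {
+type = "nixos";
+address = "100.103.57.96";
+system = "x86_64-linux";
+sshUser = "walkah";
+};
+plato = {
+type = "nixos";
+address = "100.111.208.75";
+system = "x86_64-linux";
+sshUser = "walkah";
+};
+agent = {
+type = "nixos";
+address = "100.103.219.26";
+system = "aarch64-linux";
+sshUser = "root";
+};
+form = {
+type = "nixos";
+address = "100.104.247.27";
+system = "aarch64-linux";
+sshUser = "root";
+};
+matter = {
+type = "nixos";
+address = "100.95.77.67";
+system = "aarch64-linux";
+sshUser = "root";
+};
+purpose = {
+type = "nixos";
+address = "100.117.49.15";
+system = "aarch64-linux";
+sshUser = "root";
+};
+epicurus = {
+type = "darwin";
+address = "100.75.26.104";
+system = "aarch64-darwin";
+sshUser = "walkah";
+};
+heraclitus = {
+type = "darwin";
+address = "100.72.149.31";
+system = "aarch64-darwin";
+};
+}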
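Review bot: `agent`, `form`, `matter` and `purpose` keep `sshUser = "root"` while `socrates` and `plato` use `walkah`, so whatever consumes this table still depends on direct root SSH login on the four aarch64 hosts. The consumer is not visible on this page; if it can escalate through sudo, setting `sshUser = "walkah";` on those entries would let root login over SSH be disabled there. `heraclitus` has no `sshUser` at all, so any reader of `hosts.<name>.sshUser` needs a fallback such as `host.sshUser or "walkah"`, or the entry needs the attribute.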


@@ -0,0 +1,75 @@
{ pkgs, raspberry-pi-nix, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../modules/base/nixos.nix
raspberry-pi-nix.nixosModules.raspberry-pi
../../modules/ipfs/cluster.nix
../../modules/k3s/agent.nix
../../modules/sops
];
# See: https://github.com/NixOS/nixos-hardware/issues/858
boot.initrd.systemd.tpm2.enable = false;
boot.kernelParams = [
"cgroup_enable=memory"
"cgroup_enable=cpuset"
"cgroup_memory=1"
];
raspberry-pi-nix.board = "bcm2711";
hardware.raspberry-pi.config = {
all = {
dt-overlays = {
rpi-poe = {
enable = true;
params = {
poe_fan_temp0 = {
enable = true;
value = 50000;
};
poe_fan_temp1 = {
enable = true;
value = 60000;
};
poe_fan_temp2 = {
enable = true;
value = 70000;
};
poe_fan_temp3 = {
enable = true;
value = 80000;
};
};
};
};
};
};
time.timeZone = "America/Toronto";
networking = {
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
useDHCP = false;
interfaces.eth0.useDHCP = true;
interfaces.wlan0.useDHCP = true;
firewall.enable = false;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
];
environment.systemPackages = with pkgs; [
libraspberrypi
raspberrypi-eeprom
];
security.sudo.wheelNeedsPassword = false;
}
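Review bot: `firewall.enable = false;` in the `networking` block leaves every listening port on this host reachable from both `eth0` and `wlan0`, on a machine that also authorises a root SSH key and imports the k3s agent and IPFS cluster modules. The `socrates` configuration removed earlier in this comparison shows a narrower pattern: keep the firewall on and trust only the tailnet interface with `firewall.trustedInterfaces = [ "tailscale0" ];`. That assumes these boards are on the tailnet, which the module list here does not confirm. If the firewall has to stay off, a comment next to the line should say why and which network segment the boards sit on.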


@@ -1,19 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { lib, modulesPath, ... }:
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD"; device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4"; fsType = "ext4";
options = [ "noatime" ];
}; };
swapDevices = [ ]; swapDevices = [ ];


@@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./homebrew.nix
../../modules/base/darwin.nix
../../modules/builder
../../modules/dev
];
}


@@ -1,35 +1,33 @@
{ config, lib, pkgs, ... }: _:
{ {
homebrew = { homebrew = {
taps = [ taps = [
"homebrew/cask" "homebrew/cask"
"homebrew/cask-drivers"
"homebrew/cask-fonts"
"homebrew/services" "homebrew/services"
]; ];
brews = [ "code-server" "coreutils" "mosh" ]; brews = [
"btop"
"code-server"
"coreutils"
"mas"
"mosh"
];
casks = [ casks = [
"1password" "1password"
"alfred" "docker-desktop"
"docker"
"font-jetbrains-mono" "font-jetbrains-mono"
"font-jetbrains-mono-nerd-font" "font-jetbrains-mono-nerd-font"
"gpg-suite" "gpg-suite"
"ipfs"
"keybase"
"plex-media-server" "plex-media-server"
"stats" "stats"
"syncthing"
"synology-drive" "synology-drive"
"tailscale-app"
]; ];
masApps = { masApps = {
Bumpr = 1166066070;
Magnet = 441258766;
Tailscale = 1475387142;
Xcode = 497799835; Xcode = 497799835;
}; };
}; };


@@ -0,0 +1,19 @@
{ ... }:
{
imports = [
./homebrew.nix
../../modules/base/darwin.nix
../../modules/dev
../../modules/builder
];
system = {
defaults = {
dock = {
autohide = true;
orientation = "left";
};
};
};
}


@@ -0,0 +1,106 @@
_:
{
homebrew = {
taps = [
"homebrew/cask"
"homebrew/services"
"walkah/tap"
"1password/tap"
"d12frosted/emacs-plus"
"dracula/install"
"heroku/brew"
];
brews = [
"asdf"
"argocd"
"cmake"
"cocoapods"
"coreutils"
{
name = "emacs-plus";
args = [ "--with-c9rgreen-sonoma-icon" ];
}
"fontconfig"
"gcc"
"gh"
"helm"
"heroku"
"ipfs"
"kind"
"kubernetes-cli"
"kustomize"
"libtool"
"mas"
"mr"
"ollama"
"opentofu"
"podman"
"r"
"ripgrep"
"tea"
"terminal-notifier"
"watchman"
];
casks = [
"1password"
"1password-cli"
"actual"
"android-studio"
"arc"
"balenaetcher"
"beeper"
"brave-browser"
"bruno"
"bunch"
"calibre"
"claude"
"discord"
"docker-desktop"
"dracula-xcode"
"element"
"fantastical"
"figma"
"firefox@developer-edition"
"font-jetbrains-mono"
"font-jetbrains-mono-nerd-font"
"ghostty"
"google-chrome"
"gpg-suite"
"hazel"
"jordanbaird-ice"
"logi-options+"
"logitech-camera-settings"
"microsoft-edge"
"minecraft"
"obsidian"
"opal-composer"
"plexamp"
"raycast"
"rstudio"
"slack"
"sonos"
"spotify"
"stats"
"steam"
"synology-drive"
"tailscale-app"
"todoist-app"
"visual-studio-code"
"zen"
"zoom"
"zulu@17"
];
masApps = {
OnePasswordSafari = 1569813296;
Bumpr = 1166066070;
DayOne = 1055511498;
Drafts = 1435957248;
HomeAssistant = 1099568401;
Xcode = 497799835;
};
};
}
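Review bot: The `taps` list brings in five third-party taps (`walkah/tap`, `1password/tap`, `d12frosted/emacs-plus`, `dracula/install`, `heroku/brew`) with nothing in the file saying which package each one serves. A tap is an unpinned Git repository whose formula code runs during install and upgrade, so each entry extends trust to that repository's maintainers. A trailing comment per tap would make stale ones easy to spot and drop, e.g. `"d12frosted/emacs-plus" # brews: emacs-plus` and `"heroku/brew" # brews: heroku`. Whether activation auto-updates these taps depends on the base darwin module, which is not visible on this page.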


@@ -0,0 +1,217 @@
{
pkgs,
config,
lib,
...
}:
let
automount_opts = "uid=1000,gid=1000,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
inherit (config.sops) secrets;
in
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../modules/base/nixos.nix
../../modules/coredns
../../modules/drone
../../modules/drone/runner-docker.nix
../../modules/gitea
../../modules/k3s/server.nix
../../modules/matrix
../../modules/minecraft
../../modules/postgresql
../../modules/sops
];
boot = {
binfmt.emulatedSystems = [ "aarch64-linux" ];
loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {
# Use the systemd-boot EFI boot loader.
enable = true;
configurationLimit = 3;
};
};
tmp.cleanOnBoot = true;
};
# Set your time zone.
time.timeZone = "America/Toronto";
networking = {
hostName = "plato"; # Define your hostname.
useDHCP = false;
interfaces = {
enp10s0.useDHCP = true;
enp9s0.useDHCP = true;
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
firewall.enable = false;
};
security.sudo.wheelNeedsPassword = false;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5spf4diguK+w7iYLFr565++6DjHukWfvpN2ru9dCRk nixbuild"
];
environment.systemPackages = with pkgs; [
cifs-utils
pinentry
weechat
];
fileSystems = {
"/mnt/downloads" = {
device = "//parthenon/Downloads";
fsType = "cifs";
options = [
"${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
];
};
"/mnt/music" = {
device = "//parthenon/Music";
fsType = "cifs";
options = [
"${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
];
};
"/mnt/video" = {
device = "//parthenon/Video";
fsType = "cifs";
options = [
"${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
];
};
};
nixpkgs.config.allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"broadcom-sta" # aka “wl”
];
power.ups = {
enable = true;
mode = "netserver";
ups."cyberpower" = {
description = "Cyberpower EC650LCD";
driver = "usbhid-ups";
port = "auto";
};
upsd = {
enable = true;
listen = [
{ address = "0.0.0.0"; }
];
};
users.upsmon = {
passwordFile = secrets.upsmon.path;
upsmon = "primary";
};
upsmon.monitor."cyberpower".user = "upsmon";
};
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
sops.secrets = {
filesystems-parthenon = { };
upsmon = { };
};
services = {
borgbackup.jobs."borgbase" = {
paths = [
"/var/backup"
];
repo = "ssh://h7ug55o3@h7ug55o3.repo.borgbase.com/./repo";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /root/borgbackup/passphrase";
};
environment.BORG_RSH = "ssh -i /root/borgbackup/ssh_key";
compression = "auto,lzma";
startAt = "daily";
};
grafana = {
enable = true;
settings = {
server = {
domain = "plato.walkah.lab";
http_port = 2342;
http_addr = "0.0.0.0";
};
};
};
prometheus = {
scrapeConfigs = [
{
job_name = "node";
static_configs = [
{
targets = [
"plato:9100"
"agent:9100"
"form:9100"
"matter:9100"
"purpose:9100"
"socrates:9100"
];
}
];
}
{
job_name = "coredns";
static_configs = [ { targets = [ "plato:9153" ]; } ];
}
{
job_name = "ipfs";
metrics_path = "/debug/metrics/prometheus";
static_configs = [
{
targets = [
"agent:5001"
"form:5001"
"matter:5001"
"purpose:5001"
];
}
];
}
];
};
tailscale = {
useRoutingFeatures = "server";
};
};
walkah.coredns = {
enable = true;
};
virtualisation.docker = {
enable = true;
# Clean docker images periodically
autoPrune = {
enable = true;
flags = [ "--all" ];
};
daemon.settings = {
dns = [
"1.1.1.1"
"1.0.0.1"
];
};
};
}
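Review bot: `firewall.enable = false;` leaves every listener on this host reachable from whatever networks `enp9s0` and `enp10s0` sit on, and this file itself binds upsd and Grafana to `0.0.0.0`. The gitea module (`HTTP_ADDR = "0.0.0.0"`) and the synapse listener (`bind_addresses` of `"0.0.0.0"` with `tls = false`) elsewhere in this compare are imported here and share the exposure. The socrates host in the same change shows the safer shape: keep the firewall enabled and add `trustedInterfaces = [ "tailscale0" ];`, then open only the LAN ports that are really needed (the UPS port, if other machines monitor it). Separately, the borg passphrase and SSH key are read from `/root/borgbackup/` while the other secrets in this file go through sops; moving them there would leave a single secrets path to audit.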


@@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"xhci_pci"
"firewire_ohci"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
initrd.kernelModules = [ ];
kernelModules = [
"kvm-intel"
"wl"
];
extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/ea3c68ac-e822-4b71-a8f5-65d9e452a3c2";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/FB06-AB48";
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-uuid/3a812874-3def-4e46-b20d-cd55fa7bdd5f"; } ];
}


@@ -0,0 +1,72 @@
{ pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect
../../modules/base/nixos.nix
../../modules/akkoma
../../modules/akkoma/nginx.nix
../../modules/coredns
../../modules/code-server/nginx.nix
../../modules/drone/nginx.nix
../../modules/gitea/nginx.nix
../../modules/home-assistant/nginx.nix
../../modules/ipfs/gateway.nix
../../modules/matrix/nginx.nix
../../modules/minecraft/proxy.nix
../../modules/sops
];
boot.tmp.cleanOnBoot = true;
# Set your time zone.
time.timeZone = "America/Toronto";
networking = {
hostName = "socrates";
firewall = {
allowPing = true;
allowedTCPPorts = [
80
443
];
trustedInterfaces = [ "tailscale0" ];
checkReversePath = "loose";
};
};
nix = {
settings.trusted-users = [
"@wheel"
"root"
];
};
security = {
sudo.wheelNeedsPassword = false;
acme.acceptTerms = true;
acme.defaults.email = "walkah@walkah.net";
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
];
environment.systemPackages = with pkgs; [ ipfs-migrator ];
walkah.coredns = {
enable = true;
addr = "100.103.57.96";
};
services = {
nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
};
}
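Review bot: This host opens 80/443 to the internet and authorizes a key for direct root login, but nothing here restricts where SSH is reachable. The base NixOS module in this compare sets `openssh.enable = true`, and NixOS opens port 22 in the firewall by default for that service. Since `tailscale0` is already a trusted interface, `services.openssh.openFirewall = false;` would keep SSH on the tailnet only, and `services.openssh.settings.PasswordAuthentication = false;` would make the key-only intent explicit. Whether a provider-level firewall already blocks port 22 cannot be seen from this file.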


@@ -2,5 +2,8 @@
{ {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; fileSystems."/" = {
device = "/dev/vda1";
fsType = "ext4";
};
} }


@@ -1,4 +1,5 @@
{ lib, ... }: { { lib, ... }:
{
# This file was populated at runtime with the networking # This file was populated at runtime with the networking
# details gathered from the active system. # details gathered from the active system.
networking = { networking = {
@@ -28,14 +29,18 @@
prefixLength = 64; prefixLength = 64;
} }
]; ];
ipv4.routes = [{ ipv4.routes = [
address = "167.99.176.1"; {
prefixLength = 32; address = "167.99.176.1";
}]; prefixLength = 32;
ipv6.routes = [{ }
address = "2604:a880:cad:d0::1"; ];
prefixLength = 32; ipv6.routes = [
}]; {
address = "2604:a880:cad:d0::1";
prefixLength = 32;
}
];
}; };
}; };


@@ -0,0 +1,111 @@
{ config, pkgs, ... }:
let
inherit (config.services) akkoma;
inherit (config.sops) secrets;
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw;
in
{
services = {
akkoma = {
enable = true;
config = {
":pleroma" = {
":instance" = {
name = "walkah.social";
email = "walkah@walkah.net";
notify_email = "walkah@walkah.net";
description = "James Walker's personal Akkoma instance";
registrations_open = false;
invites_enabled = true;
federating = true;
federation_incoming_replies_max_depth = null;
allow_relay = true;
safe_dm_mentions = true;
external_user_synchronization = true;
cleanup_attachments = true;
};
":media_proxy" = {
enabled = false;
redirect_on_failure = true;
};
"Pleroma.Repo" = {
adapter = mkRaw "Ecto.Adapters.Postgres";
socket_dir = "/run/postgresql";
username = config.services.akkoma.user;
database = "akkoma";
prepare = mkRaw ":named";
parameters.plan_cache_mode = "force_custom_plan";
};
"Pleroma.Web.Endpoint" = {
secret_key_base = {
_secret = secrets.akkoma-secret-key-base.path;
};
signing_salt = {
_secret = secrets.akkoma-signing-salt.path;
};
live_view.signing_salt = {
_secret = secrets.akkoma-signing-salt.path;
};
url = {
host = "walkah.social";
scheme = "https";
port = 443;
};
http = {
ip = "127.0.0.1";
port = 4000;
};
};
};
":web_push_encryption" = {
":vapid_details" = {
private_key = {
_secret = secrets.akkoma-vapid-private-key.path;
};
public_key = {
_secret = secrets.akkoma-vapid-public-key.path;
};
};
};
":joken" = {
":default_signer" = {
_secret = secrets.akkoma-joken-signer.path;
};
};
};
nginx = null; # doing this manually
};
postgresql = {
enable = true;
};
postgresqlBackup = {
enable = true;
databases = [ "akkoma" ];
};
};
sops = {
secrets = {
akkoma-secret-key-base = {
owner = akkoma.user;
};
akkoma-signing-salt = {
owner = akkoma.user;
};
akkoma-vapid-private-key = {
owner = akkoma.user;
};
akkoma-vapid-public-key = {
owner = akkoma.user;
};
akkoma-joken-signer = {
owner = akkoma.user;
};
};
};
}


@@ -1,6 +1,4 @@
{ config, lib, pkgs, ... }: _: {
{
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
@@ -8,7 +6,7 @@
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://100.111.208.75:4000"; proxyPass = "http://127.0.0.1:4000";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };


@@ -0,0 +1,29 @@
_:
{
nix = {
extraOptions = ''
experimental-features = nix-command flakes
'';
gc = {
automatic = true;
};
settings = {
substituters = [
"https://walkah.cachix.org"
"https://nix-community.cachix.org"
"https://cache.garnix.io"
];
trusted-public-keys = [
"walkah.cachix.org-1:D8cO78JoJC6UPV1ZMgd1V5znpk3jNUERGIeAKN15hxo="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
];
};
};
programs.zsh.enable = true;
}


@@ -0,0 +1,56 @@
{ ... }:
{
imports = [
./common.nix
../../users
];
nix = {
enable = true;
extraOptions = ''
extra-platforms = x86_64-darwin aarch64-darwin
'';
gc = {
interval = {
Hour = 3;
Minute = 16;
Weekday = 6;
};
options = "--delete-older-than 30d";
};
settings = {
trusted-users = [
"root"
"@admin"
];
};
};
environment.etc = {
"sudoers.d/walkah".text = ''
walkah ALL = (ALL) NOPASSWD: ALL
'';
};
homebrew = {
enable = true;
brewPrefix = "/opt/homebrew/bin";
global = {
brewfile = true;
lockfiles = false;
};
onActivation = {
autoUpdate = true;
cleanup = "zap";
upgrade = true;
};
};
system = {
primaryUser = "walkah";
stateVersion = 4;
};
}
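Review bot: The `sudoers.d/walkah` entry `walkah ALL = (ALL) NOPASSWD: ALL` makes every process running as the desktop user root-equivalent, on machines where the same module also turns on Homebrew `autoUpdate` and `upgrade` at activation. If the rule exists only so rebuilds can run unattended, scope it to the specific commands that need it; if the blanket rule is intentional, add a comment above it saying why, for example `# passwordless sudo: required for unattended activation`. Note that `trusted-users` also includes `@admin`, so the Nix daemon is a second root-equivalent path for the same account.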


@@ -0,0 +1,63 @@
{ config, pkgs, ... }:
{
imports = [
./common.nix
../monitoring
../../users
];
documentation = {
enable = false;
};
environment.systemPackages = with pkgs; [
btop
htop
inetutils
vim
];
nix = {
gc = {
persistent = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
settings = {
auto-optimise-store = true;
trusted-users = [
"root"
"walkah"
];
};
};
programs = {
mosh.enable = true;
};
services = {
openssh.enable = true;
tailscale = {
enable = true;
extraSetFlags = [ "--webclient" ];
};
};
system = {
autoUpgrade = {
enable = true;
flake = "github:walkah/athens#${config.networking.hostName}";
dates = "hourly";
flags = [
"--option"
"tarball-ttl"
"0"
];
};
stateVersion = "23.05";
};
}
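Review bot: `autoUpgrade` with `flake = "github:walkah/athens#…"`, `dates = "hourly"` and `tarball-ttl 0` means whatever is at the tip of that repository's default branch is built and activated as root on every host within the hour. Push access to the GitHub repository, or a token or workflow that holds it, is therefore equivalent to root on the fleet. Consider tracking a dedicated ref that only receives reviewed commits, `flake = "github:walkah/athens/<release-ref>#${config.networking.hostName}";`, with branch protection on that ref. The same block enables the Tailscale web client through `--webclient`; a comment on who is expected to reach it would help the next reader.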


@@ -0,0 +1,23 @@
_: {
nix = {
distributedBuilds = true;
buildMachines = [
{
hostName = "plato";
systems = [
"x86_64-linux"
"aarch64-linux"
];
maxJobs = 6;
supportedFeatures = [
"benchmark"
"big-parallel"
"kvm"
];
}
];
extraOptions = ''
builders-use-substitutes = true
'';
};
}
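Review bot: The `buildMachines` entry names only `hostName = "plato"`, with no `sshUser`, `sshKey` or `publicHostKey`. The connection then uses the Nix daemon's SSH defaults, and host-key trust comes from whatever known_hosts already holds. The plato configuration in this compare authorizes a `nixbuild` key for root, which suggests builds log in as root on the builder (inferred, not shown here). Setting `sshUser` to a dedicated build account and `publicHostKey` to the builder's base64-encoded host key would narrow what a stolen build key can do and pin the builder's identity.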


@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { pkgs, ... }:
{ {
environment.systemPackages = with pkgs; [ code-server ]; environment.systemPackages = with pkgs; [ code-server ];


@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: _:
{ {
services.nginx = { services.nginx = {
@@ -8,7 +8,7 @@
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://100.66.26.116:8080"; proxyPass = "http://100.75.26.104:8080";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };


@@ -1,7 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
with lib; with lib;
let cfg = config.walkah.coredns; let
cfg = config.walkah.coredns;
in in
{ {
options.walkah.coredns = { options.walkah.coredns = {


@@ -1,6 +1,6 @@
$ORIGIN walkah.lab. $ORIGIN walkah.lab.
@ 3600 IN SOA plato.walkah.lab. walkah.walkah.net. ( @ 3600 IN SOA plato.walkah.lab. walkah.walkah.net. (
2021070700 ; serial 2023091000 ; serial
7200 ; refresh (2 hours) 7200 ; refresh (2 hours)
3600 ; retry (1 hour) 3600 ; retry (1 hour)
1209600 ; expire (2 weeks) 1209600 ; expire (2 weeks)
@@ -10,10 +10,10 @@ $ORIGIN walkah.lab.
socrates IN A 100.103.57.96 socrates IN A 100.103.57.96
plato IN A 100.111.208.75 plato IN A 100.111.208.75
; aristotle ; aristotle
agent IN A 100.95.167.126 agent IN A 100.103.219.26
form IN A 100.87.220.71 form IN A 100.104.247.27
matter IN A 100.126.255.109 matter IN A 100.95.77.67
purpose IN A 100.74.59.80 purpose IN A 100.117.49.15
parthenon IN A 100.106.65.39 parthenon IN A 100.106.65.39
epicurus IN A 100.66.26.116 epicurus IN A 100.75.26.104


@@ -0,0 +1,11 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
# Nix
cachix
nixd
nixf
nixfmt-rfc-style
];
}


@@ -1,4 +1,5 @@
{ pkgs, config, ... }: { { pkgs, config, ... }:
{
sops.secrets.drone = { sops.secrets.drone = {
owner = "drone"; owner = "drone";
}; };
@@ -9,9 +10,7 @@
ensureUsers = [ ensureUsers = [
{ {
name = "drone"; name = "drone";
ensurePermissions = { ensureDBOwnership = true;
"DATABASE drone" = "ALL PRIVILEGES";
};
} }
]; ];
}; };


@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: _:
{ {
services.nginx = { services.nginx = {


@@ -1,4 +1,5 @@
{ pkgs, config, lib, ... }: { { pkgs, config, ... }:
{
systemd.services.drone-runner-docker = { systemd.services.drone-runner-docker = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {


@@ -1,7 +1,4 @@
{ pkgs, config, lib, ... }: { pkgs, config, ... }:
let
droneserver = config.users.users.droneserver.name;
in
{ {
nix.settings.allowed-users = [ "drone-runner-exec" ]; nix.settings.allowed-users = [ "drone-runner-exec" ];
systemd.services.drone-runner-exec = { systemd.services.drone-runner-exec = {
@@ -39,14 +36,14 @@ in
"/etc/passwd:/etc/passwd" "/etc/passwd:/etc/passwd"
"/etc/group:/etc/group" "/etc/group:/etc/group"
"/nix/var/nix/profiles/system/etc/nix:/etc/nix" "/nix/var/nix/profiles/system/etc/nix:/etc/nix"
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
"${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
"${ "${
builtins.toFile "ssh_config" '' config.environment.etc."ssl/certs/ca-certificates.crt".source
Host eve.thalheim.io }:/etc/ssl/certs/ca-certificates.crt"
ForwardAgent yes "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
'' "${builtins.toFile "ssh_config" ''
}:/etc/ssh/ssh_config" Host eve.thalheim.io
ForwardAgent yes
''}:/etc/ssh/ssh_config"
"/etc/machine-id" "/etc/machine-id"
# channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing # channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing
"/nix/" "/nix/"
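Review bot: The bind-mounted `ssh_config` still carries `Host eve.thalheim.io` with `ForwardAgent yes`, which looks inherited from the configuration this module was adapted from rather than a host this repository uses (an assumption; nothing else in the compare refers to it). Agent forwarding lets the remote host use any key loaded in the job's agent for as long as the session lasts. Unless CI jobs really connect there, drop the `builtins.toFile "ssh_config"` mount, or replace its contents with the hosts this runner actually deploys to and leave forwarding off. This hunk only re-indents the entries; the list they belong to starts and ends outside it.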


@@ -0,0 +1,68 @@
{ config, ... }:
let
cfg = config.services.gitea;
in
{
users.users.git = {
description = "Gitea Service";
home = cfg.stateDir;
useDefaultShell = true;
group = "git";
isSystemUser = true;
};
users.groups.git = { };
services = {
gitea = {
enable = true;
user = "git";
appName = "walkah forge";
lfs.enable = true;
settings = {
log = {
LEVEL = "Error";
};
other = {
SHOW_FOOTER_VERSION = false;
};
repository = {
DEFAULT_BRANCH = "main";
};
server = {
DOMAIN = "walkah.dev";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 8003;
ROOT_URL = "https://walkah.dev/";
SSH_DOMAIN = "git.walkah.dev";
};
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
};
dump.enable = false;
database = {
createDatabase = false;
type = "postgres";
name = "gitea";
socket = "/run/postgresql";
user = "git";
};
};
postgresql = {
ensureDatabases = [ "gitea" ];
ensureUsers = [
{
name = "git";
}
];
};
postgresqlBackup.databases = [ "gitea" ];
};
}


@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: _:
{ {
services.nginx = { services.nginx = {
@@ -10,6 +10,9 @@
locations."/" = { locations."/" = {
proxyPass = "http://100.111.208.75:8003"; proxyPass = "http://100.111.208.75:8003";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = ''
client_max_body_size 0;
'';
}; };
}; };
}; };
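Review bot: `client_max_body_size 0;` removes nginx's request-body limit for the whole forge location, so any client that can reach `/` can stream arbitrarily large bodies through the proxy to Gitea. If the aim is large pushes or LFS objects, a finite ceiling keeps that working while bounding disk and memory pressure, for example `client_max_body_size 512m;` (value constructed; size it to the largest object you expect). The virtual host this location belongs to is defined outside the hunk.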


@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: _:
{ {
services.nginx = { services.nginx = {
@@ -8,7 +8,7 @@
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://100.111.208.75:8123"; proxyPass = "http://100.72.37.46:8123";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };

913231
nix/modules/ipfs/badbits.deny Normal file

File diff suppressed because it is too large Load Diff


@@ -1,15 +1,19 @@
{ config, lib, pkgs, ... }: { config, ... }:
{ {
imports = [ imports = [
./default.nix ./default.nix
../../services/ipfs-cluster.nix
]; ];
services = { services = {
ipfs = { kubo = {
enable = true; enable = true;
extraConfig = { settings = {
Discovery = {
MDNS = {
Enabled = true;
};
};
Swarm = { Swarm = {
AddrFilters = null; AddrFilters = null;
ConnMgr = { ConnMgr = {


@@ -0,0 +1,31 @@
_:
{
services = {
kubo = {
enable = true;
settings = {
Addresses = {
Announce = [ ];
API = "/ip4/0.0.0.0/tcp/5001";
Gateway = "/ip4/0.0.0.0/tcp/8080";
NoAnnounce = [ ];
Swarm = [
"/ip4/0.0.0.0/tcp/4001"
"/ip6/::/tcp/4001"
"/ip4/0.0.0.0/udp/4001/quic"
"/ip6/::/udp/4001/quic"
];
};
API = {
HTTPHeaders = {
Access-Control-Allow-Origin = [ "*" ];
};
};
Routing = {
Type = "dht";
};
};
};
};
}
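Review bot: `API = "/ip4/0.0.0.0/tcp/5001"` exposes the Kubo RPC API on every interface, and `Access-Control-Allow-Origin = [ "*" ]` additionally allows any web origin to call it from a browser. That API is administrative (pinning, configuration, key handling) and is unauthenticated unless configured otherwise, so hosts importing this module depend entirely on their firewall to keep it private. The safe default is `API = "/ip4/127.0.0.1/tcp/5001";` with the wildcard origin removed or replaced by the one origin that needs it. The Prometheus `ipfs` job in the plato configuration scrapes port 5001 on the cluster nodes, so those nodes would need to bind the tailnet address rather than loopback.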


@@ -0,0 +1,79 @@
{ pkgs, ... }:
let
peers = [
{
ID = "12D3KooWEVoGdqsakyi3bgE8ivvRzcgTjiirFNS2FbUMw6HSjZF9";
Addrs = [ "/ip4/100.103.219.26/tcp/4001" ];
}
{
ID = "12D3KooWC5ncgKeJV2G6QBdGMkT2gLbeviaDxpYR7V6NVTsma3C5";
Addrs = [ "/ip4/100.104.247.27/tcp/4001" ];
}
{
ID = "12D3KooW9xeqfnnNWafiDkLXWjC5YdUnBrG5tJDd3tnm86kqVwhA";
Addrs = [ "/ip4/100.95.77.67/tcp/4001" ];
}
{
ID = "12D3KooWLYPckqA4JACJ4vioWc4tYuPjmfLMbgviECnWqazjSgK9";
Addrs = [ "/ip4/100.117.49.15/tcp/4001" ];
}
];
in
{
imports = [ ./default.nix ];
environment.systemPackages = with pkgs; [ ipfs-migrator ];
environment.etc = {
"ipfs/denylists/badbits.deny".source = ./badbits.deny;
};
networking.firewall = {
allowedTCPPorts = [ 4001 ];
allowedUDPPorts = [ 4001 ];
};
services = {
kubo = {
enable = true;
settings = {
Discovery = {
MDNS = {
Enabled = false;
};
};
Peering = {
Peers = peers;
};
Swarm = {
AddrFilters = null;
};
};
};
nginx = {
# IPFS Gateway
virtualHosts."walkah.cloud" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
};
};
# Hosted Sites
virtualHosts."walkah.net" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
};
serverAliases = [
"www.walkah.net"
];
};
};
};
}

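--- a/nix/modules/k3s/agent.nix
+++ b/nix/modules/k3s/agent.nix
@@ -0,0 +1,12 @@
+_:
+let
+hosts = import ../../hosts.nix;
+in
+{
+imports = [ ./common.nix ];
+services.k3s = {
+role = "agent";
+serverAddr = "https://${hosts.plato.address}:6443";
+};
+}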


@@ -0,0 +1,18 @@
{ config, ... }:
let
hostname = config.networking.hostName;
hosts = import ../../hosts.nix;
in
{
services.k3s = {
enable = true;
tokenFile = config.sops.secrets.k3s-token.path;
extraFlags = [
"--node-external-ip=${hosts.${hostname}.address}"
];
};
sops.secrets.k3s-token = {
owner = "root";
mode = "0400";
};
}


@@ -0,0 +1,7 @@
{
imports = [ ./common.nix ];
services.k3s = {
role = "server";
clusterInit = true;
};
}


@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, pkgs, ... }:
{ {
services = { services = {
@@ -13,7 +13,10 @@
LC_CTYPE = "C"; LC_CTYPE = "C";
''; '';
}; };
postgresqlBackup.databases = [ "matrix" ]; postgresqlBackup.databases = [
"matrix"
"matrix-syncv3"
];
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
@@ -24,21 +27,30 @@
enable_registration = false; enable_registration = false;
database = { database = {
name = "psycopg2"; name = "psycopg2";
args = { database = "matrix"; }; args = {
database = "matrix";
};
}; };
listeners = [{ listeners = [
bind_addresses = [ {
"0.0.0.0" bind_addresses = [
]; "0.0.0.0"
port = 8008; ];
type = "http"; port = 8008;
tls = false; type = "http";
x_forwarded = true; tls = false;
resources = [{ x_forwarded = true;
compress = false; resources = [
names = [ "client" "federation" ]; {
}]; compress = false;
}]; names = [
"client"
"federation"
];
}
];
}
];
}; };
extraConfigFiles = [ extraConfigFiles = [
config.sops.secrets.matrix-registration-secret.path config.sops.secrets.matrix-registration-secret.path


@@ -0,0 +1,64 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"matrix.walkah.chat" = {
forceSSL = true;
enableACME = true;
locations."/_matrix" = {
proxyPass = "http://100.111.208.75:8008";
};
locations."/_synapse/client" = {
proxyPass = "http://100.111.208.75:8008";
};
};
"syncv3.walkah.chat" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.111.208.75:8088";
};
};
"walkah.chat" = {
forceSSL = true;
enableACME = true;
locations = {
"= /.well-known/matrix/server".extraConfig =
let
server = {
"m.server" = "matrix.walkah.chat:443";
};
in
''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON server}';
'';
"= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = {
"base_url" = "https://matrix.walkah.chat";
};
"org.matrix.msc3575.proxy" = {
"url" = "https://syncv3.walkah.chat";
};
};
in
''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
# "/" = {
# root = pkgs.element-web;
# };
};
};
};
};
}


@@ -1,4 +1,4 @@
{ pkgs, ... }: { _: {
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = true;
@@ -8,6 +8,7 @@
# see here for more info: https://minecraft.gamepedia.com/Server.properties#server.properties # see here for more info: https://minecraft.gamepedia.com/Server.properties#server.properties
serverProperties = { serverProperties = {
server-port = 25565; server-port = 25565;
enable-query = true;
gamemode = "survival"; gamemode = "survival";
motd = "Vanilla Survival"; motd = "Vanilla Survival";
max-players = 20; max-players = 20;
@@ -18,6 +19,9 @@
whitelist = { whitelist = {
walkahj = "7209094c-b3ef-4c89-b8cd-0aef7c1d57a6"; walkahj = "7209094c-b3ef-4c89-b8cd-0aef7c1d57a6";
puffpuffpassion = "72e0d040-fa54-47e8-a6e7-162fdaa0cac5"; puffpuffpassion = "72e0d040-fa54-47e8-a6e7-162fdaa0cac5";
rafadoodle = "9a7c860e-e269-4c38-b2f7-ca5533c27e98";
camylamb = "c9fcbfa1-89da-4cf9-97fe-b9e5290a4eb4";
shortychark = "3f420f61-867f-4651-a849-d2e54f8c220d";
}; };
}; };
} }


@@ -0,0 +1,32 @@
_:
let
dest_ip = "100.111.208.75";
dest_port = 25565;
in
{
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ dest_port ];
};
nat = {
enable = true;
internalInterfaces = [ "tailscale0" ];
externalInterface = "eth0";
forwardPorts = [
{
sourcePort = dest_port;
proto = "tcp";
destination = "${dest_ip}:${toString dest_port}";
}
];
};
};
services = {
tailscale = {
useRoutingFeatures = "server";
extraUpFlags = [ "--stateful-filtering=false" ];
};
};
}


@@ -0,0 +1,17 @@
_:
{
services = {
prometheus = {
enable = true;
port = 9090;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9100;
};
};
};
};
}


@@ -0,0 +1,45 @@
{ pkgs, config, ... }:
{
services = {
postgresql = {
enable = true;
package = pkgs.postgresql_14;
};
postgresqlBackup = {
enable = true;
};
};
# Postgres upgrades: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading
environment.systemPackages = [
(
let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_15;
in
pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
''
)
];
}

38
nix/nixos.nix Normal file

@@ -0,0 +1,38 @@
{
self,
nixpkgs,
home-manager,
raspberry-pi-nix,
sops-nix,
...
}:
let
mkSystem =
hostName: modules:
let
hostSystem = self.hosts.${hostName}.system;
in
nixpkgs.lib.nixosSystem {
modules = [
home-manager.nixosModules.home-manager
(_: {
networking.hostName = hostName;
nixpkgs.overlays = [ self.overlays.default ];
nixpkgs.config.allowUnfree = true;
})
{ nixpkgs.hostPlatform = hostSystem; }
]
++ modules;
specialArgs = { inherit raspberry-pi-nix sops-nix; };
};
in
{
# Aristotle
agent = mkSystem "agent" [ ./hosts/aristotle/configuration.nix ];
form = mkSystem "form" [ ./hosts/aristotle/configuration.nix ];
matter = mkSystem "matter" [ ./hosts/aristotle/configuration.nix ];
purpose = mkSystem "purpose" [ ./hosts/aristotle/configuration.nix ];
plato = mkSystem "plato" [ ./hosts/plato/configuration.nix ];
socrates = mkSystem "socrates" [ ./hosts/socrates/configuration.nix ];
}

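--- a/nix/overlays/default.nix
+++ b/nix/overlays/default.nix
@@ -0,0 +1 @@
+_self: _super: { }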

85
nix/secrets/secrets.yaml Normal file

@@ -0,0 +1,85 @@
matrix-registration-secret: ENC[AES256_GCM,data:Sn3pGBq4U3Tgw0pYaetnBLRiNdFGnMxAxyfrxhF9kFDMFijKSy9XBj71M5XxV4shYQyPvu2WDnPR1YvyoQVlv8cEoXhX7++JlYsp/2ZfKIzp4iMxh24z57Cw8vg=,iv:/zxlIeI9gWWCHbejYgz8pjjOrukKome0/bmcXuG3/yE=,tag:3fc3c96H3pO1FUO7p3T4gw==,type:str]
ipfs-cluster-secret: ENC[AES256_GCM,data:fmZ1USrJlR8fbulr1Kn8LDkMl/c6OkIN5M5q4X0MLO77K8zPwTXm0+M8ZHfq36rnuxBV0gsTiYBn47DSQLaDkONOPuEu99EGuIYZ9qZQVaZ/RC12ej6bpHaaX3m3j48szOXwJdoyDWlP32ZFanMznO8+EwAz5ccNV03ck/Rh/qpq9pWt/QjNhqtAkwFkooGB0aWRdHlillsB/SGQJk/moweIQk3qz2Ya4cN21Cxfssd08TDacjNCUekIgZ/xuXV7j8dCV/qiAOJEfaHn,iv:bAEDTTeQvg+sE67nEuSZhxqJBZVXFRNIPOZGkPYy9dY=,tag:82eBLePaqu7tYu0MtefMOQ==,type:str]
drone: ENC[AES256_GCM,data:UKh2qyZq5eTiEpdbGve+fCQZzSx/j+wUv9eHT/ToU9b51rwA7XJQC4g3rvljBL9X7DFVVdsWOdG6y1eRGImdelJ5hwxa8oK5CBpaGLGjd9+Hm8SS+Q+PAFDW6fdsPtDDgK5jjykcIlJ7u9mjCffFsCGw3UWfHxnniCnIba9e499XU+VR6l96U3oGOsrr0XO/d2zwrOm3mvXQL1P3cE+se4/UDKrdABGfKWyGqZ9xgi6Q7PTSmRv4AtpwpgF1URBvPVqs6yoexWetksLv+Xk5H50EeucbMOA+oUSJ06fUMECFRF9thRrdUbtK,iv:CiZz6NSksNMGmZxWS7uE69O6UnvTkRWbeBwC1bUqR9o=,tag:qcLmseQgkjMVv2uNXPFHzw==,type:str]
akkoma-secret-key-base: ENC[AES256_GCM,data:OQBGkyjhDeNz40bBMMqLU7S6s4r6CtatOxJ5RNdba5m5NQO+JJ5/sEuOjJrJ29oRGjHFYwmUcAB9vptWdGZdcA==,iv:oYh9fh12cNYJOgC8DAxyYxw8dp1Fmd1CijNpgmn/AV8=,tag:E9W/5TWPjIgjE3o/QAky0A==,type:str]
akkoma-signing-salt: ENC[AES256_GCM,data:KtOdcHM8XLY=,iv:RXvLlSyPzK6HYFxwyKEnDw1llmfNC5ambqvGiAkVxnA=,tag:LLna293WAYoBlr0j3U6zkg==,type:str]
akkoma-vapid-private-key: ENC[AES256_GCM,data:D8Dh53yOgKrcsttJ36xyV1locXBV2BB2EG/rOfIctCbOItdsodtpMCAwRg==,iv:xzheaTo0b3szYGvZmc3ucPi9lYXJStznAUyWNQ9TATE=,tag:tHV5DUFuvq2F9yRFmHrQXQ==,type:str]
akkoma-vapid-public-key: ENC[AES256_GCM,data:HnUAyTq7dwa+A9L1X3YyxkiJ71BoZis5TdEPHJZkFRoiU5ZYu21xJW4R1H8xsCUDTaFTKLzdSNImVStIg1A+ex6UXLvsJwqM55P8ZnUm87V5KIsCimEm,iv:vVNoYubajEgqZIg6j9k6HjY/j4ib8A7MHGWPrJnkpCw=,tag:GBr2z4EGbn5vmFMWtY013w==,type:str]
akkoma-joken-signer: ENC[AES256_GCM,data:6GbXC7teDXxr0z7eBLm9EvJv59Bvd1FqRuBGntAH9YzM79MVUMsx4JnCZ+bPR9hLiIVgITeAc5djk2tiJewh6w==,iv:q7A8f7kocb1Go7acFkVSxdmhObPxpGlfbPgfrOXHEjg=,tag:lS4UNS1ivVZdmm8AMS/1MQ==,type:str]
filesystems-parthenon: ENC[AES256_GCM,data:dYO+QjvWhR3oXrDfAEaUvTLx147NIDFcPUa7p3Jv558ynqmmEnVZ3+fVMUQVIw==,iv:ASmXqNA8/TZvSRo31CFAzt6StsZzZpVFvz15LN5+QmQ=,tag:Wx6kDCXqZ1iSmxpggBKVxA==,type:str]
upsmon: ENC[AES256_GCM,data:Rlqkhh7w8S9jD3mwUdkt3g==,iv:hiMkbAhea1f6r5gGTRw49ebepMtTYBVyH+bHwp/T61Q=,tag:cbaxIDuD4JNeCC5MiMGl6w==,type:str]
k3s-token: ENC[AES256_GCM,data:dyyFY/ruyCfAdQmmdD1eDPKhBWkbgElbFQgMjGALrM8OeTXRiiV18AwG1ZGtw+j3CBmladwBf0+gcfC0ojKHlA==,iv:j4IOIZegDMJik6shOhUZGyI0N8TD1yMDcOacArgM05Q=,tag:t91uRzF8RgxLF/f2M+9Wgg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT3gyL29ETGNYSTNBMHhx
RUVNRmdpZm9TZTdJNTJCOSt5blZ3T2JLVlhVCldaTjhaanBrWTVIOWJQQ1VJUTUw
alJuRjhOU2wxWEF1RG0vZE9LVU1JcHMKLS0tIGF0VlRDeldsSFFZNzVHaWJGTUtC
WlhMcDM3RlF5Y3FkRXczbWNHQWNrVjAKx77NlnVTab75G2QTiuEmAyI10m2ZbMjc
IyVWoRabZY96J/HYiZaURZY5Aq10Opa9vTp0xXL0FxLwF0Bclr7J+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzY3hRcjZsZDBjb1FtWElx
ODV3Q0g2Q0QveEUrMkRIZlJSbDBBdjlHZ25ZCmxvcngwN1V4RkJLL1NzWkw4bjNF
OXdXMlo1KzZIV3BtUWtXOGdzQ1l1RnMKLS0tIFJjY3JtOHNwTldrM0dqbnkvSThM
QW0zMzJtMzNSaEJldzJITDAvZExtcFUKTovVFKkl40WdXOji8xWKZ8eZcEXU64uz
4K7fqyhchzu+PB1xVMYeSahIYTh2oZGSKXi8nnTBwz2cPLJmy/8Biw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pn2hnqvgt7rvfglxddlj3jwrm79rvmutmexkpxv4frdnznlel33qvfy6u5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKYlZtbC9sSXhzYUU2bnBZ
ZmpKUk5BcHdGbTJ3b0xhRTVxMXIxOXJYSmpNCkdWQ3hJV0t0OVcwNmYwaVh5V3VJ
ellsaGRyNnVEaTkxUFNReG4yTUprQUkKLS0tIHNqdjdmQjh3cHlwb0M2bGk0b2NG
eGV5Vk54dzNWSlFGTWc1akxHUmhiQ28KzAs/krsXZxcRQpefv5ncqbZ6D9Mr8HDl
9Ir35JL2HhZv3wtMUK9TQVINmbPiPGf9mzVoiCQ7Nq9J80wzt/A53Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mnrl9u8vpdjncge33pg7quakl0qdf5dlfgch87jhrs0wrvup4s0s5xh7ly
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTeDI0QXE4L0tBWDd3dmVI
TlN3RlBNYjNCUkZMWGUwVEtkZHU4UTVYdWw4CnMvT09sU0EyVllSM1VSRXhsL2FF
NnVGQ0hyRTFjdjBWSjVpNXNuc3I4RTAKLS0tIEIveW00Ky9jbnozTGZqZk4zeEdp
ZnBaRUJMSy9sSTIwUzR0U1JsRFhJWnMKOyIeYJquwLWqmLVqMNRCLK1U/10ILBEu
FX+kU8c5qrpsSoMjNfy/h9QCF/5u+9CV/9wHw2HONN0CAwWlYrDgdw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tt0gwcm03zmpelerpph49knn8f6t8z7aq9una2qys76kf4rwxpnquxkvz3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6a2JmV1hQb0FHekpzVWVL
d1RzdEoxVmZWQ25XT2hkYmtESFIrNFc1N1Y0Cmx4dEZrRnhDZDlGRXJPVGRpa0l5
akhKR3dlTS9SblFrTndBakVIemwrRFEKLS0tICsraW83aFlvRzRKVHdQcjhLUjFB
K29DeVBqWUs0ejRUVUd2SkpVYzd1UEkK0/AHkZ7gKouHi26nsZsr4CpmDu+jbKx6
BA7VAwCI0nBP5sOgNXbsmYhgyAlaz28tybNXV+QzCnJiyTXhZM5F8w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1px55dk5n3whfdyshzyxqmyjvqdmv9au6myx6w67jw3cqp9sdx9rsa6xep9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS1BMUFU5T05PM2Z1Zk96
N3FYTWp3bWtwMDZ4QVdVMEVLaTFueE9Od1JJCjdtMUNRa1JGWUkxRTZueS9vSGdx
NG9TVHF5T3lYbUZxa1FWY2RldHV1ZVkKLS0tIHNqbEZlSk9zR1FpWmNMQy8rayt6
SStpZHdKZGN0NGNieldPY2JTcnJ4ZW8Kz5u/fJjkwi8vJh3CB7K0S7+b9gzOhsvW
+0lfMGT+Dtbchq8O1wsCoBfe8I5kV2QlXJxTU7o4BASFKfNzX9E4gA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12wakcnv487c5rkgv7z6umzywrqwcy6dgguq0dug6lxp64scjsq6sspkmgz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVa2pHd2dvNHBwcW85SnNy
aSt4ZElQdGZLMW5GNnIyc2NxY1J2MEk1c0RjCmJiMEY5cklnWVVHN25ST2JSWEhT
WWcvVG9TRVlVdWFzcjhENFZCMUhXVHMKLS0tIFpWcURkWFExU200TlR1N2NIak4z
WlZuY2ExWWJ1VzBpY2kzaUZCcVJMZHcKoqKBQEe+3UnAhqbc7Nq8zgEVoFFjryaY
c8ALKqMIaMjAeA8ZU4ZTIu13pMYcJ+gAlPATt0vmsTn0Q0XIiudpJQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-10T18:41:36Z"
mac: ENC[AES256_GCM,data:nAUaEMxYGZc+hzeFo2sjQNBPuVw9GKjDAL9R9uJl9ySWNOLtSjl150qkAYjfqfIpsiyRtnSBfP1UxvKHjbAv5Fu9Bmkv+1rv6T8d9nK541DrT1IJ/F/sdw+Vqf/xJss1pvZLP/KhLT5wfvyPrk3VeKWx5f7BI/VzCsU1MNukZdY=,iv:ooxqCvIogeyXiHC10BJUYu9PCTZr/bnUJHiUzg2bjw4=,tag:Wt+vmIVPmlTOxAQ6rHnxdg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4
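Review bot: Every value in this file is encrypted to all seven `age` recipients, so the private key of any one recipient decrypts everything here, including `k3s-token`, the Akkoma signing material and the `drone` secret, regardless of which host actually consumes them. Splitting the file per host or per service, and using `creation_rules` in `.sops.yaml` to list only the recipients that need each file, would limit what a single compromised key exposes. No plaintext secret is visible in the added lines; the secret names themselves are stored unencrypted, as sops does by default.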

23
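--- a/nix/shells.nix
+++ b/nix/shells.nix
@@ -0,0 +1,23 @@
+{
+system,
+pkgs,
+self,
+...
+}:
+{
+default = pkgs.mkShell {
+name = "athens";
+buildInputs = with pkgs; [
+deadnix
+doctl
+nixd
+nixf
+nixpkgs-fmt
+opentofu
+statix
+sops
+];
+inherit (self.checks.${system}.pre-commit-check) shellHook;
+};
+}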
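Review bot: The tool list in `default` is passed as `buildInputs`, which is meant for libraries a derivation builds against; for a dev shell that only needs commands on PATH, `packages = with pkgs; [ ... ];` states the intent directly. A one-line comment above `inherit (self.checks.${system}.pre-commit-check) shellHook;` would also help, since the hook body is defined outside this file and presumably runs the pre-commit setup every time the shell is entered.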

5
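--- a/nix/users/default.nix
+++ b/nix/users/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+{
+imports = [ ./walkah ];
+}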


@@ -0,0 +1,27 @@
{ lib, pkgs, ... }:
{
users.users.walkah = {
home = if pkgs.stdenv.isDarwin then "/Users/walkah" else "/home/walkah";
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8YMax7PGIrcPNIHkpuNRFgn3HJK6Wepm+ycZWO6jfR walkah@walkah-ipadpro11"
];
}
// lib.optionalAttrs pkgs.stdenv.isLinux {
extraGroups = [
"wheel"
"docker"
];
group = "walkah";
isNormalUser = true;
};
users.groups.walkah = { };
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.walkah = import ./home.nix;
};
}
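Review bot: `"docker"` in `extraGroups` makes walkah root-equivalent on every Linux host that imports this module, because membership in the docker group gives unrestricted access to the daemon socket and bypasses whatever password or logging policy sudo applies to `wheel`. If only some hosts run Docker, the grant can follow the daemon: add `config` to the module arguments and write `extraGroups = [ "wheel" ] ++ lib.optional config.virtualisation.docker.enable "docker";`. If the grant is deliberate everywhere, a comment saying so is enough. The same group list appears in the removed user module further down, so this is carried over rather than newly introduced.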

30
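--- a/nix/users/walkah/home.nix
+++ b/nix/users/walkah/home.nix
@@ -0,0 +1,30 @@
+{ lib, pkgs, ... }:
+{
+home = {
+packages = with pkgs; [
+chezmoi
+bat
+direnv
+eza
+fd
+fzf
+git
+htop
+jq
+starship
+tmux
+];
+activation.chezmoi = lib.hm.dag.entryAfter [ "installPackages" ] ''
+export SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+export PATH="${pkgs.git}/bin:${pkgs.openssh}/bin:$PATH"
+if [ ! -d $HOME/.local/share/chezmoi ]; then
+$DRY_RUN_CMD ${pkgs.chezmoi}/bin/chezmoi init --apply walkah/dotfiles
+else
+$DRY_RUN_CMD ${pkgs.chezmoi}/bin/chezmoi update --apply
+fi
+'';
+stateVersion = "24.05";
+};
+}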
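Review bot: The `activation.chezmoi` script fetches `walkah/dotfiles` over the network on every home-manager activation and applies it with `--apply`, so what lands in `$HOME` (including any scripts chezmoi runs from that repository) is whatever the remote branch holds at that moment and is not covered by `flake.lock`. The removed user module imported `"${dotfiles}/home.nix"`, presumably from a locked flake input, so this change gives up that pinning. To keep it, the dotfiles could remain an input and be applied from the store path, e.g. `chezmoi apply --source ${dotfiles}`, assuming the input can still be passed to this module. Independently, `$HOME` should be quoted in the test: `if [ ! -d "$HOME/.local/share/chezmoi" ]; then`.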


@@ -1 +0,0 @@
self: super: { }


@@ -1,68 +0,0 @@
matrix-registration-secret: ENC[AES256_GCM,data:Sn3pGBq4U3Tgw0pYaetnBLRiNdFGnMxAxyfrxhF9kFDMFijKSy9XBj71M5XxV4shYQyPvu2WDnPR1YvyoQVlv8cEoXhX7++JlYsp/2ZfKIzp4iMxh24z57Cw8vg=,iv:/zxlIeI9gWWCHbejYgz8pjjOrukKome0/bmcXuG3/yE=,tag:3fc3c96H3pO1FUO7p3T4gw==,type:str]
ipfs-cluster-secret: ENC[AES256_GCM,data:Z9i7ZLhlXw4m8myNUSiY5ej2/6UIwCwIe0bvbCttVLdv8cAHwzR2f22poKD6KnPBe9yaym+X3YtrHTCM4pVIbiSzMsHwYZ00vRQi35ZmYg==,iv:9PBz/olzA4X7JEL1xG8ACUaH1WDHSzApzlG5q0ZqSYk=,tag:9I4PGf91MHAKNeG4fVKIow==,type:str]
drone: ENC[AES256_GCM,data:UKh2qyZq5eTiEpdbGve+fCQZzSx/j+wUv9eHT/ToU9b51rwA7XJQC4g3rvljBL9X7DFVVdsWOdG6y1eRGImdelJ5hwxa8oK5CBpaGLGjd9+Hm8SS+Q+PAFDW6fdsPtDDgK5jjykcIlJ7u9mjCffFsCGw3UWfHxnniCnIba9e499XU+VR6l96U3oGOsrr0XO/d2zwrOm3mvXQL1P3cE+se4/UDKrdABGfKWyGqZ9xgi6Q7PTSmRv4AtpwpgF1URBvPVqs6yoexWetksLv+Xk5H50EeucbMOA+oUSJ06fUMECFRF9thRrdUbtK,iv:CiZz6NSksNMGmZxWS7uE69O6UnvTkRWbeBwC1bUqR9o=,tag:qcLmseQgkjMVv2uNXPFHzw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNkhRdXhFTVkxVTNVTlhK
d0xiQ3VmcURreWFzVGxVb0RPK2RNMGVob2g0CnBkZzF4U0FrWVVVbW03Umliby9P
djNUKzFWbW0xR1QyOUh3d2g5SjNsUW8KLS0tIGRhamZvOERxUmxDdDNHM1ZUbzdZ
UjJUQS9vL2ZkQ3NCd1VwLzRMQS9Xc0EKKcGxURwN3ejTk41W/q5VVrhalPO4GOdr
JvdxH7OIn+u/8KNNXgKOPV8Iss35Mu4geSh1zJXPVf+YhTZNq8C2jQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTkxOWEo0Nk9iMy8zUGFP
endwS2NQQWJnVmo3RTNyYiszMndtSGNZUjFJCmZzUTZidmNWVGxVWDduUldMaXV4
SnZTMTZaU3FUNFpwbjBTQk94azhRZ2sKLS0tIDU1R1cwZDJQZW5qcXkyLzZIQitV
ZUptMXcvcXhkNUdRZDc2WmF3c2tLeXMKnicAN5U1KO/vhJxGgv/oHGPJ4mEoVogL
Gv5RTCKMwfHgdEHOUPbq/kPz0eTc9R57XsfhA7DHpgZAxo86gZNqOg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vc8svd5277rjkgzg7frf04uaa45w3crhfvg628rqyrqmxul3q9nsjz6yxk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcjdmckwyVVJkQXpScTU2
WWt1MHFhTExxbCtwT1ZGWlZRZ3orRmZpYUZjCmNySmRVWkV4TEIyU09SUXNLdGFZ
VjN5RFhwelFvVW1PR04rQ3NyU0trVHcKLS0tIDVZZGt5TnZNU21PbE9PZVVtTUdI
eXhsWlkwa3l2Zk9KTkc0dzZpajFxVmcKTmhGMdS0Uq32P5I+X+8h4ve/KHvHWA/a
Juu+VjGRe7hm0pWOutDQPbL6o8l+wij2ugDsNy3LKHbWs4lM5VZEHg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ulmzprdmcd8r0w47a0nrrlg8melkjk6evl2rc54yh6lxkcfas36q6wrsv9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MFRGVllUM0R2VXB0bmtj
dXV2bDFvbmpjTktZRlpKUXRPMXdwdmRxL3o4Cmg2WjRFdTgydkd5OHp2dS9TRlhG
Y29NOUVEeXptYWhzMGVJOENrTjdpdUEKLS0tIEZzOGlsWGJPMitkTVpwTC82Uzdh
NDhRVGQweXhEdFk4bHQxOWFOSmxNYVkKlb9KvHfUnM7uApzed5zvFPh7X8QMbdE/
VSlmccOG1zlbstbr4mU/Xu+52FMBsp8UEkK29y07uhZQEh/txI9Wwg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lfjkch3pqaq3uwmjxyucpm2tws6llxqqjglj4yn49jkwkf50xvmqrl974e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSWRSdGUvRnFuZUtPcG9T
N3FsWldiOTBLUXQ0SHd1UTk2T3ArNkpaN3l3CnBtN1o0SGY5S1Z3WnVhcVYrRUYr
S0htZUh3RlQvYkV4Rmg2b3NPOFdCQkkKLS0tIEVUdVNxRnFZVlFKd3R4d1dCZk9N
cHo2empQdDd4TTZJckczdzU3YVJZeW8K0tFG5fMFiVqAw0HqEV3F8yV6tLV/XY2e
R8Rp2kAcPvBNdHZ52oKyGZNgblg5uia4mBjbvB8iXkX/z8Bddo/vCQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jnf94uq5ap96vk7nfk3qkr38ylhletc6pskj0ypc470d7gmt0qeqskdy5z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwYk5PazQ2U2ZiYU03K28v
elhtQjllbThwOE5Ockd4S1B6Z1AvNmNjcXlrCmZyTzMyUWFmcEZGazRWTG40bmJI
TXkvOXpWVW1TYkcxckRtT3N6Y1BuZEUKLS0tIDBPRkJ0M3Y2T1NxN0RtbW1aNUhL
alB4LzZGSTJmUEt0TFBkUTdzR1pOOTQKG8T65JhLKx602YnEmG/Gqi/rY8X/9XgF
61ejhZ1DucTrM3sfUKjTFwaNVJLJgGEoPRioZW0SJkckjm5NNlutLw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-30T20:47:05Z"
mac: ENC[AES256_GCM,data:S/DfCcsk7oURR8zHW5jkLsDExNBl8G4gPJ5CQzS1R6i38ncEP7yT0pMiwizvZEVHHLP8lxTqsnyquEWhQfcKxojOysgiuGOl/SiiuXGBA91vWzURNN1ricJ+g5SXp593+0cMnkpC8ej6Bkja/QX/DORn74BF+dKLFT3InRi0ucI=,iv:btU0YLRTSnqlOIFzlI0Xbd6IX0noOo0ORqG7+nd8qHs=,tag:JUEWkaaFt0lm5YyW73q7ug==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@@ -1,123 +0,0 @@
## From https://github.com/NixOS/nixpkgs/pull/100871
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.services.ipfs-cluster;
opt = options.services.ipfs-cluster;
# secret is by envvar, not flag
initFlags = toString [
(optionalString (cfg.initPeers != [ ]) "--peers")
(lib.strings.concatStringsSep "," cfg.initPeers)
];
in
{
###### interface
options = {
services.ipfs-cluster = {
enable = mkEnableOption
"Pinset orchestration for IPFS - requires ipfs daemon to be useful";
user = mkOption {
type = types.str;
default = "ipfs";
description = "User under which the ipfs-cluster daemon runs.";
};
group = mkOption {
type = types.str;
default = "ipfs";
description = "Group under which the ipfs-cluster daemon runs.";
};
consensus = mkOption {
type = types.enum [ "raft" "crdt" ];
description = "Consensus protocol - 'raft' or 'crdt'. https://cluster.ipfs.io/documentation/guides/consensus/";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/ipfs-cluster";
description = "The data dir for ipfs-cluster.";
};
initPeers = mkOption {
type = types.listOf types.str;
default = [ ];
description = "Peer addresses to initialize with on first run.";
};
openSwarmPort = mkOption {
type = types.bool;
description = "Open swarm port, secured by the cluster secret. This does not expose the API or proxy. https://cluster.ipfs.io/documentation/guides/security/";
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
File containing the cluster secret in the format of EnvironmentFile as described by
<citerefentry><refentrytitle>systemd.exec</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>. For example:
<programlisting>
CLUSTER_SECRET=<replaceable>...</replaceable>
</programlisting>
if null, a new secret will be generated on first run.
A secret in the correct format can also be generated by: openssl rand -hex 32
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.ipfs-cluster ];
systemd.tmpfiles.rules =
[ "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" ];
systemd.services.ipfs-cluster-init = {
path = [ "/run/wrappers" pkgs.ipfs-cluster ];
environment.IPFS_CLUSTER_PATH = cfg.dataDir;
wantedBy = [ "default.target" ];
serviceConfig = {
# "" clears exec list (man systemd.service -> execStart)
ExecStart = [
""
"${pkgs.ipfs-cluster}/bin/ipfs-cluster-service init --consensus ${cfg.consensus} ${initFlags}"
];
Type = "oneshot";
RemainAfterExit = true;
User = cfg.user;
Group = cfg.group;
} // optionalAttrs (cfg.secretFile != null) {
EnvironmentFile = cfg.secretFile;
};
unitConfig.ConditionDirectoryNotEmpty = "!${cfg.dataDir}";
};
systemd.services.ipfs-cluster = {
environment.IPFS_CLUSTER_PATH = cfg.dataDir;
wantedBy = [ "multi-user.target" ];
wants = [ "ipfs-cluster-init.service" ];
after = [ "ipfs-cluster-init.service" ];
serviceConfig = {
ExecStart =
[ "" "${pkgs.ipfs-cluster}/bin/ipfs-cluster-service daemon" ];
User = cfg.user;
Group = cfg.group;
};
};
networking.firewall.allowedTCPPorts = mkIf cfg.openSwarmPort [ 9096 ];
};
}


@@ -10,4 +10,5 @@
) )
{ {
src = ./.; src = ./.;
}).shellNix }
).shellNix

49
terraform/.terraform.lock.hcl generated Normal file

@@ -0,0 +1,49 @@
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/cloudflare/cloudflare" {
version = "4.52.0"
constraints = "~> 4.0"
hashes = [
"h1:Pi5M+GeoMSN2eJ6QnIeXjBf19O+rby/74CfB2ocpv20=",
"zh:19be1a91c982b902c42aba47766860dfa5dc151eed1e95fd39ca642229381ef0",
"zh:1de451c4d1ecf7efbe67b6dace3426ba810711afdd644b0f1b870364c8ae91f8",
"zh:352b4a2120173298622e669258744554339d959ac3a95607b117a48ee4a83238",
"zh:3c6f1346d9154afbd2d558fabb4b0150fc8d559aa961254144fe1bc17fe6032f",
"zh:4c4c92d53fb535b1e0eff26f222bbd627b97d3b4c891ec9c321268676d06152f",
"zh:53276f68006c9ceb7cdb10a6ccf91a5c1eadd1407a28edb5741e84e88d7e29e8",
"zh:7925a97773948171a63d4f65bb81ee92fd6d07a447e36012977313293a5435c9",
"zh:7dfb0a4496cfe032437386d0a2cd9229a1956e9c30bd920923c141b0f0440060",
"zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
"zh:8d4aa79f0a414bb4163d771063c70cd991c8fac6c766e685bac2ee12903c5bd6",
"zh:a67540c13565616a7e7e51ee9366e88b0dc60046e1d75c72680e150bd02725bb",
"zh:a936383a4767f5393f38f622e92bf2d0c03fe04b69c284951f27345766c7b31b",
"zh:d4887d73c466ff036eecf50ad6404ba38fd82ea4855296b1846d244b0f13c380",
"zh:e9093c8bd5b6cd99c81666e315197791781b8f93afa14fc2e0f732d1bb2a44b7",
"zh:efd3b3f1ec59a37f635aa1d4efcf178734c2fcf8ddb0d56ea690bec342da8672",
]
}
provider "registry.opentofu.org/digitalocean/digitalocean" {
version = "2.49.2"
constraints = "~> 2.0"
hashes = [
"h1:JzS2Y+M1FEMa7/wbKqiCsLSfcUC/HAg9Cq+3HeJuZgo=",
"zh:0fdf521cd264fa17ade903673a96e30b017da1970950d7566d8efaeb7eeaa051",
"zh:1457402e4c5e588e1fc7dc4f360e994c06ab84b4822186e5d67cccef80d817de",
"zh:1b5f1e524cc74c8c9bfe214950972c054ddb24424b396b2c25a932938408dde5",
"zh:293f45fbed53f41b18b4212dee571617cd2968793aedb477958a0b01d640cfbc",
"zh:316dd02bc81d6aeea5fd38c0fe6819fc13696a5f239111e93f9c9730491c2df4",
"zh:32fa7a2a88a50f93025d9ece6b7d755e5c7931fc14f8336341c0939616224523",
"zh:52a977f7ecd480ca03a4a6821afa2de893966a8baa38834b1570ec2ae5b71ec9",
"zh:8c733467ff87aa98495a1c8cdb83d6c6fbaa93a329ff6611ef8ff11d86801321",
"zh:93352fe00a2ada0f188e8669c61283b708a602e10aa7d5ddda9302b24b47fe14",
"zh:9357cf59572b21c4b9d85c6cb22facf9d82cf037f8674b884b3a7be66a06f598",
"zh:a3286ecb621e052fba29c26737b093329c5bcd99d7d7c8fc470ce4695b129abd",
"zh:b66b7b8e37c3614a3e4083b118e6d0de63b90029471a94e5cbb7f44c6d36330d",
"zh:d06dd42935819ea454516edd24f980ca6c1e18ebb3c3e47f8ff4f4ef68fb06e4",
"zh:d89490c30f3e4f097d71af5075b126e5ec13983f3072275a5c0c468bf0df8a57",
"zh:de7d8114938c52920426ae94451edb26ba98583712545c480a69308506ec6a72",
"zh:f6a55d865a3f4ec3a79359bd30e4ef6e2742f1e02a1d934e44b41b092155fc45",
]
}


@@ -0,0 +1,17 @@
locals {
account_id = "273a4698f673c012fd50161e46ceafdb"
}
resource "cloudflare_zone" "walkah_codes" {
account_id = local.account_id
zone = "walkah.codes"
}
resource "cloudflare_record" "walkah_codes" {
zone_id = cloudflare_zone.walkah_codes.id
name = "walkah.codes"
type = "A"
proxied = true
content = digitalocean_droplet.socrates.ipv4_address
}
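Review bot: `proxied = true` on `cloudflare_record.walkah_codes` puts Cloudflare in front of the name, but the droplet's public address stays directly reachable unless inbound traffic is filtered on the host or by a `digitalocean_firewall`, and none is defined in the Terraform shown in this commit. The droplet also sets `ipv6 = true`, so the same applies to its IPv6 address. If the filtering is done in the NixOS configuration, a comment on the record would make that dependency visible, for example `# proxied: origin filtering is handled by the host firewall, not by Terraform` (if that is in fact where it lives).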


@@ -0,0 +1,9 @@
resource "digitalocean_droplet" "socrates" {
name = "socrates"
image = "72067660"
size = "s-8vcpu-16gb"
backups = true
ipv6 = true
monitoring = true
}
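Review bot: `image = "72067660"` is an opaque numeric ID with nothing on the resource saying which image or snapshot it refers to, and a change to `image` forces the droplet to be replaced. A comment naming the image would help. If `socrates` holds state that backups alone would not cover, `lifecycle { prevent_destroy = true }` would guard against an accidental rebuild. The resource also sets no `ssh_keys`, so a recreated droplet would depend entirely on what the image contains for access; worth confirming that is intended.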

21
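--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -0,0 +1,21 @@
+terraform {
+required_version = ">= 1.8.0"
+required_providers {
+cloudflare = {
+source = "cloudflare/cloudflare"
+version = "~> 4.0"
+}
+digitalocean = {
+source = "digitalocean/digitalocean"
+version = "~> 2.0"
+}
+}
+}
+provider "cloudflare" {
+api_token = var.cloudflare_token
+}
+provider "digitalocean" {
+token = var.do_token
+}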
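Review bot: No `backend` block is configured in the `terraform` block, so state defaults to a local `terraform.tfstate` next to these files. That file records every managed attribute in plain text and should be kept out of git; the repository's ignore rules are not visible here, so this needs checking. `required_version = ">= 1.8.0"` also has no upper bound, while the providers are constrained with `~>`; `required_version = ">= 1.8.0, < 2.0.0"` would keep a future major CLI release from being accepted silently.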

6
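--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -0,0 +1,6 @@
+variable "cloudflare_token" {
+type = string
+}
+variable "do_token" {
+type = string
+}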
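Review bot: Both `cloudflare_token` and `do_token` hold API credentials but are declared without `sensitive = true`, so their values are not redacted when the CLI echoes variables in plan output or diagnostics. Adding `sensitive = true` to each block, plus a `description` stating which token scopes are required, closes that gap. The flag only affects display, so the values are still best supplied through `TF_VAR_cloudflare_token` and `TF_VAR_do_token` (for instance from the sops-managed secrets, since `sops` is already in the dev shell) rather than from a committed `.tfvars` file.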


@@ -1,5 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [ ./walkah.nix ];
}


@@ -1,16 +0,0 @@
{ config, lib, pkgs, dotfiles, ... }:
{
users.users.walkah = {
isNormalUser = true;
shell = pkgs.zsh;
extraGroups = [ "wheel" "docker" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8YMax7PGIrcPNIHkpuNRFgn3HJK6Wepm+ycZWO6jfR walkah@walkah-ipadpro11"
];
};
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.walkah = import "${dotfiles}/home.nix";
}