Add jupiter wireguard server

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
Change vps wireguard port
2025-06-26 09:16:24 +01:00 · 2025-06-26 09:14:18 +01:00 · 2025-06-25 23:03:12 +01:00 · 2025-06-24 10:13:05 +01:00 · 2025-06-24 09:08:43 +01:00 · 2025-06-16 11:56:53 +01:00
411 changed files with 23768 additions and 7431 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +0,0 @@
 **/wallpapers/*.jpg filter=lfs diff=lfs merge=lfs -text
 **/wallpapers/*.png filter=lfs diff=lfs merge=lfs -text
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,7 +2,6 @@
 	path = submodules/nixpkgs
 	url = git@github.com:karaolidis/nixpkgs.git
 	branch = integration
 [submodule "submodules/home-manager"]
 	path = submodules/home-manager
 	url = git@github.com:karaolidis/home-manager.git
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
 {
  "sops.defaults.ageKeyFile": "./secrets/personal/key.txt"
 }
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@ NixOS dotfiles and configuration for various hosts and users.
 - [`flake.lock`](./flake.lock) and [`flake.nix`](./flake.nix): Core Nix flake files defining the repository's dependencies and entry points.
 - [`hosts/`](./hosts): All host-specific configurations.
  - [`common/`](./hosts/common): Shared configuration definitions.
    - [`shells/`](./hosts/common/shells): Nix dev shells.
    - [`configs/`](./hosts/common/configs): System configurations applicable to all hosts.
@@ -16,9 +17,12 @@ NixOS dotfiles and configuration for various hosts and users.
        - [`gui/`](./hosts/common/configs/user/gui): GUI-related settings.
  - `<name>/`: Individual host configurations.
 - [`packages/`](./packages/): Custom packages.
 - `secrets/<namespace>/`: Global secrets for individual namespaces that apply across all hosts.
 - [`lib/`](./lib): Nix library function definitions and utilities.
  - [`scripts/`](./lib/scripts): Utility scripts for managing the repository.
    - [`add-host.sh`](./lib/scripts/add-host.sh): Instantiate the keys for a new host configuration.
    - [`remove-host.sh`](./lib/scripts/remove-host.sh): Remove references to a host.
@@ -34,7 +38,9 @@ Any `options.nix` files create custom option definitions when present.
 Below is a table of all hosts, with links to their respective README files, which may provide further details and/or post-installation checklists.
 | Host          | README                                                       |
-|-------------|----------------------------------------------------------|
+| ------------- | ------------------------------------------------------------ |
 | `installer`   | [hosts/installer/README.md](./hosts/installer/README.md)     |
-| `eirene`    | [hosts/eirene/README.md](./hosts/eirene/README.md)       |
+| `himalia`     | [hosts/himalia/README.md](./hosts/himalia/README.md)         |
 | `elara`       | [hosts/elara/README.md](./hosts/elara/README.md)             |
 | `jupiter`     | [hosts/jupiter/README.md](./hosts/jupiter/README.md)         |
 | `jupiter-vps` | [hosts/jupiter-vps/README.md](./hosts/jupiter-vps/README.md) |
--- a/flake.lock
+++ b/flake.lock
@@ -10,15 +10,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1736090999,
+        "lastModified": 1744557573,
-        "narHash": "sha256-B5CJuHqfJrzPa7tObK0H9669/EClSHpa/P7B9EuvElU=",
+        "narHash": "sha256-XAyj0iDuI51BytJ1PwN53uLpzTDdznPDQFG4RwihlTQ=",
        "owner": "aylur",
        "repo": "ags",
-        "rev": "5527c3c07d92c11e04e7fd99d58429493dba7e3c",
+        "rev": "3ed9737bdbc8fc7a7c7ceef2165c9109f336bff6",
        "type": "github"
      },
      "original": {
        "owner": "aylur",
        "ref": "main",
        "repo": "ags",
        "type": "github"
      }
@@ -30,15 +31,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1736497508,
+        "lastModified": 1749559749,
-        "narHash": "sha256-murrCQMYKtZ8rkZ5O726ZCsCDee1l3ZdmV8yC9gRaIc=",
+        "narHash": "sha256-TM95tg1G7S6rVBBoMwurXMz8Il4xlnuZ2TI4h6lfZzg=",
        "owner": "aylur",
        "repo": "astal",
-        "rev": "ef4f95608481414053ecdbe4de29bd86fb452813",
+        "rev": "dd8a4662f2f17fb4326a7bd0fb2d054f5d477ba3",
        "type": "github"
      },
      "original": {
        "owner": "aylur",
        "ref": "main",
        "repo": "astal",
        "type": "github"
      }
@@ -50,35 +52,20 @@
        ]
      },
      "locked": {
-        "lastModified": 1736437680,
+        "lastModified": 1749436314,
-        "narHash": "sha256-9Sy17XguKdEU9M5peTrkWSlI/O5IAqjHzdzxbXnc30g=",
+        "narHash": "sha256-CqmqU5FRg5AadtIkxwu8ulDSOSoIisUMZRLlcED3Q5w=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "4d5d07d37ff773338e40a92088f45f4f88e509c8",
+        "rev": "dfa4d1b9c39c0342ef133795127a3af14598017a",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "master",
        "repo": "disko",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
@@ -116,6 +103,7 @@
      },
      "original": {
        "owner": "numtide",
        "ref": "main",
        "repo": "flake-utils",
        "type": "github"
      }
@@ -127,11 +115,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736504054,
+        "lastModified": 1749678254,
-        "narHash": "sha256-Mb0aIdOIg5ge0Lju1zogdAcfklRciR8G0NY6R423oek=",
+        "narHash": "sha256-6I+qez0MnHu9M2spLj3LsGA/cUGgfx17/hMPvmrUMoU=",
        "owner": "karaolidis",
        "repo": "home-manager",
-        "rev": "baa0e7a14088ff1ed891afe4c6457faf40aa30a6",
+        "rev": "e248f54290b483a47c7550f69faecb8ed97e4831",
        "type": "github"
      },
      "original": {
@@ -143,11 +131,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1738059769,
+        "lastModified": 1749678247,
-        "narHash": "sha256-SBOwc5HSi0zThWoj3EfYh673X1d1dc78N2qCtcJmIvo=",
+        "narHash": "sha256-K83Q3c/o5CdMB3Npk3P1kCIz6FcUuJV8E4k6z1YN8AQ=",
        "owner": "karaolidis",
        "repo": "nixpkgs",
-        "rev": "befe9d27e7e7be485aae35d541f135c8471bd508",
+        "rev": "4d408c92fe165ab68f012a3fa36d4c58d84e83bd",
        "type": "github"
      },
      "original": {
@@ -163,22 +151,41 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "treefmt-nix": "treefmt-nix"
+        "treefmt-nix": [
          "treefmt-nix"
        ]
      },
      "locked": {
-        "lastModified": 1736500613,
+        "lastModified": 1749675110,
-        "narHash": "sha256-OCEXlRyOIMzxrhmnzoX32e241A7+Z+zsuyR7i6AG608=",
+        "narHash": "sha256-NkDE/JyeQJmLtpXjyFZK2wKs5K7isap7MBIzoYMC9nk=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "d51e847f68700c38f850a62c2b3e728864a38cde",
+        "rev": "0e8328c18d801a253ed5dfd17bd78254d9669d06",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "main",
        "repo": "NUR",
        "type": "github"
      }
    },
    "quadlet-nix": {
      "locked": {
        "lastModified": 1749099346,
        "narHash": "sha256-5gi/YaLVsFztGvVH45eB6jsBmZf+HnvDeSA9RXUqbcY=",
        "owner": "SEIAROTg",
        "repo": "quadlet-nix",
        "rev": "d4119a3423f938427252ba8bbdbe8ce040751864",
        "type": "github"
      },
      "original": {
        "owner": "SEIAROTg",
        "ref": "main",
        "repo": "quadlet-nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "ags": "ags",
@@ -188,9 +195,11 @@
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "nur": "nur",
        "quadlet-nix": "quadlet-nix",
        "sops-nix": "sops-nix",
        "spicetify-nix": "spicetify-nix",
-        "systems": "systems"
+        "systems": "systems",
        "treefmt-nix": "treefmt-nix"
      }
    },
    "sops-nix": {
@@ -200,22 +209,22 @@
        ]
      },
      "locked": {
-        "lastModified": 1736203741,
+        "lastModified": 1749592509,
-        "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
+        "narHash": "sha256-VunQzfZFA+Y6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC+A=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
+        "rev": "50754dfaa0e24e313c626900d44ef431f3210138",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "ref": "master",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "spicetify-nix": {
      "inputs": {
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ],
@@ -224,15 +233,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1736482561,
+        "lastModified": 1749357231,
-        "narHash": "sha256-f4hvN4MF26NIYeFA/H1sVW6KU5X9/jy9l95WrMsNUIU=",
+        "narHash": "sha256-AbrPgGFVYR45TlYLHYTppayG0xzOG9XXhi+1j3Klbw8=",
        "owner": "Gerg-L",
        "repo": "spicetify-nix",
-        "rev": "77fb1ae39e0f5c60a7d0bd6ce078b9c56e3356cb",
+        "rev": "03783416f7416715c52166d4e8ba0492a7149397",
        "type": "github"
      },
      "original": {
        "owner": "Gerg-L",
        "ref": "master",
        "repo": "spicetify-nix",
        "type": "github"
      }
@@ -256,20 +266,20 @@
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "nur",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1733222881,
+        "lastModified": 1749194973,
-        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
+        "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
+        "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "ref": "main",
        "repo": "treefmt-nix",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -32,12 +32,20 @@
    };
    disko = {
-      url = "github:nix-community/disko";
+      type = "github";
      owner = "nix-community";
      repo = "disko";
      ref = "master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
-      url = "github:Mic92/sops-nix";
+      type = "github";
      owner = "Mic92";
      repo = "sops-nix";
      ref = "master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
@@ -49,22 +57,57 @@
    };
    nur = {
-      url = "github:nix-community/NUR";
+      type = "github";
-      inputs.nixpkgs.follows = "nixpkgs";
+      owner = "nix-community";
      repo = "NUR";
      ref = "main";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        treefmt-nix.follows = "treefmt-nix";
      };
    };
    flake-utils = {
-      url = "github:numtide/flake-utils";
+      type = "github";
      owner = "numtide";
      repo = "flake-utils";
      ref = "main";
      inputs.systems.follows = "systems";
    };
    treefmt-nix = {
      type = "github";
      owner = "numtide";
      repo = "treefmt-nix";
      ref = "main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    quadlet-nix = {
      type = "github";
      owner = "SEIAROTg";
      repo = "quadlet-nix";
      ref = "main";
    };
    astal = {
-      url = "github:aylur/astal";
+      type = "github";
      owner = "aylur";
      repo = "astal";
      ref = "main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ags = {
-      url = "github:aylur/ags";
+      type = "github";
      owner = "aylur";
      repo = "ags";
      ref = "main";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        astal.follows = "astal";
@@ -72,7 +115,11 @@
    };
    spicetify-nix = {
-      url = "github:Gerg-L/spicetify-nix";
+      type = "github";
      owner = "Gerg-L";
      repo = "spicetify-nix";
      ref = "master";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        systems.follows = "systems";
@@ -90,9 +137,9 @@
          specialArgs = { inherit inputs system; };
        };
-        eirene = nixpkgs.lib.nixosSystem rec {
+        himalia = nixpkgs.lib.nixosSystem rec {
          system = "x86_64-linux";
-          modules = [ ./hosts/eirene ];
+          modules = [ ./hosts/himalia ];
          specialArgs = { inherit inputs system; };
        };
@@ -101,26 +148,37 @@
          modules = [ ./hosts/elara ];
          specialArgs = { inherit inputs system; };
        };
        jupiter = nixpkgs.lib.nixosSystem rec {
          system = "x86_64-linux";
          modules = [ ./hosts/jupiter ];
          specialArgs = { inherit inputs system; };
        };
        jupiter-vps = nixpkgs.lib.nixosSystem rec {
          system = "x86_64-linux";
          modules = [ ./hosts/jupiter-vps ];
          specialArgs = { inherit inputs system; };
        };
      };
    }
-    // inputs.flake-utils.lib.eachDefaultSystem (
+    // inputs.flake-utils.lib.eachSystem [ "x86_64-linux" ] (
      system:
      let
-        pkgs = nixpkgs.legacyPackages.${system};
+        pkgs = import nixpkgs {
-      in
+          inherit system;
-      {
+          config.allowUnfree = true;
        devShells = {
          bun = import ./hosts/common/shells/bun { inherit pkgs; };
          c = import ./hosts/common/shells/c { inherit pkgs; };
          go = import ./hosts/common/shells/go { inherit pkgs; };
          java = import ./hosts/common/shells/java { inherit pkgs; };
          nix = import ./hosts/common/shells/nix { inherit pkgs; };
          nodejs = import ./hosts/common/shells/nodejs { inherit pkgs; };
          python = import ./hosts/common/shells/python { inherit pkgs; };
        };
-        formatter = pkgs.nixfmt-rfc-style;
+        treefmt = inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
      in
      {
        devShells = import ./hosts/common/shells { inherit pkgs; };
        lib = import ./lib { inherit pkgs; };
        packages = import ./packages { inherit pkgs inputs system; };
        formatter = treefmt.config.build.wrapper;
        checks.formatting = treefmt.config.build.check self;
      }
    );
 }
--- a/hosts/.gitignore
+++ b/hosts/.gitignore
@@ -1,2 +1,2 @@
-*/secrets/ssh_host_ed25519_key
+**/secrets/ssh_host_ed25519_key
-*/secrets/.decrypted~*
+**/secrets/.decrypted~*
--- a/hosts/common/configs/system/backup/backup.completion.zsh
+++ b/hosts/common/configs/system/backup/backup.completion.zsh
@@ -1,16 +0,0 @@
 _backup_completion() {
  local options=(
    '-m[Partition to mount for backup]:partition:($(_partitions))'
    '-b[Backup directory]:backup directory:_files -/'
  )
  local curcontext="$curcontext" state line
  typeset -A opt_args
  _partitions() {
    lsblk -rno NAME | sed 's/^/\/dev\//'
  }
  _arguments -s $options
 }
 compdef _backup_completion backup
--- a/hosts/common/configs/system/backup/backup.sh
+++ b/hosts/common/configs/system/backup/backup.sh
@@ -1,64 +0,0 @@
 if [[ "$EUID" -ne 0 ]]; then
  echo "Please run the script as root."
  exit 1
 fi
 usage() {
  echo "Usage: $0 [-m partition] [-b backup_location]"
  exit 1
 }
 cleanup() {
  if [ -d "/persist.bak" ]; then btrfs -q subvolume delete "/persist.bak"; fi
  if [ -n "$backup_location" ]; then rm -f "$backup_location.tmp"; fi
  if [ -n "$mount_location" ]; then
    if mount | grep -q "$mount_location"; then umount "$mount_location"; fi
    if [ -d "$mount_location" ]; then rmdir "$mount_location"; fi
  fi
 }
 partition=""
 backup_location=""
 mount_location=""
 trap cleanup EXIT
 while getopts "m:b:" opt; do
  case "$opt" in
    m) partition="$OPTARG" ;;
    b) backup_location="$OPTARG" ;;
    *) usage ;;
  esac
 done
 if [ -n "$partition" ]; then
  mount_location=$(mktemp -d /mnt/backup.XXXXXX)
  echo "Mounting $partition at $mount_location..."
  mount "$partition" "$mount_location"
 fi
 if [ -z "$mount_location" ]; then
  if [[ "$backup_location" != /* ]]; then
    backup_location="$(realpath "$backup_location")"
  fi
 else
  if [[ "$backup_location" = /* ]]; then
    echo "Error: When a partition is mounted, backup_location must be relative."
    exit 1
  fi
  backup_location="$(realpath "$mount_location/$backup_location")"
 fi
 backup_location="$backup_location/$(hostname)-$(date +%Y-%m-%d-%H-%M-%S).btrfs.gz"
 echo "Creating /persist snapshot..."
 btrfs -q subvolume snapshot -r "/persist" "/persist.bak"
 echo "Creating backup at $backup_location..."
 btrfs -q send "/persist.bak" | gzip > "$backup_location.tmp"
 mv "$backup_location.tmp" "$backup_location"
 echo "Backup completed successfully!"
--- a/hosts/common/configs/system/backup/default.nix
+++ b/hosts/common/configs/system/backup/default.nix
@@ -1,20 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = [
    (pkgs.writeShellApplication {
      name = "backup";
      runtimeInputs = with pkgs; [
        btrfs-progs
        coreutils-full
        util-linux
      ];
      text = builtins.readFile ./backup.sh;
    })
  ];
  home-manager.sharedModules = [
    {
      programs.zsh.initExtra = builtins.readFile ./backup.completion.zsh;
    }
  ];
 }
--- a/hosts/common/configs/system/bluetooth/default.nix
+++ b/hosts/common/configs/system/bluetooth/default.nix
@@ -8,15 +8,11 @@
    };
  };
-  environment.persistence."/persist"."/var/lib/bluetooth" = { };
+  environment.persistence."/persist/state"."/var/lib/bluetooth" = { };
  systemd.services.bluetooth.after = [
-    config.environment.persistence."/persist"."/var/lib/bluetooth".mount
+    config.environment.persistence."/persist/state"."/var/lib/bluetooth".mount
  ];
-  home-manager.sharedModules = [
+  home-manager.sharedModules = [ { services.mpris-proxy.enable = config.services.pipewire.enable; } ];
    {
      services.mpris-proxy.enable = config.services.pipewire.enable;
    }
  ];
 }
--- a/hosts/common/configs/system/boot/default.nix
+++ b/hosts/common/configs/system/boot/default.nix
@@ -10,11 +10,8 @@
      timeout = 1;
      efi.canTouchEfiVariables = true;
    };
    initrd.systemd.enable = true;
    kernelPackages = pkgs.linuxPackages_latest;
    supportedFilesystems = [
      "btrfs"
      "ntfs"
    ];
  };
 }
--- a/hosts/common/configs/system/btrbk/default.nix
+++ b/hosts/common/configs/system/btrbk/default.nix
@@ -0,0 +1,33 @@
 { ... }:
 {
  systemd.tmpfiles.rules = [
    "d /persist/user.bak 0755 root root"
    "d /persist/state.bak 0755 root root"
  ];
  services.btrbk = {
    ioSchedulingClass = "idle";
    niceness = 19;
    instances = {
      persist-user = {
        onCalendar = "hourly";
        settings.volume."/persist" = {
          subvolume = "user";
          snapshot_dir = "user.bak";
          snapshot_preserve_min = "latest";
          snapshot_preserve = "48h 14d 4w 6m";
        };
      };
      persist-state = {
        onCalendar = "daily";
        settings.volume."/persist" = {
          subvolume = "state";
          snapshot_dir = "state.bak";
          snapshot_preserve_min = "latest";
          snapshot_preserve = "7d 4w 3m";
        };
      };
    };
  };
 }
--- a/hosts/common/configs/system/btrfs/default.nix
+++ b/hosts/common/configs/system/btrfs/default.nix
@@ -1,7 +1,14 @@
-{ ... }:
+{ pkgs, ... }:
 {
  boot = {
    initrd.supportedFilesystems = [ "btrfs" ];
    supportedFilesystems = [ "btrfs" ];
  };
  services.btrfs.autoScrub = {
    enable = true;
    interval = "weekly";
  };
  environment.systemPackages = with pkgs; [ compsize ];
 }
--- a/hosts/common/configs/system/cpu/default.nix
+++ b/hosts/common/configs/system/cpu/default.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
  imports = [ ./options.nix ];
 }
--- a/hosts/common/configs/system/default.nix
+++ b/hosts/common/configs/system/default.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  imports = [
    ./cpu/options.nix
    ./impermanence/options.nix
  ];
 }
--- a/hosts/common/configs/system/dnsmasq/default.nix
+++ b/hosts/common/configs/system/dnsmasq/default.nix
@@ -0,0 +1,22 @@
 { lib, pkgs, ... }:
 {
  networking.networkmanager.dns = "dnsmasq";
  environment.etc."NetworkManager/dnsmasq.d/10-bind-interfaces.conf".source =
    (pkgs.formats.keyValue {
      mkKeyValue =
        name: value:
        if value == true then
          name
        else if value == false then
          ""
        else
          lib.generators.mkKeyValueDefault { } "=" name value;
      listsAsDuplicateKeys = true;
    }).generate
      "10-bind-interfaces.conf"
      {
        bind-interfaces = true;
        listen-address = [ "127.0.0.1" ];
      };
 }
--- a/hosts/common/configs/system/docker/default.nix
+++ b/hosts/common/configs/system/docker/default.nix
@@ -1,29 +0,0 @@
 { config, pkgs, ... }:
 {
  virtualisation.docker = {
    enable = true;
    enableOnBoot = false;
    storageDriver = "btrfs";
    daemon.settings = {
      experimental = true;
      ipv6 = true;
      fixed-cidr-v6 = "fd00::/80";
    };
    autoPrune = {
      enable = true;
      flags = [ "--all" ];
    };
  };
  environment = {
    persistence."/persist"."/var/lib/docker" = { };
    systemPackages = with pkgs; [ docker-compose ];
  };
  systemd = {
    services.docker.after = [ config.environment.persistence."/persist"."/var/lib/docker".mount ];
    sockets.docker.after = [ config.environment.persistence."/persist"."/var/lib/docker".mount ];
  };
 }
--- a/hosts/common/configs/system/documentation/default.nix
+++ b/hosts/common/configs/system/documentation/default.nix
@@ -1,5 +1,10 @@
-{ ... }:
+{ pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    man-pages
    man-pages-posix
  ];
  documentation = {
    enable = true;
--- a/hosts/common/configs/system/impermanence/default.nix
+++ b/hosts/common/configs/system/impermanence/default.nix
@@ -1,48 +1,16 @@
 { config, pkgs, ... }:
 {
  imports = [ ./options.nix ];
  boot.initrd.systemd = {
    enable = true;
    initrdBin = with pkgs; [
      coreutils
      util-linux
      findutils
      btrfs-progs
    ];
    services.impermanence = {
      description = "Rollback BTRFS subvolumes to a pristine state";
      wantedBy = [ "initrd.target" ];
      before = [ "sysroot.mount" ];
      after = [
        "cryptsetup.target"
        "local-fs-pre.target"
      ];
      unitConfig.DefaultDependencies = false;
      serviceConfig.Type = "oneshot";
      environment.DEVICE = config.environment.impermanence.device;
      script = builtins.readFile ./scripts/wipe.sh;
    };
  };
  # uuidgen -r | tr -d -
  # https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/administration/systemd-state.section.md
  # https://github.com/NixOS/nixpkgs/pull/286140/files
  # https://git.eisfunke.com/config/nixos/-/blob/e65e1dc21d06d07b454005762b177ef151f8bfb6/nixos/machine-id.nix
-  sops.secrets."machineId".mode = "0444";
+  sops.secrets.machineId.mode = "0444";
  environment = {
-    etc."machine-id".source = pkgs.runCommandLocal "machine-id-link" { } ''
+    impermanence.enable = true;
      ln -s ${config.sops.secrets."machineId".path} $out
    '';
-    persistence."/persist" = {
+    etc.machine-id.source = pkgs.runCommandLocal "machine-id-link" { } ''
-      "/etc/nixos" = { };
+      ln -s ${config.sops.secrets.machineId.path} $out
-      "/var/lib/nixos" = { };
+    '';
      "/var/lib/systemd" = { };
      "/var/log" = { };
    };
  };
 }
--- a/hosts/common/configs/system/impermanence/options.nix
+++ b/hosts/common/configs/system/impermanence/options.nix
@@ -1,6 +1,7 @@
 {
  config,
  lib,
  pkgs,
  utils,
  ...
 }:
@@ -47,13 +48,17 @@ in
    with lib;
    with types;
    {
-      impermanence.device = mkOption {
+      impermanence = {
        enable = mkEnableOption "Impermanence";
        device = mkOption {
          type = str;
-        default = config.disko.devices.disk.main.content.partitions.root.content.name;
+          default = config.disko.devices.disk.main.content.partitions.root.content.content.device;
          description = ''
            LUKS BTRFS partition to wipe on boot.
          '';
        };
      };
      persistence =
        let
@@ -116,6 +121,19 @@ in
                        type = str;
                        readOnly = true;
                      };
                      create = mkOption {
                        type = enum [
                          "none"
                          "file"
                          "directory"
                        ];
                        default = "none";
                        description = ''
                          Whether to create the file or directory
                          in persistence if it does not exist.
                        '';
                      };
                    };
                  }
                )
@@ -179,8 +197,31 @@ in
    let
      all = lib.lists.flatten (builtins.concatMap builtins.attrValues (builtins.attrValues cfg));
    in
-    {
+    lib.mkIf config.environment.impermanence.enable {
-      fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg;
+      boot.initrd.systemd = {
        enable = true;
        initrdBin = with pkgs; [
          coreutils
          util-linux
          findutils
          btrfs-progs
        ];
        services.impermanence = {
          description = "Rollback BTRFS subvolumes to a pristine state";
          wantedBy = [ "initrd.target" ];
          before = [ "sysroot.mount" ];
          after = [
            "cryptsetup.target"
            "local-fs-pre.target"
          ];
          unitConfig.DefaultDependencies = false;
          serviceConfig.Type = "oneshot";
          environment.DEVICE = config.environment.impermanence.device;
          script = builtins.readFile ./scripts/wipe.sh;
        };
      };
      systemd = {
        mounts = builtins.map (c: {
@@ -229,6 +270,7 @@ in
                source=${lib.strings.escapeShellArg c._sourceRoot}
                target=${lib.strings.escapeShellArg c._targetRoot}
                path=${lib.strings.escapeShellArg c.path}
                create=${lib.strings.escapeShellArg c.create}
                ${builtins.readFile ./scripts/start.sh}
              '';
@@ -236,6 +278,7 @@ in
                source=${lib.strings.escapeShellArg c._sourceRoot}
                target=${lib.strings.escapeShellArg c._targetRoot}
                path=${lib.strings.escapeShellArg c.path}
                create=${lib.strings.escapeShellArg c.create}
                ${builtins.readFile ./scripts/stop.sh}
              '';
@@ -244,6 +287,19 @@ in
        );
      };
      fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg // {
        "/persist".neededForBoot = true;
      };
      environment.persistence = {
        "/persist/user"."/etc/nixos" = { };
        "/persist/state" = {
          "/var/lib/nixos" = { };
          "/var/lib/systemd" = { };
          "/var/log" = { };
        };
      };
      assertions =
        let
          paths = builtins.map (c: c.path) all;
--- a/hosts/common/configs/system/impermanence/scripts/start.sh
+++ b/hosts/common/configs/system/impermanence/scripts/start.sh
@@ -1,19 +1,49 @@
-echo "Starting impermanence mount with source: $source, target: $target, path: $path."
+# shellcheck shell=bash
 # shellcheck disable=SC2154
 echo "Starting impermanence mount with source: $source, target: $target, path: $path, create: $create"
 source_current="$source"
 target_current="$target"
-IFS='/' read -ra path_parts <<< "$path"
+IFS='/' read -ra parts <<< "$path"
-unset "path_parts[-1]"
+leaf="${parts[-1]}"
-for part in "${path_parts[@]}"; do
+for part in "${parts[@]}"; do
-  source_current="$source_current/$part"
+  source_current+="/$part"
-  target_current="$target_current/$part"
+  target_current+="/$part"
-  if [[ ! -d "$source_current" ]]; then
+  if [[ -e "$source_current" ]]; then
    read -r mode owner group <<< "$(stat -c '%a %u %g' "$source_current")"
    if [[ -d "$source_current" ]]; then
      install -d -m "$mode" -o "$owner" -g "$group" "$target_current"
      continue
    fi
    if [[ "$part" != "$leaf" ]]; then
      echo "Error: $source_current is not a directory, persistence for $path can not be applied."
      exit 1
    fi
    install -m "$mode" -o "$owner" -g "$group" /dev/null "$target_current"
  fi
  if [[ "$create" == "none" ]]; then
    break
  fi
-  read -r mode owner group <<< "$(stat -c '%a %u %g' "$source_current")"
+  if [[ -e "$target_current" ]]; then
-  install -d -m "$mode" -o "$owner" -g "$group" "$target_current"
+    template="$target_current"
  else
    template="${source_current%/*}"
  fi
  read -r mode owner group <<< "$(stat -c '%a %u %g' "$template")"
  if [[ "$part" == "$leaf" && "$create" == "file" ]]; then
    install -m "$mode" -o "$owner" -g "$group" /dev/null "$source_current"
  else
    install -d -m "$mode" -o "$owner" -g "$group" "$source_current"
  fi
 done
--- a/hosts/common/configs/system/impermanence/scripts/stop.sh
+++ b/hosts/common/configs/system/impermanence/scripts/stop.sh
@@ -1,4 +1,7 @@
-echo "Stopping impermanence mount with source: $source, target: $target, path: $path."
+# shellcheck shell=bash
 # shellcheck disable=SC2154
 echo "Stopping impermanence mount with source: $source, target: $target, path: $path, create: $create"
 source_current="$source"
 target_current="$target"
--- a/hosts/common/configs/system/impermanence/scripts/wipe.sh
+++ b/hosts/common/configs/system/impermanence/scripts/wipe.sh
@@ -1,3 +1,5 @@
 # shellcheck shell=bash
 delete_subvolume_recursively() {
  IFS=$'\n'
  for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
@@ -6,21 +8,27 @@ delete_subvolume_recursively() {
  btrfs subvolume delete "$1"
 }
 if [[ -z "$DEVICE" ]]; then
  echo "Error: DEVICE variable is not set."
  exit 1
 fi
 mkdir -p /mnt/btrfs
-mount "/dev/mapper/$DEVICE" /mnt/btrfs
+mount "$DEVICE" /mnt/btrfs
 if [[ -e /mnt/btrfs/@ ]]; then
  mkdir -p /mnt/btrfs/@.bak
-  timestamp=$(date --date="@$(stat -c %Y /mnt/btrfs/@)" "+%Y-%m-%d_%H:%M:%S")
+  timestamp=$(date --date="@$(stat -c %Y /mnt/btrfs/@)" "+%Y%m%dT%H%M")
-  mv /mnt/btrfs/@ "/mnt/btrfs/@.bak/$timestamp"
+  base="@.$timestamp"
  target="/mnt/btrfs/@.bak/$base"
  if [[ -e "$target" ]]; then
    i=1
    while [[ -e "/mnt/btrfs/@.bak/${base}_$i" ]]; do
      (( i++ ))
    done
    target="/mnt/btrfs/@.bak/${base}_$i"
  fi
  mv /mnt/btrfs/@ "$target"
 fi
-find /mnt/btrfs/@.bak/ -maxdepth 1 -mtime +14 | while IFS= read -r i; do
+find /mnt/btrfs/@.bak/ -maxdepth 1 -mtime +7 | while IFS= read -r i; do
  delete_subvolume_recursively "$i"
 done
--- a/hosts/common/configs/system/kubernetes/addons/bootstrap/default.nix
+++ b/hosts/common/configs/system/kubernetes/addons/bootstrap/default.nix
@@ -1,212 +0,0 @@
 { config, ... }:
 {
  bootstrap-node-bootstrapper-crb = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = {
      name = "create-csrs-for-bootstrapping";
    };
    subjects = [
      {
        kind = "Group";
        name = "system:bootstrappers";
        apiGroup = "rbac.authorization.k8s.io";
      }
    ];
    roleRef = {
      kind = "ClusterRole";
      name = "system:node-bootstrapper";
      apiGroup = "rbac.authorization.k8s.io";
    };
  };
  bootstrap-csr-nodeclient-crb = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = {
      name = "auto-approve-csrs-for-group";
    };
    subjects = [
      {
        kind = "Group";
        name = "system:bootstrappers";
        apiGroup = "rbac.authorization.k8s.io";
      }
    ];
    roleRef = {
      kind = "ClusterRole";
      name = "system:certificates.k8s.io:certificatesigningrequests:nodeclient";
      apiGroup = "rbac.authorization.k8s.io";
    };
  };
  bootstrap-csr-selfnodeclient-crb = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = {
      name = "auto-approve-renewals-for-nodes";
    };
    subjects = [
      {
        kind = "Group";
        name = "system:nodes";
        apiGroup = "rbac.authorization.k8s.io";
      }
    ];
    roleRef = {
      kind = "ClusterRole";
      name = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient";
      apiGroup = "rbac.authorization.k8s.io";
    };
  };
  csr-approver-cr = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRole";
    metadata = {
      name = "kubelet-csr-approver";
    };
    rules = [
      {
        apiGroups = [ "certificates.k8s.io" ];
        resources = [ "certificatesigningrequests" ];
        verbs = [
          "get"
          "list"
          "watch"
        ];
      }
      {
        apiGroups = [ "coordination.k8s.io" ];
        resources = [ "leases" ];
        verbs = [
          "create"
          "get"
          "update"
        ];
      }
      {
        apiGroups = [ "certificates.k8s.io" ];
        resources = [ "certificatesigningrequests/approval" ];
        verbs = [ "update" ];
      }
      {
        apiGroups = [ "certificates.k8s.io" ];
        resourceNames = [ "kubernetes.io/kubelet-serving" ];
        resources = [ "signers" ];
        verbs = [ "approve" ];
      }
      {
        apiGroups = [ "" ];
        resources = [ "events" ];
        verbs = [ "create" ];
      }
    ];
  };
  csr-approver-crb = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = {
      name = "kubelet-csr-approver";
      namespace = "kube-system";
    };
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io";
      kind = "ClusterRole";
      name = "kubelet-csr-approver";
    };
    subjects = [
      {
        kind = "ServiceAccount";
        name = "kubelet-csr-approver";
        namespace = "kube-system";
      }
    ];
  };
  csr-approver-sa = {
    apiVersion = "v1";
    kind = "ServiceAccount";
    metadata = {
      name = "kubelet-csr-approver";
      namespace = "kube-system";
    };
  };
  csr-approver-d = {
    apiVersion = "apps/v1";
    kind = "Deployment";
    metadata = {
      name = "kubelet-csr-approver";
      namespace = "kube-system";
    };
    spec = {
      replicas = 1;
      selector = {
        matchLabels = {
          app = "kubelet-csr-approver";
        };
      };
      template = {
        metadata = {
          labels = {
            app = "kubelet-csr-approver";
          };
        };
        spec = {
          serviceAccountName = "kubelet-csr-approver";
          containers = [
            {
              name = "kubelet-csr-approver";
              image = "postfinance/kubelet-csr-approver:latest";
              args = [
                "-metrics-bind-address"
                ":8080"
                "-health-probe-bind-address"
                ":8081"
              ];
              livenessProbe = {
                httpGet = {
                  path = "/healthz";
                  port = 8081;
                };
              };
              resources = {
                requests = {
                  cpu = "100m";
                  memory = "200Mi";
                };
              };
              env = [
                {
                  name = "PROVIDER_REGEX";
                  value = "^${config.services.kubernetes.kubelet.hostname}$";
                }
                {
                  name = "PROVIDER_IP_PREFIXES";
                  value = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,169.254.0.0/16,::1/128,fe80::/10,fc00::/7";
                }
                {
                  name = "MAX_EXPIRATION_SEC";
                  value = "31622400";
                }
                {
                  name = "BYPASS_DNS_RESOLUTION";
                  value = "true";
                }
              ];
            }
          ];
          tolerations = [
            {
              effect = "NoSchedule";
              key = "node-role.kubernetes.io/control-plane";
              operator = "Equal";
            }
          ];
        };
      };
    };
  };
 }
--- a/hosts/common/configs/system/kubernetes/addons/default.nix
+++ b/hosts/common/configs/system/kubernetes/addons/default.nix
@@ -1,7 +0,0 @@
 { config, lib, ... }:
 {
  services.kubernetes.addonManager.bootstrapAddons = lib.mkMerge [
    (import ./bootstrap { inherit config; })
    (import ./metrics-server { })
  ];
 }
--- a/hosts/common/configs/system/kubernetes/addons/metrics-server/default.nix
+++ b/hosts/common/configs/system/kubernetes/addons/metrics-server/default.nix
@@ -1,297 +0,0 @@
 { ... }:
 {
  metrics-server-sa = {
    apiVersion = "v1";
    kind = "ServiceAccount";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
      };
      name = "metrics-server";
      namespace = "kube-system";
    };
  };
  metrics-server-metrics-reader-cr = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRole";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
        "rbac.authorization.k8s.io/aggregate-to-admin" = "true";
        "rbac.authorization.k8s.io/aggregate-to-edit" = "true";
        "rbac.authorization.k8s.io/aggregate-to-view" = "true";
      };
      name = "system:aggregated-metrics-reader";
    };
    rules = [
      {
        apiGroups = [ "metrics.k8s.io" ];
        resources = [
          "pods"
          "nodes"
        ];
        verbs = [
          "get"
          "list"
          "watch"
        ];
      }
    ];
  };
  metrics-server-cr = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRole";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
      };
      name = "system:metrics-server";
    };
    rules = [
      {
        apiGroups = [ "" ];
        resources = [ "nodes/metrics" ];
        verbs = [ "get" ];
      }
      {
        apiGroups = [ "" ];
        resources = [
          "pods"
          "nodes"
        ];
        verbs = [
          "get"
          "list"
          "watch"
        ];
      }
    ];
  };
  metrics-server-rb = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "RoleBinding";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
      };
      name = "metrics-server-auth-reader";
      namespace = "kube-system";
    };
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io";
      kind = "Role";
      name = "extension-apiserver-authentication-reader";
    };
    subjects = [
      {
        kind = "ServiceAccount";
        name = "metrics-server";
        namespace = "kube-system";
      }
    ];
  };
  metrics-server-auth-delegator-crb = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
      };
      name = "metrics-server:system:auth-delegator";
    };
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io";
      kind = "ClusterRole";
      name = "system:auth-delegator";
    };
    subjects = [
      {
        kind = "ServiceAccount";
        name = "metrics-server";
        namespace = "kube-system";
      }
    ];
  };
  metrics-server-crb = {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
      };
      name = "system:metrics-server";
    };
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io";
      kind = "ClusterRole";
      name = "system:metrics-server";
    };
    subjects = [
      {
        kind = "ServiceAccount";
        name = "metrics-server";
        namespace = "kube-system";
      }
    ];
  };
  metrics-server-s = {
    apiVersion = "v1";
    kind = "Service";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
      };
      name = "metrics-server";
      namespace = "kube-system";
    };
    spec = {
      ports = [
        {
          name = "https";
          port = 443;
          protocol = "TCP";
          targetPort = "https";
        }
      ];
      selector = {
        k8s-app = "metrics-server";
      };
    };
  };
  metrics-server-d = {
    apiVersion = "apps/v1";
    kind = "Deployment";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
      };
      name = "metrics-server";
      namespace = "kube-system";
    };
    spec = {
      selector = {
        matchLabels = {
          k8s-app = "metrics-server";
        };
      };
      strategy = {
        rollingUpdate = {
          maxUnavailable = 0;
        };
      };
      template = {
        metadata = {
          labels = {
            k8s-app = "metrics-server";
          };
        };
        spec = {
          containers = [
            {
              args = [
                "--cert-dir=/tmp"
                "--secure-port=10250"
                "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname"
                "--kubelet-use-node-status-port"
                "--metric-resolution=15s"
              ];
              image = "registry.k8s.io/metrics-server/metrics-server:v0.7.2";
              imagePullPolicy = "IfNotPresent";
              livenessProbe = {
                failureThreshold = 3;
                httpGet = {
                  path = "/livez";
                  port = "https";
                  scheme = "HTTPS";
                };
                periodSeconds = 10;
              };
              name = "metrics-server";
              ports = [
                {
                  containerPort = 10250;
                  name = "https";
                  protocol = "TCP";
                }
              ];
              readinessProbe = {
                failureThreshold = 3;
                httpGet = {
                  path = "/readyz";
                  port = "https";
                  scheme = "HTTPS";
                };
                initialDelaySeconds = 20;
                periodSeconds = 10;
              };
              resources = {
                requests = {
                  cpu = "100m";
                  memory = "200Mi";
                };
              };
              securityContext = {
                allowPrivilegeEscalation = false;
                capabilities = {
                  drop = [ "ALL" ];
                };
                readOnlyRootFilesystem = true;
                runAsNonRoot = true;
                runAsUser = 1000;
                seccompProfile = {
                  type = "RuntimeDefault";
                };
              };
              volumeMounts = [
                {
                  mountPath = "/tmp";
                  name = "tmp-dir";
                }
              ];
            }
          ];
          nodeSelector = {
            "kubernetes.io/os" = "linux";
          };
          priorityClassName = "system-cluster-critical";
          serviceAccountName = "metrics-server";
          volumes = [
            {
              emptyDir = { };
              name = "tmp-dir";
            }
          ];
        };
      };
    };
  };
  metrics-server-apis = {
    apiVersion = "apiregistration.k8s.io/v1";
    kind = "APIService";
    metadata = {
      labels = {
        k8s-app = "metrics-server";
      };
      name = "v1beta1.metrics.k8s.io";
    };
    spec = {
      group = "metrics.k8s.io";
      groupPriorityMinimum = 100;
      insecureSkipTLSVerify = true;
      service = {
        name = "metrics-server";
        namespace = "kube-system";
      };
      version = "v1beta1";
      versionPriority = 100;
    };
  };
 }
--- a/hosts/common/configs/system/kubernetes/default.nix
+++ b/hosts/common/configs/system/kubernetes/default.nix
@@ -1,233 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  adminKubeconfig = config.services.kubernetes.lib.mkKubeConfig "admin" {
    caFile = config.sops.secrets."kubernetes/ca/crt".path;
    keyFile = config.sops.secrets."kubernetes/accounts/admin/key".path;
    certFile = config.sops.secrets."kubernetes/accounts/admin/crt".path;
    server = config.services.kubernetes.apiserverAddress;
  };
 in
 {
  imports = [
    ./addons
    ./secrets
  ];
  environment = {
    persistence."/persist" = {
      "/var/lib/containerd" = { };
      "/var/lib/kubernetes" = { };
      "/var/lib/kubelet" = { };
      "/var/lib/etcd" = { };
    };
    etc."kubeconfig".source = adminKubeconfig;
    systemPackages = with pkgs; [ kubectl ];
  };
  services = {
    kubernetes = {
      roles = [
        "master"
        "node"
      ];
      masterAddress = "localhost";
      easyCerts = false;
      caFile = config.sops.secrets."kubernetes/ca/crt".path;
      addonManager.enable = true;
      apiserver = {
        allowPrivileged = true;
        clientCaFile = config.sops.secrets."kubernetes/ca/crt".path;
        kubeletClientCaFile = config.sops.secrets."kubernetes/ca/crt".path;
        tlsKeyFile = config.sops.secrets."kubernetes/apiserver/cert/key".path;
        tlsCertFile = config.sops.secrets."kubernetes/apiserver/cert/crt".path;
        kubeletClientKeyFile = config.sops.secrets."kubernetes/apiserver/kubelet-client/key".path;
        kubeletClientCertFile = config.sops.secrets."kubernetes/apiserver/kubelet-client/crt".path;
        proxyClientKeyFile = config.sops.secrets."kubernetes/front-proxy/client/key".path;
        proxyClientCertFile = config.sops.secrets."kubernetes/front-proxy/client/crt".path;
        serviceAccountSigningKeyFile = config.sops.secrets."kubernetes/sa/key".path;
        serviceAccountKeyFile = config.sops.secrets."kubernetes/sa/pub".path;
        extraOpts = lib.strings.concatStringsSep " " [
          "--enable-bootstrap-token-auth=true"
          "--token-auth-file=${config.sops.secrets."kubernetes/accounts/kubelet-bootstrap/csv".path}"
          "--requestheader-client-ca-file=${config.sops.secrets."kubernetes/front-proxy/ca/crt".path}"
          "--requestheader-allowed-names=front-proxy-client"
          "--requestheader-extra-headers-prefix=X-Remote-Extra-"
          "--requestheader-group-headers=X-Remote-Group"
          "--requestheader-username-headers=X-Remote-User"
        ];
        etcd = {
          servers = [ "https://etcd.local:2379" ];
          caFile = config.sops.secrets."kubernetes/etcd/ca/crt".path;
          keyFile = config.sops.secrets."kubernetes/apiserver/etcd-client/key".path;
          certFile = config.sops.secrets."kubernetes/apiserver/etcd-client/crt".path;
        };
      };
      controllerManager = {
        rootCaFile = config.sops.secrets."kubernetes/ca/crt".path;
        serviceAccountKeyFile = config.sops.secrets."kubernetes/sa/key".path;
        extraOpts = lib.strings.concatStringsSep " " [
          "--client-ca-file=${config.sops.secrets."kubernetes/ca/crt".path}"
          "--cluster-signing-cert-file=${config.sops.secrets."kubernetes/ca/crt".path}"
          "--cluster-signing-key-file=${config.sops.secrets."kubernetes/ca/key".path}"
          "--requestheader-client-ca-file=${config.sops.secrets."kubernetes/front-proxy/ca/crt".path}"
        ];
        kubeconfig = {
          caFile = config.sops.secrets."kubernetes/ca/crt".path;
          keyFile = config.sops.secrets."kubernetes/accounts/controller-manager/key".path;
          certFile = config.sops.secrets."kubernetes/accounts/controller-manager/crt".path;
        };
      };
      kubelet = {
        clientCaFile = config.sops.secrets."kubernetes/ca/crt".path;
        extraOpts = lib.strings.concatStringsSep " " [
          "--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubeconfig"
          "--kubeconfig=/var/lib/kubelet/kubeconfig"
          "--cert-dir=/var/lib/kubelet"
        ];
        extraConfig = {
          failSwapOn = false;
          rotateCertificates = true;
          serverTLSBootstrap = true;
          memorySwap.swapBehavior = "LimitedSwap";
        };
        featureGates = {
          RotateKubeletServerCertificate = true;
          NodeSwap = true;
        };
      };
      proxy.kubeconfig = {
        caFile = config.sops.secrets."kubernetes/ca/crt".path;
        keyFile = config.sops.secrets."kubernetes/accounts/proxy/key".path;
        certFile = config.sops.secrets."kubernetes/accounts/proxy/crt".path;
      };
      scheduler.kubeconfig = {
        caFile = config.sops.secrets."kubernetes/ca/crt".path;
        keyFile = config.sops.secrets."kubernetes/accounts/scheduler/key".path;
        certFile = config.sops.secrets."kubernetes/accounts/scheduler/crt".path;
      };
    };
    etcd = {
      keyFile = config.sops.secrets."kubernetes/etcd/server/key".path;
      certFile = config.sops.secrets."kubernetes/etcd/server/crt".path;
      peerKeyFile = config.sops.secrets."kubernetes/etcd/peer/key".path;
      peerCertFile = config.sops.secrets."kubernetes/etcd/peer/crt".path;
      trustedCaFile = config.sops.secrets."kubernetes/etcd/ca/crt".path;
      peerTrustedCaFile = config.sops.secrets."kubernetes/etcd/ca/crt".path;
      listenClientUrls = [ "https://127.0.0.1:2379" ];
      listenPeerUrls = [ "https://127.0.0.1:2380" ];
      advertiseClientUrls = [ "https://etcd.local:2379" ];
      initialCluster = [ "${config.services.kubernetes.masterAddress}=https://etcd.local:2380" ];
      initialAdvertisePeerUrls = [ "https://etcd.local:2380" ];
    };
    flannel.kubeconfig = config.services.kubernetes.lib.mkKubeConfig "flannel" {
      caFile = config.sops.secrets."kubernetes/ca/crt".path;
      keyFile = config.sops.secrets."kubernetes/accounts/flannel/key".path;
      certFile = config.sops.secrets."kubernetes/accounts/flannel/crt".path;
      server = config.services.kubernetes.apiserverAddress;
    };
  };
  networking = {
    firewall.enable = false;
    extraHosts = lib.strings.optionalString (config.services.etcd.enable) ''
      127.0.0.1 etcd.${config.services.kubernetes.addons.dns.clusterDomain} etcd.local
    '';
  };
  systemd.services = {
    kube-addon-manager = {
      after = [
        "sops-nix.service"
        config.environment.persistence."/persist"."/var/lib/kubernetes".mount
      ];
      environment.KUBECONFIG = config.services.kubernetes.lib.mkKubeConfig "addon-manager" {
        caFile = config.sops.secrets."kubernetes/ca/crt".path;
        keyFile = config.sops.secrets."kubernetes/accounts/addon-manager/key".path;
        certFile = config.sops.secrets."kubernetes/accounts/addon-manager/crt".path;
        server = config.services.kubernetes.apiserverAddress;
      };
      serviceConfig.PermissionsStartOnly = true;
      preStart = ''
        export KUBECONFIG=${adminKubeconfig}
        ${config.services.kubernetes.package}/bin/kubectl apply -f ${
          lib.strings.concatStringsSep " \\\n -f " (
            lib.attrsets.mapAttrsToList (
              n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)
            ) config.services.kubernetes.addonManager.bootstrapAddons
          )
        }
      '';
    };
    kubelet = {
      preStart = ''
        mkdir -p /etc/kubernetes
        cat > /etc/kubernetes/bootstrap-kubeconfig <<EOF
        apiVersion: v1
        kind: Config
        clusters:
        - cluster:
            certificate-authority: ${config.sops.secrets."kubernetes/ca/crt".path}
            server: ${config.services.kubernetes.apiserverAddress}
          name: local
        contexts:
        - context:
            cluster: local
            user: kubelet-bootstrap
          name: bootstrap
        current-context: bootstrap
        preferences: {}
        users:
        - name: kubelet-bootstrap
          user:
            token: $(<${config.sops.secrets."kubernetes/accounts/kubelet-bootstrap/token".path})
        EOF
      '';
      after = [
        "sops-nix.service"
        config.environment.persistence."/persist"."/var/lib/kubelet".mount
      ];
    };
    kube-apiserver.after = [
      "sops-nix.service"
      config.environment.persistence."/persist"."/var/lib/kubernetes".mount
    ];
    etcd.after = [
      "sops-nix.service"
      config.environment.persistence."/persist"."/var/lib/etcd".mount
    ];
    kube-controller-manager.after = [ "sops-nix.service" ];
    kube-proxy.after = [ "sops-nix.service" ];
    kube-scheduler.after = [ "sops-nix.service" ];
    flannel.after = [ "sops-nix.service" ];
  };
 }
--- a/hosts/common/configs/system/kubernetes/secrets/default.nix
+++ b/hosts/common/configs/system/kubernetes/secrets/default.nix
@@ -1,204 +0,0 @@
 { ... }:
 {
  sops.secrets = {
    "kubernetes/ca/crt" = {
      owner = "kubernetes";
      group = "users";
      mode = "0440";
    };
    "kubernetes/ca/key" = {
      owner = "kubernetes";
      group = "users";
      mode = "0440";
    };
    "kubernetes/front-proxy/ca/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/front-proxy/ca/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/etcd/ca/crt" = {
      owner = "etcd";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/etcd/ca/key" = {
      owner = "etcd";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/apiserver/cert/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/apiserver/cert/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/apiserver/kubelet-client/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/apiserver/kubelet-client/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/apiserver/etcd-client/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/apiserver/etcd-client/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/front-proxy/client/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/front-proxy/client/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/etcd/server/crt" = {
      owner = "etcd";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/etcd/server/key" = {
      owner = "etcd";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/etcd/peer/crt" = {
      owner = "etcd";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/etcd/peer/key" = {
      owner = "etcd";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/sa/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/sa/pub" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/admin/crt" = {
      group = "kubernetes";
    };
    "kubernetes/accounts/admin/key" = {
      group = "kubernetes";
    };
    "kubernetes/accounts/controller-manager/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/controller-manager/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/addon-manager/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/addon-manager/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/scheduler/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/scheduler/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/proxy/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/proxy/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/flannel/crt" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/flannel/key" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/kubelet-bootstrap/token" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
    "kubernetes/accounts/kubelet-bootstrap/csv" = {
      owner = "kubernetes";
      group = "kubernetes";
      mode = "0440";
    };
  };
 }
--- a/hosts/common/configs/system/kubernetes/secrets/generate-secrets.sh
+++ b/hosts/common/configs/system/kubernetes/secrets/generate-secrets.sh
@@ -1,210 +0,0 @@
 #!/usr/bin/env -S nix shell nixpkgs#openssl nixpkgs#yq-go nixpkgs#sops -c bash
 set -o errexit
 set -o pipefail
 generate_ca() {
  local target_dir=$1
  local ca_name=$2
  local ca_days=$3
  local cn=$4
  mkdir -p "${target_dir}"
  local ca_key=${target_dir}/${ca_name}.key
  local ca_cert=${target_dir}/${ca_name}.crt
  openssl genrsa -out "${ca_key}" 2048
  openssl req -x509 -new -nodes -key "${ca_key}" -days "${ca_days}" -out "${ca_cert}" -subj "/CN=${cn}"
 }
 generate_alt_names() {
  local hosts=("$@")
  local dns=0
  local ip=0
  local alt_names=""
  for host in "${hosts[@]}"; do
    if [[ ${host} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      alt_names="${alt_names}IP.${ip} = ${host}\n"
      ((ip++))
    else
      alt_names="${alt_names}DNS.${dns} = ${host}\n"
      ((dns++))
    fi
  done
  echo -e "${alt_names}"
 }
 generate_cnf() {
  local target_dir=$1
  local cnf_name=$2
  local cn=$3
  local hosts=("${@:4}")
  mkdir -p "${target_dir}"
  local cnf_file=${target_dir}/${cnf_name}.cnf
  cat <<EOF > "${cnf_file}"
 [req]
 prompt = no
 [ req_ext ]
 subjectAltName = @alt_names
 [ alt_names ]
 $(generate_alt_names "${hosts[@]}")
 [ v3_ext ]
 authorityKeyIdentifier=keyid,issuer:always
 basicConstraints=CA:FALSE
 keyUsage=keyEncipherment,dataEncipherment,digitalSignature
 extendedKeyUsage=serverAuth,clientAuth
 subjectAltName=@alt_names
 EOF
 }
 generate_crt() {
  local target_dir=$1
  local cert_name=$2
  local cert_days=$3
  local cn=$4
  local o=$5
  local ca_key=$6
  local ca_cert=$7
  local hosts=("${@:8}")
  mkdir -p "${target_dir}"
  local cert_key=${target_dir}/${cert_name}.key
  local cert_csr=${target_dir}/${cert_name}.csr
  local cert_cert=${target_dir}/${cert_name}.crt
  openssl genrsa -out "${cert_key}" 2048
  local subject="/CN=${cn}"
  if [ -n "${o}" ]; then
    subject="${subject}/O=${o}"
  fi
  if [ -n "${hosts}" ]; then
    generate_cnf "${target_dir}" "${cert_name}" "${cn}" "${hosts[@]}"
    openssl req -new -key "${cert_key}" -out "${cert_csr}" -subj "${subject}" -config "${target_dir}"/"${cert_name}".cnf
    openssl x509 -req -in "${cert_csr}" -CA "${ca_cert}" -CAkey "${ca_key}" -CAcreateserial -out "${cert_cert}" -days "${cert_days}" -extfile "${target_dir}"/"${cert_name}".cnf -extensions v3_ext
  else
    openssl req -new -key "${cert_key}" -out "${cert_csr}" -subj "${subject}"
    openssl x509 -req -in "${cert_csr}" -CA "${ca_cert}" -CAkey "${ca_key}" -CAcreateserial -out "${cert_cert}" -days "${cert_days}"
  fi
 }
 generate_key_pair() {
  local target_dir=$1
  local key_name=$2
  mkdir -p "${target_dir}"
  local private_key=${target_dir}/${key_name}.key
  local public_key=${target_dir}/${key_name}.pub
  openssl genrsa -out "${private_key}" 2048
  openssl rsa -in "${private_key}" -pubout -out "${public_key}"
 }
 generate_auth_token() {
  local target_dir=$1
  local token_name=$2
  local user=$3
  local id=$4
  local groups=$5
  mkdir -p "${target_dir}"
  local token_file="${target_dir}/${token_name}.token"
  local token_auth_file="${target_dir}/${token_name}.csv"
  token="$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')"
  echo "${token}" > "${token_file}"
  echo "${token},${user},${id},\"${groups}\"" > "${token_auth_file}"
 }
 DEFAULT_CA_DAYS=3650
 if [[ -z "$SOPS_AGE_KEY_FILE" ]]; then
  echo "Please set the SOPS_AGE_KEY_FILE environment variable"
  exit 1
 fi
 hostname=${1:-$(hostname)}
 if [ -z "${hostname}" ]; then
  echo "Usage: $0 [hostname]"
  exit 1
 fi
 generate_ca out ca ${DEFAULT_CA_DAYS} kubernetes-ca ""
 generate_ca out/front-proxy ca ${DEFAULT_CA_DAYS} kubernetes-front-proxy-ca ""
 generate_ca out/etcd ca ${DEFAULT_CA_DAYS} etcd-ca ""
 generate_crt out/apiserver cert ${DEFAULT_CA_DAYS} kube-apiserver "" out/ca.key out/ca.crt "kubernetes" "kubernetes.default" "kubernetes.default.svc" "kubernetes.default.svc.cluster" "kubernetes.default.svc.cluster.local" "localhost" "10.0.0.1" "127.0.0.1"
 generate_crt out/apiserver kubelet-client ${DEFAULT_CA_DAYS} kube-apiserver-kubelet-client system:masters out/ca.key out/ca.crt ""
 generate_crt out/apiserver etcd-client ${DEFAULT_CA_DAYS} kube-apiserver-etcd-client "" out/etcd/ca.key out/etcd/ca.crt ""
 generate_crt out/front-proxy client ${DEFAULT_CA_DAYS} front-proxy-client "" out/front-proxy/ca.key out/front-proxy/ca.crt ""
 generate_crt out/etcd server ${DEFAULT_CA_DAYS} kube-etcd "" out/etcd/ca.key out/etcd/ca.crt "etcd.local" "etcd.cluster.local" "localhost" "127.0.0.1"
 generate_crt out/etcd peer ${DEFAULT_CA_DAYS} kube-etcd-peer "" out/etcd/ca.key out/etcd/ca.crt "etcd.local" "etcd.cluster.local" "localhost" "127.0.0.1"
 generate_key_pair out sa
 generate_crt out/accounts admin ${DEFAULT_CA_DAYS} kubernetes-admin system:masters out/ca.key out/ca.crt ""
 generate_crt out/accounts users ${DEFAULT_CA_DAYS} kubernetes-users system:masters out/ca.key out/ca.crt ""
 generate_crt out/accounts controller-manager ${DEFAULT_CA_DAYS} system:kube-controller-manager "" out/ca.key out/ca.crt ""
 generate_crt out/accounts addon-manager ${DEFAULT_CA_DAYS} system:kube-addon-manager "" out/ca.key out/ca.crt ""
 generate_crt out/accounts scheduler ${DEFAULT_CA_DAYS} system:kube-scheduler "" out/ca.key out/ca.crt ""
 generate_crt out/accounts proxy ${DEFAULT_CA_DAYS} system:kube-proxy "" out/ca.key out/ca.crt ""
 generate_crt out/accounts flannel ${DEFAULT_CA_DAYS} flannel-client "" out/ca.key out/ca.crt ""
 generate_auth_token out/accounts kubelet-bootstrap "kubelet-bootstrap" 10001 "system:bootstrappers"
 sops_config="../../../../../$(hostname)/secrets/sops.yaml"
 secrets_file="../../../../../$(hostname)/secrets/secrets.yaml"
 decrypted_secrets_file="../../../../../$(hostname)/secrets/.decrypted~secrets.yaml"
 sops -d "${secrets_file}" > "${decrypted_secrets_file}"
 yq -i '
  del(.kubernetes) |
  .kubernetes.ca.crt = load_str("out/ca.crt") |
  .kubernetes.ca.key = load_str("out/ca.key") |
  .kubernetes.front-proxy.ca.crt = load_str("out/front-proxy/ca.crt") |
  .kubernetes.front-proxy.ca.key = load_str("out/front-proxy/ca.key") |
  .kubernetes.etcd.ca.crt = load_str("out/etcd/ca.crt") |
  .kubernetes.etcd.ca.key = load_str("out/etcd/ca.key") |
  .kubernetes.apiserver.cert.crt = load_str("out/apiserver/cert.crt") |
  .kubernetes.apiserver.cert.key = load_str("out/apiserver/cert.key") |
  .kubernetes.apiserver.kubelet-client.crt = load_str("out/apiserver/kubelet-client.crt") |
  .kubernetes.apiserver.kubelet-client.key = load_str("out/apiserver/kubelet-client.key") |
  .kubernetes.apiserver.etcd-client.crt = load_str("out/apiserver/etcd-client.crt") |
  .kubernetes.apiserver.etcd-client.key = load_str("out/apiserver/etcd-client.key") |
  .kubernetes.front-proxy.client.crt = load_str("out/front-proxy/client.crt") |
  .kubernetes.front-proxy.client.key = load_str("out/front-proxy/client.key") |
  .kubernetes.etcd.server.crt = load_str("out/etcd/server.crt") |
  .kubernetes.etcd.server.key = load_str("out/etcd/server.key") |
  .kubernetes.etcd.peer.crt = load_str("out/etcd/peer.crt") |
  .kubernetes.etcd.peer.key = load_str("out/etcd/peer.key") |
  .kubernetes.sa.key = load_str("out/sa.key") |
  .kubernetes.sa.pub = load_str("out/sa.pub") |
  .kubernetes.accounts.admin.crt = load_str("out/accounts/admin.crt") |
  .kubernetes.accounts.admin.key = load_str("out/accounts/admin.key") |
  .kubernetes.accounts.users.crt = load_str("out/accounts/users.crt") |
  .kubernetes.accounts.users.key = load_str("out/accounts/users.key") |
  .kubernetes.accounts.controller-manager.crt = load_str("out/accounts/controller-manager.crt") |
  .kubernetes.accounts.controller-manager.key = load_str("out/accounts/controller-manager.key") |
  .kubernetes.accounts.addon-manager.crt = load_str("out/accounts/addon-manager.crt") |
  .kubernetes.accounts.addon-manager.key = load_str("out/accounts/addon-manager.key") |
  .kubernetes.accounts.scheduler.crt = load_str("out/accounts/scheduler.crt") |
  .kubernetes.accounts.scheduler.key = load_str("out/accounts/scheduler.key") |
  .kubernetes.accounts.proxy.crt = load_str("out/accounts/proxy.crt") |
  .kubernetes.accounts.proxy.key = load_str("out/accounts/proxy.key") |
  .kubernetes.accounts.flannel.crt = load_str("out/accounts/flannel.crt") |
  .kubernetes.accounts.flannel.key = load_str("out/accounts/flannel.key") |
  .kubernetes.accounts.kubelet-bootstrap.token = load_str("out/accounts/kubelet-bootstrap.token") |
  .kubernetes.accounts.kubelet-bootstrap.csv = load_str("out/accounts/kubelet-bootstrap.csv")
 ' "${decrypted_secrets_file}"
 sops --config "${sops_config}" -e "${decrypted_secrets_file}" > "${secrets_file}"
 rm -rf out
--- a/hosts/common/configs/system/libvirt/default.nix
+++ b/hosts/common/configs/system/libvirt/default.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, ... }:
+{
  config,
  lib,
  pkgs,
  ...
 }:
 {
  virtualisation = {
    libvirtd = {
@@ -12,7 +17,10 @@
    spiceUSBRedirection.enable = true;
  };
-  systemd.services.libvirtd-network-default = {
+  systemd.services = {
    libvirtd.after = [ "NetworkManager.service" ];
    libvirtd-network-default = {
      description = "Start Default Virtual Network for Libvirt";
      script = "${config.virtualisation.libvirtd.package}/bin/virsh net-start default";
      preStop = "${config.virtualisation.libvirtd.package}/bin/virsh net-destroy default";
@@ -23,6 +31,7 @@
      wantedBy = [ "libvirtd.service" ];
      after = [ "libvirtd.service" ];
    };
  };
  environment = {
    systemPackages = [ config.virtualisation.libvirtd.qemu.swtpm.package ];
@@ -32,7 +41,7 @@
      "ovmf/edk2-i386-vars.fd".source =
        "${config.virtualisation.libvirtd.qemu.package}/share/qemu/edk2-i386-vars.fd";
    };
-    persistence."/persist"."/var/lib/libvirt" = { };
+    persistence."/persist/state"."/var/lib/libvirt" = { };
  };
  programs.virt-manager.enable = true;
--- a/hosts/common/configs/system/networking/default.nix
+++ b/hosts/common/configs/system/networking/default.nix
@@ -1,10 +0,0 @@
 { config, ... }:
 {
  networking.networkmanager.enable = true;
  environment.persistence."/persist"."/etc/NetworkManager/system-connections" = { };
  systemd.services.NetworkManager.after = [
    config.environment.persistence."/persist"."/etc/NetworkManager/system-connections".mount
  ];
 }
--- a/hosts/common/configs/system/networkmanager/default.nix
+++ b/hosts/common/configs/system/networkmanager/default.nix
@@ -0,0 +1,10 @@
 { config, ... }:
 {
  networking.networkmanager.enable = true;
  environment.persistence."/persist/state"."/etc/NetworkManager/system-connections" = { };
  systemd.services.NetworkManager.after = [
    config.environment.persistence."/persist/state"."/etc/NetworkManager/system-connections".mount
  ];
 }
--- a/hosts/common/configs/system/nix-cleanup/cleanup.sh
+++ b/hosts/common/configs/system/nix-cleanup/cleanup.sh
@@ -1,3 +1,5 @@
 # shellcheck shell=bash
 if [[ "${EUID}" -ne 0 ]]; then
  echo "Please run the script as root."
  exit 1
@@ -16,13 +18,8 @@ if [[ -e /mnt/btrfs && -n $(mountpoint -q /mnt/btrfs) ]]; then
  exit 1
 fi
 if [[ -z "$DEVICE" ]]; then
  echo "Error: DEVICE variable is not set."
  exit 1
 fi
 mkdir -p /mnt/btrfs
-mount "/dev/mapper/$DEVICE" /mnt/btrfs
+mount "$DEVICE" /mnt/btrfs
 if [[ -e /mnt/btrfs/@.bak ]]; then
  if [[ -n "$(ls -A /mnt/btrfs/@.bak)" ]]; then
--- a/hosts/common/configs/system/nix-install/default.nix
+++ b/hosts/common/configs/system/nix-install/default.nix
@@ -8,6 +8,7 @@
        iputils
        jq
        nix
        sops
        inputs.disko.packages.${system}.disko
      ];
      text = builtins.readFile ./install.sh;
@@ -15,8 +16,6 @@
  ];
  home-manager.sharedModules = [
-    {
+    { programs.zsh.initContent = builtins.readFile ./install.completion.zsh; }
      programs.zsh.initExtra = builtins.readFile ./install.completion.zsh;
    }
  ];
 }
--- a/hosts/common/configs/system/nix-install/install.completion.zsh
+++ b/hosts/common/configs/system/nix-install/install.completion.zsh
@@ -4,7 +4,6 @@ _nix-install_completion() {
    '-m[Mode: 'install' or 'repair']:mode:(install repair)'
    '-h[Host to configure]:host:($(_list_hosts))'
    '-k[Key file to copy to user config]:key:($(_list_keys))'
    '-p[LUKS password file to use for encryption]:password_file:_files'
    '-c[Copy configuration to target]'
    '-r[Reboot after completion]'
  )
--- a/hosts/common/configs/system/nix-install/install.sh
+++ b/hosts/common/configs/system/nix-install/install.sh
@@ -1,3 +1,5 @@
 # shellcheck shell=bash
 usage() {
  echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-c] [-r]"
  echo
@@ -6,7 +8,6 @@ usage() {
  echo "  -m mode             Mode: 'install' or 'repair'."
  echo "  -h host             Host to configure."
  echo "  -k key              Key file to copy to user config."
  echo "  -p password_file    LUKS password file to use for encryption."
  echo "  -c                  Copy configuration to target."
  echo "  -r                  Reboot after completion."
  exit 1
@@ -48,34 +49,22 @@ check_key() {
 }
 set_password_file() {
-  if [[ -n "$password_file" ]]; then
+  SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
-    if [[ ! -f "$password_file" ]]; then
+  export SOPS_AGE_KEY_FILE
-      echo "LUKS key file '$password_file' not found."
+  sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/keyfile
-      exit 1
+  unset SOPS_AGE_KEY_FILE
    fi
    ln -sf "$(realpath "$password_file")" /tmp/installer.key
  else
    echo "Enter password for LUKS encryption:"
    IFS= read -r -s password
    echo "Enter password again to confirm: "
    IFS= read -r -s password_check
    [ "$password" != "$password_check" ]
    echo -n "$password" > /tmp/installer.key
    unset password password_check
  fi
 }
 prepare_disk() {
  local disko_mode="$1"
  mkdir -p /mnt
  root=$(mktemp -d /mnt/install.XXXXXX)
-  disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix" --arg device "\"$device\""
+  disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix"
 }
 copy_keys() {
-  mkdir -p "$root/persist/etc/ssh"
+  mkdir -p "$root/persist/state/etc/ssh"
-  cp "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/etc/ssh/ssh_host_ed25519_key"
+  cp -f "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
  for path in "$flake/hosts/$host/users"/*; do
    if [[ -z "$key" ]]; then
@@ -84,9 +73,17 @@ copy_keys() {
    local user
    user=$(basename "$path")
-    mkdir -p "$root/persist/home/$user/.config/sops-nix"
+
-    cp "$flake/secrets/$key/key.txt" "$root/persist/home/$user/.config/sops-nix/key.txt"
+    mkdir -p "$root/persist/state/home/$user/.config/sops-nix"
-    chown -R "$(cat "$flake/hosts/$host/users/$user/uid"):100" "$root/persist/home/$user"
+    cp -f "$flake/secrets/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
    owner=$(cat "$flake/hosts/$host/users/$user/uid")
    group=100
    chown "$owner:$group" \
      "$root/persist/state/home/$user" \
      "$root/persist/state/home/$user/.config" \
      "$root/persist/state/home/$user/.config/sops-nix" \
      "$root/persist/state/home/$user/.config/sops-nix/key.txt"
  done
 }
@@ -96,8 +93,9 @@ install() {
 copy_config() {
  echo "Copying configuration..."
-  rm -rf "$root/persist/etc/nixos"
+  mkdir -p "$root/persist/user/etc/nixos"
-  cp -r "$flake" "$root/persist/etc/nixos"
+  rm -rf "$root/persist/user/etc/nixos"
  cp -r "$flake" "$root/persist/user/etc/nixos"
 }
 finish() {
@@ -108,66 +106,57 @@ finish() {
 }
 cleanup() {
-  rm -f /tmp/installer.key
+  rm -f /tmp/keyfile
-  if [[ -n "$host" && -n "$device" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix" --arg device "\"$device\""; fi
+  if [[ -n "$host" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix"; fi
  if [[ -d "$root" ]]; then rmdir "$root"; fi
 }
-check_root
+main() {
-check_network
+  check_root
  check_network
-if [[ "$#" -lt 1 ]]; then
+  if [[ "$#" -lt 1 ]]; then usage; fi
  usage
 fi
-flake="$(realpath "$1")"
+  flake="$(realpath "$1")"
-check_flake
+  check_flake
-shift
+  shift
-mode=""
+  mode=""
-host=""
+  host=""
-key=""
+  key=""
-password_file=""
+  copy_config_flag="false"
-copy_config_flag="false"
+  reboot_flag="false"
 reboot_flag="false"
-while getopts "m:h:k:p:cr" opt; do
+  while getopts "m:h:k:cr" opt; do
    case "$opt" in
      m) mode="$OPTARG" ;;
      h) host="$OPTARG" ;;
      k) key="$OPTARG" ;;
    p) password_file="$OPTARG" ;;
      c) copy_config_flag="true" ;;
      r) reboot_flag="true" ;;
      *) usage ;;
    esac
-done
+  done
-if [[ -z "$mode" || -z "$host" ]]; then
+  if [[ -z "$mode" || -z "$host" ]]; then usage; fi
  usage
 fi
-check_host
+  check_host
-check_key
+  check_key
-until set_password_file; do echo "Passwords did not match, please try again."; done
+  set_password_file
-device=$(grep -oP '(?<=device = ")[^"]+' "$flake/hosts/$host/default.nix")
+  case "$mode" in
-
+    install) prepare_disk "destroy,format,mount";;
-case "$mode" in
+    repair) prepare_disk "mount";;
  install)
    prepare_disk "destroy,format,mount"
    copy_keys
    install
    if [[ "$copy_config_flag" == "true" ]]; then copy_config; fi
    if [[ "$reboot_flag" == "true" ]]; then finish; fi
    ;;
  repair)
    prepare_disk "mount"
    install
    if [[ "$reboot_flag" == "true" ]]; then finish; fi
    ;;
    *)
      echo "Invalid mode: $mode"
      usage
      ;;
-esac
+  esac
  copy_keys
  install
  [[ "$copy_config_flag" == "true" ]] && copy_config
  [[ "$reboot_flag" == "true" ]] && finish
 }
 main "$@"
--- a/hosts/common/configs/system/nix-ld/default.nix
+++ b/hosts/common/configs/system/nix-ld/default.nix
@@ -1,7 +1,4 @@
 { ... }:
 {
-  programs.nix-ld = {
+  programs.nix-ld.enable = true;
    enable = true;
    libraries = [ ];
  };
 }
--- a/hosts/common/configs/system/nix-update/default.nix
+++ b/hosts/common/configs/system/nix-update/default.nix
@@ -0,0 +1,12 @@
 { pkgs, ... }:
 {
  nixpkgs.overlays = [
    (final: prev: {
      nix-update = prev.nix-update.overrideAttrs (oldAttrs: {
        patches = oldAttrs.patches or [ ] ++ [ ./source-attribute.patch ];
      });
    })
  ];
  environment.systemPackages = with pkgs; [ nix-update ];
 }
--- a/hosts/common/configs/system/nix-update/source-attribute.patch
+++ b/hosts/common/configs/system/nix-update/source-attribute.patch
@@ -0,0 +1,127 @@
 diff --git a/nix_update/__init__.py b/nix_update/__init__.py
 index 89bbe45..93f9322 100644
 --- a/nix_update/__init__.py
 +++ b/nix_update/__init__.py
@@ -124,6 +124,12 @@ def parse_args(args: list[str]) -> Options:
         default=[],
     )
 +    parser.add_argument(
 +        "--src-attr",
 +        help="Src attribute",
 +        default="src",
 +    )
 +
     a = parser.parse_args(args)
     extra_flags = ["--extra-experimental-features", "flakes nix-command"]
     if a.system:
@@ -146,6 +152,7 @@ def parse_args(args: list[str]) -> Options:
         version=a.version,
         version_preference=VersionPreference.from_str(a.version),
         attribute=a.attribute,
 +        source_attribute=a.src_attr,
         test=a.test,
         version_regex=a.version_regex,
         review=a.review,
 diff --git a/nix_update/eval.py b/nix_update/eval.py
 index 1767056..f85ea69 100644
 --- a/nix_update/eval.py
 +++ b/nix_update/eval.py
@@ -105,12 +105,19 @@ class Package:
 def eval_expression(
     escaped_import_path: str,
     attr: str,
 +    source_attr: str,
     flake: bool,
     system: str | None,
     override_filename: str | None,
 ) -> str:
     system = f'"{system}"' if system else "builtins.currentSystem"
 +    source_attrs = source_attr.rpartition(".")
 +    source_attr_last = source_attrs[-1] or source_attr
 +    source_attr_all_but_last = (
 +        f".{source_attrs[0]}" if source_attr_last != source_attr else ""
 +    )
 +
     if flake:
         sanitize_position = (
             f"""
@@ -164,8 +171,8 @@ let
     raw_version_position
   else if pkg ? isPhpExtension then
     raw_version_position
 -  else if (builtins.unsafeGetAttrPos "src" pkg) != null then
 -    sanitizePosition (builtins.unsafeGetAttrPos "src" pkg)
 +  else if (builtins.unsafeGetAttrPos "{source_attr_last}" pkg) != null then
 +    sanitizePosition (builtins.unsafeGetAttrPos "{source_attr_last}" pkg{source_attr_all_but_last})
   else
     sanitizePosition (positionFromMeta pkg);
 in {{
@@ -174,11 +181,11 @@ in {{
   inherit raw_version_position;
   filename = position.file;
   line = position.line;
 -  urls = pkg.src.urls or null;
 -  url = pkg.src.url or null;
 -  rev = pkg.src.rev or null;
 -  tag = pkg.src.tag or null;
 -  hash = pkg.src.outputHash or null;
 +  urls = pkg.{source_attr}.urls or null;
 +  url = pkg.{source_attr}.url or null;
 +  rev = pkg.{source_attr}.rev or null;
 +  tag = pkg.{source_attr}.tag or null;
 +  hash = pkg.{source_attr}.outputHash or null;
   go_modules = pkg.goModules.outputHash or null;
   go_modules_old = pkg.go-modules.outputHash or null;
   cargo_deps = pkg.cargoDeps.outputHash or null;
@@ -205,7 +212,7 @@ in {{
   mix_deps = pkg.mixFodDeps.outputHash or null;
   tests = builtins.attrNames (pkg.passthru.tests or {{}});
   has_update_script = {has_update_script};
 -  src_homepage = pkg.src.meta.homepage or null;
 +  src_homepage = pkg.{source_attr}.meta.homepage or null;
   changelog = pkg.meta.changelog or null;
   maintainers = pkg.meta.maintainers or null;
 }}"""
@@ -215,6 +222,7 @@ def eval_attr(opts: Options) -> Package:
     expr = eval_expression(
         opts.escaped_import_path,
         opts.escaped_attribute,
 +        opts.source_attribute,
         opts.flake,
         opts.system,
         opts.override_filename,
 diff --git a/nix_update/options.py b/nix_update/options.py
 index 2d07b77..ab5c305 100644
 --- a/nix_update/options.py
 +++ b/nix_update/options.py
@@ -8,6 +8,7 @@ from .version.version import VersionPreference
 @dataclass
 class Options:
     attribute: str
 +    source_attribute: str = "src"
     flake: bool = False
     version: str = "stable"
     version_preference: VersionPreference = VersionPreference.STABLE
@@ -33,4 +34,7 @@ class Options:
     def __post_init__(self) -> None:
         self.escaped_attribute = ".".join(map(json.dumps, self.attribute.split(".")))
 +        self.escaped_source_attribute = ".".join(
 +            map(json.dumps, self.source_attribute.split("."))
 +        )
         self.escaped_import_path = json.dumps(self.import_path)
 diff --git a/nix_update/update.py b/nix_update/update.py
 index 82b7bc5..464bf3d 100644
 --- a/nix_update/update.py
 +++ b/nix_update/update.py
@@ -155,7 +155,7 @@ def git_prefetch(x: tuple[str, tuple[str, str]]) -> tuple[str, str]:
 def update_src_hash(opts: Options, filename: str, current_hash: str) -> None:
 -    target_hash = nix_prefetch(opts, "src")
 +    target_hash = nix_prefetch(opts, opts.source_attribute)
     replace_hash(filename, current_hash, target_hash)
--- a/hosts/common/configs/system/nix/default.nix
+++ b/hosts/common/configs/system/nix/default.nix
@@ -1,9 +1,20 @@
 { config, inputs, ... }:
 {
-  sops.secrets."nix/accessTokens/github" = {
+  sops = {
-    sopsFile = ../../../../../secrets/personal/secrets.yaml;
+    secrets = {
      "git/credentials/github.com/public/username".sopsFile =
        ../../../../../secrets/personal/secrets.yaml;
      "git/credentials/github.com/public/password".sopsFile =
        ../../../../../secrets/personal/secrets.yaml;
    };
    templates.nix-access-tokens = {
      content = ''
        access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/public/password"}
      '';
      group = "users";
    };
  };
  nix = {
    settings = {
@@ -12,14 +23,18 @@
        "nix-command"
        "flakes"
      ];
      download-buffer-size = 524288000;
    };
-    registry.self.flake = inputs.self;
+    channel.enable = false;
    gc.automatic = true;
    optimise.automatic = true;
    registry.self.flake = inputs.self;
    extraOptions = ''
-      !include ${config.sops.secrets."nix/accessTokens/github".path}
+      !include ${config.sops.templates.nix-access-tokens.path}
    '';
  };
 }
--- a/hosts/common/configs/system/nixpkgs/default.nix
+++ b/hosts/common/configs/system/nixpkgs/default.nix
@@ -1,6 +1,9 @@
-{ inputs, ... }:
+{ inputs, system, ... }:
 {
  imports = [ inputs.nur.modules.nixos.default ];
-  nixpkgs.config.allowUnfree = true;
+  nixpkgs = {
    hostPlatform = system;
    config.allowUnfree = true;
  };
 }
--- a/hosts/common/configs/system/pipewire/default.nix
+++ b/hosts/common/configs/system/pipewire/default.nix
@@ -8,12 +8,16 @@
    };
    pulse.enable = true;
    jack.enable = true;
-    extraConfig.pipewire-pulse = {
+    extraConfig.pipewire-pulse.pipewire-pulse = {
-      pulse.cmd = [
+      "pulse.cmd" = [
        {
          cmd = "load-module";
          args = "module-switch-on-connect";
        }
        {
          cmd = "load-module";
          args = "module-combine-sink";
        }
      ];
    };
  };
--- a/hosts/common/configs/system/podman/default.nix
+++ b/hosts/common/configs/system/podman/default.nix
@@ -0,0 +1,24 @@
 { pkgs, inputs, ... }:
 {
  imports = [ inputs.quadlet-nix.nixosModules.quadlet ];
  virtualisation = {
    podman.enable = true;
    containers = {
      enable = true;
      storage.settings.storage.driver = "btrfs";
    };
    quadlet.autoEscape = true;
  };
  environment = {
    persistence."/persist/state"."/var/lib/containers".create = "directory";
    systemPackages = with pkgs; [
      podman-compose
      kompose
    ];
  };
 }
--- a/hosts/common/configs/system/power/default.nix
+++ b/hosts/common/configs/system/power/default.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  powerManagement.enable = true;
 }
--- a/hosts/common/configs/system/powertop/default.nix
+++ b/hosts/common/configs/system/powertop/default.nix
@@ -1,5 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [ powertop ];
  powerManagement.powertop.enable = true;
 }
--- a/hosts/common/configs/system/printing/default.nix
+++ b/hosts/common/configs/system/printing/default.nix
@@ -18,19 +18,19 @@
    };
  };
-  environment.persistence."/persist" = {
+  environment.persistence."/persist/state" = {
    "/var/lib/cups/ppd" = { };
    "/var/lib/cups/printers.conf" = { };
  };
  systemd = {
    services.cups.after = [
-      config.environment.persistence."/persist"."/var/lib/cups/ppd".mount
+      config.environment.persistence."/persist/state"."/var/lib/cups/ppd".mount
-      config.environment.persistence."/persist"."/var/lib/cups/printers.conf".mount
+      config.environment.persistence."/persist/state"."/var/lib/cups/printers.conf".mount
    ];
    sockets.cups.after = [
-      config.environment.persistence."/persist"."/var/lib/cups/ppd".mount
+      config.environment.persistence."/persist/state"."/var/lib/cups/ppd".mount
-      config.environment.persistence."/persist"."/var/lib/cups/printers.conf".mount
+      config.environment.persistence."/persist/state"."/var/lib/cups/printers.conf".mount
    ];
  };
 }
--- a/hosts/common/configs/system/smartmontools/default.nix
+++ b/hosts/common/configs/system/smartmontools/default.nix
@@ -0,0 +1,7 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    smartmontools
    nvme-cli
  ];
 }
--- a/hosts/common/configs/system/sops/default.nix
+++ b/hosts/common/configs/system/sops/default.nix
@@ -8,13 +8,27 @@
  imports = [ inputs.sops-nix.nixosModules.sops ];
  environment = {
-    persistence."/persist"."/etc/ssh/ssh_host_ed25519_key" = { };
+    persistence."/persist/state"."/etc/ssh/ssh_host_ed25519_key" = { };
-    systemPackages = with pkgs; [ sops ];
+
    systemPackages = with pkgs; [
      sops
      age
      ssh-to-age
    ];
  };
-  sops.age = {
+  sops = {
    defaultSopsFile = ../../../../. + "/${config.networking.hostName}/secrets/secrets.yaml";
    age = {
      generateKey = true;
    sshKeyPaths = [ config.environment.persistence."/persist"."/etc/ssh/ssh_host_ed25519_key".source ];
      keyFile = "/var/lib/sops-nix/key.txt";
      sshKeyPaths =
        if config.environment.impermanence.enable then
          [ config.environment.persistence."/persist/state"."/etc/ssh/ssh_host_ed25519_key".source ]
        else
          [ "/etc/ssh/ssh_host_ed25519_key" ];
    };
  };
 }
--- a/hosts/common/configs/system/ssh-agent/default.nix
+++ b/hosts/common/configs/system/ssh-agent/default.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  programs.ssh.startAgent = true;
 }
--- a/hosts/common/configs/system/ssh/default.nix
+++ b/hosts/common/configs/system/ssh/default.nix
@@ -1,12 +1,23 @@
 { ... }:
 {
-  programs.ssh = {
+  programs.ssh.knownHosts = {
    startAgent = true;
    knownHosts = {
    installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub;
      eirene.publicKeyFile = ../../../../eirene/secrets/ssh_host_ed25519_key.pub;
    elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub;
    himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub;
    jupiter = {
      publicKeyFile = ../../../../jupiter/secrets/ssh_host_ed25519_key.pub;
      extraHostNames = [ "karaolidis.com" ];
    };
    jupiter-sish = {
      publicKeyFile = ../../../../jupiter/users/storm/configs/console/podman/sish/ssh_host_ed25519_key.pub;
      extraHostNames = [ "karaolidis.com" ];
    };
    jupiter-vps = {
      publicKeyFile = ../../../../jupiter-vps/secrets/ssh_host_ed25519_key.pub;
      extraHostNames = [ "vps.karaolidis.com" ];
    };
  };
 }
--- a/hosts/common/configs/system/sshd/default.nix
+++ b/hosts/common/configs/system/sshd/default.nix
@@ -0,0 +1,27 @@
 { ... }:
 {
  environment = {
    enableAllTerminfo = true;
    persistence."/persist/state"."/var/lib/fail2ban" = { };
  };
  services = {
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PrintMotd = false;
      };
    };
    fail2ban = {
      enable = true;
      bantime = "24h";
      bantime-increment = {
        enable = true;
        maxtime = "720h";
        overalljails = true;
      };
    };
  };
 }
--- a/hosts/common/configs/system/sudo/default.nix
+++ b/hosts/common/configs/system/sudo/default.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  security.pam.services.sudo.nodelay = true;
 }
--- a/hosts/common/configs/system/system/default.nix
+++ b/hosts/common/configs/system/system/default.nix
@@ -1,17 +1,4 @@
-{ inputs, ... }:
+{ ... }:
 {
-  system = {
+  system.stateVersion = "24.11";
    autoUpgrade = {
      enable = true;
      flake = inputs.self.outPath;
      flags = [
        "--update-input"
        "nixpkgs"
        "-L"
      ];
      dates = "02:00";
    };
    stateVersion = "24.11";
  };
 }
--- a/hosts/common/configs/system/timezone/timezone.sh
+++ b/hosts/common/configs/system/timezone/timezone.sh
@@ -1,3 +1,5 @@
 # shellcheck shell=bash
 case "$2" in
  connectivity-change)
    if timezone=$(curl --fail https://ipapi.co/timezone); then
--- a/hosts/common/configs/system/tlp/default.nix
+++ b/hosts/common/configs/system/tlp/default.nix
@@ -1,12 +0,0 @@
 { ... }:
 {
  services.tlp = {
    enable = true;
    settings = {
      CPU_SCALING_GOVERNOR_ON_AC = "performance";
      CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
      CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
      CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
    };
  };
 }
--- a/hosts/common/configs/system/tree/default.nix
+++ b/hosts/common/configs/system/tree/default.nix
@@ -1,4 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [ tree ];
 }
--- a/hosts/common/configs/system/upower/default.nix
+++ b/hosts/common/configs/system/upower/default.nix
@@ -0,0 +1,8 @@
 { ... }:
 {
  services.upower = {
    enable = true;
    allowRiskyCriticalPowerAction = true;
    criticalPowerAction = "Ignore";
  };
 }
--- a/hosts/common/configs/system/wget/default.nix
+++ b/hosts/common/configs/system/wget/default.nix
@@ -1,4 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [ wget ];
 }
--- a/hosts/common/configs/system/zsh/default.nix
+++ b/hosts/common/configs/system/zsh/default.nix
@@ -6,7 +6,9 @@
  };
  environment = {
-    persistence."/persist"."/var/lib/zsh" = { };
+    persistence."/persist/state"."/var/lib/zsh" = { };
    pathsToLink = [ "/share/zsh" ];
  };
  systemd.tmpfiles.rules = [ "d /var/lib/zsh 0755 root root" ];
 }
--- a/hosts/common/configs/user/console/android/default.nix
+++ b/hosts/common/configs/user/console/android/default.nix
@@ -17,7 +17,7 @@
  users.users.${user}.extraGroups = [ "adbusers" ];
-  environment.persistence."/persist" = {
+  environment.persistence."/persist/state" = {
    "${home}/.local/share/android/adbkey" = { };
    "${home}/.local/share/android/adbkey.pub" = { };
  };
--- a/hosts/common/configs/user/console/brightnessctl/default.nix
+++ b/hosts/common/configs/user/console/brightnessctl/default.nix
@@ -8,6 +8,4 @@
    "video"
    "inputs"
  ];
  home-manager.users.${user}.home.packages = with pkgs; [ brightnessctl ];
 }
--- a/hosts/common/configs/user/console/btop/default.nix
+++ b/hosts/common/configs/user/console/btop/default.nix
@@ -14,7 +14,7 @@
      update_ms = 1000;
      proc_tree = true;
      cpu_single_graph = true;
-      disks_filter = "/ /nix /persist /cache";
+      disks_filter = "/ /nix /persist";
    };
  };
 }
--- a/hosts/common/configs/user/console/dive/default.nix
+++ b/hosts/common/configs/user/console/dive/default.nix
@@ -0,0 +1,22 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  hmConfig = config.home-manager.users.${user};
 in
 {
  home-manager.users.${user} = {
    home.packages = with pkgs; [ dive ];
    xdg.configFile."dive/config.yaml" = lib.mkIf (
      config.virtualisation.podman.enable || hmConfig.services.podman.enable
    ) { source = (pkgs.formats.yaml { }).generate "config.yaml" { container-engine = "podman"; }; };
  };
 }
--- a/hosts/common/configs/user/console/docker/default.nix
+++ b/hosts/common/configs/user/console/docker/default.nix
@@ -1,55 +0,0 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
  rootless ? true,
 }:
 {
  config,
  lib,
  pkgs,
  ...
 }:
 lib.mkMerge [
  {
    virtualisation.docker.rootless = {
      enable = rootless;
      setSocketVariable = true;
      enableOnBoot = false;
      storageDriver = "btrfs";
      daemon.settings = {
        experimental = true;
        ipv6 = true;
        fixed-cidr-v6 = "fd00::/80";
      };
      autoPrune = {
        enable = true;
        flags = [ "--all" ];
      };
    };
    home-manager.users.${user}.home = {
      packages = with pkgs; [ docker-compose ];
      sessionVariables = {
        DOCKER_CONFIG = "${home}/.config/docker";
      };
    };
  }
  (lib.mkIf rootless {
    environment.persistence."/persist"."${home}/.local/share/docker" = { };
    systemd.user = {
      services.docker.after = [
        config.environment.persistence."/persist"."${home}/.local/share/docker".mount
      ];
      sockets.docker.after = [
        config.environment.persistence."/persist"."${home}/.local/share/docker".mount
      ];
    };
  })
  (lib.mkIf (!rootless) {
    users.users.${user}.extraGroups = [ "docker" ];
  })
 ]
--- a/hosts/common/configs/user/console/ffmpeg/default.nix
+++ b/hosts/common/configs/user/console/ffmpeg/default.nix
@@ -4,5 +4,8 @@
 }:
 { pkgs, ... }:
 {
-  home-manager.users.${user}.home.packages = with pkgs; [ ffmpeg ];
+  home-manager.users.${user}.home.packages = with pkgs; [
    ffmpeg
    mediainfo
  ];
 }
--- a/hosts/common/configs/user/console/git/commit-msg.sh
+++ b/hosts/common/configs/user/console/git/commit-msg.sh
@@ -1,3 +1,5 @@
 # shellcheck shell=bash
 git interpret-trailers --if-exists doNothing --trailer \
  "Signed-off-by: $(git config user.name) <$(git config user.email)>" \
  --in-place "$1"
--- a/hosts/common/configs/user/console/gpg-agent/import-gpg-keys.sh
+++ b/hosts/common/configs/user/console/gpg-agent/import-gpg-keys.sh
@@ -1,3 +1,5 @@
 # shellcheck shell=bash
 install -d -m 700 "$GNUPGHOME"
 KEYS="$HOME/.config/sops-nix/secrets/gpg"
--- a/hosts/common/configs/user/console/home-manager/default.nix
+++ b/hosts/common/configs/user/console/home-manager/default.nix
@@ -9,9 +9,7 @@
  programs.dconf.enable = true;
  home-manager = {
-    extraSpecialArgs = {
+    extraSpecialArgs = { inherit inputs; };
      inherit inputs;
    };
    backupFileExtension = "bak";
    useUserPackages = true;
    useGlobalPkgs = true;
--- a/hosts/common/configs/user/console/ip/default.nix
+++ b/hosts/common/configs/user/console/ip/default.nix
@@ -0,0 +1,15 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { pkgs, ... }:
 {
  home-manager.users.${user}.home.packages = with pkgs; [
    iproute2
    iptables
    ipset
    ethtool
    tcpdump
    ipcalc
  ];
 }
--- a/hosts/common/configs/user/console/kubernetes/default.nix
+++ b/hosts/common/configs/user/console/kubernetes/default.nix
@@ -9,52 +9,20 @@
  ...
 }:
 {
  nixpkgs.overlays = [
    (final: prev: {
      k9s = prev.k9s.overrideAttrs (oldAttrs: {
        patches = oldAttrs.patches or [ ] ++ [ ./remove-splash.patch ];
      });
    })
  ];
  environment.persistence = {
-    "/persist"."${home}/.kube" = { };
+    "/persist/user"."${home}/.kube" = { };
-    "/cache"."${home}/.kube/cache" = { };
+    "/persist/cache"."${home}/.kube/cache" = { };
  };
  users.users.${user}.extraGroups = [ "kubernetes" ];
  sops.secrets = {
    "kubernetes/accounts/${user}/crt" = {
      key = "kubernetes/accounts/users/crt";
      group = "users";
      mode = "0440";
    };
    "kubernetes/accounts/${user}/key" = {
      key = "kubernetes/accounts/users/key";
      group = "users";
      mode = "0440";
    };
  };
  home-manager.users.${user} = {
-    home = {
+    home.packages = with pkgs; [
      packages = with pkgs; [
      kubectl
      kustomize
      kubernetes-helm
      kompose
      kind
    ];
      file.".kube/local".source = config.services.kubernetes.lib.mkKubeConfig user {
        caFile = config.sops.secrets."kubernetes/ca/crt".path;
        certFile = config.sops.secrets."kubernetes/accounts/${user}/crt".path;
        keyFile = config.sops.secrets."kubernetes/accounts/${user}/key".path;
        server = config.services.kubernetes.apiserverAddress;
      };
    };
    programs = {
      k9s = {
        enable = true;
@@ -67,19 +35,20 @@
          ui = {
            skin = "matugen";
            logoless = true;
            splashless = true;
            reactive = true;
          };
        };
      };
      zsh = {
-        initExtra = ''
+        initContent = ''
          kubeswitch() {
            local target="$HOME/.kube/$1"
            local config="$HOME/.kube/config"
            if [[ -f "$target" && "$target" != "$config" ]]; then
-              ln -sf "$target" "$config"
+              ln -srf "$target" "$config"
              echo "Switched kube context to $1"
              p10k reload
            else
@@ -101,6 +70,6 @@
      };
    };
-    theme.template."${home}/.config/k9s/skins/matugen.yaml".source = ./theme.yaml;
+    theme.template.".config/k9s/skins/matugen.yaml".source = ./theme.yaml;
  };
 }
--- a/hosts/common/configs/user/console/kubernetes/remove-splash.patch
+++ b/hosts/common/configs/user/console/kubernetes/remove-splash.patch
@@ -1,123 +0,0 @@
 diff --git a/internal/ui/splash.go b/internal/ui/splash.go
 index bfe58e46..21683c53 100644
 --- a/internal/ui/splash.go
 +++ b/internal/ui/splash.go
@@ -3,14 +3,6 @@
 package ui
 -import (
 -	"fmt"
 -	"strings"
 -
 -	"github.com/derailed/k9s/internal/config"
 -	"github.com/derailed/tview"
 -)
 -
 // LogoSmall K9s small log.
 var LogoSmall = []string{
 	` ____  __.________       `,
@@ -30,42 +22,3 @@ var LogoBig = []string{
 	`|____|__ \ /____//____  >\______  /_______ \___|`,
 	`        \/            \/        \/        \/    `,
 }
 -
 -// Splash represents a splash screen.
 -type Splash struct {
 -	*tview.Flex
 -}
 -
 -// NewSplash instantiates a new splash screen with product and company info.
 -func NewSplash(styles *config.Styles, version string) *Splash {
 -	s := Splash{Flex: tview.NewFlex()}
 -	s.SetBackgroundColor(styles.BgColor())
 -
 -	logo := tview.NewTextView()
 -	logo.SetDynamicColors(true)
 -	logo.SetTextAlign(tview.AlignCenter)
 -	s.layoutLogo(logo, styles)
 -
 -	vers := tview.NewTextView()
 -	vers.SetDynamicColors(true)
 -	vers.SetTextAlign(tview.AlignCenter)
 -	s.layoutRev(vers, version, styles)
 -
 -	s.SetDirection(tview.FlexRow)
 -	s.AddItem(logo, 10, 1, false)
 -	s.AddItem(vers, 1, 1, false)
 -
 -	return &s
 -}
 -
 -func (s *Splash) layoutLogo(t *tview.TextView, styles *config.Styles) {
 -	logo := strings.Join(LogoBig, fmt.Sprintf("\n[%s::b]", styles.Body().LogoColor))
 -	fmt.Fprintf(t, "%s[%s::b]%s\n",
 -		strings.Repeat("\n", 2),
 -		styles.Body().LogoColor,
 -		logo)
 -}
 -
 -func (s *Splash) layoutRev(t *tview.TextView, rev string, styles *config.Styles) {
 -	fmt.Fprintf(t, "[%s::b]Revision [red::b]%s", styles.Body().FgColor, rev)
 -}
 diff --git a/internal/ui/splash_test.go b/internal/ui/splash_test.go
 deleted file mode 100644
 index 69b4b50d..00000000
 --- a/internal/ui/splash_test.go
 +++ /dev/null
@@ -1,22 +0,0 @@
 -// SPDX-License-Identifier: Apache-2.0
 -// Copyright Authors of K9s
 -
 -package ui_test
 -
 -import (
 -	"testing"
 -
 -	"github.com/derailed/k9s/internal/config"
 -	"github.com/derailed/k9s/internal/ui"
 -	"github.com/stretchr/testify/assert"
 -)
 -
 -func TestNewSplash(t *testing.T) {
 -	s := ui.NewSplash(config.NewStyles(), "bozo")
 -
 -	x, y, w, h := s.GetRect()
 -	assert.Equal(t, 0, x)
 -	assert.Equal(t, 0, y)
 -	assert.Equal(t, 15, w)
 -	assert.Equal(t, 10, h)
 -}
 diff --git a/internal/view/app.go b/internal/view/app.go
 index 4ac7e7c2..2b3a3fc5 100644
 --- a/internal/view/app.go
 +++ b/internal/view/app.go
@@ -35,7 +35,6 @@ import (
 var ExitStatus = ""
 const (
 -	splashDelay      = 1 * time.Second
 	clusterRefresh   = 15 * time.Second
 	clusterInfoWidth = 50
 	clusterInfoPad   = 15
@@ -165,8 +164,7 @@ func (a *App) layout(ctx context.Context) {
 	}
 	main.AddItem(flash, 1, 1, false)
 -	a.Main.AddPage("main", main, true, false)
 -	a.Main.AddPage("splash", ui.NewSplash(a.Styles, a.version), true, true)
 +	a.Main.AddPage("main", main, true, true)
 	a.toggleHeader(!a.Config.K9s.IsHeadless(), !a.Config.K9s.IsLogoless())
 }
@@ -520,10 +518,7 @@ func (a *App) Run() error {
 	a.Resume()
 	go func() {
 -		<-time.After(splashDelay)
 		a.QueueUpdateDraw(func() {
 -			a.Main.SwitchToPage("main")
 -			// if command bar is already active, focus it
 			if a.CmdBuff().IsActive() {
 				a.SetFocus(a.Prompt())
 			}
--- a/hosts/elara/users/nikara/configs/console/jsonify/default.nix
+++ b/hosts/elara/users/nikara/configs/console/jsonify/default.nix
@@ -4,5 +4,5 @@
 }:
 { pkgs, ... }:
 {
-  home-manager.users.${user}.home.packages = [ (pkgs.callPackage ./package.nix { }) ];
+  home-manager.users.${user}.home.packages = with pkgs; [ mprocs ];
 }
--- a/hosts/common/configs/user/console/ncspot/default.nix
+++ b/hosts/common/configs/user/console/ncspot/default.nix
@@ -0,0 +1,31 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { lib, pkgs, ... }:
 {
  environment.persistence = {
    "/persist/state"."${home}/.config/ncspot/userstate.cbor" = { };
    "/persist/cache"."${home}/.cache/ncspot" = { };
  };
  home-manager.users.${user} = {
    programs.ncspot.enable = true;
    theme = {
      template.".config/ncspot/config.toml".source = ./theme.toml;
      reloadExtraConfig = "${
        lib.meta.getExe (
          pkgs.writeShellApplication {
            name = "reload-ncspot";
            runtimeInputs = with pkgs; [ netcat ];
            text = ''
              printf "reload\n" | nc -W 1 -U "''${XDG_RUNTIME_DIR:-/run/user/$UID}/ncspot/ncspot.sock"
            '';
          }
        )
      } &";
    };
  };
 }
--- a/hosts/common/configs/user/console/ncspot/theme.toml
+++ b/hosts/common/configs/user/console/ncspot/theme.toml
@@ -0,0 +1,23 @@
 use_nerdfont = true
 volnorm = true
 default_keybindings = true
 library_tabs = [ "albums", "artists", "playlists", "browse" ]
 [theme]
 background = "{{colors.surface.default.hex}}"
 primary = "{{colors.on_surface.default.hex}}"
 secondary = "{{colors.inverse_surface.default.hex}}"
 title = "{{colors.primary.default.hex}}"
 playing = "{{colors.primary.default.hex}}"
 playing_bg = "{{colors.surface.default.hex}}"
 highlight = "{{colors.on_primary.default.hex}}"
 highlight_bg = "{{colors.primary.default.hex}}"
 playing_selected = "{{colors.on_primary.default.hex}}"
 error = "{{colors.on_error.default.hex}}"
 error_bg = "{{colors.error.default.hex}}"
 statusbar = "{{colors.primary.default.hex}}"
 statusbar_progress = "{{colors.primary.default.hex}}"
 statusbar_bg = "{{colors.surface.default.hex}}"
 cmdline = "{{colors.on_surface.default.hex}}"
 cmdline_bg = "{{colors.surface.default.hex}}"
 search_match = "{{colors.tertiary.default.hex}}"
--- a/hosts/common/configs/user/console/nix-develop/default.nix
+++ b/hosts/common/configs/user/console/nix-develop/default.nix
@@ -12,7 +12,7 @@
  home-manager.users.${user}.programs.zsh = {
    shellAliases.nd = "nix-develop";
-    initExtra =
+    initContent =
      let
        devShells = lib.strings.concatStringsSep " " (
          lib.attrsets.mapAttrsToList (key: _: key) inputs.self.devShells.${system}
@@ -35,7 +35,16 @@
          done
          if [[ -z "$devshell" ]]; then
-            if [ ! -f flake.nix ]; then cp "${./template.nix}" flake.nix; fi
+            if [ ! -f flake.nix ]; then
              cp "${./template.nix}" flake.nix
              chmod 755 flake.nix
            fi
            if [ ! treefmt.nix ]; then
              cp "${./treefmt.nix}" treefmt.nix
              chmod 755 treefmt.nix
            fi
            nix develop -c "$SHELL"
          else
            nix develop self#"$devshell" -c "$SHELL"
--- a/hosts/common/configs/user/console/nix-develop/template.nix
+++ b/hosts/common/configs/user/console/nix-develop/template.nix
@@ -8,23 +8,35 @@
    };
    flake-utils = {
-      url = "github:numtide/flake-utils";
+      type = "github";
      owner = "numtide";
      repo = "flake-utils";
      ref = "main";
    };
    treefmt-nix = {
      type = "github";
      owner = "numtide";
      repo = "treefmt-nix";
      ref = "main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
-    { nixpkgs, ... }@inputs:
+    { self, nixpkgs, ... }@inputs:
    inputs.flake-utils.lib.eachDefaultSystem (
      system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        treefmt = inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
      in
      {
-        devShells.default = pkgs.mkShell {
+        devShells.default = pkgs.mkShell { packages = with pkgs; [ ]; };
          packages = [ ];
        };
-        formatter = pkgs.nixfmt-rfc-style;
+        formatter = treefmt.config.build.wrapper;
        checks.formatting = treefmt.config.build.check self;
      }
    );
 }
--- a/hosts/common/configs/user/console/nix-develop/treefmt.nix
+++ b/hosts/common/configs/user/console/nix-develop/treefmt.nix
@@ -0,0 +1,17 @@
 { ... }:
 {
  projectRootFile = "flake.nix";
  programs = {
    nixfmt = {
      enable = true;
      strict = true;
    };
  };
  settings = {
    global = {
      excludes = [ ".envrc" ];
    };
  };
 }
--- a/hosts/common/configs/user/console/nix-direnv/default.nix
+++ b/hosts/common/configs/user/console/nix-direnv/default.nix
@@ -10,19 +10,35 @@
  ...
 }:
 {
-  home-manager.users.${user} = {
+  home-manager.users.${user}.programs = {
    programs = {
    direnv = {
      enable = true;
      silent = true;
      nix-direnv.enable = true;
      enableZshIntegration = true;
      config = {
        global.warn_timeout = 0;
      };
      # https://github.com/direnv/direnv/wiki/Customizing-cache-location
      stdlib = ''
        declare -A direnv_layout_dirs
        direnv_layout_dir() {
          local hash path
          echo "''${direnv_layout_dirs[$PWD]:=$(
            hash="$(sha1sum - <<< "$PWD" | head -c40)"
            path="''${PWD//[^a-zA-Z0-9]/-}"
            echo "${home}/.cache/direnv/layouts/''${hash}''${path}"
          )}"
        }
      '';
    };
    zsh = {
      shellAliases.nde = "nix-direnv";
-        initExtra =
+      initContent =
        let
          devShells = lib.strings.concatStringsSep " " (
            lib.attrsets.mapAttrsToList (key: _: key) inputs.self.devShells.${system}
@@ -36,7 +52,7 @@
            while getopts "s:h" opt; do
              case $opt in
                s)
-                    devshell=$OPTARG
+                  devshell="$OPTARG"
                  ;;
                h)
                  hide=true
@@ -49,19 +65,33 @@
            done
            if [[ -z "$devshell" ]]; then
-                echo "use flake" > .envrc
+              if "$hide"; then
-                if [ ! -f flake.nix ]; then cp "${../nix-develop/template.nix}" flake.nix; fi
+                echo "use flake path:." > .envrc;
              else
                echo "use flake" > .envrc;
              fi
              if [ ! -f flake.nix ]; then
                cp "${../nix-develop/template.nix}" flake.nix
                chmod 755 flake.nix
              fi
              if [ ! -f treefmt.nix ]; then
                cp "${../nix-develop/treefmt.nix}" treefmt.nix
                chmod 755 treefmt.nix
              fi
            else
              echo "use flake self#$devshell" > .envrc
            fi
-              if hide && git rev-parse --is-inside-work-tree &>/dev/null; then
+            if "$hide" && git rev-parse --is-inside-work-tree &>/dev/null; then
              local top
-                top=$(git rev-parse --show-toplevel)
+              top="$(git rev-parse --show-toplevel)"
              if ! grep -q "^\.envrc$" "$top/.gitignore" "$top/.git/info/exclude"; then echo "$(realpath --relative-to="$top" .envrc)" >> "$top/.git/info/exclude"; fi
              if [ -z "$devshell" ]; then
                if ! grep -q "^flake.nix$" "$top/.gitignore" "$top/.git/info/exclude"; then echo "flake.nix" >> "$top/.git/info/exclude"; fi
                if ! grep -q "^flake.lock$" "$top/.gitignore" "$top/.git/info/exclude"; then echo "flake.lock" >> "$top/.git/info/exclude"; fi
                if ! grep -q "^treefmt.nix$" "$top/.gitignore" "$top/.git/info/exclude"; then echo "treefmt.nix" >> "$top/.git/info/exclude"; fi
              fi
            fi
@@ -84,30 +114,8 @@
    };
  };
    # https://github.com/direnv/direnv/wiki/Customizing-cache-location
    xdg.configFile = {
      "direnv/direnvrc".text = ''
        declare -A direnv_layout_dirs
        direnv_layout_dir() {
          local hash path
          echo "''${direnv_layout_dirs[$PWD]:=$(
            hash="$(sha1sum - <<< "$PWD" | head -c40)"
            path="''${PWD//[^a-zA-Z0-9]/-}"
            echo "${home}/.cache/direnv/layouts/''${hash}''${path}"
          )}"
        }
      '';
      "direnv/direnv.toml".source = (
        (pkgs.formats.toml { }).generate "direnv.toml" {
          global.warn_timeout = 0;
        }
      );
    };
  };
  environment.persistence = {
-    "/persist"."${home}/.local/share/direnv/allow" = { };
+    "/persist/state"."${home}/.local/share/direnv/allow" = { };
-    "/cache"."${home}/.cache/direnv" = { };
+    "/persist/cache"."${home}/.cache/direnv" = { };
  };
 }
--- a/hosts/common/configs/user/console/nix/default.nix
+++ b/hosts/common/configs/user/console/nix/default.nix
@@ -2,12 +2,16 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ ... }:
+{ pkgs, ... }:
 {
-  environment.persistence."/cache"."${home}/.cache/nix" = { };
+  environment.persistence."/persist/cache"."${home}/.cache/nix" = { };
-  home-manager.users.${user}.programs.zsh.shellAliases = {
+  home-manager.users.${user} = {
    home.packages = with pkgs; [ nurl ];
    programs.zsh.shellAliases = {
      nrs = "sudo nixos-rebuild switch --flake .#$(hostname) --show-trace";
      nrb = "sudo nixos-rebuild boot --flake .#$(hostname) --show-trace";
    };
  };
 }
--- a/hosts/elara/users/nikara/configs/console/klog/default.nix
+++ b/hosts/elara/users/nikara/configs/console/klog/default.nix
@@ -4,5 +4,5 @@
 }:
 { pkgs, ... }:
 {
-  home-manager.users.${user}.home.packages = [ (pkgs.callPackage ./package.nix { }) ];
+  home-manager.users.${user}.home.packages = with pkgs; [ ouch ];
 }
--- a/hosts/common/configs/user/console/pipewire/default.nix
+++ b/hosts/common/configs/user/console/pipewire/default.nix
@@ -4,16 +4,17 @@
 }:
 { config, pkgs, ... }:
 {
-  environment.persistence."/persist"."${home}/.local/state/wireplumber" = { };
+  environment.persistence."/persist/state"."${home}/.local/state/wireplumber" = { };
  systemd.user.services.wireplumber.after = [
-    config.environment.persistence."/persist"."${home}/.local/state/wireplumber".mount
+    config.environment.persistence."/persist/state"."${home}/.local/state/wireplumber".mount
  ];
  home-manager.users.${user} = {
    home.packages = with pkgs; [
      wireplumber
      playerctl
      easyeffects
    ];
    services.playerctld.enable = true;
--- a/hosts/common/configs/user/console/podman/default.nix
+++ b/hosts/common/configs/user/console/podman/default.nix
@@ -0,0 +1,33 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 {
  lib,
  pkgs,
  inputs,
  ...
 }:
 {
  environment.persistence."/persist/state"."${home}/.local/share/containers".create = "directory";
  home-manager.users.${user} = {
    imports = [ inputs.quadlet-nix.homeManagerModules.quadlet ];
    services.podman = {
      enable = true;
      settings.storage.storage.driver = "btrfs";
    };
    virtualisation.quadlet.autoEscape = true;
    home = {
      packages = with pkgs; [
        podman-compose
        kompose
      ];
      sessionVariables.REGISTRY_AUTH_FILE = "${home}/.config/containers/auth.json";
    };
  };
 }
--- a/hosts/common/configs/user/console/ranger/default.nix
+++ b/hosts/common/configs/user/console/ranger/default.nix
@@ -1,21 +0,0 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { ... }:
 {
  environment.persistence."/cache"."${home}/.cache/ranger" = { };
  home-manager.users.${user}.programs = {
    ranger = {
      enable = true;
      settings = {
        preview_images = true;
        preview_images_method = "kitty";
      };
    };
    zsh.p10k.extraRightPromptElements = [ "ranger" ];
  };
 }
--- a/hosts/common/configs/user/console/sops/default.nix
+++ b/hosts/common/configs/user/console/sops/default.nix
@@ -4,14 +4,14 @@
 }:
 { config, inputs, ... }:
 {
-  environment.persistence."/persist"."${home}/.config/sops-nix/key.txt" = { };
+  environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt" = { };
  home-manager.users.${user} = {
    imports = [ inputs.sops-nix.homeManagerModules.sops ];
    sops.age.keyFile =
-      config.environment.persistence."/persist"."${home}/.config/sops-nix/key.txt".source;
+      config.environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt".source;
    home.sessionVariables.SOPS_AGE_KEY_FILE =
-      config.environment.persistence."/persist"."${home}/.config/sops-nix/key.txt".source;
+      config.environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt".source;
  };
 }
--- a/hosts/common/configs/user/console/ssh-agent/default.nix
+++ b/hosts/common/configs/user/console/ssh-agent/default.nix
@@ -2,9 +2,10 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ inputs, ... }:
+{ ... }:
 {
  home-manager.users.${user} = {
-    imports = [ inputs.nur.modules.homeManager.default ];
+    services.ssh-agent.enable = true;
    programs.ssh.addKeysToAgent = "yes";
  };
 }
--- a/hosts/common/configs/user/console/ssh/default.nix
+++ b/hosts/common/configs/user/console/ssh/default.nix
@@ -2,24 +2,7 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { ... }:
 {
-  config,
+  home-manager.users.${user}.programs.ssh.enable = true;
  lib,
  pkgs,
  ...
 }:
 {
  home-manager.users.${user} = {
    programs.ssh = {
      enable = true;
      addKeysToAgent = "yes";
      userKnownHostsFile = lib.strings.concatStringsSep " " [
        ../../../../../installer/secrets/ssh_host_ed25519_key.pub
        ../../../../../eirene/secrets/ssh_host_ed25519_key.pub
        ../../../../../elara/secrets/ssh_host_ed25519_key.pub
      ];
    };
    services.ssh-agent.enable = true;
  };
 }
--- a/hosts/common/configs/user/console/xdg/default.nix
+++ b/hosts/common/configs/user/console/xdg/default.nix
@@ -4,7 +4,7 @@
 }:
 { config, pkgs, ... }:
 {
-  environment.persistence."/persist" = {
+  environment.persistence."/persist/user" = {
    "${home}/Desktop" = { };
    "${home}/Documents" = { };
    "${home}/Downloads" = { };
@@ -18,8 +18,6 @@
  };
  home-manager.users.${user} = {
    imports = [ (import ./options.nix { inherit home; }) ];
    xdg = {
      enable = true;
      mimeApps.enable = true;
--- a/hosts/common/configs/user/console/xdg/options.nix
+++ b/hosts/common/configs/user/console/xdg/options.nix
@@ -1,112 +0,0 @@
 {
  home ? throw "home argument is required",
 }:
 { config, lib, ... }:
 let
  cfg = config.xdg;
 in
 {
  options.xdg =
    with lib;
    with types;
    {
      relativeCacheHome = mkOption {
        type = str;
        readOnly = true;
        default = ".cache";
        description = "Relative path to directory holding application caches.";
      };
      relativeConfigHome = mkOption {
        type = str;
        readOnly = true;
        default = ".config";
        description = "Relative path to directory holding application configurations.";
      };
      relativeDataHome = mkOption {
        type = str;
        readOnly = true;
        default = ".local/share";
        description = "Relative path to directory holding application data.";
      };
      relativeStateHome = mkOption {
        type = str;
        readOnly = true;
        default = ".local/state";
        description = "Relative path to directory holding application states.";
      };
      userDirs = {
        relativeDesktop = mkOption {
          type = str;
          readOnly = true;
          default = "Desktop";
          description = "Relative path to the Desktop directory.";
        };
        relativeDocuments = mkOption {
          type = str;
          readOnly = true;
          default = "Documents";
          description = "Relative path to the Documents directory.";
        };
        relativeDownload = mkOption {
          type = str;
          readOnly = true;
          default = "Downloads";
          description = "Relative path to the Downloads directory.";
        };
        relativeMusic = mkOption {
          type = str;
          readOnly = true;
          default = "Music";
          description = "Relative path to the Music directory.";
        };
        relativePictures = mkOption {
          type = str;
          readOnly = true;
          default = "Pictures";
          description = "Relative path to the Pictures directory.";
        };
        relativeTemplates = mkOption {
          type = str;
          readOnly = true;
          default = "Templates";
          description = "Relative path to the Templates directory.";
        };
        relativeVideos = mkOption {
          type = str;
          readOnly = true;
          default = "Videos";
          description = "Relative path to the Videos directory.";
        };
      };
    };
  config.xdg =
    with lib;
    with cfg;
    {
      cacheHome = mkDefault "${home}/${relativeCacheHome}";
      configHome = mkDefault "${home}/${relativeConfigHome}";
      dataHome = mkDefault "${home}/${relativeDataHome}";
      stateHome = mkDefault "${home}/${relativeStateHome}";
      userDirs = with userDirs; {
        desktop = mkDefault "${home}/${relativeDesktop}";
        documents = mkDefault "${home}/${relativeDocuments}";
        download = mkDefault "${home}/${relativeDownload}";
        music = mkDefault "${home}/${relativeMusic}";
        pictures = mkDefault "${home}/${relativePictures}";
        templates = mkDefault "${home}/${relativeTemplates}";
        videos = mkDefault "${home}/${relativeVideos}";
      };
    };
 }
--- a/hosts/common/configs/user/console/yazi/default.nix
+++ b/hosts/common/configs/user/console/yazi/default.nix
@@ -0,0 +1,208 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 {
  config,
  lib,
  pkgs,
  inputs,
  system,
  ...
 }:
 let
  hmConfig = config.home-manager.users.${user};
  selfPkgs = inputs.self.packages.${system};
 in
 {
  home-manager.users.${user} = {
    programs = {
      yazi = {
        enable = true;
        enableZshIntegration = true;
        settings = {
          mgr = {
            show_hidden = true;
          };
          opener = {
            edit =
              [
                {
                  run = "${hmConfig.programs.neovim.finalPackage}/bin/nvim \"$@\"";
                  desc = "nvim";
                  block = true;
                }
              ]
              ++ lib.lists.optional hmConfig.programs.vscode.enable {
                run = "${hmConfig.programs.vscode.package}/bin/code \"$@\"";
                desc = "code";
                orphan = true;
              };
            open = [
              {
                run = "uwsm app -- xdg-open \"$1\"";
                desc = "Open";
              }
            ];
            reveal = [
              {
                run = "uwsm app -- xdg-open \"$(dirname \"$1\")\"";
                desc = "Reveal";
              }
            ];
            extract = [
              {
                run = "ouch d -y \"$@\"";
                desc = "Extract here with ouch";
              }
            ];
            play = [
              {
                run = "uwsm app -- mpv \"$@\"";
                orphan = true;
              }
            ];
          };
          plugin = {
            prepend_preloaders = [
              {
                mime = "{audio,video,image}/*";
                run = "mediainfo";
              }
              {
                mime = "application/subrip";
                run = "mediainfo";
              }
            ];
            prepend_previewers = [
              {
                mime = "{audio,video,image}/*";
                run = "mediainfo";
              }
              {
                mime = "application/subrip";
                run = "mediainfo";
              }
              {
                mime = "application/*zip";
                run = "ouch";
              }
              {
                mime = "application/x-tar";
                run = "ouch";
              }
              {
                mime = "application/x-bzip2";
                run = "ouch";
              }
              {
                mime = "application/x-7z-compressed";
                run = "ouch";
              }
              {
                mime = "application/x-rar";
                run = "ouch";
              }
              {
                mime = "application/x-xz";
                run = "ouch";
              }
              {
                mime = "application/xz";
                run = "ouch";
              }
            ];
          };
        };
        keymap = {
          mgr.prepend_keymap = [
            {
              on = "<Enter>";
              run = "plugin smart-enter";
              desc = "Enter the child directory, or open the file";
            }
            {
              on = ";";
              run = "plugin custom-shell -- auto --interactive";
              desc = "Run a shell command";
            }
            {
              on = ":";
              run = "plugin custom-shell -- auto --interactive --block";
              desc = "Run a shell command (block until finishes)";
            }
            {
              on = "!";
              run = "shell \"$SHELL\" --block";
              desc = "Open $SHELL here";
            }
            {
              on = "C";
              run = "plugin ouch";
              desc = "Compress";
            }
            {
              on = "M";
              run = "plugin chmod";
              desc = "Chmod on selected files";
            }
            {
              on = "<C-m>";
              run = "plugin mount";
              desc = "Open the mount menu";
            }
          ];
        };
        initLua = ''
          Status:children_add(function(self)
            local h = self._current.hovered
            if not h or not h.link_to then
              return ""
            end
            return " -> " .. tostring(h.link_to)
          end, 3300, Status.LEFT)
          Status:children_add(function()
          	local h = cx.active.current.hovered
          	if not h then
              return ""
          	end
          	return ui.Line {
          		ui.Span(ya.user_name(h.cha.uid) or tostring(h.cha.uid)),
          		":",
          		ui.Span(ya.group_name(h.cha.gid) or tostring(h.cha.gid)),
          		" ",
          	}
          end, 500, Status.RIGHT)
        '';
        plugins = with pkgs.yaziPlugins; {
          inherit
            smart-enter
            chmod
            ouch
            mount
            mediainfo
            ;
          custom-shell = selfPkgs.yazi-plugin-custom-shell;
        };
      };
      zsh = {
        shellAliases.y = "yazi";
        p10k.extraRightPromptElements = [ "yazi" ];
      };
    };
    theme.template.".config/yazi/theme.toml".source = ./theme.toml;
  };
 }
--- a/hosts/common/configs/user/console/yazi/theme.toml
+++ b/hosts/common/configs/user/console/yazi/theme.toml
@@ -0,0 +1,101 @@
 [mgr]
 cwd = { fg = "{{colors.primary.default.hex}}" }
 preview_hovered = { }
 find_keyword = { fg = "{{colors.tertiary.default.hex}}", bold = true, italic = true, underline = true }
 find_position = { fg = "{{colors.tertiary.default.hex}}", bg = "reset", bold = true, italic = true }
 marker_selected = { fg = "{{colors.primary.default.hex}}", bg = "{{colors.primary.default.hex}}" }
 marker_copied   = { fg = "{{colors.secondary.default.hex}}",  bg = "{{colors.secondary.default.hex}}" }
 marker_cut      = { fg = "{{colors.secondary.default.hex}}",    bg = "{{colors.secondary.default.hex}}" }
 marker_marked   = { fg = "{{colors.tertiary.default.hex}}",   bg = "{{colors.tertiary.default.hex}}" }
 count_selected = { fg = "{{colors.on_primary.default.hex}}", bg = "{{colors.primary.default.hex}}" }
 count_copied   = { fg = "{{colors.on_secondary.default.hex}}", bg = "{{colors.secondary.default.hex}}" }
 count_cut      = { fg = "{{colors.on_secondary.default.hex}}", bg = "{{colors.secondary.default.hex}}" }
 border_style  = { fg = "{{colors.outline.default.hex}}" }
 [tabs]
 active   = { fg = "{{colors.on_primary.default.hex}}", bg = "{{colors.primary.default.hex}}", bold = true }
 inactive = { fg = "{{colors.on_surface_variant.default.hex}}", bg = "{{colors.surface_dim.default.hex}}" }
 sep_inner = { open = "", close = "" }
 sep_outer = { open = "", close = "" }
 [mode]
 normal_main = { fg = "{{colors.on_primary.default.hex}}", bg = "{{colors.primary.default.hex}}", bold = true }
 normal_alt  = { fg = "{{colors.on_primary_container.default.hex}}", bg = "{{colors.primary_container.default.hex}}" }
 select_main = { fg = "{{colors.on_secondary.default.hex}}", bg = "{{colors.secondary.default.hex}}", bold = true }
 select_alt  = { fg = "{{colors.on_secondary_container.default.hex}}", bg = "{{colors.secondary_container.default.hex}}" }
 unset_main = { fg = "{{colors.on_tertiary.default.hex}}", bg = "{{colors.tertiary.default.hex}}", bold = true }
 unset_alt  = { fg = "{{colors.on_tertiary_container.default.hex}}", bg = "{{colors.tertiary_container.default.hex}}" }
 [status]
 sep_left  = { open = "", close = "" }
 sep_right = { open = "", close = "" }
 perm_sep   = { fg = "{{colors.scrim.default.hex}}" }
 perm_type  = { fg = "{{colors.primary.default.hex}}" }
 perm_read  = { fg = "{{colors.primary.default.hex}}" }
 perm_write = { fg = "{{colors.secondary.default.hex}}" }
 perm_exec  = { fg = "{{colors.tertiary.default.hex}}" }
 progress_label  = { bold = true }
 progress_normal = { fg = "{{colors.primary.default.hex}}", bg = "{{colors.primary_container.default.hex}}" }
 progress_error  = { fg = "{{colors.error.default.hex}}", bg = "{{colors.error_container.default.hex}}" }
 [which]
 mask            = { bg = "{{colors.surface.default.hex}}" }
 cand            = { fg = "{{colors.primary.default.hex}}" }
 rest            = { fg = "{{colors.primary_container.default.hex}}" }
 desc            = { fg = "{{colors.on_surface.default.hex}}" }
 separator_style = { fg = "{{colors.scrim.default.hex}}" }
 [confirm]
 border     = { fg = "{{colors.primary.default.hex}}" }
 title      = { fg = "{{colors.primary.default.hex}}" }
 [spot]
 border = { fg = "{{colors.primary.default.hex}}" }
 title  = { fg = "{{colors.primary.default.hex}}" }
 tbl_col  = { fg = "{{colors.primary.default.hex}}" }
 tbl_cell = { fg = "{{colors.secondary.default.hex}}", reversed = true }
 [notify]
 title_info  = { fg = "{{colors.info.default.hex}}" }
 title_warn  = { fg = "{{colors.warning.default.hex}}" }
 title_error = { fg = "{{colors.error.default.hex}}" }
 [pick]
 border   = { fg = "{{colors.primary.default.hex}}" }
 active   = { fg = "{{colors.secondary.default.hex}}", bold = true }
 [input]
 border   = { fg = "{{colors.primary.default.hex}}" }
 [cmp]
 border   = { fg = "{{colors.primary.default.hex}}" }
 [tasks]
 border  = { fg = "{{colors.primary.default.hex}}" }
 hovered = { fg = "{{colors.secondary.default.hex}}", bold = true }
 [help]
 on      = { fg = "{{colors.primary.default.hex}}" }
 run     = { fg = "{{colors.secondary.default.hex}}" }
 footer  = { fg = "{{colors.surface.default.hex}}", bg = "{{colors.on_surface.default.hex}}" }
 [icon]
 prepend_dirs  = [
  { name = ".cache", text = "" },
  { name = ".local", text = "󱋣" },
 	{ name = "Games", text = "󰊖" },
 	{ name = "git", text = "" },
 	{ name = "Templates", text = "" },
 	{ name = "VMs", text = "" },
 ]
--- a/hosts/common/configs/user/console/zoxide/default.nix
+++ b/hosts/common/configs/user/console/zoxide/default.nix
@@ -0,0 +1,13 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { ... }:
 {
  environment.persistence."/persist/state"."${home}/.local/share/zoxide" = { };
  home-manager.users.${user}.programs.zoxide = {
    enable = true;
    enableZshIntegration = true;
  };
 }
--- a/hosts/common/configs/user/console/zsh/default.nix
+++ b/hosts/common/configs/user/console/zsh/default.nix
@@ -5,15 +5,13 @@
 { config, pkgs, ... }:
 {
  environment = {
-    persistence."/persist"."${home}/.local/share/zsh" = { };
+    persistence."/persist/state"."${home}/.local/share/zsh" = { };
    # If we set this under home-manager.users.${user}.home.sessionVariables,
    # it runs too late in the init process and zsh fails.
    sessionVariables.ZDOTDIR = "$HOME/.config/zsh";
  };
  home-manager.users.${user} = {
    imports = [ ./options.nix ];
    programs.zsh = {
      enable = true;
      dotDir = ".config/zsh";
@@ -33,7 +31,7 @@
          file = "share/zsh-powerlevel10k/powerlevel10k.zsh-theme";
        }
      ];
-      initExtra = ''
+      initContent = ''
        source ${./.p10k.zsh}
      '';
    };
--- a/hosts/common/configs/user/console/zsh/options.nix
+++ b/hosts/common/configs/user/console/zsh/options.nix
@@ -18,7 +18,7 @@ in
    with lib;
    with cfg;
    {
-      initExtra = ''
+      initContent = ''
        export P10K_EXTRA_RIGHT_PROMPT_ELEMENTS=(${strings.concatStringsSep " " p10k.extraRightPromptElements})
      '';
    };
--- a/hosts/common/configs/user/default.nix
+++ b/hosts/common/configs/user/default.nix
@@ -0,0 +1,16 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { ... }:
 {
  imports = [ ./options.nix ];
  home-manager.users.${user}.imports = [
    ./console/zsh/options.nix
    ./gui/clipbook/options.nix
    ./gui/hyprland/options.nix
    (import ./gui/theme/options.nix { inherit user home; })
    ./gui/vscode/options.nix
  ];
 }
--- a/hosts/common/configs/user/gui/astal/config/app.ts
+++ b/hosts/common/configs/user/gui/astal/config/app.ts
@@ -1,10 +1,12 @@
-import { App } from "astal/gtk3"
+import { App } from "astal/gtk3";
-import Bar from "./widget/Bar"
+import { monitorFile } from "astal/file";
-import { monitorFile } from "astal/file"
+import { exec } from "astal/process";
-import { exec } from "astal/process"
+import GLib from "gi://GLib";
-import GLib from "gi://GLib"
+import Left from "./widget/Left";
 import Center from "./widget/Center";
 import Right from "./widget/Right";
-const HOME = GLib.getenv("HOME")
+const HOME = GLib.getenv("HOME");
 const css = `${HOME}/.config/astal/theme.css`;
 const scss = `${HOME}/.config/astal/theme.sass`;
@@ -18,6 +20,10 @@ exec(`sassc ${scss} ${css}`);
 App.start({
  css,
  main() {
-    App.get_monitors().map(Bar)
+    App.get_monitors().map((monitor) => {
      Left(monitor);
      Center(monitor);
      Right(monitor);
    });
  },
-})
+});
--- a/hosts/common/configs/user/gui/astal/config/env.d.ts
+++ b/hosts/common/configs/user/gui/astal/config/env.d.ts
@@ -1,26 +1,26 @@
-export const SRC: string
+export const SRC: string;
 declare module "inline:*" {
-  const content: string
+  const content: string;
-  export default content
+  export default content;
 }
 declare module "*.scss" {
-  const content: string
+  const content: string;
-  export default content
+  export default content;
 }
 declare module "*.sass" {
-  const content: string
+  const content: string;
-  export default content
+  export default content;
 }
 declare module "*.blp" {
-  const content: string
+  const content: string;
-  export default content
+  export default content;
 }
 declare module "*.css" {
-  const content: string
+  const content: string;
-  export default content
+  export default content;
 }
--- a/hosts/common/configs/user/gui/astal/config/lib.ts
+++ b/hosts/common/configs/user/gui/astal/config/lib.ts
@@ -1,3 +1,16 @@
 import { Gdk } from "astal/gtk3";
 import Hyprland from "gi://AstalHyprland";
 export const range = (length: number, start = 1) => {
  return Array.from({ length }, (n, i) => i + start);
 };
 export const getHyprlandMonitor = (gdkmonitor: Gdk.Monitor) => {
  const hyprland = Hyprland.get_default();
  const display = Gdk.Display.get_default()!;
  const screen = display.get_default_screen();
  for (let i = 0; i < display.get_n_monitors(); ++i) {
    if (gdkmonitor === display.get_monitor(i))
      return hyprland.get_monitor_by_name(screen.get_monitor_plug_name(i)!);
  }
 };
--- a/hosts/common/configs/user/gui/astal/config/tsconfig.json
+++ b/hosts/common/configs/user/gui/astal/config/tsconfig.json
@@ -7,6 +7,6 @@
    "module": "ES2022",
    "moduleResolution": "Bundler",
    "jsx": "react-jsx",
-    "jsxImportSource": "astal/gtk3",
+    "jsxImportSource": "astal/gtk3"
  }
 }
--- a/hosts/common/configs/user/gui/astal/config/widget/Bar.tsx
+++ b/hosts/common/configs/user/gui/astal/config/widget/Bar.tsx
@@ -1,29 +0,0 @@
 import { App, Astal, Gtk, Gdk } from 'astal/gtk3'
 import Launcher from './components/Launcher';
 import Workspace from './components/Workspaces';
 import Date from './components/Date';
 import Systray from './components/Tray';
 const anchor = Astal.WindowAnchor.TOP
  | Astal.WindowAnchor.LEFT
  | Astal.WindowAnchor.RIGHT;
 export default (monitor: Gdk.Monitor) => <window
  className='bar'
  gdkmonitor={monitor}
  exclusivity={Astal.Exclusivity.EXCLUSIVE}
  anchor={anchor}
  application={App}>
  <centerbox className='widgets'>
    <box hexpand halign={Gtk.Align.START}>
      <Launcher />
      <Workspace />
    </box>
    <box hexpand halign={Gtk.Align.CENTER}>
      <Date />
    </box>
    <box hexpand halign={Gtk.Align.END}>
      <Systray />
    </box>
  </centerbox>
 </window>
--- a/Show More
+++ b/Show More
		`@@ -1,2 +0,0 @@`
			`*/wallpapers/.jpg filter=lfs diff=lfs merge=lfs -text`
			`*/wallpapers/.png filter=lfs diff=lfs merge=lfs -text`
`@@ -1,2 +1,2 @@`
	`*/secrets/ssh_host_ed25519_key`	`**/secrets/ssh_host_ed25519_key`
	`/secrets/.decrypted~`	`*/secrets/.decrypted~`