started overhaul

2025-02-10 22:16:14 +01:00 · 2025-02-10 22:16:14 +01:00 · d6bdbe514d
commit d6bdbe514d
parent d1fec56ebf
14 changed files with 649 additions and 23 deletions
--- a/overhaul/machines/common/configuration.nix
+++ b/overhaul/machines/common/configuration.nix
@ -0,0 +1,86 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../../pkgs/zsh.nix
+  ];
+
+  services.tailscale.enable = true;
+
+  services.mullvad-vpn.enable = true;
+  services.mullvad-vpn.package = pkgs.mullvad-vpn;
+  networking.nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    domains = [ "~." ];
+    fallbackDns = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+  };
+
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age = {
+      sshKeyPaths = [ "/home/horseman/.ssh/id_ed25519" ];
+      keyFile = "/home/horseman/.config/sops/age/keys.txt";
+      generateKey = false;
+    };
+    secrets = {
+      "syncthing/user".owner = "horseman";
+      "syncthing/password".owner = "horseman";
+    };
+    templates = {
+      "syncuser".content = ''${config.sops.placeholder."syncthing/user"}''; 
+      "syncpassword".content = ''${config.sops.placeholder."syncthing/password"}'';       
+    };
+  };
+
+  services.syncthing = {
+    enable = true;
+    user = "horseman";
+    dataDir = "/home/horseman";
+    configDir = "/home/horseman/.config/syncthing";
+    overrideDevices = true;
+    overrideFolders = true;
+    settings = {
+      options = {
+        urAccepted = -1;
+      };
+      gui = {
+        user = config.sops.templates."syncuser".content;
+        password = config.sops.templates."syncpassword".content;
+      };
+      devices = {
+        "luna" = {
+          id = "MW4ZTAX-D7KDLRL-YHNGNCF-V6FW5L4-SCKQKES-BO7KV43-L5667GL-JHIYEAA";
+          autoAcceptFolders = true;
+          name = "luna";
+        };
+        "terra" = {
+          id = "2QWRFLY-ZUY5C6C-X36R5CY-PJSGLYY-5HWIWJN-2YYWRPU-T66GJMU-GXTQ6QK";
+          autoAcceptFolders = true;
+          name = "terra";
+        };
+        "solis" = {
+          id = "YOSYADZ-3OZ3XBH-7XEIK2W-DHAEIFD-5P5ZIHB-PAP74DH-T7GHLKT-O32YEA4";
+          autoAcceptFolders = true;
+          name = "solis";
+        };
+      };
+      folders = {
+        "Documents" = {
+          id = "documentFolder";
+          path = "/home/horseman/Documents";
+          devices = [ "luna" "terra" "solis" ];
+        };
+      };
+    };
+  };
+  networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+  networking.firewall.allowedTCPPorts = [ 8384 22000 ];
+}
--- a/overhaul/machines/luna/configuration.nix
+++ b/overhaul/machines/luna/configuration.nix
@ -0,0 +1,74 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    ./hardware-configuration.nix
+    ../../pkgs/firefox.nix
+    ../common/configuration.nix
+  ];
+
+  home-manager = {
+    extraSpecialArgs = { inherit inputs outputs; };
+    users = {
+      horseman = import ../../home-manager/apps.nix;
+    };
+  };
+
+  networking.hostName = "luna";
+  networking.networkmanager.enable = true;
+  networking.extraHosts = ''
+    127.0.0.1 koala.rails.local members.rails.local leden.rails.local intro.rails.local
+  '';
+
+  services.xserver.enable = true;
+  services.desktopManager.plasma6.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.displayManager.sddm.autoNumlock = true;
+  services.displayManager.defaultSession = "plasma";
+  boot.loader.systemd-boot.enable = true;  
+  boot.kernelModules = [ "snd-seq" "snd-rawmidi" ];
+
+  hardware.bluetooth.enable = true;
+  hardware.pulseaudio.enable = false;
+  services.jack = {
+    jackd.enable = false;
+    alsa.enable = true;
+    loopback.enable = false;
+  };
+
+  environment.plasma6.excludePackages = with pkgs.kdePackages; [
+    kate
+    konsole
+  ];
+  environment.gnome.excludePackages = with pkgs; [
+    gnome-calendar
+    gnome-characters
+    nautilus
+    gnome-clocks
+    gnome-contacts
+    evince
+    file-roller
+    geary
+    gnome-system-monitor
+    eog
+    gnome-logs
+    gnome-maps
+    gnome-music
+    seahorse
+    gnome-text-editor
+  ];
+
+
+  virtualisation.docker.enable = true;
+
+  virtualisation.virtualbox.host.enable = true;
+  users.extraGroups.vboxusers.members = [ "horseman" ];
+
+  users.extraUsers.horseman.extraGroups = [ "jackaudio" ];
+}
--- a/overhaul/machines/luna/hardware-configuration.nix
+++ b/overhaul/machines/luna/hardware-configuration.nix
@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/c1447573-eee5-48ea-9937-84330065628b";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B516-99F1";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/overhaul/machines/solis/configuration.nix
+++ b/overhaul/machines/solis/configuration.nix
@ -0,0 +1,62 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    ./hardware-configuration.nix
+    ../common/configuration.nix
+    ../../modules/sleep-at-night.nix
+  ];
+
+  home-manager = {
+    extraSpecialArgs = { inherit inputs outputs; };
+    users = {
+      horseman = import ../../home-manager/server-apps.nix;
+    };
+  };
+
+  networking.hostName = "solis";
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  virtualisation.docker.enable = true;
+
+  services.resolved.enable = true;
+  services.resolved.extraConfig = "DNSStubListener=no\n";
+
+  systemd.timers."backupSyncthing" = {
+    wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "weekly";
+        Persistent = true;
+      };
+  };
+
+  systemd.services."backupSyncthing" = {
+    script = ''
+      /home/horseman/nix-config/misc/backup.sh
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "horseman";
+    };
+  };
+
+  # services.sleep-at-night = {
+  #   enable = true;
+  #   shutdown = {
+  #     hour = 00;
+  #     minute = 30;
+  #   };
+  #   wakeup = "08:00:00";
+  # };
+
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+}
--- a/overhaul/machines/solis/hardware-configuration.nix
+++ b/overhaul/machines/solis/hardware-configuration.nix
@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "pata_atiixp" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/74211087-d087-49d5-bc58-eb49748a51f0";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/bfe8c490-e8d7-438e-b95b-5bc5743bb23b"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/overhaul/machines/terra/configuration.nix
+++ b/overhaul/machines/terra/configuration.nix
@ -0,0 +1,109 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    ./hardware-configuration.nix
+    ./refind.nix
+    ../../pkgs/firefox.nix
+    ../common/configuration.nix
+  ];
+
+  # NVIDIA Drivers
+  hardware.graphics.enable32Bit = true;
+  hardware.graphics.enable = true;
+  services.xserver.videoDrivers = ["nvidia"];
+  hardware.nvidia = {
+    modesetting.enable = true;
+    powerManagement.enable = false;
+    powerManagement.finegrained = false;
+    open = true;
+    nvidiaSettings = true;
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+  # End NVIDIA
+
+
+  home-manager = {
+    extraSpecialArgs = { inherit inputs outputs; };
+    users = {
+      horseman = import ../../home-manager/apps.nix;
+    };
+  };
+
+  networking.hostName = "terra";
+
+  systemd.timers."enable-wol" = {
+    wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "5m";
+        OnUnitActiveSec = "1m";
+        Unit = "enable-wol.service";
+      };
+  };
+
+  systemd.services."enable-wol" = {
+    script = ''
+      /home/horseman/nix-config/misc/startup.sh
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    ethtool
+  ];
+
+  environment.plasma6.excludePackages = with pkgs.kdePackages; [
+    kate
+    konsole
+  ];
+  environment.gnome.excludePackages = with pkgs; [
+    gnome-calendar
+    gnome-characters
+    nautilus
+    gnome-clocks
+    gnome-contacts
+    evince
+    file-roller
+    geary
+    gnome-system-monitor
+    eog
+    gnome-logs
+    gnome-maps
+    gnome-music
+    seahorse
+    gnome-text-editor
+  ];
+
+  services.xserver.enable = true;
+  services.desktopManager.plasma6.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.displayManager.sddm.autoNumlock = true;
+  services.displayManager.sddm.wayland.enable = false;
+  services.displayManager.defaultSession = "plasma";
+  boot.loader.systemd-boot.enable = true;
+
+  programs.ssh.askPassword = lib.mkForce "/nix/store/qrzq7dqp8dkffb5dvi42q647dhm87ady-ksshaskpass-6.0.3/bin/ksshaskpass";
+
+  networking.networkmanager.enable = true;
+
+  virtualisation.docker.enable = true;
+
+  hardware.pulseaudio.enable = false;
+  services.jack = {
+    jackd.enable = true;
+    alsa.enable = false;
+    loopback.enable = true;
+  };
+
+  users.extraUsers.horseman.extraGroups = [ "jackaudio" ];
+}
--- a/overhaul/machines/terra/hardware-configuration.nix
+++ b/overhaul/machines/terra/hardware-configuration.nix
@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4d963cda-4ec7-4cee-8e82-35402d385f54";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/6AB6-63FD";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/53db744d-a858-49b0-a3a1-c7c576aba0c9"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/overhaul/machines/terra/refind.nix
+++ b/overhaul/machines/terra/refind.nix
@ -0,0 +1,13 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = [
+    pkgs.refind
+    pkgs.efibootmgr
+  ];
+}
--- a/overhaul/modules/common/locale.nix
+++ b/overhaul/modules/common/locale.nix
@ -0,0 +1,21 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf mkOption types;
+  cfg = config.horseman.common.locale;
+in {
+  options = {
+    horseman.common.locale = {
+      enable = mkEnableOption "Dutch locale settings";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    time.timeZone = "Europe/Amsterdam";
+  };
+}
--- a/overhaul/modules/common/nix.nix
+++ b/overhaul/modules/common/nix.nix
@ -0,0 +1,45 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf mkOption types;
+  cfg = config.horseman.common.nix;
+in {
+  options = {
+    horseman.common.nix = {
+      enable = mkEnableOption "Nix settings";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    nixpkgs = {
+      config = {
+        allowUnfree = true;
+      };
+    };
+
+    nix.registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
+
+    programs.nix-ld.enable = true;
+    programs.nix-ld.libraries = with pkgs; [];
+
+    nix.nixPath = ["/etc/nix/path"];
+    environment.etc =
+      lib.mapAttrs'
+      (name: value: {
+        name = "nix/path/${name}";
+        value.source = value.flake;
+      })
+      config.nix.registry;
+
+    nix.settings.trusted-users = [ "root" "horseman" ];
+    nix.settings = {
+      experimental-features = "nix-command flakes";
+      auto-optimise-store = true;
+    };
+  };
+}
--- a/overhaul/modules/terminal/zsh.nix
+++ b/overhaul/modules/terminal/zsh.nix
@ -0,0 +1,56 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf mkOption types;
+  cfg = config.horseman.base.locale;
+in {
+  options = {
+    horseman.terminal.zsh = {
+      enable = mkEnableOption "Enable ZSH and all associated plugins";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.lorri.enable = true;
+
+    users.defaultUserShell = pkgs.zsh;
+    environment.shells = with pkgs; [ zsh ];
+
+    programs.zsh = {
+      enable = true;
+      enableCompletion = true;
+
+      histSize = 10000;
+
+      shellAliases = {
+        clone-dotfiles = "cp /home/horseman/nix-config/config/dotfiles/.\* /home/horseman/";
+        rebuild = "nix fmt && clone-dotfiles && sudo nixos-rebuild switch --flake";
+        update = "sudo nix flake update && rebuild";
+        compose = "sudo docker compose";
+        wolpc = "wakeonlan D8:5E:D3:A8:B1:0A";
+        capture-config = "nix run github:pjones/plasma-manager > ~/nix-config/home-manager/plasma.nix";
+        reboot-to-windows = "sudo efibootmgr -n 0000";
+        mkdir = "mkdir -p";
+      };
+
+      ohMyZsh = {
+        enable = true;
+        plugins = [
+          "git"
+          "zsh-interactive-cd"
+          "python"
+          "git-auto-fetch"
+          "wd"
+        ];
+        theme = "jonathan";
+      };
+
+      shellInit = "eval \"$(direnv hook zsh)\"";
+    };
+  };
+}
--- a/overhaul/modules/users/horseman.nix
+++ b/overhaul/modules/users/horseman.nix
@ -0,0 +1,49 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf mkOption types;
+  cfg = config.horseman.users.horseman;
+in
+{
+  options = {
+    horseman.users.horseman = {
+      enable = mkEnableOption "User 'horseman'";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users = {
+      horseman = {
+        initialPassword = "correct horse battery staple";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtbmZFvOsukUtqKnRkzLqphpgA0HF/mCcH/6BtPah6G4v6gqu8za58w8/0//aGkurG3sfQ5YhphFMJYm26/QdCUvVYeC92LWC5mjWB/md+BOWCoZYoEL0NHuu5f+7EQcmxLYuIv7mzHB1T+fwgOyuoW6IKLLQcmokx4uyg8apUs0yaRr9rCmoxeYOlZlsE6pKS2E8YUEkCRUZ1PZW6ILHXOOaz3KQ7s429MPvKv+061SlyEZuyinzsS1+4e/j5fCddq9Ac2ar1TiIkFhmtpJfJ2iWzVAvpZ08KV4nHgews07jjuj0/dZufSXbWJI6fQCMRvETeQsDU0RB6AxO//6plSo6svsGa/XhZx55AZAotflc2EzIi5QPWa078xu8IR23/flj52gqCj3O7RxhZib+L4cCdAS8nSZkLw9VV2kROqf4JcRYsinfKetBBPJU3RYKDVq8uF23eliNw+5lYKJu5FzPVFmS/J+vAme/vHkHLNKz5CnZoABjeue4PEnpSyFCJhf4w94lbB9JBaxKuZoXvaPE7bKDTHWbVC9DKWrL+QqNP5tsiV3/jI9gx4ty9OihMv5p46ennD17AbMM6xi/yPjvX6jbDIo+jMswW1ndhH2Ka6PTRpx8G+BWgoEVjCoP/DptloE6B5EfZous8Yd+RBuRiqNk4WUB+6PWVO7ELfQ horseman" # luna
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmYI+jn1B69r4GUEeVE1/q+HSNcLzT+qG0nEpIjyO3VCsocLIJqT6cJtPKTh/j9RPySvz1lo2ZFemCeKBfsdHy95JoYqbAcoJ9jacH3X8LixIiGin6ew/h6QJONU1UAuxcEDoEyeHfmNBRdgaahNTWtgvFd1YhB4WQwN9THZ/axGdnWLi/y0y98aqERw98fGOhAzxqZyeGkWK5ByRiiGmfrmU7IsX916z5s9OPFYeIGvI3UPKL5awpQMrD/+VhtQjAy8guWbBKbN+7cVU/JQjhaPAeVC18iON++Ux6pGq1/yA+IFDb/fFofXD70vRYemg7zSVbf2ceBg8iSR2OdcZVPfhIKq7mx62TcYVY7aDlz7fFedl7tVhxRd5Ze7T/kbRQtbqL++3UQaZwnx6HoXGMvdIbKV/KHcmqjQQClzWZyk8oI+VbkF/nfTgShW/X0UQYzBSdsCb4XywzfnLRH4Ops/v7ZOc2zBApl7j1Oj+nW7dJ5/P6FgMw553tNXnEVXqGvdvalmDl/hjR3UVedm18ZKwu+6+1mcHsDGKCi5C79zVksr9IbFNICosA23xfrnKQYmncBzobbY4N39SToI9ulcukOJj26ooAG3RhHqSyOkcM3nTUbHwKb/19J+NAm2iT9ipNGurwwPO4VcJY36237es7MEkmQHfD1ZOo6biafw horseman" # terra
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrgH3kBWwxoFms9ggilPmiKX9X0/AlWjGN7a+k3ddwfK0LvH9T8ueil1Zjw16P0XNMmy076bUBJJ89aVILXgYx+ngKmnIg32lqo5bafEpub1c3wtjGcwXtJnUXMwcqdIjkR2sfzuQPLXlob/Q+GsShm4TBEtzVTdpbCj768LyTtFx4vHZByyGtam0Ibb/6GVE1V2IcA/R+iQlCAqSjFxvSq1ll+wxsEUaT7b0ru1WhUXz0ITWoRkA8p0UjTl/uoXYcsPsqGR7dXgW7hNF087TOf+FsmiL+I6pbbB8+at5yq8I6l1lCwfLaMz2M5lHkn5jZiBuUDOXWpbbk1214iWrymAbpbVmNU68QVEcQkJTnfbRQ/56Nvq80emFgke6p4vcVnR9iVbaZDnOkMVH6HEs0Qc/rC38p9aISAdJvI49GWaz8fs1OgVi7mj9xA0QREc6/oalJ1F3BehPUk8v4uqww3u+I2AdWPp/6HO9zVU2mTrO30a8IbjOqFqMqdV+nYFxNbHIIIZ9acv95FGqIBCG0U9d8XVVFQ+kVWxkXxPk0uynzAsrXyiH3gzxHwy7stCxybZkTpQPjf+vSt4Tz3PRxnyq1OWTUzWmBVe0MCdZX5h/oQp6kI1Ys/t+UrP1G9NEIwGg+/zlpmGiV8Pm10b6gEXgv09BQPFGPsBbl4NRpQQ horseman" # solis
+        ];
+        extraGroups = [
+          "wheel"
+          "networkmanager"
+          "docker"
+        ];
+      };
+    };
+
+    services.openssh = {
+      enable = true;
+      settings = {
+        PermitRootLogin = "no";
+        PasswordAuthentication = false;
+      };
+    };
+
+    # lmao idk if I should remove this but it's funny so imma keep it
+    system.stateVersion = "23.11";
+  };
+}
--- a/overhaul/secrets/secrets.yaml
+++ b/overhaul/secrets/secrets.yaml
@ -0,0 +1,23 @@
+syncthing:
+    user: ENC[AES256_GCM,data:DfJyEnHAC74qvy8=,iv:q5A1to6eoBkXF6uRo+OWhVoP5WnkBnEVVd66tWAI7Sc=,tag:hK3OtNXX66BT8hpxtY1a0w==,type:str]
+    password: ENC[AES256_GCM,data:5So/Ay3zszQl58d1ub9PmTPs0wwERa28X0Osh0qSwjaHqOewxQ==,iv:zcRrxgcO+vGnVzuXMY8BXYrc+xFHh3/RZXvC7FBKLcY=,tag:GbPqK447lfS4ME3FXTVZaA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age167thunwadsswd0u37tajk85wy4x7sgw6sg3j2aspcax7essmge6qwen0uz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2S3hLRWQrSHBQdjNhbDV2
+            VmwrbUVsc0IwaDZKUndOTEMxN0kwWUtaYzJrCjJtNUdBMkhDVDB0akg2TTlqS1lF
+            NWJESlorR28rUGZHeEh6dFJYcEFsQnMKLS0tIFY3b0ZDSzM3SGVCZW9xcnJLc296
+            ckJwQ3EzU2JzdGhnWkNnRExRNlprM28KUHkZe8FvLOAt+UVqvgOxBQdApbEXQ44v
+            vXW8UtZuq7GjsP5qD2MK6oKs/ZDfe+PhqiWl4ONNHvpn8rmfbQDcRw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-08T16:55:41Z"
+    mac: ENC[AES256_GCM,data:VSOGYnpkU9gD/7JaCdIC84XHI5rHc4PhqSB64YvPehTrA4rgRGynMxSfvb+zRt+rIO8Qyhnt+i9zjsOLa9Z1F8xOx6f23oLRtguvYBNWJIhYaUvmS7lqPryvJGv3aoVvWkRAoSHyizIqXfmHvn0z/QfEst9PS72I4xf1pQu3trs=,iv:GJzYvWn1EOJ++QYW9jYrUfLAwTceAKFD078JWukMhH0=,tag:q62MpyvDneSYXSzu8S3qUQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,23 +0,0 @@
-# This file defines overlays
-{inputs, ...}: {
-  # This one brings our custom packages from the 'pkgs' directory
-  additions = final: _prev: import ../pkgs {pkgs = final;};
-
-  # This one contains whatever you want to overlay
-  # You can change versions, add patches, set compilation flags, anything really.
-  # https://nixos.wiki/wiki/Overlays
-  modifications = final: prev: {
-    # example = prev.example.overrideAttrs (oldAttrs: rec {
-    # ...
-    # });
-  };
-
-  # When applied, the unstable nixpkgs set (declared in the flake inputs) will
-  # be accessible through 'pkgs.unstable'
-  unstable-packages = final: _prev: {
-    unstable = import inputs.nixpkgs-unstable {
-      system = final.system;
-      config.allowUnfree = true;
-    };
-  };
-}