modify nixos update script to add remote build

Flake lock file updates:

• Updated input 'nix-bitcoin':
    'github:fort-nix/nix-bitcoin/33dbb41d581b86decf421cb3835c426d557e0e9c?narHash=sha256-JN/PFBOVqWKc76zSdOunYoG5Q0m8W4zfrEh3V4EOIuk%3D' (2024-12-18)
  → 'github:fort-nix/nix-bitcoin/dc4d14e07324e43b8773e3eb5eb2a10c6b469287?narHash=sha256-FJ0ATgYWavH3ZeA0ofTEMS%2B22HqYN2Lqu3G6IsqbKIg%3D' (2025-01-21)
• Updated input 'nix-bitcoin/nixpkgs-unstable':
    'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2?narHash=sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU%3D' (2024-12-13)
  → 'github:NixOS/nixpkgs/300081d0cc72df578b02d914df941b8ec62240e6?narHash=sha256-hFA6SmioeqvGW/XvZa9bxniAeulksCOcj3kokdNT/YE%3D' (2025-01-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/0d6514cc638f30997676f5be71317c7dc917ef0f?narHash=sha256-w5xL1oUVRZRC6mZ9CcuhfLn3b1vB5SXEMyzBQH8btvc%3D' (2025-01-22)
  → 'github:nixos/nixpkgs/f7b572b004be8e60c6727b3856a13efe17323212?narHash=sha256-xP8UQqo3XSXy92tQ%2BwFvps46rVHnIc8W7ShQ5CUQALo%3D' (2025-01-22)
• Updated input 'nur':
    'github:nix-community/NUR/71551eca173cc56fbf4b3d781ac5d152635e05d9?narHash=sha256-%2BU9pqH8KBC0QrwkqtA8RzmKXyxLTzmUBElR0JBRS11c%3D' (2025-01-22)
  → 'github:nix-community/NUR/80b6ff6a51dbebbe0bcc71858ae9a299e1207704?narHash=sha256-Jr7tmhsZVAebD/TCpijDqcxr4w15wnPCOrlk%2Bt4lrJA%3D' (2025-01-23)

bin/auto-update-nixos

@@ -8,6 +8,7 @@ flakeDir="${FLAKE_DIR}"                         # Path to the flake file (and op
 update=false                                    # Whether to update flake.lock (false by default)
 user=$(/run/current-system/sw/bin/whoami)       # Which user account to use for git commands (defaults to whoever called the script)
 reboot=false
+remote=false
 remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
 
 function usage() {
@@ -25,39 +26,46 @@ function usage() {
   echo " -o, --operation                The nixos-rebuild operation to perform."
   echo " -f, --flake <path>             The path to your flake.nix file (and optionally, the hostname to build)."
   echo " -U, --update                   Update and commit flake.lock."
+  echo " -R, --build-host <user@host>   Attempt build on remote host."
+  echo " -r, --reboot                   Reboots system is there is a kernel or init update"
   echo " -u, --user                     Which user account to run git commands under."
   echo ""
   exit 2
 }
 
-# Argument processing logic shamelessly stolen from https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
   case "$1" in
-	--flake|-f)
+  --flake | -f)
     flakeDir="$2"
     shift
     shift
     ;;
-	--update|--upgrade|-U)
+  --operation | -o)
-		update=true
-		shift
-		;;
-	--reboot|-r)
-		reboot=true
-		shift
-		;;
-	--operation|-o)
     operation="$2"
     shift
     shift
     ;;
-	--user|-u)
+  --user | -u)
     user="$2"
     shift
     shift
     ;;
-	--help|-h)
+  --build-host | -R)
+    remote=true
+    host="$2"
+    shift
+    shift
+    ;;
+  --update | --upgrade | -U)
+    update=true
+    shift
+    ;;
+  --reboot | -r)
+    reboot=true
+    shift
+    ;;
+  --help | -h)
     usage
     exit 0
     ;;
@@ -67,6 +75,7 @@ while [[ $# -gt 0 ]]; do
     ;;
   esac
 done
+
 remainingArgs=${POSITIONAL_ARGS[@]}
 set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
 
@@ -94,7 +103,13 @@ fi
 options="--flake $flakeDir $remainingArgs --use-remote-sudo"
 
 echo "Running this operation: nixos-rebuild $operation $options"
-/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
+
+if [ $remote = true ]; then
+  echo "Attempting remote build..."
+  /run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options --build-host "$host"
+else
+  /run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
+fi
 
 echo "Checking if reboot is necessary"
 reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules}))

flake.lock

@@ -271,11 +271,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1735882644,
+        "lastModified": 1737043064,
-        "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
+        "narHash": "sha256-I/OuxGwXwRi5gnFPsyCvVR+IfFstA+QXEpHu1hvsgD8=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
+        "rev": "94ee657f6032d913fe0ef49adaa743804635b0bb",
         "type": "github"
       },
       "original": {
@@ -460,11 +460,11 @@
         "nixpkgs-unstable": "nixpkgs-unstable"
       },
       "locked": {
-        "lastModified": 1734508046,
+        "lastModified": 1737481937,
-        "narHash": "sha256-JN/PFBOVqWKc76zSdOunYoG5Q0m8W4zfrEh3V4EOIuk=",
+        "narHash": "sha256-FJ0ATgYWavH3ZeA0ofTEMS+22HqYN2Lqu3G6IsqbKIg=",
         "owner": "fort-nix",
         "repo": "nix-bitcoin",
-        "rev": "33dbb41d581b86decf421cb3835c426d557e0e9c",
+        "rev": "dc4d14e07324e43b8773e3eb5eb2a10c6b469287",
         "type": "github"
       },
       "original": {
@@ -501,15 +501,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1736370755,
+        "lastModified": 1736820923,
-        "narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=",
+        "narHash": "sha256-SDuKLOWAh8VJRXlNWQn9QE99bjeEUAAbYXqrKGbsiyk=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "57733bd1dc81900e13438e5b4439239f1b29db0e",
+        "rev": "944c2b181792ae7ae6b20c0df3f44879c11706c9",
         "type": "github"
       },
       "original": {
         "owner": "lnl7",
+        "ref": "nix-darwin-24.11",
         "repo": "nix-darwin",
         "type": "github"
       }
@@ -538,11 +539,11 @@
     },
     "nix-secrets": {
       "locked": {
-        "lastModified": 1737144574,
+        "lastModified": 1737643624,
-        "narHash": "sha256-g0B0+UkiRusGm5QkGC6uHa7Ybq6J7RgeF4aa/nrCeLg=",
+        "narHash": "sha256-RAnbZSi2yagPCpNcm3U3wA6FAzbhGUi9ifvnu6Du3Rs=",
         "ref": "refs/heads/master",
-        "rev": "471fa5ee6f6d12f02c0e06a6fd595b7646139da4",
+        "rev": "5260822187ce58af680e5aceba8fb01f10415def",
-        "revCount": 211,
+        "revCount": 248,
         "type": "git",
         "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
       },
@@ -584,11 +585,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1734126203,
+        "lastModified": 1737370608,
-        "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
+        "narHash": "sha256-hFA6SmioeqvGW/XvZa9bxniAeulksCOcj3kokdNT/YE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
+        "rev": "300081d0cc72df578b02d914df941b8ec62240e6",
         "type": "github"
       },
       "original": {
@@ -600,11 +601,11 @@
     },
     "nixpkgs-unstable_2": {
       "locked": {
-        "lastModified": 1736883708,
+        "lastModified": 1737469691,
-        "narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=",
+        "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8",
+        "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
         "type": "github"
       },
       "original": {
@@ -632,11 +633,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1737097711,
+        "lastModified": 1737584761,
-        "narHash": "sha256-Zql7TDxEMAOASLSu0wBlfM5SIY+4Pz2R/k17O/asCYc=",
+        "narHash": "sha256-xP8UQqo3XSXy92tQ+wFvps46rVHnIc8W7ShQ5CUQALo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3cbc78cfa611511c04f47c4932509f9dbdf4381a",
+        "rev": "f7b572b004be8e60c6727b3856a13efe17323212",
         "type": "github"
       },
       "original": {
@@ -648,11 +649,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1736883708,
+        "lastModified": 1737469691,
-        "narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=",
+        "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8",
+        "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
         "type": "github"
       },
       "original": {
@@ -677,11 +678,11 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1736598792,
+        "lastModified": 1737283156,
-        "narHash": "sha256-G6/9vT12RAxkNWQPEX9p8tTx/i8jJcmISpbVDGbEPGc=",
+        "narHash": "sha256-FyHmM6vvz+UxCrPZo/poIaZBZejLHVKkAH4cjtUxZDA=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "2004ff4547f11d25da78f393fe797dde2b831ce7",
+        "rev": "abcbd250b8a2c7aab1f4b2b9e01598ee24b42337",
         "type": "github"
       },
       "original": {
@@ -698,11 +699,11 @@
         "treefmt-nix": "treefmt-nix_3"
       },
       "locked": {
-        "lastModified": 1737107600,
+        "lastModified": 1737602136,
-        "narHash": "sha256-pBF7pAmSRlmmObXbS71v0YM5sEC4/4HvesFV3oz2xQU=",
+        "narHash": "sha256-Jr7tmhsZVAebD/TCpijDqcxr4w15wnPCOrlk+t4lrJA=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "b65350213a768bdf4d2da001537a6635edcd562a",
+        "rev": "80b6ff6a51dbebbe0bcc71858ae9a299e1207704",
         "type": "github"
       },
       "original": {
@@ -783,11 +784,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737107480,
+        "lastModified": 1737411508,
-        "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=",
+        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
         "owner": "mic92",
         "repo": "sops-nix",
-        "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6",
+        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
         "type": "github"
       },
       "original": {
@@ -885,11 +886,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736154270,
+        "lastModified": 1737103437,
-        "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
+        "narHash": "sha256-uPNWcYbhY2fjY3HOfRCR5jsfzdzemhfxLSxwjXYXqNc=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
+        "rev": "d1ed3b385f8130e392870cfb1dbfaff8a63a1899",
         "type": "github"
       },
       "original": {

flake.nix

@@ -118,7 +118,7 @@
       merlin = nixpkgs.lib.nixosSystem {
         inherit specialArgs;
         modules = [
-          ./hosts/nebula
+          ./hosts/merlin
           home-manager.nixosModules.home-manager
           {
             home-manager.extraSpecialArgs = specialArgs;

home/common/optional/desktop/common/default.nix

@@ -26,7 +26,6 @@
     pkgs.hunspellDicts.en_US
     pkgs.set_wm_class
     pkgs.xorg.xkill
-    pkgs.krita
     pkgs.R
     pkgs.gimp
     pkgs.gajim

home/merlin.nix

@@ -0,0 +1,11 @@
+{
+  ...
+}: {
+  imports = [
+    ./users/admin
+    ./common/core
+    ./common/optional/git.nix
+    ./common/optional/sops.nix
+  ];
+
+}

home/users/admin/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, outputs, ... }:
+{ outputs, ... }:
 
 {
   home.username = "admin";
@@ -7,6 +7,16 @@
   imports = [
   ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
 
+  programs.ssh = {
+    enable = true;
+    matchBlocks = {
+      "git.bitlab21.com" = {
+        identitiesOnly = true;
+        identityFile = ["~/.ssh/deploy_key-ssh-ed25519"];
+      };
+    };
+  };
+
   home.packages = [
   ];
 
@@ -17,6 +27,7 @@
   ];
 
   home.sessionVariables = {
+    EDITOR = "nvim";
   };
 
   programs.home-manager.enable = true;

hosts/citadel/default.nix

@@ -11,13 +11,11 @@
   fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
   dev = "/dev/nvme0n1"; # depends on target hardware
   encrypted = true; # currrently only applies to btrfs
-  btrfsMountDevice =
+  btrfsMountDevice = "/dev/mapper/crypted";
-    if encrypted
-    then "/dev/mapper/crypted"
-    else "/dev/root_vg/root";
   user = "sam";
   impermanence = true;
   piholeIp = configVars.networking.addresses.pihole.ip;
+  merlinIp = configVars.networking.addresses.merlin.ip;
   gatewayIp = configVars.networking.addresses.gateway.ip;
 in {
   imports = [
@@ -48,9 +46,11 @@ in {
     ../common/optional/pipewire.nix
     ../common/optional/openssh.nix
     ../common/optional/dwm.nix
-    ../common/optional/nfs-mounts/media.nix
+
-    ../common/optional/nfs-mounts/homeshare.nix
+    ../common/optional/fileserver/nfs-client/media.nix
-    ../common/optional/nfs-mounts/photos.nix
+    ../common/optional/fileserver/nfs-client/photos.nix
+    ../common/optional/fileserver/nfs-client/personal.nix
+
     ../common/optional/printing.nix
     ../common/optional/backlight.nix
     ../common/optional/xmodmap-arrow-remaps.nix
@@ -58,19 +58,21 @@ in {
     ../common/optional/gaming.nix
     ../common/optional/powersave.nix
     ../common/optional/restic-backup.nix
-
+    ../common/optional/distributed-builds/local-machine.nix
-    # This machine is used for remote building
-    ../common/optional/distributed-builds/remote-builder-machine.nix
 
     # ../../modules/nixos
     outputs.nixosModules.nixosAutoUpgrade
   ];
 
   boot = {
+    supportedFilesystems = ["nfs"];
     blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
     kernelModules = ["iwlwifi"];
-    initrd.kernelModules = ["thinkpad-acpi" "acpi-call"];
+    initrd.kernelModules = ["thinkpad-acpi" "acpi-call" "nfs"];
-    kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
+    # BUG: Using older linux kernel because of build errors
+    # see https://github.com/NixOS/nixpkgs/issues/375605
+    # kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
+    kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
     extraModulePackages = [
       config.boot.kernelPackages.acpi_call
     ];
@@ -92,6 +94,7 @@ in {
     enable = true;
     persistent = true;
     reboot = false;
+    remote = "remotebuild@${merlinIp}";
     pushUpdates = false;
     configDir = "/etc/nixos";
     onCalendar = "*-*-* 08:00:00";
@@ -104,15 +107,8 @@ in {
       xkb.options = "caps:swapescape";
       dpi = 196;
       upscaleDefaultCursor = true;
-      # FIXME this doesnt work for some reason
-      #     displayManager.sessionCommands = pkgs.writeShellScriptBin "key-remaps" ''
-      #     ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 64 = Mode_switch"
-      #     ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 43 = h H Left H"
-      #     ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 44 = j J Down J"
-      #     ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 45 = k K Up K"
-      #     ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 46 = l L Right L"
-      # '';
     };
+
     # enable oom killer when system ram drops below 5% free
     earlyoom = {
       enable = true;
@@ -165,18 +161,6 @@ in {
     powerManagement.finegrained = true;
     open = false;
     nvidiaSettings = true;
-    # # FIXME issue with stable nvidia driver and latest linux kernel
-    # # use mkDriver to specify newer nvidia driver that is compatible
-    # # see: https://github.com/NixOS/nixpkgs/issues/341844#issuecomment-2351075413
-    # # and https://discourse.nixos.org/t/builder-for-nvidia-x11-550-78-6-10-drv-failed-with-exit-code-2/49360/32
-    # package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
-    #   version = "555.58.02";
-    #   sha256_64bit = "sha256-xctt4TPRlOJ6r5S54h5W6PT6/3Zy2R4ASNFPu8TSHKM=";
-    #   sha256_aarch64 = "sha256-wb20isMrRg8PeQBU96lWJzBMkjfySAUaqt4EgZnhyF8=";
-    #   openSha256 = "sha256-8hyRiGB+m2hL3c9MDA/Pon+Xl6E788MZ50WrrAGUVuY=";
-    #   settingsSha256 = "sha256-ZpuVZybW6CFN/gz9rx+UJvQ715FZnAOYfHn5jt5Z2C8=";
-    #   persistencedSha256 = "sha256-a1D7ZZmcKFWfPjjH1REqPM5j/YLWKnbkP9qfRyIyxAw=";
-    # };
   };
   # https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix
   # https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15

hosts/common/disks/basic.nix

@@ -0,0 +1,36 @@
+{
+device ? throw "Must define a device, e.g. /dev/sda",
+fsModule ? "Must specify submodule"
+}:
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        inherit device;
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "128M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = ["umask=0077"];
+              };
+            };
+            root = {
+              size = "100%";
+              content = import "${fsModule}";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/common/disks/btrfs/persist.nix

@@ -19,7 +19,6 @@
       "/swap" = {
         mountOptions = [ "noatime" ];
         mountpoint = "/.swapvol";
-        swap.swapfile.size = "8192M";
       };
     };
 }

hosts/common/disks/default.nix

@@ -1,11 +1,8 @@
 { device, fsType, encrypted, impermanence, ... }:
 let
   fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
-  basic = import ./${fsType}/basic.nix { inherit device; };
+  basic = import ./basic.nix { inherit device; fsModule = fsModule; };
-  lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
   luks = import ./luks.nix { inherit device; fsModule = fsModule; };
 in
-if fsType == "ext4" then basic
+if fsType == "btrfs" && encrypted then luks
-else if fsType == "btrfs" && encrypted then luks
+else basic
-else if fsType == "btrfs" then lvm
-else null 

hosts/common/optional/arion-containers/arrstack.nix

@@ -1,5 +1,4 @@
-{config, ...}: 
+{config, ...}: let
-let
   openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path;
   openVpnUser = config.sops.secrets."software/proton/openvpn_user".path;
 in {
@@ -8,6 +7,18 @@ in {
     "software/proton/openvpn_user" = {};
   };
 
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        6887
+      ];
+      allowedUDPPorts = [
+        6887
+      ];
+    };
+  };
+
   virtualisation.arion = {
     backend = "podman-socket";
     projects.arrstack = {
@@ -19,7 +30,7 @@ in {
             "6887:6887/udp" # qbittorrent torrenting port
           ];
           image = "qmcgaw/gluetun";
-          capabilities = { NET_ADMIN = true; };
+          capabilities = {NET_ADMIN = true;};
           container_name = "glutun";
           restart = "always";
           volumes = [
@@ -31,6 +42,7 @@ in {
             VPN_SERVICE_PROVIDER = "protonvpn";
             VPN_TYPE = "openvpn";
             SERVER_COUNTRIES = "Switzerland";
+            VPN_PORT_FORWARDING = "on";
           };
           devices = ["/dev/net/tun:/dev/net/tun"];
         };
@@ -41,18 +53,17 @@ in {
           restart = "always";
           volumes = [
             "/srv/docker/media-server/arrstack/qbittorrent:/config"
-            "/media/media:/media"
+            "/media/media/downloads:/downloads"
           ];
           environment = {
-            TZ="Europe/London";
+            TZ = "Europe/London";
-            WEBUI_PORT=8076;
+            WEBUI_PORT = 8076;
-            TORRENTING_PORT=6887;
+            TORRENTING_PORT = 6887;
-            PUID=1000;
+            PUID = 1000;
-            PGID=1000;
+            PGID = 1000;
           };
           network_mode = "service:gluetun";
         };
-
       };
     };
   };

hosts/common/optional/arion-containers/syncthing.nix

@@ -0,0 +1,29 @@
+{
+  virtualisation.arion = {
+    backend = "podman-socket";
+    projects.syncthing = {
+      settings = {
+        services.syncthing.service = {
+          ports = [
+            "8384:8384"
+            "22000:22000/tcp"
+            "22000:22000/udp"
+            "21027:21027/udp"
+          ];
+          container_name = "syncthing";
+          image = "lscr.io/linuxserver/syncthing:latest";
+          restart = "always";
+          environment = {
+            PUID = "1000";
+            GUID = "1000";
+
+          };
+          volumes = [
+            "/srv/docker/syncthing/appdata/config:/config"
+            "/srv/docker/syncthing/data:/data"
+          ];
+        };
+      };
+    };
+  };
+}

hosts/common/optional/distributed-builds/local-machine.nix

@@ -3,29 +3,28 @@ let
   remoteMachineIp = configVars.networking.addresses.remote-builder.ip;
 in
 {
-  nix.distributedBuilds = true;
+  # nix.distributedBuilds = true;
-  nix.settings.builders-use-substitutes = true;
+  # nix.settings.builders-use-substitutes = true;
-  nix.settings.max-jobs = 0;
+  # nix.settings.max-jobs = 0;
-  nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"];
+  # nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"];
-  nix.settings.substituters = ["ssh://${remoteMachineIp}"];
+  # nix.settings.substituters = ["ssh://${remoteMachineIp}"];
+  #
+  # nix.buildMachines = [
+  #   {
+  #     hostName = "remotebuild@${remoteMachineIp}";
+  #     speedFactor = 1;
+  #     maxJobs = 10;
+  #     sshKey = "/root/.ssh/remotebuild";
+  #     system = pkgs.stdenv.hostPlatform.system;
+  #     supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+  #   }
+  # ];
 
-  nix.buildMachines = [
+  programs.ssh.knownHosts = {
-    {
+    "merlin" = {
-      hostName = "remotebuild@${remoteMachineIp}";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSGyrQvwa7gj0tG/EX3siWzGT9badUkD0yw0YGkcNeQ root@merlin";
-      speedFactor = 1;
+    };
-      maxJobs = 10;
+  };
-      sshKey = "/root/.ssh/remotebuild";
-      system = pkgs.stdenv.hostPlatform.system;
-      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-    }
-  ];
-
-  # TODO: set known host here when have static ip on main server
-  # programs.ssh.knownHosts = {
-  #   "merlin" = {
-  #     publicKey = "server pubkey";
-  #   };
-  # };
 
   programs.ssh.extraConfig = ''
     Host ${remoteMachineIp}

hosts/common/optional/fileserver-nfs-mount.nix

@@ -1,27 +0,0 @@
-{...}:
-{
-  fileSystems."/exports" = {
-    device = "/dev/vdb1";
-    fsType = "ext4";
-  };
-
- services.nfs.server = {
-    enable = true;
-    # fixed rpc.statd port; for firewall
-    lockdPort = 4001;
-    mountdPort = 4002;
-    statdPort = 4000;
-    extraNfsdConfig = '''';
-    exports = ''
-      /exports    *(rw,insecure,all_squash)
-    '';
-  };
-  # open nfs ports
-  networking.firewall = {
-    enable = true;
-      # for NFSv3; view with `rpcinfo -p`
-    allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
-    allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
-  };
-}
-

hosts/common/optional/fileserver/nfs-client/media.nix

@@ -0,0 +1,10 @@
+{configVars, pkgs, ...}: let
+  fileserverIp = configVars.networking.addresses.fileserver.ip;
+in {
+  environment.systemPackages = [pkgs.nfs-utils];
+  fileSystems."/media/media" = {
+    device = "${fileserverIp}:/srv/export/media";
+    fsType = "nfs";
+    options = ["noatime" "_netdev"];
+  };
+}

hosts/common/optional/fileserver/nfs-client/personal.nix

@@ -0,0 +1,10 @@
+{configVars, pkgs, ...}: let
+  fileserverIp = configVars.networking.addresses.fileserver.ip;
+in {
+  environment.systemPackages = [pkgs.nfs-utils];
+  fileSystems."/media/personal" = {
+    device = "${fileserverIp}:/srv/export/personal";
+    fsType = "nfs";
+    options = ["noatime" "_netdev"];
+  };
+}

hosts/common/optional/fileserver/nfs-client/photos.nix

@@ -0,0 +1,10 @@
+{configVars, pkgs, ...}: let
+  fileserverIp = configVars.networking.addresses.fileserver.ip;
+in {
+  environment.systemPackages = [pkgs.nfs-utils];
+  fileSystems."/media/photos" = {
+    device = "${fileserverIp}:/srv/export/photos";
+    fsType = "nfs";
+    options = ["noatime" "_netdev"];
+  };
+}

hosts/common/optional/fileserver/nfs-server/homeshare.nix

@@ -0,0 +1,42 @@
+{configVars, ...}: 
+let
+  homeshareDataLocation = configVars.locations.homeshareDataLocation;
+  subnetIp = configVars.networking.addresses.subnet.ip;
+in {
+  fileSystems."/srv/export/photos" = {
+    device = "${homeshareDataLocation}/photos";
+    options = [ "bind" ];
+  };
+
+  fileSystems."/srv/export/personal" = {
+    device = "${homeshareDataLocation}/personal";
+    options = [ "bind" ];
+  };
+
+  fileSystems."/srv/export/media" = {
+    device = "${homeshareDataLocation}/media";
+    options = [ "bind" ];
+  };
+ services.nfs.server = {
+    enable = true;
+    # fixed rpc.statd port; for firewall
+    lockdPort = 4001;
+    mountdPort = 4002;
+    statdPort = 4000;
+    extraNfsdConfig = '''';
+    exports = ''
+      /srv/export/photos    ${subnetIp}/24(rw,sync,no_subtree_check)
+      /srv/export/media    ${subnetIp}/24(rw,sync,no_subtree_check)
+      /srv/export/personal    ${subnetIp}/24(rw,sync,no_subtree_check)
+    '';
+  };
+  # open nfs ports
+  networking.firewall = {
+    enable = true;
+      # for NFSv3; view with `rpcinfo -p`
+    allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
+    allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
+  };
+}
+
+

hosts/common/optional/nfs-mounts/homeshare.nix

@@ -1,9 +0,0 @@
-{
-  fileSystems."/media/homeshare" = {
-    device = "10.0.10.30:/mnt/homeshare";
-    fsType = "nfs";
-    options = [ "noatime" "_netdev" ];
-  };
-}
-
-

hosts/common/optional/nfs-mounts/media.nix

@@ -1,9 +0,0 @@
-{configVars, ...}: let
-  mediaDataMountPoint = configVars.locations.mediaDataMountPoint;
-in {
-  fileSystems.${mediaDataMountPoint} = {
-    device = "10.0.10.30:/mnt/media";
-    fsType = "nfs";
-    options = ["noatime" "_netdev"];
-  };
-}

hosts/common/optional/nfs-mounts/photos.nix

@@ -1,9 +0,0 @@
-{configVars, ...}: let
-  photosDataMountPoint = configVars.locations.photosDataMountPoint;
-in {
-  fileSystems.${photosDataMountPoint} = {
-    device = "10.0.10.30:/mnt/photos";
-    fsType = "nfs";
-    options = ["noatime" "_netdev" "ro"];
-  };
-}

hosts/common/optional/nixos-containers/backup-server.nix

@@ -65,6 +65,16 @@ in {
         pkgs.apacheHttpd
       ];
 
+      services.prometheus = {
+        exporters = {
+          node = {
+            enable = true;
+            enabledCollectors = ["systemd"];
+            openFirewall = true;
+          };
+        };
+      };
+
       services.openssh = {
         enable = true;
         settings.PasswordAuthentication = false;

hosts/common/optional/nixos-containers/baseddata-worker.nix

@@ -17,6 +17,14 @@ in {
     ];
   };
 
+  services.restic.backups = {
+    daily = {
+      paths = [
+        baseddataData
+      ];
+    };
+  };
+
   networking.nat.enable = true;
   networking.nat.internalInterfaces = ["ve-+"];
   networking.nat.externalInterface = "br0";
@@ -287,6 +295,16 @@ in {
         };
       };
 
+      services.prometheus = {
+        exporters = {
+          node = {
+            enable = true;
+            enabledCollectors = ["systemd"];
+            openFirewall = true;
+          };
+        };
+      };
+
       services.openssh = {
         enable = true;
         settings.PasswordAuthentication = false;

hosts/common/optional/nixos-containers/docker.nix

@@ -3,14 +3,15 @@
   lib,
   inputs,
   configVars,
+  config,
+  outputs,
   ...
 }: let
   containerName = "docker";
   containerIp = configVars.networking.addresses.docker.ip;
   gatewayIp = configVars.networking.addresses.gateway.ip;
   dockerContainerData = configVars.locations.dockerContainerData;
-  mediaDataMountPoint = configVars.locations.mediaDataMountPoint;
+  homeshareDataLocation = configVars.locations.homeshareDataLocation;
-  photosDataMountPoint = configVars.locations.photosDataMountPoint;
   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
   arion = inputs.arion;
   sops-nix = inputs.sops-nix;
@@ -24,8 +25,6 @@ in {
       paths = [
         dockerContainerData
       ];
-      exclude = [
-      ];
     };
   };
 
@@ -46,6 +45,14 @@ in {
     ];
     extraFlags = ["--private-users-ownership=chown"];
     allowedDevices = [
+      {
+        node = "/dev/nvidia0";
+        modifier = "rwm";
+      }
+      {
+        node = "/dev/nvidiactl";
+        modifier = "rwm";
+      }
       {
         node = "/dev/fuse";
         modifier = "rwm";
@@ -79,7 +86,11 @@ in {
     nixpkgs = pkgs.path;
     bindMounts = {
       "/media/photos" = {
-        hostPath = photosDataMountPoint;
+        hostPath = "${homeshareDataLocation}/photos";
+        isReadOnly = false;
+      };
+      "/run/opengl-driver/lib" = {
+        hostPath = "/run/opengl-driver/lib";
         isReadOnly = false;
       };
       "/dev/dri" = {
@@ -87,7 +98,7 @@ in {
         isReadOnly = false;
       };
       "/media/media" = {
-        hostPath = mediaDataMountPoint;
+        hostPath = "${homeshareDataLocation}/media";
         isReadOnly = false;
       };
       "/srv/docker" = {
@@ -108,7 +119,13 @@ in {
       secretsDirectory = builtins.toString inputs.nix-secrets;
       secretsFile = "${secretsDirectory}/secrets.yaml";
     in {
+
+      nixpkgs.overlays = [
+        outputs.overlays.unstable-packages
+      ];
+
       networking = {
+        enableIPv6 = false;
         defaultGateway = "${gatewayIp}";
         interfaces.eth0.ipv4.addresses = [
           {
@@ -124,6 +141,26 @@ in {
         useHostResolvConf = lib.mkForce false;
       };
 
+      hardware.graphics = {
+        enable = true;
+      };
+
+      nixpkgs.config.allowUnfreePredicate = pkg:
+        builtins.elem (lib.getName pkg) [
+          "nvidia-x11"
+          "nvidia-settings"
+          "nvidia-persistenced"
+        ];
+
+      services.xserver.videoDrivers = ["nvidia"];
+      hardware.nvidia = {
+        modesetting.enable = true;
+        powerManagement.enable = false;
+        open = false;
+        nvidiaSettings = false;
+        package = config.boot.kernelPackages.nvidiaPackages.stable;
+      };
+
       services.resolved.enable = true;
 
       sops = {
@@ -141,6 +178,7 @@ in {
         ../arion-containers/arrstack.nix
         ../arion-containers/jellyfin.nix
         ../arion-containers/photoprism.nix
+        ../arion-containers/syncthing.nix
       ];
 
       environment.systemPackages = [
@@ -150,10 +188,13 @@ in {
         pkgs.dive
         pkgs.podman-tui
         pkgs.podman-compose
+        pkgs.unstable.nvidia-container-toolkit
       ];
 
       virtualisation = {
+        containers.cdi.dynamic.nvidia.enable = true;
         podman = {
+          enableNvidia = true;
           enable = true;
           dockerSocket.enable = true;
           defaultNetwork.settings.dns_enabled = true;

hosts/common/optional/nixos-containers/metrics-server.nix

@@ -6,8 +6,18 @@
 }: let
   containerName = "metrics-server";
   containerIp = configVars.networking.addresses.metrics-server.ip;
+
   dockerContainerIp = configVars.networking.addresses.docker.ip;
-  semitaIp = configVars.networking.addresses.semita.ip;
+  smWorkerIp = configVars.networking.addresses.sm-worker.ip;
+  merlinIp = configVars.networking.addresses.merlin.ip;
+  bdWorker = configVars.networking.addresses.bd-worker.ip;
+  pihole = configVars.networking.addresses.pihole.ip;
+  bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
+  postres = configVars.networking.addresses.postgres.ip;
+  backupServer = configVars.networking.addresses.backup-server.ip;
+
+  http_endpoints = configVars.metrics-server.blackbox.http_endpoints;
+
   gatewayIp = configVars.networking.addresses.gateway.ip;
   metricsServerContainerData = configVars.locations.metricsServerContainerData;
   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@@ -21,8 +31,6 @@ in {
       paths = [
         metricsServerContainerData
       ];
-      exclude = [
-      ];
     };
   };
 
@@ -65,6 +73,7 @@ in {
           allowedTCPPorts = [
             config.services.prometheus.port
             config.services.grafana.port
+            config.services.prometheus.exporters.blackbox.port
           ];
         };
         useHostResolvConf = lib.mkForce false;
@@ -90,22 +99,77 @@ in {
               {
                 targets = [
                   "${dockerContainerIp}:9100"
-                  "${semitaIp}:9100"
+                  "${smWorkerIp}:9100"
+                  "${merlinIp}:9100"
+                  "${bdWorker}:9100"
+                  "${pihole}:9100"
+                  "${bitcoinNode}:9100"
+                  "${postres}:9100"
+                  "${backupServer}:9100"
                 ];
               }
             ];
           }
+
+          {
+            job_name = "blackbox";
+            scrape_interval = "30s";
+            scrape_timeout = "15s";
+            metrics_path = "/probe";
+            params.module = ["http_basic"];
+            relabel_configs = [
+              {
+                source_labels = ["__address__"];
+                target_label = "__param_target";
+              }
+              {
+                source_labels = ["__param_target"];
+                target_label = "instance";
+              }
+              {
+                target_label = "__address__";
+                replacement = "${config.services.prometheus.exporters.blackbox.listenAddress}:${toString config.services.prometheus.exporters.blackbox.port}";
+              }
+            ];
+            static_configs = [
+              {targets = http_endpoints;}
+            ];
+          }
         ];
       };
 
       services.grafana = {
         enable = true;
-        port = 2342;
+        settings.server = {
-        addr = "0.0.0.0";
+          http_port = 2342;
+          http_addr = "0.0.0.0";
+        };
       };
 
       services.prometheus = {
         exporters = {
+          blackbox = {
+            enable = true;
+            configFile = pkgs.writeText "blackbox-conf.yaml" ''
+              modules:
+                http_basic:
+                  prober: http
+                  timeout: 5s
+                  http:
+                    preferred_ip_protocol: ip4
+                    valid_http_versions: ["HTTP/1.1", "HTTP/2"]
+                    method: GET
+                    fail_if_ssl: false
+                    fail_if_not_ssl: true
+                    tls_config:
+                      insecure_skip_verify: true
+                tcp_connect:
+                  prober: tcp
+                  tcp:
+                    preferred_ip_protocol: ip4
+
+            '';
+          };
           node = {
             enable = true;
             enabledCollectors = ["systemd"];

hosts/common/optional/nixos-containers/nix-bitcoin.nix

@@ -10,6 +10,7 @@
   containerIp = configVars.networking.addresses.bitcoin-node.ip;
   mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port;
   bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData;
+  bitcoindData = configVars.locations.bitcoindData;
   gatewayIp = configVars.networking.addresses.gateway.ip;
   allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@@ -21,7 +22,7 @@ in {
         bitcoinNodeContainerData
       ];
       exclude = [
-        "${bitcoinNodeContainerData}/bitcoind"
+        "${bitcoindData}"
         "${bitcoinNodeContainerData}/electrs"
       ];
     };
@@ -48,6 +49,10 @@ in {
         hostPath = bitcoinNodeContainerData;
         isReadOnly = false;
       };
+      "/var/lib/bitcoind" = {
+        hostPath = bitcoindData;
+        isReadOnly = false;
+      };
     };
 
     config = {
@@ -181,6 +186,16 @@ in {
         lnd.public = true;
       };
 
+      services.prometheus = {
+        exporters = {
+          node = {
+            enable = true;
+            enabledCollectors = ["systemd"];
+            openFirewall = true;
+          };
+        };
+      };
+
       services.openssh = {
         enable = true;
         settings.PasswordAuthentication = false;

hosts/common/optional/nixos-containers/pihole.nix

@@ -16,16 +16,6 @@ in {
   networking.nat.internalInterfaces = ["ve-+"];
   networking.nat.externalInterface = "br0";
 
-  services.restic.backups = {
-    daily = {
-      paths = [
-        piholeContainerData
-      ];
-      exclude = [
-      ];
-    };
-  };
-
   environment.persistence."/persist" = {
     hideMounts = true;
     directories = [
@@ -78,7 +68,7 @@ in {
         useHostResolvConf = lib.mkForce false;
       };
 
-      services.resolved.enable = true;
+      services.resolved.enable = false;
 
       imports = [
         arion.nixosModules.arion
@@ -89,6 +79,8 @@ in {
         pkgs.vim
         pkgs.git
         pkgs.arion
+        pkgs.lsof
+        pkgs.podman-compose
       ];
 
       virtualisation = {
@@ -102,6 +94,16 @@ in {
 
       networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
 
+      services.prometheus = {
+        exporters = {
+          node = {
+            enable = true;
+            enabledCollectors = ["systemd"];
+            openFirewall = true;
+          };
+        };
+      };
+
       services.openssh = {
         enable = true;
         settings.PasswordAuthentication = false;

hosts/common/optional/nixos-containers/postgres.nix

@@ -123,6 +123,16 @@ in {
       #   EOF
       # '';
 
+      services.prometheus = {
+        exporters = {
+          node = {
+            enable = true;
+            enabledCollectors = ["systemd"];
+            openFirewall = true;
+          };
+        };
+      };
+
       services.openssh = {
         enable = true;
         settings.PasswordAuthentication = false;

hosts/common/optional/nixos-containers/semitamaps-worker.nix

@@ -24,6 +24,14 @@ in {
     ];
   };
 
+  services.restic.backups = {
+    daily = {
+      paths = [
+        semitamapsData
+      ];
+    };
+  };
+
   containers."${containerName}" = {
     enableTun = true;
 
@@ -100,6 +108,7 @@ in {
         pkgs.vim
         pkgs.git
         pkgs.arion
+        pkgs.podman-compose
         pkgs.jdk
       ];
 
@@ -128,6 +137,16 @@ in {
         };
       };
 
+      services.prometheus = {
+        exporters = {
+          node = {
+            enable = true;
+            enabledCollectors = ["systemd"];
+            openFirewall = true;
+          };
+        };
+      };
+
       services.openssh = {
         enable = true;
         settings.PasswordAuthentication = false;

hosts/common/optional/persistence.nix

@@ -4,13 +4,10 @@
     hideMounts = true;
     directories = [
       "/etc/nixos"
-      "/srv"
       "/var/log"
       "/var/lib/nixos"
       "/var/lib/systemd/coredump"
       "/etc/NetworkManager/system-connections"
-      "/var/lib/flatpak"
-      "/run/secrets-for-users"
     ];
     files = [
       "/etc/ssh/ssh_host_ed25519_key"

hosts/common/users/admin/default.nix

@@ -1,31 +1,31 @@
-{ pkgs, inputs, config, lib, ... }:
+{
-let
+  pkgs,
-  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+  inputs,
+  config,
+  lib,
+  ...
+}: let
   username = "admin";
-  pubKeys = lib.filesystem.listFilesRecursive (../keys);
+  pubKeys = lib.filesystem.listFilesRecursive ../keys;
   hostname = config.networking.hostName;
-  sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path;
+  sopsHashedPasswordFile = config.sops.secrets."passwords/${username}".path;
   secretsDirectory = builtins.toString inputs.nix-secrets;
   secretsFile = "${secretsDirectory}/secrets.yaml";
-
+in {
-in
-{
   users.users.${username} = {
     isNormalUser = true;
-    shell = pkgs.zsh; # default shell
+    shell = pkgs.zsh;
     hashedPasswordFile = sopsHashedPasswordFile;
     openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
 
     extraGroups = [
       "wheel"
-    ] ++ ifTheyExist [
-      "docker"
-      "lxc"
-      "git"
-      "podman"
     ];
+  };
 
-    packages = with pkgs; [
+  environment.persistence."/persist" = {
+    directories = [
+      "/home/${username}"
     ];
   };
 
@@ -44,13 +44,16 @@ in
       mode = "0644";
       owner = "${username}";
     };
+    "github-access-token" = {
+      mode = "0655";
+    };
   };
 
   programs.zsh.enable = true;
   programs.fuse.userAllowOther = true;
 
   home-manager = {
-    extraSpecialArgs = { inherit inputs; };
+    extraSpecialArgs = {inherit inputs;};
     users = {
       ${username} = import ../../../../home/${hostname}.nix;
     };

hosts/common/users/sam/default.nix

@@ -133,6 +133,7 @@ in {
   environment.persistence."/persist" = {
     directories = [
       "/home/${username}"
+      "/var/lib/tailscale"
     ];
   };
 

hosts/merlin/default.nix

@@ -1,21 +1,42 @@
-{ inputs, ... }:
-let
-  # Disko setup
-  fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
-  dev = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00005";
-  encrypted = false; # currrently only applies to btrfs
-  impermanence = false;
-  user = "admin";
-in
 {
-  imports =
+  inputs,
-    [
+  configVars,
-      # Create users for this host
+  lib,
-      ../common/users/${user}
+  config,
+  outputs,
+  ...
+}: let
+  fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
+  dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f";
+  encrypted = false; # currrently only applies to btrfs
+  btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2";
+  impermanence = true;
 
-      # Root disk configuration
+  homeshareDataLocation = configVars.locations.homeshareDataLocation;
+
+  piholeIp = configVars.networking.addresses.pihole.ip;
+  gatewayIp = configVars.networking.addresses.gateway.ip;
+  merlinIp = configVars.networking.addresses.merlin.ip;
+in {
+  imports = [
+    # Create users for this host
+    ../common/users/admin
+
+    # Disk configuration
     inputs.disko.nixosModules.disko
-      (import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
+    (import ../common/disks {
+      device = dev;
+      impermanence = impermanence;
+      fsType = fsType;
+      encrypted = encrypted;
+    })
+
+    # Impermanence
+    ../common/optional/persistence.nix
+    (import ../common/disks/btrfs/impermanence.nix {
+      btrfsMountDevice = btrfsMountDevice;
+      lib = lib;
+    })
 
     # Import core options
     ./hardware-configuration.nix
@@ -23,9 +44,26 @@ in
 
     # Import optional options
     ../common/optional/openssh.nix
-      ../common/optional/docker
+    ../common/optional/restic-backup.nix
-      ../common/optional/docker/postgres.nix
+    ../common/optional/docker.nix
+    ../common/optional/nix-ld.nix
+    ../common/optional/fileserver/nfs-server/homeshare.nix
 
+    # Nixos containers
+    ../common/optional/nixos-containers/docker.nix
+    ../common/optional/nixos-containers/baseddata-worker.nix
+    ../common/optional/nixos-containers/pihole.nix
+    ../common/optional/nixos-containers/semitamaps-worker.nix
+    ../common/optional/nixos-containers/nix-bitcoin.nix
+    ../common/optional/nixos-containers/postgres.nix
+    ../common/optional/nixos-containers/baseddata-worker.nix
+    ../common/optional/nixos-containers/backup-server.nix
+    ../common/optional/nixos-containers/metrics-server.nix
+
+    # This machine is used for remote building
+    ../common/optional/distributed-builds/remote-builder-machine.nix
+
+    outputs.nixosModules.nixosAutoUpgrade
   ];
 
   boot = {
@@ -36,17 +74,102 @@ in
     };
   };
 
-  networking = {
+  fileSystems."/mnt/main-ssd" = {
-    hostName = "merlin";
+    device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
-    networkmanager.enable = true;
+    fsType = "ext4";
-    enableIPv6 = false;
   };
 
-  boot.supportedFilesystems = [ "zfs" ];
+  fileSystems."/mnt/btcnode" = {
+    device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
+    fsType = "btrfs";
+  };
+
+  networking = {
+    hostName = "merlin";
+    nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
+    defaultGateway = "${gatewayIp}";
+    useDHCP = false;
+    enableIPv6 = false;
+    bridges = {
+      br0 = {
+        interfaces = ["eth0"];
+      };
+    };
+    interfaces.br0 = {
+      ipv4.addresses = [
+        {
+          "address" = "${merlinIp}";
+          "prefixLength" = 24;
+        }
+      ];
+    };
+  };
+
+  environment.persistence."/persist" = {
+    directories = [
+      "/etc/zpool"
+      "/var/lib/tailscale"
+    ];
+  };
+
+  services.restic.backups = {
+    daily = {
+      paths = [
+        homeshareDataLocation
+      ];
+    };
+  };
+
+  # Enable OpenGL
+  hardware.graphics = {
+    enable = true;
+  };
+
+  # enable tailscale
+  services.tailscale.useRoutingFeatures = "server";
+  services.tailscale.enable = true;
+
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) [
+      "nvidia-x11"
+      "nvidia-settings"
+      "nvidia-persistenced"
+    ];
+
+  # Load nvidia driver
+  services.xserver.videoDrivers = ["nvidia"];
+  hardware.nvidia = {
+    modesetting.enable = true;
+    powerManagement.enable = false;
+    open = false;
+    nvidiaSettings = false;
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+
+  system.services.nixosAutoUpgrade = {
+    enable = true;
+    persistent = false;
+    reboot = true;
+    pushUpdates = true;
+    configDir = "/etc/nixos";
+    onCalendar = "*-*-* 03:00:00";
+    user = "admin";
+  };
+
+  services.prometheus = {
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = ["systemd"];
+        openFirewall = true;
+      };
+    };
+  };
+
+  boot.supportedFilesystems = ["zfs"];
   boot.zfs.forceImportRoot = false;
   networking.hostId = "18aec5d7";
-  boot.zfs.extraPools = [ "zspeed" ];
+  boot.zfs.extraPools = ["deepzfs" "nvme-zpool"];
 
   services.libinput.enable = true;
 }
-

hosts/merlin/hardware-configuration.nix

@@ -4,9 +4,6 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
 
   boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];

hosts/semita/default.nix

@@ -18,6 +18,7 @@
   impermanence = true;
   piholeIp = configVars.networking.addresses.pihole.ip;
   gatewayIp = configVars.networking.addresses.gateway.ip;
+  merlinIp = configVars.networking.addresses.merlin.ip;
   semitaIp = configVars.networking.addresses.semita.ip;
 in {
   imports = [
@@ -54,31 +55,12 @@ in {
     ../common/optional/gaming.nix
     ../common/optional/restic-backup.nix
 
-    # nfs mounts
+    ../common/optional/distributed-builds/local-machine.nix
-    ../common/optional/nfs-mounts/media.nix
-    ../common/optional/nfs-mounts/homeshare.nix
-    ../common/optional/nfs-mounts/photos.nix
-
-    # nixos-containers
-    ../common/optional/nixos-containers/nix-bitcoin.nix
-    ../common/optional/nixos-containers/postgres.nix
-    ../common/optional/nixos-containers/baseddata-worker.nix
-    ../common/optional/nixos-containers/semitamaps-worker.nix
-    ../common/optional/nixos-containers/backup-server.nix
-    ../common/optional/nixos-containers/docker.nix
-    # ../common/optional/nixos-containers/pihole.nix
-    ../common/optional/nixos-containers/metrics-server.nix
-
-    # # Build nix derivations on remote machine
-    # ../common/optional/distributed-builds/local-machine.nix
 
     outputs.nixosModules.nixosAutoUpgrade
   ];
 
-  fileSystems."/mnt/main-ssd" = {
+  services.tailscale.useRoutingFeatures = "server";
-    device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
-    fsType = "ext4";
-  };
 
   boot = {
     blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
@@ -102,21 +84,12 @@ in {
     };
   };
 
-  services.prometheus = {
-    exporters = {
-      node = {
-        enable = true;
-        enabledCollectors = ["systemd"];
-        openFirewall = true;
-      };
-    };
-  };
-
   system.services.nixosAutoUpgrade = {
     enable = true;
     persistent = true;
+    remote = "remotebuild@${merlinIp}";
     reboot = false;
-    pushUpdates = true;
+    pushUpdates = false;
     configDir = "/etc/nixos";
     onCalendar = "*-*-* 06:00:00";
     user = "sam";

hosts/sparky/default.nix

@@ -44,7 +44,7 @@ in {
     # Import optional options
     ../common/optional/openssh.nix
     ../common/optional/persistence.nix
-    ../common/optional/nfs-mounts/media.nix
+    # ../common/optional/fileserver/media.nix
     ../common/optional/gaming.nix
     ../common/optional/printing.nix
     outputs.nixosModules.nixosAutoUpgrade

modules/nixos/nixosAutoUpgrade.nix

@@ -25,6 +25,10 @@ in
         description = "Automatically reboots the system if there is a kernel or systemd update.";
         default = false;
       };
+      remote = lib.mkOption {
+        type = lib.types.str;
+        description = "Attempts build on remote host <user@host>.";
+      };
       onCalendar = lib.mkOption {
         default = "daily";
         type = lib.types.str;
@@ -72,11 +76,12 @@ in
         unitConfig.RequiresMountsFor = cfg.configDir;
         script = lib.strings.concatStrings [
           "${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} "
-          (lib.mkIf (cfg.configDir != "") "--flake ${cfg.configDir} ").content
+          (if cfg.configDir != "" then "--flake ${cfg.configDir} " else "")
-          (lib.mkIf (cfg.user != "") "--user ${cfg.user} ").content
+          (if cfg.user != "" then "--user ${cfg.user} " else "")
-          (lib.mkIf (cfg.pushUpdates) "--update ").content
+          (if cfg.pushUpdates then "--update " else "")
-          (lib.mkIf (cfg.reboot) "--reboot ").content
+          (if cfg.reboot then "--reboot " else "")
-          (lib.mkIf (cfg.extraFlags != "") cfg.extraFlags).content
+          (if cfg.remote != "" then "--build-host ${cfg.remote} " else "")
+          cfg.extraFlags
         ];
       };
       timers."nixos-upgrade" = {

scripts/bootstrap.sh

@@ -40,41 +40,48 @@ trap cleanup EXIT
 # Create the directory for target host keys
 install -d -m755 "$temp$persist/etc/ssh"
 
-# Create ssh keys
+# Extract ssh keys from secrets
-echo "Creating '$hostname' ssh keys"
+echo "Extracting ssh keys"
-ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
+ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
+echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key 
+ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
+echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub
 
-# Extract luks key from secrets
+# # Extract luks key from secrets
-luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
+# luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
-echo "$luks_secret" > /tmp/luks_secret.key
+# echo "$luks_secret" > /tmp/luks_secret.key
 
-# Generate age key from target host and user public ssh key
+# # Create ssh keys
-echo "Generating age key from target host and user ssh key"
+# echo "Creating '$hostname' ssh keys"
-HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
+# ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
-echo -e "Host age key:\n$HOST_AGE_KEY\n"
 
-# Update .sops.yaml with new age key:
+# # Generate age key from target host and user public ssh key
-SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
+# echo "Generating age key from target host and user ssh key"
-sed -i "{
+# HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
-# Remove any * and & entries for this host
+# echo -e "Host age key:\n$HOST_AGE_KEY\n"
-/[*&]$hostname/ d;
-# Inject a new age: entry
-# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
-/age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
-# Inject a new hosts: entry
-/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
-}" "$SOPS_FILE"
 
-# Commit and push changes to sops file
+# # Update .sops.yaml with new age key:
-just update-sops-secrets && just update-flake-secrets && just update-flake
+# SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
+# sed -i "{
+# # Remove any * and & entries for this host
+# /[*&]$hostname/ d;
+# # Inject a new age: entry
+# # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
+# /age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
+# # Inject a new hosts: entry
+# /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
+# }" "$SOPS_FILE"
+
+# # Commit and push changes to sops file
+# just update-sops-secrets && just update-flake-secrets && just update-flake
 
 # Copy current nix config over to target
 echo "copying current nix config to host"
 cp -pr . "$temp$persist/etc/nixos"
 
 # Install Nixos to target
-SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
+SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.6.0 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
-[ $? != 0 ] && echo "Error installing Nixos" && exit 1
+echo $?
 
 ## Delete keys from local known_hosts
 echo "Deleting host from known_hosts"

vars/default.nix

@@ -3,19 +3,22 @@
   inherit (inputs.nix-secrets)
     networking
     email
+    metrics-server
     ;
   locations = {
     mediaDataMountPoint = "/media/media";
     photosDataMountPoint = "/media/photos";
-
+    personalDataMountPoint = "/media/personal";
+    homeshareDataLocation = "/mnt/main-ssd/homeshare";
     metricsServerContainerData = "/mnt/main-ssd/metrics-server";
     dockerContainerData = "/mnt/main-ssd/docker";
     piholeContainerData = "/mnt/main-ssd/docker/pihole";
-    bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";
-    backupContainerData = "/mnt/main-ssd/backup";
-    postgresContainerData = "/mnt/main-ssd/postgresql";
-    semitamapsData = "/mnt/main-ssd/semitamaps-data";
     baseddataData = "/mnt/main-ssd/baseddata-data";
+    bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";
+    bitcoindData = "/mnt/btcnode/bitcoind";
+    backupContainerData = "/mnt/deepzfs/backup";
+    postgresContainerData = "/mnt/nvme-zpool/postgresql";
+    semitamapsData = "/mnt/nvme-zpool/semitamaps-data";
   };
 
 }