hosts/helios: add initial disko config

hosts/artemis: update README.md
flake.lock: Update
2025-08-23 21:39:28 +01:00 · 2025-08-23 09:33:33 +01:00 · 2025-08-23 09:22:56 +01:00 · 2025-08-22 21:04:58 +01:00 · 2025-08-22 11:57:16 +01:00 · 2025-08-22 09:54:19 +01:00
66 changed files with 1506 additions and 407 deletions
--- a/README.md
+++ b/README.md
@@ -10,10 +10,12 @@ System and user configuration for NixOS-based systems.
 | **Terminal:** | Ghostty |

 ## Provisioning a new host
+
 > [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) is the module used
 > for provisioning

 Generate a new SSH host key in "$temp/etc/ssh" as per [this guide](https://nix-community.github.io/nixos-anywhere/howtos/secrets.html#example-decrypting-an-openssh-host-key-with-pass).
+
 ```
 ssh-keygen -t ed25519 -f /tmp/ssh_host_ed25519_key
 ```
@@ -29,6 +31,7 @@ Create a new directory under `hosts/` with a system configuration and disk layou
 Boot the NixOS installer (or any Linux distribution) on the target.

 Then run:
+
 ```
 nix run github:nix-community/nixos-anywhere -- \
  --disk-encryption-keys /tmp/secret.key /tmp/secret.key \
@@ -40,15 +43,19 @@ nix run github:nix-community/nixos-anywhere -- \
 ### Post install

 If backups are configured, you'll need to run:
+
 ```
 borgmatic init --encryption repokey-blake2
 ```
+
 then restart `borgmatic`.

 To join the Tailscale network, run:
+
 ```
 tailscale up --login-server https://headscale.vimium.net
 ```
+
 then visit the URL, SSH onto `vps1` and run `headscale --user mesh nodes register --key <key>`.

 The new node can optionally be given a friendly name with `headscale node rename -i <index> <hostname>`.
--- a/flake.lock
+++ b/flake.lock
@@ -3,16 +3,20 @@
    "agenix": {
      "inputs": {
        "darwin": "darwin",
-        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs",
+        "home-manager": [
+          "nixpkgs"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1750173260,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+        "lastModified": 1754433428,
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
        "type": "github"
      },
      "original": {
@@ -21,6 +25,32 @@
        "type": "github"
      }
    },
+    "agenix-rekey": {
+      "inputs": {
+        "devshell": "devshell",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks": [
+          "pre-commit-hooks"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1754492276,
+        "narHash": "sha256-cCtleJZQY5eWPYRGl5x63BZ2rfOik4pLveCveH+tmvM=",
+        "owner": "oddlama",
+        "repo": "agenix-rekey",
+        "rev": "69ed7833c0e4e6a677a20894d8f12876b9e2bedb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oddlama",
+        "repo": "agenix-rekey",
+        "type": "github"
+      }
+    },
    "aquamarine": {
      "inputs": {
        "hyprutils": [
@@ -41,11 +71,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752743471,
-        "narHash": "sha256-4izhj1j7J4mE8LgljCXSIUDculqOsxxhdoC81VhqizM=",
+        "lastModified": 1753216019,
+        "narHash": "sha256-zik7WISrR1ks2l6T1MZqZHb/OqroHdJnSnAehkE0kCk=",
        "owner": "hyprwm",
        "repo": "aquamarine",
-        "rev": "e31b575d19e7cf8a8f4398e2f9cffe27a1332506",
+        "rev": "be166e11d86ba4186db93e10c54a141058bdce49",
        "type": "github"
      },
      "original": {
@@ -95,7 +125,9 @@
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
        "utils": "utils"
      },
      "locked": {
@@ -112,6 +144,68 @@
        "type": "github"
      }
    },
+    "devshell": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix-rekey",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1728330715,
+        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
+    "devshell_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1741473158,
+        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
+    "devshell_3": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-topology",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1728330715,
+        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -119,11 +213,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753140376,
-        "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
+        "lastModified": 1755519972,
+        "narHash": "sha256-bU4nqi3IpsUZJeyS8Jk85ytlX61i4b0KCxXX9YcOgVc=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
+        "rev": "4073ff2f481f9ef3501678ff479ed81402caae6d",
        "type": "github"
      },
      "original": {
@@ -135,11 +229,11 @@
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1753659700,
-        "narHash": "sha256-KJjs4BdQ03X4jcc/aAcjO0PwHaYUYBAb6UIIL5fFslY=",
+        "lastModified": 1755874650,
+        "narHash": "sha256-ClHCtrzwU6TIfK0qOzAsfPY4swrpbZ8SwUpBpVwphaY=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
-        "rev": "722a3117a01600c6dcc78271aff4aeff62b7af09",
+        "rev": "6fafa0409ad451b90db466f900b7549a1890bf1a",
        "type": "github"
      },
      "original": {
@@ -167,11 +261,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@@ -199,11 +293,11 @@
    "flake-compat_4": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@@ -213,6 +307,45 @@
      }
    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "agenix-rekey",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1754487366,
+        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "nixvim",
@@ -220,11 +353,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753121425,
-        "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
+        "lastModified": 1754091436,
+        "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
+        "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
        "type": "github"
      },
      "original": {
@@ -237,6 +370,24 @@
      "inputs": {
        "systems": "systems_4"
      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_5"
+      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@@ -362,36 +513,15 @@
    "home-manager": {
      "inputs": {
        "nixpkgs": [
-          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1745494811,
-        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "lastModified": 1755928099,
+        "narHash": "sha256-OILVkfhRCm8u18IZ2DKR8gz8CVZM2ZcJmQBXmjFLIfk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "home-manager_2": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1753592768,
-        "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "fc3add429f21450359369af74c2375cb34a2d204",
+        "rev": "4a44fb9f7555da362af9d499817084f4288a957f",
        "type": "github"
      },
      "original": {
@@ -417,11 +547,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749155331,
-        "narHash": "sha256-XR9fsI0zwLiFWfqi/pdS/VD+YNorKb3XIykgTg4l1nA=",
+        "lastModified": 1753964049,
+        "narHash": "sha256-lIqabfBY7z/OANxHoPeIrDJrFyYy9jAM4GQLzZ2feCM=",
        "owner": "hyprwm",
        "repo": "hyprcursor",
-        "rev": "45fcc10b4c282746d93ec406a740c43b48b4ef80",
+        "rev": "44e91d467bdad8dcf8bbd2ac7cf49972540980a5",
        "type": "github"
      },
      "original": {
@@ -446,11 +576,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752149140,
-        "narHash": "sha256-gbh1HL98Fdqu0jJIWN4OJQN7Kkth7+rbkFpSZLm/62A=",
+        "lastModified": 1754305013,
+        "narHash": "sha256-u+M2f0Xf1lVHzIPQ7DsNCDkM1NYxykOSsRr4t3TbSM4=",
        "owner": "hyprwm",
        "repo": "hyprgraphics",
-        "rev": "340494a38b5ec453dfc542c6226481f736cc8a9a",
+        "rev": "4c1d63a0f22135db123fc789f174b89544c6ec2d",
        "type": "github"
      },
      "original": {
@@ -469,17 +599,17 @@
        "hyprlang": "hyprlang",
        "hyprutils": "hyprutils",
        "hyprwayland-scanner": "hyprwayland-scanner",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs",
        "pre-commit-hooks": "pre-commit-hooks",
        "systems": "systems_3",
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1753819175,
-        "narHash": "sha256-W5bwvvpcje6K5EOstNflIWqkAii4P2qrB5+0luE2lME=",
+        "lastModified": 1755883465,
+        "narHash": "sha256-/yviTS9piazXoZAmnN0dXnYjDAFvooBnzJfPw2Gi30Y=",
        "owner": "hyprwm",
        "repo": "Hyprland",
-        "rev": "43966cc787c4a8844ac1e7affaadeedde8f4cc60",
+        "rev": "0d45b277d6c750377b336034b8adc53eae238d91",
        "type": "github"
      },
      "original": {
@@ -505,11 +635,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753028264,
-        "narHash": "sha256-GbfsRZWW5uBAOeddLkmrYV2XmAbI0etVUTBXFH5thcw=",
+        "lastModified": 1755183521,
+        "narHash": "sha256-wrP8TM2lb2x0+PyTc7Uc3yfVBeIlYW7+hFeG14N9Cr8=",
        "owner": "hyprwm",
        "repo": "hyprland-plugins",
-        "rev": "14f9a444793d6dd78c29033acf9c3c974ded708d",
+        "rev": "c1ddebb423acc7c88653c04de5ddafee64dac89a",
        "type": "github"
      },
      "original": {
@@ -598,11 +728,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750371812,
-        "narHash": "sha256-D868K1dVEACw17elVxRgXC6hOxY+54wIEjURztDWLk8=",
+        "lastModified": 1753819801,
+        "narHash": "sha256-tHe6XeNeVeKapkNM3tcjW4RuD+tB2iwwoogWJOtsqTI=",
        "owner": "hyprwm",
        "repo": "hyprland-qtutils",
-        "rev": "b13c7481e37856f322177010bdf75fccacd1adc8",
+        "rev": "b308a818b9dcaa7ab8ccab891c1b84ebde2152bc",
        "type": "github"
      },
      "original": {
@@ -627,11 +757,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750371198,
-        "narHash": "sha256-/iuJ1paQOBoSLqHflRNNGyroqfF/yvPNurxzcCT0cAE=",
+        "lastModified": 1753622892,
+        "narHash": "sha256-0K+A+gmOI8IklSg5It1nyRNv0kCNL51duwnhUO/B8JA=",
        "owner": "hyprwm",
        "repo": "hyprlang",
-        "rev": "cee01452bca58d6cadb3224e21e370de8bc20f0b",
+        "rev": "23f0debd2003f17bd65f851cd3f930cff8a8c809",
        "type": "github"
      },
      "original": {
@@ -652,11 +782,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752252310,
-        "narHash": "sha256-06i1pIh6wb+sDeDmWlzuPwIdaFMxLlj1J9I5B9XqSeo=",
+        "lastModified": 1754481650,
+        "narHash": "sha256-6u6HdEFJh5gY6VfyMQbhP7zDdVcqOrCDTkbiHJmAtMI=",
        "owner": "hyprwm",
        "repo": "hyprutils",
-        "rev": "bcabcbada90ed2aacb435dc09b91001819a6dc82",
+        "rev": "df6b8820c4a0835d83d0c7c7be86fbc555f1f7fd",
        "type": "github"
      },
      "original": {
@@ -749,13 +879,38 @@
        "type": "github"
      }
    },
+    "nix-topology": {
+      "inputs": {
+        "devshell": "devshell_3",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks": [
+          "pre-commit-hooks"
+        ]
+      },
+      "locked": {
+        "lastModified": 1752093877,
+        "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=",
+        "owner": "oddlama",
+        "repo": "nix-topology",
+        "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oddlama",
+        "repo": "nix-topology",
+        "type": "github"
+      }
+    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1753122741,
-        "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=",
+        "lastModified": 1755330281,
+        "narHash": "sha256-aJHFJWP9AuI8jUGzI77LYcSlkA9wJnOIg4ZqftwNGXA=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22",
+        "rev": "3dac8a872557e0ca8c083cdcfc2f218d18e113b0",
        "type": "github"
      },
      "original": {
@@ -775,11 +930,11 @@
        "nixpkgs-25_05": "nixpkgs-25_05"
      },
      "locked": {
-        "lastModified": 1747965231,
-        "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+        "lastModified": 1755110674,
+        "narHash": "sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "53007af63fade28853408370c4c600a63dd97f41",
+        "rev": "f5936247dbdb8501221978562ab0b302dd75456c",
        "type": "gitlab"
      },
      "original": {
@@ -791,11 +946,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1745391562,
-        "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
+        "lastModified": 1754725699,
+        "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
+        "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
        "type": "github"
      },
      "original": {
@@ -821,13 +976,28 @@
        "type": "github"
      }
    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1753579242,
+        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1753694789,
-        "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
+        "lastModified": 1755615617,
+        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
+        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
        "type": "github"
      },
      "original": {
@@ -838,43 +1008,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1743014863,
-        "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=",
+        "lastModified": 1755704039,
+        "narHash": "sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1752687322,
-        "narHash": "sha256-RKwfXA4OZROjBTQAl9WOZQFm7L8Bo93FQwSJpAiSRvo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "6e987485eb2c77e5dcc5af4e3c70843711ef9251",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1753489912,
-        "narHash": "sha256-uDCFHeXdRIgJpYmtcUxGEsZ+hYlLPBhR83fdU+vbC1s=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "13e8d35b7d6028b7198f8186bc0347c6abaa2701",
+        "rev": "9cb344e96d5b6918e94e1bca2d9f3ea1e9615545",
        "type": "github"
      },
      "original": {
@@ -885,19 +1023,19 @@
    },
    "nixvim": {
      "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_3",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nuschtosSearch": "nuschtosSearch",
-        "systems": "systems_5"
+        "systems": "systems_6"
      },
      "locked": {
-        "lastModified": 1753534875,
-        "narHash": "sha256-U8eKkKR+c70Sj+XuhbCzRAWJBfRLEF7Qh7gKk/7f93M=",
+        "lastModified": 1755727480,
+        "narHash": "sha256-eb9N7XFj1zirk+D2KV+rn/CjmVHDISlxhtZCWZEVpkM=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "f25f269dddf2e464f0d4a79bb42b6bfbab63b0df",
+        "rev": "6df0b97b39baa1c0b3002b051f307aed68e17d1b",
        "type": "github"
      },
      "original": {
@@ -909,7 +1047,7 @@
    },
    "nuschtosSearch": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "ixx": "ixx",
        "nixpkgs": [
          "nixvim",
@@ -917,11 +1055,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753450833,
+        "lastModified": 1753771532,
        "narHash": "sha256-Pmpke0JtLRzgdlwDC5a+aiLVZ11JPUO5Bcqkj0nHE/k=",
        "owner": "NuschtOS",
        "repo": "search",
-        "rev": "40987cc1a24feba378438d691f87c52819f7bd75",
+        "rev": "2a65adaf2c0c428efb0f4a2bc406aab466e96a06",
        "type": "github"
      },
      "original": {
@@ -940,11 +1078,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750779888,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "lastModified": 1754416808,
+        "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
        "type": "github"
      },
      "original": {
@@ -962,11 +1100,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750779888,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "lastModified": 1755879220,
+        "narHash": "sha256-2KZl6cU5rzEwXKMW369kLTzinJXXkF3TRExA6qEeVbc=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "3ff4596663c8cbbffe06d863ee4c950bce2c3b78",
        "type": "github"
      },
      "original": {
@@ -978,33 +1116,38 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "agenix-rekey": "agenix-rekey",
        "deploy-rs": "deploy-rs",
+        "devshell": "devshell_2",
        "disko": "disko",
        "firefox-gnome-theme": "firefox-gnome-theme",
+        "flake-parts": "flake-parts_2",
        "gitea-github-theme": "gitea-github-theme",
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager",
        "hyprland": "hyprland",
        "hyprland-plugins": "hyprland-plugins",
        "impermanence": "impermanence",
        "kvlibadwaita": "kvlibadwaita",
+        "nix-topology": "nix-topology",
        "nixos-hardware": "nixos-hardware",
        "nixos-mailserver": "nixos-mailserver",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nixvim": "nixvim",
        "pre-commit-hooks": "pre-commit-hooks_2",
        "secrets": "secrets",
-        "thunderbird-gnome-theme": "thunderbird-gnome-theme"
+        "thunderbird-gnome-theme": "thunderbird-gnome-theme",
+        "treefmt-nix": "treefmt-nix_2"
      }
    },
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1752936308,
-        "narHash": "sha256-OAlj8oJpcKo9cCIwxzMolnwdfczlovvC1y1MeIpDPYM=",
+        "lastModified": 1755887038,
+        "narHash": "sha256-HoEMwFfR3rwNxwJjFCbj3rfW8k6EabHuMJAZOwsT95c=",
        "ref": "refs/heads/master",
-        "rev": "eddee7a0b83063ba60c0dd49fc18399b6564559d",
-        "revCount": 36,
+        "rev": "9e47b557087ebde3a30c9f97189d110c29d144fd",
+        "revCount": 40,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
@@ -1088,14 +1231,29 @@
        "type": "github"
      }
    },
+    "systems_6": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "thunderbird-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1753018656,
-        "narHash": "sha256-XBZfXgarX1QOgN2dZYtLmYdO7Q73IyALJanjd4nWn08=",
+        "lastModified": 1755861050,
+        "narHash": "sha256-oLmw1VRrmbuLwT5errG3lT85K0jLII/aQ32VtdJ+1xM=",
        "owner": "rafaelmardojai",
        "repo": "thunderbird-gnome-theme",
-        "rev": "163ab2a77ffbbc2545889d05c8ce00f56c9f727e",
+        "rev": "b1fbb41db5718c23667bd9b40268b8e7317634fd",
        "type": "github"
      },
      "original": {
@@ -1104,6 +1262,47 @@
        "type": "github"
      }
    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix-rekey",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735135567,
+        "narHash": "sha256-8T3K5amndEavxnludPyfj3Z1IkcFdRpR23q+T0BVeZE=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "9e09d30a644c57257715902efbb3adc56c79cf28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1755934250,
+        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
    "utils": {
      "inputs": {
        "systems": "systems_2"
@@ -1150,11 +1349,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1751300244,
-        "narHash": "sha256-PFuv1TZVYvQhha0ac53E3YgdtmLShrN0t4T6xqHl0jE=",
+        "lastModified": 1753633878,
+        "narHash": "sha256-js2sLRtsOUA/aT10OCDaTjO80yplqwOIaLUqEe0nMx0=",
        "owner": "hyprwm",
        "repo": "xdg-desktop-portal-hyprland",
-        "rev": "6115f3fdcb2c1a57b4a80a69f3c797e47607b90a",
+        "rev": "371b96bd11ad2006ed4f21229dbd1be69bed3e8a",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -2,168 +2,176 @@
  description = "NixOS system configuration";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-25.05";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
-    # nixpkgs-master.url = "nixpkgs";
-    agenix.url = "github:ryantm/agenix";
-    deploy-rs.url = "github:serokell/deploy-rs";
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.home-manager.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    agenix-rekey = {
+      url = "github:oddlama/agenix-rekey";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.pre-commit-hooks.follows = "pre-commit-hooks";
+    };
+
+    deploy-rs = {
+      url = "github:serokell/deploy-rs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    devshell = {
+      url = "github:numtide/devshell";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
    home-manager = {
      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
    hyprland.url = "github:hyprwm/Hyprland";
+
    hyprland-plugins = {
      url = "github:hyprwm/hyprland-plugins";
      inputs.hyprland.follows = "hyprland";
    };
+
    firefox-gnome-theme = {
      url = "github:rafaelmardojai/firefox-gnome-theme";
      flake = false;
    };
+
+    flake-parts.url = "github:hercules-ci/flake-parts";
+
    gitea-github-theme = {
      url = "git+ssh://git@git.vimium.com/jordan/gitea-github-theme.git?ref=main";
      flake = false;
    };
+
    impermanence.url = "github:nix-community/impermanence";
+
    kvlibadwaita = {
      url = "github:GabePoel/KvLibadwaita";
      flake = false;
    };
+
    nixos-hardware.url = "github:NixOS/nixos-hardware";
+
    nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    nixpkgs.url = "nixpkgs/nixos-25.05";
+
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+
+    # nixpkgs-master.url = "nixpkgs";
+
    nixvim = {
      url = "github:nix-community/nixvim/nixos-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    nix-topology = {
+      url = "github:oddlama/nix-topology";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.pre-commit-hooks.follows = "pre-commit-hooks";
+    };
+
    pre-commit-hooks = {
      url = "github:cachix/git-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
    secrets = {
      url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
      flake = false;
    };
+
    thunderbird-gnome-theme = {
      url = "github:rafaelmardojai/thunderbird-gnome-theme";
      flake = false;
    };
+
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
-    inputs@{ self, nixpkgs, ... }:
-    let
-      inherit (nixpkgs) lib;
-
-      domain = "mesh.vimium.net";
-      forEachSystem = lib.genAttrs [
-        "x86_64-linux"
-        "aarch64-linux"
+    inputs@{
+      nixpkgs,
+      flake-parts,
+      ...
+    }:
+    flake-parts.lib.mkFlake { inherit inputs; } {
+      imports = [
+        inputs.agenix-rekey.flakeModule
+        inputs.pre-commit-hooks.flakeModule
+        inputs.nix-topology.flakeModule
+        inputs.treefmt-nix.flakeModule
+        ./nix/devshell.nix
+        ./nix/hosts.nix
      ];
-      mkDeployNode = hostName: {
-        hostname = "${hostName}.${domain}";

-        profiles.system = {
-          user = "root";
-          path =
-            inputs.deploy-rs.lib.${
-              self.nixosConfigurations.${hostName}.config.system.build.toplevel.system
-            }.activate.nixos
-              self.nixosConfigurations.${hostName};
+      flake = {
+        overlays = nixpkgs.lib.packagesFromDirectoryRecursive {
+          callPackage = path: overrides: import path;
+          directory = ./overlays;
        };
      };
-    in
-    {
-      overlays = lib.packagesFromDirectoryRecursive {
-        callPackage = path: overrides: import path;
-        directory = ./overlays;
-      };

-      legacyPackages = forEachSystem (
-        system:
-        lib.packagesFromDirectoryRecursive {
-          callPackage = nixpkgs.legacyPackages.${system}.callPackage;
-          directory = ./pkgs;
-        }
-      );
-
-      nixosConfigurations = lib.pipe ./hosts [
-        builtins.readDir
-        (lib.filterAttrs (name: value: value == "directory"))
-        (lib.mapAttrs (
-          name: value:
-          lib.nixosSystem {
-            specialArgs = { inherit inputs; };
-
-            modules = [
-              {
-                networking = {
-                  inherit domain;
-                  hostName = name;
-                };
-              }
-              ./hosts/${name}
-            ];
-          }
-        ))
+      systems = [
+        "aarch64-linux"
+        "x86_64-linux"
      ];

-      checks =
-        builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib
-        // (forEachSystem (system: {
-          pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
-            src = ./.;
-            hooks = {
-              check-case-conflicts.enable = true;
-              check-executables-have-shebangs.enable = true;
-              check-merge-conflicts.enable = true;
+      perSystem =
+        { pkgs, ... }:
+        {
+          formatter = pkgs.nixfmt-rfc-style;
+
+          legacyPackages = pkgs.lib.packagesFromDirectoryRecursive {
+            callPackage = pkgs.callPackage;
+            directory = ./pkgs;
+          };
+
+          pre-commit = {
+            settings = {
+              excludes = [ "pkgs/libcamera-rpi/libcamera-rpi-ipa-priv-key.pem" ];
+              hooks = {
+                check-case-conflicts.enable = true;
+                check-executables-have-shebangs.enable = true;
+                check-merge-conflicts.enable = true;
+                detect-private-keys.enable = true;
+                end-of-file-fixer.enable = true;
+                fix-byte-order-marker.enable = true;
+                mixed-line-endings.enable = true;
+                treefmt.enable = true;
+                trim-trailing-whitespace.enable = true;
+              };
+            };
+          };
+
+          treefmt = {
+            projectRootFile = "flake.nix";
+            programs = {
              deadnix = {
                enable = true;
-                settings = {
-                  noLambdaArg = true;
-                };
+                no-lambda-arg = true;
              };
-              detect-private-keys.enable = true;
-              end-of-file-fixer.enable = true;
-              fix-byte-order-marker.enable = true;
-              mixed-line-endings.enable = true;
+              mdformat.enable = true;
              nixfmt-rfc-style.enable = true;
-              trim-trailing-whitespace.enable = true;
+              shellcheck.enable = true;
            };
-            excludes = [ "pkgs/libcamera-rpi/libcamera-rpi-ipa-priv-key.pem" ];
          };
-        }));
-
-      formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
-
-      devShells = forEachSystem (system: {
-        default = nixpkgs.legacyPackages.${system}.mkShell {
-          inherit (self.checks.${system}.pre-commit-check) shellHook;
-          buildInputs = [
-            inputs.agenix.packages.${system}.agenix
-            inputs.deploy-rs.packages.${system}.deploy-rs
-          ]
-          ++ self.checks.${system}.pre-commit-check.enabledPackages;
        };
-      });
-
-      deploy = {
-        magicRollback = true;
-        autoRollback = true;
-        sshUser = "root";
-        nodes = lib.genAttrs [
-          "artemis"
-          "mail"
-          "pi"
-          "skycam"
-          "vps1"
-        ] mkDeployNode;
-      };
    };
 }
--- a/hosts/artemis/README.md
+++ b/hosts/artemis/README.md
@@ -1,36 +1,49 @@
 # Artemis

 ## Overview
-Couch gaming PC and media centre
+
+Home theatre and gaming PC

 ## Specs
-* CPU - AMD Ryzen 7 9800X3D @ 4.70GHz
-* Chipset - AMD B850
-* Memory - 64 GB DDR5
-* Motherboard - ASUS ROG STRIX B850-I Gaming WiFi
-* GPU - AMD Radeon 7900 XTX
-* Case - MCPRUE Apollo S v4
+
+- CPU - AMD Ryzen 7 9800X3D @ 4.70GHz
+- Chipset - AMD B850
+- Memory - 64 GB DDR5
+- Motherboard - ASUS ROG STRIX B850-I Gaming WiFi
+- GPU - AMD Radeon 7900 XTX
+- Case - MCPRUE Apollo S v4

 ### Disks
+
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 WD Black SN850X | `/dev/nvme0n1p1` (EFI, 500 MiB, NixOS Boot) <br> `/dev/nvme0n1p2` (ZFS, 4 TiB, NixOS Root)

 #### ZFS pool layout
+
 ```
 rpool/
 ├── local
 │   ├── nix
-│   └── tmp
-├── system
 │   ├── root
-│   └── var
-└── user
-    └── home
+│   └── state
+└── safe
+    └── persist
 ```

 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.

+#### Impermanence
+
+This machine uses [impermanence](https://github.com/nix-community/impermanence) and is rolled back to a clean state on each reboot.
+
+Mountpoint | Persists across reboots? | Backed up?
+--- | --- | ---
+`/` | No | Yes
+`/state` | Yes | No
+`/persist` | Yes | Yes
+
 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `artemis.mesh.vimium.net`.
--- a/hosts/artemis/default.nix
+++ b/hosts/artemis/default.nix
@@ -18,6 +18,7 @@ in
    ./hardware-configuration.nix
    ./disko-config.nix
    ../desktop.nix
+    ../../users/guest
  ];

  nixpkgs = {
@@ -72,11 +73,16 @@ in
    capSysAdmin = true;
  };

+  programs.steam.enable = true;
+
  environment = {
    systemPackages = [ pkgs.wine ];
    sessionVariables.WINE_BIN = getExe pkgs.wine;
  };

+  environment.persistence."/persist".enable = mkForce true;
+  environment.persistence."/state".enable = mkForce true;
+
  modules = {
    services = {
      borgmatic = {
@@ -90,7 +96,7 @@ in
    system = {
      wireless = {
        enable = true;
-        interfaces = [ "wlp8s0" ];
+        interfaces = [ "wlp11s0" ];
      };
      desktop = {
        gnome.enable = lib.mkForce false;
--- a/hosts/artemis/disko-config.nix
+++ b/hosts/artemis/disko-config.nix
@@ -35,80 +35,59 @@
          ashift = "12";
        };
        rootFsOptions = {
-          canmount = "off";
-          mountpoint = "none";
-          dnodesize = "auto";
+          compression = "zstd";
+          acltype = "posix";
+          atime = "off";
          xattr = "sa";
+          dnodesize = "auto";
+          mountpoint = "none";
+          canmount = "off";
+          devices = "off";
+          exec = "off";
+          setuid = "off";
        };
-        postCreateHook = "zfs snapshot rpool@blank";
        datasets = {
-          local = {
+          "local" = {
            type = "zfs_fs";
+          };
+          "local/root" = {
+            type = "zfs_fs";
+            mountpoint = "/";
            options = {
-              mountpoint = "none";
+              canmount = "noauto";
+              mountpoint = "/";
+              exec = "on";
+              setuid = "on";
            };
+            postCreateHook = "zfs snapshot rpool/local/root@blank";
          };
          "local/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
            options = {
-              atime = "off";
-              mountpoint = "legacy";
+              canmount = "noauto";
+              mountpoint = "/nix";
+              exec = "on";
+              setuid = "on";
            };
          };
-          "local/tmp" = {
+          "local/state" = {
            type = "zfs_fs";
-            mountpoint = "/tmp";
+            mountpoint = "/state";
            options = {
-              setuid = "off";
-              devices = "off";
-              mountpoint = "legacy";
+              canmount = "noauto";
+              mountpoint = "/state";
            };
          };
-          system = {
+          "safe" = {
            type = "zfs_fs";
-            mountpoint = "/";
-            options = {
-              mountpoint = "legacy";
-            };
          };
-          "system/var" = {
+          "safe/persist" = {
            type = "zfs_fs";
-            mountpoint = "/var";
+            mountpoint = "/persist";
            options = {
-              mountpoint = "legacy";
-            };
-          };
-          "system/var/tmp" = {
-            type = "zfs_fs";
-            mountpoint = "/var/tmp";
-            options = {
-              devices = "off";
-              mountpoint = "legacy";
-            };
-          };
-          "system/var/log" = {
-            type = "zfs_fs";
-            mountpoint = "/var/log";
-            options = {
-              compression = "on";
-              acltype = "posix";
-              mountpoint = "legacy";
-            };
-          };
-          user = {
-            type = "zfs_fs";
-            options = {
-              mountpoint = "none";
-            };
-          };
-          "user/home" = {
-            type = "zfs_fs";
-            mountpoint = "/home";
-            options = {
-              setuid = "off";
-              devices = "off";
-              mountpoint = "legacy";
+              canmount = "noauto";
+              mountpoint = "/persist";
            };
          };
        };
--- a/hosts/artemis/hardware-configuration.nix
+++ b/hosts/artemis/hardware-configuration.nix
@@ -68,7 +68,7 @@ in
      "amdgpu.sched_hw_submission=4"
      "audit=0"
    ];
-    kernelPackages = pkgs.linuxPackages_6_14;
+    kernelPackages = pkgs.linuxPackages_6_15;
    supportedFilesystems = [ "ntfs" ];
  };

@@ -91,7 +91,10 @@ in
    };
    graphics = {
      enable32Bit = true;
-      extraPackages = [ pkgs.gamescope-wsi ];
+      extraPackages = [
+        pkgs.gamescope-wsi
+        pkgs.vk-hdr-layer
+      ];
      extraPackages32 = [ pkgs.pkgsi686Linux.gamescope-wsi ];
    };
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
--- a/hosts/atlas/README.md
+++ b/hosts/atlas/README.md
@@ -1,24 +1,28 @@
 # Atlas

 ## Overview
+
 A general purpose mini computer used for web browsing and multimedia.

 ## Specs
-* CPU - Intel Core i7-4790K @ 4.00GHz
-* Chipset - Intel Z97
-* Memory - 8 GB DDR3
-* Motherboard - ASRock Z97M-ITX
-* GPU - AMD Radeon R9 290X 4GB
-* Case - SilverStone Sugo SG13
-* NIC - Intel Gigabit I218-V, Broadcom BCM4360 802.11ac
+
+- CPU - Intel Core i7-4790K @ 4.00GHz
+- Chipset - Intel Z97
+- Memory - 8 GB DDR3
+- Motherboard - ASRock Z97M-ITX
+- GPU - AMD Radeon R9 290X 4GB
+- Case - SilverStone Sugo SG13
+- NIC - Intel Gigabit I218-V, Broadcom BCM4360 802.11ac

 ### Disks
+
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 Samsung SSD 850 | `/dev/sda1` (NTFS, 500 GiB, Windows XP)
 Samsung SSD 850 | `/dev/sdb1` (EFI, 500 MiB, NixOS Boot) <br> `/dev/sdb2` (ZFS, 500 GiB, NixOS Root)

 #### ZFS pool layout
+
 ```
 rpool/
 ├── local
@@ -34,5 +38,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `atlas.mesh.vimium.net`.
--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@@ -4,6 +4,7 @@
  imports = [
    ./hardware-configuration.nix
    ../desktop.nix
+    ../../users/jordan
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -4,12 +4,12 @@
  pkgs,
  ...
 }:
-
 {
  imports = [
    inputs.agenix.nixosModules.age
    inputs.home-manager.nixosModules.home-manager
    ../modules/nixos
+    ../modules/nixos/impermanence.nix
  ];

  nixpkgs = {
--- a/hosts/desktop.nix
+++ b/hosts/desktop.nix
@@ -1,4 +1,6 @@
 {
+  inputs,
+  config,
  pkgs,
  ...
 }:
@@ -6,7 +8,6 @@
 {
  imports = [
    ./common.nix
-    ../users/jordan
  ];

  services.printing.enable = true;
@@ -44,6 +45,9 @@
    randomizedDelaySec = "10min";
  };

+  age.secrets."passwords/users/root".file = "${inputs.secrets}/passwords/users/jordan.age";
+  users.users.root.hashedPasswordFile = config.age.secrets."passwords/users/root".path;
+
  systemd.services.NetworkManager-wait-online.enable = false;

  modules = {
--- a/hosts/eos/README.md
+++ b/hosts/eos/README.md
@@ -1,18 +1,22 @@
 # Eos

 ## Overview
+
 ThinkPad X220 laptop.

 ## Specs
-* CPU - Intel Core i5-2520M @ 3.20GHz
-* Memory - 8 GB DDR3
+
+- CPU - Intel Core i5-2520M @ 3.20GHz
+- Memory - 8 GB DDR3

 ### Disks
+
 Device | Partitions _(filesystem, usage)_
 --- | ---
 Solid | `/dev/sda1` (EFI, NixOS Boot) <br> `/dev/sda2` (ZFS, NixOS Root)

 #### ZFS pool layout
+
 ```
 rpool/
 ├── local
@@ -28,5 +32,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `eos.mesh.vimium.net`.
--- a/hosts/eos/default.nix
+++ b/hosts/eos/default.nix
@@ -4,6 +4,7 @@
  imports = [
    ./hardware-configuration.nix
    ../desktop.nix
+    ../../users/jordan
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
--- a/hosts/helios/README.md
+++ b/hosts/helios/README.md
@@ -1,16 +1,19 @@
 # Helios

 ## Overview
+
 Dell OptiPlex 980 small form factor desktop.

 ## Specs
-* CPU - Intel Core i7-860 @ 2.8GHz
-* Chipset - Intel Q57 Express
-* Memory - 8 GB DDR2
-* GPU - AMD FirePro 2460
-* NIC - Intel Gigabit 82578DM
+
+- CPU - Intel Core i7-860 @ 2.8GHz
+- Chipset - Intel Q57 Express
+- Memory - 8 GB DDR2
+- GPU - AMD FirePro 2460
+- NIC - Intel Gigabit 82578DM

 ### Disks
+
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 SanDisk Ultra II | `/dev/sda1` (ext2, 200 MiB, NixOS Boot) <br> `/dev/sda2` (ZFS, 480 GiB, NixOS Root)
@@ -19,6 +22,7 @@ SanDisk Ultra II | `/dev/sda1` (ext2, 200 MiB, NixOS Boot) <br> `/dev/sda2` (ZFS
 > an MBR partition table.

 #### ZFS pool layout
+
 ```
 rpool/
 ├── local
@@ -34,5 +38,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.

 ### Networks
+
 - DHCP on `192.168.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `helios.mesh.vimium.net`.
--- a/hosts/helios/default.nix
+++ b/hosts/helios/default.nix
@@ -1,4 +1,5 @@
 {
+  inputs,
  pkgs,
  lib,
  ...
@@ -9,8 +10,11 @@ let
 in
 {
  imports = [
+    inputs.disko.nixosModules.disko
    ./hardware-configuration.nix
+    ./disko-config.nix
    ../desktop.nix
+    ../../users/jordan
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
--- a/hosts/helios/disko-config.nix
+++ b/hosts/helios/disko-config.nix
@@ -0,0 +1,101 @@
+{ ... }:
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-SanDisk_Ultra_II_480GB_162224802391";
+        content = {
+          type = "gpt";
+          partitions = {
+            MBR = {
+              size = "1M";
+              type = "EF02"; # For GRUB MBR
+            };
+            boot = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "rpool";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      rpool = {
+        type = "zpool";
+        options = {
+          ashift = "12";
+        };
+        rootFsOptions = {
+          compression = "zstd";
+          acltype = "posix";
+          atime = "off";
+          xattr = "sa";
+          dnodesize = "auto";
+          mountpoint = "none";
+          canmount = "off";
+          devices = "off";
+          exec = "off";
+          setuid = "off";
+        };
+        datasets = {
+          "local" = {
+            type = "zfs_fs";
+          };
+          "local/root" = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/";
+              exec = "on";
+              setuid = "on";
+            };
+            postCreateHook = "zfs snapshot rpool/local/root@blank";
+          };
+          "local/nix" = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/nix";
+              exec = "on";
+              setuid = "on";
+            };
+          };
+          "local/state" = {
+            type = "zfs_fs";
+            mountpoint = "/state";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/state";
+            };
+          };
+          "safe" = {
+            type = "zfs_fs";
+          };
+          "safe/persist" = {
+            type = "zfs_fs";
+            mountpoint = "/persist";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/persist";
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/hypnos/README.md
+++ b/hosts/hypnos/README.md
@@ -1,21 +1,25 @@
 # Hypnos

 ## Overview
+
 15-inch MacBook Pro 11,3 (Mid 2014).

 ## Specs
-* CPU - Intel Core i7-4870HQ @ 2.50GHz
-* Memory - 16 GB DDR3
-* GPU - Intel Iris Pro 5200
-* GPU - NVIDIA GeForce GT 750M
-* NIC - Broadcom BCM43xx 802.11ac
+
+- CPU - Intel Core i7-4870HQ @ 2.50GHz
+- Memory - 16 GB DDR3
+- GPU - Intel Iris Pro 5200
+- GPU - NVIDIA GeForce GT 750M
+- NIC - Broadcom BCM43xx 802.11ac

 ### Disks
+
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 Apple SSD SM0512F | `/dev/sda1` (EFI, 256 MiB, NixOS Boot) <br> `/dev/sda2` (ZFS, 500 GiB, NixOS Root)

 #### ZFS pool layout
+
 ```
 rpool/
 ├── local
@@ -31,5 +35,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `hypnos.mesh.vimium.net`.
--- a/hosts/hypnos/default.nix
+++ b/hosts/hypnos/default.nix
@@ -11,12 +11,14 @@
    ./hardware-configuration.nix
    ./disko-config.nix
    ../desktop.nix
+    ../../users/jordan
  ];

  nixpkgs = {
    hostPlatform = "x86_64-linux";
    config = {
      nvidia.acceptLicense = true;
+      permittedInsecurePackages = [ "broadcom-sta-6.30.223.271-57-6.12.41" ];
    };
  };

--- a/hosts/library/README.md
+++ b/hosts/library/README.md
@@ -1,21 +1,25 @@
 # Library

 ## Overview
+
 Media and public file server.

 ## Specs
-* CPU - AMD Ryzen 5 5600G @ 3.90GHz
-* Chipset - AMD B550
-* Memory - 64 GB DDR4
-* Motherboard - ASRock B550M Pro4
-* Case - JMCD-12S4
+
+- CPU - AMD Ryzen 5 5600G @ 3.90GHz
+- Chipset - AMD B550
+- Memory - 64 GB DDR4
+- Motherboard - ASRock B550M Pro4
+- Case - JMCD-12S4

 ### Disks
+
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 Samsung 970 Evo Plus | `/dev/nvme0n1p1` (EFI, 512 MiB, NixOS Boot) <br> `/dev/nvme0n1p2` (ZFS `rpool`, 200 GiB, NixOS Root)

 #### ZFS datasets
+
 ```
 rpool/
 ├── local
@@ -41,5 +45,6 @@ library/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind the `rpool` datasets.

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `library.mesh.vimium.net`.
--- a/hosts/library/ai.nix
+++ b/hosts/library/ai.nix
@@ -26,6 +26,7 @@
        ENABLE_OAUTH_ROLE_MANAGEMENT = "True";
        OAUTH_CLIENT_ID = clientId;
        OAUTH_PROVIDER_NAME = "Vimium";
+        OFFLINE_MODE = "True";
        OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
        OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";
      };
@@ -35,4 +36,11 @@
  modules.services.borgmatic.directories = [
    "/var/lib/private/open-webui"
  ];
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/open-webui";
+      mode = "0700";
+    }
+  ];
 }
--- a/hosts/library/grafana.nix
+++ b/hosts/library/grafana.nix
@@ -1,4 +1,5 @@
 {
+  config,
  ...
 }:

@@ -13,4 +14,13 @@
      };
    };
  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.grafana.dataDir;
+      user = "grafana";
+      group = "grafana";
+      mode = "0700";
+    }
+  ];
 }
--- a/hosts/library/jellyfin.nix
+++ b/hosts/library/jellyfin.nix
@@ -24,6 +24,22 @@
    dataDir = "/var/lib/jellyfin";
  };

+  environment.persistence."/state".directories = [
+    {
+      directory = config.services.jellyfin.cacheDir;
+      inherit (config.services.jellyfin) user group;
+      mode = "0700";
+    }
+  ];
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.jellyfin.dataDir;
+      inherit (config.services.jellyfin) user group;
+      mode = "0700";
+    }
+  ];
+
  modules.services.borgmatic.directories = [
    config.services.jellyfin.dataDir
  ];
--- a/hosts/library/jellysearch.nix
+++ b/hosts/library/jellysearch.nix
@@ -55,4 +55,8 @@
      MEILI_URL = "http://localhost:${toString config.services.meilisearch.listenPort}";
    };
  };
+
+  environment.persistence."/state".directories = [
+    config.systemd.services.jellysearch.serviceConfig.WorkingDirectory
+  ];
 }
--- a/hosts/library/prometheus.nix
+++ b/hosts/library/prometheus.nix
@@ -32,4 +32,13 @@
      }
    ];
  };
+
+  environment.persistence."/state".directories = [
+    {
+      directory = "/var/lib/${config.services.prometheus.stateDir}";
+      user = "prometheus";
+      group = "prometheus";
+      mode = "0700";
+    }
+  ];
 }
--- a/hosts/mail/README.md
+++ b/hosts/mail/README.md
@@ -1,17 +1,21 @@
 # Mail server

 ## Overview
+
 Mail server hosted in OVH.

 ## Specs
-* CPU - ??
-* Memory - ??
+
+- CPU - ??
+- Memory - ??

 ### Disks
+
 Device | Partitions _(filesystem, usage)_
 --- | ---
 NVMe | `/dev/sda1` (ext4, NixOS Root)

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `mail.mesh.vimium.net`.
--- a/hosts/mail/mail.nix
+++ b/hosts/mail/mail.nix
@@ -85,4 +85,52 @@ in
    smtp_destination_concurrency_limit = "20";
    header_size_limit = "4096000";
  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/dkim";
+      user = "rspamd";
+      group = "rspamd";
+      mode = "0755";
+    }
+    {
+      directory = "/var/sieve";
+      user = "virtualMail";
+      group = "virtualMail";
+      mode = "0770";
+    }
+    {
+      directory = "/var/vmail";
+      user = "virtualMail";
+      group = "virtualMail";
+      mode = "0700";
+    }
+    {
+      directory = "/var/lib/rspamd";
+      user = "rspamd";
+      group = "rspamd";
+      mode = "0700";
+    }
+    {
+      directory = "/var/lib/redis-rspamd";
+      user = "redis-rspamd";
+      group = "redis-rspamd";
+      mode = "0700";
+    }
+    {
+      directory = "/var/lib/opendkim";
+      user = 221;
+      group = 221;
+      mode = "0700";
+    }
+    {
+      directory = "/var/lib/knot-resolver";
+      user = "knot-resolver";
+      group = "knot-resolver";
+      mode = "0770";
+    }
+    "/var/lib/dhparams"
+    "/var/lib/dovecot"
+    "/var/lib/postfix"
+  ];
 }
--- a/hosts/odyssey/README.md
+++ b/hosts/odyssey/README.md
@@ -1,22 +1,26 @@
 # Odyssey

 ## Overview
+
 Primary workstation.

 ## Specs
-* CPU - AMD Ryzen 9 9950X3D @ 4.30GHz
-* Chipset - AMD X870E
-* Memory - 96 GB DDR5
-* Motherboard - ASUS ProArt X870E-Creator WiFi
-* GPU - NVIDIA RTX 3090
-* Case - Thermaltake A500
+
+- CPU - AMD Ryzen 9 9950X3D @ 4.30GHz
+- Chipset - AMD X870E
+- Memory - 96 GB DDR5
+- Motherboard - ASUS ProArt X870E-Creator WiFi
+- GPU - NVIDIA RTX 3090
+- Case - Thermaltake A500

 ### Disks
+
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 Samsung 980 Pro | `/dev/nvme0n1p1` (EFI, 512 MiB, NixOS Boot) <br> `/dev/nvme0n1p2` (ZFS, 2 TiB, NixOS Root)

 #### ZFS pool layout
+
 ```
 rpool/
 ├── local
@@ -32,5 +36,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `odyssey.mesh.vimium.net`.
--- a/hosts/odyssey/default.nix
+++ b/hosts/odyssey/default.nix
@@ -10,6 +10,7 @@
    ./gitea-runner.nix
    ./nix-serve.nix
    ../desktop.nix
+    ../../users/jordan
  ];

  nixpkgs = {
--- a/hosts/odyssey/hardware-configuration.nix
+++ b/hosts/odyssey/hardware-configuration.nix
@@ -34,6 +34,9 @@
      powerOnBoot = true;
    };
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    graphics = {
+      extraPackages = [ pkgs.vk-hdr-layer ];
+    };
    nvidia = {
      modesetting.enable = true;
      open = true;
--- a/hosts/pi/README.md
+++ b/hosts/pi/README.md
@@ -1,19 +1,23 @@
 # Pi

 ## Overview
+
 Raspberry Pi 4

 ## Specs
-* SoC - Broadcom BCM2711
-* CPU - ARM Cortex-A72 @ 1.8 GHz
-* Memory - 8 GB LPDDR4
+
+- SoC - Broadcom BCM2711
+- CPU - ARM Cortex-A72 @ 1.8 GHz
+- Memory - 8 GB LPDDR4

 ### Disks
+
 Device | Partitions _(filesystem, usage)_
 --- | ---
 SD card | `/dev/mmcblk0` (ext4, NixOS Root)

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `pi.mesh.vimium.net`.

--- a/hosts/pi/home-assistant/default.nix
+++ b/hosts/pi/home-assistant/default.nix
@@ -276,6 +276,15 @@
    lovelaceConfigWritable = true;
  };

+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.home-assistant.configDir;
+      user = "hass";
+      group = "hass";
+      mode = "0700";
+    }
+  ];
+
  modules.services.borgmatic.directories = [
    config.services.home-assistant.configDir
  ];
--- a/hosts/pi/home-assistant/mqtt.nix
+++ b/hosts/pi/home-assistant/mqtt.nix
@@ -69,6 +69,21 @@
    };
  };

+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.zigbee2mqtt.dataDir;
+      user = "zigbee2mqtt";
+      group = "zigbee2mqtt";
+      mode = "0700";
+    }
+    {
+      directory = config.services.mosquitto.dataDir;
+      user = "mosquitto";
+      group = "mosquitto";
+      mode = "0700";
+    }
+  ];
+
  modules.services.borgmatic.directories = [
    config.services.mosquitto.dataDir
    config.services.zigbee2mqtt.dataDir
--- a/hosts/server.nix
+++ b/hosts/server.nix
@@ -65,6 +65,13 @@ in
    ];
  };

+  environment.persistence."/state".directories = [
+    {
+      directory = "/var/lib/fail2ban";
+      mode = "0750";
+    }
+  ];
+
  services.openssh.settings.PermitRootLogin = mkForce "prohibit-password";

  modules.services.tailscale = {
--- a/hosts/skycam/README.md
+++ b/hosts/skycam/README.md
@@ -1,26 +1,32 @@
 # Skycam

 ## Overview
+
 Raspberry Pi 4-based webcam

 ## Specs
-* SoC - Broadcom BCM2711
-* CPU - ARM Cortex-A72 @ 1.8 GHz
-* Memory - 8 GB LPDDR4
+
+- SoC - Broadcom BCM2711
+- CPU - ARM Cortex-A72 @ 1.8 GHz
+- Memory - 8 GB LPDDR4

 ### Disks
+
 Device | Partitions _(filesystem, usage)_
 --- | ---
 SD card | `/dev/mmcblk0` (ext4, NixOS Root)

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `skycam.mesh.vimium.net`.

 ## Devices and connections
+
 - Camera Module 3 with wide-angle lens

 ## Building
+
 To generate a compressed SD card image for Skycam, run:
 `nix build '.#nixosConfigurations.skycam.config.system.build.sdImage'`

--- a/hosts/skycam/default.nix
+++ b/hosts/skycam/default.nix
@@ -79,6 +79,10 @@
    };
  };

+  environment.persistence."/persist".directories = [
+    "/var/lib/skycam-archiver"
+  ];
+
  modules.services.borgmatic = {
    enable = true;
    directories = [
--- a/hosts/vps1/README.md
+++ b/hosts/vps1/README.md
@@ -1,17 +1,21 @@
 # vps1

 ## Overview
+
 VPS hosted in OVH.

 ## Specs
-* CPU - ??
-* Memory - ??
+
+- CPU - ??
+- Memory - ??

 ### Disks
+
 Device | Partitions _(filesystem, usage)_
 --- | ---
 NVMe | `/dev/sda1` (ext4, NixOS Root)

 ### Networks
+
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `vps1.mesh.vimium.net`.
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -11,7 +11,6 @@
    ./kanidm.nix
    ./matrix.nix
    ./nginx.nix
-    ./outline.nix
    ./photoprism.nix
    ../server.nix
  ];
--- a/hosts/vps1/gitea.nix
+++ b/hosts/vps1/gitea.nix
@@ -86,4 +86,12 @@ in
      packages.CHUNKED_UPLOAD_PATH = lib.mkForce "${stateDir}/data/tmp/package-upload";
    };
  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.gitea.stateDir;
+      inherit (config.services.gitea) user group;
+      mode = "0700";
+    }
+  ];
 }
--- a/hosts/vps1/headscale.nix
+++ b/hosts/vps1/headscale.nix
@@ -48,6 +48,13 @@ in
    };
  };

+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/headscale";
+      inherit (config.services.headscale) user group;
+    }
+  ];
+
  services.nginx.virtualHosts = {
    "${domain}" = {
      forceSSL = true;
--- a/hosts/vps1/kanidm.nix
+++ b/hosts/vps1/kanidm.nix
@@ -49,4 +49,13 @@ in
    postRun = "systemctl restart kanidm.service";
    group = "acme";
  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/kanidm";
+      user = "kanidm";
+      group = "kanidm";
+      mode = "0700";
+    }
+  ];
 }
--- a/hosts/vps1/matrix.nix
+++ b/hosts/vps1/matrix.nix
@@ -216,4 +216,23 @@ in
    }
    // commonBridgeSettings "mautrix-whatsapp";
  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.matrix-synapse.dataDir;
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      mode = "0700";
+    }
+    {
+      directory = "/var/lib/mautrix-signal";
+      user = "mautrix-signal";
+      group = "mautrix-signal";
+    }
+    {
+      directory = "/var/lib/mautrix-whatsapp";
+      user = "mautrix-whatsapp";
+      group = "mautrix-whatsapp";
+    }
+  ];
 }
--- a/hosts/vps1/outline.nix
+++ b/hosts/vps1/outline.nix
@@ -1,51 +0,0 @@
-{
-  inputs,
-  config,
-  ...
-}:
-let
-  domain = "outline.vimium.com";
-in
-{
-  services.nginx.virtualHosts = {
-    "${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:3000";
-        extraConfig = ''
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "Upgrade";
-          proxy_set_header Host $host;
-
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Scheme $scheme;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_redirect off;
-        '';
-      };
-    };
-  };
-
-  age.secrets."passwords/services/outline/oidc-client-secret" = {
-    file = "${inputs.secrets}/passwords/services/outline/oidc-client-secret.age";
-    owner = "outline";
-    group = "outline";
-  };
-
-  services.outline = {
-    enable = true;
-    forceHttps = false;
-    oidcAuthentication = {
-      clientId = "outline";
-      clientSecretFile = config.age.secrets."passwords/services/outline/oidc-client-secret".path;
-      displayName = "Vimium";
-      authUrl = "https://auth.vimium.com/ui/oauth2";
-      tokenUrl = "https://auth.vimium.com/oauth2/token";
-      userinfoUrl = "https://auth.vimium.com/oauth2/openid/outline/userinfo";
-    };
-    publicUrl = "https://${domain}";
-    storage.storageType = "local";
-  };
-}
--- a/hosts/vps1/photoprism.nix
+++ b/hosts/vps1/photoprism.nix
@@ -32,6 +32,14 @@ in
    file = "${inputs.secrets}/passwords/services/photoprism/admin.age";
  };

+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/photoprism";
+      user = "photoprism";
+      group = "photoprism";
+    }
+  ];
+
  services.photoprism = {
    enable = true;
    address = "localhost";
--- a/hosts/vps2/default.nix
+++ b/hosts/vps2/default.nix
@@ -0,0 +1,31 @@
+{
+  inputs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    ./hardware-configuration.nix
+    ./disko-config.nix
+    ../server.nix
+  ];
+
+  nixpkgs = {
+    hostPlatform = "x86_64-linux";
+  };
+
+  networking = {
+    hostId = "60de4af8";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22 # SSH
+      ];
+    };
+  };
+
+  modules.services.tailscale.isExitNode = true;
+
+  system.stateVersion = "25.05";
+}
--- a/hosts/vps2/disko-config.nix
+++ b/hosts/vps2/disko-config.nix
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "2M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "300M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/vps2/hardware-configuration.nix
+++ b/hosts/vps2/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "xen_blkfront"
+        "vmw_pvscsi"
+      ];
+      kernelModules = [ "nvme" ];
+    };
+    loader.grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+    };
+    tmp.cleanOnBoot = true;
+  };
+
+  zramSwap.enable = true;
+}
--- a/modules/nixos/impermanence.nix
+++ b/modules/nixos/impermanence.nix
@@ -0,0 +1,147 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    attrNames
+    flip
+    isAttrs
+    mapAttrs
+    mkIf
+    mkMerge
+    mkOption
+    optionals
+    types
+    ;
+in
+{
+  boot.zfs.forceImportRoot = false;
+  boot.initrd.systemd.enable = true;
+  boot.initrd.systemd.services.impermanence-rollback =
+    mkIf
+      (config.environment.persistence."/persist".enable || config.environment.persistence."/state".enable)
+      {
+        description = "Rollback root filesystem";
+        wantedBy = [ "initrd.target" ];
+        after = [ "zfs-import-rpool.service" ];
+        before = [ "sysroot.mount" ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+        };
+      };
+
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/ssh_host_ed25519_key"
+  ];
+
+  fileSystems."/state" = mkIf config.environment.persistence."/state".enable {
+    neededForBoot = true;
+  };
+  environment.persistence."/state" = {
+    enable = false;
+    hideMounts = true;
+    directories = [
+      "/var/lib/systemd"
+      "/var/log"
+      "/var/spool"
+    ];
+  };
+
+  fileSystems."/persist" = mkIf config.environment.persistence."/persist".enable {
+    neededForBoot = true;
+  };
+  environment.persistence."/persist" = {
+    enable = false;
+    hideMounts = true;
+    files = [
+      (mkIf (!config.boot.isContainer) "/etc/machine-id")
+      "/etc/adjtime"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+    directories = [
+      "/var/lib/nixos"
+    ]
+    ++ optionals config.security.acme.acceptTerms [
+      {
+        directory = "/var/lib/acme";
+        user = "acme";
+        group = "acme";
+        mode = "0755";
+      }
+    ]
+    ++ optionals config.services.printing.enable [
+      {
+        directory = "/var/lib/cups";
+        mode = "0700";
+      }
+    ]
+    ++ optionals config.hardware.bluetooth.enable [
+      "/var/lib/bluetooth"
+    ];
+  };
+
+  users.mutableUsers = !config.environment.persistence."/persist".enable;
+
+  # For each user that has a home-manager config, merge the locally defined
+  # persistence options that we defined above.
+  imports =
+    let
+      mkUserFiles = map (
+        x: { parentDirectory.mode = "700"; } // (if isAttrs x then x else { file = x; })
+      );
+      mkUserDirs = map (x: { mode = "700"; } // (if isAttrs x then x else { directory = x; }));
+    in
+    [
+      {
+        environment.persistence = mkMerge (
+          flip map (attrNames config.home-manager.users) (
+            user:
+            let
+              hmUserCfg = config.home-manager.users.${user};
+            in
+            flip mapAttrs hmUserCfg.home.persistence (
+              _: sourceCfg: {
+                users.${user} = {
+                  files = mkUserFiles sourceCfg.files;
+                  directories = mkUserDirs sourceCfg.directories;
+                };
+              }
+            )
+          )
+        );
+      }
+    ];
+
+  home-manager.sharedModules = [
+    {
+      options.home.persistence = mkOption {
+        description = "Additional persistence config for the given source path";
+        default = { };
+        type = types.attrsOf (
+          types.submodule {
+            options = {
+              files = mkOption {
+                description = "Additional files to persist via NixOS impermanence.";
+                type = types.listOf (types.either types.attrs types.str);
+                default = [ ];
+              };
+
+              directories = mkOption {
+                description = "Additional directories to persist via NixOS impermanence.";
+                type = types.listOf (types.either types.attrs types.str);
+                default = [ ];
+              };
+            };
+          }
+        );
+      };
+    }
+  ];
+}
--- a/modules/nixos/podman.nix
+++ b/modules/nixos/podman.nix
@@ -40,6 +40,10 @@ in

    };

+    environment.persistence."/persist".directories = [
+      "/var/lib/containers/storage"
+    ];
+
    networking.firewall.interfaces."podman+" = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
--- a/modules/nixos/services/postgresql.nix
+++ b/modules/nixos/services/postgresql.nix
@@ -30,6 +30,15 @@ in
      };
    };

+    environment.persistence."/persist".directories = [
+      {
+        directory = "/var/lib/postgresql";
+        user = "postgres";
+        group = "postgres";
+        mode = "0700";
+      }
+    ];
+
    services.borgmatic.settings = {
      postgresql_databases = [
        {
--- a/modules/nixos/services/tailscale.nix
+++ b/modules/nixos/services/tailscale.nix
@@ -17,6 +17,14 @@ in
      default = false;
      example = true;
    };
+    isExitNode = lib.mkOption {
+      default = false;
+      example = true;
+    };
+    useExitNode = lib.mkOption {
+      default = false;
+      example = true;
+    };
    restrictSSH = lib.mkOption {
      default = true;
      example = true;
@@ -37,7 +45,8 @@ in
      extraUpFlags = [
        "--login-server"
        headscale
-      ];
+      ]
+      ++ (if cfg.isExitNode then [ "--advertise-exit-node" ] else [ ]);
    };

    services.openssh.openFirewall = !cfg.restrictSSH;
@@ -47,5 +56,9 @@ in
      trustedInterfaces = [ "tailscale0" ];
      allowedUDPPorts = [ config.services.tailscale.port ];
    };
+
+    environment.persistence."/state".directories = [
+      "/var/lib/tailscale"
+    ];
  };
 }
--- a/modules/nixos/system/desktop/gnome.nix
+++ b/modules/nixos/system/desktop/gnome.nix
@@ -70,5 +70,11 @@ in
      gnomeExtensions.worksets
      gnomeExtensions.workspace-matrix
    ];
+
+    environment.persistence."/persist".directories = [
+      "/etc/NetworkManager"
+      "/var/lib/AccountsService"
+      "/var/lib/NetworkManager"
+    ];
  };
 }
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -0,0 +1,26 @@
+{ inputs, ... }:
+{
+  imports = [
+    inputs.devshell.flakeModule
+  ];
+
+  perSystem =
+    { config, pkgs, ... }:
+    {
+      devshells.default = {
+        commands = [
+          {
+            package = config.treefmt.build.wrapper;
+            help = "Format all files";
+          }
+          {
+            package = pkgs.deploy-rs;
+            name = "deploy";
+            help = "Deploy this nix-config to remote hosts";
+          }
+        ];
+
+        devshell.startup.pre-commit.text = config.pre-commit.installationScript;
+      };
+    };
+}
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@@ -0,0 +1,61 @@
+{
+  inputs,
+  ...
+}:
+
+{
+  flake =
+    { config, lib, ... }:
+    let
+      domain = "mesh.vimium.net";
+      mkDeployNode = hostName: {
+        hostname = "${hostName}.${domain}";
+
+        profiles.system = {
+          user = "root";
+          path =
+            inputs.deploy-rs.lib.${
+              config.nixosConfigurations.${hostName}.config.system.build.toplevel.system
+            }.activate.nixos
+              config.nixosConfigurations.${hostName};
+        };
+      };
+    in
+    {
+      nixosConfigurations = lib.pipe ../hosts [
+        builtins.readDir
+        (lib.filterAttrs (name: value: value == "directory"))
+        (lib.mapAttrs (
+          name: value:
+          inputs.nixpkgs.lib.nixosSystem {
+            specialArgs = { inherit inputs; };
+
+            modules = [
+              inputs.impermanence.nixosModules.impermanence
+              {
+                networking = {
+                  inherit domain;
+                  hostName = name;
+                };
+              }
+              ../hosts/${name}
+            ];
+          }
+        ))
+      ];
+
+      deploy = {
+        magicRollback = true;
+        autoRollback = true;
+        sshUser = "root";
+        nodes = lib.genAttrs [
+          "artemis"
+          "mail"
+          "pi"
+          "skycam"
+          "vps1"
+          "vps2"
+        ] mkDeployNode;
+      };
+    };
+}
--- a/pkgs/vk-hdr-layer/package.nix
+++ b/pkgs/vk-hdr-layer/package.nix
@@ -0,0 +1,44 @@
+{
+  stdenv,
+  fetchFromGitHub,
+  lib,
+  meson,
+  ninja,
+  pkg-config,
+  vulkan-headers,
+  vulkan-loader,
+  wayland-scanner,
+  wayland,
+  xorg,
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "vk-hdr-layer";
+  version = "303e0c69e1d33acd95158d92b1fc652fb5b85399";
+
+  src = fetchFromGitHub {
+    owner = "Zamundaaa";
+    repo = "VK_hdr_layer";
+    rev = "303e0c69e1d33acd95158d92b1fc652fb5b85399";
+    fetchSubmodules = true;
+    hash = "sha256-NsC44Ifl/fAHvFqP7NLrVZ71Y+x5mBEkv+r43HN5yn4=";
+  };
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    pkg-config
+  ];
+  buildInputs = [
+    vulkan-headers
+    vulkan-loader
+    wayland
+    wayland-scanner
+    xorg.libX11
+  ];
+
+  meta = {
+    description = "Vulkan layer utilizing a small color management / HDR protocol for experimentation";
+    homepage = "https://github.com/Zamundaaa/VK_hdr_layer";
+    license = lib.licenses.mit;
+  };
+})
--- a/users/guest/common/optional/graphical/steam.nix
+++ b/users/guest/common/optional/graphical/steam.nix
@@ -0,0 +1,30 @@
+{
+  pkgs,
+  ...
+}:
+{
+  home.packages = with pkgs; [
+    gamescope
+    steam
+  ];
+
+  systemd.user.services.steam-big-picture = {
+    Unit = {
+      Description = "Steam Big Picture in Gamescope";
+      After = [
+        "graphical.target"
+        "default.target"
+      ];
+    };
+    Service = {
+      ExecStart = ''
+        ${pkgs.gamescope}/bin/gamescope --rt --backend drm --steam -- \
+          ${pkgs.steam}/bin/steam -pipewire-dmabuf -tenfoot
+      '';
+      Restart = "always";
+    };
+    Install = {
+      WantedBy = [ "default.target" ];
+    };
+  };
+}
--- a/users/guest/default.nix
+++ b/users/guest/default.nix
@@ -0,0 +1,66 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    optional
+    ;
+  name = "guest";
+  hostFile = ./. + "/${config.networking.hostName}.nix";
+in
+{
+  users.users.${name} = {
+    description = "Guest";
+    extraGroups = [
+      "audio"
+      "input"
+      "render"
+      "video"
+    ];
+    group = "users";
+    isNormalUser = true;
+    shell = pkgs.zsh;
+  };
+
+  home-manager.users.${name} = {
+    imports = [
+      ./common/optional/graphical/steam.nix
+      {
+        home.persistence."/state" = {
+          directories = [
+            ".local/state/wireplumber"
+          ];
+        };
+        home.persistence."/persist" = {
+          directories = [
+            ".config/gamescope"
+            ".local/share/icons"
+            ".local/share/Steam"
+            ".local/share/vulkan"
+            ".steam"
+          ];
+        };
+      }
+    ]
+    ++ optional (builtins.pathExists hostFile) hostFile;
+
+    home = {
+      username = name;
+    };
+
+    xdg.enable = true;
+  };
+
+  services.getty = {
+    autologinOnce = true;
+    autologinUser = "guest";
+  };
+
+  # Workaround: https://github.com/nix-community/home-manager/issues/7166
+  systemd.services."home-manager-${name}".serviceConfig = {
+    RemainAfterExit = "yes";
+  };
+}
--- a/users/jordan/common/gpg.nix
+++ b/users/jordan/common/gpg.nix
@@ -11,4 +11,8 @@
    enable = true;
    enableSshSupport = true;
  };
+
+  home.persistence."/persist".directories = [
+    ".gnupg"
+  ];
 }
--- a/users/jordan/common/neovim.nix
+++ b/users/jordan/common/neovim.nix
@@ -130,4 +130,10 @@
  };

  home.sessionVariables.EDITOR = "nvim";
+
+  home.persistence."/state".directories = [
+    ".local/share/nvim"
+    ".local/state/nvim"
+    ".cache/nvim"
+  ];
 }
--- a/users/jordan/common/optional/graphical/firefox.nix
+++ b/users/jordan/common/optional/graphical/firefox.nix
@@ -207,4 +207,12 @@
      };
    };
  };
+
+  home.persistence."/state".directories = [
+    ".cache/mozilla"
+  ];
+
+  home.persistence."/persist".directories = [
+    ".mozilla"
+  ];
 }
--- a/users/jordan/common/optional/graphical/fonts.nix
+++ b/users/jordan/common/optional/graphical/fonts.nix
@@ -8,6 +8,7 @@
    adwaita-fonts
    apple-color-emoji
    corefonts
+    dejavu_fonts
    nerd-fonts.bigblue-terminal
    nerd-fonts.comic-shanns-mono
    nerd-fonts.terminess-ttf
--- a/users/jordan/common/optional/graphical/hyprland/default.nix
+++ b/users/jordan/common/optional/graphical/hyprland/default.nix
@@ -110,6 +110,10 @@ in
        no_update_news = true;
      };

+      experimental = {
+        xx_color_management_v4 = true;
+      };
+
      decoration = {
        rounding = 10;

@@ -160,7 +164,10 @@ in
        ];
      };

-      monitor = "desc:Dell Inc. DELL U3219Q HPTP413, preferred, auto, 1";
+      monitor = [
+        "desc:Dell Inc. DELL U3219Q HPTP413, preferred, auto, 1, vrr, 0, bitdepth, 10, cm, hdr"
+        "desc:LG Electronics LG TV SSCR2, 3840x2160@60, 0x0, 1, vrr, 0, bitdepth, 10, cm, hdr"
+      ];

      input = {
        kb_layout = "us";
--- a/users/jordan/common/optional/graphical/thunderbird.nix
+++ b/users/jordan/common/optional/graphical/thunderbird.nix
@@ -24,4 +24,12 @@
      };
    };
  };
+
+  home.persistence."/state".directories = [
+    ".cache/thunderbird"
+  ];
+
+  home.persistence."/persist".directories = [
+    ".thunderbird"
+  ];
 }
--- a/users/jordan/common/pass.nix
+++ b/users/jordan/common/pass.nix
@@ -8,4 +8,8 @@
    enable = true;
    package = pkgs.pass.withExtensions (exts: [ exts.pass-otp ]);
  };
+
+  home.persistence."/state".directories = [
+    ".local/share/password-store"
+  ];
 }
--- a/users/jordan/common/shell.nix
+++ b/users/jordan/common/shell.nix
@@ -176,6 +176,15 @@ in
    nix-index.enable = true;
  };

+  home.persistence."/persist" = {
+    directories = [
+      ".local/share/mcfly"
+    ];
+    files = [
+      ".zsh_history"
+    ];
+  };
+
  home.packages = with pkgs; [
    bat
    btop
--- a/users/jordan/common/ssh.nix
+++ b/users/jordan/common/ssh.nix
@@ -9,4 +9,8 @@
    enable = true;
    addKeysToAgent = "yes";
  };
+
+  home.persistence."/state".files = [
+    ".ssh/known_hosts"
+  ];
 }
--- a/users/jordan/default.nix
+++ b/users/jordan/default.nix
@@ -42,6 +42,24 @@ in
      ./common/pass.nix
      ./common/shell.nix
      ./common/ssh.nix
+      {
+        home.persistence."/state" = {
+          directories = [
+            "Downloads"
+            ".local/state/wireplumber"
+          ];
+        };
+        home.persistence."/persist" = {
+          directories = [
+            "Desktop"
+            "Documents"
+            "Music"
+            "Pictures"
+            "projects"
+            "Videos"
+          ];
+        };
+      }
    ]
    ++ optional (builtins.pathExists hostFile) hostFile;