Add nerdfonts

Remove unused variable
Switch to lunarvim
2024-03-09 21:35:42 +00:00 · 2024-03-09 21:17:54 +00:00 · 2024-03-03 23:17:42 +00:00 · 2024-03-03 19:44:38 +00:00 · 2024-03-03 19:44:04 +00:00 · 2024-03-03 16:11:54 +00:00
56 changed files with 2127 additions and 715 deletions
--- a/README.md
+++ b/README.md
@ -9,8 +9,16 @@ System and user configuration for NixOS-based systems.
 | **Theme:** | adwaita |
 | **Terminal:** | Console |

-## Quick start
-1. Copy SSH keypair and `known_hosts` to `~/.ssh`
-1. Import GPG keys and set ultimate trust with `echo "KEYID:6:" | gpg --import-ownertrust`
-1. `git clone git@git.vimium.com:jordan/nix-config.git projects/jordan/nix-config`
-1. `sudo nixos-rebuild switch --flake .#`
+## Provisioning
+> [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) is the module used for provisioning
+
+Generate a new SSH host key in "$temp/etc/ssh" as per [this guide](https://nix-community.github.io/nixos-anywhere/howtos/secrets.html#example-decrypting-an-openssh-host-key-with-pass).
+
+Then run;
+```
+nix run github:nix-community/nixos-anywhere -- \
+  --disk-encryption-keys /tmp/secret.key /tmp/secret.key \
+  --extra-files "$temp" \
+  --flake .#<hostname> \
+  root@<ip>
+```
--- a/flake.lock
+++ b/flake.lock
@ -4,14 +4,15 @@
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1701216516,
-        "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
+        "lastModified": 1707830867,
+        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
+        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
        "type": "github"
      },
      "original": {
@ -28,11 +29,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
@ -42,14 +43,54 @@
        "type": "github"
      }
    },
+    "deploy-rs": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": "nixpkgs_2",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1708091384,
+        "narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=",
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790",
+        "type": "github"
+      },
+      "original": {
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709439398,
+        "narHash": "sha256-MW0zp3ta7SvdpjvhVCbtP20ewRwQZX2vRFn14gTc4Kg=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "1f76b318aa11170c8ca8c225a9b4c458a5fcbb57",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1702138393,
-        "narHash": "sha256-2jRm1yzX+gKpSCtdpYt1olIgWVEkJnS7FeK00o9X1ko=",
+        "lastModified": 1708965002,
+        "narHash": "sha256-gIBZCPB0sA8Gagrxd8w4+y9uUkWBnXJBmq9Ur5BYTQU=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
-        "rev": "d2e6cfdd63651ae8168e5905d94138f406580dd6",
+        "rev": "4e966509c180f93ba8665cd73cad8456bf44baab",
        "type": "github"
      },
      "original": {
@ -58,6 +99,22 @@
        "type": "github"
      }
    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -66,11 +123,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682203081,
-        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
        "type": "github"
      },
      "original": {
@ -86,11 +143,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1702195709,
-        "narHash": "sha256-+zRjWkm5rKqQ57PuLZ3JF3xi3vPMiOJzItb1m/43Cq4=",
+        "lastModified": 1706981411,
+        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6761b8188b860f374b457eddfdb05c82eef9752f",
+        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
        "type": "github"
      },
      "original": {
@ -100,13 +157,28 @@
        "type": "github"
      }
    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1709410583,
+        "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1677676435,
-        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
        "type": "github"
      },
      "original": {
@ -116,13 +188,44 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1702233072,
-        "narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=",
+        "lastModified": 1709237383,
+        "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "781e2a9797ecf0f146e81425c822dca69fe4a348",
+        "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1702272962,
+        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1709309926,
+        "narHash": "sha256-VZFBtXGVD9LWTecGi6eXrE0hJ/mVB3zGUlHImUs2Qak=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "79baff8812a0d68e24a836df0a364c678089e2c7",
        "type": "github"
      },
      "original": {
@ -134,12 +237,63 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "deploy-rs": "deploy-rs",
+        "disko": "disko",
        "firefox-gnome-theme": "firefox-gnome-theme",
        "home-manager": "home-manager_2",
-        "nixpkgs": "nixpkgs_2",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs_3",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "secrets": "secrets",
        "thunderbird-gnome-theme": "thunderbird-gnome-theme"
      }
    },
+    "secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1709495020,
+        "narHash": "sha256-eiz0qUjUbdeb6m28XPY7OVnrGMZ45JiT2dZZ0Bmq2X0=",
+        "ref": "refs/heads/master",
+        "rev": "d135b4d6d5f0079999188895f8b5f35e821b0d4b",
+        "revCount": 14,
+        "type": "git",
+        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "thunderbird-gnome-theme": {
      "flake": false,
      "locked": {
@ -155,6 +309,24 @@
        "repo": "thunderbird-gnome-theme",
        "type": "github"
      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -3,7 +3,14 @@

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-23.11";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    # nixpkgs-master.url = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
+    deploy-rs.url = "github:serokell/deploy-rs";
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    home-manager = {
      url = "github:nix-community/home-manager/release-23.11";
      inputs.nixpkgs.follows = "nixpkgs";
@ -12,27 +19,39 @@
      url = "github:rafaelmardojai/firefox-gnome-theme";
      flake = false;
    };
+    nixos-hardware.url = "github:NixOS/nixos-hardware";
+    secrets = {
+      url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
+      flake = false;
+    };
    thunderbird-gnome-theme = {
      url = "github:rafaelmardojai/thunderbird-gnome-theme";
      flake = false;
    };
  };

-  outputs = inputs @ { self, nixpkgs, agenix, home-manager, ... }:
+  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, secrets, ... }:
    let
-      nixpkgsForSystem = system: inputs.nixpkgs;
+      mkPkgsForSystem = system: inputs.nixpkgs;
      overlays = [
        agenix.overlays.default
        (import ./overlays/gnome.nix)
+        (
+          final: prev: {
+            unstable = import inputs.nixpkgs-unstable { system = final.system; };
+            custom = self.packages { system = final.system; };
+          }
+        )
      ];
      commonModules = [
        agenix.nixosModules.age
+        disko.nixosModules.disko
        home-manager.nixosModule
        ./modules
      ];
-      nixosSystem = system: name:
+      mkNixosSystem = { system, name, extraModules ? [] }:
        let
-          nixpkgs = nixpkgsForSystem system;
+          nixpkgs = mkPkgsForSystem system;
          lib = (import nixpkgs { inherit overlays system; }).lib;
        in
        inputs.nixpkgs.lib.nixosSystem {
@ -47,20 +66,54 @@
                  config.allowUnfree = true;
                };
                networking.hostName = name;
-                nix = {
-                  extraOptions = "experimental-features = nix-command flakes";
-                };
              })
            ./hosts/${name}
-          ];
-        };
-      nixosConfigurations = {
-        atlas = nixosSystem "x86_64-linux" "atlas";
-        eos = nixosSystem "x86_64-linux" "eos";
-        helios = nixosSystem "x86_64-linux" "helios";
-        odyssey = nixosSystem "x86_64-linux" "odyssey";
+          ] ++ extraModules;
        };
    in
-    { inherit nixosConfigurations; };
+    {
+      nixosConfigurations = {
+        atlas = mkNixosSystem { system = "x86_64-linux"; name = "atlas"; };
+        eos = mkNixosSystem { system = "x86_64-linux"; name = "eos"; };
+        helios = mkNixosSystem { system = "x86_64-linux"; name = "helios"; };
+        hypnos = mkNixosSystem { system = "x86_64-linux"; name = "hypnos"; };
+        library = mkNixosSystem { system = "x86_64-linux"; name = "library"; };
+        odyssey = mkNixosSystem { system = "x86_64-linux"; name = "odyssey"; };
+        pi = mkNixosSystem { system = "aarch64-linux"; name = "pi"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
+        vps1 = mkNixosSystem { system = "x86_64-linux"; name = "vps1"; };
+      };
+
+      devShells.x86_64-linux.default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
+        buildInputs = [
+          deploy-rs.packages.x86_64-linux.deploy-rs
+        ];
+      };
+
+      deploy = {
+        magicRollback = true;
+        autoRollback = true;
+        sshUser = "root";
+        nodes = {
+          vps1 = {
+            hostname = "vps1.mesh.vimium.net";
+
+            profiles.system = {
+              user = "root";
+              path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vps1;
+            };
+          };
+          # pi = {
+          #   hostname = "10.0.1.191";
+          #
+          #   profiles.system = {
+          #     user = "root";
+          #     path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi;
+          #   };
+          # };
+        };
+      };
+
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+    };
 }

--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@ -6,21 +6,15 @@
    ../desktop.nix
  ];

-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };

-  networking.hostName = "atlas";
-  networking.hostId = "8425e349";
-  networking.networkmanager.enable = true;
-
-  nix.package = pkgs.nixFlakes;
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
-
-  users.defaultUserShell = pkgs.zsh;
-
-  system.stateVersion = "22.11";
+  networking = {
+    hostId = "8425e349";
+    networkmanager.enable = true;
+  };

  modules = {
    desktop = {
@ -48,9 +42,20 @@
      gpg.enable = true;
      pass.enable = true;
    };
+    services = {
+      borgmatic = {
+        enable = true;
+        directories = [
+          "/home/jordan/Documents"
+        ];
+        repoPath = "ssh://uzu2y5b1@uzu2y5b1.repo.borgbase.com/./repo";
+      };
+    };
    shell = {
      git.enable = true;
      zsh.enable = true;
    };
  };
+
+  system.stateVersion = "22.11";
 }
--- a/hosts/common.nix
+++ b/hosts/common.nix
@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+{
+  time.timeZone = "Europe/London";
+
+  i18n.defaultLocale = "en_GB.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_GB.UTF-8";
+    LC_IDENTIFICATION = "en_GB.UTF-8";
+    LC_MEASUREMENT = "en_GB.UTF-8";
+    LC_MONETARY = "en_GB.UTF-8";
+    LC_NAME = "en_GB.UTF-8";
+    LC_NUMERIC = "en_GB.UTF-8";
+    LC_PAPER = "en_GB.UTF-8";
+    LC_TELEPHONE = "en_GB.UTF-8";
+    LC_TIME = "en_GB.UTF-8";
+  };
+  
+  console.keyMap = "uk";
+
+  security.sudo.execWheelOnly = true;
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=4G
+    MaxRetentionSec=90day
+  '';
+
+  users.defaultUserShell = pkgs.zsh;
+  programs.zsh.enable = true;
+
+  nix = {
+    package = pkgs.nixFlakes;
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+    settings = {
+      connect-timeout = 5;
+      log-lines = 25;
+      min-free = 128000000;
+      max-free = 1000000000;
+      fallback = true;
+      allowed-users = [ "@wheel" ];
+      auto-optimise-store = true;
+      substituters = [
+        "http://odyssey.mesh.vimium.net"
+        "https://cache.nixos.org"
+      ];
+      trusted-public-keys = [
+        "odyssey.mesh.vimium.net:ZhQhjscPWjoN4rlZwoMELznEiBnZ9O26iyGA27ibilQ="
+      ];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "-d --delete-older-than 7d";
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    neovim
+  ];
+}
--- a/hosts/desktop.nix
+++ b/hosts/desktop.nix
@ -1,33 +1,12 @@
 { config, lib, pkgs, ... }:

 {
-  time.timeZone = "Europe/London";
-
-  i18n.defaultLocale = "en_GB.UTF-8";
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_GB.UTF-8";
-    LC_IDENTIFICATION = "en_GB.UTF-8";
-    LC_MEASUREMENT = "en_GB.UTF-8";
-    LC_MONETARY = "en_GB.UTF-8";
-    LC_NAME = "en_GB.UTF-8";
-    LC_NUMERIC = "en_GB.UTF-8";
-    LC_PAPER = "en_GB.UTF-8";
-    LC_TELEPHONE = "en_GB.UTF-8";
-    LC_TIME = "en_GB.UTF-8";
-  };
-
-  console.keyMap = "uk";
+  imports = [
+    ./common.nix
+  ];

  services.printing.enable = true;
-  services.openssh = {
-    enable = true;
-    settings = {
-      KbdInteractiveAuthentication = false;
-      PasswordAuthentication = false;
-      PermitRootLogin = "no";
-    };
-    startWhenNeeded = true;
-  };
+  services.openssh.startWhenNeeded = true;

  sound.enable = true;
  hardware.pulseaudio.enable = false;
@ -39,34 +18,20 @@
    pulse.enable = true;
  };

-  environment.systemPackages = with pkgs; [
-    git
-    neovim
-  ];
-
-  nix = {
-    settings = {
-      connect-timeout = 5;
-      log-lines = 25;
-      min-free = 128000000;
-      max-free = 1000000000;
-      fallback = true;
-      auto-optimise-store = true;
-      substituters = [
-        "http://odyssey.mesh.vimium.net"
-        "https://cache.nixos.org"
-      ];
-      trusted-public-keys = [
-        "odyssey.mesh.vimium.net:ZhQhjscPWjoN4rlZwoMELznEiBnZ9O26iyGA27ibilQ="
-      ];
-    };
-    gc = {
-      automatic = true;
-      dates = "weekly";
-      options = "-d --delete-older-than 7d";
-    };
+  fileSystems."/mnt/library" = {
+    device = "library.mesh.vimium.net:/mnt/library";
+    fsType = "nfs";
+    options = [ "nfsvers=4.2" "soft" "nocto" "ro" "x-systemd.automount" "noauto" ];
  };

-  modules.desktop.gnome.enable = true;
-  modules.networking.tailscale.enable = true;
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+ssh://git@git.vimium.com/jordan/nix-config.git";
+    randomizedDelaySec = "10min";
+  };
+
+  modules = {
+    desktop.gnome.enable = true;
+    networking.tailscale.enable = true;
+  };
 }
--- a/hosts/eos/default.nix
+++ b/hosts/eos/default.nix
@ -6,22 +6,15 @@
    ../desktop.nix
  ];

-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };

-  networking.hostName = "eos";
-  networking.hostId = "cc858347";
-  networking.networkmanager.enable = true;
-
-  nix.package = pkgs.nixFlakes;
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
-  nix.settings.auto-optimise-store = true;
-
-  users.defaultUserShell = pkgs.zsh;
-
-  system.stateVersion = "22.11";
+  networking = {
+    hostId = "cc858347";
+    networkmanager.enable = true;
+  };

  dconf.settings = {
    "org/gnome/desktop/interface" = {
@ -51,4 +44,6 @@
      zsh.enable = true;
    };
  };
+
+  system.stateVersion = "22.11";
 }
--- a/hosts/helios/default.nix
+++ b/hosts/helios/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:

 {
  imports = [
@ -6,22 +6,18 @@
    ../desktop.nix
  ];

-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-  boot.loader.grub.zfsSupport = true;
+  boot = {
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+      zfsSupport = true;
+    };
+  };

-  networking.hostName = "helios";
-  networking.hostId = "47d23505";
-  networking.networkmanager.enable = true;
-
-  nix.package = pkgs.nixFlakes;
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
-
-  users.defaultUserShell = pkgs.zsh;
-
-  system.stateVersion = "22.11";
+  networking = {
+    hostId = "47d23505";
+    networkmanager.enable = true;
+  };

  modules = {
    desktop = {
@ -40,9 +36,20 @@
      gpg.enable = true;
      pass.enable = true;
    };
+    services = {
+      borgmatic = {
+        enable = true;
+        directories = [
+          "/home/jordan/Documents"
+        ];
+        repoPath = "ssh://b9cjl9hq@b9cjl9hq.repo.borgbase.com/./repo";
+      };
+    };
    shell = {
      git.enable = true;
      zsh.enable = true;
    };
  };
+
+  system.stateVersion = "22.11";
 }
--- a/hosts/hypnos/README.md
+++ b/hosts/hypnos/README.md
@ -0,0 +1,35 @@
+# Hypnos
+
+## Overview
+15-inch MacBook Pro 11,3 (Mid 2014).
+
+## Specs
+* CPU - Intel Core i7-4870HQ @ 2.50GHz
+* Memory - 16 GB DDR3
+* GPU - Intel Iris Pro 5200
+* GPU - NVIDIA GeForce GT 750M
+* NIC - Broadcom BCM43xx 802.11ac
+
+### Disks
+Device | Partitions _(filesystem, size, usage)_
+--- | ---
+Apple SSD SM0512F | `/dev/sda1` (EFI, 256 MiB, NixOS Boot) <br> `/dev/sda2` (ZFS, 500 GiB, NixOS Root)
+
+#### ZFS pool layout
+```
+rpool/
+├── local
+│   ├── nix
+│   └── tmp
+├── system
+│   ├── root
+│   └── var
+└── user
+    └── home
+```
+
+See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `hypnos.mesh.vimium.net`.
--- a/hosts/hypnos/default.nix
+++ b/hosts/hypnos/default.nix
@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disko-config.nix
+    ../desktop.nix
+  ];
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  networking.hostId = "cf791898";
+
+  modules = {
+    desktop = {
+      browsers = {
+        firefox.enable = true;
+      };
+      media.recording = {
+        audio.enable = true;
+      };
+    };
+    dev = {
+      node.enable = true;
+    };
+    editors = {
+      neovim.enable = true;
+    };
+    security = {
+      gpg.enable = true;
+      pass.enable = true;
+    };
+    shell = {
+      git.enable = true;
+      zsh.enable = true;
+    };
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/hypnos/disko-config.nix
+++ b/hosts/hypnos/disko-config.nix
@ -0,0 +1,126 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-APPLE_SSD_SM0512F_S1K5NYBF736152";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "256M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "rpool";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      rpool = {
+        type = "zpool";
+        options = {
+          ashift = "12";
+        };
+        rootFsOptions = {
+          canmount = "off";
+          mountpoint = "none";
+          dnodesize = "auto";
+          xattr = "sa";
+        };
+        postCreateHook = "zfs snapshot rpool@blank";
+        datasets = {
+          local = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "none";
+            };
+          };
+          "local/nix" = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+            options = {
+              atime = "off";
+              mountpoint = "legacy";
+            };
+          };
+          "local/tmp" = {
+            type = "zfs_fs";
+            mountpoint = "/tmp";
+            options = {
+              setuid = "off";
+              devices = "off";
+              mountpoint = "legacy";
+            };
+          };
+          system = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options = {
+              mountpoint = "legacy";
+            };
+          };
+          "system/var" = {
+            type = "zfs_fs";
+            mountpoint = "/var";
+            options = {
+              mountpoint = "legacy";
+            };
+          };
+          "system/var/tmp" = {
+            type = "zfs_fs";
+            mountpoint = "/var/tmp";
+            options = {
+              devices = "off";
+              mountpoint = "legacy";
+            };
+          };
+          "system/var/log" = {
+            type = "zfs_fs";
+            mountpoint = "/var/log";
+            options = {
+              compression = "on";
+              acltype = "posix";
+              mountpoint = "legacy";
+            };
+          };
+          user = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "none";
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              keylocation = "file:///tmp/secret.key";
+            };
+            # use this to read the key during boot
+            postCreateHook = ''
+              zfs set keylocation="prompt" "rpool/$name";
+            '';
+          };
+          "user/home" = {
+            type = "zfs_fs";
+            mountpoint = "/home";
+            options = {
+              setuid = "off";
+              devices = "off";
+              mountpoint = "legacy";
+            };
+          };
+        };
+      };
+    };
+  };
+}
+
--- a/hosts/hypnos/hardware-configuration.nix
+++ b/hosts/hypnos/hardware-configuration.nix
@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "applesmc" "kvm-intel" "wl" ];
+    extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  hardware = {
+    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    nvidia = {
+      modesetting.enable = true;
+      powerManagement.enable = true;
+    };
+  };
+}
+
--- a/hosts/library/README.md
+++ b/hosts/library/README.md
@ -0,0 +1,46 @@
+# Library
+
+## Overview
+Media and public file server.
+
+## Specs
+* CPU - AMD Ryzen 5 5600G @ 3.90GHz
+* Chipset - AMD B550
+* Memory - 64 GB DDR4
+* Motherboard - ASRock B550M Pro4
+* Case - Fractal Design Node 804
+
+### Disks
+Device | Partitions _(filesystem, size, usage)_
+--- | ---
+Samsung 980 Evo | `/dev/nvme0n1p1` (EFI, 512 MiB, NixOS Boot) <br> `/dev/nvme0n1p2` (ZFS `rpool`, 200 GiB, NixOS Root)
+
+#### ZFS datasets
+```
+rpool/
+├── local
+│   ├── nix
+│   └── tmp
+├── system
+│   ├── root
+│   └── var
+└── user
+    └── home
+
+library/
+├── books
+├── fonts
+├── movies
+├── music
+├── software
+├── tv
+├── videos
+└── web
+```
+
+See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind the `rpool` datasets.
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `library.mesh.vimium.net`.
+
--- a/hosts/library/default.nix
+++ b/hosts/library/default.nix
@ -0,0 +1,175 @@
+{ config, lib, pkgs, ... }:
+
+with lib.my;
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../server.nix
+  ];
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+    zfs.extraPools = [ "library" ];
+  };
+
+  networking = {
+    domain = "mesh.vimium.net";
+    hostId = "d24ae953";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22  # SSH
+      ];
+      interfaces."podman+" = {
+        allowedUDPPorts = [ 53 ];
+        allowedTCPPorts = [ 53 ];
+      };
+    };
+    networkmanager.enable = true;
+  };
+
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      pools = [ "library" ];
+    };
+    autoSnapshot = {
+      enable = true;
+      flags = "-k -p --utc";
+      frequent = 0;
+      hourly = 0;
+      daily = 7;
+      monthly = 1;
+    };
+  };
+
+  services.nfs.server = {
+    enable = true;
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9002;
+      };
+      zfs = {
+        enable = true;
+        port = 9003;
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "library";
+        static_configs = [{
+          targets = [
+            "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+            "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}"
+          ];
+        }];
+      }
+    ];
+  };
+
+  systemd.services.vps1-tunnel = {
+    enable = true;
+    description = "vps1.mesh.vimium.net SSH tunnel";
+    after = [
+      "network-online.target"
+      "jellyfin.service"
+    ];
+    wants = [ "network-online.target" ];
+    serviceConfig = {
+      Type="simple";
+      ExecStart=pkgs.lib.mkForce ''
+        ${pkgs.openssh}/bin/ssh \
+          -NT \
+          -o ExitOnForwardFailure=yes \
+          -o ServerAliveInterval=60 \
+          -o TCPKeepAlive=no \
+          -i %h/.ssh/id_jellyfin \
+          -R localhost:8000:localhost:8000 \
+          jellyfin@vps1.mesh.vimium.net
+      '';
+      Restart="always";
+      RestartSec=20;
+    };
+    wantedBy = [ "default.target" ];
+  };
+
+  services.nginx = let
+    proxyConfig = ''
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header Host $host;
+
+      proxy_set_header Range $http_range;
+      proxy_set_header If-Range $http_if_range;
+
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+    '';
+  in {
+    enable = true;
+    package = pkgs.openresty;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "2G";
+    virtualHosts = {
+      "library.mesh.vimium.net" = {
+        locations."/" = {
+          root = "/mnt/library";
+          extraConfig = ''
+            autoindex on;
+          '';
+        };
+      };
+      "jellyfin.vimium.com" = {
+        default = true;
+        listen = [
+          {
+            addr = "127.0.0.1";
+            port = 8000;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://localhost:8096";
+          extraConfig = proxyConfig;
+        };
+        locations."/metrics" = {
+          return = "404";
+        };
+      };
+    };
+  };
+
+  services.jellyfin.enable = true;
+
+  modules = {
+    security = {
+      gpg.enable = true;
+    };
+    shell = {
+      zsh.enable = true;
+    };
+    services = {
+      borgmatic = {
+        enable = true;
+        directories = [
+          "/home/jordan"
+        ];
+        repoPath = "ssh://b61758r4@b61758r4.repo.borgbase.com/./repo";
+      };
+    };
+  };
+
+  system.stateVersion = "22.11";
+}
+
--- a/hosts/library/hardware-configuration.nix
+++ b/hosts/library/hardware-configuration.nix
@ -0,0 +1,68 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "rpool/system/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var" = {
+    device = "rpool/system/var";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/log" = {
+    device = "rpool/system/var/log";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/tmp" = {
+    device = "rpool/system/var/tmp";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/lib/containers/storage" = {
+    device = "rpool/system/var/lib-containers-storage";
+    fsType = "zfs";
+  };
+
+  fileSystems."/nix" = {
+    device = "rpool/local/nix";
+    fsType = "zfs";
+  };
+
+  fileSystems."/tmp" = {
+    device = "rpool/local/tmp";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home" = {
+    device = "rpool/user/home";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/F697-F1C0";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
+
--- a/hosts/odyssey/audio.nix
+++ b/hosts/odyssey/audio.nix
@ -1,45 +0,0 @@
-{ config, pkgs, ... }:
-let
-  snd-usb-audio-module = pkgs.callPackage ./snd-usb-audio.nix {
-    kernel = config.boot.kernelPackages.kernel;
-  };
-  upmixConfig = ''
-    stream.properties = {
-      channelmix.upmix = true
-      channelmix.upmix-method = psd
-    }
-  '';
-in {
-  boot.extraModulePackages = [
-    (snd-usb-audio-module.overrideAttrs (_: {
-      patches = [ ./0001-Update-device-ID-for-PreSonus-1824c.patch ];
-    }))
-  ];
-
-  environment.etc = {
-    "pipewire/pipewire.conf.d/surround.conf".text = ''
-      context.modules = [
-        {
-          name = libpipewire-module-loopback
-          args = {
-            node.description = "Genelec 4.1 Surround"
-            capture.props = {
-              node.name = "Genelec_Speakers"
-              media.class = "Audio/Sink"
-              audio.position = [ FL FR SL SR LFE ]
-            }
-            playback.props = {
-              node.name = "playback.Genelec_Speakers"
-              audio.position = [ AUX0 AUX1 AUX3 AUX4 AUX5 ]
-              target.object = "alsa_output.usb-PreSonus_Studio_1824c_SC4E21110775-00.multichannel-output"
-              stream.dont-remix = true
-              node.passive = true
-            }
-          }
-        }
-      ]
-    '';
-    "pipewire/pipewire-pulse.conf.d/40-upmix.conf".text = upmixConfig;
-    "pipewire/client-rt.conf.d/40-upmix.conf".text = upmixConfig;
-  };
- } 
--- a/hosts/odyssey/default.nix
+++ b/hosts/odyssey/default.nix
@ -1,39 +1,30 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:

 {
  imports = [
    ./hardware-configuration.nix
-    ./audio.nix
    ../desktop.nix
  ];

-  boot.loader.systemd-boot = {
+  boot.loader = {
+    systemd-boot = {
      enable = true;
      graceful = true;
      netbootxyz.enable = true;
    };
-  boot.loader.efi.canTouchEfiVariables = true;
+    efi.canTouchEfiVariables = true;
+  };

-  networking.hostName = "odyssey";
-  networking.hostId = "c5e68d78";
-  networking.networkmanager.enable = true;
+  networking = {
+    hostId = "c5e68d78";
+    networkmanager.enable = true;
+    firewall.trustedInterfaces = [ "lxdbr0" "virbr0" ]; # Work around https://github.com/NixOS/nixpkgs/issues/263359
+  };

-  nix.package = pkgs.nixFlakes;
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
-
-  virtualisation.libvirtd.enable = true;
-  virtualisation.lxd.enable = true;
-
-  users.defaultUserShell = pkgs.zsh;
-
-  system.stateVersion = "22.11";
-
-  services.journald.extraConfig = ''
-    SystemMaxUse=4G
-    MaxRetentionSec=90day
-  '';
+  virtualisation = {
+    libvirtd.enable = true;
+    lxd.enable = true;
+  };

  services.nix-serve = {
    enable = true;
@ -50,40 +41,20 @@
    };
  };

-  age.secrets."odyssey_borg_passphrase" = {
-    file = ../../secrets/odyssey_borg_passphrase.age;
-  };
-
-  services.borgmatic = {
-    enable = true;
-    settings = {
-      source_directories = [
-        "/home/jordan/Documents"
-      ];
-      repositories = [
-        { label = "borgbase"; path = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo"; }
-      ];
-      storage = {
-        encryption_passcommand = "cat ${config.age.secrets.odyssey_borg_passphrase.path}";
-        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
-      };
-      retention = {
-        keep_daily = 7;
-        keep_weekly = 4;
-        keep_monthly = 6;
-      };
-    };
-  };
-
-  # Without this override, `cat` is unavailable for `encryption_passcommand`
-  systemd.services.borgmatic.confinement.fullUnit = true;
-
  modules = {
    desktop = {
      apps.qbittorrent.enable = true;
      browsers = {
        firefox.enable = true;
      };
+      gaming.emulators = {
+        gamecube.enable = true;
+        ps2.enable = true;
+        ps3.enable = true;
+        psp.enable = true;
+        wii.enable = true;
+        xbox.enable = true;
+      };
      media.graphics = {
        modeling.enable = true;
        raster.enable = true;
@ -101,13 +72,25 @@
      neovim.enable = true;
      vscode.enable = true;
    };
+    hardware.presonus-studio.enable = true;
    security = {
      gpg.enable = true;
      pass.enable = true;
    };
+    services = {
+      borgmatic = {
+        enable = true;
+        directories = [
+          "/home/jordan/Documents"
+        ];
+        repoPath = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo";
+      };
+    };
    shell = {
      git.enable = true;
      zsh.enable = true;
    };
  };
+
+  system.stateVersion = "22.11";
 }
--- a/hosts/odyssey/hardware-configuration.nix
+++ b/hosts/odyssey/hardware-configuration.nix
@ -64,5 +64,9 @@

  networking.useDHCP = lib.mkDefault true;

+  environment.systemPackages = [
+    pkgs.apfs-fuse
+  ];
+
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/pi/README.md
+++ b/hosts/pi/README.md
@ -0,0 +1,25 @@
+# Pi
+
+## Overview
+Raspberry Pi 4
+
+## Specs
+* SoC - Broadcom BCM2711
+* CPU - ARM Cortex-A72 @ 1.8 GHz
+* Memory - 8 GB LPDDR4
+
+### Disks
+Device | Partitions _(filesystem, usage)_
+--- | ---
+SD card | `/dev/mmcblk0` (ext4, NixOS Root)
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `pi.mesh.vimium.net`.
+
+## Devices and connections
+
+- SONOFF Zigbee 3.0 USB Dongle Plus (connected to USB 2.0 port to avoid [interference](https://www.unit3compliance.co.uk/2-4ghz-intra-system-or-self-platform-interference-demonstration/))
+- HDMI to ONKYO HT-R990
+- S/PDIF to ONKYO HT-R990
+- Ethernet to ONKYO HT-R990
--- a/hosts/pi/default.nix
+++ b/hosts/pi/default.nix
@ -0,0 +1,250 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../server.nix
+  ];
+
+  networking.hostId = "731d1660";
+
+  hardware = {
+    raspberry-pi."4" = {
+      apply-overlays-dtmerge.enable = true;
+      audio.enable = false;
+      fkms-3d.enable = false;
+      xhci.enable = false;
+    };
+    deviceTree = {
+      enable = true;
+      filter = "*rpi-4-*.dtb";
+      overlays = [
+        {
+          name = "audio-off-overlay";
+          dtsText = ''
+            /dts-v1/;
+            /plugin/;
+
+            / {
+              compatible = "brcm,bcm2711";
+
+              fragment@0 {
+                target = <&vchiq>;
+
+                __overlay__ {
+                  status = "disabled";
+                };
+              };
+            };
+          '';
+        }
+        {
+          # Adapted from: https://github.com/raspberrypi/linux/blob/rpi-6.1.y/arch/arm/boot/dts/overlays/hifiberry-digi-pro-overlay.dts
+          # changes:
+          # - modified top-level "compatible" field from bcm2835 to bcm2711
+          # - s/i2s_clk_consumer/i2s/ (name on bcm2711 platform)
+          name = "hifiberry-digi-pro";
+          dtsText = ''
+            /dts-v1/;
+            /plugin/;
+
+            / {
+                compatible = "brcm,bcm2711";
+
+                fragment@0 {
+                    target = <&i2s>;
+                    __overlay__ {
+                        status = "okay";
+                    };
+                };
+
+                fragment@1 {
+                    target = <&i2c1>;
+                    __overlay__ {
+                        #address-cells = <1>;
+                        #size-cells = <0>;
+                        status = "okay";
+
+                        wm8804@3b {
+                            #sound-dai-cells = <0>;
+                            compatible = "wlf,wm8804";
+                            reg = <0x3b>;
+                            PVDD-supply = <&vdd_3v3_reg>;
+                            DVDD-supply = <&vdd_3v3_reg>;
+                            status = "okay";
+                        };
+                    };
+                };
+
+                fragment@2 {
+                    target = <&sound>;
+                    __overlay__ {
+                        compatible = "hifiberry,hifiberry-digi";
+                        i2s-controller = <&i2s>;
+                        status = "okay";
+                        clock44-gpio = <&gpio 5 0>;
+                        clock48-gpio = <&gpio 6 0>;
+                    };
+                };
+            };
+          '';
+        }
+      ];
+    };
+    firmware = with pkgs; [
+      firmwareLinuxNonfree
+      wireless-regdb
+    ];
+  };
+
+  sound.enable = true;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+
+  age.secrets."files/services/home-assistant/secrets.yaml" = {
+    file = "${inputs.secrets}/files/services/home-assistant/secrets.yaml.age";
+    path = "${config.services.home-assistant.configDir}/secrets.yaml";
+    owner = "hass";
+    group = "hass";
+  };
+
+  services.home-assistant = {
+    enable = true;
+    extraComponents = [
+      "api"
+      "alert"
+      "auth"
+      "backup"
+      "command_line"
+      "default_config"
+      "homekit_controller"
+      "homekit"
+      "http"
+      "icloud"
+      "jellyfin"
+      "metoffice"
+      "mqtt"
+      "onkyo"
+      "ping"
+      "proximity"
+      "radio_browser"
+      "scrape"
+      "sensor"
+      "system_health"
+    ];
+    config = {
+      default_config = {};
+      backup = {};
+      homeassistant = {
+        name = "Home";
+        latitude = "!secret latitude";
+        longitude = "!secret longitude";
+        country = "GB";
+        temperature_unit = "C";
+        time_zone = config.time.timeZone;
+        unit_system = "metric";
+      };
+      mqtt = { };
+      scene = "!include scenes.yaml";
+      automation = "!include automations.yaml";
+      system_health = { };
+      recorder = {
+        purge_keep_days = 365;
+      };
+    };
+  };
+
+  services.mosquitto = {
+    enable = true;
+    listeners = [{
+      acl = [ "pattern readwrite #" ];
+      omitPasswordAuth = true;
+      port = 1883;
+      settings = {
+        allow_anonymous = true;
+      };
+    }];
+  };
+
+  age.secrets."files/services/zigbee2mqtt/secret.yaml" = {
+    file = "${inputs.secrets}/files/services/zigbee2mqtt/secret.yaml.age";
+    path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml";
+    owner = "zigbee2mqtt";
+    group = "zigbee2mqtt";
+  };
+
+  services.zigbee2mqtt = {
+    package = pkgs.unstable.zigbee2mqtt;
+    enable = true;
+    dataDir = "/var/lib/zigbee2mqtt";
+    settings = {
+      homeassistant = lib.optionalAttrs config.services.home-assistant.enable {
+        discovery_topic = "homeassistant";
+        status_topic = "hass/status";
+        legacy_entity_attributes = true;
+        legacy_triggers = true;
+      };
+      availability = true;
+      frontend = true;
+      device_options = {
+        retain = true;
+      };
+      serial = {
+        port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
+      };
+      advanced = {
+        channel = 20;
+        network_key = "!secret.yaml network_key";
+        pan_id = 13001;
+        ext_pan_id = [ 79 1 73 47 250 136 124 222 ];
+        transmit_power = 20;
+      };
+      mqtt = {
+        version = 5;
+        server = "mqtt://localhost:1883";
+      };
+    };
+  };
+
+  modules = {
+    networking = {
+      wireless = {
+        enable = true;
+        interfaces = [ "wlan0" ];
+      };
+    };
+    services = {
+      borgmatic = {
+        enable = true;
+        directories = [
+          "/var/lib/mosquitto"
+          "/var/lib/zigbee2mqtt"
+        ];
+        repoPath = "ssh://qcw86s11@qcw86s11.repo.borgbase.com/./repo";
+      };
+    };
+  };
+
+  # Connection to ONKYO HT-R990
+  networking.interfaces.end0 = {
+    ipv4.addresses = [{
+      address = "172.16.0.1";
+      prefixLength = 30;
+    }];
+  };
+
+  environment.systemPackages = with pkgs; [
+    python311Packages.onkyo-eiscp
+    libraspberrypi
+    raspberrypi-eeprom
+  ];
+
+  system.stateVersion = "22.11";
+}
+
--- a/hosts/pi/hardware-configuration.nix
+++ b/hosts/pi/hardware-configuration.nix
@ -0,0 +1,31 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+  ];
+
+  boot = {
+    # Stop ZFS kernel being built
+    supportedFilesystems = lib.mkForce [ "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs" ];
+    tmp.cleanOnBoot = true;
+  };
+
+  # Fix missing modules
+  # https://github.com/NixOS/nixpkgs/issues/154163
+  nixpkgs.overlays = [
+    (final: super: {
+      makeModulesClosure = x:
+        super.makeModulesClosure (x // { allowMissing = true; });
+    })
+  ];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+  };
+}
+
--- a/hosts/server.nix
+++ b/hosts/server.nix
@ -1,45 +1,20 @@
 { config, lib, pkgs, ... }:

 {
-  time.timeZone = "Europe/London";
-
-  i18n.defaultLocale = "en_GB.UTF-8";
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_GB.UTF-8";
-    LC_IDENTIFICATION = "en_GB.UTF-8";
-    LC_MEASUREMENT = "en_GB.UTF-8";
-    LC_MONETARY = "en_GB.UTF-8";
-    LC_NAME = "en_GB.UTF-8";
-    LC_NUMERIC = "en_GB.UTF-8";
-    LC_PAPER = "en_GB.UTF-8";
-    LC_TELEPHONE = "en_GB.UTF-8";
-    LC_TIME = "en_GB.UTF-8";
-  };
-
-  console.keyMap = "uk";
-
-  services.openssh = {
-    enable = true;
-    settings = {
-      KbdInteractiveAuthentication = false;
-      PasswordAuthentication = false;
-      PermitRootLogin = "no";
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    git
-    neovim
+  imports = [
+    ./common.nix
  ];

-  nix = {
-    settings = {
-      auto-optimise-store = true;
-    };
-    gc = {
-      automatic = true;
-      dates = "weekly";
-      options = "-d --delete-older-than 7d";
+  documentation.enable = false;
+
+  security = {
+    acme.acceptTerms = true;
+    auditd.enable = true;
+    audit = {
+      enable = true;
+      rules = [
+        "-a exit,always -F arch=b64 -S execve"
+      ];
    };
  };

--- a/hosts/vps1/README.md
+++ b/hosts/vps1/README.md
@ -0,0 +1,18 @@
+# vps1
+
+## Overview
+VPS hosted in OVH.
+
+## Specs
+* CPU - ??
+* Memory - ??
+
+### Disks
+Device | Partitions _(filesystem, usage)_
+--- | ---
+NVMe | `/dev/sda1` (ext4, NixOS Root)
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `vps1.mesh.vimium.net`.
+
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@ -0,0 +1,69 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../server.nix
+  ];
+
+  networking = {
+    hostId = "08bf6db3";
+    domain = "mesh.vimium.net";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22    # SSH
+      ];
+    };
+  };
+
+  users = {
+    users = {
+      jellyfin = {
+        isSystemUser = true;
+        group = "jellyfin";
+        shell = "/bin/sh";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaaS+KMAEAymZhIJGC4LK8aMhUzhpmloUgvP2cxeBH4 jellyfin"
+        ];
+      };
+      root = {
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
+        ];
+      };
+    };
+    groups = {
+      jellyfin = { };
+    };
+  };
+
+  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+
+  security.acme.defaults = {
+    email = "hostmaster@vimium.com";
+    group = "nginx";
+    webroot = "/var/lib/acme/acme-challenge";
+  };
+
+  modules = {
+    services = {
+      borgmatic = {
+        enable = true;
+        directories = [
+          "/home"
+          "/var/lib"
+          "/var/www"
+        ];
+        repoPath = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo";
+      };
+      coturn.enable = true;
+      gitea.enable = true;
+      headscale.enable = true;
+      matrix-synapse.enable = true;
+      nginx.enable = true;
+    };
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/vps1/hardware-configuration.nix
+++ b/hosts/vps1/hardware-configuration.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+      kernelModules = [ "nvme" ];
+    };
+    loader.grub.device = "/dev/sda";
+    tmp.cleanOnBoot = true;
+  };
+
+  zramSwap.enable = true;
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/sda1";
+      fsType = "ext4";
+    };
+  };
+}
+
--- a/modules/default.nix
+++ b/modules/default.nix
@ -25,9 +25,17 @@
    ./dev/zig.nix
    ./editors/neovim
    ./editors/vscode.nix
+    ./hardware/presonus-studio.nix
    ./networking/tailscale.nix
+    ./networking/wireless.nix
    ./security/gpg.nix
    ./security/pass.nix
+    ./services/borgmatic
+    ./services/coturn
+    ./services/gitea
+    ./services/headscale
+    ./services/matrix-synapse
+    ./services/nginx
    ./shell/git
    ./shell/zsh
  ];
--- a/modules/desktop/gaming/emulators.nix
+++ b/modules/desktop/gaming/emulators.nix
@ -19,6 +19,10 @@ in {
      default = false;
      example = true;
    };
+    ps1.enable      = lib.mkOption {
+      default = false;
+      example = true;
+    };
    ps2.enable      = lib.mkOption {
      default = false;
      example = true;
@ -35,14 +39,23 @@ in {
      default = false;
      example = true;
    };
+    switch.enable   = lib.mkOption {
+      default = false;
+      example = true;
+    };
    wii.enable      = lib.mkOption {
      default = false;
      example = true;
    };
+    xbox.enable     = lib.mkOption {
+      default = false;
+      example = true;
+    };
  };

  config = {
-    user.packages = with pkgs; [
+    user.packages = with pkgs.unstable; [
+      (lib.mkIf cfg.ps1.enable duckstation)
      (lib.mkIf cfg.ps2.enable pcsx2)
      (lib.mkIf cfg.ps3.enable rpcs3)
      (lib.mkIf cfg.psp.enable ppsspp)
@ -51,9 +64,11 @@ in {
             cfg.gb.enable  ||
             cfg.snes.enable)
        higan)
+      (lib.mkIf cfg.switch.enable yuzuPackages.mainline)
      (lib.mkIf (cfg.wii.enable ||
             cfg.gamecube.enable)
        dolphin-emu)
+      (lib.mkIf cfg.xbox.enable xemu)
    ];
  };
 }
--- a/modules/desktop/gnome.nix
+++ b/modules/desktop/gnome.nix
@ -17,6 +17,7 @@ in {
    };

    services.flatpak.enable = true;
+    services.fwupd.enable = true;

    programs.dconf.enable = true;
    dconf.settings = {
@ -102,6 +103,12 @@ in {
        picture-uri = "file://${pkgs.gnome.gnome-backgrounds}/share/backgrounds/gnome/adwaita-l.jpg";
        picture-uri-dark = "file://${pkgs.gnome.gnome-backgrounds}/share/backgrounds/gnome/adwaita-d.jpg";
      };
+      "org/gnome/desktop/peripherals/touchpad" = {
+        tap-to-click = true;
+      };
+      "org/gnome/desktop/search-providers" = {
+        disabled = [ "org.gnome.Epiphany.desktop" ];
+      };
      "org/gtk/settings/file-chooser" = {
        show-hidden = true;
        sort-directories-first = true;
@ -131,12 +138,13 @@ in {
      };
      "org/gnome/mutter" = {
        center-new-windows = true;
+        edge-tiling = true;
        experimental-features = [ "scale-monitor-framebuffer" ];
      };
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
        enable-hot-corners = false;
-        monospace-font-name = "Ubuntu Mono 11";
+        monospace-font-name = "UbuntuMono Nerd Font 11";
      };
      "org/gnome/desktop/wm/keybindings" = {
        switch-group = [ "<Super>grave" ];
@ -149,16 +157,33 @@ in {

    fonts.packages = with pkgs; [
      noto-fonts
-      ubuntu_font_family
+      (nerdfonts.override { fonts = [ "BigBlueTerminal" "ComicShannsMono" "UbuntuMono" ]; })
    ];

    user.packages = with pkgs; [
+      authenticator
+      bottles
+      bustle
      celluloid
+      d-spy
+      drawing
      fragments
+      gnome.ghex
+      # gnome-builder
+      gnome-decoder
+      gnome-firmware
+      gnome-frog
+      gnome-obfuscate
+      gnome-podcasts
+      identity
      mission-center
+      newsflash
+      schemes
+      shortwave
    ];

    environment.systemPackages = with pkgs; [
+      adw-gtk3
      bind
      bmon
      fd
@ -194,13 +219,16 @@ in {
      # gnomeExtensions.worksets
      # gnomeExtensions.workspace-matrix
      iotop
+      unstable.morewaita-icon-theme
      ripgrep
      rsync
      tcpdump
      tokei
      tree
      wl-clipboard
-    ];
+    ] ++ (if config.virtualisation.podman.enable then [
+      pods
+    ] else []);

    home.services.gpg-agent.pinentryFlavor = "gnome3";
  };
--- a/modules/editors/neovim/default.nix
+++ b/modules/editors/neovim/default.nix
@ -2,7 +2,6 @@

 let
  cfg = config.modules.editors.neovim;
-  dev = config.modules.dev;
 in {
  options.modules.editors.neovim = {
    enable = lib.mkOption {
@ -12,124 +11,15 @@ in {
  };

  config = lib.mkIf cfg.enable {
-    user.packages = with pkgs; [
-      (neovim.override {
-        configure = {
-          customRC = ''
-            luafile ~/.config/nvim/init.lua
-          '';
-          packages.myPlugins = with pkgs.vimPlugins; {
-            start = [
-              (nvim-treesitter.withPlugins (
-                plugins: with plugins; [
-                  bash
-                  c
-                  cmake
-                  cpp
-                  css
-                  dockerfile
-                  elm
-                  glsl
-                  graphql
-                  haskell
-                  http
-                  html
-                  java
-                  javascript
-                  jsdoc
-                  json
-                  json5
-                  latex
-                  lua
-                  markdown
-                  ninja
-                  nix
-                  org
-                  perl
-                  php
-                  pug
-                  python
-                  regex
-                  rst
-                  ruby
-                  rust
-                  scala
-                  scss
-                  toml
-                  tsx
-                  typescript
-                  vim
-                  yaml
-                  zig
-                ]
-              ))
-              nvim-treesitter-context
-              nvim-treesitter-textobjects
-              nvim-lspconfig
+    user.packages = with pkgs.unstable; [
+      lunarvim
    ];
-          };
-        };
-      })
-    ] ++

-    # Install appropriate language servers
-    (if dev.cc.enable then [
-      ccls                                            # C/C++
-    ] else []) ++
-    (if dev.java.enable then [
-      java-language-server                            # Java
-      ltex-ls                                         # LaTeX
-    ] else []) ++
-    (if dev.lua.enable then [
-      sumneko-lua-language-server                     # Lua
-    ] else []) ++
-    (if dev.node.enable then [
-      nodePackages.bash-language-server               # Bash
-      nodePackages.dockerfile-language-server-nodejs  # Dockerfile
-      nodePackages.graphql-language-service-cli       # GraphQL
-      nodePackages.purescript-language-server         # PureScript
-      nodePackages.svelte-language-server             # Svelte
-      nodePackages.typescript-language-server         # JavaScript/TypeScript
-      nodePackages.vim-language-server                # Vim
-      nodePackages.vscode-langservers-extracted       # HTML, CSS, JSON, ESLint
-      nodePackages.vue-language-server                # Vue.js
-      nodePackages.yaml-language-server               # YAML
-    ] else []) ++
-    (if dev.python.enable then [
-      cmake-language-server                           # CMake
-      python310Packages.python-lsp-server             # Python
-    ] else []) ++
-    (if dev.rust.enable then [
-      rust-analyzer                                   # Rust
-    ] else []) ++
-    (if dev.scala.enable then [
-      metals                                          # Scala
-    ] else []) ++
-    (if dev.zig.enable then [
-      zls                                             # Zig
-    ] else []);
-
-    home.configFile = {
-      "nvim/init.lua".source = ./init.lua;
-      "nvim/lua" = { source = ./lua; recursive = true; };
-      "nvim/lua/config/lsp.lua".text = ''
-        -- This file is autogenerated, do not edit.
-        ${if dev.cc.enable then "require('config.lsp.cc')\n" else ""}
-        ${if dev.java.enable then "require('config.lsp.java')\n" else ""}
-        ${if dev.lua.enable then "require('config.lsp.lua')\n" else ""}
-        ${if dev.node.enable then "require('config.lsp.node')\n" else ""}
-        ${if dev.python.enable then "require('config.lsp.python')\n" else ""}
-        ${if dev.rust.enable then "require('config.lsp.rust')\n" else ""}
-        ${if dev.scala.enable then "require('config.lsp.scala')\n" else ""}
-        ${if dev.zig.enable then "require('config.lsp.zig')\n" else ""}
-      '';
-    };
-
-    env.EDITOR = "nvim";
+    env.EDITOR = "lvim";

    environment.shellAliases = {
-      vim = "nvim";
-      v   = "nvim";
+      vim = "lvim";
+      v   = "lvim";
    };
  };
 }
--- a/modules/editors/neovim/init.lua
+++ b/modules/editors/neovim/init.lua
@ -1,6 +0,0 @@
-require("config.core")
-require("config.keymap")
-require("config.treesitter")
-require("config.plugins")
-require("config.lsp")
-
--- a/modules/editors/neovim/lua/config/core.lua
+++ b/modules/editors/neovim/lua/config/core.lua
@ -1,36 +0,0 @@
-local o = vim.opt
-local wo = vim.wo
-local bo = vim.bo
-
-- Global dirs
-local cachedir = os.getenv("XDG_CACHE_HOME")
-o.backupdir = cachedir .. "/nvim/backup/"
-o.directory = cachedir .. "/nvim/swap/"
-o.undodir   = cachedir .. "/nvim/undo/"
-
-- Global
-o.breakindent = true
-o.clipboard = "unnamedplus"
-o.compatible = false
-o.encoding = "utf-8"
-o.expandtab = true
-o.foldlevel = 99
-o.hidden = true
-o.hlsearch = false
-o.ignorecase = true
-o.laststatus = 2
-o.listchars = { eol = '↲', tab = '▸ ', trail = '·' }
-o.relativenumber = true
-o.shiftwidth = 2
-o.showmode = false
-o.smartcase = true
-o.smarttab = true
-o.softtabstop = 2
-o.synmaxcol = 150
-o.tabstop = 4
-o.undofile = true
-o.wildmenu = true
-
-- Window
-
-- Buffer
--- a/modules/editors/neovim/lua/config/keymap.lua
+++ b/modules/editors/neovim/lua/config/keymap.lua
@ -1,35 +0,0 @@
-local keymap = vim.keymap.set
-local opts = { noremap = true, silent = true }
-
-vim.g.mapleader = ","
-
-- Modes
--   Normal = "n",
--   Insert = "i",
--   Visual = "v",
--   Visual Block = "x",
--   Term = "t",
--   Command = "c"
-
-keymap("n", "<Left>", "<Nop>", opts)
-keymap("n", "<Right>", "<Nop>", opts)
-keymap("n", "<Up>", "<Nop>", opts)
-keymap("n", "<Down>", "<Nop>", opts)
-
-keymap("n", "<C-h>", "<C-w>h", { noremap = true })
-keymap("n", "<C-j>", "<C-w>j", { noremap = true })
-keymap("n", "<C-k>", "<C-w>k", { noremap = true })
-keymap("n", "<C-l>", "<C-w>l", { noremap = true })
-
-keymap("n", "gV", "`[v`]", opts)
-
-keymap("n", ";", ":", { noremap = true })
-
-- Bubble single lines with vim-unimpaired
-keymap("n", "<C-Up>", "[e", opts)
-keymap("n", "<C-Down>", "]e", opts)
-
-- Bubble multiple lines with vim-unimpaired
-keymap("v", "<C-Up>", "[egv", opts)
-keymap("v", "<C-Down>", "]egv", opts)
-
--- a/modules/editors/neovim/lua/config/lsp/cc.lua
+++ b/modules/editors/neovim/lua/config/lsp/cc.lua
@ -1,5 +0,0 @@
-lspconfig = require('lspconfig')
-
-- Requires C/C++
-lspconfig.ccls.setup{}
-
--- a/modules/editors/neovim/lua/config/lsp/java.lua
+++ b/modules/editors/neovim/lua/config/lsp/java.lua
@ -1,6 +0,0 @@
-lspconfig = require('lspconfig')
-
-- Requires Java
-lspconfig.java_language_server.setup{}
-lspconfig.ltex.setup{}
-
--- a/modules/editors/neovim/lua/config/lsp/lua.lua
+++ b/modules/editors/neovim/lua/config/lsp/lua.lua
@ -1,22 +0,0 @@
-lspconfig = require('lspconfig')
-
-- Requires Lua
-lspconfig.sumneko_lua.setup {
-  settings = {
-    Lua = {
-      runtime = {
-        -- Tell the language server which version of Lua you're using (most likely LuaJIT in the case of Neovim)
-        version = 'LuaJIT',
-      },
-      diagnostics = {
-        -- Get the language server to recognize the `vim` global
-        globals = {'vim'},
-      },
-      -- Do not send telemetry data containing a randomized but unique identifier
-      telemetry = {
-        enable = false,
-      },
-    },
-  },
-}
-
--- a/modules/editors/neovim/lua/config/lsp/node.lua
+++ b/modules/editors/neovim/lua/config/lsp/node.lua
@ -1,17 +0,0 @@
-lspconfig = require('lspconfig')
-
-- Requires Node.js
-lspconfig.bashls.setup{}
-lspconfig.cssls.setup{}
-lspconfig.dockerls.setup{}
-lspconfig.eslint.setup{}
-lspconfig.graphql.setup{}
-lspconfig.html.setup{}
-lspconfig.jsonls.setup{}
-lspconfig.purescriptls.setup{}
-lspconfig.svelte.setup{}
-lspconfig.tsserver.setup{}
-lspconfig.vimls.setup{}
-lspconfig.vuels.setup{}
-lspconfig.yamlls.setup{}
-
--- a/modules/editors/neovim/lua/config/lsp/python.lua
+++ b/modules/editors/neovim/lua/config/lsp/python.lua
@ -1,6 +0,0 @@
-lspconfig = require('lspconfig')
-
-- Requires Python
-lspconfig.cmake.setup{}
-lspconfig.pylsp.setup{}
-
--- a/modules/editors/neovim/lua/config/lsp/rust.lua
+++ b/modules/editors/neovim/lua/config/lsp/rust.lua
@ -1,5 +0,0 @@
-lspconfig = require('lspconfig')
-
-- Requires Rust
-lspconfig.rls.setup{}
-
--- a/modules/editors/neovim/lua/config/lsp/scala.lua
+++ b/modules/editors/neovim/lua/config/lsp/scala.lua
@ -1,5 +0,0 @@
-lspconfig = require('lspconfig')
-
-- Requires Scala
-lspconfig.metals.setup{}
-
--- a/modules/editors/neovim/lua/config/lsp/zig.lua
+++ b/modules/editors/neovim/lua/config/lsp/zig.lua
@ -1,5 +0,0 @@
-lspconfig = require('lspconfig')
-
-- Requires Zig
-lspconfig.zls.setup{}
-
--- a/modules/editors/neovim/lua/config/plugins.lua
+++ b/modules/editors/neovim/lua/config/plugins.lua
@ -1,77 +0,0 @@
-local fn = vim.fn
-
-local install_path = fn.stdpath "data" .. "/site/pack/packer/start/packer.nvim"
-if fn.empty(fn.glob(install_path)) > 0 then
-  PACKER_BOOTSTRAP = fn.system {
-    "git",
-    "clone",
-    "--depth",
-    "1",
-    "https://github.com/wbthomason/packer.nvim",
-    install_path,
-  }
-  print "Installing packer close and reopen Neovim..."
-  vim.cmd [[packadd packer.nvim]]
-end
-
-vim.cmd [[
-  augroup packer_user_config
-    autocmd!
-    autocmd BufWritePost plugins.lua source <afile> | PackerSync
-  augroup end
-]]
-
-local status_ok, packer = pcall(require, "packer")
-if not status_ok then
-  return
-end
-
-packer.init {
-  display = {
-    open_fn = function()
-      return require("packer.util").float { border = "rounded" }
-    end,
-  },
-}
-
-return packer.startup(function(use)
-  -- Utilities
-  use { "wbthomason/packer.nvim", opt = true }
-  use { "mbbill/undotree" }
-  use { "nvim-lua/plenary.nvim" }
-  use { "tpope/vim-fugitive", event = "User InGitRepo" }
-
-  -- Editing
-  use { "andymass/vim-matchup" }
-  use { "godlygeek/tabular" }
-  use { "JoosepAlviste/nvim-ts-context-commentstring" }
-  use { "kana/vim-textobj-user" }
-  use { "mg979/vim-visual-multi", branch = "master" }
-  use { "p00f/nvim-ts-rainbow" }
-  use { "terryma/vim-expand-region" }
-  use { "tommcdo/vim-exchange", event = "VimEnter" }
-  use { "tpope/vim-abolish" }
-  use { "tpope/vim-commentary", event = "VimEnter" }
-  use { "tpope/vim-repeat", event = "VimEnter" }
-  use { "tpope/vim-surround", event = "VimEnter" }
-  use { "windwp/nvim-autopairs" }
-  use { "windwp/nvim-ts-autotag" }
-
-  -- UI
-  use { "junegunn/goyo.vim" }
-  use { "junegunn/limelight.vim" }
-  use { "markonm/traces.vim" }
-
-  -- Searching
-  use { "nvim-telescope/telescope.nvim", config = [[require('config.telescope')]] }
-  use { "cljoly/telescope-repo.nvim", requires = "telescope.nvim" }
-  use { "dyng/ctrlsf.vim" }
-
-  -- LSP
-  use { "jose-elias-alvarez/null-ls.nvim" }
-
-  if PACKER_BOOTSTRAP then
-    require("packer").sync()
-  end
-end)
-
--- a/modules/editors/neovim/lua/config/telescope.lua
+++ b/modules/editors/neovim/lua/config/telescope.lua
@ -1,46 +0,0 @@
-local status_ok, telescope = pcall(require, "telescope")
-if not status_ok then
-  return
-end
-
-local actions = require("telescope.actions")
-
-telescope.setup({
-  defaults = {
-    file_ignore_patterns = { ".git/", "node_modules" },
-  },
-  mappings = {
-    i = {
-      ["<Down>"] = actions.cycle_history_next,
-      ["<Up>"] = actions.cycle_history_prev,
-      ["<C-j>"] = actions.move_selection_next,
-      ["<C-k>"] = actions.move_selection_previous,
-    },
-  },
-  extensions = {
-    repo = {
-      list = {
-        fd_opts = {
-          "--no-ignore-vcs",
-        },
-        search_dirs = {
-          "~/projects",
-          "~/repos",
-          "~/workspace",
-        },
-      },
-    },
-  },
-})
-
-telescope.load_extension("repo")
-
-local keymap = vim.keymap.set
-local opts = { noremap = true, silent = true }
-
-keymap("n", "<Leader>ff", "<cmd>Telescope find_files<cr>", opts)
-keymap("n", "<Leader>fg", "<cmd>Telescope live_grep<cr>", opts)
-keymap("n", "<Leader>fb", "<cmd>Telescope buffers<cr>", opts)
-keymap("n", "<Leader>fh", "<cmd>Telescope help_tags<cr>", opts)
-keymap("n", "<Leader>fr", "<cmd>Telescope repo list<cr>", opts)
-
--- a/modules/editors/neovim/lua/config/treesitter.lua
+++ b/modules/editors/neovim/lua/config/treesitter.lua
@ -1,35 +0,0 @@
-require("nvim-treesitter.configs").setup({
-  ignore_install = {},
-  highlight = {
-    enable = true,
-    disable = {},
-  },
-  indent = { enable = true },
-  incremental_selection = {
-    enable = true,
-    keymaps = {
-      init_selection = "gnn",
-      node_incremental = "grn",
-      scope_incremental = "grc",
-      node_decremental = "grm",
-    },
-  },
-  -- Extensions
-  autotag = { enable = true },
-  context_commentstring = { enable = true },
-  matchup = { enable = true },
-  rainbow = { enable = true },
-  textobjects = {
-    select = {
-      enable = true,
-      keymaps = {
-        ["af"] = "@function.outer",
-        ["if"] = "@function.inner",
-      },
-    },
-  },
-})
-
-vim.opt.foldmethod = "expr"
-vim.opt.foldexpr = "nvim_treesitter#foldexpr()"
-
--- a/modules/hardware/0001-Update-device-ID-for-PreSonus-1824c.patch
+++ b/modules/hardware/0001-Update-device-ID-for-PreSonus-1824c.patch
--- a/modules/hardware/presonus-studio.nix
+++ b/modules/hardware/presonus-studio.nix
@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.modules.hardware.presonus-studio;
+  snd-usb-audio-module = pkgs.callPackage ./snd-usb-audio.nix {
+    kernel = config.boot.kernelPackages.kernel;
+  };
+  patched = snd-usb-audio-module.overrideAttrs (prev: {
+    patches = [ ./0001-Update-device-ID-for-PreSonus-1824c.patch ];
+  });
+  upmixConfig = ''
+    stream.properties = {
+      channelmix.upmix = true
+      channelmix.upmix-method = psd
+    }
+  '';
+in {
+  options.modules.hardware.presonus-studio = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    boot.kernelModules = [ "snd-usb-audio" ];
+    boot.extraModulePackages = [
+      (patched)
+    ];
+
+    environment.etc = {
+      "pipewire/pipewire.conf.d/10-network.conf".text = ''
+        context.modules = [
+          {
+            name = libpipewire-module-rtp-session
+            args = {
+              stream.props = {
+                node.name = "rtp-source"
+              }
+            }
+          }
+        ]
+      '';
+      "pipewire/pipewire.conf.d/surround.conf".text = ''
+        context.modules = [
+          {
+            name = libpipewire-module-loopback
+            args = {
+              node.description = "Genelec 4.1 Surround"
+              capture.props = {
+                node.name = "Genelec_Speakers"
+                media.class = "Audio/Sink"
+                audio.position = [ FL FR SL SR LFE ]
+              }
+              playback.props = {
+                node.name = "playback.Genelec_Speakers"
+                audio.position = [ AUX0 AUX1 AUX3 AUX4 AUX5 ]
+                target.object = "alsa_output.usb-PreSonus_Studio_1824c_SC4E21110775-00.multichannel-output"
+                stream.dont-remix = true
+                node.passive = true
+              }
+            }
+          }
+        ]
+      '';
+      "pipewire/pipewire-pulse.conf.d/40-upmix.conf".text = upmixConfig;
+      "pipewire/client-rt.conf.d/40-upmix.conf".text = upmixConfig;
+    };
+  };
+ } 
--- a/modules/hardware/snd-usb-audio.nix
+++ b/modules/hardware/snd-usb-audio.nix
--- a/modules/networking/wireless.nix
+++ b/modules/networking/wireless.nix
@ -0,0 +1,60 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+let cfg = config.modules.networking.wireless;
+in {
+  options.modules.networking.wireless = {
+    enable = mkOption {
+      default = false;
+      example = true;
+      description = mdDoc "Automatically connect to known networks";
+    };
+    interfaces = mkOption {
+      default = [ ];  # All interfaces
+      example = [ "wlan0" ];
+      description = mdDoc "Interfaces for `wpa_supplicant` to bind to";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets."passwords/networks" = {
+      file = "${inputs.secrets}/passwords/networks.age";
+    };
+
+    networking = {
+      wireless = {
+        enable = true;
+        interfaces = cfg.interfaces;
+        environmentFile = config.age.secrets."passwords/networks".path;
+        networks = {
+          "Apollo 600 Mbps".psk = "@PSK_APOLLO@";
+        };
+      };
+      networkmanager.ensureProfiles.profiles = {
+        "Apollo" = {
+          connection = {
+            id = "Apollo 600 Mbps";
+            type = "wifi";
+          };
+          wifi = {
+            mode = "infrastructure";
+            ssid = "Apollo 600 Mbps";
+          };
+          wifi-security = {
+            auth-alg = "open";
+            key-mgmt = "wpa-psk";
+            psk = "";
+          };
+          ipv4 = {
+            method = "auto";
+          };
+          ipv6 = {
+            addr-gen-mode = "stable-privacy";
+            method = "auto";
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/options.nix
+++ b/modules/options.nix
@ -1,4 +1,4 @@
-{ config, options, lib, home-manager, ... }:
+{ config, options, lib, home-manager, inputs, ... }:

 with lib;
 {
@ -29,6 +29,7 @@ with lib;
  };

  config = {
+    age.secrets."passwords/users/jordan".file = "${inputs.secrets}/passwords/users/jordan.age";
    user =
      let user = builtins.getEnv "USER";
          name = if elem user [ "" "root" ] then "jordan" else user;
@ -41,6 +42,7 @@ with lib;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
        ];
+        hashedPasswordFile = config.age.secrets."passwords/users/jordan".path;
        home = "/home/${name}";
        group = "users";
        uid = 1000;
--- a/modules/services/borgmatic/default.nix
+++ b/modules/services/borgmatic/default.nix
@ -0,0 +1,53 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+let
+  cfg = config.modules.services.borgmatic;
+  hostname = config.networking.hostName;
+in {
+  options.modules.services.borgmatic = {
+    enable = mkOption {
+      default = false;
+      example = true;
+      description = mdDoc "Enable backups on this host with `borgmatic`";
+    };
+    directories = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [
+        "/home/jordan/Documents"
+      ];
+      description = mdDoc "List of directories to backup";
+    };
+    repoPath = mkOption {
+      type = types.str;
+      example = "ssh://example@example.repo.borgbase.com/./repo";
+      description = mdDoc "Destination borg repository for backup";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets."passwords/services/borg/${hostname}-passphrase" = {
+      file = "${inputs.secrets}/passwords/services/borg/${hostname}-passphrase.age";
+    };
+
+    services.borgmatic = {
+      enable = true;
+      settings = {
+        source_directories = cfg.directories;
+        repositories = [
+          { label = "borgbase"; path = cfg.repoPath; }
+        ];
+        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/${hostname}-passphrase".path}";
+        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+      };
+    };
+
+    # Without this override, `cat` is unavailable for `encryption_passcommand`
+    systemd.services.borgmatic.confinement.fullUnit = true;
+  };
+}
--- a/modules/services/coturn/default.nix
+++ b/modules/services/coturn/default.nix
@ -0,0 +1,60 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+let
+  cfg = config.modules.services.coturn;
+in {
+  options.modules.services.coturn = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall = {
+      allowedTCPPorts = [
+        5349  # STUN TLS
+        5350  # STUN TLS alt
+      ];
+      allowedUDPPortRanges = [
+        { from = 49152; to = 49999; } # TURN relay
+      ];
+    };
+
+    security.acme.certs = {
+      "turn.vimium.com" = {
+        reloadServices = [ "coturn" ];
+      };
+    };
+
+    age.secrets."passwords/services/coturn/shared-secret" = {
+      file = "${inputs.secrets}/passwords/services/coturn/shared-secret.age";
+      owner = "turnserver";
+      group = "turnserver";
+    };
+
+    services.coturn = {
+      enable = true;
+      lt-cred-mech = true;
+      use-auth-secret = true;
+      static-auth-secret-file = config.age.secrets."passwords/services/coturn/shared-secret".path;
+      realm = "turn.vimium.com";
+      relay-ips = [
+        "198.244.190.160"
+      ];
+      no-tcp-relay = true;
+      extraConfig = ''
+        cipher-list="HIGH"
+        no-loopback-peers
+        no-multicast-peers
+      '';
+      secure-stun = true;
+      cert = "/var/lib/acme/turn.vimium.com/fullchain.pem";
+      pkey = "/var/lib/acme/turn.vimium.com/key.pem";
+      min-port = 49152;
+      max-port = 49999;
+    };
+  };
+}
--- a/modules/services/gitea/default.nix
+++ b/modules/services/gitea/default.nix
@ -0,0 +1,83 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+let
+  cfg = config.modules.services.gitea;
+in {
+  options.modules.services.gitea = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users = {
+      users.git = {
+        isSystemUser = true;
+        useDefaultShell = true;
+        group =  "git";
+        extraGroups = [ "gitea" ];
+        home = config.services.gitea.stateDir;
+      };
+      groups.git = { };
+    };
+
+    services.nginx = {
+      upstreams.gitea = {
+        servers = {
+          "unix:${config.services.gitea.settings.server.HTTP_ADDR}" = { };
+        };
+      };
+      virtualHosts = {
+        "git.vimium.com" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".proxyPass = "http://gitea";
+        };
+      };
+    };
+
+    services.gitea = rec {
+      package = pkgs.unstable.gitea;
+      enable = true;
+      user = "git";
+      appName = "Vimium Git";
+      stateDir = "/var/lib/gitea";
+      repositoryRoot = "${stateDir}/repositories";
+      database = {
+        type = "sqlite3";
+        inherit user;
+        path = "${stateDir}/gitea.db";
+      };
+      lfs = {
+        enable = true;
+        contentDir = "${stateDir}/lfs";
+      };
+      settings = {
+        server = {
+          SSH_USER = "git";
+          SSH_DOMAIN = "git.vimium.com";
+          SSH_PORT = lib.head config.services.openssh.ports;
+          OFFLINE_MODE = true;
+          PROTOCOL = "http+unix";
+          DOMAIN = config.networking.domain;
+          ROOT_URL = "https://git.vimium.com/";
+        };
+        service.DISABLE_REGISTRATION = true;
+        session.COOKIE_SECURE = true;
+        log.ROOT_PATH = "${stateDir}/log";
+        ui = {
+          THEMES = "gitea,arc-green,github-dark,bthree-dark";
+          DEFAULT_THEME = "github-dark";
+        };
+        actions.ENABLED = true;
+        indexer = {
+          REPO_INDEXER_ENABLED = true;
+        };
+        packages.CHUNKED_UPLOAD_PATH = lib.mkForce "${stateDir}/data/tmp/package-upload";
+      };
+    };
+  };
+}
--- a/modules/services/headscale/default.nix
+++ b/modules/services/headscale/default.nix
@ -0,0 +1,43 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+let
+  cfg = config.modules.services.headscale;
+in {
+  options.modules.services.headscale = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx.virtualHosts = {
+      "headscale.vimium.net" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.headscale.port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
+    services.headscale = {
+      enable = true;
+      port = 8080;
+      settings = {
+        server_url = "https://headscale.vimium.net";
+        dns_config = {
+          base_domain = "vimium.net";
+        };
+        logtail.enabled = false;
+      };
+    };
+
+    environment.systemPackages = with pkgs; [
+      config.services.headscale.package
+    ];
+  };
+}
--- a/modules/services/matrix-synapse/default.nix
+++ b/modules/services/matrix-synapse/default.nix
@ -0,0 +1,127 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+let
+  cfg = config.modules.services.matrix-synapse;
+  matrixClientConfig = {
+    "m.homeserver" = {
+      base_url = "https://matrix.vimium.com";
+      server_name = "vimium.com";
+    };
+    "m.identity_server" = {};
+  };
+  matrixServerConfig."m.server" = "matrix.vimium.com:443";
+  mkWellKnown = data: ''
+    more_set_headers 'Content-Type: application/json';
+    return 200 '${builtins.toJSON data}';
+  '';
+in {
+  options.modules.services.matrix-synapse = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      8448 # Matrix federation
+    ];
+
+    security.acme.certs = {
+      "matrix.vimium.com" = {
+        reloadServices = [ "matrix-synapse" ];
+      };
+    };
+
+    services.nginx.virtualHosts = {
+      "chat.vimium.com" = {
+        forceSSL = true;
+        enableACME = true;
+        root = pkgs.unstable.element-web.override {
+          conf = {
+            default_server_config = matrixClientConfig;
+            brand = "Vimium Chat";
+            branding = {
+              auth_header_logo_url = "https://vimium.com/images/logo.svg";
+              auth_footer_links = [
+                { "text" = "Vimium.com"; "url" = "https://vimium.com"; }
+              ];
+            };
+          };
+        };
+      };
+      "matrix.vimium.com" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "[::1]";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::1]";
+            port = 80;
+          }
+          {
+            addr = "[::1]";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:8008";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-For $remote_addr;
+            '';
+          };
+          "/_matrix" = {
+            proxyPass = "http://localhost:8008";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-For $remote_addr;
+              client_max_body_size 50M;
+            '';
+          };
+          "/_synapse/client".proxyPass = "http://localhost:8008";
+        };
+      };
+      "vimium.com" = {
+        locations."= /.well-known/matrix/server".extraConfig = (mkWellKnown matrixServerConfig);
+        locations."= /.well-known/matrix/client".extraConfig = (mkWellKnown matrixClientConfig);
+      };
+    };
+
+    services.matrix-synapse = {
+      enable = true;
+      settings = {
+        database.name = "sqlite3";
+        enable_registration = false;
+        server_name = "vimium.com";
+        # turn_shared_secret = "???";
+        # turn_uris = [
+        #   "turn:turn.vimium.com:5349?transport=udp"
+        #   "turn:turn.vimium.com:5350?transport=udp"
+        #   "turn:turn.vimium.com:5349?transport=tcp"
+        #   "turn:turn.vimium.com:5350?transport=tcp"
+        # ];
+      };
+    };
+  };
+}
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@ -0,0 +1,157 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+let
+  cfg = config.modules.services.nginx;
+  nginxErrorPages = ''
+    location @error_pages {
+      rewrite ^.*$ /''${status}.html break;
+
+      root "/var/www/html/errors";
+    }
+  '';
+  nginxEdgeHeaders = ''
+    more_set_headers 'Server: Vimium';
+    more_set_headers 'Access-Control-Allow-Origin: *';
+    add_header Expect-CT max-age=30 always;
+    add_header Referrer-Policy strict-origin-when-cross-origin always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header Vimium-Responding-Instance $hostname;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options nosniff always;
+  '';
+  nginxStrictHeaders = ''
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header Permissions-Policy "fullscreen=(self), sync-xhr=(self)" always;
+  '';
+  mkRedirect = from: to: {
+    "${from}" = {
+      forceSSL = true;
+      enableACME = true;
+      serverAliases = [ "www.${from}" ];
+      locations."/".return = "301 https://${to}$request_uri";
+      extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
+    };
+  };
+in {
+  options.modules.services.nginx = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      80    # HTTP
+      443   # HTTPS
+    ];
+
+    services.nginx = {
+      enable = true;
+      package = pkgs.openresty;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      clientMaxBodySize = "2G";
+      sslProtocols = "TLSv1.2 TLSv1.3";
+      sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+      appendHttpConfig = ''
+        error_page 400 @error_pages;
+        error_page 401 @error_pages;
+        error_page 403 @error_pages;
+        error_page 404 @error_pages;
+        error_page 405 @error_pages;
+        error_page 429 @error_pages;
+        error_page 500 @error_pages;
+        error_page 501 @error_pages;
+        error_page 502 @error_pages;
+        error_page 503 @error_pages;
+        error_page 504 @error_pages;
+
+        client_body_buffer_size 16k;
+        client_header_buffer_size 8k;
+      '';
+      appendConfig = ''
+        worker_processes auto;
+        worker_cpu_affinity auto;
+        worker_rlimit_nofile 50000;
+      '';
+      eventsConfig = ''
+        worker_connections 20000;
+        multi_accept off;
+      '';
+      virtualHosts = {
+        ## Static sites
+        "jellyfin.vimium.com" = {
+          forceSSL = true;
+          enableACME = true;
+          extraConfig = nginxErrorPages + nginxEdgeHeaders;
+          locations."/" = {
+            proxyPass = "http://localhost:8000";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header Host $host;
+
+              proxy_set_header Range $http_range;
+              proxy_set_header If-Range $http_if_range;
+
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+            '';
+          };
+        };
+        "pki.vimium.com" = {
+          addSSL = true;
+          forceSSL = false;
+          enableACME = true;
+          extraConfig = ''
+            ${nginxErrorPages}
+            more_set_headers 'Server: Vimium';
+          '';
+          locations."/" = {
+            root = "/var/www/pki.vimium.com";
+          };
+        };
+        "suhailhussain.com" = {
+          forceSSL = true;
+          enableACME = true;
+          serverAliases = [ "www.suhailhussain.com" ];
+          extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
+          locations."/" = {
+            root = "/var/www/suhailhussain.com";
+          };
+        };
+        "vimium.com" = {
+          default = true;
+          forceSSL = true;
+          enableACME = true;
+          serverAliases = [ "www.vimium.com" ];
+          extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders + ''
+            add_header Content-Security-Policy "default-src 'self' https://vimium.com https://www.vimium.com; style-src 'unsafe-inline'; object-src 'none'; upgrade-insecure-requests" always;
+          '';
+          locations."/" = {
+            root = "/var/www/vimium.com";
+          };
+        };
+      }
+      ## Redirects
+      // (mkRedirect "h0lt.com" "jdholt.com")
+      // (mkRedirect "jordanholt.xyz" "jdholt.com")
+      // (mkRedirect "jdholt.com" "vimium.com")
+      // (mkRedirect "omnimagic.com" "vimium.com")
+      // (mkRedirect "omnimagic.net" "vimium.com")
+      // (mkRedirect "thelostlegend.com" "suhailhussain.com")
+      // (mkRedirect "vimium.co" "vimium.com")
+      // (mkRedirect "vimium.co.uk" "vimium.com")
+      // (mkRedirect "vimium.info" "vimium.com")
+      // (mkRedirect "vimium.net" "vimium.com")
+      // (mkRedirect "vimium.org" "vimium.com")
+      // (mkRedirect "vimium.xyz" "vimium.com");
+    };
+  };
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -1,10 +0,0 @@
-let
-  jordan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS";
-  users = [ jordan ];
-
-  odyssey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJre8/cjdoUnbTu0x4ClTITcq4lq+FjpEyJBbLbOlox7";
-  systems = [ odyssey ];
-in
-{
-  "secrets/odyssey_borg_passphrase.age".publicKeys = [ jordan odyssey ];
-}
--- a/secrets/odyssey_borg_passphrase.age
+++ b/secrets/odyssey_borg_passphrase.age