feat: Finished user setup

Reviewed-on: Jan/dotfiles#2

README.md

@@ -4,8 +4,39 @@ My NixOS configuration.
 
 ## Installation
 
-For disk configuration we use disko, this means that installing the system from the configuration is just a single command:
+For disk configuration we use disko, but for secrets management we use sops-nix and the particular setup makes the installation process a bit more involved. It is required that the computer from which the installation is being run has access to the `nixos-secrets` repository, otherwise you will need to manually add the required ssh keys to the installation image. 
+```bash
+# Load into the installer
+sudo passwd # Set a root password
 
+# From a machine with network access to the installer
+# and access to the nixos-secrets repo
+ssh -A root@(installer-ip)
+
+# Set up disks
+nix-shell -p disko
+disko --mode disko --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
+exit
+
+# Install NixOS
+nixos-install --no-channel-copy --no-root-password --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
+
+# Set up host credentials for access to the secrets
+cd /mnt/persist/system/etc/sops
+touch sops_ed25519_key 
+chmod 600 sops_ed25519_key
+nano sops_ed25519_key
 ```
-sudo nix --experimental-features "nix-command flakes" run "github:nix-community/disko/latest#disko-install" -- --flake git+https://git.bulthuis.dev/Jan/dotfiles#<hostname> --disk main /dev/sda
+If `nixos-install` is being stopped by the OOM-killer, you can try adding `-j 1` to limit the amount of jobs that will be executed at the same time to 1. It might require running nixos-install multiple times untill it has managed to download all requirements and slowly start building the rest of the system.
+
+## Updating
+
+To update the system configuration, it is a single command:
+```bash
+sudo system-update
 ```
+Or if this shell script has not been installed for some reason:
+```bash
+sudo nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config
+```
+Sometimes it may be necessary to reboot of course.

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748225455,
+        "lastModified": 1764350888,
-        "narHash": "sha256-AzlJCKaM4wbEyEpV3I/PUq5mHnib2ryEy32c+qfj6xk=",
+        "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba",
+        "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
+        "lastModified": 1747046372,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -54,6 +54,24 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -61,11 +79,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748134483,
+        "lastModified": 1764304195,
-        "narHash": "sha256-5PBK1nV8X39K3qUj8B477Aa2RdbLq3m7wRxUKRtggX4=",
+        "narHash": "sha256-bO7FN/bF6gG7TlZpKAZjO3VvfsLaPFkefeUfJJ7F/7w=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c1e671036224089937e111e32ea899f59181c383",
+        "rev": "86ff0ef506c209bb397849706e85cc3a913cb577",
         "type": "github"
       },
       "original": {
@@ -89,20 +107,41 @@
         "type": "github"
       }
     },
-    "nix-minecraft": {
+    "madd": {
       "inputs": {
-        "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1747581338,
+        "lastModified": 1754781336,
-        "narHash": "sha256-/+H9qce+NPsEcAC31s3pbD64nB6GKC3+3ZNLV1+tffk=",
+        "narHash": "sha256-EUavinU3psYqVDx7Cjdypsf4dUymdu1yawbwRYv6wbM=",
+        "ref": "refs/heads/master",
+        "rev": "d490b648ac5acb65aa24c8e8314c1a6fa9e2c0c1",
+        "revCount": 8,
+        "type": "git",
+        "url": "https://git.bulthuis.dev/Jan/madd"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.bulthuis.dev/Jan/madd"
+      }
+    },
+    "nix-minecraft": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751650156,
+        "narHash": "sha256-1gIPVDf159TQlcVg3WQBHMZVn8RllHOa8eT7AJPj2IE=",
         "owner": "Jan-Bulthuis",
         "repo": "nix-minecraft",
-        "rev": "44b6b40d7a3e0a114567b38a203029a5bc67e838",
+        "rev": "d3b3779fd78bd55db24d25e896438b2b51cbb6cb",
         "type": "github"
       },
       "original": {
@@ -133,16 +172,32 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1747958103,
+        "lastModified": 1764242076,
-        "narHash": "sha256-qmmFCrfBwSHoWw7cVK4Aj+fns+c54EBP8cGqp/yK410=",
+        "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fe51d34885f7b5e3e7b59572796e1bcb427eccb1",
+        "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1763049705,
+        "narHash": "sha256-A5LS0AJZ1yDPTa2fHxufZN++n8MCmtgrJDtxFxrH4S8=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "3acb677ea67d4c6218f33de0db0955f116b7588c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -152,9 +207,48 @@
         "disko": "disko",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
+        "madd": "madd",
         "nix-minecraft": "nix-minecraft",
         "nix-modpack": "nix-modpack",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable",
+        "secrets": "secrets",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "secrets": {
+      "locked": {
+        "lastModified": 1762547267,
+        "narHash": "sha256-bDYmYBJxtsSES+gcpHfpnURA7QDJ3cC1Mg2jzQl5zdg=",
+        "ref": "refs/heads/main",
+        "rev": "601b97ba998f743a333fe7523dd5825816155778",
+        "revCount": 17,
+        "type": "git",
+        "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759635238,
+        "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     },
     "systems": {
@@ -171,6 +265,21 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -3,13 +3,25 @@
 
   inputs = {
     # General inputs
-    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     home-manager.url = "github:nix-community/home-manager";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    # Secrets
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    secrets.url = "git+ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets";
+
+    # Disk setup
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
     impermanence.url = "github:nix-community/impermanence";
 
+    # MADD
+    madd.url = "git+https://git.bulthuis.dev/Jan/madd";
+    madd.inputs.nixpkgs.follows = "nixpkgs";
+
     # For Minecraft VM
     nix-minecraft.url = "github:Jan-Bulthuis/nix-minecraft";
     nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";

glue/default.nix

@@ -4,6 +4,10 @@ let
   nixpkgs = inputs.nixpkgs;
   lib = nixpkgs.lib;
 
+  nixpkgs-config = {
+    allowUnfree = true;
+  };
+
   importDir =
     path: fn:
     let
@@ -49,6 +53,13 @@ let
     pkgs = (
       import inputs.nixpkgs {
         inherit system;
+        config = nixpkgs-config;
+      }
+    );
+    stable-pkgs = (
+      import inputs.nixpkgs-stable {
+        inherit system;
+        config = nixpkgs-config;
       }
     );
   });
@@ -118,13 +129,22 @@ let
       nixpkgs.overlays = [ overlay ] ++ inputOverlays;
     };
 
+  nixpkgsModule =
+    { ... }:
+    {
+      nixpkgs.config = nixpkgs-config;
+    };
+
   nixosConfigurations = importDir "${flake}/hosts" (
     attrs:
     lib.mapAttrs (
       name: entry:
+      let
+        pkgs-stable = systemArgs."x86_64-linux".stable-pkgs;
+      in
       lib.nixosSystem {
         specialArgs = {
-          inherit inputs;
+          inherit inputs pkgs-stable;
         };
         modules =
           let
@@ -143,8 +163,11 @@ let
             usersModule =
               { ... }:
               {
+                home-manager.extraSpecialArgs = {
+                  inherit inputs pkgs-stable;
+                };
                 home-manager.sharedModules = homeModules ++ homeProfiles ++ inputHomeModules;
-                home-manager.useUserPackages = false; # TODO: See if this should be changed to true?
+                home-manager.useUserPackages = true;
                 home-manager.useGlobalPkgs = true;
                 home-manager.users = homesConfiguration;
                 users.users = usersConfiguration;
@@ -155,6 +178,7 @@ let
             systemPath
             overlayModule
             usersModule
+            nixpkgsModule
           ]
           ++ nixosModules
           ++ nixosProfiles

hosts/20212060/configuration.nix

@@ -1,4 +1,9 @@
-{ flake, ... }:
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
 
 {
   # State version
@@ -11,8 +16,87 @@
   users.users.jan.extraGroups = [
     "wheel"
     "wireshark"
+    "podman"
   ];
 
+  # Set up kerberos
+  security.krb5 = {
+    enable = true;
+    settings = {
+      libdefaults = {
+        rdns = false;
+      };
+      realms = (inputs.secrets.gewis.krb5Realm);
+    };
+  };
+
+  services.netbird = {
+    enable = true;
+  };
+
+  # TODO: Move clatd setup
+
+  # services.clatd = {
+  #   enable = true;
+  #   enableNetworkManagerIntegration = true;
+  # };
+  # networking.networkmanager.settings = {
+  #   connection."ipv6.clat" = "yes";
+  # };
+  networking.networkmanager.package = pkgs.networkmanager.overrideAttrs (
+    final: prev: {
+      src = pkgs.fetchFromGitLab {
+        domain = "gitlab.freedesktop.org";
+        owner = "Mstrodl";
+        repo = "NetworkManager";
+        # rev = "d367285a1fec5167f2fa94af2ea1448b6e21650e";
+        # sha256 = "0BHxuJ6KtFoVxh2Xt0bq4oM3q87QBhtawyMtixz/cPs=";
+        rev = "fa3b0c6ade05a67316520d143608c5bd9963a23c";
+        hash = "sha256-7TENrRDKXMFPWv6oDuBWBYIBrDvNsy/JGtkppMk1oQo=";
+      };
+
+      postPatch = prev.postPatch + ''
+        substituteInPlace meson.build \
+          --replace "find_program('clang'" "find_program('${pkgs.stdenv.cc.targetPrefix}clang'"
+      '';
+
+      hardeningDisable = [
+        "zerocallusedregs"
+        "shadowstack"
+        "pacret"
+      ];
+
+      nativeBuildInputs =
+        prev.nativeBuildInputs
+        ++ (with pkgs; [
+          xdp-tools
+          bpftools
+          buildPackages.llvmPackages.clang
+          buildPackages.llvmPackages.libllvm
+        ]);
+
+      buildInputs =
+        prev.buildInputs
+        ++ (with pkgs; [
+          libbpf
+        ]);
+
+      mesonFlags = prev.mesonFlags ++ [
+        "-Dclat=true"
+        "-Dnbft=false"
+        "-Dbpf-compiler=clang"
+      ];
+    }
+  );
+
+  # TODO: Remove once laptop is properly integrated into domain
+  programs.ssh = {
+    package = pkgs.openssh_gssapi;
+    extraConfig = ''
+      GSSAPIAuthentication yes
+    '';
+  };
+
   # Enable virtualisation for VMs
   virtualisation.libvirtd.enable = true;
 
@@ -23,17 +107,46 @@
     usbmon.enable = true;
   };
 
+  # Enable Nix-LD
+  programs.nix-ld = {
+    enable = true;
+  };
+
   # Set up wstunnel client
   services.wstunnel = {
     enable = true;
     clients.wg-tunnel = {
       connectTo = "wss://tunnel.bulthuis.dev:443";
-      localToRemote = [
+      settings.local-to-remote = [
         "udp://51820:10.10.40.100:51820"
       ];
     };
   };
 
+  # Enable flatpak
+  services.flatpak.enable = true;
+
+  # Set up MADD
+  # services.madd-client = {
+  #   enable = true;
+  #   endpoint = "http://localhost:3000";
+  #   interface = "wlp0s20f3";
+  # };
+  # services.madd-server = {
+  #   enable = true;
+  #   settings = {
+  #     bind = "127.0.0.1:3000";
+  #     zone = "lab.bulthuis.dev";
+  #     networks = [ "10.0.0.0/8" ];
+  #     registration_limit = 1;
+  #     dns_server = "127.0.0.1:2053";
+  #     tsig_key_name = "madd";
+  #     tsig_key_file = "/home/jan/Code/MADD/madd.tsig";
+  #     tsig_algorithm = "hmac-sha256";
+  #     data_dir = "/var/lib/madd";
+  #   };
+  # };
+
   # Module setup
   modules = {
     profiles.laptop.enable = true;
@@ -42,4 +155,52 @@
   imports = [
     ./hardware-configuration.nix
   ];
+
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    dockerSocket.enable = true;
+    autoPrune.enable = true;
+  };
+
+  environment.systemPackages =
+    let
+      wrapProgram =
+        pkg: bwrapArgs:
+        pkgs.runCommandLocal pkg.name { bwrapArgs = (lib.join " \\\n" bwrapArgs) + " \\"; } ''
+          mkdir -p $out
+
+          # Link all top level folders
+          ln -s ${pkg}/* $out
+
+          # Except for bin
+          rm $out/bin
+          mkdir -p $out/bin
+
+          # Wrap each executable
+          for file in ${pkg}/bin/*; do
+            base=$(basename $file)
+            echo "#!/usr/bin/env bash" > $out/bin/$base
+            echo "exec ${pkgs.bubblewrap}/bin/bwrap \\" >> $out/bin/$base
+            echo "$bwrapArgs" >> $out/bin/$base
+            echo "-- $file \"\$@\"" >> $out/bin/$base
+            chmod +x $out/bin/$base
+          done
+        '';
+      wish = pkgs.writeShellScriptBin "wish" ''
+        env
+        exec ${lib.getExe pkgs.firefox} "$@"
+      '';
+    in
+    [
+      (wrapProgram wish [
+        "--new-session"
+        "--unshare-all"
+        "--clearenv"
+        "--dev /dev"
+        "--proc /proc"
+        "--ro-bind /nix/store /nix/store"
+        "--bind $HOME/Code $HOME/Code"
+      ])
+    ];
 }

hosts/20212060/users/compprog.nix

@@ -0,0 +1,120 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  home.stateVersion = "24.11";
+
+  home.packages = with pkgs; [
+    # Desktop environment
+    gnome-text-editor
+    gnome-calculator
+    gnome-console
+    gnome-logs
+    gnome-system-monitor
+    nautilus
+    adwaita-icon-theme
+    gnome-control-center
+    gnome-shell-extensions
+    glib
+    gnome-menus
+    gtk3.out
+    xdg-user-dirs
+    xdg-user-dirs-gtk
+    cantarell-fonts
+    dejavu_fonts
+    source-code-pro
+    source-sans
+    gnome-session
+    adwaita-fonts
+
+    # Coding tools
+    vim-full
+    nano
+    neovim
+    emacs
+    gedit
+    geany
+    kdePackages.kate
+    vscode
+    python310
+    jdk17
+    gnumake
+    gcc
+    lldb
+    # pypy310
+
+    # Runners
+    (writeShellScriptBin "mygcc" "gcc -std=gnu17 -x c -Wall -O2 -static -pipe -o $1 \"$1.c\" -lm")
+    (writeShellScriptBin "mygpp" "g++ -std=gnu++20 -x c++ -Wall -O2 -static -pipe -o $1 \"$1.cpp\" -lm")
+    (writeShellScriptBin "mypython" "python3 $@")
+    (writeShellScriptBin "myjavac" "javac -encoding UTF-8 -sourcepath . -d . $@")
+    (writeShellScriptBin "mykotlinc" "kotlinc -d . $@")
+  ];
+
+  modules.profiles.gnome.enable = true;
+
+  programs.vscode = {
+    enable = true;
+    mutableExtensionsDir = false;
+    profiles.default = {
+      extensions = with pkgs.vscode-extensions; [
+        ms-vscode.cpptools
+        ms-dotnettools.csharp
+        formulahendry.code-runner
+        vscjava.vscode-java-debug
+        dbaeumer.vscode-eslint
+        redhat.java
+        ms-python.python
+      ];
+    };
+  };
+
+  programs.firefox = {
+    enable = true;
+    package = pkgs.firefox;
+    profiles.default = {
+      settings = {
+        "browser.startup.homepage" = "https://domjudge.bulthuis.dev";
+      };
+      bookmarks = {
+        force = true;
+        settings = [
+          {
+            name = "Sites";
+            toolbar = true;
+            bookmarks = [
+              {
+                name = "C Reference";
+                url = "https://en.cppreference.com/w/c";
+              }
+              {
+                name = "C++ Reference";
+                url = "https://en.cppreference.com/w/cpp";
+              }
+              {
+                name = "Python 3.10 documentation";
+                url = "https://docs.python.org/3.10/download.html";
+              }
+              {
+                name = "Java 17 API Specification";
+                url = "https://docs.oracle.com/en/java/javase/17/docs/api/";
+              }
+              {
+                name = "Kotlin Language Documentation";
+                url = "https://kotlinlang.org/docs/kotlin-reference.pdf";
+              }
+              {
+                name = "DOMjudge Team Manual";
+                url = "https://www.domjudge.org/docs/manual/main/index.html";
+              }
+            ];
+          }
+        ];
+      };
+    };
+  };
+}

hosts/20212060/users/jan.nix

@@ -1,4 +1,5 @@
 {
+  pkgs,
   ...
 }:
 
@@ -6,4 +7,25 @@
   home.stateVersion = "24.11";
 
   modules.profiles.jan.enable = true;
+
+  # home.packages = with pkgs; [
+  #   opencloud-desktop
+  #   code-nautilus
+  #   nautilus-open-in-blackbox
+  # ];
+
+  xdg.desktopEntries = {
+    canvas = {
+      name = "Canvas";
+      type = "Application";
+      exec = "${pkgs.chromium}/bin/chromium --app=\"https://canvas.tue.nl\" --user-data-dir=/home/jan/.local/state/Canvas";
+      settings.StartupWMClass = "chrome-canvas.tue.nl__-Default";
+    };
+    overleaf = {
+      name = "Overleaf";
+      type = "Application";
+      exec = "${pkgs.chromium}/bin/chromium --app=\"https://www.overleaf.com\" --user-data-dir=/home/jan/.local/state/Overleaf";
+      settings.StartupWMClass = "chrome-www.overleaf.com__-Default";
+    };
+  };
 }

hosts/vm-audio/configuration.nix

@@ -77,7 +77,7 @@
     group = "mixer";
     extraGroups = [ "systemd-journal" ];
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq jan@bulthuis.dev"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Personal"
     ];
   };
   users.groups.mixer = { };

hosts/vm-audio/users/local.nix

@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  home.stateVersion = "24.11";
-
-  modules.profiles.base.enable = true;
-}

hosts/vm-infra/configuration.nix

@@ -0,0 +1,39 @@
+{
+  inputs,
+  ...
+}:
+
+{
+  # State version
+  system.stateVersion = "25.05";
+
+  # Machine hostname
+  networking.hostName = "vm-infra";
+
+  # Enabled modules
+  modules = {
+    profiles.vm.enable = true;
+  };
+
+  # Setup JOOL NAT64
+  networking.jool = {
+    enable = true;
+    nat64.default = {
+      global.pool6 = "64:ff9b::/96";
+      pool4 = [
+        {
+          protocol = "TCP";
+          prefix = "10.64.0.1/32";
+        }
+        {
+          protocol = "UDP";
+          prefix = "10.64.0.1/32";
+        }
+        {
+          protocol = "ICMP";
+          prefix = "10.64.0.1/32";
+        }
+      ];
+    };
+  };
+}

hosts/vm-minecraft/configuration.nix

@@ -25,14 +25,27 @@
 
   # Set up minecraft servers
   users.users.local.extraGroups = [ "minecraft" ];
+  modules.impermanence.directories = [
+    "/srv/minecraft"
+  ];
   services.minecraft-servers = {
     enable = true;
     eula = true;
     openFirewall = true;
     servers = {
-      modpack = {
+      vanilla = {
         enable = true;
         autoStart = true;
+        serverProperties = {
+          white-list = true;
+          difficulty = "normal";
+          max-players = 5;
+        };
+        package = inputs.nix-minecraft.legacyPackages.${pkgs.system}.fabricServers.fabric-1_21_7;
+      };
+      modpack = {
+        enable = false;
+        autoStart = true;
         serverProperties = { };
         package = inputs.nix-modpack.packages.${pkgs.system}.mkModpackServer {
           packUrl = "https://raw.githubusercontent.com/Jan-Bulthuis/Modpack/refs/heads/master/pack.toml";

hosts/vm-minecraft/users/local.nix

@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  home.stateVersion = "24.11";
-
-  modules.profiles.base.enable = true;
-}

hosts/vm-oddjob/configuration.nix

@@ -0,0 +1,143 @@
+{
+  inputs,
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+{
+  # State version
+  system.stateVersion = "24.11";
+
+  # Machine hostname
+  networking.hostName = "vm-oddjob";
+
+  # Enabled modules
+  modules = {
+    profiles.vm.enable = true;
+  };
+
+  # Omada Software Controller
+  users.users.omada = {
+    isSystemUser = true;
+    group = "omada";
+  };
+  users.groups.omada = { };
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    defaultNetwork.settings.dns_enabled = true;
+  };
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers = {
+      omada-controller = {
+        volumes = [
+          "/var/lib/omada:/opt/tplink/EAPController/data"
+        ];
+        environment = {
+          TZ = "Europe/Amsterdam";
+        };
+        extraOptions = [
+          "--network=host"
+          "--ulimit"
+          "nofile=4096:8192"
+        ];
+        image = "mbentley/omada-controller:5.15";
+      };
+    };
+  };
+  modules.impermanence.directories = [
+    "/var/lib/omada"
+  ];
+  networking.firewall = {
+    allowedTCPPorts = [
+      8088
+      8043
+      8843
+    ];
+    allowedTCPPortRanges = [
+      {
+        from = 29811;
+        to = 29816;
+      }
+    ];
+    allowedUDPPorts = [
+      19810
+      27001
+      29810
+    ];
+  };
+
+  # Setup NAS backups
+  environment.systemPackages = with pkgs; [
+    keyutils
+  ];
+  environment.etc."request-key.d/cifs.spnego.conf".text = ''
+    create cifs.spnego * * ${pkgs.cifs-utils}/bin/cifs.upcall -t %k
+  '';
+  environment.etc."request-key.d/cifs.idmap.conf".text = ''
+    create cifs.idmap * * ${pkgs.cifs-utils}/bin/cifs.idmap %k
+  '';
+  sops.secrets."smb-credentials" = {
+    sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
+  };
+  sops.secrets."backup-script-env" = {
+    sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
+  };
+  services.cron = {
+    enable = true;
+    systemCronJobs =
+      let
+        script = pkgs.writeShellScript "backup-script" (
+          lib.concatStrings (
+            [
+              ''
+                . ${config.sops.secrets."backup-script-env".path}
+                export PBS_REPOSITORY=$PBS_REPOSITORY
+                export PBS_NAMESPACE=$PBS_NAMESPACE
+                export PBS_PASSWORD=$PBS_PASSWORD
+                export PBS_FINGERPRINT=$PBS_FINGERPRINT
+              ''
+            ]
+            ++ lib.map (share: ''
+              systemctl start mnt-${share}.mount
+              ${pkgs.util-linux}/bin/prlimit --nofile=1024:1024 ${pkgs.proxmox-backup-client}/bin/proxmox-backup-client backup nfs.pxar:/mnt/${share} --ns $PBS_NAMESPACE --backup-id share-${share} --change-detection-mode=metadata --exclude "#recycle"
+              systemctl stop mnt-${share}.mount
+            '') inputs.secrets.lab.nas.backupShares
+          )
+        );
+      in
+      [
+        "0 0 * * * root ${script}"
+      ];
+  };
+
+  # Mount filesystems
+  systemd.services.krb5-mnt-credentials = {
+    description = "Set up Kerberos credentials for mounting shares";
+    before = map (share: "mnt-${share}.mount") inputs.secrets.lab.nas.backupShares;
+    requiredBy = map (share: "mnt-${share}.mount") inputs.secrets.lab.nas.backupShares;
+    after = [ "network-online.target" ];
+    requires = [ "network-online.target" ];
+    serviceConfig.Type = "oneshot";
+    script = ''
+      . ${config.sops.secrets."smb-credentials".path}
+      echo $password | ${pkgs.krb5}/bin/kinit $username
+    '';
+  };
+  fileSystems = lib.listToAttrs (
+    lib.map (share: {
+      name = "/mnt/${share}";
+      value = {
+        device = "//${inputs.secrets.lab.nas.host}/${share}";
+        fsType = "cifs";
+        options = [
+          "noauto"
+          "sec=krb5,credentials=${config.sops.secrets."smb-credentials".path}"
+        ];
+      };
+    }) inputs.secrets.lab.nas.backupShares
+  );
+}

hosts/vm-test/configuration.nix

@@ -0,0 +1,19 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+{
+  # State version
+  system.stateVersion = "24.11";
+
+  # Machine hostname
+  networking.hostName = "vm-test";
+
+  # Enabled modules
+  modules = {
+    profiles.vm.enable = true;
+  };
+}

hosts/vm-vpn/users/local.nix

@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  home.stateVersion = "24.11";
-
-  modules.profiles.base.enable = true;
-}

hosts/ws-think/configuration.nix

@@ -0,0 +1,117 @@
+{
+  inputs,
+  pkgs,
+  config,
+  ...
+}:
+
+{
+  # State version
+  system.stateVersion = "24.05";
+
+  # Machine hostname
+  networking.hostName = "ws-think";
+
+  # Set up users
+  sops.secrets."passwords/jan-hashed" = {
+    sopsFile = "${inputs.secrets}/secrets/ws-think.enc.yaml";
+    neededForUsers = true;
+  };
+  users.mutableUsers = false;
+  users.users.Jan = {
+    hashedPasswordFile = config.sops.secrets."passwords/jan-hashed".path;
+    # Extra admin groups
+    # TODO: Streamline setup of this
+    extraGroups = [
+      "wheel"
+      "wireshark"
+      "podman"
+      "libvirtd"
+    ];
+  };
+
+  # Set up kerberos
+  security.krb5 = {
+    enable = true;
+    settings = {
+      libdefaults = {
+        rdns = false;
+      };
+      realms = (inputs.secrets.gewis.krb5Realm);
+    };
+  };
+
+  services.netbird = {
+    enable = true;
+  };
+
+  # SSH X11 forwarding
+  programs.ssh.forwardX11 = true;
+
+  # Enable older samba versions
+  services.samba = {
+    enable = true;
+    settings = {
+      global = {
+        "invalid users" = [ "root" ];
+        "passwd program" = "/run/wrappers/bin/passwd %u";
+        "security" = "user";
+        "client min protocol" = "NT1";
+      };
+    };
+  };
+
+  # TODO: Remove once laptop is properly integrated into domain
+  programs.ssh = {
+    package = pkgs.openssh_gssapi;
+    extraConfig = ''
+      GSSAPIAuthentication yes
+    '';
+  };
+
+  # Enable virtualisation for VMs
+  virtualisation.libvirtd.enable = true;
+  programs.virt-manager.enable = true;
+
+  # Enable wireshark
+  programs.wireshark = {
+    enable = true;
+    dumpcap.enable = true;
+    usbmon.enable = true;
+  };
+
+  # Enable Nix-LD
+  programs.nix-ld = {
+    enable = true;
+  };
+
+  # Set up wstunnel client
+  services.wstunnel = {
+    enable = true;
+    clients.wg-tunnel = {
+      connectTo = "wss://tunnel.bulthuis.dev:443";
+      settings.local-to-remote = [
+        "udp://51820:10.10.40.100:51820"
+      ];
+    };
+  };
+
+  # Enable flatpak
+  services.flatpak.enable = true;
+
+  # Module setup
+  modules = {
+    profiles.laptop.enable = true;
+  };
+
+  # Set up podman
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    dockerSocket.enable = true;
+    autoPrune.enable = true;
+  };
+
+  # Set up hardware
+  imports = [ ./hardware-configuration.nix ];
+}

hosts/ws-think/hardware-configuration.nix

@@ -0,0 +1,61 @@
+{ ... }:
+
+{
+  # Machine platform
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  # Set hostid (required for ZFS)
+  networking.hostId = "deadbeef";
+
+  # Hardware configuration
+  hardware.enableRedistributableFirmware = true;
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "nvme"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  hardware.cpu.intel.updateMicrocode = true;
+
+  # Filesystems
+  fileSystems = {
+    "/" = {
+      device = "tank/root";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+    "/nix" = {
+      device = "tank/nix";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+    "/persist" = {
+      device = "tank/persist";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/46BF-DE2C";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+  };
+
+  # Swap setup
+  swapDevices = [
+    {
+      device = "/dev/disk/by-uuid/9f6f2a47-e53a-45a0-8cb2-8c1082f54ccb";
+      discardPolicy = "both";
+    }
+  ];
+}

hosts/ws-think/users/Jan.nix

@@ -0,0 +1,31 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  home.stateVersion = "25.11";
+
+  modules.profiles.jan.enable = true;
+
+  # home.packages = with pkgs; [
+  #   opencloud-desktop
+  #   code-nautilus
+  #   nautilus-open-in-blackbox
+  # ];
+
+  xdg.desktopEntries = {
+    canvas = {
+      name = "Canvas";
+      type = "Application";
+      exec = "${pkgs.chromium}/bin/chromium --app=\"https://canvas.tue.nl\" --user-data-dir=/home/jan/.local/state/Canvas";
+      settings.StartupWMClass = "chrome-canvas.tue.nl__-Default";
+    };
+    overleaf = {
+      name = "Overleaf";
+      type = "Application";
+      exec = "${pkgs.chromium}/bin/chromium --app=\"https://www.overleaf.com\" --user-data-dir=/home/jan/.local/state/Overleaf";
+      settings.StartupWMClass = "chrome-www.overleaf.com__-Default";
+    };
+  };
+}

modules/home/desktop/gnome.nix

@@ -15,14 +15,14 @@ in
   };
 
   config = mkIf cfg.enable {
-    # TODO: Enable extensions with dconf
+    # TODO: Enable extensions (declaratively) with dconf
 
     home.pointerCursor = {
+      enable = true;
       name = "capitaine-cursors";
       size = 24;
       package = pkgs.capitaine-cursors;
       gtk.enable = true;
-      x11.enable = true;
     };
 
     home.packages =
@@ -50,32 +50,47 @@ in
         file-roller
         mission-center
         dconf-editor
+        gnome-calendar
 
         # For theming gtk3
-        adw-gtk3
+        # adw-gtk3 # TODO: Do this better, same for morewaita, not sure if it even works
+
+        # More icons
+        # morewaita-icon-theme
       ]
       ++ (with pkgs.gnomeExtensions; [
         gsconnect
         disable-workspace-animation
         wallpaper-slideshow
         media-progress
-        # luminus-desktop
+        mpris-label
+        pip-on-top
+        rounded-window-corners-reborn
       ]);
 
-    # Enable and set the gtk themes
+    # Set up gnome terminal as changing the default terminal is a pain
-    gtk = {
+    programs.gnome-terminal = {
       enable = true;
-      gtk3.extraConfig = {
+      profile."12d2da79-b36c-43d5-8e1f-cf70907b84b3" = {
-        gtk-theme-name = "adw-gtk3";
+        visibleName = "Default";
-      };
+        default = true;
-      gtk4.extraConfig = {
-        gtk-theme-name = "Adwaita";
       };
     };
 
+    # Enable and set the gtk themes
+    # gtk = {
+    #   enable = true;
+    #   gtk3.extraConfig = {
+    #     gtk-theme-name = "adw-gtk3";
+    #   };
+    #   gtk4.extraConfig = {
+    #     gtk-theme-name = "Adwaita";
+    #   };
+    # };
+
     # Set the theme with dconf
-    dconf.settings."org/gnome/desktop/interface" = {
+    # dconf.settings."org/gnome/desktop/interface" = {
-      gtk-theme = "adw-gtk3";
+    #   gtk-theme = "adw-gtk3";
-    };
+    # };
   };
 }

modules/home/development/languages/go.nix

@@ -0,0 +1,42 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.go;
+in
+{
+  options.modules.go = {
+    enable = mkEnableOption "go";
+  };
+
+  config = mkIf cfg.enable {
+    # Development packages
+    home.packages = with pkgs; [
+    ];
+
+    # VSCode configuration
+    programs.vscode = {
+      profiles.default = {
+        extensions = with pkgs.vscode-extensions; [
+          golang.go
+
+        ];
+
+        userSettings = {
+        };
+      };
+    };
+
+    # Neovim configuration
+    # programs.nixvim = {
+    #   plugins.rustaceanvim = {
+    #     enable = true;
+    #   };
+    # };
+  };
+}

modules/home/development/mathematica.nix

@@ -9,10 +9,11 @@ with lib;
 let
   cfg = config.modules.mathematica;
 
-  my-mathematica = pkgs.mathematica.override {
+  my-mathematica = pkgs.mathematica.overrideAttrs (old: {
+    force-rebuild = "1";
     # TODO: Just use a generic name for the installer?
     # source = ./Wolfram_14.2.1_LIN_Bndl.sh;
-  };
+  });
 in
 {
   options.modules.mathematica = {
@@ -21,6 +22,7 @@ in
 
   config = mkIf cfg.enable {
     home.packages = [
+      # pkgs.mathematica-cuda
       my-mathematica
     ];
   };

modules/home/utilities/bitwarden.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.bitwarden;
+in
+{
+  options.modules.bitwarden = {
+    enable = mkEnableOption "Bitwarden";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      bitwarden-desktop
+    ];
+  };
+}

modules/home/utilities/secrets.nix

@@ -0,0 +1,43 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.secrets;
+  secrets = inputs.secrets;
+in
+{
+  options.modules.secrets = {
+    enable = mkEnableOption "secrets";
+    defaultFile = mkOption {
+      type = types.str;
+      default = "${secrets}/secrets/common.enc.yaml";
+      description = ''
+        The default file to use for SOPS.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        All secrets that should be made available.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Set up SOPS
+    # TODO: Fix the key not being present in .config/sops before sops-nix runs
+    sops.defaultSopsFile = cfg.defaultFile;
+    sops.age.sshKeyPaths = [
+      "${config.home.homeDirectory}/.config/sops/sops_ed25519_key"
+      # "/persist/home/${config.home.username}/.config/sops/sops_ed25519_key"
+    ];
+    sops.secrets = cfg.secrets;
+    modules.impermanence.directories = [ ".config/sops" ];
+  };
+}

modules/nixos/bootloader.nix

@@ -16,5 +16,8 @@ in
       systemd-boot.editor = false;
       efi.canTouchEfiVariables = true;
     };
+
+    # Initrd
+    boot.initrd.systemd.enable = true;
   };
 }

modules/nixos/disko.nix

@@ -20,5 +20,7 @@ in
     };
   };
 
-  config = mkIf cfg.enable { disko.devices = profile.disko.devices; };
+  config = mkIf cfg.enable {
+    disko.devices = profile.disko.devices;
+  };
 }

modules/nixos/domain.nix

@@ -0,0 +1,218 @@
+{
+  inputs,
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.domain;
+  domain = inputs.secrets.lab.domain;
+  domainUpper = lib.strings.toUpper domain;
+in
+{
+  options.modules.domain = {
+    enable = mkEnableOption "Domain Integration";
+    join = {
+      userFile = mkOption {
+        type = types.str;
+        description = "File containing the user used to join the computer.";
+      };
+      passwordFile = mkOption {
+        type = types.str;
+        description = "File containing the password for the join user.";
+      };
+      domainOUFile = mkOption {
+        type = types.str;
+        description = "The OU to join the computer to.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Set network domain
+    networking.domain = domain;
+    networking.search = [ domain ];
+
+    # Automatically join the domain
+    systemd.services.adcli-join = {
+      description = "Automatically join the domain";
+      wantedBy = [ "default.target" ];
+      before = [ "sssd.service" ];
+      requiredBy = [ "sssd.service" ];
+      after = [
+        "network-online.target"
+      ];
+      requires = [
+        "network-online.target"
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+      };
+      script = ''
+        ADCLI_JOIN_USER=$(cat ${cfg.join.userFile})
+        ADCLI_JOIN_OU=$(cat ${cfg.join.domainOUFile})
+        ${pkgs.adcli}/bin/adcli join -D ${domain} \
+          -U $ADCLI_JOIN_USER \
+          -O $ADCLI_JOIN_OU \
+          --dont-expire-password=true \
+          --stdin-password < ${cfg.join.passwordFile}
+      '';
+    };
+
+    # Set up Kerberos
+    security.krb5 = {
+      enable = true;
+      settings = {
+        libdefaults = {
+          default_realm = domainUpper;
+        };
+        realms.${domainUpper} = {
+        };
+        domain_realm = {
+          "${domain}" = domainUpper;
+          ".${domain}" = domainUpper;
+        };
+      };
+    };
+
+    # Set up SSSD
+    services.sssd = {
+      enable = true;
+      config = ''
+        [sssd]
+        domains = ${domain}
+        config_file_version = 2
+        services = nss, pam
+
+        [nss]
+        filter_users = ${concatStringsSep "," (lib.attrNames config.users.users)}
+        filter_groups = ${concatStringsSep "," (lib.attrNames config.users.groups)}
+
+        [domain/${domain}]
+        enumerate = False
+        ad_domain = ${domain}
+        krb5_realm = ${domainUpper}H
+        id_provider = ad
+        auth_provider = ad
+        access_provider = ad
+        chpass_provider = ad
+        use_fully_qualified_names = False
+        ldap_schema = ad
+        ldap_id_mapping = True
+        ad_gpo_access_control = enforcing
+        ad_gpo_implicit_deny = True
+        dyndns_update = True
+        dyndns_update_ptr = False
+        dyndns_refresh_interval = 86400
+        dyndns_ttl = 3600
+      '';
+    };
+    security.pam.services.login.sssdStrictAccess = true;
+    security.pam.services.sshd.sssdStrictAccess = true;
+    security.pam.services.su.sssdStrictAccess = true;
+
+    # Set up Sudo
+    security.sudo =
+      let
+        admin_group = "host_${lib.replaceStrings [ "-" ] [ "_" ] config.networking.hostName}_admin";
+      in
+      {
+        extraConfig = ''
+          %${admin_group} ALL=(ALL) SETENV: ALL
+        '';
+      };
+
+    # Set up SSH
+    programs.ssh = {
+      package = pkgs.openssh_gssapi;
+      extraConfig = ''
+        GSSAPIAuthentication yes
+      '';
+    };
+    services.openssh = {
+      package = pkgs.openssh_gssapi;
+      settings = {
+        GSSAPIAuthentication = true;
+        GSSAPICleanupCredentials = true;
+        GSSAPIStrictAcceptorCheck = true;
+      };
+    };
+
+    # Set up home directory
+    security.pam.services.login.makeHomeDir = true;
+    security.pam.services.sshd.makeHomeDir = true;
+    security.pam.services.su.makeHomeDir = true;
+    environment.etc.profile.text =
+      let
+        # TODO: Activate configuration based on AD group
+        homeConfiguration = inputs.home-manager.lib.homeManagerConfiguration {
+          inherit pkgs;
+          modules = [
+            (
+              { lib, ... }:
+              {
+                home.stateVersion = "24.11";
+                home.username = "$USER";
+                home.homeDirectory = "/.$HOME";
+                modules.profiles.base.enable = true;
+
+                # Mount the directories from the network share
+                # home.activation.dirMount =
+                #   let
+                #     bindScript = dir: ''
+                #       mkdir -p /network/$USER/${dir}
+                #       mkdir -p $HOME/${dir}
+                #       ${pkgs.bindfs}/bin/bindfs /network/$USER/${dir} $HOME/${dir}
+                #     '';
+                #   in
+                #   lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+                #     if ! ${pkgs.krb5}/bin/klist -s; then
+                #       echo "No kerberos ticket found"
+                #       ${pkgs.krb5}/bin/kinit
+                #     fi
+
+                #     if ${pkgs.krb5}/bin/klist -s; then
+                #       echo "Kerberos ticket found, mounting home directory"
+                #       ${bindScript "Documents"}
+                #       ${bindScript "Music"}
+                #       ${bindScript "Pictures"}
+                #       ${bindScript "Video"}
+                #     else
+                #       echo "Still no kerberos ticket found, skipping home directory mount"
+                #     fi
+                #   '';
+              }
+            )
+          ] ++ config.home-manager.sharedModules;
+        };
+      in
+      mkAfter ''
+        # Activate Home Manager configuration for domain users
+        if id | egrep -o 'groups=.*' | sed 's/,/\n/g' | cut -d'(' -f2 | sed 's/)//' | egrep -o "^domain users$"; then
+          echo "Setting up environment for domain user"
+          SKIP_SANITY_CHECKS=1 ${homeConfiguration.activationPackage}/activate
+          if test -f "$HOME/.bashrc"; then
+            . $HOME/.bashrc
+          fi
+        fi
+      '';
+
+    # Automatically mount home share
+    # Can be accessed at /network/$USER
+    # services.autofs = {
+    #   enable = true;
+    #   autoMaster =
+    #     let
+    #       networkMap = pkgs.writeText "auto" ''
+    #         * -fstype=cifs,sec=krb5,user=&,uid=$UID,gid=$GID,cruid=$UID ://${inputs.secrets.lab.nas.host}/home
+    #       '';
+    #     in
+    #     ''
+    #       /network ${networkMap} --timeout=30
+    #     '';
+    # };
+  };
+}

modules/nixos/gnome.nix

@@ -17,10 +17,9 @@ in
 
   config = mkIf cfg.enable {
     # Enable GDM and Gnome
-    services.xserver.enable = true;
+    services.displayManager.gdm.enable = true;
-    services.xserver.displayManager.gdm.enable = true;
+    services.desktopManager.gnome.enable = true;
-    services.xserver.desktopManager.gnome.enable = true;
+    services.gnome.core-apps.enable = false;
-    services.gnome.core-utilities.enable = false;
     services.gnome.games.enable = false;
     services.gnome.core-developer-tools.enable = false;
     environment.gnome.excludePackages = with pkgs; [
@@ -29,7 +28,6 @@ in
       gnome-backgrounds
       gnome-bluetooth
       gnome-color-manager
-      gnome-control-center
       gnome-shell-extensions
       gnome-tour
       gnome-user-docs

modules/nixos/impermanence.nix

@@ -24,18 +24,32 @@ in
     resetScript = mkOption {
       type = types.lines;
       description = ''
-        Script to run on boot that resets the root partition.
+        Script to run in order to reset the system to a clean state.
       '';
     };
   };
 
   config = mkIf cfg.enable {
+    # Filesystem setup
     fileSystems."/persist".neededForBoot = true;
-    boot.initrd.postResumeCommands = mkAfter cfg.resetScript;
+    # boot.initrd.postResumeCommands = mkAfter cfg.resetScript;
+    # TODO: Reduce dependency on the root filesystem being ZFS?
+    boot.initrd.systemd.services.impermanence-rollback = {
+      description = "Rollback filesystem to clean state.";
+      wantedBy = [ "initrd.target" ];
+      after = [ "zfs-import.target" ];
+      before = [ "sysroot.mount" ];
+      unitConfig.DefaultDependencies = "no";
+      serviceConfig.Type = "oneshot";
+      script = cfg.resetScript;
+    };
 
     # For home-manager persistence
     programs.fuse.userAllowOther = true;
 
+    # For testing purposes with VM
+    virtualisation.vmVariantWithDisko.virtualisation.fileSystems."/persist".neededForBoot = true;
+
     environment.persistence."/persist/system" = {
       enable = true;
       hideMounts = true;

modules/nixos/networkmanager.nix

@@ -11,5 +11,7 @@ in
   config = mkIf cfg.enable {
     # TODO: Add sudo users to the networkmanager group?
     networking.networkmanager.enable = true;
+
+    networking.firewall.checkReversePath = false;
   };
 }

modules/nixos/secrets.nix

@@ -0,0 +1,44 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.secrets;
+  secrets = inputs.secrets;
+in
+{
+  options.modules.secrets = {
+    enable = mkEnableOption "secrets";
+    defaultFile = mkOption {
+      type = types.str;
+      default = "${secrets}/secrets/common.enc.yaml";
+      description = ''
+        The default file to use for SOPS.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        All secrets that should be made available.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Set up SOPS
+    # TODO: Fix the key not being present in /etc/sops before sops-nix runs
+    sops.defaultSopsFile = cfg.defaultFile;
+    sops.age.sshKeyPaths = [
+      "/etc/sops/sops_ed25519_key"
+      "/persist/system/etc/sops/sops_ed25519_key"
+    ];
+    sops.secrets = cfg.secrets;
+    modules.impermanence.directories = [ "/etc/sops" ];
+    virtualisation.vmVariantWithDisko.sops.age.sshKeyPaths = [ "/tmp/shared/sops_ed25519_key" ];
+  };
+}

modules/nixos/ssh.nix

@@ -9,7 +9,24 @@ in
     enable = mkEnableOption "ssh";
   };
   config = mkIf cfg.enable {
-    services.openssh.enable = true;
+    services.openssh = {
-    # TODO: Is this default configuration secure?
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+      };
+      hostKeys = mkIf (config.modules.impermanence.enable) [
+        {
+          type = "ed25519";
+          path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
+        }
+        {
+          type = "rsa";
+          bits = 4096;
+          path = "/persist/system/etc/ssh/ssh_host_rsa_key";
+        }
+      ];
+    };
   };
 }

packages/carla_osc_bridge.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+with pkgs;
+rustPlatform.buildRustPackage {
+  pname = "carla_osc_bridge";
+  version = "master";
+
+  src = fetchFromGitea {
+    domain = "git.bulthuis.dev";
+    owner = "Jan";
+    repo = "carla_osc_bridge";
+    rev = "c037e2d2a1b29b785d8acc10fa0cb761afdb3fcf";
+    hash = "sha256-Wvdfm+4dfygZwkvaUhO9w7DrrUl3ZYvtD7nYrPSD0eA=";
+  };
+
+  cargoHash = "sha256-s1ZKbhHudgPOy7613zbT8TkbM6B7oloLEuTYHoWjX5o=";
+
+  useFetchCargoVendor = true;
+}

packages/helix.nix

@@ -0,0 +1,82 @@
+{
+  fetchFromGitHub,
+  fetchzip,
+  lib,
+  rustPlatform,
+  git,
+  installShellFiles,
+  versionCheckHook,
+  nix-update-script,
+}:
+
+rustPlatform.buildRustPackage (final: rec {
+  pname = "helix";
+  version = "25.07.1";
+
+  # This release tarball includes source code for the tree-sitter grammars,
+  # which is not ordinarily part of the repository.
+  src = fetchFromGitHub {
+    owner = "helix-editor";
+    repo = "helix";
+    rev = "109c812233e442addccf1739dec4406248bd3244";
+    hash = "sha256-c3fpREWUKGonlmV/aesmyRxbJZQypHgXStR7SwdcCo0=";
+  };
+  grammars = fetchzip {
+    url = "https://github.com/helix-editor/helix/releases/download/${final.version}/helix-${final.version}-source.tar.xz";
+    hash = "sha256-Pj/lfcQXRWqBOTTWt6+Gk61F9F1UmeCYr+26hGdG974=";
+    stripRoot = false;
+  };
+
+  cargoHash = "sha256-g5MfCedLBiz41HMkIHl9NLWiewE8t3H2iRKOuWBmRig=";
+
+  nativeBuildInputs = [
+    git
+    installShellFiles
+  ];
+
+  env.HELIX_DEFAULT_RUNTIME = "${placeholder "out"}/lib/runtime";
+
+  patchPhase = ''
+    # Add the runtime data
+    rm -r runtime
+    cp ${grammars}/languages.toml languages.toml
+    cp -r ${grammars}/runtime runtime
+    chmod -R u+w runtime
+  '';
+
+  postInstall = ''
+    # not needed at runtime
+    rm -r runtime/grammars/sources
+
+    mkdir -p $out/lib
+    cp -r runtime $out/lib
+    installShellCompletion contrib/completion/hx.{bash,fish,zsh}
+    mkdir -p $out/share/{applications,icons/hicolor/256x256/apps}
+    cp contrib/Helix.desktop $out/share/applications
+    cp contrib/helix.png $out/share/icons/hicolor/256x256/apps
+  '';
+
+  nativeInstallCheckInputs = [
+    versionCheckHook
+  ];
+  versionCheckProgram = "${placeholder "out"}/bin/hx";
+  versionCheckProgramArg = "--version";
+  doInstallCheck = true;
+
+  passthru = {
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    description = "Post-modern modal text editor";
+    homepage = "https://helix-editor.com";
+    changelog = "https://github.com/helix-editor/helix/blob/${final.version}/CHANGELOG.md";
+    license = lib.licenses.mpl20;
+    mainProgram = "hx";
+    maintainers = with lib.maintainers; [
+      danth
+      yusdacra
+      zowoq
+    ];
+  };
+})

packages/open-stage-control.nix

@@ -0,0 +1,104 @@
+{
+  lib,
+  buildNpmPackage,
+  fetchFromGitHub,
+  makeBinaryWrapper,
+  makeDesktopItem,
+  copyDesktopItems,
+  nodejs_20,
+  electron,
+  python3,
+  nix-update-script,
+}:
+
+buildNpmPackage rec {
+  pname = "open-stage-control";
+  version = "1.29.8";
+
+  src = fetchFromGitHub {
+    owner = "jean-emmanuel";
+    repo = "open-stage-control";
+    rev = "v${version}";
+    hash = "sha256-518KXvNffLOV2aIWlLJcnPzxEbWxYdjWeiDBC1jlecQ=";
+  };
+
+  # Remove some Electron stuff from package.json
+  postPatch = ''
+    sed -i -e '/"electron"\|"electron-installer-debian"/d' package.json
+  '';
+
+  npmDepsHash = "sha256-U4zwYL5URNW0y0W4WvWAVL0hubiiU+2z9F5mDE9l8UU=";
+
+  nodejs = nodejs_20;
+
+  nativeBuildInputs = [
+    copyDesktopItems
+    makeBinaryWrapper
+  ];
+
+  buildInputs = [
+    python3.pkgs.python-rtmidi
+  ];
+
+  doInstallCheck = true;
+
+  makeCacheWritable = true;
+  npmFlags = [
+    "--legacy-peer-deps"
+    "--skip-pkg"
+  ];
+
+  # Override installPhase so we can copy the only directory that matters (app)
+  installPhase = ''
+    runHook preInstall
+
+    # copy built app and node_modules directories
+    mkdir -p $out/lib/node_modules/open-stage-control
+    cp -r app $out/lib/node_modules/open-stage-control/
+
+    # copy icon
+    install -Dm644 resources/images/logo.png $out/share/icons/hicolor/256x256/apps/open-stage-control.png
+    install -Dm644 resources/images/logo.svg $out/share/icons/hicolor/scalable/apps/open-stage-control.svg
+
+    # wrap electron and include python-rtmidi
+    makeWrapper '${electron}/bin/electron' $out/bin/open-stage-control \
+      --inherit-argv0 \
+      --add-flags $out/lib/node_modules/open-stage-control/app \
+      --prefix PYTHONPATH : "$PYTHONPATH" \
+      --prefix PATH : '${lib.makeBinPath [ python3 ]}'
+
+    runHook postInstall
+  '';
+
+  installCheckPhase = ''
+    XDG_CONFIG_HOME="$(mktemp -d)" $out/bin/open-stage-control --help
+  '';
+
+  desktopItems = [
+    (makeDesktopItem {
+      name = "open-stage-control";
+      exec = "open-stage-control";
+      icon = "open-stage-control";
+      desktopName = "Open Stage Control";
+      comment = meta.description;
+      categories = [
+        "Network"
+        "Audio"
+        "AudioVideo"
+        "Midi"
+      ];
+      startupWMClass = "open-stage-control";
+    })
+  ];
+
+  passthru.updateScript = nix-update-script { };
+
+  meta = with lib; {
+    description = "Libre and modular OSC / MIDI controller";
+    homepage = "https://openstagecontrol.ammd.net/";
+    license = licenses.gpl3Only;
+    maintainers = [ ];
+    platforms = platforms.linux;
+    mainProgram = "open-stage-control";
+  };
+}

profiles/disko/vm.nix

@@ -3,6 +3,8 @@
     disk = {
       main = {
         type = "disk";
+        device = "/dev/sda";
+        imageSize = "32G"; # For test VMs
         content = {
           type = "gpt";
           partitions = {
@@ -17,12 +19,19 @@
               };
             };
             zfs = {
-              size = "100%";
+              end = "-4G";
               content = {
                 type = "zfs";
                 pool = "tank";
               };
             };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+              };
+            };
           };
         };
       };

profiles/disko/workstation.nix

@@ -0,0 +1,65 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/sda"; # How do I handle this for laptops
+        imageSize = "64G"; # For test VMs
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            zfs = {
+              end = "-16G";
+              content = {
+                type = "zfs";
+                pool = "tank";
+              };
+            };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      tank = {
+        type = "zpool";
+        rootFsOptions = {
+          compression = "zstd";
+        };
+        mountpoint = null;
+        postCreateHook = "zfs snapshot -r tank@blank && zfs hold -r blank tank@blank";
+
+        datasets = {
+          root = {
+            type = "zfs_fs";
+            mountpoint = "/";
+          };
+          nix = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+          };
+          persist = {
+            type = "zfs_fs";
+            mountpoint = "/persist";
+          };
+        };
+      };
+    };
+  };
+}

profiles/disko/ws-think.nix

@@ -0,0 +1,65 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/sda";
+        imageSize = "64G"; # For test VMs
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            zfs = {
+              end = "-16G";
+              content = {
+                type = "zfs";
+                pool = "tank";
+              };
+            };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      tank = {
+        type = "zpool";
+        rootFsOptions = {
+          compression = "zstd";
+        };
+        mountpoint = null;
+        postCreateHook = "zfs snapshot -r tank@blank && zfs hold -r blank tank@blank";
+
+        datasets = {
+          root = {
+            type = "zfs_fs";
+            mountpoint = "/";
+          };
+          nix = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+          };
+          persist = {
+            type = "zfs_fs";
+            mountpoint = "/persist";
+          };
+        };
+      };
+    };
+  };
+}

profiles/home/gnome.nix

@@ -16,9 +16,15 @@ in
 
   config = mkIf cfg.enable {
     home.packages = with pkgs; [
-      firefox # TODO: Move to dediated module
+      # firefox # TODO: Move to dediated module
     ];
 
+    dconf.settings = {
+      "org/gnome/shell" = {
+        disable-extension-version-validation = true;
+      };
+    };
+
     modules = {
       profiles.base.enable = true;
 

profiles/home/jan.nix

@@ -1,7 +1,9 @@
 {
   pkgs,
+  pkgs-stable,
   lib,
   config,
+  inputs,
   ...
 }:
 
@@ -16,31 +18,141 @@ in
 
   config = mkIf cfg.enable {
     home.packages = with pkgs; [
-      libreoffice-still
+      firefox
+      # inputs.stable-nixpkgs.legacyPackages.${config.nixpkgs.hostPlatform}.libreoffice
+      libreoffice
       remmina
       thunderbird
       signal-desktop
       prusa-slicer
       freecad-wayland
       inkscape
-      ente-auth
+      # ente-auth
-      bitwarden
+      audacity
       carla
-      winbox
+      pkgs-stable.winbox
-      whatsapp-for-linux
+      # whatsapp-for-linux
+      wasistlos
       discord
       steam
       spotify
-      # feishin # TODO: Fix or replace as insecure
+      # feishin
       eduvpn-client
-      river # TODO: Move
       ryubing
       bottles
       prismlauncher
       foliate
       wireshark
+      obsidian
+      # devenv
+      # kicad
+      vlc
+      authenticator
+
+      podman
+      podman-compose
+
+      gnome-network-displays
+      gnome-logs
     ];
 
+    programs.helix = {
+      enable = true;
+      defaultEditor = true;
+      # settings = {
+      #   theme = {
+      #     light = "adwaita-light";
+      #     dark = "adwaita-dark";
+      #     fallback = "default";
+      #   };
+      # };
+      extraPackages = with pkgs; [
+        bash-language-server # Bash
+        fish-lsp # Fish
+        systemd-lsp # Systemd
+        yaml-language-server # Yaml
+        taplo # Toml
+        nixd # Nix
+        protols # Protobuf
+        dockerfile-language-server # Dockerfile
+        docker-compose-language-service # Docker compose
+
+        clang-tools # C, C++
+        neocmakelsp # Cmake
+        rust-analyzer # Rust
+        lldb # C, C++, Rust
+        zls # Zig
+
+        texlab # Latex
+        tinymist # Typst
+        marksman # Markdown
+        markdown-oxide # Markdown
+        vscode-langservers-extracted # HTML, CSS, JSON, ESLint
+        typescript-language-server # Typescript, Javascript
+        intelephense # PHP
+        vue-language-server # Vue
+
+        ruff # Python
+        basedpyright # Python
+
+        helix-gpt # Copilot
+
+        # texlab # Latex, Bibtex
+        # bibtex-tidy # Bibtex
+        # docker-langserver # Dockerfile
+        # docker-compose-langserver # Docker compose
+        # elixir-ls # Elixir
+        # gopls # Go
+        # golangci-lint-langserver # Go
+        # dlv # Go
+        # haskell-language-server # Haskell
+        # julia # Julia
+        # kotlin-language-server # Kotlin
+        # lua-language-server # Lua
+        # slint-lsp # Slint
+        # tinymist # Typst
+      ];
+      languages = {
+        language-server = {
+          basedpyright = {
+            command = "basedpyright-langserver";
+            args = [ "--stdio" ];
+          };
+          tinymist = {
+            command = "tinymist";
+            config.preview.background = {
+              enabled = true;
+              args = [
+                "--data-plane-host=127.0.0.1:23635"
+                "--invert-colors=never"
+                "--open"
+              ];
+            };
+          };
+        };
+        language = [
+          {
+            name = "python";
+            language-servers = [
+              {
+                name = "basedpyright";
+                except-features = [ "diagnostics" ];
+              }
+              "ruff"
+            ];
+            auto-format = true;
+            formatter = {
+              command = "ruff";
+              args = [
+                "format"
+                "-"
+              ];
+            };
+          }
+        ];
+      };
+    };
+
     modules = {
       profiles.gnome.enable = true;
 
@@ -61,17 +173,18 @@ in
           "flake.lock"
         ];
       };
+      bitwarden.enable = true;
       xpra = {
         enable = true;
         hosts = [
-          "mixer@10.20.60.251"
+          "mixer@10.20.40.100"
         ];
       };
 
       # Development
       # docker.enable = true;
       # matlab.enable = true;
-      mathematica.enable = true;
+      # mathematica.enable = true;
 
       # Languages
       haskell.enable = false;
@@ -80,8 +193,9 @@ in
       rust.enable = true;
       python.enable = true;
       cpp.enable = true;
-      tex.enable = true;
+      tex.enable = false;
-      jupyter.enable = false;
+      jupyter.enable = true;
+      go.enable = true;
     };
   };
 }

profiles/nixos/base.nix

@@ -1,5 +1,4 @@
 {
-  mkModule,
   pkgs,
   lib,
   config,
@@ -20,13 +19,19 @@ in
       bootloader.enable = mkDefault true;
       ssh.enable = mkDefault true;
 
-      # Setup sensible default persistent data
       impermanence.directories = [
         "/var/lib/nixos"
       ];
-      impermanence.files = [
+
-        "/etc/shadow"
+      # TODO: Remove the secrets module and use sops directly?
-      ];
+      secrets = {
+        enable = true;
+        secrets = {
+          "ssh-keys/deploy-priv" = {
+            path = "/root/.ssh/id_ed25519";
+          };
+        };
+      };
     };
 
     # Localization
@@ -40,9 +45,6 @@ in
       defaultEditor = true;
     };
 
-    # Allow unfree packages
-    nixpkgs.config.allowUnfree = true;
-
     # Enable the usage of flakes
     nix.settings.experimental-features = [
       "nix-command"

profiles/nixos/vm.nix

@@ -1,5 +1,4 @@
 {
-  mkModule,
   pkgs,
   lib,
   config,
@@ -30,17 +29,50 @@ in
           zfs rollback -r tank/root@blank
         '';
       };
+      domain = {
+        enable = true;
+        join = {
+          userFile = config.sops.secrets."vm-join/user".path;
+          passwordFile = config.sops.secrets."vm-join/password".path;
+          domainOUFile = config.sops.secrets."vm-join/ou".path;
+        };
+      };
       ssh.enable = true;
     };
 
-    # Admin users
+    # Initialize domain join secrets
+    sops.secrets."vm-join/user" = { };
+    sops.secrets."vm-join/password" = { };
+    sops.secrets."vm-join/ou" = { };
+
+    # Autologin to root for access from hypervisor
+    services.getty.autologinUser = "root";
+
+    # Local user
+    sops.secrets."passwords/local-hashed".neededForUsers = true;
+    users.mutableUsers = false;
     users.users.local = {
-      initialPassword = "local";
+      isNormalUser = true;
+      group = "local";
+      hashedPasswordFile = config.sops.secrets."passwords/local-hashed".path;
       extraGroups = [ "wheel" ];
       openssh.authorizedKeys.keys = [
-        "ssh-ed25519  jan@bulthuis.dev"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Admin"
       ];
     };
+    users.groups.local = { };
+    home-manager.users.local =
+      { ... }:
+      {
+        home.stateVersion = "24.11";
+        modules.profiles.base.enable = true;
+      };
+
+    # System packages
+    environment.systemPackages = with pkgs; [
+      # TODO: Make module for utilities/scripts
+      (writeShellScriptBin "system-update" "nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config")
+    ];
 
     # Enable qemu guest agent
     services.qemuGuest.enable = true;
@@ -48,7 +80,7 @@ in
     # Machine platform
     nixpkgs.hostPlatform = "x86_64-linux";
 
-    # Set hostid for ZFS
+    # Set hostid (required for ZFS)
     networking.hostId = "deadbeef";
 
     # Hardware configuration
@@ -56,22 +88,22 @@ in
     boot.initrd.availableKernelModules = [
       "ata_piix"
       "uhci_hcd"
+      "virtio_net"
       "virtio_pci"
+      "virtio_mmio"
+      "virtio_blk"
       "virtio_scsi"
+      "9p"
+      "9pnet_virtio"
       "sd_mod"
       "sr_mod"
     ];
-    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [
-    boot.kernelModules = [ "kvm-intel" ];
+      "kvm-intel"
-    boot.extraModulePackages = [ ];
+      "virtio_balloon"
-    hardware.cpu.intel.updateMicrocode = true;
+      "virtio_console"
-
+      "virtio_rng"
-    # Swapfile
+      "virtio_gpu"
-    swapDevices = [
-      {
-        device = "/var/lib/swapfile";
-        size = 6 * 1024;
-      }
     ];
   };
 }