From 10b8fc11fcbb4a741003d0ccb755bddd0355cd43 Mon Sep 17 00:00:00 2001 From: Tristan Druyen Date: Wed, 26 Mar 2025 16:16:53 +0100 Subject: [PATCH] Bootwip --- flake.nix | 6 +- ...5182b8b59ae075c09-tristand_passwd_hash.age | Bin 0 -> 441 bytes ...fceb88a8ac9aa592e2bd7ad37050f-oeko-smb.age | 8 +++ ...520a68df8c74eba9558-tester_passwd_hash.age | Bin 470 -> 0 bytes ...72726e87096a9ec145a-tester_passwd_hash.age | Bin 0 -> 373 bytes ...e067a9832580d7899-tristand_passwd_hash.age | 9 --- ...71a3e62472d160241e0d2497a3b57-oeko-smb.age | 8 --- systems/nixos-fw16/default.nix | 43 ++++++------ systems/nixos-fw16/disks.nix | 61 +++++++----------- users/admin-thin.nix | 4 +- users/default.nix | 8 ++- 11 files changed, 64 insertions(+), 83 deletions(-) create mode 100644 secrets/rekeyed/nixos-fw16/1e80b286118d1a05182b8b59ae075c09-tristand_passwd_hash.age create mode 100644 secrets/rekeyed/nixos-fw16/259fceb88a8ac9aa592e2bd7ad37050f-oeko-smb.age delete mode 100644 secrets/rekeyed/nixos-fw16/3f7ba2027615b520a68df8c74eba9558-tester_passwd_hash.age create mode 100644 secrets/rekeyed/nixos-fw16/9632fb41a7c8b72726e87096a9ec145a-tester_passwd_hash.age delete mode 100644 secrets/rekeyed/nixos-fw16/d4ebce9353c576be067a9832580d7899-tristand_passwd_hash.age delete mode 100644 secrets/rekeyed/nixos-fw16/d9071a3e62472d160241e0d2497a3b57-oeko-smb.age diff --git a/flake.nix b/flake.nix index 3f946ee..ca8fc51 100644 --- a/flake.nix +++ b/flake.nix @@ -188,7 +188,7 @@ emacs-overlay.overlay inputs.nix-alien.overlays.default inputs.nix-ld-rs.overlays.default - agenix-rekey.overlays.default + # agenix-rekey.overlays.default devshell.overlays.default ]; config = { @@ -229,8 +229,8 @@ chaotic.nixosModules.default envfs.nixosModules.envfs stylix.nixosModules.stylix - agenix.nixosModules.default - agenix-rekey.nixosModules.default + # agenix.nixosModules.default + # agenix-rekey.nixosModules.default ]; args = { inherit self inputs system; 
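Review bot: Commenting out `agenix.nixosModules.default` and `agenix-rekey.nixosModules.default` in the second flake.nix hunk removes the `age.*` options from every configuration built from this module list, not only from the machine being bootstrapped. The list's enclosing function starts outside the hunk, so whether it is shared is an inference; if it is, any other host that still reads `config.age.secrets.*` will stop evaluating or lose its secrets. The overlay removal in the first hunk has the same reach. If this is a temporary bootstrap of one host, say so on the line, e.g. `# agenix.nixosModules.default  # bootstrap: restore before merging`, or gate the modules per host instead of editing the common list.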
diff --git a/secrets/rekeyed/nixos-fw16/1e80b286118d1a05182b8b59ae075c09-tristand_passwd_hash.age b/secrets/rekeyed/nixos-fw16/1e80b286118d1a05182b8b59ae075c09-tristand_passwd_hash.age new file mode 100644 index 0000000000000000000000000000000000000000..3c76fa0ad7ae2130f6aeef474eb0fcfb0919aca8 GIT binary patch literal 441 zcmV;q0Y?5|XJsvAZewzJaCB*JZZ2IC(fYR8lK7Yc^OgVoFLxS4TE6d20$SJ|H?=eKIs{EoX9NVRL05 zHBe6qVJ~@Pa8grbFiCJwX@}QZG+5MS6H|YNrYH4axSx{{@ZE|LLO$u;t zj}5_Sl~3jRMny?1_N6Kr6{lCnia-9+-xq>npnVxTJt7jBy0Up%CkZ~|lx+ee5V|-y zL6LnT;m8gZbwSu;4I>{wM~`+6Q+=H=EnM2v5HE=#0ASuD0m ssh-ed25519 nA0mnQ WtsuBNNRDJ2qBqqfKPYBjsG5J8RA1FLG22V4rcpmIAs ++b/BJpaLA/TCIMwRg0c7eO8UqIa+KPgpaOTmpVeW60k +-> m-grease +RCMzLSoDYLRPgxDe1bS2EOXDAD19QYDO3UI/0tzYNOGvcEMnHw +--- WBgm8Vf3dtFoPsTbBIoS73fD824cOm5COYSz66dcvYQ +6{; + Jm <Z7"y \ No newline at end of file diff --git a/secrets/rekeyed/nixos-fw16/3f7ba2027615b520a68df8c74eba9558-tester_passwd_hash.age b/secrets/rekeyed/nixos-fw16/3f7ba2027615b520a68df8c74eba9558-tester_passwd_hash.age deleted file mode 100644 index ecbaa2c63c56e66ec7d7be1c48c4ee632eddbeed..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 470 zcmV;{0V)1rXJsvAZewzJaCB*JZZ2t*bQ9&S6 zQ%Gh=T5NW5aaVakGHG)#FE~FGW;kF-28N zG-5A9PIop>QfonYMQkupX>nmiWKDNLadt8_V`O(~Q)>z>J|Id}VL&Zsa%Ew2Wgv86 zP9Q)tRc28jGI)G#L1b_&3RXjIRAo;|c1T%yX;e~fZERR+X=G$nFlSV0T316yaYZgDw5ZDnm( zdQn0+Q%+e$Wp6QIHD)<=OLJ~*H#TKUOic>P>!jCgfS(MV znXEM`)ZSLSEGO|igPS1M*4gjVTJY7kqc7#8kkz5-5s~>*zJ*#ZR}T-OC%K&F(9H<} zV53JwNB}8iqeMuglE=sj^CdPnbfAn+a 
diff --git a/secrets/rekeyed/nixos-fw16/9632fb41a7c8b72726e87096a9ec145a-tester_passwd_hash.age b/secrets/rekeyed/nixos-fw16/9632fb41a7c8b72726e87096a9ec145a-tester_passwd_hash.age new file mode 100644 index 0000000000000000000000000000000000000000..625ad59a04e8b0c953b9be8fcd3c37691de92bb7 GIT binary patch literal 373 zcmV-*0gC=%XJsvAZewzJaCB*JZZ2b7cxQ zH#k{gM?zUIVsv*`PdP*~P*r15HfmH@b~$KPK~^_PFfn;mQ3@?BEg(xPWk@$}P-J;S zSX4z(H$r4|XL~=<@b#P-iD`RX!F*ZVYQ3??w5&HX>D0aBNH+}5%NXu5p z#Ub+!NOFvF%rFcfCM^D|?<>&I057=o}Ygl)<>l>m8{({{BUqmjo*~9 z{eX1C1Xok!rY@ODc64JP!#z{457Z(ffMWP}yz!Q!4DXrYIgN~Yqc~6u*LfKGO-mE5 TO}hOy4kd-eRC31SZv?ah#6ygG literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/nixos-fw16/d4ebce9353c576be067a9832580d7899-tristand_passwd_hash.age b/secrets/rekeyed/nixos-fw16/d4ebce9353c576be067a9832580d7899-tristand_passwd_hash.age deleted file mode 100644 index afe3bb6..0000000 --- a/secrets/rekeyed/nixos-fw16/d4ebce9353c576be067a9832580d7899-tristand_passwd_hash.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 MqgTQA kHKU7lp3SvhVlgDk8qBbQU+nrV8O84CLtR32ZGATDw4 -1E9KyKzKwio7ltF1H36tSLWSao0TPNNlbwJAwxhw3CI --> +&-grease -y1YrcXJ8+mGdSTrJywOZM/E8jbHPSX9rARC6uKOHgESGkH1NWsINbEk0/1fYHi62 -6Y+k9Ig9oX7taekoNCU ---- lgK5w16T9LaMc6yoWW+h+zVNyuKuoEoeJi8p7lura1Q -X -&bZ[IC>ԘОWp? [-]) HY(u/ݰɖ^摨@9xVG.n 9RrxzJfw KzbqZ֩fF =P \ No newline at end of file diff --git a/secrets/rekeyed/nixos-fw16/d9071a3e62472d160241e0d2497a3b57-oeko-smb.age b/secrets/rekeyed/nixos-fw16/d9071a3e62472d160241e0d2497a3b57-oeko-smb.age deleted file mode 100644 index 9c97c4f..0000000 --- a/secrets/rekeyed/nixos-fw16/d9071a3e62472d160241e0d2497a3b57-oeko-smb.age +++ /dev/null 
@@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 MqgTQA 7y3on/Y6P89gncEtSzn6dak659D+C0jT0Lo711yQaQ0 -bsILI8jRG8MFJ2xSowtYyNYHPbcZmS+OFBbTrn7vNgo --> a-grease /3 -faRjVzpKpTOBeDIZVd+uK9AGzVH7LYbIH3QiTZMHE+zE21fI6yjGEQyIE2jsVhTq -q/PxcbNtJ9fZ2JCU43lGX7DveIYT7Z84vX955I3BkIppgQ4 ---- dNDrqjg89dlNEf3ZkyW0fU7OyETfVPtRAw7JcRJxQ1o -Cد DXo؂?9uiݔsrީwyB~umȹ3DMb2tj`zDX \ No newline at end of file diff --git a/systems/nixos-fw16/default.nix b/systems/nixos-fw16/default.nix index 7204ee9..1be6bfa 100644 --- a/systems/nixos-fw16/default.nix +++ b/systems/nixos-fw16/default.nix @@ -10,24 +10,24 @@ (modulesPath + "/installer/scan/not-detected.nix") inputs.nixos-hardware.nixosModules.common-hidpi inputs.nixos-hardware.nixosModules.framework-16-7040-amd - ../../os-mods/age - ../../os-mods/net_disks/oeko.nix + # ../../os-mods/age + # ../../os-mods/net_disks/oeko.nix ../../os-mods/amdgpu ../../os-mods/cachix ../../os-mods/common ../../os-mods/desktop ../../os-mods/desktop/audio.nix - ../../os-mods/desktop/gaming.nix - ../../os-mods/desktop/printing.nix - ../../os-mods/netdata/client.nix - ../../os-mods/network + # ../../os-mods/desktop/gaming.nix + # ../../os-mods/desktop/printing.nix + # ../../os-mods/netdata/client.nix + # ../../os-mods/network ../../os-mods/ryzenapu - ../../os-mods/virt + # ../../os-mods/virt ../../users ./disks.nix ]; - age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRFEtmoq36QmvAwv/xIVdvaf+B9Scbm5cUFFkP/c1nS root@nixos-f16"; + # age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRFEtmoq36QmvAwv/xIVdvaf+B9Scbm5cUFFkP/c1nS root@nixos-f16"; nix.settings.builders-use-substitutes = true; nix.distributedBuilds = true; nix.buildMachines = [ ]; 
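Review bot: The imports disabled in the first systems/nixos-fw16/default.nix hunk include `../../os-mods/age` and `../../os-mods/network`, and nothing on those lines marks the removal as temporary, unlike the `# bootstrap` tags used further down in the `boot` section. The contents of those modules are not visible in this diff, so whatever network or secret-handling settings they carry are presumably dropped on this host until someone restores them by hand. The same commit adds freshly rekeyed secrets for nixos-fw16 while `age.rekey.hostPubkey` is commented out, so nothing visible here consumes those files. Tag each disabled line the same way, e.g. `# ../../os-mods/network  # bootstrap`, so the revert can be found with a search.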
@@ -127,17 +127,17 @@ }; }; - specialisation = { - linux-latest.configuration = { - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - }; - linux-zen.configuration = { - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_zen; - }; - linux-cachyos.configuration = { - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos; - }; - }; + # specialisation = { + # linux-latest.configuration = { + # boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + # }; + # linux-zen.configuration = { + # boot.kernelPackages = lib.mkForce pkgs.linuxPackages_zen; + # }; + # linux-cachyos.configuration = { + # boot.kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos; + # }; + # }; boot = { # kernelPackages = pkgs.linuxPackages_latest; # bootstrap # kernelPackages = pkgs.linuxPackages_zen; # bootstrap @@ -165,7 +165,8 @@ loader = { timeout = 0; systemd-boot = { - enable = false; # due to lanzaboote + # enable = false; # due to lanzaboote + enable = true; # bootstrap configurationLimit = 12; memtest86.enable = true; @@ -175,7 +176,7 @@ }; lanzaboote = { - enable = true; + # enable = true; configurationLimit = 12; # pkiBundle = "/etc/secureboot"; pkiBundle = "/var/lib/sbctl"; diff --git a/systems/nixos-fw16/disks.nix b/systems/nixos-fw16/disks.nix index 37fd754..ce4e4fb 100644 --- a/systems/nixos-fw16/disks.nix +++ b/systems/nixos-fw16/disks.nix @@ -16,8 +16,8 @@ config = { boot = { - supportedFilesystems = [ "bcachefs" "vfat" ]; - initrd.supportedFilesystems = [ "bcachefs" "vfat" ]; + supportedFilesystems = [ "btrfs" "vfat" ]; + initrd.supportedFilesystems = [ "btrfs" "vfat" ]; initrd.luks.devices = lib.attrsets.mergeAttrsList ( 
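Review bot: Setting `systemd-boot.enable = true` and commenting out `lanzaboote.enable` (the two `loader`/`lanzaboote` hunks) takes the signed boot path out of the configuration, and the only record that this is temporary is the `# bootstrap` tag on one line. `timeout = 0`, `configurationLimit` and `pkiBundle = "/var/lib/sbctl"` stay in place. The lanzaboote block now depends on the module default for `enable`; stating it keeps the intent readable: `enable = false; # bootstrap: re-enable, with systemd-boot off, once sbctl keys are enrolled`. Until that is reverted the machine boots unsigned images, which matters on a laptop whose root sits behind LUKS (the `initrd.luks.devices` definition is in disks.nix, outside these hunks).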
@@ -38,45 +38,32 @@ ); }; - fileSystems = - let - automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; - perm_opts = "uid=1001,gid=100"; - smb_opts = [ - "vers=3,credentials=/home/tristand/.smb-secrets" - perm_opts - automount_opts + fileSystems = { + "/" = { + device = "/dev/mapper/crypt_ssd_4t_data"; + # device = "UUID=f89215ba-3313-42d3-8f68-051ad2453870"; + fsType = "btrfs"; + options = [ + "rw" + "autodefrag" + "compress=zstd" + "discard=async" + "relatime" + "space_cache=v2" + "ssd" ]; - sshfs_opts = [ - "allow_other,_netdev,reconnect,ServerAliveInterval=15,IdentityFile=/var/secrets/id_ed25519" - perm_opts - automount_opts - ]; - in - { - "/" = { - device = "/dev/mapper/crypt_ssd_4t_data"; - # device = "UUID=f89215ba-3313-42d3-8f68-051ad2453870"; - fsType = "bcachefs"; - options = [ "relatime" ]; - }; - - "/boot" = { - device = "/dev/disk/by-uuid/05A2-6A8A"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - # "/mnt/media_v2" = { - # device = "root@23.88.68.113:/media_v2"; - # fsType = "sshfs"; - # options = sshfs_opts; - # }; }; + "/boot" = { + device = "/dev/disk/by-uuid/05A2-6A8A"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + }; + swapDevices = [ - { device = "/dev/disk/by-uuid/a8f478f0-ad5e-47ae-8e18-63060f7e5706"; } - { device = "/dev/disk/by-uuid/59987b2a-c5c5-4547-95ad-f0d1dcdf8458"; } + # { device = "/dev/disk/by-uuid/a8f478f0-ad5e-47ae-8e18-63060f7e5706"; } + # { device = "/dev/disk/by-uuid/59987b2a-c5c5-4547-95ad-f0d1dcdf8458"; } ]; system.fsPackages = [ pkgs.sshfs ]; diff --git a/users/admin-thin.nix b/users/admin-thin.nix index ffe08c4..f8b8e6c 100644 --- a/users/admin-thin.nix +++ b/users/admin-thin.nix @@ -8,9 +8,9 @@ imports = [ ../home-mods/audio ../home-mods/common - ../home-mods/firefox + ../home-mods/firefox/zen-browser.nix # ../home-mods/plasma - ../home-mods/shell + # ../home-mods/shell ]; config.home = { 
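Review bot: The re-added `/boot` entry in the disks.nix `fileSystems` hunk keeps `options = [ "fmask=0022" "dmask=0022" ]`, which leaves the ESP world-readable. With systemd-boot enabled in this same commit that includes the loader's random-seed file, and bootctl warns about exactly this; tighten it to `options = [ "fmask=0077" "dmask=0077" ];`. Separately, `discard=async` on `/dev/mapper/crypt_ssd_4t_data` only reaches the SSD if the LUKS mapping allows discards (that definition is outside this hunk). Passing TRIM through dm-crypt reveals which blocks are unused, so a comment stating that the trade-off is intended would help. `system.fsPackages = [ pkgs.sshfs ]` is now left over from the removed sshfs mount.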
diff --git a/users/default.nix b/users/default.nix index a485648..c0d91b8 100644 --- a/users/default.nix +++ b/users/default.nix @@ -13,7 +13,8 @@ extraGroups = [ "audio" "corectrl" "docker" "networkmanager" "i2c" "wheel" "libvirtd" "qemu-libvirtd" "input" ]; shell = pkgs.fish; home = "/home/tester"; - hashedPasswordFile = config.age.secrets.tester_passwd_hash.path; + # hashedPasswordFile = config.age.secrets.tester_passwd_hash.path; + initialPassword = "384249Nv"; }; tristand = { isNormalUser = true; @@ -21,7 +22,8 @@ extraGroups = [ "audio" "corectrl" "dialout" "docker" "networkmanager" "i2c" "wheel" "libvirtd" "qemu-libvirtd" "input" ]; shell = pkgs.fish; home = "/home/tristand"; - hashedPasswordFile = config.age.secrets.tristand_passwd_hash.path; + # hashedPasswordFile = config.age.secrets.tristand_passwd_hash.path; + initialPassword = "384249Nv"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4xz3EgIRiRb/gmnCSq17kHd4MLilf05zYOFZrwOIrA tristand@nixos-fw16" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDS/4JFRaAPoUaDiwDRbbNoaJqsBzaE+DEdaQH9OezM root@nixos-fw16" @@ -51,7 +53,7 @@ home-manager = { useUserPackages = true; useGlobalPkgs = true; - users.tristand = import ./admin-fat.nix { + users.tristand = import ./admin-thin.nix { username = "tristand"; inherit pkgs config inputs system lib;
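Review bot: Both user hunks in users/default.nix replace `hashedPasswordFile` with a plaintext `initialPassword` literal, so the same password for `tester` and `tristand` is now in git history and will be copied into the world-readable Nix store; both accounts are in `wheel`, `docker` and `libvirtd`. Treat that value as exposed and change it on any machine built from this commit. For a bootstrap without agenix a hash is enough, `initialHashedPassword = "<mkpasswd output, placeholder>";`, with a different one per account. `tristand` also carries `openssh.authorizedKeys`, so if sshd on this host accepts password logins (not visible here) the exposure is not limited to the local console. The enclosing user attribute sets begin outside these hunks.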