nixos/home/hass: Add androidtv_remote and alarmo

nixos/home/routing-common: Add media DHCP reservations
nixos/netboot: Use older iPXE with patch
2025-03-11 02:12:16 +00:00 · 2025-03-10 22:33:48 +00:00 · 2025-03-10 22:23:08 +00:00 · 2025-03-10 14:04:22 +00:00 · 2025-03-10 10:46:21 +00:00 · 2025-03-10 01:28:14 +00:00
39 changed files with 2057 additions and 143 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -193,11 +193,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728330715,
-        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
+        "lastModified": 1735644329,
+        "narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "rev": "f7795ede5b02664b57035b3b757876703e2c3eac",
        "type": "github"
      },
      "original": {
@@ -437,11 +437,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1732466619,
-        "narHash": "sha256-T1e5oceypZu3Q8vzICjv1X/sGs9XfJRMW5OuXHgpB3c=",
+        "lastModified": 1739757849,
+        "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f3111f62a23451114433888902a55cf0692b408d",
+        "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
        "type": "github"
      },
      "original": {
@@ -457,11 +457,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1732884235,
-        "narHash": "sha256-r8j6R3nrvwbT1aUp4EPQ1KC7gm0pu9VcV1aNaB+XG6Q=",
+        "lastModified": 1741457641,
+        "narHash": "sha256-HIoSAfme6BReJI8wbtZxSuALfI21OqagDPlbGkeVX0c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "819f682269f4e002884702b87e445c82840c68f2",
+        "rev": "2c87a6475fba12c9eb04ccb7375da0e32da48dc1",
        "type": "github"
      },
      "original": {
@@ -471,11 +471,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1731242966,
-        "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
        "type": "github"
      },
      "original": {
@@ -545,11 +545,11 @@
    },
    "nixpkgs-mine": {
      "locked": {
-        "lastModified": 1732985787,
-        "narHash": "sha256-6rSJ9L4QywpHLi/xvpOHdTuPm6/eOJcXxnYzDbP3U1k=",
+        "lastModified": 1741543477,
+        "narHash": "sha256-CIXkalXwVcUFxb2TF33j45GlWWVHGmHu0GaMvVM/f6M=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "a28c46933ef5038fb7a2dd483b85152a539c7969",
+        "rev": "811543d59a6dec53bd025bb17be0896f3c37c03a",
        "type": "github"
      },
      "original": {
@@ -561,11 +561,11 @@
    },
    "nixpkgs-mine-stable": {
      "locked": {
-        "lastModified": 1732985894,
-        "narHash": "sha256-YYuQQCcSF6KjgtAenZJiBmqt5jqP3UvYgC424VQ+22s=",
+        "lastModified": 1741456679,
+        "narHash": "sha256-5f6f3yFT4+KDV02PXlKxhJ7ig++oa+NzGwlW8vxWPHk=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "e0a3f4e2bbc5f7b681e344b389dcbab23f2e92a8",
+        "rev": "c82613e3e6a22d4cc1e80e1e91bea15c601dbbe7",
        "type": "github"
      },
      "original": {
@@ -577,11 +577,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1732824227,
-        "narHash": "sha256-fYNXgpu1AEeLyd3fQt4Ym0tcVP7cdJ8wRoqJ+CtTRyY=",
+        "lastModified": 1741332913,
+        "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c71ad5c34d51dcbda4c15f44ea4e4aa6bb6ac1e9",
+        "rev": "20755fa05115c84be00b04690630cb38f0a203ad",
        "type": "github"
      },
      "original": {
@@ -592,11 +592,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1732758367,
-        "narHash": "sha256-RzaI1RO0UXqLjydtz3GAXSTzHkpb/lLD1JD8a0W4Wpo=",
+        "lastModified": 1741246872,
+        "narHash": "sha256-Q6pMP4a9ed636qilcYX8XUguvKl/0/LGXhHcRI91p0U=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fa42b5a5f401aab8a32bd33c9a4de0738180dc59",
+        "rev": "10069ef4cf863633f57238f179a0297de84bd8d3",
        "type": "github"
      },
      "original": {
@@ -785,11 +785,11 @@
        "sbt": "sbt"
      },
      "locked": {
-        "lastModified": 1720592125,
-        "narHash": "sha256-vR89LefkY8mBPWxDTQ8SNg6Z7/J6Yga80T4kSb6MNdk=",
+        "lastModified": 1741328331,
+        "narHash": "sha256-OtsHm9ykxfAOMRcgFDsqFBBy5Wu0ag7eq1qmTIluVcw=",
        "owner": "eikek",
        "repo": "sharry",
-        "rev": "604b20517150599cb05dbe178cd35cd10659aa4c",
+        "rev": "6203b90f9a76357d75c108a27ad00f323d45c1d0",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -126,6 +126,7 @@
        nixos/boxes/home/palace
        nixos/boxes/home/castle
        nixos/boxes/britway
+        nixos/boxes/britnet.nix
        nixos/boxes/kelder

        # Homes
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -22,12 +22,13 @@ rec {
      kea = 404;
      keepalived_script = 405;
      photoprism = 406;
+      adbusers = 407;
    };
  };

  kernel = {
-    lts = pkgs: pkgs.linuxKernel.packages.linux_6_6;
-    latest = pkgs: pkgs.linuxKernel.packages.linux_6_12;
+    lts = pkgs: pkgs.linuxKernel.packages.linux_6_12;
+    latest = pkgs: pkgs.linuxKernel.packages.linux_6_13;
  };

  nginx = rec {
@@ -199,12 +200,17 @@ rec {
        port = 25566;
        dst = aa.simpcraft-staging-oci.internal.ipv4.address;
      }
-
      {
-        port = 25575;
-        dst = aa.simpcraft-oci.internal.ipv4.address;
+        port = 25567;
+        dst = aa.kevcraft-oci.internal.ipv4.address;
      }

+      # RCON... unsafe?
+      # {
+      #   port = 25575;
+      #   dst = aa.simpcraft-oci.internal.ipv4.address;
+      # }
+
      {
        port = 2456;
        dst = aa.valheim-oci.internal.ipv4.address;
@@ -227,6 +233,10 @@ rec {
        dst = aa.simpcraft-oci.internal.ipv4.address;
        proto = "udp";
      }
+      {
+        port = 25567;
+        dst = aa.kevcraft-oci.internal.ipv4.address;
+      }

      {
        port = 15636;
@@ -267,8 +277,8 @@ rec {
      "stream"
    ];
    routersPubV4 = [
-      "109.255.31.155"
-      "109.255.252.63"
+      "109.255.108.88"
+      "109.255.108.121"
    ];

    prefixes = with lib.my.net.cidr; rec {
@@ -334,6 +344,20 @@ rec {
    assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
  };

+  britnet = {
+    domain = "bhx1.int.${pubDomain}";
+    pubV4 = "77.74.199.67";
+    vpn = {
+      port = 51820;
+    };
+    prefixes = with lib.my.net.cidr; rec {
+      vpn = {
+        v4 = "10.200.0.0/24";
+        v6 = "fdfb:5ebf:6e84::/64";
+      };
+    };
+  };
+
  tailscale = {
    prefix = {
      v4 = "100.64.0.0/10";
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -53,7 +53,7 @@ rec {
    in mkApp "${app}/bin/${app.meta.mainProgram}";
  flakePackageOverlay' = flake: pkg: system: (final: prev:
    let
-      pkg' = if pkg != null then flake.packages.${system}.${pkg} else flake.defaultPackage.${system};
+      pkg' = if pkg != null then flake.packages.${system}.${pkg} else flake.packages.${system}.default;
      name = if pkg != null then pkg else pkg'.name;
    in
    {
@@ -248,8 +248,8 @@ rec {
  in
  {
    trivial = prev.trivial // {
-      release = "24.12:u-${prev.trivial.release}";
-      codeName = "Epic";
+      release = "25.03:u-${prev.trivial.release}";
+      codeName = "Frick";
      revisionWithDefault = default: self.rev or default;
      versionSuffix = ".${date}.${revCode self}:u-${revCode pkgsFlake}";
    };
--- a/nixos/boxes/britnet.nix
+++ b/nixos/boxes/britnet.nix
@@ -0,0 +1,191 @@
+{ lib, ... }:
+let
+  inherit (lib.my) net;
+  inherit (lib.my.c) pubDomain;
+  inherit (lib.my.c.britnet) domain pubV4 prefixes;
+in
+{
+  nixos.systems.britnet = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      allhost = {
+        inherit domain;
+        ipv4 = {
+          address = pubV4;
+          mask = 24;
+          gateway = "77.74.199.1";
+        };
+        ipv6 = {
+          address = "2a12:ab46:5344:99::a";
+          gateway = "2a12:ab46:5344::1";
+        };
+      };
+      vpn = {
+        ipv4 = {
+          address = net.cidr.host 1 prefixes.vpn.v4;
+          gateway = null;
+        };
+        ipv6.address = net.cidr.host 1 prefixes.vpn.v6;
+      };
+    };
+
+    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
+      let
+        inherit (lib) mkMerge mkForce;
+        inherit (lib.my) networkdAssignment;
+      in
+      {
+        imports = [
+          "${modulesPath}/profiles/qemu-guest.nix"
+        ];
+
+        config = mkMerge [
+          {
+            boot = {
+              initrd.availableKernelModules = [
+                "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sr_mod" "virtio_blk"
+              ];
+              loader = {
+                systemd-boot.enable = false;
+                grub = {
+                  enable = true;
+                  device = "/dev/vda";
+                };
+              };
+            };
+
+            fileSystems = {
+              "/boot" = {
+                device = "/dev/disk/by-uuid/457444a1-81dd-4934-960c-650ad16c92b5";
+                fsType = "ext4";
+              };
+              "/nix" = {
+                device = "/dev/disk/by-uuid/992c0c79-5be6-45b6-bc30-dc82e3ec082a";
+                fsType = "ext4";
+              };
+              "/persist" = {
+                device = "/dev/disk/by-uuid/f020a955-54d5-4098-98ba-d3615781d96a";
+                fsType = "ext4";
+                neededForBoot = true;
+              };
+            };
+
+            environment = {
+              systemPackages = with pkgs; [
+                wireguard-tools
+              ];
+            };
+
+            services = {
+              iperf3 = {
+                enable = true;
+                openFirewall = true;
+              };
+
+              tailscale = {
+                enable = true;
+                authKeyFile = config.age.secrets."tailscale-auth.key".path;
+                openFirewall = true;
+                interfaceName = "tailscale0";
+                extraUpFlags = [
+                  "--operator=${config.my.user.config.name}"
+                  "--login-server=https://hs.nul.ie"
+                  "--netfilter-mode=off"
+                  "--advertise-exit-node"
+                  "--accept-routes=false"
+                ];
+              };
+            };
+
+            networking = { inherit domain; };
+
+            systemd.network = {
+              netdevs = {
+                "30-wg0" = {
+                  netdevConfig = {
+                    Name = "wg0";
+                    Kind = "wireguard";
+                  };
+                  wireguardConfig = {
+                    PrivateKeyFile = config.age.secrets."britnet/wg.key".path;
+                    ListenPort = lib.my.c.britnet.vpn.port;
+                  };
+                  wireguardPeers = [
+                    {
+                      PublicKey = "EfPwREfZ/q3ogHXBIqFZh4k/1NRJRyq4gBkBXtegNkE=";
+                      AllowedIPs = [
+                        (net.cidr.host 10 prefixes.vpn.v4)
+                        (net.cidr.host 10 prefixes.vpn.v6)
+                      ];
+                    }
+                  ];
+                };
+              };
+
+              links = {
+                "10-veth0" = {
+                  matchConfig.PermanentMACAddress = "00:db:d9:62:68:1a";
+                  linkConfig.Name = "veth0";
+                };
+              };
+
+              networks = {
+                "20-veth0" = mkMerge [
+                  (networkdAssignment "veth0" assignments.allhost)
+                  {
+                    dns = [ "1.1.1.1" "1.0.0.1" ];
+                    routes = [
+                      {
+                        # Gateway is on a different network for some reason...
+                        Destination = "2a12:ab46:5344::1";
+                        Scope = "link";
+                      }
+                    ];
+                  }
+                ];
+                "30-wg0" = mkMerge [
+                  (networkdAssignment "wg0" assignments.vpn)
+                  {
+                    networkConfig.IPv6AcceptRA = mkForce false;
+                  }
+                ];
+              };
+            };
+
+            my = {
+              server.enable = true;
+              secrets = {
+                key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJIEx+1EC/lN6WKIaOB+O5LJgVHRK962YpZEPQg/m78O";
+                files = {
+                  "tailscale-auth.key" = {};
+                  "britnet/wg.key" = {
+                    owner = "systemd-network";
+                  };
+                };
+              };
+
+              firewall = {
+                udp.allowed = [ lib.my.c.britnet.vpn.port ];
+                trustedInterfaces = [ "tailscale0" ];
+                extraRules = ''
+                  table inet filter {
+                    chain forward {
+                      iifname wg0 oifname veth0 accept
+                    }
+                  }
+                  table inet nat {
+                    chain postrouting {
+                      iifname { tailscale0, wg0 } oifname veth0 snat ip to ${assignments.allhost.ipv4.address}
+                      iifname { tailscale0, wg0 } oifname veth0 snat ip6 to ${assignments.allhost.ipv6.address}
+                    }
+                  }
+                '';
+              };
+            };
+          }
+        ];
+      };
+  };
+}
--- a/nixos/boxes/britway/bgp.nix
+++ b/nixos/boxes/britway/bgp.nix
@@ -11,23 +11,24 @@ in
  config = {
    my = {
      secrets.files."britway/bgp-password-vultr.conf" = {
-        owner = "bird2";
-        group = "bird2";
+        owner = "bird";
+        group = "bird";
      };
    };

    environment.etc."bird/vultr-password.conf".source = config.age.secrets."britway/bgp-password-vultr.conf".path;

    systemd = {
-      services.bird2.after = [ "systemd-networkd-wait-online@veth0.service" ];
+      services.bird.after = [ "systemd-networkd-wait-online@veth0.service" ];
      network = {
        config.networkConfig.ManageForeignRoutes = false;
      };
    };

    services = {
-      bird2 = {
+      bird = {
        enable = true;
+        package = pkgs.bird2;
        preCheckConfig = ''
          echo '"dummy"' > vultr-password.conf
        '';
--- a/nixos/boxes/colony/vms/estuary/bgp.nix
+++ b/nixos/boxes/colony/vms/estuary/bgp.nix
@@ -8,8 +8,9 @@ in
 {
  config = {
    services = {
-      bird2 = {
+      bird = {
        enable = true;
+        package = pkgs.bird2;
        # TODO: Clean up and modularise
        config = ''
          define OWNAS = 211024;
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -399,8 +399,9 @@ in

                      ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
                      ${matchInet "tcp dport { http, https } accept" "git"}
-                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept
+                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport 25565 accept
                      ip6 daddr ${aa.simpcraft-staging-oci.internal.ipv6.address} tcp dport 25565 accept
+                      ip6 daddr ${aa.kevcraft-oci.internal.ipv6.address} tcp dport 25567 accept
                      return
                    }
                    chain routing-udp {
@@ -408,6 +409,7 @@ in
                      ip6 daddr ${aa.waffletail.internal.ipv6.address} udp dport 41641 accept
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} udp dport 25565 accept
                      ip6 daddr ${aa.enshrouded-oci.internal.ipv6.address} udp dport { 15636-15637 } accept
+                      ip6 daddr ${aa.kevcraft-oci.internal.ipv6.address} udp dport 25567 accept
                      return
                    }
                    chain filter-routing {
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -154,6 +154,8 @@ in
            simpcraft-staging IN A ${assignments.internal.ipv4.address}
            simpcraft-staging IN AAAA ${allAssignments.simpcraft-staging-oci.internal.ipv6.address}
            enshrouded IN A ${assignments.internal.ipv4.address}
+            kevcraft IN A ${assignments.internal.ipv4.address}
+            kevcraft IN AAAA ${allAssignments.kevcraft-oci.internal.ipv6.address}

            mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
            mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -49,6 +49,7 @@ let
    "/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
    "/.well-known/nodeinfo".return = "301 https://toot.nul.ie$request_uri";
    "/.well-known/host-meta".return = "301 https://toot.nul.ie$request_uri";
+    "/.well-known/atproto-did".return = "301 https://pds.nul.ie$request_uri";
  };
 in
 {
@@ -79,6 +80,10 @@ in
                  sha256 = "018wh6ps19n7323fi44njzj9yd4wqslc90dykbwfyscv7bgxhlar";
                };
              }
+              {
+                name = "ssh.pub";
+                path = lib.my.c.sshKeyFiles.me;
+              }
            ];
          }
          wellKnown
@@ -322,6 +327,15 @@ in
        useACMEHost = pubDomain;
      };

+      "pds.nul.ie" = {
+        locations."/" = {
+          proxyPass = "http://toot-ctr.${domain}:3000";
+          proxyWebsockets = true;
+          extraConfig = proxyHeaders;
+        };
+        useACMEHost = pubDomain;
+      };
+
      "share.${pubDomain}" = {
        locations."/" = {
          proxyPass = "http://object-ctr.${domain}:9090";
@@ -343,6 +357,8 @@ in
        useACMEHost = pubDomain;
      };
      "public.${pubDomain}" = {
+        onlySSL = false;
+        addSSL = true;
        serverAliases = [ "p.${pubDomain}" ];
        locations."/" = {
          root = "/mnt/media/public";
@@ -413,6 +429,14 @@ in
        }
        (ssoServer "generic")
      ];
+      "hass.${pubDomain}" = {
+        locations."/" = {
+          proxyPass = "http://hass-ctr.${home.domain}:8123";
+          proxyWebsockets = true;
+          extraConfig = proxyHeaders;
+        };
+        useACMEHost = pubDomain;
+      };
    };

    minio =
--- a/nixos/boxes/colony/vms/shill/containers/toot.nix
+++ b/nixos/boxes/colony/vms/shill/containers/toot.nix
@@ -26,6 +26,8 @@ in
    let
      inherit (lib) mkMerge mkIf genAttrs;
      inherit (lib.my) networkdAssignment systemdAwaitPostgres;
+
+      pdsPort = 3000;
    in
    {
      config = mkMerge [
@@ -36,7 +38,7 @@ in

            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";
-              files = genAttrs
+              files = (genAttrs
                (map (f: "toot/${f}") [
                  "postgres-password.txt"
                  "secret-key.txt"
@@ -48,7 +50,12 @@ in
                (_: with config.services.mastodon; {
                  owner = user;
                  inherit group;
-                });
+                })) // {
+                  "toot/pds.env" = {
+                    owner = "pds";
+                    group = "pds";
+                  };
+                };
            };

            firewall = {
@@ -56,6 +63,7 @@ in
                19999

                "http"
+                pdsPort
              ];
            };
          };
@@ -155,6 +163,32 @@ in
                };
              };
            };
+
+            pds = {
+              enable = true;
+              environmentFiles = [ config.age.secrets."toot/pds.env".path ];
+              settings = {
+                PDS_HOSTNAME = "pds.nul.ie";
+                PDS_PORT = pdsPort;
+
+                PDS_BLOBSTORE_DISK_LOCATION = null;
+                PDS_BLOBSTORE_S3_BUCKET = "pds";
+                PDS_BLOBSTORE_S3_ENDPOINT = "https://s3.nul.ie/";
+                PDS_BLOBSTORE_S3_REGION = "eu-central-1";
+                PDS_BLOBSTORE_S3_ACCESS_KEY_ID = "pds";
+                PDS_BLOB_UPLOAD_LIMIT = "52428800";
+
+                PDS_EMAIL_FROM_ADDRESS = "pds@nul.ie";
+
+                PDS_DID_PLC_URL = "https://plc.directory";
+                PDS_INVITE_REQUIRED = 1;
+                PDS_BSKY_APP_VIEW_URL = "https://api.bsky.app";
+                PDS_BSKY_APP_VIEW_DID = "did:web:api.bsky.app";
+                PDS_REPORT_SERVICE_URL = "https://mod.bsky.app";
+                PDS_REPORT_SERVICE_DID = "did:plc:ar7c4by46qjdydhdevvrndac";
+                PDS_CRAWLERS = "https://bsky.network";
+              };
+            };
          };
        }
        (mkIf config.my.build.isDevVM {
--- a/nixos/boxes/colony/vms/whale2/default.nix
+++ b/nixos/boxes/colony/vms/whale2/default.nix
@@ -53,6 +53,7 @@ in
      simpcraft-oci = 3;
      simpcraft-staging-oci = 4;
      enshrouded-oci = 5;
+      kevcraft-oci = 6;
    };

    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
--- a/nixos/boxes/colony/vms/whale2/minecraft/default.nix
+++ b/nixos/boxes/colony/vms/whale2/minecraft/default.nix
@@ -104,6 +104,46 @@ in
      #     ''--network=colony:${dockerNetAssignment allAssignments "simpcraft-staging-oci"}''
      #   ];
      # };
+
+      kevcraft = {
+        # 2025.2.1-java21-alpine
+        image = "itzg/minecraft-server@sha256:57e319c15e9fee63f61029a65a33acc3de85118b21a2b4bb29f351cf4a915027";
+
+        environment = {
+          TYPE = "VANILLA";
+          VERSION = "1.20.1";
+          SERVER_PORT = "25567";
+          QUERY_PORT = "25567";
+
+          EULA = "true";
+          ENABLE_QUERY = "true";
+          ENABLE_RCON = "true";
+          MOTD = "§4§k----- §9K§ae§bv§cc§dr§ea§ff§6t §4§k-----";
+          ICON = "/ext/icon.png";
+
+          EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
+          WHITELIST = whitelist;
+          EXISTING_OPS_FILE = "SYNCHRONIZE";
+          OPS = op;
+          DIFFICULTY = "normal";
+          SPAWN_PROTECTION = "0";
+          # VIEW_DISTANCE = "20";
+
+          MAX_MEMORY = "4G";
+
+          TZ = "Europe/Dublin";
+        };
+        environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
+
+        volumes = [
+          "kevcraft_data:/data"
+          "${./kev.png}:/ext/icon.png:ro"
+        ];
+
+        extraOptions = [
+          ''--network=colony:${dockerNetAssignment allAssignments "kevcraft-oci"}''
+        ];
+      };
    };

    services = {
--- a/nixos/boxes/colony/vms/whale2/minecraft/kev.png
+++ b/nixos/boxes/colony/vms/whale2/minecraft/kev.png
--- a/nixos/boxes/home/castle/default.nix
+++ b/nixos/boxes/home/castle/default.nix
@@ -150,6 +150,7 @@ in
          mstflint
          qperf
          ethtool
+          android-tools
        ];

        nix = {
--- a/nixos/boxes/home/palace/vms/default.nix
+++ b/nixos/boxes/home/palace/vms/default.nix
@@ -188,6 +188,11 @@
                hostBDF = "44:00.4";
              };
            };
+            qemuFlags = [
+              "device qemu-xhci,id=xhci"
+              # Front-right port?
+              "device usb-host,hostbus=1,hostport=4"
+            ];
          };
        };
      };
--- a/nixos/boxes/home/palace/vms/sfh/containers/default.nix
+++ b/nixos/boxes/home/palace/vms/sfh/containers/default.nix
@@ -1,5 +1,6 @@
 {
  imports = [
    ./unifi.nix
+    ./hass.nix
  ];
 }
--- a/nixos/boxes/home/palace/vms/sfh/containers/hass.nix
+++ b/nixos/boxes/home/palace/vms/sfh/containers/hass.nix
@@ -0,0 +1,178 @@
+{ lib, ... }:
+let
+  inherit (lib.my) net;
+  inherit (lib.my.c) pubDomain;
+  inherit (lib.my.c.home) domain prefixes vips hiMTU;
+in
+{
+  nixos.systems.hass = { config, ... }: {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+    rendered = config.configuration.config.my.asContainer;
+
+    assignments = {
+      hi = {
+        name = "hass-ctr";
+        inherit domain;
+        mtu = hiMTU;
+        ipv4 = {
+          address = net.cidr.host 103 prefixes.hi.v4;
+          mask = 22;
+          gateway = vips.hi.v4;
+        };
+        ipv6 = {
+          iid = "::5:3";
+          address = net.cidr.host (65536*5+3) prefixes.hi.v6;
+        };
+      };
+      lo = {
+        name = "hass-ctr-lo";
+        inherit domain;
+        mtu = 1500;
+        ipv4 = {
+          address = net.cidr.host 103 prefixes.lo.v4;
+          mask = 21;
+          gateway = null;
+        };
+        ipv6 = {
+          iid = "::5:3";
+          address = net.cidr.host (65536*5+3) prefixes.lo.v6;
+        };
+      };
+    };
+
+    configuration = { lib, config, pkgs, assignments, allAssignments, ... }:
+    let
+      inherit (lib) mkMerge mkIf mkForce;
+      inherit (lib.my) networkdAssignment;
+
+      hassCli = pkgs.writeShellScriptBin "hass-cli" ''
+        export HASS_SERVER="http://localhost:${toString config.services.home-assistant.config.http.server_port}"
+        export HASS_TOKEN="$(< ${config.age.secrets."hass/cli-token.txt".path})"
+        exec ${pkgs.home-assistant-cli}/bin/hass-cli "$@"
+      '';
+    in
+    {
+      config = {
+        my = {
+          deploy.enable = false;
+          server.enable = true;
+
+          secrets = {
+            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpYX2WbYwUqHp8bFFf0eHFrqrR8xp8IheguA054F8V4";
+            files = {
+              "hass/cli-token.txt" = {
+                owner = config.my.user.config.name;
+              };
+            };
+          };
+
+          firewall = {
+            tcp.allowed = [ ];
+          };
+        };
+
+        environment = {
+          systemPackages = with pkgs; [
+            usbutils
+            hassCli
+          ];
+        };
+
+        systemd = {
+          network.networks = {
+            "80-container-host0" = networkdAssignment "host0" assignments.hi;
+            "80-container-lan-lo" = networkdAssignment "lan-lo" assignments.lo;
+          };
+        };
+
+        services = {
+          home-assistant =
+          let
+            cfg = config.services.home-assistant;
+
+            pyirishrail = ps: ps.buildPythonPackage rec {
+              pname = "pyirishrail";
+              version = "0.0.2";
+              src = pkgs.fetchFromGitHub {
+                owner = "ttroy50";
+                repo = "pyirishrail";
+                tag = version;
+                hash = "sha256-NgARqhcXP0lgGpgBRiNtQaSn9JcRNtCcZPljcL7t3Xc=";
+              };
+
+              dependencies = with ps; [
+                requests
+              ];
+            };
+          in
+          {
+            enable = true;
+
+            extraComponents = [
+              "default_config"
+              "esphome"
+              "google_translate"
+
+              "met"
+              "zha"
+              "denonavr"
+              "webostv"
+              "androidtv_remote"
+            ];
+            extraPackages = python3Packages: with python3Packages; [
+              zlib-ng
+              isal
+
+              gtts
+              (pyirishrail python3Packages)
+            ];
+            customComponents = with pkgs.home-assistant-custom-components; [
+              alarmo
+            ];
+
+            configWritable = false;
+            openFirewall = true;
+            config = {
+              default_config = {};
+              homeassistant = {
+                name = "Home";
+                unit_system = "metric";
+                currency = "EUR";
+                country = "IE";
+                time_zone = "Europe/Dublin";
+                external_url = "https://hass.${pubDomain}";
+                internal_url = "http://hass-ctr.${domain}:${toString cfg.config.http.server_port}";
+              };
+              http = {
+                use_x_forwarded_for = true;
+                trusted_proxies = with allAssignments.middleman.internal; [
+                  ipv4.address
+                  ipv6.address
+                ];
+              };
+              automation = "!include automations.yaml";
+
+              sensor = [
+                {
+                  platform = "irish_rail_transport";
+                  name = "To Work from Home";
+                  station = "Glenageary";
+                  stops_at = "Dublin Connolly";
+                  direction = "Northbound";
+                }
+                {
+                  platform = "irish_rail_transport";
+                  name = "To Home from Work";
+                  station = "Dublin Connolly";
+                  stops_at = "Glenageary";
+                  direction = "Southbound";
+                }
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/nixos/boxes/home/palace/vms/sfh/default.nix
+++ b/nixos/boxes/home/palace/vms/sfh/default.nix
@@ -29,7 +29,7 @@ in

    configuration = { lib, modulesPath, pkgs, config, assignments, allAssignments, ... }:
    let
-      inherit (lib) mapAttrs mkMerge;
+      inherit (lib) mapAttrs mkMerge mkForce;
      inherit (lib.my) networkdAssignment;
      inherit (lib.my.c) networkd;
      inherit (lib.my.c.home) domain;
@@ -83,6 +83,12 @@ in
          };
        };

+        environment = {
+          systemPackages = with pkgs; [
+            usbutils
+          ];
+        };
+
        systemd.network = {
          links = {
            "10-lan-hi" = {
@@ -105,6 +111,13 @@ in
                MTUBytes = toString lib.my.c.home.hiMTU;
              };
            };
+            "10-lan-lo-ctrs" = {
+              matchConfig = {
+                Driver = "virtio_net";
+                PermanentMACAddress = "52:54:00:a5:7e:93";
+              };
+              linkConfig.Name = "lan-lo-ctrs";
+            };
          };

          networks = {
@@ -118,8 +131,27 @@ in
              linkConfig.RequiredForOnline = "no";
              networkConfig = networkd.noL3;
            };
+            "30-lan-lo-ctrs" = {
+              matchConfig.Name = "lan-lo-ctrs";
+              linkConfig.RequiredForOnline = "no";
+              networkConfig = networkd.noL3;
            };
          };
+        };
+
+        systemd.nspawn = {
+          hass = {
+            networkConfig = {
+              MACVLAN = mkForce "lan-hi-ctrs:host0 lan-lo-ctrs:lan-lo";
+            };
+          };
+        };
+
+        systemd.services = {
+          "systemd-nspawn@hass".serviceConfig.DeviceAllow = [
+            "char-ttyUSB rw"
+          ];
+        };

        my = {
          secrets = {
@@ -141,7 +173,16 @@ in
          containers.instances =
          let
            instances = {
-              unifi = {};
+              # unifi = {};
+              hass = {
+                bindMounts = {
+                  "/dev/bus/usb/001/002".readOnly = false;
+                  "/dev/serial/by-id/usb-Nabu_Casa_Home_Assistant_Connect_ZBT-1_ce549704fe38ef11a2c2e5d154516304-if00-port0" = {
+                    readOnly = false;
+                    mountPoint = "/dev/ttyUSB0";
+                  };
+                };
+              };
            };
          in
          mkMerge [
--- a/nixos/boxes/home/routing-common/dns-blocklist.txt
+++ b/nixos/boxes/home/routing-common/dns-blocklist.txt
@@ -0,0 +1,74 @@
+# Blocklist for LG WebOS Services (US)
+ad.lgappstv.com
+ibis.lgappstv.com
+info.lgsmartad.com
+lgtvsdp.com
+ngfts.lge.com
+rdx2.lgtvsdp.com
+smartshare.lgtvsdp.com
+lgappstv.com
+us.ad.lgsmartad.com
+us.ibs.lgappstv.com
+us.info.lgsmartad.com
+us.lgtvsdp.com
+
+# Community Contributions
+lgad.cjpowercast.com
+edgesuite.net
+yumenetworks.com
+smartclip.net
+smartclip.com
+
+# Non-US Entries
+rdx2.lgtvsdp.com
+info.lgsmartad.com
+ibs.lgappstv.com
+lgtvsdp.com
+lgappstv.com
+smartshare.lgtvsdp.com
+
+# Full Block for Europe and Other Regions
+de.ad.lgsmartad.com
+de.emp.lgsmartplatform.com
+de.ibs.lgappstv.com
+de.info.lgsmartad.com
+de.lgeapi.com
+de.lgtvsdp.com
+de.rdx2.lgtvsdp.com
+eu.ad.lgsmartad.com
+eu.ibs.lgappstv.com
+eu.info.lgsmartad.com
+app-lgwebos.pluto.tv
+it.lgtvsdp.com
+it.lgeapi.com
+it.emp.lgsmartplatform.com
+
+# LG ThinQ Services
+eic.common.lgthinq.com
+eic.iotservice.lgthinq.com
+eic.service.lgthinq.com
+eic.ngfts.lge.com
+eic.svc-lgthinq-com.aws-thinq-prd.net
+eic.cdpsvc.lgtvcommon.com
+eic.cdpbeacon.lgtvcommon.com
+eic.cdplauncher.lgtvcommon.com
+eic.homeprv.lgtvcommon.com
+eic.lgtviot.com
+eic.nudge.lgtvcommon.com
+eic.rdl.lgtvcommon.com
+eic.recommend.lgtvcommon.com
+eic.service.lgtvcommon.com
+gb-lgeapi-com.esi-prd.net
+gb.lgeapi.com
+lgtvonline.lge.com
+lg-channelplus-de-beacons.xumo.com
+lg-channelplus-de-mds.xumo.com
+lg-channelplus-eu-beacons.xumo.com
+lg-channelplus-eu-mds.xumo.com
+kr-op-v2.lgthinqhome.com
+ngfts.lge.com
+noti.lgthinq.com
+objectcontent.lgthinq.com
+
+# Update Server Block
+#snu.lge.com
--- a/nixos/boxes/home/routing-common/dns.nix
+++ b/nixos/boxes/home/routing-common/dns.nix
@@ -63,16 +63,35 @@ in
          webserver-allow-from = [ "127.0.0.1" "::1" ];

          lua-dns-script = pkgs.writeText "pdns-script.lua" ''
-            -- Disney+ doesn't like our IP space...
+            blocklist = newDS()
+
            function preresolve(dq)
              local name = dq.qname:toString()
+
+              -- Disney+ doesn't like our IP space...
              if dq.qtype == pdns.AAAA and (string.find(name, "disneyplus") or string.find(name, "disney-plus") or string.find(name , "disney.api")) then
                dq.rcode = 0
                return true
              end

+              if blocklist:check(dq.qname) then
+                if dq.qtype == pdns.A then
+                  dq:addAnswer(dq.qtype, "127.0.0.1")
+                elseif dq.qtype == pdns.AAAA then
+                  dq:addAnswer(dq.qtype, "::1")
+                end
+                return true
+              end
+
              return false
            end
+
+            for line in io.lines("${./dns-blocklist.txt}") do
+              entry = line:gsub("%s+", "")
+              if entry ~= "" and string.sub(entry, 1, 1) ~= "#" then
+                blocklist:add(entry)
+              end
+            end
          '';
        };
      };
--- a/nixos/boxes/home/routing-common/dns_update.py
+++ b/nixos/boxes/home/routing-common/dns_update.py
@@ -2,7 +2,7 @@
 import argparse
 import subprocess

-import CloudFlare
+import cloudflare

 def main():
    parser = argparse.ArgumentParser(description='Cloudflare DNS update script')
@@ -19,17 +19,22 @@ def main():
    if args.api_token_file:
        with open(args.api_token_file) as f:
            cf_token = f.readline().strip()
+    cf = cloudflare.Cloudflare(api_token=cf_token)

-    cf = CloudFlare.CloudFlare(token=cf_token)
-    zones = cf.zones.get(params={'name': args.zone})
+    zones = list(cf.zones.list(name=args.zone))
    assert zones, f'Zone {args.zone} not found'
-    records = cf.zones.dns_records.get(zones[0]['id'], params={'name': args.record})
+    assert len(zones) == 1, f'More than one zone found for {args.zone}'
+    zone = zones[0]
+
+    records = list(cf.dns.records.list(zone_id=zone.id, name=args.record, type='A'))
    assert records, f'Record {args.record} not found in zone {args.zone}'
+    assert len(records) == 1, f'More than one record found for {args.record}'
+    record = records[0]

    print(f'Updating {args.record} -> {address}')
-    cf.zones.dns_records.patch(
-        zones[0]['id'], records[0]['id'],
-        data={'type': 'A', 'name': args.record, 'content': address})
+    cf.dns.records.edit(
+        zone_id=zone.id, dns_record_id=record.id,
+        type='A', content=address)

 if __name__ == '__main__':
    main()
--- a/nixos/boxes/home/routing-common/kea.nix
+++ b/nixos/boxes/home/routing-common/kea.nix
@@ -132,6 +132,22 @@ in
                  hw-address = "24:8a:07:a8:fe:3a";
                  ip-address = net.cidr.host 40 prefixes.lo.v4;
                }
+
+                {
+                  # avr
+                  hw-address = "8c:a9:6f:30:03:6b";
+                  ip-address = net.cidr.host 41 prefixes.lo.v4;
+                }
+                {
+                  # tv
+                  hw-address = "00:a1:59:b8:4d:86";
+                  ip-address = net.cidr.host 42 prefixes.lo.v4;
+                }
+                {
+                  # android tv
+                  hw-address = "b8:7b:d4:95:c6:74";
+                  ip-address = net.cidr.host 43 prefixes.lo.v4;
+                }
              ];
            }
          ];
--- a/nixos/boxes/home/stream.nix
+++ b/nixos/boxes/home/stream.nix
@@ -45,12 +45,12 @@

        services = {
          mjpg-streamer = {
-            enable = true;
+            enable = false;
            inputPlugin = "input_uvc.so";
            outputPlugin = "output_http.so -w @www@ -n -p 5050";
          };
          octoprint = {
-            enable = true;
+            enable = false;
            host = "::";
            extraConfig = {
              plugins = {
--- a/nixos/boxes/kelder/containers/spoder/default.nix
+++ b/nixos/boxes/kelder/containers/spoder/default.nix
@@ -98,6 +98,7 @@ in
            https = true;
            config = {
              adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
+              dbtype = "sqlite";
            };
            settings = {
              updatechecker = false;
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -23,7 +23,7 @@ let
      pkgs = pkgs'.${config'.nixpkgs}.${config'.system};
      allPkgs = mapAttrs (_: p: p.${config'.system}) pkgs';

-      modules' = [ hmFlakes.${config'.home-manager}.nixosModule ] ++ (attrValues cfg.modules);
+      modules' = [ hmFlakes.${config'.home-manager}.nixosModules.default ] ++ (attrValues cfg.modules);
    in
    # Import eval-config ourselves since the flake now force-sets lib
    import "${pkgsFlake}/nixos/lib/eval-config.nix" {
--- a/nixos/modules/_list.nix
+++ b/nixos/modules/_list.nix
@@ -14,7 +14,7 @@
    network = ./network.nix;
    pdns = ./pdns.nix;
    nginx-sso = ./nginx-sso.nix;
-    gui = ./gui.nix;
+    gui = ./gui;
    l2mesh = ./l2mesh.nix;
    borgthin = ./borgthin.nix;
    nvme = ./nvme;
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -15,6 +15,7 @@ let
    passAsFile = [ "code" ];
    code = ''
      #include <stdio.h>
+      #include <stdlib.h>
      #include <signal.h>
      #include <unistd.h>
      #include <systemd/sd-daemon.h>
--- a/nixos/modules/gui/android-udev.rules
+++ b/nixos/modules/gui/android-udev.rules
--- a/nixos/modules/gui/default.nix
+++ b/nixos/modules/gui/default.nix
@@ -4,6 +4,12 @@ let
  inherit (lib.my) mkBoolOpt';

  cfg = config.my.gui;
+
+  androidUdevRules = pkgs.runCommand "udev-rules-android" {
+    rulesFile = ./android-udev.rules;
+  } ''
+    install -D "$rulesFile" "$out"/lib/udev/rules.d/51-android.rules
+  '';
 in
 {
  options.my.gui = with lib.types; {
@@ -26,6 +32,12 @@ in
      pam.services.swaylock-plugin = {};
    };

+    users = {
+      groups = {
+        adbusers.gid = lib.my.c.ids.gids.adbusers;
+      };
+    };
+
    environment.systemPackages = with pkgs; [
      # for pw-jack
      pipewire.jack
@@ -46,6 +58,9 @@ in
      };

      udev = {
+        packages = [
+          androidUdevRules
+        ];
        extraRules = ''
          # Nvidia
          SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="wheel"
@@ -88,5 +103,13 @@ in
        ];
      };
    };
+
+    my = {
+      user = {
+        config = {
+          extraGroups = [ "adbusers" ];
+        };
+      };
+    };
  };
 }
--- a/nixos/modules/netboot/default.nix
+++ b/nixos/modules/netboot/default.nix
@@ -5,6 +5,7 @@ let

  cfg = config.my.netboot;

+  # Newer releases don't boot on desktop?
  ipxe = pkgs.ipxe.overrideAttrs (o: rec {
    version = "1.21.1-unstable-2024-06-27";
    src = pkgs.fetchFromGitHub {
@@ -13,6 +14,9 @@ let
      rev = "b66e27d9b29a172a097c737ab4d378d60fe01b05";
      hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
    };
+
+    # This upstream patch (in newer versions) is needed for newer GCC
+    patches = (if (o ? patches) then o.patches else []) ++ [ ./fix-uninitialised-var.patch ];
  });
  tftpRoot = pkgs.linkFarm "tftp-root" [
    {
--- a/nixos/modules/netboot/fix-uninitialised-var.patch
+++ b/nixos/modules/netboot/fix-uninitialised-var.patch
@@ -0,0 +1,48 @@
+From 7f75d320f6d8ac7ec5185b2145da87f698aec273 Mon Sep 17 00:00:00 2001
+From: Michael Brown <mcb30@ipxe.org>
+Date: Mon, 2 Sep 2024 12:24:57 +0100
+Subject: [PATCH] [etherfabric] Fix use of uninitialised variable in
+ falcon_xaui_link_ok()
+
+The link status check in falcon_xaui_link_ok() reads from the
+FCN_XX_CORE_STAT_REG_MAC register only on production hardware (where
+the FPGA version reads as zero), but modifies the value and writes
+back to this register unconditionally.  This triggers an uninitialised
+variable warning on newer versions of gcc.
+
+Fix by assuming that the register exists only on production hardware,
+and so moving the "modify-write" portion of the "read-modify-write"
+operation to also be covered by the same conditional check.
+
+Signed-off-by: Michael Brown <mcb30@ipxe.org>
+---
+ src/drivers/net/etherfabric.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/drivers/net/etherfabric.c b/src/drivers/net/etherfabric.c
+index b40596beae7..be30b71f79f 100644
+--- a/src/drivers/net/etherfabric.c
+++ b/src/drivers/net/etherfabric.c
+@@ -2225,13 +2225,16 @@ falcon_xaui_link_ok ( struct efab_nic *efab )
+ 		sync = ( sync == FCN_XX_SYNC_STAT_DECODE_SYNCED );
+ 		
+ 		link_ok = align_done && sync;
+-	}
+ 
+-	/* Clear link status ready for next read */
+-	EFAB_SET_DWORD_FIELD ( reg, FCN_XX_COMMA_DET, FCN_XX_COMMA_DET_RESET );
+-	EFAB_SET_DWORD_FIELD ( reg, FCN_XX_CHARERR, FCN_XX_CHARERR_RESET);
+-	EFAB_SET_DWORD_FIELD ( reg, FCN_XX_DISPERR, FCN_XX_DISPERR_RESET);
+-	falcon_xmac_writel ( efab, &reg, FCN_XX_CORE_STAT_REG_MAC );
+		/* Clear link status ready for next read */
+		EFAB_SET_DWORD_FIELD ( reg, FCN_XX_COMMA_DET,
+				       FCN_XX_COMMA_DET_RESET );
+		EFAB_SET_DWORD_FIELD ( reg, FCN_XX_CHARERR,
+				       FCN_XX_CHARERR_RESET );
+		EFAB_SET_DWORD_FIELD ( reg, FCN_XX_DISPERR,
+				       FCN_XX_DISPERR_RESET );
+		falcon_xmac_writel ( efab, &reg, FCN_XX_CORE_STAT_REG_MAC );
+	}
+ 
+ 	has_phyxs = ( efab->phy_op->mmds & ( 1 << MDIO_MMD_PHYXS ) );
+ 	if ( link_ok && has_phyxs ) {
--- a/nixos/modules/network.nix
+++ b/nixos/modules/network.nix
@@ -1,6 +1,6 @@
 { lib, pkgs, config, ... }:
 let
-  inherit (lib) flatten optional mkIf mkDefault mkMerge;
+  inherit (lib) flatten optional mkIf mkDefault mkMerge versionAtLeast;
 in
 {
  config = mkMerge [
@@ -13,9 +13,11 @@ in
      };

      systemd = {
-        additionalUpstreamSystemUnits = [
+        additionalUpstreamSystemUnits = mkIf (config.system.nixos.release == "24.12:u-24.11") [
          # TODO: NixOS has its own version of this, but with `network` instead of `networkd`. Is this just a typo? It
          # hasn't been updated in 2 years...
+          # This has been done upstream now :)
+          # TODO: Remove when 25.05 releases
          "systemd-networkd-wait-online@.service"
        ];
      };
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -551,6 +551,26 @@ in
          ];
        });
      })
+      (mkIf (config.services ? "pds" && config.services.pds.enable) {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = "/var/lib/pds";
+            mode = "0750";
+            user = "pds";
+            group = "pds";
+          }
+        ];
+      })
+      (mkIf config.services.home-assistant.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = config.services.home-assistant.configDir;
+            mode = "0750";
+            user = "hass";
+            group = "hass";
+          }
+        ];
+      })
    ]))
  ]);

--- a/secrets/britnet/wg.key.age
+++ b/secrets/britnet/wg.key.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHNqUFR5ZyBVVkI0
+dE5YN1pJWExzLzltcmhna2tJUmdRNjZ1Y1hwbzdtRE0wa2hReTNBCk4ydmNFK0FF
+b0RUdVl3a3d4amhKSEVhZWZPeHZDenBiTXpkVVFiNXFXNGsKLT4gWDI1NTE5IG9i
+K0ZrNEc5SVlyWU1EbXdlbWppRG1DdjFRbTBCREY2OUxrMmVqNHhSazQKVnRaVmVn
+MFBRL1dWeFNOaEwyU2szb1lOVzF1enQwdmVZZWRJcHd5MHdFbwotPiB2Wy1gUV8/
+LWdyZWFzZSBdSDFebHsgKkBkVzl+KnggJTEKdlhrdzVpMHYxUUliQnhaYXNaVWNR
+S3NxbjhFMEFGamZkRU1RNURhcmwzOGxFbGxXelhOdDBWTHBSY1hBcGFtUwpkampi
+WnhzMDcxTk1seWZ6VURZb1l1QU1GdwotLS0gRFNpcXpDUFZLTXFJN3Z0bEJQd280
+WGROWUVvdSt3ZUdBbmRNcGFhRE9BWQoDDlPEY/t2eapa4Xbv8FcW6gdLzQn7Y2cH
+5UwD+0CTF3JdUpxWUIx9RWFleHekkt8j1+2/oO+m7+24yCg5mdqTJ3ZIwu9uk1eI
+0As8IA==
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/hass/cli-token.txt.age
+++ b/secrets/hass/cli-token.txt.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFQrc2JHQSBmTlVp
+RnlKNE9ySGo4L2h3VXBXRzIyZGdqU0RtUWk4ZmJVcGNKZ3BqTmpjCjJtQjUyTmJN
+dkpsbVI3M01mQlNPSEI0U1lVeUJTMVlXUlpheGxVblhUbUkKLT4gWDI1NTE5IG5K
+K0F3QWxJaW5CbW5TZElEVklIeUJxS0JCc2IxaFI5dVZrbDc3NDZGV2MKOVR6M0k5
+eW5HWDQrT3Rtb0tIM1EyajI1V0dKbHBLb0tVNU9nb21OUjcxYwotPiA5anw6bk56
+dC1ncmVhc2UgPCVeLiZyIH4KTGFRWHBGZFBJUElONUZLb3pJeXNZeXhoakYwT3BM
+TW9kUXBhOGhNbHh1Q1RPRTlCRnhSckg5NEUxWk5MVHJucQp4YlFDcVRzK2V5bWVT
+V0xLQjN1SjVTaWNJajJaTjRrQTd2VHlMRy82TExXbAotLS0gVE5YZVhTWXl4VUN2
+WUpidkJLV1JDU0R2QkdHZE5ZbCt2K2FlbGNjK0ZlNApzDh+kgAy4SBqC51mJi+VX
+ON8wbwLVTQRs1H30eyWNzt/3MO++eS4AoZUKQZUxURwXfhV0t0zd5/MlByBsqaHR
+W6O/9Dp8e/8GYSX3D892r1LKN0AYHgcKeKwEtJojt5CTNJS2IgU6UxZhTliqAEc
+NkfxvcoAEHhGhPOudEIX2SgjrgVGJA8MYm6/46zAolZws3TWim3NEgJpb9tWXpvi
+1f/MXuxiowplF+PqCsd1EGzpXKsvADq6Rwyxpo6CbJzrq+GhFrTHF+LRkzjWx6JE
+LUsZwDqOZUY=
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/tailscale-auth.key.age
+++ b/secrets/tailscale-auth.key.age
@@ -1,14 +1,18 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyByYlJn
-aERLcEhadS9jVUlyUmgxWEk5K0U2cE9WUlhCc0ZXbzhDRnZLTERvCmo2Vy9XeFhq
-NTcwdG5PZjlDb1JIM3BYWEVzMlBFWHFmRWt2dkF2OEQ2TDQKLT4gc3NoLWVkMjU1
-MTkgT0VxTXNnIHROaUlGUExERTZFaU5QL3dBcFpQVWNobGQwSEZ1YTU3NXJkekRi
-c0RUMGsKUHg4V0hIdFJ0aGxwOTFhaVB6MUdVWE0wUFgrMjI2am5uZlhWL09ObjhB
-VQotPiBYMjU1MTkgTWwyQjZjcUFYQ01KUHpoajRrVkpZd0czSzVrMTZxdjVHaHRh
-bERCSjBqSQpYOXJibDZPM2Z6bkNCSGpMRExZT21UTzU0N0RiT2FNM0l3N1pnRkl6
-WUJBCi0+IE0qLWdyZWFzZSB6TDVwIGRiQm0gajFFIEVqUXcKU3pEOFBqRVQ0dDZi
-REszS1h0T2FnOFF6cHBrN2xtOHdEQkIrCi0tLSBTM3EwNHhDaEo1eldDOTN5dzQz
-Q3Rpeno1K25KRU15L01wU21tczNmdlVJCqHBdFLovtLJGH9IY86pvc3xhpoLnfI/
-OVAF5RdpR9T2oNCr3oAiVURkPocYXLHnbjZhLKoj3uDoSZAE52VN9l05jhyX1wwY
-/Vfnp48kP8xfbQ==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHNqUFR5ZyArUnBS
+MCtjZERmK2IwTm16eGcrZFF5QlpYZU9VbUNzbHZ2VDBoZkJkam0wCndDdmhHc2pu
+TFFiT3MzcU13YklrdFpiRW1ZSU4zUGFQbXF3ellUU3U3bUkKLT4gc3NoLWVkMjU1
+MTkgRExNZUZnIE9EbUtYRFg0Z0xuVGNRM2pad3FFVGRDVTA3ZE50SHlvT1ZrU1NW
+b3VYREkKL0dPV3RGMHYyUW9jSlJhTU5yTnR3L0pHVjZTNWpoaGJiSmlPVWlDYlFv
+RQotPiBzc2gtZWQyNTUxOSBPRXFNc2cgRkwrZEY4RjAxYzhpbEE2eU0ya2N4emE5
+T0NlUnJwUi8vdVlJWlVOWEZESQo0OFdldUdML0hoR0NENHp2UktCTFhOYkxUZyti
+OGlhS3V1RnFUdHhVT0JvCi0+IFgyNTUxOSBOcnEzanBFWnltMUwwd3VBd3Jablk1
+Z3hDU283RVJxSlkzKy9JQW1adVVVCmtnSjVTTSsxblpsczMzR2NldlFlTFk0S210
+T1AxV1RQRjhDSU1CQ2p6M1UKLT4gVnNOLWdyZWFzZSB1fDAgYy1xRSBESjoyIDJz
+CkdRcWxTa1NHVkJDcUVmeDlIVEZTcW13N0I4ek5jTjliQ2t6Zk9nRkloQmhSY3hG
+TUdJekhXdlRzUGJ6WU8zRXgKZXFGUGgrTndSQmVyMFcyL2J0bEdKY09paTkzRHd0
+R1ZWVVVuaDljWE4zK00rdllOdGRVTzVZTnFtT1p0WlZOYgpGdwotLS0gd3dvU08x
+SzJkdjAvQys5Mnp0dDZQUWp1dzZ3U2tuYUpqR09xeTJnSzVDTQooXx8cndfMYlmf
+7eCLssPnHKj7KKgUfiihj91X8pokJR/++wQSarMdRtFB0S0MpDs/khwgG0HkmrKp
+XB1jureGwJs7gmJ6gafKCKSkBv9Jkaw=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/toot/pds.env.age
+++ b/secrets/toot/pds.env.age
@@ -0,0 +1,18 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDYySmNjQSBONnFw
+QVduaWJac2hVVDl0bHY5dXFQSkFUNGlWaTNUbGkxN3d1RWpSZGdRCmpBZ2pLZHZ0
+V21EenE0U3lYblp3dTFyRlRrMGVjWGpxdVVRWW5pcnpCVlUKLT4gWDI1NTE5IEx0
+QUM0aEVsbCtLd3ZmS0kyb0Q3d2RuVW1oc2pHSFpMbUZHY2VXYlhYR28KSHhraW9K
+RXArS1lia0NsMWkvRFhTVEduM1M0c2JnYmduY0ZmSjhCN1M1YwotPiAlL1lJLWdy
+ZWFzZSAhVCpkTAplMU5KckU1K2diWnBreG9LbERtbGJZQjZwK0lOZjJHcEJyMWZp
+c1lxL1UvbTE5QzRIMm9wSXFmY2xUSzhBMEJiCmgxUQotLS0gOUhYVERseXJlVksr
+SEZtby92YUIrTG4ra0hneklheFBERHhqSlFlT0YwVQr5gAYwgdPqUqW2XEtN7+ZR
+VblX1NFXjMLljiGcW+ZlMXHIaKMxizPr+S/6U183e4wiUUqcpipnznnslhm/Zkny
+iHmW37pnNC0T9kctqOXeEjqsQxAMo2YKFroxo1iK0YvN+VyoIDSYMDKu8uDe1Cna
+rabi42KfdZNDjtPLrJyHSo2cCdnDUeWalAjQ3eQqn4y85gfPZq8kZcwvK6SmurDN
+GkwxXpZpSd6MdY4fIaaBEwe7WY9hq4fE7WgcQaz5yG47F+ArCwWauAz38+309XHj
+omsDSzj1jrN7T4kr2gjtUX227NrCw3REHYRNN6IQK/6fDNyPF1wbLFpXU4dnANLT
+OdMRnsDRPafNLAOYn0pgCVcVs0KLpaJvy3KLevVt2MZEtSZe/S+ys28H3JJCB8qz
+igaX3gw9+W8by4ET864fpFgufJrpufVvdz/MZ1207YHz1URQACWRtFKwnwfzP45+
+l47Y4s+xy34V+IXLJduEQdQ0ZHqKmTv02BjEjqksBwZswjI0EbTvD3Nsiw==
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
@@ -1,72 +1,74 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBVUDR4
-Um1XS00yUDFIRnYyZzg2KzYzanBIMWFNTmV1MVF6ei8rZDBiTXowCnBBRFEyQU14
-ZU5MdSt0NnRJdUMyMyt6dVlOWHBqUnkvRWNmMjNRUENKeTgKLT4gc3NoLWVkMjU1
-MTkgM2JCM1pnIHFyc2laWnBTQU0rcThOamJTcEtlUGNsSW8reTc2eTJjbVBkZlJu
-cXEzbUUKcmFrTEVjaXY2a0lJNEtCWXNjTUsxNENkSWZmZUJhRm5ydWZ6WlJ1aDdR
-RQotPiBzc2gtZWQyNTUxOSBxKzBYY3cgRVBuOEJ4K0NRVjdLdFhIU2Y3ZGQwL3F4
-clFjMVNsOWNvTU8wVlRoNG5CZwpycFRlMzFjZ0drN0t5QXpoMkJ4aERMYkxVSFhU
-STJTdUNzeWtkUmFMTHVBCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBBRUhnNlNzbDVX
-Q1ArRENrZzBrNkhhSUd5dEZnM2oxRUtmYWx2L1NtbG53ClZIalNsaUNBUUtKWGpT
-dTM3VExldm0xRXJoSWZ0SU4vdWk5SDlZTEFPczQKLT4gc3NoLWVkMjU1MTkgajY3
-RlhRIGR0VkhtNWxCK2xSYUNlS2hhdzRldEVZRDQwNmVnN0dtRTdOamFSM1Jqek0K
-YS9uWGMyY3JzeUZCWkhLTzk4d1dxT0NkbEQ3UnlWOStCdUh0bkg3K2N3TQotPiBz
-c2gtZWQyNTUxOSBjMFROYVEgYXJhZUdOeEphOGxkMTZmamJxdmMrTElkYkFScVA3
-alExSC9TVTJzeUFqNApsZXo1cC9wdnp3Zml4bG52ekFHMEUyU29acFFJeU1VN3Mr
-ZlorWC9VWDZzCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBTenhVdjNncGxudDJ2Y3lw
-K0JIOFJDd2VVQzFkWGc1STROdFZqbnUrYlJnCk5MTWxRYVRPcUFjMmdySEJ5Rndy
-TzdnNGErNnBRa1dTSFVFekxQUitOYTAKLT4gc3NoLWVkMjU1MTkgakk4UkFnIGtL
-c1psRWRRN1hNZUNiVHFmR3JGVm1jUWJtdm91ZVR6M01zNmhGdW9pRTAKNGpwek8w
-QkRnSkZXUjhEMEpPaUdkeGwxZDRGbTRSMjg1Z1pMdEVSaTJEdwotPiBzc2gtZWQy
-NTUxOSBoTWE0bncgYmRqR1FRaDdQQ09ZZHQwWmQxVUJ2QWdLYjdoRlNLU09GYUNi
-ajJhMWx5QQo3ZWFNWjMvTzNxSXJjeTY5cTNMWmk0K0IzZ053Mmd6T1hhaVFTVVBj
-NHBrCi0+IHNzaC1lZDI1NTE5IGV5cTNkZyBXbUdJKzdMZDF1NW1pTi94aUtjNGpo
-aGVLbno0RzE1MXlURTJJQ3hRb1dVClg5K2FwRHBvcXIwVUl1U21GSnJsSmJmMGZN
-cmdBcmRiRERzcjJmZzV4Q2sKLT4gc3NoLWVkMjU1MTkgN1dROVBBIEIrays1YUJN
-TkRMS01oVzQyZEJuSjFPTTV4YkZSMDdTV0UvZE4rZ1U3SFEKWEZSL0g0dmFnelJC
-S3VGZDlaTHhJQ3NaaEc2aUsvRmdKdjRNZ1VXMExmQQotPiBzc2gtZWQyNTUxOSBn
-U3hQMFEgODNUUEg4M0hLL3RSUXk4M3dGV0tZNjJXQWxabmxLanF0Slc0WWMyUkNo
-bwpCMGlaZDdodk4zeDROczVFc0FxM25qMFdicWZZSVpjb2tiT081bUVUTGFzCi0+
-IHNzaC1lZDI1NTE5IFZGY3c1ZyBKanVnSDI0bUhvS3RVbzdSc0s2TmQzSVdEczRF
-eU1CazZPM094eEt1ZGp3Cm1HWGluLzhoRUtNRDZOcVJDVUR1R3dneHNHa1M1VGpH
-YWF3TDQ5cS9saFUKLT4gc3NoLWVkMjU1MTkgaGtidHZnIHJLN2dJQnA4eGo5SnU3
-SkttSlM2YXNERXJOYjc1Tlo4NnhFakdYT0dqUWMKQllrZm83NHJrYmtWaytCc1VI
-aVhESUtYeHpoT0JmdStSRURMZ0JldlQwYwotPiBzc2gtZWQyNTUxOSBldDJ6cFEg
-d3NnSXpMRzU0QjBBL0c4SGw5Znl6d3hRdWxvbHdXZCtIeVdnU1F6MFVVQQpiQjVX
-TSsycGZqMVNWajZHcFkyN2JwY2RqcGRlNitRWXgxWnN5TzlpU1lRCi0+IHNzaC1l
-ZDI1NTE5IFpiTEpXQSB3VmFwR2ZqR2p4OXlpSnQrbExqTktkaEJ4emxLM2ZZbGdx
-U0drOWtxUGprClgyYnd1M1NQem1rZkxwUk5tVXBLNGVDMFVjNjc5Lys4N0RsajZN
-eG9LeEEKLT4gc3NoLWVkMjU1MTkgWk5xSW9nIFl3QUlPNnVHNXNwQ2sxRUEycFda
-TkJsUmx0dCtRdnRVRVAzY3pPbm1LM0EKbVZDMHBSOFBiMFVQbkxHOGpkQjhrbDRJ
-YUN0M2JPOW1PbjVtQURaUnVFbwotPiBzc2gtZWQyNTUxOSBxTGpxeVEgUXc5TUxn
-YXk2ai9EbHdVeFVsUk96bHZIRFdlcDFqYkxLQ3FJaFBQVG93bwpTSFJ5dmJiN2tt
-TVlLUlBhb3VmSG8zVHNYdC9HVjcwN3JUVVVWN3BFUkhvCi0+IHNzaC1lZDI1NTE5
-IEJhUWxSZyAxYkNsekljV0s1ZWR2eVZnSk9Oc2QvWjE2a2dMaldDYzJRU0FWUVE0
-Z0FvCnk5UlhrT0ZaK3FXTThVY0RKZlE0d0FTajJLRCtSNWdvWjd5V3hZNEg4dUkK
-LT4gc3NoLWVkMjU1MTkgcytxUmZnIHA5cGpXWlMvTlVreDNremhCa1FDUlFVYk45
-OHhjaUhYTWZVa3dySzNLeW8KNXZnZzFPNC8zMExuMG4yUTJFMDgxTFdGdDZ6VVl1
-WEFGUC9zNVgrd2RRdwotPiBzc2gtZWQyNTUxOSA2MkpjY0EgMG51elJWRWRDNzRM
-SERza2RiNFBoOHc1eCt0SWtmUy90dGl0VEd6QTJENApodnNBM1FkUlZ2ZjB6b1Np
-QWNXdjVoNFlsa0NOQWp6TUw2TVQrU3VNRlVZCi0+IHNzaC1lZDI1NTE5IC9oeC9k
-QSBxdlhXM3Rqb3J4YjVDUzdhUUVYQlFvSTJjZXA5MHBYY0NXWVR0VzllR2hzCkU2
-K2xCY2tGeEJjK1dMYkhCZ29pR3EzYndWUXF4bWorNC83d1E3U3luMFUKLT4gc3No
-LWVkMjU1MTkgV3pMR0hBIGg1MjIydFM3YlM3aWVFR0h4TytwRWxYWTVkTXN4VkdW
-TnJ0bXQ0WTduQUEKemtad2lsTTlPUEtUaVpFLzNPVFhqd3VpeWJWbDFyayt2VVhy
-Q0FSb01rRQotPiBzc2gtZWQyNTUxOSBISi9KN0EgTkdKZUx2U1NTODZzTlpJb2xT
-VFptQ3hWOS9BMCsyZXdsM3ErMXhtaHlFQQoyUnp3RW81VUh6OVRQcGhJOXYxNXRR
-NHNGT3ZIU2ZQb2c5aEg0UmhRcG13Ci0+IHNzaC1lZDI1NTE5IE9FcU1zZyBLMi9r
-bmFyTnBCU1lsdUpDWTJsd3ltRzAxZmw5eDNqVUtjMkR0OGF1dVRjCndrNmVHcmYy
-c0lQOFM5SjBjN1ZqZXk1Vkk3RzA0b3JtaWZrdDBmdmFrYXcKLT4gc3NoLWVkMjU1
-MTkgL0VKWHZnIEV6eVNrNEZvVWhPMXppeFpmSEt1Y2NqcmtUOXAxQ1lOWVdtcnlm
-R3B3VFEKVXJJRWlmOFVHZ3hyWWhLZE03VlNlM0M4ejFDYjM1b1c0YWhMMVcrRXlH
-bwotPiBYMjU1MTkgUkRPY2JrSGZYeGNVWldVbTAzbkdtbHdUS1hoZXg2R2JEOGtC
-ckZSOWV3TQpGejNQOUlxb05oWE9hRWdjbzI2a0NKVkpHMG1PMWlMWVZpYkVQNlpx
-c2xRCi0+ICwlLDsrbWYtZ3JlYXNlIE8mcz1jaywgeiJbOE9FeyAjXFl4Ugo1c2VM
-THdsOFlhODVMV3JsYzY3QU5Hb1BJTHBWNFEvalRHN3lXQlBBZFVvQXRIdXpXYVpU
-b0NLRG40WWhMQ2hDCnZyS1d6SGxGekIzWUs2Uk5XSFRscTIrTTEwNzJKMExGcG5m
-UWR0MWtBNnk4bDBYYStVQzFwZDlWRzRDNXJVZm0KajVrCi0tLSBkQ044Z3A5R0dt
-S0htaUZaSzdPOTNCcXZrSWFVVHlTZk0zejBuT21yQzFBCo6rc9fznstf3eXBRUA8
-73MZAYqSnJ5wVMrYrwGfT9lXvKbHCOvkgjUI6Ieo0nuw+aZpXoV3t9HfZv62UEll
-ZZVu+ieRCZqOOqZKKZ3TCP24vdXun8Tu+3YK8fyn88QSRH/0ZMnqI9FXbtsUhsF8
-2o7m7Fn48B0nVKy16HZyBsksknAuZCkfS/JOkgI=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHNqUFR5ZyBlbHl0
+S0lQbXBKVGpNNnJOUS9TSlp0U0EvYWFVanN3N0RMb1JudEdwYVQ4CnJGdklzeEFy
+RmxjamNyUWszYjFGb0ZZbk9EQVdERERtckpqczVscjdmUE0KLT4gc3NoLWVkMjU1
+MTkgRExNZUZnIGR4czhRYjUyU29JbnFnRk5IeXliNzZzMVMya1ZuS2tkUlFVTkxU
+aFd0VWsKenprWWQ0UEdaUGhvRlJUbnU1T2h1czZBK1dpOGwwcjJxc2p6ejV1RnM0
+RQotPiBzc2gtZWQyNTUxOSAzYkIzWmcgMHB6dzVFQ3FtaWErVWNyRXo3WnNhT2NF
+eldUVWtOaVlWOTVwcVVaOUlGMApJUDUzNmhKbUxleTV6SjV0Zmk3dno0STVIRDIv
+SUkyd1M2Z21mdUtMUXIwCi0+IHNzaC1lZDI1NTE5IHErMFhjdyBnRFBPRnNSa0Nn
+UTlpR1Y4OU1UQmNLRnRWaGxzU3RBV0c1bG90K2I5QUQ0CjArUFlGS1B2RkVKSEtP
+ajRpUUNlMkRPN3pxaEkrZ1M3RndxRDZ6U09Wc2cKLT4gc3NoLWVkMjU1MTkgWkIz
+ZTZRIFRPdXRTeEVvUTM1dlQzMll2VDFkUlY2eEFRcnRrc1lNeDZDbFE1a3BjaDgK
+MytBM0Y2Mmo2M1JOWExLQy8xTm9SR05WcmxrV2xBZ0RpeXQxeGVkZ1VZcwotPiBz
+c2gtZWQyNTUxOSBqNjdGWFEgYUw5cnJabnhhdU9lN0NPVXVUazRnVWpzcUVtM3VR
+bWQxNVVSQTN5N3hXRQp0blhXUC94TlRPbS9Ba2N1eVM0QkNNblJBa1hJYjZ1Y1lM
+UDhWbUd5bWNVCi0+IHNzaC1lZDI1NTE5IGMwVE5hUSA0TXowVjA0N2FvcER6OEts
+VTVwa0UzUEtsY005WDhmaU8zZ3VLaXQvaVRJCjB4cjJiMHVGM3hyWlg0OHhaT0lu
+K2NJQWVndzYrSDAyK25NMklSVUI4S28KLT4gc3NoLWVkMjU1MTkgbjhDcFV3IFNE
+Q1NZbnpqUkdiaktnYkxZdzZrYUVqWDEvYnMvOTJqSUpybERTNk9uQ0kKYlMzZkVu
+SXVtaWk2WEtDMEpwZFM3ZVIyWHQwUWNOZjVRS0I0ZjN5MklHYwotPiBzc2gtZWQy
+NTUxOSBqSThSQWcgWTZIMCtNMCtzTFpROHpBMnA3b2s2UFE2dDZGbnlxU2VxMlkz
+aGJFUzV6awpKNDhobHQrTCs4cUVpNE5wblJMako3bU5tVldjVDBjVlJOOHhkUTNk
+NFdrCi0+IHNzaC1lZDI1NTE5IFQrc2JHQSBTbVlBTXIzQ09SOHRJakZXK3NkT1Uy
+RFgrUTZncSsyK3p5WlVDSFNwM2lFClErRHk4Qmp2VlIvZW8rV2lNME53ZFlIUmVC
+bXF5RlVvV2FUM3ZmeWpaQzgKLT4gc3NoLWVkMjU1MTkgaE1hNG53IDBINGhyMDBy
+bkp0RWpTU0F6Uk1kaXllRHBHbXF2QWUwNkN1U0tEWE53VGsKdi9QRlhwRCtyQkRq
+cng1Wk1rZkx2NnJTMUxGajN3b2Z3SG0zd0ptcklCZwotPiBzc2gtZWQyNTUxOSBl
+eXEzZGcgcnQ4WUFMcGRtL1BvYTkxWU12WTdkT1lLRmJlZXZ4cWtHNG54QVo0dDYw
+RQp2NkMwbTROZTBuRUVLNEs3L3BmOTZ2S3dDL0hUbm5OaHZXbjVCRG15bExnCi0+
+IHNzaC1lZDI1NTE5IDdXUTlQQSBPL0t1ZWptTm5YQXIwc3ZNUGhkaVM5QU1DMkNL
+NU1WSFlTT05KOWR3dGhJCmdTTEIrNEZma3E0UzArMndqVEgzWnVLNzl0TjhsbG9P
+OE9aRVk1Ung1cEkKLT4gc3NoLWVkMjU1MTkgZ1N4UDBRIGJNazFtRThSVVVvb3dP
+RHV5WGxCbktDK3c5aEhiYkphNU4zUnVNUVNNV2sKbWZJYkNSZFMvTDI1WVg5SnJV
+bUFSY2JsNDJBc253dlN5Y2Nqdm9TbU9IawotPiBzc2gtZWQyNTUxOSBWRmN3NWcg
+eEo0dmRNWVpuVGdxRHpXc09tUDZldFRKcTBIMVVWcXdmVFRhZnZmenBETQpJWHVp
+NWJNRWhacHlMbHlQcjEzdEZWdUVpbGg0N2pqMjcvTk92UDJpNUlvCi0+IHNzaC1l
+ZDI1NTE5IGhrYnR2ZyB0SFJGRE03T3lnTUJZakVCcnQxVklPNXhzak94eU5KUzNX
+L216SCtUWEVzCmRrS2Rlc1JiNEg1KzExaUsrNHJuSDlTcU5Oa0J4QVZKVmNBRGFP
+ZWlqUjAKLT4gc3NoLWVkMjU1MTkgZXQyenBRIEFhMFVxZ3RRbk4za2t5cWtwVjVi
+Qm9ucVdMekVsSHEwSWlML0JIdmQ2SFkKWW5mWnQvRWlaT3hJLzJyTE5RdTNUMWNM
+SDB4TjVKZCtDN0tCR1NhdnRqbwotPiBzc2gtZWQyNTUxOSBaYkxKV0EgV1loMWZx
+OHhKelNvNzErMDc4cUE5amgycTFTem5lVmlGYTk5bUM2T2dEUQpkMVQ0VS80Y3Jt
+QTZUVnNZV0daczM0Titvc3Q1T2JiTVZYV2tXOW4xV0VRCi0+IHNzaC1lZDI1NTE5
+IFpOcUlvZyAzMnZ2NjR1R2R2UlJNZjNvOU9RckR0MEtnbllyYVJPSUZtUDNWSU5k
+U3c4Ckgza2txalJhOW14c1dGZ0VTc3EzK2NpOUJaVWhqN2lMWU9HL3hMSWlJUVkK
+LT4gc3NoLWVkMjU1MTkgcUxqcXlRIHMxNStVTnY1TUZJaHlXQnNTSFhXditsWnVF
+Y2ZKRWZ5UXVPZUVKY2VjakEKV1N3ODVFYXROTzFReWE5Y1A5MkpXUjJVc00wVVd3
+ZUpzTC9rRGdOWUpxWQotPiBzc2gtZWQyNTUxOSBCYVFsUmcganpkWlpaWlRVQ3Vp
+Y2hvbkpld2kzdzVtdERHajBNUTEyM0NOWlp0WkxtRQp1MEJUKzFUSW9tWjluVU9Y
+clBzNFpzdU83MXdGN2dJSGducnplbEd4M1JNCi0+IHNzaC1lZDI1NTE5IHMrcVJm
+ZyBSRW1pZWFhQkpQRTFYTG9IZnVmWmx6S2pNUll4MGhtRFd1Y0ZhS25JNFZVCjhU
+UDhoOTlTUEtqbytZMjZ2NlozcnZTNXVNcVA3cU1TRmtsL1g4bEhKUzgKLT4gc3No
+LWVkMjU1MTkgNjJKY2NBIElSSXZjc3J5cWNwOHFNV281YzBrVzc2TlVwMnRwb0NJ
+dEdST0s4MEhmQnMKaTNEdkFjRktCZHNCY3FsWE5UbFo1R3lXSlI2NE5MR25neWJ4
+NTlsSllxWQotPiBzc2gtZWQyNTUxOSAvaHgvZEEgOExaRjJiNTJkUGFxZllSK1Uz
+eWxQTmtxOVFPZkVFb2w2Z0tmZVpwTndDWQpuRFlqZWdaQjZaT1BZSmllVzB5NWhY
+MmhHaWtZOXFERzhSRWRXWk5TR1RRCi0+IHNzaC1lZDI1NTE5IFd6TEdIQSBtZW04
+eWlNWU9JOXYvcVlsb1JXM2JKRlREeXJXNHd6MlkvazZrSzdscG5BCnZzWUFwb3lK
+dUhkcDZNakFPN0RMRG5LQzdqU1UzNlJ6eGRGSGlhYUx0YXMKLT4gc3NoLWVkMjU1
+MTkgSEovSjdBIDBaNzZGVkdaVWlWNk4yVW5UdnFCZ2xWUEtIc2QzQmJTMnlINVF1
+V093UmsKcXNhSnlnWHQrRzVSU296NENDN29aMUN5VlRIcittdGNySGhvMHZlT0xl
+NAotPiBzc2gtZWQyNTUxOSBPRXFNc2cgNUFSc045eUVqQWI3MXB4Tkd2RndDS2Na
+VGJrblFLaENPVlZucFdGRGFDTQp6dlRHTnRLSFkxb1RFdmxGS09Jenh2Q25VZ2ha
+QWQ4YUNjdVNJbW8vVGVrCi0+IHNzaC1lZDI1NTE5IC9FSlh2ZyBGM2lrUG1DWUx3
+YndZWWdobVo3TjZHTDNabmdsa3ZHcndwUXVZSVg5T0VZCjNYdlFYSHBsWjBTWXlS
+V0lSZkpwVE05eU1LcFBEbWdXWEZ0U0tSTkthQnMKLT4gWDI1NTE5IDF5SmczUWpo
+bkdmWS9SamxtTTF1eVJnc1QxUGJiUjQwR1VSTmdxMEtqQzAKeTF0NWp6dG1CWGNy
+VVVXVGFLV3dkWWo2YTVkZmtXcHRZai9FSDVBSmJhbwotPiAmJC1ncmVhc2UgaWU3
+YGkpVSBNV0ZfIDM1fltQdzBcCmZYRXB1NEVMNkVqWVF3Ci0tLSB2RVRFYmVGVklB
+bGFiUTBKYlMrRitvN2NnUkhScTMvWml6ZzRKU3ZIeEtvChoKB2c5roTC97pdDOi6
+aPFIaTyOu9NZ4ESwwRjpEgB0D6GP2r7YR3CnxVyXa4sCFUnTF8dLUkABFnSeNeQZ
+M64tM6J+tZAyJa9IKaTgSqvQaGYHHYinygNvf6BShCK4nPUJu0cV6gFtqFle0MWA
+Rez5eRMFH/M2aubhwBeDyHG4WRelkt7oMVXyY6U=
 -----END AGE ENCRYPTED FILE-----
Author	SHA1	Message	Date
Jack O'Sullivan	25267d09a2	nixos/home/hass: Add androidtv_remote and alarmo All checks were successful CI / Check, build and cache nixfiles (push) Successful in 59m46s Details	2025-03-11 02:12:16 +00:00
Jack O'Sullivan	f02f538ab2	nixos/home/routing-common: Add media DHCP reservations	2025-03-10 22:33:48 +00:00
Jack O'Sullivan	d319657680	nixos/netboot: Use older iPXE with patch All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h3m31s Details	2025-03-10 22:23:08 +00:00
Jack O'Sullivan	dff5a4e6d8	nixos/home/hass: Add Irish Rail integration All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h9m21s Details	2025-03-10 14:04:22 +00:00
Jack O'Sullivan	2a8ced0fec	nixos/home/routing-common: Add DNS blocklist All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h6m52s Details	2025-03-10 10:46:21 +00:00
Jack O'Sullivan	36c7096120	nixos/home/hass: Home Assistant CLI and automation fix All checks were successful CI / Check, build and cache nixfiles (push) Successful in 2h47m3s Details	2025-03-10 01:28:14 +00:00
Jack O'Sullivan	adfcf2f848	nixos/home/hass: Initial Home Assistant setup Some checks failed CI / Check, build and cache nixfiles (push) Has been cancelled Details	2025-03-09 22:59:59 +00:00
Jack O'Sullivan	a3870a4293	nixos/home/sfh: Introduce hass container Some checks failed CI / Check, build and cache nixfiles (push) Has been cancelled Details	2025-03-09 20:07:28 +00:00
Jack O'Sullivan	8f4b61fc2b	Update inputs	2025-03-09 20:00:35 +00:00
Jack O'Sullivan	44e3a3011a	nixos/stream: Disable octoprint for now Some checks failed CI / Check, build and cache nixfiles (push) Failing after 3m16s Details	2025-03-02 14:21:31 +00:00
Jack O'Sullivan	45c972cca9	lib: Update public IPs	2025-03-02 13:40:22 +00:00
Jack O'Sullivan	7bd5b8cbdf	nixos/whale2: Add kevcraft Some checks failed CI / Check, build and cache nixfiles (push) Failing after 2m33s Details	2025-02-18 17:15:03 +00:00
Jack O'Sullivan	d1eb9cc981	nixos/toot: Add BlueSky PDS Some checks failed CI / Check, build and cache nixfiles (push) Failing after 3m4s Details	2025-01-31 14:54:40 +00:00
Jack O'Sullivan	7a2ebf6872	nixos: Add ADB stuff All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h3m46s Details	2025-01-26 18:33:04 +00:00
Jack O'Sullivan	72b8bd089c	nixos/uk: Add WireGuard VPN for access All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h15m33s Details	2025-01-22 19:19:03 +00:00
Jack O'Sullivan	cff229f487	nixos: Add britway All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h3m58s Details	2025-01-19 23:58:51 +00:00
Jack O'Sullivan	f3ac3cd67f	nixos/middleman: Add pubkey and HTTP access to p.nul.ie All checks were successful CI / Check, build and cache nixfiles (push) Successful in 51m34s Details	2025-01-16 15:20:57 +00:00