boron: add firmware and optimise compilation for hardware

2024-05-19 00:33:13 +01:00
56 changed files with 433 additions and 800 deletions
--- a/.gitea/workflows/flake.yaml
+++ b/.gitea/workflows/flake.yaml
@ -11,9 +11,12 @@ jobs:
  flake:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-      - uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
+      - name: Prepare for Nix installation
-      - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
+        run: |
          apt-get update
          apt-get install -y sudo
      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
      - name: lint
        run: |
          nix fmt
--- a/darwin/jakehillion-mba-m2-15/configuration.nix
+++ b/darwin/jakehillion-mba-m2-15/configuration.nix
@ -1,27 +0,0 @@
 { config, pkgs, ... }:
 {
  config = {
    system.stateVersion = 4;
    networking.hostName = "jakehillion-mba-m2-15";
    nix = {
      useDaemon = true;
    };
    programs.zsh.enable = true;
    security.pam.enableSudoTouchIdAuth = true;
    environment.systemPackages = with pkgs; [
      fd
      htop
      mosh
      neovim
      nix
      ripgrep
      sapling
    ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -2,9 +2,7 @@
  "nodes": {
    "agenix": {
      "inputs": {
-        "darwin": [
+        "darwin": "darwin",
          "darwin"
        ],
        "home-manager": [
          "home-manager"
        ],
@ -14,11 +12,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1723293904,
+        "lastModified": 1715290355,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
        "type": "github"
      },
      "original": {
@ -30,19 +28,21 @@
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1726188813,
+        "lastModified": 1700795494,
-        "narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
@ -72,16 +72,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1725703823,
+        "lastModified": 1715381426,
-        "narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
+        "narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
+        "rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-23.11",
        "repo": "home-manager",
        "type": "github"
      }
@ -93,11 +93,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726357542,
+        "lastModified": 1715930644,
-        "narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
+        "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
+        "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
        "type": "github"
      },
      "original": {
@ -108,11 +108,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1725690722,
+        "lastModified": 1708968331,
-        "narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
+        "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
+        "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
        "type": "github"
      },
      "original": {
@ -122,44 +122,29 @@
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1725885300,
        "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
        "owner": "nixos",
        "repo": "nixos-hardware",
        "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1726320982,
+        "lastModified": 1715948915,
-        "narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
+        "narHash": "sha256-dxMrggEogQuJQr6f02VAFtsSNtjEPkgxczeiyW7WOQc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
+        "rev": "bacb8503d3a51d9e9b52e52a1ba45e2c380ad07d",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1726243404,
+        "lastModified": 1715787315,
-        "narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
+        "narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
+        "rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
        "type": "github"
      },
      "original": {
@ -172,12 +157,10 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "darwin": "darwin",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "home-manager-unstable": "home-manager-unstable",
        "impermanence": "impermanence",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable"
      }
--- a/flake.nix
+++ b/flake.nix
@ -1,21 +1,15 @@
 {
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    nixos-hardware.url = "github:nixos/nixos-hardware";
    flake-utils.url = "github:numtide/flake-utils";
    darwin.url = "github:lnl7/nix-darwin";
    darwin.inputs.nixpkgs.follows = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    agenix.inputs.darwin.follows = "darwin";
    agenix.inputs.home-manager.follows = "home-manager";
-    home-manager.url = "github:nix-community/home-manager/release-24.05";
+    home-manager.url = "github:nix-community/home-manager/release-23.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    home-manager-unstable.url = "github:nix-community/home-manager";
    home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -25,19 +19,15 @@
  description = "Hillion Nix flake";
-  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
    let
      getSystemOverlays = system: nixpkgsConfig: [
        (final: prev: {
          unstable = nixpkgs-unstable.legacyPackages.${prev.system};
          "storj" = final.callPackage ./pkgs/storj.nix { };
        })
      ];
    in
    {
    nixosConfigurations =
      let
        fqdns = builtins.attrNames (builtins.readDir ./hosts);
        getSystemOverlays = system: nixpkgsConfig: [
          (final: prev: {
            "storj" = final.callPackage ./pkgs/storj.nix { };
          })
        ];
        mkHost = fqdn:
          let
            system = builtins.readFile ./hosts/${fqdn}/system;
@ -69,22 +59,6 @@
          };
      in
      nixpkgs.lib.genAttrs fqdns mkHost;
      darwinConfigurations = {
        jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
          system = "aarch64-darwin";
          specialArgs = inputs;
          modules = [
            ./darwin/jakehillion-mba-m2-15/configuration.nix
            ({ config, ... }: {
              nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
            })
          ];
        };
      };
  } // flake-utils.lib.eachDefaultSystem (system: {
    formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
  });
--- a/hosts/be.lt.ts.hillion.co.uk/default.nix
+++ b/hosts/be.lt.ts.hillion.co.uk/default.nix
@ -24,17 +24,6 @@
      ];
    };
    ## WiFi
    age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
    networking.wireless = {
      enable = true;
      environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
      networks = {
        "Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
      };
    };
    ## Desktop
    custom.users.jake.password = true;
    custom.desktop.awesome.enable = true;
--- a/hosts/boron.cx.ts.hillion.co.uk/README.md
+++ b/hosts/boron.cx.ts.hillion.co.uk/README.md
@ -2,6 +2,6 @@
 Additional installation step for Clevis/Tang:
-    $ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
+    $ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
    $ sudo chown root:root /mnt/data/disk_encryption.jwe
    $ sudo chmod 0400 /mnt/data/disk_encryption.jwe
--- a/hosts/boron.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix
@ -30,44 +30,28 @@
    custom.defaults = true;
    ## Hardware optimisations
    hardware.enableAllFirmware = true;
    nix.settings.system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" "gccarch-znver4" ];
    nixpkgs.hostPlatform = {
      gcc.arch = "znver4";
      gcc.tune = "znver4";
      system = builtins.readFile ./system;
    };
    ## Kernel
    ### Explicitly use the latest kernel at time of writing because the LTS
    ### kernels available in NixOS do not seem to support this server's very
    ### modern hardware.
-    boot.kernelPackages = pkgs.linuxPackages_6_10;
+    boot.kernelPackages = pkgs.linuxPackages_6_8;
    ### Apply patch to enable sched_ext which isn't yet available upstream.
    boot.kernelPatches = [{
      name = "sched_ext";
      patch = pkgs.fetchpatch {
        url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
        hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
        decode = "${pkgs.zstd}/bin/unzstd";
        excludes = [ "Makefile" ];
      };
      extraConfig = ''
        BPF y
        BPF_EVENTS y
        BPF_JIT y
        BPF_SYSCALL y
        DEBUG_INFO_BTF y
        FTRACE y
        SCHED_CLASS_EXT y
      '';
    }];
    ## Enable btrfs compression
    fileSystems."/data".options = [ "compress=zstd" ];
    fileSystems."/nix".options = [ "compress=zstd" ];
    ## Impermanence
-    custom.impermanence = {
+    custom.impermanence.enable = true;
      enable = true;
      cache.enable = true;
    };
    boot.initrd.postDeviceCommands = lib.mkAfter ''
      btrfs subvolume delete /cache/system
      btrfs subvolume snapshot /cache/empty_snapshot /cache/system
    '';
    ## Custom Services
    custom = {
@ -101,18 +85,6 @@
      fileSystems = [ "/data" ];
    };
    ## General usability
    ### Make podman available for dev tools such as act
    virtualisation = {
      containers.enable = true;
      podman = {
        enable = true;
        dockerCompat = true;
        dockerSocket.enable = true;
      };
    };
    users.users.jake.extraGroups = [ "podman" ];
    ## Networking
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = true;
--- a/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
@ -18,7 +18,7 @@
    {
      device = "tmpfs";
      fsType = "tmpfs";
-      options = [ "mode=0755" "size=100%" ];
+      options = [ "mode=0755" ];
    };
  fileSystems."/boot" =
@ -35,13 +35,6 @@
      options = [ "subvol=data" ];
    };
  fileSystems."/cache" =
    {
      device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
      fsType = "btrfs";
      options = [ "subvol=cache" ];
    };
  fileSystems."/nix" =
    {
      device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
--- a/hosts/boron.cx.ts.hillion.co.uk/unstable
+++ b/hosts/boron.cx.ts.hillion.co.uk/unstable
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
+++ b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
@ -2,6 +2,7 @@
 {
  imports = [
    ../../modules/spotify/default.nix
    ./bluetooth.nix
    ./hardware-configuration.nix
  ];
@ -29,13 +30,6 @@
      ];
    };
    ## Enable ZRAM swap to help with root on tmpfs
    zramSwap = {
      enable = true;
      memoryPercent = 200;
      algorithm = "zstd";
    };
    ## Desktop
    custom.users.jake.password = true;
    custom.desktop.awesome.enable = true;
@ -83,6 +77,15 @@
    boot.initrd.kernelModules = [ "amdgpu" ];
    services.xserver.videoDrivers = [ "amdgpu" ];
    ## Spotify
    home-manager.users.jake.services.spotifyd.settings = {
      global = {
        device_name = "Gendry";
        device_type = "computer";
        bitrate = 320;
      };
    };
    users.users."${config.custom.user}" = {
      packages = with pkgs; [
        prismlauncher
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/hardware-configuration.nix
@ -28,10 +28,7 @@
      options = [ "subvol=nix" ];
    };
-  boot.initrd.luks.devices."root" = {
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
    device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
    allowDiscards = true;
  };
  fileSystems."/data" =
    {
--- a/hosts/jorah.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/jorah.cx.ts.hillion.co.uk/default.nix
@ -0,0 +1,106 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  config = {
    system.stateVersion = "23.05";
    networking.hostName = "jorah";
    networking.domain = "cx.ts.hillion.co.uk";
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
    custom.defaults = true;
    ## Impermanence
    custom.impermanence.enable = true;
    ## Custom Services
    custom = {
      locations.autoServe = true;
      services = {
        gitea.actions = {
          enable = true;
          tokenSecret = ../../secrets/gitea/actions/jorah.age;
        };
      };
    };
    services.nsd.interfaces = [
      "95.217.229.104"
      "2a01:4f9:4b:3953::2"
    ];
    services.foldingathome = {
      enable = true;
      user = "JakeH"; # https://stats.foldingathome.org/donor/id/357021
      daemonNiceLevel = 19;
    };
    ## Enable ZRAM to help with root on tmpfs
    zramSwap = {
      enable = true;
      memoryPercent = 200;
      algorithm = "zstd";
    };
    ## Filesystems
    services.btrfs.autoScrub = {
      enable = true;
      interval = "Tue, 02:00";
      # By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
      fileSystems = [ "/data" ];
    };
    ## Networking
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = true;
      "net.ipv6.conf.all.forwarding" = true;
    };
    networking = {
      useDHCP = false;
      interfaces = {
        enp5s0 = {
          name = "eth0";
          useDHCP = true;
          ipv6.addresses = [{
            address = "2a01:4f9:4b:3953::2";
            prefixLength = 64;
          }];
        };
      };
      defaultGateway6 = {
        address = "fe80::1";
        interface = "eth0";
      };
    };
    networking.firewall = {
      trustedInterfaces = [ "tailscale0" ];
      allowedTCPPorts = lib.mkForce [ ];
      allowedUDPPorts = lib.mkForce [ ];
      interfaces = {
        eth0 = {
          allowedTCPPorts = lib.mkForce [
            53 # DNS
          ];
          allowedUDPPorts = lib.mkForce [
            53 # DNS
          ];
        };
      };
    };
    ## Tailscale
    age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
    services.tailscale = {
      enable = true;
      authKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
    };
  };
 }
--- a/hosts/jorah.cx.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/jorah.cx.ts.hillion.co.uk/hardware-configuration.nix
@ -0,0 +1,48 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    {
      device = "tmpfs";
      fsType = "tmpfs";
      options = [ "mode=0755" ];
    };
  fileSystems."/nix" =
    {
      device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
      fsType = "btrfs";
      options = [ "subvol=nix" ];
    };
  fileSystems."/data" =
    {
      device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
      fsType = "btrfs";
      options = [ "subvol=data" ];
    };
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/4D7E-8DE8";
      fsType = "vfat";
    };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/jorah.cx.ts.hillion.co.uk/system
+++ b/hosts/jorah.cx.ts.hillion.co.uk/system
@ -0,0 +1 @@
 x86_64-linux
--- a/hosts/microserver.home.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix
@ -59,7 +59,6 @@
          5353 # HomeKit
        ];
        allowedTCPPorts = [
          1400 # HA Sonos
          7654 # Tang
          21063 # HomeKit
        ];
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@ -32,14 +32,6 @@
      nat.enable = lib.mkForce false;
      useDHCP = false;
      vlans = {
        cameras = {
          id = 3;
          interface = "eth2";
        };
      };
      interfaces = {
        enp1s0 = {
          name = "eth0";
@ -64,14 +56,6 @@
            }
          ];
        };
        cameras /* cameras@eth2 */ = {
          ipv4.addresses = [
            {
              address = "10.133.145.1";
              prefixLength = 24;
            }
          ];
        };
        enp4s0 = { name = "eth3"; };
        enp5s0 = { name = "eth4"; };
        enp6s0 = { name = "eth5"; };
@ -98,8 +82,8 @@
              ip protocol icmp counter accept comment "accept all ICMP types"
-              iifname { "eth0", "cameras" } ct state { established, related } counter accept
+              iifname "eth0" ct state { established, related } counter accept
-              iifname { "eth0", "cameras" } drop
+              iifname "eth0" drop
            }
            chain forward {
@ -154,42 +138,12 @@
          settings = {
            interfaces-config = {
-              interfaces = [ "eth1" "eth2" "cameras" ];
+              interfaces = [ "eth1" "eth2" ];
            };
            lease-database = {
              type = "memfile";
-              persist = true;
+              persist = false;
              name = "/var/lib/kea/dhcp4.leases";
            };
            option-def = [
              {
                name = "cookie";
                space = "vendor-encapsulated-options-space";
                code = 1;
                type = "string";
                array = false;
              }
            ];
            client-classes = [
              {
                name = "APC";
                test = "option[vendor-class-identifier].text == 'APC'";
                option-data = [
                  {
                    always-send = true;
                    name = "vendor-encapsulated-options";
                  }
                  {
                    name = "cookie";
                    space = "vendor-encapsulated-options-space";
                    code = 1;
                    data = "1APC";
                  }
                ];
              }
            ];
            subnet4 = [
              {
                subnet = "10.64.50.0/24";
@ -211,17 +165,25 @@
                    data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
                  }
                ];
-                reservations = lib.lists.imap0
+                reservations = [
-                  (i: el: {
+                  {
-                    ip-address = "10.64.50.${toString (20 + i)}";
+                    # tywin.storage.ts.hillion.co.uk
-                    inherit (el) hw-address hostname;
+                    hw-address = "c8:7f:54:6d:e1:03";
-                  }) [
+                    ip-address = "10.64.50.20";
-                  { hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
+                    hostname = "tywin";
-                  { hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
+                  }
-                  { hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
+                  {
-                  { hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
+                    # syncbox
-                  { hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
+                    hw-address = "00:1e:06:49:06:1e";
-                  { hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
+                    ip-address = "10.64.50.22";
                    hostname = "syncbox";
                  }
                  {
                    # microserver.home.ts.hillion.co.uk
                    hw-address = "e4:5f:01:b4:58:95";
                    ip-address = "10.64.50.21";
                    hostname = "microserver";
                  }
                ];
              }
              {
@ -259,29 +221,6 @@
                  }
                ];
              }
              {
                subnet = "10.133.145.0/24";
                interface = "cameras";
                pools = [{
                  pool = "10.133.145.64 - 10.133.145.254";
                }];
                option-data = [
                  {
                    name = "routers";
                    data = "10.133.145.1";
                  }
                  {
                    name = "broadcast-address";
                    data = "10.133.145.255";
                  }
                  {
                    name = "domain-name-servers";
                    data = "1.1.1.1, 8.8.8.8";
                  }
                ];
                reservations = [
                ];
              }
            ];
          };
        };
--- a/hosts/sodium.pop.ts.hillion.co.uk/default.nix
+++ b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
@ -1,87 +0,0 @@
 { config, pkgs, lib, nixos-hardware, ... }:
 {
  imports = [
    "${nixos-hardware}/raspberry-pi/5/default.nix"
    ./hardware-configuration.nix
  ];
  config = {
    system.stateVersion = "24.05";
    networking.hostName = "sodium";
    networking.domain = "pop.ts.hillion.co.uk";
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
    custom.defaults = true;
    ## Enable btrfs compression
    fileSystems."/data".options = [ "compress=zstd" ];
    fileSystems."/nix".options = [ "compress=zstd" ];
    ## Impermanence
    custom.impermanence = {
      enable = true;
      cache.enable = true;
    };
    boot.initrd.postDeviceCommands = lib.mkAfter ''
      btrfs subvolume delete /cache/tmp
      btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
      chmod 1777 /cache/tmp
    '';
    ## CA server
    custom.ca.service.enable = true;
    ### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
    fileSystems."/tmp" = {
      device = "/cache/tmp";
      options = [ "bind" ];
    };
    # nix = {
    #   settings = {
    #     build-dir = "/cache/tmp/";
    #   };
    # };
    ## Custom Services
    custom.locations.autoServe = true;
    # Networking
    networking = {
      useDHCP = false;
      interfaces = {
        end0 = {
          name = "eth0";
          useDHCP = true;
        };
      };
    };
    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
    networking.firewall = {
      trustedInterfaces = [ "tailscale0" ];
      allowedTCPPorts = lib.mkForce [
      ];
      allowedUDPPorts = lib.mkForce [ ];
      interfaces = {
        eth0 = {
          allowedTCPPorts = lib.mkForce [
            7654 # Tang
          ];
          allowedUDPPorts = lib.mkForce [
          ];
        };
      };
    };
    ## Tailscale
    age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
    services.tailscale = {
      enable = true;
      authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
    };
  };
 }
--- a/hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix
@ -1,63 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    {
      device = "tmpfs";
      fsType = "tmpfs";
      options = [ "mode=0755" ];
    };
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/417B-1063";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  fileSystems."/nix" =
    {
      device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
      fsType = "btrfs";
      options = [ "subvol=nix" ];
    };
  fileSystems."/data" =
    {
      device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
      fsType = "btrfs";
      options = [ "subvol=data" ];
    };
  fileSystems."/cache" =
    {
      device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
      fsType = "btrfs";
      options = [ "subvol=cache" ];
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/hosts/sodium.pop.ts.hillion.co.uk/system
+++ b/hosts/sodium.pop.ts.hillion.co.uk/system
@ -1 +0,0 @@
 aarch64-linux
--- a/hosts/theon.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/theon.storage.ts.hillion.co.uk/default.nix
@ -22,7 +22,6 @@
    };
    ## Networking
    networking.useNetworkd = true;
    systemd.network.enable = true;
    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
--- a/hosts/tywin.storage.ts.hillion.co.uk/README.md
+++ b/hosts/tywin.storage.ts.hillion.co.uk/README.md
@ -1,7 +0,0 @@
 # tywin.storage.ts.hillion.co.uk
 Additional installation step for Clevis/Tang:
    $ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
    $ sudo chown root:root /mnt/disk_encryption.jwe
    $ sudo chmod 0400 /mnt/disk_encryption.jwe
--- a/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
+++ b/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
@ -1,14 +0,0 @@
 {
  "t": 1,
  "pins": {
    "tang": [
      {
        "url": "http://10.64.50.21:7654"
      },
      {
        "url": "http://10.64.50.25:7654"
      }
    ]
  }
 }
--- a/hosts/tywin.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
@ -15,20 +15,6 @@
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
    boot.kernelParams = [
      "ip=dhcp"
      "zfs.zfs_arc_max=25769803776"
    ];
    boot.initrd = {
      availableKernelModules = [ "r8169" ];
      network.enable = true;
      clevis = {
        enable = true;
        useTang = true;
        devices."root".secretFile = "/disk_encryption.jwe";
      };
    };
    custom.locations.autoServe = true;
    custom.defaults = true;
@ -54,6 +40,7 @@
      forceImportRoot = false;
      extraPools = [ "data" ];
    };
    boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
    services.btrfs.autoScrub = {
      enable = true;
@ -218,7 +205,7 @@
      enable = true;
      openFirewall = true;
      keyFile = config.age.secrets."chia/farmer.key".path;
-      plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
+      plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7;
    };
    ## Downloads
--- a/hosts/tywin.storage.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/hardware-configuration.nix
@ -20,11 +20,6 @@
      fsType = "btrfs";
    };
  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/32837730-5e15-4917-9939-cbb58bb0aabf";
    allowDiscards = true;
  };
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/BC57-0AF6";
@ -67,18 +62,6 @@
      fsType = "btrfs";
    };
  fileSystems."/mnt/d6" =
    {
      device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
      fsType = "btrfs";
    };
  fileSystems."/mnt/d7" =
    {
      device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
      fsType = "btrfs";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/modules/ca/README.md
+++ b/modules/ca/README.md
@ -1,11 +0,0 @@
 # ca
 Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
 Creating a 10 year root certificate:
    nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
 Creating the intermediate key:
    nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem
--- a/modules/ca/cert.pem
+++ b/modules/ca/cert.pem
@ -1,13 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIB+TCCAVqgAwIBAgIQIZdaIUsuJdjnu7DQP1N8oTAKBggqhkjOPQQDBDAXMRUw
 EwYDVQQDEwxIaWxsaW9uIEFDTUUwHhcNMjQwODAxMjIyMjEwWhcNMzQwNzMwMjIy
 MjEwWjAXMRUwEwYDVQQDEwxIaWxsaW9uIEFDTUUwgZswEAYHKoZIzj0CAQYFK4EE
 ACMDgYYABAAJI3z1PrV97EFc1xaENcr6ML1z6xdXTy+ReHtf42nWsw+c3WDKzJ45
 +xHJ/p2BTOR5+NQ7RGQQ68zmFJnEYTYDogAw6U9YzxxDGlG1HlgnZ9PPmXoF+PFl
 Zy2WZCiDPx5KDJcjTPzLV3ITt4fl3PMA12BREVeonvrvRLcpVrMfS2b7wKNFMEMw
 DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFFBT
 fMT0uUbS+lVUbGKK8/SZHPISMAoGCCqGSM49BAMEA4GMADCBiAJCAPNIwrQztPrN
 MaHB3J0lNVODIGwQWblt99vnjqIWOKJhgckBxaElyInsyt8dlnmTCpOCJdY4BA+K
 Nr87AfwIWdAaAkIBV5i4zXPXVKblGKnmM0FomFSbq2cYE3pmi5BO1StakH1kEHlf
 vbkdwFgkw2MlARp0Ka3zbWivBG9zjPoZtsL/8tk=
 -----END CERTIFICATE-----
--- a/modules/ca/consumer.nix
+++ b/modules/ca/consumer.nix
@ -1,14 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.custom.ca.consumer;
 in
 {
  options.custom.ca.consumer = {
    enable = lib.mkEnableOption "ca.service";
  };
  config = lib.mkIf cfg.enable {
    security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
  };
 }
--- a/modules/ca/default.nix
+++ b/modules/ca/default.nix
@ -1,8 +0,0 @@
 { ... }:
 {
  imports = [
    ./consumer.nix
    ./service.nix
  ];
 }
--- a/modules/ca/service.nix
+++ b/modules/ca/service.nix
@ -1,45 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.custom.ca.service;
 in
 {
  options.custom.ca.service = {
    enable = lib.mkEnableOption "ca.service";
  };
  config = lib.mkIf cfg.enable {
    services.step-ca = {
      enable = true;
      address = config.custom.dns.tailscale.ipv4;
      port = 8443;
      intermediatePasswordFile = "/data/system/ca/intermediate.psk";
      settings = {
        root = ./cert.pem;
        crt = "/data/system/ca/intermediate.crt";
        key = "/data/system/ca/intermediate.pem";
        dnsNames = [ "ca.ts.hillion.co.uk" ];
        logger = { format = "text"; };
        db = {
          type = "badgerv2";
          dataSource = "/var/lib/step-ca/db";
        };
        authority = {
          provisioners = [
            {
              type = "ACME";
              name = "acme";
            }
          ];
        };
      };
    };
  };
 }
--- a/modules/chia.nix
+++ b/modules/chia.nix
@ -46,7 +46,7 @@ in
    };
    virtualisation.oci-containers.containers.chia = {
-      image = "ghcr.io/chia-network/chia:2.4.1";
+      image = "ghcr.io/chia-network/chia:2.2.1";
      ports = [ "8444" ];
      extraOptions = [
        "--uidmap=0:${toString config.users.users.chia.uid}:1"
--- a/modules/default.nix
+++ b/modules/default.nix
@ -3,7 +3,6 @@
 {
  imports = [
    ./backups/default.nix
    ./ca/default.nix
    ./chia.nix
    ./defaults.nix
    ./desktop/awesome/default.nix
--- a/modules/defaults.nix
+++ b/modules/defaults.nix
@ -54,7 +54,6 @@
    networking.firewall.enable = true;
    # Delegation
    custom.ca.consumer.enable = true;
    custom.dns.enable = true;
    custom.home.defaults = true;
    custom.hostinfo.enable = true;
--- a/modules/dns.nix
+++ b/modules/dns.nix
@ -40,6 +40,7 @@ in
              ts = {
                cx = {
                  boron = "100.113.188.46";
                  jorah = "100.96.143.138";
                };
                home = {
                  microserver = "100.105.131.47";
@ -47,10 +48,7 @@ in
                };
                jakehillion-terminals = { gendry = "100.70.100.77"; };
                lt = { be = "100.105.166.79"; };
-                pop = {
+                pop = { li = "100.106.87.35"; };
                  li = "100.106.87.35";
                  sodium = "100.87.188.4";
                };
                storage = {
                  theon = "100.104.142.22";
                  tywin = "100.115.31.91";
@ -67,6 +65,7 @@ in
              ts = {
                cx = {
                  boron = "fd7a:115c:a1e0::2a01:bc2f";
                  jorah = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
                };
                home = {
                  microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
@ -74,10 +73,7 @@ in
                };
                jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
                lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
-                pop = {
+                pop = { li = "fd7a:115c:a1e0::e701:5723"; };
                  li = "fd7a:115c:a1e0::e701:5723";
                  sodium = "fd7a:115c:a1e0::3701:bc04";
                };
                storage = {
                  theon = "fd7a:115c:a1e0::4aa8:8e16";
                  tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
--- a/modules/home/tmux/.tmux.conf
+++ b/modules/home/tmux/.tmux.conf
@ -8,11 +8,3 @@ bind -n C-k clear-history
 bind '"' split-window -c "#{pane_current_path}"
 bind % split-window -h -c "#{pane_current_path}"
 bind c new-window -c "#{pane_current_path}"
 # Start indices at 1 to match keyboard
 set  -g base-index      1
 setw -g pane-base-index 1
 # Open a new session when attached to and one isn't open
 # Must come after base-index settings
 new-session
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@ -2,6 +2,7 @@
 let
  cfg = config.custom.impermanence;
  listIf = (enable: x: if enable then x else [ ]);
 in
 {
  options.custom.impermanence = {
@ -11,13 +12,6 @@ in
      type = lib.types.str;
      default = "/data";
    };
    cache = {
      enable = lib.mkEnableOption "impermanence.cache";
      path = lib.mkOption {
        type = lib.types.str;
        default = "/cache";
      };
    };
    users = lib.mkOption {
      type = with lib.types; listOf str;
@ -46,32 +40,18 @@ in
      gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
    };
-    environment.persistence = lib.mkMerge [
+    environment.persistence."${cfg.base}/system" = {
      {
        "${cfg.base}/system" = {
      hideMounts = true;
      directories = [
        "/etc/nixos"
-          ] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
+      ] ++ (listIf config.services.tailscale.enable [ "/var/lib/tailscale" ]) ++
-          (lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
+      (listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
-          (lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
+      (listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
-          (lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
+      (listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
-          (lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
+      (listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
-          (lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
+      (listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
          (lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
          (lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
          (lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
    };
      }
      (lib.mkIf cfg.cache.enable {
        "${cfg.cache.path}/system" = {
          hideMounts = true;
          directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
        };
      })
    ];
    home-manager.users =
      let
--- a/modules/locations.nix
+++ b/modules/locations.nix
@ -19,7 +19,10 @@ in
    {
      custom.locations.locations = {
        services = {
-          authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
+          authoritative_dns = [
            "boron.cx.ts.hillion.co.uk"
            "jorah.cx.ts.hillion.co.uk"
          ];
          downloads = "tywin.storage.ts.hillion.co.uk";
          gitea = "boron.cx.ts.hillion.co.uk";
          homeassistant = "microserver.home.ts.hillion.co.uk";
@ -28,10 +31,9 @@ in
          tang = [
            "li.pop.ts.hillion.co.uk"
            "microserver.home.ts.hillion.co.uk"
            "sodium.pop.ts.hillion.co.uk"
          ];
          unifi = "boron.cx.ts.hillion.co.uk";
-          version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
+          version_tracker = [ "boron.cx.ts.hillion.co.uk" "jorah.cx.ts.hillion.co.uk" ];
        };
      };
    }
--- a/modules/resilio.nix
+++ b/modules/resilio.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, nixpkgs-unstable, ... }:
 let
  cfg = config.custom.resilio;
@ -61,7 +61,5 @@ in
        in
        builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
    };
    systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
  };
 }
--- a/modules/services/authoritative_dns.nix
+++ b/modules/services/authoritative_dns.nix
@ -32,7 +32,6 @@ in
              86400 NS ns1.hillion.co.uk.
              ca                    21600 CNAME sodium.pop.ts.hillion.co.uk.
              deluge.downloads      21600 CNAME tywin.storage.ts.hillion.co.uk.
              graphs.router.home    21600 CNAME router.home.ts.hillion.co.uk.
              prowlarr.downloads    21600 CNAME tywin.storage.ts.hillion.co.uk.
--- a/modules/services/downloads.nix
+++ b/modules/services/downloads.nix
@ -29,16 +29,10 @@ in
      virtualHosts = builtins.listToAttrs (builtins.map
        (x: {
-          name = "${x}.downloads.ts.hillion.co.uk";
+          name = "http://${x}.downloads.ts.hillion.co.uk";
          value = {
            listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
-            extraConfig = ''
+            extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
              reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
              tls {
                ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
              }
            '';
          };
        }) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
    };
--- a/modules/services/gitea/actions.nix
+++ b/modules/services/gitea/actions.nix
@ -63,11 +63,6 @@ in
              runner = {
                capacity = 3;
              };
              cache = {
                enabled = true;
                host = "10.108.27.2";
                port = 41919;
              };
            };
          };
@ -81,8 +76,6 @@ in
                  chain output {
                    type filter hook output priority 100; policy accept;
                    ct state { established, related } counter accept
                    ip daddr 10.0.0.0/8 drop
                    ip daddr 100.64.0.0/10 drop
                    ip daddr 172.16.0.0/12 drop
--- a/modules/services/gitea/gitea.nix
+++ b/modules/services/gitea/gitea.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, nixpkgs-unstable, ... }:
 let
  cfg = config.custom.services.gitea;
@ -55,7 +55,7 @@ in
    services.gitea = {
      enable = true;
-      package = pkgs.unstable.gitea;
+      package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
      mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
      appName = "Hillion Gitea";
--- a/modules/services/homeassistant.nix
+++ b/modules/services/homeassistant.nix
@ -44,20 +44,16 @@ in
          "bluetooth"
          "default_config"
          "esphome"
          "flux"
          "google_assistant"
          "homekit"
          "met"
          "mobile_app"
          "mqtt"
          "otp"
          "smartthings"
          "sonos"
          "sun"
          "switchbot"
        ];
        customComponents = with pkgs.home-assistant-custom-components; [
          adaptive_lighting
        ];
        config = {
          default_config = { };
@ -83,9 +79,6 @@ in
            report_state = true;
            expose_by_default = true;
            exposed_domains = [ "light" ];
            entity_config = {
              "input_boolean.sleep_mode" = { };
            };
          };
          homekit = [{
            filter = {
@ -95,7 +88,13 @@ in
          bluetooth = { };
-          adaptive_lighting = {
+          switch = [
            {
              platform = "flux";
              start_time = "07:00";
              stop_time = "23:59";
              mode = "mired";
              disable_brightness_adjust = true;
              lights = [
                "light.bedroom_lamp"
                "light.bedroom_light"
@ -106,8 +105,8 @@ in
                "light.living_room_light"
                "light.wardrobe_light"
              ];
-            min_sunset_time = "21:00";
+            }
-          };
+          ];
          light = [
            {
@ -115,9 +114,12 @@ in
              lights = {
                bathroom_light = {
                  unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
-                  value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
+                  value_template = "on";
                  turn_on = { service = "script.noop"; };
-                  turn_off = { service = "script.bathroom_light_switch_if_on"; };
+                  turn_off = {
                    service = "switch.turn_on";
                    entity_id = "switch.bathroom_light";
                  };
                };
              };
            }
@ -146,13 +148,6 @@ in
            }
          ];
          input_boolean = {
            sleep_mode = {
              name = "Set house to sleep mode";
              icon = "mdi:sleep";
            };
          };
          # UI managed expansions
          automation = "!include automations.yaml";
          script = "!include scripts.yaml";
--- a/modules/services/matrix.nix
+++ b/modules/services/matrix.nix
@ -41,10 +41,6 @@ in
        owner = "matrix-synapse";
        group = "matrix-synapse";
      };
      "matrix/matrix.hillion.co.uk/syncv3_secret" = {
        file = ../../secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age;
      };
    };
    services = {
@ -118,15 +114,6 @@ in
        };
      };
      matrix-sliding-sync = {
        enable = true;
        environmentFile = config.age.secrets."matrix/matrix.hillion.co.uk/syncv3_secret".path;
        settings = {
          SYNCV3_SERVER = "https://matrix.hillion.co.uk";
          SYNCV3_BINDADDR = "[::]:8009";
        };
      };
      heisenbridge = lib.mkIf cfg.heisenbridge {
        enable = true;
        owner = "@jake:hillion.co.uk";
--- a/modules/services/tang.nix
+++ b/modules/services/tang.nix
@ -13,7 +13,6 @@ in
      enable = true;
      ipAddressAllow = [
        "138.201.252.214/32"
        "10.64.50.20/32"
      ];
    };
  };
--- a/modules/services/unifi.nix
+++ b/modules/services/unifi.nix
@ -10,14 +10,20 @@ in
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/unifi";
      readOnly = true; # NixOS module only supports this directory
    };
  };
  config = lib.mkIf cfg.enable {
-    # Fix dynamically allocated user and group ids
+    users.users.unifi = {
-    users.users.unifi.uid = config.ids.uids.unifi;
+      uid = config.ids.uids.unifi;
-    users.groups.unifi.gid = config.ids.gids.unifi;
+      isSystemUser = true;
      group = "unifi";
      description = "UniFi controller daemon user";
      home = "${cfg.dataDir}";
    };
    users.groups.unifi = {
      gid = config.ids.gids.unifi;
    };
    services.caddy = {
      enable = true;
@ -32,9 +38,21 @@ in
      };
    };
-    services.unifi = {
+    virtualisation.oci-containers.containers = {
-      enable = true;
+      "unifi" = {
-      unifiPackage = pkgs.unifi8;
+        image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221";
        environment = {
          PUID = toString config.ids.uids.unifi;
          PGID = toString config.ids.gids.unifi;
          TZ = "Etc/UTC";
        };
        volumes = [ "${cfg.dataDir}:/config" ];
        ports = [
          "8080:8080"
          "8443:8443"
          "3478:3478/udp"
        ];
      };
    };
  };
 }
--- a/modules/spotify/default.nix
+++ b/modules/spotify/default.nix
@ -0,0 +1,25 @@
 { config, pkgs, lib, ... }:
 {
  config.age.secrets."spotify/11132032266" = {
    file = ../../secrets/spotify/11132032266.age;
    owner = "jake";
  };
  config.hardware.pulseaudio.enable = true;
  config.users.users.jake.extraGroups = [ "audio" ];
  config.users.users.jake.packages = with pkgs; [ spotify-tui ];
  config.home-manager.users.jake.services.spotifyd = {
    enable = true;
    settings = {
      global = {
        username = "11132032266";
        password_cmd = "cat ${config.age.secrets."spotify/11132032266".path}";
        backend = "pulseaudio";
      };
    };
  };
 }
--- a/modules/ssh/default.nix
+++ b/modules/ssh/default.nix
@ -43,10 +43,10 @@ in
      "dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
      "gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
      "homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
      "jorah.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5";
      "li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
      "microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
      "router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
      "sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr";
      "theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
      "tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
    };
--- a/modules/www/global.nix
+++ b/modules/www/global.nix
@ -33,11 +33,6 @@ in
    services.caddy = {
      enable = true;
      package = pkgs.unstable.caddy;
      globalConfig = ''
        email acme@hillion.co.uk
      '';
      virtualHosts = {
        "hillion.co.uk".extraConfig = ''
@ -47,10 +42,7 @@ in
            header /.well-known/matrix/* Access-Control-Allow-Origin *
            respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
-            respond /.well-known/matrix/client `${builtins.toJSON {
+            respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.hillion.co.uk"}}`
              "m.homeserver" = { "base_url" = "https://matrix.hillion.co.uk"; };
              "org.matrix.msc3575.proxy" = { "url" = "https://matrix.hillion.co.uk"; };
            }}` 200
            respond 404
          }
@ -73,7 +65,6 @@ in
          reverse_proxy http://${locations.services.gitea}:3000
        '';
        "matrix.hillion.co.uk".extraConfig = ''
          reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync http://${locations.services.matrix}:8009
          reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
          reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
        '';
--- a/secrets/gitea/actions/jorah.age
+++ b/secrets/gitea/actions/jorah.age
@ -0,0 +1,19 @@
 age-encryption.org/v1
 -> ssh-rsa GxPFJQ
 IULcxHpUsH6OI4cfixNPM89VJNcVkK+Z8IpgjzRspSyKc5N7jox6DYSbcuPsjGs7
 aS2JYOKOx4hYW9aL3B+tef2I24+NzMDTCT31g9gvuLA0wSMWBoFwVodPbfj1ekHy
 wDUK5XrgyJtFrwTrvuklGYpb/qIEG//k7M/342C9QqfNesv9nULQ6P7+r7jJvxIW
 sOo6qWHFqD/wIiwtLYiX3pOWC6m91L1QNGVh+9/t58YU8RLsgLm2+2vyg13mKya1
 UktTKZbhgRXyUJb7h+vVgDKjAnwqnIDL8asCSDuoSRDBcCxwgSpTDOxAEn9X2oJx
 6S3JLQDhWLlIYrqmVT1aGg
 -> ssh-rsa K9mW1w
 hbVlu640hhzR9rJi4b+1c+/V+EilbmwWaNzV7/0+a9BQusTf413hffhk8QXvuze8
 04LuVctZW5L5B1eOCIeziHc6F5CyAjTsaEDM8SeKGmFjKccjdcSUdbsql87KR5Id
 /drK41oNA6NlmWrLz3YaSz7A9F+B5lgsJDWgXhMFK3Hru8+gnBQPXkwT/IuQLWI1
 sXhJN/dHrBsQ5Cc+fRO7/r6u3jiQ1DOS85qQHStsYYXqea0pfiu5wpPdGZVuECwa
 /R3+ov1JOTK4T3W8TIqOU9ODJxWT697Nv64c8dV3Hq5ymEKkvmZpp1C1/QoCW2EY
 Nk7PF5zM95SM/IdECQjJGQ
 -> ssh-ed25519 Qo6/7A 3gQq8TrBY/7Evlu+q6awqBFjG9m5b7ED+dolo8CJCE4
 JdbLYPo875DQyocjOaVmWQPdgWssuz/T6DJNqgFF020
 --- 0si8/IY1PiYgcmtTFDqu0cj7dW6DFqvgirY0tiSZfdA
 ûÈA©®¦£Ž®¬(]ý¸’7£ÆüùÙÚqp0<70>„5Èc“ý$$æW|ß%`§/uXûÉˆ\~â!åléedäþDg˜	.<2E>i•]§§)l>EÌ
--- a/secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age
+++ b/secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age
@ -1,20 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa GxPFJQ
 Z3WKcEusrn04hb2zUpEFBHOoqDIaCzMo/jZuOX/eMKPBqTrxcba9ZgxOFE7+yaUi
 FJvlQNg5pQn/vaCtHkJWfBXdKiwZ3pIeaqwNcto8EprKLxIAkLjMBMOursz9k41E
 0B4NKRyxiQO2kMgjKb9jYzhioan3NG1Loto8RbjbUPlqn/Q0NEsq8Uql0qaM02Ba
 zBd1Xt1MFDtemXxzfmeqLMX45F67B8JKFujnXajR7qoRCmzz6kkj6zb+SEE+Nodq
 9J/i4rpgwP0B9Zgp9QqnvOBVuLtxPOv/EE+Dp9Ktj1v5SxlJbQoPBiX5pZd5n3/n
 dqibdn1Jls57qCs9sHAlDQ
 -> ssh-rsa K9mW1w
 BMNOK5nTDPSw5wZsdWlpWzbA62WdDmqg3CdiYSA8mDZT5LFHsmZt4azfwvCWnwKh
 jvzWsNgASSdCCGk4xzDR8qzVAvcku5IxgQjGWCfa307r8k1RFMF910+QpS0nsckE
 voBCvNIbv1Qjg6MKSXIDmmDjeLedL/0WYp7mX2FHQbs2Mau3xHz+l4mW9C6Dlyeu
 PdR6IYJxqxDOqQk2FIMYq7vS1JWDo2ntS3XcufUL4V6TeFj1Soauff9/55hqt8Tm
 JlUkbHmc/69bsqbr3en1sk6lk7GV7M87tfjGJuhdsMQLY10jFuZfkpewRhCLTEpR
 LFooblAploXTZfXkvmoj2A
 -> ssh-ed25519 iWiFbA izGiArlZgQMVSnQv/WG7+tBUnk0z/iUHI1TgAf0d5V0
 Qw/pUd8y7UNElE9U+VwE7cQhemfPXFhFoiKQya34Bwo
 --- FfPFhjvH78/oBzE1tL93Vxm6fV9zsHL3S8aDb3KWA4o
 óœ}þŠlj¿mE_¿9mç}z ¼?ü-Ø9F•]IóãÞØy7uw¼x¼ŠQ3ÅìüqñŠJ„åVº–/”º@>°vÊî-G4;Êí1Ñ&@§k®
ÍWë+c*ûžìá|#»û˜Èª³Wy
 fC°
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,16 +14,14 @@ let
          ts = {
            cx = {
              boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5 root@boron";
              jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah";
            };
            home = {
              microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
              router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
            };
            lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; };
-            pop = {
+            pop = { li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li"; };
              li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li";
              sodium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr root@sodium";
            };
            terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
            storage = {
              tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin";
@ -50,16 +48,13 @@ in
  "tailscale/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
  "tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
  "tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
  "tailscale/jorah.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
  "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
  "tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
  "tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
  "tailscale/sodium.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.sodium ];
  "tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
  "tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
  # WiFi Environment Files
  "wifi/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
  # Resilio Sync Secrets
  ## Encrypted Resilio Sync Secrets
  "resilio/encrypted/dad.age".publicKeys = jake_users ++ [ ];
@ -79,8 +74,6 @@ in
  "matrix/matrix.hillion.co.uk/email.age".publicKeys = jake_users ++ [ ts.cx.boron ];
  "matrix/matrix.hillion.co.uk/registration_shared_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
  "matrix/matrix.hillion.co.uk/syncv3_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
  # Backups Secrets
  "restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.cx.boron ts.home.microserver ];
  "restic/1.6T.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.home.router ];
@ -88,6 +81,9 @@ in
  "git/git_backups_ecdsa.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
  "git/git_backups_remotes.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
  # Spotify Secrets
  "spotify/11132032266.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
  # Mastodon Secrets
  "mastodon/social.hillion.co.uk/otp_secret_file.age".publicKeys = jake_users ++ [ ];
  "mastodon/social.hillion.co.uk/secret_key_base.age".publicKeys = jake_users ++ [ ];
@ -101,7 +97,7 @@ in
  "storj/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
  # Version tracker secrets
-  "version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+  "version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.boron ts.cx.jorah ];
  # Home Automation secrets
  "mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.router ];
@ -121,6 +117,7 @@ in
  "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ];
  "gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
  "gitea/actions/jorah.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
  # HomeAssistant Secrets
  "homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
--- a/secrets/spotify/11132032266.age
+++ b/secrets/spotify/11132032266.age
--- a/secrets/tailscale/jorah.cx.ts.hillion.co.uk.age
+++ b/secrets/tailscale/jorah.cx.ts.hillion.co.uk.age
@ -0,0 +1,23 @@
 age-encryption.org/v1
 -> ssh-rsa GxPFJQ
 kqQ9ovZi1Wqf7hz75QB+v8oLr5oRT4Uce7juM+R04CrOOGn1O6DkQtVeFa4Q7Ho0
 DTYeaP3jTR8zo7poTI323q8FbQ/dLG4jxBFafDZJZlXGEThVLnhNYqZZSjiCJHma
 hUn8nSC0y6AdA+lMn8tvZcaivaYpPtT+bALXtvxZ6rTo+mTbJrVRxPY5FZdmdmCC
 Z1h3UFZoyuAO9VWQKtPO3o0Ijh+L7e+TFdRl1YowGB+hvZdJ08AkPXrwIEUMnnMA
 +e/FA5HxHgvi6ud8RTcAkaecYt0l/vKDgBON9ESfHIMuS+vNk5GKT7a+ImKmfb4/
 o2cSmR8y/+J5z4MEBcj/Vg
 -> ssh-rsa K9mW1w
 veHh0OpoW3Hnvy9k7NwANMae2StqGcohTI9hfeHNi7mR6wHly1HqOD9U7eijVYIC
 qvKJsk7sEO8NyAVqLWqrvdq9bLkgTgsNWQsXbulY8VHhwZMIko9YYIZeJv8Um9Bz
 q4QiwJW1KoLItqJNR9c1ZLRfwHaLZwKTThAKMjgt5KFiN5NJYb9CLbAZi4eG1hi0
 PsIP/S/dsUKAeN6Bz2JZ4HB0jsvyPiQLr2p4q5nfEKybJEmjOfc9Z7TjwZTNlC0Y
 0MKVarhwFqsMIP63gTYZisacAhmsG7DoLFA5eHf0VPa1KjqFait0dG+zuojehMfj
 uifZFGahsWaAMg+oq+/Cvg
 -> ssh-ed25519 Qo6/7A sLXu4pSLH2lnzLYVzisN9Zl/EW1jL21Km6kPZO0/Zjk
 chDyf7Sb5GtSVi3TmfYpwwFbI3PhoOnxS5lRcqQGwyY
 -> Y1-grease ,Lz| "Uil>z36 -K
 xfFD+uEZIkGkysF3HdMkMbhsPnu+Cnu6o8tT0lq8rdSOn26V6Fj5CZi1muuD7d2c
 BLtH1vyQx4M71Hb6PmKu7+s5V9xsJqKxtDqx/6iAc9uZnbmeU27nsA
 --- YXh9Kl4PGetzx8qsLJa5gTO3W7UNtio1tXs/HXS271U
 Þûa…kž+J+/û€áñ<1A>ÍKÅbÄä‰éù|Ï$MäåÒ{NýÇ]¦ï=ö7Ïß@ƒ›—<E280BA>(h.ql2¢X}]ê,¦'ùN ÙCô!Æ;ØW£±
 äû·Dï
--- a/secrets/tailscale/sodium.pop.ts.hillion.co.uk.age
+++ b/secrets/tailscale/sodium.pop.ts.hillion.co.uk.age
@ -1,19 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa GxPFJQ
 rgebPOZWAkQIqQZn5UywtUzu1ZpEK9yF3wDLl7b76vOLBM8BeE/cud2AgwRe49VM
 UfbL+5IInvqvVCtCmciVvDhBp85BLvuB/e6DkWxH+HkKm7/stgXkuaotnbxftLN5
 w90Qz8jVgwOSWlpDdW+MACphLBOiDe6oUrcodiQTD+FmA/cH7oEnjaxyElZA4aey
 Yw6df7NiMCbh8LitSqLm9YTB6yWlVw6fumpvsVJqW9UPOdTtOEilFT6qrXIMeu10
 MEdDkU5FlocDSxYLN1buIRSVb+wtN8eSYrMsOd7zwB/FYWw9fFNbZ/1JFxQKl9SK
 w+fHN1jQyOjKpbYELeCdRg
 -> ssh-rsa K9mW1w
 hAYfQrfwWNmck6t7oDzS/JKd7Gb/j3MMH19kEZ74k2Z/t6j9VgNlo0cLCQCRd29l
 NXNwx4H1VLFqP0f0YOIpbeZAPjvLxWODv97ovLWTtokPX9/kDugigqdW59KYcxWB
 cbGAJrBm+D7b5uEuVBCWWBAAv8dZ4EajguoBR6u9mkJRDyy55q3JnS8zUoSz/9XK
 Ne+pf9Bej2hen5CrFJoIBs3YGL81Tqn9zfI3RsgyncB355aL0bH3FKeeWU/Qm2Eb
 fqJroSjNteWp+vqu9RzgrzpRUrZbw+KZL7sssTc0qXTI6UuUrchJ3ku8bOAmYYj+
 4GgOgMeY5ne15Xkc0g/U7Q
 -> ssh-ed25519 oW6Y8A koK5dt68rm3ItiMLS/D85cL1FyvBFOoOUn2iU431HXk
 isWccUR1wymJzBSoNVh+aFMrp1/VS3In6w/kcb1RTSM
 --- Askgu9440tsbF855jM94XpINs1fv69fSY/+CchwH/q8
 š3 ÌV÷<07>‘‹Ôy~Ï¸tˆ¯ÿÉÏè@öpƒÆà¢…~Ón‚Oî°¥Ä	¾âaUUr›•1P¤žÓ6W8ÆFÎ<46>Å<EFBFBD>€?ë›7…üÞ&Ü—OŠ×t|œpoË
--- a/secrets/version_tracker/ssh.key.age
+++ b/secrets/version_tracker/ssh.key.age
--- a/secrets/wifi/be.lt.ts.hillion.co.uk.age
+++ b/secrets/wifi/be.lt.ts.hillion.co.uk.age
@ -1,20 +0,0 @@
 age-encryption.org/v1
 -> ssh-rsa GxPFJQ
 j23rAXS9bmi74Aw3K+Ym/+4eajkeddGn0JsT4y7LkM54KZDazHLSpdIY8G4bPEC1
 Hmwb6tC/fXjCwxZlR69UcWOhYtGFNQKKe66uO4+LnLHrosppsFNUduk1/yamorxh
 foTF1BYstniAO4dkeS+gqU+EozOnpOgnXDjJwQu2az7H0ecTkrdaExVSZefoak2Q
 NdiMVzLgx4/jcuNFIQhej9h2RuTZFcYqoxLvpDYhgCHHrZGXT4MpMtpbV/1z0rjE
 RZiMsaD0cFUB0xY4ncZu/UYTqDInCmiQ/hT1IpHXo41mJgAoOjxvBuMtT1JLFIPx
 eHV8+2B6t6cmvJ94oDb6pA
 -> ssh-rsa K9mW1w
 nX3geP4iz2iW8cIaiI+gUsf2Me5N5yLVxyp0AZx3mxm+REVeW/3gIs6RFwgVvNz4
 O3Rd714c5eufkVb0jaHcnh9xPkhd9JPhDx9ALJebFyDwviQelRucCNkAiFU8cCp0
 5CwdTOsa+QoTL0yzkgFch32sEnrmi3NQpMyQdIACFaFyvVl0vd8jOvIrNUqEc1dZ
 XL2brlteJ5tDn4+7riShILdrkWUXMt127YtBLk4kzAFq9bem6KR3mxoupoGOMZKM
 6erqfETaoGyQYfETg7+/4CSoCOnSw7EgleOQ92Esof2KPiLWqvVVLRYQkajr5atn
 QM8pEVHysfP7tYCOw5Pc3Q
 -> ssh-ed25519 ikTTQA pS/dHNYcNr5Td/Gd7bzuODNdtg5Z/EOl2ZMkRhWIbxs
 7S4TzwwGr20Ar2EHYzF42yK3nKf6k2YAV97URcvtssU
 --- aaywXgy4WGMmd1EoyFk/LXbATavqk0N5rrAJ43aHXo0
 *¢’X%jø
gàïP5)ÚKS•=ØøÞa~Ð·R7œ©\>ëŠv¡w°¿›8©Ã
 Ì•ŠQ±Nx…Lžlã`™÷Ì!ä¸^Z¥éE¼R››·V è\×º ‰ÚÝ-R°vÞû¾Sgtw
M©ÞÓÓç)#8ÃÎƒóÉ¾n