24 changed files with 73 additions and 584 deletions
--- a/dotfiles/emacs.d/.mc-lists.el
+++ b/dotfiles/emacs.d/.mc-lists.el
@ -4,7 +4,6 @@
 (setq mc/cmds-to-run-for-all
      '(
        TeX-insert-backslash
        align
        backward-sexp
        beginning-of-buffer
        beginning-of-visual-line
--- a/dotfiles/emacs.d/snippets/python-mode/inp
+++ b/dotfiles/emacs.d/snippets/python-mode/inp
@ -1,5 +0,0 @@
 # -*- mode: snippet -*-
 # name: inp
 # key: inp
 # --
 import numpy as np
--- a/dotfiles/emacs.d/snippets/python-mode/isa
+++ b/dotfiles/emacs.d/snippets/python-mode/isa
@ -1,5 +0,0 @@
 # -*- mode: snippet -*-
 # name: isa
 # key: isa
 # --
 import sqlalchemy as sa
--- a/nix-darwin/flake.lock
+++ b/nix-darwin/flake.lock
@ -3,7 +3,7 @@
    "agenix": {
      "inputs": {
        "darwin": "darwin",
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager",
        "nixpkgs": [
          "railbird-secrets",
          "nixpkgs"
@ -101,26 +101,6 @@
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1723399884,
        "narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "086f619dd991a4d355c07837448244029fc2d9ab",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "railbird-secrets",
@ -316,7 +296,6 @@
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "homebrew-cask": "homebrew-cask",
        "homebrew-core": "homebrew-core",
        "nix-darwin": "nix-darwin",
--- a/nix-darwin/flake.nix
+++ b/nix-darwin/flake.nix
@ -19,114 +19,21 @@
      url = "github:homebrew/homebrew-cask";
      flake = false;
    };
-    home-manager.url = "github:nix-community/home-manager";
+
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = inputs@{ self, nix-darwin, nixpkgs, home-manager, ... }:
+  outputs = inputs@{ self, nix-darwin, nixpkgs, ... }:
  let
    libDir = ../dotfiles/lib;
    configuration = { pkgs, config, ... }: {
      networking.hostName = "mac-demarco-mini";
      imports = [ (import ./gitea-actions-runner.nix) ];
      services.gitea-actions-runner = {
        user = "gitea-runner";
        instances.nix = {
          enable = true;
          name = config.networking.hostName;
          url = "https://dev.railbird.ai";
          token = "H0A7YXAWsKSp9QzvMymfJI12hbxwR7UerEHpCJUe";
          labels = [
            "nix-darwin-${pkgs.system}:host"
            "macos-aarch64-darwin"
            "nix:host"
          ];
          settings = {
            cache = {
              enabled = true;
            };
            host = {
              workdir_parent = "/var/lib/gitea-runner/action-cache-dir";
            };
          };
          hostPackages = with pkgs; [
            bash
            coreutils
            curl
            direnv
            gawk
            just
            git-lfs
            isort
            gitFull
            gnused
            ncdu
            nixFlakes
            nodejs
            openssh
            wget
          ];
        };
      };
      launchd.daemons.gitea-runner-nix.serviceConfig.EnvironmentVariables = {
        XDG_CONFIG_HOME = "/var/lib/gitea-runner";
        XDG_CACHE_HOME = "/var/lib/gitea-runner/.cache";
        XDG_RUNTIME_DIR = "/var/lib/gitea-runner/tmp";
      };
      # launchd.daemons.gitea-runner-restarter = {
      #   serviceConfig = {
      #     ProgramArguments = [
      #       "/usr/bin/env"
      #       "bash"
      #       "-c"
      #       ''
      #         SERVICE_NAME="org.nixos.gitea-runner-nix"
      #         while true; do
      #         # Check the second column of launchctl list output for our service
      #         EXIT_CODE=$(sudo launchctl list | grep "$SERVICE_NAME" | awk '{print $2}')
      #         if [ -z "$EXIT_CODE" ]; then
      #         echo "$(date): $SERVICE_NAME is running correctly. Terminating the restarter."
      #         exit 0
      #         else
      #         echo "$(date): $SERVICE_NAME is not running or in error state. Attempting to restart..."
      #         sudo launchctl bootout system/$SERVICE_NAME 2>/dev/null || true
      #         sudo launchctl load /Library/LaunchDaemons/$SERVICE_NAME.plist
      #         sleep 2  # Give the service some time to start
      #         fi
      #         done
      #       ''
      #     ];
      #     RunAtLoad = true;
      #     ThrottleInterval = 300;
      #   };
      # };
      launchd.daemons.does-anything-work = {
        serviceConfig = {
          ProgramArguments = ["/usr/bin/env" "bash" "-c" "date > /var/log/does-anything-work"];
          RunAtLoad = true;
        };
      };
      nixpkgs.overlays = [(import ../nixos/overlay.nix)];
      environment.systemPackages = with pkgs; [
        python-with-my-packages
 	      emacs
        alejandra
        cocoapods
        gitFull
        just
        tmux
        htop
        nodePackages.prettier
        nodejs
        ripgrep
        slack
-        typescript
+        gitFull
-        vim
+        ripgrep
        yarn
        nodePackages.prettier
        vim
        just
      ];
      nixpkgs.config.allowUnfree = true;
@ -141,63 +48,26 @@
      # Necessary for using flakes on this system.
      nix.settings.experimental-features = "nix-command flakes";
      # Create /etc/zshrc that loads the nix-darwin environment.
      programs.zsh.enable = true;
      # Set Git commit hash for darwin-version.
      system.configurationRevision = self.rev or self.dirtyRev or null;
-      # Used for backwards compatibility, please read the changelog before changing
+      # Used for backwards compatibility, please read the changelog before changing.
      # $ darwin-rebuild changelog
      system.stateVersion = 4;
      # The platform the configuration will be used on.
      nixpkgs.hostPlatform = "aarch64-darwin";
      users.users.kat.openssh.authorizedKeys.keys = inputs.railbird-secrets.keys.kanivanKeys;
      users.users.gitea-runner = {
        name = "gitea-runner";
        isHidden = false;
        home = "/Users/gitea-runner";
        createHome = false;
      };
      home-manager.useGlobalPkgs = true;      home-manager.useUserPackages = true;
      users.users.kat = {
        name = "kat";
        home = "/Users/kat";
      };
      programs.zsh = {
        enable = true;
        shellInit = ''
          fpath+="${libDir}/functions"
          for file in "${libDir}/functions/"*
          do
          autoload "''${file##*/}"
          done
        '';
        interactiveShellInit = ''
          # eval "$(register-python-argcomplete prb)"
          # eval "$(register-python-argcomplete prod-prb)"
          # eval "$(register-python-argcomplete railbird)"
          # [ -n "$EAT_SHELL_INTEGRATION_DIR" ] && source "$EAT_SHELL_INTEGRATION_DIR/zsh"
          autoload -Uz bracketed-paste-magic
          zle -N bracketed-paste bracketed-paste-magic
        '';
      };
      home-manager.users.kat = {
        programs.starship = {
          enable = true;
        };
        programs.zsh.enable = true;
        home.stateVersion = "24.05";
      };
    };
  in
  {
-    darwinConfigurations."mac-demarco-mini" = nix-darwin.lib.darwinSystem {
+    # Build darwin flake using:
    # $ darwin-rebuild build --flake .#Kats-Mac-mini
    darwinConfigurations."Kats-Mac-mini" = nix-darwin.lib.darwinSystem {
      modules = [
        home-manager.darwinModules.home-manager
        configuration
      ];
    };
--- a/nix-darwin/gitea-actions-runner.nix
+++ b/nix-darwin/gitea-actions-runner.nix
@ -1,176 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.services.gitea-actions-runner;
  settingsFormat = pkgs.formats.yaml {};
  hasDockerScheme = instance:
    instance.labels == [] || any (label: hasInfix ":docker:" label) instance.labels;
  wantsContainerRuntime = any hasDockerScheme (attrValues cfg.instances);
  hasHostScheme = instance: any (label: hasSuffix ":host" label) instance.labels;
  tokenXorTokenFile = instance:
    (instance.token == null && instance.tokenFile != null)
    || (instance.token != null && instance.tokenFile == null);
 in {
  options.services.gitea-actions-runner = {
    package = mkOption {
      type = types.package;
      default = pkgs.gitea-actions-runner;
      defaultText = literalExpression "pkgs.gitea-actions-runner";
      description = "The gitea-actions-runner package to use.";
    };
    user = mkOption {
      type = types.str;
      default = "gitea-runner";
      description = "The user account under which the Gitea Actions Runner should run.";
    };
    instances = mkOption {
      default = {};
      description = "Gitea Actions Runner instances.";
      type = types.attrsOf (types.submodule {
        options = {
          enable = mkEnableOption "Gitea Actions Runner instance";
          name = mkOption {
            type = types.str;
            example = "my-runner";
            description = "The name identifying the runner instance towards the Gitea/Forgejo instance.";
          };
          url = mkOption {
            type = types.str;
            example = "https://forge.example.com";
            description = "Base URL of your Gitea/Forgejo instance.";
          };
          token = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = "Plain token to register at the configured Gitea/Forgejo instance.";
          };
          tokenFile = mkOption {
            type = types.nullOr (types.either types.str types.path);
            default = null;
            description = "Path to a file containing the token to register at the configured Gitea/Forgejo instance.";
          };
          labels = mkOption {
            type = types.listOf types.str;
            default = [];
            example = ["macos:host" "x86_64:host"];
            description = "Labels used to map jobs to their runtime environment.";
          };
          settings = mkOption {
            description = "Configuration for `act_runner daemon`.";
            type = types.submodule {
              freeformType = settingsFormat.type;
            };
            default = {};
          };
          hostPackages = mkOption {
            type = types.listOf types.package;
            default = with pkgs; [
              bash
              coreutils
              curl
              gawk
              git
              gnused
              nodejs
              wget
              openssh
            ];
            description = "List of packages available to actions when the runner is configured with a host execution label.";
          };
        };
      });
    };
  };
  config = mkIf (cfg.instances != {}) {
    assertions = [
      {
        assertion = all tokenXorTokenFile (attrValues cfg.instances);
        message = "Instances of gitea-actions-runner can have `token` or `tokenFile`, not both.";
      }
    ];
    users.users.${cfg.user} = {
      name = cfg.user;
      description = "Gitea Actions Runner user";
    };
    launchd.daemons =
      (mapAttrs' (
          name: instance:
            nameValuePair "gitea-runner-${name}" {
              serviceConfig = {
                ProgramArguments = [
                  "/usr/bin/env"
                  "bash"
                  "-c"
                  ''
                    cd /var/lib/gitea-runner/${name}
                    exec ${cfg.package}/bin/act_runner daemon --config ${settingsFormat.generate "config.yaml" instance.settings}
                  ''
                ];
                KeepAlive = true;
                ThrottleInterval = 5;
                SessionCreate = true;
                UserName = cfg.user;
                GroupName = "staff";
                WorkingDirectory = "/var/lib/gitea-runner/${name}";
                EnvironmentVariables = {
                  PATH = (lib.makeBinPath (instance.hostPackages ++ [cfg.package])) + ":/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin";
                };
              };
            }
        )
        cfg.instances)
      // (mapAttrs' (
          name: instance:
            nameValuePair "gitea-runner-setup-${name}"
            {
              serviceConfig = {
                EnvironmentVariables =
                  {}
                  // optionalAttrs (instance.token != null) {
                    TOKEN = instance.token;
                  };
                RunAtLoad = true;
                ProgramArguments = [
                  "${pkgs.writeShellScript "gitea-runner-setup-${name}" ''
                    mkdir -p /var/lib/gitea-runner/${name}
                    cd /var/lib/gitea-runner/${name}
                    if [ ! -e "/var/lib/gitea-runner/${name}/.runner" ]; then
                        ${cfg.package}/bin/act_runner register --no-interactive \
                        --instance ${escapeShellArg instance.url} \
                        --token "$TOKEN" \
                        --name ${escapeShellArg instance.name} \
                        --labels ${escapeShellArg (concatStringsSep "," instance.labels)} \
                        --config ${settingsFormat.generate "config.yaml" instance.settings}
                    fi
                    # Start the runner
                    chown -R ${cfg.user} /var/lib/gitea-runner
                    chown -R ${cfg.user} /var/log/gitea-runner
                  ''}"
                ];
              };
            }
        )
        cfg.instances);
  };
 }
--- a/nixos/base.nix
+++ b/nixos/base.nix
@ -70,5 +70,5 @@ makeEnable config "myModules.base" true {
  programs.dconf.enable = true;
  home-manager.users = forEachUser (import ./home-manager.nix);
-  nix.settings.trusted-users = realUsers ++ ["gitea-runner"];
+  nix.settings.trusted-users = realUsers;
 }
--- a/nixos/gitea-runner.nix
+++ b/nixos/gitea-runner.nix
@ -1,7 +1,7 @@
 { pkgs, config, makeEnable, ... }:
 makeEnable config "myModules.gitea-runner" false {
  age.secrets.gitea-runner-token = {
-    file = ./secrets/gitea-runner-token.age;
+    file = ./secrets/gitea-runner-token.${config.networking.hostName}.age;
    group = "docker";
  };
--- a/nixos/k3s.nix
+++ b/nixos/k3s.nix
@ -1,84 +1,12 @@
-{
+{ config, makeEnable, ... }:
-  pkgs,
+makeEnable config "myModules.railbird-k3s" false {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.myModules.railbird-k3s;
  mount-path = "/var/lib/railbird/bucket";
  bucket-name = "railbird-dev-videos";
 in {
  options = {
    myModules.railbird-k3s = {
      enable = mkEnableOption "railbird k3s";
      serverAddr = mkOption {
        type = lib.types.str;
        default = "";
      };
    };
  };
  config = mkIf cfg.enable {
    age.secrets."1896Folsom-k3s-token.age".file = ./secrets/1896Folsom-k3s-token.age;
    age.secrets."k3s-registry.yaml.age".file = ./secrets/k3s-registry.yaml.age;
    age.secrets.api-service-key = {
      file = ./secrets/api_service_account_key.json.age;
      owner = "railbird";
      group = "users";
    };
    environment.etc."rancher/k3s/registries.yaml".source = config.age.secrets."k3s-registry.yaml.age".path;
    services.dockerRegistry = {
      enable = true;
      listenAddress = "0.0.0.0";
      port = 5279;
      enableDelete = true;
      enableGarbageCollect = true;
    };
    systemd.services.mount-railbird-bucket = {
      after = ["agenix.service"];
      description = "Mount railbird bucket";
      serviceConfig = {
        Type = "simple";
        RemainAfterExit = true;
        ExecStartPre = [
          "-${pkgs.util-linux}/bin/umount -f ${mount-path}"
          "${pkgs.coreutils}/bin/mkdir -p ${mount-path}"
          "${pkgs.coreutils}/bin/chown railbird:users ${mount-path}"
          "${pkgs.coreutils}/bin/chmod 0775 ${mount-path}"
        ];
        ExecStart = "${pkgs.gcsfuse}/bin/gcsfuse --implicit-dirs --key-file ${config.age.secrets.api-service-key.path} ${bucket-name} ${mount-path}";
        User = "root";
      };
    };
  services.k3s = {
    enable = true;
-      clusterInit = cfg.serverAddr == "";
+    role = "server";
-      serverAddr = cfg.serverAddr;
+    clusterInit = true;
      configPath = pkgs.writeTextFile {
        name = "k3s-config.yaml";
        text = ''
          kubelet-arg:
          - "eviction-hard=nodefs.available<2Gi"
          - "eviction-soft=nodefs.available<5Gi"
          - "eviction-soft-grace-period=nodefs.available=5m"
        '';
      };
      tokenFile = config.age.secrets."1896Folsom-k3s-token.age".path;
      extraFlags = [
        "--tls-san ryzen-shine.local"
        "--tls-san nixquick.local"
        "--tls-san biskcomp.local"
        "--tls-san jimi-hendnix.local"
        "--tls-san dev.railbird.ai"
        "--node-label nixos-nvidia-cdi=enabled"
      ];
    containerdConfigTemplate = ''
      {{ template "base" . }}
        [plugins]
        "io.containerd.grpc.v1.cri".enable_cdi = true
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
      privileged_without_host_devices = false
      runtime_engine = ""
@ -92,5 +20,4 @@ in {
      enable = true;
    };
  };
  };
 }
--- a/nixos/keys.nix
+++ b/nixos/keys.nix
@ -23,7 +23,6 @@ rec {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVGIGnpkU7HNQ/zl/Ffi562M+laWY9/yIjB63BCMiTS kat@nixcomp.local"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3tlMePru6ZlSuf8yUii3N1dy3WwJnSQAt3EgETkctK kat@jay-lenovo.local"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrOYD3ReFc2+xFUylBFHREcm1lO7BRJGW5JrOoY3I8s ivanm@strixi-minaj"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYy93265G59aA1ksckjqlfeHq0vpEpzC8BwqCrpeXdh kat@Kats-Mac-mini.local"
  ];
  deanKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDvbEVL+y7eV4+mtxOuHwyomBBQ6uYMesctstua20+e deanwenstrand@deans-mbp-2.lan"
--- a/nixos/machines/biskcomp.nix
+++ b/nixos/machines/biskcomp.nix
@ -33,12 +33,6 @@ in
  myModules.gitea.enable = true;
  myModules.gitea-runner.enable = false;
  myModules.railbird-k3s = {
    enable = true;
    serverAddr = "https://dev.railbird.ai:6443";
  };
  services.k3s.disableAgent = true;
  services.vaultwarden = {
    enable = true;
    config = {
--- a/nixos/machines/jimi-hendnix.nix
+++ b/nixos/machines/jimi-hendnix.nix
@ -5,10 +5,6 @@
    ../configuration.nix
  ];
  myModules.railbird-k3s = {
    enable = true;
    serverAddr = "https://ryzen-shine.local:6443";
  };
  myModules.base.enable = true;
  myModules.desktop.enable = true;
  myModules.xmonad.enable = true;
@ -22,7 +18,10 @@
  myModules.postgres.enable = true;
  hardware.enableRedistributableFirmware = true;
-  myModules.nvidia.enable = true;
+
  # install nvidia drivers in addition to intel one
  hardware.opengl.extraPackages = [ pkgs.linuxPackages.nvidia_x11.out ];
  hardware.opengl.extraPackages32 = [ pkgs.linuxPackages.nvidia_x11.lib32 ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
  boot.kernelModules = [ "kvm-intel" ];
--- a/nixos/machines/nixquick.nix
+++ b/nixos/machines/nixquick.nix
@ -19,10 +19,6 @@
  myModules.vscode.enable = true;
  myModules.kat.enable = true;
  myModules.nvidia.enable = true;
  myModules.railbird-k3s = {
    enable = true;
    serverAddr = "https://dev.railbird.ai:6443";
  };
  networking.hostName = "nixquick";
--- a/nixos/machines/railbird-sf.nix
+++ b/nixos/machines/railbird-sf.nix
@ -12,36 +12,58 @@
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  boot.loader.systemd-boot.enable = true;
  modules.postgres.enable = true;
-  services.k3s.role = "agent";
+  hardware.opengl.extraPackages = [ pkgs.linuxPackages.nvidia_x11.out ];
-  services.k3s.extraFlags = lib.mkForce ["--node-label nixos-nvidia-cdi=enabled"];
+  hardware.opengl.extraPackages32 = [ pkgs.linuxPackages.nvidia_x11.lib32 ];
  services.xserver = {
    videoDrivers = [ "nvidia" ];
  };
  # Enable OpenGL
  hardware.opengl = {
    enable = true;
    driSupport = true;
    driSupport32Bit = true;
  };
  hardware.nvidia = {
    # Modesetting is required.
    modesetting.enable = true;
    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
    powerManagement.enable = false;
    # Fine-grained power management. Turns off GPU when not in use.
    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
    powerManagement.finegrained = false;
    # Use the NVidia open source kernel module (not to be confused with the
    # independent third-party "nouveau" open source driver).
    # Support is limited to the Turing and later architectures. Full list of
    # supported GPUs is at:
    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
    # Only available from driver 515.43.04+
    # Currently alpha-quality/buggy, so false is currently the recommended setting.
    open = false;
    # Enable the Nvidia settings menu,
 	  # accessible via `nvidia-settings`.
    nvidiaSettings = true;
    # Optionally, you may need to select the appropriate driver version for your specific GPU.
    package = config.boot.kernelPackages.nvidiaPackages.stable;
  };
  features.full.enable = false;
  myModules.base.enable = true;
  myModules.desktop.enable = true;
  myModules.xmonad.enable = false;
  myModules.gnome.enable = true;
  myModules.code.enable = true;
  myModules.syncthing.enable = true;
  myModules.fonts.enable = true;
-  myModules.plasma.enable = true;
+  myModules.plasma.enable = false;
  myModules.nvidia.enable = true;
  myModules.gitea-runner.enable = true;
  myModules.railbird-k3s = {
    enable = false;
    serverAddr = "https://dev.railbird.ai:6443";
  };
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/a317d456-6f84-41ee-a149-8e466e414aae";
--- a/nixos/machines/ryzen-shine.nix
+++ b/nixos/machines/ryzen-shine.nix
@ -16,7 +16,6 @@
  };
  myModules.gitea-runner.enable = true;
  myModules.postgres.enable = true;
  myModules.railbird-k3s.enable = true;
  boot.loader.systemd-boot.configurationLimit = 5;
--- a/nixos/machines/strixi-minaj.nix
+++ b/nixos/machines/strixi-minaj.nix
@ -6,7 +6,6 @@
    inputs.nixos-hardware.nixosModules.asus-rog-strix-g834jzr
  ];
  hardware.nvidia.open = false;
  myModules.base.enable = true;
  myModules.desktop.enable = true;
  myModules.xmonad.enable = true;
--- a/nixos/nvidia.nix
+++ b/nixos/nvidia.nix
@ -4,10 +4,7 @@ makeEnable config "myModules.nvidia" false {
  environment.systemPackages = with pkgs; [
    nvidia-container-toolkit
  ];
-  hardware.nvidia-container-toolkit = {
+  hardware.nvidia-container-toolkit.enable = true;
    enable = true;
    mount-nvidia-executables = true;
  };
  hardware.nvidia.open = false;
  hardware.graphics.extraPackages = [ pkgs.linuxPackages.nvidia_x11.out ];
  hardware.graphics.extraPackages32 = [ pkgs.linuxPackages.nvidia_x11.lib32 ];
--- a/nixos/raspberry-pi.nix
+++ b/nixos/raspberry-pi.nix
@ -12,7 +12,6 @@ makeEnable config "myModules.raspberry-pi" false {
  # hardware.raspberry-pi."4".audio.enable = true;
  boot = {
    initrd.systemd.tpm2.enable = false;
    initrd.availableKernelModules = [
      "usbhid"
      "usb_storage"
--- a/nixos/secrets/1896Folsom-k3s-token.age
+++ b/nixos/secrets/1896Folsom-k3s-token.age
@ -1,51 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 ZgrTqA MGp4jtyXCV3QBrIuy/WQthJGxLUnFNgZlf3HNtZtukY
 jbskLgoJDhl755Qn4ZdW5nYK7Ug2eLm4oQyazff6Uf4
 -> ssh-ed25519 ZaBdSg hjFZhYc4AKvp8585jS4pivMFTxPd0miyQdjJQjQvERQ
 4P8PqJ7gz99nuGyAOh73gECCNTa8U56t/byr0h1plLo
 -> ssh-ed25519 MHZylw iZq2dXCa4gSDpmbQazU4JPCXnbXjrMx2Nh0FCYACCTM
 yVE+tooOjxvD1OBziXHz5yv0k2purR/QouE3SSzinPw
 -> ssh-ed25519 sIUg6g ppAmkq3uj/heZ/RhK6BCz3o6d9l6tw+FeoV+GM4jh2M
 F+Og7e744NSgaUs9zZ28ttPdbl0xkN82KgqGnfv/9sM
 -> ssh-ed25519 TnanwQ GwsA+F4Co/Vxg5I04GxBW6EPPXOT2PtHCdiq6KEFJ0w
 vcJiXNxnh32Q00VodKXhvTmiTglxSCiSPLwOFXrQPxU
 -> ssh-rsa gwJx0Q
 EoF9WbtAgRZyWQPtcwrQTIxXMfNSl6Fpm7DITAwocm04U2aoNEnhvsU/0olrCGpU
 ez4CTnTZuOCVe8yr9KYjy9bU/41L2k89P/yk92i0Fm9412tIvYodSx0Qjju4hpPo
 ptLAp+5wUgeRarEpnPHQBKnyeR4PcaVAeAYyiFHKjFZIaZ6oBEHbJGd8QO02RwAG
 2hnGkVzHhQOxnd6VN4h4xP4BfWXZ8rwTigenVMSwMkrWg0Xx+iXPvGhbLh0P/o5d
 VKtISQGzfL9rr2N4VYJHUT6JgQHNy66qd9YKrcY0bRanlMSeR7p217f/sKOc9SIL
 h9URYNbaxGhdx9JuQVywIA
 -> ssh-ed25519 YFIoHA xsirlZemMNZIOEcc164PM3SO2gJ6DrNM1xU2Phj/TWA
 v0cCi2mVuPMpy17w6q1GLgv/5k6wetFFBUzeAw6YGK8
 -> ssh-ed25519 KQfiow wVCBy3SI6pY/Q1C5Zqq6//KPHma8PR8Qd5DhwO7+SSY
 ODABvuKUzhcuUj/YVwa1tCdgj/WBrhMHpwOmjgMTNDo
 -> ssh-ed25519 kScIxg 9qaWKYi08kVEz5HnFluLfHJz0dNl0gqSj+yTBRmX5U8
 2NBABg/XbcWq4gZp3vtnLZ4yBAZkPdXckDGnHc0rC1U
 -> ssh-ed25519 HzX1zw hMbFcHddfBJ+fU2Ay+J+siEi/rH0kTXTRJS1pFe9rFg
 IBPsFZ2vBc/t0L+anbugwX9A8lj8t6AykZzSovxTCxc
 -> ssh-ed25519 KQfiow 5mUphYz0qwZi78nxpxrQNWeXdum5o1cVj76sSrDgIlA
 KamxIS2NJaI7DTy9SJisGU+KTKTsDx7dXw7TlsSnq9o
 -> ssh-ed25519 1o2X0w zwmrw9msofsTJ9qkqaQWs0CWG2ArWXIb3hX/eFlM/2E
 L8CTuqIKNU1Ff2vWmIWtvLPmI8MOSlUobTLzQGladMg
 -> ssh-ed25519 KQ5iUA 03zopYKa8ki6hqJiiFOoAE0cNEg6uGWk7VF3teDzkws
 FxHYVfs2lCDlWspyv+03yjdJHSIIDUq8PTkhyLyomdM
 -> ssh-ed25519 AKGkDw BBg9+2iPHediKJ0xd/tVcoofbJvws2QIF2yskvE1OBs
 ZM32S8i6ZNG1cPSO3Ojkyy4JYKnJMXv72/RsE1g2o2Y
 -> ssh-ed25519 0eS5+A VedHoAI2jnrcY5E+Db6qyoJJnevOJ4NF1YzSGUAP6R4
 jO9JaT6BiuiriIpWzc6fpJMDxqu3718KMMcHWFtHq14
 -> ssh-ed25519 9/4Prw gcQ7zE+fSceLHLIi26qs348WJH7Jta36N1dPRIp2+2E
 69jtpz9PVWh1KJM5fKUy923ddah7PiwvabFsNST19Ag
 -> ssh-ed25519 gAk3+Q C30KhWJmYd4D3bCuoD7hOZrehDhjMhTpzB1PmqRqph4
 BEpcSaCnz8zLOho7Da7mBtAeLeCJMXbMkyg8CW5OKQI
 -> ssh-ed25519 X6eGtQ EP1F3zxhA6pPsFl638bLkYgsBDn1NHH4xbR3U50ZtSA
 0h8Oe4zZ68GwzHp07LjUmKA69paiGBQGcakpIi8w+VA
 -> ssh-ed25519 0ma8Cw hQ1jQxz3XqtHo3ENzLiX85dmrtD2KpFb+Nx9t95EugM
 1oFklRDdtko9lf9GxJbu0IH7uTD7Iae8nLA6KoVLA1g
 -> ssh-ed25519 Tp0Z1Q VvWo+U0VBidsCCtQKWfEqcgnjzbi7TlSPdrqaZcAGzA
 zRKu1PrurMXm/hQL1DzdgXQLDwebJCtcDzdiceBS00I
 -> ssh-ed25519 qQi7yA kOOIJPZqdp7dRRxPLqwDlNv4OXUI+RYXkA5IlI0YP04
 HnwjK1XmdwIL478UXhRPVPU5YCJYALnpmryF0Kaz5vA
 --- 3MSdvhunDcposjHvMTMOSX6jM4Zj6EndDVgEMMrDpiM
 òEÑ“É4š˜à`|[áØ
]BÌs/€£a1o7ðF'<27>xU§<55>¤qšáðpdäid®,£ìp“bB0ØL‰nÃã~Qm|žK\ŽçiM™G>¿ðx9ÿïÒ€Ù9òwQŒÝ=ýl^YÊÐ+E[J¤É<C2A4>yë€§ûåœDàQÃè1k†Ó
 4‡ñH«Èh!
--- a/nixos/secrets/api_service_account_key.json.age
+++ b/nixos/secrets/api_service_account_key.json.age
--- a/nixos/secrets/gitea-runner-token.age
+++ b/nixos/secrets/gitea-runner-token.age
@ -1,50 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 ZgrTqA fUdYNjuALrimf6eo5FoqjGF0Zvzo4HBMW6cr53NO+D4
 YPI8i4LK2Iz0C89Cx91kx0z+oLQmzVp7rTI9r7+TJcc
 -> ssh-ed25519 ZaBdSg 4INz9+Kf25/qCECW0ylv3oZ0j6ouFJigP+gVSvm97Vc
 mmzlvBxYh703ZEzf73FF7ifDjysMEl2GOT5heGEn+Ts
 -> ssh-ed25519 MHZylw I/e6YCpLKOmjfmnkhF9qsG1S690YuCuHkHm10SOTSTo
 3hnodZC9lVNTsigacqP26JibaaRdModVJCsaiugBNCs
 -> ssh-ed25519 sIUg6g VTWz7slnoJSC5bpGw6o5G7n2y439GbjNiZaFMLaN5jI
 lIJgwvZSyv422Nqct3LmB65ga66y4WSp0ok9RVN9G0s
 -> ssh-ed25519 TnanwQ jnix1dT8u58lNCEmn4mMEn/66XNhYkfOmlQzz9ybpXA
 rpJ1RE1aN8ZFvwXdnWMz5WmtIPVYuaoFW+dUxUHSue0
 -> ssh-rsa gwJx0Q
 d3ys74cy6D+bpqZoaWyzcCHlgY+2sxSR4U41KpLTa1CodYQfhf/QzfhMhNRbKNrg
 eoFB4Z9QSIkbqQedkqmR+gjDtklSG/Jz/1QZxkKm3pRulDq0YA+crduA72Xs+ReF
 yRfAotYMZ+fJvJBJ4C604XzX2JyDsZ9pMxvzH3ntWLL2ay9wgY8beVekCfyAEgr6
 EmFE1xPS5/SvEGz/3x0pxn6qtGXR7JAQYIZw7xVgpLvaY+yGjBGgF97RT8NZKmps
 Y+4DpQMVhJpMREpsGa78zN2PNsZoV3uc/rT7GLfhX1NJxjDfQ5whLF4ykrerg4ZB
 Mm3HhALUqeGd8trA+dRZiw
 -> ssh-ed25519 YFIoHA U7m8uc58dgdk3HS920pXyMUwSustTkyHbomhhYvKxhc
 8TRED2gwbj1IeZxFR9EmkTqsVLgl1pLgja7FpRvw8WY
 -> ssh-ed25519 KQfiow et6x8B9B0X0hX695r/tfriEoInXXcHUkAiaQhXK6NGo
 UkJcdPjs1q//FDy+dGY2uaaGbgw6azVB1/zc5wrdQy8
 -> ssh-ed25519 kScIxg 9UbFUlg4SGEY7L8vOummxwHhypcipPtRq/yhw8k6K2g
 vfLB37DdDA7nEXlNSkJUXwDwQ5UoDonkiKIhSjG4N24
 -> ssh-ed25519 HzX1zw 4LkDXxeqKtYI8EhwXccMRlRw88flevLGFgzwt9nbNWY
 EtrL0itCfPvQtrIFWXqnPoje6Cy//KHZ//OwcibLy4s
 -> ssh-ed25519 KQfiow VPlZHErfIKR0NOG8/Rqwu7LQKP13izSQVck8s217LkM
 v8+OEZZTe+pybXqEtUQ1ILNQ2TbB4QSIkHacMQUkYGg
 -> ssh-ed25519 1o2X0w s8Of4YUoOKrBMa2AjcBYFXPEqwmjZEKGpGwf0F5Z9wo
 ifK7DqiArFCFIjxMHxLB1vlzZ+H/60H+a4xdmdvkf0I
 -> ssh-ed25519 KQ5iUA 1Jn+jIAmcJ1QUbC2Yz6XfVoM4XbS3HHEXJHJvDS3mlE
 rsmCtAlqxVzUfJeRT5kmU0FI5cAiCtqA1bpeG0aci+c
 -> ssh-ed25519 AKGkDw uB/GYB86+P5I9EtWJjCyrPYJKxlF8KLwjVacnS3FYg0
 kAsGXL4c1IDU3rklHnyMpY454DLSCibhEy5U9vfoQxE
 -> ssh-ed25519 0eS5+A xe3LGZVaCS6rCrULdfdtHpuwdnib0FizFhseyWjUxBQ
 nKmumufCm1WQj1MdfawMWFHztFJhP/7+4h8f7PD4+z8
 -> ssh-ed25519 9/4Prw vsOHzuM608TC+t+dqQbMHtZnTcfgGHJq/CfVazWeVFk
 I/w6R2t/pmdA+Ktool+1hU21GjjG/hwe0vSq89jtULw
 -> ssh-ed25519 gAk3+Q GMi0sxNOfeqbmMuU25wGnZdLx8D7zTYZ5Nx5OLjOaCA
 eweAPpjwjHYdySCtWbzwpM9RZ+Ohim/0HQiy2bssIFg
 -> ssh-ed25519 X6eGtQ bTbsvZYuHIYj6AUQ8hLvn9OKLhapi3VqU7nUDT2kxRQ
 X0Kh45FK79mdXA1AqySw/rC73maypSP5BpKso0BKHeM
 -> ssh-ed25519 0ma8Cw miWf5St4zNDpl7ydZPm4NDbhN0Pp5jAP28IdIXfoA38
 yH13uHPwUCRyaXqnieNvkDDNkrACPaoIVFQUiVK2ZLk
 -> ssh-ed25519 Tp0Z1Q dvgXe3vQqY9le3KaROdzaP4jnjQ8kljfC+D/sSpwjnw
 /fwCFlvRRwUZ0ebYXJTdlGRxY6H9elCh5ULsyLve6IM
 -> ssh-ed25519 qQi7yA 83iacCsgW3Iw83C753dqBCM6/i8qyKLqJ0AvEIgxsT4
 uI6NwcRcJUJMYR7vMhZvlnmdWRV9J4FUm8KbDutuKTo
 --- o88XKoHrskw3WGcaj1Ie6UzwfWcfKl76oO8zwk2jcNk
 z…ðÆeïYòUêp[ò4ËVëî-þLE%EÚ›Â¾Ó<C2BE>BSWõ²Õ–½ñ0¼ÿ¯=¢‡-Jt•ÌO<C38C>õšï<C5A1>ç€–É9èp_Kd¬
--- a/nixos/secrets/gpg-keys.age
+++ b/nixos/secrets/gpg-keys.age
--- a/nixos/secrets/k3s-registry.yaml.age
+++ b/nixos/secrets/k3s-registry.yaml.age
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@ -11,10 +11,7 @@ in
  "gitea-runner-token.adele.age".publicKeys = keys.agenixKeys;
  "gitea-runner-token.railbird-sf.age".publicKeys = keys.agenixKeys ++ keys.railbird-sf;
  "gitea-runner-token.mac-demarco-mini.age".publicKeys = keys.agenixKeys ++ keys.railbird-sf;
  "gitea-runner-token.age".publicKeys = keys.agenixKeys ++ keys.railbird-sf;
  "nextcloud-admin.age".publicKeys = keys.agenixKeys;
  "ryzen-shine-kubernetes-token.age".publicKeys = keys.agenixKeys;
  "1896Folsom-k3s-token.age".publicKeys = keys.agenixKeys ++ keys.railbird-sf;
  "api_service_account_key.json.age".publicKeys = keys.agenixKeys;
  "k3s-registry.yaml.age".publicKeys = keys.agenixKeys ++ keys.railbird-sf;
 }